Hacking the Magic TV MTV3600

The Pixel Magic – Magic TV MTV3600NZ
http://www.magictv.com/nz/

I really objected to two of the Freeview-approved restrictions on this device:

  1. Fixed skip time of 10 minutes, effectively making this feature useless.
  2. Inability to copy recorded shows to external media.

So I set about finding a way around these artificial restrictions (the same device marketed in Hong Kong has these features and more).

My guess was the device was based on Linux (although the device makes no mention of this and probably violates the GNU license). I thought there were two avenues for investigation: the device hardware and the software.

I looked at the hardware first. Upon opening the case I found a Western Digital Green 500GB (WDC WD5000AVVS-63M8B0) hard drive and two circuit boards, one a small display board to drive the VFD, the other containing pretty much everything else:

Here is a scan of the motherboard: http://2lostkiwis.com/magictv/magic_scan.jpg

Devices of note:

  • Sigma Designs SMP8635LF
  • Spansion S29GL128P10TF101
  • 4x NANYA NT5DS16M16CS-5T
  • JMicron JM20330
  • Realtek RTL8201CP

In the bottom right-hand side of the scan is an unpopulated 28-pin SSOP device and a 10-pin header. I thought this would be the serial console port with missing RS232 level conversion. This turned out to be a correct assumption: pin 9 of this chip is transmit from the MTV and pin 10 is receive to the MTV. These are +3V3 level signals at 115200 baud. I have connected an external level shifter board as I haven’t found a level shifter device with the correct pinout yet. Luckily the serial console has not been disabled and when powered up I got the following boot log (I think with the hard drive unplugged): http://2lostkiwis.com/magictv/boot.txt

This certainly proved the device ran Linux, and I was pretty excited at getting the login prompt. Unfortunately I had no idea what the root password was; I tried a few guesses but had no luck. I tried various ways to interrupt the boot process but had no luck there either. Time to find a new attack route.

The next investigation was looking at the upgrade firmware, downloadable from Pixel Magic:
http://www.mymagictv.co.nz/downloads/mtv3600_3_12NZ.zip

If you unzip the archive, the file “mtv3600_3_12NZ.upg” contains (among other things) the root filesystem in a squashfs image. I found the image offset in the file by opening mtv3600_3_12NZ.upg in a hex editor and searching for the squashfs magic number, the ASCII string “hsqs”. In this case it was at 1696882 bytes in. Next, the squashfs filesystem was extracted with the command “dd if=mtv3600_3_12NZ.upg of=squash.bin bs=1 skip=1696882”. The extracted image was then mounted with “mount -t squashfs ./squash.bin /mnt/tmp -o loop”, which gave the following filesystem:

root@slax:~# ls /mnt/tmp
bin/  etc/   init@  linuxrc@  opt/   root/  sys/  usr/  version
dev/  home/  lib/   mnt/      proc/  sbin/  tmp/  var/
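The hex-editor search described above can be scripted. The following is an added example, not code from the original post: it scans an upgrade file for the squashfs magic, rejects chance matches by checking the version fields at byte 28 of the superblock, and carves the image the way the dd command does. The function names and the constructed sample blob are assumptions made for illustration.

```python
import struct
import sys

# On-disk magic: "hsqs" marks a little-endian image, "sqsh" a big-endian one.
MAGICS = {b"hsqs": "<", b"sqsh": ">"}

def find_squashfs(blob):
    """Return (offset, endian, major, minor, size) for each plausible superblock."""
    hits = []
    for magic, endian in MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            header = blob[pos:pos + 48]
            if len(header) == 48:
                # s_major / s_minor are 16-bit fields at byte 28 of the superblock.
                major, minor = struct.unpack_from(endian + "HH", header, 28)
                if 1 <= major <= 4:  # reject chance matches of the 4-byte string
                    size = None
                    if major == 4:   # bytes_used is only decoded for the 4.0 layout
                        size = struct.unpack_from(endian + "Q", header, 40)[0]
                    hits.append((pos, endian, major, minor, size))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def carve(blob, offset, size=None):
    """Slice the filesystem out, like dd with skip=offset (and count=size if known)."""
    return blob[offset:] if size is None else blob[offset:offset + size]

def sample_upgrade():
    """Constructed test blob, not real firmware: decoy string, then a v4 superblock."""
    decoy = b"UPGHDR" + b"hsqs" + b"\xff" * 86   # 96 bytes, decoy has a bogus version
    sb = bytearray(96)
    sb[0:4] = b"hsqs"
    struct.pack_into("<HH", sb, 28, 4, 0)        # version 4.0
    struct.pack_into("<Q", sb, 40, len(sb))      # bytes_used
    return decoy + bytes(sb) + b"TRAILER"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_upgrade()
    for off, endian, major, minor, size in find_squashfs(data):
        print(f"squashfs {major}.{minor} ({endian}) at byte {off}, size {size}")
```

Run with the .upg file as its argument, it prints each candidate offset; the value reported for a real image is the number to pass to dd as skip=.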

I immediately looked at the “/etc/shadow” file to try and find the root password. It contained the string “root:$1$eG/OSotD$9oEArAGZ89ZTsUibWtl.q.:10933:0:99999:7:::”; this meant the password was stored as an MD5 hash, salted to be more secure against a table attack. I downloaded John the Ripper to give a brute-force attack on the password a go: http://www.openwall.com/john/. It took almost 4 days on a Core2 3GHz machine and it finally cracked the password.
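For anyone reviewing a firmware image before it ships, the same shadow file can be checked automatically. This is an added example, not part of the original post: it classifies each entry by its crypt(3) scheme prefix and flags the MD5-based `$1$` scheme seen above, along with empty passwords. The first sample line is the entry quoted in this post; the other two lines, the verdict labels and the function names are constructed for illustration.

```python
# crypt(3) scheme identifiers (the text between the first two "$" characters).
SCHEMES = {
    "1": ("md5crypt", "weak"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "y": ("yescrypt", "ok"),
}

def classify(pw_field):
    """Map the second field of a shadow entry to (scheme, verdict)."""
    if pw_field == "":
        return ("none", "empty")           # account logs in with no password
    if pw_field[0] in "!*":
        return ("locked", "ok")            # password login disabled
    if pw_field.startswith("$"):
        parts = pw_field.split("$")
        if len(parts) >= 3:
            return SCHEMES.get(parts[1], ("unknown", "review"))
        return ("unknown", "review")
    if len(pw_field) == 13:
        return ("descrypt", "weak")        # traditional 13-character DES crypt
    return ("unknown", "review")

def audit_shadow(text):
    """Return [(user, scheme, verdict)] for every entry in a shadow file."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        scheme, verdict = classify(fields[1])
        findings.append((fields[0], scheme, verdict))
    return findings

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE = """\
root:$1$eG/OSotD$9oEArAGZ89ZTsUibWtl.q.:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
guest::10933:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, verdict in audit_shadow(SAMPLE):
        print(f"{user:8} {scheme:12} {verdict}")
```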

I then went back to my serial console and made a successful root login.

BusyBox v1.00 (2009.11.23-02:24+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

# cat /proc/cpuinfo
system type : Sigma Designs TangoX
processor : 0
cpu model : MIPS 4KEc V6.9
Initial BogoMIPS : 291.84
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available

System bus frequency : 198000000 Hz
CPU frequency : 297000000 Hz
DSP frequency : 297000000 Hz
# mount
/dev/mtdblock5 on / type squashfs (rw)
/proc on /proc type proc (rw)
tmpfs on /dev type tmpfs (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /mnt type tmpfs (rw)
tmpfs on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock6 on /mnt/mtd6 type jffs2 (rw,noatime)
/dev/hda1 on /mnt/hd0 type ext3 (rw,noatime,data=ordered)
/dev/hda2 on /mnt/hd0/1 type jfs (rw,noatime)

It turns out that most of the software related to the Magic TV lives on another filesystem, mounted under /mnt/mtd6, which is a jffs2 read/write filesystem. This contains a startup script “/mnt/mtd6/autorun.sh” that is quite interesting. Some of its lines are copied below:

  1. #telnetd -p 8282
  2. #modprobe pl2303 debug=1
  3. insmod /lib/wifi/rt2870sta.ko

Line 1 is to run a telnet server. I have uncommented this line and can now telnet into my Magic TV over ethernet while it is turned on.
Line 2 looks to be a module for a PL2303 chipset USB to RS232 serial converter. I have not tested this, but maybe the Magic TV outputs some useful information here.
Line 3 is already uncommented, and it looks as if the Magic TV might already support some wireless network adapters based on this chipset.

Once I enabled the telnet server, I reassembled the Magic TV and put the device back in service. I can now copy files off over the network using the built-in ftp client. It’s not the most user friendly but it does work:

# /mnt/mtd6/ncftp/ncftp -u xxxxx -p xxxxx 10.0.0.11
NcFTP 3.2.3 (Jul 28, 2009) by Mike Gleason (http://www.NcFTP.com/contact/).
Copyright (c) 1992-2009 by Mike Gleason.
All rights reserved.
Connecting to 10.0.0.11…
10.0.0.11 FTP server (tnftpd 20080929) ready.
Logging in…
User ian logged in.
Logged in to 10.0.0.11.
ncftp /Users/ian > put 100613213005_002.ts
100613213005_002.ts:              ETA:   1:11   29.69/277.25 MB    3.50 MB/s

Copying the files off at 3.5 MB/s did not appear to have any impact on watching live TV which normally uses around 15% of the CPU.

That’s where I am currently up to. In the future I would like to try the following things:

  1. Find out what the RS232 level translator is and solder it onto the PCB to make a tidy console connection.
  2. Examine and compare the Hong Kong upgrade image to see the differences. Maybe one day get the variable program skip option added.
  3. Get a bittorrent client running for convenient downloading (just kidding :-).

Any suggestions or help gladly accepted.
