After trying the easy stuff (soft reset, hard reset, etc) I decided to dig deeper. First, locate the debug pins and get the tap setup. Helpfully they were clearly labeled and pre-soldered, however I needed to add a little bit more solder to get the wires to stick well enough:
Then route those through a FTDI device:
Once the correct baud rate was found (brute force FTW), we finally see what’s going on as the TV is stuck in a boot loop:
UART_115200 Jul 23 2019 13:43:52 Version 1.0087 Straps:0862 ML-Chip ID:000722c5 MP AC_ON MIU0_DQS-OK BIST0-OK #_DV Device ID - 6d61000005500722c51bba .........efuse ok BBT: Read @ 0x00000000 Bad blocks: 007b 049d NAND: Remapping Firmware partition using BBT 07721000 NAND: Remapping Rescue partition using BBT 01721000 Boot firmware partition SWUP Magic Offset 06fe0000 preuboot Jun 25 2021 00:13:02 BBT: Read @ 0x00000000 Bad blocks: 007b 049d NAND: Remapping Rescue partition using BBT 07721000 Check uboot in partition 0 Decrypt ATF Decrypt OPTEE Setup EL3 vector vode Boot ATF NOTICE: BL3-1: v1.1(debug): NOTICE: BL3-1: Built : 11:54:56, Jun 22 2021 INFO: warmboot return address : 5e301c00 INFO: BL3-1: Initializing runtime services ERROR: From args : smp boot address not pass from teeloader INFO: [Booting] mstar_send_magic_ATF 349 INFO: BL3-1: Initializing BL3-2 [Ramlog] ramlog_init init success INFO: BL3-1: Preparing for EL3 exit to normal world INFO: BL3-1: Next image address = 0x30c00000 INFO: BL3-1: Next image spsr = 0x1d3 INFO: BIN1_32bit mode Jun 22 2021 11:54:54 INFO: R1 0 INFO: R2 0 INFO: R3 0 starting addr 303EFFE0 303EFF60 303EFF60 303EDF50 303F0000 30D86E2C monitor len: 00577458 uboot_loadaddr: 30C00000 ramsize: 11190000 31180000 20000000 U-Boot 2011.06 (Dec 03 2021 - 23:29:48) LIBCODE:Utopia LIBVER:2.1638574183 BUILDDATE:2021120323msIR_Initialize [Utopia][SYS]: Function = SYSOpen, Line = 1655, current resource pri_shm content is: 0 [Utopia][SYS]: Function = SYSOpen, Line = 1674, [SYS INFO] OPEN INSTANCE... create instance at 30602EC0 with private size 108 bytes at 30602F10 [Utopia][MIU]: [MIU INFO] miu opencreate instance at 30602F80 with private size 152 bytes at 30602FD0 create instance at 30603070 with private size 60 bytes at 306030C0 uboot held at [303EDF50~31190000],size=00DA20B0 DRAM: 273.6 MiB Now running in RAM - U-Boot at: 30C00000 NAND: CIS is found @Blk1 FCIE is set to 62MHz initialize_roku_bbt Found BBT table in block 0 Read BBT contents from block 0 Bad blocks: 123 (@ 0x00F60000), 1181 (@ 0x093A0000) nand_remap_swupbbt NAND: Remapping Active partition using BBT 0x07721000 512 MiB Customer ID: 2
Now, we research these details. Just getting started….