How to modify Broadcom firmware

From Openlgtv
Jump to: navigation, search

Introduction

In this article we assume that you are familiar with modifications on Saturn 6 or Saturn 7 firmwares, so we'll speak for the most part about differences in Broadcom models.
The instruction is not finished, yet.

Models

EU models: LD650, LD750, LE55xx (except for 26LE55xx), LE7500, LE8500, PK950.
US models: LD550, LD650, (others?)
(most models with Ethernet connection and Netcast services)

Firmware

At first, the debug-mode and the u-boot mode are forbidden in new firmwares (since 3.06.01).
Try the instruction from Debug mode connection for 2010 year models or find an older firmware which will fit your model and use it instead, for example 03.05.15.

Preparations

Also, there is no production-ready solution like .epk-packed lgmod yet. You have to do most of the stuff with a RS-232 null-modem cable and USB drive.
Later you might make modifications through remotely through Ethernet connection.

Backup

When you finish to build your workspace environment, do not forget to backup your firmware! The backup process for Saturn 6 is described in the article How to backup TV firmware, but numbers of your mtd devices and numbers in the article are not going to match. So you shall pick the right numbers. You can find them in an output of the command 'mtd' in debug menu (not in the shell) or with 'cat /proc/mtd' shell command. Broadcom based models have usually 41 partitions - mtd0 up to mtd40.

Diving in

One of the most notable differences is the initialization process. In Saturn 6, bootstrap process looks like this: U-Boot calls linux kernel, kernel calls /sbin/init (init is a part of the busybox tool). /sbin/init reads usual (for linux) configuration files and executes usual startup scripts, such as /etc/init.d/rcS. So it goes. In Broadcom models U-Boot is replaced with CFE bootloader.
It's not possible to get into the bootloader and flash partitions in case of boot problems yet so most modifications, especially booting mods are risky here and could end with bricked TV.
LG haven't even thought about connecting JTAG pins on chip for flashing alternative
In Saturn7 and Broadcom, /sbin/init is substituted by custom LG init, which is called lginit and is stored in mtd 'lginit' partition. No usual linux startup script is executed during that process. One of the ways to fix the situation is to use /sbin/init instead of lginit (UNTESTED HERE! and because of locked CFE very risky to test).
This will require changes in the startup scripts. We know that lginit mounts partitions (mtd partitons with it's filesystems but also proc, ramfs, tmpfs, usbfs), connects to /dev/ttyS0 (RS232 port), initiates environment variables (which are not in startup scripts on rootfs!) for RELEASE and starts '/lg/lgapp/RELEASE 0'. In some situations it can erase partitions like mtd7 (data), mtd17 (fladata), mtd19 (brodata), for example when started by hand on already running system.
The lginit in Broadcom models on new firmwares (3.06.01 and up) also has a watchdog that points to /proc/sys/kernel/panic and reboots TV few seconds after it finds that RELEASE is not running (for example exit from it to shell on rs232 connection, killed or crashed). The watchdog is being disabled by enabling debug mode using service remote IR codes, described in Debug mode connection for 2010 year models.

After RELEASE is started it starts following processes:
addon_mgr
/mnt/addon/browser/opt/msdl //multimedia downloader
/mnt/addon/browser/opt/msdl -1
NetworkManager //manages ethernet connections
/mnt/addon/stagecraft/bin/stagecraft --bg /mnt/addon/contents/master.swf //Netcast services menu made using Flash with Flash executing binary
/bin/sh /mnt/browser/run3556 0 //web browser starting shell script
lb4wk 0 //Webkit and Mozilla Spidermonkey based web browser

Looking at these processed there are many ways for modifications by just for example subsitute the apps or scripts in the corresponding mtd by your own script which will serve as a proxy (do what you want and start the orignal app then). Making changes here is not as much risky as making modifications to init, rootfs or susbstituting RELEASE.

Images

Unfortunately there are no modified images for download, yet. You have to make changes yourself.

Lginit

Lginit mtd is a squashfs with one file. Unpack this squashfs and rename or remove this file. Pack new lginit image with squashfs (as opposite to Saturn 6 or 7 use the 4.0 version of squash-tools).
We don't recommend making changes to lginit, yet as in case of boot problems you'll brick yours TV and wont be able for recover backup.

Rootfs

Mostly all of the instructions below are related to the modification of rootfs image. Unpack it, modify, pack it again and flash it via RS-232. There's a /usr/sbin/start_telnetd script in original firmware that is capable of starting telnet server but it's not executed by lginit.
Before starting this script it might be necessary to mount pts device with 'mount -t devpts devpts /dev/pts' command to make telnetd be able to open virtual terminal.

Fstab

With /sbin/init on charge, all of standard linux configs start working. But they are wrong, that is the problem. Remember your list of mtd devices with numbers and fix those numbers in /etc/fstab, file which is responsible for mounting file system on the start. Be care, there are two kinds of mtds in the list - one for the main partition and one for reserved partition. The main one is the first one. For example, if you have lgres on 10 and on 30, then 10 is desired number.

Kernel modules

Add all modules you needed to the rootfs or any other modified partition. For example, for the CIFS support it is cifs.ko, NFS support are provided by sunrpc.ko, lockd.ko, nfs.ko. Load NFS modules in the listed order using 'insmod' command and full path to module file. You can also compile a new kernel with all the options you needed and flash it in kernel mtd. To compile custom modules you need a) BCM toolchain (BCM_toolchain.tar.gz), b) sources of Broadcom kernel (stblinux-2.6.31-1.0 from GP2_BCM.tar.gz), c) Linux (other unix) system, native or virtualized. Link to an archive with the kernel and toolchain is on Opensource packages list page. Pick up a working kernel for your model at that page. Export path to toolchain's bin/ directory to your PATH environment. You might need additional variables for compiling under toolchain.
Use the provided .config file as a basis for your .config file.
'make menuconfig' command will give you dialog menu to check the modules you want to compile. Be sure to answer 'yes' for question about to save on exit.
'make' will compile the kernel, but that's probably not needed now as using custom kernel might be high risk.
'make clean' will clean the results of previous builds.
For modules compilation (that's what we like to do) you should use 'make modules' command.

That's all, add your script to tie the things together or add other modification you want and you are done. This page is based on How to modify Saturn 7 firmware, so you might also look there for more informations.

Other differences

  • Binaries in Broadcom for old firmwares were linked statically to uClibc so LG should provide at least object files for their binaries, like RELEASE but doesn't want to do that.
  • From firmware 3.06.01 and up the binaries are linked dynamically, not statically. There is a whole bunch of .so files in /lib.
  • The new thing in Saturn 7 and Broadcom is DirectFB system. It is a powerful thing and can serve as a basis for many interesting modifications.