Hacking the Seiki SE39UY04

Posted: 8/17/14 12:13 AM

A few coworkers had originally purchased a Seiki SE39UY04 because of its low price so I was able to acquire one through a coworker who was looking to upgrade.  Despite the minor blemishes these panels have in general I have been happy with it.  I use the 4k display at work as a monitor for software development.  It didn't take much to setup in Linux, just some tweaking to xorg.conf after installing the latest NVIDIA drivers.  I read online about flashing different versions of the firmware so 120 Hz works at 1080p or to reduce input lag.  So, I went ahead and flashed the latest firmware from the Seiki website.  The hacker in me got interested when I saw the firmware image was just a tar file masked as a .img file.  So begins the adventure...

I was curious to see what was inside the firmware image, so I started by simply untaring it.  It contains some tools, device firmware, resources (boot video), kernel, and root filesystem.  Continuing further I unpacked the root filesystem and /usr/local/etc overlay archive.  Upon further inspection I found a number of interesting things.  The basics of course, which is that the TV runs a MIPS processor, 512 MB RAM, and 2.6.34 kernel.  I also found out that it has USB WiFi drivers for various RealTek chipsets (8192cu in particular), telnet enabled, and that the menu system is driven by a program called dvdplayer.  I thought since it has WiFi drivers available maybe I could telnet in if I could setup the interface.

Well this wasn't easy without knowing the network device name and what wireless tools were available.  I needed access to the UART so I could poke around the live system.  I took off the back panel, took some pictures, then connected my Bus Pirate so I could get console access.  I not only saw all the boot messages, but I could even interrupt the bootloader before the kernel was loaded.  I was able to find out that /usr/local/etc was a different partition and it was even mounted as writable.  My co-worker suggested that I have it call a script on the USB stick so I didn't need to mess with the firmware more than once.  So, I changed the boot script /usr/local/etc/rcS to call init.sh on the USB stick.  In this script it created an AdHoc wireless network with static IPs.  Once connected I was able to telnet in without problems (no root password).  He also suggested at one point that I try a USB serial adapter and fortunately there are drivers available for the ubiquitous pl2303.  The script was then changed to detect if either of the two devices were connected and setup either wireless, USB serial, or both.

Now the final step was to package these changes into an installable firmware file so others could get root access without opening up the TV and accessing the UART.  This involved untaring the install.img file and repacking the usr.local.etc.tar.bz archive to execute my script on the USB stick.  I started with a simple test change, to test the methodology, which was changing the engineering menu password (which is 2947).  After succeeding I continued on to changing the boot scripts.  The link at the bottom of this article contains the modified firmware file, a patch with these changes, and also an example USB script to enable wireless AdHoc access and USB serial access.  Please refer to the README file for more detailed information about the TV and how the firmware was modified and/or devices setup.

The real question is what to do now?  Since you can insert an arbitrarily large USB stick you could host complicated applications on the TV.  If there was a way to access the display then I imagine you could use the TV as a self-hosted digital signage system, or maybe you could use it as a remote display?  I'm not sure what the next step is, but keep in mind that the CPU shuts down when the TV is off, so no wake-on-lan or remote wake-up applications.  I hope by giving the community this first step someone will come up with a unique application.

There is a February 14th, 2014 firmware that some newer TVs come with pre-installed.  Unfortunately it's not available on the Seiki website and extracting the firmware from a newer TV could be difficult.  I have recorded the output of the firmware update procedure, which does write to various regions of the flash memory.  I'm not sure if this information would be enough to recreate the firmware.  Maybe the best course of action would be to continue to ask Seiki for the newer firmware.

All referenced files and additional information can be found at: http://download.zeroepoch.com/se39uy04


Show/Add Comments (38)