generic xoro 8530 recovery
skatz420
01-23-2017, 09:03 PM
Greetings, I have a receiver that is a Chinese Xoro clone that has an mstar msd7816 chipset. The firmware that was installed caused the receiver to lose most functions and subsequent attempts to replace the original firmware have failed. It will finish loading then go back to xoro. Closer inspection of the mains indicates a 4 pin section for possible recovery. I have obtained an mstar command list in the hopes that someone experienced with this can guide me through interfacing with this unit.
Mr Hanky
01-23-2017, 11:39 PM
Would it not be a jtag on the j6 ports top left corner of pic?
skatz420
01-23-2017, 11:55 PM
I was thinking maybe the 4 pin? Either way what cord setup do I need to serial interface with this?
skatz420
01-24-2017, 12:12 AM
Connect to UART port and power up the device. Hold any key till you will see << MStar >> prompt.
U-Boot 1.1.6 (Jul 15 2011 - 08:23:38)
Board: MSTAR KRNOUS (CPU Speed 552 MHz)
DRAM: 64 X 0 MBytes
U-Boot is running at DRAM 0x87600000
Module: USB FAT FLASH SPI LOGO OSD ENV=SERIAL
Flash is detected (0x0502, 0xC2, 0x20, 0x16)
MDrv_SERFLASH_GetInfo()
u32AccessWidth = 1
u32TotalSize = 4194304
u32SecNum = 64
u32SecSize = 65536
In: serial
Out: serial
Err: serial
MSVC00B000100100208768TH0000000T
[do_set_paneltype][559] is invoked!!
MDrv_PNL_Init u32PnlRiuBaseAddr = BF200000
MDrv_PNL_Init u32PMRiuBaseAddr = BF000000
MDrv_HDMITx_Init
Get IOMAP ID:300 Base:BF000000!
MDrv_HDMITx_SetHDMITxMode: HDMI mode
DAC eTiming =6
HDMITx eTiming =7
MDrv_HDMITx_Exhibit: Create Check Rx timer success!
HDMITx eTiming =7
=>cmd: spi_rdc 0x80B2C000 0x20000 0x80
offset 0x20000, size 0x80
WARNING: it is better to set dram start addr aligned to 65536 !!!
WARNING: it is better to set total length aligned to 65536 !!!
Flash is detected (0x0502, 0xC2, 0x20, 0x16)
initialization done!
logo addr in spi: 0xBFC70000; logo size:0x1E528
=>cmd: spi_rdc 0x80B2C000 0x70000 0x1E528
offset 0x70000, size 0x1E528
WARNING: it is better to set dram start addr aligned to 65536 !!!
WARNING: it is better to set total length aligned to 65536 !!!
u32ReadBuffVirAddr = A0000000, u32IntBuffVirAddr = A0100000, u32OutBuffVirAddr = A0730000
verJPD_SetStatus >>>>>>>>>>> w:720, h:576, p:720
GFX init--
GE_SetOnePixelMode
Hit any key to stop autoboot: 0 0
Now insert USB drive and enter commands:
<< MStar >># usb reset 0
<< MStar >># fatwrite usb 0 0xBFC00000 backup.bin 0x400000
<< MStar >># usb stop
This was a flash backup wiki I found
This below is more debricking instructions
hxxp://mstar.wikia.com/wiki/Debricking
Mr Hanky
01-24-2017, 02:30 PM
Usually to a printer port on one end and soldered on the board.
https://images.search.yahoo.com/search/images?p=jtag+cable&fr=yset_ff_hp_cnewtab-s&imgurl=http%3A%2F%2Fvelesoft.speccy.cz%2Fjtag%2Fjtag-cable.jpg#id=2&iurl=http%3A%2F%2Fwww.cellcorner.com%2Fxshp%2Fstoredimages%2Fdetailed%2Fd_2430.jpg&action=click
Take your pick; there's programs for writing the software also. I haven't had to write a tsop or any board in at least 5 yrs.
jvvh5897
01-24-2017, 07:26 PM
The serial port cmds are very useful. It may be that you can do anything that you could do through the serial port with usb by having the correct monitor cmds as part of the start of a file. If you look at the xoro 1.1 file you will find a set of cmds as ascii text at the start that tell the box what to do:
cusid cd90 7620 1 U01 0x0C02
fatload usb 0 80000000 $(ForceUpgradePath)
spi_wrc 80004000 0 3be04c
setenv usb_complete 1
setenv usb_upgrade 0
setenv OAD_NEED_UPGRADE 0
setenv OAD_TRIGGER_TYPE 0
setenv bootcmd ' spi_rdc 0x80b00000 0x9e01c 0x32002e; LzmaDec 0x80b00000 0x32002e 0x80000180 0x81000000; go 0x80000224;
setenv upgrade_mode null
setenv MstarUpgrade_complete 1
setenv bl_jpd_read_addr 0x01cf0000
setenv bl_jpd_read_size 0x00100000
setenv bl_jpd_write_addr 0x01df0000
setenv bl_jpd_write_size 0x003fc000
setenv bl_jpd_inter_addr 0x021ec000
setenv bl_jpd_inter_size 0x00630000
setenv bl_dfb_framebuffer_addr 0x0281c000
setenv ve_buffer_addr 0x02e0ac00
saveenv
reset
The first thing you see is the manufacturer ID code and while I don't know for sure, I bet that is tested to only allow that box ID files to be written to the box.
The rest of the cmds are best explored with the serial port as you can get 'help' on the commands:
Here is generic help from the cmd prompt on one of my MStar based boxes:
<< MStar >># help
? - alias for 'help'
do Lzma for compress image
base - print or set address offset
bdinfo - print Board Info structure
boot_logo - Logo display
bootm - boot application image from memory
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
cpmsbin - Copy ms bin file (Chakra) from nand to dram
crc32 - checksum calculation
cusid check the image is release by the valid guys
dcache - enable or disable data cache
dmx_init - initialize the demux setting
dmx_init - initialize the demux setting
draw_pixel - draw a pixel with color
draw_string - draw string with color
draw_rect - draw rect with color
draw_string - draw string with color
du - Disable UART
env2flash - read environment parameter file and restore it to flash
envbin - read out environment parameter and store it to usb disk
erase - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatwrite - write binary file to a dos filesystem
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mstar - update kernal & root file system automatically by script file
mtest - simple RAM test
mw - memory write (fill)
ustar - update kernal & root file system automatically by script file
nm - memory modify (constant address)
ostar - update kernal & root file system automatically by script file
oad_get_size - Get the file size from OAD download
osd_create - create osd layer
osd_destroy - destroy osd layer
pnlinfo - set panel info and save to nand flahs
printenv- print environment variables
protect - enable or disable FLASH write protection
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
set_paneltype [type] - Set Mboot panel type and store the type value in env
setenv - set environment variables
spi_dma - SPI copy data from flash to DRAM by PIU DMA
spi_ea - SPI erase all
spi_eb - SPI erase block
spi_gfo - SPI get flash info
spi_gr - SPI get Chip Rev
spi_id - SPI read ID
spi_in - SPI initialization
spi_r - SPI read commands
spi_rb - SPI read buffer
spi_rdc - SPI read code from SPI flash to DRAM
spi_rs - SPI read status
spi_w - SPI write commands
spi_wb - SPI write buffer
spi_wp - SPI write protect
spi_wrc - SPI write code from DRAM to SPI flash
sspi - SPI utility commands
sysinfo - set system info and save to nand flahs
tuner_demodtype - set frontend type
tuner_init - frondend initialization
tuner_tune - tune RF to check lock or not
usb - USB sub-system
ustar - update kernal & root file system automatically by script file
usbboot - boot from USB device
ustar - update kernal & root file system automatically by script file
version - print monitor version
<< MStar >
More info can be had on specific cmds.
jvvh5897
01-24-2017, 07:39 PM
If you have not figured out the pin-outs for your serial port already, then you might try pin 2 as ground and pins 3 and 4 as RX and TX (could be TX and RX order, just connect your serial port RX line (use an interface of some sort PLEASE, RS232 lines use plus and minus 12 volts and your box processor will not like those one little bit) to one or the other and boot up the box--if you don't see something then use the other pin to see if that is the box TX line). I just use a pair of NPN transistors as my TTL to serial port interface (details are in the RCA thread here: http://www.satfix.to/showthread.php?167246-DTA800B-hacking), but you can use a TTL to USB serial converter board--they are cheap. You use 115.2k Baud 8,N,1 settings.
I don't think much work has been done to explore these boxes. I have a DVB-S2 box with MStar processor and have played with an ATSC Sunkey 903H box with the same chip (just the tuner decoder chips are diff). The main code inside the files is lzma compressed and MIPS32 machine code. The serial port commands can be used to dump the flash and RAM contents to usb files (be careful to have a small usb memory stick that is largely empty because there is not much effort to keep from overwriting files on the stick when you do a cmd like fatwrite usb 0 0xbfc00000 fw.bin 0x400000).
In your quoted boot you can see:
logo addr in spi: 0xBFC70000; logo size:0x1E528
=>cmd: spi_rdc 0x80B2C000 0x70000 0x1E528
That tells you the boot logo that you first see on screen is stored in flash at 0xBFC70000 and its size--you can change that! It is just a jpeg image. The image is moved from flash to RAM at 0x80B2C000 for eventual display.
skatz420
01-24-2017, 10:06 PM
What is the best terminal program to interface with this? Is all of the programming present on the 8 pin chip or is it found in multiple places?
Will something like this work for a cable?
hxxps://www.amazon.com/Armorview-PL2303HX-RS232-Module-Converter/dp/B008AGDTA4/ref=sr_1_6?ie=UTF8&qid=1485294936&sr=8-6&keywords=usb+to+serial+ttl+cable
jvvh5897
01-25-2017, 07:01 PM
I think just about any terminal program. If they still have Hyperterm with windows, that would be OK. I use it and another.
Yes all the programming is on the 8 pin SPI chip. The boot is part of what you load with the bin file as is the main lzma compressed SW. Also on the flash is the channel list that you scan in and the environment settings--both of these are in two places in the flash but I'm not sure if that is so you can recover the env or just what is going on.
I'm not sure if that cable is the best to use or not. I know the processor uses 3.3 V in most places but TTL is really 5V as I learned it (long, long ago). So, I don't know if the cable uses TTL to indicate 5V or if it would work just fine with 3.3, or if you might want to use a resistor in-line to limit currents. I can set the two transistor interface to the voltage I find that works and current is limited by the resistors anyway.
What I would try as a first test is to dump the flash contents out the usb port by trying out script in a usb file that you load. Or just try to load a new logo image by having a file with the image (let's say it is 0x20000 bytes in size and called logo.bin) and load a file with script something like:
cusid cd90 7620 1 U01 0x0C02
fatload usb 0 80000000 logo.bin 0x20000
spi_wrc 80000000 70000 0x20000
You might try modifying the script at the start of the file you've been trying to load. With any luck that would force load the logo file to the location in flash where the logo image is at (assuming that is indeed where your box has it saved). If it works then when you turn on the box you should see a new logo.
Or you might try to slip in the fatwrite usb 0 0xbfc00000 fw.bin 0x400000 in your file script as a first try to see if you can copy out your flash contents (assuming you have a 4Meg byte flash and not 8M ). It has been a while since I played with the script via the serial port, you might have to have a file named fw.bin on the usb stick before you try it.
skatz420
01-25-2017, 10:30 PM
Would the terminal output tell me when the box boots? This reminds me of lynx software.
I did some digging and opened the firmwares with a file viewer. The file extension is .ap
Here is the beginning of both firmwares, I am thinking maybe if I modify the first cusid line maybe something good will happen but I don't know what program to use in order to edit this type of file:
XORO 8530 firmware:
cusid cd90 5 1
spi_wrc 0x80001000 0 30e710
setenv usb_complete 1
setenv usb_upgrade 0
setenv bootcmd ' spi_rdc 0x80b00000 0x9001c 0x27e6f4; LzmaDec 0x80b00000 0x27e6f4 0x80000180 0x81000000; go 0x80000224;
saveenv
reset
MSD7816 factory file:
cusid 4d5354 1 1
spi_wrc 0x80001000 0 2fe8e0
setenv usb_complete 1
setenv usb_upgrade 0
setenv bootcmd ' spi_rdc 0x80b00000 0x8001c 0x27e8c1; LzmaDec 0x80b00000 0x27e8c1 0x80000180 0x81000000; go 0x80000224;
saveenv
reset
jvvh5897
01-26-2017, 05:14 PM
Any hex editor will do. Most hex editors will let you enter ascii text in the left field of the screen. The lines are 0x0d 0x0a newline and return separated.
There might be a checksum at the end of the file. When I took a close look at the xoro 1.1 file (I think I was told this was a DVB-T box so the file is likely DVB-T rather than DVB-S2), I found that the first 0x4000 bytes seem to be space for script and if you look at the spi_wrc 0x80001000 0 30e710 and add 0x4000 and compare to the file size there seem to be 0x18 bytes at the end that are not in that write to flash--in that 0x18 bytes I see the first 4 bytes are non-zero and could be a checksum.
I also found the background image--about 90K bytes in size, but jpeg (lots of red in it).
I pulled out my old DVB-S2 box that is MStar based and found the 4 pin connector for serial has ground on pin 2, pin 3 RX and pin 4 TX.
I don't have an upload file example for the box (only the flash dump) but I have been playing with script in a usb file to see if one can do something interesting that way--no luck so far, but I do get odd results trying to load a small file as upload file (I was able to figure out the name the file has to be from the flash dump). Sadly that Sunkey 903H box got zapped by lightning over the summer so I can't play with it or the upload files I have for similar boxes (there are a lot of ATSC convert/recording boxes that use MStar).
jvvh5897
01-26-2017, 05:30 PM
You might consider uploading the SW you are trying to get in the box. I've been to the xoro site and they don't offer a zip file of the download, just a weird data format (maybe if I try a diff browser...hum). I've found the usb_upload_flash_all zip at a couple of German forums, but they don't allow download unless you are a member.
Never mind. Chrome gave me the option to save the data AP file as such.
skatz420
01-26-2017, 05:46 PM
That should be the proper file.
jvvh5897
01-27-2017, 05:58 PM
The version for 8530 that I picked up from xoro site yesterday does have a four byte checksum at the end of it. Standard crc32 over the file from start to the checksum. The script space was 0x1000 bytes and included in the crc. The logo jpeg inside was the same as the one I extracted from another box by them.
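Added example (not part of the thread, and not code from Xoro or MStar): a Python check of the .AP layout described in the posts above, which finds the script area from the spi_wrc line, then compares a CRC32 of everything before the checksum with the stored four bytes. Assumptions: the file is loaded at 0x80000000 (the address in the 1.1 script's fatload line), the checksum sits immediately after the payload, its byte order is unknown so both are tried, and the sample file is constructed here.

```python
import re
import struct
import zlib

LOAD_BASE = 0x80000000  # assumption: DRAM address the upgrade file is loaded at
HEXARG = rb"\s+(?:0x)?([0-9a-fA-F]+)"
SPI_WRC = re.compile(rb"spi_wrc" + HEXARG * 3)
CUSID = re.compile(rb"cusid[ \t]+([^\r\n]+)")

def inspect_ap(data: bytes) -> dict:
    """Locate script area, flash payload and CRC32 in an .AP upgrade file."""
    m = SPI_WRC.search(data[:0x4000])  # script area is 0x1000 or 0x4000 bytes
    if not m:
        raise ValueError("no spi_wrc line found in the script area")
    src, flash_off, length = (int(x, 16) for x in m.groups())
    script_size = src - LOAD_BASE      # payload starts right after the script
    end = script_size + length         # checksum assumed to follow the payload
    if script_size <= 0 or end + 4 > len(data):
        raise ValueError("spi_wrc range does not fit inside the file")
    crc = zlib.crc32(data[:end])
    stored = data[end:end + 4]
    # Byte order of the stored CRC is not stated in the thread: try both.
    order = next((o for o in ("little", "big")
                  if int.from_bytes(stored, o) == crc), None)
    cus = CUSID.search(data[:script_size])
    return {
        "cusid": cus.group(1).decode("ascii").split() if cus else None,
        "script_size": script_size,
        "flash_offset": flash_off,
        "payload_len": length,
        "trailer_len": len(data) - end,
        "crc_computed": crc,
        "crc_order": order,            # None means the checksum does not match
    }

def build_sample() -> bytes:
    """Constructed sample file: 0x1000-byte script, 64-byte payload, CRC32."""
    script = (b"cusid cd90 5 1\r\n"
              b"spi_wrc 0x80001000 0 40\r\n"
              b"saveenv\r\nreset\r\n")
    body = script.ljust(0x1000, b"\x00") + bytes(range(64))
    return body + struct.pack("<I", zlib.crc32(body))

if __name__ == "__main__":
    for key, value in inspect_ap(build_sample()).items():
        print(key, value)
```

A matching CRC32 only shows the file was not corrupted in transfer; it is not a signature and says nothing about who produced the image.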
jvvh5897
01-27-2017, 06:07 PM
BTW, for those that want to see a little about the menu and functions in ATSC boxes based on MStar processors you can look at images in the thread here:
http://www.avsforum.com/forum/42-hdtv-recorders/1465875-iview-3500stb-tuner-dvr-owners-thread.html
Seems boxes like Koramzi, Ematic, ViewTV and a number of others are all MStar inside. All record OTA and let you see the Nagra encrypted channels on ION's channel.
jvvh5897
01-28-2017, 08:00 PM
Just to clarify, you can't watch the encrypted channels, just that the box will find them and show them in the channel list. Last I tried to scan with an RCA 800 box, the ION channel made the box very unhappy--it seemed to get stuck trying to figure out what to do with it.
On the topic of the DVB-S2 box though, here is the help for cusid:
help cusid
cusid
command cusid <oui> <swModel> <swVer>
And when I have the box print out the environment settings:
printenv
bootdelay=0
baudrate=115200
preboot=echo;echo Type "help" for more commands.
MS_BOARD=BD_MST124SZ.h
CUS_NAME=MST_7816_DEMO
logo_cmd=boot_logo 0 0 1 1
AppMagicFlagAddr=0x80000
info_exchange=spi
CUSTOMER_OUI=0x4D5354
AP_SW_MODEL=0x0001
AP_SW_VERSION=0x0001
HW_MODEL=0x0001
HW_VERSION=0x0001
OAD_NEED_UPGRADE=0
OAD_NEED_SCAN=0
USBUpdateFlag=0
usb_upgrade_port=0
usb_upgrade_path=usb_upgrade_all_flash.AP
filesize=2F87D8
usb_complete=1
usb_upgrade=0
bootcmd=spi_rdc 0x80b00000 0x8001c 0x2777b7; LzmaDec 0x80b00000 0x2777b7 0x80000
180 0x81000000; go 0x80000224;
LOGO_SPI_ADDR=70000
LOGO_BIN_SIZE=B054
panel_cmd=set_paneltype 11
stdin=serial
stdout=serial
stderr=serial
Environment size: 664/65532 bytes
So I'm guessing that the parameters for the cusid cmd for my box should have:
cusid 4D5354 1 1
And if you leave out the cusid line of the script for loading an upgrade that the box will take the upgrade regardless of the environment settings for its "validity".