Hacking Your Way to a Custom TV Boot Screen

More and more companies are offering ways for customers to personalize their products, realizing that the increase in production cost will be more than made up for by the additional sales you’ll net by offering a bespoke product. It’s great for us as consumers, but unfortunately we’ve still got a ways to go before this attitude permeates all corners of the industry.

[Keegan Ryan] recently purchased a TV and wanted to replace its stock boot screen logo with something of his own concoction, but sadly the set offered no official way to make this happen. So naturally he decided to crack the thing open and do it the hard way. The resulting write-up is a fascinating step-by-step account of the trials and tribulations that ultimately got him his coveted custom boot screen, and just might be enough to get you to take a screwdriver to your own flat panel at home.

The TV [Keegan] bought was from a brand called SCEPTRE, but as a security researcher for NCC Group he thought it would be a fun spin to change the boot splash to say SPECTRE in honor of the infamous x86 microarchitecture attack. Practically speaking it meant just changing around two letters, but [Keegan] would still need to figure out where the image is stored, how it’s stored, and write a modified version to the TV without letting the magic smoke escape. Luckily the TV wasn’t a “smart” model, so he figured there wouldn’t be much in the way of security to keep him from poking around.

He starts by taking the TV apart and studying the main PCB. After identifying the principal components, he deduces where the device’s firmware must be stored: an 8 MB SPI flash chip from Macronix. He connects a logic analyzer up to the chip, and sure enough sees that the first few kilobytes are being read on startup. Confident in his assessment, he uses his hot air rework station to lift the chip off the board so that he can dive into its contents.

With the help of the trusty Bus Pirate, [Keegan] is able to pull the chip’s contents and verify its integrity by reading a few human-readable strings from it. Using the binwalk tool he’s able to identify a JPEG image within the firmware file, and by feeding its offset to dd, pull it out so he can view it. As hoped, it’s the full screen SCEPTRE logo. A few minutes in GIMP, and he’s ready to merge the modified image with the firmware and write it back to the chip.

He boots the TV back up and finds…nothing changed. A check of the datasheet for the SPI flash chip shows there are some protection bits used to prevent modifying particular regions of the chip. So after some modifications to the Bus Pirate script and another write, he boots the TV and hopes for the best. Finally he sees the object of his affection pop up on the big screen, a subtle change that reminds him every time the TV starts about the power of reverse engineering.
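The carve-and-merge step, plus a read-back comparison that would have flagged the ignored first write, as an added Python example (not code from [Keegan]'s write-up). It assumes the replacement JPEG has to fit inside the original's byte range, that the boot code tolerates 0xFF padding after the end-of-image marker, and that no checksum covers the region; the function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_span(fw):
    """Return (start, end) of the first JPEG in fw, found by walking its segments."""
    start = fw.find(SOI + b"\xff")      # signature scan for the start-of-image marker
    if start < 0:
        raise ValueError("no JPEG signature in image")
    pos = start + 2
    while pos + 4 <= len(fw):
        if fw[pos] != 0xFF:
            raise ValueError(f"lost marker sync at {pos:#x}")
        marker = fw[pos + 1]
        (seg_len,) = struct.unpack(">H", fw[pos + 2:pos + 4])
        pos += 2 + seg_len              # length field counts itself, not the marker
        if marker == 0xDA:              # SOS: scan data runs up to the EOI marker
            end = fw.find(EOI, pos)
            if end < 0:
                break
            return start, end + 2
    raise ValueError("truncated JPEG")

def splice_logo(fw, new_jpeg, pad=b"\xff"):
    """Overwrite the embedded JPEG in place so every other byte keeps its offset."""
    start, end = jpeg_span(fw)
    room = end - start
    if len(new_jpeg) > room:
        raise ValueError(f"replacement is {len(new_jpeg) - room} bytes too large")
    return fw[:start] + new_jpeg + pad * (room - len(new_jpeg)) + fw[end:]

def classify_write(original, intended, readback):
    """Compare a dump taken after writing with what was meant to be written."""
    if readback == intended:
        return "written"
    if readback == original:
        return "ignored"                # the 'nothing changed' case: writes were dropped
    return "partial"

def constructed_jpeg(scan):
    """Constructed sample: JPEG marker layout only, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 6) + b"\xff\xd9AB"   # decoy EOI in payload
    sos = b"\xff\xda" + struct.pack(">H", 2)
    return SOI + app0 + sos + scan + EOI

if __name__ == "__main__":
    fw = b"BOOT" + bytes(60) + constructed_jpeg(b"\x11" * 40) + b"TAIL" + b"\xff" * 16
    patched = splice_logo(fw, constructed_jpeg(b"\x22" * 30))
    print(jpeg_span(fw), jpeg_span(patched), classify_write(fw, patched, fw))
```

Walking the segments rather than searching for the first `FF D9` keeps the carve from stopping at end-of-image bytes that sit inside a segment payload, such as an embedded thumbnail.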

40 thoughts on “Hacking Your Way to a Custom TV Boot Screen”

  1. I’d like to see someone hack a Vizio M220NV TV to update its internet capabilities. It’s a smart-ish 21.5″ 1080p TV from 2007. The software is from Yahoo, hasn’t had an update in ages but if you come across one that doesn’t have the latest version, Vizio’s server will still push the updates if you connect the TV to the net.

    I got mine for free, replaced the mainboard for $50 and picked up a remote for $10. Cheaper than a new 1080p TV/monitor of this size.

    The problem is the “smart” part is mostly non-functional now due to services like Yahoo, Vudu etc changing their backend services to be incompatible with old apps. A friend has a Blu-Ray player with similar capabilities that are all useless now thanks to the changes in internet video streaming technologies.

    Manufacturers don’t want to keep updating their apps, they want people to buy new “smart” appliances to support changing web tech. My 4K Samsung TV hasn’t seen an OS update for a while, but various companies have periodically updated their apps for it.

    The problem with things like my Vizio TV or my friend’s Blu-Ray is their OS and all the apps were from the manufacturer. They didn’t create an open system where other parties could write their own apps. They did it even more restrictive than Qualcomm’s razor wire topped walled garden for BREW apps.

    As for the Vizio M220NV, I’d be happy if it could just play Youtube on its own. Surprisingly, Vudu still works on it – in HD. Hulu dropped support in August 2018. Netflix doesn’t say if it works or not, wants me to start my free trial. It *had* a Youtube app but one of the updates eliminated it. Yahoo News, Weather, and Flickr still work. Unfortunately the Flickr app only shows low-res versions of the pictures.

    1. TVs became simple monitors with sound since the analog tv signals disappeared. Attach a Raspberry Pi for the cheapest and easiest way to make it smartish or an old appletv if you fancy.

    2. Youtube changes its API every 3 years or so. I figured this out with the first wave of breakage round about 2012 and have avoided closed player tech in TVs, players etc since. Got me a $40 android box for longer support, there’s a way to put ubuntu on it, when the android version is deprecated.

    3. I honestly would like to see a hack to remove all the vendor supplied bloatware & hardcoded apps into a TV, and give me more control over things like “2 presses of this button sets the sleep timer for 45 minutes” which would help on one TV I have that requires 13 button presses JUST TO GET TO THE SLEEP TIMER MENU. Remove all the built in appz, spyware, et-phone-home-to-samsungs-hq crap, but let me use MY device. If I want a smart TV, I’ll plug a device I control into it…like a Pi.

      1. Look at universal remotes for your tv, and play with all 255 button combinations. It’s likely that there is a dedicated sleep function button that’s not on your original remote. Case in point, my Insignia tv has dedicated/discrete change to specific input codes. By walking through the codes, I found the ones I needed.

    1. I hear that term thrown about quite often. I doubt, however, most take a moment to think beyond their convenient “catch-all” excuse. Technological advances in electronics can take many forms. Some once produced can no longer be modified like the selection of components. As software advances are made some of this hardware componentry cannot be upgraded to do things that were heretofore unimaginable or never intended. Similarly, design and component changes can affect the way drivers and operating systems interact. Newer component assemblies may benefit from changes to the OS that the old componentry is not designed to run as efficiently or may even go so far as to make those component assemblies slower. This is an effect of change and progressive change. Call it planned obsolescence if you wish but it is not that simple if you take the time to explore the concept and the various causes.

      1. I understand the reason for not supporting older products, the money has been made and it is not a wise business choice to dedicate resources to something that has already been written off in the books, perhaps an upgrade/update fee would make it more feasible economically. Technology direction and hardware limitations are good reason.
        My bigger gripe is companies that sell a product and tout its ability to be upgraded/future proof as a feature and then move on. Efficiency of the newer design is always a consideration and feature limitation. For instance google play store and this “progress” mentality of app, you must have the latest version of android to download this app. (From a software side I can understand the added difficulty of coding a program to operate in different ways depending on version and available features of the os.)
        i.O.S. limiting processor speed on older devices…. If the device was running its original firmware with proper security backports the “slowdown” after upgrade would likely not be an issue, you may be missing the “feature” of the new device but it still functions similar to the day it was new.

        I do like the way backport updates are pushed into previous versions of debian. I have not seen this in other software sets and it always seems that if companies do “security update” they are pushing out a new unneeded feature and somehow affecting performance therefore making you consider to upgrade to a faster device.

        /end jumbled rant thought

    1. What is mundane to some will also be others first introduction. I don’t mind seeing and hearing about what others are doing that I can already do. Often it sparks an idea I wouldn’t have had without stirring the dust in my head.

    2. He shouldn’t have even needed to unsolder the chip. Programming clips are inexpensively available that allow for clipping onto the chip to allow for reading and writing of it.

      I’ve used such clips on a couple projects I have done including using one to ‘clone’ a gauge cluster of a car so I could upgrade the car to a tachometer cluster but keep the mileage and other cluster programming information.

      Now only if I could decode the method for storing the mileage, I know where it is stored but not how exactly. But that is a project for another day.

        1. I read the article here, but did not see it. Or do you mean, I should follow external links. This is something I do not regularly do from an article here, mostly because most external links lead to a youtube video. And while you can read a text as fast as you want, watching a video is (often) too time consuming.

        2. OK, this was not a link to a video, so I followed it. I would say: Of course it would be difficult – and mostly unwanted – to power the whole device through the test clip. I would try to access the flash in the powered up device. But of course, depending on the implementation of the SPI bus and possible HW write protection, this can work or not.

      1. PC1911, you wanna make friends? Devise a way to change the picture on the digital display in a Dodge Hellcat. It has 4 views of a red Hellcat. Every owner wants it to display his/her color.

    3. Pretty tough talk considering the snooze-fest you call a personal blog: “Observe, here is another dusty old clock gear”

      Come back when you do something half as impressive and well documented as this guy did.

      1. lol, that’s actually a very interesting blog but it doesn’t look like you read much of it – there is a shed load of technical stuff on there, like reverse engineering the esp8266 bootloader and writing a replacement, which is considerably more “impressive and well documented” than this.

  2. Really sweet hack and all, be much more useful to change the input selection menu to something more useful than HDMI1 and HDMI2 etc. Nobody in my house can remember which is connected to what device and I get a phone call about twice a week.

    Frankly, I’ve never understood why the manufacturers haven’t made this an editable list.

    1. I agree with you, but I think it depends on the manufacturer and the specific model of TV. I have several new-ish TVs at work I use for testing that don’t allow you to change the naming of the inputs to something meaningful. However, I have a Mitsubishi WD-65736 (1080p, rear-projection, DLP) from 2008 that allows each of the inputs to be assigned from a predefined list (DVD, Blu-ray, DVR, etc.). I also have a couple of LGs that have something similar to the Mitsubishi.

      From personal experience, I’ve seen that all (all is being used loosely) Home Theater receivers have the ability to name each input. I have an old Sony from 2002-ish, and Pioneer from 2010, and an Integra from 2012 that all support input naming.

    2. Definitely depends on make/model, and probably to an extent the cost, of the TV.

      In the past I’ve had TVs which let you pick from a list of common devices (GAME, DVD, CABLE, etc), but the new 4K smart TV I got last month let me name the things whatever I wanted with the on-screen keyboard. Can even hide the inputs you don’t use to make it quicker to navigate through.

      1. I have a S**y-TV (totally un-“smart”) which is close to fifteen years old and I can definitely brand the inputs via Remote and OSD. Putting in “hackaday” instead of “HDMI1” is most definitely possible.

  3. SPECTRE was, of course, named for the James Bond books’ evil organization “Special Executive for Counter-intelligence, Terrorism, Revenge, and Extortion”, itself a product of Ian Fleming’s fertile (and occasionally febrile) imagination. Having that come up on a laptop boot screen can be a lot of fun in the right company.

  4. For decades you had to wait for the TV to warm up. Then along came solid state and the picture came on right away. Now TVs and monitors make you wait, some shorter some longer. How much of my time does that unnecessary crap waste? I would like to get rid of it, as well as all of the animation on my phone. How much time does it waste? Phones would be faster! I don’t need ADDADHD enhancement.

    1. Enable developer settings and reduce the animations. The phone won’t be substantially faster though, animations are often masking load times. I put mine on 0.5x (half the time aka double the speed) and it’s snappy. You still want animations as feedback to know what’s happening on screen.

    2. It’s just the boot time you have anyway. Although it’s quite annoying e.g. on an Eonon car radio (Android): You have to wait 1-2 minutes for the device to cold boot after starting the car, before you can hear music or use the GPS navigation.

  5. Has anyone found firmware updates for the Sceptre TVs? I have a similar model. There is a working USB port and a listed firmware rev, so the capability is there. But the mfgr doesn’t post any firmware files, and I haven’t uncovered any via digging around on their site.
    No real need as it’s thankfully not a “smart” unit (and a good price to boot) but it would be nice to have a look at the fw.
