Author Topic: AirTV Reverse Engineering  (Read 753 times)


bobuhito (Topic starter)
AirTV Reverse Engineering
« on: August 16, 2024, 05:42:28 am »
I have a fairly common unsolved problem where my AirTV (an HDTV tuner and internet streamer) never properly finds a supposedly-supported USB drive (Western Digital "My Book Essential" WDBAAF5000EBK).  It does eventually format the drive (with a lot of unplugging and plugging) but never is able to use it as a DVR...I am giving up on Sling ever fixing this.

Anyway, since it's therefore not too useful, I opened it up to learn how it works and possibly hack it.  I can't identify many of the chips by their markings, so hoping some people here could help with comments.

By the way, FCC has photos at https://fcc.report/FCC-ID/DKN-MJS79

Here is the PCB's top view without and with notes (I'm going to add more details in a follow-up post...sorry for cheating EEVBLOG's image-storage limits this way):

 

bobuhito (Topic starter)
Re: AirTV Reverse Engineering
« Reply #1 on: August 16, 2024, 06:00:08 am »
First, the coax input seems to go to a filter, then an LNA amplifier, and then a demodulator, all within the can shielding (with the lid removed for the 3 corresponding photos below).

The coax input is shunted to ground by a large inductor L2.  A DC-blocking C1 also takes the input to a "K1L" ESD/TVS diode (I think this is a diode) and further L/R/C filtering/matching components.

I am guessing the "20N" chip is the LNA amplifier/splitter (to allow for 2 tuners), but can't find any datasheet.

I am also guessing the "4110" chip is the demodulator.  At first, I suspected this might be ADF4110, but that seems wrong since ADF4110 is not normally a demodulator.  Anyway, is there a public datasheet for this "4110" part?


 

bobuhito (Topic starter)
Re: AirTV Reverse Engineering
« Reply #2 on: August 16, 2024, 06:08:55 am »
Finally, "MSB1237" (for which I also cannot find a datasheet) probably converts the demodulated low-frequency signal to ATSC digital data for the "XCODE 5116" processor (which uses two SDRAM chips).

Does that flow all seem reasonable?  I am sure I have made some mistakes, so hoping y'all can set me straight and help with some of those chip markings.  Thanks!
 

bobuhito (Topic starter)
Re: AirTV Reverse Engineering
« Reply #3 on: August 16, 2024, 06:16:23 am »
Also, it seems Sling only allows me to write their latest firmware (though I believe older firmware would not have my DVR problems/bugs), so I wonder if there might be ways to get around this...or for general hacking.  Even without ethernet, there is a UART programming area shown in the photo below.  I have not tried to communicate with these pins (since somebody apparently already tried at https://www.reddit.com/r/AirTV/comments/dd6wiz/airtv_api), but I would be happy to try any good ideas you might have for hacking this.  Thanks!
 

EggertEnjoyer123
Re: AirTV Reverse Engineering
« Reply #4 on: August 16, 2024, 07:09:56 pm »
Figure out where the flash IC is (looks like the BGA chip next to the ethernet cable) and dump the contents. There should be a file system or something on the flash IC if you're lucky. You can then try to figure out how to get root on it (or modify it to accept your SSH password). It will be tricky to do (look into how data recovery is done).

It is very likely that the 4110 is actually the ADF4110. You should look for the mixer and VCO elsewhere on the board.
« Last Edit: August 16, 2024, 07:17:13 pm by EggertEnjoyer123 »
 

bobuhito (Topic starter)
Re: AirTV Reverse Engineering
« Reply #5 on: August 16, 2024, 08:50:25 pm »
@EggertEnjoyer123
You're right, that IC can be read in my prior photo as "ML01G200BHI00", a 1Gb flash IC.

That is the first chip for which I have found a datasheet, but it says "security features are subject to an NDA (non-disclosure agreement) and are, therefore, not described in the datasheet", so I expect it to be difficult to get meaningful content from this IC (also, I've only read via UART and SPI protocols in the past, neither of which seems to be supported here, so I doubt that I have convenient tools to dump this flash through some backdoor).  Like you said, "It will be tricky to do"!

It's also possible that the "XCODE 5116" CPU has some persistent memory allowing it to encrypt any flash contents.  Even if I get the flash contents, I need a datasheet for the CPU to understand the meaning of flash instructions...does anyone have this datasheet?
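
Added example (not part of any post in this thread, and not code from Sling or the chip vendors): a triage pass over a flash dump that looks for common file-system and boot-image magics and measures per-block entropy, which speaks to the question of whether a dump holds a recognizable file system or opaque, possibly encrypted, data. The sample images, the 4096-byte block size and the 7.9 bits/byte threshold are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Well-known 4-byte magics of containers often found in embedded flash images.
MAGICS = {
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI erase-counter header",
    b"\x27\x05\x19\x56": "U-Boot legacy uImage",
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def find_magics(image: bytes) -> list:
    """Sorted (offset, description) pairs for every magic found in the image."""
    hits = []
    for magic, name in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def high_entropy_fraction(image: bytes, block: int = 4096, threshold: float = 7.9) -> float:
    """Share of non-erased blocks whose entropy exceeds the threshold."""
    chunks = [image[i:i + block] for i in range(0, len(image), block)]
    used = [c for c in chunks if c.strip(b"\xff")]  # skip erased (all-0xFF) flash
    return sum(shannon_entropy(c) > threshold for c in used) / len(used) if used else 0.0

def classify(image: bytes) -> str:
    """Rough triage; high entropy alone cannot separate encryption from compression."""
    if find_magics(image):
        return "recognizable structure"
    if high_entropy_fraction(image) > 0.9:
        return "opaque: encrypted or headerless compressed data"
    return "unknown low-entropy data"

def sample_images():
    """Constructed inputs (not real AirTV data): a plaintext-style layout and an opaque blob."""
    plain = (b"\x27\x05\x19\x56" + b"kernel header".ljust(4092, b"\x00")
             + b"\xff" * 4096
             + b"hsqs" + b"rootfs superblock".ljust(4092, b"\x00"))
    opaque = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1024))
    return plain, opaque

if __name__ == "__main__":
    for label, img in zip(("plain", "opaque"), sample_images()):
        print(label, classify(img), find_magics(img), round(high_entropy_fraction(img), 2))
```

A magic hit inside otherwise random data can be a coincidence, so a hit is a lead to confirm by parsing the header at that offset, not proof of a file system.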
 

