Phillips Monitor Teardown & Analysis

Let me see what's inside this thing..

Posted by Gyul on October 07, 2022

Introduction

Actually I was trying to port doom in the monitor I have. The model is 271E9 made by Philips. But I couldn't find datasheet about the SoC. So I decide to just analyse their firmware and hardware. And I could find some new stuff. Let's see!

Teardown Montior

Getting Board

The First thing to do is see how board is made. To do that, let's teardown it. At the backside of the monitor, there are two screws.

After that just open the plastic backplate. Then there is a board. And it's covered.

Peel off the stickers and unscrew the VGA port.

Finally let's free the board!

Sweet. We can check the SoC and many other chips.

Soc is TSUMO88CDT9-1 and flash is BoyaMicro 25D40CSTIG.

Monitor Analysis

Firmware Extraction

I tried to grab the flash by clip but it didn't work. So I detached it and grab it by soic 8 pin clip.


The reason why I didn't use raspberry pi is because flashrom doesn't support the BM25D40 Flash. But the programmer I had TL866-II Plus supports it. So I used it.

However the data changed everytime I tried to read it.


I checked several times if the pins are connected correctly and it was all good!

I tried other thing like reading as many as I can and sort the datas by frequency. But yes. this is useless. Because we can't verify if it is real data.

And something just popped up in my mind. I have SOIC 8 pin socket. Why don't we use it?


After using this, the data extracted so well. I mean we got the real data! I still don't get it what was the problem. But anyways we got the firmware.

Firmware Analysis

First I binwalked the firmware.


But nothing shows up. But when we use Y option in binwalk to check the architecture,


binwalk says that they are using arm.

So I used IDA to check if this baremetal firmware is made of ARM.


And yes it's ARM.

But I couldn't go any further from here. Because we don't have SoC datasheet and no debugging ports. Then how can I know their memory layout and interrupts address!

So I stopped analysing arm codes in the firmware. But started to just look around a firmware.

And when we see the strings in here :


some command-looking strings are located. What is this?

VCP

It's VCP codes. Virtual Control Panel(VCP) represents the functions that monitor supports. It's a single command entity in the MCCS language.

The first 02 code in vcp means :


So following hex codes are also like this. Meaning something individually. Also by using utility which controls VCP, we can manually change our monitor settings.

You can check what the code up there means by reading this document

Conclusion

This project was started to play DOOM in monitor. But because of the lack of datasheet, I couldn't done it. Maybe next time!

Anyways It was fun playing around with monitor firmware. Wish me luck resoldering the flash chip and reassemble my monitor.

And also this time I will provide the firmware that I'v extracted which we usually don't. You can download it in our github repo We are very welcome if you share your cool work with this firmware. Our Twitter and Facebook is always opened.

Copyright © FirmExtract 2024