How to compile and run custom firmware for ALI M3801 and other chips from tuners?

p.kaczmarek2 2664 35

TL;DR

A minimalist custom firmware demo for the ALI M3801 MIPS processor was built from the ali_sdk GitHub project and tested on an old Comsat TE 1050 HD tuner.
The firmware starts with UART Hello World, then reuses M36XX-style GPIO register mappings to scan buttons and read the chip ID directly from memory-mapped addresses.
Compilation only worked on Ubuntu, and the chip ID readback returned 0x3811 from an ALI M3801 board.
Button scanning works, with eight pins packed into one byte and displayed in a loop, but the main on/off button is not detected.
UART remains unstable: the CH341 likely mishandles even parity, blocking receive logic drops characters, and the next step is interrupt-driven UART support.

Generated by the language model.

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#31 21803405 09 Jan 2026 00:39

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14439

Help: 650

Rate: 12405
» | Topic author Helpful post? (0)

Post #31
21803405 09 Jan 2026 00:39

And isn't it enough to give a header like in my iterate.cpp? CRC we can already count. I'm talking about the maincode partition. I need to check with mips decompiler if there are normally commands after this header.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#32 21803726 09 Jan 2026 14:05

maciej_333 maciej_333

Level 38

Posts: 4214

Help: 486

Rate: 1574
» | Helpful post? (0)

Post #32
21803726 09 Jan 2026 14:05

One would still need to know where to RAM the bootloader loads the application from these partitions in flash. As if knowing this would be enough in the SDK to change the address where the code is and maybe just add the appropriate header. CRC actually we already know how to count. The application is not compressed?
ADVERTISEMENT
#33 21804202 09 Jan 2026 22:08

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14439

Help: 650

Rate: 12405
» | Topic author Helpful post? (0)

Post #33
21804202 09 Jan 2026 22:08

Do you mean the excerpt from un7zip?
Code: C / C++
Log in, to see the code

So far I have not been able to reproduce this in my C program. I did, however, find another clue - the test_rsa_ram function

Added after 11 [minutes]:

Here is the LZMA library used: https://github.com/erwinbsbqq/PDK_GoDroid/blo...65fd0ff291e9a3263f95/uboot/lib/lzma/LzmaDec.c

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#34 21812801 18 Jan 2026 21:24

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14439

Help: 650

Rate: 12405
» | Topic author Helpful post? (+1)

Post #34
21812801 18 Jan 2026 21:24

@maciej_333 any progress?

For my part I am putting together an emulator for Ali, my Hello World bin is already displaying text:

First via the printf hook and then normally already - reading from the register to send via the UART.

I also managed to pass the first bootloader, the C pseudocode:
Code: C / C++
Log in, to see the code

It copies the data to RAM at address 81e8e170 and then performs functions there:

I supposedly use the off-the-shelf CPU engine but it has a lot messed up and I have to manually handle the instructions:

I don't know how functional this will be, time will tell.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#35 21812810 18 Jan 2026 21:35

maciej_333 maciej_333

Level 38

Posts: 4214

Help: 486

Rate: 1574
» | Helpful post? (0)

Post #35
21812810 18 Jan 2026 21:35

p.kaczmarek2 wrote:
You mean the part with un7zip?

Yes, that's what I was thinking of.

p.kaczmarek2 wrote:
@maciej_333 any progress?

Unfortunately I haven't dealt with it since then.

Congratulations on the great progress on Ali.
#36 21812926 19 Jan 2026 01:29

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14439

Help: 650

Rate: 12405
» | Topic author Helpful post? (+1)

Post #36
21812926 19 Jan 2026 01:29

I still tried at the time to copy these unzip to my project and call on the flash dump, but it didn't work.

As for trying to make an emulator, I encountered another surprise. Here are mixed 32 and 16 bit commands. E.g:

And a moment later:

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law