Interior and flash analysis of the DVBT-T2/HEVC decoder DVBT005-SH Shark

p.kaczmarek2 2130 14

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

» | Topic author Positive voted Helpful post? (+18)

Post #1
21820059 26 Jan 2026 10:50

Something contemporary this time. I've already shown some old tuners, so it's time for a change. As standard, first a presentation of the interior and then an analysis of the Flash memory along with a Linux file system extract. Maybe we can also find a program to change the batch?

The object of the presentation is a contemporary DVB-T2 / HEVC / H265 decoder characterised by a programmable remote control, which can also be controlled by the TV proper. Just right for the elderly. It was for such a person that I ordered this decoder. I paid all 60 PLN and decided to take a look inside.
First of all, some photos of the manual - maybe they will be useful to someone, there is also a description of how to pair the remote control.

Let's get to the actual presentation now. We unscrew the screws.

The circuit is very simple. The whole thing is on a single PCB. First we have the switching power supply, interestingly there is even an EMI filter on its input. Some manufacturers omit it...

On the front we have an IR receiver, buttons (quite a lot for such equipment) and a four-digit 7-segment display.

There is not a single component on the underside of the board - as you can see there was no problem with packing.

The power supply in flyback topology is based on the PN8147.

It probably generates 5 V - as usual. Then there is a section with a 1.8 V LDO and a voltage reduction inverter (5 V -> 3.3 V). The flash bone with firmware (25Q32CSIG) is also caught in the photo.

The buttons and display are handled by the HW650EO - presumably a similar chip to the HD2015 already discussed:
Running the HD2015 display/button driver after reverse engineering, comparison with TM1637itd

PCB designation: GX6706-T2-69 A1:

Finally, you need to know what kind of microprocessor is sitting there:

The NationalChip GX6706S5, is quite a popular chip in this type of device, vendors are not hiding about it. You can find a lot of decoders on this chip, although information about the chip itself is residual. It seems to belong to the larger GX/Nationalchip family of chips, along with:
- GX6701, GX6702, GX6703 (Gemini)
- GX6705, GX6706 (Cygnus)
- GX6613 (Sirius)
- GX3113, GX3235, GX6605 (Taurus)
These types of chips work with external Flash memory, but also have built-in RAM. The GX6705, for example, has 64 MB of DRAM, I could not find information on the GX6706.

The chip has a UART port out - could there be a chance for a bootloader?

Batch analysis
I soldered out the flash using hot air and ripped through the CH341:
CH341 from Aliexpress and Allegro - what modifications are needed after purchase?
On the computer side, I used NeoProgrammer. I used the command to analyse the batch binwalk in WSL:
analysis of the SPI flash memory batch using the commands binwalk, dd, lzma
I immediately got satisfactory results. The tool learned the packed batch and the ROMFS and SquashFS file systems.
Code: text Expand Select all Copy to clipboard
binwalk "GX6706S5 4mb flash dump.bin" DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 108488 0x1A7C8 eCos RTOS string reference: "ecos.bin.lzma" 108504 0x1A7D8 eCos RTOS string reference: "ecos.bin.gz" 131584 0x20200 JPEG image data, EXIF standard 131596 0x2020C TIFF image data, big-endian, offset of first image directory: 8 141333 0x22815 Copyright string: "Copyright (c) 1998 Hewlett-Packard Company" 196608 0x30000 romfs filesystem, version 1 size: 1924304 bytes, named "rom 675ab965" 2162688 0x210000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 481588 bytes, 309 inodes, blocksize: 32768 bytes, created: 2024-12-12 10:22:30 2686988 0x29000C Zlib compressed data, compressed 2689036 0x29080C Zlib compressed data, compressed 2689548 0x290A0C Zlib compressed data, compressed 2692108 0x29140C Zlib compressed data, compressed 2694156 0x291C0C Zlib compressed data, compressed 2696204 0x29240C Zlib compressed data, compressed 2698252 0x292C0C Zlib compressed data, compressed 2700300 0x29340C Zlib compressed data, compressed 2702348 0x293C0C Zlib compressed data, compressed 2704396 0x29440C Zlib compressed data, compressed 2706444 0x294C0C Zlib compressed data, compressed 2710028 0x295A0C Zlib compressed data, compressed 2711564 0x29600C Zlib compressed data, compressed 2714124 0x296A0C Zlib compressed data, compressed 2715660 0x29700C Zlib compressed data, compressed 2717196 0x29760C Zlib compressed data, compressed 2718732 0x297C0C Zlib compressed data, compressed 2720268 0x29820C Zlib compressed data, compressed 2721804 0x29880C Zlib compressed data, compressed 2723340 0x298E0C Zlib compressed data, compressed 2724876 0x29940C Zlib compressed data, compressed 2726412 0x299A0C Zlib compressed data, compressed 2727948 0x29A00C Zlib compressed data, compressed 2729484 0x29A60C Zlib compressed data, compressed 2731020 0x29AC0C Zlib compressed data, compressed 2732556 0x29B20C Zlib compressed data, compressed 2734092 0x29B80C Zlib compressed data, compressed 2735628 0x29BE0C Zlib compressed data, compressed 2737164 0x29C40C Zlib compressed data, compressed 2738700 0x29CA0C Zlib compressed data, compressed 2740236 0x29D00C Zlib compressed data, compressed 2741772 0x29D60C Zlib compressed data, compressed 2743308 0x29DC0C Zlib compressed data, compressed 2744844 0x29E20C Zlib compressed data, compressed 2746380 0x29E80C Zlib compressed data, compressed 2747916 0x29EE0C Zlib compressed data, compressed 2749452 0x29F40C Zlib compressed data, compressed 2750988 0x29FA0C Zlib compressed data, compressed 3348492 0x33180C Zlib compressed data, compressed 3350540 0x33200C Zlib compressed data, compressed

Binwalk also recognised the eCos real-time system. The basics are in place, now the data can be extracted:
Code: text Expand Select all Copy to clipboard
binwalk -eM "GX6706S5 4mb flash dump.bin"

SquashFS contains the Linux file system along with the characteristic folders bin, etc, mnt, etc.

In the Theme folder we have skin definitions - xml files and icons:

Small graphics use the BMP format and larger images (e.g. backgrounds) use the lossy compressed JPG format.
XML maps names to paths and defines the mode of operation of the device:
Code: text
Log in, to see the code

Code: text
Log in, to see the code

Interesting that there are typos in the XML - e.g. digtal instead of digital.
In the firmware we have the file gxlowpower.fw:

Its header - repeated sequences of byte 0x02 and offsets - suggest to me an 8051 architecture. These are probably jump vectors/tab offsets to routines executed by an auxiliary microcontroller running in standby mode. Could it be that there is a second, small 8051 core in the NationalChips that is responsible for low-power mode: standby IR support, 7-segment display, LEDs and wake-up of the main SoC?

Ghidra correctly decompiles this firmware. You can see the correct C pseudocode, the jumps go to the correct functions.

Separately, we have the ROMFS section. As the name suggests, it is read only - read only. The actual ecos firmware is there, but you have to decompress it first - it uses the LZMA standard.

Successful decompression is confirmed by analysing the subtitles from the middle:
Code: text Expand Select all Copy to clipboard
Section [All,App,User] File Path txt_upgrade_process_info1 Timeout! txt_upgrade_process_info2 img_upgrade_process_tip btn_upgrade_process_ok progbar_upgrade_process Error occur! bin;BIN DATA .user dump_all.bin usb update protocol flash BOOT ROOT /dvb/theme/font/arial.ttf /mnt/temp.ttf font_26_ram ----------file open err. (1)------flash size is larger. (1)------read failed %d. TABLE (2)---**---read failed %d. Device is not available.Please check! Invalid file path! app_upgrade_crc_check_buf p_data is NULL. s_title_left_utility text_upgrade_process_tip Dump Don't cut off the power! Dump successfully! Upgrade successfully! Reboot now app_upgrade_crc_check txt_group_sat_fav cmb_channel_list_group img_cl_bottom text_channel_list_tp img_cl_red A disk read error occurred BOOTMGR is missing BOOTMGR is compressed Press Ctrl+Alt+Del to restart g:H Si2141 CTS timeout Si2141 Error (status 'err' bit 1) Si2141 Error while polling CTS Si2141 Error while polling response Si2141 Error while loading firmware Si2141 Error while loading bootblock Si2141 Error while starting firmware Si2141 Error during software reset Si2141 Error Incompatible part Si2141 Error unknown command Si2141 Error unknown property

However, I have not yet found a method to load this into Ghidr. I tried with the C-Sky plugin, but the results do not look like correct instructions.

ADVERTISEMENT

Flasher GxDownloader
I found one tool on the web - GXDownloader Boot, I put it in the attachments.

Supported chips:

I found a short presentation of this programme on Youtube:
https://www.youtube.com/watch?v=Tks2E1pZvwc

Flasher Open Source from GitHub
A search on GitHub gave me only one reasonable lead - libre-gxdl by matu6968.
https://github.com/matu6968/libre-gxdl
The project shown is a flasher for the NationalChip GX series of devices, which allows you to communicate with these devices at the hardware level and perform operations such as reading and writing memory via the serial and USB ports.
It is a reimplementation of the original GX downloader (gxdl) tool obtained through reverse engineering.

I haven't had time to check it again, but presumably libre-gxdl would be able to rip the batch through the RX/TX pads shown in the picture present right next to the main SoC.

Specification
Specifications, according to the vendor:
- Reception standard: DVB-T2, DVB-C
- Video codecs: HEVC (H.265), H.264
- Multiplexes: MUX-1, MUX-2, MUX-3, MUX-4, MUX-6, MUX-8
- Maximum resolution: 1920×1080 (Full HD)
- USB port: USB 2.0
- Functions: PVR, Timeshift
- EPG: yes
- Video outputs: HDMI, SCART
- Audio output: SPDIF digital
- Support: Teletext, DVB subtitles
- OSD menu: Polish language
- Display: Front LED
- Remote control: IR, 4 programmable buttons
- Housing: metal, ventilated
- Dimensions: 168 × 30 × 105 mm

Pictures of the installation (improved contrast):

Summary
A very simple circuit, not surprisingly also available as 'plugs' for HDMI. The whole thing is basically a simple power supply in flyback topology, a voltage-reducing inverter, the main SoC with external flash memory for the program, the display together with the controller (a la HD2015), and the RF head (here signed 4110 A009 514 - I forgot the photo).
The aforementioned SoC runs the eCos real-time system and in the Flash sits a typical Linux file system from which settings, icons and graphics can be extracted.
Additionally, we have RX/TX pads available and have managed to find two promising tools for uploading the batch.
Will anything more be able to be done with it? We are yet to find out, in the meantime, just for the sake of principle, I will ask - have you had any contact with receivers based on NationalChip chips? Or does anyone have more information about them?

PS: A copy of the original batch:
https://github.com/openshwprojects/FlashDumps/commit/9437e8ceda5c2d4197f8e4745804839f3d52de9f

Attachments:

GXDownloader_boot(V1.0.4.0).rar Download (1.07 MB)

Cool? Ranking DIY
Helpful post? Buy me a coffee.
About Author
p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Offline

Joined: 26 Dec 2014

Posts: 14155

Help: 644

Posts rating: 12027

Points: 137469
p.kaczmarek2 wrote 14155 posts with rating 12027, helped 644 times. Been with us since 2014 year.
ADVERTISEMENT
#2 21821235 27 Jan 2026 13:40

bsw bsw

Level 21

» | Helpful post? (0)

Post #2
21821235 27 Jan 2026 13:40

Six months ago I bought an identical clone (from BLOW) also for an elderly person. Advantages - solid metal casing and mains power supply inside.
The previous tuner (in the form of an HDMI plug) was .... broken.
This one performs flawlessly.
BTW: Does anyone know why the TV standard was changed again after only 10 years forcing only additional costs and generating electro-waste....

Helpful post? Buy me a coffee.
#3 21821632 27 Jan 2026 21:23

niewolno2 niewolno2

Level 40

» | Helpful post? (+2)

Post #3
21821632 27 Jan 2026 21:23

bsw wrote:
BTW: Does anyone know why the TV standard was changed again after only 10 years just forcing additional costs and generating electro-waste...

To generate profits.
ADVERTISEMENT
#4 21822641 28 Jan 2026 21:28

Stanley_P Stanley_P

Level 28

» | Helpful post? (0)

Post #4
21822641 28 Jan 2026 21:28

@ElektrodaBot why was the DTT standard changed to DVB-T2 and MPEG-4 h.264 to HEVC h.265 after about 10 years?
#5 21822663 28 Jan 2026 21:53

ElektrodaBot ElektrodaBot

AI OpenAI ChatGPT4

» | Helpful post? (+1)

Post #5
21822663 28 Jan 2026 21:53

Stanley_P wrote:
@ElektrodaBot why, after about 10 years, the digital terrestrial TV standard was changed to DVB-T2 and MPEG-4 h.264 to HEVC h.265?
Direct answer
- DVB-T → DVB-T2 and H.264 → HEVC were changed primarily to accommodate more and better quality TV in the same (actually narrower) radio band. In the EU, the 700 MHz band was earmarked for LTE/5G, so broadcasters had to increase transmission and compression efficiency to maintain/expand their programme offerings. ( eur-lex.europa.eu )
- DVB-T2 gives approximately 30-50% more multiplex capacity than DVB-T due to 256-QAM, LDPC/BCH coding, PLP and other physical layer improvements; HEVC (H.265) additionally brings on average ~30-50% bitrate savings relative to H.264 at the same quality. Together, this results in 'less bandwidth → more channels/higher quality'. ( dvb.org )
- In Poland, the main commercial multiplexes switched to DVB-T2/HEVC in the first half of 2022, and TVP's MUX-3 in late 2023/early 2024; the change was directly linked by the administration to the release of the 700 MHz band. ( gov.pl )

Detailed analysis

1) Regulatory background and the "digital dividend"
- The EU has first delegated the 800 MHz band for mobile broadband services (2010/267/EU) and then obliged Member States to make the 700 MHz band available for LTE/5G by 30 June 2020 at the latest. (with a possible delay of up to 2 years). This reduced the spectrum available for terrestrial TV and forced efficiency gains on the broadcasting side. ( eur-lex.europa.eu )
- Poland continued to refarm 700 MHz and in 2024 the UKE announced the auction of 700 MHz blocks; in parallel coordination arrangements were underway at the Ukrainian border. This shows that TV migration decisions had a real spectral justification, not just a business one. ( gov.pl )

2) What DVB-T2 gives in the radio layer (PHY)
- Higher capacity: at typical 8 MHz settings, DVB-T achieves around 24 Mbps and DVB-T2 around 40 Mbps (depending on configuration of course). This is an increase of 30-50% under the same reception conditions. Mechanisms: 256-QAM, more efficient FEC (LDPC+BCH), longer FFT (up to 32k), shorter pilots, PLP, optional MISO and rotated constellations. ( rfwireless-world.com )
- Practical effect: you can squeeze more HD services (and even space for UHD) into one MUX, or increase quality/robustness with the same number of services. The EBU/DVB has been giving an estimate of +30...50% capacity for years. ( tech.ebu.ch )

3) What HEVC gives versus H.264
- HEVC reduces bitrate at the same quality typically by 30-50% (depending on the material and methodology); the BBC in subjective studies reported an average ~59% saving vs AVC. Technical reasons for this include flexible CTU up to 64×64, better motion prediction and more efficient entropy coding. ( betanews.com )
- Broadcast practice: 1080i/p HD in H.264 typically required 6-8 Mbps, in HEVC often 3-5 Mbps for comparable visual reception - hence the real gain 'per multiplex'. (Indicative values; exact bitrate is a quality compromise by the broadcaster).

4) Poland - Migration timeline
- MUX-1, MUX-2 (and operator MUX-4/6) - regional switchovers March-June 2022 to DVB-T2/HEVC. ( gov.pl )
- MUX-3 (TVP) - transition to DVB-T2/HEVC in two stages in December 2023, with simultaneous temporary emissions on MUX-6 in January 2024 ( gov.pl )
- MUX-8 in VHF was outside the 700 MHz refarming range, so its situation was distinct. ( telepolis.pl )

5) "Is it just to generate profits?"
- The economics exist: the state monetises bandwidth in 4G/5G auctions; broadcasters can offer more channels/HD and new services. But the key original reason was spectrum constraints and the need for technical upgrades, not the sale of decoders alone. To mitigate the impact, a subsidy programme was in operation in PL: pLN 100 per decoder or PLN 250 per TV. ( gov.pl )

6) Could the change have been done 'more gently'?
- The alternatives were costly/inefficient: broadcasting DVB-T and DVB-T2 in parallel would have duplicated spectrum consumption; staying with DVB-T would have forced a drop in quality (SD) or a reduction in the number of programmes once 700 MHz was given up. The combination of DVB-T2 + HEVC was the only option that realistically 'recovers' the capacity lost to mobile networks. ( dvb.org )

7) What's next - the outlook for the next few years
- Hybrid and IP solutions are on the horizon: DVB-I (common signalling and discovery of broadcast/IP services) and integration with 5G Broadcast. This is an evolution of services (interface, catalogues, hybrid) rather than a sudden leap in the RF layer as with DVB-T2. ( dvb.org )

Practical implications for the user and installer
- If the antenna installation "holds" the MUX-1/2 signal in DVB-T2/HEVC, the new decoder/TV will do the rest. A typical DVB-T2 multiplex today has about 40 Mbps capacity, which, with HEVC, allows full HD to be maintained for all major stations. ( rfwireless-world.com )
- Old DVB-T/H.264 receivers do not decode HEVC or DVB-T2 signalling - you need an external tuner (like the one described in the thread) or a newer TV.

For further discussion
- Do you want to calculate how many HD channels can be crammed into your local MUX with the assumed DVB-T2 profile (modulation/FEC/guard code)? Provide your transmitter parameters and target bitrate per programme - I will prepare configuration options and capacity budget.

You can call me in any topic by writing @ElektrodaBot. Disclaimer: Some answers provided by the ElektrodaBot may be inaccurate. Elektroda not responsible for accuracy, reliability or completeness of the information presented. All ElektrodaBot responses should be verified by the user. OpenAI can monitor and save information entered after calling ElektrodaBot.
#6 21822671 28 Jan 2026 21:59

bsw bsw

Level 21

» | Helpful post? (0)

Post #6
21822671 28 Jan 2026 21:59

@ElektrodaBot Thank you for your factual analysis. It shows that it was realistically about 'recovering' capacity lost to mobile networks. So the commercial aspect - commercials, commercials....

Helpful post? Buy me a coffee.
#7 21822688 28 Jan 2026 22:14

ElektrodaBot ElektrodaBot

AI OpenAI ChatGPT4

» | Helpful post? (0)

Post #7
21822688 28 Jan 2026 22:14

bsw wrote:
@ElektrodaBot Thank you for your factual analysis. It shows that it was realistically about "recovering" capacity lost to mobile networks. So the commercial aspect - ads, ads...
Direct response
- Commercials are part of the puzzle, but they were not the original reason for the change. The main impetus was the removal of the 700 MHz band from TV (so-called refarming/digital dividend) and the need to keep the HD offering in a much narrower band. DVB-T2 (more efficient radio layer) + HEVC (more efficient compression) is the only realistic way to 'recover' capacity without compromising quality.
- The commercial aspect occurs at three levels: the state (spectrum auctions for 4G/5G), mobile operators (bandwidth monetisation), broadcasters (more channels/opportunities to sell advertising time). For the viewer, the cost is the replacement of equipment.

Detailed analysis

1) What came 'first': law and physics
- Regulation: EU decisions transferred 700 MHz for LTE/5G by summer 2020. (with national refarming). Poland did the refarming in practice in 2022 (MUX-1/2/4/6) and MUX-3 completed the migration to DVB-T2/HEVC in late 2023/early 2024. This reduced the number of RF channels for TV and forced efficiency gains.
- Physics: DVB-T2 gives ~30-50% more net bit/s in the same 8 MHz channel than DVB-T (256-QAM, LDPC/BCH, longer FFT, PLP, etc.). HEVC saves another ~30-50% bitrate vs H.264 at the same quality. In practice, a typical DVB-T2 MUX is ~35-40 Mbps, which with HEVC allows 8-10 HD channels to be maintained without "pixelosis".

2) How advertising comes into it
- More capacity → possibility to keep all main stations in HD and add thematic services. This increases the advertising 'inventory', but revenue still depends on real viewership/GRP, not on the codec per se.
- Without migration (staying with DVB-T/H.264 after the 700 MHz handover), broadcasters would have to reduce the number of channels or go down to SD. This would have lowered competitiveness against streaming and ultimately advertising revenues as well. The migration was therefore a defence of the FTA model and not a simple 'squeeze' for advertising.

3) Who earned, who paid
- State budget: revenues from the auction of 700 MHz spectrum.
- Mobile operators: better 4G/5G coverage and capacity.
- Broadcasters: maintenance of the HD offer and flexibility of the channel grid (advertising potential), but also upgrade costs (HEVC encoders, T2 broadcasting).
- STB/TV manufacturers: one-off demand for DVB-T2/HEVC equipment.
- Viewers: equipment replacement; partly mitigated by subsidies (in PL 100 zł decoder/250 zł TV, 2022 programme).

4) Were there 'less commercial' alternatives?
- Simultaneous DVB-T and DVB-T2 broadcasting for years - double spectrum consumption and costs for broadcasters.
- Stay with DVB-T2, but with H.264 - gain from radio layer only (less than from T2+HEVC duo); harder to maintain so much HD after refarming.
- Move "straight away" to IP - socially risky today (not everyone has connectivity; terrestrial TV is supposed to be free and universal).

5) An "engineering and economic" conclusion
- Advertising is the result (more supply of slots and maintaining quality = less audience erosion), and the cause was the need to fit a similar/larger offer in less spectrum. Otherwise terrestrial TV would have shrunk in quality and programming.

For further discussion
- Would you like to count the capacity of "your" MUX for specific parameters (e.g. 256-QAM, CR 2/3, GI 1/8) and see how much HD in HEVC you can realistically fit in at an assumed bitrate of 3.5-5 Mbps? Provide your transmitter location and profile - I will prepare variants and show the trade-offs between robustness and capacity.

You can call me in any topic by writing @ElektrodaBot. Disclaimer: Some answers provided by the ElektrodaBot may be inaccurate. Elektroda not responsible for accuracy, reliability or completeness of the information presented. All ElektrodaBot responses should be verified by the user. OpenAI can monitor and save information entered after calling ElektrodaBot.
#8 21822891 29 Jan 2026 07:36

LEDówki LEDówki

Level 43

» | Helpful post? (+1)

Post #8
21822891 29 Jan 2026 07:36

Advertising, advertising, brainwashing already since the morning.... They even played this song on TVP once. Titled 'Advertising.
ADVERTISEMENT
#9 21823013 29 Jan 2026 10:13

Stanley_P Stanley_P

Level 28

» | Helpful post? (+1)

Post #9
21823013 29 Jan 2026 10:13

Adverts with adverts, laughs with laughs but I nevertheless now prefer to watch from terrestrial in HD rather than the vast majority of SD 'soaps' as before.
I especially felt the change on the regional programme, which I happen to watch fairly regularly (most of the others broadcast on terrestrial I previously had in HD from another source).
EDIT: to clarify: I was referring to the transition from digital to digital tv a few years ago, not from analogue to digital a dozen
#10 21823025 29 Jan 2026 10:28

__Grzegorz__ __Grzegorz__

Level 30

» | Helpful post? (0)

Post #10
21823025 29 Jan 2026 10:28

I am missing a glimpse into
/etc/shadow or
/etc/passwd

and, if they exist, to hashcat on the hashes of the passwords contained therein
ADVERTISEMENT
#11 21823144 29 Jan 2026 11:54

LEDówki LEDówki

Level 43

» | Helpful post? (0)

Post #11
21823144 29 Jan 2026 11:54

And have you seen antenna cables connected by an electrical cube from a chandelier? I have. Good reception was not provided by a big directional antenna with a big amplifier. Replacing the whole cable helped, but the decoder still cut out. It's interesting with these decoders - some have identical boards and remote controls, but different housings and printings. Some are supposedly sensitive, but perform worse than cheap junk. Some users still do not understand that watching a decoder requires switching the TV to the AV input. Disconnecting the TV causes it to display a message about missing channels. The user is jolted and hangs up as they 'push' the remote control buttons and nothing happens on the TV. Despite many years of using set-top boxes and remote controls, it happens that a new remote control is deemed to be out of order because.... the contact is wrong. Slightly moving the link "battery" miraculously fixes the remote control. The old broken one may go in the lu drawer to the hearth. The new one will be thrown on the bed at some point and broken like the old remote control. Instead of gluing, taping the remote control with insulating tape works well. And the icing on the cake, although not from the decoder category - the 12V power supply unit lies on the ground covered with a board for days. After a year, the power supply stops working due to the accumulation of a lot of moisture inside. Electronics do not like moisture.
the password, this is kept on a piece of paper stuck to the monitor!
#12 21825768 01 Feb 2026 10:38

elektronik123456789 elektronik123456789

Level 22

» | Helpful post? (0)

Post #12
21825768 01 Feb 2026 10:38

I have always been curious as to where the remote control codes might be hidden in such a FW. Often the decoder itself is fine but the supplied remote control is of poor quality. There are images circulating on the internet with substituted remote control codes, how do you do something like that yourself?
#13 21826452 01 Feb 2026 20:28

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

» | Topic author Helpful post? (+1)

Post #13
21826452 01 Feb 2026 20:28

@__Grzegorz__
Just this:

@elektronik123456789 maybe keymap.xml?

Code: text
Log in, to see the code

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#14 21838414 14 Feb 2026 12:23

funzen funzen

Level 24

» | Helpful post? (0)

Post #14
21838414 14 Feb 2026 12:23

I too will add a brick of description to the fun of this soft.
You can use the software to extract the soft
Basically the program is from GX6605S but it also works on GX6702 and GX6706S5
unpack Rep...5S org.exe Download(516 kB)

After extracting, we have the following files
BOOT.bin
DATA.bin
KERNEL.bin
LOGO.bin
ROOT.bin
TABLE.bin
Here is the description from the website, unfortunately not in Polish, but you can use the page translator
Link
I will add as a curiosity BOOT.bin file of size 128k has a name sewn in it for auto software update or recovery after failed upload, of course if the boot as such is not corrupted, this name is recovery.rcv
An efficient decoder checks during start-up, if there is a file on the pendrive for auto-update, thanks to this it is known if the pendrive will be suitable for auto-update (the led on the pendrive flashes during decoder start-up)

Description for auto-updating.
Use a fat32 formatted pendrive for uploading
It is best if the pendrive has a LED indicating reading and writing of data on it.
Put the software on the pendrive with changed name to recovery.rcv
Connect the pendrive to an unplugged decoder.
After the decoder is connected to the power supply, the recovery.rcv file is automatically uploaded
When the upload reaches 100 (as can be seen in the picture), the pendrive can be removed.
The decoder should boot itself with the new software.

LOGO.bin
Just change the extension to jpeg and you can already see the startup wallpaper.
ROOT.bin
In this particular firmware you can see what is in this file.
Use the 7-zip program.
After extracting the ROOT.bin file, the following contents are displayed

The most interesting content is located in the dvb/theme/ folder
I will describe the most interesting files

keymap.xml remote control codes
e.g
<key name="GUIK_1">0xbf7f</key>
Code for button 1
bf is the code for the whole remote control
7f is the specific code of button 1
This is the stored data with the remote control codes in this particular case there are stored codes for 3 remote controls
I what managed to find a maximum map to 8 remotes in one softy.
Of course the codes from the remote controls cannot overlap
i.e. 2 remote controls cannot have codes e.g. bf7f

This is the Led display data
e.g
<group name="board type">
<item display="board type" value="0">
<list value="0" display="fd650">
<list value="1" display="1642"/>
i
<group name="led value">
<key name="BIT_A">0x01</key>
<key name="BIT_B">0x02</key>
<key name="BIT_C">0x04</key>
<key name="BIT_D">0x08</key>
<key name="BIT_E">0x10</key>
<key name="BIT_F">0x20</key>
<key name="BIT_G">0x40</key>
<key name="BIT_P">0x80</key>
i
<group name="digtal value">
<key name="DIGTAL_0">0x1400</key>
<key name="DIGTAL_1">0x1500</key>
<key name="DIGTAL_2">0x1600</key>
<key name="DIGTAL_3">0x1700</key>
Front panel buttons
e.g
<group name="key value">
<key name="KEY_MENU">103</key>
<key name="KEY_DOWN">87</key>
<key name="KEY_UP">95</key>
<key name="KEY_RIGHT">71</key>
<key name="KEY_LEFT">79</key>
<key name="KEY_OK">111</key>
<key name="KEY_PW">119</key>
<key name="KEY_EXIT">102</key>

Additional lenium LEDs e.g. power LED and signal strength LED
e.g
<group name="led standby">
<item display="led standby" value="2">
<list value="0" display="0">
<list value="1" display="1"/>
<list value="2" display="2"/>
<list value="3" display="3"/>

default.xml
In this file we have the description of the software version displayed in the menu
e.g
<group name="common">
<item display="software version" value="DVBT2_SDK_V2.5.1" />
<item display="hardware version" value="CYGNUS_R850_V1.0" />
<item display="netapp version" value="V1.0.0" />
<item display="transparency" value="230"/>
<list display="100%" value="255"/>
In addition, audio decoding by a decoder
e.g
<group name="spdif config">
<item display="SPDIF" value="3">
<list display="AC3 DECODE" value="1"/>
<list display="AC3 BYPASS" value="2" />
<list display="AC3 AUTO" value="3" />

Antenna amplifier power supply
<group name="Antenna Power"/>
<item display="Antenna_Power" value="0">
<list display="on" value="1"/>
<list display="off" value="0" />

In addition, this file contains data on the country which is used when searching for channels in the case below, the region England is set to
<group name="Country config"/>
<item display="country select" value="0">
<list display="England" value="0" />
<list display="Russia" value="1" />
<list display="France" value="2" />
<list display="Portugal" value="3" />
<list display="Spain" value="4" />
<list display="Greece" value="5" />
<list display="Italy" value="6" />
<list display="Poland" value="7" />
<list display="Germany" value="8" />
<list display="Thailand" value="9" />
<list display="Australia" value="10" />
<list display="Iran" value="11" />
<list display="Netherlands" value="12" />
<list display="Serbia" value="13" />
<list display="Belgium" value="14" />
<list display="Hungary" value="15" />
<list display="Denmark" value="16" />
<list display="Slovenia" value="17" />
<list display="Luxembourg" value="18" />
<list display="Norway" value="19" />
<list display="Czech Republic" value="20" />
<list display="Sweden" value="21" />
<list display="Austria" value="22" />
<list display="Croatia" value="23" />
<list display="Romania" value="24" />
<list display="Finland" value="25" />
<list display="Bulgaria" value="26" />
<list display="Vietnam" value="27" />
<list display="Myanmar" value="28" />
<list display="Estonia" value="29" />
<list display="Ireland" value="30" />
<list display="Latvia" value="31" />
<list display="Lithuania" value="32" />
<list display="Slovakia" value="33" />
<list display="Ukraine" value="34" />
<list display="Uzbekistan" value="35" />
<list display="Kazakhstan" value="36" />
<list display="Turkmenistan" value="37" />
<list display="Tajikistan" value="38" />
<list display="Kyrgyzstan" value="39" />
<list display="Colombia" value="40" />
<list display="Lebanon" value="41" />
<list display="Singapore" value="42" />
<list display="Malaysia" value="43" />
<list display="Israel" value="44" />
<list display="Mongolia" value="45" />
<list display="Congo" value="46" />
<list display="Albania" value="47" />
<list display="Bangladesh" value="48" />
<list display="Indonesia" value="49" />
<list display="Afghanistan" value="50" />
<list display="Philippines" value="51" />
<list display="Georgia" value="52" />
<list display="Saudi Arabia" value="53" />

in this file we change the settings of the default signal resolution what goes on the TV
<group name="TV Standard"/>
<item display="Standard" value="13">
<list display="480I" value="7"/>
<list display="480p" value="8" />
<list display="576I" value="9" />
<list display="576p" value="10" />
<list display="720P 50Hz" value="11" />
<list display="720P 60Hz" value="12" />
<list display="1080I 50Hz" value="13" />
<list display="1080P 50Hz" value="14" />
<list display="1080I 60Hz" value="15" />
<list display="1080P 60Hz" value="16" />

Changing the channel setting after the LCN option
<group name="LCN config">
<item display="LCN" value="1">
<list display="on" value="1"/>
<list display="off" value="0" />
</item>
and whether the clock on the display should be displayed when the decoder goes to Standby
<group name="Standby showtime">
<item display="showtime" value="1">
<list display="on" value="1"/>
<list display="off" value="0" />

In the language folder we have the languages in which the decoder menu will be displayed.

The image folder contains all icons and backgrounds used by the software.

Some settings of the start-up logo and e.g. remote control codes can be changed with the National Image Tool programme
I do not know if this program will work 100% with the GX6706S5 processor
Here the description from page National Image Tool
Replace the remote control in the software

Regarding the uploading of the software after rs 232 it should work in the newer version of the program GXDownloader_boot_v2.1.3 .
Because it has settings for this processor cygnus-6706H5-sflash-24M.boot
How to fix decoder with GX6702 processor

Soft from Manta DVBT005-SH website
Manta DVBT005-SH 20241212

And as a curiosity here you have the soft from a different decoder but with the same
processor GX6706

LTC LXDV507

Manta DVBT025PRO

I'm not sure about this software but I think it's from AX LION NS for the board with the new GX6706 processor
poland_AX-...240925.bin Download(4 MB)

#15 21846786 23 Feb 2026 18:00

mateusz6768 mateusz6768

Level 9

Post #15

21846786 23 Feb 2026 18:00

>>21820059 Thank you for considering a flasher for the NationalChip GX called libre-gxdl because I am the main developer of this tool, unfortunately the NationalChip GX series are not so documented well that one day I wanted to see how the protocol of these devices even worked as I got a DVB-T2 decoder with a GX6702 chip and I wanted to do a Flash dump on Linux.

I had to use reverse engineering + artificial intelligence (I used Claude Opus 4) by analysing the protocol using two UART adapters (one on the TX side and one on the RX side) and possibly the help of artificial intelligence to do the protocol analysis and make a flasher which I tested and made available on GitHub.

NationalChip devices use GxLoader (their version of Das U-Boot) to boot the system and are typically at baud 115200, this decoder also uses GxLoader then you can also do a flash dump and see the boot log of the device like the partition table (BOOT, TABLE, LOGO... etc). You can also see how much DRAM is in the device or the processor speed as for example on my device:


==============================================================================================
ID NAME    FS      CRC32     START    TOTAL_SIZE   MAIN_SIZE  USED_SIZE      Use%  RES_SIZE
==============================================================================================
0  BOOT    raw     D9382A16  00000000     128 KB     128 KB  121056  B      92%       0 MB
1  TABLE   raw               00020000     512  B     512  B     512  B     100%       0 MB
2  LOGO    raw               00020200   60928  B   60928  B   60748  B      99%       0 MB
3  V_OEM   raw     38C62E20  0002f000       4 KB       4 KB     352  B       8%       0 MB
4  KERNEL  raw     DFAD6088  00030000    2240 KB    2240 KB    2202 KB      98%       0 MB
5  ROOT    squashfs          00260000    1216 KB    1216 KB     728 KB      59%       0 MB
6  DATA    minifs            00390000     448 KB     448 KB       1  B       0%       0 MB
----------------------------------------------------------------------------------------------

GxLoader () Fri Jan 5 11:31:41 CST 2024 

cpu family   : CSKY
chip model   : gemini
board type   : 6702H5
memory size   : 64 MB
Flash type   : XM25QH32B/XM25QH32C/XM25QE32C
Flash size   : 4 MB
cpu freq   : 594 MHz
memory freq   : 672 MHz

GxLoader has 2 variants (https://dvbpro.ru/vosstanovlenie-pristavki-nationalchip-gx-posle-proshivki/ ):
- 64 KB BOOT partition - lite version, does not support doing software updates via USB
- 128 KB BOOT partition - normal version, supports performing software updates via USB (this decoder has 128 KB bootloader, so this feature is supported)

Some decoders have a bootloader 64 KB, others 128 KB so it is a surprise to get a better decoder that has a bootloader with the option to do software updates via USB.

You can also see the process of doing software accuualisation via USB on the UART if the decoder supports it:


...
USB0:   USB EHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
1 Storage Device(s) found
reading /recovery_all_force.rcv
reading /recovery_all.rcv
reading /recovery.rcv
nports = 2
warning: board-init not call function enable_dac, will open cvbs & ypbpr default.
protect len: 0x0
____________usb update____block_num = 64________
[usb_recover_proc]282 update proc 0%
[usb_recover_proc]282 update proc 1%
[usb_recover_proc]282 update proc 3%
[usb_recover_proc]282 update proc 4%
...
[usb_recover_proc]282 update proc 96%
[usb_recover_proc]282 update proc 98%
[usb_recover_proc]287 update proc finish
Update finish, please plug out!!!!!
restart...

Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Home page
/
Forum
/
Articles
/
Teardown
/
Interior and flash analysis of the DVBT-T2/HEVC decoder DVBT005-SH Shark

FAQ

TL;DR: Teardown of a DVB-T2/HEVC box shows 4 MB SPI flash and eCos+Linux assets; "The circuit is very simple." Flash dump exposes ROMFS and SquashFS (309 inodes) and UART pads enable GXDownloader/libre-gxdl access. [Elektroda, p.kaczmarek2, post #21820059]

Why it matters: This FAQ helps tinkerers dump, inspect, and modify DVBT005-SH Shark firmware safely and efficiently for repair or research.

Quick Facts

SoC: NationalChip GX6706S5 with external 25Q32CSIG SPI flash (32 Mbit / 4 MB). [Elektroda, p.kaczmarek2, post #21820059]
OS assets: eCos RTOS present; SquashFS 4.0 (xz) created 2024-12-12; 309 inodes detected. [Elektroda, p.kaczmarek2, post #21820059]
Power: Flyback PSU built around PN8147; typical 5 V rail plus 3.3 V and 1.8 V. [Elektroda, p.kaczmarek2, post #21820059]
I/O: HDMI, SCART, SPDIF, USB 2.0; IR remote with 4 programmable keys. [Elektroda, p.kaczmarek2, post #21820059]
Access: Exposed RX/TX pads; works with GXDownloader or libre-gxdl for flashing over UART/USB. [Elektroda, p.kaczmarek2, post #21820059]

What exactly is inside the DVBT005-SH Shark decoder?

One PCB hosts a PN8147 flyback PSU, NationalChip GX6706S5 SoC, 4 MB 25Q32CSIG SPI flash, HW650EO display/key driver, and an RF tuner can. The front has a four-digit 7-seg display and IR receiver. The underside is unpopulated. [Elektroda, p.kaczmarek2, post #21820059]

Which operating systems or file systems does the firmware use?

The flash contains eCos RTOS references, plus ROMFS and a SquashFS 4.0 partition compressed with xz. Binwalk shows SquashFS creation on 2024-12-12 and 309 inodes. "The basics are in place" for extraction. [Elektroda, p.kaczmarek2, post #21820059]

How do I dump the SPI flash safely with a CH341 programmer?

Desolder the 25Q32CSIG with hot air.
Read it using CH341 and NeoProgrammer on a PC.
Save a verified backup before any writes. This workflow produced a 4 MB image used for analysis. [Elektroda, p.kaczmarek2, post #21820059]

How can I extract the Linux assets from the dump?

Use binwalk to identify partitions, then run binwalk -eM on the 4 MB dump. This recovers SquashFS directories (bin, etc, mnt) and the Theme assets (BMP/JPG icons, XML). Keep directory timestamps if possible. [Elektroda, p.kaczmarek2, post #21820059]

What is eCos RTOS in this context?

eCos is an embedded real-time operating system. Here, strings and LZMA-packed content indicate an eCos-based component coexisting with ROMFS and SquashFS assets used by the TV middleware. [Elektroda, p.kaczmarek2, post #21820059]

What is SquashFS and why is it used here?

SquashFS is a compressed, read-only Linux filesystem. The decoder uses SquashFS 4.0 (xz) to store UI assets and configs compactly. It reduces flash use and speeds reads on limited DRAM. [Elektroda, p.kaczmarek2, post #21820059]

I see gxlowpower.fw. What is it?

gxlowpower.fw appears to be low-power firmware, likely for standby functions like IR and display. Its header suggests an 8051 architecture, and Ghidra decompiles it sensibly to C-like pseudocode. [Elektroda, p.kaczmarek2, post #21820059]

Can I flash or read the box over UART without desoldering?

Yes. RX/TX pads near the SoC expose a serial interface. Tools include GXDownloader Boot and the open-source libre-gxdl reimplementation for read/write over serial or USB. "The chip has a UART port out." [Elektroda, p.kaczmarek2, post #21820059]

What is CH341?

CH341 is a low-cost USB interface chip used in programmers to read and write SPI flash devices. The author used a CH341-based programmer with NeoProgrammer to dump the 25Q32CSIG image. [Elektroda, p.kaczmarek2, post #21820059]

Any pitfalls when updating or dumping firmware?

Edge case: The upgrade logic includes messages like "flash size is larger" and generic "Error occur!" A mismatched image or wrong size can halt updates. Always verify chip ID and image length before writing. [Elektroda, p.kaczmarek2, post #21820059]

What UI assets can I modify?

Theme XML maps image IDs to BMP/JPG paths. You can replace small BMP icons and larger JPG backgrounds. Watch for typos like "digtal" in XML and keep encoding (ISO-8859-1 or GB2312) consistent. [Elektroda, p.kaczmarek2, post #21820059]

Does the GX6706S5 include RAM, or is it external?

The family often integrates DRAM on-die. GX6705 has 64 MB. Information on GX6706 RAM size is not confirmed here. The design uses external SPI flash only for program storage. [Elektroda, p.kaczmarek2, post #21820059]

What are the decoder’s practical specs and outputs?

It supports DVB-T2/DVB-C, HEVC/H.264 up to 1080p, PVR/Timeshift, EPG, Teletext, DVB subtitles, HDMI, SCART, SPDIF, and USB 2.0. The IR remote offers four programmable buttons for TV control. [Elektroda, p.kaczmarek2, post #21820059]

How do I try decompiling the main CPU code?

The author attempted Ghidra with a C-Sky plugin for eCos content but did not get valid instruction decoding. You can still analyze strings and structures after LZMA decompression. [Elektroda, p.kaczmarek2, post #21820059]

What is ROMFS?

ROMFS is a minimal read-only filesystem for embedded devices. In this dump, ROMFS holds compressed eCos firmware, which you must decompress first, then inspect with standard tools. [Elektroda, p.kaczmarek2, post #21820059]

Is there a public copy of the original flash image?

Yes. A copy of the original batch is linked by the author on GitHub for reference and research. Always keep your own backup before testing that image. [Elektroda, p.kaczmarek2, post #21820059]

Interior and flash analysis of the DVBT-T2/HEVC decoder DVBT005-SH Shark

Didn't find an answer? Ask Artificial Intelligence