LKV373 - v3l0c1r4pt0r/lkv-wiki GitHub Wiki

It seems to be an older design than the LKV373A and does not use the same architecture.

There are at least 2 different revisions, V1 and V2.

HARDWARE

Pictures of the units (V1) are on Danmans Blog.

The SoC is a Taifatech TF-680. A datasheet is available, but it does not contain many details (memory map, peripherals, ...).

The HDMI receiver on the transmitter unit is an IT6604E.

On V2 the firmware is stored in a 4 MB KH25L3233F flash chip. Basic support for it can be hacked into flashrom.

The RAM (on V2) is a 4Mx32 IS45S32400E (16 MB).

The Ethernet MAC is inside the SoC; the PHY (on V2) is an IC+ IP101A.

There is also an EEPROM, presumably holding the EDID for the HDMI DDC channel. Its content can be downloaded through the web server to make a backup: http://192.168.168.55/backup.edid

HEADERS/PINOUTS

On V2 there are 3 unpopulated headers:

One above the Ethernet port; its purpose is unknown.

Two between the RAM and the HDMI receiver. The upper one is connected to the UART of the SoC (from left to right: GND - RXD - TXD - 3.3 V); the purpose of the lower one is unknown.

SERIAL CONSOLE

On the UART header described above. 115200 8N1, 3.3 V. It drops into a shell with various commands, without any login.

FIRMWARE

The firmware image for the transmitter unit can be found here. Note that the file lkv373**-new**.bin does not work with the transmitter unit V2.

The firmware file can be split into two parts, separated by a long run of 0xFF bytes.

Part 1 begins at 0x00000000. It contains references to a chip called EP932E, which is an HDMI transmitter, and to a chip called EP9853, which is a dual HDMI receiver.

At 0x0004FF00 inside the file there is a magic number and the size of the code.

Part 2 begins at 0x00050000. It only contains references to the EP932E (the HDMI transmitter) and some default logins of unknown use (admin/1234). Part 2 can be overwritten from the web UI by uploading a firmware file. The upload accepts any file with a .bin extension and performs no validation of the content, so the device can easily be bricked (be careful!).

Part 1 contains a bootloader with a simple web server. During normal operation it only copies part 2 to SRAM and then changes the memory mapping (remap bit) to switch execution to part 2, which does all the work.

THE SOC

It's a TF-680 from Taifatech, a defunct company now known as Kiwi-Tec. It has an Andes NDS32 CPU core (N10, rev 0x14), a 32-bit little-endian RISC core; the architecture is called "AndeStar". The Instruction Set Architecture Specification, as well as some bits and pieces about the UART and other peripherals, can be found under this URL: http://twins.ee.nctu.edu.tw/courses/embedlab_09/ . There is also a datasheet for the AG101P, but it does not seem to match much of the TF-680; at least it contains some valid info for the serial port.

GNU binutils has supported this architecture since version 2.24 (see here). To build it, unpack the tarball and execute ./configure --target=nds32le-unknown-linux-gnu && make (the "le" stands for little endian). Beware that the assembler is broken: it does not handle labels properly. A fix would be great.

radare2 does not support this architecture. kitten_nb_five has done some work towards very basic support; see his GitHub.

As of today not much information about the memory map or the peripheral registers is available. It is known, however, that the I/O is mapped in the 0x90000000 region. Some details have been found on the internet and/or guessed; see kitten_nb_five's simulator code. The UART lives at 0x99600000; the UDR (UART Data Register) is at offset 0x00.

Timer1 fires an IRQ every millisecond during normal operation; this is used for task switching.

The SoC runs the µC/OS-II operating system:

  • Several references to the OS name are in the blob.
  • The µC/OS-II priority resolution table, a fixed 256-byte set, appears in the blob. Source code to the OS is available here.
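The firmware layout described above (two parts split by a run of 0xFF, a header at 0x0004FF00, chip-name strings) and the µC/OS-II fingerprint can both be checked with a short script. The following is an added example, not code from this wiki or from the LKV373 firmware: it carves a blob on long 0xFF runs, returns the raw bytes at the header offset, lists which chip strings each part contains, and searches each part for the 256-byte OSUnMapTbl, which it regenerates from the table's definition (lowest set bit of the index) rather than copying. It also gives a client-side pre-flight check for a part-2 image, because the web UI upload does none. The sample image is constructed inline; the header magic 'LKV?' and its size field are invented placeholders, the exact spelling of the OS name string and the minimum run length that counts as "lots of 0xFF" are assumptions.

```python
"""Added example, not code from the lkv-wiki project or its author: carve an
LKV373 (non-A) firmware image into the two parts described in the wiki, return
the raw header bytes at 0x0004FF00, list chip-name strings per part and
fingerprint uC/OS-II by searching for its 256-byte priority resolution table.
The sample image is constructed inline; header layout (magic 'LKV?' plus a
little-endian size) is an invented placeholder."""
import re
import struct

FF_RUN_MIN = 0x80            # assumption: a gap is a run of >= 128 bytes of 0xFF
HEADER_OFF = 0x0004FF00      # wiki: magic number + code size are found here
PART2_OFF = 0x00050000       # wiki: part 2 begins here
# strings the wiki reports inside the blob (exact spelling of the OS name assumed)
NEEDLES = (b"EP932E", b"EP9853", b"uC/OS-II", b"admin")


def os_unmap_tbl() -> bytes:
    """Regenerate uC/OS-II's OSUnMapTbl from its definition instead of copying it:
    entry i is the bit number of the lowest set bit of i (the lowest priority
    number is the highest priority in uC/OS-II); entry 0 is defined as 0."""
    tbl = bytearray(256)
    for i in range(1, 256):
        tbl[i] = (i & -i).bit_length() - 1
    return bytes(tbl)


def carve_parts(blob: bytes, min_run: int = FF_RUN_MIN):
    """Split blob at every run of at least min_run 0xFF bytes (erased flash).
    Returns [(file_offset, data), ...] for the non-filler chunks."""
    parts, pos = [], 0
    for m in re.finditer(rb"\xff{%d,}" % min_run, blob):
        if m.start() > pos:
            parts.append((pos, blob[pos:m.start()]))
        pos = m.end()
    if pos < len(blob):
        parts.append((pos, blob[pos:]))
    return parts


def find_strings(data: bytes, needles=NEEDLES):
    """Offsets of every needle inside data (empty list when absent)."""
    return {n.decode(): [m.start() for m in re.finditer(re.escape(n), data)]
            for n in needles}


def analyse(blob: bytes):
    """Per-chunk report: offset, size, chip strings and the offset of the
    OSUnMapTbl (-1 when absent); finding the table is strong evidence for uC/OS-II."""
    tbl = os_unmap_tbl()
    return [{"offset": off, "size": len(data), "strings": find_strings(data),
             "unmap_tbl": data.find(tbl)}
            for off, data in carve_parts(blob)]


def looks_like_part2(data: bytes) -> bool:
    """Client-side pre-flight check before handing a .bin to the web UI, which
    validates nothing itself. Heuristic (assumption): a part-2 image should carry
    the EP932E string and the OSUnMapTbl; this is not a signature check."""
    return bool(find_strings(data)["EP932E"]) and data.find(os_unmap_tbl()) >= 0


def build_sample_image() -> bytes:
    """Constructed sample laid out as the wiki describes: part 1 at 0, a header
    at HEADER_OFF inside the 0xFF gap, part 2 at PART2_OFF."""
    part1 = b"\x00" * 0x40 + b"EP932E\x00EP9853\x00bootloader webserver\x00"
    part1 += b"\x00" * (0x1000 - len(part1))
    part2 = b"\x00" * 0x20 + b"EP932E\x00uC/OS-II\x00admin\x001234\x00"
    part2 += b"\x00" * 0x300 + os_unmap_tbl() + b"\x00" * 0x40
    header = b"LKV?" + struct.pack("<I", len(part2))      # invented layout
    img = bytearray(part1)
    img += b"\xff" * (HEADER_OFF - len(img))
    img += header
    img += b"\xff" * (PART2_OFF - len(img))
    img += part2
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("header @%#x: %s" % (HEADER_OFF, image[HEADER_OFF:HEADER_OFF + 16].hex()))
    for c in analyse(image):
        hits = {k: v for k, v in c["strings"].items() if v}
        print("%#08x %6d bytes unmap_tbl=%d %s" % (c["offset"], c["size"], c["unmap_tbl"], hits))
    print("part 2 passes pre-flight:", looks_like_part2(carve_parts(image)[-1][1]))
```

On a real dump, replace build_sample_image() with open("lkv373.bin", "rb").read(); the tiny chunk the carver reports just before 0x00050000 is the header region, and a part whose OSUnMapTbl offset is not -1 is the one running µC/OS-II. The table search is a cheap OS fingerprint that works on any architecture, because the table is plain data and does not depend on the instruction encoding.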

KNOWN FUNCTIONS

There are at least 2 printf()-like functions.

The first one is located at 0x65f0, with $r0 always 0xfa and $r1 holding the address of the format string. It is unknown whether the remaining arguments are passed in $r2 and following or via the stack.

The second one is located at 0x6ad8 and takes the following arguments:

  • $r0 - always 1
  • $r1 - always 0xfa
  • $r2 - format string
  • $r3-$r5 - arguments according to the format string
  • further arguments are passed on the stack

Either $r0 or $r1 likely points the printf() to the UART output.

There also seems to be some kind of output function at 0x14edc.

Some more identified functions are listed in known_funcs.pm on kitten_nb_five's GitHub.