Mstar Bin Beta 3 | Unpack

When successful, the console prints something like:

[+] MStar BIN Beta 3 Unpacker starting...
[+] File size: 8,388,608 bytes (8 MB)
[+] No standard XOR header found. Brute XOR key 0xA5... matched at offset 0x200.
[+] De-XORed buffer written to temp_xor.bin
[+] Found UBOOT image at offset 0x400 (size 0x60000)
[+] Found SquashFS big-endian signature at offset 0x70000
[+] Extracting filesystem...
[+] Separation complete: boot.bin, kernel.bin, rootfs.squashfs

The output folder now contains discrete binary files. The rootfs.squashfs can be mounted or unsquashed:

unsquashfs rootfs.squashfs

You now have access to every Linux file in the TV’s operating system: init scripts, logos, web interfaces, and even hidden diagnostic tools.

Cause: The manufacturer used a non-standard XOR key or a more complex scrambling scheme (e.g., rolling XOR).
Fix: Use the brute-force XOR scanner within Beta 3: --brute-xor-range 0x00-0xFF. If that fails, try an alternative unpacker such as mstar-bin-tool from GitHub, which supports AES-ECB decryption for newer chips (T6 series).
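The single-byte key scan over 0x00-0xFF described above can be reproduced by hand to check what an unpacker reports. This is an added Python example, not code from Beta 3 or mstar-bin-tool; the function names and the sample image are constructed here, and it assumes one fixed key byte, so rolling-XOR or AES-protected images yield no candidate.

```python
# Added example: recover a single-byte XOR key by searching for known
# firmware magics. The magic values are the standard ones; the sample
# image is constructed for this demonstration.
MAGICS = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"sqsh": "SquashFS (big-endian)",
    b"hsqs": "SquashFS (little-endian)",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return data.translate(bytes(b ^ key for b in range(256)))

def find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)

def brute_xor(data: bytes, keys=range(0x00, 0x100), min_distinct=2):
    """Return [(key, [(offset, label), ...])], most hits first.

    Each magic is scrambled with the key and searched for in the raw
    buffer. A 4-byte magic can match by chance in a multi-megabyte image,
    so a key is reported only if it exposes at least min_distinct
    different magics. Key 0x00 means the image is not scrambled.
    """
    candidates = []
    for key in keys:
        hits = sorted(
            (off, label)
            for magic, label in MAGICS.items()
            for off in find_all(data, xor_bytes(magic, key))
        )
        if len({label for _, label in hits}) >= min_distinct:
            candidates.append((key, hits))
    return sorted(candidates, key=lambda c: -len(c[1]))

def build_sample(key: int = 0xA5) -> bytes:
    """Constructed 4 KiB image: uImage magic at 0x400, SquashFS at 0x800."""
    plain = bytearray(0x1000)
    plain[0x400:0x404] = b"\x27\x05\x19\x56"
    plain[0x800:0x804] = b"sqsh"
    return xor_bytes(bytes(plain), key)

if __name__ == "__main__":
    for key, hits in brute_xor(build_sample()):
        print(f"key 0x{key:02X}:", [(hex(o), name) for o, name in hits])
```

An empty result across the whole key range is the signal to stop treating the image as single-byte XOR and consider the other causes listed here.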

Sometimes the tool extracts the kernel and bootloader but fails on RootFS, outputting a .squashfs.raw file that cannot be mounted. This usually indicates a non-standard compression block size or a vendor-modified Super partition.

Some forums (4pda, XDA, FreakTab) released MStarBinTool_beta3 as an improved unpacker for newer MStar firmware with changed offsets.

Typical usage (beta 3):

./mstar_bin_tool_beta3 unpack input.bin ./unpacked

Or on Windows:

The proprietary MStar header must be calculated to find the true start of the code. Using a custom Python script, we stripped the first N bytes based on the header size field located at offset 0x4.

Many newer MStar devices (especially those with HDCP 2.2 and Widevine L1) encrypt the .bin file using AES or a proprietary scrambling algorithm. Beta 3 cannot decrypt these files. You would first need a decryption key (often extracted from the device’s RAM via UART).