Search found 37 matches

by cyberdemon79
Fri Feb 25, 2011 12:26 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

Hi, my tool is for now read-only on purpose. Writing the hashes would be easy to implement, but I don't know if a simple (fopen, fseek, fwrite, fclose) to /dev/bml0/3 would break something and I would feel very bad if a TV got bricked because of my tool. If someone has experience in modifying his has...
by cyberdemon79
Mon Dec 06, 2010 10:43 am
Forum: [C] Firmware
Topic: TOP Debug menu for C models via ExLink
Replies: 25
Views: 34228

Re: Top Debug Menu for C models via exlink

Hi there, petergrey found a way to patch the character checking routine in memory using direct memory writes and only numbers. You can find his post here: http://forum.samygo.tv/viewtopic.php?f=2&t=289&p=5650&hilit=tty#p5650 (this is for a B550 CI+ and can't be applied to a C series tv w...
by cyberdemon79
Sat Dec 04, 2010 1:28 am
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

Faster implementation (source included)
by cyberdemon79
Fri Dec 03, 2010 7:30 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

I have compiled the program and it is attached below. Here's the output on my tv (LExxB650T2P, firmware 2007.1):

# ./calchash
str_hash 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
AES_CMAC 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
mkey 7c ed 26 d8 ca 2f a0 f8 0b c6 37 e2 ff 07 ec 46
detecte...
by cyberdemon79
Fri Dec 03, 2010 3:40 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

Hi there, I modified the program to display and check all available hashes on the tv. When executed it grabs the hashes for kernel, uboot, fnw, authuld, root and boot from /dev/bml0/3, tries to detect the flashtype (128, 1000 or 2000) and on which partition mtd_exe and mtd_appdata are mounted. Then ...
by cyberdemon79
Thu Dec 02, 2010 3:07 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

Forgot to add: The hardcoded mkey is correct for a LxxxB650T2P (CI+ model), it may be different for other tvs. Be very careful if you want to modify your stored hashes and keep away from hash in /dev/bml0/3 (don't modify them, executing the program on them should be safe) if you miscalculate one of ...
by cyberdemon79
Thu Dec 02, 2010 2:58 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Defeating authuld protection on CI+ devices

Hi, the following program calculates the hash for a given partition or file.

usage: ./calchash filename length

For example, if you want to check the hash for the file /dev/bml7 (fnw partition), you would call it in this way:

./calchash /dev/bml7 909312

The hashes for the kernel partition, uboot and...
by cyberdemon79
Tue Nov 30, 2010 6:41 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Restore of mac_config_file.mac possible?

The mkey for (most ?) LxxxB650 CI+ and maybe other TVs too is

7c ed 26 d8 ca 2f a0 f8 0b c6 37 e2 ff 07 ec 46
I haven't tried it, but the algorithm should be in init/aes-cmac.c
from the LE37B650 CI+ kernel sources.
by cyberdemon79
Tue Nov 30, 2010 4:44 pm
Forum: [B] Firmware
Topic: Defeating authuld protection on CI+ devices
Replies: 82
Views: 63774

Re: Restore of mac_config_file.mac possible?

Hi there, the hashes are calculated over an entire partition (/dev/tbml8 for example (mtd_exe)). It is an AES_CMAC algorithm which uses a common key (mkey) and works on the partition data. The mkey is calculated by the tv's onboard hardware cipher from the so-called cmac key. The security of the CI+ ...
by cyberdemon79
Tue Nov 30, 2010 3:13 pm
Forum: [B] Support
Topic: [SOLVED] Restore of mac_config_file.mac possible?
Replies: 8
Views: 3655

Re: Restore of mac_config_file.mac possible?

Hi there, as soon as you have a shell, type

killall authuld

That should buy you a few minutes (I think about 3). If authuld is running, it will alert the kernel as soon as it detects an inconsistency between the files present on your tv and their stored hashes (on bml3). If you kill the authuld pro...
