SamyGO

erdem_ua wrote:mprotect, Don't you wanted to license this sources like GPL?
And also It is good to copy aspect.so to /mtd_ram device before executing.

Good ideas. I'll add a check whether /mtd_ram is really a ram filesystem before copying, too. Copying to a wrong flash position can be dangerous...

Here are the separated telnet-enable and avrfix2-packages:

Erdem, the VideoAR Fix v2 attached to this thread is with Telnet enable and for CHLCIPDEUC-2005 Firmware. What about the telnet enable included with this VideoAR Fix? Will it collide with the now permanently (by the patched FW) enabled telnet? Will this VideoAR Fix also work with the CHLCIPDEUC-200...

I just tested PRE4 a bit. After patching validinfo.txt looks like this: I think there's missing a leading '0' in the checksum (checksum is right).

Erdem, I tried to decrypt an image encrypted with the patch-tool you developed. I get a message I think thats the error preventing successfull flashing.

Just feeding 16 bytes at the end of de-/encryption is the wrong way. You need to call a final-routine.

g-l-l4x0r7 wrote: Where is the mistake? RSA-Disable didn't work?

Edit: dmsg -> <4> RSA_verify at 0x801864 patched.

If that messages appears the RSA_verify function has been patched. Did you update validinfo.txt, too? Please check this file and the directory structure on the usb stick.

Couldn't we disable it via application itself via executing /mtd_boot/MicomCtrl 23 command? I advise to disable the watchdog to enhance the chances to repair a broken TV (in case exeDSP doesn't start anymore). And a login possibility is importent to be able to switch to the other flash partition. A...

About flashing modified firmware. It isn't possible to flash TV with encrypt_update programs output, right? Wrong. That's why I created the "RSA disable" game. And if checksums are generated after flashing, than we can hack exeDSP via IDA as at CI devices (like for implementing Video ARFi...

I wanted to ask mprotect that, what If we leave signature area null at re-encrypted file? Is kernel complain about that? Or it is only check executables and kernel modules instead of whole image? And doesn't understand encryption code at Salt. Why don't we use "SamyGO__" as salt? AFAIk th...

tried different cip firmwares but no success, or do i miss the point? ./decrypt_update T-CHUCIPDEUC/image/exe.img.sec exe.img Decryption completed, CRC=0x43b976b9. /decrypt_update T-CHUCIPDEUC/image/appdata.img.sec appdata.img Decryption completed, CRC=0x5f2e612f. cat T-CHUCIPDEUC/image/validinfo.t...