[How-To] Hacking C series TV. Models with Internet@TV only

Here is information about customizing your C series firmware. This forum is NOT for dummy-user questions or problems, but for DEVELOPERS.

juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Hacking C series TV. It`s already done!

Post by juusso »

borkuz wrote: Hi, I am wondering if this also works on a Samsung LE37C550?
TVs w/o widget function haven't been hacked yet and this hack does not work. But don't worry, the process is going on and we have some results on C550 (unfortunately negative yet: at least two c550 dead and one c650 bricked too).
dredkin wrote: BTW, the only step where ext3 is really important is the step 5-8 (where usb_hotplug.sh is copied to /mtd_rwarea through widget, because widget cannot do chmod), in all the other steps usb stick can be FAT, no problem, only don't forget to chmod all the files copied to tv.
Yes, I know. Here were some people who have had errors with fat32. This is because I wrote about ext3 as an alternative to fat32.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: Hacking C series TV. It`s already done!

Post by sbav1 »

bastler0815 wrote:So I think the data what options are used or blocked from the Service Menue or Model has to be stored somewhere else ... anybody some other Ideas ?!?!
/mtd_exe/Factory*.dat file[s] are each-and-everything option database (read-only, tree-like structured data used by factory/service menu firmware functions). AFAIK, actual configuration settings (factory/service/special item values, user settings, panel hours counter, various TV calibrations etc.) are stored in dedicated NVRAM/EEPROM chip connected to I2C bus.
Configuration storage implementation in recent Samsung TVs is quite complex: there are settings cache[s], built-in "protections" and checksums, somehow correlated file[s] stored in NAND flash filesystem (i.e.: /mtd_rwarea/nvramCount: I'm not sure - is it configuration backup, or maybe just NVRAM checksum of some kind - ?).

Just to make things even more interesting, apparently there are some functions in firmware for configuration cloning/storing/restoring (CCloneControlBase:: class in B-series, and CloneUSB:: class in C-series).

So far, it's not a well-researched topic; there may be some dangers involved; take care while experimenting!
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: Hacking C series TV. It`s already done!

Post by timoo »

btw
mtd_exe/rc.local

if [ -e /mtd_rwarea/start.sh ]; then
echo "user start.sh found!"
/mtd_rwarea/start.sh
else ...

We can start telnet etc. on every boot from start.sh; no need to insert a flash disk :)
bastler0815
Posts: 104
Joined: Thu Jun 17, 2010 8:38 pm

Re: Hacking C series TV. It`s already done!

Post by bastler0815 »

Hi
I also thought that the Model values are stored at an external memory device ...

here I had posted a (low res) pic of the TV mainboard:

http://forum.samygo.tv/viewtopic.php?f= ... t=20#p6971

There are some ICs with 8 pins but hard to say which could be "the one" ?! :)

Regards
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Hacking C series TV. It`s already done!

Post by juusso »

timoo wrote:btw
mtd_exe/rc.local
if [ -e /mtd_rwarea/start.sh ]; then
It is done unsuccessfully. The code was changed to:

Code:

export KF_LOG=/dev/null;/mtd_rwarea/SamyGO.sh&
And - dead c650 as result.
The problem is that /mtd_exe is read-only, and changing something in exe.img is very dangerous, because checksums, hashes and something else are controlled by authuld. Another problem is that bml.restore does not work; we have stl.restore instead, and an unknown method for flashing a changed image to the TV.

Code:

~ # stl.restore /dev/stl0/17 /dtv/usb/sda1/stl017
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
~ # cat /dev/stl0/17 > /dtv/usb/sda1/stl017_tst
~ # cat /dev/bml0/17 > /dtv/usb/sda1/bml017_tst
~ # sync
The stl 0/17 dump after reflash was identical to the changed one, but the bml dump was fully changed. After the command

Code:

mount -t rfs -r /dev/stl0/17 /mtd_exe/
the partition was mounted w/o errors, but after restart the TV goes into a reboot every 20s. :|
bastler0815
Posts: 104
Joined: Thu Jun 17, 2010 8:38 pm

Re: Hacking C series TV. It`s already done!

Post by bastler0815 »

Hi,

as you take a look at the partition.txt there are 2 rootfs and kernel partitions ... so as written before it seems like a fallback option.
Here at the UE40C6700 the U-Boot partition also is empty.

Regards
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Hacking C series TV. It`s already done!

Post by juusso »

Execute

Code:

toggle
in telnet. After reboot your TV boots to the alternative partitions.
bastler0815
Posts: 104
Joined: Thu Jun 17, 2010 8:38 pm

Re: Hacking C series TV. It`s already done!

Post by bastler0815 »

That's what I found in etc/rc.local

Code:

#############################emergency handling##############################
echo "Application running is failed..try to do emergency state handling"

if [ "$UseSecondPartition" = "true" ]; then
	if [ -e $PARTITION_CHECK_1ST ]; then
		echo "no sub SW image...going shutdown"
		$MICOM_BASE/shutdown
	else
#		echo "rollback to 1.."
		echo "current partition 2nd is corrupted. roll back to sub partition 1st"
		rm -f $PARTITION_VERSION_2ND
		touch $PARTITION_CHECK_2ND
		sync
		$MICOM_BASE/toggle
	fi
else
	if [ -e $PARTITION_CHECK_2ND ]; then
		echo "no sub SW image...going shutdown"
		$MICOM_BASE/shutdown
	else
#		echo "rollback to 2.."
		echo "current partition 1st is corrupted. roll back to sub partition 2nd"
		rm -f $PARTITION_VERSION_1ST
		touch $PARTITION_CHECK_1ST
		sync
		$MICOM_BASE/toggle
	fi
fi

echo "reboot system..."
$MICOM_BASE/reboot

#############################emergency handling##############################
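
The fallback logic in the rc.local excerpt above, modelled as an added example that is not part of the original post or of the firmware. The marker file paths and the behaviour of the `toggle` stand-in are assumptions, since the thread does not show the real values; the simulation goes slightly beyond the excerpt by replaying consecutive failed boots.

```sh
# Added example: the rc.local emergency branch modelled in a scratch directory.
# Marker file paths are constructed; the thread does not show the real ones.
STATE_DIR=$(mktemp -d)
trap 'rm -rf "$STATE_DIR"' EXIT
PARTITION_CHECK_1ST="$STATE_DIR/check_1st"
PARTITION_CHECK_2ND="$STATE_DIR/check_2nd"
PARTITION_VERSION_1ST="$STATE_DIR/version_1st"
PARTITION_VERSION_2ND="$STATE_DIR/version_2nd"

# Stand-in for $MICOM_BASE/toggle (assumed behaviour): flip the boot slot.
toggle() {
    if [ "$UseSecondPartition" = "true" ]; then UseSecondPartition=false
    else UseSecondPartition=true; fi
}

# Decision tree of the quoted script, run when the application fails to start.
# Sets LAST_ACTION to "rollback" or "shutdown" instead of calling micom tools.
emergency_handling() {
    if [ "$UseSecondPartition" = "true" ]; then
        other_check=$PARTITION_CHECK_1ST
        own_check=$PARTITION_CHECK_2ND
        own_version=$PARTITION_VERSION_2ND
    else
        other_check=$PARTITION_CHECK_2ND
        own_check=$PARTITION_CHECK_1ST
        own_version=$PARTITION_VERSION_1ST
    fi
    if [ -e "$other_check" ]; then
        LAST_ACTION=shutdown          # the other slot is already marked bad
    else
        rm -f "$own_version"
        touch "$own_check"            # mark the running slot as corrupted
        toggle
        LAST_ACTION=rollback
    fi
}

# Boot slot 1 with clean markers, fail $1 times in a row, print each action.
simulate_failures() {
    rm -f "$STATE_DIR"/check_*; UseSecondPartition=false; actions=""; i=0
    while [ "$i" -lt "$1" ]; do
        emergency_handling
        actions="${actions:+$actions }$LAST_ACTION"
        i=$((i + 1))
    done
    echo "$actions"
}

simulate_failures 2
```

Two failures in a row print `rollback shutdown`: once both slots carry a check marker, the script has no image left to fall back to.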
erdem_ua
SamyGO Admin
Posts: 3125
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: Hacking C series TV. It`s already done!

Post by erdem_ua »

Congratulations, we have C series NFS share at least.
I moved this topic to new C series forum.
:)
timoo
Posts: 119
Joined: Mon Aug 16, 2010 6:43 pm
Location: Czech Republic

Re: Hacking C series TV. It`s already done!

Post by timoo »

juusso wrote:
timoo wrote:btw
mtd_exe/rc.local
if [ -e /mtd_rwarea/start.sh ]; then
It is done unsuccessfully. The code was changed to:

Code:

export KF_LOG=/dev/null;/mtd_rwarea/SamyGO.sh&
And - dead c650 as result.
The problem is that /mtd_exe is read-only, and changing something in exe.img is very dangerous, because checksums, hashes and something else are controlled by authuld. Another problem is that bml.restore does not work; we have stl.restore instead, and an unknown method for flashing a changed image to the TV.

Code:

~ # stl.restore /dev/stl0/17 /dtv/usb/sda1/stl017
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
~ # cat /dev/stl0/17 > /dtv/usb/sda1/stl017_tst
~ # cat /dev/bml0/17 > /dtv/usb/sda1/bml017_tst
~ # sync
The stl 0/17 dump after reflash was identical to the changed one, but the bml dump was fully changed. After the command

Code:

mount -t rfs -r /dev/stl0/17 /mtd_exe/
the partition was mounted w/o errors, but after restart the TV goes into a reboot every 20s. :|
Running /mtd_rwarea/start.sh was removed in later firmware; I found this piece of code in version 1008.3 :/
