Add rescue scripts /enable full ExLink console on C series

juusso
SamyGO Moderator
Posts: 10125
Joined: Sun Mar 07, 2010 6:20 pm

Add rescue scripts /enable full ExLink console on C series

Post by juusso » Wed May 18, 2011 10:41 am

Hi,

After a few bricks of C series TVs last week, I want to share some solutions (thanks gao_atc and solevi).
It is known that the console after a TV brick is restricted to input 0-9 and A-F, and it is almost worthless in case of a brick (except if the TV was hacked and executes scripts from USB).

The idea is tested and enabling the full console works. Look at the log:

Code:

20089999

====================================
      [ TOP Debug Menu]
------------------------------------
  1  : SubSystem Print On/Off
  2  : Platform Print Setting
  3  : TD Print Setting
  4  : Performance Print Setting
  5  : Sdal Print Setting
  6  : Sdal Trace Setting
  10 : Factory Debug
  11 : TD Debug
  12 : SubSystem DBG
  13 : SubSystem Info Print
  20 : Performance File Write
  21 : Louvre Print Setting
------------------------------------
  70 : Jade Debug
====================================
  99 : Exit
====================================
DBG> : 11

==============================
 [ TD Debug Menu ]
------------------------------
 0x01  : TDc Debug
 0x02  : TDi Debug
 0x03  : SDAL Debug
 0x04  : SPCScreen Debug
 0x05  : Sequence Test
 0x06  : Amp mute on/off
 0x07  : SdAVDec_Debug
 0x08  : SdMisc Debug
 0x09  : SdTSData_Debug
------------------------------
 0x20  : System Shell
 0x21  : Get SDAL version
 0x22  : Get Kernel driver version
------------------------------
 0x99  : Exit Debug
------------------------------
TD>: 0x20
SELP#>
SELP#>
SELP#>
SELP#>
SELP#>
SELP#>
SELP#>

SELP#>
SELP#> asdf
/bin/sh: asdf: not found
SELP#> ls -al
total 66052
drwxr-xr-x    8 root     0              466 Aug  9 11:54 .
drwxrwxrwx   24 root     0              458 Aug  9 11:03 ..
drwxr-xr-x    2 root     0              108 Aug  9 11:54 Comp_LIB
drwxr-xr-x    2 root     0              156 Aug  9 11:54 EDID
-r--r--r--    1 root     0                6 Aug  9 11:54 EXE_IMG_VER
-rwxr-xr-x    1 root     0          5059912 Aug  9 11:54 Factory_Part1.dat
-rwxr-xr-x    1 root     0           652372 Aug  9 11:54 Factory_Part2.dat
drwxr-xr-x    3 root     0               20 Aug  9 11:54 InfoLink
-r--r--r--    1 root     0             8547 Aug  9 11:54 LifeScenario
drwxr-xr-x    3 root     0              161 Aug  9 11:54 RUIC
-rwxr-xr-x    1 root     0               13 Aug  9 11:54 ReleaseInfo
-r--r--r--    1 root     0             9764 Aug  9 11:54 SpecialItemNumber.txt
drwxr-xr-x    2 root     0               69 Aug  9 11:54 WIFI_LIB
-r-xr-xr-x    1 root     0           204085 Aug  9 11:54 audioencoder.bin
-r-xr-xr-x    1 root     0          2179151 Aug  9 11:54 avdecoder.bin
-r-xr-xr-x    1 root     0           351044 Aug  9 11:54 database_SX1.TSE
-rwxr-xr-x    1 root     0         55180264 Aug  9 11:54 exeDSP
drwxr-xr-x    2 root     0              580 Aug  9 11:54 lib
-rwxr-xr-x    1 root     0           564648 Aug  9 11:54 libSDAL.so
-rwxr-xr-x    1 root     0          2943468 Aug  9 11:54 libTrident.so
-rwxr-xr-x    1 root     0           118172 Aug  9 11:54 libptp.so
-rwxr-xr-x    1 root     0            40772 Aug  9 11:54 libusb.so
-rwxr-xr-x    1 root     0            92813 Aug  9 11:54 libz.so
-rwxr-xr-x    1 root     0           212928 Aug  9 11:54 monolithic.ko
-rwxr-xr-x    1 root     0              230 Aug  9 11:54 otpcheck.sh
-r--r--r--    1 root     0             1651 Aug  9 11:54 partition.txt
-rw-r--r--    1 root     0             2257 Aug  9 11:54 prelink.cache
-r--r--r--    1 root     0              198 Aug  9 11:54 prelink.conf
-r-xr-xr-x    1 root     0              907 Aug  9 11:54 rc.local
-r--r--r--    1 root     0               92 Aug  9 11:54 rc.local.rfs
SELP#>

Enabling the console over ExLink is done by executing this script:

Code:

#!/bin/sh
/bin/cttyhack /bin/sh

The native console is limited, but it executes scripts from /etc/Scripts/CIP (in higher models, and /sbin in lower models), and there is already one script there (CB for <c650 models or 8282119 for higher versions). The idea is to create a custom rootfs (or just mount --bind for tests) with a script called, for example, 333 with the code above and rwx-r-xr-x permissions.

Could anyone test this:

1. Place the script 333 in /mtd_rwarea/CIP
2. mount --bind it to the right place:

Code:

mount --bind /mtd_rwarea/CIP /etc/Scripts/CIP

3. Connect ExLink, get the limited console and enter:

Code:

333

If everything is as expected, the full console is enabled.

To enable the full console permanently, it is necessary to edit the rootfs, in the file /etc/inittab.

Before:

Code:

#::respawn:/bin/cttyhack /bin/sh
::respawn:/bin/cttyhack -/bin/sh

After:

Code:

::respawn:/bin/cttyhack /bin/sh
#::respawn:/bin/cttyhack -/bin/sh
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: Add rescue scripts /enable full ExLink console on C series

Post by mirsev » Wed May 18, 2011 4:10 pm

What about watchdog?

juusso
SamyGO Moderator
Posts: 10125
Joined: Sun Mar 07, 2010 6:20 pm

Re: Add rescue scripts /enable full ExLink console on C series

Post by juusso » Wed May 18, 2011 4:15 pm

Sure, the hash of the rootfs must be calculated and written to the right places.
Silly question - does the hash change if we just move # from the first line to the second? We do not add or remove any additional chars...

mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: Add rescue scripts /enable full ExLink console on C series

Post by mirsev » Wed May 18, 2011 4:37 pm

juusso wrote:
> Sure, the hash of the rootfs must be calculated and written to the right places.
> Silly question - does the hash change if we just move # from the first line to the second? We do not add or remove any additional chars...

Of course, the hash will change. It will change not only because of moving one byte from one place to another, but also because the squashfs will have different timestamps. Also, since squashfs is compressed, it will be quite different from the original even if you change a single byte.

However, calculating hashes is not a problem anymore. Remember that you will need to disable the watchdog if it is active.

plasticassius
Posts: 59
Joined: Fri Dec 17, 2010 12:37 am

Re: Add rescue scripts /enable full ExLink console on C series

Post by plasticassius » Fri May 27, 2011 4:55 pm

juusso wrote:
> The idea is tested and enabling the full console works. Look at the log:

I get this:

Code:

20089999

====================================
      [ TOP Debug Menu]
------------------------------------
  1  : SubSystem Print On/Off
  2  : Platform Print Setting
  3  : TD Print Setting
  4  : Performance Print Setting
  5  : Sdal Print Setting
  6  : Sdal Trace Setting
  10 : Factory Debug
  11 : TD Debug
  12 : SubSystem DBG
  13 : SubSystem Info Print
  20 : Performance File Write
  21 : Louvre Print Setting
------------------------------------
  70 : Jade Debug
  80 : PVR Debug
====================================
  99 : Exit
====================================
DBG> : 11

==============================
 [ TD Debug Menu ]
------------------------------
 0x01  : TDc Debug
 0x02  : TDi Debug

 0x03  : SDAL Debug
 0x04  : spI Debug
 0x05  : Sequence Test
------------------------------
 0x99  : Exit Debug
------------------------------
TD>: 0x20
command not found

What did you do that I am missing?
I take it you added something to the firmware.
---
LE37C670 T-VALDEUC_3005.1

juusso
SamyGO Moderator
Posts: 10125
Joined: Sun Mar 07, 2010 6:20 pm

Re: Add rescue scripts /enable full ExLink console on C series

Post by juusso » Fri May 27, 2011 5:29 pm

This is executed over telnet...

Code:

/bin/cttyhack /bin/sh

No working implementation by changing firmware/rootfs, just an idea that works if combined with telnet. :roll:

plasticassius
Posts: 59
Joined: Fri Dec 17, 2010 12:37 am

Re: Add rescue scripts /enable full ExLink console on C series

Post by plasticassius » Fri May 27, 2011 9:03 pm

Sounds like an interesting idea, but my firmware is somehow different. It doesn't have /bin/cttyhack and /etc/inittab contains

Code:

ttyS1::sysinit:/etc/rcS
ttyS1::respawn:-/bin/sh
::restart:/sbin/init
::ctrlaltdel:/bin/umount -a -r

Ok, so I tried this in SSH:

Code:

mount --bind /dtv/usb/sda1/ /etc/Scripts/CIP

And this in exlink:

Code:

# 8282119
Check usb module insmod status
usb modules exist
Check usb mount status
Usb re-mount for write speed
umount: cannot umount /dtv/usb/sda1: Device or resource busy
umount /dtv/usb/sda1
mount: mounting /dev/sda1 on /dtv/usb/sda1 failed
mount -t vfat /dev/sda1 /dtv/usb/sda1
====================================
      [ DEBUG MENU ]
------------------------------------
 1. Copy log to USB
 2. Copy corefile to USB
====================================
 99. Exit
====================================
select > 1
log dump to /dtv/usb/sda1/logdump.txt start
131072 bytes dump completed
No emeg_log.txt file
cat /proc/kmsg > /dtv/usb/sda1/kmsg.txt &
sync
====================================
      [ DEBUG MENU ]
------------------------------------
 1. Copy log to USB
 2. Copy corefile to USB
====================================
 99. Exit
====================================
select > 2
No Coredump file
====================================
      [ DEBUG MENU ]
------------------------------------
 1. Copy log to USB
 2. Copy corefile to USB
====================================
 99. Exit
====================================
select > 99
# 123
boo
#

The script 8282119 was in /etc/Scripts/CIP, and 123 is one I placed into /dtv/usb/sda1/. So, the mount seems to work fine, but the console is still restricted.

Ok, I found cttyhack. And I tried executing:

Code:

/usr/bin/cttyhack /bin/sh

in the ssh session as well as in the exlink session, but neither made the console unrestricted.
By the way, the full path in the exlink session is

Code:

PATH='/usr/sbin:/usr/bin:/bin:/sbin:/etc/Scripts:/etc/Scripts/CIP'
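
Added example, not part of any post in this thread: the /etc/inittab edit from the first post applied to a copy of the file, refusing to touch a layout without the commented cttyhack line (the variant posted later), and then checking the hash question raised in the replies at file level. The function names, the sample `::sysinit` line and the use of SHA-256 are assumptions; the thread does not name the hash the firmware uses.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Works on a copy of
# /etc/inittab from an unpacked rootfs, not on a running TV.
ON='::respawn:/bin/cttyhack /bin/sh'     # line to activate (full shell)
OFF='::respawn:/bin/cttyhack -/bin/sh'   # line to comment out

# Constructed sample with the "before" layout quoted in the first post.
make_sample() {
    printf '%s\n' '::sysinit:/etc/rcS' "#$ON" "$OFF" > "$1"
}

# Move the '#' from the first respawn line to the second.
# Returns 0 if changed, 1 if already enabled, 2 if the commented
# cttyhack line is absent; cases 1 and 2 leave the file untouched.
enable_full_console() {
    f=$1
    grep -q "^$ON" "$f" && return 1
    grep -q "^#$ON" "$f" || return 2
    sed -e "s|^#\($ON\)|\1|" -e "s|^\($OFF\)|#\1|" "$f" > "$f.new" &&
        mv "$f.new" "$f"
}

# True when both files have the same byte count but different SHA-256
# digests (SHA-256 is an assumption; the thread does not name the hash).
same_size_new_digest() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] &&
        [ "$(sha256sum < "$1")" != "$(sha256sum < "$2")" ]
}

# Demo on a temporary copy.
tmp=$(mktemp -d)
make_sample "$tmp/inittab" && cp "$tmp/inittab" "$tmp/inittab.orig"
enable_full_console "$tmp/inittab"
same_size_new_digest "$tmp/inittab.orig" "$tmp/inittab" &&
    echo "same size, different digest"
rm -rf "$tmp"
```

This covers only the file itself; the hash of the repacked squashfs image differs further for the timestamp and compression reasons given in the reply above.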
