Modifying /mtd_exe of active partition


Post by hedak » Thu Feb 27, 2014 10:12 pm

Hi again,

Today I'd like to share how to modify exe.img within /mtd_exe of the active partition (2nd i.e.) without the need for any PC tools except an ssh/telnet client.

Be warned that I tested this on my C7700 (T-VALDEUC 3011.0) only.
I highly recommend having the other partition (1st i.e.) working beforehand as a fallback solution! (although not needed)
Do not turn off the TV between flashing exe.img and the hash partition!


Requirements:
already hacked/rooted tv
access to tv's filesystem via ssh/telnet (i.e. putty as client)
usb memory or working ftp connection to pc
getmkey, download here: http://wiki.samygo.tv/index.php5/Hashes (precompiled contained in chkhash-0.2.zip)
chkhash, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54217
optional: chkhash for windows, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54306


Some theory:
As for some other partitions, /mtd_exe's hash is checked by a process called 'authuld' against a hash stored in another partition. Modifying /mtd_exe's content implies correcting its hash. Not doing so in one tv session will cause tv shutdown by authuld after about 45 seconds.
/mtd_exe contains exe.img. As exe.img is smaller than /mtd_exe the bytes behind exe.img are typically set to 0xFF during flashing. Within exe.img there are also some unused bytes (in this case set to zero). In my case about 500kB.


Here we go :)

0) Preparation
copy getmkey to /mtd_rwarea/getmkey
copy chkhash to /mtd_rwarea/chkhash

Code:

cd /mtd_rwarea/
./getmkey

It will give something like this:

Code:

# ./getmkey
opening /dev/mem ok!
No key was supplied from a command line.
Using mackey from /dev/tfsr11
Input key = 66d77c3a497f53e2515ef14c21d6a4d8
After waiting 2 loops
mkey = 6f6bc7e1fc7f86bf9c150a82f343e2e0

Remember that mkey!

1) Run two commands

Code:

df
cat /mtd_exe/partition.txt

They will give something like this:

Code:

# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/tbml8                3456      3456         0 100% /
none                     10240      1668      8572  16% /dtv
none                     10240         0     10240   0% /dsm
none                    235556         0    235556   0% /core
none                     10240         0     10240   0% /tmp
/dev/stl0/14             25478      6616     18862  26% /mtd_rwarea
/dev/stl0/19             51072     51072         0 100% /mtd_rocommon
/dev/stl0/17             91080     87336      3744  96% /mtd_exe
/dev/stl0/18             40832     40832         0 100% /mtd_appdata
/dev/stl0/13             10942      1339      9603  12% /mtd_contents
/dev/stl0/20            102368     47600     54768  46% /mtd_swu
/dev/stl0/21            401712    212520    189192  53% /mtd_rwcommon
/dev/sdb               1974784     38692   1936092   2% /dtv/usb/sdb
/dev/sda1               503892    171316    332576  34% /dtv/usb/sda1
/dev/stl0/14             25478      6616     18862  26% /etc/passwd
/dev/stl0/14             25478      6616     18862  26% /etc/profile
/dev/sdc                   482         0       482   0% /dtv/usb/sdc

Code:

# cat /mtd_exe/partition.txt
partitionID     flash_device_name       flash_device_size       flash_image_name        flash_device_type       flash_upgrade_type      flash_partition_map flash_mount_path default_block_size      flash_format_option     flash_mount_option
0       /dev/bml0/1     262144  onboot.bin      DEVICE  OTHER   BOOTLOADER0     NONE    262144  NONE    NONE
1       /dev/bml0/2     262144  u-boot.bin      BML     OTHER   BOOTLOADER1     NONE    262144  NONE    NONE
2       /dev/bml0/3     262144  uboot_env.bin   BML     OTHER   BOOTLOADER2     NONE    262144  NONE    NONE
3       /dev/bml0/4     262144  fnw.bin BML     OTHER   BOOTLOADER3     NONE    262144  NONE    NONE
4       /dev/bml0/5     4194304 Image   BML     USER    KERNEL0 NONE    262144  NONE    NONE
5       /dev/bml0/6     3670016 rootfs.img      BML     USER    RFS0    NONE    262144  NONE    NONE
6       /dev/bml0/7     4194304 Image   BML     USER    KERNEL1 NONE    262144  NONE    NONE
7       /dev/bml0/8     3670016 rootfs.img      BML     USER    RFS1    NONE    262144  NONE    NONE
8       /dev/bml0/9     262144  NONE    BML     OTHER   SECUREMAC0      NONE    262144  NONE    NONE
9       /dev/bml0/10    262144  NONE    BML     OTHER   SECUREMAC1      NONE    262144  NONE    NONE
10      /dev/bml0/11    262144  key.bin BML     OTHER   SECUREMAC2      NONE    262144  NONE    NONE
11      /dev/bml0/12    262144  NONE    BML     OTHER   NONE    NONE    262144  NONE    NONE
12      /dev/stl0/13    11272192        NONE    STL     OTHER   NONE    /mtd_contents   4096    ERASE:,STL:-r_7,FAT:-S_1024_-s_1        -t_rfs_-o_codepage=utf8
13      /dev/stl0/14    26214400        NONE    STL     OTHER   NONE    /mtd_rwarea     4096    ERASE:,STL:-r_7,FAT:-S_1024_-s_1        -t_rfs_-o_codepage=utf8
14      /dev/stl0/15    93323264        exe.img STL     USER    EXE0    /mtd_exe        4096    ERASE:,STL:-r_2 NONE
15      /dev/stl0/16    58195968        appdata.img     STL     USER    APP_DATA0       /mtd_appdata    4096    ERASE:,STL:-r_2 NONE
16      /dev/stl0/17    93323264        exe.img STL     USER    EXE1    /mtd_exe        4096    ERASE:,STL:-r_2 NONE
17      /dev/stl0/18    58195968        appdata.img     STL     USER    APP_DATA1       /mtd_appdata    4096    ERASE:,STL:-r_2 NONE
18      /dev/stl0/19    52953088        rocommon.img    STL     OTHER   CONTENT0        /mtd_rocommon   4096    ERASE:,STL:-r_2 NONE
19      /dev/stl0/20    104857600       NONE    STL     OTHER   NONE    /mtd_swu        4096    ERASE:,STL:-r_16,FAT:-S_4096_-s_4       -t_rfs
20      /dev/stl0/21    411566080       NONE    STL     OTHER   NONE    /mtd_rwcommon   4096    FAT:-S_4096_-s_1        -t_rfs_-o_codepage=utf8

2) Figure out the active exe.img (/mtd_exe) partition and its related hash partition
Reading the output of partition.txt you can see that there are two exe.img named 'EXE0' and 'EXE1' and their corresponding 'SECUREMAC0' and 'SECUREMAC1'.
The active exe.img is shown in df's output (i.e. /dev/stl0/17, named 'EXE1'). So the corresponding hash partition is named 'SECUREMAC1' belonging to /dev/bml0/10.

3) Now figure out a partition with space to store the image of exe.img
In df's output you can see that the size of the /mtd_exe partition (i.e. /dev/stl0/17) is 91080 1k blocks. Potential storage partitions are /mtd_rwarea and /mtd_rwcommon. As you can see /mtd_rwcommon has 189192 1k blocks available, which is double the /mtd_exe size. So we will go on with /mtd_rwcommon.

4) Backup exe.img's hash partition

Code:

cat /dev/bml0/10>/mtd_rwcommon/bml10.dmp

To be safe you should NOW copy /mtd_rwcommon/bml10.dmp to pc via usb memory or ssh/telnet

5) Get exe.img size within /mtd_exe

Code:

./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp

Argument with value '0' may depend on the tv model! Open spoiler and check that before!
'-p' means print hashes
'0' no offset within given file
'4' print first 4 hashes found in given file

It will give something like this:

Code:

# ./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
hash[ 0] = d5a3d3f345838c49700cceb71fd1078d   length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200   length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6   length =  3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571   length =  3665940

Reading our wikis you will find that FOR MY TV hash[0] is the hash of the exe.img
Its size i.e. is 89485312 bytes

6) Backup current exe.img
For just backing up the whole partition you can run: cat /dev/stl0/17>/mtd_rwcommon/stl17.dmp
But in preparation for later use dump exe.img out of the partition only. Therefore use 'dd' which is able to copy a given amount of bytes. This byte count is given as a number of blocks. Define that one block is 2048 bytes (2KiB) given as '2K'. I.e. 89485312 bytes equals 43694 2K blocks:

Code:

dd if=/dev/stl0/17 bs=2K count=43694 of=/mtd_rwcommon/exe.img.dmp

To be safe you should NOW copy /mtd_rwcommon/exe.img.dmp to pc via usb memory or ssh/telnet

7) Check the correct function of chkhash by calculating the hash for /mtd_rwcommon/exe.img.dmp

Code:

./chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp

'-h' means calculate hash
'0' is the count of bytes from the beginning of the file to calculate the hash of, '0' means over the whole file
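
Added example, not part of the original post: a small script that derives the values read off by hand in steps 2 and 6 (active exe.img device, its SECUREMAC device, and the dd block count), so a mistyped partition or count is caught before anything is dumped or flashed. It assumes a POSIX shell with awk (for instance on the PC, with the two listings pasted in); the function names are hypothetical and the sample listings are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post). Sample listings are constructed
# from the df and partition.txt output quoted in the post, reduced to the rows used.
DF_OUT='/dev/stl0/14 25478 6616 18862 26% /mtd_rwarea
/dev/stl0/17 91080 87336 3744 96% /mtd_exe
/dev/stl0/21 401712 212520 189192 53% /mtd_rwcommon'

PARTITION_TXT='8 /dev/bml0/9 262144 NONE BML OTHER SECUREMAC0 NONE 262144 NONE NONE
9 /dev/bml0/10 262144 NONE BML OTHER SECUREMAC1 NONE 262144 NONE NONE
14 /dev/stl0/15 93323264 exe.img STL USER EXE0 /mtd_exe 4096 ERASE:,STL:-r_2 NONE
16 /dev/stl0/17 93323264 exe.img STL USER EXE1 /mtd_exe 4096 ERASE:,STL:-r_2 NONE'

# Step 2a: device that df reports as mounted on /mtd_exe (the active exe.img).
active_exe_dev() {
    printf '%s\n' "$1" | awk '$6 == "/mtd_exe" { print $1; exit }'
}

# Step 2b: find the EXEn name of that device in partition.txt (column 7),
# then return the device of the SECUREMACn row with the same index.
securemac_dev() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        { devof[$7] = $2 }
        $2 == dev && $7 ~ /^EXE[0-9]+$/ { want = "SECUREMAC" substr($7, 4) }
        END { if (want != "" && (want in devof)) print devof[want]; else exit 1 }'
}

# Step 6: dd count for bs=2K. Fails if the hash length is not a whole number
# of 2048-byte blocks or is larger than the partition, since the dump would
# then not match the hashed region.
dd_blocks() {
    len=$1; part_size=$2
    [ "$len" -gt 0 ] && [ "$len" -le "$part_size" ] || return 1
    [ $((len % 2048)) -eq 0 ] || return 1
    echo $((len / 2048))
}

dev=$(active_exe_dev "$DF_OUT")
mac=$(securemac_dev "$dev" "$PARTITION_TXT")
blocks=$(dd_blocks 89485312 93323264)
echo "active exe.img: $dev  hash partition: $mac  dd bs=2K count=$blocks"
```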