Modifying /mtd_exe of active partition

Here is information about customize your C series firmware..:!:This forum is NOT FOR DUMMY USERS questions or problems but DEVELOPER.
Post Reply

hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Modifying /mtd_exe of active partition

Post by hedak »

Hi again,

today i'd like to share how to modify exe.img within /mtd_exe of the active partition (2nd i.e.) without the need of any pc tools except a ssh/telnet client.

Be warned that i tested this on my C7700 (T-VALDEUC 3011.0) only.
I highly recommend to have the other partition (1st i.e.) working before to have a fallback solution! (although not needed)
Do not turn off the tv between flashing exe.img and the hash partition!


Requirements:
already hacked/rooted tv
access to tv's filesystem via ssh/telnet (i.e. putty as client)
usb memory or working ftp connection to pc
getmkey, download here: http://wiki.samygo.tv/index.php5/Hashes (precompiled contained in chkhash-0.2.zip)
chkhash, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54217
optional: chkhash for windows, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54306


Some theory:
As for some other partitions /mtd_exe's hash is checked by a process called 'authuld' against a hash stored in another partition. Modifying /mtd_exe's content implys correcting its hash. Not doing so in one tv session will cause tv shutdown by authuld after about 45 seconds.
/mtd_exe contains exe.img. As exe.img is smaller than /mtd_exe the bytes behind exe.img are tyically set to 0xFF during flashing. Within exe.img there are also some unsed bytes (in this case set to zero). In my case about 500kB.


Here we go :)

0) Preparation
copy getmkey to /mtd_rwarea/getmkey
copy chkhash to /mtd_rwarea/chkhash

Code: Select all

cd to /mtd_rwarea/
./getmkey
It will give something like this:

Code: Select all

# ./getmkey
opening /dev/mem ok!
No key was supplied from a command line.
Using mackey from /dev/tfsr11
Input key = 66d77c3a497f53e2515ef14c21d6a4d8
After waiting 2 loops
mkey = 6f6bc7e1fc7f86bf9c150a82f343e2e0
Remember that mkey!

1) Run two commands

Code: Select all

df
cat /mtd_exe/partition.txt
They will give something like this:

Code: Select all

# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/tbml8                3456      3456         0 100% /
none                     10240      1668      8572  16% /dtv
none                     10240         0     10240   0% /dsm
none                    235556         0    235556   0% /core
none                     10240         0     10240   0% /tmp
/dev/stl0/14             25478      6616     18862  26% /mtd_rwarea
/dev/stl0/19             51072     51072         0 100% /mtd_rocommon
/dev/stl0/17             91080     87336      3744  96% /mtd_exe
/dev/stl0/18             40832     40832         0 100% /mtd_appdata
/dev/stl0/13             10942      1339      9603  12% /mtd_contents
/dev/stl0/20            102368     47600     54768  46% /mtd_swu
/dev/stl0/21            401712    212520    189192  53% /mtd_rwcommon
/dev/sdb               1974784     38692   1936092   2% /dtv/usb/sdb
/dev/sda1               503892    171316    332576  34% /dtv/usb/sda1
/dev/stl0/14             25478      6616     18862  26% /etc/passwd
/dev/stl0/14             25478      6616     18862  26% /etc/profile
/dev/sdc                   482         0       482   0% /dtv/usb/sdc

Code: Select all

# cat /mtd_exe/partition.txt
partitionID     flash_device_name       flash_device_size       flash_image_name        flash_device_type       flash_upgrade_type      flash_partition_map flash_mount_path default_block_size      flash_format_option     flash_mount_option
0       /dev/bml0/1     262144  onboot.bin      DEVICE  OTHER   BOOTLOADER0     NONE    262144  NONE    NONE
1       /dev/bml0/2     262144  u-boot.bin      BML     OTHER   BOOTLOADER1     NONE    262144  NONE    NONE
2       /dev/bml0/3     262144  uboot_env.bin   BML     OTHER   BOOTLOADER2     NONE    262144  NONE    NONE
3       /dev/bml0/4     262144  fnw.bin BML     OTHER   BOOTLOADER3     NONE    262144  NONE    NONE
4       /dev/bml0/5     4194304 Image   BML     USER    KERNEL0 NONE    262144  NONE    NONE
5       /dev/bml0/6     3670016 rootfs.img      BML     USER    RFS0    NONE    262144  NONE    NONE
6       /dev/bml0/7     4194304 Image   BML     USER    KERNEL1 NONE    262144  NONE    NONE
7       /dev/bml0/8     3670016 rootfs.img      BML     USER    RFS1    NONE    262144  NONE    NONE
8       /dev/bml0/9     262144  NONE    BML     OTHER   SECUREMAC0      NONE    262144  NONE    NONE
9       /dev/bml0/10    262144  NONE    BML     OTHER   SECUREMAC1      NONE    262144  NONE    NONE
10      /dev/bml0/11    262144  key.bin BML     OTHER   SECUREMAC2      NONE    262144  NONE    NONE
11      /dev/bml0/12    262144  NONE    BML     OTHER   NONE    NONE    262144  NONE    NONE
12      /dev/stl0/13    11272192        NONE    STL     OTHER   NONE    /mtd_contents   4096    ERASE:,STL:-r_7,FAT:-S_1024_-s_1        -t_rfs_-o_codepage=utf8
13      /dev/stl0/14    26214400        NONE    STL     OTHER   NONE    /mtd_rwarea     4096    ERASE:,STL:-r_7,FAT:-S_1024_-s_1        -t_rfs_-o_codepage=utf8
14      /dev/stl0/15    93323264        exe.img STL     USER    EXE0    /mtd_exe        4096    ERASE:,STL:-r_2 NONE
15      /dev/stl0/16    58195968        appdata.img     STL     USER    APP_DATA0       /mtd_appdata    4096    ERASE:,STL:-r_2 NONE
16      /dev/stl0/17    93323264        exe.img STL     USER    EXE1    /mtd_exe        4096    ERASE:,STL:-r_2 NONE
17      /dev/stl0/18    58195968        appdata.img     STL     USER    APP_DATA1       /mtd_appdata    4096    ERASE:,STL:-r_2 NONE
18      /dev/stl0/19    52953088        rocommon.img    STL     OTHER   CONTENT0        /mtd_rocommon   4096    ERASE:,STL:-r_2 NONE
19      /dev/stl0/20    104857600       NONE    STL     OTHER   NONE    /mtd_swu        4096    ERASE:,STL:-r_16,FAT:-S_4096_-s_4       -t_rfs
20      /dev/stl0/21    411566080       NONE    STL     OTHER   NONE    /mtd_rwcommon   4096    FAT:-S_4096_-s_1        -t_rfs_-o_codepage=utf8
2) Figure out the active exe.img (/mtd_exe) partition and its related hash partition
Reading the output of partition.txt you can see that there are two exe.img named 'EXE0' and 'EXE1' and its corresponding 'SECUREMAC0' and 'SECUREMAC1'.
The active exe.img is shown in df's output (i.e. /dev/stl0/17, named 'EXE1'). So the corresponding hash partition is named 'SECUREMAC1' belonging to /dev/bml0/10.

3) Now figure out a partition with space to store the image of exe.img
In df's output you can see that the size of /mtd_exe partition (i.e. /dev/stl0/17) is 91080 1k blocks. Potential storage partitions are /mtd_rwarea and /mtd_rwcommon. As you can see /mtd_rwcommon has 189192 1k blocks available, which is the double of /mtd_exe size. So we will go on with /mtd_rwcommon.

4) Backup exe.img's hash partition

Code: Select all

cat /dev/bml0/10>/mtd_rwcommon/bml10.dmp
To be safe you should NOW copy /mtd_rwcommon/bml10.dmp to pc via usb memory or ssh/telnet

5) Get exe.img size within /mtd_exe

Code: Select all

./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
Argument with value '0' may depend on the tv model! Open spoiler and check that before!
SpoilerShow
'-p' means print hashes
'0' no offset within given file
'4' print first 4 hashes found in given file
It will give something like this:

Code: Select all

# ./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
hash[ 0] = d5a3d3f345838c49700cceb71fd1078d   length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200   length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6   length =  3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571   length =  3665940
Reading our wikis you will find that FOR MY TV hash[0] is the hash of the exe.img
Its size i.e. is 89485312 bytes

6) Backup current exe.img
For just backuping the whole partition you can run:
SpoilerShow
cat /dev/stl0/17>/mtd_rwcommon/stl17.dmp
But in preparation for later use dump exe.img out of the partition only. Therefore use 'dd' which is able to copy a given amount of bytes. This byte count is given as a number of blocks. Define that one block is 2048 byte (2KiB) given as '2K'. I.e. 89485312 bytes eqauls 43694 2K blocks:

Code: Select all

dd if=/dev/stl0/17 bs=2K count=43694 of=/mtd_rwcommon/exe.img.dmp
To be safe you should NOW copy /mtd_rwcommon/exe.img.dmp to pc via usb memory or ssh/telnet

7) Check the correct function of chkhash by calculating the hash for /mtd_rwcommon/exe.img.dmp

Code: Select all

./chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp
SpoilerShow
'-h' means calculate hash
'0' is the count of bytes from the beginning of the file to calculate the hash of, '0' means over the whole file
It will give something like this:

Code: Select all

# ./chkhash -k 6f6bc7e1fc7f86bf9c150a82f343e2e0 -h 0 /mtd_rwcommon/exe.img.dmp
Hash: d5a3d3f345838c49700cceb71fd1078d, length = 89485312
It is very important that the returned hash AND the returned size EXACTLY match the values for your hash from 4)
If there's a mismatch STOP HERE and ask for help!


8) Mount the dumped image from 6)
first create a directory to mount the image to:

Code: Select all

mkdir /mtd_rwcommon/exe.img_mod
mount the image writable (do NOT use /bin/mount/ here):

Code: Select all

mount -w -o loop /mtd_rwcommon/exe.img.dmp /mtd_rwcommon/exe.img_mod/
The content of /mtd_rwcommon/exe.img_mod/ should now EXACTLY look like the content of /mtd_exe/

9) Change /mtd_rwcommon/exe.img_mod/
You can now change the content of /mtd_rwcommon/exe.img_mod/ with one restriction:

There's limited space to use. Exceeding the size seems to be prevent by the os:
# cp /mtd_rwcommon/exe.img_mod/Factory_Part2.dat /mtd_rwcommon/exe.img_mod/Factory_Part2.dat.cpy
# cp /mtd_rwcommon/exe.img_mod/Factory_Part2.dat /mtd_rwcommon/exe.img_mod/Factory_Part2.dat.cpy.cpy
cp: write error: No space left on device

(i did NOT try what happens if using the max size, i only changed rc.local here (just a few bytes))

10) Unmount /mtd_rwcommon/exe.img_mod/
Check where /mtd_rwcommon/exe.img_mod/ is mounted to (/bin/mount is used here as samygo's mount outputs nothing):

Code: Select all

/bin/mount
It will give something like this:

Code: Select all

# /bin/mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/sam type tmpfs (rw)
none on /dtv type tmpfs (rw)
none on /dsm type tmpfs (rw)
none on /core type tmpfs (rw)
none on /tmp type tmpfs (rw)
/dev/stl0/14 on /mtd_rwarea type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/19 on /mtd_rocommon type squashfs (ro)
/dev/stl0/17 on /mtd_exe type rfs (ro,codepage=cp949,vfat,fcache(blks)=128)
/dev/stl0/18 on /mtd_appdata type squashfs (ro)
/dev/stl0/13 on /mtd_contents type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/20 on /mtd_swu type rfs (rw,codepage=cp949,vfat,fcache(blks)=128)
/dev/stl0/21 on /mtd_rwcommon type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
none on /proc/bus/usb type usbfs (rw)
/dev/sdb on /dtv/usb/sdb type xfs (rw,nouuid,noquota)
/dev/sda1 on /dtv/usb/sda1 type vfat (rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)
/dev/stl0/14 on /etc/passwd type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/14 on /etc/profile type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/sdc on /dtv/usb/sdc type vfat (rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)
devpts on /dev/pts type devpts (rw)
/dev/loop0 on /mtd_rwcommon/exe.img_mod type vfat (rw,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii)
(The last line is our mount)

Try to unmount /mtd_rwcommon/exe.img_mod/

Code: Select all

# /bin/umount /mtd_rwcommon/exe.img_mod/
It will most probably fail with the following message:

Code: Select all

umount: cannot umount /mtd_rwcommon/exe.img_mod: Device or resource busy
If that failed try the lazy unmount:

Code: Select all

# /bin/umount -l /mtd_rwcommon/exe.img_mod/
Try '/bin/mount' until '/mtd_rwcommon/exe.img_mod' is not output anymore.

You now have a modified exe.img

To be safe you should NOW copy /mtd_rwcommon/exe.img.dmp to pc via usb memory or ssh/telnet

11) Calculate the hash of modified /mtd_rwcommon/exe.img.dmp

Code: Select all

./chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp
It will give something like this:

Code: Select all

# ./chkhash -k 6f6bc7e1fc7f86bf9c150a82f343e2e0 -h 0 /mtd_rwcommon/exe.img.dmp
Hash: fc3e52f512a6113042349bf3d7df1fd3, length = 89485312
If you modified something in 9) the HASH MUST HAVE CHANGED and the SIZE MUST HAVE REMAINED THE SAME

optional: use windows version of chkhash to calculate the hash of exe.img.dmp (must result in the same hash of course) on pc: chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp

12) Write hash of /mtd_rwcommon/exe.img.dmp in /mtd_rwcommon/bml10.dmp

Code: Select all

./chkhash -k <your mkey> -w 0 0 /mtd_rwcommon/bml10.dmp /mtd_rwcommon/exe.img.dmp
Both arguments with value '0' may depend on the tv model! Open spoiler and check that before!
SpoilerShow
'-w' means write calculated hash in given file
first '0' is the offset within the given hash file
second '0' is the hash index behind the offset within the given hash file
To be safe you should NOW copy /mtd_rwcommon/bml10.dmp to pc via usb memory or ssh/telnet

13) Check exe.img's hash in /mtd_rwcommon/bml10.dmp

Code: Select all

./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
It will give something like this:

Code: Select all

# ./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
hash[ 0] = fc3e52f512a6113042349bf3d7df1fd3   length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200   length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6   length =  3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571   length =  3665940
Continue only if the hash of exe.img in this output and the calculated hash in 11) MATCH EXACTLY. Otherwise stop here and ask for help!

ATTENTION: NOW you change the tv's filesystem and enter the RISKY way!

14) Write hash of /mtd_rwcommon/exe.img.dmp in /dev/bml0/10

Code: Select all

./chkhash -k <your mkey> -w 0 0 /dev/bml0/10 /mtd_rwcommon/exe.img.dmp
DO NOT TURN OFF THE TV FROM NOW ON until the end

15) Check exe.img's hash in /dev/bml0/10

Code: Select all

./chkhash -p 0 4 /dev/bml0/10
It will give something like this:

Code: Select all

# ./chkhash -p 0 4 /dev/bml0/10
hash[ 0] = fc3e52f512a6113042349bf3d7df1fd3   length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200   length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6   length =  3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571   length =  3665940
The output has to be EXACTLY THE SAME as in 13)

16) Flash the modified exe.img

Code: Select all

stl.restore /dev/stl0/17 /mtd_rwcommon/exe.img.dmp
DONT TOUCH THE TV IN ANY WAY NOW

It will give something like this:

Code: Select all

# stl.restore /dev/stl0/17 /mtd_rwcommon/exe.img.dmp
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
17) Flush all buffers:

Code: Select all

sync
sync
sync
18) You are ready to turn off the tv and restart it!
(@devs: calculating the hash of /dev/stl0/17 now gives a wrong hash, without any change the hash after reboot is as expected! Any ideas?)

Hope this helps someone! Any hints/suggestions/feedback is much appreciated :)

Edit: corrected some inelegance and added spoilers describing used chkhash arguments
Last edited by hedak on Fri Feb 28, 2014 7:19 pm, edited 2 times in total.
User avatar
greenhorn
SamyGO Project Donor
Posts: 701
Joined: Wed Feb 15, 2012 3:05 pm
Location: Eastern Europe

Re: Modifying /mtd_exe of active partition

Post by greenhorn »

Wow! This one is good...Thank you!
TV: UE40F7000 - T-FXPDEUC-1115.0 - SamyGO Extensions on F series
TV: UE55ES7000S - T-ECPDEUC-2003.4 - SamyGO tool Right from USB - no develop account is needed
TV: UE40C6710 - T-VALDEUC 3011 - Hacking TV over Hotel mode (C650 T-VALDEUC-3009.2)
BD-Player: BD-E6100 - B-FIRBPEWWC 1063.3 - rooted, no more Cin@vi@
NAS: CIFS: MAG250 NFS: Playon!HD
User avatar
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Modifying /mtd_exe of active partition

Post by juusso »

i especially like the part of writing hash on the fly :)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Re: Modifying /mtd_exe of active partition

Post by hedak »

THX guys :)
Stefan74Nrw
Posts: 20
Joined: Mon Jul 03, 2017 8:19 am

Re: Modifying /mtd_exe of active partition

Post by Stefan74Nrw »

I can´t find the getmkey .......can someone help please?

Post Reply

Return to “[C] Firmware”