mkey dump tool available

[Denny]

the function check_hash does very interesting stuff with the cryptoengine, too:

probutus, nothing strange there
look:

Code: Select all

....
RAM:6701A4D8                 STR     R3, [R2,#0x454]
RAM:6701A4DC                 MOV     R1, #0x2B
RAM:6701A4E0                 STR     R3, [R2,#0x458]
RAM:6701A4E4                 STR     R3, [R2,#0x45C]
RAM:6701A4E8                 STR     R3, [R2,#0x460]
....

reg 444 - 450 key , 16 byte
reg 454 - 460 IV , 16 byte

code should be like :

Code: Select all

lldSe_WriteReg(0x440 + 4 , UINT32_BE( key ) );
lldSe_WriteReg(0x440 + 8 , UINT32_BE( key+4 ) );
lldSe_WriteReg(0x440 + 12, UINT32_BE( key+8 ) );
lldSe_WriteReg(0x450     , UINT32_BE( key+12 ) );
	
lldSe_WriteReg(0x450 + 4 , UINT32_BE( iv ) );
lldSe_WriteReg(0x450 + 8 , UINT32_BE( iv+4 ) );
lldSe_WriteReg(0x450 + 12, UINT32_BE( iv+8 ) );
lldSe_WriteReg(0x460     , UINT32_BE( iv+12 ) );

and :

Code: Select all

RAM:6701A1B4                 ORR     R0, R9, R3      ; r0 = 0x80 | 0x10 =0x90
RAM:6701A1B8                 STR     R0, [R1,#0x430]

0x80 value = Custom Key, Decrypt -->0x80 & 1 = 0 --> AES_128_ECB
0x90 value = Custom Key , Encrypt -->0x90 & 1 = 0 --> AES_128_ECB



now clear ?

all tested and work ^..^

Denny

[mirsev]

the mkey dump tool should work on the BD-Player, too

Surprise? Look here: http://forum.samygo.tv/viewtopic.php?f= ... =10#p15424 :

I have compiled it and run on my Samsung BD-C6900 blu-ray player

By the way, there is a new firmware 1020.4 for BD-C6900 on Samsung site. I did not yet flashed it, just decrypted on the PC and now studying it. Quick note: bootloader, kernel and rootfs are the same as in 1019.0. What is changed: mtd_exe, mtd_appdata and something which is called loader (looks like firmware for BR/DVD/CD drive but I'm not sure).

[mirsev]

u-boot is at /dev/bml/2 but I don't know how to access it during boot from the serial port. Press-and-hold '~' key does just stops the system completely.

The Part Nr.5 seems to be the disc drive firmware but I'm not sure. Probably the part which can be executed directly is the flash utility for the disc drive.

Just in case, I have posted an updated version of the tool for BD-C6900 firmware decryption here:

http://forum.samygo.tv/viewtopic.php?f= ... 193#p16193

[mirsev]

probutus, BSP-C6900WWB-1019.0_02 is indeed kernel image. It is flashed into /dev/bml0/{5 or 7}. The numbering of the files after firmware decryption has nothing to do with the number of the flash partition. Please, take a look at the updated version of decryption utility: there are some comments about this.

Regarding, part No.5: disc drive may also have ARM CPU inside, so there is nothing strange that it has ARM code. If it were a testing utility it would be installed in the main Linux filesystem. So, I believe this is an utility and code to flash the disc drive controller. It is run only once at firmware upgrade.

I also use squashfs tools, so unshquash is the only way to inspect the filesystem content. But this is not a big problem for me.

When I have time and non-busy connection, I will build an archive with my dumps and upload it somewhere. May be tomorrow.

[sbav1]

Another thing: the ex-link serial port is on /dev/ttyS2.... I wonder where ttyS1 and ttyS3 physically are.

AFAIK, traditionally (B-series, C-Series):

Chelsea/Valencia ttyS0 <- (micom interface) - > MICOM <- ("UART" mode: RS232 remote TV control/hotel TV) -> MX0
Chelsea/Valencia ttyS1 <- ("Debug" mode: serial console) -> MX1
Chelsea/Valencia ttyS2 <- (autowall, Samsung motorized wall mount) -> MX2
Logic board ("Logic" mode: optional, PDPs only) LVDS TX/RX <-> MX3

MX0-MX3 <-> analog multiplexer (74HC4052D or similar, controlled by MICOM and/or mainboard switch) <-> external RS232 interface

Looks like Genua chipset is equipped with one extra UART.. I dunno, perhaps it is:
- not connected (like one of extra I2C buses in some Valencia boards)?
- needed for interfacing with encoder chip of some kind (D-Series "TwinView")?
- used for direct chipset <-> logic board connection in D-series PDP models (or T-con/FRC board in LCD/LED models)?