Current state of the BD F6500

Samsung's BluRay player related hacks.
Post Reply

Posts: 1
Joined: Fri Aug 07, 2015 6:27 pm

Current state of the BD F6500

Post by drogbart »

Hi all,

yesterday, I have found a BD F6500 lying around and decided to start hacking it.
I found the UART interface and was able to connect via my buspirate and enter the Top Debug Menu.
I found a shell in there, but I guess it's pretty useless, since I can only enter numbers and I have JTAG access to the main Cortex M0 and the device controller, etc.

During this journey and the accompanied google searches, I encountered this forum quite often. After looking around, I have seen a lot reverse engineering and exploitation work has been already done with these devices. However, with all the different models and locations to look for (wiki pages and 20-pages-long threads) some things aren't clear to me, that I'd like to discuss:
  • For Samsung TV's I've found an exploit on this forum, that looks like it's hijacking the library of skype to elevate its privileges. This one seems to be available without having to donate.
  • In the smart hub of my BD F6500, I couldn't find the skype app (I guess, because it doesn't have a microphone/camera) and I didn't find a quick way to install skype manually. Also, I could not login as "develop":"" (the TV was hanging forever with the connection message in the top right corner). Is this expected behaviour? So I guess, there is another exploit that does not depend on skype being installed and that is what you have to donate for, right?
  • How does one disable OTN/get in the service menu on the F6500? There is no mute or menu key and the instruction at ... Setup_Menu >> Debug Console enabled devices didn't seem to work as well. (last modified on 8 December 2012, at 15:43.)
  • Are the encryption keys for the downloadable firmware leaked or are there full firmware dumps available to sift through?

    Code: Select all

    binwalk ./image/ 
    150           0x96            OpenSSL encryption, salted, salt: 0x-47CD44FA16867C2B
    1486          0x5CE           OpenSSL encryption, salted, salt: 0x-56CFBD10-3D5804ED
    82737061      0x4EE77A5       MySQL ISAM compressed data file Version 9
    112699437     0x6B7A82D       MySQL MISAM compressed data file Version 9
    166292940     0x9E96DCC       MySQL ISAM compressed data file Version 5
    236992246     0xE2036F6       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    236993142     0xE203A76       OpenSSL encryption, salted, salt: 0x7F15D1F64FE0134C
    242756766     0xE782C9E       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    242757662     0xE78301E       OpenSSL encryption, salted, salt: 0x1151D60031BB74F2
    246323654     0xEAE99C6       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    246324550     0xEAE9D46       OpenSSL encryption, salted, salt: 0x-2DC6A2A1-4C3EB62E
    246849134     0xEB69E6E       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    246850030     0xEB6A1EE       OpenSSL encryption, salted, salt: 0x5535FC4E26751367
  • I guess, the TOCTTOU ( ... inal28.pdf) bug has long been fixed, right?
So in general, I want to know about the state of different aspects of F6500-hacking, so I don't repeat old work. Are there still some pieces missing, that I could work on? (I have quite some experience in reversing/exploitation and also embedded security)
Could someone explain the BD-Exploit or even provide it? (I would rather like to help with my knowledge than my money and don't have a PayPal-account)


Official SamyGO Developer
Posts: 5928
Joined: Wed May 04, 2011 5:10 pm

Re: Current state of the BD F6500

Post by sectroyer »

We need to fix the mount point of samyext4.img since /mnt is used for DVD/Bluray playback :)
I do NOT support "latest fw" at ALL. If you have one you should block updates on router and wait for it to STOP being "latest":)
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!

Post Reply

Return to “BluRay Players”