SamyGO

[juzis]

If you flashed your TV with the very latest firmware from samsung (T-CHL5DEUC-2010.1_Step2), here was no chance to roll back to older firmware because of:
1. TV has no Content library to run FFB
2. Alternative firmware menu is hidden - no chance to activate it.
3. Latest firmware deletes u-boot (it is not functional on those models) - no u-boot access at all.
4. Latest firmware changes kernel to block access to TOP debug menu over ExLink cable.

So all known ways to roll-back firmware are disabled if you flashed the latest firmware.
Thanks gao_atc from forum.ixbt.com, who ported hack for C550 to B550 and other T-CHL5DEUC models.
******************************************************************************************************************************

Important: method is tested and works IF you have upgraded your TV and you know, that here exist alternative firmware on it (T-CHL5DEUC-2009_Step1). If you bought TV and/or you are not sure if here is step1 firmware on TV - you get 100% bricked TV in this way!

If you have T-CHL5DEUC-2009_Step1 as the latest firmware (active), but you didn`t flashed the very latest, you can skip step1 in this How-To.

Step 1 - Activate alternative firmware to rollback from T-CHL5DEUC-2010.1_Step2
Download prepared files

Files you need are in /T-CHL5DEUC-2008.0-v.24-auto-arfix2-net/Step-1 directory:
You need only one USB prepared from one of these archives - choose method you prefer.

• T-CHL5DEUC-СhannelImport.tar.gz - archive of ext3 partition with required symlinks to unpack to ext3 formated USB, under linux (ubuntu or other) as root.
• T-CHL5DEUC-СhannelImport.rar - Image of USB with symlinks on it to activate Alternative Firmware by importing Channel settings. It was made with Acronis True Image Home 2009 - this program you can use under windows to make USB disk. After you restore image, you find one whole ext3 partition on it (not visible under Windows!)

Important. You can use second USB (from T-CHL5DEUC-СhannelImport.rar) only once, because after using TV function «Сhannel Import/Export» symlinks are deleted and restored original files. So if you want hack another TV, you need make new USB disk from files in Step-1 directory.

1.1. TV is OFF. Attach prepared USB to it and power on TV
1.2. Activate «Сhannel Import/Export» menu.
1.3. Select «USB to TV» and press Enter twice.
1.4. After you get «Completed successfully...» press exit. If you press Enter here, TV reboots, its ok, go to 1.5.
1.5. Go to Firmware upgrade menu and activate alternative firmware. TV reboots in to alternative, T-CHL5DEUC-2009_Step1 firmware. Do not worry, in Firmware upgrade menu isn`t any alternative firmware again. It is normal.

Step 2 - Restore partitions on TV for correct TOP Debug Menu (TDM) and u-boot access over ex-link.
Make this step just after you successfully finished Step-1. If not - you do not have success and TV won`t accept firmware below.

Files you need are in /T-CHL5DEUC-2008.0-v.24-auto-arfix2-net/Step-2

• T-CHL5DEUC_2010.1_Step2-Set.rar Images you require to restore on TV. Here is the latest kernel from aris69 with network support (09/12/2010, u-boot.bin and onw.bin image. Basis of this upgrade USB is Step2.exe original firmware.
• T-CHL5DEUC_2010.1_Step2.exe Original latest samsung`s firmare

TV is ON
2.1. Extract to fat32 formated USB original firmware (T-CHL5DEUC_2010.1_Step2.exe) and attach USB to TV, choose Upgrade Firmware
2.2. After TV finds firmware 2010.1 on it, decline it, pres cancel (it is very important)
2.3. Do not power off TV, remove USB, delete all content from this USB.
2.3.1. Extract T-CHL5DEUC_2010.1_Step2-Set.rar to the same USB.
2.3.2. Attach this USB to TV (here is T-CHL5DEUC on root of USB and few files)
2.4. Let TV find new 2010.1 firmware and confirm for upgrade. (press OK)

After TV flashes new firmware and reboots, You be able access u-boot and TOP debug menu over ExLink

Step 3 - Flash new firmware. Roll back from 2009_Step1 to T-CHL5DEUC-2008v24-auto-arfix2
Here is an pre-Februar firmware v.2008.0 patched with samygo patcher v.0.24 + ArFix_v2 is incorporated to exeDSP.
N.B. Firmware files in this step are unXORed, if you place xored firmware, you brick TV.

3.1. Get ExLink cable and set Watchdog off and rs232 Jack to debug as on Wiki.
3.2. Files you need are in /T-CHL5DEUC-2008.0-v.24-auto-arfix2-net/Step-3

• T-CHL5DEUC-2008v24-auto-arfix2-decod.rar - unxored T-CHL5DEUC-2008.0 patched firmware + ArFix2

3.3. Extract archive to fat32 USB and plug it to TV. Use ONLY dexored exe.img and appdata.img for this step. You can use your own firmware (original or not)too
3.4. Connect ExLink and estabilish connection to TV`s console over TOP debug menu. (here is telnet client - putty in archive.)
3.4.1. Parameters to set in terminal:

Code: Select all

Speed: 115200
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

3.4.2. Enter commands:

Code: Select all

debug
1198282

Next enter

Code: Select all

Ctrl+c

on keyboard. Terminal drops to shell console, after # you able enter your commands. TV does not respond to RC.
3.4.3. Next:

Code: Select all

cd /mtd_boot

Code: Select all

sh +x usb

TV starts to upgrade from USB and reboots.
After reboot you get active firmware -2008 and 2009 as alternative.

It is strongly recommended to upgrade prefebruar firmware once again to delete 2009_step1 from alternative firmware partition (to avoid accidental activation...)
In archive is very early firmware T-CHL5DEUC-1008, you can flash it and activate 2008 patched firmware from menu again
Method tested on UExxB6000.

[erdem_ua]

It's really good guide. Why don't you put this in wiki directly? It's easier in that way.

[juzis]

I do, just waiting for positive responses

[mladen82]

I have situation with 2010 firmware on LE40B551.
I will try this procedure and will post results.
Thanks.

[juzis]

Ok, we are waiting for results. If you do not get Step1 well, you can`t proceed other steps...

[mladen82]

Sorry for my not so good english, but i am not sure with option alternative update, when i tried last night was greyed out.
First firmware was 2008, then step1 2010 and then 2010 step2
Anyway i will try at home again with this procedure.

[mladen82]

Although i am repair technician this procedure i must confess looks little complex for me .
I see i must make Ex-link cable, i need time for that and i must read this carefuly several times to understand, so i need some free time
I dont want to screw up things, new main board isn't cheap
After New Year probably i will give chance to try.

Every honor to guy who hack all these things, he is probably good programer and engineer!

[bago75]

Hi all, here I am with a UE46B6000 (CI) and a 2009.0 firmware (no u-boot) to be hacked.

I succesfully completed the Step 2 and now I have working uboot.

Now I can succesfully obtain serial access using "debug" then "1198282" (once) and "enter". I then enter menu numbers 11 : TD Debug -> 0x04 but 0x04 does nothing and the same menu appears again. So I go with the other solution "CTRL-C" and then "/mtd_boot/MicomCtrl 23"

Code: Select all

# /mtd_boot/MicomCtrl 23
# killall -9 exeDSP
killall: exeDSP: no process killed
# umount /mtd_exe
# bml.dump
-sh: bml.dump: not found


Then before proceeding I wanted to take some backup. As it seems I don't have an /mtd_swu folder and bml.dump does not exists I dump stuff to USB using dd:

Code: Select all

# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/tbml6                3520      3520         0 100% /
none                     10240         8     10232   0% /dtv
/dev/tbml7                 832       832         0 100% /mtd_boot
none                     10240         0     10240   0% /mtd_ram
/dev/stl0/12             12804      1692     11112  13% /mtd_rwarea
/dev/stl0/9              16128     16128         0 100% /mtd_appdata
/dev/stl0/13             28052      2836     25216  10% /mtd_contents
/dev/sda1              2000352     30752   1969600   2% /dtv/usb/sda1


Code: Select all

# dd if=/dev/bml0/2 of=/dtv/usb/sda1/2
1024+0 records in
1024+0 records out
# dd if=/dev/bml0/4 of=/dtv/usb/sda1/4
256+0 records in
256+0 records out
# dd if=/dev/bml0/5 of=/dtv/usb/sda1/5
6144+0 records in
6144+0 records out
# dd if=/dev/bml0/6 of=/dtv/usb/sda1/6
8192+0 records in
8192+0 records out
# dd if=/dev/bml0/7 of=/dtv/usb/sda1/7
4096+0 records in
4096+0 records out
# dd if=/dev/bml0/8 of=/dtv/usb/sda1/8
34560+0 records in
34560+0 records out

Now before proceeding with Step3 I was trying to better understand what I was doing.

First of all I don't understand if Step3 will give me a network enabled kernel or not and I also don't understand why in Step3 there is no "test of the new kernel" before flashing: I hardly understand why http://sourceforge.net/apps/phpbb/samyg ... ?f=2&t=956 is so much different from Step3.

As you wrote this guide as a step by step I guess that I need to do Step3 and that the other guide (network enabled kernel) for some reason is not applicable, but i'd like to understand things better before proceeding "blindly". Do I have to do Step3 from this guide and THEN the procedure in the other guide to obtain the network enabled kernel?

Also the other guide refers to SamyGo Extensions but I can't find the download for T-CHL5DEUC so probably it's not applicable at all to my TV, but I admit I don't understand what's going on in all of this hacks (I'm an experienced linux user and a programmer but I don't know low level stuff related to firmwares and kernels for embedded devices)

Thank you for your great work!

[juzis]

1. You still have 2009 firmware that restricts access to console (exact by dissabling 04 input), it is known and you are right by dropping to console by Ctrl+c. After you flash 2008 firmware, you get to console w/o probl.

2. -sh: bml.dump: not found error you get probably because of missing bml.dump in your TV. You can use cat or as you made it - dd.

3. You don't have an /mtd_swu folder, you do not need it. I successfully make dumps directly to usb w/o copying it to memory almost one year and have no problems.

4. Step3 will give you a network enabled kernel

5. http://sourceforge.net/apps/phpbb/samyg ... ?f=2&t=956 is so much different from Step3 because here are different manuals. Do not compare exact steps. But of course you can use both methods and make as you think is better to make (at your own risk)

6. To have network enabled kernel it is enought to make steps from ONLY this manual.

7. why in Step3 there is no "test of the new kernel" before flashing - ok, you can do this step from other manual, probably i will add it here too.


One more thing in compare with merv07 manual: if you flash firmware in step3, you do not need to edit boot.img (or dump of bml7) to have samygo.sh working.
This How-To is dedicated to users who had/have no chance roll-back firmware because of upgrade 2010_step2 firmware. So you can choose what instruction do you use.

[bago75]

OK, thank you for your patience

Then I will proceed by decompressing T-CHL5DEUC-2008v24-auto-arfix2-decod.rar to the USB and try to run STEP2 from the other guide http://sourceforge.net/apps/mediawiki/s ... es_Devices and this should test the alternative firmware before flashing it.

I will try this later and report back!