Access Linux Shell of TV on CI+ without "Game Menu"

Here is information about customizing your B series firmware. This forum is NOT FOR USER questions or problems but DEVELOPER.
majonezz
SamyGO Project Donor
Posts: 63
Joined: Sat Feb 06, 2010 10:44 am
Location: Wroclaw, Poland

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by majonezz » Sun Jan 30, 2011 11:20 am

I don't know if this is still needed, but maybe someone is interested in getting all characters via ExLink in some exotic CI+ devices. My device is B679 with patched 1008 f-ware.
I have shell access already via telnet, but I need full access to the ExLink console as well, because there are some functions like "0xFF = exit" where you must use letters for the desired action. Maybe someone has done it before, but I can't find it anywhere.
@sg75 Why don't you use

Code:

unsigned char searchstr[28] =
{ 0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
  0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0xF8, 0xFF, 0xFF, 0xEA };
unsigned char replacestr[28] =
{ 0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
  0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00 };
in your application?
When I used your original code, I was able to type only "0". But when I changed it like in the quoted code, I can type letters as well.
Maybe we can patch the firmware like this, so no special application will be needed?

erdem_ua
SamyGO Admin
Posts: 3092
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by erdem_ua » Wed Feb 02, 2011 4:50 pm

Yes, we need an application to do this automatically. It's not in exeDSP memory but in the kernel. I know how to change memory in a process but have no experience doing this in kernel space.
How could we detect that pattern in kernel memory?
Could anyone make this an application? :)

I think this approach could also cure the C series ExLink connection well.

majonezz
SamyGO Project Donor
Posts: 63
Joined: Sat Feb 06, 2010 10:44 am
Location: Wroclaw, Poland

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by majonezz » Wed Feb 02, 2011 9:04 pm

This one worked for me (at B679).

smartsmurf
Official SamyGO Developer
Posts: 111
Joined: Thu Jun 24, 2010 8:26 am
Location: Frankfurt, Germany

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by smartsmurf » Thu Feb 03, 2011 10:51 am

erdem_ua wrote: How could we detect that pattern in kernel memory?
Could anyone make this an application? :)

I think this approach could also cure the C series ExLink connection well.
Some time ago I did write an extension to samdrv.ko which basically is a loadable kernel module.

To call existing functions I get addresses using /proc/kallsyms.

Code:

#include <linux/kernel.h>    /* printk, KERN_ERR */
#include <linux/kallsyms.h>  /* kallsyms_lookup_name */

/* Resolve a kernel symbol by name and store its address in *ptr.
 * Returns 1 on success, 0 if the symbol is not exported/known. */
static int assign_ksym( const char * symbol, void ** ptr )
{
	unsigned long addr;

	addr = kallsyms_lookup_name( symbol );
	printk("kallsyms_lookup_name('%s') returned 0x%lX\n", symbol, addr );
	*ptr = (void *)addr;
	if( *ptr )
		return 1;

	printk(KERN_ERR " Unable to import '%s'\n", symbol );
	return 0;
}

...
if( !assign_ksym("kerSys_PHY2VIR", (void *)&samdrv.kerSys_PHY2VIR) )
	return -1;
...
When it is possible to load a module I would suggest the following approach:

(1) Get the address of "n_tty_receive_buf". This kernel export is available due to the tty_ldisc driver structure.
(2) From that point move backwards in memory until the search pattern is found.
(3) Patch memory. At this stage no mprotect is needed. Kernel module already has R/W permission in kernel space. ;-)

dasilverpaladin
Official SamyGO Developer
Posts: 119
Joined: Sat Oct 31, 2009 1:04 am

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by dasilverpaladin » Tue Oct 11, 2011 4:11 pm

sg75 wrote: You're right :) I forgot to think about endianness :roll:

Code:

========== DEBUG MAIN ============
0 : Register & Physical Memory Read
1 : Register & Physical Memory Write
2 : Register Repeat
[...]
Select> 0
physical address: 0x60166598
input is 0x60166598
number:16

[60166598]: ebfb620c ea000336 
[601665a0]: e59f1dfc e3a02000 e7923001 e2822004 
[601665b0]: e1530004  a000002 e3520034  a00032e 
[601665c0]: eafffff8 e5d63180 e3130004 1a0002c6 
[601665d0]: e5d630c4 e2033005 
So the byte to patch is at 0x601665c0. Quoting a famous cartoon character: "D'Oh!". :roll:
I'm not familiar with ARM opcodes, but I see a few other possibilities:
1.) initialize check=1
2.) make a local jmp early on to "if (tty->raw) {"
3.) prevent the "if( !check ) return;" instruction

Any hints?

Kind regards,
sg75
As part of my unbricking I came across this problem and solved it, kinda.

I edited all 11 entries from offset 0x60166598 on:

Code:

Select> 1
physical address: 0x060166598
input is 0x60166598
number:11
This way I was able to get a full console with the filter disabled on my B650 CI+.
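Because the thread's pattern (majonezz's searchstr) and sg75's debug-menu dump describe the same memory in two different forms, here is an added example, written for this edit and not code from the thread or from SamyGO, that reconciles them: it parses the quoted dump back into bytes, locates the 28-byte pattern, and decodes the last word of the pattern as an ARM branch. The dump text below is a constructed copy of sg75's post, and the script assumes (as sg75's endianness remark implies) that each printed word is a little-endian 32-bit ARM instruction; the helper names are this example's own.

```python
import re
import struct

# Constructed copy of the debug-menu dump quoted in sg75's post. The TV's
# debug menu prints 32-bit words without leading zeros (e.g. " a000002").
DUMP = """\
[60166598]: ebfb620c ea000336
[601665a0]: e59f1dfc e3a02000 e7923001 e2822004
[601665b0]: e1530004  a000002 e3520034  a00032e
[601665c0]: eafffff8 e5d63180 e3130004 1a0002c6
[601665d0]: e5d630c4 e2033005
"""

# majonezz's 28-byte search and replace patterns, as posted in the thread.
SEARCHSTR = bytes([
    0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
    0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0xF8, 0xFF, 0xFF, 0xEA,
])
REPLACESTR = bytes([
    0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
    0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00,
])

LINE_RE = re.compile(r"^\[([0-9a-fA-F]+)\]:\s*(.*)$")


def parse_dump(text):
    """Return (base_address, bytes) reconstructed from a debug-menu dump.

    Each printed word is a little-endian 32-bit value, so memory is rebuilt
    by packing every word with '<I'. Lines must be contiguous.
    """
    base, expected, out = None, None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("non-contiguous dump at 0x%08x" % addr)
        words = [int(w, 16) for w in m.group(2).split()]
        out += b"".join(struct.pack("<I", w) for w in words)
        expected = addr + 4 * len(words)
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(out)


def find_pattern(base, mem, pattern):
    """Physical address of the first occurrence of pattern, or None."""
    idx = mem.find(pattern)
    return None if idx < 0 else base + idx


def decode_branch(word, addr):
    """Target of an unconditional ARM 'B' instruction located at addr.

    Returns None if word is not 'B <label>' with the always condition.
    ARM reads PC as addr+8 and imm24 is a signed offset in words.
    """
    if (word >> 28) != 0xE or (word & 0x0F000000) != 0x0A000000:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:
        imm24 -= 0x01000000
    return addr + 8 + 4 * imm24


def changed_words(search, replace):
    """Word offsets (and old/new values) where the two patterns differ."""
    diffs = []
    for off in range(0, len(search), 4):
        old = struct.unpack_from("<I", search, off)[0]
        new = struct.unpack_from("<I", replace, off)[0]
        if old != new:
            diffs.append((off, old, new))
    return diffs


def analyse(text, search, replace):
    """Locate the pattern in the dump and explain the word it changes."""
    base, mem = parse_dump(text)
    hit = find_pattern(base, mem, search)
    if hit is None:
        return None
    off, old, new = changed_words(search, replace)[0]
    return {
        "pattern_at": hit,
        "patch_word_at": hit + off,
        "old_word": old,
        "new_word": new,
        "branch_target": decode_branch(old, hit + off),
    }


if __name__ == "__main__":
    r = analyse(DUMP, SEARCHSTR, REPLACESTR)
    print("pattern starts at   0x%08x" % r["pattern_at"])
    print("word to patch at    0x%08x (0x%08x -> 0x%08x)"
          % (r["patch_word_at"], r["old_word"], r["new_word"]))
    print("old word branches to 0x%08x" % r["branch_target"])
```

Running it reports the pattern starting at 0x601665a8 and the single differing word at 0x601665c0, the address sg75 arrived at by hand. Decoding that word (0xeafffff8) shows it is a backward branch to 0x601665a8, i.e. to the first word of the pattern, which is why the snippet reads as a loop; the replacement writes 0x00000000 there (ANDEQ r0, r0, r0, which does nothing useful), so execution simply falls through instead of looping.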

LLStarks
Posts: 58
Joined: Mon Nov 07, 2011 12:17 pm

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Post by LLStarks » Sat Dec 10, 2011 2:15 pm

Hi, I'm trying to adapt the memory patching approach for the MIPS D-series, since n_tty.c is present with the filtering loop and my TV has a read/write register function.

I'm a bit confused about what the search patterns represent, which file they are present in, and what exactly is changed.

I have my TV's kernel compiled, if it's of any help.
LN32D550K1FXZA (ROOTED)
T-MSV4AUSC-1001.2
T-MSV4AUSS-2001 (wtf is this?)
