SamyGO

[mrmiau]

That's great news! I already ordered my serial cable. Thx a lot!

[maxkostuk]

It really drops me to a shell, but I vant input any letters... Only numbers will work. For example i get:

Code: Select all
# 1
sh: 1: not found

I think, we could try to name our patching or investigating executable with digital characters only (for example: "123").

[langerhans]

Sorry, but no good news from me. I couldnt manage to get a character input. I found many ways to get a console but everything I can Input are numbers -.-
Disabling the watchdog didnt't help. And sence we are default in a directory on TV's memory we can't name something different.
That's really bad...

I had a look at the sources but I couldn't find anything...
I found a way to send Micom signals but I guess that won't get us any further...

Edit: Since I can kill Micom from debug menu I think I can read the remote signals. Sice this produces a subsystem error. I will try this tomorrw

[maxkostuk]

I don’t know, is it really something useful, but I found following in the dump of exeDSP (Version T-CHL5CIPDEUC 2005.2) at the offset 013EDA40:

Code: Select all

1198282 1194444 8158282 81588   81599   81501   81590   30101

The first number is our well known access code to the debug menu.
May be one of another numbers could be an access code with another access rights???
Unfortunally I can try it first late in the evening.

[langerhans]

I don’t know, is it really something useful, but I found following in the dump of exeDSP (Version T-CHL5CIPDEUC 2005.2) at the offset 013EDA40:

Code: Select all

1198282 1194444 8158282 81588   81599   81501   81590   30101

The first number is our well known access code to the debug menu.
May be one of another numbers could be an access code with another access rights???
Unfortunally I can try it first late in the evening.

See this post: viewtopic.php?p=833#p833
Hmm, this is really tricky, I think the character Handling is done directly in the kernel or even direct on the chip by setting a special flag. That would make it nearly impossible to get access without knowing the RSA secret -.-

[erdem_ua]

Nope, I thing character handling done in MicomCtrl program. We need to compare CI+ MicomCtrl and CI MicomCtrl.

[cowenchicken]

nope, it's in the kernel...

namely the CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER option
look at what's going on in n_tty.c (around lines 87 and 770)

cheers

[erdem_ua]

Hi cowen, I can't see you here for a long time.

[langerhans]

Ok, got some news!
Played a bit again if I can get Micom commands, like I mentioned before but it didnt work.
After that I found an interesting Option in debug menu. It's called 'DirectSWUpgrade'. After selecting it the TV will search for USB for 30 seconds... Maybe it will flash everything it gets from there.
Wish me luck when I try this

Another option is called '[5 : TV_OPTION_BOOT_PARAM'. I can read it and it says

Code: Select all

Select Option : : 5
Success...Read Value = 0

Dont know if this is worth to have a look at...

Edit: Hmm, SamyGo FW Patcher won't patch my Firmware T-CHL5CIPDEUC:

Code: Select all

SamyGO Firmware Patcher v0.16 (c) 2010 Erdem U. Altinyurt

                   -=BIG FAT WARNING!=-
            You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
         project home: http://SamyGO.sourceforge.net

AES Encrytped CI+ firmware detected.
Decrypting with AES...
secret key :  A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f
5-611c4f8d4a71
Decrypting AES...

Decrypting with XOR key :  T-CHL5CIPDEUC
Crypto package found, using fast XOR engine.

Calculated CRC : 0xE0839866
CRC Validation passed
It's not safe to change exeDSP at CI+ devices now.
Skipped Video AR Fix.

Applying Telnet Patch...
Searching %99
Oops!: "#Remove engine logging." string not found on image.
Probably this firmware is already patched or firmware is encrypted with SSL
Telnet Patch not applied.

No Change applied, Aborting...


Edit2: Sure it wont patch it since there is no Network on my TV... Have to find a way to modify FW without changing anything

[erdem_ua]

Firmware Patcher is not compatible with CHL5CIPDEUC, it can be patched manually but you can't flash that modified FW because of RSA check.