Page 5 of 5

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Sun Jan 30, 2011 11:20 am
by majonezz
I don't know if this is still needed, but maybe someone is interested in getting all characters via exlink in some exotic CI+ devices. My device is a B679 with patched 1008 firmware.
I have shell access already via telnet, but I need full access to the exlink console as well, because there are some functions like "0xFF = exit" where you must use letters for the desired action. Maybe someone has done it before, but I can't find it anywhere.
@sg75 Why don't you use

Code: Select all

/* Seven ARM instructions of the filter loop, as little-endian bytes:
 * ldr r3,[r2,r1]; add r2,r2,#4; cmp r3,r4; beq +16; cmp r2,#0x34; beq far; b -24 */
unsigned char searchstr[28] =
{ 0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
  0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0xF8, 0xFF, 0xFF, 0xEA };
/* Identical except for the last word: the closing back-branch (b -24, 0xEAFFFFF8)
 * becomes 0x00000000 (andeq r0,r0,r0, which changes nothing), so the loop body
 * runs only once instead of walking the whole table. */
unsigned char replacestr[28] =
{ 0x01, 0x30, 0x92, 0xE7, 0x04, 0x20, 0x82, 0xE2, 0x04, 0x00, 0x53, 0xE1, 0x02, 0x00,
  0x00, 0x0A, 0x34, 0x00, 0x52, 0xE3, 0x2E, 0x03, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00 };
in your application?
When I used your original code, I was able to type only "0". But when I changed it as in the quoted code, I can type letters as well.
Maybe we can patch the firmware like this, so no special application will be needed?

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Wed Feb 02, 2011 4:50 pm
by erdem_ua
Yes, we need an application to do this automatically. It's not in exeDSP memory but in the kernel. I know how to change memory in a process but have no experience doing this in kernel space.
How could we detect that pattern in kernel memory?
Could anyone make this into an application? :)

I think this approach could also fix the C series ExLink connection.

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Wed Feb 02, 2011 9:04 pm
by majonezz
This one worked for me (at B679).

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Thu Feb 03, 2011 10:51 am
by smartsmurf
erdem_ua wrote: How could we detect that pattern in kernel memory?
Could anyone make this into an application? :)

I think this approach could also fix the C series ExLink connection.
Some time ago I wrote an extension to samdrv.ko, which is basically a loadable kernel module.

To call existing functions I get addresses using /proc/kallsyms

Code: Select all

#include <linux/kernel.h>
#include <linux/kallsyms.h>

/* Resolve a kernel symbol by name and store its address in *ptr.
 * Returns 1 on success, 0 (after logging an error) if the symbol is unknown. */
static int assign_ksym( const char * symbol, void ** ptr )
{
	unsigned long addr;

	addr = kallsyms_lookup_name( symbol );
	printk("kallsyms_lookup_name('%s') returned 0x%lX\n", symbol, addr );
	*ptr = (void *)addr;
	if( *ptr )
		return 1;

	printk(KERN_ERR " Unable to import '%s'\n", symbol );
	return 0;
} 

...
if( !assign_ksym("kerSys_PHY2VIR", (void *)&samdrv.kerSys_PHY2VIR) )
	return -1; 
...
If it is possible to load a module, I would suggest the following approach:

(1) Get the address of "n_tty_receive_buf". This kernel export is available due to the tty_ldisc driver structure.
(2) From that point move backwards in memory until the search pattern is found.
(3) Patch memory. At this stage no mprotect is needed; a kernel module already has R/W permission in kernel space. ;-)
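
An added example of steps (1)-(3) combined with majonezz's search string, written for this page and not taken from the thread or from any SamyGO module: it is a userspace C simulation that builds a buffer from the words sg75 dumped at 0x60166598, walks backwards from an anchor offset (a stand-in for the kallsyms address of n_tty_receive_buf; the assumption, as in the plan above, is that the loop sits below that address), matches the first six words byte for byte, decodes the seventh and only overwrites it if it is the unconditional `b` back to the loop head. The buffer, the anchor, the function names and the instruction decoding in the comments are mine; a real module would run the same search/verify/write logic over kernel text instead of a local array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* majonezz's 28-byte search string: seven little-endian ARM words of the
 * ExLink character-filter loop. The mnemonics are my decoding of the bytes. */
static const uint8_t filter_loop[28] = {
    0x01, 0x30, 0x92, 0xE7,  /* ldr r3, [r2, r1]  next entry of the character table */
    0x04, 0x20, 0x82, 0xE2,  /* add r2, r2, #4    advance table index                */
    0x04, 0x00, 0x53, 0xE1,  /* cmp r3, r4        entry == received character?       */
    0x02, 0x00, 0x00, 0x0A,  /* beq +16           match: leave the loop              */
    0x34, 0x00, 0x52, 0xE3,  /* cmp r2, #0x34     all 13 entries tried?              */
    0x2E, 0x03, 0x00, 0x0A,  /* beq far           no match: reject the byte          */
    0xF8, 0xFF, 0xFF, 0xEA   /* b   -24           back to the ldr (the loop)         */
};
#define LOOP_HEAD_LEN 24      /* bytes compared literally; word 7 is decoded instead */
#define NOP_WORD 0x00000000u  /* andeq r0, r0, r0: changes nothing; replaces the b  */

/* Explicit little-endian access: the dump lists 32-bit words, but in memory
 * (and in searchstr) each word sits byte-reversed. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode an ARM B/BL found at address `at`: bits 27..25 are 101 and imm24 is
 * a signed word offset from PC + 8. Returns 1 and sets *target for a branch. */
static int arm_branch_target(uint32_t at, uint32_t word, uint32_t *target)
{
    if (((word >> 25) & 0x7u) != 0x5u)
        return 0;
    int32_t imm24 = (int32_t)(word << 8) >> 8;   /* sign-extend 24 bits */
    *target = at + 8u + (uint32_t)imm24 * 4u;
    return 1;
}

/* Step (2): scan backwards one word per step, from offset `start` down to 0,
 * for `patlen` bytes of `pat`. Returns the match offset or -1. */
static long find_pattern_backward(const uint8_t *buf, size_t start,
                                  const uint8_t *pat, size_t patlen)
{
    for (size_t off = start & ~(size_t)3; ; off -= 4) {
        if (memcmp(buf + off, pat, patlen) == 0)
            return (long)off;
        if (off < 4)
            return -1;
    }
}

/* Step (3): find the loop below `anchor` (offset standing in for the
 * n_tty_receive_buf address) and patch it. Words 1-6 must match byte for byte;
 * word 7 must decode to an unconditional `b` back to word 1, else nothing is
 * written. Returns the patched offset, -1 if absent, -2 if word 7 is not the
 * expected back-branch (for instance because memory was already patched). */
static long patch_filter_loop(uint8_t *buf, size_t anchor, uint32_t base)
{
    if (anchor < sizeof filter_loop)
        return -1;
    long off = find_pattern_backward(buf, anchor - sizeof filter_loop,
                                     filter_loop, LOOP_HEAD_LEN);
    if (off < 0)
        return -1;
    size_t bw = (size_t)off + LOOP_HEAD_LEN;
    uint32_t word = rd32le(buf + bw), target;
    if (!arm_branch_target(base + (uint32_t)bw, word, &target)
        || (word >> 28) != 0xEu            /* condition must be AL */
        || (word & (1u << 24))             /* and it must not be BL */
        || target != base + (uint32_t)off)
        return -2;
    wr32le(buf + bw, NOP_WORD);
    return (long)bw;
}

/* Constructed sample memory: the 16 words sg75 dumped from 0x60166598,
 * stored little-endian. Returns the buffer length (64 bytes). */
#define SAMPLE_BASE 0x60166598u
static size_t build_sample(uint8_t *buf)
{
    static const uint32_t words[16] = {
        0xebfb620c, 0xea000336,
        0xe59f1dfc, 0xe3a02000, 0xe7923001, 0xe2822004,
        0xe1530004, 0x0a000002, 0xe3520034, 0x0a00032e,
        0xeafffff8, 0xe5d63180, 0xe3130004, 0x1a0002c6,
        0xe5d630c4, 0xe2033005
    };
    for (size_t i = 0; i < 16; i++)
        wr32le(buf + 4 * i, words[i]);
    return 64;
}

int main(void)
{
    uint8_t mem[64];
    size_t len = build_sample(mem);
    long at = patch_filter_loop(mem, len, SAMPLE_BASE);
    if (at < 0) { printf("not patched (%ld)\n", at); return 1; }
    printf("patched word at 0x%08x, now 0x%08x\n",
           SAMPLE_BASE + (unsigned)at, (unsigned)rd32le(mem + at));
    return 0;
}
```

On the sample buffer the match lands at offset 16 (0x601665a8) and the word at offset 40 (0x601665c0, the `eafffff8` in the dump) is zeroed, which is the word majonezz's replacestr changes. Running it a second time over the same buffer returns -2: the six-word head is still there but the branch is gone, which is the signal you want before writing into live kernel text.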

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Tue Oct 11, 2011 4:11 pm
by dasilverpaladin
sg75 wrote: You're right :) I forgot to think about endianness :roll:

Code: Select all

========== DEBUG MAIN ============
0 : Register & Physical Memory Read
1 : Register & Physical Memory Write
2 : Register Repeat
[...]
Select> 0
physical address: 0x60166598
input is 0x60166598
number:16

[60166598]: ebfb620c ea000336 
[601665a0]: e59f1dfc e3a02000 e7923001 e2822004 
[601665b0]: e1530004  a000002 e3520034  a00032e 
[601665c0]: eafffff8 e5d63180 e3130004 1a0002c6 
[601665d0]: e5d630c4 e2033005 
So the byte to patch is at 0x601665c0. Quoting a famous cartoon character: "D'Oh!" :roll:
I'm not familiar with ARM opcodes, but I see a few other possibilities:
1.) initialize check=1
2.) make a local jmp early on to "if (tty->raw) {"
3.) prevent the "if( !check ) return;" instruction

Any hints?

Kind regards,
sg75
As part of my unbricking I came across this problem and solved it, kinda.

I edited all 11 entries from offset 0x60166598 on:

Code: Select all

Select> 1
physical address: 0x060166598
input is 0x60166598
number:11
This way I was able to get a full console with the filter disabled on my B650 CI+.

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Sat Dec 10, 2011 2:15 pm
by LLStarks
Hi, I'm trying to adapt the memory patching approach for the MIPS D-series, since n_tty.c is present with the filtering loop and my TV has a read/write register function.

I'm a bit confused about what the search patterns represent, which file they are present in, and what exactly is changed.

I have my TV's kernel compiled, if it's of any help.