LExxB650 T2P CI+ hacking

This forum is for information related to B series hardware rather than firmware/software.

Re: LExxB650 T2P CI+ hacking

Postby robbiesz » Wed Nov 25, 2009 9:30 pm

1198282 works on a non-CI+ TV as well (mine, LExxB650)... the first 1198282 enables the debug console (same as "debug" on CI)...

the second 1198282 activates the debug menu you were presented...

what terminal do you use? Does it send the CTRL-C to the TV? if you kill the exeDSP process in telnet, do you get a prompt on the serial terminal?

robbiesz

PS: this is getting a lot more interesting than I'd hoped :-)
robbiesz
 
Posts: 29
Joined: Mon Oct 12, 2009 10:46 pm
Location: London, UK

Re: LExxB650 T2P CI+ hacking

Postby robbiesz » Wed Nov 25, 2009 9:37 pm

other codes that I found in exeDSP...
1198282 - Debug Menu
1194444
8158282
81588
81599
81501
81590
30101

robbiesz

Edit: forgot to mention that you need to press ENTER after these
robbiesz
 
Posts: 29
Joined: Mon Oct 12, 2009 10:46 pm
Location: London, UK

Re: LExxB650 T2P CI+ hacking

Postby dynamic1969 » Wed Nov 25, 2009 10:17 pm

Hi robbiesz,
these are great findings you have discovered there ... this is getting more and more exciting.

Hi jeroenvoc,
jeroenvoc wrote:I got a LE46B650T2PXXN; looks like a CI+ device to me....

I can use the Telnet enabler (https://sourceforge.net/projects/samygo ... z/download), dump it on an USB-stick, and do the magic.

It just executes the program without any serious warning in the logs....

Only downside is that it's not persistent; after a reboot you will have to start it again.

I also have a cable in place; I got a lot of info on the serial, but no input seems to work. So no escape route...

Jeroen

Provided that you have telnet access, you should also be able to:
1) dump mtd_exe image from the appropriate device
2) modify the appropriate rc.local script in the image you dumped
3) write back the image using the manual flashing method shown here

Regards
dynamic
dynamic1969
SamyGO Admin
 
Posts: 62
Joined: Sun Oct 04, 2009 12:35 am

Re: LExxB650 T2P CI+ hacking

Postby jeroenvoc » Wed Nov 25, 2009 10:48 pm

Ok, tried them all...

1198282 - Debug Menu
1194444 - reboot... nothing special seems to happen
8158282 - key debug menu; see attached .log
81588 - key record start ??
81599 - key record exit ??
81501 - play key scenario !!!! Do not try this at home !!!! see .log
A keyscenario plays, and does all weird things to your TV... channel up / down, volume up to max / down etc.
I rebooted the TV; it just goes further....
I unplugged it for 15 minutes; scenario seems to pick up, and goes further.... (is this written somewhere??)
Only way out is:
81590 - stop key scenario
30101 - halsubsystemtest menu; see log.


@dynamic
I'll dump the mtd_exe and put it on the internet. I'll look into modifying the rc.local in it...

Jeroen
Attachments
Archive.zip
(32.02 KiB) Downloaded 81 times
jeroenvoc
 
Posts: 16
Joined: Tue Nov 24, 2009 10:09 am

Re: LExxB650 T2P CI+ hacking

Postby jeroenvoc » Wed Nov 25, 2009 11:47 pm

Here I am again. Tried several things...

* when I switch off the watchdog (service menu) and remotely kill exeDSP, the service console gives me a # prompt. No console input seems to get a reaction... still no local shell, so flashing seems a wild move...

* I made a dump from the mtd_exe. You can find it here: http://217.148.84.117/ext/exe.img.orig
I followed the step here: https://sourceforge.net/apps/mediawiki/ ... _and_CRC32)
but when I want to mount the partition again, troubles arise... /dev/tbml8 doesn't exist...

Please advise how to modify the exe.img.orig; the first thing I really need is a remote shell...

Jeroen
jeroenvoc
 
Posts: 16
Joined: Tue Nov 24, 2009 10:09 am

Re: LExxB650 T2P CI+ hacking

Postby jeroenvoc » Thu Nov 26, 2009 12:36 am

I hacked the exe.img, and added ;/etc/telnetd_start.sh& to the rc.local
Flashed it back and when starting exeDSP, the TV reboots...
When rebooting, the terminal-log says:

[SSPF] [Fastboot.cpp] ResetBoard, m_semReset.Give
EERId : Nvram[358] vs File[359]
*********EERId is different !!!!!!!! saved[358] new[359]

The telnet daemon doesn't run, and when I inspect /mtd_exe/rc.local the insert I made is gone...

So somewhere the contents of the Nvram are checked against a file. What's next?
jeroenvoc
 
Posts: 16
Joined: Tue Nov 24, 2009 10:09 am

Re: LExxB650 T2P CI+ hacking

Postby aquadran » Thu Nov 26, 2009 11:35 am

shagui wrote:
jeroenvoc wrote:I did try that; no luck...
The console doesn't seem to respond on any input whatsoever.

I got the telnet-enabler V1 working, so I got telnet access.


First of all, sorry if I understood wrong, but is it possible to access a B650 with a T-CHUCIPDEUC (CI+) firmware via telnet?? I thought it wasn't possible at this moment due to the encryption! :shock:


The firmware may be encrypted, but it seems running unsigned apps is not protected after all, just like on non-CI+.
aquadran
SamyGO Moderator
 
Posts: 263
Joined: Fri Oct 16, 2009 9:35 pm
Location: Poland

Re: LExxB650 T2P CI+ hacking

Postby robbiesz » Thu Nov 26, 2009 11:26 pm

jeroenvoc wrote:I hacked the exe.img, and added ;/etc/telnetd_start.sh& to the rc.local
Flashed it back and when starting exeDSP, the TV reboots...
When rebooting, the terminal-log says:

[SSPF] [Fastboot.cpp] ResetBoard, m_semReset.Give
EERId : Nvram[358] vs File[359]
*********EERId is different !!!!!!!! saved[358] new[359]

The telnet daemon doesn't run, and when I inspect /mtd_exe/rc.local the insert I made is gone...


There are two copies of the filesystem containing exeDSP and the like on the flash, in case the first one gets corrupted. Maybe your TV has switched partitions... You can check that by running 'mount' or 'cat /proc/mounts'. Which bml device is mounted for /mtd_exe?

robbiesz
robbiesz
 
Posts: 29
Joined: Mon Oct 12, 2009 10:46 pm
Location: London, UK

Re: LExxB650 T2P CI+ hacking

Postby dynamic1969 » Fri Nov 27, 2009 12:42 am

Hi jeroenvoc,
first things first: I am assuming that your device is still up and running, right (as you were able to check mtd_exe/rc.local again)?

It'd be interesting to understand if and what error/warning messages you may have received while flashing the image back... do you happen to have the logs from your flashing activities?

As robbiesz has correctly explained, the TV has a backup image, which it uses in certain cases.
It basically sets the "PARTITION_FLAG" to use the backup image (tbml10) in case the productive image (tbml8) is identified as corrupt/unusable during the boot process. That would however mean that your modified image is still in your flash and possibly still accessible...
It should at least be possible to do a "bml.dump /dev/bml0/8 > /mtd_wiselink/dump" to see if the contents are corrupt and whether your modifications are still there.

Regards
dynamic
dynamic1969
SamyGO Admin
 
Posts: 62
Joined: Sun Oct 04, 2009 12:35 am
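The two checks suggested in the posts above (robbiesz: see which bml device is mounted at /mtd_exe; dynamic1969: dump the partition and look for the modification) as an added shell example. This is not code from the thread or from SamyGO; the device roles (tbml8 active, tbml10 backup) are taken from the posts, while the sample /proc/mounts lines and the sample dump are constructed for the example, and the filesystem types in them are placeholders, not a claim about the real TV.

```bash
#!/bin/sh
# Added example for this thread, not code from SamyGO or any poster.
# Two checks to run after a flashed rc.local change "disappears":
#  (1) which tbml device currently backs /mtd_exe (active image on tbml8,
#      backup on tbml10, as stated in the thread), and
#  (2) whether a raw dump of the partition still contains the inserted line.
# Assumptions: /proc/mounts has the usual six-field layout; the sample mounts
# file and sample dump below are constructed for this example (their
# filesystem types are placeholders, not facts about the TV).

# mount_device MOUNTS_FILE MOUNTPOINT
# Print the device mounted at MOUNTPOINT according to MOUNTS_FILE
# (normally /proc/mounts). Prints nothing if the path is not mounted.
mount_device() {
    awk -v mp="$2" '$2 == mp { print $1; exit }' "$1"
}

# partition_role DEVICE
# Map the device backing /mtd_exe to its role from dynamic1969's description.
partition_role() {
    case "$1" in
        */tbml8)  echo active ;;
        */tbml10) echo backup ;;
        *)        echo unknown ;;
    esac
}

# dump_has_marker DUMP_FILE STRING
# Exit 0 if the raw dump contains STRING (fixed-string, binary-safe search),
# 1 otherwise. Point it at the output of
# "bml.dump /dev/bml0/8 > /mtd_wiselink/dump" to see whether an edit is
# still in flash even though the running /mtd_exe no longer shows it.
dump_has_marker() {
    grep -aqF -- "$2" "$1"
}

# write_sample_mounts FILE
# Constructed /proc/mounts content for a TV that has fallen back to tbml10.
write_sample_mounts() {
    cat > "$1" <<'EOF'
rootfs / rootfs rw 0 0
/dev/tbml10 /mtd_exe squashfs ro 0 0
/dev/tbml12 /mtd_wiselink vfat rw 0 0
EOF
}

# write_sample_dump FILE
# Constructed stand-in for a partition dump: binary junk around a copy of
# rc.local that still carries the telnetd line from the thread.
write_sample_dump() {
    printf '\000\001junk\000rc.local\n#!/bin/sh\n;/etc/telnetd_start.sh&\n\000' > "$1"
}

# Run both checks against the constructed samples.
main() {
    mounts="$(mktemp)"; dump="$(mktemp)"
    write_sample_mounts "$mounts"; write_sample_dump "$dump"
    dev="$(mount_device "$mounts" /mtd_exe)"
    echo "/mtd_exe is on $dev ($(partition_role "$dev") image)"
    if dump_has_marker "$dump" '/etc/telnetd_start.sh'; then
        echo "dump still contains the telnetd line"
    else
        echo "dump does not contain the telnetd line"
    fi
    rm -f "$mounts" "$dump"
}
main "$@"
```

On the TV itself, replace the sample files with `/proc/mounts` and the real bml.dump output; if /mtd_exe reports the backup device, the edit was never applied to the running image, which is exactly the symptom described above.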

Re: LExxB650 T2P CI+ hacking

Postby erdem_ua » Fri Nov 27, 2009 1:39 am

How could we decipher the exe.img encryption on a PC?
If we find the technique and the correct keys, then we can build modifications on the computer and have a plug-and-flash option for a safe process.

@Jeroen could you get images of all bml devices and compress them with 7z?
The resulting file is nearly ~200-250 MB, but a full image is better in some cases.

Is there anyone here who understands cryptology?
erdem_ua
SamyGO Admin
 
Posts: 2957
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
