WARNING!!! THIS MOD IS EXTREMELY DANGEROUS FOR YOUR TV! BEFORE DOING ANYTHING, PLEASE READ THE WHOLE TEXT CAREFULLY, THEN READ IT AGAIN! MAKE BACKUPS (IMPORTANT FILES AND PARTITION IMAGES) AND ENABLE RS232C DEBUG MODE BEFORE YOU START! ONLY FOR EXPERIENCED USERS!!! NOVICE USERS SHOULD READ OTHER SamyGO WIKI ARTICLES FIRST. THIS MOD HAS NOT BEEN FULLY TESTED! THIS TEXT MAY CONTAIN ERRORS! PLEASE READ WITH UNDERSTANDING. NO HURRY. YOU HAVE BEEN WARNED! You have been warned. Warned?
Edited by Moderator:
Do not use this HOW-TO from now on, it is too dangerous. You can brick your TV easily with this.
Search the forum for injectso or gdbtrick instead.
UPDATE: Follow the updated description on the Wiki page here:
http://wiki.samygo.tv/index.php?title=A ... %28B65x%29
THIS PROJECT IS DESIGNED FOR SAMSUNG LExxB65x T-CHL7DEUC MODELS WITH 2005.0 FIRMWARE.
What is a "game" plug-in?
A "game" plug-in is a dynamically loaded library file (*.so) that may be executed from the game menu of Content Library. Normally, such a plug-in comes together with a clmeta.dat XML file that points to the main library file to be started (loader.so, for example).
Why autostart?
Some plug-ins are intended to run in the background. Unfortunately, you have to enter Content Library to execute them. This is confusing in some situations. Autostart is useful for resident applications that wait for a specified signal to execute a piece of their code.
The problem is...
You cannot execute library files from a startup script. You cannot even run them from a telnet shell. These files are not executables. Even if you write an application that runs a library, the exeDSP functions (symbols) would be unknown. These functions are used in "game" plug-ins because they allow the programmer to access the hardware layer easily.
Then how to autostart my plug-in?
You have to load "game" plug-ins using exeDSP the way Content Library does. Content Library is started by the exeDSP application. The problem is that exeDSP is a closed-source binary and it is hard to modify its functions. So I decided to load "game" libraries using another, open-source library which is loaded by exeDSP. One such library is LIBUSB (libusb.so), normally loaded from the /mtd_drv/Comp_LIB directory.
We have to force exeDSP to load our custom libusb library instead of the original one.
That directory (with the original library file) is read-only, but this can be worked around by modifying the LD_LIBRARY_PATH variable.
Here is a graph explaining this method:

Steps
WARNING!!! YOU MAY BRICK YOUR TV!!! ENSURE YOU HAVE ENOUGH EXPERIENCE BEFORE CONTINUING!
ENABLE RS-232 DEBUG MODE AND ENSURE THAT EX-LINK CABLE WORKS WELL.
Ex-link cable is not necessary to make this mod but it is a must-have at the recovery phase.
You must have telnet access to your TV. Log in as root, then:
1) Create the directory tree on your TV:
mkdir /mtd_rwarea/SamyGO
mkdir /mtd_rwarea/SamyGO/exe
mkdir /mtd_rwarea/SamyGO/exe/lib
mkdir /mtd_rwarea/SamyGO/exe/conf
2) If it does not exist yet, create the /mtd_rwarea/SamyGO.sh script using your favourite text editor, for example:
Code:
#!/bin/sh
mount -t devpts devpts /dev/pts
telnetd
Code:
#!/bin/sh
cd /mtd_exe
export LD_LIBRARY_PATH="/mtd_rwarea/SamyGO/exe/lib:$LD_LIBRARY_PATH"
./exeDSP
Code:
chmod a+x /mtd_rwarea/SamyGO.sh
chmod a+x /mtd_rwarea/exeDSP.sh
6) After unpacking, you have to edit and recompile the usedSource_TV files using the SamyGO compilation toolchain.
a) Edit Makefile:
Find and replace the compiler tools:
Code:
CC = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-gcc
AR = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-ar
RANLIB = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-ranlib
Add this after the "#include <pthread.h>" line:
Code:
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>

#define SAMYGO_CONF_FNAME "/mtd_rwarea/SamyGO/exe/conf/libusb.conf" // configuration file location

int SamyGO_done = 0; // set once the plug-in list has been processed

void SamyGO_init()
{
    FILE *SamyGO_conf;
    char s[256];
    void *handle; // dlopen() returns a void pointer
    int (*Game_Main)(const char *, const char *);

    if (SamyGO_done) return; // run only once per process
    SamyGO_done = 1;

    SamyGO_conf = fopen(SAMYGO_CONF_FNAME, "r");
    if (SamyGO_conf)
    {
        int limit = 100; // max number of lines
        while ((fgets(s, sizeof(s), SamyGO_conf) != NULL) && (--limit > 0))
        {
            int ln = strlen(s);
            if (ln > 0)
            {
                int i;
                // cut the line at the first CR or LF
                for (i = 0; i < ln; i++)
                    if ((s[i] == 0x0D) || (s[i] == 0x0A)) { s[i] = 0; i = ln; }
                // skip comment lines ('#' or ';') and empty lines
                if ((s[0] != '#') && (s[0] != ';') && (s[0] != 0))
                {
                    if (strstr(s, ".so"))
                    {
                        if ((handle = dlopen(s, RTLD_NOW | RTLD_LOCAL | RTLD_NODELETE)) != NULL)
                        {
                            Game_Main = (int (*)(const char *, const char *))dlsym(handle, "Game_Main");
                            if (Game_Main)
                            {
                                // keep only the directory part (with trailing '/') as the first argument
                                int last_slash = 0;
                                ln = strlen(s);
                                for (i = 0; i < ln; i++) if (s[i] == '/') last_slash = i;
                                s[last_slash + 1] = 0;
                                (*Game_Main)(s, ""); // *** MODULE EXECUTION ***
                            }
                            dlclose(handle); // the library stays mapped because of RTLD_NODELETE
                        }
                    }
                }
            }
        }
        fclose(SamyGO_conf);
    }
}
Code:
SamyGO_init();
Code:
make
You will get a new "libusb.so" binary file that must be copied to the /mtd_rwarea/SamyGO/exe/lib directory.
7) Copy the plug-in files to your TV if they are not already installed. I prefer to copy them somewhere other than where the standard Games are placed.
For example, in "/mtd_rwarea/SamyGO/exe/any_subdirectory". Don't forget to check and/or set the right permissions for those files.
8) Create the text configuration file /mtd_rwarea/SamyGO/exe/conf/libusb.conf with a list of full path(s) to the plug-in files to be executed at the boot phase. For example:
Code:
# libusb configuration file
/mtd_rwarea/SamyGO/exe/remote/loader.so
Libraries are loaded one-by-one and Game_Main() functions are executed immediately at that stage.
Library files should end with ".so" extension.
Configuration file may be empty, too. In that case no additional plug-ins are loaded.
Nothing is going to happen when no configuration file is present.
WARNING: Badly-written plug-ins may hang your TV at this stage so be very careful.
WARNING: Don't add regular games to the libusb.conf list. This mod is not intended to load such applications.
9) Then we have to tell exeDSP to load our custom libusb instead of the original one. We do this by extending the library path chain using the export command. That's why we create the /mtd_rwarea/exeDSP.sh script, which executes exeDSP after that. This script must be executed instead of the original exeDSP process. But how?
The only way (as far as I know) is to modify the /mtd_exe/rc.local script and re-flash the TV. Do you remember the place where we run telnet or the SamyGO.sh script? In the same script, we must replace the exeDSP commands with an instruction that executes exeDSP.sh.
If you know how to patch the firmware, then make these changes in the decoded exe.img file:


As you can see, the rc.local file has been enlarged. This is possible because the exe.img partition is a FAT16 one with an 8KB cluster size. This means that the rc.local file can easily be enlarged up to 8KB. Now there are some extra instructions that check whether the custom exeDSP.sh script is available.
If the exeDSP.sh script does not exist, then the standard exeDSP binary image is executed immediately.
10) Then recalculate the CRC, re-encode, build the firmware file set and put it on the pendrive.
For T-CHL7DEUC 2005.0 firmware patched earlier with ARfix1, my validinfo file looks like this:
Code:
*007_exe.img_13ae8195*011_appdata.img_69153622
11) Check if you have /mtd_rwarea/exeDSP.sh script and check its "x" permissions with "ls -l /mtd_rwarea/exeDSP.sh" command.
12) Make channels backup, custom widget manager backup if necessary, or just make a full backup of the TV's flash memory.
13) Flash your new custom firmware! If your TV is not working now, don't blame me. It was your fault, not mine. I'm sorry.
WARNING! REMEMBER TO RE-ENABLE RS232C DEBUG MODE AFTER FLASHING!
Adding a new plug-in:
To add a new (tested!) plug-in, copy it to the TV, then add new path entry to the /mtd_rwarea/SamyGO/exe/conf/libusb.conf file.
Removing a plug-in:
Remove path entry from the /mtd_rwarea/SamyGO/exe/conf/libusb.conf file, restart your TV, then delete library file(s) of removed plug-in.
Problems and advice:
The biggest problem here is that your TV may be bricked when a badly written plug-in causes exeDSP to hang or exit abnormally. The watchdog then restarts the TV and a restart loop occurs. To repair this, use the ex-link cable, run telnet and delete the bad plug-ins (or edit your script/config).
BE CAREFUL! At the beginning, you may "hash" (comment out) the export command, so the internal libusb library will be loaded and no additional plug-ins will be executed.
There is no danger when exeDSP.sh is accidentally deleted. The new, enlarged /mtd_exe/rc.local script protects you from such a situation.
The configuration file path is hard-coded in the libusb.so library - see the source code above.
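The rules that step 8 gives for libusb.conf (comment lines, one full path per line, names ending in ".so") can be checked more strictly than the loader's strstr() test does. The following is an added example, not part of the original post or of the SamyGO sources; check_conf_line, PLUGIN_ROOT and the restriction to /mtd_rwarea/SamyGO/exe/ are assumptions made for illustration, and the sample lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Assumption for this example: plug-ins are accepted only below this directory. */
#define PLUGIN_ROOT "/mtd_rwarea/SamyGO/exe/"

enum entry_status { ENTRY_OK, ENTRY_SKIP, ENTRY_BAD_PATH, ENTRY_BAD_FILE };

/* Validate one libusb.conf line (hypothetical helper). On ENTRY_OK, path holds
 * the cleaned library path and dir its directory with a trailing slash, which
 * is what the loader passes to Game_Main(). Both buffers are buf_sz bytes;
 * check_file != 0 additionally inspects the file on disk. */
enum entry_status check_conf_line(const char *line, char *path, char *dir,
                                  size_t buf_sz, int check_file)
{
    size_t len = strcspn(line, "\r\n");          /* cut at the first CR or LF */
    if (len == 0 || line[0] == '#' || line[0] == ';')
        return ENTRY_SKIP;                       /* blank line or comment */
    if (len >= buf_sz) return ENTRY_BAD_PATH;    /* does not fit the buffers */
    memcpy(path, line, len);
    path[len] = '\0';
    /* Absolute path below PLUGIN_ROOT, no ".." component, and a name that ENDS
     * in ".so" (a strstr() test would accept ".so" anywhere in the line). */
    if (strncmp(path, PLUGIN_ROOT, strlen(PLUGIN_ROOT)) != 0 ||
        strstr(path, "/../") != NULL ||
        strcmp(path + len - 3, ".so") != 0)
        return ENTRY_BAD_PATH;
    if (check_file) {                            /* regular file that is not */
        struct stat st;                          /* group- or world-writable */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) ||
            (st.st_mode & (S_IWGRP | S_IWOTH)))
            return ENTRY_BAD_FILE;
    }
    size_t dlen = (size_t)(strrchr(path, '/') - path) + 1;
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    return ENTRY_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real TV. */
    const char *lines[] = { "# libusb configuration file\n",
        "/mtd_rwarea/SamyGO/exe/remote/loader.so\r\n",
        "/mtd_rwarea/SamyGO/exe/../../tmp/x.so\n", "/tmp/plugin.so.txt\n" };
    char path[256], dir[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d <- %s", check_conf_line(lines[i], path, dir, sizeof path, 0), lines[i]);
    return 0;
}
```

Anything that passes is loaded into the exeDSP process at boot, so rejecting a line is always the safe outcome: the TV then starts without that plug-in.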
Useful links:
Remote Control TCP Server (remote.zip)
Remote control signal over LAN thread
How to enable Telnet on samsung TV's
Playing with Firmware Images
Setting up a cross-compilation toolchain
Linux Fedora Project
and many other SamyGO articles or posts.
Testing environment/tools:
- SamyGo Cross-Compilation Toolchain installed on FC12 linux (Intel Pentium-class PC)
- LE40B650T2W with patched 2005.0 firmware; no SamyGo extensions installed (only some libs for FTP, NTP, CIFS); modified widgets manager and CL manager replacement.
- 2 customized plug-ins have been tested so far: Remote Control TCP Server and so-called PVR2.
What can you do?
If somebody knows how to make it easier or better, don't be afraid to share your ideas with us.
Anyway, happy patching!