Now the method is almost finished, though it would be further improved.
This method executes a FTP and remote shell servers on TV with a root access. These changes are not persistent and are lost on TV reboot, so hack is 100% safe, unless you'll break something yourself.
1. Set up a development environment on your PC and TV (read wiki how to do this).
2. Extract htdocs.zip to your Apache htdocs folder. Edit widgetlist.xml and change 192.168.1.2 to IP address of your Apache server.
3. Unzip usb_card_updated.zip to the root directory of FAT-formatted USB stick.
4. Turn on a TV and wait until it completely boots.
5. Insert USB stick to TV, install and run the "Test Applet" widget on TV
6. Press "enter" on remote, the widget would do its dark things.
7. Exit widget and run "Web Browser". It should display a black screen for >10 seconds and then the browser would start. If browser starts immediately (this happens sometimes) - rerun browser again.
I've added a 10-second delay on the hack start to see that it works.
After this - you'll get a shell access via telnet on port 23 on TV IP address, and a FTP access to its filesystem.
Shell access allows you to execute commands and see their output. This is not a complete telnet daemon as we don't have devpts driver on TV. So do not try to execute interactive commands - you'll see their output, but would be unable to enter text. Code is taken from here: http://www.andreadrian.de/remsh/index.html with minor modifications (added a delay after popen). Later I'll replace this shell with something better.
Tested on UE32ES6727. USB is hardcoded to be "/dtv/usb/sda1", so insert only one USB device into TV, and your USB stick should have only one partition.
1. Remove the requirement to manually launch Web Browser
2. Better telnet daemon
3. Remove the hardcoded "/dtv/usb/sda1", detect USB folder automatically
Internals: Look into /mtd_exe/rc.local script. It has lines that set the LD_LIBRARY_PATH to search for .so files in "/dtv" directory before trying other dirs. And "/dtv" dir is writable! So we can place our own .so with a name of a system library (I've chosen libm.so.6) and it would be loaded instead of a system one.
So a hack is simple - copy our .so to /dtv, then run any application on TV (for example Web Browser, but other apps may work too), system would load our .so instead of libm, and our .so runs /dtv/usb/sda/run.sh on load.
To copy the .so file in your widget - use the "FilePlugin.Copy" function, but hide it with eval(), otherwise app would not be loaded as it contains "undocumented" functions.
As /dtv directory is tmpfs, all our modifications would be lost on reboot. So this hack is absolutely safe (of cause if you would not break something in run.sh script).