Update: a working method of rooting ES series

juusso
SamyGO Moderator
Posts: 10116
Joined: Sun Mar 07, 2010 6:20 pm

Re: Update: a working method of rooting ES series

Post by juusso » Fri Nov 30, 2012 8:42 am

As I understood, you haven't got root access to your TV yet and you haven't tried the hack which is published by mamaich. Else you should already know what is what there.

If you can develop, then just do it!
If you can reverse engineer, then take a disassembler and try to find some places we could patch to get the wanted functions.
If you can read sources, try to do this; you might find some "gaps" to use for our 3rd party apps.
If you can, you could try to port some apps or unix binaries to be used on your TV.
And so on and so on.

You've asked about USB cams, then you can research what is wrong and why they don't work.
You've asked for /dev/pty and full telnet, then you can try to check your ideas on your TV and tell us about the result.
You've asked for flash support, then go further, tell us your result.

All this stuff we're doing for ourselves (for different reasons - to improve our TVs' functionality, to have fun in developing, to realize our hobby first and share with all other people). If you can, just do something useful (for you in the first place) and I kindly ask you to share your research with us. If there is anyone here who could co-operate and support you, then he/she definitely will.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Post by E3V3A » Fri Nov 30, 2012 4:42 pm

juusso wrote: As I understood, you haven't got root access to your TV yet and you haven't tried the hack which is published by mamaich. Else you should already know what is what there.
That's correct, and the main reason for this is that the set I'm working on does not belong to me, and I am not willing to risk bricking someone else's TV set for my own joy. If it was my own, I would have ripped it apart long ago and found out many more things that I am curious about. So I am asking the questions above, to minimize any possibility of bricking, while trying to know beforehand what will happen to the TV after root and if it at all will be useful. My question was very simple. What exactly did he mean with executing commands, but not being able to enter them? To me that sounds like you don't actually have an interactive rooted shell, but only script access. Is that correct? (If that is correct, then I don't understand why starting a telnetd wouldn't give you a full interactive root shell?)
juusso wrote: If you can develop... blah blah...
Regarding those comments, I'm not here to get attacked and insulted, but to help where and how I can. I fully understand your frustration with continuously repeated questions about things that might be obvious to you, but you must also accept that people can be interested in helping even if they don't know how, which is the reason why I am here in the first place.

Mind you, even though I have experience in mobile/Linux development, I know nothing about these TVs... apart from what is common with normal embedded Linux devices. I'd be happy to cross-compile some useful binaries, if someone can show me how to find the correct tool-chain, required sources and compilation flags. (ATM, I don't have the faintest idea how to do this for this device.) This is really what would be useful to have on the Wiki entry. The more info there, the fewer questions here.
juusso wrote: You've asked about USB cams, then you can research what is wrong and why they don't work.
Well, that's why I asked! If someone already knows why they don't work, and where I can find the associated files. For example I'd suggest finding the file associated with checking the USB VID of the Samsung camera(s) and changing it to whatever "you" have or disabling the checking altogether.
juusso wrote: You've asked for /dev/pty and full telnet, then you can try to check your ideas on your TV and tell us about the result.
That's what I will do, once I have an interactive root shell.
juusso wrote: You've asked for flash support, then go further, tell us your result.
Same thing here...
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

Post by juusso » Fri Nov 30, 2012 4:48 pm

E3V3A wrote:
If you can develop... blah blah...
:)

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Post by mamaich » Mon Dec 03, 2012 2:32 am

E3V3A wrote:1. What do you mean with this? (I.e. How can I enter commands, if I cannot enter text?)
Just try to run MC and you'll see. You can enter text, but no mouse or anything else that you have in a full-featured telnet session.

Post by E3V3A » Mon Dec 03, 2012 4:23 am

mamaich wrote:Just try to run MC and you'll see. You can enter text, but no mouse or anything else that you have in a full-featured telnet session.
Aah, but that's only for ANSI-control sequences (arrows etc) and mouse input then, in MC!?? If that's the case, then no problem. As long as I can enter stuff from the keyboard. I never use MC anyway.
PS. Just to verify. I assume you mean "MC"=Midnight Commander...

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Post by arris69 » Mon Dec 03, 2012 6:34 pm

Added the widget to the SamyGO server (just the widget), so people don't need to install their own webserver.

http://wiki.samygo.tv/index.php5/Rootin ... cpu_models (section: Installing hack, points 1-6) how to install it.
Any further steps here: https://forum.samygo.tv/viewtopic.php?f=53&t=5015

(installation is supported for 12_ECHOP, 12_X10PLUS and 12_X10PLUS_2D types)

Post by E3V3A » Mon Dec 03, 2012 10:39 pm

Awesome! A couple of (other) things...

a) What does the remshd binary do? (sources?) Answer: It's the remote shell from here as linked in OP!
b) Which Busybox version are you using? Answer: BusyBox v1.20.2 (2012-11-15 22:46:44 PST)
c) I'd like to compile a few other very useful utilities. Is there any "how-to" info somewhere? (The more ES-specific, the better.)
d) Is someone adding this to the E model Wiki? (I can do it, but you'll have to let me know...and others who may consider doing it.)

e) How can I check that /dtv remains a non-permanent FS in future FW updates? I.e. it could be useful to allow people to check for themselves whether or not a new FW update would make any dangerous changes to our sets. So it might be a good idea to back up the libm files to a USB stick before removing. (?)

f) juusso mentioned in another thread that devpts has been compiled for D-models. If this is correct, what would it take to implement that same hack here? (if even possible or needed.)

Oh, that was quite a lot. I don't expect anyone of you to be able to answer this. But any partial hints or suggestions would be appreciated!

EDIT: 2012-12-04

Post by mamaich » Tue Dec 04, 2012 2:31 am

a) - yes, it was the first code that I've found on the net for "telnet daemon in c". The new version of the hack uses different code written by me.
c) - set up a build environment under Ubuntu as is stated in the Samsung readme.zip in UExxES6xxx.zip for building the kernel. Building your own progs is identical.
e) - on existing TVs it would remain. On newer models - it can be made r/o, renamed or removed. To stop this hack from working - Samsung may remove it from LD_LIBRARY_PATH, it is much easier for them. In this case we'll publish another method.
f) - I've compiled devpts as .ko, it was easy. But it would not work as there are no pts in the kernel, so devpts gives you just an empty filesystem.
Denny recompiled the kernel with pts support, not pts as a standalone driver.

Post by E3V3A » Tue Dec 04, 2012 4:45 am

Damn, that was one strange beast of a shell... It really doesn't make complete sense to me.
So for those of you who have not yet tried this. This is what happens, briefly.

1. You get a "shell" with a prompt "shell>" and you can type anything in it. But since ANSI control sequences are not recognized, any movement with arrow keys and such is not recognized. This is surprisingly painful, as you will not be able to edit the command on the line, but have to re-type everything.
2. When you enter something wrong, you don't get any error messages at all! Just a new "shell>" prompt.
3. You might think that the Busybox included on the USB stick is the working one, but it is not. It is instead (AFAICT) the original one used, which seems not to accept all commands... hard to tell!
4. You cannot "cd" to another directory. (?) You are permanently stuck in /tmp (AFAICT)...
5. Trying to run another shell, like "ash", doesn't seem to work either.
mamaich wrote: a) - yes, it was the first code that I've found on the net for "telnet daemon in c". The new version of the hack uses different code written by me.
I'm afraid I don't understand the problem. (?) telnetd is certainly present in the Busybox sources... Perhaps we need to modify the way it presents itself on the tty or console device? I'm thinking that perhaps we could try to run it on /dev/ttyS1 which is the UART debug port, since it's not giving any output after boot anyway, afaik..
mamaich wrote: f) - I've compiled devpts as .ko, it was easy. But it would not work as there are no pts in the kernel, so devpts gives you just an empty filesystem. Denny recompiled the kernel with pts support, not pts as a standalone driver.
Very cool. I can't wait to hear him tell us all about it! ;)

Another weird thing is that I was trying to find the GPIOs, but found nothing, and since I couldn't get find / -iname "gpio" to work, I never found anything related. Any ideas?

Finally, I'd like to make a dump of all the files in the temporary filesystem to a USB stick... so that I can search them offline. ??
Last edited by E3V3A on Tue Dec 04, 2012 3:55 pm, edited 1 time in total.

Post by E3V3A » Tue Dec 04, 2012 4:56 am

Here's some output:

shell>cat /proc/emergloginfo
0x5ffe0000

shell>cat /proc/tty/drivers

/dev/tty             /dev/tty        5       0 system:/dev/tty
/dev/console         /dev/console    5       1 system:console
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
serial               /dev/ttyS       4 64-67 serial
unknown              /dev/tty        4 1-63 console

shell>cat /proc/devices
-----------------------------------------------------------------------------
Character devices
  1 mem
  4 /dev/vc/0
  4 tty
  4 ttyS
  5 /dev/tty
  5 /dev/console
  7 vcs
 10 misc
 13 input
 29 fb
148 system
158 malloc
176 miomap
180 usb
189 usb_device
226 drm
231 drvGOP
253 mali
254 ump

Block devices:
  1 ramdisk
259 blkext
  7 loop
  8 sd
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
179 mmc
254 ramzswap

shell>cat /proc/cmdline
-----------------------------------------------------------------------------
console=ttyS2,115200 
root=/dev/mmcblk0p3 
rootfstype=squashfs 
LX_MEM=0x40200000,0x14900000 
LX_MEM2=0xA4E00000,0xB200000 
EMAC_MEM=0x40000000,0x100000 
SELP_ENABLE=1198282 Onboot  : 1003 quiet

shell>lsmod
-----------------------------------------------------------------------------
    Tainted: P
hid_microsoft   2032            0 - Live 0xbf310000
mousedev        7248            0 - Live 0xbf309000
evdev           5576            0 - Live 0xbf302000
usbhid          12872           0 - Live 0xbf2f9000
hid             31240           2 hid_microsoft,usbhid, Live 0xbf2ec000
rtnet5572sta    31400           0 - Live 0xbf2df000
rt5572sta       1295528         1 rtnet5572sta, Live 0xbf1a0000 (P)
rtutil5572sta   30436           2 rtnet5572sta,rt5572sta, Live 0xbf196000
usb_storage     30272           1 - Live 0xbf189000
ehci_hcd        47852           0 - Live 0xbf178000
usbcore         108904          6 usbhid,rtnet5572sta,rtutil5572sta,usb_storage,ehci_hcd, Live 0xbf158000
tntfs           363728          0 - Live 0xbf0fa000 (P)
mdrv_emac       12684           0 - Live 0xbf0f1000 (P)
samsung_mstar   494248          0 - Live 0xbf066000
samsung_mali    83468           23 samsung_mstar, Live 0xbf04c000
rfs_fat         202648          7 - Live 0xbf015000 (P)
rfs_glue        61548           1 rfs_fat, Live 0xbf000000 (P)


shell>env
-----------------------------------------------------------------------------
BASE_TIME=1354589852l
BG_MODE=1
CHANGE_PARTITION_FLAG=/mtd_rwarea/change_partition_flag
COMPILED_KEYMAP_PATH=/mtd_cmmlib/Runtime
DISPLAY=:0
DebugLogState=0
EXE_OR_RWREA_MOUNT_CHECK=/mtd_rwarea/exe_or_rwarea_mount_check
EX_PARTITION=/dev/mmcblk0p4
FONTCONFIG_FILE=/mtd_rocommon/WebBrowser/fonts/fonts.conf
FONTCONFIG_PATH=/mtd_cmmlib/Runtime/fonts
GDK_PIXBUF_MODULE_FILE=/mtd_exe/Runtime/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
GTK_PATH=/mtd_cmmlib/Runtime/lib/gtk-2.0
HOME=/mtd_moip
KF_LOG=/dev/null
KF_NO_INTERACTIVE=1
KF_NO_LOG=1
KF_SLEEP_READ=-2
LD_LIBRARY_PATH=/tmp/bin:/mtd_cmmlib/Runtime/XorgLibs:/mtd_cmmlib/Runtime/lib/CairoShadow:/mtd_cmmlib/Runtime/lib:/mtd_exe/WebServerApp/bin:/mtd_cmmlib/CBRE:/dtv:/mtd_cmmlib/GAME_LIB:/dtv:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_appdata/Java/lib:/mtd_exe:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/Comp_LIB/XT9_LIB:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_cmmlib/InfoLink/lib:/mtd_cmmlib/OIPF:/lib:/mtd_cmmlib/CM_LIB:/mtd_appext/OIPF/lib:/mtd_exe/OIPF/lib:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_appdata/yahoo:/mtd_cmmlib/moip:/mtd_appext/WidgetEngine:/mtd_rocommon/Webkit
MALLOC_CHECK_=1
MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
MAPLE_DUMMY_WIDGET_PATH=/mtd_appdata/SmartTV
MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib:/mtd_cmmlib/OIPF
MAPLE_WIDGET_DATA_PATH=/mtd_down
MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
MAX_FLASH_COUNT=5
MICOM_BASE=/sbin
MODULES_DIR=/lib/modules

MTD_APP_0=/dev/mmcblk0p15
MTD_APP_1=/dev/mmcblk0p16
MTD_CONTENTS=/dev/mmcblk0p19
MTD_DRMREGION_A=/dev/mmcblk0p10
MTD_DRMREGION_B=/dev/mmcblk0p11
MTD_EMANUAL=/dev/mmcblk0p18
MTD_EXE_0=/dev/mmcblk0p13
MTD_EXE_1=/dev/mmcblk0p14
MTD_KERNEL_0=/dev/mmcblk0p2
MTD_KERNEL_1=/dev/mmcblk0p5
MTD_ONBOOT=/dev/mmcblk0p0
MTD_ROCOMMON=/dev/mmcblk0p17
MTD_ROOTFS_0=/dev/mmcblk0p3
MTD_ROOTFS_1=/dev/mmcblk0p6
MTD_RWAREA=/dev/mmcblk0p12
MTD_RWCOMMON=/dev/mmcblk0p21
MTD_SWU=/dev/mmcblk0p20
MTD_UBOOT=/dev/mmcblk0p1

OLDPWD=/mtd_exe
PANGO_RC_FILE=/mtd_cmmlib/Runtime/pango/pangorc

PARTITION_CHECK_1ST=/mtd_rwarea/empty.0
PARTITION_CHECK_2ND=/mtd_rwarea/empty.1
PARTITION_FLAG00=/mtd_rwarea/PartitionSwitch_0_0
PARTITION_FLAG10=/mtd_rwarea/PartitionSwitch_1_0
PARTITION_VERSION_1ST=/mtd_swu/Version.0
PARTITION_VERSION_2ND=/mtd_swu/Version.1

PATH=/tmp/bin:/mtd_cmmlib/Runtime/bin:/usr/sbin:/usr/bin:/bin:/sbin:/etc/Scripts:/util:/mtd_cmmlib/Runtime/bin
PWD=/tmp
RESOLUTION=720
RUNLEVEL=Onboot
SECUREMAC0=/dev/mmcblk0p7
SECUREMAC1=/dev/mmcblk0p8
SECUREMAC2=/dev/mmcblk0p9
SHELL=/bin/sh
TERM=vt102
UI_URL=file:///mtd_down/widgets/normal/20121000004/WebkitUI/Index.html
UPGRADE_FLAG=/mtd_rwarea/UPGRADE_FLAG
USER=root

WE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
WE_DUMMY_WIDGET_PATH=/mtd_appdata/SmartTV
WE_FONTCONFIG_FILE=/mtd_rocommon/Webkit/fonts/fonts.conf
WE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
WE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
WE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
WE_PLUGIN_PATH=/mtd_appext/WidgetEngine/Plugins:/mtd_rocommon/Webkit/Plugins/Common
WE_WIDGET_DATA_PATH=/mtd_down
WE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc

XDG_DATA_HOME=/mtd_rocommon/WebBrowser/.local/share/
XSERVER_RW_PATH=/mtd_rwarea
XVT_DEFAULT=/dev/tty0
XVT_RUNTIME=/dev/tty%d

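The `env` output above and mamaich's answer e) both come down to which directories a root process searches for shared libraries. As an added example (not part of the thread, and not SamyGO or Samsung code), this POSIX sh script reports duplicate, relative, missing and world-writable entries in such a path; `classify_dir` and `audit_path` are names chosen here, and the default input is a shortened excerpt of the posted `LD_LIBRARY_PATH`.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a colon-separated library
# search path (e.g. LD_LIBRARY_PATH) for entries a loader should not trust.
# classify_dir and audit_path are names chosen for this example.

# classify_dir DIR -> prints empty | relative | missing | world-writable | ok
classify_dir() {
    d=$1
    case $d in
        "") echo empty;    return ;;  # an empty entry means "current directory"
        /*) ;;                        # absolute path: inspect it below
        *)  echo relative; return ;;  # resolved against the current directory
    esac
    [ -d "$d" ] || { echo missing; return; }  # whoever creates it later fills it
    # First 10 characters of `ls -ld` are the mode string; the 9th is the
    # write bit for "other". -L follows a symlinked directory to its target.
    mode=$(ls -ldL "$d" | cut -c1-10)
    case $mode in
        ????????w?) echo world-writable ;;
        *)          echo ok ;;
    esac
}

# audit_path PATHSTRING -> one "status<TAB>dir" line per entry, in search order.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
audit_path() (
    IFS=:
    set -f
    seen=:
    for entry in $1; do
        case $seen in
            *":$entry:"*) status=duplicate ;;
            *)            status=$(classify_dir "$entry") ;;
        esac
        seen="$seen$entry:"
        printf '%s\t%s\n' "$status" "$entry"
    done
)

# Default input: a shortened excerpt of the LD_LIBRARY_PATH posted above.
# Pass another path string as the first argument, e.g. "$LD_LIBRARY_PATH".
audit_path "${1:-/tmp/bin:/mtd_cmmlib/Runtime/lib:/dtv:/mtd_cmmlib/GAME_LIB:/dtv:/lib}"
```

Entries reported as `missing` or `world-writable` ahead of the system library directories are the ones to drop from the path or make root-owned and read-only.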