Update: a working method of rooting ES series


mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: Update: a working method of rooting ES series

Post by mamaich »

Use a newer telnet server (and other files) from here: viewtopic.php?f=48&t=5062

It seems that I will no longer work on hacking the TV; I simply have no time for that. Though I had really good progress with debianizing the TV (apt-get and other tools were working) and have even seen a working OpenGL demo (in software GL emulation) on the built-in X server.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Update: a working method of rooting ES series

Post by juusso »

mamaich wrote: Seems that I would no longer work on hacking TV - simply have no time for that.
This is really bad news... But I hope you'll find a little time for that, to code at least for yourself. Please share with us if you'll do something :-)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

mamaich wrote:Seems that I would no longer work on hacking TV - simply have no time for that. Though I had a really good progress with debianizing TV (apt-get and other tools were working) and even have seen a working OpenGL demo (in software GL emulation) on the built-in X server.
Yes, that is really too bad, as it looks like no one else is working on this... at least not with any visible progress. But if you don't have time, that is fine. But perhaps before you leave us hanging, you could give us a work plan or summary of what should be done? Or some brief instructions on how to follow up on your work?

Cheers!
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

Any idea on why I always have to run the browser twice (2x) before this works?
(How can we fix it?)
thwalker3
Posts: 18
Joined: Sun Nov 25, 2012 6:39 pm

Re: Update: a working method of rooting ES series

Post by thwalker3 »

Encountered something stunningly simple last night :)

Been spending some free time on and off the last few weeks looking at the filesystem images for my new UN46ES7500 w/ the latest 1041.1 firmware (updated long before I saw this site). Serial out is scrambled somehow, DNS hacks for downgrades don't work as they're now checking the SSL cert, and they fixed the library path so that you can't write to the early bits of it anymore. I was actually somewhat impressed that they've been keeping up on patches as I checked off a whole bunch of recent libtiff, libpng, libxml CVEs that seem to already be closed.

Then, last night, I realized something rather interesting... Our friend, 'FilePlugin.Copy' appears to be taking its two arguments and passing them straight down to the busybox shell as 'cp -rf $1 $2' while making *no attempt* to sanitize the inputs. i.e. you can do something like:

eval("FilePlugin.Copy(\"/proc/self/cmdline\", \"$(sh /dtv/usb/sda1/run.sh)/dtv/usb/sda1/cmdline\")");

And the (bash) shell will spawn a subshell to evaluate the bit inside $( ... ). No libm hacks, no manually opening the web browser once (or twice), or copying scripts around (the above works, even with the USB mounted 'noexec', because the only thing you're exec()ing from the kernel's point of view is 'sh'). I haven't figured out the proper escaping to get shell redirection to work in there, but you just make sure the script you exec immediately redirects stdout/stderr to a file that you can retrieve. The bits outside of $( ... ) don't really matter, although you can use them to do something "normal" as above.

Successfully got telnet and ftp up and running now... now if only the VDLinux prompt actually did something useful (no TDM on this model that I can find).

Enjoy ;)
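The same bug class in runnable form, as an added example (my code, not code from the thread, the SamyGO package or the TV firmware): a copy routine that interpolates both paths into a `sh -c` string, next to one that hands them to cp as separate argv entries, plus a character allow-list for code that must keep calling a shell. The temp directory, marker file and payload are constructed for the demo; nothing here touches a TV.

```shell
#!/bin/sh
# Added example: my code, not code from the SamyGO thread or the TV firmware.
# Reproduces the bug class described above (a plugin that builds
# "cp -rf $1 $2" as one shell string) next to the argv-based fix.
# The temp directory, marker file and payload are constructed for the demo.

WORK=$(mktemp -d)
printf 'data\n' > "$WORK/src"

# Attacker-controlled destination, shaped like the one in the post: the
# $(...) part runs as a side effect and expands to nothing, so the copy
# still lands in $WORK/dst and the caller sees a normal result.
PAYLOAD="\$(touch '$WORK/marker')$WORK/dst"

# Vulnerable: both paths are interpolated into a command line that a
# shell then parses, so $(...), backticks, ; and | all work for the caller.
vulnerable_copy() {
    sh -c "cp -rf $1 $2" 2>/dev/null
}

# Hardened: cp receives the paths verbatim as argv entries; no shell ever
# parses them. "--" keeps a path beginning with "-" from being an option.
safe_copy() {
    cp -rf -- "$1" "$2" 2>/dev/null
}

# Defence in depth for code that must keep calling a shell: allow-list the
# characters a path may contain. Returns 0 for clean, 1 for rejected.
path_is_clean() {
    case "$1" in
        '')                  return 1 ;;
        *[!A-Za-z0-9_./-]*)  return 1 ;;
    esac
    return 0
}

# Run one copy implementation ($1) with the payload; print 1 if the
# injected command fired (marker exists afterwards), 0 if it did not.
probe() {
    rm -f "$WORK/marker"
    "$1" "$WORK/src" "$PAYLOAD" || true
    if [ -e "$WORK/marker" ]; then echo 1; else echo 0; fi
}

# Stand-alone run prints: vulnerable=1 safe=0
echo "vulnerable=$(probe vulnerable_copy) safe=$(probe safe_copy)"
```

On the vulnerable path the substitution runs, expands to the empty string, and the copy itself still succeeds, so the caller sees nothing unusual. On the hardened path the injected text survives only as a literal (and invalid) file name, and cp simply fails. The allow-list is deliberately narrow; widen it per path component rather than per character if the caller legitimately needs more.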
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

thwalker3 wrote:...Successfully got telnet and ftp up and running now... now if only the VDLinux prompt actually did something useful (no TDM on this model that I can find).
Very nice work! Now, can you explain how you went about getting "VDLinux>" without Ex-link? (I know spawning a shell results in this, but why do you say it's not doing anything "useful"?)

All models should have a TDM.
1. Have you got the "debug" terminal unlock? It's the code that allows you to enable echo, so that you can see what you type, but only hex characters.** This code is found in /proc/cmdline in the SELP_ENABLE variable which is passed to kernel from bootloader.
2. Then once you can see what you type, you have to enter the TDM code that actually runs the menu. This code is hidden in kernel and can be very hard to find. Since you seem to have a different firmware from me I cannot help you with that one...as of now.

** It should be noted that the terminal filtering seems to be made on several layers. Although you can only "see" hex characters, we know that other characters are actually processed, as it reacts to things like "~~bye".
thwalker3
Posts: 18
Joined: Sun Nov 25, 2012 6:39 pm

Re: Update: a working method of rooting ES series

Post by thwalker3 »

VDLinux prompt is via (mamaich's?) telnetd. I can't get the serial console working because it looks like Samsung started scrambling the output (see viewtopic.php?f=52&t=5026&p=37121). The telnetd VDLinux prompt happily echoes whatever I type as I type it (letters, numbers, special chars) but doesn't do anything more than give me a newline when I hit enter. Stuff like '~~bye' doesn't appear to do anything.
Running netcat piped to a shell on a random port is much more useful (can run arbitrary shell commands remotely and get at least stdout back easily).

Nice thing about the shell escape trick with 'Copy' is that I imagine it should work on most of the older TVs and definitely works on the latest hw/fw if my TV is any indication.
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

thwalker3 wrote:... it looks like Samsung started scrambling the output (see viewtopic.php?f=52&t=5026&p=37121).
No. There is no scrambling. Your cable or settings are messed up. See: viewtopic.php?f=52&t=4974#p37816
The telnetd VDLinux prompt happily echoes whatever I type as I type it (letters, numbers, special chars)
Do you have local echo enabled?
...but doesn't do anything more than give me a newline when I hit enter.
Same thing happened to me when I ran:

Code:

sh -c 'exec sh -i </dev/tty >/dev/tty 2>&1' &
It gave me a "VDLinux>" prompt, but did funny and worrisome shit...

Code:

-----------------------------------------------------------------------------------------------------
VDLinux#>  ##### call default signal (17) handler                               
[2]+  Stopped (tty input)        /mtd_exe/rc.local                              
[1]-  Done(1)                    ${MICOM_BASE}/micom rollback                   
Saving emergency log dump                                                       
******************************************************                          
Application running is failed                                                   
SW image is stopped                                                             
******************************************************                          
VDLinux#> VDLinux#> VDLinux#>  ##### call default signal (1) handler            
process '/bin/cttyhack -/bin/sh' (pid 36) exited. Scheduling for restart.       
starting pid 1603, tty '': '/bin/cttyhack -/bin/sh'                             
/etc/profile start                                                              
##### send signal from USER, SIG : 1, busybox(1201)->busybox(1201) sys_tgkill   
insmod: can't insert '/lib/modules/rfs_glue.ko': File exists                    
insmod: can't insert '/lib/modules/rfs_fat.ko': File exists                     
1st partition                                                                   
1st Partition is selected                                                       
mount mtd_exe                                                                   
mount: mounting none on /sys/fs/cgroup failed: Device or resource busy          
mkdir: can't create directory '/sys/fs/cgroup/fg_group': File exists            
mount: mounting /dev/mmcblk0p13 on /mtd_exe/ failed: Device or resource busy    
mount mtd_exe fail                                                              
mkdir: can't create directory '/sys/fs/cgroup/bg_group': File exists            
mount mtd_rwarea                                                                
mount: mounting /dev/mmcblk0p12 on /mtd_rwarea failed: Device or resource busy  
Cgroup Fail                                                                     
Success to format                                                               
mount: mounting /dev/mmcblk0p12 on /mtd_rwarea failed: Device or resource busy  
mount mtd_rwarea fail                                                           
[1]+  Done                       /etc/cgroup_init                               
mount mtd_drmregion_a                                                           
mount: mounting /dev/mmcblk0p10 on /mtd_drmregion_a failed: Device or resource busy
Success to format                                                               
mount mtd_drmregion_b                                                           
mount: mounting /dev/mmcblk0p11 on /mtd_drmregion_b failed: Device or resource busy
Success to format                                                               
Partition.txt doesn't exist                                                     
mount mtd_appext                                                                
mount: mounting /dev/mmcblk0p15 on /mtd_appext/ failed: Device or resource busy 
mount mtd_appext fail                                                           
mount mtd_rocommon                                                              
mount: mounting /dev/mmcblk0p17 on /mtd_rocommon failed: Device or resource busy
mount mtd_rocommon fail                                                         
Saving emergency log dump                                                       
[1]+  Done(1)                    ${MICOM_BASE}/micom rollback                   
******************************************************                          
Application running is failed                                                   
SW image is stopped                                                             
******************************************************                          
VDLinux#> 
As you can see it triggered "micom rollback" and was attempting to format the partitions!
After that my TV no longer retains channel memory!! I also had a huge log (that I missed saving) giving lots of errors.

I believe the mistake was in the "2>&1" part of that line, which re-directs stdin/stdout/stderr to somewhere else... and if the current console is used by micom, that is very bad! I also accidentally sent some crap to /dev/ttyS1 (Micom) with some other blindfolded memory dump command!

Never use /dev/ttyS1 for anything!
Stuff like '~~bye' doesn't appear to do anything. running netcat piped to a shell on a random port is much more useful (can run arbitrary shell commands remotely and get at least stdout back easily). Nice thing about the shell escape trick with 'Copy' is that I imagine it should work on most of the older TVs and definitely works on the latest hw/fw if my TV is any indication.
I have no idea what you're talking about, do you have an example? It is always recommended to show your commands when discussing results... since everyone will eventually ask for them anyway.

EDIT (2012-12-19):
I noticed (too late) another thing. Be very careful when trying to start interactive shells, as they might want to load /etc/profile!
Why? Because this profile contains instructions to reformat or switch FW, which can easily fail in the wrong circumstances.

Code:

# /etc/profile
echo "/etc/profile start"

export PATH="/usr/sbin:/usr/bin:/bin:/sbin:/etc/Scripts:/util"
export LD_LIBRARY_PATH="/lib"
export MODULES_DIR=/lib/modules
export MICOM_BASE=/sbin
export MALLOC_CHECK_=1

############## Flash Driver ###########
insmod $MODULES_DIR/rfs_glue.ko
insmod $MODULES_DIR/rfs_fat.ko

echo "4096    87380   1425408" > /proc/sys/net/ipv4/tcp_rmem

############## Partition Information ##############
export MTD_ONBOOT=/dev/mmcblk0p0
export MTD_UBOOT=/dev/mmcblk0p1
export MTD_KERNEL_0=/dev/mmcblk0p2
export MTD_ROOTFS_0=/dev/mmcblk0p3
export EX_PARTITION=/dev/mmcblk0p4
export MTD_KERNEL_1=/dev/mmcblk0p5
export MTD_ROOTFS_1=/dev/mmcblk0p6
export SECUREMAC0=/dev/mmcblk0p7
export SECUREMAC1=/dev/mmcblk0p8
export SECUREMAC2=/dev/mmcblk0p9
export MTD_DRMREGION_A=/dev/mmcblk0p10
export MTD_DRMREGION_B=/dev/mmcblk0p11
export MTD_RWAREA=/dev/mmcblk0p12
export MTD_EXE_0=/dev/mmcblk0p13
export MTD_EXE_1=/dev/mmcblk0p14
export MTD_APP_0=/dev/mmcblk0p15
export MTD_APP_1=/dev/mmcblk0p16
export MTD_ROCOMMON=/dev/mmcblk0p17
export MTD_EMANUAL=/dev/mmcblk0p18
export MTD_CONTENTS=/dev/mmcblk0p19
export MTD_SWU=/dev/mmcblk0p20
export MTD_RWCOMMON=/dev/mmcblk0p21

############## SWU Parameter Init ##############
export PARTITION_FLAG00=/mtd_rwarea/PartitionSwitch_0_0
export PARTITION_FLAG10=/mtd_rwarea/PartitionSwitch_1_0
export PARTITION_VERSION_1ST=/mtd_swu/Version.0
export PARTITION_VERSION_2ND=/mtd_swu/Version.1
export PARTITION_CHECK_1ST=/mtd_rwarea/empty.0
export PARTITION_CHECK_2ND=/mtd_rwarea/empty.1
export EXE_OR_RWREA_MOUNT_CHECK=/mtd_rwarea/exe_or_rwarea_mount_check
export CHANGE_PARTITION_FLAG=/mtd_rwarea/change_partition_flag
export UPGRADE_FLAG=/mtd_rwarea/UPGRADE_FLAG

############## Parameter Init ##############
SUCCESS_MOUNT="true"
UseSecondPartition="false"
CurrentFlag=$PARTITION_FLAG00
ulimit -c unlimited

#### Execution Cgroup Init Script ####
/etc/cgroup_init &
######################################

############## Boot partition select ##############
PART_FLAG=$(cat /proc/cmdline | cut -d'/' -f3 | cut -d' ' -f1)

if [ "$PART_FLAG" = "mmcblk0p3" ]
then
        echo "1st partition"
        UseSecondPartition="false"
        CurrentFlag=$PARTITION_FLAG00
else
        echo "2nd partition"
        UseSecondPartition="true"
        CurrentFlag=$PARTITION_FLAG10
fi

if [ "$UseSecondPartition" = "true" ]
then
        echo "2nd Partition is selected"
        EXE_MOUNT=$MTD_EXE_1
	APP_MOUNT=$MTD_APP_1 
        EXE_MOUNT_SUB=$MTD_EXE_0
	APP_MOUNT_SUB=$MTD_APP_0 
else
        echo "1st Partition is selected"
        EXE_MOUNT=$MTD_EXE_0 
	APP_MOUNT=$MTD_APP_0 
        EXE_MOUNT_SUB=$MTD_EXE_1 
	APP_MOUNT_SUB=$MTD_APP_1 
fi

echo "mount mtd_exe"
mount -t squashfs  $EXE_MOUNT /mtd_exe/
if [ $? != 0 ]
then
	echo "mount mtd_exe fail"
	SUCCESS_MOUNT="false"
fi

if [ -e /mtd_exe/TunerInit ]
then
      /mtd_exe/TunerInit&
fi
 
echo "mount mtd_rwarea"
mount -t rfs $MTD_RWAREA /mtd_rwarea
if [ $? != 0 ]
then
        umount /mtd_rwarea 2> /dev/null
        fat.format -F 32 -s 1 -S 1024 $MTD_RWAREA
        mount -t rfs $MTD_RWAREA /mtd_rwarea
        if [ $? != 0 ]
        then
                echo "mount mtd_rwarea fail"
                SUCCESS_MOUNT="false"
        fi
fi

echo "mount mtd_drmregion_a"
mount -t rfs $MTD_DRMREGION_A /mtd_drmregion_a
if [ $? != 0 ]
then
        umount /mtd_drmregion_a 2> /dev/null
        fat.format -F 16 -s 1 -S 512 $MTD_DRMREGION_A
        mount -t rfs $MTD_DRMREGION_A /mtd_drmregion_a
        if [ $? != 0 ]
        then
                echo "mount mtd_drmregion_a fail"
                SUCCESS_MOUNT="false"
        fi
fi

echo "mount mtd_drmregion_b"
mount -t rfs $MTD_DRMREGION_B /mtd_drmregion_b
if [ $? != 0 ]
then
        umount /mtd_drmregion_b 2> /dev/null
        fat.format -F 16 -s 1 -S 512 $MTD_DRMREGION_B
        mount -t rfs $MTD_DRMREGION_B /mtd_drmregion_b
        if [ $? != 0 ]
        then
                echo "mount mtd_drmregion_b fail"
                SUCCESS_MOUNT="false"
        fi
fi

rm -f /mtd_rwarea/PartitionSwitch*
if [ "$PART_FLAG" = "mmcblk0p3" ]
then
        touch $PARTITION_FLAG00
else
        touch $PARTITION_FLAG10
fi

if [ -e  /mtd_rwarea/change_partition_flag ]
then
	usb_start.sh
	
	if [ "$SUCCESS_MOUNT" = "false" ]
	then
		echo "EXE or RWAREA mount error"
		touch $EXE_OR_RWREA_MOUNT_CHECK
		rm /mtd_rwarea/change_partition_flag
		#micom reboot
		sleep 3
	fi

	echo "Partition.txt is exist"
	#micom ledon
	/etc/Scripts/partition_check.sh
	rm /mtd_rwarea/change_partition_flag
	/etc/Scripts/update_change_partition_flag.sh
	sleep 3
else
	echo "Partition.txt doesn't exist"
fi


echo "mount mtd_appext"
mount -t squashfs  $APP_MOUNT /mtd_appext/
if [ $? != 0 ]
then
        echo "mount mtd_appext fail"
        SUCCESS_MOUNT="false"
fi

echo "mount mtd_rocommon"
mount -t squashfs $MTD_ROCOMMON /mtd_rocommon
if [ $? != 0 ]
then
        echo "mount mtd_rocommon fail"
        SUCCESS_MOUNT="false"
fi

$MICOM_BASE/micom rollback &

if [ "$SUCCESS_MOUNT" = "true" ]
then
	echo "== Start exeDSP =="
	/mtd_exe/rc.local
fi

# save emergency log dump
echo "Saving emergency log dump"
/util/save_error_log
sync

if [ -e $UPGRADE_FLAG  ]
then
	echo "******************************************************"
	echo "Application running is failed"
	echo "SW image is stopped"
	echo "******************************************************"
else
	echo "Application running is failed..try to do emergency state handling"
        echo "wait 5 seconds"
        x=0
        while [ $x -lt 5 ]
        do
        x=$(($x + 1))
        sleep 1
        echo $x
        done

	if [ "$UseSecondPartition" = "true" ]
	then
        	if [ -e $PARTITION_CHECK_1ST ]
		then
 	               echo "no sub SW image...going shutdown : DEV"
 	               ##$MICOM_BASE/micom shutdown
        	else    
        	        echo "current partition 2nd is corrupted. roll back to sub partition 1st"
		        rm -f $PARTITION_VERSION_2ND
        	        touch $PARTITION_CHECK_2ND
        	        sync
        	        $MICOM_BASE/micom toggle 0
        	        touch $USB_UPDATE_FLAG
        	        sync
        	        echo "Reboot system"
        	        $MICOM_BASE/micom reboot
		fi
	else    
        	if [ -e $PARTITION_CHECK_2ND ]
		then
        	        echo "no sub SW image...going shutdown : DEV"
        	        ##$MICOM_BASE/micom shutdown
        	else
        	        echo "current partition 1st is corrupted. roll back to sub partition 2nd"
        	        rm -f $PARTITION_VERSION_1ST
        	        touch $PARTITION_CHECK_1ST
        	        sync
        	        $MICOM_BASE/micom toggle 1
        	        touch $USB_UPDATE_FLAG
        	        sync
                	echo "Reboot system"
                	$MICOM_BASE/micom reboot
        	fi
        fi
fi
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

If you're attached to a remote shell via nc, then you have limited error output and command result feedback. I don't know why,
but to get more normal shell feedback, issue the following at the "shell>" prompt:

Code:

shell> openvt -c 1 -s /bin/sh &
thwalker3
Posts: 18
Joined: Sun Nov 25, 2012 6:39 pm

Re: Update: a working method of rooting ES series

Post by thwalker3 »

E3V3A wrote:
thwalker3 wrote:... it looks like Samsung started scrambling the output (see viewtopic.php?f=52&t=5026&p=37121).
No. There is no scrambling. You're cable or settings are messed up. See: viewtopic.php?f=52&t=4974#p37816
Read the thread I cited. I know the cable works because I use it on numerous other 3.3V and 5V TTL serial connections, and I know the serial settings are correct (I can see what they are from /proc/cmdline). I do embedded Linux programming for a living; I think I'm capable of getting a serial console to work. FWIW, I'm using http://store.ckdevices.com/products/FTDI-Pro.html which are great little devices and have small physical switches to reverse tx/rx and switch between 3.3V and 5V. Takes a lot of the guesswork out of these sorts of things usually.

Samsung has already clearly modified the kernel TTY code (to limit input from the serial console), so I don't know why people think it's a stretch that they started fiddling with the output too. Given that I can see patterns in the output, they're using a simple rotation or table lookup, but I haven't gone digging in the binary yet.

As for showing output, I would, but there isn't much of anything to show...

Code:

Trying 192.168.1.116...
Connected to 192.168.1.116.
Escape character is '^]'.
/bin/sh: can't access tty; job control turned off
VDLinux#> echo foo
> ;
> ~~bye
> exit
> quit
> .
> ^C
It does stop responding after ctrl-c (but not ctrl-z, ctrl-d or anything else). This modified telnet daemon is part of the package that started this thread so you can try it for yourself.

Getting netcat to redirect stderr is doable on some versions, but the busybox version of nc is pretty limited and doesn't include this option (and no amount of redirection I've tried seems to work around it). Still, better than nothing.

Anyway, will still keep playing around when I have time but you now at least have a method to root even the latest firmware reliably without relying on LD_LIBRARY_PATH which is (and was) easily fixed by Samsung. Unfortunately, this one is trivial for them to close as well.
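A relay that gets stderr back over a single netcat connection, as an added example that is not from the thread or the SamyGO package: instead of piping nc into sh and losing whatever the shell writes to fd 2, a fifo carries the shell's output (with 2>&1 applied after the stdout redirection) back to the transport's stdin. On the TV the transport would be busybox `nc -l -p 2323`; that option syntax is an assumption here and is not exercised below. The offline demo substitutes a file-backed transport with a constructed three-line session so it runs without a network.

```shell
#!/bin/sh
# Added example: my code, not from the SamyGO thread. Serves a shell over
# one bidirectional transport with stderr merged into what the client sees.
# $1 is the transport command: its stdout is what the client typed, its
# stdin is what goes back to the client. On the TV that would be busybox
# "nc -l -p 2323" (an assumption about its option syntax; not tested here).
serve_shell() {
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    # Transport reads the fifo (shell output) and feeds client bytes into
    # the pipe; sh runs them with stdout AND stderr pointed at the fifo.
    # The order '>fifo 2>&1' is what merges stderr; '2>&1 >fifo' would not.
    # Plain "sh" is a non-login shell, so /etc/profile is not sourced.
    sh -c "$1" <"$fifo" | sh >"$fifo" 2>&1
    rm -f "$fifo"
}

# Offline stand-in for netcat: replay a constructed session, close the
# client-to-shell direction so the shell sees EOF and exits, then collect
# everything the shell sent back into $WORK/out and print it.
demo_session() {
    WORK=$(mktemp -d)
    printf '%s\n' 'echo hello-stdout' \
                  'echo hello-stderr >&2' \
                  'ls /nonexistent-path-for-demo' \
                  'true' > "$WORK/cmds"
    serve_shell "cat '$WORK/cmds'; exec >&-; cat >'$WORK/out'"
    cat "$WORK/out"
}

# Number of the three expected messages that came back; 3 means the
# stderr line and the ls error both reached the "client".
lines_received() {
    demo_session | grep -c -e hello-stdout -e hello-stderr -e nonexistent
}

# Stand-alone run prints: 3
lines_received
```

Two details carry the whole trick. The redirection order `>"$fifo" 2>&1` sends both streams into the fifo, whereas `2>&1 >"$fifo"` would point stderr at wherever stdout was before the redirection, which is exactly the stream a `nc | sh` pipeline never sees. And the shell is started as a plain non-login `sh`: ash, dash and bash only source /etc/profile for login shells (argv[0] beginning with `-`, as in the `/bin/cttyhack -/bin/sh` line in the log earlier in this thread), so this avoids the partition-switching profile E3V3A warns about.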
