Update: a working method of rooting ES series

[mamaich]

A minor update: I've managed to make a widget that launches the hack without need of a manual Web Browser running.
NFS, SMB modules are compiled and loaded, but have not tested them in real life yet. I'll publish the work a bit later, after testing and making some improvements.

And I have an idea on using a debian repository. Currently I've setup a chroot environment, and console debian utils work fine (apt-get, etc). The next step is X-windows.

[mamaich]

2 sbav1
It is possible to replace one of the useless EMPs with our own program, for example I've played with Camera emp successfully. Using that EMP in your JS would trigger the launch of a corresponding program - and you can do in it all that you need. Replacing can be done with FilePlugin.Copy method (don't forget to restore the original EMP after success and run it, otherwise JS may hang). I'd recommend not to play with the browser and download EMP - as breaking them would make your device unrestorable to original state.
EMPs are stored in /mtd_contents that is RW and formatted as FAT with all files executable, but check your "mounts" first.

[thwalker3]

Hmm, I have a brand new UN46ES7500 that I tried this on but when I insert the USB key, it only prompts me for a choice of "Video, Photos, or Music". How do you get it to accept the custom "widget"? Admittedly, before I found this site, I updated my firmware to the latest so maybe they removed the option...

That all said, this is very interesting still... because the fact that your method "works" seems to indicate that Samsung is running what should be "sandboxed" processes that take "user" input as a privileged userid (root?) that has the ability to modify the (temporary) runtime filesystem. This is a huge no-no for obvious reasons because it *greatly* increases the attack surface. While changing this in a future fw update is, of course, possible, it would be very invasive and prone to bugs. Not something that their engineers likely want to fiddle with in a production product update.

Even if they've removed the ability to run arbitrary "applets or widgets", another route to arbitrary code execution just requires some further investigation... libpng, for instance, has had numerous public buffer overflows in the last year or two, any one of which could let you execute arbitrary code with the privileges of the process opening a "malicious" image file (the web browser could be exploited by pointing you at a specially crafted page, the photo viewing app via an image on a USB key, etc).

Anyway, I'm kind of limited in what I can do on my TV without having a functional serial console or way of getting a shell yet but I *do* have access to some other ARMv7 based systems (including A9) and an unencrypted copy of the "root" (initrd?) and "exe" ("/" ?) filesystems so poking around looking for a workable userland exploit should be doable with just that...

Anyone else already been down this route and have any success (or failure) stories to share?

[juusso]

thwalker3

look at this:


other than in video, you haven`t use mail (what they actually suggest), but develop as user name and any six digit password.

you have to fire up your own web server and serve widget, which is to be installed trough develop account while in SmartHub. Also this wiki article may be helpful to understand what is what here

btw, this rooting method is confirmed on T-MST10PDEUC, but not on ECHO.P boards (T-ECPDEUC, T-EPAKUC and so on), so can be it isn`t ok for your board...

[thwalker3]

Ah, sorry, bit of a n00b and hadn't quite looked up what was meant on step #1 (prepare development environment). So I can confirm that that does work and allow me to copy the "app" onto my TV and the app appears to run but the web broswer *never* takes the 10 seconds to startup and I don't get any additional open ports. Will keep fiddling.

[mamaich]

Try this one: viewtopic.php?f=48&t=5062
Archive contains a newer widget that would output some info in case of error.

[thwalker3]

Not having much luck with any of the multiupload links from the US. Is it possible to make it available somewhere else?

Been playing with this older widget and it happily copies libm into /dtv but the loader doesn't seem to be picking up your copy (running browser, camera emp, etc). What does environ show your LD_LIBRARY_PATH to be on a system where this works? I notice that on my box, they put /lib in front (twice actually). Wonder if that is a new "feature".

Assuming you can get a library of your making loaded, there are some cleaner ways to do what you're after (dlsym comes to mind). Actually, the libm in the version here doesn't appear to have any of the "libm symbols" so I'm not quite sure how this even works unless the loader is managing to load libm twice (which is possible in some circumstances). Anyway, all theoretical unless I have a working shell

[juusso]

ok, just a moment...

added alternative download links.
viewtopic.php?f=48&t=5062&p=37076#p37076

[thwalker3]

Got it, thanks.
Mount path and everything look ok but:

<snip>
Copying Files
Running script

Error: can't find samygo.log!!!"

No camera app launching either. What return codes do you expect out of the Open() and Execute()? Is this javascript API documented somewhere?

[E3V3A]

I'd be happy to try to help out with this, but...

... This is not a complete telnet daemon as we don't have devpts driver on TV. So do not try to execute interactive commands - you'll see their output, but would be unable to enter text...

1. What do you mean with this? (I.e. How can I enter commands, if I cannot enter text?)
2. Where would the "devpts" driver be located (in sources) if there were there?) [So it's not enough to just create /dev/pts ??]
3. How could I help?