NFS and SMB modules are compiled and loaded, but I have not tested them in real life yet. I'll publish the work a bit later, after testing and making some improvements.
And I have an idea on using a Debian repository. Currently I've set up a chroot environment, and console Debian utils work fine (apt-get, etc.). The next step is X-windows.
It is possible to replace one of the useless EMPs with our own program; for example, I've played with the Camera EMP successfully. Using that EMP in your JS would trigger the launch of the corresponding program, and you can do in it all that you need. Replacing can be done with the FilePlugin.Copy method (don't forget to restore the original EMP after success and run it, otherwise JS may hang). I'd recommend not playing with the browser and download EMPs, as breaking them would make your device unrestorable to its original state.
EMPs are stored in /mtd_contents that is RW and formatted as FAT with all files executable, but check your "mounts" first.
That all said, this is very interesting still... because the fact that your method "works" seems to indicate that Samsung is running what should be "sandboxed" processes that take "user" input as a privileged userid (root?) that has the ability to modify the (temporary) runtime filesystem. This is a huge no-no for obvious reasons because it *greatly* increases the attack surface. While changing this in a future fw update is, of course, possible, it would be very invasive and prone to bugs. Not something that their engineers likely want to fiddle with in a production product update.
Even if they've removed the ability to run arbitrary "applets or widgets", another route to arbitrary code execution just requires some further investigation... libpng, for instance, has had numerous public buffer overflows in the last year or two, any one of which could let you execute arbitrary code with the privileges of the process opening a "malicious" image file (the web browser could be exploited by pointing you at a specially crafted page, the photo viewing app via an image on a USB key, etc).
Anyway, I'm kind of limited in what I can do on my TV without having a functional serial console or way of getting a shell yet but I *do* have access to some other ARMv7 based systems (including A9) and an unencrypted copy of the "root" (initrd?) and "exe" ("/" ?) filesystems so poking around looking for a workable userland exploit should be doable with just that...
Anyone else already been down this route and have any success (or failure) stories to share?
look at this:
Other than in the video, you haven't used mail (what they actually suggest), but "develop" as the user name and any six-digit password.
You have to fire up your own web server and serve the widget, which is to be installed through the develop account while in SmartHub. Also this wiki article may be helpful to understand what is what here.
btw, this rooting method is confirmed on T-MST10PDEUC, but not on ECHO.P boards (T-ECPDEUC, T-EPAKUC and so on), so it may be that it isn't OK for your board...
Been playing with this older widget and it happily copies libm into /dtv but the loader doesn't seem to be picking up your copy (running browser, camera emp, etc). What does environ show your LD_LIBRARY_PATH to be on a system where this works? I notice that on my box, they put /lib in front (twice actually). Wonder if that is a new "feature".
Assuming you can get a library of your making loaded, there are some cleaner ways to do what you're after (dlsym comes to mind). Actually, the libm in the version here doesn't appear to have any of the "libm symbols", so I'm not quite sure how this even works unless the loader is managing to load libm twice (which is possible in some circumstances). Anyway, all theoretical unless I have a working shell.
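As an added example (not code from this thread), a small Python script to run on a PC against an environ dump copied off the TV: it parses the NUL-separated /proc/<pid>/environ format, lists the LD_LIBRARY_PATH search order, and flags duplicate entries and any non-system directory searched before /lib, which is the condition that decides whether a library dropped into a writable directory such as /dtv shadows the system copy. The sample environ contents, the /usr/lib entry and the SYSTEM_LIB_DIRS tuple are constructed assumptions.

```python
"""Audit the dynamic-loader search order recorded in a process's environ dump.

Added example, not code from the thread. Feed it the raw bytes of
/proc/<pid>/environ copied off the TV (e.g. from the browser or camera EMP
process). The sample environ blobs below are constructed, not captured.
"""

SYSTEM_LIB_DIRS = ("/lib", "/usr/lib")   # assumed system library dirs on the target


def parse_environ(data: bytes) -> dict:
    """Parse NUL-separated KEY=VALUE pairs as found in /proc/<pid>/environ."""
    env = {}
    for entry in data.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit_ld_library_path(env: dict) -> dict:
    """Return the search order, duplicate entries and non-system dirs searched before /lib."""
    raw = env.get("LD_LIBRARY_PATH", "")
    # glibc treats an empty element of LD_LIBRARY_PATH as the current directory.
    order = [p if p else "." for p in raw.split(":")] if raw else []
    seen, duplicates = set(), []
    for p in order:
        if p in seen and p not in duplicates:
            duplicates.append(p)
        seen.add(p)
    # Everything before the first system dir wins the lookup for a same-named library.
    sys_idx = next((i for i, p in enumerate(order) if p in SYSTEM_LIB_DIRS), len(order))
    shadowing = [p for p in order[:sys_idx] if p not in SYSTEM_LIB_DIRS]
    return {"order": order, "duplicates": duplicates, "shadowing": shadowing}


# Constructed sample: a box where /lib was placed first (twice), as observed above...
ENVIRON_NEW = b"PATH=/bin:/usr/bin\0LD_LIBRARY_PATH=/lib:/lib:/dtv:/usr/lib\0HOME=/\0"
# ...and a constructed sample where the writable /dtv is searched before /lib.
ENVIRON_OLD = b"PATH=/bin\0LD_LIBRARY_PATH=/dtv:/lib:/usr/lib\0"

if __name__ == "__main__":
    for name, blob in (("new", ENVIRON_NEW), ("old", ENVIRON_OLD)):
        r = audit_ld_library_path(parse_environ(blob))
        print(name, "search order:", r["order"])
        print(name, "duplicates:", r["duplicates"], "dirs shadowing /lib:", r["shadowing"])
```

On the TV itself the same bytes can be pulled with `cat /proc/<pid>/environ` once any shell is available; the script only needs the dump.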
added alternative download links.
Mount path and everything look OK, but:
Error: can't find samygo.log!!!
1. What do you mean by this? (I.e. how can I enter commands if I cannot enter text?)
mamaich wrote: ... This is not a complete telnet daemon as we don't have devpts driver on TV. So do not try to execute interactive commands - you'll see their output, but would be unable to enter text...
2. Where would the "devpts" driver be located (in the sources) if it were there? [So it's not enough to just create /dev/pts?]
3. How could I help?
FW: T-MST10PDEUC-1029.0 Onboot: 1003