Update: a working method of rooting ES series


E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

thwalker3 wrote:...Read the thread I cited. I know the cable works because I use it on numerous other 3.3V and 5V TTL serial connections) and I know the serial settings are correct (I can see what they are from /proc/cmdline). I do embedded linux programming for a living, I think I'm capable of getting a serial console to work. FWIW- I'm using http://store.ckdevices.com/products/FTDI-Pro.html which are great little devices and have small physical switches to reverse tx/rx and switch between 3.3V and 5V. Takes a lot of the guesswork out of these sorts of things usually.
Ok, cool! I just wanted to double check. You'd be surprised how many people complain about the same thing, only to find that they have constructed crappy cables or are using the wrong settings. I already read that thread long ago, as you can see I commented on it, but then there never was any response from OP, so I just assumed that he had screwed up too...
Samsung has already clearly modified the kernel TTY code (to limit input from the serial console) so I don't know why people think it a stretch that they started fiddling with the output too. Given that I can see patterns in the output, they're using a simple rotation or table lookup but I haven't gone digging in the binary yet.
Yeah, I'm sure the SEC engineers are drooling over this forum so that they can use what's left of their "can't think for themselves" talents to keep us from looking inside our TVs. Anyway, we can solve this. But first I noticed that your TV has a different firmware than mine, so it would be interesting to see how your 1041.1 kernel compares to my 1029. (Different kernel branches. Can you see your kernel compilation date?)

There are two simple things you can try to do.
1. Rollback your firmware until serial works.
2. Save a binary copy of your bootup output and run it through all XOR/ROT/ROL encodings, until you find a string that corresponds to what's expected.
(These are very popular ways to obscure code, but efficient to implement as they are essentially assembly "one liners" and thus hard to spot in reverse engineering.)
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
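
Added example, not part of the post above or of any SamyGO code: one way to carry out step 2, trying single-byte XOR, ADD, bit-rotate (ROL) and letter-ROT decodings of a saved console capture and ranking the results by expected boot strings. The marker strings and the sample capture are constructed assumptions; a table-lookup substitution is not covered.

```python
# Added example: try single-byte XOR, ADD, ROL and letter-ROT decodings of a
# captured serial dump and rank them by expected boot strings.
EXPECTED = [b"Linux version", b"Kernel command line", b"console="]  # assumed markers

def rol8(b, n):
    """Rotate one byte left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def rot_letter(b, n):
    """Caesar-shift ASCII letters by n, leave other bytes alone."""
    for base in (65, 97):
        if base <= b < base + 26:
            return base + (b - base + n) % 26
    return b

def transforms():
    """Yield (name, 256-byte translation table) for each candidate decoding."""
    for k in range(1, 256):
        yield f"xor 0x{k:02x}", bytes(b ^ k for b in range(256))
        yield f"add 0x{k:02x}", bytes((b + k) & 0xFF for b in range(256))
    for n in range(1, 8):
        yield f"rol {n}", bytes(rol8(b, n) for b in range(256))
    for n in range(1, 26):
        yield f"rot {n}", bytes(rot_letter(b, n) for b in range(256))

def score(data):
    """Rank by marker hits first, then by share of printable bytes."""
    hits = sum(data.count(s) for s in EXPECTED)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return hits, printable / max(len(data), 1)

def crack(capture, top=3):
    """Return the best `top` candidates as (score, name, decoded bytes)."""
    results = [(score(capture.translate(t)), name, capture.translate(t))
               for name, t in transforms()]
    results.sort(key=lambda r: r[0], reverse=True)
    return results[:top]

if __name__ == "__main__":
    # Constructed sample: a fake boot banner obscured with XOR 0x5A.
    plain = b"Linux version 2.6.35 (constructed)\nKernel command line: console=ttyS0,115200\n"
    capture = bytes(b ^ 0x5A for b in plain)
    for (hits, printable), name, decoded in crack(capture):
        print(f"{name:10} hits={hits} printable={printable:.2f} {decoded[:30]!r}")
```

For a real capture, read the saved bytes in binary mode and pass them to `crack()`; a top candidate with zero marker hits means none of these simple transforms applies.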

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Update: a working method of rooting ES series

Post by E3V3A »

BTW. I updated the ES Wiki with:
Rooting the ES-series

Please have a look for errors and give me some feedback.

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: Update: a working method of rooting ES series

Post by arris69 »

E3V3A wrote:BTW. I updated the ES Wiki with:
Rooting the ES-series

Please have a look for errors and give me some feedback.
sorry for my laziness, but think the widget is just named "Test" or so, also no icon for now....

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: Update: a working method of rooting ES series

Post by arris69 »

thwalker3 wrote:... DNS hacks for downgrades don't work as they're now checking the SSL cert...
SSL certificates were checked before too :-) only thing is that now samsung probably hardcoded the rootca into exe dsp (i replaced some of the cert files on tv with a custom root cert but it was for nuts...)

if someone has interest to play around on that "problem" for ECPDEUC there is a firmware online (on SamyGO server) with extensions included and you can safely reflash the exe partition with custom modified (what you have to build for yourself :-D ) for MST10 i can put one online (on request). but you need an "older" version on your tv to make the (down/up)date.

Sebastien
Posts: 2
Joined: Fri Dec 21, 2012 9:10 am

Re: Update: a working method of rooting ES series

Post by Sebastien »

Hi,

Thank you for this method, it works on my UE55ES6100 ;) (Telnet and FTP access)

I have made a similar method to 'hack' an LG PVR (MS400/450 H) but we already had root access through telnet on it ;) (make an embedded filesystem in a file and mount it), with a web access console to start FTP, Samba, Network Share and other stuff

Is there a way or a method to have the 'drm key' to decrypt records ?

thanks

Seb@stien

nobody
Posts: 182
Joined: Sat Nov 12, 2011 1:45 am

Re: Update: a working method of rooting ES series

Post by nobody »

thwalker3 wrote:eval("FilePlugin.Copy(\"/proc/self/cmdline\", \"$(sh /dtv/usb/sda1/run.sh)/dtv/usb/sda1/cmdline\")");
Why do you use eval?
There's no need.
FilePlugin.Copy("/proc/self/cmdline", "$(sh /dtv/usb/sda1/run.sh)/dtv/usb/sda1/cmdline");

Is easier on the eyes :)

juusso
SamyGO Moderator
Posts: 10124
Joined: Sun Mar 07, 2010 6:20 pm

Re: Update: a working method of rooting ES series

Post by juusso »

welcome back, nobody ;)
That's why eval is used.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

nobody
Posts: 182
Joined: Sat Nov 12, 2011 1:45 am

Re: Update: a working method of rooting ES series

Post by nobody »

(Thanks for the welcome back.. I've been really busy this year, no time for hobbies)

I don't understand.
With or without eval, makes no difference.

thwalker3
Posts: 18
Joined: Sun Nov 25, 2012 6:39 pm

Re: Update: a working method of rooting ES series

Post by thwalker3 »

E3V3A wrote: I noticed (too late) another thing. Be very careful when trying to start interactive shells, as they might wanna load /etc/profile !
Why, because this profile contains instructions to re-format, or switch FW, which can easily fail in the wrong circumstances.
Well I should have read that sooner... :(
I think the flag files in mtd_rwarea are in a state that makes it just keep flipping from one partition to the other. Video comes through just fine but it reboots every 30 sec or so. Cleared the eeprom (top left quadrant of the board with nicely labeled vcc, ground, sda, scl) but no luck (no surprise there, I hadn't been mucking with the service menu settings much).

May be time for the repairman unless anyone has made any progress on getting access to the MMC through hw.

Doh.

juusso
SamyGO Moderator
Posts: 10124
Joined: Sun Mar 07, 2010 6:20 pm

Re: Update: a working method of rooting ES series

Post by juusso »

Yes, you should have read this before. Apologies. But a chance to revive the TV still exists. Check this topic. As soon as I get the required interface I will report back about the result.
thwalker3 wrote:Cleared the eeprom (top left quadrant of the board with nicely labeled vcc, ground, sda, scl)
Could you please take some photos to add pictures to wiki? Thanks!