modifying exeDSP

arris69
SamyGO Moderator
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: modifying exeDSP

Post by arris69 » Sat Jan 05, 2013 10:53 am

prairie wrote: So I tried this method, but exeDSP is too big for /mtd_rwarea. So instead I put it in /mtd_rwcommon, but apparently this doesn't get mounted until later, so the bind command failed and the regular exeDSP started. Any way to mount /mtd_rwcommon prior to the bind line?
Use your secondary mtd_exe partition?

prairie
SamyGO Project Donor
Posts: 303
Joined: Wed May 04, 2011 10:30 pm

Re: modifying exeDSP

Post by prairie » Sat Jan 05, 2013 2:50 pm

Turns out it's possible to manually mount mtd_rwcommon first; here is my user.sh. I can launch the alternate exeDSP OK, but new FWs require missing shared libs. A patched one would work fine.

WARNING! This user.sh is for D8K-series plasma, do not use on BD player!
```sh
#!/bin/sh

# Run FastLogo
source /mtd_exe/Fastlogo.sh

export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_DUMMY_WIDGET_PATH=/mtd_appdata/SmartTV
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_cmmlib/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib:/mtd_cmmlib/XT9_LIB:/dtv:/mtd_cmmlib/lib:/mtd_cmmlib/YWidget_LIB:/mtd_appext/Webkit
export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null # Remove engine logging.
export KF_NO_LOG=1
export KF_NO_CRASHHANDLERS=1
export KF_HF_WRITE_PATH=/mtd_rwarea/yahoo
export KF_DATA_DIR=/mtd_yahoo/yahoo
export KF_THREAD_PRIORITY=0
export KF_CURL_PRIORITY=high
export KF_RESTART_INTERVAL=3

#====================================
# For Webkit Browser
export MOZ_PLUGIN_PATH=/mtd_down/webkit/plugins
#====================================

#====================================
# For XServer
export XVT_DEFAULT="/dev/sam/tty0"
export XVT_RUNTIME="/dev/sam/tty%d"

mknod /dev/sam/tty0 c 4 0
mknod /dev/sam/tty1 c 4 1
mknod /dev/sam/tty2 c 4 2
mknod /dev/sam/tty3 c 4 3   # minor 3; a second "c 4 2" would only duplicate tty2
export DISPLAY=:0
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_appdata/Runtime/lib/CairoShadow:/mtd_appdata/Runtime/lib:/mtd_appdata/Runtime/XorgLibs
export FONTCONFIG_PATH=/mtd_appdata/Runtime/fonts
export FONTCONFIG_FILE=/mtd_rocommon/FullBrowser/fonts/fonts.conf
export PANGO_RC_FILE=/mtd_appdata/Runtime/pango/pangorc
export GTK_PATH=/mtd_appdata/Runtime/lib/gtk-2.0
export PATH=$PATH:/mtd_appdata/Runtime/bin
#====================================

#============================================================================
#for_yahoo_release(YAHOO)

#export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_down/widget:/mtd_down/widget/lib
#touch /mtd_rwarea/rc.local
#source /mtd_rwarea/rc.local

#for_samsung_release(YAHOO)

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_appdata/yahoo:/mtd_appdata/yahoo/lib
#===========================================================================
# Rename this script before anything else: if the alternate exeDSP fails,
# the next boot no longer finds user.sh and runs the stock one again.
mv /mtd_rwarea/user.sh /mtd_rwarea/user.sh.safe
# /mtd_rwcommon is normally mounted later in boot, so mount it here
# (MTD_RWCOMMON is assumed to be exported by the stock boot script).
mount -t rfs ${MTD_RWCOMMON} /mtd_rwcommon
# Bind the alternate exeDSP over the stock one on the read-only /mtd_exe.
mount -o bind /mtd_rwcommon/exeDSP /mtd_exe/exeDSP
#===========================================================================
insmod /mtd_exe/samdrv.ko

cd /mtd_exe
./exeDSP
```
PN60F8500AFXZA
T-FXPAKUC 1206.3 + SamyGO

"BrickMaster 2015"

alessio71
Posts: 39
Joined: Wed Sep 26, 2012 8:47 pm

Re: modifying exeDSP

Post by alessio71 » Sun Jan 13, 2013 5:19 pm

prairie wrote: Turns out it's possible to manually mount mtd_rwcommon first; here is my user.sh. I can launch the alternate exeDSP OK, but new FWs require missing shared libs. A patched one would work fine.

WARNING! This user.sh is for D8K-series plasma, do not use on BD player!
Too late for me... already bricked my BD... :cry:

Chainfire
Posts: 8
Joined: Tue Jan 15, 2013 10:59 pm

Re: modifying exeDSP

Post by Chainfire » Thu Jan 17, 2013 4:14 pm

Regarding exeDSP modification, on B-FIRHTBEUC_001116 on an HT-D6500. I actually installed the patched firmware from the SamyGO servers using the DNS trick, then pulled the exeDSP file off the device (rather than downloading it from Samsung's site as described on the wiki).

I based my patching on the wiki article, searching for:
08 40 2D E9 04 00 50 E3 00 F1 9F 97 xx xx 00 EA
In my exeDSP, this value was present multiple times. The value to modify was actually the second occurrence (verified with IDA), starting at 0x97D8F0 (bold bytes at 0x97D8F8).

Looking at IDA, I see no easy way to deduce from the hex which values to modify. The search bytes correspond to a function start, so making the start of the search longer would not make any sense, as the search would cross function boundaries. Directly following the search pattern (after xx xx 00 EA) is a jump table 20 bytes long, followed by 06 00 A0 E3 (MOV R0, #6). The other occurrence in my executable was followed by different instructions. This would make the search string:
08 40 2D E9 04 00 50 E3 00 F1 9F 97 xx xx 00 EA xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 06 00 A0 E3
That's not really useful in a moving target... I'm not sure what to advise in this case. It seems to me like the other occurrence of this function is not actually used on a BR player, so modifying it may not be a major issue, but that's guesswork.

juusso
SamyGO Moderator
Posts: 9776
Joined: Sun Mar 07, 2010 6:20 pm

Re: modifying exeDSP

Post by juusso » Thu Jan 17, 2013 7:49 pm

@Chainfire, interesting... I've searched for:

```
08402DE9040050E300F19F973F3F00EA
```

with pattern 3F (any char is to be found instead of 3F), on B-FIRHTBEUC:
1010.1 - 8910D5
1014.0 - 8B6F09
1016.3 - 8B7561
Addresses given are of the first byte to be changed according to the howto.
And this sequence of bytes is found only once in the whole exeDSP. You have to search not for F1 9F 97, but for the whole 16-byte string above. I've checked almost all FIR* and ECB* firmwares I ever found and this came up only once per exeDSP, no repeating. I can't imagine why you find a lot of strings... Please check again.
LE40B653T5W,UE40D6750
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

Chainfire
Posts: 8
Joined: Tue Jan 15, 2013 10:59 pm

Re: modifying exeDSP

Post by Chainfire » Thu Jan 17, 2013 9:42 pm

juusso wrote: @Chainfire, interesting... I've searched for:

```
08402DE9040050E300F19F973F3F00EA
```

with pattern 3F (any char is to be found instead of 3F), on B-FIRHTBEUC:
1010.1 - 8910D5
1014.0 - 8B6F09
1016.3 - 8B7561
Addresses given are of the first byte to be changed according to the howto.
And this sequence of bytes is found only once in the whole exeDSP. You have to search not for F1 9F 97, but for the whole 16-byte string above. I've checked almost all FIR* and ECB* firmwares I ever found and this came up only once per exeDSP, no repeating. I can't imagine why you find a lot of strings... Please check again.
I have checked, double checked, and triple checked. I don't know what to tell you. As stated, I didn't extract it from a firmware from Samsung, I extracted it from the firmware from SamyGO, which is labeled 1116, and which I believe to be based on 1016.3. Are you sure you did not check a prepatched exeDSP on 1016.3? The location you mention, 8B7561, is indeed the first match on my exeDSP as well, but this is the wrong location! Check IDA: it's a PVR function, not AWMEnforcementCallback (which is at 97D8F9, first byte change).

PS. I'm not sure if I said anywhere "a lot of strings", but there were at least two matches in my original exeDSP, after which I fired up IDA and simply searched for AWMEnforcementCallback instead.

juusso
SamyGO Moderator
Posts: 9776
Joined: Sun Mar 07, 2010 6:20 pm

Re: modifying exeDSP

Post by juusso » Thu Jan 17, 2013 10:04 pm

Are we talking about the same binary? I just checked your given address and there is nothing similar. B-FIRHTBEUC-1016.3
Can you upload your unpatched exeDSP binary? Thanks!

Chainfire
Posts: 8
Joined: Tue Jan 15, 2013 10:59 pm

Re: modifying exeDSP

Post by Chainfire » Thu Jan 17, 2013 10:21 pm

Sorry, I don't have the original available right now, but here is my patched version, confirm with IDA:

https://dl.dropbox.com/u/25695577/exeDSP.zip

Let me know if you have the file so I can kick it off my dropbox.

juusso
SamyGO Moderator
Posts: 9776
Joined: Sun Mar 07, 2010 6:20 pm

Re: modifying exeDSP

Post by juusso » Fri Jan 18, 2013 1:38 pm

Okay, thanks, seems you're right. The 16-byte string on the wiki seems to be too short; it is already a shortened version of the initial string we used in the research of this hack. Your note is important, because it seems the string from the wiki is valid for B-ECB* firmwares, but on Fir* based firmwares we have to use a longer one. Or one string for all firmwares:

```
08 40 2D E9 04 00 50 E3 00 F1 9F 97 ?? ?? 00 EA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 06 00 A0 E3
```

and this definitely doesn't repeat itself in the whole binary. Fixed. Thanks!
p.s. Looks like your string is OK as well on all firmwares.
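A wildcard signature search that shows what Chainfire and juusso settle on above: the shortened 16-byte wiki string can hit more than once in a binary, while the longer string with 20 wildcard bytes followed by MOV R0, #6 hits once, so a tool should refuse to act on an ambiguous signature. This is an added example, not code from the thread or from the SamyGO project; the sample image is constructed, and offsets 0x40 and 0x100 are chosen only to mirror the "first match is the wrong function" layout Chainfire describes.

```python
import re

# Shortened 16-byte signature from the wiki, as quoted by Chainfire (xx = any byte).
SHORT_SIG = "08 40 2D E9 04 00 50 E3 00 F1 9F 97 xx xx 00 EA"
# Longer form from the thread: same 16 bytes, the 20-byte jump table as
# wildcards, then MOV R0, #6 (06 00 A0 E3). juusso's post writes wildcards as "??".
LONG_SIG = SHORT_SIG + " " + " ".join(["??"] * 20) + " 06 00 A0 E3"

def signature_to_regex(sig):
    """Compile a space-separated hex signature ('xx' or '??' = any byte) into a bytes regex."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok.lower() in ("xx", "??") else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)

def find_all(data, sig):
    """Offsets of every match of sig in data, overlapping matches included."""
    rx, pos, hits = signature_to_regex(sig), 0, []
    while (m := rx.search(data, pos)) is not None:
        hits.append(m.start())
        pos = m.start() + 1
    return hits

def unique_offset(data, sig):
    """Offset of the single match, or None when the signature is ambiguous (0 or 2+ hits)."""
    hits = find_all(data, sig)
    return hits[0] if len(hits) == 1 else None

def build_sample():
    """Constructed 512-byte stand-in for an exeDSP: a decoy sharing the prologue, and the target."""
    prologue = bytes.fromhex("08402DE9040050E300F19F97")  # STMFD sp!,{r3,lr}; CMP r0,#4; LDRLS pc,[pc,r0,lsl#2]
    branch = bytes.fromhex("0A0000EA")                    # B +0x0A: fills the "xx xx 00 EA" slot
    jumptab = bytes(range(0x20, 0x34))                    # 20 constructed bytes standing in for the jump table
    mov_r0_6 = bytes.fromhex("0600A0E3")                  # MOV R0, #6
    other = bytes.fromhex("0400A0E1")                     # MOV R0, R4: constructed, different follow-on code
    blob = bytearray(0x200)
    decoy = prologue + branch + other
    target = prologue + branch + jumptab + mov_r0_6
    blob[0x40:0x40 + len(decoy)] = decoy       # first hit for the short signature, the wrong function
    blob[0x100:0x100 + len(target)] = target   # the only hit for the long signature
    return bytes(blob)

if __name__ == "__main__":
    data = build_sample()
    print("short signature hits:", [hex(o) for o in find_all(data, SHORT_SIG)])  # ['0x40', '0x100']
    print("long signature hits: ", [hex(o) for o in find_all(data, LONG_SIG)])   # ['0x100']
```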

GTK
SamyGO Project Donor
Posts: 14
Joined: Mon Jul 01, 2013 10:59 pm

Re: modifying exeDSP

Post by GTK » Fri Jul 12, 2013 8:39 pm

Another question about modifying the exeDSP...
I have an HT-E6750W, which currently can't be downgraded using the DNS trick,
and I want to install a patched exeDSP for it.
Currently I'm on version 2006.1, and I have the 2010 and 2011 official Samsung firmwares.
Is the following solution a possible one:
1. Extract the img from the latest official Samsung firmware.
2. Edit the img, and replace its exeDSP with the modified one (after the C-Free patch).
3. Update validinfo.txt with the updated CRC of the decrypted modified img file.
4. Encrypt the img file using the "SamyGO Firmware Patcher"
(currently the script will write 'Not supported in public release, too dangerous!!!', but I can skip this and try to encrypt).
5. Update using a normal USB with my official modified firmware.

Is this possible?
Am I missing something?
I'm new at this Samsung firmware stuff, so any help will be appreciated.
