[How To] Get root access on F series

[Lordbyte]

the firewall on pc is not active. ican ping the the tv. i don?t need to configure the router.

Guess we have to accept that there will always be a few TV?s that simply wont play nice
Do some manual testing .. Can you manually FTP TV, can you manually get a telnet/netcat-connection ?
I am basically out of ideas .. What can I say, - I works well on most TV?s

[Tamagnun]

Yesterday I've reinstalled Skype in order to be able to set it in autostart mode; to repair the Skype installation I had to unplug/plug the power cable, it wasn't enough to restart the TV by using the red button on the remote controller, is this a normal behaviour?

This evening I'll repeat the root method, I hope...

Regards

[hispan1cMT]

Hi,

This is my first post. Just received my Samsung UE46F6500 yesterday. It came with Firmware 1111.
Followed the instructions and it works flawlessly.

Root access via FTP = WORKING! Im now logging in to different countries and grabbing the widgets I want

Great job guys! Keep it up. Very thankful.

[Tamagnun]

Hi at all... unfortunately I need help!
So:
1) I've reinstalled Skype app, made login, set autostart on, and I've checked two or three times that it started properly when I switched on the TV (after some seconds the message "Skype: successfull login" was produced, that means the autostart was ok!)
2) after this I've installed the SamyGO widget by using the SammyWidget.exe method
3) I've executed it with the data folder placed on an USB key into USB port 1
4) SamyGO widget said the activation files were found on /dtv/usb/sda1
5) After my confirmation, in few seconds your widget said "Step1: OK" and "Step2: OK" messages
6) I've exited the Smart Hub, switched off/on the TV and after the restart no messages about Skype autostart were produced (that's right, I think!!)
7) But unfortunately NO telnet of ftp access to the TV IP address, PING command works properly

I've disabled COMODO firewall in my PC configuration, and, in any cases, I'm using WinSCP to access my DM800SE decoder and some other equipments, so I'm sure the problem is not related to the PC firewall... nothing is configured on the lan router, all the equipments across the network can freely access any other one.

Note I have the same TV that Lordbyte has (more or less, my one is the italian version, his one is the Denmark or Norge one, I think) with fw vers. 1111.0 installed (which fw release do you have on your TV, Lord, pls?), do you think the problem could be the Skype app version?
I accept any suggestion, If I've to use the ExLink cable to log anything or If I've to do any another tests on the TV, let's say to me what I've to do and I'll do it, also if there is another more intricated (or manual) way to do the root, let's describe it to me and I'll try!!
I'm interested in rooting because I want to install the Oscam feature to access my local Dreambox set-top box with my rgular pay-tv card in order to see transmissions by using the internal TV sat tuner.

Thanks at all that want to try to help me!
Regards

[Lordbyte]

"Unfortunately" it sounds to me like you did everything right ..
That means, I have a hard time comming up with an idea for you ..
If something occurs to me I will get back to you ..

My current firmware is T-FXPDEUC-1110.2 after installing latest upgrade (wich samyGO survived just fine)
I am sorry to say that I dont remember exactly what firmware I was on when I rooted TV, and I believe it shouldent
matter as long as newest firmware is supported.

Sorry for the non-answer .. If you stumble over a solution we would love to hear about it, so we can add it to our
case-studies for a future FAQ .. Thanks

[Tamagnun]

Hi Lordbyte, other guys on the forum have rooted F-series TV with fw 1111.0, so probably ("probably"... because we've a different model) the problem is not ?the fw version.

So, I don't know who is the root method developer (you, bugficks or juuso, or others) so I've tried to understand how it works, in order to debug what happens on my TV: I hope that this very short and incomplete analysis doesn't create any problem to the developer!

1) during the installation of the SamyGO widget the run.sh and data.zi p files are copied into the widget directory on the TV
2) at the execution time, the widget copies AutoStart and modified libSkype.so from the USB pen to the Skype directory on the TV
3) at the TV boot time, libSkype.so is executed by the autostart process and the modified library executes the run.sh (I think with root user's rights)
4) run.sh expands data.zip, installs in /tmp/bin the busibox, makes something about ftp (I don't understand what! ), runs your remshd executable program -probably the heart of your hack-, and it ends by killing the run'sh's child processes and system UEP's child processes (i don't know these...)

So, my idea to debug the tool installation has been to modify the run.sh script, in order to write some log files to the USB pen (e.g. /dvt/usb/sd1/log folder) to verify if the script starts at the boot time and what does it do!
Do you think that this script is capable to write these log files? If it runs as root user it doesn't have any problem...

I'll inform you about this test, obviously I'll be very grateful for any suggestion!
Regards

[Lordbyte]

Your best hope at this point is guidance by Bugficks or juuso in my best opinion.
My level of involvement is "only" as integrator of tools, and that requires next to NO
knowledge of the Samsung TV .. To me the TV is mostly a blackbox, and I simply
invoke plug-ins on the TV when I wish for stuff to happen.

So, lets hope for Bugficks and/or juuso to make a statement on your issue

[bugficks]

juuso made it.
i think libSkype.so is crap or IDA

Code: Select all

.rodata:00000664 2F 62 69 6E 2F 73 68 20+aBinShMtd_rwcom DCB "/bin/sh /mtd_rwcommon/widgets/user/SamyGO/data/run.s"
.rodata:00000664 2F 6D 74 64 5F 72 77 63+                                        ; DATA XREF: test::test(void)+1Co
.rodata:00000664 6F 6D 6D 6F 6E 2F 77 69+                                        ; .text:off_658o
.rodata:00000664 64 67 65 74 73 2F 75 73+; .rodata       ends
.rodata:00000664 65 72 2F 53 61 6D 79 47+
.ARM.extab:00000698                         ; ===========================================================================
.ARM.extab:00000698
.ARM.extab:00000698                         ; Segment type: Pure data
.ARM.extab:00000698                                         AREA .ARM.extab, DATA, READONLY
.ARM.extab:00000698                                         ; ORG 0x698
.ARM.extab:00000698 68 00                   aH              DCB "h",0

the last letter ('h') is put in a new section. can you try renaming run.sh in zip to run.s and see if that works?

wonder what gcc/ld was thinking

[Tamagnun]

Well (or, better, not good!!), I've modified the run.sh script as follow, in order to write at TV boot time four log files on the USB pen, under /log folder, but after the boot no files are present under this folder!!

This (probably) means that run.sh isn't executed during the boot process, I think the libSkype.so used to overwrite the original one has to start it, isn't it? Any idea about it doesn't execute the script?
I'm absolutely sure that before to install and execute the SamyGO widget the orginal app Skype has automatically logged in at the TV start.

Another italian guy on the forum, via PM, has shown me that the SamyGO widget for the E series has also the capability to repair the Autostart process, something of similar should be preparred for the F series also?

Help, pleaseeeeee...
Regards

run.sh modified to write log files
#!/bin/sh

ps -ef >/dtv/usb/sda1/log/ps1.log

cd /tmp
mkdir /tmp/bin
/mtd_exe/InfoLink/lib/unzip -o -P 12345 /mtd_rwcommon/widgets/user/SamyGO/data/data.zip -d /tmp/bin/ >/dtv/usb/sda1/log/runout.log
chmod 777 /tmp/bin/* >>/dtv/usb/sda1/log/runout.log
/tmp/bin/busybox --install -s /tmp/bin >>/dtv/usb/sda1/log/runout.log
sync >>/dtv/usb/sda1/log/runout.log
export PATH=/tmp/bin:$PATH
export LD_LIBRARY_PATH=/tmp/bin:$LD_LIBRARY_PATH
sync >>/dtv/usb/sda1/log/runout.log
/tmp/bin/busybox tcpsvd -vE 0.0.0.0 21 /tmp/bin/busybox ftpd -w / &
/tmp/bin/remshd &
sync

ps -ef >/dtv/usb/sda1/log/ps2.log

/tmp/bin/UEP_killer.sh &
ps | grep run.sh | grep -v grep | while read child_pid others
do
echo "Killing child process $child_pid of run.sh"
kill -9 $child_pid
done

ps -ef >/dtv/usb/sda1/log/ps3.log

[Tamagnun]

Opppssssss... I've read only now your answer; I cannot immediately test your solution (my girlfriend is using the TV!! ), but tomorrow I'll surely test it!!!

Thank you!
P.S.: but the question is... why this libSkype.so is working well on hundreds of F-series TV?!?!?!