Possible root for J series!!??

Ideas and dreaming will go this forum
Post Reply

sectroyer
Official SamyGO Developer
Posts: 5665
Joined: Wed May 04, 2011 5:10 pm

Re: Possible root for J series!!??

Post by sectroyer » Mon Nov 02, 2015 10:49 pm

savan wrote: What you think guys?? :)
NO :)
I do NOT support "latest fw" at ALL. If you have one you should block updates on router and wait for it to STOP being "latest":)
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on http://ctrlv.it/ Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!
DO NOT EVER INSTALL FIRMWARE UPGRADE !!!!

User avatar
bugficks
Official SamyGO Developer
Posts: 1049
Joined: Tue Jun 25, 2013 3:56 pm

Re: Possible root for J series!!??

Post by bugficks » Wed Nov 04, 2015 10:36 am

if someone wants to play w/ sdb, here is a quick hack python script
for a list of "known" commands check:
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
-SecureCmdVer1_0.class
-NonSecureCmd.class
SpoilerShow

Code: Select all

#!/usr/bin/env python
#
# quick hack sdb testing tool 
# (c) 2015 bugficks@samygo
#

import os, sys, array
import socket
import binascii
import time
import ctypes
from ctypes import *

MAX_PAYLOAD=4096
A_VERSION=0x02000000
#define A_SYNC 0x434e5953
#define A_CNXN 0x4e584e43
#define A_OPEN 0x4e45504f
#define A_OKAY 0x59414b4f
#define A_CLSE 0x45534c43
#define A_WRTE 0x45545257
#define A_STAT 0x54415453

def hex2bin(s):
    return binascii.unhexlify(s.replace(' ', ''))
def bin2hex(s):
    return binascii.hexlify(s)

        
"""
struct amessage {
    unsigned command;       /* command identifier constant      */
    unsigned arg0;          /* first argument                   */
    unsigned arg1;          /* second argument                  */
    unsigned data_length;   /* length of payload (0 is allowed) */
    unsigned data_check;    /* checksum of data payload         */
    unsigned magic;         /* command ^ 0xffffffff             */
};
"""
def chksum(cmd):
    _sum = 0;
    for c in cmd:
        _sum += ord(c);
    return _sum    

def make_amessage(cmd, arg0=0, arg1=0, data=None):
    ar = array.array('L', cmd + '\x00' * 5 * 4)
    ar[1] = arg0
    ar[2] = arg1
    if data:
        ar[3] = len(data) + 1
        ar[4] = chksum(data)
    ar[5] = ar[0] ^ 0xFFFFFFFF
    
    if data:
        return bin2hex(ar.tostring() + data + '\x00')
    return bin2hex(ar.tostring())


def dump_packet(data):
    ar = array.array('L', data[0:6*4])
    print "  %08x %s" % (ar[0], data[0:4])
    for i in range(1,6):
        print "  %08x" % ar[i]
    if ar[3] > 0:
        payload = data[6*4:]
        print '    payload:', payload
    print '  hex', bin2hex(data), ''
    return ar
    
def send(s, data):
    print 'sending'
    _data = hex2bin(data)
    dump_packet(_data)
    
    s.sendall(_data)
    
    print ''
    

def recv(s):
    print 'receiving'
    try:
        data = s.recv(1024)
        dump_packet(data)
        return data
    except socket.timeout:
        pass
    print ''

def sdb_cmd(s, cmd):
    cmd = make_amessage('OPEN', 1, 0, cmd)
    send(s, cmd)

    data = ''
    while True:
        data = recv(s)
        if not data:
            break
        
        msg = array.array('L', data[:24])
        arg0 = msg[1]
        arg1 = msg[2]
    
        cmd = None    
        if data[:4] == "OKAY":
            cmd = make_amessage('OKAY', arg1, arg0)
            
        if data[:4] == "CLSE":
            cmd = make_amessage('CLSE', arg1, arg0)
            #break
        if data[:4] == "WRTE":
            cmd = make_amessage('OKAY', arg1, arg0)
            
        if cmd:
            send(s, cmd)


SHELL_PROTOCOL = "shell:";
ROOT_SHELL_PROTOCOL = "sshell:";

"""
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
    -SecureCmdVer1_0.class
    -NonSecureCmd.class
 
cmd = make_amessage('OPEN', 1, 0, 'shell:2 mkdir -p /tmp/asd')
cmd = make_amessage('OPEN', 1, 0, 'shell:1 uname')
cmd = make_amessage('OPEN', 1, 0, 'shell:2 /bin/sh /opt/storage/usb/sda1/HACKED.txt')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 psinfo')
cmd = make_amessage('OPEN', 1, 0, 'shell:rpm -qa | grep sdbd')
cmd = make_amessage('OPEN', 1, 0, 'shell:/usr/bin/dlogutil')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getduid')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 rmfile /tmp/test')
cmd = make_amessage('OPEN', 1, 0, 'sysinfo:')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getappinstallpath')
cmd = make_amessage('OPEN', 1, 0, "shell:cat /proc/cmdline | grep 'vm_name' | wc -l")
cmd = make_amessage('OPEN', 1, 0, "root:on")
cmd = make_amessage('OPEN', 1, 0, "shell:0 getvmname")
cmd = make_amessage('OPEN', 1, 0, 'shell:0 applist')
"""

if __name__ == '__main__':
    print "sdb tool (c) bugficks"
    try:
        cmd = sys.argv[1]
    except:
        print 'Usage: sdbtool.py "cmd" [ip]'
        print '       sdbtool.py "shell:0 getduid"'
        sys.exit(1)
        
    print ''

    try:
        ip = sys.argv[2]
    except:
        ip = '192.168.1.12'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 26101))
    s.settimeout(2.0)

    cmd_connect = make_amessage('CNXN', A_VERSION, MAX_PAYLOAD, 'host::')
    send(s, cmd_connect)
    data = recv(s)
    if data and data[:4] == 'CNXN':
        sdb_cmd(s, cmd)

    print 'exiting...'
SpoilerShow

Code: Select all

>sdbtool.py "shell:0 getduid" 192.168.10.10
sdb tool (c) bugficks

sending
  4e584e43 CNXN
  02000000
  00001000
  00000007
  00000232
  b1a7b1bc
    payload: host::
  hex 434e584e00000002001000000700000032020000bcb1a7b1686f73743a3a00

receiving
  4e584e43 CNXN
  01000000
  00001000
  00000013
  00000548
  b1a7b1bc
    payload: device::UJU7500::0
  hex 434e584e00000001001000001300000048050000bcb1a7b16465766963653a3a554a55373530303a3a3000
sending
  4e45504f OPEN
  00000001
  00000000
  00000010
  00000588
  b1baafb0
    payload: shell:0 getduid
  hex 4f50454e01000000000000001000000088050000b0afbab17368656c6c3a30206765746475696400

receiving
  59414b4f OKAY
  000000a1
  00000001
  00000000
  00000000
  a6beb4b0
  hex 4f4b4159a1000000010000000000000000000000b0b4bea6
sending
  59414b4f OKAY
  00000001
  000000a1
  00000000
  00000000
  a6beb4b0
  hex 4f4b415901000000a10000000000000000000000b0b4bea6

receiving
  45545257 WRTE
  000000a1
  00000001
  0000000f
  00000411
  baabada8
    payload: AFCU6CTKYUHXU

  hex 57525445a1000000010000000f00000011040000a8adabba5a50434a364f544559574858550d0a
sending
  59414b4f OKAY
  00000001
  000000a1
  00000000
  00000000
  a6beb4b0
  hex 4f4b415901000000a10000000000000000000000b0b4bea6

receiving
  45534c43 CLSE
  00000000
  00000001
  00000000
  00000000
  baacb3bc
  hex 434c534500000000010000000000000000000000bcb3acba
sending
  45534c43 CLSE
  00000001
  00000000
  00000000
  00000000
  baacb3bc
  hex 434c534501000000000000000000000000000000bcb3acba

receiving

exiting...

otloal
Posts: 1
Joined: Sun Nov 08, 2015 8:30 pm

Re: Possible root for J series!!??

Post by otloal » Sun Nov 08, 2015 8:35 pm

savan wrote:Hey thank you for this! Curently I payd for diablocam but I will play with sdb in any way. Do you know, is firmware have any security check for example brick after firmware modification, is firmware hashed on device? I can modify firmware on the device without brick?
Is diablocam (LAN or Wifi) compatible with J series?? Did you get oscam working properly?

medi
SamyGO Project Donor
Posts: 8
Joined: Sun Mar 16, 2014 12:04 pm

Re: Possible root for J series!!??

Post by medi » Sat Nov 28, 2015 5:53 pm

Hi Savan can l get item is well ......

sectroyer
Official SamyGO Developer
Posts: 5665
Joined: Wed May 04, 2011 5:10 pm

Re: Possible root for J series!!??

Post by sectroyer » Sun Nov 29, 2015 10:20 am

medi wrote:Hi Savan can l get item is well ......
Yes you can :)
I do NOT support "latest fw" at ALL. If you have one you should block updates on router and wait for it to STOP being "latest":)
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on http://ctrlv.it/ Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!
DO NOT EVER INSTALL FIRMWARE UPGRADE !!!!

djacemk
Posts: 1
Joined: Sun Jun 14, 2015 11:26 pm

Re: Possible root for J series!!??

Post by djacemk » Sun Dec 06, 2015 10:29 pm

savan wrote:
otloal wrote:Is diablocam (LAN or Wifi) compatible with J series??
Got item and I can say its fully compatible and fully working!
Hey, did you test this diablo thing, coz i see many consumers ahve issues with great heat and frezz

leimeisei
SamyGO Project Donor
Posts: 10
Joined: Fri Dec 25, 2015 3:10 am

Re: Possible root for J series!!??

Post by leimeisei » Tue Dec 29, 2015 7:08 am

If anyone would like to get started writing some Java, the JAR is actually surprisingly simple to use:

Here's how I set up my project in IntelliJ 15:

Image

And here's working code (note where I put the "shell:0 uname" string... thats where you can test some of the commands from the python script):

Code: Select all

SmartDevelopmentBridge sdb = SmartDevelopmentBridge.createBridge("/Users/xxxxxx/samsung-tv-sdk/tools/sdb", true);
sdb.getStarted();
sdb.waitforStart();
IDevice[] devices = sdb.getDevices();
SocketChannel sc = sdb.openChannel();
System.out.println(devices[0].getAppInstallPath());

byte[] result = SdbHelper.sendServiceRequest(SmartDevelopmentBridge.getBridge(), (Device)devices[0], "shell:0 uname");
System.out.print(new String(result));
You can also call sdb shell, which just like running the command in a terminal, does nothing:

Code: Select all

SdbShellProcess shell = devices[0].executeShellCommand("ls");
shell.waitFor();
BufferedReader br = new BufferedReader(new InputStreamReader(shell.getInputStream()));
String line = null;
System.out.println("Output:");
while ( (line = br.readLine()) != null) {
     System.out.println(line);
}

BufferedReader bre = new BufferedReader(new InputStreamReader(shell.getErrorStream()));
String errLine = null;
System.err.println("Errors:");
while ( (line = bre.readLine()) != null) {
     System.err.println(line);
}

System.err.println("Error out complete");

Post Reply

Return to “[J] Brainstorm”