LExxB650 T2P CI+ hacking

This forum is for information related with B series hardware instead of firmware/software.

Re: LExxB650 T2P CI+ hacking

Postby erdem_ua » Thu Dec 03, 2009 9:44 pm

robbiesz wrote:Have a look at the files in linux-b650t2p/init folder... The encryption used is cmac-aes where the cmac ciphering is done by the processor.. I've managed to compile the CI+ kernel so I can run some tests myself. Yeah, you can run CI+ kernel on a CI set... Of course my build has a bit (a lot) more debugging info..
I've also been working on a kernel module which will do the HW ciphering. It seems to be working on my set but will need a CI+ tester soon.. Jeroen, how would you feel about doing some testing for me? :-)
robbiesz

So if we run the CI+ kernel on a CI machine, couldn't we run the CI kernel on CI+? Wouldn't a cross firmware update drop the entire CI+ problem?
erdem_ua
SamyGO Admin
 
Posts: 2957
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Postby robbiesz » Thu Dec 03, 2009 11:39 pm

erdem_ua wrote:So if we run the CI+ kernel on a CI machine, couldn't we run the CI kernel on CI+? Wouldn't a cross firmware update drop the entire CI+ problem?

Not really, there are some problems with this:
- The bootloader might or might not (I haven't finished disassembling it yet) authenticate the kernel before it loads and executes it..
- The bootloader has been changed in the CI+ models and can no longer boot u-boot (secondary bootloader). Meaning that if the kernel is not run then the TV becomes a big, expensive paper weight..

robbiesz
robbiesz
 
Posts: 29
Joined: Mon Oct 12, 2009 10:46 pm
Location: London, UK

Re: LExxB650 T2P CI+ hacking

Postby jeroenvoc » Sat Dec 05, 2009 4:12 pm

robbiesz,

I'll test for you, as long as I will be able to understand what I'm doing, and I can oversee the risks ;)

Jeroen
jeroenvoc
 
Posts: 16
Joined: Tue Nov 24, 2009 10:09 am

Re: LExxB650 T2P CI+ hacking

Postby almar10 » Wed Dec 16, 2009 4:29 pm

I don't know if this helps, but isn't it just possible to use the data we have from a system (e.g. RAM dump, firmware dump, files accompanied with the firmware etc.) and split it up into different key sizes (128, 192, 256 bit), add the SALT, MD5 it and run the encrypted firmware through AES/Rijndael? Maybe even dump the RAM/flash during an ongoing update (then we'll have the key for sure).
almar10
 
Posts: 5
Joined: Wed Dec 16, 2009 4:23 pm

Re: LExxB650 T2P CI+ hacking

Postby erdem_ua » Thu Dec 17, 2009 12:03 am

I think we can't publish the original firmware images for download as our own.
If we can decrypt firmware update images, it helps much.
We have the flash dumps, which means we literally have any key and salt we need. But we need a person who understands that encryption thing to modify those flashes.
erdem_ua
SamyGO Admin
 
Posts: 2957
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Postby almar10 » Thu Dec 17, 2009 12:48 pm

I don't understand you completely. Are you saying it is a goal worth pursuing or not? Is nobody fluent in a scripting language who can cook this up (fast)?

Read from byte 1 onwards 128, 192, 256 bit, add the salt (which is in the firmware file), MD5 the result --> decrypt firmware (is just a part possible? for example the first 1024 bytes; this would decrease the time needed), check the result for text (a string that is there in other decrypted firmware images) --> not found, start with 2nd byte... If found --> decrypt the whole firmware.

If someone runs this with a quad-core, this should not take longer than a few hours..
almar10
 
Posts: 5
Joined: Wed Dec 16, 2009 4:23 pm

Re: LExxB650 T2P CI+ hacking

Postby erdem_ua » Thu Dec 17, 2009 2:58 pm

I wanted to say that we can't re-distribute Samsung owned programs. But we can distribute patches that modify original firmware.
If we crack the encryption of images (as on the Samsung download pages), then we can modify those FWs with the SamyGO Firmware Patcher script.
erdem_ua
SamyGO Admin
 
Posts: 2957
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Postby almar10 » Sun Dec 20, 2009 11:33 pm

I still don't think we are on the same line. The person responsible for this shouldn't have to publish anything proprietary. If we made a memory dump during an update process, it's safe to say we have the key (in memory). (Start the firmware update, cancel it and do a dd of /dev/mem.) We just don't know where, hence the decryption using the whole memory. I think the key will be a logical one or one deducible from the firmware image afterwards, so that we can do the same trick for the other CI models.
almar10
 
Posts: 5
Joined: Wed Dec 16, 2009 4:23 pm

Re: LExxB650 T2P CI+ hacking

Postby erdem_ua » Mon Dec 21, 2009 11:18 pm

almar10 wrote:I still don't think we are on the same line. The person responsible for this shouldn't have to publish anything proprietary. If we made a memory dump during an update process, it's safe to say we have the key (in memory). (Start the firmware update, cancel it and do a dd of /dev/mem.) We just don't know where, hence the decryption using the whole memory. I think the key will be a logical one or one deducible from the firmware image afterwards, so that we can do the same trick for the other CI models.

Sorry, I misunderstood your last post due to my low knowledge of English :)
erdem_ua
SamyGO Admin
 
Posts: 2957
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Encryption/Decryption of Update files.

Postby mprotect » Wed Dec 30, 2009 6:26 pm

Hi,

I attach some tools for decrypting/encrypting the CIP firmware files and a plugin for disabling the RSA signature check.
Try them at your own risk! I tested the tools but I didn't flash a patched firmware yet.
Attachment: cip-update.zip (21.21 KiB)
mprotect
Official SamyGO Developer
 
Posts: 19
Joined: Sun Dec 06, 2009 4:41 pm
