Just a thought: BD-live trojan possible?

[marcelru]

Hi,

I open my bluray HT-BD8200 last week, had a (very) quick peek around and couldn't find a serial port or something similar. Possibly just didn't look well enough for one, but it's a brand new machine, albeit not the last design available, so I didn't want to take it apart completely.

It supports BD-live 2.0, whatever that may be, I have no experience with it. Through BD-live, it's possible to download extra stuff including games from the major movie companies.
Would it be possible to master your own Bluray disc, with BD-live extras added, and import a nice game, typically a telnet daemon or ssh daemon to run on the BD player?

Any thoughts on that?

grtz,

marcelr

[Denny]

...
Would it be possible to master your own Bluray disc, with BD-live extras added, and import a nice game, typically a telnet daemon or ssh daemon to run on the BD player?

Any thoughts on that?

marcelr

yes there is call for native application in BD player (here BD-C6900) but it verify also a signature,
in case of BD-C6900 it is not a big problem to manipulate public key for this issue, but i self dont have idea how the BD-Live work and how culd be posible to handle permanent call posibility to the native.so when we inject them by our self.

Code: Select all

.text:006EFFD8                 LDR     R0, =aMtd_rwareaBdpl ; "/mtd_rwarea/bdplus/native.so"
.text:006EFFDC                 MOV     R1, #2          ; mode
.text:006EFFE0                 BL      dlopen
.text:006EFFE4                 SUBS    R6, R0, #0
.text:006EFFE8                 BEQ     loc_6F0110
.text:006EFFEC
.text:006EFFEC loc_6EFFEC                              ; CODE XREF: CALL_RunNative+3B0j
.text:006EFFEC                 MOV     R12, #1
.text:006EFFF0                 MOV     R3, #0xBE7
.text:006EFFF4                 STR     R12, [R7,#4]
.text:006EFFF8                 LDR     R1, =aSamdebugSD_2 ; "\n samdebug <%s,%d> "
.text:006EFFFC                 LDR     R2, =aCall_runnati_1 ; "CALL_RunNative"
.text:006F0000                 MOV     R0, #0
.text:006F0004                 BL      DRM_Log
.text:006F0008                 MOV     R0, R6          ; handle
.text:006F000C                 LDR     R1, =aBdplus_bdp_bar ; "BDPlus_BDP_Barcelona_Native"
.text:006F0010                 BL      dlsym
.text:006F0014                 LDR     R3, =_BDPLUS_native_func

[marcelru]

@Denny:

I'm not sure how BD-live works either, but I can imagine that the verification is done on the content of the disc, with keys stored on that disc. Content provides will want to check that _their_ media is used to access the extras from their website and not just any Bluray disc, and I don't think Samsung or any other manufacturer has all the keys in the world, to be used in the foreseeable future, stored in firmware. That means that both keys and content access mechanism should be stored on the BD that provides the access to the extra bits.

So the first step to take is to find out how to master a disc with BD-live content ....

grtz,

marcelr

[arris69]

...

Code: Select all

.text:006EFFD8                 LDR     R0, =aMtd_rwareaBdpl ; "/mtd_rwarea/bdplus/native.so"
...

this looks like a not cleaned build of exeDSP. funny, if they remove all debug/testing shit from exeDSP / bd_lpayer_whatever the binary is just 20kb big (and maybe 'secure' too)

[arris69]

[quote="marcelru...
So the first step to take is to find out how to master a disc with BD-live content ....

grtz,

marcelr[/quote]

maybe a starting point to analize the proggies from here: http://forum.doom9.org/archive/index.php/t-129663.html

[marcelru]

Apparently, BD-J, rather than BD-Live may already do the trick.

I just got the java TV sdk up and running, it basically spits out BD-J layouts which can then be burned on BluRay, when configured properly. Now it's time to find out how to merge a working telnet daemon into that framework.
I'm not very fluent in java so this is likely to take some time, which in itself is a rare commodity for me.
Will have a go at it anyway. You never know what may come from it.

Oh BTW, will also order a BluRay burner, haven't got one yet.

grtz,

marcelr

[julianbb]

Could output log provide the ip adress where the online content is available for disc ?
Then put a http small server with "fake content" for native.so ?
Online content is saved on BD in "Internal memory" OR on Fat usb stick... (see in settings)
I'd like to try but since i vote with PirateBayParty...

[marcelru]

Steps taken:

Got the BD-J development kit: JavaME SDK (windows only ).
Got the daemon (telnetd2, from sourceforge, tested as stand alone, works).
Got the burner (still packed).

ToDo:

Implement a shell, not that many options on the web. jShell looks like a fair option, far from complete, but has the major commands.
For now I only need cd, ls, just to take a look around and cp, cat, to copy files and partitions to USB. Once properly rooted, busybox will take over.

Convert the daemon and not-yet-existing-shell to BD-J compatible code. The daemon is easy (almost done), now the rest.

Find a BD-J compatible software player, for testing. Most of the stuff available is for windows, and not free. I _refuse_ to pay anything for windows related software, so there's a challenge . The guys from VLC started on libbluray, with BD-J support, let's see how far they've got.

For homebrew Bluray discs, I'm not sure about the scrambling stuff. It is possible to burn your own home videos to bluray and play them. The same holds for making BD-J stuff. I don't know if a player will let you execute the java code, though. Any thoughts on this?


I'm off to Portugal, won't take the windoze box with me. So it'll be quiet for the next week or so, as far as Bluray is concerned.

grtz,

marcelr