Bug reports + patches + Question

[shantzu]

Hello,

just out of curiosity I tried running the patcher script on the T-MST10PDEUC-1017.1 firmware and noticed that there are a couple of bugs in it. I created a couple of patches, just in care you are interested:

First Error: http://pastebin.com/94JbsG9k
Patch for first error: CIPlus.patch

Second Error: http://pastebin.com/waezK8ZX
Patch for second error: update squashfstools in archive to 4.2 and squash4.2.patch
(You can take the squashfs 4.2 binaries for Linux from:
amd64: http://ftp.us.debian.org/debian/pool/ma ... _amd64.deb
i386: http://ftp.us.debian.org/debian/pool/ma ... 5_i386.deb )

Third error: http://pastebin.com/g7BGP9kK
Fix for third error: betterRemove.patch

(Also, I created a file complete.patch, which contains all of the above mentioned fixes)

Fourth error: http://pastebin.com/m8JBKk4J
This one, I wasn't yet able to find the root of yet, so I hope someone can help with this.

P.S. Should the patcher script even work with ES firmwares, or is it just intended for B Series firmwares?
(I am asking because the help only mentions B Series: print "Than for patching a B series TV firmwares you can patch your FW by this command:")

P.P.S. The patches are based on the latest version of the patcher script that I have found, more precisely this one: http://samygo.svn.sourceforge.net/viewv ... threv=1238

[juusso]

Hi, i think you were misinformed.
1. Latest patcher script (for today) is rev 1241.
2. Patcher contains patches ONLY for B series and some A series firmwares.
3. Patcher contains functions to decrypt ALL firmwares whose decrypt key is known. From A to ES series.
4. Encrypting of D/ES series firmware doesn`t work.

Usually we use patcher just for

Code: Select all

decrypt_all

because we don`t use such pre-patched firmwares on C/D/E... series. Just only on B.
Starting with C series (actually D, because we don`t have any patch for C series), we apply patches on the fly, in memory. Why? because of growing samsung`s limitations and improved security (hashes of partitions, signatures and so on) also because here is not possible to install patched firmware in normal way, through USB and software upgrade menu.

Anyway, thanks for patches, i think some of them must be applied in next version.

[shantzu]

Ok, I understand, guess I need to read a bit more before I go out bricking my device
Sorry for the noise then...

P.S. in 'betterRemove.patch', you can remove the DeleteDirectoryForced function completely and just replace the calls to this function with calls to 'shutil.rmtree'. Also, if there is anything else I can help with, so that a patched firmware for the ES is coming faster, just let me know. If the device can be recovered from a "brick", I can help you out, I bricked my phone a bunch of times while flashing custom Android ROMs to it, so it's nothing new to me.

[juusso]

the samygo patcher needs to be revised for bugs, some of them are known, some not. You did good job already
If you find some more we`re happy too.

About unbricking. First of all -we don`t have root access to MST10... so, we don`t have anything to check. Unbricking is almost impossible, here is no u-boot, nor serial (we call it ExLink) access with unlimited shell (just restricted to A...F, 0...9). All read only partitions are strongly checked for hashes during bootup. Even bootloader checks for kernel`s hash and kills the system down if doesn`t match immediately. Same for rootfs, exe and appdata.

You definitely will find info about samsung`s secure boot, they make everything to stop (us) to run 3rd party apps.

Anyway, i`ll keep you in mind when time comes to check something important

[shantzu]

For Android phones it's pretty easy to recover from a "brick" status, if you have a usb cable and a bit of patience, it's a shame really that manufacturers go as far to "steal" your freedom to do what you please with the hardware you buy. This secure boot thing I have heard of from windows 8 PCs, it seems they will have something similar, which will prevent you from installing third party OSes to it (like Linux). The future of hardware doesn't look to good, it seems we won't have any more freedoms with the devices we buy, which is a pity.

[rainless]

the samygo patcher needs to be revised for bugs, some of them are known, some not. You did good job already
If you find some more we`re happy too.

About unbricking. First of all -we don`t have root access to MST10... so, we don`t have anything to check. Unbricking is almost impossible, here is no u-boot, nor serial (we call it ExLink) access with unlimited shell (just restricted to A...F, 0...9). All read only partitions are strongly checked for hashes during bootup. Even bootloader checks for kernel`s hash and kills the system down if doesn`t match immediately. Same for rootfs, exe and appdata.

Wow... that all sounds really... BAD.

I'm a programmer as well (well... I *used to* be a programmer... now I'm a CTO), and I've made a few things for samsung's Android phones, and hacked the PS3 a bit, and dabbled a little bit with this and that...

...and the above sounds like CHECKMATE.

No root access to MST10... no u-boot... or even ExLink!... read only partitions checked during bootup... system kills on slightest hint of suspicious activity... one Samsung Tech and one highly trained CIA Armed Combat Operative teleported into your apartment if you try to use telnet... All of this sounds bad... though not impossible.

Big corporations like Samsung and Sony are in the BUSINESS of making mistakes.

Also, if they've done all this, then they would STILL need a way to repair the E Series themselves in the factory (unbrick TVs sent in under warranty that had natural bricks due to things like the power going out during an update or something). As far as I'm concerned they just changed the way they do it. Considering that ruSamsung still works, they're probably just using the network... somehow... to do everything. Possibly using the same method that we used to use to unbrick routers.

Still you'd need an actual Samsung tech to come out and TELL YOU to know for sure. Otherwise you're just working in the dark.

Although sometimes it's more fun that way.

[juusso]

not really bad, i haven`t said it is checkmate. Good thing is, we know how to calculate that hashes
bricked devices are repaired by replacing mainboards. As far we know, none at "low end" service centers repair it in jtag or some other "software" way. Collected mainboards are being shipped to "hi-end" centers. As we see some pins on mainboards, big chance they have backdoor left for repair, we just don`t know the key

and yes, we have root on MST10 devices already, but not for public yet.

[rainless]

Well let me know if there's anything I can help with.

My specialty is finding mistakes.

[E3V3A]

Count me in too!

Does someone have some more details on the MST processor? I know a bit about various Android bootloaders for common processors like Qualcomm, OMPA & Exynos etc. Perhaps this is similar (or even the same, if repackaged) to one of these? Could be interesting to find the boot configuration flags of this processor. These are usually set either by GPIO pins (directly connected to processor) or by blown Efuses inside the processor...

[MarocOS]

Hi,

EDIT:

New fixes added to the patcher but i will only give them in PM if he want to test, mee too i need a confirmation.

I am interested to the root part if you can share ll be happy my network is down by mistake

viewtopic.php?f=53&t=5866&p=43447#p43447