Update: a working method of rooting ES series
Re: Update: a working method of rooting ES series
As i understood, you haven`t got root access to your TV yet and you haven`t tried hack which is published by mamaich. Else you should already know what is what there.
If you can develop, then just do it!
If you can reverse engineering, then take disassembler and try find some places we could patch to get wanted functions
If you can read sources, try to do this, might you`ll find some "gaps" to use for our 3rd party apps.
If you can, you could try port some apps or unix binaries to be used on your TV
And so on and so on.
You`ve asked about USB cams, then you can research what is wrong and why doesn`t they work.
You`ve asked for /dev/pty and full telnet, then you can try to check your ideas on your tv and tell us about result
You`ve asked for flash support, then go further, tell us your result.
All this stuff we`are doing for ourselves (for different reasons - to improve our TV`s functionality, to get fun in developing, to realize our hobby first and share with all other people. If you can, just do something usefull (for you at first place) and i kindly ask you to share your research with us. If here is anyone, who could co-operate and support you, then he/she definitelly does.
If you can develop, then just do it!
If you can reverse engineering, then take disassembler and try find some places we could patch to get wanted functions
If you can read sources, try to do this, might you`ll find some "gaps" to use for our 3rd party apps.
If you can, you could try port some apps or unix binaries to be used on your TV
And so on and so on.
You`ve asked about USB cams, then you can research what is wrong and why doesn`t they work.
You`ve asked for /dev/pty and full telnet, then you can try to check your ideas on your tv and tell us about result
You`ve asked for flash support, then go further, tell us your result.
All this stuff we`are doing for ourselves (for different reasons - to improve our TV`s functionality, to get fun in developing, to realize our hobby first and share with all other people. If you can, just do something usefull (for you at first place) and i kindly ask you to share your research with us. If here is anyone, who could co-operate and support you, then he/she definitelly does.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Re: Update: a working method of rooting ES series
That's correct, and the main reason for this, is that the set I'm working on does not belong to me, and I am not willing to risk bricking someone else's TV set for my own joy. If it was my own, I would have ripped it apart long ago and found out many more things that I am curious about. So I am asking the questions above, to minimize any possibility of bricking, while trying to know before hand what will happen to the TV after root and if it at all will be useful. My question was very simple. What exactly did he mean with executing commands, but not being able to enter them? To me that sound like you don't actually have an interactive rooted shell, but only script access. Is that correct? (If that is correct, then I don't understand why starting a telnetd wouldn't give you a full interactive root shell?)juuso wrote:As i understood, you haven`t got root access to your TV yet and you haven`t tried hack which is published by mamaich. Else you should already know what is what there.
Regarding those comments, I'm not here to get attacked and insulted, but to help where and how I can. I fully understand your frustration with continuously repeated questions about things that might be obvious to you, but you must also accept that people can interested to help even if they don't know how, which is the reason why I am here in the first place.If you can develop... blah blah...
I mind you, that even though I have experience in mobile/linux development, I know nothing about these TV's...apart what is common with normal embedded linux devices. I'd be happy to cross-compile some useful binaries, if someone can show me how to find the correct tool-chain, required sources and compilation flags. (ATM, I don't have the faintest idea how to do this for this device.) This is really what would be useful to have on the Wiki entry. The more info there, the less questions here.
Well, that's why I asked! If someone already know why they don't work, and where I can find the associated files. For example I'd suggest to finding the file associated with checking the USB VID of the Samsung camera(s) and change it to whatever "you" have or disable the checking all together.You`ve asked about USB cams, then you can research what is wrong and why doesn`t they work.
That's what I will do, once I have an interactive root shell.You`ve asked for /dev/pty and full telnet, then you can try to check your ideas on your tv and tell us about result
Same thing here...You`ve asked for flash support, then go further, tell us your result.
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: Update: a working method of rooting ES series
E3V3A wrote:If you can develop... blah blah...
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Re: Update: a working method of rooting ES series
Just try to run MC and you'll see. You can enter text, but no mouse or anything else that you have in a full-featured telnet session.E3V3A wrote:1. What do you mean with this? (I.e. How can I enter commands, if I cannot enter text?)
Re: Update: a working method of rooting ES series
Aah, but that's only for ANSI-control sequences (arrows etc) and mouse input then, in MC!?? If that's the case, then no problem. As long as I can enter stuff from keyboard. i never use MC anyway.mamaich wrote:Just try to run MC and you'll see. You can enter text, but no mouse or anything else that you have in a full-featured telnet session.
PS. Just to verify. I assume you mean "MC"=Midnight Commander...
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
FW: T-MST10PDEUC-1029.0 Onboot: 1003
-
- Official SamyGO Developer
- Posts: 1700
- Joined: Fri Oct 02, 2009 8:52 am
- Location: Austria/Vienna (no Kangaroos here)
- Contact:
Re: Update: a working method of rooting ES series
added the widget to samygo server (just the widget), so people don't need to install own webserver.
http://wiki.samygo.tv/index.php5/Rootin ... cpu_models (section: Installing hack, points 1-6) how to install it.
any further stepps here: https://forum.samygo.tv/viewtopic.php?f=53&t=5015
(installation is supported for 12_ECHOP, 12_X10PLUS and 12_X10PLUS_2D types)
http://wiki.samygo.tv/index.php5/Rootin ... cpu_models (section: Installing hack, points 1-6) how to install it.
any further stepps here: https://forum.samygo.tv/viewtopic.php?f=53&t=5015
(installation is supported for 12_ECHOP, 12_X10PLUS and 12_X10PLUS_2D types)
Re: Update: a working method of rooting ES series
Awesome! A couple of (other) things...
a) What does the remshd binary do? (sources?) Answer: It's the remote shell from here as linked in OP!
b) Which Busybox version are you using? Answer: BusyBox v1.20.2 (2012-11-15 22:46:44 PST)
c) I'd like to compile a few other very useful utilities. Is there any "how-to" info somewhere? (The more ES-specific, the better.)
d) Is someone adding this to the E model Wiki? (I can do it, but you'll have to let me know...and others who may consider doing it.)
e) How can I check that /dtv remain a non-permanent FS in future FW updates? I.e. It could be useful to allow for people to check themselves whether or not a new FW update would make any dangerous changes to our sets. So it might be a good idea to backup the libm files to USB stick before removing. (?)
f) juuso mentioned in another thread that devpts have been compiled for D-models. If this is correct, what would it take to implement that same hack here? (if even possible or needed.)
Oh, that was quite a lot. I don't expect anyone of you to be able to answer this. But any partial hints or suggestions would be appreciated!
EDIT: 2012-12-04
a) What does the remshd binary do? (sources?) Answer: It's the remote shell from here as linked in OP!
b) Which Busybox version are you using? Answer: BusyBox v1.20.2 (2012-11-15 22:46:44 PST)
c) I'd like to compile a few other very useful utilities. Is there any "how-to" info somewhere? (The more ES-specific, the better.)
d) Is someone adding this to the E model Wiki? (I can do it, but you'll have to let me know...and others who may consider doing it.)
e) How can I check that /dtv remain a non-permanent FS in future FW updates? I.e. It could be useful to allow for people to check themselves whether or not a new FW update would make any dangerous changes to our sets. So it might be a good idea to backup the libm files to USB stick before removing. (?)
f) juuso mentioned in another thread that devpts have been compiled for D-models. If this is correct, what would it take to implement that same hack here? (if even possible or needed.)
Oh, that was quite a lot. I don't expect anyone of you to be able to answer this. But any partial hints or suggestions would be appreciated!
EDIT: 2012-12-04
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: Update: a working method of rooting ES series
a) - yes, it was the first code that I've found on net for "telnet daemon in c". New version of hack uses a different code written by me.
c) - set up a build environment under ubuntu like is stated in samsung readme.zip in UExxES6xxx.zip for building kernel. Building your own progs is identical.
e) - on existing TVs it would remain. On newer models - it can be made r/o, renamed or removed. To stop this hack from working - Samsung may remove it from LD_LIBRARY_PATH, it is much easier for them. In this case we'll publish another method.
f) - I've compiled devpts as .ko, it was easy. But it would not work as there are no pts in kernel, so devpts gives you just an empty filesystem.
Denny recompiled kernel with pts support, not pts as a standalone driver.
c) - set up a build environment under ubuntu like is stated in samsung readme.zip in UExxES6xxx.zip for building kernel. Building your own progs is identical.
e) - on existing TVs it would remain. On newer models - it can be made r/o, renamed or removed. To stop this hack from working - Samsung may remove it from LD_LIBRARY_PATH, it is much easier for them. In this case we'll publish another method.
f) - I've compiled devpts as .ko, it was easy. But it would not work as there are no pts in kernel, so devpts gives you just an empty filesystem.
Denny recompiled kernel with pts support, not pts as a standalone driver.
Re: Update: a working method of rooting ES series
Damn, that was one strange beast of a shell... It really doesn't make complete sense to me.
So for those of you who have not yet tried this. This is what happens, briefly.
1. You get a "shell" with a prompt "shell>" and you can type anything in it. But since any ANSI control sequences are not recognized, any movement with arrow keys and such are not recognized. This is surprisingly painful, as you will not be able to edit command on the line, but have to re-type everything.
2. When you enter something wrong, you don't get any error messages at all! Just a new "shell>" prompt.
3. You might think that the Busybox included on the USB stick is the working one, but it is not. It is instead (AFAICT) the original one used which seem not to accept all commands... hard to tell!
4. You cannot "cd" to another directory. (?) You are permanently stuck in /tmp (AFAICT)...
5. Trying to run another shell, like "ash", doesn't seem to work either.
Another weird thing is that I was trying to find the GPIO's, but nothing and since I couldn't get find / -iname "gpio" to work, I never found anything related. Any ideas?
Finally, I'd like to take make dump of all the files in the temporary filesystem to USB stick...so that I can search them off line. ??
So for those of you who have not yet tried this. This is what happens, briefly.
1. You get a "shell" with a prompt "shell>" and you can type anything in it. But since any ANSI control sequences are not recognized, any movement with arrow keys and such are not recognized. This is surprisingly painful, as you will not be able to edit command on the line, but have to re-type everything.
2. When you enter something wrong, you don't get any error messages at all! Just a new "shell>" prompt.
3. You might think that the Busybox included on the USB stick is the working one, but it is not. It is instead (AFAICT) the original one used which seem not to accept all commands... hard to tell!
4. You cannot "cd" to another directory. (?) You are permanently stuck in /tmp (AFAICT)...
5. Trying to run another shell, like "ash", doesn't seem to work either.
I'm afraid I don't understand the problem. (?) telnetd is certainly present in the Busybox sources... Perhaps we need to modify the way it presents itself on the tty or console device? I'm thinking that perhaps we could try to run it on /dev/ttyS1 which is the UART debug port, since it's not giving any output after boot anyway, afaik..mamaich wrote:a) - yes, it was the first code that I've found on net for "telnet daemon in c". New version of hack uses a different code written by me.
Very cool. I can't wait to hear him tell us all about it! ;)f) - I've compiled devpts as .ko, it was easy. But it would not work as there are no pts in kernel, so devpts gives you just an empty filesystem.
Denny recompiled kernel with pts support, not pts as a standalone driver.
Another weird thing is that I was trying to find the GPIO's, but nothing and since I couldn't get find / -iname "gpio" to work, I never found anything related. Any ideas?
Finally, I'd like to take make dump of all the files in the temporary filesystem to USB stick...so that I can search them off line. ??
Last edited by E3V3A on Tue Dec 04, 2012 3:55 pm, edited 1 time in total.
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: Update: a working method of rooting ES series
Here's some output:
SpoilerShow
Code: Select all
[size=85]shell>cat /proc/emergloginfo
0x5ffe0000
shell>cat /proc/tty/drivers
/dev/tty /dev/tty 5 0 system:/dev/tty
/dev/console /dev/console 5 1 system:console
/dev/vc/0 /dev/vc/0 4 0 system:vtmaster
serial /dev/ttyS 4 64-67 serial
unknown /dev/tty 4 1-63 console
shell>cat /proc/devices
-----------------------------------------------------------------------------
Character devices
1 mem
4 /dev/vc/0
4 tty
4 ttyS
5 /dev/tty
5 /dev/console
7 vcs
10 misc
13 input
29 fb
148 system
158 malloc
176 miomap
180 usb
189 usb_device
226 drm
231 drvGOP
253 mali
254 ump
Block devices:
1 ramdisk
259 blkext
7 loop
8 sd
65 sd
66 sd
67 sd
68 sd
69 sd
70 sd
71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
179 mmc
254 ramzswap
shell>cat /proc/cmdline
-----------------------------------------------------------------------------
console=ttyS2,115200
root=/dev/mmcblk0p3
rootfstype=squashfs
LX_MEM=0x40200000,0x14900000
LX_MEM2=0xA4E00000,0xB200000
EMAC_MEM=0x40000000,0x100000
SELP_ENABLE=1198282 Onboot : 1003 quiet
shell>lsmod
-----------------------------------------------------------------------------
Tainted: P
hid_microsoft 2032 0 - Live 0xbf310000
mousedev 7248 0 - Live 0xbf309000
evdev 5576 0 - Live 0xbf302000
usbhid 12872 0 - Live 0xbf2f9000
hid 31240 2 hid_microsoft,usbhid, Live 0xbf2ec000
rtnet5572sta 31400 0 - Live 0xbf2df000
rt5572sta 1295528 1 rtnet5572sta, Live 0xbf1a0000 (P)
rtutil5572sta 30436 2 rtnet5572sta,rt5572sta, Live 0xbf196000
usb_storage 30272 1 - Live 0xbf189000
ehci_hcd 47852 0 - Live 0xbf178000
usbcore 108904 6 usbhid,rtnet5572sta,rtutil5572sta,usb_storage,ehci_hcd, Live 0xbf158000
tntfs 363728 0 - Live 0xbf0fa000 (P)
mdrv_emac 12684 0 - Live 0xbf0f1000 (P)
samsung_mstar 494248 0 - Live 0xbf066000
samsung_mali 83468 23 samsung_mstar, Live 0xbf04c000
rfs_fat 202648 7 - Live 0xbf015000 (P)
rfs_glue 61548 1 rfs_fat, Live 0xbf000000 (P)
shell>env
-----------------------------------------------------------------------------
BASE_TIME=1354589852l
BG_MODE=1
CHANGE_PARTITION_FLAG=/mtd_rwarea/change_partition_flag
COMPILED_KEYMAP_PATH=/mtd_cmmlib/Runtime
DISPLAY=:0
DebugLogState=0
EXE_OR_RWREA_MOUNT_CHECK=/mtd_rwarea/exe_or_rwarea_mount_check
EX_PARTITION=/dev/mmcblk0p4
FONTCONFIG_FILE=/mtd_rocommon/WebBrowser/fonts/fonts.conf
FONTCONFIG_PATH=/mtd_cmmlib/Runtime/fonts
GDK_PIXBUF_MODULE_FILE=/mtd_exe/Runtime/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
GTK_PATH=/mtd_cmmlib/Runtime/lib/gtk-2.0
HOME=/mtd_moip
KF_LOG=/dev/null
KF_NO_INTERACTIVE=1
KF_NO_LOG=1
KF_SLEEP_READ=-2
LD_LIBRARY_PATH=/tmp/bin:/mtd_cmmlib/Runtime/XorgLibs:/mtd_cmmlib/Runtime/lib/CairoShadow:/mtd_cmmlib/Runtime/lib:/mtd_exe/WebServerApp/bin:/mtd_cmmlib/CBRE:/dtv:/mtd_cmmlib/GAME_LIB:/dtv:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_appdata/Java/lib:/mtd_exe:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/Comp_LIB/XT9_LIB:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_cmmlib/InfoLink/lib:/mtd_cmmlib/OIPF:/lib:/mtd_cmmlib/CM_LIB:/mtd_appext/OIPF/lib:/mtd_exe/OIPF/lib:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_appdata/yahoo:/mtd_cmmlib/moip:/mtd_appext/WidgetEngine:/mtd_rocommon/Webkit
MALLOC_CHECK_=1
MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
MAPLE_DUMMY_WIDGET_PATH=/mtd_appdata/SmartTV
MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib:/mtd_cmmlib/OIPF
MAPLE_WIDGET_DATA_PATH=/mtd_down
MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
MAX_FLASH_COUNT=5
MICOM_BASE=/sbin
MODULES_DIR=/lib/modules
MTD_APP_0=/dev/mmcblk0p15
MTD_APP_1=/dev/mmcblk0p16
MTD_CONTENTS=/dev/mmcblk0p19
MTD_DRMREGION_A=/dev/mmcblk0p10
MTD_DRMREGION_B=/dev/mmcblk0p11
MTD_EMANUAL=/dev/mmcblk0p18
MTD_EXE_0=/dev/mmcblk0p13
MTD_EXE_1=/dev/mmcblk0p14
MTD_KERNEL_0=/dev/mmcblk0p2
MTD_KERNEL_1=/dev/mmcblk0p5
MTD_ONBOOT=/dev/mmcblk0p0
MTD_ROCOMMON=/dev/mmcblk0p17
MTD_ROOTFS_0=/dev/mmcblk0p3
MTD_ROOTFS_1=/dev/mmcblk0p6
MTD_RWAREA=/dev/mmcblk0p12
MTD_RWCOMMON=/dev/mmcblk0p21
MTD_SWU=/dev/mmcblk0p20
MTD_UBOOT=/dev/mmcblk0p1
OLDPWD=/mtd_exe
PANGO_RC_FILE=/mtd_cmmlib/Runtime/pango/pangorc
PARTITION_CHECK_1ST=/mtd_rwarea/empty.0
PARTITION_CHECK_2ND=/mtd_rwarea/empty.1
PARTITION_FLAG00=/mtd_rwarea/PartitionSwitch_0_0
PARTITION_FLAG10=/mtd_rwarea/PartitionSwitch_1_0
PARTITION_VERSION_1ST=/mtd_swu/Version.0
PARTITION_VERSION_2ND=/mtd_swu/Version.1
PATH=/tmp/bin:/mtd_cmmlib/Runtime/bin:/usr/sbin:/usr/bin:/bin:/sbin:/etc/Scripts:/util:/mtd_cmmlib/Runtime/bin
PWD=/tmp
RESOLUTION=720
RUNLEVEL=Onboot
SECUREMAC0=/dev/mmcblk0p7
SECUREMAC1=/dev/mmcblk0p8
SECUREMAC2=/dev/mmcblk0p9
SHELL=/bin/sh
TERM=vt102
UI_URL=file:///mtd_down/widgets/normal/20121000004/WebkitUI/Index.html
UPGRADE_FLAG=/mtd_rwarea/UPGRADE_FLAG
USER=root
WE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
WE_DUMMY_WIDGET_PATH=/mtd_appdata/SmartTV
WE_FONTCONFIG_FILE=/mtd_rocommon/Webkit/fonts/fonts.conf
WE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
WE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
WE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
WE_PLUGIN_PATH=/mtd_appext/WidgetEngine/Plugins:/mtd_rocommon/Webkit/Plugins/Common
WE_WIDGET_DATA_PATH=/mtd_down
WE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
XDG_DATA_HOME=/mtd_rocommon/WebBrowser/.local/share/
XSERVER_RW_PATH=/mtd_rwarea
XVT_DEFAULT=/dev/tty0
XVT_RUNTIME=/dev/tty%d
[/size]
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
FW: T-MST10PDEUC-1029.0 Onboot: 1003