samyGOso (.so injection - patching exeDSP/exeAPP)

Here is software related to Samsung F series TVs.
Please don't create any new topic here unless you have software to post/release.

bugficks
Official SamyGO Developer
Posts: 1062
Joined: Tue Jun 25, 2013 3:56 pm

samyGOso (.so injection - patching exeDSP/exeAPP)

Post by bugficks »

samyGOso v1.2.5 (latest) download

Notice: Once you have installed the latest version, you can ignore the reminder and the samyGOso-related steps in the patching procedures.

Reminder:
* For E/F/H series, follow both steps below.
* For D series (arm), replace instances of /mnt by /mtd_rwcommon/widgets/user/SamyGO/SamyGO
* For C series (arm), replace instances of /mnt by /SamyGO on your rooting USB device
* For B series, the latest samyGOso is there.
  • Extract the archive and copy/overwrite the samyGOso file (not the folder) to /mnt/opt/privateer/usr/bin
  • Set permissions if needed (usually not if overwritten)

    Code:

    chmod +x /mnt/opt/privateer/usr/bin/samyGOso


Hi,
I've modified http://www.mulliner.org/android/feed/co ... bi_v02.zip to work on my F8000. It might work on others as well, I guess.
before:

Code:

cat /proc/2204/maps
00008000-00009000 r-xp 00000000 b3:10 818        /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818        /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0          [heap]
40045000-40046000 rwxp 00000000 00:00 0
400f0000-400f1000 rwxp 00000000 00:00 0
4018d000-4018e000 rwxp 00000000 00:00 0
41000000-4101f000 r-xp 00000000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41026000-41027000 r-xp 0001e000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41027000-41028000 rwxp 0001f000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41e80000-41fa5000 r-xp 00000000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fa5000-41fad000 ---p 00125000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fad000-41faf000 r-xp 00125000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fb0000-41fb3000 rwxp 00000000 00:00 0
42058000-42062000 r-xp 00000000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42062000-42069000 ---p 0000a000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42069000-4206a000 rwxp 00009000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42310000-42314000 r-xp 00000000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
42314000-4231b000 ---p 00004000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
4231b000-4231c000 r-xp 00003000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
4231c000-4231d000 rwxp 00004000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0          [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]
injecting .so:

Code:

./hijack -l /mtd_exe/Comp_LIB/libz.so -d -p 2204
mprotect: 0x41e96f80
dlopen: 0x42310c5c
pc=41e962bc lr=41f16074 sp=be910994 fp=be910b54
r0=fffffffc r1=be910b28
r2=0 r3=8
libaddr: be910928
stack: 0xbe8f0000-0xbe911000 length = 135168
executing injection code at 0xbe910944
library injection completed!
after:

Code:

cat /proc/2204/maps
00008000-00009000 r-xp 00000000 b3:10 818        /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818        /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0          [heap]
40045000-40046000 rwxp 00000000 00:00 0
40046000-4005a000 r-xp 00000000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
4005a000-40061000 ---p 00014000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
40061000-40062000 rwxp 00013000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
400f0000-400f1000 rwxp 00000000 00:00 0
4018d000-4018e000 rwxp 00000000 00:00 0
41000000-4101f000 r-xp 00000000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41026000-41027000 r-xp 0001e000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41027000-41028000 rwxp 0001f000 b3:12 530        /mtd_exe/lib/ld-2.14.1.so
41e80000-41fa5000 r-xp 00000000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fa5000-41fad000 ---p 00125000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fad000-41faf000 r-xp 00125000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41fb0000-41fb3000 rwxp 00000000 00:00 0
42058000-42062000 r-xp 00000000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42062000-42069000 ---p 0000a000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42069000-4206a000 rwxp 00009000 b3:12 547        /mtd_exe/lib/libgcc_s.so.1
42310000-42314000 r-xp 00000000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
42314000-4231b000 ---p 00004000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
4231b000-4231c000 r-xp 00003000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
4231c000-4231d000 rwxp 00004000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0          [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]
hijack.zip
update:
I've completely rewritten the shellcode. hijack now has support for temporary and resident .so injection (-r); the default is temporary.
Also there is no need for __attribute__(ctor) anymore. Just export lib_init().
temp injection:
dlopen(), lib_init(), lib_deinit(), dl_close()
resident injection:
dlopen(), lib_init()

Check the source for the exact declarations of lib_init/lib_deinit.
hijack_v2.tgz
update2:
-added support for json config (-c configfile)

Code:

[
    {
        "keep": 0,
        "path": "/mtd_rwarea/test/lib_test.so"
    },
    {
        "keep": 0,
        "path": "/mtd_rwarea/test/lib_test2.so"
    }
]
-renamed it to samyGOso
samyGOso.tgz
update3:
- added support for passing command line arguments to injected .so (check lib_test.c for usage)
- some fixes
samyGOso-v1.2.1.zip
update4:
Some fixes to version 1.2.1 of samyGOso:
  * now loading a non-existent .so will not succeed ;)
  * added -n option so now you can use procname instead of pid
  * added -D, -A, -T for using standard proc names (exeDSP, exeAPP, exeTV)
  * added -B switch which causes samyGOso to use exeDSP if exeAPP/exeTV fails
Sample usage:

Code:

/tmp/samyGOso -d -l /tmp/test.so -n exeAPP

Code:

/tmp/samyGOso -d -l /tmp/test.so -A

Code:

/tmp/samyGOso -d -l /tmp/test.so -A -B

Code:

samyGOso v1.2.4 (c) bugficks 2013, sectroyer 2014
usage: samyGOso [-p PID | -n procname | -A | -T | -D ] [-B ] {-c CONFIG | -l /full/path/to/inject.so [-r (=resident)]} [-d (=debug on)] [-a (=add libc addressoffset )] [arg0,...,argN]

Code:

_mandatory parameters:
__targeting (choose one of these parameters):
-p [PID] specifies target process by PID [decimal value] (old parameter, usually used like -p `pidof exeDSP` to automatically get the right PID)
-n [procname] specifies target process by name of process
-A specifies "exeAPP" as target process name
-D specifies "exeDSP" as target process name
-T specifies "exeTV" as target process name

___optional additional targeting:
-B usable in combination with -A -T, sets "exeDSP" as fallback target (need more details here)

__source lib
-l [path to lib] specifies the lib*.so to be used

_optional parameters:
-r switch on resident mode, causes samyGOso to inject the libso in resident mode; whether it's necessary depends on the type of libso
-d switch on debug mode, causes samyGOso to create a logfile with debug output in /dtv (tmpfs, deleted at poweroff/reboot)
-a [0x#######] sets an address offset [?bit hex value], only use if you exactly know why (need more details here)

you may additionally add arguments to be passed to lib*.so to influence its behavior
samyGOso v1.2.5 (latest) download
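The before/after maps listings in the post are the simplest evidence of a library injection: a file-backed mapping that was not there before (libz.so above) shows up in /proc/PID/maps. The script below is an added example, not code from hijack/samyGOso or from bugficks: it parses maps text, diffs two snapshots to list newly mapped images, flags file-backed segments that are both writable and executable, and checks whether the [stack] mapping is executable, which is the property that lets the injector above run its stub at 0xbe910944 inside the rwxp stack. The sample input is a constructed excerpt of the two listings from the post, not the full output.

```python
import re
from collections import namedtuple

# Constructed excerpts of the two /proc/2204/maps listings quoted in the
# post above (a few lines of each, not the complete output).
BEFORE = """\
00008000-00009000 r-xp 00000000 b3:10 818        /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818        /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0          [heap]
40045000-40046000 rwxp 00000000 00:00 0
41e80000-41fa5000 r-xp 00000000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
42310000-42314000 r-xp 00000000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0          [stack]
"""

AFTER = """\
00008000-00009000 r-xp 00000000 b3:10 818        /mtd_rwarea/root/srv
00010000-00011000 rwxp 00000000 b3:10 818        /mtd_rwarea/root/srv
0109e000-010bf000 rwxp 00000000 00:00 0          [heap]
40045000-40046000 rwxp 00000000 00:00 0
40046000-4005a000 r-xp 00000000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
4005a000-40061000 ---p 00014000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
40061000-40062000 rwxp 00013000 b3:12 1228       /mtd_exe/Comp_LIB/libz.so
41e80000-41fa5000 r-xp 00000000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
41faf000-41fb0000 rwxp 00127000 b3:12 529        /mtd_exe/lib/libc-2.14.1.so
42310000-42314000 r-xp 00000000 b3:12 533        /mtd_exe/lib/libdl-2.14.1.so
be8f0000-be8f0000 rw-p 00000000 00:00 0
be8f0000-be911000 rwxp 00000000 00:00 0          [stack]
"""

Mapping = namedtuple("Mapping", "start end perms offset dev inode path")

# address range, perms, file offset, major:minor, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+([0-9a-f]+)\s+"
    r"([0-9a-f]+:[0-9a-f]+)\s+(\d+)\s*(.*)$"
)


def parse_maps(text):
    """Parse /proc/PID/maps text into Mapping records. Lines that are not
    maps entries (e.g. a shell prompt pasted with the listing) are skipped."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms,
                            int(offset, 16), dev, int(inode), path))
    return maps


def file_backed(maps):
    """Paths of file-backed mappings; pseudo-paths like [heap] are excluded."""
    return {m.path for m in maps if m.path and not m.path.startswith("[")}


def new_images(before, after):
    """Files mapped in `after` but not in `before`: an injected library
    appears here exactly as libz.so does in the post."""
    return sorted(file_backed(after) - file_backed(before))


def writable_executable_files(maps):
    """File-backed segments that are both writable and executable. On this
    firmware even data segments are rwxp, so a loaded image can be patched
    in place without any mprotect() call."""
    files = file_backed(maps)
    return sorted({m.path for m in maps
                   if m.path in files and "w" in m.perms and "x" in m.perms})


def anonymous_exec_regions(maps):
    """Non-empty anonymous mappings (no path at all) that are executable:
    a second place to look for code that did not come from a file."""
    return [(m.start, m.end) for m in maps
            if m.path == "" and "x" in m.perms and m.end > m.start]


def stack_is_executable(maps):
    """True when the [stack] mapping carries 'x'; the injector in the post
    runs its stub from the stack, which only works because of this."""
    return any(m.path == "[stack]" and "x" in m.perms for m in maps)


def report(before_text, after_text):
    """Summarise what changed between two snapshots of the same process."""
    before, after = parse_maps(before_text), parse_maps(after_text)
    return {
        "new_images": new_images(before, after),
        "rwx_files_after": writable_executable_files(after),
        "anon_exec_after": anonymous_exec_regions(after),
        "stack_executable": stack_is_executable(after),
    }


if __name__ == "__main__":
    for key, value in report(BEFORE, AFTER).items():
        print(key, value)
```

Against a live process, read `/proc/<pid>/maps` twice (for example before and after a suspicious event) and feed both strings to `report()`; the new_images list is the direct indicator, while the rwx and executable-stack results describe why this platform offers so little resistance to the technique.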
bugficks
Official SamyGO Developer
Posts: 1062
Joined: Tue Jun 25, 2013 3:56 pm

Re: .so injection

Post by bugficks »

It's the default syntax for the hijack bin as found in the original zip. There is no argument passing to the .so in its current state. If you look at the samples from the original zip you'll find:

Code:

void __attribute__ ((constructor)) my_init(void);
This function will be executed after the .so was loaded into the target process.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: .so injection

Post by juusso »

Some testing on D series:

Code:

# ps -A | grep exeDSP
  190 ttyS3    00:01:18 exeDSP

Code:

# cd /mtd_down
# ./hijack -l /mtd_exe/Comp_LIB/libz.so -d -p 190
mprotect: 0x419b2be0
dlopen: 0x41db0b28
pc=41cdb670 lr=41cdb65c sp=bec92088 fp=59a0024
r0=fffffe00 r1=80
r2=1 r3=0
libaddr: bec9201c
stack: 0xbec7e000-0xbec93000 length = 86016
executing injection code at 0xbec92038
library injection completed!
I tried to check some game.so files; they got listed in /proc/PID/maps, but actually no expected result.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
JoeyBiggins
Posts: 24
Joined: Tue Jan 22, 2013 10:29 am

Re: .so injection

Post by JoeyBiggins »

I have tried this on the e series and it worked great.

I have been trying to hook some functions from exeDSP with no luck though.
Has anyone made any progress with this?
Whenever I try and hook a function from exeDSP with my injected so file the TV crashes within a few seconds and restarts.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: .so injection

Post by juusso »

Got a working channelinfo patch on gapdeuc D series. Later I'll give you one to try for E.
JoeyBiggins
Posts: 24
Joined: Tue Jan 22, 2013 10:29 am

Re: .so injection

Post by JoeyBiggins »

Thank you, much appreciated. I will be on later.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: .so injection

Post by juusso »

Here is another version of hijack; the patches you have to add to the patches block inside memjack.c and compile. Have fun :)
patois
Posts: 26
Joined: Fri Feb 22, 2013 5:20 pm
Location: Berlin, Germany

Re: .so injection

Post by patois »

JoeyBiggins wrote:
I have tried this on the e series and it worked great.

I have been trying to hook some functions from exeDSP with no luck though.
Has anyone made any progress with this?
Whenever I try and hook a function from exeDSP with my injected so file the TV crashes within a few seconds and restarts.

What is your TV model, please? My TV reboots as soon as I attach a debugger, because my exeDSP contains anti-debugging code.
Currently working on a solution (UE55ES6100).
bugficks
Official SamyGO Developer
Posts: 1062
Joined: Tue Jun 25, 2013 3:56 pm

Re: .so injection

Post by bugficks »

That's why I added a patch, adbg_CheckSystem :) Check the memjack src.
patois
Posts: 26
Joined: Fri Feb 22, 2013 5:20 pm
Location: Berlin, Germany

Re: .so injection

Post by patois »

I'm currently stuck at trying memjack to compile (I have stated this in another thread but I think this thread should be more appropriate).

Code:

dennis@ubuntu:~/Downloads/memjack$ make
arm-v7a8v2r2-linux-gnueabi-gcc memjack.o util.o procutils.o -o memjack
arm-v7a8v2r2-linux-gnueabi-gcc: selected multilib '.' not installed
make: *** [memjack] Error 1
Does anyone have an idea what the problem is and how to fix it?

Thanks

BTW, bugficks: nice BH talk/slides :)