Next step after telnet access?

Here for general support for E series TVs, request and problem solve area.

patois
Posts: 26
Joined: Fri Feb 22, 2013 5:20 pm
Location: Berlin, Germany

Re: Next step after telnet access?

Post by patois »

Thanks!

I do not intend to stop working on this, I'd rather like to contribute :)

Re: Next step after telnet access?

Post by patois »

Another question: I plan to patch the anti-debugging code of exeDSP and use the following way to get my "customized" exeDSP started: http://wiki.samygo.tv/index.php5/ExeDSP_modifications
However, I do not understand what code/script would be in charge of launching /mtd_rwarea/user.sh.
Could anyone please explain?

Thanks in advance

Re: Next step after telnet access?

Post by patois »

In this particular example, wouldn't it make more sense to name the script myBoot.sh (instead of user.sh) in order for the script to be executed? Or is there something that I am missing?

Code:

if [ -e /mtd_rwarea/myBoot.sh ]; then
	/mtd_rwarea/myBoot.sh
else
	mount -o bind /mtd_rwarea/exeDSP /mtd_exe/exeDSP
	cd /mtd_exe
	sysctl -w kernel.msgmni=64
	./exeDSP
fi

Thanks
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Next step after telnet access?

Post by juusso »

We have memjack to inject our code into exeDSP, so you don't need to mount --bind exeDSP anymore. Check this thread. Don't use the user.sh example from the wiki for your TV, it is for BD only! You have to check your /mtd_exe/rc.local and you will know what the script name should be and why.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

Re: Next step after telnet access?

Post by patois »

Thanks for your quick reply and for the pointer. However, I'm not sure whether memjack actually works for me because my TV model employs anti-debugging stuff.
Regarding my previous question, I was just wondering because the linked wiki article doesn't make any sense. It instructs you to rename your rc.local script to user.sh, which isn't executed by the original rc.local at all. So I guess my assumption was right that it should have been named myBoot.sh instead.
Btw, this is the equivalent excerpt from my TV set's rc.local:

Code:

if [ -f /mtd_rwarea/start.sh ];
then
	/mtd_rwarea/start.sh
else
	cd /mtd_exe/
	./exeDSP
fi

I'll go that route first and write my own start.sh script which launches my custom exeDSP in order to get rid of the anti-debugging stuff.
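
Added example, not part of any post in this thread: a small audit helper that reads a copy of an rc.local and reports which scripts it executes, or which binaries it bind-mounts, from a writable area, which is the check juusso recommends doing by hand. The function names, the default prefix /mtd_rwarea and the sample input (constructed from the two excerpts quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report what an rc.local would run or
# bind-mount from a writable area. /mtd_rwarea as the default prefix is an
# assumption taken from the excerpts quoted in the posts.

find_boot_hooks() {
    # $1 = path to a copy of rc.local, $2 = writable prefix (optional)
    awk -v prefix="${2:-/mtd_rwarea}" '
        # Remember every path tested with: if [ -e PATH ] or if [ -f PATH ]
        /^[ \t]*if[ \t]+\[[ \t]+-[ef][ \t]+/ {
            for (i = 1; i < NF; i++)
                if ($i == "-e" || $i == "-f") tested[$(i + 1)] = 1
            next
        }
        # Bind mount whose source lives under the writable prefix
        $1 == "mount" && /bind/ && NF >= 4 && index($(NF - 1), prefix "/") == 1 {
            print "bind " $(NF - 1) " -> " $NF
            next
        }
        # A command line that starts with a previously tested path is the hook
        ($1 in tested) && index($1, prefix "/") == 1 {
            print "exec " $1
        }
    ' "$1"
}

# Constructed input: the two rc.local excerpts posted in the thread.
write_samples() {
    # $1 = output directory
    printf '%s\n' 'if [ -e /mtd_rwarea/myBoot.sh ]; then' \
        '    /mtd_rwarea/myBoot.sh' 'else' \
        '    mount -o bind /mtd_rwarea/exeDSP /mtd_exe/exeDSP' \
        '    cd /mtd_exe' '    sysctl -w kernel.msgmni=64' '    ./exeDSP' 'fi' \
        > "$1/rc.local.wiki"
    printf '%s\n' 'if [ -f /mtd_rwarea/start.sh ];' 'then' \
        '    /mtd_rwarea/start.sh' 'else' '    cd /mtd_exe/' '    ./exeDSP' 'fi' \
        > "$1/rc.local.tv"
}

# Stand-alone demo over the constructed samples
demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in "$demo_dir"/rc.local.*; do
    echo "== ${f##*/}"
    find_boot_hooks "$f"
done
rm -rf "$demo_dir"
```

Any path it reports is run as part of boot from storage that can be modified at runtime, so those files are the ones to inspect when checking a set for unexpected boot-time changes.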

Re: Next step after telnet access?

Post by juusso »

I don't suggest you use a custom start.sh (or whatever - myBoot.sh or else). Memjack should be fine, because one of the most "critical" Samsung apps, which checks for "not secure processes and kills them", is already being killed by SamyGO. All other stuff can be patched in memory. Sure, you have to find the proper addresses first. But this you already do with a hex editor or IDA. No need for increased risk of a brick :)

As I don't remember what is inside rc.local, I can't say what the script should look like. Just remember that the start of exeDSP has to be the last command in the script and must run in the foreground.

Re: Next step after telnet access?

Post by patois »

Sure, I could try memjack first and I would love to. But I honestly doubt that it'll work since it uses ptrace (which attaches to the process) in order to patch memory. Attaching to exeDSP, however, will cause my version of exeDSP to reboot the TV set. So I think I do not really have a choice but to write a custom start.sh script (in my TV set's case).
The following should work (though untested so far):

1. copy modified/patched exeDSP to /mtd_rwarea/exeDSP
2. chmod 777 /mtd_rwarea/exeDSP
3. create /mtd_rwarea/start.sh
4. chmod 777 /mtd_rwarea/start.sh

Content of start.sh:

Code:

mv /mtd_rwarea/start.sh /mtd_rwarea/start.sh.safe
mount -o bind /mtd_rwarea/exeDSP /mtd_exe/exeDSP
cd /mtd_exe
./exeDSP

I am aware of the risk of causing a brick but I think I don't have a choice :[

Re: Next step after telnet access?

Post by juusso »

Pre-patched firmware is a choice.
Btw, is there enough space on rwarea for exeDSP?

Re: Next step after telnet access?

Post by patois »

I haven't tried either, I'm sorry. But I learned in another thread that memjack actually patches the anti debugging routines so I am going that route first. I'm just in the process of setting up the toolchain. Btw, thanks a lot for your support :)

Re: Next step after telnet access?

Post by juusso »

For the toolchain you can use svn:
viewtopic.php?p=44296#p44296