I have been browsing the forum for about a week now and every second thread is looking for the same thing: -> Patched Firmware for Player XYZ
Wouldn't it be a brilliant idea, for all of these poor souls (including me), to explain how to patch a given firmware from the Samsung servers or compile it from the sources on the Samsung servers (http://opensource.samsung.com/)? Well, since Samsung only offers the kernel and modules, we will be better off using an unpacked upgrade firmware to tweak around with.
Instead of telling every second thread: if the DNS hack doesn't work it will not be available because service development has stopped.
When box hacking on the Nokia Mediamasters and d-box2 was big, all you could get were the tools and the description, so you could brick your box completely on your own ... there was no update server until years after the first hacks appeared. It was all done by terminal, soldering gun and luck.
So just in case you do not know anything about Linux, do not have some basic understanding of script development or knowledge about the usage of root rights on your device, and you are just looking for a quick solution for playing ripped movies without popups or being cool by adding different boot images -> keep your fingers off; this won't be anything for you, as it will take some effort and brain.
So this could be the beginning of the end of the repeatedly asked question: Build my Firmware please!
As far as I understand up to today, you need to get these things:
- FIRMWARE: get a firmware that is older and confirmed to be best for your device (in my case BD-D7000 with FIRBP7WWC at version 1004.0 would be good, as this is the one SamyGO used for DNS delivery in a patched version (funny enough that the DNS hack does not work on mine with version 1014.0). I could get 1003.1 (Googled it) and 1010.0 (downloaded that from Samsung when it came out) as upgrade zips for USB upgrade to play around a bit.)
- PATCHER TOOLS: get the SamyGO Patcher Python script to fiddle around with for decrypting and encrypting, maybe patching (which did not work for me, maybe because of the 1010 version, but I am still trying): http://sourceforge.net/p/samygo/code/12 ... cher/trunk
- SQUASHFS-TOOLS: I had to get Squashfs Tools version 4 (used that one and compiled it on Debian, http://sourceforge.net/projects/squashf ... uashfs4.1/ ; there should be some precompiled versions around as well) and replaced the content of the downloaded bz so I would not need to change that part of the Python script, because version 1010 is SQFS version 4.0.
- CHANGE PATCHER SCRIPT: for decrypting I had to change some stuff in the decryptor, because the FIRBP7 would try to impersonate a BDe firmware, but it is actually a BDd firmware ... that was simply done by adding the FIRBP7 to the correct section and removing it from the wrong one. So more quick and dirty to get it going ... but it worked for decrypting and encrypting. Well, and I had to opt out of all the exit calls of the "Too Dangerous to be public" stuff.
So up to here I am able to decrypt the 1010 firmware successfully with the script, manually unsquashfs the *.img files and browse through the files like a normal Linux system.
Contents are as follows:
exe.img
Code:
drwxrwxr-x 3 root root 4096 27. Jul 2012 BD_JAVA
drwxr-xr-x 2 root root 4096 27. Jul 2012 Comp_LIB
-rw-rw-r-- 1 root root 470 27. Jul 2012 cvmparam
-r-xr-xr-x 1 root root 58053 27. Jul 2012 ddr_margin
-rwxrwxr-x 1 root root 58919620 27. Jul 2012 exeDSP
-r--r--r-- 1 root root 6 27. Jul 2012 EXE_IMG_VER
-rwxrwxr-x 1 root root 98776 27. Jul 2012 Factory_Part1.dat
-rwxrwxr-x 1 root root 171968 27. Jul 2012 Factory_Part2.dat
lrwxrwxrwx 1 root root 18 10. Okt 11:22 Font -> /mtd_rocommon/Font
-rwxr-xr-x 1 root root 16272 27. Jul 2012 fpi.ko
-rwxrwxr-x 1 root root 15402 27. Jul 2012 FWDownload
lrwxrwxrwx 1 root root 28 10. Okt 11:22 Images_960x540 -> /mtd_rocommon/Images_960x540
drwxr-xr-x 4 root root 4096 27. Jul 2012 InfoLink
-r-xr-xr-x 1 root root 38298 27. Jul 2012 JadeTarget
-r--r--r-- 1 root root 232 27. Jul 2012 JadeTarget.cfg
drwxr-xr-x 2 root root 4096 1. Sep 2011 Java
-r--r--r-- 1 root root 14 27. Jul 2012 LDVER_6700
-r--r--r-- 1 root root 14 27. Jul 2012 LDVER_7000
-r--r--r-- 1 root root 14 27. Jul 2012 LDVER_7500
drwxr-xr-x 2 root root 4096 27. Jul 2012 lib
-r--r--r-- 1 root root 8547 27. Jul 2012 LifeScenario
-r--r--r-- 1 root root 524288 27. Jul 2012 Loader_D6700.bin
-r--r--r-- 1 root root 524288 27. Jul 2012 Loader_D7000.bin
-r--r--r-- 1 root root 524288 27. Jul 2012 Loader_D7500.bin
-rwxrwxr-x 1 root root 22122 27. Jul 2012 LoaderUpgrade
-rwxrwxr-x 1 root root 11208 27. Jul 2012 MicomCtrl
drwxrwxr-x 2 root root 4096 27. Jul 2012 mtd_boot
drwxrwxr-x 2 root root 4096 27. Jul 2012 mtd_contents
-rwxrwxr-x 1 root root 2230 27. Jul 2012 partition.txt
drwxr-xr-x 2 root root 4096 27. Jul 2012 PhotoBrowser
-rw-r--r-- 1 root root 11656 27. Jul 2012 prelink.cache
-r--r--r-- 1 root root 527 27. Jul 2012 prelink.conf
-r-xr-xr-x 1 root root 3210 27. Jul 2012 rc.local
-r--r--r-- 1 root root 92 27. Jul 2012 rc.local.rfs
-rwxrwxr-x 1 root root 104 27. Jul 2012 ReleaseInfo
lrwxrwxrwx 1 root root 22 10. Okt 11:22 resource -> /mtd_rocommon/resource
-rwxr-xr-x 1 root root 976000 27. Jul 2012 samdrv.ko
drwxr-xr-x 2 root root 4096 27. Jul 2012 SMDATA
-r--r--r-- 1 root root 9366 27. Jul 2012 SpecialItemNumber.txt
drwxr-xr-x 2 root root 4096 27. Jul 2012 stagecraft
drwxr-xr-x 3 root root 4096 27. Jul 2012 stagecraft20
drwxr-xr-x 7 root root 4096 27. Jul 2012 Upgrade
-r-xr-xr-x 1 root root 1024 27. Jul 2012 value.bin
drwxr-xr-x 2 root root 4096 27. Jul 2012 WIFI_LIB
Code:
drwxr-xr-x 2 root root 4096 1. Sep 2011 bin
drwxr-xr-x 2 root root 4096 1. Sep 2011 core
drwxr-xr-x 14 root root 12288 1. Sep 2011 dev
drwxr-xr-x 2 root root 4096 1. Sep 2011 dsm
drwxr-xr-x 2 root root 4096 1. Sep 2011 dtv
drwxr-xr-x 3 root root 4096 1. Sep 2011 etc
lrwxrwxrwx 1 root root 12 10. Okt 18:17 Java -> mtd_exe/Java
drwxr-xr-x 3 root root 4096 1. Sep 2011 lib
lrwxrwxrwx 1 root root 11 10. Okt 18:17 linuxrc -> bin/busybox
drwxr-xr-x 6 root root 4096 1. Sep 2011 mnt
lrwxrwxrwx 1 root root 7 10. Okt 18:17 mtd_appdata -> mtd_exe
lrwxrwxrwx 1 root root 12 10. Okt 18:17 mtd_boot -> etc/Scripts/
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_chmap -> mtd_rwarea
lrwxrwxrwx 1 root root 7 10. Okt 18:17 mtd_cmmlib -> mtd_exe
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_contents
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_dlna
lrwxrwxrwx 1 root root 12 10. Okt 18:17 mtd_down -> mtd_rwcommon
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_drmregion_a
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_drmregion_b
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_epg -> mtd_rwarea
drwxr-xr-x 4 root root 4096 1. Sep 2011 mtd_exe
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_factory -> mtd_rwarea
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_gemstar -> mtd_rwarea
lrwxrwxrwx 1 root root 17 10. Okt 18:17 mtd_java -> mtd_rwarea/bd_vfs
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_loader1
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_mhp -> mtd_rwarea
lrwxrwxrwx 1 root root 12 10. Okt 18:17 mtd_moip -> mtd_rwcommon
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_musicdb
lrwxrwxrwx 1 root root 10 10. Okt 18:17 mtd_pers -> mtd_rwarea
lrwxrwxrwx 1 root root 3 10. Okt 18:17 mtd_ram -> tmp
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_rocommon
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_rwarea
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_rwcommon
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_swu
drwxr-xr-x 2 root root 4096 1. Sep 2011 mtd_wiselink
lrwxrwxrwx 1 root root 12 10. Okt 18:17 mtd_yahoo -> mtd_rwcommon
drwxr-xr-x 2 root root 4096 1. Sep 2011 proc
drwxr-xr-x 3 root root 4096 1. Sep 2011 sbin
drwxr-xr-x 2 root root 4096 1. Sep 2011 sys
drwxr-xr-x 2 root root 4096 1. Sep 2011 tmp
drwxr-xr-x 5 root root 4096 1. Sep 2011 usr
drwxr-xr-x 2 root root 4096 1. Sep 2011 util
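A quick check worth running on such a listing before editing anything in the image, as an added example that is not part of the original post: it parses lines in the `ls -l` format shown above (a constructed subset of the exe.img listing is embedded) and flags regular files that are group- or world-writable, setuid/setgid files, and symlinks that point to an absolute path outside the unpacked image.

```python
# Added example, not from the original post: audit an `ls -l` listing of an unpacked image.
# Constructed sample: a handful of lines copied from the exe.img listing above.
SAMPLE_LISTING = """\
drwxrwxr-x 3 root root 4096 27. Jul 2012 BD_JAVA
-r-xr-xr-x 1 root root 58053 27. Jul 2012 ddr_margin
-rwxrwxr-x 1 root root 58919620 27. Jul 2012 exeDSP
lrwxrwxrwx 1 root root 18 10. Okt 11:22 Font -> /mtd_rocommon/Font
-rwxr-xr-x 1 root root 976000 27. Jul 2012 samdrv.ko
-r-xr-xr-x 1 root root 3210 27. Jul 2012 rc.local
"""


def parse_ls_line(line):
    """Split one `ls -l` line into fields; the date always takes three tokens."""
    mode, _nlink, owner, group, size, _d1, _d2, _d3, rest = line.split(None, 8)
    name, _, target = rest.partition(" -> ")   # symlinks carry "name -> target"
    return {"mode": mode, "owner": owner, "group": group,
            "size": int(size), "name": name, "target": target or None}


def audit_entry(entry):
    """Return the findings for one entry; an empty list means nothing notable."""
    # Mode string layout: [0] type, [1:4] owner bits, [4:7] group bits, [7:10] other bits.
    mode, findings = entry["mode"], []
    if mode[0] == "l" and entry["target"] and entry["target"].startswith("/"):
        findings.append("symlink to absolute path outside image")
    if mode[0] == "-":                      # regular files only; links show lrwxrwxrwx
        if mode[5] == "w":
            findings.append("group-writable file")
        if mode[8] == "w":
            findings.append("world-writable file")
        if mode[3] in "sS" or mode[6] in "sS":
            findings.append("setuid/setgid file")
    return findings


def audit_listing(text):
    """Map each entry name to its findings, keeping only entries with findings."""
    results = {}
    for line in text.splitlines():
        entry = parse_ls_line(line)
        found = audit_entry(entry)
        if found:
            results[entry["name"]] = found
    return results
```

Feed it the full listing (`audit_listing(open("listing.txt").read())`) to see which binaries, such as exeDSP here, are writable by more than the owner and which paths resolve outside the image you are editing.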
So I think this is what remains to be done:
- VERSIONNUMBER: tweak a given firmware in a way that makes it look like an upgrade (so tweak the version number to one higher than the installed one)
UPDATE: Found the file .version within rootfs, which may be the one that tells the upgrader whether it is newer or older. So that might be a solution. Can someone prove this?
- SERVICES INIT.D: remove the restrictions on telnetd or any other service being started
- ROOT: gain root access (maybe like on Android devices by supplying a su binary?! couldn't work that out till now, because nobody tells what is done while rooting. It is always the almighty "DNS hack"). OK, so I walked through some stuff and the passwd file, which showed me that everything seems to run as root on the Samsung firmwares, since there is no other user. So I assume as soon as you have Telnet up and running you can be root. So a bit simpler than Android rooting ...
- DSP-TWEAKS: patch the desired exeDSP stuff like region code free or the Cinavia removal etc. There is some good stuff in the wiki that should make it possible to understand for people who know a bit about Linux and programming or hex editing ...
Then:
- RESQUASH: put it all back together into the needed *.img files
- ENCRYPT: encrypt everything again with the patcher script. (I think that should already work for my FIRBP7WWC 1010 ... it did encrypt in an unchanged form and should do so as well when the content was changed .. hopefully)
- UPDATE FILEDESCRIPTOR: there is a file that hosts hashes as far as I can see, so these need to be corrected!? Or does the encryptor take care of these?
- SIGN YOUR FIRMWARE PACKAGES: OTN will accept your own signature, so create one with the tools given in the SamyGO SVN. Will read some more into it and hopefully find out more.
And at the end:
- USB UPGRADE: put it on the stick like any other upgrade and it should be possible to install. My player still offers USB updates ... don't know if that is the case with all the players. If not, there would be another thing like setting up a web server and DNS spoof to do the DNS hack on a local net. (That should be possible with every Windows or Linux computer or even with a WRT-like router that runs on some tweaked hardware or similar.)
-> As I have learned now - no private USB keys from Samsung = no USB update possible if the firmware was tweaked .. But OTN will accept a self-signed package, so you will be able to provide your own key sets!
- DNS-SPOOF Upgrade: build a solution within your network to have a DNS server redirect to an upgrade image that will actually downgrade your device. This will be done with the Smarthub and the included OTN feature - SVN is here -> http://sourceforge.net/p/samygo/code/HE ... lease_1.0/. You will need an Apache web server, which can be installed on every current OS.
Since we now have the problem that the firmware still asks for http://www.samsungotn.net and setting up a proper DNS server is a bit more than we actually need to do, I like the idea of a lazy solution with two lines of iptables rules (well, you need a gateway or router that runs iptables obviously, but this may give you a hint on how to do it with whatever you use as gateway solution):
I am using a WRT-54GL with DD-WRT v24sp2 with some tweaks, but it should work on any similar setup:
Code:
iptables -t nat -A PREROUTING -p tcp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11
iptables -t nat -A PREROUTING -p udp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11
That makes sure that every device on my network will get just normal DNS resolution from every DNS server but will never be able to reach the original server at Samsung; instead it gets served by my Linux server at 192.168.0.11, where I will now try and test the Smarthub and OTN stuff. This will make sure that every firmware only gets answers from my local machine, since the resulting IP from the DNS resolve will be overwritten by NAT.
This should solve the "How do I get my player to communicate with my Smarthub" question.
(maybe the final) Downer: I have version 1014 of FIRBP7WW, as mentioned in the beginning. And this little bugger only wants to talk to samsungotn.net and tries to verify it by establishing an HTTPS connection and testing the certificate against some kind of stored copy of it inside the firmware. So if you still have a version before 1014, DNS spoof might work. As mentioned later in this thread, it won't be enough to just give the player a spoofed server with a certificate, because it seems to test against the fingerprints and hashes. That is not good, considering that this might be even harder to solve than if you just opened the box and tried to flash the ROM with a JTAG or any similar cable that might be able to bootp or whatever, like on routers or other set-top boxes.
If some clever folks are around, drop some lines and help those who still ask for firmwares .. I start to think that some cable flashing might be easier to realize than all the spoofing -> IS THERE A CONNECTOR LIKE JTAG THAT COULD BE USED?