Patch Downgrade Firmware from original old Upgrade?

Samsung's BluRay player related hacks.

KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

So hi there community,

I have been browsing the forum for about a week now, and every second thread is looking for the same thing: -> Patched Firmware for Player XYZ

Wouldn't it be a brill idea, for all of these poor souls ( including me ;) ), to explain how to patch a given Firmware from the Samsung servers or compile one from the sources on the Samsung servers ( http://opensource.samsung.com/ )? Well, since Samsung only offers Kernel and Modules, we will be better off using an unpacked Upgrade-Firmware to tweak around.
Instead of telling every second thread: if DNS Hack doesn't work it will not be available because service development has stopped.

When box hacking on the Nokia Mediamasters and d-box2 was big, all you could get was the tools and the description, so you could brick your box completely on your own ... there was no update server until years after the first hacks appeared. It was all done by Terminal, soldergun and luck ;)


So just in case you do not know anything about Linux, do not have some basic understanding of script development or knowledge about the usage of root rights on your device, and you are just looking for a quick solution for playing ripped movies without popups or being cool by adding different boot images -> keep your fingers off; this won't be anything for you, as it will take some effort and brain.


So this could be the beginning of the end of the repeatedly asked question: Build my Firmware please!


As far as I understood up to today you need to get these things:

- FIRMWARE: get a Firmware that is older and confirmed to be best for your device ( in my case BD-D7000 with FIRBP7WWC at version 1004.0 would be good, as this is the one SamyGO used for DNS-Delivery in a patched version (funny enough that DNS Hack does not work on mine with version 1014.0) .. I could get 1003.1 (Googled it) and 1010.0 ( downloaded that from Samsung when it came out ) as Upgrade-Zip for USB-Upgrade to play around a bit.)

- PATCHER TOOLS: get the SamyGO Patcher Python Script to fiddle around with for decrypting and encrypting, maybe patching ( which did not work for me, maybe because of the 1010 version, but I am still trying ) http://sourceforge.net/p/samygo/code/12 ... cher/trunk

- SQUASHFS-TOOLS: I had to get Squashfs Tools Version 4 ( used that one and compiled on Debian http://sourceforge.net/projects/squashf ... uashfs4.1/ there should be some precompiled versions as well around ) and replaced the content of the downloaded bz so I would not need to change that part of the python script, cause version 1010 is SQFS ver. 4.0.

- CHANGE PATCHER SCRIPT: for decrypting I had to change some stuff in the Decryptor because the FIRBP7 would try to impersonate a BDe Firmware, but it is actually a BDd Firmware ... that was simply done by adding the FIRBP7 to the correct section and removing it from the wrong one. So more quick and dirty to get it going ... but it worked for decrypting and encrypting. Well, and I had to opt out all the exit calls of the "Too Dangerous to be public"-Stuff


So up to here I am able to decrypt the 1010 Firmware successfully with the Script, manually unsquashfs the *.img files and browse through the files like a normal Linux system.


Contents are as follows

exe.img

drwxrwxr-x 3 root root     4096 27. Jul 2012  BD_JAVA
drwxr-xr-x 2 root root     4096 27. Jul 2012  Comp_LIB
-rw-rw-r-- 1 root root      470 27. Jul 2012  cvmparam
-r-xr-xr-x 1 root root    58053 27. Jul 2012  ddr_margin
-rwxrwxr-x 1 root root 58919620 27. Jul 2012  exeDSP
-r--r--r-- 1 root root        6 27. Jul 2012  EXE_IMG_VER
-rwxrwxr-x 1 root root    98776 27. Jul 2012  Factory_Part1.dat
-rwxrwxr-x 1 root root   171968 27. Jul 2012  Factory_Part2.dat
lrwxrwxrwx 1 root root       18 10. Okt 11:22 Font -> /mtd_rocommon/Font
-rwxr-xr-x 1 root root    16272 27. Jul 2012  fpi.ko
-rwxrwxr-x 1 root root    15402 27. Jul 2012  FWDownload
lrwxrwxrwx 1 root root       28 10. Okt 11:22 Images_960x540 -> /mtd_rocommon/Images_960x540
drwxr-xr-x 4 root root     4096 27. Jul 2012  InfoLink
-r-xr-xr-x 1 root root    38298 27. Jul 2012  JadeTarget
-r--r--r-- 1 root root      232 27. Jul 2012  JadeTarget.cfg
drwxr-xr-x 2 root root     4096  1. Sep 2011  Java
-r--r--r-- 1 root root       14 27. Jul 2012  LDVER_6700
-r--r--r-- 1 root root       14 27. Jul 2012  LDVER_7000
-r--r--r-- 1 root root       14 27. Jul 2012  LDVER_7500
drwxr-xr-x 2 root root     4096 27. Jul 2012  lib
-r--r--r-- 1 root root     8547 27. Jul 2012  LifeScenario
-r--r--r-- 1 root root   524288 27. Jul 2012  Loader_D6700.bin
-r--r--r-- 1 root root   524288 27. Jul 2012  Loader_D7000.bin
-r--r--r-- 1 root root   524288 27. Jul 2012  Loader_D7500.bin
-rwxrwxr-x 1 root root    22122 27. Jul 2012  LoaderUpgrade
-rwxrwxr-x 1 root root    11208 27. Jul 2012  MicomCtrl
drwxrwxr-x 2 root root     4096 27. Jul 2012  mtd_boot
drwxrwxr-x 2 root root     4096 27. Jul 2012  mtd_contents
-rwxrwxr-x 1 root root     2230 27. Jul 2012  partition.txt
drwxr-xr-x 2 root root     4096 27. Jul 2012  PhotoBrowser
-rw-r--r-- 1 root root    11656 27. Jul 2012  prelink.cache
-r--r--r-- 1 root root      527 27. Jul 2012  prelink.conf
-r-xr-xr-x 1 root root     3210 27. Jul 2012  rc.local
-r--r--r-- 1 root root       92 27. Jul 2012  rc.local.rfs
-rwxrwxr-x 1 root root      104 27. Jul 2012  ReleaseInfo
lrwxrwxrwx 1 root root       22 10. Okt 11:22 resource -> /mtd_rocommon/resource
-rwxr-xr-x 1 root root   976000 27. Jul 2012  samdrv.ko
drwxr-xr-x 2 root root     4096 27. Jul 2012  SMDATA
-r--r--r-- 1 root root     9366 27. Jul 2012  SpecialItemNumber.txt
drwxr-xr-x 2 root root     4096 27. Jul 2012  stagecraft
drwxr-xr-x 3 root root     4096 27. Jul 2012  stagecraft20
drwxr-xr-x 7 root root     4096 27. Jul 2012  Upgrade
-r-xr-xr-x 1 root root     1024 27. Jul 2012  value.bin
drwxr-xr-x 2 root root     4096 27. Jul 2012  WIFI_LIB

rootfs.img

drwxr-xr-x  2 root root  4096  1. Sep 2011  bin
drwxr-xr-x  2 root root  4096  1. Sep 2011  core
drwxr-xr-x 14 root root 12288  1. Sep 2011  dev
drwxr-xr-x  2 root root  4096  1. Sep 2011  dsm
drwxr-xr-x  2 root root  4096  1. Sep 2011  dtv
drwxr-xr-x  3 root root  4096  1. Sep 2011  etc
lrwxrwxrwx  1 root root    12 10. Okt 18:17 Java -> mtd_exe/Java
drwxr-xr-x  3 root root  4096  1. Sep 2011  lib
lrwxrwxrwx  1 root root    11 10. Okt 18:17 linuxrc -> bin/busybox
drwxr-xr-x  6 root root  4096  1. Sep 2011  mnt
lrwxrwxrwx  1 root root     7 10. Okt 18:17 mtd_appdata -> mtd_exe
lrwxrwxrwx  1 root root    12 10. Okt 18:17 mtd_boot -> etc/Scripts/
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_chmap -> mtd_rwarea
lrwxrwxrwx  1 root root     7 10. Okt 18:17 mtd_cmmlib -> mtd_exe
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_contents
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_dlna
lrwxrwxrwx  1 root root    12 10. Okt 18:17 mtd_down -> mtd_rwcommon
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_drmregion_a
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_drmregion_b
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_epg -> mtd_rwarea
drwxr-xr-x  4 root root  4096  1. Sep 2011  mtd_exe
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_factory -> mtd_rwarea
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_gemstar -> mtd_rwarea
lrwxrwxrwx  1 root root    17 10. Okt 18:17 mtd_java -> mtd_rwarea/bd_vfs
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_loader1
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_mhp -> mtd_rwarea
lrwxrwxrwx  1 root root    12 10. Okt 18:17 mtd_moip -> mtd_rwcommon
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_musicdb
lrwxrwxrwx  1 root root    10 10. Okt 18:17 mtd_pers -> mtd_rwarea
lrwxrwxrwx  1 root root     3 10. Okt 18:17 mtd_ram -> tmp
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_rocommon
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_rwarea
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_rwcommon
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_swu
drwxr-xr-x  2 root root  4096  1. Sep 2011  mtd_wiselink
lrwxrwxrwx  1 root root    12 10. Okt 18:17 mtd_yahoo -> mtd_rwcommon
drwxr-xr-x  2 root root  4096  1. Sep 2011  proc
drwxr-xr-x  3 root root  4096  1. Sep 2011  sbin
drwxr-xr-x  2 root root  4096  1. Sep 2011  sys
drwxr-xr-x  2 root root  4096  1. Sep 2011  tmp
drwxr-xr-x  5 root root  4096  1. Sep 2011  usr
drwxr-xr-x  2 root root  4096  1. Sep 2011  util

The Patcher-Section still does not do any good, maybe because it can not find the correct points to enable Telnetd. So it breaks here ... and I did not look any further into it until now.

So I think this would be the rest to do:

- VERSIONNUMBER: tweak a given firmware in a way that you can make it look like an Upgrade ( so tweak the version number to a higher one than the installed one )
UPDATE: Found the file .version within rootfs, which can be the one that tells the Upgrader if it is newer or older. So that might be a solution. Can someone prove this?

- SERVICES INIT.D: remove the restrictions to telnetd or any other service to be started

- ROOT: gain root access ( maybe like on Android devices with supplying a su binary?! couldn't work that out till now, cause nobody tells what is done whilst rooting. It is always the almighty "DNS-Hack" ) Ok, so I walked through some stuff and the passwd file, which showed me that everything seems to run as root on the Samsung Firmwares since there is no other user. So I assume as soon as you have Telnet up and running you can be root. So a bit simpler than Android rooting ...

- DSP-TWEAKS: patch the desired exeDSP stuff like Regioncode free or the cinavia removal etc. There is some good stuff in the wiki that should make it possible to understand for ppl who know a bit about Linux and programming or HEX-Editing ...


Then:

- RESQUASH: put it all back together in the needed *.img-Files

- ENCRYPT: Encrypt everything again with the Patcher Script. ( Think that should already work for my FIRBP7WWC 1010 ... it did encrypt in an unchanged form and should do as well when the content was changed .. hopefully)

- UPDATE FILEDESCRIPTOR: there is a file that hosts hashes as far as I can see, so these need to be corrected!? Or does the Encryptor take care of these?

- SIGN YOUR FIRMWARE PACKAGES - OTN will accept your own signature, so create one with the tools given at the Samy-Go SVN. Will read some more into it and hopefully find out more ;)


And at the end:

- USB UPGRADE: Put it on the stick like any other Upgrade and it should be possible to install. My Player still offers USB Updates ... don't know if that is with all the Players. If not, there would be another thing like setting up a Webserver and DNS-Spoof to do the DNS-Hack on a local net. ( That should be possible with every Windows or Linux computer or even with a WRT-like router that runs on some tweaked hardware or similar. )

-> As I have learned now - no private USB keys from Samsung = no USB Update possible if Firmware was tweaked .. :( But OTN will accept a self signed package, so you will be able to provide your own keysets!

- DNS-SPOOF Upgrade: Build a solution within your network to have a DNS Server redirect to an Upgrade-Image that will actually Downgrade your device. This will be done with the Smarthub and the included OTN Feature - SVN is here -> http://sourceforge.net/p/samygo/code/HE ... lease_1.0/. You will need an Apache webserver that can be installed on every current OS.

Since we now have the problem that the firmware still asks for http://www.samsungotn.net, and setting up a proper DNS Server is a bit more than we actually need to do, I like the idea of a lazy solution with two lines of iptables rules ( well, you need a gateway or router that runs iptables obviously, but this may give you a hint on how to do it with whatever you use as gateway solution):

I am using WRT-54GL with DD-WRT v24sp2 with some tweaks but it should work on any similar setup:

iptables -t nat -A PREROUTING -p tcp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11
iptables -t nat -A PREROUTING -p udp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11

-i br0 is the bridge device where ALL traffic comes over on my WRT54-Router; on a gateway it might be ppp0 or eth0 etc. Just check your ifconfig.

That makes sure that every device on my network will get just normal DNS resolution from every DNS Server but will never be able to reach the original server at Samsung; instead it gets served by my Linux Server at 192.168.0.11, where I will now try and test the Smarthub and OTN stuff. This will make sure that every firmware will only get answers from my local machine, since the resulting IP from the DNS resolve will be overwritten by NAT.

This should solve the "How to get my Player to communicate with my Smarthub"

(maybe the final) Downer: I have version 1014 of FIRBP7WW as mentioned in the beginning. And this little bugger wants to talk to samsungotn.net only and tries to verify by establishing an https connection and tests the certificate against some kind of stored copy of that inside the firmware. So if you still have a version before 1014, DNS-Spoof might work. As mentioned later in this thread, it won't be enough to just give the player a spoofed server with a certificate, because it seems to test against the fingerprints and hashes. That is not good, regarding that this might be even harder to solve than if you would just open the box and try to flash the ROM with a JTAG or any similar cable that might be able to bootp or whatever, like on routers or other set-top boxes.

If some clever folks are around drop some lines and help to help those who still do ask for Firmwares .. I start to think that some cable flashing might be easier to realize than all the spoofing -> IS THERE A CONNECTOR LIKE JTAG THAT COULD BE USED? ;)
Last edited by KRAER on Wed Oct 16, 2013 9:22 pm, edited 6 times in total.
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

Updated the stuff above a bit:

Regarding Version-Tweak:
UPDATE: Found the file .version within rootfs, which can be the one that tells the Upgrader if it is newer or older. So that might be a solution. Can someone prove this?

Regarding ROOT Access:
UPDATE: Ok, so I walked through some stuff and the passwd file, which showed me that everything seems to run as root on the Samsung Firmwares since there is no other user. So I assume as soon as you have Telnet up and running you can be root. So a bit simpler than Android rooting ...
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

KRAER wrote:...
from samsung opensource packages you can't build the whole firmware, just the kernel and kernel-modules

KRAER wrote:- ENCRYPT: Encrypt everything again with the Patcher Script. ( Think that should already work for my FIRBP7WWC 1010 ... it did encrypt in a unchanged form and should do as well when the content was changed .. hopefully)
it's not possible to encrypt it so that your device accepts it for usb update. (except you hacked samsungs's korean developer-center and you found the private usb-keys...)

KRAER wrote:- UPDATE FILEDESCRIPTOR: there is a file that hosts hashes as far as I can see, so these need to be corrected!? Or does the Encrpytor take care of these?
think the samygo-patcher told you that encryption is not supported, ergo it also not creates the correct hashes...

regards
arris
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote:from samsung opensource packages you can't build the whole firmware, just the kernel and kernel-modules
Fair enough, so since the rest of the Firmware can be extracted from the SQFS, there should be no problem putting the whole system back together again, and as far as I could read up to now, there is no need for a custom kernel to let the device be accessible as root over telnet.

arris69 wrote:it's not possible to encrypt it so that your device accepts it for usb update. (except you hacked samsungs's korean developer-center and you found the private usb-keys...)
OK that was one thing I haven't found out yet. But it seemed a bit too simple and now I know why.

So when USB Upgrade will not be possible, then it should be possible to get it going as DNS Spoof by rerouting it to a local server that pushes the Image. So OTN Upgrades do not check for the keys?

If OTN Upgrades could be done with a repacked Image, everybody could at least have the chance to downgrade without asking SamyGO Team constantly to build more Images for other devices.

Do you see any possibility to approach a solution that everyone could do at home without your DNS-Spoof at SamyGO if the device is not supported (yet)?
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

KRAER wrote:....
So when USB Upgrade will not be possible, then it should be possible to get it going as DNS Spoof by rerouting it to a local server that pushes the Image. So OTN Upgrades does not check for the keys?
it also checks for hashes and encryption but it has a "feature" -> you can use your own keyset

KRAER wrote:If OTN Upgrades could be done with a repacked Image, everybody could at least have the chance to downgrade without asking SamyGO Team constantly to build more Images for other devices.
the problem is when you correct encrypt and sign the data the device will also update the "firmware" if you feed it with a pdf file...

KRAER wrote:Do you see any possibility to approach a solution that everyone could do at home without your DNS-Spoof at SamyGO if the device is not supported (yet)?
http://sourceforge.net/p/samygo/code/HE ... hubOTN-NG/ the code is here since ages but no one wanna play around with it.

regards
arris
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote:
KRAER wrote:....

So when USB Upgrade will not be possible, then it should be possible to get it going as DNS Spoof by rerouting it to a local server that pushes the Image. So OTN Upgrades does not check for the keys?
it also checks for hashes and encryption but it has a "feature" -> you can use your own keyset
If OTN Upgrades could be done with a repacked Image, everybody could at least have the chance to downgrade without asking SamyGO Team constantly to build more Images for other devices.
the problem is when you correct encrypt and sign the data the device will also update the "firmware" if you feed it with a pdf file...
Do you see any possibility to approach a solution that everyone could do at home without your DNS-Spoof at SamyGO if the device is not supported (yet)?
http://sourceforge.net/p/samygo/code/HE ... hubOTN-NG/ the code is here since ages but no one wanna play around with it.

regards
arris
Thanks for the link. I will check the Smarthub and the included OTN feature out and maybe I will be able to get a Downgrade sorted on my own network.

Will keep the top entry updated to give an overview about "Sorting out your own firmware -> on your own <-" A massive load of tools is already built and it should be a thing about reading and some trying and testing.

Thanks again for the link!
ggros
Posts: 32
Joined: Fri Aug 30, 2013 9:25 pm

Re: Patch Downgrade Firmware from original old Upgrade?

Post by ggros »

I did more or less the same and same conclusions so far.
It seems to me that the 800 error when you try to downgrade with DNS hack is because newer firmwares may be checking the identity of the update server.
So far I am still in need of understanding how to calculate the hashes to create a custom firmware.
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

ggros wrote:I did more or less the same and same conclusions so far.
It seems to me that the 800 error when you try to downgrade with DNS hack is because newer firmwares may be checking the identity of the update server.
So far I am still in need of understanding how to calculate the hashes to create a custom firmware.
and how do you like to flash it if your actually installed firmware just want to communicate with the original samsung server?
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote:
ggros wrote:I did more or less the same and same conclusions so far.
It seems to me that the 800 error when you try to downgrade with DNS hack is because newer firmwares may be checking the identity of the update server.
So far I am still in need of understanding how to calculate the hashes to create a custom firmware.
and how do you like to flash it if your actually installed firmware just want to communicate with the original samsung server?
Lazy-solution to this problem without setting up a local DNS Server and fiddle around with Zones is to use prerouting of NAT on a Linux-Like-Router or gateway on any flavour that can use iptables:

I am using WRT-54GL with DD-WRT v24sp2 with some tweaks but it should work on any similar setup:

iptables -t nat -A PREROUTING -p tcp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11
iptables -t nat -A PREROUTING -p udp -i br0 -d www.samsungotn.net -j DNAT --to 192.168.0.11

-i br0 is the bridge device where ALL traffic comes over; on a gateway it might be ppp0 or eth0 etc. Just check your ifconfig.

That makes sure that every device on my network will get just normal DNS resolution from every DNS Server but will never be able to reach the original server at Samsung; instead it gets served by my Linux Server at 192.168.0.11, where I will now try and test the Smarthub and OTN stuff. This will make sure that every firmware will only get answers from my local machine, since the resulting IP from the DNS resolve will be overwritten by NAT.
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

KRAER wrote:
arris69 wrote:
ggros wrote:...
and how do you like to flash it if your actually installed firmware just want to communicate with the original samsung server?
Lazy-solution to this problem without setting up a local DNS Server and fiddle around with Zones is to use prerouting of NAT on a Linux-Like-Router or gateway on any flavour that can use iptables...
how you redirect the traffic (dns or nat) is secondary. the error 800 indicates (on recent firmwares) that the device checks the server certificate, so first you need to replace the samsung root-ca somehow on the device first...
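
Added example, not part of the thread and not Samsung's or SamyGO's code: a sketch of the acceptance checks an update client needs so that the three gaps discussed above (redirected server, older version offered as an upgrade, package signed with a self-supplied keyset) are all refused. The class names, field names and sample byte strings are hypothetical and constructed; verifying the signature itself with the trusted key is assumed to happen separately.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample values; none come from a real device, server or package.
GENUINE_CERT = b"constructed DER bytes of the vendor update-server certificate"
LOOKALIKE_CERT = b"constructed DER bytes of a self-made certificate, same hostname"
VENDOR_KEY = b"constructed vendor signing public key"
OWN_KEY = b"constructed public key shipped inside a repacked package"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'1014.0' -> (1014, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class TrustStore:
    """State held in the device's read-only firmware (hypothetical layout)."""
    pinned_cert_sha256: str
    signer_key_sha256: str
    installed_version: str


@dataclass(frozen=True)
class Offer:
    """What an update server presents (hypothetical field names)."""
    server_cert_der: bytes
    version: str
    signer_key: bytes      # key the package says it was signed with
    payload: bytes
    payload_sha256: str    # hash listed in the package descriptor


def evaluate(offer: Offer, store: TrustStore) -> list:
    """Return the names of all failed checks; an empty list means install."""
    failures = []
    # Server identity: DNS or NAT redirection changes the peer, not the pin.
    if sha256_hex(offer.server_cert_der) != store.pinned_cert_sha256:
        failures.append("server-certificate-not-pinned")
    # Anti-rollback: an older image must not be accepted as an upgrade.
    if parse_version(offer.version) <= parse_version(store.installed_version):
        failures.append("version-not-newer")
    # Trust anchor: the signer must match a key the device already holds,
    # never a keyset delivered together with the package.
    if sha256_hex(offer.signer_key) != store.signer_key_sha256:
        failures.append("signer-key-not-trusted")
    # Integrity: the descriptor hash must match the payload actually received.
    if sha256_hex(offer.payload) != offer.payload_sha256:
        failures.append("payload-hash-mismatch")
    return failures


STORE = TrustStore(sha256_hex(GENUINE_CERT), sha256_hex(VENDOR_KEY), "1014.0")


def make_offer(cert: bytes, version: str, key: bytes,
               payload: bytes = b"constructed image") -> Offer:
    return Offer(cert, version, key, payload, sha256_hex(payload))


if __name__ == "__main__":
    print(evaluate(make_offer(LOOKALIKE_CERT, "1004.0", OWN_KEY), STORE))
    print(evaluate(make_offer(GENUINE_CERT, "1015.0", VENDOR_KEY), STORE))
```

Collecting every failed check instead of stopping at the first one makes the update log show which control actually stopped an offer.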
