Patch Downgrade Firmware from original old Upgrade?

Samsung's BluRay player related hacks.

KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote: How you redirect the traffic (DNS or NAT) is secondary. The error 800 indicates (on recent firmwares) that the device checks the server certificate, so you first need to replace the Samsung root CA somehow on the device...
Ahh, I see. Well, that will be another problem to solve, and it would explain why my BD-D7000 ver. 1014.0 always results in the 800 error.

If I filtered the certificate request and redirected it to samsungotn.net, and rerouted everything else to my own Smarthub, then the problem should be solved. Or am I completely wrong?

The plan: I will do a complete tcpdump of a request to a real Samsung server, and one of a request to a SamyGO spoofed server, and check where the certificate gets requested; maybe there is a call that can be identified and filtered!?
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

KRAER wrote:...

The plan: I will do a complete tcpdump of a request to a real Samsung server, and one of a request to a SamyGO spoofed server, and check where the certificate gets requested; maybe there is a call that can be identified and filtered!?
Hmm, it's not an explicit (stand-alone) certificate request; the device tries to establish a "simple" HTTPS connection, during which it checks the root authority (http://blog.bigbasti.com/ssl-teil-3-der-ssl-handshake/)
http://publib.boulder.ibm.com/tividd/td ... min231.htm (step 3; normally the user should be asked to accept the certificate, but this is not implemented on Samsung devices...)
ggros
Posts: 32
Joined: Fri Aug 30, 2013 9:25 pm

Re: Patch Downgrade Firmware from original old Upgrade?

Post by ggros »

arris69 wrote:
ggros wrote: I did more or less the same and came to the same conclusions so far.
It seems to me that the 800 error when you try to downgrade with the DNS hack is because newer firmwares may be checking the identity of the update server.
So far I still need to understand how to calculate the hashes to create a custom firmware.
And how do you intend to flash it if your currently installed firmware only wants to communicate with the original Samsung server?
Clever question. I am actually not on a newer firmware, as the DNS hack is working for me, so I did not realize that.
ggros
Posts: 32
Joined: Fri Aug 30, 2013 9:25 pm

Re: Patch Downgrade Firmware from original old Upgrade?

Post by ggros »

And to flash using USB you need a special package? I saw Kramer mentioning you would need a special crypt known only to Samsung.
Can anyone confirm that?
I mean, you cannot put a firmware downloaded from the Samsung website on a USB disk?
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote:
KRAER wrote:...

The plan: I will do a complete tcpdump of a request to a real Samsung server, and one of a request to a SamyGO spoofed server, and check where the certificate gets requested; maybe there is a call that can be identified and filtered!?
Hmm, it's not an explicit (stand-alone) certificate request; the device tries to establish a "simple" HTTPS connection, during which it checks the root authority (http://blog.bigbasti.com/ssl-teil-3-der-ssl-handshake/)
http://publib.boulder.ibm.com/tividd/td ... min231.htm (step 3; normally the user should be asked to accept the certificate, but this is not implemented on Samsung devices...)
OK. I just checked www.samsungotn.net and its certificate. It is self-signed and unrecognized by all common browsers, so at first I would try to generate a certificate with the same name and root info, in the hope that the device will only check whether the certificate carries the server's name and is not really checking the hashes or fingerprint. Just making sure it uses the same encryption and the same length might work.

Using OpenSSL to generate a self-signed cert with the following info, like the original one:

Initiator
L = Suwon
ST = Kyong-gi
C = KR
O = Samsung Electronics
CN = Samsung Hubsite CA

valid from: 21.01.2010 02:41:43
(21.01.2010 01:41:43 GMT)

valid to: 14.01.2040 02:41:43
(14.01.2040 01:41:43 GMT)

Owner
CN = www.samsungotn.net
OU = Visual Display
O = Samsung Electronics
ST = Kyong-gi
C = KR
So just like it is visible to a client when connecting. There should be nothing more that the device is able to see, since it simply connects over http like a browser does.

Do you guys think that might work?
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

ggros wrote: And to flash using USB you need a special package? I saw Kramer mentioning you would need a special crypt known only to Samsung.
Can anyone confirm that?
I mean, you cannot put a firmware downloaded from the Samsung website on a USB disk?
You can put an upgrade on a USB stick and successfully upgrade as long as it is original and higher in version, but not if it is tweaked (the signature will be wrong) or a lower version (not an UPgrade).
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Patch Downgrade Firmware from original old Upgrade?

Post by arris69 »

KRAER wrote:....

OK. I just checked http://www.samsungotn.net and its certificate. It is self-signed and unrecognized by all common browsers,
Truly, the certificate is a "broken one", but I won't start a course here on how to work with self-signed CAs...
so at first I would try to generate a certificate with the same name and root info, in the hope that the device will only check whether the certificate carries the server's name and is not really checking the hashes or fingerprint. Just making sure it uses the same encryption and the same length might work.

Using OpenSSL to generate a self-signed cert with the following info, like the original one:

Initiator
L = Suwon
ST = Kyong-gi
C = KR
O = Samsung Electronics
CN = Samsung Hubsite CA

valid from: 21.01.2010 02:41:43
(21.01.2010 01:41:43 GMT)

valid to: 14.01.2040 02:41:43
(14.01.2040 01:41:43 GMT)

Owner
CN = www.samsungotn.net
OU = Visual Display
O = Samsung Electronics
ST = Kyong-gi
C = KR
So just like it is visible to a client when connecting. There should be nothing more that the device is able to see, since it simply connects over http like a browser does.

Do you guys think that might work?
Nope, the device has a copy of the certificate, so you would need to generate one with the same public key and the same fingerprint....
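The pinning arris69 describes, as an added example that is not from this thread or from SamyGO: two server certificates are built with exactly the issuer and subject fields KRAER listed, but signed with freshly generated keys (constructed here; no real Samsung key material), and a name-only comparison accepts the look-alike while a fingerprint comparison against the device's stored copy rejects it. Assumes the Python `cryptography` package.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Issuer ("Initiator") and subject ("Owner") fields exactly as posted in the thread.
ISSUER = x509.Name([
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Suwon"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Kyong-gi"),
    x509.NameAttribute(NameOID.COUNTRY_NAME, "KR"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Samsung Electronics"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Samsung Hubsite CA"),
])
SUBJECT = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, "www.samsungotn.net"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Visual Display"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Samsung Electronics"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Kyong-gi"),
    x509.NameAttribute(NameOID.COUNTRY_NAME, "KR"),
])

def issue_server_cert(ca_key, server_key):
    """Server cert for www.samsungotn.net signed by a 'Samsung Hubsite CA' key,
    using the validity window from the posted certificate (GMT)."""
    return (x509.CertificateBuilder()
            .subject_name(SUBJECT).issuer_name(ISSUER)
            .public_key(server_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.datetime(2010, 1, 21, 1, 41, 43))
            .not_valid_after(datetime.datetime(2040, 1, 14, 1, 41, 43))
            .sign(ca_key, hashes.SHA256()))

def name_only_check(presented, pinned):
    """The check KRAER hoped for: compare the printable fields only."""
    return presented.subject == pinned.subject and presented.issuer == pinned.issuer

def pinned_check(presented, pinned):
    """The check arris69 describes: the device holds a copy of the cert, so the
    SHA-256 fingerprint of the DER bytes (which cover the public key) must match."""
    return presented.fingerprint(hashes.SHA256()) == pinned.fingerprint(hashes.SHA256())

def demo():
    # Constructed keys: every call yields a new key pair, as any re-issued cert would.
    key = lambda: rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pinned = issue_server_cert(key(), key())     # the copy stored on the device
    lookalike = issue_server_cert(key(), key())  # identical fields, different keys
    return {"fields_match": name_only_check(lookalike, pinned),
            "pin_match": pinned_check(lookalike, pinned),
            "genuine_pin_match": pinned_check(pinned, pinned)}
```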
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

arris69 wrote: Nope, the device has a copy of the certificate, so you would need to generate one with the same public key and the same fingerprint....
Alright ..

If the device has a copy of the certificate, then it will be in the ver. 1014 upgrade somewhere, because before that the DNS spoof seems to be working. That means the copy of that cert is patched in with the upgrade ...

... what about intercepting the traffic to samsungotn.net and, after the cert check went well, cutting the line and pushing stuff from the Smarthub?

Or: maybe I should start thinking about some more hardware-based attempts, like flashing the content of the flash ROM directly ;)
ggros
Posts: 32
Joined: Fri Aug 30, 2013 9:25 pm

Re: Patch Downgrade Firmware from original old Upgrade?

Post by ggros »

KRAER wrote:
ggros wrote: And to flash using USB you need a special package? I saw Kramer mentioning you would need a special crypt known only to Samsung.
Can anyone confirm that?
I mean, you cannot put a firmware downloaded from the Samsung website on a USB disk?
You can put an upgrade on a USB stick and successfully upgrade as long as it is original and higher in version, but not if it is tweaked (the signature will be wrong) or a lower version (not an UPgrade).
Well, from what I could see in the zip for my firmware (B-FIRHT7WWC), it contains 3 encrypted partition files with the extension .sec.
Those 3 then have a corresponding .cs / .vs and .cmac; I assume the .cmac is a signature, and .cs/.vs could be too.
So it's a given that you can't modify the img files without recalculating the .cmac/vs/cs.
But the firmware B-FIRBP7WWC, for example, is also a CI+ one, and it is listed as a patched firmware in the thread viewtopic.php?f=18&t=4244

As such, I would think that SamyGO developers have found a way to calculate the signatures or a way to disable signature checking.

However, it might even be simpler than that if we just want to downgrade to an official version.
The version_info.txt and info.txt do not seem to be signed, so could it be that you could just change the info.txt file to put in a higher version, rezip, and put it on a USB drive?

I guess it doesn't work, otherwise it would be too easy, but I will give it a try.
KRAER
Posts: 16
Joined: Tue Oct 08, 2013 4:08 pm
Location: Germany

Re: Patch Downgrade Firmware from original old Upgrade?

Post by KRAER »

ggros wrote:
KRAER wrote:
ggros wrote: And to flash using USB you need a special package? I saw Kramer mentioning you would need a special crypt known only to Samsung.
Can anyone confirm that?
I mean, you cannot put a firmware downloaded from the Samsung website on a USB disk?
You can put an upgrade on a USB stick and successfully upgrade as long as it is original and higher in version, but not if it is tweaked (the signature will be wrong) or a lower version (not an UPgrade).
Well, from what I could see in the zip for my firmware (B-FIRHT7WWC), it contains 3 encrypted partition files with the extension .sec.
Those 3 then have a corresponding .cs / .vs and .cmac; I assume the .cmac is a signature, and .cs/.vs could be too.
So it's a given that you can't modify the img files without recalculating the .cmac/vs/cs.
But the firmware B-FIRBP7WWC, for example, is also a CI+ one, and it is listed as a patched firmware in the thread viewtopic.php?f=18&t=4244

As such, I would think that SamyGO developers have found a way to calculate the signatures or a way to disable signature checking.

However, it might even be simpler than that if we just want to downgrade to an official version.
The version_info.txt and info.txt do not seem to be signed, so could it be that you could just change the info.txt file to put in a higher version, rezip, and put it on a USB drive?

I guess it doesn't work, otherwise it would be too easy, but I will give it a try.
Nice try, Wayne ;)

That does not work. The text files are only human-readable references so you know what you just unzipped, as I suppose. The device might check the encrypted partitions for version numbers, maybe in rootfs in the file called .version ... but I am not sure.

BUT you can decrypt the partitions, unsquash them like any sqfs, and browse them as a normal filesystem (see the first entry in this thread; it's manual work because of the SQFS 4.0, but unpacking is possible).

Give it a try and post the results; as I just crashed the hard disk on my Linux machine, I am on a forced pause right now ;)

The patched version from SamyGO is based on 1004, so way before the cert checking was included; no need to take care of that back then.
