Samsung LA40C550J1FXXZ firmware decryption and RMVB video

[erdem_ua]

SamyGO is not compatible with "C" series yet. And injecting RMVB might generate more problem to you.
Anyway, we don't know AES key. You can brute force to crack it if you have some quantum computer core or some super computers...

If I have C series TV, I will open inside (yup, definitely void your warranty) and search a connector inside it. It might be leaved some Serial ExLink header. Or using JTAG, you can read current firmware from flash chip. But finding JTAG port might be require some experience on it. In unencrypted firmware, that has Encryption key. After inspecting firmware, you can find weakness of it and attack there...

[erdem_ua]

Thanks for your reply.
I am software oriented IT staff, not a electronic engineer. So...
I would prefer soft bruce force crack first.
Could you indicate me how to do so, is there any existing software could be used? I have a lots of brand new high performance server to do so.
The interesting thing is:
- When I view contents of my USB harddisk on the TV, the TV could display rmvb's frame picture as file icon. That means the TV has already had decoder of RMVB format, but when press enter to play, it alarm me that the file format is not supported.
Thanks.

So TV might compatible with RMVB format. But RMVB is patented file format. Might be Samsung don't pay their license yet. So It's relatively easy to unlock disabled RMVB support....

About brute forcing AES, I don't know deeper as a cryptologist but I can say that you cannot crack it via some downloaded software and some CPU's. Lots of High end server PC's doesn't help you in this situation. You needed to have Super Computer(s), which has ~1K CPUs at least for decrease calculating power to meaningful time. Also we don't know encryption algorithm too. We guess that it's AES, but it might be not. Even AES has multiple types and we needed to find correct key-correct algorithm. So brute-forcing is not meaningful.

If C series supports widgets like B serie. Than we could inject some code via interface. But they don't make same mistake twice I guess.
Proper way is using tool like JTAG (Samsung don't have JTAG on C series DSUB but we can search it on MB ) or Extract flash chip physically to read it's contents. But this requires some precise hand works too and no one want to do that

[arris69]

Thanks for your info.

I think, there must be some way to decrypt the FW, if technology couldn't, maybe there is some tricky. For example, some one who develop the FW pass me the key, or his girl friend. haha........

..

first you will get his girl friend an than maaaaaaaaaay the key.

arris

[marcelru]

Hi Salfuman,

In theory it can be done, provided you have the _complete_ source for your type of TV and not another one.
However, the sources you will? get from samsung are not complete. The information about their RFS filesystem needed to build rfs.ko is missing, and the code to build the tv driver (samdrv.ko) is not in there either. So getting things working from scratch will be tough, because some vital parts aren't there. I probably overlooked a lot of other pieces of non-(L)GPL code, but not having the first two is enough of a set-back as it is.

marcelr

[doodlecz]

I also think finding AES decryption key by brute-force is pointless.
Better we should concetrate on possibility of Exlink or trying to inject code by custom game content (maybe not possible? I've read manual for C series and I'm not sure about this) or widgets (not sure, if widgets process have rights we need) and then try to dump process memory or simply copy exeDSP to flash.
Have anybody other idea?