LExxB650 T2P CI+ hacking

This forum is for information related to B series hardware rather than firmware/software.

dynamic1969
SamyGO Admin
Posts: 62
Joined: Sun Oct 04, 2009 12:35 am

Re: LExxB650 T2P CI+ hacking

Post by dynamic1969 »

Hi robbiesz,
these are great findings you have discovered there ... this is getting more and more exciting.

Hi jeroenvoc,
jeroenvoc wrote:I got a LE46B650T2PXXN; looks like a CI+ device to me....

I can use the Telnet enabler (https://sourceforge.net/projects/samygo ... z/download), dump it on an USB-stick, and do the magic.

It just executes the program without any serious warning in the logs....

Only downside is that it's not persistent; after a reboot you will have to start it again.

I also have a cable in place; I got a lot of info on the serial, but no input seems to work. So no escape route...

Jeroen
Provided that you have telnet access, you should also be able to:
1) dump mtd_exe image from the appropriate device
2) modify the appropriate rc.local script in the image you dumped
3) write back the image using the manual flashing method shown here

Regards
dynamic
aquadran
Posts: 264
Joined: Fri Oct 16, 2009 9:35 pm
Location: Poland

Re: LExxB650 T2P CI+ hacking

Post by aquadran »

shagui wrote:
jeroenvoc wrote:I did try that; no luck...
The console doesn't seem to respond on any input whatsoever.

I got the telnet-enabler V1 working, so I got telnet access.
First of all, sorry if I understood wrong, but is it possible to access a B650 with T-CHUCIPDEUC (CI+) firmware via telnet?? I thought it wasn't possible at the moment due to the encryption! :shock:
The firmware may be encrypted, but it seems running unsigned apps is not protected after all, like on non-CI+.
dynamic1969
SamyGO Admin
Posts: 62
Joined: Sun Oct 04, 2009 12:35 am

Re: LExxB650 T2P CI+ hacking

Post by dynamic1969 »

Hi jeroenvoc,
First things first: I am assuming that your device is still up and running, right (as you were able to check mtd_exe/rc.local again)?

It'd be interesting to understand if, and what, error/warning messages you may have received while flashing the image back ... do you happen to have the logs from your flashing activities?

As robbiesz has correctly explained, the TV has a backup image, which it uses in certain cases.
It basically sets the "PARTITION_FLAG" to use the backup image (tbml10) in case the productive image (tbml8) is identified as corrupt/unusable during the boot process. That would however mean that your modified image is still in your flash and possibly still accessible ...
It should at least be possible to do a "bml.dump /dev/bml0/8 > /mtd_wiselink/dump" to see if the contents are corrupt and whether your modifications are still there.

Regards
dynamic
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Post by erdem_ua »

How could we decipher exe.img encryption on PC?
If we find the technique and the correct keys, then we can build modifications on the computer and have a plug & flash option for a safe process.

@Jeroen could you get all bml devices image and compress them with 7z?
The resulting file is nearly 200-250 MB, but a full image is better in some cases.

Is there anyone here who understands cryptology?
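Two questions in this thread can be partly answered on a PC before anyone touches the flash again: dynamic1969's suggestion to bml.dump the productive partition and check whether it is corrupt and whether the rc.local edit survived, and erdem_ua's question of whether exe.img can be deciphered at all. The script below is an added example written for this page; it is not SamyGO code and not something posted in the thread. It assumes the dumps made on the TV have been copied to the PC, and the file names, the 4 KiB analysis block size, the entropy thresholds and the sample images built inline are all assumptions of the example. It does not decrypt anything: a per-block entropy profile separates random-looking data (encrypted or compressed) from structured plaintext, a marker search shows whether strings such as "rc.local" are visible in the clear, and a block-wise diff shows exactly which parts of two dumps (tbml8 vs tbml10, or before/after an edit) differ.

```python
"""Offline sanity checks for Samsung B-series partition dumps.

Added example for this thread, not SamyGO code. It assumes the dumps
produced on the TV (e.g. "bml.dump /dev/bml0/8 > /mtd_wiselink/dump")
have been copied to a PC. The block size, thresholds and sample images
are assumptions of this example.
"""
import hashlib
import math
import random
from collections import Counter

BLOCK = 4096  # assumed analysis granularity, not the flash page size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) for one chunk."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, block: int = BLOCK) -> list:
    """Entropy of every block; a flat line near 8.0 means encrypted or compressed."""
    return [shannon_entropy(image[i:i + block]) for i in range(0, len(image), block)]


def find_marker(image: bytes, marker: bytes) -> list:
    """Offsets of every plaintext hit of marker (e.g. b'rc.local').
    Hits mean at least that part of the dump is not encrypted."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


def diff_blocks(a: bytes, b: bytes, block: int = BLOCK) -> list:
    """Block indices where two dumps differ (productive tbml8 vs backup
    tbml10, or a dump taken before and after a modification)."""
    n = max(len(a), len(b))
    return [i // block for i in range(0, n, block) if a[i:i + block] != b[i:i + block]]


def classify(image: bytes, block: int = BLOCK) -> dict:
    """Summarise a dump: hash, entropy statistics and a coarse verdict."""
    profile = entropy_profile(image, block)
    high = sum(1 for e in profile if e > 7.5)  # assumed "random-looking" threshold
    mean = sum(profile) / len(profile) if profile else 0.0
    if profile and high / len(profile) > 0.9:
        verdict = "encrypted-or-compressed"
    elif mean < 6.0:
        verdict = "plaintext-like"
    else:
        verdict = "mixed"
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
        "blocks": len(profile),
        "high_entropy_blocks": high,
        "mean_entropy": round(mean, 3),
        "verdict": verdict,
    }


# --- constructed sample images (not real TV dumps) ---
_SCRIPT = (b"#!/bin/sh\n# /etc/rc.local (constructed sample)\n"
           b"/mtd_rwarea/Telnet_enabler &\n") * 40
PLAIN_IMAGE = _SCRIPT.ljust(16 * BLOCK, b"\x00")           # text plus zero padding
_edited = bytearray(PLAIN_IMAGE)
_edited[5 * BLOCK:5 * BLOCK + 17] = b"# added by owner\n"   # one edit in block 5
MODIFIED_IMAGE = bytes(_edited)
RANDOM_IMAGE = random.Random(1234).randbytes(16 * BLOCK)    # stands in for ciphertext


if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("random", RANDOM_IMAGE)):
        print(name, classify(img), "rc.local hits:", len(find_marker(img, b"rc.local")))
    print("blocks changed by the edit:", diff_blocks(PLAIN_IMAGE, MODIFIED_IMAGE))
```

Run it against a real dump with `classify(open("dump", "rb").read())`; a verdict of "encrypted-or-compressed" with no marker hits is the situation erdem_ua describes and means a key or decompression step is needed before rc.local can be edited offline, whereas a "mixed" or "plaintext-like" result with marker hits shows where in the image the script lives. A non-empty `diff_blocks` between the tbml8 and tbml10 dumps likewise locates a surviving modification without having to eyeball hundreds of megabytes.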
