[How-To] Hacking C series TV. Models with Internet@TV only

[bastler0815]

Hi,

interesting that it was readable

Did you also test bigger Eeproms ?! Probably that?s not the complete Eeprom ??

Regards

Bastler

[mamaich]

process is going on and we have some results on C550 (unfortunatly negative yet: at least two c550 dead and one c650 bricked too).

I'm just a new owner of LE40C550, and I see that firmware update contains rootfs.img that seems to be a non-encrypted file with squashfs filesystem. It also seems that CRC of this file is not stored anywhere, so we can add a line like "/bin/busybox telnetd &" to /etc/rc.local in it and upload to TV. This idea is too simple, so, obviously someone have already tried it earlier. The phrase "at least two c550 dead" stops me from doing this myself.
So the question is: is here anyone who have tried this method, and what was the result? And after making this test - was it possible to revive a TV without sending it to a service center?
One more question. There is a Windows tool "SAMSUNG PC Share Manager" that creates an HTTP server which sends some XML files to device. Is it possible to modify these XML files to force TV to load our .SO file like it was done with old "SamyGO Telnet Enabler v0.01" tool?

[juusso]

Here are 3 c550 broken. Rootfs was changed to execute run.sh like hack for c650. And you know, hack works! Here is ability to execute code over insertion of usb. But we have every 20 sec rebooting tv. It seems that authuld or some other security mechanism checks hash of rootfs. So here is the hack, but no progress to write busybox to flash memory and get it working. Try to rewrite native unchanged rootfs was unsuccessfull, tv was finaly dead. After we got sources from samsung, custom kernel was compiled and the code by comparing kernels in native kernel was patched to disable authuld. After flash such kernel we got one more dead c550.

[mamaich]

A silly question. As far as I see - authuld is located in rootfs. What would happen if you'll just delete it or replace it with some empty executable file?

[juusso]

Can you please provide me the serial output of the dead units? This would help me a lot in better understanding the authentication routines in the bootloader

Log where kernel was rewritten:

Code: Select all

{boot
[build]
2010. 01. 19. (??) 11:07:22 KST,yongkyoon81 built on host localhost.localdomain for SAMSUNG.
=================================
Samsung Bootloader Infomation for 1C
release ver : 1000 Release
etc :
=================================
SHUTDOWN : enable
SECURE_JTAG : enable
USB_UPDATE : disable
=================================
This board is SX1C Retail!
[Sync Mode, DMA]
Init Success on TridentSX
TinyBML open success
selUART : 0x0
N boot
Failed!!
 

Led is blinking, no more serial output.
Log with unsuccessful rootfs re-flashing (another TV). Maybe wrong command was used for restoring rootfs (bml.restore w/o any keys)

Code: Select all

{boot
[build]
2010. 03. 19. (??) 17:24:16 KST,yoonsik.park built on host localhost.localdomain for SAMSUNG.
=================================
Samsung Bootloader Infomation for 1C
release ver : 1001 Release
etc :
=================================
SHUTDOWN : enable
SECURE_JTAG : enable
USB_UPDATE : disable
=================================
This board is SX1C Retail!
[Sync Mode, DMA]
Init Success on TridentSX
TinyBML open success
selUART : 0x0
N boot
Verified!!
+[ Loaded normal kernel from OneNand ]+
kernel_entry : 0x80100800
cmd_line : console=ttyS0,115200 mem=126M@1M ftmac110_sx.mem=1M@158M rootfstype=squashfs root=/dev/tbml7 quiet
[jump kernel]
SQUASHFS error: zlib_fs returned unexpected result 0xfffffffd
SQUASHFS error: Unable to read cache block [30431d:ff]
SQUASHFS error: Unable to read inode [30431d:ff]
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(139,7)

Led is blinking, no more serial output.
And here is normal log.

I forgot to say, all modifications were with T-TDT5DEUC, Trident basis c550...

[mamaich]

juuso
Do you have a log taken from c550 with a patched root.img, where it reboots after 20 seconds?
I hope to see there an error string from authuld.

[juusso]

It's a pity, we don't have log of this rebooting tv with working hack. No serial cable was available when hack was done. After short time this tv was upgraded with modified rootfs and totally bricked. Now here isn't any tv to play with. No more mouses for experiments. Yet.

[bastler0815]

Hi,

as far as I had compared the board is identical with the 40C6700 Board ...the only differences I saw were the Frontend as in fact the C6000 ony has a cable tuner and the C6700 has DVB-S/S2 and Cable ... so that?s why also sone SMD parts an IC?s were missing at the C6000 board compared to the C6700 cause the cable tuner doesn?t need power supply for the SAT LNB.

Has anyone a IDea for what the missing switch "SW4001" could be used for (located at the top middle at the topview Mainboard picture). Another question is ... where is the Micom Chip located ??

Regards, Bastler

[bastler0815]

Hi,

ok Thx ... I just was trying to read the label at the Chip ... "Weltrend" was good readable but not the exact model number / version ... does anybody know which model the Chip is, and if yes is there a Datasheet somewhere for the Chip ?

Regards

PS: Could the not assembled switch probably be something like a reset switch cause it?s located very near to the Micom Chip ? probably if this switch has something to do with the Micom chip would it be possible that something like a hardware factory reset could be dine with this switch like it is i.e. at WIFI Accesspoints or CableModems ?

[juusso]

I followed the steps in the first post, and USB ports have stopped working.
Any idea?.

Yes, i have an idea. Solution is written on the first post:

If TV does not react to USB or its behavior is strange, you can allways delete usb_hotplug.sh with help of widget:

Code: Select all

FilePlugind.Delete("/mtd_rwarea/usb_mount/usb_hotplug.sh")

Change code as above, run modified widget again and you get your USB back. Then try whole procedure to hack TV again.