T-VALDEUC Firmware AES key :)

[gooseye]

"A435HX:********-****-****-****-************-********-****-****-****-************"

End part of key does not look very random... anyone want to try 00001abc2011 for D-series fw?

[Denny]

alredy tried
fail, but i dont worry much for D serie, it can be also easy done

just step by step, now fw reflashing, then execute modified exeDSP (rsa disable check for native applications) then can be moved to D serie , i just have problem , noone shop here in croatia have anything of new D seriel, i was lucly with BD player last week to start such think,
also i had very big luck to find firmware where i realy can trace and reverse all correct, 300x are very shity to read.



Denny

[Denny]

yes, it is still need as the tool should automaticly decrypt, change data and flash it direct to tv

i have some routines , but got only 2nd loop decrypted ok just for fun to see does the key realy match.


in case of erdem?s script, i just sugest to decrypt all .sec files , and dont do any modifications.

Denny

[juusso]

i'll try to port pyton decryptof to C if is still be unrelesed.

1. Not for whole C series, just for T-VALDEUS (until card2000 gives us all keys)
2. Port python? If you mean just decryption - it is easy to be done by changing one line. Look at my post. To port whole SamyGO.py - you need some addresses to patch to have result. I suggest to leave this for just .sec decryption as Denny said.

Denny, how do you disable RSA check to let TV accept modified firmware? It is good to have some widget to patch exeDSP, right?

[juusso]

If you add some nice gui and let run it under windows...

[juusso]

Yes, it would be great to have some GUI for samygo patcher...

[Denny]

Code: Select all

GUI for samygo patcher

ehhmm, why easy if complicated is also posible, no ....
as i work every day with many korean engeniers (ex Samsung also) , i know this way, but they almost do complicated way , so i go easy way ^..^ ,

just simple tool that we run under telnet , this tool will do all need job, no python no magic ....

1. decrypt firmware
2. mount it temporarly
3. modify start rc.local
4. copy exeDSP outside of mtd_exe
5. patch exeDSP on need points
6. umount exe.imt
7. flash whole images to unused parition
8. calculate each cmacs
9. store cmac to need parition
10. user must just at finish self press ./toggle_c8000

in case of modify rc.local
just add :

Code: Select all

if [ -e /mtd_rwarea/myBoot.sh ]; then
	/dtv/usb/sdax/myBoot.sh
else
cd /mtd_exe
./exeDSP
fi

in case of exeDSP patch, it just need one 0 to 1 to change, this can be done by flash tool , so now some special script is realy no need to do,
my plan is just to disable Widget RSA check point that other applications can be ported by other guys to C serie , like Browser etc...
after this all,
i have 2 more pioints to check out , that is widget.signature calculation, and recorded streams to decrypt then is C serie done from my side.

also , if someone play litelbit, he can find out , so strange things are not as they sounds , basicly u can read write stuff whenever u wish but this later on.... so now some special script is realy no need to do,


@ wortex , yes , Pure "C" code, no Openssl, as i think compiler at me dont have it, and best solution, one C unit to tool.

Denny