Injecting modules into exeDSP

[edelfalke]

Hi All,

i have a realy big problem, because my TV boots up and shuts down after some seconds.
i think i have used this the injecting to early in my Samygo.sh script:

Code: Select all

#!/bin/sh
Enable Telnetd
mount -t devpts devpts /dev/pts
telnetd


if [ -f /mtd_rwarea/injectso ]; then
    /mtd_rwarea/injectso `pidof exeDSP` /mtd_tlib/GGame/avrfix2/load.so Game_Main /mtd_tlib/GGame/avrfix2/&
    /mtd_rwarea/injectso `pidof exeDSP` /mtd_tlib/GGame/ChannelInfo/loader.so Game_Main /mtd_tlib/GGame/ChannelInfo/&
    /mtd_rwarea/injectso `pidof exeDSP` /mtd_tlib/GGame/SamygoPVR/loader.so Game_Main /mtd_tlib/GGame/SamygoPVR/&
fi

.
.
.
.

Telnet doesn't work.
I think the failure is caused by Authuld as you can see in attached File.

Please help me..

My TV is UE40B7090 CI+ with 3001 FW

[smartsmurf]

Please help me..

This looks not good.
(1) AFAIK, busybox in firmware 3001 is not including "telnetd". So you should have copied an alternative busybox onto the TV first.
(2) injectso acts like a debugger. When sending it into background multiple times you attach several debuggers to one process. It not only crashes exeDSP, but also panics the kernel.
You end up with broken kernel (CIFS and network failed) and exeDSP killed. I don't see a way to hack into the device in this state.

[edelfalke]

I have used Telnetd to edit my Samygo.sh.

Why is telnetd not started, if it is ahead of injecting?

Is my TV now realy broken without any option?

[smartsmurf]

In contrast with other hacks, here using the background sign "&" has problems. When loading only one module is not a problem, but it becomes one when loading more than one.

We should edit our posts to remove the "&" in the examples. It is plenty (look at the first page of this post).

Also, to prevent this injectso should detect if there is other instance of it running and the PID is already attached. Then, fail with an advice.

Global advice: When possible, run your hacks from a USB pen!! If something goes wrong you can unplug the device.

You are right with all your comments. However when looking into the logfile you can see two instances being started, but one of them fails:

Code: Select all

...
Module injector V1.2 for ARM based CPUs.
(copyleft) SmartSmurf 2010 (smartsmurf@shared-files.de)


Module injector V1.2 for ARM based CPUs.
(copyleft) SmartSmurf 2010 (smartsmurf@shared-files.de)

Error: ptrace_attachInfo: Import dlopen set at 0x00530d7c
Info: Import dlsym set at 0x00531244
Info: Import dlclose set at 0x00530f38
...

This is the result of the ptrace_attach() function:

Code: Select all

void ptrace_attach(int pid)
{
	if ((ptrace(PTRACE_ATTACH, pid, NULL, NULL)) < 0) {
		printf("Error: ptrace_attach");
		exit(-1);
	}
	waitpid(pid, NULL, WUNTRACED);
} 

So, finally only one injectso debugger process controls exeDSP. It is definitely a good advise to not use the background sign since you cannot predict which call to injectso will fail and which will succeed.
Yesterday I tried to reproduce the issue with a manually started script and 3 calls to injectso, but I could not kill exeDSP with it. That's why I am not sure, whether the "&" caused the problems or whether it is a matter of calling it too early. The bootlog entry "Application is started..." comes from rc.local before calling /mtd_exe/rc.local. But there is not any output from exeDSP. Maybe the injectso messes up with the dynamic loader while in the stage of loading exeDSP.

[edelfalke]

Is now my only option to calling Samsung Service??

[smartsmurf]

Is now my only option to calling Samsung Service??

As said, with neither ExLink nor telnetd working you cannot modify the problematic startup script. Also I doubt that you can modify anything on the filesystem since authuld already complained about not being able to open a file.
So I think calling service is the only option.

[smartsmurf]

You could also try netcat to check whether telnetd is up and running before the system breaks:

Code: Select all

nc -z <IP of your TV> 23

If this works, one could write a little script which logs on to TV and deletes /mtd_rwarea/injectso.