Re: LExxB650 T2P CI+ hacking
Posted: Tue Dec 01, 2009 5:12 pm
by arris69
jeroenvoc wrote:...
Another thing: does anyone have any idea what the EDID directory in mtd_exe is for??? Encryption keys???
Jeroen
Hi, EDID data is simply monitor capability information:
Code:
cat 1.ddc | xxd -r -p | monitor-parse-edid -
Name: SAMSUNG
EISA ID: SAM051b
Screen size: 88.0 cm x 50.0 cm (39.85 inches, aspect ratio 16/9 = 1.78)
Gamma: 2.2
Analog signal
Max video bandwidth: 150 MHz
HorizSync 30-81
VertRefresh 60-75
# Monitor preferred modeline (60.0 Hz vsync, 67.5 kHz hsync, ratio 16/9, 55 dpi)
ModeLine "1920x1080" 148.5 1920 2008 2052 2200 1080 1084 1089 1125 +hsync +vsync
# Monitor preferred modeline (60.0 Hz vsync, 47.7 kHz hsync, ratio 16/9, 39 dpi)
ModeLine "1360x768" 85.5 1360 1424 1536 1792 768 771 777 795 +hsync +vsync
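To check that claim yourself instead of trusting a tool's output, here is a small parser for the 128-byte EDID base block. This is an added example and not code from this thread or from the set's firmware. It validates the 8-byte header and the checksum (so a blob of key material is rejected straight away) and decodes the same fields monitor-parse-edid printed above; the sample block it builds is constructed to match those printed values and is not a capture from a TV.

```python
import struct

# Constructed for this post: a parser for the 128-byte EDID base block.
EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"


def _manufacturer(word):
    """Three 5-bit letters packed big-endian into 16 bits, 'A' == 1."""
    return "".join(chr(64 + ((word >> shift) & 0x1F)) for shift in (10, 5, 0))


def _dtd_modeline(d):
    """Decode an 18-byte detailed timing descriptor into an X-style ModeLine."""
    clock_mhz = struct.unpack_from("<H", d, 0)[0] / 100.0   # stored in 10 kHz units
    hact = d[2] | ((d[4] & 0xF0) << 4)
    hbl = d[3] | ((d[4] & 0x0F) << 8)
    vact = d[5] | ((d[7] & 0xF0) << 4)
    vbl = d[6] | ((d[7] & 0x0F) << 8)
    hso = d[8] | ((d[11] & 0xC0) << 2)          # hsync front porch
    hsw = d[9] | ((d[11] & 0x30) << 4)          # hsync pulse width
    vso = (d[10] >> 4) | ((d[11] & 0x0C) << 2)  # vsync front porch
    vsw = (d[10] & 0x0F) | ((d[11] & 0x03) << 4)  # vsync pulse width
    hpol = "+hsync" if d[17] & 0x02 else "-hsync"
    vpol = "+vsync" if d[17] & 0x04 else "-vsync"
    return 'ModeLine "%dx%d" %.1f %d %d %d %d %d %d %d %d %s %s' % (
        hact, vact, clock_mhz,
        hact, hact + hso, hact + hso + hsw, hact + hbl,
        vact, vact + vso, vact + vso + vsw, vact + vbl, hpol, vpol)


def parse_edid(blob):
    """Validate header and checksum, then decode the fields shown above.
    Raises ValueError if the bytes are not an EDID block at all."""
    if len(blob) < 128:
        raise ValueError("EDID base block is 128 bytes, got %d" % len(blob))
    blob = bytes(blob[:128])
    if blob[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    if sum(blob) % 256 != 0:
        raise ValueError("bad EDID checksum")
    mfg = _manufacturer(struct.unpack_from(">H", blob, 8)[0])
    product = struct.unpack_from("<H", blob, 10)[0]
    info = {
        "eisa_id": "%s%04x" % (mfg, product),
        "version": (blob[18], blob[19]),
        "digital": bool(blob[20] & 0x80),
        "screen_cm": (blob[21], blob[22]),
        "gamma": (blob[23] + 100) / 100.0,
        "name": None, "modelines": [],
    }
    for off in range(54, 126, 18):
        d = blob[off:off + 18]
        if d[:3] == b"\x00\x00\x00":             # display descriptor
            if d[3] == 0xFC:                      # monitor name
                info["name"] = d[5:18].split(b"\n")[0].strip().decode("ascii", "replace")
            elif d[3] == 0xFD:                    # range limits
                info["vrefresh_hz"] = (d[5], d[6])
                info["hsync_khz"] = (d[7], d[8])
                info["max_pixel_clock_mhz"] = d[9] * 10
        elif struct.unpack_from("<H", d, 0)[0]:   # detailed timing; first is preferred
            info["modelines"].append(_dtd_modeline(d))
    return info


def parse_edid_hex(text):
    """Same, for a hex dump like the 1.ddc file above (whitespace ignored)."""
    return parse_edid(bytes.fromhex("".join(text.split())))


def build_sample_edid():
    """Constructed 128-byte block matching the values the thread printed;
    not captured from a TV. The checksum byte is filled in last."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    struct.pack_into(">H", b, 8, (19 << 10) | (1 << 5) | 13)   # "SAM"
    struct.pack_into("<H", b, 10, 0x051B)                      # product code
    b[18], b[19] = 1, 3                                        # EDID 1.3
    b[20] = 0x0E                                               # analog input
    b[21], b[22] = 88, 50                                      # screen size, cm
    b[23] = 120                                                # gamma 2.2
    b[38:54] = b"\x01" * 16                                    # no standard timings
    # Descriptor 1: preferred timing 1920x1080 @ 60 Hz, 148.5 MHz, +hsync +vsync
    b[54:72] = bytes([0x02, 0x3A, 0x80, 0x18, 0x71, 0x38, 0x2D, 0x40, 0x58, 0x2C,
                      0x45, 0x00, 0x70, 0xF4, 0x31, 0x00, 0x00, 0x1E])
    # Descriptor 2: range limits 60-75 Hz, 30-81 kHz, 150 MHz max pixel clock
    b[72:90] = bytes([0, 0, 0, 0xFD, 0, 60, 75, 30, 81, 15, 0x00, 0x0A]) + b" " * 6
    # Descriptor 3: monitor name, newline-terminated and space-padded to 13 bytes
    b[90:108] = bytes([0, 0, 0, 0xFC, 0]) + b"SAMSUNG\n".ljust(13, b" ")
    b[108:112] = bytes([0, 0, 0, 0x10])                        # Descriptor 4: dummy
    b[127] = (-sum(b[:127])) & 0xFF
    return bytes(b)


if __name__ == "__main__":
    for key, value in parse_edid(build_sample_edid()).items():
        print(key, value)
```

Feed the parser a real dump with parse_edid_hex(open("1.ddc").read()); if the file holds anything other than an EDID block, the header or checksum check raises before any field is decoded.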
Re: LExxB650 T2P CI+ hacking
Posted: Tue Dec 01, 2009 10:19 pm
by dynamic1969
Hi robbiesz,
did you discover any information as to what authuld is checking these partitions against? (I assume there is some sort of checksum or fingerprint stored per partition somewhere?)
As during a normal FW Upgrade only mtd_app and mtd_exe are updated, one could assume that the checksums / fingerprints are:
- either calculated on the file during the upgrade and then stored or
- already embedded in a file in the respective partition
Regards
dynamic
Re: LExxB650 T2P CI+ hacking
Posted: Tue Dec 01, 2009 11:10 pm
by erdem_ua
If the key is created during the update process, then we can alter the update process by uploading a modified exe.img file without the .sec extension.
I checked the root file (bml6) and found a little script in the /usr/sbin directory that updates the TV's firmware from exe.img directly!
So we don't need an encrypted file to update the partition, I think.
At least it's worth a try.
And I saw some info in the rc.local script on bml7. This file is highly related to the SW update process...
Code:
if [ "$usb_upgrade" = "true" ]; then
    # $BOOT_MOUNT/usb
    # CI+ could not run in emergency mode for hacking... Set will be shutdown
    echo "Wait time: 1-30 sec."
fi  # closing added here; the quoted excerpt ends at the echo line
Are they talking to us?

Re: LExxB650 T2P CI+ hacking
Posted: Thu Dec 03, 2009 12:35 am
by erdem_ua
robbiesz wrote: Hi Jeroen
Communication between authuld and the kernel is binary... I haven't cracked the authuld->kernel way, but the kernel only sends 4 bytes (only once) to authuld, which seem to be a simple number (unsigned int) from a timer interface..
The kernel will shut the set down if
- authuld does not respond within a predefined amount of time
- the message is corrupted or does not conform to the protocol..
On boot-up the authuld has 5 minutes to authenticate all modules, by default the kernel has a 2 minute timeout value for the response from authuld..
All crypting is done by the kernel..
robbiesz
I don't understand the word "modules". Do you mean kernel modules?
Does it check kernel modules + exeDSP only?
Are we sure that authuld checks files/modules instead of partitions?
If the answer is yes, checking every file on its own seems weird to me.
Implementing this might be possible in 2 ways:
1) Including a secret hash index of files in authuld, or anywhere that authuld reads.
2) Hashes included in each kernel file, like a CRC.
The second approach is more difficult and could be problematic for Sammy to implement, like needing every module modified by hand (or by program).
Comparing modules in the encrypted version and the normal version could make that hash rounder byte(s) visible.
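The two designs in the post above, and the two options dynamic1969 listed earlier (hashes computed during the upgrade and stored, or already embedded in the partition), side by side as an added example. This is not code from the thread and says nothing about what authuld actually does, which robbiesz says is not yet cracked; SHA-256, the HSH1 trailer marker and the file names are assumptions. The last function implements the diff idea from the final sentence: line up the plain and the processed copy of one module and the added bytes stand out.

```python
import hashlib
import hmac

# Constructed for this thread: the two ways a checker like authuld could know
# what a module should hash to. SHA-256 and the trailer marker are assumptions.
TRAILER_MAGIC = b"HSH1"          # hypothetical marker before an embedded hash
DIGEST_LEN = 32


def digest(data):
    return hashlib.sha256(data).digest()


# Scheme 1: a separate hash index, e.g. computed when the update is applied
# and stored wherever the checker reads it.
def build_index(files):
    """files: {name: bytes}. Returns {name: digest}."""
    return {name: digest(data) for name, data in files.items()}


def verify_with_index(index, files):
    """Return the names whose current contents do not match the index
    (a missing index entry counts as a failure too)."""
    return [name for name, data in files.items()
            if index.get(name) is None
            or not hmac.compare_digest(index[name], digest(data))]


# Scheme 2: the hash travels inside each file, like an appended CRC.
def embed_hash(data):
    return data + TRAILER_MAGIC + digest(data)


def verify_embedded(blob):
    """Split the trailer off and recompute over the body."""
    tlen = len(TRAILER_MAGIC) + DIGEST_LEN
    if len(blob) < tlen or blob[-tlen:-DIGEST_LEN] != TRAILER_MAGIC:
        return False
    body, tag = blob[:-tlen], blob[-DIGEST_LEN:]
    return hmac.compare_digest(tag, digest(body))


# The observation in the last post: put the plain and the processed copy of
# the same module side by side and the bytes that were added stand out.
def locate_added_bytes(plain, processed):
    """Return (offset, length) of the block present in `processed` but not in
    `plain`, assuming `processed` is `plain` with one block inserted (or
    appended). None if the two are identical. If the inserted bytes happen to
    equal their neighbours the offset is only determined up to that run."""
    if plain == processed:
        return None
    n = min(len(plain), len(processed))
    i = 0
    while i < n and plain[i] == processed[i]:        # common prefix
        i += 1
    j = 0
    while j < n - i and plain[-1 - j] == processed[-1 - j]:   # common suffix
        j += 1
    return (i, len(processed) - i - j)


if __name__ == "__main__":
    # Constructed stand-ins, not real firmware files.
    modules = {"exeDSP": b"constructed stand-in for exeDSP",
               "foo.ko": b"constructed stand-in for a kernel module"}
    index = build_index(modules)
    print("index verifies:", verify_with_index(index, modules) == [])
    signed = embed_hash(modules["foo.ko"])
    print("trailer verifies:", verify_embedded(signed))
    print("added bytes at (offset, length):", locate_added_bytes(modules["foo.ko"], signed))
```

One caveat that holds for both schemes: a plain digest that the checker can recompute can be recomputed by anyone who edits the file, so the index or the trailer only protects anything if it is itself covered by a key or by something the attacker cannot rewrite; on this set that would sit inside the "crypting" robbiesz says the kernel does.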