Re: Hacking C series TV. It`s already done!

Posted: Wed Nov 03, 2010 4:57 pm
by juusso
borkuz wrote: Hi, I am wondering if this also works on a Samsung LE37C550?
TVs w/o widget function haven't been hacked yet, and this hack does not work. But don't worry, the process is going on and we have some results on the C550 (unfortunately negative so far: at least two c550 dead and one c650 bricked too).
dredkin wrote: BTW, the only step where ext3 is really important is step 5-8 (where usb_hotplug.sh is copied to /mtd_rwarea through the widget, because the widget cannot do chmod); in all the other steps the usb stick can be FAT, no problem, only don't forget to chmod all the files copied to the tv.
Yes, I know. There were some people here who had errors with fat32. That is why I wrote about ext3 as an alternative to fat32.

Re: Hacking C series TV. It`s already done!

Posted: Wed Nov 03, 2010 9:19 pm
by sbav1
bastler0815 wrote: So I think the data about which options are used or blocked by the Service Menu or Model has to be stored somewhere else ... anybody got some other ideas ?!?!
/mtd_exe/Factory*.dat file[s] are an each-and-everything option database (read-only, tree-like structured data used by factory/service menu firmware functions). AFAIK, actual configuration settings (factory/service/special item values, user settings, panel hours counter, various TV calibrations etc.) are stored in a dedicated NVRAM/EEPROM chip connected to the I2C bus.
Configuration storage implementation in recent Samsung TVs is quite complex: there are settings cache[s], built-in "protections" and checksums, and somehow correlated file[s] stored in the NAND flash filesystem (i.e.: /mtd_rwarea/nvramCount: I'm not sure, is it a configuration backup, or maybe just an NVRAM checksum of some kind?).

Just to make things even more interesting, apparently there are some functions in the firmware for configuration cloning/storing/restoring (CCloneControlBase:: class in B-series, and CloneUSB:: class in C-series).

So far, it's not a well-researched topic; there may be some dangers involved; take care while experimenting!

Re: Hacking C series TV. It`s already done!

Posted: Wed Nov 03, 2010 10:03 pm
by timoo
btw
mtd_exe/rc.local

if [ -e /mtd_rwarea/start.sh ]; then
echo "user start.sh found!"
/mtd_rwarea/start.sh
else ...

We can start telnet etc. on every boot from start.sh, no need to insert a flash disk :)

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 1:07 am
by bastler0815
Hi
I also thought that the Model values are stored in an external memory device ...

Here I had posted a (low res) pic of the TV mainboard:

http://forum.samygo.tv/viewtopic.php?f= ... t=20#p6971

There are some ICs with 8 pins, but it is hard to say which could be "the one" ?! :)

Regards

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 8:52 am
by juusso
timoo wrote: btw
mtd_exe/rc.local
if [ -e /mtd_rwarea/start.sh ]; then
It is done unsuccessfully. The code was changed to:

Code:

export KF_LOG=/dev/null;/mtd_rwarea/SamyGO.sh&
And a dead c650 as the result.
The problem is that /mtd_exe is read-only, and changing something in exe.img is very dangerous, because checksums, hashes and something else are controlled by authuld. Another problem is that bml.restore does not work; we have stl.restore instead and an unknown method for flashing the changed image to the TV.

Code:

~ # stl.restore /dev/stl0/17 /dtv/usb/sda1/stl017
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
~ # cat /dev/stl0/17 > /dtv/usb/sda1/stl017_tst
~ # cat /dev/bml0/17 > /dtv/usb/sda1/bml017_tst
~ # sync
The stl 0/17 dump after reflash was identical to the changed one, but the bml dump was fully changed. After the command

Code:

mount -t rfs -r /dev/stl0/17 /mtd_exe/
the partition was mounted w/o errors, but after restart the TV goes into a reboot every 20s. :|

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 12:36 pm
by bastler0815
Hi,

as you take a look at the partition.txt there are 2 rootfs and kernel partitions ... so as written before it seems like a fallback option.
Here at the UE40C6700 the U-Boot partition also is empty.

Regards

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 12:53 pm
by juusso
Execute

Code:

toggle
in telnet. After reboot, your TV boots to the alternative partitions.

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 12:54 pm
by bastler0815
That's what I found in etc/rc.local

Code:

#############################emergency handling##############################
echo "Application running is failed..try to do emergency state handling"

if [ "$UseSecondPartition" = "true" ]; then
    if [ -e $PARTITION_CHECK_1ST ]; then
        echo "no sub SW image...going shutdown"
        $MICOM_BASE/shutdown
    else
#        echo "rollback to 1.."
        echo "current partition 2nd is corrupted. roll back to sub partition 1st"
        rm -f $PARTITION_VERSION_2ND
        touch $PARTITION_CHECK_2ND
        sync
        $MICOM_BASE/toggle
    fi
else
    if [ -e $PARTITION_CHECK_2ND ]; then
        echo "no sub SW image...going shutdown"
        $MICOM_BASE/shutdown
    else
#        echo "rollback to 2.."
        echo "current partition 1st is corrupted. roll back to sub partition 2nd"
        rm -f $PARTITION_VERSION_1ST
        touch $PARTITION_CHECK_1ST
        sync
        $MICOM_BASE/toggle
    fi
fi

echo "reboot system..."
$MICOM_BASE/reboot

#############################emergency handling##############################

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 5:05 pm
by erdem_ua
Congratulations, we have C series NFS share at least.
I moved this topic to new C series forum.
:)

Re: Hacking C series TV. It`s already done!

Posted: Thu Nov 04, 2010 8:30 pm
by timoo
juusso wrote:
timoo wrote: btw
mtd_exe/rc.local
if [ -e /mtd_rwarea/start.sh ]; then
It is done unsuccessfully. The code was changed to:

Code:

export KF_LOG=/dev/null;/mtd_rwarea/SamyGO.sh&
And a dead c650 as the result.
The problem is that /mtd_exe is read-only, and changing something in exe.img is very dangerous, because checksums, hashes and something else are controlled by authuld. Another problem is that bml.restore does not work; we have stl.restore instead and an unknown method for flashing the changed image to the TV.

Code:

~ # stl.restore /dev/stl0/17 /dtv/usb/sda1/stl017
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
~ # cat /dev/stl0/17 > /dtv/usb/sda1/stl017_tst
~ # cat /dev/bml0/17 > /dtv/usb/sda1/bml017_tst
~ # sync
The stl 0/17 dump after reflash was identical to the changed one, but the bml dump was fully changed. After the command

Code:

mount -t rfs -r /dev/stl0/17 /mtd_exe/
the partition was mounted w/o errors, but after restart the TV goes into a reboot every 20s. :|
Running /mtd_rwarea/start.sh was removed in later firmware; I found this piece of code in version 1008.3 :/
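
The rc.local fragments quoted in this thread run a script from the writable /mtd_rwarea partition at boot, so whatever can write to that partition is executed on every start. As an added example (not code from any poster or from the firmware), the shell function below flags such lines when auditing a boot script; the sample file is constructed from the two fragments quoted above, and `WRITABLE_PREFIX`, `audit_rc` and `write_sample_rc` are hypothetical names.

```shell
#!/bin/sh
# Added example: flag boot-script lines that execute a file from a writable area.
# WRITABLE_PREFIX is an assumption; set it to the writable mount being audited.
WRITABLE_PREFIX="${WRITABLE_PREFIX:-/mtd_rwarea/}"

# audit_rc FILE -> prints "LINENO:PATH" for every command word under the prefix.
# Paths that only appear as arguments (for example in a [ -e ... ] test) are not
# reported. Limitation: paths hidden behind variables are not resolved.
audit_rc() {
    awk -v pfx="$WRITABLE_PREFIX" '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
        # split the line into simple commands on ; & |
        n = split($0, cmds, /[;&|]+/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c)
            # drop leading shell keywords so the command word comes first
            while (c ~ /^(then|else|do|if|elif|while)[ \t]+/)
                sub(/^[a-z]+[ \t]+/, "", c)
            # "." and "source" execute their argument
            if (c ~ /^(\.|source)[ \t]+/) sub(/^[^ \t]+[ \t]+/, "", c)
            split(c, w, /[ \t]+/)
            if (index(w[1], pfx) == 1) print NR ":" w[1]
        }
    }' "$1"
}

# Constructed sample built from the rc.local fragments quoted in the thread.
write_sample_rc() {
    cat > "$1" <<'EOF'
# rc.local excerpt (constructed)
if [ -e /mtd_rwarea/start.sh ]; then
echo "user start.sh found!"
/mtd_rwarea/start.sh
fi
export KF_LOG=/dev/null;/mtd_rwarea/SamyGO.sh&
$MICOM_BASE/reboot
EOF
}

# Stand-alone use: sh audit.sh /path/to/extracted/rc.local
if [ -n "${1:-}" ]; then
    audit_rc "$1"
fi
```
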