Update: a working method of rooting ES series

[E3V3A]

@ thewalker3: +1 Photos are very useful, for everyone. Please try to provide some high-res closeups of major board components.

Also, do you have time to do anything in those 30s? Try factory reset a few times, but pulling the plug in between. (TV never dies unless you do that.) Sound like watchdog is going crazy, but I'm not sure its a good idea to kill watchdog (from Service menu) in this state. Someone else would have to chime in on this... Or see if you have time to start a firmware update via USB. (Use smallest possible increment.) Also, can you see from debug log (or post one) what is causing the reset?
[perhaps starting a new thread, as this is getting OT?]

[thwalker3]

Happy to upload a photo but I don't have edit rights on the wiki. Don't really want to upload it here as we are quite off-topic at this point. Maybe I'll start another thread in the HW section with the photos. Need to tend to holiday stuff now though.
As for the 30 seconds or so, nothing works in that time (exeDSP doesn't appear to have loaded yet). And since I cleared the eeprom, I don't have any serial output (even the unreadable garbled stuff I got before).

[xorloser]

Following up to what thwalker3 noticed about unsanitised Copy;
The code that get called to process the "Copy" is as follows:

Code: Select all

char buff[1024];
memset(buff, 0, 0x400);
PCString::Print(buff, "nice -n 19 cp -rf %s %s", filename1, filename2);
CMyPrint::DebugPrintf("copy: %s\n", buff);
if ( sef::CEmpTaskCameraApp::SystemCall(pThis, buff) )
{
	CMyPrint::DebugPrintf("Copy Result: PLR_FALSE\n");
	result = 0;
}
else
{
	sef::CEmpTaskCameraApp::SystemCall(pThis, "sync");
	sef::CEmpTaskCameraApp::SystemCall(pThis, "sync");
	result = 1;
}

So not only can you see that no sanitising occurs, it also has potential for buffer a overflow by using a filename longer than 1024 characters

[xorloser]

Ok so looking closer is *does* do some checks inside the SystemCall function. It checks that the string doesn't contain one of the 5 characters:

Code: Select all

;
'
&
|
"

So any strings that don't contain them will get past the checks.

[JoeyBiggins]

I am interested in how your root method works.

I think I understand it, but can I ask about the libm.so. Is that the libm.so from the glibc library with a modified inizialisation method or constructor to run the script on the usb? If so what is the entry point as id like to try it out for myself.

Thans Joey BB

[zarigo]

Thanks a lot. This method works 100% in Samsung 40ES5000W.

Please, is possible quit records drm? any hack yet?

Thanks a lot.

Regards from Spain

[yepp]

it is possible to execute ftp, telnet on TV startup ? without running hack widget every time.

[miazza]

Hello guys,

Sorry if I make a silly question but I'm a beginner.
I've spent few days in reading , I have a 46ES8000 , and I feel the need to have the TV compatible also with SMB.
After having done the rooting, is it possible to configure the TV set so that SMB is visible via LAN or Wi-Fi ?

Thanks for your patience.

miazza

[juusso]

sambe-server is included, you just need to enable it trough telnet (rename required file).

[miazza]

Thanks very much juuso.
I will start to read the way to do that and menwhile I will manufacture a serial cable to telnet the TV (or can I telnet it via Wi-Fi ?).
I'm not very skilled with linux command line and, as usual, I'm very carefull and I ready and I need to understand everything before to try

A last question if you are so kind:
Does it men that the TV will look also to my SMB server in the standard connection pop up ?

Ciao

miazza

To be continued here viewtopic.php?f=53&t=5797