Re: Hacking C series TV. It`s already done!
Posted: Sun Nov 07, 2010 4:44 pm
by bastler0815
otn key ?
Re: Hacking C series TV. It`s already done!
Posted: Sun Nov 07, 2010 5:06 pm
by timoo
test.samsungotn.net - otn - online update
Re: Hacking C series TV. It`s already done!
Posted: Mon Nov 08, 2010 1:09 pm
by timoo
this key is used for some authenticating with samsung servers etc. ... key for decrypting firmware is read from cmackey partition (imho bml11) and then decrypted to something like
Old B-Series Key:
A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71
is never visible in clean text (in exeDSP), and never logged (imho)
Re: Hacking C series TV. It`s already done!
Posted: Tue Nov 09, 2010 1:44 pm
by timoo
as i said,
from my dump
<noticeinfo regist_num="834" url="http://test.samsungotn.net/openapi/tv/T ... 622/notice" m_url="http://test.samsungotn.net/openapi/tv/T ... 2/m_notice" cipher="aes-128-cbc" pass="DOVL5T:4236a401-835a-457d-80c1-798fffc0de06-f7bc11e5-ab08-4d58-bca4-c7bb9a7666ea" pass_dgst="SHA1" substitute="yes" />
key is from otn update server
/dev/bml0/9 262144 NONE BML OTHER SECUREMAC0 NONE 262144 NONE NONE
/dev/bml0/10 262144 NONE BML OTHER SECUREMAC1 NONE 262144 NONE NONE
/dev/bml0/11 262144 key.bin BML OTHER SECUREMAC2 NONE 262144 NONE NONE
bml11 has an encrypted 20-byte length key -> F0F0FEFA6B3D8D27EFD36D2F57396C09015B686B
SECUREMAC0(bml9) and SECUREMAC1(bml10) contain hashes checked by authuld
Re: Hacking C series TV. It`s already done!
Posted: Tue Nov 09, 2010 11:11 pm
by arris69
alexscaliante wrote:Hi guys,
I'm new to the forum, but i've been following it before and after i acquired my LE40C650 (firmware 1003). I've been able to get SSH access and to mount my NFS share by following the instructions here and later using the SamyGO Extensions from the other topic on the C series forum.
I was also able to get my NFS mount on a "virtual usb" by using the method arris described (usblog), just changing the path and the FileSystem to nfs:
arris69 wrote:
...
nice, work this for windows shares too? can you test it pls.?
alexscaliante wrote:
Also, on my TV, the mtd_exe/rc.local file contains the piece of code that timoo mentioned. But as you look on the script, only the start.sh would be executed if it exists on the mtd_rwarea, and the rest of the initiation script (including the call to exe_DSP) would be skipped (whatever comes after the else).
timoo wrote:
...
My question is: wouldn't there be a problem or even maybe be dangerous to create a start.sh and thus, skipping the rest of the rc.local script? I'm not sure what would happen if exe_DSP doesn't get executed on the initiation of the TV... timoo, you said you tested creating the start.sh script, and you had no problems with the rest of the rc.local? I'm afraid to screw up the init script and somehow lose access to the TV (sorry for the maybe noob question)
Regards,
Alex
depends from where and how the /mtd_exe/rc.local is called. on b series its from /mtd_boot/rc.local.
so if your user script ends or exits it can cause an emergency handling in previous script, and if you don't start exeDSP from user script it may also trigger the watchdog.
summary: if you like to use /mtd_rwarea/start.sh script i recommend also to start exeDSP from it (as last command, and NOT in background). exeDSP needs also environment variables so be careful.
hth
arris
Re: Hacking C series TV. It`s already done!
Posted: Wed Nov 10, 2010 1:30 am
by timoo
forget start.sh, now it's dangerous to run code it, maybe in future, better from usb, you can always unplug
Re: Hacking C series TV. It`s already done!
Posted: Thu Nov 11, 2010 2:45 am
by bastler0815
Hi,
did anyone around here test the "10041004" at the Serial console of a UExxCxxxx ?!
So far I have no response at the Serial console even with "touch /dtv/debug_on" ... is there probably another "login" for the Serial Console needed ?! even zepping with # and enter doesn't work here ...
Regards
Bastler
Re: Hacking C series TV. It`s already done!
Posted: Thu Nov 11, 2010 4:45 am
by bastler0815
HI rob,
what did you mean with "(read 32c6800)" !?
As I said I tried here but nothing happens .... tried at the internal Serial port of the PC and with a USB2Serial converter but nothing happens when entering "10041004" -> Enter ..... and after this changing channels with keyboard also doesn't work !?
I'm using hyperterminal ... with configuration 115200 8N1 and hardware flow control off ...
The Log is there but nothing seems to be happening ... what firmware version are you running ?? Here 1014 is at the TV .
Regards
Bastler
Re: Hacking C series TV. It`s already done!
Posted: Thu Nov 11, 2010 1:25 pm
by bastler0815
Hey Guys,
Ok I got it working ... was my fault, I think the almost 5m of VGA extension cable was a little bit toooo much for the TTL level to TV, receiving the log was without problems but sending to TV seemed to be not working with the length of this cable ^^
So thx for all the replies finally got it sorted out ... and also the TTL level adaptor is working fine
Now as written before ... some more options would be great
Regards, Bastler
Re: Hacking C series TV. It`s already done!
Posted: Sat Nov 13, 2010 1:32 am
by bastler0815
Hi,
hmm the last days I was looking around where the information about the TV and which features are enabled were stored, but so far I didn't find anything
It was mentioned that there possibly is an external I2C Eeprom which contains the data about the TV, did anyone find some more infos about this ? (probably Service Manual is available) or is there somewhere a routine which accesses an external Eeprom ... and from where is the Service Menu executed ? or where is the binary for this located ? If an Eeprom exists it must be reachable from the Service Menu, or am I wrong ??
Regards, Bastler