BD-C6900 /mtd_exe Success modified :)


Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

BD-C6900 /mtd_exe Success modified :)

Post by Denny »

1. cat partition from stl0 u want to modify (i have used mtd_exe /dev/stl0/16), copy to PC.
2. toggle to old sw partition. (be sure both partitions are written!)
3. modify partition and pack it back with mksquashfs.
4. make on usb stick fw directory like B-BARBSPUSC
5. copy exe.img.mod in the created directory
6. run ./flash_c6900 /dtv/usb/sda1
7. when finished and all match, execute ./toggle_c6900

all tools included in zip. as i changed only mtd_exe i just wrote this part, other partitions need to be done!
also, when u are sure u know what u do, enable

Code:

//#define EXEC_SYSTEM  // ENABLE ME IF U REALY KNOW WHAT U DO!!!!!

the tool calcs new hash of flashed file and stores it in the correct partition.

if you dont know what to do, dont do anything, and take care before you manually execute the ./toggle_c6900 command. dont call me when u brick tv/bd


in the log cmac are almost same, coz i have reflashed the partition multiple times before i really toggled to changed partition.
this is my log:
i toggled the partitions and all went okay :)
just for fun i modified this part:

Code:

if [ -e /dtv/usb/sda1/myBoot.sh ]; then
        /dtv/usb/sda1/myBoot.sh
else
        cd /mtd_exe
        ./exeDSP
fi

source and rest can be downloaded here :

http://www.multiupload.com/TXGI8FQXQ0

now time to do T-VALDEUC :)

Denny

Code:

# ./flash_c6900 /dtv/usb/sda1

We have B-BARBSPUSC
Parition used 0
Parition 1 will be flashed

/dev/bml0/10

0 02726000 : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
1 0240c000 : 2c 23 83 1d 82 14 07 d1 80 60 78 90 c0 7d 4d 22
2 002f5e48 : 60 a8 d9 99 f3 b6 da 20 c5 8a 3e b2 05 6d 43 d6
3 003ff014 : b0 da c7 4b 78 a6 81 41 49 18 7c f4 d6 60 f1 f5
4 0001e276 : 7b ca 4c f5 f2 59 47 5a da c2 c5 79 65 d7 d6 f1
Opening /dtv/usb/sda1/B-BARBSPUSC/exe.img.mod
+---------------------------------------------------------------------+
|  stl.format : STL-level Partitioning Tool for Flash Block Devices   |
+---------------------------------------------------------------------+
This partition does not have GWL attribute
[Block size  : 512 KB]
[Total unit  :     90]
[Block Device Information for /dev/bml0/16]
--------------------------------------------
 Total number of sectors = 84992 (41 MB/45 MB)
--------------------------------------------
STL format complete.
+------------------------------------------------------------------------+
|  stl.restore : stl-level Partition Restore Tool for NAND Flash Memory  |
+------------------------------------------------------------------------+
  100%
All of the flash memory blocks have been restored successfully.
Verify /dev/stl0/16 2726000 , Please Wait....
Flash Write Verified!, calculate hash, please wait...
2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
New Hash : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
Write new hash
0 02726000 : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
1 0240c000 : 2c 23 83 1d 82 14 07 d1 80 60 78 90 c0 7d 4d 22
2 002f5e48 : 60 a8 d9 99 f3 b6 da 20 c5 8a 3e b2 05 6d 43 d6
3 003ff014 : b0 da c7 4b 78 a6 81 41 49 18 7c f4 d6 60 f1 f5
4 0001e276 : 7b ca 4c f5 f2 59 47 5a da c2 c5 79 65 d7 d6 f1
/dtv/usb/sda1/B-BARBSPUSC/cmac.bin
0 02726000 : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
1 0240c000 : 2c 23 83 1d 82 14 07 d1 80 60 78 90 c0 7d 4d 22
2 002f5e48 : 60 a8 d9 99 f3 b6 da 20 c5 8a 3e b2 05 6d 43 d6
3 003ff014 : b0 da c7 4b 78 a6 81 41 49 18 7c f4 d6 60 f1 f5
4 0001e276 : 7b ca 4c f5 f2 59 47 5a da c2 c5 79 65 d7 d6 f1
+----------------------------------------------------------------------+
| bml.restore : Low-level Partition Restore Tool for NAND Flash Memory |
+----------------------------------------------------------------------+
------------------  This is confirm message  ---------------------
/********  Check your options and selected partition  ***********/
Selected Flex-OneNAND device and 10 partition
  100%
All of the flash memory units have been restored successfully

0 02726000 : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
1 0240c000 : 2c 23 83 1d 82 14 07 d1 80 60 78 90 c0 7d 4d 22
2 002f5e48 : 60 a8 d9 99 f3 b6 da 20 c5 8a 3e b2 05 6d 43 d6
3 003ff014 : b0 da c7 4b 78 a6 81 41 49 18 7c f4 d6 60 f1 f5
4 0001e276 : 7b ca 4c f5 f2 59 47 5a da c2 c5 79 65 d7 d6 f1
Verify CMAC DATA!!!! if match with previus hit ./toggle_c6900 to switch paritions.
0 02726000 : 2b d1 26 04 d6 2a e1 8b 15 dd 4d fc 08 98 e4 3d
1 0240c000 : 2c 23 83 1d 82 14 07 d1 80 60 78 90 c0 7d 4d 22
2 002f5e48 : 60 a8 d9 99 f3 b6 da 20 c5 8a 3e b2 05 6d 43 d6
3 003ff014 : b0 da c7 4b 78 a6 81 41 49 18 7c f4 d6 60 f1 f5
4 0001e276 : 7b ca 4c f5 f2 59 47 5a da c2 c5 79 65 d7 d6 f1
#
# mount -t squashfs /dev/stl0/16 /dtv/usb/sda1/mtd_exe_mod
# ls /dtv/usb/sda1/mtd_exe_mod
BD_JAVA                ReleaseInfo            mtd_boot
Comp_LIB               SpecialItemNumber.txt  mtd_contents
EXE_IMG_VER            WIFI_LIB               prelink.cache
Factory_Part1.dat      cvmparam               prelink.conf
Factory_Part2.dat      ddr_margin             rc.local
InfoLink               exeDSP                 rc.local.rfs
JadeTarget             fpi.ko                 samdrv.ko
JadeTarget.cfg         libs                   stagecraft
LifeScenario           memalloc               value.bin
# cat /dtv/usb/sda1/mtd_exe_mod/rc.local
#!/bin/sh

echo "/mtd_exe/rc.local start !!!!!"

export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt

export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_exe/Comp_LIB:/mtd_exe/InfoLink/lib:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/Comp_LIB

#/sbin/usb_start.sh

insmod /mtd_exe/samdrv.ko
insmod /mtd_exe/fpi.ko

#mount -t squashfs /dev/tbml14 /mtd_appdata
#mount -t rfs /dev/stl0/17 /mtd_rwarea
#mount -t rfs /dev/stl0/16 /mtd_rwcommon

if [ ! -e /mtd_rwarea/ps ]; then
        mkdir /mtd_rwarea/ps
fi

#if [ ! -e /mtd_rwarea/ps ]; then
#       partition.erase /dev/bml0/25
#       stl.format /dev/bml0/25
#       fat.format -S 2048 -s 1 -F 32 /dev/stl0/25
#
#       echo "STL0/25 Patition Unformated : STL Format agaion...!!"

#       mkdir /mtd_rwarea/ps
#fi

if [ ! -e /mtd_rwarea/bd_local ]; then
        mkdir /mtd_rwarea/bd_local
fi

#if [ ! -e /mtd_rwarea/bd_vfs/bd_local ]; then
#       mkdir /mtd_rwarea/bd_vfs/bd_local
#fi

if [ ! -e /mtd_rwarea/vfs_p ]; then
        mkdir /mtd_rwarea/vfs_p
fi

#temp
#mkdir /mtd_rwarea/pstor
#mkdir /mtd_rwarea/pstor/bd_vfs
#mkdir /mtd_rwarea/pstor/bd_vfs/lstor
#mkdir /mtd_rwarea/pstor/bd_vfs/lstor/bd_local
#temp_end

#insmod /mtd_exe/usbabs.ko
#insmod /mtd_exe/wl.ko

# Set the default Time (2009. 1. 1. 1. 1). requested by JH.Yang. BD TC Disc Issue.
date 010101002010

echo "B-BARBSPUSC" > /dtv/info
echo 7 4 1 7 > /proc/sys/kernel/printk

sysctl -w kernel.msgmni=64

if [ -e /dtv/usb/sda1/myBoot.sh ]; then
        /dtv/usb/sda1/myBoot.sh
else
cd /mtd_exe
./exeDSP
fi

#
Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: BD-C6900 /mtd_exe Success modified :)

Post by juusso »

omg...
please, do not stop, keep working :)
LE40B653T5W,UE40D6750,UE65Q8C

DO NOT EVER INSTALL FIRMWARE UPGRADE
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: BD-C6900 /mtd_exe Success modified :)

Post by mirsev »

Hi Denny,

Now looking at your code... Good job! But please be careful: there are some bugs... They just have not yet manifested themselves but it is better to clean up the code.

For example, look at this:

Code:

void hash_stl(char *file , int len, unsigned char *hash ) {
    ...
    memset(hash, 0, sizeof(hash));

This will clear only 4 bytes of memory at the address hash. This is because sizeof(hash) in C is not the size of the array, but the size of the variable hash, which is a pointer (32 bits in this architecture). So, if you wish to clear 16 bytes, you will need to specify this as

Code:

memset(hash, 0, 16);

Another question: why do you use fread for files and read for devices? I think it is better to use read for both because it guarantees one by one data transfer between memory and devices and files, and also has less overhead because read/write goes directly to the kernel while fread/fwrite are buffered in the C library.

Well, this is not really important but it seems that using the same functions for files and flash memory just makes the code more coherent.

Then, in function verify_flash reading by just one byte is not a good idea. It is better and faster to read data by blocks and compare them by memcmp function.

By the way, you forgot to release the source code of toggle_c6900...

Your code is really nice because it shows how one can make custom firmware but it still needs some work. I think it is better to write such a program without explicit device names in the TV or player (/dev/bml0/N, etc.), but use variables holding these names. In this case you can substitute these devices by files on your PC, compile this program there with its native C compiler and run it on your PC to see if everything works as needed. This will reduce the probability to brick your TV or player.

I will look more in your code. At the time being please, take a look at this toolkit:

http://www.multiupload.com/MI03O2RSG6

I have collected others' work and also wrote something to study firmware parts, calculate hashes and to rebuild firmware partitions. Read carefully file README and script mknewfs.sh. I would appreciate if you could find any mistake. I'll wait for your comments. Thank you in advance.
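
The review points in the post above (read() for both files and devices, comparing block by block with memcmp, and passing paths in as variables so the check can be tried against plain files on a PC), shown as an added example that is not code from Denny's tool or mirsev's toolkit. The names verify_image, read_full and make_sample, the 4096-byte block size and the /tmp sample paths are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BLOCK 4096  /* assumed read size; not taken from the original tool */

/* read() may return fewer bytes than requested: loop until n bytes or EOF. */
static ssize_t read_full(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    ssize_t r = 0;
    while (got < n && (r = read(fd, buf + got, n - got)) > 0)
        got += (size_t)r;
    return r < 0 ? -1 : (ssize_t)got;
}

/* Compare the first len bytes of image and target block by block.
 * Both paths are parameters, so target can be a plain file on a PC.
 * Returns 0 = identical, 1 = differs or too short, -1 = I/O error. */
int verify_image(const char *image, const char *target, size_t len) {
    unsigned char a[BLOCK], b[BLOCK];
    int rc = 0, fa = open(image, O_RDONLY), fb = open(target, O_RDONLY);
    if (fa < 0 || fb < 0) rc = -1;
    while (rc == 0 && len > 0) {
        size_t want = len < BLOCK ? len : BLOCK;
        ssize_t ra = read_full(fa, a, want), rb = read_full(fb, b, want);
        if (ra < 0 || rb < 0) rc = -1;
        else if ((size_t)ra != want || (size_t)rb != want || memcmp(a, b, want)) rc = 1;
        len -= want;
    }
    if (fa >= 0) close(fa);
    if (fb >= 0) close(fb);
    return rc;
}

/* Constructed sample data: len pattern bytes, one byte flipped at flip_at (-1 = none). */
int make_sample(const char *path, long len, long flip_at) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (long i = 0; i < len; i++)
        fputc((unsigned char)((i * 31 + 7) ^ (i == flip_at ? 0xFF : 0)), f);
    return fclose(f);
}

int main(void) {
    make_sample("/tmp/exe.img.sample", 10000, -1);
    make_sample("/tmp/stl16.sample", 10000, 9000);  /* stand-in for the device node */
    printf("verify: %d\n", verify_image("/tmp/exe.img.sample", "/tmp/stl16.sample", 10000));
    return 0;
}
```

The length is passed explicitly because a partition is usually larger than the image written to it, so only the image's own byte count is compared.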

Re: BD-C6900 /mtd_exe Success modified :)

Post by Denny »

mirsev

ehhmm, right, this was just to show the right way how it can be easily done (in source code u have seen that i flash only /mtd_exe partition, and all others are disabled, which need to be done).

in case of bugs, possible some keystroke mismatch as i do it in late night time :) but no big problem.

read()/write() generally i use for devices, fread()/fwrite() i use for true files. but code can be modified as everyone wishes, that is why i publish it, so that someone continues work on it, as there are now few other points to be done, or after i finish these points that are waiting, i can come back and finalise flashing tools too.

the device names should be done like in flash_c8000 (structure), c6900 was just a 1st try, before i go really into TV.

in case of safety, u can really flash how much u want (flash reprogramming time limited) and check how many times u want, so basically, u can flash 100 times firmware and develop in BD/TV, no problem, just dont toggle partition if u dont have finished work and all hashes are correct. so, no big risk, until toggle.
same is valid for TV series, T-VALDEUC, and i think same way can be done in B series.

also, in TV, UE55C8000 for example, if u modify rootfs, you can mount mtd_exe as r/w fat and after mounting, u can replace files, without that authuld will do anything against. this trick i just forward by PM, as samsung can do something against by releasing next firmware.


Denny