2007.1 as preinstalled firmware (no alternate fw)

Posted: Tue May 04, 2010 11:13 am
by cyberdemon79
Hi there,

this is my first post on this forum and I would like to greet everyone
and thank you for the great job you're doing (this forum is one of the
reasons I bought a Samsung TV).

I created this topic, because there seems to be a huge difference if one
upgraded to 2007.1 or got a TV that had it already installed (with no alternate fw).

I recently bought a LExxB650, it's a CI+ model and came with 2007.1 preinstalled.
As I understand, it is not possible for me to downgrade the firmware,
because there are signature checks in place.
I have the ability to launch applications via the SEC_GAME-piggyback-method and
wrote a small program (shared library that can be loaded from the Game Menu)
which launches a file (called boot.elf) if it detects it on the usb stick
(it uses the system c-library function to do so). It seemed that I couldn't launch
my "games" from the usb stick directly, that is why I used this workaround.

I would like to know in which way this firmware has stricter security measures
than other firmwares (especially details about the signature check) and if it
would be possible to manually downgrade the firmware (does RSA Disabler
work (am I able to upload modified firmware) or will it accept the new firmware
but authld reboots ?).
If the latter is the case, what about patching authld (and also kernel-code which
verifies authid itself (before flashing, then using RSA Disabler to allow flashing)) ?
I'm very interested in developing for this platform (the decision to buy consisted
to a small part of wanting to watch tv and a major part of hacking curiosity ;) ).

If RSA Disabler won't work, wouldn't it be possible, to search the public key in
memory and replace it (directly in memory) with a self-generated public-key for
which we know the private key ?

Also, can anyone help me getting telnetd or dropbear to work via the Game Menu ?
Telnetd isn't on the tv at all (is this new in 2007.1 ?). My approach for now is
putting a busybox (which includes telnetd functionality) on my usb stick and trying
to launch it with my elf-loading-game-app. This doesn't seem to work but I don't
know how to detect why it doesn't work (no console = no output, and piping to a file yields empty files).

Thanks for now
and sorry for all the questions :)

cu Cyberdemon

Re: 2007.1 as preinstalled firmware (no alternate fw)

Posted: Tue May 04, 2010 10:43 pm
by erdem_ua
I have some ideas on this problem in my mind.
First problem is enabling telnet, which is already enabled on updated firmwares but not on new TVs. I thought before that placing busybox with a "game" would probably allow us telnet.
But this will not solve any problem. You can also flash older versions by hand, but authld will reboot the TV after 40 seconds, because we don't know where the hashes are stored nor how to compute them.

If you can locate where those hashes are stored and find out how we could compute them, then you can manually flash your TV with older firmwares.

One way to do that is taking a full flash image backup (/dev/tbmlc on my TV), then taking a full flash backup again after the version update, and looking at which areas have changed.
Since you wanted to go back to an older version, we can just copy the hash from another TV to your TV because it's the same image. There could be some glitches, which could also be cleaned up by verifying those hashes via multiple devices...

RSA Disabler just kills the RSA check and returns "true" for every input. So we can flash modified images with an incorrect RSA signature. We would need to place a program that does a similar thing for authld.
If we stop authld rebooting the TV, then we can flash the older version by hand, then flash the older version again via the TV's menu, which rewrites the correct hashes..

We cannot place a program similar to RSA Disabler for flashing on the latest firmware, because the flash upgrading process is altered on the latest firmwares and requires different keys...
There might be some booby traps on the TV too. We won't know exactly before falling into one of them...

I hope those help...

Re: 2007.1 as preinstalled firmware (no alternate fw)

Posted: Thu May 06, 2010 10:41 pm
by erdem_ua
I think it's possible to root the device via SamyGO Extensions with an SSH connection.
Telnet is not available on the TV but an SSH daemon is available on the expansion pack. So you can connect via SSH.
One user who is in the same situation is able to connect to their TV in the next topic.
Once you root the device, everything becomes possible with enough work.

Re: 2007.1 as preinstalled firmware (no alternate fw)

Posted: Fri May 07, 2010 12:17 am
by cyberdemon79
Hi there,

thanks, I'll look into that.
I had a look at the CI+ kernel sources (available at samsung.com) and it gives
some insight into the authuld firmware checking procedure. Samsung created
a custom kernel-menuitem called samsung in which they can enable authuld
checking and also specify a timeout after which the tv is told to reboot.
I currently haven't had the time to look deeper into that, but will do soon.
The init-daemon creates a kernel-thread, which passes a nonce (random
number to prevent replay attacks) to the authuld userland application
(btw, where does authuld come from, it seems not to be in the 2007.1 firmware upgrade),
authuld then checks the files and answers (via .uk file) with the nonce
and an appended return code (23 if I remember correctly).
The kernel thread reboots if the response isn't nonce+23 or if it doesn't
get a response after the defined time interval.
Rebooting itself is done through micom which seems to be a dedicated
embedded controller which controls low level functions of the tv (like
power up, reboot, waiting for a signal from the remote in standby).
It is kinda like the starlet of the Wii console.
Right after the reboot call to micom is a call to the panic() function
which initiates a kernel panic. This is why you can avoid the rebooting
of the tv, but it becomes unresponsive nonetheless.
I hope to find time to look into authuld soon.

cu
Cyberdemon
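The nonce handshake described in the last post, modelled as an added example (not code from the thread, the SamyGO project or Samsung's kernel sources): a kernel-side watchdog hands a random nonce to a userland checker, which answers with the nonce plus the return code 23, and the kernel treats a missing, late, malformed, replayed or non-23 answer as a failed check. The textual "<nonce> <code>" encoding of the .uk reply, the 40-second timeout and the LCG nonce source are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Values recalled in the post; the .uk encoding below is an assumption for this demo. */
#define AUTH_OK_CODE   23   /* return code appended on a successful file check */
#define AUTH_TIMEOUT_S 40   /* reboot timeout in seconds (assumed value) */

/* Hypothetical stand-in for the kernel's random nonce source (demo LCG only). */
static uint32_t next_nonce(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Userland side (models authuld): writes "<nonce> <code>" as the .uk reply. */
int authuld_reply(uint32_t nonce, int files_ok, char *out, size_t outlen) {
    int code = files_ok ? AUTH_OK_CODE : 0;   /* any non-23 code means the check failed */
    return snprintf(out, outlen, "%u %d", (unsigned)nonce, code) > 0;
}

/* Kernel-thread side: 1 = keep running, 0 = would call micom reboot and panic(). */
int kernel_check(uint32_t nonce, const char *reply, unsigned elapsed_s) {
    unsigned got_nonce; int got_code;
    if (elapsed_s > AUTH_TIMEOUT_S) return 0;                            /* no answer in time */
    if (reply == NULL) return 0;                                          /* no .uk file at all */
    if (sscanf(reply, "%u %d", &got_nonce, &got_code) != 2) return 0;    /* malformed reply */
    if (got_nonce != (unsigned)nonce) return 0;                           /* replayed or forged */
    if (got_code != AUTH_OK_CODE) return 0;                               /* files failed check */
    return 1;
}

/* One full exchange with the given check outcome and delay. */
int roundtrip(uint32_t nonce, int files_ok, unsigned elapsed_s) {
    char uk[32];
    authuld_reply(nonce, files_ok, uk, sizeof uk);
    return kernel_check(nonce, uk, elapsed_s);
}

/* Two boots: the genuine first reply passes, replaying it against the next nonce does not. */
int demo_replay_rejected(void) {
    uint32_t st = 12345u;                       /* constructed seed */
    char uk_old[32];
    uint32_t n1 = next_nonce(&st);
    authuld_reply(n1, 1, uk_old, sizeof uk_old);
    if (!kernel_check(n1, uk_old, 3)) return 0; /* fresh reply must be accepted */
    uint32_t n2 = next_nonce(&st);              /* next boot issues a new nonce */
    if (kernel_check(n2, uk_old, 3)) return 0;  /* stale reply must be rejected */
    return roundtrip(n2, 1, 3);                 /* a fresh reply for n2 passes again */
}
```

The replay case is the reason the post gives for the nonce: without it, one captured .uk answer would satisfy every later boot.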