Re: Possible root for J series!!??
Posted: Mon Nov 02, 2015 10:49 pm
NOsavan wrote: What you think guys??
Page 1 of 1
Re: Possible root for J series!!??
Posted: Wed Nov 04, 2015 10:36 am
if someone wants to play w/ sdb, here is a quick hack python script
for a list of "known" commands check:
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
-SecureCmdVer1_0.class
-NonSecureCmd.class
for a list of "known" commands check:
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
-SecureCmdVer1_0.class
-NonSecureCmd.class
SpoilerShow
Code: Select all
#!/usr/bin/env python
#
# quick hack sdb testing tool
# (c) 2015 bugficks@samygo
#
import os, sys, array
import socket
import binascii
import time
import ctypes
from ctypes import *
MAX_PAYLOAD=4096
A_VERSION=0x02000000
#define A_SYNC 0x434e5953
#define A_CNXN 0x4e584e43
#define A_OPEN 0x4e45504f
#define A_OKAY 0x59414b4f
#define A_CLSE 0x45534c43
#define A_WRTE 0x45545257
#define A_STAT 0x54415453
def hex2bin(s):
return binascii.unhexlify(s.replace(' ', ''))
def bin2hex(s):
return binascii.hexlify(s)
"""
struct amessage {
unsigned command; /* command identifier constant */
unsigned arg0; /* first argument */
unsigned arg1; /* second argument */
unsigned data_length; /* length of payload (0 is allowed) */
unsigned data_check; /* checksum of data payload */
unsigned magic; /* command ^ 0xffffffff */
};
"""
def chksum(cmd):
_sum = 0;
for c in cmd:
_sum += ord(c);
return _sum
def make_amessage(cmd, arg0=0, arg1=0, data=None):
ar = array.array('L', cmd + '\x00' * 5 * 4)
ar[1] = arg0
ar[2] = arg1
if data:
ar[3] = len(data) + 1
ar[4] = chksum(data)
ar[5] = ar[0] ^ 0xFFFFFFFF
if data:
return bin2hex(ar.tostring() + data + '\x00')
return bin2hex(ar.tostring())
def dump_packet(data):
ar = array.array('L', data[0:6*4])
print " %08x %s" % (ar[0], data[0:4])
for i in range(1,6):
print " %08x" % ar[i]
if ar[3] > 0:
payload = data[6*4:]
print ' payload:', payload
print ' hex', bin2hex(data), ''
return ar
def send(s, data):
print 'sending'
_data = hex2bin(data)
dump_packet(_data)
s.sendall(_data)
print ''
def recv(s):
print 'receiving'
try:
data = s.recv(1024)
dump_packet(data)
return data
except socket.timeout:
pass
print ''
def sdb_cmd(s, cmd):
cmd = make_amessage('OPEN', 1, 0, cmd)
send(s, cmd)
data = ''
while True:
data = recv(s)
if not data:
break
msg = array.array('L', data[:24])
arg0 = msg[1]
arg1 = msg[2]
cmd = None
if data[:4] == "OKAY":
cmd = make_amessage('OKAY', arg1, arg0)
if data[:4] == "CLSE":
cmd = make_amessage('CLSE', arg1, arg0)
#break
if data[:4] == "WRTE":
cmd = make_amessage('OKAY', arg1, arg0)
if cmd:
send(s, cmd)
SHELL_PROTOCOL = "shell:";
ROOT_SHELL_PROTOCOL = "sshell:";
"""
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
-SecureCmdVer1_0.class
-NonSecureCmd.class
cmd = make_amessage('OPEN', 1, 0, 'shell:2 mkdir -p /tmp/asd')
cmd = make_amessage('OPEN', 1, 0, 'shell:1 uname')
cmd = make_amessage('OPEN', 1, 0, 'shell:2 /bin/sh /opt/storage/usb/sda1/HACKED.txt')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 psinfo')
cmd = make_amessage('OPEN', 1, 0, 'shell:rpm -qa | grep sdbd')
cmd = make_amessage('OPEN', 1, 0, 'shell:/usr/bin/dlogutil')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getduid')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 rmfile /tmp/test')
cmd = make_amessage('OPEN', 1, 0, 'sysinfo:')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getappinstallpath')
cmd = make_amessage('OPEN', 1, 0, "shell:cat /proc/cmdline | grep 'vm_name' | wc -l")
cmd = make_amessage('OPEN', 1, 0, "root:on")
cmd = make_amessage('OPEN', 1, 0, "shell:0 getvmname")
cmd = make_amessage('OPEN', 1, 0, 'shell:0 applist')
"""
if __name__ == '__main__':
print "sdb tool (c) bugficks"
try:
cmd = sys.argv[1]
except:
print 'Usage: sdbtool.py "cmd" [ip]'
print ' sdbtool.py "shell:0 getduid"'
sys.exit(1)
print ''
try:
ip = sys.argv[2]
except:
ip = '192.168.1.12'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 26101))
s.settimeout(2.0)
cmd_connect = make_amessage('CNXN', A_VERSION, MAX_PAYLOAD, 'host::')
send(s, cmd_connect)
data = recv(s)
if data and data[:4] == 'CNXN':
sdb_cmd(s, cmd)
print 'exiting...'
SpoilerShow
Code: Select all
>sdbtool.py "shell:0 getduid" 192.168.10.10
sdb tool (c) bugficks
sending
4e584e43 CNXN
02000000
00001000
00000007
00000232
b1a7b1bc
payload: host::
hex 434e584e00000002001000000700000032020000bcb1a7b1686f73743a3a00
receiving
4e584e43 CNXN
01000000
00001000
00000013
00000548
b1a7b1bc
payload: device::UJU7500::0
hex 434e584e00000001001000001300000048050000bcb1a7b16465766963653a3a554a55373530303a3a3000
sending
4e45504f OPEN
00000001
00000000
00000010
00000588
b1baafb0
payload: shell:0 getduid
hex 4f50454e01000000000000001000000088050000b0afbab17368656c6c3a30206765746475696400
receiving
59414b4f OKAY
000000a1
00000001
00000000
00000000
a6beb4b0
hex 4f4b4159a1000000010000000000000000000000b0b4bea6
sending
59414b4f OKAY
00000001
000000a1
00000000
00000000
a6beb4b0
hex 4f4b415901000000a10000000000000000000000b0b4bea6
receiving
45545257 WRTE
000000a1
00000001
0000000f
00000411
baabada8
payload: AFCU6CTKYUHXU
hex 57525445a1000000010000000f00000011040000a8adabba5a50434a364f544559574858550d0a
sending
59414b4f OKAY
00000001
000000a1
00000000
00000000
a6beb4b0
hex 4f4b415901000000a10000000000000000000000b0b4bea6
receiving
45534c43 CLSE
00000000
00000001
00000000
00000000
baacb3bc
hex 434c534500000000010000000000000000000000bcb3acba
sending
45534c43 CLSE
00000001
00000000
00000000
00000000
baacb3bc
hex 434c534501000000000000000000000000000000bcb3acba
receiving
exiting...
Re: Possible root for J series!!??
Posted: Sun Nov 08, 2015 8:35 pm
Is diablocam (LAN or Wifi) compatible with J series?? Did you get oscam working properly?savan wrote:Hey thank you for this! Curently I payd for diablocam but I will play with sdb in any way. Do you know, is firmware have any security check for example brick after firmware modification, is firmware hashed on device? I can modify firmware on the device without brick?
Re: Possible root for J series!!??
Posted: Sat Nov 28, 2015 5:53 pm
Hi Savan can l get item is well ......
Re: Possible root for J series!!??
Posted: Sun Nov 29, 2015 10:20 am
Yes you canmedi wrote:Hi Savan can l get item is well ......
Re: Possible root for J series!!??
Posted: Sun Dec 06, 2015 10:29 pm
Hey, did you test this diablo thing, coz i see many consumers ahve issues with great heat and frezzsavan wrote:Got item and I can say its fully compatible and fully working!otloal wrote:Is diablocam (LAN or Wifi) compatible with J series??
Re: Possible root for J series!!??
Posted: Tue Dec 29, 2015 7:08 am
If anyone would like to get started writing some Java, the JAR is actually surprisingly simple to use:
Here's how I set up my project in IntelliJ 15:
And here's working code (note where I put the "shell:0 uname" string... thats where you can test some of the commands from the python script):
You can also call sdb shell, which just like running the command in a terminal, does nothing:
Here's how I set up my project in IntelliJ 15:
And here's working code (note where I put the "shell:0 uname" string... thats where you can test some of the commands from the python script):
Code: Select all
SmartDevelopmentBridge sdb = SmartDevelopmentBridge.createBridge("/Users/xxxxxx/samsung-tv-sdk/tools/sdb", true);
sdb.getStarted();
sdb.waitforStart();
IDevice[] devices = sdb.getDevices();
SocketChannel sc = sdb.openChannel();
System.out.println(devices[0].getAppInstallPath());
byte[] result = SdbHelper.sendServiceRequest(SmartDevelopmentBridge.getBridge(), (Device)devices[0], "shell:0 uname");
System.out.print(new String(result));
Code: Select all
SdbShellProcess shell = devices[0].executeShellCommand("ls");
shell.waitFor();
BufferedReader br = new BufferedReader(new InputStreamReader(shell.getInputStream()));
String line = null;
System.out.println("Output:");
while ( (line = br.readLine()) != null) {
System.out.println(line);
}
BufferedReader bre = new BufferedReader(new InputStreamReader(shell.getErrorStream()));
String errLine = null;
System.err.println("Errors:");
while ( (line = bre.readLine()) != null) {
System.err.println(line);
}
System.err.println("Error out complete");