C series shell input filtration removal

Here is information about customizing your C series firmware. This forum is NOT for dummy-user questions or problems, but for DEVELOPERS.

juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

C series shell input filtration removal

Post by juusso »

Hi,

One of the users reported that he found this on his C630 TV:
(spI Debug):

Code:

0 : Register & Physical Memory Read
1 : Register & Physical Memory Write
I doubt it, because there was research about that here without any success.
As you all know, this firmware is not hacked yet, and maybe enabling the shell is the way to do that.
Who could say what address to patch? Remember, we have the decrypted kernel to look at.

Edit: I checked the exeDSP of T-VAL6DEUC for the text string "Physical Memory Write" and there isn't any Memory Write (just Read).
But maybe the menu we are looking for is just hidden, because all menus are in this order:

Code:

0: Register & Physical Memory Read
2: 
And 1: is missing. Maybe input of 1 isn't disabled, just hidden somehow...?

Edit2:
===================================================================================
1. Searching for the string

Code:

013092E7042082E2040053E10200000A

in the kernel of C630 (T-VAL6DEUC-1012), compared to the kernel of B550 (bml5_B550CIP.zip), indicates that the address to patch is 0016DAAB, or in DRAM: 60175AAB (or close to it).
The string is not duplicated and is found in the C630 kernel only once.

2. Rvs2 suggests patching the kernel ...

Code:

ROM:0016DA98 E0 1D 9F E5                 LDR     R1, =0xC02FBF9C
ROM:0016DA9C 01 30 92 E7                 LDR     R3, [R2,R1]
ROM:0016DAA0 04 20 82 E2                 ADD     R2, R2, #4
ROM:0016DAA4 04 00 53 E1                 CMP     R3, R4
ROM:0016DAA8 02 00 00 0A                 BEQ     loc_16DAB8
ROM:0016DAAC 4C 00 52 E3                 CMP     R2, #0x4C ==19
ROM:0016DAB0 2E 03 00 0A                 BEQ     loc_16E770
ROM:0016DAB4 F7 FF FF EA                 B       loc_16DA98
All we need is to patch the kernel (change one value with a hex editor) at address 001EF38B:
original value: 0A
changed value: EA

EDIT: It works! :)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
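The search-and-patch step from the post above, as an added C example that is not part of this thread or of any SamyGO tool: it locates the 16-byte pattern 013092E7042082E2040053E10200000A in a raw kernel image, refuses to patch unless the pattern occurs exactly once, flips the condition field of the BEQ (high nibble of the last byte 0A, cond EQ) to AL (EA) so the branch to loc_16DAB8 is always taken, and models the loop from the listing as a scan over a 19-entry table (R2 stepping by 4 up to 0x4C). Assumptions, all mine: the image is uncompressed so the pattern can be searched for, the file offset of the match is the offset to patch, the table holds whitelisted input values (the demo table contents below are constructed, not the TV's), and the function and file names are invented for the example.

```c
/* Added example: locate the input-filter loop in a raw C-series kernel image
 * by the byte pattern from the thread and turn its BEQ into an unconditional B.
 * Assumes an uncompressed image in which the pattern occurs exactly once. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 013092E7 042082E2 040053E1 0200000A as little-endian ARM words:
 *   LDR R3,[R2,R1] / ADD R2,R2,#4 / CMP R3,R4 / BEQ +2 words
 * The cond field of the BEQ is the high nibble of its last byte (0x0A). */
static const uint8_t KSIG[16] = {
    0x01,0x30,0x92,0xE7, 0x04,0x20,0x82,0xE2,
    0x04,0x00,0x53,0xE1, 0x02,0x00,0x00,0x0A };
#define KSIG_LEN  16
#define COND_BYTE 15          /* offset of the BEQ's cond/opcode byte in KSIG */
#define TABLE_END 0x4C        /* CMP R2,#0x4C: 19 entries of 4 bytes */

/* Count occurrences of KSIG in img; *first receives the first offset. */
size_t find_sig(const uint8_t *img, size_t len, size_t *first)
{
    size_t n = 0;
    for (size_t i = 0; i + KSIG_LEN <= len; i++)
        if (memcmp(img + i, KSIG, KSIG_LEN) == 0 && n++ == 0)
            *first = i;
    return n;
}

/* 0 on success (*off = patched byte offset); -1 pattern absent,
 * -2 pattern not unique, -3 byte at the patch site is not a BEQ. */
int patch_beq_to_b(uint8_t *img, size_t len, size_t *off)
{
    size_t first = 0, n = find_sig(img, len, &first);
    if (n == 0) return -1;
    if (n > 1)  return -2;
    uint8_t *b = img + first + COND_BYTE;
    if ((*b >> 4) != 0x0 || (*b & 0x0F) != 0x0A) return -3; /* EQ + B only */
    *b = (uint8_t)((*b & 0x0F) | 0xE0);   /* cond AL: 0x0A -> 0xEA */
    *off = first + COND_BYTE;
    return 0;
}

/* Model of the loop in the listing: scan table[0..18] for R4 (ch); a hit
 * takes BEQ loc_16DAB8, exhausting the table takes BEQ loc_16E770. With the
 * patch the first BEQ is always taken. Treating it as a whitelist is an assumption. */
int filter_accepts(const uint32_t *table, uint32_t ch, int patched)
{
    for (size_t r2 = 0; r2 < TABLE_END; r2 += 4)
        if (patched || table[r2 / 4] == ch) return 1;
    return 0;
}

/* Constructed demo table (not the TV's real one): '0'..'9' and 'a'..'i'. */
const uint32_t DEMO_TABLE[19] = {
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f','g','h','i' };

/* Constructed image: filler bytes with KSIG embedded at offset at.
 * Returns the offset the patch is expected to land on. */
size_t build_sample_image(uint8_t *buf, size_t len, size_t at)
{
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(0xA5 ^ (i * 7));
    memcpy(buf + at, KSIG, KSIG_LEN);
    return at + COND_BYTE;
}

/* Runs the patcher on a constructed image; returns 1 when every check holds. */
int selftest(void)
{
    uint8_t img[4096];
    size_t want = build_sample_image(img, sizeof img, 0x800), off = 0;
    if (patch_beq_to_b(img, sizeof img, &off) != 0 || off != want) return 0;
    if (img[off] != 0xEA) return 0;                            /* 0A -> EA */
    if (patch_beq_to_b(img, sizeof img, &off) != -1) return 0; /* already patched */
    memcpy(img + 0x100, KSIG, KSIG_LEN);
    memcpy(img + 0x900, KSIG, KSIG_LEN);
    if (patch_beq_to_b(img, sizeof img, &off) != -2) return 0; /* ambiguous */
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s kernel.bin out.bin\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *img = malloc((size_t)sz);
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { perror("read"); return 1; }
    fclose(f);
    size_t off = 0;
    int rc = patch_beq_to_b(img, (size_t)sz, &off);
    if (rc != 0) { fprintf(stderr, "not patched (rc=%d)\n", rc); return 1; }
    printf("patched byte at file offset 0x%zX: 0A -> EA\n", off);
    FILE *o = fopen(argv[2], "wb");
    if (!o || fwrite(img, 1, (size_t)sz, o) != (size_t)sz) { perror(argv[2]); return 1; }
    fclose(o); free(img);
    return 0;
}
```

Usage: `./kpatch bml9.dmp bml9.patched`. The tool reports the file offset at which the match was found rather than a fixed address, which is why the post gives a ROM address (0016DAAB) and a different offset in the image file (001EF38B); the uniqueness check is what keeps a stray match from patching the wrong word. As the thread stresses, the patched image still needs the matching hash/signature partition before it can be flashed.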
erdem_ua
SamyGO Admin
Posts: 3125
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: C series shell input filtration removal

Post by erdem_ua »

Wow, it's good. :)
I think it could be published. Also in the wiki.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: C series shell input filtration removal

Post by juusso »

I can confirm it works 100%. Tested with T-VALDEUC, VAL6DEUC, VALAUSC.
tempinbox
Posts: 317
Joined: Wed May 11, 2011 7:00 pm

Re: C series shell input filtration removal

Post by tempinbox »

How do I do this and get a full console over Ex-Link?
I tried various methods but without success. Could someone explain to me how to get the full console? My TV is T-VALDEUC,
fw 3015. Please help.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: C series shell input filtration removal

Post by juusso »

1. You need a patched kernel (from T-VALDEUC, not from VAL6!).
2. You need to calculate the proper hash of the patched kernel and create a sign0 (or sign1) partition image.
3. Flash the kernel and signature partitions over telnet.

If you give me dumps:
Connect USB, check if it mounts as sda1; if not, correct the commands below.
Run them one by one.

Code:

bml.dump /dev/bml0/9 /dtv/usb/sda1/bml9
bml.dump /dev/bml0/10 /dtv/usb/sda1/bml10
cat /proc/cmdline > /dtv/usb/sda1/cmdline
Attach those three files here please, I'll give you the patched kernel and signature files + instructions ;)
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: C series shell input filtration removal

Post by E3V3A »

I'd like to try this kernel patching on the ES model.
I tried with the exeDSP, but I see you're using "Image" here. Which should I use?
Any suggestions?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: C series shell input filtration removal

Post by juusso »

But keep in mind, you have to not only patch the kernel, but also correct the hashes so the TV doesn't get bricked. AFAIK this way to patch is valid for the VAL* family.
Sure, you can check the kernel sources in IDA and check what the address to patch is. By the way, the memory write option is removed/hidden, so how else do you plan to patch the kernel than by reflashing the needed images using telnet? If you aren't ready to bring the TV to service repair, don't do this. I told you already about all the dangerous stuff Samsung made to prevent firmware modifications.
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: C series shell input filtration removal

Post by E3V3A »

I have moved all my ES series shell patching discussion to this thread:
[DEV] Full Shell Access (ES 5/6 series) [wanted]

PS. I was able to use devmem once ... then it stopped working. :/
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
tempinbox
Posts: 317
Joined: Wed May 11, 2011 7:00 pm

Re: C series shell input filtration removal

Post by tempinbox »

juusso wrote:
1. You need a patched kernel (from T-VALDEUC, not from VAL6!).
2. You need to calculate the proper hash of the patched kernel and create a sign0 (or sign1) partition image.
3. Flash the kernel and signature partitions over telnet.

If you give me dumps:
Connect USB, check if it mounts as sda1; if not, correct the commands below.
Run them one by one.

Code:

bml.dump /dev/bml0/9 /dtv/usb/sda1/bml9
bml.dump /dev/bml0/10 /dtv/usb/sda1/bml10
cat /proc/cmdline > /dtv/usb/sda1/cmdline
Attach those three files here please, I'll give you the patched kernel and signature files + instructions ;)
I tried to do the dump but I get

Code:

/mtd_rwarea/sh: bml.dump: not found
So how can I do this?
I also tried the patch serial_unlock_arm.SGO_ext.tar but it seems not to work on the serial shell of tdm:

Code:

dtv/usb/sda1/SamyGO/etc/init.d # ./01_01_serial_unlock.init start
/dtv/usb/sda1/SamyGO/etc/init.d # RVR DRM Code not Found! or alredy Disabled , Suck Samsung

But after that I can input only 123456789abcdef
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: C series shell input filtration removal

Post by juusso »

Just checked, there is no bml.dump tool on your TV. Not a big problem, use dd instead:

Code:

dd if=/dev/bml0/9 of=/dtv/usb/sda1/bml9.dmp
dd if=/dev/bml0/10 of=/dtv/usb/sda1/bml10.dmp
