Patching exeDSP

Here is information about customize your C series firmware..:!:This forum is NOT FOR DUMMY USERS questions or problems but DEVELOPER.

hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Patching exeDSP

Post by hedak » Sun Feb 16, 2014 9:09 pm

Hallo again,

i wanted to share some information/progress i made patching exeDSP (of my UE46C700 FW T-VALDEUC-3011.0):

It started when i read the init scripts of SamyGO. In 01_01_catch_crap.init i stumbled across the line 'bin/busybox date -s "2011-06-23 13:45:00"'. After doing some research getting the current time was possible via NTP only. But as i have my tv not connected to internet that was no option for me. Anyway it was strange to me that the tv's screen was able to display the current time pressing the INFO key on the tv remote, but the os (linux) still runs in 1980 starting from boot :?

So i patched some unimportant lines of code (primary printf's in pvr functionality) to write the real date/time received from tv signal via exeDSP in a new file in /mtd_rwarea/ containing the result of asctime(). After one hard week of writing assembler/machine code i finally succeeded to even do that automatically once during boot before usb mount/SamyGO's start :)

Whilst testing i stumbled across a 'feature' i had never recognized before: i could record only some of the free broadcasted digital channels I could record some broadcasts (shows) of the free broadcasted digital channels while others on the same channels couldn't be recorded due to channel regulations (pop-up on tv screen) (without using CI/CI+). I could see one printed line to be different dependend on this limited channels broadcasts. As i wrote it took me one week to get my goal working and incidentally this line was just 10 to 20 instructions away from my code... So i just changed one 'bne' to 'b' without thinking about it a long time and unexpectedly the 'feature' has gone.

If anyone is interested in some details to the first part just let me know! (The second part might be guessed knowing this information)

PS: the next step will be to get the date/time using samyGOso without patching exeDSP in flash.

EDIT: Attached dif file without patched limiting channel 'feature' limiting broadcast recording 'feature'. You can use the python script mentioned here (http://marcoramilli.blogspot.de/2011/01 ... a-pro.html) to patch the original file (MD5: FEB488C71ED8CDFE62D9ECA738ACD2DD) calling it like this:

Code: Select all

idadif.py exeDSP exeDSP.dif
EDIT2: corrected my statement about the limiting broadcast recording 'feature'
You do not have the required permissions to view the files attached to this post.
Last edited by hedak on Fri Mar 07, 2014 8:28 pm, edited 3 times in total.

User avatar
greenhorn
SamyGO Project Donor
Posts: 686
Joined: Wed Feb 15, 2012 3:05 pm
Location: Eastern Europe

Re: Patching exeDSP

Post by greenhorn » Sun Feb 16, 2014 9:32 pm

Interesting... Could you please share...?
TV: UE40F7000 - T-FXPDEUC-1115.0 - SamyGO Extensions on F series
TV: UE55ES7000S - T-ECPDEUC-2003.4 - SamyGO tool Right from USB - no develop account is needed
TV: UE40C6710 - T-VALDEUC 3011 - Hacking TV over Hotel mode (C650 T-VALDEUC-3009.2)
BD-Player: BD-E6100 - B-FIRBPEWWC 1063.3 - rooted, no more Cin@vi@
NAS: CIFS: MAG250 NFS: Playon!HD

Mkò
Posts: 199
Joined: Fri Jul 29, 2011 2:34 pm

Re: Patching exeDSP

Post by Mkò » Sun Feb 16, 2014 11:24 pm

Please share info and patch. Did you have a working samygo.so for c series? If yes share it please
I don't understand very well what you've done.

User avatar
juusso
SamyGO Moderator
Posts: 9949
Joined: Sun Mar 07, 2010 6:20 pm

Re: Patching exeDSP

Post by juusso » Mon Feb 17, 2014 1:47 pm

hedak wrote:If anyone is interested in some details to the first part just let me know! (The second part might be guessed knowing this information)
PS: the next step will be to get the date/time using samyGOso without patching exeDSP in flash.
Sure, dude, never ask such kind of questions here, we`re always interested in paching/modifying exeDSP whatever series it was :)

cmon ;)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. Imagerooting K seriesImage, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Re: Patching exeDSP

Post by hedak » Mon Feb 17, 2014 7:37 pm

Ok, i will explain in detail, but first i will quote erdem_ua:
If you download a program, EULA will say something about "disassembling, decompiling, reverse engineering is prohibited".
But there is no string about on firmware download pages of Samsung. And again no such a string in Firmware image or inside of exeDSP (A.F.A.I.K). So Samsung doesn't say a word about it. [..] is free software and we don't sell this content with money. We also don't distribute Samsung's modified firmware too. Only thing we made is researching and trying to fix our devices.
What's the goal:
Let exeDSP output the current time into a file that can be read via any script.

What tools/resources did i use:
HxD
IDA 6.4 Demo
Windows calculator ;)
ARM ? Architecture Reference Manual ARM ? v7-A and ARM ? v7-R edition (ARM DDI 0406B)
Procedure Call Standard for the ARM ? Architecture (ARM IHI 0042E)
a famous search web page

Some hints:
ATM this is for devs only!
In this post i have posted my code only (no original code).
Remember that IDA adds an offset of 0x8000 to .text section (or all?) relativ to the real file offset in hex editor.
Using the IDA demo version you are not able to save modifications (you can modify instructions using the menu 'Edit->Patch Program->Change Byte'). So i changed the machine code using 'Change byte' in IDA and checked IDA's resolved asm instruction. If correct i used a hex editor to apply the patched machine code in exeDSP (remember the 0x8000 offset).

How to start:

Look at the original exlink output excerpt when recording is started (on unlimited channels at digital channels allowing to record the current broadcast/show) via tv's remote:

Code: Select all

!!------!![SSPVR_ERROR][SsPvrManager.cpp:RenameRecordFile():5136] Error : IsFileExist() failed 

[PvrAppDrm] Current = 1391798775,  Fri Feb  7 18:46:15 2014
[PvrAppDrm] Uri = 0
[PvrAppDrm] Able to Record (emi = 0)
[PvrDRM] Send ci info  ( SSPvrManager --> PvrDrmManager ) filename(/dtv/usb/sdb/CONTENTS/20140207194613.tmp)



 _______ REC STR OPEN (/dtv/usb/s#########SETTING THE CODEC TYPE 0

db/CONTENTS/20140207194613.tmp, 1, 5b)
The second line already shows what i wanted to get.

How to go on:

I fired up IDA and set up the ARM architecture options using the infos from http://www.arm.com/products/processors/ ... fications+ related to the processor i got from the file /sys/selp/vd/lspinfo/board_name:

Code: Select all

Samsung ARMv7 Cortex-A8 Processor
Also i enabled all options except
ARM specific options: 'Disable pointer dereferencing', 'Enable Macros', 'No automatic ARM-THUMB switch', 'Disable BL jumps detection',
options 1: 'Delete instructions with no xrefs', 'Convert 32bit instruction operand to offset', 'Create offset if data xref to seg32 exists' and
options 2: 'Control flow to data segment is ignored'.

Then i let it run A WHOLE DAY until the green 'LED' below menu 'Help' turned green (see screenshots, working while its yellow is annoying as IDA takes a lot of cpu processing time/ressources). BTW i didn't shutdown my laptop since that day, just used hibernating to prevent form stressing my pc once more ;)

Looking for '[PvrAppDrm] Current =' you'll find one string with two reference to subs. I concentrated on the sub also using the string '[PvrAppDrm] Uri ='. The pseudo c code of the relavant code (i don't want to post original code here) is:

Code: Select all

char* sTime;
ulong* rawTime;
GetSystemInfoTime(rawTime, 0);
sTime = asctime(localtime(rawTime));
// in asm here is register and stack handling
printf("[PvrAppDrm] Current = %llu, %s", *(ulonglong*)(&rawTime), sTime); // notice the format specifier of 'Current' is '%llu', that specifies a 64 bit value (two registers)
// in asm here is register and stack handling
printf("[PvrAppDrm] Uri = %d", some_register);
// in asm here is register and stack handling
loc_13BCD24();
// UNMODIFIED FROM HERE, but limiting broadcast recording 'feature' is implemented here
// in asm here is register and stack handling
// two compares in a row
// if not equal jump to loc_13BCD14 and print '[PvrAppDrm] Able to Record (emi = %d)'
// else print '[PvrAppDrm] NOT able to Record (emi = %d)'
In asm there's a lot of register handling for assigning function arguments and saving return values, which i reduced. The second printf() was unneccessary and could be modified. Also i removed a following branch to 'loc_13BCD24' where something is ignored only: '[PvrAppDrm] ignore default uri (0x%.2x) value and set copy-free value(0x%.2x)'. This string was only used there and this very small function was referenced only once, so i reused its string as filepath of the new file. So i finally had exactly 10 instructions for modifying.

The main information here is: There's a class method 'GetSystemInfoTime' that writes the current time at the address the first argument (i.e. 'rawTime') points to.

How to implement:

The main part was replacing the first printf() with fprintf(). fprintf() writes a string buffer into a file. As no file was opened in this sub i had to do that. Creating a file implies fopen() and fclose(). fopen() needs two arguments (string pointer): filepath and open mode. Therefor i used some strings being used in failure cases only. The returned FILE pointer is used by fclose() and fprintf(). The difference from printf() to fprintf() is that fprintf() has one additional argument being the first one and followed by the same arguments as printf()'s. So the modified pseudo code looks like this:

Code: Select all

char* sTime;
ulong* rawTime;
GetSystemInfoTime(rawTime, 0);
sTime = asctime(localtime(rawTime));
// reduced asm register handling: not assigning value of registers for '%llu'
fopen(<static_filepath>, <static_mode>); // return value is stored in R5
fprintf(R0/R5, "[PvrAppDrm] Current = %llu, %s", *(ulonglong*)(&rawTime), sTime); // hint: value of R0 and R5 are the same before this call
fclose(R5);
// reduced asm register handling
// no call to loc_13BCD24() anymore (so in this sub 6 more instruction were free to use)
// UNMODIFIED FROM HERE, but limiting broadcast recording 'feature' is implemented here
// in asm here is register and stack handling
// two compares in a row
// if not equal jump to loc_13BCD14 and print '[PvrAppDrm] Able to Record (emi = %d)'
// else print '[PvrAppDrm] NOT able to Record (emi = %d)'
Finally the resulting asm code looks like this (see comments):
record_sub_patched.png
(the main part was calculating the machine code for the new asm instruction, especially the offsets for the branch calls)
The equivalent machine code looks like this (one instruction is 4 Byte, little endian):
record_sub_patched_machine.png
From now on any time recording is started the new file is created containing the string created by asctime().

How to run at boot:

The next goal was creating this file automatically (in best case during boot before SamyGO scripts start). So i combed through the exlink boot output once more to find a good place for calling the modified code. Finally i found and used the following:

Code: Select all

		 +----------------------------------------------------------+
		 |                                                          |
		 |   Congratulations : All RUIS threads are terminated!!!   |
		 |                                                          |
		 +----------------------------------------------------------+

Here i had 10 instructions to modify (5 times loading a register and branching to puts()). But to see that this stuff was still called/working i wanted to keep the puts() of string containing 'Congratulations'. So 8 instruction were left to modify. What i had to do was calling the function already modified AND branching back. The latter one was the hard part is i had just one instruction left to modify in the already modified funtion. So that line had to be a branch to the 'Congratulations' sub and the 'Congratulations' sub had to decide whether to branch back (recording) or proceed executing (boot process). See the following illustration:
process_flow.png
The decission whether to branch back (recording) or proceed booting is done via the value of R8.:
At booting when entering the 'Congratulations' sub i assign the value 0xAB to R8. Then its branched in the recording sub (but not at its top) where R8 is NOT modified anymore. After fprinting and branching back to the 'Congratulations' sub R8 is still 0xAB. So we know it's the booting process and don't branch back to the recording function.
At recording the recording sub in its beginning assigns something to R8 (which is most probably not 0xAB; above the my modified code). After fptinting and branching to the 'Congratulations' sub R8 is NOT 0xAB, so it's branched back to the next instruction in the recording function and the original code is processed as before.

The asm code looks like this:
congratulations_sub_patched.png
The equivalent machine code looks like this:
congratulations_sub_patched_machine.png
I hope this is at least al little bit comprehensible!
(It's really hard to write down the learning progress and it's result of nearly two weeks)

PS: Tomorrow i will post how to fail safe test the patched exeDSP (edit: need more time to describe how to modify /mtd_exe)
PPS: if you look at my pseudo code and i tell you that the limiting channel 'feature' limiting broadcast recording 'feature' results in printing '[PvrAppDrm] NOT able to Record (emi = 3)' then you could know which 'bne' (xx xx xx 1A) i talked about in my first post to replace with a 'b' (xx xx xx EA)

EDIT: attached dif file to first post (dif is without patched limiting channel 'feature' limiting broadcast recording 'feature')
You do not have the required permissions to view the files attached to this post.
Last edited by hedak on Fri Mar 07, 2014 8:23 pm, edited 2 times in total.

Mkò
Posts: 199
Joined: Fri Jul 29, 2011 2:34 pm

Re: Patching exeDSP

Post by Mkò » Mon Feb 24, 2014 8:58 pm

am i wrong or the replacing 1a to ea is related to disabling pvr encrypion? remember that times ago i read something about it on wiki.

User avatar
juusso
SamyGO Moderator
Posts: 9949
Joined: Sun Mar 07, 2010 6:20 pm

Re: Patching exeDSP

Post by juusso » Mon Feb 24, 2014 9:26 pm

omg, hedak, i missed your post since weeks! nice tutorial, needed to be on wiki :)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. Imagerooting K seriesImage, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

Mkò
Posts: 199
Joined: Fri Jul 29, 2011 2:34 pm

Re: Patching exeDSP

Post by Mkò » Tue Feb 25, 2014 10:12 am

hedak wrote: PS: Tomorrow i will post how to fail safe test the patched exeDSP (edit: need more time to describe how to modify /mtd_exe)
PPS: if you look at my pseudo code and i tell you that the limiting channel 'feature' results in printing '[PvrAppDrm] NOT able to Record (emi = 3)' then you could know which 'bne' (xx xx xx 1A) i talked about in my first post to replace with a 'b' (xx xx xx EA)
we are all waiting for how to fail safe test the patched exeDSP :D
Thanks for your sharing

hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Re: Patching exeDSP

Post by hedak » Tue Feb 25, 2014 10:11 pm

Thx juuso! (i already thought it was too detailed or too hard or whatever)

@Mk?: i think there are several '0x1a' in the 59MB code ;) I didn't try whether that's the same, but i will check that (EDIT: it's not the same!). BTW i'm still preparing how to failsafe test patched exeDSP. Before doing that i have to write about how to modify /mtd_exe of active partition which is needed therefore. Right now i proofed a working way without toggling partitions and without the need of any pc tools (except ssh client) thx to undocumented features of chkhash :) I'll post it and update chkhash wiki entry on thursday. DONE

Edit: how to modify /mtd_exe of active partition: https://forum.samygo.tv/viewtopic.php?f ... 294#p56294
how to failsafe test patched exeDSP follows on friday: see next post
Last edited by hedak on Fri Mar 07, 2014 8:06 pm, edited 2 times in total.

hedak
Posts: 81
Joined: Wed Jan 08, 2014 9:21 pm

Re: Patching exeDSP

Post by hedak » Fri Feb 28, 2014 9:50 pm

In the following I will present you how to use/test a patched exeDSP FAILSAFE :idea:
(i use it that way)

Some introduction:

Q: Why not just replace exeDSP located in /mtd_exe?
A: Because /mtd_exe is mounted read-only, so you can't simply change it.

Q: So, why not simpy re-mounting /mtd_exe read-write and change exeDSP then?
A: The main reason is that a process called authuld checks the hash of the partition /mtd_exe against a hash stored in another partition (called cmac). Not updating the hash will result in shutting down the tv after about 45 seconds forced by authuld.

Q: Why not change exeDSP and the hash of /mtd_exe in one tv session?
A: You could. But image your exeDSP got corrupted during copying to tv. You would brick your tv!

Q: So what to do?
A: First understand how exeDSP is called: At the end of tv boot the script /etc/rc.local is called. After mounting some partitions it calls the script /mtd_exe/rc.local which then calls /mtd_exe/exeDSP. As far as i know exeDSP then calls the script /etc/Scripts/rest_mount.sh which mounts '/mtd_contents', '/mtd_swu' and '/mtd_rwcommon'.

Beside partition /mtd_exe there are other partitions, for example /mtd_rwarea and /mtd_rwcommon. Both are mounted read-write and not hash checked. At least on my C7700 /mtd_rwcommon/ is very large - large enough to take a few copies of exeDSP.

Q: Why place a copy of exeDSP in /mtd_rwcommon?
A: Because you can change the copy of exeDSP without rehashing and authuld doesn't check whether the original exeDSP in /mtd_exe is running or its another exeDSP. Another (but really important) point is that you still have the original one untouched that could be called in case of starting exeDSP copy fails.

Q: Ok, but how should exeDSP in athother location be started instead of the one on /mtd_exe?
A: That's the point! Read on:

During unbricking my tv a figured out that in a very old T-VALDEUC version (1000.4) the script /mtd_exe/rc.local checked for existence of a file called 'start.sh' in /mtd_rwarea/. If that script existed it was called. /mtd_rwarea/start.sh (mounted read-write) was an excellent entry to call the copy of exeDSP. The same approach is described here: http://wiki.samygo.tv/index.php5/ExeDSP_modifications. The problem is that new c series fw don't call user.sh and newer version of /mtd_exe/rc.local don't behave like the old one.

In any case it's very useful to place the script starting exeDSP and exeDSP copy itself in a read-write mounted partition so they are changable at any time.

So there are (at least) two ways of calling the exeDSP copy from a user script now:
1) change /etc/rc.local to not call /mtd_exe/rc.local but another script in a read-write mounted partition
2) change /mtd_exe/rc.local to call a user script in a read-write mounted partition as the old FW did

I prefer solution 2) as modifying /etc/rc.local implies changing rootfs which is really dangerous and very extensive (see https://forum.samygo.tv/viewtopic.php?f ... 47&p=54937).

Modifying /mtd_exe is more simple and calculating its hash is done via chkhash.

The practical part:

Let's begin with modifying /mtd_exe/rc.local:
The whole procedure of modifying /mtd_exe is described here in detail:
https://forum.samygo.tv/viewtopic.php?f ... 294#p56294

Read/work until step 9) and first then go on here:

My original /mtd_exe/rc.local looked like this:

Code: Select all

#!/bin/sh

export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/yahoo:/mtd_appdata/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_appdata/gemstar:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib:/dtv

export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
#touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.
export KF_DATA_DIR=/mtd_yahoo/yahoo
export KF_THREAD_PRIORITY=20
export KF_NO_LOG=1
export KF_NO_CRASHHANDLERS=1
export KF_HF_WRITE_PATH=/mtd_rwarea/yahoo
cd /mtd_exe/

./exeDSP
The modified one looks like this:

Code: Select all

#!/bin/sh
#hedak: added: run /mtd_rwarea/start.sh if found

if [ -e /mtd_rwarea/start.sh ]; then
    echo "user start.sh found!"
    /mtd_rwarea/start.sh
fi

export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/yahoo:/mtd_appdata/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_appdata/gemstar:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib:/dtv

export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
#touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.
export KF_DATA_DIR=/mtd_yahoo/yahoo
export KF_THREAD_PRIORITY=20
export KF_NO_LOG=1
export KF_NO_CRASHHANDLERS=1
export KF_HF_WRITE_PATH=/mtd_rwarea/yahoo
cd /mtd_exe/

./exeDSP
Whenever start.sh returns the original rc.local code is run.

Do not forget to set all its file permission correctly!

After modifying /mtd_exe/rc.local you are now ready to go on here at 10):
https://forum.samygo.tv/viewtopic.php?f ... 294#p56294

After successfully modifying /mtd_exe and rebooting you can now care about the user script '/mtd_rwarea/start.sh':

As we just want to run our patched exeDSP from start.sh the original /mtd_exe/rc.local will serve as template. So start.sh basically looks like the original one except calling the exeDSP copy, i.e. placed in /mtd_rwcommon/. But using /mtd_rwcommon/exeDSP needs mounting /mtd_rwcommon/ before. In /etc/Scripts/rest_mount.sh you can see how /mtd_rwcommon is mounted. In my case:

Code: Select all

############### mtd_rwcommon #################
if [ "$(mount | grep /dev/stl0/21)" == "" ]; then
	mount -t rfs /dev/stl0/21 /mtd_rwcommon -o codepage=utf8
	if [ $? != 0 ] ; then
	        partition.erase /dev/bml0/21
	        stl.format -r 16 /dev/bml0/21
        	fat.format -S 4096 -s 1 /dev/stl0/21
	        mount -t rfs /dev/stl0/21 /mtd_rwcommon -o codepage=utf8
	fi
else
	echo "/mtd_rwcommon already mounted"
fi
As we don't want to format this partition the code simplifies to:

Code: Select all

############### mtd_rwcommon #################
if [ "$(mount | grep /dev/stl0/21)" == "" ]; then
	mount -t rfs /dev/stl0/21 /mtd_rwcommon -o codepage=utf8
else
	echo "/mtd_rwcommon already mounted"
fi
But there's still a potential problem: If starting /mtd_rwcommon/exeDSP fails or modified exeDSP crashes (for example due to a segmentation fault), start.sh ends and returns to /mtd_exe/rc.local which calls the original exeDSP in /mtd_exe. From my experience that will fail (at least in case the modified exeDSP was already running before). You may think: 'OK, i just turn off power and turn the tv on again.' Oops! The whole procedure will repeat. That's why we let our start.sh script rename itself whenever the call to the modified exeDSP returns (unusual case!).

So a failsafe start.sh could look like this:

Code: Select all

#!/bin/sh

export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/yahoo:/mtd_appdata/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_appdata/gemstar:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib:/dtv

export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
#touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.
export KF_DATA_DIR=/mtd_yahoo/yahoo
export KF_THREAD_PRIORITY=20
export KF_NO_LOG=1
export KF_NO_CRASHHANDLERS=1
export KF_HF_WRITE_PATH=/mtd_rwarea/yahoo

if [ "$(mount | grep /dev/stl0/21)" == "" ]; then
	mount -t rfs /dev/stl0/21 /mtd_rwcommon -o codepage=utf8
	echo "/mtd_rwcommon NOW mounted"
else
	echo "/mtd_rwcommon already mounted"
fi

cd /mtd_rwcommon/

./exeDSP

echo " Defensive: renaming /mtd_rwarea/start.sh to /mtd_rwarea/start.sh.dis"
mv /mtd_rwarea/start.sh /mtd_rwarea/start.sh.dis
If /mtd_rwcommon/exeDSP returns unwanted or could even not be called '/mtd_rwarea/start.sh' is automatically renamed to '/mtd_rwarea/start.sh.dis' and /mtd_rwarea/start.sh will return to /mtd_exe/rc.local which then runs the original exeDSP.

Just for information: As i modified /mtd_exe/rc.local of 1st and 2nd partition and both use the same start.sh but have different exports my start.sh now looks like this:
SpoilerShow
#!/bin/sh

PARTITION_FLAG00=/dtv/PART_FLAG_0
PARTITION_FLAG10=/dtv/PART_FLAG_1

if [ -e $PARTITION_FLAG00 ]; then
echo $PARTITION_FLAG00 " is detected..."
export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/yahoo:/mtd_appdata/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_appdata/gemstar:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib

export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
#touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.
cd /mtd_exe/

./exeDSP

echo " Defensive: renaming /mtd_rwarea/start.sh to /mtd_rwarea/start.sh.dis"
mv /mtd_rwarea/start.sh /mtd_rwarea/start.sh.dis
exit 1
fi

echo $PARTITION_FLAG10 " is detected..."
export MAPLE_DEFAULT_PATH=/mtd_cmmlib/InfoLink/lib
export MAPLE_MANAGER_WIDGET_PATH=/mtd_down/widgets/manager
export MAPLE_NORMAL_WIDGET_PATH=/mtd_down/widgets/normal
export MAPLE_WIDGET_DATA_PATH=/mtd_down
export MAPLE_WIDGET_INCLUDE_PATH=/mtd_down/widgets/inc
export MAPLE_PLUGIN_DATA_PATH=/mtd_cmmlib/InfoLink/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mtd_cmmlib/YWidget_LIB:/mtd_contents:/mtd_cmmlib/InfoLink/lib/plugin/Static:/mtd_appdata/yahoo:/mtd_appdata/moip:/mtd_cmmlib/Comp_LIB:/mtd_cmmlib/GAME_LIB:/mtd_appdata/gemstar:/mtd_cmmlib/DRM_LIB:/Java/lib:/mtd_cmmlib/InfoLink/lib:/dtv

export HOME=/mtd_moip
export KF_SLEEP_READ=-2
echo 30000 > /mtd_rwarea/DelayValue.txt
#touch /mtd_rwarea/DoPrintYahoo.txt
export KF_NO_INTERACTIVE=1
export KF_LOG=/dev/null #Remove engine logging.
export KF_DATA_DIR=/mtd_yahoo/yahoo
export KF_THREAD_PRIORITY=20
export KF_NO_LOG=1
export KF_NO_CRASHHANDLERS=1
export KF_HF_WRITE_PATH=/mtd_rwarea/yahoo

if [ "$(mount | grep /dev/stl0/21)" == "" ]; then
mount -t rfs /dev/stl0/21 /mtd_rwcommon -o codepage=utf8
echo "/mtd_rwcommon NOW mounted"
else
echo "/mtd_rwcommon already mounted"
fi

cd /mtd_rwcommon/

./exeDSP

echo " Defensive: renaming /mtd_rwarea/start.sh to /mtd_rwarea/start.sh.dis"
mv /mtd_rwarea/start.sh /mtd_rwarea/start.sh.dis
(Notice: I didn't place the PARTITION_FLAG10 stuff in the else node. So i can be sure that the line 'mv /mtd_rwarea/start.sh /mtd_rwarea/start.sh.dis' is reached in any case.)

From now on you can copy your exeDSP to /mtd_rwcommon (don't forget the correct file permissions) and it will be executed as long as the user script is named '/mtd_rwarea/start.sh'. If the fallback way got active you have to rename '/mtd_rwarea/start.sh.dis' to '/mtd_rwarea/start.sh'.

If '/mtd_rwcommon/exeDSP' is executed and you want to replace it with another version you should rename '/mtd_rwarea/start.sh' to '/mtd_rwarea/start.sh.dis' manually and reboot the tv to let the original exeDSP be executed. Now replace '/mtd_rwcommon/exeDSP' and rename '/mtd_rwarea/start.sh.dis' back to '/mtd_rwarea/start.sh'. After next tv's reboot the new '/mtd_rwcommon/exeDSP' will be run :)

You can check if your exeDSP is running using the 'ps' command by checking for a running '/mtd_rwarea/start.sh'. The result should contain something like this:

Code: Select all

   45 root       1388 SW  /bin/sh /etc/rc.local
   60 root       1388 SW  /bin/sh /mtd_exe/rc.local
   61 root       1388 SW  /bin/sh /mtd_rwarea/start.sh
   66 root     1161600 SW  ./exeDSP
This way is extensively tested by me. I already had segmentation faults, missing /mtd_rwcommon/exeDSP file permissions and even missing /mtd_rwcommon/exeDSP ;) The tv always returned to the original state after turning of tv (as running original exeDSP fails after returning from running modified exeDSP you can use command 'reboot' to restart quickly).

If there are any suggestions or question, just reply! I'll try to answer/help :)

Post Reply

Return to “[C] Firmware”