Just a thought: BD-live trojan possible?

Samsung's BluRay player related hacks.
marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Just a thought: BD-live trojan possible?

Post by marcelru »

Hi,

I opened my bluray HT-BD8200 last week, had a (very) quick peek around and couldn't find a serial port or something similar. Possibly just didn't look well enough for one, but it's a brand new machine, albeit not the last design available, so I didn't want to take it apart completely.

It supports BD-live 2.0, whatever that may be, I have no experience with it. Through BD-live, it's possible to download extra stuff including games from the major movie companies.
Would it be possible to master your own Bluray disc, with BD-live extras added, and import a nice game, typically a telnet daemon or ssh daemon to run on the BD player?

Any thoughts on that?

grtz,

marcelr

Denny
Official SamyGO Developer
Posts: 350
Joined: Thu Sep 30, 2010 12:18 pm
Location: Croatia

Re: Just a thought: BD-live trojan possible?

Post by Denny »

marcelru wrote: ...
Would it be possible to master your own Bluray disc, with BD-live extras added, and import a nice game, typically a telnet daemon or ssh daemon to run on the BD player?

Any thoughts on that?

marcelr

Yes, there is a call for a native application in the BD player (here BD-C6900), but it also verifies a signature.
In the case of the BD-C6900 it is not a big problem to manipulate the public key for this issue, but I myself don't have any idea how BD-Live works and how it could be possible to get a permanent possibility to call the native.so when we inject it ourselves.

.text:006EFFD8                 LDR     R0, =aMtd_rwareaBdpl ; "/mtd_rwarea/bdplus/native.so"
.text:006EFFDC                 MOV     R1, #2          ; mode
.text:006EFFE0                 BL      dlopen
.text:006EFFE4                 SUBS    R6, R0, #0
.text:006EFFE8                 BEQ     loc_6F0110
.text:006EFFEC
.text:006EFFEC loc_6EFFEC                              ; CODE XREF: CALL_RunNative+3B0j
.text:006EFFEC                 MOV     R12, #1
.text:006EFFF0                 MOV     R3, #0xBE7
.text:006EFFF4                 STR     R12, [R7,#4]
.text:006EFFF8                 LDR     R1, =aSamdebugSD_2 ; "\n samdebug <%s,%d> "
.text:006EFFFC                 LDR     R2, =aCall_runnati_1 ; "CALL_RunNative"
.text:006F0000                 MOV     R0, #0
.text:006F0004                 BL      DRM_Log
.text:006F0008                 MOV     R0, R6          ; handle
.text:006F000C                 LDR     R1, =aBdplus_bdp_bar ; "BDPlus_BDP_Barcelona_Native"
.text:006F0010                 BL      dlsym
.text:006F0014                 LDR     R3, =_BDPLUS_native_func

Denny - 데니 - 丹尼 (card2000)
UE55C8000 UE55D8000 UE32D6510 BD-C9600 3xDM8000
Reversing HW Demux Drivers and API from Samsung´s TV
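
The listing in the post above loads a library by path from a read-write area (`/mtd_rwarea/...`). The following is an added example, not part of the thread and not Samsung's code: a loader-side check that opens the file once, validates the opened descriptor, and hands back a `/proc/self/fd/N` path so that the file that was checked (and signature-verified by reading from the same descriptor) is the one passed to `dlopen`. The function name, error codes and the `trusted_uid` parameter are hypothetical, and it complements a signature check rather than replacing it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical error codes for this example. */
enum { PLUG_EOPEN = -1, PLUG_ETYPE = -2, PLUG_EOWNER = -3, PLUG_EMODE = -4 };

/* Open `path` once and run every check on the descriptor, so the inode that
 * was checked is the inode that gets loaded. On success returns the fd and
 * writes "/proc/self/fd/<fd>" into fd_path; the caller verifies the signature
 * by reading from that fd, then calls dlopen(fd_path, ...) rather than
 * dlopen(path, ...). trusted_uid is an assumption of this example. */
int open_plugin_checked(const char *path, uid_t trusted_uid,
                        char *fd_path, size_t fd_path_len)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink as the final path component;
     * O_NONBLOCK keeps open() from blocking if path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return PLUG_EOPEN;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return PLUG_ETYPE;            /* not a regular file */
    }
    if (st.st_uid != trusted_uid) {
        close(fd);
        return PLUG_EOWNER;           /* owned by an unexpected user */
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        close(fd);
        return PLUG_EMODE;            /* group- or world-writable */
    }
    snprintf(fd_path, fd_path_len, "/proc/self/fd/%d", fd);
    return fd;
}

int main(int argc, char **argv)
{
    char fd_path[64];
    if (argc < 2) { fprintf(stderr, "usage: %s <lib.so>\n", argv[0]); return 2; }
    int fd = open_plugin_checked(argv[1], 0, fd_path, sizeof fd_path);
    if (fd < 0) { printf("rejected (%d)\n", fd); return EXIT_FAILURE; }
    printf("checks passed, load via %s\n", fd_path);
    close(fd);
    return EXIT_SUCCESS;
}
```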

marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Re: Just a thought: BD-live trojan possible?

Post by marcelru »

@Denny:

I'm not sure how BD-live works either, but I can imagine that the verification is done on the content of the disc, with keys stored on that disc. Content providers will want to check that _their_ media is used to access the extras from their website and not just any Bluray disc, and I don't think Samsung or any other manufacturer has all the keys in the world, to be used in the foreseeable future, stored in firmware. That means that both keys and content access mechanism should be stored on the BD that provides the access to the extra bits.

So the first step to take is to find out how to master a disc with BD-live content ....

grtz,

marcelr

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Just a thought: BD-live trojan possible?

Post by arris69 »

Denny wrote:...

.text:006EFFD8                 LDR     R0, =aMtd_rwareaBdpl ; "/mtd_rwarea/bdplus/native.so"
...
This looks like a not-cleaned build of exeDSP. Funny, if they remove all debug/testing shit from exeDSP / bd_player_whatever the binary is just 20kb big :lol: (and maybe 'secure' too) :shock:

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: Just a thought: BD-live trojan possible?

Post by arris69 »

marcelru wrote: ...
So the first step to take is to find out how to master a disc with BD-live content ....

grtz,

marcelr

Maybe a starting point to analyze the proggies from here: http://forum.doom9.org/archive/index.php/t-129663.html

marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Re: Just a thought: BD-live trojan possible?

Post by marcelru »

Apparently, BD-J, rather than BD-Live may already do the trick.

I just got the java TV sdk up and running, it basically spits out BD-J layouts which can then be burned on BluRay, when configured properly. Now it's time to find out how to merge a working telnet daemon into that framework.
I'm not very fluent in java so this is likely to take some time, which in itself is a rare commodity for me.
Will have a go at it anyway. You never know what may come from it.

Oh BTW, will also order a BluRay burner, haven't got one yet. :roll:

grtz,

marcelr

julianbb
Posts: 163
Joined: Fri Dec 10, 2010 1:18 pm
Location: Romania

Re: Just a thought: BD-live trojan possible?

Post by julianbb »

Could the output log provide the IP address where the online content is available for the disc?
Then put up a small HTTP server with "fake content" for native.so?
Online content is saved on BD in "Internal memory" OR on a FAT USB stick... (see in settings)
I'd like to try but since I vote with PirateBayParty... :D
"Everything is possible... The impossible just takes longer..." (Dan Brown)

marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Re: Just a thought: BD-live trojan possible?

Post by marcelru »

Steps taken:

Got the BD-J development kit: JavaME SDK (windows only :cry: ).
Got the daemon (telnetd2, from sourceforge, tested as stand alone, works).
Got the burner (still packed).

ToDo:

Implement a shell, not that many options on the web. jShell looks like a fair option, far from complete, but has the major commands.
For now I only need cd, ls, just to take a look around and cp, cat, to copy files and partitions to USB. Once properly rooted, busybox will take over.

Convert the daemon and not-yet-existing-shell to BD-J compatible code. The daemon is easy (almost done), now the rest.

Find a BD-J compatible software player, for testing. Most of the stuff available is for windows, and not free. I _refuse_ to pay anything for windows related software, so there's a challenge :-). The guys from VLC started on libbluray, with BD-J support, let's see how far they've got.

For homebrew Bluray discs, I'm not sure about the scrambling stuff. It is possible to burn your own home videos to bluray and play them. The same holds for making BD-J stuff. I don't know if a player will let you execute the java code, though. Any thoughts on this?


I'm off to Portugal, won't take the windoze box with me. So it'll be quiet for the next week or so, as far as Bluray is concerned.

grtz,

marcelr
