
Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Wed Jan 20, 2010 8:00 pm
by langerhans
I know. And the DirectSWUpgrade option only worked with an unmodified FW, but even that led to my TV using the second partition now. Thanks Samsung for implementing this feature :P

Oh, and I found another debug menu with a new number code but I can't remember it now, will have a look at it tomorrow. It has some USB debug stuff like remount and dmesg to USB... Nothing special...

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Fri Jan 22, 2010 8:15 pm
by langerhans
So, here is the new debug menu: 8282119
And here are the options:

Code:

====================================
      [ DEBUG MENU ]                
------------------------------------
 1. ReMount Usb device              
 2. dmesg > printk.txt              
 3. Copy corefile to USB            
====================================
 99. Exit                           
====================================
First option will do the following:

Code:

...
# Drop the existing mount of the USB device, then mount it again as FAT
umount /dtv/usb/$MOUNT_DIR
echo "umount /dtv/usb/$MOUNT_DIR"
mount -t vfat /dev/$MOUNT_DIR /dtv/usb/$MOUNT_DIR
echo "mount -t vfat /dev/$MOUNT_DIR /dtv/usb/$MOUNT_DIR"
Second option will do:

Code:

...
# Write the current kernel ring buffer to the stick
dmesg > /dtv/usb/$MOUNT_DIR/printk.txt
sync
# Stream live kernel messages in the background for two seconds
cat /proc/kmsg > /dtv/usb/$MOUNT_DIR/kmsg.txt &
echo "dmesg > printk.txt"
sleep 2
sync
# Stop the kmsg reader (this kills every running cat process)
killall cat
sync
echo "sync"
And the last one:

Code:

# Copy a crash dump from /dtv to the stick, if one exists
# (the glob in the test only works cleanly when at most one core file is present)
if [ -e /dtv/core* ]; then
	cp /dtv/core* /dtv/usb/$MOUNT_DIR/core
	echo "cp /dtv/core* /dtv/usb/$MOUNT_DIR/core"
	sync
	echo "sync"
else
	echo "No Core_dump file"
	exit
fi
So nothing special here... I doubt we can get shell access on the TV over the Debug menus...

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Sun May 23, 2010 10:44 pm
by erdem_ua
Clapping.
Thanks petergray.
We needed to wikify this also :)

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Sun May 30, 2010 8:25 pm
by langerhans
Hello!
Thanks for finally getting shell access to work.
This led me to investigate the filesystem a bit. In another thread I read about flash dumping. See what I found:

Code:

# ./flash_dump.cmd
OUTFILE_NAME > dump
+---------------------------------------------------------------------+
|  fdump : Low-level Partition Dump Tool for NAND Flash Memory        |
+---------------------------------------------------------------------+
You will dump Chip

=^^ PARTITION INFO  ^^=========================================================
 Signature = XSRPARTI
 nVer = 0x00011000
 Num of part entry = 16
 part(0)   nID=0x00000000   n1stVbn=000   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(1)   nID=0x00000001   n1stVbn=001   nNumOfBlks=004   Attr=BML_PI_ATTR_RW
 part(2)   nID=0x00000002   n1stVbn=005   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(3)   nID=0x00000003   n1stVbn=006   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(4)   nID=0x00000004   n1stVbn=007   nNumOfBlks=024   Attr=BML_PI_ATTR_RW
 part(5)   nID=0x00000005   n1stVbn=031   nNumOfBlks=032   Attr=BML_PI_ATTR_RW
 part(6)   nID=0x00000006   n1stVbn=063   nNumOfBlks=016   Attr=BML_PI_ATTR_RW
 part(7)   nID=0x00000008   n1stVbn=079   nNumOfBlks=135   Attr=BML_PI_ATTR_RW
 part(8)   nID=0x00000009   n1stVbn=214   nNumOfBlks=160   Attr=BML_PI_ATTR_RW
 part(9)   nID=0x0000000a   n1stVbn=374   nNumOfBlks=135   Attr=BML_PI_ATTR_RW
 part(10)   nID=0x0000000b   n1stVbn=509   nNumOfBlks=160   Attr=BML_PI_ATTR_RW
 part(11)   nID=0x0000000c   n1stVbn=669   nNumOfBlks=104   Attr=BML_PI_ATTR_RW
 part(12)   nID=0x0000000d   n1stVbn=773   nNumOfBlks=222   Attr=BML_PI_ATTR_RW
 part(13)   nID=0x0000000e   n1stVbn=995   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(14)   nID=0x0000000f   n1stVbn=996   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(15)   nID=0x00000010   n1stVbn=997   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
===============================================================================

=^^ MODEL INFO  ^^========
 Signature : XSRPARTI
 Size of szModelName : 24
 Model Name = hlve
 Version of Mode = 0001
==========================
  100%
All of the flash memory blocks have been dumped successfully.
xsr_otp_CIP /dev/bml0/c /dtv/usb/sda1/dump.otp
chmod 777 /dtv/usb/sda1/dump.otp
#
Seems like this dumps the whole NAND.
Now I have a file on my USB stick named dump.otp with a filesize of 128MB. It seems encrypted, since the first 8 bytes are "XSRPARTI". The same signature is found in the dump log I posted above.
So I guess the line

Code:

xsr_otp_CIP /dev/bml0/c /dtv/usb/sda1/dump.otp
encrypts the dump. Maybe I can prevent the TV from encrypting it; I'll have a look at the script tomorrow.
If anyone is interested in the dump, tell me where I should upload it.
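As an added example (not code from langerhans or from the TV's firmware), the Python below parses the fdump partition listing from the log above, checks that the XSRPARTI table is contiguous, maps each nID to byte offsets in a raw dump for an assumed block size, and provides a Shannon entropy helper for testing the "seems encrypted" guess: ciphertext sits near 8 bits per byte, while a readable header such as the ASCII "XSRPARTI" signature does not. The 128 KiB block size is an assumption, not something the post states.

```python
import math
import re
from collections import Counter

# Partition table exactly as printed by the TV's fdump tool in the log above.
FDUMP_LOG = """\
 part(0)   nID=0x00000000   n1stVbn=000   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(1)   nID=0x00000001   n1stVbn=001   nNumOfBlks=004   Attr=BML_PI_ATTR_RW
 part(2)   nID=0x00000002   n1stVbn=005   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(3)   nID=0x00000003   n1stVbn=006   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(4)   nID=0x00000004   n1stVbn=007   nNumOfBlks=024   Attr=BML_PI_ATTR_RW
 part(5)   nID=0x00000005   n1stVbn=031   nNumOfBlks=032   Attr=BML_PI_ATTR_RW
 part(6)   nID=0x00000006   n1stVbn=063   nNumOfBlks=016   Attr=BML_PI_ATTR_RW
 part(7)   nID=0x00000008   n1stVbn=079   nNumOfBlks=135   Attr=BML_PI_ATTR_RW
 part(8)   nID=0x00000009   n1stVbn=214   nNumOfBlks=160   Attr=BML_PI_ATTR_RW
 part(9)   nID=0x0000000a   n1stVbn=374   nNumOfBlks=135   Attr=BML_PI_ATTR_RW
 part(10)   nID=0x0000000b   n1stVbn=509   nNumOfBlks=160   Attr=BML_PI_ATTR_RW
 part(11)   nID=0x0000000c   n1stVbn=669   nNumOfBlks=104   Attr=BML_PI_ATTR_RW
 part(12)   nID=0x0000000d   n1stVbn=773   nNumOfBlks=222   Attr=BML_PI_ATTR_RW
 part(13)   nID=0x0000000e   n1stVbn=995   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(14)   nID=0x0000000f   n1stVbn=996   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
 part(15)   nID=0x00000010   n1stVbn=997   nNumOfBlks=001   Attr=BML_PI_ATTR_RW
"""
PART_RE = re.compile(r"part\((\d+)\)\s+nID=0x([0-9a-f]+)\s+n1stVbn=(\d+)"
                     r"\s+nNumOfBlks=(\d+)\s+Attr=(\S+)")

def parse_partitions(log):
    """Return [(index, nID, first_block, num_blocks, attr)] from fdump output."""
    return [(int(m[1]), int(m[2], 16), int(m[3]), int(m[4]), m[5])
            for m in PART_RE.finditer(log)]

def check_layout(parts):
    """Verify the table is contiguous and non-overlapping; return blocks in use."""
    expected = 0
    for _, _, first, count, _ in parts:
        if first != expected:
            raise ValueError(f"gap/overlap at block {first}, expected {expected}")
        expected = first + count
    return expected

def byte_ranges(parts, block_size):
    """nID -> (start, end) byte offsets in a raw dump; block_size is an assumption."""
    return {nid: (first * block_size, (first + count) * block_size)
            for _, nid, first, count, _ in parts}

def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted/compressed data, lower for code/text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
```

With a 128 KiB block the 998 partitioned blocks cover less than the 128MB file, so comparing byte_ranges against the file size is a quick way to see whether dump.otp is a raw block image or something else.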

Re: Access Linux Shell of TV on CI+ without "Game Menu"

Posted: Thu Jun 17, 2010 10:08 am
by cyberdemon79
Hi,

I think the way to find the offset is something like this:

1. grab the compiled kernel (from your TV)
2. disassemble it to find the char checking procedure
3. look at the hex representation of the bne (branch if not equal) instruction (branches if no allowed character is found in this loop's iteration)
4. dump the kernel's memory (not quite sure how to guess the lower and upper limit for that)
5. find the hex representation in memory (should be inverted when displayed via the debug menu)
6. overwrite the instruction with 00 00 00 00 (value 0), which should be "andeq r0, r0 and r0" (modifies register r0 but doesn't matter)
7. so now it won't branch and falls through to the "allowed character entered" code (sets r0 to 1 and returns if I remember correctly)

Am I correct in my assumption?
cu Cyberdemon