LNxxB650 and B679 with CI+ certification

This forum is for information related to B series hardware rather than firmware/software.

marcelru
Official SamyGO Developer
Posts: 171
Joined: Thu Oct 01, 2009 7:27 am

Re: LNxxB650 and B679 with CI+ certification

Post by marcelru »

Hi guys, I'm not sure if this is what you need, but nevertheless, here it is:
The exeDSP disassembly on rapidshare: (FW T-CHU7DEUC, 002008.1 (or 2) )

http://rapidshare.com/files/292147252/e ... sm.gz.html

It's just bare output of objdump, with no string/jump/call annotations. Haven't got the full disassembly script working yet ...

erdem_ua
SamyGO Admin
Posts: 3112
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LNxxB650 and B679 with CI+ certification

Post by erdem_ua »

Hey! Is everybody dead with the CI+ cert?
Have you given up? What a pity!

So engineer here. I don't know who wants to be a volunteer for this, but we need a hero.
If our attacks are being avoided by the enemy, then we need a commando for the job who sneaks behind enemy lines and brings the key of the castle to us.

We can also read the NAND flash chip without removing it from the motherboard. But who wants to be the commando? (Or a hacker to solder its NAND chip)
http://www.uchobby.com/index.php/2007/0 ... ash-chips/

erdem_ua
SamyGO Admin
Posts: 3112
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LNxxB650 and B679 with CI+ certification

Post by erdem_ua »

Alternatively, we can try to hack the CI+ "program" cert protection algorithm, which uses 16 bytes (128 bits), to execute our program on the TV.
With our program, we can read the whole internal flash device and store it on a USB flash drive.
Or alternatively, enable the telnet application.
Trying to hack the 16-byte-key CI+ program key algorithm is far easier than trying to hack the 256-bit AES which is placed at the main entrance.

dasilverpaladin
Official SamyGO Developer
Posts: 119
Joined: Sat Oct 31, 2009 1:04 am

Re: LNxxB650 and B679 with CI+ certification

Post by dasilverpaladin »

Hi @ll,

I ordered my new Samsung LE37B650, hope it's coming fast :)

As part of my research for this TV I found a posting somewhere where people were able
to activate the USB movie play function on a UB6000 by modifying the TV type in the service menu.
If these functions are enabled and disabled by just the TV type string, maybe there is a chance
1) to disable the CI+ security measures
2) render your nice TV useless...

We would need to compare these TV type numbers.

2nd suggestion: you would need a serial console to use one of these great professional remotes.
As I understand it, the console on CI+ TVs doesn't recognise any input?
If this is true, we may have to switch Hotel Mode on to get a console.
Does anyone know how to disable Hotel Mode without a special service remote control?


Silver

cracket
Posts: 6
Joined: Thu Oct 22, 2009 8:15 pm

Re: LNxxB650 and B679 with CI+ certification

Post by cracket »

How can I determine if my TV is CI+ or not?

Is it a matter of the model code? T2P or T2W?
LE37B650T2WXXH T-CHL7DEUC patched&injected

erdem_ua
SamyGO Admin
Posts: 3112
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LNxxB650 and B679 with CI+ certification

Post by erdem_ua »

cracket wrote:
How can I determine if my tv is CI+ or not?

Is it the matter of model code? T2P or T2W ?

If your model is T2P then it's CI+

aquadran
Posts: 264
Joined: Fri Oct 16, 2009 9:35 pm
Location: Poland

Re: LNxxB650 and B679 with CI+ certification

Post by aquadran »

Based on the CI+ kernel source, the MAC key is stored in the U-Boot env partition:

    int getAuthUld (macAuthULd_t *mac_authuld) {

        int fd;
        /* open the U-Boot parameter partition read-only */
        fd = sys_open(UBOOT_PARAM_PARTITION, O_RDONLY, 0);
        if( fd >= 0 ) {
            /* skip the leading int, the U-Boot environment and the macOnboot_t record */
            sys_lseek(fd, sizeof(int) + UBOOT_ENV_SIZE + sizeof(macOnboot_t), SEEK_SET);
            /* read the macAuthULd_t record that follows */
            sys_read(fd, (void *) mac_authuld, sizeof(macAuthULd_t));
            sys_close(fd);
            /* rest of the function is not shown */

Also another key from:

    // 1GB
    #define CMACKEY_PARTITION_1000 "/dev/bml0/20"
    // 2GB
    #define CMACKEY_PARTITION_2000 "/dev/bml0/18"
    // 128 MB
    #define CMACKEY_PARTITION_128 "/dev/bml0/16"

So the only way, I think, is to boot off the CI kernel.
CI+ owners should try this: http://forum.samygo.tv/viewtopic.php?f=2&t=53&start=20
If access to eboot is enabled, also look at my comments on how to easily get the '~' keypress.
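
The excerpt in the post above discards the return values of sys_lseek and sys_read, so a short read would leave the structure partly filled. As an added example (not from the post or from the kernel source), here is a user-space version of the same fixed-offset read with those checks; the value of UBOOT_ENV_SIZE, both struct layouts, the function names and the sample file path are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed sizes and layouts, for illustration only; the post does not give them. */
#define UBOOT_ENV_SIZE 4096
typedef struct { uint8_t mac[16]; } macOnboot_t;
typedef struct { uint8_t mac[16]; } macAuthULd_t;
#define AUTHULD_OFFSET ((off_t)(sizeof(int) + UBOOT_ENV_SIZE + sizeof(macOnboot_t)))

/* Returns 0 only if the whole record was read; otherwise -1 with *out zeroed. */
int get_auth_uld_checked(const char *path, macAuthULd_t *out)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd >= 0 && lseek(fd, AUTHULD_OFFSET, SEEK_SET) == AUTHULD_OFFSET) {
        while (got < sizeof(*out)) {   /* read() may return fewer bytes than asked */
            ssize_t n = read(fd, (uint8_t *)out + got, sizeof(*out) - got);
            if (n <= 0)
                break;                 /* I/O error or end of the image */
            got += (size_t)n;
        }
    }
    if (fd >= 0) close(fd);
    if (got != sizeof(*out)) {
        memset(out, 0, sizeof(*out));  /* never hand back a partly filled record */
        return -1;
    }
    return 0;
}

/* Writes a constructed image of len bytes where byte i has the value (uint8_t)i. */
int make_sample_image(const char *path, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < len; i++)
        fputc((int)(uint8_t)i, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    macAuthULd_t m;
    const char *img = "/tmp/uboot_param_sample.bin";  /* constructed file, not a device */
    make_sample_image(img, (size_t)AUTHULD_OFFSET + sizeof(m));
    printf("full image: %d\n", get_auth_uld_checked(img, &m));
    make_sample_image(img, (size_t)AUTHULD_OFFSET + 5);
    printf("truncated image: %d\n", get_auth_uld_checked(img, &m));
    return 0;
}
```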
