Autoloader for custom "Game" plug-ins

Here are software that related with Samsung B series TVs. Like hex editors, new version of BusyBox or internal software, app programs that will run in your TV hardware.:!:This forum is NOT FOR USER QUESTIONS or Problems.
Post Reply

User avatar
geo650
Official SamyGO Developer
Posts: 302
Joined: Wed Oct 07, 2009 12:03 pm

Autoloader for custom "Game" plug-ins

Post by geo650 » Wed Apr 21, 2010 12:53 am


!
WARNING!!! THIS MOD IS EXTREMLY DANGEROUS FOR YOUR TV!
BEFORE DOING ANYTHING, PLEASE READ THE WHOLE TEXT CAREFUL, THEN READ IT AGAIN!
MAKE BACKUPS (IMPORTANT FILES AND PARTITION IMAGES) AND ENABLE RS232C DEBUG MODE BEFORE START!
ONLY FOR EXPERIENCED USERS!!! NOVICE USERS SHOULD READ OTHER SamyGO WIKI ARTICLES FIRST.
THIS MOD HAS NOT BEEN FULLY TESTED! THIS TEXT MAY CONTAIN ERRORS!
PLEASE READ WITH UNDERSTANDING. NO HURRY. YOU HAVE BEEN WARNED!
You have been warned. Warned?

Edited by Moderator:
Do not use this HOW-TO from now, it is too dangerous. You can brick your TV easily with this.
Search forum for injectso or gdbtrick instead
UPDATE: Follow updated description on the Wiki page here:
http://wiki.samygo.tv/index.php?title=A ... %28B65x%29

THIS PROJECT IS DESIGNED FOR SAMSUNG LExxB65x T-CHL7DEUC MODELS WITH 2005.0 FIRMWARE.


What is a "game" plug-in ?

"Game" plug-in is dynamically-loaded library file (*.so) that may be executed using game-menu of Content Library. Normally, such plug-in is brought to you together with clmeta.dat XML file that points to the main library file to be started (loader.so, for example).


Why to autostart ?

Some plug-ins are intended to be run in the background. Unfortunately, you have to enter Content Library to execute them. This is confusing in some situations. Autostart is useful for staying resident applications that are waiting for a specified signal to execute a piece of its code.


The problem is...

You cannot execute library files using starting script. You even cannot run them using telnet shell. These files are not executable ones. Even if you make an application that run a library, then exeDSP functions (symbols) would be unknown. These functions are used in "game" plug-ins because they allow programmer to access hardware layer easily.


Then how to autostart my plug-in ?

You have to load "game" plug-ins using exeDSP in a way like Content Library does. Content Library is started by exeDSP application. The problem is that exeDSP is a closed-source binary and it is hard to modify its functions. So I decided to load "game" libraries using another open-source library which is loaded by exeDSP. One of such libraries is LIBUSB (libusb.so), normally loaded from /mtd_drv/Comp_LIB directory.
We have to force exeDSP to load our custom libusb library instead of original one.
That directory (with the original library file) is read-only one, but this can be omitted by modifying LD_LIBRARY_PATH variable.
Here is a graph explaining this method:

Image


Steps

WARNING!!! YOU MAY BRICK YOUR TV!!! ENSURE YOU HAVE ENOUGH EXPERIENCE BEFORE CONTINUING!
ENABLE RS-232 DEBUG MODE AND ENSURE THAT EX-LINK CABLE WORKS WELL.

Ex-link cable is not necessary to make this mod but it is a must-have at the recovery phase.

You must have telnet access to your TV. Login to root, then:

1) Create directory tree in your TV:
mkdir /mtd_rwarea/SamyGO
mkdir /mtd_rwarea/SamyGO/exe
mkdir /mtd_rwarea/SamyGO/exe/lib
mkdir /mtd_rwarea/SamyGO/exe/conf


2) If not yet created, using your favourite text editor create /mtd_rwarea/SamyGO.sh script, for example:

Code: Select all

#!/bin/sh
mount -t devpts devpts /dev/pts
telnetd
3) Then create a new script /mtd_rwarea/exeDSP.sh (described below):

Code: Select all

#!/bin/sh
cd /mtd_exe
export LD_LIBRARY_PATH="/mtd_rwarea/SamyGO/exe/lib:$LD_LIBRARY_PATH"
./exeDSP
4) Set executable flags:

Code: Select all

chmod a+x /mtd_rwarea/SamyGO.sh
chmod a+x /mtd_rwarea/exeDSP.sh
5) Download original LIBUSB from Open-Source Samsung site.

6) After unpacking, you have to edit and recompile usedSource_TV files using SamyGO compilation toolchain.

a) Edit Makefile:

find and replace compiler tools:

Code: Select all

CC = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-gcc
AR = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-ar
RANLIB = $(CROSS_COMPILE)arm-SamyGO-linux-gnueabi-ranlib
b) Edit usb.c:

add this after "#include <pthread.h>" line:

Code: Select all

#include <dlfcn.h>
#define SAMYGO_CONF_FNAME     "/mtd_rwarea/SamyGO/exe/conf/libusb.conf"     // configuration file location
int SamyGO_done = 0;
void SamyGO_init()
{
  FILE *SamyGO_conf;
  char s[256];
  unsigned *handle;
  int (*Game_Main)(const char *, const char *);

  if (SamyGO_done) return;
  SamyGO_done = 1;

  SamyGO_conf = fopen(SAMYGO_CONF_FNAME, "r");
  if (SamyGO_conf)
  {
     int limit=100; // max number of lines
     while ((fgets(s, sizeof(s), SamyGO_conf) != NULL) && (--limit>0))
     {
        int ln = strlen(s);
        if (ln > 0)
        {
           int i;
           for (i=0; i<ln; i++)
               if ((s[i]==0x0D) || (s[i]==0x0A)) { s[i]=0; i=ln; }

           if ((s[0]!='#') && (s[0]!=';') && (s[0]!=0))
           {
              if (strstr(s, ".so"))
              {
                 if ( (handle = dlopen(s, RTLD_NOW | RTLD_LOCAL | RTLD_NODELETE)) != NULL )
                 {
                    Game_Main = dlsym(handle, "Game_Main");
                    if (Game_Main)
                    {
                       ln = strlen(s);
                       int last_slash = 0;
                       for (i=0; i<ln; i++) if (s[i]=='/') last_slash = i;
                       s[last_slash + 1] = 0;
                       (*Game_Main)(s, "");     // *** MODULE EXECUTION ***
                    }
                    dlclose(handle);
                 }
              }
           }
        }
     }
     fclose(SamyGO_conf);
  }
}
c) then find usb_set_callback() function and add this at the very beginning:

Code: Select all

SamyGO_init();
d) Recompile binary file using command:

Code: Select all

make
No errors should be produced at this stage.
You will get new "libusb.so" binary file that must be copied to /mtd_rwarea/SamyGO/exe/lib directory.

7) Copy plug-in files to your TV if not already installed. I prefer to copy somewhere else than standard Games are placed.
For example, in /mtd_rwarea/SamyGO/exe/any_subdirectory". Don't forget to check and/or set right permissions for those files.

8) Create text configuration file /mtd_rwarea/exe/conf/libusb.conf with list of full path(es) to the plug-in files to be executed at boot phase. For example:

Code: Select all

# libusb configuration file
/mtd_rwarea/SamyGO/exe/remote/loader.so
General rules: one line = one full path to the library. Lines starting with # or ; are ignored. Empty lines are ignored, too.
Libraries are loaded one-by-one and Game_Main() functions are executed immediately at that stage.
Library files should end with ".so" extension.
Configuration file may be empty, too. In that case no additional plug-ins are loaded.
Nothing is going to happen when no configuration file is present.

WARNING: Badly-written plug-ins may hang your TV at this stage so be very careful.
WARNING: Don't add regular games to the libusb.conf list. This mod is not intended to load such applications.


9) Then we have to inform exeDSP to load our custom libusb instead of the original one. We are doing this by expanding library path chain using export command. That's why we create /mtd_rwarea/exeDSP.sh script which executes exeDSP after that. This script must be executed instead of the original exeDSP process. But how?
The only way (as I know) is to modify /mtd_exe/rc.local script and re-flash the TV. Do you remember the place where we run telnet or SamyGO.sh script? In the same script, we must replace exeDSP commands with exeDSP.sh execution instruction.
If you know how to patch the firmware, then do such changes in decoded exe.img file:

Image

Image

As you can see, rc.local file has been enlarged. This is possible because exe.img partition is FAT16-type one with 8KB-size cluster. This means that rc.local file can be easily enlarged up to 8KB. Now, there are some extra instructions for checking if exeDSP.sh custom script is available.
If exeDSP.sh script does not exist, then standard exeDSP binary image is executed immediately.

10) Then recalculate CRC, re-encode, make firmware file set, put on the pendrive.
For T-CHL7DEUC 2005.0 firmware patched earlier with ARfix1 my validinfo file looks like this:

Code: Select all

*007_exe.img_13ae8195*011_appdata.img_69153622
BTW, it could be practical to add these modifications to the SamyGO Fimware Patcher.

11) Check if you have /mtd_rwarea/exeDSP.sh script and check its "x" permissions with "ls -l /mtd_rwarea/exeDSP.sh" command.
12) Make channels backup, custom widget manager backup if necessary, or just make a full backup of the TV's flash memory.
13) Flash your new custom firmware! If your TV is not working now, don't blame me. It was your fault, not mine. I'm sorry.
WARNING! REMEMBER TO RE-ENABLE RS232C DEBUG MODE AFTER FLASHING!



Adding a new plug-in:

To add a new (tested!) plug-in, copy it to the TV, then add new path entry to the /mtd_rwarea/SamyGO/exe/conf/libusb.conf file.


Removing a plug-in:

Remove path entry from the /mtd_rwarea/SamyGO/exe/conf/libusb.conf file, restart your TV, then delete library file(s) of removed plug-in.


Problems and advices:

The biggest problem here is that your TV may be bricked in the situation when badly-written plug-in causes exeDSP to hang or exit abnormally. Then watchdog restarts the TV and restarting loop will occur. To repair, use ex-link cable, run telnet and delete bad plug-ins (or edit your script/config).

BE CAREFUL! At the beginning, you may "hash" export command, so internal libusb library will be loaded and no additional plug-ins will be executed.

There is no danger when exeDSP.sh is accidentally deleted. New enlarged /mtd_exe/rc.local script prevents you from such situation.

Configuration file path is hard-encoded in libusb.so library - see source code above.


Useful links:

Remote Control TCP Server (remote.zip)
Remote control signal over LAN thread
How to enable Telnet on samsung TV's
Playing with Firmware Images
Setting up a cross-compilation toolchain
Linux Fedora Project
and many other SamyGO articles or posts.


Testing environment/tools:

- SamyGo Cross-Compilation Toolchain installed on FC12 linux (Intel Pentium-class PC)
- LE40B650T2W with patched 2005.0 firmware; no SamyGo extensions installed (only some libs for FTP, NTP, CIFS); modified widgets manager and CL manager replacement.
- 2 customized plug-ins has been tested so far: Remote Control TCP Server and so-called PVR2.


What you can do ?

If somebody knows how to make it easier or better, don't afraid to share your ideas with us.
Anyway, happy patching!
Last edited by geo650 on Sat May 08, 2010 10:58 am, edited 1 time in total.

User avatar
erdem_ua
SamyGO Admin
Posts: 3101
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: Autoloader for custom "Game" plug-ins

Post by erdem_ua » Wed Apr 21, 2010 12:27 pm

Congratulations , but I am sad :( about you write here instead of wiki...
Thanks for the explanations too.

nbd
Posts: 160
Joined: Wed Jan 13, 2010 12:02 pm

Re: Autoloader for custom "Game" plug-ins

Post by nbd » Wed Apr 21, 2010 8:51 pm

Hello. A suggestion how to make autoloading plugins safer (I got the idea from the run-once method presented somewhere in this forum). Make the plugins run-once by default and when TV is booted and plugins loaded, start a simple script that sleeps for 1 min, and if TV is still on, removes the run-once flag. This way, if a bad plugin causes TV to crash, the watchdog reboots before the 1 min delay, and the plugin is disabled at the next boot.

User avatar
geo650
Official SamyGO Developer
Posts: 302
Joined: Wed Oct 07, 2009 12:03 pm

Re: Autoloader for custom "Game" plug-ins

Post by geo650 » Wed Apr 21, 2010 11:31 pm

bmwskead wrote:isnt there any chance to precompile libusb.so and modifiying something like LD_PRELOAD for ci+?
I didn't know about LD_PRELOAD method before. Now I have to read some docs. Today, I don't really know if it would be better or not.
Sorry, I don't know much about CI+ devices. Good advices are welcome. Or maybe someone else could help.
erdem_ua wrote:Congratulations , but I am sad :( about you write here instead of wiki...
I think it is too early for Wiki, because this project is not well-tested. If you want, then copy-and-paste it to the Wiki ;) Sorry, I don't know how to edit wiki pages (I never did); maybe some day... Actually, I even don't know if it is a firmware or software mod :roll:
Now I am working on some plug-ins (there are 3 slightly-customized plug-ins already in my configuration: remote, PVR and ARFix2). Everything seems to be working well.
nbd wrote:Hello. A suggestion how to make autoloading plugins safer (I got the idea from the run-once method presented somewhere in this forum). Make the plugins run-once by default and when TV is booted and plugins loaded, start a simple script that sleeps for 1 min, and if TV is still on, removes the run-once flag. This way, if a bad plugin causes TV to crash, the watchdog reboots before the 1 min delay, and the plugin is disabled at the next boot.
Good idea. I even tried it before (in shell script), but I had some strange effects - probably I did something wrong. I think, it is possible to code such mechanism in libusb.so which could load configuration from libusb.test file (if exists), then delete or rename that file. At next boot libusb.so would load libusb.conf ("old good configuration"). To test a plugin you might simply copy libusb.conf to libusb.test and edit libusb.test -> add new plugin's path. What do you think?

EDIT: I attach custom libusb.so library (with functions described above) if someone would like to test:
You do not have the required permissions to view the files attached to this post.

User avatar
geo650
Official SamyGO Developer
Posts: 302
Joined: Wed Oct 07, 2009 12:03 pm

Re: Autoloader for custom "Game" plug-ins

Post by geo650 » Thu Apr 22, 2010 9:22 am

bmwskead wrote:thank you very much for precompiling libusb.so :) i will give it a try today with LD_PRELOAD, maybe it works too (have a ci+ device but not very familiar with creating a new own firmware and im a bit afraid of doing that)
I don't know if firmware modifications are possible in CI+ devices because of encryption.
bmwskead wrote:LD_PRELOAD environment variable points to your own shared library, which contains a function with the same name as the one you want to overload.
Then you need to overload int usb_set_callback(usb_callback_t callback) function of the original libusb.so. I don't know how to do it before exeDSP start. Or, maybe I need to put my procedure in other function than usb_set_callback? Function usb_set_callback is called only once (quite early) by exeDSP, but there are many other functions in libusb that are called leter, too (I mean after SamyGO.sh script execution; do you have such script in your CI+ device?).
bmwskead wrote:about the "run-once" and "libusb.test" idea: sounds very interesting for testing purposes
My tests were successful. Created libusb.test configuration file is renamed to libusb.back, then is parsed once (tested plugins are executed while no test configuration file is present). It seems to work well.
bmwskead wrote:how did you customize this plugins? improving?
I attach a snapshot of my plugins. Sorry, there is no source code (which is very dirty at the moment), but if anyone want one, I can send you. I need a few days to re-fine used plug-ins and clear the source code.
You do not have the required permissions to view the files attached to this post.

User avatar
geo650
Official SamyGO Developer
Posts: 302
Joined: Wed Oct 07, 2009 12:03 pm

Re: Autoloader for custom "Game" plug-ins

Post by geo650 » Thu Apr 22, 2010 1:14 pm

bmwskead wrote:yep, i already have a modified firmware flashed on ci+ b650 device (firmware 2007.1) and added a samygo.sh with automounting shares and things like that, so i could test everything regarding overloading a shared lib function, but as you mentioned i think the "usb_set_callbac()" might be to early ...
Expect alternate version of libusb.so here with modified usb_init() function; usb_init() function is called periodically. I will edit this post in a few hours. [...] see below!

P.S. Personally, I doubt it will work. LD_PRELOAD variable causes pointed library to be loaded while parent process is created. The problem is that exeDSP is already in RAM when SamyGO.sh script is starting. But maybe I am wrong. Let's try. Actually, SamyGO script starts before exeDSP, but runs in the background. In the worst case, you will have to edit your firmware (as I did) - at least remove "&" sign after SamyGO.sh in rc.local which is certainly not recommended. But then, there would be no need to use LD_PRELOAD variable.

AFTER A FEW HOURS: I compiled 3 "special edition" libusb libraries for different wait-time: 1s, 3s and 10s. Only 10s-version has been tested in my TV, but I think other versions should also work as expected because only one parameter was changed (number of second to wait defined in the source code). Have a good time!
Last edited by geo650 on Thu Apr 22, 2010 6:14 pm, edited 1 time in total.

Post Reply

Return to “[B] Software”