Hacking BD-C5500/XAA (serial console, firmware dump, etc...)

Samsung's BluRay player related hacks.

habee
Posts: 18
Joined: Sat Dec 04, 2010 10:57 pm

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc...)

Post by habee »

Here is an incomplete dump from an unknown user; it is firmware 1013.4:

http://www.ulozto.net/5277274/7630-bsp- ... 0-11c3-bin

It's an almost complete flash dump, with the files for the MTDs in sequential order. I extracted several parts of it; you can
download them here:

http://www.megaupload.com/?d=X2Y62QJO

Here is a kernel and rootfs dump from a BD-C5500 with firmware 1019.0:

http://www.megaupload.com/?d=FRGTX7I4

You can unsquash the rootfs to see the file structure. It should be no problem if you are familiar with Linux.

At boot time, an rc.user script in the /root directory will be executed. But you have to flash a modified rootfs to get it there.

If you compare the Samsung firmware update files with the rootfs size, you will see that there is only a file-size difference of 4096 bytes.

The keys for decrypting the RUF files must be in the firmware, maybe in that appplayer app, which controls all of the functions. The appplayer is executed in a normal boot; you can find it in the extracted rootfs in /usr/local/bin.


BTW: what region is your player?

bye habee
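
The steps habee describes (find the rootfs inside a raw kernel+rootfs or flash dump, cut it out, and compare its size with the update file) can be scripted. The following is an added example, not code from this thread or from Samsung; it scans for the SquashFS superblock magic, reads the version fields (at superblock offset 28/30 in both SquashFS 3.x and 4.x) and, for 4.x images, the 64-bit bytes_used field at offset 40, then pads the carved size to a 4096-byte boundary. The 4096-byte granularity, the sample dump contents and the 24576-byte "update file" size are constructed for the demonstration; for a 3.x image the size field is in a different place, so the example only reports the version.

```python
import struct

# Added example (not code from the thread): carve a SquashFS rootfs out of a raw
# kernel+rootfs or flash dump and compare its padded size with an update file.
# Layout facts used: both SquashFS 3.x and 4.x keep version_major/minor at
# superblock offset 28/30; 4.x keeps bytes_used as a 64-bit value at offset 40.
# The 4096-byte padding granularity is an assumption taken from the thread.

MAGICS = {b"hsqs": "<", b"sqsh": ">"}   # little-endian / big-endian magic
PAD = 4096                                # assumed padding/erase granularity


def find_squashfs(blob):
    """Scan a dump for SquashFS superblocks; return plausible candidates."""
    found = []
    for magic, endian in MAGICS.items():
        off = blob.find(magic)
        while off != -1:
            if off + 48 <= len(blob):
                major, minor = struct.unpack_from(endian + "HH", blob, off + 28)
                if major == 4:
                    used = struct.unpack_from(endian + "Q", blob, off + 40)[0]
                elif major == 3:
                    used = None   # 3.x superblock layout differs; report version only
                else:
                    used = -1     # not a real superblock (stray "hsqs" bytes)
                if used != -1 and (used is None or 0 < used <= len(blob) - off):
                    found.append({"offset": off, "version": (major, minor),
                                  "bytes_used": used, "endian": endian})
            off = blob.find(magic, off + 1)
    return sorted(found, key=lambda c: c["offset"])


def padded(n, block=PAD):
    """Round n up to the next multiple of the padding block."""
    return (n + block - 1) // block * block


def carve(blob, cand, block=PAD):
    """Cut the image out of the dump, keeping the padding up to the next block."""
    if cand["bytes_used"] is None:
        raise ValueError("image size unknown for this SquashFS version")
    start = cand["offset"]
    return blob[start:start + padded(cand["bytes_used"], block)]


def size_delta(update_size, bytes_used, block=PAD):
    """Bytes by which an update file exceeds the padded rootfs image."""
    return update_size - padded(bytes_used, block)


def build_sample_dump():
    """Constructed dump: junk, a decoy magic, then a fake v4 superblock at 0x2000."""
    used = 20000
    sb = struct.pack("<4sIIIIHHHHHHQQ", b"hsqs", 12, 0, 131072, 0, 1, 17, 0, 1,
                     4, 0, 0, used)            # magic .. version 4.0 .. bytes_used
    sb += b"\x00" * (96 - len(sb))             # rest of the 96-byte superblock
    junk = bytearray(b"\xff" * 0x2000)
    junk[16:20] = b"hsqs"                      # decoy: its version field reads 0xffff
    image = sb + b"\x00" * (used - len(sb))    # filesystem payload (zeros here)
    image += b"\xff" * (padded(used) - used)   # padding to the 4096 boundary
    return bytes(junk) + image + b"\xff" * 512 # trailing flash content


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for c in find_squashfs(SAMPLE_DUMP):
        print("squashfs %d.%d at 0x%x, bytes_used=%s" %
              (c["version"][0], c["version"][1], c["offset"], c["bytes_used"]))
        if c["bytes_used"] is not None:
            print("carved %d bytes; delta vs 24576-byte update: %d" %
                  (len(carve(SAMPLE_DUMP, c)), size_delta(24576, c["bytes_used"])))
```

On a real dump, replace SAMPLE_DUMP with the file contents and feed the carved bytes to unsquashfs; a delta that is exactly one padding block, as in the thread, suggests the update file is the same image plus a small header or trailer rather than a differently built filesystem.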
doodlecz
Official SamyGO Developer
Posts: 98
Joined: Wed Mar 17, 2010 9:12 am

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc...)

Post by doodlecz »

habee wrote: The keys for decrypting the RUF files must be in the firmware, maybe in that appplayer app, which controls all of the functions. The appplayer is executed in a normal boot; you can find it in the extracted rootfs in /usr/local/bin.
Thanks for those dumps. From a first look, the RUF file is digitally signed with ECDSA; the public key should be stored in /mnt/cdrom/ecdsakey.bin (I don't suppose there is also a private key...).
AES is used to encrypt the content of the RUF file; the path to the key is mentioned in app_player as /mnt/cdrom/aeskey.bin.
Can anyone send me content of these files?

If the only way to modify the file structure is via an update, I think the basic strategy should be to make a memory patch for app_player to ignore the RUF signature and try to update with a modified FW version, but this still won't be possible without serial. I hope there will be a better way...
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc...)

Post by mirsev »

Hello,

I'm trying to get access to a BD-C6900 Blu-ray player but without any success... The boot log is completely different from the BD-C5500:

>> ONBOOT :: 0x7dc20225 0x12821282 
[read] 2nd Partition Data read!!
upgrade_flag : 0, part_flag : 1

2nd Partition !!!!!!!!!!!!!!!!!
[Secure Boot] cmac loaded
[Secure Boot] KEY Loaded
[Secure Boot] KEY Loaded ok
onboot AUTH passed to S/E
[Secure Boot] onboot Auth Success
[Secure Boot] start kernel Auth
[Secure Boot] kernel Auth result.....:
[Secure Boot] kernel Auth Success
[Secure Boot] Secure Auth Completed....
RunImage Jump Address : 60008000 
Linux version 2.6.24_SELP.4.3.x-Cortex-A8 (wonseok_kim@localhost.localdomain) (gcc version 4.2.0 (SELP-ARM 4.3.1.30 4.2.0-16.0.58.custom.custom 2009-11-17(13:58))) #12 PREEMPT Tue Jul 13 19:26:37 KST 2010

================================================================================
 SAMSUNG: v2.6.24_SELP_4.3.x_GA(P20)
         (Detailed Information: /sys/selp/vd/lspinfo/summary)                   
================================================================================
[CIP_KERNEL] kernel flash type : 1000 MB
init started: SELP-BusyBox v1.6.0-VD Linux SELP.4.2.1.x (2009-12-01 00:13:36 KST) multi-call binary
starting pid 36, tty '/dev/ttyS2': '/etc/rcS'
/etc/rc.local start!!!!
=====================================================
 ROOTFS VERSION : 100407 Rootfs by SP(6900 REL)
=====================================================
[CIP_KERNEL] /dev/bml0/11 can read  (after=7)
[CIP_KERNEL] /bin/authuld can read  (after=0)
[CIP_KERNEL] >>> (/bin/authuld) file is successfully authenticated <<< 
[CIP_KERNEL] AUTHULD ADDRESS<0xc825f000>
[CIP_KERNEL] (0)th waiting. <0x0>
ReadDevice : /dev/tbml13
[CIP_AUTHULD] /dtv/.secure_booting file created.
[CIP_AUTHULD] sem_key = 1929904145
[CIP_AUTHULD] Attempting to create new semaphore set with 1 members
[CIP_AUTHULD] Semaphore created.
2nt Partition : make file /dtv/PART_FLAG_1
2nd Partition Mount
[CIP_AUTHULD] flash type : 1000MB
[CIP_AUTHULD] waiting 15 sec for executing other jobs
Application is started..
/mtd_exe/rc.local start !!!!!
Fri Jan  1 01:00:00 UTC 2010
kernel.msgmni = 64
##### System Execution!!! #####
FAST INIT
TDaStore Building...
TDaOpticalDisc Building...

This is just the beginning of the log. It is quite long and I don't see any hints on how to get root access or anything else... Ctrl+C at the beginning does not help.

When it boots completely, it shows

[CIP_KERNEL] AUTHULD ADDRESS<0xc825f000>
[CIP_KERNEL] (1)th waiting. <0x0>
[CIP_AU[BIF:   ]   FSR VERSION: FSR_1.2.1_b125_RTM
THULD] BIF:   ]   FSR_BML_Open(nVol:0, nFlag:0x0, nOpenCnt:8) / 1176 line
[BIF:   ]   FSR_BML_Close(nVol: 0, nFlag: 0x0, nOpenCnt: 7)
0m 
 total read length = 41050112
[CIP_AUTHULD] Hash checking is Verified
[CIP_AUTHULD] file = /dev/stl0/17, size = 37797888
[CIP_AUTHULD] with Cmac (SW)
[CIP_AUTHULD]  
 total read length = 37797888
[CIP_AUTHULD] Hash checking is Verified
[CIP_AUTHULD] error number = 0
[CIP_AUTHULD] abcdef00

[CIP_AUTHULD] /dtv/.secure_booting is deleted.
[CIP_AUTHULD] total - prev : 1262307584.000000, next : 1262307584.000000, next-prev : 0.000000

[CIP_AUTHULD] Authuld END.
[CIP_KERNEL] AUTHULD ADDRESS<0xc825f000>
[CIP_KERNEL] authentication success!!
[CIP_KERNEL] Success!! Authuld is successfully completed.

Then it does not respond to any input. However, if I type 'debug' and press Enter, it begins to echo the typed digits. That's it...

Any idea?

UPDATE: BD-C6900 has been hacked.
nspierbundel
Posts: 84
Joined: Thu Sep 29, 2011 3:08 pm

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc

Post by nspierbundel »

Any updates on how to hack the BD-C5500?

Daniel
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc

Post by juusso »

Mirsev,

What about 20089999 and enter, after you get symbols typed?
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
nspierbundel
Posts: 84
Joined: Thu Sep 29, 2011 3:08 pm

Re: Hacking BD-C5500/XAA (serial console, firmware dump, etc

Post by nspierbundel »

Small update on my progress.

For now i do not want to open the box for serial.

Here's where I've got.
I've installed a hack widget and can copy files to and from the player.
In /etc/hotplug.d there are 3 folders: usb, block and default.
usb contains a .hotplug file for the WiFi stick (a bash script).
default is empty.
block contains a binary hotplug file.

In /sbin there is a hotplug script that is used to read all files from /etc/hotplug.d ending in .hotplug.

The 5500 can't read ext filesystems.
Copying with execute permissions is impossible??? Any ideas to overcome this crucial step?

My .hotplug script is copied by the widget but can't be executed.

Can I use the widget to copy a file from a network store containing an ext file?

Daniel
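
Whether a .hotplug file that arrives without the execute bit can run at all depends on how the dispatcher in /sbin/hotplug invokes it, which the post does not show. The following is an added example, not code from the thread or from the player's firmware: it writes a small script with and without the x bit into a temporary directory and tries both invocation styles a dispatcher might use, execing the file directly versus handing it to sh. The dispatcher stand-in, the script contents and the file name 99-test.hotplug are constructed; the point is that the direct style needs the mode bit that the widget cannot set, while the sh style does not, so reading the actual /sbin/hotplug script for which style it uses is the check worth making before worrying about ext support.

```python
import os
import subprocess
import tempfile

# Added example (not from the thread): does a .hotplug file need the execute bit?
# The two "dispatcher" functions are constructed stand-ins for the invocation
# styles /sbin/hotplug could use; the real script on the player was not posted.

SCRIPT = "#!/bin/sh\necho hotplug-ran\n"   # constructed stand-in for a .hotplug file


def write_script(path, executable):
    """Write the script and set (or deliberately omit) the execute bits."""
    with open(path, "w") as f:
        f.write(SCRIPT)
    os.chmod(path, 0o644 | (0o111 if executable else 0))
    return path


def run_direct(path):
    """Dispatcher style 1: exec the file itself; the kernel enforces the x bit."""
    try:
        out = subprocess.run([path], capture_output=True, text=True, timeout=5)
    except PermissionError:          # EACCES: no execute permission
        return False
    return out.returncode == 0 and "hotplug-ran" in out.stdout


def run_via_sh(path):
    """Dispatcher style 2: 'sh file'; only read permission is needed."""
    out = subprocess.run(["sh", path], capture_output=True, text=True, timeout=5)
    return out.returncode == 0 and "hotplug-ran" in out.stdout


def probe(executable):
    """Report x bit, direct-exec result and sh result for one test script."""
    with tempfile.TemporaryDirectory() as d:
        path = write_script(os.path.join(d, "99-test.hotplug"), executable)
        return {"x_bit": os.access(path, os.X_OK),
                "direct": run_direct(path),
                "via_sh": run_via_sh(path)}


if __name__ == "__main__":
    for flag in (False, True):
        print("executable=%s -> %s" % (flag, probe(flag)))
```

Dispatchers that iterate `for f in /etc/hotplug.d/*/*.hotplug; do $f; done` are the direct style; ones that do `sh $f` or `. $f` are the second. If the player's /sbin/hotplug uses the first form, a file copied by the widget will be skipped or fail exactly as described, regardless of which filesystem it came from.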
