B Series hacking - Exlink, NFS mounted media play

[cell800]

Hi,

I am posting after searching and reading information on related topics. Perhaps I am overlooking or misunderstanding something.

Background Information- (before start of any hacking)
TV - UN46B8000XF - Purchased in Dec 2009
Firmware - T-CHE7AUSC-1018.2
There is alternative firmware T-CHE7AUSC-1017.2 which shows a date of 1/5/2010 but still does UDN encryption check while loading games in Content Library. In other words it in not an open firmware.
I can switch between 1018 and 1017 easily using Menu->Software->Alternative Firmware
I placed T-CHE7AUSC-1013 in the USB but I can not select older firmware from USB

NAS- I have WD MyBook with GigEthernet connected to TV through a GigE switch


DLNA works and I can get the content on TV. But as someone else said DLNA on these TVs suck.

My humble goal is to enable NFS access to the NAS and watch all content in all supported formats (many more types supported in NFS mode than in DLNA).

My actions based on SamyGo instructions

Exlink -
1) Bought the Exlink cable
2) Enabled RS232 Debug, had to use [Mute] 1, 8, 2 [Power] to get to access to service menu
3) Disabled the Watchdog
4) Wiselink write was ON already
5) Used Putty Serial - Saw the TV booting on the serial Console
6) After typing D E B U G followed by 1198282 1198282 nothing happens. I cannot get to TOP DEBUG menu. This is similar to Pitou's post viewtopic.php?f=2&t=1362&start=0 on Sun Jan 23, 2011 11:48 am
7) I tried 10041004 10041004 sequence as well no TOP DEBUG menu.

Telnet-
Therefore I resorted to Telnet and made some progress
1) Used Telnet Enabler Trojan through Content Library method and installed it in Children
2) Enabled Telnet - it worked!! (root login, no password)
3) Wanted to enable Telnet by putting the telnetd in rc.local
4)It does not allow me saying it is READ ONLY Filesystem

Dumpmaker Lite
1) Used the Content Library method to Dump the binaries in USB.
2) Given that Telnet access is dependent on enabling it every time after power up through the content library, I do no feel comfortable messing up with firmware just yet. I am not able to get access to TOP DEBUG menu through serial hence don't know if will be able to recover bricked TV.
3) Is my concern valid?

SamyGo Extension-
Next I tried SamyGo Extensions. I did not edit any of the scripts in the samygo init.d but it looks like I should to mount the NFS through Samygo extension. Could not find exact instructions for it.

1) Copying SamyGo to Games through Content Library did not work
2) It complained that it is NOT UDN encrypted
3) So copied SamyGo directly from USB to /mtd_tlib/GGame using Telnet shell
4) Enabled SamyGo by running it from Content Library
5) SamyGo Virtual USB appears
6) The webserver at TV became accessible (don't know what to do with it)
7) SSH became available as well

SSH

1) Used Putty to start SSH
2) Root Login with Password SamyGO

NFS
1) Enabled NFS on MYBOOK and added TV IP address in the host list
2) NFS mounted the Public share to /dtv/usb/sda1/media
3) I am able to browse the MYBook using Media.P and I see Pictures, Music and Videos
4) Pictures work beautifully
5) Video playing causes coredump (serial console says coredumped but does not say which process)
6) TV hangs (Remote does not work power switch does not work), since watchdog is disabled only method that works is to pull the plug
7) Shell is still fully functional,
8) reboot or shutdown commands are not there, how do I reboot from the shell.

While jostling with the above, just for sake of it started telnet again (as it was gone due to power cycle)

FEW UNEXPECTED THINGS HAPPENED

1) The telnet asked for password ( before this it simply went in as root).
2) Logged in using SamyGO as password
3) Login successful
4) #mount does not show anything!!
5) same behavior in SSH shell
6) Noticed that cursor became available in Serial Console, preceded by three lines

[SERIAL INPUT MANAGE] Managed tty_struct(.name:ptm1) Setup!!!
[SERIAL INPUT MANAGE] disable_serial : ~~bye(len:5)
[SERIAL INPUT MANAGE] enable_serial : debug(len: 5)

login[652]: root login on `pts/1'

7) Typed d e b u g
8) TOP DEBUG Menu magically appears
9) Selected the option 0x11, 0x04 and 68 to get the Shell access
10) Now I have full shell access through serial console
11) #mount on this shell shows all valid mountings!! while telnet and SSH shell still show nothing for #mount but otherwise these shells are functional

I repeated the sequence of SSH and Telnet and I got debug access on Serial console every time.

Now I have several questions

1) What is the dependence between SSH, telnet and Serial console? Will appreciate an explanation.
2) How do I make this serial console access permanent?
3) With the serial console access can I copy Firmware 1013 version at the right place to enable older firmware? Any instruction will be very much appreciated.
4) Why is video playing through NFS is failing while picture browsing is fine?

[juusso]

FEW UNEXPECTED THINGS HAPPENED

1) The telnet asked for password ( before this it simply went in as root).
2) Logged in using SamyGO as password
3) Login successful
4) #mount does not show anything!!
5) same behavior in SSH shell
6) Noticed that cursor became available in Serial Console, preceded by three lines

Hi, nice and long story Some comments:
1.-3. Yes telnet gets password and actually the connection drops to ssh... I don`t think it is a problem. You can change the password by typing

Code: Select all

passw

4. use this command:

Code: Select all

/bin/mount

Now I have several questions

1) What is the dependence between SSH, telnet and Serial console? Will appreciate an explanation.
2) How do I make this serial console access permanent?
3) With the serial console access can I copy Firmware 1013 version at the right place to enable older firmware? Any instruction will be very much appreciated.
4) Why is video playing through NFS is failing while picture browsing is fine?

1. Too general question about differences... Google could help you a lot to understand what telnet, ssh or serial connection is. Practically for you it doesn`t matter which method do you use to get root on TV. Personally i`m using ssh, but in emergency i`m using ExLink and serial connection.
2. Installing patched firmware allows you to get telnet from the TV start. If you need ssh, you have to create custom SamyGO.sh (startup script) which executes required daemons.
3. Yes, you can reflash firmware by hand, but only with decrypted/dexored firmware.
4. Perhaps not supported video format? Try to play same file from USB dongle.

[cell800]

Thanks juuso,

3. Yes, you can reflash firmware by hand, but only with decrypted/dexored firmware.

OK I did that. I placed the decrypted 1013 firmware in partitions /8 and /9 using bml.restore command. It was successful. Selected this firmware from Menu->software upgrade -> Alternative Firmware. The TV comes up and the restriction of UDN encrypted games is gone. I can run games from USB. This is my Version.0 Thanks.

The restricted FW 1018 is still there in /10 and /11 which I will replace later. This is in Version.1

Now my next task is to restore u-boot. This was removed when TV upgraded to restricted FW. I have a DUMP of functional TV but as I understood, i need u-boot in order to recover from bricking.

How do I restore [T-CHE7AUSC]-fnw.bin and [T-CHE7AUSC]-u-boot.bin by hand?? Any instruction will be appreciated

1. Too general question about differences... Google could help you a lot to understand what telnet, ssh or serial connection is. Practically for you it doesn`t matter which method do you use to get root on TV. Personally i`m using ssh, but in emergency i`m using ExLink and serial connection.

My question was not about the difference among the three. Rather how come the exlink Serial Console becomes enabled for debug ONLY AFTER I start an SSH session AND a Telnet session. As I said typing DEBUG and 11982821198282 does not give the TOP Debug menu in the serial console.

I think the restricted FW boot sequence removes the debug capability from the Serial console, but opening an SSH and Telnet session simultaneously somehow enables it again. Perhaps a patcher can use the same thing to open the restricted FW. Anyway just a thought.

2. Installing patched firmware allows you to get telnet from the TV start. If you need ssh, you have to create custom SamyGO.sh (startup script) which executes required daemons.

Can I patch the unencrypted 1013 image that I created? How do I do that?

I feel comfortable with bml.restore procedure by hand. Since I have alternative firmware, I am assuming if I mess up the selected firmware TV will boot from the alternative. Am I right in assuming that?

4. Perhaps not supported video format? Try to play same file from USB dongle

Thanks this problem got resolved with firmware downgrade.

[juusso]

To get fully functional u-boot using bml.restore command, you have to restore:
[T-CHE7AUSC]-u-boot.bin (/dev/bml0/2)
[T-CHE7AUSC]-fnw.bin (/dev/bml0/4)
For console it is needed to reflash kernel (/dev/bml0/5) with file, called [T-CHE7AUSC]-Image. Why do you think those three files are mandatory for FFB procedure

You must use not touched original 1013 firmware for patcher. It decryopts/patches and encrypts back it for you automatically.

[cell800]

To get fully functional u-boot using bml.restore command, you have to restore:
[T-CHE7AUSC]-u-boot.bin (/dev/bml0/2)
[T-CHE7AUSC]-fnw.bin (/dev/bml0/4)
For console it is needed to reflash kernel (/dev/bml0/5) with file, called [T-CHE7AUSC]-Image. Why do you think those three files are mandatory for FFB procedure

Thanks juuso.

I would have used FFB but it seems the instructions were meant for scenarios where CI TV had the post FEB firmware and alternative firmware option was gone. In my case, as I said there was already an alternative firmware 1017.1
So I was not sure if the FFB will work as is. In fact the revert.sh looks for existence of Version.1 and stops which will be true in my case. Hence I decided to do reflashing by hand.

Base on you response this is what I plan to do. Please let me know if the sequence needs to be different.

1) Reflash kernel ([T-CHE7AUSC]-Image) using bml.restore to /dev/bml0/5
2) Verify that I got the shell access through serial console
3) Reflash [T-CHE7AUSC]-u-boot.bin to (/dev/bml0/2) and [T-CHE7AUSC]-fnw.bin to (/dev/bml0/4)
4) verify that U-boot is fucntional
5) Then do the patching of original firmware.

Please reply. Thanks.

[juusso]

Right.

[cell800]

One more question.

After reflashing kernel in step 1) above can I restart the new kernel without powering the TV off? I mean is there a equivalent of "reboot" command from the shell. Since I still don't have u-boot or serial access upon power up, I want to do as much verification while I have the telnet/ssh enabled serial access.

Thanks for your patience and help.

[juusso]

no, you can`t restart in that way.
just only :

Code: Select all

/mtd_boot/MicomCtrl 143

makes restart. Full restart.

[cell800]

Thanks juuso.

It worked. Please let me know if it would be worthwhile to summarize the steps for regaining UN46B8000XF that already has two latest firmware (both of which are restricted). If that topic is adequately covered I don't want to create clutter.

[juusso]

It would be really great if you made some summary for rooting USA models. We have topics, but here is no all in one version... thanks!