Hi guys, I'm not sure if this is what you need, but nevertheless, here it is:
The exeDSP disassembly on rapidshare: (FW T-CHU7DEUC, 002008.1 (or 2) )
http://rapidshare.com/files/292147252/e ... sm.gz.html
It's just bare output of objdump, with no string/jump/call annotations. Haven't got the full disassembly script working yet ...
LNxxB650 and B679 with CI+ certification
- erdem_ua
- SamyGO Admin
- Posts: 3125
- Joined: Thu Oct 01, 2009 6:02 am
- Location: Istanbul, Turkey
- Contact:
Re: LNxxB650 and B679 with CI+ certification
Hey! Is everybody dead with CI+ cert?
Have you given up? What a pity!
So engineer here. I don't know who wants to be a volunteer for this, but we need a hero.
If our attacks are being avoided by the enemy, then we need a commando for the job who sneaks into the enemy lines and brings the key of the castle to us.
We can also read the NAND flash chip without removing it from the motherboard. But who wants to be the commando? (Or a hacker to solder its NAND chip)
http://www.uchobby.com/index.php/2007/0 ... ash-chips/
- erdem_ua
- SamyGO Admin
- Posts: 3125
- Joined: Thu Oct 01, 2009 6:02 am
- Location: Istanbul, Turkey
- Contact:
Re: LNxxB650 and B679 with CI+ certification
Alternatively, we can try to hack the CI+ "program" cert protection algorithm, which uses a 16-byte (128-bit) key, to execute our program on the TV.
With our program, we can read the whole internal flash device and store it to USB flash.
Or alternatively, enable the telnet application.
Trying to hack the 16-byte CI+ program key algorithm is far easier than trying to hack the 256-bit AES which is placed at the main entrance.
-
- Official SamyGO Developer
- Posts: 119
- Joined: Sat Oct 31, 2009 1:04 am
Re: LNxxB650 and B679 with CI+ certification
Hi @ll,
I ordered my new Samsung LE37B650, hope it's coming fast.
As part of my research for this TV I found a posting somewhere where people were able
to activate the USB movie play function on a UB6000 by modifying the TV type in the service menu.
If these functions are enabled and disabled by just the TV type string, maybe there is a chance
1) to disable the CI+ security measures
2) render your nice TV useless...
We would need to compare these TV type numbers.
2nd suggestion: you would need a serial console to use one of these great professional remotes.
As I understand it, the console on CI+ TVs doesn't recognise any inputs?
If this is true, we may have to switch Hotel Mode on to get a console.
Does anyone know how to disable Hotel Mode without the special service remote control?
Silver
Re: LNxxB650 and B679 with CI+ certification
How can I determine if my tv is CI+ or not?
Is it the matter of model code? T2P or T2W ?
LE37B650T2WXXH T-CHL7DEUC patched&injected
- erdem_ua
- SamyGO Admin
- Posts: 3125
- Joined: Thu Oct 01, 2009 6:02 am
- Location: Istanbul, Turkey
- Contact:
Re: LNxxB650 and B679 with CI+ certification
cracket wrote: How can I determine if my tv is CI+ or not?
Is it the matter of model code? T2P or T2W ?
If your model is T2P then it's CI+.
Re: LNxxB650 and B679 with CI+ certification
Based on the CI+ kernel source, the MAC key is stored in the uboot env partition:

    int getAuthUld (macAuthULd_t *mac_authuld) {
        int fd;
        /* open the uboot parameter partition read-only */
        fd = sys_open(UBOOT_PARAM_PARTITION, O_RDONLY, 0);
        if( fd >= 0 ) {
            /* skip the leading int, the uboot environment and the macOnboot_t record */
            sys_lseek(fd, sizeof(int) + UBOOT_ENV_SIZE + sizeof(macOnboot_t), SEEK_SET);
            sys_read(fd, (void *) mac_authuld, sizeof(macAuthULd_t));
            sys_close(fd);
            /* ... the quoted excerpt ends here ... */
        }
    }

Also, the other key comes from:

    // 1GB
    #define CMACKEY_PARTITION_1000 "/dev/bml0/20"
    // 2GB
    #define CMACKEY_PARTITION_2000 "/dev/bml0/18"
    // 128 MB
    #define CMACKEY_PARTITION_128 "/dev/bml0/16"

So the only way, I think, is to boot from the CI kernel.
CI+ owners should try this: http://forum.samygo.tv/viewtopic.php?f=2&t=53&start=20
If access to eboot is enabled, also look at my comments on how to easily get the '~' keypress.