Update: a working method of rooting ES series

[mamaich]

Last edited 16 nov 2012

Now the method is almost finished, though it would be further improved.
This method executes a FTP and remote shell servers on TV with a root access. These changes are not persistent and are lost on TV reboot, so hack is 100% safe, unless you'll break something yourself.

Instructions:
1. Set up a development environment on your PC and TV (read wiki how to do this).
2. Extract htdocs.zip to your Apache htdocs folder. Edit widgetlist.xml and change 192.168.1.2 to IP address of your Apache server.
3. Unzip usb_card_updated.zip to the root directory of FAT-formatted USB stick.
4. Turn on a TV and wait until it completely boots.
5. Insert USB stick to TV, install and run the "Test Applet" widget on TV
6. Press "enter" on remote, the widget would do its dark things.
7. Exit widget and run "Web Browser". It should display a black screen for >10 seconds and then the browser would start. If browser starts immediately (this happens sometimes) - rerun browser again.
I've added a 10-second delay on the hack start to see that it works.

After this - you'll get a shell access via telnet on port 23 on TV IP address, and a FTP access to its filesystem.
Shell access allows you to execute commands and see their output. This is not a complete telnet daemon as we don't have devpts driver on TV. So do not try to execute interactive commands - you'll see their output, but would be unable to enter text. Code is taken from here: http://www.andreadrian.de/remsh/index.html with minor modifications (added a delay after popen). Later I'll replace this shell with something better.

Tested on UE32ES6727. USB is hardcoded to be "/dtv/usb/sda1", so insert only one USB device into TV, and your USB stick should have only one partition.

Todo:
1. Remove the requirement to manually launch Web Browser
2. Better telnet daemon
3. Remove the hardcoded "/dtv/usb/sda1", detect USB folder automatically

Internals:

SpoilerShow

Look into /mtd_exe/rc.local script. It has lines that set the LD_LIBRARY_PATH to search for .so files in "/dtv" directory before trying other dirs. And "/dtv" dir is writable! So we can place our own .so with a name of a system library (I've chosen libm.so.6) and it would be loaded instead of a system one.
So a hack is simple - copy our .so to /dtv, then run any application on TV (for example Web Browser, but other apps may work too), system would load our .so instead of libm, and our .so runs /dtv/usb/sda/run.sh on load.
To copy the .so file in your widget - use the "FilePlugin.Copy" function, but hide it with eval(), otherwise app would not be loaded as it contains "undocumented" functions.
As /dtv directory is tmpfs, all our modifications would be lost on reboot. So this hack is absolutely safe (of cause if you would not break something in run.sh script).

[arris69]

...
2. Add FTP/telnet for the easy hacking. This should not be difficult too - find a working busybox, run it (for example via "/mtd_exe/lib/ld-2.11.1.so /dtv/usb/sda1/busybox ...", as USB is noexec, or remount usb as executable)...

are you sure that on mstar the noexec isn't made at kernel level (like on "ECP based e-series")?

[mamaich]

are you sure that on mstar the noexec isn't made at kernel level (like on "ECP based e-series")?

I have not looked into the kernel sources yet, but this explains one of my problems during tests. So this is just another issue that should be solved
I'll try busybox from the archive you've sent me.

[mamaich]

Regarding noexec - we can't run executables directly from usb:

Code: Select all

/dtv/usb/sda1/busybox: error while loading shared libraries: /dtv/usb/sda1/busybox: failed to map segment from shared object: Operation not permitted

but if we copy it to /tmp and chmod - it executes correctly.

[mamaich]

Updated the first post. Now we have FTP and limited shell access.
I'm looking now for a good remote shell sources, that does not require /dev/pts. When I'll find it - it would be used instead of the current one.

[Scary]

Hello,

Thank you for your great Job. It works fine for me on ES6100.

I have one question. How can i copy the SamyGO-Extention to the TV whit this method??
Sry when i post in wrong forum.

[mamaich]

I have one question. How can i copy the SamyGO-Extention to the TV whit this method??

SamyGO is currently not tested to work with this hack. So I can't tell you what to do next - I'm currently busy with other things.

Maybe someone would write an instruction on running SamyGO?

[sbav1]

Nicely done!

Can you check what are the file permissions after copying it from USB drive to /mtd_rwarea using FilePlugin.Copy() ?
There are some E-series devices (e.g. Firenze-based BD-E6100 models) with

Code: Select all

...

if [ -e /mtd_rwarea/myBoot.sh ]; then
	/mtd_rwarea/myBoot.sh
else
	cd /mtd_exe
	sysctl -w kernel.msgmni=64
	./exeDSP
fi 

in /mtd_exe/rc.local, but with more sane LD_LIBRARY_PATH (without writable path destinations like /dtv included).
As Samsung is using '-e' and not '-x' in their shell script, if /mtd_rwarea/myBoot.sh can be copied with '-rwxrwxrwx' (or equivalent) permissions, I think such devices can also be rooted using this method in reasonably safe way.. if not, it will become an instant brick .

[mamaich]

Can you check what are the file permissions after copying it from USB drive to /mtd_rwarea using FilePlugin.Copy() ?

You need to look into /proc/self/mounts (copy it to USB via FilePlugin.Copy()). On my device /mtd_rwarea is a FAT partition with all files executable. But other devices may be different.
And be very careful when playing with /mtd_rwarea/*.sh. One wrong line - and you'll get a brick, as we currently don't have a method of erasing /mtd_rwarea without exeDSP running.

You may post here contents of your rc.local and mounts files, maybe you've mislooked something. For example, some root directories may be symlinks to writable /mtd_xxx folders, but with different names.

[sbav1]

You need to look into /proc/self/mounts (copy it to USB via FilePlugin.Copy()). On my device /mtd_rwarea is a FAT partition with all files executable.

I don't have any E-series model yet (I am currently bidding on internet auction for BD-E6100 with slightly defective loader, though).
Judging from decrypted firmware contents (B-FIRBPEWWC_1053), /mtd_rwarea in this device should be vanilla Samsung RFS; while recent RFS versions do support arbitrary UNIX file permissions, it looks like all new files in /mtd_rwarea should be typically created with 'rwxr-x-rx' - I just hope files copied/created with FilePlugin.Copy() will have default permissions. Alas, we don't yet know if FilePlugin.Copy() may work as expected in BD-E6100; it's completely different firmware branch.. We will see .

And be very careful when playing with /mtd_rwarea/*.sh. One wrong line - and you'll get a brick, as we currently don't have a method of erasing /mtd_rwarea without exeDSP running.

Well, no risk = no gain . On devices equipped with eMMC flash, I think boot-time /mtd_rwarea partition reformat may be triggered with mainboard test-pads shorting (in a manner somehow similar to EEPROM-related unbricking procedures). It will require really exact timing and a lot of trouble - quite inconvenient, but theoretically possible..

maybe you've mislooked something.

Yes! Apparently there is :/mtd_contents: included in LD_LIBRARY_PATH, which is indeed writable. It's between /lib:/usr/lib:... and ...:/mtd_rocommon/Webkit) - looks like custom *.so loading might be possible in this model, too.