Hi all
Using the latest patcher script, I can't unpack the fw for my T-MST9DEUC. This looks to be because the AES key isn't in the script, and therefore I assume not known outside of Samsung.
Are there any resources available regarding how to find the AES key? Does it involve finding a JTAG within the TV and dumping out the chips? Or connecting to the service port and getting a shell (sounds easier).
The telnet enabler doesn't work on the TV I have, as it doesn't have game content, and the gallery hack makes no difference.
If my post is breaking any rules, please accept my apology.
Thanks!
AES for T-MST9DEUC
Re: AES for T-MST9DEUC
Ah just saw that even though a shell via Ex-Link cable is possible, we're limited to hex input only which won't be any use.
So it looks as though the only way to get a shell on this device would be to flash hacked firmware, which needs an AES key we don't know.
Sounds like this isn't going to happen
Re: AES for T-MST9DEUC
Could there be a different break in boot code (or whatever it's called) that would allow non hex input?
I was thinking about maybe brute forcing it? Or is this obviously not the case to those who know more than me (everyone on here)
Re: AES for T-MST9DEUC
Ok so seen the wiki page on the tty code restriction on typing non hex. Finally got my Ex-Link up and running yesterday
Can confirm the break in code for MST9 is 1198282 and TDM is 20089999.
A snippet of boot code:
Code:
=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000 - RELEASE
etc : spi_wp
=================================
Onboot X9 Sync mode
LCD FastLogo Run...
[SS] fc, 39 [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....
auth success by h/w sha1 UART1 is used to UART or logic mode.
=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000 - RELEASE
etc : spi_wp
=================================
Onboot X9 Sync mode
LCD FastLogo Run...
[SS] fc, 39 [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....
auth success by h/w sha1 UART1 is used to debug mode. [SELP] preset_lpj manual setting 669696
================================================================================
SAMSUNG Mstar Kernel
Version : 1011_013 RELEASE
================================================================================
init started: VDLinux-BusyBox v1.14.3-VD Linux VDLinux.1.2.1.x (2011-01-18 11:04:20 KST)
starting pid 19, tty '': '/etc/rc.sysinit'
mount: mounting devpts on /dev/pts failed: No such device
/etc/rc.local start!!!!
=====================================================================
ROOTFS VERSION : "Mstar-X9 1016 RELEASE" KERNEL MODULE VERSION : "1011_013"
==========##### send signal from USER, SIG : 0, init(1)->???(19) sys_kill
===========================================================
starting pid 31, tty '': '/bin/cttyhack -/bin/sh'
/etc/profile start!!
So the AES keys aren't known for MST9, and many of the attack vectors don't seem to be applicable:
- can't update firmware online
- no games/apps
- Ex-Link shell input restriction
Is the Samsung SDK for Smart TVs applicable to this board, as I understand it can contain keys for decrypting?
I note that upon USB key insertion a file is checked for [/dtv/usb/sda1/SMRTNTKY/WSETTING.WFC] - possible buffer overflow attack?
Playing in TDM noticed things like
Code:
[AP_PSA_ANALYZER/Fatal] 637 : @@@ sMoundCommand ..[mkdir /mtd_rwarea/Analyzer/tmp; mount -t nfs -o nolock 168.219.241.67:/home1/ktnoh /mtd_rwarea/Analyzer/tmp]
mkdir: cannot create directory '/mtd_rwarea/Analyzer/tmp': No such file or directory
Obviously with no valid place to mount that's not going to happen, but still exploring.
Just some thoughts. Still a bit off-putting that MST9 TVs have been out for 2 years or so and still not rooted.
Re: AES for T-MST9DEUC
A new App (which I want to have) requires to update the FW... But a working SamyGo is more important
Re: AES for T-MST9DEUC
faris wrote: A new App (which I want to have) requires to update the FW... But a working SamyGo is more important
Which app do you mean? Maybe there is a way to modify some files of the app via Notepad++ and switch off the FW checking...
We did something similar for the German LoveFilm app recently.
TV: UE40ES7000 @ UE40ES8090 - T-ECPDEUC-2022.0 // SamyGO
CI+: Unicam EVO 4 with HD+ (HD02) @ Pacific 4.60
NET: Samba: PC
Re: AES for T-MST9DEUC
Hi! TV UE32EH4000W, main BN94-05546F_BN41-01795A
NAND TSOP, SAMSUNG 237_K9F1G08U0D_SCB0, ver PULEX9_1021.0_1015.e_49A_02/11,
CPU SEMS23 DNIe_1240B_APMF179ZC.
How do you get into boot? I want to back up (dump) the NAND flash to a USB flash drive. The log has the form:
=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000 - RELEASE
etc : spi_wp
=================================
Onboot X9 Sync mode
LCD FastLogo Run...
this is LCD/LED HD panel
[SS] fc, 39 [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....
auth success by h/w sha1 UART1 is used to UART or logic mode.
To continue, what should be pressed?