AES for T-MST9DEUC

Here is information about customize your E series firmware..:!:This forum is NOT FOR USER questions or problems but DEVELOPER.
Post Reply

CBX2013
Posts: 4
Joined: Fri Dec 27, 2013 12:28 pm

AES for T-MST9DEUC

Post by CBX2013 »

Hi all

Using the latest patcher script, I can't unpack the fw for my T-MST9DEUC. This looks to be because the AES key isn't in the script, and therefore I assume not known outside of Samsung.

Are there any resources available regarding how to find the AES key? Does it involve finding a JTAG within the TV and dumping out the chips? Or connecting to the service port and getting a shell (sounds easier).

The telnet enabler doesn't work on the TV I have, as it doesn't have game content, and the gallery hack makes no difference.

If my post is breaking any rules, please accept my apology.

Thanks!
CBX2013
Posts: 4
Joined: Fri Dec 27, 2013 12:28 pm

Re: AES for T-MST9DEUC

Post by CBX2013 »

Ah just saw that even though a shell via Ex-Link cable is possible, we're limited to hex input only which won't be any use.

So it looks as though the only way to get a shell on this device would be to flash hacked firmware, which need AES key we don't know.

Sounds like this isn't going to happen :)
CBX2013
Posts: 4
Joined: Fri Dec 27, 2013 12:28 pm

Re: AES for T-MST9DEUC

Post by CBX2013 »

Could there be a different break in boot code (or whatever it's called) that would allow non hex input?

I was thinking about maybe brute forcing it? Or is this obviously not the case to those who know more than me (everyone on here :) )
CBX2013
Posts: 4
Joined: Fri Dec 27, 2013 12:28 pm

Re: AES for T-MST9DEUC

Post by CBX2013 »

Ok so seen the wiki page on the tty code restriction on typing non hex. Finally got my Ex-Link up and running yesterday :)

Can confirm the break in code for MST9 is 1198282 and TDM is 20089999.

A snippet of boot code:

Code: Select all

=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000  - RELEASE
etc : spi_wp
=================================

Onboot X9 Sync mode
LCD FastLogo Run...
[SS] fc, 39  [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....

auth success by h/w sha1 UART1 is used to UART or logic mode.  
=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000  - RELEASE
etc : spi_wp
=================================

Onboot X9 Sync mode
LCD FastLogo Run...
[SS] fc, 39  [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....

auth success by h/w sha1 UART1 is used to debug mode. [SELP] preset_lpj manual setting 669696
================================================================================
 SAMSUNG Mstar Kernel
 Version : 1011_013 RELEASE
================================================================================

init started: VDLinux-BusyBox v1.14.3-VD Linux VDLinux.1.2.1.x (2011-01-18 11:04:20 KST)

starting pid 19, tty '': '/etc/rc.sysinit'
mount: mounting devpts on /dev/pts failed: No such device
/etc/rc.local start!!!!
=====================================================================
  ROOTFS VERSION : "Mstar-X9 1016 RELEASE" KERNEL MODULE VERSION : "1011_013"
==========##### send signal from USER, SIG : 0, init(1)->???(19) sys_kill
===========================================================

starting pid 31, tty '': '/bin/cttyhack -/bin/sh'
/etc/profile start!! 
So the AES keys aren't known for MST9, and many of the attack vectors don't seem to be applicable:

- can't update firmware online
- no games/apps
- Ex-Link shell input resitriction

Is the Samsung SDK for Smart TVs applicable to this board as I understand it can contain keys for decrypting?

I note that upon USB key insertion a file is checked for [/dtv/usb/sda1/SMRTNTKY/WSETTING.WFC] - possible buffer overflow attack?

Playing in TDM noticed things like

Code: Select all

[AP_PSA_ANALYZER/Fatal] 637 : @@@ sMoundCommand ..[mkdir /mtd_rwarea/Analyzer/tmp; mount -t nfs -o nolock 168.219.241.67:/home1/ktnoh /mtd_rwarea/Analyzer/tmp]
mkdir: cannot create directory '/mtd_rwarea/Analyzer/tmp': No such file or directory 
Obviously with no valid place to mount that's no going to happen, but still exploring.

Just some thoughts. Still a bit off putting that MST9 TVs have been out for 2 years or so and still not rooted :(
faris
Posts: 1
Joined: Wed Jan 22, 2014 5:48 am

Re: AES for T-MST9DEUC

Post by faris »

A new App (which I want to have) requires to update the FW... But a working SamyGo is more important :-)
User avatar
fluffi444
SamyGO Project Donor
Posts: 568
Joined: Fri Apr 05, 2013 9:55 pm
Location: Germany

Re: AES for T-MST9DEUC

Post by fluffi444 »

faris wrote:A new App (which I want to have) requires to update the FW... But a working SamyGo is more important :-)
Which app do you mean? Maybe there is a way to modify some files of the app via Notepad++ and switch off the FW checking...

We did something similar for the german LoveFilm app recently.
TV: UE40ES7000 @ UE40ES8090 - T-ECPDEUC-2022.0 // SamyGO
CI+: Unicam EVO 4 with HD+ (HD02) @ Pacific 4.60
NET: Samba: PC
vladserebrya
Posts: 1
Joined: Sat Feb 08, 2014 7:34 pm

Re: AES for T-MST9DEUC

Post by vladserebrya »

Hi!Tv UE32EH4000W, main BN94-05546F_BN41-01795A
NAND TSOP, SAMSUNG 237_K9F1G08U0D_SCB0, ver PULEX9_1021.0_1015.e_49A_02/11,
CPU SEMS23 DNIe_1240B_APMF179ZC.
how do you get into boot? I want backup dump nand flash to usb flash. Log has the form:
=================================
onboot (Dec 30 2011 - 18:13:55)
release ver : 1000 - RELEASE
etc : spi_wp
=================================

Onboot X9 Sync mode
LCD FastLogo Run...
this is LCD/LED HD panel
[SS] fc, 39 [SFL][SE]
Loading Kernel....
load kernel start, size : 131072 + 2883584 byte
Jump Kernel....

auth success by h/w sha1 UART1 is used to UART or logic mode.

for continue that should be pressed?

Post Reply

Return to “[E] Firmware”