Make fake answer from server when tv download widget

General Forum talking area for H series TVs.

szt
Posts: 62
Joined: Wed Jun 24, 2015 10:27 pm

Post by szt »

I captured an HTTP GET request while the TV was downloading a widget:

Code:

GET /files/widget/bla/bla/bla/enc_blablabla.img?Expires=...&Signature=...&Key-Pair-Id=... HTTP/1.1
Host: somehost.cloudfront.net
Accept: */*

And the captured answer:

Code:

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 123456
Connection: keep-alive
Date: ...
Last-Modified: ...
ETag: "..."
Accept-Ranges: bytes
Server: AmazonS3
Age: 123456
X-Cache: Hit from cloudfront
Via: 1.1 somehost2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ...

_here_goes_Squashfs_img_data_

If I make a fake answer and put some handmade app in the answer (or modify an existing app and put it there), will I be able to run it? Or will it be rejected? Has anyone tried to do so?

Model UE40H6400 fw T-MST14DEUC 2740.6
Last edited by szt on Mon Jul 06, 2015 1:14 am, edited 1 time in total.
Wolfgan
SamyGO Project Donor
Posts: 19
Joined: Sat Jul 04, 2015 4:09 pm

Re: Make fake answer from server when tv download widget

Post by Wolfgan »

Did you try tinkering with the replies using Fiddler? http://www.telerik.com/fiddler
Tinkerer & owner of a UN48H6400
ZGod
Posts: 91
Joined: Sat Mar 21, 2015 7:46 pm

Re: Make fake answer from server when tv download widget

Post by ZGod »

It's easy to run handmade widgets using the built-in develop log-in, so I don't think many people tried this.
szt
Posts: 62
Joined: Wed Jun 24, 2015 10:27 pm

Re: Make fake answer from server when tv download widget

Post by szt »

ZGod wrote: It's easy to run handmade widgets using the built-in develop log-in, so I don't think many people tried this.
Is it possible to put an ARM ELF executable in a handmade widget and run it on the TV without root access?
szt
Posts: 62
Joined: Wed Jun 24, 2015 10:27 pm

Re: Make fake answer from server when tv download widget

Post by szt »

Wolfgan wrote: Did you try tinkering with the replies using Fiddler? http://www.telerik.com/fiddler
I tried mitmproxy. This Python code replaces the HTTP response:

Code:

from libmproxy.protocol.http import decoded

def response(context, flow):
    # Work on the decoded body so any Content-Encoding is handled transparently.
    with decoded(flow.response):
        # Original widget image as captured from the server.
        with open('replaces/orig.bin', 'rb') as f:
            squashfs = f.read()
        # Only touch the response that carries exactly that image.
        if flow.response.content == squashfs:
            with open('replaces/repl.bin', 'rb') as f:
                squashfs2 = f.read()
            flow.response.content = squashfs2
            # Keep Content-Length in step with the new body.
            flow.response.headers["Content-Length"] = [str(len(squashfs2))]

but the TV rejects it, even if I change a single bit in the squashfs image. I tried to make a squashfs img based on the original with modified png images, but it was also rejected. Files in the squashfs which have the .spm extension are encrypted. How can I decrypt them?

I need a filesystem dump from a rooted TV. I need to find the code that makes the integrity check (maybe MD5 or another hash function). Or maybe somebody can trace the actions which are performed after a widget is downloaded?

I can't mount/unpack the cramfs filesystem from the firmware file: viewtopic.php?f=77&t=9257
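
Why a single changed bit is enough for a download client to reject the image, as an added example that is not part of the original posts or of the TV's firmware. The thread does not identify the TV's actual check, so this assumes a SHA-256 digest carried in a manifest that is authenticated with an HMAC key (a stand-in for a vendor signature); every name, key and sample byte below is constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing secret (assumption).
VENDOR_KEY = b"constructed-demo-key"

def make_manifest(name, image, key=VENDOR_KEY):
    """Server side: describe the image and authenticate the description."""
    manifest = json.dumps(
        {"name": name, "size": len(image),
         "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag

def verify_download(body, manifest, tag, key=VENDOR_KEY):
    """Client side: return 'ok' or the reason the download is rejected."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    # Authenticate the manifest first; an unauthenticated digest proves nothing.
    if not hmac.compare_digest(expected, tag):
        return "manifest tag mismatch"
    meta = json.loads(manifest)
    if len(body) != meta["size"]:
        return "size mismatch"
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, meta["sha256"]):
        return "digest mismatch"
    return "ok"

def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

# Constructed sample body: SquashFS magic followed by filler, not a real image.
IMAGE = b"hsqs" + bytes(range(256)) * 4
MANIFEST, TAG = make_manifest("enc_sample.img", IMAGE)

if __name__ == "__main__":
    print(verify_download(IMAGE, MANIFEST, TAG))
    print(verify_download(flip_bit(IMAGE, 100), MANIFEST, TAG))
    # A replaced image with a recomputed digest still fails: the old tag
    # does not cover the new manifest.
    forged, _ = make_manifest("enc_sample.img", b"replacement")
    print(verify_download(b"replacement", forged, TAG))
```

With a check of this kind, replacing the body in transit fails regardless of which bytes change, and recomputing the digest does not help without the key that authenticates the manifest.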
