Yesterday I found a BD F6500 lying around and decided to start hacking it.
I found the UART interface and was able to connect via my buspirate and enter the Top Debug Menu.
I found a shell in there, but I guess it's pretty useless, since I can only enter numbers and I have JTAG access to the main Cortex M0 and the device controller, etc.
During this journey and the accompanying Google searches, I encountered this forum quite often. After looking around, I have seen that a lot of reverse engineering and exploitation work has already been done with these devices. However, with all the different models and locations to look for (wiki pages and 20-page-long threads), some things aren't clear to me that I'd like to discuss:
- For Samsung TVs I've found an exploit on this forum that looks like it's hijacking the libSkype.so library of Skype to elevate its privileges. This one seems to be available without having to donate.
- In the Smart Hub of my BD F6500, I couldn't find the Skype app (I guess because it doesn't have a microphone/camera), and I didn't find a quick way to install Skype manually. Also, I could not log in as "develop":"" (the TV was hanging forever with the connection message in the top right corner). Is this expected behaviour? So I guess there is another exploit that does not depend on Skype being installed, and that is what you have to donate for, right?
- How does one disable OTN/get into the service menu on the F6500? There is no mute or menu key, and the instructions at http://wiki.samygo.tv/index.php5/Enteri ... Setup_Menu >> "Debug Console enabled devices" didn't seem to work either. (last modified on 8 December 2012, at 15:43.)
- Are the encryption keys for the downloadable firmware leaked or are there full firmware dumps available to sift through?
Code:

    binwalk ./image/upgrade.msd

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    150           0x96            OpenSSL encryption, salted, salt: 0x-47CD44FA16867C2B
    1486          0x5CE           OpenSSL encryption, salted, salt: 0x-56CFBD10-3D5804ED
    82737061      0x4EE77A5       MySQL ISAM compressed data file Version 9
    112699437     0x6B7A82D       MySQL MISAM compressed data file Version 9
    166292940     0x9E96DCC       MySQL ISAM compressed data file Version 5
    236992246     0xE2036F6       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    236993142     0xE203A76       OpenSSL encryption, salted, salt: 0x7F15D1F64FE0134C
    242756766     0xE782C9E       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    242757662     0xE78301E       OpenSSL encryption, salted, salt: 0x1151D60031BB74F2
    246323654     0xEAE99C6       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    246324550     0xEAE9D46       OpenSSL encryption, salted, salt: 0x-2DC6A2A1-4C3EB62E
    246849134     0xEB69E6E       OpenSSL encryption, salted, salt: 0x-4FD93B96-536EDF9B
    246850030     0xEB6A1EE       OpenSSL encryption, salted, salt: 0x5535FC4E26751367
- I guess the TOCTTOU (https://www.usenix.org/system/files/con ... inal28.pdf) bug has long been fixed, right?
Could someone explain the BD exploit or even provide it? (I would rather help with my knowledge than my money, and I don't have a PayPal account.)
Best,
drogbart
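To show what the binwalk listing in the post is actually matching, here is an added example (my own code, not part of the post and not binwalk's implementation) that scans a firmware image for the 8-byte "Salted__" magic that `openssl enc -salt` writes in front of its 8-byte salt, and renders each salt the way the listing above does (two big-endian 32-bit values printed as signed hex, which is why some salts show a "-"). That rendering is my reading of the posted output, not a documented binwalk format. The sample image is constructed inline; its first blob is placed at offset 150 with the salt from the first line of the listing so the output can be compared directly.

```python
import struct
from typing import List, Tuple

# 8-byte magic that `openssl enc -salt` writes in front of the 8-byte salt.
OPENSSL_MAGIC = b"Salted__"


def binwalk_style_salt(salt: bytes) -> str:
    """Render an 8-byte salt the way the posted binwalk listing shows it.

    Two big-endian 32-bit integers printed as *signed* hex: a salt whose
    high bit is set therefore shows a '-' (e.g. 0x-47CD44FA16867C2B).
    Assumption: this is my reconstruction of the format seen in the listing.
    """
    hi, lo = struct.unpack(">ii", salt)
    return "0x%X%X" % (hi, lo)


def find_openssl_blobs(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, salt) for every complete OpenSSL 'Salted__' header."""
    hits = []
    pos = data.find(OPENSSL_MAGIC)
    while pos != -1:
        salt = data[pos + len(OPENSSL_MAGIC): pos + len(OPENSSL_MAGIC) + 8]
        if len(salt) == 8:            # a header cut off by EOF is not a blob
            hits.append((pos, binwalk_style_salt(salt)))
        pos = data.find(OPENSSL_MAGIC, pos + 1)
    return hits


def blob_spans(data: bytes) -> List[Tuple[int, int]]:
    """Split the image into [start, end) spans, one per encrypted blob.

    Assumption: each blob runs until the next header or end of file, which is
    the simplest reading of the back-to-back headers in the listing.
    """
    offsets = [off for off, _ in find_openssl_blobs(data)]
    ends = offsets[1:] + [len(data)]
    return list(zip(offsets, ends))


# Constructed sample image: 150 bytes of padding, two encrypted blobs, then a
# header truncated by EOF. The first salt is chosen so it renders exactly like
# the first line of the listing above (offset 150).
SAMPLE_IMAGE = (
    b"\x00" * 150
    + OPENSSL_MAGIC + bytes.fromhex("b832bb0616867c2b") + b"\xaa" * 100
    + OPENSSL_MAGIC + bytes.fromhex("7f15d1f64fe0134c") + b"\xbb" * 64
    + OPENSSL_MAGIC  # no salt follows: must be ignored
)


def report(data: bytes) -> str:
    """Produce a binwalk-like table, with the size of each blob appended."""
    lines = ["DECIMAL     HEXADECIMAL  DESCRIPTION"]
    for (start, end), (_, salt) in zip(blob_spans(data), find_openssl_blobs(data)):
        lines.append("%-11d 0x%-10X OpenSSL encryption, salted, salt: %s (%d bytes)"
                     % (start, start, salt, end - start))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE))
```

Binwalk already does this scan for you; the point of writing it out is to see that the match is nothing more than the literal "Salted__" magic, and that the spans between consecutive headers give the size of each encrypted section. Run it over a real upgrade image in place of `SAMPLE_IMAGE` to get an inventory of which parts of the payload are actually encrypted and how large each one is.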