Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 6:56 pm
by mirsev
card2000 wrote:
in /etc/rc.local @ line 69 > mount -t rfs -r $EXE_MOUNT /mtd_exe/ to remove -r maybe adding -o codepage=utf8
Hmm, sorry for my stupid question but isn't the mtd_exe partition of squashfs type? If yes, I don't think it can be mounted read-write...
card2000 wrote:
in cmac calculation, write just 0x10 bytes as file len and calculate for this len cmac, store it in need /dev/bml
...
the same can i am 99.9999% sure for other squashfs partitions be done.
And what about custom kernel? Well, bootloader may check the kernel image size and load into RAM only these 16 bytes...

Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 7:02 pm
by Denny
yap, am 99,999999 % sure it can be done
authuld get all infos about cmac from /dev/bml0/9 or /dev/bml0/10 regarding size of normal fat file (during flashing already), according to these informations it calculate cmac's of stl0/xx partitions and compare result with stored cmac's in /dev/bml0/9 or /dev/bml0/10.
in case of firmware > 3009 i mean that they can additionally put a check to fix this trick
and when u download source code, you have
Code:
AES_CMAC_with_f_and_size(mkey, f, len, h);
this one line, the parameter is length of true image size, this should be in case of exe.img replaced by some fixed value that will never change, for example 1st 16 bytes of header of image.
can u now follow?
@ mirsev, in T-VALDEUC mtd_exe is FAT, but this can be changed for BD-Player also, just reformat stl device, create own FAT image from squashfs image, flash it to stl device and change such things like in TV.....
Denny
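Added example, not part of the thread and not code from the toolkit or the firmware source: a small Python model of the length-scoped check described in the post above, showing that a MAC computed over only the first 0x10 bytes does not detect changes to the rest of the image, next to a verifier that refuses a record whose length does not match the image size. Assumptions: HMAC-SHA256 from the standard library stands in for AES-CMAC, and the key, record layout, image bytes and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real device key


def mac_with_size(key: bytes, image: bytes, length: int) -> bytes:
    """MAC over the first `length` bytes only (stand-in for AES_CMAC_with_f_and_size)."""
    return hmac.new(key, image[:length], hashlib.sha256).digest()


def make_record(key: bytes, image: bytes, length: int) -> dict:
    """Hypothetical metadata record: a covered length plus the MAC for that length."""
    return {"len": length, "mac": mac_with_size(key, image, length)}


def verify_as_described(key: bytes, image: bytes, record: dict) -> bool:
    """Trusts the stored length, so bytes past record['len'] are never checked."""
    expected = mac_with_size(key, image, record["len"])
    return hmac.compare_digest(expected, record["mac"])


def verify_full_coverage(key: bytes, image: bytes, record: dict) -> bool:
    """Hardened: the stored length must equal the image size before the MAC is compared."""
    if record["len"] != len(image):
        return False
    return verify_as_described(key, image, record)


def demo() -> dict:
    original = b"HEADER-16-BYTES!" + b"A" * 64  # constructed image with a 16-byte header
    modified = original[:16] + b"B" * 64        # same header, different body
    short = make_record(KEY, original, 0x10)
    full = make_record(KEY, original, len(original))
    return {
        "short_accepts_modified": verify_as_described(KEY, modified, short),
        "full_accepts_modified": verify_as_described(KEY, modified, full),
        "hardened_accepts_short": verify_full_coverage(KEY, original, short),
        "hardened_accepts_full": verify_full_coverage(KEY, original, full),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```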
Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 7:03 pm
by mirsev
wortex wrote:
well, sounds good, are you sure cmac calculation can be fooled with such a trick?
i missed cmac calculation algo and i don't understand for now how it really works
Please, take a look at this toolkit:
http://www.multiupload.com/MI03O2RSG6
Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 7:11 pm
by mirsev
If you do everything correctly (write only to inactive partition), rollback is just toggling partitions again.
Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 7:13 pm
by Denny
in case of rollback, by playing this issue
just execute:
/sbin/toggle
rename /mtd_rearea/Version.x before executing exeDSP
that if TV again start reboots and something went wrong u come back to unchanged partition by next boot.
what about this ?
Re: T-VALDEUC Flashing tool.
Posted: Tue May 17, 2011 7:16 pm
by Denny
wortex just make sure, /sbin/toggle has been executed correctly, as i have seen at me, 1st time always i get error in i2c, 2nd time it executes correctly.