SamyGO

Yes, mirsev, you`re right. But here is one limitations - does not work on lthe latest firmware, because TV does not accept the same firmware twice, just version higher.

juuso wrote:Yes, mirsev, you`re right. But here is one limitations - does not work on lthe latest firmware, because TV does not accept the same firmware twice, just version higher.

What is the problem to mark the modified firmware as higher version?

mirsev wrote:

card2000 wrote:

Code: Select all

Denny, yes, your way is good! But we need hack TV first to get telnet access. New 3009 firmwares do not allow make hotel mode hack.

i know what u mean, but dont worry about this , will be also posible to do by widget, just the one point that needs to be done, in code is litelbit fuzzy to reverse it complete but will be done!!!

look, if someone alredy update 3009 he even can not do anything with modified firmware coz he can not disable rsa check coz it is in exeDSP and we dont have private key, so no way except widget way and i am 1000% sure it can be done coz i have for cmk private rsa key! .
Denny

Hi, I don't understand, if you can decrypt and encrypt back firmware, why don't you just install telnetd, ftpd, and/or sshd and their startup scripts on the decrypted rootfs or mtd_exe, build new squashfs, rewrite hashes, encrypt firmware back and flash it by standard way? Is there problem do do that?

and what do you think about RSA firmware verify and DSA firmware verify functions whitch are still enabled in your current running exeDSP by doing standard way ?


Denny

mirsev wrote:What is the problem to mark the modified firmware as higher version?

Then ok. Could you explane how?

juuso , by manual way, there is no care whitch is actual active fw version, you just flash unused parition and swap to it.

i alredy swaped from 3005 to 3003 in TV... so no problem

Denny

You want to say, it works on TV
lol. Now i understand...

card2000 wrote:juuso , by manual way, there is no care whitch is actual active fw version, you just flash unused parition and swap to it.

i alredy swaped from 3005 to 3003 in TV... so no problem :)

How? Flashing your own modified encrypted firmware, so that TV accepted it as its native Samsung firmware? Or, by flashing partitions from inside TV, for which TV must be hacked?

i think, Denny made the same trick as with BD player - mounted partition as read write from inside of pre-hacked TV and changed it. For downgrading - tool for hash calculation and writing to right places is already done if i understand correctly

juuso u understand i well correct and it is not a trick, it just folow asm code reversed from exeDSP ,
and same is Samsung doing inside FW update routines except that they do more steps like rsa verify and dsa verfy and show you this in OSD and our tool will do all in Console , that is all magic .

mirsev now i am with plain files direct flashing like BD player , later on, tool should do all job (decrypt - mount- modify - flash).

so, again, GUI Flashing, or GUI Firmware upgrade , you can do only!!!! :
if you have signed crypted firmware or in alredy changed exeDSP the verify points are disabled, whitch is realy not need to do.

Denny

We need something... to patch firmware and avoid RSA checks. Is it possible somehow? By following SWU upgrade procedure on IDA (as you`ve made)? Now unhackable TV`s are still unhackable and as you know, T-VALDEUC 3009 is restricting HotelMode hack. Ideal case could be: virgin TV accepts our patched firmware and it opens the gates. We need work on this and the main question still remains open - how to avoid RSA check by patching firmware or by running some widget. Sorry if i`m repeating my self