LExxB650 T2P CI+ hacking

This forum is for information related to B series hardware rather than firmware/software.

arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: LExxB650 T2P CI+ hacking

Post by arris69 »

jeroenvoc wrote:...

Another thing: has someone any idea what the EDID directory is for in mtd_exe ??? encryption keys ???

Jeroen
Hi, EDID data is simply monitor capability information:


cat 1.ddc | xxd -r -p | monitor-parse-edid -
Name: SAMSUNG
EISA ID: SAM051b
Screen size: 88.0 cm x 50.0 cm (39.85 inches, aspect ratio 16/9 = 1.78)
Gamma: 2.2
Analog signal
Max video bandwidth: 150 MHz

        HorizSync 30-81
        VertRefresh 60-75

        # Monitor preferred modeline (60.0 Hz vsync, 67.5 kHz hsync, ratio 16/9, 55 dpi)
        ModeLine "1920x1080" 148.5 1920 2008 2052 2200 1080 1084 1089 1125 +hsync +vsync

        # Monitor preferred modeline (60.0 Hz vsync, 47.7 kHz hsync, ratio 16/9, 39 dpi)
        ModeLine "1360x768" 85.5 1360 1424 1536 1792 768 771 777 795 +hsync +vsync
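To make concrete what the monitor-parse-edid output above shows, here is an added Python example (not SamyGO code and not from the original post) that decodes the same fields from a raw 128-byte EDID base block. The bytes it parses are constructed in `build_sample_edid()` to reproduce the values in the post, since no dump of the TV's /mtd_exe/EDID files is on the page; field offsets follow the VESA EDID 1.3 layout, and `load_ddc_hex` stands in for `xxd -r -p`.

```python
import struct

EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"

def load_ddc_hex(text):
    """Equivalent of `xxd -r -p`: hex dump text (whitespace ignored) -> bytes."""
    return bytes.fromhex("".join(text.split()))

def decode_manufacturer(two_bytes):
    """Bytes 8-9: three 5-bit letters (1 = 'A'), big-endian, top bit unused."""
    v = struct.unpack(">H", two_bytes)[0]
    return "".join(chr(64 + ((v >> s) & 0x1F)) for s in (10, 5, 0))

def encode_dtd(clock_mhz, ha, hss, hse, ht, va, vss, vse, vt, w_mm, h_mm):
    """Build an 18-byte Detailed Timing Descriptor from X modeline numbers."""
    hb, hso, hsw = ht - ha, hss - ha, hse - hss      # blank, sync offset, sync width
    vb, vso, vsw = vt - va, vss - va, vse - vss
    d = struct.pack("<H", round(clock_mhz * 100))   # pixel clock in 10 kHz units
    return d + bytes([
        ha & 0xFF, hb & 0xFF, (ha >> 8) << 4 | (hb >> 8),
        va & 0xFF, vb & 0xFF, (va >> 8) << 4 | (vb >> 8),
        hso & 0xFF, hsw & 0xFF, (vso & 0xF) << 4 | (vsw & 0xF),
        (hso >> 8) << 6 | (hsw >> 8) << 4 | (vso >> 4) << 2 | (vsw >> 4),
        w_mm & 0xFF, h_mm & 0xFF, (w_mm >> 8) << 4 | (h_mm >> 8),
        0, 0,           # no borders
        0x1E])          # digital separate sync, +hsync, +vsync

def decode_dtd(d):
    """18-byte Detailed Timing Descriptor -> X ModeLine string."""
    clock = struct.unpack("<H", d[0:2])[0] / 100.0
    ha = d[2] | (d[4] >> 4) << 8
    hb = d[3] | (d[4] & 0xF) << 8
    va = d[5] | (d[7] >> 4) << 8
    vb = d[6] | (d[7] & 0xF) << 8
    hso = d[8] | (d[11] >> 6) << 8
    hsw = d[9] | ((d[11] >> 4) & 3) << 8
    vso = (d[10] >> 4) | ((d[11] >> 2) & 3) << 4
    vsw = (d[10] & 0xF) | (d[11] & 3) << 4
    pol = ("+hsync" if d[17] & 0x02 else "-hsync") + " " + ("+vsync" if d[17] & 0x04 else "-vsync")
    return 'ModeLine "%dx%d" %.1f %d %d %d %d %d %d %d %d %s' % (
        ha, va, clock, ha, ha + hso, ha + hso + hsw, ha + hb,
        va, va + vso, va + vso + vsw, va + vb, pol)

def parse_edid(e):
    """Decode the fields monitor-parse-edid prints from a 128-byte base block."""
    if len(e) < 128 or e[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(e[:128]) & 0xFF:                     # all 128 bytes must sum to 0 mod 256
        raise ValueError("EDID checksum mismatch")
    product = struct.unpack("<H", e[10:12])[0]
    info = {
        "manufacturer": decode_manufacturer(e[8:10]),
        "eisa_id": "%s%04x" % (decode_manufacturer(e[8:10]), product),
        "digital": bool(e[20] & 0x80),          # bit 7 clear = analog input
        "screen_cm": (e[21], e[22]),
        "gamma": (e[23] + 100) / 100.0,
        "modelines": [],
    }
    for off in range(54, 126, 18):              # four 18-byte descriptors
        d = e[off:off + 18]
        if d[:2] != b"\x00\x00":                # non-zero pixel clock: detailed timing
            info["modelines"].append(decode_dtd(d))
        elif d[3] == 0xFD:                      # monitor range limits
            info["vrefresh_hz"] = (d[5], d[6])
            info["hsync_khz"] = (d[7], d[8])
            info["max_clock_mhz"] = d[9] * 10
        elif d[3] == 0xFC:                      # monitor name, '\n'-terminated
            info["name"] = d[5:18].decode("ascii").split("\n")[0].strip()
    return info

def build_sample_edid():
    """Constructed EDID reproducing the values in the post (not a dump from a TV)."""
    e = bytearray(128)
    e[0:8] = EDID_HEADER
    e[8:10] = struct.pack(">H", (19 << 10) | (1 << 5) | 13)   # "SAM"
    e[10:12] = struct.pack("<H", 0x051B)                      # product code
    e[18], e[19] = 1, 3                                       # EDID 1.3
    e[20] = 0x0E                                              # analog signal
    e[21], e[22] = 88, 50                                     # screen size in cm
    e[23] = 220 - 100                                         # gamma 2.2
    e[54:72] = encode_dtd(148.5, 1920, 2008, 2052, 2200, 1080, 1084, 1089, 1125, 880, 500)
    e[72:90] = encode_dtd(85.5, 1360, 1424, 1536, 1792, 768, 771, 777, 795, 880, 500)
    e[90:108] = b"\x00\x00\x00\xfd\x00" + bytes([60, 75, 30, 81, 15]) + b"\x00\x0a" + b" " * 6
    e[108:126] = b"\x00\x00\x00\xfc\x00" + b"SAMSUNG\n" + b" " * 5
    e[127] = (-sum(e[:127])) & 0xFF                           # fix up checksum
    return bytes(e)

if __name__ == "__main__":
    for k, v in parse_edid(load_ddc_hex(build_sample_edid().hex())).items():
        print(k, v)
```

Against a real file the call is `parse_edid(load_ddc_hex(open("1.ddc").read()))`. The header and checksum checks are the quick way to tell monitor data from anything else: a file under that directory that fails both is not an EDID block, whatever its name.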
dynamic1969
SamyGO Admin
Posts: 62
Joined: Sun Oct 04, 2009 12:35 am

Re: LExxB650 T2P CI+ hacking

Post by dynamic1969 »

Hi robbiesz,

did you discover any information as to what authuld is checking these partitions against? (I assume there is some sort of checksum or fingerprint stored per partition somewhere?)
As during a normal FW upgrade only mtd_app and mtd_exe are updated, one could assume that the checksums / fingerprints are:
- either calculated on the file during the upgrade and then stored or
- already embedded in a file in the respective partition

Regards
dynamic
erdem_ua
SamyGO Admin
Posts: 3125
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Post by erdem_ua »

If the key is created during the update process, then we can alter the update process by uploading a modified exe.img file without the .sec extension.

I checked the root file (bml6) and found a little script in the /usr/sbin directory that updates the TV's firmware from exe.img directly!
So I think we don't need an encrypted file to update the partition.
At least, it's worth a try :)

And I saw some info in a script at bml7 rc.local. This file is highly related to the SW update process...

if [ "$usb_upgrade" = "true" ]; then
#	$BOOT_MOUNT/usb
#	CI+ could not run in emergency mode for hacking... Set will be shutdown
	echo "Wait time: 1-30 sec."
fi	# closing fi added here; the post quotes only this fragment of rc.local
Are they talking to us? :lol:
erdem_ua
SamyGO Admin
Posts: 3125
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Post by erdem_ua »

robbiesz wrote:Hi Jeroen

Communication between authuld and the kernel is binary... I haven't cracked the authuld->kernel direction, but the kernel only sends 4 bytes (only once) to authuld, which seem to be a simple number (unsigned int) from a timer interface..
The kernel will shut the set down if
- authuld does not respond within a predefined amount of time
- the message is corrupted or does not conform to the protocol..

On boot-up authuld has 5 minutes to authenticate all modules; by default the kernel has a 2 minute timeout value for the response from authuld..
All the crypto is done by the kernel..

robbiesz
I don't understand the word "modules". Do you mean kernel modules?
Does it check kernel modules + exeDSP only?
Are we sure that authuld checks files/modules instead of partitions?
If the answer is yes, checking every file on its own seems weird to me.
Implementing this would be possible in 2 ways:
1) Including a secret hash index of the files in authuld, or anywhere that authuld reads.
2) Hashes included in each kernel file, like a CRC.
The second approach is more difficult and could be problematic for Sammy to implement, as it needs every module modified by hand (or by a program).
Comparing the modules in the encrypted version and the normal version could make that hash rounder byte(s) visible.
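The two designs erdem_ua lists (a separate hash index that the checker reads, versus a hash carried inside each file) and the idea of diffing the checked and plain versions to locate the hash bytes, as an added Python example. This is hypothetical illustration code, not authuld's real scheme: the file names, contents and key are constructed, SHA-256 and HMAC are assumed for the digest, and the "digest appended as a trailer" layout is invented for the example.

```python
import hashlib
import hmac

TAG_LEN = 32   # SHA-256 digest length; assumed for this example

def digest(data):
    return hashlib.sha256(data).digest()

# (1) a separate hash index {file name: expected digest}, kept wherever the
#     checker reads it from (its own binary, a header, another partition)
def build_index(files):
    return {name: digest(data) for name, data in files.items()}

def check_against_index(files, index):
    """Names whose current digest does not match the stored one."""
    return sorted(name for name, data in files.items()
                  if index.get(name) != digest(data))

# (2) each file carries its own digest as a trailer (invented layout)
def add_trailer(data):
    return data + digest(data)

def check_trailer(blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, digest(body))

# keyed variant of (2): only a holder of the key can produce a valid tag
def add_keyed_trailer(data, key):
    return data + hmac.new(key, data, hashlib.sha256).digest()

def check_keyed_trailer(blob, key):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())

def differing_offsets(a, b):
    """Offsets at which two blobs differ, plus the extra bytes of the longer one.
    Diffing a plain file against its checked version shows where the tag sits."""
    n = min(len(a), len(b))
    return [i for i in range(n) if a[i] != b[i]] + list(range(n, max(len(a), len(b))))

if __name__ == "__main__":
    # constructed sample "partition contents", not real TV files
    files = {"exeDSP": b"\x7fELF constructed sample", "rc.local": b"#!/bin/sh\necho hi\n"}
    index = build_index(files)
    patched = dict(files, exeDSP=files["exeDSP"] + b"\x90")
    print("index: failing files after patch:", check_against_index(patched, index))
    checked = add_trailer(files["exeDSP"])
    print("trailer sits at offsets:", differing_offsets(files["exeDSP"], checked)[:3], "...")
    print("unkeyed trailer re-made by attacker verifies:", check_trailer(add_trailer(patched["exeDSP"])))
    key = b"constructed-secret"
    print("keyed trailer with wrong key verifies:",
          check_keyed_trailer(add_keyed_trailer(patched["exeDSP"], b"wrong"), key))
```

The unkeyed trailer in (2) only catches accidental corruption: whoever can rewrite the partition can recompute it, so a real check needs a key or a signing key that the writer does not hold, which is what the keyed variant shows. Design (1) has the same property unless the index itself is protected; an index stored in plain form next to the files it covers is just as rewritable.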
