I know. And the DirectSWUpgrade option did only work with an unmodified FW, but even that led to my TV using the second partition now. Thanks Samsung for implementing this feature.
Oh, and I found another debug menu with a new number code but I can't remember it now, will have a look at it tomorrow. It has some USB debug stuff like remount and dmesg to USB... Nothing special...
Access Linux Shell of TV on CI+ without "Game Menu"
- Posts: 54
- Joined: Sun Jan 10, 2010 3:22 pm
Re: Access Linux Shell of TV on CI+ without "Game Menu"
So, here is the new debug menu: 8282119
And here are the options:
Code:
====================================
[ DEBUG MENU ]
------------------------------------
1. ReMount Usb device
2. dmesg > printk.txt
3. Copy corefile to USB
====================================
99. Exit
====================================
First option will do the following:
Code:
...
umount /dtv/usb/$MOUNT_DIR
echo "umount /dtv/usb/$MOUNT_DIR"
mount -t vfat /dev/$MOUNT_DIR /dtv/usb/$MOUNT_DIR
echo "mount -t vfat /dev/$MOUNT_DIR /dtv/usb/$MOUNT_DIR"
Second option will do:
Code:
...
dmesg > /dtv/usb/$MOUNT_DIR/printk.txt
sync
cat /proc/kmsg > /dtv/usb/$MOUNT_DIR/kmsg.txt &
echo "dmesg > printk.txt"
sleep 2
sync
killall cat
sync
echo "sync"
And the last one:
Code:
if [ -e /dtv/core* ]; then
    cp /dtv/core* /dtv/usb/$MOUNT_DIR/core
    echo "cp /dtv/core* /dtv/usb/$MOUNT_DIR/core"
    sync
    echo "sync"
else
    echo "No Core_dump file"
    exit
fi
So nothing special here... I doubt we can get shell access on the TV over the Debug menus...
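A safer rewrite of the second and third menu actions, added here as an example and not taken from the TV firmware or the thread. It quotes every path, stops the kmsg reader by its own PID instead of `killall cat` (which kills every cat on the box), and matches core files with a loop instead of `[ -e /dtv/core* ]`, which breaks as soon as the glob expands to more than one file. USB_DIR and CORE_DIR are names chosen for this example; their defaults are the paths the thread shows.

```shell
#!/bin/sh
# Added example, not the TV firmware's script: a safer version of the
# "dmesg > printk.txt" and "Copy corefile to USB" actions quoted above.
# USB_DIR and CORE_DIR are names chosen for this example; the defaults are
# the paths the thread shows.
usb_dir="${USB_DIR:-/dtv/usb/sda1}"
core_dir="${CORE_DIR:-/dtv}"

# Save the kernel ring buffer plus two seconds of live /proc/kmsg output
# into directory $1. Returns 0 when printk.txt exists afterwards.
capture_kernel_log() {
    out="$1"
    dmesg > "$out/printk.txt" 2>/dev/null || : > "$out/printk.txt"
    if [ -r /proc/kmsg ]; then
        cat /proc/kmsg > "$out/kmsg.txt" &
        reader=$!                   # stop exactly this reader, nothing else
        sleep 2
        kill "$reader" 2>/dev/null || true
    fi
    sync
    [ -f "$out/printk.txt" ]
}

# Copy every core* file from $1 into $2. Prints how many were copied and
# returns 1 when there were none, so the caller can report that itself.
copy_core_files() {
    src="$1"; dst="$2"; n=0
    for f in "$src"/core*; do
        [ -f "$f" ] || continue     # unmatched glob stays literal: skip it
        cp "$f" "$dst/"
        n=$((n + 1))
    done
    sync
    echo "$n"
    [ "$n" -gt 0 ]
}

if [ "${1:-}" = "run" ]; then
    capture_kernel_log "$usb_dir" && echo "dmesg > printk.txt"
    copy_core_files "$core_dir" "$usb_dir" >/dev/null || echo "No Core_dump file"
fi
```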
- erdem_ua
- SamyGO Admin
- Posts: 3125
- Joined: Thu Oct 01, 2009 6:02 am
- Location: Istanbul, Turkey
Re: Access Linux Shell of TV on CI+ without "Game Menu"
Clapping.
Thanks petergray.
We need to wikify this also.
- Posts: 54
- Joined: Sun Jan 10, 2010 3:22 pm
Re: Access Linux Shell of TV on CI+ without "Game Menu"
Hello!
Thanks for finally getting shell access to work.
This led me into investigating the filesystem a bit. In another thread I read about flash dumping. See what I found:
Code:
# ./flash_dump.cmd
OUTFILE_NAME > dump
+---------------------------------------------------------------------+
| fdump : Low-level Partition Dump Tool for NAND Flash Memory |
+---------------------------------------------------------------------+
You will dump Chip
=^^ PARTITION INFO ^^=========================================================
Signature = XSRPARTI
nVer = 0x00011000
Num of part entry = 16
part(0) nID=0x00000000 n1stVbn=000 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(1) nID=0x00000001 n1stVbn=001 nNumOfBlks=004 Attr=BML_PI_ATTR_RW
part(2) nID=0x00000002 n1stVbn=005 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(3) nID=0x00000003 n1stVbn=006 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(4) nID=0x00000004 n1stVbn=007 nNumOfBlks=024 Attr=BML_PI_ATTR_RW
part(5) nID=0x00000005 n1stVbn=031 nNumOfBlks=032 Attr=BML_PI_ATTR_RW
part(6) nID=0x00000006 n1stVbn=063 nNumOfBlks=016 Attr=BML_PI_ATTR_RW
part(7) nID=0x00000008 n1stVbn=079 nNumOfBlks=135 Attr=BML_PI_ATTR_RW
part(8) nID=0x00000009 n1stVbn=214 nNumOfBlks=160 Attr=BML_PI_ATTR_RW
part(9) nID=0x0000000a n1stVbn=374 nNumOfBlks=135 Attr=BML_PI_ATTR_RW
part(10) nID=0x0000000b n1stVbn=509 nNumOfBlks=160 Attr=BML_PI_ATTR_RW
part(11) nID=0x0000000c n1stVbn=669 nNumOfBlks=104 Attr=BML_PI_ATTR_RW
part(12) nID=0x0000000d n1stVbn=773 nNumOfBlks=222 Attr=BML_PI_ATTR_RW
part(13) nID=0x0000000e n1stVbn=995 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(14) nID=0x0000000f n1stVbn=996 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(15) nID=0x00000010 n1stVbn=997 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
===============================================================================
=^^ MODEL INFO ^^========
Signature : XSRPARTI
Size of szModelName : 24
Model Name = hlve
Version of Mode = 0001
==========================
100%
All of the flash memory blocks have been dumped successfully.
xsr_otp_CIP /dev/bml0/c /dtv/usb/sda1/dump.otp
chmod 777 /dtv/usb/sda1/dump.otp
#
Seems like this dumps the whole NAND.
Now I have a file on my USB stick named dump.otp with a file size of 128MB. It seems encrypted, since the first 8 bytes are "XSRPARTI". The same signature is found in the dump log I posted above.
So I guess the line
Code:
xsr_otp_CIP /dev/bml0/c /dtv/usb/sda1/dump.otp
encrypts the dump. Maybe I can prevent the TV from encrypting, I'll have a look at the script tomorrow.
If anyone is interested in the dump, tell me where I should upload it.
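As an added example (not code from the thread or from the SamyGO project), here is a small analysis of the partition table fdump printed above: it parses the entries, checks that they tile the flash without gaps or overlaps, and computes how many blocks of the 128MB dump fall outside the listed partitions. The log text is copied from the post; the 128 KiB erase-block size is an assumption, and the header check only confirms the "XSRPARTI" signature the poster saw at offset 0, nothing about the rest of the file.

```python
# Added example, not code from the thread or the SamyGO project: parse the
# partition table fdump printed above, check that the entries tile the flash
# without gaps, and count the blocks of the 128 MB dump that no partition
# claims. FDUMP_LOG is copied from the post; the 128 KiB block size used in
# unmapped_blocks() is an assumption, not something the log states.
import re

FDUMP_LOG = """
part(0) nID=0x00000000 n1stVbn=000 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(1) nID=0x00000001 n1stVbn=001 nNumOfBlks=004 Attr=BML_PI_ATTR_RW
part(2) nID=0x00000002 n1stVbn=005 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(3) nID=0x00000003 n1stVbn=006 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(4) nID=0x00000004 n1stVbn=007 nNumOfBlks=024 Attr=BML_PI_ATTR_RW
part(5) nID=0x00000005 n1stVbn=031 nNumOfBlks=032 Attr=BML_PI_ATTR_RW
part(6) nID=0x00000006 n1stVbn=063 nNumOfBlks=016 Attr=BML_PI_ATTR_RW
part(7) nID=0x00000008 n1stVbn=079 nNumOfBlks=135 Attr=BML_PI_ATTR_RW
part(8) nID=0x00000009 n1stVbn=214 nNumOfBlks=160 Attr=BML_PI_ATTR_RW
part(9) nID=0x0000000a n1stVbn=374 nNumOfBlks=135 Attr=BML_PI_ATTR_RW
part(10) nID=0x0000000b n1stVbn=509 nNumOfBlks=160 Attr=BML_PI_ATTR_RW
part(11) nID=0x0000000c n1stVbn=669 nNumOfBlks=104 Attr=BML_PI_ATTR_RW
part(12) nID=0x0000000d n1stVbn=773 nNumOfBlks=222 Attr=BML_PI_ATTR_RW
part(13) nID=0x0000000e n1stVbn=995 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(14) nID=0x0000000f n1stVbn=996 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
part(15) nID=0x00000010 n1stVbn=997 nNumOfBlks=001 Attr=BML_PI_ATTR_RW
"""
PART_RE = re.compile(r"part\((\d+)\) nID=(0x[0-9a-f]+) n1stVbn=(\d+) nNumOfBlks=(\d+)")

def parse_partitions(log):
    """(index, nID, first block, block count) per entry, sorted by first block."""
    rows = [(int(i), int(pid, 16), int(vbn), int(n)) for i, pid, vbn, n in PART_RE.findall(log)]
    return sorted(rows, key=lambda r: r[2])

def check_layout(parts):
    """Gaps or overlaps between neighbouring entries; empty means a clean tiling."""
    return [f"part({i}) ends at block {vbn + n}, part({j}) starts at {nvbn}"
            for (i, _, vbn, n), (j, _, nvbn, _) in zip(parts, parts[1:]) if vbn + n != nvbn]

def total_blocks(parts):
    """First block not covered by any entry (entries are contiguous from 0)."""
    return parts[-1][2] + parts[-1][3]

def unmapped_blocks(dump_bytes, blk_size, parts):
    """Blocks the dump holds but no partition entry claims (spare/reserved area)."""
    return dump_bytes // blk_size - total_blocks(parts)

def has_xsr_header(blob):
    """True when the first 8 bytes are the XSRPARTI signature seen in dump.otp."""
    return blob[:8] == b"XSRPARTI"
```

With the assumed 128 KiB block, a 128 MiB dump holds 1024 blocks while the table covers 998, so 26 blocks sit outside every listed partition.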
- Official SamyGO Developer
- Posts: 37
- Joined: Tue May 04, 2010 10:43 am
Re: Access Linux Shell of TV on CI+ without "Game Menu"
Hi,
I think the way to find the offset is something like this:
grab the compiled kernel (from your TV)
disassemble it to find the char-checking procedure
look at the hex representation of the bne (branch if not equal) command
(branches if no allowed character is found in this loop's iteration)
dump the kernel's memory (not quite sure how to guess the lower and upper limit for that)
find the hex representation in memory (should be inverted when displayed via the debug menu)
overwrite the instruction with 00 00 00 00 (value 0), which should be "andeq r0, r0 and r0" (modifies register r0 but doesn't matter)
so now it won't branch and falls through to the "allowed character entered" code (sets r0 to 1 and returns if I remember correctly)
Am I correct in my assumption?
cu Cyberdemon