SamyGO

Hi is possible on c series tv to get access of uboot and boot the firmware from usb? with the exlink cable is possile to load a custom firmware and boot it?
or maybe load a decrypt fw to hidden partitions of the tv then activate the partition from shell and reboot the tv with that partitons with a different firmware.
I know that the c series tv as 2 partitions with firmware one is hidden and other is active...the tv boot the tv from active partitions right?
When i downgrade my tv i switch the active partitions from first to second partition and then the tv reboot with the fw versions that i choose maybe i think is possible to load one different sw image instead of a different version of the same sw image.

At C serie , it is posible by a way to patch kernel at the point where the task wait for authuld replay, after success patch authuld can be killed, after this point , in rootfs you may mount external usb (ext3/xfs) where you have alredy copy each dirs (exe, appext etc.).

in case of paritions 0/1, right, always switch between them at firmware upgrade, active parition is stored in micom eeprom.

This could also be a way to get T-VALDEUC running on T-VAL6DEUC Systems with 128M flash...

modifying the bootloader would be a nice way as aou could avoid complications through already running native OS, but there may also occur problems when external kernel was booted and still trys to access internal flash as we mostly will have to get the USB-OS as romdump from other models, cusom fw will be far away since very much sw in TV-OS is closed source and won't be easy to replace... otherwise we already would have a dvbapi ...

another point to grab it would be the instance that creates the block devices at boot time, if we could modify it to first look on USB for flash... but this would require a large amount of reverse engineering i guess...

next point could be mounting, perhaps there is some kind of config file which controls initial mounting of the flash partitions, perhaps the simpliest way, ...if we ignore the authuld thing...

so as Denny has proposed we'll have to do this at a later point of booting process...

i don't have enough linux experience to try it but maybe it could be possible to move over to an external OS via some kind of chrooting...?

beatfreak wrote:This could also be a way to get T-VALDEUC running on T-VAL6DEUC Systems with 128M flash...

modifying the bootloader would be a nice way as aou could avoid complications through already running native OS, but there may also occur problems when external kernel was booted and still trys to access internal flash as we mostly will have to get the USB-OS as romdump from other models, cusom fw will be far away since very much sw in TV-OS is closed source and won't be easy to replace... otherwise we already would have a dvbapi ...

another point to grab it would be the instance that creates the block devices at boot time, if we could modify it to first look on USB for flash... but this would require a large amount of reverse engineering i guess...

next point could be mounting, perhaps there is some kind of config file which controls initial mounting of the flash partitions, perhaps the simpliest way, ...if we ignore the authuld thing...

so as Denny has proposed we'll have to do this at a later point of booting process...

i don't have enough linux experience to try it but maybe it could be possible to move over to an external OS via some kind of chrooting...?

Interesting if you need one tester i'm here... maybe we can run android or puppy linux or othe native tv-os

Denny wrote:At C serie , it is posible by a way to patch kernel at the point where the task wait for authuld replay, after success patch authuld can be killed, after this point , in rootfs you may mount external usb (ext3/xfs) where you have alredy copy each dirs (exe, appext etc.).

in case of paritions 0/1, right, always switch between them at firmware upgrade, active parition is stored in micom eeprom.

Could you explain me how to do this how i can patch the fw to do this?

You have to disasm exeDSP on IDA, research asm code and make modifications you`ll find. This is called "reverse engineering".
When you have your patches, you have to replace patched exeDSP in exe.img image, calculate proper hashes and flash all to proper partitions or TV.

Or you can make native applications (widget with *.so files), where you could apply your patch - inject code in memmory.