[DEV] Full Shell Access (ES 5/6 series) [wanted]

Here for general support for E series TVs, request and problem solve area.

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

[DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Tue Nov 13, 2012 12:17 am

The following should be of interest to anyone on the ES 5/6 series. These devices are based on the MStar X10 (ARM) processor, and include the range
ES-5300 to ES-6800 and possibly others.

So I have been reading tons of often outdated information on these forums for the last week or so, but I still don't feel any smarter. I can easily get to TDM, after some helpful hints, and also get to the "VDLinux#> ", but there the happy music ends, since we're not allowed to enter any other characters than HEX. I've been playing around with settings and menus to the point of almost bricking my TV several times, driven by the belief that the Samsung service guys must have a hidden setting where they can get full shell access. Now, it's enough and I need some better help.

For reference, these have been the most helpful threads on this topic:

Access Linux Shell of TV on CI+ without "Game Menu" (B)
executing custom script on CI+ (B)
Roll back LExxB5xx, LExxB62x, UExxB6xxx (B)
Hacking TV over Hotel mode (most C series models) (C)
C series shell input filtration removal (C)
Got my D550 back. Came with T-MSV4AUSC. Rooted. (D)
exeDSP from SWU_T-ECPAKUC_001012_I03_ES000KS000RS000_120308 (E)

Review:

To enter the "VDLinux#" shell prompt:

First we have to enter the console unlock code and then the Top Debug Menu
(TDM) code, to get full debug access.

Code: Select all

1198282    <-- From kernel cmdline: "SELP_ENABLE=1198282" ( onboot.bin / u-boot.bin ).
20089999   <-- From the exeDSP binary inside the exe.img disk image.     
After having entered the first code, you should be able to see what you write,
since terminal echo (or loopback) will be turned on from now on.
Then, after you enter the last code, you will be presented with the TDM:

Code: Select all

[TOP Debug Menu]  
-->  (11) "TD Debug"  
-->  (20) "System Shell"

VDLinux#> 
This is the shell (sh) prompt. But due to some kernel filtering in the exeDSP,
we cannot enter anything else than capital hexadecimal characters, backspace,
space and newline: [0-9A-F \b\n]. This filtering is probably due to the config
defines in the VDLinux device driver n_tty.c, in the following code segments:

Code: Select all

...
#define MAX_ARRAY 19
int allow_char[] = { 
        48, 49, 50, 51, 52, 53, 54, 55, 56, 57  /* 0~9 */,
        65, 66, 67, 68, 69, 70                  /* A~F */,
        32                                      /*space*/,
        13                                      /*enter*/,
        8                                       /*backspace*/ 
};
...
#ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER
// additional checking 0~9, space, enter, backspace, SPTEAM 2010-02-07
check = i = 0;
while(i < MAX_ARRAY ) {
	if( allow_char[i] == c ) {
		check = 1;
		break;
	}
	i++;
}
if( !check ) return;
#endif
...
[/size]

This file can be found in the Kernel Sources of UExxES6xxx with this path (after extraction):

/UExxES6xxx/VDLinux_2.6.35.11/linux-2.6.35.11/drivers/char/n_tty.c

So after reading above, we find that one way to circumvent the HEX character limitation, is to try to manipulate the code above, after it has been compiled into machine code. The problem is then to find this code in memory and subsequently write the appropriate changes into that location. Thus it is obvious that different firmwares (and hardware) have different locations, making it difficult to find. In addition, there are a few other things to think about:
  • the memory writing abilities of the Debug Menu is very limited and sometimes not accessible (AFAIK), as TZ enabled processors can have memory protected.
  • the physical memory location might not be the same as the offest in the exeDSP file.
  • the machine code (assembly) for that function may depend on compiler used.
  • the machine code in memory depends on the endianess. (ARM == Dual Endian, but little by default, MIPS = big endian.)
  • searching huge chunks of memory is unfeasible, unless you are root and can dump the memory with dd , viewmem or lime.
What we need to do:
  • For each firmware release we need to fire up IDA and search for the code above and dump a minimally, but exclusive hex string, that can be used for an automatic memory search.
  • Compare actual running memory offset with file offset (if any).
  • Write the binary code into memory while running Debug Menu (if available).
At this point I'm not able to get any further without some guidance or assistance...
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

User avatar
juusso
SamyGO Moderator
Posts: 10100
Joined: Sun Mar 07, 2010 6:20 pm

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by juusso » Fri Nov 16, 2012 7:41 am

I think this may help you get shell and collect required info.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Fri Nov 30, 2012 2:36 am

Not sure that would help since:
mamaich wrote:... This is not a complete telnet daemon as we don't have devpts driver on TV. So do not try to execute interactive commands - you'll see their output, but would be unable to enter text...
Whatever that means...it doesn't sound very promising.

Why wouldn't he implement a full telnetd (or sshd) if we have root?
Would the serial debug console provide proper root shell access?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

User avatar
juusso
SamyGO Moderator
Posts: 10100
Joined: Sun Mar 07, 2010 6:20 pm

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by juusso » Fri Nov 30, 2012 8:23 am

why it doesn`t? Any root access, even limited is welcome, because then you can go further and execute your arbitrary code.
I won`t repeat myself here, but briefly - we can`t have full telnet/ssh because of limitations of kernel. devpts support is missing.
Also rootfs is read only (strongly) and here is no success to mount it as rw.
Yes, same situation on D series too, but if this sounds promising, we have successfully recompiled D series kernel with devpts and other stuff enabled. Also changing of rootfs is needed too. But here are some underwater stones: even if you compile everything properly, you have to keep in mind whole security system implemented by samsung. They check kernel`s hash and call it "secure boot".
Bootloader checks kernel, kernel checks rootfs`s hash or/and authuld`s hash, then authuld (after successfully mounted rootfs - sure if kernel found roofs is ok), checks all other read only partitions for its hashes. So you have to know how to calculate those hashes using some mkey, specific for each series and write those hashes to proper places, for example kernel`s hash is stored on kernels partition, auhulds hash is stored at the end of rootfs image, other hashes (appext, appdata, exe.img) have their hashes on so called key partitions.

Any changes on those ro partitions will change its hash. So after reflashing partition, you have to flash corrected hash at same tv session too, because after reboot you can simply get brick.

serial debug console is limited to hex imput only (A-Z, 0-9), so it is senseless. On B series we had some TDM option for memory read and memory write, so we could patch kernel in memory and enable such way unrestricted shell. In c/d (and e?) series this function is removed (hidden)? .

You should know too, that if you kill exeDSP, you`ll lose ability to enter top debug menu.

This is just a piece of info we know about modifying firmwares and your disappointing approach is not correct. When gates are open, even with some limitation, you can go further. Dont ask what can you do, just start researching from inside. :)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Mon Dec 03, 2012 4:38 am

juuso wrote:...Yes, same situation on D series too, but if this sounds promising, we have successfully recompiled D series kernel with devpts and other stuff enabled. Also changing of rootfs is needed too. But here are some underwater stones: even if you compile everything properly, you have to keep in mind whole security system implemented by samsung...
So let me verify, that I understood you right. You have already successfully compiled new (devpts) Kernel for D model??
If that is so, that is really great! Send me a link to where I can join the discussion for resolving other problems.. Cheers!
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Wed Dec 12, 2012 2:25 am

Since I didn't get any response, I went on trying to patch up the kernel ( uImage ) as also shown in some other threads. But so far I have not been able to properly identify where the assembly code (n_tty.c) is located in that kernel image. The problem is, that they have either changed the source-code or just simply obfuscated the assembly code, in a way so that it is no longer recognized as shown in other older posts. I have an idea about a location that could be related, but since I'm not sure what this code does, I don't know. Any help would be appreciated! This is what I have so far.

I have looked at uImage in both T-MST10PDEUC-1027.1 and 1029.0, and they are the same, which indicate that they are not always re-compiled for new FW updates.

EDIT: In this image I found the following, at file-offset 0x221900:

Code: Select all

< code removed since it was not correct >
However this code seem obfuscated (or something). I certainly don't understand what it does...

In addition there are two addresses (above) that keep on popping up throughout the rest of the code: 0xC030344C and 0xC03179CC. But I have no idea to what they refer to, as they are outside the scope of the code memory. Their address range seem to indicate some device memory area, but who knows.

BTW. If you need to read these addresses from shell, you need to add the RAM offset of where the kernel is. Not yet sure what it is for me...
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Mon Dec 17, 2012 8:04 pm

So from what I understand so far, the shell input limitation are "filtered" in at least two ways. Why do I say this? Because:

1. The HEX input limitation occurs in n_tty.c, where all other characters are ignored, however...
2. We know that there is another "filter" above/before (1), because apparently if you type "~~bye" it does react (by disabling character echo & input), even if you're only apparently able to enter [1-9A-F\n\ \t]. In what part of the code does this occur?

Logically, this would be the same code (in kernel) that handles the console unlock code as passed down from bootloader by SELP_ENABLE variable...but who knows!?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

User avatar
juusso
SamyGO Moderator
Posts: 10100
Joined: Sun Mar 07, 2010 6:20 pm

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by juusso » Mon Dec 17, 2012 8:38 pm

~~bye locks console and is opposite to code for console unlocking code 20102011 on e series arm devices...
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by E3V3A » Mon Dec 17, 2012 9:38 pm

juuso wrote:~~bye locks console and is opposite to code for console unlocking code 20102011 on e series arm devices...
Yes, but is it the same handler? And how does it check chars, when HEX locked?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

oga83
Posts: 268
Joined: Sun Mar 18, 2012 10:11 pm
Location: France

Re: [DEV] Full Shell Access (ES 5/6 series) [wanted]

Post by oga83 » Wed Dec 19, 2012 12:58 pm

E3V3A wrote:Yes, but is it the same handler? And how does it check chars, when HEX locked?
Yes it is. As HEX lock is done at the same place, there is no problem to check for non-hex chars.

Look for CONFIG_SERIAL_INPUT_DISABLE_STRING in n_tty.c
CONFIG_SERIAL_INPUT_DISABLE_STRING is defined as "~~bye" Echo.B_defconfig_release*

Post Reply

Return to “[E] Support”