E-Series Firmware downgrade with USB drive?

[E3V3A]

Would it not be more easy to downgrade with USB drive?
That way you'd also have better control of what version you downgrade to?

Like arris69 said:

... if someone really like to revert to an older version he can decrypt an older usb firmware with samygo patcher and flash it manually over netcat shell and mmc.restore.

Looking in the T-MST10PDEUC_1029.0, I see we have the upgrade and revert scripts already.

Code: Select all

auto_fdisk_emmc.sh
network_init.sh
partition_check.sh
rest_mount.sh
umount_partition.sh
** update.sh
** update_change_partition_flag.sh
usb_start.sh

** May need to be edited or merged into our own update script.

So if we have root, we could just execute our own script that does the same thing as these:

1. Download the firmware (FW) you wanna "downgrade" to.
2. Extract FW on your local PC.
3. Extract & decrypt FW images with SamyGO patcher script.
4. Put all on your USB drive and put in to your TV.
5. Get root shell.
6. Run our own "samygo_reflash.sh" script to flash the various FW images via "dd" etc...
7. Reboot.

These steps are just begging to be scripted.

Now this is all in theory. I have no idea if this would actually work or brick. I currently have no way of testing, as I don't have an extra development TV to "play" with... (The only thing that worries me, is the key.bin file that I can't find...) Any comments?

[juusso]

This "update" script (as all such kind scripts on any of previous series) do everything right except one: no hash calculating and if not patched kernel used - after rebot you get some urgent reboots (=almost brick if no initial root access).

If we use custom kernel where hash checking is patched out, then yes.

[E3V3A]

^^ So it's OK then? Because we're not patching anything, just reverting entire firmware to lower version. Which I assumed this thread was for?

[juusso]

NOT OK. Reverting entire firmware doesn`t touch hash partitions. I mean we need re-flash hashes as well (could be pre-calculated...).

[E3V3A]

NOT OK. Reverting entire firmware doesn`t touch hash partitions. I mean we need re-flash hashes as well (could be pre-calculated...).

Which ones are the "hash partitions"?
I don't see why we need to re-flash hashes, if we're downgrading with Samsung official FW?

[juusso]

From /mtd_exe/partition.txt:

Code: Select all

7	/dev/mmcblk0p7	8192	sign0.bin	MLC	NONE	SECUREMAC0	NONE	1048576	NONE	NONE
8	/dev/mmcblk0p8	8192	sign1.bin	MLC	NONE	SECUREMAC1	NONE	1048576	NONE	NONE

also from update.sh:

Code: Select all

export SECUREMAC1=/dev/mmcblk0p8
export SECUREMAC2=/dev/mmcblk0p9

Those are hash/signature partitions. Hashes(or cmacs...) are stored there for both (actual and alternative) partition sets. Doesn`t matter you flash original or not firmware by hand/by script, you have to be sure hashes on these partitions match. Script doesnt update hashes, normally firmware upgrade files doesn`t contain sign.bin, this job is done by exeDSP.

To don`t brick, sign0/sign1.bin must be prepared on PC for each firmware version you`re going to flash by script, and flashed by script. Moreover, code exists there already:

Code: Select all

if [ -e  $MDIR/$directory/sign0.bin ] && [ "$partition" = "1" ]
then
        echo "START update sign0.bin"
        echo "update 1st partition"
        dd if=$MDIR/$directory/sign0.bin of=${SECUREMAC0} 2> /dev/null

        if [ $? != 0 ]
        then
                echo "Partition erase"
                dd if=$MDIR/$directory/sign0.bin of=${SECUREMAC0} 2> /dev/null
        fi

        sync
        echo "END update sign0.bin"

elif [ -e  $MDIR/$directory/sign1.bin ] && [ "$partition" = "2" ]
then
        echo "START update sign1.bin"
        echo "update 2nd partition"
        dd if=$MDIR/$directory/sign1.bin of=${SECUREMAC1} 2> /dev/null

        if [ $? != 0 ]
        then
                echo "Partition erase"
                dd if=$MDIR/$directory/sign1.bin of=${SECUREMAC1} 2> /dev/null
        fi

        sync
        echo "END update sign1.bin"
else
        echo "sign0.bin or sign1.bin is not found"
fi

I just want to make your attention that flashing just exe.img/apptata.img is not enough. signx.bin are very important for success.
If you gona to reflash kernel, you have to add hash/signature to kernel`s image. If you gona to change rootfs, you have to add authuld`s hash to the end of rootfs.img and hash of rootfs to signx.bin at correct address.

How to calculate required hashes is another question.

[arris69]

Would it not be more easy to downgrade with USB drive?
That way you'd also have better control of what version you downgrade to?

Like arris69 said:

... if someone really like to revert to an older version he can decrypt an older usb firmware with samygo patcher and flash it manually over netcat shell and mmc.restore.

...

ok to be more precise
you can easy downgrade to your prev. firmware (from samygo-patched firmware !!!! for ECPDEUC !!!!) you need to restore the exe.img from usb firmware and tell the tv to switch partitions (toggle, partitionflags etc...). but just if you have an original on the second partitions.

for full version from usb you need this signature stuff too...

[dajojo]

i have options in menu :
upgrade alternative firmware.. greyed out
remote managment.. for helpdesk purposes.. this gives me a code and opens something on the tv.

dont think its wise idea to downgrade original firmware as somewhere in the line samsung implemented a new function to make the upgrade process saver.

downgrade option from modified ecpdeuc to original .. u tried ? it seems to me it get overwritten at succesfull boot the 2nd partition with new sign1.bin.

[arris69]

i have options in menu :
upgrade alternative firmware.. greyed out
remote managment.. for helpdesk purposes.. this gives me a code and opens something on the tv.

its old dead fisch, it was also present on d-series...

dont think its wise idea to downgrade original firmware as somewhere in the line samsung implemented a new function to make the upgrade process saver.

downgrade option from modified ecpdeuc to original .. u tried ?

no, then i not checked that is some new version online from samsung or not.

it seems to me it get overwritten at succesfull boot the 2nd partition with new sign1.bin.

not checked just guessed -> if you install encrypted firmware (original one via usb or anyone over OTN) the flash routine rewrites the SECUREMACx partitions. so you need the signx.bin files if you
install unencrypted firmware images (probably samsung devs playing around this way...)

[dajojo]

so to elaborate.. USB encrypted firmware with userkeys will be unpacked by flashroutine and then flashed and get signx.bin put in ?
USB unencrypted firmware without keys get stuck in flashroutine as no keys found or get passed by and flashed and get no signx.bin
so the thing is to get the firmware on eMMC and calculate keys for signx.bin and put this there also and it will work
first firmware bin0 can be upgraded over the air and halfway pull plug so it crashes and auto swaps from boot to firmware bin1 .. since one of latest official firmwares this is no more brick issue as they improved failure catching.