Defeating authuld protection on CI+ devices


mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: Defeating authuld protection on CI+ devices

Post by mirsev »

Try this version: http://www.multiupload.com/MI03O2RSG6

First run chkhash without any options: it will show the possible options.

Example of running chkhash with the -L option:

Code:

./chkhash -k 2b7e151628aed2a6abf7158809cf4f3c -L 0x0000 5 BSP-C6900WWB-1021.2.dir/part_09.cmac.bin BSP-C6900WWB-1021.2.dir/*
hash[ 0] = ecb6ae326156eef9bfbffd1b77b378d8   length = 41054208  :  BSP-C6900WWB-1021.2.dir/part_01.exe.img
hash[ 1] = 5fc772558c80567e9474a58855c7982b   length = 37826560  :  BSP-C6900WWB-1021.2.dir/part_04.appdata.img
hash[ 2] = 60a8d999f3b6da20c58a3eb2056d43d6   length =  3104328  :  BSP-C6900WWB-1021.2.dir/part_02.Image
hash[ 3] = 59326c34975e53f92eedc2388c6a288f   length =  4190228  :  BSP-C6900WWB-1021.2.dir/part_03.rootfs.img
hash[ 4] = 7bca4cf5f259475adac2c57965d7d6f1   length =   123510  :  BSP-C6900WWB-1021.2.dir/part_06.onboot

Here the options are: -k mkey -L offset_in_hash_file number_of_hashes hash_file files_to_check

In your case
mkey = 7CED26D8CA2FA0F80BC637E2FF07EC46
offset = 0x1000
hash_file = bml0/3

So, the command could be like:

Code:

./chkhash -k 7CED26D8CA2FA0F80BC637E2FF07EC46 -L 0x1000 8 bml0/3 *

Instead of '*' you can list all files in the directory.
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Defeating authuld protection on CI+ devices

Post by juusso »

It's the same one I'm already using, but thanks anyway ;)
My mistake was a wrong command. Now it worked fine:

Code:

./chkhash -k 7CED26D8CA2FA0F80BC637E2FF07EC46 -L 0x1000 8 bml0_3_dump *
hash[ 0] = 267a0ef76ff0e49f791bc57454102ed9   length =  3095776  :  bml0_5_dump
hash[ 1] = 72abf209a8ead4bce54b24a87b1df6bb   length =   270812  :  bml0_2_dump
hash[ 2] = 62419296d04c2fb11700810fb57847ca   length =   178868  :  bml0_4_dump
hash[ 3] = 3d8a03f31cf0b81530a14bf742d84dfa   length =    38328  :  authuld
hash[ 4] = c0d5c54bbf04e528ef3bc84a5b75aa07   length =  3346432  :  bml0_6_dump
hash[ 5] = b05ab07100328411e2f7fe45a483fe5e   length =   909312  :  bml0_7_dump

So what about my question about one more string on bml18? chkhash hasn't found any other hashes:

Code:

./chkhash -k 7CED26D8CA2FA0F80BC637E2FF07EC46 -L 0 8 bml18.dmp *
hash[ 0] = cc33983c70ee40d60357ae9f176e6cf6   length = 54267904  :  bml0_8_dump
hash[ 1] = f3e08e2d699ac276ce0708713a9a0b2d   length = 30003200  :  bml0_9_dump

Sure, if I am missing here the file whose hash is written, then chkhash does not find it...

Code:

./chkhash -k 7CED26D8CA2FA0F80BC637E2FF07EC46 -L 0 8 bml19.dmp *
hash[ 0] = d960b582b2ad80eb3203c6bc23735bca   length = 54587392  :  bml0_10_dump
hash[ 1] = 077cb33241eccdb1ddf040fdf421829d   length = 30068736  :  bml0_11_dump

This just confirmed that cyberdemon79 was initially right about the structure of bml3 and macpartitions.

So the question is still open. Users with B series CI+ TVs, please, dumps are needed :)
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
mirsev
Posts: 48
Joined: Tue Apr 05, 2011 7:58 pm

Re: Defeating authuld protection on CI+ devices

Post by mirsev »

The program stops reading the hash-block file if the next hash is invalid with zero file length.
Try this:

Code:

./chkhash -k 7CED26D8CA2FA0F80BC637E2FF07EC46 -L 0x258 8 bml18.dmp *
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Defeating authuld protection on CI+ devices

Post by juusso »

ok people,

we successfully flashed UE40B7000WPXXN with FW 3001.1 and got fully operating T-CHUCIPDEUC-3000.0.

I'll add CI+ support to FFB 0.6 soon. Actually, flashing the CI+ device was done with a test version of FFB CIP.

Who could provide a patched kernel for tests? (enable full shell input, probably other important patches).
Cyberdemon's tool needs to be modified by adding a function that writes the re-calculated hashes to the required partitions. Who could do that?

Thanks ;)
DEvil0000
Posts: 15
Joined: Tue Feb 14, 2012 2:35 pm

Re: Defeating authuld protection on CI+ devices

Post by DEvil0000 »

LE46B750U1P -> CI+

Code:

# ./calchash
str_hash 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
AES_CMAC 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
mkey    7c ed 26 d8 ca 2f a0 f8 0b c6 37 e2 ff 07 ec 46
detected a flashtype of 1000
using 2nd partition for mtd_exe and mtd_appdata
kernel  26 7a 0e f7 6f f0 e4 9f 79 1b c5 74 54 10 2e d9
        26 7a 0e f7 6f f0 e4 9f 79 1b c5 74 54 10 2e d9         matches
uboot   72 ab f2 09 a8 ea d4 bc e5 4b 24 a8 7b 1d f6 bb
        72 ab f2 09 a8 ea d4 bc e5 4b 24 a8 7b 1d f6 bb         matches
fnw     62 41 92 96 d0 4c 2f b1 17 00 81 0f b5 78 47 ca
        62 41 92 96 d0 4c 2f b1 17 00 81 0f b5 78 47 ca         matches
authuld 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
        3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa         matches
root    03 16 53 43 b4 50 8d fc 20 57 c4 a2 cc 3d 15 f8
        03 16 53 43 b4 50 8d fc 20 57 c4 a2 cc 3d 15 f8         matches
boot    99 94 2c 0f d7 e1 3a ec eb 57 a2 13 82 be b3 c8
        99 94 2c 0f d7 e1 3a ec eb 57 a2 13 82 be b3 c8         matches
mtd_exe 61 81 35 30 3b ef 50 26 62 93 9d cb de 92 21 2c
        61 81 35 30 3b ef 50 26 62 93 9d cb de 92 21 2c         matches
mtd_app be 65 a8 67 1b 7a 61 77 b7 57 aa 0b 14 9d a2 89
        be 65 a8 67 1b 7a 61 77 b7 57 aa 0b 14 9d a2 89         matches
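
The 16-byte values in the chkhash and calchash listings above are labelled AES_CMAC in the calchash output. As an added example (not part of any post in this thread and not code from either tool), the following computes AES-128-CMAC per RFC 4493 and searches a hash-block dump for each file's tag. The names `aes_cmac` and `match_files`, and the assumption that tags are stored as raw 16-byte values, are illustrative.

```python
# Added example, not from the thread. Assumes tags are stored as raw 16-byte values.
def _xt(a):                                    # multiply by x in GF(2^8)
    return (a << 1) ^ 0x11B if a & 0x80 else a << 1
def _sbox():                                   # S-box = affine map of 1/p
    s, p, q = [0x63] * 256, 1, 1
    for _ in range(255):
        p ^= _xt(p)                            # p = 3 * p
        q ^= q << 1; q ^= q << 2; q ^= q << 4  # q = q / 3, keeping q == 1/p
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        x = q | q << 8                         # so >> acts as an 8-bit rotate
        s[p] = (x ^ x >> 4 ^ x >> 5 ^ x >> 6 ^ x >> 7) & 0xFF ^ 0x63
    return s
SBOX = _sbox()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round_keys(key):                          # AES-128 key schedule
    w, rc = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                        # RotWord, SubWord, Rcon
            t, rc = [SBOX[t[1]] ^ rc, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], _xt(rc)
        w += [a ^ b for a, b in zip(w[i - 16:i - 12], t)]
    return [bytes(w[r:r + 16]) for r in range(0, 176, 16)]
def _encrypt(rk, blk):
    s = _xor(blk, rk[0])
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes+ShiftRows
        if r < 10:                                                # MixColumns
            s = [s[c + i] ^ s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3]
                 ^ _xt(s[c + i] ^ s[c + (i + 1) % 4]) for c in (0, 4, 8, 12) for i in range(4)]
        s = _xor(s, rk[r])
    return s

def _dbl(b):                                   # subkey doubling in GF(2^128)
    n = int.from_bytes(b, "big") << 1
    return (n ^ 0x87 if n >> 128 else n).to_bytes(17, "big")[1:]
def aes_cmac(key, msg):
    rk = _round_keys(key)
    k1 = _dbl(_encrypt(rk, bytes(16)))
    full = bool(msg) and len(msg) % 16 == 0    # complete last block: K1, no padding
    msg = msg if full else msg + b"\x80" + bytes(15 - len(msg) % 16)
    tail = _xor(msg[-16:], k1 if full else _dbl(k1))
    x = bytes(16)
    for i in range(0, len(msg) - 16, 16):
        x = _encrypt(rk, _xor(x, msg[i:i + 16]))
    return _encrypt(rk, _xor(x, tail))

def match_files(hash_block, key, files):       # offset of each file's tag, or -1
    return {name: hash_block.find(aes_cmac(key, data)) for name, data in files.items()}
```

The pure-Python AES keeps the example free of dependencies and is slow on multi-megabyte dumps; a vetted library's CMAC yields the same tags. A result of -1 means the file's tag is not present in the dump, which is what a modified image produces.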
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Defeating authuld protection on CI+ devices

Post by juusso »

erdem_ua wrote: Do we have the BML3 structure on the wiki? I feel the absence of a Defeating Authuld wiki page :)
Yes, mate, from now on we do! Just think no one needs this... :shock:
maxkostuk wrote: LE37B550A5PXZG CHL5CIPDEUC_2004 (CI+) => mtd_exe and mtd_app don't match :cry:

Code:

# ./calchash
str_hash 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
AES_CMAC 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
mkey    7c ed 26 d8 ca 2f a0 f8 0b c6 37 e2 ff 07 ec 46
detected a flashtype of 128
using 1st partition for mtd_exe and mtd_appdata
kernel  ce 63 ba 14 d4 b8 fa d5 65 5e 71 e3 5f 6f 66 62
        ce 63 ba 14 d4 b8 fa d5 65 5e 71 e3 5f 6f 66 62         matches
uboot   76 f0 7d 82 94 6d e1 32 af 94 e9 1a cf ad 85 bb
        76 f0 7d 82 94 6d e1 32 af 94 e9 1a cf ad 85 bb         matches
fnw     e1 45 a7 3c 99 e8 c6 ea 8e 10 92 a1 20 6f ea 40
        e1 45 a7 3c 99 e8 c6 ea 8e 10 92 a1 20 6f ea 40         matches
authuld 3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa
        3d 8a 03 f3 1c f0 b8 15 30 a1 4b f7 42 d8 4d fa         matches
root    2d 7d 5d d0 af e2 c2 8d 90 b3 75 35 72 34 95 4e
        2d 7d 5d d0 af e2 c2 8d 90 b3 75 35 72 34 95 4e         matches
boot    58 83 d6 e8 4a df 27 28 08 f8 30 df f4 3b 2a 00
        58 83 d6 e8 4a df 27 28 08 f8 30 df f4 3b 2a 00         matches
mtd_exe 0c 26 f6 d7 fe 40 4a e1 6c 81 1f 0f 85 c1 58 e5
        02 0c 7b da 5b cb 10 50 b8 75 e4 42 c2 1c 4f 2d doesn't match
mtd_app ae 35 13 44 db dc 27 dc 9d 70 01 72 2b 9d c3 09
        d8 8d f1 b4 7b 95 a0 ee 8c 9d 96 c5 d9 0f 35 64 doesn't match

Really old post, but I think I have an idea why it doesn't match and the TV is still OK. Authuld is checking abnormally and uses the wrong strmackey partition. In your case it should use the 2nd partition... Sad, we couldn't confirm or reject this idea :?
efyzz
Posts: 6
Joined: Tue Mar 12, 2013 9:41 am

Re: Defeating authuld protection on CI+ devices

Post by efyzz »

Hi,

does anyone still work on this?
Any progress?
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Defeating authuld protection on CI+ devices

Post by juusso »

No active work, but what exactly is needed? Almost everything related to authuld is known.
efyzz
Posts: 6
Joined: Tue Mar 12, 2013 9:41 am

Re: Defeating authuld protection on CI+ devices

Post by efyzz »

Hi juusso,

as I read the thread I thought the work was done. But it's too hard for me to understand the details. :roll:

So what I need is a step-by-step tutorial for dummies 8-)

Perhaps I have to explain what my target is:
I want to get a USB WiFi stick (HAMA) to work on my LE40B550 (CI+). There is a tutorial to compile a new kernel for WiFi support on B-series (thanks for that great work!). But then this kernel will not work on my CI+ device because of authuld protection, as far as I understand. So what exactly do I have to do to get a self-compiled kernel to work on my device?

Thanks for any advice!
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: Defeating authuld protection on CI+ devices

Post by juusso »

There are many more problems on B series CI+ TVs than just defeating authuld. For this goal you only need to pre-calculate the hash of your new kernel and write the modified bml3 to the TV in the same TV session as the kernel reflash.

As you don't have u-boot access on this TV, you have only one try. If your kernel is compiled wrongly or you make a mistake while flashing it, you have no chance to repair it. So before you start, think three times about what to do if it is bricked. Maybe you need some extra patches for the kernel to get a chance to repair it?

One of the users made a two-in-one kernel, combining uboot and kernel in the same partition on his B550, but this generates other problems...