Today I'd like to share how to modify exe.img within /mtd_exe of the active partition (the 2nd one in this example) without the need of any PC tools except an SSH/telnet client.
Be warned that I tested this on my C7700 (T-VALDEUC 3011.0) only.
I highly recommend having the other partition (the 1st one in this example) working beforehand, so that you have a fallback solution! (although it is not strictly needed)
Do not turn off the TV between flashing exe.img and the hash partition!
Requirements:
already hacked/rooted TV
access to the TV's filesystem via SSH/telnet (e.g. PuTTY as client)
USB memory or a working FTP connection to the PC
getmkey, download here: http://wiki.samygo.tv/index.php5/Hashes (a precompiled binary is contained in chkhash-0.2.zip)
chkhash, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54217
optional: chkhash for windows, download here: https://forum.samygo.tv/viewtopic.php?f ... =50#p54306
Some theory:
As with some other partitions, /mtd_exe's hash is checked by a process called 'authuld' against a hash stored in another partition. Modifying /mtd_exe's content implies correcting its hash. Not doing so within the same TV session will cause authuld to shut down the TV after about 45 seconds.
/mtd_exe contains exe.img. As exe.img is smaller than /mtd_exe, the bytes behind exe.img are typically set to 0xFF during flashing. Within exe.img there are also some unused bytes (in this case set to zero); in my case about 500 kB.
Here we go
0) Preparation
copy getmkey to /mtd_rwarea/getmkey
copy chkhash to /mtd_rwarea/chkhash
cd /mtd_rwarea/
./getmkey
# ./getmkey
opening /dev/mem ok!
No key was supplied from a command line.
Using mackey from /dev/tfsr11
Input key = 66d77c3a497f53e2515ef14c21d6a4d8
After waiting 2 loops
mkey = 6f6bc7e1fc7f86bf9c150a82f343e2e0
1) Run two commands
df
cat /mtd_exe/partition.txt
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/tbml8 3456 3456 0 100% /
none 10240 1668 8572 16% /dtv
none 10240 0 10240 0% /dsm
none 235556 0 235556 0% /core
none 10240 0 10240 0% /tmp
/dev/stl0/14 25478 6616 18862 26% /mtd_rwarea
/dev/stl0/19 51072 51072 0 100% /mtd_rocommon
/dev/stl0/17 91080 87336 3744 96% /mtd_exe
/dev/stl0/18 40832 40832 0 100% /mtd_appdata
/dev/stl0/13 10942 1339 9603 12% /mtd_contents
/dev/stl0/20 102368 47600 54768 46% /mtd_swu
/dev/stl0/21 401712 212520 189192 53% /mtd_rwcommon
/dev/sdb 1974784 38692 1936092 2% /dtv/usb/sdb
/dev/sda1 503892 171316 332576 34% /dtv/usb/sda1
/dev/stl0/14 25478 6616 18862 26% /etc/passwd
/dev/stl0/14 25478 6616 18862 26% /etc/profile
/dev/sdc 482 0 482 0% /dtv/usb/sdc
# cat /mtd_exe/partition.txt
partitionID flash_device_name flash_device_size flash_image_name flash_device_type flash_upgrade_type flash_partition_map flash_mount_path default_block_size flash_format_option flash_mount_option
0 /dev/bml0/1 262144 onboot.bin DEVICE OTHER BOOTLOADER0 NONE 262144 NONE NONE
1 /dev/bml0/2 262144 u-boot.bin BML OTHER BOOTLOADER1 NONE 262144 NONE NONE
2 /dev/bml0/3 262144 uboot_env.bin BML OTHER BOOTLOADER2 NONE 262144 NONE NONE
3 /dev/bml0/4 262144 fnw.bin BML OTHER BOOTLOADER3 NONE 262144 NONE NONE
4 /dev/bml0/5 4194304 Image BML USER KERNEL0 NONE 262144 NONE NONE
5 /dev/bml0/6 3670016 rootfs.img BML USER RFS0 NONE 262144 NONE NONE
6 /dev/bml0/7 4194304 Image BML USER KERNEL1 NONE 262144 NONE NONE
7 /dev/bml0/8 3670016 rootfs.img BML USER RFS1 NONE 262144 NONE NONE
8 /dev/bml0/9 262144 NONE BML OTHER SECUREMAC0 NONE 262144 NONE NONE
9 /dev/bml0/10 262144 NONE BML OTHER SECUREMAC1 NONE 262144 NONE NONE
10 /dev/bml0/11 262144 key.bin BML OTHER SECUREMAC2 NONE 262144 NONE NONE
11 /dev/bml0/12 262144 NONE BML OTHER NONE NONE 262144 NONE NONE
12 /dev/stl0/13 11272192 NONE STL OTHER NONE /mtd_contents 4096 ERASE:,STL:-r_7,FAT:-S_1024_-s_1 -t_rfs_-o_codepage=utf8
13 /dev/stl0/14 26214400 NONE STL OTHER NONE /mtd_rwarea 4096 ERASE:,STL:-r_7,FAT:-S_1024_-s_1 -t_rfs_-o_codepage=utf8
14 /dev/stl0/15 93323264 exe.img STL USER EXE0 /mtd_exe 4096 ERASE:,STL:-r_2 NONE
15 /dev/stl0/16 58195968 appdata.img STL USER APP_DATA0 /mtd_appdata 4096 ERASE:,STL:-r_2 NONE
16 /dev/stl0/17 93323264 exe.img STL USER EXE1 /mtd_exe 4096 ERASE:,STL:-r_2 NONE
17 /dev/stl0/18 58195968 appdata.img STL USER APP_DATA1 /mtd_appdata 4096 ERASE:,STL:-r_2 NONE
18 /dev/stl0/19 52953088 rocommon.img STL OTHER CONTENT0 /mtd_rocommon 4096 ERASE:,STL:-r_2 NONE
19 /dev/stl0/20 104857600 NONE STL OTHER NONE /mtd_swu 4096 ERASE:,STL:-r_16,FAT:-S_4096_-s_4 -t_rfs
20 /dev/stl0/21 411566080 NONE STL OTHER NONE /mtd_rwcommon 4096 FAT:-S_4096_-s_1 -t_rfs_-o_codepage=utf8
Reading the output of partition.txt you can see that there are two exe.img partitions, named 'EXE0' and 'EXE1', and their corresponding hash partitions 'SECUREMAC0' and 'SECUREMAC1'.
The active exe.img is shown in df's output (here /dev/stl0/17, named 'EXE1'), so the corresponding hash partition is 'SECUREMAC1', which belongs to /dev/bml0/10.
3) Now figure out a partition with enough space to store the image of exe.img
In df's output you can see that the size of the /mtd_exe partition (here /dev/stl0/17) is 91080 1k blocks. Potential storage partitions are /mtd_rwarea and /mtd_rwcommon. /mtd_rwcommon has 189192 1k blocks available, roughly double the size of /mtd_exe, so we will go on with /mtd_rwcommon.
4) Backup exe.img's hash partition
cat /dev/bml0/10 > /mtd_rwcommon/bml10.dmp
5) Get exe.img size within /mtd_exe
./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
'0': no offset within the given file (start reading hashes at byte 0)
'4': print the first 4 hashes found in the given file
# ./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
hash[ 0] = d5a3d3f345838c49700cceb71fd1078d length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200 length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6 length = 3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571 length = 3665940
Its size (hash[ 0]) is 89485312 bytes in this example.
6) Backup current exe.img
To back up exe.img from the partition you can run the following (count=43694 blocks of bs=2K is exactly the 89485312 bytes found in step 5):
dd if=/dev/stl0/17 bs=2K count=43694 of=/mtd_rwcommon/exe.img.dmp
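As an added example (not part of the original post, and not a chkhash or SamyGO tool), the following Python script, run on the PC against copies of the outputs shown above, automates the mapping from the active /mtd_exe device to its SECUREMAC partition and derives the dd count from the length reported by chkhash; the sample inputs are constructed from the df, partition.txt and chkhash output in this post.

```python
# Added example (not from the original post): maps the active /mtd_exe device
# to its SECUREMAC hash partition and derives the dd block count for the dump.
# Inputs are constructed from the df, partition.txt and chkhash output above.
import re

PARTITION_TXT = """\
partitionID flash_device_name flash_device_size flash_image_name flash_device_type flash_upgrade_type flash_partition_map flash_mount_path default_block_size flash_format_option flash_mount_option
8 /dev/bml0/9 262144 NONE BML OTHER SECUREMAC0 NONE 262144 NONE NONE
9 /dev/bml0/10 262144 NONE BML OTHER SECUREMAC1 NONE 262144 NONE NONE
14 /dev/stl0/15 93323264 exe.img STL USER EXE0 /mtd_exe 4096 ERASE:,STL:-r_2 NONE
16 /dev/stl0/17 93323264 exe.img STL USER EXE1 /mtd_exe 4096 ERASE:,STL:-r_2 NONE
"""
DF_LINE = "/dev/stl0/17 91080 87336 3744 96% /mtd_exe"
CHKHASH_P = "hash[ 0] = d5a3d3f345838c49700cceb71fd1078d length = 89485312"

def parse_partition_map(text):
    """Return {flash_partition_map: (device, size_bytes)} from partition.txt."""
    rows = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 7:
            rows[f[6]] = (f[1], int(f[2]))
    return rows

def active_exe_and_securemac(partition_txt, df_line):
    """Find which EXEn is mounted on /mtd_exe and the matching SECUREMACn device."""
    device = df_line.split()[0]
    pmap = parse_partition_map(partition_txt)
    exe_name = next(n for n, (dev, _) in pmap.items()
                    if n.startswith("EXE") and dev == device)
    mac_name = "SECUREMAC" + exe_name[len("EXE"):]    # EXE1 -> SECUREMAC1
    return exe_name, mac_name, pmap[mac_name][0]

def dd_count(chkhash_line, bs=2048):
    """Derive the dd count for bs=2K from hash[0]'s length; it must divide evenly."""
    length = int(re.search(r"length = (\d+)", chkhash_line).group(1))
    if length % bs:
        raise ValueError("image length %d is not a multiple of bs=%d" % (length, bs))
    return length // bs

if __name__ == "__main__":
    exe, mac, mac_dev = active_exe_and_securemac(PARTITION_TXT, DF_LINE)
    print("active %s on %s -> hash partition %s at %s" % (exe, DF_LINE.split()[0], mac, mac_dev))
    print("dd if=%s bs=2K count=%d of=/mtd_rwcommon/exe.img.dmp" % (DF_LINE.split()[0], dd_count(CHKHASH_P)))
```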
7) Check that chkhash works correctly by calculating the hash of /mtd_rwcommon/exe.img.dmp
./chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp
'0' is the number of bytes from the beginning of the file to calculate the hash over; '0' means the whole file
# ./chkhash -k 6f6bc7e1fc7f86bf9c150a82f343e2e0 -h 0 /mtd_rwcommon/exe.img.dmp
Hash: d5a3d3f345838c49700cceb71fd1078d, length = 89485312
If there's a mismatch STOP HERE and ask for help!
8) Mount the image dumped in 6)
First create a directory to mount the image to:
mkdir /mtd_rwcommon/exe.img_mod
mount -w -o loop /mtd_rwcommon/exe.img.dmp /mtd_rwcommon/exe.img_mod/
9) Change /mtd_rwcommon/exe.img_mod/
You can now change the content of /mtd_rwcommon/exe.img_mod/ with one restriction:
there is limited space to use. Exceeding the image size seems to be prevented by the OS:
# cp /mtd_rwcommon/exe.img_mod/Factory_Part2.dat /mtd_rwcommon/exe.img_mod/Factory_Part2.dat.cpy
# cp /mtd_rwcommon/exe.img_mod/Factory_Part2.dat /mtd_rwcommon/exe.img_mod/Factory_Part2.dat.cpy.cpy
cp: write error: No space left on device
(I did NOT try what happens when using the maximum size; I only changed rc.local here (just a few bytes))
10) Unmount /mtd_rwcommon/exe.img_mod/
Check where /mtd_rwcommon/exe.img_mod/ is mounted (/bin/mount is used here because SamyGO's mount outputs nothing):
/bin/mount
# /bin/mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/sam type tmpfs (rw)
none on /dtv type tmpfs (rw)
none on /dsm type tmpfs (rw)
none on /core type tmpfs (rw)
none on /tmp type tmpfs (rw)
/dev/stl0/14 on /mtd_rwarea type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/19 on /mtd_rocommon type squashfs (ro)
/dev/stl0/17 on /mtd_exe type rfs (ro,codepage=cp949,vfat,fcache(blks)=128)
/dev/stl0/18 on /mtd_appdata type squashfs (ro)
/dev/stl0/13 on /mtd_contents type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/20 on /mtd_swu type rfs (rw,codepage=cp949,vfat,fcache(blks)=128)
/dev/stl0/21 on /mtd_rwcommon type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
none on /proc/bus/usb type usbfs (rw)
/dev/sdb on /dtv/usb/sdb type xfs (rw,nouuid,noquota)
/dev/sda1 on /dtv/usb/sda1 type vfat (rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)
/dev/stl0/14 on /etc/passwd type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/stl0/14 on /etc/profile type rfs (rw,codepage=utf8,vfat,fcache(blks)=128)
/dev/sdc on /dtv/usb/sdc type vfat (rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)
devpts on /dev/pts type devpts (rw)
/dev/loop0 on /mtd_rwcommon/exe.img_mod type vfat (rw,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii)
Try to unmount /mtd_rwcommon/exe.img_mod/:
# /bin/umount /mtd_rwcommon/exe.img_mod/
umount: cannot umount /mtd_rwcommon/exe.img_mod: Device or resource busy
# /bin/umount -l /mtd_rwcommon/exe.img_mod/
You now have a modified exe.img in /mtd_rwcommon/exe.img.dmp. Because -l is a lazy unmount, run sync and check with /bin/mount that /dev/loop0 is no longer listed before going on.
To be safe you should NOW copy /mtd_rwcommon/exe.img.dmp to the PC via USB memory or SSH/telnet.
11) Calculate the hash of modified /mtd_rwcommon/exe.img.dmp
./chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp
# ./chkhash -k 6f6bc7e1fc7f86bf9c150a82f343e2e0 -h 0 /mtd_rwcommon/exe.img.dmp
Hash: fc3e52f512a6113042349bf3d7df1fd3, length = 89485312
optional: use the Windows version of chkhash on the PC to calculate the hash of exe.img.dmp (it must of course give the same hash): chkhash -k <your mkey> -h 0 /mtd_rwcommon/exe.img.dmp
12) Write the hash of /mtd_rwcommon/exe.img.dmp into /mtd_rwcommon/bml10.dmp
./chkhash -k <your mkey> -w 0 0 /mtd_rwcommon/bml10.dmp /mtd_rwcommon/exe.img.dmp
the first '0' is the offset within the given hash file
the second '0' is the hash index behind that offset within the given hash file (hash[ 0] above)
13) Check exe.img's hash in /mtd_rwcommon/bml10.dmp
./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
# ./chkhash -p 0 4 /mtd_rwcommon/bml10.dmp
hash[ 0] = fc3e52f512a6113042349bf3d7df1fd3 length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200 length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6 length = 3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571 length = 3665940
ATTENTION: from NOW on you are changing the TV's flash and entering the RISKY part!
14) Write the hash of /mtd_rwcommon/exe.img.dmp into /dev/bml0/10
./chkhash -k <your mkey> -w 0 0 /dev/bml0/10 /mtd_rwcommon/exe.img.dmp
15) Check exe.img's hash in /dev/bml0/10
./chkhash -p 0 4 /dev/bml0/10
# ./chkhash -p 0 4 /dev/bml0/10
hash[ 0] = fc3e52f512a6113042349bf3d7df1fd3 length = 89485312
hash[ 1] = 58036fe36c3fe1585613a94551ae9200 length = 41762816
hash[ 2] = b2c3353dd594dd95ce4c674fa767c0f6 length = 3712144
hash[ 3] = 9b3290bd21a1c12653246c4d5742d571 length = 3665940
16) Flash the modified exe.img
stl.restore /dev/stl0/17 /mtd_rwcommon/exe.img.dmp
It will output something like this:
# stl.restore /dev/stl0/17 /mtd_rwcommon/exe.img.dmp
+------------------------------------------------------------------------+
| stl.restore : stl-level Partition Restore Tool for NAND Flash Memory |
+------------------------------------------------------------------------+
100%
All of the flash memory blocks have been restored successfully.
sync
sync
sync
(@devs: calculating the hash of /dev/stl0/17 now gives a wrong hash; without any change, the hash after a reboot is as expected! Any ideas?)
Hope this helps someone! Any hints/suggestions/feedback are much appreciated.
Edit: corrected some inelegancies and added spoilers describing the chkhash arguments used.