
Make fake answer from server when tv download widget

Posted: Sun Jun 28, 2015 3:50 am
by szt
I captured some HTTP GET requests while the TV was downloading a widget:


GET /files/widget/bla/bla/bla/enc_blablabla.img?Expires=...&Signature=...&Key-Pair-Id=... HTTP/1.1
Host: somehost.cloudfront.net
Accept: */*
And the captured answer:


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 123456
Connection: keep-alive
Date: ...
Last-Modified: ...
ETag: "..."
Accept-Ranges: bytes
Server: AmazonS3
Age: 123456
X-Cache: Hit from cloudfront
Via: 1.1 somehost2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ...

_here_goes_Squashfs_img_data_
If I make a fake answer and put some handmade app in the answer (or modify an existing app and put it in), will I be able to run it? Or will it be rejected? Has anyone tried to do so?

Model UE40H6400 fw T-MST14DEUC 2740.6

Re: Make fake answer from server when tv download widget

Posted: Sat Jul 04, 2015 4:14 pm
by Wolfgan
Did you try tinkering with the replies in Fiddler? http://www.telerik.com/fiddler

Re: Make fake answer from server when tv download widget

Posted: Sun Jul 05, 2015 10:23 pm
by ZGod
It's easy to run handmade widgets using the built-in develop log-in, so I don't think many people tried this.

Re: Make fake answer from server when tv download widget

Posted: Mon Jul 06, 2015 4:54 am
by szt
ZGod wrote: It's easy to run handmade widgets using the built-in develop log-in, so I don't think many people tried this.
Is it possible to put an ARM ELF executable in a handmade widget and run it on the TV without root access?

Re: Make fake answer from server when tv download widget

Posted: Thu Jul 09, 2015 8:27 am
by szt
Wolfgan wrote: Did you try tinkering with the replies in Fiddler? http://www.telerik.com/fiddler
I tried mitmproxy. This Python code replaces the HTTP response:


# mitmproxy 0.1x inline script (libmproxy API); run with: mitmdump -s this_script.py
from libmproxy.protocol.http import decoded

# Load both images once instead of re-reading them on every response.
with open('replaces/orig.bin', 'rb') as f:
    ORIG_IMAGE = f.read()
with open('replaces/repl.bin', 'rb') as f:
    REPL_IMAGE = f.read()

def response(context, flow):
    # Work on the decoded body so gzip/deflate content encodings do not get in the way.
    with decoded(flow.response):
        if flow.response.content == ORIG_IMAGE:
            flow.response.content = REPL_IMAGE
            # In this libmproxy version headers are an ODict; values are lists of strings.
            flow.response.headers["Content-Length"] = [str(len(REPL_IMAGE))]
but the TV rejects it, even if I change a single bit in the squashfs image. I tried to make a squashfs image based on the original with modified PNG images, but it was also rejected. Files in the squashfs with the .spm extension are encrypted. How can I decrypt them?

I need a filesystem dump from a rooted TV. I need to find the code that does the integrity check (maybe MD5 or another hash function). Or maybe somebody can trace the actions performed after the widget was downloaded?

I can't mount/unpack the cramfs filesystem from the firmware file: viewtopic.php?f=77&t=9257
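Added example (not code from this thread or from the TV's firmware): a defender-side sketch of why an image swapped in transit fails verification even when only one bit changes. It uses a constructed squashfs-like sample and a keyed SHA-256 tag as a stand-in for the TV's real check, which the thread does not identify; the key, the sample image and the function names are all assumptions.

```python
import hashlib
import hmac

# Constructed sample image: squashfs magic "hsqs" (0x73717368 little-endian) plus filler.
SAMPLE_IMAGE = b"hsqs" + bytes(range(256)) * 4
# Placeholder key: a keyed SHA-256 tag stands in for the vendor's real (unknown) scheme.
DEVICE_KEY = b"constructed-demo-key"

def build_response(body: bytes) -> bytes:
    """Frame a body the way the captured CloudFront reply does."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Server: AmazonS3\r\n\r\n" + body)

def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def image_tag(data: bytes, key: bytes = DEVICE_KEY) -> str:
    """Integrity tag the device would compare against a trusted reference."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_widget_response(raw: bytes, expected_tag: str) -> str:
    """Return 'ok' or the first reason the downloaded image is rejected."""
    headers, body = split_response(raw)
    if int(headers.get("content-length", "-1")) != len(body):
        return "length mismatch"
    if body[:4] != b"hsqs":
        return "not a squashfs image"
    if not hmac.compare_digest(image_tag(body), expected_tag):
        return "integrity check failed"
    return "ok"

def flip_bit(data: bytes, index: int) -> bytes:
    """Flip one bit, mirroring the 'single bit' experiment in the thread."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)

def demo() -> dict:
    tag = image_tag(SAMPLE_IMAGE)
    return {"original": verify_widget_response(build_response(SAMPLE_IMAGE), tag),
            "one_bit_flipped": verify_widget_response(build_response(flip_bit(SAMPLE_IMAGE, 100)), tag),
            "truncated": verify_widget_response(build_response(SAMPLE_IMAGE)[:-10], tag)}
```

A real device would hold the reference tag (or a signature and public key) in trusted storage, so rewriting Content-Length and the body at the proxy cannot make a modified image pass.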