Theory

Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-Z, 0...9.
Example (T-VALDEUC) how to get in to shell trough ExLink:

10041004 {Enter}
20089999
2 (Platform Print Setting)
0
0
2 (Advanced Platform)
2 (DeviceManager Debug)
91 (DeviceManager SS Debug)
20 (Enter system command)
SELP#>

From patched n_tty.c: (B series sources)

int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
                        ..
                        ..
                        ..
#ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER
          // additional checking 0~9, space, enter, backspace, SPTEAM 2009-02-12
          check = i = 0;
          while(i < MAX_ARRAY )
          {
               if( allow_char[i] == c )
                {
                          check = 1;
                          break;
                }
               i++;
          }
          if( !check )
               return;
#endif

Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.

How To

We have few possibilities to get unrestricted root access via exlink cable:

Patch kernel in memory

Check this topic - for B series CI+ and maybe for D550(if anyone finds proper code to patch) only. Because on other models the required TDM function Register & Physical Memory Write is not available anymore (removed or hidden).

Recompile kernel

Anyone should document that!

Patch kernel image

Dirtiest, but confirmed way to patch out input filtration. Checked on IDA, proper function and HEX string to search for is found.

Steps:

• Use dump of kernel`s partition or decrypt kernel using SamyGO Firmware patcher (example):

SamyGO.py decrypt_all ./T-VALDEUC

• Open decrypted kernel image in HEX editor
• Search for HEX string

01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 0A

• Replace last byte (0A to EA). Result must look like:

01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 EA

The Mathematics in asm code:

ROM:0016DA98 E0 1D 9F E5                 LDR     R1, =0xC02FBF9C
ROM:0016DA9C 01 30 92 E7                 LDR     R3, [R2,R1]
ROM:0016DAA0 04 20 82 E2                 ADD     R2, R2, #4
ROM:0016DAA4 04 00 53 E1                 CMP     R3, R4 
ROM:0016DAA8 02 00 00 0A                 BEQ     loc_16DAB8
ROM:0016DAAC 4C 00 52 E3                 CMP     R2, #0x4C ==19
ROM:0016DAB0 2E 03 00 0A                 BEQ     loc_16E770
ROM:0016DAB4 F7 FF FF EA                 B       loc_16DA98 

With such patch we escaped from that input filtration loop and can input whatever we need now.

• Save new kernel image
• Calculate required hashes for new kernel
• Edit hashes file (cmac bloks (hashes) of appdata.img, exe.img, Image and rootfs.img are stored in some separate partition on TV).

If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch.

Calculating and comparing of hashes can be done with chkhash (Instructions and download)

• Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.
• If no errors came, reboot TV. And pray :)

To Be Added, WIP

Firmwares

HEX patching possible with same string from example on: B series CI+ devices, firmwares T-CHUCIP*, T-CHLCIP*, T-CHL5CIP*, T-CHL6CIP*
C series T-VAL* family firmwares

References

Support forum