Difference between revisions of "Forced revert back to older firmware"


From SamyGO
(Notice about T-CHL7DEUC)
m (Force firmware back (FFB): youtube video)
 
(79 intermediate revisions by 5 users not shown)
Line 1: Line 1:
This article for revert back to older firmware if only if you upgraded TV to latest firmware accidentally.
+
[[File:moras_trojan.png|380px|right]] This is procedure for reverting back to an older firmware. It can help you if you upgraded TV to latest firmware accidentally or buy TV with already latest firmware, however it only works for TV which support '''Content Library'''.
  
'''If your new TV comes with latest firmware, this instructions does not change anything for your TV...'''
 
[[File:Samy_horse.jpg | right]]
 
 
=Enabling Telnet=
 
=Enabling Telnet=
With latest firmware, Samsung disabled both Ex-Link console connection and external applications because of stopping us. So you cannot create telnet connection with TV because cannot use Telnet Enabler application. If you copied Telnet Application to TV's flash before you are lucky. But If you not, please don't cry, here is solution.
 
  
 +
With the latest firmware, Samsung disabled both Ex-Link console connection and external applications probably to stopping us. So you cannot create telnet connection to TV because you cannot use Telnet Enabler application. If you copied Telnet Application to TV's flash memory before you are lucky. But if you didn't please don't cry, here is the solution.
  
==Trojan Horse==
+
=Trojan Horse=
  
 +
'''Historically:''' Trojan is a giant horse that has hidden soldiers in it and it was used first at Troya A.D.2500-3000, which is in Çanakkale, Turkey now. Soldiers leave a huge wooden horse behind them as a gift and fade away... Enemies take that giant horse inside of city walls. But when the night comes, soldiers hidden in the horse get out and open the gates... :)
  
'''Historically :''' Trojan is a giant horse that has hidden soldiers in it, used first at Troya A.D.2500-3000, which is in Çanakkale, Turkey now. Soldiers leave a huge wooden horse behind as a gift and fade away... Enemies take that giant horse inside of city walls. But when night become, hidden soldiers that in the horse get out and open the gates... :)
 
  
 +
First you need enable (if not already) copy/remove feature in Content Library Manager.
 +
*Enter Service Menu ( quickly push '''[INFO] [MENU] [MUTE] [POWER]''' on your remote control )
 +
*Change setting (Control -> Sub Option -> Wiselink Write -> On )
  
 +
*Download [http://download.samygo.tv/B%20Series/Content%20Library%20Applications/SamyGO%20Telnet%20Enabler%20Trojan%20v0.01.zip SamyGO Telnet Enabler Trojan].
 +
*Unpack and copy '''telnet-enabler''' folder to root USB and plug in to TV.
 +
*Enter Content Library Manager -> Select USB -> Select '''Children''' category.
 +
*Use Copy function on TV to copy '''Telnet Enabler as Trojan''' content to TV internal flash.
 +
*Return back to main manu in Content Library Manager and select again '''Children''' but from TV flash contents this time.
 +
*Run '''Run this Telnet Enabler''' to enable telnet access (or open the gates :) ).
  
  
So we follow the same pattern here. Delete a some content library tool, something like "children stories" than download new one from that from [http://www.samsung.com/uk/consumer/learningresources/media2.0/library_download.html# Samsung] and use downloaded file as trojan horse. After downloading file, place [[SamyGO Telnet Enabler]] folder to inside it, than move files to USB and plug in to TV. After copy to TV's Flash, now you can run Telnet Enabler from Content Library than enables Telnet (or open the gates :) )
+
----
  
=Forcing to Enable Alternative Firmware=
+
=Force firmware back (FFB)=
After some firmware upgrades, Samsung doesn't let us revert firmware back to older state.
 
Actually we were using a solution for that, flashing mtd_exe and mtd_appdata partitions via manually flashing from telnet connection, enabled via telnet application.
 
  
Instead of flashing dump of older firmware to actually used partition (which is risky), switch older firmware via this hack.
+
[[File:Moras_forcefirmwareback.png|300px|right]]{{#ev:youtube|RiNLDsN8fXY|300|right| Downgrade B series TV using FFB}}
This way is more safe than other approach. Lines bellow will make TV use alternative firmware.  
+
'''FFB''' is a small Samygo application for B series CI (but not CI+ !!!) Samsung TVs to force firmware downgrade <br>
 +
on "february" and latest firmwares. With help of this Samygo "game" its easy to restore<br>
 +
pre-february firmware.<br>
 +
No change of firmware files needed.
  
'''Notice: This output/lines for B650-B750 devices, so firmware name contains T-CHL7DEUC, with other TV's you needed to leave corresponding strings and versions!!!.'''
+
'''CI TV models:'''
 +
 
 +
LCD
 +
*LExxB65x - firmware: '''T-CHL7DEUC'''
 +
*LExxB75x - firmware: '''T-CHL7DEUC'''
 +
 
 +
*LNxxB65x - firmware: '''T-CHEAUSC'''
 +
*LNxxB75x - firmware: '''T-CHEAUSC'''
 +
 
 +
PLASMA
 +
*PSxxB65x - firmware: '''T-CHL7DEUC'''
 +
*PSxxB85x - firmware: '''T-CHU7DEUC'''
 +
*PNxxB85x - firmware: '''T-CHEAUSC'''
 +
*PNxxB8xxx - firmware: '''T-CHE7AUSC'''
 +
 
 +
LEDTV
 +
*UExxB7xxx - firmware: '''T-CHU7DEUC'''
 +
*UExxB8xxx - firmware: '''T-CHU7DEUC'''
 +
*UNxxB7xxx - firmware: '''T-CHE7AUSC '''
 +
*UNxxB8xxx - firmware: '''T-CHE7AUSC'''
 +
 
 +
No other models supported, you can brick TV if use other!<br>
 +
Use at your own risk.<br>
 +
 
 +
Instructions and DOWNLOAD link for the latest release: available [http://forum.samygo.tv/viewtopic.php?f=5&t=2038&start=0#p9080 on samygo.tv] <font color = red>(read it first!)</font><br><br>
 +
For other models try methods below:
 +
 
 +
=Forcing to Enable Alternative Firmware if you upgraded to latest firmware '''(CI and CI+)'''=
 +
 
 +
After some firmware upgrades, Samsung disable reverting firmware back to older state.
 +
Actually we were using as a solution for that, flashing mtd_exe and mtd_appdata partitions via manual flashing procedure (or by script from TV Content Library Manager) over telnet connection, enabled with Telnet Enabler application. Instead of flashing dump of older firmware over actually used partition which is risky, we can switch to older firmware via this simple hack. This way is safer than other approaches. Code bellow unhides alternative firmware in TV.
 +
*If You accidentally upgraded to the latest firmware and there was earlier firmware on Your TV before<br> You can run script and activate alternative firmware from TV menu. Go to [http://wiki.samygo.tv/index.php5?title=Forced_revert_back_to_older_firmware#Fully_automated_way:_activate_Alternative_Firmware_from_Content_Library_Manager Fully automated way]<br>
 +
*If You bought TV with the latest firmware installed, and there isn`t any earlier firmware installed before, go to [http://wiki.samygo.tv/index.php5?title=Forced_revert_back_to_older_firmware#DANGEROUS_WAY.2C_FOR_NEW_TV_WITH_LATEST_FIRMWARE_ONLY Dangerous way]<br>
 +
 
 +
==Fully automated way: activate Alternative Firmware from Content Library Manager==
 +
 
 +
Here is the instruction how to modify SamyGO Telnet Enabler Trojan  to enable telnet and activate alternative firmware menu.<br>With this You be able to:[[File:Samygoautorevertfirmwar.png|right]]
 +
*Activate Alternative firmware menu (no comments. This game does '''NOT enable''' telnet)
 +
*Run Telnet Enabler <br>
 +
Here is the third option: Samygo Trojan Horse. It does nothing, You don`t need to run it<br>
 +
 
 +
Steps are very similar to [[#Trojan_Horse]]:
 +
 
 +
*Enter Service Menu ( quickly push '''[INFO] [MENU] [MUTE] [POWER]''' on your remote control )
 +
*Change setting (Control -> Sub Option -> Wiselink Write -> '''On''' )
 +
*Download attached file: [http://forum.samygo.tv/download/file.php?id=298 telnet-enabler.tar.gz]
 +
*Unpack and copy telnet-enabler folder to root USB and plug in to TV.
 +
*Enter Content Library Manager -> Select USB -> Select Children category.
 +
*Use Copy function on TV to copy Telnet Enabler as Trojan content to TV internal flash.
 +
*Return back to main manu in Content Library Manager and select again Children but from TV flash contents this time.
 +
 
 +
*You can run it from:  '''[Menu] -> [Source list] -> [USB] -> [Content Library] -> [My Contents] -> [Children]'''
 +
 
 +
*Run '''Activate Alternative firmware menu'''
 +
*Wait while script makes a job, don`t power-off TV. There isn`t any message to inform You about it`s done (on LE40B653T5WXBT it took 50 sec). Just after approx. 2 minutes check Firmware upgrade menu, if there is Alternative Firmware active, choose it, TV reboots with new older firmware. ;)
 +
 
 +
If You have trouble with this method, try making whole procedure manually:
 +
* [http://wiki.samygo.tv/index.php?title=Forced_revert_back_to_older_firmware#Partially_automated_way_to_get_Alternative_Firmware_enabled Partially automated way]
 +
* [http://wiki.samygo.tv/index.php?title=Forced_revert_back_to_older_firmware#Not_automated_way._Enter_commands_manually Manual way]
 +
 
 +
If You have UDN key (from nurisam.com) and/or You have trouble with running "game" from Children menu, just copy whole '''telnet''' and '''rollback''' sub-directories to USB root and You will able run it from Games menu.
 +
 
 +
==Partially automated way to get Alternative Firmware enabled==
 +
 
 +
Based on the simple script, that enables older firmware [http://forum.samygo.tv/viewtopic.php?f=5&t=785&start=10#p7032].
 +
 
 +
*Enable telnet (exact as described) with [[#Trojan_Horse]]<br>
 +
*Connect to Your TV via telnet. You can use any telnet program. For example - [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Putty]<br>
 +
Enter IP address of TV (e.g. 192.168.1.100). IP address must be configured manually, not automaticaly!<br><br>
 +
''Fig.1. Connection type: telnet and Port: 23''
 +
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 +
''Fig.2. After You press Open, You get to TV:''
 +
[[File:putty1.png|350px|left]][[File:putty2.png|400px]]
 +
Now You are inside and TV is ready accept commands.<br> Enter Your commands after sign '''#'''.
 +
<br><br><br><br><br><br><br><br><br><br>
 +
*Download the file [http://forum.samygo.tv/download/file.php?id=292 revert.rar] and unpack it to USB root, plug-in USB to TV.<br>
 +
You have to know what path is to your USB. Input ''mount'' and look what You get. e.g:
 
  localhost login: root
 
  localhost login: root
 
  -sh: id: not found
 
  -sh: id: not found
  # cd mtd_rwarea/
+
# mount
  # ls -al Version.*
+
/dev/root on / type squashfs (ro)
 +
none on /proc type proc (rw)
 +
none on /sys type sysfs (rw)
 +
none on /dev/sam type tmpfs (rw)
 +
none on /dtv type tmpfs (rw)
 +
/dev/tbml7 on /mtd_boot type squashfs (ro)
 +
none on /mtd_ram type tmpfs (rw)
 +
/dev/stl0/14 on /mtd_rwarea type rfs (rw)
 +
/dev/tbml8 on /mtd_exe type rfs (ro)
 +
/dev/tbml9 on /mtd_appdata type squashfs (ro)
 +
devpts on /dev/pts type devpts (rw)
 +
/dev/stl0/13 on /mtd_tlib type rfs (rw)
 +
/dev/stl0/15 on /mtd_contents type rfs (rw)
 +
/dev/stl0/16 on /mtd_down type rfs (rw)
 +
/dev/stl0/12 on /mtd_wiselink type rfs (rw)
 +
/dev/stl0/17 on /mtd_swu type rfs (rw)
 +
none on /proc/bus/usb type usbfs (rw)
 +
/dev/sda1 on /dtv/usb/sda1 type vfat rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)
 +
Look at the last line of output. In example You see, that my USB is recognized as '''/dtv/usb/sda1'''. If You get another path, please correct it.
 +
*Give permissions to run script.
 +
chmod 755 /dtv/usb/sda1/revert.sh
 +
*Run script and wait until it ends. (approximately 2 minutes)
 +
sh +x /dtv/usb/sda1/revert.sh
 +
Don`t power off TV. You have to see '''.!!!!!!!!!!!!!!! End. Now go to firmware update menu !!!!!!!!!!!!!!!.''' on telnet window.
 +
*Go to Firmware upgrade menu and You will see alternative firmware choice active.<br><br>
 +
 
 +
You can make ''revert.sh'' script by Yourself. Here is the code:
 +
#!/bin/sh
 +
echo .
 +
echo .
 +
echo .!!!!!!!!!!!!!!! Start script. Wait....for next message....!!!!!!!!!!!!!!!.
 +
 +
if [ -f /mtd_rwarea/PartitionSwitch_1_0 ]
 +
then
 +
 +
mkdir /dtv/test
 +
mount -t auto /dev/tbml8 /dtv/test
 +
FWNAME=$(cat /.info)
 +
OLDVERS=$(/bin/busybox egrep -e $(echo "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]") /dtv/test/exeDSP)
 +
OLDVERS=$(echo $OLDVERS | sed s/.*-//g | sed 's/\..*//g')
 +
if [ -f /mtd_rwarea/Version.0 ] # Script doesn't overwrite if there is a Version.0 file
 +
  then
 +
  echo "Error  /mtd_rwarea/Version.0 already exists." > ./error.log
 +
  else
 +
  echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.1) > /mtd_rwarea/Version.0
 +
fi
 +
 +
  else
 +
 +
mkdir /dtv/test
 +
mount -t auto /dev/tbml10 /dtv/test
 +
 +
FWNAME=$(cat /.info)
 +
OLDVERS=$(/bin/busybox egrep -e $(echo "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]") /dtv/test/exeDSP)
 +
OLDVERS=$(echo $OLDVERS | sed s/.*-//g | sed 's/\..*//g')
 +
if [ -f /mtd_rwarea/Version.1 ] # Script doesn't overwrite if there is a Version.1 file
 +
  then
 +
  echo "Error  /mtd_rwarea/Version.1 already exists." > ./error.log
 +
  else
 +
  echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.0) > /mtd_rwarea/Version.1
 +
fi
 +
 +
fi 
 +
 +
echo .
 +
echo .done!                                                                                               
 +
echo .!!!!!!!!!!!!!!! Now go to firmware update menu !!!!!!!!!!!!!!!.
 +
 
 +
==Not automated way. Enter commands manually==
 +
All commands You need enter manually.
 +
'''Notice: These code lines are as an example for B650-B750 devices, so firmware name contains T-CHL7DEUC, for other TV's you need to use corresponding version string of previously installed firmware and corresponding missing Version file (Version.0 or Version.1)!!!'''
 +
localhost login: root
 +
-sh: id: not found
 +
  # cd /mtd_rwarea
 +
  # ls -l Version.*
 
  -rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
 
  -rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
 
  # cat Version.1
 
  # cat Version.1
 
  SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
 
  SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
  # touch Version.0
+
  # echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
# ls -al Version.*
+
  # ls -l Version.*
-rw-r--r--    1 root    0              0 Jan  1  1980 Version.0
 
-rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
 
# chmod 755 Version.0
 
  # ls -al Version.*
 
 
  -rwxr-xr-x    1 root    0              44 Jan  1 00:00 Version.0
 
  -rwxr-xr-x    1 root    0              44 Jan  1 00:00 Version.0
 
  -rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
 
  -rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 >Version.0
 
 
  # cat Version.*
 
  # cat Version.*
 
  SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
 
  SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
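Review bot: in the added revert.sh, OLDVERS is never validated before the `sed ... > /mtd_rwarea/Version.0` (and the matching Version.1 branch). If the mount of /dev/tbml8 or /dev/tbml10 fails, or the egrep on /dtv/test/exeDSP matches nothing, the file is written with an empty version field (`_00_`). Check that OLDVERS is exactly four digits and stop otherwise, and unmount /dtv/test before exiting. The "already exists" case writes only to ./error.log and then still prints the "Now go to firmware update menu" banner, while the instructions tell the reader to wait for "End.", which the script never prints; the banner text and the instructions should agree, and the error should be visible in the telnet window.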
Line 46: Line 199:
 
  #
 
  #
  
So after this, disabled "Alternative Firmware" selection became enable. So you can switch older firmware and patch some safe firmware on to latest firmware which has restrictions.
+
After this, disabled "Alternative Software" selection in standard TV's Support / Software Upgrade Menu becomes enabled and populated again. You can switch to previously flashed firmware and then flash some safe firmware over the latest firmware which has restrictions.
 +
 
 +
===Find EXACT ID of older firmware===
 +
You can find your TV's older Version.* file via mounting backup partitions.
 +
You can extract EXACT ID of older Firmware at this step too. You needed to change Firmware model if its not T-CHL7DEUC that written bold at bellow.
 +
# mkdir /dtv/test1
 +
# mkdir /dtv/test2
 +
# mount -t auto /dev/tbml8 /dtv/test1
 +
# /bin/busybox egrep -e ''''T-CHL7DEUC'''-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test1/exeDSP
 +
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
 +
# mount -t auto /dev/tbml10 /dtv/test2
 +
# /bin/busybox egrep -e ''''T-CHL7DEUC'''-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test2/exeDSP
 +
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
 +
This results show that tbml10 partition holding firmware 2004.
 +
 
 +
=DANGEROUS WAY, FOR NEW TV WITH LATEST FIRMWARE AND '''CI''' ONLY=
 +
'''Don't try this unless knowing what you are doing exactly.'''
 +
==Flash older firmware on new TV '''(CI only)''' with latest firmware==
 +
'''WARNING 1: THIS IS ABSOLUTELY NOT FOR CI+ DEVICES'''
 +
 
 +
'''WARNING 2: You better to have FULL TV partitions backup to your flash and working uboot code on your TV before starting this hack, Unless you might not recover your bricked TV later. But with working uboot code on your TV, it's easy to recover your bricked TV.
 +
 
 +
'''*For safety reasons enable ex-link and turn off watchdog in service menu.
 +
*Install python on your computer if not yet installed.
 +
*Download one of below firmwares used by your TV.
 +
*Download [http://download.samygo.tv/SamyGO%20Tools/SamyGO%20Firmware%20Decrypter%20v0.01.zip SamyGO Firmware Decrypter].
 +
*Unpack firmware to some directory.
 +
*Copy '''SamyGO Firmware Decrypter''' to unpacked firmware directory.
 +
*Run shell/cmdline and change directory to unpacked firmware.
 +
*Run Decrypter:
 +
python "SamyGO Firmware Decrypter"
 +
*After it successfully finished you will have two decrypted files in '''image''' folder: '''appdata.img''' and '''exe.img'''.
 +
*Copy that two files into USB drive.
 +
*Plug USB drive into TV.
 +
*Telnet to TV.
 +
 
 +
'''Notice: These code lines below are as an example for B650-B750 devices, so firmware name contains T-CHL7DEUC and specific versions IDs!!!'''
 +
 
 +
# cd /mtd_rwarea/
 +
# ls -l Version.*
 +
 
 +
You should have this:
 +
-rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.1
 +
or
 +
-rwxr-xr-x    1 root    0              44 Jan  1  1980 Version.0
 +
 
 +
First case we call it now '''1''' and second '''2''' and you proceed '''only one''' of them. So you will write to alternative file opposite to allready existed.
 +
 
 +
'''---1---'''
 +
# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
 +
# bml.restore /dev/bml0/8 /dtv/usb/sda1/exe.img
 +
# bml.restore /dev/bml0/9 /dtv/usb/sda1/appdata.img
 +
 
 +
Now lets verify it:
 +
# mkdir /dtv/test
 +
# mount -t auto /dev/tbml8 /dtv/test
 +
If there are not errors unmount it.
 +
# umount /dtv/test
 +
And test second:
 +
# mount -t auto /dev/tbml9 /dtv/test
 +
If there are not errors unmount it.
 +
# umount /dtv/test
 +
Checks if version file is ok:
 +
# ls -l Version.0
 +
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
 +
 
 +
'''---2---'''
 +
# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.1
 +
# bml.restore /dev/bml0/10 /dtv/usb/sda1/exe.img
 +
# bml.restore /dev/bml0/11 /dtv/usb/sda1/appdata.img
 +
 
 +
Now lets verify it:
 +
# mkdir /dtv/test
 +
# mount -t auto /dev/tbml10 /dtv/test
 +
If there are not errors unmount it.
 +
# umount /dtv/test
 +
And test second:
 +
# mount -t auto /dev/tbml11 /dtv/test
 +
If there are not errors unmount it.
 +
# umount /dtv/test
 +
Checks if version file is ok:
 +
# ls -l Version.1
 +
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
  
Thanks for [[User:ji035453|ji035453]] for his research.
+
After this, disabled "Alternative Software" selection in standard TV's Support / Software Upgrade Menu becomes enabled and populated again. You can switch to previously flashed firmware and then flash some safe firmware over the latest firmware which has restrictions.
  
--[[User:Erdem_ua|Erdem_ua]] 02:52, 23 April 2010 (EET)
+
==List Firmware links, versions and their ids==
 +
You can find info on our [[Old & Good Firmwares]] page.
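Review bot: in both the ---1--- and ---2--- blocks, the "Checks if version file is ok" step runs `ls -l Version.0` / `ls -l Version.1` but shows the file's contents as the result. `ls -l` prints the directory entry, not the string, so the step should be `cat Version.0` (and `cat Version.1`) to match the output shown. The verification after bml.restore only confirms that the partition mounts; comparing the version string in /dtv/test/exeDSP against the one written to the Version file, as the "Find EXACT ID" section does, would catch a mismatched image before the reader switches firmware. This revision also drops the "Thanks for ji035453 for his research" credit and the signature line without replacement.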

Latest revision as of 06:06, 29 November 2012


This is the procedure for reverting to an older firmware. It can help if you upgraded your TV to the latest firmware accidentally or bought a TV that already has the latest firmware; however, it only works on TVs that support Content Library.

Enabling Telnet

With the latest firmware, Samsung disabled both the Ex-Link console connection and external applications, probably to stop us. So you cannot create a telnet connection to the TV, because you cannot use the Telnet Enabler application. If you copied the Telnet application to the TV's flash memory beforehand, you are lucky. But if you didn't, please don't cry, here is the solution.

Trojan Horse

Historically: the Trojan horse is a giant horse with soldiers hidden inside it, first used at Troya A.D.2500-3000, which is now in Çanakkale, Turkey. The soldiers leave a huge wooden horse behind them as a gift and fade away... The enemies take the giant horse inside the city walls. But when night comes, the soldiers hidden in the horse get out and open the gates... :)


First you need to enable (if not already enabled) the copy/remove feature in Content Library Manager.

  • Enter the Service Menu (quickly push [INFO] [MENU] [MUTE] [POWER] on your remote control).
  • Change the setting (Control -> Sub Option -> Wiselink Write -> On).
  • Download SamyGO Telnet Enabler Trojan.
  • Unpack it, copy the telnet-enabler folder to the root of a USB drive and plug it into the TV.
  • Enter Content Library Manager -> Select USB -> Select Children category.
  • Use the Copy function on the TV to copy the "Telnet Enabler as Trojan" content to the TV's internal flash.
  • Return to the main menu in Content Library Manager and select Children again, but this time from the TV flash contents.
  • Run "Run this Telnet Enabler" to enable telnet access (or open the gates :) ).



Force firmware back (FFB)

Video: Downgrade B series TV using FFB

FFB is a small SamyGO application for B series CI (but not CI+ !!!) Samsung TVs that forces a firmware downgrade on "february" and latest firmwares. With the help of this SamyGO "game" it's easy to restore pre-february firmware. No change of firmware files is needed.

CI TV models:

LCD

  • LExxB65x - firmware: T-CHL7DEUC
  • LExxB75x - firmware: T-CHL7DEUC
  • LNxxB65x - firmware: T-CHEAUSC
  • LNxxB75x - firmware: T-CHEAUSC

PLASMA

  • PSxxB65x - firmware: T-CHL7DEUC
  • PSxxB85x - firmware: T-CHU7DEUC
  • PNxxB85x - firmware: T-CHEAUSC
  • PNxxB8xxx - firmware: T-CHE7AUSC

LEDTV

  • UExxB7xxx - firmware: T-CHU7DEUC
  • UExxB8xxx - firmware: T-CHU7DEUC
  • UNxxB7xxx - firmware: T-CHE7AUSC
  • UNxxB8xxx - firmware: T-CHE7AUSC

No other models are supported; you can brick the TV if you use it on another model!
Use at your own risk.

Instructions and DOWNLOAD link for the latest release: available on samygo.tv (read it first!)

For other models try methods below:

Forcing to Enable Alternative Firmware if you upgraded to latest firmware (CI and CI+)

After some firmware upgrades, Samsung disabled reverting the firmware back to an older state. The solution we used for that was flashing the mtd_exe and mtd_appdata partitions via a manual flashing procedure (or by a script from the TV Content Library Manager) over a telnet connection, enabled with the Telnet Enabler application. Instead of flashing a dump of older firmware over the partition actually in use, which is risky, we can switch to the older firmware via this simple hack. This way is safer than other approaches. The code below unhides the alternative firmware in the TV.

  • If you accidentally upgraded to the latest firmware and there was an earlier firmware on your TV before, you can run a script and activate the alternative firmware from the TV menu. Go to Fully automated way.
  • If you bought the TV with the latest firmware installed and no earlier firmware was installed before, go to Dangerous way.

Fully automated way: activate Alternative Firmware from Content Library Manager

Here are the instructions for modifying SamyGO Telnet Enabler Trojan to enable telnet and activate the alternative firmware menu.
With this you will be able to:

  • Activate Alternative firmware menu (no comments. This game does NOT enable telnet)
  • Run Telnet Enabler

There is also a third option: Samygo Trojan Horse. It does nothing; you don't need to run it.

The steps are very similar to those in the Trojan Horse section:

  • Enter the Service Menu (quickly push [INFO] [MENU] [MUTE] [POWER] on your remote control).
  • Change the setting (Control -> Sub Option -> Wiselink Write -> On).
  • Download the attached file: telnet-enabler.tar.gz
  • Unpack it, copy the telnet-enabler folder to the root of a USB drive and plug it into the TV.
  • Enter Content Library Manager -> Select USB -> Select Children category.
  • Use the Copy function on the TV to copy the "Telnet Enabler as Trojan" content to the TV's internal flash.
  • Return to the main menu in Content Library Manager and select Children again, but this time from the TV flash contents.
  • You can run it from: [Menu] -> [Source list] -> [USB] -> [Content Library] -> [My Contents] -> [Children]
  • Run "Activate Alternative firmware menu".
  • Wait while the script does its job; don't power off the TV. There is no message to inform you when it's done (on LE40B653T5WXBT it took 50 sec). After approx. 2 minutes check the Firmware upgrade menu; if Alternative Firmware is active, choose it, and the TV reboots with the older firmware. ;)

If you have trouble with this method, try doing the whole procedure manually:

  • Partially automated way
  • Manual way

If you have a UDN key (from nurisam.com) and/or you have trouble running the "game" from the Children menu, just copy the whole telnet and rollback sub-directories to the USB root and you will be able to run it from the Games menu.

Partially automated way to get Alternative Firmware enabled

Based on a simple script that enables the older firmware [1].

  • Enable telnet (exactly as described) with the Trojan Horse method.
  • Connect to your TV via telnet. You can use any telnet program, for example PuTTY.

Enter the IP address of the TV (e.g. 192.168.1.100). The IP address must be configured manually, not automatically!

Fig.1. Connection type: telnet and Port: 23

Fig.2. After you press Open, you get to the TV:

Now you are inside and the TV is ready to accept commands.
Enter your commands after the # sign.

  • Download the file revert.rar, unpack it to the USB root and plug the USB drive into the TV.

You have to know the path to your USB drive. Enter mount and look at what you get, e.g.:

localhost login: root
-sh: id: not found
# mount
/dev/root on / type squashfs (ro)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/sam type tmpfs (rw)
none on /dtv type tmpfs (rw)
/dev/tbml7 on /mtd_boot type squashfs (ro)
none on /mtd_ram type tmpfs (rw)
/dev/stl0/14 on /mtd_rwarea type rfs (rw)
/dev/tbml8 on /mtd_exe type rfs (ro)
/dev/tbml9 on /mtd_appdata type squashfs (ro)
devpts on /dev/pts type devpts (rw)
/dev/stl0/13 on /mtd_tlib type rfs (rw)
/dev/stl0/15 on /mtd_contents type rfs (rw)
/dev/stl0/16 on /mtd_down type rfs (rw)
/dev/stl0/12 on /mtd_wiselink type rfs (rw)
/dev/stl0/17 on /mtd_swu type rfs (rw)
none on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /dtv/usb/sda1 type vfat rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)

Look at the last line of the output. In the example you can see that my USB drive is recognized as /dtv/usb/sda1. If you get another path, please use it instead in the commands below.

  • Give permissions to run the script.
chmod 755 /dtv/usb/sda1/revert.sh
  • Run the script and wait until it ends (approximately 2 minutes).
sh +x /dtv/usb/sda1/revert.sh

Don't power off the TV. You have to see .!!!!!!!!!!!!!!! End. Now go to firmware update menu !!!!!!!!!!!!!!!. in the telnet window.

  • Go to the Firmware upgrade menu and you will see the alternative firmware choice active.

You can make the revert.sh script yourself. Here is the code:

#!/bin/sh
echo .
echo .
echo .!!!!!!!!!!!!!!! Start script. Wait....for next message....!!!!!!!!!!!!!!!.

if [ -f /mtd_rwarea/PartitionSwitch_1_0 ]
then
    # Read the firmware version from exeDSP on /dev/tbml8
    mkdir /dtv/test
    mount -t auto /dev/tbml8 /dtv/test
    FWNAME=$(cat /.info)   # firmware name, read from /.info
    OLDVERS=$(/bin/busybox egrep -e "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]" /dtv/test/exeDSP)
    # Keep only the digits after the last "-" and before the next "."
    OLDVERS=$(echo $OLDVERS | sed 's/.*-//g' | sed 's/\..*//g')
    if [ -f /mtd_rwarea/Version.0 ] # Script doesn't overwrite if there is a Version.0 file
    then
        echo "Error  /mtd_rwarea/Version.0 already exists." > ./error.log
    else
        # Copy Version.1 to Version.0 with the version field replaced by OLDVERS
        echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.1) > /mtd_rwarea/Version.0
    fi
else
    # Read the firmware version from exeDSP on /dev/tbml10
    mkdir /dtv/test
    mount -t auto /dev/tbml10 /dtv/test
    FWNAME=$(cat /.info)   # firmware name, read from /.info
    OLDVERS=$(/bin/busybox egrep -e "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]" /dtv/test/exeDSP)
    # Keep only the digits after the last "-" and before the next "."
    OLDVERS=$(echo $OLDVERS | sed 's/.*-//g' | sed 's/\..*//g')
    if [ -f /mtd_rwarea/Version.1 ] # Script doesn't overwrite if there is a Version.1 file
    then
        echo "Error  /mtd_rwarea/Version.1 already exists." > ./error.log
    else
        # Copy Version.0 to Version.1 with the version field replaced by OLDVERS
        echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.0) > /mtd_rwarea/Version.1
    fi
fi

echo .
echo .done!
echo .!!!!!!!!!!!!!!! Now go to firmware update menu !!!!!!!!!!!!!!!.
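
The version-string rewrite that revert.sh performs, shown with the checks the script does not make; this is an added example, not part of the original page or SamyGO's code. The function names are hypothetical, the sample strings are constructed from values shown on this page, and it works on a directory passed as an argument instead of /mtd_rwarea so it can be tried on a PC.

```shell
#!/bin/sh
# Added example: the string handling of revert.sh with validation.
# Nothing is written unless every check passes.

# extract_version FWNAME MATCH
# MATCH is a line containing "<FWNAME>-NNNN.N" (the pattern revert.sh greps for).
# Prints the four digits NNNN; fails if the name or the format does not match.
extract_version() {
    fwname=$1
    line=$2
    case "$line" in
        *"$fwname"-[0-9][0-9][0-9][0-9].[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${line#*"$fwname"-}   # drop everything up to and including "<FWNAME>-"
    vers=${rest%%.*}           # keep what precedes the first "."
    case "$vers" in
        [0-9][0-9][0-9][0-9]) printf '%s\n' "$vers" ;;
        *) return 1 ;;
    esac
}

# rewrite_version_string CURRENT VERS
# Replaces the "_00NNNN_" field of CURRENT with "_00<VERS>_".
# Only that field changes; the trailing fields are copied from CURRENT.
rewrite_version_string() {
    current=$1
    vers=$2
    case "$current" in
        *_00[0-9][0-9][0-9][0-9]_*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$current" | sed "s/_00[0-9][0-9][0-9][0-9]_/_00${vers}_/"
}

# missing_version_file DIR
# Prints which of Version.0 / Version.1 is absent; fails unless exactly one exists.
missing_version_file() {
    dir=$1
    if [ -f "$dir/Version.0" ] && [ ! -f "$dir/Version.1" ]; then
        echo Version.1
    elif [ -f "$dir/Version.1" ] && [ ! -f "$dir/Version.0" ]; then
        echo Version.0
    else
        return 1
    fi
}

# write_alt_version DIR FWNAME MATCH
# Creates the missing Version file in DIR from the existing one and prints its name.
write_alt_version() {
    dir=$1
    fwname=$2
    match=$3
    target=$(missing_version_file "$dir") || {
        echo "refusing: need exactly one Version file in $dir" >&2
        return 1
    }
    case "$target" in
        Version.0) source_file=Version.1 ;;
        *)         source_file=Version.0 ;;
    esac
    vers=$(extract_version "$fwname" "$match") || {
        echo "refusing: no 4-digit version for $fwname in: $match" >&2
        return 1
    }
    new=$(rewrite_version_string "$(cat "$dir/$source_file")" "$vers") || {
        echo "refusing: $source_file has no _00NNNN_ field" >&2
        return 1
    }
    printf '%s\n' "$new" > "$dir/$target"
    printf '%s\n' "$target"
}

# Demonstration on a temporary directory with constructed sample data.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125' > "$tmp/Version.1"
    # An empty match (what a failed mount or grep would give) is rejected:
    write_alt_version "$tmp" 'T-CHL7DEUC' '' 2>/dev/null || echo "empty match rejected"
    # A well-formed match creates Version.0:
    write_alt_version "$tmp" 'T-CHL7DEUC' 'T-CHL7DEUC-2004.0' && cat "$tmp/Version.0"
    rm -rf "$tmp"
}
demo
```

Note that the rewritten string keeps the trailing fields of the existing Version file, whereas the manual method in the next section writes the complete older ID.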

Not automated way. Enter commands manually

You need to enter all commands manually. Notice: These command lines are an example for B650-B750 devices, so the firmware name contains T-CHL7DEUC; for other TVs you need to use the corresponding version string of the previously installed firmware and the corresponding missing Version file (Version.0 or Version.1)!!!

localhost login: root
-sh: id: not found
# cd /mtd_rwarea
# ls -l Version.*
-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1
# cat Version.1
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
# ls -l Version.*
-rwxr-xr-x    1 root     0              44 Jan  1 00:00 Version.0
-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1
# cat Version.*
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
#

After this, the disabled "Alternative Software" selection in the TV's standard Support / Software Upgrade menu becomes enabled and populated again. You can switch to the previously flashed firmware and then flash some safe firmware over the latest firmware, which has restrictions.

Find EXACT ID of older firmware

You can find your TV's older Version.* file by mounting the backup partitions. You can extract the EXACT ID of the older firmware at this step too. You need to change the firmware model in the commands below if it's not T-CHL7DEUC.

# mkdir /dtv/test1
# mkdir /dtv/test2
# mount -t auto /dev/tbml8 /dtv/test1
# /bin/busybox egrep -e 'T-CHL7DEUC-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test1/exeDSP
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
# mount -t auto /dev/tbml10 /dtv/test2
# /bin/busybox egrep -e 'T-CHL7DEUC-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test2/exeDSP
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

These results show that the tbml10 partition holds firmware 2004.

DANGEROUS WAY, FOR NEW TV WITH LATEST FIRMWARE AND CI ONLY

Don't try this unless you know exactly what you are doing.

Flash older firmware on new TV (CI only) with latest firmware

WARNING 1: THIS IS ABSOLUTELY NOT FOR CI+ DEVICES

WARNING 2: You had better have a FULL backup of the TV partitions to your flash and working uboot code on your TV before starting this hack; otherwise you might not be able to recover your bricked TV later. With working uboot code on your TV, it's easy to recover your bricked TV.

  • For safety reasons, enable Ex-Link and turn off the watchdog in the service menu.
  • Install python on your computer if it is not yet installed.
  • Download one of the firmwares below that is used by your TV.
  • Download SamyGO Firmware Decrypter.
  • Unpack the firmware to some directory.
  • Copy SamyGO Firmware Decrypter to the unpacked firmware directory.
  • Open a shell/command line and change directory to the unpacked firmware.
  • Run the Decrypter:
python "SamyGO Firmware Decrypter"
  • After it has finished successfully you will have two decrypted files in the image folder: appdata.img and exe.img.
  • Copy those two files to a USB drive.
  • Plug the USB drive into the TV.
  • Telnet to the TV.

Notice: The command lines below are an example for B650-B750 devices, so the firmware name contains T-CHL7DEUC and specific version IDs!!!

# cd /mtd_rwarea/
# ls -l Version.*

You should have this:

-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1

or

-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.0

We call the first case 1 and the second case 2, and you proceed with only one of them. You will write to the alternative file, the opposite of the one that already exists.

---1---

# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
# bml.restore /dev/bml0/8 /dtv/usb/sda1/exe.img
# bml.restore /dev/bml0/9 /dtv/usb/sda1/appdata.img

Now let's verify it:

# mkdir /dtv/test
# mount -t auto /dev/tbml8 /dtv/test

If there are no errors, unmount it.

# umount /dtv/test

And test the second:

# mount -t auto /dev/tbml9 /dtv/test

If there are no errors, unmount it.

# umount /dtv/test

Check that the version file is OK:

# cat Version.0
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

---2---

# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.1
# bml.restore /dev/bml0/10 /dtv/usb/sda1/exe.img
# bml.restore /dev/bml0/11 /dtv/usb/sda1/appdata.img

Now let's verify it:

# mkdir /dtv/test
# mount -t auto /dev/tbml10 /dtv/test

If there are no errors, unmount it.

# umount /dtv/test

And test the second:

# mount -t auto /dev/tbml11 /dtv/test

If there are no errors, unmount it.

# umount /dtv/test

Check that the version file is OK:

# cat Version.1
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

After this, the disabled "Alternative Software" selection in the TV's standard Support / Software Upgrade menu becomes enabled and populated again. You can switch to the previously flashed firmware and then flash some safe firmware over the latest firmware, which has restrictions.

List Firmware links, versions and their ids

You can find info on our Old & Good Firmwares page.