Difference between revisions of "Remove shell input filtration"
| m (→Theory) | m (→Theory) | ||
| Line 12: | Line 12: | ||
|   20 (Enter system command) |   20 (Enter system command) | ||
|   SELP#> |   SELP#> | ||
| − | + | Function in n_tty.c: | |
|   int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ }; |   int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ }; | ||
|                           .. |                           .. | ||
Revision as of 09:14, 27 May 2013
Contents
Theory
Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-F, 0...9.
Example (T-VALDEUC) how to get in to shell trough ExLink:
10041004 {Enter}
20089999
2 (Platform Print Setting)
0
0
2 (Advanced Platform)
2 (DeviceManager Debug)
91 (DeviceManager SS Debug)
20 (Enter system command)
SELP#>
Function in n_tty.c:
int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
                        ..
                        ..
                        ..
#ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER
          // additional checking 0~9, space, enter, backspace, SPTEAM 2009-02-12
          check = i = 0;
          while(i < MAX_ARRAY )
          {
               if( allow_char[i] == c )
                {
                          check = 1;
                          break;
                }
               i++;
          }
          if( !check )
               return;
#endif
Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.
How To
We have few possibilities to get unrestricted root access via exlink cable:
Patch kernel in memory
Check this topic - for B series CI+ and maybe for D550(if anyone finds proper code to patch) only. Because on other models the required TDM function Register & Physical Memory Write is not available anymore (removed or hidden).
Recompile kernel
Anyone should document that!
Patch kernel image
Dirtiest, but confirmed way to patch out input filtration.
Checked on IDA, proper function and HEX string to search for is found.
Steps:
- Use dump of kernel`s partition or decrypt kernel using SamyGO Firmware patcher (example):
SamyGO.py decrypt_all ./T-VALDEUC
- Open decrypted kernel image in HEX editor
- Search for HEX string
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 0A
- Replace last byte (0A to EA). Result must look like:
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 EA
The Mathematics in asm code:
ROM:0016DA98 E0 1D 9F E5 LDR R1, =0xC02FBF9C ROM:0016DA9C 01 30 92 E7 LDR R3, [R2,R1] ROM:0016DAA0 04 20 82 E2 ADD R2, R2, #4 ROM:0016DAA4 04 00 53 E1 CMP R3, R4 ROM:0016DAA8 02 00 00 0A BEQ loc_16DAB8 ROM:0016DAAC 4C 00 52 E3 CMP R2, #0x4C ==19 ROM:0016DAB0 2E 03 00 0A BEQ loc_16E770 ROM:0016DAB4 F7 FF FF EA B loc_16DA98
With such patch we escaped from that input filtration loop and can input whatever we need now.
- Save new kernel image
- Calculate new cmac blocks (hashes) for new kernel:
mkey=6f6bc7e1fc7f86bf9c150a82f343e2e0 (for T-VAL* firmwares)
- Calculating and comparing of hashes can be done with chkhash tool
- Edit hashes file (cmac bloks (hashes) of appdata.img, exe.img, Image and rootfs.img are stored in some separate partition on TV).
- If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch.
- Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.
Decide what is your active partition set (on C/D/E series here are two sets of rootfs+kernel, active and alternative). For this goal you have to check for console output:
cat /proc/cmdline
The output for 1st set should look:
root=/dev/tfsr6 console=ttyS1 quiet
This means active firmware uses first set of partitions, kernel=/dev/bml0/5, rootfs=/dev/bml0/6 and hashes are checked from /dev/bml0/9
Output for 2nd set:
root=/dev/tfsr8 console=ttyS1 quiet
This means active firmware uses second set of partitions, kernel=/dev/bml0/7, rootfs=/dev/bml0/8 and hashes are checked from /dev/bml0/10
In example we got the 2nd partition set is used and we have to restore bml0/7 with patched kernel and bml0/10 with correct hashes:
bml.restore /dev/bml0/7 /dtv/usb/sda1/bml7_VAL_3015_patched.dmp sync sync sync bml.restore /dev/bml0/10 /dtv/usb/sda1/bml10_VAL_3015_patched.dmp sync sync sync
If you get ANY error while restoring partitions, DO NOT REBOOT or POWER OFF TV, ask for help and wait...
- If no errors came, reboot TV. And pray :)
Firmwares
HEX patching possible with same string from example on:
B series CI+ devices, firmwares T-CHUCIP*, T-CHLCIP*, T-CHL5CIP*, T-CHL6CIP*
C series T-VAL* family firmwares

