Extracting the ES-series firmware
Contents
Extracting the ES-series Firmware
Here we will show you how to extract an official Samsung stock firmware for your ES-model, based on the MStar processor found in most of these models. The best way to illustrate how this is done, is by providing a working example, for a particular model. Then you just have to determine your model and download the appropriate firmware (FW) for your TV set. In our case we have a European ES5700 running the T-MST10PDEUC firmware. So we will take it from there.
However, there are some tool requirements that you need satisfy before proceeding. For example, you need a working Python installation, some standard file extraction utilities, in addition to downloading the correct firmware. Here is the extraction procedure:
- Install Python
- Install PyCrypto
- Download latest SamyGO patcher script from svn
- Extract your firmware
- Decrypt it (just example)
- Uncompress exe.img with 7zip and extract exeDSP or any other file you want.
Or mount image file as a loop device under linux...
Example extraction for:
PC OS: Windows + Cygwin TV Model: UExxES5700 Processor: MST-10 Plus FW series: T-MST10PDEUC FW version: 1029.0
1. Installing Python (on Windows)
I really hate using native Windows Python/Perl interpreters. So I will not show you how to install those. Instead, you will eventually be grateful to have installed Cygwin, which is the most simple way to do this. Just install Cygwin and then run setup and select one of the Python (Python 2.x.x or 3) packages...
(For installing Python3 on Cygwin check here. Not yet needed...) http://stackoverflow.com/questions/440547/installing-python-3-0-on-cygwin )
2. Installing PyCrypt in Cygwin
If you already have a previous installation of Python in Cygwin (like any descent hacker should have), all you have to do is installing the PyCrypt modules. Just fire up your latest Cygwin "setup.exe", and in the "Python" category you'll find the "python-crypto" package. (2.6-1 at this writing). Select and continue installation to finish.
If you need to compile your own, check: https://www.dlitz.net/software/pycrypto/
3. Downloading "SamyGO"
The SamyGo script is also known as the "SamyGO Firmware Patcher" script. This is what you need to download. Be sure to get the latest build possible.
The script (always updated and recent) can be found on svn:
http://sourceforge.net/p/samygo/code
Navigate to patcher/trunk/, click on SamyGO Firmware Patcher.py and press "Download this file" at the top.
Rename script to "SamyGO.py", if needed.
4. Extract your firmware
Of course you have already downloaded your firmware, so you need to decompress the firmware. The firmware is usually delivered as a Windows executable file. If you use 7-zip, it will automatically extract the files into a sub-directory.
For example, extracting:
T-MST10PDEUC_1029.0.exe ==[7-zip]==>
Will result in a subdirectory structure as:
./T-MST10PDEUC_1029.0/T-MST10PDEUC/image/
containing the files:
appext.img.sec appext.img.sec.cs appext.img.sec.vs exe.img.sec exe.img.sec.cs exe.img.sec.vs rootfs.img.sec rootfs.img.sec.cs rootfs.img.sec.vs uImage.sec uImage.sec.cs uImage.sec.vs appext.img.sec.cmac exe.img.sec.cmac info.txt major_version minor_version rootfs.img.sec.cmac uImage.sec.cmac validinfo.txt version_info.txt
You need to be working in the "T-MST10PDEUC_1029.0" directory, and copy the SamyGo.py script there, unless it's already in your PATH.
5. Decrypting with SamyGO.py
$ python SamyGO.py decrypt_all T-MST10PDEUC ----------------------------------------------------------------------------- SamyGO Firmware Patcher v0.34 (c) 2010-2011 Erdem U. Altinyurt -=BIG FAT WARNING!=- You can brick your TV with this tool! Authors accept no responsibility about ANY DAMAGE on your devices! project home: http://www.SamyGO.tv Firmware: T-MST10PDEUC v1029.0 AES Encrytped CI+ firmware detected. Processing file appext.img.sec secret key : b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba Decrypting AES... Decrypting with XOR Key : T-MST10PDEUC Crypto package found, using fast XOR engine. Calculated CRC : 0x37E3430D CRC Validation passed Processing file exe.img.sec secret key : b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba Decrypting AES... Decrypting with XOR Key : T-MST10PDEUC Crypto package found, using fast XOR engine. Calculated CRC : 0xE48D94E0 CRC Validation passed Processing file rootfs.img.sec secret key : b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba Decrypting AES... Decrypting with XOR Key : T-MST10PDEUC Crypto package found, using fast XOR engine. Calculated CRC : 0x76AC7C2C CRC Validation passed Processing file uImage.sec secret key : b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba Decrypting AES... Decrypting with XOR Key : T-MST10PDEUC Crypto package found, using fast XOR engine. Calculated CRC : 0xF1681A66 CRC Validation passed -----------------------------------------------------------------------------
The result of this operation is that we get a number of new files:
uImage uImage.enc rootfs.img rootfs.img.enc exe.img exe.img.enc appext.img appext.img.enc
The files without the ".enc" (encrypted) extension can then be extracted or mounted, again to see all individual files.
6. Extracting exeDSP
Now you can open any of the resulting disk image files:
uImage rootfs.img exe.img appext.img
Here uImage is the "VDLinux" based kernel image. The exeDSP is contained in the exe.img, which can be either expanded with 7-zip or mounted as a loop image by the standard "mount" Linux utility.
For example, in Linux:
mount -t loop exe.img /dev/tmp/imgdata
However, if you're using Windows you'll need to first extract the above disk image. You can only extract since there is no reliable Windows utility which can mount a disk image with Read & Write. (Cygwin does not support "loop" devices as shown above.) The recommended one to use is DiskInternals Linux Reader. Download and install this.
<< This WIP and may need some more editing... >>
Ask in forum, if not understood.