Playing with Firmware Images
Here is how to play with your firmware images.
Contents
Extraction of Firmware
Downloaded firmwares from Samsung is usually an windows executable file. You can extract it using both wine or unrar command from linux/MacOS.
death@triQuad:/SamyGO/Silo> unrar x T-CHL7DEUC.exe
UNRAR 3.90 beta 3 freeware Copyright (c) 1993-2009 Alexander Roshal
Extracting from T-CHL7DEUC.exe
;The comment below contains SFX script commands
Title=How to prepare the USB Memory Drive
Text
{
<BODY>
......
......
</BODY>
}
Creating T-CHL7DEUC OK
Extracting T-CHL7DEUC/crc OK
Extracting T-CHL7DEUC/ddcmp OK
Creating T-CHL7DEUC/image OK
Extracting T-CHL7DEUC/image/appdata.img.enc OK
Extracting T-CHL7DEUC/image/exe.img.enc OK
Extracting T-CHL7DEUC/image/info.txt OK
Extracting T-CHL7DEUC/image/serial_temp OK
Extracting T-CHL7DEUC/image/validinfo.txt OK
Extracting T-CHL7DEUC/image/version_info.txt OK
Extracting T-CHL7DEUC/MicomCtrl OK
Extracting T-CHL7DEUC/rc.local OK
Extracting T-CHL7DEUC/run.sh.enc OK
All OK
After extraction, you can open the exe.img.enc file, which holds exeDSP program in it.
You can also extract images from your TV! All you need is reading Dumping and Flashing images by hand.
Decryption/Encrpytion of Image
But before, you needed to decrypt it via XOR tool. Files which has '.enc' extension means this file is encrypted with XOR and the key is the firmware name which usually directory name.
exe.img.enc -> XORDecrypt -> exe.img
If you wanted to play with CI+ device firmware, this devices firmwares has '.sec' extension at the end and those are both encrypted via AES and XOR.
exe.img.sec -> AESdecrypt -> XORDecrypt -> exe.img
For getting decrypted firmware image is little harder than exe.img.enc files. You needed to decrypt 'exe.img.sec' file with AES using secret key of "A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71". 'exe.img.sec' file has a 8 byte SALT at begging which you don't needed to forget... Using OpenSSL or simply using SamyGO Firmware Patcher will give you AES decrypted XOR encrypted file. You needed to decrypt XOR after this step.
Unfortunately this AES encrypted files has a RSA signature at last bytes. Since we don't know RSA secret, we can't compute required signature after modifying the firmware. So we cannot flash CI+ firmwares yet.
Some older firmwares like older A series has no protection at their firmware images. You can mount those images directly.
Mounting the Images
You can mount images as a FAT image. If you are under linux, simply
mount exe.img ./<any_directory> -o loop
will does the job done. If you are under Windows, you can use some Virtualization software to mount that image under Virtual Hosts second HDD drive or needed to search a tool that mounts FAT images.
Some images uses SquashFS instead of fat image. You can extract those images using unsquashfs utility.
unsquashfs exe.img
But remember, use only squashfs 3.0 for repacking the firmware or TV's kernel cannot recognize your recompiled firmware image at run time and your TV will bricked.
For repacking directory as SquashFS Image
mksquashfs <directory name here for compress> <resulting file name here> -b 65536 -le -all-root
Flashing Manually Modified Images
Firstly you must aware that, if you make any mistake on firmware modification, your TV will probably bricked after its flashed with it... You needed to ExLink cable and console access (only possible on CI devices) for revive your TV back. After modifying any image (like appdate.img or exe.img) you needed to update validinfo.txt for CRC.
*007_exe.img_35bda3e4*011_appdata.img_69153622
Here bold numbers are exe.img's CRC that taken from unencrypted image, not of the exe.img.enc or exe.img.sec files CRC.
