Playing with Firmware Images
Here is how to play with your firmware images.
Contents
Extraction of Firmware
Downloaded firmwares from Samsung is usually an windows executable file. You can extract it using both wine or unrar command from linux/MacOS.
death@triQuad:/SamyGO/Silo> unrar x T-CHL7DEUC.exe UNRAR 3.90 beta 3 freeware Copyright (c) 1993-2009 Alexander Roshal Extracting from T-CHL7DEUC.exe ;The comment below contains SFX script commands Title=How to prepare the USB Memory Drive Text { <BODY> ...... ...... </BODY> } Creating T-CHL7DEUC OK Extracting T-CHL7DEUC/crc OK Extracting T-CHL7DEUC/ddcmp OK Creating T-CHL7DEUC/image OK Extracting T-CHL7DEUC/image/appdata.img.enc OK Extracting T-CHL7DEUC/image/exe.img.enc OK Extracting T-CHL7DEUC/image/info.txt OK Extracting T-CHL7DEUC/image/serial_temp OK Extracting T-CHL7DEUC/image/validinfo.txt OK Extracting T-CHL7DEUC/image/version_info.txt OK Extracting T-CHL7DEUC/MicomCtrl OK Extracting T-CHL7DEUC/rc.local OK Extracting T-CHL7DEUC/run.sh.enc OK All OK
After extraction, you can open the exe.img.enc file, which holds exeDSP program in it.
You can also extract images from your TV! All you need is reading Dumping and Flashing images by hand.
Decryption/Encrpytion of Image
But before, you needed to decrypt it via XOR tool. Files which has '.enc' extension means this file is encrypted with XOR and the key is the firmware name which usually directory name.
exe.img.enc -> XORDecrypt -> exe.img
If you wanted to play with CI+ device firmware, this devices firmwares has '.sec' extension at the end and those are both encrypted via AES and XOR.
exe.img.sec -> AESdecrypt -> XORDecrypt -> exe.img
For getting decrypted firmware image is little harder than exe.img.enc files. You needed to decrypt 'exe.img.sec' file with AES using secret key of "A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71". 'exe.img.sec' file has a 8 byte SALT at begging which you don't needed to forget... Using OpenSSL or simply using SamyGO Firmware Patcher will give you AES decrypted XOR encrypted file. You needed to decrypt XOR after this step.
Unfortunately this AES encrypted files has a RSA signature at last bytes. Since we don't know RSA secret, we can't compute required signature after modifying the firmware. So we cannot flash CI+ firmwares yet.
Some older firmwares like older A series has no protection at their firmware images. You can mount those images directly.
Mounting the Images
You can mount images as a FAT image. If you are under linux, simply
mount exe.img ./<any_directory> -o loop
will does the job done. If you are under Windows, you can use some Virtualization software to mount that image under Virtual Hosts second HDD drive or needed to search a tool that mounts FAT images.
Some images uses SquashFS instead of fat image. You can extract those images using unsquashfs utility.
unsquashfs exe.img
But remember, use only squashfs 3.0 for repacking the firmware or TV's kernel cannot recognize your recompiled firmware image at run time and your TV will bricked.
Flashing Manually Modified Images
Firstly you must aware that, if you make any mistake on firmware modification, your TV will probably bricked after its flashed with it... You needed to ExLink cable and console access (only possible on CI devices) for revive your TV back. After modifying any image (like appdate.img or exe.img) you needed to update validinfo.txt for CRC.
*007_exe.img_35bda3e4*011_appdata.img_69153622
Here bold numbers are exe.img's CRC that taken from unencrypted image, not of the exe.img.enc or exe.img.sec files CRC.