Extracting the ES-series firmware



Here we show how to extract an official Samsung stock firmware for your ES model, based on the MStar processor found in most of these models. The best way to illustrate this is with a working example for a particular model; you then only have to determine your own model and download the appropriate firmware (FW) for your TV set. In our case we have a European ES5700 running the T-MST10PDEUC firmware, so we will take it from there.

However, there are some tool requirements that you need to satisfy before proceeding: a working Python installation, some standard file extraction utilities, and the correct firmware download. Here is the extraction procedure:

  1. Install Python
  2. Install PyCrypto
  3. Download latest SamyGO patcher script from svn
  4. Extract your firmware
  5. Decrypt it (just an example)
  6. Uncompress exe.img with 7-zip and extract exeDSP or any other file you want.
    Or mount the image file as a loop device under Linux...


Example extraction for:

PC OS:      Windows + Cygwin
TV Model:   UExxES5700
Processor:  MST-10 Plus
FW series:  T-MST10PDEUC
FW version: 1029.0


1. Installing Python (on Windows)

I really hate using native Windows Python/Perl interpreters. So I will not show you how to install those. Instead, you will eventually be grateful to have installed Cygwin, which is the simplest way to do this. Just install Cygwin, then run setup and select one of the Python (Python 2.x.x or 3) packages...

(For installing Python 3 on Cygwin, which is not yet needed, see http://stackoverflow.com/questions/440547/installing-python-3-0-on-cygwin)


2. Installing PyCrypto in Cygwin

If you already have a previous installation of Python in Cygwin (like any decent hacker should have), all you have to do is install the PyCrypto modules. Just fire up your latest Cygwin "setup.exe", and in the "Python" category you'll find the "python-crypto" package (2.6-1 at this writing). Select it and continue the installation to finish.

If you need to compile your own, check: https://www.dlitz.net/software/pycrypto/


3. Downloading "SamyGO"

The SamyGO script is also known as the "SamyGO Firmware Patcher" script. This is what you need to download. Be sure to get the latest build possible.

The script (always updated and recent) can be found on svn:

http://sourceforge.net/p/samygo/code

Navigate to patcher/trunk/, click on SamyGO Firmware Patcher.py and press "Download this file" at the top.

Rename the script to "SamyGO.py", if needed.

4. Extract your firmware

You have of course already downloaded your firmware, so the next step is to decompress it. The firmware is usually delivered as a Windows executable file. If you use 7-zip, it will automatically extract the files into a sub-directory.


For example, extracting:

T-MST10PDEUC_1029.0.exe  ==[7-zip]==>  

Will result in a subdirectory structure as:

./T-MST10PDEUC_1029.0/T-MST10PDEUC/image/

containing the files:

appext.img.sec
appext.img.sec.cs
appext.img.sec.vs
exe.img.sec
exe.img.sec.cs
exe.img.sec.vs
rootfs.img.sec
rootfs.img.sec.cs
rootfs.img.sec.vs
uImage.sec
uImage.sec.cs
uImage.sec.vs
appext.img.sec.cmac
exe.img.sec.cmac
info.txt
major_version
minor_version
rootfs.img.sec.cmac
uImage.sec.cmac
validinfo.txt
version_info.txt

You need to work in the "T-MST10PDEUC_1029.0" directory; copy the SamyGO.py script there, unless it's already in your PATH.


5. Decrypting with SamyGO.py

$ python SamyGO.py decrypt_all T-MST10PDEUC
-----------------------------------------------------------------------------
SamyGO Firmware Patcher v0.34 (c) 2010-2011 Erdem U. Altinyurt

		   -=BIG FAT WARNING!=-
	    You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
	 project home: http://www.SamyGO.tv

Firmware:  T-MST10PDEUC v1029.0

AES Encrytped CI+ firmware detected.
Processing file appext.img.sec
secret key :  b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Crypto package found, using fast XOR engine.

Calculated CRC : 0x37E3430D
CRC Validation passed


Processing file exe.img.sec
secret key :  b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Crypto package found, using fast XOR engine.

Calculated CRC : 0xE48D94E0
CRC Validation passed


Processing file rootfs.img.sec
secret key :  b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Crypto package found, using fast XOR engine.

Calculated CRC : 0x76AC7C2C
CRC Validation passed


Processing file uImage.sec
secret key :  b4c136-fbc93576-b3e8-4035-bf4e-ba4cb4ada1ac-f0d81cc4-8301-4832-bd60-f331295743ba
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Crypto package found, using fast XOR engine.

Calculated CRC : 0xF1681A66
CRC Validation passed
-----------------------------------------------------------------------------

The result of this operation is that we get a number of new files:

uImage
uImage.enc
rootfs.img
rootfs.img.enc
exe.img
exe.img.enc
appext.img
appext.img.enc

The files without the ".enc" (encrypted) extension can then be extracted or mounted to see all the individual files.
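Before mounting or extracting anything, it is worth confirming that every image in the run reported a passed CRC. The following Python script is an added example, not part of the SamyGO patcher or the original page: it parses a saved copy of the decrypt_all output and lists the files that never reached "CRC Validation passed". It assumes the line format shown above; the function names are hypothetical, and because the page does not show the tool's failure message, a missing validation line is treated as "not validated".

```python
import re

# Constructed sample: same line format as the decrypt_all output above,
# but the second file is cut off before its validation line.
SAMPLE_LOG = """\
Processing file appext.img.sec
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Calculated CRC : 0x37E3430D
CRC Validation passed

Processing file exe.img.sec
Decrypting AES...
Decrypting with  XOR Key :  T-MST10PDEUC
Calculated CRC : 0xE48D94E0
"""

FILE_RE = re.compile(r"^Processing file (\S+)\s*$")
CRC_RE = re.compile(r"^Calculated CRC\s*:\s*(0x[0-9A-Fa-f]{1,8})\s*$")


def parse_decrypt_log(text):
    """Return one record per 'Processing file' block, in log order."""
    records = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            records.append({"file": m.group(1), "crc": None, "passed": False})
            continue
        if not records:
            continue  # banner lines before the first file
        m = CRC_RE.match(line)
        if m:
            records[-1]["crc"] = int(m.group(1), 16)
        elif line.strip() == "CRC Validation passed":
            records[-1]["passed"] = True
    return records


def unvalidated(records):
    """Files whose decrypted image should not be mounted or extracted yet."""
    return [r["file"] for r in records if r["crc"] is None or not r["passed"]]


if __name__ == "__main__":
    for rec in parse_decrypt_log(SAMPLE_LOG):
        crc = "none" if rec["crc"] is None else "0x%08X" % rec["crc"]
        print(rec["file"], crc, "OK" if rec["passed"] else "NOT VALIDATED")
```

A passed CRC is an integrity check on the decrypted data only; it is not proof of where the firmware file came from.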

6. Extracting exeDSP

Now you can open any of the resulting disk image files:

uImage
rootfs.img
exe.img
appext.img

Here uImage is the "VDLinux" based kernel image. The exeDSP is contained in the exe.img, which can be either expanded with 7-zip or mounted as a loop image by the standard "mount" Linux utility.

For example, in Linux:

# "loop" is a mount option (-o), not a filesystem type (-t); the mount point must already exist
mount -o loop exe.img /dev/tmp/imgdata

However, if you're using Windows you'll first need to extract the above disk image. You can only extract, since there is no reliable Windows utility which can mount a disk image read-write. (Cygwin does not support "loop" devices as shown above.) The recommended tool is DiskInternals Linux Reader. Download and install this.


<< This is a WIP and may need some more editing... >>

Ask in the forum if anything is unclear.