Forced revert back to older firmware


From SamyGO
Jump to: navigation, search
Moras trojan.png
This is procedure for reverting back to an older firmware. It can help you if you upgraded TV to latest firmware accidentally or buy TV with already latest firmware, however it only works for TV which support Content Library.

Enabling Telnet

With the latest firmware, Samsung disabled both Ex-Link console connection and external applications probably to stopping us. So you cannot create telnet connection to TV because you cannot use Telnet Enabler application. If you copied Telnet Application to TV's flash memory before you are lucky. But if you didn't please don't cry, here is the solution.

Trojan Horse

Historically: Trojan is a giant horse that has hidden soldiers in it and it was used first at Troya A.D.2500-3000, which is in Çanakkale, Turkey now. Soldiers leave a huge wooden horse behind them as a gift and fade away... Enemies take that giant horse inside of city walls. But when the night comes, soldiers hidden in the horse get out and open the gates... :)


First you need enable (if not already) copy/remove feature in Content Library Manager.

  • Enter Service Menu ( quickly push [INFO] [MENU] [MUTE] [POWER] on your remote control )
  • Change setting (Control -> Sub Option -> Wiselink Write -> On )
  • Download SamyGO Telnet Enabler Trojan.
  • Unpack and copy telnet-enabler folder to root USB and plug in to TV.
  • Enter Content Library Manager -> Select USB -> Select Children category.
  • Use Copy function on TV to copy Telnet Enabler as Trojan content to TV internal flash.
  • Return back to main manu in Content Library Manager and select again Children but from TV flash contents this time.
  • Run Run this Telnet Enabler to enable telnet access (or open the gates :) ).



Force firmware back (FFB)

Moras forcefirmwareback.png
Downgrade B series TV using FFB

FFB is a small Samygo application for B series CI (but not CI+ !!!) Samsung TVs to force firmware downgrade
on "february" and latest firmwares. With help of this Samygo "game" its easy to restore
pre-february firmware.
No change of firmware files needed.

CI TV models:

LCD

  • LExxB65x - firmware: T-CHL7DEUC
  • LExxB75x - firmware: T-CHL7DEUC
  • LNxxB65x - firmware: T-CHEAUSC
  • LNxxB75x - firmware: T-CHEAUSC

PLASMA

  • PSxxB65x - firmware: T-CHL7DEUC
  • PSxxB85x - firmware: T-CHU7DEUC
  • PNxxB85x - firmware: T-CHEAUSC
  • PNxxB8xxx - firmware: T-CHE7AUSC

LEDTV

  • UExxB7xxx - firmware: T-CHU7DEUC
  • UExxB8xxx - firmware: T-CHU7DEUC
  • UNxxB7xxx - firmware: T-CHE7AUSC
  • UNxxB8xxx - firmware: T-CHE7AUSC

No other models supported, you can brick TV if use other!
Use at your own risk.

Instructions and DOWNLOAD link for the latest release: available on samygo.tv (read it first!)

For other models try methods below:

Forcing to Enable Alternative Firmware if you upgraded to latest firmware (CI and CI+)

After some firmware upgrades, Samsung disable reverting firmware back to older state. Actually we were using as a solution for that, flashing mtd_exe and mtd_appdata partitions via manual flashing procedure (or by script from TV Content Library Manager) over telnet connection, enabled with Telnet Enabler application. Instead of flashing dump of older firmware over actually used partition which is risky, we can switch to older firmware via this simple hack. This way is safer than other approaches. Code bellow unhides alternative firmware in TV.

  • If You accidentally upgraded to the latest firmware and there was earlier firmware on Your TV before
    You can run script and activate alternative firmware from TV menu. Go to Fully automated way
  • If You bought TV with the latest firmware installed, and there isn`t any earlier firmware installed before, go to Dangerous way

Fully automated way: activate Alternative Firmware from Content Library Manager

Here is the instruction how to modify SamyGO Telnet Enabler Trojan to enable telnet and activate alternative firmware menu.
With this You be able to:
Samygoautorevertfirmwar.png
  • Activate Alternative firmware menu (no comments. This game does NOT enable telnet)
  • Run Telnet Enabler

Here is the third option: Samygo Trojan Horse. It does nothing, You don`t need to run it

Steps are very similar to #Trojan_Horse:

  • Enter Service Menu ( quickly push [INFO] [MENU] [MUTE] [POWER] on your remote control )
  • Change setting (Control -> Sub Option -> Wiselink Write -> On )
  • Download attached file: telnet-enabler.tar.gz
  • Unpack and copy telnet-enabler folder to root USB and plug in to TV.
  • Enter Content Library Manager -> Select USB -> Select Children category.
  • Use Copy function on TV to copy Telnet Enabler as Trojan content to TV internal flash.
  • Return back to main manu in Content Library Manager and select again Children but from TV flash contents this time.
  • You can run it from: [Menu] -> [Source list] -> [USB] -> [Content Library] -> [My Contents] -> [Children]
  • Run Activate Alternative firmware menu
  • Wait while script makes a job, don`t power-off TV. There isn`t any message to inform You about it`s done (on LE40B653T5WXBT it took 50 sec). Just after approx. 2 minutes check Firmware upgrade menu, if there is Alternative Firmware active, choose it, TV reboots with new older firmware. ;)

If You have trouble with this method, try making whole procedure manually:

If You have UDN key (from nurisam.com) and/or You have trouble with running "game" from Children menu, just copy whole telnet and rollback sub-directories to USB root and You will able run it from Games menu.

Partially automated way to get Alternative Firmware enabled

Based on the simple script, that enables older firmware [1].

  • Enable telnet (exact as described) with #Trojan_Horse
  • Connect to Your TV via telnet. You can use any telnet program. For example - Putty

Enter IP address of TV (e.g. 192.168.1.100). IP address must be configured manually, not automaticaly!

Fig.1. Connection type: telnet and Port: 23                                         Fig.2. After You press Open, You get to TV:

Putty1.png
Putty2.png

Now You are inside and TV is ready accept commands.
Enter Your commands after sign #.









  • Download the file revert.rar and unpack it to USB root, plug-in USB to TV.

You have to know what path is to your USB. Input mount and look what You get. e.g:

localhost login: root
-sh: id: not found
# mount
/dev/root on / type squashfs (ro)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/sam type tmpfs (rw)
none on /dtv type tmpfs (rw)
/dev/tbml7 on /mtd_boot type squashfs (ro)
none on /mtd_ram type tmpfs (rw)
/dev/stl0/14 on /mtd_rwarea type rfs (rw)
/dev/tbml8 on /mtd_exe type rfs (ro)
/dev/tbml9 on /mtd_appdata type squashfs (ro)
devpts on /dev/pts type devpts (rw)
/dev/stl0/13 on /mtd_tlib type rfs (rw)
/dev/stl0/15 on /mtd_contents type rfs (rw)
/dev/stl0/16 on /mtd_down type rfs (rw)
/dev/stl0/12 on /mtd_wiselink type rfs (rw)
/dev/stl0/17 on /mtd_swu type rfs (rw)
none on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /dtv/usb/sda1 type vfat rw,sync,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed)

Look at the last line of output. In example You see, that my USB is recognized as /dtv/usb/sda1. If You get another path, please correct it.

  • Give permissions to run script.
chmod 755 /dtv/usb/sda1/revert.sh
  • Run script and wait until it ends. (approximately 2 minutes)
sh +x /dtv/usb/sda1/revert.sh

Don`t power off TV. You have to see .!!!!!!!!!!!!!!! End. Now go to firmware update menu !!!!!!!!!!!!!!!. on telnet window.

  • Go to Firmware upgrade menu and You will see alternative firmware choice active.

You can make revert.sh script by Yourself. Here is the code:

#!/bin/sh
echo .
echo .
echo .!!!!!!!!!!!!!!! Start script. Wait....for next message....!!!!!!!!!!!!!!!.

if [ -f /mtd_rwarea/PartitionSwitch_1_0 ]
then

mkdir /dtv/test
mount -t auto /dev/tbml8 /dtv/test
FWNAME=$(cat /.info)
OLDVERS=$(/bin/busybox egrep -e $(echo "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]") /dtv/test/exeDSP)
OLDVERS=$(echo $OLDVERS | sed s/.*-//g | sed 's/\..*//g')
if [ -f /mtd_rwarea/Version.0 ] # Script doesn't overwrite if there is a Version.0 file
 then
 echo "Error  /mtd_rwarea/Version.0 already exists." > ./error.log
 else
 echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.1) > /mtd_rwarea/Version.0
fi

 else

mkdir /dtv/test
mount -t auto /dev/tbml10 /dtv/test

FWNAME=$(cat /.info)
OLDVERS=$(/bin/busybox egrep -e $(echo "$FWNAME-[0-9][0-9][0-9][0-9].[0-9]") /dtv/test/exeDSP)
OLDVERS=$(echo $OLDVERS | sed s/.*-//g | sed 's/\..*//g')
if [ -f /mtd_rwarea/Version.1 ] # Script doesn't overwrite if there is a Version.1 file
 then
 echo "Error  /mtd_rwarea/Version.1 already exists." > ./error.log
 else
 echo $(sed 's/_00[0-9][0-9][0-9][0-9]_/_00'$OLDVERS'_/g' /mtd_rwarea/Version.0) > /mtd_rwarea/Version.1
fi

fi   

echo .
echo .done!                                                                                                 
echo .!!!!!!!!!!!!!!! Now go to firmware update menu !!!!!!!!!!!!!!!.

Not automated way. Enter commands manually

All commands You need enter manually. Notice: These code lines are as an example for B650-B750 devices, so firmware name contains T-CHL7DEUC, for other TV's you need to use corresponding version string of previously installed firmware and corresponding missing Version file (Version.0 or Version.1)!!!

localhost login: root
-sh: id: not found
# cd /mtd_rwarea
# ls -l Version.*
-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1
# cat Version.1
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
# ls -l Version.*
-rwxr-xr-x    1 root     0              44 Jan  1 00:00 Version.0
-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1
# cat Version.*
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
#

After this, disabled "Alternative Software" selection in standard TV's Support / Software Upgrade Menu becomes enabled and populated again. You can switch to previously flashed firmware and then flash some safe firmware over the latest firmware which has restrictions.

Find EXACT ID of older firmware

You can find your TV's older Version.* file via mounting backup partitions. You can extract EXACT ID of older Firmware at this step too. You needed to change Firmware model if its not T-CHL7DEUC that written bold at bellow.

# mkdir /dtv/test1
# mkdir /dtv/test2
# mount -t auto /dev/tbml8 /dtv/test1
# /bin/busybox egrep -e 'T-CHL7DEUC-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test1/exeDSP
SWU_T-CHL7DEUC_003000_I02_EK000DK000_100125
# mount -t auto /dev/tbml10 /dtv/test2
# /bin/busybox egrep -e 'T-CHL7DEUC-[0-9][0-9][0-9][0-9].[0-9]' /dtv/test2/exeDSP
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

This results show that tbml10 partition holding firmware 2004.

DANGEROUS WAY, FOR NEW TV WITH LATEST FIRMWARE AND CI ONLY

Don't try this unless knowing what you are doing exactly.

Flash older firmware on new TV (CI only) with latest firmware

WARNING 1: THIS IS ABSOLUTELY NOT FOR CI+ DEVICES

WARNING 2: You better to have FULL TV partitions backup to your flash and working uboot code on your TV before starting this hack, Unless you might not recover your bricked TV later. But with working uboot code on your TV, it's easy to recover your bricked TV.

*For safety reasons enable ex-link and turn off watchdog in service menu.

  • Install python on your computer if not yet installed.
  • Download one of below firmwares used by your TV.
  • Download SamyGO Firmware Decrypter.
  • Unpack firmware to some directory.
  • Copy SamyGO Firmware Decrypter to unpacked firmware directory.
  • Run shell/cmdline and change directory to unpacked firmware.
  • Run Decrypter:
python "SamyGO Firmware Decrypter"
  • After it successfully finished you will have two decrypted files in image folder: appdata.img and exe.img.
  • Copy that two files into USB drive.
  • Plug USB drive into TV.
  • Telnet to TV.

Notice: These code lines below are as an example for B650-B750 devices, so firmware name contains T-CHL7DEUC and specific versions IDs!!!

# cd /mtd_rwarea/
# ls -l Version.*

You should have this:

-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.1

or

-rwxr-xr-x    1 root     0              44 Jan  1  1980 Version.0

First case we call it now 1 and second 2 and you proceed only one of them. So you will write to alternative file opposite to allready existed.

---1---

# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.0
# bml.restore /dev/bml0/8 /dtv/usb/sda1/exe.img
# bml.restore /dev/bml0/9 /dtv/usb/sda1/appdata.img

Now lets verify it:

# mkdir /dtv/test
# mount -t auto /dev/tbml8 /dtv/test

If there are not errors unmount it.

# umount /dtv/test

And test second:

# mount -t auto /dev/tbml9 /dtv/test

If there are not errors unmount it.

# umount /dtv/test

Checks if version file is ok:

# ls -l Version.0
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

---2---

# echo SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816 > Version.1
# bml.restore /dev/bml0/10 /dtv/usb/sda1/exe.img
# bml.restore /dev/bml0/11 /dtv/usb/sda1/appdata.img

Now lets verify it:

# mkdir /dtv/test
# mount -t auto /dev/tbml10 /dtv/test

If there are not errors unmount it.

# umount /dtv/test

And test second:

# mount -t auto /dev/tbml11 /dtv/test

If there are not errors unmount it.

# umount /dtv/test

Checks if version file is ok:

# ls -l Version.1
SWU_T-CHL7DEUC_002004_I02_ES000DS000_090816

After this, disabled "Alternative Software" selection in standard TV's Support / Software Upgrade Menu becomes enabled and populated again. You can switch to previously flashed firmware and then flash some safe firmware over the latest firmware which has restrictions.

List Firmware links, versions and their ids

You can find info on our Old & Good Firmwares page.