Difference between revisions of "How to enable Telnet on samsung TV's"


From SamyGO
Jump to: navigation, search
(Created page with '(by dynamic1969, edits and extensions by marcelr, suggestions by olivluca, grajen) Prerequisites (if you do not have ALL of these: Google is your friend, at least for the softwa…')
 
(Added sections for easy access to required section.)
Line 1: Line 1:
(by dynamic1969, edits and extensions by marcelr, suggestions by olivluca, grajen)
+
(by dynamic1969, edits and extensions by marcelr, erdem_ua, suggestions by olivluca, grajen)
  
Prerequisites (if you do not have ALL of these: Google is your friend, at least for the software):
+
== Prerequisites ==
 +
(if you do not have ALL of these: Google is your friend, at least for the software):
  
 
*a Samsung TV attached to your local network.
 
*a Samsung TV attached to your local network.
Line 22: Line 23:
 
*a telnet client.
 
*a telnet client.
  
 +
== Hacking the Firmware ==
 
To acquire telnet access to your tv, do the following:
 
To acquire telnet access to your tv, do the following:
  
Line 53: Line 55:
 
  *007_exe.img_xxxxxxxx*011_appdata.img_126fb41f
 
  *007_exe.img_xxxxxxxx*011_appdata.img_126fb41f
 
*Encrypt exe.img again, using xor encryption with key "T-CHU7DEUC" and copy it into the T-CHU7DEUC/image directory. Name it "exe.img.enc"
 
*Encrypt exe.img again, using xor encryption with key "T-CHU7DEUC" and copy it into the T-CHU7DEUC/image directory. Name it "exe.img.enc"
 +
 +
=== Flashing to TV ===
 
*Move the T-CHU7DEUC directory and all of its contents to an otherwise empty USB drive, plugin the USB drive into your TV and manually start the upgrade via the appropriate menu entry on your TV
 
*Move the T-CHU7DEUC directory and all of its contents to an otherwise empty USB drive, plugin the USB drive into your TV and manually start the upgrade via the appropriate menu entry on your TV
 +
 +
=== Result ===
 
*After upgrade, open a shell and start a telnet session on your tv:
 
*After upgrade, open a shell and start a telnet session on your tv:
  

Revision as of 23:39, 3 October 2009

(by dynamic1969, edits and extensions by marcelr, erdem_ua, suggestions by olivluca, grajen)

Prerequisites

(if you do not have ALL of these: Google is your friend, at least for the software):

  • a Samsung TV attached to your local network.
  • a hex editor.
    • Linux : okteta and many others
    • Windows: flexhex, neo, and many others.
    • Mac :
  • a crc32 checksum calculator.
    • Linux : okteta 0.3 or later, check, minicrc and many others
    • Windows: flexhex, be wary of little endian (byte-reversed) checksums, possibly others
    • Mac :
  • xor encryption/decryption software.
    • Linux : okteta 0.3 or later, crypt-xor, possibly others. I wrote my own ...
    • Windows: flexhex, possibly others
    • Mac :
  • a normal ASCII editor.
    • Linux : emacs, vi, gedit and and many more.
    • Windows: notepad (Or a word processor. Be careful to save in ascii mode, .txt format)
    • Mac :
  • a telnet client.

Hacking the Firmware

To acquire telnet access to your tv, do the following:

  • Download the firmware package for your tv from the Samsung website and unpack it. As an example in this HOWTO, the T-CHU7DEUC.exe file for a ue40b70xx is taken. This will also work on any other xor-encoded firmware. Just replace the T-CHU7DEUC in this howto with your firmware name. When working on a linux box, you can unpack it with wine or unrar.
  • Decrypt exe.img.enc in the T-CHU7DEUC/image directory using an xor decrypter with key "T-CHU7DEUC" (the firmware root directory name) and name it exe.img
  • Check the CRC32 checksum of your decrypted file (exe.img). It should match the checksum (8-digit hexadecimal number), <xxxxxxxx> given in validinfo.txt _exactly_:
*007_exe.img_xxxxxxxx*011_appdata.img_126fb41f 

If the checksums don't match, check the following: Is the downloaded file not corrupted? Is your decryption flawless?

  • Using a hex-editor, make the following changes to the contents of rc.local in the decrypted exe.img file: locate the lines:
export KF_LOG=/dev/null #Remove engine logging.
cd /mtd_exe/

./exeDSP

and replace the first one with:

export KF_LOG=/dev/null;/etc/telnetd_start.sh;

Do not touch:

cd /mtd_exe/

./exeDSP

Make sure you do not change the length of the image file. To be on the safe side, replace any unprintable characters on the changed line with spaces, but _keep_ the linefeed (0x0a)

And remember: Think before you type.

  • Re-calculate the CRC32 checksum for the updated image.
  • Using a normal ASCII editor, update validinfo.txt in the T-CHU7DEUC/image directory with the new CRC information: Replace xxxxxxxx in this line with the newly calculated checksum (8 hexadecimal digits, be aware of leading zeros):
*007_exe.img_xxxxxxxx*011_appdata.img_126fb41f
  • Encrypt exe.img again, using xor encryption with key "T-CHU7DEUC" and copy it into the T-CHU7DEUC/image directory. Name it "exe.img.enc"

Flashing to TV

  • Move the T-CHU7DEUC directory and all of its contents to an otherwise empty USB drive, plugin the USB drive into your TV and manually start the upgrade via the appropriate menu entry on your TV

Result

  • After upgrade, open a shell and start a telnet session on your tv:
$ telnet aaa.bbb.ccc.ddd

with aaa.bbb.ccc.ddd your tv's IP-address. when prompted, log in as <root> This is what you'll see, when connected:

$ telnet aaa.bbb.ccc.ddd
Trying aaa.bbb.ccc.ddd...
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.

localhost login: root
-sh: id: not found
#

You can now start typing commands. For available commands visit the normal places: /bin, /sbin, /usr/bin and /usr/sbin