Playing with Firmware Images

From SamyGO
Jump to: navigation, search

Here is how to play with your firmware images.

Extraction of Firmware

Downloaded firmwares from Samsung is usually an windows executable file. You can extract it using both wine or unrar command from linux/MacOS.

death@triQuad:/SamyGO/Silo> unrar x T-CHL7DEUC.exe

UNRAR 3.90 beta 3 freeware      Copyright (c) 1993-2009 Alexander Roshal

Extracting from T-CHL7DEUC.exe

;The comment below contains SFX script commands

Title=How to prepare the USB Memory Drive

Creating    T-CHL7DEUC                                                OK
Extracting  T-CHL7DEUC/crc                                            OK 
Extracting  T-CHL7DEUC/ddcmp                                          OK 
Creating    T-CHL7DEUC/image                                          OK
Extracting  T-CHL7DEUC/image/appdata.img.enc                          OK 
Extracting  T-CHL7DEUC/image/exe.img.enc                              OK 
Extracting  T-CHL7DEUC/image/info.txt                                 OK 
Extracting  T-CHL7DEUC/image/serial_temp                              OK 
Extracting  T-CHL7DEUC/image/validinfo.txt                            OK 
Extracting  T-CHL7DEUC/image/version_info.txt                         OK 
Extracting  T-CHL7DEUC/MicomCtrl                                      OK 
Extracting  T-CHL7DEUC/rc.local                                       OK 
Extracting  T-CHL7DEUC/                                     OK 
All OK

After extraction, you can open the exe.img.enc file, which holds exeDSP program in it.

You can also extract images from your TV! All you need is reading Dumping and Flashing images by hand.

Decryption/Encrpytion of Image

But before, you needed to decrypt it via XOR tool. Files which has '.enc' extension means this file is encrypted with XOR and the key is the firmware name which usually directory name.

exe.img.enc -> XORDecrypt -> exe.img

If you wanted to play with CI+ device firmware, this devices firmwares has '.sec' extension at the end and those are both encrypted via AES and XOR.

exe.img.sec -> AESdecrypt -> XORDecrypt -> exe.img

For getting decrypted firmware image is little harder than exe.img.enc files. You needed to decrypt 'exe.img.sec' file with AES using secret key of "A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71". 'exe.img.sec' file has a 8 byte SALT at begging which you don't needed to forget... Using OpenSSL or simply using SamyGO Firmware Patcher will give you AES decrypted XOR encrypted file. You needed to decrypt XOR after this step.

Unfortunately this AES encrypted files has a RSA signature at last bytes. Since we don't know RSA secret, we can't compute required signature after modifying the firmware. So we cannot flash CI+ firmwares yet.

Some older firmwares like older A series has no protection at their firmware images. You can mount those images directly.

Mounting the Images

You can mount images as a FAT image. If you are under linux, simply

mount exe.img ./<any_directory> -o loop

will does the job done. If you are under Windows, you can use some Virtualization software to mount that image under Virtual Hosts second HDD drive or needed to search a tool that mounts FAT images.

Some images uses SquashFS instead of fat image. You can extract those images using unsquashfs utility.

unsquashfs exe.img

But remember, use only squashfs 3.0 for repacking the firmware or TV's kernel cannot recognize your recompiled firmware image at run time and your TV will bricked.

For repacking directory as SquashFS Image

mksquashfs <directory name here for compress> <resulting file name here> -b 65536 -le -all-root

Flashing Manually Modified Images

Firstly you must aware that, if you make any mistake on firmware modification, your TV will probably bricked after its flashed with it... You needed to ExLink cable and console access (only possible on CI devices) for revive your TV back. After modifying any image (like appdate.img or exe.img) you needed to update validinfo.txt for CRC.


Here bold numbers are exe.img's CRC that taken from unencrypted image, not of the exe.img.enc or exe.img.sec files CRC.