Difference between revisions of "Remove shell input filtration"
(Created page with "<placeholder> ==References== [http://forum.samygo.tv/viewtopic.php?f=10&t=2165 Support forum]") |
m (Please add info, correct my style/gramatic errors. Thanks!) |
||
| Line 1: | Line 1: | ||
| − | < | + | = Theory = |
| − | ==References | + | Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-Z, 0...9.<br> |
| + | Example (T-VALDEUC) how to get in to shell trough ExLink: | ||
| + | 10041004 {Enter} | ||
| + | 20089999 | ||
| + | 2 (Platform Print Setting) | ||
| + | 0 | ||
| + | 0 | ||
| + | 2 (Advanced Platform) | ||
| + | 2 (DeviceManager Debug) | ||
| + | 91 (DeviceManager SS Debug) | ||
| + | 20 (Enter system command) | ||
| + | SELP#> | ||
| + | From patched n_tty.c: (B series sources) | ||
| + | int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ }; | ||
| + | .. | ||
| + | .. | ||
| + | .. | ||
| + | #ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER | ||
| + | // additional checking 0~9, space, enter, backspace, SPTEAM 2009-02-12 | ||
| + | check = i = 0; | ||
| + | while(i < MAX_ARRAY ) | ||
| + | { | ||
| + | if( allow_char[i] == c ) | ||
| + | { | ||
| + | check = 1; | ||
| + | break; | ||
| + | } | ||
| + | i++; | ||
| + | } | ||
| + | if( !check ) | ||
| + | return; | ||
| + | #endif | ||
| + | |||
| + | Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations. | ||
| + | = Shell Unlock = | ||
| + | We have few possibilities to get unrestricted root access via exlink cable: | ||
| + | :#Patch kernel in memory - check [http://forum.samygo.tv/viewtopic.php?f=2&t=289&start=20#p5650 '''this topic'''] - for B series CI+ and maybe for D550(if anyone finds proper code to patch) only. Because on other models the required TDM function ''Register & Physical Memory Write'' is not available anymore (removed or hidden). | ||
| + | :#Recompile kernel - anyone should do that! Not yet available :( | ||
| + | :#Patch original kernel image and flash it to TV - dirtiest, but confirmed way to patch out input filtration. | ||
| + | Checked on IDA, proper function and HEX string to search for is found. Patching looks like this: | ||
| + | * Open kernel image in HEX editor | ||
| + | * Search for HEX string | ||
| + | 01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 {{red|0A}} | ||
| + | * Replace last byte ('''0A''' to '''EA'''). Result must look like: | ||
| + | 01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 {{red|EA}} | ||
| + | The Mathematics in asm code: | ||
| + | ROM:0016DA98 E0 1D 9F E5 LDR R1, =0xC02FBF9C | ||
| + | ROM:0016DA9C 01 30 92 E7 LDR R3, [R2,R1] | ||
| + | ROM:0016DAA0 04 20 82 E2 ADD R2, R2, #4 | ||
| + | ROM:0016DAA4 04 00 53 E1 CMP R3, R4 | ||
| + | ROM:0016DAA8 02 00 00 0A BEQ loc_16DAB8 | ||
| + | ROM:0016DAAC 4C 00 52 E3 CMP R2, #0x4C ==19 | ||
| + | ROM:0016DAB0 2E 03 00 0A BEQ loc_16E770 | ||
| + | ROM:0016DAB4 F7 FF FF EA B loc_16DA98 | ||
| + | With such patch we escaped from that input filtration loop and can input whatever we need now. | ||
| + | * Save new kernel image | ||
| + | * Calculate required hashes for new kernel | ||
| + | * '''[[Hashes | Edit hashes file]]''' (dump of original sign.bin - where hashes of appdata.img, exe.img, Image and rootfs.img are stored). If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch. This job is well done with '''chkhash''' (Instructions and download) | ||
| + | * Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available. | ||
| + | * If no errors came, reboot TV. And pray :) | ||
| + | |||
| + | |||
| + | |||
| + | '''{{red|To Be Added, WIP}}''' | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | = References = | ||
[http://forum.samygo.tv/viewtopic.php?f=10&t=2165 Support forum] | [http://forum.samygo.tv/viewtopic.php?f=10&t=2165 Support forum] | ||
Revision as of 20:57, 5 January 2013
Theory
Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-Z, 0...9.
Example (T-VALDEUC) how to get in to shell trough ExLink:
10041004 {Enter}
20089999
2 (Platform Print Setting)
0
0
2 (Advanced Platform)
2 (DeviceManager Debug)
91 (DeviceManager SS Debug)
20 (Enter system command)
SELP#>
From patched n_tty.c: (B series sources)
int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
..
..
..
#ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER
// additional checking 0~9, space, enter, backspace, SPTEAM 2009-02-12
check = i = 0;
while(i < MAX_ARRAY )
{
if( allow_char[i] == c )
{
check = 1;
break;
}
i++;
}
if( !check )
return;
#endif
Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.
Shell Unlock
We have few possibilities to get unrestricted root access via exlink cable:
- Patch kernel in memory - check this topic - for B series CI+ and maybe for D550(if anyone finds proper code to patch) only. Because on other models the required TDM function Register & Physical Memory Write is not available anymore (removed or hidden).
- Recompile kernel - anyone should do that! Not yet available :(
- Patch original kernel image and flash it to TV - dirtiest, but confirmed way to patch out input filtration.
Checked on IDA, proper function and HEX string to search for is found. Patching looks like this:
- Open kernel image in HEX editor
- Search for HEX string
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 0A
- Replace last byte (0A to EA). Result must look like:
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 EA
The Mathematics in asm code:
ROM:0016DA98 E0 1D 9F E5 LDR R1, =0xC02FBF9C ROM:0016DA9C 01 30 92 E7 LDR R3, [R2,R1] ROM:0016DAA0 04 20 82 E2 ADD R2, R2, #4 ROM:0016DAA4 04 00 53 E1 CMP R3, R4 ROM:0016DAA8 02 00 00 0A BEQ loc_16DAB8 ROM:0016DAAC 4C 00 52 E3 CMP R2, #0x4C ==19 ROM:0016DAB0 2E 03 00 0A BEQ loc_16E770 ROM:0016DAB4 F7 FF FF EA B loc_16DA98
With such patch we escaped from that input filtration loop and can input whatever we need now.
- Save new kernel image
- Calculate required hashes for new kernel
- Edit hashes file (dump of original sign.bin - where hashes of appdata.img, exe.img, Image and rootfs.img are stored). If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch. This job is well done with chkhash (Instructions and download)
- Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.
- If no errors came, reboot TV. And pray :)
To Be Added, WIP
