Difference between revisions of "Remove shell input filtration"


From SamyGO
Jump to: navigation, search
m (Patch kernel image)
m (Theory)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
= Theory =
 
= Theory =
Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-Z, 0...9.<br>
+
Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-F, 0...9.<br>
 
Example (T-VALDEUC) how to get in to shell trough ExLink:
 
Example (T-VALDEUC) how to get in to shell trough ExLink:
 
  10041004 {Enter}
 
  10041004 {Enter}
Line 12: Line 12:
 
  20 (Enter system command)
 
  20 (Enter system command)
 
  SELP#>
 
  SELP#>
From patched n_tty.c: (B series sources)
+
Function in /drivers/char/n_tty.c:
 
  int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
 
  int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
 
                         ..
 
                         ..
Line 34: Line 34:
  
 
Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.
 
Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.
 +
 
= How To =
 
= How To =
 
'''We have few possibilities to get unrestricted root access via exlink cable:'''
 
'''We have few possibilities to get unrestricted root access via exlink cable:'''
Line 48: Line 49:
 
<font size="3">'''Steps:'''</font size>
 
<font size="3">'''Steps:'''</font size>
 
* Use dump of kernel`s partition or decrypt kernel using '''[http://sourceforge.net/p/samygo/code/1246/tree/patcher/trunk SamyGO Firmware patcher]''' (example):
 
* Use dump of kernel`s partition or decrypt kernel using '''[http://sourceforge.net/p/samygo/code/1246/tree/patcher/trunk SamyGO Firmware patcher]''' (example):
  SamyGO.py decrypt_all ./T-CHLCIPDEUC
+
  SamyGO.py decrypt_all ./T-VALDEUC
 
* Open decrypted kernel image in HEX editor
 
* Open decrypted kernel image in HEX editor
 
* Search for HEX string
 
* Search for HEX string
Line 65: Line 66:
 
With such patch we escaped from that input filtration loop and can input whatever we need now.
 
With such patch we escaped from that input filtration loop and can input whatever we need now.
 
* Save new kernel image
 
* Save new kernel image
* '''[[Hashes#Calculating_hashes | Calculate]] required hashes for new kernel
+
* '''[[Hashes#Calculating_hashes | Calculate]]''' new cmac blocks (hashes) for new kernel:
 +
mkey=6f6bc7e1fc7f86bf9c150a82f343e2e0 (for T-VAL* firmwares)
 +
:Calculating and comparing of hashes can be done with '''[http://download.samygo.tv/Others/chkhash-0.02.zip chkhash tool]'''
 
* '''[[Hash_partition_structure | Edit hashes file]]''' (cmac bloks (hashes) of appdata.img, exe.img, Image and rootfs.img are stored in some separate partition on TV).  
 
* '''[[Hash_partition_structure | Edit hashes file]]''' (cmac bloks (hashes) of appdata.img, exe.img, Image and rootfs.img are stored in some separate partition on TV).  
 
:If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch.  
 
:If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch.  
:Calculating and comparing of hashes can be done with '''chkhash''' (Instructions and download)
+
* Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.<br>
* Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.
+
Decide what is your active partition set (on C/D/E series here are two sets of rootfs+kernel, active and alternative). For this goal you have to check for console output:
* If no errors came, reboot TV. And pray :)
+
cat /proc/cmdline
 
+
The output for '''1st set''' should look:
 
+
root=/dev/tfsr6 console=ttyS1 quiet
 
+
This means active firmware uses '''first''' set of partitions, kernel=/dev/bml0/'''{{red|5}}''', rootfs=/dev/bml0/'''{{red|6}}''' and hashes are checked from /dev/bml0/'''{{red|9}}'''<br>
'''{{red|To Be Added, WIP}}'''
+
Output for '''2nd set''':
 
+
root=/dev/tfsr8 console=ttyS1 quiet
 
+
This means active firmware uses '''second''' set of partitions, kernel=/dev/bml0/'''{{red|7}}''', rootfs=/dev/bml0/'''{{red|8}}''' and hashes are checked from /dev/bml0/'''{{red|10}}'''<br>
 
+
''In example we got the 2nd partition set is used and we have to restore bml0/7 with patched kernel and bml0/10 with correct hashes:''
 
+
bml.restore /dev/bml0/7 /dtv/usb/sda1/bml7_VAL_3015_patched.dmp
 +
sync
 +
sync
 +
sync
 +
bml.restore /dev/bml0/10 /dtv/usb/sda1/bml10_VAL_3015_patched.dmp
 +
sync
 +
sync
 +
sync
 +
'''{{red|If you get ANY error while restoring partitions, DO NOT REBOOT or POWER OFF TV, ask for help and wait...}}'''
  
  
 +
* If no errors came, reboot TV. And pray :)
  
  

Latest revision as of 09:17, 27 May 2013

Theory

Starting B series CI+ TV models, Samsung patched n_tty.c to cripple the console at kernel level. So it is not possible to get full unrestricted shell trough ExLink cable, even the required menu exists on TDM. All what is possible - input HEX chars A-F, 0...9.
Example (T-VALDEUC) how to get in to shell trough ExLink:

10041004 {Enter}
20089999
2 (Platform Print Setting)
0
0
2 (Advanced Platform)
2 (DeviceManager Debug)
91 (DeviceManager SS Debug)
20 (Enter system command)
SELP#>

Function in /drivers/char/n_tty.c:

int allow_char[] = { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 /* 0~9 */, 32 /*space*/, 13 /*enter*/, 8 /*backspace*/ };
                        ..
                        ..
                        ..
#ifdef CONFIG_SERIAL_INPUT_ENABLE_ONLY_NUMBER
          // additional checking 0~9, space, enter, backspace, SPTEAM 2009-02-12
          check = i = 0;
          while(i < MAX_ARRAY )
          {
               if( allow_char[i] == c )
                {
                          check = 1;
                          break;
                }
               i++;
          }
          if( !check )
               return;
#endif

Unlimited shell access might be useful in developing, repair if TV is bricked or any other emergency situations.

How To

We have few possibilities to get unrestricted root access via exlink cable:

Patch kernel in memory

Check this topic - for B series CI+ and maybe for D550(if anyone finds proper code to patch) only. Because on other models the required TDM function Register & Physical Memory Write is not available anymore (removed or hidden).

Recompile kernel

Anyone should document that!

Patch kernel image

Dirtiest, but confirmed way to patch out input filtration. Checked on IDA, proper function and HEX string to search for is found.

Steps:

SamyGO.py decrypt_all ./T-VALDEUC
  • Open decrypted kernel image in HEX editor
  • Search for HEX string
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 0A
  • Replace last byte (0A to EA). Result must look like:
01 30 92 E7 04 20 82 E2 04 00 53 E1 02 00 00 EA

The Mathematics in asm code:

ROM:0016DA98 E0 1D 9F E5                 LDR     R1, =0xC02FBF9C
ROM:0016DA9C 01 30 92 E7                 LDR     R3, [R2,R1]
ROM:0016DAA0 04 20 82 E2                 ADD     R2, R2, #4
ROM:0016DAA4 04 00 53 E1                 CMP     R3, R4 
ROM:0016DAA8 02 00 00 0A                 BEQ     loc_16DAB8
ROM:0016DAAC 4C 00 52 E3                 CMP     R2, #0x4C ==19
ROM:0016DAB0 2E 03 00 0A                 BEQ     loc_16E770
ROM:0016DAB4 F7 FF FF EA                 B       loc_16DA98 

With such patch we escaped from that input filtration loop and can input whatever we need now.

  • Save new kernel image
  • Calculate new cmac blocks (hashes) for new kernel:
mkey=6f6bc7e1fc7f86bf9c150a82f343e2e0 (for T-VAL* firmwares)
Calculating and comparing of hashes can be done with chkhash tool
  • Edit hashes file (cmac bloks (hashes) of appdata.img, exe.img, Image and rootfs.img are stored in some separate partition on TV).
If you miss this step, you get TV reboot every 30 sec, which is initialized by authuld due hashes mismatch.
  • Connect to TV (telnet/ssh) and restore both (Image and hash partition) with new files you`ve made. It is MANDATORY to flash both partition at one TV session. If you reboot TV with just one partition re-flashed, you get cyclic reboot by authuld, where repair is almost impossible if no full root access at boot time is available.

Decide what is your active partition set (on C/D/E series here are two sets of rootfs+kernel, active and alternative). For this goal you have to check for console output:

cat /proc/cmdline

The output for 1st set should look:

root=/dev/tfsr6 console=ttyS1 quiet

This means active firmware uses first set of partitions, kernel=/dev/bml0/5, rootfs=/dev/bml0/6 and hashes are checked from /dev/bml0/9
Output for 2nd set:

root=/dev/tfsr8 console=ttyS1 quiet

This means active firmware uses second set of partitions, kernel=/dev/bml0/7, rootfs=/dev/bml0/8 and hashes are checked from /dev/bml0/10
In example we got the 2nd partition set is used and we have to restore bml0/7 with patched kernel and bml0/10 with correct hashes:

bml.restore /dev/bml0/7 /dtv/usb/sda1/bml7_VAL_3015_patched.dmp
sync
sync
sync
bml.restore /dev/bml0/10 /dtv/usb/sda1/bml10_VAL_3015_patched.dmp
sync
sync
sync

If you get ANY error while restoring partitions, DO NOT REBOOT or POWER OFF TV, ask for help and wait...


  • If no errors came, reboot TV. And pray :)


Firmwares

HEX patching possible with same string from example on: B series CI+ devices, firmwares T-CHUCIP*, T-CHLCIP*, T-CHL5CIP*, T-CHL6CIP*
C series T-VAL* family firmwares

References

Support forum