SamyGO Firmware Patcher
SamyGO Firmware Patcher Script is a tool, modifies original firmwares that downloaded from Samsung site and converting them to Hacked firmwares for enabling Telnet on boot, executing start scripts via advanced mode and implement Video AR Fix for to exeDSP programs.
- Why we are using patches instead of releasing hacked firmwares?
Because we are not allowed to distribute Samsung owned firmwares even we modify it. For avoiding any legal problems, we are turning around and modify original software via this script instead of releasing hacked firmwares.
- Before start, you needed to download 32 bit python 2.6.4 (not 3.x one) for your operating system from www.python.org site.
- Python is OS independent language for using this script at all OS'es.
- You needed pyCrypto package too if you try to modify CI+ device firmwares which has 'CIP' string in that firmware name (example: T-CHLCIPDEUC).
- Download SamyGO Firmware Patcher script from download area.
- Download your devices original firmware from Samsung site.
- Extract downloaded original firmware (by double clicking at windows or using unzip on Linux, OS X...)
- patch it using SamyGO Firmware patcher as "python SamyGO.py <your extracted firmware directory>"
python SamyGO.py ./T-CHL7DEUC
- Take look at process output
death@triQuad:/SamyGO> python ./SamyGO.py Silo/T-CHL7DEUC SamyGO Firmware Patcher v0.16 Beta (c) 2010 Erdem U. Altinyurt -=BIG FAT WARNING!=- You can brick your TV with this tool! Authors accept no responsibility about ANY DAMAGE on your devices! project home: http://SamyGO.sourceforge.net XOR Encrytped CI firmware detected. Decrypting with XOR key : T-CHL7DEUC Crypto package found, using fast XOR engine. Applying VideoAR Patch... MD5 of Decrypted image is : 9b4d11ddc6bd41156573ae61d1660fdf FAT image analyzed - exeDSP location: 7811072 size: 37414044 ARM ELF exeDSP File Detected CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x13537D0 CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1353AC8 VideoAR Fix v1 Compatibility Found. VideoAR Fix v1 Patched on image. Applying Telnet Patch... Searching %3 Suitable Location Found for Script injection on Offset : 3969567 Enable Telnet or Advanced Mode on image( T/a )? Patching File... Telnet Enabled on image. Calculatin new CRC : d71d7f17 Updating /SamyGO/T-CHL7DEUC/image/validinfo.txt with new CRC. Encrypting with XOR : T-CHL7DEUC Crypto package found, using fast XOR engine. Operation successfully completed. Now you can flash your TV with ./T-CHL7DEUC directory.
- If everything goes on the way, copy the modified firmware directory to your USB flash device root and plug it to the TV and Flash your device. Thats all.
During the patching process you will be asked to use Enable Telnet or Advanced Mode.
Enable Telnet or Advanced Mode on image( T/a )?
- If you simply wish to just enable telnet on startup select "T"
- If you wish to automount shares and telnet then select "a"
If you selected Advanced Mode you will need to create a file called /mtd_rwarea/SamyGO.sh and set the permissions to 755
Once you have flashed your TV you will need to use the SamyGO Telnet Enabler Program, to enable telnet. This is a once off.
Once you have enabled telnet using SamyGO Telnet Enabler, telnet to your tv and create /mtd_rwarea/SamyGO.sh
# vi /mtd_rwarea/SamyGO.sh
Add the following to SamyGO.sh
#!/bin/sh # Enable Telnetd if [ `cat /proc/mounts | grep -c "/dev/pts"` -lt "1" ] ; then echo "telnetd Enabled" mount -t devpts devpts /dev/pts telnetd else echo "/dev/pts is mounted" fi # Open back-door for fixing boot-loop situations sleep 20 # Allow USB-stick to settle USB="/dtv/usb/sda1" # USB mount-point if [ -f $USB/usb.sh ];then echo "USB-File detected" $USB/usb.sh exit else echo "Running Normal SamyGO Startup" fi #Your lines here! exit
Set the right permissions
# chmod 755 /mtd_rwarea/SamyGO.sh
Now reboot your TV and you ready to rock and roll....
Notice: This part is for python programmers. Not for users.
- If you wanted to modify firmware with hand, or wanted to use SamyGO Firmware Patcher script at manual, here how can you make it. I explain those functions for use script for manual operations.
- First you needed to open python shell and than import SamyGO script
death@triQuad:/SamyGO> python Python 2.6.2 (r262:71600, Oct 24 2009, 03:15:21) [GCC 4.4.1 [gcc-4_4-branch revision 150839]] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import SamyGO SamyGO Firmware Patcher pre-v0.16 (c) 2010 Erdem U. Altinyurt -=BIG FAT WARNING!=- You can brick your TV with this tool! Authors accept no responsibility about ANY DAMAGE on your devices! project home: http://SamyGO.sourceforge.net For use this script, you have to extract your firmware to a directory first! usage: python <path to extracted directory from firmware> example: python ./T-CHL7DEUC/
AESdec( filename,key )
- This function decrypts AES encrypted exe.img.sec file and writes xor encrypted firmware. If you not give key, it defaults to use key bellow. Returns decrypted/encrypted filename.
>>> SamyGO.AESdec( '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.sec' ) secret key : A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71 Decrypting AES... done '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.enc'
AESenc( filename,key )
- This function encrypts any file (usually XOR encrypted firmware image) with AES-128-CBC encryption and writes encrypted firmware. If you not give key, it defaults to use key bellow. Returns decrypted/encrypted filename.
SamyGO.AESenc( '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.enc' ) secret key : A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71 Encrypting with AES... done '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.sec'
xor( filename, key)
- This function make XOR encryption and decryption (which is same process for both), key input required. Returns decrypted/encrypted filename and it's MD5 for identification.
>>> SamyGO.xor( '/Silo/T-CHUCIPDEUC/image/exe.img.enc' , 'T-CHUCIPDEUC') Crypto package found, using fast XOR engine. ('/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img', '1ec6cb71c53fcbd3ca27f5e67c3fdfee')
patch_Telnet( filename )
- This function scan for
"#Remove engine logging."
text in while firmware image and replaces it with
string if selected Telnet patch or replaces with
if selected Advanced mode. It returns true on successful patch. Function Output is like: >>> SamyGO.patch_Telnet( 'SamyGO/Silo/T-CHUCIPDEUC/image/exe.img' )
Applying Telnet Patch... Searching %92 Suitable Location Found for Script injection on Image Offset : 52204063 Enable Telnet or Advanced Mode on image( T/a )? T Patching File... Telnet Enabled on image. True
patch_VideoAR( filename, md5dig )
- This function look md5 digest and patched VideoAR Fix to "image". If MD5 image is not meet with anything, than it calls VideoARFix_v1_patch_auto() option for implement patch. If MD5 is match from choices at script, it calls for xdelta tool for apply patch(usually for SquashFS images like T-CHL5DEUC), or Ä±mplement patch via inner diff engine (for T-CHL7DEUC-2004.1 FW)
>>> SamyGO.patch_VideoAR( '/SamyGO/Silo/T-CHL7DEUC/image/exe.img', )
Applying VideoAR Patch... MD5 of Decrypted image is : e9489b2c40878977df0194853a8beccc FAT image analyzed - exeDSP location: 7811072 size: 37414044 ARM ELF exeDSP File Detected CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x13537D0 CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1353AC8 VideoAR Fix v1 Compatibility NOT Found. Oops!: This firmware is unknown for VideoAR patch. Skipped! Please visit forum for support. SamyGO Home: http://SamyGO.sourceforge.net
VideoARFix_v1_patch_auto( filename )
- This function extracts exeDSP from FAT image and inspect it via ELFRead() function. After finding requires adress, implements VideoAR Fix v1 patch.
>>> SamyGO.VideoARFix_v1_patch_auto( '/SamyGO/Silo/T-CHL7DAUC/image/exe.img' ) FAT image analyzed - exeDSP location: 3166208 size: 36887876 ARM ELF exeDSP File Detected CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x1320320 CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1320614 VideoAR Fix v1 Compatibility Found.
ReadELF( filename_exeDSP )
- This function read exeDSP than generate and return symbol table of it.
>>> SymbolTable = SamyGO.ReadELF( '/SamyGO/SamyGO.exeDSP' ) ARM ELF exeDSP File Detected
calculate_crc( decfile )
- This function calculates crc for given file and returns it as integer.
>>> SamyGO.calculate_crc( '/SamyGO/Silo/T-CHL7DAUC/image/exe.img' ) Calculated CRC : 0x4C008347 1275102023