SamyGO Firmware Patcher


From SamyGO
Jump to: navigation, search

SamyGO Firmware Patcher Script is a tool, modifies original firmwares that downloaded from Samsung site and converting them to Hacked firmwares for enabling Telnet on boot, executing start scripts via advanced mode and implement Video AR Fix for to exeDSP programs.

  • Why we are using patches instead of releasing hacked firmwares?

Because we are not allowed to distribute Samsung owned firmwares even we modify it. For avoiding any legal problems, we are turning around and modify original software via this script instead of releasing hacked firmwares.

Needings

  • Before start, you needed to download 32 bit python 2.6.4 (not 3.x one) for your operating system from www.python.org site.
  • Python is OS independent language for using this script at all OS'es.
  • You needed pyCrypto package too if you try to modify CI+ device firmwares which has 'CIP' string in that firmware name (example: T-CHLCIPDEUC).

Usage

  • Download SamyGO Firmware Patcher script from download area.
  • Download your devices original firmware from Samsung site.
  • Extract downloaded original firmware (by double clicking at windows or using unzip on Linux, OS X...)
  • patch it using SamyGO Firmware patcher as "python SamyGO.py <your extracted firmware directory>"

for example:

python SamyGO.py ./T-CHL7DEUC
  • Take look at process output
death@triQuad:/SamyGO> python ./SamyGO.py Silo/T-CHL7DEUC
SamyGO Firmware Patcher v0.16 Beta (c) 2010 Erdem U. Altinyurt

                  -=BIG FAT WARNING!=-
           You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
        project home: http://SamyGO.sourceforge.net

XOR Encrytped CI firmware detected.
Decrypting with XOR key :  T-CHL7DEUC
Crypto package found, using fast XOR engine.

Applying VideoAR Patch...
MD5 of Decrypted image is : 9b4d11ddc6bd41156573ae61d1660fdf
FAT image analyzed - exeDSP location: 7811072  size: 37414044
ARM ELF exeDSP File Detected
CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x13537D0
CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1353AC8
VideoAR Fix v1 Compatibility Found.
VideoAR Fix v1 Patched on image.

Applying Telnet Patch...
Searching %3
Suitable Location Found for Script injection on Offset : 3969567
Enable Telnet or Advanced Mode on image( T/a )? 
Patching File...
Telnet Enabled on image.
Calculatin new CRC :  d71d7f17
Updating /SamyGO/T-CHL7DEUC/image/validinfo.txt with new CRC.

Encrypting with XOR :  T-CHL7DEUC
Crypto package found, using fast XOR engine.

Operation successfully completed.
Now you can flash your TV with ./T-CHL7DEUC directory.
  • If everything goes on the way, copy the modified firmware directory to your USB flash device root and plug it to the TV and Flash your device. Thats all.

Advanced Mode

During the patching process you will be asked to use Enable Telnet or Advanced Mode.

Enable Telnet or Advanced Mode on image( T/a )?
  • If you simply wish to just enable telnet on startup select "T"
  • If you wish to automount shares and telnet then select "a"

If you selected Advanced Mode you will need to create a file called /mtd_rwarea/SamyGO.sh and set the permissions to 755

Once you have flashed your TV you will need to use the SamyGO Telnet Enabler Program, to enable telnet. This is a once off.

Once you have enabled telnet using SamyGO Telnet Enabler, telnet to your tv and create /mtd_rwarea/SamyGO.sh

# vi /mtd_rwarea/SamyGO.sh

Add the following to SamyGO.sh

#!/bin/sh

# Enable Telnetd
if [ `cat /proc/mounts | grep -c "/dev/pts"` -lt "1" ] ; then
        echo "telnetd Enabled"
        mount -t devpts devpts /dev/pts
        telnetd
else
        echo "/dev/pts is mounted"
fi

# Open back-door for fixing boot-loop situations
sleep 20            # Allow USB-stick to settle
USB="/dtv/usb/sda1" # USB mount-point

if [ -f $USB/usb.sh ];then
        echo "USB-File detected"
        $USB/usb.sh
        exit
else
        echo "Running Normal SamyGO Startup"
fi

#Your lines here!

exit

Set the right permissions

# chmod 755 /mtd_rwarea/SamyGO.sh

Now reboot your TV and you ready to rock and roll....

Python Works

Notice: This part is for python programmers. Not for users.

  • If you wanted to modify firmware with hand, or wanted to use SamyGO Firmware Patcher script at manual, here how can you make it. I explain those functions for use script for manual operations.
  • First you needed to open python shell and than import SamyGO script
death@triQuad:/SamyGO> python
Python 2.6.2 (r262:71600, Oct 24 2009, 03:15:21) 
[GCC 4.4.1 [gcc-4_4-branch revision 150839]] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import SamyGO
SamyGO Firmware Patcher pre-v0.16 (c) 2010 Erdem U. Altinyurt

                   -=BIG FAT WARNING!=-
            You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
         project home: http://SamyGO.sourceforge.net

For use this script, you have to extract your firmware to a directory first!
usage: python  <path to extracted directory from firmware>
example: python  ./T-CHL7DEUC/

AESdec( filename,key )

  • This function decrypts AES encrypted exe.img.sec file and writes xor encrypted firmware. If you not give key, it defaults to use key bellow. Returns decrypted/encrypted filename.
>>> SamyGO.AESdec( '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.sec' )
secret key :  A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71
Decrypting AES... done
'/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.enc'

AESenc( filename,key )

  • This function encrypts any file (usually XOR encrypted firmware image) with AES-128-CBC encryption and writes encrypted firmware. If you not give key, it defaults to use key bellow. Returns decrypted/encrypted filename.
SamyGO.AESenc( '/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.enc' )
secret key :  A435HX:d3e90afc-0f09-4054-9bac-350cc8dfc901-7cee72ea-15ae-45ce-b0f5-611c4f8d4a71
Encrypting with AES... done
'/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img.sec'

xor( filename, key)

  • This function make XOR encryption and decryption (which is same process for both), key input required. Returns decrypted/encrypted filename and it's MD5 for identification.
>>> SamyGO.xor( '/Silo/T-CHUCIPDEUC/image/exe.img.enc' , 'T-CHUCIPDEUC')
Crypto package found, using fast XOR engine.

('/SamyGO/Silo/T-CHUCIPDEUC/image/exe.img', '1ec6cb71c53fcbd3ca27f5e67c3fdfee')

patch_Telnet( filename )

  • This function scan for
"#Remove engine logging."

text in while firmware image and replaces it with

';/etc/telnetd_start.sh&'

string if selected Telnet patch or replaces with

';/mtd_rwarea/SamyGO.sh&'

if selected Advanced mode. It returns true on successful patch. Function Output is like: >>> SamyGO.patch_Telnet( 'SamyGO/Silo/T-CHUCIPDEUC/image/exe.img' )

Applying Telnet Patch...
Searching %92
Suitable Location Found for Script injection on Image Offset : 52204063
Enable Telnet or Advanced Mode on image( T/a )? T
Patching File...
Telnet Enabled on image.
True

patch_VideoAR( filename, md5dig )

  • This function look md5 digest and patched VideoAR Fix to "image". If MD5 image is not meet with anything, than it calls VideoARFix_v1_patch_auto() option for implement patch. If MD5 is match from choices at script, it calls for xdelta tool for apply patch(usually for SquashFS images like T-CHL5DEUC), or ımplement patch via inner diff engine (for T-CHL7DEUC-2004.1 FW)

>>> SamyGO.patch_VideoAR( '/SamyGO/Silo/T-CHL7DEUC/image/exe.img', )

Applying VideoAR Patch...
MD5 of Decrypted image is : e9489b2c40878977df0194853a8beccc
FAT image analyzed - exeDSP location: 7811072  size: 37414044
ARM ELF exeDSP File Detected
CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x13537D0
CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1353AC8
VideoAR Fix v1 Compatibility NOT Found.
Oops!: This firmware is unknown for VideoAR patch. Skipped!
Please visit forum for support.
SamyGO Home: http://SamyGO.sourceforge.net

VideoARFix_v1_patch_auto( filename )

  • This function extracts exeDSP from FAT image and inspect it via ELFRead() function. After finding requires adress, implements VideoAR Fix v1 patch.
>>> SamyGO.VideoARFix_v1_patch_auto( '/SamyGO/Silo/T-CHL7DAUC/image/exe.img' )
FAT image analyzed - exeDSP location: 3166208  size: 36887876
ARM ELF exeDSP File Detected
CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x1320320
CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1320614
VideoAR Fix v1 Compatibility Found.

ReadELF( filename_exeDSP )

  • This function read exeDSP than generate and return symbol table of it.
>>> SymbolTable = SamyGO.ReadELF( '/SamyGO/SamyGO.exeDSP' )
ARM ELF exeDSP File Detected

calculate_crc( decfile )

  • This function calculates crc for given file and returns it as integer.
>>> SamyGO.calculate_crc( '/SamyGO/Silo/T-CHL7DAUC/image/exe.img' )
Calculated CRC : 0x4C008347
1275102023