Komentarze do: Hakowanie telewizora Samsung – Seria 7 http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/ Ciekawostki programistyczne i tematy związane z bezpieczeństwem Mon, 28 Dec 2009 21:34:18 +0100 http://wordpress.org/?v=2.8.4 hourly 1 Autor: D3LLF http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-404 D3LLF Sun, 23 Aug 2009 11:57:40 +0000 http://aiv-dev.info/?p=34#comment-404 I just wanted to tell, that samsung has published source code of used GPL utils in their visual display - check it out:http://www.samsung.com/global/opensource/. IMO Specially interesting is http://www.samsung.com/global/opensource/files/LE46A956.zip which provides e-mail (korean), how opensource is handled in Samsung. I just wanted to tell, that samsung has published source code of used GPL utils in their visual display – check it out:http://www.samsung.com/global/opensource/. IMO Specially interesting is http://www.samsung.com/global/opensource/files/LE46A956.zip which provides e-mail (korean), how opensource is handled in Samsung.

]]> Autor: dynamic1969 http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-369 dynamic1969 Sat, 08 Aug 2009 13:52:07 +0000 http://aiv-dev.info/?p=34#comment-369 @b457144n I eventually got a serial console working on the 7 Series. The good thing about this is, that it should also work equally on other devices ( also those where we were not yet able to decrypt OpenSSL encrypted FW ). See http://www.avsforum.com/avs-vb/showthread.php?p=16964905#post16964905 for further details on the HOWTO. With the console access, there are many simple ways to directly alter the ( already decrypted ) FW ;-) Hope this helps! Regards dynamic mailto: dynamic1969@gmail.com @b457144n

I eventually got a serial console working on the 7 Series.

The good thing about this is, that it should also work equally on other devices ( also those where we were not yet able to decrypt OpenSSL encrypted FW ).
See http://www.avsforum.com/avs-vb/showthread.php?p=16964905#post16964905 for further details on the HOWTO.

With the console access, there are many simple ways to directly alter the ( already decrypted ) FW ;-)

Hope this helps!

Regards
dynamic

mailto: dynamic1969@gmail.com

]]> Autor: b457144n http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-363 b457144n Wed, 05 Aug 2009 22:25:03 +0000 http://aiv-dev.info/?p=34#comment-363 @dynamic1969: thanks for the tarball. Pity it does not contain the secureSWU stuff. It would be interesting to see what exeDSP does when you try to feed it a fake secure update for T-CHL7DEUC. Have you ever killed and restarted exeDSP? Is that possible? In that case running it with strace would get us a lot of information. Regards, Bastiaan @dynamic1969:
thanks for the tarball. Pity it does not contain the secureSWU stuff.
It would be interesting to see what exeDSP does when you try to feed it a fake secure update for T-CHL7DEUC. Have you ever killed and restarted exeDSP? Is that possible? In that case running it with strace would get us a lot of information.

Regards,

Bastiaan

]]> Autor: dynamic1969 http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-357 dynamic1969 Mon, 03 Aug 2009 06:47:18 +0000 http://aiv-dev.info/?p=34#comment-357 @b457144n: Yes, I have telnet access to the device. Have put the desired tar-file here ... http://c2a2b2.com/arm_samsung and also included the "ls -alR" output. Unforunately secureSWU is empty and there is also no secpub.key in mtd_rwarea. As far as I can see this directory is only ( mounted or filled ) filled during a secure Update process, which we need to still find out. As mariusz is saying, the key must be available somewhere in the FW ... but where. Regards dynamic1969 @b457144n:
Yes, I have telnet access to the device. Have put the desired tar-file here … http://c2a2b2.com/arm_samsung and also included the “ls -alR” output.
Unforunately secureSWU is empty and there is also no secpub.key in mtd_rwarea.

As far as I can see this directory is only ( mounted or filled ) filled during a secure Update process, which we need to still find out.
As mariusz is saying, the key must be available somewhere in the FW … but where.

Regards
dynamic1969

]]> Autor: b457144n http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-350 b457144n Thu, 30 Jul 2009 20:21:22 +0000 http://aiv-dev.info/?p=34#comment-350 @mariusz, yes, I'm afraid that those last 256 chars may be some digital signature. exeDSP has stuff like ' SWUDsaVerify' and 'error readpubkey' :-( It looks like a lot of parameters related to this are stored in files under /mtd_rwarea/secureSWU/. Also /mtd_rwarea/secpub.key looks interesting. Now to get access to them.... @dynamic1969, thanks for the link. Looks like the make serious progress. Unfortunately their work is not usable for my TV yet, but maybe it can help breaking the new encryption scheme as well. BTW do you have telnet access to your TV already? In that case, could you post a tarball of /mtd_rwarea? Thanks! Bastiaan @mariusz,
yes, I’m afraid that those last 256 chars may be some digital signature. exeDSP has stuff like ‘ SWUDsaVerify’ and ‘error readpubkey’ :-(
It looks like a lot of parameters related to this are stored in files under /mtd_rwarea/secureSWU/. Also /mtd_rwarea/secpub.key looks interesting. Now to get access to them….
@dynamic1969,
thanks for the link. Looks like the make serious progress. Unfortunately their work is not usable for my TV yet, but maybe it can help breaking the new encryption scheme as well.
BTW do you have telnet access to your TV already? In that case, could you post a tarball of /mtd_rwarea? Thanks!

Bastiaan

]]> Autor: dynamic1969 http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-345 dynamic1969 Mon, 27 Jul 2009 10:41:36 +0000 http://aiv-dev.info/?p=34#comment-345 Hi, telnet access on the Samsung UE46B70xx is now possible and confirmed to be working. Check out following Thread ( posting 86 onwards ) for a high level description of approach taken: http://www.avsforum.com/avs-vb/showthread.php?p=16849932 Same concept should be possible on other recent models of Samsung LCD/LED TVs. Next steps are to get a toolchain/buildroot established ... let's see what all is possible :-) Regards dynamic Hi,

telnet access on the Samsung UE46B70xx is now possible and confirmed to be working.

Check out following Thread ( posting 86 onwards ) for a high level description of approach taken: http://www.avsforum.com/avs-vb/showthread.php?p=16849932

Same concept should be possible on other recent models of Samsung LCD/LED TVs.

Next steps are to get a toolchain/buildroot established … let’s see what all is possible :-)

Regards
dynamic

]]> Autor: Mariusz Dalewski http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-340 Mariusz Dalewski Tue, 21 Jul 2009 22:44:58 +0000 http://aiv-dev.info/?p=34#comment-340 @b457144n first ideas: last 3 chars of sec files are the same - 256 if you read 256 chars before this value you got some other value (possible in hex). Maybe it's checksum, maybe not :) Assume that tv need to know kthe ey, key must be stored in firmware package or hardcoded in tv. @b457144n first ideas:
last 3 chars of sec files are the same – 256
if you read 256 chars before this value you got some other value (possible in hex). Maybe it’s checksum, maybe not :)
Assume that tv need to know kthe ey, key must be stored in firmware package or hardcoded in tv.

]]> Autor: b457144n http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-337 b457144n Tue, 21 Jul 2009 21:25:32 +0000 http://aiv-dev.info/?p=34#comment-337 Hi Mariusz, Thank you for sharing what you figured out. Today Samsung has released updated firmware for the LE40B650T2P variant (= 650 with CI+) as well. Unfortunately it uses a new encryption scheme.The files have a '.sec' extension instead of '.enc' and start with the string 'Salted'. Searching exeDSP of the T-CHU7DEUC firmware for this string shows that the new method already has been built into that version. Maybe with disassembling exeDSP we can find out the new scheme as well, but it won't be trivial. Also it looks like the updates have been digitally signed, so enhancing the firmware with a telnetd for example won't be easy :-( Regards, Bastiaan Hi Mariusz,

Thank you for sharing what you figured out. Today Samsung has released updated firmware for the LE40B650T2P variant (= 650 with CI+) as well.
Unfortunately it uses a new encryption scheme.The files have a ‘.sec’ extension instead of ‘.enc’ and start with the string ‘Salted’.
Searching exeDSP of the T-CHU7DEUC firmware for this string shows that the new method already has been built into that version.
Maybe with disassembling exeDSP we can find out the new scheme as well, but it won’t be trivial.
Also it looks like the updates have been digitally signed, so enhancing the firmware with a telnetd for example won’t be easy :-(

Regards,

Bastiaan

]]> Autor: dynamic1969 http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-329 dynamic1969 Wed, 15 Jul 2009 08:29:27 +0000 http://aiv-dev.info/?p=34#comment-329 Hi Mariusz, what you have discovered sounds really interesting! It'd be great to see, if one could get a telnet deamon started and then logon via the Network interface. Curiously watching this thread :-) Regards dynamic1969 Hi Mariusz,

what you have discovered sounds really interesting!
It’d be great to see, if one could get a telnet deamon started and then logon via the Network interface.

Curiously watching this thread :-)

Regards
dynamic1969

]]> Autor: Prof2k http://aiv-dev.info/2009/06/25/hakowanie-telewizora-samsung-tv-seria-7/comment-page-1/#comment-320 Prof2k Tue, 07 Jul 2009 13:19:59 +0000 http://aiv-dev.info/?p=34#comment-320 No to czekamy, czekamy :) Serdecznie pozdrawiam Prof2k No to czekamy, czekamy :)

Serdecznie pozdrawiam
Prof2k

]]>