I try to get root access on my Philips PFL9703 TV. Why? don’t ask…
The TV runs a 2.6.18 kernel, pnx8535 MIPS32 240MHz CPU, compiled with a MontaVista toolchain.
I need YOUR help to root the Philips TV! Please write a comment (end of the article) or email me if you have any hints, thanks!
RC triggered service modes:
Customer Service Mode (CSM): 123654. Insert USB stick, put the remote in DVD mode and press 2679 — this will create an application dump of the tv application file on the USB stick (binary).
Service Alignment Mode (SAM): 062596info. I didn’t find a option to enable the serial console!
Service Default Mode (SDM): 062596menu. Purpose: To create a pre-defined setting, to get the same measurement results as given in the service manual.
Manual software upgrade: Disconnect the TV from the AC Power, press + hold the OK button of the RC and connect set to mains.
Back-up Software Upgrade Application: Disconnect the TV from the AC Power, press + hold the INFO button (or cursor down) of the RC and connect set to mains.
Jett mode: Disconnect the TV from the AC Power, switch to DVD RC, press + hold the INFO button and connect set to mains. Now you TV is in the Jett mode — but we need some files now, which are NOT available! We should create a directory on the root of the USB drive which is called JETTFILES and put two files called “MemoryTestPNX8635.bin” and “autojett.bin”. Those files are part of a software package called “TESTSCRIPT Q529”…
I guess in this mode, serial access *could* be possible, however the protocol will change, as there is only binary stuff visible after the bootloader tries to load the kernel. This could be a side effect of the missing JETTFILES, but I’m not sure. Perhaps some kind of 3 Wire SPI mode? another binary serial mode? See “Serial Port dumps” below.
Philips write about this in the service manual:
– Install the computer program “BOARDTESTLOGGER” (available in “TESTSCRIPT Q529”) on the PC
– Connect a “ComPair/service”-cable from the service-connector in the set to the COM1-port of the PC
– Start-up the program “BOARDTESTLOGGER” and select “COM1”
– Put the USB stick into the TV and start-up the TV while pressing the “i+”-button on a Philips DVD RC6 remote control (it’s also possible to use a TV remote in “DVD”-mode)
– On the PC the memory test is shown now. This is also
visible on the TV screen.
– In “BOARDTESTLOGGER” an option “Send extra UART command” can be found where the “AUD1” can be selected. This command generates hear test tones of 200, 400, 1000, 2000, 3000, 5000, 8000 and 12500Hz
Serial Port access
To access the serial port of the TV you need a EIB cable — basically a serial (db9) to stereo jack cable.
This is my professional EIB cable ;)
Terminal settings: 38400 Baud 8N1.
Web Server:
On port 8080 runs a Web Server, more precisely a Allegro-Software-RomPager/4.61. There is only a test page visible:
1 2 3 4 | RomPager Embedded Web Server First Page The value of the test variable is: Hello World! |
Some basic tests:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | bash-3.2$ perl –e ‘print “GET / HTTP/1.1rnHost: ’”192.168.111.16″‘rnAuthenticate: ” . ‘A’ x 1024 . “rnrn“‘ | nc “192.168.111.16″ 8080 HTTP/1.1 400 Bad Request Content-Length: 0 Server: Allegro-Software-RomPager/4.61 Connection: close bash-3.2$ perl –e ‘print “GET / HTTP/1.1rnHost: ’”192.168.111.16″‘rnrn“‘ | nc “192.168.111.16″ 8080 HTTP/1.1 200 OK Content-Type: text/html Date: Sat, 01 Jan 2000 02:05:41 GMT Cache-Control: no-cache Expires: Thu, 26 Oct 1995 00:00:00 GMT Transfer-Encoding: chunked Server: Allegro-Software-RomPager/4.61 |
I didn’t find and vulnerability/information about this webserver…
Firmware:
Get the firmware here http://philips.samipupu.com/9x03.html. The firmware is encrypted, with some help from the www.hifi-forum.de thread, I was more or less able to get the firmware header (first 732 bytes of the firmware):
1 2 3 4 5 6 7 8 9 10 11 12 13 | struct philips_header { uint32_t magic; /* “2SWU” */ uint32_t magic1; /* “3TXV” — magic[i] + 1 */ uint32_t header_size; /* 732 bytes */ uint32_t data_size; /* image size without header */ uint32_t crc; /* differ from release to release */ uint32_t unknown; /* data: 00 00 00 60, unknown, industrial mode enabled/disabled? */ uint32_t padding1; /* data: 00 00 00 00 */ uint32_t padding2; /* data: 00 00 00 00 */ char[512] description; /* release version */ char[160] signature char[28] releaseStr /* Q591E-0.100.0.0_commercial */ }; |
Those 160 bytes in the firmware header is quite interesting… This block is different in each firmware version! Someone in the hifi-forum wrote, that the firmware is encrypted AND signed, but this is unconfirmed!
Edit 13.2.09: The Firmware is encrypted AND signed, see comment #14!
Other users observed, that there are quite a lot of repeating patterns in the firmware. An interesting idea is to search for JFFS2 inodes magic bytes (85h 19h). Varon thinks, that the firmware (or parts of it) are encrypted with a 128b key, but the crypto algorithm is unknown.
Here is a hexdump of the firmware header:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | 00000000 32 53 57 55 33 54 58 56 dc 02 00 00 38 b1 b6 01 |2SWU3TXV.…8…| 00000010 a9 67 50 62 00 00 00 60 00 00 00 00 00 00 00 00 |.gPb…‘.….…| 00000020 52 65 6c 65 61 73 65 20 66 6f 72 20 54 56 35 32 |Release for TV52| 00000030 30 20 52 32 3a 0d 51 35 39 31 45 2d 30 2e 31 30 |0 R2:.Q591E-0.10| 00000040 30 2e 30 2e 30 0d 0d 47 65 6e 65 72 61 74 69 6f |0.0.0..Generatio| 00000050 6e 20 64 61 74 65 3a 0d 34 2f 31 32 2f 32 30 30 |n date:.4/12/200| 00000060 39 20 31 30 3a 33 31 3a 32 32 0d 00 00 00 00 00 |9 10:31:22.…..| 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.….….….…| * 00000220 9f f0 5a c2 4a 49 4c 18 11 1f 4f 9f 89 d6 b9 87 |..Z.JIL…O.….| 00000230 7f 2f a9 98 fb 10 8e 81 7d fb 05 48 c4 62 8d f6 |./.…..}..H.b..| 00000240 ab 62 f7 1b 0a 80 7d b2 fb fc 89 6d 3b 65 70 4d |.b.…}.…m;epM| 00000250 22 10 81 f9 4d 5b 46 29 e8 96 92 dd a0 3b a9 21 |”…M[F).….;.!| 00000260 ca 0b d5 b4 4a a1 64 41 97 62 e4 00 56 9e 74 15 |.…J.dA.b..V.t.| 00000270 71 4a 6b 09 b5 07 05 bc 8f 0f 7a 15 4e ff 2b 67 |qJk.……z.N.+g| 00000280 1f b0 26 bc 37 7e 8d 7a 81 a9 25 f9 1f e2 90 cd |..&.7~.z..%.….| 00000290 99 9a 17 d1 d6 dc 89 19 df 70 4c 9c a4 37 ef 1a |.….….pL..7..| 000002a0 1b 08 06 6e ff 1f ba a9 89 10 76 ff 22 b2 8a 14 |…n.…..v.”…| 000002b0 2f e3 2c d6 39 1c bc af 4b 49 4d ff 9c d7 60 c9 |/.,.9…KIM…‘.| 000002c0 51 35 39 31 45 2d 30 2e 31 30 30 2e 30 2e 30 5f |Q591E-0.100.0.0_| 000002d0 63 6f 6d 6d 65 72 63 69 61 6c 00 00 |commercial..| |
I checked the firmware with draca:
1 2 3 4 5 6 7 8 9 10 | c:tmpdraca>draca ..autorun.upg DRACA. Draft Crypto Analyzer. Version 0.5.7b by Ilya O. Levin Preliminary detection and analysis of crypto algorithms within executables. File: .. autorun.upg, 28750144 byte(s) analyzing… done results: * AES/Rijndael — 9% * Twofish — 17% total 2 algorithm(s) recognized |
Edit 13.2.09: I guess those results are useless because draca is searching for crypto constants in the firmware — which do simply not exist there.
Philips also released source code of the parts of Philips TV software that fall under open source licenses.
Here is the firmware layout (in the flash, not the upgrade file):
Attack Vectors:
1) decode firmware, modify and repack
2) jett mode and testfiles, serial access *could* be possible
3) kernel gdb on ttyS1
4) find a secret key combo to activate the terminal (aka deactivate philps industrial mode)
Useful links:
General Information:
http://www.hifi-forum.de/viewthread-152‑1851.html
http://samygo.sourceforge.net/
http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n//
Firmware Mirror:
http://philips.samipupu.com/
Jointspace Project:
jointspace project
Service Manuals:
http://www.scribd.com/doc/23986104/Philips-Ch-q529-1e-Lb
http://www.ayslearningcentre.philips.com/userfiles/Training%20Material/TV/tv522-training%20booklet%20for%20printing%20.pdf
Serial Port dumps:
Jett mode:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | retail Jan 16 2008 12:03:04 Boot deviceST NAND512W3A BFFS init OK Searching BootLoader.tdfLoad /bffs0/BootLoader.tdf– Done Start /bffs0/BootLoader.tdf JBL (boottime improvement BootLoader OS_R0.7.2assert Feb 25 2008 12:49:28Searching boot.bat Execute /bffs2/boot.bat from label [14] unknown command, line 302 Execute /bffs1/boot.bat from label [14] * SR5->Fact JETT * On error goto 70 * Load /bffs1/Kernel.tdf — ok * Load /bffs1/RFSBoot1.tdf — ok * MemFill 0x87fff000 0x1000 0xff * Signal 30 * Cmd Line CMD_LINE arguments passed by JBL : console=ttyS1,38400n8 mem=16M kgdb=ttyS1 loglevel=3 init=/init ip=none root=/dev/ram lpj=1196032 rd_start=0x80500000 rd_size=1814528* Start /bffs1/Kernel.tdf (binary garbage here) |
TV Boot:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 | retail Jan 16 2008 12:03:04 Boot deviceST NAND512W3A BFFS init OK Searching BootLoader.tdfLoad /bffs0/BootLoader.tdf– Done Start /bffs0/BootLoader.tdf JBL (boottime improvement BootLoader OS_R0.7.2assert Feb 25 2008 12:49:28Searching boot.bat Execute /bffs2/boot.bat from label [1] * SR1->Coldboot * On error goto 60 * Load /bffs2/atvTm0App.tdf — ok * Load /bffs3/tmpvbPnx51xxApp.tdf — ok * Load /bffs2/cdDownloadTM0.tdf — ok * Starting earlyStartTM* Load /bffs3/tmvprPnx51xxCoApp_tm2.tdf — ok * Load /bffs3/tmvprPnx51xxCoApp_tm3.tdf — ok * Load /bffs2/Kernel.tdf — ok * MemFill 0x87fff000 0x1000 0xff * Signal 30 * Cmd Line CMD_LINE arguments passed by JBL : console=ttyS0,38400n8 mem=48M kgdb=ttyS1 loglevel=3 root=/dev/mtdblock5 lpj=1196032 init=/init ip=none jffs2_gc_delay=30 * Start /bffs2/Kernel.tdf“htv520EU/92 startup script …“ “Mounting file systems“ Total usertime mount for /proc: 0,000000 [Sec] Total systemtime mount for /proc: 0,000000 [Sec] Total usertime mount for /sys: 0,000000 [Sec] Total systemtime mount for /sys: 0,000000 [Sec] Total usertime mount for /dev/shm: 0,000000 [Sec] Total systemtime mount for /dev/shm: 0,000000 [Sec] Total usertime mount for /dev/pts: 0,000000 [Sec] Total systemtime mount for /dev/pts: 0,000000 [Sec] “Mounting the flash file systems“ Total usertime mount for /mnt/jffs0: 0,000000 [Sec] Total systemtime mount for /mnt/jffs0: 0,100000 [Sec] “Loading PNX5100 Image“ “Launching TV application“ Using errlib version 0.9 Errlib communication with plfapp failed, will retry later redirecting 1 to 14 00 002.467 128MB memory on board 00 002.467 128MB memory MAP 00 002.467 checking hotboot: NO 00 002.467 Standby version 35.x.1.13 00 002.467 Expected standby version 36.x.0.0 (or higher), please update your standby image 00 002.467 start_Init clearing m_InitDoneBlunk 00 002.467 Using errlib version 0.9 00 002.467 Errlib 0.9 registered from process 118 00 002.467 2402 — Reference timestamp 00 002.467 mounted: 00 002.467 Mount check passes, 0 iterations –1 002.589 (*) FusionDale/Config: Parsing config file ‘/etc/fusiondalerc’. –1 002.589 *————–) FusionDale v0.1.1 (————–* –1 002.589 © 2006–2007 directfb.org –1 002.589 ———————————————– –1 002.589 (*) Fusion/SHM: NOT using MADV_REMOVE (2.6.18.0 < 2.6.19.2)! [0x02061200] –1 002.589 (*) Direct/Thread: Running ‘Fusion Dispatch’ (MESSAGING, 119)… –1 002.599 redirecting 2 to 12 –1 002.599 starting : /philips/apps/ceplfapp –1 002.599 amApp : InitFusionDale –1 002.599 Errlib communication with plfapp failed, will retry later 00 002.694 /mnt/jffs0/rupg/tvplf/cetv/display foundErrlib 0.9 registered from process 116 00 002.694 - Layoutcheck OK 00 002.694 Display flash file : Layout version = 8 ; Content version = 28 00 002.694 Display flash file : Project Id = 1 ; Branch Id = 58 00 002.694 version string: DISPT_001.058.008.028 00 002.750 *————–) FusionDale v0.1.1 (————–* 00 002.750 © 2006–2007 directfb.org 00 002.750 ———————————————– 00 002.858 Using screen option 143, name LCD LGD WUF SAC1 42“Diversity: BoardType=/92, BoardVersion=3, Detected pnx8535 version=M2 00 002.858 AmbientLightGenerator : None 00 002.858 AmbientLightMode : Triple 00 002.858 AmbientLightTechnology : Led 00 002.858 CabinetNumber : 3 00 002.858 ChannelDecoderType : Tda10048 00 002.858 ChannelDecoder2Type : None 00 002.858 ClearLcdSupported : False 00 002.858 DimmingBacklightSupported : True 00 002.858 DisplayDelayCompensation : 36 — 190 00 002.858 DisplayRawNumber : 143 00 002.858 DvbHdSupported : False 00 002.858 EpldPresent : True 00 002.858 HDMIMuxPresent : Mux4 00 002.858 HDMISidePresent : True 00 002.858 IfDemVersion : V2 00 002.858 LightSensor : Present 00 002.858 LightSensorType : Aura 00 002.858 Sti7100Present : False 00 002.858 PacificPresent : False 00 002.858 Region : Europe 00 002.858 Pnx5050Present : False 00 002.858 Pnx5100Present : True 00 002.858 SawVersion : New 00 002.858 IF Mode (DVB-C) : Direct IF 00 002.858 TunerI2cConfig : ViaChannelDecoder 00 002.858 TunerType : 25 (PhilTd1716F) –1 002.977 amApp: Platform returned wakeup reason [src: 0, sys: 0, cmd: 4] –1 003.139 starting : /philips/apps/tveu 5 4 0 00 003.172 RU Flash file not found in /mnt/jffs0/rupg/tvplf/tv520avi/cabinet3 00 003.172 RO Flash file not found in /mnt/jffs0/ro/tvplf/tv520avi/cabinet3 00 003.172 Local flash file not found in file/cabinet3 00 003.172 RU Flash file found in /mnt/jffs0/rupg/tvplf/tv520avi/cabinet 00 003.172 Cabinet flash file : Layout version = 4 ; Content version = 8 00 003.172 Cabinet flash file : Project Id = 1 ; Branch Id = 0 00 003.172 version string: ACSTS_001.000.004.008 –1 003.279 amApp : InitDirectFB –1 003.279 Grabbing keyboard –1 003.279 Ungrabbing keyboard –1 003.279 amApp : InitSaWMan –1 003.279 AppMan: Process added (118) [1]! –1 003.279 AppMan: Process added (116) [2]! –1 003.279 AppMan: Window added (0,0-1x1) [1] — 1! 00 003.444 Using cabinet option 3, name VE8 A_NormalBass 00 003.444 /mnt/jffs0/rupg/tvplf/cetv/pqprivate found 00 003.444 PQ private flash file : Layout version = 8 ; Content version = 9 00 003.444 PQ private flash file : Project Id = 1 ; Branch Id = 0 00 003.444 version string: PRFPV_001.000.008.009********************** ipow_Init 1 0 00 003.444 /mnt/jffs0/rupg/tvplf/cetv/ambientlight found 00 003.444 Ambientlight flash file : Layout version = 3 ; Content version = 12 00 003.444 Ambientlight flash file : Project Id = 1 ; Branch Id = 0 00 003.489 version string: PRFAM_001.000.003.012i5100pow_Init 00 003.528 00 003.528 /mnt/jffs0/rupg/tvplf/cetv/pqpublic found 00 003.528 PQ public flash file : Layout version = 4 ; Content version = 11 00 003.528 PQ public flash file : Project Id = 1 ; Branch Id = 0 00 003.550 version string: PRFPB_001.000.004.011plfdmx_mdmx: DEBUG_ERROR_PRINT enabled 00 003.573 Platform Application from Dec 4 2009 10:29:04, 00 003.573 built on PC: BEQBRGBRG1TSS15 by user: beq00908 00 003.573 CCM_build_id: 00 003.573 Startup m_InitDoneBlunk: 0, m_InitDoneMain: 1 –1 003.597 Called icplfapisetup_pow_SetTvPower( 3 ) 00 003.894 Check TM download idrv_DspReady_Ready 00 003.972 Create Thread with priority 70 (=45) 00 003.972 Create Thread with priority 70 (=45) 00 003.972 Create Thread with priority 70 (=45) 00 003.972 Create Thread with priority 70 (=45) 00 003.972 Create Thread with priority 70 (=45) 00 003.972 Create Thread with priority 70 (=45) 00 003.994 Create Thread with priority 70 (=45) 00 003.994 Create Thread with priority 70 (=45) 00 003.994 Create Thread with priority 70 (=45) 00 003.994 Create Thread with priority 70 (=45) 00 004.012 Create Thread with priority 70 (=45) 00 004.020 PNX5100: Using PCI communication for all i2c write messsages!! 00 004.023 PNX5100: Input Wdw: 1944 1104 Output Freq: 100 00 004.025 PNX5100: Input Wdw: 1944 1104 Output Freq: 120 00 004.028 PNX5100: Hardware Id [5100hwid] 00 004.030 Software Id [20081111] 00 004.032 BootNvm Id [ 8] 00 004.035 5100 Drv GetBootstatus via PCI : 0 01 004.069 tvApp : entered main.… 00 004.077 TM download OK 01 004.079 amApp is passing 4 arguments 01 004.082 tvApp : Param 1 = 5 Param 2 = 4 01 004.085 Tvmain: start_Init called 00 004.119 5100 Drv GetBootstatus via PCI : 0 00 004.138 Firmware version 5.1 for TDA10048 succesfully downloaded 01 004.141 Using errlib version 0.9 00 004.152 Errlib 0.9 registered from process 164 01 004.193 (*) FusionDale/Config: Parsing config file ‘/etc/fusiondalerc’. 00 004.197 5100 Drv GetBootstatus via PCI : 2 00 004.199 PNX5100&&&&&& Bootstatus on 2 after 2 retries 01 004.212 *————–) FusionDale v0.1.1 (————–* 01 004.212 © 2006–2007 directfb.org 01 004.212 ———————————————– 01 004.220 (*) Fusion/SHM: NOT using MADV_REMOVE (2.6.18.0 < 2.6.19.2)! [0x02061200] 01 004.239 (*) Direct/Thread: Running ‘Fusion Dispatch’ (MESSAGING, 184)… 00 004.319 i5100pow_TurnOn 00 004.324 phatvEngine5100Proxy__pow_TurnOn using udma driver for autotv !!gOemRegTbl:0x3658C0 00 004.378 cetvbend_mpowon: iambl_SetState onoff = 0 00 004.523 cetvbend_mpowon: powon_TurnOn –1 004.559 AppMan: Process added (164) [3]! –1 004.630 icplfapisetup_powN_OnTvPowerChanged for state 3 01 004.788 svspow_m.c:2922::Start Init of svspow called.MsecSinceInit: 1791999667 01 004.794 svspow_m.c:2265::Wakeup Reason is RCX 01 004.819 svspow_m.c:2954::Quick Turn On Initiated 01 004.819 svspow_m.c:1380::Double call in InitialiseSoftware –1 004.947 AppMan: Window added (100,100-480x300) [2] — 0! –1 004.947 Border window attached –1 004.947 AppMan: Switch focus to 0x5132da00 [2] –1 004.947 AppMan: Window added (100,100-480x300) [3] — 1! –1 004.947 Audio node attached –1 004.957 amApp: Enabling keyboard –1 004.959 amApp: dst setup called for 2 –1 004.966 amApp: Enabling keyboard –1 004.969 amApp: dst setup called for 3 01 005.149 FUNCTION:hsveuins__impow_Init, LINE:219, InsStatus.Medium:255 01 005.165 MAINVIDEOWINDOW=2,sizeof(NoClearData):8,retval:0,retval1:0 01 005.332 svspow_m.c:1526::All Subsystems inited 00 005.335 cetvbend_mpowon: cetvambi_ambilight_Disable 01 005.379 mlock patch inited 01 005.410 svspow_m.c:3193::keywkp2n:Req pow = ON –1 005.413 HK_REQUEST_PS received for 5 01 005.417 GCK****************Hot key received by tvApp 01 005.417 svspow_m.c:4711::HK_PREPARE_PS received for cmd = 5 01 005.417 GCK******************Hot key prepare PS received by psc 01 005.417 svspow_m.c:4055::powctl_SetPowerMode to PscPowOn –1 005.424 Sending HK_PREPARE_PS to application index 1, window 0x5132da00 01 005.426 svspow_m.c:2854::REQUEST_PS for cmd: 5 01 005.458 svspow_m.c:1575::Reached SW Turn On 1 01 005.473 svspow_m.c:1634::Reached HandleTurnOn1Event with Event = 16 01 005.475 svspow_m.c:1634::Reached HandleTurnOn1Event with Event = 1 00 005.547 vpcecps__cecc2_SetOSDName len = 7 00 005.554 vpcecps__cecc2_SetDeviceVendorID len = 8 01 005.571 RB Analog file name /mnt/jffs0/boot/tv/hysvc/HsvAntennaAnalogTable 01 005.573 RB Digts file name /mnt/jffs0/boot/tv/hysvc/HsvAntennaDigPtcTable 01 005.575 RB digsrvc file name /mnt/jffs0/boot/tv/hysvc/HsvAntennaDigSrvcTable 01 005.577 FrequecnyMap file name /mnt/jffs0/boot/tv/hysvc/HsvAntennaFreqMapTable 01 005.708 Analog file::IsImmediateFlashUpdateReqd set to:0 01 005.710 RB Analog file open Sucessfull 01 005.712 Proceed1:1 01 005.714 generating dig tables 01 005.723 ANTENNA_FLASH_ANALOG_TABLE: records:36 01 005.725 RB Analog file closed 01 005.727 CurrentONID = 8948 01 005.730 euins_m:Medium from NVM = 0 01 005.732 Mohanan : Unable to open /mnt/jffs0/boot/tv/hysvc/HsvNITFreqListFile 01 005.748 Mohanan : Unable to open NITFreqList fileEPG: sysset_GetInstallCountry = 24 01 005.758 svspow_m.c:3586::cesvc powntf received for Ssby 01 005.760 svspow_m.c:1634::Reached HandleTurnOn1Event with Event = 2 01 005.782 svspow_m.c:750::Set has reached Semisby state 00 005.785 cetvbend_mpowon: iambl_SetState onoff = 0 01 005.820 svspow_m.c:1718::Reached SW Turn On 2 00 005.887 FUNCID_CEC_ONTRANSMITCOMPLETED 00 005.920 cetvbend_mpowon: iambl_SetState onoff = 0 01 005.998 cbmhgpow_mpow: selrqd_IsProgSelReqd = TRUE 01 006.002 <5> 6002 ZAP_BEGIN — SelectProgram 01 006.004 svspow_m.c:953::First Preset Seln made at 1792000884 01 006.178 svbas pgselN_OnProgramChangeRequested 01 006.180 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 1 01 006.310 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 16 00 006.317 FUNCID_CEC_ONTRANSMITCOMPLETED 01 006.338 svspow_m.c:3634::cesvc powntf received for ON 01 006.340 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 2 01 006.713 hsvprins: hsvprins__feapiN_OnStationFound 01 006.839 svspow_m.c:4595::First pgsel completed at 1792001718 01 006.843 svbas pgselN_OnProgramChangeCompleted 00 006.860 5100 Drv GetBootstatus via PCI : 2 00 006.863 cetvbend_mpowon: cetvdisplay_preheatN_OnEvent 00 006.865 cetvbend_mpowon: UpdateAmbientLight => cetvambi_ambl_SetState 00 006.986 m_FieldFreq = 50 00 006.988 Send DVP ValidSignal (576, 720, 50, 0, 0) 01 007.106 svspow_m.c:4759::Detected Mute = FALSE in vmtN 01 007.111 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 2048 01 007.113 RFS not found in environment 01 007.117 <5> 7116 ZAP_END — UnBlank 01 007.127 RFS not found in environment 01 007.129 FLASH system, mount request for partition 2 accepted 01 007.940 svspow_m.c:4766::flashopN_OnPartitionMounted::partitionid:2 01 007.961 svspow_m.c:4778::Sent flashopN_OnPartitionMounted::MOUNT_ON_EVENT hsvprins: hsvprins__feapiN_OnMeasReady 00 007.967 cetvbend_mpowon: cetvambi_ambilight_Disable 01 007.976 hsvprins: hsvprins__feapiN_OnMeasReady 00 008.013 mounted: 00 008.013 Mount check passes, 44 iterations 00 008.013 pffsN_OnMounted sets m_InitDoneBlunk to true 00 008.013 Startup m_InitDoneBlunk: 1, m_InitDoneMain: 1 01 008.180 svspow_m.c:1872::gfx setpower ON 01 008.187 svspow_m.c:1875::gfx powntf for ON 01 008.189 cbmhgpow_mpow: SetPower to ON 01 008.192 cbmhgpow_mpow: Turning On 01 008.221 cbmhgpow_mpow: OnPowerChanged 01 008.228 svspow_m.c:3428::cbmhg powntf received for ON 01 008.231 svspow_m.c:1913::cbmhg setpower On 01 008.377 svspow_m.c:1926::JUICE setpower On 01 008.393 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 16 01 008.399 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 256 –1 008.412 AppMan: Window added (0,0-852x480) [4] — 2! 01 008.418 Surface 0, PlaneId 2 in AttachSurface 00 008.793 argv[0] is /philips/bin/networkhelper 00 008.793 udhcpc gave me deconfig 00 008.793 HandleUdhcpcNotif : msgq is 32769 00 009.941 argv[0] is /philips/bin/networkhelper 00 009.941 udhcpc gave me bound 00 009.941 udhcpc gave me bound 00 009.941 IP address is 192.168.111.16 00 009.941 subnet mask is 255.255.255.0 00 009.941 $router is 192.168.111.1 00 009.941 First Gateway is 192.168.111.1 00 009.941 $dns is 62.2.24.162 62.2.17.61 62.2.24.158 00 009.941 DNS1 is 62.2.24.162 00 009.941 DNS2 is 62.2.17.61 00 009.941 Interface is eth0 00 009.941 HandleUdhcpcNotif : msgq is 32769 00 010.050 route: SIOC[ADD|DEL]RT: No such process 01 010.316 svspow_m.c:3497::juice powntf received for ON –1 010.343 AppMan: Window config — unhiding window –1 010.343 Relayout of window 4 –1 010.356 AppMan: Switch focus to 0x5132d600 [4] 01 010.369 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 512 01 010.376 svspow_m.c:1943::ceapps setpower On 00 010.415 (!!!) *** WARNING [color keying does not work on UPPER layer] *** [Philips/DirectFB/systems/cetvfb/primary.c:202 in get_color_minmax()] 01 010.568 Ceapps : Timer for CB BreakIn Timeout Started 01 010.651 svspow_m.c:3479::apps powntf received for ON 01 010.688 svspow_m.c:1803::Reached HandleTurnOn2Event with Event = 1024 01 010.729 svspow_m.c:693::Set Reached on state at 1792005608 01 010.729 svspow_m.c:755::Set has reached ON state 01 010.729 InitCehtvData done 01 011.054 hsvprins: hsvprins__feapiN_OnAfcFreqChanged 01 011.074 ReadCehtvData Configuration file /bffs1/product.xml could not be read 01 011.081 ReadCehtvData done, ConfigOK: FALSE 00 011.139 cetvbend_mpowon: iambl_SetState onoff = 1 00 011.142 cetvbend_mpowon: iambl_SetState onoff => cetvambi_ambl_SetState 00 011.148 cetvbend_mpowon: cetvambi_ambilight_Enable –1 011.259 HK_PREPARE_PS_DONE received for cmd: 5, src: 1 –1 011.259 Remaining PowerChangeBitmap: 0 –1 011.259 starting : /philips/apps/spettApp –1 011.259 starting : /philips/apps/media 01 011.273 svspow_m.c:2871::PREPARE_PS_DONE for cmd: 5 02 011.500 *————–) FusionDale v0.1.1 (————–* 02 011.500 © 2006–2007 directfb.org 02 011.500 ———————————————– 02 011.511 Using errlib version 0.9 02 011.511 ***SPETT*** FusionDale Init done 02 011.511 ***SPETT*** Windows created 00 011.516 Errlib 0.9 registered from process 222 00 011.516 *** DirectFB Surface allocation FALLBACK! Acquiring id 6 with size 376320 –1 011.520 AppMan: Process added (222) [4]! –1 011.520 AppMan: Window added (0,0-800x600) [5] — 0! –1 011.520 Border window attached –1 011.520 AppMan: Window added (100,100-672x280) [6] — 2! –1 011.520 AppMan: Window config — unhiding window –1 011.520 AppMan: Switch focus to 0x5132d200 [6] 02 011.535 Event class: DFEC_WINDOW 00 011.579 FUNCID_CEC_ONTRANSMITCOMPLETED 03 011.896 MediaApp: Initalized and running 00 011.898 FUNCID_CEC_ONTRANSMITCOMPLETED 03 011.978 (*) FusionDale/Config: Parsing config file ‘/etc/fusiondalerc’. 03 011.978 *————–) FusionDale v0.1.1 (————–* 03 011.978 © 2006–2007 directfb.org 03 011.978 ———————————————– 03 011.978 (*) Fusion/SHM: NOT using MADV_REMOVE (2.6.18.0 < 2.6.19.2)! [0x02061200] 03 011.978 (*) Direct/Thread: Running ‘Fusion Dispatch’ (MESSAGING, 240)… 03 012.007 Using errlib version 0.9 03 012.007 MediaApp: Call back Init from gplib 00 012.012 Errlib 0.9 registered from process 223 00 012.041 FUNCID_CEC_ONTRANSMITCOMPLETED 02 012.088 ***SPETT*** All inits done 02 012.093 ***SPETT*** gpilib.startr.Init done 03 012.215 arunkp: mplfabsav2_m.c: 209: mplfabsav2__pow_Init: –1 012.315 AppMan: Process added (223) [5]! 03 012.349 MediaApp: Gfx Init done 03 012.575 mediaApp: fusiondale Init, register called 03 012.575 mlock patch inited –1 012.579 AppMan: Window added (100,100-480x300) [7] — 0! –1 012.579 Border window attached –1 012.579 AppMan: Switch focus to 0x51334000 [7] –1 012.579 AppMan: Window added (100,100-480x300) [8] — 1! –1 012.579 Audio node attached –1 012.597 AppMan: Switch focus to 0x51334000 [7] 03 012.637 Network enabled and available — enabling allegro 03 012.639 allegroenb_Enable 03 012.974 The address is: 192.168.111.16 03 012.978 arunkp: mplfabsav2_m.c: 219: mplfabsav2__pow_TurnOn: –1 013.088 AppMan: Window added (0,0-852x480) [9] — 2! 00 013.097 *** DirectFB Surface allocation FALLBACK! Acquiring id 0 with size 410880 03 013.101 Surface 0, PlaneId 2 in AttachSurface 00 013.117 (!!!) *** WARNING [color keying does not work on UPPER layer] *** [Philips/DirectFB/systems/cetvfb/primary.c:202 in get_color_minmax()] 03 013.239 Infrastructure Resource Gained by mediaApp 03 013.242 (resourcechanged && !(ResourceOwned & FULL_STATE) : Setting mappstate_mediaIdle –1 013.292 AppMan: Window config — unhiding window 03 013.363 Census Found device uuid: 898f9738-d930-4db4-a3cf-000934278452 03 013.367 DeviceType: schemas-upnp-org:device:MediaServer:1 00 013.458 ***GVC: T2 — ceisusb_m.c (951): “usbdevspN_OnDeviceError( DeviceUnknownAttachedError, –1 )” notification given 03 013.699 Deepak status = 0 03 013.701 Adding new device to list 03 013.708 McSubscribe returned 0 00 014.473 ***GVC: T2 — ceisusb_m.c (951): “usbdevspN_OnDeviceError( DeviceUnknownAttachedError, –1 )” notification given 01 019.016 <5> 19014 ZAP_BEGIN — SelectProgram 01 019.087 svbas pgselN_OnProgramChangeRequested 01 019.602 hsvprins: hsvprins__feapiN_OnStationFound 01 019.621 svbas pgselN_OnProgramChangeCompleted 00 019.870 m_FieldFreq = 50 00 019.872 Send DVP ValidSignal (576, 720, 50, 0, 0) 01 019.947 <5> 19945 ZAP_END — UnBlank 01 020.413 hsvprins: hsvprins__feapiN_OnMeasReady 01 020.420 hsvprins: hsvprins__feapiN_OnMeasReady –1 020.429 Forwarding event to /philips/apps/tveu –1 020.727 Forwarding event to /philips/apps/tveu –1 020.727 Forwarding event to /philips/apps/tveu –1 020.974 Forwarding event to /philips/apps/tveu –1 020.974 Forwarding event to /philips/apps/tveu –1 021.210 Forwarding event to /philips/apps/tveu –1 021.210 Forwarding event to /philips/apps/tveu –1 021.425 Forwarding event to /philips/apps/tveu –1 021.425 Forwarding event to /philips/apps/tveu –1 021.650 Forwarding event to /philips/apps/tveu –1 021.650 Forwarding event to /philips/apps/tveu –1 021.914 Forwarding event to /philips/apps/tveu –1 022.827 Forwarding event to /philips/apps/tveu –1 023.086 Forwarding event to /philips/apps/tveu 00 024.139 — pass 0 — 00 024.142 freeMem : 27212 00 024.144 pgmajfault : 0 00 024.146 sectorsread: 11426 |
Force Firmware update:
In case the download application has been started manually, the “autorun.upg” will maybe not be recognized. What to do in this case:
1. Create a directory “UPGRADES” on the USB stick.
2. Rename the “autorun.upg” to something else, e.g. to “software.upg”. Do not use long or complicated names, keep it simple. Make sure that “AUTORUN.UPG” is no longer present in the root of the USB stick.
3. Copy the renamed “upg” file into this directory.
Firmware update log:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 | “Launching SW Download Application From Boot2“ checking hotboot: NO Standby version 35.x.1.13 Expected standby version 36.x.0.0 (or higher), please update your standby image start_Init clearing m_InitDoneBlunk Using errlib version 0.9 Errlib 0.9 registered from process 135 13387 — RefereRW partition: 4 mounting partition 4 to jffs2 file system passed RW partition: 5 mounting partition 5 to jffs2 file system passed mounted: Mount check passes, 0 iterations mounted: Mount check passes, 0 iterations pffsN_OnMounted sets m_InitDoneBlunk to true InitCehtvData done ReadCehtvData Configuration file /bffs1/product.xml does not exist ReadCehtvData done, ConfigOK: FALSE Could allocate 36701184. Startup m_InitDoneBlunk: 1, m_InitDoneMain: 1 /mnt/jffs0/rupg/tvplf/cetv/display found — Layoutcheck OK Display flash file : Layout version = 8 ; Content version = 28 Display flash file : Project Id = 1 ; Branch Id = 58 version string: DISPT_001.058.008.028 Using screen option 143, name LCD LGD WUF SAC1 42″ MMIO address obtained from pnx5xxx drv = 0x28000000 redirecting 1 to 22 00 015.088 redirecting 2 to 23 00 015.091 ***GVC: T2 — ceisusb_m.c (951): “usbdevspN_OnDeviceError( DeviceUnknownAttachedError, –1 )” notification given 00 015.093 ***GVC: T2 — ceisusb_m.c (951): “usbdevspN_OnDeviceError( DeviceUnknownAttachedError, –1 )” notification given 00 015.095 ***GVC: T2 — ceisusb_m.c (817): “usbdevspN_OnPhysicalDeviceConnected( 0 )” notification given… 00 015.270 startr_init 00 015.270 Startup m_InitDoneBlunk: 1, m_InitDoneMain: 1 00 015.372 gfxptr: 2de8d000 00 015.372 malloc 776527880 00 015.378 S18,0,Q591E_0.100.0.0 00 015.430 Go!!!!!!! 00 018.092 ***GVC: T2 — ceisusb_m.c (1199): “usbdevspN_OnNewDevice( 0 )” notification given. 00 018.242 ***GVC: T2 — ceisusb_m.c (1408): “usbdevspN_OnDriveMounted( 0 )” notification given 00 018.244 OnDriveMounted : 0 00 018.247 ceapps OnUpgradesChanged : 2 00 018.281 Amount of upgs on usb 1 00 018.645 1 upgs found on USB. Press right to enter the list. 00 018.645 sw <— Upgrade now 00 018.645 Software is equal or older, 00 018.645 — press OK to stop 00 018.645 - press down + OK to continue 00 052.837 L: 0% … 00 088.345 L: 98% 00 088.608 ReadCehtvData done, ConfigOK: FALSE 00 088.887 V: 0% … 00 105.628 V: 100% 00 106.169 P: 0% 00 106.709 P: 0% 00 106.786 /data/boot/* is being scanned for size 00 106.788 current flashsize: 16: 00 106.791 current flashsize: 84908: 00 106.793 /data/data/* is being scanned for size 00 106.867 current flashsize: 5380224: 00 106.869 /squash/* is being scanned for size 00 106.871 current flashsize: 14358656: 00 106.873 /bffs3/* is being scanned for size 00 106.875 current flashsize: 16882143: 00 106.877 current flashsize: 17629790: 00 106.879 current flashsize: 18374492: 00 106.881 /bffs2/* is being scanned for size 00 106.883 current flashsize: 18387152: 00 106.885 current flashsize: 18387227: 00 106.887 current flashsize: 23047555: 00 106.889 current flashsize: 23148767: 00 106.891 current flashsize: 24189379: 00 106.893 current flashsize: 25783095: 00 106.900 m_JffsMounted = 3 00 106.902 Sync called 00 106.904 Sync DONE 00 106.906 CheckUnMount: /mnt/jffs0 00 106.909 /mnt/jffs0 is mounted 00 106.911 Unmount /mnt/jffs0 00 106.915 /mnt/jffs0 is not mounted 00 106.917 umounting /mnt/jffs0 ok 00 106.919 umounting partition 4 from jffs2 file system passed 00 106.921 Sync called 00 106.923 Sync DONE 00 106.925 CheckUnMount: /mnt/jffs1 00 106.927 /mnt/jffs1 is mounted 00 106.929 Unmount /mnt/jffs1 00 106.935 /mnt/jffs1 is not mounted 00 106.936 umounting /mnt/jffs1 ok 00 106.938 umounting partition 5 from jffs2 file system passed 00 107.249 P: 0% 00 107.790 P: 0% 00 108.156 Format succesfull 00 108.157 Totalsize flashed: 0, TotalProgramSize: 25783095 00 108.160 m_JffsMounted = 0 00 108.162 spawning flash_eraseall 00 108.164 param: flash_eraseall 00 108.166 param: –q 00 108.168 param: /dev/mtd5 00 108.329 P: 0% 00 109.949 P: 0% 00 110.015 status: 1 ‚erasing partimage partition succesfull 00 110.017 Totalsize flashed: 0, TotalProgramSize: 25783095 00 110.020 m_JffsMounted = 0 00 110.490 P: 0% 00 110.829 Format succesfull 00 110.832 Totalsize flashed: 0, TotalProgramSize: 25783095 00 110.860 m_JffsMounted = 0 00 110.862 Totalsize flashed: 0, TotalProgramSize: 25783095 00 110.890 m_JffsMounted = 0 00 110.892 JFFS found to write /data/boot/tv 00 110.996 mounting partition 4 to jffs2 file system passed 00 110.998 Totalsize flashed: 0, TotalProgramSize: 25783095 00 111.030 P: 0% 00 111.569 P: 0% 00 112.060 m_JffsMounted = 1 00 112.062 Sync called 00 112.065 Sync DONE 00 112.067 CheckUnMount: /mnt/jffs0 00 112.070 /mnt/jffs0 is mounted 00 112.072 Unmount /mnt/jffs0 00 112.076 /mnt/jffs0 is not mounted 00 112.078 umounting /mnt/jffs0 ok 00 112.080 umounting partition 4 from jffs2 file system passed 00 112.082 JFFS found to write /data/data/tv 00 112.112 P: 0% 00 112.649 P: 0% 00 112.878 mounting partition 5 to jffs2 file system passed 00 112.880 Totalsize flashed: 84908, TotalProgramSize: 25783095 00 113.189 P: 0% … 00 127.229 P: 19% 00 127.330 m_JffsMounted = 2 00 127.332 Sync called 00 127.769 P: 19% 00 128.016 Sync DONE 00 128.018 CheckUnMount: /mnt/jffs1 00 128.020 /mnt/jffs1 is mounted 00 128.022 Unmount /mnt/jffs1 00 128.058 /mnt/jffs1 is not mounted 00 128.060 umounting /mnt/jffs1 ok 00 128.062 umounting partition 5 from jffs2 file system passed 00 128.064 v1 squash 00 128.066 Totalsize flashed: 5380224, TotalProgramSize: 25783095 00 128.068 spawning nandwrite 00 128.070 param: nandwrite 00 128.072 param: –z 00 128.074 param: 8978432 00 128.076 param: /dev/mtd5 00 128.077 param: /philips/pipe 00 128.095 execute nandwrite OK 00 128.309 P: 19% … 00 139.991 Writing data to block 88c000 00 141.206 P: 54% 00 141.206 /philips/pipe could is closed 00 141.206 m_JffsMounted = 0 00 141.206 Totalsize flashed: 14358656, TotalProgramSize: 25783095 00 141.206 P: 54% … 00 150.430 P: 70% 00 150.432 m_JffsMounted = 0 00 150.434 Totalsize flashed: 18374492, TotalProgramSize: 25783095 00 150.970 P: 70% … 00 168.791 P: 98% 00 169.280 m_JffsMounted = 0 00 169.282 Totalsize flashed: 25783095, TotalProgramSize: 25783095 00 169.331 P: 100% 00 169.333 Completed !! 00 169.511 Operation Successful! Remove all inserted media and restart the TV set. |
60 Comments
1 topsy.com wrote:
2 lbpb wrote:
Hi,
I’d like to root my TV too. I tried to look at the FW upgrade and as you wrote there are several parts with lots of repetition. So it is probably just obfuscated but not really encrypted or at least not all of it. My guess is that it is some kind of structure/archive just xored with some key, but then this archive contains compressed files, however just unobfuscating it might reveal useful info. Anyway I couldn’t get any further for now. Other notes: my 8664 has port 80 open, but not answering to any request I tried. Port 8080 seems closed. There is a guy claiming to have fw sources: http://www.avforums.com/forums/lcd-led-lcd-televisions/1119695-there-any-custom-firmware-philips-televisions-firmware-editor-maybe.html (will try to contact him).
3 rooter wrote:
Hi,
I had a look at the newer firmware for the current 8xxx series.
First, I stripped off the header and the, I think, signature to obtain the encrypted part. Then, I looked at all 16 byte blocks, sorted and counted them. One block occured very often, about 5000 times. Searching this block in the file revealed large areas with this block repeated in them. I found more then 100 separate areas distributed over the whole file.
IMO this shows that the whole file is encrypted with the same 128 bit block algorithm. I think the encrypted repetitious block contains fill bytes, either all 0x00 or all 0xff.
I think it’s definitely no XOR chiffre. In that case I would assume that some of the 16 byte block before the repeated areas would show some bytes of the repeated block in its last bytes, since I would assume that some of the previous areas wouldn’t end at a 16 byte boundary and hence end with the fill byte. But that’s apparently nowhere the case.
You should use your draca tool again, but only on the encrypted part. Maybe we get some information about the block chiffre used that way. But I assume it’s not so easy to crack the key, even if I assume the cleartext to be known.
Another way would be to either solder off the NAND flash and read it out, or use a JTAG interface to read the NAND flash through the CPU. Not easy either…
4 lbpb wrote:
I still think it’s just xor, for 2 reasons:
1– it would be very stupid to use more advanced crypt and still encrypt every 128 bit block individually. Of course you could use more advanced block modes with xor too, but if you are just trying to lightly obfuscate, then it can make sense to just apply a simple xor;
2– for some of the repeated blocks, there are also some nearby blocks that begin with the same bytes but end differently and some that end with the same bytes but begin differently. If it were a more advanced crypto, this would be very improbable.
Of course this is not a guaranteee…anyway my next step is: take every block that repeats several times, xor the whole file with it and see if with any of them I get anything more interesting. This won’t work very well if different parts of the file are “coded” with different xor keys. Will post results.
5 michu wrote:
The draca results do not differ if I run it against the header-less firmware file.
I also assume the 160 bytes in the header is the signature of the firmware.
There are similar patterns in each firmware, but never the SAME — so the key has to be different in each firmware (check http://www.neophob.com/serendipity/index.php?/archives/183-Firmware-Visualizer-fwimage.html).
Perhaps the ASCII text in the header is part of the key? (something like Q591E-0.100.0.0_)?
6 lbpb wrote:
Well trying to xor with the patterns didn’t lead anywhere. Also the non aligned blocks are very few and might be caused by encrypting different sections of the file individually. Just of note is that one single 128 bit block is repeated 5000 times, spread throughout the whole file, while the second most frequent block appears just about 500 times and is much more localized.
7 rooter wrote:
It’s presumably some kind of block chiffre with a 128 bit key. As if the 128 bit key size isn’t enough of a challenge, deducing which encryption algorithm was used might be possible for a crypto expert, but not for me.
The best bet might really be to somehow read out the NAND flash. Presuming that the partition content is not encrypted, we could read out the software and use a disassembler to learn how it works — there’s one for MIPS in the objdump GNU utility.
Defective SSB’s anyone? Any current Philips TV with a firmware structure like this would be eligible.
8 michu wrote:
The firmware is encrypted with blowfish/AES/… as a simple xor does not decrypt the file. The key differs in each release…
9 Tom wrote:
Regarding the binary garbage on the serial interface in the Jett mode: this looks like a bitrate/mode mismatch on the serial line. Try other speed settings. And don’t rely on the “console=ttyS1,38400n8” statement. I’ve seen kernels which just ignored settings passed by the bootloader and used hardcoded values.
Good luck! :-)
10 lbpb wrote:
Models with NetTV also have an internal Opera 9.5 browser, with javascript support but no flash/macromedia. It might be possible to use some opera exploit but I couldn’t find any for MIPS architecture…
11 rooter wrote:
Hmm… that idea is not bad.
Metasploit has some opera exploits, and a shell payload for MIPS linux. The busybox configuration from the open source publication pack suggests that there’s no shell, hence another payload would have to be developped — an exec of “busybox” for a list of the really available commands would be the first thing to do.
Anyway, the first thing to verify is that the browser is really vulnerable for one of the known exploits.
12 michu wrote:
I used those unknown 160 bytes in the header to decrypt the firmware, I tried AES-128-ECB, IDEA-ECB, DES, BLOWFISH, I used the key as little endian or big endian — without success.
—
#!/bin/bash
for i in {0..146}
do
echo “———- $i“
dd if=key of=key.tmp bs=1 count=16 skip=$i 2> /dev/null
openssl aes-128-ecb –d –nosalt –in nohde –out decr.xxx –kfile key.tmp
dd if=decr.xxx skip=28554720 bs=1 count=128 2> /dev/null| hexdump –Cv
done
—
13 lbpb wrote:
Apparently my tv is not affected by the exploit I found on Metasploit (I just found 1 anyway, if you found more then I must have missed something).
14 michu wrote:
hmm why is the firmware file-size 28’750’876 (-732 bytes header) bytes while the flashed size is only 25’783’095 bytes (Totalsize flashed: 25783095, TotalProgramSize: 25783095)? What are the remaining 2’967’049 bytes?
15 michu wrote:
Ok those 160 bytes in the header are really a signature, I nulled out those 160 bytes and tried to flash it. The validation process fails:
00 052.448 V: 93%
00 052.989 V: 97%
00 053.439 Invalid Firmware! Bad checksum or bad signature.
16 michu wrote:
I just found an interesting note in the service manual:
The set software and security keys are stored in a NAND– Flash, which is connected to the PNX8541 via the PCI bus.
17 rooter wrote:
That’s why I asked for defective PCB’s :-)
18 michu wrote:
Infos about “Option number” in the SAM Menu:
The first line (group 1) indicates hardware options 1 to 4.
The second line (group 2) indicates software options 5 to 8.
19 alterpeople wrote:
fixing a q591e –la with mpeg4 hardware actived wrongly.
Booting with jetfiles, connect the compair, select q52x
use nvm editor and set the address 0124 the value 42
;-)
20 alterpeople wrote:
the same for value must be changed for 10EF and 16E8 location addresses .
enjoy
;)
21 Joao wrote:
I do not currently own a Philips Net TV but I’m considering buying one. Someone please correct me if I’m wrong but these TV models do not have Bluetooth support. From what I read so far, text input is cumbersome (not only on the Philips but on every other brand), so Bluetooth would be good in order to have a wireless keyboard. Playstation, for instance, supports a Bluetooth keyboard. Being able to change the firmware would have, at least, one interesting objective: adding Bluetooth support!
22 michu wrote:
hey joao
You’re right, there is no bluetooth hardware installed, at least not on my model.
23 Steve wrote:
That’s why I asked for defective PCB’s :-)
24 Baris wrote:
I am trying to make an EIB cable but I am without luck.
Does the serial port of the TV need to be activated somehow?
I made a “stereo jack to serial” which I linked to a serial to USB dongle. I tried both 115200 and 38400 baud.
Do I need to enable/disable software or hardware control in the terminal program?
25 michu wrote:
I also use an USB dongle, without any problems, terminal settings: 38400 Baud 8N1. try to switch rx and tx. and you see log messages if you startup the tv or press some keys on the rc.
26 MartiniB wrote:
just idea, the key(or index of it) can be in the header
i have compared two same version(Release for TV520 R2:Q591E-0.83.0.0 Generation date:29/09/2008 13:44:08) firmwares
!!! version is the same but different autorun.upg
first 543 butes are exactly same
544 to 703 ???????????
704 to 728 plain text “Q591E-0.83.0.0_commercial“
729 to 28648764 ???????????
27 michu wrote:
I dont think so — I assume this bytes in the header are an encrypted checksum (sha1 or something) — check the article, I nulled out those bytes and tried to upload this firmware. It failed btw ;)
28 Terap wrote:
Some LG info,
http://www.lg-hack.info/ is an LG LCD TV hacking website, with details on unpacking/repacking the EPK/PAK firmware files.
openlgtv, http://mikko.korkalo.fi/openlgtv/ is a Linux distribution that replaces the LG official firmware.
29 Mark Zocher wrote:
Wow, you’ve gotten way further with this project than I ever did! (see http://www.myrejectedprojects.com/2010/09/hacking-my-philips-tv/). Did you see the progress the SamyGo project has made on the Samsungs? (http://samygo.sourceforge.net)
30 Bert wrote:
I’m also looking for connection to my Philips TV. The Help mentions BusyBox, which reminds me of the Xtreamer. The Xtreamer can be reached by putting some .php files on a USB device and “open” one of these (fakeshell.php). Files can be found at http://www.mavvy.net
31 bla wrote:
Found following in http://www.scribd.com/doc/23986104/Philips-Ch-q529-1e-Lb:
ReadCehtvData ConfigVersion: [0.01] OK
ReadCehtvData ProductID: [Q591E] OK
ReadCehtvData OUI: [0000903E] OK
ReadCehtvData HardwareModel: [0203] OK
ReadCehtvData HardwareVersion: [0100] OK
ConvertAscii2Bin started
ConvertAscii2Bin done
ConvertAscii2Bin started
ConvertAscii2Bin done
ReadCehtvData PublicKey: OK
ReadCehtvData done, ConfigOK: TRUE
—>
ReadCehtvData PublicKey: OK means that it uses some asymmetric encryption or?
32 michu wrote:
yes, but I don’t know whats meant with “ReadCehtvData PublicKey”. There is a signed part in the firmware header and there are also stored key’s in the eeprom of the tv.
33 bla wrote:
160 Byte is 1280 bit. There is also RSA-1280. Is RSA used here?
34 none wrote:
No firmware hack, but access to the tv via network allows remote control and streaming to the ‘TV’: http://sourceforge.net/apps/mediawiki/jointspace/index.php?title=Introduction
35 michu wrote:
I don’t have a clue, what kind of encryption is used here…
36 rysmario wrote:
the file seems to be compressed too.. referring to Q5551_v1.140.27.0.upg upgrade log 81mb Update ‘iStoredSize’ are cumulated 81190368 bytes whereas the image payload is only 74936429 bytes large.
encryption must be 128bit block-cypher — if i take the image apart referring to the header details — it is padded to fit 16byte blocks…
37 bak wrote:
may provide a clue on algorithms used (gzip, sha1) — at least on this 58″
http://www.p4c.philips.com/files/5/58pfl9955h_12/58pfl9955h_12_osr_eng.txt
38 michu wrote:
Good Idea, here are the relevant infos:
TomCrypt (http://libtomcrypt.com/index.old.html.LibTomCrypt)
OpenSSL
Adler-32 CRC (http://en.wikipedia.org/wiki/Adler-32)
SHA1 algorithm (http://gladman.plushost.co.uk/oldsite/cryptography_technology/sha/sha2-07–01-07.zip)
39 bla wrote:
Someone tried to write a Hello-World programm and to execute with the Jett mode?
40 bla wrote:
Here is EEPROM-dump of 42pf9631d :
http://www.badcaps.net/forum/showthread.php?t=9751
41 Mark wrote:
It seems that the unique way to read the NVM is to dismantle it from the tv’s pcb. No manual edit mode ? HyperTerminal on service UART is able to show logs only, what about a way to enter as root so making read and write possible? Thanks for some answer.
42 Joshua wrote:
Here anther NVM dump:
http://dump.elektroda.pl/download13244.html
43 ScripTrix wrote:
Have u take a look to the HELPFILE UPG ?
it’s no “Version Header” only 00h.
From 211h — 2DF is crypt stuff/header or so ? however the comercial string is present with a parm ->
xxxxx_commercial.FORCEUPGRADE
44 michu wrote:
which helpfile.upg?
45 ScripTrix wrote:
e.g. for my TV 7605 -> http://www.p4c.philips.com/files/4/40pfl7605h_12/40pfl7605h_12_mus_deu.zip
It’s a ~3 MB File including the Helpsystem manual
46 gigirex wrote:
Hi!
Did you have the HsvAntennaDigSrvcTable file format?
Thanks
47 George wrote:
Interesting info on the ComPair & Jett files: http://www.scribd.com/doc/53185886/philips-ComPair-training-20January-2008
48 Ian wrote:
I’ve just realised that my Phillips TV runs Linux. I was so exited. Then the disappointment of finding there is no way in yet. One huge hole in the GPL, yes you can download the source, yes you can modify it and compile it, no you can’t run it because you can’t sign it!
49 Recep wrote:
Try binwalk. I used it to analyze son bravia firmware
50 Detektei wrote:
Is there a chance to upgrade the unsupported Firmware of 37PFL8404..?
51 Anonymous wrote:
I don’t think you can decrypt the firmware very easy. This series powerPC processors has on-chip fuses which can’t be read back an internal processor can use these data do decrypt data. probably an AES-key is stored there.
Without: the private AES-key, much-patient in bruteforce, rainbow-tables or corrupt Phillips employees you are at an dead end.
At the company where I work we use this processor in a SetTopBox with no smartcard. The key programmed in the fuses is the identification of the box.
52 corecoder wrote:
A different vector than firmware:: the Nettv series run Opera 10 and it’s possible to enter any URL. It supports Javascript and the 2011 TVs support SWF. Any ideas if or how this can be exploited?
53 bkgg wrote:
Well, I’m no pratitioner, but maybe 2 cents from me.
Regarding the Encryption:
With my model, a xxpfl5xxx, if you want to record something (regardless of timeshift or normal) the TV wants to format a connected HDD. The manual states, that you cant use this HDD in this condition otherwise.
This could either be because its formated for Linux, or because its encrypted. In latter case, maybe its made with the same method and key as the firmware, because it has to be decoded again, and why use a second key for this. That would add cost.
Other possibility would be jointspace. Your articel is now 2 years old, and it has probably more functions now than then.
First the webserver is now in use with xxPFL5xx6 to xxPFL9xx6 models. Via port 1925 you can use some GET and two POST methods. SO no big deal for rooting I gues.
But Jointspace has a lot of methods in use. With this you can prorgamm software which is executed on your PC but shown on your TV. So maybe, if there is a weakness in their drawing function it is possible to activate telnet through a pufferoverflow or something like this.
(For example there is software for just showing your monitor on TV via ethernet or for playing Doom, controlled by remotecontrol http://jointspace.sourceforge.net/download.html )
54 corecoder wrote:
The HDD is not encrypted, just formatted as extfs. But the recordings are encrypted to only allow playback on the TV they were recorded -> maybe this?
There also is an exploit for the Allegro Rompager Webserver:: http://www.securiteam.com/exploits/5XP0M0UCUO.html
But I’m no expert on how to use this.
55 Anonymous wrote:
This is the public key from the TV used as cookie to identify a debug USB stick during bootup (from /proc/public_key).
Maybe this is also used for the Firmware?
MIME-Version: 1.0
Content-Type: application/octet-stream; name=“public_key256.out“
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=“public_key256.out”
QYMOXtEEAtDq1L/2xwExIU6qcuV4njMeDz68CCwzpoFTlgrK6IfrefrAe1R/jfLJBAOCKN+tf8Vt
D/9n9W1Z/GWJYEFEe7hT5H2U+hxMBOnhGGJ3Ggl2JtPccEhOdXWL3uCZ8bqjCSghP6qtAEfZzG1Z
BH+aE/jnhHD5UO+4gvqEqWM4TrpgY9DM4zYhOCEnLsIa24zoygMmNTnLkEYTftmlqgqrhg01X87w
77ptPRskrxnm71z4BCMDXedmzKaw/lIEvfIuDYlGqSUOmQCv3m4YW1gddqymMu/yNyKnC5zr5gvE
0cExBC05MkyFaU9365LJBongz5Rr0WIFuU7GvwEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
56 Anonymous wrote:
I forgot — this is the key from the PFL 7xx6 series
57 pippo wrote:
@55: where did you get that public key from?
And what’s the debug usb stick is supposed to do?
58 Anonymous wrote:
/proc/public_key is used to decrypt UPG. But it must be 256 bytes. This key is too big.
59 Anonymous wrote:
The file has 512 bytes, yes, but if you look at the hex dump, only the first 256 bytes have useful “randomlike” values. The remaining bytes are 01 00 01 00 00 00 00 …
60 Anonymous wrote:
01 00 01 00 00… is a well-known RSA public exponent, while first half of the file is a RSA modulus.
UPG is crypted using AES-256. Decryption key and SHA-1 checksum are stored in RSA crypted block (0x220-0x2A0).
To decrypt 128 bytes you will need a modulus of 128 bytes, not 256.
One Trackback