Comments on: Root my TV: Hack Philips PFL9703

By: corecoder

corecoder — Fri, 20 Jan 2012 22:10:08 +0000

The HDD is not encrypted, just formatted as extfs. But the recordings are encrypted to only allow playback on the TV they were recorded -> maybe this?

There also is an exploit for the Allegro Rompager Webserver:: http://www.securiteam.com/exploits/5XP0M0UCUO.html
But I’m no expert on how to use this.

By: bkgg

bkgg — Sun, 08 Jan 2012 11:09:40 +0000

Well, I’m no pratitioner, but maybe 2 cents from me.

Regarding the Encryption:
With my model, a xxpfl5xxx, if you want to record something (regardless of timeshift or normal) the TV wants to format a connected HDD. The manual states, that you cant use this HDD in this condition otherwise.
This could either be because its formated for Linux, or because its encrypted. In latter case, maybe its made with the same method and key as the firmware, because it has to be decoded again, and why use a second key for this. That would add cost.

Other possibility would be jointspace. Your articel is now 2 years old, and it has probably more functions now than then.
First the webserver is now in use with xxPFL5xx6 to xxPFL9xx6 models. Via port 1925 you can use some GET and two POST methods. SO no big deal for rooting I gues.
But Jointspace has a lot of methods in use. With this you can prorgamm software which is executed on your PC but shown on your TV. So maybe, if there is a weakness in their drawing function it is possible to activate telnet through a pufferoverflow or something like this.
(For example there is software for just showing your monitor on TV via ethernet or for playing Doom, controlled by remotecontrol http://jointspace.sourceforge.net/download.html )

By: corecoder

corecoder — Fri, 16 Dec 2011 16:39:22 +0000

A different vector than firmware:: the Nettv series run Opera 10 and it’s possible to enter any URL. It supports Javascript and the 2011 TVs support SWF. Any ideas if or how this can be exploited?

By: Anonymous

Anonymous — Mon, 05 Dec 2011 21:22:15 +0000

I don’t think you can decrypt the firmware very easy. This series powerPC processors has on-chip fuses which can’t be read back an internal processor can use these data do decrypt data. probably an AES-key is stored there.

Without: the private AES-key, much-patient in bruteforce, rainbow-tables or corrupt Phillips employees you are at an dead end.

At the company where I work we use this processor in a SetTopBox with no smartcard. The key programmed in the fuses is the identification of the box.

By: Detektei

Detektei — Sun, 06 Nov 2011 23:28:11 +0000

Is there a chance to upgrade the unsupported Firmware of 37PFL8404..?

By: Recep

Recep — Mon, 03 Oct 2011 22:24:26 +0000

Try binwalk. I used it to analyze son bravia firmware

By: Ian

Ian — Sat, 30 Jul 2011 18:25:47 +0000

I’ve just realised that my Phillips TV runs Linux. I was so exited. Then the disappointment of finding there is no way in yet. One huge hole in the GPL, yes you can download the source, yes you can modify it and compile it, no you can’t run it because you can’t sign it!

By: George

George — Fri, 22 Jul 2011 16:56:51 +0000

Interesting info on the ComPair & Jett files: http://www.scribd.com/doc/53185886/philips-ComPair-training-20January-2008

By: gigirex

gigirex — Mon, 18 Jul 2011 14:32:23 +0000

Hi!
Did you have the HsvAntennaDigSrvcTable file format?
Thanks

By: ScripTrix

ScripTrix — Wed, 23 Feb 2011 07:55:03 +0000

e.g. for my TV 7605 -> http://www.p4c.philips.com/files/4/40pfl7605h_12/40pfl7605h_12_mus_deu.zip

It’s a ~3 MB File including the Helpsystem manual

By: michu

michu — Tue, 22 Feb 2011 08:34:34 +0000

which helpfile.upg?

By: ScripTrix

ScripTrix — Tue, 22 Feb 2011 08:11:31 +0000

Have u take a look to the HELPFILE UPG ?
it’s no “Version Header” only 00h.
From 211h — 2DF is crypt stuff/header or so ? however the comercial string is present with a parm ->
xxxxx_commercial.FORCEUPGRADE

By: Joshua

Joshua — Wed, 09 Feb 2011 22:19:25 +0000

Here anther NVM dump:
http://dump.elektroda.pl/download13244.html

By: Mark

Mark — Wed, 02 Feb 2011 03:39:57 +0000

It seems that the unique way to read the NVM is to dismantle it from the tv’s pcb. No manual edit mode ? HyperTerminal on service UART is able to show logs only, what about a way to enter as root so making read and write possible? Thanks for some answer.

By: bla

bla — Tue, 18 Jan 2011 15:31:59 +0000

Here is EEPROM-dump of 42pf9631d :
http://www.badcaps.net/forum/showthread.php?t=9751

By: bla

bla — Tue, 18 Jan 2011 15:11:23 +0000

Someone tried to write a Hello-World programm and to execute with the Jett mode?

By: michu

michu — Wed, 12 Jan 2011 16:21:44 +0000

Good Idea, here are the relevant infos:
TomCrypt (http://libtomcrypt.com/index.old.html.LibTomCrypt)
OpenSSL
Adler-32 CRC (http://en.wikipedia.org/wiki/Adler-32)
SHA1 algorithm (http://gladman.plushost.co.uk/oldsite/cryptography_technology/sha/sha2-07–01-07.zip)

By: bak

bak — Wed, 12 Jan 2011 16:00:49 +0000

may provide a clue on algorithms used (gzip, sha1) — at least on this 58″

http://www.p4c.philips.com/files/5/58pfl9955h_12/58pfl9955h_12_osr_eng.txt

By: rysmario

rysmario — Sat, 08 Jan 2011 07:56:04 +0000

the file seems to be compressed too.. referring to Q5551_v1.140.27.0.upg upgrade log 81mb Update ‘iStoredSize’ are cumulated 81190368 bytes whereas the image payload is only 74936429 bytes large.

encryption must be 128bit block-cypher — if i take the image apart referring to the header details — it is padded to fit 16byte blocks…