Comments on: Root my TV: Hack Philips PFL9703 http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/ are you still afraid? Thu, 03 May 2012 05:45:40 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-611 Anonymous Thu, 03 May 2012 05:45:40 +0000 http://192.168.111.20/wordpress/?p=146#comment-611 01 00 01 00 00... is a well-known RSA public exponent, while first half of the file is a RSA modulus. UPG is crypted using AES-256. Decryption key and SHA-1 checksum are stored in RSA crypted block (0x220-0x2A0). To decrypt 128 bytes you will need a modulus of 128 bytes, not 256. 01 00 01 00 00… is a well-known RSA public exponent, while first half of the file is a RSA modulus.
UPG is crypted using AES-256. Decryption key and SHA-1 checksum are stored in RSA crypted block (0x220-0x2A0).
To decrypt 128 bytes you will need a modulus of 128 bytes, not 256.

]]> By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-609 Anonymous Mon, 30 Apr 2012 11:34:28 +0000 http://192.168.111.20/wordpress/?p=146#comment-609 The file has 512 bytes, yes, but if you look at the hex dump, only the first 256 bytes have useful "randomlike" values. The remaining bytes are 01 00 01 00 00 00 00 ... The file has 512 bytes, yes, but if you look at the hex dump, only the first 256 bytes have useful “randomlike” values. The remaining bytes are 01 00 01 00 00 00 00 …

]]> By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-600 Anonymous Wed, 18 Apr 2012 10:22:21 +0000 http://192.168.111.20/wordpress/?p=146#comment-600 /proc/public_key is used to decrypt UPG. But it must be 256 bytes. This key is too big. /proc/public_key is used to decrypt UPG. But it must be 256 bytes. This key is too big.

]]> By: pippo http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-587 pippo Mon, 09 Apr 2012 15:38:20 +0000 http://192.168.111.20/wordpress/?p=146#comment-587 @55: where did you get that public key from? And what's the debug usb stick is supposed to do? @55: where did you get that public key from?
And what’s the debug usb stick is supposed to do?

]]> By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-566 Anonymous Wed, 07 Mar 2012 11:02:10 +0000 http://192.168.111.20/wordpress/?p=146#comment-566 I forgot - this is the key from the PFL 7xx6 series I forgot — this is the key from the PFL 7xx6 series

]]> By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-565 Anonymous Wed, 07 Mar 2012 10:56:28 +0000 http://192.168.111.20/wordpress/?p=146#comment-565 This is the public key from the TV used as cookie to identify a debug USB stick during bootup (from /proc/public_key). Maybe this is also used for the Firmware? MIME-Version: 1.0 Content-Type: application/octet-stream; name="public_key256.out" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="public_key256.out" QYMOXtEEAtDq1L/2xwExIU6qcuV4njMeDz68CCwzpoFTlgrK6IfrefrAe1R/jfLJBAOCKN+tf8Vt D/9n9W1Z/GWJYEFEe7hT5H2U+hxMBOnhGGJ3Ggl2JtPccEhOdXWL3uCZ8bqjCSghP6qtAEfZzG1Z BH+aE/jnhHD5UO+4gvqEqWM4TrpgY9DM4zYhOCEnLsIa24zoygMmNTnLkEYTftmlqgqrhg01X87w 77ptPRskrxnm71z4BCMDXedmzKaw/lIEvfIuDYlGqSUOmQCv3m4YW1gddqymMu/yNyKnC5zr5gvE 0cExBC05MkyFaU9365LJBongz5Rr0WIFuU7GvwEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= This is the public key from the TV used as cookie to identify a debug USB stick during bootup (from /proc/public_key).

Maybe this is also used for the Firmware?

MIME-Version: 1.0
Content-Type: application/octet-stream; name=“public_key256.out“
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=“public_key256.out”

QYMOXtEEAtDq1L/2xwExIU6qcuV4njMeDz68CCwzpoFTlgrK6IfrefrAe1R/jfLJBAOCKN+tf8Vt
D/9n9W1Z/GWJYEFEe7hT5H2U+hxMBOnhGGJ3Ggl2JtPccEhOdXWL3uCZ8bqjCSghP6qtAEfZzG1Z
BH+aE/jnhHD5UO+4gvqEqWM4TrpgY9DM4zYhOCEnLsIa24zoygMmNTnLkEYTftmlqgqrhg01X87w
77ptPRskrxnm71z4BCMDXedmzKaw/lIEvfIuDYlGqSUOmQCv3m4YW1gddqymMu/yNyKnC5zr5gvE
0cExBC05MkyFaU9365LJBongz5Rr0WIFuU7GvwEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

]]> By: corecoder http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-513 corecoder Fri, 20 Jan 2012 22:10:08 +0000 http://192.168.111.20/wordpress/?p=146#comment-513 The HDD is not encrypted, just formatted as extfs. But the recordings are encrypted to only allow playback on the TV they were recorded -> maybe this? There also is an exploit for the Allegro Rompager Webserver:: http://www.securiteam.com/exploits/5XP0M0UCUO.html But I'm no expert on how to use this. The HDD is not encrypted, just formatted as extfs. But the recordings are encrypted to only allow playback on the TV they were recorded -> maybe this?

There also is an exploit for the Allegro Rompager Webserver:: http://www.securiteam.com/exploits/5XP0M0UCUO.html
But I’m no expert on how to use this.

]]> By: bkgg http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-503 bkgg Sun, 08 Jan 2012 11:09:40 +0000 http://192.168.111.20/wordpress/?p=146#comment-503 Well, I'm no pratitioner, but maybe 2 cents from me. Regarding the Encryption: With my model, a xxpfl5xxx, if you want to record something (regardless of timeshift or normal) the TV wants to format a connected HDD. The manual states, that you cant use this HDD in this condition otherwise. This could either be because its formated for Linux, or because its encrypted. In latter case, maybe its made with the same method and key as the firmware, because it has to be decoded again, and why use a second key for this. That would add cost. Other possibility would be jointspace. Your articel is now 2 years old, and it has probably more functions now than then. First the webserver is now in use with xxPFL5xx6 to xxPFL9xx6 models. Via port 1925 you can use some GET and two POST methods. SO no big deal for rooting I gues. But Jointspace has a lot of methods in use. With this you can prorgamm software which is executed on your PC but shown on your TV. So maybe, if there is a weakness in their drawing function it is possible to activate telnet through a pufferoverflow or something like this. (For example there is software for just showing your monitor on TV via ethernet or for playing Doom, controlled by remotecontrol http://jointspace.sourceforge.net/download.html ) Well, I’m no pratitioner, but maybe 2 cents from me.

Regarding the Encryption:
With my model, a xxpfl5xxx, if you want to record something (regardless of timeshift or normal) the TV wants to format a connected HDD. The manual states, that you cant use this HDD in this condition otherwise.
This could either be because its formated for Linux, or because its encrypted. In latter case, maybe its made with the same method and key as the firmware, because it has to be decoded again, and why use a second key for this. That would add cost.

Other possibility would be jointspace. Your articel is now 2 years old, and it has probably more functions now than then.
First the webserver is now in use with xxPFL5xx6 to xxPFL9xx6 models. Via port 1925 you can use some GET and two POST methods. SO no big deal for rooting I gues.
But Jointspace has a lot of methods in use. With this you can prorgamm software which is executed on your PC but shown on your TV. So maybe, if there is a weakness in their drawing function it is possible to activate telnet through a pufferoverflow or something like this.
(For example there is software for just showing your monitor on TV via ethernet or for playing Doom, controlled by remotecontrol http://jointspace.sourceforge.net/download.html )

]]> By: corecoder http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-473 corecoder Fri, 16 Dec 2011 16:39:22 +0000 http://192.168.111.20/wordpress/?p=146#comment-473 A different vector than firmware:: the Nettv series run Opera 10 and it's possible to enter any URL. It supports Javascript and the 2011 TVs support SWF. Any ideas if or how this can be exploited? A different vector than firmware:: the Nettv series run Opera 10 and it’s possible to enter any URL. It supports Javascript and the 2011 TVs support SWF. Any ideas if or how this can be exploited?

]]> By: Anonymous http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-471 Anonymous Mon, 05 Dec 2011 21:22:15 +0000 http://192.168.111.20/wordpress/?p=146#comment-471 I don't think you can decrypt the firmware very easy. This series powerPC processors has on-chip fuses which can't be read back an internal processor can use these data do decrypt data. probably an AES-key is stored there. Without: the private AES-key, much-patient in bruteforce, rainbow-tables or corrupt Phillips employees you are at an dead end. At the company where I work we use this processor in a SetTopBox with no smartcard. The key programmed in the fuses is the identification of the box. I don’t think you can decrypt the firmware very easy. This series powerPC processors has on-chip fuses which can’t be read back an internal processor can use these data do decrypt data. probably an AES-key is stored there.

Without: the private AES-key, much-patient in bruteforce, rainbow-tables or corrupt Phillips employees you are at an dead end.

At the company where I work we use this processor in a SetTopBox with no smartcard. The key programmed in the fuses is the identification of the box.

]]> By: Detektei http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-463 Detektei Sun, 06 Nov 2011 23:28:11 +0000 http://192.168.111.20/wordpress/?p=146#comment-463 Is there a chance to upgrade the unsupported Firmware of 37PFL8404..? Is there a chance to upgrade the unsupported Firmware of 37PFL8404..?

]]> By: Recep http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-441 Recep Mon, 03 Oct 2011 22:24:26 +0000 http://192.168.111.20/wordpress/?p=146#comment-441 Try binwalk. I used it to analyze son bravia firmware Try binwalk. I used it to analyze son bravia firmware

]]> By: Ian http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-419 Ian Sat, 30 Jul 2011 18:25:47 +0000 http://192.168.111.20/wordpress/?p=146#comment-419 I've just realised that my Phillips TV runs Linux. I was so exited. Then the disappointment of finding there is no way in yet. One huge hole in the GPL, yes you can download the source, yes you can modify it and compile it, no you can't run it because you can't sign it! I’ve just realised that my Phillips TV runs Linux. I was so exited. Then the disappointment of finding there is no way in yet. One huge hole in the GPL, yes you can download the source, yes you can modify it and compile it, no you can’t run it because you can’t sign it!

]]> By: George http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-415 George Fri, 22 Jul 2011 16:56:51 +0000 http://192.168.111.20/wordpress/?p=146#comment-415 Interesting info on the ComPair & Jett files: http://www.scribd.com/doc/53185886/philips-ComPair-training-20January-2008 Interesting info on the ComPair & Jett files: http://www.scribd.com/doc/53185886/philips-ComPair-training-20January-2008

]]> By: gigirex http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-410 gigirex Mon, 18 Jul 2011 14:32:23 +0000 http://192.168.111.20/wordpress/?p=146#comment-410 Hi! Did you have the HsvAntennaDigSrvcTable file format? Thanks Hi!
Did you have the HsvAntennaDigSrvcTable file format?
Thanks

]]> By: ScripTrix http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-245 ScripTrix Wed, 23 Feb 2011 07:55:03 +0000 http://192.168.111.20/wordpress/?p=146#comment-245 e.g. for my TV 7605 -> http://www.p4c.philips.com/files/4/40pfl7605h_12/40pfl7605h_12_mus_deu.zip It's a ~3 MB File including the Helpsystem manual e.g. for my TV 7605 -> http://www.p4c.philips.com/files/4/40pfl7605h_12/40pfl7605h_12_mus_deu.zip

It’s a ~3 MB File including the Helpsystem manual

]]> By: michu http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-244 michu Tue, 22 Feb 2011 08:34:34 +0000 http://192.168.111.20/wordpress/?p=146#comment-244 which helpfile.upg? which helpfile.upg?

]]> By: ScripTrix http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-243 ScripTrix Tue, 22 Feb 2011 08:11:31 +0000 http://192.168.111.20/wordpress/?p=146#comment-243 Have u take a look to the HELPFILE UPG ? it's no "Version Header" only 00h. From 211h - 2DF is crypt stuff/header or so ? however the comercial string is present with a parm -> xxxxx_commercial.FORCEUPGRADE Have u take a look to the HELPFILE UPG ?
it’s no “Version Header” only 00h.
From 211h — 2DF is crypt stuff/header or so ? however the comercial string is present with a parm ->
xxxxx_commercial.FORCEUPGRADE

]]> By: Joshua http://neophob.com/2010/01/root-my-tv-hack-philips-pfl9703/#comment-242 Joshua Wed, 09 Feb 2011 22:19:25 +0000 http://192.168.111.20/wordpress/?p=146#comment-242 Here anther NVM dump: http://dump.elektroda.pl/download13244.html Here anther NVM dump:
http://dump.elektroda.pl/download13244.html

]]>