Root my TV Hack Philips PFL9.Do you want to control your TV and your devices smart Take a look at this Kickstarter campaign.I try to get root access on my Philips PFL9.TV.Why dont askThe TV runs a 2.MIPS3.MHz CPU, compiled with a Monta.Vista toolchain.I need YOUR help to root the Philips TV Please write a comment end of the article or email me if you have any hints, thanks RC triggered service modes Customer Service Mode CSM 1.Insert USB stick, put the remote in DVD mode and press 2.USB stick binary.Service Alignment Mode SAM 0.I didnt find a option to enable the serial console Service Default Mode SDM 0.Purpose To create a pre defined setting, to get the same measurement results as given in the service manual.Manual software upgrade Disconnect the TV from the AC Power, press hold the OK button of the RC and connect set to mains.Back up Software Upgrade Application Disconnect the TV from the AC Power, press hold the INFO button or cursor down of the RC and connect set to mains.Jett mode Disconnect the TV from the AC Power, switch to DVD RC, press hold the INFO button and connect set to mains.Now you TV is in the Jett mode but we need some files now, which are NOT available We should create a directory on the root of the USB drive which is called JETTFILES and put two files called Memory.Test.PNX8. 63. 5.Those files are part of a software package called TESTSCRIPT Q5.I guess in this mode, serial access couldbe possible, however the protocol will change, as there is only binary stuff visible after the bootloader tries to load the kernel.Flash Menu Crack Serial Free' title='123 Flash Menu Crack Serial Free' />This could be a side effect of the missing JETTFILES, but Im not sure.Perhaps some kind of 3 Wire SPI mode See Serial Port dumps below.Philips write about this in the service manual Install the computer program BOARDTESTLOGGER available in TESTSCRIPT Q5.PC Connect a Com.Pairservice cable from the service connector in the set to the COM1 port of the PC Start up the program BOARDTESTLOGGER and select COM1 Put the USB stick into the TV and start up the TV while pressing the i button on a Philips DVD RC6 remote control its also possible to use a TV remote in DVD mode On the PC the memory test is shown now.This is alsovisible on the TV screen.In BOARDTESTLOGGER an option Send extra UART command can be found where the AUD1 can be selected.This command generates hear test tones of 2.Hz.Serial Port access.To access the serial port of the TV you need a EIB cable basically a serial db.This is my professional EIB cable Terminal settings 3.If youre away from home and in need of WiFi, now Facebook can help you find it.Originally only available in a few countries, the social networks Find WiFi.Baud 8.N1. Web Server On port 8.Web Server, more precisely a Allegro Software Rom.Pager4.There is only a test page visible 1.Rom.Pager. Embedded Web Server.WiseFixer is a professional and advanced system optimizer tool to help users easily and conveniently fix system errors,clean registry,optimize system to speed up PC.Weekly Feature Sept.Surf Privately On Any Mobile Device Or Tablet If you dont want your internet browser to save a record of what sites you visit and.Flash Menu Crack Serial Free' title='123 Flash Menu Crack Serial Free' />Noregistration upload of files up to 250MB.Not available in some countries.Flash Menu Crack Serial Free' title='123 Flash Menu Crack Serial Free' />First Page.The value of the test variable is Hello World Some basic tests 1.GET HTTP1.Host 1.Authenticate.A x 1.HTTP1. 1 4.Bad Request.Content Length 0.Server Allegro Software Rom.Pager4.Connection closebash 3.GET HTTP1.Host 1.HTTP1. 1 2.OKContent Type texthtml.Date Sat, 0.Jan 2.GMTCache Control no cache.Expires Thu, 2.Oct 1.GMTTransfer Encoding chunked.Server Allegro Software Rom.Pager4.I didnt find and vulnerabilityinformation about this webserverFirmware Get the firmware here http philips.The firmware is encrypted, with some help from the www.I was more or less able to get the firmware header first 7.SWU uint.TXV magici 1 uint.Str Q5.E 0.Those 1. This block is different in each firmware version Someone in the hifi forum wrote, that the firmware is encrypted AND signed, but this is unconfirmedEdit 1.The Firmware is encrypted AND signed, see comment 1.Other users observed, that there are quite a lot of repeating patterns in the firmware.An interesting idea is to search for JFFS2 inodes magic bytes 8.Varon thinks, that the firmware or parts of it are encrypted with a 1.Here is a hexdump of the firmware header 1.SWU3.TXV. 8. 0. Pb.Release for TV5.R2. Q5. 91. E 0. Generatio0.Z.JIL. O. 0. 00.H. b.M0. 00. 00. 25. 0 2.MF.J.A. b. V. t. 0. Jk.N.L. 7. 0. 00.KIM. 0.Q5.E 0. 1. 00. I checked the firmware with draca 1.DRACA.Draft Crypto Analyzer.Version 0.Ilya O.Levin. Preliminary detection and analysis of crypto algorithms within executables.File.AESRijndael 9. Twofish 1.Edit 1.I guess those results are useless because draca is searching for crypto constants in the firmware which do simply not exist there.Philips also released source code of the parts of Philips TV software that fall under open source licenses.Here is the firmware layout in the flash, not the upgrade file Attack Vectors 1 decode firmware, modify and repack.S1.Useful links General Information http www.Firmware Mirror http philips.Jointspace Project jointspace project.Service Manuals http www.Philips Ch q.Lbhttp www. ayslearningcentre.Training2.MaterialTVtv.Serial Port dumps Jett mode 1.Jan 1.Boot device. ST NAND5.W3.A. OKSearching Boot.Loader.Load bffs.Boot. Loader.Done.Start bffs. 0Boot.Loader.JBL boottime improvement.Boot. Bmx Game Pc Download Free . Loader OSR0.Feb 2.Searching boot. bat.Execute bffs.Execute bffs. 1boot.SR5 Fact JETTOn error goto 7.Load bffs.Kernel.Load bffs.RFSBoot.Mem. Fill 0x.Signal 3. 0Cmd Line.CMDLINE arguments passed by JBL consoletty.S1,3.M kgdbtty. S1 loglevel3 initinit ipnone rootdevram lpj1.Start bffs.Kernel.TV Boot 1.Jan 1. 6 2. 00. 8 1.Boot device.ST NAND5.W3. A. OKSearching Boot.Loader.Load bffs.Boot. Loader.Done.Start bffs. 0Boot.Loader.JBL boottime improvement.Boot.Loader OSR0.Feb 2.Searching boot. bat.Execute bffs.SR1 ColdbootOn error goto 6.Load bffs.Tm.App. tdf okLoad bffs.Pnx.App. tdf okLoad bffs.Download.TM0. tdf okStarting early.Start.TMLoad bffs.Pnx. 51xx.Co. Apptm.Load bffs.Pnx. 51xx. Co. Apptm.Load bffs.Kernel.Mem. Fill 0x.Signal 3. 0Cmd Line.CMDLINE arguments passed by JBL consoletty.S0,3.M kgdbtty. S1 loglevel3 rootdevmtdblock.Start bffs.Kernel.EU9. 2 startup script.Mounting file systemsTotal usertime mount for proc 0,0.SecTotal systemtime mount for proc 0,0.SecTotal usertime mount for sys 0,0.SecTotal systemtime mount for sys 0,0.SecTotal usertime mount for devshm 0,0.SecTotal systemtime mount for devshm 0,0.SecTotal usertime mount for devpts 0,0.SecTotal systemtime mount for devpts 0,0.SecMounting the flash file systemsTotal usertime mount for mntjffs.SecTotal systemtime mount for mntjffs.SecLoading PNX5.ImageLaunching TV applicationUsing errlib version 0.Errlib communication with plfapp failed, will retry laterredirecting 1 to 1.MB memory on board.MB memory MAP0.NO0. 0 0. 02. 4. 67 Standby version 3.Expected standby version 3.Init clearing mInit.Done.Blunk. 00 0.Using errlib version 0.Errlib 0.Reference timestamp.Mount check passes, 0 iterations 1 0.Fusion.DaleConfig Parsing config file etcfusiondalerc.Fusion.Dale v. 0.FusionSHM NOT using MADVREMOVE 2.DirectThread Running Fusion Dispatch MESSAGING, 1.App Init.Fusion. Web Page Maker 3 21 Latest Bollywood .Dale 1 0. 02. 5. Errlib communication with plfapp failed, will retry later.Errlib 0.Layoutcheck OK0. 0 0.Display flash file Layout version 8 Content version 2.Display flash file Project Id 1 Branch Id 5.DISPT0.Fusion. Dale v. 0.Using screen option 1.LCD LGD WUF SAC1 4.Diversity Board.Type9.Board. Version3, Detected pnx.M2.Ambient.Light. Generator None.Ambient.Light. Mode Triple.Ambient.Light. Technology Led.Cabinet.Number 3.Channel.Decoder.Type Tda.Channel.Decoder.Type None.Clear.Lcd. Supported False.Dimming.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |