Difference between revisions of "Digital Decoder Mod"
m (set project picture) |
|||
(11 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{{Project | {{Project | ||
− | |State= | + | |State=Completed |
− | |Members=Prodigity | + | |Members=Prodigity, Da Syntax |
|Description=Gaining access to the console of the DD and perhaps install doom on it | |Description=Gaining access to the console of the DD and perhaps install doom on it | ||
+ | |Picture=Versatek_sniffed.jpg | ||
}} | }} | ||
==The SMT-6010E== | ==The SMT-6010E== | ||
+ | |||
+ | ftp server geval: | ||
+ | |||
+ | 172.16.113.27 | ||
+ | |||
+ | user: fttc | ||
+ | |||
+ | pass: cassis | ||
+ | |||
+ | firmware: download/samsung.img | ||
+ | |||
WE HAZ A SOURCE CODE! | WE HAZ A SOURCE CODE! | ||
[http://www.samsung.com/global/business/telecomm/opensource/SMT-6010E_OpenSource.zip link Source code] | [http://www.samsung.com/global/business/telecomm/opensource/SMT-6010E_OpenSource.zip link Source code] | ||
+ | |||
+ | By sniffing the communication between the decoder and the Tele2 modem while it was updating we extracted a copy of the samsung.img firmware file. | ||
+ | |||
+ | We were able to extract the root password from this firmware image by bruteforcing the shadow file. | ||
+ | |||
+ | The credentials are: | ||
+ | |||
+ | Username: root | ||
+ | |||
+ | password: t1days | ||
[[File:SMT-6010E.jpg]] | [[File:SMT-6010E.jpg]] | ||
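Review bot: the added paragraph "We were able to extract the root password from this firmware image by bruteforcing the shadow file" records the result but not the method. It does not say how samsung.img was unpacked or which hash scheme the shadow entry used, so the finding cannot be checked from this revision; add both. In the FTP block above it, 172.16.113.27 is an RFC 1918 address, so state which network it is reachable from, and translate or explain "geval".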
Line 43: | Line 65: | ||
I've currently connected the digital decoder to the ft232rl chip on my arduino (usb <-> rs232 conversion). | I've currently connected the digital decoder to the ft232rl chip on my arduino (usb <-> rs232 conversion). | ||
− | + | ||
+ | Pinout: | ||
+ | |||
+ | +------+ TX | ||
+ | |||
+ | | heat | RX | ||
+ | |||
+ | | sink | GND | ||
+ | |||
+ | +------+ VCC(3.3v) | ||
{| class="wikitable collapsible collapsed" | {| class="wikitable collapsible collapsed" |
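Review bot: the added pinout does not say from whose side TX and RX are named (decoder or USB adapter), and nothing in the hunk gives the serial settings (baud rate, framing) that produced the boot log, so the connection cannot be reproduced from these lines alone. Add both, and say whether the "VCC(3.3v)" pin has to be wired at all or only marks the logic level the adapter must use.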
Latest revision as of 21:49, 3 November 2015
Project | Digital Decoder Mod |
---|---|
State | Completed |
Members | Prodigity, Da Syntax |
Description | Gaining access to the console of the DD and perhaps install doom on it |
The SMT-6010E
ftp server geval:
172.16.113.27
user: fttc
pass: cassis
firmware: download/samsung.img
WE HAZ A SOURCE CODE!
Source code: http://www.samsung.com/global/business/telecomm/opensource/SMT-6010E_OpenSource.zip
By sniffing the communication between the decoder and the Tele2 modem while it was updating, we extracted a copy of the samsung.img firmware file.
We were able to extract the root password from this firmware image by brute-forcing the shadow file.
The credentials are:
Username: root
password: t1days
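An added example (not from the original page or its authors): a small auditor for a shadow file taken from an unpacked firmware image, which flags entries stored with legacy crypt(3) schemes and computes how small the search space of the recovered password `t1days` is. The shadow lines are constructed placeholders because the page shows neither the real hash nor its scheme, and all function names are hypothetical.

```python
import math
import string

# crypt(3) hash prefixes -> (scheme, verdict). Classic DES crypt has no prefix.
PREFIXES = {"$1$": ("md5crypt", "weak"), "$5$": ("sha256crypt", "ok"),
            "$6$": ("sha512crypt", "ok"), "$2a$": ("bcrypt", "ok"),
            "$2b$": ("bcrypt", "ok"), "$y$": ("yescrypt", "ok")}
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

def classify(field):
    """Map the second field of a shadow entry to (scheme, verdict)."""
    if field == "":
        return ("none", "no password set")
    if field[0] in "!*":
        return ("locked", "ok")
    for prefix, result in PREFIXES.items():
        if field.startswith(prefix):
            return result
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return ("descrypt", "weak")  # 8-character limit, 12-bit salt
    return ("unknown", "review")

def audit_shadow(text):
    """Return [(user, scheme, verdict)] for every entry in a shadow file."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0] and not parts[0].startswith("#"):
            rows.append((parts[0],) + classify(parts[1]))
    return rows

def search_space_bits(password):
    """log2 of the exhaustive search space for the character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if set(password) & set(c))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

# Constructed sample: the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:CONSTRUCTED00:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
operator:$1$constrct$PLACEHOLDERPLACEHOLDER:13000:0:99999:7:::
guest::13000:0:99999:7:::
"""

if __name__ == "__main__":
    for row in audit_shadow(SAMPLE_SHADOW):
        print(*row, sep="\t")
    print(f"t1days: {search_space_bits('t1days'):.1f} bits")
```

Six characters drawn from lowercase letters and digits give about 31 bits, which is why a firmware build should ship a long random per-device password hashed with a modern scheme, or no password login at all.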
Specifications:
CPU | 300 MHz DSP |
Memory | 128 MB SDRAM, 32 MB DOC for OS Image, 2 MB Flash for Boot loads |
RTOS | Linux |
Browser | HTML 4.0, HTTP 1.1, DHTML, Frame Support, JavaScript 1.3, SSL 3.0, CSS Level3, Open SSH, Cookie |
Decoding | MPEG-1: 5 Kbps ~ 1.5 Mbps; MPEG-2: 1.5 Mbps ~ 6 Mbps, D1 Resolution, MP@LL, MP@ML; WMV-9 |
DRM | Verimatrix DRM |
Copy Protection | Macrovision Copy Protection |
WAN Interface | RJ-45 for 10/100 Base-T |
I/O Interface | USB 1.1 2 Ports, Composite Video Output, 2 Scarts, S-Video Output, RCA Stereo Audio (L/R) Output, S/PDIF Audio Output |
Maintenance | Network Configuration Screen; Remote Software / OS Update through the Network; Self-diagnostic Function |
Description
The SMT-6010E is a Digital Decoder ... blabla bla
Gaining Access
...
I've currently connected the digital decoder to the FT232RL chip on my Arduino (USB <-> RS232 conversion).
Pinout:
+------+ TX
| heat | RX
| sink | GND
+------+ VCC(3.3v)
Output:

```
Success1 registering the Video DAC devices for board: 1300, daughter board: 0
Success2 registering the Video DAC devices for board: 1300, daughter board: 0
Success3 registering the Video DAC devices for board: 1300, daughter board: 0
[cyg_net_init] Init: mbinit(0x00000000)
[cyg_net_init] Init: cyg_net_init_devs(0x00000000)
Init device 'rltk8139_eth0'
[cyg_net_init] Init: loopattach(0x00000000)
[cyg_net_init] Init: ifinit(0x00000000)
[cyg_net_init] Init: domaininit(0x00000000)
[cyg_net_init] Init: cyg_net_add_domain(0x803afae0)
New domain internet at 0x00000000
[cyg_net_init] Init: cyg_net_add_domain(0x803aea60)
New domain route at 0x00000000
[cyg_net_init] Init: call_route_init(0x00000000)
[cyg_net_init] Done
*************************
*    Bootrom Version    *
* V_STB_BT_01_02_050418 *
*************************
pciVIAInit
imageDisplay
Display Refresh Video Output example.
etiDefaultMemPool 0x87efc000 , start 0x80000000 size 0x8000000
hiMemGap 0x104000
xOffset 80 yOffset 48 dstBytesPerPixel 2 imageBmpWidth 640
CXA2161R status : d8
CXA2161R status : d8
Press <CANCEL> remote key to start net booting....
hmpv_read_fcnt start time in 23eaa96d cycles
Doc Booting....
flRegisterSAFTL: start
flRegisterSAFTL: end
Media Size = 32 Mbytes
Note: Searching for the media header. As a result a few H/W protection error messages might be reported.
ERROR in read_Seq: M512_checkAndFixAccessError:Protection error occurred.
ERROR in read_Seq: M512_checkAndFixAccessError:Protection error occurred.
ERROR in read_Seq: M512_checkAndFixAccessError:Protection error occurred.
ERROR in read_Seq: M512_checkAndFixAccessError:Protection error occurred.
Note: header was found - end of media header search.
DALN: PC=0x8009938c, RP=0x800ff560, addr=0x80a19f39: 2 byte load r60
START WITH BANK0
imageversion : 0
START TIME : 26932610
bdkReadBlock has Completed Succefully
CheckSignature returned 0, nds signature passed
END TIME : b07fffd3
Read done in 8ca65206 cycles
Start Booting....
address from [82517820]
00:0a:0 Class 0200: 10ec:8139 0:0x1000[256]I 1:0x10000000[256]M IRQ 9
00:0c:0 Class 0601: 1106:0686
00:0c:1 Class 0101: 1106:0571 4:0x1100[16]I
00:0c:2 Class 0c03: 1106:3038 4:0x1120[32]I IRQ 16
00:0c:4 Class 0000: 1106:3057
pciDolphinFixup: 10ec:8139 IRQ pin A-->B IRQ 10
pciDolphinFixup: 1106:3038 VIA device: IRQ 42 (i8259 IRQ 5)
Linux version 2.2.20 (root@versatel) (ecc version v6.0_6127) #31 Thu Aug 30 19:33:07 KST 2007
CPU frequency: 297 MHz
Mem frequency: 118 MHz
Calibrating delay loop... 296.55 BogoMIPS
Memory: 93072k/130032k available (2736k kernel code, 1056k data, 400k reserved)
Dentry hash table entries: 16384 (order 3, 128k)
Buffer cache hash table entries: 524288 (order 7, 2048k)
Page cache hash table entries: 8192 (order 1, 32k)
POSIX conformance testing by UNIFIX
PCI: Probing PCI hardware
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Unix domain sockets 1.0 for Linux NET4.0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
TCP: Hash tables configured (ehash 524288 bhash 65536)
Serial driver version 4.27 with no serial options enabled
ttyS00 at 0x03f8 (irq = 41) is a 16550A
ttyS01 at 0x02f8 (irq = 40) is a 16550A
pty: 256 Unix98 ptys configured
RAM disk driver initialized: 16 RAM disks of 32768K size
RAMDISK: ext2 filesystem found at block 0
RAMDISK: Loading 32768 blocks [1 disk] into ram disk... done.
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb.c: registered new driver hid
mice: PS/2 mouse device common for all mice
usb-uhci.c: $Revision: 1.2 $ time 21:50:03 Apr 24 2007
usb-uhci.c: High bandwidth mode enabled
usb-uhci.c: USB UHCI at I/O 0x1120, IRQ 42
usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 1
usb.c: USB new device connect, assigned device number 1
Product: USB UHCI Root Hub
SerialNumber: 1120
hub.c: USB hub found
hub.c: 2 ports detected
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 128k freed
Using /lib/modules/2.2.20/block/doc.o
fl: TrueFFS driver 621.41
flRegisterComponents: fFound:01
fl: 1 device(s) found
fl: Registered module at major 62
Partition check:
fla: fla1
fl: Device 0x0 size 0x1028000 sectors 0x8140
fl: partition 0x1 size 0x1024c00
fla: fla1
EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
EXT2-fs error (device fl(62,1)): ext2_check_blocks_bitmap: Wrong free blocks count for group 0, stored = 2812, counted = 2814
EXT2-fs error (device fl(62,1)): ext2_check_blocks_bitmap: Wrong free blocks count in super block, stored = 10741, counted = 10743
EXT2-fs error (device fl(62,1)): ext2_check_inodes_bitmap: Wrong free inodes count in group 0, stored = 2041, counted = 2043
EXT2-fs error (device fl(62,1)): ext2_check_inodes_bitmap: Wrong free inodes count in super block, stored = 4113, counted = 4115
grep: /var/run/rc.pids: No such file or directory
test: 0: unknown operand
ifconfig: face: error fetching interface information: Device not found
Using /lib/modules/2.2.20/8139too.o
PCI: Increasing latency timer of device 00:50 to 64
eth0: 8139too Fast Ethernet driver 0.9.18-2.2
eth0: Samsung Electronics SMT-6000E, YSU v1.2 <sukun.yoon@samsung.com>
eth0: RealTek RTL8139 Fast Ethernet board found at 0x1000, IRQ 10
eth0: Chip is 'RTL-8139C' - MAC address '00:00:f0:f0:22:bd'.
ifconfig: face: error fetching interface information: Device not found
60: old priority 0, new priority 7
eth0: Setting half-duplex based on auto-negotiated partner ability 0000.
Using /lib/modules/2.2.20/saa7128/saa7128.o
Loading Saa7128 Color Bar Test Module
Saa7128color: Device registered with Major Number = 0
Using /lib/modules/2.2.20/saa7128/cxa2161r.o
Loading Cxa2161r Scart Switch Test Module
Cxa2161rScart: Device registered with Major Number = 0
Using /lib/modules/2.2.20/cs4341/cs4341Control.o
insmod: unresolved symbol prinfLinkNewDriver
umount: /proc/bus/usb: Invalid argument
CS4341 open....
rm: cannot remove `/wfs/run': No such file or directory
Login: Received cs4341 mute command
cs4341Control_k.c: Error raised during driver call
-> Error 6 by library Iic : file /usr/local/Equator/v6.0/tools/source/libdev/iic/mask.c, line 331 (failed: ack == 0)
-> Error 6 by library Iic : file /usr/local/Equator/v6.0/tools/source/libdev/iic/mask.c, line 387 (failed: rcvAck(context))
-> Error 6 by library Iic : file /usr/local/Equator/v6.0/tools/source/libdev/iic/mask.c, line 503 (failed: sendAddr(context,slave))
-> Error 6 by library Iic : file /usr/local/Equator/v6.0/tools/source/libdev/iic/mask.c, line 704 (failed: send(maskContext,slave,data,size))
-> Error 6 by library Iic : file /usr/local/Equator/v6.0/tools/source/libdev/iic/etiIic.c, line 237 (failed: iicMaskSend(handle,slave,data,size))
-> Error 8 by library cs4341Control : file control.c, line 211 (failed: iicSend(instance->handle,0x22,cs4341muteon,sizeof(cs4341muteon)))
Saa7128color : Device Open (254, 0)
Saa7128color: Opened Value 0
Cxa2161rScart : Device Open (252, 0)
Cxa2161rScart: Opened Value 0
I2C_ADDR - DATA1, DATA2, DATA3, DATA4, DATA5, DATA6, DATA7
[90] 86 , 82, 00 , 3a , 02 , 4b , ef
Success1 registering the Video DAC devices for board: 1300, daughter board: 0
Success2 registering the Video DAC devices for board: 1300, daughter board: 0
Success3 registering the Video DAC devices for board: 1300, daughter board: 0
Jump starting VLX processor In 6.0 mode.
Vlx processor started successfully (vlxStatus 0x2).
IIS audclk = 1 audclk = 1
DrcDrv: Output -> PAL Interlaced 720 x 576 @ 25Hz
Primary input: Enabled
Secondary input: Enabled
Graphics input: Enabled
gfxFormat: 800
alphaStream: 0
ping: sendto: Network is unreachable
START: Update checking...
Error downloading version.txt. Update canceled.
```
After pressing 'Enter', the console asks me for a username and a password. Unfortunately, the password isn't easy to guess.
Link to the source code: [1]