Samsung's mistake was to use a short, repeating XOR key without considering that the image
file being encrypted contains long runs of null (0x00) bytes, as binary files very commonly do.
Because 0x00 XOR k is simply k, every such run writes the key into the ciphertext in the clear.
Not only did Samsung commit this mistake, but in this case the key is also nothing more than
the root directory name of the firmware.
The implication is that anyone holding the exposed key can decrypt the firmware, make
changes to it, and re-encrypt it with the same key, since XOR is its own inverse. This defeats
the controls Samsung relies on to stop owners and external parties from tinkering with the
core functionality of its TVs and bypassing its application and digital rights restrictions.
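The weakness just described, reproduced as an added example (this is not code from the book or from the SamyGO project): the image layout and the `telnet=disabled` marker are constructed stand-ins, and the only detail taken from the page is the key `T-CHE7AUSC`. Working from the ciphertext alone, the code recovers the key from the zero-filled regions, then decrypts, patches one string, and re-encrypts with the same key.

```python
"""Added example, not code from the book or from SamyGO: why repeating-key XOR
over an image full of 0x00 bytes leaks its key, and why the same key then lets
anyone patch and re-encrypt the image. The image layout and the
b"telnet=disabled" marker are constructed; the key is the page's T-CHE7AUSC."""

KEY = b"T-CHE7AUSC"  # firmware root directory name, which the page says is also the key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image: code-like bytes separated by
    long zero-filled regions (padding, unused flash), as real images have."""
    seed, code = 0x1234, bytearray()
    for _ in range(4000):
        seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF  # LCG: deterministic "random" bytes
        code.append((seed >> 16) & 0xFF)
    return (b"FAT-IMAGE-HEADER" + bytes(code[:2000]) + b"\x00" * 3000
            + b"telnet=disabled" + bytes(code[2000:]) + b"\x00" * 1500)


def periodic_windows(ct: bytes, period: int):
    """Yield (start, length) of maximal windows where ct[i] == ct[i + period].
    Under zero plaintext the ciphertext IS the key repeated, so such windows
    are the zero-filled regions (a 0xFF-filled region would leak key XOR 0xFF)."""
    start = None
    for i in range(len(ct) - period):
        if ct[i] == ct[i + period]:
            if start is None:
                start = i
        elif start is not None:
            yield start, i - start + period
            start = None
    if start is not None:
        yield start, len(ct) - start


def guess_key_length(ct: bytes, max_len: int = 32) -> int:
    """Score each candidate length by how often ct[i] == ct[i + L]. The true
    length and its multiples score far above the ~1/256 chance rate; take the
    smallest length whose score is close to the best."""
    scores = {}
    for length in range(1, max_len + 1):
        n = len(ct) - length
        scores[length] = sum(ct[i] == ct[i + length] for i in range(n)) / n
    best = max(scores.values())
    return min(length for length, s in scores.items() if s >= 0.9 * best)


def recover_key(ct: bytes, key_len: int, min_run: int = 64) -> bytes:
    """Read the key out of the longest periodic window: inside a zero run,
    ct[i] == 0x00 ^ key[i % key_len] == key[i % key_len]."""
    start, length = max(periodic_windows(ct, key_len), key=lambda w: w[1], default=(0, 0))
    if length < min_run:
        raise ValueError("no zero run long enough to leak the key")
    key = bytearray(key_len)
    for i in range(start, start + key_len):
        key[i % key_len] = ct[i]
    return bytes(key)


def patch_firmware(ct: bytes, key: bytes, old: bytes, new: bytes) -> bytes:
    """Decrypt, swap one same-length byte string, re-encrypt with the same key.
    Equal length keeps every offset stable. (The SamyGO patcher additionally
    recomputes the CRC the TV checks; a real patch must do that too.)"""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    plain = xor_repeating(ct, key)
    if plain.count(old) != 1:
        raise ValueError("pattern must occur exactly once")
    return xor_repeating(plain.replace(old, new, 1), key)


IMAGE = build_sample_image()
CIPHERTEXT = xor_repeating(IMAGE, KEY)


def demo() -> dict:
    """Attacker's view: only CIPHERTEXT is known; recover the key, then patch."""
    key_len = guess_key_length(CIPHERTEXT)
    key = recover_key(CIPHERTEXT, key_len)
    patched = patch_firmware(CIPHERTEXT, key, b"telnet=disabled", b"telnet=enabled ")
    return {"key": key, "patched_plain": xor_repeating(patched, key)}


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["key"])
    marker = result["patched_plain"].find(b"telnet=")
    print("marker after patch:", result["patched_plain"][marker:marker + 15])
```

Sanity-check a recovered key by decrypting the start of the image and looking for the structure the patcher later identifies (the FAT header in this stand-in): a run of 0xFF erased-flash padding leaks key XOR 0xFF rather than the key itself, and a patched image must also carry a corrected CRC, as the SamyGO output further down shows.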
The SamyGO website and forums are thriving with posts from Samsung TV owners who
want to modify their TVs in exactly the way Samsung doesn't want them to. One of the popular
tools available from SamyGO, the SamyGO Firmware Patcher, exploits the XOR weakness
we just looked at. It enables Telnet so that users can log into their TVs remotely, obtain
a Linux prompt, and modify the TVs further from there. To run the tool, download the
firmware as we did earlier and pass the path to its location as the only argument:
$ python ./SamyGO.py ~/Downloads/T-CHE7AUSC
SamyGO Firmware Patcher v0.16 Beta (c) 2010 Erdem U. Altinyurt
-=BIG FAT WARNING!=-
You can brick your TV with this tool!
Authors accept no responsibility about ANY DAMAGE on your devices!
project home: http://SamyGO.sourceforge.net
XOR Encrytped CI firmware detected.
Decrypting with XOR key : T-CHE7AUSC
Crypto package found, using fast XOR engine.
Applying VideoAR Patch...
MD5 of Decrypted image is : 9b4d11ddc6bd41156573ae61d1660fdf
FAT image analyzed - exeDSP location: 7811072 size: 37414044
ARM ELF exeDSP File Detected
CToolMmbDisplaySizeItem::GetToolItem() Adress : 0x13537D0
CToolMmbDisplaySizeItem::PressLeftRightKey() Adress : 0x1353AC8
VideoAR Fix v1 Compatibility Found.
VideoAR Fix v1 Patched on image.
Applying Telnet Patch...
Searching %3
Suitable Location Found for Script injection on Offset : 3969567
Enable Telnet or Advanced Mode on image( T/a )?
Patching File...
Telnet Enabled on image.
Calculatin new CRC : d71d7f17
Updating /SamyGO/T-CHL7DEUC/image/validinfo.txt with new CRC.
Encrypting with XOR : T-CHE7AUSC
Crypto package found, using fast XOR engine.
134 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS