To start with, let us take a look at the freshly decrypted image files to see how Samsung
designed its their platform, which is based on Linux. Let’s mount rootfs.img:
$ mount rootfs.img /media/rootfs.img/ -o loop
In etc/profile we find the following partitions:
############## Partition Information ##############
export MTD_ONBOOT=/dev/mmcblk0p0
export MTD_UBOOT=/dev/mmcblk0p1
export MTD_KERNEL_0=/dev/mmcblk0p2
export MTD_ROOTFS_0=/dev/mmcblk0p3
export EX_PARTITION=/dev/mmcblk0p4
export MTD_KERNEL_1=/dev/mmcblk0p5
export MTD_ROOTFS_1=/dev/mmcblk0p6
export SECUREMAC0=/dev/mmcblk0p7
export SECUREMAC1=/dev/mmcblk0p8
export SECUREMAC2=/dev/mmcblk0p9
export MTD_DRMREGION_A=/dev/mmcblk0p10
export MTD_DRMREGION_B=/dev/mmcblk0p11
export MTD_RWAREA=/dev/mmcblk0p12
export MTD_EXE_0=/dev/mmcblk0p13
export MTD_EXE_1=/dev/mmcblk0p14
export MTD_ROCOMMON=/dev/mmcblk0p15
export MTD_EMANUAL=/dev/mmcblk0p16
export MTD_CONTENTS=/dev/mmcblk0p17
export MTD_SWU=/dev/mmcblk0p18
export MTD_RWCOMMON=/dev/mmcblk0p19
That’s a total of 20 partitions. That’s a lot for a single system, but many of these are
mounted in read-only mode, which limits attack vectors.
Here is the exeDSP executable we mentioned earlier, which is the main executable used
to control the TV’s functionality:
$ ls -lh /media/exe.img/exeDSP
-rwxr-xr-x 1 root root 146M Apr 28 2013 /media/exe.img/exeDSP
Notice that the file size of exeDSP is 146 MB, which is unusually large for a single exe-
cutable. This illustrates that a lot of functionality has been directly coded into the executable
rather than in shared libraries or shared code. That said, there are additional shared libraries
in the image as well.
There is also evidence that the TV uses the X11 Window System to display the user
interface:
UNDERSTANDING AND EXPLOITING THE APP WORLD 139