MalcolmStagg.com
Home    Recent Work    Science Fair    About Me    Contact Me    Software

project bdp

Overview

Browsers on these players have a "browser.sh" file which runs to setup the browser environment and start the browser. MediaTek appears to have left a line in this browser.sh file which originally would have been inserted for debugging purposes. The line is as follows:

export LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so

/mnt/sda1 is the first USB drive mounted, and LD_PRELOAD causes this library to be loaded before the executable (browser). This appears to affect many Sony and Panasonic players. I have tested this successfully with a Sony BDP-S390 and BDP-S5100.

Download these code samples, including a compiled version for ARMv6 (some BDP players are ARMv6).

Building a Cross-Compiler

The first step to get this to run on your Blu-Ray player is to build a cross-compiler. These are the instructions and notes from my experience.

Writing a Shared Library

My shared library C code is below. As you can see it is extremely simple. The __attribute__((constructor)) is gcc syntax to identify the constructor function (which runs as the library is loaded). unsetenv removes the existing library preload export, otherwise more and copies of this code would run, until the player runs out of memory. Finally system runs a custom script on the root of the USB drive.

#include <stdio.h>

__attribute__((constructor))
void libSample() {
	unsetenv("LD_PRELOAD");
	system("/mnt/sda1/script.sh");
}
	

My script.sh file does 2 things: changes the password to something we know, and start the telnet daemon to allow remote access:

#!/bin/sh
echo root:admin | chpasswd
telnetd
	

Of course, this can be easily modified to run other commands without recompiling the libSegFault.so.

Cross-Compiling a Shared Library

  1. Setup the paths for your cross compiler e.g.

    export PATH=$PATH:/home/malcolm/arm/x-tools/arm-unknown-linux-gnueabi/bin

  2. arm-unknown-linux-gnueabi-gcc -c -fPIC libsample.c -o libSegFault.o
  3. arm-unknown-linux-gnueabi-gcc libSegFault.o -shared -o libSegFault.so

Usage

Create a folder "bbb" on your USB key and copy libSegFault.so there. Copy script.sh to the root of your USB key. Insert it into the player and start the browser. The USB key does not have to be blank.

Now if you know your player's IP address (look in System Information if you don't) you can Telnet in from any computer. The username/password I set in my sample script file is username: root , password: admin .

Issues

If the library is not compatible with your player, your player may crash. If it does either unplug it from the wall, or on some players you can hold down Power+Eject for about 15 seconds and it will reboot.

Acknowledgement

Thanks to Matthew Garrett for noticing this entry point. You can read his post about it here.

DISCLAIMER

While this doesn't involve modified firmware, this could at least make your player crash, requiring you to unplug it from the wall. Also it could void your warranty and violate EULA agreements. Please try this at your own risk!

Copyright © 2013-2014 Malcolm Stagg