Let's try again to put the free in regionfreedom

Looking forward to the latest update if there is eventually one. In the market for making my UB820 multi region for Region A Blu Ray imports, without having to pay a premium of £100+.
 
Still working on it @MudkipDan . The system is slightly harder to penetrate than I initially expected but I do have an exploit I've been working on that should be able to give me an entry point. Once I have something concrete to show the community I'll make an announcement.
 
Appreciate the update and reply, more so as this is unpaid and in spare time. Good luck. 👍
 
I think I do have a firmware for the 820 (if I can find it). However, the firmware should be the same for 420/424/820/924/9000 and 9004.

You will need the encryption key and method from the player. No chance by just comparing the files (I tried). Only the first few bytes (header?) are identical.
 
Hello @DreckSoft, yes you are correct on both accounts. The firmware is encrypted and it is the same for all of those models. I already have the latest version of it but in any case thank you for your offer. I'm dumping the ROMs by flashing them and then dumping the NAND chip. It comes out like a "bit salad" but I'm writing some code to try and make it work.

The prospect is to find an exploit people can easily trigger and jailbreak the player (I have an idea of a possible way but I need to extract the player libc to analyze where some methods are in the memory and then maybe I can trigger a ret2libc exploit that anyone can do). I believe this to be the easiest route, however I am going to still try to reverse engineer the firmware decryption method (once I dump the full updater program) and possibly reverse it to be able to encrypt and release the firmware already patched, however it is not simple and might even be impossible if it uses a secure private key not present in the player.

I am at this stage, dumping and patching the NAND so that I can extract the much coveted libc which is not a standard one and was probably patched and compiled by Panasonic. After extracting it I'm hoping I will find what I need to trigger the exploit I've been working on.
 
libc is LGPL, so Panasonic is required to release the source. You could contact Panasonic and request the source to all open source parts. If they won't release it, contact EFF.

An unencrypted dump of the firmware could also be interesting even if there is no way (yet) to put it back into the player without directly flashing the NAND. There are still a few issues that haven't been resolved:
  • PUO off for BD only works partially. There are still titles that can't be skipped and jumping directly to the main menu doesn't work.
  • The USB / network player has restrictions. It will not play DTS-HD, Dolby TrueHD or even E-AC3.

I think I had one or two more which I currently can't remember.
 
You are right, and I even thought about that (requesting the source) however it wouldn't help much since I don't know with what parameter, compiler, compiler version they compiled the code and any small variable can make a different binary and hence the memory location of the methods would not match up. I know that the lib is not standard (at least I assume) because I can see kernel logs and looking at some crash dumps:

28050000-28128fff: r-xp /lib/libc-2.20-2014.11.so
28138000-28139fff: r--p /lib/libc-2.20-2014.11.so
2813a000-2813bfff: rw-p /lib/libc-2.20-2014.11.so

It tells me that the size of libc is about ~875k. I found a libc with that same name "libc-2.20-2014.11.so" which seems to belong to a Linaro release of ARM curated releases (Linaro Releases) but couldn't find any lib that matched up in size (the smallest I found was about 1.3mb) hence my assumption that it was based on it but altered or recompiled by Panasonic.

  • PUO off for BD only works partially. There are still titles that can't be skipped and jumping directly to the main menu doesn't work.
  • The USB / network player has restrictions. It will not play DTS-HD, Dolby TrueHD or even E-AC3.

Yes, it is one of the main reasons that I am doing this. I want to unlock the USB / network player to be able to play all the formats the hardware is capable of.

Ultimately these are my personal goals:

1. Debloat the firmware by taking out Netflix and Youtube (and possibly some other useless background processes) that are making the UI slower than it should be. I've noticed this when downgrading to the lowest firmware I could find and was taken by surprise by how much faster the UI was in the older firmware and figured it was because Netflix and Youtube were not being loaded during boot time.

2. Add new features;
- All the features from regionfreedom
- Network ISO playback
- Unlock PGS subtitles and all lossless audio formats when playing .mkv and .m2ts files
- Add better font for subtitles (somehow text subtitles in mkv files are jagged and pixelated)
- Playback information for mkv and m2ts the same way as it shows for BD-Disks (Audio and Video input and output information)
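
The size reasoning from the three crash-dump lines quoted in the post above, worked through as an added example (not the poster's code). It parses the dump format shown there and treats the end address as inclusive, which is an assumption based on every range ending in `fff`.

```python
import re
from collections import defaultdict

# The three lines quoted in the post (player crash-dump format).
DUMP = """\
28050000-28128fff: r-xp /lib/libc-2.20-2014.11.so
28138000-28139fff: r--p /lib/libc-2.20-2014.11.so
2813a000-2813bfff: rw-p /lib/libc-2.20-2014.11.so
"""

LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+):\s+([r-][w-][x-][ps-])\s+(\S+)$", re.I)

def parse_maps(text):
    """Return {path: [(start, end_exclusive, perms), ...]} sorted by address."""
    libs = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not mapping records
        start, last = int(m.group(1), 16), int(m.group(2), 16)
        # Assumption: the end address is inclusive (every range ends in ...fff).
        libs[m.group(4)].append((start, last + 1, m.group(3)))
    for segs in libs.values():
        segs.sort()
    return dict(libs)

def summarize(segs):
    """Size figures for one library's mappings."""
    sizes = [end - start for start, end, _ in segs]
    span = segs[-1][1] - segs[0][0]
    return {
        "exec_bytes": sum(s for s, (_, _, p) in zip(sizes, segs) if "x" in p),
        "mapped_bytes": sum(sizes),
        "span_bytes": span,
        "gap_bytes": span - sum(sizes),  # unmapped alignment hole(s) between segments
        "writable_and_exec": any("w" in p and "x" in p for _, _, p in segs),
    }

if __name__ == "__main__":
    for path, segs in parse_maps(DUMP).items():
        print(path)
        for key, val in summarize(segs).items():
            shown = val if isinstance(val, bool) else f"{val} ({val / 1024:.0f} KiB)"
            print(f"  {key}: {shown}")
```

These figures cover only the loadable segments; symbol and debug sections of an unstripped file are never mapped, so a file on disk can be larger than what the dump shows.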
 
That sounds awesome. It is really a shame, the guy didn't release his work at least before he took down the page. There are rumors he had access to the source code. That could have been the base for an even more enhanced firmware but money talks. There was a time when modified firmwares were free for all :(
 
Having access to the source is a double-edged sword. You can truly develop awesome stuff with it but at the same time you risk being sued out of existence by Panasonic or whoever holds the rights to that code. It is better to do a clean room approach to be on the safe side.
 
What's all the hardware you're using?
On the left it is likely an adjustable power supply. The LA1010 USB logic analyzer is obvious but the rest?
 
It is just a STM32F407ZGT6 development board. I used it to dump the NAND.
The USB sticks are the STM32 debugger (STLink2) and two UART to USB adapters, one to get a console out of the STM32, and another to tap into the read-only UART port of the player.

The LA1010 turned out to be too slow for what I wanted and was a good excuse to upgrade and got a Digital Discovery analyzer which is doing a great job now. I'm using it to dump the addresses in the NAND that the player uses when writing the firmware to try and pinpoint where in the NAND the good stuff is. From the dump I acquired it has been hard to extract the actual rootfs, got access to the RW partition but it is just logs and a couple of Blu-ray certificates. The rootfs is a compressed (possibly encrypted, not sure yet) Cromfs image (I assume it to be cromfs because the player logs make reference to it). However binwalk has not been able to pick it up so now I'm trying to slice it depending on what the player writes to it during the FW upgrade process. I'm here now, coding a little piece of C to tap into the analyzer and dump all the write addresses the NAND receives.
 
I've got the 1.66C firmware for the DP-UB420 if you need it. Does anyone remember HOW to change the region, though? I've somehow lost that information and the site is gone...
 
I already posted the answer there:
 
Hopefully u can make a working firmware.

I always wonder what the deal with the guy who ran that site was. He was like the soup nazi from Seinfeld, if u didn't follow his order process to the T he would cut u off.

He banned me permanently because I had bought the firmware for a player and the player failed after 2 years but I had Best Buy's warranty on it so Best Buy exchanged it for a newer model. He refused to honour the discount for repeat buyers even though I had bought several firmware off him. I wasn't rude in any way, just asked nicely if he could still provide me the discount and he banned me lol.

I heard of many people getting banned for doing far less.
 
I bought my player with the intention of installing the RegionFreedom firmware in it. However by the time I got my player, the guy running RegionFreedom was basically MIA and no longer contacting people or responding.

I’m still really wanting to make my player region free.

Has anybody figured out exactly what the RattleByte hardware mod does? If I install it will I be locked out of this thread's potential firmware?
 
Yes, I've heard of some stories like that, I'm hoping I can make it work as well, getting close.
 
That is exactly my story, bought the player to make it region free but the guy was gone by the time I applied for it, since he was gone I decided to try and make mine free on my own.

I don't know what the RattleByte hardware does, and cannot tell you if their firmware will allow or not for the jailbreak I'm developing. Without testing I cannot tell, for now I'm making it to work on the original FW v.1.69

At the moment I'm not building a firmware file like the others, I'm building a jailbreak and a homebrew style patch to the system which will have in essence the same effect (hopefully).

I am very close and hope to have something to show soon (within the month) but no promises at this stage just yet.
 
Been looking into RegionFreedom and found they no longer exist?

From what I can gather this is about building a new firmware/update to allow region free for all and it's a work in progress?

If it is, I'll follow this thread 👌
 
You are correct on all accounts.
 
A little update for those following along.

I've managed to jailbreak the device successfully, by this I mean that I can now get root access to the operating system.

With this new access I'm able to debug from the inside and my first impression is that it will not be so simple to fully unlock the player. There are multiple services working together and it is not just one "player" application responsible for getting the pictures up on the screen. This means that I have one hell of a "witch hunt" to do de-compiling a couple dozen programs and libraries to find where is what. It can be doable but requires a significant amount of time to track things down properly.

I flashed the regionfreedom firmware on my player to test it out and see what happens when a firmware not encoded with the proper MAC address does. And nothing. Flashed everything successfully, no errors, boots normally but when I dump the NAND and compare all the files with the original firmware I find no significant differences. The only thing that comes to mind is that the MAC address check is being made by the update process and the code that makes up the "regionfreedom" is not being flashed into the device.

Unfortunately without me being able to detect any binary differences I will not be able to figure out how regionfreedom did things.

I do however have another idea. Does someone out there have a player with the regionfreedom firmware and is willing to run my software on their player to make a dump of the filesystem directly? The process is completely safe and nothing is written onto the player, everything runs through a USB stick. If anyone is willing to help with this please let me know.

For now, I'll just try to figure it out for myself until I hit a wall.

On a side note, I was able to partially reverse engineer the firmware encryption, I can "peel" off the first layer of encryption and expose the headers and bootloader code. Unfortunately everything else seems to be under a second encryption layer or compressed in a way that I haven't figured out.


Now that I came this far, is there anyone that would like to help? Someone that knows their way around Ghidra / IDA, or has some knowledge of embedded devices, Trusted Firmware, OP-TEE OS? If you think you could be useful in helping me crack this thing faster let me know.
 
You are correct about the check during the update process. I also tried to flash it on another player and simply nothing happens.

Btw: Have you looked at the Panasonic Firmware Hacks for the cameras? Maybe they used a similar encryption there.
 
I'm not sure about the firmware on the Lumix cameras, I took a look at one and at a first glance the format inside is different, on the BD players the whole fw is encrypted but not on the Cameras. I might take a better look someday.
 
Hello, I recently came across this thread because I was thinking of doing an update for my player since there's a new firmware but I seem to recall any updates had to be done through the region freedom website. Something like that was stated on the website or perhaps it was just a warning to not update the player or else the region freedom firmware might disappear? Can't exactly remember it's been so long.

Anyways, I was looking to update cause I was having problems getting the player to read from a USB stick (figured the rf firmware was the problem since it's on an older LG firmware version). Long story short, I got it working but in the process of trying to find the website, I discovered this thread and found it interesting that someone is looking to try and recreate the region freedom firmware or at least something similar.

All that aside, I just wanted to chime in and say I'd be okay with helping out and inserting your USB to my player that has region freedom installed. Anything to get closer to cracking this thing and making it available to everyone. I'm mainly just interested in getting the player to be faster by removing the media apps like Netflix and YouTube which are just sitting there lol. Oh and better subtitles cause yikes the built-in font leaves much to be desired haha.
 