My interpretation of the drm/encryption stuff is about the same. The dump was made by modifying a tv2clientce.exe to dump the data.
The AES key for the xml communication is included in the first rsa encrypted answer from the server. This key does not change (or it does change, but only after a loong time); the only thing that does change is the IV, which is the first 16 bytes of each base64 encoded xml data blob.
As far as I'm aware the private keys aren't in the XPU, nor would we need them to decrypt the channels, since they're signed by the content provider with the private keys and decrypted with the public keys (which I guess are 'private'ly stored on the XPU, is this what you meant?) I could be wrong, this isn't an area I've looked into much.
Hi Guys,
I doubt access to the IPTV service would be possible without subscription, however decrypting recorded or VOD content from a subscribed box may be possible using a modified client, although I'm no expert in this area.
Are you talking about the IPTV service from BT? I have no plans of using that.
The irqhandler is embedded in booter.dll, see http://www.t-hack.com/forum/index.php?topic=352.0
The microcodes are not encrypted, so the only thing we need is a mrua which is compatible with our wince irqhandler, then everything should work out of the box.
The most important fact about the smp86xx is that the smp86xx is just an em862x on steroids. This means the main cpu is MIPS instead of ARM and there is a second cpu called the XPU; otherwise it's mostly the same, the demux/a/v/gfx/mpeg engines are just like those in the em862x.
Back in the day of the em862x there was already an irqhandler, but without the xpu it was just unencrypted loadable ARM code running on the only cpu the em862x had, which handled specific interrupts for the demux/a/v/gfx/mpeg engine and communication between mrua and those chip parts like "automatic" dma transfer tasks from and to the demux engine buffer, all this while considering vsync timings to prevent screen flickering, so it was more or less just an addition to the linux irqhandler.
On the smp86xx however this changed, probably due to high computational demands for handling HD content and the need for more security.
Now there is a second 200mhz MIPS cpu, called the xpu, and while the irqhandler is still just some code which lives at the end of dram controller 0, it is now encrypted and signed because it will be executed by the XPU.
So while the irqhandler is platform independent like the whole mrua package, it looks like it is bound to microsoft specific certificates, so we can't just load a linux irqhandler; we have to find out which linux mrua package the wince irqhandler version corresponds to. This is necessary because the microcode seems to be rather static but the mrua<->irqhandler interface is not, so using a random mrua version will fail.
There is a sigma designs directfb version which seems to be able to communicate directly with the irqhandler/gfx engine, but all this sigma specific code has been stripped from the popcornhour directfb version - a common directfb release works, but without gfx engine support it has to rely on the 300mhz host cpu which is not reaaaally fast.
And as for the last question - http://www.t-hack.com/forum/index.php?topic=114.msg910#msg910, after starting the tv2client and hiding it, it works.
They are loadable, but we have to find a matching mrua version for the wince/microsoft irqhandler.
mobile IE6