Messages - Mulder3

31
WinCE / Re: TV2 DRM
03. Aug 2009, 19:54

My interpretation of the drm/encryption stuff is about the same. The dump was made by modifying a tv2clientce.exe to dump the data ;)
The AES key for the xml communication is included in the first RSA-encrypted answer from the server. This key does not change (or it does change, but only after a loong time); the only thing that does change is the IV, which is the first 16 bytes of each base64 encoded xml data blob.

So, if I understood right, the xml soap request/response is base64 encoded prior to encryption, and the first 16 bytes in the base64 blob are used as IV in the AES encryption process. Why? It doesn't make sense... They could directly encrypt the xml, why the base64 step? base64 will increase the blob's length... WBXML (binary xml) should be used instead of base64 in that step... Microsoft never ceases to impress me...
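
The blob layout described in the post above, as an added example that is not part of the original posts: it assumes each blob is base64(IV || ciphertext) with block-aligned ciphertext (the cipher mode is not stated on the page) and checks that no IV repeats across messages sent under the same long-lived key. The function names and the sample blobs are constructed for illustration.

```python
import base64

IV_LEN = 16   # per the post: the IV is the first 16 bytes of each blob
BLOCK = 16    # AES block size; block-aligned ciphertext is an assumption


def split_blob(b64_blob):
    """Split base64(IV || ciphertext) into (iv, ciphertext)."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < IV_LEN + BLOCK:
        raise ValueError("blob too short for an IV plus one cipher block")
    iv, ciphertext = raw[:IV_LEN], raw[IV_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    return iv, ciphertext


def find_iv_reuse(blobs):
    """Return (first_index, repeat_index, iv_hex) for every repeated IV."""
    first_seen = {}
    reused = []
    for index, blob in enumerate(blobs):
        iv, _ = split_blob(blob)
        if iv in first_seen:
            reused.append((first_seen[iv], index, iv.hex()))
        else:
            first_seen[iv] = index
    return reused


def make_blob(iv, ciphertext):
    """Build a constructed sample blob (no real traffic is used here)."""
    return base64.b64encode(iv + ciphertext).decode("ascii")


# Constructed sample messages; message 2 repeats the IV of message 0.
SAMPLE_BLOBS = [
    make_blob(bytes(range(16)), b"\xaa" * 32),
    make_blob(bytes(range(16, 32)), b"\xbb" * 48),
    make_blob(bytes(range(16)), b"\xcc" * 16),
]

if __name__ == "__main__":
    for first, repeat, iv_hex in find_iv_reuse(SAMPLE_BLOBS):
        print(f"IV {iv_hex} reused: messages {first} and {repeat}")
```

If the mode is CBC, a repeated IV under an unchanged key shows whether two messages begin with the same plaintext blocks, which is why the per-message IV matters when the key itself rarely rotates.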
32
WinCE / TV2 DRM
03. Aug 2009, 01:29
Can someone comment on my (very) summarized (and probably wrong) description of the DRM used in tv2 that I posted here: http://www.t-hack.com/forum/index.php?topic=565.0

Also, I would like to know how the "x300t client<->server xml communication dump" dump available in the wiki was made.

I noticed that "x-tv2-auth-svrMsgNonce" appears to be some kind of sequence number which is incremented by 1 in each soap call (probably to avoid replay attacks???)

About the "x-tv2-auth-ticket": they appear to be the same in every soap call (in the same session). Are they an encrypted AES key to decrypt the soap call??? (probably base64 encoded and encrypted with RSA???)

Thanks.
33

As far as I'm aware the private keys aren't in the XPU, nor would we need them to decrypt the channels, since they're signed by the content provider with the private keys and decrypted with the public keys (which I guess are 'private'ly stored on the XPU, is this what you meant?) I could be wrong, this isn't an area I've looked into much.


From what I understood while reversing the tv2, there are two RSA certificates (bound to the STB's MAC addr.) stored on the boot ROM, one for server communication, and one for decrypting the video.
The video is encrypted using AES using a key named "Boundary Key", kinda like DVB's CW keys...
The Boundary key is then encrypted with a session key which is delivered via web services.
The communication with the web services is made via an SSL-like connection using the certificates in the rom.
But, from what I understood, the communication server->client is encrypted with the box public key (that is stored on the rom); to decrypt, the box uses its private key part stored in the XPU, so the server doesn't even need to know the box's private key...
The client->server communication is encrypted with the server's public key (which is retrieved from the "sync" file downloaded via tftp) and then decrypted by the server's private key.

At least, that's my understanding, but I could be wrong (I really want to be wrong, since what I described is probably the worst case scenario)
34

Hi Guys,
I doubt access to the IPTV service would be possible without subscription, however decrypting recorded or VOD content from a subscribed box may be possible using a modified client, although I'm no expert in this area.


No one said it would be possible without a subscription, and even if it was possible, you would be easily "caught" by the provider, since they probably have some kind of fraud detection, like analyzing the DSLAMs' IGMP logs, so they can compare it to the subscribers database, so if they see a non-customer IP requesting an iptv channel...
35

Are you talking about the IPTV service from BT? I have no plans of using that.


Well, there are two groups of people in this forum, those who want to use the STB as a media-center replacement, and those who want to use the iptv service on other devices, or on the STB itself but running Linux.
In my personal case, I don't care about the STBs at all, I can build a better mediacenter (x86 based) with more features than the STBs will ever have... What I want is to try to reverse the mediaroom/iptv edition software to use it on other devices...
Since it will probably never be possible to decrypt the iptv stream on other devices unless we can crack the XPU to get the rsa private keys, the option is to get Linux to decrypt the channels...

Just my 2 cents, of course...
36
IPTV should be possible to decrypt in linux, as long as you use the apis used by tv2client to talk to the xpu
37
On the MS Mediaroom website, it says that the mediasharing feature has video support (http://www.microsoft.com/Mediaroom/Features.aspx). Has anyone seen any firmware with that? What about the BTvision beta? Does it support video?
38
WinCE / Re: tv2remotekeys ?
24. May 2009, 20:36
Enjoy :)

KEY_UP=38
KEY_DOWN=40               
KEY_LEFT=37             
KEY_RIGHT=39               
KEY_OK=13             
KEY_ENTER=13 
KEY_MENU=11             
KEY_SPACE=32               
KEY_BACK=8               
KEY_BROWSER_BACK=166               
KEY_PAGEUP=33               
KEY_PAGEDOWN=34             
KEY_DELETE=46             
KEY_0=48             
KEY_1=49             
KEY_2=50               
KEY_3=51               
KEY_4=52               
KEY_5=53               
KEY_6=54               
KEY_7=55               
KEY_8=56               
KEY_9=57               
KEY_GREEN=141               
KEY_BLUE=143               
KEY_RED=140             
KEY_YELLOW=142             
KEY_A=97             
KEY_B=98             
KEY_C=99             
KEY_D=100             
KEY_E=101             
KEY_F=102             
KEY_G=103             
KEY_H=104             
KEY_I=105             
KEY_J=106             
KEY_K=107             
KEY_L=108             
KEY_M=109             
KEY_N=110           
KEY_O=111             
KEY_P=112             
KEY_Q=113             
KEY_R=114             
KEY_S=115             
KEY_T=116               
KEY_U=117             
KEY_V=118             
KEY_W=119             
KEY_X=120             
KEY_Y=121               
KEY_Z=122             
KEY_A=65             
KEY_B=66             
KEY_C=67             
KEY_D=68             
KEY_E=69             
KEY_F=70             
KEY_G=71             
KEY_H=72             
KEY_I=73             
KEY_J=74             
KEY_K=75           
KEY_L=76             
KEY_M=77             
KEY_N=78             
KEY_O=79             
KEY_P=80           
KEY_Q=81           
KEY_R=82           
KEY_S=83             
KEY_T=84             
KEY_U=85             
KEY_V=86               
KEY_W=87               
KEY_X=88               
KEY_Y=89             
KEY_Z=90             
39
Linux / working linux ucodes
15. May 2009, 00:26

The irqhandler is embedded in booter.dll, see http://www.t-hack.com/forum/index.php?topic=352.0
The microcodes are not encrypted, so the only thing we need is a mrua which is compatible with our wince irqhandler, then everything should work out of the box.


OK, thanks for the explanation :) The challenge now is to adapt the mrua/emhwlib to use the WinCE irqhandler...
Sorry to bother you again with questions, but I need to understand this correctly :)

As far as I know Sigma provides two interfaces to code graphical apps on their platform: low-level libraries like mrua and the ones used in WinCE iptv edition, and more high-level libraries: DirectFB on Linux and DirectX on WinCE. Since there is no other platform besides IPTV edition to run WinCE, we don't have access to DirectX.
However, the majority of Linux based devices are using the DirectFB abstraction implemented on top of mrua, so even though sigma doesn't provide the complete DirectFB source, we could "rip" those DirectFB binary modules and use them? They are standard linux code, not encrypted/signed (assuming we can adapt the code to work with the WinCE irqhandler). We don't need the DirectFB source code...

Another question is the xrpc certificates: can microcodes/xtasks/whatever run on different boxes from different providers? I.e., is the certificate that signs the Telekom X300T irqhandler the same that signs, for example, the Portugal Telecom X300T? While, for obvious reasons, the certificate that signs the firmware is unique per provider, I am wondering if the "things" that run on the XPU share a common certificate since they are part of the same iptv platform and providers don't need to touch or bother with XPU related things (and probably Microsoft doesn't want to give them such control, since they could write custom xtasks that could be bugged and exploited to dump the MS iptv xtask that implements the DRM)
40
Linux / working linux ucodes
14. May 2009, 22:34

The most important fact about the smp86xx is that the smp86xx is just an em862x on steroids; this means the main cpu is MIPS instead of ARM and there is a second cpu called the XPU, otherwise it's mostly the same, the demux/a/v/gfx/mpeg engines are just like those in the em862xx.
Back in the day of the em862x there was already an irqhandler, but without the xpu it was just unencrypted loadable ARM code running on the only cpu the em862x had, which handled specific interrupts for the demux/a/v/gfx/mpeg engine and communication between mrua and those chip parts like "automatic" dma transfer tasks from and to the demux engine buffer, all this while considering vsync timings to prevent screen flickering, so it was more or less just an addition to the linux irqhandler.
On the smp86xx however this changed, probably due to high computational demands for handling HD content and the need for more security.
Now there is a second 200mhz MIPS cpu, called the xpu, and while the irqhandler is still just some code which lives at the end of dram controller 0, it is now encrypted and signed because it will be executed by the XPU.
So while the irqhandler is platform independent like the whole mrua package, it looks like it is bound to microsoft specific certificates, so we can't just load a linux irqhandler, we have to find out which linux mrua package the wince irqhandler version corresponds to. This is necessary because the microcode seems to be rather static but the mrua<->irqhandler interface is not, so using a random mrua version will fail.


Yes, I understand this issue. What I was asking is: if we find the irqhandler in xrpc format in WinCE (it must be hidden in some dll, right? In previous versions the audio/video microcodes were in iptvplatform.dll) can we use it with Linux out-of-box? Or are the Linux microcodes different? I.e., assuming we can find all the microcodes we need in wince (bound to our box), can we draw on screen using standard linux framebuffer access (or even PopCornHour DirectFB) out-of-box, or is the ABI to access the microcodes different?



There is a sigma designs directfb version which seems to be able to communicate directly with the irqhandler/gfx engine, but all this sigma specific code has been stripped from the popcornhour directfb version - a common directfb release works, but without gfx engine support it has to rely on the 300mhz host cpu which is not reaaaally fast.


DirectFB is LGPL, unless they didn't touch the original code and just linked it with their code, it should be a GPL violation...

<off-topic/rant>the use of smp86xx by PopCornHour is preventing me from buying it, the PopCornHour is a wonderful device in price/quality/features, no other MediaCenter can beat it in its price segment, but their choice of using that particular chipset was a bad choice in my opinion, why would we want such a wonderful Linux Mediacenter if it's crippled with DRM???</off-topic/rant>



And as for the last question - http://www.t-hack.com/forum/index.php?topic=114.msg910#msg910, after starting the tv2client and hiding it it works.


I don't understand German, and google translate does an awful job... So I couldn't understand from the thread why tv2client has to be started... what about .NET C# winforms?
41
Linux / working linux ucodes
14. May 2009, 16:58

They are loadable, but we have to find a matching mrua version for the wince/microsoft irqhandler.


That's exactly what I thought, I was unable to find the irqhandler microcode.
What about the APIs? Are they compatible with Linux? (i.e. is the microcode the same on WinCE/Linux?) I read somewhere that sigma microcodes are now compatible with standard DirectFB APIs. Does this mean that apps can now be coded without mrua/libemhwlib libs?

What about WinCE? I read somewhere on this forum that we can't code graphical programs using the standard WinCE API (or .net WinForms) because tv2engine talks directly to hardware (has sigma libemhwlib libs statically linked or something) to draw on screen? But WinCE includes an SMP GDI driver...

Can someone clarify this for me... After the microcodes are loaded can we use standard Linux/WinCE APIs to draw on screen? If Linux has a sigma kernel module that implements the DirectFB interface and WinCE has a sigma GDI driver, it should be possible... if not... why not?
42
Software / Re: BT Vision Beta Update
14. May 2009, 11:05
Anyone noticed audio_microcode_tango2_release.bin/demuxpsf_microcode_tango2_release.bin/video_microcode_tango2_release.bin in ETC.bin? Could someone with a modded box try to load them under Linux?
43
Software / Re: HTML/HTTP content
08. May 2009, 16:27

mobile IE6


No, it's not based on mobile IE6 nor Desktop IE6; as a matter of fact, Tasman is way better than IE6 (mobile or desktop) in terms of standards compliance. Tasman is based on the old IE Mac version.
more info: http://en.wikipedia.org/wiki/Tasman_(layout_engine)

My provider (Portugal Telecom) has some xhtml pages on a server and I redirect them on my router to my own web server, so I can display content on a normal unmodified box. Actually I have written a youtube client (using the youtube api and some magic to get the actual flv url from youtube IDs) in php+xhtml+css+javascript using a custom CGI written in C that wraps FFmpeg, so I can do the transcoding of flash video (FLV) to WMV9 on the fly. It's currently in beta, but I plan to release it (GPL) when it's ready.
I normally use Firefox and Microsoft Entourage for Mac 2004 (2008 doesn't use Tasman, it uses Apple's WebKit) for testing since we don't have access to the official emulator.
44
Software / Re: RemoteKeys
26. Apr 2009, 03:51
It's not only for debugging, I've personally seen a demo by Portugal Telecom, and they have a small program on a windows mobile phone that controls the box, they say it uses a feature of Mediaroom called RemoteKeys...
45
Software / RemoteKeys
24. Apr 2009, 20:21
Anybody find something about RemoteKeys besides what's already in the forum? ( http://www.t-hack.com/forum/index.php?topic=177.0 )

I can connect via telnet on port 8082, the box responds with "hello", then ignores any commands that I type.