If I execute the command, and then telnet to the box IP on port 8082
I get the reply of "hello"
I also found the following strings in the tv2remotekeys app
hello
code
/key
quit
bye
key
ok
in the debug tv2client some of the keys do the following
    case Keys.Q:
        tV2Keys = TV2Keys.PowerToggle;
        break;
    case Keys.R:
        tV2Keys = TV2Keys.Record;
        break;
    case Keys.S:
        tV2Keys = TV2Keys.Search;
        break;
    case Keys.T:
        tV2Keys = TV2Keys.ToggleMonkeyDisplay;
        break;
    case Keys.U:
        tV2Keys = TV2Keys.DBG_TestPage;
        break;
The current version of the application also appears as if it would react to some keys too....
Anyone tried playing with tv2remotekeys or worked out the protocol?
I did try things like keyQ/key etc, but did not get a response...
Mick
I have been trying to disassemble the app in IDA
bye and quit commands seem to jump to the same place (which is expected).
The "key" command seems like it will respond with an "ok" message if the correct input is received.
You can see the commands below.. not sure why it doesn't respond tho? any ideas?
there were also some bits of code using HTTP protocol but not sure if they are used..
.text:00013A48 loc_13A48: # CODE XREF: command_loop?+60j
.text:00013A48 lui $v0, 1
.text:00013A4C addiu $a3, $v0, aOk # "ok"
.text:00013A50 lui $v0, 1
.text:00013A54 addiu $a2, $v0, aKey_0 # "key"
.text:00013A58 lui $v0, 1
.text:00013A5C lw $v1, 0x88+var_3C($fp)
.text:00013A60 addiu $a1, $v0, aBye # "bye"
.text:00013A64 lui $v0, 1
.text:00013A68 lw $v1, 0($v1)
.text:00013A6C addiu $a0, $v0, aQuit # "quit"
.text:00013A70 addiu $s2, $fp, 0x88+var_60
.text:00013A74 addiu $s3, $fp, 0x88+var_60
.text:00013A78 addiu $s4, $fp, 0x88+var_50
.text:00013A7C addiu $s5, $fp, 0x88+var_50
.text:00013A80 sw $v1, 0x88+var_78($fp)
.text:00013A84 addiu $s6, $fp, 0x88+var_50
.text:00013A88 sw $a3, 0x88+var_68($fp)
.text:00013A8C addiu $s0, $fp, 0x88+var_60
.text:00013A90 sw $a2, 0x88+var_6C($fp)
.text:00013A94 addiu $s1, $fp, 0x88+var_78
.text:00013A98 sw $a1, 0x88+var_70($fp)
.text:00013A9C sw $a0, 0x88+var_74($fp)
.text:00013AA0
.text:00013AA0 loc_13AA0: # CODE XREF: command_loop?+1A4j
.text:00013AA0 li $a3, 1
.text:00013AA4 lw $t0, 0x88+var_3C($fp)
.text:00013AA8 beq $v1, $t0, loc_13AB4
.text:00013AAC move $v0, $a3
.text:00013AB0 move $v0, $0
.text:00013AB4
.text:00013AB4 loc_13AB4: # CODE XREF: command_loop?+D0j
.text:00013AB4 bnez $v0, loc_13AC4
.text:00013AB8 nop
.text:00013ABC b loc_13AC8
.text:00013AC0 move $v0, $a3
.text:00013AC4 # ---------------------------------------------------------------------------
.text:00013AC4
.text:00013AC4 loc_13AC4: # CODE XREF: command_loop?:loc_13AB4j
.text:00013AC4 move $v0, $0
.text:00013AC8
.text:00013AC8 loc_13AC8: # CODE XREF: command_loop?+E4j
.text:00013AC8 beqz $v0, loc_13B84
.text:00013ACC nop
.text:00013AD0 addiu $s7, $v1, 0xC
.text:00013AD4 move $a1, $s7
.text:00013AD8 jal sub_16D8C
.text:00013ADC move $a0, $s2
.text:00013AE0 lw $a1, 0x88+var_74($fp) # quit
.text:00013AE4 move $a0, $s3
.text:00013AE8
.text:00013AE8 loc_13AE8: # DATA XREF: .text:000112B4o
.text:00013AE8 jal stringcompare?
.text:00013AEC nop
.text:00013AF0 bnez $v0, loc_13B5C
.text:00013AF4 nop
.text:00013AF8 lw $a1, 0x88+var_70($fp) # bye
.text:00013AFC jal stringcompare?
.text:00013B00 addiu $a0, $fp, 0x88+var_60
.text:00013B04 bnez $v0, loc_13B5C
.text:00013B08 nop
.text:00013B0C lw $a1, 0x88+var_6C($fp) # key
.text:00013B10 jal stringcompare?
.text:00013B14 addiu $a0, $fp, 0x88+var_60
.text:00013B18 beqz $v0, loc_13B68
.text:00013B1C nop
.text:00013B20 addiu $a1, $s7, 0x10
.text:00013B24 jal sub_1377C
.text:00013B28 move $a0, $s4
.text:00013B2C jal sub_12504
.text:00013B30 move $a0, $s5
.text:00013B34 lw $a1, 0x88+var_68($fp) # ok
.text:00013B38 lw $a0, 0x88+arg_0($fp)
.text:00013B3C li $a2, 3
.text:00013B40 jal transmit
.text:00013B44 nop
.text:00013B48 li $a1, 1
.text:00013B4C jal sub_123C0
.text:00013B50 move $a0, $s6
.text:00013B54 b loc_13B68
.text:00013B58 nop
Update:
Darkneo was asking about this app, so we loaded it up in IDA yesterday and I had another look at it.
We were only missing an equals sign!
.text:00013B2C jal sub_12504
The jump there, checks that the input string contains an = sign.
So you can use the web interface on booterce to launch tv2remotekeys.exe in the windows folder. (there is a command line switch also when running tv2ClientCE, I think it's -remotekeys)
After tv2remotekeys is running telnet to 8082
commands are:
bye=
quit=
and to send a key its key=[keycode] like this
key=40
you should get a response from the box saying Ok.
Darkneo is working on a small remote control emulator program to make this easier :)
There are still two unknowns with tv2remotekeys.. there's a section that has '/key' and 'code' which we have yet to figure out.. any IDA gurus want to have a look?
Mick
Just to weigh in on the "/key" and "code" bit, I'm pretty sure this is a web API for it, but I can't find out where that gets started, if you navigate to "[boxip]:8082/key" in a browser it just sends the usual 'hello'. Perhaps it's a command line switch, but after the string comparisons on "/key" and "code" there's a lot of references to the HTTP strings, so I'm pretty certain that's what it does.
Enjoy :)
KEY_UP=38
KEY_DOWN=40
KEY_LEFT=37
KEY_RIGHT=39
KEY_OK=13
KEY_ENTER=13
KEY_MENU=11
KEY_SPACE=32
KEY_BACK=8
KEY_BROWSER_BACK=166
KEY_PAGEUP=33
KEY_PAGEDOWN=34
KEY_DELETE=46
KEY_0=48
KEY_1=49
KEY_2=50
KEY_3=51
KEY_4=52
KEY_5=53
KEY_6=54
KEY_7=55
KEY_8=56
KEY_9=57
KEY_GREEN=141
KEY_BLUE=143
KEY_RED=140
KEY_YELLOW=142
KEY_A=97
KEY_B=98
KEY_C=99
KEY_D=100
KEY_E=101
KEY_F=102
KEY_G=103
KEY_H=104
KEY_I=105
KEY_J=106
KEY_K=107
KEY_L=108
KEY_M=109
KEY_N=110
KEY_O=111
KEY_P=112
KEY_Q=113
KEY_R=114
KEY_S=115
KEY_T=116
KEY_U=117
KEY_V=118
KEY_W=119
KEY_X=120
KEY_Y=121
KEY_Z=122
KEY_A=65
KEY_B=66
KEY_C=67
KEY_D=68
KEY_E=69
KEY_F=70
KEY_G=71
KEY_H=72
KEY_I=73
KEY_J=74
KEY_K=75
KEY_L=76
KEY_M=77
KEY_N=78
KEY_O=79
KEY_P=80
KEY_Q=81
KEY_R=82
KEY_S=83
KEY_T=84
KEY_U=85
KEY_V=86
KEY_W=87
KEY_X=88
KEY_Y=89
KEY_Z=90
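An added example (not code from the thread, and not Darkneo's emulator): a small Python model of the tv2remotekeys command loop as the posts above reconstructed it from the disassembly (the '=' requirement, the quit/bye/key branches and the 3-byte "ok"), together with the posted key table so the two can be checked against each other without a box. Assumed: the box accepts any decimal value after key= (the thread does not say whether it validates the code), and the "hello" banner is sent once per connection.

```python
# Added example: an in-memory model of the tv2remotekeys command handling as
# described in the thread. Nothing here talks to a network; it only shows what
# the reconstructed protocol would send back for a given client line.

BANNER = b"hello"  # the reply the thread reports on connecting to port 8082

# Subset of the key table posted above. The letters are plain ASCII: the table
# lists both the lowercase (97..122) and uppercase (65..90) rows under the same
# KEY_x names, so they are generated here and the uppercase row is the one kept.
KEY_CODES = {
    "KEY_UP": 38, "KEY_DOWN": 40, "KEY_LEFT": 37, "KEY_RIGHT": 39,
    "KEY_OK": 13, "KEY_ENTER": 13, "KEY_MENU": 11, "KEY_SPACE": 32,
    "KEY_BACK": 8, "KEY_BROWSER_BACK": 166, "KEY_PAGEUP": 33,
    "KEY_PAGEDOWN": 34, "KEY_DELETE": 46,
    "KEY_RED": 140, "KEY_GREEN": 141, "KEY_YELLOW": 142, "KEY_BLUE": 143,
}
KEY_CODES.update({"KEY_" + d: ord(d) for d in "0123456789"})
KEY_CODES.update({"KEY_" + c: ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"})


def build_key_command(key_name: str) -> bytes:
    """Encode a named key as the wire command 'key=<code>' (KEY_DOWN -> b'key=40')."""
    return b"key=%d" % KEY_CODES[key_name]


def handle_command(line: bytes):
    """Model one pass of command_loop: returns (reply, keep_connection).

    Mirrors the disassembled flow: the line must contain '=' (the check the
    first post was missing), the name is compared against quit, bye and key
    in turn, and only key=<number> gets the 'ok' that transmit() sends.
    """
    line = line.rstrip(b"\r\n")
    if b"=" not in line:
        return None, True          # 'keyQ' / 'key' with no '=' gets no response
    name, _, value = line.partition(b"=")
    if name in (b"quit", b"bye"):
        return None, False         # both commands reach the same exit path
    if name == b"key" and value.isdigit():
        return b"ok", True         # transmit(sock, "ok", 3)
    return None, True              # unknown command or malformed key: ignored


def run_session(lines):
    """Feed a scripted client session to the model and collect what the box would send."""
    sent = [BANNER]
    for line in lines:
        reply, keep_open = handle_command(line)
        if reply is not None:
            sent.append(reply)
        if not keep_open:
            break
    return sent
```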
Do you need a chipped box for this to work?
I tried connecting with Telnet to [boxip]:8082 on my unmodified BT Vision box but it said "unable to connect to remote host: connection refused"
Port 8080 seems to be the only open port on my BT vision box, but it does not respond or reply with anything at all, not even a "hello". Accessing [boxip]:8080/key=[number] in a browser just gives a blank page.
This stuff was a very long time ago.
Maybe they ditched this stuff, or the box you are trying is not running windows CE and is running the linux version?
Mick
It's a silver box running Windows CE. It has not been chipped or modified in any way.
So this must mean a modified box is required to get tv2remotekeys.exe running and ready to accept commands on port 8082.
The only other way I can think of to get tv2remotekeys.exe running on an unmodified box is to make use of the Windows CE Autorun facility and have an .exe on a usb stick that is set to run "C:\Windows\tv2remotekeys.exe". When I plug a usb stick into the BT Vision box, its light flashes, so Windows CE is reading it looking for an autorun. In fact, one of my USB sticks makes the BT Vision box freeze until I remove it.
Or if I could get back into the secret menu (http://www.t-hack.com/forum/index.php?topic=1144.0) and run the Ajax/CSS test and make it load a specially crafted gif/jpg to execute custom code.
It's a silver box running Windows CE. It has not been chipped or modified in any way.
So this must mean a modified box is required to get tv2remotekeys.exe running and ready to accept commands on port 8082.
No, it depends, some providers have tv2remotekeys.exe enabled on their STBs... some not...
If tv2remotekeys is not enabled on your STB, you can enable it, but you'll need to patch the MS(err... now Ericsson...) bootloader...
The only other way I can think of to get tv2remotekeys.exe running on an unmodified box is to make use of the Windows CE Autorun facility and have an .exe on a usb stick that is set to run "C:\Windows\tv2remotekeys.exe". When I plug a usb stick into the BT Vision box, its light flashes, so Windows CE is reading it looking for an autorun. In fact, one of my USB sticks makes the BT Vision box freeze until I remove it.
LOL :) Easy, Cowboy... That will not work :)
I'm not even sure WinCE implements Autorun...
Or if I could get back into the secret menu (http://www.t-hack.com/forum/index.php?topic=1144.0) and run the Ajax/CSS test and make it load a specially crafted gif/jpg to execute custom code.
You don't need that Secret Menu, just use Wireshark then load some interactive tv app from your provider... You will see tons of PNG/JPEGs...
Now, you can just set some form of dns spoofing and the STB will load your images...
I'm not even sure WinCE implements Autorun...
According to this website (http://www.codeproject.com/Articles/27917/Automatically-Starting-Your-Application-on-Windows) Windows CE does have autorun.
When a memory card is inserted into a Windows Mobile / Windows CE device, the OS automatically looks in a certain folder for a program named Autorun.exe. If that program is found, then it is immediately run. The folder in which the OS looks is going to depend on what type of processor the device has. For an overwhelming majority of Windows Mobile devices, that folder will be "/2577". Here is a table of the possible folder names for other Windows CE devices:
Processor       Folder Name
ARM 720         1824
Arm 820         2080
ARM 920         2336
ARM 7TDMI       70001
Hitachi SH3     10003
Hitachi SH3E    10004
Hitachi SH4     10005
Motorola 821    821
SH3             103
SH4             104
Strongarm       2577
One of my USB flash drives will cause the BT Vision box to freeze when I insert it, so the USB port is indeed being read by Windows CE and it doesn't like that particular model of USB flash drive for some reason.
Well, that's easy... According to http://msdn.microsoft.com/en-us/library/aa453696.aspx the folder for MIPS CPUs is 4000...
The problem is... I'm quite sure the autorun functionality is implemented by the Windows shell (explorer.exe or whatever they use on Windows Mobile)
And the STB isn't running the shell :)
When a USB flash drive is plugged into the box before boot up, the box will access the flash drive 2 times early on during the boot up process. The question is, what file is it looking for on the USB flash drive? Could it be looking for a firmware update or a file to execute?