
Messages - merkin

1
By spec, if a JTAG device has IDCODE then it's mandatory for the register to be loaded when the TAP is reset.  If no IDCODE then the BYPASS register is loaded.  This means TDI is not needed to read IDCODE, but other TAP commands will not work.

Btw in my previous post I meant to say TDO in ejtag mode.
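An added example, not part of the original post: reading a data-register capture taken straight after TAP reset, where each device presents either a 32-bit IDCODE (bit 0 is 1) or a 1-bit BYPASS (reads 0). The chip ID 08630001 is the value from the tool output quoted further down this page; the function names, the sample capture and the all-ones end-of-chain padding (TDI held high) are assumptions.

```python
"""Classify a DR capture taken right after TAP reset (IEEE 1149.1)."""
from typing import Dict, List, Union

Device = Union[str, Dict[str, int]]


def decode_idcode(word: int) -> Dict[str, int]:
    """Split a 32-bit IDCODE into its standard fields."""
    if word & 1 != 1:
        raise ValueError("bit 0 of an IDCODE is always 1")
    return {
        "version": (word >> 28) & 0xF,
        "part": (word >> 12) & 0xFFFF,
        "manufacturer": (word >> 1) & 0x7FF,
    }


def enumerate_chain(tdo_bits: List[int]) -> List[Device]:
    """tdo_bits are listed in the order they left TDO (first bit first)."""
    if tdo_bits and len(set(tdo_bits)) == 1:
        # A line that never toggles carries no register contents at all.
        return ["stuck-high" if tdo_bits[0] else "stuck-low"]
    devices: List[Device] = []
    i = 0
    while i < len(tdo_bits):
        if tdo_bits[i] == 0:          # BYPASS register captures a single 0
            devices.append("BYPASS")
            i += 1
            continue
        if i + 32 > len(tdo_bits):    # truncated capture, stop cleanly
            break
        # IDCODE is shifted out least significant bit first.
        word = sum(bit << n for n, bit in enumerate(tdo_bits[i:i + 32]))
        if word == 0xFFFFFFFF:        # assumed padding: TDI held high
            break
        devices.append(decode_idcode(word))
        i += 32
    return devices


def lsb_first(word: int, width: int = 32) -> List[int]:
    return [(word >> n) & 1 for n in range(width)]


# Constructed capture: one BYPASS-only device, then the chip ID, then padding.
SAMPLE = [0] + lsb_first(0x08630001) + [1] * 32

if __name__ == "__main__":
    for dev in enumerate_chain(SAMPLE):
        print(dev)
```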
2
The full datasheet and bcm97405 development board schematics can be found on web. 
It can be configured for three different modes via strapping resistors. 
In normal mode output from TDO is always 0.
In jtag mode you can read IDCODE, but nothing else...which leads me to believe TDI is disabled.
In ejtag mode output from TDI is always 1.

YMMV, it's possible the manufacturer of your device did not disable the debug module, or blow any OTP fuses.
3
Hardware / Re: Wegener SMD515 IPTV
15. Mar 2013, 05:16
What GPU chipset do you use?...I am using gtx460.

smd515 uses 2.7.147.0 mrua, is there a chance that compiling sample apps from a different mrua (2.7.127.0) will run on smd515?
4
Hardware / Re: Wegener SMD515 IPTV
08. Mar 2013, 00:11


Turns out the password is hashed with md5crypt.  Gonna take a while to crack it.


I'm trying it with hashcat (http://hashcat.net)


someone on hashcat IRC cracked it...
$1$$ca/TeYtIqHqWO6VxOfbvN.:7365126  :)

I AM IN!!!
5
Hardware / Re: Wegener SMD515 IPTV
07. Mar 2013, 00:25
I also moved on to hashcat instead.  This pass is hashed with md5crypt, which is 1000 iterations of md5. 
Are you trying bruteforce or dictionary attack?

Decided to edit the etc/shadow file according to here
http://www.thaivisa.com/forum/topic/620644-dreambox-500s-problem/?p=6134586

But login does not work still. :(

Maybe need to change ssh config to allow root login?  But no ssh config exists in file system.  setop uses busybox with dropbear for ssh.

I also need to try this new hash with 'dreambox' password from uart console.
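An added example, not part of the original posts: a shadow-file audit that flags the scheme discussed in this thread, md5crypt with its fixed 1000 MD5 rounds, along with an empty salt as in the `$1$$...` shape of the posted hash. The sample entries are constructed, and `audit_entry` and `MIN_SHA_ROUNDS` are assumed names and policy.

```python
"""Flag weak password-hash schemes in shadow-style entries."""
from typing import Dict, List

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
MIN_SHA_ROUNDS = 5000  # assumed policy floor: the sha-crypt default


def audit_entry(line: str) -> Dict[str, object]:
    """Return scheme, round count and findings for one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, field = fields[0], fields[1]
    findings: List[str] = []
    scheme, rounds = None, None
    if field == "":
        findings.append("no-password")
    elif field[0] in "!*":
        scheme = "locked"                 # account cannot log in by password
    elif not field.startswith("$"):
        scheme = "descrypt"               # legacy 13-character crypt(3)
        findings.append("weak-scheme")
    else:
        parts = field.split("$")          # ['', id, salt-or-params, ...]
        ident = parts[1]
        scheme = SCHEMES.get(ident, "unknown")
        salt = parts[2] if len(parts) > 2 else ""
        if ident == "1":
            rounds = 1000                 # fixed by the md5crypt algorithm
            findings.append("weak-scheme")
        elif ident in ("5", "6"):
            rounds = 5000                 # default without a rounds= field
            if salt.startswith("rounds="):
                rounds = int(salt[len("rounds="):])
                salt = parts[3] if len(parts) > 3 else ""
            if rounds < MIN_SHA_ROUNDS:
                findings.append("low-rounds")
        if ident in ("1", "5", "6") and salt == "":
            findings.append("empty-salt")  # identical passwords hash alike
    return {"user": user, "scheme": scheme, "rounds": rounds,
            "findings": findings}


# Constructed sample entries (hash bodies are filler, not real hashes).
SAMPLE = [
    "root:$1$$" + "A" * 22 + ":15000:0:99999:7:::",
    "svc:$6$rounds=656000$constructedsalt$" + "B" * 86 + ":19000:0:99999:7:::",
    "old:" + "C" * 13 + ":15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
]
```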
6
Hardware / Re: Wegener SMD515 IPTV
03. Mar 2013, 19:08
Turns out the password is hashed with md5crypt.  Gonna take a while to crack it.

Can also just change the hash to a known password, then remake jffs2 and add it back to firmware image.  But CRC checks or signed image will probably make it fail.
7
Hardware / Re: Wegener SMD515 IPTV
03. Mar 2013, 01:21
Ok mounted JFFS2 file system
http://rapidshare.com/files/1104149096/smd515_jffs2.tar.gz
/etc/passwd and /etc/shadow are in the archive.

I tried this app http://www.golubev.com/hashgpu.htm with gtx460 to crack the md5 hash. 


Here is copy of firmware.
http://rapidshare.com/files/373084072/smd515_firm.zip

Any other way to get root password?
8
Hardware / Re: Wegener SMD515 IPTV
28. Feb 2013, 05:42
Quote from: mce2222

However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?


no idea, but since the root file system is mounted directly from flash
"/dev/mtdblock/1 ro"
I guess it would be quite easy to find the login if you dump the flash completely.

Decided to dump entire firmware and try this.  Installed binwalk and analyzed.  Appears to be JFFS2 and it's LZMA compressed.
Can you help with next step?
9
Interesting...according to the UART log it uses "Focus Boot" just like my smp8634 target here http://www.t-hack.com/forum/index.php?topic=859.0

Most important to find out if your bootloader is signed with the standard SDK keys or using a 3rd party vendor key.  Follow the above post to find all the info to dump the bootloader and XENV via jtag.

The modchip is only for certain versions of Microsoft's WinCE bootloader.  The Atmega firmware needs to be updated for the "focus boot" bootloader.  Then we can run unsigned code.

10
Two things to consider.

1.  Does the IPP330HD use sigma's SDK vendor keys?

Where on the forum or wiki is this beta_rom_img.zip discussed?

2.  Detected flash is here http://pdf1.alldatasheet.com/datasheet-pdf/view/55494/AMD/AM29LV160DB-90EC.html

and actual flash is http://pdf1.alldatasheet.com/datasheet-pdf/view/217860/SPANSION/S29GL016A.html

It seems it is wrongly detecting the flash...perhaps that could be the issue.

AMD and Spansion have the same vendor ID, but different flash chips should NOT have the same device ID.
11
Hardware / Re: jtag flash dump dit9719
06. Oct 2011, 02:30


It all works fine but when I try to dump 1 meg of flash starting at 0x1FC00000 I only get the first 64K dumped correctly.  Everything after 0x1FC10000 is all 00 00 00....
Is this read protected?  The first 64K is identical to Mick's bootloader.bin so I'm confident the interface is working correctly.

This is a short version of my output from 0x1FC10000

Code:

BTVJTAG>flaps  -backup:custom  /instrlen:5 /fc:01
/window:1FC00000 /start:1FC10000 /length:00000100  /notimestamp /xeloa

=====================================================
    FLAPS MIPS EJTAG Flash Utility probes-v1.4
    Patched for BT Vision DiT9719   by 007.4
=====================================================

   Waiting 1 second..

Selected  port  = 0x0378

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00001000011000110000000000000001 (08630001)
*** Found a SigmaDesigns SMP8634 Rev A CPU chip ***

  - EJTAG IMPCODE ............... : 01000000010000010100000000000000 (40414000)
  - EJTAG Version ............... : 2.6
  - EJTAG Implementation flags .. : R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Done
Clearing Watchdog ... Done
Done

Flash Vendor ID: 00000000000000000000000000000000 (00000000)
Flash Device ID: 00000000000000000000000000000000 (00000000)
    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00100000
    - Selected Area Start ........ : 1fc10000
    - Selected Area Length ....... : 00000100

*** Manually Selected a MX29LV800BTC 512kx16 TopB  (1MB) Flash Chip ***

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================

Saving CUSTOM.BIN.SAVED to Disk...
[  1% Backed Up]   1fc10000: 00000000 00000000 00000000 00000000
[  7% Backed Up]   1fc10010: 00000000 00000000 00000000 00000000
[ 14% Backed Up]   1fc10020: 00000000 00000000 00000000 00000000
[ 20% Backed Up]   1fc10030: 00000000 00000000 00000000 00000000
[ 26% Backed Up]   1fc10040: 00000000 00000000 00000000 00000000
[ 32% Backed Up]   1fc10050: 00000000 00000000 00000000 00000000
[ 39% Backed Up]   1fc10060: 00000000 00000000 00000000 00000000
[ 45% Backed Up]   1fc10070: 00000000 00000000 00000000 00000000
[ 51% Backed Up]   1fc10080: 00000000 00000000 00000000 00000000
[ 57% Backed Up]   1fc10090: 00000000 00000000 00000000 00000000
[ 64% Backed Up]   1fc100a0: 00000000 00000000 00000000 00000000
[ 70% Backed Up]   1fc100b0: 00000000 00000000 00000000 00000000
[ 76% Backed Up]   1fc100c0: 00000000 00000000 00000000 00000000
[ 82% Backed Up]   1fc100d0: 00000000 00000000 00000000 00000000
[ 89% Backed Up]   1fc100e0: 00000000 00000000 00000000 00000000
[ 95% Backed Up]   1fc100f0: 00000000 00000000 00000000 00000000
Done  (CUSTOM.BIN.SAVED saved to Disk OK)

bytes written: 256
=========================
Backup Routine Complete
=========================
elapsed time: 0 seconds


*** REQUESTED OPERATION IS COMPLETE ***


Also I have to manually select the flash chip.  Anyone know why it is not correctly identified?

Help please!

Cheers
007.4


Not familiar with that hardware or flash utility.  Just curious, what speeds do you get over LPT port?
I made this http://www.t-hack.com/wiki/index.php/EJTAG and used this flash utility http://www.t-hack.com/wiki/index.php/Dump_X300T_Bootloader
to dump parts of the flash on my SMP8634 based box http://www.t-hack.com/forum/index.php?topic=859.0. 

Try that combo if possible.

Where exactly are you starting to read from?  Because you said starting at 0x1FC00000, but in the code section it says /start:1FC10000.  (I use the same value for "/window:" and "/start:", but admittedly I do not know what the "/window:" command even does.)

Also the beginning of the Flash is always mapped to 0xac000000.  Try this tool also http://www.t-hack.com/wiki/index.php/Debrick_SMP863x_Device

Good Luck.
12
Hardware / Re: Wegener SMD515 IPTV
05. Aug 2011, 05:40
Can you confirm that the bootloader is encrypted with vendor certs?  I don't know if I am looking at the correct x.boot pointer.

13
Hardware / Re: Wegener SMD515 IPTV
28. Jul 2011, 19:17
Finally got around to dumping the bootloader.

I was getting an error with the original bootloader. (It said it installed correctly, but it would not "start".) (On Windows 7 x86.  Also tried enabling the legacy parallel port driver via device manager with the same result.)

The C# version worked fine however it is very slow as the wiki states. Averaged about 175 b/s.

1. Also does the C# version use the same parameters as the original version?

I tried
Code:
\path\to\dumptool\   /start:00000000 /length:00060000
but nothing would dump.

Code:

Creating 1 MTD partitions on "CS1+CS2":
0x00400000-0x01f00000 : "Root FileSystem"

Creating 4 MTD partitions on "Flash_CS2":
0x00400000-0x01000000 : "Flash FileSystem"
0x00000000-0x00060000 : "Bootloader"
0x00060000-0x00080000 : "Common_Area"
0x00080000-0x00400000 : "Kernel"

Creating 2 MTD partitions on "Flash_CS1":
0x00000000-0x00f00000 : "Filesystem-pt2"
0x00f00000-0x01000000 : "Flash_NVM"
Finished adding mtd devices


2. So how do I tell if the bootloader is encrypted?

Also I tried to interrupt the boot process in putty to get yamon prompt, but nothing happens.

However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?

4.  Any luck finding the WinCE BSP and driver package?  I looked everywhere for many days and cannot find it.

Thanks again
14
Hardware / Re: Wegener SMD515 IPTV
24. Jun 2011, 06:16
Thanks for the help and the warm welcome

In reply to you:

1.  Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"...The flash labeled "BOOT" is in the U36 silkscreen pcb print and the "OPTION" is U35 position.  They can be offset to U24 and U23 respectively, which was odd to me.

2.  I sent an informal email to Wegener as I am not sure if they have broken GPL or not.  Linux is not my primary OS, and GPL is nothing but confusing to me.  I saw in the UART0 log they use Smartmontools and that is GPL.  My question is, is this enough info to formally demand the sources and contact the developers of Smartmontools?  If not, what obligations does Wegener have?  I understand the content is on the web, but if Wegener is in breach of GPL then they should suffer the consequences like other NMT's hardware developers running Linux.

3.  OK thank you for info, here is my source http://developer.mips.com/sigma-8654/.  I didn't look close enough at the URL, but the article just says SMP86XX, hence my confusion.

That makes perfect sense about the absence of the GUI.  It appears the box tries to connect to the IPTV server that is hardcoded in the firmware according to the UART0 log.  BTW here are Wegener iPump IPTV media servers http://www.wegener.com/PRODUCTS/iPUMP/index.php.  No HDD's were in them upon arrival, but that doesn't mean there wasn't an HDD in there at one time.  Either way I have plenty of spare HDD's for the job.

4.  Well I will build the DCU5 cable.  I have all the parts on the bench.  Then we will see if there are vendor certs in this linux distro :-) 
I have all parts for the modchip laying around also ;-), but fingers crossed your instincts are correct for the sake of ease.

Yes I noticed that modified bootloader "FocusBoot", different from for instance AZBOX.

Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?

I will get entire dump via ejtag, but can you recommend a compatible Windows dump utility to use with the DCU5 jtag cable?

Hey this is all for fun.  Got the units off Ebay for dirt cheap.  Just happy the hardware is still functional at this point.

Okay I have WinCE6.0 from my M$ Dreamspark.com account, as well as VisualStudio 05/08/10
I NEED the BSP for WinCE6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint.  I must be missing something because my search cannot find the WinCE6.0 BSP.msi?

Let us (SichboPVR) worry about OS development.  We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

Thanks again for the wealth of information you supplied.  I am sure I will have more questions in the future.
 
15
Hardware / Wegener SMD515 IPTV
23. Jun 2011, 04:49
http://www.wegener.com/datasheets/DS_SMD515a.pdf
Attachment 1:  Picture of internals (Wegener has EVERY header (UART0, UART1/EJTAG, SCARD, etc.)...lucky me  ;D)
Attachment 2:  UART0 log

According to UART log it is chip revision 0x8634:0x83 (does this mean rev. A,B, or C?)

There are 2 on-board flash memories S29GL128N labeled by silkscreen printing "BOOT" and "OPTION".   
1.  What is your best guess as to the purpose of the second flash? (just more space perhaps)

DDR0 bank is 2x VDD9616A8A-5CG
DDR1 bank is 2x VDD8616A8A-5BG

2.  Does Wegener have any obligation to release any sources based on GPL like other NMT's? 

3.  The board ID "852-E2", and I have seen people running Enigma2 on the same board ID with AZBOX...Can I also?  (without tuner support of course).  Or perhaps even Android IPTV distro?

They have no HDD's when I bought them off Ebay AS IS.  But UART0 log references "/dev/ide/host0/bus0/target0/lun0/part1 on /hdisk/media failed: No such file or directory"

Currently when I power up the unit there is no GUI or Splash screen. (There should be according to the Wegener SMD-515 Datasheet linked above), however there is DEFINITELY an HDMI signal present.

All I want is to use these as a client media device or NMT, by loading some homebrew firmware.
4.  Is this possible?

I have read the forum and until today the WIKI was down so forgive my noob questions. 
Building the modchip is not a problem either, if necessary.

I guess the best question for the veterans here is....
If you personally owned this device what would you do to get video output and allow connections to my LAN's NAS?

BTW...I would even be interested in putting WinCE on here if possible.  In fact a buddy that I alpha test for is a C# guru.  Here is his project http://pvr.sichbo.ca/.  If I can get M$ bootloader going he will develop a nice GUI or just rip off M$'s example http://www.windowsfordevices.com/c/a/News/Free-addon-outfits-Windows-CE-for-DVRs-IPSTBs/
Does anyone have a MIPS BSP.msi?  or the M$ WinCE feature pack?  My searches found nothing.

Please help and thanks in advance.