Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - VisionUser

Pages: [1]
1
WinCE / Re: tv2remotekeys ?
17. Jul 2014, 21:18
Quote from: Mulder3 on 21. Jan 2014, 21:03

Well, that's easy... According to http://msdn.microsoft.com/en-us/library/aa453696.aspx the folder for MIPS CPUs is 4000...

The problem is... I'm quite sure the autorun functionality is implemented by the Windows shell (explorer.exe or whatever they use on Windows Mobile)

And the STB isn't running the shell :)

When a USB flash drive is plugged into the box before boot up, the box will access the flash drive 2 times early on during the boot up process. The question is, what file is it looking for on the USB flash drive? Could it be looking for a firmware update or a file to execute?
2
Software / Re: BT Vision Box Hidden Menus
17. Jul 2014, 20:59
I found out how to get back into the hidden menu. Now I can enter the hidden menu at will!

In order to enter the secret menu, you must disrupt the boot process by either:
1) Removing the ethernet cable halfway though bootup
2) Blocking the box from loading certain URLs during bootup with a firewall/web filtering software etc.

The URL's to block (might not need to block them all):
sg05clgv.nevis.btopenworld.com/dvrV2/DVRScheduler.asmx
sg05clgv.nevis.btopenworld.com/ListingsClientDataDelivery/PackedListingsForClient/
sg05clgv.nevis.btopenworld.com/clientsms/Purchase.asmx
sg05clgv.nevis.btopenworld.com/clientsms/GetGroupGrantedKeys.ashx
sg05clgv.nevis.btopenworld.com/MDWS/MediaDiscovery.asmx
/clientuserstore/UserStore.asmx <--- This might be the only one you really need to block
/MDWS/MediaDiscovery.asmx
/vodCatalogWS/catalog.asmx


If you block those URLs, then the box will get stuck on the grey bootup screen.
- Then put it into standby, then take it out of standby
- The screen should now be either black, or asking you to enter a 4 digit pin code (depending on which urls you block)
- Press the main menu button, and now the secret menu will appear!

I think the "secret menu" is actually the default menu on the box that happens before it loads "the client user store" and if you block the user store, then it goes to the "secret menu" by default.

Inside the secret menu, you can turn on the DLNA/upnp client or use it's built in web browser. With some dns spoofing, you can get it to load any web page you want as long as it is valid xhtml.

The DLNA client says it wants to connect to Windows Media Player 11, but I successfully got it to connect to PS3 Media Server using the Xbox 360 profile.

Quite annoying to discover the silver box has a DLNA client all along but I didn't find out until now. And getting into the secret menu turned out to be quite easy.
3
Software / DLNA client on silver BT vision box
17. Jul 2014, 20:52
If you boot into the secret menu, there is a "Personal Media Settings" option to "Enable playback from home network". If you do this, it will turn the silver BT Vision box into a DLNA upnp client! When you select "Photos music and video" from the secret menu, it will then look on your local network for a DLNA server.

The following network activity can be observed:

Code: [Select]
NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: uuid:-----------------------------
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: uuid:-----------------------------
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: upnp:rootdevice
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------::upnp:rootdevice
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: upnp:rootdevice
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------::upnp:rootdevice
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: urn:schemas-upnp-org:device:MediaRenderer:1
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------::urn:schemas-upnp-org:device:MediaRenderer:1
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: urn:schemas-upnp-org:device:MediaRenderer:1
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------::urn:schemas-upnp-org:device:MediaRenderer:1
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01

NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://192.168.0.4:53208/upnp/1
NT: urn:schemas-upnp-org:service:ConnectionManager:1
NTS: ssdp:alive
Server: CESTB/6.1 UPnP/1.0 DMP/5.0
USN: uuid:-----------------------------::urn:schemas-upnp-org:service:ConnectionManager:1
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01


If you visit the following URL, you will be met with this xml:

http://192.168.0.4:53208/upnp/1  <--- box IP address
Code: [Select]

  <?xml version="1.0" encoding="utf-8" ?>
- <root xmlns="urn:schemas-upnp-org:device-1-0">
- <specVersion>
  <major>1</major>
  <minor>0</minor>
  </specVersion>
- <device>
  <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
  <dlna:X_DLNADOC xmlns:dlna="urn:schemas-dlna-org:device-1-0">DMR-1.50</dlna:X_DLNADOC>
  <UDN>uuid:-----------------------------</UDN>
  <friendlyName>Mediaroom Device</friendlyName>
  <manufacturer>Mediaroom</manufacturer>
  <manufacturerURL>http://www.microsoft.com/</manufacturerURL>
  <modelName>Mediaroom</modelName>
  <modelNumber>Microsoft Windows CE 5.0.1400</modelNumber>
  <modelURL>http://www.microsoftmediaroom.com/</modelURL>
  <modelDescription>Mediaroom Client</modelDescription>
  <serialNumber>----------</serialNumber>
- <iconList>
- <icon>
  <mimetype>image/png</mimetype>
  <width>48</width>
  <height>48</height>
  <depth>24</depth>
  <url>/upnp/2</url>
  </icon>
  </iconList>
- <serviceList>
- <service>
  <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
  <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
  <SCPDURL>/upnp/4</SCPDURL>
  <eventSubURL>/upnp/4e</eventSubURL>
  <controlURL>/upnp/4c</controlURL>
  </service>
- <service>
  <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
  <serviceId>urn:upnp-org:serviceId:AVTransport</serviceId>
  <SCPDURL>/upnp/5</SCPDURL>
  <eventSubURL>/upnp/5e</eventSubURL>
  <controlURL>/upnp/5c</controlURL>
  </service>
- <service>
  <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
  <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
  <SCPDURL>/upnp/3</SCPDURL>
  <eventSubURL>/upnp/3e</eventSubURL>
  <controlURL>/upnp/3c</controlURL>
  </service>
  </serviceList>
  </device>
  </root>


It states that it wants to connect to Windows Media Player 11, but I managed to get it to connect to PS3 Media Server! Then you can browse it for media. The silver BT Vision box had secret DLNA capability the whole time. And there was no need to install mod-chips on the box, just booting into the secret menu was all that was required!
4
Others / BT servers switching off 22 July 2014. End of BT Vision?
16. Jul 2014, 21:15
BT sent a letter in the post saying they are axing the BT Vision service on 22 July 2014. More info on it here: http://www.a516digital.com/2014/04/bt-vision-to-close-this-summer.html

If they really do turn the servers off, then the silver BT Vision box could become unbootable and unusable even as a Freeview PVR. It is a sad day. The silver BT Vison box was a good solid PVR, shame to see BT kill a perfectly good piece of kit (and appallingly wasteful and damaging for the environment). It never missed a recording or developed problems with its hard drive in 5 solid years of service.

Other Freeview PVRs are apparently very unreliable and prone to going wrong (most of them Linux based). So I'm really going to miss the silver box if BT actually do kill it off.

The question is, could there be any way to get a computer to impersonate the BT servers so the silver box can continue to live a happy life as a Freeview PVR?

The silver boxes communications with the BT servers are encrypted, so can't be easily replicated.  Has anyone had any success in decrypting it or peeking inside the boxes code to see what kind of responses a fake BT server should give?
5
WinCE / Re: tv2remotekeys ?
14. Jan 2014, 16:22
Quote from: Mulder3 on 14. Oct 2013, 21:59

I'm not even sure WinCE implements Autorun...


According to this website Windows CE does have autorun.

Quote
When a memory card is inserted into a Windows Mobile / Windows CE device, the OS automatically looks in a certain folder for a program named Autorun.exe. If that program is found, then it is immediately run. The folder in which the OS looks is going to depend on what type of processor the device has. For an overwhelming majority of Windows Mobile devices, that folder will be "/2577". Here is a table of the possible folder names for other Windows CE devices:Processor   Folder Name
ARM 720   1824
Arm 820   2080
ARM 920   2336
ARM 7TDMI   70001
Hitachi SH3   10003
Hitachi SH3E   10004
Hitachi SH4   10005
Motorola 821   821
SH3   103
SH4   104
Strongarm   2577

One of my USB flash drives will cause the BT Vision box to freeze when I insert it, so the USB port is indeed being read by Windows CE and it doesn't like that particular model of USB flash drive for some reason.
6
WinCE / Re: tv2remotekeys ?
16. Sep 2013, 22:25
Quote from: is0-mick on 15. Sep 2013, 20:04

This stuff was a very long time ago.
Maybe they ditched this stuff, or the box you are trying is not running windows CE and is running the linux version?

Mick


It's a silver box running Windows CE. It has not been chipped or modified in anyway.

So this must mean a modified box is required to get tv2remotekeys.exe running and ready to accept commands on port 8082.

The only other way I can think of to get tv2remotekeys.exe running on an unmodified box is to make use of the Windows CE Autorun facility and have an .exe on a usb stick that is set to run "C:\Windows\tv2remotekeys.exe". When I plug a usb stick into the BT Vision box, its light flashes, so Windows CE is reading it looking for an autorun. In fact, one of my USB sticks makes the BT Vision box freeze until I remove it.

Or if I could get back into the secret menu and run the Ajax/CSS test and make it load a specially crafted gif/jpg to execute custom code.
7
WinCE / Re: tv2remotekeys ?
12. Sep 2013, 16:00
Do you need a chipped box for this to work?

I tried connecting with Telnet to [boxip]:8082 on my unmodified BT Vision box but it said "unable to connect to remote host: connection refused"

Port 8080 seems to be the only open port on my BT vision box, but it does not respond or reply with anything at all, not even a "hello". Accessing [boxip]:8080/key=[number] in a browser just gives a blank page.
8
Software / BT Vision Box Hidden Menus
10. Sep 2013, 17:55
I switched on my Philips DIT9719 BT Vision box the other day and the menu had changed - to a secret hidden menu. The Recordings menu had dissappeared, but new menu items had come up such as:

- Demo
- Extras
- XHTML Test
- http://172.29.50.50/ajax.html
- http://172.29.50.50/mosaic.html
- CSS Acid Test
- Ajax test
- Mr Youtube
- Static Weather
- Photos and Music
- Videos
- Static Media
- Launch Application
- MediaStream PiP test
- Mediaroom services
- Client AV Storefront
- WMS Seamonkey test
- Personal media settings
- Enable playback from home network

There was an option for browsing photos and videos on the local network, it said a PC with Windows Media Player 11 was required.

There was no TV Channels, just a black screen. Pressing the "i" info button on the remote control caused the box to reboot and it rebooted back to the normal menu. I can't get back into this hidden menu. :(

I don't know why this hidden menu came up. Was it just a bug in the BT Vision box, or is there a secret key combination you can type into the remote control to bring it up? Or do you have to press certain buttons on the box whilst turning it on? I have read in another thread of secret key codes that bring up diagnostic text, but what is the way to bring back this secret menu? I need to get back into this secret menu!!! Has anyone else accessed this secret menu?

The Ajax test is interesting, Windows CE v5 apparently has a JPG/Gif exploit for it. If you could use the Ajax test to load a specially crafted JPG/Gif, then you could load custom code onto the BT Vision box without the need for any soldering! :D

Screenshots of the hidden menus are attatched
Pages: [1]