Messages - mce2222

16
I suspect it is looking for a signed WinCE image, just like the one that should be on the hard disk.

As for the question whether anything can be done with this box...
since it does not contain a Sigma CPU but a BCM7405, our modchip will not work, for a start.
17
News / Re: Wiki hacked?
23. Oct 2011, 02:25
yes it gets spammed a lot.
and nothing new is going on in the sigma world :( ... so we could disable the wiki registering completely I think.
18
Software / Re: Step-by-step guide
29. Sep 2011, 23:43
there is no guide for that.
once the JTAG modchip is running, the next step would be to disable the file-system signature check. there is a thread in the English section of the forum where this is described.

this file can then easily be adjusted... e.g. to enable DVB-T or the USB ports. there are also a few parental-control settings.
tv2clientce/content/tv2config.xml

Microsoft\TV2\Client\AccessControl\Internal\AccessControlManager.cs would be a hot candidate for patching out the parental controls :)
19
In principle the data on the hard disk is encrypted (apart from recordings of the public broadcasters).
Swapping the disk could work, since during playback the receiver fetches the receiver-specific decryption key from the IPTV server.
I don't think anyone has tried that yet.

there is really nothing special to watch out for during the conversion. But to be safe I would make a backup of the disk first, since the software likes to do a complete format if anything is not as it should be.

20
no, that will not work.
I also don't understand what the advantage of running a VM on the receiver would be.
21
there is really nothing to watch out for, but simply not all of them work. I don't think anyone knows exactly why some work and others don't.
22
it does not work without an HDD... but you can install a silent HDD, i.e. a Disk-on-Module, or an IDE-CompactFlash adapter, or just an SSD (if you have too much money)

if I remember correctly 128MB should be enough... you can get something like that for 10 euros
23
I have no idea what that error code means.
anyway. the security of that box is quite high, so without modchip you cannot install anything that is not officially delivered.

but even with a modchip it is still difficult to get something to work.
24
Hardware / Re: Wegener SMD515 IPTV
08. Aug 2011, 00:33
the bootloader is at 0x020000
it references certificate 0x14 ... and that is not an id of the SDK certificates, so it is for sure some vendor certificate.
25
Hardware / Re: Wegener SMD515 IPTV
29. Jul 2011, 21:04

1. Also does the C# version use the same parameters as the original version?


not sure, I have not looked at the source code, but since it is not derived from the C dumptool, I think it will not use the same parameters.



2. So how do I tell if the bootloader is encrypted?


at the beginning of the Flash which is always mapped to 0xac000000 you should find an XENV block which looks something like this
   
ð....ÕkSk.úÄ.Oˆmà5ÇŽ×ï„ü..a.avclk_mux.......a.board_id."KMM3210-
A"..a.cd2_freq..ظ...a.cd4_freq.U ü...a.chip_rev.‚.4†..a.enab
le_devices.þ>....a.gpio_data.......a.gpio_dir.......a.gpio_irq_m
ap.......a.hostclk_mux.......a.irq_fall_edge_hi.......a.irq_fall
_edge_lo..À....a.irq_rise_edge_hi.ÿ.....a.irq_rise_edge_lo..Ê(ÿ.
.a.pb_cs_config.À.....a.pb_def_timing.......a.pb_timing0.......a
.pb_timing1.......a.pb_use_timing0.ü.....a.pb_use_timing1.ó.....
a.pcidev1_irq_route.......a.pcidev2_irq_route.......a.pcidev3_ir
q_route.......a.pcidev4_irq_route.......a.premux.......a.scard_5
v_pin.......a.scard_cmd_pin.......a.scard_off_pin.......a.uart0_
gpio_data.......a.uart0_gpio_dir.......a.uart0_gpio_mode.n.....a
.uart1_gpio_data.......a.uart1_gpio_dir.......a.uart1_gpio_mode.
n.....a.uart_console_port.......a.uart_used_ports.......l.cs0_si
ze.......l.cs1_size.......l.cs2_part1_offset.......l.cs2_part1_s
ize..€....l.cs2_part2_offset..€....l.cs2_part2_size..€.€..l.cs2_
part3_offset.......l.cs2_part3_size....€..l.cs2_parts.......l.cs
2_size...@...l.cs3_size.......x.boot..€....x.csf.......x.d0.cfg.
º.Aã..x.d1.cfg.º.Aã..x.ds.@.....x.dt.......x.l2rzc.......x.l2xz.
......z.boot0.......z.boot1.......z.boot2....L..z.boot3....L..z.
default_boot.......a.eth_mac."00:00:DE:AD:BE:EF"


the important pointer in this is "x.boot" which is the relative memory address of the bootloader in this memory-section

so if this points to 0x2000 then the bootloader is located at 0xac002000

the bootloader will have a header like this:

00 00 00 00 05 00 00 00  00 00 0D 00 00 00 60 13   
02 00 00 00 03 00 00 00  04 00 00 00 34 04 0D 00   
0B 00 00 FF D5 7B 3F A5  91 A1 7A 3D D9 24 BA 09
87 33 47 2E 15 2C 31 CF  75 40 36 8C 06 5B 17 D2


the interesting part here would be line 3 and 4, since the 0x0b is the public key id. if you have the same data in line 3 and 4, then they use the standard Sigma Developer SDK keys... that you can get from the net. So you could sign your own bootloader or you can use some existing one from other devices.

following these 4 lines will be about 0x300 bytes which is the public key chain to verify the signature of the memory block.
if the block is encrypted, then you will see just random data following. otherwise you should notice texts and areas with zeros.


Also I tried to interrupt the boot process in putty to get yamon prompt, but nothing happens.


you cannot really interrupt the boot process.



However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?


no idea, but since the root file system is mounted directly from flash
"/dev/mtdblock/1 ro"
I guess it would be quite easy to find the login if you dump the flash completely.



4.  Any luck finding the WinCE BSP and driver package?  I looked everywhere for many days and cannot find it.


I will send you a PM later with some hints.
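
Added example, not part of the original post and not the dump tool from the wiki: Python code that applies the checks from post 25 above to a dumped bootloader block (key id and lines 3-4 of the header, then an entropy test on the data behind the key chain). The exact key-chain length of 0x300, the 7.5 bits/byte threshold and both sample blocks are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

FLASH_BASE = 0xAC000000  # flash mapping named in the post
HEADER_LEN = 0x40        # the four 16-byte header lines
KEYCHAIN_LEN = 0x300     # post says "about 0x300"; the exact size is an assumption

# The header exactly as quoted in the post (lines 3-4 hold key id + key data).
QUOTED_HEADER = bytes.fromhex(
    "000000000500000000000D0000006013"
    "02000000030000000400000034040D00"
    "0B0000FFD57B3FA591A17A3DD924BA09"
    "8733472E152C31CF7540368C065B17D2")

def bootloader_address(x_boot):
    """x.boot is an offset from the start of the flash mapping."""
    return FLASH_BASE + x_boot

def key_info(block):
    """Return (public key id, whether lines 3-4 equal the quoted header's)."""
    if len(block) < HEADER_LEN:
        raise ValueError("block shorter than the 0x40-byte header")
    return block[0x20], block[0x20:0x40] == QUOTED_HEADER[0x20:0x40]

def entropy(data):
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(block, threshold=7.5):
    """Heuristic (threshold is an assumption): ciphertext sits near 8 bits/byte,
    while code with text and zero-filled areas scores clearly lower."""
    body = block[HEADER_LEN + KEYCHAIN_LEN:]
    return len(body) > 0 and entropy(body) > threshold

# Constructed sample blocks, not real dumps: zeroed key-chain placeholder,
# then either hash-derived pseudo-random bytes or text mixed with zero runs.
_KEYCHAIN = bytes(KEYCHAIN_LEN)
SAMPLE_ENCRYPTED = QUOTED_HEADER + _KEYCHAIN + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PLAIN = QUOTED_HEADER + _KEYCHAIN + (b"zboot: loading\n" + bytes(200)) * 16

if __name__ == "__main__":
    print(hex(bootloader_address(0x2000)))
    for name, blk in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        key_id, same = key_info(blk)
        print(name, hex(key_id), same, looks_encrypted(blk))
```
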
26
Software / Re: Mediaroom 2.0.26130.102
29. Jun 2011, 21:16
so that means no upgrade possible to Mediaroom 2.0 without subscription to the IPTV provider...
27
Software / Mediaroom 2.0.26130.102
25. Jun 2011, 01:09
Hello,
I dug out my old x300t again and wanted to do an update after reading that Mediaroom 2 is supposed to have been available for two months.

with disaster recovery, however, I only ever get version 1.6.25281.6
is this now a two-stage upgrade that only continues after a successful boot with 1.6?
if anyone has version 2.0 on their disk, I would be glad to get a backup ;)
28
Hardware / Re: Wegener SMD515 IPTV
24. Jun 2011, 09:13

1.  Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"...The flash labeled "BOOT" is in the U36 silkscreen pcb print and the "OPTION" is U35 position.  They can be offset to U24 and U23 respectively, which was odd to me.

that is only to be flexible in regards to chip-packaging. it has no effect on the memory-offsets


2.  I sent informal email to Wegener as I am not sure if they have broken GPL or not.  Linux is not my primary OS, and GPL is nothing but confusing to me.  I saw in the UART0 log they use Smartmontools and that is GPL.  My question is this enough info to formally demand the sources and contact the developers of Smartmontools?  If not what obligations does Wegener have?  I understand the content is on the web, but if Wegener is in breach of GPL then they should suffer the consequences like other NMT's hardware developers running Linux.

currently they do not breach the GPL. They have to supply the sources of all GPL based tools INCLUDING their modifications. But the interesting parts of the software are not GPL based for sure, so you would only get the sources of the Linux kernel and some other system services and tools.
I would say, they would be annoyed by the work they have to do to get all the sources assembled, but that's about it.



Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?


yes, I got that mixed up. the BREAK signal interrupts the YAMON auto-start sequence. But in the log there is no indication that they use the YAMON for startup.
which doesn't mean that there is no YAMON in the flash.
you should try to press and hold number-keys during startup. In the standard ZBoot, this selects different flash-partitions for booting.
It is quite common to have one flash-partition set up with YAMON to allow recovery.
maybe you are in luck.


I will get entire dump via ejtag, but can you recommend a compatible Windows dump utility to use with the DCU5 jtag cable?


sure try our bootloader dumper from the WIKI
http://www.t-hack.com/wiki/index.php/Dump_X300T_Bootloader

without parameters it will just dump the RAM where the decrypted bootloader is stored if an encrypted flash is used.


I NEED the BSP for WinCE6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint.  I must be missing something because my search cannot find the WinCE6.0 BSP.msi?


that's correct, there is source code in the BSP, but the BSP alone does only make the system boot.
there is a second WinCE package that provides DLLs for the audio/video hardware acceleration, and there are no sources for that.
I have to check if I can find a link to that package somewhere.


Let us (SichboPVR) worry about OS development.  We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

that sure looks impressive. haven't used it yet though.
would be really cool to finally see something useful done with all the research that has been done on the forum.
29
Miscellaneous / Re: MT300 (B) and XBMC?
23. Jun 2011, 21:36
as a general rule for all Microsoft IPTV boxes: without a modchip nothing works at all.

All T-Home boxes apart from the newer MR 303/MR102 have the same CPU and are therefore almost identical.
Linux can be made to run on all Sigma-based boxes, but unfortunately it is not of much use without ready-made software that is then started under Linux.

as far as I know there is no active development at the moment.
30
Hardware / Re: Wegener SMD515 IPTV
23. Jun 2011, 21:13
Hi and welcome to the forum.

I looked at the UART log and I have a pretty clear picture about the firmware now.
the chip should be version 3 which is rev.B ...

1) the flash address space is usually continuous, so I am pretty sure that there are two just to get more space.. 32MB to be exact

2) well, that device seems to be Linux based. They should release some sources, but I doubt that it would be of any help since those sources are available on the net anyway.

3) the ID is from the reference board designed by Sigma, I am not sure what triggers the detection of that board type, but it doesn't mean that you can run another firmware without modifications. There is no Android version for SMP 863x... Sigma only supports SMP 864x 865x and 867x on Android.

I don't expect that a HDD is needed to startup the box. with 32MB flash, it is very likely that the full firmware is in flash. The HDD is most likely only used as cache or for recording of IPTV content. Most IPTV boxes require a connection to a hardwired IPTV server, so that is most likely the reason why you don't get any GUI.

4) there is one possible obstacle to running your own firmware and that would be if there are vendor certificates installed in the CPU. if that would be the case, then it is impossible to create a bootable flash without the correct private key. The only option in that case is to use a modchip which changes the boot code via JTAG during init phase.
I have not seen any Linux boxes using vendor certificates yet...

from the UART log I can see that they use some kind of modified sigma-zboot bootloader. the standard bootloader has an option to stop the boot phase via UART and get a prompt, but this seems to be removed. Which means that there is no easy way to getting into the system.
I would recommend to dump the flash with JTAG just to verify if they use the standard SDK keys for signing the bootloader.
if that is the case, then you could create a standard firmware + bootloader with the Sigma SDK and flash that to the box.

the only problem is a usable software which runs on top of the Linux. The Sigma SDK only has some sample apps and movie-player that does not have a real GUI.
The AZBOX firmware sources were leaked some weeks ago, so it would be possible to adjust the sources to your box and use that.

WinCE is indeed another option. the Sigma WinCE 6.0 BSP can be found on the net, but the WinCE drivers do have limited hardware support. Someone here on the forum tried to get a fresh WinCE running but didn't have much success.