tv2remotekeys ?

Started by is0-mick, 15. May 2008, 21:32


is0-mick

If I execute the command, and then telnet to the box IP on port 8082

I get the reply of "hello"

I also found the following strings in the tv2remotekeys app

hello
code
/key
quit
bye
key
ok

in the debug tv2client some of the keys do the following
case Keys.Q:
    tV2Keys = TV2Keys.PowerToggle;
    break;

case Keys.R:
    tV2Keys = TV2Keys.Record;
    break;

case Keys.S:
    tV2Keys = TV2Keys.Search;
    break;

case Keys.T:
    tV2Keys = TV2Keys.ToggleMonkeyDisplay;
    break;

case Keys.U:
    tV2Keys = TV2Keys.DBG_TestPage;
    break;


The current version of the application also appears as if it would react to some keys too....

Anyone tried playing with tv2remotekeys or worked out the protocol?
I did try things like keyQ/key etc, but did not get a response...

Mick



is0-mick

#1
16. May 2008, 22:35 Last Edit: 16. May 2008, 22:37 by is0-mick
I have been trying to disassemble the app in IDA

bye and quit commands seem to jump to the same place (which is expected).
The "key" command seems like it will respond with an "ok" message if the correct input is received.

You can see the commands below.. not sure why it doesn't respond though? Any ideas?

there were also some bits of code using HTTP protocol but not sure if they are used..



.text:00013A48 loc_13A48:                               # CODE XREF: command_loop?+60j
.text:00013A48                 lui     $v0, 1
.text:00013A4C                 addiu   $a3, $v0, aOk    # "ok"
.text:00013A50                 lui     $v0, 1
.text:00013A54                 addiu   $a2, $v0, aKey_0  # "key"
.text:00013A58                 lui     $v0, 1
.text:00013A5C                 lw      $v1, 0x88+var_3C($fp)
.text:00013A60                 addiu   $a1, $v0, aBye   # "bye"
.text:00013A64                 lui     $v0, 1
.text:00013A68                 lw      $v1, 0($v1)
.text:00013A6C                 addiu   $a0, $v0, aQuit  # "quit"
.text:00013A70                 addiu   $s2, $fp, 0x88+var_60
.text:00013A74                 addiu   $s3, $fp, 0x88+var_60
.text:00013A78                 addiu   $s4, $fp, 0x88+var_50
.text:00013A7C                 addiu   $s5, $fp, 0x88+var_50
.text:00013A80                 sw      $v1, 0x88+var_78($fp)
.text:00013A84                 addiu   $s6, $fp, 0x88+var_50
.text:00013A88                 sw      $a3, 0x88+var_68($fp)
.text:00013A8C                 addiu   $s0, $fp, 0x88+var_60
.text:00013A90                 sw      $a2, 0x88+var_6C($fp)
.text:00013A94                 addiu   $s1, $fp, 0x88+var_78
.text:00013A98                 sw      $a1, 0x88+var_70($fp)
.text:00013A9C                 sw      $a0, 0x88+var_74($fp)
.text:00013AA0
.text:00013AA0 loc_13AA0:                               # CODE XREF: command_loop?+1A4j
.text:00013AA0                 li      $a3, 1
.text:00013AA4                 lw      $t0, 0x88+var_3C($fp)
.text:00013AA8                 beq     $v1, $t0, loc_13AB4
.text:00013AAC                 move    $v0, $a3
.text:00013AB0                 move    $v0, $0
.text:00013AB4
.text:00013AB4 loc_13AB4:                               # CODE XREF: command_loop?+D0j
.text:00013AB4                 bnez    $v0, loc_13AC4
.text:00013AB8                 nop
.text:00013ABC                 b       loc_13AC8
.text:00013AC0                 move    $v0, $a3
.text:00013AC4  # ---------------------------------------------------------------------------
.text:00013AC4
.text:00013AC4 loc_13AC4:                               # CODE XREF: command_loop?:loc_13AB4j
.text:00013AC4                 move    $v0, $0
.text:00013AC8
.text:00013AC8 loc_13AC8:                               # CODE XREF: command_loop?+E4j
.text:00013AC8                 beqz    $v0, loc_13B84
.text:00013ACC                 nop
.text:00013AD0                 addiu   $s7, $v1, 0xC
.text:00013AD4                 move    $a1, $s7
.text:00013AD8                 jal     sub_16D8C
.text:00013ADC                 move    $a0, $s2
.text:00013AE0                 lw      $a1, 0x88+var_74($fp)  # quit
.text:00013AE4                 move    $a0, $s3
.text:00013AE8
.text:00013AE8 loc_13AE8:                               # DATA XREF: .text:000112B4o
.text:00013AE8                 jal     stringcompare?
.text:00013AEC                 nop
.text:00013AF0                 bnez    $v0, loc_13B5C
.text:00013AF4                 nop
.text:00013AF8                 lw      $a1, 0x88+var_70($fp)  # bye
.text:00013AFC                 jal     stringcompare?
.text:00013B00                 addiu   $a0, $fp, 0x88+var_60
.text:00013B04                 bnez    $v0, loc_13B5C
.text:00013B08                 nop
.text:00013B0C                 lw      $a1, 0x88+var_6C($fp)  # key
.text:00013B10                 jal     stringcompare?
.text:00013B14                 addiu   $a0, $fp, 0x88+var_60
.text:00013B18                 beqz    $v0, loc_13B68
.text:00013B1C                 nop
.text:00013B20                 addiu   $a1, $s7, 0x10
.text:00013B24                 jal     sub_1377C
.text:00013B28                 move    $a0, $s4
.text:00013B2C                 jal     sub_12504
.text:00013B30                 move    $a0, $s5
.text:00013B34                 lw      $a1, 0x88+var_68($fp)  # ok
.text:00013B38                 lw      $a0, 0x88+arg_0($fp)
.text:00013B3C                 li      $a2, 3
.text:00013B40                 jal     transmit
.text:00013B44                 nop
.text:00013B48                 li      $a1, 1
.text:00013B4C                 jal     sub_123C0
.text:00013B50                 move    $a0, $s6
.text:00013B54                 b       loc_13B68
.text:00013B58                 nop

is0-mick

#2
11. May 2009, 10:22 Last Edit: 11. May 2009, 10:39 by is0-mick
Update:

Darkneo was asking about this app, so we loaded it up in IDA yesterday and I had another look at it.

We were only missing an equals sign!

.text:00013B2C                 jal     sub_12504
The jump there checks that the input string contains an = sign.

So you can use the web interface on booterce to launch tv2remotekeys.exe in the windows folder. (there is a command line switch also when running tv2ClientCE, I think it's -remotekeys)

After tv2remotekeys is running telnet to 8082
commands are:
bye=
quit=

and to send a key its key=[keycode] like this

key=40

you should get a response from the box saying Ok.

Darkneo is working on a small remote control emulator program to make this easier :)

There are still two unknowns with tv2remotekeys.. there's a section that has '/key' and 'code' which we have yet to figure out.. any IDA gurus want to have a look?

Mick

DarkNeo

Just to weigh in on the "/key" and "code" bit, I'm pretty sure this is a web API for it, but I can't find out where that gets started, if you navigate to "[boxip]:8082/key" in a browser it just sends the usual 'hello'. Perhaps it's a command line switch, but after the string comparisons on "/key" and "code" there's a lot of references to the HTTP strings, so I'm pretty certain that's what it does.

Mulder3

#4
24. May 2009, 20:36 Last Edit: 14. Dec 2009, 19:54 by Mulder3
Enjoy :)

KEY_UP=38
KEY_DOWN=40               
KEY_LEFT=37             
KEY_RIGHT=39               
KEY_OK=13             
KEY_ENTER=13 
KEY_MENU=11             
KEY_SPACE=32               
KEY_BACK=8               
KEY_BROWSER_BACK=166               
KEY_PAGEUP=33               
KEY_PAGEDOWN=34             
KEY_DELETE=46             
KEY_0=48             
KEY_1=49             
KEY_2=50               
KEY_3=51               
KEY_4=52               
KEY_5=53               
KEY_6=54               
KEY_7=55               
KEY_8=56               
KEY_9=57               
KEY_GREEN=141               
KEY_BLUE=143               
KEY_RED=140             
KEY_YELLOW=142             
KEY_A=97             
KEY_B=98             
KEY_C=99             
KEY_D=100             
KEY_E=101             
KEY_F=102             
KEY_G=103             
KEY_H=104             
KEY_I=105             
KEY_J=106             
KEY_K=107             
KEY_L=108             
KEY_M=109             
KEY_N=110           
KEY_O=111             
KEY_P=112             
KEY_Q=113             
KEY_R=114             
KEY_S=115             
KEY_T=116               
KEY_U=117             
KEY_V=118             
KEY_W=119             
KEY_X=120             
KEY_Y=121               
KEY_Z=122             
KEY_A=65             
KEY_B=66             
KEY_C=67             
KEY_D=68             
KEY_E=69             
KEY_F=70             
KEY_G=71             
KEY_H=72             
KEY_I=73             
KEY_J=74             
KEY_K=75           
KEY_L=76             
KEY_M=77             
KEY_N=78             
KEY_O=79             
KEY_P=80           
KEY_Q=81           
KEY_R=82           
KEY_S=83             
KEY_T=84             
KEY_U=85             
KEY_V=86               
KEY_W=87               
KEY_X=88               
KEY_Y=89             
KEY_Z=90             
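
The following Python is an added example written for this thread; it is not code from the tv2remotekeys binary or from any poster here. It models the session described in posts #1 and #2 (greeting "hello", commands "quit=", "bye=" and "key=<code>", an "ok" reply for a well-formed key command) and builds key commands from the key-code list above. The simulated box, the handling of lines without "=" (silently dropped, which is the assumption that explains why "keyQ" got no reply), and the treatment of non-numeric or unknown commands as ignored are all assumptions made for the example, since the thread only shows that "key=40" answers "Ok".

```python
import socket
import threading
from typing import NamedTuple, Optional

GREETING = b"hello"

# Key codes from Mulder3's list in this thread. Digits are 48..57 and
# upper-case letters 65..90, i.e. the ASCII value of the character.
KEY_CODES = {
    "UP": 38, "DOWN": 40, "LEFT": 37, "RIGHT": 39, "OK": 13, "ENTER": 13,
    "MENU": 11, "SPACE": 32, "BACK": 8, "BROWSER_BACK": 166, "PAGEUP": 33,
    "PAGEDOWN": 34, "DELETE": 46, "GREEN": 141, "BLUE": 143, "RED": 140,
    "YELLOW": 142,
}
KEY_CODES.update({str(d): 48 + d for d in range(10)})
KEY_CODES.update({c: ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"})


class Result(NamedTuple):
    reply: Optional[bytes]   # what the box sends back, None for silence
    keycode: Optional[int]   # key code accepted by a "key=" command
    close: bool              # True when the session ends (quit=, bye=)


def handle_command(line: str) -> Result:
    """One pass of the command loop as the thread describes it.

    Assumption: a line without '=' is dropped silently, matching the
    observation that "keyQ" and "key" drew no reply while "bye=", "quit="
    and "key=40" work. The word before '=' is compared against quit, bye
    and key; a key command with a numeric code answers "ok".
    """
    if "=" not in line:
        return Result(None, None, False)
    command, value = line.split("=", 1)
    if command in ("quit", "bye"):
        return Result(None, None, True)
    if command == "key" and value.strip().isdigit():
        return Result(b"ok", int(value), False)
    # Assumption: unknown commands and non-numeric key values are ignored.
    return Result(None, None, False)


def build_key_command(key) -> str:
    """Wire form 'key=<code>' from a name in KEY_CODES or a raw integer code."""
    code = KEY_CODES[key.upper()] if isinstance(key, str) else int(key)
    return f"key={code}"


def read_line(sock: socket.socket) -> Optional[bytes]:
    """Read one newline-terminated line; None on EOF with nothing read."""
    data = b""
    while True:
        chunk = sock.recv(1)
        if not chunk:
            return data if data else None
        data += chunk
        if chunk == b"\n":
            return data


def serve_once(listener: socket.socket, received: list) -> None:
    """Simulated box (constructed for this example): greet, then dispatch."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(GREETING + b"\r\n")
        while True:
            raw = read_line(conn)
            if raw is None:
                return
            result = handle_command(raw.decode("ascii", "replace").strip())
            if result.keycode is not None:
                received.append(result.keycode)
            if result.reply is not None:
                conn.sendall(result.reply + b"\r\n")
            if result.close:
                return


def send_key(host: str, port: int, key) -> Optional[bytes]:
    """Client side of the exchange: greeting, one key command, reply, quit."""
    with socket.create_connection((host, port), timeout=5) as s:
        greeting = read_line(s)
        if greeting is None or greeting.strip() != GREETING:
            raise RuntimeError(f"unexpected greeting: {greeting!r}")
        s.sendall((build_key_command(key) + "\r\n").encode("ascii"))
        reply = read_line(s)
        s.sendall(b"quit=\r\n")
        return None if reply is None else reply.strip()


def demo(key="DOWN") -> tuple:
    """Run the simulated box on a loopback port and drive it with send_key."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received: list = []
    t = threading.Thread(target=serve_once, args=(listener, received), daemon=True)
    t.start()
    try:
        reply = send_key("127.0.0.1", listener.getsockname()[1], key)
    finally:
        t.join(5)
        listener.close()
    return reply, received


if __name__ == "__main__":
    print(demo("DOWN"))   # (b'ok', [40])
```

Pointing send_key at a real box instead of the loopback simulator only needs the host and port 8082; the rest of the exchange is as the thread describes it. Note that nothing in the protocol authenticates the client, so any host that can reach port 8082 can inject keys, which is worth keeping in mind when the box sits on a shared LAN.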

VisionUser

Do you need a chipped box for this to work?

I tried connecting with Telnet to [boxip]:8082 on my unmodified BT Vision box but it said "unable to connect to remote host: connection refused"

Port 8080 seems to be the only open port on my BT vision box, but it does not respond or reply with anything at all, not even a "hello". Accessing [boxip]:8080/key=[number] in a browser just gives a blank page.

is0-mick

This stuff was a very long time ago.
Maybe they ditched this stuff, or the box you are trying is not running windows CE and is running the linux version?

Mick

VisionUser


Quote
This stuff was a very long time ago.
Maybe they ditched this stuff, or the box you are trying is not running windows CE and is running the linux version?

Mick


It's a silver box running Windows CE. It has not been chipped or modified in any way.

So this must mean a modified box is required to get tv2remotekeys.exe running and ready to accept commands on port 8082.

The only other way I can think of to get tv2remotekeys.exe running on an unmodified box is to make use of the Windows CE Autorun facility and have an .exe on a usb stick that is set to run "C:\Windows\tv2remotekeys.exe". When I plug a usb stick into the BT Vision box, its light flashes, so Windows CE is reading it looking for an autorun. In fact, one of my USB sticks makes the BT Vision box freeze until I remove it.

Or if I could get back into the secret menu and run the Ajax/CSS test and make it load a specially crafted gif/jpg to execute custom code.

Mulder3


Quote
It's a silver box running Windows CE. It has not been chipped or modified in any way.

So this must mean a modified box is required to get tv2remotekeys.exe running and ready to accept commands on port 8082.


No, it depends, some providers have tv2remotekeys.exe enabled on their STBs... some not...

If tv2remotekeys is not enabled on your STB, you can enable it, but you'll need to patch the MS(err... now Ericsson...) bootloader...


Quote
The only other way I can think of to get tv2remotekeys.exe running on an unmodified box is to make use of the Windows CE Autorun facility and have an .exe on a usb stick that is set to run "C:\Windows\tv2remotekeys.exe". When I plug a usb stick into the BT Vision box, its light flashes, so Windows CE is reading it looking for an autorun. In fact, one of my USB sticks makes the BT Vision box freeze until I remove it.


LOL :) Easy, Cowboy... That will not work :)
I'm not even sure WinCE implements Autorun...




Quote
Or if I could get back into the secret menu and run the Ajax/CSS test and make it load a specially crafted gif/jpg to execute custom code.


You don't need that Secret Menu, just use Wireshark then load some interactive tv app from your provider... You will see tons of PNG/JPEGs...
Now, you can just set some form of dns spoofing and the STB will load your images...

VisionUser


Quote
I'm not even sure WinCE implements Autorun...


According to this website Windows CE does have autorun.

Quote
When a memory card is inserted into a Windows Mobile / Windows CE device, the OS automatically looks in a certain folder for a program named Autorun.exe. If that program is found, then it is immediately run. The folder in which the OS looks is going to depend on what type of processor the device has. For an overwhelming majority of Windows Mobile devices, that folder will be "/2577". Here is a table of the possible folder names for other Windows CE devices:

Processor   Folder Name
ARM 720   1824
Arm 820   2080
ARM 920   2336
ARM 7TDMI   70001
Hitachi SH3   10003
Hitachi SH3E   10004
Hitachi SH4   10005
Motorola 821   821
SH3   103
SH4   104
Strongarm   2577

One of my USB flash drives will cause the BT Vision box to freeze when I insert it, so the USB port is indeed being read by Windows CE and it doesn't like that particular model of USB flash drive for some reason.

Mulder3

Well, that's easy... According to http://msdn.microsoft.com/en-us/library/aa453696.aspx the folder for MIPS CPUs is 4000...

The problem is... I'm quite sure the autorun functionality is implemented by the Windows shell (explorer.exe or whatever they use on Windows Mobile)

And the STB isn't running the shell :)

VisionUser


Quote
Well, that's easy... According to http://msdn.microsoft.com/en-us/library/aa453696.aspx the folder for MIPS CPUs is 4000...

The problem is... I'm quite sure the autorun functionality is implemented by the Windows shell (explorer.exe or whatever they use on Windows Mobile)

And the STB isn't running the shell :)

When a USB flash drive is plugged into the box before boot up, the box will access the flash drive 2 times early on during the boot up process. The question is, what file is it looking for on the USB flash drive? Could it be looking for a firmware update or a file to execute?
