Wegener SMD515 IPTV

Started by merkin, 23. Jun 2011, 04:49


merkin

http://www.wegener.com/datasheets/DS_SMD515a.pdf
Attachment 1:  Picture of internals (Wegener has EVERY header (UART0, UART1/EJTAG, SCARD, etc...lucky me  ;D))
Attachment 2:  UART0 log

According to the UART log it is chip revision 0x8634:0x83 (does this mean rev. A, B, or C?)

There are 2 on-board flash memories S29GL128N labeled by silkscreen printing "BOOT" and "OPTION".   
1.  What is your best guess as to the purpose of the second flash? (just more space perhaps)

DDR0 bank is 2x VDD9616A8A-5CG
DDR1 bank is 2x VDD8616A8A-5BG

2.  Does Wegener have any obligation to release any sources based on GPL like other NMT's? 

3.  The board ID "852-E2", and I have seen people running Enigma2 on the same board ID with AZBOX...Can I also?  (without tuner support of course).  Or perhaps even Android IPTV distro?

They had no HDDs when I bought them off eBay AS IS.  But the UART0 log references "/dev/ide/host0/bus0/target0/lun0/part1 on /hdisk/media failed: No such file or directory"

Currently when I power up the unit there is no GUI or splash screen. (There should be, according to the Wegener SMD-515 datasheet linked above), however there is DEFINITELY an HDMI signal present.

All I want is to use these as a client media device or NMT, by loading some homebrew firmware.
4.  Is this possible?

I have read the forum and until today the WIKI was down so forgive my noob questions. 
Building the modchip is not a problem either, if necessary.

I guess the best question for the veterans here is....
If you personally owned this device what would you do to get video output and allow connections to my LAN's NAS?

BTW...I would even be interested in putting WinCE on here if possible.  In fact a buddy that I alpha test for is a C# guru.  Here is his project http://pvr.sichbo.ca/.  If I can get the M$ bootloader going he will develop a nice GUI or just rip off M$'s example http://www.windowsfordevices.com/c/a/News/Free-addon-outfits-Windows-CE-for-DVRs-IPSTBs/
Does anyone have a MIPS BSP.msi?  or the M$ WinCE feature pack?  My searches found nothing.

Please help and thanks in advance.

mce2222

Hi and welcome to the forum.

I looked at the UART log and I have a pretty clear picture about the firmware now.
the chip should be version 3, which is rev. B ...

1) the flash address space is usually continuous, so I am pretty sure that there are two just to get more space... 32MB to be exact

2) well, that device seems to be Linux based. They should release some sources, but I doubt that it would be of any help since those sources are available on the net anyway.

3)  the ID is from the reference board designed by Sigma, I am not sure what triggers the detection of that board type, but it doesn't mean that you can run another firmware without modifications. There is no Android version for SMP 863x... Sigma only supports SMP 864x, 865x and 867x on Android.

I don't expect that a HDD is needed to start up the box. With 32MB flash, it is very likely that the full firmware is in flash. The HDD is most likely only used as cache or for recording of IPTV content. Most IPTV boxes require a connection to a hardwired IPTV server, so that is most likely the reason why you don't get any GUI.

4) there is one possible obstacle to running your own firmware and that would be if there are vendor certificates installed in the CPU. If that were the case, then it is impossible to create a bootable flash without the correct private key. The only option in that case is to use a modchip which changes the boot code via JTAG during the init phase.
I have not seen any Linux boxes using vendor certificates yet...

from the UART log I can see that they use some kind of modified sigma-zboot bootloader. The standard bootloader has an option to stop the boot phase via UART and get a prompt, but this seems to be removed. Which means that there is no easy way of getting into the system.
I would recommend dumping the flash with JTAG just to verify whether they use the standard SDK keys for signing the bootloader.
If that is the case, then you could create a standard firmware + bootloader with the Sigma SDK and flash that to the box.

the only problem is a usable software which runs on top of the Linux. The Sigma SDK only has some sample apps and movie-player that does not have a real GUI.
The AZBOX firmware sources were leaked some weeks ago, so it would be possible to adjust the sources to your box and use that.

WinCE is indeed another option. The Sigma WinCE 6.0 BSP can be found on the net, but the WinCE drivers do have limited hardware support. Someone here on the forum tried to get a fresh WinCE running but didn't have much success.


merkin

#2
24. Jun 2011, 06:16 Last Edit: 24. Jun 2011, 06:20 by merkin
Thanks for the help and the warm welcome

In reply to you:

1.  Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"...The flash labeled "BOOT" is in the U36 silkscreen pcb print and the "OPTION" is U35 position.  They can be offset to U24 and U23 respectively, which was odd to me.

2.  I sent an informal email to Wegener as I am not sure if they have broken the GPL or not.  Linux is not my primary OS, and the GPL is nothing but confusing to me.  I saw in the UART0 log they use smartmontools and that is GPL.  My question is: is this enough info to formally demand the sources and contact the developers of smartmontools?  If not, what obligations does Wegener have?  I understand the content is on the web, but if Wegener is in breach of the GPL then they should suffer the consequences like other NMT hardware developers running Linux.

3.  OK thank you for the info, here is my source http://developer.mips.com/sigma-8654/.  I didn't look close enough at the URL, but the article just says SMP86XX, hence my confusion.

That makes perfect sense about the absence of the GUI.  It appears the box tries to connect to the IPTV server that is hardcoded in the firmware according to the UART0 log.  BTW here are Wegener iPump IPTV media servers http://www.wegener.com/PRODUCTS/iPUMP/index.php.  No HDDs were in them upon arrival, but that doesn't mean there wasn't an HDD in there at one time.  Either way I have plenty of spare HDDs for the job.

4.  Well I will build the DCU5 cable.  I have all the parts on the bench.  Then we will see if there are vendor certs in this linux distro :-) 
I have all parts for the modchip laying around also ;-), but fingers crossed your instincts are correct for the sake of ease.

Yes I noticed that modified bootloader "FocusBoot", different from for instance AZBOX.

Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?

I will get entire dump via ejtag, but can you recommend a compatible Windows dump utility to use with the DCU5 jtag cable?

Hey this is all for fun.  Got the units off Ebay for dirt cheap.  Just happy the hardware is still functional at this point.

Okay I have WinCE6.0 from my M$ Dreamspark.com account, as well as VisualStudio 05/08/10
I NEED the BSP for WinCE6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint.  I must be missing something because my search cannot find the WinCE6.0 BSP.msi?

Let us (SichboPVR) worry about OS development.  We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

Thanks again for the wealth of information you supplied.  I am sure I will have more questions in the future.
 

mce2222


1.  Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"...The flash labeled "BOOT" is in the U36 silkscreen pcb print and the "OPTION" is U35 position.  They can be offset to U24 and U23 respectively, which was odd to me.

that is only to be flexible in regards to chip-packaging. it has no effect on the memory-offsets


2.  I sent an informal email to Wegener as I am not sure if they have broken the GPL or not.  Linux is not my primary OS, and the GPL is nothing but confusing to me.  I saw in the UART0 log they use smartmontools and that is GPL.  My question is: is this enough info to formally demand the sources and contact the developers of smartmontools?  If not, what obligations does Wegener have?  I understand the content is on the web, but if Wegener is in breach of the GPL then they should suffer the consequences like other NMT hardware developers running Linux.

currently they do not breach the GPL. They have to supply the sources of all GPL-based tools INCLUDING their modifications. But the interesting parts of the software are not GPL-based for sure, so you would only get the sources of the Linux kernel and some other system services and tools.
I would say they would be annoyed by the work they have to do to get all the sources assembled, but that's about it.



Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?


yes, I got that mixed up. the BREAK signal interrupts the YAMON auto-start sequence. But in the log there is no indication that they use the YAMON for startup.
which doesn't mean that there is no YAMON in the flash.
you should try to press and hold number-keys during startup. In the standard ZBoot, this selects different flash-partitions for booting.
It is quite common to have one flash-partition set up with YAMON to allow recovery.
maybe you are in luck.


I will get entire dump via ejtag, but can you recommend a compatible Windows dump utility to use with the DCU5 jtag cable?


sure try our bootloader dumper from the WIKI
http://www.t-hack.com/wiki/index.php/Dump_X300T_Bootloader

without parameters it will just dump the RAM where the decrypted bootloader is stored if an encrypted flash is used.


I NEED the BSP for WinCE6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint.  I must be missing something because my search cannot find the WinCE6.0 BSP.msi?


that's correct, there is source code in the BSP, but the BSP alone only makes the system boot.
there is a second WinCE package that provides DLLs for the audio/video hardware acceleration, and there are no sources for that.
I have to check if I can find a link to that package somewhere.


Let us (SichboPVR) worry about OS development.  We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

that sure looks impressive. haven't used it yet though.
would be really cool to finally see something useful done with all the research that has been done on the forum.

merkin

#4
28. Jul 2011, 19:17 Last Edit: 28. Jul 2011, 19:19 by merkin
Finally got around to dumping the bootloader.

I was getting an error with the original bootloader dumper. (It said it installed correctly, but it would not "start") (On Windows 7 x86.  Also tried enabling the legacy parallel port driver via device manager with the same result)

The C# version worked fine; however, it is very slow, as the wiki states. Averaged about 175 b/s.

1. Also does the C# version use the same parameters as the original version?

I tried
\path\to\dumptool\   /start:00000000 /length:00060000
but nothing would dump.

Creating 1 MTD partitions on "CS1+CS2":
0x00400000-0x01f00000 : "Root FileSystem"

Creating 4 MTD partitions on "Flash_CS2":
0x00400000-0x01000000 : "Flash FileSystem"
0x00000000-0x00060000 : "Bootloader"
0x00060000-0x00080000 : "Common_Area"
0x00080000-0x00400000 : "Kernel"

Creating 2 MTD partitions on "Flash_CS1":
0x00000000-0x00f00000 : "Filesystem-pt2"
0x00f00000-0x01000000 : "Flash_NVM"
Finished adding mtd devices


2. So how do I tell if the bootloader is encrypted?

Also I tried to interrupt the boot process in putty to get yamon prompt, but nothing happens.

However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?

4.  Any luck finding the WinCE BSP and driver package?  I looked everywhere for many days and cannot find it.

Thanks again

mce2222


1. Also does the C# version use the same parameters as the original version?


not sure, I have not looked at the source code, but since it is not derived from the C dumptool, I think it will not use the same parameters.



2. So how do I tell if the bootloader is encrypted?


at the beginning of the flash, which is always mapped to 0xac000000, you should find an XENV block which looks something like this:

ð....ÕkSk.úÄ.Oˆmà5ÇŽ×ï„ü..a.avclk_mux.......a.board_id."KMM3210-
A"..a.cd2_freq..ظ...a.cd4_freq.U ü...a.chip_rev.‚.4†..a.enab
le_devices.þ>....a.gpio_data.......a.gpio_dir.......a.gpio_irq_m
ap.......a.hostclk_mux.......a.irq_fall_edge_hi.......a.irq_fall
_edge_lo..À....a.irq_rise_edge_hi.ÿ.....a.irq_rise_edge_lo..Ê(ÿ.
.a.pb_cs_config.À.....a.pb_def_timing.......a.pb_timing0.......a
.pb_timing1.......a.pb_use_timing0.ü.....a.pb_use_timing1.ó.....
a.pcidev1_irq_route.......a.pcidev2_irq_route.......a.pcidev3_ir
q_route.......a.pcidev4_irq_route.......a.premux.......a.scard_5
v_pin.......a.scard_cmd_pin.......a.scard_off_pin.......a.uart0_
gpio_data.......a.uart0_gpio_dir.......a.uart0_gpio_mode.n.....a
.uart1_gpio_data.......a.uart1_gpio_dir.......a.uart1_gpio_mode.
n.....a.uart_console_port.......a.uart_used_ports.......l.cs0_si
ze.......l.cs1_size.......l.cs2_part1_offset.......l.cs2_part1_s
ize..€....l.cs2_part2_offset..€....l.cs2_part2_size..€.€..l.cs2_
part3_offset.......l.cs2_part3_size....€..l.cs2_parts.......l.cs
2_size...@...l.cs3_size.......x.boot..€....x.csf.......x.d0.cfg.
º.Aã..x.d1.cfg.º.Aã..x.ds.@.....x.dt.......x.l2rzc.......x.l2xz.
......z.boot0.......z.boot1.......z.boot2....L..z.boot3....L..z.
default_boot.......a.eth_mac."00:00:DE:AD:BE:EF"


the important pointer in this is "x.boot" which is the relative memory address of the bootloader in this memory-section

so if this points to 0x2000 then the bootloader is located at 0xac002000

the bootloader will have a header like this:

00 00 00 00 05 00 00 00  00 00 0D 00 00 00 60 13   
02 00 00 00 03 00 00 00  04 00 00 00 34 04 0D 00   
0B 00 00 FF D5 7B 3F A5  91 A1 7A 3D D9 24 BA 09
87 33 47 2E 15 2C 31 CF  75 40 36 8C 06 5B 17 D2


the interesting part here would be lines 3 and 4, since the 0x0b is the public key id. If you have the same data in lines 3 and 4, then they use the standard Sigma Developer SDK keys... that you can get from the net. So you could sign your own bootloader or you can use some existing one from other devices.

following these 4 lines will be about 0x300 bytes which is the public key chain to verify the signature of the memory block.
If the block is encrypted, then you will see just random data following. Otherwise you should notice text and areas with zeros.


Also I tried to interrupt the boot process in putty to get yamon prompt, but nothing happens.


you cannot really interrupt the boot process.



However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?


no idea, but since the root file system is mounted directly from flash
"/dev/mtdblock/1 ro"
I guess it would be quite easy to find the login if you dump the flash completely.



4.  Any luck finding the WinCE BSP and driver package?  I looked everywhere for many days and cannot find it.


I will send you a PM later with some hints.
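
As an added example (not code from this thread, Sigma or Wegener), the following Python applies the checks described in the post above to a dumped block: the key id byte at the start of header line 3, a comparison of lines 3 and 4 against the SDK header printed above, and an entropy heuristic for the "random data vs. text and zeros" distinction. The header bytes are the ones shown in the post; the two sample dumps are constructed, and the 0x300 key-chain length, the 4096-byte sample window and the 7.5-bit threshold are assumptions.

```python
import math
import random
from collections import Counter

FLASH_BASE = 0xAC000000   # flash window base given in the post
HEADER_LEN = 64           # the four 16-byte header lines shown in the post
KEY_ID_OFFSET = 32        # first byte of header line 3 = public key id
KEY_CHAIN_LEN = 0x300     # "about 0x300 bytes" of key chain (assumption: exact)
SDK_KEY_ID = 0x0B         # key id in the SDK-signed header from the post

# Header lines 1-4 exactly as printed in the post (Sigma Developer SDK keys).
SDK_HEADER = bytes.fromhex(
    "0000000005000000" "00000D0000006013"
    "0200000003000000" "0400000034040D00"
    "0B0000FFD57B3FA5" "91A17A3DD924BA09"
    "8733472E152C31CF" "7540368C065B17D2"
)

def boot_address(x_boot: int) -> int:
    """Absolute address of the bootloader from the XENV 'x.boot' pointer."""
    return FLASH_BASE + x_boot

def key_id(block: bytes) -> int:
    return block[KEY_ID_OFFSET]

def uses_sdk_keys(block: bytes) -> bool:
    """True when header lines 3 and 4 match the SDK header from the post."""
    return block[KEY_ID_OFFSET:HEADER_LEN] == SDK_HEADER[KEY_ID_OFFSET:HEADER_LEN]

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def payload_looks_encrypted(block: bytes, sample: int = 4096) -> bool:
    """Ciphertext is near-uniform (close to 8 bits/byte); plaintext code has
    strings and zero runs, so its entropy is far lower. 7.5 is a heuristic."""
    start = HEADER_LEN + KEY_CHAIN_LEN
    return shannon_entropy(block[start:start + sample]) > 7.5

def classify(block: bytes) -> dict:
    return {"key_id": key_id(block), "sdk_keys": uses_sdk_keys(block),
            "encrypted": payload_looks_encrypted(block)}

# Constructed sample dumps (not real device data).
_plain_payload = (b"zboot: loading kernel\x00" * 64).ljust(4096, b"\x00")
SDK_PLAIN_BLOCK = SDK_HEADER + bytes(KEY_CHAIN_LEN) + _plain_payload
_rng = random.Random(2011)
VENDOR_ENC_BLOCK = (SDK_HEADER[:KEY_ID_OFFSET] + bytes([0x14]) + _rng.randbytes(31)
                    + _rng.randbytes(KEY_CHAIN_LEN) + _rng.randbytes(4096))

if __name__ == "__main__":
    print(hex(boot_address(0x2000)))  # 0xac002000, the example from the post
    for name, blk in (("sdk/plain", SDK_PLAIN_BLOCK), ("vendor/encrypted", VENDOR_ENC_BLOCK)):
        print(name, classify(blk))
```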

merkin

Can you confirm that the bootloader is encrypted with vendor certs?  I don't know if I am looking at the correct x.boot pointer.


mce2222

the bootloader is at 0x020000
it references certificate 0x14 ... and that is not an id of the SDK certificates, so it is for sure some vendor certificate.

merkin

Quote from: mce2222

However after the UART log stops, I can hit "enter" key, and I am asked for username and password to login.

3.  Do you have any idea what the login credentials may be?


no idea, but since the root file system is mounted directly from flash
"/dev/mtdblock/1 ro"
I guess it would be quite easy to find the login if you dump the flash completely.

decided to dump the entire firmware and try this.  installed binwalk and analyzed. appears to be JFFS2 and it's LZMA compressed.
can you help with next step?

merkin

Ok mounted JFFS2 file system
http://rapidshare.com/files/1104149096/smd515_jffs2.tar.gz
/etc/passwd and /etc/shadow are in the archive.

I tried this app http://www.golubev.com/hashgpu.htm with gtx460 to crack the md5 hash. 


Here is copy of firmware.
http://rapidshare.com/files/373084072/smd515_firm.zip

Any other way to get root password?

merkin

Turns out the password is hashed with md5crypt.  Gonna take a while to crack it.

Can also just change the hash to a known password, then remake jffs2 and add it back to firmware image.  But CRC checks or signed image will probably make it fail.

asgard


Turns out the password is hashed with md5crypt.  Gonna take a while to crack it.


i'm trying it with hashcat (http://hashcat.net)

merkin

I also moved on to hashcat instead.  This pass is hashed with md5crypt, which is 1000 iterations of md5. 
Are you trying bruteforce or dictionary attack?

Decided to edit the etc/shadow file according to here
http://www.thaivisa.com/forum/topic/620644-dreambox-500s-problem/?p=6134586

But login does not work still. :(

Maybe I need to change the ssh config to allow root login?  But no ssh config exists in the file system.  The set-top uses busybox with dropbear for ssh.

I also need to try this new hash with 'dreambox' password from uart console.

merkin



Turns out the password is hashed with md5crypt.  Gonna take a while to crack it.


i'm trying it with hashcat (http://hashcat.net)


someone on hashcat IRC cracked it...
$1$$ca/TeYtIqHqWO6VxOfbvN.:7365126  :)

I AM IN!!!

asgard

same here  ;D

Session.Name...: cudaHascat-plus
Status.........: Cracked
Input.Mode.....: Mask (?1?1?1?1?1?1?1)
Hash.Target....: $1$$ca/TeYtIqHqWO6VxOfbvN.
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Wed Mar 06 08:06:50 2013 (1 day, 19 hours)
Speed.GPU.#1...:   195.4k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 13121454080/78364164096 (16.74%)
Rejected.......: 0/13121454080 (0.00%)
HWMon.GPU.#1...:  0% Util, 49c Temp, N/A Fan

Started: Wed Mar 06 08:06:50 2013
Stopped: Fri Mar 08 07:05:57 2013
