26. Jun 2019, 15:32

## Wegener SMD515 IPTV

Started by merkin, 23. Jun 2011, 04:49

#### merkin

##### 23. Jun 2011, 04:49
http://www.wegener.com/datasheets/DS_SMD515a.pdf
Attachment 1: Picture of internals (Wegener has EVERY header: UART0, UART1/EJTAG, SCARD, etc... lucky me)
Attachment 2: UART0 log

According to the UART log it is chip revision 0x8634:0x83 (does this mean rev. A, B, or C?)

There are 2 on-board flash memories (S29GL128N) labeled by silkscreen printing "BOOT" and "OPTION".
1. What is your best guess as to the purpose of the second flash? (just more space perhaps)

DDR0 bank is 2x VDD9616A8A-5CG
DDR1 bank is 2x VDD8616A8A-5BG

2. Does Wegener have any obligation to release any sources based on the GPL like other NMTs?

3. The board ID is "852-E2", and I have seen people running Enigma2 on the same board ID with AZBOX... Can I also? (without tuner support of course). Or perhaps even an Android IPTV distro?

They had no HDDs when I bought them off Ebay AS IS. But the UART0 log references "/dev/ide/host0/bus0/target0/lun0/part1 on /hdisk/media failed: No such file or directory"

Currently when I power up the unit there is no GUI or splash screen. (There should be according to the Wegener SMD-515 datasheet linked above.) However there is DEFINITELY an HDMI signal present.

All I want is to use these as a client media device or NMT, by loading some homebrew firmware.
4. Is this possible?

I have read the forum, and until today the WIKI was down, so forgive my noob questions.
Building the modchip is not a problem either, if necessary.

I guess the best question for the veterans here is...
If you personally owned this device, what would you do to get video output and allow connections to my LAN's NAS?

BTW... I would even be interested in putting WinCE on here if possible. In fact a buddy that I alpha test for is a C# guru. Here is his project http://pvr.sichbo.ca/. If I can get the M$ bootloader going he will develop a nice GUI or just rip off M$'s example http://www.windowsfordevices.com/c/a/News/Free-addon-outfits-Windows-CE-for-DVRs-IPSTBs/
Does anyone have a MIPS BSP.msi? Or the M$ WinCE feature pack? My searches found nothing. Please help and thanks in advance.

#### mce2222

#1
##### 23. Jun 2011, 21:13

Hi and welcome to the forum.

I looked at the UART log and I have a pretty clear picture about the firmware now. The chip should be version 3 which is rev. B...

1) The flash address space is usually continuous, so I am pretty sure that there are two just to get more space... 32MB to be exact.

2) Well, that device seems to be Linux based. They should release some sources, but I doubt that it would be of any help since those sources are available on the net anyway.

3) The ID is from the reference board designed by Sigma. I am not sure what triggers the detection of that board type, but it doesn't mean that you can run another firmware without modifications. There is no Android version for SMP 863x... Sigma only supports SMP 864x, 865x and 867x on Android.

I don't expect that a HDD is needed to start up the box. With 32MB flash, it is very likely that the full firmware is in flash. The HDD is most likely only used as cache or for recording of IPTV content. Most IPTV boxes require a connection to a hardwired IPTV server, so that is most likely the reason why you don't get any GUI.

4) There is one possible obstacle to running your own firmware and that would be if there are vendor certificates installed in the CPU. If that were the case, then it is impossible to create a bootable flash without the correct private key. The only option in that case is to use a modchip which changes the boot code via JTAG during the init phase. I have not seen any Linux boxes using vendor certificates yet...

From the UART log I can see that they use some kind of modified sigma-zboot bootloader. The standard bootloader has an option to stop the boot phase via UART and get a prompt, but this seems to be removed. Which means that there is no easy way of getting into the system.

I would recommend dumping the flash with JTAG just to verify if they use the standard SDK keys for signing the bootloader. If that is the case, then you could create a standard firmware + bootloader with the Sigma SDK and flash that to the box. The only problem is usable software which runs on top of the Linux. The Sigma SDK only has some sample apps and a movie player that does not have a real GUI. The AZBOX firmware sources were leaked some weeks ago, so it would be possible to adjust the sources to your box and use that.

WinCE is indeed another option. The Sigma WinCE 6.0 BSP can be found on the net, but the WinCE drivers do have limited hardware support. Someone here on the forum tried to get a fresh WinCE running but didn't have much success.

#### merkin

#2
##### 24. Jun 2011, 06:16
Last Edit: 24. Jun 2011, 06:20 by merkin

Thanks for the help and the warm welcome. In reply to you:

1. Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"... The flash labeled "BOOT" is in the U36 silkscreen PCB print and the "OPTION" is U35 position. They can be offset to U24 and U23 respectively, which was odd to me.

2. I sent an informal email to Wegener as I am not sure if they have broken the GPL or not. Linux is not my primary OS, and the GPL is nothing but confusing to me. I saw in the UART0 log they use Smartmontools and that is GPL. My question is: is this enough info to formally demand the sources and contact the developers of Smartmontools? If not, what obligations does Wegener have? I understand the content is on the web, but if Wegener is in breach of the GPL then they should suffer the consequences like other NMT hardware developers running Linux.

3. OK thank you for the info, here is my source http://developer.mips.com/sigma-8654/. I didn't look close enough at the URL, but the article just says SMP86XX, hence my confusion. That makes perfect sense about the absence of the GUI.

It appears the box tries to connect to the IPTV server that is hardcoded in the firmware according to the UART0 log. BTW here are the Wegener iPump IPTV media servers http://www.wegener.com/PRODUCTS/iPUMP/index.php. No HDDs were in them upon arrival, but that doesn't mean there wasn't an HDD in there at one time. Either way I have plenty of spare HDDs for the job.

4. Well I will build the DCU5 cable. I have all the parts on the bench. Then we will see if there are vendor certs in this Linux distro :-) I have all parts for the modchip laying around also ;-), but fingers crossed your instincts are correct for the sake of ease.

Yes I noticed that modified bootloader "FocusBoot", different from for instance AZBOX. Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?

I will get the entire dump via EJTAG, but can you recommend a compatible Windows dump utility to use with the DCU5 JTAG cable?

Hey this is all for fun. Got the units off Ebay for dirt cheap. Just happy the hardware is still functional at this point.

Okay I have WinCE 6.0 from my M$ Dreamspark.com account, as well as Visual Studio 05/08/10.
I NEED the BSP for WinCE 6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint.  I must be missing something because my search cannot find the WinCE6.0 BSP.msi?

Let us (SichboPVR) worry about OS development.  We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

Thanks again for the wealth of information you supplied.  I am sure I will have more questions in the future.

#### mce2222

#3
##### 24. Jun 2011, 09:13

Quote from: merkin

1. Yes I agree, but if you zoom in on the two flashes you can see they have "offsets"... The flash labeled "BOOT" is in the U36 silkscreen PCB print and the "OPTION" is U35 position. They can be offset to U24 and U23 respectively, which was odd to me.

That is only to be flexible in regard to chip packaging. It has no effect on the memory offsets.

Quote from: merkin

2. I sent an informal email to Wegener as I am not sure if they have broken the GPL or not. Linux is not my primary OS, and the GPL is nothing but confusing to me. I saw in the UART0 log they use Smartmontools and that is GPL. My question is: is this enough info to formally demand the sources and contact the developers of Smartmontools? If not, what obligations does Wegener have? I understand the content is on the web, but if Wegener is in breach of the GPL then they should suffer the consequences like other NMT hardware developers running Linux.

Currently they do not breach the GPL. They have to supply the sources of all GPL-based tools INCLUDING their modifications. But the interesting parts of the software are not GPL based for sure, so you would only get the sources of the Linux kernel and some other system services and tools.
I would say they would be annoyed by the work they have to do to get all the sources assembled, but that's about it.

Quote from: merkin

Are you referring to YAMON when you say stopping the standard bootloader? Can't I just "Ctrl-C"?

Yes, I got that mixed up. The BREAK signal interrupts the YAMON auto-start sequence. But in the log there is no indication that they use YAMON for startup,
which doesn't mean that there is no YAMON in the flash.
You should try to press and hold number keys during startup. In the standard ZBoot, this selects different flash partitions for booting.
It is quite common to have one flash partition set up with YAMON to allow recovery.
Maybe you are in luck.

Quote from: merkin

I will get the entire dump via EJTAG, but can you recommend a compatible Windows dump utility to use with the DCU5 JTAG cable?

Sure, try our bootloader dumper from the WIKI.

Without parameters it will just dump the RAM where the decrypted bootloader is stored if an encrypted flash is used.

Quote from: merkin

I NEED the BSP for WinCE 6.0 as referenced in the Sigma SDK. The SDK even says Sigma provides the source code of the BSP.

Please throw me a hint. I must be missing something because my search cannot find the WinCE 6.0 BSP.msi?

That's correct, there is source code in the BSP, but the BSP alone only makes the system boot.
There is a second WinCE package that provides DLLs for the audio/video hardware acceleration, and there are no sources for that.
I have to check if I can find a link to that package somewhere.

Quote from: merkin

Let us (SichboPVR) worry about OS development. We just need all the tools and the BSP.msi is the ONLY missing link!

Sichbo can make one hell of a C# GUI, just check out SichboPVR.

That sure looks impressive. Haven't used it yet though.
Would be really cool to finally see something useful done with all the research that has been done on the forum.

#### merkin

#4
##### 28. Jul 2011, 19:17
Last Edit: 28. Jul 2011, 19:19 by merkin
Finally got around to dumping the bootloader.

I was getting an error with the original bootloader. (It said it installed correctly, but it would not "start".) (On Windows 7 x86. Also tried enabling the legacy parallel port driver via device manager with the same result.)

The C# version worked fine however it is very slow as the wiki states. Averaged about 175 b/s.

1. Also, does the C# version use the same parameters as the original version?

I tried

```
\path\to\dumptool\   /start:00000000 /length:00060000
```

but nothing would dump.

```
Creating 1 MTD partitions on "CS1+CS2":
0x00400000-0x01f00000 : "Root FileSystem"
Creating 4 MTD partitions on "Flash_CS2":
0x00400000-0x01000000 : "Flash FileSystem"
0x00000000-0x00060000 : "Bootloader"
0x00060000-0x00080000 : "Common_Area"
0x00080000-0x00400000 : "Kernel"
Creating 2 MTD partitions on "Flash_CS1":
0x00000000-0x00f00000 : "Filesystem-pt2"
0x00f00000-0x01000000 : "Flash_NVM"
Finished adding mtd devices
```

2. So how do I tell if the bootloader is encrypted?

Also I tried to interrupt the boot process in putty to get yamon prompt, but nothing happens.

3.  Do you have any idea what the login credentials may be?

4.  Any luck finding the WinCE BSP and driver package?  I looked everywhere for many days and cannot find it.

Thanks again

#### mce2222

#5
##### 29. Jul 2011, 21:04

Quote from: merkin

1. Also, does the C# version use the same parameters as the original version?

Not sure, I have not looked at the source code, but since it is not derived from the C dumptool, I think it will not use the same parameters.

Quote from: merkin

2. So how do I tell if the bootloader is encrypted?

At the beginning of the flash, which is always mapped to 0xac000000, you should find an XENV block which looks something like this:

```
   ð....ÕkSk.úÄ.Oˆmà5ÇŽ×ï„ü..a.avclk_mux.......a.board_id."KMM3210-A"..a.cd2_freq..Ø¸...a.cd4_freq.U ü...a.chip_rev.‚.4†..a.enable_devices.þ>....a.gpio_data.......a.gpio_dir.......a.gpio_irq_map.......a.hostclk_mux.......a.irq_fall_edge_hi.......a.irq_fall_edge_lo..À....a.irq_rise_edge_hi.ÿ.....a.irq_rise_edge_lo..Ê(ÿ..a.pb_cs_config.À.....a.pb_def_timing.......a.pb_timing0.......a.pb_timing1.......a.pb_use_timing0.ü.....a.pb_use_timing1.ó.....a.pcidev1_irq_route.......a.pcidev2_irq_route.......a.pcidev3_irq_route.......a.pcidev4_irq_route.......a.premux.......a.scard_5v_pin.......a.scard_cmd_pin.......a.scard_off_pin.......a.uart0_gpio_data.......a.uart0_gpio_dir.......a.uart0_gpio_mode.n.....a.uart1_gpio_data.......a.uart1_gpio_dir.......a.uart1_gpio_mode.n.....a.uart_console_port.......a.uart_used_ports.......l.cs0_size.......l.cs1_size.......l.cs2_part1_offset.......l.cs2_part1_size..€....l.cs2_part2_offset..€....l.cs2_part2_size..€.€..l.cs2_part3_offset.......l.cs2_part3_size....€..l.cs2_parts.......l.cs2_size...@...l.cs3_size.......x.boot..€....x.csf.......x.d0.cfg.º.Aã..x.d1.cfg.º.Aã..x.ds.@.....x.dt.......x.l2rzc.......x.l2xz.......z.boot0.......z.boot1.......z.boot2....L..z.boot3....L..z.default_boot.......a.eth_mac."00:00:DE:AD:BE:EF"
```

The important pointer in this is "x.boot", which is the relative memory address of the bootloader in this memory section.

So if this points to 0x2000, then the bootloader is located at 0xac002000.

```
00 00 00 00 05 00 00 00  00 00 0D 00 00 00 60 13
02 00 00 00 03 00 00 00  04 00 00 00 34 04 0D 00
0B 00 00 FF D5 7B 3F A5  91 A1 7A 3D D9 24 BA 09
87 33 47 2E 15 2C 31 CF  75 40 36 8C 06 5B 17 D2
```

The interesting part here would be lines 3 and 4, since the 0x0b is the public key id. If you have the same data in lines 3 and 4, then
they use the standard Sigma Developer SDK keys... that you can get from the net. So you could sign your own bootloader or you can use some existing one from other devices.

Following these 4 lines will be about 0x300 bytes which is the public key chain to verify the signature of the memory block.
If the block is encrypted, then you will see just random data following. Otherwise you should notice texts and areas with zeros.

Quote from: merkin

Also I tried to interrupt the boot process in putty to get the YAMON prompt, but nothing happens.

You cannot really interrupt the boot process.

Quote from: merkin

3. Do you have any idea what the login credentials may be?

No idea, but since the root file system is mounted directly from flash ("/dev/mtdblock/1 ro"), I guess it would be quite easy to find the login if you dump the flash completely.

Quote from: merkin

4. Any luck finding the WinCE BSP and driver package? I looked everywhere for many days and cannot find it.

I will send you a PM later with some hints.
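An added check, not from the thread or from Sigma's tools, that applies the reading above to a dump: it pulls the key id at offset 0x20, compares lines 3 and 4 with the bytes quoted in the post, and judges from byte entropy whether the data after the 0x300-byte key chain is encrypted (random-looking) or plain (text and zero runs). The offsets follow the post; the 7.5 bits/byte threshold and the two sample dumps are my own assumptions.

```python
import math
from typing import Dict

# The 64-byte block quoted in the post above, as read there: the byte at 0x20
# (first byte of "line 3") is the signing-key id, 0x0b, and matching bytes in
# lines 3 and 4 mean the standard Sigma SDK keys were used.
SDK_REFERENCE_HEADER = bytes.fromhex(
    "00 00 00 00 05 00 00 00 00 00 0D 00 00 00 60 13"
    "02 00 00 00 03 00 00 00 04 00 00 00 34 04 0D 00"
    "0B 00 00 FF D5 7B 3F A5 91 A1 7A 3D D9 24 BA 09"
    "87 33 47 2E 15 2C 31 CF 75 40 36 8C 06 5B 17 D2")
KEY_ID_OFFSET = 0x20
HEADER_LEN = 0x40
KEYCHAIN_LEN = 0x300       # public key chain that follows the header (per the post)
ENCRYPTED_THRESHOLD = 7.5  # assumed cut-off: bits/byte above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for random-looking data, low for text/zeros."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def inspect_bootloader_block(block: bytes) -> Dict[str, object]:
    """Key id, whether lines 3-4 match the SDK reference, and payload entropy."""
    if len(block) < HEADER_LEN:
        raise ValueError("need at least the 64-byte signature header")
    key_id = block[KEY_ID_OFFSET]
    sdk_key = block[KEY_ID_OFFSET:HEADER_LEN] == SDK_REFERENCE_HEADER[KEY_ID_OFFSET:HEADER_LEN]
    payload = block[HEADER_LEN + KEYCHAIN_LEN:][:4096]
    entropy = shannon_entropy(payload)
    return {
        "key_id": key_id,
        "sdk_key": sdk_key,
        # a public SDK key means anyone with the SDK can sign a replacement bootloader
        "risk": "default SDK signing key" if sdk_key else f"vendor key 0x{key_id:02x}",
        "payload_entropy": round(entropy, 2),
        "payload_looks_encrypted": entropy > ENCRYPTED_THRESHOLD,
    }


# Constructed test dumps (not real flash contents): an unencrypted block signed
# with the SDK key, and a vendor-keyed block (key id 0x14, the vendor certificate
# id mentioned later in the thread) whose payload is uniformly distributed bytes.
PLAINTEXT_SDK_BLOCK = (SDK_REFERENCE_HEADER + bytes(KEYCHAIN_LEN)
                       + (b"zboot\0" + bytes(58)) * 16)
VENDOR_ENCRYPTED_BLOCK = (SDK_REFERENCE_HEADER[:KEY_ID_OFFSET] + bytes([0x14]) + bytes(31)
                          + bytes(KEYCHAIN_LEN) + bytes(range(256)) * 4)

if __name__ == "__main__":
    for name in ("PLAINTEXT_SDK_BLOCK", "VENDOR_ENCRYPTED_BLOCK"):
        print(name, inspect_bootloader_block(globals()[name]))
```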

#### merkin

#6
##### 05. Aug 2011, 05:40
Can you confirm that the bootloader is encrypted with vendor certs? I don't know if I am looking at the correct x.boot pointer.

#### mce2222

#7
##### 08. Aug 2011, 00:33
It references certificate 0x14... and that is not an id of the SDK certificates, so it is for sure some vendor certificate.

#### merkin

#8
##### 28. Feb 2013, 05:42
Quote from: mce2222

3.  Do you have any idea what the login credentials may be?

no idea, but since the root file system is mounted directly from flash
"/dev/mtdblock/1 ro"
I guess it would be quite easy to find the login if you dump the flash completely.

Decided to dump the entire firmware and try this. Installed binwalk and analyzed. Appears to be JFFS2 and it's LZMA compressed.
Can you help with the next step?

#### merkin

#9
##### 03. Mar 2013, 01:21
OK, mounted the JFFS2 file system:
http://rapidshare.com/files/1104149096/smd515_jffs2.tar.gz
/etc/passwd and /etc/shadow are in the archive.

I tried this app http://www.golubev.com/hashgpu.htm with a GTX 460 to crack the MD5 hash.

Here is a copy of the firmware:
http://rapidshare.com/files/373084072/smd515_firm.zip

Any other way to get the root password?

#### merkin

#10
##### 03. Mar 2013, 19:08
Turns out the password is hashed with md5crypt. Gonna take a while to crack it.

I can also just change the hash to a known password, then remake the JFFS2 and add it back to the firmware image. But CRC checks or a signed image will probably make it fail.

#### asgard

#11
##### 05. Mar 2013, 08:26

Quote from: merkin

Turns out the password is hashed with md5crypt. Gonna take a while to crack it.

I'm trying it with hashcat (http://hashcat.net)

#### merkin

#12
##### 07. Mar 2013, 00:25
I also moved on to hashcat instead. This pass is hashed with md5crypt, which is 1000 iterations of MD5.
Are you trying a brute-force or a dictionary attack?

Decided to edit the etc/shadow file according to here:
http://www.thaivisa.com/forum/topic/620644-dreambox-500s-problem/?p=6134586

But login still does not work.

Maybe I need to change the SSH config to allow root login? But no SSH config exists in the file system. The set-top uses BusyBox with Dropbear for SSH.

I also need to try this new hash with the 'dreambox' password from the UART console.

#### merkin

#13
##### 08. Mar 2013, 00:11

Quote from: asgard

Turns out the password is hashed with md5crypt. Gonna take a while to crack it.

I'm trying it with hashcat (http://hashcat.net)

Someone on hashcat IRC cracked it...

```
$1$$ca/TeYtIqHqWO6VxOfbvN.:7365126
```

I AM IN!!!

#### asgard

#14
##### 08. Mar 2013, 14:05
Same here:

```
Session.Name...: cudaHascat-plus
Status.........: Cracked
Input.Mode.....: Mask (?1?1?1?1?1?1?1)
Hash.Target....: $1$$ca/TeYtIqHqWO6VxOfbvN.
Hash.Type......: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Time.Started...: Wed Mar 06 08:06:50 2013 (1 day, 19 hours)
Speed.GPU.#1...:   195.4k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 13121454080/78364164096 (16.74%)
Rejected.......: 0/13121454080 (0.00%)
HWMon.GPU.#1...:  0% Util, 49c Temp, N/A Fan

Started: Wed Mar 06 08:06:50 2013
Stopped: Fri Mar 08 07:05:57 2013
```
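As an added example, not from the thread: a small audit of a shadow file pulled from a dumped rootfs that flags the password-storage weaknesses this thread ran into, namely the md5crypt ($1$) scheme and the empty salt in the root hash above (which is why a 7-character mask fell in under two GPU-days). The scheme table and severity ratings are my own; every sample entry except root is constructed.

```python
from typing import Dict, NamedTuple

# Constructed sample. The root entry carries the md5crypt hash recovered from the
# SMD515 JFFS2 rootfs in this thread (note the empty salt between the two '$');
# the other entries are made up to exercise the remaining cases.
SAMPLE_SHADOW = """\
root:$1$$ca/TeYtIqHqWO6VxOfbvN.:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
svc::15000:0:99999:7:::
admin:$6$rounds=50000$Qx9zLm2pT1uVwXyZ$NOTAREALDIGEST0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ:15000:0:99999:7:::
"""
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}      # crypt(3) identifiers
# md5crypt is a fixed 1000 MD5 rounds, descrypt is DES with a 12-bit salt: GPU-crackable
WEAK_SCHEMES = {"md5crypt", "descrypt"}
Finding = NamedTuple("Finding", [("user", str), ("scheme", str), ("salt", str),
                                 ("severity", str), ("reason", str)])


def classify(user: str, field: str) -> Finding:
    """Classify one shadow password field into scheme, salt and severity."""
    if field == "":
        return Finding(user, "none", "", "high", "empty field: login needs no password")
    if field.startswith(("*", "!")):
        return Finding(user, "locked", "", "info", "account locked, no usable hash")
    if field.startswith("$"):
        parts = field.split("$")          # ['', ident, (rounds=N,) salt, digest]
        ident = parts[1] if len(parts) > 1 else ""
        if ident not in SCHEMES:
            return Finding(user, "unknown", "", "high", f"unrecognised identifier ${ident}$")
        scheme = SCHEMES[ident]
        if scheme == "bcrypt":            # $2b$cost$<22-char salt><31-char digest>
            salt = parts[3][:22] if len(parts) > 3 else ""
        else:
            rest = [p for p in parts[2:] if not p.startswith("rounds=")]
            salt = rest[0] if len(rest) >= 2 else ""
    elif len(field) == 13:
        scheme, salt = "descrypt", field[:2]
    else:
        return Finding(user, "malformed", "", "high", "unrecognised password field")
    if scheme in WEAK_SCHEMES:
        reason = f"{scheme} is fast to brute-force on GPUs"
        if salt == "":
            reason += "; empty salt, so one precomputed table covers every such hash"
        return Finding(user, scheme, salt, "high", reason)
    return Finding(user, scheme, salt, "low", "slow, salted adaptive hash")


def audit_shadow(text: str) -> Dict[str, Finding]:
    """Parse shadow-format text and return one Finding per user."""
    findings: Dict[str, Finding] = {}
    for line in text.splitlines():
        cols = line.split(":")
        if len(cols) >= 2 and not line.startswith("#"):
            findings[cols[0]] = classify(cols[0], cols[1])
    return findings
```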
