t-hack.com - Hack X300T / X301T - User contributions [en]

Remote Debugging

2008-09-09T17:37:20Z

Is0-mick:

Copy these files to the box.
they need to go into the folder
\hard disk\win

[win.rar:http://www.t-hack.com/wiki/images/7/72/Win.rar]

Remote Debugging

2008-09-09T17:36:47Z

Is0-mick:

Copy these files to the box.
they need to go into the folder
\hard disk\win

[http://www.t-hack.com/wiki/images/7/72/Win.rar]

File:Win.rar

2008-09-09T17:35:37Z

Is0-mick: debug files

debug files

Remote Debugging

2008-09-09T17:34:43Z

Is0-mick: New page: Copy these files to the box. they need to go into the folder \hard disk\win

Copy these files to the box.
they need to go into the folder
\hard disk\win

Main Page

2008-09-09T17:34:05Z

Is0-mick: /* Software */

__NOTOC__

<big>'''Willkommen zum Wiki von t-hack.com'''</big>

Das t-hack.com - Projekt wurde am 14. Dezember 2007 ins Leben gerufen, um eine alternative Software für die Multimedia-Box X300T bzw. X301T zu entwickeln bzw. die originale zu verbessern ;)

'''Das Wiki ist zum Schutz vor Spambots nur von registrierten Usern nutzbar.'''

'''You are able to upload files with following extension:
png, gif, jpg, jpeg, zip, rar, pdf, ace'''

Besuchen Sie auch das [http://www.t-hack.com/forum t-hack-Forum]

The hardware seems very similar to the Philips DIT9719, which is widely available in the UK as the BT Vision box. With luck a bit of common effort will get a usable system.
== Momentaner Status (August 2008)==
'''Linux'''
* Linux kann auf der Box gebootet werden, da aber immernoch keine Microcodes geladen werden können macht das wenig Sinn (Keine Ausgabe von Bild/Ton möglich).

'''Windows CE'''
* Es ist möglich eigene native Anwendungen als auch .net-basierende Anwendungen auf der Box auszuführen und mit MSVC2005 zu debuggen.

Konkret heisst das : Beliebigen eigenen Code auf der Box ausführen !

Keine der Änderungen sind ohne "Modchip" permanent, jegliche Modifikationen setzen das Löten an der Box und das zumindest einmalige Ausbauen der Festplatte voraus !

== Hardware ==
*[[Versions X300T/X301T]]
*[[SMP8634]]
*[[Picture]]
*[[Schematic/Boardlayout]]
*[[eJTAG|eJTAG on PCB]]
*[[eJTAG on SMP]]
*[[UART0|Serial Debug Port]]
*[[Display]]

==Software==
*[[Tools]]
**[[Dump X300T Bootloader]]
**[[Disable X300T Signature Check]]
**[[Upload YAMON]]
**[[NK.BIN_toolset]]
**[[MakeNK]]
**[[Download Update Files]]
**[[NK.BIN Patcher]]
**[[Debug Files for remote debugging]]
*[[Boot Process]]
*[[Bootstrap-Message]]
*[[HDD-Layout]]
*[[Network-Bootstrap]]
*[[TV2ClientCE.exe]]
*[[BooterCE.exe]]
*[[TFTP]]
===WinCE===
*[[Disable TrustModel]]

===Linux===
*[[Toolchain]]
*[[Howto boot Linux]]
*[[Setup NFS-Root-Filesystem]]
*[[fli4l]]
**[[Grundinformationen]]
**[[Wir legen los]]
**[[Konfiguration anpassen]]
**[[Wichtige Links]]
**[[ein Wort in eigener Sache]]
 
*[[some additional output regarding Linux]]

==Filesystem==
*[[NK.BIN]]

==Unsorted information==
*[[Bootlog??|Bootlog of Beta X300T]]
*[[x300tBeta|Flash dump of Beta X300T]]
*[[Workaround, damit mehrere Settopboxen im Netz sind und die Timeshift-Funktion erhalten bleibt]]
*[[PKG.DIR]]

Disable TrustModel

2008-08-10T19:10:33Z

Is0-mick: /* to to fix it */

==WinCE Trust Model==
The WinCE Kernel has an option to verify exe and dll files before they are allowed to start.

since IPTV firmware 1.2.xxxx this has been enabled. Although they screwed up the verification ;)

it is even metioned in the source code of loader.c of the kernel.

// for files in ROM -- fully trusted unless specified otherwise in the flag
// NOTE: we perform the test before testing pOEMLoadInit/pOEMLoadModule so
// OEM can have a close system with trusted model without implementing
// pOEMLoadInit/pOEMLoadModule. However, if an OEM has RAM filesys, he
// must implement the functions or files in RAM will be fully trusted.

this basically means that any file can be executed when /windows is writeable.
but the space in /windows folder is too limited for bigger applications and it wastes precious RAM.

==how it works==
when the kernel wants to load a binary, it calls the VerifyBinary() method.
the VerifyBinary() method in the nk.exe calls the CertVerify() method of filesys.exe which forwards
the call to certmod.dll CertVerify() if that exists.

when all these calls returned without error, then the binary is actually loaded and executed.

certmod.dll was added in IPTV firmware 1.2.

==to to fix it==
the trust model can be easily killed.
either certmod.dll, filesys.exe or nk.exe can be patched.

patching nk.exe is the easiest, because it is stored uncompressed in the nk.bin.

the VerifyBinary() method can be found with IDA Pro when searching for

li $v0, 0x80090006

the constant is NTE_BAD_SIGNATURE, which is returned when the binary is untrusted.

first part to be patched is found at the beginning of the method:
.text:91E08CC8 sw $s4, 0x450+arg_C($sp)
.text:91E08CCC sw $s5, 0x450+arg_8($sp)
.text:91E08CD0 move $s7, $a1
.text:91E08CD4 andi $v1, $v0, 2
.text:91E08CD8 beqz $v1, loc_91E08D58 // <--- this jumps to the Kernel Flag check
.text:91E08CDC sw $0, 0x450+var_430($sp)
the "beqz" needs to be changed to a "b" so that we always get to the kernel flag check

so this is the kernel flag check:
.text:91E08D58 loc_91E08D58: # CODE XREF: VerifyBinary+4C�j
.text:91E08D58 li $v0, 0x91E0101C
.text:91E08D60 lw $t3, 0($v0)
.text:91E08D64 lw $t4, 0x34($t3)
.text:91E08D68 andi $t5, $t4, 0x10
.text:91E08D6C beqz $t5, loc_91E08D80 // binary doesnt have Kernel flag so jump to next check
.text:91E08D70 nop
.text:91E08D74 li $t6, 1 // binary has Kernel Flag, so KERN_TRUST_RUN is set
.text:91E08D78 b loc_91E08EF8 // and jump to exit code
.text:91E08D7C sb $t6, 0($s5)

here we only need to "nop" out the beqz, so that all binaries get kernel permissions :)
to make things even better, the "li $t6, 1" should be changed to "li $t6, 2" which means the
binary gets KERN_TRUST_FULL permissions (the highest trust level)

this is work in progress. I just wanted to write stuff down

Program to patch the NK.BIN and fix the checksum
**[[NK.BIN Patcher]]

Main Page

2008-08-10T19:09:02Z

Is0-mick: /* Software */

__NOTOC__

<big>'''Willkommen zum Wiki von t-hack.com'''</big>

Das t-hack.com - Projekt wurde am 14. Dezember 2007 ins Leben gerufen, um eine alternative Software für die Multimedia-Box X300T bzw. X301T zu entwickeln bzw. die originale zu verbessern ;)

'''Das Wiki ist zum Schutz vor Spambots nur von registrierten Usern nutzbar.'''

'''You are able to upload files with following extension:
png, gif, jpg, jpeg, zip, rar, pdf, ace'''

Besuchen Sie auch das [http://www.t-hack.com/forum t-hack-Forum]

The hardware seems very similar to the Philips DIT9719, which is widely available in the UK as the BT Vision box. With luck a bit of common effort will get a usable system.
== Momentaner Status (Mai 2008)==
'''Linux'''
* Linux kann auf der Box gebootet werden, da aber immernoch keine Microcodes geladen werden können macht das wenig Sinn (Keine Ausgabe von Bild/Ton möglich).

'''Windows CE'''
* Es ist möglich eigene native Anwendungen als auch .net-basierende Anwendungen auf der Box auszuführen und mit MSVC2005 zu debuggen.

Keine der Änderungen sind ohne "Modchip" permanent, jegliche Modifikationen setzen das Löten an der Box und das zumindest einmalige Ausbauen der Festplatte voraus !

== Hardware ==
*[[Versions X300T/X301T]]
*[[SMP8634]]
*[[Picture]]
*[[Schematic/Boardlayout]]
*[[eJTAG|eJTAG on PCB]]
*[[eJTAG on SMP]]
*[[UART0|Serial Debug Port]]
*[[Display]]

==Software==
*[[Tools]]
**[[Dump X300T Bootloader]]
**[[Disable X300T Signature Check]]
**[[Upload YAMON]]
**[[NK.BIN_toolset]]
**[[MakeNK]]
**[[Download Update Files]]
**[[NK.BIN Patcher]]
*[[Boot Process]]
*[[Bootstrap-Message]]
*[[HDD-Layout]]
*[[Network-Bootstrap]]
*[[TV2ClientCE.exe]]
*[[BooterCE.exe]]
*[[TFTP]]
===WinCE===
*[[Disable TrustModel]]

===Linux===
*[[Toolchain]]
*[[Howto boot Linux]]
*[[Setup NFS-Root-Filesystem]]
*[[fli4l]]
**[[Grundinformationen]]
**[[Wir legen los]]
**[[Konfiguration anpassen]]
**[[Wichtige Links]]
**[[ein Wort in eigener Sache]]
 
*[[some additional output regarding Linux]]

==Filesystem==
*[[NK.BIN]]

==Unsorted information==
*[[Bootlog??|Bootlog of Beta X300T]]
*[[x300tBeta|Flash dump of Beta X300T]]
*[[Workaround, damit mehrere Settopboxen im Netz sind und die Timeshift-Funktion erhalten bleibt]]
*[[PKG.DIR]]

File:NKpatcher.rar

2008-08-10T19:01:13Z

Is0-mick:

NK.BIN Patcher

2008-08-10T19:00:59Z

Is0-mick: New page: NK Patcher is a C# GUI application that patches a NK.BIN file to allow unsigned applications to run outside of the windows folder (rom). '''Download NK Patcher'''

NK Patcher is a C# GUI application that patches a NK.BIN file to allow unsigned applications to run outside of the windows folder (rom).

'''[[Media:NKpatcher.rar|Download NK Patcher]]'''

Tools

2008-08-10T18:58:19Z

Is0-mick:

At this Point,you can download some tools to edit/modify/create/extract files of the X30xT:

'''[[Dump X300T Bootloader]]''' 
With this tool, you are able to dump the bootloader of the X300T. It's not been tested, if you can dump the bootloader of the X301T, too. So someone should test it!

'''[[Debrick SMP863x Device]]''' 
This is a modified version of the WRT-Debrick Tool. It recognizes the SMP863x CPU and allows to flash even when the device does not boot up any more.

'''[[Disable X300T Signature Check]]''' 
This tool can disable the signature check, so you'r able to boot a Linux-Kernel or something else.
Currently there is nothing else to boot than the WinCE 5.0.

'''[[NK.BIN toolset]]''' 
These tools are used to view, modify and dump the NK.BIN

'''[[MakeNK|Fake NK.BIN creator]]''' 
This small GUI tool allows to package a Linux Kernel and/or other binary memory dumps into a NK.BIN file that will be accepted by the MS IPTV Bootloader. Of course this will only work if the signature check is disabled :)

'''[[NK.BIN Patcher]]''' 
This tool patches the NK.BIN to disable the signature checking on exe files outside the windows folder
It also fixes up the record checksum after patching.