Boot Process
CPU internal
The SMP863x has a security coprocessor (XPU) that is responsible for controlling the boot process.
It has a BIOS-like bootstrap code (XOS) in internal flash memory. This bootstrap code cannot be read from outside the CPU.
Bootloader in Flash
The XOS tries to find an XENV block in the external flash memory.
The XENV contains a pointer to where the flash boot partition is located. In the case of the x300t the boot partition is encrypted and signed. The XPU therefore decrypts the flash boot partition and stores the decrypted code in RAM.
The signature of the boot partition is verified, and if it is OK, the XPU triggers the CPU to start the code from RAM.
This code is the IPTV Bootloader. It does some hardware initialisation and downloads the "bootstrap" file via TFTP from discovery.iptv.t-online.de.
The content of this file is not important for the boot itself. (On the BT-Vision version the file contains some certificate information. Maybe this is part of the trust chain - will the box accept any CA cert, i.e. if this is the start of the chain, or is there a cert already in flash that verifies this one? I do not recognise the format, but the strings make this look like a BT Vision CA cert signed by the BT root CA.)
The next step is the Disaster-Recovery check. On the first partition of the hard drive there is the file "BOOT.PRF". This file contains a boot counter that is increased on each boot attempt by the IPTV Bootloader. If the BOOT.PRF file is not found, or if the boot counter is at least 4, a Disaster-Recovery is triggered.
Disaster-Recovery
For Disaster-Recovery the Bootloader downloads the files "sync" and "dra" from discovery.iptv.t-online.de, also via TFTP. (On the BT-Vision version the file sync contains the DNS name of the server to download dra from, and some certificate information.)
dra contains a WinCE kernel (NK.BIN) and a signed hash for the kernel. If the signature is correct, the kernel is started.
The NK.BIN is a stripped-down WinCE 5.0 kernel with some SMP863x drivers, .NET Compact Framework 2.0 and a boot application (TV2DRACE.exe).
WinCE initialises the hardware and starts TV2DRACE.exe (a C# application).
TV2DRACE.exe downloads the IPTV application with all its data files from the t-online server, the same way as the regular IPTV application update takes place.
After all the files are extracted to the hard disk, the box reboots because a new NK.BIN is also included in the application files.
The Bootloader detects that there is an NK.BIN on the hard drive and checks the signature that is in the boot.sig file.
If the signature is OK, and the hash and size of the NK.BIN match as well, it starts the new NK.BIN.
The new NK.BIN is similar to the one in "dra", but it has many more files, and instead of a TV2DRACE.exe it contains a BooterCE.exe.
BooterCE
The BooterCE.exe autostarts and will check if there is an update available on the bootstrap server of t-online. If this is true the IPTV application update is started.
Next, BooterCE.exe searches the hard drive for *.sig files and processes them. Any file that is not listed in a .sig file is deleted. If an incorrect hash is found, the system is rebooted, which (via the boot counter) finally results in a Disaster-Recovery.
The file check takes quite some time, as it recursively checks all files on the first partition. If no problems are found, TV2Client.exe (C#) is started. TV2Client.exe is now embedded in the NK.BIN (in earlier versions it was stored on the hard drive).
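The following is an added model (not code from the box or the wiki) of the two checks described above: the BOOT.PRF boot-counter logic of the IPTV Bootloader and BooterCE's manifest check of the first partition. The .sig layout (path, size, SHA-256) and the exemption of BOOT.PRF from the manifest are assumptions; the page does not document the real format.

```python
import hashlib

MAX_BOOT_ATTEMPTS = 4  # page: counter >= 4 triggers Disaster-Recovery


def check_boot_counter(disk):
    """Model of the Bootloader's BOOT.PRF check; returns (action, updated disk)."""
    raw = disk.get("BOOT.PRF")
    if raw is None:
        return "disaster_recovery", disk
    count = int(raw.decode())
    if count >= MAX_BOOT_ATTEMPTS:
        return "disaster_recovery", disk
    # Normal boot: bump the counter before handing over to NK.BIN.
    return "normal_boot", {**disk, "BOOT.PRF": str(count + 1).encode()}


def make_manifest(disk, paths):
    """Assumed .sig content (not the real format): path -> (size, sha256 hex)."""
    return {p: (len(disk[p]), hashlib.sha256(disk[p]).hexdigest()) for p in paths}


def booterce_check(disk, manifest):
    """Model of BooterCE's recursive check: unlisted files are deleted,
    any size/hash mismatch means reboot, otherwise TV2Client.exe starts."""
    listed = set(manifest) | {"BOOT.PRF"}  # assumption: counter file is exempt
    to_delete = sorted(p for p in disk if p not in listed)
    bad = sorted(p for p, (size, digest) in manifest.items()
                 if p not in disk or len(disk[p]) != size
                 or hashlib.sha256(disk[p]).hexdigest() != digest)
    action = "reboot" if bad else "start TV2Client.exe"
    return action, to_delete, bad


# Constructed sample partition; contents are placeholders, not real firmware.
DISK = {
    "BOOT.PRF": b"1",
    "NK.BIN": b"constructed kernel image",
    "app/TV2Client.exe": b"constructed client binary",
    "app/leftover.tmp": b"not covered by any .sig",
}
MANIFEST = make_manifest(DISK, ["NK.BIN", "app/TV2Client.exe"])


def scenario_clean():
    return booterce_check(DISK, MANIFEST)


def scenario_tampered():
    # One listed file modified after the manifest was produced.
    return booterce_check({**DISK, "app/TV2Client.exe": b"modified"}, MANIFEST)


if __name__ == "__main__":
    print(check_boot_counter(DISK)[0], check_boot_counter({})[0])
    print(scenario_clean())
    print(scenario_tampered())
```

Running it shows the three outcomes the page describes: the stray file is flagged for deletion even on a clean check, a single modified file turns the result into a reboot, and a missing or exhausted BOOT.PRF goes straight to Disaster-Recovery.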
The TV2Client.exe is the application that handles all the communication with the IPTV server and it also creates the GUI that is seen on TV.