Hacking PVR (Triax T-HD 409 VA)
#1
Posted 15 January 2011 - 11:21 AM
I am looking for someone to point me in the right direction here.
The goal is to hack my PVR, to make it possible for me to move my recordings onto a PC and burn them to DVDs.
I have a Triax T-HD 409 VA terrestrial receiver. I record FTA programmes onto an external hard drive through eSATA. I've tried connecting this external hard drive to my PC. I figured out that it was an ext filesystem (suggests that the box is running Linux software?). I tried moving some recording folders onto my PC. They contain some data files and one or more .TS files. Unfortunately these TS files are scrambled somehow. I am therefore searching for a way to move UNSCRAMBLED TS files.
I've considered 3 ways of doing this:
1. Unscramble the TS-files after moving them to the PC. I've read A LOT about this, and it seems almost impossible.
2. Alter the firmware image and flash the PVR. I have tried different approaches, but I can't determine the encoding/scrambling of the firmware image.
3. Somehow gain control over the software running on the box. This is what I turn to now. My first idea was to scan the ethernet port, but it seems that it's not in use.
My question therefore is: What do I do next?
Any suggestions on what to do (especially for possibility 2 or 3 above) are much appreciated.
Firmware image can be found here: http://www.triax.dk/...va_1.151app.zip
Instruction Manual (in Danish, but with a picture of the connections): http://www.triax.dk/...d409va_dk_a.pdf
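A first step toward characterising how the .TS files are scrambled, as an added example that is not part of the original post: it looks for MPEG-TS packet framing and tallies the transport_scrambling_control bits per PID. The sample data is constructed, and the 188/192/204-byte packet sizes it tries are the common ones, not something the thread confirms for this box.

```python
from collections import Counter

SYNC = 0x47                      # every MPEG-TS packet starts with this byte
PACKET_SIZES = (188, 192, 204)   # plain TS, 4-byte timestamp prefix, 16-byte FEC suffix

def find_framing(data, probe=8):
    """Return (offset, size) where SYNC repeats for `probe` packets, else None."""
    for size in PACKET_SIZES:
        for off in range(size):
            idxs = range(off, off + probe * size, size)
            if idxs[-1] < len(data) and all(data[i] == SYNC for i in idxs):
                return off, size
    return None

def scrambling_report(data):
    """Count packets per (PID, transport_scrambling_control) pair.

    Returns None when no packet framing exists, which points to the file
    being encrypted as a whole rather than scrambled per packet.
    """
    framing = find_framing(data)
    if framing is None:
        return None
    off, size = framing
    report = Counter()
    for pos in range(off, len(data) - 3, size):
        if data[pos] != SYNC:
            continue                      # damaged packet, skip it
        pid = ((data[pos + 1] & 0x1F) << 8) | data[pos + 2]
        tsc = data[pos + 3] >> 6          # 0 = clear, non-zero = payload scrambled
        report[(pid, tsc)] += 1
    return report

def make_packet(pid, tsc, fill=0xAA):
    """Constructed 188-byte packet: 4-byte header plus dummy payload."""
    header = bytes([SYNC, (pid >> 8) & 0x1F, pid & 0xFF, (tsc << 6) | 0x10])
    return header + bytes([fill]) * 184

# Constructed samples, not taken from a real recording.
SAMPLE = make_packet(0x100, 0) * 10 + make_packet(0x101, 2) * 10
OPAQUE = bytes(range(256)) * 20

if __name__ == "__main__":
    print(scrambling_report(SAMPLE))
    print(scrambling_report(OPAQUE))
```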
#2
Posted 16 January 2011 - 04:33 PM
Edited by daniel1, 16 January 2011 - 04:34 PM.
#3
Posted 17 January 2011 - 06:47 PM
Any advice would be greatly appreciated
Just the usual one. Open it, look on the PCB for JTAG pads, unused pins or things of that nature.
Often you find if you look round that it's some sort of serial port that hasn't been terminated in a socket so that engineering can solder on a lead, but left on the production boxes.
If you're *VERY* lucky, you might get a dmesg on it or something after fux0ring around to work out the baud rate etc... stranger things have happened at sea...
Other than that, scan it at boot time, try holding down button combos while restoring power at the wall socket etc, anything to try and put it in a reflash or engineering mode.
The only caveat is it's highly likely you'll brick it at some point unless you know what you're doing once inside, and even then the risk goes with the territory.
Crappy locked up content devices. Good luck.
#4
Posted 18 January 2011 - 12:18 PM
Thanks phaedrus. I would like to avoid opening it up just yet (I know it's probably necessary) and maybe have a look at the firmware image I've downloaded from the manufacturer website.
Can you recommend any tools for working with the firmware image? I've tried a hex-editor, but I can't find anything useful - it's all gibberish. The filetype is ".aesimg".
#5
Posted 19 January 2011 - 10:41 AM
First, Triax themselves have some helpful information, sparse as it is:
http://www.triax.com...145B98D4}&Tab=0
From that:
Main system
CPU STI 7101
DDR memory 128 MByte
Flash memory 4 MByte
The STi7101 is a new generation, high-definition set-top box / DVD decoder chip, that provides
ST40 CPU core: 266 MHz
So it's an STi7101 CPU, which is RISC based. And even more, there's a datasheet for that chip on alldatasheets:
http://pdf1.alldatas...CS/STI7101.html
And right inside that datasheet you will find the following snippet:
JTAG/TAP interface, ST40 toolset support, ST231 toolset support
So it has a JTAG interface for engineering works. It's now up to you if you want to find that interface and do things to it via a JTAG lead, or try to mess with the binary firmware blob and try to decode it. I'd be reaching for the soldering iron about now whilst scanning the innards for the JTAG pads...
You should now be trying to find out more about the Linux implementation from ST electronics and seeing if that gives any clues if the firmware is encrypted or signed or just a binary blob requiring decompilation.
Enjoy learning, and post back, you will learn a lot
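One way to tell whether a firmware image that looks like gibberish in a hex editor is encrypted or just an unfamiliar container, as an added example that is not part of the original posts: it measures per-block byte entropy and searches for well-known embedded Linux magic bytes. The magic list, the thresholds and both samples are assumptions chosen for illustration; high entropy alone cannot distinguish encryption from compression, and nothing here detects a signature.

```python
import math

# Magic bytes that usually show up somewhere in an unencrypted embedded Linux image.
MAGICS = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"hsqs": "SquashFS superblock",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF binary",
}

def shannon_entropy(block):
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for a flat histogram."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data, block=4096):
    """Entropy of each full block, so padding and headers show up as dips."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]

def find_magics(data):
    """Return sorted (offset, name) pairs for every known magic in the image."""
    hits = []
    for magic, name in MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def classify(data, block=4096, high=7.9):
    """Coarse verdict from the two signals above."""
    profile = entropy_profile(data, block)
    if not profile:
        return "too small"
    if find_magics(data):
        return "plaintext container"
    high_frac = sum(e >= high for e in profile) / len(profile)
    return "encrypted or packed" if high_frac >= 0.95 else "inconclusive"

# Constructed samples (not the Triax image).
OPAQUE = bytes(range(256)) * 64  # flat byte histogram stands in for ciphertext
STRUCTURED = (b"\x27\x05\x19\x56" + b"\x00" * 4092
              + b"hsqs" + b"placeholder filesystem data " * 146)

if __name__ == "__main__":
    for name, blob in (("opaque", OPAQUE), ("structured", STRUCTURED)):
        print(name, classify(blob), find_magics(blob))
```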
#6
Posted 19 January 2011 - 10:49 AM
#7
Posted 19 January 2011 - 07:50 PM
http://www.binrev.co...__1#entry352972
warning.. lots of big pictures...
#8
Posted 28 January 2011 - 01:54 PM
I'll install their Linux-distro and take a look at it, as soon as I've made space for it.
Thanks for the link PurpleJesus. You are definitely right about the pictures
#9
Posted 31 January 2011 - 07:14 PM