daniel1

Hacking PVR (Triax T-HD 409 VA)

9 posts in this topic

Hi,

I am looking for someone to point me in the right direction here.

The goal is to hack my PVR, to make it possible for me to move my recordings onto a PC and burn them to DVDs.

I have a Triax T-HD 409 VA terrestrial receiver. I record FTA programmes onto an external hard drive through eSATA. I've tried connecting this external hard drive to my PC. I figured out that it was an ext filesystem (suggests that the box is running Linux software?). I tried moving some recording folders onto my PC. They contain some data files and (one or more) .TS files. Unfortunately these TS files are scrambled somehow. I am therefore searching for a way to move UNSCRAMBLED TS files.

I've considered 3 ways of doing this:

1. Unscramble the TS-files after moving them to the PC. I've read A LOT about this, and it seems almost impossible.

2. Alter the firmware image and flash the PVR. I have tried different approaches, but I can't determine the encoding/scrambling of the firmware image.

3. Somehow gain control over the software running on the box. This is what I turn to now. My first idea was to scan the ethernet port, but it seems that it's not in use.

My question therefore is: What do I do next?

Any suggestions on what to do (especially for possibility 2 or 3 above) are much appreciated.

Firmware image can be found here: http://www.triax.dk/upload/triax409va_1.151app.zip

Instruction Manual (in Danish, but with a picture of the connections): http://www.triax.dk/upload/triax_t-hd409va_dk_a.pdf

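The post says the .TS files are "scrambled somehow", and a hex editor cannot tell two very different cases apart: a genuine MPEG transport stream whose packets carry the DVB transport_scrambling_control bits, versus a file the box has encrypted as a whole (where not even the 0x47 sync bytes survive). The script below, an added example that is not code from the thread or from Triax, walks a file as 188-byte TS packets and reports which case applies; the sample streams are constructed in-process so it runs offline.

```python
"""Diagnose what kind of "scrambling" a PVR .TS recording has.

Added example, not code from the thread. Outcomes:
  opaque       - no 188-byte packet structure: file-level encryption/wrapping
  ts_scrambled - valid TS, payloads flagged via transport_scrambling_control
  clear        - valid TS with clear payloads
The sample streams at the bottom are constructed."""
import random
from collections import Counter
from typing import Dict, Optional

PACKET_SIZE = 188   # length of one MPEG-TS packet
SYNC_BYTE = 0x47    # first byte of every TS packet


def find_sync_offset(data: bytes, probe_packets: int = 8) -> Optional[int]:
    """Return the first offset where `probe_packets` consecutive packets begin
    with the sync byte, or None when no 188-byte alignment exists."""
    needed = (probe_packets - 1) * PACKET_SIZE
    for off in range(PACKET_SIZE):
        if off + needed >= len(data):
            break
        if all(data[off + i * PACKET_SIZE] == SYNC_BYTE for i in range(probe_packets)):
            return off
    return None


def scan_ts(data: bytes) -> Dict:
    """Tally the transport_scrambling_control field (bits 7-6 of header byte 3:
    0 = clear, 2/3 = scrambled with even/odd key) for every packet, per PID."""
    off = find_sync_offset(data)
    if off is None:
        return {"aligned": False, "packets": 0, "scrambled": 0, "pids": {}}
    per_pid: Dict[int, Counter] = {}
    packets = scrambled = 0
    for pos in range(off, len(data) - PACKET_SIZE + 1, PACKET_SIZE):
        pkt = data[pos:pos + PACKET_SIZE]
        if pkt[0] != SYNC_BYTE:
            continue                      # tolerate an isolated loss of sync
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        tsc = (pkt[3] >> 6) & 0x03
        packets += 1
        scrambled += 1 if tsc else 0
        per_pid.setdefault(pid, Counter())[tsc] += 1
    return {"aligned": True, "packets": packets, "scrambled": scrambled,
            "pids": {pid: dict(c) for pid, c in per_pid.items()}}


def classify(data: bytes) -> str:
    """Map the scan result onto the three outcomes listed in the module docstring."""
    info = scan_ts(data)
    if not info["aligned"]:
        return "opaque"
    return "ts_scrambled" if info["scrambled"] else "clear"


def make_packet(pid: int, tsc: int, seq: int) -> bytes:
    """Constructed TS packet: sync, PID, TSC bits, payload-only flag, continuity counter, filler."""
    header = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF,
                    (tsc << 6) | 0x10 | (seq & 0x0F)])
    return header + bytes([seq & 0xFF]) * (PACKET_SIZE - 4)


# Constructed samples: a clear recording, one whose video PID is scrambled, and
# a pseudo-random blob standing in for a recording encrypted as a whole file.
PIDS = (0x100, 0x101)
CLEAR_STREAM = b"".join(make_packet(pid, 0, i) for i in range(32) for pid in PIDS)
SCRAMBLED_STREAM = b"".join(make_packet(pid, 2 if pid == 0x100 else 0, i)
                            for i in range(32) for pid in PIDS)
_rng = random.Random(1)
OPAQUE_BLOB = bytes(_rng.getrandbits(8) for _ in range(PACKET_SIZE * 16))

if __name__ == "__main__":
    for name, blob in (("clear", CLEAR_STREAM), ("scrambled", SCRAMBLED_STREAM),
                       ("opaque", OPAQUE_BLOB)):
        print(f"{name:10s} -> {classify(blob):13s} {scan_ts(blob)['pids']}")
```

Run it against a real recording by replacing the constructed blobs with `open(path, "rb").read()`. If the result is `opaque`, the box encrypts the recording files themselves and nothing at the TS layer will help, which matches the "almost impossible" finding for option 1; if it is `ts_scrambled`, the per-PID histogram shows which elementary streams are affected.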

Any advice would be greatly appreciated :)

Edited by daniel1


Just the usual one. Open it, look on the PCB for JTAG pads, unused pins or things of that nature.

Often you find if you look round that it's some sort of serial port that hasn't been terminated in a socket so that engineering can solder on a lead, but left on the production boxes.

If you're *VERY* lucky, you might get a dmesg on it or something after fux0ring around to work out the baud rate etc... stranger things have happened at sea...

Other than that, scan it at boot time, try holding down button combos while restoring power at the wall socket etc, anything to try and put it in a reflash or engineering mode.

The only caveat is it's highly likely you'll brick it at some point unless you know what you're doing once inside, and even then the risk goes with the territory.

Crappy locked up content devices. Good luck.



Thanks phaedrus. I would like to avoid opening it up just yet (I know it's probably necessary) and maybe have a look at the firmware image I've downloaded from the manufacturer website.

Can you recommend any tools for working with the firmware image? I've tried a hex editor, but I can't find anything useful - it's all gibberish. The file type is ".aesimg".

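"All gibberish in a hex editor" is itself a measurable property. The script below, an added example that is not code from the thread or from Triax, gives the two checks a practitioner runs on an opaque image before reaching for a disassembler: per-block Shannon entropy (a flat line near 8 bits/byte across the whole file, with no recognisable container headers, is the hallmark of whole-image encryption, consistent with an ".aesimg" extension) and a scan for the magic values of containers an unencrypted firmware usually embeds. It does not reproduce the real image; the three sample "images" are constructed in-process.

```python
"""Triage an opaque firmware image: per-block entropy plus container signatures.

Added example, not code from the thread or from Triax. The samples at the
bottom are constructed stand-ins, not the real triax409va image."""
import gzip
import math
import random
from collections import Counter
from typing import List, Tuple

# Magic values of containers an unencrypted firmware commonly embeds.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",      # gzip with deflate (the only defined method)
    b"\xfd7zXZ\x00": "xz",
    b"\x7fELF": "ELF",
    b"hsqs": "squashfs",
    b"BZh": "bzip2",
}
BLOCK_SIZE = 4096


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, up to 8.0 for a uniform one."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> List[float]:
    """Entropy of each consecutive block; a flat line at ~8.0 is the encryption signature."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Offsets of every known container magic, sorted by position."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def verdict(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """'high-entropy' when >=90% of blocks exceed 7.9 bits/byte (encrypted or
    solid-compressed), 'low-entropy' when <=10% do, otherwise 'mixed'."""
    profile = entropy_profile(data, block_size)
    if not profile:
        return "empty"
    high = sum(1 for e in profile if e >= 7.9) / len(profile)
    if high >= 0.9:
        return "high-entropy"
    if high <= 0.1:
        return "low-entropy"
    return "mixed"


# --- constructed samples --------------------------------------------------
_rng = random.Random(7)
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE * 8))
PLAINTEXT_LIKE = b"Linux version (constructed banner) for an ST40 board\n" * 600
STRUCTURED = (b"CONSTRUCTED-FW-HEADER".ljust(64, b"\x00")
              + gzip.compress(b"root filesystem stand-in " * 2000, mtime=0)
              + b"\x7fELF" + b"\x00" * 60)

if __name__ == "__main__":
    for name, img in (("encrypted-like", ENCRYPTED_LIKE), ("plaintext-like", PLAINTEXT_LIKE),
                      ("structured", STRUCTURED)):
        prof = entropy_profile(img)
        print(f"{name:15s} verdict={verdict(img):13s} "
              f"entropy min/max={min(prof):.2f}/{max(prof):.2f} "
              f"signatures={find_signatures(img)[:4]}")
```

Point it at the downloaded image with `open(path, "rb").read()`. A `high-entropy` verdict with an empty signature list means strings and carving tools will find nothing and the information has to come from the device side or the vendor's SDK instead; a header followed by `mixed` blocks and signature hits at fixed offsets means the image is a plain container that can be split at those offsets. Note that a short vendor header may still sit in front of an otherwise encrypted payload, so look at the first block's entropy separately before drawing a conclusion.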

You have to understand what you're dealing with to make sense of it.

First, Triax themselves have some helpful information, sparse as it is :-

http://www.triax.com/AntennaSystems/STB/Terrestrial.aspx?productId=%7BB362B96E-16F8-4F7E-901A-9D2E145B98D4%7D&Tab=0

From that :-

Main system:
CPU: STI 7101
DDR memory: 128 MByte
Flash memory: 4 MByte

The STi7101 is a new generation, high-definition set-top box / DVD decoder chip, that provides

ST40 CPU core: 266 MHz

So it's a STi7101 CPU, which is RISC based. And even more, there's a datasheet for that chip on alldatasheets :-

http://pdf1.alldatasheet.com/datasheet-pdf/view/244194/STMICROELECTRONICS/STI7101.html

And right inside that datasheet you will find the following snippet :-

JTAG/TAP interface, ST40 toolset support, ST231 toolset support

So it has a JTAG interface for engineering works. It's now up to you if you want to find that interface and do things to it via a JTAG lead, or try to mess with the binary firmware blob and try to decode it. I'd be reaching for the soldering iron about now whilst scanning the innards for the JTAG pads...

You should now be trying to find out more about the Linux implementation from ST electronics and seeing if that gives any clues if the firmware is encrypted or signed or just a binary blob requiring decompilation.

Enjoy learning, and post back, you will learn a lot ;)


Thanks Phaedrus. Great findings.

I'll install their Linux-distro and take a look at it, as soon as I've made space for it.

Thanks for the link PurpleJesus. You are definitely right about the pictures ;) It seems to be a similar project, so it may be useful.


Don't forget to post back with how you get on to chip into the hacking mythos of things.
