Is there any documentation on how the customized firmware provided here was developed?
The entire forum is documentation. You will find it all discussed, but you'll have to start at the beginning. However, I can give you a brief summary ("our" and "we" refers to this community and HDR-FOX, not specifically myself):
1. Capture a firmware update file for examination. In our case that was easy because Humax made update files available for users to download and apply, to allow for non-universality of Internet connections in those days. More recent models may access the firmware update directly by Internet, limiting the options for interception. Also, in those days (as an alternative to Internet for distribution), firmware updates were broadcast over the air, and it was possible to capture them with a DVB-T USB dongle.
2. Analyse the firmware update file to recognise what it represents. In our case that wasn't too difficult because the data was not encrypted, and Humax used some open-source stuff for the OS (Linux) which meant they were obliged to publish information about the non-proprietary elements of the code (with a proprietary undocumented executable that runs under the OS providing the actual PVR functionality). With a knowledge of the target processor and the OS structure, it was possible to add small tweaks which enabled a Telnet console and thus gain root access to the OS. It is likely more recent models use encrypted update files, making it necessary to figure out decryption before the analysis can be done.
3. Figure out the crypto-signature which authenticates firmware updates. Without the matching crypto-signature, a firmware update file is not recognised and not installed. It was necessary to generate the signature for the tweaked update file in order to make it install, and thus add hooks to run our own code.
Really, we got lucky. The HDR-FOX was the first DVB-T2 PVR, and it was rushed to market with very naive security presumably on the assumption that nobody would be very interested in "cracking" it. The primary driver for cracking it was to remove the security on HiDef recordings, intended to ensure playback of an off-air HiDef recording was restricted to the unit that recorded it only. This is a requirement imposed on the PVR manufacturers by the broadcasting industry.
Consequently, it is the broadcasting industry, not Humax itself, who would be upset that it was cracked, and the loopholes we exploited have notably been plugged in more recent models.