Custom Firmware source code?

dibber

New Member
I see there is some customised firmware for some of the Humax machines, I wondered if this firmware source code is available to anyone and if so where could I find it, github perhaps?

I've got given a Foxsat HD rev 1.0 and a BT-T1000 (DTR-T1000) freeview box and I was wondering what would be involved in adding DLNA functionality to them which is why I'm interested in the looking at the firmware code.

TIA
 
So when searching for "custom firmware" I found this thread Cross compiling (anything) from Debian Wheezy to the HDR | hummy.tv (hummy. tv/ forum/ threads/ cross-compiling-anything-from-debian-wheezy-to-the-hdr.5229 /#post-147580) and I managed to find this wiki link Compile Software for the Humax - hummy.tv Wiki (wiki. hummy. tv/ wiki/ Compile_Software_for_the_Humax) which I didnt spot over Xmas.
Anyway in the link is a reference to Humax but their webpages like the Humax open source download site link doesnt appear to exist anymore.

"The actual cross compiler is available from the HUMAX open source download site (www. humaxdigital.com / uk / opensource.php) with the specific package needed being entitled crosstools_hf-linux-2.6.18.0_gcc-4.2-11ts_uclibc-nptl-0.9.29-20070423_20090508.tar.bz2"

Does anyone know if their open source webpages have been moved or removed?

Am I correct to believe the Foxsat HD and the DTR-1000 can be telnetted into, I havent portscanned the devices yet, but I just wondered because otherwise I might have to use Flashrom or similar with a SOIC clip to download the firmware off the Foxsat HD chip and take the HD out of the DTR-T1000.

TIA
 
I see there is some customised firmware for some of the Humax machines, I wondered if this firmware source code is available to anyone and if so where could I find it, github perhaps?
There is CF for HD-FOX, HDR-FOX, FOXSAT-HD, FOXSAT-HDR only. The methods for reverse-engineering the official firmware and then "fooling" the units into accepting adapted firmware as an official update are considered proprietary to their authors. In the case of FOXSAT, the author is known as "Raydon" (who appears to have disappeared from the scene).

You also need to be aware that this is not the primary support forum for Foxsat CF, although there is a sub-forum for it on here (Mods: please move this thread). One pinned post in the Foxsat CF sub-forum is: https://hummy.tv/forum/threads/useful-links-for-the-foxsat-hdr-customised-firmware.3330/post-39418

I've got given a Foxsat HD rev 1.0 and a BT-T1000 (DTR-T1000) freeview box and I was wondering what would be involved in adding DLNA functionality to them which is why I'm interested in the looking at the firmware code.
If you have done any background reading at all before diving in, you should already know you can install the Foxsat CF and the Mediatomb package to add DLNA. There is no need to reinvent the wheel (unless you are a masochist). If you want to crack the enhanced security of the more modern Humax boxes (such as the DTR-1000T), be our guest (but I am surprised you imply the DTR-1000T doesn't have a built-in DLNA server).

The DTR-1000T also has a sub-forum on this site. I suggest you look there for your DLNA issue.

So when searching for "custom firmware" I found this thread Cross compiling (anything) from Debian Wheezy to the HDR | hummy.tv (hummy. tv/ forum/ threads/ cross-compiling-anything-from-debian-wheezy-to-the-hdr.5229 /#post-147580) and I managed to find this wiki link Compile Software for the Humax - hummy.tv Wiki (wiki. hummy. tv/ wiki/ Compile_Software_for_the_Humax) which I didnt spot over Xmas.
Anyway in the link is a reference to Humax but their webpages like the Humax open source download site link doesnt appear to exist anymore.
You are barking up the wrong tree there. Your reference is to matters pertaining to the HDR-FOX (which you should be able to tell from the title of the forum section it is posted in), and context is vital. FOXSAT-HDR is not the same as HDR-FOX.

(In case the penny still hasn't dropped: FOXSAT-HD is a diskless Freesat tuner; FOXSAT-HDR is a Freesat PVR; HD-FOX is a diskless Freeview - ie terrestrial - tuner; HDR-FOX is a Freeview PVR. For information: the FOXSAT-HDR has much less "compute capacity" than the HDR-FOX.)

Am I correct to believe the Foxsat HD and the DTR-1000 can be telnetted into
FOXSAT-HD or FOXSAT-HDR (please be precise) with CF installed: yes. DTR-1000T (no CF available): no.

Newbies' Guide to the Forum (click)
 
Last edited:
Hello Black Hole.

Not trying to cause offence here but other half got given a load of 1st gen devices, including some Humax devices so I've trying to figure out their capabilities. So the idea I have being an ex-Media Portal 1 user from the mid-00's using DVB-S2 (freesat) is to see if I can recycle or up-cycle these devices here and get them to work with Media Portal 2. These devices would save me having to purchase some new PCI-e cards for MP2 (more beer money) but can also build in a level of redundancy by not having all my eggs in a HTPC running MP2.

So we have a Foxsat-HD (part no 01004-00003) which is just a tuner, although looking at the main board, theres still solder points for a CAM to go in it and possibly rig up a hard drive as well. My aim with this is to see if its possible to make it export freesat broadcasts over ethernet to the MP2 windows machine to save the recording. It would also be good to see if I could get it to interact with and stream recordings from the the MP2 box, although if this is not possible I'm also exploring using a RaspberryPi connected to the TV via HDMI to stream and interact with the MP2 box. I can write an android/iOS app making the smart phones here remote controls for the RPi's.

We also have one of the DTR-1000T boxes (branded BT) which apart from some over-heating issues (which other forums have suggested is degraded caps) seems to work ok. So I now know from your post its got some sort of enhanced security/encryption methods in use. The idea for the DTR-1000T is the same as the Foxsat-HD, making it work with MP2.

I havent portscanned any of the devices yet, I havent even delved into the DLNA technicals yet as it appears to be something new which wasnt around when I was using MP1 back in the mid-00's.

As to the firmware, I didnt know whether these were devices with custom firmware or where devices running a form of linux, like busybox or something else. I used to reprogram fax machines and then upload the code using one of those eeprom's which meant taking the sticker off the quartz glass to blank them before reprogramming them, so I didnt know just how much space was available on these devices. I've taken photos of the main boards but not got down to identifying the chips inside yet to see if these are jellybean parts which will make getting the chip datasheets easier or not. I dont even know what cpu is being used in the DTR-1000T as this would tell me what instruction sets are available and then dictates what libraries can and can not be used. Dont get me wrong there's a bit of work involved establishing the facts about the machines which will then dictate what actions I take to get the devices to work with MP2, but my aim is to see if I can upcycle these to work with MP2 and/or DLNA or even uPnPa.

For example does anyone know if there are any JTAG ports on the DTR-1000T or Foxsat-HD?

Anyway, I've got Roku's to go through, seeing if they can be utilised, establishing what functionality exists in MP2. I've also got to look into uPnP as this maybe an alternative to some DLNA functionality and I'm also looking to see if I can get my Freeswitch installation to work with the TV's and if I can get Skype to work with them as well. Not a small project, but as a coder I'm not adverse to rolling up my sleeves and it was long past my bedtime last night. :)
 
Not trying to cause offence here
You're not causing offence, but as you seem determined to go your own way on this, all I can say is: good luck (you'll need it). I don't like to say "never", but I do think you will be wasting your time. However, that said, if you are successful I'm sure there will be a lot of interested people.

I confess I know less about the FOXSAT-HD than the FOXSAT-HDR (because the HDR version is discussed on here more than the HD), but I assume (analogous with the HD-FOX) the FOXSAT-HD can use a USB HDD and has its own version of the CF. The FOXSAT-HDR has a patch which can be installed to defeat recording encryption (otherwise all recordings on disk are in encrypted form, with no means to decrypt them). The "gubbins" is all embedded in a System-on-Chip, the only access being a built-in firmware update process - and firmware updates have to pass security checks (cryptographic signature) to be accepted*. There is no publicly-available documentation for the SoC detailed architecture or programming interface, so everything that is known has been deduced from decompiling firmware updates.

* The reason any progress was made with FOXSAT and HDR-FOX is because, although signed, firmware updates were transmitted/downloaded plaintext (ie not encrypted). We believe the more recent Humax boxes use encrypted (not just signed) firmware updates, and even (possibly) encrypted file systems.

Follow the link to the wiki (top of the page) and you will find some technical details for the HDR-FOX - the FOXSAT is effectively a predecessor of similar architecture. You will find out more about CF for FOXSAT-HD by following the links previously indicated: https://hummy.tv/forum/threads/useful-links-for-the-foxsat-hdr-customised-firmware.3330/post-39418.

If the FOXSAT-HD can be patched to defeat encryption, and if it supports recording to USB drive and CF, then you can set up Mediatomb or Twonky to provide network access to recordings by DLNA - and I think that's the best you can expect to do. Without an extreme hack of the SoC you will not be able to broadcast Freesat over the network (and it is entirely possible the SoC does not support forwarding the broadcast stream to the network stack).

Maybe you should look at units designed for that purpose, eg HomeRun: https://hummy.tv/forum/threads/opinions-on-hdhomerun.9041/, https://hummy.tv/forum/threads/hdr-fox-t2-to-hdhomerun-my-journey.9765/.

PS: DLNA comes under the general category "UPnP" - VLC, for example, lists DLNA network servers under UPnP.
 
Last edited:
I confess I know less about the FOXSAT-HD than the FOXSAT-HDR (because the HDR version is discussed on here more than the HD), but I assume (analogous with the HD-FOX) the FOXSAT-HD can use a USB HDD and has its own version of the CF.
I think the FOXSAT-HD was purely a Fressat receiver with no recording capability.
PS: DLNA comes under the general category "UPnP" - VNC, for example, lists DLNA network servers under UPnP.
Do you mean VNC or are you thinking of VLC?
 
Hi Black Hole,

I've not really decided what the best way is at the moment, but I know from decades of coding, there is always more than one way to skin a cat. :)

I'll go through Raydons firmware hpkg. tv/foxsat/raydons_Media_and_File_Server_Bundle_for_the_Foxsat_HDR_release_4.1.3.rar and see what I can deduce from there.

Re " The reason any progress was made with FOXSAT and HDR-FOX is because, although signed, firmware updates were transmitted/downloaded plaintext (ie not encrypted). We believe the more recent Humax boxes use encrypted (not just signed) firmware updates, and even (possibly) encrypted file systems."

This is entirely reasonable but with this sort of stuff, I think trying to find the JTAG may shed more light on the situation and be the fastest approach, I dont know anything about Raydon, what they tried, didnt try etc so I've got to assume they havent tried this approach.

Now whilst this is only hacking a hard drive controller, what is shown here spritesmods. com/?art=hddhack&page=3 is useful for other applications/devices and many SoC's will have a JTAG, put another way I dont know of any SoC without a JTAG but I'm not experienced in this area so I could be wrong. OpenOCD. org should be able to at least identify the SoC once the JTAG is found, and from there it should be possible to work out whats going on. If its possible to work out the cipher being used, there might be some sort of bug which has come to light elsewhere like in OpenSSL /news/vulnerabilities.html. And just because its Humax own code, doesnt mean they havent copied chunks of code from an FOSS package thus carrying across bugs into their own firmware.

Anyway thats just one approach to reverse engineering, and whilst I cant do ptychographic X-ray laminography , or hackaday. com/2017/05/02/how-to-reverse-engineer-a-chip/ there's always clue's given out by these sorts of devices.

Re "If the FOXSAT-HD can be patched to defeat encryption, and if it supports recording to USB drive and CF, then you can set up Mediatomb or Twonky to provide network access to recordings by DLNA - and I think that's the best you can expect to do. Without an extreme hack of the SoC you will not be able to broadcast Freesat over the network (and it is entirely possible the SoC does not support forwarding the broadcast stream to the network stack)."

Depending on what can be deduced it maybe possible to inject code to load more code from another source, a bit like the int13h on pc's where the bios loads code from sectors on a hard drive en. wikipedia. org/wiki/INT_13H#EDD or a SoC approach as shown here spritesmods. com/?art=hddhack&page=4

If its possible to inject code, it may be possible to bypass some things on the SoC but I cant say for sure at this stage because I'm just trying to get as much info as possible from various sources.

Anyway thanks for the info.

Edit: There's also a link here which shows how you can push code via JTAG everytime a device boots which could be useful. spritesmods. com/?art=stdalonejtag&page=2
 
Last edited:
As I also have a Roku and NowTv to mess around with, looking into them it seems the Roku is employing similar encryption techniques if this thread is anything to go by: forum. xda-developers. com/t/flash-now-tv-box-with-roku-lt-firmware.2384435/page-3

This comment caught my eye "The nand dump provided some insight into things as there is a second partition (dev image) which isn't encrypted - just a foobar'd version of cramfs" and so did this comment "Decryption of fskey (fskey is within the iblock structure) is handled by a function called "decrypt_img_key", which in turn passes to "decrypt_16_with_private_key" which is actually a broadcom function of their "secretkey" driver."


It seems the Roku's use a scripting language called BrightScript which is "easy and quick to build media and networked applications for embedded devices". developer. roku. com (cant post links yet so I just break them apart).

Anyway its possible what they are doing on XDA with the Roku's & NowTV boxes may also translate in some part to the later Humax machines like the BT / Humax DTR-T1000, but only time will tell.

Plus if the XDA ref to uboot is Denx's Das uBoot, it should be possible to load from another location overcoming lack of space issues that sometimes present themselves with older hardware and the inevitable bloat increase in code. uBoot will also mean a ROM bootloader is being used first so that might present some headaches.

Anyway still digging/researching/whatever you want to call it. :)
 
Hi Martin

It is interesting, fortunately the pages on the XDA link also contains some quite detailed attempts on the roku and nowtv which will probably translate to the humax's I have here but I even found a nice paper link in the thread: eprint. iacr. org/2012/296.pdf titled" In the blink of an eye: There goes your AES key".
"This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the Actel/Microsemi ProASIC3 chip in a time of 0.01 seconds using a new side-channel analysis technique called Pipeline Emission Analysis (PEA)"

Scanning it, I'm sure the approach can be adapted for other chips with AES strings.

As there is a suggestion of uboot being used on the roku and nowtv so similar may exist on the humaxs, to make life easier I'm going to try and get each device to boot off a NAS for now. I can monitor the NAS, port mirror at the switch or wireshark the network communications but if that approach works, then it will be a case of choosing the functionality I want and see if I can stuff it back on the relevant chip in the device. I've used Flashrom and SOIC's before so shouldnt be too much of a problem. If I cant stuff it on the chips, I'll just leave it to uboot to a NAS. Eitherway I need a NAS to store my tv programmes on anyway as I can rapidly fill up the drives in these devices easily. I think I was using 500Gb drives with MediaPortal1 back in the mid-00's and you can get 16TB drives now.

Anyway if that doesnt work, back to hunting for a JTAG port, if that still turns up a blank then back to trying other approaches on these devices.

What I like about the uboot NAS approach is I can update the packages on the NAS easily and I wont need packages included in the device to handle upgrades like USB functionality, which can free up space for future versions of uBoot and other neccesary packages. This also means the Foxsat-HD which doesnt have a hard disk could still have enough space to include packages/code to stream the broadcast to the NAS.

The hard part at the moment is hunting down as much info as possible, so even if the early Humaxs I have here dont use an ARM SoC but something else like a MIPS, the approaches will or should still be similar. I just dont want to rip off the plate on the DTR-T1000 just yet, until I know how its been affixed.

I see later humaxs have a broadcom soc "The SOC used in the Humax HDR Fox T2 is the Broadcom BCM7405" so alot of the Rpi stuff will be relevant and I think the the Pi foundation have also released an opensource videocore library which should be useful for later Soc's en. wikipedia. org/wiki/VideoCore

As this will be using opensource I dont think there will be any legal ramifications either, but like the chap in your link says "
But over time I realized some missing capabilities like
  • a comprehensive channel editor on the system itself (without the need for export / import channel list),
  • remote timer list programming (I’d like telling my iCord to record an interesting broadcast even when I’m not @ home.),
  • a nice web interface for the stuff above and much, much more."
I've got some functionality I want to see so rather than splashing the cash and finding some stuff is not implemented properly or is vapourware as I have done all too easily in the past, I'll try hacking these devices instead and do it myself.
Trying to persuade the missus to look into the Sonoff stuff as its so cheap but easily modified. Freeswitch does voice recognition, but its also possible to stream it to other voice recog systems like google and others, but the more I can integrate everything together the better and it shouldnt break the bank!

I have been looking into the DLNA stuff more along with what MP2 will be supporting, I got an answer earlier tonight, nothing at the moment, but a DLNA plugin will be available later in the year.
forum. team-mediaportal. com/threads/mp2-dlna-status.140308/

Having been on the DLNA site, its been handed over to an org called spirespark who can certify and sell test tools if you have a few $10k spare! Not cheap.

Anyway waiting to get their technical docs, to get more info on DLNA, Wiki sheds a bit of light on it and on Vidipath, but the more technical detail I can find the better so I'll probably be trawling github looking for opensource implementations and technical docs linked to aspects of DLNA.

Anyway..... :rolleyes:
 
  • a comprehensive channel editor on the system itself (without the need for export / import channel list),
  • remote timer list programming (I’d like telling my iCord to record an interesting broadcast even when I’m not @ home.),
  • a nice web interface for the stuff above and much, much more."
...all of which has been done on HDR-FOX (and I guess FOXSAT-HDR) by inserting hooks into the firmware update to gain access to a command prompt, and then executing code for a web server to provide a browser control interface. The high-level functionality of a HDR-FOX is provided through SQLite database tables, which can be manipulated.
 
Hi Black Hole

Yeah using a DB like SQLLite, to serve webpages is a fairly common technique. SQL Lite has the added benefit it can be run on a a few different OS'es and its got a nice small footprint compared to other DB's like MySQL.
 
I'm not talking about serving web pages, I'm talking about the HDR-FOX standard functions (such as the tuning table, recording schedule, user settings, EPG...) being stored in .db structures. These are meant as hints to help you along.
 
SQL lite is like MS Access (Jet Engine) db, ie a desktop db thats self contained when compared to ISAM files like Clipper, Dbase and others that rely on desktop apps & their respective runtimes to maintain the file structures. So it does help keep that data tidier and makes it easier to update a table or two so I might be able to garner some info out of the tables. I think firefox also uses SQL lite to manage the bookmarks for users and its reasonable for embedded systems especially where space is a constraint.
 
Back
Top