FOX T2 Hacking?

af123

Administrator
Staff member
Well as soon as someone works out what those 32 byte type 128 files are and how they are generated (I'm assuming that at least Raydon has worked it out) it should be fairly easy to start adding modifications. I have finished an HDF unpacker/packer now but the files aren't accepted - presumably because the type 128 files are a type of checksum. Did someone mention that there is a serial port inside the box? If so, I'll plug something into there and see if it gives any clues about why it isn't accepting the HDF files I'm trying to upload.

For my part, I want to add the coherence DLNA server. Partly so that it can serve files from an external USB disk (because if I copy things over from internal to external then they are decrypted on the way) but mainly to act as a DLNA proxy to add services like YouTube to the Humax. There are really useful modifications that can be done even though the recording files are encrypted.
 

mwillett

New Member
Did someone mention that there is a serial port inside the box? If so, I'll plug something into there and see if it gives any clues about why it isn't accepting the HDF files I'm trying to upload.
There's a line in the inittab file to start up a getty, presumably on the serial port, but it's commented out.
So I wouldn't expect much success, but give it a go.
 

af123

Administrator
Staff member
There's a line in the inittab file to start up a getty, presumably on the serial port, but it's commented out.
So I wouldn't expect much success, but give it a go.
Even without a getty I'd expect to see boot messages and probably output from the bootloader (CFE). Do you know if there's a serial port there before I break the warranty label?
 
ChrisDaniels

Well-Known Member
Guys, have a read of this regarding the checksum.
It's in German, but you can use Google Translate or similar tools. It looks quite interesting and gives a few things away, but it's made more complicated by the broken English of the translation :-(
From what i have gathered so far, the signature check exists, but can be bypassed using set commands..
It sheds some more light on it anyway and might let us progress.
http://colibri.net63.net/PR-HD1000-Secrets.zip
 

mwillett

New Member
Any luck finding a german speaker to translate it ?

I see they use the PR-HD1000 Heaven tool. Have you had a look at it ?

I've read a poor translation of Section 4 , which mentions the RSA keys and the signature heders.
Section 4.2 "Assembling HDFs" shows a screenshot which suggests that the tool PR-HD1000 Heaven might create a signature for you. There's a drop-down box with "Signature priority : Try to use a valid sig, if not possible use sig bypass".

Oddly, the PR-HD1000 Heaven tool looks to be in English, so surely there are English docs available?

M
 
ChrisDaniels

Well-Known Member
Yeah Heaven has already been tested and crashes out with the T2 firmware.. the foxsat firmware is fine however :confused:
Raydon confirmed the same. I've not had any time to have a look at this since due to "Real Life" activities, but I remember reading that the signature can be bypassed by changing a few characters in the checksum file. I think it implied OTA updates do not include the checksum, only USB requires it.

Cannot find any English docs out there at all, and Raydon is still refusing to help us too, citing that it's to avoid script-kiddies of all things [here].
Surely you could apply that logic to every single modding project ever?

While I did understand raydon's stance at first regarding this, it's getting harder for me to agree with it, seeing as Bob_Cat from Humax (who is leaving, by the way) recently stated that basically it's up to the end-user what they do with the (foxsat) box, but obviously they cannot acknowledge or support it [here].
So what's the difference with the T2? It's still being developed? Hold on, hasn't the foxsat just had an update??
 

mwillett

New Member
Yeah Heaven has already been tested and crashes out with the T2 firmware.. the foxsat firmware is fine however :confused:
Thanks - I won't bother with that.

Raydon confirmed the same. I've not had any time to have a look at this since due to "Real Life" activities, but I remember reading that the signature can be bypassed by changing a few characters in the checksum file. I think it implied OTA updates do not include the checksum, only USB requires it.
Thats what I understand from the translation.

Cannot find any English docs out there at all, and Raydon is still refusing to help us too, citing that it's to avoid script-kiddies of all things [here].
Surely you could apply that logic to every single modding project ever?
Absolutely agree - the statement doesn't make any sense. And so what if script-kiddies code things.
I suspect either he has an ulterior motive or he just likes to watch us grovel ?

While I did understand raydons stance at first regarding this,
I don't - but that's his right. We'll just have to waste our time replicating his work.
At least we can then publicise it without guilt.
 

James

Member
Did someone mention that there is a serial port inside the box? If so, I'll plug something into there and see if it gives any clues about why it isn't accepting the HDF files I'm trying to upload.
Yes it does (at least the HD-FOX T2) have a set of pins with UART0 on the board next to it. Not sure what the pinouts are, but I'm sure if you remove the cover, get the make/model of the chip the pins are connected to, then Google it and work out which pins on the chip the port's pins are connected to, you should be able to work it out.

However, if no getty is running then I don't see it being much use - I suspect this was used for building/testing the software when it was designed/written/built. However, if you do get into the software it would be a good backup in case you damage the telnet server/network config.

As for the checksum files, from Raydon's post elsewhere, it can't be that difficult to work out what they are. Have we checked the standard checksum formats, e.g. MD5 etc.?
 

af123

Administrator
Staff member
I read the Colibri PDF (I speak German which helps) but I don't think that applies to the Fox. If the firmware really is digitally signed then it seems unlikely that Mogie and Raydon would have access to the private key needed to generate valid signatures (although if they have then we're stuck). I also doubt that a firmware bug that was present in the HD1000 and allowed bypassing the signature check is present in the Fox.

The files that Mogie and Raydon have produced do have data in those type 128 trailer blocks and the data is different for each release they make, which makes me believe that it is in some way a hash of the preceding file. There may be other data encoded in there too but I haven't seen any patterns yet.

As for the checksum files, from Raydon's post elsewhere, it can't be that difficult to work out what they are. Have we checked the standard checksum formats, e.g. MD5 etc.?
There are 32 bytes involved (256 bits) so it's twice as long as a standard MD5. The bytes in the file don't seem to bear any relation to any hash algorithm that I've tried.

If it is a hash then I doubt it is very complicated. The other parts of the software use fairly standard algorithms which are usually favoured by developers in China and other parts of Asia, e.g. the block compression algorithm is LH5 and the CRC algorithm is a 16-bit one generally used in hard disk controllers.

Unfortunately I haven't had enough time to look at this properly due to the day job. If we can get a few more eyes on this it would be good. If we crack it then I can make my HDF utility automatically handle this as part of the archive generation.
 

af123

Administrator
Staff member
Some progress... with a bit of fiddling around, I just got PD Heaven to create a HDF file that has a valid 32 byte trailer ! It isn't straightforward as the HDF format created by PD Heaven is slightly different to the one we need but it shows that it is possible. I've added extraction of these digitally signed HDF files to my tool too (The HDR Fox ones aren't digitally signed :))
 
ChrisDaniels

Well-Known Member
Well done af123 :eek:)

Maybe we could try to attack PD Heaven to see if we can extract any of the code routines from it? A long shot, I know, but maybe worth a try..!
 

af123

Administrator
Staff member
Well done af123 :eek:)

Maybe we could try to attack PD Heaven to see if we can extract any of the code routines from it? A long shot, I know, but maybe worth a try..!
It's probably easier to attack the FOXSAT bootloader..

This might whet someone's appetite. The trailer for a one byte file with that byte being a zero is:

Code:
0000000: 4e30 d73c 5ef7 9519 314b a0ec ef02 0d42  N0.<^...1K.....B
0000010: 2203 c223 e62b 8a8e 50bc a4d0 740c 394d  "..#.+..P...t.9M
I checked a fair range of standard checksum algorithms against the test file at http://ossbox.com/checksums.htm and none of them match this trailer.
 

raydon

Well-Known Member
Thanks - I won't bother with that.



Thats what I understand from the translation.



Absolutely agree - the statement doesn't make any sense. And so what it script-kiddies code things.
I suspect either he has an ulterior motive or he just likes to watch us grovel ?



I don't - but that's his right. We'll just have to waste our time replicating his work.
At least we can then publicise it without guilt.
Yeah can't get enough grovelling. As to ulterior motive, mine is simply to avoid any possibility of litigation from Humax or Freesat/Freeview, no matter how remote the chances are. You may enjoy a degree of anonymity online, and can carry on with your enterprise with impunity, legal or not. However, I am known to Humax and not just as raydon, so they don't have far to look.
 

framedtoo

Member
"im not raydon have never been raydon and never will be raydon" it could be shortened "inrhnbranwbr"

that could fool them for a some time
 

Kyrt

New Member
af123, MD5 produces 32 byte hexadecimal checksums... have you tried it? The checksum could be of either the compressed or uncompressed block. There are of course others. If the signature uses a private key you're screwed.

Or better still, if you wing me (or point me to) the source for your extractor tool (assuming you are willing), I'd like to have a quick play.
 

af123

Administrator
Staff member
af123, MD5 produces 32 byte hexadecimal checksums... have you tried it?
MD5 produces 32 character (16-byte) hex checksums.

From analysis of the boot loader and the Heaven tool, it's using SHA256 (I can see the SHA256 seed value being set at the start of the HDF creation routine) which is a 32-byte checksum, but adding a twist somewhere that I haven't found yet. I need to find some more time to finish looking through the disassembly.

There's actually a bug in PD Heaven too - it only generates the correct checksum for the first file in an HDF archive.
 
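The elimination pass af123 describes (checking a range of standard checksums against the trailer of the one-byte zero file, and later observing that the bootloader appears to use SHA-256 with some twist) can be reproduced with a short script. What follows is an added example and is not code from the thread, from PD Heaven or from af123's HDF utility. The only data taken from the page is the 32-byte trailer posted for the one-byte file containing 0x00; the extra candidates (double SHA-256, length framing, HMAC with an empty key) are assumed guesses that show how to test a "twist" hypothesis, and nothing on the page says the bootloader uses any of them.

```python
"""Eliminate standard digests as the source of a 32-byte HDF trailer.

Added example; not code from the thread, from PD Heaven or from af123's
HDF utility. The only page-derived data is the trailer af123 posted for a
one-byte file containing 0x00. The extra candidates below are assumptions
used to demonstrate the method, not a description of the real algorithm.
"""
import hashlib
import hmac
import struct

# Trailer the thread reports for the one-byte file b"\x00" (copied from the
# hex dump in af123's post).
TRAILER_HEX = ("4e30d73c5ef79519314ba0ecef020d42"
               "2203c223e62b8a8e50bca4d0740c394d")
TRAILER = bytes.fromhex(TRAILER_HEX)

# Constructed sample input matching that test file.
SAMPLE = b"\x00"


def candidate_digests(data: bytes) -> dict:
    """Return a name -> digest map for plain hashes and a few assumed twists."""
    out = {}
    for name in ("md5", "sha1", "sha256", "sha3_256", "blake2s", "sha512"):
        out[name] = hashlib.new(name, data).digest()
    # Assumed twists (not from the page): common ways a vendor wraps SHA-256.
    out["double_sha256"] = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    out["sha256_len_prefix_le32"] = hashlib.sha256(
        struct.pack("<I", len(data)) + data).digest()
    out["sha256_len_suffix_le32"] = hashlib.sha256(
        data + struct.pack("<I", len(data))).digest()
    out["hmac_sha256_empty_key"] = hmac.new(b"", data, hashlib.sha256).digest()
    return out


def length_excluded(data: bytes, trailer: bytes) -> list:
    """Names whose digest length differs from the trailer (they can never match).

    This is the point about MD5: it yields 16 bytes, so it is ruled out
    before any byte comparison is needed.
    """
    return sorted(n for n, d in candidate_digests(data).items()
                  if len(d) != len(trailer))


def find_matches(data: bytes, trailer: bytes) -> list:
    """Names whose digest equals the trailer byte-for-byte."""
    return sorted(n for n, d in candidate_digests(data).items()
                  if hmac.compare_digest(d, trailer))


def report(data: bytes, trailer: bytes) -> str:
    """Human-readable summary of the elimination pass."""
    lines = [f"trailer ({len(trailer)} bytes): {trailer.hex()}"]
    for name, digest in candidate_digests(data).items():
        if hmac.compare_digest(digest, trailer):
            verdict = "MATCH"
        elif len(digest) != len(trailer):
            verdict = "length mismatch"
        else:
            verdict = "no match"
        lines.append(f"{name:24s} {digest.hex()[:32]}...  {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, TRAILER))
    print("matches:", find_matches(SAMPLE, TRAILER) or "none")
```

Running it against the posted trailer reports no match for any candidate, which is consistent with af123's result. Two caveats for anyone extending the list: hashlib cannot set a custom initial state, so if the "twist" turns out to be a non-standard SHA-256 seed value (as the disassembly comment suggests), testing it requires a pure-Python SHA-256 whose initial hash words can be replaced; and if the trailer is actually an RSA signature over the hash rather than the hash itself, no digest candidate will ever match, which is the case af123 warns would leave the project stuck without the private key.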