FOX T2 Hacking?


New Member
I was suggesting that if the 32 hexadecimal characters are expressed as 1 byte per character (i.e. a text representation of the hexadecimal), it would be 32 bytes. But if you've established it's SHA256 already then it seems you're on the right track regardless.


Staff member
So, finally got to the bottom of the 32 byte trailer blocks. They contain a checksum of the preceding file generated by a faulty SHA256 algorithm (perhaps deliberately broken for obfuscation?) which has then been encrypted with a block cipher.

I've finished the HDF tool so that it handles these signature blocks automatically and generates the correct checksums on the fly. When I get back home later this week I'll try and update the software on my box using it.


Staff member
I haven't had any luck getting my Humax to take an updated filesystem via USB and I'm confident that I'm now creating valid images with correct checksum blocks (if I unpack and re-pack any of the versions from the Humax site I get back to the same file).

The box sees the update file and says it's programming it, then says download success, but after the reboot there is no difference and the last update date in system information still says January. There's no indication as to why the update wasn't accepted.


Staff member
Spoke too soon:

$ telnet humax
Connected to humax
Escape character is '^]'.
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                   15.1M     15.1M         0 100% /
/dev/root                15.1M     15.1M         0 100% /
tmpfs                    61.0M      4.0k     61.0M   0% /tmp
tmpfs                    61.0M         0     61.0M   0% /media
/dev/mtdblock1            2.0M    456.0k      1.6M  22% /var/lib/humaxtv
/dev/mtdblock2            2.0M    388.0k      1.6M  19% /var/lib/humaxtv_backup
/dev/sda1              1011.4M     36.2M    923.8M   4% /mnt/hd1
/dev/sda2               906.1G    224.6G    635.5G  26% /mnt/hd2
/dev/sda3                 9.8G    268.1M      9.1G   3% /mnt/hd3


New Member
Great stuff, now let's see if you can conjure up some cool ideas. I would love to see remote scheduling, but not sure if examining an sqlite table structure is considered reverse engineering (I assume this is where scheduling info is stored).


New Member

As far as I understand reverse engineering is allowed (otherwise Wine project would be illegal). However, you're now allowed reverse-engineering by looking at the code.

However, would table structures constitute "code" - I don't think so but might be a grey area.

The problem with updating tables is that I'd guess you'd need to signal to the program that the tables need to be re-read.
Hopefully a reboot won't be necessary ?


The legalities of the situation are going to be different in what ever country you are based in. Observing a situation and then writing your OWN code to do the same thing is not illegal (in UK or US) - this is a prime example of how Samba designed their software by observing what windows NT server did if you sent certain packets to it, and then writing code that did the same thing (but in a different way) - Obviously copying the code is illegal.
The reason I raise this is that if somebody with a HD-FOX T2 is thinking of downloading the HDR-FOX T2 code and copying the TV portal code from this box's firmware and 'adding' it to the HD-FOX T2's fireware this would seem to be a violation of Humax's copyright on the code - However I doubt they would try and defend their copyright on this code if you tried to do this in their current situation. - This also depends what the license is that Humax have granted users of the firmware

Second point that could be considered is regarding the database. As the database is already editable via the remote control (for recording schedule etc) all you are going to be doing is writing code that makes the same changes to the DATA stored in the table - you are not going to be making changes to the table structure are you :)

Either way unless you go and publish your work for all to see I doubt anybody will ever find out - and if anybody does, tell them to go away and get a warrent to search you house, and then wipe the flash before they get back - or just simple toss it out your window into the street and let it smash.....


New Member
Second point that could be considered is regarding the database. As the database is already editable via the remote control (for recording schedule etc) all you are going to be doing is writing code that makes the same changes to the DATA stored in the table - you are not going to be making changes to the table structure are you :)

You're not editing the data stored in the tables with the remote control. The remote control interacts with the humax program that's running. The question is "when does the humax program read the database ?". Obviously it does this on boot up. Its possible it never reads its again, since when you add/delete a recording it knows what you're doing. However, if the humax is actually a few programs (or threads) - 1 to control the interface and 1 to do the recording then once the data is changed in the db then it would need to signal to the recording program/thread to re-read the database.

Will be interesting finding out....


Staff member
I've almost got an HDF file ready that I'll be happy to share, but I need to find more time to finish it and tidy up. I've also got a very lightweight TCL interpreter with SQLite3 support running on my box that has no problems reading the Humax databases.

humax# jimsh
Welcome to Jim version 0.71, Copyright (c) 2005-8 Salvatore Sanfilippo
. package require sqlite3
. set db [ /var/lib/humaxtv/rsv.db]
. set res [$db query {select * from tbl_reservations}]
. foreach r $res {puts "$r(szevtname) $r(nduration) $r(szCRID)"}
i7Octonauts 600 FP.BBC.CO.UK/KQX9Q1
i7Octonauts: Creature Reports 300 FP.BBC.CO.UK/KS658O
i7Dennis & Gnasher 900 FP.BBC.CO.UK/KR9GHW
i7CSI: New York 3600 WWW.FIVE.TV/RAQN
i7CSI: Crime Scene Investigation 3600 WWW.FIVE.TV/RAUE
i7Chuggington 600 FP.BBC.CO.UK/KPM3QK
i7The Scooby-Doo Show 1800 FP.BBC.CO.UK/KSN12C
Wonders of the Universe 3600 FP.BBC.CO.UK/KT948D
i7The Mentalist 3600 WWW.FIVE.TV/RAQQ
i7The Mentalist 3600 WWW.FIVE.TV/RAQQ
i7Waking the Dead 3600 FP.BBC.CO.UK/KTCWHC
Comic Relief Highlights 2011 3600 FP.BBC.CO.UK/KTCX9K
Formula 1: The Chinese Grand Prix 9000 FP.BBC.CO.UK/KTGN3M
i7Formula 1: The Chinese Grand Prix 3600 FP.BBC.CO.UK/KTLO9J
SuperScrimpers: Waste Not Want Not 1800 WWW.CHANNEL4.COM/C4ED0110330162111551
i7The Fall Guy 3900 WWW.ITV.COM/27759895
i7The Fall Guy 3600 WWW.ITV.COM/27759897


I've not got the time to help out with this at the moment but I'd like to say well done and thanks to everyone for getting this far. Great work. Being able to mod the firmware provides many opportunities to enhance the product. Android springs to mind as a great example of this.

Although there are only a few contributors on this topic, I'm sure there are many others who take an interest but do not have the time and/or skills to help out.


New Member
I agree I'm from the .Net world so apart from and Android Phone and electrical aroudn the house I don't really use Linux.
However I have been watching this thread avidly, and hoping for the break through.

For me the important thing is that if humax cut us adrift we can still add to the product; from Humax's lack of intrest in it's customers this could be likely too.

Is there any chance of using the box to connect directly to the iplayer site, rather than going through the slow portal?
Or are there issues with the speed and abilty of architecture?

Again top marks guys.


Staff member
Does this mean you are not going to release your HDF Tool so that anyone can just make their own ? :rolleyes:

I plan to release that in the next couple of weeks. I just need to make some time to finish it off!

It might even be useful to streamline the creation of your FOXSAT files :)


Thanks for all the work af123, that answers my previous PM to you, and I guess there is no point in me spending my time anymore 'trying' to repeat your work...................


Staff member
I've started working on a little tool to extract information from .hmt files and allow some useful tweaks. Not ready for release yet but I just wanted to share a little triumph..

I have a lot of folders of kids' programmes, like these
humax# ls
Chuggington_20110107_0748.hmt  Chuggington_20110305_0720.nts
Chuggington_20110107_0748.nts  Chuggington_20110305_0720.thm
Chuggington_20110107_0748.thm  Chuggington_20110305_0720.ts
Chuggington_20110107_0748.ts  Chuggington_20110306_0720.hmt
Chuggington_20110108_0720.hmt  Chuggington_20110306_0720.nts
Chuggington_20110108_0720.nts  Chuggington_20110306_0720.thm
Chuggington_20110108_0720.thm  Chuggington_20110306_0720.ts
Chuggington_20110108_0720.ts  Chuggington_20110307_0719.hmt
Chuggington_20110109_0720.hmt  Chuggington_20110307_0719.nts
... (you get the picture)

and there are a lot of duplicates and they all show up in the Media List as just 'Chuggington'.
I wrote a small script which uses my new 'hmt' utility:


[ ! -d dup ] && mkdir dup

for hmt in *.hmt; do
        fbase=`basename $hmt .hmt`

        epg=`hmt $hmt | grep '^EPG:' | cut -d: -f2`

        newfbase="`echo $epg | tr '[/ ]' '[._]'`"

        [ "$fbase" = "$newfbase" ] && continue

        echo "$fbase -> $newfbase"

        if [ -f "$newfbase.ts" ]; then
                echo "    Duplicate"
                mv "$fbase."* dup

        for f in "$fbase."*; do
                [ ! -f "$f" ] && continue
                ext=`echo "$f" | sed 's/.*\.//'`
                echo "      Moving $f [$ext]"
                mv "$f" "$newfbase.$ext"
        hmt +patchtitle="$epg" "$newfbase.hmt"

and now I have a folder like:

A_Pat_On_The_Paintwork.hmt          Koko_on_Call.hmt
A_Pat_On_The_Paintwork.nts          Koko_on_Call.nts
A_Pat_On_The_Paintwork.thm          Koko_on_Call.thm
A_Pat_On_The_Paintwork.ts          Koko_on_Call.ts
Action_Brewster.hmt                Late_Again_Eddie.hmt
Action_Brewster.nts                Late_Again_Eddie.nts
Action_Brewster.thm                Late_Again_Eddie.thm
Action_Brewster.ts                  Late_Again_Eddie.ts

No more duplicates and the media list shows titles like 'Koko on Call" now.

Edit: the dedup package is now availabe in the repository.