FOX T2 Hacking?

It's based on busybox same as the foxsat. It's stripped down though so it's just a case of adding it in.
Hopefully will be able to test further tommorow night, roll up my own hdf file and test.
 
Amazing. Genuinely excited to see what can be done, DLNA was my main reason for buying the box. Is there a guide anywhere as to how you unpacked the hdf?
 
Same here... I read the Foxsat hack with interest........ but I'm useless with Linux... good luck.
 
OK, i need help with this and i'm not going to be able to get to my box after tonight until next week.
I dont understand Linux all that well anyway so maybe this should be pushed forward by someone who does.

What i've done:
Using WinHDFTool.V1.2 (Dont ask - google it) (run full screen - windowed cuts off some buttons), I extracted the 4 firmware bins as raw files.
I then extracted hdfbin-1-000000.raw with 7-zip (its just compressed).
It is this part of the flash that needs modding in the same way as the FoxSat and then putting back into a hdf file.

If you have a browse around hdfbin-1-000000.raw after uncompressing, you will find it is the linux fs ! ;-)

What i'm stuck with:
I've modded the linux fs, dropped it back into the hdf with WinHDFTool, changed it to compressed (orange - dont know what this does) and tried to flash the box.
Flashing the box is sucessful - no errors, however i cannot telnet to the box and the new ftp does not work, so i dont think this part is actually flashing. It looks like it is only updating the second part of the flash.
From what i have read, this is fairly safe (someone like raydon will be able to offer better advice however).

What i think is wrong:
According to notes i have read, a SSH key needs to be present for the box to accept the flash. I have not messed with this - i've downloaded putty-gen, but I dont know where the key goes! I think it is the hdfbin-128-000000.raw as there are two and they are both 32 bytes. When i have investigated the foxsat hdr file however, i cannot see that it is a key so i am not certain.

What needs to be done:
Fix the above so that the flash is accepted by the box (raydon will know how)
Avoid the FTP conflict by either totally replacing the standard tinyftp or creating another instance.
Remove the useless firmware upgrade from the hdf file (same as what raydon has done) to shrink the filesize and to be safer.
Change references to FoxSat to Fox T2!

If anyone can help with this it would be much appriciated by all your fellow Fox T2 owners ;-)
Hopefully this will be enough of a start for someone to pick it up!
I really recommend you do some reading up however before you start attempting any of this, and of course, i accept no responsibility should you do something wrong and kill your box.

I will be online from time to time over the next week, but will not be able to get to my box to test until earliest Sunday night.
 
OK, this is harder than i thought.
The tool used to mod the foxsat firmware crashes when you try to load the Fox T2 firmware.

How I was trying to do this previously using WinHDFTool was not working as it was stripping out my changes, and there are no instructions to tell me why.

I've still got a few more things I can try (using a combination of tools), but really the tools need updating as the majority are about 5 years old and someone who really understands the Humax hdf format needs to help us out.

I've also read disturbing reports that an uneven file size/raw file size can brick the box which makes me feel uneasy without knowing the full risks involved.

I think it would be more than helpful to have our German friends on the iCord forum help out as they have a lot more experience than us newcomers.

There is a lot of potential here, but we/i need a kick-start.
 
I may have chance to play with WinHDFTool tonight. Unfortuanatly my Linux knowledge is also minimal and bricking my box is something I am not willing to risk.

However, if there is anything you would like me to try out, either post of pm me and I will see what I can do.
 
I've managed to extract the Linux filesystem from the hdfbin-1-000000.raw which itself is contained within the HDF file. I'm going to attempt to install the OpenSSH binaries so that I can SSH into the box. Apparently box uses a MIPS processor so you have to run an emulator to boot the OS. Been looking at the iCord forums and it seems that you have to use the qemu emulator. Though I've not yet worked out how to use it with an existing filesystem. I do have experience with Linux so once I've got the OS running I should have no problems installing extra software. Any help would be appreciated.
 
Good job. Extraction however, is the easy part.
Remember to keep in mind the flash size on the box is 32mb I think from memory (it's detailed in the manual), I was starting to struggle for space after adding all the additions from the foxsat mod.

Also keep a note of the system ID. I think it will be needed to make a hdf again.
I didnt bother using linux to mod, i just used windows tools. Linux may be the way to go however.

Just shout if you need any advice.
 
Good job. Extraction however, is the easy part.
Remember to keep in mind the flash size on the box is 32mb I think from memory (it's detailed in the manual), I was starting to struggle for space after adding all the additions from the foxsat mod.

Also keep a note of the system ID. I think it will be needed to make a hdf again.
I didnt bother using linux to mod, i just used windows tools. Linux may be the way to go however.

Just shout if you need any advice.

I guess there are two different ways to hacking the software:
  • Extract the filesystem and drop in precompiled binaries and configuration scripts.
OR
  • Mount the extracted filesystem and boot it on PC. Then just install required software.
The problem with the first approach is that you would need to have precompiled binaries for MIPS processors. I was thinking that if I could boot from the extracted filesystem then I can download the sources for any application that I wanted to install and then compile.

I've got a feeling it maybe more reliable to use Linux as the filesystem that is extracted is Linux and it's more likely to preserve the correct permissions etc when recreating the HDF file.

Chris, have you had an success yet getting your mods working on your Humax?
 
You must use Linux to unsquash your filesystem in order to maintain file permissions etc. If you you use the Windows version you'll get lots of errors. I've used WinHDFTool to remove all but the busybox binary hdfbin-1-000000.raw and it's associated -128- file. from an original Humax firmware and reflashed successfully with that. I then tried adding a utelnetd binary and startup script to the OS then mksquash'ing it back but I can't get the T2 to accept it. I just got an error code which I can't remember. I suspect the secret is in the checksums in the -128- file. :(
 
You must use Linux to unsquash your filesystem in order to maintain file permissions etc. If you you use the Windows version you'll get lots of errors. I've used WinHDFTool to remove all but the busybox binary hdfbin-1-000000.raw and it's associated -128- file. from an original Humax firmware and reflashed successfully with that. I then tried adding a utelnetd binary and startup script to the OS then mksquash'ing it back but I can't get the T2 to accept it. I just got an error code which I can't remember. I suspect the secret is in the checksums in the -128- file. :(

Where did you get the utelnetd and start up script from?
 
Have a look at the foxsat mod to see the scripts raydon has used.

Thanks for the advice raydon :)

No, I've not been successful as yet, same as raydon, I think it's the checksum.
Using another tool however "PD-Heaven" I think it was called, it has an option to fake sign the file. Maybe worth a second look.

Raydon, how did you pass the checksum for the foxsat mod? Or was it not an issue? Maybe security has been upped for the T2?
 
No, I've not been successful as yet, same as raydon, I think it's the checksum.
Using another tool however "PD-Heaven" I think it was called, it has an option to fake sign the file. Maybe worth a second look.
This tool will not load a T2 hdf file. It just crashes.
Raydon, how did you pass the checksum for the foxsat mod? Or was it not an issue? Maybe security has been upped for the T2?
Foxsat hdf's are not signed.

The reason I have not pursued this any further, is that all content on the T2 ,both SD and HD, is encrypted as it is recorded. Any SD content later copied to USB is decrypted on the fly. Same goes for the upcoming DLNA server feature. SD is decrypted as it's streamed off the box. That's why all content transferred by FTP is encrypted. It's not that FTP is doing the encryption, it was encrypted from the start. I draw the line at tweaking publicly licensed software like the Linux busybox OS. Attempting to reverse engineer proprietary software to remove encryption is a different ballgame altogether, and it's not where I want to go. This is the main reason why I have not published details on how the firmware modification was achieved. If people are intent on doing this, then I will not be the one to give them the tools. Humax know who I am, and I definitely do not want to be on the wrong end of any litigation from them.
Apart from that, Humax are still actively developing T2 firmware, whereas the Foxsat HDR is a 'mature'product, unlikely to get any major updates. Good luck with your endeavors, and be careful what you publish in public forums.
 
This tool will not load a T2 hdf file. It just crashes.
I know, thats what i was saying previously. But maybe creating from scratch using the System ID?

The reason I have not pursued this any further, is that all content on the T2 ,both SD and HD, is encrypted as it is recorded.
I see. I'm not really bothered if the content is encrypted. I just want to stream it to another box or XBMC. If it is decrypted when steamed, then this is worth the time and effort. If HD is still encrypted however, thats when i would question the worth?
I've not mentioned anything about removing encryption ? or reverse engineering proprietary software ? I just want the same extras as the Foxsat.
 
I know, thats what i was saying previously. But maybe creating from scratch using the System ID?


I see. I'm not really bothered if the content is encrypted. I just want to stream it to another box or XBMC. If it is decrypted when steamed, then this is worth the time and effort. If HD is still encrypted however, thats when i would question the worth?
I've not mentioned anything about removing encryption ? or reverse engineering proprietary software ? I just want the same extras as the Foxsat.
If you just want streaming to XBMC or wherever, then just wait for the DLNA server service which is going to be provided by Humax very soon. No need to put any effort into adding your own. Even if you did manage add something like Twonky, it would not be able to decrypt the video. It's only Humax's own DLNA server that can do that. And if you can't decrypt the video, there's no point in trying. That's why I assumed you were going down that route.
 
I think the worry is that Humax will release an implementation which is so locked down it won't actually work with any clients other than Foxes.
 
Why not wait and see :rolleyes:
Some people like to tinker and there are a lot more possibilities than just streaming recordings. Also who knows how long it will be before Humax release the media server (although I guess not long since it has been in beta).
 
Back
Top