Beta [iplfix] BBC iPlayer fix

Status
Not open for further replies.

prpr

Well-Known Member
I've created a package which implements the iPlayer certificate fixes from the firmware update images Humax have recently made available.

You just need to download the attached file, unzip it, copy the .opk file to the Humax via whatever your preferred method is, install it using "opkg install" and then reboot.
You do not need, and should not have, the iplhack package installed.

It should work on both the HDR and HD units, although I have not tested it on the latter due to being somewhat remote from my unit.
It works for me so hopefully it will work for you if you decide to try it. Feedback appreciated.

Edit: These instructions are obsolete
 
Last edited:
New Readers:

The custom firmware iplfix pre-beta package corrects the problem which caused the BBC iPlayer section of the Humax TV Portal to stop working in September 2020, as discussed here: https://hummy.tv/forum/threads/iplayer-stopped-working.9882/

In summary: the cryptographic certificates required to authenticate accesses to the BBC servers, embedded in the Humax HDR-FOX and HD-FOX firmware, expired and thus rendered the TV Portal unable to play content from iPlayer. Replacement certificates have been published unofficially (by a new firmware download made available on request), which were extracted and can be installed using the iplfix package.

Full installation instructions are provided in post 15 (click).

Any new issue of the Custom Firmware (currently 3.13) will most likely include the new certificates and not require iplfix.


As originally posted:

Is there an unzip command available in CF? If so, I presume the appropriate command line incantations could wget the zip, unzip it, and install it.
 
Last edited:
There is unzip available if you install it e.g. opkg install zip
I only zipped it for the forum which won't accept .opk files. However, you could try this instead:
Code:
humax# cd /tmp
humax# wget https://www.dropbox.com/s/link-munged-as-file-deleted/iplfix_1.0_mipsel.opk
humax# opkg install iplfix_1.0_mipsel.opk

Edit: These instructions are obsolete
 
Last edited:
It should work on both the HDR and HD units, although I have not tested it on the latter due to being somewhat remote from my unit.
On my HD-FOX, with iplhack I was getting "something went wrong" this morning trying to play a couple of things. I removed iplhack and used the post 3 instructions to install iplfix, then tried it without a reboot - I got "something went wrong" with error code 01114 even trying to access iPlayer (never got to a play option).

After a reboot, it works and I was able to initiate play.
 
I got "something went wrong" with error code 01114 even trying to access iPlayer (never got to a play option).
That's expected as installing the package deletes a load of files the browser needs to operate. Rebooting magically recreates them from somewhere. Some of them are different after changing the certificates, but just changing the certs and rebooting doesn't update all the files, only some of them - you need to delete them first to force it. I gave up with trying to work out what it was doing at that point.
 
First, may I refer testers to these instructions for correctly removing iplhack.

Is there any reason for including the expired root certificates in iplfix/certs/root? It should be possible to refresh most of them.
Code:
# for ff in /mod/tmp/iplfix_1.0_mipsel/boot/2/iplfix/certs/root/*.pem; do 
> openssl x509 -text -in "$ff" 2>/dev/null | { echo ${ff##*/}; grep -E 'Issuer:|Not After :'; }
> done
equifax_secure_ca.pem
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
            Not After : Aug 22 16:41:51 2018 GMT
gte_cybertrust_global_ca.pem
        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
            Not After : Aug 13 23:59:00 2018 GMT
humax_tvportal_rootcert_2k_20101106_pub.pem
        Issuer: C=KR, ST=KYUNG-GI, L=SUNG-NAM, O=HUMAX Co., CN=humaxtvportal.com/emailAddress=tvportal@humaxdigital.com
            Not After : Nov  1 11:36:30 2030 GMT
rootcert_1k.pem
        Issuer: C=KR, ST=KYUNG-GI, L=SUNG-NAM, O=HUMAX Co., CN=humaxdigital.com/emailAddress=info@humaxdigital.com
            Not After : Sep 28 07:12:55 2020 GMT
thawte_personal_basic_ca.pem
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
            Not After : Jan  1 23:59:59 2021 GMT
thawte_personal_freemail_ca.pem
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
            Not After : Jan  1 23:59:59 2021 GMT
thawte_personal_premium_ca.pem
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
            Not After : Jan  1 23:59:59 2021 GMT
thawte_premium_server_ca.pem
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
            Not After : Jan  1 23:59:59 2021 GMT
thawte_server_ca.pem
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
            Not After : Jan  1 23:59:59 2021 GMT
verisign_g1_c1_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g1_c2_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g1_c3_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
            Not After : Aug  2 23:59:59 2028 GMT
verisign_g2_c1_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g2_c2_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g2_c3_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g2_c4_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not After : Aug  1 23:59:59 2028 GMT
verisign_g3_c1_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3
            Not After : Jul 16 23:59:59 2036 GMT
verisign_g3_c2_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3
            Not After : Jul 16 23:59:59 2036 GMT
verisign_g3_c3_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3
            Not After : Jul 16 23:59:59 2036 GMT
verisign_g3_c4_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
            Not After : Jul 16 23:59:59 2036 GMT
verisign_g4_c3_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4
            Not After : Jan 18 23:59:59 2038 GMT
verisign_g5_c3_public_primary_ca.pem
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
            Not After : Jul 16 23:59:59 2036 GMT
#
Also, I was able to view a show with iPlayer on one of my HD-Fox T2s after installing and restarting!
 
Last edited:
The link to the special version of CF in post #1 takes me to an unauthorised page. Is that intentional?
 
I guess you are not on the approved list for that section. I'll PM you the details.
 
Is there any reason for including the expired root certificates in iplfix/certs/root?
That's what Humax supplied. It was a "try it out and see what happens" kind of thing, without any refinement.
It should be possible to refresh most of them.
Great. But I have no idea how, so any info. would be useful.
Also, I was able to view a show with iPlayer on one of my HD-Fox T2s after installing and restarting!
Good!
 
That's what Humax supplied. It was a "try it out and see what happens" kind of thing, without any refinement.
...
I guessed so.

As to the the certificates, in this case my memory beats yours!

A current version (129 certificates) of the Mozilla NSS certificate bundle that @af123 included in the ca-bundle package is here (161kB text file) (and also the ca-bundle package ought to be updated from there). They seem to be disjoint from the root certificates included by Humax but are good enough for FireFox, as well as curl. My doubt about replacing the non-Humax roots with the Mozilla ones is that the settop program may load all the much larger number of certificates and be left with even less free memory.

AIUI, the certificates listed in /usr/browser/client.conf are processed into the files opcacrt6.dat (roots) and opcert6.dat (others) in /var/lib/humaxtv/browser.

In the desktop version of Opera from the same era, you would use some settings menu to import the PEM/P12 certificates (a default root set would be distributed with the program). As the setup for iplfix demonstrates, deleting the .dat files causes them to be regenerated.

I assumed that part of the settop wrapper code for the embedded Opera used the client.conf file (which wasn't in the desktop version, to my recollection) to generate the .dat files, in which case any client certificates not listed in the configuration file wouldn't really need to be shipped. However the settop binary seems to know about the certs/client and certs/server directories and not client.conf: perhaps it just loads all the certificates it finds regardless of client.conf. It's not quite true that expired certificates can only be used with a time machine: an expired certificate can still validate something that was signed during its validity period. This may be a reason for not removing the expired Humax client certificate.
 
That's expected as installing the package deletes a load of files the browser needs to operate. Rebooting magically recreates them from somewhere.
Duh! The fixed ones are in /usr/browser/opera_home/ which I completely failed to look in.
 
Humax Customer Support tell me "It is with regret that I inform you that iPlayer has been discontinued for that model (HDR Fox T2) due to a lack of support from the BBC. We apologise for any inconveniences caused".

I would love to get iplayer back working, so I have installed opkg beta in CF 3.13 and unzipped iplfix_1.0_mipsel.opk to my computer. At this point, having little knowledge of coding I cannot figure how to get iplfix onto my Humax, please can someone kindly give me a step by step walk through to get iplayer up and running? TIA
 
please can someone kindly give me a step by step walk through to get iplayer up and running? TIA


Manual Installation of iplfix

Readers please note: iplfix is (as of 10/03/2021) available in the standard package repo (not beta) as an advanced package. Previously the package required manual installation, as described below for historical reference (obsolete). New users should refer to the relevant thread, here (click).

Option 1: Directly via a Command Line
  1. If you previously installed iplhack you need to remove it through WebIF >> Package Management.

  2. If not already installed, install webshell through WebIF >> Package Management, and reboot. (You could use Telnet for the following instead of webshell, but webshell offers an easier route.)

  3. Use webshellto obtain a command window:–
    • WebIF >> Diagnostics >> Command Line
    • Enter your PIN (default is 0000)
    • Type "cli" to select command line option from menu

  4. If you might have had iplhack installed before (and removed it), a little clean-up is needed because of an error in its de-installation script (you do not need to do this if you never had iplhack installed, but it does no harm). At the command prompt (you can use copy and paste, but you have to right-click to paste in webshell):–
    • if crontab -l | grep -q /iplhack; then crontab -l | grep -v /iplhack | crontab -; fi

  5. Download and install iplfix. At the command prompt:–
    • Change the working Directory to the temporary directory (anything in here disappears at boot):
      cd /tmp
    • Download the .opk directly from prpr's Dropbox (no longer available):
      wget https://www.dropbox.com/s/g67k0c8oppeiaf3/iplfix_1.0_mipsel.opk
    • Install it:
      opkg install iplfix_1.0_mipsel.opk
    • Reboot to take effect (don't do this if you're recording!):
      reboot
Job done.


Option 2: Using Auto-Install from USB

Please note the author has no experience of this method, so comments gratefully received.

There is a facility built into the CF (Custom Firmware) for automatic loading of packages from USB. With the HDR-FOX (with CF installed) already running, plug in a USB storage device containing the relevant .opk or .opb at the root level. The CF should detect this, and install from it automatically. For more information see the relevant wiki page (click).

This presumes the user has not previously installed iplhack (which needs to be removed - see above). In the case of iplfix, a reboot is required after installation for the package to take effect.


There is unzip available if you install it e.g. opkg install zip
I only zipped it for the forum which won't accept .opk files. However, you could try this instead:
Code:
humax# cd /tmp
humax# wget https://www.dropbox.com/s/g67k0c8oppeiaf3/iplfix_1.0_mipsel.opk
humax# opkg install iplfix_1.0_mipsel.opk
If that file doesn't exist, the package has probably already been uninstalled. Instead, use this command at a command prompt to clean up the detritus:
Code:
if crontab -l | grep -q /iplhack; then crontab -l | grep -v /iplhack | crontab -; fi
After either of these, a restart may also be a good idea.
 
Last edited:
Black Hole, Thank you for the full walk through to get iPlayer up and running. Your detailed instructions worked well for me on my first journey through a cli and I learned a lot on the way.
 
Black Hole, Thank you for the full walk through to get iPlayer up and running. Your detailed instructions worked well for me on my first journey through a cli and I learned a lot on the way.
Excellent. You haven't stated explicitly, but I presume iPlayer is indeed working now you have CF+iplfix installed.
 
Last edited:
Excellent. You haven't stated explicitly, but I presume iPlayer is indeed working now you have CF+iplhack installed.
Yes, iPlayer is working and I can record as before. CF + iplfix installed. Thanks again, I would never have got there without your guide.
 
Status
Not open for further replies.
Back
Top