Sniffing the OTA firmware updates for the HDR-1000S

mafoo

EDIT: I've put this in the wrong section, could a mod move it please? :oops:

Is there currently anyone looking into custom firmwares for the HDR-1000S? I have a spare box coming in the post that I'd like to sacrifice to the modding gods as soon as I get it, any hint of a JTAG header will be sniffed out :)

I've spent some time trying to break apart the HDR-1000S update/reset file available on the Humax website, with limited success. I get the feeling that a firmware update sniffed from the OTA is probably the best route as it's likely to be a full(er) image.
 
There isn't a forum section for the HDR-1000S custom firmware. You could post a message in the HDR-FOX T2 custom firmware section asking for advice on how best to proceed.
 
There's no need to sniff OTAs for a copy of the hdf. Humax have released a USB version (1.00.22) for this box. Available from HERE. I could be wrong but I believe that the OTAs contain information in the same format as the blocks contained in the hdf.
From what myself and one or two others have been able to ascertain from what little information is available, this box and all recent Humax offerings, contain a LUKS encrypted file system.
Unlike earlier squashfs packed hdf's, which were otherwise in the clear, these are pretty much locked down. Sorry, but JTAG may prove to be the only way to get root access on any of these boxes. Providing a header even exists on the board that is. :(
I don't have a 1000-S myself so am not in any position to tinker.
 
Thanks for replying Martin & Raydon.

Raydon: I've downloaded that firmware and attempted to deconstruct it, but 99% of all the available HDF tools fail to read the file. (EDIT: Actually I think I may have been looking at the rest firmware) There is one utility that will create one large raw file from it, but I'm unsure if this is doing it 100% correctly. If I binwalk the contents for strings I can see much more human readable content, for instance, a list of xml files:

p1_s6_a3.xml
p2_s2_a2.xml
p2_s2_a3.xml
p1_s6_a4.xml
help.xml
p1_s4_a5.xml
p2_s3_a2.xml

etc...

But this is where it starts to fall apart as I'm unable to extract any files cleanly, other than a few PNG files.

If a firmware could be uploaded to the machine and custom code injected, LUKS aside, would it be possible just via a firmware update? Or am I barking up the wrong tree here? :D

Thanks for your time.

M
 
The HD/HDR-FOX .hdf files are crypto-signed, so in order to build .hdf files those machines will accept it is necessary to reconstruct the authentication. For the 1000S and the like, you need to battle with encrypted images as well.
 
Having read a few threads here and there I thought the code wasn't signed on all Humax devices? Or does it differ from box to box? I noticed Binwalk found some blowfish encryption, but I assumed this was a false positive.

I also note that source code for some HDF tools has been taken down, was this to avoid angering the Humax gods?
 
Which one was that ?

You're probably barking in the wrong forest, never mind the wrong tree.

Sometimes it's hard to see the forest for the trees ;) WinHDFTool will decompress the smaller firmware update (the one I was playing around with), but not the larger one, it will list the blocks, decompress one but falls over in a heap if you try to decompress them all. I notice humidify is mentioned around these parts but it's absent as anything other than a compiled binary on hummypkg, source also AWOL, I take it there has been some effort to curb tinkering in the community?
 
The source was never released but there are binaries available for most operating systems. I can post a link if you can't find it.
 
If you could please, every thread I found referencing it didn't have a link, I was starting to think there was a conspiracy, I'll put away my tin foil hat. I could only find the MIPS binary, I was trying to figure out how I could build something in QEMU to run it lol.

Thanks :)
 
I tried humidify on the 1.0.22 hdf a while back. I think it just created one big raw file with nothing human readable in it which might indicate content. I did get WinHDFTool v1.1 to decompress it into three files: hdfbin-1-8440F000.raw - 2,780,757 bytes, hdfbin-1-80400000.raw - 36,819,212 bytes, and hdfbin-7-130000.raw - 9 bytes. But again there was nothing in them to indicate content. :(
 

Attachments: WinHDFTool.zip (204.4 KB)

Thanks Af123!

raydon - When you save the three files via WinHDFTool, had you checked the compress/raw box? I can output three files, but I think they are uncompressed as there is nothing of interest in them, but if I toggle the compression switch the application falls over in a heap on two of the raw files, BUT, one of the files will save as a raw seemingly uncompressed, with the human readable string in it of "UKSFAA" which it did not previously, my assumption being that this particular block is now uncompressed.

There is clearly a difference between the "Data" version of the update/fix firmware and "Full";


HDF Tool v1.0.2, by af123, 2011.

Opening hdr1000s_upgrade_data.hdf, 14096644 bytes.

Blocks: 1857
Model: 5
System ID: 809c.7d00 - 809c.7d04

File Offset Address Type Flags Size Uncompressed Size
---- ------ ------- ---- ----- ---- -----------------
Oversized block.
1858,0xd71804: data block:
File Offset: 14096388 (0xd71804)
Block Length: 30360 (0x7698)
CRC: 0xbbfd
Flags: 0x8a
Type: 0xa2
Original Length: 63242 (0xf70a)
Address: 0x2fab875
Datalen: 30348 (0x768c)

1 0000014 8bd00000 3 0x80 14074084 60821504 (6.24%)

HDF Tool v1.0.2, by af123, 2011.

Opening hdr1000s_upgrade_full.hdf, 39614774 bytes.

Blocks: 1210
Model: 5
System ID: 809c.7d00 - 809c.7d04

x 1.hdfbin-1-80400000.raw Address mismatch: 0x231d10c.
1125,0x23205d0: data block:
File Offset: 36832720 (0x23205d0)
Block Length: 32770 (0x8002)
CRC: 0xa613
Flags: 0x3
Type: 0x1
Original Length: 32758 (0x7ff6)
Address: 0x8440f000
Datalen: 32758 (0x7ff6)


So, I think WinHDFTool can see more raw chunks in the full firmware than HDFTool, but it can't decompress them, due to encryption or a change in format. The data update is more promising, but could be potentially useless.

What do you think?
 
There is no checkbox in WinHDFTool 1.1.
When you examine raw files extracted from the Foxsat HDR or HDR Fox T2 in a hex editor you can immediately see that it's squashfs file from the first 4 bytes which are "sqsh". With the 1000s files there must be another layer of encryption, i.e. LUKS. I reckon you're onto a loser here but best of luck with your efforts anyway.
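The "look at the first 4 bytes" check described in the post above, extended with an entropy fallback for blocks that carry no recognisable header. This is an added example, not part of the original post or any of the HDF tools mentioned; the "hsqs" and LUKS magic values come from the public format specifications, and the function names and sample blobs are constructed for illustration.

```python
import math
from collections import Counter

# "sqsh" is the magic quoted in the thread; "hsqs" (little-endian squashfs)
# and the LUKS header magic are assumptions added from the format specs.
MAGICS = {
    b"sqsh": "squashfs (big-endian)",
    b"hsqs": "squashfs (little-endian)",
    b"LUKS\xba\xbe": "LUKS header",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_magics(blob: bytes):
    """Return sorted (offset, name) for every known magic anywhere in blob."""
    hits = []
    for magic, name in MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def classify(blob: bytes, window: int = 4096) -> str:
    """Label a block by its leading magic, falling back to entropy."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    if shannon_entropy(blob[:window]) > 7.5:
        return "opaque: no magic, high entropy"
    return "plain: no magic, low entropy"

# Constructed samples, not taken from any real firmware image.
SAMPLES = {
    "fox_like.raw": b"sqsh" + bytes(60),
    "opaque.raw": bytes(range(256)) * 16,  # uniform bytes stand in for ciphertext
    "strings.raw": b"p1_s6_a3.xml\nhelp.xml\n" * 64,
    "embedded.raw": bytes(512) + b"LUKS\xba\xbe" + bytes(64),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob), find_magics(blob))
```

High entropy alone cannot distinguish compression from encryption, and a short magic found deep inside a large block can be a chance match, so treat both results as hints to confirm in a hex editor.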
 
Ahh you're correct, I see what the check box/toggle does now, it doesn't actually do what I thought it did *ahem* :rolleyes: .

I'd seen it's fairly straightforward to unsquash the Fox in comparison, shame this isn't. It is curious how the smaller "data" update is mostly human readable, it must update an area of the file system that they don't care about, there is the potential to inject something mischievous in there I suppose, but that's a long shot, it would probably break everything in the process.

I noticed the box listens on ports 53, 12321, 54154 and 58981, the only port that responds in any way is port 12321, which returns an "Unknown Command" in a browser window, but doesn't respond to telnet/ssh in any manner, another dog, another wrong tree to bark up ;)

Thanks for your pearls of wisdom, it's all very interesting.
 
Model 5 is a new one on me. The Freeview and Sat Fox boxes specify model 4 in their HDF files.
I'll have a look to see if I can work out why the utility is having problems though... not sure if it will really help.
 
If you have a spare moment to tinker that would be great :) Alas I didn't win the partially faulty box I was hoping to acquire via ebay, someone else beat me to it by a few £, typical, I'll keep an eye out for a patient to take apart, I don't mind spending a little on it. I'd rather not toy with the main Hummy, Mrs Mafoo would be none too pleased if I bricked it ;)
 
It's almost as if Humax don't want their firmware improved, or to attract the denizens of this forum to buy one of their new boxes. Now there's a funny thing.
 