Supporting other boxes (IRHD-5000C/IRHD-5300C)

jschwart

New Member
Is there any documentation on how the customized firmware provided here was developed? I have two boxes here, an IRHD-5000C and an IRHD-5300C. Both of them have Ethernet and USB ports. It would be nice if I could get shell access to at least one of them.
 

Black Hole

May contain traces of nut
Is there any documentation on how the customized firmware provided here was developed?
The entire forum is documentation. You will find it all discussed, but you'll have to start at the beginning. However, I can give you a brief summary ("our" and "we" refers to this community and HDR-FOX, not specifically myself):

1. Capture a firmware update file for examination. In our case that was easy because Humax made update files available for users to download and apply, to allow for non-universality of Internet connections in those days. More recent models may access the firmware update directly by Internet, limiting the options for interception. Also, in those days (as an alternative to Internet for distribution), firmware updates were broadcast over the air, and it was possible to capture them with a DVB-T USB dongle.

2. Analyse the firmware update file to recognise what it represents. In our case that wasn't too difficult because the data was not encrypted, and Humax used some open-source stuff for the OS (Linux) which meant they were obliged to publish information about the non-proprietary elements of the code (with a proprietary undocumented executable that runs under the OS providing the actual PVR functionality). With a knowledge of the target processor and the OS structure, it was possible to add small tweaks which enabled a Telnet console and thus gain root access to the OS. It is likely more recent models use encrypted update files, making it necessary to figure out decryption before the analysis can be done.

3. Figure out the crypto-signature which authenticates firmware updates. Without the matching crypto-signature, a firmware update file is not recognised and not installed. It was necessary to generate the signature for the tweaked update file in order to make it install, and thus add hooks to run our own code.

Really, we got lucky. The HDR-FOX was the first DVB-T2 PVR, and it was rushed to market with very naive security presumably on the assumption that nobody would be very interested in "cracking" it. The primary driver for cracking it was to remove the security on HiDef recordings, intended to ensure playback of an off-air HiDef recording was restricted to the unit that recorded it only. This is a requirement imposed on the PVR manufacturers by the broadcasting industry.

Consequently, it is the broadcasting industry, not Humax itself, who would be upset that it was cracked, and the loopholes we exploited have notably been plugged in more recent models.
 
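Step 2 above turns on whether the captured update file is encrypted or in the clear. A first check a practitioner makes is an entropy profile: plaintext and executable code sit well below 8 bits per byte, while encrypted or compressed regions sit near it. The following is an added example, not code from the forum or from the HDR-FOX tooling; the 4 KiB block size and the 6.0/7.5 thresholds are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* log2 built from plain arithmetic so the tool links without libm. */
static double log2_plain(double x) {
    double r = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 40; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
        bit /= 2.0;
    }
    return r;
}

/* Shannon entropy in bits per byte (0.0 .. 8.0) over len bytes. */
double block_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_plain(p);
    }
    return h;
}

/* Rough label (assumed thresholds): code and text well under 6, encrypted or compressed data near 8. */
const char *classify(double h) {
    if (h < 6.0) return "plaintext-like";
    if (h >= 7.5) return "high-entropy";
    return "mixed";
}

/* Print one line per 4 KiB block of the update file: offset, entropy, label. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s update.bin\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    static uint8_t buf[4096];
    size_t n, off = 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        double h = block_entropy(buf, n);
        printf("0x%08zx  %.2f  %s\n", off, h, classify(h));
        off += n;
    }
    fclose(f);
    return 0;
}
```

A file that is high-entropy from the first block to the last is most likely encrypted (or one big compressed blob); a mix of plaintext-like and high-entropy stretches usually means an unencrypted container with compressed sections inside, which is the case the post describes.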

MartinLiddle

Super Moderator
Staff member
In our case that was easy because Humax made update files available for users to download and apply, to allow for non-universality of Internet connections in those days. More recent models access the firmware update directly by Internet, limiting the options for interception.
Not sure why you think that, firmware for the current Freeview models is available from the Humax web site.
 

Black Hole

May contain traces of nut
Fair enough, perhaps I should have put "may access...". That's just one barrier fewer to overcome.
 
OP
jschwart

jschwart

New Member
Thanks a lot for your replies! It seems you're spot on regarding the availability of firmware update files. As far as I can see, there are exactly NONE available online for any of the models I have. They were only ever provided OTA.
I should see what Humax provides when I mail them for information on their GPL address.

Some alternative ideas:

The only daemon running on one of the boxes is the FTP daemon. Maybe this daemon has an exploit? Do you know which FTP server is running on your boxes? I guess mine could be similar.
There is a portal option in the menu on the same box, possibly it tries to fetch some data over HTTP (not HTTPS). I can change the provider through the secret menu. This might be exploitable as well. Do you know what is used to render the portal? Are you aware of any official portal that still operates with the Humax?

Did you copy/analyze the complete flash data off your boxes? Is it known what bootloader is used? Could it be possible to boot off USB instead?

Maybe a firmware could be built from scratch, especially if the bootloader is flexible. Did other manufacturers build boxes that have similar hardware? This is common with routers/WAPs.
 

/df

Active Member
These look like products that didn't make it to the UK, presumably because the firmware knows Freeview not.

Comparing the manuals, the 5300C has the same GPL components as the HD/R Fox T2, plus iptables, avinfo and libjpeg. However the last of these is found in the CF's /usr/lib: I don't think this directory has been modified in CF, so that looks like an oversight, as confirmed below.

The built-in FTP server is tinyftp in both cases, but this package is silent about its own version.

You can now download GPL components from https://holdings.humaxdigital.com/open-source/ directly. The Wiki links to a different page that it says requires you to create an account but in any case no longer works.

The download list for HDR Fox T2 is missing freetype (the link is provided for HD Fox). Otherwise, apart from iptables and avinfo, some reduplicated extensions, and OpenSSL, the versions, where listed, look almost identical. In fact, I couldn't find many of the listed products (HDR-2000T, e.g.) that didn't have the same toolchain and Linux versions.

Code:
    HDR Fox T2                                                                                   IRHD-5300C
    
    --                                                                                           avinfo-1.0a15.zip
    busybox-1.12.4.tar                                                                           ==.tar
    config_HDR-FOX-T2.tar                                                                        config_IRHD-5300C.zip
    crosstools_hf-linux-2.6.18.0_gcc-4.2-11ts_uclibc-nptl-0.9.29-20070423_20090508.tar.bz2       ==.bz2
    curl-7.19.6.tar.bz2                                                                          --
    e2fsprogs-1.40.8.tar                                                                         ==
    --                                                                                           freetype-2.3.7.tar.bz2
    id3lib-3.8.3.tar.gz                                                                          ==
    --                                                                                           iptables-1.4.10.tar.bz2
    jpegsrc.v6b.tar.gz                                                                           ==
    libexif-0.6.16.tar.bz2                                                                       ==
    libpng-1.2.25.tar.bz2                                                                        ==
    ntpclient.tar.gz                                                                             ntpclient.zip
    openssl-0.9.8l.zip                                                                           openssl-1.0.0a.zip
    rt3070.tar.gz                                                                                rt3070.zip
    stblinux-2.6.18-7.1_r3761.tar.gz                                                             stblinux-2.6.18-7.1.zip
    tinyftp.tar.gz                                                                               tinyftp.zip
    uClibc-nptl-0.9.29-20070423.tar                                                              ==.tar
    zlib-1.2.3.tar.bz2                                                                           ==
 
OP
jschwart

jschwart

New Member
Ah nice, so that's at least the sources! Thanks a lot for sharing that page. I don't see any instructions on compiling this into a working firmware image though. Has this already been achieved?
 
OP
jschwart

jschwart

New Member
Yes I did. I have only seen references based on an existing firmware image, nothing on creating a firmware from scratch with just the sources. Did I miss something?
 
OP
jschwart

jschwart

New Member
For some models the build instructions say the output ends up in a tftp directory. Maybe it would be possible to boot the box and provide it a kernel image and root filesystem through TFTP. This is something that works for recovering Speedtouch modems. Maybe the specs for the respective Broadcom chipsets have info on that.
 

/df

Active Member
Even if you could force an update from something built with the GPL sources, wouldn't you just have destroyed the non-GPL stuff that you'd need to make a working box? I expect the tftp thing is the bootloader installing the new image, not doing a network boot.

I understand that most of these consumer devices have a JTAG, or similar, serial test interface, if only as pads on the PCB. Then you might be able to recover a system image and work on that ...

Or if you can get it to try downloading a software update, then Wireshark could help you to find where it might be ...
 
OP
jschwart

jschwart

New Member
I managed to obtain the remote. Does anybody know of a working Humax TV Portal? Depending on the operator setting in the hidden menu, it either doesn't do anything or it shows that interactive TV is temporarily not available.

I looked around for exploits for tinyftp. Someone found an exploit, but there are no details available.

I should probably log the traffic from the box with Wireshark.
 

/df

Active Member
...
I looked around for exploits for tinyftp. Someone found an exploit, but there are no details available.
...
Probably not the same tinyftp. There is a Japanese one, which has a buffer overflow calling sprintf() in its do_mkdir() function.

This one, with source files (at the Humax link mentioned earlier in the thread) dated 2008-11-11 00:14, is by Dimitur Kurov from 2005 with Humax mods that have non-ASCII comments and reference Irdeto, a content security company. Maybe Humax retained Irdeto to modify the program and the work was farmed out to the Far East -- someone with username jhlee? The file structure and function names indicate that this program is unrelated to the earlier one above.

In case Irdeto didn't do a good job, you could scan and/or build and fuzz (maybe in a MIPS32 VM?) the source provided.
 
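The sprintf()-in-do_mkdir() bug described above is a classic unbounded write into a fixed-size path buffer. As an added illustration (hypothetical code, not tinyftp's, and not from this forum), the unsafe pattern is shown next to a bounded replacement that rejects over-long or directory-climbing names instead of overflowing or silently truncating; this is also the property a fuzz harness on the real source would check.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: sprintf() writes "<cwd>/<name>" without knowing the size
 * of out, so a long client-supplied name runs past the end of the buffer.
 * Kept only for contrast with the bounded version; it is never called here. */
void join_path_unsafe(char *out, const char *cwd, const char *name) {
    sprintf(out, "%s/%s", cwd, name);
}

/* Bounded version: snprintf() returns the length it wanted to write. If that
 * does not fit (NUL included), fail rather than truncate to a path the caller
 * never intended. Names containing a separator or ".." are refused too, so a
 * directory-creation request cannot climb out of the current directory. */
int join_path_safe(char *out, size_t outlen, const char *cwd, const char *name) {
    if (out == NULL || outlen == 0 || cwd == NULL || name == NULL) return -1;
    out[0] = '\0';
    if (name[0] == '\0' || strchr(name, '/') != NULL || strstr(name, "..") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", cwd, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo with a constructed 600-byte name, the kind of input a fuzzer produces. */
int main(void) {
    char path[256], longname[600];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("short : %d -> %s\n", join_path_safe(path, sizeof path, "/pub", "incoming"), path);
    printf("long  : %d\n", join_path_safe(path, sizeof path, "/pub", longname));
    printf("dotdot: %d\n", join_path_safe(path, sizeof path, "/pub", "..x"));
    return 0;
}
```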
OP
jschwart

jschwart

New Member
Ah, that's good to know. Irdeto is famous around here. They provide the technology for the encryption and smartcards used by cable operator Ziggo in the Netherlands. One of my university teachers on a mathematical course on coding theory moved there and came back once to give a presentation on their technology.

The idea of doing a fuzz is interesting, I should try that, yeah!
 