Sniff login/update/disaster recovery

Started by asgard, 20. Jan 2008, 17:26


asgard

Hey,

Is it possible that someone who has a Philips DIT9719 could sniff the complete traffic (e.g. with Wireshark) and upload it here?
That would be great!

thx
asgard

redband

#1
21. Jan 2008, 10:23 Last Edit: 21. Jan 2008, 10:52 by redband
Hi,
I'll see what I can do.  My box is currently on a switch so I can't trace anything much other than UDP broadcasts.  I'll shuffle things around and see what I can collect.

I'm still researching the different modes of the philips box, but apparently I can do a "disaster recovery"/hard reset.

"To do this press down and select (the one in the middle) on the front of the box at the same time, then pull the power cable out, then put it in again (keeping buttons pressed), then when it comes on with a "technical difficulties" screen release the buttons. It will then reinstall all the software (takes about 20-30 minutes)."
This apparently chews recordings and series links, etc., so I won't be trying this on my current box.  Trying to get hold of a "spare" for experimentation.

There is also the soft reset: hold the 'standby' button down for a few seconds. It initiates a soft reboot.  Doesn't affect recordings, series links or any other configuration.

Not yet sure how to achieve the upgrade or login that you refer to with this box though...
Are there any recorded methods to achieve this with the X30-t?

Regards

Redband

mce2222

I am pretty sure that the bootloader of the Philips will be very similar (or even the same) as the one in the X300T.

That means there is a counter in the boot.prv file, which increases on each start.  Only if the startup completes is it set back to zero.
The bootloader checks this counter during startup, and if it is larger than 4 it will automatically trigger a disaster recovery.

So if you keep pressing the power button shortly after the display shows that it is beginning to start, you will get to the recovery pretty quickly.... it's the same on the X300T.


About the sniffing: I don't think it will help much to sniff the traffic, since it is all encrypted, well, except for the HTTP headers.
So the only things you will get are the server addresses and the URLs.... but no content itself.

Sniffing the traffic is also possible with a switch (at least for most unmanaged ones) ... when you use nasty hacker tools like Cain & Abel from http://www.oxid.it/

mikeprotts

I can get a trace up to a point.  I have started by connecting via my Linux box (on its second network card) so I can see what is sent.  I will see if I can interrupt as I go and then see what the box does.  So far it's trying to get a file from my TFTP server (as all DNS entries point back to the local machine).

Cheers
Mike

mikeprotts

I have a complete packet trace up to the point where the dra file has been downloaded (when the machine displays error BE01).

I changed my test linux machine to provide DHCP and DNS, so that any useful information stays local.  I then downloaded the bootstrap, sync and dra files from IPTVdiscovery.nevis.btopenworld.com using tftp on another Linux box (as this is an unprotected tftp server I didn't have to do anything special).

Then I copied these files to my test server's tftproot, and started the BT Vision box.  This got its IP address from my server using DHCP, and asked DNS for the IPTVdiscovery server (my DNS gave it my server address).  Then it used TFTP for the bootstrap and sync files, then asked DNS for syncserver.nevis.btopenworld.com.  Again I set my DNS to return my server IP and it used TFTP to download my copy of dra.  That's as far as it's got up to now.

I can provide the trace if anyone is interested.

Cheers
Mike
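The lab that Mike describes above (local DHCP, a DNS server that answers the two BT hostnames with the lab machine's own address, and a TFTP root holding copies of the bootstrap, sync and dra files) can be run from a single dnsmasq instance. The configuration below is an added example and is not something posted in the thread; Mike does not say which software he used. The interface name, the 192.168.50.0/24 addresses and the TFTP directory are assumptions for the example.

```conf
# dnsmasq.conf for an isolated capture LAN on the second NIC.
# Interface, addresses and the TFTP root are assumed values.
interface=eth1
bind-interfaces

# No upstream resolvers: nothing the box asks for leaves this machine.
no-resolv

# DHCP for the set-top box.  dnsmasq hands out its own address as router
# and DNS server by default, so the box talks only to this host.
dhcp-range=192.168.50.100,192.168.50.150,12h

# The two names the box resolves during boot, both pointed at this host.
address=/IPTVdiscovery.nevis.btopenworld.com/192.168.50.1
address=/syncserver.nevis.btopenworld.com/192.168.50.1
# To reproduce "all DNS entries point back to the local machine" instead,
# replace the two lines above with the wildcard:
#address=/#/192.168.50.1

# Serve the copied bootstrap, sync and dra files.
enable-tftp
tftp-root=/srv/tftp

# Log every query and lease so the capture can be read against them.
log-queries
log-dhcp
```

Run it in the foreground with `dnsmasq --no-daemon -C /path/to/this.conf` and capture the same interface with `tcpdump -i eth1 -w bootstrap.pcap`. TFTP data moves on ephemeral UDP ports after the initial request to port 69, so filter the capture on the box's address rather than on the TFTP port if you need to trim it.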

mce2222

a trace is not really needed I think.

the process of disaster recovery is documented in the WIKI
http://www.t-hack.com/wiki/index.php/Boot_Process

mikeprotts

That's why I didn't post the trace - I don't think it adds anything.  It does confirm the process for BT Vision though.  I've also hooked up a second box, which seems to be in a different state (I think it's never been used, but I'm not sure).  This one posted for document /bootstrap/Bootstrap.asmx and got a healthy-looking reply (I assume encrypted) but eventually came up with an error C01, and a diagnostic screen that said 'Box certificate: Not available'.  I suspect that problem may be because I've tunnelled the traffic for port 80 via a non-BT connection.

I'm still learning here, but I hope to get something useful soon, ideally a way to intercept and inject a useful boot loader.

Cheers
Mike

mce2222

if you get "box certificate unavailable" that usually means that the box was unable to register with the IPTV server.
either because the server rejected your IP (when you do not have a service subscription) or something does
not work with the server communication.

mikeprotts

It's almost certainly the server rejecting my IP, as I'd tunnelled this via a non BT isp.  There were no problems with any network traffic because my server was the default gateway and wireshark was showing no traffic.

Cheers
Mike

redband

Hi Mike,

Where do you see the debug error? Is this shown on screen?  My HDMI/monitor goes blank after startup but the box proceeds to post the /bootstrap/Bootstrap.asmx, part of which is the x-tv2-auth-ticketReq.  The box then expects a response containing x-tv2-auth-ticketResp.
This may be the point you are at. 

mikeprotts

It's on the screen (scart output).  I'm not seeing any network traffic at this stage.

Cheers
Mike

redband

I'll give it a go with SCART to see if it is at the same point.  I do get net traffic at this stage, as the box resubmits a Bootstrap.asmx with a new ticket request every 3-4 mins.  From a dump of traffic from my BT-connected box, it would usually only do this once, get the ticket response back and then proceed with startup.

mikeprotts

I'm trying to identify what sort of file bootstrap is.  It looks like a root CA cert in some format, and if I can work out how I will try to create my own certificate with my own root CA.  Then I'll see if the box gets as far if I create the signatures.

Cheers
Mike

mce2222

the only purpose of the "bootstrap" file is to provide the hostname of the system that should be contacted for registering the box.

So the file consists of the hostname, which is at the beginning... then you have a signature that is built just from the hostname, and finally
you have the certificate chain to verify the signature.

in theory it might be possible to use other certificates, but I think the root certificate is also stored in the cpu itself.

Actually I haven't tried it.... so who knows, maybe it will work, but I would be surprised ;)

redband

From DiscoverBootstrap...

                // Each field is a 16-bit big-endian length followed by that many bytes.
                // message: the hostname the box must contact to register
                num5 := ((reader.ReadByte shl 8) or reader.ReadByte);
                message := reader.ReadBytes(num5);
                // signature: computed over the hostname bytes only
                num6 := ((reader.ReadByte shl 8) or reader.ReadByte);
                signature := reader.ReadBytes(num6);
                // chain: the certificates used to verify the signature
                num7 := ((reader.ReadByte shl 8) or reader.ReadByte);
                chain := reader.ReadBytes(num7);
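The DiscoverBootstrap snippet above and mce2222's description of the file (hostname first, then a signature over the hostname, then the certificate chain) describe the same record layout. The parser below is an added example, not code from the thread, the wiki or the box firmware, and it reads exactly those three length-prefixed fields. Whatever the real bootstrap file carries before them is not shown on this page, so the caller passes the offset at which the hostname record begins (an assumption of the example). The sample blob, its hostname, and its signature and chain bytes are constructed placeholders, not material taken from a box.

```python
"""Parser for the three length-prefixed fields read by DiscoverBootstrap.

Added example, not code from the thread or from the set-top box firmware.
Layout, as shown in the decompiled snippet: for each of message (hostname),
signature and certificate chain, a 16-bit big-endian length followed by that
many bytes.  Anything preceding these fields in the real file is not shown on
the page, so `offset` (assumed) tells the parser where the record starts.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass
class BootstrapRecord:
    message: bytes     # hostname the box must register with
    signature: bytes   # signature computed over `message` only
    chain: bytes       # certificate chain meant to verify `signature`

    @property
    def hostname(self) -> str:
        return self.message.decode("ascii")


def _read_field(buf: bytes, pos: int, name: str) -> tuple[bytes, int]:
    """Read one u16-BE length-prefixed field, refusing truncated input."""
    if pos + 2 > len(buf):
        raise ValueError(f"{name}: missing length prefix at offset {pos}")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError(
            f"{name}: declares {length} bytes but only {len(buf) - pos} remain")
    return buf[pos:pos + length], pos + length


def parse_bootstrap(buf: bytes, offset: int = 0) -> BootstrapRecord:
    """Split a bootstrap record into message, signature and chain."""
    message, pos = _read_field(buf, offset, "message")
    signature, pos = _read_field(buf, pos, "signature")
    chain, pos = _read_field(buf, pos, "chain")
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after chain")
    return BootstrapRecord(message, signature, chain)


def build_bootstrap(message: bytes, signature: bytes, chain: bytes) -> bytes:
    """Inverse of parse_bootstrap; handy for building test vectors."""
    out = bytearray()
    for field in (message, signature, chain):
        if len(field) > 0xFFFF:
            raise ValueError("field too long for a u16 length prefix")
        out += struct.pack(">H", len(field)) + field
    return bytes(out)


# Constructed sample: made-up hostname, placeholder signature and a chain
# field that is just a few bytes, none of it real cryptographic material.
SAMPLE = build_bootstrap(
    b"bootstrap.example.invalid", bytes(range(16)), b"\x30\x82\x00\x00")


def demo() -> dict:
    """Parse the sample and show that a truncated copy is rejected."""
    rec = parse_bootstrap(SAMPLE)
    try:
        parse_bootstrap(SAMPLE[:-1])   # chain length now overruns the buffer
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "hostname": rec.hostname,
        "sig_len": len(rec.signature),
        "chain_len": len(rec.chain),
        "truncated_rejected": truncated_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

What the split makes visible is the trust boundary mce2222 points at: only the hostname bytes are signed, so the chain field is the one thing tying that hostname to an issuer the box trusts. Swapping in a chain from your own CA, as Mike proposes, can only succeed if the box accepts whatever root arrives in that field rather than one pinned in the CPU; the parser does no signature verification itself.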
