PACE DIT7431/05 (Black BT box)

[is0-mick]

Hi Guys,
Got a black BT box today to disect.
Completely different to the other boxes. This one is Broadcom based.
BCM7405.

I think the board could be a reference design, or they designed it for multiple uses.
There are a number of places where unpopulated components would fit, such as another card reader, and also an external power jack (12v type).
There is also a place for a reset switch, and for another sata port.

Pictures attached.

Does anyone have any datasheets (not the 2 page product brief) or ballout for the BCM7405?

Mick

[is0-mick]

Seem to be having problems attaching photos.

Mick

[zfeet]

Here's 196 pages of goodness

[is0-mick]

Cool nice one.

Thanks zfeet

Mick

[gloader]

  Glad you have got one of these now.. I am good with pc hardware etc but not so good with things like this black box.. so will be great to see what you can find out about it.. yes i had noticed place for second sata port etc..

[is0-mick]

Well, looking at the PDF, the secure co processor could do all kinds of nasty stuff, like verify the boot signature from an onboard rom. There is also a mention of secure handshake to access jtag (maybe they didnt implement it?)

I may need to get hold of another box to remove the CPU, then we can trace the jtag pads to see if they go anywhere.

It seems a better build than the sigma box, and a 400mhz cpu (from the data sheet).
Also being sata, and the sigma chip network or ide performance being crap iirc, the box should perform a lot better than the previous one.

However if the secure modes are implemented in the cpu, then a cpu replacement may be the only option

Mick

[mce2222]

Hoernchen had some more documents about that cpu directly from the broadcom library... unfortunately he has vanished... no idea why.
from what I remembered, he mentioned that the security of the cpu is very similar to the sigma cpu.

about the performance... I have read some user-reviews where they said that the box feels a bit faster but not THAT much.

anyway, it is interesting that broadcom finally managed to get a competitive SoC on the market. up to now I did not see a real product using the chip.
at least the documentation of the chip is way better than this joke that Sigma is providing.

[is0-mick]

Apparently the Dreambox DM500HD uses the BCM7405 chip too.

Mick

[mce2222]

but that box isnt long on the market either... about the same as the pace

[Mulder3]

Can you provide the BT firmware for that box? I would like to see what changes MS did to tv2client/tv2engine.

[is0-mick]

Hi Mulder3,
Seems they have done a few changes.
The etc.bin now seems encrypted, so the normal tools don't open it to get to the tv2client.

There also seems to be 3 filters in the NK.BIN and some hash / key file?

I dont have the files to hand at the moment, will send you a PM later.

Just to add, I also have found the jtag pins on the board, which is the connector to the left of the sata ports.

Pin 1 seems to be nTRST, I have tried a few combinations but no ID from the chip..
jtag are pins 1 - 6 (5 is GND).

I'm awaiting another box to remove the CPU to verify the pin assignment.

Mick

[Mulder3]

Ok, send me a PM later.

About the security, while it could be just another layer of Windows CE security(most likely, i think), i can also be some kind of encryption related to Broadcom's SoC security co-processor. That WinCE filters you referred can use the co-processor to perform the decryption. What do you think?

[Plasma]

Way to go guys watching this topic with interest! 

Plasma

[Plasma]

I have one of these black beauty's winging its way to me, any news on whether they are suceptible to a similar hack?

Plasma

[is0-mick]

Hi Plasma,
Unfortunately I haven't had time to progress this any further....

Mick