Some Questions

Started by Mulder3, 07. Feb 2008, 02:09


Mulder3

07. Feb 2008, 02:09 Last Edit: 07. Feb 2008, 02:15 by Mulder3
- How does the patch to disable the signature check work? I know from the wiki that the bootloader is encrypted and signed; however, the XPU stores it in RAM unencrypted, so does this mean the patch is only temporary, and every time we reboot the box the bootloader goes back to its original condition?

- What do we know about the communication with bootstrap.asmx, and exactly how does the box log in to the provider's server? It logs in with what? I don't think it's a username/password, but it has to be something.
Maybe the web services used in bootstrap are based on the Microsoft Connected Services Framework (on MSDN, it shows some methods related to IPTV).

- What exactly is the role of the MAC address in the login authentication? I heard that the STB's MAC needs to be "authorized" to work. Is it possible to modify the MAC? The wiki says XENV has a SHA1 hash of its contents, but is it encrypted or signed?

- TV2client is a CLR binary; in theory it should run out of the box on a PC, but it is probably dependent on some non-managed DLL. Has anybody explored this?

- Will a direct JTAG connection to the SMP give access to the XPU? How exactly does the communication between WinCE and the XPU work? (I am not talking about the boot process, but about how WinCE/tv2client retrieves the keys.)

- I know there are some STBs based on the SMP using Linux, but where is the source? Linux is GPL; they legally have to provide us the source, at least the kernel, its drivers and other GPLed applications that they chose to use (like busybox).

- Does anybody know what server is used for firmware downloads for the MEO service (IPTV in Portugal)?

Thanks.

mce2222


Quote

- How does the patch to disable the signature check work? I know from the wiki that the bootloader is encrypted and signed; however, the XPU stores it in RAM unencrypted, so does this mean the patch is only temporary, and every time we reboot the box the bootloader goes back to its original condition?


Yes, that is correct. Without a valid signature, there is no way to boot the SMP with the normal process.
A semi-permanent solution would be a microcontroller attached to the JTAG port that patches the bootloader on each start.


Quote

- What do we know about the communication with bootstrap.asmx, and exactly how does the box log in to the provider's server? It logs in with what? I don't think it's a username/password, but it has to be something.
Maybe the web services used in bootstrap are based on the Microsoft Connected Services Framework (on MSDN, it shows some methods related to IPTV).


It is web service communication, but the HTTP body is encrypted with some kind of session key. It looks similar to NTLM v2.


Quote

- What exactly is the role of the MAC address in the login authentication? I heard that the STB's MAC needs to be "authorized" to work. Is it possible to modify the MAC? The wiki says XENV has a SHA1 hash of its contents, but is it encrypted or signed?


Not sure if the MAC is checked when the box registers itself at the IPTV server. I don't remember if the MAC is transmitted in the web service requests...
The MAC is set in the bootloader, so it can be patched in the bootloader. I think it is stored in the secure flash inside the SMP, so it is not that easy (maybe even impossible) to change it permanently.

There is also a MAC reference in the XENV block, but that is not used in our case.
The XENV can be modified with YAMON... it is only hashed, not signed.




Quote

- TV2client is a CLR binary; in theory it should run out of the box on a PC, but it is probably dependent on some non-managed DLL. Has anybody explored this?


Yes, it works, but you need to create dummy DLLs for all the hardware access.


Quote

- Will a direct JTAG connection to the SMP give access to the XPU? How exactly does the communication between WinCE and the XPU work? (I am not talking about the boot process, but about how WinCE/tv2client retrieves the keys.)


The XPU is completely shielded. The interface between the CPU and the XPU is a small shared memory area where encrypted and signed binaries (XTASKS) are stored. The CPU has no control at all over the XPU; it can only initiate tasks, wait for them to complete and fetch the result from the shared memory... at least that is my understanding.



Quote

- I know there are some STBs based on the SMP using Linux, but where is the source? Linux is GPL; they legally have to provide us the source, at least the kernel, its drivers and other GPLed applications that they chose to use (like busybox).


Good point. I think that should be tried... I have only seen the source of an SMP-based box, but it was a 2.4.xxx kernel... The source of a 2.6.xxx kernel would be nice. So if you want to contact the Popcorn Hour or Dune-HD developers... just try it... they should supply the source.



Quote

- Does anybody know what server is used for firmware downloads for the MEO service (IPTV in Portugal)?


No idea. I have only found the servers for BT-Vision and T-Home.


robert_s


Quote

It is web service communication, but the HTTP body is encrypted with some kind of session key. It looks similar to NTLM v2.


It uses SOAP, but the requests are all encrypted and digitally signed using the box's internal certificate and private key.


Quote

Not sure if the MAC is checked when the box registers itself at the IPTV server. I don't remember if the MAC is transmitted in the web service requests...


The MAC address is part of the box's certificate (it's the "subject" of the certificate), and IIRC it is also used as the "user name" for the login.


Quote

The MAC is set in the bootloader, so it can be patched in the bootloader. I think it is stored in the secure flash inside the SMP, so it is not that easy (maybe even impossible) to change it permanently.


Well, you can, but then you wouldn't have any valid certificate the IPTV server would accept from your box...


Quote

Yes, it works, but you need to create dummy DLLs for all the hardware access.


FWIW, I once wrote a dummy tv2engine.dll which allows the DRA application to run on the PC, but it only gets to the point where TV2DRACE.EXE wants to have its requests to the server encrypted and digitally signed, and since I can't get the private key from the box, there is no way to create a valid digital signature, so the IPTV server rejects all the requests made to it...
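robert_s's point above, that a patched MAC is useless to the server without the matching key, as an added illustrative model (not the box's protocol and not any Microsoft or Sigma code): the server binds the identity claimed in a request to the key enrolled for that identity and checks the signature against exactly that key. A per-device HMAC secret stands in for the box's RSA private key held in the XPU, and the MACs, keys and request layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed enrolment table: per box MAC (certificate subject / login
# "user name"), the device key the server knows for it. An HMAC secret
# stands in here for the RSA private key that the real box keeps in the XPU.
ENROLLED_DEVICES = {
    "00:11:22:33:44:55": b"constructed-device-key-box-A",
    "66:77:88:99:AA:BB": b"constructed-device-key-box-B",
}


class SecureElement:
    """Models the XPU: holds the device key and signs on request, never exposing it."""

    def __init__(self, device_key: bytes) -> None:
        self._device_key = device_key

    def sign(self, payload: bytes) -> str:
        return hmac.new(self._device_key, payload, hashlib.sha256).hexdigest()


def build_login_request(mac: str, xpu: SecureElement, client_version: str = "1.0") -> dict:
    """CPU side: build the login body and have the secure element sign it."""
    body = json.dumps({"mac": mac, "clientVersion": client_version}, sort_keys=True).encode()
    return {"body": body, "signature": xpu.sign(body)}


def server_verify_login(request: dict) -> bool:
    """Server side: the claimed MAC selects the enrolled key; the signature must match it."""
    claimed_mac = json.loads(request["body"])["mac"]
    device_key = ENROLLED_DEVICES.get(claimed_mac)
    if device_key is None:
        return False  # unknown MAC: nothing enrolled, reject
    expected = hmac.new(device_key, request["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["signature"])


def demo() -> dict:
    """Genuine box, box claiming another MAC with its own key, and a body altered after signing."""
    box_a = SecureElement(ENROLLED_DEVICES["00:11:22:33:44:55"])
    genuine = build_login_request("00:11:22:33:44:55", box_a)
    patched_mac = build_login_request("66:77:88:99:AA:BB", box_a)
    tampered = dict(genuine, body=genuine["body"].replace(b'"1.0"', b'"9.9"'))
    return {
        "genuine": server_verify_login(genuine),
        "patched_mac": server_verify_login(patched_mac),
        "tampered": server_verify_login(tampered),
    }
```

Only the genuine request verifies; the other two fail at the server even though the client-side code never had to handle the key itself.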

Mulder3

#3
07. Feb 2008, 19:56 Last Edit: 07. Feb 2008, 20:02 by Mulder3
I've been playing around with .NET reflector and found some interesting things:

- Yes, it logs on to the web service with LoginEx(); you can find this in the login() method of the "Microsoft.TV.bootstrap" class. It authenticates with
"info = proxy.LoginEx(clientVersion, Authenticator.Default.MyCertificate, TV2Engine.GetSTBType());". It gets the certificate from the "Microsoft.TV2.crypto.Authenticator" class, and "Authenticator" gets it from "Microsoft.TV2.security.TV2SecureCore". TV2SecureCore is just a stub into the native DLL tv2engine.dll, which I think retrieves the keys from the XPU (I don't have experience with MIPS assembly).

So, maybe we can modify the tv2client assembly with tools like Reflexil (http://sourceforge.net/projects/reflexil), which allows us to inject C# code into tv2client.exe to dump the certificate to the UART port... I think it should be possible... what do you think?

robert_s


Quote

So, maybe we can modify the tv2client assembly with tools like Reflexil (http://sourceforge.net/projects/reflexil), which allows us to inject C# code into tv2client.exe to dump the certificate to the UART port... I think it should be possible... what do you think?


That's not even necessary. You can extract the certificates from the dumps created by the bootloader dumper found in the wiki. However, without the private key, you won't be able to encrypt or sign the messages. And you cannot get at the private key, since that is inaccessibly stored inside the XPU from what I understand.

Mulder3

So, tv2client just sends the message to the XPU, and the XPU will return its signature. Looks like we have to wait for the Xbox 360 version; as far as I know, the Xbox doesn't have a secure CPU to store RSA keys... I currently don't have an X300T, I am waiting for the service to become available in my area, but even if we can't get the private key, we can at least know what the box is sending to/receiving from the server by injecting code into tv2client (adding code to the methods that encrypt/decrypt messages) to dump the messages before they are encrypted (for messages sent) and after they are decrypted (for messages received). At least we can understand the protocol; it's better than nothing... I'm thinking of trying this; in theory, it should work... What do you think?

Mulder3

#6
08. Feb 2008, 01:50 Last Edit: 08. Feb 2008, 15:56 by asgard
Can anyone try this modified tv2client?

I modified the stub method SetMacrovision(bool enable) to always set the argument of TV2Engine_MacrovisionEnable() to false... It should disable Macrovision...


REMOVED COPYRIGHT-PROTECTED FILE

xthing

One question:
Why would you want to extract the private keys?
To turn the box into a more flexible multimedia receiver there is no need to access these keys.

BTVHack

I can try this out, but what would disabling Macrovision do?

robert_s


Quote

One question:
Why would you want to extract the private keys?
To turn the box into a more flexible multimedia receiver there is no need to access these keys.


But to "emulate" the box on your PC in order to be able to develop extensions to the box functionality more easily, it'd be required.

mce2222

We should keep an eye on copyrighted content... posting the tv2client.exe is not a good idea.
It is better to provide information on what bytes to change.

I have a feeling that Sigma and MS are not happy if they find out that their "secure" IPTV platform is not so secure after all... if they search for a way to shut the forum down, copyrighted material is an easy target.
It is only a matter of time before a C&D is fired when you give them a reason to do so.


BTW, you can also disable HDCP with config options... so if you have an old LCD or use an HDMI->DVI adapter, you should be able to use the box ;)
Another nice change is to ignore the copy protection flag on the record-tv-show method. (... that's what you get when you try to screw customers)

Mulder3


Quote

We should keep an eye on copyrighted content... posting the tv2client.exe is not a good idea.
It is better to provide information on what bytes to change.

I have a feeling that Sigma and MS are not happy if they find out that their "secure" IPTV platform is not so secure after all... if they search for a way to shut the forum down, copyrighted material is an easy target.
It is only a matter of time before a C&D is fired when you give them a reason to do so.


BTW, you can also disable HDCP with config options... so if you have an old LCD or use an HDMI->DVI adapter, you should be able to use the box ;)
Another nice change is to ignore the copy protection flag on the record-tv-show method. (... that's what you get when you try to screw customers)


Where exactly in the namespace is "record-tv-show()" ?

mce2222

Check Microsoft.TV2.DVR.DvrManager:

IsRecordingAllowed(....)
IsBufferingAllowed(....)
IsManualRecordingAllowed(....)


xthing

Quote

But to "emulate" the box on your PC in order to be able to easier develop extensions to the box functionality, it'd be required.

Hmm, I don't get that... remote debugging through JTAG should be easier than writing a box emulator for x86 just for development?
From what I understand from the sniffed bootstrap headers on the wire, the private keys are used for authentication and I suppose also for the AV content decryption... so the only reason to get access to the keys would be to authenticate/decrypt from a different place with the same rights as the STB... and my guess would be that most people wouldn't use that possibility for "development" :)

In general I have a question:
What is the intention of this project? Is the goal to utilize the hardware as a network media player, is the goal to modify/extend the current firmware, or is the goal to replace the current firmware and use the T-Home service with it?
Just curious :)

mce2222


Quote

Hmm, I don't get that... remote debugging through JTAG should be easier than writing a box emulator for x86 just for development?
From what I understand from the sniffed bootstrap headers on the wire, the private keys are used for authentication and I suppose also for the AV content decryption... so the only reason to get access to the keys would be to authenticate/decrypt from a different place with the same rights as the STB... and my guess would be that most people wouldn't use that possibility for "development" :)


Actually, it is even easier to use the Visual Studio remote debugger than JTAG.
However, it is a bit quicker to develop a C# application on a local PC and upload the final application to the real hardware.

But back to the keys. The initial question was: "how to get the original application to work on the PC"... and the answer is... "it is not possible, because you need the private keys to authenticate against the IPTV server".

If the application is modified or a completely new application is developed, then it is of course not required to have the private keys.




Quote

In general I have a question:
What is the intention of this project? Is the goal to utilize the hardware as a network media player, is the goal to modify/extend the current firmware, or is the goal to replace the current firmware and use the T-Home service with it?


The only common goal is to maximize the use of the hardware. The current goal is to prepare the possibility to create new applications or modify the existing one.
This is partly completed, but for writing a new C# application it would be required to analyze the DLL APIs that are available in WinCE.
The alternative option is to have everything Linux based... this is in the works as well; however, there would also be the need to analyze the Linux library API in this case.

The interesting part about the project is that all results can be applied to any SMP863x-based hardware ;)
The differences between SMP863x-based devices are very small since everything is already on the chip.
