- How does the patch to disable the signature check work? I know from the wiki that the bootloader is encrypted and signed; however, the XPU stores it in RAM unencrypted, so this means the patch is only temporary, and every time we reboot the box, the bootloader goes back to its original condition?
Yes, that is correct. Without a valid signature, there is no way to boot the SMP with the normal process.
A semi-permanent solution would be a microcontroller that is attached to the JTAG port to patch the bootloader on each start.
- What do we know about communications with bootstrap.asmx, and exactly how does the box log in to the provider's server? It logs in with what? I don't think it's a username/password, but it has to be something.
Maybe the web services used in bootstrap are based on Microsoft Connected Services Framework (on MSDN, it shows some methods related to IPTV).
It is web service communication, but the HTTP body is encrypted with some kind of session key. It looks similar to NTLM v2.
- What exactly is the role of the MAC address in the login authentication? I heard that the STB's MAC needs to be "authorized" to work. Is it possible to modify the MAC? The wiki says XENV has a SHA1 hash of its contents, but is it encrypted or signed?
Not sure if the MAC is checked when the box registers itself at the IPTV server. I don't remember if the MAC is transmitted in the web service requests...
The MAC is set in the bootloader, so it can be patched in the bootloader. I think it is stored in the secure flash inside the SMP, so it is not that easy (maybe even impossible) to change it permanently.
There is also a MAC reference in the XENV block, but that is not used in our case.
The XENV can be modified with YAMON... it is only hashed, not signed.
- TV2client is a CLR binary; in theory it should run out-of-box on a PC, probably it is dependent on some non-managed DLL. Has anybody explored this?
Yes, it works, but you need to create dummy DLLs for all the hardware access.
- Will a direct SMP JTAG connection give access to the XPU? How exactly does the communication between WinCE and the XPU work? (I am not talking about the boot process, but about how WinCE/tv2client retrieves the keys.)
The XPU is completely shielded. The interface between CPU and XPU is a small shared memory area where encrypted+signed binaries are stored (XTASKS). The CPU has no control at all over the XPU; it can only initiate tasks, wait for them to complete, and fetch the result from the shared memory... at least that is my understanding.
- I know there are some STBs based on SMP using Linux, but where is the source? Linux is GPL; they legally have to provide us the source, at least the kernel, its drivers and other GPLed applications that they chose to use (like busybox).
Good point. I think that should be tried... I have only seen the source of an SMP-based box, but it was a 2.4.xxx kernel... The source of a 2.6.xxx kernel would be nice. So if you want to contact Popcornhour or Dune-HD developers... just try it... they should supply the source.
- Does anybody know which server is used for firmware downloads for the MEO service (IPTV in Portugal)?
No idea. I have only found the servers for BT-Vision and T-Home.