Well, they fooled me into buying this, and now they fooled me into buying a newer box!
-Cable TV provider that is.
I wanted to see if it could be hacked / reverse engineered, and I thought it was too bad to just toss it as garbage, although my cable provider bricked the use of it once I bought a new box. (Multicast / TFTP booting)
After fumbling around for a while I am now able to run it with my own modded firmware despite it having signed flash memory.
The bootloader is encrypted with a cert and tolerates only the correct cert or it will not boot.
Now it's just a matter of coding a decent HTML page for the different streams and sources.
This German/Netherlands forum was of great use: (google translate those)
Notes to self and the like-minded:
Key notes: after pressing the menu button on the IR remote while booting, the following codes unlock “advanced mode”:
7532 and 3257
In advanced mode you are able to clear the flash, and change splash and kernel modes.
Possible boot order codes and their meaning:
212 – tftp, local boot, tftp
313 – bootcast, local, bootcast
313 is the default, but 212 is my preference because you can’t enter letters with the IR remote controller.
To wipe text (backspace) you need to hold the red “back” while pressing “fast rewind” 4 times.
Furthermore, the key step is to set up a DHCP server that provides the TFTP server info (DHCP option 66) and the boot file name (DHCP option 67).
Get the right bin file from the site mentioned (vip-19x3 is running the same firmware); user “Claude”'s contribution is working for me.
A nice TFTP server for Windows with some expanded options is http://tftpd32.jounin.net/
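To confirm that the DHCP server really hands out options 66 and 67 as described above, you can decode one of its OFFER/ACK packets. This is an added example, not part of the original post; the sample packet is constructed, and the addresses and the file name firmware.bin are placeholders.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header; options follow it

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from a DHCP message (the UDP payload)."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("too short for a DHCP message")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: plain BOOTP, no options")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:      # End option
            break
        if code == 0:        # Pad option, single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} truncated")
        length = payload[i + 1]
        # Repeated codes are concatenated (RFC 3396 long-option encoding)
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def boot_info(payload: bytes) -> dict:
    """Extract what a network-booting client needs from an OFFER/ACK."""
    opts = parse_dhcp_options(payload)
    text = lambda b: b.rstrip(b"\x00").decode("ascii", "replace") if b else None
    return {
        "tftp_server": text(opts.get(66)),             # option 66
        "bootfile": text(opts.get(67)),                # option 67
        "siaddr": ".".join(map(str, payload[20:24])),  # BOOTP next-server field
    }

def build_sample_offer() -> bytes:
    """Constructed OFFER: op=2, siaddr 192.168.1.2, options 53, 66 and 67."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes([192, 168, 1, 50]), bytes([192, 168, 1, 2]),
                      bytes(4), bytes(16), bytes(64), bytes(128))
    opt = lambda c, v: bytes([c, len(v)]) + v
    return (hdr + MAGIC_COOKIE + opt(53, b"\x02") + b"\x00"
            + opt(66, b"192.168.1.2") + opt(67, b"firmware.bin") + b"\xff")

if __name__ == "__main__":
    print(boot_info(build_sample_offer()))
```

Feed boot_info() the UDP payload of an OFFER or ACK saved from a packet capture; a None for tftp_server or bootfile means the server is not sending that option.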
Also get hold of the Windows logger and run it as logclient.exe "IP address of Arris"
Another option is to compile your own with the use of KreaTV: (caveat: this GCC needs an older version of Perl; I suggest Ubuntu 14 (x86) and Perl 5.20)
But from what I gather you need to first export the rootcert.pem from the working image and compile it in.
When it is running, telnet in and use toish to be able to write to flash (updates go via the file flash/settings2.xml).
toish is used to invoke some IPC calls to the vendor userland software stack:
toish is setobject cfg.portal.whitelisturls "<PortalURLs>http://192.168.1.2:8080<PortalURL>http://www.login-as.no</PortalURL></PortalURLs>" permanent
Flash is write-protected and not executable. You can, however, save to flash with toish (flash2 is about 4MB), and to execute a script you must first run it through sh.
Scripts must be executed with sh /flash/myscript.sh
Scripts must contain #!/bin/bash at the start
/usr/applications/ekioh/ekioh.cfg must be edited
ekioh must be killed with "killall ekioh"
Your HTML page should then load.
Here are the IR codes:
The IR remote control rx is started with the following command:
(you can see your IR ID with: vi /etc/irmap.conf)
This page even describes how to hack the hardware:
This German is making a GameBoy emulator of it:
Yes, it's still usable, but it was a pain in the butt 🙂
-Those old Germans are naughty boys!