UPDATE: Apologies for the broken images – an old ISP account where I held them disappeared and I need to find them in my backups & stick them onto some webspace.
Introduction
Note: This article covers the Netgem iPlayer (a freeview box), and not the BBC’s P2P/IP TV offering which shares the same name.
When I say 'hacking' the Netgem iPlayer, I mean it in a good way.. the traditional way, not the media view of hacking which often means 'cracking' systems. This is more affectionate and I'm simply extending what the iPlayer can do without modifying the firmware, reverse engineering or anything that would breach copyrights.
What is the iPlayer?
The iPlayer is a Freeview box developed by Netgem. It's no normal digital TV adapter; it runs an embedded version of Linux (which hasn't been made open source), and a USB port.. into which you can plug in a number of devices.. the one with the most potential is the Belkin F5D5050, USB-to-Ethernet adapter.
It basically means that you can connect the iPlayer to your broadband connection to view online content via it's in-built browser. There's also a decent email client that supports multiple POP3 accounts.
Australia has it's own version of the iPlayer, distributed by TEAC. The software is badged differently, but it functions the same, and fortunately they have a few examples of coding HTML specifically for the box which gave me the inspiration to code some (hopefully useful) web pages.
BT have also recently announced a new addition to their line of Digital TV adaptors.. which is also re-badged version of the iPlayer. It's good news for the whole iPlayer community, since the more people that use it, the better the software will get. We'll hopefully also see more people making useful hacks.. how about a Instant Messenger client, eh?
(pictures of the iPlayer interface from http://www.dtg.org.uk)
Some essential links
There isn't too much in the way of non-official sites. The main source of information for me has either been the forums or the Australian TEAC site. Still, here are some links.. I'll add more if I find any.
| Netgem | The main site.. not a lot here TBH |
| Netgem Forums | Very useful resource.. and a conduit to the developers who do read the them |
| TEAC Australia | Good to see the iPlayer in use in other countries! |
| DTG | Lots of pictures of the iPlayer in action |
Unofficial Forums
This is a completely unofficial forum for discussing the i-Player and everything on this site… I hope you find it useful! :)
http://s4.invisionfree.com/IPH/
Some essential commands when developing with the iPlayer
In the web address box you can type the following commands:
| about:tcp | This will give you all the TCP/IP connection information you need |
| about:cache | Allows you to reset the browser cache (useful if you're not using the metatag to tell the browser not to cache the page) |
| about:javascript | JavaScript info |
| about:pics | Info on the PICS and IRCA rating of a web page |
| about:tv | Switch to the TV |
| about:plugins | Plugins info |
| about: | Hardware/software info on the i-Player |
| dvb: | Detailed info on the DVB transmission |
| dvb:NUM | Switches to channel NUM |
Hooking up the iPlayer to broadband
If you can get hold of the Belkin F5D5050 adaptor then that's a good first step! Anything other than the exact model is unlikely to work (until Netgem add support for a wider range of adapters). Once you've got that you can either stick an ethernet cable straight in, or use a wireless setup if your other half won't let you lay the cable!
If you go for wireless, remember that you can't use a USB dongle.. the driver won't be present in the iPlayer kernel and there's no provision for installing it yourself. There is an alternative; by using access points you can use the Belkin adaptor and a bit of ethernet cable.. the D-Link DWG-700AP was perfect for this. In my case, I bought 2 identical units, set one to be an Access Point, and the other to be a Remote Client. You can get them from eBuyer at £45 each.. which isn't too bad, even though they're only using the 802.11b standard.
New Email Notification
The built-in POP3 email functionality is good, but you do have to keep going to the email screen to see if you've got new mail. Therefore I've coded up a page which will superimpose a new mail message whilst you're watching TV. Since there aren't too many examples out there for the iPlayer I'll explain some of what I've done in more detail.. but hopefully you're a hacker too and therefore shouldn't find it hard to follow what I've done.
Ingredients…
– Web server (e.g. Apache) running PHP
– The scripts I've written (9k)
– A POP3 account + it's server/login details
– An iPlayer box running on a broadband connection (see above)
How it works
Basically I coded up a web page which consists of a frameset. The reason for doing this was so that the whole page didn't have to refresh to check for new messages (I'd expected the screen to temporarily flash as it re-rendered the page and wanted to avoid this early on). The frameset is constructed like this:
The modules
As you can see, there are lots of parts to this project, but it's all quite modular so I'll go through each part in turn.
| Module | Description |
| The frameset | What I've done here is construct a frameset which has certain height settings (see the picture above). This pushes some of the frames off screen.. which is a good thing in this case, but during debug you might want to change the display page to be 200 pixels high so that you can see the other frames.Another thing I've done is include a 1 pixel high frame which is there to focus the iPlayer cursor on. Let me explain.. when I didn't have this, the iPlayer selects the first frame it finds and highlights it with a green rectangle. If I navigate down, the next onscreen frame is selected. Any frames that are off the visible screen area can't be selected. When I first coded up the page, the display.html frame was being selected and a massive green rectangle surrounded the screen! If this happens now, I simply press the down button to move to the 1 pixel-high frame.The 50 pixel high blank frame is simply used as padding to make the other 2 frames go offscreen.Notes… – To make sure the background is the TV picture (i.e. you can see through the web page), you must include the usual bgcolor=transparent background="tv:" link=transparent attributes, but do this for the frameset rather than the usual <body> section, e.g.<frameset rows="500,1,50,300" border=0 bgcolor=transparent background="tv:" link=transparent> |
| display.html | There's not much to this one.. it's a transparent page and simply has a couple of empty <div> blocks which are positioned to display the onscreen message. One thing to note is the first <div> tag is for the caption's shadow, and the second is for the message.. the ordering is important here since the layering is determined by when the <div> tag was defined.. i.e. the second appears over the top of the first. |
| timer.html | This is an important bit. It contains a bunch of JavaScript code that ticks over every second. In here we tell the checkemail.php to reload every x number of seconds, and if the number of emails changes then it manipulates the display.html <div> tags to display a message. Most of it is self explanatory but there are a few things to note if you're going to code up your own JavaScript for the iPlayer…Notes… – Even if your scripts work fine on your PC under Internet Explorer, don't expect them to work on the iPlayer.. it uses a different JavaScript engine – Make sure you define your variables.. IE doesn't care if you don't, but the iPlayer does! – Try/Catch blocks seem to be treated slightly differently so if your code requires it, check for variables being set to undefined, e.g.if (newMailCount = = undefined) newMailCount = currentMailCount; |
| checkemail.php | It's a shame I couldn't do the POP3 checking in JavaScript.. there might be a way (TBH I didn't bother looking!) but I went for the PHP option since I'm a half-decent PHP coder. It uses a freebie class which makes it even easier to connect to a POP3 account, but apart from that none of it is rocket science. So that the timer.html page can see how may emails are waiting I've put the results of the check into standard HTML text boxes.. it could be done differently but I also found this method useful for testing. |
| blank.html | Blank page with the background set to transparent to let the TV picture show through. |
| styles.css | Contains the font formatting information. In here you can change the size/style of the messages that appear onscreen. Note, that there are two lines you'd have to change, one for the text and one for the text's shadow. |
Installing it
That's pretty much it, drop the files into your web server, edit the checkmail.php file to enter your POP3 account details, and perhaps the timer.html page to change the interval between checks (it's set to 5 minutes at the moment). Give it a try on your PC to ensure it all works (it's a pain to debug on the iPlayer since you won't be able to see the bottom 2 frames unless you tamper with index.html), and then fire it up on your iPlayer.
Using it
When you first load it you may see a green rectangle over the screen, if you do, simply press the down button and it'll disappear. You'll also find that if you move channels using the numeric pad, list, or EPG then you'll loose the web page. The only way to navigate channels and keep the web page running is to use the channel +/- buttons. I really do hope that Netgem fix this in the next firmware!
Attempting to capture a copy of the i-Player firmware update
Okay, so it's not like I'd be able to do much with it, but it interested me to see Netgem posting a link to upgrade my i-Player to the new firmware on their forums. If I hit that link with a PC-based browser nothing happens, therefore I set about working out how it's put together.The first step is to find out why the i-Player will work and a PC won't. That's quite a simple if you've been hacking around on the web for a while. Basically it's to do with the browser identification. Each web browser has an ID so that web servers can identify them and tailor the content if required.To find out what the i-Player uses I could check my own web logs but a quick Google search gave me what I needed…
Mozilla/3.01 (compatible; Netgem/3.6.5a; netbox.itv; Linux 2.2)
Okay, so I know how it identifies itself, now how do I spoof this so that I can access the page from my PC. Well, there are two ways to do this.. the first is using our old friend telnet. If you didn't know already, you can actually browse the web using telnet.. albiet in text form and it's very querky!
Spoofing using telnet
Start up telnet with the following command:
telnet www.netgem.com 80
That logs us onto the Netgem web site. Next we need to request the page, so paste in the following line which asks for the December 2003 firmware (it's the link off their forums).
GET http://www.netgem.com/dec2003/ HTTP/1.0
After pasting in that line press return once, since we then need to paste in this line to tell the web server we're an i-Player:
User-Agent: Mozilla/3.01 (compatible; Netgem/3.6.5a; netbox.itv; Linux 2.2)
Press return a couple of times; this will set the User-Agent and then request the page.
Results without spoofing User-Agent (http://www.netgem.com/dec2003/)
HTTP/1.0 200 OK
Date: Thu, 01 Jan 2004 16:40:21 GMT
Server: Jetty/NVD-CMS (http://www.novadeck.com)
Servlet-Engine:
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: jsessionid=h7eqld06;Path=/
Set-Cookie2: jsessionid=h7eqld06;Version=1;Path=/;Discard
Cache-Control: no-cache
Results after spoofing User-Agent (http://www.netgem.com/dec2003/)
HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Jan 2004 16:41:26 GMT
Server: Jetty/NVD-CMS (http://www.novadeck.com)
Servlet-Engine:
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: jsessionid=e5n0u2dj;Path=/
Set-Cookie2: jsessionid=e5n0u2dj;Version=1;Path=/;Discard
Cache-Control: no-cache
Location: https://www.netgemplatform.co.uk/upgrade/index_4.4.jsp?netgem.com
Connection: close
Spoofing the User-Agent in Internet Explorer
I got a bit fed up using Telnet to do all this so I found that you can use the following technique to spoof the UA in IE. Edit the registry and navigate to…
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent
If that key doesn't exist, create it. Then enter the following…
| {Default} | REG_SZ | Mozilla/3.01 | |
| Compatible | REG_SZ | compatible | |
| Version | REG_SZ | Netgem/3.6.5a | |
| Platform | REG_SZ | Linux 2.2 |
Restart IE and now when you hit the web the sites will think you're using the i-Player. If you do this, make sure you delete the key later on so that future web browsing isn't affected!
One step on!
Now we're seeing the actual page it's going to; you can see that it's responding differently depending on the User-Agent string that's being sent. Our next step is to see how the following page works:
https://www.netgemplatform.co.uk/upgrade/index_4.4.jsp?netgem.com
If you download this and look at the source you'll see it also pulls in these JSP pages:
common.jsp.htm
menu_4.4.jsp.htm
The important one for us is the second file. Within this page there's some JavaScript that instructs the i-Player to perform the update and tells it where all the necessary directories are on the update server. This is interesting since we don't know a lot about the custom Javascript functions/properties for the i-Player.
To save you going through all this yourself I've archived off the files into a ZIP file which you can download and take a look at yourself.
Constructing the update path
Some of the processing which happens when you choose to update the i-Player software creates a path to the new firmware. The function that does this is called getUpgradeSubdir() and will return something like this…
http://www.netgemplatform.co.uk/upgrade/4.4/n6-5-produk/
When I attempt to navigate to here nothing happens.. it's a blank page. The actual update is likely to be here in binary form.. it's just I don't know the name of the file it'll be downloading.. this must be encoded in the i-Player itself as a standard name such as UPDATE.BIN.
I've tried to packet sniff traffic on my LAN to see what it's doing, however my router (the Netgear DG814) routes the traffic directly to each connected device. Therefore network cards in promiscuous mode won't be able to sniff the traffic. Perhaps someone has an older router which they can sniff the traffic on and let me know exactly where it's going when it attempts a firmware update?
Captured copy of UPGRADE.BIN
Over the past few months people have written to me with various insights into the upgrade process. Soon after I published the section above, someone (who will remain anonymous) got in touch and let me know the name of the upgrade image.As you can see by the title, I wasn't far off when I speculated that the update file was probably given a standard name such as UPDATE.BIN. In fact it's UPGRADE.BIN! I can't host the file here because it's probably illegal, but you can download youself a copy…http://www.netgemplatform.co.uk/upgrade/4.4/n6-5-produk/upgrade.binOkay, so we've got a copy of UPGRADE.BIN, so now what. Well exactly, I looked at the file and you can see plain text headers to a certain point, and then it seems to get encrypted. That was a bit too techie for me, but recently someone got in touch and has come up with a way to decode portions of the file. The code to do this is written in C and I've pasted it below. Stick it though a free C compiler such as LCC and you'll get this exe (5kb).
#include <stdio.h>
unsigned long DataDecode(unsigned long k,unsigned char *data,int len) {
unsigned long newk;
unsigned int c;
newk=k;
for (c=0;c<len;c++) {
newk=(newk*0x41c64e71)+1;
data[c]=data[c]^((newk>>16)&0xff);
}
return newk;
}
void extract_data(unsigned char *fname,unsigned long offseti,unsigned long len) {
int k=0;
int a,b,btogo,toread;
FILE *fp;
FILE *fpo;
unsigned char buf[1024];
b=1;
btogo=len;
fp=fopen("upgrade.bin","rb");
fpo=fopen(fname,"wb");
fseek(fp,offseti,SEEK_SET);
// following IF statement didn't work in LCC.. you can uncomment this
// and it simply won't bother checking that upgrade.bin has opened
if ((fp>0) && (fpo>0)) {
while ((b>0) && (btogo>0)) {
if (btogo>sizeof(buf)) toread=sizeof(buf); else toread=btogo;
b=fread(buf,1,toread,fp);
btogo=btogo-b;
if (b>0)
{
k=DataDecode(k,buf,b);
fwrite(buf,1,sizeof(buf),fpo);
}
}
} else printf("Failed to open upgrade.bin for decoding.n");
fclose(fp);
fclose(fpo);
}
int main() {
extract_data("Data/part_ptab.img",0x630,0x74);
extract_data("Data/upgrade_prog.img",0x6a4,0x252dc);
extract_data("Data/part_unknown1.img",0x2578c,0x20000);
extract_data("Data/part_bios.img",0x45b50,0x20000);
extract_data("Data/part_usr.img",0x65b50,0x1ba000);
extract_data("Data/part_root.img",0x21fb50,0x396000);
}
Make sure you've got upgrade.bin in the same directory, and create a sub-directory called data. Run decode and it'll generate you 6 decrypted .img files.
From here we're still suck because we have no way of putting a modified UPGRADE.BIN onto the i-Player. However, people are working on ways around this.. it just may take some time.
Interesting plaintext from the decoded UPGRADE.BIN
There is a hidden maintenance console on the i-Player. We believe it's a telnet shell but don't yet know what you can do with it, or how to access it. Perhaps someone can gleam some useful information from the plaintext below:
part_root.img
=============
.. bin cache
cem lib
;operator
?sbin
dvbci_server dvbfsm fb
gdbserver i2c
io
iodriver
memory-14.cfg
memory-16.cfg
memory-30.cfg
memory.cfg netgem
ngclient ping
rcp
term
/home/cache . ..
netgem-factory.ini ; Used by functional test (merged NEVERSYNC).
[options]
ifname="functest"
[isp.functest]
ppp="native"
proxy="10.0.0.2"
admin=0
hidden=1
. .. hotplug
modules 3netgem . ..
firmware . ..
at76c503-i3861-fw at76c503-rfmd-fw
4app_n6.lbr 5app.pem 6drums.o3
7netgem.lbr 8netgem-mw.ini
9oem.pem
:std.o3
/lib/oem.pem
netgem-op.ini alias="Comments", addr="comments@mailbox.tv"
;crc=0x813d0ffa
addr="http://www.iwf.org.uk/safe_surfing/parents_tips.html", alias="Kids Safety on the Internet"
addr="http://about-the-web.com/shtml/glossary.shtml", alias="Web glossary"
addr="http://www.worldwidewebinfo.com/webintro.htm", alias="Web tutorial"
;crc=0x38ec587d
@chat Adiskinit Biwconfig
Cmkdosfs Dpppon Epppwin
Fusb_net.sh
/sbin/pppd -detach nologfd noauth nocrtscts local defaultroute 10.0.0.1:10.0.0.2 /dev/ttyS0 115200&
#!/bin/sh
#
# This program is started by init when functional test mode is selected.
# The chat program is needed here as the other end of the serial cable is
# connected to a Windows machine.
# In order to launch RAS on Windows when the box is ready (launching it
# before causes problems), the box sends "READY" at the very beginning.
# The RAS-client on the Windows machine sends "CLIENT", and the box answers
# "CLIENTSERVER".
/sbin/pppd /dev/ttyS0 115200 -detach nologfd noauth nocrtscts local defaultroute 10.0.0.1:10.0.0.2 connect
'/usr/sbin/chat -e -t 120 "" "READYn" CLIENT CLIENTSERVER'
#!/bin/sh
#
# This script loads the low level USB drivers. /sbin/hotplug is called
# on device insertion or removal.
#
# Load USB stack module
/sbin/insmod /lib/modules/usbcore.o
# Load the SL811 driver
/sbin/insmod /lib/modules/sl811.o
upgrade_prog.img
================
Reset one environment variable Set one environment variable Reboot Swap root part Try save
Save Whole Save Mandatory Error Message Load Save Sync Wait Rmmod Insmod Resize
Unmount Mount Exec Bloc device Char device Pipe Symlink Hardlink Make directory Remove
Move Copy Update BIOS Update home Update usr Update opt Update sys Upload Download %s :
ERROR %%%% %02d
/upgrade.log a w Received signal %d code %d location %p
Received signal %d from process %d code %d
/dev/console UPGRADE: Received signal %d code %d location %p
UPGRADE: Received signal %d from process %d code %d
Info : %s Remount: %s (%s)
EXEC minix /tmp/sdpl_patch.o ERROR: %s at line %d
Unable to remove one partition
/dev/sla Can't adapt partition size
Re-creation of /opt partition not supported yet
Don't know how to swith to %d partitions
Info : %s Setting status for SWAP to : %02X
Action %s failed
Can't get header
Bad magics in script header
Don't know any box with numparts : %d
Info : %s Root size: %u
Info : %s /opt size: %u
Info : %s /usr size: %u
Info : %s /home size: %u
Info : %s BIOS size: %u
Info : %s Total data size: %u
Info : %s Number of script commands: %u
Info : %s Size of script: %u
ÿþÀÿþ èÿþ ôÿþ ÿþÿþŽÿþ ÿþ
ŽÿþŽÿþŽÿþ�Can't get memory
Can't get the script
digest doesn't match for script
Can't get memory ÿþŒÿþäÿþ
`ÿþ°ÿþ°ÿþ°ÿþ�Info : %s Going to get data: %04X
/dev/nftla Info : %s Going to skip %d bytes
Can't upgrade system directly.
Please contact your vendor
Opt partition isn't valid on this system.
Please contact your vendor
Command isn't a load one %s...
Info : %s Length: wanted: %d load: %d
Info : %s Allocate %d blocs
Unable to prepare upgrade
Info : %s Get file (%04X)
Info : %s Length: got: %d load: %d
Info : %s Test digests
Info : %s WARNING: digest differs for bloc %d (%d)
Info : %s Loaded %u (%u) bytes from %s
ÿþôÿþ
ÿþtÿþ¬ÿþäÿþìÿþôInfo : %s Load script from file %s (%04X - %04X)
Can't open a stream %s
Unable to retrieve stream header %s
Info : %s Before read_script: flags: %04X
Unable to retrieve script %s
Info : %s Before complete_download: flags: %04X
Can't complete download
/home/.save/ #!/bin/sh
exit 2;
/home/.save//upgrade Error while executing script %s
Error during upgrade
ÿþ@ÿþ
hÿþ
tÿþ
�ÿþ
�ÿþ4ÿþ
ÿþ4ÿþ
Žÿþ4ÿþ4ÿþ4ÿþ
Èÿþ4ÿþ4ÿþ4ÿþ
äÿþ4ÿþ4ÿþ4ÿþ
ÿþ(ÿþ�ÿþ�ÿþ�ÿþ€ÿþÿþ°ÿþÿþÀÿþÿþÿþÿþÐÿþÿþÿþÿþäÿþÿþÿþÿþü
ÿþØÿþôÿþÿþ,ÿþHInfo : %s Save script in file %s
cx:3457: cx:3567: drv:23457: drv:23567: �€°Œ /sbin/inittab Info : %s Tried to open inittab (%d)
/sbin/inittab2 HW_TYPE cannot determine HW_TYPE
No upgrade data for check
This upgrade file doesn't match this hardware...
cur_hw=%08x
Upgrade version 3.0
upgrade [-h] [-v] [-f] [-q] [-Q] [-O][-i -o] filename
-v: increase verbosity
-f: do not allow skip
(read all data and write them)
-Q: require the browser to quit
-i: read upgrade script from file filename
-O: indicates input file isn't obfuscated
/tmp/upgrade3.log hvfqQOi Info : %s Using file as input
Info : %s Don't deobfuscate stream
Invalid option: %c
Bad number of arguments
Upgrade doesn't match hardware
Info : %s filename: %s (%d)
/ /usr /home /opt Don't know what to do with %d partitions
Info : %s Send QUIT command
QUIT QUITOK
Info : %s Answer : %s
Error while asking: %s
Info : %s Going out with return code: %d
ÿþ ÿþÄ%s/.save.%02d./ Unable to copy %s into %s
Info : %s Got to put back %s from %s
Unable to put %s back in place
unable to upgrade partition
Unable to save file %s
Upload isn't supported yet
/tmp/bd_remap.o /tmp/dev/remap /tmp/dev Unable to create remap device
/vmlinuz /lib/modules can't remap system partition
%s%d REBOOT Partition already upgraded
Error saving %s
Can't copy file %s to %s
Can't move file %s to %s
Can't create directory %s
Unable to link %s to %s
Unable to symlink %s to %s
Unable to create pipe %s
Unable to create device %s
Can't mount partition %s to %s
Can't unmount partition %s
No infos on partition to resize
/sbin/insmod -f /sbin/rmmod Unable to save %s Unable to load script %s Info : %s %s %s
%s %s
Info : %s %s
%s
Info : %s Init font
Info : %s Init title area
Info : %s Init progress area
Info : %s Init message area
UPGRADE to version 4.4.2 Info : %s Put %s on screen
In progress Upgrade progress: Loading upgrade data. Please wait.
This may take up to 20 minutes Info : %s Init progress bar
/dev/bios ERROR: %s at line %d
UPGRADE Info : %s %d bloc to get, %d to move, %d to leave
Can't open partition %s
%s/%s . .. Info : %s can't acces to dir: %s
%s%1u Info : %s %s size is %d, %d sectors reserved
Info : %s Bloc size is %d
/dev/sla Info : %s Got: %d - I want %d
Info : %s Orig size: %d - wanted: %d - diff: %d
blocsize: %04u - bloc org: %d - new_blocs: %d -> %d
Info : %s Going to add %d blocs to partition %d
Info : %s Going to remove bloc %d from partition %d
Info : %s Partition %d %s: wanted %u, got %u
Info : %s Skip partition: %d
Info : %s Partition sizes:
Info : %s wanted: %u - %u - %u - %u -> %u
Info : %s got %u - %u - %u - %u -> %u (%u res)
/dev/ram1 /tmp/mnt/ /tmp/mnt/rd /tmp/mnt/rd/ /tmp/mnt/rd/opt/
/proc /proc/%d/exe /sbin/ /bin/ /dev/tty1 ioctl KDSETMODE ERROR: %s at line %d
SCREEN /dev/fb0 ERROR: %s at line %d
HELP Info : %s Got to get %d bytes (%04X) -> is%s Obfuscated
n't Info : %s Other type: %04X -> is%s Obfuscated
Got %d bytes, remaining: %d
Info : %s Got to save %d bytes (%04X)
TRACE_RC %ld-%ld: ERROR: %s at line %d
COMMON Info : %s %s size is %d
/ %s%1u Info : %s Root part is %s, so alternate is %s
Bad number of partitions
Info : %s Partition %d (%s) has size zero !
Info : %s Got %d partitions
Info : %s Put boot flag on partition %s
Cannot launch %s
/dev/null /sbin/mkfs.minix -w %d -i %ld Info : %s Mount: %s at %s
minix discarded
empty
empty (0xFF)
not remapped
copied
unknown type: %d
ÿþ�šÿþ�xÿþ��ÿþ��ÿþ�žMount point: %s %d %d %lu
Special files:
* %s skipped
Bloc %lu to %lu: Memory error
Add file %s with type /dev/remap Unable to open %s : %s
Unable to unmap dev %d : %s
ÿþ�ðÿþ�Lÿþ�Tÿþ�`ÿþ�pÿþ�äÿþ�|ÿþ�äÿþ��ÿþ�äÿþ�äÿþ�äÿþ��ÿþ�äÿþ�äÿþ�äÿþ�°ÿþ�äÿþ�äÿþ�äÿþ�Ècan't stat: %s
/tmp/__%02x__%02x__ can't create: %s
can't open: %s
can't get size of %s : %s
WARNING: unknown file: %s - Skip it
WARNING: can't open file: %s for reading - Skip it
WARNING: can't stat %s - Skip it
WARNING: file %s is on another device - Skip it
Add directory %s content recursively
Error : can't get block for file: %s
Unable to open device: /dev/remap
map failed for device: %s
ÿþ�Tÿþ�Tÿþ�Tÿþ� ÿþ�Tÿþ�Tÿþ�Tÿþ�8 /dev/slowmem ERROR: %s at line %d
STREAM ERROR: %s at line %d
STRLOW Info : %s Realloc %d -> %d + %d
READ %d
SKIP %d
ÿþ³Àÿþ³,ÿþ³Àÿþ³@ÿþ³Àÿþ³Àÿþ³Àÿþ³Tÿþ³Àÿþ³Àÿþ³Àÿþ³pÿþ³Àÿþ³Àÿþ³Àÿþ³� %s Unknown error %d /dev/tty0
)$))(ü(ä(Ü(Ð(Ž(¬(�(�(h((P(D (4(((('ø'à'È'°'�'|'d'T'D
I/O possible Window changed Profiling timer expired Virtual timer expired File size limit exceeded
CPU time limit exceeded Urgent I/O condition Stopped (tty output)
Stopped (tty input) Stopped Stopped (signal) Continued Child exited
Terminated Alarm clock Broken pipe User defined signal 2 Segmentation fault
User defined signal 1 Killed Floating point exception Bus error
Aborted Trace/breakpoint trap Illegal Instruction Quit Interrupt Hangup Unknown signal %d : %s%s%s
%s:%d: assertion '%s' failed in function '%s'
.ð.È.€.t.P.8.$.. -à-Ä-¬-�-t-T-<-(--,ôWrong medium type
No medium found Quota exceeded Remote I/O error Is a named type file No XENIX semaphores available
Not a XENIX named type file Structure needs cleaning Stale NFS file handle Operation now in progress
Operation already in progress No route to host Host is down Connection refused Connection timed out
Too many references: cannot splice Cannot send after transport endpoint shutdown
Transport endpoint is not connected Transport endpoint is already connected No buffer space available
Connection reset by peer Software caused connection abort
Network dropped connection because of reset Network is unreachable
Network is down Cannot assign requested address Address already in use
Address family not supported by protocol Protocol family not supported
Operation not supported on transport endpoint Socket type not supported
Protocol not supported Protocol not available Protocol wrong type for socket
Message too long Destination address required Socket operation on non-socket
Too many users Streams pipe error Interrupted system call should be restarted Illegal byte sequence
Cannot exec a shared library directly Attempting to link in too many shared libraries .
lib section in a.out corrupted Accessing a corrupted shared library
Can not access a needed shared library Remote address changed File descriptor in bad state
Name not unique on network Value too large for defined data type
Not a data message RFS specific error Multihop attempted
Protocol error Communication error on send Srmount error
Advertise error Link has been severed Object is remote Package not installed
Machine is not on the network Out of streams resources
Timer expired No data available Device not a stream Bad font file format
Invalid slot Invalid request code No anode Exchange full
Invalid request descriptor Invalid exchange Level 2 halted No CSI structure available
Protocol driver not attached Link number out of range Level 3 reset
Level 3 halted Level 2 not synchronized
Channel number out of range Identifier removed No message of desired type Operation would block
Too many symbolic links encountered Directory not empty Function not implemented
No record locks available File name too long Resource deadlock would occur Math result not representable
Math argument out of domain of func Broken pipe Too many links Read-only file system Illegal seek
No space left on device File too large Text file busy Not a typewriter
Too many open files File table overflow Invalid argument Is a directory
Not a directory No such device Cross-device link
File exists Device or resource busy Block device required Bad address Permission denied Out of memory Try again
No child processes Bad file number Exec format error Arg list too long No such device or address I/O error
Interrupted system call No such process No such file or directory Operation not permitted Success
system in use
Arena %d: %10u %10u
Mmap : %10u %10u
Total : %10u %10u
max system bytes = %10u
max mmap regions = %10u
max mmap bytes = %10lu
ÿÿÄÿÿŽÿÿ€ÿÿ�ÿÿpÿÿ`Heap %p, size %10lx:
chunk %p size %10lx (top)
(fence)
FREE BLOCK
{ %c t r n %02X }
? %s: invalid option -- %c
%s: option requires an argument -- %c
} @ �ÿÿÿ ÿÿÿÿ ÿÿÿÿ k .symtab .strtab .shstrtab .init .
text .fini .rodata .sdata2 .data hw_match_ids .got2 .ctors .dtors .got .sdata .sbss .bss
t t $ ! �
ÿÿÿÿ k .symtab .strtab .shstrtab .init
part_usr.img
============
# kernel boot configuration
append="physmap_part=0x00000,0x7e0000"
dbg_lvls="23"
append_prod="console=null"
append_dbg="CONSOLE=1 console=ttyS0,115200n8"
. .. audio bios
console dsp
dsp1
dvbci
fb0
hda hda1 hda2
hda3 hda4 hwserial
i2c-0 i2c-1
input io
ir0
led lp0 mem
mixer
mixer1
mtd0 mtdblock0
mtdblock1 !nftla
"null $ost
+ppp
.
mice $. .. #
%audio &demux 'dvr
(frontend )sec *video #.
,ptyp0 -ptyp1 .ptyp2 /ptyp3
0ptyp4 1ptyp5 2ptyp6 3ram1
4ram2 5sequencer 6sla 7sla1
8sla2 9sla3 :sla4
;slowmem sw
?ttx @tty0
Atty1 Btty2
Ctty3 Dtty4
Etty5 Ftty6
Gttyp0 Httyp1
Ittyp2 Jttyp3
Kttyp4 Lttyp5
Mttyp6 NttyS0
OttyS1 PttyS2
QttyS3 RttySC0
_firmware
dadc_dvb_uc.o eadc_vulcan.o fbiosupgrade.o
gcxa2161.o hcxd1973R.o idragnet.o
jfe.o kfirmware_class.o lir.redwood.o
mkaweth.o npegasus.o ortl8150.o
psl811.o qsmcard.o rsw_vulcan.o
stda10086.o tucode.o uusbcore.o
vusbnet.o wvdc_vesta.o xvdc_vulcan.o
yvesta.o
/home/opt }. .. ~.
..
�cxmgr �dhcpcd
�drvmgr �drvmgr.cfg
�fsck.minix �hotplug
�init �inittab
�insmod �ip-change
�mkfs.minix �pppd
�pppoe �rc.sysinit
�rlogind �rmmod
�rshd �system.conf
�upgrade
# XXX: The two first one should be configured directly by the cxmgr...
# Local network
ifname=lo
class=net
device=lo
driver=none
bootload=y
configure=y
ipaddr=127.0.0.1
addroute=y
network=127.0.0.0
netmask=255.0.0.0
# DVB download stream network
ifname=dvb0
class=net
device=dvb0
driver=none # ???
bootload=y
configure=y
ipaddr=172.17.4.207
netmask=255.255.255.255
# For multicast tests
# addroute=y
# network=224.0.0.0
# Generic drivers
# Firmware loader
ifname=firmware_class
class=core
device=none
driver=firmware_class
bootload=n
# USB device firmware upgrade
ifname=usbdfu
class=core
device=none
preload=firmware_class
driver=usbdfu
bootload=n
# Scsi stack
ifname=scsi
class=core
device=none
driver=scsi_mod
bootload=n
# Scsi disks support
ifname=sd
class=disk
device=none
driver=sd_mod
preload=scsi
bootload=n
# Generic CDROMs support
ifname=cdrom
class=disk
device=none
driver=cdrom
bootload=n
# Scsi CDROMs support
ifname=sr
class=disk
device=none
driver=sr_mod
preload=scsi
preload=cdrom
bootload=n
# Scsi generic devices support
ifname=sg
class=core
device=none
driver=sg
preload=scsi
bootload=n
# Input devices
ifname=input
class=input
device=none
driver=input
bootload=n
# Keyboard input device
ifname=keybdev
class=input
device=none
driver=keybdev
bootload=n
# Mouse input device
ifname=mousedev
class=input
device=none
driver=mousedev
bootload=n
# File systems support
# Vfat support
ifname=vfat
class=fs
device=none
driver=vfat
preload=fat
bootload=n
# NLS support
ifname=nls
class=fs
device=none
driver=none
preload=nls_cp437
preload=nls_iso8859-15
preload=nls_utf8
bootload=n
# Netgem boards drivers
# demodulator for N6 (including the tuner)
ifname=demod_ter
class=core
device=none
driver=cxd1973R
bootload=y
drvopts=bus_id=0 demod_connect_retry=3 tuner_bus_id=0
hardware=0x0600FFFF
# front end for N6
ifname=fe
class=core
device=none
driver=fe
bootload=y
hardware=0x0600FFFF
# demodulator for N9 (including the tuner)
ifname=demod_sat
class=core
device=none
driver=tda10086
bootload=y
drvopts=bus_id=0 debug=0 tuner_addr=0x60 tuner_type=16 tuner_bus_id=0
hardware=0x0900FFFF
# cxd2099a module: DVBCI for N6-6
ifname=pcmcia6
class=core
device=none
driver=cxd2099a
drvopts=io_base=0x70000000
bootload=y
hardware=0x060006FF
# PPP interface
ifname=ppp0
class=net
device=ppp0
driver=dragnet
drvopts=io=0x730FF000 irq=27 hw_version=${HW_TYPE} hw_options=${HW_OPTIONS}
exec=/usr/bin/ngclient "device=internal/modem;mode=add;class=modem;kernel;name=Internal Modem"
bootload=y # Should not be...
hardware=0x060003FF
hardware=0x060005FF
hardware=0x090001FF
# ethernet interface for N6-4
ifname=eth4
class=net
device=eth0
driver=smc91111
drvopts=io=0x73000300 irq=26 nowait=1
exec=ifconfig eth0 hw ether ${MACADDR}
bootload=y
hardware=0x060004FF
# ethernet interface for N6-6
ifname=eth6
class=net
device=eth0
driver=smc91111
drvopts=io=0x73000300 irq=27 nowait=1
exec=ifconfig eth0 hw ether ${MACADDR}
bootload=y
hardware=0x060006FF
# USB interface
# N6-4:
ifname=usb4
class=usb
device=none
driver=hcd-1161
preload=usbcore
bootload=n
hardware=0x060004FF
# N6-3:
ifname=usb3
class=usb
device=none
driver=sl811
preload=usbcore
bootload=y
hardware=0x060003FF
hardware=0x090001FF
# N6-5:
ifname=usb5
class=usb
device=none
driver=sl811
preload=usbcore
drvopts=sl811_irq=26
bootload=y
hardware=0x060005FF
hardware=0x060006FF
# native ide support
# N6-4 version
ifname=ide-mod4
class=core
device=none
driver=ide-mod
drvopts=
bootload=n
hardware=0x060004FF
# N6-6 version
ifname=ide-mod6
class=core
device=none
driver=ide-mod
drvopts=stb03_irq=28
bootload=n
hardware=0x060006FF
ifname=ide-probe-mod
class=core
device=none
driver=ide-probe-mod
drvopts=
bootload=n
# NOTE: I don't understand why vfat needs to be loaded. partition
# format check should load the required filesystem driver.
# Jma: known problem: for now, filesystem probe is all done by the kernel,
# so filesystem drivers are needed before we mont them...
ifname=ide-disk4
class=disk
device=none
driver=ide-disk
preload=vfat
preload=nls
preload=ide-mod
preload=ide-probe-mod
drvopts=
bootload=y
hardware=0x060004FF
ifname=ide-disk6
class=disk
device=none
driver=ide-disk
preload=vfat
preload=nls
preload=ide-mod6
preload=ide-probe-mod
drvopts=
bootload=y
hardware=0x060006FF
# There come USB devices
# Pegasus USB-ethernet driver
ifname=pegasus
class=net
device=none
driver=pegasus
preload=usbcore
bootload=n
# Kawasaki USB-ethernet driver
ifname=kaweth
class=net
device=none
driver=kaweth
preload=usbcore
bootload=n
# RTL8150 USB-ethernet driver
ifname=rtl8150
class=net
device=none
driver=rtl8150
preload=usbcore
bootload=n
# Host to host USB adapters
ifname=usbnet
class=net
device=usb0
driver=usbnet
preload=usbcore
bootload=n
# we "known" that Windoz likes this address...
configure=y
ipaddr=192.168.0.2
addroute=y
network=192.168.0.0
netmask=255.255.255.0
# Philips Webcam driver
ifname=pwc
class=video
device=none
driver=pwc
drvopts=size=qcif fps=5 fbufs=2 mbufs=2
preload=usbcore
bootload=n
# Quickcam express webcam
ifname=quickcam
class=video
device=none
driver=quickcam
drvopts=bright=40000
preload=usbcore
bootload=n
# Usb storage support
ifname=usb-storage
class=core
device=none
driver=usb-storage
preload=sd
preload=sr
preload=vfat
preload=isofs
preload=nls
bootload=n
# Usb printer support
ifname=printer
class=printer
device=none
driver=printer
bootload=n
# usb hid (keyboard, mouse, ...) support
ifname=usb-hid
class=input
device=none
driver=hid
preload=input
preload=keybdev
preload=mousedev
bootload=n
# Generic ATMEL WIFI device's driver
ifname=atmel
class=net
device=none
preload=firmware_class
preload=usbdfu
driver=at76c503
bootload=n
# ATMEL chipset based USB-Wifi adapters.
ifname=at503-rfmd
class=net
device=none
driver=at76c503-rfmd
preload=usbdfu
preload=atmel
bootload=n
ifname=at503-i3861
class=net
device=none
driver=at76c503-i3861
preload=usbdfu
preload=atmel
bootload=n
# Lucent chipset based USB-Wifi adapters
ifname=hermes
class=net
device=none
driver=hermes
preload=firmware_class
bootload=n
ifname=orinoco
class=net
device=none
driver=orinoco
preload=firmware_class
bootload=n
ifname=orinoco_usb
class=net
device=none
driver=orinoco_usb
preload=hermes
preload=orinoco
bootload=n
# tda8002 module: smartcard for N6-6
ifname=smcard
class=core
device=none
driver=smcard
bootload=y
hardware=0x060006FF
hardware=0x060005FF
insmod rlogind
hardware_type = n6-dtt
firmware_digest = 4DD74097E145706D9A03851AEADB1AABAB540115
oem = NetgemUK
firmware_version = 4.4.2
firmware_date = Mon Feb 23 14:00:00 UTC 2004
@K< @K @O� .symtab .strtab .shstrtab .text .data .bss
part_ptab.img
=============
BIOS ÅÏTé$e¹�ÿÊ Eš#�žØñ2q USR F~þþ^l�±4ì¬�óÉÛœ× ROOT 9` Ã�è;_,ÅKEOÍmÍ$
part_bios.img
=============
,}+x9@ � | Sx| X8� N� | BŠT �>N� %06dKB
write error: %d
read error %d
OK %d kB
Could not load '%s'
append append_prod append_dbg dbg_lvls tvstd ntsc palm paln
tvout svhs rca bpp allow_serial_line allow_interactive_bios NOAPP=1 Loading %s (not found %d)
(%d bytes)
� ì `Partition magic error (0x%04x)
Boot Start Blocks Id Device
%c %7d %7d %02x %s%d
read error
write error
sector 0x%4x:
NFTL: DOC found at %p
Block device init error
No valid system partition
0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdef
octet 5 6� ÿÿÿÿÿÿ ¯
«À «ž T� «° «� �x «� «� �� vmemtest [nb [start [len]]]
memtest NUMPART chpart [PATH] ls FILENAME [ADDR] load ADDR SIZE crc ADDR pr
savecfg [my_ip [server_ip]] ipcfg [xx:xx:xx:xx:xx:xx] macaddr [address] netrx s|p|c
console FILENAME logo n fib ms delay [CMD [NUM]] nftl docinfo doccheck
block [count] docerase docwrite docread [-erase] [from [count]] docformat
[sector [count]] docdump sector [count [from]] bw sector [count] bd sector
[count [dest]] br address g vmlinuz file loadimage [NTSC/PAL] tv value
value [...] + addr2 value [...] e,ew,ed [addr1] [length] d,dw,dd [addr1/d]
[addr2/s] [length] m,mw,md [addr1] [length] [value] f,fw,fd [addr1] [addr2] [length]
c,cw,cd serial_speed baud,b args... boot reboot,Q [command] help,?
[-f] [from [count]] docwritesys file [-f] loadbios address length checksum p >
usage: %s %s
%s: command not found
%-11s %s
= %08X, %d, %u, 0%o, 0b%s
b delay
*(%08x) = 0x%02x
%08X %c%02X %04X %08X %08X: %02X
%08X: %04X
%08X: %08X
%08X: %02X <=> %08X: %02X
%08X: %04X <=> %08X: %04X
%08X: %08X <=> %08X: %08X
%d
Length: %d at %p
/ ls: opendir error %d
%s
mac address= %02x%c my_ip=%d.%d.%d.%d server_ip=%d.%d.%d.%d
Write error
Change boot partition from %d to %d
Partition mapping isn't SDPL
@3/status .
boot.cfg LinBios 4.4.2b4 (C) Copyright Netgem 1996-2003 (Feb 16 2004 13:59:11)
boot 7 ±X ±`Press [enter] to stop boot
%02X: %02X [ì � %08X
Failed to write sector %d of %d from %0x04x (0x%04x)
DOC_writeCheckedSector: cannot read page 0x%05x
DOC_writeCheckedSector: compare failed for page 0x%05x
Could not find boot record
Boot block is not free
Incorrect size for BIOS (found %d/%d, expect %d)
Writing BIOS (%d)... %04X Done
Write error
Error: block %d should have been erased
DOC_format: bios_size = %d
Erasing ... Searching block table ...
No block table: searching bad blocks ...
Bad Block: #%d
Error: the first block must be free for the BIOS
Writing block table ...
sector 0x%04x DOC error
(Toshiba) (Samsung) (AMD) (Fujitsu) Unknown Vendor ID: %x
Unknown Chip ID: %x
MDOC 8M
SECT SIGN DATA
%04x %02X ...
-erase WARNING: you must use reboot now
-f Overwrite serial from image.
Patching memory image's serial.
header at %d: boot_blocks: %d, data_blocks: %d
Bad blocks: %d N: nb_erase logical_block rep rep_unit er_mark
Error sector %d
%04x: %6d %05x %1d %04x %04x
NumEraseUnits: %d (0x%04x), FirstPhysicalEUN: %d (0x%04x)
FormattedSize: %d (%d Kb), UnitSize: %d
Nbr virtual EUN: %d (0x%04x)
EUN %x|%x
%04x: %04x %c %04x: %04x %04x %c Bad unit:
EU %d: (0x%02x) original
marked
???
%d bad erase unit%c
free blocks: %d, replacements: %d
nftl: cannot mount (no media header found)
** Mismatch with previous one!!
Err: media header is not in physical area
Err: formatted size is not a multiple of sectorsize
Err: more erase units than doc size
Err: unhandled unit size factor 0x%02x
nftl:err: errors, try to reformat
Err: cannot read bad erase unit table %d at page %d
Err: BEUT %d mismatch
Err: cannot read any BEUT
Warn: main & spare virt UN of block 0x%04x mismatch
Warn: main & spare repl UN of block 0x%04x mismatch
Warn: block 0x%04x marked as free while being non free. Please report this bug.
Err: bad virtual EUN (0x%04x) for EUN 0x%04x
Err: severals EUN for virtual EUN 0x%04x: 0x%04x 0x%04x
Err: bad replacement EUN (0x%04x) for EUN 0x%04x
Err: replacement EUN (0x%04x) referenced by 0x%04x is not marked replacing
Warn: long replacement chain for EUN 0x%04x
Err: infinite replacement chain for EUN 0x%04x
Err: physical EUN 0x%04x replaces a nil virtual EUN 0x%04x
nftl:err: errors, mounted read-only (you should reformat)
nftl_write: bad write off/len: block=0x%04x, nsect=0x%04x
nftl_write: cannot write block 0x%04x (r=%d)
/dev/nftla 0x%04x: 0x%04x ... (%d)
Œstat badtable chains erase uci mount help header map commands:
header disp media header
map [MAX] disp virtual map
mount remount
uci disp unit control info
erase NUM free virtual block NUM
chains disp chains
badtable disp bad unit table
stat disp statistics
res = %d
ÿÿÎ�ÿÿÎ�ÿÿÎŽÿÿÎÄÿÿÎÌÿÿÎÔÿÿÎðÿÿÎøÿÿÏ Memory error
Memory Error
Can't get the MBR
File don't contain any SDpl mapping (%08X) !
CRC error got %08X instead of %08X (%08X)
SDPL layer version %02d - %04d sects/bloc - %04d blocs - size: %05d Kbytes
%c Partition %02d - size %02d blocs - %05d Kbytes
Load ELF file %s failed
root=/dev/sla%c sdpl_map=%s ROOTDEV=/dev/sla%c root=%s%c ROOTDEV=%s%c NBPARTS=3 NBPARTS=4
MACADDR=%02x:%02x:%02x:%02x:%02x:%02x REBOOT=%d mem=%dM HW_TYPE=%d HW_OPTIONS=%d N6 Version : %08x
(Version detect: %08lx - %08lx)
GPO: %08X, GPTC: %08X, GPR1: %08X, GPIS30: %08X
Open file %s failed
Read elf header error
Error : not an ELF file...
Read program header error
starting %s
addr_self_test %s: read error at: %p: 0x%08lx
%s: read inv error at: %p: 0x%08lx
%s done
pattern_test testing patterns: 0x%02x ..
%s: pattern error at: %p: 0x%02x (0x%02x)
%s: inv pattern error at: %p: 0x%02x (0x%02x)
%s done
Starting memtest from %p len=0x%08lx
Starting pass %d of %d
Memory error
Memory test successfull
Unable to proceed to memory test
Unable to proceed to video memory test
vmlinuz ÿÿÿ Â @�0P �`
Endpoint 101 
Do you still have the upgrade.bin left somewhere? I am interested in decoding i-player/netgem netbox firmware and would like to start my research using your findings.
Thanks!