i-Player Hacking

UPDATE: Apologies for the broken images – an old ISP account where I held them disappeared and I need to find them in my backups & stick them onto some webspace.


Note: This article covers the Netgem iPlayer (a freeview box), and not the BBC’s P2P/IP TV offering which shares the same name.

When I say 'hacking' the Netgem iPlayer, I mean it in a good way.. the traditional way, not the media view of hacking which often means 'cracking' systems. This is more affectionate and I'm simply extending what the iPlayer can do without modifying the firmware, reverse engineering or anything that would breach copyrights.

What is the iPlayer?
The iPlayer is a Freeview box developed by Netgem. It's no normal digital TV adapter; it runs an embedded version of Linux (which hasn't been made open source), and a USB port.. into which you can plug in a number of devices.. the one with the most potential is the Belkin F5D5050, USB-to-Ethernet adapter.

It basically means that you can connect the iPlayer to your broadband connection to view online content via it's in-built browser. There's also a decent email client that supports multiple POP3 accounts.

Australia has it's own version of the iPlayer, distributed by TEAC. The software is badged differently, but it functions the same, and fortunately they have a few examples of coding HTML specifically for the box which gave me the inspiration to code some (hopefully useful) web pages.

BT have also recently announced a new addition to their line of Digital TV adaptors.. which is also re-badged version of the iPlayer. It's good news for the whole iPlayer community, since the more people that use it, the better the software will get. We'll hopefully also see more people making useful hacks.. how about a Instant Messenger client, eh?

(pictures of the iPlayer interface from http://www.dtg.org.uk)

Some essential links

There isn't too much in the way of non-official sites. The main source of information for me has either been the forums or the Australian TEAC site. Still, here are some links.. I'll add more if I find any.

Netgem The main site.. not a lot here TBH
Netgem Forums Very useful resource.. and a conduit to the developers who do read the them
TEAC Australia Good to see the iPlayer in use in other countries!
DTG Lots of pictures of the iPlayer in action

Unofficial Forums
This is a completely unofficial forum for discussing the i-Player and everything on this site… I hope you find it useful! :)


Some essential commands when developing with the iPlayer
In the web address box you can type the following commands:

about:tcp This will give you all the TCP/IP connection information you need
about:cache Allows you to reset the browser cache (useful if you're not using the metatag to tell the browser not to cache the page)
about:javascript JavaScript info
about:pics Info on the PICS and IRCA rating of a web page
about:tv Switch to the TV
about:plugins Plugins info
about: Hardware/software info on the i-Player
dvb: Detailed info on the DVB transmission
dvb:NUM Switches to channel NUM

Hooking up the iPlayer to broadband
If you can get hold of the Belkin F5D5050 adaptor then that's a good first step! Anything other than the exact model is unlikely to work (until Netgem add support for a wider range of adapters). Once you've got that you can either stick an ethernet cable straight in, or use a wireless setup if your other half won't let you lay the cable!

If you go for wireless, remember that you can't use a USB dongle.. the driver won't be present in the iPlayer kernel and there's no provision for installing it yourself. There is an alternative; by using access points you can use the Belkin adaptor and a bit of ethernet cable.. the D-Link DWG-700AP was perfect for this. In my case, I bought 2 identical units, set one to be an Access Point, and the other to be a Remote Client. You can get them from eBuyer at £45 each.. which isn't too bad, even though they're only using the 802.11b standard.

New Email Notification

The built-in POP3 email functionality is good, but you do have to keep going to the email screen to see if you've got new mail. Therefore I've coded up a page which will superimpose a new mail message whilst you're watching TV. Since there aren't too many examples out there for the iPlayer I'll explain some of what I've done in more detail.. but hopefully you're a hacker too and therefore shouldn't find it hard to follow what I've done.

– Web server (e.g. Apache) running PHP
– The scripts I've written (9k)
– A POP3 account + it's server/login details
– An iPlayer box running on a broadband connection (see above)

How it works
Basically I coded up a web page which consists of a frameset. The reason for doing this was so that the whole page didn't have to refresh to check for new messages (I'd expected the screen to temporarily flash as it re-rendered the page and wanted to avoid this early on). The frameset is constructed like this:

The modules
As you can see, there are lots of parts to this project, but it's all quite modular so I'll go through each part in turn.

Module Description
The frameset What I've done here is construct a frameset which has certain height settings (see the picture above). This pushes some of the frames off screen.. which is a good thing in this case, but during debug you might want to change the display page to be 200 pixels high so that you can see the other frames.Another thing I've done is include a 1 pixel high frame which is there to focus the iPlayer cursor on. Let me explain.. when I didn't have this, the iPlayer selects the first frame it finds and highlights it with a green rectangle. If I navigate down, the next onscreen frame is selected. Any frames that are off the visible screen area can't be selected. When I first coded up the page, the display.html frame was being selected and a massive green rectangle surrounded the screen! If this happens now, I simply press the down button to move to the 1 pixel-high frame.The 50 pixel high blank frame is simply used as padding to make the other 2 frames go offscreen.Notes…
– To make sure the background is the TV picture (i.e. you can see through the web page), you must include the usual bgcolor=transparent background="tv:" link=transparent attributes, but do this for the frameset rather than the usual <body> section, e.g.<frameset rows="500,1,50,300" border=0 bgcolor=transparent background="tv:" link=transparent>
display.html There's not much to this one.. it's a transparent page and simply has a couple of empty <div> blocks which are positioned to display the onscreen message. One thing to note is the first <div> tag is for the caption's shadow, and the second is for the message.. the ordering is important here since the layering is determined by when the <div> tag was defined.. i.e. the second appears over the top of the first.
timer.html This is an important bit. It contains a bunch of JavaScript code that ticks over every second. In here we tell the checkemail.php to reload every x number of seconds, and if the number of emails changes then it manipulates the display.html <div> tags to display a message. Most of it is self explanatory but there are a few things to note if you're going to code up your own JavaScript for the iPlayer…Notes…
– Even if your scripts work fine on your PC under Internet Explorer, don't expect them to work on the iPlayer.. it uses a different JavaScript engine
– Make sure you define your variables.. IE doesn't care if you don't, but the iPlayer does!
– Try/Catch blocks seem to be treated slightly differently so if your code requires it, check for variables being set to undefined, e.g.if (newMailCount = = undefined) newMailCount = currentMailCount;
checkemail.php It's a shame I couldn't do the POP3 checking in JavaScript.. there might be a way (TBH I didn't bother looking!) but I went for the PHP option since I'm a half-decent PHP coder. It uses a freebie class which makes it even easier to connect to a POP3 account, but apart from that none of it is rocket science. So that the timer.html page can see how may emails are waiting I've put the results of the check into standard HTML text boxes.. it could be done differently but I also found this method useful for testing.
blank.html Blank page with the background set to transparent to let the TV picture show through.
styles.css Contains the font formatting information. In here you can change the size/style of the messages that appear onscreen. Note, that there are two lines you'd have to change, one for the text and one for the text's shadow.

Installing it
That's pretty much it, drop the files into your web server, edit the checkmail.php file to enter your POP3 account details, and perhaps the timer.html page to change the interval between checks (it's set to 5 minutes at the moment). Give it a try on your PC to ensure it all works (it's a pain to debug on the iPlayer since you won't be able to see the bottom 2 frames unless you tamper with index.html), and then fire it up on your iPlayer.

Using it
When you first load it you may see a green rectangle over the screen, if you do, simply press the down button and it'll disappear. You'll also find that if you move channels using the numeric pad, list, or EPG then you'll loose the web page. The only way to navigate channels and keep the web page running is to use the channel +/- buttons. I really do hope that Netgem fix this in the next firmware!

Attempting to capture a copy of the i-Player firmware update
Okay, so it's not like I'd be able to do much with it, but it interested me to see Netgem posting a link to upgrade my i-Player to the new firmware on their forums. If I hit that link with a PC-based browser nothing happens, therefore I set about working out how it's put together.The first step is to find out why the i-Player will work and a PC won't. That's quite a simple if you've been hacking around on the web for a while. Basically it's to do with the browser identification. Each web browser has an ID so that web servers can identify them and tailor the content if required.To find out what the i-Player uses I could check my own web logs but a quick Google search gave me what I needed…

Mozilla/3.01 (compatible; Netgem/3.6.5a; netbox.itv; Linux 2.2)

Okay, so I know how it identifies itself, now how do I spoof this so that I can access the page from my PC. Well, there are two ways to do this.. the first is using our old friend telnet. If you didn't know already, you can actually browse the web using telnet.. albiet in text form and it's very querky!

Spoofing using telnet

Start up telnet with the following command:

telnet www.netgem.com 80

That logs us onto the Netgem web site. Next we need to request the page, so paste in the following line which asks for the December 2003 firmware (it's the link off their forums).

GET http://www.netgem.com/dec2003/ HTTP/1.0

After pasting in that line press return once, since we then need to paste in this line to tell the web server we're an i-Player:

User-Agent: Mozilla/3.01 (compatible; Netgem/3.6.5a; netbox.itv; Linux 2.2)

Press return a couple of times; this will set the User-Agent and then request the page.

Results without spoofing User-Agent (http://www.netgem.com/dec2003/)

HTTP/1.0 200 OK
    Date: Thu, 01 Jan 2004 16:40:21 GMT
    Server: Jetty/NVD-CMS (http://www.novadeck.com)
    Content-Type: text/html; charset=iso-8859-1
    Set-Cookie: jsessionid=h7eqld06;Path=/
    Set-Cookie2: jsessionid=h7eqld06;Version=1;Path=/;Discard
    Cache-Control: no-cache

Results after spoofing User-Agent (http://www.netgem.com/dec2003/)

HTTP/1.0 302 Moved Temporarily
    Date: Thu, 01 Jan 2004 16:41:26 GMT
    Server: Jetty/NVD-CMS (http://www.novadeck.com)
    Content-Type: text/html; charset=iso-8859-1
    Set-Cookie: jsessionid=e5n0u2dj;Path=/
    Set-Cookie2: jsessionid=e5n0u2dj;Version=1;Path=/;Discard
    Cache-Control: no-cache
    Location: https://www.netgemplatform.co.uk/upgrade/index_4.4.jsp?netgem.com
    Connection: close

Spoofing the User-Agent in Internet Explorer

I got a bit fed up using Telnet to do all this so I found that you can use the following technique to spoof the UA in IE. Edit the registry and navigate to…

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings5.0User Agent

If that key doesn't exist, create it. Then enter the following…

  {Default} REG_SZ Mozilla/3.01
  Compatible REG_SZ compatible
  Version REG_SZ Netgem/3.6.5a
  Platform REG_SZ Linux 2.2

Restart IE and now when you hit the web the sites will think you're using the i-Player. If you do this, make sure you delete the key later on so that future web browsing isn't affected!

One step on!

Now we're seeing the actual page it's going to; you can see that it's responding differently depending on the User-Agent string that's being sent. Our next step is to see how the following page works:


If you download this and look at the source you'll see it also pulls in these JSP pages:


The important one for us is the second file. Within this page there's some JavaScript that instructs the i-Player to perform the update and tells it where all the necessary directories are on the update server. This is interesting since we don't know a lot about the custom Javascript functions/properties for the i-Player.

To save you going through all this yourself I've archived off the files into a ZIP file which you can download and take a look at yourself.

Constructing the update path

Some of the processing which happens when you choose to update the i-Player software creates a path to the new firmware. The function that does this is called getUpgradeSubdir() and will return something like this…


When I attempt to navigate to here nothing happens.. it's a blank page. The actual update is likely to be here in binary form.. it's just I don't know the name of the file it'll be downloading.. this must be encoded in the i-Player itself as a standard name such as UPDATE.BIN.

I've tried to packet sniff traffic on my LAN to see what it's doing, however my router (the Netgear DG814) routes the traffic directly to each connected device. Therefore network cards in promiscuous mode won't be able to sniff the traffic. Perhaps someone has an older router which they can sniff the traffic on and let me know exactly where it's going when it attempts a firmware update?

Captured copy of UPGRADE.BIN
Over the past few months people have written to me with various insights into the upgrade process. Soon after I published the section above, someone (who will remain anonymous) got in touch and let me know the name of the upgrade image.As you can see by the title, I wasn't far off when I speculated that the update file was probably given a standard name such as UPDATE.BIN. In fact it's UPGRADE.BIN! I can't host the file here because it's probably illegal, but you can download youself a copy…http://www.netgemplatform.co.uk/upgrade/4.4/n6-5-produk/upgrade.binOkay, so we've got a copy of UPGRADE.BIN, so now what. Well exactly, I looked at the file and you can see plain text headers to a certain point, and then it seems to get encrypted. That was a bit too techie for me, but recently someone got in touch and has come up with a way to decode portions of the file. The code to do this is written in C and I've pasted it below. Stick it though a free C compiler such as LCC and you'll get this exe (5kb).

#include <stdio.h>

unsigned long DataDecode(unsigned long k,unsigned char *data,int len) {
	        unsigned long newk;
	        unsigned int c;
	        for (c=0;c<len;c++) {
	        return newk;

void extract_data(unsigned char *fname,unsigned long offseti,unsigned long len) {
		int k=0;
		int a,b,btogo,toread;
		FILE *fp;
		FILE *fpo;
		unsigned char buf[1024];

// following IF statement didn't work in LCC.. you can uncomment this
		// and it simply won't bother checking that upgrade.bin has opened
		if ((fp>0) && (fpo>0)) {
			while ((b>0) && (btogo>0)) {
				if (btogo>sizeof(buf)) toread=sizeof(buf); else toread=btogo;
			        if (b>0)
		} else printf("Failed to open upgrade.bin for decoding.n");


int main() {

Make sure you've got upgrade.bin in the same directory, and create a sub-directory called data. Run decode and it'll generate you 6 decrypted .img files.

From here we're still suck because we have no way of putting a modified UPGRADE.BIN onto the i-Player. However, people are working on ways around this.. it just may take some time.

Interesting plaintext from the decoded UPGRADE.BIN

There is a hidden maintenance console on the i-Player. We believe it's a telnet shell but don't yet know what you can do with it, or how to access it. Perhaps someone can gleam some useful information from the plaintext below:


..                             bin                            cache
                          cem                            lib
dvbci_server                   dvbfsm                         fb
                             gdbserver                      i2c
memory-14.cfg                  memory-16.cfg                  

memory.cfg                     netgem
                         ngclient                       ping

/home/cache  .                              ..                             
netgem-factory.ini            ; Used by functional test (merged NEVERSYNC).

.                              ..                             hotplug
modules                        3netgem   .                              ..
firmware       .                              ..                             
at76c503-i3861-fw              at76c503-rfmd-fw   

4app_n6.lbr                     5app.pem                        6drums.o3
                       7netgem.lbr                     8netgem-mw.ini

netgem-op.ini alias="Comments", addr="comments@mailbox.tv" ;crc=0x813d0ffa addr="http://www.iwf.org.uk/safe_surfing/parents_tips.html", alias="Kids Safety on the Internet" addr="http://about-the-web.com/shtml/glossary.shtml", alias="Web glossary" addr="http://www.worldwidewebinfo.com/webintro.htm", alias="Web tutorial" ;crc=0x38ec587d @chat Adiskinit Biwconfig Cmkdosfs Dpppon Epppwin Fusb_net.sh /sbin/pppd -detach nologfd noauth nocrtscts local defaultroute /dev/ttyS0 115200& #!/bin/sh # # This program is started by init when functional test mode is selected. # The chat program is needed here as the other end of the serial cable is # connected to a Windows machine. # In order to launch RAS on Windows when the box is ready (launching it # before causes problems), the box sends "READY" at the very beginning. # The RAS-client on the Windows machine sends "CLIENT", and the box answers # "CLIENTSERVER". /sbin/pppd /dev/ttyS0 115200 -detach nologfd noauth nocrtscts local defaultroute connect '/usr/sbin/chat -e -t 120 "" "READYn" CLIENT CLIENTSERVER' #!/bin/sh # # This script loads the low level USB drivers. /sbin/hotplug is called # on device insertion or removal. # # Load USB stack module /sbin/insmod /lib/modules/usbcore.o # Load the SL811 driver /sbin/insmod /lib/modules/sl811.o upgrade_prog.img ================ Reset one environment variable Set one environment variable Reboot Swap root part Try save Save Whole Save Mandatory Error Message Load Save Sync Wait Rmmod Insmod Resize Unmount Mount Exec Bloc device Char device Pipe Symlink Hardlink Make directory Remove Move Copy Update BIOS Update home Update usr Update opt Update sys Upload Download %s : ERROR %%%% %02d /upgrade.log a w Received signal %d code %d location %p Received signal %d from process %d code %d /dev/console UPGRADE: Received signal %d code %d location %p UPGRADE: Received signal %d from process %d code %d Info : %s Remount: %s (%s) EXEC minix /tmp/sdpl_patch.o ERROR: %s at line %d Unable to remove one partition /dev/sla Can't adapt partition size Re-creation of /opt partition not supported yet Don't know how to swith to %d partitions Info : %s Setting status for SWAP to : %02X Action %s failed Can't get header Bad magics in script header Don't know any box with numparts : %d Info : %s Root size: %u Info : %s /opt size: %u Info : %s /usr size: %u Info : %s /home size: %u Info : %s BIOS size: %u Info : %s Total data size: %u Info : %s Number of script commands: %u Info : %s Size of script: %u ÿþÀÿþ èÿþ ôÿþ ÿþÿþŽÿþ ÿþ ŽÿþŽÿþŽÿþ�Can't get memory Can't get the script digest doesn't match for script Can't get memory ÿþŒÿþäÿþ `ÿþ°ÿþ°ÿþ°ÿþ�Info : %s Going to get data: %04X /dev/nftla Info : %s Going to skip %d bytes Can't upgrade system directly. Please contact your vendor Opt partition isn't valid on this system. Please contact your vendor Command isn't a load one %s... Info : %s Length: wanted: %d load: %d Info : %s Allocate %d blocs Unable to prepare upgrade Info : %s Get file (%04X) Info : %s Length: got: %d load: %d Info : %s Test digests Info : %s WARNING: digest differs for bloc %d (%d) Info : %s Loaded %u (%u) bytes from %s ÿþôÿþ ÿþtÿþ¬ÿþäÿþìÿþôInfo : %s Load script from file %s (%04X - %04X) Can't open a stream %s Unable to retrieve stream header %s Info : %s Before read_script: flags: %04X Unable to retrieve script %s Info : %s Before complete_download: flags: %04X Can't complete download /home/.save/ #!/bin/sh exit 2; /home/.save//upgrade Error while executing script %s Error during upgrade ÿþ@ÿþ hÿþ tÿþ �ÿþ �ÿþ4ÿþ ÿþ4ÿþ Žÿþ4ÿþ4ÿþ4ÿþ Èÿþ4ÿþ4ÿþ4ÿþ äÿþ4ÿþ4ÿþ4ÿþ ÿþ(ÿþ�ÿþ�ÿþ�ÿþ€ÿþÿþ°ÿþÿþÀÿþÿþÿþÿþÐÿþÿþÿþÿþäÿþÿþÿþÿþü ÿþØÿþôÿþÿþ,ÿþHInfo : %s Save script in file %s cx:3457: cx:3567: drv:23457: drv:23567: �€°Œ /sbin/inittab Info : %s Tried to open inittab (%d) /sbin/inittab2 HW_TYPE cannot determine HW_TYPE No upgrade data for check This upgrade file doesn't match this hardware... cur_hw=%08x Upgrade version 3.0 upgrade [-h] [-v] [-f] [-q] [-Q] [-O][-i -o] filename -v: increase verbosity -f: do not allow skip (read all data and write them) -Q: require the browser to quit -i: read upgrade script from file filename -O: indicates input file isn't obfuscated /tmp/upgrade3.log hvfqQOi Info : %s Using file as input Info : %s Don't deobfuscate stream Invalid option: %c Bad number of arguments Upgrade doesn't match hardware Info : %s filename: %s (%d) / /usr /home /opt Don't know what to do with %d partitions Info : %s Send QUIT command QUIT QUITOK Info : %s Answer : %s Error while asking: %s Info : %s Going out with return code: %d ÿþ ÿþÄ%s/.save.%02d./ Unable to copy %s into %s Info : %s Got to put back %s from %s Unable to put %s back in place unable to upgrade partition Unable to save file %s Upload isn't supported yet /tmp/bd_remap.o /tmp/dev/remap /tmp/dev Unable to create remap device /vmlinuz /lib/modules can't remap system partition %s%d REBOOT Partition already upgraded Error saving %s Can't copy file %s to %s Can't move file %s to %s Can't create directory %s Unable to link %s to %s Unable to symlink %s to %s Unable to create pipe %s Unable to create device %s Can't mount partition %s to %s Can't unmount partition %s No infos on partition to resize /sbin/insmod -f /sbin/rmmod Unable to save %s Unable to load script %s Info : %s %s %s %s %s Info : %s %s %s Info : %s Init font Info : %s Init title area Info : %s Init progress area Info : %s Init message area UPGRADE to version 4.4.2 Info : %s Put %s on screen In progress Upgrade progress: Loading upgrade data. Please wait. This may take up to 20 minutes Info : %s Init progress bar /dev/bios ERROR: %s at line %d UPGRADE Info : %s %d bloc to get, %d to move, %d to leave Can't open partition %s %s/%s . .. Info : %s can't acces to dir: %s %s%1u Info : %s %s size is %d, %d sectors reserved Info : %s Bloc size is %d /dev/sla Info : %s Got: %d - I want %d Info : %s Orig size: %d - wanted: %d - diff: %d blocsize: %04u - bloc org: %d - new_blocs: %d -> %d Info : %s Going to add %d blocs to partition %d Info : %s Going to remove bloc %d from partition %d Info : %s Partition %d %s: wanted %u, got %u Info : %s Skip partition: %d Info : %s Partition sizes: Info : %s wanted: %u - %u - %u - %u -> %u Info : %s got %u - %u - %u - %u -> %u (%u res) /dev/ram1 /tmp/mnt/ /tmp/mnt/rd /tmp/mnt/rd/ /tmp/mnt/rd/opt/  /proc /proc/%d/exe /sbin/ /bin/ /dev/tty1 ioctl KDSETMODE ERROR: %s at line %d SCREEN /dev/fb0 ERROR: %s at line %d HELP Info : %s Got to get %d bytes (%04X) -> is%s Obfuscated n't Info : %s Other type: %04X -> is%s Obfuscated Got %d bytes, remaining: %d Info : %s Got to save %d bytes (%04X) TRACE_RC %ld-%ld: ERROR: %s at line %d COMMON Info : %s %s size is %d / %s%1u Info : %s Root part is %s, so alternate is %s Bad number of partitions Info : %s Partition %d (%s) has size zero ! Info : %s Got %d partitions Info : %s Put boot flag on partition %s Cannot launch %s /dev/null /sbin/mkfs.minix -w %d -i %ld Info : %s Mount: %s at %s minix discarded empty empty (0xFF) not remapped copied unknown type: %d ÿþ�šÿþ�xÿþ��ÿþ��ÿþ�žMount point: %s %d %d %lu Special files: * %s skipped Bloc %lu to %lu: Memory error Add file %s with type /dev/remap Unable to open %s : %s Unable to unmap dev %d : %s ÿþ�ðÿþ�Lÿþ�Tÿþ�`ÿþ�pÿþ�äÿþ�|ÿþ�äÿþ��ÿþ�äÿþ�äÿþ�äÿþ��ÿþ�äÿþ�äÿþ�äÿþ�°ÿþ�äÿþ�äÿþ�äÿþ�Ècan't stat: %s /tmp/__%02x__%02x__ can't create: %s can't open: %s can't get size of %s : %s WARNING: unknown file: %s - Skip it WARNING: can't open file: %s for reading - Skip it WARNING: can't stat %s - Skip it WARNING: file %s is on another device - Skip it Add directory %s content recursively Error : can't get block for file: %s Unable to open device: /dev/remap map failed for device: %s ÿþ�Tÿþ�Tÿþ�Tÿþ� ÿþ�Tÿþ�Tÿþ�Tÿþ�8 /dev/slowmem ERROR: %s at line %d STREAM ERROR: %s at line %d STRLOW Info : %s Realloc %d -> %d + %d READ %d SKIP %d ÿþ³Àÿþ³,ÿþ³Àÿþ³@ÿþ³Àÿþ³Àÿþ³Àÿþ³Tÿþ³Àÿþ³Àÿþ³Àÿþ³pÿþ³Àÿþ³Àÿþ³Àÿþ³� %s Unknown error %d /dev/tty0 )$))(ü(ä(Ü(Ð(Ž(¬(�(�(h((P(D (4(((('ø'à'È'°'�'|'d'T'D I/O possible Window changed Profiling timer expired Virtual timer expired File size limit exceeded CPU time limit exceeded Urgent I/O condition Stopped (tty output) Stopped (tty input) Stopped Stopped (signal) Continued Child exited Terminated Alarm clock Broken pipe User defined signal 2 Segmentation fault User defined signal 1 Killed Floating point exception Bus error Aborted Trace/breakpoint trap Illegal Instruction Quit Interrupt Hangup Unknown signal %d : %s%s%s %s:%d: assertion '%s' failed in function '%s' .ð.È.€.t.P.8.$.. -à-Ä-¬-�-t-T-<-(--,ôWrong medium type No medium found Quota exceeded Remote I/O error Is a named type file No XENIX semaphores available Not a XENIX named type file Structure needs cleaning Stale NFS file handle Operation now in progress Operation already in progress No route to host Host is down Connection refused Connection timed out Too many references: cannot splice Cannot send after transport endpoint shutdown Transport endpoint is not connected Transport endpoint is already connected No buffer space available Connection reset by peer Software caused connection abort Network dropped connection because of reset Network is unreachable Network is down Cannot assign requested address Address already in use Address family not supported by protocol Protocol family not supported Operation not supported on transport endpoint Socket type not supported Protocol not supported Protocol not available Protocol wrong type for socket Message too long Destination address required Socket operation on non-socket Too many users Streams pipe error Interrupted system call should be restarted Illegal byte sequence Cannot exec a shared library directly Attempting to link in too many shared libraries . lib section in a.out corrupted Accessing a corrupted shared library Can not access a needed shared library Remote address changed File descriptor in bad state Name not unique on network Value too large for defined data type Not a data message RFS specific error Multihop attempted Protocol error Communication error on send Srmount error Advertise error Link has been severed Object is remote Package not installed Machine is not on the network Out of streams resources Timer expired No data available Device not a stream Bad font file format Invalid slot Invalid request code No anode Exchange full Invalid request descriptor Invalid exchange Level 2 halted No CSI structure available Protocol driver not attached Link number out of range Level 3 reset Level 3 halted Level 2 not synchronized Channel number out of range Identifier removed No message of desired type Operation would block Too many symbolic links encountered Directory not empty Function not implemented No record locks available File name too long Resource deadlock would occur Math result not representable Math argument out of domain of func Broken pipe Too many links Read-only file system Illegal seek No space left on device File too large Text file busy Not a typewriter Too many open files File table overflow Invalid argument Is a directory Not a directory No such device Cross-device link File exists Device or resource busy Block device required Bad address Permission denied Out of memory Try again No child processes Bad file number Exec format error Arg list too long No such device or address I/O error Interrupted system call No such process No such file or directory Operation not permitted Success system in use Arena %d: %10u %10u Mmap : %10u %10u Total : %10u %10u max system bytes = %10u max mmap regions = %10u max mmap bytes = %10lu ÿÿÄÿÿŽÿÿ€ÿÿ�ÿÿpÿÿ`Heap %p, size %10lx: chunk %p size %10lx (top) (fence) FREE BLOCK { %c t r n %02X }    ?    %s: invalid option -- %c %s: option requires an argument -- %c } @   �ÿÿÿ ÿÿÿÿ ÿÿÿÿ k .symtab .strtab .shstrtab .init . text .fini .rodata .sdata2 .data hw_match_ids .got2 .ctors .dtors .got .sdata .sbss .bss    t t $  !   � ÿÿÿÿ k .symtab .strtab .shstrtab .init part_usr.img ============ # kernel boot configuration append="physmap_part=0x00000,0x7e0000" dbg_lvls="23" append_prod="console=null" append_dbg="CONSOLE=1 console=ttyS0,115200n8" . .. audio bios console dsp dsp1 dvbci fb0 hda hda1 hda2 hda3 hda4 hwserial i2c-0 i2c-1 input io ir0 led lp0 mem mixer mixer1 mtd0 mtdblock0 mtdblock1 !nftla "null $ost +ppp . mice $. .. # %audio &demux 'dvr (frontend )sec *video #.  ,ptyp0 -ptyp1 .ptyp2 /ptyp3 0ptyp4 1ptyp5 2ptyp6 3ram1 4ram2 5sequencer 6sla 7sla1 8sla2 9sla3 :sla4 ;slowmem sw ?ttx @tty0 Atty1 Btty2 Ctty3 Dtty4 Etty5 Ftty6 Gttyp0 Httyp1 Ittyp2 Jttyp3 Kttyp4 Lttyp5 Mttyp6 NttyS0 OttyS1 PttyS2 QttyS3 RttySC0 _firmware dadc_dvb_uc.o eadc_vulcan.o fbiosupgrade.o gcxa2161.o hcxd1973R.o idragnet.o jfe.o kfirmware_class.o lir.redwood.o mkaweth.o npegasus.o ortl8150.o psl811.o qsmcard.o rsw_vulcan.o stda10086.o tucode.o uusbcore.o vusbnet.o wvdc_vesta.o xvdc_vulcan.o yvesta.o /home/opt }. .. ~. .. �cxmgr �dhcpcd �drvmgr �drvmgr.cfg �fsck.minix �hotplug �init �inittab �insmod �ip-change �mkfs.minix �pppd �pppoe �rc.sysinit �rlogind �rmmod �rshd �system.conf �upgrade # XXX: The two first one should be configured directly by the cxmgr... # Local network ifname=lo class=net device=lo driver=none bootload=y configure=y ipaddr= addroute=y network= netmask= # DVB download stream network ifname=dvb0 class=net device=dvb0 driver=none # ??? bootload=y configure=y ipaddr= netmask= # For multicast tests # addroute=y # network= # Generic drivers # Firmware loader ifname=firmware_class class=core device=none driver=firmware_class bootload=n # USB device firmware upgrade ifname=usbdfu class=core device=none preload=firmware_class driver=usbdfu bootload=n # Scsi stack ifname=scsi class=core device=none driver=scsi_mod bootload=n # Scsi disks support ifname=sd class=disk device=none driver=sd_mod preload=scsi bootload=n # Generic CDROMs support ifname=cdrom class=disk device=none driver=cdrom bootload=n # Scsi CDROMs support ifname=sr class=disk device=none driver=sr_mod preload=scsi preload=cdrom bootload=n # Scsi generic devices support ifname=sg class=core device=none driver=sg preload=scsi bootload=n # Input devices ifname=input class=input device=none driver=input bootload=n # Keyboard input device ifname=keybdev class=input device=none driver=keybdev bootload=n # Mouse input device ifname=mousedev class=input device=none driver=mousedev bootload=n # File systems support # Vfat support ifname=vfat class=fs device=none driver=vfat preload=fat bootload=n # NLS support ifname=nls class=fs device=none driver=none preload=nls_cp437 preload=nls_iso8859-15 preload=nls_utf8 bootload=n # Netgem boards drivers # demodulator for N6 (including the tuner) ifname=demod_ter class=core device=none driver=cxd1973R bootload=y drvopts=bus_id=0 demod_connect_retry=3 tuner_bus_id=0 hardware=0x0600FFFF # front end for N6 ifname=fe class=core device=none driver=fe bootload=y hardware=0x0600FFFF # demodulator for N9 (including the tuner) ifname=demod_sat class=core device=none driver=tda10086 bootload=y drvopts=bus_id=0 debug=0 tuner_addr=0x60 tuner_type=16 tuner_bus_id=0 hardware=0x0900FFFF # cxd2099a module: DVBCI for N6-6 ifname=pcmcia6 class=core device=none driver=cxd2099a drvopts=io_base=0x70000000 bootload=y hardware=0x060006FF # PPP interface ifname=ppp0 class=net device=ppp0 driver=dragnet drvopts=io=0x730FF000 irq=27 hw_version=${HW_TYPE} hw_options=${HW_OPTIONS} exec=/usr/bin/ngclient "device=internal/modem;mode=add;class=modem;kernel;name=Internal Modem" bootload=y # Should not be... hardware=0x060003FF hardware=0x060005FF hardware=0x090001FF # ethernet interface for N6-4 ifname=eth4 class=net device=eth0 driver=smc91111 drvopts=io=0x73000300 irq=26 nowait=1 exec=ifconfig eth0 hw ether ${MACADDR} bootload=y hardware=0x060004FF # ethernet interface for N6-6 ifname=eth6 class=net device=eth0 driver=smc91111 drvopts=io=0x73000300 irq=27 nowait=1 exec=ifconfig eth0 hw ether ${MACADDR} bootload=y hardware=0x060006FF # USB interface # N6-4: ifname=usb4 class=usb device=none driver=hcd-1161 preload=usbcore bootload=n hardware=0x060004FF # N6-3: ifname=usb3 class=usb device=none driver=sl811 preload=usbcore bootload=y hardware=0x060003FF hardware=0x090001FF # N6-5: ifname=usb5 class=usb device=none driver=sl811 preload=usbcore drvopts=sl811_irq=26 bootload=y hardware=0x060005FF hardware=0x060006FF # native ide support # N6-4 version ifname=ide-mod4 class=core device=none driver=ide-mod drvopts= bootload=n hardware=0x060004FF # N6-6 version ifname=ide-mod6 class=core device=none driver=ide-mod drvopts=stb03_irq=28 bootload=n hardware=0x060006FF ifname=ide-probe-mod class=core device=none driver=ide-probe-mod drvopts= bootload=n # NOTE: I don't understand why vfat needs to be loaded. partition # format check should load the required filesystem driver. # Jma: known problem: for now, filesystem probe is all done by the kernel, # so filesystem drivers are needed before we mont them... ifname=ide-disk4 class=disk device=none driver=ide-disk preload=vfat preload=nls preload=ide-mod preload=ide-probe-mod drvopts= bootload=y hardware=0x060004FF ifname=ide-disk6 class=disk device=none driver=ide-disk preload=vfat preload=nls preload=ide-mod6 preload=ide-probe-mod drvopts= bootload=y hardware=0x060006FF # There come USB devices # Pegasus USB-ethernet driver ifname=pegasus class=net device=none driver=pegasus preload=usbcore bootload=n # Kawasaki USB-ethernet driver ifname=kaweth class=net device=none driver=kaweth preload=usbcore bootload=n # RTL8150 USB-ethernet driver ifname=rtl8150 class=net device=none driver=rtl8150 preload=usbcore bootload=n # Host to host USB adapters ifname=usbnet class=net device=usb0 driver=usbnet preload=usbcore bootload=n # we "known" that Windoz likes this address... configure=y ipaddr= addroute=y network= netmask= # Philips Webcam driver ifname=pwc class=video device=none driver=pwc drvopts=size=qcif fps=5 fbufs=2 mbufs=2 preload=usbcore bootload=n # Quickcam express webcam ifname=quickcam class=video device=none driver=quickcam drvopts=bright=40000 preload=usbcore bootload=n # Usb storage support ifname=usb-storage class=core device=none driver=usb-storage preload=sd preload=sr preload=vfat preload=isofs preload=nls bootload=n # Usb printer support ifname=printer class=printer device=none driver=printer bootload=n # usb hid (keyboard, mouse, ...) support ifname=usb-hid class=input device=none driver=hid preload=input preload=keybdev preload=mousedev bootload=n # Generic ATMEL WIFI device's driver ifname=atmel class=net device=none preload=firmware_class preload=usbdfu driver=at76c503 bootload=n # ATMEL chipset based USB-Wifi adapters. ifname=at503-rfmd class=net device=none driver=at76c503-rfmd preload=usbdfu preload=atmel bootload=n ifname=at503-i3861 class=net device=none driver=at76c503-i3861 preload=usbdfu preload=atmel bootload=n # Lucent chipset based USB-Wifi adapters ifname=hermes class=net device=none driver=hermes preload=firmware_class bootload=n ifname=orinoco class=net device=none driver=orinoco preload=firmware_class bootload=n ifname=orinoco_usb class=net device=none driver=orinoco_usb preload=hermes preload=orinoco bootload=n # tda8002 module: smartcard for N6-6 ifname=smcard class=core device=none driver=smcard bootload=y hardware=0x060006FF hardware=0x060005FF insmod rlogind hardware_type = n6-dtt firmware_digest = 4DD74097E145706D9A03851AEADB1AABAB540115 oem = NetgemUK firmware_version = 4.4.2 firmware_date = Mon Feb 23 14:00:00 UTC 2004 @K< @K  @O� .symtab .strtab .shstrtab .text .data .bss part_ptab.img ============= BIOS  ÅÏTé$e¹�ÿÊ Eš#�žØñ2q USR  F~þþ^l�±4ì¬�óÉÛœ× ROOT 9` Ã�è;_,ÅKEOÍmÍ$ part_bios.img ============= ,}+x9@ � | Sx| X8� N� |BŠT �>N� %06dKB write error: %d read error %d OK %d kB Could not load '%s' append append_prod append_dbg dbg_lvls tvstd ntsc palm paln tvout svhs rca bpp allow_serial_line allow_interactive_bios NOAPP=1 Loading %s (not found %d) (%d bytes) � ì  `Partition magic error (0x%04x) Boot Start Blocks Id Device %c %7d %7d %02x %s%d read error write error sector 0x%4x: NFTL: DOC found at %p Block device init error No valid system partition 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdef octet 5 6� ÿÿÿÿÿÿ   ¯ «À «ž T� «° «� �x «� «� �� vmemtest [nb [start [len]]] memtest NUMPART chpart [PATH] ls FILENAME [ADDR] load ADDR SIZE crc ADDR pr savecfg [my_ip [server_ip]] ipcfg [xx:xx:xx:xx:xx:xx] macaddr [address] netrx s|p|c console FILENAME logo n fib ms delay [CMD [NUM]] nftl docinfo doccheck block [count] docerase docwrite docread [-erase] [from [count]] docformat [sector [count]] docdump sector [count [from]] bw sector [count] bd sector [count [dest]] br address g vmlinuz file loadimage [NTSC/PAL] tv value value [...] + addr2 value [...] e,ew,ed [addr1] [length] d,dw,dd [addr1/d] [addr2/s] [length] m,mw,md [addr1] [length] [value] f,fw,fd [addr1] [addr2] [length] c,cw,cd serial_speed baud,b args... boot reboot,Q [command] help,? [-f] [from [count]] docwritesys file [-f] loadbios address length checksum p > usage: %s %s %s: command not found %-11s %s = %08X, %d, %u, 0%o, 0b%s b delay *(%08x) = 0x%02x %08X %c%02X %04X %08X %08X: %02X %08X: %04X %08X: %08X %08X: %02X <=> %08X: %02X %08X: %04X <=> %08X: %04X %08X: %08X <=> %08X: %08X %d Length: %d at %p / ls: opendir error %d %s mac address= %02x%c my_ip=%d.%d.%d.%d server_ip=%d.%d.%d.%d Write error Change boot partition from %d to %d Partition mapping isn't SDPL @3/status . boot.cfg LinBios 4.4.2b4 (C) Copyright Netgem 1996-2003 (Feb 16 2004 13:59:11) boot 7 ±X ±`Press [enter] to stop boot %02X: %02X [ì � %08X Failed to write sector %d of %d from %0x04x (0x%04x) DOC_writeCheckedSector: cannot read page 0x%05x DOC_writeCheckedSector: compare failed for page 0x%05x Could not find boot record Boot block is not free Incorrect size for BIOS (found %d/%d, expect %d) Writing BIOS (%d)... %04X Done Write error Error: block %d should have been erased DOC_format: bios_size = %d Erasing ... Searching block table ... No block table: searching bad blocks ... Bad Block: #%d Error: the first block must be free for the BIOS Writing block table ... sector 0x%04x DOC error (Toshiba) (Samsung) (AMD) (Fujitsu) Unknown Vendor ID: %x Unknown Chip ID: %x MDOC 8M SECT SIGN DATA %04x %02X ... -erase WARNING: you must use reboot now -f Overwrite serial from image. Patching memory image's serial. header at %d: boot_blocks: %d, data_blocks: %d Bad blocks: %d N: nb_erase logical_block rep rep_unit er_mark Error sector %d %04x: %6d %05x %1d %04x %04x NumEraseUnits: %d (0x%04x), FirstPhysicalEUN: %d (0x%04x) FormattedSize: %d (%d Kb), UnitSize: %d Nbr virtual EUN: %d (0x%04x) EUN %x|%x %04x: %04x %c %04x: %04x %04x %c Bad unit: EU %d: (0x%02x) original marked ??? %d bad erase unit%c free blocks: %d, replacements: %d nftl: cannot mount (no media header found) ** Mismatch with previous one!! Err: media header is not in physical area Err: formatted size is not a multiple of sectorsize Err: more erase units than doc size Err: unhandled unit size factor 0x%02x nftl:err: errors, try to reformat Err: cannot read bad erase unit table %d at page %d Err: BEUT %d mismatch Err: cannot read any BEUT Warn: main & spare virt UN of block 0x%04x mismatch Warn: main & spare repl UN of block 0x%04x mismatch Warn: block 0x%04x marked as free while being non free. Please report this bug. Err: bad virtual EUN (0x%04x) for EUN 0x%04x Err: severals EUN for virtual EUN 0x%04x: 0x%04x 0x%04x Err: bad replacement EUN (0x%04x) for EUN 0x%04x Err: replacement EUN (0x%04x) referenced by 0x%04x is not marked replacing Warn: long replacement chain for EUN 0x%04x Err: infinite replacement chain for EUN 0x%04x Err: physical EUN 0x%04x replaces a nil virtual EUN 0x%04x nftl:err: errors, mounted read-only (you should reformat) nftl_write: bad write off/len: block=0x%04x, nsect=0x%04x nftl_write: cannot write block 0x%04x (r=%d) /dev/nftla 0x%04x: 0x%04x ... (%d) Œstat badtable chains erase uci mount help header map commands: header disp media header map [MAX] disp virtual map mount remount uci disp unit control info erase NUM free virtual block NUM chains disp chains badtable disp bad unit table stat disp statistics res = %d ÿÿÎ�ÿÿÎ�ÿÿÎŽÿÿÎÄÿÿÎÌÿÿÎÔÿÿÎðÿÿÎøÿÿÏ Memory error Memory Error Can't get the MBR File don't contain any SDpl mapping (%08X) ! CRC error got %08X instead of %08X (%08X) SDPL layer version %02d - %04d sects/bloc - %04d blocs - size: %05d Kbytes %c Partition %02d - size %02d blocs - %05d Kbytes Load ELF file %s failed root=/dev/sla%c sdpl_map=%s ROOTDEV=/dev/sla%c root=%s%c ROOTDEV=%s%c NBPARTS=3 NBPARTS=4 MACADDR=%02x:%02x:%02x:%02x:%02x:%02x REBOOT=%d mem=%dM HW_TYPE=%d HW_OPTIONS=%d N6 Version : %08x (Version detect: %08lx - %08lx) GPO: %08X, GPTC: %08X, GPR1: %08X, GPIS30: %08X Open file %s failed Read elf header error Error : not an ELF file... Read program header error starting %s addr_self_test %s: read error at: %p: 0x%08lx %s: read inv error at: %p: 0x%08lx %s done pattern_test testing patterns: 0x%02x .. %s: pattern error at: %p: 0x%02x (0x%02x) %s: inv pattern error at: %p: 0x%02x (0x%02x) %s done Starting memtest from %p len=0x%08lx Starting pass %d of %d Memory error Memory test successfull Unable to proceed to memory test Unable to proceed to video memory test vmlinuz ÿÿÿ   @�0P �`

One thought on “i-Player Hacking”

  1. Do you still have the upgrade.bin left somewhere? I am interested in decoding i-player/netgem netbox firmware and would like to start my research using your findings.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: