Belgacom TV (Mood 337) Box
--------------------------

I own two Belgacom TV Boxes. Because I found no GPL download,
I've done some reverse engineering on the box to investigate
the opportunity to run my own software on that thing.
This readme summarizes that.

Update (2007-12-10): Now there is a GPL repo located here:
ftp://ftp.opensource.tilgin.com (dunno what src quality)

To enter the Box, a voltage converter for the serial port
is required (see seriell.jpg). My serial adapter needs
3.3 volts, available from the bottom/right pin (on the
seriell.jpg under the letter "g" from "debug").

Serial settings: 115 kbaud,n,8,1 (no handshake)

To prepare for hacking, be sure to also have an ethernet
connection ready. To prepare, you need this software:

apt-get install minicom
  Then do a setup to 115200,n,8,1 on /dev/ttyUSB0

ifconfig eth0 192.168.1.100 up
  Prepare a static ip on the ethernet card

apt-get install tftpd-hpa
  Will install and start a tftp server, you can place
  files for upload in /var/lib/tftpboot/

apt-get install pure-ftpd
  Install an ftp server with anon access. You need to change
  /etc/pure-ftpd/conf/NoAnonymous to "no" and add a new "ftp"
  group as well as a new "ftp" user with group "ftp" and
  home=/srv/ftp. Create a /srv/ftp dir, chown it to ftp:ftp
  and place a file there. Verify with "wget -O - ftp://localhost/"

apt-get install dnsmasq
  Install a DHCP Server. Add a single line to /etc/dnsmasq.conf:
  dhcp-range=192.168.1.50,192.168.1.150,12h

Saving the Flash:
=================

If your box is brand new and has never been updated, you should
first save the flash/hdd contents. Start minicom. Then, during
power on, simply connect the debug pin to ground, so u-boot will
wait 1 second for a [return key] on startup. You will have the
u-boot command line then.
To start linux with a console simply issue:

  setenv bootargs $(bootargs) init=/bin/sh
  boot

As a side-note: to start a loaded kernel with hda2 you can do this:

  setenv bootargs root=/dev/hda2 rw console=ttyS0,115200 init=/bin/sh
  dhcp
  bootm

To activate the /dev/mtd? devices and start httpd, issue:

  mount /dev/ram0 / -t ext2 -o remount
  /etc/init.d/checkroot.sh start
  /etc/init.d/flashconfig start
  /etc/init.d/hdinit start
  sleep 5
  ifconfig eth0 192.168.1.1
  mount /dev/hda1 /media/hdd
  cd /media/hdd;mini_httpd -u root -n&

Save the flash contents and config to files in /tmp and grab them
via wget, e.g. "wget http://192.168.1.1/NOR_0".

  cat /dev/mtd0 > /media/hdd/NOR_0
  cat /dev/mtd1 > /media/hdd/NOR_1
  cat /dev/mtd2 > /media/hdd/NOR_2
  cat /dev/mtd3 > /media/hdd/NOR_3
  cat /dev/mtd4 > /media/hdd/NOR_4
  cat /dev/mtd5 > /media/hdd/NAND_5
  cat /dev/mtd6 > /media/hdd/NAND_6
  cp /etc/mood.conf /media/hdd/PVR
  cp /etc/release /media/hdd/PVR
  cp /etc/remote.cfg /media/hdd/PVR

Disaster recovery & flashing a new kernel version:
==================================================

The NAND_5 file contains the kernel and a large initrd. You can
boot the new kernel via TFTP. Copy the following file to tftp it:

  cp boxnew/NAND_5 /var/lib/tftpboot/mood300_recover_MH02.img

Restart the box (with debug pin to ground) and press [ret] to
halt in u-boot.
The following "dhcp" command will load the new kernel, which is
then started:

  setenv bootargs $(bootargs) init=/bin/sh
  dhcp
  bootm

Get the new kernel file again via FTP and flash it to NAND_5:

  mount /dev/ram0 / -t ext2 -o remount
  mount none /proc -t proc
  mount /dev/hda1 /media/hdd
  cd /media/hdd
  ifconfig eth0 192.168.1.1
  (old:)wget ftp://192.168.1.100/upload/mood-300/boxnew/NAND_5
  (new:)wget ftp://192.168.1.100/upload/mood-300/kernel/mood300_recover_MH02.img
  flash_eraseall /dev/mtd5
  nandwrite /dev/mtd5 NAND_5

Note that mtd6 (NAND_6) is unused with the new kernel - the new
initrd does not use the NAND (as the original initrd does), it
uses hda2 mounted at /media/hdd/AUX. For this reason, you grab
hda2.tar.gz and extract it to the hard disk:

  cd /
  umount /media/hdd
  mount /dev/hda2 /media/hdd
  cd /media/hdd
  wget ftp://192.168.1.100/upload/mood-300/boxnew/hda2.tar.gz
  tar xvzf hda2.tar.gz

After this, you need to recover the flashfiles (hopefully saved
earlier). Check if the necessary three files are there:

  mount /dev/ram0 / -t ext2 -o remount
  /etc/init.d/checkroot.sh start
  /etc/init.d/flashconfig start
  flashfiles list

If this does not list 3 files, you need to recover. E.g.

  cd /etc
  wget ftp://192.168.1.100/upload/mood-300/boxold/mood.conf
  wget ftp://192.168.1.100/upload/mood-300/boxold/release
  wget ftp://192.168.1.100/upload/mood-300/boxold/remote.cfg
  flashfiles add /etc/mood.conf
  flashfiles add /etc/release
  flashfiles add /etc/remote.cfg

Putting Nylon on the Mood:
==========================

I've managed to break my box completely. For that reason, I
recombined nylon (a linux for the 4G meshcube) with the stock
mood software. This will give you the mood software combined
with nylon. Which means:

- Serial login for emergency
- opensshd on the configured IP (see "sysflash" below)
- A real shell (bash)
- Simple ipkg update / ipkg install

You need a clean AUX (aka hda2, see above under "Disaster recovery").

0) Optional: Configure static network settings.
   Issue these commands:

   sysflash -w staticip -v true
   sysflash -w ip -v 192.168.1.1
   sysflash -w mask -v 255.255.255.0
   sysflash -w gateway -v 192.168.1.254
   sysflash -w dns -v 81.169.139.12

1) Load and untar the nylon-for-mood-AUX.tgz to /media/hdd/AUX:

   cd /media/hdd/AUX
   wget http://download.berlin.freifunk.net/sven-ola/mood-300/nylon-for-mood-AUX.tgz
   tar xvzf nylon-for-mood-AUX.tgz
   sync

   Restart by pulling the plug. During the restart, the changed
   etc/init.d/rc script copies the mood software to AUX, then it
   changes/adds a couple of symlinks in the initrd and continues
   with unpacking the nylon addons on top. Takes some minutes
   because of ssh-keygen...

2) Login to the box using this command:

   ssh root@192.168.1.1

3) Change the root password:

   passwd

4) You may activate the unused /dev/hda1 as swap. Issue:

   vi /etc/fstab
   (press [i] and insert this line:)
   /dev/hda1 swap swap defaults 0 0
   (press [esc][:][w][q][ret])
   mkswap /dev/hda1
   swapon -a
   free

5) Without connectivity to the Belgacom TV server, save CPU
   resources by:

   mkdir /etc/rc2.d-disabled
   mv /etc/rc2.d/S90startapp /etc/rc2.d-disabled

6) Restart the box with:

   reboot

7) Optional lighttpd as debian package (ignoring the wild
   warning zoo):

   (add "-p 81" to /etc/init.d/minihttpd)
   ipkg update
   mkdir /etc/rc3.d /etc/rc4.d /etc/rc5.d
   ipkg -force-overwrite install dpkg
   ipkg -force-overwrite install debconf
   ipkg -force-overwrite install dialog
   ipkg -force-depends install perl-modules
   (now reboot to init the dpkg system in /var)
   mkdir /usr/share/base-files
   touch /usr/share/base-files/info.dir
   ipkg -force-overwrite install lighttpd (two times!)
   vi /etc/init.d/lighttpd
   [add next 2 lines after "start)"]
   mkdir -p /var/log/lighttpd
   chown www-data:www-data /var/log/lighttpd
   vi /etc/lighttpd/lighttpd.conf
   (change to server.document-root = "/srv/www/")
   /etc/init.d/lighttpd stop
   mv /var/www /srv
   /etc/init.d/lighttpd start

8) Feeling brave?
   Ok, we install an X client:

   mkdir /etc/default
   touch /etc/default/rcS
   ipkg -force-overwrite install xterm (several times!)
   ipkg install mood-weirdx
   weirdx -Dweirdx.windowmode=RootlessWM &
   export DISPLAY=localhost:2.0
   xterm
   (don't know what it's good for, no kbd etc. So we continue)
   ipkg install xbase-clients
   xclock -geometry 520x520+100+35 -update 1 &
   (oh, well that thing has no clock, so this will do)
   ipkg install ntpdate
   /etc/init.d/ntpdate start

Doing Freifunk on the Mood (outdated, prefer above nylon method):
=================================================================

After initializing the hda2 contents, you may add the freifunk
addons (olsrd, driver for Ralink-USB-Wireless, dropbear), simply
untar the addon pack:

  cd /media/hdd/localexec/root
  wget ftp://192.168.1.100/upload/mood-300/mood-freifunk.tgz
  tar xvzf mood-freifunk.tgz

To disable the TV app, which tries to connect to the application
server and may write flash every 30 seconds:

  chmod -x /media/hdd/localexec/root/etc/init.d/startapp

To configure the network config, you can issue these commands:

  sysflash -w ip -v 192.168.1.24
  sysflash -w mask -v 255.255.255.0
  sysflash -w staticip -v true
  sysflash -w dns -v 81.169.139.12

To set a new password (other than "admin") for use with dropbear:

  cd /media/hdd/localexec/root
  usr/sbin/httpd -m [newpassword] > etc/dropbear/passwd

Restart and login with ssh root@192.168.1.24 (pw=admin or [yours]).
If you want to change params, do "cd /media/hdd/AUX/localexec/root"
and change text files using vi, e.g. "vi etc/olsrd.conf" to
configure the geopos and name for olsrd, "vi etc/init.d/olsrd" to
change wifi params and the IP.

Kernel-Compile:
===============

Unpack kernel source from ftp://ftp.opensource.tilgin.com/MOOD/
then apply the patch (also there). Grab the kernel.config from
this directory. Do "make oldconfig;make dep;make zImage". Grab
u-boot sources, do "make dbau1550_el_config;make all". Then you
have a tools/mkimage command.
Generate a bootable image with:

  /usr/src/cross/u-boot-1.3.1/tools/mkimage \
    -A mips -O linux -T kernel -C gzip -a 0x80100000 \
    -e $(objdump -f vmlinux|sed -ne"s/^start address //p") \
    -d arch/mips/zboot/images/vmlinux.gz \
    /var/lib/tftpboot/mood300_recover_MH02.img

// Sven-Ola

old: Belgacom TV (Mood 337) Box (Old version for reference only)
old: ===========================================================
old:
old: I own a Belgacom TV Box. Because I found no GPL download,
old: I've done some reverse engineering on the box to investigate
old: the opportunity to run my own software on that thing.
old: This readme summarizes that.
old:
old: To enter the Box, a voltage converter for the serial port
old: is required (see seriell.jpg). My serial adapter needs
old: 3.3 volts, available from the bottom/right pin (on the
old: seriell.jpg under the letter "g" from "debug").
old:
old: Serial settings: 115 kbaud,n,8,1 (no handshake)
old:
old: During power on, simply connect the debug pin to ground,
old: so u-boot will wait 1 second for a [return key] on startup.
old: You will have the u-boot command line then. To investigate
old: on your own simply issue:
old:
old:   setenv bootargs $(bootargs) init=/bin/sh
old:   boot
old:
old: After startup, you have a limited linux command line from
old: the initrd compiled into the kernel. To inject dropbear/ssh,
old: available later (if you have a DHCP server) under the DHCP
old: acquired IP addr with root/admin, enter:
old:
old:   mount /dev/ram0 / -t ext2 -o remount
old:   ifconfig eth0 192.168.1.1
old:   wget ftp://192.168.1.100/upload/mood-300/dropbear-static.tgz
old:   gunzip -c dropbear-static.tgz | tar xv
old:   rm dropbear-static.tgz
old:   exec /sbin/init
old:
old: The serial console is somewhat dysfunctional.
old: Serial port RX is disabled during one of the startup
old: scripts, so I tried dropbear directly (my ftp server is
old: on 192.168.1.100):
old:
old:   mount /dev/ram0 / -t ext2 -o remount
old:   mount none /proc -t proc
old:   mount none /dev -t devfs
old:   ifconfig eth0 192.168.1.1
old:   cd /
old:   wget ftp://192.168.1.100/upload/mood-300/busybox-static.tgz
old:   gunzip -c busybox-static.tgz | tar xv
old:   rm busybox-static.tgz
old:   export PATH=$PATH:/opt/busybox.static
old:   # Those are created during startup (don't know when, but now missing)
old:   for i in 0 1 2 3 4 5 6 7 8 9; do ln -s pty/m$i /dev/ptyp$i; mknod /dev/ttyp$i c 3 $i;done
old:   /etc/init.d/telnetd startnow
old:   cd /tmp;mini_httpd -u root -n&
old:
old: The httpd daemon in the /tmp directory is waiting for your
old: download commands. To get data into that thing simply use
old: the wget command on the box.
old:
old: Without contact to the Belgacom application server, the HDD has
old: 3 empty partitions. There are 5 nor-flash partitions (0-4 = 2 Mb)
old: and 2 nand-flash partitions (5+6 = 64 Mb):
old:
old:   mtd0: 00050000 00010000 "all"
old:   mtd1: 00030000 00010000 "uboot"
old:   mtd2: 00010000 00010000 "parameters"
old:   mtd3: 00010000 00010000 "parameters-sysdef"
old:   mtd4: 001b0000 00010000 "misc"
old:   mtd5: 00400000 00004000 "Mood 300 NAND FS 0"
old:   mtd6: 03c00000 00004000 "Mood 300 NAND FS 1"
old:
old: To activate those manually issue (0-3 and 5 unmountable):
old:
old:   mount /dev/mtdblock/4 /media/nor
old:   mount /dev/mtdblock/6 /media/nand
old:
old: To activate those per script issue:
old:
old:   /etc/init.d/nandfs start
old:   /etc/init.d/hdinit start
old:   mount /dev/hda1 /media/hdd (or hda2 hda3)
old:
old: Installing own software:
old: ------------------------
old:
old: The stock firmware mounts the NAND flash as well
old: as the hard drive under /media. You can simply extract
old: software for example under /media/nand/localexec/root.
old:
old:   mount none /proc -t proc
old:   mount none /dev -t devfs
old:   mount none /tmp -t ramfs
old:   mount /dev/mtdblock/6 /media/nand
old:   ifconfig eth0 192.168.1.1
old:   cd /tmp
old:   wget ftp://192.168.1.100/bla.tar
old:   cd /media/nand/localexec/root
old:   tar xvf /tmp/bla.tar
old:
old: Extracting via u-boot
old: ---------------------
old:
old: There is no tftp upload from the u-boot command line. But you
old: can dump memory contents and convert the output back to the
old: original contents. To dump the flash content issue "fli" and:
old:
old:   md.b bfc00000 200000
old:
old: Because a NAND flash is not memory mapped, dumping that needs
old: to copy the NAND flash contents to RAM first:
old:
old:   nand read 82000000 0 4000000
old:   md.b 82000000 4000000
old:
old: Disaster recovery:
old: ------------------
old:
old: Download mood300_recover_MH02-erasenand.img and place this in
old: your local tftp server's dir as mood300_recover_MH02.img, e.g.
old: /var/lib/tftpboot/mood300_recover_MH02.img. Configure
old: a standard dnsmasq setup which will hand out a DHCP address.
old: Start the u-boot command line and issue "dhcp". Should output
old: this:
old:
old:   BOOTP broadcast 1
old:   *** Unhandled DHCP Option in OFFER/ACK: 57
old:   *** Unhandled DHCP Option in OFFER/ACK: 28
old:   *** Unhandled DHCP Option in OFFER/ACK: 57
old:   *** Unhandled DHCP Option in OFFER/ACK: 28
old:   DHCP client bound to address 192.168.1.60
old:   *** Using default 'mood300_recover_MH02.img' for boot file name
old:   Using Au1X00 ETHERNET device
old:   TFTP from server 192.168.1.100; our IP address is 192.168.1.60
old:   Filename 'mood300_recover_MH02.img'.
old:   Load address: 0x81000000
old:   Loading: ##############################################[...]
old:   done
old:   Bytes transferred = 2709753 (2958f9 hex)
old:
old: Now issue bootm. This will start the recovery kernel, which
old: will start and clean the NAND flash.
old: Now re-power and issue this on the u-boot prompt to
old: start "failsafe":
old:
old:   setenv bootargs $bootargs init=/bin/sh
old:   boot
old:
old: Download mood-nandfs.tgz and place this on your local ftp/http
old: server. Mine has 192.168.1.100, so this works for me:
old:
old:   mount none /proc -t proc
old:   mount none /dev -t devfs
old:   mount none /tmp -t ramfs
old:   cd /tmp
old:   ifconfig eth0 192.168.1.1
old:   wget ftp://192.168.1.100/upload/mood-300/mood-nandfs.tgz
old:   mount /dev/mtdblock/6 /media/nand -t jffs2
old:   cd /media/nand
old:   gunzip -c /tmp/mood-nandfs.tgz|tar xv
old:   sync
old:
old: Now to the complicated part. The system configuration is
old: stored in the mtd2 partition of the NOR flash. We need the
old: /dev/mtdX device files for character dev access. For example
old: the ubiquitous /etc/mood.conf is stored in mtd2. Restart linux
old: from u-boot (see above "setenv", then issue):
old:
old:   mount /dev/ram0 / -t ext2 -o remount
old:   /etc/init.d/checkroot.sh start
old:   /etc/init.d/flashconfig start
old:   flashfiles list
old:
old: If there is no mood.conf listed, you need a new one. This
old: works for me:
old:
old:   cd /etc
old:   cat>mood.conf< /etc/release
old:   flashfiles add /etc/release
old:
old: I don't know which of this stuff has personalized keys, since
old: I do not live in Belgium nor do I want to watch TV too much :)
old: Maybe you can send me your mood.conf so I can include a description
old: of what to change for your box (box serial number is stored anyhow
old: in another part of mtd2).
old:
old: Files in this directory
old: -----------------------
old:
old: busybox-static.tgz
old: dropbear-static.tgz                 statically linked dropbear
old: extract-hexdump.pl                  re-convert md.b output to binary
old: mood300_recover_MH02-erasenand.img  load this via tftp to erase NAND
old: mood300_recover_MH02.img            contents of my /dev/mtd5 partition
old: mood-bb.tar                         static busybox -> /media/nand/localexec/root
old: mood-db.tar                         static dropbear -> /media/nand/localexec/root
old: mood-flash.bin                      2Mb NOR Flash contents dumped with u-boot
old: mood-freifunk.tgz                   busybox, olsr, dropbear -> /media/nand/localexec/root
old: mood-initrd.tgz                     These files are in the initrd
old: mood-nandfs.tgz                     These files are in the NAND flash
old: readme.txt                          (This file)
old: seriell.jpg                         Image from the serial connector
old:
old: Doing Freifunk on the box
old: -------------------------
old:
old: After rewriting the nand with defaults and restarting (see above "setenv"):
old:
old:   mount none /proc -t proc
old:   mount none /dev -t devfs
old:   mount none /tmp -t ramfs
old:   mount /dev/mtdblock/6 /media/nand
old:   ifconfig eth0 192.168.1.1
old:   cd /tmp
old:   wget ftp://192.168.1.100/upload/mood-300/mood-freifunk.tgz
old:   cd /media/nand/localexec/root
old:   gunzip -c /tmp/mood-freifunk.tgz | tar xv
old:
old: To disable the TV app, which tries to connect to the application
old: server and may write flash every 30 seconds:
old:
old:   chmod -x /media/nand/localexec/root/etc/init.d/startapp
old:
old: To set a new password for use with dropbear:
old:
old:   cd /media/nand/localexec/root
old:   usr/sbin/httpd -m [newpassword] > etc/dropbear/passwd
old:
old: To set a static ethernet IP suitable for me (after reboot + ssh):
old:
old:   sysflash -w ip -v 192.168.1.24
old:   sysflash -w mask -v 255.255.255.0
old:   sysflash -w staticip -v true
old:   sysflash -w dns -v 81.169.139.12
old:
old: After this, do a "sync" and reboot via powercycle. Initializing
old: the dropbear keys takes a while. Enter "ssh 192.168.1.24" on
old: your PC to log in.
old:
old: The mood-freifunk.tgz includes 2 usb modules. One for a USB
old: ethernet adapter called "dm9601", the other is for a Wifi USB
old: stick "Ralink rt73". The rt73 wifi device is initialized in the
old: /etc/init.d/olsrd script, so be sure to adapt it to your own
old: settings. May be helpful: insmod rt73-dbg.o has a lot of
old: debug info to display in the kernel log
old:
old: Note: For some reason (dunno why) the nylon binaries meant for
old: the meshcube run on the mood box. So I used the olsrd.ipk from
old: ../nylon/ (on this server). Nylon ipks are packed with the "ar"
old: command, so unpack them with these commands on your PC:
old:
old:   ar x bla.ipk
old:   tar xvzf data.tar.gz
old:
old: Flashing new kernel:
old:
old: You need a working Nandfs in place. Then start (see "setenv").
old: Then enable access to /dev/mtd5 (which holds the kernel):
old:
old:   mount /dev/ram0 / -t ext2 -o remount
old:   /etc/init.d/checkroot.sh start
old:   /etc/init.d/flashconfig start
old:   ifconfig eth0 192.168.1.1
old:   cd /tmp
old:   wget ftp://192.168.1.100/upload/mood-300-von-goetz/NAND_5
old:   flash_eraseall /dev/mtd5
old:   nandwrite /dev/mtd5 NAND_5
old:
old: // Sven-Ola
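
Added example (not part of the original readme, and not the author's
extract-hexdump.pl): converting captured "md.b" output back to binary, as
described under "Extracting via u-boot". It assumes the usual u-boot line
layout of address, up to 16 hex bytes and an ASCII column; the sample
capture and the 0xff padding of lost lines are constructed for illustration.

```python
import re

# One line of u-boot "md.b" output: 8-digit address, colon, up to 16 hex
# bytes each preceded by one space; the ASCII column after it is ignored.
LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})")

# Constructed sample of a serial capture (not taken from a real box).
SAMPLE = """\
md.b bfc00000 28
bfc00000: 10 00 00 0b 00 00 00 00 10 00 00 fd 00 00 00 00    ................
bfc00010: 4d 6f 6f 64 20 33 30 30 20 62 6f 6f 74 2e 2e 2e    Mood 300 boot...
bfc00020: 01 02 03 04 05 06 07 08    ........
"""


def parse_md_b(text, fill=b"\xff"):
    """Rebuild binary data from captured md.b output.

    Returns (base_address, data, gaps); gaps lists (address, length) ranges
    that were missing from the capture and were padded with `fill`.
    """
    base = expected = None
    data = bytearray()
    gaps = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue                      # command echo, prompt, line noise
        addr = int(match.group(1), 16)
        chunk = bytes.fromhex(match.group(2).replace(" ", ""))
        if base is None:
            base = expected = addr
        if addr < expected:
            raise ValueError("address 0x%08x goes backwards" % addr)
        if addr > expected:               # lines lost on the serial link
            gaps.append((expected, addr - expected))
            data.extend(fill * (addr - expected))
        data.extend(chunk)
        expected = addr + len(chunk)
    return base, bytes(data), gaps


if __name__ == "__main__":
    base, data, gaps = parse_md_b(SAMPLE)
    print("base 0x%08x, %d bytes, %d gap(s)" % (base, len(data), len(gaps)))
```

A non-empty gaps list means the capture dropped lines and the dump should be
repeated before the file is trusted as a backup.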
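
Added example (not part of the original readme): a check to run on the PC
before an image goes through "flash_eraseall /dev/mtd5" and "nandwrite". It
validates the header and CRCs of a legacy u-boot image, assuming the file has
the format that the mkimage call under "Kernel-Compile" produces. Function
names and the constructed sample image are assumptions; the type codes are
those of u-boot's image.h.

```python
import struct
import sys
import zlib

IH_MAGIC = 0x27051956                # magic of a legacy u-boot image
HEADER = struct.Struct(">7I4B32s")   # 64-byte header, all fields big-endian
# Codes from u-boot's image.h matching "-O linux -A mips -T kernel -C gzip"
EXPECTED = {"os": 5, "arch": 5, "type": 2, "comp": 1}


def check_uimage(blob, expect_load=0x80100000):
    """Return a list of problems found in a legacy u-boot image (empty = ok)."""
    if len(blob) < HEADER.size:
        return ["shorter than the 64-byte header"]
    (magic, hcrc, _time, size, load, _entry, dcrc,
     os_, arch, type_, comp, _name) = HEADER.unpack_from(blob)
    if magic != IH_MAGIC:
        return ["bad magic 0x%08x" % magic]
    problems = []
    # The header CRC is computed with its own field (bytes 4..7) zeroed.
    header = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    if zlib.crc32(header) & 0xFFFFFFFF != hcrc:
        problems.append("header CRC mismatch")
    # A raw partition dump is padded past the payload, so the length comes
    # from the header's size field, not from the file size.
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) < size:
        problems.append("truncated: %d of %d payload bytes" % (len(data), size))
    elif zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        problems.append("data CRC mismatch")
    found = {"os": os_, "arch": arch, "type": type_, "comp": comp}
    for key, want in EXPECTED.items():
        if found[key] != want:
            problems.append("%s code is %d, expected %d" % (key, found[key], want))
    if load != expect_load:
        problems.append("load address 0x%08x, expected 0x%08x" % (load, expect_load))
    return problems


def build_sample(payload=b"constructed payload, not a real kernel"):
    """Build a small constructed image in memory for trying out the checker."""
    fields = (0, len(payload), 0x80100000, 0x80100000,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 1, b"constructed sample")
    hcrc = zlib.crc32(HEADER.pack(IH_MAGIC, 0, *fields)) & 0xFFFFFFFF
    return HEADER.pack(IH_MAGIC, hcrc, *fields) + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample()
    issues = check_uimage(image)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it with the image file as the only argument; a non-zero exit status means
the file should not be written to mtd5.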