This looks like one of the most easily moddable/hackable boxes I have ever seen. It is sold by a UK company Maplin and is called a "Maplin Game Capture HD" .
(Sorry in order to get through the new user limitation on posting links I have had to horribly mangle my links)
world wide web dot maplin dot co dot uk /p/maplin-game-capture-hd-a84qu
It is a (cheap) HDMI capture box up to 1080p that has three modes capture to SD card, stream to network and capture to PC via USB. For game play, but can capture any HDMI input (non-HDCP).
The reason it's potentially easily moddable is that a telnet to port 23 in network mode gives you a root shell on it straight away. With a fully writeable root file system.
So far I have used this to start an FTP daemon that lets me FTP files straight from the SD Card though the NIC is a bit slow. Stole the command from their /plbin/start_ftpd.sh file and run "tcpsvd -vE 0.0.0.0 21 ftpd -w /".
There is a also a web interface for debug, that can be started with cd /plbin; ./test_web.sh. I may have had to set the WEBPAGE_LANGUAGE to "en" in nvram, to allow it to start. "/bin/plnvram wr WEBPAGE_LANGUAGE en"
The admin password for the web interface is just blank.
Very interestingly, if you use their app to display the streamed content from this device it allows you to see HDCP content, just not record it. I have so far had no need to look into this.
Lots of other functionality looks just commented out in the configs.
The web interface tells me this device is actually a SIGMA-PL330B,
world wide web marketwired dot com /press-release/sigma-designs-introduces-new-hd-video-encoder-technology-1518168.htm
And may well be the same (or a repackaged) version of this box
world wide web dot maxmediatek dot com pd-page/MM_V.htm
HS602 as they seem to use the same app to display the stream.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Here it is!
Your LINK
Ebay LINK
.
Did you come across anything that allowed you to record using software other than VivaStation?
I didn't but I haven't looked to hard, as recording to SD card was all I needed.
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
joemensor said:
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
Click to expand...
Click to collapse
I bought this from Maplin, but had to return the first one for a refund as I could not get the software to install on W10 (even with .net 3.5 installed), just kept throwing an error in Chinese! After looking online for replacements that do the same thing, costing between £80-250 (even the used ones, granted they do proper 1080 over Ethernet), I decided in the end to buy the box again, but from ebay...
This time I did manage to get the ShareView software installed on another machine after I spent a day installing windows 7 on it (it's an old machine + 235 updates!)..
Anyway, the commands the shareview software sends (via telnet) to get it to stream over ethernet seem quite straightforward..
First it "uploads" a config file with the contents..
Code:
SystemControl-StreamType ts
SystemControl-StreamData video+audio
SystemControl-Profile extended
SystemControl-Level 4
SysFunction-Function encode
SysFunction-Video h264
SysFunction-Audio audio
PictureResolution-InPicWidth 1920
PictureResolution-InPicHeight 1080
OutPictureResolution-OutPicWidth 640
OutPictureResolution-OutPicHeight 480
SystemControl-XferMode frame
SystemControl-SpsrFreq 1
SystemControl-FFMode frame
SystemControl-VMode cavlc
RateControl-Vbr 0
RateControl-Mode viu
RateControl-AvgBitRate 3000
VbrBitRate-MinBitRate 4285
VbrBitRate-MaxBitRate 3600
GopLoopFilter-IntraPeriod 30
GopLoopFilter-BNum 0
GopLoopFilter-Idr close
InputControl-ScanFormat progressive
InputControl-SrcMode hdmi
InputControl-SyncMode 0
InputControl-DataType raw
InputControl-InFrameRate 60
InputControl-OutFrameRate 30
InputControl-Fmt progressive
InputControl-CkEdge positive
DeInterlace-mode none
FilterControl-StartPixel 0
FilterControl-StartLine 0
SysLink-VideoInput viu
SysLink-VideoOutput host
SysLink-AudioInput aiu
SysLink-AudioOutput host
AudioControlParam-AudioType aac
AudioControlParam-SampleRate 48k
AudioControlParam-ChNum 2
AudioControlParam-LrclkI high
AudioControlEx-AacVer mpeg2
AudioControlEx-HType adts
AudioControlEx-CutoffFreq 18000
AudioControlEx-TNS 1
AudioControlEx-IS 1
AudioControlEx-PNS 1
AudioControlEx-MS 1
to /plbin/hs_enc_ts.cfg
And then launches the following command, three times, not sure why but it does., because when I run it, it only needs to be ran once..
Code:
/plbin/plstrm enc config /plbin/hs_enc_ts.cfg oudp <IP ADDRESS> oport 8085 reduceprintf nouserinput
That's all I know for now, will update if I find anything new to report =D
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
joemensor said:
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
Click to expand...
Click to collapse
Sorry for such a late reply.
I'm guessing by stream settings you mean the settings that upload to places like youtube? If so, I'm not sure myself as I don't need it for that function, but I will have a go & see if I can figure it out, but hopefully somebody has already worked it out by now.
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
adomas said:
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
Click to expand...
Click to collapse
Glad I'm not the only one still playing with this box.
I did have a go at working out the protocol used between the box and the software, I got as far as understanding how they find each other. The software makes a UDP broadcast to 255.255.255.255 on port 8086 with the message "HS602". The box then sends a UDP message ("YES") back, direct to the caller on the same port. The box then opens tcp port 8087 to which the software connects & they converse..
Sample of their conversation goes like this..
Client to box..
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 32 01 af 00 00 00 00 00 50 df af 00 8c e0 af 2....... P......
0000001E 01 00 03 00 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 32 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 2...|... >.sj...
0000003C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000004B 0f 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 04 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000078 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000A5 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000D2 0f 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000FF 0f 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000012C 0f 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000159 0f 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000186 0f 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001B3 0f 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001E0 0f 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000020D 0f 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000023A 0f 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000267 0f 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000294 0f 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002C1 0f 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002EE 0f 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000031B 0f 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000348 0f 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000375 0f 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003A2 0f 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003CF 0f 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003FC 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000429 0f 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000456 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
box to client
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 01 01 af 00 00 00 00 00 50 df af 00 8c e0 af ........ P......
0000001E 01 00 03 1b 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 01 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 ....|... >.sj...
0000003C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000004B 00 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 1b 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000078 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000A5 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000D2 00 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000FF 00 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000012C 00 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000159 00 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000186 00 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001B3 00 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001E0 00 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000020D 00 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000023A 00 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000267 00 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000294 00 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002C1 00 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002EE 00 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000031B 00 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000348 00 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000375 00 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003A2 00 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003CF 00 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003FC 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000429 00 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000456 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
I have no clue as to what this is! Hopefully you'll have better luck trying to decode it!
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
After finally launching the webserver I found that the website is some sample design and while it saves it's settings, they have no relation to the operation of the device. Going back to searching where ShareView puts it's settings and how to change them.
adomas said:
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
Click to expand...
Click to collapse
The stream settings aren't stored anywhere as far as I can tell, it gets sent to the running plkw binary, which appears to be the "server" for the software. This is what handles the upload to the receiving rtmp server, receiving of the encoder config, etc.
I used Wireshark to intercept the chatter between the software & the box. Yes, I know they're the same, I'm assuming it's just an echo.
I'd actually bricked mine by disabling the auto.sh scripts & ended up with no network. Thankfully mine has serial/uart pins populated & I was able to reverse the changes! Took me a while to figure the pinout (no meter) and why some chars weren't registering (needs parity set to EVEN).
Code:
Pinout starting from back of the SD card slot (Look underneath for the square pin).
[ 1 ][ 2 ][ 3 ][ 4 ]
1 = VCC (5v) - If not powered by usb it'll crash if ethernet is connected shortly after boot.
2 = TX
3 = RX
4 = GND
Will update if I find anything else out.
mpmc said:
The stream settings aren't stored anywhere as far as I can tell
Click to expand...
Click to collapse
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
mpmc said:
Thankfully mine has serial/uart pins populated & I was able to reverse the changes!
Click to expand...
Click to collapse
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Click to expand...
Click to collapse
By killing the already running plkw process on the box & running it again, you get to see what it outputs when they talk. That output is from wireshark.
adomas said:
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
Click to expand...
Click to collapse
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Click to expand...
Click to collapse
I'm not sure what you mean via telnet. you connect the pins to your ttl/uart serial converter (I used this one) & which drops into sh on tty0.
mpmc said:
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Click to expand...
Click to collapse
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
adomas said:
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
Click to expand...
Click to collapse
As I already said , the plkw binary handles communicating with the software & this is what sets everything up, streamurl, streamkey etc, it is also what does the streaming when triggered by the button or software, unfortunately I've yet to figure out how it actually triggers! When the software connects it sends the encode config (creates the hs_enc_ts.cfg file and client.cfg in /plbin). The plkw then launches the plstrm binary three times (no idea why as one is enough from what I've found).
The outputsize & bitrate are set in the hs_enc_ts.cfg.
Code:
RateControl-AvgBitRate 8000
VbrBitRate-MinBitRate 11428
VbrBitRate-MaxBitRate 10400
Boot from serial.
Code:
Boot loader started
QL330-B0 detected
Entered diagnostic mode
Branching to external diagnostic code
Loading boot loader .....................................done
[ 0.000000] Linux version 2.6.35.8-arm1ql300 ([email protected]) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #994 PREEMPT Tue Jul 29 10:58:16 CST 2014 v1.21
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: 0xc097f798,QL300-EVB Qpixel Artesa Evaluation Board
[ 0.000000]
[ 0.000000] ******************************************************
[ 0.000000] * pl330_ofc_en : 0
[ 0.000000] * pl330_cmos_reset_en : 0
[ 0.000000] * pl330_devid : 0x03300001
[ 0.000000] * pl330_sdio0_en : 1
[ 0.000000] * pl330_sdio1_en : 0
[ 0.000000] * pl330_gpiogrp1_en : 0
[ 0.000000] * pl330_gpiogrp2_en : 0
[ 0.000000] * pl330_swi2c_en : 1
[ 0.000000] * pl330_local_bus_mutex_type : 1
[ 0.000000] * pl330_eth_en : 1
[ 0.000000] * pl330_frondend_type : 14
[ 0.000000] * pl330_userdata0 : 0
[ 0.000000] * pl330_userdata1 : 1
[ 0.000000] * pl330_userdata2 : 2
[ 0.000000] * pl330_userdata3 : 3
[ 0.000000] * pl330_userdata4 : 4
[ 0.000000] * pl330_userdata5 : 5
[ 0.000000] * pl330_userdata6 : 6
[ 0.000000] * pl330_userdata7 : 7
[ 0.000000] * pl330_userstring0 : SIGMA-PL330B
[ 0.000000] * pl330_userstring1 : C4:01:42:00:86:1F
[ 0.000000] * pl330_userstring2 : userstring2
[ 0.000000] * pl330_userstring3 : userstring3
[ 0.000000] * pl330_userstring4 : userstring4
[ 0.000000] * pl330_userstring5 : userstring5
[ 0.000000] * pl330_userstring6 : userstring6
[ 0.000000] * pl330_userstring7 : userstring7
[ 0.000000] * pl330_mtd_partition : mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] * pl330_GPIO_strap : 0x0000ffcf
[ 0.000000] ******************************************************
[ 0.000000]
[ 0.000000] vmalloc area is too big, limiting to 4MB
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7366
[ 0.000000] Kernel command line: console=ttyS0 vmalloc=7M [email protected] root=/nodev/rootfs mtdparts=QL300_flash:640K(qcamboot),128K(nvram),7040K(linuxImage),8576K(custblk) mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Memory: 29MB = 29MB total
[ 0.000000] Memory: 19104k/19104k available, 10592k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
[ 0.000000] vmalloc : 0xc1e00000 - 0xc2400000 ( 6 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xc1d00000 ( 29 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc06fa000 (7112 kB)
[ 0.000000] .text : 0xc06fa000 - 0xc09bb000 (2820 kB)
[ 0.000000] .data : 0xc09d2000 - 0xc09e32a0 ( 69 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:32
[ 0.000000] console [ttyS0] enabled
[ 0.030000] Calibrating delay loop... 129.84 BogoMIPS (lpj=649216)
[ 0.240000] pid_max: default: 4096 minimum: 301
[ 0.240000] Mount-cache hash table entries: 512
[ 0.250000] CPU: Testing write buffer coherency: ok
[ 0.260000] NET: Registered protocol family 16
[ 0.270000] ql300_init: res=0xc1832740
[ 0.280000]
[ 0.280000] ******************************************************
[ 0.290000] * plgpio_group0_cfg (input/output) : 0x00003000
[ 0.300000] * plgpio_group1_cfg (input only) : 0x0000000f
[ 0.300000] * plgpio_group2_cfg (output only) : 0x0000000e
[ 0.310000] * plgpio_group3_cfg (boot strap input only) : 0x000000c0
[ 0.320000] ******************************************************
[ 0.320000]
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.370000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.390000] NET: Registered protocol family 2
[ 0.390000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.400000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.410000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.430000] TCP reno registered
[ 0.430000] NET: Registered protocol family 1
[ 0.440000] RPC: Registered udp transport module.
[ 0.450000] RPC: Registered tcp transport module.
[ 0.450000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.710000] Loading and setting up QPSOS ...
MAIN FIRMWARE
QPSOS shell
Type 'help' for help
[ 0.730000] Loading and setting up PL330 GPIO ...
[ 0.740000] Loading and setting up PL330 NVRAM ...
[ 0.750000] NTFS driver 2.1.29 [Flags: R/W].
[ 0.760000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.770000] msgmni has been set to 37
[ 0.770000] io scheduler noop registered
[ 0.780000] io scheduler deadline registered
[ 0.780000] io scheduler cfq registered (default)
[ 0.810000] ttyS0 at I/O 0xf0000100 (irq = 17) is a builtin QL300 UART
[ 0.820000] nbd: registered device at major 43
[ 0.870000] init_ql_flash_mtd(),CFI=0,part_nums=3
[ 0.880000] m25p80 spi0.0: w25Q64 (8192 Kbytes)
[ 0.880000] 4 cmdlinepart partitions found on MTD device QL300_flash
[ 0.890000] Creating 4 MTD partitions on "QL300_flash":
[ 0.900000] 0x000000000000-0x0000000a0000 : "qcamboot"
[ 0.910000] 0x0000000a0000-0x0000000c0000 : "nvram"
[ 0.920000] 0x0000000c0000-0x000000620000 : "linuxImage"
[ 0.930000] 0x000000620000-0x000000800000 : "custblk"
0h00m00s007: (T)CODEC_Start HCI Thread
0h00m00s007: (T)CODEC_SYS config:10 SW1 isr
0h00m00s007: (T)CODEC_SYS config:1 dynamic mem alloc
0h00m00s007: (T)CODEC_Start M2M Thread
0h00m00s007: (T)CODEC_Start DTM Thread
0h00m00s007: (T)CODEC_Start VDCM Thread
[ 0.950000] Linux video capture interface: v2.00
[ 0.950000] sdhci: Secure Digital Host Controller Interface driver
[ 0.960000] sdhci: Copyright(c) Pierre Ossman
[ 0.970000] TCP cubic registered
[ 0.970000] NET: Registered protocol family 17
[ 0.980000] lib80211: common routines for IEEE802.11 drivers
[ 0.990000] Freeing init memory: 7112K
mounting proc
mounting sys
mounting pts
starting system loggers
vm.min_free_kbytes = 1024
starting status daemon
setup telnetd
plgpiod: 0x03300001
bring up lo interface
bring up sdio module
[ 1.720000] sdio_init: res=0xc0cc7920
[ 1.800000] sdio_init: SDIO-0 enabled
[ 1.810000] mem_log_init: exit
[ 1.870000] plnvram_data_load_mtd: magic(0x82312033)
[ 1.880000] plnvram_data_load_mtd: version_major(1)
[ 1.880000] plnvram_data_load_mtd: version_minor(0)
[ 1.890000] plnvram_data_load_mtd: checksum(0x00000000)
[ 1.890000] plnvram_data_load_mtd: nums(237)
success
mount: mounting /dev/mtdblock3 on /mnt/custblk failed: Invalid argument
[ 3.250000] JFFS2 notice: (201) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
bring up codec driver module
[ 3.480000] CDevice_Constructor()-> config to use Dynamic Memory Allocation for FW
[ 3.540000] CQLCodec_InitDevice() config to use internal Video FW
[ 3.550000] CQLCodec_InitDevice() config to use internal Audio FW
[ 4.610000] CComponent_Open AllocTask(0) hTask(0)
[ 4.610000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 4.640000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:2
Checking:0
[ 4.650000] CComponent_Close ReleaseTask(0) hTask(0)
do_whether_need_eth_driver: 1
bring up ethernet module (Wired)
[ 4.780000] AX88796C: Power saving disabled
[ 5.010000] ASIX AX88796C Fast Ethernet Adapter:v1.4.0-SDL0.93 16:31:34 Jul 19 2013
[ 5.010000] <6> http://www.asix.com.tw
[ 5.020000] Use random MAC address
[ 5.020000] AX88796C: MAC Address 76-f3-6c-e2-c3-c7
[ 5.040000] eth0: at 0x0 IRQ 4
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000f
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000e
ifconfig: ath0: error fetching interface information: Device not found
plnetworkchkd: ath0 is not existed or enabled, no need to enable connection backup. exit!
[ 6.870000] eth0: link up, 100Mbps, full-duplex
do_net_init: trying to init eth interface
do_eth_init: trying to load mac address from pl330_userstring1
do_eth_init: trying to use dynamic ip
udhcpc (v1.19.4) started
Setting IP address 0.0.0.0 on eth0
Sending discover...
Sending select for 192.168.1.110...
Lease of 192.168.1.110 obtained, lease time 86400
Setting IP address 192.168.1.110 on eth0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.1.1
Recreating /etc/resolv.conf
Adding DNS server 192.168.1.1
Adding DNS server 0.0.0.0
[ 8.080000] CComponent_Open AllocTask(0) hTask(0)
[ 8.090000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 8.110000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:1
name flag IP broadcastaddr
eth0 4163 192.168.1.110 192.168.1.255
Src:3,Res:12
recv:48,53,36,30,32
recv:43,6e,1,a8,c0
The client is: 192.168.1.40,2801a8c0
socket:8
Capture
[ 19.970000] CComponent_Open AllocTask(0) hTask(1)
[ 19.980000] CComponent_Close ReleaseTask(0) hTask(1)
lookup_video_device_node()-> bus(4) inst(0) hTask(1) type(0)
lookup_video_device_node()-> Got 0:0
[ 20.000000] CComponent_Open AllocTask(0) hTask(1)
****** Executing script file /plbin/hs_enc_ts.cfg
SystemControl-StreamType = ts
SystemControl-StreamData = video+audio
SystemControl-Profile = extended
SystemControl-Level = 4
SysFunction-Function = encode
SysFunction-Video = h264
SysFunction-Audio = audio
PictureResolution-InPicWidth = 1920
PictureResolution-InPicHeight = 1080
OutPictureResolution-OutPicWidth = 1920
OutPictureResolution-OutPicHeight = 1080
SystemControl-XferMode = frame
SystemControl-SpsrFreq = 1
SystemControl-FFMode = frame
SystemControl-VMode = cavlc
RateControl-Vbr = 0
RateControl-Mode = viu
RateControl-AvgBitRate = 15000
VbrBitRate-MinBitRate = 18000
VbrBitRate-MaxBitRate = 13000
GopLoopFilter-IntraPeriod = 30
GopLoopFilter-BNum = 0
GopLoopFilter-Idr = close
InputControl-ScanFormat = progressive
InputControl-SrcMode = hdmi
InputControl-SyncMode = 0
InputControl-DataType = raw
InputControl-InFrameRate = 60
InputControl-OutFrameRate = 30
InputControl-Fmt = progressive
InputControl-CkEdge = positive
DeInterlace-mode = none
FilterControl-StartPixel = 0
FilterControl-StartLine = 0
SysLink-VideoInput = viu
SysLink-VideoOutput = host
SysLink-AudioInput = aiu
SysLink-AudioOutput = host
AudioControlParam-AudioType = aac
AudioControlParam-SampleRate = 48k
AudioControlParam-ChNum = 2
AudioControlParam-LrclkI = high
AudioControlEx-AacVer = mpeg2
AudioControlEx-HType = adts
AudioControlEx-CutoffFreq = 18000
AudioControlEx-TNS = 1
AudioControlEx-IS = 1
AudioControlEx-PNS = 1
AudioControlEx-MS = 1
ioctl(PLDEV_STRM_IOCTL_PORT_OPEN) component(0) type(0) succeed
0h00m19s609: (T)CODEC_Start MUX Thread (channel 1)
0h00m19s609: (T)CODEC_Start VEN Thread (channel 1)
0h00m19s609: (T)AIO Record enter
acquire(0) hDev(11)
start(0) hDev(11)
0h00m19s722: (T)CODEC_Start VIU Thread (input channel 1)
0h00m19s722: (E)VIU OSD FontsStartAddr 34401500 !
0h00m19s722: (E)VIU OSD TextListStartAddr 34400100 !
0h00m19s722: (E)VIU OSD TimeInfoAddr 34401300 !
0h00m19s724: (E)CODEC_get misc_rate_control interval(80) activity_on/off(0)
0h00m19s724: (E)HCI: chInfo (0x10) phy_in(60) rec_in(30) outrate(30)
0h00m19s728: (E)VIU: (ch 1) (in 1920x1080) (out 1920x1080) (rate =30,30),(buf_num 3)
test_streamout() [
9024 t=20
VI-OSD 0
VI-OSD font_addr(0xd1005400) txtAddr(0xd1000400) timeAddr(0xd1004c00)
0h00m19s803: (E)VIU osd addr 0x34400100 0x34401500 0x34401300)
376 t=22
376 t=24
I've attached a screenshot of how I got the plnvram config to output (COM8 = serial connection).
---
I've also managed to build a test "hello world" binary & have it run on the box, so I might be able to build a better rtmp server. I may have to rely on the plstrm to get the output though :/
Some good news.. I think. I managed to "decompile" the android "Shareview" app source code using javadecompilers.com With any luck I should be able to figure it out!
If you're any good with java (I'm not) download the shareview apk from here: https://apkpure.com/shareview/com.asdfghjkl20203.hs602player/download?from=details.
And upload it to http://www.javadecompilers.com/.
mpmc said:
If you're any good with java
Click to expand...
Click to collapse
I'm also not, but I have a friend who does have some experience. Thanks for the idea.
The variable name thing threw me off, since it makes no sense to me, that it stores "password" and "username" straight to nvram, and the rest go through hs_enc_ts.cfg. I tried to manually change hs_enc_ts.cfg parameters, but they had no effect to the output stream, which is why I assumed, that it sends some other settings.
Could you save the whole putty printout somewhere? It does contain different parameters and variables than those in hs_enc_ts.cfg and plnvram_defaults.dat
Related
Recently, I took a copy of the object store in my PPC. I am trying to figure out the structure to the header:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 01 00 00 00 45 4B 49 4D 45 4B 49 4D 00 E0 0A 92 ....EKIMEKIM.à.’
00000010 00 B0 BD 03 00 40 00 00 00 00 00 00 00 00 00 00 .°½[email protected]
00000020 00 00 00 00 00 B0 CA 93 00 D0 6C 95 00 50 00 42 .....°Ê“.Ðl•.P.B
00000030 00 00 00 00 03 00 00 00 CA 00 00 00 00 00 00 00 ........Ê.......
00000040 00 09 04 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 01 00 00 00 54 EE 05 42 96 02 00 00 ........Tî.B–...
00000070 02 00 00 00 01 00 00 00 AC E8 05 42 60 0A 00 50 .........B`..P
00000080 04 00 00 00 01 00 00 00 C0 EF 5E 42 0D 00 00 00 ........Àï^B....
00000090 04 00 00 00 01 00 00 00 C4 EF 5E 42 00 00 00 00 ........Äï^B....
000000A0 04 00 00 00 01 00 00 00 E4 39 56 42 00 00 00 00 ........ä9VB....
000000B0 04 00 00 00 01 00 00 00 38 31 56 42 00 00 00 00 ........81VB....
000000C0 04 00 00 00 01 00 00 00 3C 31 56 42 77 01 C4 6E ........<1VBw.Än
000000D0 04 00 00 00 01 00 00 00 DC 39 56 42 28 02 9A 9B ........Ü9VB(.š›
000000E0 04 00 00 00 01 00 00 00 E0 39 56 42 33 31 6F 31 ........à9VB31o1
000000F0 04 00 00 00 01 00 00 00 C8 68 41 42 7D E1 55 10 ........ÈhAB}áU.
00000100 04 00 00 00 01 00 00 00 74 3E 4E 42 3D 16 00 00 ........t>NB=...
00000110 04 00 00 00 01 00 00 00 78 3E 4E 42 04 00 0C 00 ........x>NB....
As you can see, there is a structure to it and I don't know where it is defined. Please help.
Did you try comparing it to any of the structures in Platform Builder?
Hi everyone,
A carrier in my country (Telstra) has recently started offering all-you-can-eat activesync plans, however they have placed a limitation on which handsets you can use, by way of a hidden APN in the phone's ROM, meaning you can only use their approved handsets, purchased from them.
What I am hoping is that there is a way to obtain the APN details from the handset or the ROM directly, so I can populate the APN into my 'unsupported' device and take advantage of the offering, as it would suit my needs perfectly. I believe I have located the registry entry under RASBOOK that correlates to the APN, however lack the necessary skills to decrypt it.
Does anyone here know how to, or know a better way to get the APN details from the handset so I can use it in my hardware that I already own, as I do not wish to purchase a new handset just for the sake of utilising the plan. The HEX value of the key is as follows:
00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 07 F5 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 47 00 50 00 52 00 53 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F6 D1 93 01 C4 F0 91 0D 4C 14 FB 03 65 00 00 00 4C F5 91 0D 4C F5 91 0D 86 CF 93 01 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 10 00 00 00 04 00 00 00 40 32 23 00 74 21 92 4E 4C DE 01 00 20 26 04 00 F2 F0 BE 8F 00 00 90 4E 00 00 04 00 00 00 00 00 00 00 90 4E 00 00 04 00 00 00 90 4E CC BB F6 03 00 00 00 00 00 00 00 00 E8 72 70 04 00 00 07 04 00 00 6E 04 A0 00 00 00 B0 00 00 00 00 00 00 04 00 00 00 00 BC BE F6 03 00 00 00 00 A0 00 00 00 01 00 00 00 18 72 70 04 68 C1 F6 03 20 72 70 00 A8 F1 91 0D 3A 72 70 00 2A 72 70 00 40 E3 69 00 A0 F3 6F 00 F4 B3 F6 03 B0 D4 69 00 8C 1B F5 03 F0 8E 04 00 E8 72 70 04 68 C1 F6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 6D 00 6F 00 64 00 65 00 6D 00 00 00 01 00 00 00 AC F1 91 0D F0 72 70 00 00 00 00 00 00 00 00 00 02 00 43 00 65 00 6C 00 6C 00 75 00 6C 00 61 00 72 00 20 00 4C 00 69 00 6E 00 65 00 00 00 00 80 F0 40 05 00 01 00 00 00 C8 67 02 00 10 F2 91 0D 02 00 00 80 02 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 07 00 F0 40 05 00 F4 F2 91 0D 00 00 00 0C 02 00 00 80 15 00 00 00 40 03 00 00 43 03 00 00 43 04 00 00 44 04 00 00 7B 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 E1 D2 C3 F0 E1 D2 C3 64 B0 00 00 F8 F2 91 0D 00 00 00 00 F8 F2 91 0D DC 04 6A 03 00 00 00 00 00 00 00 00 78 D7 94 01 94 F7 91 0D E0 7B F9 03 35 F3 91 0D C8 01 00 00 F8 F2 91 0D 42 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 E1 F7 2B 5A 20 1F 00 C3 4D 56 9A 4D 4B EB 77 28 DE DB 0A 30 00 00 28 CA 96 D6 8F 99 03 01 00 00 00 00 00 00 F8 F2 91 0D 54 C6 F8 03 E0 C9 93 01 30 D9 94 01 E8 C1 F3 01 C0 CB F8 03 F8 F2 91 0D 24 21 6A 03 60 14 F7 03 E0 C9 93 01 E0 C9 93 01 5C 21 6A 03 63 00 65 00 6C 00 6C 00 75 00 6C 00 61 00 72 00 20 00 74 00 61 00 70 00 69 00 20 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 70 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 00 00 6E 04 BC 00 00 00 D0 00 00 00 00 00 00 04 00 00 00 00 BC BE F6 03 00 00 00 00 BC 00 00 00 01 00 00 00 E8 72 70 04 68 C1 F6 03 F0 72 70 00 00 00 00 00 0A 73 70 00 FA 72 70 00 40 E3 69 00 A0 F3 6F 00 F4 B3 F6 03 B0 D4 69 00 8C 1B F5 03 F0 8E 04 00 01 00 00 00 30 01 07 00 00 00 00 00 03 00 00 00 30 01 07 00 00 00 00 00 88 21 92 4E 00 00 00 00 00 00 00 00 30 01 07 00 00 00 00 00 9C 95 04 00 01 00 00 00 C4 F3 91 0D 00 00 00 00 00 00 00 00 03 00 00 00 50 09 6A 03 30 01 07 00 88 21 92 4E 06 00 00 00 02 00 00 00 00 00 00 00 A0 F4 91 0D 84 42 02 00 03 00 00 00 F0 40 05 00 50 09 6A 03 00 00 00 00 10 6C 02 00 28 F4 91 0D 4E 00 00 00 02 00 00 00 00 00 00 00 06 00 00 00 F0 40 05 00 00 00 00 00 00 00 00 00 01 00 00 00 44 DB 94 0D 30 01 07 00 F0 40 05 00 00 00 00 00 00 10 00 00 02 00 00 80 15 00 00 00 40 03 00 00 43 03 00 00 43 04 00 00 44 04 00 00 7B 04 00 00 30 00 92 0D 4E 00 00 00 60 00 00 00 44 DB 94 01 00 00 00 0C CC 9D FE 8F 1A 00 00 00 00 00 00 00 74 71 D4 8E 10 CF 93 01 00 00 00 0C 4C 35 68 8F 0F 00 00 00 00 00 00 00 74 71 D4 8E 10 9D 47 80 20 DD 7E 8E 4C 35 68 8F 0F 00 00 00 38 FE 00 F0 E8 F4 91 0D 38 5A 02 80 0F 00 00 00 10 CF 93 01 C4 B3 00 F0 E8 C1 F3 01 DC 04 6A 03 00 00 00 00
When converted to ascii, it makes no sense to me. Is what I want to do possible?
Cheers
*Shameless Bump*
Can anyone shed any light on this. I have spoken to some other users who are looking for similar info.
Hi,
from the firmware upgrade of an ARM9 Windows Embedded CE 6.0 Device, I was able to extract a number of files, including the kernel image (NK.BIN.COMP).
However, with tools such as osnbtool, ImgfsToDump or ImgFsTools I was unable to decompress the image.
The image starts with:
Code:
00000000 58 50 52 53 e7 8b 26 01 16 89 00 00 05 00 01 00 |XPRS..&.........|
00000010 42 30 30 30 46 46 0a 00 10 36 80 50 10 2b 01 39 |B000FF...6.P.+.9|
00000020 00 04 00 00 00 eb 01 00 00 fe 03 00 ea 40 78 00 |[email protected]|
00000030 08 78 00 00 00 05 00 63 03 00 00 45 43 45 43 7c |.x.....c...ECEC||
00000040 f6 60 81 48 1c 01 8d 18 01 7c e6 2a 01 00 20 36 |.`.H.....|.*.. 6|
00000050 80 64 de 00 00 11 c5 47 00 02 04 00 00 d3 00 a0 |.d.....G........|
00000060 e3 00 f0 21 e1 0c 00 9f e5 10 0f 01 ee 87 15 00 |...!............|
00000070 eb 83 18 00 f8 37 00 ea 78 10 00 c0 b0 01 00 10 |.....7..x.......|
00000080 80 97 0a 7c 75 97 4e 39 00 02 18 00 20 18 00 08 |...|u.N9.... ...|
00000090 66 18 00 5a b8 00 d8 02 b9 00 07 00 0f 0f 6b 65 |f..Z..........ke|
000000a0 72 6e 65 6c 2e 64 6c 6c 7b 00 33 40 00 00 c4 04 |rnel.dll{[email protected]|
000000b0 4b 00 01 41 44 00 50 10 40 09 05 59 00 4c 53 5a |[email protected]|
000000c0 00 78 20 03 59 00 ec 10 29 80 f0 08 04 01 4b 5a |.x .Y...).....KZ|
000000d0 00 5a 03 04 52 54 58 00 39 81 00 00 81 24 0b 90 |.Z..RTX.9....$..|
000000e0 5f 00 c9 d0 5f 00 30 4c e0 5b 00 86 11 00 13 ba |_..._.0L.[......|
000000f0 50 58 00 44 4c 00 0b 10 20 00 cc a0 00 00 05 4e |PX.DL... ......N|
I suppose this is the Xpress compression format that is used in Win CE 6.0 ?
Are there any tools available that can decompress this image ?
Also, I would like to know which emulators you use to test out Win CE images.
I tried qemu-system-arm with the ARM926EJ-S core emulation, but it didn't work so far.
Ultimately, I would like to be able to boot into the image I extracted from the firmware upgrade and start a remote debugger inside the image, so that I can step through the code.
cheers,
knossos2
Hi,
as I already knew that the image was a Windows Embedded CE 6.0 image, I installed Platform Builder and other required development components.
My plan was to find out how the NK.BIN.COMP image is decompressed by the WinCE 6.0 loader.
It turned out, that the file had just been compressed with the WinCE 6.0 bincompress.exe tool (PUBLIC/COMMON/OAK/BIN/I386/bincompress.exe).
Although at least some of the tools I tried previously had compression support by using the WinCE libraries, it didn't work.
My best guess is that the libraries were for older versions of WinCE and thus it didn't work.
So, if you ever see "XPRS" at the start of a WinCE file, it has been compressed with bincompress.exe
I'm now trying to run the decompressed image either in qemu or in the MS Device Emulator.
I guess the Device Emulator will be the easier way.
Cheers,
knossos2
I'm looking for any information on the DMSS subsystem commands. I have a list of subsystem ids but none of the commands that correspond. My goal is to figure out how the Wireless Messaging Service (WMS) subsystem works. DCN 80-V1294-6 contains the information on building the payload packet but I can't find it anywhere. QXDM doesn't have any SMS controls as far as I know, so I can't spy on its communications. If anyone knows how to construct the proper packet request, I'd be very grateful.
Thanks
Doing some testing with the information I have, came up with the following responses. I spied on the Call Manager subsystem command and figured the structure would be similar to the rest of the subsystem payload markup.
STRUCTURE
Code:
4b 0e 01 ZEROED BUFFER df 80 7e
4b is DM command for subsystem
0e is subsystem id for Wireless Messaging System
Next is a sequence of 1 - 8 that I've sent. Anything after 8 results in response code of 13 which is an invalid command.
Zeroed buffer length of 258
The usual CRC high low
7e terminator
RESPONSES
Code:
4b 0e 01 00 bf 23 7e
4b 0e 02 00 d7 09 7e
4b 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 74 44 7e
4b 0e 04 00 00 00 00 00 63 d7 7e
4b 0e 05 00 df 44 7e
4b 0e 06 00 00 00 00 00 35df7e
4b 0e 07 00 6f 77 7e
4b 0e 08 00 a7 f4 7e
Looks like subsys commands of 3, 4, and 6 are interesting. Need to figure out what else to pass in the payload.
Quick question --> How did you spy on the Call Manager?
Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
Reserved
reserved
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
abol_fa said:
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
Click to expand...
Click to collapse
I'm not sure about the hardware but I think the RS998 might be close enough that a custom Rom would run
I'm interested in this. I have a us992 and it's the same hardware than rs998 but I can't root or unlock bootloader. It could be cool if there's a way to change it...
thjubeck said:
Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
Click to expand...
Click to collapse
By attaching a debugger to LGUP I found a couple of new commands
INFOSPRO is called 4 times which by reading is setting some sort of properties
SIGN
SIGN is called twice before anything begins to work such as the OPEN or WRTE command and the response should be something like success cmd SIGN
I think this is the missing link as after this all commands are given with 2 kilocent commands then 2 kilometr commands in that order so possibly the SIGN command is important but also the fact that the kilocent command is given twice then the 2 kilometr responses are sent but that's just speculation. Let me know what you guys think
also two other commands that were found are
OPCMCHEK
MISCWRTE
EDIT: I think CHCKCLER is our missing link. Disclaimer I am on the LG G5 but it has the same issue. Also the INFOSPRO may also need to be set [/B]
.
.
Debugged application message: [00:22:968] [T0002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 43 D0 00 00 B6 B1 B9 B0 INFOGPRO................C.......
.
Debugged application message: [00:23:062] [R0000032] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
.
Debugged application message: [00:23:062] [T0002856] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 32 CF 00 00 B6 B1 B9 B0 INFOSPRO................2.......
.
Debugged application message: [00:23:187] [R0000032] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOSPRO........................
.
Debugged application message: [00:23:187] usb speed is high speed.
.
Debugged application message: [00:23:187] Not Support Fail Safe
.
Debugged application message: [00:23:187] Progress sleep for 1000 9 11
.
Debugged application message: [00:23:203] Set Progress 9
.
Debugged application message: [00:23:703] Set Progress 10
.
Debugged application message: [00:24:203] [T0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C BA 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] [R0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] LAF_CMD_SUB_CLER.
.
Debugged application message: [00:24:203] DATA CHECK SUM ERROR device = 0 tool = 0
.
Debugged application message: [00:24:203] ==============Start Direct Download 2485MB ==============
.
Debugged application message: [00:24:218] umount system (/system)
.
Debugged application message: [00:24:218] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 43 45 4E 54 90 A9 25 4A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT..%J....................
.
Debugged application message: [00:24:218] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 A3 07 00 00 B4 B6 B3 B0 KILOMETR........................
F4 7C 31 45 4C FF 58 73 0A D6 CB 7D 23 7B F0 17 .|1EL.Xs...}#{..
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:218] [T0000047] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 57 EC 00 00 BA A7 BA BC EXEC....................W.......
75 6D 6F 75 6E 74 20 2F 73 79 73 74 65 6D 00 umount./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 BA A7 BA BC EXEC............................
.
Debugged application message: [00:24:234] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 43 45 4E 54 CA DB 0F 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT...!....................
.
Debugged application message: [00:24:234] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 6D 6D 00 00 B4 B6 B3 B0 KILOMETR................mm......
CB 74 3A 1A 43 2F 7D F9 DF 11 42 DC 7E 09 0A 8C .t:.C/}...B.....
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:234] [T0000060] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 00 00 00 17 2E 00 00 BA A7 BA BC EXEC............................
6D 6F 75 6E 74 20 2D 6F 20 72 65 6D 6F 75 6E 74 2C 72 6F 20 2F 73 79 73 74 65 6D 00 mount.-o.remount,ro./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 00 00 00 00 BA A7 BA BC EXEC................#...........
.
Debugged application message: [00:24:234] /system Unmount Success.
.
Debugged application message: [00:24:234] Erase Partition name : system, sector addr : 0xE886, size(sector count) : 0x120000
thjubeck said:
....
Click to expand...
Click to collapse
It's nice that you're looking into this, there is another guy in the V20 section, @runningnak3d who is also looking into making partition dl work.
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign it's files, and that key is programmed into the read-only-memory of a TMO phone.
Edit: Besides, he is looking into a different way of unlocking, by flashing a modified persistent partition with LGUP I believe.
askermk2000 said:
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign it's files, and that key is programmed into the read-only-memory of a TMO phone.
Click to expand...
Click to collapse
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
thjubeck said:
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
Click to expand...
Click to collapse
I see. So you where offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type?
Click to expand...
Click to collapse
Also your reply reeks of utter nonsense.
askermk2000 said:
I see. So you where offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Also your reply reeks of utter nonsense.
Click to expand...
Click to collapse
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
thjubeck said:
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
Click to expand...
Click to collapse
Well how else would you change your "device type"?
Maybe I don't understand what you mean by that. I may have jumped to wrong conclusion, if so then I guess you where right to be slightly offended.
Anyway, persistent.bin seems to be where it's at. You should work with @runningnak3d he was looking earlier for some help.