A case study for MIPS based embedded computing

This case study describes some aspects of embedded computing and shows how such systems with a non-i386 architecture can be extended. Everything I describe here is for evaluation purposes and not ready for mass production, but it may help to understand the hurdles, and how to get over them, when dealing with limited resources.

What should be reached finally?

I bought a set-top box for DVB-S2 some months ago, a brand new HUMAX iCord HD (http://www.humax-digital.de/products/iCordHD.asp). It’s an easy-to-use, reliable device with a fantastic, high-quality TV experience including broadcast recording. But over time I noticed some missing capabilities, like

  • a comprehensive channel editor on the system itself (without the need for export / import channel list),
  • remote timer list programming (I’d like to tell my iCord to record an interesting broadcast even when I’m not at home),
  • a nice web interface for the stuff above and much, much more.

The hurdle is that the iCord is a closed box. The only way to talk to the outside world is through FTP, but FTP shows only the media directory and isn’t suitable for executing commands. However, there is network connectivity, and the iCord’s firmware can be updated from a USB drive containing the file hdpvr.hmx (the firmware container). Unfortunately the firmware is encrypted, but the good news is that some resourceful people have found a way to decrypt it.

One word on the legal aspect: decrypting and providing a modified version of a vendor’s software isn’t allowed by law. So you will find neither a link to the decryption tool nor to the patched firmware here. I’ll explain the how-to and provide some basic material, and finally the root file system with some add-ons. If you’re looking for decrypting / encrypting iCord’s firmware you may find something in Google when looking for “colibri” in relation to iCord.

So let’s get to the first step ...

Extensions described in this part

After making all modifications described in part 1 you’ll have

  • SSH access to iCord with public key authentication (that’s being used because iCord’s BusyBox is compiled without login module)
  • SCP and SFTP support including SSHFS (mount iCord’s filesystem into yours)
  • a bootstrap mechanism for further extensibility on /mnt/hd1 (the root file system is read-only but this is a way to add extensions later on without flashing again)

Experiencing the new behaviour

My nature is to try things first to get an impression of what’s going on, and to dig into the details of the “how-to?” afterwards. So you may start by downloading the ready-made squashed file system to insert into your firmware update file. Please read the following instructions carefully before changing anything. And ... there’s no guarantee that everything will work, so be prepared and have the original firmware ready to avoid stress with your family about non-available TV ;-)

Instructions:

  1. Modify your firmware with the extended root file system Flash_700000.bin (it’s based on 1.00.17).
  2. Store the updated firmware on a FAT32 formatted USB stick.
  3. Create a file “authorized_keys” on the same USB stick; this file must contain the public key part of your RSA / DSS keys generated with ssh-keygen or PuTTY. You can find a detailed description of SSH public key authentication and key generation under http://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html.
  4. Plug the USB stick into your iCord, switch it on (with the power toggle on the back) and hold the “Record” key on the front panel during boot. You should see the download and update progress on the screen and also on iCord’s LED panel.
  5. When finished, you’ll get a message to reboot. Important! Leave the USB stick plugged in. Switch the iCord off and on again. After the reboot you can unplug the USB stick.

If everything went well you should be able to access your iCord with

ssh root@<ip-address>

You should now also be able to access the iCord with SCP and SFTP, using any client you prefer. On the Ubuntu installation on my laptop I also tried mounting iCord’s file system with

sudo sshfs root@<ip-address>:/ /media/icord -o IdentityFile=/home/username/.ssh/id_rsa

When you browse the iCord’s file system you will see 2 new directories, /root and /opt. Both are symbolic links, to /mnt/hd1/root and /mnt/hd1/opt. The purpose of /opt is to provide an anchor for further extensions without the need for flashing again. /opt/bin has been added to iCord’s $PATH variable (this directory isn’t there at the moment but can be created easily). /opt/etc/init.d may later contain startup scripts that follow the “S??*” pattern. The trick is that at system boot both directories, /etc/init.d and /opt/etc/init.d, are parsed; the scripts contained in both are executed in sorted sequence. This means that if /opt/etc/init.d contains a script S50utelnetd, it will be executed between /etc/init.d/S40/networking and /etc/init.d/S55dropbear (the new one for the dropbear SSH server). /opt/bin may then contain the appropriate binary utelnetd.

So finally you’ll have an iCord with full and secure access from the outside world and the option to extend functionality without flashing again.

What’s behind – the “how-to?”

Input structure for modifications

hdpvr.hmx consists of 3 parts. The interesting one is Flash_700000.bin (it contains root_fs, the root file system /). Once it is extracted from hdpvr.hmx, you can copy Flash_700000.bin elsewhere for further work.

“Unsquashing” the root file system

Flash_700000.bin is a squash file system image. To extract the files I’ve used squashfs tools (http://packages.debian.org/search?keywords=squashfs-tools). Take care to use version 3.1 instead of 3.3, because 3.3 produces an error when packaging the file system back into the image. I’ve no clue what the reason is, but 3.1 worked well for me. The command to unpack Flash_700000.bin is

sudo unsquashfs -d /home/username/icord_root_fs/ /home/username/Flash_700000.bin

For the next step let’s assume that you have a directory with the unsquashed root file system on your Linux OS. All further paths are relative to this point. I’ve done all the work with Ubuntu 9.04; any other distribution should work as well.

Adding dropbear SSH server and start script

The iCord is based on BusyBox (http://www.busybox.net/) and uClibc (http://www.uclibc.org/). A lean SSH server extension for BusyBox is dropbear (http://matt.ucc.asn.au/dropbear/dropbear.html). I took the sources of dropbear and compiled them statically linked for MIPS / uClibc. You can find the compiled binary under /bin/dropbearmulti. The symbolic links to this binary, dropbear, dropbearkey and scp, are located there as well. The start script for dropbear is located under /etc/init.d/S55dropbear. The host keys will be generated at system boot under /opt/etc/dropbear. Deleting them will trigger generation again. All client public keys are stored in the /root/.ssh/authorized_keys file. You may change this file manually, or otherwise store it on a USB stick and plug the USB stick in during system boot. I’ve also modified the startup script /etc/profiles to avoid unnecessary error messages.

Adding greenend.org.uk sftp-server

Dropbear doesn’t support SFTP out-of-the-box. Therefore I did some research and found a small sftp server under http://www.greenend.org.uk/rjk/sftpserver/. This isn’t ready for large production environments (and it will not be developed further), but I tested it and it works well for such an environment. You can also find the statically compiled binary sftp-server under /home/username/icord_root_fs/bin. As dropbear looks for the sftp-server binary under /usr/libexec, I’ve modified the dropbearmulti binary with a hex editor and changed the sftp-server location to /bin.

Bootstrap mechanism

The extension point is quite simple: a symbolic link /opt that points to /mnt/hd1/opt. All the secrets are in /etc/init.d/rcS. It’s a simple script that contains the bootstrap mechanism. It mounts /mnt/hd1 first and then looks for start scripts in /etc/init.d and /opt/etc/init.d, in sorted sequence over both directories. Because /mnt/hd1 is mounted early, I commented out the matching line in /etc/fstab.
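
The merged boot order described here and in the S50utelnetd example above can be sketched as follows. This is an added example, not the rcS shipped in the image: the function names are hypothetical, and passing “start” to each script is an assumption. Because /opt/etc/init.d sits on the writable hard disk and its scripts are run at boot, the sketch also skips any script that is not a regular, owner-executable file or that is group- or world-writable.

```sh
#!/bin/sh
# Added example: merged start order over several init.d directories.
# Function names are hypothetical; this is not the firmware's rcS.

# Print the S??* scripts of all given directories, one path per line,
# ordered by script name across directories (S40... < S50... < S55...).
list_boot_scripts() {
    for dir in "$@"; do
        for f in "$dir"/S??*; do
            [ -e "$f" ] || continue      # glob did not match anything
            # ls mode string: char 1 = type, 4 = owner-x, 6 = group-w, 9 = other-w.
            # Accept only regular, owner-executable files that are neither
            # group- nor world-writable (symlinks and directories fall out too).
            case "$(ls -ld "$f")" in
                -??x?-??-*) printf '%s\t%s\n' "${f##*/}" "$f" ;;
                *) echo "skipping $f: unsafe mode or type" >&2 ;;
            esac
        done
    done | LC_ALL=C sort | cut -f2-      # sort by name, then keep the path only
}

# Run the merged list. Assumption: each script accepts a "start" argument.
run_boot_scripts() {
    list_boot_scripts "$@" | while IFS= read -r script; do
        "$script" start
    done
}

# Dry run when called as: sh thisfile --list
if [ "${1:-}" = "--list" ]; then
    list_boot_scripts /etc/init.d /opt/etc/init.d
fi
```

Called with --list on the box, it prints the order in which the scripts of both directories would be started without running any of them.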

“Squashing” the root filesystem

That’s it. The final step after all this work is to create a squashfs image again. This can be done with

sudo mksquashfs /home/username/icord_root_fs/ /home/username/Flash_700000.bin.new -be -all-root -noappend

You may check all further details in Flash_700000.bin (see link above). I’ll proceed with further testing and some more material, to be continued ...

Credits

All this work wouldn’t have been possible without some people who helped me with lots of answers and tools ...

  • colibri – programming of an outstanding tool to decrypt and encrypt iCord’s firmware
  • Anthony G. Basile – providing a qemu development environment for MIPS uClibc and answering a lot of questions (http://opensource.dyc.edu/aboutus)
  • Graham White – for some about runtime debugging (http://gibbalog.blogspot.com)
  • last but not least HUMAX – for a really high-quality DVB-S2 platform