View Full Version : Series2 in PAL



Marianok
07-06-2008, 05:27 AM
Dear all,
It's been a long time, but I'm once again bothering you with a few questions :-)

I've been trying to figure out the chipset of the Series 2 in order to see if it's possible to do a "palmod" for these chips (hopefully a software mod).

Like many others, I hit the big NDA wall on the bcm7040 (AKA AFFIK-II) and bcm7020, but these chips are used in so many products that I was expecting to find much more info on them (I was expecting to find a few Linux/Windows drivers, and maybe some source code), but I was really mistaken.

I'm in "desperate mode" :o, my next "plan" is to try a brute force attack and see if I can (at least) identify the addresses for these units.

But before that, I want to see if anyone else had made any progress (hopefully we won't have to duplicate efforts). If so, please let me know, either here or by private.


Thanks a lot to all in advance ...

P.S.: Needless to say, I'll post here what I find (if I get nowhere it will at least save the next guy some time).

petestrash
07-06-2008, 02:12 PM
Have a look here (http://www.oztivo.net/twiki/pub/Uploads/WebHome/s2v4pal.zip); this is as far as Robert got at OzTiVo.

As for the rest of the mods, there is a shorthand version here (http://www.oztivo.net/twiki/bin/view/Howto/HowToStartHackingAnS2).

Also check the South African TiVo site (http://tivoza.nanfo.com/forum/viewtopic.php?t=62#506).

Darren King
08-06-2008, 01:43 AM
If it can be done then great. Full marks for wanting to give it a go :)

Despite what some have said lately (present posting company excepted) regarding Series 2 being a "lost cause" for PAL modding given the impending release of the Series 3 as a commercial product in Australia, I have a different view. I feel there is a fantastic niche for the Series 2 as an updated hobbyist device to carry on where the Series 1 left off, if only the issue of exactly what is required to make the chipset run in PAL could be resolved.

So good luck! I'm sadly not a software person otherwise I would have given it a go long before now :(

Skolink
08-06-2008, 01:34 PM
I've got friends who work at a company with an NDA with Broadcom, but they couldn't persuade the appropriate person to provide any info. I'm always on the lookout for someone else..
I've just imported a Series 2 DT. The first step was converting the PSU to 230V, now I need the PAL version of the NTSC Samsung tuners, and also the registry settings for the BC chips (different again from those on the standard Series 2).

Series 2 seem to be more plentiful on eBay now than Series 1.

The info will come out sooner or later. In the meantime I'm trying to source some tuners (not the same as in the Series 1).
Cheers,
John

example3891
09-06-2008, 05:20 AM
As somebody who has access to the information you need this is heartwrenching for me to stand by and watch this go on. Unfortunately due to fear of losing my career I can't say anything. I can tell you that what you are trying to do is very possible but it's not going to be easy.

I know this comment has been no help but I wish you the best of luck I would really like to see you guys succeed on this. It's such a shame that it's come down to this.

petestrash
09-06-2008, 01:43 PM
As somebody who has access to the information you need this is heartwrenching for me to stand by and watch this go on.

While writing your post, it's probably at this point you should have realised your post would not be helpful, and would really just cause more frustration.

Over the years we have had many people claim to have the information, and choose not to share it. Personally my feeling is that these people do not know anything and just post to be mean/stupid. If they really had any knowledge and chose not to share it, why bother posting?

We do know that it's possible, and it's just a matter of finding the correct addresses.

It's a shame the NDA still applies to what really is a superseded product.

I thought that by now someone would have contacted one of us privately and anonymously to provide the snippets we require. This information is generic and there is no way it could be traced back to the individual providing it. Not to mention the bits we are after are not commercially sensitive, as you would need to be using the Broadcom chips to make use of it.

Peter.

Darren King
09-06-2008, 02:51 PM
Hear Hear Peter.

I was going to type a message similar to yours this morning but thought I would hold off as it sounded too harsh. But on second thoughts; stuff it. I wholeheartedly agree with all you have said.

For someone to post (and example3891 don't flatter yourself you are by no means the first) saying "hey I have the information but you can't have it" serves no purpose but to anger the OzTiVo community as it flies directly in the face of our open "share and prosper" stance. There's many a way to get the information to us anonymously without putting anyone's job in jeopardy if a little thought was put into it. For well over three years I have had such an open invitation sitting on my website. Like Peter, I feel that unless you choose to prove you know anything then you are just blowing hot air and nothing more.

I'll bet my bottom dollar that even though "example3891" sits there saying he can give us the information but chooses not to, he will be one of the first to use the hack when it becomes available. :mad:

inaxeon
09-06-2008, 06:45 PM
I've got friends who work at a company with an NDA with Broadcom, but they couldn't persuade the appropriate person to provide any info. I'm always on the lookout for someone else..
I've just imported a Series 2 DT. The first step was converting the PSU to 230V, now I need the PAL version of the NTSC Samsung tuners, and also the registry settings for the BC chips (different again from those on the standard Series 2).

Series 2 seem to be more plentiful on eBay now than Series 1.

The info will come out sooner or later. In the meantime I'm trying to source some tuners (not the same as in the Series 1).
Cheers,
John

I presume you're talking about my former employer (who doesn't need to be named here). There's only a select few there who have the ability to download arbitrary documents. Even if one of those people is your contact I'm still not sure if they'd help you. Broadcom's docSAFE system is extremely clever as it automatically watermarks, passwords and re-words each download of a document making it unique to the person who downloaded it. When you take that and think about leaking information that's kinda scary for the individual involved as you are personally accountable for that information. Generally one hangs onto copies of datasheets and doesn't let them out of their sight.

So now our only hope is down to someone having access also being a hardcore TiVo hacker (unlikely) as they would have to distill the needed information into a hack themselves, as just "passing on" large chunks of information to another hacker would be too risky as you don't know where it's going to end up and some of that may have been unique to your copy of the document.

So by some miracle the above two circumstances have occurred and the S2 is now hacked - S2's are flying out of the country for use in situations that don't profit TiVo. I can imagine an instant political ****storm between TiVo and Broadcom. Broadcom would launch an instant investigation as to how this information "got out". The first thing they'd do is check who downloaded that document recently (you'd probably be the only download in 2 years as the chip is mostly used by TiVo). A little further amateur forensics and you're busted.

You try being a TiVo enthusiast working in that area - it freaking sucks. Probably ten times more frustrating than being the person trying to hack it.

I know that like the post of "example3891" my post has once again been negative and unhelpful but this is the situation many people find themselves in thanks to corporate greed and vicious guarding of intellectual property. Some day someone's going to have to do something extremely brave and just throw it out there. (Maybe someone terminally ill who works for a company that's about to go bankrupt. Now we're talking :-)

Darren King
09-06-2008, 07:59 PM
I know that like the post of "example3891" my post has once again been negative and unhelpful

On the contrary. It gives insight into what protection Broadcom has against such information leaking out. Hey, props to them. If you have trade secrets and are bound to secrecy by TiVo, inc then that is what they have to do. You've done quite a good job explaining rather than everyone else (and I mean everyone) who has "claimed" to know something but never produces any evidence.

Being the constructive thinker I am however it would not need the *whole* document passed onto anyone, although I can vouch for a particular name (note name as in singular) that to most here would just be "anybody" but to me is the direct person who would write the PAL module and also be a 100% secure "do not hand out this information" person. Even to that end all that would be required is the particular register(s) that need programming and nothing more. I've seen literally thousands of technical documents on chips and the table would not be something "re-written" by any document security system otherwise the chip wouldn't work as it should, would it? ;) I'm sure other issues raised like watermarks and passwords can be circumvented simply by hand copying (as in hand writing) the relevant registers. While I am not expecting anyone within Broadcom to go off today and access the system and then hand it over tomorrow thus giving a direct lead to find out who provided the information I also highly doubt that the only copy of the relevant document in existence is locked away on a protected server. Someone, somewhere, must have the file on a local PC or a hardcopy that is gathering dust that was downloaded and/or printed YEARS ago that combined with manually copying down the relevant information would make the job of traceability almost impossible.

And besides, like Peter has mentioned, I highly doubt that TiVo would be that interested in pursuing how the information got out. We're not talking about a product that is being highly marketed anymore (they now have a Series 3) nor are we talking about the information being used to create a competing product. We're talking about utilising what is now relatively old hardware (it can't even do high def!) that a lot of units are now turning up on eBay as surplus or ending up in the trash if they are broken. In effect what is fast becoming (if not already) obsolete technology. If TiVo had a real problem with what OzTiVo is doing with their hardware they would have shut us down years ago. Why? Because even the Series 1 has the words "Private And Confidential" screen printed on the motherboard near the diagnostics connector. That never stopped people devising aftermarket add-on hardware, freely distributing hardware information on the units (of which even I am guilty of) or reverse engineering how the guide data works. All of which TiVo knows about and the only stipulation that I know of is TiVo expressly saying that it is for non-profit hobbyist use in areas a TiVo service is not provided. And at any rate like mentioned by the original poster the BCM7040 and BCM7020 is *not* a TiVo-Broadcom proprietary chipset. It has been used in other devices.

Take all of the above as you will. My intentions are not to argue or pressure anyone to do anything but merely looking at it from what is probably a very simplistic viewpoint.

Anyway, the offer still stands as it has done for years: If anyone has anything they wish to share on the information required then feel free to contact me anonymously and I'll 100% ensure your anonymity.

inaxeon
09-06-2008, 08:19 PM
Perhaps you should mention how one may contact you anonymously because there may just be someone who has the right information reading this thread as we speak.

Here's another interesting thought for you - I've seen one silicon vendor (not Broadcom) have many many copies of the same registers, only disclosing the location of one set to each customer. That might sound extreme, but it really helps track down leaks :-)

Another thing I've found when working with these chips is that the vendor doesn't always give out the datasheets "Willy Nilly"; usually all we get is a precompiled library with an easy to use API for performing the needed tasks on the chip, and if there's any issues with that API the vendor will support that rather than giving out a register reference to fix it yourself. (Which does make me wonder, has TiVo been lazy and just used one of these libraries?) So it's not always as straightforward as getting register reference datasheets.
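
The per-download re-wording described in this thread can be modelled as a fingerprint in which each sentence's phrasing carries one bit. An added example, not from any poster and not Broadcom's docSAFE (whose internals the thread does not describe): `Registry`, `SENTENCES`, the key and the recipient ids are all constructed, and it shows the defender's side, attributing a retyped or partial copy back to the download it came from.

```python
import hashlib
import hmac
import re

# Constructed sample document: every sentence has two equivalent wordings.
# Which wording a recipient gets (0 or 1) is one bit of their fingerprint.
SENTENCES = [
    ("Reset the encoder before loading firmware.",
     "The encoder must be reset prior to loading firmware."),
    ("Firmware is loaded during driver initialisation.",
     "The driver loads firmware while it initialises."),
    ("The video standard is selected by the mode field.",
     "The mode field selects the video standard."),
    ("Writes to reserved bits are ignored.",
     "Reserved bits ignore writes."),
    ("Status is cleared on read.",
     "Reading the status clears it."),
    ("Interrupts are masked after reset.",
     "After reset, interrupts are masked."),
    ("The clock must be stable before enabling capture.",
     "Enable capture only once the clock is stable."),
    ("Unused inputs should be tied low.",
     "Tie unused inputs low."),
]


def normalise(text):
    """Lower-case and drop punctuation/layout so retyped copies still match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


class Registry:
    """Issues one uniquely worded copy per recipient and attributes leaks."""

    def __init__(self, secret):
        self._secret = secret   # server-side key (constructed for the demo)
        self._issued = {}       # recipient id -> tuple of wording bits

    def _bits(self, recipient, counter):
        mac = hmac.new(self._secret, f"{recipient}:{counter}".encode(),
                       hashlib.sha256).digest()
        value = int.from_bytes(mac, "big")
        return tuple((value >> i) & 1 for i in range(len(SENTENCES)))

    def issue(self, recipient):
        if recipient not in self._issued:
            counter = 0
            bits = self._bits(recipient, counter)
            # Re-derive on collision so no two downloads share a fingerprint.
            while bits in self._issued.values():
                counter += 1
                bits = self._bits(recipient, counter)
            self._issued[recipient] = bits
        bits = self._issued[recipient]
        return " ".join(pair[b] for pair, b in zip(SENTENCES, bits))

    def attribute(self, leaked):
        """Return the recipients whose copy is consistent with the leak."""
        text = f" {normalise(leaked)} "
        observed = {}
        for i, pair in enumerate(SENTENCES):
            hits = [b for b in (0, 1) if f" {normalise(pair[b])} " in text]
            if len(hits) == 1:  # absent, or both wordings present: no evidence
                observed[i] = hits[0]
        if not observed:
            return []
        return sorted(r for r, bits in self._issued.items()
                      if all(bits[i] == b for i, b in observed.items()))
```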

Darren King
09-06-2008, 08:55 PM
Perhaps you should mention how one may contact you anonymously because there may just be someone who has the right information reading this thread as we speak.

My website (link is in each and every post I make in my signature) contains my email address. I am sure if one genuinely wanted to help they can find a public terminal, obtain an email address, and email me. From there I am happy to give out better ways of contacting myself. I used to publish my mobile (cell) phone number but although people could read the numbers to dial the correct number they could not read the correct numbers for the times you can and cannot contact me so I withdrew it. I do have a family and a real job so getting calls all hours into the evening is not the done thing.

Failing that one can always send me a private message on this forum.

I'm sure there are other ways people can contact me. I'm not a very private person and just reading my website can give a few more clues if one is genuinely interested in helping the cause.



Another thing I've found when working with these chips is that the vendor doesn't always give out the datasheets "Willy Nilly"; usually all we get is a precompiled library with an easy to use API for performing the needed tasks on the chip, and if there's any issues with that API the vendor will support that rather than giving out a register reference to fix it yourself. (Which does make me wonder, has TiVo been lazy and just used one of these libraries?) So it's not always as straightforward as getting register reference datasheets.

True. However I am assuming that there is more than simply a subset of registers or an API in the possession of "example3891" (and others) given the wording "As somebody who has access to the information you need".

However I could be wrong. Like I have said previously I've seen zero evidence of anything so therefore until someone wants to step up to the plate anyone could be telling OzTiVo any old story, including yourself with what you have already divulged about how Broadcom conducts their document control.

Cheers

inaxeon
09-06-2008, 10:47 PM
However I could be wrong. Like I have said previously I've seen zero evidence of anything so therefore until someone wants to step up to the plate anyone could be telling OzTiVo any old story, including yourself with what you have already divulged about how Broadcom conducts their document control.
Cheers

That is true. I could just be making all of this up and there's no point in me trying to back up anything I've said because I don't have any useful information to start with. We'll never know until someone divulges anything useful.

Islander
10-06-2008, 04:35 PM
And at any rate like mentioned by the original poster the BCM7040 and BCM7020 is *not* a TiVo-Broadcom proprietary chipset. It has been used in other devices.



Interesting reading.

I wonder if TiVo is not the only product using these devices then what are the other ones and could they provide some sort of insight into the problem.

inaxeon
10-06-2008, 05:44 PM
If you found another product with that same MIPS processor running binaries compiled with a similar compiler, that product runs the chip in PAL mode and also happens to run Linux, then comparing binaries may provide some insight.

Although if all of the above were found then there are other approaches like trying to hook into the kernel register access stub and see what is written. For example, changing the /dev/xxx (or whatever they're called on TiVo) nodes to point to your own kernel module, log them, then redirect those to the appropriate Broadcom code (I'm sure all of this has been done by experienced OzTiVo members before).

But then you've still got the problem where the TiVo software is quite possibly constantly trying to set the chip back into NTSC mode which totally screws that approach so the TiVo software is what needs to get modified.

petestrash
10-06-2008, 11:39 PM
Certainly it would be easier if a TV capture card or something similar had used these chips, so we could learn from its API.

But as far as I'm aware no one has found a product of use to us that had used this chip.

Peter

Darren King
11-06-2008, 06:13 AM
There are several capture cards based on the BCM7040. Refer to the bottom post here: http://forums.sagetv.com/forums/archive/index.php/t-5289.html

Another page I stumbled across suggests the BCM7040 was used in at least the "Snazzi-II" and "Snazzi-III" models of capture card: http://qaix.com/software-computer-help/454-746-kfir-ii-chipset-based-capture-card-still-available-read.shtml

I also had a little time to Google last night and Broadcom make a PVR chip that interfaces to the 7040, the BCM7115: http://www.broadcom.com/collateral/pb/7115-PB06-R.pdf

Added to this, Broadcom did not develop the BCM7040. The original name for the chip, the KFIR-II was the name given to it by a company called VisionTech which Broadcom acquired at some point in time and re-badged the chip with a Broadcom product number: http://archive.tivocommunity.com/tivo-vb/history/topic/57528-1.html and as said by one post in that thread the BCM7040 was not even a new chip at time of TiVo Series 2 development so that adds weight that someone, somewhere would have some information gathering dust on the device.

Therefore it is very clear the BCM7040 was *not* something that Broadcom developed themselves or specifically for use in the Series 2 TiVo and given the age, obsolescence and history of this chip it escapes me why Broadcom would still want to guard it more closely than the Crown Jewels. :confused:

Keith Wilkinson
11-06-2008, 05:36 PM
Added to this, Broadcom did not develop the BCM7040. The original name for the chip, the KFIR-II was the name given to it by a company called VisionTech which Broadcom acquired at some point in time and re-badged the chip with a Broadcom product number

That's correct and before that there was the KFIR chip which has pretty much the same register set and parameters as the KFIR-II.

Someone even wrote an open source Linux driver for the KFIR chip which clearly showed the values that needed to be put in the various registers for encoding PAL.

Both Robert Lowery and I came to the conclusion that it's not just the register values that need to be changed.

The chip runs microcode for encoding the video signal and the version of the microcode is specific to the television standard to be encoded i.e. NTSC or PAL. The microcode is loaded into the chip during the driver initialisation.

The BCM7040 driver on the Series2 contains NTSC microcode so no matter what you do to the registers it won't encode a PAL signal correctly.

Overwriting the microcode is quite easy to do but the problem is finding the right version. There are several versions of microcode for the KFIR-II chip available on the net and, of these, I found one that could be used to overwrite the existing code.

When I tried it all I got was a black picture but it wasn't a total failure. When running Robert's S2 palmod.o there were error messages being generated in the tverr log that shouldn't have been there. After replacing the microcode, the error messages stopped.

Maybe it was one step closer to success, maybe not. I really don't know.

If anyone does decide to try and have a go at getting the chip to encode PAL, I hope they succeed. Having spent many, many hours on the project it would be nice to know the answer.

The decoder driver might be an easier place to start. The decoder driver is far more complicated than the encoder driver but it seems to be a Broadcom driver rather than something TiVo wrote. It would also be much easier to determine when you've got it configured for PAL.

Marianok
18-06-2008, 03:44 AM
I've been silently reading the different posts and I figure that I should post to let you know that I'm still here :-)

Regarding the whole "I have the info but I can not give it to you" issue, I kind of understand the persons that are telling us that if they really say this out of frustration.
On the other hand, despite any "super-duper" system that Broadcom could have to protect the documents, and as much as they could change words and shuffle them around, I really doubt that they will dare touch the sample code (at most they *could* change the name of some variables).
And even a plain sample code would be really helpful ... and if one of us were to get a copy of it, it would not be hard to "rewrite it" so it's not traceable ... but I don't count on that happening anytime soon.

For the rest of the post, I learned that I had not done my homework as well as I believed ...
I knew about the Snazzi capture cards and that's why I was surprised that there is not a lot more info available (I only found a partial code for a driver), still, I was planning to use the little info I got for these cards as my starting point.

On the other hand, I did not know about the microkernel needing to be changed to start with, nor did I know that the KFIR and KFIR-II had the same registers ... something interesting to investigate further.

Thanks a lot for the info ...

ozNick
22-06-2008, 06:57 PM
Certainly it would be easier if a TV capture card or something similar had used these chips, so we could learn from its API.

Just reading with interest.

I passed on these links to someone a while ago (for BCM7021+BCM7040), not sure if they were/are of interest but just in case.

http://www.fabiao.net/viewthread.php?tid=1468301&highlight=broadcom
http://www.fabiao.net/viewthread.php?tid=395235&highlight=broadcom

If you translate the rest of the page you can see where to pay (~$20) to get a copy of these papers.

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.fabiao.net/viewthread.php?tid=1468301&highlight=broadcom
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.fabiao.net/viewthread.php?tid=395235&highlight=broadcom

If this has already been discounted, then apologies.

Cheers Nick

DickFikkert
14-07-2008, 04:16 AM
Seeing that the 7040 pops up again. Was the issue resolved of believing that, given Robert's efforts back in 2004, the only major issue left is that the Tivoapp needed (unknown) modification? In that case the internals of the BCM7040 are not needed, right?

See Robert's mail on 09-10-2004
"Seeing there seems to be a bit more interest in S2 hacking at the moment,
here is some details of the progress I made ages ago. I believe all this
talk of getting Broadcom datasheets etc is a red herring. I have already
managed to hack the mpeg encoder module (kfirm.o) to support PAL and looking
at the disassembly of the mpeg decoder module (brcmdrv-rb.o), it already
supports PAL. I believe the real work remaining is in tivoapp."

petestrash
14-07-2008, 06:10 AM
That is my understanding.

Peter.

Ps Dick, were you ultimately successful in restoring the image to a USB attached Hard drive? From memory the last comment in your wiki was that you have not tried the drive in a TiVo yet.

DickFikkert
14-07-2008, 04:09 PM
Peter, I am using that USB restored disk now for about 1,5 year now so the part of the script I used worked for me for sure.
There are options in the script that I have not tested by doing a restore and putting it back in Tivo. Those options have been marked when used. For experienced users the script also has a dry run option, so you can judge whether the commands used, make sense.

petestrash
14-07-2008, 07:24 PM
Cool thanks I'm trying to figure out options for the next image to allow USB only restores.

Peter.

Marianok
28-08-2008, 05:06 AM
Hi Dick,
You mentioned an email from Robert from before I was a member, I noticed that Keith had also mentioned 'Robert Lowery', but I was unable to find it among the registered users.

Is Robert still a member or does anyone have a copy of his work that I can put my hands on ?

Best regards, Marianok


PS. Nick: I did see the link you sent and they seem to have something related to what we need, but it's all in Mandarin and I find it impossible to buy it ...

petestrash
28-08-2008, 02:05 PM
Robert is not active any more, and was only active in the OzTiVo community, but not here.

You can find the start of his palmod work here (http://www.oztivo.net/twiki/pub/Software/LatestPalModSeries2/s2palmod.tar.gz).

and some other notes we started here (http://www.oztivo.net/twiki/bin/view/Howto/HowToStartHackingAnS2).

Peter.