Motorola/Kreatel- STB
I have some boxes from Motorola i'm planing to do some fun of it now. This page is intentend to be an information only page. I will later write howtos about booting and managing this type of set top boxes. much of this information may be Telia (swedish service provider) specific. Much of the information is just translated, theres is pretty much information about this device on the net, but much of it is written in swedish, norwegian or spanish wich makes it hard for most peoplo to access.
Boot process
Known featuers is DHCP and Static ip booting booth trought infocast and tftp. Only infocast boot is activated on Telias boxes,I don't know how to activate tftp. Maybe there is some sort of JTAG or some magic RC key combo like the one needed for the ip configuration menu. It could also be deactivated since the boxes comes preconfigured from provider, or at least ar reflashed when first connected . Since the Web API of the box is so big there is probably plenty of bugs that will give access at an lower level than javascript, this may be a way to access boot con
Static ip
For static ip you need to access Network IP configuration. Reboot the STB, you need to unplug the power cord. When the device starts booting press "Info" or "Menu" depending on model. When you get the IP-STB Configuration menu, you should press 2, 3, 5, 7 in order. This will bring up the ip config menu in vip1510 and a menu entry in vip1910, if you have a vip1510 remember that you need to zero pad the settings like 192.168.002.006 for 192.168.2.6. I have not tested yet if it is possible to use another meta data when using an encrypted boot image.
DHCP ip
Same as Static ip execpt you need to change to DHCP when appreciate
Very first boot processing of VIP1910-9.
Infocast
The box use something called infocast, this is used to distrubute the kernel, the splash image and the configuration to the box. It seems that VIP1910 does join the infocast 239.16.16.202 automatic even when dhcp does not send meta data, at least this is true when meta-data is entered correct in the box ip config menu. VIP1510 does not join automatic, you need to enter static configuration and enter correct meta-data, or use an DHCP wich sends correct meta data. When the box is connected to the iptv network it's about 2ms between every packet and a total of 1068 bytes of data in every datagram, if you use it on an local network i think you could get really high speed, at 100Mbit you could theoretical load the kernel in about 2sec, but hardware probably limits transfer rate. (ie it will fail to load all packets and need to go trought the packets again)
The webGUI
HTTP_USER_AGENT
"Mozilla/5.0 (X11; U; Linux mips; rv:1.7.12) Gecko/20080331 Kreatel" on vip1510, i use this to identify that an request comes from this box.
Javascript Stuff
> createMediaPlayer *
> browserWindow
enableColorKeying
setColorKey
setTransparency
COLOR_KEY_SOLID_COLOR
QueryInterface
isVisible
show
hide
getPositionX
getPositionY
getWidth
getHeight
setPosition
setFullscreen
isColorKeyingEnabled
disableColorKeying
getColorKey
getTransparency
getColorKeyMode
setColorKeyMode
getSolidColor
setSolidColor
COLOR_KEY_TRANSPARENT
COLOR_KEY_ALPHA_BLEND
> QueryInterface *
> getVersion *
> applicationService
QueryInterface
addEventListener
removeEventListener
activate
activateWithUri
activateWithCommand
kill
getBoolProperty
getIntProperty
getStringProperty
STATE_REGISTERED
STATE_INSTALLING
STATE_INSTALLED
STATE_STARTING
STATE_INVISIBLE
STATE_VISIBLE
STATE_ACTIVE
STATE_STOPPED
ON_STATE_CHANGED
> softwareService *
> deviceService *
> system
QueryInterface
reboot
setStandbyMode
restartPortal
isMuted
mute
getVolume
setVolume
getAspectRatio
setAspectRatio
ASPECT_RATIO_4_3
ASPECT_RATIO_16_9
> uriLoader
QueryInterface
loadUri
> dvbTuners
length
item
> mediaRepository *
> createInformationObject *
> createMediaRecorder *
> createHomeMediaBrowser *
> createCommunicationContext
> input
QueryInterface
addEventListener
removeEventListener
grabKey
ungrabKey
ON_KEY_DOWN
ON_KEY_UP
Decrypt boot image or load unencrypted image
I have not managed to decrypt the image that Telia use. But that should not be very difficult, i have a list with involved steps.
1. Get the image that the box gets on its very first boot, this is an unencrypted image that flashes the box with new firmwire.
2. Extract the firmwire from the image
3. Extract the cryptographic keys from the firmwire
4. Decrypt the encrypted image with the keys.
5. Get some more information about the device trought the image. Maybe we can make it boot trought tftp and stuff.
6. If we don't get past the point were we decrypt the image, the unencrypted image probably has some good information to becuse it's changes hardware settings on the box.
Comments
#1 All day today trying to
All day today trying to understand how programming via RS232 first boot
the VIP1710 and that program and did not understand anything, please
someone explain the whole process over RS232 because my ID is locked.
Converter RS232 to TTL I have with it I have already worked.
Vlatko
#2 Advanced menu
Tftp menu
7532
#3 motorola project...
hi
I was just wondering, is it still an ongoing project? Theres no date, so this may long be degraded to the back of your closet, as far as we know:-).
Im asking because I have IPTV with dbnet, with their VIP1510 box. From a relative I´ve obtained a 1920 box, that seems to work on the network, only not as stable as I would need. I could use some help to learn, whats in the entries from wireshark when connected to the network...that is, what metadata ip to use, how will I know what IP is my box and so on.
Regards,
barbaren at (google mail service) dot com
#4 Hi! I found sourcecode for
Hi!
I found sourcecode for decrypt "Motorola vip1920" firmware, are you intrested?
#5 Motorola VIP1920
Hi,
I have the VIP 1920 as an IPTV, but the software that my operator provided doesn't allow do receive RF signal input.
Is it possible to reset or install a new software in order to receive digital tv? I heard about a software called KreaTV tha usualy comes with the device. Is it possible so install it? Are any software that I can use?
Thanks for the attention.
#6 About Motorola VIP 1920 with DVB-T
Hello,
I have one question, does anybody know hot to update software or firmware to get working DVB-T reciever in Motorola VIP 1920. Because I have box from my ISP and seems that a lot of features are blocked. Maby you have a link to the SW or HW and steps how to do that. Thank You.
My email : esutam@takas.lt
#7 Does it work properly? (is it
Does it work properly? (is it from Rohde?)