How to reverse set top box of TV

[suddenLy]

Dear ppl,

How can I reverse set top box of IPTV?
I don't know how to start this kinds of reversing.
My questions are...

1) how to reverse the ROM or memory of set top box?
is there any universal method to download the firmware?
(and maybe including upload the modified firmware)

2) how to capture the packet of IPTV with my PC?
I don't know how to configure the network.

[Syoma]

1) No universal method. Identify firmware and hardware components first. Then decide which method applicable to grab fw.
2) Configure PC as proxy and grab traffic using wireshark, for example.

[Storm Shadow]

in my experience most Topbox have option for RS232 serial cable.Never seen one with it.
Uselly Putty the best software to grab / upload FW via RS232.Think off the port as a recovery (flash port)


Im pretty sure there have been made some custom fw for IPTV, (running on dreambox top-box etc)

[new_profile]

1/ Reversing the firmware of STB could be easy or difficult depending whether or not it is encrypted or not. It will depend too on the CAS Provider requirements (nds, irdeto, ...).
2/ In order to capture packets, find a hub or a switch with a mirrored port capability and set your PC on that port; then give Wireshark a try : it's powerful tool: you can decrypt all kind of traffic: dhcp (bootp), udp, ...

Cheers

[sh3dow]

hi
for Identify, analyzing and extracting firmware images use binwalk
tut for binwalk from author blog http://www.devttys0.com/blog/ [ best blog in firmware reversing]

link will help you
http://www.zlotkus.com/2013/09/reverse-engineering-telergy-t501-iptv-set-top-box/
-----------------------------------------
-binwalk result will be like this-
-----------------------------------------

PHP Code:

DECIMAL      HEX        DESCRIPTION
-------------------------------------------------------------------------------------------------------
131584      0x20200      romfs filesystem, version 1 size: 210864 bytes, named YAMON_XLOAD.
393728      0x60200      romfs filesystem, version 1 size: 8042720 bytes, named MIPSLINUX_XLOAD.
393891      0x602A3      LZMA compressed data, properties: 0xA9, dictionary size: 33882112 bytes, uncompressed size: 8042532 bytes
8782336      0x860200     romfs filesystem, version 1 size: 8042720 bytes, named MIPSLINUX_XLOAD.
8782499      0x8602A3     LZMA compressed data, properties: 0xA9, dictionary size: 33882112 bytes, uncompressed size: 8042532 bytes
17170944     0x1060200     romfs filesystem, version 1 size: 2276400 bytes, named imaterial.
18373849     0x1185CD9     Windows CE RTOS
18373851     0x1185CDB     Windows CE RTOS
18375770     0x118645A     Windows CE RTOS
18375772     0x118645C     Windows CE RTOS
19246092     0x125AC0C     gzip compressed data, from Unix, DD-WRT date: Thu Jan 1 01:00:00 1970
19250569     0x125BD89     gzip compressed data, from Unix, DD-WRT date: Thu Jan 1 01:00:00 1970
19250940     0x125BEFC     gzip compressed data, from Unix, DD-WRT date: Thu Jan 1 01:00:00 1970
19447294     0x128BDFE     gzip compressed data, from Unix, DD-WRT date: Thu Jan 1 01:00:00 1970
19792384     0x12E0200     romfs filesystem, version 1 size: 144144 bytes, named xmaterial.
20054528     0x1320200     CramFS filesystem, little endian size 39141376 version #2 sorted_dirs CRC 0x4bd0995b, edition 0, 44794 blocks, 2005 files
41886683     0x27F23DB     gzip compressed data, ASCII, extra field, has comment, comment, last modified: Thu Jul 24 16:42:19 2008
53363176     0x32E41E8     TROC filesystem, 852941726 file entries
57071804     0x366D8BC     JFFS2 filesystem data big endian, JFFS node length: 339134