Hi, interesting to see you're still working on this. Dumping all the info I have once more, to address some questions raised in this thread, and in the hope someone finds it useful.
The back door.
http://www.radioandtelly.co.uk/images/netgem13.jpg
Whenever you see the above screen on the iPlayer the backdoor is open. The backdoor is a standard rsh server which gives a root shell.
You can confirm this by looking at /etc/inittab in the unpacked firmware. Notice that rshd is started when the player goes into runlevel 6 (I think.) That happens whenever the player is downloading or flashing a firmware. If you get in before the download completes (up to 30 minutes on dial-up - plenty of time) you can kill the downloader to abort the update but stay in this runlevel.
Yes, this is a huge security vulnerability which allows attackers to trivially root your box if they do a port scan while you do an update. And from there they can permanently brick it. So really you should thank Netgem for not making any more updates.

The second disk-on-chip pads.
These aren't for a different type of chip, they're for using two DoCs in a stacked arrangement. All the pads are connected the same except the chip enable lines. That means with a custom kernel and some soldering you can double the available disk space. The soldering is not that difficult: I fixed my player that I bricked while rooting it by removing the DoC and soldering in one from a player with a hardware fault. (OK, actually I got a friend to do it - but it is possible at the hobby level.)
The supposed serial port on SCART
I never once got this to work and I don't believe it can be done in recent firmwares. There is absolutely no sign of a boot prompt or kernel log on these "ports." It seems to be for controlling VCRs with a proprietary serial protocol and not RS232 compatible even with a voltage shifter.
While I briefly had root access I tried writing directly to the serial ports (/dev/ttyS0 etc) but could not pick up the output on these pins, or any other - I even tried at many random resistors around the CPU. So I conclude that the iPlayer does not have a serial port in the hardware revisions I used.
The mysterious 20 pin test pad
Located at front right, just above a barcode sticker. I never figured out what these do, but they definitely aren't serial (see above) and they don't seem to be JTAG either (apparently no TRST line.)
The loopback dial-up trick
This trick involved connecting the built-in modem directly to another software modem set to auto answer and authenticate any PPP login, and then provide internet access. This used to be a good way to snoop on what the iPlayer is sending home. In the latest firmware I just can't get it to work. I think the "wait for dialtone" option has been deliberately broken to prevent this attack.
Spoofing the Netgem homepage
By manipulating local DNS you can direct requests which would go to Netgem to your own server. However, most of the requests are carried out over SSL so Netgem will reject your server - it doesn't use Netgem's certificate. The actual firmwares are not encrypted - only the connection to the download site.
Updating on USB
Since we know the Netgem page is never going to have another firmware either to upgrade or downgrade, we can't access the backdoor that way any more. Has anybody managed to run an update from USB on UK classic or BT iPlayer+ hardware? If so it shouldn't be hard to get in that way, since the updates themselves don't seem to be encrypted and include the flasher code which we could replace with something else (e.g. telnetd).
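
The /etc/inittab check mentioned in the post, as an added example (not part of the original post and not Netgem's code): a small auditor for an unpacked firmware image that flags inittab entries starting rshd or similar cleartext remote-shell daemons and reports the runlevels they run in. The sample inittab is constructed, and the sysvinit `id:runlevels:action:process` layout is an assumption about the firmware.

```python
import os
import re

# Daemons that hand out a shell over the network without encryption.
REMOTE_SHELL_DAEMONS = {"rshd", "in.rshd", "rlogind", "in.rlogind",
                        "rexecd", "in.rexecd", "telnetd", "in.telnetd"}
# Super-servers that may start those daemons indirectly (check their config too).
SUPER_SERVERS = {"inetd", "xinetd"}

# Constructed sample, NOT the real firmware file (assumed sysvinit layout).
SAMPLE_INITTAB = """\
# constructed example inittab
id:3:initdefault:
si::sysinit:/etc/rc.sysinit
ui:3:respawn:/usr/bin/player --fullscreen
dl:6:once:/sbin/fwdownload
rs:6:respawn:/usr/sbin/rshd -D
ct:12345:ctrlaltdel:/sbin/reboot
"""

def audit_inittab(text):
    """Return findings for inittab entries that start remote-shell services."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)      # the process field may contain ':'
        if len(fields) != 4:
            continue                     # malformed entry, skip it
        entry_id, runlevels, action, process = fields
        if action in ("off", "initdefault"):
            continue                     # these actions never run a process
        # A leading '+' in sysvinit only suppresses utmp/wtmp accounting.
        for token in re.split(r"[\s;|&]+", process.lstrip("+")):
            name = os.path.basename(token)
            if name in REMOTE_SHELL_DAEMONS or name in SUPER_SERVERS:
                kind = "remote-shell" if name in REMOTE_SHELL_DAEMONS else "super-server"
                findings.append({"line": lineno, "id": entry_id,
                                 "runlevels": runlevels or "-",
                                 "daemon": name, "kind": kind})
    return findings

if __name__ == "__main__":
    for f in audit_inittab(SAMPLE_INITTAB):
        print("line {line}: [{kind}] {daemon} in runlevels {runlevels} (id {id})".format(**f))
```

To audit a real image, read `etc/inittab` from the unpacked root filesystem and pass its contents to `audit_inittab`.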