MX-760HD FirmwareAnalysis

From MvixCommunity

Overview

The Mvix MX-760HD has a very limited software subset in its default firmware image (firmware 1.1.27 was used in analysis).

The operating system consists of the following:

  • uClinux Kernel
  • Busybox 1.00
  • Curacao, the GUI binary (/usr/curacao/curacao)
  • Rompkg (/usr/local/bin/rompkg)
  • A wifi driver which is not a part of the kernel (/etc/ra61)
  • NDAS software (/ndas)
  • Configuration (/tmp/config)

uClinux Kernel

The 2.4.26-uc0-sigma-20051018-nm kernel sources that were once available at http://www.mvixusa.com/support/index.php?_m=downloads&_a=downloadfile&downloaditemid=19 contain a kernel configuration file named .config.old that reveals the following features:

  • ARM, UCLINUX, TANGO, EM86XX architecture
  • PCI support
  • IDE Disk+CD support
  • SCSI support
  • MTD support
  • Ext2, Ext3, FAT, MSDOS, VFAT, ISO9660 with Joliet, UDF, NTFS (including R/W support!), ROMFS, DEVFS
  • NFS (+V3), SMBFS (with NLS)
  • EM86XX Serial support including serial console
  • EM86XX Infrared support
  • USB support
  • A bunch of SD (Sigma Designs) specific options (e.g. fast IDE probing)

Although the kernel has loadable module support, all of the options are built into the kernel and no modules are specified.

Busybox

Currently, the Busybox version provided with the MX-760HD is extremely limited. It has no grep(1), no find(1), no file(1) or passwd(1).

Issuing the busybox command gives the following output:

  BusyBox v1.00 (2007.04.11-17:11+0000) multi-call binary
  
  Usage: busybox [function] [arguments]...
     or: [function] [arguments]...
  
          BusyBox is a multi-call binary that combines many common Unix
          utilities into a single executable.  Most people will create a
          link to busybox for each function they wish to use, and BusyBox
          will act like whatever it was invoked as.
  
  Currently defined functions:
          [, basename, busybox, cat, cp, date, df, false, free, gunzip,
          gzip, hostname, id, ifconfig, init, insmod, kill, killall, login,
          ls, mkdir, more, mount, msh, ping, pwd, reboot, reset, rm, rmmod,
          route, sh, tar, telnetd, test, time, top, true, umount, uptime,
          vi, wget, zcat

This version of Busybox is also very old. The Busybox website states that version 1.00 was released in October 2004.

Interestingly, while busybox does not define udhcpc (Busybox's DHCP client) as being available, it is present on the system as a separate binary (/usr/share/udhcpc). I'd just be speculating at the moment, but this might be because MvixUSA/Unicorn are using a version of the udhcpc from a more updated version of busybox.

Curacao

It's no longer just a drink for mixing cocktails. The curacao binary is located at /usr/curacao/curacao.

It controls the GUI of the MX-760HD player, and also automatically mounts and unmounts USB storage devices (presumably by just passing the relevant mount or umount options on to busybox).

As far as I can tell it's proprietary in nature - Googling for it brings up no results that lead me to believe this is a f/oss application. Curiously, AV Forums lists the curacao binary as also being present in the IAMM NTD36HD player (http://www.avforums.com/forums/archive/index.php/t-431810.html).

Four curacao processes are run on the MX-760HD at boot up. Here is a diagram of what occurs:

  init
    |
    |--- curacao (launched by init)
            |
            |--- curacao (launches a child process)
                    |
                    |--- curacao
                    |             (launches two new child processes from this)
                    |--- curacao

Gui files

Rompkg

rompkg seems to be a proprietary binary which has been designed to provide some additional functionality that is not present in Busybox. It is located at /usr/local/bin/rompkg.

On cursory analysis, its purpose (among other things) is to flash the ROM when a firmware upgrade is initiated, provide control over the wireless interface and connect to SMB (Windows or Samba) shares.

rompkg is designed in a similar manner to busybox: a single monolithic binary, /usr/local/bin/rompkg, contains multiple internal routines, and the command-line parameters it is run with select which behaviour is invoked.

That is, running /usr/local/bin/rompkg smbmount results in different behaviour from running /usr/local/bin/rompkg flash_update.

As with Busybox, Unicorn creates symbolic links in the firmware filesystem, each named after one of rompkg's internal functions.

The list of symbolic links within the 1.1.27 firmware that link back to rompkg are as follows:

/usr/local/bin/arpscan -> /usr/local/bin/rompkg
/usr/local/bin/auto_wnet -> /usr/local/bin/rompkg
/usr/local/bin/extractpref -> /usr/local/bin/rompkg
/usr/local/bin/flash_eraseall -> /usr/local/bin/rompkg
/usr/local/bin/flash_update -> /usr/local/bin/rompkg
/usr/local/bin/flash_write -> /usr/local/bin/rompkg
/usr/local/bin/init_dac_pcm174x -> /usr/local/bin/rompkg
/usr/local/bin/iwconfig -> /usr/local/bin/rompkg
/usr/local/bin/iwlist -> /usr/local/bin/rompkg
/usr/local/bin/iwpriv -> /usr/local/bin/rompkg
/usr/local/bin/mkprefimg -> /usr/local/bin/rompkg
/usr/local/bin/mount.cifs -> /usr/local/bin/rompkg
/usr/local/bin/setgpio -> /usr/local/bin/rompkg
/usr/local/bin/smbmnt -> /usr/local/bin/rompkg
/usr/local/bin/smbmount -> /usr/local/bin/rompkg
/usr/local/bin/smbmount_simple -> /usr/local/bin/rompkg
/usr/local/bin/smbshares -> /usr/local/bin/rompkg
/usr/local/bin/smbumount -> /usr/local/bin/rompkg
/usr/local/bin/sys_up -> /usr/local/bin/rompkg
/usr/smb/smbmnt -> /usr/local/bin/rompkg
/usr/smb/smbmount -> /usr/local/bin/rompkg
/usr/smb/smbmount_simple -> /usr/local/bin/rompkg
/usr/smb/smbshares -> /usr/local/bin/rompkg
/usr/smb/smbumount -> /usr/local/bin/rompkg
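
A list like the one above can be rebuilt from any unpacked firmware image by grouping symlinks by target. The following is an added example, not part of the original analysis: it assumes the root filesystem has been extracted to a directory on the analysis host, and it builds a small constructed sample tree (the `bin/busybox` path and the relative `telnetd` link are assumptions for illustration). Absolute link targets are interpreted relative to the device's root rather than the host's, which is why most of them dangle when viewed from the host.

```python
import os
import tempfile
from collections import defaultdict

def resolve_in_rootfs(rootfs, link_path):
    """Return the link target as a device-style absolute path."""
    target = os.readlink(link_path)
    if os.path.isabs(target):
        # Absolute targets refer to the device's /, not the analysis host's.
        return os.path.normpath(target)
    link_dir = os.path.dirname(os.path.relpath(link_path, rootfs))
    return os.path.normpath(os.path.join("/", link_dir, target))

def multicall_map(rootfs):
    """Map each symlink target to the sorted applet links pointing at it."""
    applets = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(rootfs):
        # Dangling links show up in filenames, links to directories in dirnames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                device_path = "/" + os.path.relpath(path, rootfs)
                applets[resolve_in_rootfs(rootfs, path)].append(device_path)
    return {target: sorted(links) for target, links in applets.items()}

def build_sample_rootfs(rootfs):
    """Constructed sample: three of the links listed above plus one relative link."""
    for d in ("usr/local/bin", "usr/smb", "bin"):
        os.makedirs(os.path.join(rootfs, d))
    for real in ("usr/local/bin/rompkg", "bin/busybox"):  # bin/busybox is assumed
        open(os.path.join(rootfs, real), "w").close()
    for link in ("usr/local/bin/flash_update", "usr/local/bin/iwconfig",
                 "usr/smb/smbmount"):
        os.symlink("/usr/local/bin/rompkg", os.path.join(rootfs, link))
    os.symlink("busybox", os.path.join(rootfs, "bin/telnetd"))  # relative target

def demo():
    with tempfile.TemporaryDirectory() as rootfs:
        build_sample_rootfs(rootfs)
        return multicall_map(rootfs)

if __name__ == "__main__":
    for target, links in sorted(demo().items()):
        print(f"{target}: {len(links)} applet link(s)")
        for link in links:
            print(f"    {link}")
```

Targets with many links are the multi-call binaries worth examining first, since each link name is an entry point into the same executable.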

rompkg, just like curacao, does not seem to be unique to the Mvix line of products either. This post on the AVS Forums (http://www.avsforum.com/avs-vb/printthread.php?t=763110&page=2&pp=30) shows that rompkg is also present on the Iamm NTD36HD by Novatron.

Wifi driver

A wifi driver exists in the firmware that is not present in the kernel. It is located at /etc/ra61.

The name of this directory suggests that the driver is for a Ralink rt61 wireless chipset; however, more work needs to be done to confirm or deny this.

NDAS Software

As of firmware 1.1.26 Beta, Ximeta's NDAS software is included in the firmware for MX-760HD.

Three pre-compiled kernel modules and some shell scripts to load and unload them exist in /ndas.

Configuration

Run-time (volatile) configuration data is stored in /tmp/config:

  /tmp/config
    |--player.conf (most of the configuration data except network configuration)
    |--resolv.conf (DNS configuration)
    |--smbsnapshot.conf (??)
    |--network
         |
         |--wireless (Wireless configuration data, including non-encrypted key)
         |--wired    (Wired configuration data)
         |--global   (Global network settings)
    |--playlists (Jukebox data, information about most recent played files)

Most probably curacao is calling /usr/local/bin/pref_saveall.sh to compress all configuration data into /tmp/config.tgz, convert it into a flashable file and save it into flash area /dev/mtd/2.
