42 replies to this topic

[gesnazo]

Hi,

Yesterday vu launched a clone attack and many clone cloud ibox were bricked.
Should we be worried about this or openpli images aré free of this?

Regards

[Erik Slagter]

I don't know honestly. We don't have anything to do with clones.

[Rob van der Does]

There are dozens of reports on the clone loving forums. All about Solo2 clones, and all kinds of firmware & drivers were used, all died Friday night or Saturday.
Must be the Chinese themselves, who build in a bomb, to get sales up...... (Easteregg )

[littlesat]

We currently use the latest drivers intended to improve the performance of the genuine vu boxes.
When vu puts a clone brikker in the newer drives is not our responsebility... Our goal is to support genuine boxes.
Nothing changes... We did the same in the past for dmm...

[Rob van der Does]

That's not the case. As I said: the clones died on using all kinds of firmware and drivers.

[Pedro_Newbie]

The moral of the story: Who buys cheap buys twice

[Rob van der Does]

If you want to enjoy the full story: http://www.digitalwo...ese-vu-225.html

[radxnl]

So for some technical background, just for those who care

 

About half a year or so ago i already made aware that there was added into the Vu drivers a 'time bomb', i don't know the exact thread by heart but pretty sure that the search function will bring it up..

 

The following driver releases where, apart for the usual bug fixes and improvements, trial runs for what has now gone 'live'.

 

Due to the fact the guys who cloned the security for the Chinese (and this was actually done in Europe, as many of you might know) made a pretty good copy of the alpu tpm chip (from neowine), which is used by many stb manufacturers and of course offers no real sense of clone protection what so ever Vu had to look for another means of establishing the board authenticity.

 

So the logical second choice was the FPGA, hey, it was sitting on the board anyway and for the clone companies would for sure mean another $10/25K to read out and so that was of course the logical way to go.

 

So that brings us to the current situation, the best they can do is just wipe out the block in the nand where the SoC boots from, that would mean that the resellers will have to be equipped with at least BBS tools and software to 'revive' all boxes killed in the 19-4 attack.

Which is of course a good thing in more that one way,

First - the clones where shut off, even if it will be for a very short time. But this is giving a strong signal to the end user market never to buy a clone (of course, buying a clone is always a bad thing) as you can never be sure what will happen.

Second - this creates a market for the 'guy on the attic with a soldering station' (not that he will need one in this case) but you know the guy i am talking about, these are the same guys who helped out when ci modules and other stb where killed (a.k.a. erased) in the past.

 

So i guess the next thing that will happen is that the manufacturer of the clone boxes will start shipping BBS tools and so on to their resellers and they will 'fix' the problem in a jiffie any day soon now.

 

And now, just because we can, a quick rundown of what is exactly the 'authenticity check' and the 'counter measure' taken by Vu.

Let me first just state, i have no involvement in any cloning activities, i am just an independent researcher who likes to 'see what went down'.

And if i tell or not, it won't matter for the outcome, the current 'disabled' hardware will be revived, i am sure of this as there where too many sold already so it is imperative to the companies who made them that the 'problem' will be fixed, and so it will.

 

So, first what they have done is do some FPGA magic, to confirm to the drivers that they are in fact dealing with cloned hardware (i won't go into details on how they do this, its some challenge, some des crypto and some other stuff but not really relevant to be known exactly).

Then after they have established that it is in fact not a genuine board some counters start running in some critical places, like the tuning of the front end, vfd actions and a random one connected to the a/v input. So doing this they are pretty sure that at some point the counter limits are reached and then it is time to run 'the check'.

The check of course consist of a simple 'hello, what day are we at?' if this is in fact 19-4-2014 or later it is time to do some erasing to make sure that we are not happy that you cloned our board.

So now we start erasing, all they need to do is clean out the area where to SoC start reading from after it start up (a.k.a. the boot loader, a.k.a CFE). But for whatever reasons they chose to erase 64 pages, I guess to make sure it really won't start (not that it would matter at all, 1 would have been enough).

After that the erasing continues some more when the critical functions are called until the stb is rebooted and at that point the user will get a nice black screen and no reaction from the stb what so ever. All gpio will remain uninitialized after powering on, this for instance causes the LAN light to stay on continuously and so forth.

 

So that's pretty much the background of the whole thing, clones are killed and now let's see what the next move will be

 

For those who want to investigate the matter for them selves,

the recent functions where added into the drivers from a file called brcm_fpga_secu.c,

find it and you will see what i was talking about

 

A quick code snippet from it (the least interesting one, as here the damage is 'already being done') just for reference:

 

void nand_erase_64_pages(void)
{
    for (int addr = 0; addr < 64; addr += 2)
    {
        BDEV_WR_RB((BCHP_NAND_CMD_ADDRESS, addr));
        BDEV_WR_RB((BCHP_NAND_CMD_START, CMD_ERASE << BCHP_NAND_CMD_START_OPCODE_SHIFT));
        BDEV_WR_RB((BCHP_NAND_CMD_START, CMD_NULL << BCHP_NAND_CMD_START_OPCODE_SHIFT));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x00, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x04, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x08, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x0c, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x00, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x04, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x08, 0));
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x0c, 0));
        BKNI_Sleep_tagged(20);
    }
    BKNI_Sleep_tagged(100);
}

 

Moral of the story is of course, with the genuine product you would have never had these kind of issues and thus that is ALWAYS the way to go!

 

These where my 2 cents happy reading.

 

[Rob van der Does]

Yep, I remember reading your post about that; that was when the new Solo2 drivers invoked an FPGA-upgrade after reboot.

Going by the reports (well, reports; a lot of BS there....) there are two more things:
1- Boxes were also dying when in use, not only when rebooted. First symptom was EPG-data not showing.
2- Flash was not only erased, but also set to 'read-only'.

[radxnl]

1. Yes that may be a side effect of the erase, drivers are 'blocking' for quite some time when the 64 page erase is going on. Can manifest in a lot of 'irregular' stuff.
2. As i stated, the box can be revived using the BBS tool, given you have one and the corresponding software and a dump of the CFE to write back.

The FPGA update i did not mention on purpose, as that is used in the verification of the board, the binary file is linked in the driver (as opposed to the previous standalone donwloadable releases from the vu.com website, handled by the fpupdate plugin).

Of course the FPGA update can be easily avoided, but that is a whole different story

[gesnazo]

And what date are this new drivers?

How could i know what drivers i have?

[delavega]

Saving a 100 euros to buy a clone is so stupid, you get a 100 problems with it.

[shon]

Saving a 100 euros to buy a clone is so stupid, you get a 100 problems with it.

who buys that is his personal problems, and not others and other this does not concern , just have some people who are not human. If you have a problem with someone then solve them with him and not with customer?

[delavega]

You dont make in sense, why dont you go hug the clone makers nuts instead?

[delavega]

any*

[dirkjan73]

First of all one little thing off Topic:,a dish watcher who says "i am not doing anything illegal" is talking BULLsh..TT!!There is no ONE satelite TV provider who is allowing that u using a Receiver that doesnt belong to them,and lets be honoust we,the experienced dishwatchers,sometimes watching on more tv sets then we payed our provider to,so we are no angels!

 

And now On toppic:What i am curious about is this,did Pli or any member knew about this,lets call it a "virus"?

Edited by dirkjan73, 23 April 2014 - 19:32.

[Erik Slagter]

Untrue, CDS and TVV totally allow you to use any receiver you like, as long as you use the CI module.

[dirkjan73]

Untrue, CDS and TVV totally allow you to use any receiver you like, as long as you use the CI module.

Thank u Eric for correcting me,but those providers dont like it if we are watching with those cards on more than one TV...But this was the Off topic part

[Rob van der Does]

Untrue, CDS and TVV totally allow you to use any receiver you like, as long as you use the CI module.

Thank u Eric for correcting me,but those providers dont like it if we are watching with those cards on more than one TV...But this was the Off topic part

Untrue: those providers even assisted in the process and brought a special smartcard update to facilitate it.

[dirkjan73]

 

Untrue, CDS and TVV totally allow you to use any receiver you like, as long as you use the CI module.

Thank u Eric for correcting me,but those providers dont like it if we are watching with those cards on more than one TV...But this was the Off topic part

 

Untrue: those providers even assisted in the process and brought a special smartcard update to facilitate it.

Ok guys my off topic was untrue...

 

On Topic:Did VU let Pli know that they were going to put a "timebomb" in the drivers,personaly i think they did it briljant and was massive effective,but the thing is,what i am curious about is,did they do it "just like that in a heartbeat" or did they noticed there partners,Pli,BH.etc,etc