Turning a TV set-top box into a Linux computer (2022) (zeus.ugent.be)
379 points by todsacerdoti on Feb 14, 2023 | 110 comments



You can also get a similar board with that CPU here: https://libre.computer/products/aml-s905x-cc/

It's optimized for mainline Linux and since u-boot supports UEFI booting, you can just throw a downloaded Fedora arm64 image on it and it will boot.


Oh hey, the Amlogic chips. I worked for a company that wanted to turn an Amlogic S805 STB kit into a Linux computer. I think the reason that it works fairly well out of the box is because of some of the drivers we contributed to the effort :)

Their display controller driver was fun to figure out. https://github.com/torvalds/linux/tree/master/drivers/gpu/dr...


I've had trouble sourcing reliable SD cards for these SBCs. I have had the Le Potato, ODROIDs, RasPis. And they will generally work really well 98% of the time. But I keep them in a closet and I hate that I need to service them once a year or so. I tried buying SD cards from several different retailers and never got reliable results like from SATA SSDs (or even rotating disks it seems).

I eventually just bought an intel NUC which I saw as a big defeat but also a remarkably practical solution.


What cards have you tried? If you stick with general-use mSD card these days they'll most likely be TLC. The issue mostly is they don't* support TRIM unlike an SSD, and they use bottom-of-the-barrel flash chips (cause consumer grade, pricing is important here).

Pony up a bit more cash for "high endurance" grade (mostly MLC), or even industrial SLC cards at a much higher price point. My current roster for my small pi4 cluster is a mix of Samsung Pro Endurance, SanDisk High Endurance and Kioxia High Endurance. So far they've been working pretty great for me. Last time I checked they're about $15-25 a pop, which isn't cheap but not that bad either. I've been meaning to check out SanDisk's max endurance which supposedly has much better write cycles, which I'll probably do after the card in my dashcam dies.

*On SBCs you could do something *like* trim, but it's not as straightforward, and support depends on the controller of the card wildly.


I've given up on SD cards for general purpose OS disk storage, I use small (≤16GB) SD cards for boot and small mSATA or m.2 SSDs in USB3 enclosures for everything else. Performance and reliability are drastically better, SMART gives you a heads up when a drive starts looking like it will need replacement, cost isn't even much of an issue if you source your SSDs from fleaBay.


Can you network boot a Raspi? This source seems to think so, as of the 3B+, anyway: https://www.makeuseof.com/tag/network-boot-raspberry-pi-with...

I guess it requires them to be on wired network, but if they're in a closet, that's probably the case anyway.


Yep, I've done network boot with mine. It's a lot easier these days since you don't have to manually generate an initramfs with the modules.


SD cards are flaky in general.


Wow, I've been looking for a replacement for my ancient BeagleBone Black for ages. This fits the bill to a T! 64 bit, mainline linux, u-boot, it's all there. And for less than I bought the BBB for. Thanks for the link!


Oh wow, if this had an M.2 slot I'd consider getting these for my home k8s cluster (I use rpi4s which are hard to get and such cause USB SSDs are flaky with power, and an odroid M1, which has a pretty slow processor, but is otherwise perfect)


I've found the Argon power supplies (18W, 3.5A) for RPi are probably the best option when using USB powered storage... I swapped out the ones that came with my DeskPi cases. I have tried several, an earlier model didn't have the inline switch, which I don't really use but a nice to have feature.

https://www.amazon.com/gp/product/B0919CQKQ8/


> you can just throw a downloaded Fedora arm64 image on it and it will boot.

I know what you meant, but I have known and loathed hardware for which this would occur quite literally


+1 for Libre Computer. Le Potato is awesome.


author here, surprised to see this on HN. If you have any questions, don't hesitate to ask :)


I’m about to attempt to do something similar on Deco routers, using [this](https://blog.keane.space/tp-link-deco-m5-hardware-hacking.ht...) as a base, but have never wired serial to usb manually before. My main question is how do you use a multimeter to tell which pad is which?

Great article!


You first need to find ground. You can do this by visual inspection (a bit less risky), or by using your multimeter in continuity mode across external metal parts (for example the outside of the USB port)/negative pin of the power supply. Then, you can use a logic analyzer to find the serial TX pin. The RX pin is usually pretty close, and might be pulled up through a resistor to VCC.


I work for an ISP and my role is pretty much to have the TV STBs become ewaste as late as possible (trying my best to do my part). Currently our security is pretty bad [1] (that's why I'm posting from a throwaway account), but I have a mainline Linux booting off a USB storage without touching internal storage (with very little changes). I plan to fix those security issues, and make this boot-from-usb official within a few months. We're far from trashing those units, but when we will, it'll be too late to open them up.

[1] related to security of user private data


That's great, be sure to post your story here on HN when you've finished the project!


Vendors of STBs should unlock them so that we don't get so much e-waste.

These boxes are most of the time locked, whereas they could be repurposed for many interesting uses (linux machines, android boxes, educational devices...), now they will be thrown away, remain in closets/garages or at best be recycled.

Tried to unlock my Vodafone TV box (Sagemcom DIW387 if I'm not mistaken), but with no luck since there is no community to "hack" it.


I won't hold my breath. From the article:

> In theory, we might be asked to give this device back. In practice, these devices are written off as soon as they’re sent to customers.

In my country, there are various ISPs with the same OEM boxes from SDMCtech. They went to the trouble of asking the manufacturer to put a custom SDIO encryption chip onboard. If someone dares to touch the firmware and/or included apps (not system, but phone-home ones) the device automatically bricks forever. Not even a NAND change fixes this, as the SoC/cryptochip/NAND trio is somehow "mated" at factory. This derived in a literal invasion of these at flea markets, charity stores etc. Almost none of them work, and if they do they are thoroughly locked.

Some people like me had limited success tweaking things through ADB. This box seems to accept a launcher change as long as the original isn't erased. That works until the box updates itself and bitches again about "pirating/unauthorized use", which is quite frequent.

Our ISPs are well aware of said e-waste, and still won't budge their up-the-ass attitude.


Then when it's time to get rid of it, throw it back at their door step since it doesn't belong to you


Actually many of those providers in some jurisdictions require returning the device at contract termination.


Most of the common STBs have piss poor performance because their specs are barely adequate as providers don't give a fuck about anything except BOM cost.


They are really excellent at decoding video, as you would expect. They can't run a 4k UI generally, however.

I think it's holding the industry back somewhat. Having a bit more power might make these boxes a home hub, a video calling device, a gaming device, or at least a bit future-proof.

One thing I like to do with Android TV devices is install tailscale on them. At least I can ADB to them from anywhere, and I can also set up the exit node. They use hardly any power, so it's a nice solution to have access to your home network or home internet connection.


Good luck with that. I just don't see Arris or Sagemcom opening up any time soon. These things are fairly locked down and drivers are tuned for specific things.

I spent a few years dealing with some of these STBs and yeah, they make great little computers. Such a waste. Just like smartphones,


We aren’t going to modify our security protocols so a handful of people can mod their STB, sorry :P


Given how quickly support is dropped for consumer electronics, not opening up access to them is unacceptable.

And that isn't really addressing the fact that many companies don't have the funding or the will to secure these devices.


I think the desire to repurpose obsolete electronic appliances is probably far too small to make a meaningful dent in e-waste. Not much to be done at scale with random, idiosyncratic, and underpowered SBCs.

I don't know for sure but I do strongly suspect it.


I mean, if nothing else when the device reaches EOL what would it hurt to release a bootloader unlock?


“What would it hurt” is the wrong question. The question is “how would it profit them”?

If it wouldn’t, they have zero incentive to do it.


Perhaps the regulatory solution is to offer the option: Either the vendor covers the cost of recycling, or they liberate the devices so recycling isn't the only option.


It would profit them by generating buzz and good will from their customers towards their future products, knowing that at some point, the customer will be given complete ownership of the product.

Plus, if the parts of the underlying software that are not going to be reused without modification in future products were open sourced, then for most semi-successful products there is the possibility of the code base growing, new tools and utilities being created, and information being generated that would improve their future products.

The only potential downside is that if the newer products that are released are retrogressive or are deemed to not be enough of an improvement then their own older systems with better software might crowd out their market share.

This would be a dramatic blow to sales of products like iPhones which have not had any MAJOR hardware upgrades in a few years, but for SBCs, a new processor, additional cores, faster memory, stronger graphics cards, USB-C, there's dozens of small improvements each generation that make a newer version worthwhile to customers.


> would it hurt to release a bootloader unlock?

In cases I am familiar with, you would need the sign off of 4 separate companies. I’m 99% certain one of them would outright refuse. I’m also 99% certain the others would be ambivalent and it would fall to the bottom of a bottomless queue.


> We aren’t going to modify our security protocols so a handful of people can mod their STB, sorry :P

Don't try to pass off lockdown nonsense as "security". If your "security" depends on a locked down end user device it's a broken design from the start.

I'd be willing to bet that the restrictions actually enforce the execution of insecure components, almost every locked down device ends up that way because the chain of vendors involved in approving updates doesn't really care about anything that doesn't affect their profit margins.

Just admit it's all about the margins, don't lie about security.


It must be a low. Like self unlock after 513 boots


What about game consoles?


I find "set-top" a funny leftover term from the age of CRTs. There's no way to set anything on top of TVs these days. My Kinect is still teetering atop it, but even that seems precarious.


It is impressive that they were able to run linux without making permanent destructive changes.

Had a pogoplug that I was able to repurpose as a linux server for some odd cron jobs and occasional backups.

Assuming there are no such constraints to revert, what other general purpose consumer devices are hack friendly and can be turned into low powered linux boxes?


Check out the OpenWRT Table of Hardware.[0] It runs on all kinds of stuff.

[0] https://openwrt.org/toh/start


It's an Android TV box. It was running Linux already.

The main difficulty is usually unlocking the bootloader.


Getting an updated kernel is also an issue - the article describes the device tree hacks they had to go through before the machine was usable.


That's my issue with PostmarketOS and the Pocket Chip and the 7" Android Netbook.


Not exactly a consumer device, but old thin clients are cheap and can be repurposed this way.


And the x86 ones are just PCs, so all the software bringup part is trivial (which is why I managed to succeed at that ;-) )



Very cool, I wish I could do this sort of thing.


Bootlin's embedded Linux class is fantastic and will teach you how to do all of this--uboot setup, building a kernel and root fs, etc. All of the materials for the class are free downloads so if you're motivated you can read the slides and follow it all yourself. I highly recommend it: https://bootlin.com/training/embedded-linux/


Same here. I appreciate the projects like OpenWRT that make this kind of thing possible for mere mortals like me. I flashed OpenWRT onto an old Verizon combo DSL modem/router[0] and now it's a VPN endpoint. I think the most complicated part was uploading the initial firmware via TFTP. But it looks like you can now just use the web interface, so it's even easier. Props to the people who figure this stuff out and make it available.

[0] https://openwrt.org/toh/actiontec/gt784wnv


Out of interest, what logic analyzer/logic analyzer software is the author using?


(author here) this is indeed a Saleae clone (one of the first results when searching for 'logic analyzer' on Aliexpress), with pulseview/sigrok as software. I try to use cheap tools if possible, so it's more accessible for other people to reproduce.


Looks like sigrok[0]. From the screenshots, the logic analyzer looks similar to a saleae clone.

[0]:https://sigrok.org/wiki/Main_Page


... and if you're not aware, Saleae clones are widely available on e.g. Amazon, prices before shipping seem to start around $7 in the US. This is possible since the original Saleae is basically just a CY7C68013A [1] in a box, and once others realized that cloning it was not difficult. No idea about patents and so on here, obviously it's not OK for clones to use Saleae's firmware without licensing it.

I have one, it worked fine and is of course highly recommended since the combination of a cheap way to get signals into the computer and Sigrok's protocol analyzers makes things really neat.

[1]: https://www.infineon.com/cms/en/product/universal-serial-bus...


I had a clone once upon a time, together with several Saleaes and have recommended them to many many people, and that clone was not accurate to me. While the chip and the firmware were probably exactly the same as the original one, the rest of the hardware was cost minimized and did not work as well. I compared. The clone must have had capacitive coupling or something, since signals were often slightly delayed in unpredictable ways. Eg, a bit here and there could be shifted early or late, which is kind of bad when you work on protocols or timing.


Almost all my friends in France have an old ISP modem router that their former ISP did not bother getting their hands back onto when they changed providers.

I would love to repurpose them. Where do I start?


Check whether an alternative firmware already exists (e.g. OpenWrt or DD-WRT).

https://openwrt.org/toh/start


This is a good article that covers the basics of looking for a UART debug port that could be used as a way to get some low level access to the router and go from there:

https://www.riverloopsecurity.com/blog/2020/01/hw-101-uart/


Try to identify a serial port on the PCB, connect a serial adaptor to it (careful to get the pins and voltage right!) and take it from there

(Edit: or google the PCB board markings, maybe somebody already did this)


Finding the JTAG port is also useful, combined with something like OpenOCD.


Is there anything that can be done with unused Roku boxes? I have a Roku Ultra 4k that I'd love to install open source software onto.


I made a similar write up on running mainline Linux on a similar device a few years ago. Interesting read though.

https://codedbearder.com/posts/mainline-linux-on-tx3-mini/


Very interesting writeup, bookmarked! I wish there was a community willing to reverse engineer those very cheap DVR/NVR video surveillance boxes and boards sold on Ebay and Aliexpress. They have USB, SATA, some GPIOs and quite fast ADC chips on board to achieve high definition video sampling so they could be repurposed for various uses like SDR. They already run Linux inside, although it is predictably tightly closed, not updated security-wise and often phones home to Chinese servers, so reverse engineering them would be worth beyond mere hacking.

Here's one of these boards, just search for "ahd dvr board".

https://www.aliexpress.us/item/3256804455950963.html


Do you happen to know other specs on these or similar? (Eg, CPU type/speed, RAM etc)


Not much info unfortunately. Some of them apparently use a HiSilicon (owned by Huawei) chipset; the following Alibaba page lists some of them among others.

https://www.alibaba.com/countrysearch/CN/dvr-motherboard.htm...

Here are a few pages I found that could turn out interesting:

https://securitycamcenter.com/firmware-chinese-dvr-nvr-secur...

https://github.com/hisilicon

And as widely reported, they're quite vulnerable.

https://github.com/tothi/pwn-hisilicon-dvr

https://www.exploit-db.com/exploits/44004

I wonder if those vulnerabilities could be used to gain root access to the hardware in order to either patch it and make decent security devices, or repurpose them completely, as the hardware is interesting and dirt cheap.


Most interesting, thank you.

These may have an ARM Cortex A7 dual-core at 1.3GHz according to this datasheet for the HiSilicon hi3520dv400 (the 4 channel version):

http://wangxunic.com/wp-content/uploads/2019/05/Hi3520DV400....

Not bad at all. And with DDR3.


I started down a similar path for a Lorex NVR, amusingly it brings out its serial port to a physical DB9 on the back. Trivial to get it into the uBoot prompt and start dumping its flash. Annoyingly it has a hardware watchdog that reset the machine every minute or so unless it's in the OS. I didn't feel like figuring it out so I wrote a quick script that dumped a few hundred K, waited for machine reset, re-entered u-boot, and kept dumping.

Ultimately I decided to work on something else as I have plenty of more interesting hardware hacking projects to work on, but it was fun practice to overcome the watchdog.
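
The chunked dump described in the comment above leaves several console captures that have to be merged afterwards. As an added example (not the commenter's script and not code from the article), this Python code stitches U-Boot `md.b` captures into one image and reports what still has to be re-read; the `md.b` row layout, the addresses and the sample captures are assumptions constructed for illustration.

```python
"""Stitch a memory image from several U-Boot `md.b` console captures.

Assumes the usual row layout: "ADDRESS: 16 hex bytes    16 ASCII chars".
"""
import re

ROW_LEN = 16
ROW = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{2}){16})    (.{16})$", re.I)


def ascii_column(data):
    """Text column as md prints it: printable ASCII kept, the rest '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_rows(capture):
    """Return {address: bytes} for every intact row in one capture.

    Banners, prompts and a row cut off by the reset do not match ROW. A row
    whose hex and text columns disagree was damaged on the wire and is
    dropped, so it gets dumped again rather than trusted. That check cannot
    see damage between two non-printable values; overlapping reads can.
    """
    rows = {}
    for line in capture.splitlines():
        m = ROW.match(line)
        if m:
            data = bytes.fromhex(m.group(2))
            if ascii_column(data) == m.group(3):
                rows[int(m.group(1), 16)] = data
    return rows


def stitch(captures, base, size):
    """Merge captures covering [base, base + size), size a multiple of 16.

    Returns (image, missing, conflicts). missing is a list of
    (start_address, length) ranges still to dump; conflicts lists rows that
    two captures read differently. Unread bytes are left as 0xFF.
    """
    image, seen, conflicts = bytearray(b"\xff" * size), {}, []
    for capture in captures:
        for addr, data in parse_rows(capture).items():
            off = addr - base
            if off < 0 or off + ROW_LEN > size or off % ROW_LEN:
                continue  # outside the requested window
            if seen.setdefault(addr, data) != data:
                conflicts.append(addr)  # keep the first reading, flag the row
                continue
            image[off:off + ROW_LEN] = data
    missing = []
    for addr in range(base, base + size, ROW_LEN):
        if addr in seen:
            continue
        if missing and sum(missing[-1]) == addr:  # extends the previous gap
            missing[-1] = (missing[-1][0], missing[-1][1] + ROW_LEN)
        else:
            missing.append((addr, ROW_LEN))
    return bytes(image), missing, conflicts


def fake_md(base, data):
    """Render bytes the way `md.b` would; only used to build sample input."""
    out = []
    for off in range(0, len(data), ROW_LEN):
        row = data[off:off + ROW_LEN]
        hexes = "".join(" %02x" % b for b in row)
        out.append("%08x:%s    %s" % (base + off, hexes, ascii_column(row)))
    return out


# Constructed sample: a 96-byte region dumped in two interrupted sessions.
BASE = 0x01000000
FLASH = bytes((i * 7 + 3) & 0xFF for i in range(96))
_r = fake_md(BASE, FLASH)
# Session 1: rows 0-2 intact, row 3 cut mid-line by the watchdog reset.
SESSION_1 = "\r\n".join(["=> md.b 1000000 60"] + _r[:3] + [_r[3][:31]])
# Session 2: restarts at row 2; row 4 arrives with one byte damaged (25 -> 35).
SESSION_2 = "\r\n".join(["U-Boot (constructed banner)", "=> md.b 1000020 40",
                         _r[2], _r[3], _r[4].replace(" 25 ", " 35 ", 1), _r[5]])

if __name__ == "__main__":
    image, missing, conflicts = stitch([SESSION_1, SESSION_2], BASE, len(FLASH))
    for start, length in missing:
        print("still to dump: md.b %x %x" % (start, length))
    print("conflicting rows:", [hex(a) for a in conflicts])
```

Overlapping each new session with the last rows of the previous one is what lets `conflicts` catch damage the text-column check misses.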


I love these kinds of writeups, thank you!

How did you determine what addresses to read things into? (the chainloaded bootloader, then its initrd/ FDT / etc.).


Mainly by looking at what addresses the original bootloader loads them into. The addresses don't matter too much, as long as you load them into valid memory, since for most you pass a reference to them anyway in later steps.


Thanks for your response!

I'm a hobbyist that's been tinkering with uboot now and again for years and can never figure out the right addresses for stuff, or where / how to learn this.

I assume this memory is subsequently released for the OS? Or does the OS just work around it?

Are you hobbling your runtime experience in some way if you load to the wrong address?


This is raw memory, so the concept of malloc/free does not really exist: the OS will just overwrite the data.

I think (not entirely sure) that the kernel gets relocated to a more or less fixed address in memory anyway, this won't affect your runtime experience.


I've worked with STB hardware before and they usually suck. The processors that I worked with were all from MIPS and it felt like all useful instructions were removed, except for the bare basics. Forget anything related to vectorization, for example. They were painfully slow.


These boxes generally utilize stock Cortex A53/A55 which are quite good IMO.


"Good" as in they can do anything slowly. A7x boxes won't struggle.


Exactly. A53 cores are efficiency cores designed for non-intensive background tasks in phones to save battery.

The only decent cpu atm that will eventually show up in TV boxes is the Rockchip Rk3588, but they aren't as cheap as some old s905x chips, and software support is very early days, so it will be a while before we see them in any android tv boxes.

The key does seem to be you need at least a quad-core of high-efficiency cores. The Nvidia Tegra X1 found in the Nvidia Shield and Switch runs fine even though it has even older A57 cores (predecessor to the A72). Compare this to rockchip's last-gen Rk3399, which only has 2x A72 cores (and 4x A53 cores) and is pretty slow compared to a Rpi 4 (but that could also be because of crap software support on the Rockchip side)


Good as in they implement the ARMv8 architecture fully unlike the crippled cores parent comment was talking about, also being more powerful because they're still 4-cores, GHz CPUs while the MIPS parent was talking about probably only had 1-2 core(s) and low 3-digit MHz clock speed.


Excellent work once again. Would have loved to find something like this when I was a student... back when computers occupied entire desks.

This seems similar, if not identical, to the free streaming box I told Xfinity they could keep. Might go revisit that decision now.


Really interesting writeup. Might be fun to try something similar with some old devices I have.


It's on my bucket list of things to do, because here in the UK there are plenty of TalkTalk Youview (Huawei DN372T) TV boxes with 320GB hard drives that overheat and hang with the last official update from Youview and despite asking there is no way to revert these back.

However with so many being available on Ebay et al and the HD-less (DN360T) forcing people onto streaming services, I think it's only right to reprovision these to work in a hive networked manner with external storage so people can store as much broadcast footage as they have storage for, and stream from any device.

Being an early adopter of Media Portal over a decade ago, but finding it impossible to secure Windows even back then despite only using it for satellite transmissions, I think Linux should receive more attention now.


Has anyone ever tried to find out how one can connect to the TV servers and how the DRM works? In the EU you’d be allowed to get the keys from the provider.


Sometimes it is just an app that knows where the streams are, and sometimes there is a device attestation certificate burned into a TPM. The latter you are probably not going to hack, and even if you could, the various pirate IPTV providers will provide it for less cost if you value your time at minimum wage.


You don’t need to hack things, the providers are required to cooperate. I just wonder if anyone has tried to actually do it.


I love this article so much for some unknown reason. Hacking should be praised! Amen


Nice. Repurpose and reuse for when these things get thrown away next year.


yes but have you ported doom to its handheld controller?


It's impressive that a set-top box can be turned into a Linux Computer. I feel with such a reality like that any electronic device, if it has the right components, can run linux, like how Doom is used as the base case.


I struggle to think of what purpose a device that wasn’t meant to be a Linux computer would realistically serve beyond nefarious goals.


(author here) We use the device instead of a Raspberry Pi, not for anything too serious: we attached it to a screen and have a small server running with an API where you can write single pixels into the framebuffer (a bit like /r/place)


Ironically, the Raspberry Pi started as a failed set-top box.


I always thought that SoC was wildly popular.


It is, because Broadcom had a surplus of them and couldn't get anyone to adopt it for a streaming device. So an enterprising Broadcom FAE decided to turn it into an "educational" Linux desktop device.

The "wildly popular" part came when people realized BRCM was dumping these boards cheaper than any existing Linux SBC at the time. The educational angle is long gone.


The educational angle is far from gone. The Raspberry Pi Foundation handles that part of it now.

https://www.raspberrypi.org

I would agree that most of the Pis sold are not used for education, but that doesn't diminish their importance in that area.


The education part continues. Raspberry Pi continue to make teaching materials, run training etc. I think the focus is the UK.


Pretty much any device like these (as well as most modern TVs with network ports) can probably be turned into computers or, at least, X terminals.


This is an ethically neutral activity. The mere act of transforming a device into such a computer doesn't add or remove any nefarious goals, if you have those goals, you can get another device intended to be a Linux computer and still accomplish them (and it would be much easier). If the transformation is done in contravention of the owner, it's bad, but it sounds like from the article that the ISP has written it off and in any case, they say they are doing this nondestructively.


I'd argue 100% ethically positive; it's the sprinkling of unnecessary devices by companies that's the negative.


In a worst case scenario the company (so-called "owner"), will just charge you for its replacement. Since it was well calculated that

a) the box was useless and

b) would never be asked for again and

c) (as I've said) would just be charged a certain amount for non-return...

I hardly see how it's an ethical activity. If the owner was one person that was needing this device -- fine. But this is just a company doing business...


On the contrary, I struggle to think of "nefarious" goals.


Many of these SBCs are programmed in stupid ways. For example, there was a whole subforum on a popular Dutch site that was shut down because it turned out the way ISPs make you pay for premium channels is to... not encrypt them in any special way and hide them in the front end. This was all configured through a JSON file over an unencrypted protocol. The whole project began because people wanted to record their shows onto the disabled USB drive, and ended up exposing trivial ways to get around subscription limitations.

People immediately MitM'd these devices to get unlimited free bonus stuff, and the forum was copyright struck to hell.

These devices are programmed so badly that once you give any user any modicum of control over them, you can bypass almost every restriction your TV provider can think of. Modify one or two files and you've got an excellent piracy box.

Personally, I think this whole situation is terrible and I think that it's up to providers to fix their shitty DRM, but legally speaking these boxes don't become your property.


Do you have the name of the forum maybe?


I have an android TV using armbian with a nextcloud instance, transmission, pydownloader, radarr and sonarr. I have another running a quake 3 server. They are cheap raspberry pi alternatives with a nice case and a very good power supply using 12v instead of 5v, which is more stable.


Very interesting, does the remote also work? How do you assess Linux compatibility of those boxes?


I just look for ones with a rk322x chip and use this image:

https://forum.armbian.com/topic/12656-csc-armbian-for-rk322x...


I don't know about supported video playback capabilities, but being a settop box under your own control is pretty good by itself. It can play back music, video, do light desktop duty -- any place you just need one or two browser tabs, it will probably work.


...to not have to throw it into a landfill? How's that not natural conclusion to you? It's in the title of article...


Running Linux is the goal. It might be useful if you want to drive a TV, say. And of course, since it already runs Android, it's pretty close to "intended to run Linux" to start with.


Plenty of applications for a Linux box that aren't "nefarious". Maybe digital signage, or backup server, to name two.


Getting a cheap NAS.


Or, if you manage to get a dozen, it can become an educational cluster where students can get hands-on experience with managing computer clusters.


Entirely correct, although I question the value of investing time with such a goal in mind when ex-corp laptops, desktops, and thin clients are available, inexpensive, likely more powerful, and require no hackarounds to be serviceable Linux systems. I feel an effort like this should be enjoyed for its hack value, rather than for any potential practical purposes.


If you get one model up and running, getting a couple dozen of them up and running is easy. 2GB and 4 cores per node is not too shabby either. My last Pi-based cluster has Pi Zeros as nodes, with single puny core with a very minimal 512MB per node.


less e-waste. If you cared enough about our planet, you'll know that



