Topic: Working on unbricking the HID-B7 / B70

Hello,
  I love my Infocast 8, and the Chumby hardware, the folks keeping Chumby running are awesome.

In pricing out an Infocast for my wife, I was surprised to discover the value has gone up, since they
can be made operational via Chumby.com (I scored mine cheap on Craigslist, during a time when Chumby
had ceased, but before Duane[? I think] got the services back).

Then I read that the Dash can be chumbified, so I ordered the cheapest one I could find on fleabay, without
doing enough research first. Of course, I got a nice HID-B7 brick.

After scrounging through Sony Community, the forums here, reddit, and slashdot (which pretty much constitutes
all there is on this thing [except some XDA forums tidbits), I've learned that:
1) It was the C10 that was ...breached
2) Sony has effectively blacked out as much as they could on the device, and people are being asked to return their units
to get garbage-tier parting gifts
3) There are people working on the B7(0)s, but they've been hampered.

I did manage to find the following:
- All the GPL sources they released for the B7
- A similar board support / OS  package generator for a similar product from a different company, that fills in the some of the operational
gaps from the above material.
- The update.zip for the C10 ssh kludge
- The last good (1.7.1526) update.zip for the C10
- A 'TVID Upgrading Mode'

What I don't have is:
- a good idea of the B7 memory layout (flash/mtd & ram)
- the Sony encryption key to generate signed update images
- any update.zip 's for the B7
- any idea what TVID is; search engine queries lead off on unrelated tangents

So, if anyone with any additional information wants to contact me via PM, perhaps we can share resources and get the B7 unbricked.

Re: Working on unbricking the HID-B7 / B70

Oops, just realized there's no PM and I have 'allow email from forum' disabled.
I can be reached at tarkin000 AT mail DOT com, or if people / admins feel that is a scam,
I will enable mail-from-forum.

To be clear, I am NOT asking for:
-Sony encryption keys
-help disseminating Sony intellectual property

I am investigating a device I own for research purposes and would like to compare notes with someone doing the same.

Re: Working on unbricking the HID-B7 / B70

I really hope someone will succeed and we will be able to bring B7s back to life

Re: Working on unbricking the HID-B7 / B70

Miracles just take time.

Re: Working on unbricking the HID-B7 / B70

demarks51 wrote:

Miracles just take time.

Not sure if Chumby's team were able to make any progress at all however Christmas is coming, so you never know :)

6 (edited by Geaux Tigers 2018-01-14 17:06:42)

Re: Working on unbricking the HID-B7 / B70

I also hope you are able to make the older Dash's compatible with Chumby. Is there any update regarding this?

Re: Working on unbricking the HID-B7 / B70

Hello!

I'm working on trying to crack the HID-B70 nut too!  Right now, I own five worthless Sony Dash HID-B70s that I would love to Chumbyize.

I'm fairly new at this, so bare with my stupid questions, please!  smile  So, I'm dabbling with Kali Linux and I setup a private network for which I connected a HID-B70.  The HID-B70 grabbed an IP address, and while watching the traffic on Wireshark, I expected to see network traffic where the HID-B70 would try to call back to some IP address during the authorization process.  Nothing!  I also ran an NMAP scan, and there doesn't appear to be any open ports.  Any progress or suggestions out there that I may try?

As the final knife in the Dash, did Sony push a firmware update that bricked the HID-B70?  If so, does anyone have a copy of the last known good firmware update?

Thanks!
Joe

Re: Working on unbricking the HID-B7 / B70

Duane must be covered up at work. Seems like there were some serious problems with the b7/70s.

Re: Working on unbricking the HID-B7 / B70

I am indeed working today.

I don't think Sony released an update that would brick B7/70's - they're very likely running the last official release.

You should be seeing some attempts at secure traffic to Sony's servers upon startup, but I don't know enough about the B7/70 firmware to know for sure.  Unlike the C10, we had absolutely no involvement with the development of the B7/70.

Re: Working on unbricking the HID-B7 / B70

I can confirm there were no SW upgrades for B7. It still works in a night mode. It is definitely attempting to connect to the sony's server at startup as I was able to make it 'work' in a night mode by blocking dash's mac address on my router.

Re: Working on unbricking the HID-B7 / B70

Hello,
Suddenly my HID-B70 decided to firmware upgrade on it's own today. I'm very sad (seriously). It's in a continuous "Authorizing" state now [or I can shut it off]. Please help!

Re: Working on unbricking the HID-B7 / B70

solugi wrote:

Hello,
Suddenly my HID-B70 decided to firmware upgrade on it's own today. I'm very sad (seriously). It's in a continuous "Authorizing" state now [or I can shut it off]. Please help!

The Sony servers are permanently off-line. Nobody has been able to hack their way into a B70 yet. I am not sure what help can be provided. The B70 may be unbricked some day so I would not toss it in the bin yet. I suggest you put it in a closet, in a garage, someplace out of the way. Maybe pick up a Chumby or Infocast 10 for now. They are available fairly cheaply these days.

Tar, feathers, congress. Some assembly required.

Re: Working on unbricking the HID-B7 / B70

So while messing with my B70 (ordered a c10 on the bay and was sent a b70) I've noticed it's pretty useless as is.

While trying to connect to wifi it pushes me to a screen to sign in to said wifi much like if I was at a hotel. I'm wondering if anyone has tried to use a custom dns server to trick it to loading a webpage that could potentially lead to being somewhat functional.

Also, if anyone knows roughly how the wifi connection command is executed it might be possible to enter a custom SSID that will allow us to break free or at minimum enable sshd etc.

Thoughts? I know we are blind to the device right now but I'd like to see this thing get cracked. I'm gonna take it apart later today and look for some sort of console access.

Re: Working on unbricking the HID-B7 / B70

I am not sure which model this is or how similar the different Dash models are, but here is a teardown of a Sony Dash. Hope this is helpful.

http://cubiclegnome.blogspot.com/2011/0 … lysis.html

Tar, feathers, congress. Some assembly required.

15 (edited by demarks51 2018-08-15 08:22:15)

Re: Working on unbricking the HID-B7 / B70

As you can read in previous post by Duane, Chumby had none or little to do with the B7/70 production. Sony was trying to improve from the C10 and it actually was more Sony exclusive than previous model. Maybe you can crack this case. There would a few that would be happy to hear that. I think there is a key, but if it still exists, Sony has locked it up in their archives. Seems like they would love to let their former loyal customers have the joy of their Dashes again. Here's hoping you succeed.

Almost positive the above tear down is on a C-10. B7/70 had an on/off button and looked similar but not exactly like the previous model. Also, B70 had a 60 minute life battery back up.

Re: Working on unbricking the HID-B7 / B70

Thanks for the info Dennis. I have not seen a Dash in person and have no idea about the differences in models. As for Sony, they have a long history of treating their customers poorly. They would much rather see all of the Dashes in a landfill before they would hand over the keys that would allow their customers to continue to use their devices.

Tar, feathers, congress. Some assembly required.

17 (edited by outkastz 2018-08-21 10:54:10)

Re: Working on unbricking the HID-B7 / B70

I'm not allowed to post any (clickable) links but I did take some pictures of the internal hardware. My USB UART won't arrive until Friday so maybe I'll be able to do something on Monday.

https://ckb3.com/chumby/front.jpg
https://ckb3.com/chumby/back.jpg

Any ideas? I'm willing to try whatever as this is just a brick. Need any additional pics, just ask. This is of the HID-B70

18 (edited by demarks51 2018-08-17 08:45:49)

Re: Working on unbricking the HID-B7 / B70

If you can send a link to a google photos or the like we can see it. I have not figured out how to post pictures on the post.

Link to a picture of a B70. https://www.bhphotovideo.com/c/product/ … Clock.html
Notice right side on/off switch

19 (edited by outkastz 2018-08-20 09:11:31)

Re: Working on unbricking the HID-B7 / B70

on JP1 (by the wireless card) I was able to gain a serial connection to the device. With wireless card on the right working left to right

Pin 1 - 3.3v
Pin 2 - RX
Pin 3 - TX
Pin 4 - Ground

Baud rate of 115200bps

I'll let you know if I can get anywhere with this.

Re: Working on unbricking the HID-B7 / B70

On boot this is the read out

Wait..............
Unable to connect: Network interface never connected

[  127.420000] wl_iw_ioctl: error in cmd=8b03 : not supported
[  127.450000] wl_iw_ioctl: error in cmd=8b09 : not supported
<network>
        <interface if="wlan0" up="true" link="false" gateway="">
                <stats rx_bytes="1160" rx_packets="20" rx_errs="0" rx_drop="0" r                                          x_fifo="0" rx_frame="0" rx_compressed="0" rx_multicast="0" tx_bytes="0" tx_packe                                          ts="0" tx_errs="0" tx_drop="0" tx_fifo="0" tx_colls="0" tx_carrier="0" tx_compre                                          ssed="0" wifi_link="5." wifi_level="-256." wifi_noise="-92." />
                <error>wlan0 link is down</error>
                <error>failed to obtain IP address</error>
                <error>internet is unreachable</error>
        </interface>
<configuration " key="" en                                          coding="hex" auth="WPS" encryption="PBC" ssid="" allocation="dhcp" hwaddr="00:00                                          :00:00:00:00" nameserver2="" nameserver1="" gateway="" netmask="255.255.255.0" i                                          p="" type="wlan" />
</network>
Network is down.  Network time not updated.
crond[431]: crond: crond (busybox 1.17.3) started, log level 8
[iconcnt] playlogo counter 10
cat: can't open '/etc/firmware_build_type': No such file or directory
[  131.690000] wl_iw_ioctl: error in cmd=8b03 : not supported
[  131.710000] wl_iw_ioctl: error in cmd=8b09 : not supported
NERWORK_ERROR  <error>wlan0 link is down</error> <error>failed to obtain IP addr                                          ess</error> <error>internet is unreachable</error>
start controlpanel: /psp/yume_cp.swf -dbuiltin=1 -dforce_update=1 -Q -x 860 -y 4                                          80 -m 900 -E /psp/cacert_new.pem
[  134.140000] [dlMalloc] 1898
[  134.410000] [dlMalloc] 1898
[  134.500000] [dlMalloc] 1898
[  134.510000] [dlMalloc] 1898
[  134.670000] [dlMalloc] 1898
[  134.760000] [dlMalloc] 1898
[  140.060000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [1]
[  142.030000] sync process detected.t[14203]
[  142.310000] flush work buffer because sync_detected. sync_detected[1], do_syn                                          c_req[4], t[14231]
[  142.320000] flush work buffer spend time. t[0]. sync_detected[1], do_sync_req                                          [4]
[  143.950000] wl_iw_ioctl: error in cmd=8b03 : not supported
[  144.000000] wl_iw_ioctl: error in cmd=8b09 : not supported
[  144.980000] [dlMalloc] 1898
[  145.000000] PPU open
[  145.000000] [gp_enable_clock][1200] run, clock_name=[READLTIME_ABT]
[  145.000000] [gp_enable_clock][1200] run, clock_name=[PPU_FB]
[  145.020000] [gpHalPPUEn][166]
[  145.020000] [dlMalloc] 1898
[  145.020000] [dlMalloc] 1898
[  145.040000] [dlMalloc] 1898
[  145.040000] [dlMalloc] 1898
[  145.040000] [gp_enable_clock][1200] run, clock_name=[2DSCAABT]
[  146.330000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [1]
[  146.390000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [3]
[  146.800000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [4]
[  147.310000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [4]
[  147.780000] [dlMalloc] 1898
[  147.780000] [dlMalloc] 1898
[  148.650000] wl_iw_ioctl: error in cmd=8b03 : not supported
[  148.670000] wl_iw_ioctl: error in cmd=8b09 : not supported
[  150.850000] [tmalloc_large] 1649
[  150.860000] [dlMalloc] 1898
[  150.980000] [tmalloc_large] 1649
[  150.990000] [dlMalloc] 1898
[  153.060000] flush work buffer spend time. t[0]. sync_detected[0], do_sync_req                                          [1]
[  172.310000] sync process detected.t[17231]
[  172.360000] flush work buffer because sync_detected. sync_detected[1], do_sync_req[0], t[17236]
[  172.370000] flush work buffer spend time. t[0]. sync_detected[1], do_sync_req[0]
rtc sync
t=[946714733]
tm 100-0-1 0:18:53 dst:0
sync to rtc
crond[431]: crond: USER root pid 661 cmd /usr/chumby/scripts/hosts-update

Re: Working on unbricking the HID-B7 / B70

I was able to get a shell but this is where I slow to a crawl. Anyone have ideas?

Re: Working on unbricking the HID-B7 / B70

secure.footprint.net/bivl4-ww/static/updates/dashlite/firmware/1.8.50/DAL70V01.VUP this is what we were needing to play around with but it's obviously not there :-/

Re: Working on unbricking the HID-B7 / B70

If you put a USB drive in the device, can you see if it mounted?

24 (edited by outkastz 2018-08-20 11:54:32)

Re: Working on unbricking the HID-B7 / B70

It did mount. I'm copying the file system. I was able to update busybox :-)

Re: Working on unbricking the HID-B7 / B70

OK, what is the mount point for the USB (probably something with "media" in the path)?