Cisco CIS430



Konrad
01-26-2013, 02:30 PM
I've been eyeing my Telus Optik HD (IPTV) box for a little while now.


It won't do anything, won't even play stored content, until it connects to the Telus network.
It stores stuff with some proprietary file system in encrypted nonsequential 1GB chunks, it's a DRM thing. It has a noticeable hit on internal HDD performance. I'm convinced that it's broken a few of my recorded shows.
I've learned that my provider (Telus) intermittently alters or erases my "permanently" stored content.
The device has a nice front-mounted USB port which seemingly does nothing (unpowered, no matter what you plug in).
The thing overheats badly. Cheap minimal power/thermal engineering, just like an XBox. My first CIS430 box actually cooked to failure during the summer, I've kinda propped this one up on a couple books to open some airflow, although it sometimes gets pretty warm - even when turned off.


Telus basically owns the units and leases them for about $5-$15 per month (depending on billing package), or sells them upfront for $250. I've frequently seen them on craigslist for dirt cheap, since the units are "useless" without being installed and configured by Telus techs, and Telus actually fines people who mess with their gear. And around here there really aren't any alternative providers (they all use the Telus infrastructure).

But I'm thinkin' DOCSIS, firmware, replace that piddly slow junk HDD with something manly, basically get rid of all that inconvenient performance/reliability-hitting DRM crap and make a friendly box which plays nice with my computer. And has decent cooling. I expect anti-tamper engineering to largely rely on consumer fear and ignorance, because (rebranded Cisco manufacturing aside) this thing was built cheap and it shows.

But before I start, does anyone know particular hack stuff about this device?

f8l_0e
01-28-2013, 01:17 AM
Best of luck to you. Content providers have the movie producers so far up their butts to make sure you can't do stuff like this. A couple of things I would imagine that you will find, if you get that far in the first place:

1. The processor ASIC on this thing (if you can find docs) probably requires a signed bootloader.
2. Even if sticking with original firmware the HDD can't be changed because it probably needs to be "blessed" like TiVo or Xbox HDDs and/or has some proprietary partition table and/or filesystem.
3. If you can replace the firmware on it, make sure you document the MAC address of the DOCSIS interface and make sure that you use it in the custom firmware if it isn't set at the hardware level, as Telus will use the MAC address to whitelist it to the network.

I don't mean to be a downer but unless you are some sort of uber hacker, I don't see it happening. If you still want to mess with it, I will do whatever I can to look for white papers on Telus's IPTV system and whatever ICs you find inside that box.

Another avenue of attack is an Xbox 360 with HDD and Live Gold. They are an approved device with Telus. The processing power and amount of RAM might solve your playback issues. As far as keeping recordings permanently, then you'd need to look into modding the Xbox in a way that prevents getting kicked off of Live. This might be easier to pull off than mucking with the Cisco.

Konrad
01-28-2013, 01:37 AM
I'm not an uber hacker in the sense of being able to decode every bit, block, and chip in the box. I'm not fanatical enough (and perhaps not knowledgeable enough) to pull out the full JTAG suite and scope down every undocumented opcode on every pin which generates a response. If I wanted to dedicate that much effort then I'd probably build my own digital TVR from scratch and just figure out how to spoof a whitelisted Telus ID.

But a lesser hacker (like me) can still use alternate approaches. There are PCB traces, data ribbons, wires, connectors, signal runs, lots of places to piggyback and circumvent ... the impossible-to-crack components can be left in place while their inputs and outputs are tapped. I could always just build a black box pass-filter of some kind which strips the yucky invisible DRM data from the output signal, then stick another black box in-line recording device; basically doing its own thing between the Telus box and television.

So it's really more a matter of doing it "elegantly", in a way which unshackles the existing hardware instead of adding more hardware. I mean ... they gave me a firmware-castrated USB port, it taunts me, c'mon! And what else can the box do that Telus has disabled? Alas, it seems impossible to purchase a CIS430 which hasn't been OEM branded (by Telus or someone else).

The great part is - unless I get into irreversible component-level soldering and modding - I can always reassemble the box, drop it on the floor, then call Telus for a free (if not necessarily prompt) replacement.

I haven't installed a console modchip for years, but my understanding is that the modern XBox is deliberately engineered in ways which make anti-DRM modding very troublesome, and difficult to pull off because the always-online thing keeps babysitting and updating stuff.

f8l_0e
01-28-2013, 04:09 AM
SoC powering the CIS430: http://www.sigmadesigns.com/products.php?id=59

The Sigma 8634 seems to handle everything important. It has an IDE controller so it probably accesses the drive directly so you can't intercept the data between the IP multicast and storage.

Optik TV uses Microsoft Mediaroom technology so you can look into whether anyone has figured out how to sniff the data from the network and decode it.

Konrad
01-28-2013, 04:39 PM
I've located a copy of the Cisco ppvUpdate utilities used (by Telus, etc.) to configure the CIS430 set top boxes. They sadly enable/disable any device features I like without the need for any exciting mods. (And no surprise that the Telus defaults gimped the box good, disabling and limiting every option they could find.)

I still plan on beefing up the cooling because this thing is seriously deficient. Looking deeper into this device, it's just too junky (and DRM-paranoid) to really be worth serious reverse engineering efforts. Defeating the specific encryption algorithm would be interesting but not worth the time since (now that I have the config utility) I don't need to actually build/mod anything which would use it. I suppose I'll have to strip DRM the old-fashioned way, through an analog or brainless digital device.

Next project, that persnickety DVD-ROM drive ... rotten little thing needs some new firmware, I think.

Konrad
01-28-2013, 07:49 PM
Plenty of sites like this: http://www.t-hack.com/wiki/index.php/Main_Page

And, interestingly, most of the code for SMP863x chips was developed and published under GPL, although Syaba/Sigma are currently being flamed by some Linux groups for claiming GPL privileges while holding out on chunks of source code. People want to emulate it on other parts.

Maybe this piece of junk is more interesting than I first thought.