Digital tuner reverse engineering


Hackaday alum [Ian Lesnet] tipped us off about some reverse engineering of the HVR-1600, an analog and digital television encoder/tuner. The project was spawned when [Devin] noticed his Hauppauge HVR-1600 didn’t tune channels in Linux quite as well as it did in Windows. He had a hunch this was due to improper initialization settings for either the tuner chip or the demodulator.

To fix this he used two test points on the board to tap into the I2C bus. Using a logic analyzer, he captured the command traffic on the bus while running Linux, then again while running Windows. By filtering the results with a bit of Perl and comparing them with diff, he tracked down the differences in the commands being sent by the two drivers. After a bit of poking around in the Linux source and making the necessary changes, he improved the tuning ability of the Linux package.

[Devin's] work looks simple enough, and it is. The difficult part of this process is being smart enough to know what you’re looking for, and what you’ve got once you’ve found it.
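The capture, filter and diff workflow described above, as an added example (Python, not Devin's Perl and not code from the original post): it strips timestamps from two logic-analyzer exports and reports which register writes differ between the drivers. The CSV export format, the device addresses and every byte value are constructed, and treating the first written byte as the register index is an assumption.

```python
import difflib

# Constructed sample captures (not real HVR-1600 traffic). Assumed export
# format: "timestamp_s,address,R|W,space-separated data bytes".
CAPTURE_WINDOWS = """\
0.001200,0x60,W,00 1f
0.001950,0x60,W,01 40
0.002700,0x60,W,0b c4
0.004100,0x19,W,03 00
0.004800,0x19,R,80
"""
CAPTURE_LINUX = """\
0.310000,0x60,W,00 1f
0.310800,0x60,W,01 40
0.312400,0x19,W,03 02
0.313000,0x19,R,80
"""

def normalise(capture):
    """Drop timestamps so timing jitter between runs never shows up as a diff."""
    out = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        _ts, addr, rw, data = line.strip().split(",", 3)
        payload = " ".join(f"{int(b, 16):02x}" for b in data.split())
        out.append(f"{int(addr, 16):#04x} {rw.upper()} {payload}")
    return out

def register_state(lines):
    """Last value written per (device, register); assumes byte 0 of a write is the register index."""
    state = {}
    for entry in lines:
        addr, rw, *data = entry.split()
        if rw == "W" and len(data) >= 2:
            state[(addr, data[0])] = " ".join(data[1:])
    return state

def compare(reference, candidate):
    """Map (addr, reg) -> (reference_value, candidate_value) for every mismatch."""
    ref, cand = register_state(normalise(reference)), register_state(normalise(candidate))
    return {k: (ref.get(k), cand.get(k))
            for k in sorted(ref.keys() | cand.keys()) if ref.get(k) != cand.get(k)}

if __name__ == "__main__":
    print("\n".join(difflib.unified_diff(normalise(CAPTURE_WINDOWS), normalise(CAPTURE_LINUX),
                                         "windows", "linux", lineterm="")))
    for (addr, reg), (win, lin) in compare(CAPTURE_WINDOWS, CAPTURE_LINUX).items():
        print(f"dev {addr} reg {reg}: windows={win} linux={lin}")
```

A register that only one driver writes shows up with `None` on the other side, which is the kind of missing initialization step the post describes hunting for.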

Comments

  1. polossatik says:

    what, no buspirate killed during this experiment?

  2. evaproto says:

    Ya I have a similar problem with my pvr-150. I ended up making a list of the channels in MHz and the offsets so it would tune right. However it wasn’t the same offset and it’s different for each channel.

  3. Josh Malone says:

    I had to do something very similar when working on a Linux driver for a video capture chip on a single-board computer… only I didn’t have a logic analyzer. It turns out the I2C communication was so slow that I captured it with my sound card and decoded the traffic visually in Audacity. I suspect the driver was actually bit-banging the I2C rather than using a real transceiver.

    Anyway – it worked and I figured out how to initialize the chip and got great results. But I sure wish I’d had a logic analyzer back then.

    -Josh

  4. tene says:

    “Perl” is a name, not an acronym.

  5. tj says:

    This has been going on for years with Linux and BSD kernel devs. It usually happens based on demand or personal necessity. You can see a lot of reversed stuff in driver packages.

  6. mars says:

    > “Perl” is a name, not an acronym.
    This.

    Yay, finally some real hacking!

  7. Lucas says:

    I am envious of this guy’s 1337 skills. That’s pretty awesome. This encourages me to learn more about hardware and such.

  8. Max says:

    Great post, would like to see more projects like this

  9. dan says:

    “The difficult part of this process is being smart enough to know what you’re looking for”

    I prefer: The difficult part is having enough experience to know what you’re looking for.
    Chalking it up to smarts just discourages folks who don’t yet know what they’re doing. I suspect this guy knows how to do a lot because he’s *done* a lot.

  10. Lucas says:

    “I prefer: The difficult part is having enough experience to know what you’re looking for.
    Chalking it up to smarts just discourages folks who don’t yet know what they’re doing. I suspect this guy knows how to do a lot because he’s *done* a lot.” ~ dan

    I completely agree with dan. It’s funny how things seem so overwhelming when you don’t know how it works but in reality it’s not all that hard.

  11. Mike Szczys says:

    @tene: You’re right, fixed.

  12. SheeEttin says:

    tene: according to Wikipedia, the name Perl was chosen in part to be expanded to many different things (practical extraction and report language, pathologically eclectic rubbish lister).

    Also, I’m still waiting for analog support on my HVR-1250. We were told it was “very soon” two years ago…

  13. Jack says:

    Maybe I’m confused, but doesn’t PERL stand for Practical Extraction and Report Language? Or am I missing a joke somewhere?

  14. Mein Senf says:

    This is just GREAT work!

    @Jack. The abbreviation from you for perl is right. Devin used I2C to extract data from the I2C-bus and “extracted and reported” the captured data with perl.

  15. Andrew says:

    I did this as well with an HDMI encoder. The BIOS would initialize it, Windows would re-init it but the BIOS mfg wouldn’t release info to make it work in Linux. I built an I2C bus interface and used a second computer to dump the chip contents once it was set up correctly at boot or during a video mode change in Windows, then correlated that with the tables provided by the HDMI tx manufacturer. We got HDMI output working in Linux shortly thereafter. :-)

  16. saimhe says:

    Still for me the most difficult part is to have a logic analyzer, or someone to borrow it from. Why buy one if it won’t be used as often as, say, a welding station or multimeter? :) Here we have completely different levels of _opportunity_: catching those raw bits with appropriate hardware that just happened to be available, vs. deducing Windows driver behavior from BPIOs in SoftICE (very unrewarding in this case, though a proper way sometimes). The software approach is far more available to anyone, legal things aside or not.

    @Josh: that’s just magnificent!

  17. Daniel Reetz says:

    Could Hack A Day please do some kind of Idiot’s Guide To i2c using the Bus Pirate? It would be awesome if you’d just grab a few electronics items off the shelf and show how to use the Bus Pirate to hack/analyze them, all the while illustrating i2c principles.

    I have a bunch of projects that could potentially employ my Bus Pirate, but could really use a walkthrough to getting things done.

  18. juancubillo says:

    now we’re hacking! :D

    @saimhe, you probably don’t use a logic analyzer much simply because you don’t have it. I used to say exactly what you are saying… until I got myself a cheap logic analyzer and a cheap scope from a garage sale… now I use them every time I can and they also helped me get into some new projects. Go ahead and buy one from say… eBay… one of the cheap USB ones. You’ll notice how much more you can do once you have proper tools.

    PS. I still love my $4 multimeter ;)

  19. Eric says:

    I agree with Daniel Reetz!

    As dan said, I’m pretty sure I’m smart enough to do lots of things, but since I haven’t done them yet I don’t know where to start :)

  20. natrix says:

    Awesome. A real hack, without using a silly Arduino! Great work!

  21. Clutchdude says:

    Awesome!

    I bought an HVR-1600 recently for MythTV and have been a little put off by its tuning.

    Thanks again Kernel labs for all you’ve contributed!

  22. Hmm, maybe this is why I use a PC, I don’t have to use a logic analyzer to get your tuner card to work :)

  23. Mike Szczys says:

    @The Cheap Vegetable Gardener: I’m not ‘trying’ to be a jerk here, but I use a PC as well. I just choose to use a superior operating system like Ubuntu because there are about fifty times as many things about those other operating systems that drive me crazy.

  24. @Mike Szczys, I understand you need to use the right tool for the job. I do like the option of modifying source and fixing problems instead of waiting for the next service pack, just no desire to do it. :)

    Less of an issue with Linux/Windows/Mac but more of the lack of testing or support on the peripheral side.

  25. tj says:

    So “real hacking” is anything involving reverse engineering?

    I like a lot of the non-reversing stuff here. This isn’t a reversing site, and hacking isn’t exclusively reverse engineering.

    This is cool and all but the ‘finally’ comments are kind of annoying. Are we going to hack banks across state lines next to appeal to this demographic? ^^

  26. therian says:

    STOP REFERRING TO WINDOWS AS “PC”
    It’s plain stupid and annoying, and to hear this on Hack a Day makes it 10 times worse. If you want to refer to an operating system, call it by its name, not hardware. By the way, Mac parts are made by the same manufacturer in the same factory as other Chinese junk hardware parts.

  27. realcomix says:

    I envy your skills!

  28. Ian says:

    @ Daniel Reetz & Eric – There’s a bunch of I2C demos in the ‘parts’ category:

    http://hackaday.com/category/parts/

    There should be one for an I2C EEPROM just like this one. You can also check the manual on the Google Code page.

  29. XD says:

    @therian True.
    @Natrix You made my day

    Like this project, maybe I start reverse engineering that ISA 3D card without a driver CD, and I need a logic analyzer… Thx hackaday “friends”.

  30. Eric says:

    @Ian, thanks! I’m still waiting for mine, I’ll make sure to check it out as soon as I receive it :)

  31. nyder says:

    Craigslist is your friend.

    I’ve picked up free working electronic items (oscilloscope, etc) from there.

  32. Manxtu says:

    Does anyone know of any code I could use to turn a digital tuner into a spectrum analyser – I’ve pestered Hauppauge and a few other companies but none are willing to let control codes for these tuners out – For the I2C part that’s well known but I’d love to control it by direct commands/code in Linux/Windows etc to provide the capability – i.e. put mixer in front of vcard and sweep frequencies and monitor level out.

    Mike
