Digital Tuner Reverse Engineering


Hackaday alum [Ian Lesnet] tipped us off about some reverse engineering of the HVR-1600, an analog and digital television encoder/tuner. The project was spawned when [Devin] noticed his Hauppauge HVR-1600 didn’t tune channels in Linux quite as well as it did in Windows. He had a hunch this was due to improper initialization settings for either the tuner chip or the demodulator.

To fix this he used two test points on the board to tap into the I2C bus. Using a logic analyzer he captured the command traffic from the bus while running Linux, then while running Windows. By filtering the results with a bit of Perl and comparing them with diff, he tracked down the differences in the commands sent by the two drivers. After a bit of poking around in the Linux source and making the necessary changes, he improved the tuning ability of the Linux package.
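An added example, not [Devin]'s Perl script: the filter-and-diff step described above, sketched in Python. The capture format, bus addresses and byte values are constructed for illustration, and treating the first byte of each write as the register index is an assumption about the target chip.

```python
import difflib

# Constructed sample exports (time_s,address,R/W,data); not real HVR-1600 traffic.
LINUX_CAPTURE = """\
0.000100,0x19,W,0x01 0x80
0.000450,0x19,W,0x0A 0x3C
0.000900,0x19,R,0x00
0.001300,0x19,R,0x00
0.001800,0x61,W,0x10 0x22 0x05
"""
WINDOWS_CAPTURE = """\
0.000120,0x19,W,0x01 0x80
0.000610,0x19,W,0x0A 0x7C
0.001000,0x19,R,0x00
0.001900,0x61,W,0x10 0x22 0x05
0.002400,0x61,W,0x14 0x01
"""

def parse_capture(text, writes_only=False):
    """Return 'ADDR RW DATA' strings; timestamps are dropped so jitter never shows as a diff."""
    out = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not fields[1].lower().startswith("0x"):
            continue  # skip blank lines, headers and malformed rows
        addr, rw = int(fields[1], 16), fields[2].upper()
        if writes_only and rw != "W":
            continue
        data = " ".join(f"{int(b, 16):02X}" for b in fields[3].split())
        txn = f"{addr:02X} {rw} {data}"
        if rw == "R" and out and out[-1] == txn:
            continue  # collapse repeated status polls, whose count varies per run
        out.append(txn)
    return out

def diff_transactions(left, right):
    """Return (tag, left_span, right_span) for each place the two sequences differ."""
    sm = difflib.SequenceMatcher(a=left, b=right, autojunk=False)
    return [(tag, left[i1:i2], right[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def changed_registers(left, right):
    """Compare the last value written per (address, register); byte 0 of a write is assumed to be the register."""
    def final(txns):
        rows = (t.split() for t in txns)
        return {(addr, d[0]): " ".join(d[1:]) for addr, rw, *d in rows if rw == "W" and len(d) > 1}
    a, b = final(left), final(right)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}
```

The sequence diff shows where the two drivers diverge in order, while `changed_registers` ignores ordering and reports only registers that end up with different values.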

[Devin’s] work looks simple enough, and it is. The difficult part of this process is being smart enough to know what you’re looking for, and what you’ve got once you’ve found it.

32 thoughts on “Digital Tuner Reverse Engineering”

  1. Ya I have a similar problem with my pvr-150. I ended up making a list of the channels in MHz and the offsets so it would tune right. However it wasn’t the same offset and it’s different for each channel.

  2. I had to do something very similar when working on a Linux driver for a video capture chip on a single-board computer… only I didn’t have a logic analyzer. It turns out the I2C communication was so slow that I captured it with my sound card and decoded the traffic visually in Audacity. I suspect the driver was actually bit-banging the I2C rather than using a real transceiver.

    Anyway – it worked and I figured out how to initialize the chip and got great results. But I sure wish I’d had a logic analyzer back then.

    -Josh

  3. “The difficult part of this process is being smart enough to know what you’re looking for”

    I prefer: The difficult part is having enough experience to know what you’re looking for.
    Chalking it up to smarts just discourages folks who don’t yet know what they’re doing. I suspect this guy knows how to do a lot because he’s *done* a lot.

  4. “I prefer: The difficult part is having enough experience to know what you’re looking for.
    Chalking it up to smarts just discourages folks who don’t yet know what they’re doing. I suspect this guy knows how to do a lot because he’s *done* a lot.” ~ dan

    I completely agree with dan. It’s funny how things seem so overwhelming when you don’t know how it works but in reality it’s not all that hard

  5. tene: according to Wikipedia, the name Perl was chosen in part to be expanded to many different things (practical extraction and report language, pathologically eclectic rubbish lister).

    Also, I’m still waiting for analog support on my HVR-1250. We were told it was “very soon” two years ago…

  6. This is just GREAT work!

    @Jack. The abbreviation from you for perl is right. Devin used I2C to extract data from the I2C-bus and “extracted and reported” the captured data with perl.

  7. I did this as well with an HDMI encoder. The BIOS would initialize it, Windows would re-init it but the BIOS mfg wouldn’t release info to make it work in Linux. I built an I2C bus interface and used a second computer to dump the chip contents once it was set up correctly at boot or during a video mode change in Windows, then correlated that with the tables provided by the HDMI tx manufacturer. We got HDMI output working in Linux shortly thereafter. :-)

  8. Still for me the most difficult part is to have a logic analyzer, or someone to borrow it from. Why buy one if it won’t be used as often as, say, a welding station or multimeter? :) Here we have completely different levels of _opportunity_: catching those raw bits with appropriate hardware that just happened to be available, vs. deducing Windows driver behavior from BPIOs in SoftICE (very unrewarding in this case, though a proper way sometimes). The software approach is far more available to anyone, legal things aside or not.

    @Josh: that’s just magnificent!

  9. Could Hack A Day please do some kind of Idiot’s Guide To i2c using the Bus Pirate? It would be awesome if you’d just grab a few electronics items off the shelf and show how to use the Bus Pirate to hack/analyze them, all the while illustrating i2c principles.

    I have a bunch of projects that could potentially employ my Bus Pirate, but could really use a walkthrough to getting things done.

  10. now we’re hacking! :D

    @saimhe, you probably don’t use a logic analyzer much simply because you don’t have it. I used to say exactly what you are saying… until I got myself a cheap logic analyzer and a cheap scope from a garage sale… now I use them every time I can and they also helped me get into some new projects. Go ahead and buy one from say… eBay… one of the cheap USB ones. You’ll notice how much more you can do once you have proper tools.

    PS. I still love my $4 multimeter ;)

  11. @The Cheap Vegetable Gardener: I’m not ‘trying’ to be a jerk here, but I use a PC as well. I just choose to use a superior operating system like Ubuntu because there are about fifty times as many things about those other operating systems that drive me crazy.

  12. @Mike Szczys, I understand you need to use the right tool for the job. I do like the option of modifying source and fixing problems instead of waiting for the next service pack, just no desire to do it. :)

    Less of an issue with Linux/Windows/Mac but more of the lack of testing or support on the peripheral side.

  13. So “real hacking” is anything involving reverse engineering?

    I like a lot of the non-reversing stuff here. This isn’t a reversing site, and hacking isn’t exclusively reverse engineering.

    This is cool and all but the ‘finally’ comments are kind of annoying. Are we going to hack banks across state lines next to appeal to this demographic? ^^

  14. STOP REFERRING TO WINDOWS AS “PC”
    It’s plain stupid and annoying, and to hear this on Hack a Day makes it 10 times worse. If you want to refer to an operating system, call it by its name, not hardware. By the way, Mac parts are made by the same manufacturer in the same factory as other Chinese junk hardware parts

  15. Does anyone know of any code I could use to turn a digital tuner into a spectrum analyser – I’ve pestered Hauppauge and a few other companies but none are willing to let control codes for these tuners out – For the I2C part that’s well known but I’d love to control it by direct commands/code in Linux/Windows etc to provide the capability – ie put mixer in front of vcard and sweep frequencies and monitor level out.

    Mike
