SageTV acquired by Google

[SWKerr]

Quote:

Originally Posted by Narflex

Don't waste your time. You won't be able to get it to work. Even if you had the identical hardware manufactured and put identical firmware on it; it still would not work. We're smarter than that. (just trying to save people from spending a lot of time trying to get that to work and failing)

You know they will just take this as a challenge now don't you.

[pez]

Quote:

Originally Posted by SWKerr

You know they will just take this as a challenge now don't you.

The sigma SMP8654 (used in the HD300) has a dedicated security process that appears to sit behind a firewall. It also appears to have secure storage for keys (and possibly the program it runs) that only it can access. It is the traffic cop for boot loading (fw updates). The secure storage contains the keys to encrypt/decrypt and the public key of sagetv for authentication.

If Jeff is this sure, i would suspect that the sage servers authenticate firmware specific to each device. So unless you can get the keys from sage and also from the chip, that security process is not going to allow it to run. It shouldn't even allow it do be written to flash.

MS has a decent enough article on secure download boot loader here.

[wayner]

Quote:

Originally Posted by MitchSchaft

What a bunch of sell-outs. We are screwed, folks. Nothing good can possible come from this except for the owner making a lot of money from Google.

He could also make some additional pocket money selling remaining HD-300s at something north of $300 on eBay.

[Evil_Attorney]

Quote:

Originally Posted by pez

The sigma SMP8654 (used in the HD300) has a dedicated security process that appears to sit behind a firewall. It also appears to have secure storage for keys (and possibly the program it runs) that only it can access. It is the traffic cop for boot loading (fw updates). The secure storage contains the keys to encrypt/decrypt and the public key of sagetv for authentication.

If Jeff is this sure, i would suspect that the sage servers authenticate firmware specific to each device. So unless you can get the keys from sage and also from the chip, that security process is not going to allow it to run. It shouldn't even allow it do be written to flash.

MS has a decent enough article on secure download boot loader here.

But is this the same security mechanism that the WDTV Live Plus uses? I think the wdlxtv folks were able to break it.

[pez]

Quote:

Originally Posted by Evil_Attorney

But is this the same security mechanism that the WDTV Live Plus uses? I think the wdlxtv folks were able to break it.

The features are there in the chip. WD does not need to use those features or they only half heartedly used them on the WDTV. Jeff probably used them fully because he had more to protect.

If you're more interested in security look up a guy named Bruce Schneier. He's written a few books on the subject.

Now I don't know what is actually in the 8654 as i couldn't find the spec. But it is an older chip. So if it doesn't implement SHA256, it may be vulnerable. But it would be unlikely that it could be exploited to create a usable piece of firmware that would authenticate correctly. And even then I believe you would have to break it for each device separately.

The only hope is to find a hole in the implementation because there isn't one in the method (that I know of).

[jptheripper]

Since the wdtv live plus is already hacked, cheap (<$90) and runs linux, wouldnt it make more sense to try to run the linux client on it?

[ThePaladinTech]

And wouldn't it make more sense to discuss this on this thread?
http://forums.sagetv.com/forums/showthread.php?t=56134


We don't know all the details about how people are hacking the WD unit - perhaps they are only modding the existing code or something that allows the security to 'pass' , or perhaps WD didn't implement it as securely as mentioned above.

Does anyone think we could get the linux placeshifter client going on a WD live? and from my questions in other topics, would it even be worth it?

[drewg]

Quote:

Originally Posted by ThePaladinTech

Does anyone think we could get the linux placeshifter client going on a WD live? and from my questions in other topics, would it even be worth it?

Not the "normal" miniclient, as it is for a totally different CPU arch (x86 vs mips). The only thing that has a hope to run is the client from the hd300, but Jeff says this would be impossible..

Drew

[reggie14]

Quote:

Originally Posted by pez

Now I don't know what is actually in the 8654 as i couldn't find the spec. But it is an older chip. So if it doesn't implement SHA256, it may be vulnerable. But it would be unlikely that it could be exploited to create a usable piece of firmware that would authenticate correctly. And even then I believe you would have to break it for each device separately.

I don' t know what security features are present in the Sigma chipsets, but I can tell you the crypto algorithms are unlikely to the weak link. You could do digital signatures (or just hashes) with SHA-1 without a practical problem- heck, you could probably do signatures with MD5 without a problem.

Generally speaking, a cryptographic exploit along the lines that you seem to be describing would require a second preimage attack on the hash function. SHA-1, MD5, even MD4 are all relatively safe if all you need is preimage resistance. Collision resistance is much tougher to get.

[lfilomeno]

Quote:

Originally Posted by wayner

He could also make some additional pocket money selling remaining HD-300s at something north of $300 on eBay.

That is exactly my train of thought; If it is going to be difficult to port-over the extender firmware to other available boxes, then why not sell the extender stock they have available? The same way they make the Sage "exe's" available to license users should be done with the extenders! C'mmon Jeff!

[lfilomeno]

Quote:

Originally Posted by Narflex

Don't waste your time. You won't be able to get it to work. Even if you had the identical hardware manufactured and put identical firmware on it; it still would not work. We're smarter than that. (just trying to save people from spending a lot of time trying to get that to work and failing)

Jeff,

Save us the grief then! Give us access to purchase the extenders!

[n9cqs]

Quote:

Originally Posted by lfilomeno

Jeff,

Save us the grief then! Give us access to purchase the extenders!

I second that. An "amnesty" period to purchase extenders, licenses and such is not going to cut into Google's purchase one bit. My guess is that the Google use of Sage (whatever it may be) will appeal to a very different audience than the current SageTV base.

[BobPhoenix]

I think they need what they have for warranty replacements. They might sell the remaining stock in a year but not before.

[frontlinegeek]

Quote:

Originally Posted by BobPhoenix

I think they need what they have for warranty replacements. They might sell the remaining stock in a year but not before.

That may be true to an extend but they must have had to order enough to cover what sales they originally forecast. Release those for purchase by us that want them.

Or a better idea for them would be to put up a survey that requires the use of something unique to vote with so that we can indicate to them how many HD300s we want to buy. I want one more but procrastinated one week too long.

[lfilomeno]

Quote:

Originally Posted by frontlinegeek

That may be true to an extend but they must have had to order enough to cover what sales they originally forecast. Release those for purchase by us that want them.

Or a better idea for them would be to put up a survey that requires the use of something unique to vote with so that we can indicate to them how many HD300s we want to buy. I want one more but procrastinated one week too long.

Agreed. In the mean time, I have a mini-itx board that will serve as a client for the time being. I have a client license that I used for testing purposes so it is time for it to joint the Sage network!

[BobPhoenix]

Quote:

Originally Posted by frontlinegeek

That may be true to an extend but they must have had to order enough to cover what sales they originally forecast. Release those for purchase by us that want them.

Correct but that is what they will use over the next year to fulfill waranty replacements. They don't want to have to order ANY more just to statisfy the waranty. Once the year has passed and they have some available they can sell them but not before.

Quote:

Or a better idea for them would be to put up a survey that requires the use of something unique to vote with so that we can indicate to them how many HD300s we want to buy. I want one more but procrastinated one week too long.

I want to replace the 3 HD200s I currently have but I was waiting until next Tax Refund time to do it. I thought HD400s might be out by then and I would be skipping the HD300s completely. Oh well.

[can3gxw]

Quote:

Originally Posted by BobPhoenix

Correct but that is what they will use over the next year to fulfill waranty replacements.

What happens when the next year passes, warranty replacements are fulfilled, and then they start selling the remainder off? They STILL need to be able to provide a FULL warranty on those units since they are brand new. That doesn't make any sense.

The "real" sense would be to unload all the remaining HD300 stock to start (because you KNOW they would sell out "instantly"), and then get that one year ticking and put behind them. No warranty replacements, but rather repair, patch, duct tape them until the end of the one year warranty.

Then they can move on knowing that there is NOTHING outstanding that could possibly need warranty service.

[joematt]

People! Just ass-u-me that there will be no more sales of anything and get on with your life.

[Fuzzy]

Quote:

Originally Posted by can3gxw

What happens when the next year passes, warranty replacements are fulfilled, and then they start selling the remainder off? They STILL need to be able to provide a FULL warranty on those units since they are brand new. That doesn't make any sense.

After the year, they will be liquidated as-is, no warranty included. This is not uncommon practice. Google/sage will not sell them directly, they will go off to some 3rd party liquidation warehouse to be sold out, probably for much less than the original list price.

[Flash69]

Quote:

Originally Posted by joematt

People! Just ass-u-me that there will be no more sales of anything and get on with your life.

I understand what you are saying however that does not help the people that need more extenders. I was about to order more extenders since I need 3 more. I was hoping for a new version soon; so I waited on ordering them.

This caught us ALL off guard and people are not happy about being abandoned.

The extender was the main reason I stayed with SageTV. I compared the major players at the time and found I liked SageTV. I built a dedicated server and started with a single client on my workstation. I started putting together a plan to build clients when the extender came out. It was perfect. So perfect I see building/using PC clients as a waste of time and resources.
You have to spend too much money to even get close to the usefulness of the extender.

I honestly had no idea SageTV would go anywhere. I guess I was living with my head in the sand... LOL

Oh well, not that it matters now...Google TV is testing 'fishtank' box already anyway...