Hello, I have caught 2 files with Wireshark, but I have no idea how to unpack or filter the sniff to get the files.

http://forum.ican3800.zajsoft.net/download/ADB3800TW-Italy/capture1_win.pcap
http://forum.ican3800.zajsoft.net/download/ADB3800TW-Italy/capture1.pcap

Can somebody help me please?

asked 15 Dec '13, 04:26 joseff
edited 15 Dec '13, 04:28

2 Answers:

Presuming you mean you transferred two files using a protocol such as HTTP and captured the traffic during the transfer, open the files with Wireshark, then from the File menu select "Export Objects" and then the transport protocol used, e.g. "HTTP". From the resulting dialog, select the object of choice and then click the "Save As" button and save the object to your filesystem.

I didn't look too hard at your files, but the first one didn't seem to have any http objects (there are only requests, no server responses) and the second contains a video stream over udp (using ISO 13818-1) and a jpg over http (Captain America DVD cover?). The image can be saved using the above description, but I don't know how to save the stream. Try searching on the rest of this site.

answered 15 Dec '13, 06:46 grahamb ♦

Thanks for this information, I am a Wireshark newbie and it all helps. Really, Captain America, now I see it too, that is funny. I have no idea how it shall work.

The problem is that the box doesn't work without this information. Before the box starts, it must be connected to IPTV. During the boot procedure it downloads something and then it works. But the provider has ended its service, so for all users the box is a good paperweight. The only possibility to rescue it is to get some access, but we need the firmware to remove the root password. So we hoped that the firmware is in these old sniff files.

Those files are related to the data exchange during the VS boot at the time it was connected to the IPTV server. Those recordings were for the complete process. At the end of the files the VS was operating correctly. So maybe it is only some unlock key and not firmware. The transfer was TFTP.

Is it somehow possible to reverse this sniff and send it to the box? Because we have some files that we can send to the box, but at the end of the process we are stopped with the TCP at port 19076 and the box is still not working.

(16 Dec '13, 10:30) joseff

I dismissed the DHCP traffic (i.e. the tftp) as noise and went for the usual suspects, http and video\audio.

(17 Dec '13, 02:38) grahamb ♦

I have asked the Italian and he told me: The bigger .pcap file is large because the sniff acquisition was much longer than the boot of the VS. In that sniff there should also be the streaming from the server (http), and that is the reason for the jpg over http (Captain America DVD cover: at that moment they were promoting Captain America).

(18 Dec '13, 02:14) joseff

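The answer above covers HTTP objects, while the comments say the transfer of interest was TFTP. The following is an added example, not part of the original thread and not Wireshark code: it reassembles TFTP read transfers (RFC 1350) from a capture file. It assumes a classic little-endian pcap with untagged Ethernet/IPv4 framing and the default 512-byte block size; the function names are this example's own.

```python
import struct
import sys

def udp_datagrams(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each IPv4/UDP frame.
    Assumption: classic little-endian .pcap, Ethernet link type, no VLAN tags."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # EtherType must be IPv4 and the IP protocol field must be UDP (17)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = 14 + (frame[14] & 0x0F) * 4      # honour the IPv4 header length
        if len(frame) < udp + 8:
            continue
        sport, dport, ulen = struct.unpack_from("!HHH", frame, udp)
        yield frame[26:30], sport, frame[30:34], dport, frame[udp + 8:udp + ulen]

def carve_tftp(datagrams, blksize=512):
    """Rebuild files fetched with TFTP read requests.
    Returns {filename: bytes}; transfers with missing blocks are dropped."""
    pending, files = {}, {}                    # keyed by the client's (ip, port)
    for src, sport, dst, dport, data in datagrams:
        if len(data) < 4:
            continue
        opcode, block = struct.unpack_from("!HH", data)
        if opcode == 1 and dport == 69:        # RRQ: opcode, filename NUL, mode NUL
            name = data[2:].split(b"\0")[0].decode("latin-1")
            pending[(src, sport)] = (name, {})
        elif opcode == 3 and (dst, dport) in pending:   # DATA sent to that client
            name, blocks = pending[(dst, dport)]
            blocks.setdefault(block, data[4:])          # ignore retransmissions
            if len(data) - 4 < blksize:                 # short block ends transfer
                if sorted(blocks) == list(range(1, len(blocks) + 1)):
                    files[name] = b"".join(blocks[b] for b in sorted(blocks))
                del pending[(dst, dport)]
    return files

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for name, body in carve_tftp(udp_datagrams(fh.read())).items():
            print(f"{name!r}: {len(body)} bytes")
```

Run as a script it only lists names and sizes. Filenames come from the capture, so sanitise them (for example with `os.path.basename`) before writing anything to disk.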

I don't think the firmware you are looking for is in the capture file. And if it is (there are some larger UDP downloads), it is most certainly encrypted/scrambled (with a key stored on the box).

Solution to your problem: Instead of trying to extract the firmware from the capture file, google for: adb-3800-tw alternative firmware and you'll find some information about the boot process and some ideas how to load a different firmware to the box :-)

Regards

answered 16 Dec '13, 11:40 Kurt Knochner ♦

:-D Well, most of the sites found are from me, or from someone else on the team. :-) We have played with this box for 4 years and the modified firmware is working in CZ and ES. But this is "the same" box, but from Italy, and there another firmware and another data transfer to the box were used.

JTAG is possible to use with the CZ and ES box, but in the German Alice HSN-3800TW there is some JTAG protection and I get the Sentinel not found ERROR. So I cannot help the people in Germany with the access into their box. The same protection is in the Italian box.

The last different working IPTV provider that I know is in Austria: A1 - TLA-3801W - Österreich. But I had no success contacting someone with this box. I hear that maybe in Hungary, Ukraine and the USA too someone is using this box, but nothing found.

Our last chance is to unpack these files: This is the firmware, but we have trouble unpacking it. The small file prepares something for the other file in the box.

Regards

(16 Dec '13, 14:23) joseff

Well, I don't think this site is the right place for your problem. We are talking mainly about Wireshark and sometimes about network troubleshooting in general. You should try it in a reversing forum.

(17 Dec '13, 02:59) Kurt Knochner ♦

What kind of files?
It is a firmware update using a TFTP transfer. The first file shall prepare the unpacking for the second file posted above.
Do you mind telling us the IP addresses of the involved systems?
Well, there is no problem to tell the IP (I am authorized), but I don't have them. The box is using DHCP, but only one IP is fixed. It is the multicast address 239.113.254.2:22222.
That IP is important to receive the access key (BootCast), or the Firmware in the box.
There are 2 sniff files instead of 1 because the sniff was done with a "network tap" configuration with 2 PCs simultaneously. One PC was recording the exchange with the VS and the other PC was recording the exchange with the server. The sniff on the 2 PCs was started almost simultaneously, but obviously it is not exactly the same time.