Thread: Firmware update Hauppauge Nova HD-S2 (HVR-4000)

Greetings,

first of all: Big Thank You to all the developers of mythtv and its plug-ins!



Been fiddling with mythtv for a while and its starting to get into shape...

I have a Hauppauge Nova S-2 (HVR-4000) and when you want to make this card work in mythtv (or Linux in general) you need to update the firmware. This is well-documented on the web and the procedure is to extract the firmware from the windows based software distribution of Hauppauge. What's puzzling me is the dd command used:

Code:

 sudo dd if=hcw88bda.sys of=/lib/firmware/dvb-fe-cx24116-1.20.79.0.fw skip=81768 bs=1 count=32522

The 'skip=81768' part seems to mean that the dd should skip the first bytes of the input and 'count=32522' means that this many bytes are written into the input.

Does anyone know where these two parameters come from and how they are detrmined? On the web you find instructions for both version 120 and 122 of the firmware (I also know of the 123 one from tevii), however both count and skip are different.

The reason I'm asking is 1) curiosity and 2) there is a firmware version 124 (windows software from Hauppage) and would like to try it.

Thanks in advance for any support on this!

I'd love to know the answer to this question too for the same reasons, unfortunately extensive googling hasn't turned up anything, but someone must know how to identify the block of firmware within the sys file.

Here's hoping....

Hi everyone!

This is a mini how-to for extracting the firmware for the Hauppauge DVB-S2 TV card from the windows sys-files. In particular, I want to extract the firmware from the latest published firmware file from Version:2.124.27191, August 6, 2009. You can find it here:
http://www.wintvcd.co.uk/drivers/88x...191_1_WHQL.zip

As no one seems to be able to figure out how to extract the Hauppauge firmware from the published windows archive (at least no one comes forward and explains it to us mortals...), I took a brief look at this myself with a hex editor. What follows are some observations made simply by looking at the files, in particular hcw88bda.sys. Just to make it clear: I have no idea whatsoever about the structure of these files nor the hardware that it runs on. So what I'm writing is pure guesswork and not guaranteed to work with future firmware files published by Hauppauge. If you decide to do follow my description, it is your risk entirely. Anyway, here goes:

The actual firmware of the Hauppauge dvb-s2 card is somehow embedded within the file hcw88bda.sys contained in the windows zip archives available from Hauppauge's home page. There seems to be a reliable method for locating he beginning. This I found on the Internet. The magic word seems to be:

Code:

"33 50 03 12" (in hex)

Seemingly, the _very_ first part of the firmware file contains information that depends on the version. This information starts 4 bytes earlier. Thus, for the currently publicly known firmware versions we get:

88x_2_119_25023_WHQL.zip:

Code:

"02 11 f9 ec 33 50 03 12"
 ^-- firmware starts here

88x_2_122_26109_WHQL.zip:

Code:

"02 11 fb ec 33 50 03 12"
 ^-- firmware starts here

Firmware v1.23.86.1 that is available with the TeVii S460:

Code:

"02 12 02 ec 33 50 03 12"
 ^-- firmware starts here

With this information we can locate the beginning of the actual firmware. So far, so good. Now we need the end or equivalently know how large the firmware file is. To me that was a bit more tricky...

The firmware files in 88x_2_119_25023_WHQL.zip and 88x_2_122_26109_WHQL.zip end with

Code:

"e0 c3 94 1c 22"

so I thought this was it. However when I looked into 88x_2_124_27191_1_WHQL.zip, I was unable to locate this pattern. However, getting back to 88x_2_122_26109_WHQL.zip: Just behind the firmware there is a pattern that seems to repeat:

Code:

 "7b1a 8808 6840"

6 Bytes before, I found "f57e". Now, remembering this obnoxious business about little and big endian and swapping the byte order you get "7ef5", which is 32501 (decimal). This happens to be the size of the firmware in bytes. Repeating this with other known firmwares yielded similar results (although the exact position of the firmware file size relative to the "marker" "7b 1a 88 08" varied!)

For 88x_2_119_25023_WHQL.zip: we have

Code:

"94 1c 22 00 00 00 f5 7e 00 00 00 00 00 00 7b 1a 88 08"
firmware size   -> ^^ ^^                   ^^ ^^ ^^ ^^ <-- pattern to search for
                  =32501 (decimal, remember "endianness")

For 88x_2_122_26109_WHQL.zip we have:

Code:

"94 1c 22 00 00 0a 7f 00 00  7b 1a 88 08"
firmware size-> ^^ ^^        ^^ ^^ ^^ ^^ <-- pattern to search for
               =32522

Now, the corresponding position in the firmware file within
88x_2_124_27191_1_WHQL.zip is:

Code:

"00 22 00 00 22 7e 00 00 7b 1a 88 08"
   fw size-> ^^ ^^       ^^ ^^ ^^ ^^ <-- pattern to search for
            =32290

This looked very plausible to me and the number 32290 fit quite well with the number of bytes between the start and the actual location. So, I tried it and it worked. At least mythtv/linux doesn't choke on the firmware.

Now, why the offset between end of firmware and its size vary may have something to do with byte alignment on a 32-bit architecture, but honestly, I have no idea! This could also be something completely different...

To summarize:

Code:

> unzip 88x_2_124_27191_1_WHQL.zip

and locate hcw88bda.sys

Code:

> dd if=hcw88bda.sys of=124.fw skip=105768 bs=1 count=32290

The magic number 105768 you can verify with your favorite hex editor. It is the location of "02 12 06 ec 33 50 03..." within hcw88bda.sys.

Then you do the standard extremely idiotic sudo stuff to set the sym-links and copy the file.

To whoever wants to try this out: Hope this works out for you!

Regards,

Jón

I followed olafur's instructions and extracted the firmware. However the reported version is 1.26.90.0. Which seems strange. Given Hauppauge's naming convention, it should have been 1.24.x.x.
This is what I get in my logs:

Code:

cx24116_load_firmware: FW version 1.26.90.0

Hi named,

interesting! I must admit that I didn't check this. All I did was copy the firmware and turn on the TV... And it worked... Does the firmware you extracted work?

Besides, I haven't understood the version numbering that Hauppauge uses. If I recall correctly, the version number of the firmware contained in 88x_2_119_25023_WHQL.zip is 120.something... (where you might expect 119...).

When you say "naming convention" are you referring to the name of the zip file or is there something more to it?

I really hope you haven't managed to damage any of your hardware permanently because of my post! Dispite my disclaimer, I would feel really bad about that...

Regards,

Jón

Hi Jón,

My hardware is ok and working as expected. I was referring to the name of the zip file when I said naming convention but apparently there is no such thing.

Also I have found this forum which might be of interest to you.
bbs.kewl.org • View topic - http://www.wintvcd.co.uk/drivers/88x_2_124_27191_1_WHQL.zip
It completely confirms your line of reasoning. Good work Jón!

Thank you,
Bobby

Can someone please tell me what I do wit the firmware once i have it?


Cheers.

Dear Scorpuk,

this is actually quite well documented on the internet. Anyway, to understand what is going on you should know that the firmware actually does not get uploaded to the DVB card permanently. Usually (or oftentimes) when devices receive a firmware update it gets written to a non-volatile memory on the device itself (non-volatile memory: memory that doesn't get erased when the device has no power, e.g. flash or HDD etc...).

In the case of the Hauppauge card this seems not to happen. Rather, each time the computer is started, the system uploads the firmware to the card (apparently to a volatile memory). Now for this to work the system needs to know where the firmware is. In mythbuntu 9.10 this is accomplished by defining a unique location for firmwares, which is the directory:

Code:

/lib/firmware/

The system accesses this particular firmware via the file name:

Code:

dvb-fe-cx24116.fw

in that directory.

You could simply replace the old firmware with the new one, saving it under this exact name. However, I wouldn't do that, because if you do this several times you loose track of what you are doing and your old firmware is gone (unless you save that under a different name)

A better way is to use the so-called symbolic links (this is a very nice feature in unix that I really miss under windows). These are basically pointers to files or directories. In my previous post I simply named the extracted firmware

Code:

124.fw

but you can chose a different name of course. The main thing is to set the symbolic link. Assuming your extracted firmware is located under /home/Scorpuk, you could do the following:

Code:

sudo cp /home/Scorpuk/124.fw /lib/firmware
sudo ln -s /lib/firmware/124.fw /lib/firmware/dvb-fe-cx24116.fw

Now the system will upload the firmware to the card on startup using the file

Code:

124.fw

that it accesses via the symbolic link

Code:

dvb-fe-cx24116.fw

.

Hope this explains,

Regards,

Jón

Hi Bobby,

The post you pointed out is older than mine... surprised I didn't find it at the time.

Anyway I tried to shed some light on the "why" and not just on the "how". Besides I hate these posts that just give you some magic numbers without an explanation where they come from...

Glad things are working for you...

Regards,

Jón

Hi Bobby,

surprised I didn't find this link at the time... Its about one month older than my post.

Anyway, good that someone else has confirmed this. However, after this exercise we can do the extracting ourselves in the future, no need to believe in magic numbers from the Internet...

Regards,

Jón