libdvbsi++ is an open source C++ library for parsing DVB Service Information and MPEG-2 Program Specific Information.

It may be distributed under the terms of the GNU Lesser General Public License (LGPL) 2.1.

The current version, 0.3.8, was published on 2016-06-30.

There is a Git repository available:

git clone libdvbsi++

It is used by Engima2, a multimedia framework and user interface for digital television set-top-box environments. Enigma2 gets developed for Dream Property GmbH and its Dreambox line of products. Binaries and Python source code are available in a Git repository:

git clone git://


Metz Open Source

As of today, Metz Consumer Electronics GmbH doesn’t publish open source code on its company website, but you may ask their customer support and they’ll send it to you on CD-ROM. I received a disc containing source code for Chassis 610/611/612 LCD-TV models.

The customer support was very cooperative and responsive and kept me informed while preparing the disc. Much appreciated!

Speedport ISDN Adapter

These devices are used by customers of Deutsche Telekom as ISDN-to-SIP gateways. Currently there doesn’t seem to be much public information about it, so I’ll make a start.

Deutsche Telekom offers broadband network connectivity and telephony services via a combined ADSL2+ and LTE router, the Speedport Hybrid, which unfortunately comes without ISDN S0 ports. Attempts to use other ISDN-to-SIP gateways behind a Speedport Hybrid have failed for reasons still to be determined. Plus, there’s no known router available which could replace the Speedport Hybrid without losing its unique channel bonding feature. So if you want to keep using your PBX, the Speedport ISDN Adapter inevitably comes into play.

[Edit: According to a blog post at, the information regarding other ISDN-to-SIP gateways is obsolete.]

The adapter features one 10/100 Mbps ethernet connector and two ISDN S0 connectors.

When the device starts up, the following network activity can be observed:

  1. Requests IPv4 settings via DHCP
  2. Obtains network time from or (port 123/udp)
  3. Requests external IPv4 address via STUN from (port 3478/udp)
  4. Requests settings from (using a client certificate)
  5. Optionally requests a firmware update from, probably depending on the reply to the previous request.
  6. Registers at the SIP server (SRV record)

Upon removal of two rubber feet from the bottom of its casing, two Philips screws appear. Unscrewing them allows to open the device. The PCB features a Lantiq PXB 4210 EL processor and has a serial port connector.

This is the boot log:

ROM VER: 1.1.4
CFG 01
VRX family DDR Access auto data-eye tuning Rev 0.1a
DDR check ok... start booting...

ISDN Terminal Adaptor GR9 Loader v1.01.001 build Apr 2 2014 19:24:45
 Arcadyan Technology Corporation
A2x VR9,
0xbf106a10 : 78
0xbf106a11 : 0
0xbf106a0c : 88
MXIC MX29LV640EB bottom boot 16-bit mode found

Copying boot params.....DONE

Get Primary to 0.....
Flash Checking Passed.

Unzipping firmware at 0x80002000 ... with AREA[2][ZIP 3]
[ZIP Extra] [ZIP 1] source:816f0011
Ready to run firmware
In c_entry() function ...^M
install_exception ^M
Co config = 80048483
sys_irq_init ...
VR9 is A21 chip !!!!, ifx_bsp_basic_mps_decrypt bf001f38
0xbf106a10 : 78
0xbf106a11 : 0
0xbf106a0c : 88
##### _ftext = 0x80002000
##### _fdata = 0x8058B5F0
##### __bss_start = 0x80625F5C
##### end = 0x82EFEEB0
allocate_memory_after_end: alloc from 82F06EB0 to 82FA1830, length=633196
##### Backup Data from 0x8058B5F0 to 0x82F06EB0~0x82FA181C len 633196
##### Backup Data completed
##### Backup Data verified
[GPIO FLOW] SetGpio() Begin ..
PLL1 locked..fails 0.
ifx_gpio_init() !!!
ifx_gpio_pre_init() !!!
[KERN_INFO]IFX GPIO driver, version 1.2.10, (c)2009 Infineon Technologies AG
Register LED MODULE OK!!
[GPIO FLOW] SetGpio() End.
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
CPU Clock 500000000 Hz
r4k_offset: 0x0003d090(250000)
init_US_counter : time1 = 34 , time2 = 225065, diff 225031
US_counter = 112
set to constant US_counter = 112
 cnt1 2040034 cnt2 2042615, diff 2581
 cnt1 2886380 cnt2 2888184, diff 1804
Runtime code version: 01012701.00.004
System startup...
[INIT] Memory COLOR 0, 8242880 bytes ..
[INIT] Memory COLOR 1, 2097152 bytes ..
[INIT] Memory COLOR 2, 10906608 bytes ..
InitCommSys: RESOURCE_BASE = 29, NUMRES = 640
InitCommSys: EVENT_BASE = 163, NUMEVT = 818
InitCommSys: MAILBOX_BASE = 6, NUMMBX = 64

rzMemory start: 0x82313DB0, end 0x8252FE38, size 2211976
Build Day = 05.03.2015, 17:34 Uhr Version = 01012701.00.004
Version Type 'NORMAL'
>>>>set_MP_pass_Magic to 4
MXIC MX29LV640EB bottom boot 16-bit mode found
Set flash memory layout to FL2MacAddr=XX:XX:XX:XX:XX:XX
Boot Parameters found !!!
Bootcode version: v1.01.001
Serial number: XXXXXXXXXX
Hardware version: 01
Firmware Ready!

According to the manual, the boot loader is based on u-boot 1.1.5, but the source code doesn’t seem to have been published yet.


The ipw2200 device driver limited me to use only 11 channels for wireless LAN, even though I bought my notebook in Germany, where channels 1 to 13 may be used. Although other people on the net faced the same problem, nobody came up with a simple and permanent solution like writing the country code to the card’s EEPROM with just a few commands.

If you want to set the country code to ZZD, which is suitable for 802.11bg in Europe, then first rebuild the ipw2200 driver with the patch above. Afterwards execute the following command:

echo -n ZZD | hd

This tells you the hexadecimal representation of the ASCII characters ZZD (5a 5a 44). If your wireless LAN card is eth1, then follow these additional steps:

# load the patched driver
modprobe ipw2200
# make a backup of the original EEPROM
ethtool -e eth1 raw on > ~/ipw2200_eeprom.bin
# change the three country code letters
ethtool -E eth1 magic 0x2200 offset 0x4c value 0x5a
ethtool -E eth1 magic 0x2200 offset 0x4d value 0x5a
ethtool -E eth1 magic 0x2200 offset 0x4e value 0x44
# reload the driver and repair the checksum
rmmod ipw2200
modprobe ipw2200 repair_eeprom=1

Remember, this is a permanent change. You can render your card unusable. Don’t do this if you don’t know exactly what you’re doing. There is no guarantee that the above steps will work with every card.

For other valid country codes take a look at ipw2200.c included in the driver tarball.


For those of you who operate DNS services using Daniel J. Bernstein’s famous djbdns, autoaxfr “lets you emulate the functionality of bind’s type slave zones with a masters list of IP addresses”.

If your server has multiple IP addresses, then you need to way to specify one of those addresses for outgoing connections or use the default one. To address this I had to create a small patch:


Debian GNU/Linux contains a command line based FTP client, which has been enhanced to understand the AUTH SSL command. This is a good thing, but AUTH SSL has been superseded by AUTH TLS. At least one server, pure-ftpd, only understands the latter, because it does not support encrypted data transfers (which is mandatory for AUTH SSL), but only encrypted control connections. This patch adds AUTH TLS to ftp-ssl.

Bluetooth weaknesses in mobile phones

Once I met Collin R. Mulliner at the university, he told me he was having fun exploring weak bluetooth stacks. I liked the idea, and some days later I bought a bluetooth dongle. It was quite a surprise to me that my phone, a Nokia 6310i, silently accepted AT modem commands on some RFCOMM channels without pairing. Later I discovered that some Ericsson phones had the same kind of vulnerability. This is the C code which I wrote while learning how to use the bluez stack and how to get data from a phone using AT commands.

Linux framebuffer driver for ATI Rage128 M3/M4

For some time I used a notebook, which was equipped with an M4 mobile graphics chipset. Unfortunately the framebuffer driver of Linux refused to work with it. Instead, funny color shapes appeared on the screen every time the notebook booted. Knowing that the XFree86 driver worked, I started to compare both drivers. It turned out that the driver included in Linux 2.4 didn’t have support for flat panels at all. So, with kind help from Andi, who wanted to use it on his Mac and who is an experienced DirectFB developer, I wrote this new framebuffer driver for Linux 2.4. Be warned, it has probably never been tested on something different than M3 and M4 chipsets using flat panels.

I2C monitoring

If you write software for a badly documented or undocumented device, then it is sometimes easier to just sniff some bytes of data sent by the original software instead of using a disassembler. Milk is a great software which can be used to capture I2C traffic. To make its output more verbose I modified it to include register names where available and to calculate some stuff for the devices used in the Nokia dbox2.