UPDATED: April 20, 2011 - Boxee confirms presence of GPLv3 binary.  GPLv3 binaries still distributed in current firmware.  See below.

D-Link and Boxee Violate GPL!


GPLv3The Boxee BoxGPLv3


The Task
Modify the open-source software on your Boxee Box.

The Trick

Boxee has included cryptographic controls to block you from using your software on the Boxee Box. Both D-Link and Boxee refuse to release the key files required to pass these checks.

The Twist

The GPLv2 did not specifically prohibit blocking installation.  The newer version, the GPLv3, prohibits this explicitly.

The Truth

Your Boxee Box was shipped containing GPLv3 software. You should be able to install modified versions of software to your Boxee Box.

Broken Promises and License Gaming
by a Big-Money Corporation

The GNU General Public License was written to protect the freedoms that have brought the world so many useful things, including software like Linux and XBMC, from which Boxee has taken its code base. One of those essential freedoms is to be able to change open-source software to make it better suit a purpose.  It is essential to the evolution of open-source projects that people are free to take something and run with it as they see fit.  This is how Free Software has come so far.  D-Link and Boxee have now played a trick on the people who made it possible (developers and customers), by trying to hide behind games and deceit to exert control over your hardware.  They have blocked installation of custom software on the Boxee Box.

Boxee is NOT a small-time open-source community project by people who do it out of love; it is now a big money operation and they are using dirty tricks to exert control they should not have.  They use customers' and investors' money to have road trips and keg parties while users who have already paid are left with alpha-quality software and no way to fix it themselves.  They have decided to have a 3 month (forced) release cycle, making many users wait with completely disabling bugs.

What is also striking is Boxee's abandonment of development on the open platforms.  Progress has all but stopped, and you never see them tweeting about the PC version.  Little wonder, when they imagine for themselves a future of total power on the Boxee Box.

There has been a freight train of broken promises along the way, with the Netflix Promise Debacle and VUDU (it was on the retail box but didn't work) being some of the more publicized.  The option to use XBMC instead does not exist, and soon there will be a big surprise for many Boxee Box owners... The option to control the volume with the remote will disappear! Because of the forced updates, if you don't like something, too bad for you.  Don't get too attached to that volume function on the D-pad of the remote.

Moreover, the closed hardware breaks promises made during its promotion, by none other than Boxee CEO Avner Ronen:

"No keyboards, mice, windows or labyrinthine menus.  It should be calm and it should be beautiful. And it *must* be open." 

Instead we have labyrinthine menus, no option to skin or customize, ugly visualizations, and a COMPLETELY CLOSED SOFTWARE.  The deception continues: blog posts like this from before the release of the Boxee Box have been hidden.  (Track back through the pages and see that the history has been cut off)

Avner Ronen has publicly said hacking the Boxee Box was something they "hoped for" and they would try make it "hacker friendly". Clip Youtube Article

Part of this hacking would be the ability to use XBMC instead of Boxee on the box:
Originally Posted by avneron
yes, users should be able to run XBMC on the Boxee Box. we're not sure about the exact installation process that will be supported, but it is important for us to make sure XBMC runs properly on the Box.

Many people made buying decisions on that claim alone.  Strung along with false promises and deceptive tactics, many return periods lapsed before people realized what was happening.  Now they are stuck.


D-Link and Boxee are using Tivoization to control something that belongs to you.  
What is Tivoization?  From the website of The Free Software Foundation (the authors of the GPL):

“Some devices utilize free software that can be upgraded, but are designed so that users are not allowed to modify that software. There are lots of different ways to do this; for example, sometimes the hardware checksums the software that is installed, and shuts down if it doesn't match an expected signature. The manufacturers comply with GPLv2 by giving you the source code, but you still don't have the freedom to modify the software you're using. We call this practice tivoization.

When people distribute User Products that include software under GPLv3, section 6 requires that they provide you with information necessary to modify that software. User Products is a term specially defined in the license; examples of User Products include portable music players, digital video recorders, and home security systems.”


 “Tivoization is a dangerous attempt to curtail users' freedom: the right to modify your software will become meaningless if none of your computers let you do it. GPLv3 stops tivoization by requiring the distributor to provide you with whatever information or data is necessary to install modified software on the device. This may be as simple as a set of instructions, or it may include special data such as cryptographic keys or information about how to bypass an integrity check in the hardware. It will depend on how the hardware was designed—but no matter what information you need, you must be able to get it.

This requirement is limited in scope. Distributors are still allowed to use cryptographic keys for any purpose, and they'll only be required to disclose a key if you need it to modify GPLed software on the device they gave you. The GNU Project itself uses GnuPG to prove the integrity of all the software on its FTP site, and measures like that are beneficial to users. GPLv3 does not stop people from using cryptography; we wouldn't want it to. It only stops people from taking away the rights that the license provides you—whether through patent law, technology, or any other means.”

Boxee publishes the source code to the Boxee Box software.  This is actually a farce and and insult to the community that carried it this far.  The binary distribution that is automatically forced upon users arrives in a special filesystem that contains much more than the binaries from the source code.  It also contains signature files which are not available from the source code itself.  The private key is held, presumably, only by Boxee.  Without being able to produce these signature files, even changing the filesystem one bit would cause a failure of the whole system to load. 

Proof of the Violation Yourself

If you would like to confirm for yourself that this software (and currently, the violation) exists,
simply follow these steps to see GPLv3 software on your own Boxee Box:

  1. Factory restore your Boxee Box.  If you have ever used your Boxee Box on the internet (which is central to its functioning), you have been forced to upgrade your firmware, possibly against your will.  A factory reset will restore the firmware your Boxee Box was shipped with.  Shutdown your Boxee Box, and then press and hold the power button for 6-10 seconds before releasing.  You should get a different menu at bootup offering Factory Restore.  Follow the steps. 

  2. Load the UnBoxed app from the mirror at http://infinityoverzero.com/bbox/rep/ and click “Enable Telnet”  You will be able to see your Boxee Box's IP details on the app screen.

  3. Telnet to your Boxee Box's IP address.  If you are using a UNIX (including OS X) environment, simply open a terminal and type “telnet X.X.X.X” where the X's represent your Box's IP.  If you are using Windows you will need to use an application like PuTTY.

  4. Once you have a command prompt on your Boxee Box, type “gpgv2 --help” et voila, you are greeted with the GPLv3 header. 

  5. Contact D-Link AND Boxee and request the ability to modify the GPLv3 Software included in your Boxee Box.  Specifically you require the OpenSSL keys to generate the signature files found in the boxee.iso firmware file, and the scripts and instructions for their use.  For the D-Link contact, you might need to use their website.

  6. Comment here and elsewhere on the web to show your support and spread the word.  Forums, blogs, status updates...  Link here and help promote the cause. Everything will help.  There are sharing links further down this page.

Response from
D-Link and Boxee

On multiple occasions, both companies have been contacted seeking the rights granted under the GPL.  Neither company has taken responsibility and complied with their GPLv3 obligations.


D-Link responded with a mix of denial and passing the buck:

John M at dlink.com:
"All software and development resources for the Boxee Box are directly handled by Boxee. You need to create a Developer account with Boxee to get the API keys for the unit. There is a link at the top of the Boxee Developer site to create your account."

Clint B at D-Link:
"Sorry, we are unable to assist with your question(s).  Technical Support on this questioning will not be supported."

Boxee  responded with avoidance and denial:

Marcel Hass replied:
"Sorry this is not possible and will not happen"

What Users Can Do to Help

There are things that can be done.  Contact both D-Link and Boxee. Contact the FSF and request that they pursue this GPL violation.  Contact lawyers who want a piece of that $16.5 million.  And raise awareness of this on the web.  The more links and connections the better. 

Companies abuse users because they get away with it.  Actions like this make D-Link and Boxee very bad citizens of the community that gives them life. 

Don't let D-Link and Boxee abuse what the community has given them.

If you are tech savvy, you might take a look at http://boxeeboxwiki.org where there is some excellent information about the Boxee Box.
UPDATED: April 20, 2011

Boxee has confirmed the presence of GPLv3 software distributed in the Boxee Box. 

In the response, it is noted that gpgv2 was included in a pre-release.  This release is, however, the software that comes loaded on the device from retail.  Is that a pre-release?  In any case, gpgv2 itself was also released in subsequent firmwares.  It has been removed from the current firmware, but other GPLv3 binaries are still being distributed in the current firmware.  Every Boxee Box on the globe currently has GPLv3 software in it, in the factory-reset memory AND the currently running binaries.

There are now further questions.

Is yes-I-stole-the-candy-bar-but-I-did-not-eat-it-so-I-will-put-it-back-now-that-I-am-busted a valid argument?

Can Boxee un-distribute the binaries already distributed?  The GPLv3 binaries were not only in the pre-release version.  They were in the release version.  And the versions after that.  And the CURRENT version.  Can Pandora's Box be closed again?  See below for details on the current version.

Even if they delete the binaries in future releases, anyone can simply put them back into violation with a factory restore. Does Boxee have the right to change that factory restore firmware?  Can Boxee reach into the homes of users and change devices the users paid for?

Is "Yes we stole software but we want to make money" an adequate excuse?

How does the US Government and Customs and Border Protection view Boxee making them implicitly profit (via import tariffs) from the import of software piracy?


Boxee contends that since its new firmwares do not contain gpgv2, they do not need to honor the license terms.  As expressed above, it is possible that this is flatly incorrect.  As an interesting moot point (since the distributing of GPLv3 software has already been acknowledged), the current firmware still contains GPLv3 binaries.  It is downloadable from their website.

If you'd like to confirm this yourself, follow these steps:

  1. Download the firmware.  Current firmware here.

  2. Open the squashfs file boxee.iso using a suitable method for you, some are described here. The squashfs tools under Ubuntu need an older kernel.  Hardy Heron Live USB works great.  Just make sure to mount on a different disk.
  3. You need to mount the boxee.iso, then repeat the process with normal.img, then dlink_boxee_runtime.img, which are nested in descending order.  The commands on Linux could easily be: 

    1. mkdir mountpoint
    2. mkdir normal
    3. mkdir runtime
    4. sudo mount -o loop boxee.iso mountpoint
    5. sudo mount -o loop mountpoint/normal.img normal
    6. sudo mount -o loop mountpoint/normal/dlinl_boxee_runtime.img runtime
    7. /mountpoint/normal/runtime/opt/local/bin/chown --version
    8. /mountpoint/normal/runtime/opt/local/bin/chgrp --version
  4. View the GPLv3 license notice, and compare to your system, to show that you are not simply running the local machine's binary.
If you don't want to go through all these steps, here is a screenshot of the above process.

GPLv3 in the current firmware


Perhaps it wasn't made clear enough, but some people have been confused on why a single file requires the opening of the whole platform.  It has to do with how the Boxee Box is set up.  As noted in the original article, the firmware arrives in a squashfs filesystem.  This filesystem is only unpacked by the Boxee Box if the signature accompanying it is correct, signed with a private key held by Boxee.  If you were to add a even single text file to the filesystem, the signature would fail, and so would the boot/install.  The terms of the GPLv3 require that Boxee enable users to succeed in doing this.  It does not require them to provide technical support to users' modified firmwares.

As an aside, others have commented that buying decisions should have been made on what was available at the time.  This is also problematic, as Boxee is planning on removing features in upcoming builds.  Users do not have the option to decline a new build.  Nor do they currently have the ability to build and install their own version with their preferences enabled.

Please feel free to email at any time:

and share!