Extracting firmware for the WinTV-PVR-usb2

WARNING: The method described here does not guarantee that you will be able to extract working firmware for your Hauppauge PVR-usb2 device. It only documents what I have been able to do so far with some specific versions of the Hauppauge driver files. I am not affiliated with Hauppauge, Cypress, or Conexant, so I have no way of knowing what particular format they may choose to use for new versions of the firmware. Actually, you're on your own even if you limit yourself to extracting the firmware versions described here, since the whole procedure is based on guesswork anyway. Caveat emptor!

When I first managed to upload the Cypress FX2 firmware, it was after studying the chip manual and writing a couple of test programs that dumped portions of my Cypress chip memory to my Linux machine. Then, after applying od and grep to this data, I found that the USB product/vendor-ID combination 2900/2040 was uniquely present as a backward (i.e. Intel/VAX/little-endian) byte sequence.

Then I looked for 0x29002040 in the HCWUSB2.SYS file, and found that it was uniquely present there too, at least if we stick to even 32-bit boundaries:

$ od -t x4 HCWUSB2.SYS | grep 29002040
4052000 02000112 40000000 29002040 02010400

The above numbers are for the HCWUSB2.SYS file found in pvrusb2_25_22329.exe, which can be downloaded from Hauppauge's web site, not the original file that I did this on back in 2003.

OK, now we know where this signature 29002040 is located, i.e. at octal offset 04052010, but we still don't know exactly where the block of code starts. This is solved by comparing the address offset with the corresponding offset in the low-memory dump from my Cypress chip. The signature is located 011010 bytes from the start of the block (that's 4616 in decimal). This is sort of confirmed by the fact that in the file, preceding the address 04041000 = 04052010 - 011010 there is a very long block of 0's. However, there is of course no guarantee that this offset will be 011010 octal in any future drivers published by Hauppauge. So if you try this on new code you will have to verify to your own satisfaction whether you've got the right block or not.

The other firmware block is found in a similar manner:

$ od -t x4 HCWUSB2.SYS | grep aa55bb66
1041000 00000da7 aa55bb66 0000002c 07032001
2041000 00000da7 aa55bb66 0000002c 07032001
3041000 000003a7 aa55bb66 0000002c dead2008

Here we have 3 possible candidates, but the first two of these turn out to be identical (not only the lines matched by grep, but all 262144 bytes in each block) and the same code also matches the stuff sent via the USB bus during initialization, according to the usbsnoop log. The presence of this code in the usbsnoop log also makes it trivial to see where the code block starts, in contrast to the Cypress FX2 firmware, which for some reason isn't visible at all in the usbsnoop log.
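
The two signature searches and the offset arithmetic above, as an added example that is not part of the original page: Python code that finds a signature on 4-byte boundaries the way od -t x4 | grep does, subtracts the 011010 octal offset to get a candidate FX2 block start, and reports how many zero bytes precede it. The function names and the sample bytes are constructed for illustration, and the offset is the one observed for the driver version discussed here only.

```python
import struct

SIG_FX2 = 0x29002040      # USB product/vendor ID word as od -t x4 prints it
SIG_OTHER = 0xAA55BB66    # signature of the second firmware block
SIG_REL = 0o11010         # signature's offset inside the FX2 block (this driver only)


def find_aligned(data, word):
    """Offsets of a little-endian 32-bit word on 4-byte boundaries,
    the same matches `od -t x4 | grep` gives on a little-endian host."""
    needle = struct.pack("<I", word)
    hits, pos = [], data.find(needle)
    while pos != -1:
        if pos % 4 == 0:
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def zero_run_before(data, offset):
    """Length of the run of zero bytes ending just before offset."""
    n = 0
    while n < offset and data[offset - 1 - n] == 0:
        n += 1
    return n


def locate_fx2_block(data, sig_rel=SIG_REL):
    """Candidate block starts, each with the zero padding found in front of it."""
    out = []
    for hit in find_aligned(data, SIG_FX2):
        start = hit - sig_rel
        if start >= 0:
            out.append((start, zero_run_before(data, start)))
    return out


def build_sample():
    """Constructed stand-in for HCWUSB2.SYS: header, zero padding, fake block."""
    block = bytearray(b"\x02" * 0x1400)          # arbitrary filler, not firmware
    block[SIG_REL:SIG_REL + 4] = struct.pack("<I", SIG_FX2)
    decoy = b"\x00" + struct.pack("<I", SIG_FX2) + b"\x01\x01\x01"  # unaligned copy
    return b"MZ" + b"\x01" * 62 + decoy + b"\x01" * 120 + bytes(512) + bytes(block)


if __name__ == "__main__":
    for start, zeros in locate_fx2_block(build_sample()):
        print(f"candidate start {start:#o} ({start}), {zeros} zero bytes before it")
```

A long zero run in front of a candidate is supporting evidence only, as with the manual check; the block still has to be compared against a memory dump or a usbsnoop log before it is trusted.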
