LOCK down the Flash!!!


scanman0
03-29-2002, 11:57 PM
Ok,

Call me paranoid, but some outside source could re-flash my eprom, and prevent my current custom software from operating. I have already taken software countermeasures to prevent any tampering with my system. It's still possible that I may not have enough software control to prevent a possible unauthorised tampering of my system Eprom. I consider this an open "hole in security". This being a potential unauthorised invasion of my personal property, I have decided to prevent any changes to this firmware at a HARDWARE level. I DO NOT AUTHORISE any changes to any Eprom code on my machine without my prior consent! In other words, I MUST physically allow it. This makes it MY CHOICE. You too can make this hardware choice.

If you are happy with the current state of your firmware, and choose to NOT accept ANY unauthorised firmware updates, you can physically prevent any new and most likely undesirable code updates by simply CUTTING 1 pin on the firmware chip.

Now, this may possibly, in the future, make you "not compatible" with some service offering, but you can always solder the pin back to the board, if you decide to authorise the update, and receive the "flash" update to be compatible with a future service offering.

The Flash chip on the Dtivo is:

http://www.sst.com/products/pdf/398-39SF010A-020A-040-02.000-DS.pdf


If you look at chart:

Page #6
TABLE 3
OPERATION MODES SELECTION:

It will become obvious that you can PHYSICALLY choose to allow updates to the chip based on the input of a single pin on the chip.

If pin #31 (WE#) is connected to the PCB, it allows the eprom to be updated, because the software can decide what state this input is at. HOWEVER, if this pin is simply CUT from the printed circuit board, it is placed in a state called "High Z", or "Floating".
It is a determination of the chip to decide what an open connection state of the chip is, and in this case, a clipped pin is a "floating", or "high z" state. This is the same state on the chart as a high state. In simple terms, carefully snipping this pin at the circuit board and leaving the possibility to re-connect it, WILL WRITE PROTECT YOUR EPROM!!!!!

If you want to be anal about it, you can tie the pin to +5v with a 10K resistor, and be 100% positive, knowing it can't be re-programmed.


I personally didn't snip mine, but placed a piece of wire wrap behind the pin and heated it with the iron, and pulled it out to 90 degrees, like pulling a tooth. I now have the pin outward, and ready for soldering to a switch, if in the future I decide to accept any updates.

Longwinded, but hopefully useful.

ScanMan

keither
03-30-2002, 11:51 AM
If pin #31 (WE#) is connected to the PCB, it allows the eprom to be updated, because the software can decide what state this input is at. HOWEVER, if this pin is simply CUT from the printed circuit board, it is placed in a state called "High Z", or "Floating".
It is a determination of the chip to decide what an open connection state of the chip is, and in this case, a clipped pin is a "floating", or "high z" state. This is the same state on the chart as a high state. In simple terms, carefully snipping this pin at the circuit board and leaving the possibility to re-connect it, WILL WRITE PROTECT YOUR EPROM!!!!!


Just to be anal .. (hey, I'm an engineer) .. the high-Z state will not necessarily float high. It depends on the device. If the flash has a built-in weak pullup on the lines then you'd be fine "cutting" the pin. However, it's generally considered a VERY bad idea to leave a CMOS input floating as it can cause oscillation to the part. It could cause your flash to get written to with garbage.


If you want to be anal about it, you can tie the pin to +5v with a 10K resistor, and be 100% positive, knowing it can't be re-programmed.


That's the smartest way. What you MIGHT also consider doing is this:

Lift the pin on the Flash. DON'T pull it to 90 degrees as that's a good way to risk damaging it. Isolate it from the board, and solder a small magwire to the pad. Connect that to one end of a simple single-pole single-throw switch. To the other end of the switch, connect your 10K pullup and the flash WE_N pin. Then you've got the ability to allow or disallow flash writes at will (i.e. upgrading to a new version of xtreme).

Having the 10K pullup in the legit signal path won't affect the Tivo being able to drive the pin to ground to signal a write.
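The WE#-gating that scanman0 reads off Table 3 and the pull-up/switch arrangement keither describes, modelled as an added example (not code from the thread or from any TiVo tool): the chip's command decoder is reachable only on write cycles with WE# low, so with the pin isolated from the board and held high by the pull-up no program sequence ever reaches it, and a checksum taken before and after an attempted update confirms that. The unlock addresses and command bytes are the JEDEC sequence from the SST datasheet linked above; the size constant and all class and function names are assumptions of the model.

```python
# Added example (not from the thread or from any TiVo tool): a model of a
# JEDEC-style parallel flash whose command decoder is reachable only on
# write cycles (CE# low, WE# low), plus the pull-up/switch arrangement on
# WE#. Unlock addresses and command bytes follow the SST datasheet linked in
# the thread; FLASH_SIZE and every function/class name are assumptions.

FLASH_SIZE = 128 * 1024  # 1 Mbit part, assumed size for the model

# JEDEC byte-program command sequence: (address, data) per write cycle.
UNLOCK1 = (0x5555, 0xAA)
UNLOCK2 = (0x2AAA, 0x55)
PROGRAM = (0x5555, 0xA0)


class Flash:
    """Operation-mode table (CE#/OE#/WE#) plus the byte-program decoder."""

    def __init__(self, size=FLASH_SIZE):
        self.mem = bytearray(b"\xff" * size)  # erased flash reads as all 1s
        self._step = 0                        # progress through the sequence

    def bus_cycle(self, ce_n, oe_n, we_n, addr, data=None):
        """One bus cycle; returns the byte read on a read cycle, else None.

        CE# high: standby, bus ignored.  CE# low, WE# low: write cycle, the
        only path into the command decoder.  CE# low, OE# low, WE# high:
        read.  Anything else: outputs disabled, nothing happens.
        """
        if ce_n:
            return None
        if not we_n:
            self._decode(addr, data)
            return None
        if not oe_n:
            return self.mem[addr]
        return None

    def _decode(self, addr, data):
        expected = (UNLOCK1, UNLOCK2, PROGRAM)
        if self._step < len(expected):
            # Software data protection: a cycle that breaks the sequence
            # resets the decoder, so stray writes never reach the array.
            self._step = self._step + 1 if (addr, data) == expected[self._step] else 0
            return
        # Fourth cycle carries the byte; programming can only clear bits.
        self.mem[addr] &= data
        self._step = 0


class WeMod:
    """The lifted-pin mod: WE# is always tied to the 10K pull-up, and the
    switch either connects (closed) or isolates (open) the board's signal.
    A floating pin is deliberately not modelled: its level is undefined."""

    def __init__(self, flash, switch_closed=False):
        self.flash = flash
        self.switch_closed = switch_closed

    def we_pin(self, board_we_n):
        # With the switch closed the board's driver overrides the weak
        # pull-up; with it open only the pull-up is present, so WE# is high.
        return board_we_n if self.switch_closed else True


def program_byte(flash, mod, addr, value):
    """What an update would do: drive the four-cycle sequence through the mod."""
    for a, d in (UNLOCK1, UNLOCK2, PROGRAM, (addr, value)):
        flash.bus_cycle(ce_n=False, oe_n=True, we_n=mod.we_pin(False), addr=a, data=d)


def read_byte(flash, mod, addr):
    return flash.bus_cycle(ce_n=False, oe_n=False, we_n=mod.we_pin(True), addr=addr)


def checksum(flash):
    """16-bit sum of the array; compare before and after an attempted update
    to confirm the protected chip is unchanged."""
    return sum(flash.mem) & 0xFFFF


def attempt_update(flash, mod, base, image):
    """Program `image` at `base` and report whether the contents changed."""
    before = checksum(flash)
    for offset, value in enumerate(image):
        program_byte(flash, mod, base + offset, value)
    return checksum(flash) != before
```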

yngdiego
03-31-2002, 12:05 PM
What software countermeasures have you taken?

yngdiego
03-31-2002, 12:22 PM
Originally posted by keither


Just to be anal .. (hey, I'm an engineer) .. the high-Z state will not necessarily float high. It depends on the device. If the flash has a built-in weak pullup on the lines then you'd be fine "cutting" the pin. However, it's generally considered a VERY bad idea to leave a CMOS input floating as it can cause oscillation to the part. It could cause your flash to get written to with garbage.



That's the smartest way. What you MIGHT also consider doing is this:

Lift the pin on the Flash. DON'T pull it to 90 degrees as that's a good way to risk damaging it. Isolate it from the board, and solder a small magwire to the pad. Connect that to one end of a simple single-pole single-throw switch. To the other end of the switch, connect your 10K pullup and the flash WE_N pin. Then you've got the ability to allow or disallow flash writes at will (i.e. upgrading to a new version of xtreme).

Having the 10K pullup in the legit signal path won't affect the Tivo being able to drive the pin to ground to signal a write.


Where is a good +5v source that's close by? I'm very interested in doing the hardware mod. What is the best way to lift the pin on the flash? The last thing I want is a broken flash pin or one that got cooked from the soldering iron.

groundhog
04-01-2002, 05:15 PM
Thanks Scanman0. I posted a question asking for how to do this several months ago & never got a response.

Could you please tell us where this chip resides within a DSR6000? Here is a link showing the inside of the unit and it has each chip numbered. Which number is it?

http://www.9thtee.com/images/dt10.jpg

lcreech
04-01-2002, 06:29 PM
That would be chip #49, with the white sticker on it.

madd0c
04-01-2002, 07:10 PM
Let me get this straight before I fry something! :)

the pullup resistor goes between the lifted pin(31) and the +5v source?

In the switch mod I don't understand the SPST switch...with it off (disallow writes) then the pin would still be "floating"

Or do you want a DPST switch where one position has the 10k +5v connected to the lifted pin, and the second position would directly connect the pad you lifted from to the lifted pin.

Here is a small schematic to look at...Is this the correct placement of the switch/10k pullup?

madd0c

groundhog
04-01-2002, 07:52 PM
Two questions:

1) is this a PLCC or a PDIP?
2) Can we use Pin#32 which is Vdd as the +5 volt supply?

lcreech
04-01-2002, 08:00 PM
This is a plcc and yes you can use pin 32 next to it. That would be the 2nd and 3rd pins from the corner.

scanman0
04-02-2002, 12:19 AM
I didn't give quickcam pics, and DETAILED information, simply because, I figured....If you could understand my original post, you knew enough to NOT FRY your unit. The Tivo "expert" that has never played with a soldering iron, that runs out and buys a trash shack iron with the included solder and crap, will FAIL, and most likely blame me for telling him to do this. It should NOT be attempted by anyone that can't handle a surgical soldering job. And yes 90 degrees is a bit much....Mine is only lifted enough that it's clear...1 mm tops :)

The switch is a bit overkill...

YES, I did attempt a flash with the high-z, The chip DOES float LOGIC HIGH, and it is not really needed to be tied high with the 10K resistor......the osc. problem referred to is on an ACTIVE input, on OLD TTL circuitry. On modern logic prom chips such as this, this is NOT an issue. Read the datasheet. It's VERY safe to lift the pin 1 mm, as you apply heat with a LOW power 25 watt iron, lifting it with a dental pick. This is all that is needed.

As far as sw countermeasures, I removed about 80% of my rc.sysinit, and deleted critical files that are used to flash. As far as sw countermeasures, I still don't feel as warm and fuzzy about it as KNOWING that the dark side can't make changes to my unit, so they would need to change the "DSS stream" that the tivo uses to get the data, AFTER a flash of all units, and then become incompatible to the old version. (Good luck!)

IF 3.0 is sent via the datastream....AND it is done in a way that the 25extreme image is open to....It's possible that they could reflash the eprom in a way that NONE of the old backup HD's will be worth their weight in coal. They could lock the firmware, and leave no OPEN door to old versions of the sw. And this would LOCK THE DOOR SHUT!!! This hack is the only way to prevent 3.0 from locking the eprom. As nobody has unlocked the tivo2, it's almost inevitable that they will thrust a new locked prom upon us!!!!


Peace.

madd0c
04-02-2002, 01:29 AM
scanman,
We appreciate the info you have provided, and as MANY,MANY,MANY posts of this nature state, if you don't feel comfortable doing this, and you absolutely CANNOT afford to lose your DTIVO, then if I (or anyone else) fries their machine they have NO ONE TO BLAME but themselves...


No user serviceable parts inside! (heheh)

Anyway, I am NOT attempting to publish a schematic of how to do this, I was simply asking about the pullup as keither's post has further obscured the info in your original post. (Not bashing you keither, just made it more confusing for me)

My question is NOT for detailed, step by step how-to-fry-your-Tivo-in-one-easy-step type directions. It was simply to clarify the pull-up.

And, you have clarified that a pullup does not in fact need to be installed.

I will repeat this for anyone out there who is reading this:
DON'T DO THIS IF YOU CAN'T AFFORD LOSING THE UNIT!

and as for bashing my soldering skills (heh j/k I know it's not personal)
I have a weller 12.5watt with a microtip that I think is perfect for this type of thing :)

Thanks again for the info,
madd0c

scanman0
04-02-2002, 01:46 AM
I didn't say that the switch schematic is in any way flawed. If you are a "super hacker", and want to re-flash your chip, the schematic for the switch is a dandy approach, and should be considered, but for the average non-flash code hacker, the lift method is more than proper to prevent unauthorised updates :)

I use a Weller industrial soldering station, with SMT tips and have a desoldering unit with a vacuum pump, not all here are soldering at the same level.....so I started out sorta...worried about the abilities of the average reader.

madd0c
04-02-2002, 03:41 AM
I guess I should have listened to my own advice.

I tried the pin 31 mod, and maybe my 12 watt soldering iron was still too much for the flash, but I now have a dead DTIVO. :(


I pulled pin 31 and it now won't boot at all, harddrives don't spin up or anything.

The fan is on, and the chip is getting 3 v on Vdd (pin 32)

It says through hole chip withstands 300 degrees C for ten seconds. I didn't think I was on there for ten seconds, and my soldering iron is 245 degrees C (measured)


Argggg.....Well, I think I am fubar, glad this was a unit to play with.

Anyway, Scan, If you still need a sat input module :) (saw your other post)

arggggggggg
madd0c

madd0c
04-02-2002, 04:06 AM
Scan,
Have you found a JTAG interface on the DTIVO mainboard? I notice you say you tried to write to your flash after the pin was lifted....

maybe (hopefully) I just corrupted my flash and didn't completely destroy the chip.

I have made a JTAG interface for other projects, and if I could find one on the board I would try to read the chip...

Take a look at positions J18 and J20 (beside the OMEGA D&S chips), looks like a JTAG pinout to me....I have nothing to lose..I may start trying some stuff there.


Any ideas, I REALLY hate to let this machine die such a horrible death.

Thanks,
madd0c

BBQ-AllStar
04-02-2002, 04:12 AM
Hello,

would it be possible to 'cut' the top of the pin and bend it out. Then just bend it back and add some solder to it later if needed.

I'd hate to fubar my only unit up like madd0c did...but I'm willing to take a chance since I hear version 3 is on it's way.

I'm no soldering expert, nor am I an engineer...the only thing I like to 'cook' is on the Q. I don't want to cook my DTivo...

Just wondering what the easiest and safest method is of (re)moving pin#31.

TIA,

T_RJ
04-02-2002, 10:50 AM
Here's a link on how to attach a JTAG to your DTiVo: Link (http://penguinppc.org/embedded/tivo/hardware/jtag.shtml)

keither
04-02-2002, 12:04 PM
Sorry to confuse anyone. I had wanted to include a schematic but didn't want to do it in paint. Alas...


As you can see, the pullup is ALWAYS connected to the WE# pin, and when the switch is thrown, the pullup/flash combo is connected to the original signal.

I would avoid any cutting of the pins.

BubbleLamp
04-02-2002, 12:06 PM
So assuming I get up the nerve to lift/cut the W/E pin, that still leaves us with having to block a software update, no? What are folks doing to handle that side of the puzzle, inquiring minds want to know. :eek:

groundhog
04-02-2002, 04:30 PM
I personally didn't snip mine, but placed a piece of wire wrap behind the pin and heated it with the iron, and pulled it out to 90 degrees

I was planning on getting help from someone that used to do a lot of soldering on small circuits.....but I think that I'll take a lesson from Maddoc & avoid the iron. I don't want to lose a Tivo, but I do have more than one, so in this case I think it's worth the risk. What type of tool would I use to cut something this small (while using a Soldering Station Magnifying glass of course)?

madd0c
04-02-2002, 08:24 PM
Well, After I carefully soldered the pin back down (it's a BITCH because it's bent at a right angle TWICE in its standard position)

I then left the unit unplugged WITHOUT the battery in it overnight.(Not intentionally, just got tired and left it that way until today)

Today when I plugged it in, it fired up!!!
Unbelievable. Now, I got brave and carefully bent the pin up again, and IT WON'T BOOT. PERIOD.

I moved the pin back down, and it boots again...

I may just be unlucky, but I am NOT messing with this pin again.

I hope others have better luck than I did, I think I am just gonna leave well enough alone for now.

madd0c

yngdiego
04-02-2002, 09:45 PM
Why not just cut the trace connecting the pad to wherever it goes? I remember tracing where it went, and it was to a nearby chip. If you need to FLASH the PROM you could take some super tiny wire and connect the two pins for the duration of the flash.

I remember seeing an Athlon hack where they used a graphite (I think) pencil to bridge two small contacts together. If the trace was cut between the WE# pin and the chip it goes to, couldn't the graphite pen be used to re-establish the electrical connection?

madd0c
04-02-2002, 09:49 PM
If you are going to try this, and you DO cut a trace, then don't use a wire to reconnect...you could but soldering it would be tough. Use a trace repair pen. It has a conductive silver ink. You just draw the trace back in where you cut it. Use the tip of a needle for the size traces you would be working with.

I would love to hear from anyone else who has tried this mod. My unit wouldn't boot at ALL with pin 31 disconnected.

Anyone else's not booting, or do I just have a flaky unit?

madd0c

BubbleLamp
04-02-2002, 10:00 PM
Originally posted by madd0c
I would love to hear from anyone else who has tried this mod. My unit wouldn't boot at ALL with pin 31 disconnected.

Anyone else's not booting, or do I just have a flaky unit?

madd0c

I haven't tried this mod yet, but was wondering if you used the pullup resistor as suggested?

BBQ-AllStar
04-02-2002, 11:18 PM
Originally posted by madd0c
Well, After I carefully soldered the pin back down (it's a BITCH because it's bent at a right angle TWICE in its standard position)

I then left the unit unplugged WITHOUT the battery in it overnight.(Not intentionally, just got tired and left it that way until today)

Today when I plugged it in, it fired up!!!
Unbelievable. Now, I got brave and carefully bent the pin up again, and IT WON'T BOOT. PERIOD.

I moved the pin back down, and it boots again...

I may just be unlucky, but I am NOT messing with this pin again.

I hope others have better luck than I did, I think I am just gonna leave well enough alone for now.

madd0c

Well, that's good & bad news madd0c...good news your unit still works, bad news it doesn't with pin#31 pulled...Are you positively sure it was the correct pin? The chip has a notch in one of the corners doesn't it? (I haven't opened my unit yet to look)...two sides have 9 pins and 2 sides have 7 pins...placing the notch away from you, pin#31 should be the 6th pin from right of notch...correct?

scanman0, is this correct? So far, are you the only one to get this working???

TIA,

BBQ

lcreech
04-03-2002, 01:20 AM
Yes, I have done the mod and it does work. Being from the "old school" I don't believe in leaving pins floating, I lifted pin 31 with an exacto knife tip under heat of a soldering iron and then tied it to pin 32 with blue wire (wirewrap). Fired it up and it works fine. Figured this out weeks ago. This only protects flash updates and does nothing for the OS changes on the disk. Certain countermeasures can be done such as chattr +i on critical partitions, renaming commands, and implementing ownership and users/groups and privilege/restrictions on commands and the file system. Alternatively "critical" file systems could be mounted read only.

BubbleLamp
04-03-2002, 01:27 AM
Did you use a pullup resistor lcreech, or just tied it to the 5 Vcc?

lcreech
04-03-2002, 01:46 AM
I went direct from 31 to 32, no resistor, no switch. I considered pulling the flash and putting in a socket since I have a couple and replacing the chip with an eprom, but I didn't, maybe some other day. This was a 5 minute hack if that.

BBQ-AllStar
04-03-2002, 04:03 AM
Thanks lcreech!
that was good info...

groundhog
04-03-2002, 05:39 AM
Well I cut the Trace & ended up with an unbootable Tivo! I tried jumpering 31 to 32 & NOTHING! Jumpered the pin back to where the trace led(small round circle near the corner of the chip) & It booted again! So Maddoc.....You're not the only one having problems here. I still have to figure out how to get that trace back, or resolder it.

Are you positively sure it was the correct pin? The chip has a notch in one of the corners doesn't it? (I haven't opened my unit yet to look)...two sides have 9 pins and 2 sides have 7 pins...placing the notch away from you, pin#31 should be the 6th pin from right of notch...correct?

Yep that's the pin that I cut the trace to. With the notch on the top, the left hand corner is the only corner that doesn't come to a point. I traced back the second pin from the right top (pin 30 is the far right top pin & 31 is to the left of it). So tracing 31 I followed it up, to the right...past pin 30 to a small round circle with a hole in it. I cut the trace between the circle and pin 31 (closer to the circle). I used a microscope to follow the trace, so I know it was right.

P.S. in case some of these tivo's have different Atmels, I peeled off the white sticker and it reads AT49 HLV010 90JC 9952. The inside of my tivo looked slightly different than the picture that I posted, but most of the chips were in the exact same place, including this one. Also the shape, number of pins, the dent by Pin#1, etc. match the PLCC diagram exactly.

Don't know why it works for some and not for others????

lcreech
04-03-2002, 11:23 AM
I would not cut traces. Unless you have the chip pulled you don't know if it continues underneath it and who knows where else it goes. write enable from the processor or to ram?

groundhog
04-03-2002, 12:34 PM
It has a conductive silver ink. You just draw the trace back in where you cut it. Use the tip of a needle for the size traces you would be working with.

So what are you saying? Do you bleed some of the ink from the pen & dip the needle in it and use the needle as a paint brush?

groundhog
04-03-2002, 12:38 PM
If anyone else does the lift, or lift and wirewrap to 32 method, please post the results. I'd like to know if anyone else has a problem &/or if I have a chance at making this thing work. I'm definitely going to need some help with the soldering. I was blown away with how small the traces & pin spacing were!

AlphaWolf
04-03-2002, 01:01 PM
Originally posted by scanman0

As far as sw countermeasures, I removed about 80% of my rc.sysinit, and deleted critical files that are used to flash. As far as sw countermeasures, I still don't feel as warm and fuzzy about it as KNOWING that the dark side can't make changes to my unit, so they would need to change the "DSS stream" that the tivo uses to get the data, AFTER a flash of all units, and then become incompatible to the old version. (Good luck!)


Any change is better than no change, care to share your modified rc.sysinit and tell which files you removed?

Originally posted by BBQ-AllStar

I'd hate to fubar my only unit up like madd0c did...but I'm willing to take a chance since I hear version 3 is on it's way.


How far away are we talkin? I haven't even seen any indication of 3.0 coming anytime soon. Anybody care to mention any press releases? :)

BBQ-AllStar
04-03-2002, 03:54 PM
Originally posted by AlphaWolf
How far away are we talkin? I haven't even seen any indication of 3.0 coming anytime soon. Anybody care to mention any press releases? :)

(check out tivocommunity & do a search on 3.0)

I've just heard rumors that beta testing will begin by end of this month...I'm not sure if they will begin with SAs first, then DTivos like 2.5. However, the next release was to synchronize the code base between all the units (DirecTiVo, SA, Series 2) so maybe it will be released for all units.

My bro-in-law beta tested 2.5 on a SA and said it took a few weeks b4 they released the nonbeta version...It's all rumors though...

It seems illegal to me that TiVo could overwrite all your "hardwork" unless they knew for sure that you are stealing their service. Many people have several tivos in their house, and use one for testing and tinkering with.

I am also interested in what software countermeasures were taken by scanman0...lcreech gave us some ideas...

Thanks guys..

BBQ

michaelk
04-03-2002, 04:50 PM
Originally posted by BBQ-AllStar

It seems illegal to me that TiVo could overwrite all your "hardwork" unless they knew for sure that you are stealing their service. Many people have several tivos in their house, and use one for testing and tinkering with.


BBQ

Don't think it's illegal. Rude maybe but illegal no. I'm not even sure it's rude though- they are pretty open about that, and employees have posted at tivocommunity that they won't intentionally screw things up unless stealing is involved but they can't guarantee future compatibility with the hundreds of user performed hacks.

Heck if it was illegal Bill Gates would be in Jail (hmmm... that sounds nice....) for screwing thousands of commercial software coders every time they upgrade windoze and screw up 3rd party compatibility. MS is even malicious about it, they purposefully screw others (well I guess they do at least get slapped on the wrist for that).

madd0c
04-03-2002, 04:55 PM
Hey groundhog,
In reply to your question, the way i did it was to unscrew the pen and dip the needle into the ink directly. The pen tip and barrel connect together by a REVERSE thread (i.e. right=unscrew)

This is what I use to unlock AMD processors. I have never tried it in the DTIVO, but it should work fine.

Also, to whoever asked if I was sure it was the right pin, YES, I AM SURE, no doubt whatsoever. No worky worky here.

I am wondering if groundhog may be right...I haven't looked at the part# for the flash chip in mine, and like I said...
I AIN'T TOUCHING IT FOR A WHILE :) It's working, and I have a nice new SAT-T60 on the way as well...(heh, thats what you get when the wife is addicted to her TIVO...the one I screwed up :) )

well, good luck guys, I look forward to hearing from any other "success" stories,

BubbaJ has previously said that the way to test for protection of the eeprom is:
getprom -Update <filename> should fail if the chip is protected; the best way of verifying the write is getprom -checksum

madd0c

groundhog
04-03-2002, 05:11 PM
Maddoc, is there any chance that when you lifted the pin, that it killed part of the trace? If lcreech is right, and the trace continues after going under the pin, maybe that connection somehow lost continuity when you lifted the pin. I'm thinking about trying the pin cutting method, tomorrow afternoon. Maybe I'll be the guinea pig here and see if that method works any better. If you decide to try it yourself, first, let me know the results.

P.S. With a little help, I was able to fix the trace with a tiny bead of solder.

groundhog
04-03-2002, 06:28 PM
I am wondering if groundhog may be right...

Well.....I did a search based on the part number that I found on the Atmel & came up with the exact same Diagram & Pinout as posted here originally. Pin 31 is in the exact same location & is WE. It is in fact, the same chip.

DarkWing
04-04-2002, 03:56 AM
So far so good :)

I lifted pin 31 and tied it to pin 32 and my t60 still boots normally.

At least the firmware is safe, if the software gets updated, I'm not worried thanks to extreme (and it's developers of course!).

Thanks for the info, now back to tv, I'm way behind. :D

BBQ-AllStar
04-04-2002, 05:12 AM
Well, so far the score is:

Successful: 3 (scanman0, lcreech, & DarkWing)
Unsuccessful: 2 (maddoc0 & groundhog)

Hmmm, I need better results b4 I screw with my only Tivo. BTW, what units were successful & unsuccessful. So far, DarkWing did it on a Sony T60...what unit do you have scanman0? groundhog? maddoc0? lcreech?

TIA,

BBQ

AlphaWolf
04-04-2002, 11:25 AM
<RANT>
I hate to spread rumors, but word has it on AVS forum that tivo 3.0 will use an encrypted guide system, whereas the unit dials in, downloads a decryption key, then uses that key to receive the guide data. Standalone tivos will be downloading the guide data from the discovery channel somehow, and dtivos will (I guess) keep getting it from their current source.

Word also has it that the software is currently in beta, and will likely be deployed to the field at the end of this month.

It seems to me that whether you block updates or not, one will be inevitable and required in order to continue using your unit, unless of course you decide to modify the current 2.5 software to a certain extent. So the question is, how do we get the guide data on the units which we prefer not to dial in? Probably something that we can't do anything about until the time arrives? I myself think that there must be a way we can somehow have the tivo parse the normal DTV guide data into its own guide.
</RANT>

IWantMyDTV
04-04-2002, 11:30 AM
Originally posted by BBQ-AllStar
<...>
I've just heard rumors that beta testing will begin by end of this month
<...>

<fact>
Beta testing of 3.0 for SA is long over. They have been doing release candidates for the last month or so, so they are very close to the final code base. They do not mix the SA and DTiVo early access groups, so I wouldn't know where they are at for DTiVos.
</fact>

<speculation>
I have heard that 3.0 was to be the rollup code (Both SA and DTiVo on the same version), but now plans are that the DTiVo version will be out sometime closer to christmas. (Possibly in sync with the release of DTiVo Series 2 boxen?)
</speculation>

IWantMyDTV
04-04-2002, 11:35 AM
Originally posted by AlphaWolf
<RANT>
I hate to spread rumors, but word has it on AVS forum that tivo 3.0 will use an encrypted guide system, whereas the unit dials in, downloads a decryption key, then uses that key to receive the guide data. Standalone tivos will be downloading the guide data from the discovery channel somehow, and dtivos will (I guess) keep getting it from their current source.
</RANT>

Nothing is changing there. This is how it has been on SAs since the first TiVo rolled off the assembly line. The only thing that will change for SAs is the fact that the bulk of the data will be delivered over The Discovery Channel through a form of VBI data, with dial in delivery as a fall-back option.

As for DTiVos, they would need to change the way that all the other non TiVo receivers get guide data before they could encrypt it.

IWantMyDTV

groundhog
04-04-2002, 11:39 AM
...what unit do you have scanman0? groundhog? maddoc0? lcreech?

I have a DSR6000R

superzap
04-04-2002, 11:54 AM
Originally posted by IWantMyDTV

As for DTiVos, they would need to change the way that all the other non TiVo receivers get guide data before they could encrypt it.

IWantMyDTV

I don't think this is correct. There are 2 forms of guide data the one used by other receivers and the one used by DTiVos and UTVs ( I think it's called the APG).

lcreech
04-04-2002, 12:11 PM
I did my mod on a sony sat-t60, I will also try it on my virgin dsr6000, when I can get the kids off it.

IWantMyDTV
04-04-2002, 12:12 PM
Originally posted by superzap
I don't think this is correct. There are 2 forms of guide data the one used by other receivers and the one used by DTiVos and UTVs ( I think it's called the APG).

The RCA DRD430RG featuring the 'Advanced Program Guide' (New) (http://www.energenix.com/rca-drd430rg.html)

AlphaWolf
04-04-2002, 01:04 PM
<mumbling complaint>
So the tivo company doesn't even make the guide then...so what the hell is the subscriber paying a monthly fee for? the software itself? what a ripoff. Before I could see the use in that by them providing the guide service, and it was sort of like an everquest thing, but since directv provides the guide service, there should be no additional cost. These things probably cost about $100 to make and in most cases they sell for well over $300, shouldn't that about cover the software?
</mumbling complaint>

Well, least that keeps me a bit more at ease that the 3.0 deployment won't take us out of commission :D

IWantMyDTV
04-04-2002, 01:22 PM
Originally posted by AlphaWolf
<mumbling complaint>
So the tivo company doesn't even make the guide then...so what the hell is the subscriber paying a monthly fee for?
I bet TiVo doesn't even see half of the $10 that DTV collects. I know this type of pay structure pretty well, and DTV is making out like a bandit.
These things probably cost about $100 to make and in most cases they sell for well over $300, shouldn't that about cover the software?
</mumbling complaint>
You're joking, right? It's a known fact that TiVo was losing money on each SA TiVo sold. It's a loss leader for them, and they have bet the farm on getting it back and more in subscriptions. I won't even go into detail on how much money it costs for each box to be able to connect to the internet commercially.

As for DTiVos, DTV has now made the same bet that TiVo made before. (Except that after a box is paid off, it's all profit for DTV.)
Well, least that keeps me a bit more at ease that the 3.0 deployment won't take us out of commission :D
It would be a sad day indeed when my DTiVo stops working. ;)

Seadog
04-04-2002, 01:23 PM
Hi everyone.....
This is my first post at DealDatabase, but I've been reading all I could, for the past few weeks, and I want to send a very special Thank You to all of you who gave such excellent info. on How to's, and also to the brave souls that wrote all the scripts.
We all know who you are !!!!Thanks PGM, Surgeons etc.etc.
I've bought a Philips 6000 on E-Bay, without the card or dish, and by the time I finished shopping for the rest of the parts, I've spent almost $2000 Can. The biggest expense was for two 120GB HD and for an H card, but i also bought a 3sat dish and a programmer. I've build a one chip emu, and installed it on the DTivo board, wired to a DB9 female on the back panel, for an easy connection to the com. port on the emu computer.
I've installed 25xtreme, and done the service hack, logs, noppv, showcases, and now Atmel AT 49HLV010 pin 31.
This is the first snag I've encountered since the beginning.....no booting, and gibberish code on Tera Term. This gave me the clue of a corrupted code. I can see that other people are having problems with this......so here is how I've fixed mine. Full reset of the board eproms by removing the batt. for a few min. Jump pin 31 and 32. Now it boots OK.
Seadog

onyx00
04-04-2002, 01:26 PM
Being a lowly Computer Engineering undergrad here I am just thinking something here...

Assuming they do try to do a flash update and change the software on the drive, wouldn't it be possible to either:

a.) replace the flash chip (assuming they are commercially available, which I would assume they are) and just re-install software on the drive

or

b.) simply re-flash the chip and as said before re-install the software.

I simply find it hard to believe that having a device in your own house and having full access to it there would be no way to re-take control of the unit if DTV or Tivo decided to become hostile in regards to Tivo users.

lcreech
04-04-2002, 01:39 PM
You are right, you could reflash using a jtag interface if all is lost (no bash), but this requires a bit of soldering on the board. The flash itself is not socketed, so not easily replaced by the novice. I'm considering putting in a socket along with an eprom with the code ripped from the flash so I can have it both ways. Updates if I want, or go back to older stuff if trouble happens.

IWantMyDTV
04-04-2002, 01:42 PM
Hey onyx00! Any word on those drives yet?

With the wrong flash code, there would be no way to boot the TiVo -- No way to flash the on board chip. I think the general idea here is that while it would be possible to desolder the surface mount flash, most would not have the skill to do this (And even less the skill to put it back).

lcreech
04-04-2002, 02:00 PM
It may be possible to do an in-circuit flash with a 32-pin PLCC test clip adapter to a programmer. I've not done this on chips this large but I have done a lot of in-circuit programming using this technique for serial eeproms for nic cards and other consumer electronic things. But the easiest protection, if you can get it right, is just write protect the flash, it's only 1 pin.

superzap
04-04-2002, 02:35 PM
Originally posted by IWantMyDTV


The RCA DRD430RG featuring the 'Advanced Program Guide' (New) (http://www.energenix.com/rca-drd430rg.html)

I may be wrong here but I don't think that receiver uses the same guide data as the DTiVo. The specs for the RCA 430 show a 3 day max lookahead for guide data whereas the DTiVo can have guide data going to 2 weeks.

Sorry guys to seem to get a little off subject, but if the rumors about the guide data being changed to a different form of encryption requiring v3.0 and phone calls are true, these mods might be all for naught.

Edit update:
I just read that the RCA 430 does use the same APG data that is used by the DTiVo. So unless the 430 has a means to get keys to decrypt the guide data this rumor is false. And since the 430 only has enough memory to hold a max of 3 days of guide data it seems more unlikely. Maybe wishful thinking.
As a side note I was also surprised to read that the APG data falls short of the detail provided in the guide for S/A TiVo. That clears up the mystery of why searches on a S/A can find hits that a DTiVo can't. That sucks.

lcreech
04-04-2002, 02:44 PM
Hmmm, a public key server for 30Xtreme?

lcreech
04-04-2002, 02:53 PM
This guide is free and goes out several weeks:

http://www.directv.com/DTVAPP/ProgramGuide
Now if we could just get it into the TiVo

madd0c
04-04-2002, 03:51 PM
BBQ,
I tried the mod on a DSR6000.
So we have two SAT-T60 Sony's that work, and 2 DSR6000 that don't.

I see a pattern :)

Anyone gotten this to work with a DSR6000?

madd0c

groundhog
04-04-2002, 04:11 PM
So we have two SAT-T60 Sony's that work, and 2 DSR6000 that don't.

I see a pattern

Anyone gotten this to work with a DSR6000?


O.K. That's it. I'm holding off on trying the hack by cutting the leg until I see success with a DSR6K. Thanks for your insight, Madoc. You may have saved me one more headache. Somehow I missed confirmation on who had the second Sony....but for now it's not looking good for the Philips.

groundhog
04-04-2002, 04:15 PM
Wait a minute....Didn't Seadog get it to work on a DSR? I don't get the removing the battery part. I removed mine and it did nothing(without the jumper). Plus when I jumpered it back, it booted right up. If something was corrupted, I don't think that rejumpering it would have fixed it.

lcreech
04-04-2002, 04:23 PM
I have one of each. My mod'd sony is working. I'll try the dsr6000 tonight.

BubbleLamp
04-04-2002, 04:42 PM
This may be a long shot, but is it possible that the flash is getting corrupted when people are lifting/cutting the W/E pin? Based on Seadog's fix, would it be wise to power off the box and remove the battery before doing the surgery? Just tossing ideas around.

edit

I'd probably pull the power supply connector off the MB too, since the caps will hold a residual charge for a bit.

I didn't mean to imply people are working on the box with it powered up, bad choice of words!

onyx00
04-04-2002, 04:51 PM
Well shit yeah BubbleLamp, I would think people would be doing this with power removed and battery backup removed.

From my little knowledge of electrical stuff, you never want to have any power in the circuit if you are messing with things. I would say also make sure you don't give the thing a static shock, i.e. make sure you're grounded.

That could definitely cause problems.

rustyfinger
04-04-2002, 06:29 PM
Talk about being on the fence! As if DTV didn't have things all messed up enough, now TiVo has me torn! I am going to hold off a little longer before trying this mod, but the only problem is how long is too long? What a gamble! At this point, I am glad I kept my Sony UTV, which I had written off as never needing again. One thing for sure, I cannot go back to no PVR whatsoever, so the UTV should make a good backup. I am also considering holding on to my extra T60 and DSR6000 until the smoke clears.

What to do!!!!

rustyfinger

groundhog
04-04-2002, 06:40 PM
I'd probably pull the power supply connector off the MB too

Where is the power supply connector? Is that the white ribbon type cable that connects the two boards?

Seadog
04-04-2002, 07:06 PM
"Were is the power supply connector? Is that the white ribbin, type, cable that connects the two boards? "

Yes, that is the one. I had it disconnected as well, and took the battery out also.

The DSR didn't boot up before, but after I've reset and jump 31 and 32, it booted OK
Seadog

lcreech
04-04-2002, 08:22 PM
Both my dsr6000 and my sat-t60 work after this mod. Here is a picture.

slothman
04-04-2002, 09:01 PM
With all this hardware talk about locking down the flash, I wonder, is it really necessary? I mean, the software has to do the actual flashing, so why not try to attack the problem there. This hardware modification seems a little extreme, not to mention potentially fatal (for the box). First I'd see what programs mess with the prom, getprom I know is one of them. I would move them somewhere else if the system doesn't complain about it. If that doesn't work, then you'll have to either recompile the programs commenting out the flash section or patch the programs with noop instructions on the area of the code if source is not available. Lastly you should create a kernel module called noflash.o that would intercept any calls to write to the flash and block them. I think that should do the trick. Any corrections are welcome.

lcreech
04-04-2002, 09:15 PM
Whats to stop tivo/dtv from sending down a self extracting/running flash update from the sat? All the precautions trying to protect the flash or other binaries on the disk could be bypassed this way. The flash hardware protection is only the first step against such a situation.

lcreech
04-04-2002, 09:23 PM
Everything running as root is dangerous. Especially for statically linked binary updates that could cause the most harm.

smeghead
04-04-2002, 09:30 PM
Just out of interest, did anyone who's done this mod verify that the flash can't be written to? i.e. using getprom to write another copy of the current prom image?

I'm waiting for my wife to let me at the tivo for a few days (i.e. leaves town ;)) so I can test a software-based prom protection, as I'm too chicken to start chopping traces and soldering stuff (I'm more of a bits & bytes guy). However, if somebody has a box that is hardware protected, it would make it a LOT easier to test the software mod without risking screwing up the PROM. PM me if you're willing to help.

slothman
04-04-2002, 09:44 PM
lcreech: did you read the part about noflash.o? It's a kernel module. How is a self extracting program even running as root going to bypass the kernel? I doubt tivo would try to craft a self extracting flasher that would do that. They've got other things besides security to worry about.

lcreech
04-04-2002, 09:56 PM
How would you do it? Simple:

rmmod noflash.o

Loadable modules are dangerous too.

Smeghead, what was the command to verify the flash being write protected? I thought it was in this thread somewhere but I didn't see it.

slothman
04-04-2002, 10:12 PM
lcreech: what if you used some kernel module tricks to prevent the module from being unloaded?

lcreech
04-04-2002, 10:34 PM
What can be done in software can probably be undone in software. If there is not hardware support to do something in software via hardware, then software probably cannot do it.

T_RJ
04-04-2002, 10:43 PM
If the module was named with some random or non standard name how could TiVo know what to unload?

This sounds like a plan to me.

The kernel we use is already nonstandard.

There is no way that TiVo could know what we choose to name our personal anti prom module.

This is a non interactive system if you don't let the TiVo call home.

They can download all the shit they want but if our kernel is different than the one their update was intended for it can't work.

IWantMyDTV
04-04-2002, 10:56 PM
Why couldn't they just write a program to unload unknown modules till the flash works? Isn't the source for the kernel available? Why not just compile a kernel with source from noflash included?

Even still, what is to keep them from replacing the kernel on the alternate partition, and boot with that?

smeghead
04-04-2002, 10:58 PM
Originally posted by lcreech
What can be done in software can probably be undone in software. If there is not hardware support to do something in software via hardware, then software probably cannot do it.

Would you care to clarify that? I got lost somewhere between the software and the hardware ;)

Seriously though, I am very much hoping it can be done in software. If and when an update comes down it will try to modify the PROM with software. I'm pretty sure it can be protected using software.

slothman
04-04-2002, 11:02 PM
Not bloody likely. You show me some proof of a reasonably-well hidden kernel module being removed, then I might believe you. Technically you're right, but it would be really really hard for tivo to even think about doing such a thing. Now I've seen lots of articles on hidden module *detection*, but nothing about removal.

T_RJ
04-04-2002, 11:03 PM
No one says you must use the kernel just the way it came.
Actually we aren't using it the way it was provided.
Yes it is open source, open source means you can do with it as you wish.
Change what is known to something that is unknown.
They can't know what you have changed.
Even if the change is only renaming something they expect to be there to something else.

smeghead
04-04-2002, 11:11 PM
Originally posted by T_RJ
If the module was named with some random or non standard name how could TiVo know what to unload?

This sounds like a plan to me.

The kernel we use is already nonstandard.

There is no way that TiVo could know what we choose to name our personal anti prom module.

This is a non interactive system if you don't let the TiVo call home.

They can download all the shit they want but if our kernel is different than the one their update was intended for it can't work.

Ok, I was going to wait until I have something working before I let too much out of the bag here, but what the hell...

The main threat is the kernel, and installable kernel modules. The PROM (or more accurately the Flash) can only be accessed with "permission" from the kernel. There are only a few ways to do this, and only one of them works on the TiVo.

The trick is to stop getprom (and any other downloaded program) from getting permission to write to the flash. This means:
1. modifying the kernel to reject any attempts to get write access to the prom
2. modifying the kernel to refuse to load any modules that are not pre-approved by CRC or other hash mechanism
3. modifying the PROM so that it won't boot with a kernel that doesn't match a known CRC

Ironically, #3 was originally done by TiVo to protect them from us! Now we need to do the same thing to protect us from them :D :D

I've done #1 and am waiting to test it. #2 is pretty easy. #3 needs some input from BubbaJ or somebody else who is comfortable with mucking with the PROM code.

T_RJ
04-04-2002, 11:19 PM
Smeghead let me know how I can help. :D

We are on the same page! :D

I'm just not as versed as some of the DTiVo wizards in rewriting kernels. :rolleyes:

Actually I am not versed at all. :confused:

slothman
04-04-2002, 11:27 PM
smeghead: yep, you're right. #3 is the only one that would work because tivo could replace the kernel and then we'd be screwed. I forgot about that. However, there is option #4, prevent tivo from replacing the kernel. That would eliminate the eeprom programming requirement, making it much easier.

smeghead
04-04-2002, 11:31 PM
Originally posted by slothman
smeghead: yep, you're right. #3 is the only one that would work because tivo could replace the kernel and then we'd be screwed. I forgot about that. However, there is option #4, prevent tivo from replacing the kernel. That would eliminate the eeprom programming requirement, making it much easier.

Exactly. That is why the PROM needs to be mod'd too - to stop the box from booting with a Tivo controlled kernel which could write to the PROM and re-lock it so we couldn't get back in. Can anybody say "spy vs. spy" :D
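
An added example (not code from this thread, from TiVo, or from any of the posters) of the allowlist logic behind smeghead's steps 2 and 3 above: a verifier that only boots a kernel, and only loads a module, whose digest is on a list that lives in the write-protected PROM. The kernel and module images, the partition names and the allowlist contents are constructed stand-ins. The thread talks about a CRC; a CRC32 is kept here only for comparison, because a CRC detects accidental corruption but is not tamper-evident, so the decision uses SHA-256.

```python
"""Allowlist check for the kernel/module plan discussed in the thread.

Added example, not the thread's or TiVo's code.  Images, partition names
and the allowlist are constructed; the real on-PROM layout is not shown.
"""
import hashlib
import zlib
from typing import Dict, Iterable, Optional


def crc32(image: bytes) -> int:
    """The CRC the thread mentions.  Kept for comparison only: a CRC is
    good at catching bit-rot, not at resisting a deliberately crafted
    image, so it should not be the thing that gates booting."""
    return zlib.crc32(image) & 0xFFFFFFFF


def digest(image: bytes) -> str:
    """Cryptographic digest used for the actual allow/deny decision."""
    return hashlib.sha256(image).hexdigest()


class BootVerifier:
    """Models code that would sit in the PROM (step 3) and in the kernel's
    module loader (step 2).  With pin 31 held high the PROM is read-only,
    so a downloaded update cannot rewrite the allowlist it carries."""

    def __init__(self, approved_kernels: Iterable[str],
                 approved_modules: Iterable[str]) -> None:
        self._kernels = frozenset(approved_kernels)
        self._modules = frozenset(approved_modules)

    def kernel_allowed(self, image: bytes) -> bool:
        return digest(image) in self._kernels

    def module_allowed(self, image: bytes) -> bool:
        return digest(image) in self._modules

    def select_boot_partition(self, partitions: Dict[str, bytes]) -> Optional[str]:
        """Step 3: boot the first partition holding an approved kernel.
        Returns None (halt) when none is approved, so replacing the kernel
        on the alternate partition does not get a foreign kernel booted."""
        for name, image in partitions.items():
            if self.kernel_allowed(image):
                return name
        return None


# Constructed stand-ins for kernel and module images.
OUR_KERNEL = b"our-patched-kernel-" + bytes(range(64))
FOREIGN_KERNEL = b"downloaded-kernel-" + bytes(range(64))
NOFLASH_MODULE = b"noflash.o-" + bytes(range(32))
UNKNOWN_MODULE = b"mystery.o-" + bytes(range(32))

# The allowlist is computed when the PROM image is built, never at runtime.
VERIFIER = BootVerifier(
    approved_kernels=[digest(OUR_KERNEL)],
    approved_modules=[digest(NOFLASH_MODULE)],
)


def demo() -> dict:
    """Alternate partition has been overwritten with a foreign kernel;
    the verifier must skip it and boot ours."""
    partitions = {"partition_a": FOREIGN_KERNEL, "partition_b": OUR_KERNEL}
    return {
        "boot_from": VERIFIER.select_boot_partition(partitions),
        "foreign_kernel_allowed": VERIFIER.kernel_allowed(FOREIGN_KERNEL),
        "noflash_allowed": VERIFIER.module_allowed(NOFLASH_MODULE),
        "unknown_allowed": VERIFIER.module_allowed(UNKNOWN_MODULE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the thread circles around is that the allowlist only helps if it is stored somewhere the updater cannot reach, which is exactly what the pin 31 modification provides; a check living on the same writable disk as the kernel could be replaced along with it.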

lcreech
04-04-2002, 11:39 PM
This is starting to get interesting. Maybe we should bump up the ratings.

madd0c
04-05-2002, 01:08 AM
BUT, Ok so someone has the mod working on a DSR6000. Now WHY can't 2 other people get it working. I tried the jumping to +Vdd, and it wouldn't boot. I now KNOW it wasn't a corrupt flash, because when I reconnected the trace, it is working fine...If the flash was corrupt, reconnecting the trace should still leave the machine dead.

There MUST be some difference between the machines that this works with and those that it doesn't.

for lcreech and T_RJ and smeg, I would LOVE to see you guys succeed with some sort of software mod, because I am NOT touching that pin again any time soon...24 hours without my DTIVO was scary enough! heheh I Think it was really the fact that I just screwed up about $500 worth of hardware that has made me gunshy.

madd0c

lcreech
04-05-2002, 01:21 AM
madd0c,
I'll ask the obvious, I'm running 25Xtreme on both my boxes. Are you?

onyx00
04-05-2002, 03:14 AM
It's 12:26 A.M., do you know who's writing to your PROM?

j/k sorry, just couldn't resist.

davez
04-05-2002, 09:44 AM
I have a sony T-60
I pulled the "WE" line open and the unit would no longer boot. Then, after reading some posts on this thread, I tied it to pin 32, which when measured with a volt meter tested around 3.2v.

My tivo now works. I assume that the leg did need to be pulled high and that "floating" did not work.

I also assume that "WE" held high prevents programming to the prom.

:)

I guess I will find out if they ever send down a prom upgrade and I don't get it :)


>> side note <<

I remember the old days when you had to modify the serial eeprom on the Direct Tv rcvr's and if the eprom was write protected on power up the unit would not boot.. Maybe this is the same way and using pin32 to pull it up creates that split second delay that allows it to post? Just a thought. It would be interesting to know if the "floating" "we" line works on non D-Tivo units

groundhog
04-05-2002, 11:49 AM
My tivo now works. I assume that the leg did need to be pulled high and that "floating" did not work.

I tried connecting to 32 when my unit wouldn't boot & it still wouldn't boot. However, my fix was different because I cut the trace instead of lifting the pin. I'm still looking into cutting the pin & tying to 32 later today. I'll let you know the results if I do it.

yngdiego
04-05-2002, 12:09 PM
Originally posted by madd0c
BBQ,
I tried the mod on a DSR6000.
So we have two SAT-T60 Sony's that work, and 2 DSR6000 that don't.

I see a pattern :)

Anyone gotten this to work with a DSR6000?

madd0c

What method(s) did you use on the T60? So far I've seen the following:

1. Lift the pin from the pad and nothing else
2. Lift the pin and add a 10K pull up resistor
3. Cut the trace leading to the pin
4. Install a switch with a pull up resistor
5. Tie the pulled pin to the pin next to it (+5?)
6. Others?

I think cutting the trace is the easiest (no heat to fry the chip), but others don't think it's a good idea.

lcreech
04-05-2002, 12:47 PM
I've only done #5.
#3 Cutting the trace may not work for several reasons, we don't know that this trace terminates at the flash, if it does fine, but you may still need a pull up.

madd0c
04-05-2002, 01:24 PM
In answer to your question,
Yes, both my units were xtreme 2.5'd.
Mine wouldn't boot with pullup or tying to pin 32.

I have a Sat-T60 on the way and I may play with it when I get it.

madd0c

groundhog
04-05-2002, 04:08 PM
SUCCESS!!!

Same DSR6000. I removed the battery & Pwr supply cable overnight, heated and lifted the leg, soldered it directly to Pin #32. IT WORKED. I fully booted & had to fake a new phone call because I didn't have it plugged into the sat & it thought that it was September. I can't confirm 100% functionality until I get home and hook it to the Sat, but I'm pretty convinced that it's working perfectly.

BBQ-AllStar
04-05-2002, 04:21 PM
That's good news groundhog...

Now I might open my only DSR6000 this weekend...

Thanks for all the info guys...this site rules!

Now, as smeghead stated...next on the list for the brains out there is
modifying the PROM so that it won't boot with a kernel that doesn't match a known CRC!


BBQ

degobah9
04-05-2002, 05:21 PM
found the answer..sorry

scanman0
04-06-2002, 12:34 AM
If Tivo was STUPID enough to actually do some of the things that have been posted earlier in this thread, such as:

Call in to get a key, and authorize the download of the guide data, based on this key, based on the crypto chip....Blag...blagh..


Tivo knows the ONLY reason there are NOT many slice file creation tools floating around, with the ability to create slice files from many source data streams all over the net, is the simple fact that most people around here want them to survive, and prosper. I have a lifetime sub on my box. But if Tivo decides to stop my "locked" version of their software from working, with some new SW, I'll be in the forefront of "ALTERNATIVE" slice files, and this could be the END of Tivo's control of my system. I've already told them to shove the firmware update, and if they decide I can't get guide data from them, so be it, but they will GENERATE a NEW IMPROVED "EXTREME" hack, that will leave them totally out of the loop. If they cut the guide off, there are MANY sources to get the data, so any attempt to close their stream will INCREASE the HACKING and REMOVE any dependence on their influence, as slice file alternatives become MAINSTREAM, and erode their service to NOTHING.

So if Tivo wants to survive & prosper, it won't be by "fully locking" their guide data, as it's WAY TOO LATE for that. If Tivo did do the nasty, I look forward to the challenge to make the Tivo Service meaningless....BUT, if they act honorably, I see no reason that such tools will be created, as I believe all here feel as I do, and want only the best for Tivo.


(end of editorial)

Taran
04-07-2002, 02:31 PM
I saw another post on this question but I didn't see a direct answer. Has anyone tested the update of their prom after doing this MOD? It is all great that your TIVO still boots but what a waste of time if you don't test it and see if it really blocks updates. Using the

getprom -Update prom.bin

and updating it back to v2.0 prom then try to get in with BASH or something like that. Uploading an old prom seems to be the easiest way to test this and should be done by everyone when updating the hardware to make sure they really are blocking updates...

Thanks..

Taran...

smeghead
04-07-2002, 04:18 PM
Originally posted by Taran
I saw another post on this question but I didn't see a direct answer. Has anyone tested the update of their prom after doing this MOD? It is all great that your TIVO still boots but what a waste of time if you don't test it and see if it really blocks updates. Using the

getprom -Update prom.bin

and updating it back to v2.0 prom then try to get in with BASH or something like that. Uploading an old prom seems to be the easiest way to test this and should be done by everyone when updating the hardware to make sure they really are blocking updates...

Thanks..

Taran...

It should be sufficient to attempt to rewrite the current bin for the prom. This should just fail, but is benign either way.

Reverting back to the 2.0 prom may cause problems leading to an unbootable box - not sure on this but I wouldn't want to do it.

BTW, initial testing on my modified kernel shows that the box boots to a bash prompt - which is a big step which means that kernel is valid, but unfortunately something is wrong because the tivo software never comes up properly and the box ends up in a reboot loop.

Now to figure out what's missing...

superzap
04-07-2002, 04:53 PM
You can't test this by trying to flash with the same hacked prom file i don't think. The getprom program first checks the checksums and if they match won't flash. You might be able to test flash with:

getprom -Update /prom/TiVoProm_2.05.bin

but first make sure you have a copy of the hacked prom file available just in case. If using v25xtreme it should be
/var/hack/tivoprom.205

T_RJ
04-07-2002, 05:50 PM
Superzap

You can't test this by trying to flash with the same hacked prom file i don't think. The getprom program first checks the checksums and if they match won't flash. You might be able to test flash with:

getprom -Update /prom/TiVoProm_2.05.bin

but first make sure you have a copy of the hacked prom file available just in case. If using v25xtreme it should be
/var/hack/tivoprom.205

When you use the getprom -Update (/path/filename.***)
It will flash whatever you tell it to.
Getprom does not check for version.

I had to send a xtremed tivo back to philips for repairs and flashed the prom back to the factory 2.5 prom no problem.
It is the same version as the one used by xtreme. The xtremed prom is just slightly edited.

lcreech
04-07-2002, 05:51 PM
It always passes with the same checksum, so I assume it's not writing as I would expect.

bash-2.02# getprom -Update /prom/TiVoProm_1.84b.bin
Mfg code 0x54 - not Atmel, no lock support
Updating old version:

TiVoProm Monitor, release version 2.05 (ntsc)

Erasing FLASH
Updating FLASH
............................................done. New version:

TiVoProm Monitor, release version 2.05 (ntsc)

Good checksum - 0x00C08BE7
bash-2.02# getprom -Update tivoprom.205
Prom update not required
bash-2.02#

madd0c
04-07-2002, 05:58 PM
That doesn't sound like a good sign that your prom is protected. Especially the first response from getprom:
Erasing FLASH

If you were truly protected, the program should fail at this point with an error returned.

I have a bad feeling that if your info is correct, then the flash IS NOT protected.

madd0c

lcreech
04-07-2002, 06:09 PM
What you say is correct for a well written piece of code. What if it verifies the checksum, then tries to write without error checking? That would describe what I just posted. Here is more proof:

bash-2.02#
bash-2.02# getprom -Update /prom/TiVoProm.pal.bin
Mfg code 0x54 - not Atmel, no lock support
Updating old version:

TiVoProm Monitor, release version 2.05 (ntsc)

Erasing FLASH
Updating FLASH
............................................done. New version:

TiVoProm Monitor, release version 2.05 (ntsc)

Good checksum - 0x00C08BE7
bash-2.02# getprom -Update /prom/TiVoProm_1.84b.bin
Mfg code 0x54 - not Atmel, no lock support
Updating old version:

TiVoProm Monitor, release version 2.05 (ntsc)

Erasing FLASH
Updating FLASH
............................................done. New version:

TiVoProm Monitor, release version 2.05 (ntsc)

Good checksum - 0x00C08BE7
bash-2.02# getprom -Update tivoprom.205
Prom update not required
bash-2.02# getprom -Update tivoprom.205
Prom update not required
bash-2.02#

superzap
04-07-2002, 06:18 PM
Originally posted by T_RJ
Superzap



When you use the getprom -Update (/path/filename.***)
It' will flash what ever you tell it to.
Getprom does not check for version.


Not true. It does not check the version id, it compares checksums. If the checksums don't match, getprom will flash, if checksums match will not.
Here are checksums:
0x00C08E9C 2.05 ntsc unmodified
0x00C08BE7 2.05 ntsc hacked

I have another version of the hack that I created which has the version changed slightly so that a getprom -version will make it easy to identify. And this version has yet another checksum value. You can tell what version is in your prom by using getprom -checksum.

T_RJ
04-07-2002, 06:21 PM
Oops I stand corrected. :p

This is why I love this site you never stop learning. :D

Taran
04-07-2002, 06:27 PM
Ok, so people here are flashing their units back to different numbers however can someone verify what happens if your prom is locked (ie: pin 31)??? Can someone post what it says and verify that it doesn't update?

My guess is you could:
update to a normal 2.05 and see what error you get, then update back to the hacked prom and see if it says your CRC is the same. That would mean that 2.05 didn't take and the CRC in the PROM hasn't changed..

superzap
04-07-2002, 07:01 PM
If I understand what lcreech is saying, the box has the 31 pin mod on, but does not really accept the flash changes. The getprom program thinks the flash is working but always comes back with the same checksum 0x00C08BE7, which indicates a hacked prom is still in the chip, therefore the hack is working.
I would have thought some kind of error would be reported, but in any case the result is what counts.
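
An added example (not code from this thread, from getprom, or from any poster) that models the verification Taran proposed and lcreech's result above: a flash chip whose erase and program cycles are ignored while WE# is held high, an updater that, like the thread's getprom output, skips the write on matching checksums and reports a "good checksum" without checking that the write took, and a check that decides protection by comparing the read-back checksum after programming a different image. The chip model, the additive checksum and the two images are constructed stand-ins; getprom's real checksum algorithm and the SST/Atmel command sequence are not on the page.

```python
"""Model of the pin-31 (WE#) write-protect check discussed in the thread.

Added example, not the thread's or getprom's code.  The flash model, the
additive checksum and the image bytes are constructed stand-ins.
"""
from dataclasses import dataclass

SIZE = 256  # constructed: a tiny "flash" so the example runs instantly


def checksum(image: bytes) -> int:
    """32-bit additive checksum (constructed; not getprom's algorithm)."""
    return sum(image) & 0xFFFFFFFF


@dataclass
class Flash:
    """Flash chip whose erase/program cycles are gated by the WE# pin.

    write_enabled=False models WE# held high (pin 31 lifted and tied to
    pin 32): the chip ignores erase/program commands and, like the real
    part, raises no error.  Reads always work.
    """
    contents: bytearray
    write_enabled: bool = True

    def erase(self) -> None:
        if self.write_enabled:
            self.contents[:] = b"\xff" * len(self.contents)

    def program(self, image: bytes) -> None:
        if self.write_enabled:
            self.contents[:] = image

    def read(self) -> bytes:
        return bytes(self.contents)


def naive_update(chip: Flash, image: bytes) -> str:
    """Updater mimicking the thread's getprom transcript: it skips the write
    when checksums already match, otherwise erases and programs without
    checking whether the write actually took (constructed behaviour)."""
    if checksum(chip.read()) == checksum(image):
        return "Prom update not required"
    chip.erase()
    chip.program(image)
    return "Good checksum - 0x%08X" % checksum(chip.read())


def verify_write_protect(chip: Flash, other_image: bytes) -> bool:
    """Taran's test: program a *different* image and compare the read-back
    checksum with the one taken before.  An unchanged checksum means the
    chip ignored the write, i.e. the WE# protection works.  Programming
    the same image proves nothing, because the updater short-circuits on
    a checksum match.  On an unprotected chip this really does overwrite
    the flash, so keep a copy of the current image before running it."""
    before = checksum(chip.read())
    if checksum(other_image) == before:
        raise ValueError("test image must differ from current contents")
    naive_update(chip, other_image)
    after = checksum(chip.read())
    return after == before


# Constructed images standing in for the hacked 2.05 prom and an older one.
HACKED_PROM = bytes((i * 7 + 3) & 0xFF for i in range(SIZE))
OLD_PROM = bytes((i * 2) & 0xFF for i in range(SIZE))


def demo() -> dict:
    protected = Flash(bytearray(HACKED_PROM), write_enabled=False)
    unprotected = Flash(bytearray(HACKED_PROM), write_enabled=True)
    return {
        "same_image_message": naive_update(protected, HACKED_PROM),
        "protected_ok": verify_write_protect(protected, OLD_PROM),
        "unprotected_ok": verify_write_protect(unprotected, OLD_PROM),
        "unprotected_now_holds_old": unprotected.read() == OLD_PROM,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lesson madd0c and superzap draw above holds here too: an updater that never reads back cannot tell a silent no-op from a successful write, so the only trustworthy signal is the checksum (or a full dump) taken after the attempt, compared against the one taken before.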

lcreech
04-07-2002, 07:33 PM
superzap you understand me correctly. Thanks for explaining it.

T_RJ
04-07-2002, 07:37 PM
This is a Good Thing. :D :D :D :D :D :D ...etc

madd0c
04-07-2002, 08:27 PM
I stand corrected :)

That's good news then. I am with Superzap though, I would feel better if it resulted in an error when it tried to write the chip. But I guess we'll know when your DTIVO is still functioning and we are struggling with V3.0 :p

Once my new Sat-T60 gets here I am going to try to remove my prom(on the "damaged" DSR6000<heh>) and socket the pcb so I can change it out If I need to. Gotta get some schematics for an eprom reader that will read the chip so I can back it up. Any thoughts on this?

madd0c

Taran
04-07-2002, 08:51 PM
Thanks superzap for explaining that and thanks lcreech for doing the test and posting it for us. I guess I should do this.... How are you guys lifting pin 31 up?? Do you cut it then lift it or are you unsoldering it from the board???

Taran

lcreech
04-07-2002, 09:36 PM
With my magnifying headset on, I heat pin 31 with my iron set to 800 degrees in one hand and pry it up with the tip of an exacto knife with the other hand. Then I tied it to pin 32 with a small piece of blue wire. As seen on page 5.

superzap
04-07-2002, 09:38 PM
See lcreech's photo here ===> http://dealdatabase.com/forum/attachment.php?s=&postid=39565

The ideal thing would be to use a SPDT switch in case you ever wanted to flash.

Taran
04-07-2002, 11:06 PM
Sounds cool, thanks for the information.... :)

madd0c
04-08-2002, 03:33 AM
If anyone has just jumped to the last page of this thread without reading the whole thing, I just wanted to let you know that the "pin" we are messing with is on a surface mount TSOP chip with a "J" type pin placement. This means the pin has THREE 90 degree (or so) bends in it after leaving the plastic package. (or at least the one in my dsr6000 did).

This means when you are trying to pry up the pin, it has another 90 degree bend AT THE END OF THE PIN. You can't see this one, it is under the chip. So please think twice about doing this before attempting. If you can't change the DIMM chips in your computer then close this thread now and walk away :)

I am trying to get a hot air rework device (pencil) in to possibly remove the chip entirely and place a socket there. If I do that, I will dump the chip for anyone that wants it...may be a couple of weeks before I get the rework station in, and ignore my earlier post about info for an eprom reader for this chip, I got the schematics in my hand for one :)

Thanks,
madd0c

T_RJ
04-08-2002, 07:34 AM
madd0c

You can dump it using getprom.

getprom -dump filename

latitude45
04-08-2002, 09:30 AM
Just did the mod last night. Works fine but, if I had it to do over, I would cut the pin half way instead of pulling it out of the board. Just in case I wanted to put it back. I don't have any idea how many layers this board has.

Just for the poll, DSR6000.

mvette
04-08-2002, 12:07 PM
Just did the mod took about 5 min with no problems.. I was going to cut pin 31 but I did not have any thing small enough to cut it, I went ahead and pulled the 31 pin out. I then used a small wire with one end stripped and the other end to hold, add solder to the stripped end and just used enough heat to get it to stick to pins 31 and 32

T_RJ
04-08-2002, 12:13 PM
You need to lift pin 31 from the MB


Edited

mvette, thanks for editing your post; it had me concerned some ppl might just try and short pin 31 to pin 32 without lifting pin 31 from the motherboard.

groundhog
04-08-2002, 12:25 PM
If my memory is correct regarding past hardware mods (ex: Planker), the WE pin is usually tied to Ground. I'm hoping that you just forgot to mention that you lifted it before tying it to pin 32. Otherwise you're risking tying +5V to Ground. I don't think that would be a very good idea. :(

mvette
04-08-2002, 12:44 PM
I changed my first post to say that I did pull the 31 pin. Thanks for adding your guys comments. I would hate for someone to follow my post and to think they do NOT have to have an open between 31 and the board, which would be wrong you do have to pull or cut 31 before you connect to 32.

groundhog
04-08-2002, 04:59 PM
If anyone has just jumped to the last page of this thread without reading the whole thing, I just wanted to let you know that the "pin" we are messing with is on a surface mount TSOP chip with a "J" type pin placement. This means the pin has THREE 90 degree (or so) bends in it after leaving the plastic package. (or at least the one in my dsr6000 did).

I've pretty much known from the beginning that if the chip gets killed, I'm Screwed!....But I guess what you are saying, here, is that when you lift the pin, you can't just simply solder it back onto the board? Although I thought that you said that you did that once, or twice?

So.....Say that we're still willing to risk frying another Tivo. The best option would be to find the right type of wire cutters & cut the pin. Heating and lifting doesn't seem like a good option any more.

P.S., I visited a local electronics store. The only wire cutters that I could find, that would work, cost $22.

madd0c
04-08-2002, 05:34 PM
Hey,
No, I am not saying you can't solder it back, what I mean to say is that if you just bend it a little, you MAY not break the contact between pin/pad because of the extra pin length BEHIND the current pad.

I pulled it by placing wire wrap wire around the pin and then heating the pin while pulling on the wire. I think I almost broke the pin because the wire got trapped in the "J" portion once the solder lifted.

Scared me, but you can bend it back down and touch it with an iron and it will reseat.

Hope this helps,
madd0c

groundhog
04-08-2002, 07:20 PM
Hey,
No, I am not saying you can't solder it back, what I mean to say is that if you just bend it a little, you MAY not break the contact between pin/pad because of the extra pin length BEHIND the current pad.

O.K. Thanks for clarifying that. I did have a hard time with it myself. I used an exacto knife to pry it & couldn't figure out why it wouldn't lift when I heated it. Based on every post before yours it didn't sound like the leg went into the chip. Someone else that was looking at the board told me that it looked like it went through the board (and warned me not to lift it), but I couldn't tell if it entered the board, or not. Plus a few other people had lifted it, so I figured that it shouldn't be a problem. When I finally got it to lift, I had to use so much force that when it popped up, it came up so fast that I was worried about it breaking at the chip level.

P.S. for anyone else attempting this mod, that may not be an expert at soldering, another word of caution! Double check every single solder point. I had a little solder drip down from where I lifted the pin. It formed into a hairline connection. It actually reconnected to the pad where I lifted the pin from. If I hadn't looked underneath the pin with a magnifying glass, one last time, I wouldn't have caught it. I only noticed it while doing one last check, before plugging it in.

T_RJ
04-08-2002, 07:50 PM
Make no mistake about this fix !

This is precision soldering of surface mounted chips.

If you had trouble making your serial cable this is not for you.

Take it to a local TV repair shop and tell them (print out some of this thread) to do it for you.

lcreech
04-09-2002, 12:16 AM
This mod appears to be scaring a lot of people. It should. Unless you have a lot of experience soldering and a feel for SMT you probably should get someone else who does to do it. And no, the pin does not go through the motherboard. If you didn't know this you probably shouldn't try this mod. To get this kind of experience you need to work on other people's equipment and not your own.

After I've pried mine up I have no intention of bending it back, for metal fatigue could break it off. I'll solder another blue wire to make the connection if I have to re-flash.

groundhog
04-10-2002, 12:40 PM
I've pretty much known from the beginning that if the chip gets killed, I'm Screwed!....

I knew what I was in for when I began this project. I don't disagree with the last couple of posts. If there is any possible way to have someone with experience do it for you, then DON'T DO IT YOURSELF. I decided to try anyway, with full knowledge of the risks, and it was successful. I suck at soldering & I was able to do it. It's not impossible. If you have no other options & you SERIOUSLY ask yourself, "Can I afford to kill this Tivo" & the answer is "Yes", then it's not impossible to do if you're not fully experienced. Personally, this was an extra unit. I am convinced that there is a good chance of a prom update in the future, and I wanted to make sure that I had at least one unit that would block it. I'm going to do the mod again, but I definitely am going to involve someone with a lot more experience than myself. DON'T DO THIS IF YOU CAN'T AFFORD TO LOSE A TIVO. Seriously, ask yourself that question. But, I would have to disagree with the thinking that it can't possibly be done if you're not an expert. If you have no other resources & are willing to take a huge risk, then practice soldering a few other things first, then go for it.

Taran
04-10-2002, 01:10 PM
I think the biggest thing people need to know when soldering to a microchip is NOT to heat the chip. Tin the wire (put the solder on the wire first), then heat the wire and touch the pin (i.e. #31 or 32) for a split second (until the wire is stuck). If you heat the chip too much it will never work again. Again, to keep from overheating the chip I would suggest cutting #31 and not heating and pulling. (Just some ideas from past experience modding circuit boards.) (I AM NOT AN EXPERT)

groundhog
04-10-2002, 02:38 PM
Here are some helpful soldering links:

http://www.allsands.com/HowTo/howtosolder_cc_gn.htm
http://www.aaroncake.net/electronics/solder.htm
http://www.robotstore.com/download/How_to_solder_1.pdf
http://ourworld.compuserve.com/homepages/g_knott/elect3.htm

I would also strongly suggest reading & re-reading this post for precautions that you should take. Once again, make sure that you disconnect the battery and power supply. Avoid static electricity &, if it's not mentioned in one of the above links, I'm pretty sure that the solder sticks better if you scrape the metal on the leg of the chip a little first.

I had to heat the pin for over 5 (maybe 7 or 8) seconds to get the solder to stick right (*EDIT*: using a 15W grounded iron). Someone posted here that it couldn't handle more than 10. A split second wouldn't be long enough. If you don't get the solder to stick to the pin correctly, the heat from the drives, etc. could possibly cause the wire to fall off and land on one of the other pins later, causing major damage. Make sure that you have a solid solder point, without overheating the chip.

groundhog
04-11-2002, 04:30 PM
P.S. earlier, I mentioned that I could only find wire cutters for around $22. I visited Radio Shack yesterday and they had some that were the same exact size for $4 or $5.

Soleil
04-12-2002, 11:14 AM
Thanks Guys,

Can someone confirm that cutting pin 31 is as good as pulling it (electronically speaking)?

With my abilities it seems easier, with less chance of breaking something, to cut it and then solder the jumper.

I just want to make sure that it will do the job, which is to write protect the prom.

Thanks in advance,

Soleil

groundhog
04-12-2002, 12:13 PM
From the very first post in this thread, the suggested way to perform this fix has been to cut the pin. It does the exact same thing electronically as heating and lifting, and is much less dangerous. The main reason that I think most people heated and lifted the pin was because it is hard to find a wire cutter small enough to work. By all means, if you can find the right tool, that is the way to go.

lcreech
04-12-2002, 12:20 PM
It is. But I don't like to do it because if you have to reattach a wire, the shard left on the pad can easily cause a lot of grief when it moves while you are soldering there. Someone also voiced some concern about heating the chip too much. I don't think this is much of a problem. If too little heat is used, prying the leg up will damage the trace on the board. Keep in mind we're only talking about 1 pin; the whole chip was heated and soldered into place all at once.

groundhog
04-12-2002, 10:12 PM
Based on lcreech's last post, and my last fix, I'm now suggesting NOT cutting the pin. I found a pair of wire cutters that were SO small (1/2 the size of the ones I saw at Ratshack). I tried cutting the pin & I still couldn't get between the other 2 pins. Once I thought I had a grip on it, and tried cutting it again, all it did was rip the leg at board level. That made it even harder to lift the leg, because it was still wedged against the board. I was able to lift it. I soldered it to a lead with a 10K 1/4 watt resistor, with heatshrink covering the resistor and its legs, and soldered from 31 to 32. All is well. Works great....but I know that I'll never be able to get access to a solder point where the leg came from in the future. Heating and lifting worked better, for me.

AlphaWolf
04-12-2002, 11:10 PM
I am not going to do this mod because 1) I don't use the tivolution magazine/showcases so; 2) I blocked the TIVOR channel through mvchannels which completely blocks downloading any slice files from the satellite.

However, should I ever consider doing this, would it work for me (a soldering novice who is only experienced with building his own hardware from raw materials, never dealt with surface mount) to just cut the trace leading to the pin, and then use something as simple as a bread twist wire (anchored down somehow of course to prevent it from moving around) to connect 31 and 32?

Undoing this would be as simple as removing the wire and adding a dab of solder into the trace cut.

scanman0
04-12-2002, 11:53 PM
I didn't think that my original post would have caused such a stir.....

1. Do NOT cut ANY trace on the motherboard.

2. Cutting the write enable pin (31) and leaving it floating has been a problem. Tie it to +5 volts.

3. As stated, if you don't plan on adding a switch to re-connect it, using the 10K resistor is not needed, and soldering it to pin #32 (vcc) is a very good way to go.

Let me restate that you can very easily achieve this hack:
Here is the most simple version I have come up with, and perhaps I should post pictures....

1. heat up a 25 watt iron.

2. place a piece of dental floss behind the pin and LOW to the surface of the chip.

3. DO NOT place any tension on the floss BEFORE the pin is heated, as this WILL allow you to pull the trace off the circuit board!!

4. Heat the PAD on the circuit board for 2-3 seconds....THEN gently pull on the floss, and the leg of the chip will EASILY lift slightly.

5. If you apply pressure to the floss BEFORE you start heating the pin, you could VERY EASILY pull the pin up BEFORE you heated the pin to the point that it will separate from the trace. The trace will break and/or separate from the board at a lower heating point than the pin will come free from the board, so applying force to the pin PRIOR to heating the solder is a bad idea.

6. Don't be too overcautious that you'll fry the chip, as it'd take over 15 seconds with an ungrounded 100 watt iron to actually do damage to the chip. Be more concerned with the circuit trace on the circuit board. Even then, you'd be unlucky to fry the chip.

7. Cutting the pin is not really possible unless you have medical surplus type instruments, as even the best pair of nips will not get in there, and you risk breaking and/or bending the neighboring pins.

8. I highly recommend you use wire wrap type wire, or strip a piece of speaker wire and use a single strand of such wire to tack the lifted pin to pin #32. DO NOT bend the lifted pin to pin #32. Do NOT place a BIG SOLDER GLOB between the 2 pins.

9. You do NOT need to remove the battery from your Dtivo, BUT you MUST have it powered off, and remove the drive assy. Removal of the bat. will mess up your units time/date stamp, and cause problems....I repeat....don't remove the battery.

If you do either, the bending back or removal of the solder glob will be another problem if you must reverse this mod in the future.

Peace

Scanman

:D

BubbleLamp
04-13-2002, 03:01 AM
Originally posted by AlphaWolf
I am not going to do this mod because 1) I don't use the tivolution magazine/showcases so; 2) I blocked the TIVOR channel through mvchannels which completely blocks downloading any slice files from the satellite.


Heh Alpha, I remember PGM saying something about not being able to stop updates.

There simply is something preventing the service download. BTW, channel 100 is NOT the download channel. It's TIVOR, which is assigned a number of 100 but is NOT tuned to the same frequency, so seeing channel 100 is NOT an indication that MVC is fine!!!


Have you confirmed nothing comes down? Did you just hide TIVOR?

scanman0
04-13-2002, 03:45 AM
I'm now pissy drunk, and had a friend bring his box over for the eprom flash protection mod...Whoa...Not something to do on an empty stomach, and half a bottle of vodka...but I did it anyway...

Since I'm half crocked, threading half a strand of floss and getting it to feed thru the other side of pin #31 is not happening, so I grabbed a dental pick, heated the pin, and then just pried the pin straight out...(Just like I did the first time on my box......)

See, I'm too drunk to even walk to the pisser without hitting a wall, so I talked my friend into moving the light and focusing my camera to grab this shot... Yes, I did pry off the PCB, and yes, there is a scrape mark, but not enough to cut a trace...


If I can do it, this messed up....you got it, sober...


(BELCH)

:)

scanman0
04-13-2002, 04:53 AM
Just looking at my soldering...doesn't the right side look like a chicken head? Looks like the chicken is trying to take a bite out of C367....Hehe

:p:D

scanman0
04-13-2002, 06:45 AM
I don't really believe that anything we do as far as "blocking" updates will help:

1. Editing mvchannels to block the download of:

#TIVOR:100:100:0:0:1
#TIVOD:101:101:0:0:1


As it will stop the nightly download of the crap guides....


Then we can go all thru the rc.sysinit, and chattr...and delete the offending files...

The bottom line, in my opinion, is that they can force a new s/w upgrade and make the unit re-boot to it, regardless of ANYTHING we do to the old sw. This will include a new firmware "shit on me" upgrade in the process.

Unless you have disassembled "myworld", you can't really know what they can do...

Now, we have leveled the field a wee bit, in letting them know that if they do some stupid crap, like attempting to lock the prom, they have just thrown down the LAST card, and the new project will be the end of their guide data, as we then start making slice data from ANYWHERE but tivo....HINT HINT ....I really hope that they don't attempt to do what I think they are going to do....as it will force them into a corner, and I can expect people other than Australians, and our very north neighbors, to be placing FULL slice files up for d/l....

T_RJ
04-13-2002, 12:05 PM
Nothing prevents tivo from using a channel other than 100 to accomplish the same thing.

When and if they decide to do this there is no way of knowing which channel they will use.

Hardware prevention is the only proof positive way to stop a prom update.

BubbleLamp
04-13-2002, 12:10 PM
Originally posted by scanman0
Just looking at my soldering...dont the right side look like a chicken head ? looks like the chicken is trying to take a bite out of C367....Hehe

:p:D

So it's a little pecker? :D

AlphaWolf
04-14-2002, 12:03 AM
Look for these in the channels.dat. Make sure that last number is a zero and you should be all set I think....just mvchannels.tcl reset, mvchannels.tcl reload, and plain mvchannels.tcl.

TIVOR:100:100:2859:387:0
TIVOD:101:101:2859:388:0

I can't really say that this works; however, in this configuration, I never see the red light come on at 2:30 in the morning. I looked on the information screen and it says the last service data download was about a week ago (around the time that I applied this). Of course you also effectively stop the tivolution magazine and showcases from coming down too. (I tried them thanks to PGM, but they were just novelty to me. Not worth it if I can't really secure my tivo from tivo :) ) About dave changing the update download to be from another channel, how would the tivo know which channel to look for it from? And if mvchannels is keeping the channel list constantly under control, how would they add another channel to get it from?

Astrogoth
04-14-2002, 12:25 AM
If we do the hardware lockdown mod and *someone* comes up with an improved firmware, say 30Xtreme, we'll have to undo our work. Quite a few people have used the, how shall I say it, "destructive desolder" method where the pads come up from the PC board. This is a real pain to fix in most cases.
Knowing there is a new firmware coming soon would help those of us about to do the mod. I'd rather not wait unless I have a reason to. Should I wait?

lcreech
04-14-2002, 01:58 AM
Astrogoth

This is a control thing. Do you want an upgrade without your knowledge that "will fix things", or a controlled upgrade so you can have it your way, i.e. Burger King? This mod is not for the masses, since the general public cannot handle a soldering iron, much less SMT devices, but still we are only talking about 1 pin, and it's not that hard to undo if you got this far.

groundhog
04-15-2002, 12:59 AM
I was one of the people that screwed up the board, but I'm pretty sure I could make sure the chip is write enabled again. On my original fix I did follow and confirm where the trace went. It goes to an area of the board that would be easy to solder to. I recently became a little concerned about this fix when my RCA IRD with the Planker mod gave me a "several software upgrades have failed, please call your hardware manufacturer". Then it stopped working. A soft reboot cleared it up, but it made me think, for a sec. On to some software fixes.

Question: With this hardware mod, is there anything besides the hard drive or the card that can be written to at this point? I was hoping that, worst case, the boot sector of my HD might prevent me from reinstalling something like 25extreme, but even if that happened, I could just use another drive. But this RCA mod trying to shut itself down thing threw me for a loop. What got written to in that case? It couldn't have been the card, because all I did was reboot it, and didn't touch the card, and it worked again.

smeghead
04-15-2002, 04:09 AM
I've attached a kernel which will disallow writes to the Flash/PROM. If you are interested in trying this out, please read all the following carefully.

This is not a completely secure protection. It can be circumvented by one of two methods:

a) Somebody (e.g. TiVo) installing a kernel module that accesses the flash directly (working on this one)

b) Somebody (e.g. TiVo) installing a new kernel and rebooting (as I said before, this requires some input from someone with good powerpc/prom skills - BubbaJ where are you?)

Having said that, it will prevent a flash write by any user-mode program. Any program attempting to write to the flash will be killed with a segmentation fault. You can monitor access to the flash by looking in /var/log/kernel and/or /var/log/messages, presuming you haven't disabled syslogd and klogd.

You will notice that all attempts to talk to the flash are initially requested as read/write, even those that don't need write access. These are converted to read-only requests and "getprom" is none the wiser, as long as it doesn't actually try to do a write (in which case it is killed).

To install this kernel, do the following (this presumes that your root filesystem is /dev/hda4 and therefore the kernel is on /dev/hda3. Check this with "mount" first) :

dd if=vmlinux.px of=/dev/hda3 bs=1k count=997

Then reboot. Obviously you need to get the file onto your TiVo first, using FTP or similar -- MAKE SURE you transfer the file in BINARY mode!

I would also recommend that you make a backup of your existing kernel prior to doing this. You can back up the kernel with

dd if=/dev/hda3 of=kernel.dat bs=1k count=1072

That way you still have the original if you need to modify the flash (or if you have problems :( )

This is not for the faint of heart - right now it's mostly for test purposes so use at your own risk. I don't think it will cause any problems, but caveat emptor

BubbaJ
04-15-2002, 09:31 AM
With the current upgrade path, a new kernel is flashing the bios anyhow. With the current upgrade path, this hack is irrelevant.

You could alter the prom to ONLY boot from the kernel on hda3, and ONLY mount root from hda4, and that would give some significance to the program, but if TiVo could still send down an upgrade, they could just as easily upgrade /dev/hda3 with a new kernel (losing their failsafe of course).

As I've mentioned before, I don't think that TiVo is going to mess around with the prom issue any more. If they make a prom that defeats extreme it also defeats their own fail safe, then they may have to deal with serious fallout from legitimate customers. That's just my take on it though..

smeghead
04-15-2002, 01:42 PM
Originally posted by BubbaJ
with the current upgrade path, a new kernel is flashing the bios anyhow. With the current upgrade path, this hack is irrelevant.


Thanks for the vote of confidence :p but that's not really the point of this modification. The point is to prevent unexpected changes to the flash. Once a new upgrade has been tested under controlled conditions and been found to be safe (or been hacked), the update can then be allowed. The trick is to stop the new kernel from being loaded in the first place.

Originally posted by BubbaJ
You could alter the prom to ONLY boot from the kernel on hda3, and ONLY mount root from hda4, and that would give some significance to the program, but if TiVo could still send down an upgrade, they could just as easily upgrade /dev/hda3 with a new kernel (losing their failsafe of course).


Actually, I was thinking of going a bit further - modifying the prom to ONLY boot from a kernel that matched a checksum stored on the prom when the prom was "locked". That was the bit I was asking for help on - I know what, I'm just not sure of how. In addition, at lock time, the checksums of all loaded kernel modules, plus an encrypted password, would need to be stored on the prom.

Here's the scheme in simple terms:

1. User runs a "lock" utility, supplying a password.
2. Modified Kernel checksums itself and all the loaded modules. Stores this info and the password on the flash, and sets a flag (also stored on the flash) to enable lock mode.
3. From then on (until unlock is run with the correct password), the kernel won't allow either write access to the flash, or modules to be loaded that don't match the stored checksums.
4. The prom has been modified as part of this scheme so that it will refuse to boot a kernel that does not match the stored checksum in step 2.

Using this method, the kernel stops access to the prom, and the prom stops the kernel from being changed. Tivo can download and write whatever kernel they like to wherever they like, but they won't get it to boot.

Originally posted by BubbaJ
As I've mentioned before, I don't think that TiVo is going to mess around with the prom issue any more. If they make a prom that defeats extreme it also defeats their own fail safe, then they may have to deal with serious fallout from legitimate customers. That's just my take on it though..

You may be right, but smart people have been wrong before - take this quote from Vorlon001 for instance...


"And......to any site claiming that a certain HU loader will become an unlooper as soon as software is developed....you know who you are!...it ain't gonna happen with a regular unlooper/loader...PERIOD!"


And we all know how that turned out :D
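The four-step lock scheme above, worked through as an added simulation (not code from the thread or from the TiVo kernel): a stand-in for the flash NV record holds the kernel and module checksums, a salted password hash and the lock flag; the PROM-side boot check, the kernel-side module and flash-write gates, and unlock are each a function. Record layout, SHA-256 as the checksum and PBKDF2 for the "encrypted password" are my assumptions, not the thread's.

```python
"""Simulation of the flash-lock scheme (added illustration; all names and the
record layout are assumptions, not the thread's or the TiVo kernel's code)."""
import hashlib
import hmac
import os


def checksum(image: bytes) -> str:
    """Checksum of a kernel or module image (SHA-256 assumed)."""
    return hashlib.sha256(image).hexdigest()


class Flash:
    """Constructed stand-in for the flash chip's non-volatile record."""

    def __init__(self):
        self.locked = False
        self.kernel_sum = None
        self.module_sums = {}
        self.salt = b""
        self.pw_hash = b""
        self.log = []            # what /var/log/kernel would show in the thread

    def write(self, field, value):
        # Software equivalent of the WE# gate: once locked, every write is refused.
        if self.locked:
            self.log.append(f"DENIED write to {field}")
            raise PermissionError(f"flash is locked; write to {field} refused")
        setattr(self, field, value)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def lock(flash, kernel, modules, password):
    """Steps 1-2: record kernel/module checksums and the password, then set the flag."""
    if flash.locked:
        raise PermissionError("already locked")
    salt = os.urandom(16)
    flash.write("salt", salt)
    flash.write("pw_hash", _hash_password(password, salt))
    flash.write("kernel_sum", checksum(kernel))
    flash.write("module_sums", {n: checksum(img) for n, img in modules.items()})
    flash.write("locked", True)      # last write: this flips the gate closed


def unlock(flash, password):
    """Clears the lock only if the password matches the stored hash (constant-time)."""
    if not hmac.compare_digest(_hash_password(password, flash.salt), flash.pw_hash):
        flash.log.append("DENIED unlock: bad password")
        return False
    flash.locked = False             # the one path allowed to reopen the gate
    return True


def prom_boot_allowed(flash, kernel):
    """Step 4, PROM side: locked => boot only the kernel recorded at lock time."""
    if not flash.locked:
        return True
    return hmac.compare_digest(checksum(kernel), flash.kernel_sum)


def kernel_load_module_allowed(flash, name, image):
    """Step 3, kernel side: locked => only modules matching a recorded checksum load."""
    if not flash.locked:
        return True
    expected = flash.module_sums.get(name)
    return expected is not None and hmac.compare_digest(checksum(image), expected)


def kernel_flash_write(flash, field, value):
    """Step 3: a write attempt while locked fails (the thread's kernel kills the process)."""
    try:
        flash.write(field, value)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    fl = Flash()
    kern = b"constructed kernel image v1"              # constructed sample images
    mods = {"ide.o": b"ide module", "dss.o": b"dss module"}
    lock(fl, kern, mods, "hunter2")
    print("boots recorded kernel:", prom_boot_allowed(fl, kern))
    print("boots pushed kernel:  ", prom_boot_allowed(fl, b"pushed kernel"))
    print("flash write while locked:", kernel_flash_write(fl, "kernel_sum", "x"))
    print("unlock with wrong pw:", unlock(fl, "wrong"), "log:", fl.log)
```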

dsboyce8624
04-15-2002, 03:51 PM
ROFLMFAO

lcreech
04-16-2002, 12:58 AM
Huh? ROFLMFAO?

Anyway, given that linux does not require a bios (did you know that?), only for primitive initialization of hardware and booting, upgrading the bios may not be necessary unless the kernel and bios are locked or married in some way. Else everything could be done inside the kernel.

qman
04-16-2002, 01:28 AM
Instead of modifying the flash chip, would one of these "bios savior" devices work instead? I use them on PCs and they do the job nicely.

Various versions depending on CMOS flash type
http://direct.mwave.com/mwave/doc/A06950.html
http://direct.mwave.com/mwave/RD18.html

madd0c
04-16-2002, 01:35 AM
very interesting idea, but one SMALL problem.

The Prom is not socketed on the DTIVOS. It would require a SMT rework station to remove the chip safely. Scanman probably has the capabilities to socket his PROM, and I am waiting on my Metcal 500xp to arrive in the mail (thanx ebay!), so I will have the tools, if maybe not the skill...Scan care to make a roadtrip ? :)

But yes, it is a very interesting idea.
madd0c

lcreech
04-16-2002, 01:37 AM
Qman,

I don't think so. The flash in the dTivo is a surface mount square package leadless chip carrier (SMT PLCC) that is not socketed. This solution requires a lot more surface mount factory expertise and experience than most of this audience has.

scanman0
04-16-2002, 11:54 AM
Actually, it's not even needed to remove the chip, if you wanted to add a second ROM and toggle between the two ROMs.

I have done this on my PC, long before the "bios savior" was created. All that is needed is to take the second chip and bend the bottom of the "J" pins so they all go straight down. Mount the second chip directly on top of the old chip.

All that you need to do is then lift pin #22 (/Chip Enable) from the original chip. Lift pin #22 from the new chip, and tack solder ALL of the remaining pins of the new chip to the pin legs of the old prom.

Then use a dual throw dual pole switch to either tie:

1. OLD chip pin #22 to ground, and new chip #22 to +5 volts (Old chip active)
2. NEW chip pin #22 to ground, and old chip #22 to +5 volts. (New chip active)

To program the new chip, boot the unit up with the old chip active. After you're up and at a bash prompt, just throw the switch and re-flash. This will flash the new chip. This is a great setup if you are writing your own bios, as you can toggle back & forth to recover from errors & debug it.

T_RJ
04-16-2002, 12:04 PM
Cool

DTiVo / Prom burner

scanman0
04-16-2002, 10:05 PM
To place a socket "piggyback", instead of a second chip, with the switch, it does then become a true programmer.

I have done this kind of stuff from way back before there was even a 286 PC.......even an 8088, or an 8086...(I'm not that old)....I had 3 ROMs stacked with a dial switch, back on my Commodore 64 PC. This awesome box was sporting a fast as hell 1 MHz processor, and 64 k of ram, with this neato "ROM" that could be toggled in and out of the tight ram space...I also did this with expansion cartridges, as I needed to swap my hack cartridges in and out of the tight space, in real time....I even had to use a Dremel tool on part of the keyboard, to allow the head space for the third rom to fit.

I can claim that I was the first to do this hack, for any kind of PC.

I'm an old school hacker, and know my logic, and have been through the original DeVry Institute (Chicago). I'm known to the professor as the *******, that found 6 errors in his "advanced logic chip design" textbook, as he was so proud of his book, he gave a grade bump in the class for every flaw that was proved to him. I could have skipped his final exam, as I bonused out of needing the final, and his next year text was fault free....Thanks to my free, and excessive "study"......But I think that was his goal..

lcreech
04-17-2002, 02:32 AM
Scanman0,

We must be related, or brothers. I did a hack just like this on my homebrew Apple II clone for non-maskable interrupts. On 2708's if memory serves me right.

rd001
04-17-2002, 10:35 AM
Originally posted by scanman0
...I had 3 ROMs stacked with a dial switch, back on my Commodore 64 PC. This awesome box was sporting a fast as hell 1 MHz processor, and 64 k of ram, with this neato "ROM" that could be toggled in and out of the tight ram space...I also did this with expansion cartridges, as I needed to swap my hack cartridges in and out of the tight space, in real time....


Your remarks reminded me of my old analysis of the ubiquitous C64 Fastload cartridge. I had no knowledge of hardware at all and was puzzled by the big capacitor sitting on the CE line. So I looked at the code over and over and saw just a tiny tight loop that kept hitting the expansion address space somewhere around $D000. It turned out that hitting that address space actually pumped up the capacitor to hold the CE up and make the Fastload cartridge appear at the $C000 address. Once enabled, subsequent reads from the ROM kept it enabled until the user finished with the Fastload utilities.

Just a little trip down memory lane. An elegant little software-controlled bankswitching scheme on the King of the bankswitchers, the venerable Commie 64.

Every now and then, I look at the C64 shops to see the prices they're paying for IDE interfaces and memory cartridges. Hilarious. Did you see the C64 now has an Ethernet card and they're streaming audio over the net with it? http://dunkels.com/adam/tfe/

BubbaJ
04-17-2002, 11:07 AM
Sounds reasonable.

So, you'll need an API for the unlock code, you'll need to block read access to the prom by default, and you'll need a prom that will only boot a kernel that is signed.

Sign your kernel the way that TiVo signed theirs (with your own key) and put the other side in the non-speedboot prom; that way the prom won't boot tivo's kernel, but will boot yours. There's plenty of room in the prom for a password; snoop around in the first 512 bytes, that's the NV storage area, you should be able to find somewhere there. It'd still boot extreme, but unless tivo released an unsigned kernel it wouldn't make a difference, and if they DID release an unsigned kernel, it would be exploitable without the original prom hack.


Originally posted by smeghead

Thanks for the vote of confidence :p but that's not really the point of this modification. The point is to prevent unexpected changes to the flash. Once a new upgrade has been tested under controlled conditions and been found to be safe (or been hacked), the update can then be allowed. The trick is to stop the new kernel from being loaded in the first place.

Actually, I was thinking of going a bit further - modifying the prom to ONLY boot from a kernel that matched a checksum stored on the prom when the prom was "locked". That was the bit I was asking for help on - I know what, I'm just not sure of how. In addition, at lock time, the checksums of all loaded kernel modules, plus an encrypted password, would need to be stored on the prom.

Here's the scheme in simple terms:

1. User runs a "lock" utility, supplying a password.
2. Modified Kernel checksums itself and all the loaded modules. Stores this info and the password on the flash, and sets a flag (also stored on the flash) to enable lock mode.
3. From then on (until unlock is run with the correct password), the kernel won't allow either write access to the flash, or modules to be loaded that don't match the stored checksums.
4. The prom has been modified as part of this scheme so that it will refuse to boot a kernel that does not match the stored checksum in step 2.

Using this method, the kernel stops access to the prom, and the prom stops the kernel from being changed. Tivo can download and write whatever kernel they like to wherever they like, but they won't get it to boot.

You may be right, but smart people have been wrong before - take this quote from Vorlon001 for instance...

And we all know how that turned out :D

Astrogoth
04-17-2002, 11:50 PM
We may not have any more time to fine tune this hack. Slashdot reports 3.0 Beta is out now for the SA Tivos. It also says the update is sent over the air. Unless we develop a 3.0-proof hack pronto, DTivo hacking may become extinct. May, I say.

"I may be paranoid but that don't mean they're not out to get me"

lcreech
04-18-2002, 12:37 PM
This was a good post on slashdot describing 3.0:
http://slashdot.org/comments.pl?sid=31245&threshold=1&commentsort=0&tid=129&mode=thread&cid=3363811

superzap
04-18-2002, 01:07 PM
What proof is there or even a hint from a credible source that this upgrade will come down thru the sat data stream? Is this notion because the UTV get upgrades this way and therefore TiVo will follow suit? It seems to me that TiVo would want to keep the upgrade process consistent between S/A and DTiVos.

michaelk
04-18-2002, 03:10 PM
Originally posted by Astrogoth
3.0 Beta is out now for the SA Tivos. It also says the update is sent over the air.


"I may be paranoid but that don't mean they're not out to get me"

It just says the GUIDE data will be sent over the air - so far nothing about software updates.

Maybe the dtivos will get it over the sat, maybe not. But the SA's still seem to be getting it through the phone...

slothman
04-18-2002, 04:47 PM
This SA 3.0 kind of worries me, since I know it will come over the phone line. I have a 2.0 dtivo that I'm going to upgrade to 2.5, after I do this and force a test call, can it upgrade me to 3.0 on a test call? Or does it have to call out on its own to do that?

sky12
04-19-2002, 08:34 AM
In case anyone is still counting...

I just protected my DSR6000 successfully by lifting the pin and connecting to +5.

yngdiego
04-20-2002, 10:16 PM
Did you use the dental floss/heating the pad method?

lcreech
04-20-2002, 11:08 PM
Slothman,

With the dTivo and Xtreme 2.5 no test calls are necessary, the eeprom is re-flashed