View Full Version : Digital signature in crypto chip



pasha
06-21-2001, 10:54 PM
Folks,

Seems like spoofing the subscription on Dtivo is not an issue,
the problem comes down to modifying certain system files.
Since they are signed in the Atmel crypto chip, the system automatically recovers them from I don't know where...
Setting the immune bit helps, but looking forward this may break stuff, so now is the time to fix it..
I will release the hack for service spoof as soon as somebody helps me out with the crypto chip.

GITM
06-26-2001, 12:57 PM
Sounds like you have done a lot of digging in the DirecTiVo. Do you know how the "you haven't called TiVo in 30 days" nag system works? I already have a lifetime sub, but I want to stop calling in every month.

It would be nice to start a technical conversation about the authentication system. If I can get the new small backup software to work on the DirecTiVo I will finally be able to start hacking it, and I don't want to retrace steps others have already taken.

-GhostInTheMachine

mrblack51
06-29-2001, 06:38 PM
What type of info are you looking for on that crypto chip? I have a directivo, and a knack for finding info when it's needed. I would definitely be interested in your service spoof hack, so I am willing to learn what I need to in order to help as best I can. Time to put those comp sci classes to work.

Of course, a small backup of the directivo would be very useful in this sort of endeavor.

Sonn
06-29-2001, 10:52 PM
Count me in also, I will help out any way I can. I love to tinker with this stuff.

pasha
06-29-2001, 11:53 PM
sorry for the long wait guys, I've been busy with some personal issues
but here is the deal...
directivo uses digital signatures for IMPORTANT files and it checks them every time it boots
i.e. if you modify your rc.sysinit it will check the checksum in the crypto chip and if it doesn't match it will recover the file from the backup
don't ask me where the backup is... I don't have a clue :(
however today you can fix this by setting the immune bit on the file (ext2 filesystem feature). but tomorrow they may do something to check signature, attempt to recover, hang on failure... :(
so we're gonna even lose the ability to get a bash prompt on it...
so NOW is the time to figure out how to modify files and store changes back to the crypto chip....

KRavEN
06-30-2001, 10:46 AM
It actually mounts an image filesystem on bootup that contains a file with an MD5 sum of all the important files that it checks. When the files do not match that MD5 sum it deletes them and replaces them with the correct files that are also located on the image. It will also remove any files that you add to the filesystem that are not in its MD5 sum file. None of this actually has anything to do with the crypto chip though. I have had a lot of experience with getting around this and dealing with this because I was able to get a TivoNet card into a DirecTivo using some pci extender boards and such to locate it on the other side of the HD bracket. I was fine in the beginning, but then my tivo went over the net and updated my software and prom, blowing out everything I had done.

So, if you know what files I can change and then chattr +i to make it not want to dial in ever again, I would be happy. I already changed it to lifetime service, but in another 5 days it is going to want to dial in again.

I have no intention of ever letting it dial into Tivo again. If the new 2.5 software actually adds the second tuner support and doesn't add encryption, then I may let it upgrade.
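
The boot-time check described in the post above (hash each listed file, restore mismatches from the image, delete unlisted files), sketched as an added example; it is not TiVo's code and was not posted in the thread. The manifest format, the paths and the names `verify_tree`, `md5_of` and `demo` are assumptions. It re-hashes after each restore, so a file that could not be overwritten is reported instead of being silently accepted.

```shell
# Added example. Manifest lines use md5sum's text format: "<32 hex>  <relative path>".
# Function names and all paths are constructed for illustration.
md5_of() { md5sum "$1" 2>/dev/null | cut -d' ' -f1; }

# verify_tree ROOT IMAGE MANIFEST
# Prints one action per line; returns 0 = clean, 1 = repaired, 2 = repair failed.
verify_tree() {
    root=$1 image=$2 manifest=$3 result=0
    listed=$(mktemp) ondisk=$(mktemp)
    cut -c35- "$manifest" > "$listed"          # path column of the manifest
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) > "$ondisk"

    # Pass 1: every listed file must exist and hash to the recorded value.
    while read -r want path; do
        [ -n "$path" ] || continue
        [ "$(md5_of "$root/$path")" = "$want" ] && continue
        mkdir -p "$(dirname "$root/$path")"
        cp -f "$image/$path" "$root/$path" 2>/dev/null || :
        # Re-hash after the copy: a restore that did not take effect must not pass.
        if [ "$(md5_of "$root/$path")" = "$want" ]; then
            echo "RESTORED $path"; [ "$result" -ge 1 ] || result=1
        else
            echo "FAILED $path"; result=2
        fi
    done < "$manifest"

    # Pass 2: files on disk that the manifest does not list are removed.
    while read -r path; do
        grep -Fxq -- "$path" "$listed" && continue
        if rm -f "$root/$path" 2>/dev/null && [ ! -e "$root/$path" ]; then
            echo "REMOVED $path"; [ "$result" -ge 1 ] || result=1
        else
            echo "FAILED $path"; result=2
        fi
    done < "$ondisk"

    rm -f "$listed" "$ondisk"
    return "$result"
}

# Constructed demo tree: one edited listed file and one unlisted file.
demo() {
    d=$(mktemp -d); mkdir -p "$d/image/etc" "$d/root/etc"
    echo 'stock init script' > "$d/image/etc/rc.sysinit"
    (cd "$d/image" && md5sum etc/rc.sysinit) > "$d/manifest"
    echo 'edited init script' > "$d/root/etc/rc.sysinit"
    echo 'extra' > "$d/root/added.sh"
    verify_tree "$d/root" "$d/image" "$d/manifest"
}
```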

pasha
06-30-2001, 11:16 AM
post your e-mail and I will email it to you...
but still I need a way to get around chattr +i
this is temporary solution

pasha
06-30-2001, 11:19 AM
BTW this signature is stored in the crypto chip, and it calculates the MD5 SIGNATURE and checksums and stores them in the crypto chip

KRavEN
07-01-2001, 03:46 PM
I sent a PM to you with my email address.

mrblack51
07-01-2001, 07:59 PM
do we have the part number on the chip? that would seem like a good place to start getting info

Vadim
07-01-2001, 08:02 PM
I'd recommend reading TiVo Hacking, ZipWeep posted a way that changes it.

Lord Magnus
07-05-2001, 02:01 AM
All this talk about the files being replaced if they have an invalid hash has me confused. I modified my sysinit and it wasn't replaced. Where are you running into this issue?

Also, can someone elaborate on the Setup_Bypass mod for bypassing the interactive setup? I am having no success...

pasha
07-05-2001, 08:52 AM
Originally posted by Lord Magnus
All this talk about the files being replaced if they have an invalid hash has me confused. I modified my sysinit and it wasn't replaced. Where are you running into this issue?

Also, can someone elaborate on the Setup_Bypass mod for bypassing the interactive setup? I am having no success...
directivo

Lord Magnus
07-05-2001, 11:27 AM
Originally posted by eel-sushi

directivo

Yea, I am working with a DirecTiVo

KRavEN
07-05-2001, 02:55 PM
It doesn't start happening until your DirecTivo calls in and gets the update to 2.0.1-001-001. Mine used to work fine too. You probably can't mount your /dev/hda4 partition either, right? This isn't created until after the first update is taken. At least that has been my experience on a 2 drive philips directivo.

Lord Magnus
07-05-2001, 03:32 PM
Originally posted by KRavEN
It doesn't start happening until your DirecTivo calls in and gets the update to 2.0.1-001-001. Mine used to work fine too. You probably can't mount your /dev/hda4 partition either, right? This isn't created until after the first update is taken. At least that has been my experience on a 2 drive philips directivo.

That's exactly my system, except I had a single Quantum 40GB.

Did you ever have problems with your system going into a continuous reboot loop? I think my hardware is hosed. :(

mrblack51
07-21-2001, 03:44 AM
well, i was digging in the rc.sysinit from my dtivo, and i saw the following line

if /tvbin/crypto -vfs /var/diag/finaltest.sig /var/diag/finaltest /tvlib/misc/service-v3-s.pub ; then
/var/diag/finaltest

now, that looks like it's using the crypto chip against the signature that is stored. i tried to do a number of commands with crypto, but the only responses were really vague. this type of check occurs multiple times.

of course, this may mean nothing with 2.5 on the way

Vadim
07-21-2001, 10:15 AM
That's in the function runme correct?



Originally posted by mrblack51
well, i was digging in the rc.sysinit from my dtivo, and i saw the following line

if /tvbin/crypto -vfs /var/diag/finaltest.sig /var/diag/finaltest /tvlib/misc/service-v3-s.pub ; then
/var/diag/finaltest

now, that looks like it's using the crypto chip against the signature that is stored. i tried to do a number of commands with crypto, but the only responses were really vague. this type of check occurs multiple times.

of course, this may mean nothing with 2.5 on the way

mrblack51
07-21-2001, 02:15 PM
it's in a couple places actually. the runme function, runfinaltest, and batterycheck

Vadim
07-21-2001, 03:04 PM
I'm trying to figure out what could update the signature.
Can anyone try this
crypto -u -fs "some file"
then try to crypto -vfs that file
thx
I don't have a working tivo now, so I can't try it myself.

mrblack51
07-21-2001, 09:50 PM
#crypto -u -fs ./nonagz.itcl
Option -fs not recognized
#crypto -ufs ./nonagz.itcl
Option -ufs not recognized

Vadim
07-21-2001, 11:25 PM
Try crypto -vfs
on any file.
This should verify the signature..


Originally posted by mrblack51
#crypto -u -fs ./nonagz.itcl
Option -fs not recognized
#crypto -ufs ./nonagz.itcl
Option -ufs not recognized

mrblack51
07-22-2001, 12:04 AM
crypto -vfs wants three arguments. from inspection of the runme function, it wants

crypto -vfs /location/signature.sig /location/signature /location/filename

does anyone have any ideas on how to find out what switches crypto wants? we know it verifies signatures and sets the unit serial number, but it would be very useful if it also created signatures.

Vadim
07-22-2001, 12:17 AM
I'm almost 100% sure it creates signatures. This would be very helpful for 2.5. Then hacking will be so much easier :)
Just need that digital signature or the way to disable tivo from checking it..

It's got to be crypto -u
-u means to update
such as the password or serial number
Hmm
password and serial all were 3 letter and verify signature was also three letters.

So to update it has to be three letters too. Anyone got any ideas?
-srp is to update the password hmm, not sure what it could mean
-vfs = verify file signature.
-ssn = serial number (an extra s?)

I think I got it!!!!!!!! the 1st s means to set.
Set serial number, set the password.
HMMMMMMMM

Someone please try crypto -u -sfs

I'm almost sure it will work.

Got to find what possibly could be used.

dumbuser
07-22-2001, 01:07 AM
crypto -u -ssn "xxxxx" ; to update where xxxxx is in this example the serial number
crypto -gsn ; to show

hope that helps

mrblack51
07-22-2001, 01:11 AM
-sfs isn't a valid option either. doh!

btw, it's great to see a few people jazzed about this topic

pasha
07-22-2001, 01:16 AM
Originally posted by dumbuser
crypto -u -ssn "xxxxx" ; to update where xxxxx is in this example the serial number
crypto -gsn ; to show

hope that helps
good point
then -gxx for get sn=serial number
and -sxx for set sn=serial number
so next step is to figure out how to update
file signature which is more complicated
vfs maybe for verify file signature, but it requires file name and public key... probably u need private key to update...
and other things... which probably will solve most of the problems is to compile our own kernel...
should work...

mrblack51
07-22-2001, 03:00 AM
here is a chart of key combos and the response

key response
-e No Command!
-u No Command!
-v No Command!
-x

mrblack51
07-22-2001, 03:20 AM
here is a chart of key combos and the response.

sections checked
start end
-a -z
-aa -az
-ua -uz
-va -vz

these commands gave me something other than 'Option -xx not recognized'
key response
-e No Command!
-u No Command!
-v No Command!
-x No Command!
-vfs The -vfs option requires 3 parameter[s]
-ssn The -ssn option requires 1 parameter[s]
-gsn 0110000502XXXXX
-srp The -srp option requires 1 parameter[s]

Vadim
07-22-2001, 10:11 AM
OK, that didn't work.

As I see right now to check there is only 1 parameter, to update you need -u (update).

So we are looking for a command with 3 parameters and -u.
-v looks like it means to verify
-u to update
-v unknown
-x also unknown

Now I believe there will be a whole 2nd list of commands when used with -u.
Sort of like a sub-parameter. So there are 2 more sub parameters we don't know what they mean.
And the 3 letter parameter is the main question. To verify the signature you need a public key, but why would it need a private key to set the signature.
Now what are all those parameters that are needed to verify the signature? Key, location of the file? what else?
Help me out people, I think we are onto something big. If you could create your own signatures then you will have no problems.

I just wish I could boot into my other partition to try all these parameters myself.

Vadim
07-22-2001, 10:23 AM
Just a dumb question, did you use -u too?
crypto -u -sfs
cuz it's to update.


Originally posted by mrblack51
-sfs isn't a valid option either. doh!

btw, it's great to see a few people jazzed about this topic

dumbuser
07-22-2001, 02:26 PM
Hmmm... sorry, I'm still trying to catch up here. It seems the goal is to install hacked files and have them signed as legit files.

Has anyone looked into signed slices and having the TiVo do the work?

I know that Jpags has told me in the past that having the TiVo sign the slices is not a problem, so maybe if someone has looked into how the TiVo actually does its updates, we can just create our own little package slice, have the TiVo sign it and get its blessing from the one file?

Vadim
07-22-2001, 05:11 PM
You think you can catch that process and tell us how it's done?

I'm just interested in trying crypto -u -sfs "some file"



Originally posted by dumbuser
Hmmm... sorry, I'm still trying to catch up here. It seems the goal is to install hacked files and have them signed as legit files.

Has anyone looked into signed slices and having the TiVo do the work?

I know that Jpags has told me in the past that having the TiVo sign the slices is not a problem, so maybe if someone has looked into how the TiVo actually does its updates, we can just create our own little package slice, have the TiVo sign it and get its blessing from the one file?

mrblack51
07-22-2001, 05:27 PM
#crypto -u -sfs
Option -sfs not recognized
#crypto -u -gfs
Option -gfs not recognized

Vadim
07-22-2001, 09:23 PM
-gfs must be used without -u since you are not updating anything.

GoneSilent
07-30-2001, 06:20 PM
Still need a key to sign all these files, correct? 12345? How would we find such a key? sign with random keys then check for a boot? or can we use the db of the checksums?

milhouse
08-31-2001, 01:03 PM
This is an awesome thread....though it ended pretty suddenly.

I figure you guys figured it out, or got bumped off (you know...too close to the truth...).

Did you guys figure out how to update the signatures?

Milhouse.

mrblack51
08-31-2001, 08:52 PM
last time i checked, crypto was basically useless for anything except changing the unit serial number. the file signatures are checked using the boot prom image, not crypto. also, the last consensus that i was aware of felt that to make a signature, we would need the private key of a public/private pair.

BubbaJ
09-07-2001, 12:02 PM
and just how big is that prom geez..

This is what I'm gonna find out if worked tonight...

cd tvbin
mv crypto cry
joe crypto
<space> <Backspace>
<ctrl><k><ctrl><x>

and update the line in sysinit to use cry instead.

will it let the files survive? the world may never know...
But I will :)