View Full Version : TiVo Series 2 Prom

08-30-2002, 11:12 PM
I think the better initial approach is to consider altering or wiping out the Prom code that checks for the kernel signing. However I'm not sure of the feasibility. Did anyone mention if the prom is flashable? Or is it remove the PROM time?

Once the PROM is dumped then we can start down a XBOX hacking path.

09-27-2002, 06:56 PM
There have been some interesting posts on the TIVO underground at....


09-27-2002, 08:10 PM
basically, the most feasible short term solution would be to use and eprom programmer to read the data on the tivos prom, then modify it to our liking in the same way that was done with the dtivo, and then write it back to the prom and re-install.

the reason the old methods won't work on the series 2 units is that with series 1, we had a hackable place to start (version 2.0), and could use the tivo to hack itself.

with the series 2 units, we have no base to start from which is hackable. therefore, we need to first get in, and then we can do all the old stuff with some adjustments as needed.

10-04-2002, 07:57 PM
Duplicated from


10-02-2002 09:30 PM

New Member

Registered: Oct 2002
Location: Pleasanton, CA
Posts: 1
I'm new to the forum and am a HW guy. If someone could get an ICE (in circuit emulator) it wouldn't be that hard to find/disable the checks in the firmware. There may be a jumper or resistor stuffing option on the circuit board that would allow the firmware to be reimaged. Or there may be a JTAG header which allows you to program the FLASH. If not it isn't that hard to remove the part and reimage it with a programmer (if someone gives me the part number on the FLASH part) I'll see if I can do that.


Originally posted by jtl
No. The kernel image includes an initrd image, which includes a hash checking executable and a list of files & hashes. These aren't encrypted, but are part of the signed kernel image.

again, the kernel is checked with an ElGamal public key. The public key is easily available, no bus sniffing needed, but it doesn't help.

As to "replace .. in the firmware", how do you propose that? If we could modify the firmware, we'd just disable the checking and be done with it.

10-31-2002, 12:18 PM
here is some interesting info from AVS:

A key decision point appears to be at offset 0x172c in that file. Zero out the four bytes starting at that offset (the bytes are currently 0x40041000 before endian adjustment) and the "\n sha check failed!\n" string never gets printed and the sha check is forced to pass.

// This is where we branch when the SHA check fails!
0xbfc0172c 04400010 bltz v0,0xbfc01770 ; if (v0 < 0) goto 0xbfc01770

// This is where we output a message that the SHA check failed!
0xbfc01770 240200a1 addiu v0,zero,161 ; v0 = 161
0xbfc01774 3c01bfc0 lui at,0xbfc0 ; at = 0xbfc00000
0xbfc01778 a0220000 sb v0,0(at) ; 0(at) = v0
0xbfc0177c 3c02bfc0 lui v0,0xbfc0 ; v0 = 0xbfc0117c
0xbfc01780 2442117c addiu v0,v0,4476 ;
0xbfc01784 00501024 and v0,v0,s0 ; v0 &= s0
0xbfc01788 3c04bfc0 lui a0,0xbfc0 ; a0 = 0xbfc01360 ["\nsha check failed!!"]
0xbfc0178c 24841360 addiu a0,a0,4960 ;
0xbfc01790 0040f809 jalr ra,v0 ; gosub v0
0xbfc01794 00000000 nop
0xbfc01798 087f80c3 j 0xb1fe030c
0xbfc0179c 00000000 nop

0xbfc01360: 0a 73 68 61 20 63 68 65 63 6b 20 66 61 69 6c 65 ; .sha check faile
0xbfc01370: 64 21 21 0a 00 00 00 00 0a 65 78 70 61 6e 64 65 ; d!!......expande

So, if you can desolder your prom and reflash it, you should be able to break into your S2 unit