View Full Version : Tiny initrd replacement
alldeadhomiez
02-16-2003, 05:29 PM
Attached please find a small, trivial linuxrc and initrd.
The linuxrc is a MIPS assembly program that just calls exit(0). A successful linuxrc exit status is required by the Tivo kernel mods (init/main.c:768).
The initrd is simply the output of mkcramfs on a directory containing the linuxrc. It is a pleasant 4096 bytes, mostly padding.
Neither file has been tested since I do not have a hacked rom yet (although it has been verified that the linuxrc does not require any support files/libs, and does indeed return 0). Things that might cause this to break:
1) the kernel might not like the cramfs - I think the original initrd may have been a different format?
2) linuxrc may perform other operations to get the box ready or to make the kernel happy. (These could probably be observed by monitoring syscalls, however - it's hard to "hide" things on a unix system because the user/kernel boundary is well defined.)
alldeadhomiez
02-16-2003, 06:14 PM
File is here:
mrblack51
02-22-2003, 09:13 PM
attached is a copy of alldeadhomiez's special linuxrc which has been turned into a romfs image and gzipped. remove the .zip extension for use
mrblack51
03-18-2003, 11:05 AM
you can extract a .gz file with gunzip filename.gz
but, you should understand why you are using something. this is a general message to all, and my final warning on this subject:
the initrd replacement is only for those with a hacked prom. If you have not sent your unit to someone to have the prom replaced, or replaced it yourself, then you do not have a hacked prom. There is no way to hack the prom in place on most units, since they have a 37 series chip.
If you apply the initrd hack to a unit with an unhacked prom, your unit will not boot. if you don't have a backup, then you are screwed. if you do not heed this warning, i will laugh in your face for not reading the blatant warnings.
mrblack51
03-19-2003, 01:51 AM
how do you move these files over to the tivo? via ftp, bash over serial, or by copying them to the hard drive.
however, without a hacked prom, they are useless and pointless, and will cause your unit to not boot
mrblack51
03-19-2003, 02:33 AM
ok, for those with a hacked prom:
you can use the file in its gzipped form. look at a gzip file in a hex editor, the first 3 bytes or so are the same for every one, its the gzip signature. next, determine where the gzip signature is located for your given kernel. then you use dd to copy the file:
dd if=null_initrd.img.gz of=my_kernel_file seek=<location where you found the gzip signature in the kernel> conv=notrunc
you should be operating on a copy of your kernel, and have a backup just in case. if you don't know how to backup your kernel, you have major issues.
mrblack51
03-20-2003, 11:02 AM
Originally posted by orangejaylove
the old faq I found said the kernel img is in partition 3 would that be the same for all?
is it an image file how do I copy this to my harddrive so I can poke around in it and stuff?
the kernel is either on partition 3 or partition 6
if root is hda4, kernel is hda3
if root is hda7, kernel is hda6
you can use dd to pull a backup of the entire partition. lots of info available on that
mrblack51
03-20-2003, 10:48 PM
'man dd'
that will give you lots of info on how dd works
if = input file
of = output file
in unix, pretty much everything can be treated like a file, including disk partitions.
so, dd if=/dev/hda6 of=/path/to/file
that command will read the contents of hda6, or the second kernel partition, and dump it into the 'file' which /path/to points to.
you can't just dump to hdd2...you need to mount your drive, then choose a directory on that mounted drive
mrblack51
03-24-2003, 10:59 AM
you are forgetting how 'of=' works. it writes to either a file or partition. if you say of=/dev/hdd2, then you are saying you want to replace your fat32 filesystem with the contents of the if= file/partition/etc. thats probably not what you want.
remember, you want of=/path/to/mykernel. 'mykernel' doesnt have to exist, but /path/to needs to exist. also, if you did an of=/mnt/c/tivo, then you tried to copy the kernel onto a directory, which is also a no-no.
1) figure out where you want the file, ie: /mnt/c/tivo
2) figure out what you want the filename to be, ie: kernel_backup
3) construct your of= command by using path/filename, ie: of=/mnt/c/tivo/kernel_backup
now you know the of= part, you can try the dd command again
KRavEN
03-25-2003, 10:26 AM
If someone would be so kind as to post a dd image of a hacked kernel with the right initrd already in it then you can use the steps below:
Get the tivo boot disk
put the hacked kernel file on a floppy
put your tivo drive as slave and connect it to your pc
boot from the tivo boot disk
once you are up, go to the tivomad directory and type "bootpage hdb" (or hdd if your tivo is slave on the secondary ide controller)
it will tell you what the current boot partition is hda4 or hda7.
do the - to escape out of there without a change
now take the floppy with the kernel image on it and put it in the a drive
type "mount /dev/fd0 /mnt"
now "cd /mnt" and do an "ls" to make sure the file is there.
now copy the .gz file to / by typing "cp hacked-kernel.img.gz /"
now "cd /"
now "gzip -d hacked-kernel.img.gz"
now you should have an img file in the /
now do a "dd if=/hacked-kernel.img of=/dev/hdb3 bs=32k" if your boot partition was /dev/hda4 or "dd if=/hacked-kernel.img of=/dev/hdb6 bs=32k" if your boot partition was hda7
the records in should equal the records out
now you can power down and put the drive back in the tivo.
If you guys see I missed any steps or misnamed programs like bootpage, let me know cuz I'm just winging it from memory here.
mrblack51
03-25-2003, 02:14 PM
attached is a little program i threw together. it simply looks through the kernel image which you pass to it, and determines the location of the gzipped initrd image by using the gzip signature. it prints the integer location if found, and will also return it for scripting purposes.
once you have the location, you should be able to use dd to drop the nulled initrd onto the kernel image.
editorial note: this code would have been simpler if there was a nice peekchar and peek2char function...bah, then i would have to do more work
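An added example, not mrblack51's attached program and not code from this thread: a small C scanner for the technique described in the posts above (find the gzip signature inside a kernel image, then use that byte offset with dd). It goes slightly beyond the posts by also checking the method and flag bytes from RFC 1952 to skip stray 1f 8b pairs and by converting the byte offset into a dd seek= count; the names find_gzip, dd_seek_blocks and SAMPLE are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample (not a real kernel): a decoy 1f 8b pair at offset 3
 * with the wrong method byte, then a plausible gzip header at offset 9. */
static const uint8_t SAMPLE[] = {
    'K', 'R', 'N', 0x1f, 0x8b, 0x00, 0, 0, 0,
    0x1f, 0x8b, 0x08, 0x00, 0, 0, 0, 0, 0x02, 0x03, 0xaa, 0xbb
};

/* RFC 1952 member header: ID1=1f ID2=8b CM=08 (deflate), FLG with its top
 * three bits reserved as zero; the fixed part of the header is 10 bytes. */
static int looks_like_gzip(const uint8_t *p, size_t remaining)
{
    return remaining >= 10 && p[0] == 0x1f && p[1] == 0x8b &&
           p[2] == 0x08 && (p[3] & 0xe0) == 0;
}

/* Byte offset of the first plausible gzip header at or after `from`, or -1. */
long find_gzip(const uint8_t *buf, size_t len, size_t from)
{
    for (size_t i = from; i < len; i++)
        if (looks_like_gzip(buf + i, len - i))
            return (long)i;
    return -1;
}

/* dd's seek= counts output blocks, not bytes. Returns the seek value for the
 * given block size, or -1 when the offset is not a whole number of blocks. */
long dd_seek_blocks(long offset, long block_size)
{
    if (offset < 0 || block_size <= 0 || offset % block_size != 0)
        return -1;
    return offset / block_size;
}

int main(int argc, char **argv)
{
    const uint8_t *buf = SAMPLE;
    size_t len = sizeof SAMPLE;
    uint8_t *heap = NULL;

    if (argc > 1) {               /* scan a file copy of an image instead */
        FILE *f = fopen(argv[1], "rb");
        long sz = 0;
        if (!f || fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) <= 0) {
            perror(argv[1]);
            return 2;
        }
        rewind(f);
        heap = malloc((size_t)sz);
        if (!heap || fread(heap, 1, (size_t)sz, f) != (size_t)sz) {
            fprintf(stderr, "%s: read failed\n", argv[1]);
            return 2;
        }
        fclose(f);
        buf = heap;
        len = (size_t)sz;
    }
    int hits = 0;                 /* report every candidate, not only the first */
    for (long off = find_gzip(buf, len, 0); off >= 0;
         off = find_gzip(buf, len, (size_t)off + 1), hits++)
        printf("gzip header at byte %ld; dd seek=%ld (bs=1), %ld (bs=512, -1 = unaligned)\n",
               off, dd_seek_blocks(off, 1), dd_seek_blocks(off, 512));
    free(heap);
    return hits ? 0 : 1;
}
```

Run with no argument it scans the constructed sample; given a path it scans a file copy of an image and lists every candidate offset, since a 1f 8b 08 run can also occur by chance inside other data.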
mrblack51
03-26-2003, 02:00 AM
man, im being generous today =)
here is a program i threw together which will automatically replace your initrd with the initrd you indicate. a backup is made automatically.
NOTE: this is c code. i shouldn't have to say this, but i will anyway. remove the .txt extension, compile and go. no warranties, expressed or implied. If you break it, you own both halves.
/*
* replace_initrd.c
*
* Hacked by MrBlack51
*
* Takes a kernel image, finds the gzipped initrd, then replaces
* it with the one specified by the user. A backup is made with
* either the user specified filename, or the inputfilename with
* a ".bak" extension added if no backup filename specified.
* This program will also tell you the integer location of the
* gzipped initrd.img located in a kernel image. I was too
* lazy to do it from scratch, so I based it on Steve
* White's extract-gzip.c
*
* USAGE: replace_initrd <kernel filename> <new initrd image> <backup filename>
*
*/
i.e: replace_initrd /dev/hda6 initrd.img.gz original_kernel.bak
-or- replace_initrd kernel_image initrd.img.gz
if you use "replace_initrd /dev/hda# initrd.img.gz original_kernel.bak" (where # is either 3 or 6) and you have problems, you can restore the old kernel with the following command:
dd if=original_kernel.bak of=/dev/hda#
again, where # is either 3 or 6 as appropriate.
mrblack51
03-27-2003, 02:35 AM
ok, so hopefully we are past the traditional cycle of tool gets released, tool gets berated, various sides express their views...
lets get this thread back on topic. initrd replacements, related tools, etc.
tytyty
03-31-2003, 10:50 PM
how long should it take to dd null-linuxrc.img.gz to the copy of my kernel ?
mrblack51
03-31-2003, 11:52 PM
a few seconds. remember, you need a hacked prom, and this is designed for the s2 units only
well, the c code is for any platform, but the null_initrd is for s2 units only.
if you have compiled it on linux, what command are you trying to use when you run it?
mrblack51
04-01-2003, 01:01 PM
Originally posted by tytyty
I was trying to do the dd if=null_initrd of=saved kernel seek=gzip loc conv=?
It just hung with occasional hd spins.
I then tried mrblack51's replace_initrd which went bada bing
I had bash from setting up unit per Ingeneers thread on tivocommunity so I should be well on my way to breaking something new this evening.
nice to hear some positive reports...and that someone got some use out of it.
oh, and your dd probably had a problem since you left out the obs=1. without that, dd has a set block size, so the seek value would need to be changed.
geowar
04-17-2003, 05:03 PM
Just an FYI: It appears that the flash prom is prevented from being writeable by the OE* pin being low at the same time as WE*. According to the .pdf's this disables writes. If this chip's CE*, OW* & WE* signals are generated by an FPLA then it would probably be easier to reprogram and replace that rather than resolder the prom.
EDIT: BUZZZZ! I was wrong. I did figure out the problem though; The MIPS processor was caching writes (write combining) to the flash preventing it from getting all the right writes in order to go into program mode. The "fix" was to flush the cache after each write. I'm now able to get the SoftwareID and erase sectors (4096 bytes) but any attempt to write to any address below 0x13000 reboots the TiVo. :(
geowar
04-17-2003, 05:31 PM
Originally posted by rc3105
not even having a s2 yet I'm just speculating.... but might that indicate the possibility of assembling a jumper & a few resistors into a write-enable switch ???
boot with a compromised image, flash, remove jumper, reboot any kernel...?
--
Riley
I think it's going to at least take a logic change to prevent OE* during WE*. I'm hoping this will require changing a FPLA (GAL, PAL, etc.) instead of removing, flashing and replacing the prom.
lazerexp
04-30-2003, 10:51 AM
Can you use mrblack51's replacement on any version of the series 2 software?
I assume you can do this with the drive in your computer if you don't have bash.
Is there a place to download the latest version of the tivo OS?
I do have a hacked prom.
Many thanks!
mrblack51
04-30-2003, 11:20 AM
Can you use mrblack51's replacement on any version of the series 2 software?
yup, thats the point of the program
I assume you can do this with the drive in your computer if you don't have bash.
yup, thats the point of the program
Is there a place to download the latest version of the tivo OS?
yup...from tivo. realistically, your best bet is to find a backup from someone and hack it.
lazerexp
04-30-2003, 11:32 AM
Many thanks!
StanSimmons
05-05-2003, 11:45 AM
Originally posted by KRavEN
Since so many people still can't seem to understand how to do this and I get at least 2 PM's a day about it. Here is a link to a kernel image. To get it on extract it and then do:
dd if=/tiny-initrd.img of=/dev/hd** bs=32k
of course substitute the correct letters and numbers for the device.
ftp://tivo:later@ftp.twinbrothers.com/tiny-initrd.img.gz
Many thanks to KRavEN and mrblack51!
My HDVR2 had upgraded via the phone line to v3.1.0-01-2-151, so I had KRavEN replace the prom with a socket and hacked prom. I then installed the tiny-initrd by using:
dd if=tiny-initrd.img of=/dev/hdd6 bs=32k
I then created a rc.sysinit.author file containing:
/bin/bash < /dev/ttyS2 >& /dev/ttyS2 &
and I made it executable with:
chmod +x rc.sysinit.author
When I booted the HDVR2, I was able to get a bash prompt with 9600 bps, 8 bit, no parity, 1 stop, no flow control.
My 3.1.0 software resided on partition 7, I verified which partition had the current software by mounting the partition using:
mount /dev/hdd7 /mnt/tivo
cd /mnt/tivo/etc
cat build-version
to verify the current version number. If the version number doesn't match, check partition 4. If your current software is on partition 4, then you would apply the tiny-initrd.img to partition 3.
Make sure you have the correct drive and partition before you apply the tiny-initrd.img file!
KRavEN
05-08-2003, 11:21 AM
BTW, my tinyinitrd kernel image won't work for the new 4.0 software, you'll have to compile and run MrBlack51's initrd replacement program.
KRavEN
06-11-2003, 09:20 PM
My kernel image won't work for 4.0.
Look on http://tivoutils.sourceforge.net/ and get the utility that removes the initrd and patches the kernel.
TiVOBell
06-11-2003, 09:52 PM
Yes, I tried that, it didn't work. It said it was expecting some string of numbers but instead got zeroes.
I will keep looking and maybe try again tomorrow.
thanks
Tiros
10-23-2003, 08:34 PM
I have a hacked prom.
Is the 3.1.0 kernel any different in the 3.1.1b upgrade?
If not, I suppose I could just use the 3.1.0 kernel that I already have patched with the new 3.1.1b update I just received.
Is there a downside to doing this or is it better to patch the (new?) 3.1.1b ?
mrblack51
10-23-2003, 11:56 PM
Originally posted by Tiros
I have a hacked prom.
Is the 3.1.0 kernel any different in the 3.1.1b upgrade?
If not, I suppose I could just use the 3.1.0 kernel that I already have patched with the new 3.1.1b update I just received.
Is there a downside to doing this or is it better to patch the (new?) 3.1.1b ?
use killinitrd on the new kernel. the only reason to use outdated software at this point is if you don't have a hacked prom (at least for s2 peeps)
enliteneer
01-18-2007, 03:21 AM
Id like to replace my original 2.5 initrd file with MrBlack51's replace_initrd.c file, but not sure how to compile it...
Is there a toolchain/make file thats specific to tivo's mips and will output the file 'tiny-initrd.img'?
Since my tivo hd will be hooked up on the secondary ide, on a pc running from a linux boot cd, to replace my tivo's initrd, I would execute:
dd if=tiny-initrd.img of=/dev/hdd# bs=32k
where # is the number where the tivo hd got mounted? Is that correct?
ScanMan
01-18-2007, 08:49 PM
Since my tivo hd will be hooked up on the secondary ide, on a pc running from a linux boot cd, to replace my tivo's initrd, I would execute:
dd if=tiny-initrd.img of=/dev/hdd# bs=32k
where # is the number where the tivo hd got mounted? Is that correct?
That won't work; I suggest you read through the PROM socketing thread, especially from page 12 on. There are discussions about replace_initrd as well as links to posts containing kernels with the initrd already replaced that you can use.
The alternative is getting replace_initrd.c compiled either on a linux platform or cygwin; you might also look into Jamie's toolchain and MIPS cross-compiler script. Useful for building kernels and compiling MIPS executables.
enliteneer
01-18-2007, 09:46 PM
Thanks, the Prom thread is where I originally downloaded the 2.5 prom image... I havent made any changes to the hard drive yet, thats where Im at... Isnt whats in the prom the boot info? The actual kernel resides on the hard drive and requires the new initrd, right?
Ive just downloaded the "vmlinux_5.4.1-20041222", but seems to be a few years old... will it still work on a 8.x version sa tivo?
The zip contains a config file and a vmlinux.px. How do I execute this on the tivo drive without connecting the drive as a slave on a pc -- I mean, since I cant telnet/ftp/serial to it yet, how is everyone running it?
ScanMan
01-18-2007, 10:55 PM
Ive just downloaded the "vmlinux_5.4.1-20041222", but seems to be a few years old... will it still work on a 8.x version sa tivo?
The zip contains a config file and a vmlinux.px. How do I execute this on the tivo drive without connecting the drive as a slave on a pc -- I mean, since I cant telnet/ftp/serial to it yet, how is everyone running it?
Yes, the kernel needs a null initrd. That kernel should boot fine on your machine, although you may have problems with network (NIC) drivers and 8.1; if you do check the "8.1 and my NIC" thread. Or, get replace_initrd.c compiled and use it on the 8.1 kernel. Also, you'll have to pull the drive and use the 'dd' utility to transfer the kernel (vmlinux.px) into your active boot/kernel partition; don't worry about the config file, it's just the kernel build config info.
enliteneer
01-27-2007, 09:31 PM
Can a tivo boot cd be used to execute the replace_initrd program, or must it be executed via telnet while tivo is running?
I am ready to replace my initrd with the one from the 'null-linuxrc.img.gz' file posted at the start of the thread, however, I am still looking for a compiled version of the replace_initrd... can someone be kind enough to pm that to me??
Thanks!
replace_initrd /dev/hdaX initrd.img.gz backup.bak
PlainBill
01-27-2007, 10:53 PM
Can a tivo boot cd be used to execute the replace_initrd program, or must it be executed via telnet while tivo is running?
It is usually compiled as an i386 executable. Replace_initrd was originally used to neuter a kernel so the system could be hacked. Since you can't telnet into an unhacked system.... Well, I'm sure you grasp the conflict.
PlainBill
NillaZilla
02-04-2007, 07:34 PM
I spent almost an entire day getting the kernel safely off my Tivo drive, remove the initrd, and then put it back. Mostly because I had to build a working linux system from scratch and install developer tools. Even with tivopart to read the drive none of the common Live CD discs seem to have a functional gcc compiler.
I have put linux x86 (Intel) and also Tivo-MIPS versions of the replace_initrd tool in the file (http://www.dealdatabase.com/forum/showthread.php?p=275120#post275120) section. I hope this is useful for PROM modders.
enliteneer
02-07-2007, 03:07 AM
Very cool NillaZilla! Thanks!
I ran the replace_initrd and it seemed to work, it found the initrd and made backups (I executed it twice, partition 3 and 6)
However, the tivo boots up fine, can even make its call via the network like usual, but the telnet and ftp dont work.
These are the only things Ive done on my virgin SA 2.5 540...
1) Upgrade the prom to the hacked 2.5
2) Run the replace_initrd
3) Copied over tivoftpd to 'tivo-hacks' folder in partition 4 and 9
4) Added rc.sysinit.author (executable on both partitions) that starts telnet, ftp, and sets path to tivo-hacks.
Since the rc file uses bash... could the problem be that I need to first have bash installed and running? Or maybe its telnet thats not installed. I didnt copy it over assuming that its already on the default tivo software, but maybe this is the problem?
I tried installing Alphawolf's all-in-one utilities, but I do not have 'cpio' installed so it didnt work. I pushed forward, figuring I would install it AFTER I get telnet up, but perhaps that cant be done like this?
cheer
02-07-2007, 10:34 AM
Telnet should be there, as should cpio. FTP won't be there though, so you do definitely need the AIO utils there for tivoftpd, if nothing else.
More likely, though, the root issue is that you didn't disable iptables. Rename /sbin/iptables to /sbin/iptables.original, then create a new iptables file with the following contents:
#!/bin/bash
exit 0
Make sure you chmod 755 your new iptables. Note that that is a zero after the exit, and not the letter O.
buechel
03-26-2007, 06:09 PM
The rise of the S3 made me switch to using a boot CD from mfslive.org to access the kernel and other partitions.
That Linux CD uses busybox to implement DD. In the busybox implementation of DD, ibs and obs are not recognized, only the more general bs. Therefore I adjusted Mr. Black's original replace_initrd.c to meet this requirement. Please find it attached below:
Might as well post binaries.. The binaries in the other thread weren't taken down.
spike2k5
03-27-2007, 12:14 AM
That Linux CD uses busybox to implement DD. In the busybox implementation of DD, ibs and obs are not recognized, only the more general bs. Therefore I adjusted Mr. Black's original replace_initrd.c to meet this requirement. Please find it attached below:
I can compile and stick in the mfslive iso.
What is the license status? It's freeware right?
buechel
03-27-2007, 04:46 PM
man, im being generous today =)
here is a program i threw together which will automatically replace your initrd with the initrd you indicate. a backup is made automatically.
NOTE: this is c code. i shouldn't have to say this, but i will anyway. remove the .txt extension, compile and go. no warranties, expressed or implied. If you break it, you own both halves.
The original creator hasn't posted to this forum in over a year. His original post seemed to imply that he won't mind.
The code has a reference to Mr. Black but no copyright notice. IMHO (but not authoritative opinion) if you compile and give it away it is okay.
If you do include it on the CD please post a copy of the executable in this thread for users who might not choose to use the mfslive.org CD but still need the tool
Nicer would be a copy gcc was in the mfslive.org for those of us who use cygwin for most everything linux and haven't put in the time to build our own stand alone linux with developer tools.
If a somebody needs gcc, they're probably better off using a regular distro with tivopart (http://www.dealdatabase.com/forum/showthread.php?t=25219) (tivopart makes a tivo drive readable by a regular distro.... read this thread for more info (http://www.dealdatabase.com/forum/showthread.php?p=270018#post270018))
Spike2k5: it'd be nice to have your updated mfstools binaries available at ddb :)
Narf54321
09-27-2007, 08:00 PM
EDIT: Never mind. I see that the binary over in the file section has already been updated.