Standalone Series 2 People Out of Luck?
needo
07-09-2003, 02:40 PM
I've been reading this forum quite extensively and have come to one conclusion.
People who own Series 2 Stand Alones are out of luck.
I currently own a TiVo Series 2 Stand Alone running Kernel 4.x.
BASH-ENV hack will only work on kernel 3.1U5, which only runs on HDTV2. The earliest Series 2 kernel from what I read is 3.2.0, which the BASH-ENV hack is not available for.
I could send it off to Kraven to get the PROM hacked, but still there is not a kernel image out there of 3.1U5 for the Series 2. Same goes for the Monte route.
Please correct me if I am wrong. I would love to throw away my Dazzle DVC-80 and move on to ripping the streams directly from the Tivo.
Thank you.
beanball75
07-09-2003, 03:09 PM
Two kernel (card) monte works but you have to get your hands on a pre 3.2 kernel. I just started on this forum and it seems that people are pretty touchy about noobz asking questions, so I haven't figured out where to get it yet. The 3.1U5 won't work, but there are some out there that do. Somewhere.
David Bought
07-09-2003, 03:26 PM
Originally posted by needo
I've been reading this forum quite extensively and have come to one conclusion.
People who own Series 2 Stand Alones are out of luck.
No, you are not out of luck.
Please do not come here and try to earn our pity. The old timers here like myself have listened to that sort of crap for years and are completely immune to it.
What happened when you tried to boot the 3.1u5 kernel on an SA?
needo
07-09-2003, 03:36 PM
Originally posted by David Bought
No, you are not out of luck.
Please do not come here and try to earn our pity. The old timers here like myself have listened to that sort of crap for years and are completely immune to it.
What happened when you tried to boot the 3.1u5 kernel on an SA?
My intention was not for pity. I apologize if it read that way. I was simply trying to get clarification. I did many searches and read for several hours before posting.
I have not tried booting a 3.1u5 kernel on the SA. I could only find 3.1u5 kernels for the hdtv2 which I do not have. Of the posts I read the general consensus was that this kernel would not work on a standalone. Am I mistaken? I really hope I am! :)
Chiun
07-09-2003, 06:11 PM
Yeah, good luck getting anyone to give a definitive answer on how to get BASH on a SA S2 with 4.0.
Everyone always says "search" for "BASH_ENV", but every thread only talks about the directv tivo's or series 1's. I've spent many an hour looking through every thread that even mentions BASH and I've only got a few pieces of the puzzle.
I'll post some links to the info I've found so far, but I don't know how much help they'll be.
But all that I've found so far is summed up with this: To get any kind of hacks going with 4.0, you either need to A. flash the prom, B. get the 3.0 backup image and use that to get the two kernel monte working, or C. live with what you got.
needo
07-09-2003, 06:15 PM
Originally posted by Chiun
Yeah, good luck getting anyone to give a definitive answer on how to get BASH on a SA S2 with 4.0.
Everyone always says "search" for "BASH_ENV", but every thread only talks about the directv tivo's or series 1's. I've spent many an hour looking through every thread that even mentions BASH and I've only got a few pieces of the puzzle.
I'll post some links to the info I've found so far, but I don't know how much help they'll be.
But all that I've found so far is summed up with this: To get any kind of hacks going with 4.0, you either need to A. flash the prom, B. get the 3.0 backup image and use that to get the two kernel monte working, or C. live with what you got.
Yeah I believe the Monte is the best course of action. I have not yet found a 3.1U5 OS Image though. I'm still searching though. :)
Chiun
07-09-2003, 06:15 PM
You can try and modify the stuff for the HDVR2's (http://www.tivocommunity.com/tivo-vb/showthread.php?s=&threadid=90268&highlight=BASHENV)
This also might help (http://tivo.stevejenkins.com/network.html)
David Bought
07-09-2003, 07:13 PM
I was going to post this earlier but you can thank the vbulletin 1 meg limit and file extension restrictions for ****ing up my upload.
This is the exploitable, BASH_ENV capable 3.1u5 HDVR2 kernel image, gzipped and split into two parts. ConCATenate them, gunzip, and write to a spare partition. A minimal 3.1u5 root partition (that is about 4 megs long) can be found elsewhere in the S2 forum; it contains no tivo software but has enough libraries and binaries to pass the initrd and run init/rc.sysinit/bash. If this kernel boots far enough to get a shell on the tty, you're golden (and please share your experiences for other SAS2 users). If you can't get the BASH_ENV hack to yield a shell on your SA box, either the kernel is incompatible with your box or you are retarded - either way, it's hopeless. Your best bet is to make a scratch image and overwrite hda6/hda7 if you are not familiar with the proper care and feeding of bootpage - then start reallocating space and trying more complicated partition/mounting arrangements after you know the kernel boots properly. GL.
David Bought
07-09-2003, 07:14 PM
part 2
needo
07-09-2003, 07:38 PM
Thank you very much. I'm looking for a root image now and as soon as that is complete I will post my findings. Thank you for your help.
Dr. Phil
07-09-2003, 07:57 PM
Originally posted by needo
Thank you very much. I'm looking for a root image now and as soon as that is complete I will post my findings. Thank you for your help.
I certainly hope you took heed of Mr. Bott's friendly advice to search for a minimal root partition in the Series 2 forum.
needo
07-09-2003, 08:03 PM
Originally posted by Dr. Phil
I certainly hope you took heed of Mr. Bott's friendly advice to search for a minimal root partition in the Series 2 forum.
Yup. For the rest of the individuals out there I found the minimal root partition in http://www.dealdatabase.com/forum/showthread.php?s=&threadid=25219&highlight=minimal+AND+root+AND+partition
His zipfiles. Also mrblack posted a hdvr2-31us site awhile back.
Now to see if hdvr2 will work on the standalone.
Happy Hacking!
David Bought
07-09-2003, 08:25 PM
Originally posted by needo
Yup. For the rest of the individuals out there I found the minimal root partition in http://www.dealdatabase.com/forum/showthread.php?s=&threadid=25219&highlight=minimal+AND+root+AND+partition
His zipfiles. Also mrblack posted a hdvr2-31us site awhile back.
Now to see if hdvr2 will work on the standalone.
Happy Hacking!
Remember: all you need is for the 3.1u5 kernel to run correctly. If you can get that to boot you into a shell, you run monte to boot a 2.4.18 tivo 4.0 kernel and modified 4.0 root partition.
Don't forget about iptables / netfilter. If you don't change the startup scripts on 4.0, iptables will close off many interesting ports (such as telnet and ftp).
mrblack51
07-09-2003, 10:44 PM
well, since no one has been able to produce definitive proof, i will be happy to investigate. of course, i don't have an SA S2. so, if someone wants to buy me one, i will be happy to figure stuff out =)
needo
07-09-2003, 11:30 PM
Originally posted by David Bought
I was going to post this earlier but you can thank the vbulletin 1 meg limit and file extension restrictions for ****ing up my upload.
This is the exploitable, BASH_ENV capable 3.1u5 HDVR2 kernel image, gzipped and split into two parts. ConCATenate them, gunzip, and write to a spare partition. A minimal 3.1u5 root partition (that is about 4 megs long) can be found elsewhere in the S2 forum; it contains no tivo software but has enough libraries and binaries to pass the initrd and run init/rc.sysinit/bash. If this kernel boots far enough to get a shell on the tty, you're golden (and please share your experiences for other SAS2 users). If you can't get the BASH_ENV hack to yield a shell on your SA box, either the kernel is incompatible with your box or you are retarded - either way, it's hopeless. Your best bet is to make a scratch image and overwrite hda6/hda7 if you are not familiar with the proper care and feeding of bootpage - then start reallocating space and trying more complicated partition/mounting arrangements after you know the kernel boots properly. GL.
It seems the gzip is corrupt.
$ cat 31u5.img.gz.1.tcl >> U5kernel.img.gz
$ cat 31u5.img.gz.2.tcl >> U5kernel.img.gz
$ gunzip U5kernel.img.gz
gunzip: U5kernel.img.gz: invalid compressed data--format violated
$ file U5kernel.img.gz
U5kernel.img.gz: gzip compressed data, deflated, last modified: Wed Jul 9 13:49:37 2003, os: Unix
David Bought
07-09-2003, 11:39 PM
Works for me. File sizes are 524288 and 578927 - if yours are different your OS or browser is probably ****ing up CRLFs during the download (use wget or something instead).
If you just use a single ">" during the first cat operation, it will truncate the file to 0 bytes prior to writing, which is desirable.
md5's:
e83da0802f3eed1ba3264d13697db3b2 31u5.img.gz.1.tcl
00a6f6adbaf79f4c57ebba86c676265d 31u5.img.gz.2.tcl
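Added example, not part of the original thread: a shell version of the check described in the post above (compare each part's size and MD5 with the posted values, join with a truncating ">", then test the gzip stream). The function names and the sample data are constructed for illustration; md5sum, gzip, awk, sed, head and tail are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): verify split download parts
# against a posted size and MD5 before joining them.
# Assumes md5sum, gzip, awk, sed, head and tail are installed.
#
# Values quoted in the post above, for checking the real parts:
#   31u5.img.gz.1.tcl  524288 bytes  e83da0802f3eed1ba3264d13697db3b2
#   31u5.img.gz.2.tcl  578927 bytes  00a6f6adbaf79f4c57ebba86c676265d

size_of() { wc -c < "$1" | tr -d ' '; }
md5_of()  { md5sum "$1" | cut -d' ' -f1; }

# check_part FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only if both match. Size is checked first because a
# text-mode transfer that rewrites line endings changes the length.
check_part() {
    got_size=$(size_of "$1")
    if [ "$got_size" != "$2" ]; then
        echo "FAIL $1: size $got_size, expected $2" >&2
        return 1
    fi
    got_md5=$(md5_of "$1")
    if [ "$got_md5" != "$3" ]; then
        echo "FAIL $1: md5 $got_md5, expected $3" >&2
        return 1
    fi
    return 0
}

# join_parts OUT PART1 PART2
# A single ">" truncates OUT first, so a stale file from an earlier
# attempt cannot end up in front of the data. gzip -t then tests the
# stream without unpacking it.
join_parts() {
    cat "$2" "$3" > "$1" && gzip -t "$1" 2>/dev/null
}

# make_sample DIR
# Builds constructed test data: a gzip stream cut into part1/part2,
# plus part1.crlf, a copy of part1 with a CR added at each line end
# to imitate a download that rewrote the line endings.
make_sample() {
    awk 'BEGIN { for (i = 1; i <= 20000; i++) print i }' | gzip -c > "$1/sample.gz"
    total=$(size_of "$1/sample.gz")
    half=$((total / 2))
    head -c "$half" "$1/sample.gz" > "$1/part1"
    tail -c +"$((half + 1))" "$1/sample.gz" > "$1/part2"
    cr=$(printf '\r')
    LC_ALL=C sed "s/\$/$cr/" "$1/part1" > "$1/part1.crlf"
}

# demo: run the checks on the constructed sample and report each result.
demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work"
    want_size=$(size_of "$work/part1")
    want_md5=$(md5_of "$work/part1")
    check_part "$work/part1" "$want_size" "$want_md5" && echo "part1: ok"
    check_part "$work/part1.crlf" "$want_size" "$want_md5" || echo "part1.crlf: rejected"
    join_parts "$work/joined.gz" "$work/part1" "$work/part2" && echo "joined.gz: valid gzip"
    rm -rf "$work"
}

demo
```

For the real files, call check_part once per part with the size and MD5 quoted in the post before running join_parts.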
needo
07-10-2003, 01:39 AM
Originally posted by David Bought
Works for me. File sizes are 524288 and 578927 - if yours are different your OS or browser is probably ****ing up CRLFs during the download (use wget or something instead).
If you just use a single ">" during the first cat operation, it will truncate the file to 0 bytes prior to writing, which is desirable.
md5's:
e83da0802f3eed1ba3264d13697db3b2 31u5.img.gz.1.tcl
00a6f6adbaf79f4c57ebba86c676265d 31u5.img.gz.2.tcl
You were right. Well, I followed all the directions I could find. Mainly followed the step by step directions here...
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=22154&perpage=15&pagenumber=6
I did use the ttys the directions gave. Right now I'm sitting at the grey welcome screen, or GSOD. And have been for about 5-10 minutes.
I'm not going to be able to tell what went wrong until I can get a null modem cable from the office tomorrow.
I'm *guessing* the hdtv2 image was probably incompatible and I have a kernel panic.
I'll post again as soon as I know for sure.
I really wish I would've remembered that null modem cable today. :)
needo
07-10-2003, 10:01 AM
I'm working on my Series 2 Standalone Monte HOWTO now. For reference could someone send me the dmesg | grep hda from a HDTV2?
Thank you.
David Bought
07-10-2003, 11:23 AM
Originally posted by needo
I'm working on my Series 2 Standalone Monte HOWTO now. For reference could someone send me the dmesg | grep hda from a HDTV2?
Thank you.
This probably is not what you are looking for.
Kernel command line: root=/dev/hda7 BASH_ENV=`mount$IFS-n$IFS/dev/hda14$IFS/mnt;echo$IFS/mnt/hacks` console=2,115200
hda: IBM-DEATHSTAR-80GXP, ATA DISK drive
hda: 156303576 sectors (80030 MB) w/2048KiB Cache, CHS=155026/16/63<7>fpga_ide_dmaproc: unsupported ide_dma_verbose func: 11
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13 hda14
Couple notes here:
1) The shell is the goal right now. You have no need or particular desire to get to "Almost there..." until after you monte over to 2.4.18, which you should not worry about at all until you have gotten the shell from the 2.4.4 kernel. Take things one step at a time.
2) The partition layout shouldn't really matter much. For the sake of convenience, if your active kernel/root is (6,7) then just dd the kernel I posted over hda6, and dd an HDVR2 root over hda7. Then install a "hacks" script that runs bash somewhere, and point the bootpage to it. Don't worry about trashing the drive - learning what works is more important than avoiding a reimage.
3) If you really can't figure out what's going on, use a spare LED (if you can) or a removable drive bay to watch the IDE activity light. This will help you trace the boot sequence, esp. if you train yourself on the various stages from a working setup.
4) Anyone who is currently running monte on your SA, feel free to chime in here or, even better, post a copy of the signed exploitable kernel you are using.
needo
07-10-2003, 11:34 AM
Thank you for all your help. I'm going to try again tonight when I have a console cable handy to watch what is going on.
I've already begun a HOWTO to document what I'm doing, and to help others.
I tested my backup and restore this morning and was happy to find that with my current backup I was back up and running where I left my Tivo.
Once I have this fully working I'll post the HOWTO on my website and post the link here.
If anyone else has attempted this before please chime in with your two cents on what works and does not work.
Thanks!
jfunkk99
07-10-2003, 01:10 PM
Have you found anything out yet? Were you able to get it working? I have a new series 2 and want to be able to ftp and telnet to it so I'd be interested in hearing how that went. Thanks.
needo
07-10-2003, 01:31 PM
Originally posted by jfunkk99
Have you found anything out yet? Were you able to get it working? I have a new series 2 and want to be able to ftp and telnet to it so I'd be interested in hearing how that went. Thanks.
Not yet. Attempting again tonight. I have quite an in-depth HOWTO written. It is entirely based on how to do it for a HDTV2 by d7o. With slight modifications for the Series 2 Stand Alone.
I just obtained a non-HDTV2 kernel image so I'm going to try it again tonight now that I have that and a null modem cable.
beanball75
07-10-2003, 01:48 PM
Anyway you can post that non-HDVR2 (I assume that's what you mean) kernel so others can give it a whirl? That's the one thing I'm lacking to get me started.
Thanks! BTW, I really support what you're doing here for us SA folks.
needo
07-10-2003, 01:56 PM
Originally posted by beanball75
Anyway you can post that non-HDVR2 (I assume that's what you mean) kernel so others can give it a whirl? That's the one thing I'm lacking to get me started.
Thanks! BTW, I really support what you're doing here for us SA folks.
It's way too big for this forum, shoot me a PM and I'll send you the URL.
When I publish my HOWTO on my website I'm going to include all Tivo Software and Images needed.
David Bought
07-10-2003, 03:06 PM
Originally posted by needo
It's way too big for this forum, shoot me a PM and I'll send you the URL.
When I publish my HOWTO on my website I'm going to include all Tivo Software and Images needed.
You should be able to gzip and split. The majority of the 2MB or 4MB kernel partition is free space which compresses very well (my original "2MB" kernel fit into just over a meg, or two posts).
needo
07-10-2003, 03:15 PM
Originally posted by David Bought
You should be able to gzip and split. The majority of the 2MB or 4MB kernel partition is free space which compresses very well (my original "2MB" kernel fit into just over a meg, or two posts).
I'll do so when I get home. The file I have downloaded now is the full backup of a 60GB drive. So it's 68MB rar'ed, and a little over 1GB uncompressed.
So... :)
needo
07-10-2003, 05:56 PM
FYI: For people watching at home...
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=25255&highlight=tivoweb
The U5 kernel/FS *will not* work on a S2 Stand Alone.
David Bought
07-10-2003, 07:01 PM
Originally posted by needo
FYI: For people watching at home...
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=25255&highlight=tivoweb
The U5 kernel/FS *will not* work on a S2 Stand Alone.
That's not really what mrblack said though. His quote is:
Don't waste your time, the u5 image wont work on an s2 sa unit for regular use.
which is something that we all should already know. Obviously trying to boot dssapp on a SA with no DSS tuners is not going to work - but it's not the kernel that does it, and you don't have to get that far into the boot process to monte into 4.0.
needo
07-10-2003, 10:31 PM
Has anyone had any luck with the serial cable on a Series 2 Standalone? I can't seem to get any output out of mine, and it's stuck on the Welcome... screen.
Thanks!
needo
07-11-2003, 12:26 AM
I did it!
Pvr - Adding Network Recording Proxy - Input Section
AddInputSection 2
ProcessRemoteFilterChanged db=0 cur=0
ProcessRemoteFilterChanged db=0 cur=0
Scanning for phase4 repair scripts
rc.sysinit is complete
bash: no job control in this shell
bash-2.02#
This is via the serial cable.
Will be posting howto probably on Saturday. (It'll be the first time I have a chance to sit down and write it all out and upload the images.)
If you have any interim questions please ask. Preferably here so everyone can see.
I followed d7o's howto to the letter and found a new OS/Kernel that worked with my Tivo.
I can't type out to the serial, but that's easy enough to overcome.
I did it!
*dances*
I'll post the images hopefully tomorrow. Depending if I can get them over to a PC today.
Chiun
07-11-2003, 03:54 AM
I can't wait needo!
BTW, what Tivo do you have exactly? The 40, 60, or 80 gig model?
needo
07-11-2003, 08:51 AM
Originally posted by Chiun
I can't wait needo!
BTW, what Tivo do you have exactly? The 40, 60, or 80 gig model?
I have the 80GB model and I'm using a 3.0 image from a 60GB model and then monte'ing to my 4.0
I'm currently working on the video extraction piece of it, some of the tools don't work on 4.0.
needo
07-11-2003, 10:06 AM
I lied here's the docs I used. If I left anyone out of the credits please let me know.
http://www.superhero.org/tivo/
Brick
07-11-2003, 02:26 PM
Originally posted by needo
I lied here's the docs I used. If I left anyone out of the credits please let me know.
http://www.superhero.org/tivo/
Needo you are my superhero!!!
Thanks for posting it all on your site.
I can't wait to get home and try it out!!!
needo
07-11-2003, 02:34 PM
Originally posted by Brick
Needo you are my superhero!!!
Thanks for posting it all on your site.
I can't wait to get home and try it out!!!
I'm still looking for the easiest way to extract the .ty streams. If you come up with anything please let me know.
dualfragment
07-11-2003, 04:00 PM
on step 32, it says use /dev/hdc16 but wasn't yours hdc14 in the step 22 above? that part confuses me
needo
07-11-2003, 04:06 PM
Originally posted by dualfragment
on step 32, it says use /dev/hdc16 but wasn't yours hdc14 in the step 22 above? that part confuses me
Sorry missed one. I'll fix it right now.
Please note that everyone may have a different place to put the ROM image. HDTV2 is /dev/hdc16 mine was /dev/hdc14 . It all depends on your TiVo. AFAIK.
dualfragment
07-11-2003, 04:56 PM
thanks, was confused. i sent you a PM btw needo :)
needo
07-13-2003, 01:03 AM
Update:
Maybe someone could help me out. Using mfs_ftp series2 I am able to download the tmf. I am unable to download the ty though.
(No big deal there is a conversion .exe)
However, after I did the kmem hack for unscramble, TivoApp, through Now Playing will not play any of the unscrambled streams.
Anyone else run into this?
needo
07-13-2003, 02:39 AM
For all of you guys the kernel and filesystem I used for the monte trick is now on http://www.superhero.org/tivo/
Chiun
07-13-2003, 06:51 AM
I have the 60 gig SA Tivo. Since you have the 80 gig version, would I still be able to use your kernel and filesystem on mine? Granted that I put them in the correct place.
needo
07-13-2003, 06:59 AM
Originally posted by Chiun
I have the 60 gig SA Tivo. Since you have the 80 gig version, would I still be able to use your kernel and filesystem on mine? Granted that I put them in the correct place.
I assume you're talking about the 3.0 kernel I posted.
Yes you should be able to use them without a problem. They actually originated from a 60GB image.
dualfragment
07-13-2003, 10:07 AM
I can't download the kernel or FS, they both corrupt.
It's very strange on the DL speeds because I have cable and it says that the fs img is going 5MB/sec but that's impossible on my connection and it ends up just being corrupt
fixn278
07-13-2003, 10:45 AM
Originally posted by needo
However, after I did the kmem hack for unscramble, TivoApp, through Now Playing will not play any of the unscrambled streams.
Anyone else run into this?
That is the expected outcome. When noscramble is enabled, you can only play shows that weren't scrambled and vice-versa
needo
07-13-2003, 01:31 PM
Originally posted by fixn278
That is the expected outcome. When noscramble is enabled, you can only play shows that weren't scrambled and vice-versa
So now that I have unscrambled streams I can no longer play them on the TiVo.
What's going on is now that kmem is turned on that *no* streams whatsoever will play on the TiVo. Whether they were recorded a week ago, or 2 minutes ago since kmem got turned on.
Any ideas?
fixn278
07-13-2003, 02:10 PM
If you're saying that even shows you've recorded after patching can't be played, then something is definitely wrong.
Anything recorded after scrambling is turned off should be playable.
If I had to put it in technical terms, I would say something went "kablooey!"
:D
dualfragment
07-13-2003, 06:40 PM
The image that needo used won't work on my comp. It just produces strange green pixelation at the bottom of my screen and eventually restarts to welcome. powering up... I need to find a version 3.0 for series 2 that works for me.
It won't even let me mfsrestore the image that needo got the kernel and fs from, it does the exact same thing
needo
07-13-2003, 09:27 PM
Originally posted by fixn278
If you're saying that even shows you've recorded after patching can't be played, then something is definitely wrong.
Anything recorded after scrambling is turned off should be playable.
If I had to put it in technical terms, I would say something went "kablooey!"
:D
That's what I'm saying. Any ideas on how to correct this?
Thank you.
needo
07-13-2003, 09:27 PM
Originally posted by dualfragment
The image that needo used won't work on my comp. It just produces strange green pixelation at the bottom of my screen and eventually restarts to welcome. powering up... I need to find a version 3.0 for series 2 that works for me.
It won't even let me mfsrestore the image that needo got the kernel and fs from, it does the exact same thing
That happened to me too. Double check your 4.0 kernel and your Monte setup. I had a typo the first time I did it, and it did the same thing for me.
dualfragment
07-13-2003, 11:27 PM
the same image didn't work either doing a standard mfsrestore without trying to do anything. i didn't have a typo cause i saved the runmonte file directly from the website and just did cp
needo
07-13-2003, 11:35 PM
Originally posted by dualfragment
the same image didn't work either doing a standard mfsrestore without trying to do anything. i didn't have a typo cause i saved the runmonte file directly from the website and just did cp
What TiVo do you have exactly?
I get the green stuff too, but then it continues booting without an issue.
dualfragment
07-13-2003, 11:46 PM
just a standalone tivo 80 hours
mine never boots up normally, even in just mfsrestoring the 420 mb image
dualfragment
07-16-2003, 01:17 PM
I put together something based on needo's with less steps, although I cannot get the hack for this to even work for me, can someone try it to see if what I have works and sounds right?
http://home.triad.rr.com/asheronscall/tivo.html
Adolf Bottler
07-16-2003, 03:35 PM
Originally posted by dualfragment
I put together something based on needo's with less steps, although I cannot get the hack for this to even work for me
Then why are you skipping steps?
dualfragment
07-16-2003, 03:51 PM
I got it to actually boot up now, but I get no bash-2.02#. I wasn't really skipping steps, just condensing it down.
needo
07-16-2003, 03:59 PM
Originally posted by dualfragment
I got it to actually boot up now, but I get no bash-2.02#. I wasn't really skipping steps, just condensing it down.
Check your rc.sysinit for the bash line at the bottom. Make sure there are no spaces around the <'s or the >'s.
Also what are you using for a serial cable?
dualfragment
07-16-2003, 04:03 PM
"/bin/bash </dev/ttyS2& >/dev/ttyS2&" is what you have in the guide. there are two spaces in the above
do I need to remove any?
I think I actually have bash access because I can do commands like dir and mkdir but it never actually tells me bash-2.02#
needo
07-16-2003, 04:08 PM
Originally posted by dualfragment
"/bin/bash </dev/ttyS2& >/dev/ttyS2&" is what you have in the guide. there are two spaces in the above
do I need to remove any?
I think I actually have bash access because I can do commands like dir and mkdir but it never actually tells me bash-2.02#
Remove the space between & and >
There should not be one, failure of formatting I guess.
dualfragment
07-16-2003, 04:12 PM
will try, thanks
dualfragment
07-16-2003, 05:15 PM
thanks, got bash finally
now i just have to figure out how to extract the recorded programs and i'm good heh
needo
07-16-2003, 05:16 PM
Originally posted by dualfragment
thanks, got bash finally
now i just have to figure out how to extract the recorded programs and i'm good heh
Do a search for kmem, that's what to use to noscramble and then use mfs_ftp-series2.
If you actually get kmem to work with 4.0 please let me know what you did.
Thanks!
dualfragment
07-16-2003, 06:02 PM
i put this line at the bottom of my rc.sysinit file:
/bin/kmem 800bf958 00001021
tivo starts up but I cant view older recorded files. I went to live tv, selected some random channel, hit record and then went into the tivo program list. I tried to play the one i just recorded and I can see the recording just fine.
Now I just need to figure out how exactly to extract the recorded files using mfs-ftp. (i'm new to this stuff heh)
needo
07-16-2003, 06:10 PM
Originally posted by dualfragment
i put this line at the bottom of my rc.sysinit file:
/bin/kmem 800bf958 00001021
tivo starts up but I cant view older recorded files. I went to live tv, selected some random channel, hit record and then went into the tivo program list. I tried to play the one i just recorded and I can see the recording just fine.
Now I just need to figure out how exactly to extract the recorded files using mfs-ftp. (i'm new to this stuff heh)
What version of TiVo are you running exactly? I did the same thing and I could not view newly recorded files at all. I tried so many times in fact instead of Monteing between 3.0 and 4.0 I gave up and monte'ed between 3.0 and 3.2. :)
dualfragment
07-16-2003, 06:12 PM
version 4.0. don't know what's causing your probs
Did you use the exact same line I just posted ? check yours to see if its the same as mine.
needo
07-16-2003, 06:17 PM
Originally posted by dualfragment
version 4.0. don't know what's causing your probs
Did you use the exact same line I just posted ? check yours to see if its the same as mine.
Yup even tried directly patching the kernel with s2_fix_kernel by Hamsterman
dualfragment
07-16-2003, 06:20 PM
hmm that's strange, it let me view it while its recording but not after recording stops
needo
07-16-2003, 06:25 PM
Originally posted by dualfragment
hmm that's strange, it let me view it while its recording but not after recording stops
So after you stop the recording and go in to Now Showing it will no longer let you view it? I bet it will let you download and play on your computer just fine.
That's the exact same thing that happened to me.
David Bought
07-16-2003, 07:19 PM
Originally posted by needo
So after you stop the recording and go in to Now Showing it will no longer let you view it? I bet it will let you download and play on your computer just fine.
That's the exact same thing that happened to me.
Did you have the same problem with the recompiled 2.4.18 kernel (presumably with the scrambling stuff #ifdef'ed out)?
needo
07-16-2003, 07:24 PM
Originally posted by David Bought
Did you have the same problem with the recompiled 2.4.18 kernel (presumably with the scrambling stuff #ifdef'ed out)?
I didn't get that far. I ran in to too many problems with the Makefiles and trying to re-create them.
Adolf Bottler
07-16-2003, 07:48 PM
Originally posted by needo
I didn't get that far. I ran in to too many problems with the Makefiles and trying to re-create them.
You shouldn't be "re-creating" any makefiles. You just need to edit the top level makefile to tell the build a little bit about your environment.
I unpacked the 2.4.18 source and edited the top level Makefile.
I commented out the include ... ismdefs shit.
I defined the following variables at the top of the Makefile:
NATIVE_CC=gcc
ARCH=mips
CC=mips-TiVo-linux-gcc
CROSS_COMPILE=mips-TiVo-linux-
I ran make menuconfig, set the appropriate settings, exited, and saved.
I ran 'make dep clean vmlinux.px modules' and compilation commenced.
Not sure if it would have finished but this should be a good start.
buktotruth
07-18-2003, 08:57 AM
Has anyone gotten tivoweb to work on their newly hacked SA S2?
Specifically, has anyone gotten a channel lineup hack to work?
Thanks.
buktotruth
07-22-2003, 08:25 PM
When i try and extract the s2f2.img file I get an "unexpected file format" error message...any ideas?
needo
07-22-2003, 11:11 PM
EDIT:
<Post Refers to a posting (http://www.dealdatabase.com/forum/showthread.php?s=&threadid=26046) in the Sale/Trade Forum - Please do not cross post>
Why do you need telnet/FTP access if not for the purpose of video extraction?
buktotruth
07-22-2003, 11:14 PM
good point. it is not a MUST. A and C are the musts. If you can do it without the telnet/ftp access...GREAT!
(one thing it has to do is connect to tivo via my ethernet, which it has always been able to do....via a wireless linksys usb adapter)
mrblack51
07-23-2003, 12:39 AM
Originally posted by needo
Why do you need telnet/FTP access if not for the purpose of video extraction?
depending on the setup, you don't need telnet or ftp for video extraction. however, if you (not you specifically, but anyone in general) are dumb enough to pay for a unit to be hacked in that way, i pity you. telnet is the key to being able to fix your unit. ftp will let you upgrade to a new version of the extraction stuff. telnet will let you make that new stuff executable.
mjjmoellering
07-26-2003, 05:53 PM
I have repeated the steps on needo's page, and am getting the same error each time. Welcome -> Almost there -> reboot.
Here's what the terminal reports (this is repeated with every reboot):
ide_read_security_challenge errored selecting device
ide_read_security_challenge returned failure
Attempting to disk load partition 3
Number of blocks: 3481
Start of image: 0x80002000
Starting sector #: 0x6de9c40 (115252288)
End of Image: 0x801b53e0
Ending sector #: 0x6dea9d9 (115255769)
Kernel signed by 'Kernel release key'
Hashing kernel... done
Checking signature... done.
Signed, valid for release
Using entry address 0x80004330 with boot string "root=/dev/hda4 BASH_ENV=`mount$
IFS-n$IFS/dev/hda16$IFS/mnt;echo$IFS/mnt/runmonte\' console=2,115200" and board
rev 0x000003ef
Anyone else seeing this, or knows what it means? I have searched for this read error everywhere and cannot find it. Also, I can boot from the drive after restoring my 4.0 to it from the image, with no problems.
needo
08-08-2003, 01:10 PM
I haven't seen this exact error, but try a couple things...
Double check your diskpage commands, make sure you are specifying the right /dev/hda's etc.
Might help to start from scratch and do it over.
pyrodex
08-08-2003, 04:03 PM
anyone got the kmem trick working on a SAS2 yet and was able to extract the stream and convert it to other formats without issues? This is the only thing holding me back from buying a SA S2.
needo
08-08-2003, 04:08 PM
Originally posted by pyrodex
anyone got the kmem trick working on a SAS2 yet and was able to extract the stream and convert it to other formats without issues? This is the only thing holding me back from buying a SA S2.
Personally I've gotten as far as. The kmem trick works. I can extract it and play it on my computer. But it leaves all streams on the Tivo unplayable. So you cannot play them on the tivo.
pyrodex
08-08-2003, 04:13 PM
Originally posted by needo
Personally I've gotten as far as. The kmem trick works. I can extract it and play it on my computer. But it leaves all streams on the Tivo unplayable. So you cannot play them on the tivo.
Are the OLD streams unplayable or even the new ones? If the OLD ones are unplayable that is fine for me since I will be buying a new one.
needo
08-08-2003, 04:20 PM
Originally posted by pyrodex
Are the OLD streams unplayable or even the new ones? If the OLD ones are unplayable that is fine for me since I will be buying a new one.
Old and new are both unplayable.
NutKase
08-10-2003, 11:42 PM
Originally posted by needo
I'm working on my Series 2 Standalone Monte HOWTO now. For reference could someone send me the dmesg | grep hda from a HDTV2?
Thank you.
I'd like to get a copy of your 'in progress' how-to as it seems that we are about the same place in our adventure. I've gotten through the "How to Monte a Series 2 Standalone' thread but I'm not sure if I have the 'Step 32 - /cdrom/bootpage -P "root=dev/hdc7 BASH_ENV...snip... command entered correctly. It's hard to see if there's spaces etc.
Anyway, I've got to get a serial cable made... I get stuck on the Welcome screen for minutes of no seeable activity then REBOOT - AAHH!!!
This is fun anyway but the spousal support unit (wife) is tired of the cover being off the TiVo and our computer being disassembled while she watches our 4.0 63hr TiVo restored from our original backup 3.2whatever update. Were you able to find a pre-3.2 img or are you using the dtivo u5 small img's available?
Anything you have that might move me along will be appreciated.
NutKase
needo
08-11-2003, 02:00 AM
Originally posted by NutKase
I'd like to get a copy of your 'in progress' how-to as it seems that we are about the same place in our adventure. I've gotten through the "How to Monte a Series 2 Standalone' thread but I'm not sure if I have the 'Step 32 - /cdrom/bootpage -P "root=dev/hdc7 BASH_ENV...snip... command entered correctly. It's hard to see if there's spaces etc.
Anyway, I've got to get a serial cable made... I get stuck on the Welcome screen for minutes of no seeable activity then REBOOT - AAHH!!!
This is fun anyway but the spousal support unit (wife) is tired of the cover being off the TiVo and our computer being disassembled while she watches our 4.0 63hr TiVo restored from our original backup 3.2whatever update. Were you able to find a pre-3.2 img or are you using the dtivo u5 small img's available?
Anything you have that might move me along will be appreciated.
NutKase
You can pick up a Null Modem Cable at any local computer store. Such as Fry's or Radio Shack. This works just as well, no reason to have one "made". Just hook up your diagnostic cable that came with the TiVO to the null modem cable and plug it in to the back of your machine.
My HOWTO can be found at http://www.superhero.org/tivo/ along with all images I used to currently get this working.
Currently I am using a 3.0 kernel to monte to 3.2. The reason for this is I was unable to get the noscramble patch to work correctly under 4.0. It made all streams unplayable on the TiVO but playable if downloaded to the computer. (Not a viable setup in my case.)
If I can be of any further assistance please let me know.
Thanks!
Chiun
08-12-2003, 03:48 AM
Needo, did you use the same procedure to monte 3.0 to 3.2? Besides using a different killinitd.
needo
08-12-2003, 12:23 PM
Originally posted by Chiun
Needo, did you use the same procedure to monte 3.0 to 3.2? Besides using a different killinitd.
Yup. My docs work with any kernel version, just insert the one you want.
Chiun
08-14-2003, 06:49 AM
I've pretty much given up on mine. I might try again in a few months.
buktotruth
08-14-2003, 11:06 AM
In needo's how-to guide he refers to 2 images: a 3.0 and 4.0 one.
I'm assuming that the 4.0 image is the one that i backed up off of my tivo (about 800meg). Needo links to two files, the kernel and fs for the 3.0 image. Now do i just need those two files, or do i need the entire 3.0 image ("420MB, of which you only need 130MB")? Also, I've read about a 3.0 and a 3.0.u5 image. What is the difference, which do i need, and where do i get em.
Please help.
needo
08-14-2003, 11:13 AM
Originally posted by buktotruth
In needo's how-to guide he refers to 2 images: a 3.0 and 4.0 one.
I'm assuming that the 4.0 image is the one that i backed up off of my tivo (about 800meg). Needo links to two files, the kernel and fs for the 3.0 image. Now do i just need those two files, or do i need the entire 3.0 image ("420MB, of which you only need 130MB")? Also, I've read about a 3.0 and a 3.0.u5 image. What is the difference, which do i need, and where do i get em.
Please help.
Download what I have linked off my page. 3.0.u5 is not for series 2 Tivo's and will not work.
buktotruth
08-14-2003, 11:24 AM
Originally posted by needo
Download what I have linked off my page. 3.0.u5 is not for series 2 Tivo's and will not work.
So should i be using my backed up 4.0 image at all? In step 20 you say :"mfsrestore -s 127 -xzpi /mnt/c/tivo-s2.bak /dev/hdc". Now this will restore my 4.0 os onto the tivo drive. I read later in this thread that you had trouble viewing video on the tivo with the 4.0 image. Is this going to be the case for me as well?
Xanthio
08-15-2003, 01:33 AM
I've got my TiVo open beside me and I'm working on the monte right now ... botched it once ... realized quickly my mistake. That part I'm not worried about.
The goal however ... at least for me ... is extraction. I realize that isn't everyone's "home run" that's why I added "for me". I see people posting that the kmem hack isn't working with the 4.0 kernel so the question becomes what to do?
In d7o's howto he mentions at the end that since kmonte opens the door to direct kernel modification a modified kernel could be used instead of the kmem technique. I've seen others mention this but what about applying this to creating a scramble-modded 4.0 kernel? Would it be simple for someone with the crosscompile setup to build a scramble-free 4.0 Kernel to pass around?
-X
K... I have a tivo tcd240040 upgraded to a 120g wd drive. That is all well and good. It also has the backdoor mode enabled by changing the code. I've tried needo's instructions for the monte 5 times with the same results... Welcome... Green flash... Both lights come on (red and green) reboot. I have used various versions of the same instructions without any luck...
Has anyone had any luck using needo's kernel and fs image? Where should I start as far as troubleshooting?
For now I have given up and just added another 120g hd giving lots of room but no bash...
I'm not sure if there is a simple error in the instructions or what... Anyhow if anyone has successfully done this with the 240040 please pm me.
Thanks!
buktotruth
08-17-2003, 11:27 PM
The good news: I HAVE A BASH PROMPT!!!!!
The bad news: When i try and play recording in tivo it first asks me to delete the file, then when i say "no", it says "unable to record from source b/c there is no signal" (or something to that effect)
I am thrilled that i have a bash prompt, but it does me little good if i can't watch what the Tivo records.
During the hack, i copied all the files in the devbin-s2 directory over to the tivo bin folder (ala step 38). I am wondering if one of these hacks caused the problem. I really don't care about video extraction, so if what i copied over is used for that and may be causing the problem, please let me know what exactly i need to delete.
Also, once i get this problem resolved...anyone know a good hack that works on a SA S2 that will rearrange the channels in a manner that i see fit.
Lastly...any chance of being able to telnet into the tivo via my network (without the serial connection). This would save me a lot of headaches.
THANKS!
And needo, great job on the how to. After 3-4 attempts I actually got it!
needo
08-18-2003, 12:18 AM
Originally posted by buktotruth
The good news: I HAVE A BASH PROMPT!!!!!
The bad news: When i try and play recording in tivo it first asks me to delete the file, then when i say "no", it says "unable to record from source b/c there is no signal" (or something to that effect)
I am thrilled that i have a bash prompt, but it does me little good if i can't watch what the Tivo records.
During the hack, i copied all the files in the devbin-s2 directory over to the tivo bin folder (ala step 38). I am wondering if one of these hacks caused the problem. I really don't care about video extraction, so if what i copied over is used for that and may be causing the problem, please let me know what exactly i need to delete.
Also, once i get this problem resolved...anyone know a good hack that works on a SA S2 that will rearrange the channels in a manner that i see fit.
Lastly...any chance of being able to telnet into the tivo via my network (without the serial connection). This would save me a lot of headaches.
THANKS!
And needo, great job on the how to. After 3-4 attempts I actually got it!
Only 3-4 you did good! :) Took me a lot of tries before I got mine right.
As for the playing question. Are you using kernel 4.x or 3.2? Also, have you applied the kmem patch for noscramble?
buktotruth
08-18-2003, 12:36 AM
Originally posted by needo
Only 3-4 you did good! :) Took me a lot of tries before I got mine right.
As for the playing question. Are you using kernel 4.x or 3.2? Also, have you applied the kmem patch for noscramble?
kernel = 4.0
and no on the kmem patch...i'm a semi-newbie so i'm not even sure what that is.
needo
08-18-2003, 12:40 AM
Originally posted by buktotruth
kernel = 4.0
and no on the kmem patch...i'm a semi-newbie so i'm not even sure what that is.
Do a search in this group for it. It's how to turn on noscramble so you can download the streams to your computer.
buktotruth
08-18-2003, 12:50 AM
Originally posted by needo
Do a search in this group for it. It's how to turn on noscramble so you can download the streams to your computer.
needo,
the issue isn't downloading them on my computer...the issue is that i can't view them on my tivo. Will the kmem patch fix this as well??
thanks.
TheWickedPriest
08-18-2003, 05:41 AM
Originally posted by buktotruth
When i try and play recording in tivo it first asks me to delete the file, then when i say "no", it says "unable to record from source b/c there is no signal" (or something to that effect)
That's a symptom of having switched between scrambled and non-scrambled recording (either way -- scrambled recordings will do that when you're in non-scrambled mode, and vice versa).
buktotruth
08-18-2003, 08:44 AM
Originally posted by TheWickedPriest
That's a symptom of having switched between scrambled and non-scrambled recording (either way -- scrambled recordings will do that when you're in non-scrambled mode, and vice versa).
how would I go about switching back to the scrambled recording mode so that i could watch the recordings on my tivo.
thanks
Xanthio
08-19-2003, 05:48 PM
Originally posted by TheWickedPriest
That's a symptom of having switched between scrambled and non-scrambled recording (either way -- scrambled recordings will do that when you're in non-scrambled mode, and vice versa).
Well, from what people have been posting it sounds as though the kmem hack isn't working at all on 4.0 S2 SA units. I've seen people suggest that a direct hack of the kernel would be very simple but I honestly haven't the setup to be able to crosscompile a new kernel so I was sorta hoping if I crossed my fingers and waited that someone might post one.
:)
-X
buktotruth
08-19-2003, 05:56 PM
Originally posted by Xanthio
Well, from what people have been posting it sounds as though the kmem hack isn't working at all on 4.0 S2 SA units. I've seen people suggest that a direct hack of the kernel would be very simple but I honestly haven't the setup to be able to crosscompile a new kernel so I was sorta hoping if I crossed my fingers and waited that someone might post one.
:)
-X
Well I hope someone figures out how to get a SA S2 4.0 working b/c that's what i have and i'm stuck :(
Also, where have you seen people talking about the kernel hack?
needo
08-19-2003, 07:19 PM
Originally posted by buktotruth
Well I hope someone figures out how to get a SA S2 4.0 working b/c that's what i have and i'm stuck :(
Also, where have you seen people talking about the kernel hack?
I just downgraded to 3.2. (See my site.) :)
A little bit of a pain since you can't make your daily call through the ethernet connection, but I much prefer being able to extract the shows using common means like TyServer.
buktotruth
08-19-2003, 08:17 PM
Originally posted by needo
I just downgraded to 3.2. (See my site.) :)
A little bit of a pain since you can't make your daily call through the ethernet connection, but I much prefer being able to extract the shows using common means like TyServer.
The only problem with that is i don't have a phone line in my apt. My cell phone is my only form of telephone, so the network call is a must.
Guess i'm !@#$ out of luck.:(
Xanthio
08-20-2003, 12:21 AM
Originally posted by buktotruth
Well I hope someone figures out how to get a SA S2 4.0 working b/c that's what i have and i'm stuck :(
Also, where have you seen people talking about the kernel hack?
I forgot, I thought it was on this thread but maybe not ... I'll have to track it down and if I find it maybe I'll just have to get the setup together to cross-compile a new kernel.
-X
buktotruth
08-20-2003, 09:31 AM
Originally posted by Xanthio
I forgot, I thought it was on this thread but maybe not ... I'll have to track it down and if I find it maybe I'll just have to get the setup together to cross-compile a new kernel.
-X
xanthio
if you could put together a kernel that works i might just have to make you my new best friend :D
MuscleNerd
08-20-2003, 10:22 PM
In 4.0, the kernel patch is not enough. You have to patch tivoapp too.
That's because 4.0 tivoapp effectively checks to see that the stream you ask it to play has been scrambled. If it hasn't, tivoapp will give you the same "corrupt recording" screen that you would get if your DiskConfiguration value got wiped or doesn't go with the CSO values.
So again, for 4.0 you need to patch both kernel and tivoapp.
needo
08-20-2003, 10:28 PM
Originally posted by MuscleNerd
In 4.0, the kernel patch is not enough. You have to patch tivoapp too.
That's because 4.0 tivoapp effectively checks to see that the stream you ask it to play has been scrambled. If it hasn't, tivoapp will give you the same "corrupt recording" screen that you would get if your DiskConfiguration value got wiped or doesn't go with the CSO values.
So again, for 4.0 you need to patch both kernel and tivoapp.
Do you happen to have a tivoapp patch handy?
Xanthio
08-24-2003, 03:56 PM
Originally posted by MuscleNerd
In 4.0, the kernel patch is not enough. You have to patch tivoapp too.
That's because 4.0 tivoapp effectively checks to see that the stream you ask it to play has been scrambled. If it hasn't, tivoapp will give you the same "corrupt recording" screen that you would get if your DiskConfiguration value got wiped or doesn't go with the CSO values.
So again, for 4.0 you need to patch both kernel and tivoapp.
I stand co-rected. I remember someone mentioning building a new kernel but I wasn't aware of the tivoapp issue.
Personally I'd rather just use kmem.o and whatever workaround / patch would be needed for tivoapp since I'm less concerned with elegance than convenience. I hadn't seen the tivoapp mentioned before, is there a known workaround or does tivoapp have to be patched / replaced?
I'm eager to get extraction for SA S2 4.0 working since I got the monte working perfectly (thanks to needo's notes).
-X
buktotruth
08-25-2003, 03:23 PM
Originally posted by Xanthio
I stand co-rected. I remember someone mentioning building a new kernel but I wasn't aware of the tivoapp issue.
Personally I'd rather just use kmem.o and whatever workaround / patch would be needed for tivoapp since I'm less concerned with elegance than convenience. I hadn't seen the tivoapp mentioned before, is there a known workaround or does tivoapp have to be patched / replaced?
I'm eager to get extraction for SA S2 4.0 working since I got the monte working perfectly (thanks to needo's notes).
-X
I'm in the same camp as X...i'm not too familiar with tivoapp and don't really care about an "elegant" patch. I just want my tivo up and running (also SA S2 4.0). If anyone knows more about this tivoapp patch, please post it.
MuscleNerd
08-25-2003, 04:51 PM
I'll probably release my "elegant" (wtf?) tivoapp patch within a few weeks.
I tried it out for a few days in the spring, and it works...but I wanna make sure it doesn't break anything else.
buktotruth
08-25-2003, 06:49 PM
Originally posted by MuscleNerd
I'll probably release my "elegant" (wtf?) tivoapp patch within a few weeks.
I tried it out for a few days in the spring, and it works...but I wanna make sure it doesn't break anything else.
musclenerd
just a thought...if you could post this sooner than later, we can all try and help you weed out the bugs.
NutKase
08-26-2003, 09:24 AM
Originally posted by Xanthio
I'm eager to get extraction for SA S2 4.0 working since I got the monte working perfectly (thanks to needo's notes).
-X
Did you have to use an exact 3.1 image for the brand of SA S2 that you have? I haven't been able to find one from a TiVo brand
TiVo 60hr TCD140060 Standalone Single 60GB A drive.
Should I just go with another one. I did use the u5 one with no backgrounds (I found this unacceptable) but didn't get the monte working yet and before I waste any more time I want to rule out the image as the culprit. Thanks for any help!
Xanthio
08-26-2003, 01:27 PM
Originally posted by NutKase
Did you have to use an exact 3.1 image for the brand of SA S2 that you have? I haven't been able to find one from a TiVo brand
TiVo 60hr TCD140060 Standalone Single 60GB A drive.
Should I just go with another one. I did use the u5 one with no backgrounds (I found this unacceptable) but didn't get the monte working yet and before I waste any more time I want to rule out the image as the culprit. Thanks for any help!
I was using d7o's HOWTO when I ran into trouble, I suspect much the way needo did in his early posts, where it just wouldn't boot with the U5 stuff. I was able to use the 3.1 images from needo's HOWTO perfectly and monte into 4.0, so if you haven't I'd suggest checking those out.
The only hangup I ran into was writing the romfs image ... the mistake I made was in picking the right partition number for the romfs image. If you make this mistake, you will probably see the "Welcome" screen followed by a 3/4 blank screen with corrupted video at the bottom and then freeze there (may just reboot). I'd like to believe this is a common mistake but then I probably just want to believe that so I don't feel so dumb.
With the monte working I get that corrupted screen for a few seconds between the "Welcome" and "Almost there" screens. It has no other ramifications in regards to performance.
-X
needo
08-26-2003, 01:35 PM
Originally posted by Xanthio
I was using d7o's HOWTO when I ran into trouble, I suspect much the way needo did in his early posts, where it just wouldn't boot with the U5 stuff. I was able to use the 3.1 images from needo's HOWTO perfectly and monte into 4.0, so if you haven't I'd suggest checking those out.
The only hangup I ran into was writing the romfs image ... the mistake I made was in picking the right partition number for the romfs image. If you make this mistake, you will probably see the "Welcome" screen followed by a 3/4 blank screen with corrupted video at the bottom and then freeze there (may just reboot). I'd like to believe this is a common mistake but then I probably just want to believe that so I don't feel so dumb.
With the monte working I get that corrupted screen for a few seconds between the "Welcome" and "Almost there" screens. It has no other ramifications in regards to performance.
-X
I don't want to tell you guys how many times I re-imaged my TiVo. :)
*runs and hides*
But I get the same thing you do, corrupted video then the Welcome, and Almost There. Smooth as pie.
Now if only the 4.0 tivoapp would play unscrambled video we'd be flyin high. Until then I'm sticking with my 3.0 boot kernel monte'ed to 3.2
NutKase
08-27-2003, 12:33 AM
Originally posted by needo
Now if only the 4.0 tivoapp would play unscrambled video we'd be flyin high. Until then I'm sticking with my 3.0 boot kernel monte'ed to 3.2
Aren't you getting nagged to update to 4.0? Are you still downloading updates?
Anyway, now I have the motivation from your success stories to try again with mine. I'll let you know soon.
NutKase
BTW, Needo, The Guide is great - it must be me :)
NutKase
08-30-2003, 01:08 PM
Originally posted by Xanthio
I'm eager to get extraction for SA S2 4.0 working since I got the monte working perfectly (thanks to needo's notes).
-X
needo, X, and buktotruth,
OK, more info. I want to confirm that needo's guide you used is located at http://www.superhero.org/tivo/ this is the one linked to on the board but it still has a lot of d7o's U5 stuff in there like steps 8, 13 and 14?
This is confusing I don't need to extract anything if I get the files from needo right? Well anyway, I ignored all the U5 mounting and extracting and just dd'd the needo kernel and fs images to the proper partitions.
I'm fairly linux savvy as I've been running it off and on since Red Hat 5.3 so I don't think I've bone-headed it.
The only error I see is that when I write the s2kernel.img to the /dev/hdc6 partition it says
4097+0 records in
4096+0 records out
But he says right in the guide that "you will see an error message saying not everything was copied because of lack of space. This is OK. The first 2 megs were copied and thats what counts."
My 4.0 original bootpage said /hda4 and I've successfully gotten thru the guide making the romfs.img and putting it on /dev/hdc16 and then updated the bootpage to /hda7 and checked that it did update. The output from bootpage -p /dev/hdx was something like:
root=/dev/hda7 BASH_ENV=all the other monte stuff I typed in w/step 32.
Question: should it be a long bootpage result or just a simple "root=/dev/hda7"?
When I put the drive in it won't even boot past the 'powering up' screen which I've read indicates that it can't even find a working kernel (the s2kernel provided by needo) so I go back to having the problem with 4097vs4096 records or I have a bad s2kernel.img. Did you uncompress it using Winzip or gunzip it in linux?
Help. I think I'm close, at least I'm understanding where and what partitions everything is going on now but no boot yet with any kernel but 4.0 non-hacked. Dammit.
I'm wondering if I need the entire drive image he mentions at 420mg
:confused: TIA, NutKase
MuscleNerd
08-30-2003, 02:41 PM
Your bootpage params should still be pretty long, because they need to include the whole BASH_ENV string that mounts your romfs.
If you've got a serial cable all hooked up, I recommend you add even another item to the bootpage params: dsscon=true
I can't overstate how useful that option is! Somebody please tell all the guide writers to include that option, say, right before the BASH_ENV option.
dsscon=true will let you see exactly what's happening on the *first* boot. You'll be able to diagnose what's going wrong much easier! The "runmonte" script I wrote does include it, but that is useful only for the monte re-load. You'll need to include it on the drive (via "bootpage") to see all the kernel output from your first (pre-monte) boot.
NutKase
08-30-2003, 03:13 PM
Originally posted by MuscleNerd
Your bootpage params should still be pretty long, because they need to include the whole BASH_ENV string that mounts your romfs.
If you've got a serial cable all hooked up, I recommend you add even another item to the bootpage params: dsscon=true
I can't overstate how useful that option is! Somebody please tell all the guide writers to include that option, say, right before the BASH_ENV option.
So proper bootpage change would read as follows for the 'needo' guide.
/cdrom/bootpage:)-P:)"root=/dev/hda7:)dsscon=true:)BASH_ENV=\`mount\$IFS-n\$IFS/dev/hda16\$IFS/mnt;echo\$IFS/mnt/runmonte\`":)-C:)/dev/hdc
All of this on one line and each space is represented by a smiley. Caps are necessary and partitions are subject to your setup. What I want to know is... is the dsscon=true in the right place?
Thx for quick reply, I'm working on it all day today. NutKase
MuscleNerd
08-30-2003, 03:29 PM
Originally posted by NutKase
is the dsscon=true in the right place?
Yep.
Now, when you get that back in the TiVo and you power up, watch the serial console carefully. The kernel starts its first boot with the first occurrence of "Loading R5432 MMU routines". If you don't get that at all, it means your initial kernel signature failed.
If your kernel is signed right, you'll eventually see the RAMDISK load, and then "Running as /linuxrc - autoscan!" That's the initrd starting to verify the ext2fs filesystem. If it finds a mismatch, it'll try to recover, but it can't always do that (in which case you can't proceed).
If autoscan verifies everything okay, the rc.sysinit will be called. With the BASH_ENV hack, this means that control gets diverted to your runmonte script, assuming the romfs partition mounted okay. If all goes well, you'll see monte spit out a few messages, and then the "Loading R5432 MMU routines" will repeat, because monte is now chain-loading the second kernel. You should not see any 'autoscan' output in this second boot.
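The boot stages described in the post above, turned into a triage of a serial-console capture; this is an added example, not code from the thread or from the monte authors. The function names and verdict strings are hypothetical, and the two sample logs are constructed from console lines quoted in this thread, with wrapped lines joined.

```python
import re

# Marker strings taken from console output quoted in the thread.
KERNEL_START = "Loading R5432 MMU routines"
AUTOSCAN = "Running as /linuxrc - autoscan!"
RESTART = "Restarting system."
MONTE_LINE = re.compile(r"^monte: ")
SCRIPT_ERROR = re.compile(r"/mnt/runmonte: line (\d+): ")
ROOT_PARAM = re.compile(r"Kernel command line:.*?\broot=(\S+)")


def split_boots(log):
    """Split a capture into kernel starts and record what led into each one."""
    boots, cur = [], None
    monte_seen = restart_seen = False
    for raw in log.splitlines():
        line = raw.strip()
        if KERNEL_START in line:
            # A kernel start right after monte output is the chain-load;
            # one right after "Restarting system." is only a reboot.
            if cur is None:
                how = "power-on"
            elif monte_seen:
                how = "chain-load"
            elif restart_seen:
                how = "reboot"
            else:
                how = "unknown"
            cur = {"entered_by": how, "autoscan": False,
                   "root": None, "script_error_lines": []}
            boots.append(cur)
            monte_seen = restart_seen = False
        elif cur is None:
            continue  # nothing before the first kernel start is classified
        elif AUTOSCAN in line:
            cur["autoscan"] = True
        elif MONTE_LINE.match(line):
            monte_seen = True
        elif RESTART in line:
            restart_seen = True
        else:
            err = SCRIPT_ERROR.search(line)
            if err:
                cur["script_error_lines"].append(int(err.group(1)))
            root = ROOT_PARAM.search(line)
            if root:
                cur["root"] = root.group(1)
    return boots


def diagnose(log):
    """Return a short verdict (hypothetical labels) for how far the boot got."""
    boots = split_boots(log)
    if not boots:
        return "no-kernel-output"  # per the post: initial kernel signature failed
    first = boots[0]
    if not first["autoscan"]:
        return "first-kernel-no-autoscan"
    failed = bool(first["script_error_lines"])
    if len(boots) == 1:
        return "runmonte-failed" if failed else "no-second-kernel"
    second = boots[1]
    if second["entered_by"] != "chain-load":
        return "runmonte-failed" if failed else "rebooted-without-monte"
    if second["autoscan"]:
        return "second-kernel-autoscan"  # the post says this should not appear
    return "monte-ok"


# Constructed sample: a capture where the chain-load succeeds.
GOOD_LOG = r"""
Loading R5432 MMU routines.
Kernel command line: root=/dev/hda7 dsscon=true BASH_ENV=`mount$IFS-n$IFS/dev/hda16$IFS/mnt;echo$IFS/mnt/runmonte` console=2,115200
Running as /linuxrc - autoscan!
The filesystem seems to be OK
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: total pages used: 402 for image, 2 for indirect tables, 1 for reload code
Loading R5432 MMU routines.
Kernel command line: root=/dev/hda4 dsscon=true console=2,115200 upgradesoftware=false
rc.sysinit is complete
"""

# Constructed sample: runmonte fails to parse, the first kernel carries on,
# and the second kernel start is a plain reboot rather than a chain-load.
BAD_LOG = r"""
Loading R5432 MMU routines.
Kernel command line: root=/dev/hda7 dsscon=true BASH_ENV=`mount$IFS-n$IFS/dev/hda16$IFS/mnt;echo$IFS/mnt/runmonte` console=2,115200
Running as /linuxrc - autoscan!
The filesystem seems to be OK
'bin/bash: /mnt/runmonte: line 6: syntax error near unexpected token `in
'bin/bash: /mnt/runmonte: line 6: `case "$root" in
Starting rc.sysinit
rc.sysinit is complete
Tmk Fatal Error: Thread myworld <129> died due to signal -2
8dc be0250 <0>Restarting system.
Loading R5432 MMU routines.
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG), ("empty", "")):
        print(name, diagnose(log))
```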
NutKase
08-30-2003, 04:07 PM
OK, Thanks. Do I need to hit enter or not hit enter at a certain time? Or just have the terminal open?
Redoing the monte from scratch first will let you know soon wish me luck:)
buktotruth
08-30-2003, 05:31 PM
Originally posted by MuscleNerd
In 4.0, the kernel patch is not enough. You have to patch tivoapp too.
That's because 4.0 tivoapp effectively checks to see that the stream you ask it to play has been scrambled. If it hasn't, tivoapp will give you the same "corrupt recording" screen that you would get if your DiskConfiguration value got wiped or doesn't go with the CSO values.
So again, for 4.0 you need to patch both kernel and tivoapp.
How would i go about patching tivoapp. I can't seem to find it in the forums.
Thx
NutKase
08-30-2003, 06:54 PM
Originally posted by MuscleNerd
Yep.
Now, when you get that back in the TiVo and you power up, watch the serial console carefully. The kernel starts its first boot with the first occurrence of "Loading R5432 MMU routines". If you don't get that at all, it means your initial kernel signature failed.
If your kernel is signed right, you'll eventually see the RAMDISK load, and then "Running as /linuxrc - autoscan!" That's the initrd starting to verify the ext2fs filesystem. If it finds a mismatch, it'll try to recover, but it can't always do that (in which case you can't proceed).
If autoscan verifies everything okay, the rc.sysinit will be called. With the BASH_ENV hack, this means that control gets diverted to your runmonte script, assuming the romfs partition mounted okay. If all goes well, you'll see monte spit out a few messages, and then the "Loading R5432 MMU routines" will repeat, because monte is now chain-loading the second kernel. You should not see any 'autoscan' output in this second boot.
---------------------------------------------
Loading R5432 MMU routines.
Linux version 2.4.4-TiVo-3.0 (build@buildmaster12) (gcc version 3.0) #11 Wed May 8 15:40:02 PDT 2002
I think this means my 3.0 kernel got loaded fine. Yipee!! /NutKase does a 'booty shake' around all the cables and HDs lying all over the floor :)
Initial ramdisk at: 0x8014b000 (585230 bytes)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/hda7 dsscon=true BASH_ENV=`mount$IFS-n$IFS/dev/hd
a16$IFS/mnt;echo$IFS/mnt/runmonte` console=2,115200
Calibrating delay loop... 201.93 BogoMIPS
Also good, Loads MY bootpage lines and starts up serial output.
Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14 hda15 hda16
Show all the partitions
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (romfs filesystem) readonly.
Running as /linuxrc - autoscan!
Loading signatures file
At first I thought this was the 4.0 loading but after reading MuscleNerd's response to me this is the 3.0 romfs loading then scanning.
---------------------------------------------------------------------------
End of good stuff: Problems start here!
Scan /mnt/kernel
Scan /mnt/prom
The filesystem seems to be OK
Scanner main is done
VFS: Mounted root (ext2 filesystem) readonly.
change_root: old root has d_count=3
Freeing unused kernel memory: 60k freed
: command not found
/bin/bash: set: unknown option:
'bin/bash: /mnt/runmonte: line 6: syntax error near unexpected token `in
'bin/bash: /mnt/runmonte: line 6: `case "$root" in
## MIPS ## arch-specific shell functions defined
Starting rc.sysinit
: command not found?
Doesn't know what set option is... it was set -a in the runmonte I downloaded and used I didn't type it but it matches the needo/d7o guides perfectly.
Please help me understand the runmonte Line 6 errors? A bunch of stuff I don't think matters <snip>
then...
Scanning for phase2 repair scripts
Checking for database conversions...
Checking new software installation
SwSystem 4.0-01-2-140 is already active, nothing to do.
Scanning for phase3 repair scripts
Starting Services.
Scanning for phase4 repair scripts
rc.sysinit is complete
MCP startup complete
Tmk Assertion Failure:
GetImage, line 229 ()
Tmk Fatal Error: Thread myworld <129> died due to signal -2
8aad38 8aadc8 8a87ec 8a7d38 8a5fe4 6d2554 6d1edc 6981f4 684204 50f2d0 50f174 400
8dc be0250 <0>Restarting system.
Loading R5432 MMU routines.
It looks like it's into 4.0 but I never saw the second 'Loading R5432 MMU routines' before the monte to 4.0 as MuscleNerd indicated. Then the Tmk fatal error - myworld and reboot - This is why I never got past the 'Powering up' screen I guess. Sorry about the bold but I was trying to set my rambling off from the output - getting close but not there yet. Thanks MuscleNerd for the advice to get the serial output up it is indispensable to my sanity, now at least I can see behind the scenes that something I'm doing is right :)
NutKase
08-30-2003, 07:02 PM
: command not found
/bin/bash: set: unknown option:
I'm going to reload and look in rc.sysinit for a typo for this one...
no clue yet about the others.
On second thought rc.sysinit loads right
AFTER this error so I'm not sure what's running to produce this error?
NutKase
08-30-2003, 09:15 PM
VFS: Mounted root (ext2 filesystem) readonly.
change_root: old root has d_count=3
Freeing unused kernel memory: 60k freed
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x190453) at 0x810f
3000
monte: total pages used: 402 for image, 2 for indirect tables, 1 for reload code
Loading R5432 MMU routines.
<snip>
Kernel command line: root=/dev/hda4 dsscon=true console=2,115200 upgradesoftware
=false
<snip>
Scanning for phase4 repair scripts
rc.sysinit is complete
bash: no job control in this shell
bash-2.02#
--------------------------------------
All I did after the above failures was rebuild the romfs after I found that I'd named runmonte 'copy of runmonte' and built it that way the first time. Duh!
I also did chmod 777 runmonte although I'm not sure that was required. Now to kick this thing on the tv and see what I get.
What a fscking relief after months of reading! I second MuscleNerd GET A SERIAL CABLE, HOOK IT UP and see what the kernel tells you. I have slaved over this bash/monte for too long not knowing if I typed or did something wrong when all of the time the boot processes were 'yelling' out the serial port :)
If you have a SA S2 just use the black serial-to-minijack cable supplied with your TiVo and buy a DB9 null modem adapter (male on both ends), so you'll also need a DB9 genderbender (female on both ends). These are available at RadioS for about $7 each. Do it now! :)
MuscleNerd
08-30-2003, 10:11 PM
Cool, you figured it all out while I was gone :) But to address some of the questions you raised...
On the S2 systems, if you hit <Return> twice too soon, the bootrom will ask you for bootrom password. The only way out of that, if you don't know your password, is to power-cycle. Best to just not hit anything, and wait for the console to start on its own (although the bootrom menu is very handy for certain things).
With dsscon=true, you'll see the console output start just after the kernel signature has been loaded and verified...i.e. right before it jumps to the kernel entry point.
The reason you saw tivoapp produce assertion failures is because the 3.0 application (on hda7) was trying to make sense of the 4.0 database (in the MFS partitions). Best case scenario is that it bombs like you saw...worst case is it gets its dirty little 3.0 hands on the 4.0 data and messes it all up.
Anyhow, glad you figured it all out....eventually you'll probably wanna search for the threads that talk about ways to prevent "automatic" updates ripping the carpet out from under your setup.
(PS: Guide writers, please use dsscon=true in your writeups)
MuscleNerd
08-30-2003, 10:20 PM
One debugging tip that some may find useful: if your runmonte script/romfs partition just doesn't seem to be acting right, you can temporarily replace the BASH_ENV string with this:
BASH_ENV=\`/bin/bash</dev/ttyS2&>/dev/ttyS2\`
(no spaces anywhere in that, and no ampersand at the end).
That will start up bash on the console at the point where the romfs mount should occur. So when you get the prompt, do the "mount -n /dev/hdaxx /mnt" yourself, see that it works, and see that the script it contains can be run by hand.
NutKase
08-30-2003, 10:48 PM
Originally posted by MuscleNerd
Cool, you figured it all out while I was gone :) But to address some of the questions you raised...
The reason you saw tivoapp produce assertion failures is because the 3.0 application (on hda7) was trying to make sense of the 4.0 database (in the MFS partitions).
So Tmk = tivoapp?
MuscleNerd
08-30-2003, 11:14 PM
I think it stands for tivo media kernel, but there's more than the kernel involved. It also involves the whole MFS (media file system), half-baked databases, etc. So you saw myworld (aka tivoapp) throw a Tmk assertion failure when it couldn't load some image, and the "safest" thing the system can do is reboot and hope it goes away.
If you compile the TiVo-published kernel, you can actually go into debug mode with it, and allow a remote gdb to debug the kernel when a Tmk assertion is thrown, rather than just rebooting. You lose the dss serial console in that mode, however...it's used for the gdb control channel. Anyway, the tmk-gdb-kernel debugger isn't a particularly fun or productive project :)
NutKase
08-30-2003, 11:30 PM
Ok thanks for that extra info. I'm trying to back up the working 3.0 to 4.0 bash/monte drive. I have several same size drives and want to backup and then test the backup before I use it and update the guide. Then I won't be in danger of a newer version being pushed while I learn how to stop it.
Is there a way to back up both the active and inactive partitions with MFSTools or am I reduced to an 8hr dd of a 120g HD? :(
I'm testing a backup I made using MFS Tools now but I think it only copied the 3.0 hda7 partition and left the 4.0 hda4 system out.
Back in a few!
NutKase
EDIT:
Yeah it looks like I'm just in 3.0 and monte had nothing to monte to
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Boot signature not found (0 instead of 52504f).
monte: Invalid argument
bash: no job control in this shell
bash-2.02#
MuscleNerd
08-31-2003, 03:50 AM
yeah, mfstool only backs up the active root partition (and /var, I think). So you'll have to manually back up the partition that you monte into (and the accompanying kernel partition).
The ext2 partitions are only 128MB each though, so it's not that bad....you can fit images of the three ext2fs partitions all on one CD. You can try to save some space by using tar/cpio, but a straight dd image is more foolproof, especially when it comes to preserving the /dev inodes, etc.
NutKase
08-31-2003, 08:26 PM
Originally posted by MuscleNerd
yeah, mfstool only backs up the active root partition (and /var, I think). So you'll have to manually back up the partition that you monte into (and the accompanying kernel partition).
The ext2 partitions are only 128MB each though, so it's not that bad....you can fit images of the three ext2fs partitions all on one CD. You can try to save some space by using tar/cpio, but a straight dd image is more foolproof, especially when it comes to preserving the /dev inodes, etc.
Yeah, I dd'd the whole 120gig drive :) took 20 hours. So I have a good copy but... Question: If I use MFS Tools for a backup then dd an image of the other FS and Kernel partitions which is which. I think MFS tools will think the active partition is my 3.0 boot and I'll have to manually do the 4.0 partitions? What about settings and recordings? They are still 4.0. Do I just:
dd if=/dev/hdc3 of=/mnt/c/partit3.img
Also, after I get a working tricked out single drive system I'm going to put my other 120g back in. Will just backing up the partitions from the A drive work?
and repeat for 4, 6, 7 and 16(romfs) What about other partitions will I have all I need? Seems like a pain - but as I tell my 6 year old "If it was easy, everbody would be doin' it!" :)
Short version is I wonder what you mean by 'images of the three ext2fs partitions' and what do you do to restore from screwing up your drive installing FTP tivoweb etc.
NutKase
MuscleNerd
09-01-2003, 06:29 AM
Originally posted by MuscleNerd
In 4.0, the kernel patch is not enough. You have to patch tivoapp too.
That's because 4.0 tivoapp effectively checks to see that the stream you ask it to play has been scrambled. If it hasn't, tivoapp will give you the same "corrupt recording" screen that you would get if your DiskConfiguration value got wiped or doesn't go with the CSO values.
So again, for 4.0 you need to patch both kernel and tivoapp.
Alrighty, and now for the info some of you have been waiting for. The magical address you want to patch over is:
0xbe4448
At least that's what it is in 4.0. It'll be close to that in 4.01.
The location should currently contain 0x0320f809. You want to change that to a 0x24020001. Here's the section of code, for context:
be442c: 8fbc0020 lw gp,32(sp)
be4430: 27a50040 addiu a1,sp,64
be4434: 27a40028 addiu a0,sp,40
be4438: 24060005 li a2,5
be443c: 3c190001 lui t9,0x1
be4440: 033cc821 addu t9,t9,gp
be4444: 8f39935c lw t9,-27812(t9)
be4448: 0320f809 jalr t9 ;: <memcmp>
be444c: 00000000 nop
be4450: 8fbc0020 lw gp,32(sp)
be4454: 10400064 beqz v0,0xbe45e8
be4458: 00000000 nop
So, how do you go about changing that? Just patch the tivoapp binary. Subtract 0x400000 from that magic address above to determine its offset into the ELF executable. I have a few tivoapp patch programs posted over at AVS. Someone may want to grab one as a template. Or come up with other ways to do it.
MuscleNerd
09-01-2003, 06:33 AM
So let me reiterate: if you have a v4.0 or higher TiVo S2, you'll need to do both the kmem hack and the above tivoapp patch to be able to happily record your streams in the clear. The kmem patch is what actually disables the ide scrambling. But the tivoapp patch is required to make TiVo accept the fact that the scrambling isn't being done.
needo
09-01-2003, 11:20 PM
With College started I really don't have a whole lot of free time to hack on this. If someone would like to write up how they patched tivoapp I would happily add it to my HOWTO.
(And I of course would do it myself.) :)
Xanthio
09-02-2003, 09:17 PM
Originally posted by MuscleNerd
So let me reiterate: if you have a v4.0 or higher TiVo S2, you'll need to do both the kmem hack and the above tivoapp patch to be able to happily record your streams in the clear. The kmem patch is what actually disables the ide scrambling. But the tivoapp patch is required to make TiVo accept the fact that the scrambling isn't being done.
That much I am comfortable with my understanding of ... there are however a few points I'd like to clarify if MuscleNerd or anyone else could spare a few answers (yes I searched, no I did not find).
1) With kmem set to run at the end of rc.sysinit and the tivoapp patched, will this "4.0 extraction hack" suffer the same inability to play back recordings that were on the unit prior to the hack? I ask only as a matter of curiosity.
2) Is there any reason that mfs_ftp shouldn't load properly being launched at the end of rc.sysinit? I set it up to but it doesn't seem to be loading. I realize that this is one of those "plug in the serial cable and see what's wrong" things but I don't have a serial cable and yes I'm so broke at the moment I can't spring 5 bucks for one. I'll make do until I can get a cable if I have to but I thought I'd ask in case there's any common problem that I might check.
3) Should the S2 TyTools mentioned in Section 7 of "The COMPLETE HDVR2/DSR7000 How-To" work with the S2 SA unit?
-X
I am not a complete noob but I am not sure how to go about patching over a binary. Are you just opening the file up in a hex editor and finding/replacing the value?
Is there a thread i missed that talks about this.
MuscleNerd
09-03-2003, 05:41 PM
Yes, a hex editor would work just fine for this sort of thing.
So would a C program, a perl script, a Tcl script, emacs in hexl mode, and even a crafty bash script. Use whatever method you're most comfortable with.
ok cool. I thought you were somehow "decompiling the binary" which was odd because i know you can't recompile a decompiled binary without the original source.
You're just ripping the file up in a hex editor :) That I understand.
Thanks!
ok sorry i am asking to be spoon fed but i open up tivoapp in HexWorkshop.
If i go to the offset address then there is nothing resembling what you have there anywhere near it.
If i just search for the portion to be changed i find thousands of instances. :(
Any help would be greatly appreciated. On an up note this is fun.
MuscleNerd
09-03-2003, 09:45 PM
You're looking at offset 0xbe4448-0x400000 = 0x7e4448 ?
% dd if=tivoapp bs=1 skip=0x7e4448 count=4 2>/dev/null | hexdump -C | colrm 1 10
03 20 f8 09
NutKase
09-04-2003, 12:35 AM
Originally posted by MuscleNerd
Alrighty, and now for the info some of you have been waiting for. The magical address you want to patch over is:
0xbe4448
At least that's what it is in 4.0. It'll be close to that in 4.01.
The location should currently contain 0x0320f809. You want to change that to a 0x24020001. Here's the section of code, for context:
be442c: 8fbc0020 lw gp,32(sp)
be4430: 27a50040 addiu a1,sp,64
be4434: 27a40028 addiu a0,sp,40
be4438: 24060005 li a2,5
be443c: 3c190001 lui t9,0x1
be4440: 033cc821 addu t9,t9,gp
be4444: 8f39935c lw t9,-27812(t9)
be4448: 0320f809 jalr t9 ;: <memcmp>
be444c: 00000000 nop
be4450: 8fbc0020 lw gp,32(sp)
be4454: 10400064 beqz v0,0xbe45e8
be4458: 00000000 nop
So, how do you go about changing that? Just patch the tivoapp binary. Subtract 0x400000 from that magic address above to determine its offset into the ELF executable. I have a few tivoapp patch programs posted over at AVS. Someone may want to grab one as a template. Or come up with other ways to do it.
So am I to take from this that Extraction on 4.0 is good to go? If so I'm going there next :)
Also, what is 4.01? Am I looking at another software Update?
Should I worry more about 'protecting' my system from an update and having to start over or just continue 'adding' enhancements then ensure no updates occur and then backup?
I guess a sense of direction is in order. :)
NutKase
--------------------------------------------------------------------------------
SA S2 w/Bash/Telnet/FTP(not mfs_ftp) no kmem or extraction or /packages to /tmp
Post in the thread or feel free to pm me :rolleyes:
MuscleNerd
09-04-2003, 12:42 AM
4.01 is the update they're pushing down for the S2 SA's. It is mostly just a bunch of TV Guide logos all over the place. But it also includes the "grid-style" option for the guide.
I don't have 4.01, and the patch location will definitely change for that. Whenever someone gets the update, they can send me the tivoapp binary and I'll find the new patch location.
David Bought
09-04-2003, 01:13 AM
Originally posted by MuscleNerd
Whenever someone gets the update, they can send me the tivoapp binary and I'll find the new patch location.
Have you ever considered sharing a few of the techniques and reference points you use to develop tivoapp patches, instead of or in addition to providing the public with raw patch locations?
Many members of this forum thirst for knowledge and would be able to make important contributions to TiVo hacking if the experienced reverse engineers such as yourself would help "teach them to fish."
edit: changed "spoonfeeding" to a more neutral term
I am confused why wouldn't the kmem address all need to be changed in the update? Do they not update the kernel when they do these automatic updates?
mrblack51
09-04-2003, 11:59 AM
Originally posted by DjPK
I am confused why wouldn't the kmem address all need to be changed in the update? Do they not update the kernel when they do these automatic updates?
yes, the kernel gets updated. however, 4.0 is the start of their HMO option. when they push that, they have to keep the MPAA off their back, and one way is to make it 'more secure' so that they control where shows are sent, preventing the replaytv lawsuit. as such, they already knew that we bypassed the basic scrambling stuff in the kernel, so it only makes sense that tivoapp would do a check in newer versions to see if that bypass had been used.
the kernel doesn't always get updated between versions, except for the initrd. as such, the patch location could be the same if there weren't any kernel changes, only an initrd change. just have to wait and see.
mrblack51
09-04-2003, 12:03 PM
Originally posted by David Bought
Have you ever considered sharing a few of the techniques and reference points you use to develop tivoapp patches, instead of or in addition to spoonfeeding the public with raw patch locations?
Many members of this forum thirst for knowledge and would be able to make important contributions to TiVo hacking if the experienced reverse engineers such as yourself would help "teach them to fish."
Musclenerd: Bought is dead on with this. While the 'spoonfeeding' comment is a bit harsh, I definitely fall into the category of those 'thirst[ing] for knowledge' regarding tivoapp disassembly and exploration. Your contributions have been great in the past, and this latest patch is no exception.
Without the techniques, we simply sit at the feet of giants in awe. With the knowledge, we can stand on the shoulders of giants, and reach just that much farther.
TiVOBell
09-08-2003, 01:47 PM
David Bought, MrBlack,
I am trying to get my arms around the culture and expected behaviors here. I see the point about spoonfeeding. But...
As a compromise, would it hypothetically have been OK for MuscleNerd to post the memory location and the method by which he came upon it?
I just question the value of 100 people reinventing the same wheel every time.
mrblack51
09-08-2003, 03:56 PM
Originally posted by TiVOBell
David Bought, MrBlack,
I am trying to get my arms around the culture and expected behaviors here. I see the point about spoonfeeding. But...
As a compromise, would it hypothetically have been OK for MuscleNerd to post the memory location and the method by which he came upon it?
I just question the value of 100 people reinventing the same wheel every time.
There is nothing wrong with posting the memory location. Bought and I, as well as many others, were simply making a related request for the methods used to find the patch (after all, this is a dev board).
MuscleNerd
09-08-2003, 04:30 PM
It would be hard for me to sufficiently and clearly document everything I do related to reverse engineering. I just pull different things from the bag of engineering tricks I've accumulated over the years in unrelated projects. I don't use any commercial programs, etc. I use a lot of Perl. Everything beyond that is a huge can of worms, and it would take forever to explain it all in a post.
needo
09-08-2003, 04:32 PM
Originally posted by MuscleNerd
It would be hard for me to sufficiently and clearly document everything I do related to reverse engineering. I just pull different things from the bag of engineering tricks I've accumulated over the years in unrelated projects. I don't use any commercial programs, etc. I use a lot of Perl. Everything beyond that is a huge can of worms, and it would take forever to explain it all in a post.
Believe me I understand. Would it be possible for you to write up a quick howto patch the tivo app for us?
MuscleNerd
09-08-2003, 05:06 PM
Originally posted by needo
Would it be possible for you to write up a quick howto patch the tivo app for us?
printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=0x7e4448
That should be all you need. Of course, keep a backup handy...the above command will patch your tivoapp directly. Also, you can't patch the binary while it's actually running.
needo
09-08-2003, 05:40 PM
Originally posted by MuscleNerd
printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=0x7e4448
That should be all you need. Of course, keep a backup handy...the above command will patch your tivoapp directly. Also, you can't patch the binary while it's actually running.
Awesome! Now I must resist the urge to take my Tivo apart and do this. :)
maybe i am missing something.
I created a copy of tivoapp called tivonew and used the printf statement and replaced of=tivoapp with of=tivonew
I get a problem saying that 0x7e4448 is an invalid number....
What am i missing.
MuscleNerd
09-08-2003, 07:06 PM
Maybe your version of dd doesn't recognize hex values? Convert it to decimal and try that...
David Bought
09-08-2003, 07:15 PM
Originally posted by MuscleNerd
printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=0x7e4448
What version of dd are you using? None that I have ever used (currently I'm using the version from GNU coreutils 5.0) has properly handled hexadecimal arguments.
My best guess is that they are reluctant to use the obvious strtoul(..., 0) because it breaks compatibility with leading zeroes on decimal numbers.
MuscleNerd
09-08-2003, 07:37 PM
s1% uname -sr
OpenBSD 3.3
s1% echo 0123456789abcdef | dd bs=1 count=0x2 skip=0x6 2>/dev/null
67
s2% uname -sr
Darwin 6.6
s2% echo 0123456789abcdef | dd bs=1 count=0x2 skip=0x6 2>/dev/null
67
I do most of my tivo development on the Mac, and as shown above, I guess BSD-based systems accept hex arguments for dd. But you're right...I tried it on my linux system and it failed. (There's no "dd" option to print the version number in BSD, btw).
just to be on the safe side i got 8275016 from 0x7e4448
Yes?
MuscleNerd
09-08-2003, 07:53 PM
Yep!
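The exchange above turns on GNU dd rejecting hex operands and on the leading-zero ambiguity David Bought mentions. As an added example (not code from any poster in this thread; the helper names to_dec, va_to_off, bytes_at and write_if_match are hypothetical), these POSIX shell helpers convert offsets to decimal before dd sees them, read bytes back for comparison, and refuse to write unless the bytes currently at the offset are the expected ones. The sample file is constructed.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical helpers.

# Normalise an offset to decimal so every dd implementation accepts it.
# "0x..." is parsed as hex. Anything else must be all digits and is treated
# as decimal: leading zeros are stripped first, because shell arithmetic
# (like strtoul(..., 0)) would otherwise read 010 as octal 8.
to_dec() {
    case "$1" in
        0[xX]*)
            h=${1#0[xX]}
            case "$h" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
            echo "$((0x$h))" ;;
        ''|*[!0-9]*) return 1 ;;
        *)  n=$(printf '%s' "$1" | sed 's/^0*//')
            echo "${n:-0}" ;;
    esac
}

# Virtual address -> file offset by subtracting a load base, as described
# in the thread. Assumption: the segment that holds the address starts at
# file offset 0; in general the ELF program headers give the mapping.
va_to_off() {
    va=$(to_dec "$1") || return 1
    base=$(to_dec "$2") || return 1
    echo "$((va - base))"
}

# Print COUNT bytes at OFFSET of FILE as a lowercase hex string.
bytes_at() {
    r_off=$(to_dec "$2") || return 1
    dd if="$1" bs=1 skip="$r_off" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Overwrite bytes in place only if the bytes currently at OFFSET equal
# OLD_HEX (lowercase). NEW_HEX must have the same length, so the file size
# never changes. Usage: write_if_match FILE OFFSET OLD_HEX NEW_HEX
write_if_match() {
    w_off=$(to_dec "$2") || return 1
    [ "${#3}" -eq "${#4}" ] && [ "$(( ${#4} % 2 ))" -eq 0 ] || return 1
    cur=$(bytes_at "$1" "$w_off" "$(( ${#3} / 2 ))")
    if [ "$cur" != "$3" ]; then
        echo "refusing to write: found '$cur', expected '$3'" >&2
        return 1
    fi
    hex=$4
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}
        # printf octal escapes are POSIX; \x escapes are not.
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done | dd of="$1" bs=1 seek="$w_off" conv=notrunc 2>/dev/null
}

# Demo on a constructed 16-byte file (same test string as the post above).
demo=$(mktemp) && printf '0123456789abcdef' > "$demo"
echo "offset 0x6 -> $(to_dec 0x6), bytes: $(bytes_at "$demo" 0x6 2)"
rm -f "$demo"
```

Working on a copy and comparing the bytes read back with bytes_at against the disassembly listing is what catches an offset that has moved between software versions.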
Well that did it. Mnerd gave me the tserver binaries and the instructions for patching both the kernel with kmem and the tivoapp. I now have bash telnet ftp and video extraction.
Good Show!!!!
Now to learn how to do this. You said you use perl... Any particular modules that you use regularly??
Paul Kraus
MuscleNerd
09-08-2003, 08:19 PM
Originally posted by DjPK
Now to learn how to do this. You said you use perl... Any particular modules that you use regularly??
I don't use any modules, actually....partly because everything was done incrementally over time, without a clear goal :) The scripts just analyze/organize the objdump disassembly output (along with strings pulled from MFS).
Brace for another upgrade. Probably this fall.
http://customersupport.tivo.com/tivoknowbase/root/public/tv1053.htm?
Methinks they put something on the website a little early. But still, that was fast from 4 to 5. Probably for the Tivo Basic stuff.
-DPF
It took almost 5 hours to extract 1 stargate episode with tserver.
I am using a wireless 802.11 network.
Not complaining just trying to see if thats normal.
:) One more time Mnerd you ROCK!
MuscleNerd
09-10-2003, 07:11 PM
But still, that was fast from 4 to 5.
They were probably working on 5.0 even before 4.0 was released.
Xanthio
09-10-2003, 09:10 PM
Originally posted by MuscleNerd
They were probably working on 5.0 even before 4.0 was released.
The current software out now is 4.01-XXXetc? I'm curious because I want to be sure my software isn't updating and I remember MuscleNerd mentioned that there was a 4.01 ... especially want to make sure if there's another big update coming. Just getting this all tweaked to perfection don't need any surprises this soon :eek: !
-X
MuscleNerd
09-10-2003, 09:33 PM
TivoPony says that 5.0 is only going to be deployed on the DVD TiVos. It includes the limited "TiVo Basic" infrastructure, along with DVD-only functions.
Xanthio
09-11-2003, 08:18 PM
Originally posted by MuscleNerd
TivoPony says that 5.0 is only going to be deployed on the DVD TiVos. It includes the limited "TiVo Basic" infrastructure, along with DVD-only functions.
I'm still curious though if 4.01 is the current version on an updating S2SA unit, just to verify that there's been an update to the S2SA from 4.00 to 4.01. I don't care so much about the content of the update as I do confirming that my unit is successfully NOT updating.
-X
NutKase
09-13-2003, 02:07 AM
Originally posted by Xanthio
I'm still curious though if 4.01 is the current version on an updating S2SA unit, just to verify that there's been an update to the S2SA from 4.00 to 4.01. I don't care so much about the content of the update as I do confirming that my unit is successfully NOT updating.
-X
I have 4.0-01xxx on my SA S2 3.0-4.0 monte'd Bash FTP telnet unscrambled and TivoWeb(sort've, but locks up now and then and no Sendkey) System. Looking to get mfs_ftp and extraction confirmed soon.
I have not set up anything to STOP software updates so I'm in the same boat as you... Trusting :(
Can anyone confirm that I should spend my limited hours of TiVo hacking time in preventing updates or am I safe to continue with mfs_ftp and extraction activities?
NutKase
TiVOBell
09-13-2003, 06:56 PM
Originally posted by mrblack51
yes, the kernel gets updated. however, 4.0 is the start of their HMO option. when they push that, they have to keep the MPAA off their back, and one way is to make it 'more secure' so that they control where shows are sent, preventing the replaytv lawsuit. as such, they already knew that we bypassed the basic scrambling stuff in the kernel, so it only makes sense that tivoapp would do a check in newer versions to see if that bypass had been used.
the kernel doesn't always get updated between versions, except for the initrd. as such, the patch location could be the same if there weren't any kernel changes, only an initrd change. just have to wait and see.
OK, I got the 4.01 upgrade. My hacks are gone and I cannot play the old unscrambled recordings. I take this to mean that tivoapp was replaced.
I wonder what would happen if I put my old patched one back?
I will try to boot the MFStools disk and do a diff tonight to see if the new and old files are the same. Stay tuned.
Can anyone give some guidance on the diff command I would use to compare new and old kernels?
thx
NutKase
09-14-2003, 02:57 AM
Originally posted by TiVOBell
OK, I got the 4.01 upgrade. My hacks are gone and I cannot play the old unscrambled recordings. I take this to mean that tivoapp was replaced.
I wonder what would happen if I put my old patched one back?
I will try to boot the MFStools disk and do a diff tonight to see if the new and old files are the same. Stay tuned.
Can anyone give some guidance on the diff command I would use to compare new and old kernels?
thx
What happened? Did your patched copy of tivoapp work when you copied it to your 'new' 4.01 setup?
NutKase
TiVOBell
09-14-2003, 10:27 AM
I didn't try. I remembered that without a patched kernel it probably wouldn't work.
is your tivo monte'd.
I had a software upgrade but it still says pending restart. I have restarted 4 times and everything is still working great.
hmmmmm. Let me know what you find. What does this new version have to offer? What hacks does it kill?
Dj PK
NutKase
09-14-2003, 10:09 PM
Originally posted by DjPK
is your tivo monte'd.
I had a software upgrade but it still says pending restart. I have restarted 4 times and everything is still working great.
hmmmmm. Let me know what you find. What does this new version have to offer? What hacks does it kill?
Dj PK
Same here. Log says software is on the drive somewhere but when I check nothing's there and I get the pending restart so I reboot and it says finished. I'm just worried that I'll keep downloading the update and upset someone.
NutKase
TiVOBell
09-14-2003, 11:20 PM
No, no Monte. I had the prom hack.
I recovered OK though. I ran Killinitrd, then KMEM, and I copied my old patched tivoapp from the inactive partition. Everything works great.
NutKase,
Force an update the pending restart messages comes back. Anyone have any suggestions on how to handle this or what we should do?
Paul
NutKase
09-15-2003, 11:34 AM
Originally posted by DjPK
NutKase,
Force an update the pending restart messages comes back. Anyone have any suggestions on how to handle this or what we should do?
Paul
Yeah, I know. I'm looking through logs (tclient.log et al.) and can't see specific references that it's downloading 4.01 over and over but the 'pending restart' keeps coming back as well as a log entry that says...
-------------------------------------
Sep 13 11:54:11 (none) comm[128]: NewSoftware: SwSystem 4.0.1-01-2-140 is present but NOT active.
Sep 13 11:54:11 (none) comm[128]: UpdateStatus: status PendingRestart, phase 0, code 2
Sep 13 11:54:11 (none) comm[128]: NewSoftware: software is not active, new software will be installed at 02:00
------------------------------------
See the thread I started when I first noticed this at
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=27445
for more info and logs.
BREAK
DjPK, What version of tytools are you using and do you have a copy of an S2 setpri file that you can post? Do you successfully have mfs_ftp running? I'm stuck there (posts are in
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=23424&perpage=20&pagenumber=6
for more info) as it seems many others are. Where did you get good S2 mfs_export and mfs_stdimport files?
ronnythunder
09-15-2003, 12:57 PM
Originally posted by TiVOBell
No, no Monte. I had the prom hack.
I recovered OK though. I ran Killinitrd, then KMEM, and I copied my old patched tivoapp from the inactive partition. Everything works great.
:eek: as a general rule, this is a *very* bad idea. tivoapp is the heart of the tivo software, and is likely to be the component that's changed the most between releases. you're probably in the clear for now only because 4.0 -> 4.0.1 is such a minor change. if you tried that with a major upgrade, you'd probably hose things up bad enough to require a reload.
better would be to hexedit the tivoapp and look for the instruction that musclenerd patched, and update your patch. as he indicated, it should be pretty close to the location in the old app.
ronny
TiVOBell
09-15-2003, 01:12 PM
Thanks for that, it makes sense that this could be troublesome with a major update.
I was planning to try to find the new location this week. If I find it I will post it right away.
Thanks
TiVOBell
09-15-2003, 05:20 PM
Originally posted by ronnythunder
better would be to hexedit the tivoapp and look for the instruction that musclenerd patched, and update your patch. as he indicated, it should be pretty close to the location in the old app.
OK, I whipped out my hex editor and went through the file. I found the desired data at 0x7E4454. Just as MuscleNerd said, it was very near the 4.0 location (0x7E4448). I replaced "03 20 f8 09" with "24 02 00 01." I moved the file to the TiVo, chmodded it and rebooted. No Good. It would not play my unscrambled shows.
So next I tried " printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=8275028 " on the original tivoapp from bash. Still no good.
Not sure what else to try. I will PM MuscleNerd with the tivoapp file per his request, maybe I am missing something.
TiVOBell
09-16-2003, 12:29 PM
Originally posted by ronnythunder
:eek: as a general rule, this is a *very* bad idea. tivoapp is the heart of t