View Full Version : tivoapp patches and hacks



MuscleNerd
11-18-2003, 10:29 PM
Now that AVS prohibits talk on just about every interesting hacking topic, this forum seems to be the ideal place to post the sort of hacks you can do directly to tivoapp (the main TiVo application).

These hacks directly modify the tivoapp executable. Before applying any of them, you really should save away the original tivoapp so that you can go back to it should the need arise.

Because of the way permissions work in Linux, you cannot modify the binary image of an executable if it's still running. Therefore, one suggested way of applying any hacks in this thread goes something like this:
1. Get the hack over to your TiVo somehow and then make sure it's executable: chmod +x /var/hack/bin/somehack
2. Shut down the tivoapp program: cd /tvbin ; ./switcherstart -k
   (Wait for the prompt to reappear. Sometimes you have to hit a remote control key to get that to happen.)
3. Make the root filesystem writeable: mount -o remount,rw /
4. Save away the original tivoapp if you haven't already done so: cp tivoapp tivoapp.orig
5. Apply the hack: /var/hack/bin/somehack
6. Make the root filesystem read-only again and then reboot: mount -o remount,ro / ; reboot
Keep in mind that hacks that alter tivoapp are *very* specific to both the type of TiVo you have and the software version you're running.

MuscleNerd
11-18-2003, 10:32 PM
Also, feel free to make suggestions for hacks you'd like to see. I'll let you know how feasible they are.

MuscleNerd
11-18-2003, 10:34 PM
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot

MuscleNerd
11-18-2003, 10:52 PM
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that backdoors are permanently enabled.

MuscleNerd
11-18-2003, 11:28 PM
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that yellow star promo items are never shown in TiVo Central.

If you'd still like to see the promos recorded (but not show up as a menu item), then put "Teleworld Paid Programming" and "Advanced Paid Programming" in your Season Pass list. Then they'll show up as normal recordings.

sanderton
11-19-2003, 05:49 AM
Originally posted by MuscleNerd
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot

Can you suggest how to modify this to work on 2.5.5?

TheWickedPriest
11-19-2003, 01:59 PM
Originally posted by MuscleNerd
Because of the way permissions work in Linux, you cannot modify the binary image of an executable if it's still running.

Although you can't modify the original tivoapp while it's running, you can rename it ("mv"). Here's what I did when making 30-sec skip the default:

1. FTP tivoapp to my PC.
2. Hexedit it.
3. Rename it "tivoapp.new".
4. (remount tivo root as read-write)
5. FTP tivoapp.new to tivo.
6. Telnet to tivo and do:
7. "mv tivoapp tivoapp.org"
8. "mv tivoapp.new tivoapp"
9. (remount as read-only)
10. restart

After renaming, the original tivoapp will still be used until a restart, or it's killed.

MuscleNerd
11-19-2003, 02:12 PM
Originally posted by sanderton
Can you suggest how to modify this to work on 2.5.5?
If you can somehow get me a copy of the 2.5.5 tivoapp, I can take a look at it and see if I find similar code to patch.

MuscleNerd
11-19-2003, 02:14 PM
Yeah, TheWickedPriest makes two good points: you don't have to run these hacks directly if you're comfortable hex-editing (see the source code for the location to hex-edit), and you can use "mv" instead of "cp" if you want, in which case you don't need to shut down the switcher (but you'll still need to reboot afterwards, and don't forget to make that partition read-only before you reboot).

mikey
11-19-2003, 11:15 PM
Greetings,
Let me apologize in advance for the long post.

A Request:

If you get a few minutes could you post your permanent backdoor hack for a 3.0 SA Phillips HDR. I've already gotten it, but that was because a nice person emailed it to me, thanks again. I noticed that a few other people had posted that they too were a few days too late to download it and your other hacks at "the other forum" :)

One suggestion:

A choice of how to sort the now playing list at boot would be a great hack in my opinion.

A Few Hex Editing Questions:

When hex editing (please be nice, as I am a complete newbie at this) with Hex Workshop or UltraEdit, how do I know where to find the location of some of these settings? I know I can look at your source code and find the location that way, but I see garbled or meaningless (at least to me) text on the right hand side of the addresses. Is there a setting I'm missing in both programs, or is this a "programmers only" area?

Will the Tivo boot to serial bash with an incorrectly edited tivoapp? In other words if I screw it up will I have to pull the drives to restore the old tivoapp or will I have to completely restore from a backup?


Thanks for the great hacks,
Mikey

MuscleNerd
11-20-2003, 12:45 AM
This is the Series 1 v3.0 version of the backdoor hack described earlier.

MuscleNerd
11-20-2003, 12:56 AM
Originally posted by mikey
If you get a few minutes could you post your permanent backdoor hack for a 3.0 SA Phillips HDR.
No problem...I just posted it above.

One suggestion: A choice of how to sort the now playing list at boot would be a great hack in my opinion.
Okay I'll look into that when I can.

And as for hex editing...most hex editors show the hex values in the left columns as ASCII characters in the right columns, so that you can easily identify strings. But the sections of the program these patches affect don't usually contain strings...they're all PowerPC or MIPS instructions. Those instructions just look like gibberish on the right hand side.

If you want to actually decode the values as instructions, you'd use a disassembler, not a hex editor. A disassembler would show the values around that backdoor patch as:

1b8ed38: 7f 64 db 78 mr r4,r27
1b8ed3c: 48 00 02 41 bl 0x1b8ef7c
1b8ed40: 83 9f 00 08 lwz r28,8(r31)

NutKase
11-20-2003, 03:00 AM
Originally posted by MuscleNerd
You'd use a disassembler,

What disassembler do you use? Olly is win32 only. Haven't tried IDA.

[EDIT] IDA 4.3.0 works fine.

NutKase

mrblack51
11-20-2003, 05:24 AM
Originally posted by NutKase
What disassembler do you use? Olly is win32 only. Haven't tried IDA.

NutKase

um, i don't think olly supports mips or ppc, regardless of whether it's windows only or not.

NutKase
11-20-2003, 09:49 AM
Originally posted by mrblack51
um, i don't think olly supports mips or ppc, regardless of whether it's windows only or not.

I guess I wasn't clear; I meant x86. Anyway, IDA has several options for mips:

mipsb=Little endian
mipsl =Big endian (I think this one.)
and mipsr=Didn't find much on this one.

Which do I use? I've tried them all and I get:

IDA kernel and IDP module mips.w32 are not compatible. There are tons of other setup options that I may be missing for IDA though. Any ideas.

NutKase

MuscleNerd
11-20-2003, 10:44 AM
I just use objdump, cross compiled as appropriate.

Series 1 is PowerPC. Series 2 is Big-Endian MIPS.

MuscleNerd
11-20-2003, 05:56 PM
This is the Series 1 v2.5.5 version of the 30-sec skip hack described earlier (for UK TiVo owners).

sanderton
11-21-2003, 05:52 AM
Brilliant, thanks!

sanderton
11-21-2003, 06:00 PM
TiVoApp patched to 30 second skip on my UK 2.5.5 box - cheers MuscleNerd.

mrblack51
11-21-2003, 06:39 PM
well, other than having the hacks ported to the mips 3.1.1b tivoapp (well, 4.0 would be better i suppose, or maybe 5.2), how about having the SORT backdoor enabled on 3.x systems by default?

dah31
11-23-2003, 02:49 AM
I'm new to MIPS, and I've been playing with IDA on some of the smaller binaries from 4.0. MIPS doesn't seem too bad, not too different from PowerPC or ARM, but I am flummoxed over one thing.

Seemingly every function (based on what I've read elsewhere, it should be every object module) has its own GOT pointer. How do I reconcile these pointers (in the 0xf00 0000 range) with the single huge GOT section in the executable? It's a bit hard to figure out what's going on when all the data references look like

li $gp, 0xf00dbad
lw $v0, -0x7b90($gp)

REC and objdump are no more helpful.

--
dah31

MuscleNerd
11-23-2003, 05:48 AM
Originally posted by dah31
Seemingly every function (based on what I've read elsewhere, it should be every object module) has its own GOT pointer.
It might look like that at first glance, but if you add together the call address of the subroutine (stored in t9) and the value loaded into the gp at the start of the routine, you'll end up with the same GOT value in each subroutine.

For instance:

402c84: 3c1c0fc6 lui gp,0xfc6
402c88: 279cbaec addiu gp,gp,-17684
402c8c: 0399e021 addu gp,gp,t9

0xfc6baec + 0x402c84 = 0x1006E770

Then, the next subroutine begins:

402d10: 3c1c0fc6 lui gp,0xfc6
402d14: 279cba60 addiu gp,gp,-17824
402d18: 0399e021 addu gp,gp,t9

0xfc6ba60 + 0x402d10 = 0x1006E770

So the same GOT address ends up in the gp after the third instruction of each function.
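The prologue arithmetic above carried out in code, as an added example that is not from MuscleNerd's post or from any TiVo software (the field decoding, register numbers and the sample lw encoding are mine; the two prologues and their entry addresses are the ones quoted above). One point the code makes explicit: the addiu immediate is a sign-extended 16-bit value, so -17684 is subtracted from 0x0fc60000 rather than 0xbaec being appended to it. With that, both prologues still agree on a single gp, 0x1005e770, which is 0x10000 below a straight concatenation of the two immediates; that difference is the same 0x10000 that dah31's IDC script ends up compensating for further down the thread.

```python
import struct

GP, T9 = 28, 25          # MIPS register numbers for $gp and $t9


def sext16(v):
    """Sign-extend a 16-bit immediate the way addiu/lw/sw do."""
    v &= 0xffff
    return v - 0x10000 if v & 0x8000 else v


def fields(word):
    """Split a 32-bit MIPS instruction word into its encoding fields."""
    return {
        "op": word >> 26,
        "rs": (word >> 21) & 31,
        "rt": (word >> 16) & 31,
        "rd": (word >> 11) & 31,
        "funct": word & 63,
        "imm": word & 0xffff,
    }


def gp_from_prologue(func_addr, code):
    """Return the $gp a function establishes with the standard
    lui/addiu/addu prologue, given its entry address (the value the caller
    left in $t9) and its first 12 bytes of big-endian code."""
    lui, addiu, addu = (fields(w) for w in struct.unpack(">3I", code[:12]))
    if lui["op"] != 0x0f or lui["rt"] != GP:
        raise ValueError("expected lui gp,hi")
    if addiu["op"] != 0x09 or addiu["rs"] != GP or addiu["rt"] != GP:
        raise ValueError("expected addiu gp,gp,lo")
    if (addu["op"] != 0 or addu["funct"] != 0x21 or addu["rd"] != GP
            or {addu["rs"], addu["rt"]} != {GP, T9}):
        raise ValueError("expected addu gp,gp,t9")
    gp = (lui["imm"] << 16) + sext16(addiu["imm"])   # lo half is sign-extended
    return (gp + func_addr) & 0xffffffff


def gp_slot(gp, word):
    """Resolve a gp-relative lw/sw (e.g. lw $v0,-0x7b90($gp)) to the
    absolute address of the GOT slot it touches."""
    f = fields(word)
    if f["op"] not in (0x23, 0x2b) or f["rs"] != GP:   # 0x23 = lw, 0x2b = sw
        raise ValueError("not a gp-relative lw/sw")
    return (gp + sext16(f["imm"])) & 0xffffffff


# The two prologues quoted above (functions at 0x402c84 and 0x402d10), as raw
# big-endian words.
PROLOGUE_A = bytes.fromhex("3c1c0fc6279cbaec0399e021")
PROLOGUE_B = bytes.fromhex("3c1c0fc6279cba600399e021")
# lw $v0,-0x7b90($gp): encoding constructed here for the demonstration.
LW_V0_GP = 0x8f828470

if __name__ == "__main__":
    gp_a = gp_from_prologue(0x402c84, PROLOGUE_A)
    gp_b = gp_from_prologue(0x402d10, PROLOGUE_B)
    print(f"gp from first prologue:  {gp_a:#010x}")
    print(f"gp from second prologue: {gp_b:#010x}")
    print(f"lw $v0,-0x7b90($gp) reads the slot at {gp_slot(gp_a, LW_V0_GP):#010x}")
```

Once gp is known, every `-0xNNNN($gp)` displacement in the listing can be turned into an absolute GOT slot with gp_slot, which is what makes the indirect calls through $t9 readable.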

MacGyver
11-23-2003, 06:55 AM
MuscleNerd...I don't suppose you've got a version that can permanently enable 30 second skip on 3.0 TiVos? It would be greatly appreciated.

On a related note...is there a way I can permanently enable sorting options in Now Playing instead of having to enable it on each reboot on 3.0?

And last, but not least...is there a way to permanently enable 'show suggestions' and 'show scheduled suggestions' for 3.0?

Patches to do all those things would eliminate my need to use something like TCS or a wacky cron job with lots of 'sleep' cycles and let me just enjoy my TiVo. :)

MuscleNerd...I followed you over here from AVS -- don't let them get you down...they're a bit overzealous at times, but you've always been a great resource to the rest of us...thanks so much.

dialanothernumb
11-23-2003, 02:15 PM
I think I know how likely this is but what the heck, I'll ask anyway!

How possible would it be to create folders for tivoapp? I imagined something like: sorting recordings into folders on TiVoweb, then having them mapped out like this in NowPlaying (or Now Showing!)

You might guess I'm using 2.5.5 for UK. Our software is likely to go precisely nowhere without hacks like this so I'm grateful for what's been produced already. Folders, like our American cousins have would be icing (or frosting) on the cake...

dah31
11-23-2003, 04:34 PM
Originally posted by MuscleNerd
It might look like that at first glance, but if you add together the call address of the subroutine (stored in t9) and the value loaded into the gp at the start of the routine, you'll end up with the same GOT value in each subroutine.


Ah! Thanks!

Here's an IDC routine to do this in IDA:

// This routine converts all operands (second position or later) between two limits
// to offsets from a GOT base pointer.
//
// This works on either a selection or a single instruction.

#include <idc.idc>

static main() {
    auto addr;
    auto operand;
    auto i;
    auto start_addr;
    auto end_addr;
    auto lower_limit;
    auto upper_limit;
    auto GOT_base;

    // configure these to taste
    lower_limit = -0x8000;
    upper_limit = -0x5800;
    GOT_base = 0x1006e770;

    // operate on the current selection, or on the instruction under the cursor
    start_addr = SelStart();
    if (start_addr == BADADDR) start_addr = ScreenEA();
    end_addr = SelEnd();
    if (end_addr == BADADDR) end_addr = ScreenEA();

    // walk the instruction heads; a second operand inside the limits becomes a GOT offset
    for (addr = start_addr; addr <= end_addr; addr = NextNotTail(addr)) {
        Jump(addr);
        operand = GetOperandValue(addr, 1);
        if (operand > lower_limit && operand < upper_limit) OpOff(addr, 1, GOT_base);
    }
}

--
dah31

dah31
11-23-2003, 05:02 PM
Originally posted by dah31
if (operand > lower_limit && operand < upper_limit) OpOff(addr, 1, GOT_base);
}
}

I had to change that line to

if (operand > lower_limit && operand < upper_limit)
    OpOffEx(addr, 1, REF_OFF16, -1, GOT_base, 0x10000);
}
}

For some reason (bad arithmetic, looks like), IDA was giving me addresses 0x10000 too great, telling me TiVo was calling routines whose addresses came from bss.... :rolleyes:

--
dah31

dah31
11-23-2003, 08:50 PM
Originally posted by dah31
Jump(addr);

Also delete this line for a couple of orders of magnitude faster performance. :p

--
dah31

uktivo
11-24-2003, 07:12 AM
where can I get my hands on a copy of tivoapp for UK 2.5.5 ??

sanderton
11-24-2003, 09:59 AM
Er, TiVoApp is the software that runs your TiVo?

vu2vu
11-24-2003, 11:09 AM
Superzap would be the one to consult regarding these hacks. He has already done them. Download a version of xplusz and you will see all the files inside. I applied his binary patch for ebd and 30 sec skip. He has them for every version of dtivo s1 tivo os up to 3.1 I think. Superzap has developed a naming convention that takes some time to accept, but I think I have it figured out.

Edit: After checking with the xplusz readme it appears that the binary patches belong to Musclenerd. He deserves all the credit.

To apply the hack you want, locate the proper file.

Files starting with EBD are for enabling backdoors.

Files starting with T30 are for toggling 30 sec skip.

The value after EBD or T30 is very important: a value of 0 means disable, a value of 1 means enable.

The numbers after the 0 or 1 refer to software version. 25, 252, 310.

The last letters always end in sz, standing for superzap, thanks buddy.

So if you wanted to enable 30 sec skip you would use T301252sz.

To apply the patch you type

switcherstart -k (wait to receive command prompt)
cp /tvbin/tivoapp /tvbin/tivoapp.bak (always good to backup original)
./T301252sz (assumes that T301252sz is in your tvbin folder)
reboot

MuscleNerd
11-24-2003, 01:18 PM
Originally posted by vu2vu
Superzap would be the one to consult regarding these hacks. He has already done them.
And I'm assuming he did them based on the patches I provided. But anyway, where is the source code for those binaries?

emu
11-25-2003, 03:41 AM
Originally posted by MuscleNerd
And I'm assuming he did them based on the patches I provided. But anyway, where is the source code for those binaries?

Hmm, he did that a long time ago.. think the noobs might have run him off.

:)

MuscleNerd
11-25-2003, 03:46 AM
Originally posted by emu
Hmm, he did that a long time ago.. think the noobs might have run him off.
Heh, that's ok...it was sort of rhetorical anyway. I was amused by the claim that he came up with the patches to begin with.

NutKase
11-25-2003, 03:50 AM
Originally posted by emu
Hmm, he did that a long time ago.. think the noobs might have run him off.

:)

What does this mean? Was the source posted?

NutKase

MuscleNerd
11-25-2003, 03:54 AM
Originally posted by NutKase
What does this mean? Was the source posted?
Oh the source has been posted, but not by superzap...by me. A simple examination of "strings" run against the binaries should convince you that these are my patch programs, just spread across multiple flavors. Don't forget, I had these patches over on AVS for a long time, before I picked up and left there.

When other people get credit for your work, it really does make closed-source look more appealing.

NutKase
11-25-2003, 04:01 AM
Originally posted by MuscleNerd
When other people get credit for your work, it really does make closed-source look more appealing.

No. I meant any 'superzap' source. I have no doubt that he used your patches.

NutKase

PS. Don't do it... err, move to the 'closed' dark side :) I'm nowhere near you yet but if I can ever get an fscking x-compiler working I'll help.

vu2vu
11-25-2003, 06:41 AM
Originally posted by MuscleNerd
And I'm assuming he did them based on the patches I provided. But anyway, where is the source code for those binaries?

Musclenerd, after careful examination of the xplusz readme it turns out that he did give you credit for it. I have deleted my attachment because no credit was given inside. It was my mistake for assuming that superzap wrote the patches because he ended all of his file names with sz for superzap. MuscleNerd, I hope you don't stop creating open source software; it would be a real shame to lose you over a misunderstanding on my part.

MuscleNerd
11-25-2003, 11:20 AM
Oh ok cool....no harm, no foul :)

mikey
11-26-2003, 12:26 AM
I just wanted to say thanks MuscleNerd for the great patches.
Mikey

NutKase
11-26-2003, 12:50 AM
Originally posted by dah31
I'm new to MIPS, and I've been playing with IDA on some of the smaller binaries from 4.0.

Which version of IDA? I'm getting errors as mentioned in this thread. Are there settings I need to change for mips? Do you use mipsb (correct I think) mipsr or mipsl as cpu setting?

NutKase

scanman0
11-26-2003, 02:42 AM
Am I the only one here who still runs 2.52?
If someone could PM me with the patch that prevents me from wanting to go forward, I'd be most grateful, as the Tivo tier is not something I want to deal with...:confused:

mrblack51
11-26-2003, 02:45 AM
Originally posted by scanman0
Am I the only one here who still runs 2.52?
If someone could PM me with the patch that prevents me from wanting to go forward, I'd be most grateful, as the Tivo tier is not something I want to deal with...:confused:

bypassing the tivo tier is purely service theft related, as any legitimate sub should have it. therefore, it really isn't appropriate for discussion here.

vu2vu
11-26-2003, 04:42 AM
You're not the only one running 252, I actually prefer it. I haven't found any reason to upgrade yet. Read my post above, you can find all the MuscleNerd's patches for tivo 2.5 - 3.1 inside superzap's xplusz program. They are all compiled and ready to go. The file you're looking for is T301252sz.


Originally posted by scanman0
Am I the only one here who still runs 2.52?
If someone could PM me with the patch that prevents me from wanting to go forward, I'd be most grateful, as the Tivo tier is not something I want to deal with...:confused:

MacGyver
11-27-2003, 05:31 AM
That's great for people with DTivos...but what about those of us with SA TiVos running 3.0...anyone got a copy of the patch utility for skip30?

Too bad nobody bothered to archive all of MuscleNerd's great contributions. :(

deebo
11-27-2003, 11:10 AM
I would be interested in the script to modify SA 3.0 to enable 30 second skip as well. It looks like it was posted on AVS but has been removed. In the meantime MacGyver you can look here (http://www.tivocommunity.com/tivo-vb/showthread.php?s=&threadid=139929&highlight=script+30+second+skip) for a script that enables 30 sec skip at bootup using sendkey commands. It is nowhere near as good as MuscleNerd's method, but better than nothing.

NutKase
11-27-2003, 02:26 PM
Originally posted by MacGyver
That's great for people with DTivos...but what about those of us with SA TiVos running 3.0...

Which SA TiVos are still running 3.0? S1's?

NutKase

deebo
11-27-2003, 10:04 PM
I have a Phillips SA Series 1 that is running 3.0.

MacGyver
11-27-2003, 11:37 PM
deebo,

Thanks for the pointer...I'm aware of the script method (I actually use TCS to do it currently)...but as you pointed out, it's nowhere near as effective as a binary hack would be.

Speaking of which...can someone PM me or point me to where I can get a copy of tivoapp for my SA TiVo (Sony SVR-2000 running 3.0-01-1-010)? Why do I ask? Apparently my hard drive must be going bad because every time I try to make a copy of tivoapp, the drive starts timing out and reports a variety of IDE errors when it gets about halfway through copying the file. I'd like to have a clean, working copy to start from as I start the process of reimaging my drives.

Thanks.

MuscleNerd
11-28-2003, 02:26 AM
This is the Series 1 v3.0 version of the 30-sec skip mode hack described earlier.

MuscleNerd
11-28-2003, 02:30 AM
Originally posted by AVD
I have a sony SVR-2000 tivo with software version 3.0-01-1-010. Now you are referencing version 3.1b software.
Do I have the latest software, or am I all confused?
3.0 (aka 3.0-01-1) is the latest (but still kinda old) version of the software for your S1 SA.

The 3.1.0b software is the latest for the S1 dtivos (and 3.1.1b is the latest for the S2 dtivos)

MuscleNerd
11-28-2003, 06:23 AM
This patch makes the Now Showing sorting backdoor default to "enabled". You can still toggle it off or on using the normal backdoor sequence.

Originally posted by MacGyver
MuscleNerd...is there a way I can permanently enable sorting options in Now Playing instead of having to enable it on each reboot on 3.0?

MuscleNerd
11-28-2003, 06:44 AM
This is the Series 1 v3.0 version of the yellow star hack described earlier.

compwiz312
11-28-2003, 12:58 PM
Musclenerd, you are officially the greatest.

Thanks for the great hacks.

SR712
11-28-2003, 01:41 PM
I think I've found a couple of the offsets for DTiVo ver 2.5.2.

For the Backdoor hack it is at 0x3FEBD4 and
for the NoPromo hack it is at 0x025990.

MuscleNerd- Thanks for including the C code. It is very helpful.

dah31
11-28-2003, 11:46 PM
Originally posted by NutKase
Which version of IDA? I'm getting errors as mentioned in this thread. Are there settings I need to change for mips? Do you use mipsb (correct I think) mipsr or mipsl as cpu setting?

This is IDA 4.3.0. I set the CPU type to auto (or metapc or whatever it's called), and it was automatically detected as mipsb/big-endian MIPS, which agrees with the ELF header.

However, these instructions don't seem to make sense to me in big-endian mode. Have I mixed up left and right again?

.text:00DE204C lwl $v0, 0($a0)
.text:00DE2050 lwr $v0, 3($a0)
.text:00DE2054 lwl $v1, 4($a0)
.text:00DE2058 lwr $v1, 7($a0)

Based on the charts on pages 451 and 455 of the VR5432 User's Manual, this should have roughly the same effect as

lw $v0, 0($a0)
lw $v1, 4($a0)

Also, I was going to ask about apparent jumps to 0, like

.text:005ABDA0 lw $t9, (off_10057088+0x10000 - GOT_base)($t9)
.text:005ABDA4 jalr $t9
.text:005ABDA8 nop
[...]
.got:10057088 off_10057088: .word 0 # DATA XREF: sub_5AB9F8+3A8r
.got:10057088 # sub_E43A38+E4o ...

but I've figured out that these are supposed to be library calls (ioctl and friends). Only thing is, I can't find the data that will fill in these blanks. Still, I can guess for now.

--
dah31
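The lwl/lwr pair from the listing simulated in code, as an added example that is not from dah31's post or from any TiVo code (the memory image is constructed; the semantics are those of big-endian MIPS). It shows that lwl $v0,0($a0) followed by lwr $v0,3($a0) produces exactly the word a big-endian lw would load when $a0 is aligned, and still produces the right word when $a0 is not, which a plain lw cannot do; the pair is the compiler's unaligned-load idiom rather than a mistake in the disassembly.

```python
def lwl_be(mem, ea, rt):
    """Big-endian lwl: fetch from EA through the end of its aligned word into
    the most-significant bytes of rt; the remaining low bytes keep their value."""
    n = 4 - (ea & 3)                               # bytes fetched: 4 when aligned
    loaded = int.from_bytes(mem[ea:ea + n], "big") << (8 * (4 - n))
    keep_mask = (1 << (8 * (4 - n))) - 1           # low bytes lwl leaves alone
    return (loaded | (rt & keep_mask)) & 0xffffffff


def lwr_be(mem, ea, rt):
    """Big-endian lwr: fetch from the start of EA's aligned word through EA into
    the least-significant bytes of rt; the high bytes keep their value."""
    n = (ea & 3) + 1                               # bytes fetched: 4 when EA is the last byte
    loaded = int.from_bytes(mem[ea - n + 1:ea + 1], "big")
    keep_mask = ~((1 << (8 * n)) - 1) & 0xffffffff  # high bytes lwr leaves alone
    return (loaded | (rt & keep_mask)) & 0xffffffff


def ulw_be(mem, addr):
    """The lwl rt,0(base) / lwr rt,3(base) pair: a 32-bit big-endian load
    that works at any alignment."""
    rt = 0
    rt = lwl_be(mem, addr + 0, rt)
    rt = lwr_be(mem, addr + 3, rt)
    return rt


def ulw_pair(mem, a0):
    """The four instructions from the listing: $v0 from 0($a0), $v1 from 4($a0)."""
    return ulw_be(mem, a0), ulw_be(mem, a0 + 4)


def lw_be(mem, addr):
    """Plain lw, which traps on an unaligned address on real hardware."""
    if addr & 3:
        raise ValueError("lw needs a word-aligned address")
    return int.from_bytes(mem[addr:addr + 4], "big")


# Constructed 16-byte memory image: byte i holds 0x10 + i, so any word read
# back shows at a glance which bytes it came from.
MEM = bytes(range(0x10, 0x20))

if __name__ == "__main__":
    for a0 in range(4):
        v0, v1 = ulw_pair(MEM, a0)
        print(f"$a0={a0}: $v0={v0:#010x} $v1={v1:#010x}")
    print(f"aligned lw at 0: {lw_be(MEM, 0):#010x}")
```

For $a0 = 0 the pair and lw agree; for $a0 = 1 the pair returns 0x11121314, the four bytes starting at address 1, while lw would fault.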

NutKase
11-29-2003, 05:05 AM
Originally posted by dah31
This is IDA 4.3.0. I set the CPU type to auto (or metapc or whatever it's called), and it was automatically detected as mipsb/big-endian MIPS, which agrees with the ELF header.

However, these instructions don't seem to make sense to me in big-endian mode. Have I mixed up left and right again?

Heck, I was just trying to figure out which version of IDA I need to get a hold of; mine is 4.17 and although it says it'll handle mipsb it errors out.

You're doing good work BTW.

NutKase

mrblack51
12-06-2003, 02:07 PM
Musclenerd: if you could find the patch for 3.1.0b that enables advanced wishlists, that would be sweet. you can enable them via the node navigator, option 30, and then the menu...but a patch would be cool (or if you could tell us what change is made to the mfs due to that menu option). thanks

ajhrefugee
12-07-2003, 04:38 PM
Has anyone found the nopromo and sorting offsets for 3.1.0? I've been looking over the disassembly but I really have nothing to compare it to.

burbinator
12-13-2003, 05:06 AM
Since there hasn't been posted a yellow star removal hack for 3.1.1b, I wonder if changing the following string in tivoapp from:

/MenuItem/%d/%08x:%05d

to

/MenuItem_%d/%08x:%05d

would safely kill the yellow star ads...

fr3d
01-05-2004, 03:24 PM
MuscleNerd - I was wondering if you had already figured out the patch for 30 second skip for the 4.0 Tivo App; this would be useful since the SendKeys doesn't appear to be working in this release.

I also read in another thread that there is a known patch for fixing parental controls for 4.0 on HDVR2s?

Not to be a bother but if you have figured out the right addresses already it would save me some work :)

David Bought
01-06-2004, 01:34 PM
MuscleNerd - I was wondering if you had already figured out the patch for 30 second skip for the 4.0 Tivo App; this would be useful since the SendKeys doesn't appear to be working in this release.

I also read in another thread that there is a known patch for fixing parental controls for 4.0 on HDVR2s?

Not to be a bother but if you have figured out the right addresses already it would save me some work :)

NO BEGGING FOR HANDOUTS WILL BE TOLERATED IN THE EXPERT FORUM.

You have three options:

1) Do your own damn work.

2) Get out of our way.

3) Open the attached file to get the patches you seek. Key is sprintf("david bought owns me %08x", n), 0 <= n < 2^32

splitsec
01-06-2004, 08:05 PM
Welcome back DB! :)


NO BEGGING FOR HANDOUTS WILL BE TOLERATED IN THE EXPERT FORUM.

While I agree that is what one would expect to see, except the originator of this thread said (in the second post):

Suggestions
Also, feel free to make suggestions for hacks you'd like to see. I'll let you know how feasible they are.

So I can't really blame the guy for asking... Perhaps this thread should be moved to another forum?

Split

sanderton
01-09-2004, 01:54 PM
MuscleNerd, a useful patch for 2.5.2 and 2.5.5 TiVos would be to fix the mwstate bug:

http://www.dealdatabase.com/forum/showthread.php?t=27366

I've hex-edited mine, but I'm working on an app which needs it fixed and I don't really want to put hexediting instructions in the readme. :)

RUBiK
01-13-2004, 11:00 PM
Not complaining, just searching...

No S2 DTiVo tivoapp patches publicly available, currently? Or is there another thread I'm missing on here?

(Again, not trying to be an ass... Just got started with S2 stuff after doing S1 hacking for a few years and I'm having a hard time finding any S2 tivoapp hacks, which leads me to believe there just aren't any.. public ones..)

I also don't need to be spoonfed and would gladly help find the 4.x offsets if the 3.x ones are known/given, etc. (or the other way around -- I'm able to disassemble and browse through MIPS binaries using IDA PRO and a cross compiled disassembler)

TIA.

NutKase
01-13-2004, 11:42 PM
I also don't need to be spoonfed and would gladly help find the 4.x offsets if the 3.x ones are known/given, etc. (or the other way around -- I'm able to disassemble and browse through MIPS binaries using IDA PRO and a cross compiled disassembler)

The only ones I know about are the 4.0 and 4.0.1 tivoapp 'play unscrambled video' ones.

I'm still learning IDA and don't have a X-compiled disassembler working yet.

Good Luck

NutKase

grog54321
01-27-2004, 12:59 PM
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot
Is there a skip30 patch for S1 v3.1.0? I searched but couldn't find one.

Thanks

ronnythunder
01-28-2004, 03:24 PM
since nobody else has done so, here's the skip30 that's been modified to do the 30 second skip hack for s2 3.1.1b. it also has the address to do 3.1.1, but you'd have to edit the source and rebuild for that. source and mips binary included; verified to work on a dsr7k.

ronny

gorilla daddy
01-30-2004, 02:20 AM
Thanks Musclenerd and others for setting me off on the right path with regards to MIPS $gp relative indirect function calls. I was able to disassemble one of the tivo apps and resolve all function calls and generate a cross reference.

I don't know how strings in the readonly data segment are referenced. I haven't been able to resolve any references; I'm not even sure what they look like. Is it also $gp relative indirect addressing? Or something else, maybe a single table of pointers to every .rodata item starting address? Dunno.

A sample disassembly of a reference to an .rodata string, along with a brief explanation, would be really welcome!

thanks guys,

GD

AlphaWolf
02-01-2004, 03:41 AM
Could somebody post a searchable (16 or so) byte signature for the backdoors patch on an S2 binary of tivoapp, along with what it should be replaced with?

I'd like to apply it to two different versions of tivoapp for S2, and I don't have any other binaries to compare against.

NutKase
02-01-2004, 01:25 PM
Could somebody post a searchable (16 or so) byte signature for the backdoors patch on an S2 binary of tivoapp, along with what it should be replaced with?

I'd like to apply it to two different versions of tivoapp for S2, and I don't have any other binaries to compare against.

Sounds like we're in the same boat. :)

I'd actually like an ftp of an earlier version (already backdoor patched) of tivoapp to diff several hacks from.

NutKase

PS. Anyone?

Sincere0219
02-10-2004, 01:22 AM
hey iago check these 2 sites out http://www.powerzip.biz/ and http://www.gnupg.org/documentation/ i still havent figured out if you do let me know

acr2001
02-20-2004, 02:35 AM
To everyone asking people to post hacks:
If you can't find a 30 sec skip, SORT, etc hack for your tivo you can always use SendKey to emulate the remote after the tivo completes its bootup. It's a dirty way to do it, but it works well for me.
Just my 2 cents.

MuscleNerd
02-20-2004, 03:10 PM
SendKey won't work for software versions 4.0 or higher. That functionality has been removed from those versions.

scottjf8
03-09-2004, 01:39 PM
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot

<noob>
How do I install this? Just FTP it to my /var/hack and chmod +x it and run it?
</noob>

David Bought
03-09-2004, 04:12 PM
<noob>
How do I install this? Just FTP it to my /var/hack and chmod +x it and run it?
</noob>

Wrong.

Regardless, this is not a question for the EXPERT forum so it will not be answered here.

scottjf8
03-09-2004, 10:58 PM
My bad - I am now (again, noob!) but I am getting:
tivoapp: Text file busy

But i'll keep playing around.

Do you know if there is a similar hack for the Clock (SPS9S) ?

mrblack51
03-09-2004, 11:53 PM
My bad - I am now (again, noob!) but I am getting:
tivoapp: Text file busy

But i'll keep playing around.

Do you know if there is a similar hack for the Clock (SPS9S) ?

do not ask support questions in the experts forum - this is not a place to "ask the experts"

scottjf8
03-10-2004, 10:12 AM
I know - I figured it out and got it working...

my only question was, is there a similar hack for doing the SPS9S (show the clock) on by default?

David Bought
03-10-2004, 10:42 AM
I know - I figured it out and got it working...

my only question was, is there a similar hack for doing the SPS9S (show the clock) on by default?

Are you having trouble reading? Let me spell it out for you:

ASK YOUR NEWBIE QUESTIONS IN THE NEWBIE FORUM. GET THE HELL OUT OF THIS THREAD NOW.

Your posts will be deleted shortly. If you pull this shit again you will be banned.

bbsux
03-12-2004, 02:04 PM
Just wanted to ask if there is a Nopromo patch that will work on the S1 Dtivo version 3.10 (no 'b')?

Thanks for your help...

David Bought
03-12-2004, 02:12 PM
Just wanted to ask if sure there is a Nopromo patch that will work on the Dtivo version 3.10 (no 'b')?

Yes. Find it and we'll tell you if you're right. :D

And next time specify S1 or S2 for an ambiguous version.

bbsux
03-12-2004, 02:15 PM
Yes. Find it and we'll tell you if you're right. :D

And next time specify S1 or S2 for an ambiguous version.


Better????

Just wanted to ask if there is a Nopromo patch that will work on the S1 Dtivo version 3.10 (no 'b')?

Thanks for your help...

David Bought
03-12-2004, 02:25 PM
Just wanted to ask if there is a Nopromo patch that will work on the S1 Dtivo version 3.10 (no 'b')?

I'm running it right now. Get off your ass and find it. :D


bash-2.02# sha < /tvbin/tivoapp
0x73DAE4B9EA97D494633972F6EFE56CAA1E7871BA

AlphaWolf
03-12-2004, 09:49 PM
Better????

Just wanted to ask if there is a Nopromo patch that will work on the S1 Dtivo version 3.10 (no 'b')?

Thanks for your help...


I'm running it right now. Get off your ass and find it. :D


bash-2.02# sha < /tvbin/tivoapp
0x73DAE4B9EA97D494633972F6EFE56CAA1E7871BA

I don't see why you guys don't just upgrade.

jeboo
03-20-2004, 01:34 PM
Here are the 3.1.1c patches for hacks aforementioned in this thread.

Permanently enable sort options in Now Showing:
echo -ne "\xA2\x22\x00\xE1" | dd conv=notrunc of=tivoapp bs=1 seek=2552376

Skip30 ON by default (This is just an extrapolation of ronny's 3.1b patch..Thanks :))
echo -ne "\x14\x40\x00\x24" | dd conv=notrunc of=tivoapp bs=1 seek=3228708

Enable Backdoors:
echo -ne "\x24\x05\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3274084

NoPPV hack (Set PPVs to record in advance):
echo -ne "\x00\x00\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=3319020

sgerbode
09-05-2006, 01:30 PM
Does anyone have a patch for disabling yellow stars on
a 3.1.5-01-2-357 tivo?

(not a 3.1.5-01-2-357d, e, or f).

Thanks!

--Sarge

ScanMan
09-05-2006, 10:07 PM
Does anyone have a patch for disabling yellow stars on a 3.1.5-01-2-357 tivo?

You could try and port this yourself - in looking at the tivoapp patches for disabling the yellow stars here (http://www.dealdatabase.com/forum/showpost.php?p=159808&postcount=7) it appears the Original Value is "12200007" - you could make a copy of your tivoapp, load it into a hex editor and search for those hex values. Make sure you understand the difference b/w hex locations and Virtual Memory Address (VMA) offsets before you try and craft an "echo/dd" statement; in the alternative, you could just edit it directly in the hex editor. This (http://www.dealdatabase.com/forum/showthread.php?p=193286) thread is a gem.

In the alternative, if you want to provide me with a copy your tivoapp; I'll give it a shot...PM me.
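A patch helper as an added example that serves both jeboo's echo/dd one-liners above and ScanMan's point about hex (file) offsets versus VMA offsets; none of it is from those posts or from TiVo's software. It builds a toy big-endian ELF32 image in memory (a constructed layout, not tivoapp), maps a VMA to its file offset through the PT_LOAD program headers, which is the translation a disassembler address needs before it can become a dd seek= value, and refuses to write unless the original bytes at that offset are the ones the patch expects, a check dd conv=notrunc never performs. The replacement word 24 05 00 01 is the one from the enable-backdoors line above; the "expected" bytes are placeholders from the toy image, and the SHA-1 fingerprint mirrors the `sha < /tvbin/tivoapp` check used earlier in the thread.

```python
import hashlib
import struct

PT_LOAD = 1


def read_load_segments(image):
    """Return (vaddr, file_offset, filesz) for each PT_LOAD program header of
    an ELF32 image, honouring the byte order declared in e_ident."""
    if image[:4] != b"\x7fELF" or image[4] != 1:        # ELFCLASS32 only
        raise ValueError("not an ELF32 image")
    bo = ">" if image[5] == 2 else "<"                  # EI_DATA: 2 = big-endian
    e_phoff, = struct.unpack(bo + "I", image[28:32])
    e_phentsize, e_phnum = struct.unpack(bo + "HH", image[42:46])
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack(bo + "5I", image[off:off + 20])
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz))
    return segments


def vma_to_offset(image, vma):
    """Translate a virtual address (what the disassembler shows) into the
    file offset that dd's seek= needs."""
    for vaddr, p_offset, filesz in read_load_segments(image):
        if vaddr <= vma < vaddr + filesz:
            return vma - vaddr + p_offset
    raise ValueError(f"{vma:#x} is not backed by file contents")


def patch_word(image, vma, expected, replacement):
    """Overwrite the 4 bytes at vma, but only if they currently hold
    `expected`; returns the file offset that was written."""
    off = vma_to_offset(image, vma)
    current = bytes(image[off:off + 4])
    if current != expected:
        raise ValueError(f"bytes at offset {off:#x} are {current.hex()}, expected {expected.hex()}")
    image[off:off + 4] = replacement
    return off


def dd_command(offset, replacement, target="tivoapp"):
    """Render the same write in the echo/dd one-liner form used in the thread."""
    esc = "".join(f"\\x{b:02X}" for b in replacement)
    return f'echo -ne "{esc}" | dd conv=notrunc of={target} bs=1 seek={offset}'


def fingerprint(image):
    """SHA-1 of the whole image, as produced by `sha < /tvbin/tivoapp`."""
    return hashlib.sha1(image).hexdigest()


def build_sample_image():
    """Constructed toy ELF32 big-endian executable: one PT_LOAD segment mapping
    file offset 0x1000 to VMA 0x400000 for 0x100 bytes. Not tivoapp."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)   # class32, big-endian, version 1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH",
                               2, 8, 1, 0x400000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack(">8I", PT_LOAD, 0x1000, 0x400000, 0x400000, 0x100, 0x100, 5, 0x1000)
    image = bytearray(0x1100)
    image[:52] = ehdr
    image[52:84] = phdr
    image[0x1000:0x1100] = bytes(range(256))   # filler standing in for code
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print("before:", fingerprint(img))
    off = patch_word(img, 0x400010, bytes([0x10, 0x11, 0x12, 0x13]), b"\x24\x05\x00\x01")
    print("equivalent:", dd_command(off, b"\x24\x05\x00\x01"))
    print("after: ", fingerprint(img))
```

Running the helper a second time against the same image fails, because the expected bytes are no longer there; that is the behaviour you want when a patch is re-run by mistake or aimed at the wrong software version.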

sgerbode
09-22-2006, 07:16 PM
Sorry -- I let the ball drop because I want to do the upgrade to 6.3, which will render it a moot point. But thanks so much for your offer of help!

I tried looking at tivoapp in a hex editor and did not find any instances of 12200007.

So I guess I'll live with the pesky yellow stars for awhile until I can get 6.3 up and running (waiting for a revised release which is supposed to be coming).

NutKase
09-22-2006, 10:26 PM
This (http://www.dealdatabase.com/forum/showthread.php?p=193286) thread is a gem.

I hate diluting a great thread, mods feel free to delete if you want... but

Thank you! It's the notion that someone will USE the information when I have time to spell it out. I like to do that when I can (and try to label those posts with 'nkinfo' ,for NutKase info) so people can use it as a search term.

That just made my day to find out that someone was using it. Thanks.


NutKase