tivoapp patches



Sleeper
04-08-2004, 11:45 PM
I know that there is another thread discussing tivoapp patches. This thread has two purposes:

1) A centralized list of each hack and the associated patches for each Series/Software version. Currently they are too spread out. I will attempt to give the "original" discoverer/author credit for each of them. If any of the information posted is incorrect, please let me know.

2) Eventually, I will develop a tpm packaged script for each hack that will encompass all the known software versions. Support issues for these scripts should be posted in the Support Forums.

Sleeper
04-08-2004, 11:46 PM
30 Second Skip

Series 1
Known Contributors/Authors: MuscleNerd



All Values are Hex

Sw Version Offset Original Value New Value
2.5.5 002D51EC 41860034 40860034
3.0 003DFA28 41860040 40860040
3.1.0 003FF21C 41860040 40860040
3.1.0b 003FF30C 41860040 40860040
3.1.0c 003FF358 41860040 40860040


Series 2
Known Contributors/Authors: MuscleNerd, RonnyThunder, Jeboo, falcontx, nutkase



All Values are Hex

Sw Version Offset Original Value New Value
3.1.1 00313BC4 10400024 14400024
3.1.1b 00314454 10400024 14400024
3.1.1c 00314424 10400024 14400024
3.1.1d 00315564 10400024 14400024
3.1.1e 00315564 10400024 14400024
4.0 005177DC 10400068 14400068
4.0.1 0051CC90 10400068 14400068
4.0.1b 0051CC90 10400068 14400068
6.2 00667d58 1040001d 1440001d


Edit by alldeadhomiez, 2004/08/12:

All 4.0.1b-01 offsets will be the same as 4.0.1b-02 offsets.

All 3.1.0c2 offsets are posted later in the thread.

Sleeper
04-08-2004, 11:47 PM
Directory Sort

Series 1
Known Contributors/Authors:



All Values are Hex

Sw Version Offset Original Value New Value
3.0
3.1.0
3.1.0b


Series 2
Known Contributors/Authors: Jeboo, falcontx



All Values are Hex

Sw Version Offset Original Value New Value
3.1.1
3.1.1b
3.1.1c 0026F238 A22000E1 A22200E1
3.1.1d 00270378 A22000E1 A22200E1


<edit by mrblack51> Sort is only available in this way on 3.x units. 4.x allows it by default (as does 5.x), and 2.x doesn't have the capability at all.

Please post corrections or additions!

Sleeper
04-08-2004, 11:48 PM
Enable Backdoors

Series 1
Known Contributors/Authors: MuscleNerd



All Values are Hex

Sw Version Offset Original Value New Value
2.5.5
3.0 0038ED38 7F64DB78 38800001
3.1.0
3.1.0b 003B29FC 7F64DB78 38800001
3.1.0c 003B2A3C 7F64DB78 38800001


Series 2
Known Contributors/Authors: Jeboo, ntesla, falcontx



All Values are Hex

Sw Version Offset Original Value New Value
3.1.1
3.1.1b
3.1.1c 0031F564 02802821 24050001
3.1.1d 003206A4 02802821 24050001
3.1.5 00747384 02802821 24050001
4.0 005216C8 02602821 24050001
4.01b 00526B78 02602821 24050001
6.2 006e521c 00008821 24100001


Please post corrections or additions!

Sleeper
04-08-2004, 11:49 PM
NoPPV

Series 1
Known Contributors/Authors:



All Values are Hex

Sw Version Offset Original Value New Value
2.5.5
3.0
3.1.0
3.1.0b


Series 2
Known Contributors/Authors: Jeboo, AhoyMatey



All Values are Hex

Sw Version Offset Original Value New Value
3.1.1
3.1.1b
3.1.1c 0032A4EC 104001DC 00000000
3.1.1d 0032B62C 104001DC 00000000
4.0 005305EC 104001C8 00000000
4.01b 00535B0C 104001C8 00000000
6.2 00687530 1040026d 00000000


Please post corrections or additions!

Sleeper
04-08-2004, 11:50 PM
Parental Controls Fix for 4.x on S2 DirectTivos

Series 2
Known Contributors/Authors: Jeboo



All Values are Hex

Sw Version Offset Original Value New Value
4.0 0058A298 304200FF 30420000
4.01b 0058F868 304200FF 30420000

Sleeper
04-08-2004, 11:52 PM
Disable Yellow Star Promos

Series 1
Known Contributors/Authors: MuscleNerd



All Values are Hex

Sw Version Offset Original Value New Value
2.5.5
3.0 003CBE4C 40860068 48000068
3.1.0
3.1.0b 003EC67C 40860068 48000068
3.1.0c 003EC6C8 40860068 48000068


Series 2
Known Contributors/Authors: Nutkase, Alarmtronics



All Values are Hex

Sw Version Offset Original Value New Value
3.1.u5 00296604 12200007 00000000
3.1.1c 00296de4 12200007 00000000
3.1.1d 00297f24 12200007 00000000
3.1.5d 002baa50 12200007 00000000
4.0 00387880 12200007 00000000
4.0.1 003884e4 12200007 00000000
4.0.1b 003884e4 12200007 00000000


Please post corrections or additions!

Added 4.x patches.

Sleeper
04-08-2004, 11:53 PM
NoCSO - Disable tyStream Encryption

Series 1
Known Contributors/Authors:



All Values are Hex

Sw Version Offset Original Value New Value
2.5.5
3.0
3.1.0 00476248 41860038 48000038
3.1.0b 00476338 41860038 48000038
3.1.0c 00476408 41860038 48000038



Series 2
Known Contributors/Authors: anonymous by request, NutKase, 7.1



All Values are Hex

Sw Version Offset Original Value New Value
3.1.0 0062F09C 0320f809 3C020000
3.1.1 0063139C 0320f809 3C020000
3.1.1b 0063139C 0320f809 3C020000
3.1.1c 00631E1C 0320f809 3C020000
3.1.1d 00632FEC 0320f809 3C020000
4.0 00831F28 0320f809 3C020000
4.0.1 & 4.0.1b 00838108 0320f809 3C020000
5.3 009904c0 0320f809 3C020000
6.1 00a3536c 0320f809 3C020000
6.2 00a3599c 0320f809 3C020000
7.1 002916c4 0320f809 3C020000
7.1a-0[12] 00291284 0320f809 3C020000


Please post corrections or additions.

Sleeper
04-08-2004, 11:54 PM
This is Future #4

Sleeper
04-10-2004, 03:18 AM
Reserved #5

Sleeper
04-10-2004, 03:18 AM
Reserved #6

Sleeper
04-13-2004, 12:20 AM
I don't have 3.1.1c running. I would really appreciate it if someone would post up or PM me the missing original values.

Also, any other version locations?

AlphaWolf
04-13-2004, 01:01 AM
I don't have 3.1.1c running. I would really appreciate it if someone would post up or PM me the missing original values.

Yoink....



Offset Data
0026F238 A22000E1
0031F540 24050006
0032A4EC 104001DC


Also, a quick reference for those who don't know any better (because I know this question will surface):

To make a command line equivalent patch, follow this formula:



echo -ne "\xHH\xHH\xHH\xHH" | dd conv=notrunc of=tivoapp bs=1 seek=<dec offset>


Where the 8 H's are the hex data of the new value in its given order, and the <dec offset> is the patch offset converted from hexadecimal to decimal. Your average win user probably doesn't know how to convert from hex to dec, so I'll give a quick cheat: run the win calculator, set it to scientific mode, press F5, key in the byte offset, press F6, and voilà, your dd seek offset appears.

Sleeper
04-13-2004, 01:03 AM
I thought that DirectTivo's started with Sw Version 3.1.0 and upgraded to 3.1.1b.

Was there an interim 3.1.1 version as I indicated in this post?
http://www.dealdatabase.com/forum/showpost.php?p=159803&postcount=2

If this is correct, does anyone know the 30 Second Skip location for 3.1.0?


AW, thanks for the values!

ronnythunder
04-13-2004, 01:33 AM
3.1.0 and its ilk is for series 1, and 3.1.1 and variants are series 2.

ronny

TheWickedPriest
04-13-2004, 09:44 AM
No, the Series 2 DirecTivos started with 3.1.0. I vaguely seem to recall that one model had 3.1.1 (?), but my HDVR2 went from 3.1.0 to 3.1.1b.

alldeadhomiez
04-13-2004, 11:00 AM
No, the Series 2 DirecTivos started with 3.1.0. I vaguely seem to recall that one model had 3.1.1 (?), but my HDVR2 went from 3.1.0 to 3.1.1b.

All of the Uma6 based models I have seen were shipped with 3.1.1.

The early Uma4 based models shipped with 3.1.U5; within a few months they were all shipping with 3.1.0.

I don't see any benefits to supporting 3.1.U5, 3.1.0, 3.1.1, or 3.1.1b on the D2 platform. 3.1.1c has fixes for the guide and audio bugs, and AFAICT there is no compelling reason not to upgrade.

AlphaWolf
04-13-2004, 11:35 AM
Hmmm...that backdoors patch for 3.1.1c doesn't appear to work. BTW, I agree with ADH, I would assume just drop all versions prior to 3.1.1c if they aren't already there. The prior versions still even have the bug where they lose guide data, I would just assume upgrade.

splitsec
04-13-2004, 12:22 PM
Hmmm...that backdoors patch for 3.1.1c doesn't appear to work. BTW, I agree with ADH, I would assume just drop all versions prior to 3.1.1c if they aren't already there. The prior versions still even have the bug where they lose guide data, I would just assume upgrade.

While it might be nice to assume that everyone has upgraded to the latest version, in reality there are some reasons that some people will not have upgraded.

1) Lack of time (no matter how easy it is, people still need to re-install all their hacks)
2) Fear of losing recordings (while it is possible to upgrade while keeping all recordings, not everyone knows how, and not everyone has the confidence to undertake it)

Series 1 users (such as myself) have no version to upgrade to that will fix the "missing guide data" issue, and thus have less reasons to upgrade to the latest and greatest version at this time. (trust me I will upgrade when they fix that one).

I don't think there is any reason to support anything less than 3.X for any of the Tivo's with the exception of the version of 2.X that the UK tivos are running as they don't have an alternative.

Just my thoughts,

Split

PS. Sleeper, thanks for gathering these together, I am sure threads like this will help put the information that is needed in spots that can be found. :)

AlphaWolf
04-13-2004, 12:45 PM
Series 1 users (such as myself) have no version to upgrade to that will fix the "missing guide data" issue, and thus have less reasons to upgrade to the latest and greatest version at this time. (trust me I will upgrade when they fix that one).

I don't think there is any reason to support anything less than 3.X for any of the Tivo's with the exception of the version of 2.X that the UK tivos are running as they don't have an alternative.


You needn't worry then, this only applies to S2 users, not S1 or UK.

malfunct
04-13-2004, 03:57 PM
While it might be nice to assume that everyone has upgraded to the latest version, in reality there are some reasons that some people will not have upgraded.

1) Lack of time (no matter how easy it is, people still need to re-install all their hacks)
2) Fear of losing recordings (while it is possible to upgrade while keeping all recordings, not everyone knows how, and not everyone has the confidence to undertake it)

Series 1 users (such as myself) have no version to upgrade to that will fix the "missing guide data" issue, and thus have less reasons to upgrade to the latest and greatest version at this time. (trust me I will upgrade when they fix that one).

I don't think there is any reason to support anything less than 3.X for any of the Tivo's with the exception of the version of 2.X that the UK tivos are running as they don't have an alternative.

Just my thoughts,

Split

PS. Sleeper, thanks for gathering these together, I am sure threads like this will help put the information that is needed in spots that can be found. :)

I would actually say that you could limit that list even more, for instance on s2 dtivos you really only need to support 3.1.1b and 3.1.1c. Possibly support U5 for those using the bashenv hack only. I think some amount of back support is necessary but not every version for all of time. If people need the historic info they should search the threads.

Sleeper
04-13-2004, 07:30 PM
I agree with the 3.1.1c minimum on D2. However, there is no harm in documenting the older versions for the stubborn/lazy/whatever people.

Thanks ADH for clarifying the versions.
Thanks jeboo for pointing out the typo.

AlphaWolf
04-13-2004, 08:11 PM
Possibly support U5 for those using the bashenv hack only.

Nay...try as they might, people who are using this can never modify the tivoapp binary.

BTW: the proper data in that revised backdoors offset is 02802821

Sleeper
04-13-2004, 09:19 PM
Possibly support U5 for those using the bashenv hack only.

That's a chicken and egg syndrome. U5 hack does not allow ANY modification to the root filesystem. So the initrd would delete tivoapp, then your box would not fully boot.

The only purpose u5 has today is to monte another kernel. If you are still running the BASH_ENV hack, get off your butt and upgrade!

alldeadhomiez
04-13-2004, 09:31 PM
That's a chicken and egg syndrome. U5 hack does not allow ANY modification to the root filesystem. So the initrd would delete tivoapp, then your box would not fully boot.

The only purpose u5 has today is to monte another kernel. If you are still running the BASH_ENV hack, get off your butt and upgrade!

You don't need monte to change the root filesystem. 3.1.U5 is perfectly usable (and hackable), albeit buggy.

While there's nothing wrong with backporting patches to older software revisions, it is important to realize that TiVo hacking is a process, not a "one time fix." It's reasonable to expect that most of the new releases will require the latest TiVo software version.

Sleeper
04-13-2004, 09:40 PM
You don't need monte to change the root filesystem. 3.1.U5 is perfectly usable (and hackable), albeit buggy.

Granted. It is an advanced technique that most people running BASH_ENV would not attempt and probably don't know about. I was speaking in much simpler terms.


it is important to realize that TiVo hacking is a process, not a "one time fix." It's reasonable to expect that most of the new releases will require the latest TiVo software version.

I agree.

malfunct
04-13-2004, 09:51 PM
Nay...try as they might, people who are using this can never modify the tivoapp binary.

BTW: the proper data in that revised backdoors offset is 02802821

Sorry, didn't think about that all the way through. Was thinking hacks in general and not just tivoapp patches.

That said, at this exact moment in time it would be very nice to support 3.1.1b as well as 3.1.1c because not all machines are even scheduled for update. Also, given that there are only about 5 success reports from people with considerably more skill than I, I wouldn't risk my wife's tivo to attempt the update (it's bad enough I hacked it).

I guess I'm thinking more to not get rid of old patches that are found, and include them in any rollup thread that's attempted. New patches of course could be limited to the version they were developed on, assumably 3.1.1c.

EDIT: I'll admit to you all now that I have little plans to install any of the tivoapp patches, so what I say should be of minimal importance to your decision.

alldeadhomiez
04-13-2004, 09:54 PM
Granted. It is an advanced technique that most people running BASH_ENV would not attempt and probably don't know about. I was speaking in much simpler terms.

It's actually really simple - instead of running monte you run pivot_root.

Before the "guides" and such, people actually had to learn something to hack their Series 2 box. This encouraged creativity and independent thought. I wouldn't be surprised if there are still many "nontraditional" setups out there (especially on SA S2s) from a time when things were not so homogenized and oversimplified.

drnull
05-03-2004, 08:53 PM
If any of the information posted is incorrect, please let me know.



Sw Version Offset Original Value New Value
3.1.1b 00631378 0320f809 3C020000
contradicts http://www.dealdatabase.com/forum/showpost.php?p=139455&postcount=1
and what I am getting from my tivoapp binary comparison program (http://www.dealdatabase.com/forum/showthread.php?t=34607).

Address should be 0x0063139c.

Also, I think the posts need to be updated to reflect the fact that 3.1.0 and 3.1.1 are both viable S2 versions. The 3.1.1 code for 30 second skip is also the correct code for 3.1.0. I don't know if that was a mistake or if the binaries are, in fact, that similar.

As for the other hacks, I have some values, but I cannot verify them. I can just say with 99% certainty that they are correct.



Sw Version Offset Original Value New Value

sort
3.1.0 0x0026ea54 a22000e1 a22200e1
3.1.1b 0x0026f268 a22000e1 a22200e1

backdoors
3.1.0 0x0031deb4 02802821 24050001
3.1.1b 0x0031f594 02802821 24050001

disable encryption
3.1.0 0x0062f09c 0320f809 3c020000
3.1.1b 0x0063139c 0320f809 3c020000

NoPPV
3.1.0 0x00328d7c 104001dc 00000000
3.1.1b 0x0032a51c 104001dc 00000000


Basically, the original values and new values are all the same, just needed the new addresses. Anybody with 3.1.0 or 3.1.1b wanna try them out?

mrblack51
05-03-2004, 09:36 PM
contradicts http://www.dealdatabase.com/forum/showpost.php?p=139455&postcount=1
and what I am getting from my tivoapp binary comparison program (http://www.dealdatabase.com/forum/showthread.php?t=34607).

Address should be 0x0063139c.

thats the address that i originally posted, but i think sleeper changed it for some reason. in any event, based on my calculations, that address is correct

Weez
05-03-2004, 10:10 PM
Address should be 0x0063139c.



Yep thats the offset ive been using as well and works great.

Sleeper
05-05-2004, 07:37 PM
thats the address that i originally posted, but i think sleeper changed it for some reason. in any event, based on my calculations, that address is correct

I changed them because they were all the wrong offsets (perhaps the base was omitted) as was pointed out by Stephanie here:

http://www.dealdatabase.com/forum/showpost.php?p=163620&postcount=170

Apparently, I made a mistake when fixing them. The correct value has been posted. Thanks Dr. Null for pointing that out.

Also, could someone confirm that S2 3.1.0 and 3.1.1 tivoapp are the same binary?

drnull
05-07-2004, 10:51 AM
Also, could someone confirm that S2 3.1.0 and 3.1.1 tivoapp are the same binary?

Actually, it's S2 3.1.1 and S2 3.1.1b that are the same.

a cmp -l tivoapp311 tivoapp311b returns
10698265 40 62
10698266 61 62
10698277 62 61
10698279 60 61
10698280 65 70
which is just a version date string in the file:
tivoapp311 : May 1 2003 17:32:05
tivoapp311b: May 22 2003 17:31:18
The rest of the file is identical.

So all offsets that work for 311b will be the same for 311.

So, to summarize, here is the end of my .proc files (as used by tmesis's (http://www.dealdatabase.com/forum/showthread.php?t=27553) disassembler) that show the offsets for 31, 311, 311b and 311c. I've made a very slight modification to his disassembler so that it inserts an indicator at these patch locations into the assembly output.

EDIT: btw, these are all offsets of loaded code, so subtract 0x00400000 to get the actual offset into the file.

==> tivoapp31.proc <==
0x0066ea54 Directory sort-by-name
0x0071deb4 backdoors
0x00a2f09c disable encryption
0x00713bc4 30 second skip
0x00728d7c NoPPV

==> tivoapp311.proc <==
0x0066f268 NPSort
0x0071f594 backdoors
0x00a3139c disableEncryption
0x00714454 30SS
0x0072a51c NoPPV

==> tivoapp311b.proc <==
0x0066f268 NPSort
0x0071f594 backdoors
0x00a3139c disableEncryption
0x00714454 30SS
0x0072a51c NoPPV

==> tivoapp311c.proc <==
0x0066f238 NPSort
0x0071f564 backdoors
0x00a31e1c disableEncryption
0x00714424 30SS
0x0072a4ec NoPPV

alldeadhomiez
07-22-2004, 01:31 AM
3.1.0c patches were posted several days ago. Credits go to MuscleNerd for most of the original discoveries, and to Alarmtronics and cashion for porting them to 3.1.0c.

Please advise me of any inaccuracies via PM instead of arguing in this thread. This is reference material; offtopic posts will be deleted with no warning.

Alarmtronics
07-26-2004, 01:01 PM
Here is the Alarmtronics Now Playing Sort fix for 3.1.0c, all values are Hex!

Known Contributors/Authors: Alarmtronics :)



Version Offset Original New
3.1.0c 003e92dc 93df00f0 38600001
003e92e0 7fe3fb78 907f00f0
003e92e4 48001df1 7fe3fb78
003e92e8 38600000 48001ded
003e92ec 48000008 60000000


It will work at Offset 003e9290 on Sw Version 3.1.0b.

Please post corrections or additions!

To install on 3.1.0c try Alarmtronics TivoScripts ISO 1.03 (http://www.dealdatabase.com/forum/showthread.php?p=175623). It does the dirty work so you don't have to!

Sleeper please add to the grid at your earliest convenience.

--Robert

Alarmtronics
07-30-2004, 08:16 PM
Here is the Alarmtronics Now Playing Sort fix for 3.1.0c2, all values are Hex!

Known Contributors/Authors: Alarmtronics :)



Version Offset Original New
3.1.0c 003e92dc 93df00f0 38600001
003e92e0 7fe3fb78 907f00f0
003e92e4 48001df1 7fe3fb78
003e92e8 38600000 48001ded
003e92ec 48000008 60000000


Here are the other fixes for 3.1.0c2:



Fix Offset Original New
scramble 00476384 41860038 48000038
30 seconds 003ff358 41860040 40860040
backdoors 003b2a3c 7f64db78 38800001
stars 003ec6c8 40860068 48000068


Please post corrections or additions!

To upgrade to 3.1.0c2 with ALL the hacks try Alarmtronics SleepyIso 1.1 (http://www.dealdatabase.com/forum/showthread.php?p=176311). It does the dirty work so you don't have to!

Sleeper please add to the grid at your earliest convenience.

--Robert

alldeadhomiez
10-02-2004, 02:52 PM
The MIPS assembly language discussion has been split to:

http://www.dealdatabase.com/forum/showthread.php?t=38242

AhoyMatey
10-21-2004, 10:48 AM
tivoapp has not changed between versions 3.1.1e and 3.1.1d.

Oops, didn't realize that the minimal changes between the two versions had been discussed in another thread. http://www.dealdatabase.com/forum/showpost.php?p=189581&postcount=8

alldeadhomiez
11-08-2004, 07:00 PM
Patch to dim the fluorescent clock display on Humax Series2.5 DVD boxes instead of blanking it when you enter standby:

tivoapp 5.4: VMA 11e57c4: 00002821 -> 24050020

Replace 0020 with a number between 0 and 0x64, inclusive, to adjust the brightness. Untested on Toshiba.

bigrig
11-14-2004, 11:55 AM
I've got some you can add to your list, for the HR10-250 (HD Tivo):

Disable Encryption
3.1.5 0x006A7C8C 0320F809 -> 3C020000
3.1.5d 0x006A946C 0320F809 -> 3C020000
3.1.5e 0x006A93FC 0320F809 -> 3C020000

30 Second Skip
3.1.5 0x0033B3A0 10400024 -> 14400024
3.1.5d 0x0033C490 10400024 -> 14400024
3.1.5e 0x0033C420 10400024 -> 14400024

Directory Sort
3.1.5d 0x00291FA8 A22000E0 -> A22200E0
3.1.5e 0x00291FA8 A22000E0 -> A22200E0

Enable backdoors
3.1.5e 0x00348414 02802821 -> 24050001

bigrig
11-14-2004, 12:03 PM
This post intentionally blank. :rolleyes:

NutKase
11-16-2004, 07:00 PM
USE AT YOUR OWN RISK! HAVE A BACKUP.

I don't have a 5.x system so these are untested.

[EDIT] Patches tested = GOOD

NoCSO
tivoapp 5.2.1a: VMA ee9190: 0320F809 -> 2402000
tivoapp 5.2.2: VMA ee9200: 0320F809 -> 2402000

The decimal conversions:

5.2.1a
11440528

5.2.2
11440640


NutKase

c170flyer
12-08-2004, 10:45 PM
I opened tivoapp in hexedit last night to see if the 3.1.5d patch might work for 3.1.5e too. The expected values lined up so I gave it a try.
Appears to have worked as expected, so here's one more:

Disable Yellow Stars
3.1.5e 002baa50 12200007 00000000

TheOuch
12-30-2004, 01:54 PM
I got tired of using dd, so I wrote this little script to apply hacks. The nice thing about it is that it reads the previous value, so you can make sure you're not patching the wrong place. It's my first tcl script, so let me know if you find it handy.
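
Added example, not part of any post in this thread and not TheOuch's Tcl script: a POSIX shell version of the read-the-previous-value-first check described above, combined with the hex-to-decimal `dd` formula and the 0x400000 VMA-to-file-offset subtraction given earlier in the thread. The function names and the 32-byte scratch file are assumptions made for the example; the sample word is the 30 Second Skip pair from the tables.

```shell
#!/bin/sh
# Added example: check-before-write patcher for one 32-bit word in a binary.
# All function names here are made up for this example.

# Difference between VMA and file offset, as quoted in the thread.
VMA_BASE=$((0x400000))

# lower STRING -> STRING with hex letters lowercased
lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# is_word STRING -> success only for exactly 8 lowercase hex digits
is_word() {
    case $1 in *[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq 8 ]
}

# hex_to_dec HEX -> decimal; accepts "0033C420" or "0x0033C420"
hex_to_dec() {
    h=${1#0x}; h=${h#0X}
    echo $((0x$h))
}

# vma_to_file_offset HEXVMA -> decimal offset into the file
vma_to_file_offset() {
    v=$(hex_to_dec "$1")
    echo $((v - VMA_BASE))
}

# read_word FILE DECOFFSET -> the 4 bytes at that offset as 8 hex digits
# (fewer digits come back if the file is too short, which fails the compare)
read_word() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# hex_to_bytes HEX -> raw bytes on stdout, two hex digits per byte
hex_to_bytes() {
    h=$1
    while [ -n "$h" ]; do
        case $h in ?) return 1 ;; esac      # odd digit count: stop
        byte=${h%"${h#??}"}                 # first two characters
        h=${h#??}
        printf '%b' "\\0$(printf '%03o' "0x$byte")"
    done
}

# patch_word FILE HEXOFFSET ORIG NEW [vma]
# Writes NEW only if the word currently at the offset equals ORIG.
# Returns 0 on success or if already patched, 1 on mismatch, 2 on bad input.
patch_word() {
    file=$1; orig=$(lower "$3"); new=$(lower "$4")
    if ! is_word "$orig" || ! is_word "$new"; then
        echo "refusing: values must be 8 hex digits" >&2; return 2
    fi
    if [ "${5:-file}" = vma ]; then
        off=$(vma_to_file_offset "$2")
    else
        off=$(hex_to_dec "$2")
    fi
    cur=$(read_word "$file" "$off")
    if [ "$cur" = "$new" ]; then
        echo "already patched at file offset $off"; return 0
    fi
    if [ "$cur" != "$orig" ]; then
        echo "refusing: found '$cur' at $off, expected $orig" >&2; return 1
    fi
    hex_to_bytes "$new" | dd conv=notrunc of="$file" bs=1 seek="$off" 2>/dev/null
    [ "$(read_word "$file" "$off")" = "$new" ]   # read back to confirm
}

# Demo on a constructed scratch file (not a real tivoapp): 32 zero bytes
# with the word 10400024 placed at file offset 0x10.
demo() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1 count=32 2>/dev/null
    hex_to_bytes 10400024 | dd conv=notrunc of="$img" bs=1 seek=16 2>/dev/null
    echo "before: $(read_word "$img" 16)"
    patch_word "$img" 0x00400010 10400024 14400024 vma
    echo "after:  $(read_word "$img" 16)"
    # A table row for the wrong software version would not match the file:
    patch_word "$img" 0x10 02802821 24050001 || echo "mismatch refused"
    rm -f "$img"
}
demo
```

Run it against a copy of the binary, as billnbell's `mv`/`cp` steps later in the thread do, so a refused or wrong patch never touches the only copy.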

7.1
01-23-2005, 02:46 PM
********************************************************
Danger, Will Robinson!

Blocking a software upgrade has unknown consequences. Tivo may eventually stop feeding guide data to units that have been sent a new software version but are being "held back". The "no thanks" patch here is best viewed as a temporary solution for those in the know. You should plan on accepting the 7.x upgrade eventually.

The ADD/DROP patches for 4.0.1b below prevent *any* keyring updates. This has even greater unknown consequences. A better solution has been developed and was posted here (http://www.dealdatabase.com/forum/showthread.php?t=41853), although it is still experimental.

NONE of these solutions are recommended for newbies. If you don't understand what they are doing, take the 7.1 upgrade.

**********************************************************


Imagine this scenario:

You have a S2 SA doing daily calls to TiVo. You've blocked software upgrades with "upgradesoftware=false", but Tivo decides to send you 7.1 anyway. The end result is that your machine continues to work with its current software, but it is in a "pending restart" state and reboots nightly at 2am. If you're fine with that, move along, but if you'd like to block this "pending restart" state, read on.

The one address patches listed below will avoid the "pending restart" state and nightly reboot after you've received, but not installed, a new software upgrade. Format is hex VMA: old -> new.
4.0.1b:
5f78e4: 10400007 -> 10000007
5.1.1b
66777c: 10400007 -> 10000007
5.3 (untested)
66820c: 10400007 -> 10000007

4.0.1b has an additional problem: Tivo will send down new 7.1 MRV keys with each daily call. These will replace any homemade keys constructed with the set_mrv_name_ADH.tcl script. The 4.0.1b software won't work with these new keys (it seems that 5.X will). The following rodata patch will block the MRV key replacements by overwriting the "ADD" and "DROP" strings in .rodata:
4.0.1b:
1144a40: 41444400 -> 41000000
1144a60: 44524f50 -> 44000000

Note with these patches installed, you won't receive any keyring updates from Tivo, including the key required to decode the 7.1 swsystem slice. I'd recommend you install these patches only after you've received 7.1.

Another solution for those in this situation: take the 7.1 upgrade and auction your Tivo off to the hundreds of TCF members clambering for TTG.

Thanks go to an anonymous source for the original 4.0.1b code patch and ideas for blocking the keyring update.

NutKase
02-14-2005, 09:53 AM
I have version 7.1a (7.1a-01-2-240 to be exact) on my SA.



NoCSO - Disable Encryption

--------------------------------------------------------------------------------



All Values are Hex

Sw Version Offset (VMA) Original Value New Value
7.1a 691284 0320f809 3C020000



In order to keep in the style of this thread, since the address is a VMA from the disassembly, you'll have to subtract the offset getting the patch location 0x00291284.


NutKase

[EDIT] Here's the rest of the 7.1a patch locations. I'll fill in as I get them.



All Values are Hex

Patch Offset (VMA) Original Value New Value
30 Second Skip ff7fd4 1040001d 1440001d
Backdoors 93bc8c 00008821 24100001




[EDIT] Here are the 7.1b patch locations, since 7.1a didn't last long.



All Values are Hex

Patch Offset (VMA) Original Value New Value
30 Second Skip ff7fa0 1040001d 1440001d
Backdoors 93bcc4 00008821 24100001
NoCSO 691290 0320f809 3C020000

m4mmut
03-06-2005, 06:00 PM
The only different patch location for 3.1.5f versus 3.1.5e is the NO CSO patch. All others remained the same. All addresses are actual locations, not the VMA.

30 Second Skip
3.1.5f 0x0033C420 10400024 -> 14400024

Directory Sort
3.1.5f 0x00291FA8 A22000E0 -> A22200E0

Enable backdoors
3.1.5f 0x00348414 02802821 -> 24050001

Disable Encryption
3.1.5f 0x006A93EC 0320F809 -> 3C020000

Disable Yellow Stars
3.1.5f 0x002baa50 12200007 -> 00000000

Edit: Removed caveat from post. Patches have been tested

mike_s
09-04-2005, 11:22 AM
Has anyone figured out the 7.2 patches yet? I'd take a crack at it, if I had any clue how to.

I did do a bit of searching and comparing (with 7.1b) using hexedit, but didn't find anything close in the same area. Looking for a NoCSO patch location, the first appearance of 0x0320f809 after location 0x280000 is at 0x29D598, way different than the 7.1x tivoapps.

I can provide the tivoapp if someone who knows how is willing to take a look.

7.1
09-04-2005, 12:37 PM
Has anyone figured out the 7.2 patches yet? I'd take a crack at it, if I had any clue how to.

I did do a bit of searching and comparing (with 7.1b) using hexedit, but didn't find anything close in the same area. Looking for a NoCSO patch location, the first appearance of 0x0320f809 after location 0x280000 is at 0x29D598, way different than the 7.1x tivoapps.

I can provide the tivoapp if someone who knows how is willing to take a look.
Untested, but this looks right to me:
All Values are Hex

Sw Version Offset (VMA) Original Value New Value
7.2.0-oth-01-2 5893e0 0c16ae9e 3C020000
7.2.0-elm-01-2 58e960 0c16c8d2 3C020000
7.2.0-tak-01-2 5c7578 0c17b5d4 3C020000
Hint: looking at hex won't work very well for porting patches to 7.2. The compiler used to compile tivoapp changed, and a number of things are different now. For example, most calls are with jal instead of jalr. You really need a disassembler to make much progress. See this (http://www.dealdatabase.com/forum/showthread.php?t=27553) thread. The script there needs some changes to recognize the new patterns for string references and function calls in 7.2.

mike_s
09-04-2005, 01:04 PM
Untested, but this looks right to me:
All Values are Hex

Sw Version Offset (VMA) Original Value New Value
7.2.0-oth-01-2 5893e0 0c16ae9e 3C020000

Thanks. That works, recorded a clip, and it plays fine in TyTool and with vserver.

bdjohns1
09-04-2005, 03:00 PM
Hint: looking at hex won't work very well for porting patches to 7.2. The compiler used to compile tivoapp changed, and a number of things are different now. For example, most calls are with jal instead of jalr. You really need a disassembler to make much progress. See this (http://www.dealdatabase.com/forum/showthread.php?t=27553) thread. The script there needs some changes to recognize the new patterns for string references and function calls in 7.2.

7.1,

I'm running on 7.2.0-tak-01-2-275 (Pioneer DVR-810H), and I just took a look in my tivoapp using the more naive method (a hex editor) - the string
0c 16 ae 9e isn't present anywhere in the app, which I guess isn't very surprising, based on your comment that hex editors aren't the way to go with newer versions of tivoapp.

Unfortunately, I took a read through the disassembly thread, and it appears to be way over my head. If you're willing to take a look at that version, I can arrange to get you a copy of the tivoapp.

mike_s
09-04-2005, 04:51 PM
7.1,

I'm running on 7.2.0-tak-01-2-275 (Pioneer DVR-810H), and I just took a look in my tivoapp using the more naive method (a hex editor) - the string
0c 16 ae 9e isn't present anywhere in the app, which I guess isn't very surprising, based on your comment that hex editors aren't the way to go with newer versions of tivoapp.

Look at offset 0x1893e0. The address given (0x5893e0) is the VMA (Virtual Memory Address) location. They differ by 0x400000. (http://www.dealdatabase.com/forum/showpost.php?p=193286)

Jamie
09-04-2005, 05:01 PM
It appears there are different 7.2.0 versions of tivoapp for different hardware. -elm- is for the humax dvd recorders, IIRC. -tak- is for the Pioneer units. -oth- is everything else, AFAIK. The patch locations will vary slightly depending on the exact software version.

bdjohns1
09-04-2005, 05:13 PM
Look at offset 0x1893e0. The address given (0x5893e0) is the VMA (Virtual Memory Address) location. They differ by 0x400000. (http://www.dealdatabase.com/forum/showpost.php?p=193286)

Thanks for the pointer on the VMA - I knew there was an offset, but wasn't aware what it was, which was why I did the global search. In any case, the 8 bytes at 0x1893e0 in my tivoapp are 00 00 00 00, so I'm pretty sure that's not what we're looking for...

Jamie,

7.1 has agreed to take a look at my tivoapp, so hopefully he'll be able to pull out the right offsets.

eastwind
09-04-2005, 05:42 PM
Thanks for the pointer on the VMA - I knew there was an offset, but wasn't aware what it was, which was why I did the global search. In any case, the 8 bytes at 0x1893e0 in my tivoapp are 00 00 00 00, so I'm pretty sure that's not what we're looking for...

Jamie,

7.1 has agreed to take a look at my tivoapp, so hopefully he'll be able to pull out the right offsets.
Did you try the right offset for your version?


7.2.0-tak-01-2 5c7578 0c17b5d4 3C020000

So that would be 0x1C7578 I guess.

ew

7.1
09-04-2005, 05:54 PM
I edited in the -tak- patch after bdjohns1 post, so he may not have seen it yet.

bdjohns1
09-04-2005, 11:35 PM
Untested, but this looks right to me:
All Values are Hex

Sw Version Offset (VMA) Original Value New Value
7.2.0-tak-01-2 5c7578 0c17b5d4 3C020000


Confirmed that this is working via ciphercheck.tcl and by extracting using TyTool. Thanks very much, 7.1!

plcdude
09-10-2005, 02:50 PM
Untested, but this looks right to me:
All Values are Hex

Sw Version Offset (VMA) Original Value New Value
7.2.0-oth-01-2 5893e0 0c16ae9e 3C020000
7.2.0-elm-01-2 58e960 0c16c8d2 3C020000
7.2.0-tak-01-2 5c7578 0c17b5d4 3C020000


I can also verify that the patch for -oth- is valid. :)

Thanks everyone.

billnbell
01-22-2006, 03:55 PM
For newbies:

cd /tvbin
mv tivoapp tivoapp.tmp
cp tivoapp.tmp tivoapp
chmod 755 tivoapp

30 Second Skip
3.1.5f 0x0033C420 10400024 -> 14400024
echo -ne "\x14\x40\x00\x24" | dd conv=notrunc of=tivoapp bs=1 seek=3392544

Directory Sort
3.1.5f 0x00291FA8 A22000E0 -> A22200E0
echo -ne "\xA2\x22\x00\xE0" | dd conv=notrunc of=tivoapp bs=1 seek=2695080

Enable backdoors
3.1.5f 0x00348414 02802821 -> 24050001
echo -ne "\x24\x05\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3441684

Disable Encryption
3.1.5f 0x006A93EC 0320F809 -> 3C020000
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6984684

Disable Yellow Stars
3.1.5f 0x002baa50 12200007 -> 00000000
echo -ne "\x00\x00\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2861648

ADent
04-30-2006, 07:07 PM
Based on http://www.dealdatabase.com/forum/newreply.php?do=newreply&noquote=1&p=247117 the 3.5 S1 DTiVo patch for disable scrambling is


echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5108848

tivo4mevo
03-10-2007, 05:18 PM
Here is a patch to enable the Phone & Network Setup menu on DTiVos.


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.2 0x005bb254 02001021 24020001
6.2a 0x005bb344 02001021 24020001

Note that while the patched menus purport to allow you to change your connection type (between Phone and Network), the box will always connect via phone. I intended this, as DTiVos need not phone home, and if you really need to connect over the network, then go the debug board route.

ADent
03-12-2007, 04:43 AM
From TCF (!)

Offsets for 3.5b (S1 DTiVo)




And I just copied over the rc scripts and CacheCard drivers. Here the new encryption disable offset:
Quote:
timmy 20 # echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5119668
4+0 records in
4+0 records out
timmy 21 # sum tivoapp.virgin tivoapp
07982 7005 tivoapp.virgin
60425 7005 tivoapp
Be sure to run this from bash and insure the checksums are correct.

leres
03-12-2007, 03:16 PM
That was my post. I made the assumption that the instruction byte sequence wouldn't change and went looking for it. Once I figured out the right magic for od (od -tx1 -Ad) I narrowed it down to one candidate and testing showed it was the right one.

(What I'd really like is a patch to turn off the "pending restart" state change in the HR10-250.)

Blackfoot
03-14-2007, 04:06 PM
(What I'd really like is a patch to turn off the "pending restart" state change in the HR10-250.)
Had the same issue on my HR10-250. Had to enable debug_board=true again and then set the dial prefix to ,#401. Forced the call and it updated the system state so it knows it should be running 6.3c now. Now my daily calls return as Succeeded.

leres
03-14-2007, 04:13 PM
Had the same issue on my HR10-250. Had to enable debug_board=true again and then set the dial prefix to ,#401. Forced the call and it updated the system state so it knows it should be running 6.3c now. Now my daily calls return as Succeeded.
You misunderstand; I don't want to run 6.3, I want to stick with 3.1.5f. But I don't want my TiVo rebooting every time it phones home...

tivobanzai
03-17-2007, 04:01 PM
Here is a patch to enable the Phone & Network Setup menu on DTiVos.


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.2 0x005bb254 02001021 24020001
6.2a 0x005bb344 02001021 24020001

Note that while the patched menus purport to allow you to change your connection type (between Phone and Network), the box will always connect via phone. I intended this, as DTiVos need not phone home, and if you really need to connect over the network, then go the debug board route.

Does this require a certain version of the kernel? I have tried this on 6.2 & 6.2a, and I still don't see the menu item. I am expecting to see a menu item called 'Phone & Network' (or similar) in the Settings menu. Is that not correct?

I am using kernel version 2.4.20 (killhdinitr'd, of course), a superpatched tivoapp & Jamie's backported USB drivers. Here is what I tried:

In 6.2:
cd /tvbin
mv tivoapp tivoapp.bak
cp tivoapp.bak tivoapp
chmod 755 tivoapp
echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=6009428

in 6.2a:
cd /tvbin
mv tivoapp tivoapp.bak
cp tivoapp.bak tivoapp
chmod 755 tivoapp
echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=6009668

Am I doing something incorrectly? If you need more info about my setup to assist, please just ask.

ScanMan
03-17-2007, 05:08 PM
Am I doing something incorrectly? If you need more info about my setup to assist, please just ask.
Yup, you're patching the wrong location. The file offset (i.e., the seek location) is VMA-400000. Perhaps this (http://www.dealdatabase.com/forum/showthread.php?p=193286) post will make some sense. So by my calculation for 6.2, seek=1815124; for 6.2a, seek=1815364. But hey, don't take my word for it, verify it for yourself. Or you could just apply this (http://www.dealdatabase.com/forum/showpost.php?p=278327&postcount=577) superpatch diff, which purports to include Phone & Network. And you might want to go back to a known good tivoapp since your erroneous patching could cause erratic behavior in the future...
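The conversion ScanMan describes above, as an added example that is not part of the original posts: it turns a posted VMA into a `dd` seek value and refuses to write unless the four bytes on disk match the posted original, which catches the decimal-of-VMA mistake before anything is modified. The function names and the sample file are constructed for illustration; the 0x400000 load base and the 6.2 Phone & Network values are the ones given in the thread.

```shell
#!/bin/sh
# Added example: VMA -> file offset conversion with a check-before-write guard.
# Assumption (from the thread): tivoapp is mapped at 0x400000, so offset = VMA - 0x400000.
LOAD_BASE=$((0x400000))

# vma_to_seek 0x005bb254 -> prints the decimal file offset for dd seek=
vma_to_seek() {
    vma=$((0x${1#0x}))
    if [ "$vma" -lt "$LOAD_BASE" ]; then
        echo "vma_to_seek: $1 is below the load base (already a file offset?)" >&2
        return 1
    fi
    echo $((vma - LOAD_BASE))
}

# read_word FILE OFFSET -> prints the 4 bytes at OFFSET as 8 lowercase hex digits
read_word() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_word FILE OFFSET HEX -> overwrites bytes in place (octal escapes are portable)
write_word() {
    for byte in $(echo "$3" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done | dd conv=notrunc of="$1" bs=1 seek="$2" 2>/dev/null
}

# patch_at FILE OFFSET ORIG NEW
# returns 0 if patched (or already patched), 2 if the bytes on disk match neither value
patch_at() {
    want_orig=$(echo "$3" | tr 'A-F' 'a-f')
    want_new=$(echo "$4" | tr 'A-F' 'a-f')
    found=$(read_word "$1" "$2")
    if [ "$found" = "$want_new" ]; then
        return 0
    fi
    if [ "$found" != "$want_orig" ]; then
        echo "patch_at: offset $2 holds '$found', expected $want_orig; not writing" >&2
        return 2
    fi
    write_word "$1" "$2" "$want_new"
    [ "$(read_word "$1" "$2")" = "$want_new" ]
}

# patch_vma FILE VMA ORIG NEW -> same as patch_at, but takes the posted VMA
patch_vma() {
    seek=$(vma_to_seek "$2") || return 1
    patch_at "$1" "$seek" "$3" "$4"
}

# make_sample FILE: constructed stand-in for a 6.2 tivoapp, all zeros except
# the original word 02001021 at file offset 1815124 (VMA 0x005bb254).
make_sample() {
    dd if=/dev/zero of="$1" bs=4096 count=1468 2>/dev/null
    write_word "$1" 1815124 02001021
}

# Demo on the constructed file: the VMA typed as a decimal seek is refused,
# the converted offset is accepted.
sample=$(mktemp)
make_sample "$sample"
patch_at  "$sample" 6009428    02001021 24020001 || echo "seek=6009428 refused"
patch_vma "$sample" 0x005bb254 02001021 24020001 && echo "patched at seek=$(vma_to_seek 0x005bb254)"
rm -f "$sample"
```

For the Series 1 tables marked "NOT VMA offsets", call `patch_at` with the decimal form of the posted offset instead of `patch_vma`.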

tivobanzai
03-18-2007, 11:50 AM
Yup, you're patching the wrong location. The file offset (i.e., the seek location) is VMA-400000. Perhaps this (http://www.dealdatabase.com/forum/showthread.php?p=193286) post will make some sense. So by my calculation for 6.2, seek=1815124; for 6.2a, seek=1815364. But hey, don't take my word for it, verify it for yourself. Or you could just apply this (http://www.dealdatabase.com/forum/showpost.php?p=278327&postcount=577) superpatch diff, which purports to include Phone & Network. And you might want to go back to a known good tivoapp since your erroneous patching could cause erratic behavior in the future...

Thank you; that was it! As you probably noticed, I incorrectly assumed the VMA's were the offsets in Hex. I read through that post you referenced to get a better handle on this. Thanks again for the assistance.

tivo4mevo
04-06-2007, 09:38 PM
Here is a patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central.
All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.3b/c/d 0x004e00d0 0c144441 24020000
6.3e/f 0x004e0224 0c1443ed 24020000
Tested and no reported problems.

Note that you only need this patch in two situations:

your girlfriend, roommate, dog, hamster, etc. yammers on nightly about the "trial ending today."
you want your tivo to be the prettiest one in the whole world.

tivo4mevo
04-21-2007, 12:29 PM
A while back, someone asked about a patch similar to MuscleNerd's 30 second skip, only for the on screen clock. Here's a patch that defaults to displaying the on screen clock (and elapsed time).

All Values are Hex

Sw Version Offset (VMA) Original Value New Value
4.0.1b 0x007da118 10400007 14400007
6.2a 0x00871238 10400007 14400007
6.3c/d 0x0042b210 1440001E 1040001E
6.3e/f 0x0042b270 1440001E 1040001E
6.4a 0x0042b980 1440001E 1040001E
7.2.2-oth 0x0042bdf0 1440001E 1040001E
You can still toggle the mode using SPS9S, check if the timer/clock suppresses closed captions, and beware of burn-in.

crashHD
04-27-2007, 08:36 PM
Here is a patch to enable the Phone & Network Setup menu on DTiVos.


This is awesome. Would it be difficult to port something like this to 6.1a? Are 6.1a and 6.2a similar enough that the patch locations could be found by comparing the disassembly of 6.1a to a disassembly of 6.2a which has these known patch points?

crashHD
04-28-2007, 11:25 PM
The patch for the "Phone and Network" settings screen in 6.1a is in the same location as 6.2a



All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.1 0x005bb254 02001021 24020001
6.1a 0x005bb344 02001021 24020001


Any real credit for this goes to Tivo4mevo. All I did was compare disassemblies of 6.1a and 6.2a, upon seeing that section of the code looked identical, I applied the patch and prepared to pull the drive to replace tivoapp, but sure enough, it booted and now shows the phone/network setup screen.

Edit:-----------------
I checked out the phone/network patch for 6.1 and it is the same as 6.2.

tivo4mevo
05-03-2007, 12:27 AM
This patch suppresses the DirecTV OSDMessageBox displayed for a missing or invalid access card.


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.2 0x00a6cc64 0320f809 24020000
6.2a 0x00a6dfb8 0320f809 24020000
6.3c/d 0x00a69e6c 0c3187f6 24020000
6.3e 0x00a6aed0 0c319c2A 24020000
6.3f 0x00a689c4 0c319c9e 24020000
6.4a 0x00a936d8 0c3289f7 24020000
This underwent moderate testing and should suppress nearly all types of messages except for the "Transferring more of the program" and "Searching for Signal" type messages. A useful patch for those using an unsubscribed DTivo (without an access card).

SteveT
05-31-2007, 08:43 PM
...Here's a patch that defaults to displaying the on screen clock (and elapsed time)....

This patch suppresses the DirecTV OSDMessageBox displayed for a missing or invalid access card....
I loaded these on my TiVii (had to upgrade them first) and they are working great! Thanks for finding and posting these!

tmembrino
08-14-2007, 01:05 PM
I haven't seen these posted yet. I found the following patches for 3.5b on S1 DirecTivo units.



All Values are Hex

3.5b for S1 DTivo Units
Fix          Offset    Original  New
Backdoors    004228B8  7f64db78  38800001
30 sec skip  0046D074  41860040  40860040

(Note - these are NOT VMA offsets)


I've been running these on my S1 Dtivo with 3.5b for a few days without any issues.

rslatkin
08-14-2007, 02:17 PM
Would this be the correct command for the 30 second skip?

echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=446580

tmembrino
08-14-2007, 02:34 PM
Would this be the correct command for the 30 second skip?

echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=446580

The offset location I listed for 3.5b is from a hex editor looking at the tivoapp file. If I understand correctly the hex editor locations are not VMA offsets. I edited my tivoapp directly in the hex editor and then transferred it to my /tvbin directory.

It looks like you took the offset and converted it from VMA by subtracting 40000. I may be wrong but I don't think that's the correct seek value. I think you just want the decimal equivalent of the hex location I listed.

rslatkin
08-14-2007, 02:39 PM
Yep, you're exactly right. I got used to people posting VMA offsets.

This looks like the correct command:

echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=4640884

Thanks for the help!

tmembrino
08-14-2007, 02:44 PM
Yep, you're exactly right. I got used to people posting VMA offsets.

This looks like the correct command:

echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=4640884

Thanks for the help!

Looks right to me. Good luck and make sure you have a backup plan in case it doesn't work for you (recent image, tivoapp.bak, etc). I've been using those 3.5b patches since the weekend but this was my first effort at finding patches and I'd hate to be guilty of causing you problems with your tivo.

Just wish I could figure out the sort patch for Now Playing but it eludes me.

jt1134
08-23-2007, 06:03 AM
Here is a patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central.

Sw Version Offset (VMA) Original Value New Value
6.3e 0x004e0024 0c1443ed 24020000
I haven't disassembled a 6.3e tivoapp yet, but this offset doesn't seem to match up.

RandC
08-23-2007, 11:50 AM
I haven't disassembled a 6.3e tivoapp yet, but this offset doesn't seem to match up.
Make sure you adjust for VMA offset; if you do this, the information checks out. I have not installed 6.3e yet, but I had come up with the same offset as tivo4mevo by adjusting the offset from the other patches to come to my guess about the new patch location.

jt1134
08-23-2007, 03:53 PM
Make sure you adjust for VMA offset; if you do this, the information checks out. I have not installed 6.3e yet, but I had come up with the same offset as tivo4mevo by adjusting the offset from the other patches to come to my guess about the new patch location.

I did. The original value was different, I replaced it anyways just to see, but the message was still there.

RandC
08-23-2007, 06:53 PM
I did. The original value was different, I replaced it anyways just to see, but the message was still there.
6.3e tivoapp
Hex offset E0024 E0224
Decimal offset 918052
original value OC1443ED
I just double checked the location in my 6.3e tivoapp file.

jt1134
08-23-2007, 08:57 PM
The decimal offset is correct. 918052 converted to hex would be E0224 not E0024.

edit - confirmed patch at E0224 works.

tivo4mevo
08-23-2007, 09:10 PM
I haven't disassembled a 6.3e tivoapp yet, but this offset doesn't seem to match up.
My notes have it as 0x004e0224. I had incorrectly posted it as 0x004e0024 (corrected now).

RandC
08-23-2007, 09:46 PM
The decimal offset is correct. 918052 converted to hex would be E0224 not E0024.

edit - confirmed patch at E0224 works.
Sorry I did not realize the hex value was different, since the first and last part matched with what I had I overlooked the middle. At least you located the correct patch location.

crashHD
08-26-2007, 01:44 PM
This patch removes the on-screen message for a missing access card, useful for using an unsubscribed unit as a MRV terminal.


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.1a 0x00a6dfb8 0320f809 24020000

crashHD
08-26-2007, 01:48 PM
The following activates the on-screen clock, by default. It can still be toggled on/off by SPS9S


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.1a 0x00871238 10400007 14400007

crashHD
08-26-2007, 03:38 PM
Allows live buffering and recording of XM Music channels, for tivoapp version 6.1a (6.2a is also the same)


Offset(VMA) Orig New
0x0087421C 50400009 10000009
0x0087425C 10400199 00000000
0x00BE797C 93a20018 00001021

rslatkin
09-05-2007, 11:42 AM
Here are the tivoapp patches for the new DirecTivo version 3.5c. Thanks to mikey and gohrnz.



All Values are Hex - (Note - these are NOT VMA offsets)

Change       Offset     Original Value  New Value
Scramble     004e22a8h  41860038        48000038
30 sec skip  0046d424h  41860040        40860040
Backdoors    00422c68h  7f64db78        38800001

usa11usa
09-05-2007, 11:56 AM
So does that mean the directv tivo like boxes can be hacked? I'm not talking about the tivo version but I'm talking about the directv dvr boxes

sorry I forgot about the s1 boxes but anyway you can remove this if needed

Smee
09-05-2007, 12:50 PM
No, totally different Animal. We are only talking TiVo here, nothing else.

Smee

dt1401
09-07-2007, 09:52 PM
Got the offset E0224 to work on 6.3e to remove the Tivo Plus Expire feature w/

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=918052

Anyone know the Offset (VMA), Original Value, New Value for the Now Playing List Sort (Thumbs down, Thumbs up, Thumbs down,7,8) for 6.2 or 6.2a? Be nice to not have to do that every time directv sd tivo reboots.

ADent
09-08-2007, 04:09 AM
TivoApp patches for the latest DTiVo S1 update. See link for original post (not by me).


3.5c-01-1-011 ( from http://www.dealdatabase.com/forum/showthread.php?p=286824#post286824 )
--------------
unscramble
----------
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5120680

30 sec skip
-----------
echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=4641828

backdoors
---------
echo -ne "\x38\x80\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=4336744

---

I see now these were posted a few posts above, but not in newbie or cut-and-paste friendly format. I hope folks don't mind the almost duplicate post.

TechFarmer
09-09-2007, 06:27 PM
All Values are Hex - (Note - these are NOT VMA offsets)


Can someone explain the difference between offsets and VMA offsets? I searched and found that VMA stands for Virtual Memory Address(??) but that doesn't mean anything to me.

How does one convert between a VMA offset and an offset used in a hex editor to modify a file?

Thanks . . .

dengland
09-09-2007, 07:33 PM
Can someone explain the difference between offsets and VMA offsets? I searched and found that VMA stands for Virtual Memory Address(??) but that doesn't mean anything to me.

How does one convert between a VMA offset and an offset used in a hex editor to modify a file?

Thanks . . .

http://www.dealdatabase.com/forum/showthread.php?p=178198&highlight=VMA+file+offset#post178198

The search terms I used = "VMA conversion". It returned one thread. 3 messages down had the link to the above post.

whackit
10-29-2007, 03:27 PM
Could someone please confirm that I have converted the patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central to command line correctly:



All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.3e 0x004e0224 0c1443ed 24020000


To:


echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=<4235277>


Thanks but new to this form of conversion... don't want to mess up.
cheers

jt1134
10-29-2007, 03:56 PM
Could someone please confirm that I have converted the patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central to command line correctly:...
No you didn't do it correctly. If you'd look 4 posts up from yours you'd see where someone spelled it out for you.

whackit
10-29-2007, 04:49 PM
No you didn't do it correctly. If you'd look 4 posts up from yours you'd see where someone spelled it out for you.

oops. Thanks for pointing that out. I am just trying to go through the process of learning though. Cheers.

Butch
11-29-2007, 05:06 PM
Never Mind

blips
06-11-2008, 10:16 PM
I just received a 3.5d update. Will the offsets be the same as 3.5c?

jt1134
06-12-2008, 02:01 PM
I just received a 3.5d update. Will the offsets be the same as 3.5c?

maybe, maybe not. open up tivoapp in a hex editor, or use hexdump to look and see.

tivo4mevo
12-20-2008, 03:26 PM
This patch suppresses the "Delete this recording?" screen encountered when exiting a recording within the last six minutes.



All Values are Hex

Sw Version Offset (VMA) Original Value New Value
6.2a 0x0087bca8 1060003c 1000003c
6.4a 0x00a324c4 1040010c 1000010c
9.3.2a 0x008e9a50 12400003 10000003
9.4 0x008fb300 12400003 10000003
11.0 0x009b9248 12400003 10000003


Like the clock patch, this is a "personalization" patch and was inspired by some old posts. It saves you some remote presses if you typically let tivo delete recordings when space is needed.

Note that if you let a recording play to completion, you still get the "Delete this recording" screen. The patch only suppresses the screen when exiting from a recording.

jt1134
12-20-2008, 10:36 PM
This patch suppresses the "Delete this recording?" screen encountered when exiting a recording within the last six minutes.

Nice. :cool:

lgkahn
12-21-2008, 04:50 PM
The one address patches listed below will avoid the "pending restart" state and nightly reboot after you've received, but not installed, a new software upgrade. Format is hex VMA: old -> new.
4.0.1b:
5f78e4: 10400007 -> 10000007
5.1.1b:
66777c: 10400007 -> 10000007
5.3 (untested):
66820c: 10400007 -> 10000007
anyone have any suggestion how to find this in 9.4 i searched in a hex editor and there are multiple locations with 10400007 hex in the tivoapp file.

thanks

RandC
12-21-2008, 05:37 PM
anyone have any suggestion how to find this in 9.4 i searched in a hex editor and there are multiple locations with 10400007 hex in the tivoapp file.

thanks
Not the proper way but, add code before or after known patch location and search in new tivoapp to try to locate same code. I would love to know what software and process tivo4mevo uses to locate patch locations.

jt1134
12-21-2008, 06:47 PM
anyone have any suggestion how to find this in 9.4 i searched in a hex editor and there are multiple locations with 10400007 hex in the tivoapp file.

thanks

Searching for the original hex data from 4.x/5.x in a 9.4 tivoapp isn't very likely to work at all. tivoapp has gone through some considerable changes since then, tivo uses a different compiler, and patches can't be ported that easily except in the case of minor sw revisions like 9.4 to 9.4b (at least not just by a simple hex compare). You'll need to identify the actual function that's being patched in 4.x and the logic used by the patch to cause the desired effects. Then if you can find a similar function in 9.4, you can translate that logic to the new function. Not a very trivial task until you brush up on a bit of mips assembly.

Start reading here (http://dealdatabase.com/forum/showthread.php?t=27553), here (http://dealdatabase.com/forum/showthread.php?t=38242), and of course, here (http://www.google.com).

tivo4mevo
12-21-2008, 07:43 PM
To echo what jt said, I think you'll have trouble by trying to port the patch using a hex editor.

With the disassembly, you can match the strings (which have remained largely the same) surrounding the patch. Doing so would arrive at this patch


All Values are Hex

Sw Version Offset (VMA) Original Value New Value
9.4 0x00714030 10400008 10000008
11.0d 0x007c5a3c 10400008 10000008
11.0h 0x007c5c20 10400008 10000008

Not tested, but tracing around a bit, it looks like it should do the trick. For reference, this patch avoids the "pending restart" and nightly reboot after you've received, but not installed, a new software upgrade. See this post here (link (http://www.dealdatabase.com/forum/showthread.php?p=206511#post206511)) for more details and warnings.

lgkahn
12-21-2008, 11:12 PM
well mine is not rebooting every night but it is getting pending reboot.. here is what i got thanks for your help will test tonight

# !/tvbin/tivosh
# Sw Version Offset (VMA) Original Value New Value
# 9.4 0x00714030 10400008 10000008
# -400000 from vma to get hex offset then convert to decimal to get seek
echo -ne "\x10\x00\x00\x08" | dd conv=notrunc of=tivoapp bs=1 seek=3227696

lgkahn
12-22-2008, 08:36 AM
ok the test on one of my s3 units last night was successful.. call was logged as successful and guide to date changed to jan 4 and no pending restart.. will see how long it lasts my guess is as someone previously mentioned in the other thread till the cert. i got when the 11.0 download happened expires.. but then maybe i will have to upgrade to 11.0 which is on the box.. hopefully by then someone will have worked out the issue why mfs_ftp no longer works for insertion on 11.0.. thanks now i will apply the patch to my 2nd s3.

bengalfreak
01-24-2009, 10:09 AM
I used this command to patch my 6.2a tivoapp to turn the clock on automatically at reboot. It seems correct to me, but it didn't have any apparent effects whatsoever. I got 4 records in, 4 records out as the resulting message. However, no clock. Anyone see any mistakes I made in the command.


echo -ne "\x14\x40\x00\x07" | dd conv=notrunc of=tivoapp bs=1 seek=4657720


thanks...jeff


EDIT:

Nevermind, I finally figured out how to use a Hex editor. Duh.

Butch
01-24-2009, 12:37 PM
Allows live buffering and recording of XM Music channels, for tivoapp version 6.1a (6.2a is also the same)


Offset(VMA) Orig New
0x0087421C 50400009 10000009
0x0087425C 10400199 00000000
0x00BE797C 93a20018 00001021

I hate to ask this because I know I asked it a few times a long time ago.
Does anyone have this for 6.3e software?

jt1134
11-06-2009, 03:52 PM
Here are a few tivoapp patches that can be used instead of fakecall.tcl. These patches prevent a dtivo from dialing out to tivo, yet still report the call as being successful.


6.2a
0x00676734 "02001021 00001021"
0x0068145c "1600ff6e 1000ff6e"
0x006e34b0 "1040017d 1000017d"

6.4a
0x008f074c "02001021 00001021"
0x008f5eac "1440fff1 1000fff1"
0x00c3ebb8 "10400140 10000140"


These patches take into account the 2 types of calls to tivo, phone and network, and block both of them. The 2 calls are handled differently by tivoapp, thus there are a few patches. For a number of reasons, it's a good idea to target both of these calls. You could use the old 'route' trick in rc.sysinit.author or play some games with your router to block these calls, but that's not as fun as hacking tivoapp :p

The patch at 0x00c3ebb8 causes a call by phone to fail while checking for a dial tone.

The patch at 0x008f5eac causes a call by network to hang up as soon as it starts.

The patch at 0x008f074c causes the tivo to not give a damn what happened during the call and just report everything as "successful."

Apply all 3 patches and there will be no "Daily Call" nags, no downloading of showcases/ads/etc from tivo, and no tcl script/cron/reboot kludges to deal with.

RandC
11-06-2009, 06:28 PM
Here are a few tivoapp patches that can be used instead of fakecall.tcl. These patches prevent a dtivo from dialing out to tivo, yet still report the call as being successful.
Excellent work. Even with fakecall some where down the line it gets messed up and I start getting the nags again. Will apply the patches and be thankful of your work understanding the tivoapp. :)

tivo4mevo
11-07-2009, 09:41 PM
Cool patches!

tvtyme
11-22-2009, 07:05 PM
I hate to ask this because I know I asked it a few times a long time ago.
Does anyone have this (live buffering and recording of XM Music channels) for 6.3e software?

Yup, here (http://www.dealdatabase.com/forum/showpost.php?p=304830&postcount=62).

tvtyme
11-24-2009, 08:56 PM
jt1134, for some reason the fakecall tivoapp patch crashes my Tivo (HDVR2 running 6.4a w/Tivo Wireless G NIC) when I either set it to use the Network for daily call (where it would test the connection first) or made an actual call. I'm running elseed for caller-id (hence the "Modem: OK" and "Caught Signal" messages).


#:/var$ Caught signal, standby while exiting... (signo=14)
Modem: OK
Caught signal, standby while exiting... (signo=14)
Modem: OK
Modem: OK
Caught signal, standby while exiting... (signo=14)
Modem: OK
Modem: OK
Caught signal, standby while exiting... (signo=14)
Modem: OK
Modem: OK
emulate_load_store_insn: sending signal 10 to tcphonehome(358)
Tmk Fatal Error: Activity DialRequest <358> strayed!
Tmk Fatal Error: Activity DialRequest <358>: unexpected signal 10
flushing ide devices: hda
Restarting system.

I went back to using fakecall and the "route" trick in rc.sysinit.author.

jt1134
11-26-2009, 01:54 AM
here's a leaner fakecall patch that shouldn't mess with any of the actual modem functions

6.4a
0x008f04d8 "27bdff78 03e00008"
0x008f04dc "afb5007c 24020000"

chris0583
12-13-2009, 06:16 PM
Is there a NOPPV patch for hr10-250 6.4a? I can't seem to find it after hours of searching.

jt1134
12-13-2009, 06:42 PM
Is there a NOPPV patch for hr10-250 6.4a? I can't seem to find it after hours of searching.

why? I ported it once out of boredom...it doesn't do anything useful

chris0583
12-27-2009, 12:46 PM
Looking to keep my PPV's Like i have with my older T60's. They auto delete after 24 hours.

jt1134
12-27-2009, 01:12 PM
ah ok

the 24 hour auto-delete is a feature of newer software, and unrelated to the old school NoPPV patch

chris0583
01-03-2010, 12:06 PM
any way to "disable" this feature?

kmt
01-04-2010, 09:18 AM
Do any of the patches have an effect on the Amazon rentals?

jt1134
01-04-2010, 01:40 PM
Do any of the patches have an effect on the Amazon rentals?

nope

what kind of effect are you referring to? auto-expire?

DeusExMachina
01-14-2010, 09:48 PM
Here are tivoapp patches that can be used in place of the current NoCSO patch to disable the encryption of new recordings while still allowing MRV transfers of existing encrypted recordings.


11.0d
0x005d3a10 "92220024 27a40028"
0x005d3a14 "104000aa 0c156fd6"
0x005d3a18 "27a40028 00000000"
0x005d3a1c "0c156fd6 0c477c51"
0x005d3a24 "8fa20020 106000aa"
0x011df11c "27bdfec8 03e00008"
0x011df120 "afb40128 24020001"
0x011df144 "00a0a021 8e230040"
0x011df148 "0c1b6110 10600002"
0x011df14c "00602821 00000000"
0x011df150 "00408021 8c630000"
0x011df154 "1200000a 03e00008"
0x011df158 "00001021 8fa20020"

philhu
01-19-2010, 03:18 PM
Here are tivoapp patches that can be used in place of the current NoCSO patch to disable the encryption of new recordings while still allowing MRV transfers of existing encrypted recordings.


11.0d
0x005d3a10 "92220024 27a40028"
0x005d3a14 "104000aa 0c156fd6"
0x005d3a18 "27a40028 00000000"
0x005d3a1c "0c156fd6 0c477c51"
0x005d3a24 "8fa20020 106000aa"
0x005d9abc "0c16e34b 0c477c49"
0x011df11c "27bdfec8 03e00008"
0x011df120 "afb40128 24020001"
0x011df144 "00a0a021 8e230040"
0x011df148 "0c1b6110 10600002"
0x011df14c "00602821 00000000"
0x011df150 "00408021 8c630000"
0x011df154 "1200000a 03e00008"
0x011df158 "00001021 8fa20020"

OMG! This is great! I'll try it tonight!

philhu
01-27-2010, 06:12 PM
Here are tivoapp patches that can be used in place of the current NoCSO patch to disable the encryption of new recordings while still allowing MRV transfers of existing encrypted recordings.


11.0d
0x005d3a10 "92220024 27a40028"
0x005d3a14 "104000aa 0c156fd6"
0x005d3a18 "27a40028 00000000"
0x005d3a1c "0c156fd6 0c477c51"
0x005d3a24 "8fa20020 106000aa"
0x005d9abc "0c16e34b 0c477c49"
0x011df11c "27bdfec8 03e00008"
0x011df120 "afb40128 24020001"
0x011df144 "00a0a021 8e230040"
0x011df148 "0c1b6110 10600002"
0x011df14c "00602821 00000000"
0x011df150 "00408021 8c630000"
0x011df154 "1200000a 03e00008"
0x011df158 "00001021 8fa20020"

I finally got around to trying this. The system boots fine, but the first thing I tried for 2 patched tivoHD units, copying an encrypted show from the other Tivo, failed and rebooted.

It asked if I want to transfer this recording. I clicked it, and 7 seconds later, bam, reboot on the receiving machine.

This was my patch batch file. I did check that every item was the old value using hexdump before attempting the patch.

#!/bin/sh
#eko patch for 11.0d
#
echo -ne "\x27\xa4\x00\x28" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915408
echo -ne "\x0c\x15\x6f\xd6" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915412
echo -ne "\x00\x00\x00\x00" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915416
echo -ne "\x0c\x47\x7c\x51" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915420
echo -ne "\x10\x60\x00\xaa" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915428
echo -ne "\x0c\x47\x7c\x49" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1940156
echo -ne "\x03\xe0\x00\x08" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545180
echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545184
echo -ne "\x8e\x23\x00\x40" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545220
echo -ne "\x10\x60\x00\x02" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545224
echo -ne "\x00\x00\x00\x00" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545228
echo -ne "\x8c\x63\x00\x00" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545232
echo -ne "\x03\xe0\x00\x08" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545236
echo -ne "\x8f\xa2\x00\x20" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545240
TIVOBDRM:/var/hack#
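An added cross-check, not part of the post above or of any project's code: it parses the `0xADDR "old new"` patch list and the dd script and reports every offset or byte value on which the two disagree. The 0x400000 load base is an assumption inferred from the post's own numbers, the inputs are excerpts of the posted values, and `BAD_SCRIPT` is a constructed variant.

```python
import re

# Assumption: load base inferred from the post (each dd seek = listed address - 0x400000).
LOAD_BASE = 0x400000
PATCH_RE = re.compile(r'^(0x[0-9a-fA-F]{8})\s+"([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})"')
DD_RE = re.compile(r'echo -ne "((?:\\x[0-9a-fA-F]{2})+)".*\bseek=(\d+)')

def parse_patch_list(text):
    """Map file offset -> (original word, new word) from '0xADDR "old new"' lines."""
    table = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            table[int(m.group(1), 16) - LOAD_BASE] = (m.group(2).lower(), m.group(3).lower())
    return table

def parse_dd_script(text):
    """Map file offset -> hex string of the bytes each dd line writes."""
    writes = {}
    for line in text.splitlines():
        m = DD_RE.search(line)
        if m:
            writes[int(m.group(2))] = m.group(1).replace("\\x", "").lower()
    return writes

def cross_check(patch_text, script_text):
    """Return a list of (offset, problem) for every disagreement between the two."""
    table, writes = parse_patch_list(patch_text), parse_dd_script(script_text)
    problems = []
    for off, (_, new) in sorted(table.items()):
        if off not in writes:
            problems.append((off, "listed patch never written"))
        elif writes[off] != new:
            problems.append((off, f"writes {writes[off]}, list says {new}"))
    problems += [(off, "write at unlisted offset") for off in sorted(set(writes) - set(table))]
    return problems

# Excerpt of the 11.0d list and of the script from the posts above.
LIST = '''0x005d3a10 "92220024 27a40028"
0x005d9abc "0c16e34b 0c477c49"
0x011df11c "27bdfec8 03e00008"'''
SCRIPT = r'''echo -ne "\x27\xa4\x00\x28" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1915408
echo -ne "\x0c\x47\x7c\x49" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=1940156
echo -ne "\x03\xe0\x00\x08" | dd conv=notrunc of=tivoapp.ptandeko bs=1 seek=14545180'''
# Constructed variant: last seek off by 4, as a transcription slip would produce.
BAD_SCRIPT = SCRIPT.replace("seek=14545180", "seek=14545184")

if __name__ == "__main__":
    print(cross_check(LIST, SCRIPT), cross_check(LIST, BAD_SCRIPT))
```

An empty result means the script writes exactly the listed new values at the listed addresses; it says nothing about whether the patch itself is correct for a given unit.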

philhu
01-27-2010, 06:35 PM
Now the really bad news

The receiving Tivo rebooted. But now it is in a reboot loop.

It reboots, the welcome startup screen (Powering up, few minutes more) comes up, then the cute startup video, and 3-4 seconds into it, it reboots again.

I am assuming it is something that failed in the MFS check or something.

So.......

1) How can I find out what is failing?
2) Even if I can find out what is failing, is there any way to fix it?

I remember the kickstart that used to fix it.
Green screen stuff and an mfscheck comes to mind.

Any ideas how to get this working again?

3) Thinking about it, it could be failing over and over in the new patch. It sees an incomplete file, runs through the patch code to resume the transfer, and dies again. I have not been able to keep it up long enough to put back the correct tivoapp.

Might have to pull the drive to rename them.

Ideas?

jt1134
01-27-2010, 07:33 PM
1) How can I find out what is failing?

The kernel log should contain the crash dumps, which may hold some clues. tvlog and tverr should also have some information showing where exactly in the code it is failing.

2) Even if I can find out what is failing, is there any way to fix it?

There usually is.

I would humbly suggest continuing the troubleshooting in a new thread, to keep the clutter out of this one, though.

mrpenguin
02-02-2010, 03:45 PM
I know this is late to the party, but I've had something similar to this. The receiving tivo has the transfer request in the todo list. You need to remove it from there, either quickly enough via the tivo UI or with scripting done before it tries to start the transfer. Try disconnecting it from the network and see if it still reboots.