Rewriting Dtivo Prom

milhouse
08-30-2001, 11:44 AM
Recently Directv closed my Tivo Lifetime account (must be related to canceling my DTV sub..). At this point I figure I can either hack the unit with fixup02c or re-activate a minimum sub. Before I go to 2.5 I would like to make sure I can revert back to 2.0.1.

Is it fairly simple to rewrite the prom?

Where are the 2.5 installation files stored? I would like to make a backup after the download, before the restart.

Milhouse.

GoneSilent
08-30-2001, 02:36 PM
Let me know if you have any backups of your prom, or if anyone out there has any images of their proms. I'd love to be able to reflash. As I understand it, 2.0.1 will boot on machines with 2.5, so for sure at least the current prom being used in 2.5beta will still work should we wish to go back to 2.0. 2.5 does not run on machines with the older prom; it just won't boot.

milhouse
08-30-2001, 02:59 PM
Is the 2.5 beta hackable like 2.0.1? i.e. chattr +i

milhouse.

GoneSilent
08-30-2001, 04:48 PM
2.5 is locked out....and is also in beta. When they release the darn thing I'm sure it will only take a couple of days to get back in. My major problem is if Tivo starts locking out older software via the proms.

surgeon
08-30-2001, 11:12 PM
I've got two prom image files for the Philips DSR6000. One is from Sept 2000 which should be pre-file-checking and the other is from March 2001, which I'm guessing came with 2.01 and includes file-checking. If anyone wants to give them a shot just let me know...

GoneSilent
08-31-2001, 05:37 PM
So here is what I can do: unsolder the flash chips on my 2.5 box and reflash with a programmer. I'd like to just socket the flash chips; not sure if I will do that. Surface mounts are a pain. I was planning to slap in a 2.01 drive and reflash via that. However, with the current prom I am running I am only able to boot .002 with the checking and cannot get back in to flash. So the only thing I think I'm left to do with this box is to just sit back and wait till someone makes it into 2.5. I have a few combo boxes here and will start trying to walk one of them into 2.5 by hand. I hope to learn a little about how tivo goes about its upgrades. Direct TV will make tivo lock these boxes down. A prom can happen anytime they feel like it. I'm not sure about you but the idea of an auto upgrade is not something I want to see happen. Does anyone know of ANY way to simulate the sat feed? I'd like to give Dtivo a legit feed other than DirectTV. So many things I'd like to do, so little time!

Lord Magnus
08-31-2001, 07:06 PM
Originally posted by surgeon
I've got two prom image files for the Philips DSR6000. One is from Sept 2000 which should be pre-file-checking and the other is from March 2001, which I'm guessing came with 2.01 and includes file-checking. If anyone wants to give them a shot just let me know...

You might check with Lure and see if he wants to host them with the drive images.

LM

Fugg
08-31-2001, 08:43 PM
Originally posted by GoneSilent
However, with the current prom I am running I am only able to boot .002 with the checking and cannot get back in to flash. So the only thing I think I'm left to do with this box is to just sit back and wait till someone makes it into 2.5.


Can you download an image (if it's there) of .001 (.000?) and load it to flash with? Or does the prom version keep you from booting with anything less than .002?

surgeon
09-01-2001, 11:48 AM
Originally posted by GoneSilent
with the current prom I am running I am only able to boot .002 with the checking and cannot get back in to flash. So the only thing I think I'm left to do with this box is to just sit back and wait till someone makes it into 2.5. I have a few combo boxes here and will start trying to walk one of them into 2.5 by hand

A couple of questions:

Since you have access to other combo boxes, can you swap in the drive with 2.5 on it and let us know if it boots fine with an earlier prom? If so, then we can advise everyone to cut the #WE line on the prom chip to avoid having it get upgraded.

Also, can't the "immutable" bit be set on files under 2.01.002 and still boot? I thought 2.5 did the re-looping thing???

-Surgeon-

milhouse
09-05-2001, 11:14 AM
Has anyone tried:
- taking a unit that was updated to 2.5.
- putting in a 2.0.1 drive.
- boot up with "$updateprom" set to true.

From looking at rc.sysinit, that should cause the unit to update the prom.

Milhouse.

pasha
09-05-2001, 07:42 PM
If somebody here is smart enough to patch the new prom to skip kernel partition signature checking we can get back in it....
anyway, the box is locked very well...
1st it checks the kernel signature in the prom
if it's correct it loads the kernel with the ramdisk
and linuxrc starts checking the filesystem
and old proms simply don't have code for the directv tuners
so an old prom is not gonna make you happy

GoneSilent
09-05-2001, 08:19 PM
The old prom has been very helpful when compared with the new =] Checking has been there for a while now, not turned on.

pasha
09-05-2001, 08:58 PM
what do you mean by that?

GoneSilent
09-08-2001, 01:44 AM
I meant that the code or section that I can see pertaining to the boot checking has been in the proms that people have sent me. It has not been turned on. I'm waiting for someone to post a prom of the current 2.5 release; all mine are betas. Also, please, someone upgrade their box and before it reboots remove the drive and back it up. I need a current 2.5 release that I can restore. I cannot restore a 2.5 image if the machine has been rebooted. You can change the ser# on the drives, see other posts about its location. I however have not tried with the new 2.5 to boot/upgrade in this fashion.

synthesis
09-08-2001, 08:35 AM
shit- I wish I'd seen this post last night! I got upgraded and thought about backing up, but just went ahead and rebooted :(

Quick question- once updated can I back up 2.5, restore 2.01 and then in the future restore 2.5 again? I don't have dual tuners and I'd like to keep fixup running for the nonce.

thanks!

GoneSilent
09-08-2001, 08:13 PM
I'm sure everyone here reads all the threads, but someone has a backup to upgrade. Check out Hacking 2.5 (what are we going to do?) for the image file. It restores and will let us all see the upgrade process before it happens. Also check out how tivo itself is signing files during upgrade.

GoneSilent
09-08-2001, 08:19 PM
I'm gone for the next 2 weeks right as 2.5 is out and the real smart guys get it and hack it back up. Can't wait to see what gets done while I'm gone. Have fun.

icetre
09-09-2001, 01:09 AM
I do have a backup! and if need be, I will back it up and keep doing it until it's right.

I hope the posts that I have there at least make someone think and maybe I will be the inspiration behind the hack.

Anyways, I don't really want the credit, more I am just doing my part to take care of THE MAN.

I am not worried about Tivo, as I will always be a customer. And I don't ever plan on going lifetime because they will lose money, but I want a service hack because I don't want DAVE knowing what I am doing. I figure, I can't code, and I am not real good with hacks, so I might as well help however I can.

Also, I forced the download of 2.5.

And yes 2.0.1 can be booted with 2.5 proms.

The force for 2.5 works like this.

There is a bad backup of 2.5 out there.

Restore the bad backup to your tivo (it's not going to work because the serial number is encoded in the backup, don't worry about it.)

Put in a real sub'd card and dial out (this isn't going to work with a hacked card, besides you might as well put a neon sign on your dish for dave that reads hacked)

in about 1:20 you will have a tivo that's pending restart. (don't think it's this easy)

restart it, get to the part where it restarts itself again.

Pull the drives and restore your backup.

Now you are running under 2.5 proms but you have 2.0 software. This tells tivo you need an upgrade.

so force another daily call.

Guess what? yep another 1:20 minute download later you are pending restart again.

Restart, and you're now at 2.5, congratulations.

Now don't get me wrong, this may have NOT worked..

I may have had a download of 2.5 pending.. But I don't think so..

I called about 1pm that day EST. Then again tivo updates at 2PST

Anyways someone give it a try and see if the force works, talk to kspades for the 2.5 hacked backup and talk to cyberdude for the pre reboot 2.5. I need to know if any of these methods worked.

Adam

tangee
10-06-2001, 12:08 PM
How can you run 2.01 with 2.5 proms? If the 2.5 prom is checksumming the kernel partition, then it will certainly fail if it finds a 2.01 partition - or at least a hacked 2.01 partition.

This would seem to mean that a 2.5 upgrade is a one-way process; there is no going back to 2.01 because your prom will get updated and you can never again boot any image in your tivo other than an unmodified 2.5 image.

DrXenon
10-06-2001, 03:13 PM
> So here is what I can do. Unsolder the flash chips on my 2.5 box, reflash with a programmer. I'd like to just socket the flash chips, not sure if I will do that. Surface mounts are a pain.

You shouldn't have to unsolder anything; these systems are typically programmed through a JTAG interface. You can use your peecee's parallel port to talk to it.

synthesis
10-06-2001, 06:01 PM
FWIW- I received the 2.5 upgrade, restarted, pulled the hard drive (backed it up) and restored a 2.01 backup.

Works just fine.

tangee
10-10-2001, 02:16 PM
Wait a minute. Let's do a sanity check.

If you can upgrade your prom to 2.5, then restore a hacked 2.01 kernel image and run it, then obviously the 2.5 prom is not checksumming the kernel partition blindly. If it were, it would fail when you attempted to boot the 2.01 image.

This is contrary to what has been posted here before, and raises some interesting questions. How _does_ the 2.5 prom checksum the kernel partition?

Perhaps the prom is checking some key bytes on the partition to determine if the kernel image is 2.5, and if so, checksumming it and otherwise not. If so, another route of attack into 2.5 would be to locate those key bytes.

BubbaJ
10-11-2001, 11:03 AM
or maybe the 2.01 kernel partition has a checksum??? maybe?? hmm.. nah.. that'd make too much sense..

IWantMyDTV
10-11-2001, 01:14 PM
Originally posted by BubbaJ
or maybe the 2.01 kernel partition has a checksum??? maybe?? hmm.. nah.. that'd make too much sense..

BubbaJ, he was asking a question. I would rather see someone ask a question rather than spew BS on this board as if it was fact.

http://dealdatabase.com/forum/showthread.php?s=&threadid=4212&perpage=15&pagenumber=1

Don't be bitter just cause you got flamed.

pasha
10-11-2001, 04:26 PM
Originally posted by tangee
Wait a minute. Let's do a sanity check.

If you can upgrade your prom to 2.5, then restore a hacked 2.01 kernel image and run it, then obviously the 2.5 prom is not checksumming the kernel partition blindly. If it were, it would fail when you attempted to boot the 2.01 image.

This is contrary to what has been posted here before, and raises some interesting questions. How _does_ the 2.5 prom checksum the kernel partition?

Perhaps the prom is checking some key bytes on the partition to determine if the kernel image is 2.5, and if so, checksumming it and otherwise not. If so, another route of attack into 2.5 would be to locate those key bytes.

Not to blame anybody....

but I repeat this one again....

it's not checking a CHECKSUM (a checksum is easy)

it checks a digital signature to verify identity... and/or validity...

i.e. the prom has a set of public keys which could be used in order to sign the kernel partition, and the last useful block of the kernel has the signature itself....

so during the boot process it hashes the kernel against the signature stored in the last block and then verifies identity using the set of keys stored in the prom...

means you can boot multiple kernels as long as they have a valid-for-release signature block...

and you can't fake it unless you have a private key from this key ring....


enjoy

tangee
10-12-2001, 10:33 AM
Well, of course it would be easy enough to have a 2.01 signature in the prom so that it could recognize that image as well.

The real question is can I boot a hacked 2.01 partition? Has anyone tried to boot a hacked 2.01 partition after upgrading to 2.5? This would be the real test as to whether or not the prom is fully checking non-2.5 kernel partitions.

On the digital signature matter, that procedure serves the same purpose as a checksum so I tend to call it that for simplicity's sake. The digital signature bytes simply serve as a cryptographically secure checksum i.e. one that would be prohibitively difficult to re-calculate based on an altered image.

The implications of that are simply that the attack must focus on the signature verification code itself, not on generating an alternative valid signature.

synthesis
10-12-2001, 11:09 PM
As above, I reloaded 2.01 over a 2.5 image. I've since made several changes to rc.sysinit, etc. without any problems. Have rebooted several times since... it's all good.

syn.

pasha
10-13-2001, 12:17 AM
Originally posted by tangee
Well, of course it would be easy enough to have a 2.01 signature in the prom so that it could recognize that image as well.

The real question is can I boot a hacked 2.01 partition? Has anyone tried to boot a hacked 2.01 partition after upgrading to 2.5? This would be the real test as to whether or not the prom is fully checking non-2.5 kernel partitions.

On the digital signature matter, that procedure serves the same purpose as a checksum so I tend to call it that for simplicity's sake. The digital signature bytes simply serve as a cryptographically secure checksum i.e. one that would be prohibitively difficult to re-calculate based on an altered image.

The implications of that are simply that the attack must focus on the signature verification code itself, not on generating an alternative valid signature.

dude....

again.... the signature itself is the last block of the kernel partition (not the root filesystem)

most likely tivo uses the same private key to sign all releases of software....
i.e. 2.0 will work... if it has a signature....

as you mention above, hacked 2.0.1 will work just because the "hole" is in linuxrc... it will ignore errors... and you're not modifying the kernel partition itself

seems like you don't understand the entire design... and concept of signature....


enjoy

CheckSum
10-16-2001, 11:07 AM
The way you normally verify the authenticity of a large block of data is to run a cryptographically secure checksum on the data (like md5, for example) and then use a private key to sign this checksum. This is much less computation intensive than signing the whole block of data, and you don't compromise a significant amount of security. If TiVo is running a checksum of the whole partition, then we are AFAIK in serious trouble. I doubt, though, that this is what's actually happening in the TiVo when it boots. To calculate a checksum of a partition, you would first need to read in the entire partition, and that would take a significant amount of time.
It may be possible that they are taking a shortcut and maybe calculating the checksum on only the inodes and directory structures of the FS. This would save a lot of time on boot up and would detect when any file changes (the timestamp would change), or when a file is added (there would be an extra directory entry).
This is only a hunch, but maybe someone who knows the file system of the TiVo will be able to comment on the validity of this.

Chance
10-16-2001, 10:07 PM
Come on, someone out here has to have access to a real programmer! I did several yrs ago, but anyone in the programming industry can duplicate and get a file checksum from any chip, any kind. Now I guess just verify that "tivo checksum", which may be diff than the true prom checksum depending on your exact wants, but bottom line, a perfect master copy of the file can be made in no time and duplicated countless times, very much dependent on the programmer(s) they are done on. Even someone out here in programming final audit or such could skate by doing it. Anyone? Speak up? How many different proms and files are we talking about, ball park, as far as diff versions, different proms, etc?

pasha
10-16-2001, 10:33 PM
folks,

not to be rude, but PLS if you have no clue about this whole thing PLS feel free to open your own thread about rumors and guesses...

and again I will explain...

1. the prom will hash the kernel partition (/dev/hda3 or /dev/hda6), not root (/dev/hda4 or /dev/hda7)
it will hash it against the signature stored in the last block of the same partition... and will verify the signature against the public key stored in the PROM

so if your kernel hasn't been signed by tivo it will not load it into memory!
then if your kernel is untouched it will load it and pass control over...

the kernel will create a ramdisk and uncompress data stored in the same partition and run linuxrc from it...

linuxrc will mount your root filesystem to /mnt and check every file against the signature stored in the signature file on the romfs....

if any file is compromised it will delete it and try to recover from backup (same romfs) or try to download on the next call....

to verify changes it will reboot and pass every single check

then if something is still there you will go for an infinite loop.


anyway.....
the starting point should be rewriting the PROM to skip the signature check.
next will be the kernel to skip romfs
then you know the rest....


enjoy
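
The chain pasha lays out above (and the hash-then-sign pattern CheckSum describes earlier in the thread), as an added toy model in Python; this is not code from the thread, from TiVo or from any TiVo tool. Everything in it is constructed for illustration: a tiny RSA key pair standing in for the key the PROM would carry, a 512-byte "last block", made-up partition contents, made-up paths for rc.sysinit and tivoapp, and an in-memory dict in place of a disk.

```python
import hashlib
import random

BLOCK = 512  # constructed: bytes in the kernel partition's "last block" that carries the signature

def _probable_prime(n, rounds=16):  # Miller-Rabin; plenty for a toy key
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=512):
    """Toy RSA: (n, e) is what the PROM carries; (n, d) never leaves the signer."""
    e, half = 65537, bits // 2
    odd = iter(lambda: random.getrandbits(half) | (1 << (half - 1)) | 1, None)  # top and low bit set
    while True:
        p, q = (next(c for c in odd if _probable_prime(c)) for _ in range(2))
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def sign_kernel_partition(image, priv):
    """Signer side: hash the kernel+ramdisk image, sign the hash, append it as the last block."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return image + pow(h, d, n).to_bytes(BLOCK, "big")

def prom_verify(partition, pub):
    """PROM stage: hash all but the last block, open the signature with the public key, compare."""
    n, e = pub
    image, sig = partition[:-BLOCK], int.from_bytes(partition[-BLOCK:], "big")
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return image if pow(sig, e, n) == h else None  # None: the PROM refuses to load the kernel

def linuxrc_check(root_fs, sig_file, romfs_backup):
    """linuxrc stage: restore each deviant file from the romfs copy, or delete it if none."""
    repaired = []
    for path, expected in sig_file.items():
        if hashlib.sha256(root_fs.get(path, b"")).hexdigest() != expected:
            if path in romfs_backup:
                root_fs[path] = romfs_backup[path]
            else:
                root_fs.pop(path, None)  # gone until the next daily call fetches it
            repaired.append(path)
    return repaired

def boot(partition, pub, root_fs, sig_file, romfs_backup, max_reboots=3):
    """Whole chain: any repair forces a reboot so every check runs again from the top."""
    for _ in range(max_reboots):
        if prom_verify(partition, pub) is None:
            return "prom refused kernel"
        if not linuxrc_check(root_fs, sig_file, romfs_backup):
            return "booted"
    return "reboot loop"  # something it cannot repair keeps it rebooting

def demo():  # constructed sample data run through the chain four ways
    pub, priv = make_keypair()
    partition = sign_kernel_partition(b"vmlinux-2.5 + initrd(linuxrc)", priv)
    romfs = {"/etc/rc.d/rc.sysinit": b"#!/bin/sh\n# stock\n", "/tvbin/tivoapp": b"stock app"}
    sig_file = {p: hashlib.sha256(c).hexdigest() for p, c in romfs.items()}
    bad = bytes([partition[0] ^ 1]) + partition[1:]  # one flipped bit breaks the signature
    edited = {**romfs, "/etc/rc.d/rc.sysinit": romfs["/etc/rc.d/rc.sysinit"] + b"# edited\n"}
    return {"clean": boot(partition, pub, dict(romfs), sig_file, romfs),
            "kernel_tampered": boot(bad, pub, dict(romfs), sig_file, romfs),
            "root_edited_with_backup": boot(partition, pub, dict(edited), sig_file, romfs),
            "root_edited_no_backup": boot(partition, pub, dict(edited), sig_file, {})}
```

Running `demo()` shows the four outcomes: a clean boot, the PROM refusing a kernel image with one flipped bit, a changed root file put back from the romfs copy on the first reboot, and the endless reboot when a changed file has no copy to restore.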

Chance
10-16-2001, 11:40 PM
Okay, no need to get hostile! I am unfamiliar with Linux and am here to absorb and gain new ideas and insight, always taking something positive and useful out of every tidbit! I was simply mentioning and attempting to obtain additional product-specific information. It was and is not my intention to get in between someone else's pissing contest, if you will; I actually am only interested in discussion to better get to know, etc., a particular area, field, etc., not to argue or "show that person who's the sh!t", so to speak (not making accusation anyone is). Of course, being unacquainted, who is to say about anyone. Anyhow, my observation was to the questions of being able to duplicate proms; beyond that I would be interested in t's process of assembly and so forth once the programmed proms are finished or back in house from being programmed, etc.

Thank you for your time...........

BubbaJ
10-17-2001, 10:27 AM
Eel-Sushi's post, in English.

:) 1. the prom will hash the kernel partition, not root; it will hash it against the signature stored in the last block of the same partition... and will verify the signature against the public key stored in the PROM

8) The PROM (the program that runs when the machine is turned on) will use a very special math to add up all of the information in the kernel/ramdisk partition (the kernel is the last program that the PROM starts up; it in turn provides the structure of the system). The PROM will then decrypt a block of data stored at the end of the kernel partition and make sure that it matches what it added up.

:) so if your kernel hasn't been signed by tivo it will not load it into memory! then if your kernel is untouched it will load it and pass control over...

8) If the numbers don't match, then sorry Charlie. If they do, the PROM loads the kernel into memory and passes control to it.

:) the kernel will create a ramdisk and uncompress data stored in the same partition and run linuxrc from it...

8) The kernel decompresses the ramdisk into memory, and uses it for its boot-up instructions.

:) linuxrc will mount your root filesystem to /mnt and check every file against the signature stored in the signature file on the romfs....

8) One of the instructions is to make sure no one has been naughty with the files; it uses more of that special math to do this.

:) if any file is compromised it will delete it and try to recover from backup (same romfs) or try to download on the next call....

8) If someone has been naughty, it replaces their painstaking work with the same crap that was there before.

:) to verify changes it will reboot and pass every single check

8) To make sure it did its job right it will reboot and try again.

:) then if something is still there you will go for an infinite loop.

8) If it can't repair the damage you've done, it pukespukespukespukespukespukes... until you turn the power off or otherwise devise some manner to make it stop puking.

mrblack51
10-17-2001, 11:38 AM
not too bad of an analysis bubbaj. here's a thought:

something has to check the prom's checksum. clearly, since the prom is the first thing to load, it checks its own signature. SO, we should be able to modify the prom so that it skips both checks, then we could edit the linuxrc to remove the checks.

BubbaJ
10-17-2001, 11:54 AM
I used to do stuff like that for games on the C=64, but I 1) don't know PPC assembler, 2) don't have the prom, 3) don't have a PPC simulator, and 4) don't really have the time to slog through a rom (though it is probably a simple one)

I imagine that the 2.5 rom could be loaded in from a running 2.01 kernel, and that it could be debugged from there, but I still have the issues of 1), 2), and 4).

If someone sent me a 2.5 rom, I imagine I could start taking a look at PPC code, and maybe could look for JMP/RETs at work, freeing me from doing the grueling work at home.. so MAYBE I could do it, but then again, maybe someone else better equipped than I could do it faster..

tangee
10-25-2001, 11:04 AM
I now have access to IDA Pro which can disassemble Power PC assembly. Would someone be able to post or send me the 2.5 prom binary? Thanks.

tangee@pirateden.com

pasha
10-25-2001, 01:52 PM
how about getting me IDA pro?

surgeon
10-25-2001, 03:20 PM
Originally posted by tangee
I now have access to IDA Pro which can disassemble Power PC assembly. Would someone be able to post or send me the 2.5 prom binary? Thanks.

tangee@pirateden.com

Yeah, I'd like to get my hands on a copy of IDA Pro also... I posted some earlier proms on lure's site, but haven't let any of my units upgrade to v2.5 yet...

surgeon@pirateden.com

-Surgeon-

PerlMonkey
10-25-2001, 04:25 PM
I've got a 2.5 unit if someone can describe how to pull the prom I'd be more than happy to help.

I'm trying to get a 2.0 or 2.0.1 image now so that I can try downgrading.

chipster
10-28-2001, 02:33 PM
Attached

chipster
10-28-2001, 02:43 PM
After ten weeks in the shop, my test DTivo is ready for hacking again.

If anyone is interested, I can also post each of the various boot and kernel partitions from the 2.5 box.

From the logs, and what I've read, upon a successful scan by the ramdisk, it loads the 2.5 kernel.

What I'd like to know is - is it possible to boot the 2.0.1 ramdisk which allows chattr, and let it hand off to the 2.5 kernel? I know that the PROM is happy with the old ramdisk (and verified this myself).

What partitions are the ramdisk and final kernel on?? If the same - I'm probably SOL, unless I can patch the two together and maintain signature integrity on each.

BubbaJ
10-29-2001, 10:40 AM
I'm rather interested in a 2.5 hda4/7 if you've got one handy..

Thanks,
Bubba

chipster
10-31-2001, 09:42 AM
A little too large to upload...

rudes
11-02-2001, 09:06 PM
It sounds like everyone here was working out the problems I've just had (and explained the reason why)

Any progress??

I have a TiVo that has 2.5 on it and want to get bash and tivonet running on it.... but that damn checksum :(

I am going to see if I can't revert back to the older version on my T60, but I've seen talk of images :) Is it possible to restore an image from a different DTiVo onto mine?? THAT would be useful.

Thanks in advance for any help.

BubbaJ
11-02-2001, 10:38 PM
I formally abandoned my hybridization efforts today. The 2.05 tivoapp relies on several features of oslink.o that are not in the 2.01 version; the kernel reboots immediately when told to force the 2.05 oslink.o to load.

The 2.01 tivoapp does not understand at least one message from the STi5505 (the message stating that the master verifier has loaded, waiting for coordination)

I still think it may be possible to run a 2.05 system from a 1.85(2.01) prom, but I'm not set up for that yet.

Hopefully a solution will be forthcoming in getting the 2.05 kernel to load without the kernel check and without the initrd.

Vadim
11-02-2001, 11:17 PM
BubbaJ, giving up? No way!

BubbaJ
11-02-2001, 11:49 PM
Just trying a different tack is all..

Look for a new message from me on how to tune ALL locals on a directivo.. (no guide data (Yet))