"Series2.5" / TCD540040 / "nightlight SA" / Humax / DirecTV R10 initial observations



alldeadhomiez
08-07-2004, 08:04 PM
I have procured one of the new silver SAS2 units, model TCD540040, TCD_ID 540-0001-xxxx-xxxx, manufacture date June 2004. These units run TiVo software version 5.3.N2 and have many differences from previous versions of the Series2 hardware; thus I have dubbed this architecture "Series2.5" and suggest referring to it as such so that users can use the term as a search keyword.

First off, I have been unable to boot the 5.3 drive on an HDVR2. The kernel locks up and silently fails. As HD TeAm reported last week, these units implement a new "TCD1" ABI, so the kernel image now starts at 0x80001fe0 instead of 0x80002000. The extra 0x20 bytes are used to hold "trusted" copies of the boot parameters, so that the hack used in killhdinitrd no longer works. It appears that versions of the TiVo software designed for the 7315-based units may not be backward compatible; we will know more once the 5.3 kernel source is posted. Interestingly, both brcmdrv-rb.o (Series2) and brcmdrv-7315.o (Series2.5) kernel modules were included in version 5.3. Even after replacing the stock kernel with a known good 2.4.20 kernel, 5.3 did not boot correctly on the HDVR2.

My TCD540040 came with PROM version 2.25. This version sports the pretty "sunrise" startup screens seen here (http://www.weaknees.com/new_tivo_screens.php) instead of the drab gray screens seen on normal Series2 units. PROM version 2.25 does not boot on an HDVR2. The last known PROM version, 2.14 (found on the HR10-250) was backward compatible with all previous Series2 hardware.

The previous Series2 hardware used a NEC VR5432 MIPS processor running at ~166Mhz in big endian mode. Series2.5 hardware uses an "IRD on a chip" Broadcom BCM7317 IC, apparently an (undocumented) close relative of the BCM7315 (http://www.broadcom.com/collateral/pb/7315-PB00-R.pdf); a BCM7315 IC includes an integrated MIPS32 CPU running at 175Mhz. On the Series2, the BCM7030-class chipset IC (used for MPEG decoding, PCI, TS demux, etc.) was separate from the CPU.

Several functions have been moved to the main processor in the Series2.5: the NEC USB 2.0 controller and the TiVo ASIC (IDE and scrambling functions) are the two most prominent ones. As far as I can tell, there is no longer even an internal PCI bus. Modem I/O is handled by an external Si2434; the MPEG encoder is still a BCM7040. Like the Series1, the CPU does not appear to support floating point operations, and seems quite a bit slower than the original Series2; the caches on the BCM7315 seem a bit lacking. No EHCI modules are available, and the BCM7315 marketing literature implies that USB 2.0 / High-speed transfers are not supported. Main system memory appears to be 32MB, provided by a single NT5DS16M16BT-6K 16-bit wide DDR component. The crypto chip is still an Atmel AT90SC6464C.

The mainboard is considerably smaller than the Series2 mainboard due to the reduced component count. The power supply looks similar but has noticeably fewer parts. The IDE cable is now an old ATA33 cable, not the ATA66 cable seen on the Series2.

Since there is no public software hack for these units, compromising a Series2.5 device currently requires socketing the PROM and loading a new image. Fortunately, the PROM is still the old, familiar SST37 in PLCC32 form. After modifying the PROM, replace_initrd was used to kill the initrd, and I was able to get a shell on ttyS1.

Overall, my assessment so far is that the Series2.5 is an attempt to lower the manufacturing cost and jack up the sticker price. I was very disappointed that the TiVo hardware is getting slower over time, not faster. I see no advantages to this hardware over a $49 refurb Series2.

Update 2004/12/15:

The 242Mhz BCM7317 CPU in the Series2.5 has been shown to be quicker at many operations than the Series2.0 VR5432, but slower at others (in particular this affects perl scripts and other software that uses the (now emulated) FPU). For more CPU information, see below.

The DirecTV R10 ships with an ATA-66 cable; the SA2.5 models I have seen have ATA-33 cables.

Summary of current known advantages over Series2.0 hardware: higher CPU clock speed, higher memory bandwidth, newer software (5.3/SA, 5.4/DVD, 6.1/DTV)

Known disadvantages: smaller CPU cache / no FPU, less available memory (DVD/Elmo models only), no working USB 2.0 / EHCI support, no software exploits, poor hack compatibility

Update 2005/01/04:

New USB drivers, which also have EHCI support, have been posted here (http://www.dealdatabase.com/forum/showthread.php?t=38167).

Update 2005/01/07:

I did a short writeup (http://www.dealdatabase.com/forum/showthread.php?p=192565#post192565) on the chain of trust, i.e. why we need to socket the PROM to gain access to the Series2.5. Read and understand it before you ask any questions on this topic.

alldeadhomiez
08-07-2004, 09:14 PM
Couple more notes:

To get serial output working correctly, you need to install a loadable module (normally this is done from the 5.3 startup scripts) and stty sane. Here is my new rc.sysinit that I installed to intercept the boot process:


#!/bin/bash

export PATH=/bin:/tvbin:/sbin:/var/hack
export MFS_DEVICE=/dev/hda10
export TIVO_ROOT=
insmod /lib/modules/bcm7315tty.o
stty 115200 sane < /dev/ttyS1
bash < /dev/ttyS1 >& /dev/ttyS1
exec /etc/rc.d/rc.sysinit.orig

Using a generic ax8817x adapter, OHCI drivers, and a completely idle system (no tivoapp loaded), I was able to receive data at 1.1 megabytes/sec and send at 800 kilobytes/sec over TCP with netcat. Some interesting excerpts from the kernel log:


<4>Algorithmics/MIPS FPU Emulator v1.5
<6>BCM7315 serial driver loaded, 2 ports starting at /dev/ttyS0
<6>usb.c: registered new driver usbdevfs
<6>usb.c: registered new driver hub
<6>usb_ohci.c: USB OHCI at membase 0xfffe8100, IRQ 8
<6>usb_ohci.c: usb-OHCI-Direct, BRCM-OHCI
<6>usb.c: new USB bus registered, assigned bus number 1
<6>hub.c: USB hub found
<6>hub.c: 2 ports detected
<6>usb_ohci.c: TiVo 2-chip USB Host Controller
<6>usb_ohci.c: v5.3 Roman Weissgaerber <weissg@vienna.at>, David Brownell
<6>usb_ohci.c: USB OHCI Host Controller Driver

Looks like the (GPL) OHCI module might have been modified to use the native Broadcom interfaces. The "v5.3" is just a coincidence.

rc3105
08-11-2004, 12:07 AM
please post any non-development commentary here

TCD540040 - What can I do with this? (http://www.dealdatabase.com/forum/showthread.php?t=36886)

Edit 2004/11/12 by ADH:

Walkthrough to hacking your new Series2.5 (http://www.dealdatabase.com/forum/showthread.php?p=193381#post193381): newbie-friendly instructions by mrblack51
For Sale/Trade (http://www.dealdatabase.com/forum/forumdisplay.php?f=34): post an offer here if you want to pay somebody to socket your PROM. Suggested subject line: "WTB: PROM socketing"

Edit 2004/12/13 by ADH:

Review and pictures of the DirecTV R10 (http://www.tivocommunity.com/tivo-vb/showthread.php?threadid=210960)

alldeadhomiez
08-21-2004, 02:51 PM
I just ran across a "new" Series2.5 unit at Sam's Club. They are now selling HUMAX branded TiVo units, model T800. The service number prefix is 590. They are 80 hour units selling for $249.99. This is what they look like:

http://www.jr.com/JRProductPage.process?Product_Code=HUX+T800

fixn278
08-21-2004, 03:00 PM
I also remember seeing an article that Humax would be releasing a 250gb version which would imply native LBA48 assuming they are only using a single drive

alldeadhomiez
08-21-2004, 03:09 PM
I also remember seeing an article that Humax would be releasing a 250gb version which would imply native LBA48 assuming they are only using a single drive

5.x uses kernel 2.4.20, which does LBA48 natively.

Also, LBA48 support (needed to boot a kernel that lies past 137GB) was added in PROM version 2.14 on the HR10-250. I haven't checked but I'm pretty sure it's still in 2.25 on the Series2.5 boxes.

alldeadhomiez
08-28-2004, 12:46 AM
I have attached a script, patch, and kernel conf file which illustrate the process of building a functional Uma2c-compatible 2.4.20 kernel for 5.3. Note that TiVo has patched 2.4.20 to use the 2.5/2.6 build system, so some of the legacy Makefiles (which I chose to use instead of the 2.5 stuff) are out of date.

I was not able to get EHCI working correctly (and am not convinced that it even exists on the 7317), but the driver is in the tree if you want to play with it.

If your cross compiler is not in /usr/local/tivo-mips, you will need to adjust $(CROSS_DIR) in linux-2.4/Makefile .

The kernel sources are available from: http://www.tivo.com/linux/

AlphaWolf
08-28-2004, 05:06 PM
Overall, my assessment so far is that the Series2.5 is an attempt to lower the manufacturing cost and jack up the sticker price. I was very disappointed that the TiVo hardware is getting slower over time, not faster. I see no advantages to this hardware over a $49 refurb Series2.

But...it includes a free night light, and the regular S2 doesn't. Who in their right mind would resist a free night light? ;)

kafowler10
09-03-2004, 02:43 PM
Has anyone determined whether the new silver Tivos can support USB 2.0?

The BCM7315 is USB 1.1 only, but USB 2.0 support could be one of the differences between the BCM7315 and the BCM7317 in the new "Series 2.5" Tivo.

Also, has it also been confirmed whether the BCM7317 has the same 175MHz processor in the BCM7315? Or might it have something closer to the 250MHz processor in the BCM7320?

alldeadhomiez
09-03-2004, 03:51 PM
Has anyone determined whether the new silver Tivos can support USB 2.0?

The BCM7315 is USB 1.1 only, but USB 2.0 support could be one of the differences between the BCM7315 and the BCM7317 in the new "Series 2.5" Tivo.

Well, it didn't work for me, but there is some sort of (hacked-in) 7317 special handling in drivers/usb/tivo/bcm-usb.h:


static int brcm_ehcd_init (void)
{
    int status = 0;

    { // Init BRCM USB setup registers for board and HC specific issues
        __u32 *setup = (__u32 *) HC_BASE_ADDR;
        writel( BRCM_USB_SETUP_REG_VAL, &setup[BrcmUsbSetup] );
        writel( BRCM_PLL_CONTROL_REG_VAL, &setup[BrcmPllControl] );

    }

#if 1 //for BCM7317 only
    //straighten out frame length
    writel( 0x000c0020, (volatile u32 *) 0xfffe81f8 );

    //set generic_ctl_11 (USB_UTMICTRL)
    writel( (readl( (u32 *) 0xfffe81ec ) | (1 << 11)), (u32 *) 0xfffe81ec );
#endif

    Pci_ehci_dev = kmalloc( sizeof( struct pci_dev ), GFP_KERNEL );
    if( !Pci_ehci_dev )
        return -ENOMEM;
    strcpy( Pci_ehci_dev->name, "BRCM-EHCI" );
    strcpy( Pci_ehci_dev->slot_name, "EHCI-Direct" );
    pci_resource_start(Pci_ehci_dev, 0) = EHC_BASE_ADDR;
    pci_resource_end(Pci_ehci_dev, 0) = EHC_END_ADDR;
    Pci_ehci_dev->irq = EHC_INT_VECTOR;
    status = usb_hcd_pci_probe (Pci_ehci_dev, &brcm_ehci_pci_ids[0]);

    return( status );
}

I'm pretty sure that's not a real PCI device though - especially because the default Uma2c kernels don't even build PCI support (CONFIG_PCI), and because bcm-usb.h overrides any PCI support functions that are called by the Linux USB code. Thus, the PCI probe is faked, although it does look like usb_hcd_pci_probe() attempts to initialize the hardware and would fail if the EHCI hardware was not present.

They also don't build the EHCI driver, which makes sense because it is very broken when I build it. The whole USB setup on these chips is a bit curious and needs to be explored further.

kafowler10
09-07-2004, 08:24 PM
Broadcom recently updated their web site with specifications for the BCM7317. It is quite a bit more robust than the BCM7315 described above.

BCM7317 Specifications (http://www.broadcom.com/collateral/pb/7317-PB02-R.pdf)

Features include: 242 MHz MIPS CPU

16-bit 133MHz DDR memory controller

Integrated USB 2.0 host controller

ATA5 / Ultra ATA66 controller

The hardware in the new silver Series2 Tivo does appear to be a slight upgrade from the previous Series2 model, not a downgrade as previously suggested.

alldeadhomiez
09-07-2004, 11:08 PM
The hardware in the new silver Series2 Tivo does appear to be a slight upgrade from the previous Series2 model, not a downgrade as previously suggested.

It's a tradeoff.

NEC VR5432:
166Mhz
Separate 32KB instruction and data caches
FPU
83Mhz multiplexed memory interface

BCM7317:
242Mhz
Separate 8KB instruction and data caches
No FPU
133Mhz 16-bit DDR memory interface

The small caches on the BCM7317 might slow things down, but on the VR5432 the cost of a cache miss is probably substantially higher.

Also, if they never release working Uma2c EHCI support, that could be a disadvantage.

The VR5432 info is at http://tivoutils.sf.net .

my0gr81
09-08-2004, 04:34 PM
Anyone notice the 8KB onchip boot rom on the BCM7317? That does not bode well for the prom mods, does it?

ronnythunder
09-08-2004, 05:56 PM
well, except for this in the original post:


Fortunately, the PROM is still the old, familiar SST37 in PLCC32 form.

ronny

my0gr81
09-09-2004, 12:05 AM
For this release of hardware it is true, the rom is still separate.

This new "set top box in a chip" solution does offer possibilities for TIVO to forego the separate rom and use the built in one for future releases.

mrblack51
09-09-2004, 01:21 AM
For this release of hardware it is true, the rom is still separate.

This new "set top box in a chip" solution does offer possibilities for TIVO to forego the separate rom and use the built in one for future releases.

the sky is falling the sky is falling! wait, no it's not.

yeah, they may add that in the future...however, this thread is about current hardware observations, not about possible things tivo could do as they become more paranoid

alldeadhomiez
09-11-2004, 10:34 PM
The BORD ID is 0x10f8: "0x000010 Gen04 standalone 1".

5.3 includes the following kernel modules:


Common:

af_packet.o ax8817x.o cdrom.o cobra.o fan.o fanstub.o fat.o tivoconfig.o
isofs.o kaweth.o msdos.o oslink.o p80211.o pegasus.o prism2_usb.o
router.o rtl8150.o scsi_mod.o sd_mod.o sg.o sr_mod.o therm.o usb-ohci.o
usb-storage.o usbcore.o usbnet.o vfat.o vnetusba.o

For Series2.0 only:

fpga.o
ideturbo.o (?)

Not in 5.1, may be for Series2.5 only:

tivo_pwmdrv.o (this might control the nightlight brightness)
ubuddy.o
bcm7315tty.o (definitely for Series2.5 only)

Separate by architecture:

brcmdrv-7315.o brcmdrv-rb.o
i2c_Gen04.o i2c_Series2.o
irblast.o irblast_Gen04.o ircatch-atmel.o
ircatch.o ircatch_Gen04.o
kfirm.o kfirm_Gen04.o
modemtty_Gen04.o modemtty_Series2.o
tvinput.o tvinput_Gen04.o tvinput_falcon.o

uucee
09-19-2004, 08:39 PM
this thread is about current hardware observations

An observation: streaking video (http://homepage.mac.com/uucee/tivo/TCD540040-5.3-01-2-540-Strk.mp4) (7.5M MP4) on a TCD540040 w/5.3 sw. Observed about two minutes after reboot, both on tuner and s-video sources, and subsequently intermittently either in Live TV or in recordings (various qualities.) Apparently there are some timing issues to be resolved on the new hw. :mad:

sadseries2
10-10-2004, 07:45 PM
Is it possible to hook another PC up to the modem phone port and intercept a bash call back to Tivo? I see there is a kickstart.expect script in tvbin or tvlib that initiates a call back to tivo and just leaves a bash session running on the line.

# Copyright (c) 2001, 2002 TiVo Inc.
# Expect script for phoning home in an emergency
...
overlay -0 $modem -1 $modem -2 $modem /bin/bash -i

1. Would this require special hardware or additional power for the modem line -- if I don't really want it connected to the phone service at the time? Or will I have to use a real phone line and trick it to calling my cell phone?
2. Is it possible to trigger this call with one of the secret remote combinations? Or is this just a developer or old script that will never run?

Anyhow, my hope would be to get this connection going, then start up some daemons or maybe monte into a new kernel on a series2.5.

--

Edit - never mind, I see that the last thing the script does is pass an auth token around that's been encrypted with the machine's public key, and then waits for the system on the other end to decrypt it and send it back. I assume this would be hard to fake.

ubermensch
10-17-2004, 02:46 PM
I am somewhat a newbie, so please excuse my ignorance. I have one of these TCD540040 Tivo's and I understand that to get the goodies on it you must hack the PROM. I'm a hardware guy and pretty comfortable soldering my Tivo, but I can't seem to find information on how to flash the tivo's PROM. Can someone please point me to this information? Thanks!

alldeadhomiez
10-17-2004, 03:51 PM
I am somewhat a newbie, so please excuse my ignorance. I have one of these TCD540040 Tivo's and I understand that to get the goodies on it you must hack the PROM. I'm a hardware guy and pretty comfortable soldering my Tivo, but I can't seem to find information on how to flash the tivo's PROM. Can someone please point me to this information? Thanks!

The cheap way: use a willem programmer (http://www.willem.org) or hot swap it on a compromised TiVo (see the flash39 thread).

The expensive way: drop a grand on a commercial programmer.

As for the mods to make, the TCF archives tell us:


Here's a PROM patch for S2 for those of you with access to a burner. The patch will allow you to boot any kernel, whether it's signed correctly or not.

Somewhere within your TiVoProm.bin image, you should see the following instruction word:

0x1043000c

You want to change that 0x43 to a 0x42. Just that one byte change is all you need...it changes a conditional branch to an unconditional one. This essentially discards the results of the signature checking routine.

The above 4-byte word will probably appear as 0x43100c00 in the image file itself (endian issues). I've only hand-verified the patch on 1.15 and 1.18 images (1.18 came out with version 3.2 of the software. 1.15 was posted on this board but it wasn't completely there). In 1.18, the file offset of the byte to change is 0x2b40.

---

As it turns out, before the boot code even verifies the kernel signature, it verifies itself. It computes the sha1 hash of its own in-memory image (after a certain offset) and compares the result to one stored in its own image (before that certain offset). So in addition to patching over the signature checking results as I showed 2 posts back, you have to patch over this too.

This second patch also consists of a single byte change. Somewhere in your 1.15 or 1.18 image you should find the following instruction word:
0x14830004
You want to change that 0x83 byte to 0x84. This word will probably appear as 0x83140400 in the .bin image file itself.

So socket it, dump it, change the integrity checks, and reflash.

alldeadhomiez
10-21-2004, 08:16 PM
1) Are the modifications that you quoted here exactly what you did to the unit that you successfully compromised at the start of this thread? (Basically, I'm trying to reassure myself that the same trick that worked for Series2 ROM works for Series2.5 ROM as well)

These are the changes I made:


958c = 14830004 -> 14840004 (disable prom sha-160)
a4c0 = 1043000a -> 1042000a (disable kernel check)
9f88 = 0c771ac1 00000000 0440ff95 -> 0c771a83 00000000 24020000 (skip memchk)
8974 = 10400011 -> 00000000 (enable debug msgs)

(yadda yadda, 1201(f) notice goes here, don't violate any copyrights)

Note that the debug message hack isn't necessarily a good idea on an SA, since it will be transmitting "junk" on the serial cable box control line.


2) Did the smaller board form factor make the socket and reset job noticeably more difficult than with earlier hardware revisions?

No.

RedFive
11-07-2004, 06:38 AM
...we will know more once the 5.3 kernel source is posted.

Please correct me if I'm wrong (as I'm new here), but it appears the 5.3 source has been posted here (http://www.tivo.com/linux/linux.asp). Has any progress been made on figuring out how to gain access to these newer TiVo units? I have the "night light" model and would love to hack on it with some further assistance from this forum.

Thanks.

alldeadhomiez
11-07-2004, 10:40 AM
Please correct me if I'm wrong (as I'm new here), but it appears the 5.3 source has been posted here (http://www.tivo.com/linux/linux.asp).

Correct, and as predicted, you now must choose whether you want to support Series2.0 OR Series2.5 in the kernel configuration.


Has any progress been made on figuring out how to gain access to these newer TiVo units? I have the "night light" model and would love to hack on it with some further assistance from this forum.

Socket the PROM. Instructions are in this thread. Or post a request in the For Sale forum.

Or, wait an indefinite amount of time for a software exploit that may or may not ever go public (or exist).

Edit 2005/01/07:

I will provide some background information for those of you who have not worked with a Series2.0 unit.

All Series2.0 and Series2.5 units employ a security mechanism to prevent unauthorized code from booting. The normal boot process looks something like:

1. PROM initializes the hardware
2. PROM code computes a SHA-160 over most of the PROM image, and compares it to the stored hash. If there is a mismatch, an error is displayed on the serial console
3. PROM reads the bootpage (sector 0) from the first IDE disk, checks the boot signature, and saves the active (boot) kernel partition number
4. PROM looks up the boot kernel's partition in the Mac partition table, reads the "px header," then loads the kernel image into memory
5. PROM conducts several sanity checks on the px header (accounting for boot failure reasons 53-59)
6. PROM computes a SHA-1 hash across the kernel and across the initrd stored in the kernel image
7. PROM compares the hash with the SHA-1 stored in the signature at the end of the kernel image. If it does not match, boot failure 60 is thrown and startup halts
8. PROM verifies that the hash is properly signed with the "Kernel Release Key." The public half of this release key is stored in the PROM. If the signature is bad, boot failure 60 is thrown and startup halts
9. PROM checks the new TCD1 section of the kernel image, a signed area that mirrors most of the px header's parameters. This prevents a killhdinitrd-style attack. If a mismatch is found, startup halts and an error code (61+) is displayed on the serial console
10. PROM passes control to the (now verified) kernel image
11. Linux kernel boots, mounts the initrd, and runs linuxrc from the initrd
12. linuxrc checks boot parameters for forbidden stuff (like BASH_ENV), then mounts the root filesystem to look for unauthorized files or files that don't match the SHA-1 stored in the initrd's signature database
13. After linuxrc is satisfied, the ext2 root filesystem is remounted and control passes to /sbin/init

In order to do anything interesting with the unit, we must find a way to make persistent changes to the root filesystem. So, what are the weaknesses in the chain of trust? The biggest weakness is the PROM: it is relatively easy to replace it with an IC containing a modified image that does not check the kernel signature. In this way, we can boot a non-approved kernel without an initrd, and make persistent changes to the root filesystem.

A naive approach (e.g. "just add bash to rc.sysinit," "just compute a new checksum," etc.) is highly unlikely to be successful. These units were designed to keep us out. As a general rule in computer security: "if your question begins with 'why can't we just...', the answer is NO!" If you don't understand why, ask in the Newbie forum.

It is entirely possible that there is a way to gain control of the unit later on in the boot process, due to the fact that the TiVo software handles such a large quantity of untrusted data (particularly data coming from the network). However, this hack is less than ideal: once you have a way to run your own code on the unit, you don't have a way to reflash the PROM. Ditto for hacks involving the EJTAG. You will have to use the same exploit every time you want to run your hacks; there is no obvious way to leverage it in a way that lets you affect the 13 steps I listed. All Series2.5 units use the SST37 PROM, which is not reflashable in this circuit.

For this reason, the current recommendation is to socket your PROM, or pay somebody else to do it.

References:

Software flashing SST39s (http://dealdatabase.com/forum/showthread.php?s=&threadid=25116) (requires replacement of the flash IC on all Series2.5 and most Series2.0 units)
Preliminary dissection of the Series2.0 PROM code (http://www.dealdatabase.com/forum/showthread.php?t=27474)
Tiros attempts to flash an SST37 in-circuit on a Series2.0 (http://www.dealdatabase.com/forum/showthread.php?t=26531)
Information on socketing the PROM yourself (http://www.dealdatabase.com/forum/showthread.php?t=23114)
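
The verification order in steps 5-9 of the post above, modelled on a constructed image. This is an added example, not part of the original post and not TiVo's code. The image layout, field names, toy RSA key (textbook RSA, no padding) and the use of 53 and 61 as representatives of the failure-code ranges the post mentions are assumptions.

```python
# Added illustration: toy model of boot-chain steps 5-9 on a constructed image.
import hashlib
import hmac
import struct

# Constructed toy RSA key from two Mersenne primes. Far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the signer only

MAGIC = b"TOY1"                       # hypothetical header magic
PARAMS = struct.Struct(">III")        # load_addr, kernel_len, initrd_len (hypothetical)
SIG_LEN, SHA_LEN = 32, 20
HDR_LEN = len(MAGIC) + PARAMS.size    # unsigned header, stands in for the px header
TCD1_LEN = PARAMS.size + SIG_LEN      # signed mirror of the header parameters
TRAILER_LEN = SHA_LEN + SIG_LEN       # stored SHA-1 plus its signature


def _sign(digest):
    """Signer only: raw RSA over the 160-bit digest."""
    return pow(int.from_bytes(digest, "big"), D, N).to_bytes(SIG_LEN, "big")


def _recover(sig):
    """Verifier: public-key operation, returns the digest the signer committed to."""
    value = pow(int.from_bytes(sig, "big"), E, N)
    return value.to_bytes(SIG_LEN, "big")[-SHA_LEN:]


def build_image(load_addr, kernel, initrd):
    """Signer side: header | TCD1 mirror | kernel | initrd | hash | signature."""
    params = PARAMS.pack(load_addr, len(kernel), len(initrd))
    tcd1 = params + _sign(hashlib.sha1(params).digest())
    payload = kernel + initrd
    digest = hashlib.sha1(payload).digest()
    return MAGIC + params + tcd1 + payload + digest + _sign(digest)


def verify_image(image, check_tcd1=True):
    """Verifier side. Returns 0 if the image may boot, otherwise a failure code."""
    if len(image) < HDR_LEN + TCD1_LEN + TRAILER_LEN:
        return 53
    header = image[:HDR_LEN]
    tcd1 = image[HDR_LEN:HDR_LEN + TCD1_LEN]
    payload = image[HDR_LEN + TCD1_LEN:-TRAILER_LEN]
    stored = image[-TRAILER_LEN:-SIG_LEN]
    sig = image[-SIG_LEN:]

    # Step 5: sanity checks on the (unsigned) header.
    _, klen, ilen = PARAMS.unpack(header[len(MAGIC):])
    if header[:len(MAGIC)] != MAGIC or klen + ilen != len(payload):
        return 53
    # Steps 6-7: hash kernel + initrd and compare with the stored hash.
    digest = hashlib.sha1(payload).digest()
    if not hmac.compare_digest(digest, stored):
        return 60
    # Step 8: the hash must be signed by the release key.
    if not hmac.compare_digest(_recover(sig), digest):
        return 60
    # Step 9: the signed mirror must verify and must match the header.
    if check_tcd1:
        mirror, mirror_sig = tcd1[:PARAMS.size], tcd1[PARAMS.size:]
        if not hmac.compare_digest(_recover(mirror_sig), hashlib.sha1(mirror).digest()):
            return 61
        if mirror != header[len(MAGIC):]:
            return 61
    return 0


def demo():
    """Run the verifier over an untouched image and four altered copies."""
    good = build_image(0x80001FE0, b"KERNEL" * 100, b"INITRD" * 50)  # constructed
    new_addr = struct.pack(">I", 0x80002000)

    bad_payload = bytearray(good)
    bad_payload[HDR_LEN + TCD1_LEN + 5] ^= 0x01      # one bit in the kernel

    bad_header = bytearray(good)
    bad_header[len(MAGIC):len(MAGIC) + 4] = new_addr  # header only

    bad_both = bytearray(bad_header)
    bad_both[HDR_LEN:HDR_LEN + 4] = new_addr          # mirror too, old signature

    return {
        "untouched": verify_image(good),
        "payload modified": verify_image(bytes(bad_payload)),
        "header modified": verify_image(bytes(bad_header)),
        "header and mirror modified": verify_image(bytes(bad_both)),
        "header modified, mirror check skipped": verify_image(bytes(bad_header), False),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:40s} -> {code}")
```

The last case shows what the signed mirror adds: the payload hash and its signature say nothing about header fields, so a verifier that stops after step 8 accepts the altered header. Every check here is only as trustworthy as the code performing it, which is why the post identifies the replaceable PROM as the weak link.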

alldeadhomiez
11-12-2004, 02:48 PM
I have attached two 2.4.20 kernels for the Series2.5:

boot/vmlinux.px - this was built with the script I posted above. I have been running this kernel with no problems for a few weeks now.

boot/vmlinux.px-nonetfilter - in the USB 2.4.27 thread, Jamie noted that on a Series2.0 machine, a network performance gain could be realized by disabling netfilter. I have not tried this yet on a Series2.5, but it is worth exploring due to the abysmally slow networking performance on these boxes.

lib/modules - modules built by my script. ehci-hcd.o is included, for the adventurous. Don't expect it to work.

Obviously, neither of these kernels includes or needs an initrd image.

alldeadhomiez
11-19-2004, 06:49 PM
DirecTV has posted the owner's manual (http://www.directv.com/DTVAPP/learn/Manuals.dsp) for the new RCA/DirecTV R10 DVR. I quickly looked through this document for any interesting tidbits on the new device; here are my observations:

The system information screenshot was taken from a -3F1 HDVR2 (?) running a 3.1.1c beta. The manufacturer and model were blacked out. This may have been done because a working R10 was not available at the time the manual was finalized.
Groups (folders) were mentioned as a feature of the R10, but again no R10 screenshot was provided.
Under the section on ordering and recording PPV showings, no mention was made of the new copy/retention control features that have been in the news. The manual states that PPV recordings will default to "keep until I delete."
It is very likely that the R10 will run 6.1 software, as it is probably easier to make a few DTiVo-specific changes to the 5.3/5.4 codebase than to backport all of the Series2.5 changes and security enhancements to 3.1.x.

Based on the header files from tivo.com, it appears that we now have three different Series2.5 boards:

Gen04 standalone: BORD 0x10xx - TiVo SA nightlight models, Humax SA models
"Elmo" P0: BORD 0x12xx - Humax/Toshiba models with DVD-R
"Bryce": BORD 0x21xx - DirecTV R10

alunj
11-29-2004, 07:35 AM
DRT-800 seems to be a fairly similar platform. 37 proms :(
Two off; I assume the one near the ESS is the dvd prom and the one by the battery is the TiVo prom.
There are pics, if anyone wants a look, at http://www.yllain.plus.com/TiVo/
In the big dir you will find full-size jpegs from the cam.
I'm guessing the connector labeled CN16 is an ejtag; can we do something with that? I assume we could do in-place flash with that interface and the right software.
There is also a jumper at J33 real close to the prom; I wonder what that is for. I'm just looking up the ST data sheets now.

alldeadhomiez
11-29-2004, 10:32 AM
I'm guessing the connector labeled CN16 is an ejtag, can we do something with that? I assume we could do in place flash with that interface and the right software.

Tiros claims that the system controller used with the VR5432 (Series2.0) CPU is not able to generate the correct memory timings to program an SST37, even if there is a way to provide Vpp to the IC. Although the multiplexed address/data bus is not used on the Series2.5, I expect that it will be a challenge to generate the proper write pulse width as we have no documentation on the BCM7317's internal peripherals/registers.

Best bet is to socket and reflash the PROM.

alunj
11-29-2004, 10:47 AM
Yeah, I found the 37/39 datasheet. Just ordered the willem programmer :)
I wonder if one other way to make it easier for the hordes would be to make like a piggyback plcc socket-socket adaptor and bring out the CE to a switch / logic on a board. That would only require a cut on one pin and a wire to that but like chipping a playstation.
Am I right the TiVo prom is the one by the batt on the DRT?

Alun

alldeadhomiez
11-29-2004, 10:53 AM
Am I right the Tivo prom is the one by the batt on the DRT ?

Yes.

alldeadhomiez
12-05-2004, 02:18 PM
Series2.5 Worklog (http://www.dealdatabase.com/forum/showthread.php?t=39792) - MudShark's documentation of his Series2.5 hacking experience

Some DirecTV inside info (http://www.dbsforums.com/vbulletin/showthread.php?threadid=40294) - this is a thread filled with rumors and speculation regarding the new DirecTV R10 and the 6.1 software which will presumably run on it. Based on the evidence I have seen, I consider some of the assertions to be highly dubious; for instance, claims were made that the R10 will use the same NEC CPU and non-DDR SDRAM used in the Uma4/Uma6. Also, bogus "DirecTV R10" screenshots clearly taken from an HDVR2 were posted. Fun reading, but take it with a grain of salt.

misterbryceguy
12-05-2004, 05:14 PM
These are pictures and screenshots of a DIRECTV R10 DVR I am borrowing. Here is what I found when I opened it:

CPU is BCM7317KPB9
Flash is SST37VF010 in PLCC32 package
Tuners, demodulator are the same as HDVR2
LNBP is combined into a dual LNBH221PDT
Crypto chip is same AT90SC6464C
No TIVO asic
No separate USB controller
RAM is one Micron MT46V32M16TG-75Z 32Mx16 (64MB)
AV1AWA RID chip
Modem is Si3018 and Si2434

Other:

New Reset button behind card slot door
Serial but no IR port
3-prong cord
TIVO Peanut remote
DIRECTV D1 access card
Reduced parts count on mainboard
Software is 6.1-01-2-521
System info does not say HDVR2

Update 12/6:

Program groups (folders) are supported
Guide is quick, each page renders in 1-2 seconds
Network adapters are detected and enabled, but only ports 2190 and 2191 are open. HMO features are not enabled.

If you can socket the prom for a reasonable price please PM me.

misterbryceguy
12-08-2004, 11:06 AM
Thanks to the ddb regulars who helped me out over the past few days, I have bash on the new R10. A few new observations:

6.1 respects the active disk configuration so Jamie's fix is needed to expand the drive. Edit 12/12, this was based on bad information. I have verified that only mfs tools is needed to expand the drive in 6.1.

/GuideIndexV2 has changed to /GuideIndexV3:


Directory of /GuideIndexV3 starting at ''

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Actor tyFile 49486 12/08/04 12:17 651396
ChannelTable tyFile 49484 12/08/04 12:17 4484
Correlation.index tyFile 49497 12/08/04 12:19 0
Correlation.key tyFile 49498 12/08/04 12:19 24
Director tyFile 49485 12/08/04 12:17 51957
Genre.index tyFile 49537 12/08/04 12:29 20324
Genre.key tyFile 49538 12/08/04 12:29 44
GenreTable tyFile 49483 12/08/04 12:17 7208
Keyword tyFile 49491 12/08/04 12:19 2008084
Program.index tyFile 49534 12/08/04 12:29 1267328
Program.key tyFile 49536 12/08/04 12:29 2504
ProgramToSeries.index tyFile 49495 12/08/04 12:19 422112
ProgramToSeries.key tyFile 49496 12/08/04 12:19 440
Showing.index tyFile 49531 12/08/04 12:29 1145592
Showing.key tyFile 49532 12/08/04 12:29 408
Title tyFile 49492 12/08/04 12:19 304892
TitleKeyword tyFile 49487 12/08/04 12:17 669013
Tms.index tyFile 49493 12/08/04 12:19 487344
Tms.key tyFile 49494 12/08/04 12:19 1928

CPU and memory info:


system type : TiVo UMA2C board
processor : 0
cpu model : unknown V0.6
BogoMIPS : 242.48
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : no
spurious interrupts : 129
cycle counter frequency : 121644531

total: used: free: shared: buffers: cached:
Mem: 44998656 40595456 4403200 0 1523712 27443200
Swap: 67104768 7626752 59478016
MemTotal: 43944 kB
MemFree: 4300 kB
MemShared: 0 kB
Buffers: 1488 kB
Cached: 25320 kB
SwapCached: 1480 kB
Active: 19612 kB
Inactive: 11336 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 43944 kB
LowFree: 4300 kB
SwapTotal: 65532 kB
SwapFree: 58084 kB

netstat:


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2190 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2191 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:2190 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*

The kernel is 2.4.20 so it supports lba48.

The 30 second skip works. You can use the code or you can use the patch.

I have not seen the video on demand features yet.

TWP 1.0 final and 1.1 beta don't work right.

Overall the R10 is very responsive but the startup time is terrible. I would put it on a ups so it does not have to reboot much.

ronnythunder
12-08-2004, 01:15 PM
so the startup time is lengthy even after the prom hack and disabling initrd?

ronny

alldeadhomiez
12-12-2004, 12:48 AM
Introduction

Today we will talk about RAM on the Series2.5 SA units.

Please be aware that SMD rework on your TiVo mainboard could render it unusable, and will absolutely void your warranty. If you are new to TSOP rework, it would be a good idea to practice on something else first (or, even better, hire a professional).

Understanding and Upgrading RAM on your Series2.5

The Series2.5 standalone models have only 32MB of main memory. By "main memory," I am referring to the DDR SDRAM IC that is connected directly (through resistor packs) to the BCM7317 CPU. On the Series2.5 DVD units, such as the Humax DRT800, the ESS DVD processor also has 32MB of DDR SDRAM, and the 1394 controller appears to also have dedicated RAM. Also, the Kfir-II MPEG encoder on all Series2.0/2.5 SA units has dedicated RAM. However, none of this "extra" memory is of any interest to us, because Linux applications running on the box cannot directly occupy it. Thus, the only IC relevant to this discussion is the main memory connected to the BCM7317.

Out of the 32MB of main memory accessible to the MIPS CPU on a Series2.5 unit, somewhere between ~8.5MB-14MB is taken up by various buffers used by the OSD controller, MPEG decoder, kernel, etc. On the DRT800, the reserved memory is a whopping 14MB, leaving ~18MB free for the TiVo software, daemons, and hacks. After loading the bloated 5.4 software and its prerequisites, there isn't much room left for hacks. In my configuration, TWP used at least 3MB of its own, which is almost 20% of the main memory available to Linux applications. With just a few hacks loaded, I experienced constant thrashing; in fact, the system could not even boot without swap enabled. This had a negative impact on UI response times, drive noise, and my overall satisfaction with the unit.

Upon opening the unit, I found that it used a Samsung K4H561638F-TCB3 IC for the main system memory. This IC is a 16Mbit x 16 DDR333 CL2.5 array in a TSOP-66 package. misterbryceguy notes that his DirecTV R10, also based on the BCM7317, uses for its main memory a Micron MT46V32M16TG-75Z, a 32Mbit x 16 DDR266 CL2 array. We see from the BCM7317 specification that the memory interface is 16 bits wide and runs at 133Mhz DDR. Judging from the fact that address lines unused in a 32MB configuration are still connected to the CPU on the SA2.5 units, I theorized that a larger IC could be substituted to improve the performance of a hacked SA2.5 box.

I was in fact able to locate two suitable ICs, which I successfully used to upgrade my DRT800 and TCD540040:

Micron MT46V32M16TG-75E, pulled from scrap equipment (DDR266 CL2)
Kingston D3216DE4T-6U, pulled from a KVR333SO/512R SODIMM (DDR333 CL2.5)

Once upgraded, the unit should function normally. In fact, it will function "too" normally: it will not recognize the extra 32MB. In order to use the entire 64MB, you need to patch the kernel. Fortunately, I have attached a new kernel to this post. This kernel supports a new command line option: "mems=". The "mems" option takes a decimal value specified in megabytes, and overrides the default memory size for your BORD type. On my setup, I appended "mems=64" to the kernel command line in the bootpage. After making this change and booting the modified kernel, /proc/meminfo will now show about 50MB instead of the usual 18MB for MemTotal.

After installing the new RAM the thrashing has ceased completely, swap usage is minimal, and the system is a lot more pleasant to use.

(continued...)

alldeadhomiez
12-12-2004, 12:50 AM
(...continued)

Attachment Notes

kernel/series25-2.4.20.patch is the same patch I posted earlier, except netfilter (not CONFIG_FILTER) has been turned off to improve network performance. The kernel I included should work properly with the stock af_packet.o, and therefore DHCP will work.

kernel/mems-2.4.20.patch is the patch that adds the "mems" option for Series2.5 boards.

Unresolved Questions

Can these systems take DDR266/CL2.5 memory, or is it necessary to install DDR266/CL2 or better?

What other 32Mbit x 16 ICs can be used? (512MB+ SODIMMs are a good source, but you must be careful to make sure you are getting modules with eight TSOP-66 ICs. Many variants exist.) Results from testing MT46V32M16TG-6 ICs from a Crucial SODIMM are thus far inconclusive.

Can these systems handle 64Mbit x 16 (128MB) ICs? If so, is there a performance advantage or a good use for the extra RAM? Can we reconfigure the MFS application buffers to use this memory to cache a larger portion of the database?

References

Micron MT46V32M16 datasheet (http://www.knt.vein.hu/Tantargyak/DigitalisSzigorlat/konyv/512MBDDRx4x8x16.pdf)

Samsung K4H561638F-TCB3 datasheet (in attachment)

JEDEC DDR specification (in attachment)

Kernel patch (in attachment)

Sleeper's SMD removal instructions (http://www.dealdatabase.com/forum/showthread.php?p=152913#post152913)

9th tee SMD installation instructions (http://www.9thtee.com/tivomemory.htm)

Output

/proc/meminfo after the upgrade:

total: used: free: shared: buffers: cached:
Mem: 51863552 50405376 1458176 0 843776 36192256
Swap: 268427264 9105408 259321856
MemTotal: 50648 kB
MemFree: 1424 kB
MemShared: 0 kB
Buffers: 824 kB
Cached: 33956 kB
SwapCached: 1388 kB
Active: 16324 kB
Inactive: 23156 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 50648 kB
LowFree: 1424 kB
SwapTotal: 262136 kB
SwapFree: 253244 kB

alldeadhomiez
12-12-2004, 03:02 PM
I constantly see these myths propagated (especially at TCF and other non-technical sites), so I will attempt to put them to rest now:

Myth: The DirecTV R10 has more RAM than the Uma4 or Uma6 boards.
Fact: Both units have 64MB of RAM. For details, reread this thread.

Myth: The DirecTV R10 6.1 kernel might boot on a Series2.0 DTiVo.
Fact: Kernels for Series2.5 units, as well as some of their modules, are compiled only for the Series2.5. Specifically, the chipset initialization code is different, there is no PCI support (as the BCM7317 has no PCI bus), the IDE driver is completely different (as the Series2.5 does not use a TiVo ASIC for this), and the USB driver is completely different (using a hackish emulation layer to fake out the PCI function calls). For more information, download the 5.3 kernel source from TiVo and look in arch/mips/tivo . Also, look for any references to CONFIG_TIVO_UMA2C. In my experience, the signature check on a Series2.5 kernel will pass on a Series2.0 box, but the system will lock up almost immediately after control is passed to the kernel, because the Series2.5 kernel is looking for peripherals that just don't exist on the Series2.0.

It is unclear at this point whether the userland Series2.5 6.1 software will run on a Series2.0 with a different kernel and different (say, 5.x) modules, but I wouldn't get my hopes up.

Myth: The DirecTV R10 is mostly a cosmetic change from the Uma6-based models. Variations: "they only released it so they can change the brand name," "it's the same stuff with a rearranged board," and other such nonsense.
Fact: Almost every major component on the mainboard has been changed in the Series2.0->Series2.5 transition. This was probably done to capitalize on improvements in technology to cut costs and reduce component count. Information on the new components can be found in this thread.

Myth: A naive approach (trying the Sleeper ISO, running killhdinitrd, "just editing rc.sysinit," etc.) is likely to allow you to bypass the Series2.5 security mechanism.
Fact: You will either need to develop a new software exploit, socket the PROM, or enjoy your stock TiVo. This thread documents the procedure for the second option. BASH_ENV is out of the question because that hole was closed way back in 3.1.0. killhdinitrd is out of the question because that hole was closed prior to the release of 5.3 (Spring 2004).

Myth: Series2.0 software releases will run on a Series2.5 because they're both MIPS.
Fact: Series2.0 software releases lack many critical kernel modules needed to support the Series2.5 peripheral devices. Getting, say, the 4.0 software to run on a Series2.5 is likely to involve a substantial amount of effort.

Myth: TCF is a good place to get accurate technical information about how TiVos work.
Fact: Although I respect David Bott's right to bar DDB links from his site, the fact that TCF users are unable to reference threads such as this one prevents them from pointing people to accurate, reliable sources of information from the people who are actually taking the time to document how the system works. The end result of this policy is that the accuracy and timeliness of information available on TCF has been dealt a serious blow. For this reason, I recommend that readers directly consult the technical threads at DDB, AO, etc. instead of relying on the secondhand, occasionally correct information found at TCF.

AlphaWolf
12-12-2004, 06:58 PM
Guide is quick, each page renders in 1-2 seconds

I was hoping they would do a bit better than that. Even first generation directv receivers can render a page from the guide in less than a second. I am curious if this speed will be any different (be it faster or slower) on the regular S2 units.

alldeadhomiez
12-12-2004, 08:04 PM
Myth: The DirecTV R10 has more RAM than the Uma4 or Uma6 boards.
Fact: Both units have 64MB of RAM. For details, reread this thread.

To elaborate on the RAM and CPU questions, let's take a look at the evidence we have:

On the topic of CPU speed, I have not measured the clock speed of any of these units. However, what we do know is that Series2.0 SA (excluding the old 60-hour boards) and the Series2.0 DTiVos (including the HR10-250) show ~162 BogoMIPS. We know that the NEC CPU is rated for 166Mhz, and the memory interface is rated at 83Mhz. We know that the system needs a 27Mhz reference clock for MPEG2 purposes, so we can reasonably theorize that the CPU is running at 6 x 27Mhz = 162Mhz, and the memory bus is running at half that. Likewise, the Series2.5 shows ~242 BogoMIPS, which is about 9 x 27Mhz = 242Mhz. This is consistent with the information in the BCM7317 datasheet, mentioned earlier in this thread. I would guess that the external memory interface is running at 121Mhz, with two data transfers per clock (i.e. DDR). I assume that a MIPS core is likely to approach 1 CPI in a tight loop with no stalls, e.g. the BogoMIPS measurement loop.

As mentioned earlier in this thread, the BCM7317 clearly runs at a faster clock speed and has a better external memory interface, but it lacks an FPU and has pitifully small caches. Because of this, some things will run more quickly and other things will not.

In terms of RAM, the Series2.0 boards have four SDRAM ICs. My Uma4 HDVR2 has four Hynix HY57V281620 8M x 16 (16MB) ICs, for a grand total of 64MB. It has been reported that the HR10-250 has four Samsung K4S561632E-TC60 16M x 16 (32MB) ICs, for a total of 128MB. And my TCD240040 has four Hynix HY57V641620HG 4M x 16 (8MB) ICs, for a total of 32MB.

I posted the known Series2.5 memory configurations last night. In a nutshell: SA2.0 and SA2.5 units all have 32MB, and DTiVo Series2.0 and Series2.5 units (except for the HR10-250) all have 64MB. The DirecTV R10 does not have more memory than its Series2.0 predecessors. Any speed improvements seen on the R10 stem from algorithmic optimizations, a higher clock rate, and/or a faster external memory interface. This makes it difficult to forecast the performance of a Uma4/Uma6 running the 6.1 software.

It is also worth noting that the amount of reserved memory on a DTiVo is quite large, which may help to explain why they have historically shipped with double the RAM of an equivalent SA. The Uma4, Uma6, and Bryce configurations reserve 19MB, so ~45MB is left for the kernel and for user applications. On the Elmo (Humax DVD) platform, 12.5MB is reserved, and on the Uma7/Uma2c (TCD540040), 7.2MB is reserved.

ronnythunder
12-12-2004, 08:21 PM
here's the meminfo from a stock hr10-250:
bash-2.02# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 93495296 69791744 23703552 0 15728640 35196928
Swap: 134209536 765952 133443584
MemTotal: 91304 kB
MemFree: 23148 kB
MemShared: 0 kB
Buffers: 15360 kB
Cached: 33724 kB
SwapCached: 648 kB
Active: 41160 kB
Inactive: 13652 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 91304 kB
LowFree: 23148 kB
SwapTotal: 131064 kB
SwapFree: 130316 kB
ronny
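
The reserved-memory figures discussed above can be checked against the /proc/meminfo dumps posted in this thread. The following is an added example, not code from any poster: it parses the Linux 2.4 meminfo layout and reports how much of the installed RAM never reaches MemTotal. The installed sizes (64, 64 and 128 MB) are the figures stated in the thread, and the function and dictionary names are made up for illustration.

```python
# /proc/meminfo excerpts copied from posts in this thread (Linux 2.4 layout),
# each paired with the installed RAM size in MB that the thread states.
DUMPS = {
    "R10 stock": (64, """\
        total:    used:    free:  shared: buffers:  cached:
Mem:  44998656 40595456  4403200        0  1523712 27443200
Swap: 67104768  7626752 59478016
MemTotal:        43944 kB
MemFree:          4300 kB
SwapTotal:       65532 kB
SwapFree:        58084 kB
"""),
    "upgraded 64MB unit": (64, """\
        total:    used:    free:  shared: buffers:  cached:
Mem:  51863552 50405376  1458176        0   843776 36192256
Swap: 268427264  9105408 259321856
MemTotal:        50648 kB
MemFree:          1424 kB
SwapTotal:      262136 kB
SwapFree:       253244 kB
"""),
    "HR10-250 stock": (128, """\
        total:    used:    free:  shared: buffers:  cached:
Mem:  93495296 69791744 23703552        0 15728640 35196928
Swap: 134209536   765952 133443584
MemTotal:        91304 kB
MemFree:         23148 kB
SwapTotal:      131064 kB
SwapFree:       130316 kB
"""),
}


def parse_meminfo(text):
    """Split a 2.4-style meminfo dump into its byte table and its kB lines."""
    byte_rows, kb, columns = {}, {}, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "total:":
            # Header of the byte table: total, used, free, shared, ...
            columns = [f.rstrip(":") for f in fields]
        elif fields[0] in ("Mem:", "Swap:"):
            # Swap has fewer columns than Mem; zip() stops at the shorter list.
            values = [int(v) for v in fields[1:]]
            byte_rows[fields[0].rstrip(":")] = dict(zip(columns, values))
        elif len(fields) == 3 and fields[2] == "kB":
            kb[fields[0].rstrip(":")] = int(fields[1])
    return byte_rows, kb


def memory_budget(installed_mb, text):
    """Compare what Linux can allocate with what is soldered to the board."""
    byte_rows, kb = parse_meminfo(text)
    total_kb = kb["MemTotal"]
    # Both sections report the same counter; a mismatch means a damaged dump.
    if byte_rows["Mem"]["total"] != total_kb * 1024:
        raise ValueError("Mem: total and MemTotal disagree")
    return {
        "visible_kb": total_kb,
        # Everything the page allocator never sees: the reserved hardware
        # buffers the thread describes plus the kernel's own image.
        "hidden_kb": installed_mb * 1024 - total_kb,
        "swap_used_kb": kb["SwapTotal"] - kb["SwapFree"],
    }


if __name__ == "__main__":
    for name, (installed_mb, text) in DUMPS.items():
        b = memory_budget(installed_mb, text)
        print(f"{name:20} visible {b['visible_kb'] / 1024:6.1f} MB  "
              f"hidden {b['hidden_kb'] / 1024:5.1f} MB  "
              f"swap used {b['swap_used_kb'] / 1024:4.1f} MB")
```
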

compwiz312
12-22-2004, 11:21 PM
ADH, running your nonetfilter kernel seems to work fine except for one bug/issue I noticed. If you try and run DHCP (which requires af_packet.o), upon insmoding it, it says it has unresolved symbols to sk_run_filter. Upon doing a little research, I found this to be enabled by netfilter, so if you could possibly correct it in the source, it would be much appreciated.

Justin

alldeadhomiez
12-23-2004, 12:03 AM
ADH, running your nonetfilter kernel seems to work fine except for one bug/issue I noticed. If you try and run DHCP (which requires af_packet.o), upon insmoding it, it says it has unresolved symbols to sk_run_filter. Upon doing a little research, I found this to be enabled by netfilter, so if you could possibly correct it in the source, it would be much appreciated.

That's an issue with CONFIG_FILTER. Here is the kernel I am using now, which has CONFIG_FILTER enabled, but CONFIG_NETFILTER disabled (still). I don't think CONFIG_FILTER should hurt performance, as it does not seem to apply to TCP according to the description. It also includes the recent mems= patch and other patches from this thread.

This kernel is based on the new 5.4.1 sources (thanks alunj), in which a few things have changed from 5.3:

VM changes: added new "priority" memory type
new support for the BCM7317 TLB
new SCSI drivers to support the DVD drive and the bridge ASIC (modules - not included here)
new performance monitoring stuff (perfmon and ktop), probably used in remote debugging
reduction in the reserved memory region on Elmo (DVD boards)

As it turns out, the DRT-800 performance is quite a bit better with this kernel than it was with the older 5.3-based kernel I used, but the 64MB upgrade still makes the UI more responsive.

compwiz312
12-23-2004, 12:09 AM
Before I go and install this, possibly hosing my TiVo, would the modules from your previous build or from TiVo default work with this kernel?

BTW, thanks for your continued help and support and Happy Holidays...

alldeadhomiez
12-23-2004, 12:27 AM
Before I go and install this, possibly hosing my TiVo, would the modules from your previous build or from TiVo default work with this kernel?

Works for me, but no guarantees. Most things that we are likely to change will not break the kernel module ABI.

Back up your old kernel first (or understand how to get it from the GZkernel SwModule).

justmike
12-27-2004, 07:33 PM
Not to butt in but what the heck .... I have a new Humax DRT-800 and have yet to crack the case (wanted some of the warranty to run out first) but if the pictures are correct that were posted earlier in the thread then the DVD is a Dual Layer drive?

(http://www.pioneerelectronics.com/pna/article/0,,2076_4249_138551420,00.html)

Mike :cool:

Edit - Removed some dumb stuff

compwiz312
12-28-2004, 02:09 AM
ADH, I'm just wondering if you or anyone else is willing to port the NoCSO patch to these new 2.5 units (specifically the TCD54xxx and the Humax DVD units). It would be a great help to me as I could have my new unit completely hacked and extraction ready. I'd even be willing to throw in a little incentive, if you wanted; let's say $50?

TIA,
Justin

alldeadhomiez
01-07-2005, 05:41 PM
This simple program demonstrates how to use the pwm device (major 98) to set the LED nightlight brightness on the TCD5400xx. Usage:


./dim 50 # sets nightlight to 50% brightness
./dim pulse # pulses nightlight between 35% and 85%
./dim flash # flashes nightlight between 0% and 100%

(Side note: ioctl 0x20005001 appears to read back the brightness, but the units are different. Oddly, the same value is returned for 99% and 49%, 98% and 48%, etc.)

DarkHelmet
01-13-2005, 03:12 PM
What I'd like to know more about is what they are doing for scrambling the recordings.

In the S1 and S2.0 dtivos, it was done by the mediaswitch asic (or mediaswitch functionality on a fpga). Now, with the "tivo asic" gone and the ide interface moved to the mips core package, where is the scrambling done? Software? crypto silicon?

alldeadhomiez
01-13-2005, 03:40 PM
What I'd like to know more about is what they are doing for scrambling the recordings.

In the S1 and S2.0 dtivos, it was done by the mediaswitch asic (or mediaswitch functionality on a fpga). Now, with the "tivo asic" gone and the ide interface moved to the mips core package, where is the scrambling done? Software? crypto silicon?

linux-2.4/arch/mips/tivo/bcm2-ide.c

IIRC, the 7317 product brief claims that it does hardware DES.

justmike
01-15-2005, 08:26 PM
IIRC, the 7317 product brief claims that it does hardware DES.

Can be found here http://www.broadcom.com/collateral/pb/7317-PB02-R.pdf

And of course you are correct :cool:

Mike

dledeaux
01-25-2005, 09:22 PM
Has anyone had any luck playing with the new 7.1 software? I just got done socketing & hacking my prom and then realized that I might have problems with one of the kernels posted on here.

Update 1-27-2005
Well, in the spirit of hacking I went ahead and gave it a go. I didn't have much to go on other than my previous series 2 hacking experience. How similar is hacking a 2.5 to a 2? I have successfully hacked a series 2 with a modded kernel and dd'd it to partition 3 and 6, but I wasn't sure if I needed to do that with a 2.5. The first thing I did was dd the old kernel off of partition 3. I went ahead and dd'd partition 6 off to a file, but it didn't seem to contain anything useful when I looked at the first line of the output file, so I pretty much ignored partition 6 when it came to putting a modded kernel on there. Should I dd the kernel there too like I did with a series 2?

I also created a new rc.sysinit and rc.sysinit.orig, but when I booted the system removed them. I'm still getting this:

Running as /linuxrc - autoscan!
Loading signatures file
9748 valid entries loaded

What does this indicate? That I'm not running the right kernel? Or that my prom mod didn't go right?

After cleaning up my modded files, the system rebooted itself and then failed with the following lines (slightly abridged) in the console:

ehci_hcd EHCI-Direct: illegal capability!
Illegal read at 0000009c
do_page_fault #2: sending signal 11 to myworld(219)
$0 : 00000000 90008401 005744b8 10048038 0000009c 7efff400 00000000 00ffffff
$8 : 00000001 ffffffff 00000002 00000001 00000000 000000db 00000000 00000000
$16: 0000009c 7efff400 0000009c 7efff3f8 7efff3e0 100efc58 100efc54 100efc50
$24: 00000000 2ac98628 2ad59c90 7efff308 000000c6 00585fc8
Hi : 00000000
Lo : 00000021
epc : 2ac9864c Not tainted
Status: 80008413
Cause : 00800008
800b6380 800b639c 800ba634 800ba7f4 800bc900 2ac9864c
2ac9864c 00585fc8 005744f4 00589cdc 00562594 0056cb70 005c4928 005c1bac
0059d9b4 0123a314 2ac9d514 00541508 0168e4c0 2ac9d514 004e46c0 0170bc20
2ac9d514 2aca2da8 2ace6c34 2ac9d514 2aca2504 2ac9ceb0 2ac9b9c4 2ac9f204
2accc9a8 2acb8298 2acd0d60 2acbc5fc
Tmk Fatal Error: Activity TvVideoGutsActivity <219> strayed!
pc 0x2ac9864c status 0x80008413 cause 0x800008 bva 0x000001 hi 00000000 lo 0x000021
R00 0x00000000 R01 0x90008401 R02 0x005744b8 R03 0x10048038
R04 0x0000009c R05 0x7efff400 R06 0x00000000 R07 0x00ffffff
R08 0x00000001 R09 0xffffffff R10 0x00000002 R11 0x00000001
R12 0x00000000 R13 0x000000db R14 0x00000000 R15 0x00000000
R16 0x0000009c R17 0x7efff400 R18 0x0000009c R19 0x7efff3f8
R20 0x7efff3e0 R21 0x100efc58 R22 0x100efc54 R23 0x100efc50
R24 0x00000000 R25 0x2ac98628 R26 0x00000001 R27 0x00000000
R28 0x2ad59c90 R29 0x7efff308 R30 0x000000c6 R31 0x00585fc8

Paste the following into a shell to get a backtrace...
bt -t /tvbin/tivoapp <<END_OF_BT
tcd 1
hpk Gen04
read 0x2aaa8000 /lib/ld.so.1
read 0x2ab04000 /lib/libhpkoss.so
read 0x2ab50000 /lib/libtvstructures.so
read 0x2abac000 /platform/lib/libhpkhl.so
read 0x2ac74000 /lib/libtmk.so
read 0x2ad58000 /lib/libtvutil.so
read 0x2adc0000 /platform/lib/libhpkll.so
read 0x2ae04000 /lib/libutil.so.1
read 0x2ae48000 /lib/libdl.so.2
read 0x2ae8c000 /lib/libpthread.so.0
read 0x2aee8000 /lib/libm.so.6
read 0x2afb0000 /lib/libc.so.6
0x2ac9864c 0x00585fc8 0x005744f4 0x00589cdc 0x00562594 0x0056cb70 0x005c4928
0x005c1bac 0x0059d9b4 0x0123a314 0x2ac9d514 0x00541508 0x0168e4c0 0x2ac9d514
0x004e46c0 0x0170bc20 0x2ac9d514 0x2aca2da8 0x2ace6c34 0x2ac9d514 0x2aca2504
0x2ac9ceb0 0x2ac9b9c4 0x2ac9f204 0x2accc9a8 0x2acb8298 0x2acd0d60 0x2acbc5fc
END_OF_BT

Tmk Fatal Error: Activity TvVideoGutsActivity <219>: unexpected signal 11

Then it reboots.

Update 1-29-2005
I took one of my old images from my original 40 gig drive and dumped it on a new drive, tpip'd a new kernel to it and then let the TiVo service update the software to 7.1 so it works fine at least letting it upgrade. Right now I'm copying my production drive to another one and will try tpiping a replacement kernel to a system with 7.1 already on it.

BTW, it seems that DHCP is not working with the new kernel. I had to configure an IP manually. Boot up time seems to be improved though.

Update 1-30-2005
Upon further investigation it seems that when a 5.3 system upgrades to 7.1 it also overwrites the kernel. I have not been successful in getting 7.1 to take the no_netfilter kernel posted here, either before or after a 7.1 upgrade. I'm contemplating starting a new drive with 5.3 and not worrying about 7.1. I can't see any reason for 7.1 other than tivo2go which is a joke anyway.
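
The "Paste the following into a shell to get a backtrace" block in the 1-27-2005 update above is enough to triage the crash offline: each `read` line names a library with an address, and the hex list is the call chain starting at the faulting pc. The following is an added example, not code from the thread and not TiVo's bt tool; it assumes the `read` addresses are load bases and that any address below the lowest base belongs to the binary named after `bt -t`, and its function names are hypothetical.

```python
import bisect
import re
from collections import Counter

# Backtrace block copied from the console output quoted in the post above.
BT_BLOCK = """\
bt -t /tvbin/tivoapp <<END_OF_BT
tcd 1
hpk Gen04
read 0x2aaa8000 /lib/ld.so.1
read 0x2ab04000 /lib/libhpkoss.so
read 0x2ab50000 /lib/libtvstructures.so
read 0x2abac000 /platform/lib/libhpkhl.so
read 0x2ac74000 /lib/libtmk.so
read 0x2ad58000 /lib/libtvutil.so
read 0x2adc0000 /platform/lib/libhpkll.so
read 0x2ae04000 /lib/libutil.so.1
read 0x2ae48000 /lib/libdl.so.2
read 0x2ae8c000 /lib/libpthread.so.0
read 0x2aee8000 /lib/libm.so.6
read 0x2afb0000 /lib/libc.so.6
0x2ac9864c 0x00585fc8 0x005744f4 0x00589cdc 0x00562594 0x0056cb70 0x005c4928
0x005c1bac 0x0059d9b4 0x0123a314 0x2ac9d514 0x00541508 0x0168e4c0 0x2ac9d514
0x004e46c0 0x0170bc20 0x2ac9d514 0x2aca2da8 0x2ace6c34 0x2ac9d514 0x2aca2504
0x2ac9ceb0 0x2ac9b9c4 0x2ac9f204 0x2accc9a8 0x2acb8298 0x2acd0d60 0x2acbc5fc
END_OF_BT
"""

HEX = re.compile(r"0x[0-9a-fA-F]+")


def parse_bt_block(text):
    """Return (main_binary, sorted [(base, path)], [frame addresses])."""
    main_binary, modules, frames = None, [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "bt" and "-t" in fields:
            main_binary = fields[fields.index("-t") + 1]
        elif fields[0] == "read" and len(fields) == 3:
            modules.append((int(fields[1], 16), fields[2]))
        elif all(HEX.fullmatch(f) for f in fields):
            frames.extend(int(f, 16) for f in fields)
        # Other lines (tcd, hpk, END_OF_BT) carry no addresses and are skipped.
    modules.sort()
    return main_binary, modules, frames


def resolve(addr, main_binary, modules):
    """Attribute addr to the module with the nearest base at or below it.

    Only bases are known, not sizes, so this is a best-effort attribution.
    Addresses below every library base are assumed to be in the main binary
    and are reported as absolute addresses.
    """
    bases = [base for base, _ in modules]
    i = bisect.bisect_right(bases, addr) - 1
    if i < 0:
        return main_binary, addr
    base, path = modules[i]
    return path, addr - base


def triage(text):
    """Return [(address, module, offset)] for every frame, innermost first."""
    main_binary, modules, frames = parse_bt_block(text)
    return [(a, *resolve(a, main_binary, modules)) for a in frames]


def per_module(frames):
    """Count how many frames fall in each module."""
    return dict(Counter(module for _, module, _ in frames))


if __name__ == "__main__":
    for addr, module, offset in triage(BT_BLOCK):
        print(f"0x{addr:08x}  {module} + 0x{offset:x}")
    print(per_module(triage(BT_BLOCK)))
```

The first frame equals the `epc` value in the register dump, so the faulting instruction is attributed to /lib/libtmk.so, with the caller (the `$31` value, second frame) inside /tvbin/tivoapp.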

santa8claws
06-15-2005, 08:10 AM
(...continued)

Can these systems take DDR266/CL2.5 memory, or is it necessary to install DDR266/CL2 or better?

What other 32Mbit x 16 ICs can be used? (512MB+ SODIMMs are a good source, but you must be careful to make sure you are getting modules with eight TSOP-66 ICs. Many variants exist.) Results from testing MT46V32M16TG-6 ICs from a Crucial SODIMM are thus far inconclusive.

Can these systems handle 64Mbit x 16 (128MB) ICs? If so, is there a performance advantage or a good use for the extra RAM? Can we reconfigure the MFS application buffers to use this memory to cache a larger portion of the database?



Repeating some of the testing you did with the Micron MT46V32M16TG-6, I was not able to reliably boot my Tivo (Toshiba RS-TX20). Sometimes it gave read/write memory errors in POST, intermittent kernel panics, and other memory issues. I would guess that the reason is due to the clock running at 133Mhz and needs a faster memory with CL=2, but I'd need to put a scope to the pins in order to verify this. Unfortunately, when I replaced with the original Samsung part, the system still crashes and periodically fails to boot. I'm going to try the larger Micron part next...
-S8C

Edit: 6/16/05
I did some additional solder touchup on the nearby resistor packs, which may have been affected by the hot air rework, and it seems to have cured the random crashes. But now I'm back to square one with the same 32mb.

Edit: 9/22/05
Since my last update, I had tried the 128MB Micron part (MT46V64M16TG-75) without much success--causing read/write memory failures, stuck on power-on blank screen, bootup hangs, etc.

Recently I tried a new DDR333 64MB part which is the -6T speed grade (not the same as the stock -6) and it is working great now! I had a little trouble once in a while when the Tivo first was powered on and it got stuck on a black screen, but after resetting a few times it now starts up fine.

My conclusion is that these boards are running at CL=2 with 133Mhz bus and have very tight timing with little design margin and component tolerances for the terminating resistors. This makes them susceptible to hot/cold temperature changes and variations in the DDR333 asics.
-- S8C

hiddencoyote
06-16-2005, 10:31 AM
I bought a TCD540040. I read a lot in different forums and sites and now I am very confused.
I found this guide on the internet:
http://www.newreleasesvideo.com/hinsdale-how-to/
I posted there and they said that to hack this unit it is not necessary to patch the PROM, just to follow the guidelines.
I am still seeing new posts in the PROM socketing thread so I guess that it is necessary for something.
It is possible that the guideline is just for increasing the size/hours of the tivo and nothing else (no tivo web, ftp, etc.) and I should patch the PROM if I need something else, or that guideline will never work on my model.
Thanks for your time and sorry for my N00b question.

JJBliss
06-16-2005, 10:34 AM
It is possible that the guideline is just for increasing the size/hours of the tivo and nothing else (no tivo web, ftp, etc.) and I should patch the PROM if I need something else
Indeed that's the case. You could have figured that out more definitively, by yourself, merely reading the guide that you referenced.

hiddencoyote
11-04-2005, 07:32 PM
I have a TCD 540040 2.5 series.
I replaced and patched the Prom with the soldering skills of a friend :) , the tivo booted without problems.
After that I prepared an 80 gb drive using the instantcake cd for this model
and after a couple of cycles of:
reading:confused: ,
trying,
error:mad: ,
learning
(Which included putting on a 4.1 patch with killinitrd kernel that only gave a white screen and boot error 62.)

I finally :p got the bash prompt using the replace initrd method in my 5.3-01-2-540 tivo kernel and then using the ADH script that I am copying below.

================================
bash-2.02# command -p cat rc.sysinit
#!/bin/bash
export PATH=/bin:/tvbin:/sbin:/var/hack
export MFS_DEVICE=/dev/hda10
export TIVO_ROOT=
insmod /lib/modules/bcm7315tty.o
stty 115200 sane < /dev/ttyS1
bash < /dev/ttyS1 >& /dev/ttyS1
exec /etc/rc.d/rc.sysinit.orig
================================

But I am having a lot of errors when I am trying to run the crypto command or tivosh. I am a newbie in linux and I am stuck at this point; any help will be appreciated. I am posting the error below.
Thanks
HiddenCoyote


=====================================================
crypto -u -srp "password"
bash: bash-2.02#crypto: command not found
bash-2.02# crypto -u -srp "factory"
TmkLogger: <132>Jan 2 00:02:13 AttachSharedMemoryFile[58]: Can't find key HpkSharedMemoryPool on attach

Tmk Assertion Failure:
HPK_Result TivoSerialCryptoResetOn(HPK_CryptoInstance*), line 137 ()
TmkLogger: <129>Jan 2 00:02:13 TmkAssertionFailure[58]: (HPK_Result TivoSerial
CryptoResetOn(HPK_CryptoInstance*), line 137 ())
Tmk Fatal Error: Thread crypto <58> strayed!
TmkLogger: <129>Jan 2 00:02:13 crypto[58]: Tmk Fatal Error: Thread crypto <58>
strayed!
0x2ac24cbc 0x2ab19580 0x00410a14 0x00407940 0x00401c98 0x004019d0 0x2afa145c
TmkLogger: <129>Jan 2 00:02:13 crypto[58]: 0x2ac24cbc 0x2ab19580 0x00410a14 0
x00407940 0x00401c98 0x004019d0 0x2afa145c

TmkLogger: <129>Jan 2 00:02:13 crypto[58]:
END_OF_BT

Tmk Fatal Error: Thread crypto <58>: assertion failure
TmkLogger: <129>Jan 2 00:02:13 crypto[58]: Tmk Fatal Error: Thread crypto <58>:
assertion failure
TmkLogger: <129>Jan 2 00:02:13 crypto[58]: Tmk Fatal Error: Thread died due to
signal -2
TmkLogger: <129>Jan 2 00:02:13 crypto[58]: Invoking rule 834: rebooting system
Tmbash: no job control in this shell

eastwind
11-04-2005, 08:14 PM
echo $PATH will show you the PATH variable.
crypto is in the /tvbin directory. Use the absolute path to the crypto command.

ew

hiddencoyote
11-04-2005, 09:16 PM
echo $PATH will show you the PATH variable.
crypto is in the /tvbin directory. Use the absolute path to the crypto command.

ew


bash-2.02# echo $PATH
/bin:/tvbin:/sbin:/var/hack

I tried with the absolute path and I am still having the same error.
I am also having errors running tivosh.