Below is the first portion of the readme; attached are the packages.

Regards,

ScrambleThis

--------------------------------

Introduction
------------

By popular request, from the ScrambleThis Labs, we present unscramble for
Series 2 TiVo boxes. In the context of this release, "Series 2" is anything
that runs a 2.4x Linux kernel on MIPS hardware. The initial release of
s2_unscramble will be for the 3.1x series (most non-DVD, non-HD boxes) and
3.1.5x (HD boxes, where the development of this software was done). Note
well that, though a 3.1.1x kernel with LBA48 support is provided, it has
NOT been tested! Only the 3.1.5x kernel has been tested.

First, some background: Some of you may be familiar with the original
unscramble for Series 1, implemented as the unscramble.o kernel module. The
bad news is: s2_unscramble effectively cannot be implemented in this manner.
If you're not willing to use a non-standard kernel (that is, one that was
built by someone other than TiVo) or non-standard extraction tools, you
probably should stop reading now.


Overview
--------

As some of you know, the low level calls used to access the MFS partitions
changed from the Series 1 kernels to the Series 2. Thanks to alldeadhomiez's
documentation of this mechanism, along with a sample util.c that can be used
in any Tridge-derived MFS toolset (read: all of them), we're able to create
a client-server system to cache and "play back" the scramble keys. The
extraction tools are the client, and the kernel becomes the server; as the
TiVo software plays a show, the kernel mods will cache the scramble keys for
later access by the extraction tools.

Upon extraction, the tools use a specially created "sentinel key" to initiate
interaction with the kernel, and instruct it to "play back" the keys. At this
point, the data is read in the clear, and can be used in any application that
processes unscrambled shows.

Obviously, this mechanism requires that the user be able to install a custom
kernel and extraction tools in his/her TiVo; the mechanics of doing this is
outside the scope of this document. In addition, the user should disable
future scrambling on the machine with the "nocso" or other hack.


Unscrambling methodology
------------------------

The s2_unscramble package includes two distinct methods of unscrambling. The
original motivation for this development began when a HD TiVo with a bad HDMI
port was brought into the ScrambleThis Labs with a request to somehow transfer
the programming to the replacement machine. The machine had not been
previously hacked in any way, thus the programming was scrambled.

The first efforts focused on the more traditional method of transferring
programming to another TiVo: mfs_ftp. Once the unscramble code was
implemented, extraction could proceed and went without issue. This method
would dictate that the custom kernel and extraction tools be in place
whenever a scrambled show is to be extracted.

However, some issues arose during insertion attempts that gave rise to a
second approach: Unscrambling the shows "in place" on the TiVo. This involves
reading a block of data with the unscramble functionality in place, then
writing the block back to the disk in the same place. Once this is done for
all of the shows on the disk, the custom kernel and extraction tools can be
removed. At that point, the disk is portable to another TiVo (same model, of
course) after running the 51kill.tcl script.

The "in place" unscrambling method is ideal for situations where a disk needs
to be transplanted into another TiVo. It's also good for situations where a
user may have a lot of scrambled programming that doesn't need to be extracted
in the near term, but the user doesn't want to run the custom kernel and tools
on an ongoing basis.

However, you are STRONGLY advised to make a FULL backup of your drive before
attempting the "in place" unscramble. Since you will be WRITING to the disk,
if anything goes wrong, some (even ALL) of your programming could be
rendered unusable. This cannot be stressed enough: "In place" unscrambling can
DESTROY your shows!

Once you've determined which method is right for you, read further to
determine what's needed.

Awesome news! Thanks for your work on this.

Quick question, have the included custom kernels already been killhdinitrd'ed?

Custom kernel requires monte.

Custom kernel requires monte.
Gotcha. Load a killhdinitrd kernel, then monte into the custom kernel(s) provided. Sorry for the confusion, I clearly had a brain fart.

It's good to know that we can finally provide an answer, other than "sorry it can't currently be done" when series 2 users ask the question, "how do I unscramble previously scrambled recordings".

For what it's worth, I built a 2.4.18 TiVo 4.0 kernel with the ide-disk patch from this package and have successful extracted and unscrabled a scrambled show on a 4.0.1b S2 SA using the mfs_ftp method.

Thanks for the package!

This sounds great!

But, Since I have a S2 with probably 75 shows on it, is there a way to make a script that will play part of each show so all the keys can be found?

:)

i remember doing this back in the s1 days. trust me, if you get that remote and get into a rythym, you can prime those shows pretty quick.

ronny

If I don't need to view old, previously recorded shows, do I need to do this?
I'm planning to run a killhdinitrd'd 4.01 kernel and after tivoapp adjustments want to know if I need to do this unscramble (and set up monte which I don't think I need up to this point).
Can I still extract the shows recorded after the tivoapp mod with having to unscramble?

Thanks in advance for your help... Dave

If I don't need to view old, previously recorded shows, do I need to do this?
No. This is for extracting previously recorded shows that were recorded prior to disabling scrambling / encryption.
I'm planning to run a killhdinitrd'd 4.01 kernel
4.0.1a is your kernel then. Download it here:

http://www.dealdatabase.com/forum/showthread.php?t=38573

...and after tivoapp adjustments want to know if I need to do this unscramble
see first answer.

[and set up monte which I don't think I need up to this point).
You don't.

Can I still extract the shows recorded after the tivoapp mod with having to unscramble?
That's the point of the tivoapp patch :)

johnsortivo is correct. playing scrambled shows on the tivo itself is no problem, even after the tivoapp patch for "nocso". the unscramble stuff is only if you want to extract scrambled shows.

so, has anyone besides jamie given it a run yet? none of my s2 units have any scrambled shows.

ronny

so, has anyone besides jamie given it a run yet? none of my s2 units have any scrambled shows.
I'm in the same boat. Don't have a need for it, but good to know it's there should I in the future. Heck, at a minimum, it's another good source for an lba48 aware kernel, for those who aren't so inclined to compile their own :p

For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.

{Edit: I'm leaving this kernel up for historical purposes, but suggest you use the one in this (http://www.dealdatabase.com/forum/showthread.php?p=202967#post202967) post instead, since it is compatible with 4.0 on RID boxes. It also has CONFIG_FILTER turned back on, allowing DHCP to work. CONFIG_FILTER does not seem to affect network performance the way CONFIG_NETFILTER does.}

I was succesfully able to descramble/extract shows using the tserver method and tytools, but I'm having problems with the mfs_ftp method. I want to be able to use mfs_ftp to descramble and transfer a show to a 2nd tivo.

I'm using a DVR40, Sleeper'd (a long time ago), running 3.1.1c.

I'm able to connect using mfs_ftp, but when I click on the tmf directory to get a listing my connection gets closed. Here's the output from the port.3105.log file:

11:38:17:PM - 227 Entering Passive Mode (192,168,1,50,12,32).
11:38:17:PM - 150 Opening ASCII mode data connection for file list.
11:38:20:PM - updating cached recording info
..................................................................bgerror invok
d with error

" syntax error in expression "((0x - 4) / 256) + 1" "

re-initializing mfs_ftp

close the current ftp connection and simply open another

"core dump" :p

info(version): 1.2.9p
info(tswv): 3.1.1c-01-2-351
info(dbl): 0
info(ithrottle): 2
info(insert_priority): 10
info(multithreaded): 0
info(saveuntil): suggestion
info(name_detail): 5
info(bjuggle): 0
info(active): 0
info(ac_interval): 1800
info(gatewayip): 127.0.0.1
info(gatewayport): 3105

catch close lastsock val ""

I searched and found someone else who had a similar problem, but the solution was to use a different mfs_stream binary. In my case, I'm using the ones that were provided for the unscramble, so I'm not sure what the problem is. Any pointers, or suggestions?

thanks.

I was succesfully able to descramble/extract shows using the tserver method and tytools, but I'm having problems with the mfs_ftp method. I want to be able to use mfs_ftp to descramble and transfer a show to a 2nd tivo.

I'm using a DVR40, Sleeper'd (a long time ago), running 3.1.1c.

I'm able to connect using mfs_ftp, but when I click on the tmf directory to get a listing my connection gets closed.


I've had the same problem a couple of times too.

From what I can tell, this happens when your tivo is recording something.

Both times I had this occur, I cancelled the recording, restarted mfs_ftp (might not have been needed), and then it worked (note: I did NOT reboot the tivo).

Edit: I've also had to run csoscout.tcl on the target tivo afterwards to fix the shows. Refer to http://www.dealdatabase.com/forum/showpost.php?p=187489

Ok, I tried using the mfs_ftp method again this morning... and it worked! Previously I had my tivo set to 2 unavailable channels (570, 580), but this time I had the channels set to actual channels I receive. That seemed to do the trick. My tivo wasn't recording anything either time, so it seems my problem was a little different. (although the suggestion about the recording issue was the reason I tried a different channel).

By popular request, from the ScrambleThis Labs, we present unscramble for Series 2 TiVo boxes.

Your timing couldn't have been better! I had to replace my drive, and didn't have time to rehack my system before I needed to record a show I had been waiting for. I had just resigned myself to grabbing it via video capture, when you made your post. Unscrambling (and extraction) were flawless. :D

Thanks again!

For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.
Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!

Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!Not Jamie, but...Since you're running 4.x on a RID unit, this means you are already monte'ing, and as such, yes, all you have to do is replace the current vmlimux.px file you are monte'ing into with the one Jamie has attached.

edit:
that kernel will not work with rid boxes

Not Jamie, but...Since you're running 4.x on a RID unit, this means you are already monte'ing, and as such, yes, all you have to do is replace the current vmlimux.px file you are monte'ing into with the one Jamie has attached.
You minor point: because I turned off CONFIG_FILTER, this kernel won't work with DHCP. You have to assign a static IP address. Eventually I'll update the post with one that has CONFIG_FILTER back on, since, as ADH observed, CONFIG_FILTER doesn't seem to affect performance the way CONFIG_NETFILTER does.

{Edit: this kernel *will not* work with RID boxes}

For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.
but does it have the uma6 patch that rocketman24 needs?

but does it have the uma6 patch that rocketman24 needs?nope. ....

Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!
to answer your question - no, that kernel build doesn't work with rid dtivos

Thanks for the heads up. I really thought when I posted my question I was being over cautious... glad I asked.

Anyway, I assigned static IP to my box... so that part won't be problem. I'll wait to find one that's compatible for my box.

but does it have the uma6 patch that rocketman24 needs?Dang. Didn't think about that. Sorry for the mis-information.

Thanks for the heads up. I really thought when I posted my question I was being over cautious... glad I asked.

Anyway, I assigned static IP to my box... so that part won't be problem. I'll wait to find one that's compatible for my box.If there is demand, and if the uma6 patch is readily available, I can build a unscramble kernel that also includes it and the other patches Riley listed here (http://www.dealdatabase.com/forum/showthread.php?p=202708&highlight=uma6+patch#post202708). I don't have a rid unit though, so I can't really test it.

{edit: I've got all the right patches and built a test kernel. I'll test it on my non rid hardware, and if it works I'll replace the one above with this uma6 friendly version.}

Here's a 2.4.18 unscramble kernel that may work on 4.0 rid boxes. I first applied "bigpatch-2.4.18.patch" from here (http://www.dealdatabase.com/forum/showpost.php?p=202708&postcount=6), then applied the ide-disk.c.unscramble.diff patch posted by ScrambleThis. I also turned off CONFIG_NETFILTER (but not CONFIG_FILTER). Note that you need a fuzz of 3 or more (-F3) to apply the ide-disk patch to the 4.0 TiVo kernel.

I tested this on my S2SA. I don't have a rid box. If someone tries this on a 4.0 RID box and it works for you, please PM me (no need to post), and I'll update the kernel posted earlier in the thread and mark it as ok for RID.

{Update: mmoore99 reports that this kernel works fine on his RID SDVR-80, though he didn't try unscrambling anything.}

Here's a 2.4.18 unscramble kernel that may work on 4.0 rid boxes. Jamie, is it ok to use this kernel in conjunction with the tivoapp "superpatch" since it also disables scrambling?

Jamie, is it ok to use this kernel in conjunction with the tivoapp "superpatch" since it also disables scrambling?The kernel patch discussed in this thread provides a mechanism for unscrambling existing scrambled shows. The tivoapp "superpatch" (really the nocso patch) is a patch that allows new shows to be recorded without scrambling. The two serve different purposes.

The only known conflict between the two (to me anyway) is that shows that you unscramble with the unscramble kernel may continue to have cso keys set for them in their metadata. This can cause playback problems if you don't clear the cso keys. Search for ciphercheck and csoscout for ways to deal with this.

Jaime, this is what I have in my serial output when testing on a sd-dvr40 (RID)




## MIPS ## arch-specific shell functions defined
starting test.conf
starting /init/001_bash.init
starting /init/010_lba48.init
bash: no job control in this shell
bash-2.02# Warning: kernel-module version mismatch
/init/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Operation not permitted
monte failed - starting bash on the serial port
bash: no job control in this shell



EDIT: Just as a followup I have a kill'd 3.1.1c installed to the boot partitions.

bash-2.02# Warning: kernel-module version mismatch
/init/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20It appears to me that your boot kernel (the one installed in /dev/hda3 or /dev/hda6) is a 2.4.20 kernel. Perhaps from 3.1.5? You should be using the 3.1.1c killhdinitrd kernel, but it appears you are not.

This is before you are even getting to the point where you'd monte to the kernel I built.

Did you have a working monte setup before? What else did you change?

I re-ran my restore and went through my steps again to ensure I didn't miss anything and it did boot up this time (thought I had the 3.1.1c installed, but may not have.....)

Anyways, posted the bootlog for inspection, doing a C&D right now.

Are those scramblerkey messages errors or are they to be expected ?

Are those scramblerkey messages errors or are they to be expected ?I believe these are due to the fact your 4.0 image came from a machine with a different serial number. They should go away after the
C&D.

{edit: Note that Riley restored the uma6 RID kernel in the RID support thread. If you don't want/need the unscramble patch, you should be using that kernel instead.}

The C&D cleared up those issues in question. I was able to boot with your kernel and with the one from riley (now since fixed on the original post).

Did you want to test anything with regards to your kernel as far as the RID system goes ? I still have it on the box and can switch easily enough....

The C&D cleared up those issues in question. I was able to boot with your kernel and with the one from riley (now since fixed on the original post).

Did you want to test anything with regards to your kernel as far as the RID system goes ? I still have it on the box and can switch easily enough....Far as I know, nobody has actually tried unscrambling a show on a RID unit with this build. It should just work, so I'm not sure it's worth a special effort to test it. If it turns out not to work, I'm sure someone will let us know ;-)

Hi , I'm a newbie here and trying to understand. So please be kind :) .

I hacked my RID box last weekend to get the HMO option, and now I want to hack my HDVR2 as well. I have a lot of programs that Iwould like to extract (the first 4 hours of 24).

Do I just need to replace the kernel with the one listed in this thread and install tytools?

How can you configure the USB port without having the 4.01 software?

Thanks for all the great work from the Linux guru's here.

I have an unhacked DVR80 that I'll try it out on as soon as I get it hacked. Gotta go but a new drive so I can dd it instead of mfs_backup/restore in case I need anything that doesn't normally get backed up (including scrambled streams). Will report back.

ew

Got my system hacked. Hughes DVR80 running a killhdinitrd'd 3.1.1c kernel and 3.1.1e software in 3/4 and killhdinird'd 3.1.1c kernel monte'd to s2_unscramble kernel in 6/7. I did take a few steps getting everthing to work, but in the end I was able to mfs_rewrite a scrambled program in place and extract with TyTool's tserver. Before I rewrote it I also extracted it with the tserver_mfs included in the s2_unscramble package. Now I can pull out my other drive with all the scrambled recordings and unscramble them.


ew

Hey guys, i hope you can help me on this one.

i vaguely follow what you are doing here. let me tell you my problem and you tell me if this is the right thread to post in or the right thing to do to my tivo.

i have a series 2 unit that has a lifetime subscription paid on it. i also have the home media option (which i paid for and use frequently), AND TiVo to go (to xfer programs to my computer). i have upgraded the HD in the TiVo using a weaknees bracket kit and i added my own HD. i haven't changed the system software or anything else.

1) my dilemma is the programming i transfer. it requires me to type in a password (that i set) every time i want to view the programs. whats worse, if i want to edit those video files to cut out commercials, i cannot as every video editor i have doesn't recognize the video file because of the password protection.

2) what constitues a "hacked" tivo? is my tivo considered "hacked"? does changing the kernel prevent the tivo from retrieving the upcoming programming? does it cancel out my home media option (my house is networked)? does it cancel out my tivo to go feature?

3) if i do what you guys talk about in this thread, will i still be able to use the home media option? if not, is there a similar feature in the hack? (that allows me to view pictures and listen to music from my computer on my tivo.)

Keep in mind i want to be able to edit the programs i transfer, thats my only real need at the moment. i just need to strip that stupid password protection deal... do i need to upgrade the kernel and swap OS's and do all this talk, or is there an easier way to do what i want?

Thanks for your guys help!

Hey guys, i hope you can help me on this one.

i vaguely follow what you are doing here. let me tell you my problem and you tell me if this is the right thread to post in or the right thing to do to my tivo.

i have a series 2 unit that has a lifetime subscription paid on it. i also have the home media option (which i paid for and use frequently), AND TiVo to go (to xfer programs to my computer). i have upgraded the HD in the TiVo using a weaknees bracket kit and i added my own HD. i haven't changed the system software or anything else.

1) my dilemma is the programming i transfer. it requires me to type in a password (that i set) every time i want to view the programs. whats worse, if i want to edit those video files to cut out commercials, i cannot as every video editor i have doesn't recognize the video file because of the password protection.

2) what constitues a "hacked" tivo? is my tivo considered "hacked"? does changing the kernel prevent the tivo from retrieving the upcoming programming? does it cancel out my home media option (my house is networked)? does it cancel out my tivo to go feature?

3) if i do what you guys talk about in this thread, will i still be able to use the home media option? if not, is there a similar feature in the hack? (that allows me to view pictures and listen to music from my computer on my tivo.)

Keep in mind i want to be able to edit the programs i transfer, thats my only real need at the moment. i just need to strip that stupid password protection deal... do i need to upgrade the kernel and swap OS's and do all this talk, or is there an easier way to do what i want?

Thanks for your guys help!

Your post is offtopic. Search for:

TiVo to Go / TTG
killhdinitrd
superpatch

and don't even bother posting again until you've spent several hours or days reading (especially all of the stickies).

I've done it. I've now finished unscrambling (in place) all of my programming that was there before hacking the system (60-70 recordings). Now on to make sure that my 'other' LBA48 kernel can play everything and I won't be caching keys anymore.
Thanks,
ew

Is that all we need to do with the mod kernel? I am stll kinda a newbie to the series 2

Thanks

While trying to set up the s2_unscramble hack to pull some already encrypted video out of my hr10-250, I got stuck trying to monte the hacked kernel. It took me hours to figure out what I was doing wrong, so I figured I'd share this with everyone.

If you're using a 3.1.5x kernel, you'll need to use Jaime's version of kmonte.o for the 2.4.20 kernel which can be found here (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2).

Here's the step I was getting stuck on:
2. Install the custom kernel containing the s2_unscramble software. The
recommended method for this is to use the killhdinitrd and the
"rc.sysinit.real" approach (search on www.dealdatabase.com).

The instructions on how to do the monte using the "rc.sysinit.real" approach can be found here (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2)

Everything else should be straightforward.

This hack is awesome! No more sleepless nights worrying about weather or nto the encryption has been disabled on all your tivo's.

Thanks to the s2_unscramble team!

If you're using a 3.1.5x kernel, you'll need to use Jaime's version of kmonte.o for the 2.4.20 kernel which can be found here (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2).I'm glad the 2.4.20 kmonte.o worked for you, but let repeat the warning I left in the other thread: it doesn't work reliably. It can monte to some kernels, but not to others.

The recommended approach is to monte from a 2.4.4 kernel such as the 3.1.1c kernel.

Gang,
I am upgrading to a 120GB disk and planning on using PTVUPGRADE's InstantCake for my version 4 hack. Will I be able to use this Unscramble with this kernel, and how do I get the current shows from old to new drive?

Thanks

I would like to install this on a Hughes SD-DVR40 dtivo, that has been modified with a 120G drive and hacked in 6.2, most hacks learned from this board. I assume I can monte to the supplied kernel "vmlinux.px.3.1.5x", by using the techniques listed in other posts.

I plan on using the "kmonte.o" "monte.o" and "check" scripts that Alphwolf posted in the "62init" archive from this post:

http://www.dealdatabase.com/forum/showpost.php?p=216711&postcount=53

I am assuming they are ok for 2.4.20, since the post says they are used for 6.2

After I am done extracting the recordings I want I plan on going back to booting without the monte. Does this seem like a good plan to the experts here? I guess I want to know if anyone has done this on this model dtivo with 6.2 before. I'm going to do it anyway since I think if something goes wrong I can recover by pulling the drive. Just want to know if i am close or way off base.

Thanks,

Ciucca.

I would like to install this on a Hughes SD-DVR40 dtivo, that has been modified with a 120G drive and hacked in 6.2, most hacks learned from this board. I assume I can monte to the supplied kernel "vmlinux.px.3.1.5x", by using the techniques listed in other posts.

I plan on using the "kmonte.o" "monte.o" and "check" scripts that Alphwolf posted in the "62init" archive from this post:

http://www.dealdatabase.com/forum/showpost.php?p=216711&postcount=53

I am assuming they are ok for 2.4.20, since the post says they are used for 6.2

After I am done extracting the recordings I want I plan on going back to booting without the monte. Does this seem like a good plan to the experts here? I guess I want to know if anyone has done this on this model dtivo with 6.2 before. I'm going to do it anyway since I think if something goes wrong I can recover by pulling the drive. Just want to know if i am close or way off base.

Thanks,

Ciucca.
Your best bet (even though I don't expect you to have any trouble) is to make a dd backup copy of the drive and work from there. That way all your recordings are still intact if there is a problem. I did this very thing when I was working on mine, but I was still on 3.1.1e when I was working. I know there are issues with mfs_ftp & 6.2, so you might want to consider "unscrambling in place" or TyTool (if you just want the content).

ew

I am assuming they are ok for 2.4.20, since the post says they are used for 6.2Just to clarrify one issue that may be confusing: when chainloading with monte, there are two kernel versions involved: the kernel you are coming from and the kernel you going to. Normally the kernel you are coming from will be the killhdinitrd'd 3.1.1c linux 2.4.4 kernel installed in the tivo boot partition. The reason for this is that monte/kmonte.o are known to work reliably there.

I've experimented with chainloading from 2.4.18 and 2.4.20 kernels, but it didn't work reliably. It sometimes worked and sometimes didn't, depending on the from and to kernel. There is some discussion of this in the monte development thread (http://www.dealdatabase.com/forum/showthread.php?t=37225).

Just to clarrify one issue that may be confusing: when chainloading with monte, there are two kernel versions involved: the kernel you are coming from and the kernel you going to. Normally the kernel you are coming from will be the killhdinitrd'd 3.1.1c linux 2.4.4 kernel installed in the tivo boot partition. The reason for this is that monte/kmonte.o are known to work reliably there.

I've experimented with chainloading from 2.4.18 and 2.4.20 kernels, but it didn't work reliably. It sometimes worked and sometimes didn't, depending on the from and to kernel. There is some discussion of this in the monte development thread (http://www.dealdatabase.com/forum/showthread.php?t=37225).

Thanks for the warning.

Before I try something I may regret, what are the consequences when it "doesn't work"? Do I lose all my hacks , i.e like running a none killhdinitrd kernel, or does the monte just fail and the unscramble doesn't get chained.


Thanks.

Before I try something I may regret, what are the consequences when it "doesn't work"? Do I lose all my hacks , i.e like running a none killhdinitrd kernel, or does the monte just fail and the unscramble doesn't get chained.
Failure scenarios are typically that the chain load fails. It might fail cleanly (e.g. leaving you with a serial bash running on the console, if you've started that), or it might just hang on the monte.

Depending on your setup, if it hangs you may have to pull the drive to repair. If you have a serial cable, you've set your prom password and have a working setup in your alternate boot partitions, you won't have to even do that: after a failure, just boot from the alternative kernel/root partitions and mount/repair the messed up partitions. With a serial cable and a minimal boot environment in the alternate partitions that just runs bash and nothing else, you can experiment quickly interactively at a shell prompt and see what works and what doesn't.

Of course, if you make mistakes (e.g. dd'ing to the wrong partition when installing a kernel) you can wind up trashing your disk and all recordings. So eastwind's suggestion to experiment on a copy is always a good idea.

I recently set a friend up with a hacked HR10-250, had everything working great, an extra 250gb drive, patched tivoapp so that it would record unscrambled, tserver, the whole works. His son-in-law plays for the Brewers (Brady Clark) so he records all of their games with the sports packages and then archives them and edits them down to show the highlights. Anyway, everything was working fine until my friend plugged in his phone line so that he could order pay-per-view(*sigh*). As a result, his 3.1.5e system was upgraded to 3.1.5f, and none of my hacks were running any longer, including telnet and FTP. Normally I would have started fresh and reinstalled everything, but he has ~20 recordings that he was planning to edit on the drive. So in trying to come up with a solution I found ScrambleThis' unscramble for s2. Sounds like exactly what I need. I am most concerned about unscrambling and archiving these files to my PC for him.

I read through the readme file and this thread, and read the related posts on monte'ing, but I can't seem to get the monte working properly. I've never had to do a monte before, but I understand the general concept and I think I should be able to figure things out. Here's the steps I took so far:

1. killhdinitrd'd the kernel on the drive, so now it boots into my rc.system.author
2. downloaded & copied over the vmlinux.px.3.1.5x, monte, and kmonte.o files and placed them in /monte (per ViperX2's posting, I used Jaime's kmonte.o for the 2.4.20 kernel
3. made sure the files were executable (chmod 755)
4. moved my current rc.sysinit to rc.sysinit.real
5. created a new rc.sysinit with the following in it, set to executable:
#!/bin/bash
# bogus rc.sysinit, checks for monte
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '

bootparm=`/sbin/bootpage -p /dev/hda`

if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte/kmonte.o
/monte/monte /monte/vmlinux.px "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
The result I get upon placing the drive in the Tivo is that it goes into a reboot loop, never getting past the "Welcome. Powering up..." screen.

Any ideas? Am I doing something wrong? I don't have a serial cable, so the echo statements don't do me much good...

Thanks in advance for your thoughts.

I used Jaime's kmonte.o for the 2.4.20 kernel
The 2.4.20 kmonte.o does not work reliably. I thought I made that clear in the thread where it was posted and in the posts immediately preceeding your post in this thread. A 'hang' or a reboot loop are a likely outcome. Serial port output would tell us if that is the problem.

Suggestion #1: build or buy a serial cable so you aren't flying blind.

Suggestion #2: Use a killhdinitrd'd 3.1.1c kernel to monte from and use the 2.4.4 kmonte.o. That version has been found to be dependable.

Yes, Jamie, that was clear form your previous post but ViperX2 seemed to get it to work with the same model, so I thought it might work. What I'm confused by is you suggest trying the 3.1.1c kernel but for the HR10-250 there hasn't been a 3.1.1c kernel, it started with 3.1.5c - would that work as well? I think that's the original one I had. Or will either work if I can find one somewhere? Also, is there a way I can write out the debug info to a log file to see what's going on instead of the echo statements?

Yes, Jamie, that was clear form your previous post but ViperX2 seemed to get it to work with the same model, so I thought it might work. What I'm confused by is you suggest trying the 3.1.1c kernel but for the HR10-250 there hasn't been a 3.1.1c kernel, it started with 3.1.5c - would that work as well? I think that's the original one I had. Or will either work if I can find one somewhere? Also, is there a way I can write out the debug info to a log file to see what's going on instead of the echo statements?It might well be that since ViperX2 got it to work, you can too. Just warning you that it is hit or miss and you'll definitely want a serial cable so you can see what's going on.

The kernel you monte from just needs to run long enough to do the monte to the new kernel. It has to be compatible enough with the hardware to get that far. I believe the 3.1.1c kernel is known to boot on all series 2 hardware , incuding the HR10-250.

At the point that the monte is run, the root file system is mounted read only, and var isn't mounted yet. You might be able to figure out how to mount /var and redirect the monte command stderr output to a log, but a serial cable is cheap and a heck of a lot easier. If you don't feel like making one, check out 9thtee.com.

The kernel you monte from just needs to run long enough to do the monte to the new kernel. It has to be compatible enough with the hardware to get that far. I believe the 3.1.1c kernel is known to boot on all series 2 hardware , incuding the HR10-250.
Okay, so I just tried a couple things with no success. First, I dd'd a clean 3.1.5 kernel from the files section, then killhdinitrd'd it. Tried a monte from this kernel to the 3.1.5x in ScrambleThis's download, using the kmonte.o for 2.4.4, but got the same reboot loop.

Then I tried the exact same thing but with a clean 3.1.1c kernel from the files section, as you suggested. This resulted in the same reboot loop. So I removed the drive, and when I mounted the root file system (partition 4 in this case), I noticed that my /monte directory was there, but no longer had any files in it. Also, the /etc/rc.d file had reverted to the default with none of the author files in it. I copied over my rc.sysinit.author from my partition 7 and rebooted the Tivo but nothing happened.

Now, no matter what kernel I try I can no longer get the Tivo to boot up at all, it's always in a constant reboot loop. I'm kind of at a loss of what to do next. Since the rc.sysinit is the default one I'm no longer even doing a monte yet it's in the reboot loop. Did I royally screw this up by trying to load the 3.1.1c kernel on an HR10-250??

Okay, so I just tried a couple things with no success. First, I dd'd a clean 3.1.5 kernel from the files section, then killhdinitrd'd it. Tried a monte from this kernel to the 3.1.5x in ScrambleThis's download, using the kmonte.o for 2.4.4, but got the same reboot loop.Won't work. A 2.4.4 kmonte.o wont modload when you are running a 2.4.20 kernel.Then I tried the exact same thing but with a clean 3.1.1c kernel from the files section, as you suggested. This resulted in the same reboot loop. So I removed the drive, and when I mounted the root file system (partition 4 in this case), I noticed that my /monte directory was there, but no longer had any files in it. Also, the /etc/rc.d file had reverted to the default with none of the author files in it. I copied over my rc.sysinit.author from my partition 7 and rebooted the Tivo but nothing happened.You did run killhdinitrd on the 3.1.1c kernel, didn't you? Sounds like you booted a non killlhdinitrd'd kernel, which wiped out your files.Now, no matter what kernel I try I can no longer get the Tivo to boot up at all, it's always in a constant reboot loop. I'm kind of at a loss of what to do next. Since the rc.sysinit is the default one I'm no longer even doing a monte yet it's in the reboot loop. Did I royally screw this up by trying to load the 3.1.1c kernel on an HR10-250??If you booted with a kernel that hadn't been neutered with killhdinitrd, you might have wiped out any hacks you have done. You'll need to rehack.

It's hard to help you much further without serial console output.

Thanks for your patience, Jamie! I was able to piece together a serial cable and boy does that ever make a difference! By using that I was able to troubleshoot my reboot issue, which had to do with needing to change my boot partition back to partition 6 instead of partition 3 (partition 6 was the partition for 3.1.5c, what I'm restoring from, but when it had upgraded itself it had switched the bootpage to 3). So, now I'm finally able to figure out what's going on with my monte setup and unscramble.

I tried quite a few variations, which each yield different results. A few seem to suggest that it montes the alternate kernel, but then it reboots itself and gets in a reboot loop. It did not allow me to boot the HD Tivo from the 3.1.1c kernel at all ("Unable to mount root fs" kernel panic) - but then that was the same error I was getting before I switched the boot partition. I definitely killhdinitrd'd all of these kernels before attempting to load them.

Below are the log files, hopefully they shed some light for you. Any further suggestions are definitely appreciated!
from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.20

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87f8
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.1x using kmonte.o 2.4.4

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ Warning: kernel-module version mismatch
/monte/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Operation not permitted
monte sysinit wrapper complete, you're on your own
<< * reboots here * >>


from 3.1.1c killhdinitrd'd to 3.1.1x using kmonte.o 2.4.4

...
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Starting kswapd v1.8
block: queued sectors max/low 19709kB/6569kB, 64 slots per queue
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: WDC WD2500LB-55EDA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/2048KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Kernel panic: VFS: Unable to mount root fs on 03:07
Rebooting in 1 seconds..


from 3.1.5c killhdinitrd'd to 3.1.1x using kmonte.o 2.4.20

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x1241a0) at 0x87fc
a000
monte: total pages used: 294 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.4

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87f7
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.18

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ Warning: kernel-module version mismatch
/monte/kmonte.o was compiled for kernel version 2.4.18
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87fc
a000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>

I didn't see you try the combination of kernels you should be using:

From a killhdinitrd'd 3.1.1c using kmonte.o compiled for 2.4.4 to the 3.1.5 unscramble custom kernel in this thread. Give that one a try and report the results. Be sure you have your bootpage properly setup with the right root and kernel partitions.

Spend a little time thinking about why this is the right combination of from and to kernels and kmonte.o's. It's worth it to help establish a clear understanding of the monte/chainload concept. Trying all combinations and looking at the results is an interesting approach, but I think you'll come to the desired result faster by reasoning about it.

I didn't see you try the combination of kernels you should be using: From a killhdinitrd'd 3.1.1c using kmonte.o compiled for 2.4.4 to the 3.1.5 unscramble custom kernel in this thread. Give that one a try and report the results. Be sure you have your bootpage properly setup with the right root and kernel partitions.
I didn't try that specific configuration after the first time it failed to boot from the 3.1.1c kernel, it seems that it's failing to even mount the root filesystem before it even attempts the monte. Just to be sure, I tried as you suggested (from 3.1.1c killhdinitrd'd kernel to 3.1.5x custom kernel using kmonte.o compiled for 2.4.4) and got the same results:
hda: WDC WD2500LB-55EDA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/2048KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Kernel panic: VFS: Unable to mount root fs on 03:07
Rebooting in 1 seconds..
This is with the bootpage set to:

root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false

Just for kicks and giggles, I duped partition 6 to 3 and 7 to 4 and set the bootpage root parameter and boot parition appropriately and it yielded the same results as well.
Spend a little time thinking about why this is the right combination of from and to kernels and kmonte.o's. It's worth it to help establish a clear understanding of the monte/chainload concept. Trying all combinations and looking at the results is an interesting approach, but I think you'll come to the desired result faster by reasoning about it.
I do try to think things through before attempting them, but then when those don't work sometimes I take shots in the dark when I don't see any other alternatives. If there's something I'm missing I'd really like to know!

Has anyone successfully booted an HR10-250 to a 3.1.1c kernel? I was under the impression that it required at least 3.1.5 for the LB48 support. Has anyone besides ViperX2 succesfully used this s2 unscramble on an HR10-250?

the 3.1.1c kernel (2.4.4) will boot a hr10-250 just fine

however

initial root and the chainloaded kernel must be below the lba48 boundry (137 gig) where the lba24 3.1.1c kernel and monte can "see" them ;)


either move partitions around (pita) or monte from a killhdinitrd'd lba48 3.1.5 (2.4.20) into a killinitrd or noscramble-custom 2.4.20


*here's an excercise for anyone with a clue and too much time on their hands - recompile monte to chainload from the original kernel partition, then figure out how to store monte/utils in there as well :D

initial root and the chainloaded kernel must be below the lba48 boundry (137 gig) where the lba24 3.1.1c kernel and monte can "see" them ;)


either move partitions around (pita) or monte from a killhdinitrd'd lba48 3.1.5 (2.4.20) into a killinitrd or noscramble-custom 2.4.20
Riley nailed it. I should have remembered that, since that was the original reason I compiled kmonte for 2.4.20. It can't mount the root because it is probably over the lba28 mark (137GB). Look at the partition table with pdisk and check whether any of partitions 3,4,6,7 end above sector 268435456.

The problem with monte'ing from 3.1.5 is that it doesn't work reliably. It appears that you tried it, and it reboots immediately after the monte. I guess it is time to try to figure out why monte doesn't always work from 2.4.18 and 2.4.20.

Riley nailed it. I should have remembered that, since that was the original reason I compiled kmonte for 2.4.20. It can't mount the root because it is probably over the lba28 mark (137GB). Look at the partition table with pdisk and check whether any of partitions 3,4,6,7 end above sector 268435456.Seems like that is the issue:
Partition map (with 512 byte blocks) on '/dev/hdc'
# type name length base (size)
1 Apple_partition_map Apple 63 @ 1
2 Image Bootstrap 1 4096 @ 484709440 (2.0M)
3 Image Kernel 1 4096 @ 484713536 (2.0M)
4 Ext2 Root 1 262144 @ 484717632 (128M)
5 Image Bootstrap 2 1 @ 484979776
6 Image Kernel 2 8192 @ 484979777 (4.0M)
7 Ext2 Root 2 524288 @ 484987969 (256M)The problem with monte'ing from 3.1.5 is that it doesn't work reliably. It appears that you tried it, and it reboots immediately after the monte. I guess it is time to try to figure out why monte doesn't always work from 2.4.18 and 2.4.20.It'd be wondeful if the 2.4.20 monte code worked as you're saying. I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.

It'd be wondeful if the 2.4.20 monte code worked as you're saying.I'll take a look at it again, but I'm afraid it's a bit over my head, so I'm not sure I'll be able to figure out what the problem is with 2.4.20. I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.By far the easiest way is with a second disk at least as large as the one you are using now: simply do a backup|restore pipeline that preserves recordings, but don't "optimize" the partition layout (leave off -p in the restore). This should leave partitions 1-9 all well below the 137GB mark.

Seems like that is the issue:
Partition map (with 512 byte blocks) on '/dev/hdc'
# type name length base (size)
1 Apple_partition_map Apple 63 @ 1
2 Image Bootstrap 1 4096 @ 484709440 (2.0M)
3 Image Kernel 1 4096 @ 484713536 (2.0M)
4 Ext2 Root 1 262144 @ 484717632 (128M)
5 Image Bootstrap 2 1 @ 484979776
6 Image Kernel 2 8192 @ 484979777 (4.0M)
7 Ext2 Root 2 524288 @ 484987969 (256M)It'd be wondeful if the 2.4.20 monte code worked as you're saying. I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.
<unbridled optomism>
can you post the entire hda partition map? something has to start at block 64, if it's 8,9 or > 2 meg of Apple_free_extra the partition shuffle might not be so bad
</unbridled optomism>


alternate gameplan, take this with a grain of salt since it's been forever and my memory may not be 100%

a "mfstool backup|restore pipeline" won't preserve the CommercialSkipOffset attributes so those 20 or so scrambled recordings on the cloned drive will be useless. you'll have to back them up as tmf via mfs_ftp, clone a working drive as jamie suggested, install the unscramble_this kernel, insert the recordings, then unscramble them (in place or during extract)

*you could also clone the drive and use the /var/mfs_ftp/cache/*.xml files and a script built with procedures copied out of mfs_ftp to restore the CommercialSkipOffset attributes, but that probably deserves it's own thread if you decide to try it - if for example there were 400 gig of hd recordings that would take forever to network back & forth

a "mfstool backup|restore pipeline" won't preserve the CommercialSkipOffset attributes so those 20 or so scrambled recordings on the cloned drive will be useless. Huh? I'd swear I've done full backups (with recordings) of unhacked drives with scrambled recordings and had the recordings still play on the target drive. I believe mfstool preserves all recording attributes. What am I missing here?

I know I've done full backups with scrambled recordings, but I did them with dd instead of a piped mfsbackup | mfsrestore. But I don't know why mfstools wouldn't keep the CommercialSkipOffset attributes as it is for expansion not for disabling encryption.

just my 2 cents worth,
ew

I know I've done full backups with scrambled recordings, but I did them with dd instead of a piped mfsbackup | mfsrestore. But I don't know why mfstools wouldn't keep the CommercialSkipOffset attributes as it is for expansion not for diabling encryption.

just my 2 cents worth,
ewI still believe a piped backup|restore will preserve scrambled recording CSO keys. Hey, it's in the Hindsdale guide, it must be right! On the other hand, Riley has a record of consistently catching my errors, so I might be missing something.

If the backup|restore won't work, one could do a dd style backup, partition by partition. You'd have to handcraft the partition table on the destination disk with pdisk to make sure the important partitions (3,4,6,7) are all below the lba28 mark.

In the meantime, I'll try to play around some more with the 2.4.20 monte to see if I can find any pattern to failures.

Well, this does at least sound quite promising. I attempted an mfsbackup | mfsrestore, but since I had expanded the HR10-250 to use two 250gb drives, it complained about the second drive being missing. After attaching both drives I tried to copy and restore the combined volumes to a single 250gb drive but there are enough recordings to cause it to be too large. So I setup up a partition table manually on a new 250gb drive and have been dd'ing one partition at a time. I'm on the last one now - I had forgotten to turn on DMA on the first media partition and at 216gb it took over 24 hours! I enabled DMA and hopefully this last partition will be ready shortly and I can put it in the Tivo and verify that it works before trying the monte.

A couple quick questions I had - with pdisk I used the "c" option rather than "C" as I read that tivo igores the actual type names. Is that okay? they all show up as "APPLE_UNIX_SRV2" type right now (except for the 1st partition). Also, since this is a new drive that's essentially a clone of the old one but with partitions at different blocks, should I expect to run into Error 51?

I'll keep you posted on how it goes with the monte.

Okay, here's what I did:
- got an identical disk (WD 250gb)
- manually created a partition table using pdisk from the boot disc:
Partition map (with 512 byte blocks) on '/dev/hdc'
# : type : name : length : base : size
1: Apple_partition_map : Apple : 63 : 1
2: Apple_UNIX_SVR2 : Bootstrap 1 : 4096 : 64 : (2.0M)
3: Apple_UNIX_SVR2 : Kernel 1 : 4096 : 4160 : (2.0M)
4: Apple_UNIX_SVR2 : Root 1 : 262144 : 8256 : (128.0M)
5: Apple_UNIX_SVR2 : Bootstrap 2 : 1 : 270400
6: Apple_UNIX_SVR2 : Kernel 2 : 8192 : 270401 (4.0M)
7: Apple_UNIX_SVR2 : Root 2 : 524288 : 278593 (256.0M)
8: Apple_UNIX_SVR2 : Linux Swap : 260096 : 802881 (127.0M)
9: Apple_UNIX_SVR2 : /var : 262144 : 1062977 (128.0M)
10: Apple_UNIX_SVR2 : MFS Application region : 1048576 : 1325121 (512.0M)
11: Apple_UNIX_SVR2 : MFS media region : 216091648 : 2373697 (103.G)
12: Apple_UNIX_SVR2 : Second MFS app region : 1048576 : 218465345 (512.0M)
13: Apple_UNIX_SVR2 : Second MFS media region : 268617728 : 219513921 (128.1G)
14: Apple_Free : Extra : 265519 @ 488131649 (129.6M)
- used dd to copy over each partition, one by one
- used bootpage to set the correct parameters and boot partition
- put the disk back in the Tivo and booted up to test (no problems)
- put the disk back in the PC, dd'd over the kernel partition (6) with 3.1.1c
- ran killhdinitrd, it confirmed it applied it to 3.1.1c
- set it up to monte to 3.1.5 included with this unscramble package, along with Jamie's kmonte.o compiled for 2.4.4

Result: I seem to be able to boot the root partition now, monte says it's loaded the kernel image, then it goes into a reboot loop. Here's the boot log:
Linux version 2.4.4-TiVo-3.0 (build@buildmaster10) (gcc version 3.0) #9 Wed Jan
7 10:05:19 PST 2004
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware
=false
Monotonic time calibrated: 81.00 counts per usec
Calibrating delay loop... 161.38 BogoMIPS
Contiguous region 0: 1048576 bytes
Contiguous region 1: 131072 bytes
Contiguous region of 1179648 bytes reserved at 0x81ee0000.
Memory: 29772k/32768k available (1029k kernel code, 2996k reserved, 71k data, 60
k init)
Dentry-cache hash table entries: 4096 (order: 3, 32768 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 2048 (order: 2, 16384 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Probing PCI hardware
ttyS00 at iomem 0xb4100100 (irq = 79) is a 16550A
ttyS00 at port 0xbc010000 (irq = 133) is a unknown
ttyS00 at iomem 0xb4100140 (irq = 81) is a 16550A
ttyS00 at iomem 0xb4100120 (irq = 80) is a 16550A
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Starting kswapd v1.8
block: queued sectors max/low 19709kB/6569kB, 64 slots per queue
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: WDC WD2500JB-00FUA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 60k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x81b9
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code

Any ideas where I went wrong? I know I didn't type the partitions as I may have needed to, but I had read that Tivo doesn't look at the types. Looking at my new partition table, it seems that partitions 3,4,6,7 end well below sector 268435456. And since it mounted the root fs, I don't think this is the problem. Any suggestions as to what I should try next?

Any ideas where I went wrong? I know I didn't type the partitions as I may have needed to, but I had read that Tivo doesn't look at the types. Looking at my new partition table, it seems that partitions 3,4,6,7 end well below sector 268435456. And since it mounted the root fs, I don't think this is the problem. Any suggestions as to what I should try next?I think you did everything fine. After all that, it appears that you are having the same problem with the 2.4.4 monte that you did with the 2.4.20 version.

Are you sure the kernel you are monteing into isn't corrupt? Here's the md5sum I get on it:% md5sum vmlinux.px.3.1.5x
f2158f170e1cb6983d229d7694bd003e vmlinux.px.3.1.5x

I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.

Are you sure the kernel you are monteing into isn't corrupt? Here's the md5sum I get on it:% md5sum vmlinux.px.3.1.5x
f2158f170e1cb6983d229d7694bd003e vmlinux.px.3.1.5x
I get the exact same results for vmlinux.px.3.1.5x. Good thought though.
I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.
Thanks, that would be wonderful. I'm still curious as to how ViperX2 was able to get his going! Viper? Any thoughts?

I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.I just tried, and I can monte fine from the 3.1.1c kernel to the vmlinux.px.3.1.5x kernel posted in this thread. Log attached. I booted with a rc.sysinit that just brings up a bare bash, then did the rest from the command line as shown in the log.

In looking more carefully at your log above, I do now see something strange: a bash prompt intermixed with the console output:bash: no job control in this shell
(none):/$It appears to me that you have an interactive bash running on the console concurrent with the monte load. Is there any chance you have something else running before rc.sysinit? If you do, that's likely to be causing the problem. You really want as little as possible running before you do the monte. Loading usb modules, for example, is known to cause problems.

At this point, your best bet may be to do what I did: boot to a bare bash and try things from the serial console. See if you can figure out what works from there.

In looking more carefully at your log above, I do now see something strange: a bash prompt intermixed with the console output:bash: no job control in this shell
(none):/$It appears to me that you have an interactive bash running on the console concurrent with the monte load. Is there any chance you have something else running before rc.sysinit? If you do, that's likely to be causing the problem. You really want as little as possible running before you do the monte. Loading usb modules, for example, is known to cause problems.
I don't think I have anything else running, unless something in the rc.sysinit.bogus is causing that. I'm using the version from Nutkase's thread (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2), where he's posted Riley's version. The only difference is I uncommented his /bin/bash line because I'm "paranoid" - could that be causing it? Here (http://www.colorchemist.com/temp/unscramble_inits.zip) are my rc.sysinit files if you care to check them out.
At this point, your best bet may be to do what I did: boot to a bare bash and try things from the serial console. See if you can figure out what works from there.
I've never done this either, but I'm willing to try. Would I essentially remove the second half of the .bogus file so that it's just setting up the paths, TERM and the prompt? then follow the commands in the log you posted?

I don't think I have anything else running, unless something in the rc.sysinit.bogus is causing that. I'm using the version from Nutkase's thread (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2), where he's posted Riley's version. The only difference is I uncommented his /bin/bash line because I'm "paranoid" - could that be causing it? Here (http://www.colorchemist.com/temp/unscramble_inits.zip) are my rc.sysinit files if you care to check them out.

I've never done this either, but I'm willing to try. Would I essentially remove the second half of the .bogus file so that it's just setting up the paths, TERM and the prompt? then follow the commands in the log you posted?
It's really a long shot, but you might try commenting out the 'paranoid' bash, just on the off chance it is causing the problem. I'm sure it is why the bash prompt is interspersed in your output, but I doubt it is causing the problem. You never know though.

I've attached my minimal rc.sysinit. Use this in place of the standard one if you just want to boot up a bare bash. You might need to alter the PATH to reflect your tivo hacks directory. You might also need to go find setsid (http://www.dealdatabase.com/forum/showthread.php?p=189425&highlight=setsid#post189425) to use it as is.

Once you've booted a bare bash you should be able to try out the commands you'd put in the script to see what they do. It's easier (at least for me) than changing the script each time and looking at the logs after the fact.

One thing that hasn't been clear to me: right after you monte, what's the very next thing you see? You say it goes into a reboot loop, but it would help if you showed the exact output. Is there any sort of kernel crash output? Or does it start right right at the top again and repeat the exact console output from the previous boot (starting at "Linux version-2.4.4-TiVo-3.0" ...)?

First of all, thanks a bunch to Jamie for helping me through all of these issues, and secondly to ScrambleThis for a great solution! I was finally succesfull in getting this working on my HR10-250 and am backing up all of the recordings, unscrambled as I type this.

It turned out that in my rc.sysinit.bogus file, I had a typo (doh!) - I used single quotes (') when setting the bootparm instead of graves (`). This only became apparent after booting up to a bare bash shell as Jamie suggested and typing in the commands one by one as in his log. When I did the "echo $bootparm" and I got the command I had typed in quotes instead of the value of that command, I realized what had happened. As I was afraid of messing up the file by copying and pasting, since it was short enough I thought I would just type it in, and I missed the subtle (but essential!) difference between the two characters.

Once it succesfully monte'd, however, the setup that I was using (monte from 3.1.1c to custom unscramble 3.1.5 via the kmonte.o compiled for 2.4.4) did not work. The monte worked, but after showing about a 90% progress meter in acquiring "information" from satellite, it went to a blank screen and stayed there. I waited for 10 minutes but nothing. I had telnet so I shutdown, took out the drive and put it back in the PC. Then I decided to try the exact same setup that ViperX2 suggested earlier in this thread for the HR10-250: monte from 3.1.5 to custom unscramble 3.1.5 via the kmonte.o compiled for 2.4.20. This worked perfectly! After it booted up, I played one previously scrambled recording for a few seconds, verified the kernel log as instructed, all systems checked, then used the custom vserver to download the recording via TyTools and bam! there it is. A beautiful thing when it works out!

Thanks again for all the help! I owe you a debt of gratitude!

It turned out that in my rc.sysinit.bogus file, I had a typo (doh!) - I used single quotes (') when setting the bootparm instead of graves (`). This only became apparent after booting up to a bare bash shell as Jamie suggested and typing in the commands one by one as in his log. Glad you finally found resolution. In an effort to catch any typos, I was cutting and pasting my commands from your rc.sysinit in post #50, but the typo wasn't in that version. Sorry I led you down a complicated wild goose chase. Sometimes that's the way debugging goes.

Couldn't someone just apply killhdinitrd to one of the provided unscramble kernels (3.1.1 or 3.1.5 depending on your software), replace the bootable kernel with that one, load the unscramble specific extraction tools, and unscramble to your heart's content? Then once you're done unscrambling, you could overwrite that kernel with a stock killhdinitrd kernel and apply the nocso patch, and replace the unscramble specific extraction tools with the standard ones.

Am I missing something?

Am I missing something?Yes. Think about where this would fail to break the chain of trust (http://www.dealdatabase.com/forum/showpost.php?p=197479&postcount=2). When in doubt, try it, and see what happens.

Link 3: The prom checks the kernel for a signature verifying it's unchanged. This signature cannot be faked, if the test fails the prom halts.

Thanks for that link, I get it...The unscramble kernel will not pass the prom's signature checking since it's modified in areas that are signature checked. (unlike killhdinitrd, which alters a portion of the kernel which is not signature checked, allowing it to bypass the subsequent initrd function).

Hi -

I'm having a weird problem that maybe someone else has had and can help me out with.

I've got a HDVR2 - running 3.1.1e. I've hacked it - using a 3.1.1c killhdinitrd'd kernel to boot into the s2_unscramble kernel.

I went through my Now Playing list and played a few seconds of each program that I want scrambled. I saw the kernel spit out the "X chunk keys cached" messages.

Next, I copied over the various mfs_ftp files from the s2_unscramble tarball - and started up mfs_ftp.

From a PC, I was able to connect to mfs_ftp and I transferred two of the shows over to the PC.

Next, sent the shows - via mfs_ftp (NOT the s2_unscrable mfs_ftp files) - to another HDVR2 that I have (happily hacked and running 4.0.1b since last December).

While unscrambled show is uploading to the 4.0.1b HDVR2, I get the little red "recording" ball in the Now Playing list - and I can play the show. It's perfect!

Here's the weird part: Once the transfer is complete - the show entry remains on the Now Playing list - but when you go to play it, it immediately give you the "Delete Now" or "Do Not Delete" options. If "Do Not Delete" is selected, you get the "bong" sound that says there was a problem playing the recording. That is - NO part of the program is able to be viewed on the target TiVo.

Anybody seen this before? Anybody know what I'm doing wrong?

Seems like the unscramble went okay, since I'm able to play any of it on the destination TiVo... Is this the "some issues arose during insertion attempts" that is referenced in the README file of the s2_unscrable packages?

Help?

Regards,
Kevin

Edited: to clarify that all mfs_ftp files from s2_unscramble package were being copied over per the README instructions

Anybody seen this before? Anybody know what I'm doing wrong?yep and yep. Go back to the README file from the package and pay particular attention to the discussion of "CommercialSkipOffset". Also, search this forum for csoscout.tcl. I think it's in the " How to disable tystream encryption..." thread.

Hi Jamie -

I thought the CommercialSkipOffset (kcso) script was only relevant if doing an "in-place" unscramble. I'm going through the mfs_ftp tools...

Looking back in the README file, I see mention of CommercialSkipOffset - but that's in the "in-place" unscramble section...

Doing more research...

Kevin

Hi Jamie -

I thought the CommercialSkipOffset (kcso) script was only relevant if doing an "in-place" unscramble. I'm going through the mfs_ftp tools...

Looking back in the README file, I see mention of CommercialSkipOffset - but that's in the "in-place" unscramble section...I guess the README does make it sound like that, but it is also relevant if you are reinserting the shows onto a tivo after extraction.

The problem is the metadata says that the show is encrypted (through the CommercialSkipOffset value), but the show is not encrypted. Go read AlphaWolf's posts in the "How to disable tystream encryption...". And I recommend you use csoscout.tcl instead of kcso.tcl -- it's safer.

Hi Jamie -

Thanks for your help on this - and thanks for the comment about the README file throwing me off track.

Taking your suggestion, I did run csoscout.tcl on the v4.0.1b HDVR2 and once it was finished, my unscrambled/downloaded/uploaded programs were completely playable.

Again, thank you for your help.

Regards,
Kevin

I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)

I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)
Were you able to unscramble? I am thinking about trying to unscramble on my 6.2 box and would like to know if you were able to.

yes, after I set up the static ip stuff, I was able to connect to it and unscramble. I used the mfs_ftp method to extract.

yes, after I set up the static ip stuff, I was able to connect to it and unscramble. I used the mfs_ftp method to extract.


Cool. I am going to have to read up on monte. I have a virgin 6.2 drive that has some (scrambled) NFL games that I want to get off it. I plan on backing it up to another drive and hacking it.

I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)

I'm having the same problem. Did you have networking before you monted the drive? I did. I just renamed /tivo/etc/netfilter-enable to tivo/etc/netfilter-notenabled to do so. Now I dont' have networking after the monte.


edit-Jamie just let me know that DHCP was the issue and I need to switch to a static IP because the kernel monted into does not work with dhcp.

I can't obtain a list in tytool. I am running Alphawolf's version of NowShowing.tcl both are in /hack and both have been chmod 755. My execute string in tytool is...


/hack/tserver_mfs -s /hack/NowShowing.tcl


Also, the tserver_mfs is the scramble one. I just can't seem to obtain the NowShowing list. Help please.

This is what I get from bash.


bash-2.02# ./tserver_mfs
Switching to low priority...
Waiting for an incoming connection!
SERVER: We got a message! buf = 'SHOWING'
invalid attribute: TimeZone
while executing
"dbobj $setup get TimeZone"
("uplevel" body line 16)
invoked from within
"uplevel $body"
invoked from within
"transaction {uplevel $body}"
(procedure "RetryTransaction" line 5)
invoked from within
"RetryTransaction {
if {$version5} {
set lconfig [db $db open /State/LocationConfig]
set tzval [dbobj $lconfig get TimeZoneOffs..."
(procedure "GetConfig" line 28)
invoked from within
"GetConfig"
(file "./NowShowing.tcl" line 278)
Waiting for an incoming connection!

And before anyone recommends changing to a version of tserver that doesn't require NowShowing...I can't because I need to use this specific version of tserver to get the scrambled shows off.

It looks to me like your NowShowing.tcl still doesn't support the newer MFS structures that use TimeZoneOffset rather than TimeZone. Looking at AW's script, it looks like it only supports tivo software versions up to 5, but not 6 and 7. You should be able to tweak it easily to support the newer versions. IIRC, all versions after 4.x use the same MFS structures for keeping track of the time zone.

Alternatively, there's a NowShowing.tcl in the mfs_* package. Try that one. I believe it does a better version check than AW's and assumes that all software versions >4 use the new timezone MFS data structures.

It looks to me like your NowShowing.tcl still doesn't support the newer MFS structures that use TimeZoneOffset rather than TimeZone. Looking at AW's script, it looks like it only supports tivo software versions up to 5, but not 6 and 7. You should be able to tweak it easily to support the newer versions. IIRC, all versions after 4.x use the same MFS structures for keeping track of the time zone.

Alternatively, there's a NowShowing.tcl in the mfs_* package. Try that one. I believe it does a better version check than AW's and assumes that all software versions >4 use the new timezone MFS data structures.

Still unable to obtain the list using the mfs_* version of NowShowing.tcl. I was curious what would happen if I launched it the mfs_* NowShowing.tcl from bash and I got the following..


<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<Revelations><FSID>:<448358/11><TyStream>:</486648/486654><TotalSize>
:<881>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<Oubliette><FSID>:<448357/11><TyStream>:</486614/486634><TotalSize>:<
908>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<The Walk><FSID>:<448356/11><TyStream>:</486570/486592><TotalSize>:<8
58>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<2Shy><FSID>:<451147/11><TyStream>:</486501/486550><TotalSize>:<832>
<Title>:<Scrubs><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WAVY><Episode
Title>:<My Boss's Free Haircut><FSID>:<448797/11><TyStream>:</486085><TotalSize>
:<480>
<Title>:<Scrubs><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WAVY><Episode
Title>:<My Cake><FSID>:<448796/11><TyStream>:</486079><TotalSize>:<496>
<Title>:<All of Us><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WGNT><Epis
odeTitle>:<Movin' on Up><FSID>:<485912/22><TyStream>:</486008/486012><TotalSize>
:<480>
<Title>:<The Bachelor><Day>:<Mon><Date>:<3/28><Year>:<3/28/05><Station>:<WVEC><E
pisodeTitle>:<><FSID>:<474001/257><TyStream>:</482617/482694/482704/482709/48275
8/482816/482832><TotalSize>:<2106>
<Title>:<The Surreal Life><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:<VH1
><EpisodeTitle>:<Seven Celebrities of Death><FSID>:<478995/11><TyStream>:</47904
1/479044><TotalSize>:<608>
<Title>:<Arrested Development><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:
<WVBT><EpisodeTitle>:<The Sword of Destiny><FSID>:<443086/11><TyStream>:</478956
><TotalSize>:<442>
<Title>:<The X-Files><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:<WSKY><Ep
isodeTitle>:<Aubrey><FSID>:<442573/11><TyStream>:</478944/478948><TotalSize>:<77
8>
<Title>:<2005 NFL Scouting Combine><Day>:<Wed><Date>:<3/2><Year>:<3/2/05><Statio
n>:<NFL><EpisodeTitle>:<RB, QB, WR><FSID>:<401257/18><TyStream>:</402924/403280/
403295/403355><TotalSize>:<1112>
<Title>:<Scooby-Doo on Zombie Island><Day>:<Wed><Date>:<3/2><Year>:<3/2/05><Stat
ion>:<TOON><EpisodeTitle>:<><FSID>:<397229/45><TyStream>:</400817/400819/401254/
401262><TotalSize>:<1172>
<Title>:<2005 NFL Scouting Combine><Day>:<Sun><Date>:<2/27><Year>:<2/27/05><Stat
ion>:<NFL><EpisodeTitle>:<RB, QB, WR><FSID>:<392482/11><TyStream>:</393160/39316
2/393164/393165/393168><TotalSize>:<2484>
<Title>:<NFL Films Presents><Day>:<Fri><Date>:<2/25><Year>:<2/25/05><Station>:<N
FL><EpisodeTitle>:<Barry Sanders><FSID>:<377002/11><TyStream>:</377106/377182><T
otalSize>:<976>
<Title>:<NASCAR Racing><Day>:<Wed><Date>:<2/16><Year>:<2/16/05><Station>:<SPD><E
pisodeTitle>:<Nextel Cup Daytona 500, Practice><FSID>:<340191/129><TyStream>:</3
47697/347710><TotalSize>:<356>
<Title>:<Texans @ Bears><Day>:<Sun><Date>:<12/19><Year>:<12/19/04><Station>:<NFL
><EpisodeTitle>:<Houston Texans at Chicago Bears><FSID>:<173725/11><TyStream>:</
177495/177498/177500/177501/177503/177505/177506/177507/177528><TotalSize>:<4576
>
<Title>:<Vikings @ Bears><Day>:<Sun><Date>:<12/5><Year>:<12/5/04><Station>:<NFL>
<EpisodeTitle>:<Minnesota Vikings at Chicago Bears><FSID>:<137623/14><TyStream>:
</137622/137637/137646/137649/137658/137659/137671/137693/137696><TotalSize>:<42
72>
<Title>:<Bears @ Titans><Day>:<Sun><Date>:<11/14><Year>:<11/14/04><Station>:<NFL
><EpisodeTitle>:<Chicago Bears at Tennessee Titans><FSID>:<68320/11><TyStream>:<
/77784/77808/77820/77824/77829/77839/77847/77855/77858/77862/77867><TotalSize>:<
5336>


When I ran the original NowShowing I get this...


invalid attribute: TimeZone
while executing
"dbobj $setup get TimeZone"
("uplevel" body line 16)
invoked from within
"uplevel $body"
invoked from within
"transaction {uplevel $body}"
(procedure "RetryTransaction" line 5)
invoked from within
"RetryTransaction {
if {$version5} {
set lconfig [db $db open /State/LocationConfig]
set tzval [dbobj $lconfig get TimeZoneOffs..."
(procedure "GetConfig" line 28)
invoked from within
"GetConfig"
(file "./NowShowing.tclorig" line 278)

Still unable to obtain the list using the mfs_* version of NowShowing.tcl. I was curious what would happen if I launched it the mfs_* NowShowing.tcl from bash and I got the following..



When I ran the original NowShowing I get this...
It looks to me like the mfs_* NowShowing.tcl is working. What happens when you use it with tserver?

It looks to me like the mfs_* NowShowing.tcl is working. What happens when you use it with tserver?

This is what happens in the status window on tytool when I try to start it. When trying to use themfs_* NowShowing.tcl w/ the scramble tserver


Clear Now Showing List...
Connecting to '192.168.8.18'
Connected...
Getting NowShowing data...
Sorry.. Could not obtain the list.

This is what happens in the status window on tytool when I try to start it. When trying to use themfs_* NowShowing.tcl w/ the scramble tserverThat doesn't help. I want to see the output on the tserver_mfs side. What happens when you run tserver_mfs on your tivo? Be sure you have the right NowShowing.tcl where tserver_mfs is looking for it (current working directory, I think).

That doesn't help. I want to see the output on the tserver_mfs side. What happens when you run tserver_mfs on your tivo? Be sure you have the right NowShowing.tcl where tserver_mfs is looking for it (current working directory, I think).

This is the output when I start tserver_mfs from bash.


bash-2.02# ./tserver_mfs
Switching to low priority...
Waiting for an incoming connection!
SERVER: We got a message! buf = 'SHOWING'
missing close-bracket
while compiling
" ..."
(file "./NowShowing.tcl" line 291)
Waiting for an incoming connection!



The NowShowing.tcl I have is from here.

http://www.dealdatabase.com/forum/attachment.php?attachmentid=4818

both are in /hack

edit...quoted the wrong output.

Just for piece of mind I downloaded my kernel log to make sure things were being unscrambled and they were.

"3. Verify that the key caching is working by playing a few seconds of a
scrambled show. In the kernel log, you should see some messages similar
to the below (the ellipses indicate data removed for brevity):

Oct 24 19:15:16 (none) kernel: add_first_or_middle: 2403569106,1,0,0,...
Oct 24 19:15:16 (none) kernel: add_end: 2403569106,1,0,0,2042787767,...
Oct 24 19:15:16 (none) kernel: iscram: 2 chunk keys cached"


Jun 9 17:41:55 (none) kernel: add_only: 2403569106,1,0,0,4186733261,333474715,3204548479,2749403977|8016fd70,13,0,42467328,256,1
Jun 9 17:41:56 (none) kernel: add_first_or_middle: 2403569106,1,0,0,1716480691,3745985578,237892385,2463229587|8016fd70,11,0,21889024,256,1
Jun 9 17:41:56 (none) kernel: iscram: 2 chunk keys cached

If all else fails I may just unscramble on the box and then unmonte the drive and use tytool to pull everthing off via a normal tserver file. I would really like to get it working however as is.

let me know how it comes out, I'm just "updated" my 6.2 and need to pull about 30 hours worth of shows off.

If all else fails I may just unscramble on the box and then unmonte the drive and use tytool to pull everthing off via a normal tserver file. I would really like to get it working however as is.I'll try to take a look at it, but it might not be until tonight.

In the meantime, this might be a good time for you to develop tcl debugging skills. :) The error message tells you the line number and says there is a mismatched bracket there. It isn't clear to me why it runs fine from a bash shell but not from tserver_mfs, but maybe you can figure that out. Let me know if you find a fix before I get around to looking at it.

I tested the mfs_* NowShowing.tcl with the tserver_mfs in this thread, and they worked fine together under 7.1b and TyTool 9r18. The mfs_bin.mips package you linked to earlier did not contain a NowShowing.tcl, so I'm uncertain exactly which NowShowing.tcl you are running.

I tested the mfs_* NowShowing.tcl with the tserver_mfs in this thread, and they worked fine together under 7.1b and TyTool 9r18. The mfs_bin.mips package you linked to earlier did not contain a NowShowing.tcl, so I'm uncertain exactly which NowShowing.tcl you are running.

You are right. The file had NowShowing but not NowShowing.tcl I renamed it to NowShowing.tcl. Looks like that may be my problem. I'll look for another mfs_bin.mips in that thread which does have the NowShowing.tcl in it.

I got the one I am using now in this thread.

http://www.dealdatabase.com/forum/showpost.php?p=195327&postcount=1

You are right. The file had NowShowing but not NowShowing.tcl I renamed it to NowShowing.tcl. Looks like that may be my problem. I'll look for another mfs_bin.mips in that thread which does have the NowShowing.tcl in it.

I got the one I am using now in this thread.

http://www.dealdatabase.com/forum/showpost.php?p=195327&postcount=1
It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

I'm a dork. I almost did this once before but I caught it. Thanks for the help. I appreciating it.

It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

I got the NowShowing.tcl from the mfs_src and uploaded it chmod 755 it and its still not working. :confused:

edit..
Its working now :D For some reason I could not kill a instance of tserver already running. So I rebooted and it started up fine. I had an issue with tytool saying it didn't have enough chunks to start so I checked the kernel log and saw no keys. I played the file I wanted to extract on my tivo. I assume that cached the keys. The tytool was able to pull it.

let me know how it comes out, I'm just "updated" my 6.2 and need to pull about 30 hours worth of shows off.


It came out GREAT! I did everything right but had the wrong NowShowing.tcl I think I used the one included in 9r18 tytool initially and that didn't work then I rename a source file named NowShowing (stupid me) and finally with Jamie pointing me to the right one I got the correct NowShowing.tcl that works with the unscramble tserver. The process was not hard at all. I was just careless when looking for the NowShowing.tcl file. I can pull off scramble shows with no problem now. I only have probably 10-15gigs left to pull of now. I've pulled off 9gigs (2 Chicago Bears game from last season) so far. :D

I have a Philips DSR708 with hacked 6.2. I've got ftp and telnet working and tytools working. I'd like to get some pre-hacked recordings off and have been reading here and some other sites on the web.

I was wondering if anyone has done this with 6.2 that has a cheatsheet? I'm re-reading all the posts, but feel like I'm going in circles. The biggest fear I have is using in killhdinitrd and monte. I will work on making some notes and do a sort of unguide tonight.

I have a Philips DSR708 with hacked 6.2. I've got ftp and telnet working and tytools working. I'd like to get some pre-hacked recordings off and have been reading here and some other sites on the web.

I was wondering if anyone has done this with 6.2 that has a cheatsheet? I'm re-reading all the posts, but feel like I'm going in circles. The biggest fear I have is using in killhdinitrd and monte. I will work on making some notes and do a sort of unguide tonight.

The box I pulled off my scrambled shows was a 6.2 box. You have to monte to use the custom kernel that allows you to pull off the scrambled shows. There is no "cheat sheet".

<snip>

Message moved to it's own thread in this forum.

The box I pulled off my scrambled shows was a 6.2 box. You have to monte to use the custom kernel that allows you to pull off the scrambled shows. There is no "cheat sheet".

I have the same Box a DSR 708 I ran PTVnet then followed Alpha wolfs post on the 4 byte hack when I did that I lost my networking any help would be greatly apreciated.

Freddy_k

I have the same Box a DSR 708 I ran PTVnet then followed Alpha wolfs post on the 4 byte hack when I did that I lost my networking any help would be greatly apreciated.

Freddy_k

Not sure if I had the same problem, but after I got the two kernel monte going with the s2_unscramble 3.1.5x kernel, my v6.2 SD-DVR40 fell off the network too. Couldn't find any good reason for it (wrong network device module versions, etc.). Got in through the serial port and first verified that the monte did work and that the keys were being cached (WooHoo! My first monte!), then started investigating the network problem. ifconfig showed that only the local interface (lo - 127.0.0.1) was up, so I took a stab at bringing up the ethernet interface manually:


ifconfig eth0 192.168.100.30 netmask 255.255.255.0 up


(substitute your own network parameters) I was actually a little surprised when that worked. Since I'm only running the s2_unscramble kernel long enough to decrypt my old shows, that quick fix is sufficient.

EDIT: Earlier posts in this thread indicate that the s2_unscramble kernels don't support DHCP. That explains it.

But I did slam into a brick wall after that. When I run tivosh and do an mls /Recording/NowShowingByTitle, I get this:


% Directory of /Recording starting at 'NowShowingByTitle'

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Pending tyDir 854566 09/29/05 22:03 2304
TiVoClipNowShowing tyDir 854591 09/29/05 09:01 1600
TmsId tyDir 854592 09/29/05 23:59 6764


If I try to list any of those directories(?), I get "can't scan path (errNmNameNotFound)." Harumph!

I've probably missed something, or done something stupid, but I was expecting to find all my NowShowing titles there and haven't been able to figure out why not. (TiVo change something on us?)

So I Googled around, pulled down a copy of nowshowing.tcl, ran it and got basically the same results.

Clue? Anyone? Please?

EDIT: If it's not obvious, I'm trying to do an unscramble in place. I've found a few more clues that point to this being a MFS structure change, but nothing yet on where I should be looking for my list of shows... :confused:

-cw-

But I did slam into a brick wall after that. When I run tivosh and do an mls /Recording/NowShowingByTitle, I get this:


% Directory of /Recording starting at 'NowShowingByTitle'

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Pending tyDir 854566 09/29/05 22:03 2304
TiVoClipNowShowing tyDir 854591 09/29/05 09:01 1600
TmsId tyDir 854592 09/29/05 23:59 6764


If I try to list any of those directories(?), I get "can't scan path (errNmNameNotFound)." Harumph!

I've probably missed something, or done something stupid, but I was expecting to find all my NowShowing titles there and haven't been able to figure out why not. (TiVo change something on us?)


Clue? Anyone? Please?


-cw-
Check the listing for /Recording and then try the directories listed. I think the one you want is mls /Recording/NowShowingByBucketTitle

ew

I am VERY new to TiVo hacking, buy also VERY interested. I am fairly technical, but very new to Linux. I have been attempting to read through posts on the topic, have gotten confused by the steps to take.

I have a Philips DSR-7000 with a PTVUpgrade drive (120Gb) w/3.1.1e. I am using the AlphaWolf hack to remove/disable encryption, but have many shows recorded prior to the hack. No other hacks installed/used. The drive is failing and I have ordered a replacement drive from PTVUpgrade (w/6.2). I would like to unscramble my existing shows to transfer to DVD (using tyTools) OR the the new replacement drive. Any help would be GREATLY appreciated.

I am VERY new to TiVo hacking, buy also VERY interested. I am fairly technical, but very new to Linux. I have been attempting to read through posts on the topic, have gotten confused by the steps to take.

I have a Philips DSR-7000 with a PTVUpgrade drive (120Gb) w/3.1.1e. I am using the AlphaWolf hack to remove/disable encryption, but have many shows recorded prior to the hack. No other hacks installed/used. The drive is failing and I have ordered a replacement drive from PTVUpgrade (w/6.2). I would like to unscramble my existing shows to transfer to DVD (using tyTools) OR the the new replacement drive. Any help would be GREATLY appreciated.
Well this will do it. So what you have to do is:

Get a copy of the S2_Unscramble kernel onto your DTivo
Configure it to monte from the 3.1.1c kernel (that presumably you are running) to the unscramble kernel
Install the specia