PDA

View Full Version : s2_unscramble - Unscramble for Series 2



Pages : [1] 2

ScrambleThis
11-10-2004, 05:59 PM
Below is the first portion of the readme; attached are the packages.

Regards,

ScrambleThis

--------------------------------

Introduction
------------

By popular request, from the ScrambleThis Labs, we present unscramble for
Series 2 TiVo boxes. In the context of this release, "Series 2" is anything
that runs a 2.4x Linux kernel on MIPS hardware. The initial release of
s2_unscramble will be for the 3.1x series (most non-DVD, non-HD boxes) and
3.1.5x (HD boxes, where the development of this software was done). Note
well that, though a 3.1.1x kernel with LBA48 support is provided, it has
NOT been tested! Only the 3.1.5x kernel has been tested.

First, some background: Some of you may be familiar with the original
unscramble for Series 1, implemented as the unscramble.o kernel module. The
bad news is: s2_unscramble effectively cannot be implemented in this manner.
If you're not willing to use a non-standard kernel (that is, one that was
built by someone other than TiVo) or non-standard extraction tools, you
probably should stop reading now.


Overview
--------

As some of you know, the low level calls used to access the MFS partitions
changed from the Series 1 kernels to the Series 2. Thanks to alldeadhomiez's
documentation of this mechanism, along with a sample util.c that can be used
in any Tridge-derived MFS toolset (read: all of them), we're able to create
a client-server system to cache and "play back" the scramble keys. The
extraction tools are the client, and the kernel becomes the server; as the
TiVo software plays a show, the kernel mods will cache the scramble keys for
later access by the extraction tools.

Upon extraction, the tools use a specially created "sentinel key" to initiate
interaction with the kernel, and instruct it to "play back" the keys. At this
point, the data is read in the clear, and can be used in any application that
processes unscrambled shows.

Obviously, this mechanism requires that the user be able to install a custom
kernel and extraction tools in his/her TiVo; the mechanics of doing this is
outside the scope of this document. In addition, the user should disable
future scrambling on the machine with the "nocso" or other hack.


Unscrambling methodology
------------------------

The s2_unscramble package includes two distinct methods of unscrambling. The
original motivation for this development began when a HD TiVo with a bad HDMI
port was brought into the ScrambleThis Labs with a request to somehow transfer
the programming to the replacement machine. The machine had not been
previously hacked in any way, thus the programming was scrambled.

The first efforts focused on the more traditional method of transferring
programming to another TiVo: mfs_ftp. Once the unscramble code was
implemented, extraction could proceed and went without issue. This method
would dictate that the custom kernel and extraction tools be in place
whenever a scrambled show is to be extracted.

However, some issues arose during insertion attempts that gave rise to a
second approach: Unscrambling the shows "in place" on the TiVo. This involves
reading a block of data with the unscramble functionality in place, then
writing the block back to the disk in the same place. Once this is done for
all of the shows on the disk, the custom kernel and extraction tools can be
removed. At that point, the disk is portable to another TiVo (same model, of
course) after running the 51kill.tcl script.

The "in place" unscrambling method is ideal for situations where a disk needs
to be transplanted into another TiVo. It's also good for situations where a
user may have a lot of scrambled programming that doesn't need to be extracted
in the near term, but the user doesn't want to run the custom kernel and tools
on an ongoing basis.

However, you are STRONGLY advised to make a FULL backup of your drive before
attempting the "in place" unscramble. Since you will be WRITING to the disk,
if anything goes wrong, some (even ALL) of your programming could be
rendered unusable. This cannot be stressed enough: "In place" unscrambling can
DESTROY your shows!

Once you've determined which method is right for you, read further to
determine what's needed.

JohnSorTivo
11-10-2004, 06:14 PM
Awesome news! Thanks for your work on this.

Quick question, have the included custom kernels already been killhdinitrd'ed?

StanSimmons
11-10-2004, 06:19 PM
Custom kernel requires monte.

JohnSorTivo
11-10-2004, 06:21 PM
Custom kernel requires monte.
Gotcha. Load a killhdinitrd kernel, then monte into the custom kernel(s) provided. Sorry for the confusion, I clearly had a brain fart.

It's good to know that we can finally provide an answer, other than "sorry it can't currently be done" when series 2 users ask the question, "how do I unscramble previously scrambled recordings".

Jamie
11-11-2004, 01:07 AM
For what it's worth, I built a 2.4.18 TiVo 4.0 kernel with the ide-disk patch from this package and have successful extracted and unscrabled a scrambled show on a 4.0.1b S2 SA using the mfs_ftp method.

Thanks for the package!

TivoWare
11-11-2004, 12:27 PM
This sounds great!

But, Since I have a S2 with probably 75 shows on it, is there a way to make a script that will play part of each show so all the keys can be found?

ronnythunder
11-11-2004, 01:12 PM
:)

i remember doing this back in the s1 days. trust me, if you get that remote and get into a rythym, you can prime those shows pretty quick.

ronny

massdave
11-12-2004, 06:43 PM
If I don't need to view old, previously recorded shows, do I need to do this?
I'm planning to run a killhdinitrd'd 4.01 kernel and after tivoapp adjustments want to know if I need to do this unscramble (and set up monte which I don't think I need up to this point).
Can I still extract the shows recorded after the tivoapp mod with having to unscramble?

Thanks in advance for your help... Dave

JohnSorTivo
11-12-2004, 06:57 PM
If I don't need to view old, previously recorded shows, do I need to do this?
No. This is for extracting previously recorded shows that were recorded prior to disabling scrambling / encryption.

I'm planning to run a killhdinitrd'd 4.01 kernel
4.0.1a is your kernel then. Download it here:

http://www.dealdatabase.com/forum/showthread.php?t=38573


...and after tivoapp adjustments want to know if I need to do this unscramble
see first answer.


[and set up monte which I don't think I need up to this point).
You don't.


Can I still extract the shows recorded after the tivoapp mod with having to unscramble?
That's the point of the tivoapp patch :)

ronnythunder
11-12-2004, 07:09 PM
johnsortivo is correct. playing scrambled shows on the tivo itself is no problem, even after the tivoapp patch for "nocso". the unscramble stuff is only if you want to extract scrambled shows.

so, has anyone besides jamie given it a run yet? none of my s2 units have any scrambled shows.

ronny

JohnSorTivo
11-12-2004, 07:37 PM
so, has anyone besides jamie given it a run yet? none of my s2 units have any scrambled shows.
I'm in the same boat. Don't have a need for it, but good to know it's there should I in the future. Heck, at a minimum, it's another good source for an lba48 aware kernel, for those who aren't so inclined to compile their own :p

Jamie
11-12-2004, 07:54 PM
For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.

{Edit: I'm leaving this kernel up for historical purposes, but suggest you use the one in this (http://www.dealdatabase.com/forum/showthread.php?p=202967#post202967) post instead, since it is compatible with 4.0 on RID boxes. It also has CONFIG_FILTER turned back on, allowing DHCP to work. CONFIG_FILTER does not seem to affect network performance the way CONFIG_NETFILTER does.}

steve457
11-23-2004, 03:58 AM
I was succesfully able to descramble/extract shows using the tserver method and tytools, but I'm having problems with the mfs_ftp method. I want to be able to use mfs_ftp to descramble and transfer a show to a 2nd tivo.

I'm using a DVR40, Sleeper'd (a long time ago), running 3.1.1c.

I'm able to connect using mfs_ftp, but when I click on the tmf directory to get a listing my connection gets closed. Here's the output from the port.3105.log file:

11:38:17:PM - 227 Entering Passive Mode (192,168,1,50,12,32).
11:38:17:PM - 150 Opening ASCII mode data connection for file list.
11:38:20:PM - updating cached recording info
..................................................................bgerror invok
d with error

" syntax error in expression "((0x - 4) / 256) + 1" "

re-initializing mfs_ftp

close the current ftp connection and simply open another

"core dump" :p

info(version): 1.2.9p
info(tswv): 3.1.1c-01-2-351
info(dbl): 0
info(ithrottle): 2
info(insert_priority): 10
info(multithreaded): 0
info(saveuntil): suggestion
info(name_detail): 5
info(bjuggle): 0
info(active): 0
info(ac_interval): 1800
info(gatewayip): 127.0.0.1
info(gatewayport): 3105

catch close lastsock val ""

I searched and found someone else who had a similar problem, but the solution was to use a different mfs_stream binary. In my case, I'm using the ones that were provided for the unscramble, so I'm not sure what the problem is. Any pointers, or suggestions?

thanks.

chrised
11-23-2004, 04:31 AM
I was succesfully able to descramble/extract shows using the tserver method and tytools, but I'm having problems with the mfs_ftp method. I want to be able to use mfs_ftp to descramble and transfer a show to a 2nd tivo.

I'm using a DVR40, Sleeper'd (a long time ago), running 3.1.1c.

I'm able to connect using mfs_ftp, but when I click on the tmf directory to get a listing my connection gets closed.


I've had the same problem a couple of times too.

From what I can tell, this happens when your tivo is recording something.

Both times I had this occur, I cancelled the recording, restarted mfs_ftp (might not have been needed), and then it worked (note: I did NOT reboot the tivo).

Edit: I've also had to run csoscout.tcl on the target tivo afterwards to fix the shows. Refer to http://www.dealdatabase.com/forum/showpost.php?p=187489

steve457
11-23-2004, 02:06 PM
Ok, I tried using the mfs_ftp method again this morning... and it worked! Previously I had my tivo set to 2 unavailable channels (570, 580), but this time I had the channels set to actual channels I receive. That seemed to do the trick. My tivo wasn't recording anything either time, so it seems my problem was a little different. (although the suggestion about the recording issue was the reason I tried a different channel).

BeagleBoy
11-25-2004, 09:40 PM
By popular request, from the ScrambleThis Labs, we present unscramble for Series 2 TiVo boxes.

Your timing couldn't have been better! I had to replace my drive, and didn't have time to rehack my system before I needed to record a show I had been waiting for. I had just resigned myself to grabbing it via video capture, when you made your post. Unscrambling (and extraction) were flawless. :D

Thanks again!

rocketman24
01-04-2005, 09:38 PM
For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.
Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!

JohnSorTivo
01-04-2005, 09:45 PM
Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!Not Jamie, but...Since you're running 4.x on a RID unit, this means you are already monte'ing, and as such, yes, all you have to do is replace the current vmlimux.px file you are monte'ing into with the one Jamie has attached.

edit:
that kernel will not work with rid boxes

Jamie
01-04-2005, 10:06 PM
Not Jamie, but...Since you're running 4.x on a RID unit, this means you are already monte'ing, and as such, yes, all you have to do is replace the current vmlimux.px file you are monte'ing into with the one Jamie has attached.
You minor point: because I turned off CONFIG_FILTER, this kernel won't work with DHCP. You have to assign a static IP address. Eventually I'll update the post with one that has CONFIG_FILTER back on, since, as ADH observed, CONFIG_FILTER doesn't seem to affect performance the way CONFIG_NETFILTER does.

{Edit: this kernel *will not* work with RID boxes}

rc3105
01-05-2005, 02:40 AM
For those interested in running this on 4.01b, here's a kernel compiled with gcc 3.0 from the TiVo-4.0-linux-2.4 sources. It's got the fpu patch, the lba48 patch, the s2-unscramble patch, and CONFIG_FILTER and CONFIG_NETFILTER are turned off. I use it with TiVo software version 4.0.1b on a S2 SA.
but does it have the uma6 patch that rocketman24 needs?

Jamie
01-05-2005, 02:55 AM
but does it have the uma6 patch that rocketman24 needs?nope. ....

rc3105
01-05-2005, 04:36 AM
Jamie,

I don't want to make any assumptions... so I'll ask just to make sure I don't screw something up. I've got a S2 DTV Tivo (Hughes SD-DVR40) running 4.01b.

Can I safely install this on my box? Is it as simple as replacing the current vmlinux.px file?

Thanks in advance!
to answer your question - no, that kernel build doesn't work with rid dtivos

rocketman24
01-05-2005, 05:54 AM
Thanks for the heads up. I really thought when I posted my question I was being over cautious... glad I asked.

Anyway, I assigned static IP to my box... so that part won't be problem. I'll wait to find one that's compatible for my box.

JohnSorTivo
01-05-2005, 09:55 AM
but does it have the uma6 patch that rocketman24 needs?Dang. Didn't think about that. Sorry for the mis-information.

Jamie
01-05-2005, 10:11 AM
Thanks for the heads up. I really thought when I posted my question I was being over cautious... glad I asked.

Anyway, I assigned static IP to my box... so that part won't be problem. I'll wait to find one that's compatible for my box.If there is demand, and if the uma6 patch is readily available, I can build a unscramble kernel that also includes it and the other patches Riley listed here (http://www.dealdatabase.com/forum/showthread.php?p=202708&highlight=uma6+patch#post202708). I don't have a rid unit though, so I can't really test it.

{edit: I've got all the right patches and built a test kernel. I'll test it on my non rid hardware, and if it works I'll replace the one above with this uma6 friendly version.}

Jamie
01-05-2005, 01:18 PM
Here's a 2.4.18 unscramble kernel that may work on 4.0 rid boxes. I first applied "bigpatch-2.4.18.patch" from here (http://www.dealdatabase.com/forum/showpost.php?p=202708&postcount=6), then applied the ide-disk.c.unscramble.diff patch posted by ScrambleThis. I also turned off CONFIG_NETFILTER (but not CONFIG_FILTER). Note that you need a fuzz of 3 or more (-F3) to apply the ide-disk patch to the 4.0 TiVo kernel.

I tested this on my S2SA. I don't have a rid box. If someone tries this on a 4.0 RID box and it works for you, please PM me (no need to post), and I'll update the kernel posted earlier in the thread and mark it as ok for RID.

{Update: mmoore99 reports that this kernel works fine on his RID SDVR-80, though he didn't try unscrambling anything.}

mmoore99
01-05-2005, 01:25 PM
Here's a 2.4.18 unscramble kernel that may work on 4.0 rid boxes. Jamie, is it ok to use this kernel in conjunction with the tivoapp "superpatch" since it also disables scrambling?

Jamie
01-05-2005, 01:30 PM
Jamie, is it ok to use this kernel in conjunction with the tivoapp "superpatch" since it also disables scrambling?The kernel patch discussed in this thread provides a mechanism for unscrambling existing scrambled shows. The tivoapp "superpatch" (really the nocso patch) is a patch that allows new shows to be recorded without scrambling. The two serve different purposes.

The only known conflict between the two (to me anyway) is that shows that you unscramble with the unscramble kernel may continue to have cso keys set for them in their metadata. This can cause playback problems if you don't clear the cso keys. Search for ciphercheck and csoscout for ways to deal with this.

rbreding
01-05-2005, 02:34 PM
Jaime, this is what I have in my serial output when testing on a sd-dvr40 (RID)




## MIPS ## arch-specific shell functions defined
starting test.conf
starting /init/001_bash.init
starting /init/010_lba48.init
bash: no job control in this shell
bash-2.02# Warning: kernel-module version mismatch
/init/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Operation not permitted
monte failed - starting bash on the serial port
bash: no job control in this shell



EDIT: Just as a followup I have a kill'd 3.1.1c installed to the boot partitions.

Jamie
01-05-2005, 03:11 PM
bash-2.02# Warning: kernel-module version mismatch
/init/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20It appears to me that your boot kernel (the one installed in /dev/hda3 or /dev/hda6) is a 2.4.20 kernel. Perhaps from 3.1.5? You should be using the 3.1.1c killhdinitrd kernel, but it appears you are not.

This is before you are even getting to the point where you'd monte to the kernel I built.

Did you have a working monte setup before? What else did you change?

rbreding
01-05-2005, 03:41 PM
I re-ran my restore and went through my steps again to ensure I didn't miss anything and it did boot up this time (thought I had the 3.1.1c installed, but may not have.....)

Anyways, posted the bootlog for inspection, doing a C&D right now.

Are those scramblerkey messages errors or are they to be expected ?

Jamie
01-05-2005, 03:58 PM
Are those scramblerkey messages errors or are they to be expected ?I believe these are due to the fact your 4.0 image came from a machine with a different serial number. They should go away after the
C&D.

{edit: Note that Riley restored the uma6 RID kernel in the RID support thread. If you don't want/need the unscramble patch, you should be using that kernel instead.}

rbreding
01-05-2005, 10:09 PM
The C&D cleared up those issues in question. I was able to boot with your kernel and with the one from riley (now since fixed on the original post).

Did you want to test anything with regards to your kernel as far as the RID system goes ? I still have it on the box and can switch easily enough....

Jamie
01-05-2005, 10:46 PM
The C&D cleared up those issues in question. I was able to boot with your kernel and with the one from riley (now since fixed on the original post).

Did you want to test anything with regards to your kernel as far as the RID system goes ? I still have it on the box and can switch easily enough....Far as I know, nobody has actually tried unscrambling a show on a RID unit with this build. It should just work, so I'm not sure it's worth a special effort to test it. If it turns out not to work, I'm sure someone will let us know ;-)

gregwpb
01-12-2005, 05:59 PM
Hi , I'm a newbie here and trying to understand. So please be kind :) .

I hacked my RID box last weekend to get the HMO option, and now I want to hack my HDVR2 as well. I have a lot of programs that Iwould like to extract (the first 4 hours of 24).

Do I just need to replace the kernel with the one listed in this thread and install tytools?

How can you configure the USB port without having the 4.01 software?

Thanks for all the great work from the Linux guru's here.

eastwind
02-13-2005, 06:08 PM
I have an unhacked DVR80 that I'll try it out on as soon as I get it hacked. Gotta go but a new drive so I can dd it instead of mfs_backup/restore in case I need anything that doesn't normally get backed up (including scrambled streams). Will report back.

ew

eastwind
02-16-2005, 06:48 PM
Got my system hacked. Hughes DVR80 running a killhdinitrd'd 3.1.1c kernel and 3.1.1e software in 3/4 and killhdinird'd 3.1.1c kernel monte'd to s2_unscramble kernel in 6/7. I did take a few steps getting everthing to work, but in the end I was able to mfs_rewrite a scrambled program in place and extract with TyTool's tserver. Before I rewrote it I also extracted it with the tserver_mfs included in the s2_unscramble package. Now I can pull out my other drive with all the scrambled recordings and unscramble them.


ew

ABTsportsline
02-27-2005, 02:06 PM
Hey guys, i hope you can help me on this one.

i vaguely follow what you are doing here. let me tell you my problem and you tell me if this is the right thread to post in or the right thing to do to my tivo.

i have a series 2 unit that has a lifetime subscription paid on it. i also have the home media option (which i paid for and use frequently), AND TiVo to go (to xfer programs to my computer). i have upgraded the HD in the TiVo using a weaknees bracket kit and i added my own HD. i haven't changed the system software or anything else.

1) my dilemma is the programming i transfer. it requires me to type in a password (that i set) every time i want to view the programs. whats worse, if i want to edit those video files to cut out commercials, i cannot as every video editor i have doesn't recognize the video file because of the password protection.

2) what constitues a "hacked" tivo? is my tivo considered "hacked"? does changing the kernel prevent the tivo from retrieving the upcoming programming? does it cancel out my home media option (my house is networked)? does it cancel out my tivo to go feature?

3) if i do what you guys talk about in this thread, will i still be able to use the home media option? if not, is there a similar feature in the hack? (that allows me to view pictures and listen to music from my computer on my tivo.)

Keep in mind i want to be able to edit the programs i transfer, thats my only real need at the moment. i just need to strip that stupid password protection deal... do i need to upgrade the kernel and swap OS's and do all this talk, or is there an easier way to do what i want?

Thanks for your guys help!

alldeadhomiez
02-27-2005, 02:23 PM
Hey guys, i hope you can help me on this one.

i vaguely follow what you are doing here. let me tell you my problem and you tell me if this is the right thread to post in or the right thing to do to my tivo.

i have a series 2 unit that has a lifetime subscription paid on it. i also have the home media option (which i paid for and use frequently), AND TiVo to go (to xfer programs to my computer). i have upgraded the HD in the TiVo using a weaknees bracket kit and i added my own HD. i haven't changed the system software or anything else.

1) my dilemma is the programming i transfer. it requires me to type in a password (that i set) every time i want to view the programs. whats worse, if i want to edit those video files to cut out commercials, i cannot as every video editor i have doesn't recognize the video file because of the password protection.

2) what constitues a "hacked" tivo? is my tivo considered "hacked"? does changing the kernel prevent the tivo from retrieving the upcoming programming? does it cancel out my home media option (my house is networked)? does it cancel out my tivo to go feature?

3) if i do what you guys talk about in this thread, will i still be able to use the home media option? if not, is there a similar feature in the hack? (that allows me to view pictures and listen to music from my computer on my tivo.)

Keep in mind i want to be able to edit the programs i transfer, thats my only real need at the moment. i just need to strip that stupid password protection deal... do i need to upgrade the kernel and swap OS's and do all this talk, or is there an easier way to do what i want?

Thanks for your guys help!

Your post is offtopic. Search for:

TiVo to Go / TTG
killhdinitrd
superpatch

and don't even bother posting again until you've spent several hours or days reading (especially all of the stickies).

eastwind
02-27-2005, 04:23 PM
I've done it. I've now finished unscrambling (in place) all of my programming that was there before hacking the system (60-70 recordings). Now on to make sure that my 'other' LBA48 kernel can play everything and I won't be caching keys anymore.
Thanks,
ew

The BakedTivo
03-09-2005, 06:30 AM
Is that all we need to do with the mod kernel? I am stll kinda a newbie to the series 2

Thanks

ViperX2
03-24-2005, 09:34 AM
While trying to set up the s2_unscramble hack to pull some already encrypted video out of my hr10-250, I got stuck trying to monte the hacked kernel. It took me hours to figure out what I was doing wrong, so I figured I'd share this with everyone.

If you're using a 3.1.5x kernel, you'll need to use Jaime's version of kmonte.o for the 2.4.20 kernel which can be found here (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2).

Here's the step I was getting stuck on:
2. Install the custom kernel containing the s2_unscramble software. The
recommended method for this is to use the killhdinitrd and the
"rc.sysinit.real" approach (search on www.dealdatabase.com).

The instructions on how to do the monte using the "rc.sysinit.real" approach can be found here (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2)

Everything else should be straightforward.

This hack is awesome! No more sleepless nights worrying about weather or nto the encryption has been disabled on all your tivo's.

Thanks to the s2_unscramble team!

Jamie
03-24-2005, 10:30 AM
If you're using a 3.1.5x kernel, you'll need to use Jaime's version of kmonte.o for the 2.4.20 kernel which can be found here (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2).I'm glad the 2.4.20 kmonte.o worked for you, but let repeat the warning I left in the other thread: it doesn't work reliably. It can monte to some kernels, but not to others.

The recommended approach is to monte from a 2.4.4 kernel such as the 3.1.1c kernel.

holeejo
04-18-2005, 01:53 PM
Gang,
I am upgrading to a 120GB disk and planning on using PTVUPGRADE's InstantCake for my version 4 hack. Will I be able to use this Unscramble with this kernel, and how do I get the current shows from old to new drive?

Thanks

ciucca
04-20-2005, 11:42 AM
I would like to install this on a Hughes SD-DVR40 dtivo, that has been modified with a 120G drive and hacked in 6.2, most hacks learned from this board. I assume I can monte to the supplied kernel "vmlinux.px.3.1.5x", by using the techniques listed in other posts.

I plan on using the "kmonte.o" "monte.o" and "check" scripts that Alphwolf posted in the "62init" archive from this post:

http://www.dealdatabase.com/forum/showpost.php?p=216711&postcount=53

I am assuming they are ok for 2.4.20, since the post says they are used for 6.2

After I am done extracting the recordings I want I plan on going back to booting without the monte. Does this seem like a good plan to the experts here? I guess I want to know if anyone has done this on this model dtivo with 6.2 before. I'm going to do it anyway since I think if something goes wrong I can recover by pulling the drive. Just want to know if i am close or way off base.

Thanks,

Ciucca.

eastwind
04-20-2005, 01:48 PM
I would like to install this on a Hughes SD-DVR40 dtivo, that has been modified with a 120G drive and hacked in 6.2, most hacks learned from this board. I assume I can monte to the supplied kernel "vmlinux.px.3.1.5x", by using the techniques listed in other posts.

I plan on using the "kmonte.o" "monte.o" and "check" scripts that Alphwolf posted in the "62init" archive from this post:

http://www.dealdatabase.com/forum/showpost.php?p=216711&postcount=53

I am assuming they are ok for 2.4.20, since the post says they are used for 6.2

After I am done extracting the recordings I want I plan on going back to booting without the monte. Does this seem like a good plan to the experts here? I guess I want to know if anyone has done this on this model dtivo with 6.2 before. I'm going to do it anyway since I think if something goes wrong I can recover by pulling the drive. Just want to know if i am close or way off base.

Thanks,

Ciucca.
Your best bet (even though I don't expect you to have any trouble) is to make a dd backup copy of the drive and work from there. That way all your recordings are still intact if there is a problem. I did this very thing when I was working on mine, but I was still on 3.1.1e when I was working. I know there are issues with mfs_ftp & 6.2, so you might want to consider "unscrambling in place" or TyTool (if you just want the content).

ew

Jamie
04-20-2005, 02:20 PM
I am assuming they are ok for 2.4.20, since the post says they are used for 6.2Just to clarrify one issue that may be confusing: when chainloading with monte, there are two kernel versions involved: the kernel you are coming from and the kernel you going to. Normally the kernel you are coming from will be the killhdinitrd'd 3.1.1c linux 2.4.4 kernel installed in the tivo boot partition. The reason for this is that monte/kmonte.o are known to work reliably there.

I've experimented with chainloading from 2.4.18 and 2.4.20 kernels, but it didn't work reliably. It sometimes worked and sometimes didn't, depending on the from and to kernel. There is some discussion of this in the monte development thread (http://www.dealdatabase.com/forum/showthread.php?t=37225).

ciucca
04-20-2005, 03:29 PM
Just to clarrify one issue that may be confusing: when chainloading with monte, there are two kernel versions involved: the kernel you are coming from and the kernel you going to. Normally the kernel you are coming from will be the killhdinitrd'd 3.1.1c linux 2.4.4 kernel installed in the tivo boot partition. The reason for this is that monte/kmonte.o are known to work reliably there.

I've experimented with chainloading from 2.4.18 and 2.4.20 kernels, but it didn't work reliably. It sometimes worked and sometimes didn't, depending on the from and to kernel. There is some discussion of this in the monte development thread (http://www.dealdatabase.com/forum/showthread.php?t=37225).

Thanks for the warning.

Before I try something I may regret, what are the consequences when it "doesn't work"? Do I lose all my hacks , i.e like running a none killhdinitrd kernel, or does the monte just fail and the unscramble doesn't get chained.


Thanks.

Jamie
04-20-2005, 03:51 PM
Before I try something I may regret, what are the consequences when it "doesn't work"? Do I lose all my hacks , i.e like running a none killhdinitrd kernel, or does the monte just fail and the unscramble doesn't get chained.
Failure scenarios are typically that the chain load fails. It might fail cleanly (e.g. leaving you with a serial bash running on the console, if you've started that), or it might just hang on the monte.

Depending on your setup, if it hangs you may have to pull the drive to repair. If you have a serial cable, you've set your prom password and have a working setup in your alternate boot partitions, you won't have to even do that: after a failure, just boot from the alternative kernel/root partitions and mount/repair the messed up partitions. With a serial cable and a minimal boot environment in the alternate partitions that just runs bash and nothing else, you can experiment quickly interactively at a shell prompt and see what works and what doesn't.

Of course, if you make mistakes (e.g. dd'ing to the wrong partition when installing a kernel) you can wind up trashing your disk and all recordings. So eastwind's suggestion to experiment on a copy is always a good idea.

jeremyclark
04-23-2005, 09:47 PM
I recently set a friend up with a hacked HR10-250, had everything working great, an extra 250gb drive, patched tivoapp so that it would record unscrambled, tserver, the whole works. His son-in-law plays for the Brewers (Brady Clark) so he records all of their games with the sports packages and then archives them and edits them down to show the highlights. Anyway, everything was working fine until my friend plugged in his phone line so that he could order pay-per-view(*sigh*). As a result, his 3.1.5e system was upgraded to 3.1.5f, and none of my hacks were running any longer, including telnet and FTP. Normally I would have started fresh and reinstalled everything, but he has ~20 recordings that he was planning to edit on the drive. So in trying to come up with a solution I found ScrambleThis' unscramble for s2. Sounds like exactly what I need. I am most concerned about unscrambling and archiving these files to my PC for him.

I read through the readme file and this thread, and read the related posts on monte'ing, but I can't seem to get the monte working properly. I've never had to do a monte before, but I understand the general concept and I think I should be able to figure things out. Here's the steps I took so far:

1. killhdinitrd'd the kernel on the drive, so now it boots into my rc.system.author
2. downloaded & copied over the vmlinux.px.3.1.5x, monte, and kmonte.o files and placed them in /monte (per ViperX2's posting, I used Jaime's kmonte.o for the 2.4.20 kernel
3. made sure the files were executable (chmod 755)
4. moved my current rc.sysinit to rc.sysinit.real
5. created a new rc.sysinit with the following in it, set to executable:

#!/bin/bash
# bogus rc.sysinit, checks for monte
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '

bootparm=`/sbin/bootpage -p /dev/hda`

if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte/kmonte.o
/monte/monte /monte/vmlinux.px "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
The result I get upon placing the drive in the Tivo is that it goes into a reboot loop, never getting past the "Welcome. Powering up..." screen.

Any ideas? Am I doing something wrong? I don't have a serial cable, so the echo statements don't do me much good...

Thanks in advance for your thoughts.

Jamie
04-23-2005, 10:33 PM
I used Jaime's kmonte.o for the 2.4.20 kernel
The 2.4.20 kmonte.o does not work reliably. I thought I made that clear in the thread where it was posted and in the posts immediately preceeding your post in this thread. A 'hang' or a reboot loop are a likely outcome. Serial port output would tell us if that is the problem.

Suggestion #1: build or buy a serial cable so you aren't flying blind.

Suggestion #2: Use a killhdinitrd'd 3.1.1c kernel to monte from and use the 2.4.4 kmonte.o. That version has been found to be dependable.

jeremyclark
04-23-2005, 10:55 PM
Yes, Jamie, that was clear form your previous post but ViperX2 seemed to get it to work with the same model, so I thought it might work. What I'm confused by is you suggest trying the 3.1.1c kernel but for the HR10-250 there hasn't been a 3.1.1c kernel, it started with 3.1.5c - would that work as well? I think that's the original one I had. Or will either work if I can find one somewhere? Also, is there a way I can write out the debug info to a log file to see what's going on instead of the echo statements?

Jamie
04-24-2005, 12:09 AM
Yes, Jamie, that was clear form your previous post but ViperX2 seemed to get it to work with the same model, so I thought it might work. What I'm confused by is you suggest trying the 3.1.1c kernel but for the HR10-250 there hasn't been a 3.1.1c kernel, it started with 3.1.5c - would that work as well? I think that's the original one I had. Or will either work if I can find one somewhere? Also, is there a way I can write out the debug info to a log file to see what's going on instead of the echo statements?It might well be that since ViperX2 got it to work, you can too. Just warning you that it is hit or miss and you'll definitely want a serial cable so you can see what's going on.

The kernel you monte from just needs to run long enough to do the monte to the new kernel. It has to be compatible enough with the hardware to get that far. I believe the 3.1.1c kernel is known to boot on all series 2 hardware , incuding the HR10-250.

At the point that the monte is run, the root file system is mounted read only, and var isn't mounted yet. You might be able to figure out how to mount /var and redirect the monte command stderr output to a log, but a serial cable is cheap and a heck of a lot easier. If you don't feel like making one, check out 9thtee.com.

jeremyclark
04-24-2005, 01:52 AM
The kernel you monte from just needs to run long enough to do the monte to the new kernel. It has to be compatible enough with the hardware to get that far. I believe the 3.1.1c kernel is known to boot on all series 2 hardware , incuding the HR10-250.
Okay, so I just tried a couple things with no success. First, I dd'd a clean 3.1.5 kernel from the files section, then killhdinitrd'd it. Tried a monte from this kernel to the 3.1.5x in ScrambleThis's download, using the kmonte.o for 2.4.4, but got the same reboot loop.

Then I tried the exact same thing but with a clean 3.1.1c kernel from the files section, as you suggested. This resulted in the same reboot loop. So I removed the drive, and when I mounted the root file system (partition 4 in this case), I noticed that my /monte directory was there, but no longer had any files in it. Also, the /etc/rc.d file had reverted to the default with none of the author files in it. I copied over my rc.sysinit.author from my partition 7 and rebooted the Tivo but nothing happened.

Now, no matter what kernel I try I can no longer get the Tivo to boot up at all, it's always in a constant reboot loop. I'm kind of at a loss of what to do next. Since the rc.sysinit is the default one I'm no longer even doing a monte yet it's in the reboot loop. Did I royally screw this up by trying to load the 3.1.1c kernel on an HR10-250??

Jamie
04-24-2005, 11:54 AM
Okay, so I just tried a couple things with no success. First, I dd'd a clean 3.1.5 kernel from the files section, then killhdinitrd'd it. Tried a monte from this kernel to the 3.1.5x in ScrambleThis's download, using the kmonte.o for 2.4.4, but got the same reboot loop.Won't work. A 2.4.4 kmonte.o wont modload when you are running a 2.4.20 kernel.
Then I tried the exact same thing but with a clean 3.1.1c kernel from the files section, as you suggested. This resulted in the same reboot loop. So I removed the drive, and when I mounted the root file system (partition 4 in this case), I noticed that my /monte directory was there, but no longer had any files in it. Also, the /etc/rc.d file had reverted to the default with none of the author files in it. I copied over my rc.sysinit.author from my partition 7 and rebooted the Tivo but nothing happened.You did run killhdinitrd on the 3.1.1c kernel, didn't you? Sounds like you booted a non killlhdinitrd'd kernel, which wiped out your files.
Now, no matter what kernel I try I can no longer get the Tivo to boot up at all, it's always in a constant reboot loop. I'm kind of at a loss of what to do next. Since the rc.sysinit is the default one I'm no longer even doing a monte yet it's in the reboot loop. Did I royally screw this up by trying to load the 3.1.1c kernel on an HR10-250??If you booted with a kernel that hadn't been neutered with killhdinitrd, you might have wiped out any hacks you have done. You'll need to rehack.

It's hard to help you much further without serial console output.

jeremyclark
04-24-2005, 07:16 PM
Thanks for your patience, Jamie! I was able to piece together a serial cable and boy does that ever make a difference! By using that I was able to troubleshoot my reboot issue, which had to do with needing to change my boot partition back to partition 6 instead of partition 3 (partition 6 was the partition for 3.1.5c, what I'm restoring from, but when it had upgraded itself it had switched the bootpage to 3). So, now I'm finally able to figure out what's going on with my monte setup and unscramble.

I tried quite a few variations, which each yield different results. A few seem to suggest that it montes the alternate kernel, but then it reboots itself and gets in a reboot loop. It did not allow me to boot the HD Tivo from the 3.1.1c kernel at all ("Unable to mount root fs" kernel panic) - but then that was the same error I was getting before I switched the boot partition. I definitely killhdinitrd'd all of these kernels before attempting to load them.

Below are the log files, hopefully they shed some light for you. Any further suggestions are definitely appreciated!

from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.20

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87f8
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.1x using kmonte.o 2.4.4

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ Warning: kernel-module version mismatch
/monte/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Operation not permitted
monte sysinit wrapper complete, you're on your own
<< * reboots here * >>


from 3.1.1c killhdinitrd'd to 3.1.1x using kmonte.o 2.4.4

...
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Starting kswapd v1.8
block: queued sectors max/low 19709kB/6569kB, 64 slots per queue
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: WDC WD2500LB-55EDA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/2048KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Kernel panic: VFS: Unable to mount root fs on 03:07
Rebooting in 1 seconds..


from 3.1.5c killhdinitrd'd to 3.1.1x using kmonte.o 2.4.20

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x1241a0) at 0x87fc
a000
monte: total pages used: 294 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.4

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87f7
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>


from 3.1.5 killhdinitrd'd to 3.1.5x using kmonte.o 2.4.18

...
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ Warning: kernel-module version mismatch
/monte/kmonte.o was compiled for kernel version 2.4.18
while this kernel is version 2.4.20
monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x87fc
a000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code
<< * reboots here * >>

Jamie
04-25-2005, 12:16 AM
I didn't see you try the combination of kernels you should be using:

From a killhdinitrd'd 3.1.1c using kmonte.o compiled for 2.4.4 to the 3.1.5 unscramble custom kernel in this thread. Give that one a try and report the results. Be sure you have your bootpage properly setup with the right root and kernel partitions.

Spend a little time thinking about why this is the right combination of from and to kernels and kmonte.o's. It's worth it to help establish a clear understanding of the monte/chainload concept. Trying all combinations and looking at the results is an interesting approach, but I think you'll come to the desired result faster by reasoning about it.

jeremyclark
04-25-2005, 02:59 AM
I didn't see you try the combination of kernels you should be using: From a killhdinitrd'd 3.1.1c using kmonte.o compiled for 2.4.4 to the 3.1.5 unscramble custom kernel in this thread. Give that one a try and report the results. Be sure you have your bootpage properly setup with the right root and kernel partitions.
I didn't try that specific configuration after the first time it failed to boot from the 3.1.1c kernel, it seems that it's failing to even mount the root filesystem before it even attempts the monte. Just to be sure, I tried as you suggested (from 3.1.1c killhdinitrd'd kernel to 3.1.5x custom kernel using kmonte.o compiled for 2.4.4) and got the same results:

hda: WDC WD2500LB-55EDA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/2048KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Kernel panic: VFS: Unable to mount root fs on 03:07
Rebooting in 1 seconds..
This is with the bootpage set to:

root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false

Just for kicks and giggles, I duped partition 6 to 3 and 7 to 4 and set the bootpage root parameter and boot parition appropriately and it yielded the same results as well.

Spend a little time thinking about why this is the right combination of from and to kernels and kmonte.o's. It's worth it to help establish a clear understanding of the monte/chainload concept. Trying all combinations and looking at the results is an interesting approach, but I think you'll come to the desired result faster by reasoning about it.
I do try to think things through before attempting them, but then when those don't work sometimes I take shots in the dark when I don't see any other alternatives. If there's something I'm missing I'd really like to know!

Has anyone successfully booted an HR10-250 to a 3.1.1c kernel? I was under the impression that it required at least 3.1.5 for the LB48 support. Has anyone besides ViperX2 succesfully used this s2 unscramble on an HR10-250?

rc3105
04-25-2005, 03:55 AM
the 3.1.1c kernel (2.4.4) will boot a hr10-250 just fine

however

initial root and the chainloaded kernel must be below the lba48 boundry (137 gig) where the lba24 3.1.1c kernel and monte can "see" them ;)


either move partitions around (pita) or monte from a killhdinitrd'd lba48 3.1.5 (2.4.20) into a killinitrd or noscramble-custom 2.4.20


*here's an excercise for anyone with a clue and too much time on their hands - recompile monte to chainload from the original kernel partition, then figure out how to store monte/utils in there as well :D

Jamie
04-25-2005, 08:41 AM
initial root and the chainloaded kernel must be below the lba48 boundry (137 gig) where the lba24 3.1.1c kernel and monte can "see" them ;)


either move partitions around (pita) or monte from a killhdinitrd'd lba48 3.1.5 (2.4.20) into a killinitrd or noscramble-custom 2.4.20
Riley nailed it. I should have remembered that, since that was the original reason I compiled kmonte for 2.4.20. It can't mount the root because it is probably over the lba28 mark (137GB). Look at the partition table with pdisk and check whether any of partitions 3,4,6,7 end above sector 268435456.

The problem with monte'ing from 3.1.5 is that it doesn't work reliably. It appears that you tried it, and it reboots immediately after the monte. I guess it is time to try to figure out why monte doesn't always work from 2.4.18 and 2.4.20.

jeremyclark
04-25-2005, 09:39 PM
Riley nailed it. I should have remembered that, since that was the original reason I compiled kmonte for 2.4.20. It can't mount the root because it is probably over the lba28 mark (137GB). Look at the partition table with pdisk and check whether any of partitions 3,4,6,7 end above sector 268435456.Seems like that is the issue:

Partition map (with 512 byte blocks) on '/dev/hdc'
# type name length base (size)
1 Apple_partition_map Apple 63 @ 1
2 Image Bootstrap 1 4096 @ 484709440 (2.0M)
3 Image Kernel 1 4096 @ 484713536 (2.0M)
4 Ext2 Root 1 262144 @ 484717632 (128M)
5 Image Bootstrap 2 1 @ 484979776
6 Image Kernel 2 8192 @ 484979777 (4.0M)
7 Ext2 Root 2 524288 @ 484987969 (256M)
The problem with monte'ing from 3.1.5 is that it doesn't work reliably. It appears that you tried it, and it reboots immediately after the monte. I guess it is time to try to figure out why monte doesn't always work from 2.4.18 and 2.4.20.It'd be wondeful if the 2.4.20 monte code worked as you're saying. I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.

Jamie
04-25-2005, 11:39 PM
It'd be wondeful if the 2.4.20 monte code worked as you're saying.I'll take a look at it again, but I'm afraid it's a bit over my head, so I'm not sure I'll be able to figure out what the problem is with 2.4.20.
I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.By far the easiest way is with a second disk at least as large as the one you are using now: simply do a backup|restore pipeline that preserves recordings, but don't "optimize" the partition layout (leave off -p in the restore). This should leave partitions 1-9 all well below the 137GB mark.

rc3105
04-26-2005, 02:31 AM
Seems like that is the issue:

Partition map (with 512 byte blocks) on '/dev/hdc'
# type name length base (size)
1 Apple_partition_map Apple 63 @ 1
2 Image Bootstrap 1 4096 @ 484709440 (2.0M)
3 Image Kernel 1 4096 @ 484713536 (2.0M)
4 Ext2 Root 1 262144 @ 484717632 (128M)
5 Image Bootstrap 2 1 @ 484979776
6 Image Kernel 2 8192 @ 484979777 (4.0M)
7 Ext2 Root 2 524288 @ 484987969 (256M)It'd be wondeful if the 2.4.20 monte code worked as you're saying. I might be able to manage moving the partitions like Riley suggested, but I'd need to study up on it first as I've never done anything like that on Linux before. Any pointers would be very helpful.
<unbridled optomism>
can you post the entire hda partition map? something has to start at block 64, if it's 8,9 or > 2 meg of Apple_free_extra the partition shuffle might not be so bad
</unbridled optomism>


alternate gameplan, take this with a grain of salt since it's been forever and my memory may not be 100%

a "mfstool backup|restore pipeline" won't preserve the CommercialSkipOffset attributes so those 20 or so scrambled recordings on the cloned drive will be useless. you'll have to back them up as tmf via mfs_ftp, clone a working drive as jamie suggested, install the unscramble_this kernel, insert the recordings, then unscramble them (in place or during extract)

*you could also clone the drive and use the /var/mfs_ftp/cache/*.xml files and a script built with procedures copied out of mfs_ftp to restore the CommercialSkipOffset attributes, but that probably deserves it's own thread if you decide to try it - if for example there were 400 gig of hd recordings that would take forever to network back & forth

Jamie
04-26-2005, 08:59 AM
a "mfstool backup|restore pipeline" won't preserve the CommercialSkipOffset attributes so those 20 or so scrambled recordings on the cloned drive will be useless. Huh? I'd swear I've done full backups (with recordings) of unhacked drives with scrambled recordings and had the recordings still play on the target drive. I believe mfstool preserves all recording attributes. What am I missing here?

eastwind
04-26-2005, 12:06 PM
I know I've done full backups with scrambled recordings, but I did them with dd instead of a piped mfsbackup | mfsrestore. But I don't know why mfstools wouldn't keep the CommercialSkipOffset attributes as it is for expansion not for disabling encryption.

just my 2 cents worth,
ew

Jamie
04-26-2005, 12:12 PM
I know I've done full backups with scrambled recordings, but I did them with dd instead of a piped mfsbackup | mfsrestore. But I don't know why mfstools wouldn't keep the CommercialSkipOffset attributes as it is for expansion not for diabling encryption.

just my 2 cents worth,
ewI still believe a piped backup|restore will preserve scrambled recording CSO keys. Hey, it's in the Hindsdale guide, it must be right! On the other hand, Riley has a record of consistently catching my errors, so I might be missing something.

If the backup|restore won't work, one could do a dd style backup, partition by partition. You'd have to handcraft the partition table on the destination disk with pdisk to make sure the important partitions (3,4,6,7) are all below the lba28 mark.

In the meantime, I'll try to play around some more with the 2.4.20 monte to see if I can find any pattern to failures.

jeremyclark
05-01-2005, 10:28 PM
Well, this does at least sound quite promising. I attempted an mfsbackup | mfsrestore, but since I had expanded the HR10-250 to use two 250gb drives, it complained about the second drive being missing. After attaching both drives I tried to copy and restore the combined volumes to a single 250gb drive but there are enough recordings to cause it to be too large. So I setup up a partition table manually on a new 250gb drive and have been dd'ing one partition at a time. I'm on the last one now - I had forgotten to turn on DMA on the first media partition and at 216gb it took over 24 hours! I enabled DMA and hopefully this last partition will be ready shortly and I can put it in the Tivo and verify that it works before trying the monte.

A couple quick questions I had - with pdisk I used the "c" option rather than "C" as I read that tivo igores the actual type names. Is that okay? they all show up as "APPLE_UNIX_SRV2" type right now (except for the 1st partition). Also, since this is a new drive that's essentially a clone of the old one but with partitions at different blocks, should I expect to run into Error 51?

I'll keep you posted on how it goes with the monte.

jeremyclark
05-02-2005, 12:41 AM
Okay, here's what I did:
- got an identical disk (WD 250gb)
- manually created a partition table using pdisk from the boot disc:

Partition map (with 512 byte blocks) on '/dev/hdc'
# : type : name : length : base : size
1: Apple_partition_map : Apple : 63 : 1
2: Apple_UNIX_SVR2 : Bootstrap 1 : 4096 : 64 : (2.0M)
3: Apple_UNIX_SVR2 : Kernel 1 : 4096 : 4160 : (2.0M)
4: Apple_UNIX_SVR2 : Root 1 : 262144 : 8256 : (128.0M)
5: Apple_UNIX_SVR2 : Bootstrap 2 : 1 : 270400
6: Apple_UNIX_SVR2 : Kernel 2 : 8192 : 270401 (4.0M)
7: Apple_UNIX_SVR2 : Root 2 : 524288 : 278593 (256.0M)
8: Apple_UNIX_SVR2 : Linux Swap : 260096 : 802881 (127.0M)
9: Apple_UNIX_SVR2 : /var : 262144 : 1062977 (128.0M)
10: Apple_UNIX_SVR2 : MFS Application region : 1048576 : 1325121 (512.0M)
11: Apple_UNIX_SVR2 : MFS media region : 216091648 : 2373697 (103.G)
12: Apple_UNIX_SVR2 : Second MFS app region : 1048576 : 218465345 (512.0M)
13: Apple_UNIX_SVR2 : Second MFS media region : 268617728 : 219513921 (128.1G)
14: Apple_Free : Extra : 265519 @ 488131649 (129.6M)
- used dd to copy over each partition, one by one
- used bootpage to set the correct parameters and boot partition
- put the disk back in the Tivo and booted up to test (no problems)
- put the disk back in the PC, dd'd over the kernel partition (6) with 3.1.1c
- ran killhdinitrd, it confirmed it applied it to 3.1.1c
- set it up to monte to 3.1.5 included with this unscramble package, along with Jamie's kmonte.o compiled for 2.4.4

Result: I seem to be able to boot the root partition now, monte says it's loaded the kernel image, then it goes into a reboot loop. Here's the boot log:

Linux version 2.4.4-TiVo-3.0 (build@buildmaster10) (gcc version 3.0) #9 Wed Jan
7 10:05:19 PST 2004
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware
=false
Monotonic time calibrated: 81.00 counts per usec
Calibrating delay loop... 161.38 BogoMIPS
Contiguous region 0: 1048576 bytes
Contiguous region 1: 131072 bytes
Contiguous region of 1179648 bytes reserved at 0x81ee0000.
Memory: 29772k/32768k available (1029k kernel code, 2996k reserved, 71k data, 60
k init)
Dentry-cache hash table entries: 4096 (order: 3, 32768 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 2048 (order: 2, 16384 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Probing PCI hardware
ttyS00 at iomem 0xb4100100 (irq = 79) is a 16550A
ttyS00 at port 0xbc010000 (irq = 133) is a unknown
ttyS00 at iomem 0xb4100140 (irq = 81) is a 16550A
ttyS00 at iomem 0xb4100120 (irq = 80) is a 16550A
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Starting kswapd v1.8
block: queued sectors max/low 19709kB/6569kB, 64 slots per queue
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: WDC WD2500JB-00FUA0, ATA DISK drive
hdb: WDC WD2500JB-00FUA0, ATA DISK drive
ide0 at 0x400-0x407,0x438 on irq 87
hda: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

hdb: 268435455 sectors (137439 MB) w/8192KiB Cache, CHS=266305/16/63<7>fpga_ide_
dmaproc: unsupported ide_dma_verbose func: 11

Partition check:
hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13
hda14
hdb: [mac] hdb1 hdb2 hdb3[M]
Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0x0100 (irq = 79) is a 16550A
ttyS01 at 0xbc010000 (irq = 133) is a unknown
ttyS02 at 0x0140 (irq = 81) is a 16550A
ttyS03 at 0x0120 (irq = 80) is a 16550A
PPP generic driver version 2.4.1
PPP Deflate Compression module registered
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 60k freed
sp="" must be first pass, trying to run monte
bash: no job control in this shell
(none):/$ monte: Two-kernel Monte for MIPS (Version 0.1)
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: loaded kernel image (target load_addr=0x80002000, len=0x14f780) at 0x81b9
2000
monte: total pages used: 337 for image, 2 for indirect tables, 1 for reload code

Any ideas where I went wrong? I know I didn't type the partitions as I may have needed to, but I had read that Tivo doesn't look at the types. Looking at my new partition table, it seems that partitions 3,4,6,7 end well below sector 268435456. And since it mounted the root fs, I don't think this is the problem. Any suggestions as to what I should try next?

Jamie
05-02-2005, 09:48 AM
Any ideas where I went wrong? I know I didn't type the partitions as I may have needed to, but I had read that Tivo doesn't look at the types. Looking at my new partition table, it seems that partitions 3,4,6,7 end well below sector 268435456. And since it mounted the root fs, I don't think this is the problem. Any suggestions as to what I should try next?I think you did everything fine. After all that, it appears that you are having the same problem with the 2.4.4 monte that you did with the 2.4.20 version.

Are you sure the kernel you are monteing into isn't corrupt? Here's the md5sum I get on it:
% md5sum vmlinux.px.3.1.5x
f2158f170e1cb6983d229d7694bd003e vmlinux.px.3.1.5x

I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.

jeremyclark
05-02-2005, 11:09 PM
Are you sure the kernel you are monteing into isn't corrupt? Here's the md5sum I get on it:
% md5sum vmlinux.px.3.1.5x
f2158f170e1cb6983d229d7694bd003e vmlinux.px.3.1.5x
I get the exact same results for vmlinux.px.3.1.5x. Good thought though.

I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.
Thanks, that would be wonderful. I'm still curious as to how ViperX2 was able to get his going! Viper? Any thoughts?

Jamie
05-03-2005, 02:42 AM
I'll try to replicate your situation. I don't have the same hardware, but I can still monte from&to the same kernels to see if it works for me.I just tried, and I can monte fine from the 3.1.1c kernel to the vmlinux.px.3.1.5x kernel posted in this thread. Log attached. I booted with a rc.sysinit that just brings up a bare bash, then did the rest from the command line as shown in the log.

In looking more carefully at your log above, I do now see something strange: a bash prompt intermixed with the console output:
bash: no job control in this shell
(none):/$It appears to me that you have an interactive bash running on the console concurrent with the monte load. Is there any chance you have something else running before rc.sysinit? If you do, that's likely to be causing the problem. You really want as little as possible running before you do the monte. Loading usb modules, for example, is known to cause problems.

At this point, your best bet may be to do what I did: boot to a bare bash and try things from the serial console. See if you can figure out what works from there.

jeremyclark
05-03-2005, 06:35 PM
In looking more carefully at your log above, I do now see something strange: a bash prompt intermixed with the console output:
bash: no job control in this shell
(none):/$It appears to me that you have an interactive bash running on the console concurrent with the monte load. Is there any chance you have something else running before rc.sysinit? If you do, that's likely to be causing the problem. You really want as little as possible running before you do the monte. Loading usb modules, for example, is known to cause problems.
I don't think I have anything else running, unless something in the rc.sysinit.bogus is causing that. I'm using the version from Nutkase's thread (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2), where he's posted Riley's version. The only difference is I uncommented his /bin/bash line because I'm "paranoid" - could that be causing it? Here (http://www.colorchemist.com/temp/unscramble_inits.zip) are my rc.sysinit files if you care to check them out.

At this point, your best bet may be to do what I did: boot to a bare bash and try things from the serial console. See if you can figure out what works from there.
I've never done this either, but I'm willing to try. Would I essentially remove the second half of the .bogus file so that it's just setting up the paths, TERM and the prompt? then follow the commands in the log you posted?

Jamie
05-03-2005, 07:22 PM
I don't think I have anything else running, unless something in the rc.sysinit.bogus is causing that. I'm using the version from Nutkase's thread (http://www.dealdatabase.com/forum/showpost.php?p=182539&postcount=2), where he's posted Riley's version. The only difference is I uncommented his /bin/bash line because I'm "paranoid" - could that be causing it? Here (http://www.colorchemist.com/temp/unscramble_inits.zip) are my rc.sysinit files if you care to check them out.

I've never done this either, but I'm willing to try. Would I essentially remove the second half of the .bogus file so that it's just setting up the paths, TERM and the prompt? then follow the commands in the log you posted?
It's really a long shot, but you might try commenting out the 'paranoid' bash, just on the off chance it is causing the problem. I'm sure it is why the bash prompt is interspersed in your output, but I doubt it is causing the problem. You never know though.

I've attached my minimal rc.sysinit. Use this in place of the standard one if you just want to boot up a bare bash. You might need to alter the PATH to reflect your tivo hacks directory. You might also need to go find setsid (http://www.dealdatabase.com/forum/showthread.php?p=189425&highlight=setsid#post189425) to use it as is.

Once you've booted a bare bash you should be able to try out the commands you'd put in the script to see what they do. It's easier (at least for me) than changing the script each time and looking at the logs after the fact.

One thing that hasn't been clear to me: right after you monte, what's the very next thing you see? You say it goes into a reboot loop, but it would help if you showed the exact output. Is there any sort of kernel crash output? Or does it start right right at the top again and repeat the exact console output from the previous boot (starting at "Linux version-2.4.4-TiVo-3.0" ...)?

jeremyclark
05-04-2005, 03:43 AM
First of all, thanks a bunch to Jamie for helping me through all of these issues, and secondly to ScrambleThis for a great solution! I was finally succesfull in getting this working on my HR10-250 and am backing up all of the recordings, unscrambled as I type this.

It turned out that in my rc.sysinit.bogus file, I had a typo (doh!) - I used single quotes (') when setting the bootparm instead of graves (`). This only became apparent after booting up to a bare bash shell as Jamie suggested and typing in the commands one by one as in his log. When I did the "echo $bootparm" and I got the command I had typed in quotes instead of the value of that command, I realized what had happened. As I was afraid of messing up the file by copying and pasting, since it was short enough I thought I would just type it in, and I missed the subtle (but essential!) difference between the two characters.

Once it succesfully monte'd, however, the setup that I was using (monte from 3.1.1c to custom unscramble 3.1.5 via the kmonte.o compiled for 2.4.4) did not work. The monte worked, but after showing about a 90% progress meter in acquiring "information" from satellite, it went to a blank screen and stayed there. I waited for 10 minutes but nothing. I had telnet so I shutdown, took out the drive and put it back in the PC. Then I decided to try the exact same setup that ViperX2 suggested earlier in this thread for the HR10-250: monte from 3.1.5 to custom unscramble 3.1.5 via the kmonte.o compiled for 2.4.20. This worked perfectly! After it booted up, I played one previously scrambled recording for a few seconds, verified the kernel log as instructed, all systems checked, then used the custom vserver to download the recording via TyTools and bam! there it is. A beautiful thing when it works out!

Thanks again for all the help! I owe you a debt of gratitude!

Jamie
05-04-2005, 09:02 AM
It turned out that in my rc.sysinit.bogus file, I had a typo (doh!) - I used single quotes (') when setting the bootparm instead of graves (`). This only became apparent after booting up to a bare bash shell as Jamie suggested and typing in the commands one by one as in his log. Glad you finally found resolution. In an effort to catch any typos, I was cutting and pasting my commands from your rc.sysinit in post #50, but the typo wasn't in that version. Sorry I led you down a complicated wild goose chase. Sometimes that's the way debugging goes.

FoundSheep
05-10-2005, 03:17 AM
Couldn't someone just apply killhdinitrd to one of the provided unscramble kernels (3.1.1 or 3.1.5 depending on your software), replace the bootable kernel with that one, load the unscramble specific extraction tools, and unscramble to your heart's content? Then once you're done unscrambling, you could overwrite that kernel with a stock killhdinitrd kernel and apply the nocso patch, and replace the unscramble specific extraction tools with the standard ones.

Am I missing something?

Jamie
05-10-2005, 09:08 AM
Am I missing something?Yes. Think about where this would fail to break the chain of trust (http://www.dealdatabase.com/forum/showpost.php?p=197479&postcount=2). When in doubt, try it, and see what happens.

FoundSheep
05-10-2005, 03:23 PM
Link 3: The prom checks the kernel for a signature verifying it's unchanged. This signature cannot be faked, if the test fails the prom halts.

Thanks for that link, I get it...The unscramble kernel will not pass the prom's signature checking since it's modified in areas that are signature checked. (unlike killhdinitrd, which alters a portion of the kernel which is not signature checked, allowing it to bypass the subsequent initrd function).

kautrey
05-10-2005, 10:17 PM
Hi -

I'm having a weird problem that maybe someone else has had and can help me out with.

I've got a HDVR2 - running 3.1.1e. I've hacked it - using a 3.1.1c killhdinitrd'd kernel to boot into the s2_unscramble kernel.

I went through my Now Playing list and played a few seconds of each program that I want scrambled. I saw the kernel spit out the "X chunk keys cached" messages.

Next, I copied over the various mfs_ftp files from the s2_unscramble tarball - and started up mfs_ftp.

From a PC, I was able to connect to mfs_ftp and I transferred two of the shows over to the PC.

Next, sent the shows - via mfs_ftp (NOT the s2_unscrable mfs_ftp files) - to another HDVR2 that I have (happily hacked and running 4.0.1b since last December).

While unscrambled show is uploading to the 4.0.1b HDVR2, I get the little red "recording" ball in the Now Playing list - and I can play the show. It's perfect!

Here's the weird part: Once the transfer is complete - the show entry remains on the Now Playing list - but when you go to play it, it immediately give you the "Delete Now" or "Do Not Delete" options. If "Do Not Delete" is selected, you get the "bong" sound that says there was a problem playing the recording. That is - NO part of the program is able to be viewed on the target TiVo.

Anybody seen this before? Anybody know what I'm doing wrong?

Seems like the unscramble went okay, since I'm able to play any of it on the destination TiVo... Is this the "some issues arose during insertion attempts" that is referenced in the README file of the s2_unscrable packages?

Help?

Regards,
Kevin

Edited: to clarify that all mfs_ftp files from s2_unscramble package were being copied over per the README instructions

Jamie
05-10-2005, 10:37 PM
Anybody seen this before? Anybody know what I'm doing wrong?yep and yep. Go back to the README file from the package and pay particular attention to the discussion of "CommercialSkipOffset". Also, search this forum for csoscout.tcl. I think it's in the " How to disable tystream encryption..." thread.

kautrey
05-10-2005, 11:01 PM
Hi Jamie -

I thought the CommercialSkipOffset (kcso) script was only relevant if doing an "in-place" unscramble. I'm going through the mfs_ftp tools...

Looking back in the README file, I see mention of CommercialSkipOffset - but that's in the "in-place" unscramble section...

Doing more research...

Kevin

Jamie
05-10-2005, 11:07 PM
Hi Jamie -

I thought the CommercialSkipOffset (kcso) script was only relevant if doing an "in-place" unscramble. I'm going through the mfs_ftp tools...

Looking back in the README file, I see mention of CommercialSkipOffset - but that's in the "in-place" unscramble section...I guess the README does make it sound like that, but it is also relevant if you are reinserting the shows onto a tivo after extraction.

The problem is the metadata says that the show is encrypted (through the CommercialSkipOffset value), but the show is not encrypted. Go read AlphaWolf's posts in the "How to disable tystream encryption...". And I recommend you use csoscout.tcl instead of kcso.tcl -- it's safer.

kautrey
05-10-2005, 11:41 PM
Hi Jamie -

Thanks for your help on this - and thanks for the comment about the README file throwing me off track.

Taking your suggestion, I did run csoscout.tcl on the v4.0.1b HDVR2 and once it was finished, my unscrambled/downloaded/uploaded programs were completely playable.

Again, thank you for your help.

Regards,
Kevin

DrTusk
06-06-2005, 03:25 AM
I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)

94SupraTT
06-06-2005, 11:32 AM
I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)
Were you able to unscramble? I am thinking about trying to unscramble on my 6.2 box and would like to know if you were able to.

DrTusk
06-06-2005, 11:42 AM
yes, after I set up the static ip stuff, I was able to connect to it and unscramble. I used the mfs_ftp method to extract.

94SupraTT
06-06-2005, 05:04 PM
yes, after I set up the static ip stuff, I was able to connect to it and unscramble. I used the mfs_ftp method to extract.


Cool. I am going to have to read up on monte. I have a virgin 6.2 drive that has some (scrambled) NFL games that I want to get off it. I plan on backing it up to another drive and hacking it.

94SupraTT
06-08-2005, 02:48 PM
I have DTivo w/ 6.2 installed with 3.1.5 kernel from PTVUpgrade. I'm using the rc.sysinit.real method with the 2.4.20 kmonte.o and vmlinux.px 3.1.5x file. Tivo boots fine and from the logs it appears the kernel is being loaded, but there is no networking. The USB and hub lights are on, but it never acquires an IP address.

I see a few lines like this in the log which is my only guess to the problem.

Jun 6 03:53:18 (none) kernel: iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Jun 6 03:53:18 (none) kernel: Perhaps iptables or your kernel needs to be upgraded.

This one is also suspicious

Jun 6 04:26:21 (none) kernel: /lib/modules/af_packet.o: unresolved symbol sk_run_filter

I've attached the kernel log.

The kernel seems to be working as I see a line in there.

Jun 6 07:02:31 (none) kernel: add_only: 2403569106,1,0,0,2672450029,1620835734,258783841,3516275162|8016fd70,13,0,131072,256,1

EDIT: Figured it out... switching to use a static IP instead of DHCP. Happened to see a random post mentioning sk_run_filter and got lucky :)

I'm having the same problem. Did you have networking before you monted the drive? I did. I just renamed /tivo/etc/netfilter-enable to tivo/etc/netfilter-notenabled to do so. Now I dont' have networking after the monte.


edit-Jamie just let me know that DHCP was the issue and I need to switch to a static IP because the kernel monted into does not work with dhcp.

94SupraTT
06-09-2005, 11:08 AM
I can't obtain a list in tytool. I am running Alphawolf's version of NowShowing.tcl both are in /hack and both have been chmod 755. My execute string in tytool is...



/hack/tserver_mfs -s /hack/NowShowing.tcl


Also, the tserver_mfs is the scramble one. I just can't seem to obtain the NowShowing list. Help please.

This is what I get from bash.



bash-2.02# ./tserver_mfs
Switching to low priority...
Waiting for an incoming connection!
SERVER: We got a message! buf = 'SHOWING'
invalid attribute: TimeZone
while executing
"dbobj $setup get TimeZone"
("uplevel" body line 16)
invoked from within
"uplevel $body"
invoked from within
"transaction {uplevel $body}"
(procedure "RetryTransaction" line 5)
invoked from within
"RetryTransaction {
if {$version5} {
set lconfig [db $db open /State/LocationConfig]
set tzval [dbobj $lconfig get TimeZoneOffs..."
(procedure "GetConfig" line 28)
invoked from within
"GetConfig"
(file "./NowShowing.tcl" line 278)
Waiting for an incoming connection!

And before anyone recommends changing to a version of tserver that doesn't require NowShowing...I can't because I need to use this specific version of tserver to get the scrambled shows off.

Jamie
06-09-2005, 11:54 AM
It looks to me like your NowShowing.tcl still doesn't support the newer MFS structures that use TimeZoneOffset rather than TimeZone. Looking at AW's script, it looks like it only supports tivo software versions up to 5, but not 6 and 7. You should be able to tweak it easily to support the newer versions. IIRC, all versions after 4.x use the same MFS structures for keeping track of the time zone.

Alternatively, there's a NowShowing.tcl in the mfs_* package. Try that one. I believe it does a better version check than AW's and assumes that all software versions >4 use the new timezone MFS data structures.

94SupraTT
06-09-2005, 12:16 PM
It looks to me like your NowShowing.tcl still doesn't support the newer MFS structures that use TimeZoneOffset rather than TimeZone. Looking at AW's script, it looks like it only supports tivo software versions up to 5, but not 6 and 7. You should be able to tweak it easily to support the newer versions. IIRC, all versions after 4.x use the same MFS structures for keeping track of the time zone.

Alternatively, there's a NowShowing.tcl in the mfs_* package. Try that one. I believe it does a better version check than AW's and assumes that all software versions >4 use the new timezone MFS data structures.

Still unable to obtain the list using the mfs_* version of NowShowing.tcl. I was curious what would happen if I launched it the mfs_* NowShowing.tcl from bash and I got the following..



<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<Revelations><FSID>:<448358/11><TyStream>:</486648/486654><TotalSize>
:<881>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<Oubliette><FSID>:<448357/11><TyStream>:</486614/486634><TotalSize>:<
908>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<The Walk><FSID>:<448356/11><TyStream>:</486570/486592><TotalSize>:<8
58>
<Title>:<The X-Files><Day>:<Wed><Date>:<3/30><Year>:<3/30/05><Station>:<TNT><Epi
sodeTitle>:<2Shy><FSID>:<451147/11><TyStream>:</486501/486550><TotalSize>:<832>
<Title>:<Scrubs><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WAVY><Episode
Title>:<My Boss's Free Haircut><FSID>:<448797/11><TyStream>:</486085><TotalSize>
:<480>
<Title>:<Scrubs><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WAVY><Episode
Title>:<My Cake><FSID>:<448796/11><TyStream>:</486079><TotalSize>:<496>
<Title>:<All of Us><Day>:<Tue><Date>:<3/29><Year>:<3/29/05><Station>:<WGNT><Epis
odeTitle>:<Movin' on Up><FSID>:<485912/22><TyStream>:</486008/486012><TotalSize>
:<480>
<Title>:<The Bachelor><Day>:<Mon><Date>:<3/28><Year>:<3/28/05><Station>:<WVEC><E
pisodeTitle>:<><FSID>:<474001/257><TyStream>:</482617/482694/482704/482709/48275
8/482816/482832><TotalSize>:<2106>
<Title>:<The Surreal Life><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:<VH1
><EpisodeTitle>:<Seven Celebrities of Death><FSID>:<478995/11><TyStream>:</47904
1/479044><TotalSize>:<608>
<Title>:<Arrested Development><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:
<WVBT><EpisodeTitle>:<The Sword of Destiny><FSID>:<443086/11><TyStream>:</478956
><TotalSize>:<442>
<Title>:<The X-Files><Day>:<Sun><Date>:<3/27><Year>:<3/27/05><Station>:<WSKY><Ep
isodeTitle>:<Aubrey><FSID>:<442573/11><TyStream>:</478944/478948><TotalSize>:<77
8>
<Title>:<2005 NFL Scouting Combine><Day>:<Wed><Date>:<3/2><Year>:<3/2/05><Statio
n>:<NFL><EpisodeTitle>:<RB, QB, WR><FSID>:<401257/18><TyStream>:</402924/403280/
403295/403355><TotalSize>:<1112>
<Title>:<Scooby-Doo on Zombie Island><Day>:<Wed><Date>:<3/2><Year>:<3/2/05><Stat
ion>:<TOON><EpisodeTitle>:<><FSID>:<397229/45><TyStream>:</400817/400819/401254/
401262><TotalSize>:<1172>
<Title>:<2005 NFL Scouting Combine><Day>:<Sun><Date>:<2/27><Year>:<2/27/05><Stat
ion>:<NFL><EpisodeTitle>:<RB, QB, WR><FSID>:<392482/11><TyStream>:</393160/39316
2/393164/393165/393168><TotalSize>:<2484>
<Title>:<NFL Films Presents><Day>:<Fri><Date>:<2/25><Year>:<2/25/05><Station>:<N
FL><EpisodeTitle>:<Barry Sanders><FSID>:<377002/11><TyStream>:</377106/377182><T
otalSize>:<976>
<Title>:<NASCAR Racing><Day>:<Wed><Date>:<2/16><Year>:<2/16/05><Station>:<SPD><E
pisodeTitle>:<Nextel Cup Daytona 500, Practice><FSID>:<340191/129><TyStream>:</3
47697/347710><TotalSize>:<356>
<Title>:<Texans @ Bears><Day>:<Sun><Date>:<12/19><Year>:<12/19/04><Station>:<NFL
><EpisodeTitle>:<Houston Texans at Chicago Bears><FSID>:<173725/11><TyStream>:</
177495/177498/177500/177501/177503/177505/177506/177507/177528><TotalSize>:<4576
>
<Title>:<Vikings @ Bears><Day>:<Sun><Date>:<12/5><Year>:<12/5/04><Station>:<NFL>
<EpisodeTitle>:<Minnesota Vikings at Chicago Bears><FSID>:<137623/14><TyStream>:
</137622/137637/137646/137649/137658/137659/137671/137693/137696><TotalSize>:<42
72>
<Title>:<Bears @ Titans><Day>:<Sun><Date>:<11/14><Year>:<11/14/04><Station>:<NFL
><EpisodeTitle>:<Chicago Bears at Tennessee Titans><FSID>:<68320/11><TyStream>:<
/77784/77808/77820/77824/77829/77839/77847/77855/77858/77862/77867><TotalSize>:<
5336>


When I ran the original NowShowing I get this...



invalid attribute: TimeZone
while executing
"dbobj $setup get TimeZone"
("uplevel" body line 16)
invoked from within
"uplevel $body"
invoked from within
"transaction {uplevel $body}"
(procedure "RetryTransaction" line 5)
invoked from within
"RetryTransaction {
if {$version5} {
set lconfig [db $db open /State/LocationConfig]
set tzval [dbobj $lconfig get TimeZoneOffs..."
(procedure "GetConfig" line 28)
invoked from within
"GetConfig"
(file "./NowShowing.tclorig" line 278)

Jamie
06-09-2005, 12:30 PM
Still unable to obtain the list using the mfs_* version of NowShowing.tcl. I was curious what would happen if I launched it the mfs_* NowShowing.tcl from bash and I got the following..



When I ran the original NowShowing I get this...
It looks to me like the mfs_* NowShowing.tcl is working. What happens when you use it with tserver?

94SupraTT
06-09-2005, 12:42 PM
It looks to me like the mfs_* NowShowing.tcl is working. What happens when you use it with tserver?

This is what happens in the status window on tytool when I try to start it. When trying to use themfs_* NowShowing.tcl w/ the scramble tserver



Clear Now Showing List...
Connecting to '192.168.8.18'
Connected...
Getting NowShowing data...
Sorry.. Could not obtain the list.

Jamie
06-09-2005, 12:46 PM
This is what happens in the status window on tytool when I try to start it. When trying to use themfs_* NowShowing.tcl w/ the scramble tserverThat doesn't help. I want to see the output on the tserver_mfs side. What happens when you run tserver_mfs on your tivo? Be sure you have the right NowShowing.tcl where tserver_mfs is looking for it (current working directory, I think).

94SupraTT
06-09-2005, 01:20 PM
That doesn't help. I want to see the output on the tserver_mfs side. What happens when you run tserver_mfs on your tivo? Be sure you have the right NowShowing.tcl where tserver_mfs is looking for it (current working directory, I think).

This is the output when I start tserver_mfs from bash.



bash-2.02# ./tserver_mfs
Switching to low priority...
Waiting for an incoming connection!
SERVER: We got a message! buf = 'SHOWING'
missing close-bracket
while compiling
" ..."
(file "./NowShowing.tcl" line 291)
Waiting for an incoming connection!



The NowShowing.tcl I have is from here.

http://www.dealdatabase.com/forum/attachment.php?attachmentid=4818

both are in /hack

edit...quoted the wrong output.

94SupraTT
06-09-2005, 01:53 PM
Just for piece of mind I downloaded my kernel log to make sure things were being unscrambled and they were.

"3. Verify that the key caching is working by playing a few seconds of a
scrambled show. In the kernel log, you should see some messages similar
to the below (the ellipses indicate data removed for brevity):

Oct 24 19:15:16 (none) kernel: add_first_or_middle: 2403569106,1,0,0,...
Oct 24 19:15:16 (none) kernel: add_end: 2403569106,1,0,0,2042787767,...
Oct 24 19:15:16 (none) kernel: iscram: 2 chunk keys cached"



Jun 9 17:41:55 (none) kernel: add_only: 2403569106,1,0,0,4186733261,333474715,3204548479,2749403977|8016fd70,13,0,42467328,256,1
Jun 9 17:41:56 (none) kernel: add_first_or_middle: 2403569106,1,0,0,1716480691,3745985578,237892385,2463229587|8016fd70,11,0,21889024,256,1
Jun 9 17:41:56 (none) kernel: iscram: 2 chunk keys cached

If all else fails I may just unscramble on the box and then unmonte the drive and use tytool to pull everthing off via a normal tserver file. I would really like to get it working however as is.

allenflame
06-09-2005, 02:18 PM
let me know how it comes out, I'm just "updated" my 6.2 and need to pull about 30 hours worth of shows off.

Jamie
06-09-2005, 02:29 PM
If all else fails I may just unscramble on the box and then unmonte the drive and use tytool to pull everthing off via a normal tserver file. I would really like to get it working however as is.I'll try to take a look at it, but it might not be until tonight.

In the meantime, this might be a good time for you to develop tcl debugging skills. :) The error message tells you the line number and says there is a mismatched bracket there. It isn't clear to me why it runs fine from a bash shell but not from tserver_mfs, but maybe you can figure that out. Let me know if you find a fix before I get around to looking at it.

Jamie
06-09-2005, 04:22 PM
I tested the mfs_* NowShowing.tcl with the tserver_mfs in this thread, and they worked fine together under 7.1b and TyTool 9r18. The mfs_bin.mips package you linked to earlier did not contain a NowShowing.tcl, so I'm uncertain exactly which NowShowing.tcl you are running.

94SupraTT
06-09-2005, 05:20 PM
I tested the mfs_* NowShowing.tcl with the tserver_mfs in this thread, and they worked fine together under 7.1b and TyTool 9r18. The mfs_bin.mips package you linked to earlier did not contain a NowShowing.tcl, so I'm uncertain exactly which NowShowing.tcl you are running.

You are right. The file had NowShowing but not NowShowing.tcl I renamed it to NowShowing.tcl. Looks like that may be my problem. I'll look for another mfs_bin.mips in that thread which does have the NowShowing.tcl in it.

I got the one I am using now in this thread.

http://www.dealdatabase.com/forum/showpost.php?p=195327&postcount=1

Jamie
06-09-2005, 05:39 PM
You are right. The file had NowShowing but not NowShowing.tcl I renamed it to NowShowing.tcl. Looks like that may be my problem. I'll look for another mfs_bin.mips in that thread which does have the NowShowing.tcl in it.

I got the one I am using now in this thread.

http://www.dealdatabase.com/forum/showpost.php?p=195327&postcount=1
It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

94SupraTT
06-09-2005, 06:12 PM
It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

I'm a dork. I almost did this once before but I caught it. Thanks for the help. I appreciating it.

94SupraTT
06-10-2005, 08:46 AM
It's not a mips binary, it is a tcl source file. Get the mfs_src, not the mips_bin package. You'll find it there.

The NowShowing (sans .tcl) in the mfs_bin package is a binary compiled from NowShowing.c. It won't work as a substitute for NowShowing.tcl with an old tserver.

I got the NowShowing.tcl from the mfs_src and uploaded it chmod 755 it and its still not working. :confused:

edit..
Its working now :D For some reason I could not kill a instance of tserver already running. So I rebooted and it started up fine. I had an issue with tytool saying it didn't have enough chunks to start so I checked the kernel log and saw no keys. I played the file I wanted to extract on my tivo. I assume that cached the keys. The tytool was able to pull it.

94SupraTT
06-10-2005, 05:48 PM
let me know how it comes out, I'm just "updated" my 6.2 and need to pull about 30 hours worth of shows off.


It came out GREAT! I did everything right but had the wrong NowShowing.tcl I think I used the one included in 9r18 tytool initially and that didn't work then I rename a source file named NowShowing (stupid me) and finally with Jamie pointing me to the right one I got the correct NowShowing.tcl that works with the unscramble tserver. The process was not hard at all. I was just careless when looking for the NowShowing.tcl file. I can pull off scramble shows with no problem now. I only have probably 10-15gigs left to pull of now. I've pulled off 9gigs (2 Chicago Bears game from last season) so far. :D

allenflame
06-13-2005, 04:44 PM
I have a Philips DSR708 with hacked 6.2. I've got ftp and telnet working and tytools working. I'd like to get some pre-hacked recordings off and have been reading here and some other sites on the web.

I was wondering if anyone has done this with 6.2 that has a cheatsheet? I'm re-reading all the posts, but feel like I'm going in circles. The biggest fear I have is using in killhdinitrd and monte. I will work on making some notes and do a sort of unguide tonight.

94SupraTT
06-13-2005, 04:59 PM
I have a Philips DSR708 with hacked 6.2. I've got ftp and telnet working and tytools working. I'd like to get some pre-hacked recordings off and have been reading here and some other sites on the web.

I was wondering if anyone has done this with 6.2 that has a cheatsheet? I'm re-reading all the posts, but feel like I'm going in circles. The biggest fear I have is using in killhdinitrd and monte. I will work on making some notes and do a sort of unguide tonight.

The box I pulled off my scrambled shows was a 6.2 box. You have to monte to use the custom kernel that allows you to pull off the scrambled shows. There is no "cheat sheet".

TasteBuds
07-12-2005, 04:55 AM
<snip>

Message moved to it's own thread in this forum.

Freddy_k
08-09-2005, 12:11 PM
The box I pulled off my scrambled shows was a 6.2 box. You have to monte to use the custom kernel that allows you to pull off the scrambled shows. There is no "cheat sheet".

I have the same Box a DSR 708 I ran PTVnet then followed Alpha wolfs post on the 4 byte hack when I did that I lost my networking any help would be greatly apreciated.

Freddy_k

cwilkins
09-29-2005, 09:16 PM
I have the same Box a DSR 708 I ran PTVnet then followed Alpha wolfs post on the 4 byte hack when I did that I lost my networking any help would be greatly apreciated.

Freddy_k

Not sure if I had the same problem, but after I got the two kernel monte going with the s2_unscramble 3.1.5x kernel, my v6.2 SD-DVR40 fell off the network too. Couldn't find any good reason for it (wrong network device module versions, etc.). Got in through the serial port and first verified that the monte did work and that the keys were being cached (WooHoo! My first monte!), then started investigating the network problem. ifconfig showed that only the local interface (lo - 127.0.0.1) was up, so I took a stab at bringing up the ethernet interface manually:



ifconfig eth0 192.168.100.30 netmask 255.255.255.0 up


(substitute your own network parameters) I was actually a little surprised when that worked. Since I'm only running the s2_unscramble kernel long enough to decrypt my old shows, that quick fix is sufficient.

EDIT: Earlier posts in this thread indicate that the s2_unscramble kernels don't support DHCP. That explains it.

But I did slam into a brick wall after that. When I run tivosh and do an mls /Recording/NowShowingByTitle, I get this:



% Directory of /Recording starting at 'NowShowingByTitle'

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Pending tyDir 854566 09/29/05 22:03 2304
TiVoClipNowShowing tyDir 854591 09/29/05 09:01 1600
TmsId tyDir 854592 09/29/05 23:59 6764


If I try to list any of those directories(?), I get "can't scan path (errNmNameNotFound)." Harumph!

I've probably missed something, or done something stupid, but I was expecting to find all my NowShowing titles there and haven't been able to figure out why not. (TiVo change something on us?)

So I Googled around, pulled down a copy of nowshowing.tcl, ran it and got basically the same results.

Clue? Anyone? Please?

EDIT: If it's not obvious, I'm trying to do an unscramble in place. I've found a few more clues that point to this being a MFS structure change, but nothing yet on where I should be looking for my list of shows... :confused:

-cw-

eastwind
09-30-2005, 04:44 AM
But I did slam into a brick wall after that. When I run tivosh and do an mls /Recording/NowShowingByTitle, I get this:



% Directory of /Recording starting at 'NowShowingByTitle'

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Pending tyDir 854566 09/29/05 22:03 2304
TiVoClipNowShowing tyDir 854591 09/29/05 09:01 1600
TmsId tyDir 854592 09/29/05 23:59 6764


If I try to list any of those directories(?), I get "can't scan path (errNmNameNotFound)." Harumph!

I've probably missed something, or done something stupid, but I was expecting to find all my NowShowing titles there and haven't been able to figure out why not. (TiVo change something on us?)


Clue? Anyone? Please?


-cw-
Check the listing for /Recording and then try the directories listed. I think the one you want is
mls /Recording/NowShowingByBucketTitle

ew

mabx2
10-03-2005, 03:21 PM
I am VERY new to TiVo hacking, buy also VERY interested. I am fairly technical, but very new to Linux. I have been attempting to read through posts on the topic, have gotten confused by the steps to take.

I have a Philips DSR-7000 with a PTVUpgrade drive (120Gb) w/3.1.1e. I am using the AlphaWolf hack to remove/disable encryption, but have many shows recorded prior to the hack. No other hacks installed/used. The drive is failing and I have ordered a replacement drive from PTVUpgrade (w/6.2). I would like to unscramble my existing shows to transfer to DVD (using tyTools) OR the the new replacement drive. Any help would be GREATLY appreciated.

cheer
10-03-2005, 04:54 PM
I am VERY new to TiVo hacking, buy also VERY interested. I am fairly technical, but very new to Linux. I have been attempting to read through posts on the topic, have gotten confused by the steps to take.

I have a Philips DSR-7000 with a PTVUpgrade drive (120Gb) w/3.1.1e. I am using the AlphaWolf hack to remove/disable encryption, but have many shows recorded prior to the hack. No other hacks installed/used. The drive is failing and I have ordered a replacement drive from PTVUpgrade (w/6.2). I would like to unscramble my existing shows to transfer to DVD (using tyTools) OR the the new replacement drive. Any help would be GREATLY appreciated.
Well this will do it. So what you have to do is:

Get a copy of the S2_Unscramble kernel onto your DTivo
Configure it to monte from the 3.1.1c kernel (that presumably you are running) to the unscramble kernel
Install the special Tserver that comes with the S2_Unscramble package
Play each scrambled video on your DTivo for just a few seconds
Use TyTool to pull the videos off

And then, Bob's your uncle, you'll have your unscrambled videos. Do some reading on monte; it seems daunting, but basically you are just chain-loading from your existing kernel to the custom one.

mabx2
10-20-2005, 08:48 PM
I hate to ask such a newbe question, but here goes:

Would it be possible to get more detailed instructions for the following:



Well this will do it. So what you have to do is:


Get a copy of the S2_Unscramble kernel onto your DTivo
Configure it to monte from the 3.1.1c kernel (that presumably you are running) to the unscramble kernel
Install the special Tserver that comes with the S2_Unscramble package
Play each scrambled video on your DTivo for just a few seconds
Use TyTool to pull the videos off


I understand steps 4 & 5. I just need help on 1-3.

I am very new to linux and this whole "monte" thing is a little overwhelming for me. I have found sets of instructions, but most/all assume a certain level of linux knowledge that I apparently do not have (yet). Most state WHAT they did, not HOW they did it. I guess my basic questions are:


How, specifically, do I monte into another kernel. I need specific commands, etc...
What file/s do I need (and where do I get them). And where do they need to go on the TiVo unit?


I have:
- DirecTiVo Philips DSR-7000
- Software System: v3.1.1.e-01-2-101
- Kernel: 2.4.4-TiVo-3.0
- No scramble hack in place, but have shos recorded PRIOR to hack.

I know all of this info can most likely be found within these forums, but it is spread out and, unfortunately, I am under a time crunch since I have to get my show off my drive (which is about to fail) before I return it.

Any help is GREATELY appreciated.

gamo62
10-22-2005, 05:09 AM
OK. I have hacked my stock TiVo. I now have all of the enhancements and can telnet and ftp. Encryption is disabled and everything I record can be transferred.

I just need help with the ton o' crap my wife has stored. She now wants for me to put it on a DVD, and I am LOST.

Can someone please email me or PM me with what I need to do. I use TyTools not MFS-FTP. DO not understand how to install the s2 kernel. Heck. Not sure if it will wipe out my system or not.

Any and all help appreciated. Thanks!

G.W.

gamo62
10-22-2005, 12:21 PM
I'm curious as to why no one has been working on a way to decrypt the video once it has been transferred to the PC/Mac. I'm sure that it's doable. Has anyone looked ionto it? Because with so much conflicting information here regarding decryption, it is a real pain trying to do research with 2 or more "solutions".

If anyone has been secretly working on this and has made progress, the by all means come forward.

G.W.

cheer
10-22-2005, 07:25 PM
Well I'm no encryption expert.

But as I understand it, the only reason s2_unscramble works is because it's a modified kernel that caches the keys necessary for unscramble. (I also seem to recall that the keys are tied to the decryption chip in the Tivo.)

Without having those keys, or the chip, I don't think you'd make much headway.

In any case, once you understand the concept of monte (read the stickies; there are a couple good threads on monte in them), the s2_unscramble is very simple.

gamo62
10-24-2005, 12:32 PM
Well I'm no encryption expert.

But as I understand it, the only reason s2_unscramble works is because it's a modified kernel that caches the keys necessary for unscramble. (I also seem to recall that the keys are tied to the decryption chip in the Tivo.)

Without having those keys, or the chip, I don't think you'd make much headway.

In any case, once you understand the concept of monte (read the stickies; there are a couple good threads on monte in them), the s2_unscramble is very simple.

Well, maybesimple for those who have been doing it a while. I tried monte with the drive and now it's FUBAR'd! I am now having toput in the 2nd drive that had the encryption turned off from the get go.

Now I am stuck with my first drive at Powering Up and then rebooting after trying to load the scrambled kernel. So much for me figuring this out. I've screwed up the drive and lost my wifes' shows in one shot.

G.W.

eastwind
10-24-2005, 01:50 PM
Well, maybesimple for those who have been doing it a while. I tried monte with the drive and now it's FUBAR'd! I am now having toput in the 2nd drive that had the encryption turned off from the get go.

Now I am stuck with my first drive at Powering Up and then rebooting after trying to load the scrambled kernel. So much for me figuring this out. I've screwed up the drive and lost my wifes' shows in one shot.

G.W.You might not've lost the shows. Might need to do it over, though. You can remove an attempt at a monte by removing the calls to the monte. BTW, what did you try to monte from? I'm guessing a killhdinitrd'd 3.1.5 kernel, but correct me if I'm wrong. Did the serial output say what happened? Did you check the kernel log when you pulled the drive?

ew

cheer
10-24-2005, 03:52 PM
You might not've lost the shows. Might need to do it over, though. You can remove an attempt at a monte by removing the calls to the monte. BTW, what did you try to monte from? I'm guessing a killhdinitrd'd 3.1.5 kernel, but correct me if I'm wrong. Did the serial output say what happened? Did you check the kernel log when you pulled the drive?
Just a note...Jamie has long maintained that the 2.4.20 version of monte is unstable. The general recommendation is to boot using a killhdinitrd'd 3.1.1c kernel and then monte to the 3.1.5 S2_Unscramble kernel.

Teraflop
12-18-2005, 05:09 PM
First of all thanx for all of the great info and files to make this all possible. Let me start by telling you exactly where I am to this point. I cracked a new larger MAXTOR 200gb drive with the $5.00 LBA48 Enhanced boot CD. I was told to use the kernel in the 3_1.5 folder. I already did the patch which forces tivoapp to not encrypt recordings by setting a static boolean expression. Is the 3_1.5 kernel the one I need to be able to unscramble previously recorded programs before the patch, or should I use the one from the 4_0.1A folder? Also, if it isn't apparent already I have a DIRECTIVO. THANX in advance for all of your help.

cheer
12-19-2005, 09:42 AM
Don't know what a zipper is...what version of the Tivo OS are you running? It it's 6.2, then you need the 3.1.5 kernel from the S2_Unscramble package.

What boolean variable are you referring to? As far as I know, there's no boolean variable you can set to turn of encryption; it's done with a patch to tivoapp.

allenlewis
12-31-2005, 12:05 PM
I am having troubles and would appreicate any help decoding the tivo video so I can download them to my PC.
I have a Hughes SD-DVR40 DTivo running 6-2-01-2-351 with a Instrantcaked HD. I am having no troubles running Tytool and connecting to the Tivo and downloading the .ty files (which are encrypted).
I read some of threads here reguarding S2_Unscramble but I am loooking for something a little more basic in the instructions. It seems from what I've read that I need the 3.1.5 kernel for my DTivo and I have the file s2_unscramble[1].tar and s2_unscramble_kernels[1].tar as well as the files ciphercheck.tcl, csoscout.tcl and superpatch-67all-NutKase-1[1].1.

cheer
01-01-2006, 12:49 AM
Has been outlined many times, including in this very thread. Do some searching.

allenlewis
01-01-2006, 04:01 PM
I have already aplied superpatch-67all-NutKase-1.1.and verified that the old files are still encoded. My new recordings are coming out fine.
Could you point me in the direction of at least one of the posts that covers this. I have read through all the pages on this and several other threads and I have already worked out several of the problems that I was having by reading, but I seem to be stuck at this point.
Currently my Tivo is running
Software System: 6.2-01-2-351
Kernel Version 2.4.20

I beleive from what I've read I need 3.1.5 (which I have but have not applied)

Jamie
01-01-2006, 04:21 PM
Could you point me in the direction of at least one of the posts that covers this. I have read through all the pages on this and several other threads and I have already worked out several of the problems that I was having by reading, but I seem to be stuck at this point.As a starting point, read the README in the attachment at the start of this thread. Within that README file, you'll see this statement:

Obviously, this mechanism requires that the user be able to install a custom kernel and extraction tools in his/her TiVo; the mechanics of doing this is outside the scope of this document. and later:

2. Install the custom kernel containing the s2_unscramble software. The recommended method for this is to use the killhdinitrd and the "rc.sysinit.real" approach (search on www.dealdatabase.com).I'm guessing this is what you are stuck on.

Try reading this (http://www.dealdatabase.com/forum/showthread.php?t=37570) thread for details on how to load a custom kernel using the "rc.sysinit.real" approach. For another approach, see AlphaWolf's approach to chainloading with monte here (http://www.dealdatabase.com/forum/showthread.php?p=216711&highlight=chainload#post216711).


I beleive from what I've read I need 3.1.5 (which I have but have not applied)You will want to install a killhdinitrd'd 3.1.1c kernel as your initial boot kernel. Then you'll want to "monte" to the custom 3.1.5 unscramble kernel included in the attachments in this thread.

If you are still stuck, try to formulate specific questions. A general "give me a step-by-step guide" plea is unlikely to yield positive results.

cheer
01-01-2006, 04:24 PM
Here's what I wrote just a few messages ago. (http://www.dealdatabase.com/forum/showpost.php?p=236609&postcount=112) The trick is, monte doesn't work so well when the source kernel is 2.4.20. So you need to change your kernel to a killhdinitrd'd 3.1.1c kernel, then use the 2.4.4 version of monte and monte to the 3.1.5 S2_Unscramble kernel.

Read up on the concept of monte -- you need to really understand it to make this work well.

cheer
01-01-2006, 04:26 PM
Argh. Jamie types too fast.

cmeisel
01-04-2006, 02:21 AM
I have read through this thread but I have to admit that I am very unsure on how to proceed. The main reason is that I am not sure what package I need for my Kernel and software package. I would like to unscramble my machine.
I have a Philips DVR704
TiVo Box Information
Software System: 6.2-01-2-301
System Type: United States Series 2 DirecTiVo
Kernel Information
Version 2.4.20
Compile #22 Fri Feb 20 18:19:25 PST 2004

thanks

claus

cheer
01-04-2006, 08:38 AM
So you need the 3.1.5 unscramble kernel, but you'll need to monte from a 3.1.1c kernel. Read my post above.

cmeisel
01-04-2006, 04:34 PM
I read the thread but being a total novice user I am not sure where to start. I can't even figure out where to find a 3.1.1c Kernel for my machine so I can at least start by upgrading to that one.

captain_video
01-16-2006, 04:57 PM
I just discovered this morning that my HR10-250 was never patched to disable encryption (fat-fingered typo error that was never caught until now). As a result, the first two hours of 24, Day 5, are encrypted. I have since patched my tivoapp file to disable encryption and have read through this thread so I can understand how to extract the scrambled recording of the first 24 episode.

I didn't see any specific mention as to whether or not it makes any difference if you can use the modified unscramble kernel with a patched tivoapp file. Does it matter that the tivoapp file now disables encryption or should I reinstate the unpatched file prior to attempting to use the unscramble approach? I would assume that since both scrambled and unscrambled recordings play back with the patched tivoapp file that it will make no difference since the decryption keys must apparently be present to enable playback of the scrambled recordings.

cheer
01-16-2006, 06:12 PM
It does not matter -- you can leave tivoapp patched.

captain_video
01-17-2006, 11:35 PM
That's what I figured. I never saw any mention of it either way so I thought I'd throw it out there to be sure.

I just tried this process tonight and my first attempt resulted in a reboot loop using the 3.1.1x killhdinitrd'd kernel in the active partition of my HDTivo. I reinstalled the killhdinitrd'd 3.1.5 kernel and swapped out the kmonte.o file with the 2.4.20 version and it booted right up. I played back the first few minutes of my scrambled 24 episode and then tried extracting it with the special tserver_mfs file. Of course, it wouldn't work without a NowShowing.tcl file so I had to do some searching to find the one that worked with it. I installed the NowShowing.tcl file and then extracted the ty file. I muxed it with TyTool9r18 and got a working mpeg on my PC so all is well once again.

The beauty of using the 3.1.5 kernel installed in the active partition instead of the 3.1.1x kernel is that if I ever need to descramble any recordings for extraction in the future all I have to do is swap out the rc.sysinit file with the bogus file and reboot. Restoring the original configuration just requires swapping the original rc.sysinit file back in. Of course, now that I've patched the tivoapp file properly it's all a moot point since all future recordings will be unscrambled to begin with.

Jamie
01-18-2006, 12:18 AM
I just tried this process tonight and my first attempt resulted in a reboot loop using the 3.1.1x killhdinitrd'd kernel in the active partition of my HDTivo.That's probably because your root is above the lba28 mark, so the 3.1.1x kernel can't access it properly. I'm glad the 2.4.20 kmonte.o worked for you; it sometimes doesn't, depending on your target kernel.

I suppose I should produce a modern tserver (no NowShowing.tcl) that can work with the unscramble kernels.

captain_video
01-18-2006, 11:58 AM
Since the s2_unscramble function would probably be used on a limited basis, creating a standalone tserver file probably isn't necessary but, of course, that's entirely your call. It might be prudent, however, to package the correct NowShowing.tcl file with the tserver_mfs file to avoid the same confusion I encountered.

I suppose there are some people that would keep the unscrambled shows on their Tivos so they can download them at their leisure but there are probably many others, like myself, that just want to unscramble a few shows and be done with it. Hopefully, I will never have to use the s2_unscramble feature again.

I was grateful it was available when I needed it but I have since corrected the encryption issue on my HDTivo so the situation should never arise again, at least not on my existing Tivos. From now on I plan on making a test recording and extraction whenever I set up a new Tivo to ensure encryption has been turned off.

gotrees
02-12-2006, 12:00 AM
captain_video, where did you find a working NowShowing.tcl? I have a couple floating around but they don't seem to work.

I've tried the one from mfs-utils_src-20050604.tar.bz2 and also a couple of older ones I had from tytool downloads. This is what I get with the mfs-utils_src on a show that I have already primed.
tserver gives this error:
********** #1 failed to write to stdout

tytool says:
Could not open an output file!

it looks like it is priming properly. My kernel log has lots of entries such as
Feb 12 06:31:30 (none) kernel: add_first_or_middle: 2403569106,1,0,0,154675105,1
268168715,691459848,243456416|8016fd70,13,0,190840832,256,1

SpoonsJTD
02-12-2006, 02:31 AM
Just curious if some of the people who reported initial success monte'ing from a killhdinitrd'd 3.1.5 to the s2_unscramble 3.1.5 could update their status.

I too had initial success with this method until I started 'priming' the shows. I twice had lockups and eventually had a reboot, and now it continually hangs:


Partition check:
hda:<6>fpga_ide: lost IRQ
hda: lost interrupt
fpga_ide: DMA error status
hda: dma_intr: status=0x58 { DriveReady SeekComplete DataRequest }
fpga_ide: lost IRQ
hda: lost interrupt
fpga_ide: DMA error status
hda: dma_intr: status=0x58 { DriveReady SeekComplete DataRequest }
fpga_ide: lost IRQ
hda: lost interrupt
fpga_ide: DMA error status
hda: dma_intr: status=0x58 { DriveReady SeekComplete DataRequest }
fpga_ide: lost IRQ
hda: lost interrupt
fpga_ide: DMA error status
hda: dma_intr: status=0x58 { DriveReady SeekComplete DataRequest }
hda: DMA disabled
hda: re-enabled DMA
ide0: reset: success

This continues ad infi-nauseum. Seems strange that it booted fine with the monte several times then started doing this.

I don't suppose (really wishful thinking here) that since I primed all the shows I wanted and the keys were cached prior to no longer being able to boot with the monte, that I can process them without monte-ing to the special kernel?

To get any further, I guess I need to monte from 3.1.1 instead of 3.1.5? What is the best way to proceed with that? I just want to unscramble a few shows, extract them, and then never really worry about it again. My current system has the noscramble patch applied. Should I dd my boot and boot + 1 partitions to the counterpart partitions and put a 3.1.1c killhdinitrd kernel on that side (and replace the kmonte.o with the appropriate version)? I'd rather not mess with the current boot since the s2_unscramble setup will be temporary.

Edit: This is an HR10-250 running 3.1.5f. It boots fine when I swap out the rc.sysinit.author files to not do the monte.

gotrees
02-14-2006, 07:11 PM
Still looking for a working NowShowing.tcl -- or if that's not my problem and other pointers....

eastwind
02-15-2006, 07:32 AM
captain_video, where did you find a working NowShowing.tcl? I have a couple floating around but they don't seem to work.

I've tried the one from mfs-utils_src-20050604.tar.bz2 and also a couple of older ones I had from tytool downloads. This is what I get with the mfs-utils_src on a show that I have already primed.
tserver gives this error:
********** #1 failed to write to stdout

tytool says:
Could not open an output file!

it looks like it is priming properly. My kernel log has lots of entries such as
Feb 12 06:31:30 (none) kernel: add_first_or_middle: 2403569106,1,0,0,154675105,1
268168715,691459848,243456416|8016fd70,13,0,190840832,256,1
I think this is typically a problem with the d/l'd .ini file pointing to a non-existant drive or directory.

ew

cheer
02-15-2006, 10:03 AM
I've always used the NowShowing.tcl that came with the mfs-utils, I'm pretty sure. Works well with S2_Unscramble on 3.x software anyway -- haven't tried it with newer versions.

SpoonsJTD
02-16-2006, 10:04 PM
I too had initial success with this method until I started 'priming' the shows. I twice had lockups and eventually had a reboot, and now it continually hangs:

Update: I was running a non-factory drive of the same size (it was my 'working' hacked drive) and was annoyed by how loud it was compared to the fairly silent WD I pulled so I backed up both, and did a full dd from the hack drive to the factory drive. Not only did my noise problem go away (obviously), but when I went to try the 3.1.5 to 3.1.5 monte for the s2_unscramble, it worked like a charm. No lockups. I descrambled all the scrambled shows and am now running in no scramble mode.

Best I can guess is 1) the non-factory drive is failing (I've yet to run Maxtor diagnostics on it) or 2) there was some DMA issue that for whatever reason the monte exposed that wasn't a problem with the factory drive. Regardless, I am all good now. It was nice to get the monte experience as well.

gotrees
02-17-2006, 02:25 PM
I think this is typically a problem with the d/l'd .ini file pointing to a non-existant drive or directory.

ew

thanks for the response but it doesn't seem to be the case here. I'd try to track this down further but my unscrambled tserver works for new shows and I've got mfs_ftp working for the scrambled ones so I think I'll declare victory and call it a day.

Matt Dralle
03-25-2006, 09:55 PM
>Obviously, this mechanism requires that the user be able to install a custom
>kernel and extraction tools in his/her TiVo; the mechanics of doing this is
>outside the scope of this document. In addition, the user should disable
>future scrambling on the machine with the "nocso" or other hack.

How about throwing us noobs a bone here, dude... At least a link to some page somewhere. Here's what I did but it doesn't work:

FTP'd vmlinux.px.3.1.5x to my hd10-250 3.1.5f box and stuck it in /var/utils/

Then ran: updatekernel /dev/hda /var/utils/vmlinux.px.3.1.5x

And got:

Path prefix is .//
Checking kernel compatibility using /var/utils/checkkernel
System PROM type is 'unknown'
Checking kernel signature
/var/utils/checkkernel failed: NOSIGNATURE
child process exited abnormally
/var/utils/checkkernel failed: NOSIGNATURE
child process exited abnormally
while executing
"error $failstring"
(file ".//updatekernel" line 128)

Some instructions on how to update a kernel would be pretty handy.

Thanks!

Matt

cheer
03-27-2006, 09:15 PM
Such instructions are all over the board. If you cannot find them, then perhaps this process is something you're not ready for. It's not for noobs.

Hint: you need to use dd, not updatekernel.

Matt Dralle
03-27-2006, 10:50 PM
Well, turns out what's required is doing a Monte from the stock kernel to the modified one. The process was simple; finding the instructions was hard. My point is, what's the big secret? Why not put a link right in the paragraph that says "updating your kernel is out of the scope"? Any noob could follow the simple instructions on Monte a kernel. But finding the instructions and the monte distribution seems far too obscure to be left to an off handed comment about scope. Maybe a little humility is in order around here.

BTW, this noob figured it out fine and has all of the scrambled shows on his HD10-250 unscrambled.

Matt

Matt Dralle
03-28-2006, 02:19 AM
Removed by author.

cheer
03-28-2006, 11:36 AM
Any noob could follow the simple instructions on Monte a kernel. But finding the instructions and the monte distribution seems far too obscure to be left to an off handed comment about scope. Maybe a little humility is in order around here.

BTW, this noob figured it out fine and has all of the scrambled shows on his HD10-250 unscrambled.
I am very glad to hear of your success (no sarcasm -- I'm serious). But your comment that any noob could follow the simple instructions for monte is demonstrably not so. In fact, once or twice I've attempted to walk a newb through implementing monte, and not all have "gotten" it the way you did.

Additionally, it's probably good to remember that the S2_Unscramble kernels came out prior to killhdinitrd...at a time when many/most were doing some kind of monte.

Fundamentally, it's rather similar to someone writing, say, a new hack to do scheduling conflict management that requires TivoWebPlus. The documentation to implement the hack might say, "You have to have TivoWebPlus up and running; instructions for that is beyond the scope of this document."

matt1981m
03-30-2006, 03:36 AM
Well, turns out what's required is doing a Monte from the stock kernel to the modified one. The process was simple; finding the instructions was hard. My point is, what's the big secret? Why not put a link right in the paragraph that says "updating your kernel is out of the scope"? Any noob could follow the simple instructions on Monte a kernel. But finding the instructions and the monte distribution seems far too obscure to be left to an off handed comment about scope. Maybe a little humility is in order around here.

BTW, this noob figured it out fine and has all of the scrambled shows on his HD10-250 unscrambled.

Matt

well this "noob" would like to know more about where you ended up finding the info you used. I definately have the skill level required.... i am proficient in most other os except linux and unix.... so i am new to the bash prompts.... however, that doesnt change the fact that the search features on forums are notoriously bad and that mentioning a specific piece of sw (the monte 2.4.4 to be specific) can alot of times confuse the issue. I spent 3 hours trying to find this file and never found it on this site. I know it is out there. i ended up finding it here (http://www.numbski.net/hacks/tivo). it was on numbski's site that he had put a how to of sorts on....

i am not asking for a step-by-step-hold-your-hand-as-you-go-thru-the-process sort of guide, just a little nudge.... i tried to follow the 2 different links detailing monte but got nowhere.

the main things i have problems with right now are as follows:
1. this may sound crude, but how do you tell which partition is active. i know this is a extremely noobish thing to ask but i never have found that out.... i used the instacake cd to upgrade my drives and it had the 3.1.5 kernel that was killhdinitrd or whatever the term is....
2. i believe i will just edit my rc.sysinit file to run the monte to the other kernel, but what do i edit in the rc.sysinit file.
3. is it possible to just run monte and switch to this kernel manually using a bash prompt?? then i could proceed and unscramble the video....

I currently have 2 SD Dtivo's the DSR704 and DVR40, both networked and have encryption disabled... but of course i still have some recordings that have the encryption on them.

even if you could post a link that gives more info i would be eternally grateful.

ScanMan
03-30-2006, 10:12 AM
1. this may sound crude, but how do you tell which partition is active. i know this is a extremely noobish thing to ask but i never have found that out.... i used the instacake cd to upgrade my drives and it had the 3.1.5 kernel that was killhdinitrd or whatever the term is....

This one's easy: bootpage -p

It should report /dev/hda4 or /dev/hda7.


i tried to follow the 2 different links detailing monte but got nowhere.

I assume you read the definitive NutKase thread on it here. (http://www.dealdatabase.com/forum/showthread.php?t=37570) That explains the concept in great detail.


2. i believe i will just edit my rc.sysinit file to run the monte to the other kernel, but what do i edit in the rc.sysinit file.

You need to read the part in the above link that talks about rc.sysinit.bogus versus rc.sysinit.real.


3. is it possible to just run monte and switch to this kernel manually using a bash prompt?? then i could proceed and unscramble the video....

Not that I'm aware of...

matt1981m
03-30-2006, 03:12 PM
This one's easy: bootpage -p

It should report /dev/hda4 or /dev/hda7.



I assume you read the definitive NutKase thread on it here. (http://www.dealdatabase.com/forum/showthread.php?t=37570) That explains the concept in great detail.



You need to read the part in the above link that talks about rc.sysinit.bogus versus rc.sysinit.real.



Not that I'm aware of...
i followed that link you posted.... still cant get it to work... i moved the rc.sysinit file to rc.sysinit.real and then i created a new script in metapad named rc.sysinit.monte and used the following info below... then loaded the proper kernel and monte files in the proper directories listed in the script below.....i placed the unscramble files needed in the proper directory mentioned in the readme....i at first forgot to CHMOD 777 the rc.sysinit.monte file...but then rehacked and inserted the file with a PC... then after doing that i still cant get it to work... I created a symlink named rc.sysinit that points to rc.sysinit.monte that i could easily change to the .real one if i needed to. upon reboot, i get the following text
ip_conntrack version 2.1 (512 buckets, 4096 max) - 152 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory
/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory


here is the script i created:

#!/bin/bash
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '
/bin/bash</dev/ttyS2&>/dev/ttyS2&
bootparm=`/sbin/bootpage -p /dev/hda`
if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte/kmonte.o
/monte/monte /monte/vmlinux.px.3.1.5x "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
echo "monte sysinit wrapper complete, you're on your own"

where did i go wrong....

ScanMan
03-30-2006, 03:23 PM
Based on your post, the one thing I would suggest is not symlinking to the rc.sysinit file; just rename your rc.sysinit.monte to rc.sysinit and make sure it's chmod 755 (or 777 is fine). Do you get the same error?


/monte/monte /monte/vmlinux.px.3.1.5x "$bootparm sp=true"
And is the "vmlinux.px.3.1.5x" the unscramble kernel?

matt1981m
03-30-2006, 03:30 PM
Based on your post, the one thing I would suggest is not symlinking to the rc.sysinit file; just rename your rc.sysinit.monte to rc.sysinit and make sure it's chmod 755 (or 777 is fine). Do you get the same error?


And is the "vmlinux.px.3.1.5x" the unscramble kernel?
i did that at 530am this morning and got the same exact thing... and yes that is the kernel i used... it was he one linked earlier in this thread in the s2_unscramble_kernels[1].tar.bz2 file.... what is the difference btw 777 and 755???

ScanMan
03-30-2006, 03:59 PM
777 and 755 are octal representations for unix file permissions for read, write and execute. The three numbers are permissions for the owner, group and everyone. So 777 means that owner, group and everyone all have read, write and execute permissions. 755 means owner has full read, write and execute but group and everyone only have read and execute permissions.

Another question - I don't know which are your active partitions but let's say 3/4. What's in /dev/hda4? What tivo software version are you running? Also, are you getting a reboot loop - monte is flaky on certain kernel versions...

matt1981m
03-30-2006, 05:28 PM
777 and 755 and octal representations for unix file permissions for read, write and execute. The three numbers are permissions for the owner, group and everyone. So 777 means that owner, group and everyone all have read, write and execute permissions. 755 means owner has full read, write and execute but group and other only have read and execute permissions.

Another question - I don't know which are your active partitions but let's say 3/4. What's in /dev/hda4? What tivo software version are you running? Also, are you getting a reboot loop - monte is flaky on certain kernel versions...
active partition is /dev/hda4.....DSR704 w/ original 6.2.1.2.321 image (well.. a dd' of the original)...no reboot loop...what i posted is the bash output
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory
/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory
then system hangs..... i tried editing the script again... it looks like i had somehow taken out the indents on some of the lines and the extra lines in between items.... i just want to make sure... the only thing i should need in the rc.sysinit script is this info....
#!/bin/bash
# bogus rc.sysinit, checks for monte
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '

#enable this next line if you're paranoid
#/bin/bash</dev/ttyS2&>/dev/ttyS2&

bootparm=`/sbin/bootpage -p /dev/hda`

if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte/kmonte.o
/monte/monte /monte/vmlinux.px "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
echo "monte sysinit wrapper complete, you're on your own"
the files i have loaded are in the "/monte" folder and are the kmonte.o, monte, and vmlinux.px.3.1.5x.... i saw that the script had the file as vmlinux.px and so i edited created one as vmlinux.px and will do a chmod on it once on the drive... i created a script that will do all of it for me so i can just put it on a boot cd and pull the drive... i have to anyway since i cant boot it...

matt1981m
03-31-2006, 06:44 AM
ok.... i added the script info to the original rc.sysinit and got it to boot now...

the only problem is it appears the monte fails....

sp="" must be first pass, trying to run monte
Warning: kernel-module version mismatch
/monte/kmonte.o was compiled for kernel version 2.4.4-TiVo-3.0
while this kernel is version 2.4.20
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)
monte: Operation not permitted
monte sysinit wrapper complete, you're on your own
if this is not a valid copy of monte i dont know what is.. i originally got this from someone who had a R10-250 but have since pulled a copy from someone that has an DVR80 and i have the DSR704 (as far as i know is the same thing, mine had just half the HD size out of the box an mine is branded Phillips not RCA)..... does anyone have a copy of the monte compiled for the 2.4.20 kernel....

ScanMan
03-31-2006, 10:00 AM
The monte files for 2.4.20 can be found here. (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2) Good to see you got it working; I was originally thinking there was something wrong with your bootpage. I was compiling some notes last night on my recent experience with this (http://www.dealdatabase.com/forum/showthread.php?t=48985) which was with a killhdinitrd 3.1.5 into the s2_unscramble vmlinux.px.3.1.5x and then mount tivo 7.2.2. Note of caution, as Jamie has pointed out on numerous occasions and a couple of times on this thread, the most reliable kmonte.o is for the 2.4.4 kernel. Folks have had mixed results with the 2.4.18 and the 2.4.20 kmonte.o. I can confirm it worked for me on my hardware/setup (24004A).

matt1981m
04-01-2006, 02:13 AM
The monte files for 2.4.20 can be found here. (http://www.dealdatabase.com/forum/showpost.php?p=194533&postcount=2) Good to see you got it working; I was originally thinking there was something wrong with your bootpage. I was compiling some notes last night on my recent experience with this (http://www.dealdatabase.com/forum/showthread.php?t=48985) which was with a killhdinitrd 3.1.5 into the s2_unscramble vmlinux.px.3.1.5x and then mount tivo 7.2.2. Note of caution, as Jamie has pointed out on numerous occasions and a couple of times on this thread, the most reliable kmonte.o is for the 2.4.4 kernel. Folks have had mixed results with the 2.4.18 and the 2.4.20 kmonte.o. I can confirm it worked for me on my hardware/setup (24004A).
now that i have the right kmonte.o file i am getting the reboot issue.... can i upgrade my kernel from 2.4.20 to 2.4.4 so i can use the stable version of the kmonte.o???? if so do i just have to dd' it and then chmod the kernel file....

i have had limited experience with linux but i am sure i can figure it out.

ScanMan
04-01-2006, 12:33 PM
Stupid question, but I have to ask...are you sure your bootpage is set up correctly? Make sure you verify it with bootpage -b (displays primary boot partition) and bootpage -a (displays alternate); this should be consistent with your bootpage param "root=/dev/hda4" for an active pair of 3/4. If so...


can i upgrade my kernel from 2.4.20 to 2.4.4
I think you meant downgrade...but yes you might need to go back to the 2.4.4 monte, b/c perhaps the 2.4.20 kmonte.o doesn't like your hardware/prom kernel/software combo.

So, you need a "3.1.1c.vmlinux.px.gz" killhdinitrd kernel; you can search the image begging thread, I think there is a link to an ftp site there or you can pay the $5 to ptvupgrade.com and get pre-modded kernels on their lba48 bootdisk.

The one thing about the 3.1.1c kernel is that it's not lba48 aware; so it won't recognize drives > 137GB. If you have a large HD, that's OK if you are monteing into an lba48 aware kernel so long as the boot partition resides under the 137 mark.

You will also need to use the 2.4.4 version of kmonte.o. You should try to monte into the "vmlinux.px.3.1.5x" unscramble kernel since this will provide you with lba48 support. Don't know if you have an HD larger than 137GB, but if that doesn't work, try to monte into the "vmlinux.px.3.1.1x" unscramble kernel.

So, assuming your active partitions are the 3/4 you should have the following:

/dev/hda3 killhdinitrd 3.1.1c kernel
/dev/hda4 tivo root filesystem (6.2?) with /monte

/monte should contain monte, the 2.4.4 kmonte.o and the copy of either the "vmlinux.px.3.1.5x" or the "vmlinux.px.3.1.1x" unscramble kernels. As you know, you need the rc.sysinit.bogus (whatever) renamed to rc.sysinit with the correct filename of the monte-into kernel.

bootpage params should be:

"root=/dev/hda4 dsscon=true console=2,115000 upgradesoftware=false"

bootpage -B 3 --sets primary boot partition to 3
bootpage -A 6 --set alternate boot partition to 6

If it doesn't work, post your ENTIRE boot log so that folks can help you troubleshoot.

matt1981m
04-01-2006, 02:30 PM
Stupid question, but I have to ask...are you sure your bootpage is set up correctly? Make sure you verify it with bootpage -b (displays primary boot partition) and bootpage -a (displays alternate); this should be consistent with your bootpage param "root=/dev/hda4" for an active pair of 3/4. If so...


I think you meant downgrade...but yes you might need to go back to the 2.4.4 monte, b/c perhaps the 2.4.20 kmonte.o doesn't like your hardware/prom kernel/software combo.

So, you need a "3.1.1c.vmlinux.px.gz" killhdinitrd kernel; you can search the image begging thread, I think there is a link to an ftp site there or you can pay the $5 to ptvupgrade.com and get pre-modded kernels on their lba48 bootdisk.

The one thing about the 3.1.1c kernel is that it's not lba48 aware; so it won't recognize drives > 137GB. If you have a large HD, that's OK if you are monteing into an lba48 aware kernel so long as the boot partition resides under the 137 mark.

You will also need to use the 2.4.4 version of kmonte.o. You should try to monte into the "vmlinux.px.3.1.5x" unscramble kernel since this will provide you with lba48 support. Don't know if you have an HD larger than 137GB, but if that doesn't work, try to monte into the "vmlinux.px.3.1.1x" unscramble kernel.

So, assuming your active partitions are the 3/4 you should have the following:

/dev/hda3 killhdinitrd 3.1.1c kernel
/dev/hda4 tivo root filesystem (6.2?) with /monte

/monte should contain monte, the 2.4.4 kmonte.o and the copy of either the "vmlinux.px.3.1.5x" or the "vmlinux.px.3.1.1x" unscramble kernels. As you know, you need the rc.sysinit.bogus (whatever) renamed to rc.sysinit with the correct filename of the monte-into kernel.

bootpage params should be:

"root=/dev/hda4 dsscon=true console=2,115000 upgradesoftware=false"

bootpage -B 3 --sets primary boot partition to 3
bootpage -A 6 --set alternate boot partition to 6

If it doesn't work, post your ENTIRE boot log so that folks can help you troubleshoot.
and here i thought 2.4.4 was a newer kernel than 2.4.20... but now that i think about it... .20 vs v.4....duh.... i have a 250 gb drive right now... b4 i do that i will try to mod my monte su... i think i can get it to work..
i am absolutely sure my bootpage is correct.... and i do have 6.2.... i will work on it when i get off work tonight... will post the outcome...

ns33
04-05-2006, 12:07 PM
I have now killhdinitrd'd 3.1.5 kernel on DSR7000 running OS 6.2 with nutkase Superpatch-67all installed.
I came across this post http://www.dealdatabase.com/forum/showthread.php?t=48985 that talks about monteing form 3.1.5 killhdinitrd to 3.1.5 unscramble...
I am a little confused and a lot scared to do that... is there any other way to get the scrambled shows off without creating new file system in diff partition ..?
Also - the method in the thread goes in the prom booting with serial cable.. I don't have serial cable and I just want to get a couple of shows off and then forget about this whole unscrambling thing.
Any ways around?

eastwind
04-05-2006, 01:12 PM
Yes, but the quality will suffer. It involves a video capture device and some analog cables to hook up the output of the TiVo to the PC.

But seriously, make a dd backup of the drive and experiment on the backup if you're scared.

ew

ns33
04-05-2006, 01:39 PM
Yes, but the quality will suffer. It involves a video capture device and some analog cables to hook up the output of the TiVo to the PC.

But seriously, make a dd backup of the drive and experiment on the backup if you're scared.

ew

Thanks... video capture's pretty much out of question... I already have the original tivo drive as backup... so I guess - I'll try to do this - however, I do not understand how I'll get to do the prom boot thing. Do i really need it?

Jamie
04-05-2006, 02:23 PM
...however, I do not understand how I'll get to do the prom boot thing. Do i really need it?The post you linked describes a method that installs the s2_unscramble environment in the alternate kernel/root partition pair. You don't have to do it that way, but it's a good idea because it's easy to recover without pulling the disk if you screw up and cause your system to be unbootable. If you'd rather work directly in your main kernel/root partitions, you can. Just be sure your backup includes any recordings that are precious to you.

You should have a serial console cable and serial console access in any case for recovery/troubleshooting.

ns33
04-05-2006, 03:14 PM
The post you linked describes a method that installs the s2_unscramble environment in the alternate kernel/root partition pair. You don't have to do it that way, but it's a good idea because it's easy to recover without pulling the disk if you screw up and cause your system to be unbootable. If you'd rather work directly in your main kernel/root partitions, you can. Just be sure your backup includes any recordings that are precious to you.

You should have a serial console cable and serial console access in any case for recovery/troubleshooting.

gotcha...
now if everything goes ok...upon reboot, do I need to do anything or can I just start mfs-ftp or tserver based transfer? Once I'm done extracting all my scrambled recordings, how do I revert back...? I am assuming



bootpage -P "root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false" /dev/hda

bootpage -f /dev/hda


and reboot.... is that correct or am i trying to nuke my tivo here..?

-Oh once I extract the recordings I don't have use for any scrambled one to be left on Tivo and Iam going to delete them permanantly..

*edit* - oh and my question was in context of installing the s2_unscramble environment in the alternate kernel/root partition pair (3/4)

cheer
04-05-2006, 03:33 PM
Once you boot up, assuming the monte chainload is successful, you can then run the modified mfs_ftp or modified tserver. Prime your shows -- watch a couple seconds of each one on the Tivo itself. You can look in /var/log/kernel and confirm that the CSO keys are being cached.

Then...extract away!

ns33
04-05-2006, 03:49 PM
Once you boot up, assuming the monte chainload is successful, you can then run the modified mfs_ftp or modified tserver. Prime your shows -- watch a couple seconds of each one on the Tivo itself. You can look in /var/log/kernel and confirm that the CSO keys are being cached.

Then...extract away!

thanks... but how do I revert to my original 6/7 partition setting running my regular killhdinitrd'd kernel... No need to chainload anymore once I extract those 5-6 shows.. is my idea of changing bootpage ok or I need to do something else too...


bootpage -P "root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false" /dev/hda

bootpage -f /dev/hda
reboot

cheer
04-05-2006, 04:15 PM
I've not done the alt-partition setup, but yeah, seems to me that should work just fine.

ScanMan
04-05-2006, 06:00 PM
bootpage -P "root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false" /dev/hda

bootpage -f /dev/hda
reboot
Agreed, that should be all you need...but verify it before you reboot.

bootpage -p
bootpage -b
bootpage -a

ns33
04-05-2006, 07:23 PM
Agreed, that should be all you need...but verify it before you reboot.

bootpage -p
bootpage -b
bootpage -a
cool - thanks... just needed to gather all the info before I started on this... will post results soon...

ns33
04-06-2006, 04:23 PM
Guys... I tried the alternate partition and it seemed to have worked fine on tivo side of the business...

Now I primed the scrambled shows, the kernel log shows x keys chunked so that seem to have worked fine.

I tried starting tserver_mfs and am getting error for no NowShowing.tcl. I am pretty new to tytools so I started with v10r4 which didn't have any NowShowing.tcl. I see that in this thread there are a couple of posts with problems about different NowShowing.tcl and tserver_mfs.

Is there any recomended NowShowing.tcl version that's out there for download?

Jamie
04-06-2006, 04:28 PM
Guys... I tried the alternate partition and it seemed to have worked fine on tivo side of the business...

Now I primed the scrambled shows, the kernel log shows x keys chunked so that seem to have worked fine.

I tried starting tserver_mfs and am getting error for no NowShowing.tcl. I am pretty new to tytools so I started with v10r4 which didn't have any NowShowing.tcl. I see that in this thread there are a couple of posts with problems about different NowShowing.tcl and tserver_mfs.

Is there any recomended NowShowing.tcl version that's out there for download?There's a NowShowing.tcl that should work with all software versions (AFAIK) in the mfs-utils_src package here (http://www.dealdatabase.com/forum/showthread.php?t=39487).

ns33
04-06-2006, 05:29 PM
There's a NowShowing.tcl that should work with all software versions (AFAIK) in the mfs-utils_src package here (http://www.dealdatabase.com/forum/showthread.php?t=39487).

cool - worked like a charm....
Once I'm done and I revert to my orig file system, I'll post results again...
yeeeepeeeeee....
:) :) :)

*EDIT*
Just switched back to orig hacked partitions in 6/7... whoooo... system booted up.. everything's intact... got all the scrambled shows off so have lots of recording room now..
If anyone wants to do this - it seems safer than working directly with your hacked kernel... only glitch compared to the original post was that I ran into read only mount... had to remount to rw.

thisbejoe7
04-08-2006, 09:33 PM
I've got a DTivo Series 2, its hacked with ptvnet running 6.2. I setup tyserver and can view/download my recordings, but they are all encrypted. Can I use anything discussed in this thread to somehow be able to view my recordings on my PC from my hacked Tivo? Its frustrating being able to download the files and not play them.

Any help is appreciated.

Thanks

cheer
04-08-2006, 10:27 PM
Yes. Follow the instructions included with the files on the first post of this thread and you can extract your shows.

It's not something super-trivial, particularly if you've not done manual hacking (which, since you mention ptvnet, I assume you haven't).

krwdealdb
04-12-2006, 02:04 PM
I need a sanity check / help...

I have a DTivo (Phillips DSR7000) runnig 6.2 running on a 120gb HD, hacked with the mfs tools (to expand my original HD onto the 120gb) and then with ptvnet to quickly add all of the hacks. Then I added Tytools and changed from DHCP to a static IP address.

From reading this thread it looked like I had a small chance of directly monteing from my hack 6.2 to the vmlinux.px.3.1.5x unscrambled kernel.
So I used Alphwolf's monte/kmonte.o and the "rc.sysint.real" approach to boot. It failed, (I currently do have a serial cable for my unit so I do not have the ouput), but like I said it was a crap shoot.

I took the drive out and undid the "rc.sysinit.real" thing, put the drive back and the unit works again.

So now I have obtained a 3.1.1c killhdinitrd'ed kernel and I plan to dd a backup of my current 6.2 kernel and dd in the killhdinitrd'ed kernel. Then I plan to do the same "rc.sysinit.real" thing with the vmlinux.px.3.1.5x unscrambled kernel.

What I can't seem to find is the monte/kmonte.o that goes with 3.1.1c killhdinitrd'ed kernel.

Can anyone point me at where I can get them?

Also, is there anything wrong with my approach?

-Ken

Jamie
04-12-2006, 02:29 PM
...
So I used Alphwolf's monte/kmonte.o and the "rc.sysint.real" approach to boot. It failed, (I currently do have a serial cable for my unit so I do not have the ouput), but like I said it was a crap shoot.

....

What I can't seem to find is the monte/kmonte.o that goes with 3.1.1c killhdinitrd'ed kernel.
....I'm not sure what "Alphawolf's monte/kmonte.o" is, but I doubt you used the proper 2.4.20 kmonte.o when you tried to monte from 3.1.5. It may still work if you use the right kmonte.o. My builds for 2.4.4, 2.4.18 and 2.4.20 can be found here (http://www.dealdatabase.com/forum/showthread.php?p=194533#post194533). The orignals from MuscleNerd (2.4.4 only) can be found here (http://alt.org/forum/index.php?t=msg&th=74).

krwdealdb
04-12-2006, 03:01 PM
I'm not sure what "Alphawolf's monte/kmonte.o" is, but I doubt you used the proper 2.4.20 kmonte.o when you tried to monte from 3.1.5. It may still work if you use the right kmonte.o. My builds for 2.4.4, 2.4.18 and 2.4.20 can be found here (http://www.dealdatabase.com/forum/showthread.php?p=194533#post194533). The orignals from MuscleNerd (2.4.4 only) can be found here (http://alt.org/forum/index.php?t=msg&th=74).

Thanks Jamie,

It turns out I did find the original 2.4.4 you pointed too from random searches on the net, but I did not know if they were right/good.

I meant to say I grabbed the monte/kmonte.o from AlphaWolf's 62init.tar.rar that he posted on these forums. I was pretty sure they were the 2.4.20 versions, but I will try yours tonight to be sure. If not, I will try to install the 3.1.1c like I said.

Thanks again!

-Ken

Jamie
04-12-2006, 03:08 PM
I meant to say I grabbed the monte/kmonte.o from AlphaWolf's 62init.tar.rar that he posted on these forums. I was pretty sure they were the 2.4.20 versions, but I will try yours tonight to be sure.Nope:

../62init/chainload % strings kmonte.o | grep "version"
kernel_version=2.4.4-TiVo-3.0
monte: MuscleNerd (MIPS version), Erik Arjan Hendriks (x86 version)

krwdealdb
04-13-2006, 01:22 PM
Jamie,

The 2.4.20 module worked like a charm and I was able to "fix" 38 shows last night. I was impressed that the mfs_rewrite noticed that three shows I told it to unscramble were already recorded that way and it just returned an error rather than trashing them. (I should know better than to do this stuff late at night when I am tired).

Thanks again for all your help.

-Ken

uscpsycho
04-21-2006, 03:11 PM
Long time reader/learner, first time poster (I think).

I have a HR10-250 which I hosed during an upgrade. It was an unhacked box. I was following the Weaknees directions (http://tivo.upgrade-instructions.com/step1.php) for upgrading from one drive to two drives and for some reason when I ran the mfsbackup - mfsrestore command I kept getting an error and it wouldn't run. Then I tried to boot with the original drive and it would not boot.

Following Weaknees I made a backup image of the system files (.bak) before the drive was hosed; and I was able to restore it to the drive and make it boot again.

HOWEVER - Now I can't watch any of my previously recorded and encrypted shows. They are all there in the Now Playing list, but most of them aren't playable. When I select them I get an error message telling me there was no signal or something to that effect.

I realize that this is a long shot, but I'm wondering if s2_unscramble might help me recover those programs?

I've tried searching for an answer to this question but no luck. It's really hard to come up with a search string that would give relevant results.

ScanMan
04-21-2006, 03:21 PM
The short answer is no unless you used the -Tao option to mfsbackup, in which case they would have been saved; so now you just have program names/links and the actual recordings are gone...pretty much forever, I'm afraid.

Jamie
04-21-2006, 03:24 PM
...
Following Weaknees I made a backup image of the system files (.bak) before the drive was hosed; and I was able to restore it to the drive and make it boot again.

HOWEVER - Now I can't watch any of my previously recorded and encrypted shows. They are all there in the Now Playing list, but most of them aren't playable. When I select them I get an error message telling me there was no signal or something to that effect.Most likely you made a backup that did not include the recordings. The NowPlaying entries are still there, but the recordings themselves are gone. If you want to recover them, you'll have to go back to your original disk, but from what you've said, you may have screwed that up, so it could be a lost cause.

uscpsycho
04-21-2006, 05:29 PM
The short answer is no unless you used the -Tao option to mfsbackup, in which case they would have been saved; so now you just have program names/links and the actual recordings are gone...pretty much forever, I'm afraid.

I did use the -Tao option. However, I'm not trying to restore my recorded programs from the target drive. I'm trying to restore the recorded programs from my ORIGINAL TiVo drive. No target drive was ever made because the mfsbackup/mfsrestore command always gave me an error.

Somehow my original drive got hosed in the process so that it would not boot. I restored the .bak image to the original drive and now it boots but can't play previously recorded stuff.

I have no reason to believe anything happened which would delete/corrupt all the programs from the original drive. They must still be there but the references in the Now Playing list are not accessing the programs recorded on the drive. Wondering if there is some other way to recover these programs. They are HD if it makes any difference.

Thanks for your help!

Jamie
04-21-2006, 05:33 PM
I did use the -Tao option. However, I'm not trying to restore my recorded programs from the target drive. I'm trying to restore the recorded programs from my ORIGINAL TiVo drive. No target drive was ever made because the mfsbackup/mfsrestore command always gave me an error.

Somehow my original drive got hosed in the process so that it would not boot. I restored the .bak image to the original drive and now it boots but can't play previously recorded stuff.

I have no reason to believe anything happened which would delete/corrupt all the programs from the original drive. They must still be there but the references in the Now Playing list are not accessing the programs recorded on the drive. Wondering if there is some other way to recover these programs. They are HD if it makes any difference.

Thanks for your help!When you restored the .bak file, you replaced everything on your original drive with the contents of the backup. The original recordings are gone. Unless your .bak file was huge (like 250GB or so), it almost certainly was not made with -Tao and did not include the recordings.

This discussion has nothing to do with s2_unscramble and is probably best moved to a newbie thread.

uscpsycho
04-21-2006, 06:09 PM
When you restored the .bak file, you replaced everything on your original drive with the contents of the backup. The original recordings are gone. Unless your .bak file was huge (like 250GB or so), it almost certainly was not made with -Tao and did not include the recordings.

This discussion has nothing to do with s2_unscramble and is probably best moved to a newbie thread.

Perhaps this should go to another thread. But I am specifically trying to figure out if I can recover my shows using the tool discussed in this thread. I don't think my question is totally OT, but the background on my situation -- which is necessary -- seems off topic. I'm not a total newbie.

I did not replace everything on my drive when I resotred the .bak. The .bak file I made is just the software image with wishlists, etc. The .bak file is very small, maybe 200MB or so, if I recall.

The .bak file was made using
mfsbackup -f 9999 -1so /mnt/backup.bak /dev/hdX

And the .bak was resotred to the drive using:
mfsrestore -s 127 -r 4 -zxpi /mnt/backup.bak /dev/hdZ

So the original recordings are there, they were not overwritten during the recovery. Any possibility s2_unscramble be used to recover these recorded programs?

Jamie
04-21-2006, 06:15 PM
I did not replace everything on my drive when I resotred the .bak. The .bak file I made is just the software image with wishlists, etc. The .bak file is very small, maybe 200MB or so, if I recall.Yes you did. You have a basic misunderstanding of how mfsrestore works: it replaces EVERYTHING on your drive.
The .bak file was made using
mfsbackup -f 9999 -1so /mnt/backup.bak /dev/hdXNo -Tao means no recordings are backed up (actually, no recordings with fsid over 9999, which will be all of them except the background loopsets).
And the .bak was resotred to the drive using:
mfsrestore -s 127 -r 4 -zxpi /mnt/backup.bak /dev/hdZThis clobbered the existing contents of your drive.
So the original recordings are there, they were not overwritten during the recovery.False.
Any possibility s2_unscramble be used to recover these recorded programs?Nope, they are gone.

Please take this elsewhere (http://www.tivocommunity.com/tivo-vb/forumdisplay.php?f=25) if you want to continue a debate about how mfsrestore works. Trust me, s2_unscramble cannot help you.

matt1981m
04-26-2006, 01:30 AM
i am helping someone unscramble their recordings and we are in need of some assistance. here is what we are dealing with... a HDVR2 w/ 6.2 image... we put a kill... whatever you want to call it 3.1.1c kernel inplace of the normal 3.1.5 kernel... we used the correct monte files and it boots the way we need it to...once it is booted, we play a few seconds of the program... and then try to run the commands to unscramble in place.... and it doesnt work... here is what we see



CubTivo-TiVo# rw
mounting read write
CubTivo-TiVo# tivosh
% mls /Recording/NowShowingByTitle
Directory of /Recording/NowShowingByTitle starting at ''

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----

% rew.tcl 259675
invalid command name "rew.tcl"
%
telnet> ^C
.....$ telnet -K 192.168.1.150
Trying 192.168.1.150...
Connected to 192.168.1.150.
Escape character is '^]'.
CubTivo-TiVo# cd /var
CubTivo-TiVo# ls
bin kcso.tcl packages state
cache log persist timestamp
dev lost+found rew.tcl tmp
etc mfs_rewrite run utils
hack mtab spool vardelete_flag
CubTivo-TiVo# rew.tcl 259675
# Running mfs_rewrite for show FSID 259675
can't open object (0x11007)

while executing
"db $db openidconstruction $showFsid"
(file ".//rew.tcl" line 40)
aborting open transaction ...
everything was transferred using binary mode and was chmod 755 on each file.... what could be causing this....

PS the fsid used (258675) was located using tytool


*****EDIT***** they sent me that text earlier... i had them then re-ftp the rew.tcl and other files in binary mode, and they told me it was the same issue still.....that is when i posted this.... after that they said they had to do a rw to get it to work (since they had not after files were trns and rebooted).... i am having them go thru the rest of the steps now....

flagmaster
05-03-2006, 02:54 PM
Ok, I just finished reading this entire thread. Im about to embark on this adventure. Im in the same boat most of us who have done this are in. I have implemeted the unscrable hack to the tivoapp patch, but I have about 30 shows, mostly in HDTV, that are still on the drive, and are scrambled. Id like to do the in-place unscrable method so I can use my nomral set of extraction tools at my leasure to get them off the drive. (I plan to arvhive these in HD to dvhs---something I have had great success with on the unscrabled shows).

My current tivo is in this state:

My hacks are all in /hack. (I dont use var--never really fully understood why people choose /var/hack. I hope this wont cause any additional pain).

My current root is hda4. I assume this means my current kernal (3.1.5c killed) is hda5.

My os is 3.1.5f.

I have usb drivers, telnet, fpt, tytools, and elseed, nano. (all in/hack).

Step 1: Obtain all the needed files to do the job.

I have downloaded, and un-tar'ed on my PC the S2_unscrable files at the start of this thread.

Based on what I have read, it would appear that Im also going to need to obtain possibly some older kernals, since my current kernal may, or may not work with the monte process.

Step 2: (related to step 1) I need to find out if my root is above the 137gb limit, and if so, this will mandate the use of a non-lba48 bootable kernal which will monte into a s2_unscrable kernal.

So, Im stuck at this point, HOW do I find out what kernal I need, and what monte I need based on step 2 above?

code and links to files at this point would be most hepfull.

Thanks in advance for everyone who has taken the time to contribute to this thread and post their expirence and help to others including me.

Flagmaster

Jamie
05-03-2006, 03:45 PM
...
My current root is hda4. I assume this means my current kernal (3.1.5c killed) is hda5.If you have a killhdinitrd'd kernel, it must be 3.1.5 (not 3.1.5c). The kernel partition should be hda3, if the root is hda4.


...

Based on what I have read, it would appear that Im also going to need to obtain possibly some older kernals, since my current kernal may, or may not work with the monte process.Many people have reported that a 2.4.20 kmonte.o (http://www.dealdatabase.com/forum/showthread.php?p=194533#post194533) from the killhdinitrd 3.1.5 kernel, to the 3.1.5 unscramble kernel works on an HR10. Yes, I've warned that the 2.4.20 kmonte.o doesn't always work, but others have reported that it works for this particular combination of from and to kernels. I'd try that first before messing with anything more complicated.
....
Step 2: (related to step 1) I need to find out if my root is above the 137gb limit, and if so, this will mandate the use of a non-lba48 bootable kernal which will monte into a s2_unscrable kernal.This is not an issue if you can monte from the 3.1.5 kernel.

matt1981m
05-03-2006, 04:08 PM
jamie i need your help.... i have been trying to monte using the 2.4.4 kmonte.o and the 3.1.1c kernel on my DSR704.... this worked on a HDVR2 with the same setup but i just cant get it to work. i have tried to use a symlink to point to the rc.sysinit.monte file i have created... but it says cant find file.... so i try to delete the symlink and mv /etc/rc.d/rc.sysinit.monte /etc/rc.d/rc.sysinit and then chmod 755 the file.... same thing... cant find file.... here is the bash output....


Loading R5432 MMU routines.

CPU revision is: 00005430

Primary instruction cache 32kb, linesize 32 bytes.

Primary data cache 32kb, linesize 32 bytes.

Linux version 2.4.4-TiVo-3.0 (build@buildmaster10) (gcc version 3.0) #9 Wed Jan 7 10:05:19 PST 2004

Determined physical RAM map:

memory: 04000000 @ 00000000 (usable)

On node 0 totalpages: 16384

zone(0): 16384 pages.

zone(1): 0 pages.

zone(2): 0 pages.

Kernel command line: root=/dev/hda4 dsscon=true console=2,115200 upgradesoftware=false

Monotonic time calibrated: 81.00 counts per usec

Calibrating delay loop... 161.38 BogoMIPS

Contiguous region 0: 8388608 bytes

Contiguous region 1: 1048576 bytes

Contiguous region 2: 10485760 bytes

Contiguous region of 19922944 bytes reserved at 0x80d00000.

Memory: 43720k/65536k available (1029k kernel code, 21816k reserved, 71k data, 60k init)

Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)

Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)

Page-cache hash table entries: 16384 (order: 4, 65536 bytes)

Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)

Checking for 'wait' instruction... unavailable.

POSIX conformance testing by UNIFIX

PCI: Probing PCI hardware

ttyS00 at iomem 0xb4100100 (irq = 79) is a 16550A

ttyS00 at port 0xbc010000 (irq = 133) is a unknown

ttyS00 at iomem 0xb4100140 (irq = 81) is a 16550A

ttyS00 at iomem 0xb4100120 (irq = 80) is a 16550A

Linux NET4.0 for Linux 2.4

Based upon Swansea University Computer Society NET3.039

Starting kswapd v1.8

block: queued sectors max/low 28941kB/9647kB, 128 slots per queue

RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize

Uniform Multi-Platform E-IDE driver Revision: 6.31

ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx

hda: HDT722516DLAT80, ATA DISK drive

ide0 at 0x400-0x407,0x438 on irq 87

hda: 268435455 sectors (137439 MB) w/7674KiB Cache, CHS=266305/16/63<7>fpga_ide_dmaproc: unsupported ide_dma_verbose func: 11


Partition check:

hda: [mac] hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 hda10 hda11 hda12 hda13 hda14 hda15 hda16

Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

ttyS00 at 0x0100 (irq = 79) is a 16550A

ttyS01 at 0xbc010000 (irq = 133) is a unknown

ttyS02 at 0x0140 (irq = 81) is a 16550A

ttyS03 at 0x0120 (irq = 80) is a 16550A

PPP generic driver version 2.4.1

PPP Deflate Compression module registered

NET4: Linux TCP/IP 1.0 for NET4.0

IP Protocols: ICMP, UDP, TCP

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 4096 bind 8192)

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

VFS: Mounted root (ext2 filesystem) readonly.

Freeing unused kernel memory: 60k freed

/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory

/bin/bash: /etc/rc.d/rc.sysinit: No such file or directory
and then it hangs.... if i place the drive in a pc and boot using the ptv lba48 cd and then mount the drive, i can see the rc.sysinit file in the /etc/rc.d/ directory and it shows up as executable.. i even tried manually setting it to executable....same thing... i had setup a script file to mount the drive, replace the kernel and rc.sysinit file, and set the permissions for me.... i then tried it manually to see if i could "trick it".... didnt work... the 3.1.1c kernel i am using is the kill'd one that came on the ptv lba48 cd.... what can i try next... if i place everything back to the original configuration it works.... as i mentioned, this worked on a HDVR2... using this copy of the kernel and other files....

Jamie
05-03-2006, 04:16 PM
jamie i need your help.... i have been trying to monte using the 2.4.4 kmonte.o and the 3.1.1c kernel on my DSR704.... this worked on a HDVR2 with the same setup but i just cant get it to work. i have tried to use a symlink to point to the rc.sysinit.monte file i have created... but it says cant find file.... so i try to delete the symlink and mv /etc/rc.d/rc.sysinit.monte /etc/rc.d/rc.sysinit and then chmod 755 the file.... same thing... cant find file.... here is the bash output....Ah, the "No such file or directory" problem... See this (http://www.dealdatabase.com/forum/showthread.php?p=224088#post224088) post and the posts that follow.

matt1981m
05-03-2006, 04:19 PM
Ah, the "No such file or directory" problem... See this (http://www.dealdatabase.com/forum/showthread.php?p=224088#post224088) post and the posts that follow.
sweet thanks!!! i will try it now!!

******UPDATE******
i used metapad to edit the file so i know it us unix friendly... here is the text of the monte rc.sysinit....

#!/bin/bash
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '
/bin/bash</dev/ttyS2&>/dev/ttyS2&
bootparm=`/sbin/bootpage -p /dev/hda`
if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte-mips/2.4.4/kmonte.o
/monte-mips/monte /vmlinux.px.3.1.5x "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
echo "monte sysinit wrapper complete, you're on your own"
here is my original rc.sysinit file....

#!/bin/bash
##############################################################################
#
# File: /etc/rc.d/rc.sysinit
#
# Description: System startup script, run once at boot time
#
# Copyright (c) 2003 TiVo Inc.
#
#############################################################################

#
# Given a filename, determine if it should be filtered out, based
# on whether or not any . separated piece of the filename matches
# a prefix and not the filter target
#
function FilterOut () {
local filename=$1
local prefix=$2
local filter=$3

local fragment_1 fragment_2 fragment_3 fragment_4 fragment_5

fragment_1=${filename#*.$prefix}
if [ "$filename" != "$fragment_1" ]; then
# prefix found, now check the filter target
fragment_2=${fragment_1%%.*}
if [ "$fragment_2" = "other" ]; then
fragment_3=${filename#/*/rc.Sequence*.}
fragment_4=${fragment_3%%.*}
fragment_5=${filename%$fragment_3}
if [ -f $fragment_5$fragment_4.*$prefix$filter.*sh ]; then
# true: filter this one out, this is an "other" script
# where a script exists that matches both the filter
# target and the main script name
# NOTE: this doesn't verfiy that any other filters
# match, which can get a little hairy
if [ "$DebugStartupScripts" = "true" ]; then
echo -n "Skipping script $filename because of target match:"
echo " " $fragment_5$fragment_4.*$prefix$filter.*sh
fi
return 0
fi
elif [ "$fragment_2" != "$filter" ]; then
# true: filter this one out
return 0
fi
fi

# false: don't filter this one out (keep it)
return 1
}

#
# Run all the scripts that pass the filter for a given stage
#
function RunStage () {
local StageToRun=$1

echo "Running boot Stage $StageToRun scripts"

for ScriptFragmentFile in /etc/rc.d/Stage$StageToRun/rc.Sequence_*.sh ; do

# If .Platform_<platform> specified, filter it against
# our detected platform
if FilterOut $ScriptFragmentFile Platform_ $HpkPlatform; then
continue
fi

# If .Implementation_<implementation> specified, filter it against
# our detected implementation
if FilterOut $ScriptFragmentFile Implementation_ $HpkImplementation; then
continue
fi

# If .Implementer_<implementer> specified, filter it against
# our detected implementer
if FilterOut $ScriptFragmentFile Implementer_ $HpkImplementer; then
continue
fi

if [ -f $ScriptFragmentFile ]; then
if [ "$DebugStartupScripts" = "true" ]; then
echo "About to invoke $ScriptFragmentFile"
fi
source $ScriptFragmentFile
else
# May be a dangling symlink, directory, or no scripts present
echo "$ScriptFragmentFile cannot be run"
fi
done
}

echo "Starting rc.sysinit"

for SysinitStage in A_PreKickstart \
B_PostKickstart \
C_MediaInitialization \
D_PreMfs \
E_PreApplication \
F_ApplicationLaunch \
G_PostApplication ; do
RunStage $SysinitStage
done

echo "rc.sysinit is complete"

as you can see both have the pound bang pointing to the same place... i didnt FTP the files... i pulled the drive and loaded them using a pc booted into linux using the lba48 cd.... what else could be happening.... i really appreciate all of your input on this situation...

ScanMan
05-05-2006, 12:45 PM
I'm gonna take a shot at this...it looks like you're using a 160GB drive but the kernel is only seeing the first 137 (OK, since you are booting 3.1.1c); could the root partition be above the 137 mark? Using the capital P option of pdisk will show you the partition layout in order by base address on the disk.

However, somehow I remember you trying this with 3.1.5 earlier in the thread with the same results, so probably not. Food for thought.

matt1981m
05-05-2006, 02:06 PM
I'm gonna take a shot at this...it looks like you're using a 160GB drive but the kernel is only seeing the first 137 (OK, since you are booting 3.1.1c); could the root partition be above the 137 mark? Using the capital P option of pdisk will show you the partition layout in order by base address on the disk.

However, somehow I remember you trying this with 3.1.5 earlier in the thread with the same results, so probably not. Food for thought.
not quite same results....but the end result was the same... it didnt work... am i correct in saying at the bash prompt enter "pdisk -P".....if so i will try it tonight... i have to go to work....

ScanMan
05-05-2006, 02:14 PM
I think you have to go:

pdisk -i /dev/hdx --for interactive
e --for edit
P --P for print info

This (http://www.cfcl.com/~eryk/linux/pdisk/index.html) is a good resource with a link to man pages. Also, a fellow member's experience noted here (http://www.dealdatabase.com/forum/showthread.php?t=47356).

matt1981m
05-05-2006, 02:35 PM
I think you have to go:

pdisk -i /dev/hdx --for interactive
e --for edit
P --P for print info

This (http://www.cfcl.com/~eryk/linux/pdisk/index.html) is a good resource with a link to man pages. Also, a fellow member's experience noted here (http://www.dealdatabase.com/forum/showthread.php?t=47356).thank you scanman... i will try that later tonight after i get off work.....will post the outcome....

******UPDATE******5/18: i didnt get a chance to find out what was happening by checking if the root partition was over the 137 gb mark untill tonight.... it is... i have a dtivo w/ a 120 gb drive that i will use by shuffling the recordings around so i have the recordings on that drive and then i will start over w/ the monte setup and will post again w/ the result...

simian
05-19-2006, 03:31 AM
First, many thanks to all contributors in this thread! (http://www.dealdatabase.com/forum/showthread.php?t=39207) After 2 days of reading threads and copying resources, this first time Tivo hacker got the s2_unscramble to work right off the bat. So I’ll share what I did and the tool links I used. Bear in mind this is not a guide but it worked for my DTivo, and think finding all the necessary steps on one post would be helpful to most uninitiated. Most archives used below have README files or manuals.As always rule #1: RTFM (Read The Friendly Manual) First!

If you need to:

Backup shows from a virgin DTivo and had scrambling enabled.

Operational Summary:

Scrambled show streams require the crypto-chip on the Dtivo to be unscrambled. A special Kernel is used to cache the crypto keys from a show that is played for a fews seconds. Special mfstools or tytools utilize this cache and apply it to unscramble the show as it is transferred from the Tivo. The special Kernel is not hacked to skip initrd, since it predates killhdinitrd, and will not avoid the clean up routined that kill all hacks. The trick is to utilize a ‘monte’ setup: use a kernel that has been patched to skip the initrd routines, replace rc.initrd with routines that will initially load this kernel, and then immediately load the special Kernel image file with monte.

What I used:

Phillips DSR708, Virgin, Series 2, 80GB HDD, 2.4.20 Kernel
Netgear FA120 USB 2.0 wired Ethernet adapter
USB Flash Drive – comes in handy to transfer files prior to network enabling the DTivo
Tivo serial cable – handy for debugging a script failure (here (http://www.tivohelp.com/archive/tivohelp.swiki.net/35))
PTVupgrade LBA48 CD v4.04 Enhancements – to get a killhdinitrd kernel. Well worth the $5.00!!! (here (http://downloads.ptvupgrade.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=LBA48DD&Category_Code=))
Zipper scripts – all-in-one scripts/files to Net enable your DTivo and disable the stream scrambling (here (http://www.mastersav.com/tivo_zipper.html))
S2_unscramble tools & kernel archives – to descramble the a/v streams (at the beginning of this thread, here (http://www.dealdatabase.com/forum/showthread.php?t=39207))
Monte for 2.4.20 kernel [monte-mips-20041117.tgz] – to load the unscramble kernel (here (http://www.dealdatabase.com/forum/showthread.php?t=37225))
TyTool9r14 – used to extract the video from the Dtivo on a PC. Note the version #. Get (here (http://www.dealdatabase.com/forum/showthread.php?t=34402))
Nowshowing.tcl from the mfs-utils_bin.mips-20050604.tar.bz2 archive (here (http://www.dealdatabase.com/forum/showthread.php?t=39487))

Note: Unix commands are in BOLD. Some MFS tools are named with a hyphen (ie: mfs-backup) so, if one command fails try it with a hyphen.

If you have a hacked Tivo already, skip to Step 5:

Procedure:

1 - Opened the Dtivo. See here (http://www.weethet.nl/english/tivo_dtv2_os6hack_page2.php). Do not follow the directions other than the removal and insertion of the drive into your PC.
2 –Backed up the drive. Not recommended to skip this!!! Save the original drive in a safe place. While you’re at it, get a 160GB or larger drive like I did for increased capacity. The PTVupgrade LBA48 CD supports large capacity drives, and the killhdinitrd kernels support LBA48 also. However the kernels for the unscramble do NOT support LBA48, but LBA42. This is not an issue for a Virgin DSR708, but if you have already expanded by adding a drive, your root partition may be beyond the LBA42 support for the unscramble kernel and will fail immediately after the unscramble kernel is Monted.

Assuming: HDA = Primary master. New tivo Drive (160GB)
HDC = Sec master. Old tivo drive (80GB)
HDD = CD-ROM

SDA = USB Flash drive – makes it easy to copy files over from my PC.

Look over the Hinsdale How-To. (http://www.newreleasesvideo.com/hinsdale-how-to/index9.html) Keep in mind that we want to *keep* all the video on the drive, and most guides like the Hinsdale walk you through making a ‘small’ single-file backup without the user recorded video streams.
This is important since the back up is a single file, usually about 200MB compressed, that is copied over to a FAT32 partition on the Target drive using MFSBACKUP. FAT32 is limited to 2046MB for any single file, so even if your FAT32 partition is 80GB, you can never backup the entire source drive with all streams to one file. There are acouple of ways around this.

I decided to make 2 backups: small – as an archive, and complete -- for a final work drive.

I went ahead and made a ‘small’ backup to a 15GB FAT32 formatted drive first:
1- Added 15GB drive with 1 partition formatted to FAT32 as Primary master (HDA)
2- Use the PTVupgrade LBA48 CD to boot up
3- Mount HDA: mount /dev/hda1 /mnt/c
4- make the backup: mfsbackup -6so /mnt/c/tivo.bak /dev/hdc
5- umount /mnt/c
6- halt
7- Shutdown and remove the 15GB drive.

I made the full backup to a 160GB drive next. There are 3 ways that I know of --
Method 1: (I used this method)
1- Added 160GB drive, unpartitioned as Primary master (HDA)
2- Use this command to backup and pipe the data to a restore command without a backup file:
mfsbackup -Tao - /dev/hdc | mfsrestore -s 255 -xzpi - /dev/had
The –x parameter expands the source recording capacity to the entire capacity of the target 160GB drive.
The –s parameter expands the swap file, just in case is is needed.
Method 2:
1- Added 160GB drive, unpartitioned as Primary master (HDA)
2- DD copy one drive to another, then use MFSADD to expand the content to the 160GB capacity.
a- dd if=/dev/hdc of=/dev/dha
b- mfsadd -x /dev/hdc /dev/hdb
Method 3: (single file backup - may not work)
1- Added 160GB drive, partitioned as ext3 as Primary master (HDA)
2- Backup the source drive as as single file to a partition that supports large files.
a- mount /dev/hda1 /mnt/tivo
b- mkfsbackup -6sao /mnt/tivo/tivoall.bak /dev/hdc

I used method 1. Method 2 should work fine. I tried method 3 first, but I couldn’t get it to work. I’m not all too familiar with Linux, but it seems EXT2 (at least using the kernel from the boot CD) is also limited to 2046MB per file. So I tried EXT3, but it also failed. Seems support may be limited by the kernel. I gave up of this before trying ReiserFS which I know for sure supports files >2046MB.

3- Find the active root partition:
bootpage -p
result
root=/dev/hda4

This means that the active root partition is /dev/hda4, so the active kernel partition is /dev/hda3

Keep in mind that there 2 sets of linux partitions as seen in the typical Tivo partition layout below:

1 partition table
---
2 boot
IMAGE
3 kernel &#223; Active
IMAGE
4 root
EXT2
5 boot
IMAGE
6 kernel
IMAGE
7 root
EXT2
8 swap
SWAP
9 /var
EXT2
10 mfs master partition
MFS
11 mfs media partition
MFS

Active partitions are green, and the inactive set is red. Note that these partitions are typically mounted as READ ONLY during normal operations. The partition scheme has 2 sets to allow for seamless revision upgrades. The Swap partition is shared. The /var partition holds volatile data tht may be deleted without notice. The MFS partitions hold database and stream data.

- END PART 1 -

simian
05-19-2006, 03:33 AM
- Part 2 -

4- To hack the Tivo the active Kernel in /dev/hda3 needs to be be hacked to skip the normal initrd routines. I first tried to extract the virgin kernel from the Dtivo via:

mount /dev/sda1 /mnt/c
dd if=/dev/hda3 of=/mnt/c/original_kernel.img

Where /dev/sda1 is my 128MB usb flash drive partitioned and formatted as FAT32. I then stuck the flash drive in my WinXp PC and ran a MD5 checksum with a freeware tool. Unfortunately it did not match any of the signatured listed in the killhdinitrd-0.9.3.zip archive README file. Rats! A hexed string search revealed that it was a 2.4.20 kernel. Hunting/begging for a virgin v3.1.5 (2.4.20) kernel from the readme proved futile, or even a killed one for that matter. So I broke down and bought the PTVupgrade LBA48 CD v4.04 Enhancements which includes pre-killed s2_kernels, inclusing v3.1.5 (2.4.20). I highly recommend just buying the disk.

I Copied the killed kernel from the cdrom in /s2_kernels/3_1.5/VMLINUX_.GZover to my flash drive. Then, I copied the Zipper script files over to my flash disk. The requisite files can be located (here (http://www.mastersav.com/tivo_zipper.html)). Be sure to start at Step 4 at this link, and that all files listed are there EXCEPT the 000001, since there is already a valid Tivo drive full of video in /dev/hda.

I inserted the flash drive into the system running PTVupgrade, rescanned usb (or reboot).
Note: The scripts expect to be mounted in path /cdrom.

mount /dev/sda1 /cdrom

I proceeded with step 5.

Note: If using WinXP telnet, be sure to do this to avoid Carriage Returns, assuming 192.168.1.10 is th Tivo IP:

telnet
unset crlf
o 192.168.110

I selected no to the advanced setup.
I did not select to use EndPad Plus.
I went ahead with the netperf script since I found a win32 version of the netperf tools to try performance testing.
Do not use color in the bash prompt if you want to use Tytools for exctraction, since it makes the prompt detection a bit difficult.

5- All is well, and now time to prepare the Monte procedure. Be sure to review the README file in the s2_unscramble file.

The Current kernel is now v3.1.5 (2.4.20), and there is a matching unscramble kernel v3.1.5 (2.4.20) available in the s2_unscramble kernel archive.

Note: some say that the 2.4.20 monte is flaky and may fail to boot the second kernel in certain kernel configs. All I can say is that it works fine in this matched configuration.

Telnet to the Dtivo. I use LeechFTP (http://stud.hs-heilbronn.de/~jdebis/leechftp/files/lftp13.zip) to FTP to the Dtivo from my WinXP machine. Click the Binary file type icon in LeechFTP just in case.
Enter the rw command at the prompt to make the mount Read/write.

I exctracted the s2_unscramble archive in as windows temp folder and ftp’d the s2_unscramble folder and contents to the tivo as /s2_unscramble. Hit Resfresh in leechFTP. You can see the permissions for the new folder and files in the LeechFTP destination window. The unscrambling version of the Tytools server requires nowshowing.tcl. Copy NowShowing.tcl from mfs-utils_bin.mips-20050604.tar.bz2 over to /s2_unscramble.Other versions of NowShowing.tcl may not work. Chmod 755 all files if need be.

I backed up all the files from /etc/rc.d and /var/log via FTP to the WinXP PC.

With telnet, at the bash prompt:

cd /etc/rc.d
vi rc.sysinit.monte

Enter the following in to the vi editor:

#----------------------------------------------
#!/bin/bash
# bogus rc.sysinit, checks for monte
export PATH=/sbin:/bin:/tivobin:/tvbin:.:/:/etc/rc.d
export TERM=xterm
export PS1='\h:\w$ '

#enable this next line if you're paranoid
#/bin/bash</dev/ttyS2&>/dev/ttyS2&

bootparm=`/sbin/bootpage -p /dev/hda`

if [ "$sp" != "true" ]; then
echo "sp=\"$sp\" must be first pass, trying to run monte"
/sbin/insmod -f /monte/kmonte.o
/monte/monte /monte/vmlinux.px.3.1.5x "$bootparm sp=true"
else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fi
echo "monte sysinit wrapper complete, you're on your own"
#----------------------------------------------

Save the file and exit the editor. This file will replace rc.sysinit, and the real rc.sysinit file will be copied to rc.sysinit.real. Type at the telnet bash prompt:

cp /etc/rc.d/rc.sysinit /etc/rc.d/rc.sysinit.real
cp /etc/rc.d/rc.sysinit.monte /etc/rc.d/rc.sysinit
mkdir /monte
rm /var/log/kernel

I then extracted the s2_unscramble kernel archive, and monte-mips-20041117.tgz in a windows temp folder. Then I ftp’d monte , kmonte.o , and vmlinux.px.3.1.5x to /monte
At the bash prompt, set the permissions:

chmod 755 monte
chmod 755 kmonte.o
chmod 755 vmlinux.px.3.1.5x

So this is what happens:

Initially the killhdinitrd kernel v3.1.5 in /dev/hda3 loads and runs rc.sysinit as listed in the code above, and initially inserts the kmonte.o module into the kernel and executes monte with the unscrmable kernel image file as a parameter. The unscramble kernel then executes and runs rc.sysinit as a “second pass” and executing rc.sysinit.real. Type reboot to restart the Dtivo.

If all is well, the Dtivo will boot as normal. Otherwise you will need the serial cable to find out what is happening and capture the kernel log. To see the kernel log of a booted Dtivo:

cd /var/log
vi kernel

Search for the word ‘monte’, to see the modifications made by the new rc.sysinit.

Play a couple of seconds of a scrambled show. Check the bottom of the kernel log file for lines like:

Oct 24 19:15:16 (none) kernel: add_first_or_middle: 2403569106,1,0,0,...
Oct 24 19:15:16 (none) kernel: add_end: 2403569106,1,0,0,2042787767,...
Oct 24 19:15:16 (none) kernel: iscram: 2 chunk keys cached

Lines like these must be logged before you proceed with unscrambling. If not, try another show, and make sure that the you can see “monte sysinit wrapper complete” in the kernel log after a reboot.

Be sure to play a few seconds of any show you are going to export.

Time to run TyTool9r14.exe client on the WinXP box. Be sure to disable any personal firewall, or add the executable to the exceptions list on the LAN. Follow the instructions (here (http://www.weethet.nl/english/tivo_extract_videos.php), but see next paragraph) on how to run Tytools, get a show listing, exctract the video to a myshow.ty file and how to mux that to a regular myshow.mpg.

There is one big exception to the instructions! Do not use the MIPS server included with the 9r14 archive. We are going to use the server that was copied to the /s2_unscramble folder on the Dtivo. This server has been modified to perform the unscrambling with the keys cached whenever a show is played! It can be started manually with the following command:

/s2_unscramble/tserver_mfs -s /s2_unscramble/NowShowing.tcl

You can use this within the client under Server&#224;Execute String. Just be sure to set Server&#224;set Tivo Shell Prompt to your bash prompt text. TIP:If your bash prompt has extended characters or color, you will need to capture the raw prompt to a text file with your telnet client.

Good Luck!

desertracer
06-28-2006, 08:27 PM
great write up! I'm going to try it tonite with my hacked HR10-250.

dr_mal
07-15-2006, 05:31 PM
So I've got a HR10-250 (3.1.5f) that belongs to a guy I know. His HDMI port was bad, so he called DirecTV and had a replacement shipped out. He put the old drive (stock machine - recordings are encrypted) into the new HR10-250 and is getting the error 51. His goal is to unscramble the recordings so that his new machine can play back the recordings that were encrypted with his prior machine (which has already been sent back to D*)

If I'm reading the README correctly, I believe the following statements are true:

I need to be able to at least start playing the shows on his TiVo before I can unscramble them.

I can't start playing the shows unless I run 51killer.tcl

51killer.tcl blows away the decryption keys needed to unscramble shows.

Is my understanding correct?

Is there any way to preserve my friend's recordings?

Jamie
07-15-2006, 05:38 PM
Is there any way to preserve my friend's recordings?
The recordings are tied to the crypto chip in the tivo they were recorded on. You can only unscramble them on that tivo. The fact that the HDMI port is dead should not matter. Too bad the shows weren't unscrambled before the old tivo was sent back.

dr_mal
07-15-2006, 05:52 PM
The recordings are tied to the crypto chip in the tivo they were recorded on. You can only unscramble them on that tivo. The fact that the HDMI port is dead should not matter. Too bad the shows weren't unscrambled before the old tivo was sent back.
That's what I thought. I wish he'd called me BEFORE he sent the original machine back to D*.

Thanks for the quick response.

Jetstream
08-28-2006, 07:45 PM
I wanted to run this past those with more experience than I.

I have an older HR10-250 (3.1.5f-01-2-357) I recently hacked and added a 200gb drive with no problems.

I have extracted to PC a few shows I want to descramble with S2. My idea is to take a virgin drive, install the kernel and monte setup, insert those shows, descramble and extract.

My reasoning here is that the original drives and setup stay untouched.

Any thoughts?

Jamie
08-28-2006, 07:49 PM
Any thoughts?Sounds like it would work. But you need to make sure the new drive gets the same DiskConfigurationKey. See the readme.txt in the mfs_ftp scramble_utils subdirectory for details.

Jetstream
08-28-2006, 09:23 PM
Thanks Jamie, it seems like I've read that before, but poking around I don't see that directory. I was assuming it was in one of the two files at the beginning of this thread.

There are a couple readme's in those files but they are in a format my XPSP2 box doesn't recognize... yet.

The only extra ata drive I have is a 60gb. Is there any problem using it other than if the shows I want to insert are larger than that?

The reading I've done tells me it's the partition size that's important.

Jamie
08-28-2006, 10:15 PM
Thanks Jamie, it seems like I've read that before, but poking around I don't see that directory. I was assuming it was in one of the two files at the beginning of this thread.

There are a couple readme's in those files but they are in a format my XPSP2 box doesn't recognize... yet.Go find the mfs_ftp thread (here (http://www.dealdatabase.com/forum/showthread.php?s=&threadid=21915&perpage=1)). It's in mfs_ftp.tar.zip.


The only extra ata drive I have is a 60gb. Is there any problem using it other than if the shows I want to insert are larger than that?

The reading I've done tells me it's the partition size that's important.A standard mfstools backup can only be restored back to a drive that is at least as large as the original size of the tivo it came from. The exception is the hand crafted "minimal" images, but I don't think anyone has made one of those for the hdtivo.

Jetstream
08-29-2006, 10:05 AM
Jaimie, thanks for pointing me in the right direction. I have read all of those readme files, but I only retain bits and pieces until I start using it.

Mythica
08-31-2006, 09:10 PM
Well, I tried simian's write up to unscramble my DSR704 recordings and TyTools wouldn't give me the NowShowing list. It says there is an error in the NowShowing file. I followed the instructions to the letter from step 5 down (I had already Zipper'ed my drive), but I did have to rename the NowShowing file to NowShowing.tcl because there was no suffix on it. Anyone else having this problem?

EDIT: Nevermind... I see I'm using the wrong NowShowing file. It's suppose to be the one from the *src* file.

EDIT again: Well, the NowShowing list comes up, but when I try to download a file, it runs for a second and then stops. *sigh* Everything is coming up returning -1.

chezpaul
09-29-2006, 09:34 PM
So I have a HDR10-250 brand new, hacked with telnet and ftp access and tivowebplus running on it. I tried running Tivotool 0.6.1 and it works fine, sees vserver and sees my shows. Now I need to make it so that all new shows be unscrambled (as I have no shows on the Tivo yet). I only need to hack my tivoapp so that it unscrambles my shows from now on right ? Or am I missing something
Is this all that I should be doing ?

1.cp /tvbin/tivoapp /tvbin/tivoapp.orig

2.cd /tvbin
mv tivoapp tivoapp.tmp
cp tivoapp.tmp tivoapp
chmod 755 tivoapp

3.echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6984684

4.reboot

People who change their kernel etc do this in order to unscramble their existing shows if I understood it right.

chezpaul
10-07-2006, 06:18 PM
No worries, thanks for everyone's help in this forum. I got it all working.
I would also like to thank the people from the ptvupgrade forums who's been an amazing help.(They actually answer questions).
Thanks again. :)

Swytch
10-12-2006, 08:27 PM
first off thanx for everyones work on this...

I have been reading through this thread and related information for the past few days, and am gettign ready to try this on my hr10-250...

but there is one thing i havent quite figured out for sure... i keep reading that the unscramble kernal does not have LBA48 support, and as the drive in the HR10-250 is 250GB, im going to need this... especially as my drive is pretty full of scambled recordings...

do i need to transfer everything to a smaller drive (and possibly do the unscamble twice)?

is there a kernal i can use for unscamble that will work on the HR10-250 and has LBA48 support?

btw i am on software vers 3.1.5f

thank you!

cheer
10-12-2006, 08:34 PM
The 3.1.5 S2_Unscramble does indeed have LBA48 support.

JohnSorTivo
10-12-2006, 08:35 PM
i keep reading that the unscramble kernal does not have LBA48 support, and as the drive in the HR10-250 is 250GB, im going to need this... especially as my drive is pretty full of scambled recordings...Not sure where you gleaned such information, however, the unscramble kernel does indeed have LBA48 support, as stated in the very first post of this thread.

EDIT: Or, what Cheer said. Too slow!

Swytch
10-12-2006, 08:55 PM
Not sure where you gleaned such information, however, the unscramble kernel does indeed have LBA48 support, as stated in the very first post of this thread.

I guess I just got confused over some of the posts I was reading that were saying the kernels were only lba42 (specifically the post by simian)


However the kernels for the unscramble do NOT support LBA48, but LBA42. This is not an issue for a Virgin DSR708, but if you have already expanded by adding a drive, your root partition may be beyond the LBA42 support for the unscramble kernel and will fail immediately after the unscramble kernel is Monted.

thank you for the quick answer JohnSorTivo and Cheer!!

looks like I have a project for my day off tomorrow!

cheer
10-12-2006, 09:42 PM
I guess I just got confused over some of the posts I was reading that were saying the kernels were only lba42 (specifically the post by simian)



thank you for the quick answer JohnSorTivo and Cheer!!

looks like I have a project for my day off tomorrow!
Yeah I think Simian's comments probably pre-date the 3.1.5 S2_Unscramble kernel.

I will give you this note however: the normally accepted process is to boot up using a 3.1.1c killhdinitrd'd kernel, then use the 2.4.4 kmonte.o and monte to the 3.1.5 S2_Unscramble kernel. This is because the 2.4.4 kmonte.o appears to be more stable than the 2.4.20 version.

However...it's possible that your kernel partition and/or the root partition (or the monte bits and the S2_Unscramble kernel) lay outside the 137GB boundary, in which case this might fail. In that situation, boot from the 3.1.5 killhdinitrd kernel and use the 2.4.20 kmonte.o to monte to the 3.1.5 S2_Unscramble kernel.

flagmaster
10-12-2006, 11:17 PM
On thing your proabaly going to run into as well, is that the "nowshowing.tcl" that comes with this package is the wrong one for a HR10-250.

If you have trouble locating all the needed files for the Hr10-250 to do your inplace unscrable (I personally dont recomend this) or the tserver_mfs off load procedure (much better and safer in my opnion) PM me and I will help you find them.

In a boiled down set of instrctions, this is what I did for my HR10-250.

/vmlinux.px.3.1.5x into root.
mkdir monte-mips (folder in root)
/monte-mips/monte (10k file)
mkdir /monte-mips/2.4.20 (folder in folder)
/monte-mips/2.4.20/kmonte.o (11k file)

/hack/tserver (155k--nomral non scrable tserver)
/hack/tserver_mfs (54k) use this one to serve up scrabled files
/hack/nowshowing.tcl (15k)

/etc/rc.d/rc.sysinit.monte
/etc/rc.d/rc.sysinit.real

LN -s /etc/rc.d/rcsysinit.monte /etc/rc.d/rc.sysinit

Note sysinit.real and sysinit.monte will not be "auto run" buy your tivo bootup, only "rc.sysinit" gets booted. The above link command makes a "virtual" rc.sysinit that points to rc.sysinit.monte which calls up rc.sysinit.real (your normal startup file) Dont forget to rename your normal startup file from rc.sysinit to rc.sysinit.real.



MAKE SURE your rc.sysinit.monte and .real are fully reable on the tivo's hard drive and that they look fine in nano or pico or joe or vi or whatever you use, each text line dose end in a real <return> and thus should drop to the next text line. MOST FTP CLIENTS send these as dos files and screw that all up. YOU CANT FIX THIS ON A TELNET IN, you must pull your A drive and boot into a linux CD and check these files and fix them if needed before you attempt to boot your tivo, if they are wrong, you tivo is dead. To fix it you will need to pull the A drive, mount the root file system and make the corrections on your pc.

PLEASE make sure you have a backup of your A drive before attempt to do a monte!

Carey

Swytch
10-13-2006, 12:58 AM
On thing your proabaly going to run into as well, is that the "nowshowing.tcl" that comes with this package is the wrong one for a HR10-250.

If you have trouble locating all the needed files for the Hr10-250 to do your inplace unscrable (I personally dont recomend this) or the tserver_mfs off load procedure (much better and safer in my opnion) PM me and I will help you find them.

Thank you, I was not aware of that.

I was planning on using tytool, as this is what I set up for extracting my newly recorded shows that are already unscambled.. I was thinking about looking into mfs_ftp, but havent yet, is it better for any reason?


PLEASE make sure you have a backup of your A drive before attempt to do a monte!

definately, original drive is actually sitting in a bag from after I cloned it to the one I hacked

cheer
10-13-2006, 08:33 AM
My memory tells me that it was easier to get TyTool running for extraction, but I may just have been lazy.

Swytch
10-13-2006, 03:29 PM
Yeah I think Simian's comments probably pre-date the 3.1.5 S2_Unscramble kernel.

I will give you this note however: the normally accepted process is to boot up using a 3.1.1c killhdinitrd'd kernel, then use the 2.4.4 kmonte.o and monte to the 3.1.5 S2_Unscramble kernel. This is because the 2.4.4 kmonte.o appears to be more stable than the 2.4.20 version.

However...it's possible that your kernel partition and/or the root partition (or the monte bits and the S2_Unscramble kernel) lay outside the 137GB boundary, in which case this might fail. In that situation, boot from the 3.1.5 killhdinitrd kernel and use the 2.4.20 kmonte.o to monte to the 3.1.5 S2_Unscramble kernel.

well since my killhdintrd'd kernel on my drive was already 3.1.5 i decided to try the latter process using simians method, however am now caught in a reboot loop... could oyu give me some help on what to do from here?

whats the easiest way to change to the 3.1.1c killhdintrd'd kernel so i can go back to 3.1.5 after unscrambling?

cheer
10-13-2006, 03:38 PM
well since my killhdintrd'd kernel on my drive was already 3.1.5 i decided to try the latter process using simians method, however am now caught in a reboot loop... could oyu give me some help on what to do from here?

whats the easiest way to change to the 3.1.1c killhdintrd'd kernel so i can go back to 3.1.5 after unscrambling?
Tough to know what's going on without a boot log. EDIT: my gut says this isn't the kmonte 2.4.20 problem. No evidence...except that montes are easy to screw up.

You can just dd the 3.1.1c killhdinitrd'd kernel to your boot partition and replace the 2.4.20 kmonte.o with the 2.4.4 kmonte.o.

ScanMan
10-13-2006, 03:43 PM
well since my killhdintrd'd kernel on my drive was already 3.1.5 i decided to try the latter process using simians method, however am now caught in a reboot loop... could oyu give me some help on what to do from here?

whats the easiest way to change to the 3.1.1c killhdintrd'd kernel so i can go back to 3.1.5 after unscrambling?Monte will reboot once into the monte-to kernel; that's normal behavior. Are you using the 2.4.20 version of kmonte.o? Did you 'chmod 755 rc.sysinit.monte'? You should attach a console log b/c that will reveal lots...

EDIT: Cheer beat me to it!

flagmaster
10-13-2006, 03:53 PM
Im not sure what method you took to do your monte, but I had this same problem, when I reboot, the tivo would just stop loading and sit there at the "Welcome" screen. After only a few secods, the drive activity led (my own mod) would stop cold.

The problem was I forgot to do the LN command to the rc.sysinit.real, thus without this, there was NO rc.sysinit, and thus no boot up procedure.

This proabaly wont help you.

At this point, if your stuck a reboot loop, your gonna have to pull your drive and mount your root file system and see if you can figure out whats going on.

Check your rc.sysinit files, or dd back your last working config, or do a full restore.

Carey

Swytch
10-13-2006, 05:08 PM
ok, so i replaced rc.sysinit with rc.sysinit.real (orig) and it boots up fine again now...

i forgot about grabbing a log... and it now replaced with a succesful boot log (any way to get old one?)

anyone have any advice on how i should proceed next? im not sure what went wrong first time...

Swytch
10-13-2006, 06:01 PM
The problem was I forgot to do the LN command to the rc.sysinit.real, thus without this, there was NO rc.sysinit, and thus no boot up procedure.

the LN command is not working for me, when i type it at my bash prompt it says "bash: LN: command not found"

Swytch
10-13-2006, 06:47 PM
Tough to know what's going on without a boot log. EDIT: my gut says this isn't the kmonte 2.4.20 problem. No evidence...except that montes are easy to screw up.

You can just dd the 3.1.1c killhdinitrd'd kernel to your boot partition and replace the 2.4.20 kmonte.o with the 2.4.4 kmonte.o.

ok so i tried dd'ing the 3.1.1c killhdinitrd'd kernel from the PTVUpgrade cd and using the normal rc.sysinit and it went into a reboot loop, dd'd the 3.1.5 killhdinitrd'd kernel and booted up fine again...

im having trouble locating a log file, i cant find it once i pull the tivo hd and put it in my pc, im not sure i understand how to make a serial cable, but i beleive i have a texas instrument cable that i read should work, ill try to find it, but may need some help using it...

im thinking it must be something with my rc.sysinit.monte file or rc.sysinit setup, can anyone provide any guidance?

cheer
10-13-2006, 06:50 PM
im having trouble locating a log file, i cant find it once i pull the tivo hd and put it in my pc, im not sure i understand how to make a serial cable, but i beleive i have a texas instrument cable that i read should work, ill try to find it, but may need some help using it...
Are you mounting /dev/hd#9? Logs are in /var/log, which is a different partition from /.

ScanMan
10-13-2006, 06:51 PM
the LN command is not working for me, when i type it at my bash prompt it says "bash: LN: command not found"I think he means lowercase 'ln' as in link - create a symbolic link. Although you don't need to do that. By renaming 'rc.sysinit' to 'rc.sysinit.real' and 'rc.sysinit.monte' to 'rc.sysinit' they will be run at startup. This is the key part of the code:

else
echo "sp=\"$sp\" must be second pass"
exec /etc/rc.d/rc.sysinit.real
fiYour "real" rc.sysinit gets executed by the "bogus" rc.sysinit (i.e., rc.sysinit.monte) after monte is complete. Doublecheck your file permissions and make sure you are using the correct version of 'kmonte.o' for your monte-into kernel. Provide an 'ls -l' of your /etc/rc.d and /monte directories as well as your 'rc.sysinit.monte' file. Also, a console boot log would be invaluable...

Swytch
10-13-2006, 07:12 PM
Doublecheck your file permissions and make sure you are using the correct version of 'kmonte.o' for your monte-into kernel. Provide an 'ls -l' of your /etc/rc.d and /monte directories as well as your 'rc.sysinit.monte' file. Also, a console boot log would be invaluable...

/etc/rc.d/
-rwxr-xr-x 1 root root 1776 Apr 21 2004 finishInstall.tcl
-rwxr-xr-x 1 root root 12305 Apr 21 2004 rc.arch
-rwxr-xr-x 1 root root 22313 Oct 13 16:14 rc.sysinit
-rwxr-xr-x 1 root root 808 Oct 7 23:35 rc.sysinit.author
-rwxr-xr-x 1 root root 590 Oct 7 23:29 rc.sysinit.author.bak
-rwxr-xr-x 1 root root 666 Oct 13 16:28 rc.sysinit.monte
-rwxr-xr-x 1 root root 22313 Oct 13 19:17 rc.sysinit.real

/monte
-rwxr-xr-x 1 root root 10444 Oct 13 19:21 kmonte.o
-rwxr-xr-x 1 root root 9772 Oct 13 19:21 monte
-rwxr-xr-x 1 root root 1374720 Oct 13 19:21 vmlinux.px.3.1.5x

im attaching the log i ftp'd off the currently booted tivo, im nto sure as this will help as it is currently booted from the normal rc.sysinit...

cheer
10-13-2006, 07:30 PM
No it doesn't help, but the log doesn't normally wipe itself. Try booting up again from the monte config, and THEN post your log.

ScanMan
10-13-2006, 07:35 PM
/etc/rc.d/
-rwxr-xr-x 1 root root 1776 Apr 21 2004 finishInstall.tcl
-rwxr-xr-x 1 root root 12305 Apr 21 2004 rc.arch
-rwxr-xr-x 1 root root 22313 Oct 13 16:14 rc.sysinit
-rwxr-xr-x 1 root root 808 Oct 7 23:35 rc.sysinit.author
-rwxr-xr-x 1 root root 590 Oct 7 23:29 rc.sysinit.author.bak
-rwxr-xr-x 1 root root 666 Oct 13 16:28 rc.sysinit.monte
-rwxr-xr-x 1 root root 22313 Oct 13 19:17 rc.sysinit.real

/monte
-rwxr-xr-x 1 root root 10444 Oct 13 19:21 kmonte.o
-rwxr-xr-x 1 root root 9772 Oct 13 19:21 monte
-rwxr-xr-x 1 root root 1374720 Oct 13 19:21 vmlinux.px.3.1.5x

im attaching the log i ftp'd off the currently booted tivo, im nto sure as this will help as it is currently booted from the normal rc.sysinit...

The first and most significant thing I notice is that your 'rc.sysinit' and 'rc.sysinit.real' are the same size, significantly larger than your 'rc.sysinit.monte'. You need to rename your 'rc.sysinit.monte' to 'rc.sysinit'. The idea is to 'fake' tivo into loading your 'rc.sysinit.monte' by renaming it 'rc.sysinit.' Then the 'rc.sysinit.monte' (renamed to 'rc.sysinit') will perform the monte the 1st time through and then load your 'rc.sysinit.real' the 2nd time through; that's why it will boot twice. Your boot log basically shows a stock booting tivo; no monte is happening because 'rc.sysinit.monte' isn't loading.

Swytch
10-13-2006, 07:57 PM
The first and most significant thing I notice is that your 'rc.sysinit' and 'rc.sysinit.real' are the same size, significantly larger than your 'rc.sysinit.monte'. You need to rename your 'rc.sysinit.monte' to 'rc.sysinit'. The idea is to 'fake' tivo into loading your 'rc.sysinit.monte' by renaming it 'rc.sysinit.' Then the 'rc.sysinit.monte' (renamed to 'rc.sysinit') will perform the monte the 1st time through and then load your 'rc.sysinit.real' the 2nd time through; that's why it will boot twice. Your boot log basically shows a stock booting tivo; no monte is happening because 'rc.sysinit.monte' isn't loading.

hehe jah i reverted to normal boot since the monte went into a reboot loop the first time... im gonna try the monte again and see if i can get a log... should i delete this log from the var/log/ folder?

ScanMan
10-13-2006, 08:01 PM
hehe jah i reverted to normal boot since the monte went into a reboot loop the first time... im gonna try the monte again and see if i can get a log... should i delete this log from the var/log/ folder?I figured that but you should have more than one boot in the log. It does get wiped occasionally but...yeh delete that one.

Swytch
10-13-2006, 09:49 PM
I figured that but you should have more than one boot in the log. It does get wiped occasionally but...yeh delete that one.

hmmmm... it doesnt seem to be making a log file...

heres what i did:
deleted the log file "kernel"
cp rc.sysinit.monte rc.sysinit
reboot
went into a reboot loop, after watching it reboot a few times i went and did something else and let it sit...
pulled the power, pulled the drive and mounted in pc
booted from ptvupgrade lba48 cd
mkdir /tivo
mount /dev/hda9 /tivo
cd /tivo/log
ls
no file named "kernel"
mount /dev/hda7 /tivo (bootpage -p reports hda7)
cd /tivo/etc/rc.d/
cp rc.sysinit.real rc.sysinit
put back in tivo and boots fine....

i have no idea what is going wrong here..... any ideas?

ScanMan
10-14-2006, 11:14 AM
hmmmm... it doesnt seem to be making a log file...

heres what i did:
deleted the log file "kernel"
cp rc.sysinit.monte rc.sysinit
reboot
went into a reboot loop, after watching it reboot a few times i went and did something else and let it sit...
pulled the power, pulled the drive and mounted in pc
booted from ptvupgrade lba48 cd
mkdir /tivo
mount /dev/hda9 /tivo
cd /tivo/log
ls
no file named "kernel"
mount /dev/hda7 /tivo (bootpage -p reports hda7)
cd /tivo/etc/rc.d/
cp rc.sysinit.real rc.sysinit
put back in tivo and boots fine....

i have no idea what is going wrong here..... any ideas?

It's most likely something with your 'rc.sysinit.monte' file; how did you create this? With a linux editor or on windows? If windows, you may be having problems with DOS-style line endings. If so, run the file thru 'dos2unix' utility. Post your 'rc.sysinit.monte' file for review. Where did you get your version of 'kmonte.o'? Again, a serial cable with console boot output would be invaluable. It may be your tivo is not booting enough to write to the kernel log file.

Swytch
10-14-2006, 12:28 PM
It's most likely something with your 'rc.sysinit.monte' file; how did you create this? With a linux editor or on windows? If windows, you may be having problems with DOS-style line endings. If so, run the file thru 'dos2unix' utility. Post your 'rc.sysinit.monte' file for review. Where did you get your version of 'kmonte.o'? Again, a serial cable with console boot output would be invaluable. It may be your tivo is not booting enough to write to the kernel log file.

i created my rc.sysinit.monte file using the joe text editor at my tivo's bash prompt (telneted from pc running winxp), to avoid the problem with dos text editors you describe. im attaching my monte file for you...

i got kmonte.o from monte-mips-20041117.tgz from (here (http://www.dealdatabase.com/forum/showthread.php?t=37225))

im not sure i fully understand how to make the serial cable, and will need some help with this, i was reading (here (http://www.tivohelp.com/archive/tivohelp.swiki.net/35)) and noticed at the bottom it says "The programming cable for a Texas Instruments TI-85/86 calculator will also work without modifications." I have one of these, will it in fact work? how do i hook it up to get the console boot output?

i havent been able to locate any info on the serial cable other than the tivohelp link

ScanMan
10-14-2006, 12:47 PM
i created my rc.sysinit.monte file using the joe text editor at my tivo's bash prompt (telneted from pc running winxp), to avoid the problem with dos text editors you describe. im attaching my monte file for you...OK, good; but there's still a problem with your file. On this line:

bootparm=`/sbin/bootpage -p /dev/hda`Those are backticks - not single quotes as yours appear. The backtick key is located on the far left of your keyboard next to the number 1 key. The rest looks OK, make that change and see what happens.


i got kmonte.o from monte-mips-20041117.tgz from (here (http://www.dealdatabase.com/forum/showthread.php?t=37225))
OK, that's the right one for 2.4.20.

Swytch
10-14-2006, 01:30 PM
OK, good; but there's still a problem with your file. On this line:

bootparm=`/sbin/bootpage -p /dev/hda`Those are backticks - not single quotes as yours appear. The backtick key is located on the far left of your keyboard next to the number 1 key. The rest looks OK, make that change and see what happens.

you know, when i was typing that in i was thinking the single quote didnt look right, but couldnt think of what other char it could have been, completely forgot that i was going to remember to check that... should have realized it was a backtick, i use it all the time programing at work... trying again now.... thanks

Swytch
10-14-2006, 01:53 PM
THANK YOU SO MUCH!

it booted finally, although i noticed it didnt seem to reboot at all (my understanding is it should reboot once), and when i check the kernel log file and search for "monte" i dont find it, however, when i start playing a scrambled show i get the following:


Oct 14 17:50:45 (none) kernel: add_only: 2403569106,1,0,0,3807283047,1687807892,678717756,842599940|8016fd70,11,0,172359680,256,1
Oct 14 17:50:45 (none) kernel: iscram: 1 chunk keys cached


i dont get the first line with the "add_first_or_middle:" but im guessing its still all fine?

now to start trying to extract these shows, hopefully all goes well

thanks again to everyone who helped me through this so far, hopefully i wont have any more problems!!!!

Swytch
10-14-2006, 01:59 PM
I just remembered something i forgot about...


On thing your proabaly going to run into as well, is that the "nowshowing.tcl" that comes with this package is the wrong one for a HR10-250.

i currentl am using the nowshowing file from the mfs-utils_bin.mips-20050604.tar.bz2 archive (here (http://www.dealdatabase.com/forum/showthread.php?t=39487))

does anyone know if i need a different one for my hr10-250? maybe direct me to where i can find the correct one?

how will i know if i have the wrong one? will it just not work?

also, i noticed the file in this archive has no extension, its just "NowShowing", do i need to add a ".tcl" extension?

thank you

drez
10-14-2006, 04:30 PM
NowShowing (without the .tcl extension) is the wrong file.


NowShowing.tcl is in mfs-utils_src-20050604.tar.bz2

Swytch
10-14-2006, 04:51 PM
NowShowing (without the .tcl extension) is the wrong file.


NowShowing.tcl is in mfs-utils_src-20050604.tar.bz2

thank you, i actually figured this out a few minutes ago, and already successfully used tytool to extract a scrambled show!!!

thank you so much to everyone who helped me!

flagmaster
10-14-2006, 05:29 PM
Its quite and adventure aint it? I remeber my first time doing this monte thing on an hr-10-250, and it took me days to get it all figured out. I never really had much luck with the "in place" descramble".

I did make it work, but there was a problem displaying all of the needed fsid's for the shows, and alot of them where left off the list, so I just went the other way.

Gald your up and going.

Carey

djMaxM
11-09-2006, 01:50 PM
Hi, I'm having a mess of trouble with S2_Unscramble. HR10-250 3.1.5f hacked with ptvupgrade CD. New recordings are unscrambled, can watch them with TivoTool, etc. However, when I install 2.4.20 s2_unscramble kernel and the sysinit trick, it reboots with no ethernet support, and no messages about monte in the kernel logs. If I move the sysinit.real script back in, everything is fine. Also, when rebooting with the "bad" version, I still get DTV. Help much appreciated.

djMaxM
11-09-2006, 03:35 PM
As usual, posting is the quickest way to find your own problem. The S2_Unscramble doesn't seem to like DHCP, or at least not with the PTV version. Setting a static IP seemed to make everything happy.

scotty2541
01-14-2007, 07:13 PM
What is the likelyhood of s2_unscramble working on a Ver 6.2 DTV device?

Like everyone else, I've got an untouched drive that I'd like to pull a bunch of stuff from. Which if I hadn't dragged my feet, I would have hacked before DirectV upgraded it. :-) Its a DirecTV HD10-250

So, I'm taking the 36 hours to duplicate the 250 gig to another drive. So I'll hack the copy.

Can I apply the PTVnetHD disk to 6.2? Then follow the rest of the instructions I've seen in the thread?

FMNY
01-16-2007, 03:19 PM
Below is the first portion of the readme; attached are the packages.

Regards,

ScrambleThis

--------------------------------

Introduction
------------

By popular request, from the ScrambleThis Labs, we present unscramble for
Series 2 TiVo boxes. In the context of this release, "Series 2" is anything
that runs a 2.4x Linux kernel on MIPS hardware. The initial release of
s2_unscramble will be for the 3.1x series (most non-DVD, non-HD boxes) and
3.1.5x (HD boxes, where the development of this software was done). Note
well that, though a 3.1.1x kernel with LBA48 support is provided, it has
NOT been tested! Only the 3.1.5x kernel has been tested.

First, some background: Some of you may be familiar with the original
unscramble for Series 1, implemented as the unscramble.o kernel module. The
bad news is: s2_unscramble effectively cannot be implemented in this manner.
If you're not willing to use a non-standard kernel (that is, one that was
built by someone other than TiVo) or non-standard extraction tools, you
probably should stop reading now.


Overview
--------

As some of you know, the low level calls used to access the MFS partitions
changed from the Series 1 kernels to the Series 2. Thanks to alldeadhomiez's
documentation of this mechanism, along with a sample util.c that can be used
in any Tridge-derived MFS toolset (read: all of them), we're able to create
a client-server system to cache and "play back" the scramble keys. The
extraction tools are the client, and the kernel becomes the server; as the
TiVo software plays a show, the kernel mods will cache the scramble keys for
later access by the extraction tools.

Upon extraction, the tools use a specially created "sentinel key" to initiate
interaction with the kernel, and instruct it to "play back" the keys. At this
point, the data is read in the clear, and can be used in any application that
processes unscrambled shows.

Obviously, this mechanism requires that the user be able to install a custom
kernel and extraction tools in his/her TiVo; the mechanics of doing this is
outside the scope of this document. In addition, the user should disable
future scrambling on the machine with the "nocso" or other hack.


Unscrambling methodology
------------------------

The s2_unscramble package includes two distinct methods of unscrambling. The
original motivation for this development began when a HD TiVo with a bad HDMI
port was brought into the ScrambleThis Labs with a request to somehow transfer
the programming to the replacement machine. The machine had not been
previously hacked in any way, thus the programming was scrambled.

The first efforts focused on the more traditional method of transferring
programming to another TiVo: mfs_ftp. Once the unscramble code was
implemented, extraction could proceed and went without issue. This method
would dictate that the custom kernel and extraction tools be in place
whenever a scrambled show is to be extracted.

However, some issues arose during insertion attempts that gave rise to a
second approach: Unscrambling the shows "in place" on the TiVo. This involves
reading a block of data with the unscramble functionality in place, then
writing the block back to the disk in the same place. Once this is done for
all of the shows on the disk, the custom kernel and extraction tools can be
removed. At that point, the disk is portable to another TiVo (same model, of
course) after running the 51kill.tcl script.

The "in place" unscrambling method is ideal for situations where a disk needs
to be transplanted into another TiVo. It's also good for situations where a
user may have a lot of scrambled programming that doesn't need to be extracted
in the near term, but the user doesn't want to run the custom kernel and tools
on an ongoing basis.

However, you are STRONGLY advised to make a FULL backup of your drive before
attempting the "in place" unscramble. Since you will be WRITING to the disk,
if anything goes wrong, some (even ALL) of your programming could be
rendered unusable. This cannot be stressed enough: "In place" unscrambling can
DESTROY your shows!

Once you've determined which method is right for you, read further to
determine what's needed.



I read a lot this thread, but I do not understand, in which folther I am going to put those files?

Narf54321
01-16-2007, 07:14 PM
I read a lot this thread, but I do not understand, in which folther I am going to put those files?

Usually something like /hack/monte-mips

If you don't speak or read English well, it will be difficult.

You'll need to monte the S2_unscramble kernel, such as this message indicates (http://dealdatabase.com/forum/showpost.php?p=216958&postcount=42).

cheer
01-26-2007, 05:41 PM
What is the likelyhood of s2_unscramble working on a Ver 6.2 DTV device?
It works just fine.

wbelhaven
02-28-2007, 01:46 PM
Greetings,

I may be the poster child for why the "extraction" method is safer than the "in place" method.

I successfully monte'd et. al. my HR10-250 and was able to unscramble and kcso 4 of my 5 encrypted (pre-hack) recorded shows. But while running the autogenerated script (created with rew.tcl) on the 5th show, my TiVo rebooted somewhere in the middle of decrypting the various part FSIDs. So, I really don't know which FSIDs are decrypted and which are still encrypted for that show. I also can't "prime" it now, cuz the first few FSIDs definitely are decrypted, but I have not (yet) kcso'ed the show FSID.

Does anyone have a recommendation of how to proceed? Should I kcso the show FSID, prime it, and then rerun my rew.tcl-generated script? Or will kcso'ing it forever leave it in a state where the remaining part FSIDs can't be decrypted?

Thanks for any help and thanks for the really nifty set of tools!

WB

Jamie
02-28-2007, 02:16 PM
Does anyone have a recommendation of how to proceed? Should I kcso the show FSID, prime it, and then rerun my rew.tcl-generated script? Or will kcso'ing it forever leave it in a state where the remaining part FSIDs can't be decrypted?

Thanks for any help and thanks for the really nifty set of tools!

WBOnce you lose the CSO keys, you probably can't recover any encrypted parts, so don't kcso the keys until you know all parts are unencrypted.

You could probably get fancy and write a tcl script that only killed the cso keys for recording parts that you've verified are unscrambled.