faking the debug board


mrblack51
10-10-2001, 03:54 AM
well, since this seems like a good way to fake the dtivo into hacking itself, i will bring it up again. first, here is the relevant code from rc.sysinit:

export DEBUG_BOARD=false
me=`getprom -hostname`
ipaddr=`getprom -ipaddr`
mac=`getprom -macaddr`

#
# Look up /proc/ioports for TCD8390 (should be first string). If present,
# assume we have a debug board. There is probably an easier way to do this,
# but...
#

echo "Look for debug board ..."
tnforce=false
xxx=`cat /proc/ioports`
set -- $xxx
shift 2
if [ "$1" == TCD8390 ] ; then
    tnforce=true
fi

set --

if /sbin/ifconfig eth0 hw ether $mac $ipaddr || [ "$tnforce" = true ] ; then
    PATH=/bin:/sbin:/tvbin:/devbin
    export PATH
    echo "Starting network ..."
    gw=`getprom -gateway`
    if [ ! $gw = 0.0.0.0 ]; then
        route add -net 192.168.0.0 gw $gw netmask 255.255.0.0
    fi

    export TMK_DEBUGGER=sleep
    export DEBUG_BOARD=true
    echo "Starting Telnet Listener..."
    if [ -x /bin/bash ] ; then
        tnlited 23 /bin/bash -login &
    else
        export TIVOSH_POOLSIZE=800000
        tnlited 23 /tvbin/tivosh -login &
    fi

    echo "Starting /proc Listener..."
    procd
fi


ok, what this tells me is that all we need to do is make the tivonet board say that its name is 'TCD8390' and it will think it's a debug board. a quick test of 'cat /proc/ioports' revealed the following output on my dtivo:

0300-031f : TiVoNE
f4100000-f4100007 : serial(auto)
ffb40000-ffb40007 : serial(auto)
ffc00000-ffc00007 : serial(auto)

so that means that the tivonet board is reporting its name as TiVoNE. this must be stored in the GAL somewhere. so, that shouldn't be too hard to modify. the next issue is getprom compatibility.
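
The debug-board test from the rc.sysinit excerpt above, replayed on saved /proc/ioports text (an added example, not part of the original post or of TiVo's scripts; the function names ioports_probe_word and tnforce_for and samples 2 and 3 are constructed here). It shows that the only evidence the script uses is the third whitespace-separated word of the file, a driver-supplied name string, and that this word alone sets tnforce, which the script then uses to decide whether to start the telnet listener on port 23.

```shell
#!/bin/sh
# Added illustration: replays the debug-board test from the rc.sysinit
# excerpt on saved /proc/ioports text instead of the live file.

# Print the word the script compares with TCD8390: the third
# whitespace-separated word of the whole file ("0300-031f", ":", NAME).
ioports_probe_word() {
    (
        set -f                    # split unquoted like the original, without globbing
        set -- $1
        [ "$#" -ge 3 ] || exit 1  # guard: 'shift 2' fails when fewer words exist
        shift 2
        printf '%s\n' "$1"
    )
}

# Mirror of the tnforce decision: prints true or false.
tnforce_for() {
    if [ "$(ioports_probe_word "$1")" = TCD8390 ]; then
        echo true
    else
        echo false
    fi
}

# Sample 1: the output quoted in the post above.
SAMPLE_POST='0300-031f : TiVoNE
f4100000-f4100007 : serial(auto)
ffb40000-ffb40007 : serial(auto)
ffc00000-ffc00007 : serial(auto)'

# Sample 2 (constructed): first region is named TCD8390.
SAMPLE_FIRST='0300-031f : TCD8390
f4100000-f4100007 : serial(auto)'

# Sample 3 (constructed): TCD8390 is present but not the first region.
SAMPLE_SECOND='f4100000-f4100007 : serial(auto)
0300-031f : TCD8390'

for s in "$SAMPLE_POST" "$SAMPLE_FIRST" "$SAMPLE_SECOND" ""; do
    printf 'probe=%s tnforce=%s\n' "$(ioports_probe_word "$s")" "$(tnforce_for "$s")"
done
```

Sample 3 comes out false because the test only ever looks at the first region, matching the "should be first string" comment in the script.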

mrblack51
10-10-2001, 04:26 AM
getprom gives some interesting responses:

315:$ getprom -checksum
Good checksum - 0x00DE0D89
316:$ getprom -memconfig
32
317:$ getprom -videoconfig
5
318:$ getprom -hostname
debug-95
319:$ getprom -ipaddr
192.168.1.XXX
320:$ getprom -macaddr
0004ace3XXXX

329:$ getprom -dump /var/hack/2.0.1prom
done. New version:

TiVoProm Monitor version 1.100

330:$ getprom -gateway
192.168.1.1

i looked at the prom image with the following results:

the hostname started on byte 27 and appeared to be a null terminated string.

the bootparams start on A9 and are also null terminated

the checksum is stored at 1FD and is 4 bytes long.

menu text starts at 12B80 (beginning of data segment?) and looks to be null terminated printf style strings (i.e. there are strings there with %s and %d in places which would have strings or numbers accordingly). looking at the menu text seems to indicate that the MAC address, gateway, IP & Hostname can be changed. there is also a menu selection area for processor speeds, including 54MHz, 60MHz, 72MHz, 80MHz, and custom (overclocking?!)

for a little fun, look at 173E0

from about 190FC on is all FF's, except for the last 4 bytes. probably used for the checksum.

anyway, just thought i would tantalize everyone a bit. time to sleep before exams.

mrblack51
10-10-2001, 12:43 PM
well, a little setback: the TiVoNE from the cat /etc/proc looks like it came from the tivone.o kernel module:

/* Set up the rest of the parameters. */
name = "TiVoNE";

dev->irq = 29;

dev->base_addr = ioaddr;

so that begs the question: how does tivo load the debug board without loading a kernel module? my only guess is that it is supported directly via the kernel and detected at bootup. that way, the following line would function properly

/sbin/ifconfig eth0 hw ether $mac $ipaddr

i'm sure a bunch of this has been covered before, but I figured I would get the ball rolling.

BubbaJ
10-11-2001, 12:14 PM
4 bytes = 32 bits, maybe a 32-bit CRC??

can someone run a 32bit checksum on the prom??

BubbaJ
10-11-2001, 12:20 PM
For a look at how the KERNEL detects the debug board...

http://www.samba.org/ftp/unpacked/tivo/ethernet/tcd8390.c