R10 PROM Hacking


tbielawa
07-01-2005, 12:53 PM
I am trying to hack a PROM (Rel 2.27) from an R10, however after almost 9 hours of searching and reading on these forums I have not been able to find the information I’m looking for (and I have found some conflicting information). Just as background information on my experience: I was able to hack my SA Series 2.5 by myself from information found here (from the PROM hack all the way through TWP).

A stock PROM 2.27 has MD5 c37c61654de112866ba55354189f954f. If you read something different off the chip, check your hardware before you try to reprogram it.

The PROM that I have is indeed release 2.27, however the MD5 is bf83fac6144867e5b6dbc746ff397c4c. The PROM is able to boot the R10, and I have read the same image off the PROM several times.

In searching for the bytes to patch, I have only found solutions for PROM Releases 2.25, 2.14, and 1.18. Since I could not find specific information on Release 2.27, I searched the PROM image for the original bytes from each patch (10 patches in total). From these, I found only one match in the PROM image:

1043000C -> 1042000C (disable kernel check)

My questions are as follows:

1. Can anyone verify the MD5 of PROM Release 2.27?
2. Can anyone verify the bytes that must be patched on this PROM? Surely the SHA-160 check must be disabled in addition to disabling the kernel check.

Jeff D
07-01-2005, 03:05 PM
I don't know if it helps, but I thought I read something about some incorrect md5 hash calculation. I just searched, and looked through my history to find the post, but no luck. Check out HashCalc (win) and see if that confirms your findings.

alldeadhomiez
07-03-2005, 06:17 PM
I don't know if it helps, but I thought I read something about some incorrect md5 hash calculation.

Yes, it was one of the many bugs in the Sleeper ISO.

To the OP: compare your output and see which 8k blocks match up:

$ for x in `seq 0 15`; do dd if=tivoprom-2.27.bin bs=8192 count=1 skip=$x | md5sum ; done 2> /dev/null
f03bc7140f8a483d46c0f95061c36149 -
1ff030c95d1a6f6d76e9574118f8f18c -
ab6719e8e5fdffe8708c9042513f5419 -
c773f35aef1a7bd3a1245a3b4520877d -
0bdd65b0eb1a60ad01315b5c4ba4e7a8 -
2a8cc28d8092952911d65cd9d6754f8f -
38853673e898dca49d3ef3514c393635 -
1a0780eb3fdabf037eeb1c20ff9567e9 -
811a848b4a79bfef23282052d4e8d0bb -
9deccb7e739f9b9a8f059ba245e928b8 -
d10722a6e23d0c61b6d80b8ba1fc53f6 -
879f6d7c0877e592c055ac9dd85c7bc5 -
3cf1e1c40c71d42e1fee526b56c79ee1 -
84d04c9d6cc8ef35bf825d51a5277699 -
84d04c9d6cc8ef35bf825d51a5277699 -
84d04c9d6cc8ef35bf825d51a5277699 -

tbielawa
07-05-2005, 12:55 PM
Something funny is going on here. Only the last 4 lines of my output match and of that only the first 40 bytes are not 0xFF. I have posted the ID string from the PROM as well as my output below.


TiVo/mips/Gen04/rel.2.27


for x in `seq 0 15`; do dd if=tivoprom-2.27.bin bs=8192 count=1 skip=$x | md5sum ; done 2> /dev/null
84cdc2b1eba43dd5b9898595091f04e4 -
aa6f94b1a7b4fdde3b4172194ade778b -
5f860ba3caef28202810a5def76d3c64 -
b563b2e06394fc1704597bdd9f115483 -
d4594784aa0f14b3b97b55914f41af27 -
7b4f5af9cd262c1467eed2d0a02d9214 -
a81a8ac899372e7651cdb1393cbdf686 -
68a4794202a823ade464ab63902164dc -
ffb6d8ad188ac1d5f2024261a507d6a3 -
e852cd91ab6198f52e52df12d1ccb6d5 -
fb9080e3aaa8d3d80ae51bd13fd91b93 -
1009ba219eac208845885801c5a145be -
3cf1e1c40c71d42e1fee526b56c79ee1 -
84d04c9d6cc8ef35bf825d51a5277699 -
84d04c9d6cc8ef35bf825d51a5277699 -
84d04c9d6cc8ef35bf825d51a5277699 -
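
Added example, not code from any poster in this thread: a script that automates the 8k-block comparison used above for two dumps of the same chip, listing which blocks differ and which are fully erased (all 0xFF). The function names and the two sample images are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate differing / erased blocks between two PROM dumps.

# block_md5 FILE INDEX [BS] -> MD5 of one block (same dd | md5sum pipeline as above)
block_md5() {
    dd if="$1" bs="${3:-8192}" count=1 skip="$2" 2>/dev/null | md5sum | cut -d' ' -f1
}

# is_erased FILE INDEX [BS] -> succeeds if the block holds only 0xFF bytes
is_erased() {
    n=$(dd if="$1" bs="${3:-8192}" count=1 skip="$2" 2>/dev/null | LC_ALL=C tr -d '\377' | wc -c)
    [ "$n" -eq 0 ]
}

# compare_dumps REF IMG [BS] -> one line per block: index, offset, same|DIFF [erased]
# Returns 0 if all blocks match, 1 if any differ, 2 if the file sizes differ.
compare_dumps() {
    ref=$1 img=$2 bs=${3:-8192}
    ref_size=$(($(wc -c < "$ref"))) img_size=$(($(wc -c < "$img")))
    if [ "$ref_size" -ne "$img_size" ]; then
        echo "size mismatch: $ref_size vs $img_size bytes" >&2
        return 2
    fi
    blocks=$(( (ref_size + bs - 1) / bs )) i=0 rc=0
    while [ "$i" -lt "$blocks" ]; do
        if [ "$(block_md5 "$ref" "$i" "$bs")" = "$(block_md5 "$img" "$i" "$bs")" ]; then
            state=same
        else
            state=DIFF rc=1
        fi
        is_erased "$img" "$i" "$bs" && state="$state erased"
        printf '%d 0x%06x %s\n' "$i" $((i * bs)) "$state"
        i=$((i + 1))
    done
    return "$rc"
}

# Constructed sample input: two 32 KiB images (4 blocks of 8 KiB), last block
# erased; the second image has one byte changed inside block 1.
make_samples() {
    d=$1
    { head -c 24576 /dev/zero | LC_ALL=C tr '\0' 'A'
      head -c 8192 /dev/zero | LC_ALL=C tr '\0' '\377'; } > "$d/ref.bin"
    cp "$d/ref.bin" "$d/read.bin"
    printf 'B' | dd of="$d/read.bin" bs=1 seek=8200 conv=notrunc 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
compare_dumps "$tmp/ref.bin" "$tmp/read.bin" || true
rm -rf "$tmp"
```

Running it against two real dumps only needs `compare_dumps known-good.bin my-read.bin`; a non-zero return means the read should not be trusted until the hardware is rechecked.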

tbielawa
07-13-2005, 11:54 PM
It looks like the PROM may have gotten damaged somewhere along the way. I know this might be asking a lot, but if anyone has a stock 2.27 PROM image that they would be willing to send me, please PM me.