DirecTivo 6.2 Network GUI Research.



TivoWare
08-08-2005, 05:28 PM
Since I have been playing with the Menus while I was trying to figure out how to get standby back on the main menu I have some (very little) understanding of them. It looks like everything is there for the Networking stuff, but it's just not enabled. I know this seems like the only way we can get WEP working so let's see what we can do.

There are a few things I would like to see from a 7.1 system just to be sure it's not something simple:
/State/GeneralConfig
/State/Network
/State/PhoneConfig
/State/ServiceConfig
/State/StaticConfig

LanMan
08-08-2005, 08:25 PM
TivoWare,

Looks like this, ${PHONE_AND_OR_NETWORK}, might be a variable stored
elsewhere. Change the value, Phone changes to Phone and Network.

I'm probably off base.............

Eric

TivoWare
08-08-2005, 08:33 PM
Looks like this, ${PHONE_AND_OR_NETWORK}, might be a variable stored
elsewhere. Change the value, Phone changes to Phone and Network.
I'm probably off base.............
Eric

I had noticed and played with that even forcing my menu to say Phone & Network. I guess it's a flag in tivoapp or something and have no idea what sets it. It would be nice if we had someone that could debug tivoapp and see where that value might originate.

Makes for a good screenshot, but does nothing different.

jeboo
08-09-2005, 02:25 AM
I had noticed and played with that even forcing my menu to say Phone & Network. I guess it's a flag in tivoapp or something and have no idea what sets it. It would be nice if we had someone that could debug tivoapp and see where that value might originate.

Makes for a good screenshot, but does nothing different.

Menu items can be easily changed, but the functionality of certain features is still governed by the spigots...'Phone & Network' settings menu is an example of such a problem.

I also saw some discussion about restoring 'Standby' to the main menu after superpatching..It should be trivial if you are familiar with brf structure. Here's the relevant excerpt from tivocentraldocument.brf:


ServerList.soma_musicphoto..K...D.Music & Photos...M...`..u...N...@...N...@...L"..`
.PickPrograms.soma_pickprograms...K...D.Pick Programs to Record...M...0...q..L...`
.SetupMainMenu.soma_setup...K...D.Messages & Setup....K:..d
.Read New Messages & Setup./soma_uicommon/img/mail.png...N...@...N...@...L...`
.StandbyMode.soma_mainmenu..K...D.Standby...M...H..u..... ....L...`.


The pattern is pretty straightforward, function name ... title menu. You should be able to replace 'Music & Photos' with 'Standby' as long as you change the function too..The only tricky part is if you have to modify the record lengths, but a decent brf parser should be available on DDB if I recall...Note, I've only done a menu transplantation on the PickPrograms menu, to get rid of that stupid 'search by title (demo)' entry.

Have fun :)
jeboo

darrin75
08-09-2005, 02:34 AM
Menu items can be easily changed, but the functionality of certain features is still governed by the spigots...'Phone & Network' settings menu is an example of such a problem.

I also saw some discussion about restoring 'Standby' to the main menu after superpatching..It should be trivial if you are familiar with brf structure. Here's the relevant excerpt from tivocentraldocument.brf:


ServerList.soma_musicphoto..K...D.Music & Photos...M...`..u...N...@...N...@...L"..`
.PickPrograms.soma_pickprograms...K...D.Pick Programs to Record...M...0...q..L...`
.SetupMainMenu.soma_setup...K...D.Messages & Setup....K:..d
.Read New Messages & Setup./soma_uicommon/img/mail.png...N...@...N...@...L...`
.StandbyMode.soma_mainmenu..K...D.Standby...M...H..u..... ....L...`.


The pattern is pretty straightforward, function name ... title menu. You should be able to replace 'Music & Photos' with 'Standby' as long as you change the function too..The only tricky part is if you have to modify the record lengths, but a decent brf parser should be available on DDB if I recall...Note, I've only done a menu transplantation on the PickPrograms menu, to get rid of that stupid 'search by title (demo)' entry.

Have fun :)
jeboo



TivoWare has already done the standby script, search for TuikStandby6.2. It's in that thread, works great..

Better yet, here's the link, check it out..
http://www.dealdatabase.com/forum/showthread.php?t=44308

rbautch
08-20-2005, 03:02 PM
I have an idea on how to enable WEP, although it's very inelegant. Right now the only way to set WEP in 6.2 is to install 4.01b, set wireless params, then upgrade to 6.2 with slices. Here (http://www.dealdatabase.com/forum/showpost.php?p=223466&postcount=39) is what my wireless params look like in MFS, and the WEP key is obviously encrypted somehow. If there is a direct relationship between the way WEP is stored and the actual hex value of WEP, presumably anyone could use the encrypted WEP values that are shown in my post, as long as they set the WEP key on their router to match mine. Obviously this could be a security concern, especially if you live near me. However, if some enterprising hacker had the time, he could install 4.01b and begin to populate a table of WEP keys in hex and the corresponding encrypted values in MFS. That way if you want WEP, you just pick one of the predetermined WEP keys and you're off and running. A mod to netconfig.tcl would complete the effort. I've been meaning to play with this, but I just didn't have the time.

AlphaWolf
08-24-2005, 01:34 PM
Instead of doing that, I would examine the way the wireless network configuration settings are stored in MFS, and then write a TCL script to be able to configure them accordingly.

rbautch
08-24-2005, 01:51 PM
That's just it. Finding the link between the hex value of WEP and the way it's stored in MFS has eluded average hackers like me for many months. Do you see any relationship?:

My WEP key is 73696D706C, and is stored in MFS as:
WepKey = 20 -1279806544 -1212960592 -624709453 -1008942118 -591144230

TivoWare
08-24-2005, 02:33 PM
I have not had much time to play with any of this lately, but looking at how the wep key is in mfs again makes me wonder if it is related to how numbers seem to be stored in brf files.

The GUI will be what I keep working on. I'm starting to think a tivoapp patch will be required for this tho.

AlphaWolf
08-25-2005, 02:58 AM
That's just it. Finding the link between the hex value of WEP and the way it's stored in MFS has eluded average hackers like me for many months. Do you see any relationship?:

My WEP key is 73696D706C, and is stored in MFS as:
WepKey = 20 -1279806544 -1212960592 -624709453 -1008942118 -591144230

Not off hand, try making a subtle change and see how the stored numbers change. These numbers look like they are probably a binary equivalent of the data converted to dec somehow, though the exact syntax isn't anything that I can identify right away (tivo uses similar number schemes to store e.g. the CSO keys and the DC keys, but I haven't actually seen how these translate into human readable data.)

If you make a small change (e.g. change that C to a B or something) and you get a drastically changed value for that attribute, then this would be some kind of hash of the WEP key, and you would need to poke around at tivoapp to figure out how to generate this hash on your own. If the hash also involves a random seed, you could replace tivoapp's entropy source (/dev/urandom) with something predictable (e.g. once when I was playing around with the CSO/DC keys, I was able to get tivoapp to create predictable keys by creating a file called /dev/one which was about 6k of all x01 characters, tivoapp doesn't seem to like it when /dev/zero is in place of /dev/urandom for some reason.)

rbautch
08-25-2005, 11:10 AM
Very interesting. Unfortunately, to change the WEP key I'll have to pull the drive and reinstall 4.01b. I'll try it on spare drive this weekend.

rbautch
09-09-2005, 11:26 PM
Not off hand, try making a subtle change and see how the stored numbers change. These numbers look like they are probably a binary equivalent of the data converted to dec somehow, though the exact syntax isn't anything that I can identify right away (tivo uses similar number schemes to store e.g. the CSO keys and the DC keys, but I haven't actually seen how these translate into human readable data.)

If you make a small change (e.g. change that C to a B or something) and you get a drastically changed value for that attribute, then this would be some kind of hash of the WEP key, and you would need to poke around at tivoapp to figure out how to generate this hash on your own. If the hash also involves a random seed, you could replace tivoapp's entropy source (/dev/urandom) with something predictable (e.g. once when I was playing around with the CSO/DC keys, I was able to get tivoapp to create predictable keys by creating a file called /dev/one which was about 6k of all x01 characters, tivoapp doesn't seem to like it when /dev/zero is in place of /dev/urandom for some reason.)

Here are a few examples of different WEP keys in hex, and then encoded in MFS:

Hex = 73696d706c
WepKey = 20 -1279806544 -1212960592 -624709453 -1008942118 -591144230

Hex = 73696d706d
WepKey = 20 -1296649551 -1229803087 -607997518 -1025719589 -591209509

Hex = 63696d706c
WepKey = 20 -1549294672 -1482444624 -892096349 -740502582 -590099766

It appears the hash on the WEP key does not involve a random seed, as I was able to duplicate the same encrypted WEP key on multiple tivos repeatedly. I'd like to showcase my ignorance by saying I've never poked a tivoapp (well maybe once in college, but I was drunk). A few hours of searching leads me to think I need a disassembler to look at the code that generated the tivoapp. I'm not sure if this is something a non-pointyhead has a chance of figuring out, but I'll try. Any nudge in the right direction or search term suggestions are appreciated.

jonbig
09-10-2005, 05:11 PM
Here are a few examples of different WEP keys in hex, and then encoded in MFS:

Hex = 73696d706c
WepKey = 20 -1279806544 -1212960592 -624709453 -1008942118 -591144230

Hex = 73696d706d
WepKey = 20 -1296649551 -1229803087 -607997518 -1025719589 -591209509

Hex = 63696d706c
WepKey = 20 -1549294672 -1482444624 -892096349 -740502582 -590099766

It appears the hash on the WEP key does not involve a random seed, as I was able to duplicate the same encrypted WEP key on multiple tivos repeatedly. I'd like to showcase my ignorance by saying I've never poked a tivoapp (well maybe once in college, but I was drunk). A few hours of searching leads me to think I need a disassembler to look at the code that generated the tivoapp. I'm not sure if this is something a non-pointyhead has a chance of figuring out, but I'll try. Any nudge in the right direction or search term suggestions are appreciated.


The first step would be to convert the decimal numbers to hex and/or binary and look in them to see if there's a pattern.

cravens
10-25-2005, 09:54 PM
Has the WEP key issue been resolved? Assuming that it hasn't, I converted the decimal MFS entries in the following table:

WEP MFS 1 MFS 2 MFS 3 MFS 4 MFS 5
Hex 1 73696d706c 4C484C50 484C4F50 253C4F4D 3C233C26 233C2526
Hex 2 73696d706d 4D494D4F 494D4E4F 243D4E4E 3D233D25 233D2425
Hex 3 63696d706c 5C585C50 585C4F50 352C4F5D 2C232C36 232C3536

I noticed that when the WEP is added to each of the MFS terms the first two digits always equal the first 2 digits in the original WEP code. See the table below:

WEP MFS 1 MFS 2 MFS 3 MFS 4 MFS 5
WEP 1 73696d706c 73B5B5BCBC 73B1B9BFBC 738EA9BFB9 73A590AC92 738CA99592
WEP 2 73696d706d 73B6B6BDBC 73B2BABEBC 738DAABEBB 73A690AD92 738CAA9492
WEP 3 63696d706c 63C5C5CCBC 63C1C9BFBC 639E99BFC9 6395909CA2 638C99A5A2

I'm not very knowledgeable about formatting tables in html so the column headings are not aligned over the columns but the order is correct. As an example, 73696d706c (1st WEP) + 4C484C50 (1st MFS term for 1st WEP) = 73B5B5BCBC -- note that the "73" is the same for the original WEP and the sum. Interestingly, this holds true for all three WEPs and All 15 MFS terms.

That's all I have so far . . . any suggestions?

Jamie
10-25-2005, 10:14 PM
I noticed that when the WEP is added to each of the MFS terms the first two digits always equal the first 2 digits in the original WEP code. ..

Might this be because the WEP keys are 40 bit (10 hex digits) while the MFS values are 32 bits (8 hex digits)? Unless there is a carry, you'd expect the top two digits not to change when you add a 10 digit number to an 8 digit number.

It also looks to me like you didn't take into account the sign of the MFS values when you converted to hex.

epsilon
10-25-2005, 10:33 PM
Signed conversion looks like:

Hex 1 73696d706c B3B7B3B0 B7B3B0B0 DAC3B0B3 C3DCC3DA DCC3DADA
Hex 2 73696d706d B2B6B2B1 B6B2B1B1 FC6044F9 C2DCC2DB DCC2DBDB
Hex 3 63696d706c A3A7A3B0 A7A3B0B0 CAD3B0A3 D3DCD3CA DCD3CACA

cravens
10-25-2005, 10:59 PM
Might this be because the WEP keys are 40 bit (10 hex digits) while the MFS values are 32 bits (8 hex digits)? Unless there is a carry, you'd expect the top two digits not to change when you add a 10 digit number to an 8 digit number.

It also looks to me like you didn't take into account the sign of the MFS values when you converted to hex.

LOL you are absolutely right about the first 2 digits. How about this (probably equally irrelevant) observation. If you take the MFS terms two digits at a time, they are either one more, one less, or equal to one another for WEP 1 and WEP 2 (which are 1 apart from each other):

Hex 1 4C484C50 484C4F50 253C4F4D 3C233C26 233C2526
Hex 2 4D494D4F 494D4E4F 243D4E4E 3D233D25 233D2425

I.e. 4C + 1 = 4D; 48 + 1 = 49; 4C + 1 = 4D; 50 - 1 = 4F

The same thing is true (I think for WEP 1 and WEP 3 - where the first two digits differ by 10):

Hex 1 4C484C50 484C4F50 253C4F4D 3C233C26 233C2526
Hex 3 5C585C50 585C4F50 352C4F5D 2C232C36 232C3536

I.e. 5C - 4C = 10; 58 - 48 = 10; 5C- 4C = 10; 50 - 50 = 0

Any ideas?

cravens
10-26-2005, 01:09 AM
It's been a long, long time since college linear algebra but this looks like a matrix transformation to me. Any math wizards?

Hex-1 73 69 6d 70 6c 4C 48 4C 50 48 4C 4F 50 25 3C 4F 4D 3C 23 3C 26 23 3C 25 26
Hex-2 73 69 6d 70 6d 4D 49 4D 4F 49 4D 4E 4F 24 3D 4E 4E 3D 23 3D 25 23 3D 24 25
Diff.... 00 00 00 00 01 01 01 01 -1 01 01 -1 -1 -1 01 -1 01 01 00 01 -1 00 01 -1 -1

Hex-1 73 69 6d 70 6c 4C 48 4C 50 48 4C 4F 50 25 3C 4F 4D 3C 23 3C 26 23 3C 25 26
Hex-3 63 69 6d 70 6c 5C 58 5C 50 58 5C 4F 50 35 2C 4F 5D 2C 23 2C 36 23 2C 35 36
Diff... 10 00 00 00 00 10 10 10 0 10 10 00 00 10 -10 00 10 -10 00 -10 10 00 -10 10 10

Hex-2 73 69 6d 70 6d 4D 49 4D 4F 49 4D 4E 4F 24 3D 4E 4E 3D 23 3D 25 23 3D 24 25
Hex-3 63 69 6d 70 6c 5C 58 5C 50 58 5C 4F 50 35 2C 4F 5D 2C 23 2C 36 23 2C 35 36
Diff ... 10 00 00 00 -1 -F 0F 0F 01 0F 0F 01 01 11 -11 01 0F 11 00 11 11 00 11 11 11

cravens
10-26-2005, 02:20 AM
[Snip]
Hex-2 73 69 6d 70 6d 4D 49 4D 4F 49 4D 4E 4F 24 3D 4E 4E 3D 23 3D 25 23 3D 24 25
Hex-3 63 69 6d 70 6c 5C 58 5C 50 58 5C 4F 50 35 2C 4F 5D 2C 23 2C 36 23 2C 35 36
Diff ... 10 00 00 00 -1 -F 0F 0F 01 0F 0F 01 01 11 -11 01 0F 11 00 11 11 00 11 11 11

Making a matrix out of diff Hex-2 Hex-3:

v1 v2 v3 v4 v5
10 00 00 00 -1

-F 0F 0F 01
0F 0F 01 01
11 -11 01 0F
11 00 11 11
00 11 11 11

Relating these values to the vector difference between Wep1 and Wep3:
v1 v2 v3 v4 v5
10 00 00 00 -1


-v1-v5 v1+v5 v1+v5 -v5
v1+v5 v1+v5 -v5 -v5
v1-v5 -v1+v5 -v5 v1+v5
v1-v5 0 v1-v5 v1-v5
0 v1-v5 v1-v5 v1-v5

I'm just guessing here ... way out of my league ... but I think the solution may look something like

Wep key [v1v2v3v4v5]x
MFS Matrix
[-1 0 0 0 1]
[+1 1 0 0 0]
[ ... ]
[ ... ]
Where the MFS Matrix is a 5x4 matrix consisting of +/-1 and 0's. I think we are going to need some more sample keys in order to figure this out. It would be helpful to have MFS terms for the following keys:

73696d716c
73696e706c
736A6d706c
74696d706c
74706e716d
746B6f7571

Of course, this newbie is probably way off base.

cravens
10-26-2005, 03:48 PM
I'm just guessing here ... way out of my league ... but I think the solution may look something like

Wep key [v1v2v3v4v5]x
MFS Matrix
[-1 0 0 0 1]
[+1 1 0 0 0]
[ ... ]
[ ... ]
Where the MFS Matrix is a 5x4 matrix consisting of +/-1 and 0's. I think we are going to need some more sample keys in order to figure this out. It would be helpful to have MFS terms for the following keys:

73696d716c
73696e706c
736A6d706c
74696d706c
74706e716d
746B6f7571

Of course, this newbie is probably way off base.

I think the following matrix (T) will transform all three of rbautch's WEP keys into the first MFS term i.e Wep x T -> MFS1:

T =
-1  5 -2 -2  1
-1  6 -3 -2  1
-1  5 -2 -2  1
 0  6 -2 -2 -1

I highly doubt that this particular transformation is a general solution but it might help point us in the right direction. I need more keys to test this transformation. Rbautch, any chance of getting some more keys?

cravens
10-26-2005, 08:18 PM
I think the following matrix (T) will transform all three of rbautch's WEP keys into the first MFS term i.e Wep x T -> MFS1:

T =
-1  5 -2 -2  1
-1  6 -3 -2  1
-1  5 -2 -2  1
 0  6 -2 -2 -1

I highly doubt that this particular transformation is a general solution but it might help point us in the right direction. I need more keys to test this transformation. Rbautch, any chance of getting some more keys?

The following transformations (T1...T5) transform rbautch's WEP keys to their respective MFS keys MFS1...MFS5. I doubt that this is a general solution for a variety of reasons. First, the transformations are not unique solutions. I only used array elements (9 to -9) to generate these transformations. It is possible that I will need to go (F to -F). Second, there are additional patterns in the keys that are still a complete mystery to me. This makes me think that something else is going on besides a straight transformation. Third, as I said before, I really have no idea what I'm doing and am not really comfortable with math in hex. I hope there is a crypto person out there who can help point me in the right direction.

In the meantime, I think that I've done all that I can do without additional keys. The keys in the post above would be best but if anyone has a key that works, it would be helpful to test this possible "solution". My guess is this "solution" won't hold up for additional keys but it would be nice to verify it.

If this method ever produces a true solution, creating a script to convert a wep key to the mfs keys would be trivial.

T1 =

-1  8 -9  2  1
-1  6 -3 -2  1
-1  8 -9  2  1
 0  9 -9  2 -1

T2 =

-1  6 -3 -2  1
-1  8 -9  2  1
 0  7 -4 -1 -1
 0  9 -9  2 -1

T3 =

-1 -6  2  6 -1
 1  9 -4 -6  1
 0  7 -4 -1 -1
-1  7 -7  1  1

T4 =

 1  9 -4 -6  1
 0 -2 -7  9  0
 1  9 -4 -6  1
-1 -4 -3  9 -1

T5 =

 0 -2 -7  9  0
 1  9 -4 -6  1
-1 -6  2  6 -1
-1 -4 -3  9 -1

rbautch
10-26-2005, 08:21 PM
Here you go...

Hex = 12345d762a
WepKey = 20 -1829006602 -74254602 -1494944110 -455285594 -588994906

Hex = 73616d716c
WepKey = 20 -1296125264 -1095585616 -742149966 -1008942125 -591146029

rbautch
10-26-2005, 08:38 PM
Nice job moving this issue forward. Here (http://www.dealdatabase.com/forum/showpost.php?p=234590&postcount=94) is a script that I wrote that works very well for setting up wireless parameters, and it even sets the WEP key, although you have to pick from one of my 5 predetermined WEP keys. I've never done matrix transformation in tcl, but I'd love to learn once we/you figure out the WEP translation. Keep up the good work.

cravens
10-26-2005, 09:17 PM
Thanks for the additional keys. :) I'm not too hopeful that we are there yet or even that this is the right approach to solve the problem but I'll run the transformations tonight. I'm mainly hoping that the thread will draw someone's interest who actually has the ability to solve the problem.

alldeadhomiez
10-27-2005, 01:49 AM
This is wepkey v0.1, a copyrighted non-redistributable implementation of the WEP key mangling algorithm. It was developed entirely from the information posted in this thread, and may well barf on arbitrary WEP keys. Source is included.

Sample usage:


$ ./wepkey.x86 12345d762a
20 -1829006602 -74254602 -1494944110 -455285594 -588994906

License terms, by popular demand:

You MAY use, modify, and rebuild this code to your heart's content.
You MAY post modified versions, Win32 exe's, tcl ports, script packages that include wepkey, etc. IN THIS THREAD ONLY (http://www.dealdatabase.com/forum/showthread.php?t=44829)
You MAY NOT post, distribute, sell, trade, or barter this program, modified versions, or any derivative work under ANY other circumstances.
Any program/archive/script that includes wepkey MUST be posted under the same terms as wepkey itself. Please make this clear in your post so that my code does not accidentally get reposted elsewhere.

cravens
10-27-2005, 10:07 PM
This is wepkey v0.1, a copyrighted non-redistributable implementation of the WEP key mangling algorithm. It was developed entirely from the information posted in this thread, and may well barf on arbitrary WEP keys.

Thanks alldeadhomiez!

rbautch
10-28-2005, 12:13 AM
I tested ADH's wepkey tool with 20 different random WEP keys, and they all worked fine. I'm curious what it actually does to the hex key. Was cravens on the right track? Anyway, here comes the easy part... The attached is an updated script to set wireless parameters, including WEP. Copy it to the same directory as ADH's wepkey, and run it (without arguments).

alldeadhomiez
10-28-2005, 03:47 AM
I tested ADH's wepkey tool with 20 different random WEP keys, and they all worked fine. I'm not smart enough to interpret what's going on in the source code, but I'm curious what it actually does to the hex key.

Each byte of the output is a constant xor'ed with zero or more (specific) bytes from the input. An easy way to spot this pattern is by noting that specific bit(s) get flipped in the output when a particular bit flips in the input.

(Hopefully the bit mapping does not vary from unit to unit. I guess we'll find out soon enough.)

Now, knowing the algorithm used to create the encoded WEP key, can you write a script that decodes it into the 5-byte WEP key?

rbautch
10-28-2005, 12:58 PM
Each byte of the output is a constant xor'ed with zero or more (specific) bytes from the input. An easy way to spot this pattern is by noting that specific bit(s) get flipped in the output when a particular bit flips in the input.

(Hopefully the bit mapping does not vary from unit to unit. I guess we'll find out soon enough.)

Now, knowing the algorithm used to create the encoded WEP key, can you write a script that decodes it into the 5-byte WEP key?

I'll give it a shot. I had to google to find the meaning of xor, to give you an idea of the handicap I'm starting with. Seems like it might be easier to do it in a shell script rather than tcl. Just curious, what would be the purpose of converting back to hex?

eastwind
10-28-2005, 01:05 PM
I'll give it a shot. I had to google to find the meaning of xor, to give you an idea of the handicap I'm starting with. Seems like it might be easier to do it in a shell script rather than tcl. Just curious, what would be the purpose of converting back to hex?
Sometimes you learn things just so you can learn. Does there have to be more to it than that? Didn't you ever hack a game that you bought just to see how the copy protection scheme worked? :)

ew

rbautch
10-30-2005, 10:49 AM
Now, knowing the algorithm used to create the encoded WEP key, can you write a script that decodes it into the 5-byte WEP key?

I converted everything to binary, with the goal of finding the constant that gets XORed with parts of the input, and then applying that same value again to arrive back at the original key. XORed encryption is an interesting topic to research, but I have yet to find a unique constant that works for each key. I tried XORing the first 4 bytes (omitting the last byte) of the hex key with each resulting 4-byte MFS entry, and then I tried using the last 4 bytes (omitting the first byte). I then compared the XORed values from different keys bit-by-bit. The XORed value seems to shift from one key to the next, even if the keys have the same first 4 bytes (like key #1). Hmm... I'll keep plugging.

pcsmith
11-06-2005, 08:30 PM
I tested ADH's wepkey tool with 20 different random WEP keys, and they all worked fine. I'm not smart enough to interpret what's going on in the source code, but I'm curious what it actually does to the hex key. Was cravens on the right track? Anyway, here comes the easy part... The attached is an updated script to set wireless parameters, including WEP. Copy it to the same directory as ADH's wepkey, and run it (without arguments).


I ran your script and this is what happens...

bash-2.02# ./setSSIDwep2.tcl
found network with default = 1, good...

The following IP parameters found in MFS:
IP address is currently set to: 192.168.1.130
Default gateway is currently set to: 192.168.1.1
Subnet Mask is currently set to: 255.255.255.0
DNS Server is currently set to: 216.231.41.2
DHCP is off
NO WIRELESS PARAMETERS ARE SET IN MFS

Do you want to change/add wireless parameters? y/n: y

You must enter y or n. Exiting...
aborting open transaction ...
bash-2.02#
bash-2.02#

fixn278
11-07-2005, 02:54 AM
I ran your script and this is what happens...

bash-2.02# ./setSSIDwep2.tcl
found network with default = 1, good...

The following IP parameters found in MFS:
IP address is currently set to: 192.168.1.130
Default gateway is currently set to: 192.168.1.1
Subnet Mask is currently set to: 255.255.255.0
DNS Server is currently set to: 216.231.41.2
DHCP is off
NO WIRELESS PARAMETERS ARE SET IN MFS

Do you want to change/add wireless parameters? y/n: y

You must enter y or n. Exiting...
aborting open transaction ...
bash-2.02#
bash-2.02#

Fix your terminal settings. You are sending an extra line feed.

pcsmith
11-07-2005, 11:28 AM
Thanks! That was it..

MORF
11-08-2005, 01:26 AM
adh,

Can your code handle 128 bit WEP too? Perhaps change the string length check on line 17 to be 26 instead of 10 and then line 20 to be i < 13 ?? Too simple?

-- MORF

lgkahn
12-01-2005, 11:21 PM
ok I have searched for TuikStandby6.2 and mentioned and cannot find the script to move the standby back to the normal place.. anyone have any ideas

TivoWare
12-02-2005, 01:12 AM
Here it is:
http://www.dealdatabase.com/forum/showthread.php?p=231730

lgkahn
12-02-2005, 09:04 AM
thanks worked great...

bma
12-23-2005, 09:44 PM
adh,

Can your code handle 128 bit WEP too? Perhaps change the string length check on line 17 to be 26 instead of 10 and then line 20 to be i < 13 ?? Too simple?

-- MORF

I tried that and no dice (output did not match the value in MFS).

Which is not surprising given the mapping[] matrix in the code has 5 columns, not 13. :)

If anyone is interested in trying to do 128 bit values:

Hex:
776C616E3020626D61206E6574
MFS:
52 -644310392 -1949725738 -1701258794 -1734702968 -913582375 -1730554229 -151025510 -1410942983 -105388373 -196618 -424150538 -1209619541 -50333959

I no longer have 4.01b installed on the unit so I can't currently try other values.


Brian

alldeadhomiez
12-26-2005, 12:09 AM
Which is not surprising given the mapping[] matrix in the code has 5 columns, not 13. :)

The TiVo software appears to produce one 32-bit word for every byte of the WEP key. The first output word (52) is merely a count of bytes in the entry, and is not significant to us.

The mapping array is 5x4 because it contains the mappings needed to construct five words of four bytes each. Additionally, each entry is only 5 (8) bits wide, which is insufficient to encode the mapping for a 13-byte input. Furthermore, we need to determine the mapping.

If the 128-bit algorithm is consistent with the 40-bit WEP key encoding algorithm, each output byte will be the xor of one or more input bytes and a constant. In the 40-bit algorithm, the constant was 0xdc.

The attached script might be able to help you guess the new mapping. It will not be able to produce definitive results without a few more data points.

Trying strongly dissimilar keys (possibly non-ASCII data) which don't have any repeated bytes will probably make the job easier.
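
The model alldeadhomiez describes above (each stored byte is the constant 0xdc XORed with a fixed subset of the key bytes) can be checked against the 40-bit samples posted in this thread. The following is an added example, not part of the thread and not the wepkey source: it fits the byte-selection masks on rbautch's first three samples and then predicts the two he posted later. The function names and the mask numbering (bit i selects key byte i) are this example's own.

```python
CONST = 0xDC  # constant reported in the thread for the 40-bit encoding

# (WEP key in hex, MFS WepKey words) copied from the posts in this thread.
SAMPLES = [
    ("73696d706c", [20, -1279806544, -1212960592, -624709453, -1008942118, -591144230]),
    ("73696d706d", [20, -1296649551, -1229803087, -607997518, -1025719589, -591209509]),
    ("63696d706c", [20, -1549294672, -1482444624, -892096349, -740502582, -590099766]),
    ("12345d762a", [20, -1829006602, -74254602, -1494944110, -455285594, -588994906]),
    ("73616d716c", [20, -1296125264, -1095585616, -742149966, -1008942125, -591146029]),
]


def mfs_to_bytes(words):
    """Drop the leading byte count; return the signed 32-bit words as big-endian bytes."""
    count, payload = words[0], words[1:]
    # Masking with 0xFFFFFFFF reinterprets the signed value as unsigned
    # (the sign handling Jamie points out earlier in the thread).
    raw = b"".join((w & 0xFFFFFFFF).to_bytes(4, "big") for w in payload)
    if len(raw) != count:
        raise ValueError(f"count word says {count} bytes, payload has {len(raw)}")
    return raw


def xor_subset(key, mask):
    """XOR together the key bytes selected by mask (bit i selects key[i])."""
    acc = 0
    for i, byte in enumerate(key):
        if mask >> i & 1:
            acc ^= byte
    return acc


def recover_masks(samples, const=CONST):
    """For each stored byte, list every subset mask that fits all samples."""
    pairs = [(bytes.fromhex(k), mfs_to_bytes(w)) for k, w in samples]
    n_in, n_out = len(pairs[0][0]), len(pairs[0][1])
    table = []
    for pos in range(n_out):
        fits = [m for m in range(1 << n_in)
                if all(const ^ xor_subset(key, m) == out[pos] for key, out in pairs)]
        table.append(fits)
    return table


def encode(key_hex, masks, const=CONST):
    """Apply recovered masks to a key and return the value in MFS word form."""
    key = bytes.fromhex(key_hex)
    raw = bytes(const ^ xor_subset(key, m) for m in masks)
    words = [int.from_bytes(raw[i:i + 4], "big", signed=True)
             for i in range(0, len(raw), 4)]
    return [len(raw)] + words


def mask_label(mask, n_in=5):
    """Human-readable form of a mask, e.g. 'k0^k4'; '-' means constant only."""
    return "^".join(f"k{i}" for i in range(n_in) if mask >> i & 1) or "-"


if __name__ == "__main__":
    fitted = recover_masks(SAMPLES[:3])            # fit on the first three posts
    assert all(len(c) == 1 for c in fitted), "mapping not uniquely determined"
    masks = [c[0] for c in fitted]
    for word in range(0, len(masks), 4):
        row = "  ".join(f"{mask_label(m):>14}" for m in masks[word:word + 4])
        print(f"word {word // 4 + 1}: {row}")
    for key_hex, posted in SAMPLES[3:]:            # predict the held-out posts
        print(key_hex, "matches posted value:", encode(key_hex, masks) == posted)
```

Every mask is uniquely determined by the samples and nothing in the mapping depends on a secret or on the unit, so the MFS value is an encoding of the key rather than encrypted storage.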

cjs226
02-12-2006, 09:07 PM
I assume there's still no solution for utilizing an existing 128bit key?

tivo4mevo
03-04-2006, 02:38 PM
I assume there's still no solution for utilizing an existing 128bit key?

This is wepkey v0.2, which includes support for mangling 128-bit wep keys in addition to 64-bit keys. The mapping was determined from three, carefully chosen keys entered into a dtivo running 4.0.1b. It has been fairly well tested, though not exhaustively.

Wepkey v0.2 follows the same licensing terms as alldeadhomiez laid out for v0.1 (http://dealdatabase.com/forum/showpost.php?p=238863&postcount=25)

Namely,


License terms, by popular demand:

You MAY use, modify, and rebuild this code to your heart's content.
You MAY post modified versions, Win32 exe's, tcl ports, script packages that include wepkey, etc. IN THIS THREAD ONLY (http://www.dealdatabase.com/forum/sh...ad.php?t=44829)
You MAY NOT post, distribute, sell, trade, or barter this program, modified versions, or any derivative work under ANY other circumstances.
Any program/archive/script that includes wepkey MUST be posted under the same terms as wepkey itself. Please make this clear in your post so that my code does not accidentally get reposted elsewhere.

The usage remains the same:


$ ./wepkey.x86 12345d762a
20 -1829006602 -74254602 -1494944110 -455285594 -588994906
$ ./wepkey.x86 0102030405060708090a0b0c0d
52 -50987791 -50463503 -50987791 -167972367 -33754628 -167972356 -17763844 -84608778 -151456518 -251858690 -185010434 -118162694 -51314954


Please note that the attached file does not yet contain a mips executable (as I don't have a mips cross-compiler); if someone would be so kind as to compile one, I can include it here.

[EDIT] Thanks to cheer for catching a critical segfault and providing the MIPS binary (now included in the attached file).

cheer
03-04-2006, 10:42 PM
Please note that the attached file does not yet contain a mips executable (as I don't have a mips cross-compiler); if someone would be so kind as to compile one, I can include it here.
Here you go. I figured to myself, "Heck, it's a simple program; should take all of 30 seconds to recompile for mips and post." Right?

Hah. Well, it worked -- if you supplied a proper parameter. Or even a wrong parameter. But if you gave it NO parameter, it segfaulted.

Now for any of you C types, this probably would've been a 2 minute fix. But since I am wholly C illiterate, it took me a lot longer to find the problem, and the fix is a kludge. If some C person out there wants to make it clean and/or elegant, by all means please do so.

Near as I can tell, readkey was bombing on whatever value argv[1] gets set to if there's no command-line parameter. (I'd assume it's a null but maybe not.) Anyway, I added another check in main() that checks if argc == 1 before calling readkey. Seems to have done the trick. Haven't tested it at all beyond running it and passing it a few valid and invalid strings -- I don't use wireless on my Tivos.

Anyway. As I said, feel free to fix it -- I did it more as an exercise to see if I could figure it out than anything else.

EDIT: attachment removed; tivo4mevo has bundled the mips binary in his archive.

rbautch
05-29-2006, 06:12 PM
The script I posted here (http://www.dealdatabase.com/forum/showpost.php?p=238928&postcount=27) also works with the 128-bit wepkey.mips.

captain_reef
12-10-2006, 06:36 PM
need some help. I followed all the directions to add wireless to my HR10-250. When I ran setSSIDwep2.tcl to enter the encryption key, it crashed. Probably because my SSID had an imbedded space.
For now, everything works again with wired except I cannot get into the TivoWebPlus screen. I can telnet, ftp, ping and have the same address as before. When I open my browser and enter the IP address, I get the white page, not found.

Can anyone give me an idea where to start?

I will attack the wireless after I have everything else working.

captain_reef
12-10-2006, 06:56 PM
Ignore this post. After 20 minutes, it corrected itself.

Wonders never cease!!

ScottB
01-31-2007, 10:43 PM
Never mind. I found my STUPID mistake.