Series 3 PROM Hack



Narf54321
01-06-2007, 04:45 AM
Important Note: This method requires removing the SST37 PROM chip from the Series-3 motherboard, which is difficult and may end up rendering your (expensive) Tivo useless!

Inferring some info from the DT PROM hack thread (http://dealdatabase.com/forum/showthread.php?t=50973), I managed to get some work done on the Series 3 TCD648 PROM v3.16. Like the SD Dual-Tuner model, the S3 has a compressed image as part of the bootup code. As mrpenguin describes in the other thread, first there is a check code you need to disable. For v3.16 PROM this should be at 0x6D4C.

Then you need to locate the gzip signature 1F 8B 08 (the 08 indicates max compression) within the binary PROM code which marks the compressed portion and save it out separately from the rest of the PROM code for further editing. I did this by using the editor to delete everything before the gzip portion begins, and save as a new binary file. For v3.16 PROM this compressed portion should begin at 0xB5C8.

Then you must unpack this compressed portion, edit the hex, and recompress with gzip -9n. Be wary of compressor tools which want to add flags and comments to your re-compressed image since the original PROM has none of that. I don't know how well the S3 would handle extra cruft. I ended up using plain gzip within cygwin.

Use the editor to glue your newly compressed image back into the original PROM code at the same place the old image was. Save it and burn to a new chip.


First edit (hex):
Address   Orig_Value    Change_Value
0x6D4C    04 40 00 12   00 00 00 00



Edit within gzip compressed portion:
Addr      Orig_Value    Change_Value
0x31B8    10 43 00 0A   10 00 00 0A


(Note that address 0x31B8 is from the beginning of the smaller binary file after you've chopped this piece of PROM clean away from the rest and uncompressed it. Be sure to re-compress with gzip -9n when you're finished here)

Added confusion since the target code 10 43 00 0A is found twice within the internal compressed image -- Once at 0x31B8 (which I edited) and another at 0x8BBC (which I left alone). Discussion on how important this might be can follow.

Once you've verified your S3 Tivo still boots, you can pull the drive and use mrblack's venerable replace_initrd (http://www.dealdatabase.com/forum/showpost.php?p=91200&postcount=12) on the hard drive's boot kernel.

Narf54321
01-06-2007, 04:53 AM
So what actually works on a "hacked" S3? It's late and I haven't spent much more than a few minutes verifying telnet. I've only loaded AlphaWolf's All-in-One utilities (http://www.dealdatabase.com/forum/showthread.php?t=37602) (busybox and other useful stuff) and tried ls and vi. The busybox version of vi is of course still broken, but works well enough to edit files on the Tivo.

I'm guessing that a number of S2 MIPS programs will run.

EDIT: A couple more things found which work. TivoWebPlus 2.0 (http://www.dealdatabase.com/forum/showthread.php?p=275374&postcount=154) and caller-ID via TivoNCID (http://www.dealdatabase.com/forum/showthread.php?t=53236). Also MFS_FTP runs with the same series-2 tweaks, although it seems to be of very limited usefulness right now.

mr_zorg
01-06-2007, 03:46 PM
Awesome work! Now I may have to seriously think about upgrading to an S3... Time to research exactly what this box can and can't do. :)

P.S. Any chance of someone burning new PROMs for those of us that don't have the equipment to do so? For a small fee, of course...

mrpenguin
01-07-2007, 07:48 PM
Great job! I bet you are psyched! you should be!

Congrats!

DaytonaDave
01-08-2007, 07:34 PM
Great work!

I am curious -- is this prom socketed? I am ordering my S3 this week and look forward to trying this out.

Thanks,
DD

stevel
01-08-2007, 08:18 PM
It is not socketed unless you socket it.

Narf54321
01-08-2007, 09:08 PM
Removing (i.e. desoldering) the S3 PROM and installing a socket should be performed very carefully. There are little surface-mount components which are much closer to this chip on the S3 than on the previous model 2.5 "nightlight" and R10 motherboards.

avpman
01-21-2007, 11:29 PM
No way to reprogram the chip in place I guess??

Narf54321
01-22-2007, 01:12 AM
Tivo uses an SST37VF010 model PROM chip, which requires 12 volts on the A9 pin to erase for reprogramming. I don't know if Tivo supplies the required equipment to erase "in-line" at the higher voltage. And you run into the catch-22 issue of how to issue an 'erase' command if you haven't already exploited the box. And the fact that although there appears to be an official Tivo linux tool which can read from the PROM, Tivo doesn't seem to have included anything to write an image onto the PROM.

Seems to me rigging a wiring harness or something to reprogram the PROM on the motherboard is more difficult and potentially more dangerous to the board than simply socketing.

I've done a few sockets in my time, and I've always replaced the original chips with the SST39's which are erased and reprogrammed at ~3.3volts. Once socketed, you can boot into the fixed machine and theoretically use something like homieflash to do PROM updates.

avpman
01-24-2007, 12:00 PM
I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.

I've inquired among several commercial component level repair shops and the going rate to remove the S3 chip and replace it with a socket has so far been about $70-80 (provided I supply the socket). The prices quoted all seem to be the going minimum rate for an hour's work.

If someone is able to hack the code successfully, I'll aggressively pursue a shop to get the price down to something more reasonable. I would think something in the $40-50 range would be more palatable.

If you're brave enough to do it on your own, a company called Chipquik makes a kit for desoldering SMD chips. http://www.chipquik.com/newsletters/cq_new_june_2004.htm I've written them to ask if their product will work equally as well on PLCC chips. PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.

Jamie
01-24-2007, 12:04 PM
I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.

It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here (http://www.dealdatabase.com/forum/showthread.php?p=273808#post273808) are some sources for parts.

...
If someone is able to hack the code successfully,
...

Narf already did that.

...
PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.

I think you are confused. Have you examined a Series3 motherboard?

avpman
01-24-2007, 12:42 PM
It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here (http://www.dealdatabase.com/forum/showthread.php?p=273808#post273808) are some sources for parts.


Narf already did that.

I think you are confused. Have you examined a Series3 motherboard?

1) Do we have independent confirmation that Narf's hack has worked?

2) Can we get a way to get the code or someone willing to burn a PROM for further testing?

3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).

4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outline on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assessment in comment #3 above :eek:

Narf54321
01-24-2007, 01:05 PM
1) Do we have independent confirmation that Narf's hack has worked?

Ah, a scientist ... I see.
You don't necessarily have to take my word for it, but yes the PROM hack works (else I wouldn't have posted). I'm a bit hesitant to post actual binaries at this time, but there's nothing wrong with instructions for other owners.


2) Can we get a way to get the code or someone willing to burn a PROM for further testing?

You get the code off the original SST37 prom. And monkey it with a hex editor -- I used XVI32 myself.

As far as 'testing', the S3 behaves much like a MIPS S2 machine, there's just more RAM available. It seems to be pretty much the same Linux setup. TivoWebPlus 2.0 runs, but most of the modules don't work right.


3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).

I got one of those knockoff Willem programmers off eBay. It works well enough, just be sure you get one with the PLCC32 socket. Jamie even mentioned in another thread that there are cheap IDE controllers (SI I think) with programmable PLCC32 sockets.

Or an old S2 DirecTivo laying around already socketed, and use ADH's homieflash.

Personally, I recommend using the SST39's as replacement chips. The 37's require 12volts to reprogram and I've had trouble setting that up with my programmer. The 39's can be erased and reprogrammed easily at 3.3volts, and once installed should be able to be homieflashed in the future if needed.

A side note on sockets: Do NOT get the sockets with posts on the bottom. There are no holes on the Tivo board to fit them.


4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outline on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assessment in comment #3 above :eek:

Yeah, it's nice they masked off the socket area already for us, isn't it. It's the same SST chip they've used in the S2, and the S1 before that.

According to the sticker, you've got the v3.16 release, which is good. My instructions (see first post) rely on the 3.16 PROM code, so if Tivo ships out a newer code version the exact hex locations will likely be different.

avpman
01-24-2007, 01:42 PM
Check your PM - Thanks

pmiranda
01-30-2007, 10:01 AM
They probably used sockets for the prototypes so they could swap ROMs quickly for debug.
Hmm... I've got a really early S3, I wonder if it has a socket... Even basic web control of it would be nice... being able to take a few shows with me on the road would be really nice.
Just 35 weeks until my warranty expires.

Supafly
01-30-2007, 10:49 AM
This is GREAT news Narf, this is definitely a step in the right direction. I was getting a little concerned lately due to the lack of interest in the S3 dev forums. Oh, and by the way, you hit front page of Engadget: http://www.engadget.com/2007/01/30/series3-prom-hack/.

:)

Narf54321
02-01-2007, 05:29 PM
Wow, over 4000 page views to this thread now!

I see a bit of misinformation in some of the blog reports... we don't re-solder a chip onto the motherboard. Much better to install a PLCC32 socket so you can pop new PROM chips in and out whenever you wish.

cordless
02-08-2007, 01:02 PM
To keep interest in this for the series 3 I will FREE of charge remove and program. U just pay the shipping about 20-25.00 UPS ground. I offer this to keep the hacking alive on the Tivo 3 as I don't have time to hack it myself and If I offer this I will maybe be giving back to the community in some small way.. Please contact me 1st before shipping. if u want it socketed then u need to send me the socket. or pay for one I have them here, otherwise i will desolder program and resolder.

This is not a commercial offer for any fee whatsoever.. I do this only to help the community. U may remove this post if u think otherwise.

Keep Hacking Alive
Todd.

Ship to
www.digitalrecorder.com
FREE PROM OFFER
32877 112th st
Eureka, SD. 57437

605 284-2900

Jamie
02-08-2007, 01:36 PM
To keep interest in this for the series 3 I will FREE of charge remove and program. U just pay the shipping about 20-25.00 UPS ground. I offer this to keep the hacking alive on the Tivo 3 as I don't have time to hack it myself and If I offer this I will maybe be giving back to the community in some small way.. Please contact me 1st before shipping. if u want it socketed then u need to send me the socket. or pay for one I have them here, otherwise i will desolder program and resolder.

This is not a commercial offer for any fee whatsoever.. I do this only to help the community. U may remove this post if u think otherwise.

Keep Hacking Alive
Todd.

Ship to
www.digtalrecorder.com
FREE PROM OFFER
32877 112th st
Eureka, SD. 57437

605 284-2900

As always, caveat emptor. It's worth doing some background research on any company you are thinking of sending your $800 box to for surgery.

In this case, there is some history of selling hacked tivos on ebay, some even with service theft hacks: link1 (http://stores.ebay.com/digitalrecorder-com), link2 (http://www.dealdatabase.com/forum/showthread.php?t=45421&highlight=digitalrecorder.com), link3 (http://www.dvrplayground.com/comment/349/;jsessionid=1702A59260D39B181EF2ACCA7BA8F7EA?type=4).

avpman
02-10-2007, 08:45 AM
To keep interest in this for the series 3 I will FREE of charge remove and program. U just pay the shipping about 20-25.00 UPS ground. I offer this to keep the hacking alive on the Tivo 3 as I don't have time to hack it myself and If I offer this I will maybe be giving back to the community in some small way.. Please contact me 1st before shipping. if u want it socketed then u need to send me the socket. or pay for one I have them here, otherwise i will desolder program and resolder.

This is not a commercial offer for any fee whatsoever.. I do this only to help the community. U may remove this post if u think otherwise.

Keep Hacking Alive
Todd.

Ship to
www.digtalrecorder.com
FREE PROM OFFER
32877 112th st
Eureka, SD. 57437

605 284-2900


I think the above link contains a typo. Also, what is the turn-around time for such a generous offer?

cordless
02-13-2007, 02:29 AM
Takes only few minutes to do the work. We repair tivos Replaytv and xbox all day here. I can guarantee as long as we don't get more than 10 units a week we can get them out in 2 days here.. Then whatever it takes for shipping. u can use your Fed Ex or UPS accounts as well. Remember NO CHARGE for the work. Only shipping back to you. Our shipping prices are posted at the website and Please use the shipping and repair form for faster service.
http://www.digitalrecorder.com
Thanks

Todd

cordless
02-13-2007, 02:34 AM
Fixed the URL above Sorry

cheer
02-13-2007, 09:03 AM
People who sell hacked Tivos on eBay aren't very popular around here, mostly because they profit off the work of the people around here.

Just an FYI.

avpman
02-14-2007, 11:50 AM
I found a commercial DVR repair facility that will do the removal and socket rework for $45 plus shipping. You can send in the entire unit, in which case they will be able to test the work before returning the unit to you. Or, you can just send in the board. Although, if you do that they won't be able to test the rework.

Two things to keep in mind:
1) You will have to supply the socket when you send in the unit.
2) They do not have the ability to re-program the chip. You'll have to get that done somewhere else. (I may consider offering the pre-programmed chips and sockets for cost plus shipping).

I am checking with the repair facility and asking permission to post their info here. Anybody interested in this service or in my supplying them with the chip and socket? Total cost of chip & socket plus shipping would probably be $10-15, depending on overall interest (volume). I also need to ask permission to distribute the patched PROM code from the folks that put their time and intellectual effort into modifying the PROM code.

buechel
02-14-2007, 07:22 PM
1) Do we have independent confirmation that Narf's hack has worked?


My S3 still boots after applying the PROM changes.

last night I socketed the prom - took about 45 min start to finish.

tonight I modified the software and made a new prom - tivo still boots.

After applying the needed software modifications, telnet and ftp work fine.

mfs_ftp runs but has no value. Trying to insert anything by mfs_ftp hoses the MFS.

tiver
03-04-2007, 03:20 PM
any new developments on this front ?

The end goal, if I understand correctly, is to get s3 HD content off of the s3 tivo in unprotected form ... so I can use the video elsewhere, emancipated from my s3 tivo ... are we still pretty far away from this ?

Heinrich
03-07-2007, 02:31 AM
Ya

Burst of activity then......

quiet spread the land

Roger Dylan
03-07-2007, 04:35 AM
Ya

Burst of activity then......

quiet spread the land

CableLabs is watching. Low profile advisable for awhile.

tiver
03-11-2007, 11:47 PM
**** cable labs.

**** them dead.

The s3 tivo will get its shows ripped off without protection - it's just a matter of time. And as long as I keep paying my cable bill each month, it's none of their business what I do with it.

PTVupgrade
03-16-2007, 01:47 AM
People who sell hacked Tivos on eBay aren't very popular around here, mostly because they profit off the work of the people around here.

Just an FYI.

Not only that, but the guy is actually redistributing/using stuff that is expressly forbidden; sort of ticks off those of us who've actually paid for the rights and gotten permission to use certain things that he just uses without any remorse:
http://www.dvdcenter.org/downloads

avpman
03-25-2007, 09:47 AM
I found a commercial DVR repair facility that will do the removal and socket rework for $45 plus shipping. You can send in the entire unit, in which case they will be able to test the work before returning the unit to you. Or, you can just send in the board. Although, if you do that they won't be able to test the rework.

Two things to keep in mind:
1) You will have to supply the socket when you send in the unit.
2) They do not have the ability to re-program the chip. You'll have to get that done somewhere else. (I may consider offering the pre-programmed chips and sockets for cost plus shipping).

I am checking with the repair facility and asking permission to post their info here. Anybody interested in this service or in my supplying them with the chip and socket? Total cost of chip & socket plus shipping would probably be $10-15, depending on overall interest (volume). I also need to ask permission to distribute the patched PROM code from the folks that put their time and intellectual effort into modifying the PROM code.

Just to update you guys. I did the socketing myself using Buechel's "Chipquik method" (http://www.dealdatabase.com/forum/showpost.php?p=276863&postcount=12). (I couldn't stand the thought of being w/o my Tivo while I sent it off for socketing). I have to say it went a lot easier than I had expected. The only thing I would add to Buechel's instructions is carefully to mask off the ENTIRE area around the prom before trying to remove it (thanks Narf!). There is one very tiny surface mount chip very close to the prom that could get damaged if you're not careful. I used a layer of blue painter's tape, a layer of aluminum foil and another layer of painter's tape to mask off the area. After I applied the ChipQuik I was able to simply slide the old prom right off its pads and onto the masked area.

To make sure I was able to successfully burn a working prom, I made a copy of the original prom. The socket and the new unaltered prom worked great. Next step is to try the modified code and if all goes well, I'll have chips available.

avpman
04-03-2007, 05:12 PM
TivoWebPlus 2.0 seems to work well on the S3. However, looks like the Tivo OEM software is already using port 80. To get TWP working, go to the config directory below where you installed TivoWebPlus e.g. .../TivoWebPlus/config and edit the tivoweb.cfg file. Change the “Port” line from 80 to something else, like 8080. Then restart tivoweb. When you open your browser use the 8080 as the new port for the Tivo. E.g. http://192.168.1.37:8080

superwagon@mac.
02-05-2009, 09:11 PM
The modding went so well on my beloved THD that I decided to buy a Series 3 off of craigslist. I upped the HD to 1TB and socketed it. Anyway, when I pulled the code off of the working PROM (3.16-rel), I can't find the gzip signature anywhere.

Here is what I find:


0x6D4C 00 00 00 00
0xB5C8 00 00 7F FF

1F 8B 08 is nowhere to be found.

The TiVo boots up and works fine.

Am I missing something? (I am new to this.)

UPDATE: I figured it out. The willem programmer I was using needed a jumper change when switching between the SST37 and SST39 chips. It would read all of the data but half of it would be corrupt.
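
Added example, not part of the original thread and not any poster's code: a read-only sanity check for a chip dump, tying together the gzip signature search from the first post and the corrupt programmer read described in the last one. It finds each 1F 8B 08 occurrence, decodes the header fields, and lets zlib verify the CRC32 trailer; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate) per RFC 1952
FLAG_BITS = {0x01: "FTEXT", 0x02: "FHCRC", 0x04: "FEXTRA",
             0x08: "FNAME", 0x10: "FCOMMENT"}


def inspect_member(image, offset):
    """Parse the fixed 10-byte gzip header at offset, then inflate and verify."""
    report = {"offset": offset, "valid": False}
    if offset + 10 > len(image):
        return report
    flg, mtime, xfl, _os = struct.unpack_from("<BIBB", image, offset + 3)
    report["flags"] = [name for bit, name in FLAG_BITS.items() if flg & bit]
    report["mtime"], report["xfl"] = mtime, xfl
    # What `gzip -9n` writes: no optional fields, zero timestamp, XFL=2.
    report["bare_header"] = flg == 0 and mtime == 0 and xfl == 2
    inflater = zlib.decompressobj(31)  # 16+15: gzip framing, CRC32/ISIZE checked
    try:
        payload = inflater.decompress(image[offset:])
    except zlib.error as exc:          # bad deflate data or trailer mismatch
        report["error"] = str(exc)
        return report
    report["valid"] = inflater.eof     # stays False when the member is truncated
    report["packed_len"] = len(image) - offset - len(inflater.unused_data)
    report["payload_len"] = len(payload)
    return report


def scan_dump(image):
    """Inspect every offset where the three signature bytes occur."""
    reports, pos = [], image.find(GZIP_MAGIC)
    while pos != -1:
        reports.append(inspect_member(image, pos))
        pos = image.find(GZIP_MAGIC, pos + 1)
    return reports


def constructed_dump():
    """Constructed stand-in for a chip read: 0xFF filler around one member."""
    body = b"constructed second-stage payload " * 64
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, level 9
    raw = deflater.compress(body) + deflater.flush()
    header = GZIP_MAGIC + struct.pack("<BIBB", 0, 0, 2, 3)
    trailer = struct.pack("<II", zlib.crc32(body), len(body))
    return b"\xff" * 0x40 + header + raw + trailer + b"\xff" * 0x20, body


if __name__ == "__main__":
    image, _ = constructed_dump()
    damaged = bytearray(image)
    damaged[len(image) - 0x20 - 8] ^= 0xFF   # flip one CRC32 byte in the trailer
    for label, data in (("clean read", image), ("damaged read", bytes(damaged))):
        for rep in scan_dump(data):
            print(label, hex(rep["offset"]), rep)
```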