If you've got an S3 you want to hack I've written this overview to point you in the right direction. Telnet bash and ftp are the foundational hacks. With them the door is open to any other modification. This is not a guide, but an overview. In very broad strokes, the steps you'll need to take to get the foundational hacks working. These will also apply to the late model S2.5 versions.

Getting a Bash prompt and ftp on my S3 took 3 days of reading and reading ... and reading. I've owned and modified an S1, and an early S2 so I was surprised at how research was required to find the answers I needed.

In the course of reading dozens of posts I got the sense that some folks here are "anti-guide" they prefer newbies use the same approach as me. These are people who have been reading these posts for years. Perhaps they don't realize that within a 415 post long thread there are maybe 6 important posts. I concluded that what DDB needs is not a set of guides but a useful index. An index tells where to find the most relevant threads or posts to address specific topics. The search function is useful but the key to an index is relevancy. Searching for "initrd" will return thousands of posts, but won't tell you which ones define what it is and why it is important to the tivo hacker. A well designed index to quality posts could enhance DDB a great deal. Currently there is no good way to do this.

Please think of what follows as a type of index to the essential information for the initial cracking of an S3. This is really for my own use so that in 2 years I won't have to start from scratch if I need to retrace my steps. After developing it, I decided to share it here.

Of course it goes without saying that modifying your tivo in any way is a breach of the user agreement. There is no way to hide these changes from Tivo, INC. Since the tivo needs to call in every day they could test any of a dozen indicators as part of the daily call to check for hacking.


The Tivo has a number of features specifically designed to keep you out of it. These build on top of each other like a stack of books. Read the write up S2 chain of trust (http://www.dealdatabase.com/forum/showthread.php?p=192565#post192565).


Currently the S3 can only be cracked by replacing the software in an EPROM chip soldered to the motherboard. Read the thread on the S3 prom hack for details (http://www.dealdatabase.com/forum/showthread.php?t=52620).


Get the EPROM in your S3 socketed (http://www.dealdatabase.com/forum/showpost.php?p=276863&postcount=2). A socket allows it to be pulled at will for re-programming. This is no more difficult than indoor wall climbing, but it does take skill and some special tools. There is no thread which explicitly spells out how to do this, but there are good tips in the S2 support forum under PROM socketing


Get the EPROM (once removed) reprogrammed (http://www.dealdatabase.com/forum/showthread.php?t=52620). This takes some special equipment.


Modify the kernel (http://www.dealdatabase.com/forum/showthread.php?t=21976) (this should be obvious from the Chain-of-trust thread), specifically a portion known as initrd. This is a tricky topic to research since there are so many threads, but most assume the reader already knows the basics. Look in the S2 forum for the tiny initrd thread. Read every post. I also discuss this below in post #9 of this thread


To modify the kernel, you need to get the tivo drive in a PC computer running Linux. You'll need a SATA port on your desktop PC and a specialized linux boot disk. As of March 2007, I'm finding the best ISO for this purpose is at mfslive.org However Mr Black's replace_initrd is not compatible with the version of DD on the mfslive boot disk. I haven't looked into why this is yet. You will need another linux environment to actually edit the kernel in.


Copy tivoftpd to the Tivo drive while the tivo drive is in the PC.

Copy Alpha Wolf's All-in-one utilities to the TiVo drive while the drive is in the PC.


With the tivo drive in the PC, create an rc.sysinit.author file to:
include your hack directories in the PATH
start telnet tnlited 23 /bin/bash -login &
start tivoftpd
defeat the built-in firewall (http://www.dealdatabase.com/forum/showthread.php?p=273961&postcount=2)



Once it's running probably the first thing you'll want to do is get a copy of ls on the machine. This is easily done by ftp'ing in alphawolfs all-in-one tools (http://www.dealdatabase.com/forum/showthread.php?t=37602).

Socketing a PROM is so precise and exactly the same for every S3 owner that I feel comfortable writing a guide for this process. This is forum for hobbyists, yet it is somewhat rare for computer hacking skills and electronic soldering skills to coexist in the same hobbyist.

To socket an S3 I use the following tools and supplies

- 30W / 15W switchable radio shack soldering iron with a sharp and well tinned tip
- Fine electronic solder
- About 10 cm of ChipQuick alloy
- Radio Shack desoldering braid
- ChipQuick flux
- 3M surface mount PLCC32 socket 3M part number 8432-21B1-RK-TP Get it at mouser.com (http://www.mouser.com/search/refine.aspx?Ntt=517-8432-21B1-RK-TP)
- Utility knife
- Small needle nose pliers
- A dozen Q-tips
- Isopropyl alcohol
- Magnifying glass
- Ohm meter to check for shorts and mis-soldered pins

The best DDB threads for general tips are
This one in the Buy/Sell forum (http://www.dealdatabase.com/forum/showthread.php?t=49832)
This one in the S2 Support forum (http://www.dealdatabase.com/forum/showthread.php?t=23114)

Both threads include many approaches and methods. Here is my method:

After removing the hard drive and getting the box on a bench with bright lighting,

1. Prepare the TIVO.

Get the box on a bench with good light and ventilation.
Remove the hard drive.
Remove the clock battery.
Take static electric precautions. Either use a ground strap (I connect it to my ankle to keep my hands free) or get the room humidity over 50%.
Tape off the area around the prom to prevent possible splatter contamination / shorting of nearby parts

2. Follow the ChipQuick instructions to remove the PROM

- Apply a bunch of flux to all pins
- Melt a bunch of the alloy to bridge the 8 pins on each side.
- Rapidly heat different sides with iron until the chip slides around
- Lift the chip off with a pair of small pliers
- If you lift a pad, this is not the end of the world, extremely delicate surgery might be able to save the device, by transplanting a few stands of copper from a de-soldering braid onto the trace to form a new pad. Best not let this happen though

3. Clean the Pads

While melting the remaining alloy, use Q-tips to push the alloy / solder mixture off the pads. After the blobs harden remove them with fingers or tweezers.
Using plenty of desoldering braid laid flat across a row of pads heat the solder and pad through the braid. Do not linger in any one place long. Be sure to run a fine balance between getting the pads clean enough that good joint is possible and between overheating the pads detaching them by melting the underlying PCD
Clean the pads and area with Q-tips and alcohol. Special lint-free versions of the classic q-tip may be desirable since leave less mess.

4. Clean the Old Prom

The ChipQuick designers assume the old component will be trashed and the old prom is left with all the pins bridged. To remove the alloy:
Set the iron to 15W
Grasp the PROM between thumb and forefinger so that one row of pins is in the clear.
Heat that row of pins all at once with the side of iron tip until the alloy melts
Quickly hit your wrist / edge of your palm against a table top
DO NOT HIT THE PROM AGAINST THE TABLE. Hold on the prom the entire time.
The liquid alloy should fly off the pins and splatter on the table. Put down some cardboard to catch the mess.
Rotate and repeat until all pins are isolated. If a second round is needed a little flux can help the process

5. Prepare the Pads.

Apply a load of flux the pad area.
Carefully place a very small amount of solder on each pad. To do this ...
Touch the iron to the solder to melt a droplet on the tip of the iron
Touch the iron to the pad to transfer the solder to the pad
Repeat until all pads have a small bubble of solder on them

6. Prepare the socket.

Using a sharp knife cut the bottom out of the socket.
Cut the plastic lines as close to the connectors as possible
Do not lose the bottom piece, it will be needed later!
Use the tip of the knife to pop out the remaining plastic between the connectors.
Cutting the bottom of socket does not significantly weaken it, once soldered it is very strong. Having the bottom out makes the job of soldering much easier and allows for easier testing of the circuit if there is a problem later

7. Solder the socket

Align the socket carefully on the board
Triple check the socket is aligned properly
Press the socket down until the 'feet' are resting on the pcd, the pins are springy and will bend up away from the solder pads you laid down.
When you are sure the socket is perfectly aligned touch the iron tip to one pin. The pin will melt the solder under it and push down to the pad. Once you remove the iron the solder will cool and lock that pin in place.
Repeat with a pin on the opposite side to ensure good alignement
Solder two pin on each side
Finish soldering all pins
Triple check every solder connection with a magnifying glass
If there a solder bridge remove it with some braid and re-apply a bit of solder to each joint

8. Clean up

Clean the area with Q-tips and alcohol
Strictly speaking the ChipQuick flux is safe to leave behind, but I don't like the way it looks. Without washing the board, it can't be completely removed though.
Place the socket bottom you previously cut out in side the socket. Just let it sit there, don't glue it or anything. This will serve to prevent the PROM from bottoming out, which can cause twisting and connection problems

9. Insert the PROM and cross your fingers.

Push the PROM down until it bottoms out. With the box still open on the bench plug in the power supply. If the fan starts spinning within 10 seconds you are almost certainly OK. If not, get out volt meter and start checking for shorts or missed connections.

10. Reinstall the drive & battery, close it up and connect to a TV. See if it boots.


In the photos below (as attachments) the first is a socket with new PROM in a S3. Notice how close the socket must come to a nearby capacitor.

The second is a detail in the same S3 of the pin soldering. Notice a little flux I couldn't quite clean in the corners and between some pins. Since the spacing on the pins is about the same as the thickness of mechanical pencil lead, getting the exact amount of solder on the pads is crucial. Too much solder and a bridge is almost inevitable.

Still too scared to DIY? There may be people offering to do this service for you:

The PROM socketing service thread in buy/sell (http://www.dealdatabase.com/forum/showthread.php?t=49832)

A company that reportedly offers to socket S3's for free (http://www.dealdatabase.com/forum/showthread.php?p=275499&postcount=18)

AVPMAN's source (http://www.dealdatabase.com/forum/showthread.php?p=275854&postcount=24)

And I'm also willing to do this for a fee (http://www.dealdatabase.com/forum/showthread.php?p=277086&postcount=59)

thank you so much for this walkthrough and summary.

My question:

what does this get me ?

I don't know about all the million things people do with their hacked tivos - the ONLY thing I care about is getting full-resolution copies of my TV shows off of the tivo, and onto my unix fileserver so that 20 years from now when I don't have a tivo anymore I can still use them.

That's it. How close are we to that ?

My question:

what does this get me ?


It gets you a hacked unit. It gets you a Series-3 Tivo unit which you can telnet into, which you can add/change the (GPL'ed) software on the box, and access to the proprietary files which run the Tivo interface in the event any useful patches are ever found.

Your other question isn't really a hacking question, so much as an extraction question. Maybe it should go in a new thread. Right now it is still early in the S3's life, so there isn't a lot to say at this point. The TY format on the S3 seems to have been subtly changed so the tools we're all used to using don't work.

I would love to do this hack on my Tivo so that I can get some more features on the S3...Caller ID :).

But I dont have the skills to take the PROM off or back on for that matter. Anybody in Greenville SC with skills that can do it for me? For $$$ of course!

The whole point of my earlier post was to socket the prom. Why socket the prom? So we can change it of course!

Because of the vast number of ways to accomplish the goal of re-writing the prom it is impossible to write a step by step guide. This overview is intended to tell in a different way what has been written many times before at DDB.

PROM is an acronym for Programmable Read Only Memory. The key nature of this the programmability part. We will change instructions inside the PROM to bend the function of the Tivo more to our liking. By modifying the prom we move down one step in the overview. After this step is complete, the next will be modifying the kernel. You will only need to reprogram the prom once. Once it is fixed you will likely never ever need to change it again.

When the Tivo first turns on the CPU is hard coded to look for its first instructions at a specific memory location inside the PROM. These instructions are written in "machine language", a set of about 100 different very specific actions which the CPU knows how to do. (To the human, these appear as bunch of almost random numbers. Special software can turn them into a form more understandable, mnemonics.)

Those instructions need to get the tivo up and running; basically initialize and check some hardware and then load the kernel. Control is passed to the kernel and the instructions in the PROM are then ignored until the next reboot.

Part of the security in the Tivo as discussed in the chain of trust post is that the instructions in the PROM scrutinize the kernel to make sure it is Tivo Inc, approved. If not the PROM is supposed to refuse to proceed and just stop.

The easiest way to bypass this is to change the programming inside the PROM a little. Changing just the smallest byte of a machine language program can have a big impact. In machine language, an if-then command is known as a "conditional jump" For example, "if the kernel is legit then load it or else stop" is essentially written as:
if the kernel is legit then jump to the routine which loads the kernel
else keep going to the next instruction
stop
.
.
.
Routine which loads and runs the kernel ...

changing just two bytes turns that into
jump to the routine which loads the kernel

stop
.
.
.
Routine which loads and runs the kernel ...

The trick is to find where that command is inside the PROM and change it.

Fortunately others have already done so for virtually every Tivo. The addressing notation is in hex

For the S3 with prom 3.16, the changes are documented here (http://www.dealdatabase.com/forum/showthread.php?t=52620)

For the 2.5 'Nightlight' TCD540xx with prom 2.25 the changes are here (http://www.dealdatabase.com/forum/showthread.php?p=189777&postcount=22)

For the S2 dual tuner, the changes are here (http://dealdatabase.com/forum/showthread.php?t=50973)

By far the hardest part of reprogramming the prom is getting appropriate hardware to do it with. Once you have that in hand it really is a snap. What equipment is needed to reprogram a PROM? There are several options:
A specialized tool known as a "EPROM programmer" is the easiest choice since it usually comes with software to perform the needed functions.
other cheaper options, including using a socketed early S2, using homieflash
or a various PC hard drive controller cards. These are little more difficult since they do not automatically have user friendly software.


Broadly speaking there are several discrete steps involved in reprogramming the prom:


use the Eprom programmer software copy the contents of the original prom to the PC
save a copy to the hard drive of the PC as a file
edit the right bytes in the code.
Cut out the compressed section with some hex editing software. I like 010 editor (http://www.sweetscape.com/) but only because it was the first one I found. I'm sure there must be very functional free options out there.
in cgywin or some other linux environment use gzip to expand the compressed section
use hex editing software to change the right bytes
use gzip to compress the modified section
use a hex editor to paste the modified section back in
save the result as file
get a new prom chip in the programmer
write the modified code to the new prom


For the S3 and the DT versions a linux environment is needed to use gzip uncompress and parts of the code before editing. A good choice for my needs on a windows PC is cygwin.

As of March 2007 an EPROM programmer will run about $60 on eBay.

Because there are so many ways to accomplish this task, I won't create a blow by blow walk through. If you are doing this yourself, you need to adapt the previous steps to your situation.

ok let me ask a different question (or perhaps the same question, a different way).

Now that you can hack the PROM, etc., do you have all the tools you need to work on video extraction ?

I understand the format is different and things are done differently than on S1/S2 ... I realize there is still (soft) work to be done. But does the PROM hack mean that all the heavy lifting is done and that all of the tools are in place to get extraction going ?

Is it now just a question bits and bytes ? Or are there additional hard(ware) problems to solve ?

I wonder if tivo, deep down, knows that there are a lot of people out there (myself) that would immediately pay any price for an S3 if video could be extracted from it...

But does the PROM hack mean that all the heavy lifting is done and that all of the tools are in place to get extraction going ?

Hacking the PROM really just refers to removing the SHA1 signature check done on the Tivo's kernel. At this point you can run a modified kernel. Specifically: A kernel which doesn't fall into an initrd filesystem check as it boots.

In the sense that a PROM-hacked S3 gives you access to your own machine, then yes the 'heavy lifting' is done once you socket the PROM and fix the PROM code running on the chip. Everything else is pretty much a matter of figuring out software bits and bytes, as you say.

There is still a lot to be done with figuring out encryption on the recordings, and the 'new' format of the TY files. The S3 is still very much a minority unit, plus a lot of the heavy duty figure-it-outers on this site seem to be satellite users, so it might be a long while before a lot of useful tools ever get built. You need to decide if the S3 does what you need now, and can live without file extraction, before you drop money on it.

Now that you can hack the PROM, etc., do you have all the tools you need to work on video extraction ?


Hacking the PROM is to video extraction as running the first mile is to finishing a marathon.

In terms of difficultly there are two different aspects:

1. To design the hardware modification described at DDB is not that difficult. To implement them is difficult due to the touchy soldering and and need for special equipment.

2. To design the software modification is extremely difficult but once they are created and released, implementation should be relatively easy (assuming you have already implemented the necessary hardware modifications)

There are also various reasons for prom socketing which have nothing to do with video extraction, such as the caller ID program and the fan speed modification

The intention of this thread is paint broad strokes of how to get an S3 to the point that when any software mods are built and released they can be installed. I will never in this thread discuss video extraction or any other software modification beyond getting telnet and ftp running.

Modifying the kernel on your shiny, prom modified S3

The TiVo is a Linux machine. At the heart of Linux is the kernel, a program that oversees the operation of a computer in ways similar to traffic lights. Generally the kernel has no "will" of its own. It exists only to allow other computer programs to function. There is though the possibility of an "initrd (http://en.wikipedia.org/wiki/Initrd)", a space where programs can be stored and run before anything else.

In the case of the TiVo S2 and S3, the initrd will contain a program that checks the file system of the TiVo for unauthorized modification and if it does find them, it attempts to destroy them. If it fails the TiVo won't boot.

The solution is to replace the contents of initrd with something more benign.

Enter stage right: alldeadhomiez's tiny initrd (http://www.dealdatabase.com/forum/showthread.php?t=21976). This initrd replacement was created in Feb 2003 for the S2, but still works great on the S3 since the hardware is still in the same 'family'. The program in the replacement initrd does nothing at all, except to return an "all clear" signal to the kernel so that booting can continue normally.

The purpose of this post is to demystify how to replace the original TiVo initrd in your S3 with the benign version.

Shortly after alldeadhomiez created the initrd replacement, Mr Black in March 2003, created a C program to scan a kernel, find the initrd segment and automatically patch in the tiny initrd replacement. Thanks to NillaZilla a complied version of this program can be found at this thread (http://www.dealdatabase.com/forum/showthread.php?t=53272).

Edit: The discussion in the next two paragraphs is no longer an issue. NillaZilla's complied version now includes a busybox compatible version of replace initrd.

Unfortunately there is a problem with Mr. Black's program. It relies on a linux tool, DD. DD is a program for copying sections of data to and from a hard disk. DD is implemented differently in various distributions of linux. Various linux bootdisks, such as the version as mfslive.org use busybox to implement DD. Mr. Black's tool won't work with that linux distribution since the workings of DD are subtly changed. I know that the PTV upgrade linux disk will work, but that the mfslive.org version will not.

I say all that because there is yet another complication - SATA. Most TiVo aware linux distributions do not play well with SATA. The PTV upgrade version does not work with many SATA inferfaces, but the mfslive.org version does very well. This creates something of a Gordian Knot. I can read the kernel with one version of linux, but can only edit it with another. Sigh. The result is a long procedure where the kernel must be copied from the tivo disk to a Parallel ATA drive, then reboot into a different linux version, edit it, boot back into the SATA aware version and copy the edited linux onto the TiVo drive.

Many of the steps of this process are demonstrated in the tiny initrd replacement thread (http://www.dealdatabase.com/forum/showthread.php?t=21976) unfortunately the thread reads like a mystery novel. The information is there, but it is not in any good order, nor is it complete as "walk-through" you will need to fill in the gaps. I recommend reading every word of first 35 posts. 5 of those posts are useful, but are only meaningful in context. Read them all again. Build a plan of what steps must be taken and in what order. Get every command you will need to type written down / printed out before you open the case on your TiVo.

Since that thread describes the actual commands to enter, I won't replicate them here. What I will do is share the outline of my plan.

0. Collect tools.

NillaZilla's distro of replace_initrd (http://www.dealdatabase.com/forum/showthread.php?t=53272)
SATA enabled, tivo aware linux boot disk. I like mfslive.org
a PC with a SATA interface and FAT32 formated hard drive or USB flash drive.


1. Connect the TiVo drive to my PC and boot with mfslive.org disk
'mount' a FAT32 drive so I can copy files to it
2. Use bootpage to figure out which the partition the active kernel is in.
3. Use DD to copy the kernel to a new file on the FAT32 drive. DO NOT RELY ON REPLACE_INITRD TO PROPERLY BACKUP THE KERNEL
4. Use busybox.replace_initrd to patch the kernel.
5. Copy tivoftpd, AlphaWolf's Tools to the tivo drive. (Get tivoftpd by expanding AlphaWolf's tools on the Fat32 drive. I find that AlphaWolf's tools need to be installed on a running tivo, so just copy the tar file to the tivo drive and wait until you are logged into the tivo via telnet to expand it.
6. Create an rc.sysinit.author file on the tivo drive to start telnet and ftp at bootup. Chmod +755 rc.sysinit.author so it can be run.

Sample rc.sysinit.author file
# Add /tivo-bin to path
export PATH=$PATH:/tivo-bin

# Start telnet
tnlited 23 /bin/bash -login &

# Disable firewall
iptables -F

#start FTP
/tivo-bin/tivoftpd

That's it. If everything works out right the boot is successful and I can then telnet in. Because there is no ls yet available, I blindly navigate to /tivo-bin and use cpio to install Alpha Wolfs tools.

Here's another alternative to using the stock kernel with the initrd replaced: link (http://www.dealdatabase.com/forum/showthread.php?p=279214#post279214).

I get outgoing netperf speeds of about 75mbps with the stock kernel and the builtin ethernet, 90mbps with the custom kernel and still the builtin ethernet, and ~150mbps with the custom kernel and the backport drivers with jumbo frames and a AGIGAUSB gige dongle. Incoming numbers are lower, but show similar improvement.

There is a simple solution to working with an S3 SATA drive using the popular PTVUpgrade boot CD without requiring SATA support. Get yourself one of these (http://www.newegg.com/product/product.asp?item=N82E16812206001) SATA to IDE adapters and your S3 drive will be treated just like any other IDE drive. It's the only SATA to IDE adapter I've found that doesn't plug directly into the IDE connector on the mainboard, thereby limiting you to either a single drive or two SATA drives only. You can use your existing IDE cable and have a 2nd IDE device attached along with the SATA drive and adapter.

I agree with buechel's assessment that figuring out how to use the replace_initrd script is a bit cryptic but it's not difficult once you learn the ropes. I found out the hard way that the mfslive boot CD doesn't work for this process (thanks to Jamie for helping me with this), hence the SATA to IDE adapter. I performed the replace_initrd function in my PC after copying the kernel to my FAT32 drive. Using NillaZilla's replace_initrd.x86 script and the included null-linuxrc.img.gz file, I used the following command:

/mnt/dos/replace_initrd.x86 /mnt/dos/vmlinux.px /mnt/dos/null-linuxrc.img.gz /mnt/dos/original_kernel.bak

where vmlinux.px is the copy of the extracted kernel from the S3 drive and original_kernel.bak is a backup copy of the unpatched kernel (this is created as an output to the above process and is not something you need to create ahead of time). You could probably eliminate the extraneous path information by navigating to the root partition of the mounted FAT32 partition but this worked for me as is. Note that the null-linuxrc.img.gz file is not extracted and must be used in compressed form. Copy the patched kernel back over to the S3 drive using the dd command and you should be good to go. I added Alphawolf's binaries and an rc.sysnit.author file to the active partition while I had the drive in my PC so I would be able to use the network connection right away, assuming everything worked correctly (which, fortunately, it did).

TivoWebPlus 2.0 (http://thomson.tivo.googlepages.com/tivowebplus) seems to work well on the S3. However, looks like the Tivo OEM software is already using port 80. To get TWP working, go to the config directory below where you installed TivoWebPlus e.g. .../TivoWebPlus/config and edit the tivoweb.cfg file. Change the value on the “Port” line from 80 to something else, like 8080. Then restart tivoweb. When you open your browser use the 8080 as the new port for the Tivo. e.g. http://myTivoIP:8080

Ok, dumb question alert.

I've been away from Tivo since 2k4. I just picked up an S3 and like it (duh).

My questions on hacks for the S3 are:
Do font hacks that affect the Now Playing list work?
Do hacks for changing the show names work?

The reason I ask is I remember on my old Tivo changing the font to display more of the show name and information on single screen. That was one of my favorite hacks.
Another hack I really loved was being able to rename shows using any string I wanted and the original air date. It made recording and watching mutliple seasons of a show easy as can be.

Just trying to guage my expectations and determine if I should prom hack now or wait and either of those 2 items would make it a definite now.

Thanks.

Ok, dumb question alert.

I've been away from Tivo since 2k4. I just picked up an S3 and like it (duh).

My questions on hacks for the S3 are:
Do font hacks that affect the Now Playing list work?
Do hacks for changing the show names work?

The reason I ask is I remember on my old Tivo changing the font to display more of the show name and information on single screen. That was one of my favorite hacks.
Another hack I really loved was being able to rename shows using any string I wanted and the original air date. It made recording and watching mutliple seasons of a show easy as can be.

Just trying to guage my expectations and determine if I should prom hack now or wait and either of those 2 items would make it a definite now.

Thanks.

Although I'm not sure about any font hacks, I've never had a problem with running out of room for viewing information on the screen.

As far as renaming shows goes, that has been fairly darn simple with the use of TivoWebPlus. In fact, just the other day I recorded all 6 Star Wars movies off of HBOHD and was able to use TWP to rename them, mark them as episodes, give them episode numbers, and group them all together into one folder. Quite slick if you ask me...

I don't think you'll be disappointed with the extra capabilities once you hack your PROM.

i am wondering if i hack the s3, can i clone the sn of my other s3? i know this was possible with the directivo unit.

i am wondering if i hack the s3, can i clone the sn of my other s3? i know this was possible with the directivo unit.Why would you want to do that? This (http://dealdatabase.com/forum/showpost.php?p=129486&postcount=44) post is relevant.

the reason, i was hoping to use my 2nd s3 for mrv without activating it. i think it is bs that i cant use mrv if both units are not subbed. i would like to be able to watch in my bedroom what is recorded on my subbed s3.

Ugh, for the millionth time... no, it can't be done.

Can you tell me about the TWP interface on the TivoHD/Series3? I want to initiate copies (TTGB) from the pc to the tivo without having to be in front of my tivo or having to make my wife stop watching while I do it.

With MFS_FTP, on Series 1's, I could just use an ftp client to move them around. If TWP includes the TivoDesktop-served shows in the Now Playing list, then I can select them and start transfers without ever touching the remote control.

To modify the kernel, you need to get the tivo drive in a PC computer running Linux. You'll need a SATA port on your desktop PC and a specialized linux boot disk. As of March 2007, I'm finding the best ISO for this purpose is at mfslive.org However Mr Black's replace_initrd is not compatible with the version of DD on the mfslive boot disk. I haven't looked into why this is yet. You will need another linux environment to actually edit the kernel in.


Is this still the case or does the 1.3b version of MFSLive.iso use a compatible version od dd/replace_initrd?

Is this still the case or does the 1.3b version of MFSLive.iso use a compatible version od dd/replace_initrd?

buechel fixed replace_initrd to work with the busybox version of dd, and NillaZilla posted it here (http://dealdatabase.com/forum/showthread.php?t=53272). I used it this afternoon and it worked fine.

buechel fixed replace_initrd to work with the busybox version of dd, and NillaZilla posted it here (http://dealdatabase.com/forum/showthread.php?t=53272). I used it this afternoon and it worked fine.

Okay, so all I need to do is put that on a drive that will be accessible when I'm booted from the mfslive cd. I'm going to assume that's any internal drive...

thanks.

replace_initrd and the null-linuxrc.img.gz file. I usually use a usb stick.

Hopefully this will help someone else ... hacked drives wouldnt boot took me a long time pulling drive doing hack one step at a time... reinstalling drive reboot.. repeat.

to determine that my bootpage was the culprit and the serial port on the series 3 tivos is on PORT 1 not PORT 2 so the following bootpage that myself and probably many other past series 2 or tivo hackers are familiar with will Not boot at all

root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false

make sure you set it to

root=/dev/hda7 dsscon=true console=1,115200 upgradesoftware=false

instead..

not I just need to get the damn cable company to get the pay channels working again on my cable cards..

Hopefully this will help someone else ... hacked drives wouldnt boot took me a long time pulling drive doing hack one step at a time... reinstalling drive reboot.. repeat.

to determine that my bootpage was the culprit and the serial port on the series 3 tivos is on PORT 1 not PORT 2 so the following bootpage that myself and probably many other past series 2 or tivo hackers are familiar with will Not boot at all

root=/dev/hda7 dsscon=true console=2,115200 upgradesoftware=false

make sure you set it to

root=/dev/hda7 dsscon=true console=1,115200 upgradesoftware=false

instead..

not I just need to get the damn cable company to get the pay channels working again on my cable cards..
NillaZilla's thread on building a console cable covers the bootpage port issue here:

http://www.dealdatabase.com/forum/showthread.php?t=53169

thanks i read that and that is how i found this out.. but thought it should be in this thread as it didn't specifically mention that the box wont even book if you have the wrong port in your bootparms..

also as a side note other people here have gotten comcast working with cable cards and pay channels on a hacked box correct?

just making sure it is only a coincidence that when I got the larger hacked drives in my 2 boxes no pay channels are working on the cablecards and not something to do with the hacking the kernel.. (other channels work fine) just not hbo/showtime/hbohd etc.

thanks in advance

re: this message in the logs.. makes me wonder if it knows we turned off encryption and hacked the kernel and that is why they are not working:


May 19 21:43:05 (none) Stats: 2008.04.02-1024 9.3a-01-2
May 19 21:43:05 (none) Stats: PROM version: TiVo/mips/Gen05C/rel version 3.16
May 19 21:43:05 (none) Stats: !! Computed SHA1 doesn't match stored SHA1 !! Computed SHA1: 0x25D6EF0AB77F0767BF8C43B52BFC1CDAC2372F92 Stored SHA1: 0x66DFBB8FD26C1F808EE364A1830B38E18AFA6AD3 File length: 87144 Stored length: 87144 Build type: TiVo/mips/Gen05C/rel Marked version: 3.16

also as a side note other people here have gotten comcast working with cable cards and pay channels on a hacked box correct?I have comcast with premium channels working with an S3 and cable cards. Took months to get comcast to provision the cable cards properly, and there are a still HD channels I should be getting but don't (The HD SciFi, for example).

I personally prefer to cleanup the startup scripts to suppress messages that reveal the presence of a hacked PROM.

do you have the modified startup scripts that you hacked.. thanks that would save me time because I know it uploads many of these logs to tivo..

also you don't have any contacts at comcast ie phone number that can be used as reference do you.. don't know if i am that patient damn

do you have the modified startup scripts that you hacked.. thanks that would save me time because I know it uploads many of these logs to tivo..Look at the LogSystemStats.sh script in the StageE startup directory.also you don't have any contacts at comcast ie phone number that can be used as reference do you.. don't know if i am that patient damnYou'll need to deal with your local folks for provisioning the cable head-end, as far as I know.

I've got my hacked S3 working fine with FIOS and two cablecards.

thanks yes mine is working too.. the issue I was asking about was specifically premium encrypted channels.. as i can watch other stuff no problem.. just thought it maybe was too much of a coincidence that it stopped working when I put the hacked drives in.. more likely it appears to be that they were not hooked up for 2-3 weeks and comcast changed something in my acct..

just wanted to make sure b4 I lambast them.

All channels work for me. The only premium I have is HBO but I can record it and extract shows with no problem.

got both boxes working hacked with all pay channels.. thanks.. if i can help anyone else let me know..

also has anyone tried having a cable box in addition to the tivo and paid for a ppv etc. on the cable box and then tried to record the show on the tivo????

thanks omikron for doing prom mod..

think the problem actually was that omikron must have removed cable cards when doing mod and put them back in the wrong boxes so it wasn't really comcasts fault.. (obviously i didn't tell them that)

one card was dead anyway error 162 so they still needed to come out.

ok isolated the issue

encryption is off
pulling off shows with mfs ftp works fine...
pulling off with tytools works fine
converting to mpg with tytompg and putting back on with pytivo and they work fine

putting any .tmf or .ty back on (even those just pulled off and which convert to .mpg and then work fine) with
mfs_ftp doesn't work.. i get 600 or so seconds time and they only play a blank screen and go immediately to done..

is there a special fix for insertion using mfs_ftp on series 3 that I missed somewhere thanks..


this is the log inserting looks .like the number of bytes is wrong so it doesnt inser tthe object.
it really only sent about 512 meg.. in my little test file..

04:00:21:AM - 220 Mfs_Ftp ver 1.2.9p - {sock34} from "64.222.190.107:1677"
04:00:22:AM - 331 User name okay, need password.
04:00:23:AM - 230 Running in TiVo Mode.
04:00:24:AM - 200 Type set to I
04:00:25:AM - 250 Directory change successful.
04:00:31:AM - 200 PORT command successful.
04:00:31:AM - 150 Opening BINARY mode data connection for "{{Deadliest Catch}{2008-05-13}{Racing the Clock}{01.00 AM Tue May 02, 2006}{DSCHD}.tmf}"


inserted 1073 meg at 1605k/sec
04:05:47:AM - 226 File transfer complete
04:05:47:AM - mismatch, not setting csos
04:05:48:AM - updating cached recording info
.......

had replaced mfs_ftp with new version with patches but old files extracted with the old version would not insert correctly
(even though they converted to .mpg fine) had to re extract ... I think it had to do with the missing drm stuff in the .xml

anyway now it kinda workds but cannot play shows as they are reinserting while you used to be able to when using the older mfs_ftp on series 2.. Is this because we are not inserting till the end ??? whereas we use to do an insert after every part??????? If so can It be fixed.. it is a pain and unuseable to wait for an insert of a 8 gb show 2 hours b4 you can play it..

2nd I tried mucking with the Copy protection info object

I cleared it out on a movie recorded on hbohd

ie

#!/tvbin/tivosh

EnableTransactionHoldoff true
set fsid [lindex $argv 0]
set db [dbopen]

puts "ClearCopyP.tcl by lgkahn"
puts "Clearing the CopyProtectionInfo on a Recording"
puts "ths fsid is $fsid"

if { $fsid == "" } {
puts "Syntax: ClearCopyP.tcl fsid!"
dbclose $db
exit 0
}

itrans start
set rec [db $db openidconstruction $fsid]
set parts [dbobj $rec get Part]
set overalldrm [dbobj $rec get Drm]
set copyp [dbobj $overalldrm get CopyProtectionInfo]

puts "clearing copy protection bits on overall drm ... it was $copyp"
dbobj $overalldrm remove CopyProtectionInfo
itrans commit

puts ""
dbclose $db


it did not like that at all and had a flashing red flag by the show when i went back and wouldn't play any longer.. bummer
there must be a way to remove this so that it can be pulled off with mrv or tivotogo???
I will keep looking.. any suggestions would be appreciated.

Is this any place you can pay to have this mod done for you - for those of us that aren't so good with a soldering iron?

thanks!

Better hurry. (http://dealdatabase.com/forum/showthread.php?t=53722)

Is there a simple way to find out which drive on the PC is the TiVo drive? I'm doing a little bit of automation, and the last manual bit left over is inputting the drive spec. It would be great if the script could find the TiVo drive itself, so there's no likelihood of a mistake. I'm running Debian "Etch" Linux on an AMD Athlon 64 x 2. Right now I've got the drive in as a run-time constant (sdb), but the drive mapping could easily change in between the times TiVo pushes an update.

Edit: Come to think of it, there is one other manual constant, and that is the software version. If there is an easy way to figure out the software version, I could automate that, as well.

If anyone is interested, here is the script so far. For any neophytes, it rather demonstrates the basic requirements for hacking a prom-modded Series III class TiVo. Forgive the very pedestrian approach to scripting.

#!/bin/bash

dspec=/dev/sdb
sver=9.4

echo Getting the hacking parameters for tivoapp
echo
echo Enter the offset value \(not VMA\) in decimal
read offset
echo
echo Enter the new word value in hex
read newword

# Pad with leading zeroes if required
newword="00000000"$newword
newword=${newword: -8:8}

# Verify everyting is as should be, exit if not
echo "Offset (decimal): "$offset
echo "New Value (hex) : "$newword
echo
echo Is this correct?
select confirm in Yes No;
do
if [ $confirm == "Yes" ];
then
break
elif [ $confirm == "No" ];
then
exit
fi;
done

# Convert the string into a 4 byte number expression
escape="\x"
H1=${newword:0:2}
H2=${newword:2:2}
H3=${newword:4:2}
H4=${newword:6:2}
newword=$escape$H1$escape$H2$escape$H3$escape$H4

# Get the active kernel partition using bootpage
kerndrv=$dspec`/hack/bootpage -b $dspec`

# Get the active root partition using bootpage and adjust the name
root=`/hack/bootpage -p $dspec`
rootdrv=$dspec${root##*hda}

dstring=`date +%m-%d-%y`
vardrv="$dspec"9

# Scan the TiVo partitions
/hack/tivopart r $dspec

# If tivopart worked, display the active partitions and pause for 5 seconds.
# Otherwise, quit
if [ $? -eq 0 ];
then
echo Boot = $kerndrv
echo Root = $rootdrv
echo
tvar=5
until [ $tvar -lt 1 ];
do
echo -ne " "$tvar "\r"
sleep 1
tvar=$[ $tvar - 1 ];
done
else
exit;
fi
echo " "

# Check for the existence of partition #9 (/var)
if test ! -e $vardrv;
then
echo Valid TiVo Drive not found. Exiting.
exit;
fi
echo Writing new Kernel...
/hack/replace_initrd.x86 $kerndrv /hack/null-linuxrc.img.gz /hack/Saved_Kernels/"$sver"_Kernel:$dstring
echo
echo Mounting Drives...
mount $rootdrv /tivo
mount $vardrv /tivo/var
echo
echo Replacing IP Tables Function
cd /tivo/sbin
cp iptables iptables.sav.$dstring
echo
tvar=5
until [ $tvar -lt 1 ];
do
echo -ne " "$tvar "\r"
sleep 1
tvar=$[ $tvar - 1 ];
done

echo Copying Files...
sleep 2
cd /tivo
tar -xvf /hack/tivohacks.tar
echo
echo Writing new tivoapp
cd /tivo/tvbin
cp tivoapp tivoapp.sav.$dstring
echo -ne "$newword" | dd conv=notrunc of=tivoapp bs=1 seek=$offset
echo
echo Done!

This of course assumes bootpage, tivopart, replace_initrd.x86 and its little null-linuxrc.img.gz null initrd are all in /hack on the PC. It also requires a tarball (tivohacks.tar) of all the files to be placed on the TiVo. I include the mfs utilities, TiVoWebPlus, busybox, /etc/profile, and /etc/rc.d/rc.sysinit.author as well as the iptables hack in the tarball.

buechel, thanks for the guide man! I successfully hacked my TivoHD, got everything working.... and then upgraded to 9.4!! ARGH!

Time to pull my drive again... :(

But thanks none-the-less!

My TiVo HD finally got the 9.4 upgrade last night, so I loaded the drive on the Linux workstation and used the little script above to hack the drive. There was a little bug (fixed in the script above) which caused the iptables file to be overwritten rather than saving a backup of the file. Other than that, it seems to be working just fine.

It only took about 7 minutues start to finish to upgrade the drive, and that includes the time to move the drive back and forth and to boot up the host PC. (Gawd, I love Linux!!) Moving the primary drive into an external Antec MX-1 housing and implementing the script have really made the upgrade process easy, yet still readily accessible to the user at the lowest levels. I don't even have to open up either the TiVo or the host PC.