Master PROM Patch Locations


Omikron
08-11-2007, 03:07 AM
So, I've been reorganizing all of my TiVo hacking notes lately and I wrote up a small text file dedicated to the locations of the patches for different PROM versions. Up until now, everything in this document was already documented on here in various threads so I never saw a need to post it. Since I ported the PROM patches to the TiVoHD tonight, I figured it might be a good occasion to post it. I can't take credit for any of the actual content, since even the TiVo HD patches I ported were a derivative work of older patches, but hopefully people will like the organization. I'll try to keep this up to date as needed. Enjoy!

-----------------
Gen04 (Series2.5)
-----------------

v2.25 //Unpatched MD5 is c4c7eb11170777e8893e00c1d60a8715

0x958C: 14 83 00 04 -> 14 84 00 04 //Disable PROM SHA-160
0xA4C0: 10 43 00 0A -> 10 42 00 0A //Disable Kernel Check


v2.27.1 //Unpatched MD5 is 39708224a08491441a20bd41397c56c6

0x69A8: 14 83 00 04 -> 14 84 00 04 //Disable PROM SHA-160
0x78DC: 10 43 00 0A -> 10 42 00 0A //Disable Kernel Check


v2.28 //Unpatched MD5 is 8d78f4d6dafd5073412123710c673896

0x6A60: 14 83 00 04 -> 14 84 00 04 //Disable PROM SHA-160
0x7994: 10 43 00 0A -> 10 42 00 0A //Disable Kernel Check


v2.28.1 //Unpatched MD5 is 832470766286885cd3a72fccfc9ecaaa OR 825c84c86a6b95b9a0addb61b44fa971

0x6A70: 14 83 00 04 -> 14 84 00 04 //Disable PROM SHA-160
0x79A4: 10 43 00 0A -> 10 42 00 0A //Disable Kernel Check


-----------------
TGC01 (Series2DT)
-----------------

v1.06.3 //Unpatched MD5 is 06e9b92912025f45d1fb11ad0fc25950

0x8050: 04 40 00 12 -> 00 00 00 00 //Original Offset
0x2688: 10 43 00 0A -> 10 00 00 0A //Offset From gzip Image at 0xC91C


----------------
Gen05 (Series3)
----------------

v3.16 //Unpatched MD5 is 169a120ce24aa6ccb8e1fa6c0d717603

0x6D4C: 04 40 00 12 -> 00 00 00 00 //Original Offset
0x31B8: 10 43 00 0A -> 10 00 00 0A //Offset From gzip Image at 0xB5C8


----------------
Gen06 (TiVo HD)
----------------

v1.04.C1 //Unpatched MD5 is fa5a5d638d3a65d0dcbd39619d55763c

0x3E18: 04 40 00 12 -> 00 00 00 00 //Original Offset
0x2C98: 10 43 00 0A -> 10 00 00 0A //Offset From gzip Image at 0x8684

v1.05.C1 //Unpatched MD5 is 9f9a48da7fcc1b151336e7e6d6b2768c

0x3DD8: 04 40 00 12 -> 00 00 00 00 //Original Offset
0x2C98: 10 43 00 0A -> 10 00 00 0A //Offset From gzip Image at 0x8644



------------------
Points of Interest
------------------

gzip Signature: 1F 8B 08

Omikron
08-11-2007, 03:23 AM
As a side note, all of the MD5s except for v2.25 are based on images that I personally read off of original PROM chips. If your MD5 doesn't match, there's something funny going on.

Omikron
11-05-2007, 11:15 AM
There's some new TiVo HD PROM code on the block. I just today got a box from TiVo that had 1.05 on the chip. I'm not sure what the difference is, but once I verify patch locations I'll post them up along with MD5 sums.

Omikron
11-10-2007, 02:01 AM
Added:

v1.05.C1 //Unpatched MD5 is 9f9a48da7fcc1b151336e7e6d6b2768c

0x3DD8: 04 40 00 12 -> 00 00 00 00 //Original Offset
0x2C98: 10 43 00 0A -> 10 00 00 0A //Offset From gzip Image at 0x8644

As a side note, I should say that I did a binary compare and could not find any real differences between the two PROM revisions other than a few bytes in the very beginning of the image. If anyone here is more experienced at analyzing PROM code, feel free to drop me a line if you'd like to do the comparison yourself.

Omikron
11-30-2007, 09:40 PM
Today I worked on a TiVo that came with PROM v2.25. Since the previous image I had was one found on the boards, I read the flash with the programmer and found that the MD5s were identical. As such, I've removed the "Unverified" status from that MD5.

I also ran into an interesting issue with a v2.28.1 PROM. All of the previous versions that I had looked at before had an MD5 of 832470766286885cd3a72fccfc9ecaaa, but this latest one had an MD5 of 825c84c86a6b95b9a0addb61b44fa971. After a binary compare, I found that the only difference was what appeared to be garbage data at the end of the file. I'm chalking this one up to a weird programming glitch at the factory, but I'll leave the MD5 up for others just in case.
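A read-only audit of a v2.28.1 dump, added here as an example and not code from this thread: it checks the MD5 against the two hashes listed above and, when the hash does not match, reads the two check sites to tell an image with modified boot checks apart from one that only differs elsewhere (as with the trailing data described in the last post). The offsets, byte values and hashes are copied from the v2.28.1 entry; the function names, verdict strings and the zero-filled sample image are assumptions made for the example.

```python
import hashlib

# Hashes and offsets copied from the v2.28.1 entry in the table above.
KNOWN_MD5 = {
    "832470766286885cd3a72fccfc9ecaaa",
    "825c84c86a6b95b9a0addb61b44fa971",
}
# offset -> (original bytes, patched bytes, label from the table)
CHECK_SITES = {
    0x6A70: (bytes.fromhex("14830004"), bytes.fromhex("14840004"), "PROM SHA-160"),
    0x79A4: (bytes.fromhex("1043000A"), bytes.fromhex("1042000A"), "Kernel Check"),
}

def audit_image(image: bytes) -> dict:
    """Report the hash match and the state of each boot-check site."""
    report = {"md5": hashlib.md5(image).hexdigest(), "sites": {}}
    report["md5_known"] = report["md5"] in KNOWN_MD5
    for offset, (orig, patched, label) in CHECK_SITES.items():
        found = image[offset:offset + len(orig)]
        if found == orig:
            state = "original"
        elif found == patched:
            state = "patched"
        else:
            state = "unexpected"  # wrong version, short read or corruption
        report["sites"][label] = state
    states = set(report["sites"].values())
    if report["md5_known"]:
        report["verdict"] = "pristine"
    elif states == {"original"}:
        # Checks intact but bytes differ elsewhere, e.g. trailing data.
        report["verdict"] = "checks intact, differs elsewhere"
    elif "patched" in states:
        report["verdict"] = "boot checks modified"
    else:
        report["verdict"] = "unrecognized image"
    return report

def make_sample(patched_sites=()) -> bytes:
    """Constructed stand-in for a dump (zero-filled, not real PROM contents)."""
    buf = bytearray(0x8000)
    for offset, (orig, patched, _) in CHECK_SITES.items():
        buf[offset:offset + 4] = patched if offset in patched_sites else orig
    return bytes(buf)

if __name__ == "__main__":
    for sample in (make_sample(), make_sample({0x79A4}), bytes(0x100)):
        result = audit_image(sample)
        print(result["verdict"], result["sites"])
```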