11.0c sitting in MFS



swinokur
04-17-2009, 01:38 PM
woke up this morning and took a peek at the tivo...

11.0c-01-2-648 tyDb 1471525 04/16/09 20:22 884

has anyone else seen this on their tivo yet?

let me know if you need a copy of the tivoapp to look for patches...

jt1134
04-17-2009, 04:20 PM
0x005d3a14 - NoCSO
untested as I'm at work.

kernel hasn't changed at all. be nice if they'd release source.

lgkahn
04-17-2009, 09:24 PM
I have it on all 3 of my original Series 3 TiVos. I need NoCSO, CCI, backdoors, 30 sec skip
and finally a new buffhack patch before I am ready to go. Anyone... anyone also know what the changes are that this version brings us?

lrhorer
04-17-2009, 10:01 PM
Yeah, my THD is ready to restart, presumably to upgrade to 11.0c, but I don't want to lose any recordings. Does anyone have the NoCSO hack for the THD?

ScanMan
04-18-2009, 12:22 AM
bash-2.02# chksw
Directory of /SwSystem starting at ''

Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
11.0b-01-2-652 tyDb 1012347 04/18/09 03:04 884
11.0c-01-2-652 tyDb 1156309 04/18/09 03:04 908
ACTIVE tyDb 1156309 04/18/09 03:04 908

bash-2.02# drmcheck.tcl | more
DRMCheck.tcl, based on CipherCheck.tcl by AlphaWolf_HK

TyStream encryption is currently disabled.

jt1134's NoCSO patch above is verified on the TivoHD (nice work!)

No problems with upgrade using Jamie's "Gen06-netopt-ext3" kernel.

lrhorer
04-18-2009, 12:32 AM
jt1134's NoCSO patch above is verified on the TivoHD (nice work!)
I don't have a hex editor set up for my system, yet, to search for the string, so to what does this translate for the offset and new byte value in order to use dd?

ScanMan
04-18-2009, 01:07 AM
I don't have a hex editor set up for my system, yet, to search for the string, so to what does this translate for the offset and new byte value in order to use dd?

NoCSO for 11.0c
echo -ne "\x10\x00\x00\xaa" | dd conv=notrunc of=tivoapp bs=1 seek=1915412

lgkahn
04-18-2009, 12:14 PM
is this for 11.0c 652 or 648 thanks

daily reboots started till i get them upgraded

ScanMan
04-18-2009, 02:35 PM
Backdoors for 11.0c

Tested and confirmed on TivoHD!

VMA/Hex Old Value New Value

0x0773b38/0x0373b38 00008021 24100001
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3619640
Cool way to check your seek:
bash-2.02# dd if=/tvbin/tivoapp bs=1 count=4 skip=3619640 | hexdump
4+0 records in
4+0 records out
0000000 2410 0001
0000004
bash-2.02#
Obviously, this is after patching...

lrhorer
04-18-2009, 03:35 PM
Woah, wait! Huh??

I'm very confused. I thought the word value of 0x100000AA and the offset of 1915412 was for the THD, so I hacked the tivoapp on my THD with those values and it seems to be working. Now, however, you are saying the THD should require a new word value of 0x24100001 at location 3619640. How is it my THD is working at all, let alone having CSO apparently properly disabled, if I patched the wrong location with the wrong value?

ScanMan
04-18-2009, 04:51 PM
The first seek value was for nocso the second patch was to enable backdoors.

lrhorer
04-18-2009, 06:05 PM
Oh, Duh!! I didn't spot the bold text at the top of the message.

On a related note, is there a link to a reference which describes for what you guys look when figuring out what location to replace? I would like to be able to do this myself, in case I need to but the resources on this site are not available.

jt1134
04-18-2009, 10:38 PM
On a related note, is there a link to a reference which describes for what you guys look when figuring out what location to replace?

porting a patch to a new sw version is pretty simple. i usually just run the new tivoapp thru the tmesis disassembly script and match old code to the new. in the case of minor sw revisions, there usually is not much difference. if you look for the nocso address in the 11.0b tivoapp (0x005d3a1c), the code around it looks like :


0x005d3a10 jal 0x005cdf1c
0x005d3a14 sw a3,52(sp)
0x005d3a18 lbu v0,36(s1)
0x005d3a1c beqz v0,0x005d3cc8
0x005d3a20 addiu a0,sp,40
0x005d3a24 jal 0x0055cb90
0x005d3a28 nop

that's pretty much meaningless in such a huge disassembly, but there are helpful strings down below that such as : "Can't add clip, recording in state %d" and "DiskManager". so, find those strings in the new disassembly, then scroll up and start matching up code and you'll find :


0x005d3a08 jal 0x005cdcc0
0x005d3a0c sw a3,52(sp)
0x005d3a10 lbu v0,36(s1)
0x005d3a14 beqz v0,0x005d3cc0
0x005d3a18 addiu a0,sp,40
0x005d3a1c jal 0x0055bf58
0x005d3a20 nop

looks familiar, no? of course the branch and jump locations will likely be different, but that's to be expected. of course, you could go an even cheesier route and just match up the target code using a hex editor (it works :P), but I feel much safer looking thru the disassembly.

subtract 0x400000 from the address you find and then convert it to decimal to get your 'seek' value.

ScanMan
04-19-2009, 09:09 AM
Here are the common patches for 11.0c

array set patch_11.0c {
0x005d3a14 "104000aa 100000aa"
0x00773b38 "00008021 24100001"
0x00b92be4 "14400026 10400026"
0x00656e40 "30b000ff 00008021"
0x00656e64 "00e08821 24110000"
0x0117e020 "30b000ff 00008021"
}

array set desc_11.0c {
0x005d3a14 "noencrypt"
0x00773b38 "backdoors"
0x00b92be4 "30secskip"
0x00656e40 "cci1"
0x00656e64 "cci2"
0x0117e020 "cci3"
}
As jt1134 said above, remember to subtract 0x400000 from the VMA address and then convert it to decimal to get your 'seek' value if you use the 'dd' method.

The "tvapppatches-11.0c.tcl" was posted here. (http://www.dealdatabase.com/forum/showthread.php?p=302666#post302666)

lgkahn
04-19-2009, 11:53 AM
thanks scan man here are the converted patches to dd format



11.0c
disable enc
backdoors
30 sec skip
cc1
cc2
and cc3

echo -ne "\x10\x00\x00\xaa" | dd conv=notrunc of=tivoapp bs=1 seek=1915412
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3619640
echo -ne "\x10\x40\x00\x26" | dd conv=notrunc of=tivoapp bs=1 seek=7941092
echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=2453056
echo -ne "\x24\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2453092
echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=14147616

falcontx
04-20-2009, 01:57 AM
Thanks guys. You saved me some time. ;)

T_RJ
04-21-2009, 01:26 AM
Here is the patch for 11.0c bufferhack.

set sys(11.0c) [list 0x115d82 0x115a4e 0x6c 0x1bd672 32207760 325F14DAA33CC105AD841D8F73E3E67B7A85EDBF]

I've also included a patched bufferhack.


OOPS I had not noticed jt1134 had already posted this.

phdeez
06-06-2009, 01:56 AM
thanks scan man here are the converted patches to dd format



11.0c
disable enc
backdoors
30 sec skip
cc1
cc2
and cc3

echo -ne "\x10\x00\x00\xaa" | dd conv=notrunc of=tivoapp bs=1 seek=1915412
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3619640
echo -ne "\x10\x40\x00\x26" | dd conv=notrunc of=tivoapp bs=1 seek=7941092
echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=2453056
echo -ne "\x24\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2453092
echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=14147616

Thank you all for the new tivoapp patch locations, and thank you lgkahn for this (http://www.dealdatabase.com/forum/showpost.php?p=300109&postcount=17) guide... another flawless update!

I love not having to pull my drive (out of my tivo out of my entertainment center) in the comfort of my couch on my laptop.

Now, on to the bufferhack!

toyuniverses
06-09-2009, 05:58 AM
Backdoors for 11.0c
Cool way to check your seek:
bash-2.02# dd if=/tvbin/tivoapp bs=1 count=4 skip=3619640 | hexdump
4+0 records in
4+0 records out
0000000 2410 0001
0000004
bash-2.02#
Obviously, this is after patching...

Good idea, but probably better to pipe through "hd" (which is the same as "hexdump -C") since this gives separate bytes as output. On my Linux system the two-byte words have lo and hi bytes swapped, which is confusing.
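Pulling together jt1134's offset rule (subtract 0x400000 from the VMA, then convert to decimal), ScanMan's 11.0c patch table, the "check your seek" read-back and toyuniverses' byte-order note, here is an added dry-run checker. It is example code written for this thread, not code from the thread or from the linked tvapppatches-11.0c.tcl script. It works on a constructed, zero-filled stand-in image rather than a real tivoapp, assumes the words are MIPS big-endian (the byte order the echo|dd lines write) and that plain hexdump prints 16-bit units in host byte order, and it refuses to overwrite a word unless the bytes at the offset are exactly the table's old value, which is the check that keeps a 648-build or wrong-offset mistake from corrupting the binary:

```python
import struct

LOAD_BASE = 0x400000  # subtract this from a VMA to get the file offset, as the thread says

# Patch table from ScanMan's post above: VMA -> (old word, new word, name).
# Words are MIPS big-endian, i.e. the bytes appear in the file in this order.
PATCHES_11_0C = {
    0x005d3a14: ("104000aa", "100000aa", "noencrypt"),
    0x00773b38: ("00008021", "24100001", "backdoors"),
    0x00b92be4: ("14400026", "10400026", "30secskip"),
    0x00656e40: ("30b000ff", "00008021", "cci1"),
    0x00656e64: ("00e08821", "24110000", "cci2"),
    0x0117e020: ("30b000ff", "00008021", "cci3"),
}


def vma_to_seek(vma):
    """Decimal file offset for dd's seek=/skip= (VMA minus the 0x400000 load base)."""
    return vma - LOAD_BASE


def dd_command(vma, new_word):
    """The echo|dd line for one patch, in the form lgkahn posted."""
    escaped = "".join(f"\\x{b:02x}" for b in bytes.fromhex(new_word))
    return f'echo -ne "{escaped}" | dd conv=notrunc of=tivoapp bs=1 seek={vma_to_seek(vma)}'


def patch_state(image, vma, old_word, new_word):
    """Read back the 4 bytes at the offset ("check your seek") and classify them."""
    off = vma_to_seek(vma)
    current = bytes(image[off:off + 4])
    if current == bytes.fromhex(old_word):
        return "unpatched"
    if current == bytes.fromhex(new_word):
        return "patched"
    return "mismatch"  # wrong build or wrong offset: do not write here


def apply_patch(image, vma, old_word, new_word):
    """Overwrite the word only when the bytes there are exactly the expected old value."""
    if patch_state(image, vma, old_word, new_word) != "unpatched":
        return False
    off = vma_to_seek(vma)
    image[off:off + 4] = bytes.fromhex(new_word)
    return True


def hexdump_words(data, little_endian_host):
    """Render 4 bytes as two 16-bit units the way hexdump's default format does:
    host byte order, so a little-endian PC shows the bytes swapped while the
    big-endian TiVo shows them in file order. hexdump -C (hd) prints single bytes."""
    fmt = "<HH" if little_endian_host else ">HH"
    return " ".join(f"{w:04x}" for w in struct.unpack(fmt, bytes(data)))


def build_fake_image():
    """Constructed stand-in for tivoapp: zero-filled, with each old word planted
    at its offset. Not a real binary."""
    size = max(vma_to_seek(v) for v in PATCHES_11_0C) + 4
    image = bytearray(size)
    for vma, (old, _new, _name) in PATCHES_11_0C.items():
        off = vma_to_seek(vma)
        image[off:off + 4] = bytes.fromhex(old)
    return image


def dry_run(image=None):
    """Check every table entry against an image and return {name: state}; writes nothing."""
    image = build_fake_image() if image is None else image
    return {name: patch_state(image, vma, old, new)
            for vma, (old, new, name) in PATCHES_11_0C.items()}


if __name__ == "__main__":
    img = build_fake_image()
    for vma, (old, new, name) in PATCHES_11_0C.items():
        print(f"{name:10s} {dd_command(vma, new)}")
        before = patch_state(img, vma, old, new)
        apply_patch(img, vma, old, new)
        print(f"{'':10s} before: {before}  after: {patch_state(img, vma, old, new)}")
    word = bytes.fromhex("24100001")
    print("TiVo hexdump:", hexdump_words(word, little_endian_host=False))
    print("PC hexdump:  ", hexdump_words(word, little_endian_host=True))
```

Run it as-is to see the six seek values it derives match lgkahn's converted lines, and to see why the same four bytes read "2410 0001" on the TiVo but "1024 0100" through plain hexdump on a PC. To use the checks against a real file, read it into a bytearray and pass that to dry_run() before touching anything with dd.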