The Series5 (Tivo Roamio) Development Thread



GaveUp
11-17-2013, 08:29 PM
Figure a new thread will keep from the Premiere information/efforts and the Roamio efforts getting intertwined. Here are some high res pics of the PCB. They're a bit slanted and blurry in a couple of places but it was the best I was able to get with the camera and lens I have.

They were too large to attach, but here are the links:

Top (http://tivo.vidphiles.com/img/roamio-top.jpg)
Bottom (http://tivo.vidphiles.com/img/roamio-bottom.jpg)

eMMC is KLM4G1YE4C-B001. Datasheet (http://www.wpgcloud.com/commonDataSheet.action?name=KLMxGxxE4x-x001(MMC4.41%202ynm%20based%20e_MMC)_1.1.pdf)

prom.eth.eus
11-25-2013, 05:08 AM
Ok, the next step would be to identify all the connectors.

Top left is:
Sata
Power for the Hard Drive
Fan?

2 Bottom edge connectors go to the front panel.

Which leaves J3200 in the middle, as the most interesting.

What does the connector between the wifi daughtercard and the motherboard look like?

Next, we need a boot log either via serial console or reading /var/log/* off of a booted hard drive. And if anyone is pulling out their hard drive, what the partition map looks like would be useful as well.

GaveUp
11-25-2013, 09:35 AM
Ok, the next step would be to identify all the connectors.

Top left is:
Sata
Power for the Hard Drive
Fan?

2 Bottom edge connectors go to the front panel.

Which leaves J3200 in the middle, as the most interesting.

What does the connector between the wifi daughtercard and the motherboard look like?

Next, we need a boot log either via serial console or reading /var/log/* off of a booted hard drive. And if anyone is pulling out their hard drive, what the partition map looks like would be useful as well.

You're right on the top left. Sata, Sata power, and a fan. Two connectors on the bottom left and right wire up to the LEDs. When pulling it apart I don't remember seeing any unpopulated headers, but now I'm actually not sure on J3200 (yeah, should have taken intermediary photos). Dumping the HD is on the list as well. It would be nice to get the contents of a never powered on image and the first boot log as well.

Lastly, it would be nice to get a couple highres photos of the other roamio models. Comparing to the linked photos in the other thread there are quite a few differences (including a labeled uart0).

GaveUp
01-20-2014, 09:45 AM
It looks like the HD ships blank on the Roamios so the OS must be contained on the eMMC. Anyone have the equipment to pop that off so we can trace out CLK/CMD/DAT lines for dumping?

GaveUp
01-26-2014, 04:29 PM
Probably not news to most but J3200 is the serial. Pin 1 is TX, 2 is GND, 3 appears to be RX. You can connect to it with an FTDI cable, MicroFTX or similar. Settings are 115200 8N1. Output on boot is:


Initializing XXXXXXXX (LOCKED)...

TiVo Gen10 release 1.00 (2013-06-17 18:31:53)
Copyright by TiVo Inc. All Rights Reserved.
System temperature: 32C
TSN: XXXXXXXXXXXXXXX BREV: 0xXXXX MAC: 00:00:00:00:00:00
Initializing mmc...
Booting from internal device partition 3...
Loading 6196192 bytes...
Image signed by '... the Porridge bird ...'
Hashing image... done
Checking signature... done.
Valid for release
Kernel entry point is 0x8037c510


Confirms that it is booting off the eMMC and given it's booting off partition 3 it's probably safe to assume it's using a similar partition layout to previous models. The, obvious, next step is getting a dump of the eMMC. I'll also wager J2205 is probably JTAG so that would also be worth investigating.

J3202 is most likely a second serial port, but it doesn't display anything nor accept any input.
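The boot banner above, parsed into the fields worth recording from a serial capture (which device and partition booted, whether the image signature was checked, the kernel entry point). This is an added example, not code from the thread; the regexes are assumptions based only on the lines shown in the post, and the sample text is that post's banner with its masked values.

```python
import re

# Boot banner from the Roamio's J3200 serial port (115200 8N1) as posted
# above; the unit-specific values were already masked with X's in the post.
ROAMIO_BOOT_LOG = """\
Initializing XXXXXXXX (LOCKED)...

TiVo Gen10 release 1.00 (2013-06-17 18:31:53)
Copyright by TiVo Inc. All Rights Reserved.
System temperature: 32C
TSN: XXXXXXXXXXXXXXX BREV: 0xXXXX MAC: 00:00:00:00:00:00
Initializing mmc...
Booting from internal device partition 3...
Loading 6196192 bytes...
Image signed by '... the Porridge bird ...'
Hashing image... done
Checking signature... done.
Valid for release
Kernel entry point is 0x8037c510
"""

# One anchored regex per field; each has exactly one capture group.
# (Assumed from the posted banner, not from any TiVo documentation.)
_FIELDS = {
    "locked":         r"^Initializing \S+ \((LOCKED)\)",
    "release":        r"^TiVo Gen10 release (\S+) ",
    "boot_device":    r"^Initializing (\w+)\.\.\.$",
    "boot_partition": r"^Booting from internal device partition (\d+)",
    "image_bytes":    r"^Loading (\d+) bytes",
    "signer":         r"^Image signed by '(.*)'",
    "sig_checked":    r"^Checking signature\.\.\. (done)",
    "valid_release":  r"^(Valid for release)$",
    "kernel_entry":   r"^Kernel entry point is (0x[0-9a-fA-F]+)",
}

def parse_boot_log(text):
    """Extract the fields above from a captured boot banner."""
    out = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        out[key] = m.group(1) if m else None
    for key in ("boot_partition", "image_bytes"):
        out[key] = int(out[key]) if out[key] else None
    out["locked"] = out["locked"] == "LOCKED"
    out["sig_checked"] = out["sig_checked"] == "done"
    out["valid_release"] = out["valid_release"] is not None
    return out

def boot_chain_verified(info):
    """True only if the loader reported a locked unit, a checked signature
    and a release-valid image before handing off to the kernel."""
    return bool(info["locked"] and info["sig_checked"]
                and info["valid_release"] and info["kernel_entry"])
```

Feed it a capture from a different unit or firmware and any field that is missing comes back as None, so a banner that skips the signature step fails boot_chain_verified rather than silently passing.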

Omikron
01-31-2014, 02:44 AM
It looks like the HD ships blank on the Roamios so the OS must be contained on the eMMC. Anyone have the equipment to pop that off so we can trace out CLK/CMD/DAT lines for dumping?

I have access to IR rework equipment now, so I can pop off the chip.

I'm currently trying to get Xeltek to add support for this chip so I can dump the firmware directly.

Omikron
01-31-2014, 02:46 AM
I should note that I have yet to be able to see a Roamio in person, but if we have a sure-fire way of pulling the data off, perhaps it's worth getting a Roamio to start dumping code...

GaveUp
01-31-2014, 09:27 AM
If we had the lines of the chip it should be possible to dump it with an SD reader as has been done with the consoles that have eMMC chips. I do have a heat gun that could pop the chip off easy enough, but I don't have the equipment or skills to get it back on in working order. Without a throwaway tivo it's not a route I want to go down at this point.

Omikron
01-31-2014, 04:29 PM
If we had the lines of the chip it should be possible to dump it with an SD reader as has been done with the consoles that have eMMC chips. I do have a heat gun that could pop the chip off easy enough, but I don't have the equipment or skills to get it back on in working order. Without a throwaway tivo it's not a route I want to go down at this point.

I'm not worried about getting the chip back on as much as I am about accidentally corrupting the chip with the SD reader method. If that happens, the TiVo is still dead.

GaveUp
01-31-2014, 05:19 PM
I'm not worried about getting the chip back on as much as I am about accidentally corrupting the chip with the SD reader method. If that happens, the TiVo is still dead.

True. On that I'd be curious how the thing behaves with the chip removed. Does it try to boot from somewhere else (hard drive)? JTAG might be an option for poking at the chip too, assuming it's functional. I'd guess it's not.

Omikron
02-03-2014, 11:53 PM
True. On that I'd be curious how the thing behaves with the chip removed. Does it try to boot from somewhere else (hard drive)? JTAG might be an option for poking at the chip too, assuming it's functional. I'd guess it's not.

Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.

I've contacted Xeltek and they are willing to add the programming algorithm for this chip to the SP6000 series, but there's a $200 development fee, plus they need three samples of the chip to test with (we should be able to source these externally), plus the BGA153 adapter, which is about $600.

All in all, it's a fairly expensive proposition but from my experience it's a known-good way of getting a perfect, reliable, read and write. Unfortunately, considering how stymied the S4 development got, it's hard to justify the money since it's likely that we'll be stopped in our tracks even once we get the firmware out. We won't know if we don't try...

Omikron
02-04-2014, 02:46 AM
So after looking through what people are doing on the Xbox One side to dump the NAND via the SD card method, I think it may have merit.

Now to find a Roamio to start attacking with hot pointy things... ;-)

djl
02-04-2014, 07:37 AM
Omikron - if you get to a point where a donation call is in order, don't hesitate. Some of us old-timers still stop by, but we've all been stymied by the Premiere for the past few years.

GaveUp
02-04-2014, 08:55 AM
Omikron - if you get to a point where a donation call is in order, don't hesitate. Some of us old-timers still stop by, but we've all been stymied by the Premiere for the past few years.

At this point I think the most helpful thing would be tracking down more of the datasheets and tracing the pin outs of the main chips. Even the less technically inclined can help in that area.


Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.

I'd guess the same on the JTAG as well. It'd be a pretty big oops if not. The eMMC is different in purpose over the PROM in that it holds the OS as well. Just my thought is there's probably some, presumably disabled, way of telling it to boot off some other media. It'd make sense from the development perspective.

Omikron
02-04-2014, 04:59 PM
Omikron - if you get to a point where a donation call is in order, don't hesitate. Some of us old-timers still stop by, but we've all been stymied by the Premiere for the past few years.

At this point I don't have physical access to a Roamio, so for me that's one of the first things I'd like to get taken care of. At the moment I'm just trying to keep an eye out for Roamio Plus hardware that is discounted enough to justify buying.

Since I don't actually have cable service or TiVo service at the moment (not until I move), I'm not so excited about paying full price for a box I will have no personal use for outside of hacking it. :-)

Omikron
02-04-2014, 05:00 PM
At this point I think the most helpful thing would be tracking down more of the datasheets and tracing the pin outs of the main chips. Even the less technically inclined can help in that area.



I'd guess the same on the JTAG as well. It'd be a pretty big oops if not. The eMMC is different in purpose over the PROM in that it holds the OS as well. Just my thought is there's probably some, presumably disabled, way of telling it to boot off some other media. It'd make sense from the development perspective.

Yep. Working on both of those points at the moment. :-)

AlphaWolf
03-07-2014, 03:25 AM
Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.

It turns out that CableLabs completely forbids any kind of debug or developer access ports (such as jtag) in any CableLabs certified device. This would probably explain why S3 and beyond don't have a serial port, whereas all previous models did (though they did have a poorly hidden TTL port.)

Anyways, I recall during my S3 hacking days that parts of the PROM were read and executed while tivoapp (or swedishchef as I think it's now called?) was live. I learned this inadvertently when the tivo locked up when I pulled the PROM out of a live system, and only booting the tivo in a "bare" state (e.g. terminating rc.sysinit early in the boot stage) allowed me to use a live tivo to reprogram a prom chip (because I didn't have any actual tools for reprogramming one.)

Aside from the sata idea I came up with earlier, I was thinking alternatively you could *possibly* figure out what portions are read and swap out the prom early in the boot stage (but after the prom has done its signing checks.) Wouldn't be a permanent solution, but it would at least allow you to gain initial entry and learn more about how they work.

philhu
02-25-2015, 02:39 PM
So, I am assuming the S4 and now S5 development is dead?

Nothing new to report?

GaveUp
02-25-2015, 08:22 PM
So, I am assuming the S4 and now S5 development is dead?

Nothing new to report?

I'd say the shellshock thread answers that question.


Yep. Working on both of those points at the moment. :-)

Any luck on the datasheet front?

Throg
06-03-2015, 08:28 PM
Hi everyone. It's good to see some familiar names still around here. I got a 4TB Roamio Plus and love it. I just miss all of the hacks that I became accustomed to on my S2 units. I toyed around a little with KMTTG but it's nothing like the old days.

Anyway, I just wanted to introduce myself to the forum and let y'all know that I am here. I was inactive long enough that I had to recreate my account so my coolness has worn off.

That's all.

Roger Dylan
06-20-2015, 04:28 AM
Hi everyone. It's good to see some familiar names still around here. I got a 4TB Roamio Plus and love it. I just miss all of the hacks that I became accustomed to on my S2 units. I toyed around a little with KMTTG but it's nothing like the old days.

The only relevance of old time hacking to the Roamio (i.e. the current situation) is that it's still worth having a hacked s3/HD with the cci bytes disabled in your mix if you're still getting channels within the tuning capability of the s3/HD that have the cci bytes set. Once recorded on the s3/HD, shows from those channels can be transferred by standard means to the Roamio and your home net with full functionality.

For example my Cable provider is crippling 8 channels I'm paying for. Two of them they've gone to mpeg4 so they are lost (until the mpeg4 s3/HD hack surfaces, if ever) but the other 6, though crippled as directly recorded on the Roamio, are still useful in my home network via the s3/HD entry point.

But hacking older Tivos is ultimately a lost cause with mpeg4 inevitable. Again, absent the mpeg4 hack for the s3/HD.

cj47
07-08-2015, 10:10 AM
The links in the 1st post are dead.
Any chance of re-posting the hi-rez board shots??

RWS3
10-12-2015, 08:47 PM
The only relevance of old time hacking to the Roamio (i.e. the current situation) is that it's still worth having a hacked s3/HD with the cci bytes disabled in your mix if you're still getting channels within the tuning capability of the s3/HD that have the cci bytes set. Once recorded on the s3/HD, shows from those channels can be transferred by standard means to the Roamio and your home net with full functionality.

For example my Cable provider is crippling 8 channels I'm paying for. Two of them they've gone to mpeg4 so they are lost (until the mpeg4 s3/HD hack surfaces, if ever) but the other 6, though crippled as directly recorded on the Roamio, are still useful in my home network via the s3/HD entry point.

But hacking older Tivos is ultimately a lost cause with mpeg4 inevitable. Again, absent the mpeg4 hack for the s3/HD.

My TiVo HD has served me well. I pay per seat for cable cards. The newer TiVos can stream, so there has been progress for the consumer. Still, the S3 and HD mods have been super useful. Too bad the Premiere and Roamio have put a damper on everything. Still, many thanks.

philhu
02-19-2016, 10:42 AM
Well, since tivoHD now has mpeg4 on 11.0n, GAME ON!!!!!!!!

I just resurrected my 2 hacked tivoHD units, CCI bit on, GAME ON!