Have you looked at this thread? http://www.dealdatabase.com/forum/showthread.php?27553-Mips-disassembler-v0-1
Otherwise, some folks have luck with IDA.
Type: Posts; User: tivo4mevo
AlphaWolf is correct, no one has released a software or hardware exploit for the Roamio (or any later tivo for that matter).
Regarding SHA-1 though, Google's SHAttered proof of concept doesn't...
My knowledge of tivoapp focused on the specific patches and more generally tivo's underlying security subsystem. Series 3 units have been marooned with an 11.x tivoapp for years now, while s4 and up...
No, according to my notes 11.0m is different. psxboy posted the patches here: http://www.dealdatabase.com/forum/showthread.php?67566-new-sw&p=317574#post317574
Hope this helps.
This has been examined, and tivo paid attention to the env vars after Tiger's BASH_ENV exploit. The linuxrc in the initrd checks the entire root filesystem for any unrecognized files (comparing them...
Tivo implemented env var whitelisting; however, my memory is a bit fuzzy where that occurred (Boot Flash/PROM, kernel, or initrd linuxrc) and exactly when that occurred. You can find the whitelisted...
The StageC NetworkKickstart.sh has a
if [ $do_stageC_kickstart -eq 1 ] ; then line, and that environment variable is only set in the StageA CheckForPanic script (which sets the panic code by...
I looked at this after reading your suggestion. While one can either use a kickstart code or set a flag in /State/Database (as setzaprequestfactoryreset.tcl does) to kick off an MFS operation (e.g.,...
For Premieres and earlier, this is true in theory. However, Series 5 units have their root filesystems stored on internal Flash, not on the harddisk. Once a mini or roamio unit takes the 20.4.5...
Tivo has closed the shellshock vulnerability in the new 20.4.5 software release. So before you upgrade, you may wish to use this vulnerability to get a shell on your tivo and poke around a bit. ...
If you're trying to expand a single premiere drive beyond 2TB, I'll have to check to see where these tools stand.
I don't think there's a good way to do this on a Series3 as the only access to the live stream (that I can recall) was to the files as written to disk. The "LiveCache recordings" are problematic as...
Excellent point, one can use TiVo Desktop or some other TiVo Desktop solution (like kmttg) to extract shows from each unit, and then upload them to the other.
You've run into a tricky problem, as your premiere isn't hacked, it generates an "Error #86" when it's acting as an MRV client and attempting to receive an unencrypted video from your hacked Series 3...
I don't think there would be any downside for the old Series 2 Combo units other than perhaps increased boot time.
If you are referring to this patch: link, then I think tivo made some changes to the code that caused that patch (when ported to newer software) to cause crashes (my notes have it as valid for 11.0d,...
For what it's worth, I took a quick look at some old 6.3c brfs I had lying around. It looked to me that ui/TivoCentral/TivoCentral.brf had the menu names present ("Now Playing List", "Watch Live...
You haven't said what version of software you're working with, but chances are that menu item name is contained in a BRF file. So I'd start there.
No, it won't brick the unit. If you can revert tivoapp it should boot (assuming you haven't modified any other files). At worst you might need to reimage the drive.
Something akin to this: link could fit inside a premiere. It would need to be reprogrammed to redirect SATA reads after a specific amount of time (that time falling between the two presumed reads of...
You've seen bkdtv's review, I presume? It provides a nice hardware baseline, so it's a starting point. Link: here.
Yes, that's a hazard of the message board versus wiki, you find yourself poring over conversations germane only to exploiting software 4.0.1b with an lba48 aware kernel and the proper uma6fix to work...
Yea, I thought a bit more about a sata injection device, and even assuming some sort of inexpensive, embedded device to sit between the tivo and drive (similar to an Arduino), one would have to write...
Another approach would be some sort of sata injection device (or computer). It would sit between the tivo and the hard disk. When the BSP code checks the kernel, the device supplies a valid kernel....
No disagreement on your points. The board facilitates discussion, but is not as good a repository. I believe there was a tivo wiki hosted elsewhere at one point, though unfortunately I don't have a...
This thread has the most information. Post any other questions you have here, and collectively folks can chime in with available information.
I believe that the direct extraction thread (link: here) should still be valid.
That said, I can't recall if I've ever directly extracted myself.
In answer to your other question, given that...
I'm not a member of slashdot. I tried to search for the article/presentation, but had no luck finding it again. I can't even remember the device they were attacking, unfortunately.
Excellent point, Dave20042004. You could alternatively add the rubbishing to 51killer to create a new, "prep drive for imaging" script. But that might be overkill, as your directions are clear as...
No problem. #3 can take a fair amount of time (e.g., hours). I think that the garbage collection isn't strictly needed so long as Rubbishing completed successfully.
If I'm correct about that,...
The MFS partitions are always writable, even if the root partition is mounted r/o. You may want to try kicking off garbage collection after rubbishing the objects, as they should no longer appear in...
I assume you're using the updated version of 51Killer (as you posted in that thread: link). You might try rubbishing the objects in /State/Keyring. I believe that in the newer software, old keys...
This could work. I saw on slashdot some time ago, a conference presentation of an Arduino based device (I believe) to sit between a SATA device and the victim, and it would alter a file accessed...
I believe that the "type" of the partition reflected in the apple partition map doesn't really matter (the tivo software won't care), but most just set the type to match what tivo (and mfs-tools)...
Tivo enabled dual-core with sw 14.9.x, so you should be running with both cores active. That said, I agree that the HDUI is still not "snappy" on the premiere hardware.
Thanks. I understood, but might not have provided enough background. This thread here (link) might be worth a re-read. But the short version is that the "PROM" code (i.e., the boot-loader code...
Aside from MFS schema updates, the guide data remains unchanged, I believe.
I should have noted that the OzTivo emulator was shuttered in preparation for the DVB TiVoHD, but could probably be...
All good questions, but ones that aren't allowed for discussion here. This exact thing happened in the UK for the original Series1 UK units when the new VirginMedia (s4-based) tivo was released. ...
The trouble is that the buffer over run flaw you seek would need to be in the Broadcom Security Processor (bsp) of the tivo's CPU, as a vulnerability in the tivo "boot sector" (code that prior to the...
Nice work chasing those down!
Off topic area for this question, but 51Killer allows you to move a hacked drive to a similar model tivo, and still be able to playback the videos. When restoring a backup image from another box,...
What sort of help are you looking for:
From memory, pdisk (run from a linux PC, with the tivo drive attached as /dev/sdb) would be "pdisk /dev/sdb", once in the interactive mode, you can then do...
This is because the lines you added above start only telnet and ftp, and I believe that you also desire to have bash running on the serial port. In which case, you need to add something like this ...
I don't know whether or not you could use the crypto chip trick to clone the TSN. If you just need to know the zip code that the device last called from, you could hook up the drive to a PC, and...
Red_Dog might be able to provide a better answer than I, as the last time I rummaged around the disassembly was in 2008. You might want to look at si9190test first, as I think that utility offered...
The "Error 51" arises when you move a drive from one unit to another (which is effectively what you've done when you've restored an image from another, albeit similar, tivo). If your unit is hacked,...
I also get a sha1sum of 118a7c7799ef20d04dd699387d6f91f6d47905e6 on a stock 11.0k tivoapp, so that seems to confirm you're running 11.0k (at least the filesystem of it).
Earlier versions of 11.x also had the "SwedishChef" as the process name when launched by the tivoApplicationLauncher. I forget which version that began with. *edit* looks like it began with version...
Just going off memory, so this could be wrong, but I think that software 6.3e and later bundled the DHCP client into tivoapp. Thus, if you weren't using a killinitrd 6.3e+ kernel as your chainload...
Based on this thread here: link. It appears that MFSLive can do what you want.
There are other more manual methods, but this is probably the best.
I too was hoping to see the new directivo renew interest.
Ah, thanks for the clarification regarding the TIVO_SCHEMA environment variable. I had encountered the script to dump the current schema, but didn't realize that it could be read at runtime (and had...
Yes, effectively they are hardcoded. mfs_dumpobj was compiled with what is now an older (fixed) version of the MFS schema, so it doesn't recognize newer MFS types. I forget if TiVoWebPlus is the...
I'll speculate no, based upon the inability to successfully run a TiVoHD XL image on a TiVoHD (see this post here: link). IIRC, the image would appear to work, but unit would run out of guidedata...
Yes, the script just needed a tweak (which evidently I had made back in 2009 but never posted for some reason).
See this thread (link) for the updated script.
As jt1134 may no longer be active, attached is a slight revision of the script to work with on all current tivos (including 11.x+).
Tivo introduced an extra DCKey named DBSOffset into the software...
Though slightly off topic, you're correct. You can easily "unhack" a drive in the manner you describe: first making an image of the active root partition (/dev/hda4|7) prior to hacking, hacking the...
It's been a long time since I've looked at this, but the third approach I postulated: was something of a hack.
But essentially, you modify the script enough to have multiple QAM-mapped headends...
Kudos on the impressive work! I like that you co-opt the NPL to display the information.
Thanks for the link, much clearer now.
This could be a pernicious bug. If tivo hasn't fixed it (evidently) in more than two years, a hack to fix it might not be trivial.
To boot without...
You didn't say what version of software your TivoHD is running.
Perhaps MFS is clogged with cruft? Have you tried booting without running TvLauncher (i.e. through etc/rc.d/StageE so that mfsd is...
Something's amiss with your tivo. You shouldn't need to manually force loading and indexing. Are you holding your unit back at an earlier software version? You may need to let it upgrade or to...
Search the forums for "CCI" and you should find what you're looking for.
It's not for the faint of heart. On Series 3 units, it requires desoldering the PROM, reprogramming it, and then soldering...
As psxboy points out this has been covered before.
The process to extract CPI/CCI protected recordings using TTG is:
hack your unit,
apply the "ignoredrmsig" patches (patches are specific to...
The recorded shows metadata lives in the MFS application partition while the video (streams) themselves live in the media partition. So copying over the root filesystem (partition 4) and the kernel...
It's unclear to me whether you have access to a Linux system (or Linux boot disk like MFSlive.org) capable of directly accessing the drive from your PC, but I would wager that the simplest thing...
I believe I built a "small" standalone image once, but the other option would be to install the needed standalone slices so as to be able to upgrade the 62small.mfs to the SA 9.3.2b software.
The...
It's been a while, but there is a tvbus client that registers to receive remote events on behalf of HME applications.
You can look at the sendkeyplus code for the details. "HmeHost" or...
51killer.tcl is not required.
psxboy is correct.
RemoveDrmAll.tcl does this on line 53
dbobj $drm_part remove MediaEncryptionKey
which wiped out the encryption keys for your shows. Hence the tivo can't play them back now. If...
From that thread: With the purpose being to allow you to move a drive between units and preserve the recordings.
A side effect of those patches might be to allow manipulation of a recording's MFS...
I was mistaken about 2), it wasn't a limitation of tivoapp, but of the Apple Partition Map (APM). From its Wikipedia page: So that's a per disk limitation. I believe that MFSlive (and potentially...
With a stock kernel, you're limited to the starting size of the drive plus an expansion of up to 1TiB (reference here: link). Thus (my math might be slightly off)
Series 3: 250GB + 1TiB = ~1.3GB...
Hello nosignal. I don't think a PROM mod is needed for what you wish to accomplish.
1. There's a built-in tivo remote "backdoor" code: SPS30S (URL describing this here: link)
2. This can be...
Yes, there is a trick for your kernel to recognize the partitions on a tivo drive: tivopart.
See this thread for a recent discussion and details: link
Typically, it does not matter if you superpatch tivoapp before or after the reboot. It's best to patch before you reboot, in case you've made modifications that depend upon patches (e.g.,...
Using TTG to extract a *.tts version should be as fast as tserver (link here). Regarding management tools, I can't help you.
An unhacked tivo cannot receive unencrypted video via MRV.
I can't find the post, but this has been covered before. The use of the patches is fairly simple: if all your units are hacked, then use...
The thread regarding the S4 expansion isn't germane beyond the general concepts of tivo/MFS partitioning being discussed.
I concur with mike_s, by having the MFS media and application partitions...
Perhaps recent software versions with more advertisements (like those that appear with the "Delete This Recording?" screen) cause this patch to now have undesirable consequences.
Some more recent 11.0x ports added to the post here
Is the FrameChannel an actual software update? Or is just another provider accessible through the "video on demand" HME UI? I was under the impression that it was the latter, but I haven't looked...
There isn't anything that prevents you from doing this, but you'll need to modify the script.
The Provider and Lineup from which the mapped channels draw their guide data are set just after the...
I would be interested in a tweaked grabpkg (that can dynamically find the sys_call_table). Do you still have this available?
Do those patches actually work? I saw you posted that they were causing reboots? But wasn't sure where it went from there.
More recent port of the patch in this thread here: link. The code structure between 9.4 and 11.0x should be largely the same (it was a much bigger jump porting the patch from 4.x to 9.4, which still...
Good points, though regarding the point about tivo not having a lot to protect, I thought I saw mention that the S4 was to be fielded by some cable manufacturers. Who presumably would want assurances...
bsptest doesn't check the Flash boot partition signature, bsptest checks that secure boot is enabled and the debug interface is locked (based upon bsptest errors and the rc.sysinit notes).
Errors:...
The series2 units (combo units included) had 2.4.18 kernels that lacked lba48, necessitating custom kernels (with lba48 support) to utilize drives larger than 128GiB (details and a representative...
Based upon the OTP bits described in the Flash data sheet, the boot code is likely locked.
See this thread (link) and this thread (link) for information. Typically, the guide data problems crop up between major releases but not always. One should also be aware not to continually download...
Post on TCF here: http://www.tivocommunity.com/tivo-vb/showthread.php?p=7833681#post7833681 indicates that 11.0f is intended to fix the Tuning Adapter MRV bug. Not sure if any other fixes are...
Nice polish!
You don't say whether the hacked unit is a S2 or S3, but if it's an S3, then you just need to be sure that you're not running the full superpatch on the S3 unit. See more original superpatch...
No, not yet.
11.0d is the current software version for Series 3 units.
I think you'd need a relatively "fresh" XL image (i.e., backup made before running the unit in earnest) to ensure the loaded loopset slices receive low FSIDs.
But to understand, after loading the...
If you haven't done so already, it's probably worth attempting to download directly from tivo's https interface using a browser. Though this still invokes TTG on the tivo, it sidesteps TiVoDesktop,...
It would be ideal if the NoCSO patch allowed MRV transfers of encrypted shows. I'm not the author of the patch, so I don't know how difficult such a refinement would be (or if it's even possible).
...
Judging by philhu's posts here and here, one can assume his question refers to native S3 MRV transfers.
So to elaborate upon what Jamie wrote, with NoCSO and the superpatch applied, one should...
That patch applies to both. The S3 and THD tivoapps are identical in the 11.x line.
In general, tivoapps will be identical except for two circumstances: legacy hardware and new hardware.
...
The Intel Pro/100B is one NIC that can flash SST39's.
You can find more discussion and details in the PROM socketing thread: link
Cool patches!
I believe that jkozee posted a patch for the NpkChannelDefinition issue, but it still takes a little while for the season pass to kick in (unless you poke it by fiddling with some other season pass)....
Neat patches.
Here they are for 7.2.2-oth
VMA         previous  new       Patch function
0x00483408  0c1294bf  00001021  -remove TVGuide logo from guide screen
0x004c21fc  0c1294bf  00001021...
You're correct that hacking related to guide data isn't discussed here.
If no one has a *.proc file for your specific tivoapp, you may be able to obtain a tivoapp for which the proc file has...
There were never very many folks producing *.proc files to begin with, and the versions that you're asking for are circa 2005 (and 6.1 is for a combo box). So I'm not sure how much of a response...
I believe that the parsing of IDL files was obsoleted by tivo building a parser directly into tivosh (the tvidl command appeared with software version 6.3x/7.x).
Here's a recent post discussing...
I've not seen any reports of this being sighted in the wild, and I'm not aware of any modern tivoapp procedures that make use of this.
Tracing the lineage, these options appeared in crypto roughly...
Not that I'm aware of, though I thought that mfs_ftp should still be able to pull the (scrambled) shows off. Perhaps others, more knowledgeable can comment more.
All three of these options draw...
You have it correct. The so called "NoCSO" patch is distinct from the "CCI" patches as they serve different purposes.
Have you tried removing the patch to see? ;) but yes that's correct.
I...
Cool getprom patches, jt.
If the goal is to lower the profile of hacked units, then correcting the PROM checksum after patching it would go a long way as it would prevent logging of the error...
I believe that the publicly available PROM patches/versions skip neither the SHA-1 PROM checksum nor the verification of the kernel signature.
Assuming you have cron installed
echo "0 * * * * /path/to/mike_s's/More_About_script.tcl" >> /var/spool/cron/crontabs/root
Ciper was experimenting with this, though I don't know how far he got.
Creating loopset slices is non-trivial; it would probably be easier to forge loopset objects to point to the XL's loopsets.
Assuming that the recordings are unscrambled, any idea whether s3tots would work with an x-tivo-raw-tts file?
i.e., one downloaded in this fashion: http://...
When you say that you can't send keystrokes with sendkeyplus (skp), do you mean that trickeyplus (tkp) doesn't detect keystrokes sent by skp? Or do you mean that the tivo does not receive skp's...
The slice files for the new software should be in MFS. You can extract all but the swsystem slice using TWP, but GZCore is the slice with most filesystem executables. See here: link
You can also...
An alternate approach might patch around the checks in the httpd server. TTG then does the work of decrypting the on-disk encrypted recording and exporting it as a *.tivo file (which can be...
I found this via a Yahoo search, so I can't vouch for it.
http://www.rednex.net/Downloads/Utilities/TiVoDesktop2.3a.exe
I've not used IDA much, so I can't say definitively what it might be capable of, but you can see the base load address of each dynamic library on which tivoapp depends in the backtrace resulting from...
Good testing.
While you don't state it explicitly, am I correct that your MRV observations are based on S3 native transfer (S3<->S3)?
Are there any messages logged when you see the...
Does the hacked unit have backdoors enabled? Or do you need that patch too?
If you have backdoors enabled, what does the spigot information UI report?
Looks like the tivoapps are slightly different.
Thanks, ciper. I had come across those scripts as some point in the past, and collectively, they help explain some of the MFS structure for channels, lineups, and headends.
What type of...
TiVo included what they call "TCP Remote" in version 9.1, and this can be used to remotely control tivo units. Read more here, including a link to some handy client software maintained on TCF. I...
You may also want to read through this thread: (link) as well.
You can skip over the PROM socketing part, but the remainder of the thread nicely lays out the steps required to hack the software.
You can pull the drive and modify the bootpage without tinkering with the kernel. I believe that a stock kernel will still honor that bootpage setting (dsscon).
Great post! This works for many other values stored in MFS.
% tvidl dbtotext 0 {53 50344978 2073756160 -483896316 620756992 0 16777216 419430400 65536 285736960 640985883 5796085 16777216...
Updated to version 1.1, which allows operation when running HME applications.
To quickly clarify, routerplus doesn't crash, but using routerplus to drop/modify messages can cause tivoapp to crash.
I don't have /MenuItem MFS values handy, but most times are stored in MFS as...
Yes, nice work.
Good job on exploring things through Routerplus, rather than just disassembly. Making your routerplus application more selective by inspecting the TvPvrMenuItemInfoResponse's...
I edited my initial post, as I think that I was barking up the wrong tree with the promos. You are right to try to correlate observed log messages with the tivoapp strings.
I did a bit more...
To my knowledge, the patch to disable "yellow stars" has not been carried forward and posted.
Either IDA or the tmesis post processor will allow you to inspect the disassembly. However, the code...
I don't entirely understand what you're trying to do, but if you wanted to map a given clear-QAM channel to guidedata from a non-OTA channel you could modify these values to draw from a different...
The killhdinit kernel goes into partition 3 or 6, while the target kernel (which you "monte" or chainload into) is typically put into a directory in the root filesystem (/chainload, /monte, or some...
You should be able to continue to use the same killhdinit'ed kernel you were using with 6.2, though you may need a new target kernel (to chainload into) for 6.4a.
This is covered in more detail...
I was under the impression that pytivo (or at least the video portion) would not work with dtivo software version 6.3/6.4 because both MRV and TTG/TTCB were stripped out?
MovieLoader can initiate...
Perhaps more fanfare was needed? :)
I actually wrote trickeyplus in response to the wake-on-lan discussion: link, but I've also used trickeyplus with RedDog's zoom-mode script for the HR10-250...
Now it's clear.
You're correct about the -321 and -121, and you have the slices you need already present. You won't see "6.4a-01-2-321..." present in MFS as tivo consolidated software versions...
131adb456e5bbef2aa153c4c7b59ae58 *GZcore-127004584-2.slice.gz
2a95a4c4bac5f90c24540c8da7001d6e *GZhpk-Gen04-127004592-2.slice.gz
683f43afad6eb53d8ead365f4aafbeba *GZhpk-Series2-127004588-2.slice.gz...
True, though more generally, the new software version might fail to appear in /SwSystem because some other portion is missing.
The DTV Loopsets were included with the 6.2 slices, which were...
Are you sure that you're loading the correct sw slices for your model? What leads you to believe that a loopset slice is required?
I thought that DVRUpgrade was hosting the 6.4a slices for all...
I've received permission to post the attached map_qam.tcl script (below). If you appropriately modify the "userMapArray" on line 45 and then run this script, it will create a clear QAM lineup...
There are actually two kernels that you'll need (and all the kernels discussed here are ultimately built from linux 2.4.20 source; so to distinguish, the kernels are referred to by their...
a) Yes, you will have to hack it to get USB networking to work.
b) You need not upgrade sequentially, you can upgrade from 6.3c to 6.4a. If you can't get a phone connection to work (you mentioned...
To echo what jt said, I think you'll have trouble by trying to port the patch using a hex editor.
With the disassembly, you can match the strings (which have remained largely the same)...
This patch suppresses the "Delete this recording?" screen encountered when exiting a recording within the last six minutes.
All Values are Hex
Sw Version Offset (VMA) Original...
This page here seems to lay out the necessary steps as well as providing scripts for the various pieces.
I think that some experienced reliability issues with the piggyback socket (coming loose and causing boot failures) and that a more secure PROM socket wasn't that much more involved.
Removing the...
Did you remember to run superpatch (if the Music & Photos menu entry appears, then you probably have already run superpatch)?