
Thread: LOCK down the Flash!!!

  1. #1
    Join Date
    Jan 2002
    Location
    SouthEast (EST)
    Posts
    196

    LOCK down the Flash!!!

    Ok,

    Call me paranoid, but some outside source could re-flash my eprom, and prevent my current custom software from operating. I have already taken software countermeasures to prevent any tampering to my system. It's still possible that I may not have enough software control to prevent a possible unauthorised tampering of my system Eprom. I consider this an open "hole in security". This being a potential unauthorised invasion of my personal property, I have decided to prevent any changes to this firmware at a HARDWARE level. I DO NOT AUTHORISE any changes to any Eprom code on my machine without my prior consent! In other words, I MUST physically allow it. This makes it MY CHOICE. You too can make this hardware choice.

    If you are happy with the current state of your firmware, and choose to NOT accept ANY unauthorised firmware updates, you can physically prevent any new and most likely undesirable code updates by simply CUTTING 1 pin on the firmware chip.

    Now, this may possibly, in the future, make you "not compatible" with some service offering, but you can always solder the pin back to the board, if you decide to authorise the update, and receive the "flash" update to be compatible with a future service offering.

    The Flash chip on the Dtivo is:

    http://www.sst.com/products/pdf/398-...-02.000-DS.pdf


    If you look at chart:

    Page #6
    TABLE 3
    OPERATION MODES SELECTION:

    It will become obvious that you can PHYSICALLY choose to allow updates to the chip based on the input of a single pin on the chip.

    If pin #31 (WE#) is connected to the PCB, it allows the eprom to be updated, because the software can decide what state this input is at. HOWEVER, if this pin is simply CUT from the printed circuit board, it is placed in a state called "High Z", or "Floating".
    It is a determination of the chip to decide what an open connection state of the chip is, and in this case, a clipped pin as a "floating", or "high z" state. This is the same state on the chart as a high state. In simple terms, carefully snipping this pin at the circuit board and leaving the possibility to re-connect it, WILL WRITE PROTECT YOUR EPROM!!!!!

    If you want to be anal about it, you can tie the pin to +5v with a 10K resistor, and be 100% positive, knowing it can't be re-programmed.


    I personally didn't snip mine, but placed a piece of wire wrap behind the pin and heated it with the iron, and pulled it out to 90 degrees, like pulling a tooth. I now have the pin outward, and ready for soldering to a switch, if in the future I decide to accept any updates.

    Longwinded, but hopefully useful.

    ScanMan
    Last edited by scanman0; 03-30-2002 at 12:27 AM.

  2. #2
    Join Date
    Mar 2002
    Posts
    53
    Originally posted by scanman0

    If pin #31 (WE#) is connected to the PCB, it allows the eprom to be updated, because the software can decide what state this input is at. HOWEVER, if this pin is simply CUT from the printed circuit board, it is placed in a state called "High Z", or "Floating".
    It is a determination of the chip to decide what an open connection state of the chip is, and in this case, a clipped pin as a "floating", or "high z" state. This is the same state on the chart as a high state. In simple terms, carefully snipping this pin at the circuit board and leaving the possibility to re-connect it, WILL WRITE PROTECT YOUR EPROM!!!!!

    Just to be anal .. (hey, I'm an engineer) .. the high-Z state will not necessarily float high. It depends on the device. If the flash has a built-in weak pullup on the lines then you'd be fine "cutting" the pin. However, it's generally considered a VERY bad idea to leave a CMOS input floating as it can cause oscillation to the part. It could cause your flash to get written to with garbage.

    Originally posted by scanman0

    If you want to be anal about it, you can tie the pin to +5v with a 10K resistor, and be 100% positive, knowing it can't be re-programmed.

    That's the smartest way. What you MIGHT also consider doing is this:

    Lift the pin on the Flash. DON'T pull it to 90 degrees as that's a good way to risk damaging it. Isolate it from the board, and solder a small magwire to the pad. Connect that to one end of a simple single-pole single-throw switch. To the other end of the switch, connect your 10K pullup and the flash WE_N pin. Then you've got the ability to allow or disallow flash writes at will (i.e. upgrading to a new version of xtreme).

    Having the 10K pullup in the legit signal path won't affect the Tivo being able to drive the pin to ground to signal a write.

  3. #3
    Join Date
    Oct 2001
    Posts
    122
    What software countermeasures have you taken?

  4. #4
    Join Date
    Oct 2001
    Posts
    122
    Originally posted by keither


    Just to be anal .. (hey, I'm an engineer) .. the high-Z state will not necessarily float high. It depends on the device. If the flash has a built-in weak pullup on the lines then you'd be fine "cutting" the pin. However, it's generally considered a VERY bad idea to leave a CMOS input floating as it can cause oscillation to the part. It could cause your flash to get written to with garbage.



    That's the smartest way. What you MIGHT also consider doing is this:

    Lift the pin on the Flash. DON'T pull it to 90 degrees as that's a good way to risk damaging it. Isolate it from the board, and solder a small magwire to the pad. Connect that to one end of a simple single-pole single-throw switch. To the other end of the switch, connect your 10K pullup and the flash WE_N pin. Then you've got the ability to allow or disallow flash writes at will (i.e. upgrading to a new version of xtreme).

    Having the 10K pullup in the legit signal path won't affect the Tivo being able to drive the pin to ground to signal a write.

    Where is a good +5v source that's close by? I'm very interested in doing the hardware mod. What is the best way to lift the pin on the flash? The last thing I want is a broken flash pin or one that got cooked from the soldering iron.

  5. #5
    Join Date
    Nov 2001
    Posts
    813
    Thanks Scanman0. I posted a question asking for how to do this several months ago & never got a response.

    Could you please tell us where this chip resides within a DSR6000? Here is a link showing the inside of the unit and it has each chip numbered. Which number is it?


  6. #6
    Join Date
    Feb 2002
    Posts
    109
    That would be chip #49, with the white sticker on it.

  7. #7
    Join Date
    Jan 2002
    Posts
    63

    Let me get this straight before I fry something!

    the pullup resistor goes between the lifted pin(31) and the +5v source?

    In the switch mod I don't understand the SPST switch...with it off (disallow writes) then the pin would still be "floating"

    Or do you want a DPST switch where one position has the 10k +5v connected to the lifted pin, and the second position would directly connect the pad you lifted from to the lifted pin.

    Here is a small schematic to look at...Is this the correct placement of the switch/10k pullup?

    madd0c
    Yes, there are two paths you can go by, but in the long run, there's still time to change the road you're on.
    Led Zeppelin

  8. #8
    Join Date
    Nov 2001
    Posts
    813
    Two questions:

    1) is this a PLCC or a PDIP?
    2) Can we use Pin#32 which is Vdd as the +5 volt supply?

  9. #9
    Join Date
    Feb 2002
    Posts
    109
    This is a plcc and yes you can use pin 32 next to it. That would be the 2nd and 3rd pins from the corner.

  10. #10
    Join Date
    Jan 2002
    Location
    SouthEast (EST)
    Posts
    196

    I was not detailed on purpose.

    I didn't give quickcam pics, and DETAILED information, simply because, I figured....If you could understand my original post, you knew enough to NOT FRY your unit. The Tivo "expert" that has never played with a soldering iron, that runs out and buys a trash shack iron with the included solder and crap, will FAIL, and most likely blame me for telling him to do this. It should NOT be attempted by anyone that can't handle a surgical soldering job. And yes 90 degrees is a bit much....Mine is only lifted enough that it's clear...1 mm tops

    The switch is a bit overkill...

    YES, I did attempt a flash with the high-z, The chip DOES float LOGIC HIGH, and it is not really needed to be tied high with the 10K resistor......the osc. problem referred to is on an ACTIVE input, on OLD TTL circuitry. On modern logic prom chips such as this, this is NOT an issue. Read the datasheet. It's VERY safe to lift the pin 1 mm, as you apply heat with a LOW power 25 watt iron, lifting it with a dental pick. This is all that is needed.

    As far as sw countermeasures, I removed about 80% of my rc.sysinit and deleted critical files that are used to flash. As far as sw countermeasures, I still don't feel as warm and fuzzy about it as KNOWING that the dark side can't make changes to my unit, so they would need to change the "DSS stream" that the tivo uses to get the data, AFTER a flash of all units, and then become incompatible to the old version. (Good luck!)

    IF 3.0 is sent via the datastream....AND it is done in a way that the 25extreme image is open to....It's possible that they could reflash the eprom in a way that NONE of the old backup HD's will be worth their weight in coal. They could lock the firmware, and leave no OPEN door to old versions of the sw. And this would LOCK THE DOOR SHUT!!! This hack is the only way to prevent 3.0 from locking the eprom. As nobody has unlocked the tivo2, it's almost inevitable that they will thrust a new locked prom upon us!!!!


    Peace.
    Last edited by scanman0; 04-02-2002 at 12:58 AM.

  11. #11
    Join Date
    Jan 2002
    Posts
    63

    scanman,
    We appreciate the info you have provided, and as MANY, MANY, MANY posts of this nature state, If you don't feel comfortable doing this, and you absolutely CANNOT afford to lose your DTIVO, then if I (or anyone else) fries their machine they have NO ONE TO BLAME but themselves...


    No user serviceable parts inside! (heheh)

    Anyway, I am NOT attempting to publish a schematic of how to do this, I was simply asking about the pullup as keither's post has further obscured the info in your original post. (Not bashing you keither, just made it more confusing for me)

    My question is NOT for detailed, step by step how-to-fry-your-Tivo-in-one-easy-step type directions. It was simply to clarify the pull-up.

    And, you have clarified that a pullup does not in fact need to be installed.

    I will repeat this for anyone out there who is reading this:
    DON'T DO THIS IF YOU CAN'T AFFORD LOSING THE UNIT!

    and as for bashing my soldering skills (heh j/k I know it's not personal)
    I have a weller 12.5watt with a microtip that I think is perfect for this type of thing

    Thanks again for the info,
    madd0c
    Yes, there are two paths you can go by, but in the long run, there's still time to change the road you're on.
    Led Zeppelin

  12. #12
    Join Date
    Jan 2002
    Location
    SouthEast (EST)
    Posts
    196
    I didn't say that the switch schematic is in any way flawed. If you are a "super hacker", and want to re-flash your chip, the schematic for the switch is a dandy approach, and should be considered, but for the average non-flash code hacker, the lift method is more than proper to prevent unauthorised updates.

    I use a Weller industrial soldering station, with SMT tips and have a desoldering unit with a vacuum pump, not all here are soldering at the same level.....so I started out sorta...worried about the abilities of the average reader.
    Last edited by scanman0; 04-02-2002 at 01:55 AM.

  13. #13
    Join Date
    Jan 2002
    Posts
    63

    Well scanman,

    I guess I should have listened to my own advice.

    I tried the pin 31 mod, and maybe my 12 watt soldering iron was still too much for the flash, but I now have a dead DTIVO.


    I pulled pin 31 and it now won't boot at all, hard drives don't spin up or anything.

    The fan is on, and the chip is getting 3 v on Vdd (pin 32)

    It says through hole chip withstands 300 degrees C for ten seconds. I didn't think I was on there for ten seconds, and my soldering iron is 245 degrees C (measured)


    Argggg.....Well, I think I am fubar, glad this was a unit to play with.

    Anyway, Scan, If you still need a sat input module (saw your other post)

    arggggggggg
    madd0c
    Yes, there are two paths you can go by, but in the long run, there's still time to change the road you're on.
    Led Zeppelin

  14. #14
    Join Date
    Jan 2002
    Posts
    63

    Hey Scan,

    Scan,
    Have you found a JTAG interface on the DTIVO mainboard? I notice you say you tried to write to your flash after the pin was lifted....

    maybe (hopefully) I just corrupted my flash and didn't completely destroy the chip.

    I have made a JTAG interface for other projects, and if I could find one on the board I would try to read the chip...

    Take a look at positions J18 and J20 (beside the OMEGA D&S chips), looks like a JTAG pinout to me....I have nothing to lose..I may start trying some stuff there.


    Any ideas, I REALLY hate to let this machine die such a horrible death.

    Thanks,
    madd0c
    Yes, there are two paths you can go by, but in the long run, there's still time to change the road you're on.
    Led Zeppelin

  15. #15
    Join Date
    Jan 2002
    Location
    In Front of the Grill....
    Posts
    165

    NonCooked TiVo

    Hello,

    Would it be possible to 'cut' the top of the pin and bend it out? Then just bend it back and add some solder to it later if needed.

    I'd hate to fubar my only unit up like madd0c did...but I'm willing to take a chance since I hear version 3 is on its way.

    I'm no soldering expert, nor am I an engineer...the only thing I like to 'cook' is on the Q. I don't want to cook my DTivo...

    Just wondering what the easiest and safest method is of (re)moving pin#31.

    TIA,
    Should I throw something on the grill
    for ya?
