
Thread: LOCK down the Flash!!!

  1. #151
    Join Date
    Nov 2001
    Posts
    730
    ROFLMFAO

  2. #152
    Join Date
    Feb 2002
    Posts
    109
    Huh? ROFLMFAO?

    Anyway, given that linux does not require a bios (did you know that?), only for primitive initialization of hardware and booting. Upgrading the bios may not be necessary unless the kernel and bios are locked or married in some way. Else everything could be done inside the kernel.

  3. #153
    Join Date
    Apr 2002
    Posts
    1

    Alternative to pin cutting?

    Instead of modifying the flash chip, would one of these "bios savior" devices work instead? I use them on PCs and they do the job nicely.

    Various versions depending on CMOS flash type
    http://direct.mwave.com/mwave/doc/A06950.html
    http://direct.mwave.com/mwave/RD18.html

  4. #154
    Join Date
    Jan 2002
    Posts
    63

    qman,

    very interesting idea, but one SMALL problem.

    The Prom is not socketed on the DTIVOS. It would require a SMT rework station to remove the chip safely. Scanman probably has the capabilities to socket his PROM, and I am waiting on my Metcal 500xp to arrive in the mail (thanx ebay!), so I will have the tools, if maybe not the skill...Scan, care to make a road trip?

    But yes, it is a very interesting idea.
    madd0c
    Yes, there are two paths you can go by, but in the long run, there's still time to change the road you're on.
    Led Zeppelin

  5. #155
    Join Date
    Feb 2002
    Posts
    109
    Qman,

    I don't think so. The flash in the dTivo is a surface mount square package leadless chip carrier (SMT PLCC) that is not socketed. This solution requires a lot more surface mount factory expertise and experience than most of this audience has.
    Last edited by lcreech; 04-16-2002 at 12:40 AM.

  6. #156
    Join Date
    Jan 2002
    Location
    SouthEast (EST)
    Posts
    196

    Piggyback prom is possible.

    Actually, it's not even needed to remove the chip, if you wanted to add a second rom and toggle between the two rom's.

    I have done this on my PC, long before the "bios savior" was created. All that is needed is to take the second chip and bend the bottom of the "J" pins so they all go straight down. Mount the second chip directly on top of the old chip.

    All that you need to do is then lift pin #22 (/Chip Enable) from the original chip. Lift pin #22 from the new chip, and tack solder ALL of the remaining pins of the new chip to the pin legs of the old prom.

    Then use a dual throw dual pole switch to either tie:

    1. OLD chip pin #22 to ground, and new chip #22 to +5 volts (Old chip active)
    2. NEW chip pin #22 to ground, and old chip #22 to +5 volts. (New chip active)

    To program the new chip, boot the unit up, with the old chip active. After you're up and at a bash prompt, just throw the switch and re-flash. This will flash the new chip. This is a great setup, if you are writing your own bios, as you can toggle back & forth to recover from errors & debug it.

  7. #157
    Join Date
    Oct 2001
    Posts
    1,243
    Cool

    DTiVo / Prom burner

  8. #158
    Join Date
    Jan 2002
    Location
    SouthEast (EST)
    Posts
    196

    Yes!, You could make it a chip programmer

    To place a socket "piggyback", instead of a second chip, with the switch, it does then become a true programmer.

    I have done this kind of stuff, from way back before there was even a 286 PC.......even an 8088, or an 8086...(I'm not that old)....I had 3 ROMS stacked with a dial switch, back on my Commodore 64 PC. This awesome box was sporting a fast as hell 1 MHZ processor, and 64 k of ram, with this neato "ROM" that could be toggled in and out of the tight ram space...I also did this with expansion cartridges, as I needed to swap my hack cartridges in and out of the tight space, in real time....I even had to use a Dremel tool on part of the keyboard, to allow the head space for the third rom to fit.

    I can claim that I was the first to do this hack, for any kind of PC.

    I'm an old school hacker, and know my logic, and have been through the original DeVry Institute (Chicago), I'm known to the professor as the *******, that found 6 errors in his "advanced logic chip design" textbook, as he was so proud of his book, he gave a grade bump in the class, for every flaw that was proved to him. I could have skipped his final exam, as I bonused out of needing the final, and his next year text was fault free....Thanks to my free, and excessive "study"......But I think that was his goal..
    Last edited by scanman0; 04-16-2002 at 09:37 PM.

  9. #159
    Join Date
    Feb 2002
    Posts
    109
    Scanman0,

    We must be related, or brothers. I did a hack just like this on my homebrew apple II clone for non-maskable interrupts. On 2708's if memory serves me right.

  10. #160
    Join Date
    Mar 2002
    Posts
    290

    Re: Yes!, You could make it a chip programmer

    Originally posted by scanman0
    ...I had 3 ROMS stacked with a dial switch, back on my Commodore 64 PC. This awesome box was sporting a fast as hell 1 MHZ processor, and 64 k of ram, with this neato "ROM" that could be toggled in and out of the tight ram space...I also did this with expansion cartridges, as I needed to swap my hack cartridges in and out of the tight space, in real time....
    Your remarks reminded me of my old analysis of the ubiquitous C64 Fastload cartridge. I had no knowledge of hardware at all and was puzzled by the big capacitor sitting on the CE line. So I looked at the code over and over and saw just a tiny tight loop that kept hitting the expansion address space somewhere around $D000. It turned out that hitting that address space actually pumped up the capacitor to hold the CE up and make the Fastload cartridge appear at the $C000 address. Once enabled, subsequent reads from the ROM kept it enabled until the user finished with the Fastload utilities.

    Just a little trip down memory lane. An elegant little software-controlled bankswitching scheme on the King of the bankswitchers, the venerable Commie 64.

    Every now and then, I look at the C64 shops to see the prices they're paying for IDE interfaces and memory cartridges. Hilarious. Did you see the C64 now has an Ethernet card and they're streaming audio over the net with it? http://dunkels.com/adam/tfe/

  11. #161
    Join Date
    Sep 2001
    Posts
    889
    sounds reasonable.

    so, you'll need an API for the unlock code, you'll need to block read access to the prom by default, and you'll need a prom that will only boot a kernel that is signed.

    sign your kernel the way that TiVo signed theirs, (with your own key) and put the other side in the non-speedboot prom, that way the prom won't boot tivos kernel, but will boot yours. There's plenty of room in the prom for a password, snoop around in the first 512 bytes, that's the NV storage area, you should be able to find somewhere there. it'd still boot extreme, but unless tivo released an unsigned kernel it wouldn't make a difference, and if they DID release an unsigned kernel, it would be exploitable without the original prom hack.

    Originally posted by smeghead
    Thanks for the vote of confidence but that's not really the point of this modification. The point is to prevent unexpected changes to the flash. Once a new upgrade has been tested under controlled conditions and been found to be safe (or been hacked), the update can then be allowed. The trick is to stop the new kernel from being loaded in the first place.

    Actually, I was thinking of going a bit further - modifying the prom to ONLY boot from a kernel that matched a checksum stored on the prom when the prom was "locked". That was the bit I was asking for help on - I know what, I'm just not sure of how. In addition, at lock time, the checksums of all loaded kernel modules, plus an encrypted password would need to be stored on the prom.

    Here's the scheme in simple terms:

    1. User runs a "lock" utility, supplying a password.
    2. Modified Kernel checksums itself and all the loaded modules. Stores this info and the password on the flash, and sets a flag (also stored on the flash) to enable lock mode.
    3. From then on (until unlock is run with the correct password), the kernel won't allow either write access to the flash, or modules to be loaded that don't match the stored checksums.
    4. The prom has been modified as part of this scheme so that it will refuse to boot a kernel that does not match the stored checksum in step 2.

    Using this method, the kernel stops access to the prom, and the prom stops the kernel from being changed. Tivo can download and write whatever kernel they like to wherever they like, but they won't get it to boot.

    You may be right, but smart people have been wrong before - take this quote from Vorlon001 for instance...

    And we all know how that turned out
    Last edited by BubbaJ; 04-17-2002 at 10:16 AM.
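    The four-step lock scheme quoted above (lock utility, kernel self-checksum plus module checksums stored on the flash, flash writes and unknown modules refused while locked, PROM refusing a kernel whose checksum differs), modelled below as an added Python example. This is not code from the thread, from TiVo, or from any real PROM: the "flash NV area" is a plain dict, the kernel and module images are constructed byte strings, and the password handling (a salted PBKDF2 hash instead of the "encrypted password" the post mentions, so that reading the flash does not reveal the password) is my own choice. SHA-256 stands in for the post's "checksum", since a plain CRC could be matched by a modified image.

```python
"""Constructed model of a lock/unlock scheme: lock record on flash,
kernel-side enforcement, PROM-side boot check.  Simulation only."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample images; a real lock utility would read these from disk.
KERNEL_IMAGE = b"constructed-kernel-image-v2.5"
MODULE_IMAGES: Dict[str, bytes] = {
    "ide.o": b"constructed-module-ide",
    "net.o": b"constructed-module-net",
}


def digest(data: bytes) -> str:
    """Cryptographic hash used as the 'checksum' stored on the flash."""
    return hashlib.sha256(data).hexdigest()


def password_hash(password: str, salt: bytes) -> str:
    """Salted slow hash of the unlock password (assumption: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def unlocked_record() -> dict:
    """Flash contents when no lock is in force."""
    return {"locked": False, "kernel": "", "modules": {}, "salt": "", "pw_hash": ""}


def lock(kernel: bytes, modules: Dict[str, bytes], password: str,
         salt: Optional[bytes] = None) -> dict:
    """Steps 1-2: the lock utility records the running kernel, every loaded
    module, the password hash, and sets the lock flag.  Returns the record
    that would be written to the flash NV area."""
    salt = salt or os.urandom(16)
    return {
        "locked": True,
        "kernel": digest(kernel),
        "modules": {name: digest(image) for name, image in modules.items()},
        "salt": salt.hex(),
        "pw_hash": password_hash(password, salt),
    }


def kernel_allow_flash_write(record: dict) -> bool:
    """Step 3: while locked, the kernel refuses all writes to the flash."""
    return not record["locked"]


def kernel_allow_module(record: dict, name: str, image: bytes) -> bool:
    """Step 3: a module loads only if it was recorded at lock time with
    exactly this hash.  Unknown names are rejected, not just mismatches."""
    if not record["locked"]:
        return True
    expected = record["modules"].get(name)
    return expected is not None and hmac.compare_digest(expected, digest(image))


def prom_boot_check(record: dict, kernel: bytes) -> bool:
    """Step 4: the PROM hashes the kernel it is about to boot and compares
    it with the hash stored at lock time.  Any other kernel is refused."""
    if not record["locked"]:
        return True
    return hmac.compare_digest(record["kernel"], digest(kernel))


def unlock(record: dict, password: str) -> Optional[dict]:
    """Clear the lock only if the password matches; None on a bad password.
    The comparison is constant-time so the check leaks nothing by timing."""
    if not record["locked"]:
        return record
    candidate = password_hash(password, bytes.fromhex(record["salt"]))
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    return unlocked_record()


if __name__ == "__main__":
    flash = lock(KERNEL_IMAGE, MODULE_IMAGES, "constructed-password")
    print("boots recorded kernel:", prom_boot_check(flash, KERNEL_IMAGE))
    print("boots other kernel:   ", prom_boot_check(flash, KERNEL_IMAGE + b"-new"))
    print("loads known module:   ", kernel_allow_module(flash, "ide.o", MODULE_IMAGES["ide.o"]))
    print("loads unknown module: ", kernel_allow_module(flash, "rogue.o", b"x"))
    print("flash writable:       ", kernel_allow_flash_write(flash))
    print("unlock, wrong pw:     ", unlock(flash, "guess") is None)
    print("unlock, right pw:     ", unlock(flash, "constructed-password") is not None)
```

The one property this model does not give you on its own is protection of the record itself: it relies on the kernel refusing flash writes while locked, and on the PROM being the only code that runs before that kernel. If an attacker can rewrite the flash with the box powered down, the record and its lock flag go with it, which is exactly why the thread keeps coming back to physical write-protect on the chip.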

  12. #162
    Join Date
    Feb 2002
    Location
    Los Angeles, CA
    Posts
    91

    Time's up?

    We may not have any more time to fine tune this hack. Slashdot reports 3.0 Beta is out now for the SA Tivo's. It also says the update is sent over the air. Unless we develop a 3.0 proof hack pronto DTivo hacking may become extinct. May, I say.

    "I may be paranoid but that don't mean they're not out to get me"

  13. #163
    Join Date
    Feb 2002
    Posts
    109
    This was a good post on slashdot describing 3.0:
    http://slashdot.org/comments.pl?sid=...ad&cid=3363811

  14. #164
    Join Date
    Aug 2001
    Location
    out of space
    Posts
    1,880
    What proof is there or even a hint from a credible source that this upgrade will come down thru the sat data stream? Is this notion because the UTV gets upgrades this way and therefore TiVo will follow suit? It seems to me that TiVo would want to keep the upgrade process consistent between S/A and DTiVos.

  15. #165
    Join Date
    Mar 2002
    Posts
    74

    Re: Time's up?

    Originally posted by Astrogoth
    3.0 Beta is out now for the SA Tivo's. It also says the update is sent over the air.
    "I may be paranoid but that don't mean they're not out to get me"
    It just says the GUIDE Data will be sent over the air- so far nothing about software updates.

    Maybe the dTiVos will get it over the sat, maybe not. But the SA's still seem to be getting it through the phone...
