Hdvr2 hack idea
OK, first, I haven't hacked my new HDVR2. I will real soon, though. This question is posed more as a hypothetical.
Assuming for a moment that our hypothetical HDVR2 has the U5 BASH_ENV hack enabled, is it possible to insmod a custom driver (one that did not come with the HDVR2)? Does the kernel do signing/hash checking on modules? If it doesn't, perhaps there's a way to exploit this.
If we can run privileged code, wouldn't it be possible to reboot the TiVo without using the PROM? We would have to create code that did basically the same thing as the PROM without the kernel signature checking, except that instead of loading and bootstrapping the U5 kernel, we bootstrap the latest up-to-date kernel. With the replaced initrd, we would then be running an up-to-date kernel/system, but fully exploitable.
It's been a long time since I've played with MIPS, and I don't know much about the DTiVo's internals, but I've done this very trick on other architectures (and it works pretty slick).
The downside to this kind of hack is that it basically doubles the boot time. The upside is that you don't have to replace the PROM to boot an arbitrary kernel (the zen of DTiVo hacking?).
All hypothetical until I get my DTiVo hacked and can start playing around with this idea. Comments from the gurus around here?
Once a backdoor exists, you can never take it back.
Basically, what you are talking about is the two-kernel-monte idea. It has been implemented on an x86 system, but I'm not sure if anyone has done it on a MIPS system. Basically, you use one kernel to chain-load a second kernel.
As for the checks, they go like this:
The PROM loads, then checks itself.
The PROM checks the kernel.
The kernel checks the filesystem. If a file fails its hash check, it will replace it if a clean copy is available (rc.sysinit is replaced, for example), or just delete it if not. The TiVo will then reboot if any of the checks fail, or continue if they all pass.
Once you have booted into a compromised kernel, such as 3.1.U5, you can do whatever you want to. If you have the expertise to design a chain-loading system for a MIPS kernel, I'm sure many would love you for it.
Basically, the idea would be to allow all the checks to occur and pass, break into the system using BASH_ENV, then modify the kernel in memory or the PROM in memory, and essentially soft-reboot the system. From there, you should be golden. Kinda similar to how the Xbox-Linux team does stuff.
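Here is an added model of the three-stage check chain the reply above lists (PROM checks itself, PROM checks the kernel, kernel checks the filesystem and repairs or deletes failing files, rebooting on any failure). It is illustrative code written for this thread, not TiVo firmware or anything posted by the participants; the hash algorithm (SHA-1), the dict standing in for the filesystem, and the file names in the sample scenario are assumptions. It covers only what the post describes, so the checks run against stored images at boot and nothing re-examines the running kernel afterwards, which is the gap the chain-loading idea relies on.

```python
# Added model of the boot-time integrity chain described in the post above.
# Illustrative code written for this thread, not TiVo firmware.
# Assumptions: SHA-1 as the hash, a dict as the "filesystem", and the
# constructed file names and contents used in scenario().
import hashlib


def digest(data: bytes) -> str:
    """Hash of an image or file (SHA-1 is an assumption, not TiVo's choice)."""
    return hashlib.sha1(data).hexdigest()


def check_filesystem(fs: dict, manifest: dict, clean_copies: dict) -> bool:
    """Kernel stage: verify every manifest entry against the filesystem.

    A file that fails (or is missing) is replaced from a clean copy when one
    exists, otherwise deleted. Returns True only if every entry passed.
    """
    all_passed = True
    for path, expected in manifest.items():
        actual = digest(fs[path]) if path in fs else None
        if actual == expected:
            continue
        all_passed = False
        if path in clean_copies:
            fs[path] = clean_copies[path]   # repaired, e.g. rc.sysinit
        else:
            fs.pop(path, None)              # no clean copy: just delete it
    return all_passed


def boot(prom: bytes, prom_hash: str, kernel: bytes, kernel_hash: str,
         fs: dict, manifest: dict, clean_copies: dict) -> str:
    """One pass through the chain; 'reboot' as soon as any stage fails."""
    if digest(prom) != prom_hash:           # PROM checks itself
        return "reboot"
    if digest(kernel) != kernel_hash:       # PROM checks the kernel
        return "reboot"
    if not check_filesystem(fs, manifest, clean_copies):  # kernel checks fs
        return "reboot"
    return "continue"


def scenario() -> dict:
    """Constructed sample run: a clean box, a patched rc.sysinit (clean copy
    available), and a patched binary with no clean copy on hand."""
    prom = b"constructed PROM image"
    kernel = b"constructed 3.1 kernel image"
    stock = {
        "/etc/rc.d/rc.sysinit": b"#!/bin/bash\n# stock init script\n",
        "/tvbin/tivoapp": b"constructed stock application binary",
    }
    manifest = {path: digest(data) for path, data in stock.items()}
    # Only rc.sysinit has a spare clean copy to restore from.
    clean_copies = {"/etc/rc.d/rc.sysinit": stock["/etc/rc.d/rc.sysinit"]}
    args = (prom, digest(prom), kernel, digest(kernel))
    out = {}

    fs = dict(stock)
    out["clean"] = boot(*args, fs, manifest, clean_copies)

    fs = dict(stock)
    fs["/etc/rc.d/rc.sysinit"] += b"# constructed tamper\n"
    out["patched_init_first"] = boot(*args, fs, manifest, clean_copies)
    out["init_restored"] = fs["/etc/rc.d/rc.sysinit"] == stock["/etc/rc.d/rc.sysinit"]
    out["patched_init_second"] = boot(*args, fs, manifest, clean_copies)

    fs = dict(stock)
    fs["/tvbin/tivoapp"] = b"constructed patched binary"
    out["patched_app_first"] = boot(*args, fs, manifest, clean_copies)
    out["app_deleted"] = "/tvbin/tivoapp" not in fs
    # A missing file still fails its hash, so this box loops on reboot.
    out["patched_app_second"] = boot(*args, fs, manifest, clean_copies)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Running it shows the two outcomes the post describes: a patched rc.sysinit costs one reboot and is then restored, while a patched file with no clean copy is deleted and the box keeps rebooting because the missing file fails the check every time.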
two card monte with the kernel? A new possibility for hacking the HDVR2 w/o prom mods
Ah, already discussed. I didn't find that one.
I think that this kind of hack would be worth pursuing. I could implement this hack in a heartbeat on x86, but on MIPS it might take me a while.
Anyway, if anyone has more thoughts please post. I'll post more information here after I get my box hacked tonight.