Tips for 4.0 on your S2 DTivo

[hpmailman]

I haven't tried these yet but I seen different printf's posted here 4.01 and 4.0

4.01
printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=08300072

4.0
printf "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=8275016 {credit to MuscleNerd}

[hpmailman]

Does 4.x have any special security regarding network connections to the home office. Is there special encrypted handshake or something?
Would it be hard to fool my HDVR2 into thinking it was talking to the home office but instead talking to my laptop or another computer?

[mrblack51]

Originally posted by hpmailman
Does 4.x have any special security regarding network connections to the home office. Is there special encrypted handshake or something?
Would it be hard to fool my HDVR2 into thinking it was talking to the home office but instead talking to my laptop or another computer?

eh? are you talking about HMO or about telnet and such?

if HMO, you won't be able to get HMO working on your HDVR2 as of now. in the future, maybe...but not now. yes, i believe the tivo limits the connection to local lan tivos. you could fool the tivo by setting up a VPN connection between the two networks, so the remote stuff would see themselves as on the local network.

if you aren't talking about HMO, then VPN should work. im not sure what you are trying to do

[Juppers]

Yep, it seems the 2 byte patch is working. I found my error whatever problem. An attempt at inserting a program into the unit was the responsible party. The nowplaying structure is different, and it bascially pissed the unit off. It fixed right up and can record fine after I pulled that partial from the DB. You can't use the current mfs_ftp to import programs if anyone else wasn't aware, like I wasn't aware. Good news is that it seems with some minimal changes, it should work.

Bad news for those like me that hate the peanut remote, the constants that used to govern the remote don't seem to do much of squat. All the IR codes are there as far as I can see, I just can't find the toggle to let the Sony remote work. I'm almost a third through mapping out the constants, hoping to get lucky, or I'm going back to 3.1.1b.

Originally posted by NutKase
Worked fine when I was on 4.0, let me know how it goes.

NutKase

[MuscleNerd]

Originally posted by hpmailman
I would like to imitate the Tivo server. Have my HDVR2 call into my PC using the network.

The service connection itself makes no use of encryption or any other security features. So obviously, one of the quicker approaches would involve snooping the network during a legit connection to see what goes back and forth.

Note that some things that the service can send your box do require cryptographic signature checking. But much of what you can do doesn't involve that.

[Juppers]

I haven't looked into the patches, but here is a script that will change the backdoor code to T1V0.

[mrblack51]

Originally posted by Juppers
I haven't looked into the patches, but here is a script that will change the backdoor code to T1V0.

when i tried this, the backdoor code was different. i had to modify the script to use the backdoor code hash that i had.

[MuscleNerd]

Originally posted by nata2
What address does the 4.0 tivo make a service call to? can we just spoof the DNS by throwing a hosts file entry into the /etc dir on the box

The service call is made using an IP address directly, not a hostname -- so a hosts file entry wouldn't be useful.

Your logs should show that the IP address is 204.176.49.2, which is inside a UUNET domain. If you wanted to filter out that entire block of addresses, the CIDR is 204.176.0.0/14.

[mrblack51]

for those trying to get tivoweb up and going on your hdvr2 running 4.0, http://www.dealdatabase.com/forum/sh...Old#post119780 has some good info. the main thing you need to do in addition to the info mentioned there is to add "230" to the place in http-tt.tcl that is setting the dtivo variable. i ended up renaming phone.itcl because it was giving an error.

edit: this info is deprecated. tivowebplus fully supports 4.x. this stuff only applies to tivoweb 1.9.4

[NutKase]

Originally posted by mrblack51
when i tried this, the backdoor code was different. i had to modify the script to use the backdoor code hash that i had.

I don't suppose you have any idea what the hash is for 4.01? What direction should I take for finding it?

NutKase

[EDIT] I got this and no hash back when I ran it. I think it's Resource Group related. I never get any resource info from tivoweb either.
-----------------------------------------------------
bash-2.02# ./backdoor4.0.tcl
no such object:
while executing
"dbobj $tmpres get "String""
invoked from within
"transaction {
set swsysa [db $db open "/SwSystem/ACTIVE"]
set resgrp [dbobj $swsysa get ResourceGroup]
set tmpgrp [lindex $resgrp 1]
set tmpres [linde..."
(file "./backdoor4.0.tcl" line 7)
bash-2.02#

[mrblack51]

Originally posted by NutKase
I don't suppose you have any idea what the hash is for 4.01? What direction should I take for finding it?

NutKase

when you ran the script, what did it say? when i ran it, the script indicated what hash it found. i just took the one it spit out and plugged that into the script

[Juppers]

Yeah, I didn't actually compare the hash, I had already hunted it down and replaced it by hand long before moding that script with the correct resource location. For those that understand what they are doing, they can remove the validation check so it just sets the new hash. I'm not going to explain how, because it isn't really bright to blindly replace things.

Anyhow, my time with 4.0 is over until I figure out how to get my remote to work with it. Can't stand the peanut.

[mrblack51]

I was able to get mfs_ftp going for extraction on 4.0 on my s2. as with tivoweb, you need to edit the tzoffset.tcl file in a similar fashion to ensure that the script counts the unit as an 3.x dtivo, and make sure to get rid of the TimeZoneOld stuff.

I made similar edits to the NowShowing.tcl of tytools, but i am still getting the following error. i will try to track it down, but if others have ideas, let me know:

Code:

SERVER: We got a message! buf = 'SHOWING'
InitializeProgramOrDie failed: 0x190001

on the tytools side, it says "Sorry.. Could not obtain the list."

update: by using musclenerd's archive of the tyserver stuff, i got it working. the problem above was a somewhat unrelated mempool issue. after a reboot, it worked fine.

[mrblack51]

Originally posted by Zyll
I used Sleeper's script to set up Monte and install the hacks - everything seemed OK, but after playing around with mfs_ftp I'm getting "internal error 86" whenever I try to record (some kind of corruption in the todo list?). "clear all" doesn't fix it. I think that it probably happened after trying to insert, but these aren't well controlled experiments!

I'm going to start over, and try to figure out exactly what caused the problem this weekend.

i got an error 86 after some wierdness upgrading my gxcebot to 3.1.0b manually. it was cleared by doing a C & D todo list from the tivo menus. some have mentioned that extraction works on 4.0, but insertion currently doesn't, and can cause corruption of the mfs

[n4zmz]

Sequence for communication with the mothership:

204.176.49.2/tivo-service/mlog.cgi
(uploads svclog)
204.176.49.2/tivo-service/TCD411.cgi
(checks for new phone numbers)
204.176.49.2/tivo-service/HServer.cgi
(checks for new slices, ice.bnds, snow.bnds, etc. Sets parameters for subsequent communications including the location of the keyserver)
204.176.49.4/keyserver.cgi
(updates keyring for HMO keys, etc)
204.176.49.2/tivo-service/mlog.cgi
(uploads download status)