Now that AVS prohibits talk on just about every interesting hacking topic, this forum seems to be the ideal place to post the sort of hacks you can do directly to tivoapp (the main TiVo application).
These hacks directly modify the tivoapp executable. Before applying any of them, you really should save away the original tivoapp so that you can go back to it should the need arise.
Because of the way permissions work in Linux, you cannot modify the binary image of an executable if it's still running. Therefore, one suggested way of applying any hacks in this thread goes something like this:
1. Get the hack over to your TiVo somehow and then make sure it's executable: chmod +x /var/hack/bin/somehack
2. Shut down the tivoapp program: cd /tvbin ; ./switcherstart -k
   (Wait for the prompt to reappear. Sometimes you have to hit a remote control key to get that to happen.)
3. Make the root filesystem writeable: mount -o remount,rw /
4. Save away the original tivoapp if you haven't already done so: cp tivoapp tivoapp.orig
5. Apply the hack: /var/hack/bin/somehack
6. Make the root filesystem read-only again and then reboot: mount -o remount,ro / ; reboot
Keep in mind that hacks that alter tivoapp are *very* specific to both the type of TiVo you have and the software version you're running.
Also, feel free to make suggestions for hacks you'd like to see. I'll let you know how feasible they are.
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot.
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that backdoors are permanently enabled.
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that yellow star promo items are never shown in TiVo Central.
If you'd still like to see the promos recorded (but not show up as a menu item), then put "Teleworld Paid Programming" and "Advanced Paid Programming" in your Season Pass list. Then they'll show up as normal recordings.
Originally posted by MuscleNerd:
Here's a hack that patches the Series 1 tivoapp v3.1.0b such that 30-second skip mode is enabled by default. You can still toggle the mode using the normal backdoor; this patch just makes it so that it defaults to being enabled on reboot.

Can you suggest how to modify this to work on 2.5.5?
Originally posted by MuscleNerd:
Because of the way permissions work in Linux, you cannot modify the binary image of an executable if it's still running.

Although you can't modify the original tivoapp while it's running, you can rename it ("mv"). Here's what I did when making 30-sec skip the default:
1. FTP tivoapp to my PC.
2. Hexedit it.
3. Rename it "tivoapp.new".
4. (remount tivo root as read-write)
5. FTP tivoapp.new to tivo.
6. Telnet to tivo and do:
7. "mv tivoapp tivoapp.org"
8. "mv tivoapp.new tivoapp"
9. (remount as read-only)
10. restart
After renaming, the original tivoapp will still be used until a restart, or it's killed.
Last edited by TheWickedPriest; 11-19-2003 at 01:02 PM.
Originally posted by sanderton:
Can you suggest how to modify this to work on 2.5.5?

If you can somehow get me a copy of the 2.5.5 tivoapp, I can take a look at it and see if I find similar code to patch.
Yeah, TheWickedPriest makes two good points: you don't have to run these hacks directly if you're comfortable hex-editing (see the source code for the location to hex-edit), and you can use "mv" instead of "cp" if you want, in which case you don't need to shut down the switcher (but you'll still need to reboot afterwards (and don't forget to make that partition read-only before you reboot)).
Greetings,
Let me apologize in advance for the long post.
A Request:
If you get a few minutes could you post your permanent backdoor hack for a 3.0 SA Philips HDR. I've already gotten it, but that was because a nice person emailed it to me, thanks again. I noticed that a few other people had posted that they too were a few days too late to download it and your other hacks at "the other forum".
One suggestion:
A choice of how to sort the now playing list at boot would be a great hack in my opinion.
A Few Hex Editing Questions:
When hex editing, please be nice as I am a complete newbie at this, with Hex Workshop or UltraEdit, how do I know where to find the location of some of these settings? I know I can look at your source code and find the location that way, but I see garbled or meaningless, at least to me, text, on the right hand side of the addresses. Is there a setting I'm missing in both programs or is this a "programmers only" area?
Will the Tivo boot to serial bash with an incorrectly edited tivoapp? In other words if I screw it up will I have to pull the drives to restore the old tivoapp or will I have to completely restore from a backup?
Thanks for the great hacks,
Mikey
This is the Series 1 v3.0 version of the backdoor hack described earlier.
Originally posted by mikey:
If you get a few minutes could you post your permanent backdoor hack for a 3.0 SA Philips HDR.

No problem...I just posted it above.

Originally posted by mikey:
One suggestion: A choice of how to sort the now playing list at boot would be a great hack in my opinion.

Okay I'll look into that when I can.
And as for hex editing...most hex editors show the hex value in the left columns as ASCII characters in the right columns, so that you can easily identify strings. But the section of the program these patches affect doesn't usually contain strings...they're all PowerPC or MIPS instructions. Those instructions just look like gibberish on the right hand side.
If you want to actually decode the values as instructions, you'd use a disassembler, not a hex editor. A disassembler would show the values around that backdoor patch as:
Code:
1b8ed38: 7f 64 db 78   mr   r4,r27
1b8ed3c: 48 00 02 41   bl   0x1b8ef7c
1b8ed40: 83 9f 00 08   lwz  r28,8(r31)
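To show how the bytes in the listing above map to those mnemonics, and why a hex editor's ASCII column shows gibberish for them, here is an added example that is not part of the original posts or of any tool named in the thread. It decodes only the three PowerPC instruction forms in the listing; the function names are illustrative and the sample bytes are copied from the listing.

```python
import struct

# Constructed input: the three instruction words from the listing in the post above.
SAMPLE = bytes.fromhex("7f64db78" "48000241" "839f0008")
BASE = 0x1B8ED38  # address of the first word in that listing

def sign_extend(value, bits):
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def decode(word, addr):
    """Decode one PowerPC word; only the three forms in the listing are handled."""
    opcd = word >> 26
    rt, ra, rb = (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31
    if opcd == 18:  # I-form branch: 24-bit LI, then AA and LK flag bits
        disp = sign_extend(word & 0x03FFFFFC, 26)
        aa, lk = (word >> 1) & 1, word & 1
        mnemonic = "b" + ("l" if lk else "") + ("a" if aa else "")
        return f"{mnemonic} {(disp if aa else addr + disp) & 0xFFFFFFFF:#x}"
    if opcd == 32:  # D-form: lwz RT,D(RA)
        return f"lwz r{rt},{sign_extend(word & 0xFFFF, 16)}(r{ra})"
    if opcd == 31 and (word >> 1) & 0x3FF == 444:  # X-form: or RA,RS,RB
        if rt == rb and not word & 1:
            return f"mr r{ra},r{rt}"  # simplified mnemonic when RS == RB
        return f"or{'.' if word & 1 else ''} r{ra},r{rt},r{rb}"
    return f".long {word:#010x}"  # anything else is left undecoded

def ascii_column(data):
    """What a hex editor's right-hand column shows for these bytes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def disassemble(data, base):
    lines = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (word,) = struct.unpack_from(">I", data, off)  # words are stored big-endian
        raw = data[off:off + 4].hex(" ")
        lines.append(f"{base + off:x}: {raw} {decode(word, base + off)}")
    return lines

if __name__ == "__main__":
    print("ASCII column:", ascii_column(SAMPLE))
    print("\n".join(disassemble(SAMPLE, BASE)))
```

The branch target is computed relative to the instruction's own address, which is why the base address from the listing has to be supplied to reproduce `0x1b8ef7c`.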
Originally posted by MuscleNerd:
You'd use a disassembler,

What disassembler do you use? Olly is win32 only. Haven't tried IDA.
[EDIT] IDA 4.3.0 works fine.
NutKase
Last edited by NutKase; 12-13-2003 at 04:31 AM.
"God, and DealDataBase, help those that help themselves." --Shamelessly stolen from psxboy
------------------------------------------------
2 each, SA S2 287hr 7.2.1a's with Lifetime.
Hacks: 1 Manually Monte'd -140, Bash,Telnet,FTP,TivoWebPlus,
Superpatch-67all Unscrambled/HMO,MFS_FTP Ver. N,TyTools, tivoserver
Fully hacked SA S1
Originally posted by NutKase:
What disassembler do you use? Olly is win32 only. Haven't tried IDA.
NutKase

um, i don't think olly supports mips or ppc, regardless of whether it's windows only or not.
Step one: search button!
Silly Wabbit, guides are for kids
Originally posted by mrblack51:
um, i don't think olly supports mips or ppc, regardless of whether it's windows only or not.

I guess I wasn't clear, I meant x86. Anyway, IDA has several options for mips:
mipsb = Little endian
mipsl = Big endian (I think this one.)
and mipsr = Didn't find much on this one.
Which do I use? I've tried them all and I get:
IDA kernel and IDP module mips.w32 are not compatible.
There are tons of other setup options that I may be missing for IDA though. Any ideas?
NutKase