Page 4 of 9 FirstFirst ... 23456 ... LastLast
Results 46 to 60 of 131

Thread: tivoapp patches

  1. #46
    Join Date
    Aug 2003
    Posts
    2,149

    7.1a-01 NoCSO Disable Encryption Patch Location

    I have version 7.1a (7.1a-01-2-240 to be exact) on my SA.



    NoCSO - Disable Encryption

    --------------------------------------------------------------------------------
    Code:
    All Values are Hex
    
    Sw Version          Offset (VMA)     Original Value      New Value
    7.1a                691284           0320f809            3C020000
    In order to keep in the style of this thread, since the address is a VMA from the disassembly, you'll have to subtract the offset getting the patch location 0x00291284.


    NutKase

    [EDIT] Here's the rest of the 7.1a patch locations. I'll fill in as I get them.

    Code:
    All Values are Hex
    
    Patch                  Offset (VMA)     Original Value      New Value
    30 Second Skip         ff7fd4           1040001d            1440001d
    Backdoors              93bc8c           00008821            24100001


    [EDIT] Here are the 7.1b patch locations, since 7.1a didn't last long.

    Code:
    All Values are Hex
    
    Patch                  Offset (VMA)     Original Value      New Value
    30 Second Skip         ff7fa0           1040001d            1440001d
    Backdoors              93bcc4           00008821            24100001
    NoCSO                  691290           0320f809            3C020000
    Last edited by NutKase; 07-08-2005 at 02:37 AM. Reason: Added 7.1b patch locations for clarity
    "God, and DealDataBase, help those that help themselves." --Shamelessly stolen from psxboy
    ------------------------------------------------
    2 each, SA S2 287hr 7.2.1a's with Lifetime.
    Hacks: 1 Manually Monte'd -140, Bash,Telnet,FTP,TivoWebPlus,
    Superpatch-67all Unscrambled/HMO,MFS_FTP Ver. N,TyTools, tivoserver
    Fully hacked SA S1

  2. #47
    Join Date
    Oct 2003
    Posts
    13

    3.1.5f patches

    The only different patch location for 3.1.5f versus 3.1.5e is the NO CSO patch. All others remained the same. All address are actual locations not the VMA.

    30 Second Skip
    3.1.5f 0x0033C420 10400024 -> 14400024

    Directory Sort
    3.1.5f 0x00291FA8 A22000E0 -> A22200E0

    Enable backdoors
    3.1.5f 0x00348414 02802821 -> 24050001

    Disable Encryption

    3.1.5f 0x006A93EC 0320F809 -> 3C020000

    Disable Yellow Stars
    3.1.5f 0x002baa50 12200007 -> 00000000

    Edit: Removed caveat from post. Patches have been tested
    Last edited by m4mmut; 03-09-2005 at 01:48 PM.

  3. #48
    Join Date
    May 2004
    Posts
    253

    7.2?

    Has anyone figured out the 7.2 patches yet? I'd take a crack at it, if I had any any clue how to.

    I did do a bit of searching and comparing (with 7.1b) using hexedit, but didn't find anything close in the same area. Looking for a NoCSO patch location, the first appearance of 0x0320f809 after location 0x280000 is at 0x29D598, way different than the 7.1x tivoapps.

    I can provide the tivoapp if someone who knows how is willing to take a look.

  4. #49
    Join Date
    Jan 2005
    Posts
    127
    Quote Originally Posted by mike_s
    Has anyone figured out the 7.2 patches yet? I'd take a crack at it, if I had any any clue how to.

    I did do a bit of searching and comparing (with 7.1b) using hexedit, but didn't find anything close in the same area. Looking for a NoCSO patch location, the first appearance of 0x0320f809 after location 0x280000 is at 0x29D598, way different than the 7.1x tivoapps.

    I can provide the tivoapp if someone who knows how is willing to take a look.
    Untested, but this looks right to me:
    Code:
    All Values are Hex
    
    Sw Version         Offset (VMA)     Original Value      New Value
    7.2.0-oth-01-2     5893e0           0c16ae9e            3C020000
    7.2.0-elm-01-2     58e960           0c16c8d2            3C020000
    7.2.0-tak-01-2     5c7578           0c17b5d4            3C020000
    Hint: looking at hex won't work very well for porting patches to 7.2. The compiler used to compile tivoapp changed, and a number of things are different now. For example, most calls are with jal instead of jalr. You really need a disassembler to make much progress. See this thread. The script there needs some changes to recognize the new patterns for string references and function calls in 7.2.
    Last edited by 7.1; 09-04-2005 at 04:48 PM. Reason: Add -tak- and -elm- patches

  5. #50
    Join Date
    May 2004
    Posts
    253
    Quote Originally Posted by 7.1
    Untested, but this looks right to me:
    Code:
    All Values are Hex
    
    Sw Version         Offset (VMA)     Original Value      New Value
    7.2.0-oth-01-2     5893e0           0c16ae9e            3C020000
    Thanks. That works, recorded a clip, and it plays fine in TyTool and with vserver.

  6. #51
    Join Date
    Jan 2005
    Posts
    27
    Quote Originally Posted by 7.1
    Hint: looking at hex won't work very well for porting patches to 7.2. The compiler used to compile tivoapp changed, and a number of things are different now. For example, most calls are with jal instead of jalr. You really need a disassembler to make much progress. See this thread. The script there needs some changes to recognize the new patterns for string references and function calls in 7.2.
    7.1,

    I'm running on 7.2.0-tak-01-2-275 (Pioneer DVR-810H), and I just took a look in my tivoapp using the more naive method (a hex editor) - the string
    Code:
    0c 16 ae 9e
    isn't present anywhere in the app, which I guess isn't very surprising, based on your comment that hex editors aren't the way to go with newer versions of tivoapp.

    Unfortunately, I took a read through the disassembly thread, and it appears to be way over my head. If you're willing to take a look at that version, I can arrange to get you a copy of the tivoapp.

  7. #52
    Join Date
    May 2004
    Posts
    253
    Quote Originally Posted by bdjohns1
    7.1,

    I'm running on 7.2.0-tak-01-2-275 (Pioneer DVR-810H), and I just took a look in my tivoapp using the more naive method (a hex editor) - the string
    Code:
    0c 16 ae 9e
    isn't present anywhere in the app, which I guess isn't very surprising, based on your comment that hex editors aren't the way to go with newer versions of tivoapp.
    Look at offset 0x1893e0. The address given (0x5893e0) is the VMA (Virtual Memory Address) location. They differ by 0x400000.

  8. #53
    Join Date
    Aug 2004
    Posts
    4,075
    It appears there are different 7.2.0 versions of tivoapp for different hardware. -elm- is for the humax dvd recorders, IIRC. -tak- is for the Pioneer units. -oth- is everything else, AFAIK. The patch locations will vary slightly depending on the exact software version.
    Last edited by Jamie; 09-04-2005 at 05:04 PM.

  9. #54
    Join Date
    Jan 2005
    Posts
    27
    Quote Originally Posted by mike_s
    Look at offset 0x1893e0. The address given (0x5893e0) is the VMA (Virtual Memory Address) location. They differ by 0x400000.
    Thanks for the pointer on the VMA - I knew there was an offset, but wasn't aware what it was, which was why I did the global search. In any case, the 8 bytes at 0x1893e0 in my tivoapp are 00 00 00 00, so I'm pretty sure that's not what we're looking for...

    Jamie,

    7.1 has agreed to take a look at my tivoapp, so hopefully he'll be able to pull out the right offsets.

  10. #55
    Join Date
    Apr 2003
    Posts
    2,402
    Quote Originally Posted by bdjohns1
    Thanks for the pointer on the VMA - I knew there was an offset, but wasn't aware what it was, which was why I did the global search. In any case, the 8 bytes at 0x1893e0 in my tivoapp are 00 00 00 00, so I'm pretty sure that's not what we're looking for...

    Jamie,

    7.1 has agreed to take a look at my tivoapp, so hopefully he'll be able to pull out the right offsets.
    Did you try the right offset for your version?
    Quote Originally Posted by 7.1
    7.2.0-tak-01-2 5c7578 0c17b5d4 3C020000
    So that would be 0x1C7578 I guess.

    ew

  11. #56
    Join Date
    Jan 2005
    Posts
    127
    I edited in the -tak- patch after bdjohns1 post, so he may not have seen it yet.

  12. #57
    Join Date
    Jan 2005
    Posts
    27

    Thumbs up Works for Pioneer DVR810H

    Quote Originally Posted by 7.1
    Untested, but this looks right to me:
    Code:
    All Values are Hex
    
    Sw Version         Offset (VMA)     Original Value      New Value
    7.2.0-tak-01-2     5c7578           0c17b5d4            3C020000
    Confirmed that this is working via ciphercheck.tcl and by extracting using TyTool. Thanks very much, 7.1!

  13. #58
    Join Date
    Sep 2004
    Posts
    8
    Quote Originally Posted by 7.1
    Untested, but this looks right to me:
    Code:
    All Values are Hex
    
    Sw Version         Offset (VMA)     Original Value      New Value
    7.2.0-oth-01-2     5893e0           0c16ae9e            3C020000
    7.2.0-elm-01-2     58e960           0c16c8d2            3C020000
    7.2.0-tak-01-2     5c7578           0c17b5d4            3C020000
    I can also verify that the patch for -oth- is valid.

    Thanks everyone.
    2 SA2
    1 40hr upgraded to 186hr and running 9.1-01-2-140
    1 40hr upgraded to 181hr and running 9.3-01-2-140
    TivoWebPlus 2.0
    Vstream
    etc....

  14. #59
    Join Date
    Jan 2004
    Posts
    26

    3.1.5f easier

    For newbies:

    cd /tvbin
    mv tivoapp tivoapp.tmp
    cp tivoapp.tmp tivoapp
    chmod 755 tivoapp

    30 Second Skip
    3.1.5f 0x0033C420 10400024 -> 14400024
    echo -ne "\x14\x40\x00\x24" | dd conv=notrunc of=tivoapp bs=1 seek=3392544

    Directory Sort
    3.1.5f 0x00291FA8 A22000E0 -> A22200E0
    echo -ne "\xA2\x22\x00\xE0" | dd conv=notrunc of=tivoapp bs=1 seek=2695080

    Enable backdoors
    3.1.5f 0x00348414 02802821 -> 24050001
    echo -ne "\x24\x05\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=3441684

    Disable Encryption
    3.1.5f 0x006A93EC 0320F809 -> 3C020000
    echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6984684

    Disable Yellow Stars
    3.1.5f 0x002baa50 12200007 -> 00000000
    echo -ne "\x00\x00\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2861648

  15. #60
    Join Date
    Sep 2003
    Posts
    81
    Based on http://www.dealdatabase.com/forum/ne...ote=1&p=247117 the 3.5 S1 DTiVo patch for disable scrambling is

    Code:
    echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5108848

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •