
Thread: Internet enabling your TiVo; security solution with Java

  1. #1
    Join Date
    Jun 2004
    Posts
    2

    Internet enabling your TiVo; security solution with Java

    Hello. I am pretty new to the TiVo hacking but an experienced networking and Java guy.

    For the purposes of this thread, I have (and assume you have) the TiVo hacked as desired with things like TivoWeb and streaming video all set up and working. But I want to be able to access these things from anywhere on the Internet, not just my LAN.

    The problem is there is no secure way to expose those services to the Internet. TivoWeb at least supports HTTP authentication (not that secure), but the other services like FTP and streaming offer no security capability at all that I am aware of. (I've read the threads on the topic, and people seem to be confusing having a firewall with security for *exposed* services. A firewall only protects services that you don't expose to the Internet; i.e., *YOU* can't access them either.)

    I have a solution to this in mind that uses an open source Java project called SocketSwitchboard. (http://sourceforge.net/projects/sbdaemon/) "... SocketSwitchboard can act as a virtual router or proxy, allowing restricted access to network services. Currently, SocketSwitchboard supports constraints based on IP address range, IP address pattern match, hostname pattern match, time of day, day of week, and SSL client authentication."

    The SSL client authentication support in this program provides robust security for any service you want to run on your TiVo (FTP, streaming, TivoWeb, etc.) This program also has the additional security benefit of allowing you to remap a service (such as TivoWeb on port 80) to any arbitrary port desired, making it harder for port scanners to know what services are running.

    Anyway, now on to my question... All that is needed to run this program is the JVM (aka Java Virtual Machine aka JRE aka Java Runtime Environment). Has anyone tried to install a JVM on their Tivo? Before pursuing this, I wanted to learn of anyone else's experiences trying. I don't think it will create any space concerns, and performance should be adequate.

    Ideally, the install could be done by running the linux install on another machine, and just FTP'ing the needed files and adding the bin to the path. I would prefer to avoid executing the installer on the Tivo to prevent any possible unintended side effects.

    Any input or suggestions from people who have attempted this would be great. And, if there is interest, I can report my progress here implementing SocketSwitchboard for gaining secure Internet access.

  2. #2
    Join Date
    May 2003
    Posts
    67
    As a Java developer and moderately experienced Tivo hacker (not nearly on the level of some on this board, but enough for this), I would say you will have problems running this thing on a Tivo box. The JVM is memory hungry and you've got, depending on Tivo model, a max of 32MB of RAM in the machine. That's not much to run all the stuff a Tivo runs and still have room for a JVM.

    I know they have small footprint JVMs for mobile phones and such, but I don't think they will do what you need. And I really think performance will suffer. I love coding in Java, but it's the wrong tool for this job, IMO.

    If you want secure access to your TivoWeb, use a proxy of some kind. I have a Linux based server/firewall box on my LAN that handles this for me. I use SSH to create the tunnel so I can connect to my box from anywhere I can install an SSH client. There are other ways, but this works for my needs. It's encrypted, and authenticated. I could have enabled mod_proxy for my Apache server as well, as I already have SSL working there. You could also use this Java app on your firewall, I just already had SSH set up and working and I prefer to keep open services to a minimum on my server.

    Hell, if you don't want a regular computer running 24/7, get a Linksys WRT-54G wireless router and install one of the hacked Linux packages on it. They have SSH on those. Then download the free Putty SSH client and use it to create your tunnel.

    You mentioned FTP and streaming... I wouldn't use those remotely on less than a T1. It would just take too damn long to be worthwhile. My upstream is only 256K on a good day. It works great for Tivoweb+, but I would never stream over it. If I want to install hacks remotely, I just SSH into my server and use FTP and telnet from there to work on the Tivo. In theory I could use SSH to create a tunnel for FTP or Streaming, I've just never done it for speed reasons.

  3. #3
    Join Date
    Jul 2003
    Location
    NYC
    Posts
    339
    I'm confused...

    how do you set up the ssh tunnel from the internet->WRT54G->tivoweb?

  4. #4
    Join Date
    Oct 2003
    Location
    Somewhere in CA
    Posts
    503
    LinkSys WRT54G has an open source firmware, start here to download the Sveasoft firmware, which basically allows you to run SSHD on the router. Once you get that going, use something like Tera Term Pro with SSH to do SSH port forwarding (example, forward localhost port 80 to tivo port 80). While connected to the SSHD, point your browser to http://localhost:80, and TTSSH will forward the traffic to your Tivo. So, your Tivo is behind the firewall, and traffic is encrypted via SSH. You can forward multiple ports at the same time, so you could access TivoWeb and Tivo Telnet, and/or mfs_ftp at the same time if you really want.

  5. #5
    Join Date
    Feb 2003
    Posts
    155
    You might look into OrenoSP.
    It's a reverse proxy server for windows. You will need to keep another machine up though.

  6. #6
    Join Date
    Jun 2004
    Posts
    2
    OK, so sounds like the JVM would be too much for the Tivo box.

    I've used SSH before, but not for tunneling. Would it be possible to install it directly on the Tivo box rather than on the router or on another 24/7 machine on the LAN?

    My fallback plan would just be the 24/7 second host, but I'm trying to see if I can avoid all that overhead. I have two routers (arranged as follows), but I'm not sure if either of them can run SSH.

    Internet --> NetGear WGR614 (wireless) --> D-Link DI-704P --> LAN w/Tivo
                                          \--> WLAN

  7. #7
    Join Date
    Jun 2001
    Posts
    3,108
    Quote Originally Posted by ttabbal
    As a Java developer and moderately experienced Tivo hacker (not nearly on the level of some on this board, but enough for this), I would say you will have problems running this thing on a Tivo box. The JVM is memory hungry and you've got, depending on Tivo model, a max of 32MB of RAM in the machine. That's not much to run all the stuff a Tivo runs and still have room for a JVM.

    I know they have small footprint JVMs for mobile phones and such, but I don't think they will do what you need. And I really think performance will suffer. I love coding in Java, but it's the wrong tool for this job, IMO.

    have you ever found a J2ME implementation that runs on mips linux? I looked around, but couldn't find one. that would be highly useful IMHO
    Step one: search button!
    Silly Wabbit, guides are for kids

  8. #8
    Join Date
    May 2003
    Posts
    67
    Quote Originally Posted by mrblack51
    have you ever found a J2ME implementation that runs on mips linux? I looked around, but couldn't find one. that would be highly useful IMHO

    Nope. I haven't done much with J2ME, but I have never seen one for MIPS Linux. I found this with a quick google search as you got me thinking.. http://www.linuxdevices.com/products/PD8658640976.html

    You might be able to cross-compile it to work on an S2 I suppose.


    As for the original topic.. I wouldn't expose the Tivo to the internet. Not even one port. Tivos aren't designed for it, and the IP stuff in the kernel is not very advanced. It also seems very touchy, I could easily see a DOS on your Tivo being easy from the internet. The CPU and RAM for SSH probably aren't too bad, except the key exchange, which might cause you issues. SSHD also uses authentication, and as there are no user accounts on Tivo, I'm not sure how it would handle that. It might be able to handle it if you added a passwd file, but I suspect there is more required. Honestly, another box isn't much overhead. I use a K6-3/500 for mine. Nothing special, uses little power, and can do a lot of work. A 486 would probably work if you only needed SSH. I do a little dynamic web content and email. SPAM scanning takes a fair bit of CPU.

  9. #9
    Join Date
    Aug 2003
    Posts
    1,285
    Quote Originally Posted by ttabbal
    Hell, if you don't want a regular computer running 24/7, get a Linksys WRT-54G wireless router and install one of the hacked Linux packages on it. They have SSH on those. Then download the free Putty SSH client and use it to create your tunnel.
    That's a great idea!!

    AVD, you run sshd on the Linksys, which could also be behind another firewall.

    The machine that you are connecting from would need a ssh client like putty. You point your web browser to your localhost running ssh client. The http connection is "tunnelled" through the secure connection between your ssh client and sshd. The sshd on the linksys then forwards the http connection when it exits the tunnel to the Tivo.

    browser-->ssh client--TUNNEL--sshd-->Tivo

    I've got to try this!
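
The tunnel described in posts #4 and #9, written out as OpenSSH configuration. This is an added example, not part of any poster's message; it assumes an OpenSSH server on the gateway box, and the hostname `home.example.net`, the account `tivotunnel`, the key path and the TiVo address `192.168.1.50` are placeholders.

```sshconfig
# ---- Client side: ~/.ssh/config on the machine you browse from ----
# Start with:  ssh -N tivo-gw
# Then browse to http://127.0.0.1:8080/ for TivoWeb.
Host tivo-gw
    # Placeholder public name of the gateway (router or server running sshd)
    HostName home.example.net
    # Placeholder account used only for forwarding
    User tivotunnel
    # Placeholder key path; IdentitiesOnly stops the client offering other keys
    IdentityFile ~/.ssh/id_tivo_gw
    IdentitiesOnly yes
    # Bind to loopback so other hosts on the client's network cannot use the tunnel.
    # TivoWeb (TiVo port 80, as in post #4)
    LocalForward 127.0.0.1:8080 192.168.1.50:80
    # TiVo telnet
    LocalForward 127.0.0.1:2323 192.168.1.50:23
    # Fail instead of giving a session with a missing forward
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# ---- Gateway side: additions to /etc/ssh/sshd_config ----
# Key-only logins; the gateway is the one service exposed to the Internet.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
GatewayPorts no

# Match blocks go at the end of sshd_config.
# The tunnel account may forward to the TiVo's two ports and do nothing else.
Match User tivotunnel
    AllowTcpForwarding local
    PermitOpen 192.168.1.50:80 192.168.1.50:23
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /bin/false
```

With `PermitOpen` in place, a stolen key for this account reaches only the two listed TiVo ports rather than the whole LAN.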

  10. #10
    Join Date
    Dec 2003
    Posts
    233
    Quote Originally Posted by Sleeper
    The machine that you are connecting from would need a ssh client like putty. You point your web browser to your localhost running ssh client. The http connection is "tunnelled" through the secure connection between your ssh client and sshd. The sshd on the linksys then forwards the http connection when it exits the tunnel to the Tivo.

    browser-->ssh client--TUNNEL--sshd-->Tivo

    I've got to try this!
    I've been doing this (actually something similar using a linux ssh client) for six months. Works great!

  11. #11
    Join Date
    Aug 2003
    Posts
    1,285
    Quote Originally Posted by jonbig
    I've been doing this (actually something similar using a linux ssh client) for six months. Works great!
    PC or embedded?

  12. #12
    Join Date
    Dec 2003
    Posts
    233
    Quote Originally Posted by Sleeper
    PC or embedded?
    Neither actually.

    My sshd server is a Sun Ultrasparc 10. But any PC running Linux would work as well.

    I do use either Windows or Linux on the client end.

  13. #13
    Join Date
    Aug 2003
    Posts
    1,285
    Quote Originally Posted by jonbig
    My sshd server is a Sun Ultrasparc 10. But any PC running Linux would work as well.
    Yeah, I don't run a dedicated server at my home, so the idea of cheap embedded solution is really cool. I'm always mucking with my linux distro and I don't like the idea of using a wintel box as a server.

  14. #14
    Join Date
    Jul 2004
    Location
    Eastern Seaboard
    Posts
    20
    Quote Originally Posted by Sleeper
    Yeah, I don't run a dedicated server at my home, so the idea of cheap embedded solution is really cool. I'm always mucking with my linux distro and I don't like the idea of using a wintel box as a server.
    We run a dedicated server for our home security business, so using ssh on that server to get to the Tivo works great!! You should try it sometime!

    --Robert
    3.1.0c2 Upgrade with all the goods: Alarmtronics SleepyISO 1.1!

  15. #15
    Join Date
    Jul 2003
    Posts
    770
    I use ssh to access tivoweb via a Treo600 cell phone. First I use a palm ssh client to log into my firewall. I then launch a script that opens an SSL tunnel/port forward to the Tivoweb using stunnel to one of my three tivos (I never need to access more than one). The tunnel listens on a non-standard port and the script expires the tunnel after 1 hour. I only open it to the IP addresses used by the Sprint web proxies and have password authentication enabled on my Tivoweb. I would rather have it so the access goes through a reverse squid proxy using SSL but I was too lazy to set it up. It's not perfect but secure enough for me.

    Sprint charges $15/month for unlimited net access from the Treo. It's fun to access my Tivo from anywhere I can find a PCS cell repeater. It's akin to the experience Jeff Keegan wrote about with accessing the tivo with his palm pilot at a football game. The Treo has become my second favorite piece of electronics.



    Edited for grammar and content
    Last edited by cojonesdetoro; 07-18-2004 at 10:31 PM.
    perl -e 'print unpack("u","\@2\&\%V92\!Y;W4\@:&\%C:V5D(\%E/55\(\@5\&EV\;R\!T;V1A>3\\-\`"),"\n";'
