killhdinitrd 0.9.x

[rc3105]

Posted on behalf of HD TeAm, 2004/08/03.

#######################

This utility disables the initial ramdisk (initrd) on various 3.x, 4.x & 5.x kernels in such a way that they still pass the prom signature check. No PROM modification is needed to boot the modified kernel.

Please donate to the EFF if you find this program useful. Suggested donation: $25. Paypal is also accepted: send to accounting@eff.org. If you wish, you may paste a link to this post in the "reasons" box so they are aware of our interests (fair use of legitimately purchased copyrighted materials).

TERMS OF USE: DO NOT DOWNLOAD THE ATTACHMENT IF YOU DO NOT ACCEPT THESE TERMS

This software is for personal, non-commercial use only. You MAY NOT sell or redistribute this software, modified versions, or ANY derivative work in ANY form, period.

This software, given a suitable TiVo kernel image, injects its own code into the image. THAT CODE IS COPYRIGHTED and distributed under the same terms as above. That is to say, ANY kernel image altered by this software is copyrighted both by us AND by TiVo (as their initrd is NOT covered by the GPL). You MAY NOT redistribute any kernel image modified by our software, or any derivative thereof.

You MAY examine or reverse engineer our code, but understand that doing so implies that any "clone" of killhdinitrd is a derivative work of our project and MAY NOT be redistributed in any form.

Verbatim, unmodified copies of this software may be hosted on dealdatabase.com.

As the SOLE exception to our no-redistribution policy, you may submit modified versions to ourselves or to the dealdatabase.com staff (privately); staff members may choose to post your modified copy. Our intent is that you will be allowed to add support for additional kernel versions, provided that our restrictions apply to any of the derivative works you create. If we use your modifications, we will give you credit.

This project exists for the sole purpose of allowing interoperability under 17 USC 1201(f). It is NOT to be used for circumventing controls on copyrighted material, and provides no facility for doing so.

End of terms

#######################

the DDB forum sponsor PTVupgrade has been granted exclusive rights to redistribute the killhdinitrd utility

this decision is the result of several factors, a few of which include

1) a substantial donation to the EFF

2) one of the more annoying ebay effects

as we've seen with other utils some will undoubtedly get suckered & come here for support. those folks should be greeted with the standard "contact the seller for support"

the util is free to anyone via ddb but no support is provided. ptv provides support to their customers so they won't clutter the forum with basic installation questions


this is a done deal - if you wish to debate the merits do so HERE or in the sewer

#######################

Edit 2004/09/29:

I am attaching source, documentation, and binaries for version 0.9.2. Per the license agreement, we (the DDB mods) have updated the release with patches submitted by DDB users.

#######################

Edit 2006/03/12:

Attached version 0.9.3, incorporating user-contributed support for the 7.2.2-oth-K1 kernel.

#######################

Edit 2006/12/12:

Updated 0.9.3 archive to include "mingw" directory for Win32 sources/binaries.

#######################

The supported kernels can be extracted from the following TiVo software releases:

Code:

7.2.2-oth-K1:  Linux version 2.4.20 (build@buildmaster50)
               (gcc version 3.3.4) #1 Tue Feb 14 20:55:02 PST 2006
               MD5: fd71b861a767de9ad4a13dc5f78b6ae1
               Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0

3.1.5:         Linux version 2.4.20 (build@buildmaster5)
               (gcc version 3.0) #22 Fri Feb 20 18:19:25 PST 2004
               MD5: 8d31d9eb8077a0a91a9356d23a4e9fb8
               Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0
               EXCEPT "140" series

3.1.1c:        Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
               (gcc version 3.0) #9 Wed Jan 7 10:05:19 PST 2004
               MD5: 8430fccf5c26bb5668c5e14ca3fc4582
               Supports DTiVo Uma4/Uma6, and all known SA Series2.0

4.0.1a:        Linux version 2.4.18 (build@buildmaster19)
               (gcc version 3.0) #38 Thu Oct 23 10:48:29 PDT 2003
               MD5: 567ffaf194278f82e7c7b86bb411c93e
               Supports DTiVo Uma4, and all known SA Series2.0

3.1.U5:        Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
               (gcc version 3.0) #27 Sat Sep 28 21:47:44 PDT 2002
               MD5: 5217ce0190595f4fe2461a429ce18121
               Supports DTiVo Uma4, and all known SA Series2.0
               (this kernel is supported but 3.1.1c is recommended)

2.4.18 from 4.0 is not supported as a suitable jump point has not been found. The 2.4.18/4.0 kernel support added in release 0.9.1 does not work in most circumstances. The newer Series2.5 "nightlight" models are not supported at all.

Please do not link directly to the file attachments. Link to this thread instead, to give your readers the benefit of updates, errata, and support information.

[JJBliss]

Do NOT post support questions in this thread. Any question not directly related to furthering the development of this hack will be summarily deleted.

There is a support thread in the Series 2 Support Forum located here

Edit:

Other useful resources:

Download killhdinitrd-compatible kernels
monte-mips: a way to chain-load a custom kernel (after you use killhdinitrd to compromise the box)
Discussion thread on using killhdinitrd with monte
Why you probably don't need a killhdinitrd that supports your exact software version

[alldeadhomiez]

MuscleNerd pointed out that some of the initrd kill offsets for 2.4.4-TiVo-3.0 on 3.1.1c did not match up:

Code:

        {
                "2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
                0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
                "\x02\x00\x28\x21"      /* do as i say, not as i do. */
                "\x3c\x1f\x80\x00"
                "\x20\x1e\x00\x3a"
                "\xa7\xfe\x4e\x4a"
                "\x20\x1e\x00\x33"
                "\xa7\xfe\x4e\x86"
                "\x20\x1e\x00\x30"
                "\xa7\xfe\x4e\x92"
                "\x20\x1e\x00\x2e"
                "\xa7\xfe\x4e\x9a"
                "\x3c\x1f\x80\x12"
                "\xaf\xe0\x68\xf0"
                "\x3c\x1f\x80\x00"
                "\x27\xff\x43\x2c"
                "\x03\xe0\x00\x08"
                "\x00\x00\x00\x00"
        },

Based on the changes made by killinitrd-3.x at tivoutils.sf.net, these are the new offsets I came up with:

Code:

	{
		"2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
		0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
		"\x02\x00\x28\x21"	/* do as i say, not as i do:
					   move $a1, $s0 */
		"\x3c\x1f\x80\x00"	/* lui $ra, 0x8000 */
		"\x20\x1e\x00\x3a"	/* li $s8, 0x003a */
		"\xa7\xfe\x4e\x4a"	/* sh $s8, 0x4e4a($ra) */
		"\x20\x1e\x00\x33"	/* li $s8, 0x0033 */
		"\xa7\xfe\x4e\x66"	/* sh $s8, 0x4e66($ra) */
		"\x20\x1e\x00\x30"	/* li $s8, 0x0030 */
		"\xa7\xfe\x4e\x72"	/* sh $s8, 0x4e72($ra) */
		"\x20\x1e\x00\x2e"	/* li $s8, 0x002e */
		"\xa7\xfe\x4e\x7a"	/* sh $s8, 0x4e7a($ra) */
		"\x3c\x1f\x80\x12"	/* lui $ra, 0x8012 */
		"\xaf\xe0\x68\xf0"	/* sw $zero, 0x68f0($ra) */
		"\x3c\x1f\x80\x00"	/* lui $ra, 0x8000 */
		"\x27\xff\x43\x2c"	/* addiu $ra, $ra, 0x432c */
		"\x03\xe0\x00\x08"	/* jr $ra */
		"\x00\x00\x00\x00"	/* nop */
	},

Remember that byte 0x20 of the kernel image is loaded to 0x80002000 on all known Series2 (NEC Vr5432 based) kernels.

Does "do as I say, not as I do" refer to the weird offsets, or does it refer to taking $a1 (BORD type) from $s0 - something that clearly breaks when you are loading the kernel from something other than the TiVo PROM code?

Both the original code and the new code worked correctly when I tried them, but it is disturbing to see potential corruption of kernel memory.

Comments?

[AlphaWolf]

For those of us who don't understand exactly what is going on here, how is it that these modifications do not invalidate the kernels' digital signature? AFAIK if so much as a single bit has been modified, the kernel signature will be invalidated unless you have the private keys to sign the modifications accordingly. How is this patch an exception to that?

MODs: This isn't a support question, I just want to understand the method in better detail. Feel free to move it if you feel it's inappropriate though.

[alldeadhomiez]

Here is a utility you can use to examine a ".px" file and split it into components.

[alldeadhomiez]

Hmm...I was previously under the assumption that the entire kernel image was factored into the digital signature.

Code:

        scripts/elfextract vmlinux vmlinux
        $(OBJCOPY) -O binary vmlinux vmlinux.data
        if [ -f extra ]; then cat extra >> vmlinux.data ; fi
ifeq ($(TV_FEATURE_STRONG_CRYPTO),0)
        dd if=/dev/zero bs=269 count=1 > vmlinux.sig
else
        $(TOOLROOT)/tvbin/crypto -sfh $(ROOT)/tvlib/keys/kernel-dev.prv vmlinux.data > vmlinux.sig
endif
        scripts/makeppceval vmlinux.info vmlinux.data vmlinux.sig vmlinux.px

Code is from linux/Makefile in some kernels (such as the 4.x source distribution).

"extra" is the initrd image.

[rc3105]

All HD TiVos are upgrading to 3.1.5d and 0.9.2 does not seem to support the new kernel. Is there a new version comming out so we can hack our HR10-250's again ?

Thanks,
Peter

stop cross-posting

[justdoit]

How do I find the kernel version number?

Tivo displays 7.2.2-oth.01-2-64 (I have a backup)
and in last 2-3 days got updated to 7.3.1 (I have a backup for this too)

Want to put telnet, ftp, etc on my Toshiba SD-H400.

Tried killhdinitrd on both versions but it reports
FATAL: No exploit found for this kernel

also If I do manage to get the hacks installed will they be removed during next update from tivo?

[Jamie]

Usage questions belong in the support thread, not the development thread.

Use the 7.2.2-oth-K1 kernel with any 7.x software version on a Series2. One source for kernels that work with killhdinitrd is the $5 PTVUpgrade lba48 CD.

[lims]

Unfortunately the CD doesnt work for those of us with the TDC649080 version (Series2 DT). Using any of the Kernels on the $5 CD ends up giving you a grey screen. Would be nice if there was a util to patch your own Kernel... yes yes I am lazy

[Omikron]

Unfortunately the CD doesnt work for those of us with the TDC649080 version (Series2 DT). Using any of the Kernels on the $5 CD ends up giving you a grey screen. Would be nice if there was a util to patch your own Kernel... yes yes I am lazy

If you have a S2DT, you shouldn't be using killhdinitrd at all. After you've replaced the PROM on your unit, you want to use replace_initrd to patch your kernel. Just searching for "replace_initrd" should yield some useful results.

[lims]

Thanks for the reply, I will give this a shot today.