
Thread: killhdinitrd 0.9.x

  1. #1
    Join Date
    Mar 2002
    Posts
    1,339

    killhdinitrd 0.9.x

    Posted on behalf of HD TeAm, 2004/08/03.

    #######################

    This utility disables the initial ramdisk (initrd) on various 3.x, 4.x & 5.x kernels in such a way that they still pass the prom signature check. No PROM modification is needed to boot the modified kernel.

    Please donate to the EFF if you find this program useful. Suggested donation: $25. Paypal is also accepted: send to accounting@eff.org. If you wish, you may paste a link to this post in the "reasons" box so they are aware of our interests (fair use of legitimately purchased copyrighted materials).

    TERMS OF USE: DO NOT DOWNLOAD THE ATTACHMENT IF YOU DO NOT ACCEPT THESE TERMS

    This software is for personal, non-commercial use only. You MAY NOT sell or redistribute this software, modified versions, or ANY derivative work in ANY form, period.

    This software, given a suitable TiVo kernel image, injects its own code into the image. THAT CODE IS COPYRIGHTED and distributed under the same terms as above. That is to say, ANY kernel image altered by this software is copyrighted both by us AND by TiVo (as their initrd is NOT covered by the GPL). You MAY NOT redistribute any kernel image modified by our software, or any derivative thereof.

    You MAY examine or reverse engineer our code, but understand that doing so implies that any "clone" of killhdinitrd is a derivative work of our project and MAY NOT be redistributed in any form.

    Verbatim, unmodified copies of this software may be hosted on dealdatabase.com.

    As the SOLE exception to our no-redistribution policy, you may submit modified versions to ourselves or to the dealdatabase.com staff (privately); staff members may choose to post your modified copy. Our intent is that you will be allowed to add support for additional kernel versions, provided that our restrictions apply to any of the derivative works you create. If we use your modifications, we will give you credit.

    This project exists for the sole purpose of allowing interoperability under 17 USC 1201(f). It is NOT to be used for circumventing controls on copyrighted material, and provides no facility for doing so.

    End of terms

    #######################

    the DDB forum sponsor PTVupgrade has been granted exclusive rights to redistribute the killhdinitrd utility

    this decision is the result of several factors, a few of which include

    1) a substantial donation to the EFF

    2) one of the more annoying ebay effects

    as we've seen with other utils some will undoubtedly get suckered & come here for support. those folks should be greeted with the standard "contact the seller for support"

    the util is free to anyone via ddb but no support is provided. ptv provides support to their customers so they won't clutter the forum with basic installation questions


    this is a done deal - if you wish to debate the merits do so HERE or in the sewer

    #######################

    Edit 2004/09/29:

    I am attaching source, documentation, and binaries for version 0.9.2. Per the license agreement, we (the DDB mods) have updated the release with patches submitted by DDB users.

    #######################

    Edit 2006/03/12:

    Attached version 0.9.3, incorporating user-contributed support for the 7.2.2-oth-K1 kernel.

    #######################

    Edit 2006/12/12:

    Updated 0.9.3 archive to include "mingw" directory for Win32 sources/binaries.

    #######################

    The supported kernels can be extracted from the following TiVo software releases:

    Code:
    7.2.2-oth-K1:  Linux version 2.4.20 (build@buildmaster50)
                   (gcc version 3.3.4) #1 Tue Feb 14 20:55:02 PST 2006
                   MD5: fd71b861a767de9ad4a13dc5f78b6ae1
                   Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0
    
    3.1.5:         Linux version 2.4.20 (build@buildmaster5)
                   (gcc version 3.0) #22 Fri Feb 20 18:19:25 PST 2004
                   MD5: 8d31d9eb8077a0a91a9356d23a4e9fb8
                   Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0
                   EXCEPT "140" series
    
    3.1.1c:        Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
                   (gcc version 3.0) #9 Wed Jan 7 10:05:19 PST 2004
                   MD5: 8430fccf5c26bb5668c5e14ca3fc4582
                   Supports DTiVo Uma4/Uma6, and all known SA Series2.0
    
    4.0.1a:        Linux version 2.4.18 (build@buildmaster19)
                   (gcc version 3.0) #38 Thu Oct 23 10:48:29 PDT 2003
                   MD5: 567ffaf194278f82e7c7b86bb411c93e
                   Supports DTiVo Uma4, and all known SA Series2.0
    
    3.1.U5:        Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
                   (gcc version 3.0) #27 Sat Sep 28 21:47:44 PDT 2002
                   MD5: 5217ce0190595f4fe2461a429ce18121
                   Supports DTiVo Uma4, and all known SA Series2.0
                   (this kernel is supported but 3.1.1c is recommended)
    2.4.18 from 4.0 is not supported as a suitable jump point has not been found. The 2.4.18/4.0 kernel support added in release 0.9.1 does not work in most circumstances. The newer Series2.5 "nightlight" models are not supported at all.

    Please do not link directly to the file attachments. Link to this thread instead, to give your readers the benefit of updates, errata, and support information.
    Last edited by alldeadhomiez; 12-12-2006 at 02:47 PM.

  2. #2
    Join Date
    Jan 2002
    Location
    New York
    Posts
    2,407
    Do NOT post support questions in this thread. Any question not directly related to furthering the development of this hack will be summarily deleted.

    There is a support thread in the Series 2 Support Forum located here

    Edit:

    Other useful resources:

    Download killhdinitrd-compatible kernels
    monte-mips: a way to chain-load a custom kernel (after you use killhdinitrd to compromise the box)
    Discussion thread on using killhdinitrd with monte
    Why you probably don't need a killhdinitrd that supports your exact software version
    Last edited by alldeadhomiez; 01-17-2005 at 07:52 PM.

  3. #3
    Join Date
    Jan 2002
    Posts
    1,778
    MuscleNerd pointed out that some of the initrd kill offsets for 2.4.4-TiVo-3.0 on 3.1.1c did not match up:

    Code:
            {
                    "2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
                    0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
                    "\x02\x00\x28\x21"      /* do as i say, not as i do. */
                    "\x3c\x1f\x80\x00"
                    "\x20\x1e\x00\x3a"
                    "\xa7\xfe\x4e\x4a"
                    "\x20\x1e\x00\x33"
                    "\xa7\xfe\x4e\x86"
                    "\x20\x1e\x00\x30"
                    "\xa7\xfe\x4e\x92"
                    "\x20\x1e\x00\x2e"
                    "\xa7\xfe\x4e\x9a"
                    "\x3c\x1f\x80\x12"
                    "\xaf\xe0\x68\xf0"
                    "\x3c\x1f\x80\x00"
                    "\x27\xff\x43\x2c"
                    "\x03\xe0\x00\x08"
                    "\x00\x00\x00\x00"
            },
    Based on the changes made by killinitrd-3.x at tivoutils.sf.net, these are the new offsets I came up with:

    Code:
    	{
    		"2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
    		0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
    		"\x02\x00\x28\x21"	/* do as i say, not as i do:
    					   move $a1, $s0 */
    		"\x3c\x1f\x80\x00"	/* lui $ra, 0x8000 */
    		"\x20\x1e\x00\x3a"	/* li $s8, 0x003a */
    		"\xa7\xfe\x4e\x4a"	/* sh $s8, 0x4e4a($ra) */
    		"\x20\x1e\x00\x33"	/* li $s8, 0x0033 */
    		"\xa7\xfe\x4e\x66"	/* sh $s8, 0x4e66($ra) */
    		"\x20\x1e\x00\x30"	/* li $s8, 0x0030 */
    		"\xa7\xfe\x4e\x72"	/* sh $s8, 0x4e72($ra) */
    		"\x20\x1e\x00\x2e"	/* li $s8, 0x002e */
    		"\xa7\xfe\x4e\x7a"	/* sh $s8, 0x4e7a($ra) */
    		"\x3c\x1f\x80\x12"	/* lui $ra, 0x8012 */
    		"\xaf\xe0\x68\xf0"	/* sw $zero, 0x68f0($ra) */
    		"\x3c\x1f\x80\x00"	/* lui $ra, 0x8000 */
    		"\x27\xff\x43\x2c"	/* addiu $ra, $ra, 0x432c */
    		"\x03\xe0\x00\x08"	/* jr $ra */
    		"\x00\x00\x00\x00"	/* nop */
    	},
    Remember that byte 0x20 of the kernel image is loaded to 0x80002000 on all known Series2 (NEC Vr5432 based) kernels.

    Does "do as I say, not as I do" refer to the weird offsets, or does it refer to taking $a1 (BORD type) from $s0 - something that clearly breaks when you are loading the kernel from something other than the TiVo PROM code?

    Both the original code and the new code worked correctly when I tried them, but it is disturbing to see potential corruption of kernel memory.

    Comments?
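
Added example, not part of the original post or of killhdinitrd's source: a small C tracer that decodes only the MIPS opcodes used by the two stubs above, lists the address each store writes, and converts it to a kernel-image offset using the "byte 0x20 loads at 0x80002000" rule from the post. The names `trace_stores`, `image_offset` and `LOAD_DELTA` are hypothetical, and registers the stub never writes are assumed to read as 0.

```c
#include <stdint.h>
#include <stdio.h>

/* From the post: image byte 0x20 is loaded at 0x80002000 on Series2 kernels. */
#define LOAD_DELTA (0x80002000u - 0x20u)
struct store { uint32_t addr, value; };
/* The two 0x40-byte stubs quoted in the post, four instructions per line. */
static const unsigned char ORIG[] =
    "\x02\x00\x28\x21\x3c\x1f\x80\x00\x20\x1e\x00\x3a\xa7\xfe\x4e\x4a"
    "\x20\x1e\x00\x33\xa7\xfe\x4e\x86\x20\x1e\x00\x30\xa7\xfe\x4e\x92"
    "\x20\x1e\x00\x2e\xa7\xfe\x4e\x9a\x3c\x1f\x80\x12\xaf\xe0\x68\xf0"
    "\x3c\x1f\x80\x00\x27\xff\x43\x2c\x03\xe0\x00\x08\x00\x00\x00\x00";
static const unsigned char REV[] =
    "\x02\x00\x28\x21\x3c\x1f\x80\x00\x20\x1e\x00\x3a\xa7\xfe\x4e\x4a"
    "\x20\x1e\x00\x33\xa7\xfe\x4e\x66\x20\x1e\x00\x30\xa7\xfe\x4e\x72"
    "\x20\x1e\x00\x2e\xa7\xfe\x4e\x7a\x3c\x1f\x80\x12\xaf\xe0\x68\xf0"
    "\x3c\x1f\x80\x00\x27\xff\x43\x2c\x03\xe0\x00\x08\x00\x00\x00\x00";

static uint32_t image_offset(uint32_t addr) { return addr - LOAD_DELTA; }

/* Decode only the opcodes these stubs use; registers never written read as 0. */
static int trace_stores(const unsigned char *c, size_t len, struct store *out, int max)
{
    uint32_t reg[32] = {0};
    int n = 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t w = (uint32_t)c[i] << 24 | (uint32_t)c[i + 1] << 16 | (uint32_t)c[i + 2] << 8 | c[i + 3];
        uint32_t op = w >> 26, rs = (w >> 21) & 31, rt = (w >> 16) & 31, rd = (w >> 11) & 31;
        uint32_t simm = (uint32_t)(int32_t)(int16_t)(w & 0xffff);   /* sign-extended immediate */
        if (op == 0x00 && (w & 0x3f) == 0x21 && rd) reg[rd] = reg[rs] + reg[rt]; /* addu (move); jr/nop skipped */
        else if ((op == 0x08 || op == 0x09) && rt)  reg[rt] = reg[rs] + simm;    /* addi (li) / addiu */
        else if (op == 0x0f && rt)                  reg[rt] = (w & 0xffff) << 16; /* lui */
        else if ((op == 0x29 || op == 0x2b) && n < max) {                         /* sh / sw */
            out[n].value = op == 0x29 ? reg[rt] & 0xffff : reg[rt];
            out[n++].addr = reg[rs] + simm;
        }
    }
    return n;
}

int main(void)
{
    struct store a[8], b[8];
    int n = trace_stores(ORIG, 0x40, a, 8), m = trace_stores(REV, 0x40, b, 8);
    for (int i = 0; i < n && i < m; i++)
        printf("value 0x%x: original 0x%08x, revised 0x%08x (image 0x%x)\n", (unsigned)a[i].value,
               (unsigned)a[i].addr, (unsigned)b[i].addr, (unsigned)image_offset(b[i].addr));
    return 0;
}
```

The output shows that the two stubs store the same values and agree on the first half-word store and the final word store; only the three middle half-word targets differ.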

  4. #4
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,823

    Curious....

    For those of us who don't understand exactly what is going on here, how is it that these modifications do not invalidate the kernels' digital signature? AFAIK if so much as a single bit has been modified, the kernel signature will be invalidated unless you have the private keys to sign the modifications accordingly. How is this patch an exception to that?

    MODs: This isn't a support question, I just want to understand the method in better detail. Feel free to move it if you feel it's inappropriate though.
    Last edited by AlphaWolf; 08-11-2004 at 03:50 AM.
    Before PMing me: I'm not your personal tech support. If you have a question, ask in public so I don't have to repeat if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs.

    Sponsor a vegetarian! I have taken the pledge, how about you?

  5. #5
    Join Date
    Jan 2002
    Posts
    1,778
    Here is a utility you can use to examine a ".px" file and split it into components.

  6. #6
    Join Date
    Jan 2002
    Posts
    1,778
    Quote Originally Posted by AlphaWolf
    Hmm...I was previously under the assumption that the entire kernel image was factored into the digital signature.
    Code:
            scripts/elfextract vmlinux vmlinux
            $(OBJCOPY) -O binary vmlinux vmlinux.data
            if [ -f extra ]; then cat extra >> vmlinux.data ; fi
    ifeq ($(TV_FEATURE_STRONG_CRYPTO),0)
            dd if=/dev/zero bs=269 count=1 > vmlinux.sig
    else
            $(TOOLROOT)/tvbin/crypto -sfh $(ROOT)/tvlib/keys/kernel-dev.prv vmlinux.data > vmlinux.sig
    endif
            scripts/makeppceval vmlinux.info vmlinux.data vmlinux.sig vmlinux.px
    Code is from linux/Makefile in some kernels (such as the 4.x source distribution).

    "extra" is the initrd image.

  7. #7
    Join Date
    Mar 2002
    Posts
    1,339
    Quote Originally Posted by pbolya
    All HD TiVos are upgrading to 3.1.5d and 0.9.2 does not seem to support the new kernel. Is there a new version coming out so we can hack our HR10-250's again?

    Thanks,
    Peter
    stop cross-posting

  8. #8
    Join Date
    Aug 2006
    Posts
    98
    How do I find the kernel version number?

    TiVo displays 7.2.2-oth.01-2-64 (I have a backup)
    and in last 2-3 days got updated to 7.3.1 (I have a backup for this too)

    Want to put telnet, ftp, etc on my Toshiba SD-H400.

    Tried killhdinitrd on both versions but it reports
    FATAL: No exploit found for this kernel

    Also, if I do manage to get the hacks installed, will they be removed during the next update from TiVo?

  9. #9
    Join Date
    Aug 2004
    Posts
    4,085
    Usage questions belong in the support thread, not the development thread.

    Use the 7.2.2-oth-K1 kernel with any 7.x software version on a Series2. One source for kernels that work with killhdinitrd is the $5 PTVUpgrade lba48 CD.

  10. #10
    Join Date
    Jan 2004
    Posts
    4

    CD isn't working

    Unfortunately the CD doesn't work for those of us with the TDC649080 version (Series2 DT). Using any of the Kernels on the $5 CD ends up giving you a grey screen. Would be nice if there was a util to patch your own Kernel... yes yes I am lazy

  11. #11
    Join Date
    Jul 2005
    Posts
    573
    Quote Originally Posted by lims View Post
    Unfortunately the CD doesn't work for those of us with the TDC649080 version (Series2 DT). Using any of the Kernels on the $5 CD ends up giving you a grey screen. Would be nice if there was a util to patch your own Kernel... yes yes I am lazy
    If you have a S2DT, you shouldn't be using killhdinitrd at all. After you've replaced the PROM on your unit, you want to use replace_initrd to patch your kernel. Just searching for "replace_initrd" should yield some useful results.

  12. #12
    Join Date
    Jan 2004
    Posts
    4

    Thanks

    Thanks for the reply, I will give this a shot today.
