Results 16 to 30 of 638

Thread: killhdinitrd 0.9.x Support Thread

  1. #16
    Join Date
    Jun 2004
    Location
    Central FL
    Posts
    6

    29

    I just want to thank the HDteam for such a cool and simple hack.
    I yanked the disk at lunch and had it up and running with my hacks soon afterwards. I get my tivoweb and the wife gets her callerID.
    Way cool. Thanks much!

  2. #17
    Join Date
    Jan 2002
    Location
    New York
    Posts
    2,406
    Quote Originally Posted by w2kr
    If I follow everything discussed thus far, if I want >137 GB support on a DSR704, I'd still have to monte to an LBA-48 compatible kernel, right?
    Yes. The lba48 kernel is only native to 3.1.5

  3. #18
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by JJBliss
    Yes. The lba48 kernel is only native to 3.1.5
    3.1.5 should run on a Uma6 SD box, but not a lot of people have copies of it.

  4. #19
    Join Date
    Jan 2003
    Posts
    388
    Is there a simple description of the vulnerability and how it was exploited?

    This utility is being released because the kernel entry address handling has been revamped on the TCD540040 (Silver SA Series2 with nightlight). No further reason exists for keeping it private.
    To illustrate a long-standing flaw in TiVo's security architecture (now corrected on the Uma2c board).
    Can someone explain what "kernel entry address handling" is and what the "Uma2c board" does?

    Thanks.

  5. #20
    Join Date
    Aug 2001
    Location
    Florham Park, NJ
    Posts
    187
    Quote Originally Posted by alldeadhomiez
    3.1.5 should run on a Uma6 SD box, but not a lot of people have copies of it.
    Knowing that 3.1.5 will run on a Uma6 (aka DSR704 or the other Toshiba RID unit) is very good information. If I produce this kernel by getting the Linux kernel source and applying the changes from the TiVo site and cross-compiling it for MIPS, will killhdinitrd work on that kernel or does the kernel have to be exactly the one shipped with the HD-Tivo?

    Edit: originally mistyped the name of killhdinitrd
    Last edited by w2kr; 08-04-2004 at 05:25 PM.

  6. #21
    Join Date
    Apr 2002
    Posts
    80
    Can someone give me a walkthru on doing this? I have successfully done xtreme to a series 1 and used sleeper's ISO on a HDVR2 but I don't really know how I am supposed to apply the kill patch here. How do I even get the file over to the HD box? If someone could just point me in the right direction I would appreciate it.

    Also, as an aside, are any of you worried about doing this hack, knowing that there have been a lot of problems with these units? I have read over at tivocommunity about a lot of DVI inputs crapping out. It would be nice to know that we could revert our units back to normal to take advantage of warranties or extended service plans like the one I bought from Best Buy.

    That is all for now.

    saltydog4791

  7. #22
    Join Date
    May 2004
    Posts
    233
    Best to back up your original drive (and run off the backup) so you can restore your original drive into the TiVo if you have any problems.

  8. #23
    Join Date
    Apr 2002
    Posts
    80
    I definitely hear that cheez but don't really know for sure how to get to that point. I guess in the past I have been somewhat spoiled by a lot of the automated stuff that's been put out there. Once bash is in place and I can talk to the tivo I am pretty self-reliant but up to that point, I am somewhat clueless. I am sure someone is going to come up with a more detailed how-to but I am salivating already.

    saltydog4791

  9. #24
    Join Date
    May 2004
    Posts
    233
    I'm in the same boat. Worsened by the fact that I'm looking for MacOS X versions of the tools

  10. #25
    Join Date
    Jun 2003
    Posts
    611
    I don't have an HD box (or even a DTivo) so I can't say for sure, but from reading the source I think I have a high-level handle on what it does.

    You'll need to pull your drive from the Tivo and connect it to your PC, boot into a *nix OS, and run the killhdinitrd binary specifying either an image of the kernel partition or the kernel partition itself.

    i.e. killhdinitrd /dev/hdX[3,6] or
    killhdinitrd /path-to/vmlinuz

    The utility will write some new code to the partition/image and change the kernel entry address in the px header to point to the new code. This effectively disables the initrd (which would normally check for and delete unauthorized software on your drive) but still allows the kernel to pass the signature check.

    So what does this mean? Basically, once you've run this utility against your kernel you can then add your hacks to the drive, modify tivoapp, etc. and it will survive the boot process.

    What I'd like to know is why the changes being made don't invalidate the kernel signature?

    -psxboy
    TCD652160 TivoHD
    1TB
    11.0n.J1-01-2-652

  11. #26
    Join Date
    Apr 2002
    Posts
    80
    Quote Originally Posted by Cheezmo
    I'm in the same boat. Worsened by the fact that I'm looking for MacOS X versions of the tools
    hehe. I hear you cheez. I am in the same boat. Sometimes I think the only reason I have a sh*tty old Windows box is for TiVo hacking.

    saltydog4791

    P.S. FWIW I am still kind of lost. Are you saying that I can just boot from mfstools and apply the hack? And if so, how do I talk to the tivo after doing that? Maybe my questions are a bit too broad and I should just wait for a kind soul out there to come up with all the details when he/she gets to it. As usual, I am just being a little impatient, that's all.

  12. #27
    Join Date
    May 2002
    Posts
    314
    Quote Originally Posted by psxboy
    What I'd like to know is why the changes being made don't invalidate the kernel signature?
    All changes that are made are outside the signed portion of the kernel. The header isn't signed (but there is sanity checking of the values within it).
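
    The two posts above (psxboy's account of what killhdinitrd changes, and MuscleNerd's point that the header sits outside the signed region) describe a general verifier-design flaw: metadata that steers execution (here, the entry address) is sanity-checked but not covered by the signature. The following is an added example written for this thread, not code from TiVo, the HD TeAm or killhdinitrd. It uses a constructed toy image format (a 12-byte header with magic, entry address and body length, followed by the body) and an HMAC as a stand-in for the real signature so it runs offline; the header layout, the field names and the key are all assumptions and have nothing to do with the real px header. It contrasts a verifier that signs only the body with one that signs header and body.

```python
"""Why an unsigned image header undermines a kernel signature check.

Added example, not TiVo's or killhdinitrd's code. The image format below is
constructed for this demo and is NOT the TiVo "px" header; a keyed HMAC stands
in for the vendor signature so the example runs with only the standard library.
"""
import hashlib
import hmac
import struct

# Constructed header layout (hypothetical):
#   magic (4 bytes) | entry address (u32 big-endian) | body length (u32 big-endian)
HEADER_FMT = ">4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"IMG1"
SIG_LEN = 32
SIGNING_KEY = b"constructed-demo-key"  # stands in for the vendor's signing key


def sign(data: bytes) -> bytes:
    """Stand-in for the vendor signature: HMAC-SHA256 over the covered region."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def build_image(entry: int, body: bytes, sign_header: bool) -> bytes:
    """Return header || body || signature.

    sign_header=False: the signature covers only the body (the weak design
    the thread describes). sign_header=True: it covers header and body.
    """
    header = struct.pack(HEADER_FMT, MAGIC, entry, len(body))
    signed_region = header + body if sign_header else body
    return header + body + sign(signed_region)


def verify(image: bytes, sign_header: bool) -> bool:
    """Sanity-check the header, then check the signature over the covered region."""
    if len(image) < HEADER_LEN + SIG_LEN:
        return False
    magic, entry, body_len = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    body = image[HEADER_LEN:HEADER_LEN + body_len]
    sig = image[HEADER_LEN + body_len:HEADER_LEN + body_len + SIG_LEN]
    # Header sanity checks of the kind the thread mentions: right magic,
    # declared length matches, entry address lands inside the body. These
    # catch malformed headers, not a well-formed header that was rewritten.
    if magic != MAGIC or len(body) != body_len or len(sig) != SIG_LEN:
        return False
    if not (0 <= entry < body_len):
        return False
    signed_region = image[:HEADER_LEN + body_len] if sign_header else body
    return hmac.compare_digest(sign(signed_region), sig)


def set_entry(image: bytes, new_entry: int) -> bytes:
    """Rewrite only the entry-address field; body and signature are untouched."""
    magic, _, body_len = struct.unpack(FORMAT := HEADER_FMT, image[:HEADER_LEN])
    return struct.pack(FORMAT, magic, new_entry, body_len) + image[HEADER_LEN:]


def demo() -> dict:
    """For each verifier design: (valid image accepted?, header-edited image accepted?)."""
    body = b"\x00" * 64 + b"KERNEL-CODE" + b"\x00" * 64  # constructed body
    results = {}
    for sign_header in (False, True):
        image = build_image(entry=64, body=body, sign_header=sign_header)
        edited = set_entry(image, 0)  # same body, same signature, new entry address
        results[sign_header] = (verify(image, sign_header), verify(edited, sign_header))
    return results


if __name__ == "__main__":
    for sign_header, (ok_original, ok_edited) in demo().items():
        design = "header+body signed" if sign_header else "body-only signed"
        print(f"{design}: original accepted={ok_original}, header-edited accepted={ok_edited}")
```

    With the body-only design, the image whose entry address was rewritten still passes both the sanity checks and the signature check, which is exactly the situation the thread describes; covering the header in the signed region is what makes the rewrite detectable. The design lesson for anyone building a verified-boot chain is that every field the loader trusts to decide what to execute (entry point, load address, segment table) has to be under the signature, not merely range-checked.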

  13. #28
    Join Date
    May 2002
    Posts
    314
    Quote Originally Posted by Cheezmo
    I'm in the same boat. Worsened by the fact that I'm looking for MacOS X versions of the tools
    To compile on a Mac, change this line in the makefile:
    Code:
     $(CC) -static -Wall -Wl,--strip-all -o $@ $^
    to:
    Code:
     $(CC) -Wall -o $@ $^

  14. #29
    Join Date
    Sep 2001
    Posts
    69

    Works fine on DSR704 that was monte'd

    I just put this on a previously monte'd DSR704 via bash. No need to pull the drive if you already have bash access. The worst problem was to find the "original" 3.1.1c kernel. I had to get it off the original drive as I never saved it anywhere (never thought I'd need it, as monte was working ok).

    Here is essentially what needs to be done to unmonte the DSR704:

    1) Get a copy of the 3.1.1c kernel to a x86 linux machine and run the killhdinitrd on it. Put the modified kernel back on the tivo.
    2) dd the modified kernel onto the non active partition (current root number minus one)
    3) switch the bootpage around for the kernels

    see what bootpage -a /dev/hda returns and replace following X with it:

    bootpage -B X /dev/hda

    see what bootpage -b /dev/hda returns and replace following X with it:

    bootpage -A X /dev/hda

    4) switch the bootparms for the root partition

    run df, note the root (/) partition and use that in:

    bootpage -P "root=/dev/hdaX" /dev/hda

    5) cross fingers and reboot.

    Disclaimer: This may not work for anyone else. Your monte may vary. Void where prohibited. If you break it, you own both pieces. If you care about your system, you should probably pull the drive and do a backup before this... hmm, did someone ever redo mfstools to back up a monte'd system? If they did, it isn't as useful as it once was.

    Thanks to everyone who worked on this. I am impressed.

  15. #30
    Join Date
    Jun 2003
    Posts
    611
    Quote Originally Posted by MuscleNerd
    All changes that are made are outside the signed portion of the kernel. The header isn't signed (but there is sanity checking of the values within it).
    Ahh, ok. After I wrote that I kinda figured that the px header wasn't included in the signature but I had no reference for where the block of code was being written to. Thanks for the clarification, mn.

    Also, I should probably take a moment to thank HD TeAm ... both for coming up with this method & for rallying support for the EFF. I've always been a bit skeptical about these shadowy groups and their motives, but HD TeAm has proven that they have a conscience. (And I've been a fan of the EFF ever since they ponied up the cash to hire a high-profile attorney and to cover the court costs for some people I work with closely when they were being attacked for some content that they posted on their website.) Kudos, gentlemen.

    -psxboy
    TCD652160 TivoHD
    1TB
    11.0n.J1-01-2-652
