
Thread: "Series2.5" / TCD540040 / "nightlight SA" / Humax / DirecTV R10 initial observations

  1. #16
    Join Date
    Jun 2001
    Posts
    3,108
    Quote Originally Posted by my0gr81
    For this release of hardware it is true, the rom is still separate.

    This new "set top box in a chip" solution does offer possibilities for TiVo to forego the separate rom and use the built in one for future releases.
    The sky is falling, the sky is falling! Wait, no it's not.

    Yeah, they may add that in the future... However, this thread is about current hardware observations, not about possible things TiVo could do as they become more paranoid.
    Step one: search button!
    Silly Wabbit, guides are for kids

  2. #17
    Join Date
    Jan 2002
    Posts
    1,777
    The BORD ID is 0x10f8: "0x000010 Gen04 standalone 1".

    5.3 includes the following kernel modules:

    Code:
    Common:
    
    af_packet.o ax8817x.o cdrom.o cobra.o fan.o fanstub.o fat.o tivoconfig.o
    isofs.o kaweth.o msdos.o oslink.o p80211.o pegasus.o prism2_usb.o
    router.o rtl8150.o scsi_mod.o sd_mod.o sg.o sr_mod.o therm.o usb-ohci.o
    usb-storage.o usbcore.o usbnet.o vfat.o vnetusba.o
    
    For Series2.0 only:
    
    fpga.o
    ideturbo.o (?)
    
    Not in 5.1, may be for Series2.5 only:
    
    tivo_pwmdrv.o (this might control the nightlight brightness)
    ubuddy.o
    bcm7315tty.o (definitely for Series2.5 only)
    
    Separate by architecture:
    
    brcmdrv-7315.o brcmdrv-rb.o
    i2c_Gen04.o i2c_Series2.o
    irblast.o irblast_Gen04.o ircatch-atmel.o
    ircatch.o ircatch_Gen04.o
    kfirm.o kfirm_Gen04.o
    modemtty_Gen04.o modemtty_Series2.o
    tvinput.o tvinput_Gen04.o tvinput_falcon.o

  3. #18
    Join Date
    Jun 2004
    Posts
    3
    Quote Originally Posted by mrblack51
    this thread is about current hardware observations
    An observation: streaking video (7.5M MP4) on a TCD540040 w/5.3 sw. Observed ab. two minutes after reboot, both on tuner and s-video sources, and subsequently intermittently either in Live TV or in recordings (various qualities.) Apparently there are some timing issues to be resolved on the new hw.
    Last edited by uucee; 09-19-2004 at 09:02 PM. Reason: Shortened URI

  4. #19
    Join Date
    Oct 2004
    Posts
    2

    Bash via emergency phone home?

    Is it possible to hook another PC up to the modem phone port and intercept a bash call back to TiVo? I see there is a kickstart.expect script in tvbin or tvlib that initiates a call back to TiVo and just leaves a bash session running on the line.

    # Copyright (c) 2001, 2002 TiVo Inc.
    # Expect script for phoning home in an emergency
    ...
    overlay -0 $modem -1 $modem -2 $modem /bin/bash -i

    1. Would this require special hardware or additional power for the modem line -- if I don't really want it connected to the phone service at the time? Or will I have to use a real phone line and trick it to calling my cell phone?
    2. Is it possible to trigger this call with one of the secret remote combinations? Or is this just a developer or old script that will never run?

    Anyhow, my hope would be to get this connection going, then start up some daemons or maybe monte into a new kernel on a series2.5.

    --

    Edit - never mind, I see that the last thing the script does is pass an auth token around that's been encrypted with the machine's public key, and then waits for the system on the other end to decrypt it and send it back. I assume this would be hard to fake.
    Last edited by sadseries2; 10-10-2004 at 11:07 PM.

  5. #20
    Join Date
    Oct 2004
    Posts
    1

    How to upgrade PROM?

    I am somewhat a newbie, so please excuse my ignorance. I have one of these TCD540040 TiVos and I understand that to get the goodies on it you must hack the PROM. I'm a hardware guy and pretty comfortable soldering my TiVo, but I can't seem to find information on how to flash the TiVo's PROM. Can someone please point me to this information? Thanks!

  6. #21
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by ubermensch
    I am somewhat a newbie, so please excuse my ignorance. I have one of these TCD540040 TiVos and I understand that to get the goodies on it you must hack the PROM. I'm a hardware guy and pretty comfortable soldering my TiVo, but I can't seem to find information on how to flash the TiVo's PROM. Can someone please point me to this information? Thanks!
    The cheap way: use a Willem programmer or hot swap it on a compromised TiVo (see the flash39 thread).

    The expensive way: drop a grand on a commercial programmer.

    As for the mods to make, the TCF archives tell us:

    Quote Originally Posted by MuscleNerd
    Here's a PROM patch for S2 for those of you with access to a burner. The patch will allow you to boot any kernel, whether it's signed correctly or not.

    Somewhere within your TiVoProm.bin image, you should see the following instruction word:

    0x1043000c

    You want to change that 0x43 to a 0x42. Just that one byte change is all you need...it changes a conditional branch to an unconditional one. This essentially discards the results of the signature checking routine.

    The above 4-byte word will probably appear as 0x43100c00 in the image file itself (endian issues). I've only hand-verified the patch on 1.15 and 1.18 images (1.18 came out with version 3.2 of the software. 1.15 was posted on this board but it wasn't completely there). In 1.18, the file offset of the byte to change is 0x2b40.

    ---

    As it turns out, before the boot code even verifies the kernel signature, it verifies itself. It computes the sha1 hash of its own in-memory image (after a certain offset) and compares the result to one stored in its own image (before that certain offset). So in addition to patching over the signature checking results as I showed 2 posts back, you have to patch over this too.

    This second patch also consists of a single byte change. Somewhere in your 1.15 or 1.18 image you should find the following instruction word:
    0x14830004
    You want to change that 0x83 byte to 0x84. This word will probably appear as 0x83140400 in the .bin image file itself.
    So socket it, dump it, change the integrity checks, and reflash.

  7. #22
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by karak
    1) Are the modifications that you quoted here exactly what you did to the unit that you successfully compromised at the start of this thread? (Basically, I'm trying to reassure myself that the same trick that worked for Series2 ROM works for Series2.5 ROM as well)
    These are the changes I made:

    Code:
      958c = 14830004 -> 14840004 (disable prom sha-160)
      a4c0 = 1043000a -> 1042000a (disable kernel check)
      9f88 = 0c771ac1 00000000 0440ff95 -> 0c771a83 00000000 24020000 (skip memchk)
      8974 = 10400011 -> 00000000 (enable debug msgs)
    (yadda yadda, 1201(f) notice goes here, don't violate any copyrights)

    Note that the debug message hack isn't necessarily a good idea on an SA, since it will be transmitting "junk" on the serial cable box control line.

    2) Did the smaller board form factor make the socket and reset job noticeably more difficult than with earlier hardware revisions?
    No.

  8. #23
    Join Date
    Nov 2004
    Posts
    1
    Quote Originally Posted by alldeadhomiez
    ...we will know more once the 5.3 kernel source is posted.
    Please correct me if I'm wrong (as I'm new here), but it appears the 5.3 source has been posted here. Has any progress been made on figuring out how to gain access to these newer TiVo units? I have the "night light" model and would love to hack on it with some further assistance from this forum.

    Thanks.

  9. #24
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by RedFive
    Please correct me if I'm wrong (as I'm new here), but it appears the 5.3 source has been posted here.
    Correct, and as predicted, you now must choose whether you want to support Series2.0 OR Series2.5 in the kernel configuration.

    Has any progress been made on figuring out how to gain access to these newer TiVo units? I have the "night light" model and would love to hack on it with some further assistance from this forum.
    Socket the PROM. Instructions are in this thread. Or post a request in the For Sale forum.

    Or, wait an indefinite amount of time for a software exploit that may or may not ever go public (or exist).

    Edit 2005/01/07:

    I will provide some background information for those of you who have not worked with a Series2.0 unit.

    All Series2.0 and Series2.5 units employ a security mechanism to prevent unauthorized code from booting. The normal boot process looks something like:

    1. PROM initializes the hardware
    2. PROM code computes a SHA-160 over most of the PROM image, and compares it to the stored hash. If there is a mismatch, an error is displayed on the serial console
    3. PROM reads the bootpage (sector 0) from the first IDE disk, checks the boot signature, and saves the active (boot) kernel partition number
    4. PROM looks up the boot kernel's partition in the Mac partition table, reads the "px header," then loads the kernel image into memory
    5. PROM conducts several sanity checks on the px header (accounting for boot failure reasons 53-59)
    6. PROM computes a SHA-1 hash across the kernel and across the initrd stored in the kernel image
    7. PROM compares the hash with the SHA-1 stored in the signature at the end of the kernel image. If it does not match, boot failure 60 is thrown and startup halts
    8. PROM verifies that the hash is properly signed with the "Kernel Release Key." The public half of this release key is stored in the PROM. If the signature is bad, boot failure 60 is thrown and startup halts
    9. PROM checks the new TCD1 section of the kernel image, a signed area that mirrors most of the px header's parameters. This prevents a killhdinitrd-style attack. If a mismatch is found, startup halts and an error code (61+) is displayed on the serial console
    10. PROM passes control to the (now verified) kernel image
    11. Linux kernel boots, mounts the initrd, and runs linuxrc from the initrd
    12. linuxrc checks boot parameters for forbidden stuff (like BASH_ENV), then mounts the root filesystem to look for unauthorized files or files that don't match the SHA-1 stored in the initrd's signature database
    13. After linuxrc is satisfied, the ext2 root filesystem is remounted and control passes to /sbin/init

    In order to do anything interesting with the unit, we must find a way to make persistent changes to the root filesystem. So, what are the weaknesses in the chain of trust? The biggest weakness is the PROM: it is relatively easy to replace it with an IC containing a modified image that does not check the kernel signature. In this way, we can boot a non-approved kernel without an initrd, and make persistent changes to the root filesystem.

    A naive approach (e.g. "just add bash to rc.sysinit," "just compute a new checksum," etc.) is highly unlikely to be successful. These units were designed to keep us out. As a general rule in computer security: "if your question begins with 'why can't we just...', the answer is NO!" If you don't understand why, ask in the Newbie forum.

    It is entirely possible that there is a way to gain control of the unit later on in the boot process, due to the fact that the TiVo software handles such a large quantity of untrusted data (particularly data coming from the network). However, this hack is less than ideal: once you have a way to run your own code on the unit, you don't have a way to reflash the PROM. Ditto for hacks involving the EJTAG. You will have to use the same exploit every time you want to run your hacks; there is no obvious way to leverage it in a way that lets you affect the 13 steps I listed. All Series2.5 units use the SST37 PROM, which is not reflashable in this circuit.

    For this reason, the current recommendation is to socket your PROM, or pay somebody else to do it.

    References:

    Software flashing SST39s (requires replacement of the flash IC on all Series2.5 and most Series2.0 units)
    Preliminary dissection of the Series2.0 PROM code
    Tiros attempts to flash an SST37 in-circuit on a Series2.0
    Information on socketing the PROM yourself
    Last edited by alldeadhomiez; 01-07-2005 at 06:53 PM.
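    The boot verification chain of steps 2 and 6-9 above, modelled as an added example (this is not TiVo's PROM code): the image layouts, the 25-byte textbook-RSA signature over two Mersenne primes, the hash-before-code PROM layout and the exact failure-code mapping are assumptions chosen to illustrate the checks, not the real format.

```python
import hashlib
import struct

# Constructed toy "Kernel Release Key": textbook RSA over two Mersenne primes.
# Only N and E (the public half) would live in the PROM; D stays with the vendor.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = 25                       # N < 2**196, so a signature fits in 25 bytes

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def rsa_sign(digest: bytes) -> bytes:
    return pow(int.from_bytes(digest, "big"), D, N).to_bytes(SIG_LEN, "big")

def rsa_verify(sig: bytes, digest: bytes) -> bool:
    # Recover the signed hash with the public key and compare it (steps 7-8).
    return pow(int.from_bytes(sig, "big"), E, N) == int.from_bytes(digest, "big")

# Step 2 (assumed layout): PROM image = stored SHA-1 (before the offset) || code.
def build_prom(code: bytes) -> bytes:
    return sha1(code) + code

def prom_self_check(image: bytes) -> bool:
    return image[:20] == sha1(image[20:])

# Assumed kernel image layout: px header (kernel_len, initrd_len) || kernel ||
# initrd || TCD1 (signed copy of the header) || signature over SHA-1 of the rest.
def build_kernel_image(kernel: bytes, initrd: bytes) -> bytes:
    hdr = struct.pack(">II", len(kernel), len(initrd))
    body = kernel + initrd + hdr
    return hdr + body + rsa_sign(sha1(body))

def prom_verify_kernel(image: bytes) -> int:
    """Return 0 if the PROM would boot the image, else the boot failure code."""
    klen, ilen = struct.unpack(">II", image[:8])
    if 8 + klen + ilen + 8 + SIG_LEN != len(image):
        return 53                  # step 5: px header sanity check (53-59)
    body, sig = image[8:-SIG_LEN], image[-SIG_LEN:]
    if not rsa_verify(sig, sha1(body)):
        return 60                  # steps 7-8: hash or signature mismatch
    if body[-8:] != image[:8]:
        return 61                  # step 9: TCD1 no longer mirrors the px header
    return 0

if __name__ == "__main__":
    img = build_kernel_image(b"kernel" * 10, b"initrd" * 3)
    print("pristine:", prom_verify_kernel(img))                      # 0
    # Swapping the two header lengths keeps the body and signature intact,
    # but the signed TCD1 copy exposes the edit: failure 61.
    print("edited header:", prom_verify_kernel(struct.pack(">II", 18, 60) + img[8:]))
```

    The point of the model is where trust is rooted: every check reads its reference value (stored hash, public key) from the PROM image itself, so nothing later in the chain can detect a PROM that no longer performs them.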

  10. #25
    Join Date
    Jan 2002
    Posts
    1,777
    I have attached two 2.4.20 kernels for the Series2.5:

    boot/vmlinux.px - this was built with the script I posted above. I have been running this kernel with no problems for a few weeks now.

    boot/vmlinux.px-nonetfilter - in the USB 2.4.27 thread, Jamie noted that on a Series2.0 machine, a network performance gain could be realized by disabling netfilter. I have not tried this yet on a Series2.5, but it is worth exploring due to the abysmally slow networking performance on these boxes.

    lib/modules - modules built by my script. ehci-hcd.o is included, for the adventurous. Don't expect it to work.

    Obviously, neither of these kernels includes or needs an initrd image.

  11. #26
    Join Date
    Jan 2002
    Posts
    1,777
    DirecTV has posted the owner's manual for the new RCA/DirecTV R10 DVR. I quickly looked through this document for any interesting tidbits on the new device; here are my observations:

    • The system information screenshot was taken from a -3F1 HDVR2 (?) running a 3.1.1c beta. The manufacturer and model were blacked out. This may have been done because a working R10 was not available at the time the manual was finalized.
    • Groups (folders) were mentioned as a feature of the R10, but again no R10 screenshot was provided.
    • Under the section on ordering and recording PPV showings, no mention was made of the new copy/retention control features that have been in the news. The manual states that PPV recordings will default to "keep until I delete."
    • It is very likely that the R10 will run 6.1 software, as it is probably easier to make a few DTiVo-specific changes to the 5.3/5.4 codebase than to backport all of the Series2.5 changes and security enhancements to 3.1.x.


    Based on the header files from tivo.com, it appears that we now have three different Series2.5 boards:

    Gen04 standalone: BORD 0x10xx - TiVo SA nightlight models, Humax SA models
    "Elmo" P0: BORD 0x12xx - Humax/Toshiba models with DVD-R
    "Bryce": BORD 0x21xx - DirecTV R10
    Last edited by alldeadhomiez; 11-19-2004 at 07:31 PM.

  12. #27
    Join Date
    Apr 2002
    Location
    Wales UK
    Posts
    26
    DRT-800 seems to be a fairly similar platform. 37 PROMs, two of them; I assume the one near the ESS is the DVD PROM and the one by the battery is the TiVo PROM.
    There are pics at http://www.yllain.plus.com/TiVo/ if anyone wants a look; in the big dir you will find full size jpegs from the cam.
    I'm guessing the connector labelled CN16 is an EJTAG, can we do something with that? I assume we could do in place flash with that interface and the right software.
    There is also a jumper at J33 real close to the PROM, I wonder what that is for. I'm just looking up the ST data sheets now.

  13. #28
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by alunj
    I'm guessing the connector labelled CN16 is an EJTAG, can we do something with that? I assume we could do in place flash with that interface and the right software.
    Tiros claims that the system controller used with the VR5432 (Series2.0) CPU is not able to generate the correct memory timings to program an SST37, even if there is a way to provide Vpp to the IC. Although the multiplexed address/data bus is not used on the Series2.5, I expect that it will be a challenge to generate the proper write pulse width as we have no documentation on the BCM7317's internal peripherals/registers.

    Best bet is to socket and reflash the PROM.
    Last edited by alldeadhomiez; 12-12-2004 at 03:19 AM.

  14. #29
    Join Date
    Apr 2002
    Location
    Wales UK
    Posts
    26
    Yeah, I found the 37/39 datasheet. Just ordered the Willem programmer.
    I wonder if one other way to make it easier for the hordes would be to make a piggy back PLCC socket-to-socket adaptor and bring out the CE to a switch / logic on a board. That would only require a cut on one pin and a wire to that, like chipping a PlayStation.
    Am I right that the TiVo PROM is the one by the battery on the DRT?

    Alun

  15. #30
    Join Date
    Jan 2002
    Posts
    1,777
    Quote Originally Posted by alunj
    Am I right that the TiVo PROM is the one by the battery on the DRT?
    Yes.
