Overview of Hacking an S3

[captain_video]

I've got my hacked S3 working fine with FIOS and two cablecards.

[lgkahn]

thanks yes mine is working too.. the issue I was asking about was specifically premium encrypted channels.. as i can watch other stuff no problem.. just thought it maybe was too much of a coincidence that it stopped working when I put the hacked drives in.. more likely it appears to be that they were not hooked up for 2-3 weeks and comcast changed something in my acct..

just wanted to make sure b4 I lambast them.

[captain_video]

All channels work for me. The only premium I have is HBO but I can record it and extract shows with no problem.

[lgkahn]

got both boxes working hacked with all pay channels.. thanks.. if i can help anyone else let me know..

also has anyone tried having a cable box in addition to the tivo and paid for a ppv etc. on the cable box and then tried to record the show on the tivo????

thanks omikron for doing prom mod..

think the problem actually was that omikron must have removed cable cards when doing mod and put them back in the wrong boxes so it wasn't really comcasts fault.. (obviously i didn't tell them that)

one card was dead anyway error 162 so they still needed to come out.

[lgkahn]

ok isolated the issue

encryption is off
pulling off shows with mfs ftp works fine...
pulling off with tytools works fine
converting to mpg with tytompg and putting back on with pytivo and they work fine

putting any .tmf or .ty back on (even those just pulled off and which convert to .mpg and then work fine) with
mfs_ftp doesn't work.. i get 600 or so seconds time and they only play a blank screen and go immediately to done..

is there a special fix for insertion using mfs_ftp on series 3 that I missed somewhere thanks..


this is the log inserting looks .like the number of bytes is wrong so it doesnt inser tthe object.
it really only sent about 512 meg.. in my little test file..

04:00:21:AM - 220 Mfs_Ftp ver 1.2.9p - {sock34} from "64.222.190.107:1677"
04:00:22:AM - 331 User name okay, need password.
04:00:23:AM - 230 Running in TiVo Mode.
04:00:24:AM - 200 Type set to I
04:00:25:AM - 250 Directory change successful.
04:00:31:AM - 200 PORT command successful.
04:00:31:AM - 150 Opening BINARY mode data connection for "{{Deadliest Catch}{2008-05-13}{Racing the Clock}{01.00 AM Tue May 02, 2006}{DSCHD}.tmf}"


inserted 1073 meg at 1605k/sec
04:05:47:AM - 226 File transfer complete
04:05:47:AM - mismatch, not setting csos
04:05:48:AM - updating cached recording info
.......

had replaced mfs_ftp with new version with patches but old files extracted with the old version would not insert correctly
(even though they converted to .mpg fine) had to re extract ... I think it had to do with the missing drm stuff in the .xml

anyway now it kinda workds but cannot play shows as they are reinserting while you used to be able to when using the older mfs_ftp on series 2.. Is this because we are not inserting till the end ??? whereas we use to do an insert after every part??????? If so can It be fixed.. it is a pain and unuseable to wait for an insert of a 8 gb show 2 hours b4 you can play it..

2nd I tried mucking with the Copy protection info object

I cleared it out on a movie recorded on hbohd

ie

#!/tvbin/tivosh

EnableTransactionHoldoff true
set fsid [lindex $argv 0]
set db [dbopen]

puts "ClearCopyP.tcl by lgkahn"
puts "Clearing the CopyProtectionInfo on a Recording"
puts "ths fsid is $fsid"

if { $fsid == "" } {
puts "Syntax: ClearCopyP.tcl fsid!"
dbclose $db
exit 0
}

itrans start
set rec [db $db openidconstruction $fsid]
set parts [dbobj $rec get Part]
set overalldrm [dbobj $rec get Drm]
set copyp [dbobj $overalldrm get CopyProtectionInfo]

puts "clearing copy protection bits on overall drm ... it was $copyp"
dbobj $overalldrm remove CopyProtectionInfo
itrans commit

puts ""
dbclose $db


it did not like that at all and had a flashing red flag by the show when i went back and wouldn't play any longer.. bummer
there must be a way to remove this so that it can be pulled off with mrv or tivotogo???
I will keep looking.. any suggestions would be appreciated.

[HDTVFanAtic]

Is this any place you can pay to have this mod done for you - for those of us that aren't so good with a soldering iron?

thanks!

[jt1134]

Better hurry.

[lrhorer]

Is there a simple way to find out which drive on the PC is the TiVo drive? I'm doing a little bit of automation, and the last manual bit left over is inputting the drive spec. It would be great if the script could find the TiVo drive itself, so there's no likelihood of a mistake. I'm running Debian "Etch" Linux on an AMD Athlon 64 x 2. Right now I've got the drive in as a run-time constant (sdb), but the drive mapping could easily change in between the times TiVo pushes an update.

Edit: Come to think of it, there is one other manual constant, and that is the software version. If there is an easy way to figure out the software version, I could automate that, as well.

[lrhorer]

If anyone is interested, here is the script so far. For any neophytes, it rather demonstrates the basic requirements for hacking a prom-modded Series III class TiVo. Forgive the very pedestrian approach to scripting.

hack_tivo:

Code:

#!/bin/bash

# Set up the static variables.  Edit as needed.
dstring=`date +%m-%d-%y`
HackDir=/hack
Nul_Init=$HackDir/null-linuxrc.img.gz  #*** Download directly as null-linuxrc.img.gz.zip and rename to null-linuxrc.img.gz ***
ReplacRd=$HackDir/replace_initrd.x86   #*** Extract directly from replace_initrd.x86.tar.gz ***
TivoPart=$HackDir/tivopart             #*** Extract bin/tivopart.x86 from tivopart-20040530.zip and rename to tivopart ***
BootPage=$HackDir/bootpage             #*** Extract directly from bootpage-20040921.zip ***
HackFile=$HackDir/hacks.fil            #*** Create using a text editor.  Sample included below ***
TarBall=$HackDir/tivohacks

# Make sure the expected directories exist
mkdir -p $HackDir/Saved_Kernels/
mkdir -p $HackDir/Saved_Apps/
mkdir -p /tivo

# Check that all the expected files exist
tvalid=0
if ! [[ -s $Nul_Init && -f $Nul_Init ]]
then
     echo "Null initrd file $Nul_Init not found."
     tvalid=1
fi

if ! [[ -s $ReplacRd && -f $ReplacRd ]]
then
     echo "Binary file $ReplacRd not found."
     tvalid=1
fi

if ! [[ -s $TivoPart && -f $TivoPart ]]
then
     echo "Binary file $TivoPart not found."
     tvalid=1
fi

if ! [[ -s $BootPage && -f $BootPage ]]
then
     echo "Binary file $BootPage not found."
     tvalid=1
fi

if ! [[ -f $HackFile ]]
then
     echo "Text file $HackFile not found."
     echo "Note: The file may be zero length (no hacks to process),"
     echo " but it must exist."
     tvalid=1
fi

if [[ $tvalid -eq 1 ]]
then
     echo "This hack will not work without all the correct files in $HackDir under"
     echo "the correct names.  Provide the correct files and try again."
     exit 1
fi

# Function to evaluate the hardware platform
tivo_hardware () {
hardware=$( dd if=$dspec"10" bs=8 count=1 | hexdump | grep 0000000 | cut -d" " -f4 )
case $hardware in
     baab)   # S3 TiVo
          echo 32
          return 0
     ;;

     baeb)   # Tivo_HD
          echo 64
          return 0
     ;;

     *)        # Not a TiVo
          echo
          return 1
     ;;
esac
}

# Scan for TiVo partitions
tvalid=1
for dspec in /dev/sd?;
do
        # Check the target is a hard drive then Attempt to load the drive partitions
        # Change the "disk" string if Linux thinks the drive is not a hard drive.  Typically,
        # this may happen if a USB / SATA adapter is used.
        ls -l $dspec | grep -q disk
        if [ $? -eq 0 ];
        then
                echo $dspec

                # Check for a tenth partition on the target drive.
                if [[ -b $dspec"10" ]]
                then
                        echo Tenth partition found for $dspec"10"

                        # Check to see if the tenth partition is a known TiVo partition type
                        tivo_type=$( tivo_hardware )
                        tvalid=$?
                        [[ $tvalid -eq 0 ]] && break
                else
                        # Attempt to rescan the drive to provide TiVo partitions
                        $TivoPart r $dspec 1> /dev/null 2>&1

                        # Check to see if a tenth partition has appeared
                        if [[ -b $dspec"10" ]]
                        then
                             # Check to see if the new tenth partition is a known TiVo partition type
                             tivo_type=$( tivo_hardware )
                             tvalid=$?
                             [[ $tvalid -eq 0 ]] && break
                        fi
                fi
        fi
done

if [ $tvalid -eq 1 ]
then
        echo Valid TiVo Drive not found.  Exiting.
        exit 1
fi
echo MFS file system is $tivo_type bits
echo

# Get the active root partition using bootpage (assumes root=/dev/hdaX is the first parameter).
root=$( $BootPage -p $dspec | cut -d" " -f1 )
echo $root | grep -q "root=/dev/hd"
if [ $? -ne 0 ];
then
     echo "Invalid bootpage parameters.  Please correct the bootpage parameters before continuing."
     echo "Current parameters: $( $BootPage -p $dspec )"
     exit 1;
fi

# Get the active kernel partition using bootpage
kerndrv=$dspec$( $BootPage -b $dspec )

# Use the name of the root partition on the TiVo to set the name of the root partition on the PC
rootdrv=$dspec${root##*hda}

# Set the partition for /var
vardrv=${dspec}9

# Display the active partitions and pause for 5 seconds.
echo
echo Boot = $kerndrv
echo Root = $rootdrv
echo /var = $vardrv
echo
tvar=5
until [ $tvar -lt 1 ];
do
        echo -ne "     "$tvar "\r"
        sleep 1
        tvar=$[ $tvar - 1 ];
done
echo  "       "

echo
echo Mounting Drives...
mount | grep $rootdrv || mount $rootdrv /tivo
mount | grep $vardrv || mount $vardrv /tivo/var

# Get the software version
sver=`cat /tivo/etc/build-version`
sver=${sver##*\ }

echo Writing new Kernel...
$ReplacRd $kerndrv $Nul_Init /hack/Saved_Kernels/"$sver"_Kernel:$dstring

echo
echo Replacing IP Tables Function
cd /tivo/sbin
cp iptables iptables.sav.$dstring
echo
tvar=5
until [ $tvar -lt 1 ];
do
        echo -ne "     "$tvar "\r"
        sleep 1
        tvar=$[ $tvar - 1 ];
done

echo Copying Files...
echo Copying tivohacks$tivo_type...
sleep 2
cd /tivo
if [[ -a $TarBall$tivo_type.tar ]];
then
     tar -xvf $TarBall$tivo_type.tar;
elif [[ -a $HackFile$tivo_type.tar.gz ]];
then
     tar -xzvf $TarBall$tivo_type.tar.gz;
else
     echo $TarBall$tivo_type.tar not found.  Exiting...
     exit 1;
fi
echo
echo Writing new tivoapp
$HackDir/hack_tivoapp

hack_tivoapp:

Code:

#!/bin/bash

# Check if this is running on a TiVo or a PC
# Assumes if the environment variable TIVO_ROOT exists
# then this running on a TiVo
set | grep -q "TIVO_ROOT="

if [[ $? -eq 0 ]]
then
        # Set up the static variables for running on a TiVo
        mkdir -p /var/hack/Saved_Apps/
        SaveFile=/var/hack/Saved_Apps/tivoapp.tmp
        dstring=`date +%m-%d-%y`
        Archive=/var/hack/Saved_Apps/tivoapp.sav
        HackFile=/var/hack/hacks.fil
        Platform=TiVo
        # Change to the directory containing tivoapp
        cd /tvbin
        # Change the root filesystem to read/write
        mount -o remount,rw /
else
        # Set up the static variables for running on a PC
        SaveFile=/hack/Saved_Apps/tivoapp.tmp
        Archive=/hack/Saved_Apps/tivoapp.sav
        HackFile=/hack/hacks.fil
        Platform=PC
       # Change to the directory containing tivoapp
       cd /tivo/tvbin
fi

if ! [[ -f $HackFile ]]
then
        echo "Text file hacks.fil not found in /hack.  Exiting"
        [[ $Platform == TiVo ]] && mount -o remount,ro /
        exit 1
fi

echo Creating temporary tivoapp
cp tivoapp $SaveFile

echo Getting the hacking parameters for tivoapp
fail=1
while read line
do
        offset=$(( $(echo $line | cut -d" " -f1) - 0x00400000 ))
        oldword=$(echo $line | cut -d" " -f2 | sed s'/"//g')
        newword=$(echo $line | cut -d" " -f3 | sed s'/"//g')
        echo $oldword $newword $offset

        if [[ $Platform == PC ]]
        then
                B1=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c11-12 )
                B2=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c9-10 )
                B3=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c16-17 )
                B4=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c14-15 )
                testword=$B1$B2$B3$B4
        else
                B1=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c9-12 )
                B2=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c14-17 )
                testword=$B1$B2
        fi

        echo $testword
        # Check to make sure the bytes match
        if [[ "$testword" == "$oldword" ]]
        then
                echo Updating tivoapp $( echo $line | cut -d" " -f4)
                # Convert the string into a 4 byte number expression
                escape="\x"
                H1=${newword:0:2}
                H2=${newword:2:2}
                H3=${newword:4:2}
                H4=${newword:6:2}
                newword=$escape$H1$escape$H2$escape$H3$escape$H4
                echo -ne "$newword" | dd conv=notrunc of=$SaveFile bs=1 seek=$offset
        elif [[ "$testword" == "$newword" ]]
        then
                echo Failed for $oldword $newword $offset
                echo Tivoapp already has patch at this location.
                test -e $SaveFile && rm $SaveFile
                [[ $Platform == TiVo ]] && mount -o remount,ro /
                exit 1
        else
                echo Failed for $oldword $newword $offset Old value: $testword
                echo Exiting
                [[ $Platform == TiVo ]] && mount -o remount,ro /
                test -e $SaveFile && rm $SaveFile
                exit 1
        fi
done < $HackFile

echo Saving old tivoapp
test -e $Archive.$dstring && mv $Archive.$dstring $Archive.$dstring.safety
mv tivoapp $Archive.$dstring
mv $SaveFile tivoapp
[[ $Platform == TiVo ]] && mount -o remount,ro /
echo
echo Done!

Both of these scripts are designed to be used on an ordinary fairly recent Linux distribution running on a PC with a kernel of 2.6.26 or later. They may also work with a Live CD, but may not. The hack_tivoapp script can also be run on a live TiVo (untested) (tested 10/03/2012 by Dave20042004).

Example hacks.fil (11.0k):

Code:

0x005d2dec 104000aa 100000aa //noencryption
0x006562a0 30b000ff 00008021 //cci1
0x006562c4 00e08821 24110000 //cci2
0x01046970 30b000ff 00008021 //cci3
0x00774f74 00008021 24100001 //backdoors	
0x009b3b20 12400003 10000003 //deletethisrecording?
0x00b8f910 14400026 10400026 //30secskip
0x00b93eb8 0c2e5325 00000000 //nopauseads

This of course assumes bootpage, tivopart, replace_initrd.x86 and its little null-linuxrc.img.gz null initrd are all in /hack on the PC under those exact names. It also requires a tarball (tivohacks.tar) (tivohacks32.tar or tivohacks64.tar) of all the files to be placed on the TiVo. I include the mfs utilities, TiVoWebPlus, busybox, /etc/profile, and /etc/rc.d/rc.sysinit.author as well as the iptables hack in the tarball.

Edit: Automated the code a bit and added a more sophisticated tivoapp hacking routine. Replaced a user edited version string with a date string for archived kernel and tivoapp. Added a customized tivohacks32.tar and tivohacks64.tar to automate upgrades for both S3 and THD TiVos. Added bootpage parameter check. Added additional file checks. Revised hack_tivoapp so it should run on either a PC or a live TiVo (untested) (tested 10/03/2012 by Dave20042004). Added static variables for all directories and files at the top of the script to make user customization easier. Fixed a bug that mistakenly checked for the wrong name for the tarball file. Fixed a couple of missing quote marks that made the error report look odd.

Note: There is a small "bug" in the script in that should the user have a drive other than the TiVo drive on the PC with more than 9 partitions whose drive spec is lower than the TiVo's, the script will think the non-TiVo drive is a TiVo drive and quit searching. This will cause the script to fail. Anyone who has a drive with more than 9 partitions may need to modify the script or their system accordingly. This should be fixed, now.

Note: The hack_tivo script performs a check to make sure the potential target is a hard drive. One user employed a USB - SATA adapter that caused Linux to think it was a floppy, causing the script to fail. Modifying the check in line 9 at the top of the script 87 fixed the issue for him.

Sample tivohacks files:
http://fletchergeek.com/images/tivohacks32.tar.gz
http://fletchergeek.com/images/tivohacks64.tar.gz

bootpage:
http://www.dealdatabase.com/forum/sh...56&#post193456

tivopart:
http://www.dealdatabase.com/forum/at...8&d=1085952312

replace_initrd:
http://dealdatabase.com/forum/showthread.php?t=53272
http://dealdatabase.com/forum/showth...itrd#post84133

[phdeez]

buechel, thanks for the guide man! I successfully hacked my TivoHD, got everything working.... and then upgraded to 9.4!! ARGH!

Time to pull my drive again...

But thanks none-the-less!

[lrhorer]

My TiVo HD finally got the 9.4 upgrade last night, so I loaded the drive on the Linux workstation and used the little script above to hack the drive. There was a little bug (fixed in the script above) which caused the iptables file to be overwritten rather than saving a backup of the file. Other than that, it seems to be working just fine.

It only took about 7 minutues start to finish to upgrade the drive, and that includes the time to move the drive back and forth and to boot up the host PC. (Gawd, I love Linux!!) Moving the primary drive into an external Antec MX-1 housing and implementing the script have really made the upgrade process easy, yet still readily accessible to the user at the lowest levels. I don't even have to open up either the TiVo or the host PC.

[enliteneer]

This looks pretty sweet! Any plans for an S2 version?

I did the prom mod, and pulled the drive to do the software but it's a pain to pull the drive everytime there's a tivo upgrade! Ideally, if I could put in in a usb enclosure, boot into linux, run a script that re-hacks it, *THAT* would be killer!!!!

I don't know anything about programming/scripting, but if someone can point me in the right direction, maybe I can modify it and post an s2 version?

Thanks!

[grwlfbg]

Hey all,

Jumping back into the scene after being gone for awhile. Had a hacked S1 in the 90's then moved to an HR10-250 a couple years ago. It's been working perfectly but now DirecTV's pulling the plug.

All I really do w/ my HR10-250 is extract shows for burning to DVD as well as enjoying Endpadplus to pad my recordings when possible.

So now I'm faced with buying a new TiVo. I'm planning to buy a TiVo HD XL and start service with my local cable company (I know DTV is coming out with a TiVo model but it'll be at least a year and they should have started working on this earlier).

So my question is, do I need to hack my PROM just to disable encryption? With my other TiVo models I just needed to install a hacked kernel.

I also recall that in the early days of the S2 there was talk of PROM hacking but an all-software solution was developed. Any chance of that here?

Basically I'm trying to find out if I should try and keep my HR10-250 running as long as possible or bite the bullet now and switch to a Cablecard TiVo.

[jt1134]

In order to change the kernel, you must hack the PROM. In order to change the root fs software, you must change the kernel. Unless you come up with a new software exploit, then you'll have to hack the hardware to do anything.

[Offspring2099]

So my question is, do I need to hack my PROM just to disable encryption? With my other TiVo models I just needed to install a hacked kernel.

If I remember correctly, I thought we had to use Superpatch for s2 to remove encryption.
But I too want to know, what do you have to do to remove encryption on s3. Has it been defeated yet?