Page 3 of 24 FirstFirst 1234513 ... LastLast
Results 31 to 45 of 353

Thread: Overview of Hacking an S3

  1. #31
    Join Date
    Feb 2002
    Posts
    6,414
    I've got my hacked S3 working fine with FIOS and two cablecards.
    Please don't PM me or any other members looking for personal assistance. You'll do better by posting (after you've exhausted the search feature, of course) and taking advantage of the collective expertise of the membership instead of a single individual that may or may not be able to help you. Thank you and enjoy your stay at DDB!

  2. #32
    Join Date
    Jan 2004
    Location
    n.h. usa
    Posts
    958
    thanks yes mine is working too.. the issue I was asking about was specifically premium encrypted channels.. as i can watch other stuff no problem.. just thought it maybe was too much of a coincidence that it stopped working when I put the hacked drives in.. more likely it appears to be that they were not hooked up for 2-3 weeks and comcast changed something in my acct..

    just wanted to make sure b4 I lambast them.

  3. #33
    Join Date
    Feb 2002
    Posts
    6,414
    All channels work for me. The only premium I have is HBO but I can record it and extract shows with no problem.
    Please don't PM me or any other members looking for personal assistance. You'll do better by posting (after you've exhausted the search feature, of course) and taking advantage of the collective expertise of the membership instead of a single individual that may or may not be able to help you. Thank you and enjoy your stay at DDB!

  4. #34
    Join Date
    Jan 2004
    Location
    n.h. usa
    Posts
    958
    got both boxes working hacked with all pay channels.. thanks.. if i can help anyone else let me know..

    also has anyone tried having a cable box in addition to the tivo and paid for a ppv etc. on the cable box and then tried to record the show on the tivo????

    thanks omikron for doing prom mod..

    think the problem actually was that omikron must have removed cable cards when doing mod and put them back in the wrong boxes so it wasn't really comcasts fault.. (obviously i didn't tell them that)

    one card was dead anyway error 162 so they still needed to come out.

  5. #35
    Join Date
    Jan 2004
    Location
    n.h. usa
    Posts
    958
    ok isolated the issue

    encryption is off
    pulling off shows with mfs ftp works fine...
    pulling off with tytools works fine
    converting to mpg with tytompg and putting back on with pytivo and they work fine

    putting any .tmf or .ty back on (even those just pulled off and which convert to .mpg and then work fine) with
    mfs_ftp doesn't work.. i get 600 or so seconds time and they only play a blank screen and go immediately to done..

    is there a special fix for insertion using mfs_ftp on series 3 that I missed somewhere thanks..


    this is the log inserting looks .like the number of bytes is wrong so it doesnt inser tthe object.
    it really only sent about 512 meg.. in my little test file..

    04:00:21:AM - 220 Mfs_Ftp ver 1.2.9p - {sock34} from "64.222.190.107:1677"
    04:00:22:AM - 331 User name okay, need password.
    04:00:23:AM - 230 Running in TiVo Mode.
    04:00:24:AM - 200 Type set to I
    04:00:25:AM - 250 Directory change successful.
    04:00:31:AM - 200 PORT command successful.
    04:00:31:AM - 150 Opening BINARY mode data connection for "{{Deadliest Catch}{2008-05-13}{Racing the Clock}{01.00 AM Tue May 02, 2006}{DSCHD}.tmf}"


    inserted 1073 meg at 1605k/sec
    04:05:47:AM - 226 File transfer complete
    04:05:47:AM - mismatch, not setting csos
    04:05:48:AM - updating cached recording info
    .......

    had replaced mfs_ftp with new version with patches but old files extracted with the old version would not insert correctly
    (even though they converted to .mpg fine) had to re extract ... I think it had to do with the missing drm stuff in the .xml

    anyway now it kinda workds but cannot play shows as they are reinserting while you used to be able to when using the older mfs_ftp on series 2.. Is this because we are not inserting till the end ??? whereas we use to do an insert after every part??????? If so can It be fixed.. it is a pain and unuseable to wait for an insert of a 8 gb show 2 hours b4 you can play it..

    2nd I tried mucking with the Copy protection info object

    I cleared it out on a movie recorded on hbohd

    ie

    #!/tvbin/tivosh

    EnableTransactionHoldoff true
    set fsid [lindex $argv 0]
    set db [dbopen]

    puts "ClearCopyP.tcl by lgkahn"
    puts "Clearing the CopyProtectionInfo on a Recording"
    puts "ths fsid is $fsid"

    if { $fsid == "" } {
    puts "Syntax: ClearCopyP.tcl fsid!"
    dbclose $db
    exit 0
    }

    itrans start
    set rec [db $db openidconstruction $fsid]
    set parts [dbobj $rec get Part]
    set overalldrm [dbobj $rec get Drm]
    set copyp [dbobj $overalldrm get CopyProtectionInfo]

    puts "clearing copy protection bits on overall drm ... it was $copyp"
    dbobj $overalldrm remove CopyProtectionInfo
    itrans commit

    puts ""
    dbclose $db


    it did not like that at all and had a flashing red flag by the show when i went back and wouldn't play any longer.. bummer
    there must be a way to remove this so that it can be pulled off with mrv or tivotogo???
    I will keep looking.. any suggestions would be appreciated.
    Last edited by lgkahn; 05-22-2008 at 12:49 PM.

  6. #36
    Join Date
    Aug 2007
    Posts
    8
    Is this any place you can pay to have this mod done for you - for those of us that aren't so good with a soldering iron?

    thanks!

  7. #37
    Join Date
    Jun 2006
    Location
    Dougal County
    Posts
    1,014

  8. #38
    Join Date
    Dec 2004
    Posts
    831

    Finding the TiVo drive

    Is there a simple way to find out which drive on the PC is the TiVo drive? I'm doing a little bit of automation, and the last manual bit left over is inputting the drive spec. It would be great if the script could find the TiVo drive itself, so there's no likelihood of a mistake. I'm running Debian "Etch" Linux on an AMD Athlon 64 x 2. Right now I've got the drive in as a run-time constant (sdb), but the drive mapping could easily change in between the times TiVo pushes an update.

    Edit: Come to think of it, there is one other manual constant, and that is the software version. If there is an easy way to figure out the software version, I could automate that, as well.
    Last edited by lrhorer; 07-21-2008 at 04:27 AM.
    Having trouble with TyTool? Try TyTool Documentation
    Need to hack an S3 / THD? Try S3 Hacking Script

  9. #39
    Join Date
    Dec 2004
    Posts
    831
    If anyone is interested, here is the script so far. For any neophytes, it rather demonstrates the basic requirements for hacking a prom-modded Series III class TiVo. Forgive the very pedestrian approach to scripting.

    hack_tivo:

    Code:
    #!/bin/bash
    
    # Set up the static variables.  Edit as needed.
    dstring=`date +%m-%d-%y`
    HackDir=/hack
    Nul_Init=$HackDir/null-linuxrc.img.gz  #*** Download directly as null-linuxrc.img.gz.zip and rename to null-linuxrc.img.gz ***
    ReplacRd=$HackDir/replace_initrd.x86   #*** Extract directly from replace_initrd.x86.tar.gz ***
    TivoPart=$HackDir/tivopart             #*** Extract bin/tivopart.x86 from tivopart-20040530.zip and rename to tivopart ***
    BootPage=$HackDir/bootpage             #*** Extract directly from bootpage-20040921.zip ***
    HackFile=$HackDir/hacks.fil            #*** Create using a text editor.  Sample included below ***
    TarBall=$HackDir/tivohacks
    
    # Make sure the expected directories exist
    mkdir -p $HackDir/Saved_Kernels/
    mkdir -p $HackDir/Saved_Apps/
    mkdir -p /tivo
    
    # Check that all the expected files exist
    tvalid=0
    if ! [[ -s $Nul_Init && -f $Nul_Init ]]
    then
         echo "Null initrd file $Nul_Init not found."
         tvalid=1
    fi
    
    if ! [[ -s $ReplacRd && -f $ReplacRd ]]
    then
         echo "Binary file $ReplacRd not found."
         tvalid=1
    fi
    
    if ! [[ -s $TivoPart && -f $TivoPart ]]
    then
         echo "Binary file $TivoPart not found."
         tvalid=1
    fi
    
    if ! [[ -s $BootPage && -f $BootPage ]]
    then
         echo "Binary file $BootPage not found."
         tvalid=1
    fi
    
    if ! [[ -f $HackFile ]]
    then
         echo "Text file $HackFile not found."
         echo "Note: The file may be zero length (no hacks to process),"
         echo " but it must exist."
         tvalid=1
    fi
    
    if [[ $tvalid -eq 1 ]]
    then
         echo "This hack will not work without all the correct files in $HackDir under"
         echo "the correct names.  Provide the correct files and try again."
         exit 1
    fi
    
    # Function to evaluate the hardware platform
    tivo_hardware () {
    hardware=$( dd if=$dspec"10" bs=8 count=1 | hexdump | grep 0000000 | cut -d" " -f4 )
    case $hardware in
         baab)   # S3 TiVo
              echo 32
              return 0
         ;;
    
         baeb)   # Tivo_HD
              echo 64
              return 0
         ;;
    
         *)        # Not a TiVo
              echo
              return 1
         ;;
    esac
    }
    
    # Scan for TiVo partitions
    tvalid=1
    for dspec in /dev/sd?;
    do
            # Check the target is a hard drive then Attempt to load the drive partitions
            # Change the "disk" string if Linux thinks the drive is not a hard drive.  Typically,
            # this may happen if a USB / SATA adapter is used.
            ls -l $dspec | grep -q disk
            if [ $? -eq 0 ];
            then
                    echo $dspec
    
                    # Check for a tenth partition on the target drive.
                    if [[ -b $dspec"10" ]]
                    then
                            echo Tenth partition found for $dspec"10"
    
                            # Check to see if the tenth partition is a known TiVo partition type
                            tivo_type=$( tivo_hardware )
                            tvalid=$?
                            [[ $tvalid -eq 0 ]] && break
                    else
                            # Attempt to rescan the drive to provide TiVo partitions
                            $TivoPart r $dspec 1> /dev/null 2>&1
    
                            # Check to see if a tenth partition has appeared
                            if [[ -b $dspec"10" ]]
                            then
                                 # Check to see if the new tenth partition is a known TiVo partition type
                                 tivo_type=$( tivo_hardware )
                                 tvalid=$?
                                 [[ $tvalid -eq 0 ]] && break
                            fi
                    fi
            fi
    done
    
    if [ $tvalid -eq 1 ]
    then
            echo Valid TiVo Drive not found.  Exiting.
            exit 1
    fi
    echo MFS file system is $tivo_type bits
    echo
    
    # Get the active root partition using bootpage (assumes root=/dev/hdaX is the first parameter).
    root=$( $BootPage -p $dspec | cut -d" " -f1 )
    echo $root | grep -q "root=/dev/hd"
    if [ $? -ne 0 ];
    then
         echo "Invalid bootpage parameters.  Please correct the bootpage parameters before continuing."
         echo "Current parameters: $( $BootPage -p $dspec )"
         exit 1;
    fi
    
    # Get the active kernel partition using bootpage
    kerndrv=$dspec$( $BootPage -b $dspec )
    
    # Use the name of the root partition on the TiVo to set the name of the root partition on the PC
    rootdrv=$dspec${root##*hda}
    
    # Set the partition for /var
    vardrv=${dspec}9
    
    # Display the active partitions and pause for 5 seconds.
    echo
    echo Boot = $kerndrv
    echo Root = $rootdrv
    echo /var = $vardrv
    echo
    tvar=5
    until [ $tvar -lt 1 ];
    do
            echo -ne "     "$tvar "\r"
            sleep 1
            tvar=$[ $tvar - 1 ];
    done
    echo  "       "
    
    echo
    echo Mounting Drives...
    mount | grep $rootdrv || mount $rootdrv /tivo
    mount | grep $vardrv || mount $vardrv /tivo/var
    
    # Get the software version
    sver=`cat /tivo/etc/build-version`
    sver=${sver##*\ }
    
    echo Writing new Kernel...
    $ReplacRd $kerndrv $Nul_Init /hack/Saved_Kernels/"$sver"_Kernel:$dstring
    
    echo
    echo Replacing IP Tables Function
    cd /tivo/sbin
    cp iptables iptables.sav.$dstring
    echo
    tvar=5
    until [ $tvar -lt 1 ];
    do
            echo -ne "     "$tvar "\r"
            sleep 1
            tvar=$[ $tvar - 1 ];
    done
    
    echo Copying Files...
    echo Copying tivohacks$tivo_type...
    sleep 2
    cd /tivo
    if [[ -a $TarBall$tivo_type.tar ]];
    then
         tar -xvf $TarBall$tivo_type.tar;
    elif [[ -a $HackFile$tivo_type.tar.gz ]];
    then
         tar -xzvf $TarBall$tivo_type.tar.gz;
    else
         echo $TarBall$tivo_type.tar not found.  Exiting...
         exit 1;
    fi
    echo
    echo Writing new tivoapp
    $HackDir/hack_tivoapp
    hack_tivoapp:

    Code:
    #!/bin/bash
    
    # Check if this is running on a TiVo or a PC
    # Assumes if the environment variable TIVO_ROOT exists
    # then this running on a TiVo
    set | grep -q "TIVO_ROOT="
    
    if [[ $? -eq 0 ]]
    then
            # Set up the static variables for running on a TiVo
            mkdir -p /var/hack/Saved_Apps/
            SaveFile=/var/hack/Saved_Apps/tivoapp.tmp
            dstring=`date +%m-%d-%y`
            Archive=/var/hack/Saved_Apps/tivoapp.sav
            HackFile=/var/hack/hacks.fil
            Platform=TiVo
            # Change to the directory containing tivoapp
            cd /tvbin
            # Change the root filesystem to read/write
            mount -o remount,rw /
    else
            # Set up the static variables for running on a PC
            SaveFile=/hack/Saved_Apps/tivoapp.tmp
            Archive=/hack/Saved_Apps/tivoapp.sav
            HackFile=/hack/hacks.fil
            Platform=PC
           # Change to the directory containing tivoapp
           cd /tivo/tvbin
    fi
    
    if ! [[ -f $HackFile ]]
    then
            echo "Text file hacks.fil not found in /hack.  Exiting"
            [[ $Platform == TiVo ]] && mount -o remount,ro /
            exit 1
    fi
    
    echo Creating temporary tivoapp
    cp tivoapp $SaveFile
    
    echo Getting the hacking parameters for tivoapp
    fail=1
    while read line
    do
            offset=$(( $(echo $line | cut -d" " -f1) - 0x00400000 ))
            oldword=$(echo $line | cut -d" " -f2 | sed s'/"//g')
            newword=$(echo $line | cut -d" " -f3 | sed s'/"//g')
            echo $oldword $newword $offset
    
            if [[ $Platform == PC ]]
            then
                    B1=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c11-12 )
                    B2=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c9-10 )
                    B3=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c16-17 )
                    B4=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c14-15 )
                    testword=$B1$B2$B3$B4
            else
                    B1=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c9-12 )
                    B2=$( dd if=tivoapp skip=$offset bs=1 count=4 2> /dev/null | hexdump | grep 0000000 | cut -c14-17 )
                    testword=$B1$B2
            fi
    
            echo $testword
            # Check to make sure the bytes match
            if [[ "$testword" == "$oldword" ]]
            then
                    echo Updating tivoapp $( echo $line | cut -d" " -f4)
                    # Convert the string into a 4 byte number expression
                    escape="\x"
                    H1=${newword:0:2}
                    H2=${newword:2:2}
                    H3=${newword:4:2}
                    H4=${newword:6:2}
                    newword=$escape$H1$escape$H2$escape$H3$escape$H4
                    echo -ne "$newword" | dd conv=notrunc of=$SaveFile bs=1 seek=$offset
            elif [[ "$testword" == "$newword" ]]
            then
                    echo Failed for $oldword $newword $offset
                    echo Tivoapp already has patch at this location.
                    test -e $SaveFile && rm $SaveFile
                    [[ $Platform == TiVo ]] && mount -o remount,ro /
                    exit 1
            else
                    echo Failed for $oldword $newword $offset Old value: $testword
                    echo Exiting
                    [[ $Platform == TiVo ]] && mount -o remount,ro /
                    test -e $SaveFile && rm $SaveFile
                    exit 1
            fi
    done < $HackFile
    
    echo Saving old tivoapp
    test -e $Archive.$dstring && mv $Archive.$dstring $Archive.$dstring.safety
    mv tivoapp $Archive.$dstring
    mv $SaveFile tivoapp
    [[ $Platform == TiVo ]] && mount -o remount,ro /
    echo
    echo Done!
    Both of these scripts are designed to be used on an ordinary fairly recent Linux distribution running on a PC with a kernel of 2.6.26 or later. They may also work with a Live CD, but may not. The hack_tivoapp script can also be run on a live TiVo (untested) (tested 10/03/2012 by Dave20042004).

    Example hacks.fil (11.0k):

    Code:
    0x005d2dec 104000aa 100000aa //noencryption
    0x006562a0 30b000ff 00008021 //cci1
    0x006562c4 00e08821 24110000 //cci2
    0x01046970 30b000ff 00008021 //cci3
    0x00774f74 00008021 24100001 //backdoors	
    0x009b3b20 12400003 10000003 //deletethisrecording?
    0x00b8f910 14400026 10400026 //30secskip
    0x00b93eb8 0c2e5325 00000000 //nopauseads

    11.0m:

    Code:
    0x005d2e0c "104000aa 100000aa"	//noencryption
    0x006562c0 "30b000ff 00008021"	//cci1
    0x006562e4 "00e08821 24110000"	//cci2
    0x00772e70 "00008021 24100001"	//backdoors
    0x010826a0 "30b000ff 00008021"	//cci3
    0x009b3c28 "12400003 10000003"  //deletethisrecording?
    0x00b8f55c "14400026 10400026"  //30secskip
    0x00b93c20 "0c2e527f 00000000"  //nopauseads
    This of course assumes bootpage, tivopart, replace_initrd.x86 and its little null-linuxrc.img.gz null initrd are all in /hack on the PC under those exact names. It also requires a tarball (tivohacks.tar) (tivohacks32.tar or tivohacks64.tar) of all the files to be placed on the TiVo. I include the mfs utilities, TiVoWebPlus, busybox, /etc/profile, and /etc/rc.d/rc.sysinit.author as well as the iptables hack in the tarball.

    Edit: Automated the code a bit and added a more sophisticated tivoapp hacking routine. Replaced a user edited version string with a date string for archived kernel and tivoapp. Added a customized tivohacks32.tar and tivohacks64.tar to automate upgrades for both S3 and THD TiVos. Added bootpage parameter check. Added additional file checks. Revised hack_tivoapp so it should run on either a PC or a live TiVo (untested) (tested 10/03/2012 by Dave20042004). Added static variables for all directories and files at the top of the script to make user customization easier. Fixed a bug that mistakenly checked for the wrong name for the tarball file. Fixed a couple of missing quote marks that made the error report look odd.

    Note: There is a small "bug" in the script in that should the user have a drive other than the TiVo drive on the PC with more than 9 partitions whose drive spec is lower than the TiVo's, the script will think the non-TiVo drive is a TiVo drive and quit searching. This will cause the script to fail. Anyone who has a drive with more than 9 partitions may need to modify the script or their system accordingly. This should be fixed, now.

    Note: The hack_tivo script performs a check to make sure the potential target is a hard drive. One user employed a USB - SATA adapter that caused Linux to think it was a floppy, causing the script to fail. Modifying the check in line 9 at the top of the script 87 fixed the issue for him.

    Sample tivohacks files:
    http://fletchergeek.com/images/tivohacks32.tar.gz
    http://fletchergeek.com/images/tivohacks64.tar.gz

    bootpage:
    http://www.dealdatabase.com/forum/sh...56&#post193456

    tivopart:
    http://www.dealdatabase.com/forum/at...8&d=1085952312

    replace_initrd:
    http://dealdatabase.com/forum/showthread.php?t=53272
    http://dealdatabase.com/forum/showth...itrd#post84133
    Last edited by lrhorer; 09-02-2013 at 03:35 PM.
    Having trouble with TyTool? Try TyTool Documentation
    Need to hack an S3 / THD? Try S3 Hacking Script

  10. #40
    Join Date
    Mar 2005
    Posts
    60
    buechel, thanks for the guide man! I successfully hacked my TivoHD, got everything working.... and then upgraded to 9.4!! ARGH!

    Time to pull my drive again...

    But thanks none-the-less!

  11. #41
    Join Date
    Dec 2004
    Posts
    831

    9.4 Working

    My TiVo HD finally got the 9.4 upgrade last night, so I loaded the drive on the Linux workstation and used the little script above to hack the drive. There was a little bug (fixed in the script above) which caused the iptables file to be overwritten rather than saving a backup of the file. Other than that, it seems to be working just fine.

    It only took about 7 minutues start to finish to upgrade the drive, and that includes the time to move the drive back and forth and to boot up the host PC. (Gawd, I love Linux!!) Moving the primary drive into an external Antec MX-1 housing and implementing the script have really made the upgrade process easy, yet still readily accessible to the user at the lowest levels. I don't even have to open up either the TiVo or the host PC.
    Having trouble with TyTool? Try TyTool Documentation
    Need to hack an S3 / THD? Try S3 Hacking Script

  12. #42
    Join Date
    Apr 2003
    Posts
    41
    This looks pretty sweet! Any plans for an S2 version?

    I did the prom mod, and pulled the drive to do the software but it's a pain to pull the drive everytime there's a tivo upgrade! Ideally, if I could put in in a usb enclosure, boot into linux, run a script that re-hacks it, *THAT* would be killer!!!!

    I don't know anything about programming/scripting, but if someone can point me in the right direction, maybe I can modify it and post an s2 version?

    Thanks!

  13. #43
    Join Date
    Feb 2004
    Posts
    16
    Hey all,

    Jumping back into the scene after being gone for awhile. Had a hacked S1 in the 90's then moved to an HR10-250 a couple years ago. It's been working perfectly but now DirecTV's pulling the plug.

    All I really do w/ my HR10-250 is extract shows for burning to DVD as well as enjoying Endpadplus to pad my recordings when possible.

    So now I'm faced with buying a new TiVo. I'm planning to buy a TiVo HD XL and start service with my local cable company (I know DTV is coming out with a TiVo model but it'll be at least a year and they should have started working on this earlier).

    So my question is, do I need to hack my PROM just to disable encryption? With my other TiVo models I just needed to install a hacked kernel.

    I also recall that in the early days of the S2 there was talk of PROM hacking but an all-software solution was developed. Any chance of that here?

    Basically I'm trying to find out if I should try and keep my HR10-250 running as long as possible or bite the bullet now and switch to a Cablecard TiVo.

  14. #44
    Join Date
    Jun 2006
    Location
    Dougal County
    Posts
    1,014
    In order to change the kernel, you must hack the PROM. In order to change the root fs software, you must change the kernel. Unless you come up with a new software exploit, then you'll have to hack the hardware to do anything.

  15. #45
    Join Date
    Mar 2006
    Location
    Los Angeles, CA
    Posts
    141
    Quote Originally Posted by grwlfbg View Post
    So my question is, do I need to hack my PROM just to disable encryption? With my other TiVo models I just needed to install a hacked kernel.
    If I remember correctly, I thought we had to use Superpatch for s2 to remove encryption.
    But I too want to know, what do you have to do to remove encryption on s3. Has it been defeated yet?
    S3 / TCD648250b - Socketed
    Audio out of sync

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •