
Thread: Decryption

  1. #1
    Join Date
    Sep 2006
    Posts
    648

    Decryption

    I've been around on the forums for a while and I see a lot of OMG, my Tivo HDD is dying and I have encryption on. What can I do? Or I'm trying to extract a file and it fails (because encryption is on).

    Short of a kernel hack, I haven't seen a way to deal with this. Does anybody know how to find the key and/or what the encryption algorithm is? Is the value in the CSO the actual key?

    The reason I ask is that if it's a common algorithm and the key is available, it wouldn't take too much to write something to decrypt on the fly.

  2. #2
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,021
    we sort of already have that. there's an unscramble.o for series 1 and a s2_unscramble for series 2. basically, it's just easier to turn encryption off and not have to worry about it.

    ronny

  3. #3
    Join Date
    Sep 2006
    Posts
    648
    Quote: Originally Posted by ronnythunder
    we sort of already have that. there's an unscramble.o for series 1 and a s2_unscramble for series 2. basically, it's just easier to turn encryption off and not have to worry about it.

    ronny
    Doesn't s2_unscramble require a custom kernel? That's a little nerve-racking for most. Even if you can monte, it is still not easy (my first monte required a Torx screwdriver).

  4. #4
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,021
    Quote: Originally Posted by dburckh
    Doesn't s2_unscramble require a custom kernel? That's a little nerve-racking for most. Even if you can monte, it is still not easy (my first monte required a Torx screwdriver).
    yes, it does. it seems clear that the author intended for it to be mainly used to "rescue" encrypted recordings and that users should move forward with encryption disabled.

    ronny

  5. #5
    Join Date
    Aug 2004
    Posts
    4,085
    The encryption key is formed from the recording specific MFS metadata (aka CSO keys in older software versions), the DiskConfigurationKey in MFS, and data on the tivo motherboard cryptochip. This is briefly discussed in the mfs_ftp scramble_utils/readme.txt file. The descrambling is done in hardware using the keys provided by the software via an ioctl.

    It might be possible to reverse this. You'd need to figure out how the 3 data sources are combined into a key, and develop a software implementation of the hw decryption the tivo uses. I suspect it isn't trivial, or it would have been done by now. Just being able to construct the crypto key from the three data sources would be a good start, as it would allow decrypted extraction without a custom kernel.

  6. #6
    Join Date
    Sep 2006
    Posts
    648
    If the encryption algorithm isn't known or is proprietary, that's a pretty big show stopper.

    I was hoping it would be software based and possibly part of the s2_unscramble stuff. Since it's hardware based, I don't think it's going to be easy to identify, maybe impossible.

    Java implements a lot of standard encryption algorithms, most notably AES and DES. I was hoping it would be a supported one, then the encryption would be easy to add. All that would be left was deriving the keys.

  7. #7
    Join Date
    Aug 2004
    Posts
    4,085
    Quote: Originally Posted by dburckh
    If the encryption algorithm isn't known or is proprietary, that's a pretty big show stopper.

    I was hoping it would be software based and possibly part of the s2_unscramble stuff. Since it's hardware based, I don't think it's going to be easy to identify, maybe impossible.

    Java implements a lot of standard encryption algorithms, most notably AES and DES. I was hoping it would be a supported one, then the encryption would be easy to add. All that would be left was deriving the keys.
    You can probably dig around product data sheets to see if you can figure out the hw scramble/descrambling algorithm. If I remember right, in the old days, it was done in a custom tivo asic that did all the scrambled disk I/O. On recent hw, it's done by the broadcom integrated STB chips, I think.

    If you can derive the keys, it would be relatively simple to descramble-on-the-fly in the tivo side software (e.g. mfs_uberexport/tserver/vserver etc). As far as I know, no one has been able to do this, hence the s2_unscramble method of having the kernel cache the keys for us.
    Last edited by Jamie; 08-27-2007 at 06:51 PM.

  8. #8
    Join Date
    Sep 2006
    Posts
    648
    Looks like they use Blowfish for data transmission.

    http://www.tivo.com/assets/pdfs/policies/ftc_letter.pdf

    And here's the Java cypher library:

    http://www.koders.com/java/fid3CAADD...spx?s=blowfish

    Now to figure out how to get the keys...
    Last edited by dburckh; 08-27-2007 at 10:40 PM. Reason: Jumped the gun

  9. #9
    Join Date
    Aug 2004
    Posts
    4,085
    Quote: Originally Posted by dburckh
    Looks like they use Blowfish for data transmission.

    http://www.tivo.com/assets/pdfs/policies/ftc_letter.pdf

    ...
    It uses blowfish for communications with the "TiVo Broadcast Center" (aka the mothership), but I'm not at all convinced that the streams are blowfish encrypted. Did you see something there that indicated that? As far as I can see, that white paper concentrates on describing how private user data is protected via encryption, not how recordings are protected.
    Last edited by Jamie; 08-27-2007 at 11:02 PM.

  10. #10
    Join Date
    Sep 2006
    Posts
    648
    Yeah. I got a little too excited there. I saw a post on another forum that one model uses an AT90SC6464, but I couldn't find any information on that chip. It might be unique per model too.

    Anyway, time for a little BioShock!

  11. #11
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,823
    Quote: Originally Posted by dburckh
    Doesn't s2_unscramble require a custom kernel? That's a little nerve-racking for most. Even if you can monte, it is still not easy (my first monte required a Torx screwdriver).
    Not really, it's only slightly more complicated than installing a hard drive to a PC, and there is virtually no risk in bricking anything if all you remove/unplug is the hard disk. You want nerve wracking, try doing a prom mod.
    Before PMing me: I'm not your personal tech support. If you have a question, ask in public so I don't have to repeat if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs.

    Sponsor a vegetarian! I have taken the pledge, how about you?

  12. #12
    Join Date
    Sep 2006
    Posts
    648
    There are different levels. Personally, I would never do a prom mod myself. I shake like a tree in the wind with a soldering iron in my hand. I had to repaint a trace with a defroster repair kit when I hacked my X-Box.

    Until you do something the first time, it's pretty intimidating. Some of us have only been doing this for 9 months.
