Thread: S3 hack for CCI after PROM mod

  1. #46
    Join Date
    Aug 2010
    Posts
    4

    Follow-up

    Ok, I think I got a usb thumbdrive to mount (as a cdrom!) in MFSLive.

    Do I need to copy the files on the thumbdrive to a specific area or should I just be able to run them from the mounted thumbdrive? It doesn't seem like I am able to run the busybox.replace_initrd.x86 directly from the thumbdrive.

    Can anyone give me specific commands to run or some sort of guidance of where I'm going wrong?

    Thanks.

  2. #47
    Join Date
    Jan 2005
    Posts
    997
    Quote Originally Posted by tivodeal View Post
    At the "[mfslive:/]:" prompt I then type the command:
    "busybox.replace_initrd.x86 /dev/sda3 null-linuxrc.img.gz original_kernel.bak"

    When I hit enter I receive the message:

    "-bin/sh: busybox.replace_initrd.x86: not found"
    Looks like you need ./ since the working dir is not in your path, like:
    Code:
    ./busybox.replace_initrd.x86 /dev/sda3 null-linuxrc.img.gz original_kernel.bak
    Oh, and given that command it appears you will write the backup kernel to your floppy which could pose a problem...
    ScanMan --> Just another Tivo hacker...
    Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software

  3. #48
    Join Date
    Aug 2010
    Posts
    4

    ...or should I just use the vmlinux-Gen05.px ?

    Thanks for the quick response to my previous post!

    This is all starting to become clearer to me.

    I am just trying to remove the CCI flag from future recordings on my Series 3 (running 11.0h) with the active kernel in partition 3. Maybe in the future I'll explore the telnet, backdoors, etc.

    Would it be easier if I just copied Jamie's "vmlinux-Gen05.px" into a new hack directory in partition 9 and then execute the command:

    "dd if=vmlinux-Gen05.px of=/dev/sda3"

    to replace the initrd ? If so, would I want to run the dd from the hack directory or should I cd to the home directory?

    Then could I just mount sda4 at Tivo and apply the command lines:

    "echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=2452864"
    "echo -ne "\x24\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2452900"
    "echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=13939052"

    Thanks again!

  4. #49
    Join Date
    Jan 2005
    Posts
    997
    Quote Originally Posted by tivodeal View Post
    Thanks for the quick response to my previous post!

    This is all starting to become clearer to me.

    I am just trying to remove the CCI flag from future recordings on my Series 3 (running 11.0h) with the active kernel in partition 3. Maybe in the future I'll explore the telnet, backdoors, etc.

    Would it be easier if I just copied Jamie's "vmlinux-Gen05.px" into a new hack directory in partition 9 and then execute the command:

    "dd if=vmlinux-Gen05.px of=/dev/sda3"

    to replace the initrd ? If so, would I want to run the dd from the hack directory or should I cd to the home directory?

    Then could I just mount sda4 at Tivo and apply the command lines:

    "echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=2452864"
    "echo -ne "\x24\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2452900"
    "echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=13939052"

    Thanks again!
    Well first if you use Jamie's custom kernel you'll need to neuter 'iptables' to return "exit 0" or you'll run into rolling reboots. Also, the offsets in the tivoapp patches (seek=) are relative to tivoapp running in memory; they are not the same if you are patching offline.
    ScanMan --> Just another Tivo hacker...
    Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software

  5. #50
    Join Date
    Aug 2010
    Posts
    4
    Man, there are a lot of minefields in this! Thanks for bearing with me.

    re: the iptables and exit 0 - is there another kernel I should use? Or, if I used Jamie's kernel, do you think these commands would do the trick?:

    " cd tivo/sbin " ----------------- (i think this is a default directory)
    " mv iptables iptables.original " -- (to copy and rename the old iptables)
    " vi iptables " ------------------ (to open the visual editor)
    " #!/bin/bash " ----------------- (i think this allows me to edit the bash shell)
    " exit 0 " ---------------------- (this adds the 'exit 0' return that you mentioned)
    " :wq " ------------------------ (which saves the changes)
    " chmod 755 iptables " --------- (which makes 'iptables' executable to all)



    re: offsets, isn't the offline patching offset fixed at 0x400000 (in hex) which equals 4194304 in decimal? Or does it move around? If it is fixed, couldn't I convert each of the 3 patch execution addresses for CCI to decimal and then subtract the offset?

    For example, in the "11.0h is rolling out" thread, the address for cci1 is shown as 0x00656d80, so:

    cci1 = 0x00656d80 (hex)
    0x00656d80 = 6647168 (decimal)
    6647168 - 4194304 = 2452864

    so I would use "seek=2452864" in the command line as before?

    then I would use the same math for the two other cci patch addresses?


    Thanks again for your help!

  6. #51
    Join Date
    Jan 2005
    Posts
    997
    Quote Originally Posted by tivodeal View Post
    Man, there are a lot of minefields in this! Thanks for bearing with me.

    re: the iptables and exit 0 - is there another kernel I should use? Or, if I used Jamie's kernel, do you think these commands would do the trick?:

    " cd tivo/sbin " ----------------- (i think this is a default directory)
    " mv iptables iptables.original " -- (to copy and rename the old iptables)
    " vi iptables " ------------------ (to open the visual editor)
    " #!/bin/bash " ----------------- (i think this allows me to edit the bash shell)
    " exit 0 " ---------------------- (this adds the 'exit 0' return that you mentioned)
    " :wq " ------------------------ (which saves the changes)
    " chmod 755 iptables " --------- (which makes 'iptables' executable to all)



    re: offsets, isn't the offline patching offset fixed at 0x400000 (in hex) which equals 4194304 in decimal? Or does it move around? If it is fixed, couldn't I convert each of the 3 patch execution addresses for CCI to decimal and then subtract the offset?

    For example, in the "11.0h is rolling out" thread, the address for cci1 is shown as 0x00656d80, so:

    cci1 = 0x00656d80 (hex)
    0x00656d80 = 6647168 (decimal)
    6647168 - 4194304 = 2452864

    so I would use "seek=2452864" in the command line as before?

    then I would use the same math for the two other cci patch addresses?


    Thanks again for your help!
    Ah, I see you've been doing your homework, excellent! Yes, the iptables approach will work and your math for adjusting the offsets looks right. You could also patch tivoapp offline with a hex editor, the advantage being you are able to confirm the old value at the proper location before editing.
    ScanMan --> Just another Tivo hacker...
    Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software
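
The offset arithmetic discussed in posts #50 and #51, generalized as an added example (not part of the original thread): instead of assuming a fixed 0x400000 base, it reads the ELF PT_LOAD program headers to map a run-time address to a file offset. The sample headers and their segment layout are constructed for illustration and are not taken from tivoapp.

```python
import struct

PT_LOAD = 1

def load_segments(elf):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(e + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(e + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x2A)
    segments = []
    for i in range(phnum):
        at = phoff + i * phentsize
        if is64:
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(e + "IIQQQQ", elf, at)
        else:
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(e + "IIIII", elf, at)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments

def vaddr_to_offset(elf, vaddr):
    """Map a run-time address to its byte offset in the file on disk."""
    for p_offset, p_vaddr, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by file data")

def build_sample():
    """Constructed ELF32 big-endian headers; the layout is an assumption."""
    ehdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, 0x400000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    text = struct.pack(">8I", 1, 0, 0x400000, 0x400000, 0xE00000, 0xE00000, 5, 0x1000)
    data = struct.pack(">8I", 1, 0xE00000, 0x10000000, 0x10000000, 0x1000, 0x2000, 6, 0x1000)
    return ehdr + text + data

SAMPLE = build_sample()

if __name__ == "__main__":
    for addr in (0x00656D80, 0x10000010):
        print(f"{addr:#010x} -> file offset {vaddr_to_offset(SAMPLE, addr)}")
```

The second constructed segment starts at a non-zero file offset, so a single fixed subtraction would give the wrong answer there; an address that falls in memory-only space (beyond `p_filesz`) raises `ValueError` because no file byte corresponds to it.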

  7. #52
    Join Date
    Jul 2009
    Posts
    1

    Finally Able To Kill CCI On My TiVoHD

    Quote Originally Posted by no_cci View Post
    Much of the discussion in this forum assumes you want to gain complete control of your TiVo and run your own software on it. Here I'll assume that all you want to do is transfer protected TV shows to your PC. This is easier.
    Thanks for this wonderful entry. I was finally able to kill the CCI on my TivoHD running 11.0j. I should probably admit to being a newbie so the more experienced user can just skip reading this.

    I had my PROM hacked by Omikron's service way back in 2009. I tried following mlcarson's instructions in the Newbie forum but all I got was a Tivo that would not boot. I got the welcome screen but it pretty much sat there or looped. I tried both Gen06 custom kernels but got the same result.

    I tried pulling the disk and looking for any log files but could not see any that might give me a clue. I considered trying to build a console for my TiVo but it was hard for me to follow the forums and figure out what to do. The last thing I wanted to do was do permanent damage to my TiVo box due to my stupidity.

    I booted up with MFSLive 1.4. I found that plugging in the USB drive after Linux was up resulted in console messages that showed me where to find the USB device.

    Using the TiVo provided kernel and patching it with replace_initrd.x86 went very smoothly. I was then able to calculate the offset for the three CCI patches. That also went very smoothly.

    I put the drive back into my TiVo and it came right up. I did a few test recordings on stations that had previously prevented transfers. I was able to move them to my PC and to my second TiVoHD. Life is good again!

    Thanks to all the people who contribute to this forum.

  8. #53
    Join Date
    Jun 2009
    Posts
    4

    upgradesoftware=false

    Quote Originally Posted by PilotHk View Post
    I was finally able to kill the CCI on my TivoHD running 11.0j.
    I'm glad this worked for you! After upgrading this way a couple of times I got tired of repeatedly hacking the disk, and so I turned off automatic software upgrades using the command

    bootpage -P "root=/dev/hda7 upgradesoftware=false" /dev/sda

    while the Tivo disk was still connected to my computer after hacking it. You might need "hda4" rather than "hda7" -- the number should be the bootpage plus 1. This worked for over a year, until suddenly the Web interface for transferring shows stopped working. When I checked the Media Access Key setting, I found that it was now stuck at "Temporarily not available". To fix this I needed to let the Tivo upgrade. Connecting the disk to my computer, I changed the boot parameters again

    bootpage -P "root=/dev/hda7 upgradesoftware=true" /dev/sda

    Then I let the Tivo reboot and install the software it had long ago downloaded. The Media Access Key was again available as soon as the Tivo connected to a Tivo server (rather than wait I told it to immediately connect using the Phone and Network setting). Then I unplugged the Tivo and rehacked the disk, as in my previous note. Before disconnecting it from my computer I again turned automatic upgrades off

    bootpage -P "root=/dev/hda4 upgradesoftware=false" /dev/sda

    Notice that the hda number has changed. If the hda number for the "root=" parameter isn't the bootpage number plus 1, the Tivo will not boot properly. I'm not sure how long this will work this time, before Tivo turns off my web interface again. We'll see.

    [Note added in October 2013: I needed to let it upgrade again after about 2 years. When I didn't upgrade for a few weeks, it eventually just stayed stuck on the boot screen, but allowing it to upgrade fixed this, and then I rehacked it.]

    BTW, it's worth mentioning that if you ever screw up hacking the kernel or the tivo app, so the machine won't boot, you can go back to the previous version of the software by changing the bootpage and the "root=" parameters. You can use "bootpage -b /dev/sda" to see what the current bootpage is (e.g., 3), and "bootpage -B 6 /dev/sda" to change it (if it was 6, change it to 3). Don't forget to set the "root=" parameter to match the bootpage plus 1. If you leave the "upgradesoftware" parameter set to true, the upgrade should be reinstalled when you reboot the Tivo, and then you can try the hack again. Be sure that the upgrade has happened before you hack: never touch the old (working) version of the software!
    Last edited by no_cci; 10-15-2013 at 03:04 AM. Reason: answered question about how long

  9. #54
    Join Date
    Jun 2009
    Posts
    4

    thumbdrive

    Quote Originally Posted by tivodeal View Post
    Ok, I think I got a usb thumbdrive to mount (as a cdrom!) in MFSLive.

    Do I need to copy the files on the thumbdrive to a specific area or should I just be able to run them from the mounted thumbdrive? It doesn't seem like I am able to run the busybox.replace_initrd.x86 directly from the thumbdrive.
    For me the thumbdrive showed up as sdb1, and I mounted it with the command

    mount /dev/sdb1 /mnt

    Then to run the busybox command, I changed to the /mnt directory (cd /mnt) and ran the command in that directory (./busybox.replace...).

  10. #55
    Join Date
    Jan 2011
    Posts
    9
    Quote Originally Posted by no_cci View Post
    Connecting the disk to my computer, I changed the boot parameters again

    bootpage -P "root=/dev/hda7 upgradesoftware=true" /dev/sda
    bootpage exists on the TiVo, you don't need to connect the hard drive to your PC just to change the bootpage parameters, assuming you've enabled telnet logins.

  11. #56
    Join Date
    Jun 2009
    Posts
    4

    telnet

    Quote Originally Posted by Kayle View Post
    bootpage exists on the TiVo, you don't need to connect the hard drive to your PC just to change the bootpage parameters, assuming you've enabled telnet logins.
    In post #37 I described a minimal hack to turn off CCI checking (which is all that I did). So I didn't even enable telnet, and just did everything with the disk connected to the computer.

  12. #57
    Join Date
    Dec 2004
    Posts
    831
    Quote Originally Posted by no_cci View Post
    In post #37 I described a minimal hack to turn off CCI checking (which is all that I did). So I didn't even enable telnet, and just did everything with the disk connected to the computer.
    I would say ftp and telnet are an absolute must for a hacked TiVo.
    Having trouble with TyTool? Try TyTool Documentation
    Need to hack an S3 / THD? Try S3 Hacking Script

  13. #58
    Join Date
    Jul 2007
    Posts
    201
    Quote Originally Posted by no_cci View Post
    I'm glad this worked for you! After upgrading this way a couple of times I got tired of repeatedly hacking the disk, and so I turned off automatic software upgrades using the command

    bootpage -P "root=/dev/hda7 upgradesoftware=false" /dev/sda

    while the Tivo disk was still connected to my computer after hacking it. You might need "hda4" rather than "hda7" -- the number should be the bootpage plus 1. This worked for over a year, until suddenly the Web interface for transferring shows stopped working. When I checked the Media Access Key setting, I found that it was now stuck at "Temporarily not available". To fix this I needed to let the Tivo upgrade. Connecting the disk to my computer, I changed the boot parameters again

    bootpage -P "root=/dev/hda7 upgradesoftware=true" /dev/sda

    Then I let the Tivo reboot and install the software it had long ago downloaded. The Media Access Key was again available as soon as the Tivo connected to a Tivo server (rather than wait I told it to immediately connect using the Phone and Network setting). Then I unplugged the Tivo and rehacked the disk, as in my previous note. Before disconnecting it from my computer I again turned automatic upgrades off

    bootpage -P "root=/dev/hda4 upgradesoftware=false" /dev/sda

    Notice that the hda number has changed. If the hda number for the "root=" parameter isn't the bootpage number plus 1, the Tivo will not boot properly. I'm not sure how long this will work this time, before Tivo turns off my web interface again. We'll see.

    BTW, it's worth mentioning that if you ever screw up hacking the kernel or the tivo app, so the machine won't boot, you can go back to the previous version of the software by changing the bootpage and the "root=" parameters. You can use "bootpage -b /dev/sda" to see what the current bootpage is (e.g., 3), and "bootpage -B 6 /dev/sda" to change it (if it was 6, change it to 3). Don't forget to set the "root=" parameter to match the bootpage plus 1. If you leave the "upgradesoftware" parameter set to true, the upgrade should be reinstalled when you reboot the Tivo, and then you can try the hack again. Be sure that the upgrade has happened before you hack: never touch the old (working) version of the software!
    For the benefit of future searchers, WinMFS has a tool called bootfix (or fixboot). Option 1 will set the drive to boot from 3 and 4, and option 2 will set it to boot from 6 and 7.
    Too busy TiVo wrangling to watch television anymore.

  14. #59
    Join Date
    May 2007
    Posts
    449
    Quote Originally Posted by lrhorer View Post
    I would say ftp and telnet are an absolute must for a hacked TiVo.
    Yep, no other way to add TWP and that is a must have app or you may as well not hack the Tivo...
