Member in Training.
Ok, I think I got a usb thumbdrive to mount (as a cdrom!) in MFSLive.
Do I need to copy the files on the thumbdrive to a specific area or should I just be able to run them from the mounted thumbdrive? It doesn't seem like I am able to run the busybox.replace_initrd.x86 directly from the thumbdrive.
Can anyone give me specific commands to run or some sort of guidance of where I'm going wrong?
Thanks.
Diamond Member
Looks like you need ./ since the working dir is not in your path, like:Originally Posted by tivodeal
Oh, and given that command it appears you will write the backup kernel to your floppy which could pose a problem...Code:./busybox.replace_initrd.x86 /dev/sda3 null-linuxrc.img.gz original_kernel.bak
ScanMan --> Just another Tivo hacker...
Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software
Member in Training.
Thanks for the quick response to my previous post!
This is all starting to become clearer to me.
I am just trying to remove the CCI flag from future recordings on my Series 3 (running 11.0h) with the active kernel in partition 3. Maybe in the future I'll explore the telnet, backdoors, etc.
Would it be easier if I just copied Jamie's "vmlinux-Gen05.px" into a new hack directory in partition 9 and then execute the command:
"dd if=vmlinux-Gen05.px of=/dev/sda3"
to replace the initrd ? If so, would I want to run the dd from the hack directory or should I cd to the home directory?
Then could I just mount sda4 at Tivo and apply the command lines:
"echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=2452864"
"echo -ne "\x24\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2452900"
"echo -ne "\x00\x00\x80\x21" | dd conv=notrunc of=tivoapp bs=1 seek=13939052"
Thanks again!
Diamond Member
Well first if you use Jamie's custom kernel you'll need to neuter 'iptables' to return "exit 0" or you'll run into rolling reboots. Also, the offsets in the tivoapp patches (seek=) are relative to tivoapp running in memory; they are not the same if you are patching offline.
ScanMan --> Just another Tivo hacker...
Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software
Member in Training.
man, there are alot of minefields in this! Thanks for bearing with me.
re: the iptables and exit 0 - is there another kernel I should use? Or, if I used Jamie's kernel, do you think these commands would do the trick?:
" cd tivo/sbin " ----------------- (i think this is a default directory)
" mv iptables iptables.original " -- (to copy and rename the old iptables)
" vi iptables " ------------------ (to open the visual editor)
" #!/bin/bash " ----------------- (i think this allows me to edit the bash shell)
" exit 0 " ---------------------- (this adds the 'exit 0' return that you mentioned)
" :wq " ------------------------ (which saves the changes)
" chmod 755 iptables " --------- (which makes 'iptables' executable to all)
re: offsets, isn't the offline patching offset fixed at 0x400000 (in hex) which equals 4194304 in decimal? or does it move around? If it is fixed, couldn't I convert the each of the 3 patch execution addresses for CCI to decimal and then subtract the offset?
for example for in the "11.0h is rolling out" thread, the address for cci1 is shown as 0x00656d80, so:
cci1 = 0x00656d80 (hex)
0x00656d80 = 6647168 (decimal)
6647168 - 4194304 = 2452864
so I would use "seek=2452864" in the command line as before?
then I would use the same math for the two other cci patch addresses?
Thanks again for your help!
Diamond Member
Ah, I see you've been doing your homework, excellent! Yes, the iptables approach will work and your math for adjusting the offsets looks right. You could also patch tivoapp offline with a hex editor, the advantage being you are able to confirm the old value at the proper location before editing.
ScanMan --> Just another Tivo hacker...
Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software
Member in Training.
Thanks for this wonderful entry. I was finally able to kill the CCI on my TivoHD running 11.0j. I should probably admit to being a newbie so the more experienced user can just skip reading this.
I had my PROM hacked by Omikron's service way back in 2009. I tried following mlcarson's instructions in the Newbie forum but all I got was a Tivo that would not boot. I got the welcome screen but it pretty much sat there or looped. I tried both Gen06 custom kernels but got the same result.
I tried pulling the disk and looking for any log files but could not see any that might give me clue. I considered trying to build a console for my TiVo but it was hard for me to follow the forums and figure out what to do. The last thing I wanted to do was do permanent damage to my TiVo box due to my stupidity.
I booted up with MFSLive 1.4. I found that plugging in the USB drive after Linux was up resulted in console messages that showed me where to find the USB device.
Using the TiVo provided kernel and patching it with replace_initrd.x86 went very smoothly. I was then able to calculate the offset for the three CCI patches. That also went very smoothly.
I put the drive back into my TiVo and it came right up. I did a few test recording on stations that had previously prevented transfers. I was able to move them to my PC and to my second TiVoHD. Life is good again!
Thanks to all the people who contribute to this forum.
Member in Training.
I'm glad this worked for you! After upgrading this way a couple of times I got tired of repeatedly hacking the disk, and so I turned off automatic software upgrades using the command
bootpage -P "root=/dev/hda7 upgradesoftware=false" /dev/sda
while the Tivo disk was still connected to my computer after hacking it. You might need "hda4" rather than "hda7" -- the number should be the bootpage plus 1. This worked for over a year, until suddenly the Web interface for transferring shows stopped working. When I checked the Media Access Key setting, I found that it was now stuck at "Temporarily not available". To fix this I needed to let the Tivo upgrade. Connecting the disk to my computer, I changed the boot parameters again
bootpage -P "root=/dev/hda7 upgradesoftware=true" /dev/sda
Then I let the Tivo reboot and install the software it had long ago downloaded. The Media Access Key was again available as soon as the Tivo connected to a Tivo server (rather than wait I told it to immediately connect using the Phone and Network setting). Then I unplugged the Tivo and rehacked the disk, as in my previous note. Before disconnecting it from my computer I again turned automatic upgrades off
bootpage -P "root=/dev/hda4 upgradesoftware=false" /dev/sda
Notice that the hda number has changed. If the hda number for the "root=" parameter isn't the bootpage number plus 1, the Tivo will not boot properly. I'm not sure how long this will work this time, before Tivo turns off my web interface again. We'll see.
BTW, it's worth mentioning that if you ever screw up hacking the kernel or the tivo app, so the machine won't boot, you can go back to the previous version of the software by changing the bootpage and the "root=" parameters. You can use "bootpage -b /dev/sda" to see what the current bootpage is (e.g., 3), and "bootpage -B 6 /dev/sda" to change it (if it was 6, change it to 3). Don't forget to set the "root=" parameter to match the bootpage plus 1. If you leave the "upgradesoftware" parameter set to true, the upgrade should be reinstalled when you reboot the Tivo, and then you can try the hack again. Be sure that the upgrade has happened before you hack: never touch the old (working) version of the software!
Last edited by no_cci; 06-26-2011 at 06:24 PM. Reason: improved wording at end
Member in Training.
For me the thumbdrive showed up as sdb1, and I mounted it with the command
mount /dev/sdb1 /mnt
Then to run the busybox command, I changed to the /mnt directory (cd /mnt) and ran the command in that directory (./busybox.replace...).
Member in Training.
bootpage exists on the TiVo, you don't need to connect the hard drive to your PC just to change the bootpage parameters, assuming you've enabled telnet logins.
Member in Training.
In post #37 I described a minimal hack to turn off CCI checking (which is all that I did). So I didn't even enable telnet, and just did everything with the disk connected to the computer.
Diamond Member
I would say ftp and telnet are an absolute must for a hacked TiVo.
Having trouble with TyTool? Try TyTool Documentation
Need to hack an S3 / THD? Try S3 Hacking Script
Senior Member
For the benefit of future searchers, WinMFS has a tool called bootfix (or fixboot). Option 1 will set the drive to boot from 3 and 4, and option 2 will set it to boot from 6 and 7.
Too busy TiVo wrangling to watch television anymore.
Senior Member
Yep, no other way to add TWP and that is a must have app or you may as well not hack the Tivo...
Posting Permissions
Reply With Quote