Page 1 of 8 123 ... LastLast
Results 1 to 15 of 109

Thread: TivoHD -- my 1st attempt

  1. #1
    Join Date
    Jul 2004
    Posts
    13

    TivoHD -- my 1st attempt

    This is my personal experience with hacking the TivoHD so that I can transfer all files to my personal computer rather than only those deemed by the local cable company as not copy protected.
    The first step was to get a prom socket placed on my TivoHD and have a prom programmed so that files could be modified/added to the hard drive. I used Omikron's service on this website -- http://www.dealdatabase.com/forum/sh...ad.php?t=53722. The work seemed professional and the unit arrived back quickly. I plugged the Tivo back in without making any changes and verified it still worked as expected and it did. So, my TivoHD is now hackable but the process is not documented very well due to the history of the board with hacking the series 1, 2, and 3. Those that hacked the earlier series already knew the terminology, tools, and methods involved. For those getting started with a TivoHD, it's more confusing and I believe there's an intentional barrier of entry or there would be more posts like this. The revised index is nice but I would have preferred more recent stories regarding my specific hardware -- the TivoHD. So, I'm going to outline my story so far....
    Hardware
    Tivo: TivoHD
    PC: Gigabyte GA-EP45-DS3R
    Drives:
    Sata0: 640GB HD (internal)
    Sata1: 640GB HD (internal)
    Sata2: 640GB HD (internal)
    Sata3: unused
    Sata4: CD/DVD drive
    Sata5: External Icy Dock EZ-Dock
    OS: Windows 7 RC1
    AHCI: Native -- not legacy

    I had already upgraded my Tivo's HD to a 1TB WD10EADS the first day I had purchased it. I used the program WinMFS to copy my original TivoHD drive to the new drive. The program is located at www.mfslive.org and the documentation is more than adequate to explain how to upgrade your Tivo's HD. I used this same program though in my first step of my hacking progress.

    So, use a Torx T10 screwdriver to open the TivoHD. Remove the HD bay (4 screws). Remove the HD from the bay (4 screws). I wanted the bare HD so I could simply drop it in my SATA EZ-Dock. Run the WinMFS program as Administrator -- if you don't run as Administrator it will show no drives. I backed up the Tivo Drive to a TivoHD-truncated TBK image (450,942KB). I backed up the Bootpage to a TivoHD-bootpage.tbp file (1KB). I backed up the kernel to a TivoHD-active-kernel.tak file (1,879KB). I've not had to use any of these yet but it's good insurance. While in WinMFS, I printed a copy of the MFSINFO Partition maps (15 paritions). This was an important reference later for me. So, we have some backups and a partition map at this point.

    Next, download the MFSLive Linux Boot CD ISO and burn it to a CD. This is the OS from which we'll do the actual Tivo Hacking. There may be a way of using VMWare to boot off the CD ISO and to point the virtual machine at the physical SATA drive connection so you can have Windows up at the same time -- I may look into this later. But I had a second PC available for perusing the Internet for help while using the MFSLive Linux Boot CD so didn't really need the Vmware option.

    Next, we need to download the various tools we'll need and burn them to a second CD. I decided I wanted to replace the kernel with a prebuilt custom kernel. See Files - All Tivo & DTivo Files -> Custom Kernels thread (http://www.dealdatabase.com/forum/sh...ad.php?t=54047). The TivoHD is a GEN06 device so we need a GEN06 kernel. I chose the Gen06-netopt-ext3.tar.bz2 image. http://www.dealdatabase.com/forum/at...2&d=1225075964

    We also need Tivotools.tar (http://www.dealdatabase.com/forum/at...5&d=1166725883) to enable FTP and to add a lot of other misc utilities. See thread: http://dealdatabase.com/forum/showthread.php?t=37602

    And our ultimate goal is to patch the Tivoapp to disable the encryption and the CCI flag. The latest tool for this appears to be the tvapppatch.tcl tool (v1.7) with patches contained in tvapppatches.tcl.

    I used the tvapppatches-11.0c.tcl (http://www.dealdatabase.com/forum/at...8&d=1240142449) since my TivoHD is using SW version 11.0c. It's located in this thread http://www.dealdatabase.com/forum/sh...t=60303&page=2. I downloaded the app from this thread http://www.dealdatabase.com/forum/sh...ad.php?t=60304 which appears to be the official release thread and is at version 1.7. The patches file in this thread seems to be at version 1.1b and supports up to SW 11.0 but not 11.0c so this is why I used the 4/19/09 11.0c version.

    I believe the above files are the only ones I needed to burn to CD. After I had these files burned, I booted off the MFS Live Linux Boot CD with my Tivo hard drive in the Icy Dock. The CD prompts for options 1-4. I chose option 1 which is the default option and claims it's the graphic option. The only graphics I remember seeing were different text colors. You're being placed at a Linux command prompt -- not some GUI. At this point, you don't have drives mounted for either the Tivo or the CDROM. So, let's get the CDROM mounted. Take the MFS Live CD out (the os is loaded in ram) and place the CD with your kernel and tivo patches in the CD drive.

    The CDROM mounting was an issue for me. I expected to be able to:
    mount /dev/cdrom /cdrom
    This didn't work. The /dev/cdrom is a link to the /dev/hdb device which was NOT my CDROM. My CDROM was actually device /dev/SR0 which didn't exist in the /dev directory. I corrrected this by using the /sbin/mkdev -s command. This created a lot of new devices in the /dev directory including /dev/sr0. I was then able to:
    mount /dev/sr0 /cdrom
    This gave me access to my cdrom. I believe a SATA CD/DVD drive will become SR0 rather than the default of HDB.

    So, next I wanted to mount one of my TIVOHD partitions but didn't know which device the Tivo drive was being mapped to. In order to determine this, I did the following command:
    cat /proc/partitions

    Based on the partition sizes and numbers -- I was able to determine my TivoHD was being locally mapped to /dev/sdd. But sdd had 15 partitions -- sdd1-sdd15. This is why I printed off the partition map from WINMFS earlier. There are 2 possible root partitions -- #4 and #7. To see which is the active partition -- use the command bootpage -p /dev/sdd. This yielded HDA4 so I knew /dev/sdd4 was the active partition. Tivo uses the inactive partition for the software upgrade process. Since /dev/sdd4 is the active partion, /dev/sdd3 is the active Kernel partition.

    Time to do some more mounts:
    mount /dev/sdd4 /tivo
    mkdir /tivovar
    mount /dev/sdd9 /tivovar

    I mounted partition 9 (/var) as /tivovar. I'm going to use this partition to store the files on CD and any backups.

    cd /tivovar
    mkdir hacks
    cd hacks

    So, let's copy over our CD files to this new directory.
    cp /cdrom .

    Time to unzip and untar the kernel.
    bunzip2 Gen06-netopt-ext3.tar.bz2
    tar -xvf Gen06-netopt-ext3

    This should yield 2 files placed in a subdirectory:
    bcmenet.o
    vmlinux-Gen06-netopt-ext3.px

    The vmlinux-Gen06-netopt-ext3.px is the kernel image.
    Let's backup our existing kernel -- even though we should have it from our earlier WINMFS backup.

    dd if=/dev/sdd3 of=kernel-backup

    Now let's install the new kernel
    dd if=vmlinux-Gen06-netopt-ext3.px of=/dev/sdd3

    This kernel requires replacing the network driver -- the bcmenet.o file -- in order to function. This is located in the /platform/lib/modules directory but we've mounted the tivo drive as /tivo so this directory is /tivo/platform/lib/modules. Let's make a copy of the original and then replace it with the new module.

    cd /tivo/platform/lib/modules
    mv bcmenet.o bcmenet.original
    cp /tivovar/hacks/Gen06-netopt-ext/bcmenet.o .

    We've updated the kernel and replaced the network driver but there's one more thing we have to do -- remove the firewall (iptables).

    cd /tivo/sbin
    mv iptables iptables.original

    vi iptables
    #!/bin/bash
    exit 0
    :wq

    chmod 755 iptables

    The new kernel and network drivers should now work but it doesn't get us anywhere yet. We've not added the telnet or ftp services. Let's start with adding the tivotools to a directory called tivo-bin

    mkdir /tivo-bin
    cd /tivo-bin
    tar -xvf /cdrom/tivotools.tar

    Now that we have a /tivo-bin with a ftp server in it -- let's create a rc.sysinit.author file to launch these services. See http://dealdatabase.com/forum/showpo...98&postcount=2

    cd /tivo/etc/rc.d/
    touch rc.sysinit.author

    vi rc.sysinit.author
    #!/bin/bash
    export PATH=./:.:/bin:/sbin:/tvbin:/tivo-bin
    export TIVO_ROOT=
    export MFS_DEVICE=/dev/hda10
    #serial bash... BE EXACT WITH THIS OR SERIAL WONT WORK!
    /bin/bash</dev/ttyS1&>/dev/ttyS1&
    #telnet
    /sbin/tnlited 23 /bin/bash -login &
    #ftp
    /tivo-bin/tivoftpd

    :wq

    Save file and exit vi. Next we change the permissions for this file to rwx rx rx
    chmod 755 rc.sysinit.author

    The rest of the modifications can be done remotely so let's unmount our partitions.
    umount /tivo
    umount /tivovar
    umount /cdrom
    poweroff

    You can now put the hard drive back in the Tivo and see if it still boots properly and whether thereis is telnet and ftp access to it. If everything was done correctly, we can now telnet to the tivo. Check the settings menu and discover it's IP address and then telnet from your PC to this address. There's no userid/password by default.

    We created a /tivovar/hacks directory while in Linux so this should now be /var/hacks on the TivoHD.

    cd /var/hacks
    cp tvapppatches-11.0c.tcl tvapppatches.tcl
    ./tvapppatch.tcl

    The above copies the patches file to the default name so no parameters are necessary when calling the tvapppatch.tcl tool. This tool supposedly patches the tivoapp with
    "noencrypt"
    "backdoors"
    "30secskip"
    "cci1"
    "cci2"
    "cci3"

    I rebooted the tivo after this and things appear to be working. Shows which were being flagged copy protected are no longer being flagged. Older recordings are still working. I'm able to transfer and play files via the Tivo Desktop software.

    I've not looked at trying to prevent software updates or using other software for faster transfers yet. I thought I'd try writing this up while it was still fresh in my memory and let people post where I went wrong or what I have yet to do.
    Last edited by mlcarson; 06-30-2009 at 03:22 AM.

  2. #2
    Join Date
    Jun 2009
    Posts
    24

    Wow!

    Holy Crap! Thank you for this awesome writeup! Almost makes me feel like I could do it!

    Now, after the next update walks over your hacks, how much of this has to be repeated? (I'm braced for the answer = "all of it".)

    Also, if I'm understanding this post by cartouchbea correctly, doing the noencrpyt patch actually is not desirable if your primary interest is TTG rather than MRV (which is my case). Is that correct? In your procedure, how would you eliminate the noencrpyt patch but do the rest?

    And I see three cci patches. Has that always been the case for cci, or do they do different things?

    Again, thanks for this major effort!
    VideoReDo users: Try VideoReDo-Autoprocessor (VAP)
    pyTivo users: Try PyTivoMetaGen and MetaToExcel

  3. #3
    Join Date
    Jul 2004
    Posts
    13
    I'm a newb -- not pretending to be an expert. Just documented what I did last night as best I could on my first attempt at a Tivo Hack after pulling the knowledge from the threads on this board. The results so far are what I wanted. Things are not getting flagged copy protected and are not encrypted after transferring with Tivo Desktop. Tivo Desktop brings over the files as .tivo and I can open them with Videoredo and save as normal mpeg without a reencode. I only have 1 Tivo so MRV is not what I'm after either -- TivoToGo is. The recordings I've transferred play fine so maybe they're still being encrypted and decrypted as part of the Tivo Desktop transfer or the no encrypt patch is no longer an issue. Tivo Desktop is version 2.7 (323086).

    The CCI patch is just done by modifying tivoapp in 3 places -- it's not really 3 patches.

    I'll probably read more about what has to be done to prevent an update via bootpage but assuming I did nothing and an update happened -- I don't believe the /var partition gets wiped out. So, worse case my files are all still there and I need a new tvapppatches for the new tivoapp software. It's just the hassle of moving the HD over to the PC again and being notified that an update happened before recording too much new stuff. So, I can mitigate the pain of moving the HD by preventing the update or alternatively putting the HD in an external case and swapping the internal and external SATA connections for ease of movement.

  4. #4
    Join Date
    Oct 2001
    Posts
    1,243
    You can do an in place hack/upgrade of the new software before you let the TiVo upgrade itself. Use this thread as a guide http://www.dealdatabase.com/forum/sh...ad.php?t=60195

  5. #5
    Join Date
    Jun 2006
    Location
    Dougal County
    Posts
    1,007
    Quote Originally Posted by mlcarson View Post
    #serial bash... BE EXACT WITH THIS OR SERIAL WONT WORK!
    /bin/bash</dev/ttyS2&>/dev/ttyS2&
    I find the warning ironic
    Serial port is mapped to /dev/ttyS1 on S3 tivos
    #fakecall
    /tivo-bin/fakecall.tcl
    SA tivos get their guide data from daily calls so it would be a good idea not to run fakecall.

  6. #6
    Join Date
    Jun 2009
    Posts
    24
    Quote Originally Posted by T_RJ View Post
    You can do an in place hack/upgrade of the new software before you let the TiVo upgrade itself. Use this thread as a guide http://www.dealdatabase.com/forum/sh...ad.php?t=60195
    hmmm... I looked at the linked thread and got lost. Can you spell out what you're talking about for us newbs?

    For example, how do you control when you "let the TiVo upgrade itself"? Is this possible because you have already hacked it to NOT do upgrades? Or is there some reliable notification system that tells you an upgrade has been TiVo-pushed into one of the two partition groups but has not yet been activated, so you can hack it before it gets activated? (Or what?).

    Being able to handle future upgrades "in place" is obviously a major attraction.
    VideoReDo users: Try VideoReDo-Autoprocessor (VAP)
    pyTivo users: Try PyTivoMetaGen and MetaToExcel

  7. #7
    Join Date
    Jun 2009
    Posts
    24
    Quote Originally Posted by jt1134 View Post
    I find the warning ironic
    Serial port is mapped to /dev/ttyS1 on S3 tivos

    SA tivos get their guide data from daily calls so it would be a good idea not to run fakecall.
    Do either of these comments apply to TiVo HD models? There is some confusion because both S3 and HD models are classed as S3. And I don't know what an SA model is -- but I assume it isn't an S3 (or HD).
    VideoReDo users: Try VideoReDo-Autoprocessor (VAP)
    pyTivo users: Try PyTivoMetaGen and MetaToExcel

  8. #8
    Join Date
    Jun 2006
    Location
    Dougal County
    Posts
    1,007
    my comments apply to both the tivohd and original s3

    sa == standalone ; ie: not a directv combo box

  9. #9
    Join Date
    Jun 2009
    Posts
    24
    Quote Originally Posted by jt1134 View Post
    my comments apply to both the tivohd and original s3

    sa == standalone ; ie: not a directv combo box
    OK, what is "ironic" about mlcarlson's statement?:

    Code:
    /bin/bash</dev/ttyS2&>/dev/ttyS2&
    Are you saying it's wrong and should use ttyS1 instead?
    VideoReDo users: Try VideoReDo-Autoprocessor (VAP)
    pyTivo users: Try PyTivoMetaGen and MetaToExcel

  10. #10
    Join Date
    Jul 2004
    Posts
    13
    It's probably wrong. This was taken from an old thread on different hardware (word for word) which is why it's difficult to get the proper instructions when you're just starting. I don't have console output yet on my TivoHD -- no parts just sitting around which will work. The bootpage stuff I was looking into made me think it should be port 1 rather than port 2 though. Thanks for pointing it out.

  11. #11
    Join Date
    Aug 2004
    Posts
    4,075
    /dev/ttyDSS should always work, and is a link to the correct ttyS# device.

    Note that getting serial port access on a tivohd takes some hardware work too. There's a thread about it here.

  12. #12
    Join Date
    Jun 2009
    Posts
    24
    Quote Originally Posted by Jamie View Post
    /dev/ttyDSS should always work, and is a link to the correct ttyS# device.

    Note that getting serial port access on a tivohd takes some hardware work too. There's a thread about it here.
    Does one have to have serial port access on the HD to (in-place) hack it? Isn't there a way to use the ethernet port and telnet client? (I did look at the linked thread but it didn't help me.)
    VideoReDo users: Try VideoReDo-Autoprocessor (VAP)
    pyTivo users: Try PyTivoMetaGen and MetaToExcel

  13. #13
    Join Date
    Aug 2004
    Posts
    4,075
    Quote Originally Posted by dlfl View Post
    Does one have to have serial port access on the HD to (in-place) hack it? Isn't there a way to use the ethernet port and telnet client? (I did look at the linked thread but it didn't help me.)
    You can get by in a pinch without serial port access. The main issue is that if you have problems getting networking to work, you're flying completely blind without serial port access. Also, if you have serial port access and have set a PROM password, you can often repair problems without needing to pull the drive. So it is highly recommended.
    Last edited by Jamie; 06-29-2009 at 12:20 PM.

  14. #14
    Join Date
    Jan 2002
    Posts
    5,601
    Quote Originally Posted by dlfl View Post
    hmmm... I looked at the linked thread and got lost. Can you spell out what you're talking about for us newbs?

    For example, how do you control when you "let the TiVo upgrade itself"? Is this possible because you have already hacked it to NOT do upgrades? Or is there some reliable notification system that tells you an upgrade has been TiVo-pushed into one of the two partition groups but has not yet been activated, so you can hack it before it gets activated? (Or what?).

    Being able to handle future upgrades "in place" is obviously a major attraction.
    By using bootpage to add upgradesoftware=false to the boot parameters you can block installation of software upgrades. The files are downloaded and saved, but not installed. Once hacks are available for the new software, it is a trivial task to telnet in, make two changes to the upgrade script, and install the upgrade into the alternate partition set. (One of the changes blocks the automatic reboot.)

    At that point the new kernel is overwritten with the existing custom kernel, and the appropriate files are transferred to the new root partition. A reboot, and you are running the latest version of software. No need to pull the drive.

    Under normal circumstances, using the serial port is unnecessary IF the network is working properly. Networking problems are notoriously hard to troubleshoot. I compare attempting this without a serial port to searching for a black cat in a dark room - when the cat is hiding in the closet in the next room.

    mlcarson, good job. I believe the iptables patch you used is obsolete, there is a simpler one.

    PlainBill
    Last edited by PlainBill; 06-29-2009 at 02:35 PM.
    There's a difference between needing help, and just being plain ole' lazy.

    "You cannot teach a man anything. You can only help him find it for himself." Galileo Galilei (1564-1642)

    HR20-700 with 2 TB, HR22-100, HR22-100, HR22-100, HR23-100 all running 0x5cd and networked.

  15. #15
    Join Date
    Jan 2005
    Posts
    1,008
    Quote Originally Posted by PlainBill View Post
    <snip>I believe the iptables patch you used is obsolete, there is a simpler one.
    Just to clarify, the "exit 0" iptables fix is required for custom (i.e., replace_initrd) kernels. The iptables flush won't work. But hey don't take my word for it; here is a quote from the custom kernel thread.
    All kernels are compiled with ext3 built in, CONFIG_NETFILTER off, and CONFIG_NET_FAST_TCP on. You will want to replace /sbin/iptables, as described here if you use these kernels. Otherwise, you might see crashes when the tivo software tries to load iptable rules.
    ScanMan --> Just another Tivo hacker...
    Killhdinitrd SA S2 Monte S2 Unscramble Upgrade Tivo Software

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •