Omikron, if you still need money for the PROM adaptor, let me know. I can afford to chip in a good amount.
In addition to the JTAG header there might also be a jumper somewhere needed to enable the JTAG.
It'd sure be nice to be able to write the PROM with a JTAG adapter...
been poking around some of the premiere software today....meh
still using the old apple partition map
Code:
00000000 50 4d 00 00 00 00 00 0e 00 00 00 01 00 00 00 3f |PM.............?|
00000010 41 70 70 6c 65 00 00 00 00 00 00 00 00 00 00 00 |Apple...........|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 41 70 70 6c 65 5f 70 61 72 74 69 74 69 6f 6e 5f |Apple_partition_|
00000040 6d 61 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |map.............|

busybox binary in /bin compiled to include most of the previously included stuff (dd,mv,cat,etc)
SwedishChef renamed to theProgramLauncherPreviouslyKnownAsSwedishChef in 14.0 and then re-renamed to tivoApplicationProxyLauncher in 14.1.
startup scripts and such very similar to previous hw/sw versions
Last edited by jt1134; 04-03-2010 at 09:48 PM.
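Added example, not part of the original post: a parser for the partition-map entry shown in the hexdump above. The field layout is the standard big-endian Apple Partition Map entry header; the function names and the consistency check are assumptions made for this illustration.

```python
import struct

# The 80 bytes from the post's hexdump (offset, 16 hex bytes, |ascii| per line).
HEXDUMP = """\
00000000 50 4d 00 00 00 00 00 0e 00 00 00 01 00 00 00 3f |PM.............?|
00000010 41 70 70 6c 65 00 00 00 00 00 00 00 00 00 00 00 |Apple...........|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 41 70 70 6c 65 5f 70 61 72 74 69 74 69 6f 6e 5f |Apple_partition_|
00000040 6d 61 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |map.............|
"""

# Big-endian entry header: signature, pad, entries in map, first block,
# block count, 32-byte name, 32-byte type. 80 bytes in total.
ENTRY = struct.Struct(">2sHIII32s32s")

def bytes_from_hexdump(text):
    """Rebuild raw bytes from hexdump lines, ignoring offset and ASCII columns."""
    raw = bytearray()
    for line in text.strip().splitlines():
        hex_columns = line.split("|", 1)[0].split()[1:]
        raw += bytes(int(col, 16) for col in hex_columns)
    return bytes(raw)

def c_string(field):
    """Decode a NUL-padded fixed-width field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_apm_entry(raw):
    """Parse one partition-map entry; raise ValueError if it is not one."""
    if len(raw) < ENTRY.size:
        raise ValueError(f"short entry: {len(raw)} of {ENTRY.size} bytes")
    sig, _pad, entries, start, blocks, name, ptype = ENTRY.unpack_from(raw)
    if sig != b"PM":
        raise ValueError(f"bad signature {sig!r}, expected b'PM'")
    return {
        "map_entries": entries,
        "start_block": start,
        "block_count": blocks,
        "name": c_string(name),
        "type": c_string(ptype),
        # The map's own entry must span enough blocks for every entry it announces.
        "map_self_consistent": ptype.startswith(b"Apple_partition_map") and entries <= blocks,
    }

if __name__ == "__main__":
    print(parse_apm_entry(bytes_from_hexdump(HEXDUMP)))
```
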
Looks like a couple more people chipped in and we were at $75 to go. In the interest of "getting things done" I did place an order for a CX1011 socket adapter earlier this morning because there is a one to two week lead time on it.
TSOP56 sockets arrived today. Still waiting on other items.
As a side note, I've ditched my old TTL adapter design and I am migrating to a new design which may be very nice for people who brick their units frequently. Still waiting on those parts. Once I know it's going to work, I'll post more details.
Finally, in other news, my TiVo Premiere still doesn't boot. Still investigating...
poking through /platform/utils/DeviceList/devlist.Gen07 I stumbled across this :
Code:
# usb keyboard
666 c 13 64 event0
666 c 180 96 hiddev0

hmmm...says I...interesting..
looks like someone else found it out first though :P
http://tivocommunity.com/tivo-vb/sho...d.php?t=446025
perhaps this could be backported to the S3/HD once 14.x kernel source is published
Last edited by jt1134; 04-02-2010 at 10:49 PM.
Have a look at bsptest (testing that the broadcom secure processor features are enabled) and fswak (flash swiss army knife) in the startup scripts and in the platform subdirectory of the root partition to get an idea of the new chain of trust changes which may be in place.
Last edited by Jamie; 04-03-2010 at 11:31 AM.
DigiKey parts arrived today. I will be playing around with the serial port first. I suspect that configuration and interface are identical to the TiVo HD.
I was finally able to get my hands on my beloved FTDI TTL cable again, courtesy of DigiKey. I crimped on a fresh 4-pin connector a-la-TiVo HD and plugged it in.
This is what she wrote:
Code:
Shmoo Version=3.5
DDR Freq=0x0000018C
%00000001%
RC1=00000003 WC1=FFFFFFE2
RC2=00000018 WC2=0000002F
RC3=0000000D WC3=FFFFFFE2
RC4=0000000D WC4=0000002F
NWC=00000008
RC5=00000003 WC5=00000008
RC6=00000018 WC6=00000008
NRC=0000000D
RW=00000016 WW=0000004E
G=00000000 R=0000000D W=00000008
BL=00000000 RC1=00000000 RC2=00000015
BL=00000001 RC1=00000003 RC2=00000015
BL=00000002 RC1=00000002 RC2=00000019
BL=00000003 RC1=00000003 RC2=00000019
BL=00000004 RC1=00000001 RC2=00000018
BL=00000005 RC1=00000004 RC2=00000019
BL=00000006 RC1=00000002 RC2=00000017
BL=00000007 RC1=00000002 RC2=00000019
TiVo Gen07 release 1.00 (2009-10-20 14:09:37)
Copyright 2009 TiVo Inc. All Rights Reserved.
TSN: REDACTED
BREV: 0x1060
MAC: RE:DA:CT:ED
Thumbprint: 356515097AED79CCEC5097DA723F8FE654826A83
Disk: WDC WD3200AVVS-63L2B0
F/W: 01.03A01
S/N: WD-REDACTED
Booting from partition 3...
3800064 bytes
Kernel signed by '... the Porridge bird ...'
Hashing kernel (SHA256)... done
Checking signature... done.
Signed, valid for release
Kernel entry point is 0x802b8000
cfeBootParms ===> root=/dev/sda4
Kernel boot options: root=/dev/sda4 console=ttyS0,115200 boardID=0x106001
HpkImp Gen07 BOOTEDFROMFLASH, Base=1c000000
Initial CP0 22 value : 0xe30f3406
node [00000000, 10000000: RAM]
node [20000000, 10000000: RAM]
mips_counter_frequency = 202000000 from Calibration, = 202500000 from header(CPU_MHz/2)

As near as I can tell, the PROM boot menu that presents you with "What is password?" is gone.
Last edited by Omikron; 04-03-2010 at 08:32 PM. Reason: Added TTL Jack Photo
As I suspected, SW1 near the battery acts as a reset switch, which will be great for bench testing and such. Now you can reset the TiVo by shorting the terminals instead of having to unplug power cord.
If one were so inclined, it could even be wired to a PC in a way to allow you to remotely reset a misbehaving TiVo that is not responding to telnet.
Hit control-C repeatedly at power-on and you can get into a PROM menu. No password needed. The only commands I've found so far are boot, disk and reset. You can boot -3 or boot -6 to control which partition is booted from.
By the way, dsscon=true console=0,115200 are the kernel options to see a kernel serial console so you can see kernel messages on serial during the boot.
On the chain of trust and bsptest/fswak: One theory is that there is yet another link in the chain of trust. The BSP checks the signature on the flash prom code and will refuse to transfer to it unless it is signed. From there, it is as before. It may be that the flash prom is unlocked, but signature checked, so they can still flash it in the field to invalidate software versions they don't want to allow to boot anymore. But if you attempt to flash with unsigned PROM code, you'll brick it.
Perhaps this is a worst case scenario, but I think it is pretty likely they have locked this one down hard. Unless there are exploits for the BSP, it is likely to be difficult to gain shell access in a way that they can't easily disable.
Hoping this theory is wrong.
Last edited by Jamie; 04-04-2010 at 01:10 PM. Reason: sp
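Added example, not part of the original post or of any TiVo code: a small model of the two-link chain theorised above, showing why a signature-checked but writable flash still accepts a vendor-signed update while a single changed bit stops the boot at the first link. The toy RSA key, image contents, function names and trace strings are all assumptions; the page does not state the real algorithm or key size.

```python
import hashlib

# Toy RSA key standing in for the vendor's signing key (assumption). Two
# Mersenne primes keep the example library-free; a modulus this small is
# for illustration only and offers no real security.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never stored on the box

def digest(image):
    """SHA-256 of an image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def vendor_sign(image):
    return pow(digest(image), D, N)

def verify(image, signature):
    return pow(signature, E, N) == digest(image)

def flip_bit(image, bit):
    """Return a copy of image with a single bit inverted."""
    data = bytearray(image)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)

def boot(prom, prom_sig, kernel, kernel_sig):
    """Walk both links of the chain and return a console-style trace."""
    # Link 1, the theory above: the secure processor checks the PROM image.
    if not verify(prom, prom_sig):
        return ["BSP: PROM signature invalid, halting"]
    trace = ["BSP: PROM signature ok"]
    # Link 2, as before: the PROM hashes the kernel and checks its signature.
    if not verify(kernel, kernel_sig):
        return trace + ["PROM: kernel signature invalid, not booting"]
    return trace + ["PROM: kernel signed, valid for release"]

# Constructed stand-ins for the flash and kernel images.
PROM_V1, KERNEL = b"prom image v1" * 64, b"kernel image" * 64
PROM_V2 = b"prom image v2" * 64  # a vendor field update
SIGS = {img: vendor_sign(img) for img in (PROM_V1, PROM_V2, KERNEL)}

if __name__ == "__main__":
    for prom, sig in [(PROM_V1, SIGS[PROM_V1]), (PROM_V2, SIGS[PROM_V2]),
                      (flip_bit(PROM_V1, 7), SIGS[PROM_V1])]:
        print(boot(prom, sig, KERNEL, SIGS[KERNEL]))
```
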
[optimism]Have you looked at disassembling the bsptest binary? The disassembly is fairly small and not too difficult to follow. I spent a bit last night tracing through it.[/optimism]
That's of course meaningless unless the PROM is exploited first, and I don't even have a Premiere box to begin with.
Well I have a feeling once the TSOP56 adapter for my programmer arrives from Hong Kong we'll have some real answers. I have everything else, including a few fresh StrataFlash chips and sockets.
To verify that the PROM signature is checked via BSP, I could just change a single bit in the data and see what the console says.
Either way, once we start looking at the PROM disassembly we should get some insight into what options we have, if any.
Perhaps it's the sleep deprivation talking, but I'm having some trouble booting from the PROM menu using the additional dsscon flags.
Here's what I'm executing:
Code:
boot -3 dsscon=true console=0,115200

After about 3 seconds or so, it runs into this:
Code:
brcm-ohci-0 brcm-ohci-0.0: BRCM OHCI
brcm-ohci-0 brcm-ohci-0.0: new USB bus registered, assigned bus number 2
brcm-ohci-0 brcm-ohci-0.0: irq 63, io mem 0x10480400
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
ip_conntrack version 2.4 (4096 buckets, 32768 max) - 172 bytes per conntrack
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
RAMDISK: romfs filesystem found at block 0
RAMDISK: Loading 682KiB [1 disk] into ram disk... done.
VFS: Mounted root (romfs filesystem) readonly.
Kernel panic - not syncing: No init found. Try passing init= option to kernel.
Core of 0 bytes written
Rebooting in 3 seconds..

This only happens of course while I'm booting from the PROM menu. It seems that there's a flag or option that I'm not passing correctly, but I'm not seeing it.