
Thread: The Series4 (TiVo Premiere) Development Thread

  1. #196
    Join Date
    Aug 2010
    Posts
    18
    Quote Originally Posted by Omikron View Post
    Does anyone have any good ultra-high res photos of some Roamios?

    Development will likely shift to the new platform directly, hopefully being able to re-use what we've learned from the S4 so far.
    The best I've run across so far are these, but they are rather blurry.

    Perhaps, before this thread gets muddled, a new thread for Roamio efforts is in order? If/When I get my hands on a Roamio I'll post up some better pics.

  2. #197
    Join Date
    Apr 2008
    Posts
    5
    Dumb thought. Microsoft was tricked by a fake update; can you not imitate the TiVo update mechanism? Let the TiVo think it is an official update?

  3. #198
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,831
    Quote Originally Posted by aerospaced View Post
    Dumb thought. Microsoft was tricked by a fake update; can you not imitate the TiVo update mechanism? Let the TiVo think it is an official update?
    The updates themselves are digitally signed, and then when they actually deploy they do so with binaries that have also been signed (otherwise it won't boot.)

    Unless we have a way of forging RSA signatures, it's not going to happen.
    Before PMing me: I'm not your personal tech support. If you have a question, ask in public so I don't have to repeat if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs.

    Sponsor a vegetarian! I have taken the pledge, how about you?

  4. #199
    Join Date
    Mar 2004
    Posts
    7
    Quote Originally Posted by AlphaWolf View Post
    The updates themselves are digitally signed, and then when they actually deploy they do so with binaries that have also been signed (otherwise it won't boot.)

    Unless we have a way of forging RSA signatures, it's not going to happen.
    Well, you don't necessarily have to forge the RSA signature. You could re-use the original TiVo signature if the update payload has the same hash as the source, so it will validate. If they're using a weak hashing algo, one where multiple inputs can have the same result, then maybe it's possible. Attacking the hash is easier than the RSA private key. Given the industry has only recently started using SHA2 hashes, it's possible that TiVo is using SHA1 or MD5, but it still would take significant CPU to find the right padding to masquerade the update, though.

    Has anyone ever attempted a hack like this that actually keeps the chain of trust intact?
    Last edited by 1fatboy; 11-16-2013 at 06:29 PM.
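    A toy model of the check this post reasons about, added here as an example that is not code from the thread or from TiVo: an RSA signature over a digest of the update image, with the digest length as an assumed knob. With the full SHA-256 digest a modified image is rejected and no digest match turns up; with a deliberately short 2-byte digest (an assumption made only for illustration) a substitute image with the same digest is found quickly and the genuine signature verifies for it, which is exactly why the signature is only as strong as the digest it covers. The key and the sample image are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// UpdateVerifier accepts an update image only if the vendor's RSA signature
// verifies over its digest. DigestLen 32 is the full SHA-256 digest; a short length
// (an assumption made only for this demo) models a digest that is not collision resistant.
type UpdateVerifier struct {
	Pub       *rsa.PublicKey
	DigestLen int
}

func (v UpdateVerifier) Digest(image []byte) []byte {
	sum := sha256.Sum256(image)
	return sum[:v.DigestLen]
}

// Verify reports whether sig is a valid PKCS#1 v1.5 signature over Digest(image).
func (v UpdateVerifier) Verify(image, sig []byte) bool {
	return rsa.VerifyPKCS1v15(v.Pub, crypto.Hash(0), v.Digest(image), sig) == nil
}

// FindSameDigest searches for a different image with the same digest as the original,
// i.e. one the original signature would also accept; it only ever succeeds for a short digest.
func FindSameDigest(v UpdateVerifier, original []byte, maxTries int) ([]byte, bool) {
	want := string(v.Digest(original))
	for i := 0; i < maxTries; i++ {
		cand := append([]byte(fmt.Sprintf("altered-%d:", i)), original...)
		if string(v.Digest(cand)) == want {
			return cand, true
		}
	}
	return nil, false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	image := []byte("constructed update image v1") // constructed sample payload
	for _, n := range []int{32, 2} { // full digest vs. toy 16-bit digest
		v := UpdateVerifier{Pub: &priv.PublicKey, DigestLen: n}
		sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.Hash(0), v.Digest(image)) // vendor signs
		alt, ok := FindSameDigest(v, image, 1<<20)
		fmt.Println(n, "byte digest: substitute accepted =", ok && v.Verify(alt, sig))
	}
}
```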

  5. #200
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,831
    Quote Originally Posted by 1fatboy View Post
    Well, you don't necessarily have to forge the RSA signature. You could re-use the original TiVo signature if the update payload has the same hash as the source, so it will validate. If they're using a weak hashing algo, one where multiple inputs can have the same result, then maybe it's possible. Attacking the hash is easier than the RSA private key. Given the industry has only recently started using SHA2 hashes, it's possible that TiVo is using SHA1 or MD5, but it still would take significant CPU to find the right padding to masquerade the update, though.

    Has anyone ever attempted a hack like this that actually keeps the chain of trust intact?
    As far as I'm aware TiVo uses full 80-round SHA1 everywhere, and there aren't any known 80-round SHA1 collisions in the world for anything, period.

  6. #201
    Join Date
    May 2014
    Posts
    1
    Quote Originally Posted by Omikron View Post
    One of my friends finally found some time to break out the fuming nitric acid...

    Here's a teaser for anyone who's curious...

    Hi guys

    Super duper nice thread you guys have here. I just found the thread on the big brother and decided to post due to my interest in similar equipment, so basically the newer generation BCM have a chipset protection mechanism.

    This is common to all newer BCM CPUs; they use the keyladder mechanism. I would love to get some workout study on them...

    Basically everything is signed on the CPU keyladder mechanism, so I guess the only way to go forward is to glitch the CPU in order to try to read out its contents, right?

    So, looking at the keyladder mechanism:

    The CPU has got an OTP area, where chip ID + ESCK (encrypted secret content key) + the ESCK decryption mechanism is stored.

    The manufacturer does say that this content is programmed on the CPU at the factory stage and cannot be written back or read (I have my doubts regarding read).

    So the information mentioned above will generate a decrypted SCK (Secret Content Key).

    This Secret Content Key in return will be used to generate a ROOT KEY, the main key of the keyladder mechanism.

    This root key gets generated using an unknown algorithm (could be AES or 3DES) and it also contains as seeds a VENDOR ID + Module ID.

    So the final stage will be a unique ROOT KEY = 16 bytes / 128-bit key, and this root key on the CPU can also be described as K3 or eK3 depending on CPU models. As this is the top key of the keyladder it will be used to decrypt the keys below, such as K2 or eK2 (this K2 decrypted data will be used to decrypt the key below it on the keyladder, the K1 or eK1).

    So basically in simple layman's terms we need to get into the CPU, so I am thinking of glitching techniques... but for that we would need real BCM CPU datasheets so we could work out their pinouts.

    We would also need to have busybox access / CFE on one of the boxes to make some testing.

    I do remember a few years back some flash models had some security protections to read certain areas with the universal programmer that could be simply resolved by lowering VCC, and it would dump the full content of the flash.

    Anyway, nice reading here; I hope the thread is not stopped, because we never know what might come out of it.

    But it's a known fact the keyladder mechanism is used on all BCM 7xxx series. It contains challenge responses for JTAG, flash read, flash write, RAM read, ROM read, so this could be a way.

    By the way, has anyone confirmed if this box has a TTL port active? Is the CFE console also active on these units? As some newer generation units have CFE console access blocked, amongst other things.
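    As an added illustration of the keyladder structure laid out in this post (a toy model written for this page, not code from the thread or from Broadcom): the OTP secret plus the vendor and module IDs yield a 128-bit root key K3, which decrypts eK2 into K2, which in turn decrypts eK1 into K1, so every key in the chain hangs off the secret that never leaves the chip. Assumed purely for the demo: each step is one AES-128 block operation, the seed layout for the root key, and the constructed sample SCK and keys.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// KeyLadder is a toy model of the BCM keyladder described in the post; each step
// is assumed to be one AES-128 block operation (real algorithm unknown: AES or 3DES).
type KeyLadder struct {
	SCK      [16]byte // Secret Content Key recovered from the OTP ESCK
	VendorID uint32   // seeds mixed into the root key derivation
	ModuleID uint32
}

// aesBlock runs one AES block encryption or decryption with a 16-byte key.
func aesBlock(key, in []byte, decrypt bool) []byte {
	c, _ := aes.NewCipher(key) // every key in this model is exactly 16 bytes
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// RootKey derives K3 as one AES block of (VendorID || ModuleID || zero pad) under
// SCK. In the real design it never leaves the CPU; every key below hangs off it.
func (l *KeyLadder) RootKey() []byte {
	seed := binary.BigEndian.AppendUint32(make([]byte, 0, aes.BlockSize), l.VendorID)
	seed = binary.BigEndian.AppendUint32(seed, l.ModuleID)[:aes.BlockSize] // zero padded
	return aesBlock(l.SCK[:], seed, false)
}

// Unwrap walks down the ladder: K2 = Dec(K3, eK2), then K1 = Dec(K2, eK1).
func (l *KeyLadder) Unwrap(eK2, eK1 []byte) (k2, k1 []byte) {
	k2 = aesBlock(l.RootKey(), eK2, true)
	return k2, aesBlock(k2, eK1, true)
}

func main() {
	l := KeyLadder{VendorID: 0x1234, ModuleID: 0x42} // constructed sample chip
	copy(l.SCK[:], "constructed-sck!")
	k2, k1 := []byte("sample-key-two!!"), []byte("sample-key-one!!") // constructed plaintext keys
	eK2, eK1 := aesBlock(l.RootKey(), k2, false), aesBlock(k2, k1, false) // what the vendor ships
	gotK2, gotK1 := l.Unwrap(eK2, eK1)
	fmt.Printf("K3=%x\nK2=%x\nK1=%x\n", l.RootKey(), gotK2, gotK1)
}
```

A chip with a different SCK (or a different module ID) computes a different K3 and therefore recovers garbage from the same eK2/eK1, which is the property the post's chain of trust rests on.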

  7. #202
    Join Date
    Dec 2002
    Posts
    73
    Apparently Comcast is beginning to transition to MPEG4, which means hacked TivoHDs will die, and more incentive to find a Series 4 solution.

    http://www.zatznotfunny.com/2014-08/...g4-transition/

  8. #203
    Join Date
    Apr 2002
    Posts
    887
    Quote Originally Posted by kmt View Post
    Apparently Comcast is beginning to transition to MPEG4, which means hacked TivoHDs will die, and more incentive to find a Series 4 solution.

    http://www.zatznotfunny.com/2014-08/...g4-transition/
    We know Tivo HD can handle MPEG4. Hacking the S3 software to allow recording of mp4 channels might be more doable than hacking Premiere or Roamio.

  9. #204
    Join Date
    Dec 2001
    Posts
    611
    Quote Originally Posted by newbie View Post
    We know Tivo HD can handle MPEG4. Hacking the S3 software to allow recording of mp4 channels might be more doable than hacking Premiere or Roamio.
    Now THAT would make me reapply the jailbreak on my TivoHD with modded chip.

    MPEG4 and protected channel recording.....

    Then move the resulting files to my Premiers

  10. #205
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,831
    Drat, the NSA stole my hard disk hacking idea. Sneaky little spies.

    Succeeded with it too, apparently.

    http://www.kaspersky.com/about/news/...yber-espionage
    Last edited by AlphaWolf; 02-17-2015 at 12:55 AM.

  11. #206
    Join Date
    Dec 2002
    Posts
    73
    Well, Comcast just sent me a notice that they are going to MPEG4 for HD in the next few weeks. I presume that will leave my modded Tivo HD out in the cold. Is there any hope for getting it to work with MPEG4, or news on a Series 4 Mod?

    Otherwise, I guess I'm going to have to give up on Tivo.

  12. #207
    Join Date
    Dec 2001
    Posts
    611
    People talk about some kind of MPEG4 hack for TivoHD. I know hardware-wise it can do it and it is a hacked solution, so I wonder if someone way smarter than me can patch tivoapp to allow MPEG4 playback?

    It would allow our HD TiVos to record without the CCI byte set, even MPEG4 channels.

    Since the Premiere and Roamio can't be hacked, does someone think this might be a worthwhile effort?

  13. #208
    Join Date
    Jan 2002
    Posts
    79
    Has anyone thought about glitching the CPU? That might be a viable avenue, especially since Premiere is not manufactured anymore and any glitching vulnerabilities that exist won't change.

