
Thread: The Series4 (TiVo Premiere) Development Thread

  1. #151 (Join Date: Jul 2005 | Posts: 347)
    Can I just ask an oddball question to folk here?

    If anyone has purchased a new Premiere within the last couple of months, can you please look inside and take a photo of the PROM chip inside? The JS28F640P30B was discontinued years ago but all of the older Premieres I've been working on have them. I'm curious if TiVo just bought a metric ton of them or if they switched to something else.
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  2. #152 (Join Date: Jul 2005 | Posts: 347)
    If possible, can someone post hi-res photos of the internals of the TiVo Premiere 4? As much as possible. Ideally, both sides of the motherboard would be good but I'll settle for just the top for now until I can get my hands on one.
    .-=Omikron=-.


  3. #153 (Join Date: Dec 2010 | Posts: 9)
    > Originally Posted by karpodiem:
    > I'm good for a single G
    Want to split the cost of buying Omikron a Premiere 4 with me?
    Or is anyone else willing and able to partially match investments like this?
    Last edited by topgun98; 02-08-2013 at 11:39 AM.

  4. #154 (Join Date: Jul 2005 | Posts: 347)
    > Originally Posted by topgun98:
    > Want to split the cost of buying Omikron a Premiere 4 with me?
    > Or is anyone else willing and able to partially match investments like this?
    Before we start spending money, I'd like to continue bouncing around some ideas with the rest to see where money is most wisely spent. While the new quad tuner TiVos do appear to have a completely new board layout and I am curious about their choice in PROM chip, I don't think there has been any major change in the security architecture, so a break on the regular S4s should still apply to the quad tuner models.

    However, there will definitely be some new costs involved with continuing development.
    .-=Omikron=-.


  5. #155 (Join Date: Jul 2005 | Posts: 347)
    One thing that we found during research in 2010 was that the new BCM7413 CPU has different security bits that can be set to enable secure boot and disable the JTAG debug port on the board. One idea that was tossed around was to simply replace the CPU with a new CPU that doesn't have the OTP security bits programmed yet.

    I've contacted a few suppliers and although most of them seem to have issued quotes in the range of 40 dollars per CPU, one of them is quoting 8 dollars per new BCM7413. The difficulty here is that it's a fairly large BGA chip and requires specialized equipment and a good deal of labor to do. The cheapest IR rework equipment that I've found that will be able to reliably handle swapping the CPU out is in the $2000 range. :-(

    I'm going to continue hunting around to see if I can get access to an IR rework station and pay machine time which should hopefully be cheaper than buying the unit outright.
    .-=Omikron=-.


  6. #156 (Join Date: Aug 2010 | Posts: 17)
    On the topic of the security, is there any central dumping ground for information or coordinating efforts (wiki, irc channel, etc.)? I've been debating picking up a Premiere to poke around with but what's been keeping me back is a lack of any real info or source to obtain info on the hardware side of things (not an EE guy by any stretch of the word).

  7. #157 (Join Date: Nov 2004 | Posts: 420)
    This thread has the most information. Post any other questions you have here, and collectively folks can chime in with available information.

  8. #158 (Join Date: Dec 2010 | Posts: 9)
    > Originally Posted by Omikron:
    > I'm going to continue hunting around to see if I can get access to an IR rework station and pay machine time which should hopefully be cheaper than buying the unit outright.
    Honestly, I don't know what an "IR rework station" is or does, but if it would be helpful, I'll buy you one. I'm going to PM you my phone number.

    Edit:
    Omikron has exceeded their stored private messages quota and cannot accept further messages until they clear some space.
    Omikron, please PM your phone number to me.
    Last edited by topgun98; 02-12-2013 at 07:51 AM.

  9. #159 (Join Date: Aug 2010 | Posts: 17)
    > Originally Posted by tivo4mevo:
    > This thread has the most information. Post any other questions you have here, and collectively folks can chime in with available information.
    It's been a while since I've read through the thread, but the problem with threads this long is they aren't really great at organizing the information. For discussion sure.

    A central place to document and organize the information on the various chips, link to datasheets (assuming they're publicly available), boot process documentation, software, etc. would be a good thing to have. For example, something like WiiBrew, WiiUBrew, The iPhone Wiki, or BoxeeBoxWiki is what I was asking about.

  10. #160 (Join Date: Nov 2004 | Posts: 420)
    No disagreement on your points. The board facilitates discussion, but is not as good a repository. I believe there was a tivo wiki hosted elsewhere at one point, though unfortunately I don't have a link handy. I wasn't sure whether there was much of a community to benefit from a wiki, but perhaps my logic is wrong (having a decent wiki would usher in the interested and foster a community)...

    In the absence of such a wiki (and to make good on my suggestion to pose your question), here's a rough run-down of the boot process and some history of some of the exploits from the past decade:

    For Series 3 and earlier units
    Code:
    Reset->(1)PROM->(2)Kernel/RamDisk scanner->(3)rc.sysinit bash scripts
    Each link in the chain verifies the integrity and authenticity of the next stage, so:

    (1) The PROM code was authored by tivo, contained a SHA-1 self-integrity check and subsequently verifies a TiVo cryptographic (Elgamal) Signature of the Kernel (which resides in its own partition on the hard drive, either partition 3 or 6). You'll find patches to modify and neuter the PROM in this link here.

    (2) Once the kernel is loaded, it mounts its bundled ramdisk image, which contains a filesystem scanner ("/linuxrc - autoscan"), which will, in turn, mount the Root filesystem (an ext2 filesystem residing in a partition on the tivo's hard disk one higher than the kernel, i.e., 4 or 7. It's worth noting that this Root filesystem contains all of the tivo's "application code"). The autoscanner contains SHA-1 hashes for each file in the filesystem, and will scan the entire filesystem to check for illegitimate files (or files in the wrong places). It attempts to repair or remove unrecognized files, and always triggers a reboot if the filesystem isn't correct.

    (3) Assuming the filesystem is intact and valid, it passes control to the rc.sysinit bash (startup) scripts that live in /etc/rc.d/. These are separated into different stages (subdirectories) and one can easily peruse those scripts to see what is happening. It's worth noting that to best separate themselves from GPL source disclosure requirements, tivo have put nearly all of the functionality into /tvbin/tivoapp, a massive, multi-call, user-land executable that handles nearly everything from the UI, to scheduling, to recordings, to network daemons, etc. You'll see a lot of "tivoapp patch" threads, detailing patches to alter functionality.

    For the Series 3 and earlier units, the PROM was a discrete chip on the mainboard, and was not flashable once soldered during manufacturing (the Series 1 units were in-circuit flashable, but are not covered here as they are more than a decade old). So the typical procedure was to desolder that chip, read out the PROM code, disassemble it, determine the necessary patches, and solder in a reprogrammed chip (or socket it for experimentation). After "socketing" the unit and inserting a patched PROM to ignore the result of the signature check, one could boot any kernel desired (there are threads with Jamie's pre-built, custom kernels).

    There were several different sw-only exploits over time, and you'll see evidence of them in various threads. killinitrd was a program to replace the ramdisk bundled with the kernel with a blank ramdisk, which transforms a "stock" TiVo compiled kernel into a nearly identical one, though without the autoscanner. Thus, on a "socketed" or "PROMMED" unit, a killinitrd kernel would be suitable for booting.

    There was a bash ENV exploit that allowed one to pass in kernel arguments and execute an arbitrary script, thus taking control. This was quickly closed, but it was possible to boot initially to the old, vulnerable software, and then chainload to newer software (monte).

    killhdinitrd was a sw-only exploit that allowed one to modify a stock kernel in such a way that it disabled the autoscanner, but yet still passed the boot PROM's Elgamal signature check. TiVo quickly made changes to the newer kernels to remove this exploit, but the damage was done, as the PROM code couldn't be changed, and one could still boot an old, vulnerable kernel, and then chainload into a newer kernel/software (using the monte kernel module ported to MIPS by MuscleNerd).

    killhdinitrd worked on Series 2 units (including the DirecTV HR10-250), however, since that, no one has released a sw-only exploit for models after that (Series 3 and Series 4).

    For Series 4 units, tivo utilizes the Broadcom CPU's Secure Processor (BSP) checking
    Code:
    Reset->(0)BSP->(1)PROM(now the Boot Partition of onboard Flash)->(2)Kernel/RamDisk scanner->(3)rc.sysinit bash scripts
    So nearly everything is the same, but the chain of trust is anchored in the Broadcom CPU itself, instead of in a (fairly easily removable and socketed) PROM chip. The BSP code is presumably metal mask ROM and is not easily studied, but it performs a check of the PROM code located in the Boot Partition of an onboard Flash also introduced with the premiere (see Omikron's descriptions of his steady hand earlier in this thread). The rest of the boot process after the BSP hands off control to the PROM/Boot Partition code remains largely the same as in previous generations.

    Thus, Omikron suggests replacement of the Broadcom CPU as an attack. The CPU has fuses to enable/require BSP checking of the Boot Flash. If one were to order a generic CPU, those fuses wouldn't be set, and presumably, one could boot from a modified Boot Partition, breaking the chain of trust.

    Please note that there are probably inaccuracies in my description (to be sure, some units' boot processes diverge from this: e.g., DirecTV THR-22, Virgin Mobile TiVo, etc.), but it should provide a conceptual framework to make better sense of some of the threads on the board.
    Last edited by tivo4mevo; 02-12-2013 at 05:09 PM.
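    Stage (2) of the chain described above is an integrity check driven by a manifest of hashes, not by copies of the files. The small model below is an added example, not code from the thread or from TiVo: it carries a constructed manifest (SHA-1 per path, as the post states), scans a constructed in-memory root filesystem, and reports modified, unrecognized and missing files. It also shows the one repair a hash-only scanner can make (removing unrecognized files) and why a file "in the wrong place" is caught: it appears as both an unknown path and a missing one. All paths and contents are made up for the example; the verdict strings are mine.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a root filesystem: path -> file contents. The paths
# echo ones named in the post; the contents are made up for this example.
KNOWN_GOOD: Dict[str, bytes] = {
    "/etc/rc.d/rc.sysinit": b"#!/bin/bash\n# constructed startup script\n",
    "/tvbin/tivoapp": b"constructed placeholder for the tivoapp binary\n",
    "/etc/passwd": b"root:x:0:0:root:/:/bin/bash\n",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# What a scanner bundled in the ramdisk carries: the expected SHA-1 per path,
# not the files themselves.
MANIFEST: Dict[str, str] = {p: sha1_hex(d) for p, d in KNOWN_GOOD.items()}

Report = Tuple[str, List[str], List[str], List[str]]


def scan_root(fs: Dict[str, bytes], manifest: Dict[str, str]) -> Report:
    """Model of stage (2): hash every file present and compare with the manifest.
    A file whose hash changed, a path the manifest does not list, or a listed
    path that is absent all mean the filesystem is not correct -> "reboot"."""
    modified = sorted(p for p, d in fs.items()
                      if p in manifest and sha1_hex(d) != manifest[p])
    unknown = sorted(p for p in fs if p not in manifest)
    missing = sorted(p for p in manifest if p not in fs)
    verdict = "boot" if not (modified or unknown or missing) else "reboot"
    return verdict, modified, unknown, missing


def remove_unknown(fs: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, bytes]:
    """The one repair a hash-only scanner can make: drop unrecognized files.
    It cannot restore a modified file, so a rescan still fails on that."""
    return {p: d for p, d in fs.items() if p in manifest}


if __name__ == "__main__":
    tampered = dict(KNOWN_GOOD)
    tampered["/tvbin/tivoapp"] = b"constructed patched tivoapp\n"        # modified
    tampered["/etc/rc.d/rc.sysinit.d/extra.sh"] = b"echo constructed\n"  # unrecognized
    del tampered["/etc/passwd"]                                           # missing
    print(scan_root(tampered, MANIFEST))
    print(scan_root(remove_unknown(tampered, MANIFEST), MANIFEST))

    # A file in the "wrong place": same bytes, different path. It shows up as
    # both an unknown path and a missing one.
    moved = dict(KNOWN_GOOD)
    moved["/tmp/tivoapp"] = moved.pop("/tvbin/tivoapp")
    print(scan_root(moved, MANIFEST))
```

    The point the model makes is that the scanner's strength is the manifest's completeness (every path, every hash), while its weakness is where that manifest lives: it travels with the kernel's ramdisk, which is exactly why the thread's kernel-level tricks (killinitrd, killhdinitrd) target the ramdisk rather than the hashes.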

  11. #161 (Join Date: Nov 2004 | Posts: 420)
    > Originally Posted by Omikron:
    > One idea that was tossed around was to simply replace the CPU with a new CPU that doesn't have the OTP security bits programmed yet.
    Another approach would be some sort of SATA injection device (or computer). It would sit between the tivo and the hard disk. When the BSP code checks the kernel, the device supplies a valid kernel. When the tivo goes to execute that kernel (and this would hinge upon the tivo issuing a second SATA read request to load the kernel for execution), the device supplies a modified kernel. Similar concept to this attack detailed here: link. Though this might be a sizable development effort.
    Last edited by tivo4mevo; 02-12-2013 at 05:30 PM. Reason: fixed URL

  12. #162 (Join Date: Jul 2005 | Posts: 347)
    > Originally Posted by topgun98:
    > Honestly, I don't know what an "IR rework station" is or does, but if it would be helpful, I'll buy you one. I'm going to PM you my phone number.
    >
    > Edit:
    > Omikron, please PM your phone number to me.
    PM issues have been fixed.
    .-=Omikron=-.


  13. #163 (Join Date: Jul 2005 | Posts: 347)
    > Originally Posted by tivo4mevo:
    > Another approach would be some sort of SATA injection device (or computer). It would sit between the tivo and the hard disk. When the BSP code checks the kernel, the device supplies a valid kernel. When the tivo goes to execute that kernel (and this would hinge upon the tivo issuing a second SATA read request to load the kernel for execution), the device supplies a modified kernel. Similar concept to this attack detailed here: link. Though this might be a sizable development effort.
    It's interesting you bring this up, because this is precisely the type of device suggested by one of the other researchers back in 2010. Unfortunately, it seems that the amount of development that it would take to create a hardware proxy fast enough to handle SATA 3.0 speeds is significant, and the resultant hardware would likely be fairly cost-prohibitive. Still, the idea remains on the table.

    If that project progresses there will be a separate thread for it. ;-)
    .-=Omikron=-.


  14. #164 (Join Date: Nov 2004 | Posts: 420)
    Yeah, I thought a bit more about a SATA injection device, and even assuming some sort of inexpensive, embedded device to sit between the tivo and drive (similar to an Arduino), one would have to write an ATA command set handler/driver, which is probably difficult.

  15. #165 (Join Date: Jul 2005 | Posts: 347)
    > Originally Posted by tivo4mevo:
    > Yeah, I thought a bit more about a SATA injection device, and even assuming some sort of inexpensive, embedded device to sit between the tivo and drive (similar to an Arduino), one would have to write an ATA command set handler/driver, which is probably difficult.
    Another possibility is not to worry about speed when in "ghost" mode or whatever we decide to call it. Since we don't really care about fast I/O during boot, we could use a cheaper, low-speed device to serve as proxy during boot, and then once all is clear, hand over full control to the disk and allow a direct connection.
    .-=Omikron=-.

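    The interposer discussed in posts #161 through #165 only works if the boot code reads the kernel partition twice: once to check it and once more to load it, so that the two reads can be answered differently. That is a time-of-check/time-of-use gap in the loader, and it is the loader, not the drive, that closes it. The model below is an added example and not code from the thread; a SHA-1 digest stands in for the PROM's signature check, the class and function names are mine, and the kernel images are constructed bytes. It contrasts a loader that re-reads after verifying with one that verifies the buffer already in RAM and runs exactly that buffer, and counts how many reads each one issues.

```python
import hashlib

# Constructed images. In the real chain the check is an ElGamal signature;
# a SHA-1 digest of the trusted image stands in for it here.
GENUINE_KERNEL = b"constructed genuine kernel image\n"
MODIFIED_KERNEL = b"constructed modified kernel image\n"
TRUSTED_DIGEST = hashlib.sha1(GENUINE_KERNEL).hexdigest()


class Disk:
    """A plain drive: every read of the kernel partition returns the same bytes."""

    def __init__(self, image: bytes):
        self.image = image
        self.reads = 0

    def read_kernel(self) -> bytes:
        self.reads += 1
        return self.image


class InterposedDisk:
    """Model of the device described in the thread: the first read of the kernel
    partition is answered with one image, every later read with another."""

    def __init__(self, first: bytes, later: bytes):
        self.first, self.later, self.reads = first, later, 0

    def read_kernel(self) -> bytes:
        self.reads += 1
        return self.first if self.reads == 1 else self.later


def boot_reread(disk):
    """Loader with the gap: verify one read, then issue a second read to load.
    Returns the image handed to the CPU, or None if verification failed."""
    if hashlib.sha1(disk.read_kernel()).hexdigest() != TRUSTED_DIGEST:
        return None
    return disk.read_kernel()  # second read; nothing ties it to the bytes just checked


def boot_verify_in_place(disk):
    """Loader without the gap: one read into RAM, verify that buffer, run that buffer."""
    image = disk.read_kernel()
    if hashlib.sha1(image).hexdigest() != TRUSTED_DIGEST:
        return None
    return image


if __name__ == "__main__":
    for loader in (boot_reread, boot_verify_in_place):
        disk = InterposedDisk(GENUINE_KERNEL, MODIFIED_KERNEL)
        booted = loader(disk)
        print(f"{loader.__name__}: reads={disk.reads} "
              f"booted_genuine={booted == GENUINE_KERNEL}")
```

    Against the interposed drive the re-reading loader boots the modified image after two reads, while the verify-in-place loader issues a single read and boots the genuine one; a plain drive carrying a modified image is rejected by both. The same single-buffer rule is what makes the "ghost mode" variant in post #165 moot: if the bytes that are verified are the bytes that execute, the speed at which a proxy can later hand the bus back to the real disk does not matter.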
