
Thread: The Series4 (TiVo Premiere) Development Thread

  1. #76
    Join Date
    Aug 2004
    Posts
    4,086
    Quote Originally Posted by Jamie View Post
    No change. Still single core.
    Still true with 14.4.

  2. #77
    Join Date
    Jul 2005
    Posts
    574
    I don't suppose we could get this thread moved to the newly created Series4 forum, could we?
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  3. #78
    Join Date
    Jun 2010
    Posts
    2

    Naive question, but here goes . . .

    The series 4 hacking work is really awesome - keep it up! I've really enjoyed this thread.

    I'm new to the Tivo hacking world, but I'm curious about the goals. Making a prom hack seems to be a solid way to rewrite the static root of trust in such a way that you can do what you want to your Tivo -- cool, makes sense.

    However, since the bootloader isn't locked and you can pass arguments to the kernel via a serial connection, can't you just bypass the root filesystem signature scan as long as you're willing to live with the Tivo controlled kernel?

    (Is the kernel even being checked by the CPU? Does changing it with bootpage.x86 cause failure?)

    Clearly, it makes sense to break open the whole chain of trust, from both an exploratory and a persistence point of view, but I wonder if you could get a quick hack with a small device that you hang off of the TTL. When the +5v is powered, it starts sending Ctrl+C for n seconds. Then it transmits a bootloader cmd like:

    boot -3 "root=/dev/sda4 noinitrd"

    Unless Tivo compiled out the noinitrd cmdline option, that should bypass using the initrd. From reading the console log that was posted (again - thanks!), it looks like /linuxrc does a signature scan of the root filesystem prior to calling pivot_root, but maybe I'm reading too much into the output. If not and you moved over needed files from the initrd to the boot drive (or made a new root partition that was your own equivalent to the initrd but without the key checks), then it seems that you can break the chain of trust with a tiny serial dongle that just redirects the bootloader at power-on, then chills out. But I don't have a full view of which bits of the initrd and/or rootfs are being signature checked.

    Obviously, that is a suboptimal solution, but I wonder if it would work as a starting point. If anyone gets a dump of the kernel (vmlinuz) and initrd, it'd be great to see it posted. Even if the noinitrd option isn't included, it'd be interesting to see which filesystems are supported. The kernel listed is not brand new so I bet you could compromise the kernel with filesystem metadata (since it looks like they just hash the files). (Make an exploit payload on /dev/sdaX then tell it root=THAT and compromise the kernel when it mounts it.)

    Sorry if I've asked a bunch of already-known questions or am way off-topic. Feel free to disregard this post.

    - mp

  4. #79
    Join Date
    Aug 2004
    Posts
    4,086
    Quote Originally Posted by moar.piggies View Post
    ... (Is the kernel even being checked by the CPU? Does changing it with bootpage.x86 cause failure?)
    The BSP (Broadcom Secure Processor) checks the PROM. The PROM checks the kernel image. The kernel image initrd checks the filesystem. That's the essence of the chain of trust.

    Unless Tivo compiled out the noinitrd cmdline option, ...
    They did. And the initrd checks the kernel cmdline to avoid, for instance, the old BASH_ENV hack.

    The obvious exploits have been closed. You'll have to work a little harder than that to get in.
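    To make the chain-of-trust description above concrete, here is an added illustrative model (not TiVo's code, and not from this thread): each stage verifies a digest of the next one, and the initrd refuses a kernel command line that would skip it or inject an environment variable such as BASH_ENV. The images, digests, allowlist and option names are constructed assumptions for the demo.

```python
import hashlib
import shlex

# Constructed stand-in images for the stages the post names
# (PROM -> kernel -> initrd/root filesystem); real images are not on the page.
STAGE_IMAGES = {
    "prom": b"constructed PROM image",
    "kernel": b"constructed kernel image",
    "rootfs": b"constructed root filesystem image",
}

# In a real device each stage would carry the next stage's expected digest
# (or a signature over it); here they are computed once for the demo.
EXPECTED_DIGESTS = {
    name: hashlib.sha256(data).hexdigest() for name, data in STAGE_IMAGES.items()
}

# Hypothetical allowlist: the only command-line keys the initrd honours.
ALLOWED_KEYS = {"root", "console", "quiet"}
# Options named in the thread that would bypass the initrd or subvert it.
BYPASS_TOKENS = {"noinitrd", "init", "BASH_ENV"}


def verify_chain(images, expected):
    """Walk PROM -> kernel -> rootfs, hashing each stage before trusting it.

    Returns the name of the first stage whose digest mismatches, or None
    when every stage checks out.  A mismatch must stop the boot there.
    """
    for stage in ("prom", "kernel", "rootfs"):
        digest = hashlib.sha256(images.get(stage, b"")).hexdigest()
        if digest != expected[stage]:
            return stage
    return None


def cmdline_ok(cmdline):
    """Accept a kernel command line only if every token is on the allowlist.

    Denylisted tokens are rejected explicitly so the reason is visible, but
    the allowlist is what actually closes the class of bypasses.
    """
    for token in shlex.split(cmdline):
        key = token.partition("=")[0]
        if key in BYPASS_TOKENS or key not in ALLOWED_KEYS:
            return False
    return True
```

The allowlist check is the point: denying one known option (noinitrd) leaves the next one open, whereas refusing anything not explicitly permitted does not.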

  5. #80
    Join Date
    Jun 2010
    Posts
    2

    Figures

    Quote Originally Posted by Jamie View Post
    They did. And the initrd checks the kernel cmdline to avoid, for instance, the old BASH_ENV hack.
    Cool.

    Quote Originally Posted by Jamie View Post
    The obvious exploits have been closed. You'll have to work a little harder than that to get in.
    Just being hopeful! It sounded like password-less bootloader access was a regression, and it wasn't clear if any extras came with it. There is still room for any number of runtime attacks, but without device (or vmlinuz/initrd) access, that's harder to posit.

    Thanks for responding -mp

  6. #81
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,021
    Quote Originally Posted by Omikron View Post
    I don't suppose we could get this thread moved to the newly created Series4 forum, could we?
    nope, sorry, can't be done.

    ronny

  7. #82
    Join Date
    Sep 2004
    Posts
    5
    What would it take to change the CPU to break trust?
    Would we have to change the rom as well?

  8. #83
    Join Date
    Jul 2005
    Posts
    574
    Quote Originally Posted by j4hill View Post
    What would it take to change the CPU to break trust?
    Would we have to change the rom as well?
    The short answer?

    A lot. :-)

  9. #84
    Join Date
    Sep 2004
    Posts
    5
    Quote Originally Posted by Omikron View Post
    The short answer?

    A lot. :-)
    I was thinking we could put a short boot in the CPU rom, break trust, and do the rest from disk without reading the rom at all. Big parts of the rom may have to be moved to disk where they could be modified and run from there. I would rather not have to mess with the rom too if we had to change the CPU.

    Changing the CPU is probably beyond the scope of a practical hack.

    We can read the rom; can we read the CPU rom as well?
    Whatever functionality is needed besides security would need to be moved to disk.

  10. #85
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,829
    From the sound of things this wouldn't be practical without another killhdinitrd style exploit, or at least some kind of kernel level exploit that can be done prior to tivoapp loading. (anything after would require hacks that are broken with software updates)
    Before PMing me: I'm not your personal tech support. If you have a question, ask in public so I don't have to repeat it if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs.

    Sponsor a vegetarian! I have taken the pledge, how about you?

  11. #86
    Join Date
    Sep 2004
    Posts
    5
    Has anyone been able to get a non-TiVo expansion drive to work? I would like to plug 2 TB into each of mine... Can I just hook up a drive, or do I have to pay money some place to get the drives "configured", whatever that entails?

  12. #87
    Join Date
    Jul 2005
    Posts
    507
    Perhaps we shouldn't assume the second core has been disabled because of instability or lack of testing. What if security issues are the reason it's not currently enabled?

    drmuzik: No offense intended but CCI problems (especially with Time Warner) and the lack of a work around for the TiVo Premiere are both common knowledge in the TiVo world. It might have been better if you had asked the day before you bought the unit!

    I'm curious why you didn't get a TiVo HD?
    Last edited by ciper; 08-09-2010 at 06:22 AM.

  13. #88
    Join Date
    Jul 2005
    Posts
    574
    Let's try to keep this thread on-topic. :-)

  14. #89
    Join Date
    Sep 2004
    Location
    Maryland
    Posts
    2

    Disk expansion for S4/Premiere

    Slightly OT, but: Since there was a post earlier in this thread asking, and there aren't any threads in the Series 4 Support forum, I'll note that over on TCF, there's a Java-based tool (currently known as "jmfs") that allows for expansion of Premiere drives--yes, S4 uses a slightly different set of MFS parameters and available tools that previously worked for TiVo HD didn't work for Premiere. I'm planning to test it this weekend by replacing the drives of two NIB Premieres with 2TB drives.

    Not posting a URL, but PM me if that's needed.

    EDIT: Fix sentence that sense not make.
    Last edited by ripple; 08-25-2010 at 02:41 PM.

  15. #90
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,021
    I've relocated the "premiere vs. tivo hd" posts to a new thread in the support forum. Please keep this thread on topic as development. Since the jmfs info is relevant, I'll leave it here for now.

    ronny
