 |
 |
 |
 |
 |
 |
|
|
|
  |
Compare Products, Prices & Stores For: COMPUTERS, COMPONENTS, COMPUTER ACCESSORIES, COMPUTER MEMORY, HARDWARE, INPUT DEVICES, NETWORKING, PDAs & MOBILE ELECTRONICS, SOFTWARE, STORAGE & MEDIA, DIGITAL CAMERAS, HOME AUDIO, TV& VIDEO |
|
|
|
|
#1
08-03-2004, 11:37 PM
|
||||
|
||||
|
killhdinitrd 0.9.x
####################### This utility disables the initial ramdisk (initrd) on various 3.x, 4.x & 5.x kernels in such a way that they still pass the prom signature check. No PROM modification is needed to boot the modified kernel. Please donate to the EFF if you find this program useful. Suggested donation: $25. Paypal is also accepted: send to accounting@eff.org. If you wish, you may paste a link to this post in the "reasons" box so they are aware of our interests (fair use of legitimately purchased copyrighted materials). TERMS OF USE: DO NOT DOWNLOAD THE ATTACHMENT IF YOU DO NOT ACCEPT THESE TERMS This software is for personal, non-commercial use only. You MAY NOT sell or redistribute this software, modified versions, or ANY derivative work in ANY form, period. This software, given a suitable TiVo kernel image, injects its own code into the image. THAT CODE IS COPYRIGHTED and distributed under the same terms as above. That is to say, ANY kernel image altered by this software is copyrighted both by us AND by TiVo (as their initrd is NOT covered by the GPL). You MAY NOT redistribute any kernel image modified by our software, or any derivative thereof. You MAY examine or reverse engineer our code, but understand that doing so implies that any "clone" of killhdinitrd is a derivative work of our project and MAY NOT be redistributed in any form. Verbatim, unmodified copies of this software may be hosted on dealdatabase.com. As the SOLE exception to our no-redistribution policy, you may submit modified versions to ourselves or to the dealdatabase.com staff (privately); staff members may choose to post your modified copy. Our intent is that you will be allowed to add support for additional kernel versions, provided that our restrictions apply to any of the derivative works you create. If we use your modifications, we will give you credit. This project exists for the sole purpose of allowing interoperability under 17 USC 1201(f). It is NOT to be used for circumventing controls on copyrighted material, and provides no facility for doing so. End of terms ####################### the DDB forum sponsor PTVupgrade has been granted exclusive rights to redistribute the killhdinitrd utility this decision is the result of several factors, a few of which include 1) a substantial donation to the EFF 2) one of the more annoying ebay effects as we've seen with other utils some will undoubtedly get suckered & come here for support. those folks should be greeted with the standard "contact the seller for support" the util is free to anyone via ddb but no support is provided. ptv provides support to their customers so they won't clutter the forum with basic installation questions this is a done deal - if you wish to debate the merits do so HERE or in the sewer ####################### Edit 2004/09/29: I am attaching source, documentation, and binaries for version 0.9.2. Per the license agreement, we (the DDB mods) have updated the release with patches submitted by DDB users. ####################### Edit 2006/03/12: Attached version 0.9.3, incorporating user-contributed support for the 7.2.2-oth-K1 kernel. ####################### Edit 2006/12/12: Updated 0.9.3 archive to include "mingw" directory for Win32 sources/binaries. ####################### The supported kernels can be extracted from the following TiVo software releases: Code:
7.2.2-oth-K1: Linux version 2.4.20 (build@buildmaster50)
(gcc version 3.3.4) #1 Tue Feb 14 20:55:02 PST 2006
MD5: fd71b861a767de9ad4a13dc5f78b6ae1
Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0
3.1.5: Linux version 2.4.20 (build@buildmaster5)
(gcc version 3.0) #22 Fri Feb 20 18:19:25 PST 2004
MD5: 8d31d9eb8077a0a91a9356d23a4e9fb8
Supports DTiVo Uma4/Uma6/Phoenix, and all known SA Series2.0
EXCEPT "140" series
3.1.1c: Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
(gcc version 3.0) #9 Wed Jan 7 10:05:19 PST 2004
MD5: 8430fccf5c26bb5668c5e14ca3fc4582
Supports DTiVo Uma4/Uma6, and all known SA Series2.0
4.0.1a: Linux version 2.4.18 (build@buildmaster19)
(gcc version 3.0) #38 Thu Oct 23 10:48:29 PDT 2003
MD5: 567ffaf194278f82e7c7b86bb411c93e
Supports DTiVo Uma4, and all known SA Series2.0
3.1.U5: Linux version 2.4.4-TiVo-3.0 (build@buildmaster10)
(gcc version 3.0) #27 Sat Sep 28 21:47:44 PDT 2002
MD5: 5217ce0190595f4fe2461a429ce18121
Supports DTiVo Uma4, and all known SA Series2.0
(this kernel is supported but 3.1.1c is recommended)
Please do not link directly to the file attachments. Link to this thread instead, to give your readers the benefit of updates, errata, and support information. Last edited by alldeadhomiez; 12-12-2006 at 02:47 PM. 
|
|
#2
08-03-2004, 11:47 PM
|
||||
|
||||
|
Do NOT post support questions in this thread. Any question not directly related to furthering the development of this hack will be summarily deleted.
There is a support thread in the Series 2 Support Forum located here Edit: Other useful resources: Download killhdinitrd-compatible kernels monte-mips: a way to chain-load a custom kernel (after you use killhdinitrd to compromise the box) Discussion thread on using killhdinitrd with monte Why you probably don't need a killhdinitrd that supports your exact software version Last edited by alldeadhomiez; 01-17-2005 at 07:52 PM.
|
|
#3
08-07-2004, 03:35 PM
|
|||
|
|||
|
MuscleNerd pointed out that some of the initrd kill offsets for 2.4.4-TiVo-3.0 on 3.1.1c did not match up:
Code:
{
"2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
"\x02\x00\x28\x21" /* do as i say, not as i do. */
"\x3c\x1f\x80\x00"
"\x20\x1e\x00\x3a"
"\xa7\xfe\x4e\x4a"
"\x20\x1e\x00\x33"
"\xa7\xfe\x4e\x86"
"\x20\x1e\x00\x30"
"\xa7\xfe\x4e\x92"
"\x20\x1e\x00\x2e"
"\xa7\xfe\x4e\x9a"
"\x3c\x1f\x80\x12"
"\xaf\xe0\x68\xf0"
"\x3c\x1f\x80\x00"
"\x27\xff\x43\x2c"
"\x03\xe0\x00\x08"
"\x00\x00\x00\x00"
},
Code:
{
"2.4.4-TiVo-3.0 from TiVo OS 3.1.1c",
0x8000432c, 0x8019f380, 0x0e6fae51, 0x801b8304, 0x40,
"\x02\x00\x28\x21" /* do as i say, not as i do:
move $a1, $s0 */
"\x3c\x1f\x80\x00" /* lui $ra, 0x8000 */
"\x20\x1e\x00\x3a" /* li $s8, 0x003a */
"\xa7\xfe\x4e\x4a" /* sh $s8, 0x4e4a($ra) */
"\x20\x1e\x00\x33" /* li $s8, 0x0033 */
"\xa7\xfe\x4e\x66" /* sh $s8, 0x4e66($ra) */
"\x20\x1e\x00\x30" /* li $s8, 0x0030 */
"\xa7\xfe\x4e\x72" /* sh $s8, 0x4e72($ra) */
"\x20\x1e\x00\x2e" /* li $s8, 0x002e */
"\xa7\xfe\x4e\x7a" /* sh $s8, 0x4e7a($ra) */
"\x3c\x1f\x80\x12" /* lui $ra, 0x8012 */
"\xaf\xe0\x68\xf0" /* sw $zero, 0x68f0($ra) */
"\x3c\x1f\x80\x00" /* lui $ra, 0x8000 */
"\x27\xff\x43\x2c" /* addiu $ra, $ra, 0x432c */
"\x03\xe0\x00\x08" /* jr $ra */
"\x00\x00\x00\x00" /* nop */
},
Does "do as I say, not as I do" refer to the weird offsets, or does it refer to taking $a1 (BORD type) from $s0 - something that clearly breaks when you are loading the kernel from something other than the TiVo PROM code? Both the original code and the new code worked correctly when I tried them, but it is disturbing to see potential corruption of kernel memory. Comments?
|
|
#4
08-11-2004, 03:43 AM
|
||||
|
||||
|
Curious....
For those of us who don't understand exactly what is going on here, how is it that these modifications do not invalidate the kernels' digital signature? AFAIK if so much as a single bit has been modified, the kernel signature will be invalidated unless you have the private keys to sign the modifications accordingly. How is this patch an exception to that?
MODs: This isn't a support question, I just want to understand the method in better detail. Feel free to move it if you feel it's inappropriate though.
__________________
Before PMing me: I’m not your personal tech support. If you have a question, ask in public so I don't have to repeat if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs. Sponsor a vegetarian! I have taken the pledge, how about you? Last edited by AlphaWolf; 08-11-2004 at 03:50 AM.
|
|
#5
08-11-2004, 08:11 AM
|
|||
|
|||
|
Here is a utility you can use to examine a ".px" file and split it into components.
|
|
#6
08-11-2004, 07:52 PM
|
|||
|
|||
|
Quote:
Code:
scripts/elfextract vmlinux vmlinux
$(OBJCOPY) -O binary vmlinux vmlinux.data
if [ -f extra ]; then cat extra >> vmlinux.data ; fi
ifeq ($(TV_FEATURE_STRONG_CRYPTO),0)
dd if=/dev/zero bs=269 count=1 > vmlinux.sig
else
$(TOOLROOT)/tvbin/crypto -sfh $(ROOT)/tvlib/keys/kernel-dev.prv vmlinux.data > vmlinux.sig
endif
scripts/makeppceval vmlinux.info vmlinux.data vmlinux.sig vmlinux.px
"extra" is the initrd image.
|
|
#7
09-26-2004, 06:44 AM
|
||||
|
||||
|
Quote:
|
|
#8
08-21-2006, 11:54 AM
|
||||
|
||||
|
How do I find the kernel version number?
Tivo displays 7.2.2-oth.01-2-64 (I have a backup) and in last 2-3 days got updated to 7.3.1 (I have a backup for this too) Want to put telnet, ftp, etc on my Toshiba SD-H400. Tried killhdinitrd on both versions but it reports FATAL: No exploit found for this kernel also If I do manage to get the hacks installed will they be removed during next update from tivo?
|
|
#9
08-21-2006, 11:59 AM
|
|||
|
|||
|
Usage questions belong in the support thread, not the development thread.
Use the 7.2.2-oth-K1 kernel with any 7.x software version on a Series2. One source for kernels that work with killhdinitrd is the $5 PTVUpgrade lba48 CD.
|
|
#10
04-20-2007, 07:54 PM
|
|||
|
|||
|
CD isnt working
Unfortunately the CD doesnt work for those of us with the TDC649080 version (Series2 DT). Using any of the Kernels on the $5 CD ends up giving you a grey screen. Would be nice if there was a util to patch your own Kernel... yes yes I am lazy
|
|
#11
04-20-2007, 08:45 PM
|
|||
|
|||
|
Quote:
|
 |
| Thread Tools | |
| Display Modes | Rate This Thread |
|
|
Linear Mode
