TiVoCommunity.com
(c)opyright 1995-2005 All rights reserved
This area is a static history of posts in the TiVo Community Forum Archive.
This archive history was made for the simple indexing of search sites like Google.






While strolling through the logs one day....




Posted by: don99

I have noticed a few interesting things while looking at the Log Files (available on screen after backdoors are enabled) and thought we could use a thread to talk about them.

One was a reference to ip address 204.176.49.4:80
I won't bother to post the rest of the URL because what I found interesting was when I put this URL in my web browser... The 80 of course is the port and indicates it is http.. so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"
I will give you a clue.. the TiVo uses a cgi script in a sub-dir of that page...
What is that all about??



Posted by: barrey

Sounds like someone at TiVo is a Python fan...

------------------
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie.



Posted by: jmccorm

The box on the remote end claims to be using Red Hat Linux 1.3.6 with the Apache web server. Can't telnet to it, finger it, FTP it. Does not have a hostname when doing a lookup by IP address. No matches found in Altavista or Google. Seems to be a bit of a mystery!



Posted by: Mike-W

I did a lookup for that IP and it registered to UUNET. I did a traceroute and the host before it is registered to UUNET and Tivo. I guess it is a subnet that they have but don't have any DNS info for (to hide from hackers like us). Hosts 204.176.49.1 - 204.176.49.4 respond to pings.



Posted by: MacPrince

Here's something interesting...from the About TiVo Inc. page:
quote:

Mike Ramsay (favorite TV show: Monty Python's Flying Circus)


It seems that Mike the CEO is the Python fan in question.

------------------
The TiVolution begins...

[This message has been edited by MacPrince (edited 01-13-2001).]




Posted by: tgarcia

quote:
Originally posted by don99:
I have noticed a few interesting things while looking at the Log Files (available on screen after backdoors are enabled) and thought we could use a thread to talk about them.

One was a reference to ip address 204.176.49.4:80
I won't bother to post the rest of the URL because what I found interesting was when I put this URL in my web browser... The 80 of course is the port and indicates it is http.. so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"
I will give you a clue.. the TiVo uses a cgi script in a sub-dir of that page...
What is that all about??



Could be how the TiVo gets guide data. It only makes sense that the box would use HTTP to get data from TiVo's servers as getting data from HTTP servers is fairly easy from the programmer's standpoint.




Posted by: Scutter

quote:
Originally posted by tgarcia:
Could be how the TiVo gets guide data. It only makes sense that the box would use HTTP to get data from TiVo's servers as getting data from HTTP servers is fairly easy from the programmer's standpoint.


In fact, that's exactly how it works, and also why pulling updates over the internet-connected serial port works. It's already well-documented in the Hack FAQ. I've had my modem unplugged for three months now.

FP


------------------
http://tivo.pineaus.com



Posted by: pv

quote:
Originally posted by don99:
so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"



That's too many "Ekki"s! No shrubberies for the TiVo staff. PV

P.S. If Mr. Ramsay would like my first edition of the "Monty Python and the Holy Grail" script book (Out of print for 20 years), he can make me an offer. But since you can't even find these on eBay, it ain't going cheap...




Posted by: tgarcia

quote:
Originally posted by Scutter:
In fact, that's exactly how it works, and also why pulling updates over the internet-connected serial port works. It's already well-documented in the Hack FAQ. I've had my modem unplugged for three months now.

FP





Egads. I can't believe they didn't use an SSL connection for grabbing guide data. Hopefully they use some other encryption schema -- raw data is just a no-no if they don't want someone to start redistributing the information and giving away free TiVo service!




Posted by: HTH

quote:
Originally posted by tgarcia:
Egads. I can't believe they didn't use an SSL connection for grabbing guide data. Hopefully they use some other encryption schema -- raw data is just a no-no if they don't want someone to start redistributing the information and giving away free TiVo service!


Who said it was raw? I understood the data itself was encrypted for each individual unit using the crypto chip's encryption key, so you couldn't even use a caching proxy to serve all your units with the same data--the wrong decryption key would be used. Wouldn't adding SSL on top of that be excess paranoia?

------------------
http://www.war-of-the-worlds.org/tivo/HTH.gif

[This message has been edited by HTH (edited 01-16-2001).]



Posted by: TVGeeko

I just used 0v1t to get into the backdoors and read the logs too. I figured I'd be adventurous and try to hack into my TiVo through the PPP connection (with its IP address gathered from its logfile). (Hey, it's no crime to try to hack into your own computer on the network.) The first thing I did was ping it. Either UUNet doesn't let you ping hosts on its dialup system, or TiVo's kernel (2.1.24-TiVo.1 I think) rejects ICMP requests. As I guessed, it doesn't take ssh, rsh or telnet logins.

I DID go through the logs and find some interesting files it accesses over the network. The one file I did fetch from the server is:
http://204.176.49.30:8080//TivoData...61-363.slice.gz

(I was too chicken to go looking at other files - I have no idea how the TiVo people take to people downloading these with something other than a TiVo.)

Whether the extra / after the port number was necessary or not isn't something I know. The datafile format looks like some kind of archive containing graphics and text, but I could be mistaken. It's only gzip compressed (The text inside is not encrypted.). You can find the URLs it's fetching in /var/log/http (Accessible through the backdoors log system).

This kind of distro system for TV listings has been done before (http://www.tvhost.com/). An obscure file format distributed from public web servers - readable only by software which verifies a subscription. I suppose if you were bored you could hack the file format but it'd be of doubtful value unless you were going to rewrite MyWorld - and it would be unethical to use their listings with a TiVo which isn't subscribed.

Just some observations, sorry about the rant or if I'm being redundant to someone else.

I am curious if anyone did any work on figuring out what kind of data is in the .slice files.





Posted by: keeney

Open your downloaded file deltashowcase-361-363.slice with Photoshop (or similar) as a raw, 8-bit per pixel file with a width of 481 pixels (height of 1500 or so) to see some of the graphics.

They appear to be color-mapped.



Posted by: TVGeeko

> Open your downloaded file deltashowcase-361-363.slice with Photoshop (or similar) as a raw, 8-bit per pixel file with a width of 481 pixels (height of 1500 or so) to see some of the graphics.
> They appear to be color-mapped.

Thanks. Also noticed that some of the other files are .bnd files which can be "unzipped" with a program called CPIO under Linux. You can find the URLs in your TiVo's logfiles, I don't care to raise any ire at TiVo by constantly posting links to the files. (Look at the fake filename below for a hint.)

To "unbundle" it as TiVo refers to it in the logfile, you type:

cpio --extract <BLAH123_32312-v221_32314_v221.slice.bnd

(I'd recommend using the real name of the file :) )

I believe these are encrypted in some way with the Blowfish algorithm. After the .bnd file is uncompressed, there are three files with extension ".skey" and one file with extension ".slice.gz.bf". I don't know what the .skey files have or how TiVo implements their Blowfish algorithm. The .bf file seems to be a ciphertext of a .gz file containing the .slice file (Seems to be an archive/database format of some sort.).

Oh yeah, one more thing. The point of this exercise is...?




Posted by: Scutter

quote:
Originally posted by TVGeeko:
Oh yeah, one more thing. The point of this exercise is...?


"Why did you decrypt that code?"

"Because it was there."

FP


------------------
http://tivo.pineaus.com



Posted by: TVGeeko

Good point Scutter!

I've been playing with this all night - The archive's images are uncompressed PNG files. You can extract the pretty pictures by finding the PNG header and just copying out the data from the header (HEX: 89 50 4E 47) (Found in the file earlier mentioned at offset 0x000038) until you get to the end of the PNG (Search until you find the letters "IEND" and it will be followed by hex: AE 42 60 82). TiVo seems to be relying exclusively on gzip's compression because the first PNG is 29kb, and could have been reduced to 5kb with PNG's normal compression.

What really baffles me is the header:
uN3ASTD1tm38)uuid-000000000:(0.0.200.38)Ku

found before the PNG. What does "uuid-000000000:(0.0.200.38)" mean - is it a kind of MFS filename or something? (I thought those were fsid)
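An added example, not code from the thread or from TiVo, of the carving approach described above: locate the PNG signature (89 50 4E 47 ...) and copy through the IEND trailer (AE 42 60 82). It goes a step further than a text search for "IEND" by walking the PNG chunk lengths and verifying each chunk CRC, so a stray "IEND" inside image data or a damaged image is detected instead of producing a truncated file. The slice-like input is a constructed stand-in, since the real file layout is not known.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # starts with the 89 50 4E 47 from the post
IEND_TRAILER = b"IEND\xaeB`\x82"      # "IEND" + its fixed CRC AE 42 60 82


def png_chunk(ctype, data=b""):
    """Build one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def carve_png(blob, start=0):
    """Return (offset, png_bytes) for the first well-formed PNG at or after
    start, or None. Walking chunk lengths instead of searching for the text
    'IEND' means a stray 'IEND' inside image data cannot truncate the carve."""
    off = blob.find(PNG_SIGNATURE, start)
    if off < 0:
        return None
    pos = off + len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            return None  # truncated chunk
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            return None  # CRC mismatch: damaged, or not really a PNG
        pos = end
        if ctype == b"IEND":
            return off, blob[off:pos]
    return None


def carve_all_pngs(blob):
    """Carve every well-formed PNG in the blob, in file order."""
    found, pos = [], 0
    while (hit := carve_png(blob, pos)) is not None:
        found.append(hit)
        pos = hit[0] + len(hit[1])
    return found


def sample_blob():
    """Constructed stand-in for a slice file: opaque header bytes, one 1x1
    grayscale PNG, then padding. Returns (blob, the embedded png bytes)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND")
    return b"uN3ASTD1tm38)uuid-000000000:(0.0.200.38)Ku" + png + b"\x00" * 16, png
```

Run against a real file with `carve_all_pngs(open(path, "rb").read())` and write each returned byte string to its own `.png`.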






Posted by: TVGeeko

Sorry about that - the correct spelling is

uuid-000000000:(0.0.200.38)



Posted by: Scutter

Lightn's Tivoweb includes a TCL script (called dumpimages.tcl) that will extract graphics from the MFS partition.

FP


------------------
http://tivo.pineaus.com



[This message has been edited by Scutter (edited 01-17-2001).]



Posted by: Otto

The slice files are encrypted using Blowfish. But then, of course, The Tivo unit itself can decrypt them. What did you think that crypto chip was for?

------------------
Otto, Supreme TiVoWarrior - Moderator - AVS Forum - Tivo Underground
"If once you start down the dark path, forever will it dominate your destiny. Consume you it will!" -- Yoda



Posted by: TVGeeko

Thanks for the insight. I wasn't aware of the crypto chip in TiVo (Never bothered to pull mine apart.). I hope I'm not being too newbie for everyone.

I'd be tempted to go in and speculate about whether the crypto chip had a decryptor key built in or whether it was just a helper device like the kind you can buy for e-commerce servers, but it's pretty much a moot point and probably flamebait about "Stealing service" so I don't care to go there.






vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Limited.
vB Easy Archive Final ©2000 - 2009 - Created by Stefan "Xenon" Kaeser Modified by Adam J. de Jaray