


Getting the 3.2 Backdoor Code




Posted by: DVDerek

I'm new here so hang in there...

I know the old Backdoor Code does not work with 3.2. Everyone seems to be saying "well, just wait until someone releases it." Who is this magical someone? Is this something TiVo usually eventually leaks or do people actually work on getting the code? Is there a process for attempting to get the code? Who works on these things?

Thanks,
Derek



Posted by: markp99

A brilliant few willing to break the encrypted code... Like EdwinOlson did for the 3.0 code.

Read thru the following thread to appreciate some of the complications. Interesting.

http://www.tivocommunity.com/tivo-v...&threadid=54743

3.2 code will be even MORE difficult, because the file system is not accessible yet on Series2 (where 3.2 is now releasing).



I'm betting we get the code via a leak from TiVo, or someone simply stumbles upon it...



Posted by: donvickers

Do we have any news yet as to the code to open the "backdoor" on 3.2?
Is this the forum in which it's most likely to appear, if and when it's found?



Posted by: mtw2

Two steps:

1. The encrypted code must be retrieved from the drive. Since they aren't upgrading Series 1 boxes to 3.2 (presumably; this is the rumor I've heard), someone with a Series 2 must do it. This involves cracking the cover and putting the hard drive in a desktop machine.
I could do this, but I'm reluctant to crack open my Series2 and void the warranty, if I know I can't get a prompt or run TivoWeb on it yet.
Besides, I haven't got 3.2 yet.

2. The encrypted code must be cracked. If whoever cracked 3.0 can either post their brute force code or run it for us when the encrypted 3.2 code is posted here, then it should be a matter of hours to get the backdoor code, once extracted.

Caveat: If they thought we got it too quickly last time, then they may have altered the algorithm or altered how this is stored. In that case, it'll take a bit more trial and error before it's discovered.

~mtw2

Still waiting for 3.2...



Posted by: mtw2

Update:
The way they got the encrypted string last time was from a command line app on the tivo. The MFS isn't a well understood fs, and you need Tivo's dumpobj tool to look at the resource elements. This may be a problem, since you can't get a shell (yet) on Series2, and they aren't rolling out 3.2 to series 1 boxes (afaik).
So, I'm proposing an alternate method. Use the mfs_info and mfs_dumpobj programs that come with vplay. (that's all I'll say here, google for more).

Update2:
The program to brute force a SHA1 code is in that 3.0 thread referenced above. A dictionary made with "302backdor" would be a good start, but Tivo may have broken from tradition and added new letters or numbers.



Posted by: CerebusUS

Dunno if this helps any or not, but I went to my system information today and saw the following:

Icebox files:
Path (null):
swsystem/3.2v4-01-2/...
.
.
.
.

So I'm guessing I've got the 3.2 code waiting on my box for an install command.

My Tivo is a Sony SVR-2000, upgraded with an old tivonet adapter (the ISA one) and an 80GB drive.



Posted by: subuni

quote:
Originally posted by CerebusUS
Dunno if this helps any or not, but I went to my system information today and saw the following:

So I'm guessing I've got the 3.2 code waiting on my box for an install command.

My Tivo is a Sony SVR-2000, upgraded with an old tivonet adapter (the ISA one) and an 80GB drive.



Everybody should have those files, as they came down via the Discovery Channel program. But it won't be installed on your Series 1. (Correct me if I'm wrong) The last number in a version number indicates the series it's for. For example: v3.0-01-1 is for Series1, v3.0-01-2 is for Series2. In this case, since the version is 3.2v4-01-2, the software is for Series2.



Posted by: subuni

Although I don't have a Series2, this was pretty trivial to find in the 3.2.V4-01-2 update files.

ResourceItem 999074/174 {
Id = 131251
String = 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4
}

I'm sure somebody will know how to have fun with that. :)

And as a side note:

ResourceItem 999074/220 {
Id = 131297
String = {Teach TiVo lets you rate programs, actors, directors and categories of programs using the THUMBS buttons. Based on these ratings, TiVo suggests other programs that you might like. What TiVo Thinks(tm) are shown with purple, square thumbs.}
}

If that means Teach TiVo is back and functional in 3.2.V4-01, and my Series 1 never gets upgraded to that... I will be a very unhappy camper.



Posted by: CerebusUS

I trust someone has already tried B B 32 and B B 3 2 right?

I'm just extrapolating a pattern... :)



Posted by: EdwinOlson

Hey guys. I'm trying my code on it.

So far, it looks bad; the same code that found it on 3.0 isn't finding it on 3.2.

I suspect that the tivo developers are probably pretty lazy folk when it comes down to it, and aren't too keen on entering in 7+ character passwords all the time.

I've searched all passwords up to 5 characters, I'm working on 6 (some of the "most likely" passwords have already been tried of length 6-8).

I suspect that something has changed. I'm still trying both endiannesses.

Brainstorming some possibilities:

- high ASCII?
- everything's lowercase?
(I'll try these two in a few minutes)
- Some arithmetic manipulation on the plaintext (e.g., XORing it with "TiVo", XORing each byte with 0xE9...) In order to make my search fail, the manipulation would have to convert the plaintext to use letters *outside* the TIVO alphabet.

One question: Does 3.2 change/add which letters you can enter? I'm using the alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ". Perhaps they've added hyphens or something? Can someone who has 3.2 report (perhaps privately) on this? (Do any other keys result in characters appearing in the search window? Perhaps thumbs-up, play,...?)

The disassembly of the relevant code that checks for the backdoor code, of course, would be extremely helpful!

-Ed

PS: Last time, the key insight came from someone who just threw out a random idea that happened to be right. (endianness was backwards). I dunno if I would have thought of it. So spew forth your ideas!



Posted by: gregstoll

I'm also trying the same things as last time - I'm in the middle of length 6 codes (all letters, numbers, space) and no luck. I think if that doesn't work, I'll try it with lowercase instead.

I have 3.2 and just checked the Search by Title screen - don't see any new characters (and I tried pressing random remote buttons as well).



Posted by: ADent

You can enter the quote character (hit the pause key) in at least some of the search screens.



Posted by: markp99

Does <pause> key produce a <quote> character, like it does elsewhere? Do not have access to TiVo now...



Posted by: EdwinOlson

a double quote or a single quote?

I don't think it's RIPEMD either.

I've already searched through all 6 letter and quite a few 7 letter combinations, SHA0, SHA1, RIPEMD. Gonna try HAVAL in a bit.

I'm checking for all endianness possibilities. Also tried twiddle factors (XORs) over the ciphertext (i.e., "TIVO", "TiVo", "tivo").

Tried lower case. Tried high ascii.

<grumble>

Are we sure that the resource entry isn't a decoy? Do you see any suspicious constants in the resources? (probably 32 bit)

-Ed



Posted by: markp99

pause = double quote...



Posted by: Barry

Hi all,
I've a question. Are you actually trying the backdoor codes manually by entering them at the remote, or have you automated the process? If so how?

Barry



Posted by: barclay

The process is automated. Look in the thread subuni referenced for all the juicy bits.

Basically, we're trying to brute-force the code out of the resource string by trying to encode lots of possibilities and seeing if they match.

I've extended the cracking program to try codes a few characters more in length. I doubt I'll get anywhere though.



Posted by: HookedOnTivo

Nerds. :D



Posted by: dbates

Keep trying guys! I'm rooting for you! I can't wait to try the Backdoor stuff. :)



Posted by: gregstoll

Dunno about the rest of y'all, but I'm trying all sorts of permutations of the hash function:

swapping hex codes 01 23 45 67 as:

and doing the same thing for swapping each byte (i.e. 01->10) and reversing the whole hash. Just some ideas if you have good ways of transforming the possible codes (I've basically only tried lowercase & uppercase...)

We can do it! :-)



Posted by: EdwinOlson

Ugh. I was hoping for a message from my computer this morning.

I've completed the 6 character search space with the alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\" " using SHA0, SHA1, RIPEMD-160, and checking for all 4 possible endian orders.

I've completed the 7 character search space with the alphabet "TIVOBD302ACKRPWE " using RIPEMD, SHA0, SHA1, TIGER, HAVAL, GOST, and even truncated SHA256, checking for all 4 possible endian orders.

I've tried some "likely" other combinations- lower case, high ascii, etc as described before.

At this point, I do suspect something's wrong; either my code is wrong, or they're doing something different (a different cipher, some transform on the input or output, etc.)

Ideas solicited. I'll keep going, but the next key spaces are gonna take a long time. (38^7 is a big number!.)

-Ed
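As an added illustration of the check described in the two posts above (this is not Ed's tivocrack code and nothing here comes from the TiVo software): SHA-1 over a code typed from the search-screen alphabet, rendered under the four per-word byte orders, compared against a 40-hex-digit string, plus the 38^n keyspace count Ed quotes. The stored digest and the short code the demo searches for are constructed for the example; the real 3.2 resource string is not searched.

```python
"""
Added example modelling the search the thread describes: SHA-1 of a code from
the TiVo search-screen alphabet, compared against a stored 40-hex-digit string
under the four byte orders within each 32-bit word (0123, 3210, 1032, 2301).
The target digest below is constructed for the demo, not taken from a TiVo.
"""
import hashlib
import itertools

# Alphabet Ed reports using: 26 letters, 10 digits, space, and the double
# quote the pause key produces on some screens. 38 characters in total.
TIVO_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "'

# Byte positions within each 4-byte word, named as the posters name them.
WORD_ORDERS = {
    "0123": (0, 1, 2, 3),   # digest bytes rendered in order (big-endian words)
    "3210": (3, 2, 1, 0),   # every word byte-reversed (little-endian words)
    "1032": (1, 0, 3, 2),   # 16-bit halves kept, bytes inside each half swapped
    "2301": (2, 3, 0, 1),   # 16-bit halves swapped
}


def permute_words(digest: bytes, order) -> bytes:
    """Reorder the bytes inside each 4-byte word of a 20-byte SHA-1 digest."""
    out = bytearray()
    for w in range(0, len(digest), 4):
        word = digest[w:w + 4]
        out.extend(word[i] for i in order)
    return bytes(out)


def digest_variants(code: str) -> dict:
    """All four hex renderings of SHA-1(code), keyed by byte-order name."""
    raw = hashlib.sha1(code.encode("ascii")).digest()
    return {name: permute_words(raw, order).hex()
            for name, order in WORD_ORDERS.items()}


def matches(code: str, stored_hex: str):
    """Name of the byte order under which code hashes to stored_hex, or None.

    The comparison is case-insensitive because the resource string in the
    thread is upper-case hex while most tools print lower-case.
    """
    target = stored_hex.lower()
    for name, hexdigest in digest_variants(code).items():
        if hexdigest == target:
            return name
    return None


def keyspace(length: int, alphabet: str = TIVO_ALPHABET) -> int:
    """Number of codes of exactly this length; 38**7 for Ed's 7-character run."""
    return len(alphabet) ** length


def search(stored_hex: str, max_len: int, alphabet: str = TIVO_ALPHABET):
    """Exhaustive search of lengths 1..max_len; returns (code, order) or None."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            code = "".join(chars)
            order = matches(code, stored_hex)
            if order is not None:
                return code, order
    return None


if __name__ == "__main__":
    # Constructed stand-in for the resource string: a 3-character code stored
    # with each word byte-reversed. 38**3 = 54,872 candidates is instant; each
    # extra character multiplies the work by 38, which is the thread's problem.
    demo_stored = digest_variants("3 2")["3210"]
    print(search(demo_stored, 3))
    print(keyspace(7))
```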



Posted by: markp99

Last night I attempted to "type" special characters from the peanut keypad from search screen. I could not produce a <double quote> using the <pause> key...

I tried several other key combinations, and could not produce any new non-alpha/numeric characters...



Posted by: donvickers

Say, regarding version 3.2 .... has anyone been able to get the code to display to suggestions that are to be recorded?
In previous version it was:

ThumbDown
ThumbDown
ThumbUp
InstantReplay

I think. I can't seem to get it to take in 3.2
Should I keep trying or is it "dead in the water"?



Posted by: mtw2

At least in 3.0, that code requires backdoors to be on.... I suspect it won't work until we get the 3.2 code.



Posted by: gregstoll

subuni - were there any other suspicious-looking resources in the 3.2 update file?



Posted by: DVDerek

Well, it seems we're moving on this. Very nice. However, it also seems that we're either barking up the wrong tree, or they've gotten trickier.

What language is your code written in EdwinOlson? If you post it and there are enough people here to look at it, we may all be able to make suggestions. Once we believe the code to be sufficiently good, we can all run the program with different ciphers, different code lengths, and different alphabets. Break up the key space.

I'm not a great programmer or cryptographer, but I can certainly dedicate a machine and maybe 2 to running the brute force.

~Derek
hoping there are no DMCA enforcers out there...



Posted by: dkroboth

I'll be happy to donate a machine or two to the cause as well.



Posted by: EdwinOlson

I've added some code which I expect to generate spurious solutions every now and then (about one in 4 billion tests).

It just spit one out. It seems unlikely to be right, so don't get your hopes up, but if anyone can try it: "V U J N". That's V SPACE SPACE U SPACE J SPACE N. See? seems unlikely.

Worth a shot, I suppose.

-Ed



Posted by: subuni

quote:
Originally posted by gregstoll
subuni - were there any other suspicious-looking resources in the 3.2 update file?


When I posted that originally, I had only quickly scanned through a handful of ResourceGroups from the swsystem-7507302-53.slice update. That was the only interesting string that I encountered, and with its location similar to the location of the 2.5/3.0 BD's .. seemed like a sure-fire winner.

Looking through a little more in depth, I now see:

% dumpobj -depth 1 /Server/7507324
(.. snipsnip ..)
Id = 1376273
String = {1006 1009 1011 1000 1001 1002 1003 1004 1005 1012 1013 1007 1014 1008 1010 1015}
}
(.. snipsnip ..)

Nothing else out of the ~3000 strings I looked at looks suspicious, though.

quote:
The disassembly of the relevant code that checks for the backdoor code, of course, would be extremely helpful!


I've let Edwin know how he can get a binary of tivoapp for v3.2, in case he knows somebody that feels like disasm'ing it.

BTW Edwin: I love Blisstonia, due to its high levels of Bliss.



Posted by: DVDerek

quote:
Originally posted by EdwinOlson
I've added some code which I expect to generate spurious solutions every now and then (about one in 4 billion tests).

It just spit one out. It seems unlikely to be right, so don't get your hopes up, but if anyone can try it: "V U J N". That's V SPACE SPACE U SPACE J SPACE N. See? seems unlikely.

Worth a shot, I suppose.

-Ed



Sorry... tried and it got nothing.



Posted by: lmurray

Well, for what it's worth.. If I was TiVo, I'd make the string longer, knowing that it would take longer to "match". Anyway, EdwinOlson, if you want to post your latest changes (source code), people can sign up to work all possible character combinations. I'm currently trying all possibilities on 7 letter combos. (Course I didn't catch the post about the quotation mark).

-lloyd-



Posted by: deebo

What happens if you put a drive that was upgraded to 3.2 in a Series 1? That way you could telnet in and look around from bash a little, and maybe have a better idea that you have the right hash?
-David



Posted by: subuni

quote:
Originally posted by MuscleNerd
S1 and S2 are completely different CPU architectures. Nothing would run (or even boot) if you did that.

On the other hand, it may be possible to "mount" an S2 MFS partition from an S1 machine. If that's the case, then you could change the backdoor MFS string as I suggested above to create your own backdoor password. One way of doing this would be to kill all the apps, start up mfsd by hand, and point to the S2 MFS partitions.

Some savvy people out there can probably even mount an MFS partition from their normal Linux boxes.



You could put the S2 drive into a S1 box (as the "B" drive), boot, telnet in, set MFS_DEVICE=/dev/hdb10, get into tivosh, and then try to mls /.. The only doubt I have with that working is the S2 drive being "byte-swapped" compared to what the PPC is looking for. Also, you can "mount" a dd image:

code:
bash-2.02# export MFS_DEVICE=/mnt/nobody/hda10
bash-2.02# tivosh
% mls /
Directory of / starting at ''
Name Type FsId Date Time Size
---- ---- ---- ---- ---- ----
Anchor tyDir 310891 10/24/02 08:56 3336
..snip..


Or, you could also put a S2 v3.2 drive into a Linux box, hexedit the 10th partition, and change the hash that way. I'm 99.99% confident it'll show up as a string in 2, or possibly 3, locations. 1- In the slice file stored in /SwModule, 2- In the ResourceItem (the one we want to modify), and possibly 3- in the icebox. Just search for 5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B, replace it with 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4 (The "3 0 BD" code), pop the drive back in the TiVo, and see if the old code works.

And there are a few other ways (to modify the hash on the S2 drive), but I'll leave those to the imagination of the reader.

I don't have a S2, nor a desire to drop $350 on one (not to find a silly backdoor code, at least). So, I'll leave this for someone with a S2 3.2 that's feeling adventurous.



Posted by: EdwinOlson

The code I used on 3.0 is on my website, http://www.blisstonia.com.

I'm using a descendant of it now which, if anything, is slower because of additional checks it performs. It's for unix boxes with the openssl library installed.

I'm playing with some code to do a distributed attack. FYI, at this point, I've mostly lost hope-- either something's different or they've used a long password, or I've done something wrong. But I'll keep at it for a while just for self amusement. :)

-Ed



Posted by: EdwinOlson

Wow. I just couldn't figure out why I couldn't get objdump to produce meaningful results on tivoapp.

Well, duh, it's not powerpc anymore. :) I'm looking at it now. Hopefully I'll figure it out.

-Ed

PS: thanks to those who've provided me with info or have experimented on their boxes!



Posted by: DarkHelmet

quote:
Originally posted by EdwinOlson
Ideas solicited. I'll keep going, but the next key spaces are gonna take a long time. (38^7 is a big number!.)

Keep in mind that "B M U S 1" is 9 characters (DTivo 2.5.2 plaintext key). Do not assume that it has to be 7 or less.



Posted by: EdwinOlson

That is a long plain text-- I didn't know it before. However, I've long since searched that name space.

In other news, there IS SHA1 code in the tivoapp. All the function calls are done using $gp as the base register, which, unfortunately, I'm not experienced enough with to be able to "trace backwards". In other words, while I've found the crypto code, I'm not sure how to figure out where it's being called *from*. Any suggestions?



Posted by: Otto

Unfortunately it's probably something like "CRACK THIS YOU UNDERGROUND FREAKS" or some such. ;)



Posted by: DarkHelmet

Oh yeah, I bet we are providing loads of amusement at Tivo HQ. "Let's see you brute force this in 10 seconds <evil laugh>".

I wonder if they'll feel sorry for us and give us some hints before somebody finishes disassembling the binaries and decides to use one of the third party tools to edit the string to set it to a known value. Anybody want to bet on whether they changed the way of activating it? eg: enter the text on a different menu, change the key used to activate it (thumbs down, advance or pause vs thumbs up), etc.

Of course, that's assuming the string isn't compiled into the application and the MFS value isn't a decoy...



Posted by: gregstoll

This is a bit of a crazy idea...

But what if, after calculating the hash (presumably SHA1) of the string, the software just checks to see whether the result is "close enough" to the value stored? 160 bits is a large space of results from SHA1, large enough so that there probably wouldn't be any keys of short enough length to practically try that would also be close enough, so they wouldn't be losing anything...

I'll change my checker tomorrow for various definitions of "close enough" (only matches in 19 out of 20 bytes, all 20 bytes are within 1 of the result, etc.) and see if it comes up with anything. Yikes.



Posted by: DarkHelmet

The middle of a loop?? Uh oh. Can you verify whether or not it calls the sha1 hash once only? If it is doing some sort of incremental hashing then that dramatically increases the cost of searching.



Posted by: EdwinOlson

MuscleNerd-

that agrees with what I've found too. But i'm still having trouble following it all- perhaps you can help?

I see the call to the function which grabs a resource item 23552(gp), which I suppose is putting its result at sp+32?. Then there's a call to -23340 with arg0=172(s5). and a call to -18516. I have no idea what they're doing.

Then, I see the outer loop which is iterating over the 5 words of SHA output, and the inner loop which iterates over the 4 bytes in the word.

Inside the loop, there's an unnerving reference to a constant at -32688(gp) and a call to -3632. I don't understand this or the constant 8800 which is being used.

Then it looks like they zero-truncate the string with the sb zero,104(sp), and I'd guess the call to -12116 is the strcmp? I don't see any code that looks particularly like if !strcmp(x,y) backdoors=true-- looks like the test itself might be occurring in function -700?

Then at 0x5e43cc, there's an invalid instruction 0x50400053. Code path looks like it's gonna execute it. What is it for? It's not one of the standard COP instructions.

From here on out, I'm mostly confused.

The function which actually prints "BACKDOORS ENABLED!" is at 6344cc, using resources 0x20213 and 0x20214. I don't see where it chimes 4 or 5 times though; it must be inside one of the other calls. Dunno.

My math makes me think (based on the first few lines of code; it's safe to assume that gp is constant, isn't it?) gp=0x1003bc40. As expected, a bunch of data is loaded in around this address.

Maybe we should start looking at the other functions to see if they make sense/are doing anything iffy.

-Ed



Posted by: EdwinOlson

Thanks for your reply, MuscleNerd. Very helpful.

I don't have time to dive back into this tonight (dang ol' weekend is already over!).

And what a strange way of generating the ASCII sequence! snprintf is such a big hammer for that. It never would have occurred to me :) Explains why I never saw the shifts by 4 that I was expecting to see.

Curious: did you determine that -23340 was strlen by following the code and manually confirming that the disassembly at the target address performed a strlen, or did you have some other way of doing it?

-Ed



Posted by: bsnelson

Soooo.. doesn't this mean we can now apply a patch where the strcmp is called such that its meaning is reversed, meaning that anything you enter EXCEPT the correct backdoor password is accepted?

Brad



Posted by: bsnelson

Ah, duh, the chicken and the egg.

Sounds like we're getting closer, though!

Brad



Posted by: DarkHelmet

In other words, it is a standard boring sha1 hash, just like with 3.0? That then means that we just have a longer search space since all the easy stuff has been checked many times now.

I guess it also means that it should be possible to insert a hash of a known value into that location. But that isn't as convenient as figuring it out.



Posted by: bsnelson

Yes, but at least if you put in a hash of a known value, and it worked, you'd confirm that we're searching for the right thing...

Brad



Posted by: subuni

quote:
Originally posted by bsnelson
Yes, but at least if you put in a hash of a known value, and it worked, you'd confirm that we're searching for the right thing...



Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).

So, Otto probably has the right idea....
quote:
Originally posted by Otto
Unfortunately it's probably something like "CRACK THIS YOU UNDERGROUND FREAKS" or some such. ;)




Posted by: ADent

So which method did you use to modify the hash string? (There were several options listed in one of your earlier posts).



Posted by: EdwinOlson

alright... thanks to subuni, we know it's SHA1 and there's no funny business.

Sadly, that also means that the backdoor password is probably quite long (since I've already searched over most short codes and I'm about half way through 7 characters). If I have some time this week, I'll try to finish my distributed client. Perhaps my code is slow, but 7 characters takes about a day to search. We'll need a lot of CPU! (My goal would be about 38 machines, which would let us do 8 chars in a day plus a bunch of likely longer codes.)

-Ed



Posted by: lmurray

7 chars takes 1 day to finish??? Hell, my 233Mhz linux box is still hacking through 7 chars. (Think the program hung?)

cool. let us know if we can help. I've got a 700Mhz box I can put on the job too.

-lloyd-

P.S. I tried searchpattern("? ? ? ? ? ?") and came up w/ nothing.



Posted by: bsnelson

subuni - YEA!!!!

OK, now into speculation: All of the codes up until now have been short. Why? Because, presumably, it needs to be easy to enter. I think this would rule out Otto's choice. ;) So, perhaps it's now something like "AAAAAAAAAAAAAAAAAAA": Easy to enter, yet long.

Another, almost opposite take: Say TiVo wanted to leave the mechanism to enable backdoors in, but didn't want people doing it. They could, for example, put a completely bogus SHA1 hash in, with the premise of sending a runme or some other update to change it if need be. If this were the case, it would be conceivable that there IS no password, i.e. nothing in the limited character set hashes to that value.

Let's hope for the former... ;)

Brad



Posted by: lmurray

i'm now trying all 8 character solutions on a ~800Mhz box. I turned on the debugging so I can see where I'm at.
(in case anyone else is trying).

-lloyd-



Posted by: barclay

Well, I'm starting 8 characters as well on my dual-proc ~800mhz box.

I think I might throw in my other PCs to the mix as well.



Posted by: Otto

Well, at least we have a worst case scenario for 3.2 units: Someone writes a program to modify that value on the drive directly into a known hash.

If someone wants to be tricky about writing such a thing, here's the hash for "3 2 BC", so as to keep it a little separate (if you like):

115375040a7e5635b2f4afec691a0228c2586a14

quote:
Originally posted by EdwinOlson
alright... thanks to subuni, we know it's SHA1 and there's no funny business.


We also know it's expected endianness now too, BTW. So if you're still checking both, you can probably speed up your code a good deal.



Posted by: bsnelson

OK, I know this must be something stupid, but when I try to make the tivocrack app, I get the following:
code:
[root@fogo tivocrack]# make
g++ -O4 -o tivocrack tivocrack.o -lssl
tivocrack.o: In function `searchpattern_recursive(char *, int, char *)':
tivocrack.o(.text+0x2b4): undefined reference to `SHA1'
collect2: ld returned 1 exit status
make: *** [tivocrack] Error 1


If I "nm" the libssl.a, I get:

code:
[root@fogo openssl-0.9.6c]# nm /usr/local/ssl/lib/libssl.a | grep SHA
 U SHA1_Final
 U SHA1_Init
 U SHA1_Update


Ideas?

Brad



Posted by: bsnelson

OK, maybe this is a difference in OpenSSL versions, but I had to use "-lcrypto" in the Makefile instead of "-lssl". Works fine now!

Brad



Posted by: StanSimmons

If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.



Posted by: lmurray

OK. I hacked on the code a bit this morning. I didn't want to output which string I was comparing every time because it slowed the process down. I added code to print out which code you are on when you press control-c (signal handling).

Anyway, if someone wants it, PM me.

I used gcc -lssl tivocrak.c to compile.

-lloyd-


at ABQHI5Q" in all possible 8 char combos. :)



Posted by: bsnelson

OK, now that I've got it goin'...

I've tried all of the characters in the ALPHABET[], plus double quote and space, in strings of lengths up to 18 (e.g. A, AA, AAA, AAAA... B, BB, BBB) and no dice (though I didn't think it would be that easy).

Anyone want to split some of the bigger spaces?

Brad



Posted by: TreborPugly

Isn't there a way to enter an Asterisk "*" in wishlists? That isn't normally used in search by title, but it still may be possible to enter one. Should that be a possible character in your search string?

Treb.



Posted by: barclay

quote:
Originally posted by StanSimmons
If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.


I've attached a version I cobbled together to this post.

You'll need DevStudio to compile it, and will need to modify START_AT to pick a different start string for each machine and THREADS to match the number of processors for each box.

I'm working on tidying up the code that picks what thread is going to work on what so I can have it work across machines. If someone else decides to work on it, please PM me so we're not wasting each other's time.

Edit: Updated the source code
Edit: Deleted attachment. See here for the latest.



Posted by: DVDerek

quote:
Originally posted by StanSimmons
If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.


I agree. I'm not a C programmer. I'm more of a scripter. So porting to Win32 is not my style. If someone did it though, I could run it night and day on a 1.4GHz, and an additional midrange machine or two at work. I have no access to *Nix boxes.



Posted by: DVDerek

quote:
Originally posted by barclay
I've attached a version I cobbled together to this post.

You'll need DevStudio to compile it, and will need to modify START_AT to pick a different start string for each machine and THREADS to match the number of processors for each box.

I'm working on tidying up the code that picks what thread is going to work on what so I can have it work across machines. If someone else decides to work on it, please PM me so we're not wasting each other's time.



Wow. Ask and ye shall receive, huh? I will give it a shot when I get home tonight. If you get this working across different machines, then it'd be AWESOME if we could get a pre-compiled version that takes command line arguments. We could get many more people running it this way.

Thanks for the work!



Posted by: tarman

quote:
Originally posted by DVDerek
Wow. Ask and ye shall receive, huh? I will give it a shot when I get home tonight. If you get this working across different machines, then it'd be AWESOME if we could get a pre-compiled version that takes command line arguments. We could get many more people running it this way.

I would be on it in a heartbeat!


Thanks for the work!





Posted by: lmurray

if anyone cares, the tivocrack code from Edwin Olson works in cygwin under windows (along w/ the hacks i've made).

-lloyd-



Posted by: tarman

quote:
Originally posted by lmurray
if anyone cares, the tivocrack code from Edwin Olson works in cygwin under windows (along w/ the hacks i've made).

-lloyd-



Thanks for the info Lloyd, but some of us have the equipment and the time to do a simple install and run, but do not have the Linux experience to do this (nor the time to learn how).

So, if we had access to a windows exe that we could fire off from a command prompt then we could add a lot of compute power to the fray :D

Tom



Posted by: gregstoll

quote:
Originally posted by lmurray
OK. I hacked on the code a bit this morning. I didn't want to output which string I was comparing every time because it slowed the process down. I added code to print out which code you are on when you press control-c (signal handling).

Anyway, if someone wants it, PM me.

I used gcc -lssl tivocrak.c to compile.

-lloyd-


at ABQHI5Q" in all possible 8 char combos. :)



I have a version that I wrote similar to this. Working on 8 character combos now.

Don't forget, might as well compile with -O3 to get a tiny performance boost! :-)



Posted by: bsnelson

Guys, at the very least, we should vary our alphabets, or at least the order, when searching these eight character spaces. I have a PIII/600 and a dual processor PIII/500 that I can run stuff on; I've modified the tivocrack program to optionally take an alphabet as an argument, and I'm currently running:

code:
[1]- Running ./tivocracks "BDMUSTIVO3210ACE" &
[2]+ Running ./tivocracks "ETAOINSRHLDCUMFPG0123 " &


The first is just a bunch of likely characters that have been previously discussed. The second is the first 17 letters plus some stuff from a letter frequency deal on a Google search (hardly scientific).

No hits yet...

Brad



Posted by: StanSimmons

Guys,

I have access to about 60 1.8GHz Win2K machines that I can run this on. I can't make large changes on these machines so I can't load Cygwin, but I can easily run a Win32 executable with some command line arguments on all 60 machines. If the input/output could be piped from/to a file, that would be good.

What I don't have is the time to install a compiler and compile the program.



Posted by: bsnelson

barclay, am I correct in seeing that your Windows version tries up to 20 character passwords? If so, maybe we should cut it down some; surely it's not that long!

Stan (and anyone else): I have a version of the Windows program that accepts an alphabet and a start_at string (both optional) from the command line. I haven't tested it much, but aside from the args, it does only what barclay's program does, nothing more, nothing less. PM me for the location..

Brad



Posted by: EdwinOlson

I suggest using Cygwin to run tivocrack on Windows. Remember if you have multiple processors, you'll need to run 1 instance per processor.

I plan to post my new version tomorrow, which should support distributed coordination. Wee :) There's a bunch of other useful stuff, like progress reporting that doesn't completely suck.

Otto- I've turned off all but 0123 and 3210 endian checks in my code; the endianness checks are actually very cheap, and I don't trust myself enough to pick just one :)

-Ed



Posted by: barclay

Alright, this should be interesting.

Attached is a win32 command line executable. Just run it to begin cracking.

- It's just a command line program, so there's not much in the way of fancy graphics .. sorry.
- If you have a multiproc box, run it with the number of threads you want created, i.e., "TiVoCrack 2" will create two worker threads.
- It requires a connection to the internet. Basically, Internet Explorer needs to be able to load web pages (I'm using the Windows Internet API), so proxies will work.
- When you get bored and want to reclaim your system, just hit Ctrl-C to have it gracefully shut down.
- If someone requests a workload and doesn't finish it within 24 hours, it'll be put back in the queue
- It leaves behind a log.txt file of anything it spews out, feel free to delete it.
- As it's running on a work load, it'll spit out the current string it's trying once every ten minutes. Otherwise, there's no progress meter, so don't expect much.
- Once someone finds a match, the server will have everyone's client shut down (and I'll think about letting everyone know what that match was :) )

And finally, please bear with me. I've tested this on a few machines, but I have no clue how crazy it'll get when people start using it for real.

Go here for the latest version.



Posted by: gregstoll

barclay - this is maybe a bit much to ask, but does it run on Linux? I've got my own stuff running but I'd rather be part of a distributed effort...



Posted by: barclay

Well, there are two things preventing a *nix version

- Threads
- The Windows Internet APIs

I can make a single threaded version (mostly the issue is I don't have ready access to a Linux box, only BSD). The fact I cheated and used the Windows Internet APIs is probably the bigger deal. I'll have to actually do some of the legwork and use winsock like a real programmer.

I'll probably do it, but it might actually be better for EdwinOlson to talk to me. If he can modify his app to talk to my server (which is just a webserver), then all the *nix folks can just keep using his app and still join in the fun.



Posted by: lmurray

I'd suggest a solution that could run on many platforms (if we stick to ANSI C/C++ we can do this). Cygwin is a solution for Windows, and the install can just include the cygwin.dll. This code could also easily run on Mac OS X.

and a suggestion for the server is that the progress be public (via the web) so we can see where we're at.

Anyway, barclay, when i run the code, i get:

10/29/2002 19:25:59: TiVoCrack 1.1 started
10/29/2002 19:25:59: Getting the next work load
10/29/2002 19:26:05: 10/29/2002 19:36:05: 10/29/2002 19:46:04: 10/29/2002 19:56:04: 10/29/2002 20:06:04:

it doesn't seem to print out the code it's working on. is this right? I'm running this under win98se.

thanks,
-lloyd-



Posted by: barclay

Nope that's not right. When it's run you should see something like:

code:
10/29/2002 17:32:42: TiVoCrack 1.1 started
10/29/2002 17:32:42: Getting the next work load
10/29/2002 17:32:47: [QU46AAHA]


If you want, you can PM me with your IP next time it claims to be getting a work load, and I'll see if it's just a UI bug, or something else.



Posted by: FUBAR

This is what i'm getting

10/29/2002 20:45:38: TiVoCrack 1.1 started
10/29/2002 20:45:38: Getting the next work load
10/29/2002 20:45:44: [WBR"AAIA]
10/29/2002 20:55:44: [CF4V1DIA]



Posted by: DarkHelmet

quote:
Originally posted by barclay
Well, there are two things preventing a *nix version

- Threads
- The Windows Internet APIs


Just post code and the problem will take care of itself. :)



Posted by: barclay

quote:
Originally posted by bsnelson
barclay, am I correct in seeing that your Windows version tries up to 20 character passwords? If so, maybe we should cut it down some; surely it's not that long!


Sorry I missed this post earlier.

It doesn't try 20 characters (that number has been bumped up to 30, btw). That's when it'll give up. It starts at one character, and then goes to two, and so on.

Right now, the current version is working on 8 characters.

I think it's a safe bet that people will stop running the app out of frustration before it hits the 30 character limit :)


And to those that asked for it, the updated source code is available in my earlier post.



Posted by: bsnelson

FUBAR, it looks like you are running OK...

Brad



Posted by: barclay

Indeed. It appears to be a win98 problem.

I'll dig around on groups.google.com and see if I can figure out what I'm missing.



Posted by: wallace

Well, I won't begin to understand a fraction of what you guys are talking about to break this code but I am always willing to help out when I can. I don't have 3.2 myself but at least this is something I can do to help the community. Barclay, it is off and running and for once my CPU is at max utilization :D



Posted by: tarman

Barclay,

Does it go out on port 80? I will be running it behind a firewall on a couple of machines tomorrow and I need to make sure it gets out OK.

Running fine on 1.4GHz Dell system.

Does it report when it goes to a new length?

What is the 10 minute report?

Thanks,

Tom



Posted by: lmurray

barclay,
Is there a way that us unix/linux people can manually work on this? I'm assuming that you're dividing the search pattern between machines, using a full alphabet.

just a thought,
-lloyd-

how many cpus are we gonna need to crack this thing if it's 20 chars long?



Posted by: bsnelson

1 hour, 40 minutes per workload on an Athlon 900Mhz, set to BelowNormal priority, with some light surfing going on...

Brad



Posted by: barclay

quote:
Originally posted by tarman
Does it go out on port 80? I will be running it behind a firewall on a couple of machines tomorrow and I need to make sure it gets out OK.


Yep, it runs on a normal web server on port 80. It should even work through caching proxies since every query to the server is unique.

quote:
Does it report when it goes to a new length? What is the 10 minute report?
It'll report the length of string it's working on. More precisely, every 10 minutes it spits out the last string it checked. So right now everyone is seeing 8 character strings reported every ten minutes (except for the win98 people). When we finish with this they'll just start being 9 character strings.

quote:
Originally posted by lmurray
is there a way that us unix/linux people can manually work on this? I'm assuming that u'r dividing the search pattern between machines, using a full alphabet.
I'm a bit wary of making a manual web page where people can enter batches they're working on by hand; too much can go wrong. If someone wants to add support to a unix client to query the page for results, let me know (or just figure it out from the source code). It's just a matter of loading a specific URL and dealing with the one line of text it responds with.

quote:
how many cpus are we gonna need to crack this thing if it's 20 chars long?
A lot. My server will scale to a big number of clients, but I doubt we'll see enough people willing or able to run this app in this forum if it's 20 characters long.

In the end, this is all really frustratingly futile. If we do discover it, TiVo will just make it a few characters longer next time and we'll be really screwed. But, hey, it's fun to try :)



Posted by: DVDerek

quote:
Originally posted by barclay
Allright, this should be interesting.
Attached is a win32 command line executable. Just run it to begin cracking.



AWESOME! I've got it running on my 1.4GHz machine now. I'll run it on 2-3 more at work tomorrow. Will we be able to tell whose computer cracked it (if it eventually does) by an IP address or something? It'd be fun!

Hopefully it'll be <= 10 characters. If not, we'll have to consider limiting the alphabet or something. I'm going to try and get "Non Tivoers" to help out with their CPU Time as well.

Just curious... how does it decide who to give what workload to? How long until a workload times out and is given to a second machine? Do you have a way of seeing what workloads have not yet been reported back?

Thanks,
Derek



Posted by: JoeltheTiVoFan

I've started doing my part by having my machine run the distributed program. I seem to have the workload that has 8-character attempts ending in "XA" I am on "****TPXA" right now, after 1 hour, 10 minutes.

I may have to stop it when this workload ends... the right way for TiVo to have dealt with this problem is to leave the backdoor code as plaintext in the binary. Therefore, it would have been easy for us to find without TiVo incurring some liability by officially giving it to us. Truthfully, those backdoor codes make at least some of us very loyal users. Make it too hard to get to the backdoors, and other options might look more interesting.

A good technical company should provide a 'wink-wink-nudge-nudge' to the "friendly hacking community" (those who don't try to steal service, and always legally pay for anything they use, but like 'fiddling' with the products they buy).

-Joel



Posted by: markp99

Crunching here too...

up to: [66MI9Q9A]



Posted by: drosoph

FUBAR, ... I started at [WBR"AALB] ...
Barclay, ... How are these distributed chunks broken up ????



Posted by: barclay

Each chunk is six characters of work. I.e., everything xxxxxxAB is a chunk. The chunk letters are given out in order (exception: see below) so that xxxxxxAA is handed out, then xxxxxxBA, eventually on to ...AB, and so on. When the two letter combinations are exhausted (which will happen with <space><space> .. I'm being thorough), it'll move on to ..AAA, and onwards. I hope that made sense.

A chunk has 24 hours after it's handed out before it's thrown back in the queue at the top.

And yes, I'll know the IP address and time of the result when the matching entry is found. Don't worry, I won't post the IP address, probably just the last quad so someone can take credit.

And if anyone's interested, so far I've received 24 completed packets, each taking an average of 1 hour 23 minutes to complete. Oh, and someone beat my dual-proc record of 1:00:06 by one second. Darn it :)



Posted by: StanSimmons

Any chance of making it a service that I can leave loaded without leaving the machine logged in?



Posted by: JoeltheTiVoFan

The log gives me a feeling that it got through most everything in *****XA

...the last entry in the every-10-minute log is 26RAW<space>XA


...now I am just sitting there...

I would think I'd get another chunk to run or something...

I've included the log file..

-Joel



Posted by: barclay

JoeltheTiVoFan, I'm guessing by the time I post this everything is okay.

The UI thread is the one responsible for making the request for the next chunk, and it'll do that when the worker thread is done. As the log sits, the worker thread is likely done, and just waiting for the UI thread to wake up at 21:47:08 and do its thing.

It's a bit wasteful, but in the grand scheme of things, it works :)



Posted by: JoeltheTiVoFan

Thanks!

-Joel



Posted by: EdwinOlson

Humph. My distributed client is almost done. Wish you'd said you were working on one. Actually, mine is currently working, but it needs a bit of cleanup before I subject other people to it.

We're both insignificantly into the 8 char keyspace. Here's the question(s)-

Shall we take a day to combine our results? Have your windows code talk to my server, or vice versa? i.e., you provide windows clients, I provide linux clients? Perhaps our code can cross pollinate (or are you using mine? I dunno?)

My backend implementation sounds like it might be a bit more hard core than yours, but you were short on details :) I'm using a MySQL backend with an eye towards supporting real-time stats via the web... Like you, I'm using HTTP for data transport.

Or, we could stay independent and verify each other's results. Probably silly.

What do you think?

-Ed

PS: If any of you want to play with my code, it's here: http://eolson.dyndns.org/dtc/dclient.tgz. After building it, you run it with "./dclient http://eolson.dyndns.org/dtc/getwork.php YOURUSERNAME"

Please note that this is purely for feedback/debugging, and I plan on throwing away any completed blocks some time tomorrow. Also, you may notice ludicrous amounts of debug messages. Those will go away.



Posted by: subuni

quote:
Originally posted by ADent
So which method did you use to modify the hash string? (There were several options listed in one of your earlier posts).


Since I already had the drive in my PC (making a virgin Series2 backup image), I hexedit'ed the /dev/hda12 ("MFS App Region 2") partition. On non-80 hour units, it may be in /dev/hda10 -- I can't say since I haven't seen a non-80 hour unit.

There were two occurrences of the hash I had posted on the first page of this thread (As I had anticipated -- One was in the slice file in /SwModule, while the other was a ResourceItem -- the one that matters). I changed both to the known hash from 3.0, popped the drive back into the TiVo, and was able to enable backdoors. If there is enough demand, I can easily write a little patch program to automate the hash change. It would require pulling the drive to a PC, however.
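
The patch program subuni offers to write, as an added example that is not subuni's code (none was posted) and not part of the thread. It does against a raw partition image what subuni did by hand in a hex editor: locate every occurrence of the current hash, insist on exactly the two subuni reports (the /SwModule slice copy and the ResourceItem copy) so a stray match is never overwritten, and replace both with the 3.0 hash quoted in this thread. Assumptions: the hash is stored as its 20 raw bytes (if the image keeps it as 40 ASCII hex characters, the same functions work on that text form), and the "current" hash below is a constructed placeholder, not the real 3.2 value, which this page does not reproduce.

```python
import mmap

# The 3.0 hash subuni patched in (quoted in this thread).
NEW_HASH_HEX = "5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B"
# Placeholder standing in for the 3.2 hash; constructed for this example only.
PLACEHOLDER_OLD_HEX = "0123456789ABCDEF0123456789ABCDEF01234567"


def find_all(image, needle):
    """Byte offsets of every occurrence of `needle` in `image` (works on bytes or an mmap)."""
    offsets, start = [], 0
    while True:
        i = image.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def patch_hash(image, old_hex, new_hex, expected=2):
    """Replace every copy of the 20-byte hash `old_hex` with `new_hex`.
    Refuses to touch the image unless exactly `expected` copies are present,
    so a partial or unexpected match can never be half-patched."""
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    if len(old) != 20 or len(new) != 20:
        raise ValueError("SHA-1 digests are 20 bytes")
    offsets = find_all(image, old)
    if len(offsets) != expected:
        raise ValueError(f"expected {expected} occurrences, found {len(offsets)} at {offsets}")
    buf = bytearray(image)
    for off in offsets:
        buf[off:off + 20] = new
    return bytes(buf), offsets


def patch_file(path, old_hex, new_hex, expected=2):
    """Same check and replacement, but in place on a real device or image file
    via mmap, so a multi-hundred-megabyte MFS region is never read into memory."""
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    with open(path, "r+b") as f:
        mm = mmap.mmap(f.fileno(), 0)
        try:
            offsets = find_all(mm, old)
            if len(offsets) != expected:
                raise ValueError(f"expected {expected} occurrences, found {len(offsets)} at {offsets}")
            for off in offsets:
                mm[off:off + 20] = new
            mm.flush()
        finally:
            mm.close()
    return offsets


def make_sample_image(old_hex):
    """Constructed stand-in for a partition dump: filler plus the two copies subuni describes."""
    old = bytes.fromhex(old_hex)
    return (b"\x00" * 512 + b"/SwModule slice " + old + b"\x00" * 1024
            + b"ResourceItem " + old + b"\xff" * 256)


if __name__ == "__main__":
    image = make_sample_image(PLACEHOLDER_OLD_HEX)
    patched, where = patch_hash(image, PLACEHOLDER_OLD_HEX, NEW_HASH_HEX)
    print("patched offsets:", where)
    # Against a real dump: patch_file("/dev/hda12", <3.2 hash hex>, NEW_HASH_HEX)
```

Run the bytes-based version on a copy of the dump first; if it reports anything other than two hits, the stored form or the hash value is not what was assumed and nothing has been written.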



Posted by: barclay

I think we both said we were working on this sort of thing near the same time :)

I'd be happy to have my client talk to your servers. My server is proven, and I'm proud of it. But if you have some sort of stat pages ready as well, yours is probably more useful.

As far as source code similarity: I tried to migrate your code over to compile cleanly on Win32 (without cygwin), but I quickly gave up. What's running is from scratch. Comparing the two is about as much fun as comparing any Win32 and Unix program.

I'll email you to see if there's some way I can trick my server to act as a dummy to talk to yours just so I can minimize client turn-over.

Edit: Fix typos, and made the post make sense.



Posted by: bsnelson

Well, you guys are the masterminds of this operation, but I can say, for me, there's value in having both *nix and Windows. I have access to the following (mostly sad) machines for the search:

900Mhz Duron - Windows
600Mhz PIII - Linux
500Mhz dual PIII - Linux
400Mhz PIII - Windows
350Mhz PII - Windows

So I've got 1.6Ghz of Linux and 1.65Ghz of Windows. ;)

yes, I know, it's comparing apples and hammers...

Brad



Posted by: mstroh

Thanks, I've got it running on two of my computers. (a 600 MHz Xeon [Win98SE] and a 2.2GHz P4 [WinXPPro]).

One problem, my XP system seems to be locking up. I am also running the United Devices program, should I turn this off in the mean time?

Also, can the computer be restarted without a problem with the Tivocrack program?

On a side note, I'm a long time lurker and finally found a way that I can help.



Posted by: EdwinOlson

A little compute can go a long way :) Join one and all, I say!

I believe both barclay's code and my code will deal fine with hosts rebooting (and abandoning work units). (I'm sure mine can, at least. :)

FYI: i just fixed a stupid little bug in my code that would cause the server to reject blocks (cuz it thinks you're trying to confuse it!), so if you downloaded the code before 2AM, grab it again please.

Sounds like barclay & i are going to collaborate on handing out blocks. Very cool... windows and linux working together.

-Ed



Posted by: bsnelson

OK, EdwinOlson, I have my "big" (ha!) Linux boxen running your code now, once on the 600Mhz and twice on the dual 500. All three appear to be chewing vigorously...

Brad



Posted by: tarman

Guys,

From previous releases it seems that the code has always been single or double characters separated by SPACEs.

Should we not be concentrating the compute power on sequences that include SPACEs. (Maybe we are?!?)

Just a thought,

Tom



Posted by: markp99

My later batches have had spaces distributed through the 8char string...



Posted by: lmurray

has the 7 character space been fully checked ?



Posted by: DVDerek

Subuni... I can't believe no one's asked yet but.... Have you noticed anything new/different/cool in 3.2 with backdoors enabled? Also, from what you said earlier about which strings you replaced, it seems apparent that we STILL aren't sure which one it is (since you replaced both strings). Is this true?

It'd be a big bonus if you could get your servers co-operating in handing out blocks. Stats are cool, but unnecessary. I guess it'd be cool if barclay's server could report results to Ed's but it's more important to have them coordinate on what blocks to give out!

Please let this thing be less than 10 chars!

Gonna get barclay's code running on 2-3 more machines today.



Posted by: TK-421

Just added my 667 at work running on Win2k.. let's hope for the best.



Posted by: EdwinOlson

To whoever asked: I am concentrating on search spaces containing spaces. And the 7 char space is finished.

I have a release candidate here:

http://www.blisstonia.com/dtc

Please kick the wheels. At this point, I do not expect to have to throw away any blocks, and we're already searching portions of the 8 char space. In fact, there are 4 of us already running it!

While this version passes "internal quality control", there will doubtless be a revision to the client sometime tomorrow afternoon. It will probably only be cosmetic changes, but no promises! (Users tend to find bugs, damn them!) So, if you want to install this version, Super! But if you only want to install the code once, wait until tomorrow afternoon.

Please let me know how it goes!

-Ed

PS: I'm not worrying about windows clients at the moment. I think the plan is for barclay's client to talk to my server, but it hasn't happened yet.



Posted by: barclay

Indeed, that's looking like the plan. I'm talking to Ed, and will probably begin working on modifying my client to talk to his server, so there might be a new version today or tomorrow.



Posted by: dkroboth

Is there any way to pause the Windows version? Running it is causing some problems with another CPU intensive process I have to run very infrequently. So, if I want to use that program I need to pause tivocrack for about 15-30 seconds.

Dan



Posted by: bsnelson

OK, I'm running as full-bore as I can - I've got all suitable Windows boxen running barclay and suitable Linux running EdwinOlson (I don't consider my PI/133 firewall and 386/40 backup firewall to be suitable! ;))

Crackin', crackin', crackin'... keep those crackers crackin'!

Brad



Posted by: jDot

This is my first post; I've been lurking for about a year. Anyway....
I noticed that the various alphabets used so far are all missing the asterisk '*'.

Am I off base here or should we be including it?

BTW I was well into 7 char search (with * included) when we had a power glitch. I'll keep plugging.



Posted by: barclay

I might look at adding that as an option eventually (but probably not in time for the next release).

In the meantime, you can bump down its priority using Task Manager in Windows NT/2K/XP. Hit Ctrl-Shift-Esc, go to Processes, find TiVoCrack, and right click on it. Change the priority to Low, and ignore the warning. You can leave it at this priority, so it doesn't get in the way of your system when you're doing something else.



Posted by: bsnelson

quote:
Originally posted by dkroboth
Is there any way to pause the Windows version? Running it is causing some problems with another CPU intensive process I have to run very infrequently. So, if I want to use that program I need to pause tivocrack for about 15-30 seconds.

Dan

Dan, what Windows flavor are you running? In the NT family, you can set the priority with the task manager; I set my barclay to "BelowNormal" after starting it, and it seems to work fine, and my machine is just as responsive as it always is.

Brad



Posted by: Jonathan_S

I just kicked a few of linux boxes into working on EdwinOlson's client.

2 dual 533s and a dual 750.



Posted by: rbiro

A while back I read that DevStudio compiled apps by default using a sub-par heap manager while a better one is sitting idle.

Somewhere in TivoCrack's environment add:

set __MSVCRT_HEAP_SELECT=__GLOBAL_HEAP_SELECTED,1

Most likely, just put it in the global environment and apply. Then restart TivoCrack under the new environment.

The explanation:
Configuring VC++ Multithreaded Memory Management



Posted by: dkroboth

quote:
Originally posted by bsnelson
Dan, what Windows flavor are you running? In the NT family, you can set the priority with the task manager; I set my barclay to "BelowNormal" after starting it, and it seems to work fine, and my machine is just as responsive as it always is.

Brad



Win2K. Excellent. That works. It shocks me the crap I have no idea how to do in Windows (worked on Unix boxes almost exclusively until about 5 months ago.) I just hope I didn't munge anything up by ^C the TiVoCrack I was running earlier. I didn't want to have to explain that I wasn't getting work done because I was running TiVoCrack. :)

Dan



Posted by: EdwinOlson

How do you enter a '*' on the remote?

-Ed



Posted by: DVDerek

Ed and Barclay:

What alphabets are you both working on? I hope you're using the same alphabet.

At what point do we give up on a full alphabet crack and target characters we have reason to believe are in there.

What about a "known-plaintext" attack on "BC" or "B C" or something like that?



Posted by: quadra

Ok, For those us fortunate enough to not be running Redhat.. there are some fixes to help compile dclient on other distributions of linux and even BSD. So here goes...

In Makefile, line 8:
Change: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypt -mhash
To: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypto -mhash

For BSD systems..

In tivocrack.cpp

Change:
#include <netinet/in.h>

To:

#include <sys/types.h>
#include <netinet/in.h>


In: SSocket.h

Change:
#include <sys/socket.h>

To:
#include <sys/types.h>
#include <sys/socket.h>



Posted by: EdwinOlson

I'm currently using [A-Z][0-9]<space> and planning on adding " and possibly * (if that can actually be entered) in the next experiment.

I've searched the alphabet "TIVOBDAC320<space>" (plus a couple other letters, I can't remember) up through length 8+. We may try again now that we have so much more CPU power!

-Ed



Posted by: jDot

IIRC Asterisk is entered with the 'slow' button



Posted by: bsnelson

OK, I don't know if it's different on the new boxes, but I just went to "Search By Title" on one of my DTivos running 2.5.2, and here's what I found:

20 characters max
Only possible characters are A-Z, 0-9 and space
It is NOT possible, in this screen, to enter an asterisk or a (double) quote (although you CAN on wishlists)

So, it seems to me that the canonical alphabet would be:

"ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"

Now, I suppose it's possible that TiVo's gotten tricky on us and moved the backdoor entry to the wishlist screen, but come on, what are the chances?

Brad



Posted by: markp99

Also, are we sure about the final "thumbs-up" keystroke to enable??



Posted by: colemanr

quote:
Originally posted by subuni
Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).

So, Otto probably has the right idea....



Based on the post quoted above, nothing has changed with regard to where or how to enter it.



Posted by: lmurray

EdwinOlson,
dclient works well under cygwin. I added -lcrypto to the Makefile.

-lloyd-



Posted by: TreborPugly

Has anyone who has actually looked at the 3.2 code and/or replaced the hash string tried hash strings for some entry other than "3 0 BC", or verified that the code which checks this entry always does the same thing?

I could come up with many easy code changes that would make it appear that the entry code and hash are handled the same as they are in 3.0, but really handle them differently.

For example, they might use the old process if you enter a 6 character code, but for a 7 character code do something different like reverse the order first, or some other transformation.

A quick check for something like this, (if you can't verify it in the source code) might be to enter the hash table for some known codes of different length, and verify that they work to turn on back doors.

We are hypothesizing that Tivo decided to do a longer code, really for the only purpose to slow down the discovery of that code. However, what would be their purpose in this? If all they do is increase the time slightly before the back door code is generally known, why bother? If, however, they wish to actually make it much less likely that the code would be discovered, their only choice would be to some how change the encryption/authentication routine.

So here are the scenarios as I see them:

1. Ed and Brad have appropriate test code, with a sufficient alphabet, and Tivo has just increased the pass-code length. (unlikely, since what is in it for Tivo other than a few more weeks before the code is found)

2. Ed and Brad have appropriate test code, with an insufficient alphabet, and the Tivo pass-code is <8 characters long (only possible if *, ", or others do work in search by title on version 3.2. I have 3.2, and I'll try to make other characters tonight)

3. We have a sufficient alphabet, the Tivo pass-code is still short, but the test code is no longer appropriate. (how likely?)

4. We have a sufficient alphabet, the Tivo pass-code is now longer, and the test code is no longer appropriate. (how likely?)

5. We have an insufficient alphabet, the Tivo pass-code is now longer, and the test code is no longer appropriate. (God, I hope not)

My instinct, given the early failures is that TiVo has done something to make it less likely that we discover the code. Can anyone who knows better shoot down my theory? I didn't pay attention to how long it has taken in the past to discover the code, so maybe I'm just expecting results too soon?

Treb.



Posted by: tarman

Barclay,

Please put the "......KJ" group back into the pool. My machine crashed while running it and upon restart, it grabbed a whole new set, leaving this set unfinished.

Tom



Posted by: DarkHelmet

quote:
Originally posted by TreborPugly
Has anyone who has actually looked at the 3.2 code and/or replaced the hash string tried hash strings for some entry other than "3 0 BC", or verified that the code which checks this entry always does the same thing?


Yes. Read a few pages back. If you insert the value for a known plaintext, then it works as expected. There is even a screen capture posted showing that it works.

So that means we know it is on the right page. We know what the worst case dictionary is (alpha + numeric + space), the maximum length (20 chars), the byte swapping etc.

All we need is the key. :)



Posted by: bsnelson

I think what Trebor was saying was that we should generate some other hashes and verify them, varying the length and content, e.g.

32BC
B D 3 2
AAAAAAA
BACKDOOR

If we generated hashes for all of these, and tried each one in turn in the same manner that "3 0 BC" was verified, we could be fairly sure that they aren't pulling any monkey business on us, on top of the SHA1 hash.

Man, don't you know there's a continuous wave of laughter in Alviso right now over all of this...

:)

Brad



Posted by: DVDerek

quote:
Originally posted by tarman
Barclay,

Please put the "......KJ" group back into the pool. My machine crashed while running it and upon restart, it grabbed a whole new set, leaving this set unfinished.

Tom



As I understand it, that set will time out eventually and the server will give it out to someone else. No worries.



Posted by: Tonybeans

It's lost on me why TiVo wants to hide this so badly.

They include it in the software, they know we want it, they don't really care if we use it, and once it's found it's not rocket science for any web-savvy user to get the code from sites like this. Why can't they just leak it and let us get back to the "features" we've come to expect from backdoors?

Regardless, I'm sure I speak for thousands when I say thanks for your hard work!



Posted by: TreborPugly

quote:
Originally posted by DarkHelmet
Yes. Read a few pages back. If you insert the value for a known plaintext, then it works as expected. There is even a screen capture posted showing that it works.




The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.

Treb.



Posted by: dkroboth

quote:
Originally posted by TreborPugly
The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.

Treb.



That seems unlikely, because the 3 0 BC was tried by others before the replacement method was tried. There has been independent verification of the replacement method, right?

Dan



Posted by: DVDerek

It's a bit unsettling how long 8 character search seems to be taking. There have to be 50+ machines running this by now. I knew it'd be an expensive search, but wow!

My point is... should we consider limiting the alphabet and searching through a length of like 10 characters with that before we do the exhaustive search?

Also, I am concerned because earlier SubUni indicated that he replaced two strings with the old "known" hash from 3.0 and got backdoors enabled (at least that's how I understood it) because he wasn't sure which one it actually was. Are we checking against both strings or just the one we ASSumed was the correct string? Am I missing something here?



Posted by: gregstoll

quote:
Originally posted by dkroboth
That seems unlikely, because the 3 0 BC was tried by others before the replacement method was trieded. There has there been independent verification of the replacement method, right?

Dan



Plus they looked at the assembly code and there didn't seem to be any funny business. Although it wouldn't hurt to try...



Posted by: dkroboth

Also, and this is kind of a dumb thing, but have we checked and made sure the distributed clients would pick up the 3.0 code from the hash? I realize that this code came from that crack program, but has it been checked that those still work?



Posted by: barclay

I can't speak for EdwinOlson's version, but my version was initially run with the 3.0 hash, and it found it (rather quickly too :)

Fwiw, I'm nearly done with an updated version of the Windows client that talks to EdwinOlson's server. It should be ready in a couple of hours. (Actually, it's done now, I'm just verifying that it works by running a work unit myself first).



Posted by: Otto

quote:
Originally posted by bsnelson
I think what Trebor was saying was that we should generate some other hashes and verify them, varying the length and content, e.g.



Well, I see nothing to suggest they were *that* tricky about it, but if someone is bored enough to give it a shot...

32BC - e69916b31b2c8bd2108244af69a927305dbda1ee
B D 3 2 - 182fc6d19730e5765bb725b232be8e7659e34f5b
AAAAAAA - 9d86b2f92692cce63fd890b939c85e80859ccc15
BACKDOOR - 389dd8d6e5d37ccb8f532a989c59baa782a5d794



Posted by: GBL

On my PC one set takes about 1 hour to go through. Given that and that there are 38*38 sets (=1444) it would take 50 PCs about 29 hours to crunch through (if my math is correct).

barclay, what do your server stats look like? Can you confirm the effort?



Posted by: Otto

quote:
Originally posted by DVDerek
It's a bit unsettling how long 8 character search seems to be taking. There have to be 50+ machines running this by now. I knew it'd be an expensive search, but wow!


Expensive isn't even the right word for it. If the character set is A-Z,0-9,Space then the total possible combinations of 8 characters is 3,512,479,453,921. Three and a half trillion possibilities.

Total possible number of 7 characters is only 94,931,877,133, about 95 billion entries. Every character you add = 37 times as long to search the keyspace.



Posted by: tarman

One more idea. Since the previous codes have been of the form "x...x xx" or "x....x x", would it not be a good idea to parcel out the "xxxxxx A", "xxxxxx B", ... groups first? I know the groups being done now cover the "xxxxx xx" cases (although only a few per assigned test group), so maybe one of the "experts" could dedicate a special program version that tests all "xxxxx xx" cases first.

Tom



Posted by: Otto

tarman: The obvious cases are easier to test, and mostly already tested independently. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.

You can name any case you like this way, only the number of changeable characters is what controls the number of possibilities. And all the most obvious cases are under 6 changing characters.

An exhaustive search is the last resort, really.



Posted by: bsnelson

I think we'll have the whole 8 character space done before long. One of my barclay runs is servicing the xxxxxxJK space currently (his version reverses the order of the search, i.e. xxxxxxAA, xxxxxxBA... xxxxxx9A, xxxxxxAB etc.), so we should be getting close to halfway. That's checking EVERY combination of eight with letters, numbers, space and even the double quote.

It's if we don't get a hit on eight that it starts to get interesting...

EDIT: I just got a xxxxxx3M work unit at 3:30PM CST

;)

Brad



Posted by: EdwinOlson

Regression tests-

Yes, I periodically submit a test block on the old 3.0 password and make sure that someone reports success.

Which means, if you see "***Success***", you might want to make sure it's not '3 0 BC' :)



Posted by: DVDerek

quote:
Originally posted by Otto
Expensive isn't even the right word for it. If the character set is A-Z,0-9,Space then the total possible combinations of 8 characters is 3,512,479,453,921. Three and a half trillion possibilities.

Total possible number of 7 characters is only 94,931,877,133, about 95 billion entries. Every character you add = 37 times as long to search the keyspace.



Expensive in the "computer sense" might not be the right word for it (as the calculations are no more complex, just more of them to make). But in the business sense (TIME IS MONEY), it sure is!

Barclay and Ed have done wonders. Can we have any idea how many machines are working on this? I've got 4 going on it. At any given time, 3 will be full throttle while 1 will be a lower priority process (as I'll be using one machine). Actually, overnight all 4 will go full throttle. No luck getting non-tivoers to run it as they all just laugh at me. Oh well.



Posted by: Otto

The double quote doesn't need to be checked, BTW. It can't be entered on Search by name.



Posted by: Otto

quote:
Originally posted by DVDerek
Expensive in the "computer sense" might not be the right word for it (as the calculations are no more complex, just more of them to make). But in the business sense (TIME IS MONEY), it sure is!


No, I got the meaning.. I just meant it's way beyond "expensive". Wait until you hit 9-10 characters. :eek:



Posted by: TreborPugly

quote:
Originally posted by Otto
No, I got the meaning.. I just meant it's way beyond "expensive". Wait until you hit 9-10 characters. :eek:


For higher character searches, wouldn't it be reasonable to assume that the code will include at least one (probably two) spaces, and at least one (probably two) numbers. And, for that matter, at least one (probably two) letters? A few constraints like this and the 9-10 spaces get smaller than the 8 character, unrestricted space.

Treb.



Posted by: Jonathan_S

DVDerek
I have a total of 7 up right now, all dual proc linux machines running between 533 and 750 MHz.

I've got three more boxes I will add tonight, they are turned off so I have to wait until I can physically access them.

[All these computers had been participating in the distributed.net search for the rc5-64 key which was recently found]. About half of them are a friend's, but he said it was cool to run this search on them :)



Posted by: subuni

quote:
Originally posted by TreborPugly
The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.


Although I think that's unlikely, it's a very good point. Otto had posted "115375040AE75635B2F4AFEC691A0228C2586A14" - "3 2 BC" earlier in this thread (page 4). I've replaced the hash on my 3.2 system with that, did "3<space>2<space>BC<thumbsup>" in "Search By Title", and got backdoors enabled.

quote:
Originally posted by DVDerek
Subuni... I can't believe no one's asked yet but.... Have you noticed anything new/different/cool in 3.2 with backdoors enabled. Also, from what you said earlier about which strings you replaced, it seems apparent that we STILL aren't sure which one it is (since you replaced both strings). Is this true?


I don't really use backdoors. I made sure I could view log files (clear-enter-clear-thumbsup) and that I could rebuild the suggestions. Those are the only two backdoors I use, and both worked. I tried the Teach TiVo code from 2.0, but it didn't work.

I know which hash it is to modify when in MFS. When I was hexediting it, I didn't really care to spend time figuring out which was which. Just as easy to modify both. Yet again I know which two I'm modifying, one is in a slice file (swsystem-7507302-53.slice -- think of it like a mini-TiVo rescue file. If something goes wrong on the TiVo, it may try and restore from this file to get things working). The other location is the one that gets read (and needs to be changed in order for the backdoor code to work), detailed below.

For the MFS example, which essentially came from the thread referenced on the first page of this thread.

code:
% mls /SwSystem
Directory of /SwSystem starting at ''

    Name               Type   FsId   Date       Time   Size
    ----               ----   ----   ----       ----   ----
    3.2.0-01-2-240     tyDb   2312   08/20/02   19:02  688
    ACTIVE             tyDb   2312   08/20/02   19:02  688

% dumpobj 2312
SwSystem 2312/11 {
  Active = 1
  DbMajorVersion = 6
  DbMinorVersion = 73
  IndexPath = /SwSystem/3.2.0-01-2-240 /SwSystem/ACTIVE /Server/7088399
  Module = 2/-1 6/-1 8/-1 10/-1 12/-1 14/-1 16/-1 18/-1 2313/-1
  Name = 3.2.0-01-2-240
  ResourceChecksum = 9ff44d3f0bacde68cf8717cfa6b85db8
  ResourceGroup = 2314/-1 2315/-1
  (... the rest is pointless for this example ....)

% dumpobj 2315/174
ResourceItem 2315/174 {
  Id = 131251
  String = 115375040AE75635B2F4AFEC691A0228C2586A14
}
%


Or to try and explain it, you do an "mls /SwSystem", do a dumpobj of the fsid for 3.2 (2312), find the second ResourceGroup fsid (2315), change the -1 to 174 (the item number of the backdoor hash). If you modify that hash, you'll change the backdoor code. And if you wanted to modify it:

code:
RetryTransaction {
    set obj [db $db openid 2315 174]
    dbobj $obj set String "115375040AE75635B2F4AFEC691A0228C2586A14"
}


(That's how I modified it to use the "3 2 BC" hash).



Posted by: tarman

quote:
Originally posted by Otto
tarman: The obvious cases are easier to test, and mostly already tested independantly. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.

You can name any case you like this way, only the number of changable characters is what controls the number of possibilities. And all the most obvious cases are under 6 changing characters.

An exhaustive search is the last resort, really.



I totally agree with you, however, if we are going to brute force it, maybe we should put our computers to work on a set of codes that are more likely, based on history, to contain THE valid one.

Tom



Posted by: Otto

tarman: I think what I meant was that all the obvious ones we can think of have been searched already.

Trebor: You certainly could reduce the keyspace by assuming it had, say, at least one space. If we assume it's an 8 character key with at least one space then you'd reduce the possibilities from 3.5 trillion to 759,455,017,064, or 7.6 billion. But can you assume it has a space in it? I mean, that's a fairly large assumption to make for such a big key (8 chars), IMO.

But you're correct, it would be a hell of a lot faster to search that. Hey Edwin, if the distributed code contained a search mask of some sort being sent from the server, you could change the possible searches at will, really. It'd have to be a pretty strange masking scheme to be able to say things like "at least one space in it" though.

Edit: Ahh, looking at the code I see it has a pattern entry. Cool. Probably not as complex a pattern as that though. Still will let you search the more obvious ones first by varying the pattern accordingly.



Posted by: barclay

All right, as promised, I've got a new version of the windows client that talks to the right server. You can download it from this message.

It takes a few command line switches, most importantly, one for the username.

code:
TiVoCrack uExample

will run it with a user of "Example"

And, if you have a multi-proc box:
code:
TiVoCrack uExample t4

will run it with a user of "Example" with 4 threads for a 4 proc box.


In the next few minutes, my server will start reporting that there are no more keys to search. Sorry about this, but there's no way to integrate things at the backend.

Go here for the latest version.



Posted by: DarkHelmet

quote:
Originally posted by Otto
tarman: The obvious cases are easier to test, and mostly already tested independantly. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.


A 1.2GHz athlon-mp tests about 1.25 million keys per second per cpu. Pentium4's seem to be pretty slow at doing SHA1 for some reason.

BTW: Be sure to use gcc -static on x86 *nix systems since the libraries when compiled for PIC mode run slower.

FWIW, I've gone completely through 8 character space with
' 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as a dictionary and tested the "easy" keys (only test those that have two spaces or more). Maybe that wasn't such a good assumption to make - the UK tivo backdoor key has no spaces, "10J0M". Neither did the 1.3 key.

I've checked the program on the old key. Using the full 37 character dictionary above and telling it to only test the keys with a space in it finds "3 0 BC" in 47 seconds.

I'd dearly love to run something at work. 8000 machines should be able to make pretty short work of the easy stuff.
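Added example, not code from the thread or from any of the clients it discusses: a small Python model of the search being described. It counts the keyspace for a given length, counts exactly how many strings contain at least a given number of spaces (the constraint Trebor and DarkHelmet discuss), and runs a pattern search in the same shape as the work units ('?' wildcards over the 37-symbol alphabet, with a minimum-spaces filter). It assumes the box checks an unsalted SHA-1 of the exact ASCII code typed in, which the thread implies but does not state; the target hash in the demo is computed from the known 3.0 code "3 0 BC" rather than copied from the thread.

```python
import hashlib
import itertools
from math import comb

# Alphabet the Search by Title screen can enter, as given in the thread:
# A-Z, space and 0-9 (37 symbols).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"


def keyspace_size(length, alphabet=ALPHABET):
    """Number of strings of exactly `length` symbols over `alphabet`."""
    return len(alphabet) ** length


def keyspace_with_min_spaces(length, min_spaces, alphabet=ALPHABET):
    """Strings of `length` symbols containing at least `min_spaces` spaces.

    Counted exactly: sum over k >= min_spaces of C(length, k) * (n-1)^(length-k),
    n being the alphabet size. Multiplying "positions a space could sit in" by
    the size of the remaining keyspace overcounts strings with several spaces.
    """
    n = len(alphabet)
    return sum(comb(length, k) * (n - 1) ** (length - k)
               for k in range(min_spaces, length + 1))


def candidates(pattern, alphabet=ALPHABET):
    """Yield every string matching `pattern`.

    '?' is a wildcard over `alphabet`; every other character is fixed. The
    first wildcard varies slowest, and the very first candidate has
    alphabet[0] in every wildcard slot (nothing is skipped at the start).
    """
    slots = [i for i, ch in enumerate(pattern) if ch == "?"]
    chars = list(pattern)
    for combo in itertools.product(alphabet, repeat=len(slots)):
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


def sha1_hex(text):
    # Assumption (not confirmed by the thread): the box compares the unsalted
    # SHA-1 of the exact ASCII code typed in, rendered as 40 hex digits.
    return hashlib.sha1(text.encode("ascii")).hexdigest()


def search(target_hex, pattern, min_spaces=0, alphabet=ALPHABET):
    """Return (match, tested) for the first candidate hashing to target_hex.

    Candidates with fewer than `min_spaces` spaces are skipped without being
    hashed, which is the "only test keys with a space in it" shortcut.
    `tested` counts the hashes actually computed.
    """
    target = target_hex.lower()
    tested = 0
    for cand in candidates(pattern, alphabet):
        if cand.count(" ") < min_spaces:
            continue
        tested += 1
        if sha1_hex(cand) == target:
            return cand, tested
    return None, tested


if __name__ == "__main__":
    # Constructed regression target: the hash of the thread's known 3.0 code,
    # computed here rather than copied from the thread. A "***Success***"
    # report should be checked against this before anyone gets excited.
    known = "3 0 BC"
    target = sha1_hex(known)
    hit, tested = search(target, "3 ????", min_spaces=2)
    print(f"{hit!r} found after {tested} hashes")
    print("37^8 =", keyspace_size(8))
    print("37^8 with at least one space =", keyspace_with_min_spaces(8, 1))
    print("37^8 with at least two spaces =", keyspace_with_min_spaces(8, 2))
```

Run as is, it reports the hit for the regression target plus the exact counts; the at-least-one-space figure for eight characters is 37^8 - 36^8, the inclusion-exclusion count. Swapping the pattern for a server-style one such as "Z ??????" (seven wildcards, about 95 billion candidates) shows why a single work unit takes an hour or more on a desktop of the day even in C, let alone here.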



Posted by: Otto

quote:
Originally posted by barclay
All right, as promised, I've got a new version of the windows client that talks to the right server. You can download it from this message.



Is this right?

g_szAlphabet = strdup("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");

That alphabet doesn't contain a space. Also, localmode doesn't seem to work right.. "Tivocrack l p?" keeps spitting out [B] for example.



Posted by: barclay

Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.



Posted by: bsnelson

OK, I'm up and running on the "new barclay" on my Windows boxes and "ed" on the Linux boxes.

Question: Am I assuming that we're just using the "AAxxxxxx, ABxxxxxx" namespace progression now, and we've abandoned "xxxxxxAA, xxxxxxBA"?

Brad



Posted by: DBordello

If only we could submit this to seti@home or something, speed this up.

When can we expect to see the stats? :)



Posted by: Otto

quote:
Originally posted by barclay
Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.



Okay. I was able to fix localmode anyway.. Just going over it for testing purposes.. I stuck in a debug mode so I could see all of the tests it does, and it appears to miss the first one of the set. For example, ??? as a pattern gets all of the set except for AAA. It starts at BAA. Haven't worked out why yet.



Posted by: DVDerek

quote:
Originally posted by barclay
Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.



Did we at least get some way of you sending your completed workloads to Ed so we dont send them out again? I hope so!

Ok, 3/4 machines are running the new (1.2) code. I'll get the 4th up when I go home. Have fun!



Posted by: EdwinOlson

Please note that it is NOT necessary for every machine to have a unique user id. You can give every one of your machines the same user id. That way all of your blocks will be added together.

(i.e., on my 3 machines, each one is run as 'eolson').



Posted by: barclay

Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).

Hopefully this will be the last version for a while.



Posted by: DVDerek

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).

Hopefully this will be the last version for a while.



HMMM... I just got 4 computers at work running 1.2 and then went home. Is this going to invalidate all of their results? Bummer. I'll get 1.3 running on my home machine now.



Posted by: dkroboth

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.


Do we need to search any of the key space again?



Posted by: Otto

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).



Your local mode fix was much the same as what I did.

I also changed this:
code:
g_nWorkerRunning++;
CreateThread(NULL, 0, FindTiVoKey, 0, NULL, NULL);

Into this:
code:
HANDLE hThread;
g_nWorkerRunning++;
hThread = CreateThread(NULL, 0, FindTiVoKey, 0, NULL, NULL);
SetThreadPriority(hThread, THREAD_PRIORITY_BELOW_NORMAL);

In order to make the thread more friendly on the CPU. Lets me run it in the background without slowing down my other activities. It only runs slightly slower this way, and only when I'm actually doing something.



Posted by: barclay

It shouldn't invalidate any results.

I just ran through all of the possibilities that 1.2 would have missed.

The answer isn't in any of them :)

Go ahead and upgrade when you can though. Once we hit another letter it might miss something, though I highly doubt it.



Posted by: DVDerek

quote:
Originally posted by barclay


I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).



I just downloaded what was supposed to be the updated version but it has the same file date and size. When run it still reports 1.2.



Posted by: barclay

DVDerek: Sounds like you're behind a caching proxy or just have a confused browser.

Try again. I just changed it to 1.4, which adds as an option, Otto's suggestion (the option is "r"). I also changed the filename, which should get around any caching problems.



Posted by: drosoph

ok barclay ... 3 versions in 1 hr ... let me at least finish one iteration ;)



Posted by: UncaAndoo

Up and running on my Windows box. Happy to contribute.



Posted by: barclay

Oh yeah, if some one is willing to try the latest version on Win 98, I'd appreciate it.

I'm not too hopeful that I've fixed the problem, but I did clean up a bit of the code I suspect was having troubles.



Posted by: Otto

BTW, if you use Proxomitron, add this to your bypass list to make it work:

[^/]++eolson.dyndns.org/



Posted by: mdscott

Running on an XP laptop -- on second work load...

mds



Posted by: markp99

mdscott,

Are you using v1.4 on XP? I tried and only see "getting next work load", then it quits. Log says "Next work load failed, exiting".

Did you feed username as command line? How on XP?

v1 worked like a charm all night last night...

m



Posted by: FUBAR

i'm using 1.4 on XP tivocrack.exe ufubar s1



Posted by: markp99

hmmm... just quits for me on XP...

10/30/2002 21:39:57: TiVoCrack 1.1 started
10/30/2002 21:39:57: Getting the next work load
10/30/2002 21:39:57: It looks like there's no more work to be done!
10/30/2002 21:39:57: Next workload failed, exiting



Posted by: DVDerek

quote:
Originally posted by barclay
DVDerek: Sounds like you're behind a caching proxy or just have a confused browser.

Try again. I just changed it to 1.4, which adds as an option, Otto's suggestion (the option is "r"). I also changed the filename, which should get around any caching problems.



That was odd. Even with the filename pointing to tivocrack14.zip it was still downloading tivocrack.zip. Went out for an hour and now it works. Oh well.



Posted by: markp99

Nevermind...d-loaded again. Works fine. Off and running...



Posted by: bevinst

There might be a problem with tivocrack 1.4. I started it and it made it to the sleep message... I put it in the background at this time. A little later I checked the status and noticed it wasn't doing anything -- cpu load near zero. I typed in CTRL-C and got the message about "Z SRG BA" -- This was about an hour after I loaded it -- notice the time stamp in the log. After that, the cpu load hit 100% and it started updating the status messages.

I'm running Windows XP home on an AMD 1400. A capture of the screen follows:


D:\Download\TiVo>tivocrack ubevinst
10/30/2002 19:21:54: -- TiVoCrack 1.4 started --
10/30/2002 19:21:54: Getting the next work load
10/30/2002 19:21:59: User = [bevinst], Work Unit = 59463
10/30/2002 19:21:59: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
10/30/2002 19:21:59: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
10/30/2002 19:21:59: Pattern = [Z ??????]
10/30/2002 19:21:59: Threads = 1, Local = false, Silent = false, Lower Priority
= false
10/30/2002 19:21:59: Sleep minutes = 5
10/30/2002 19:22:04: [Z SRG BA]
10/30/2002 20:33:09: [Z 1H604C]
10/30/2002 20:38:09: [Z F2V7 F]


-Tommy



Posted by: DVDerek

quote:
Originally posted by markp99
hmmm... just quits for me on XP...

10/30/2002 21:39:57: TiVoCrack 1.1 started
10/30/2002 21:39:57: Getting the next work load
10/30/2002 21:39:57: It looks like there's no more work to be done!
10/30/2002 21:39:57: Next workload failed, exiting



You look to be having the same problem I was. If the program downloaded correctly, it should be version 1.4. I don't know what's causing this. Try rebooting or clearing out your internet cache or something.

You're getting that message because 1.1 used Barclay's server which is no longer in use (despite all the work that was probably put into it).



Posted by: tarman

Running on 98. Get all of the headers and lines every 5 minutes without any codes.

.......
.......
10/30/2002 20:06:14: Threads = 1, Local = false, Silent = false, Lower Priority
= false
10/30/2002 20:06:14: Sleep minutes = 5
10/30/2002 20:06:19:
10/30/2002 20:11:19:
10/30/2002 20:16:23:
10/30/2002 20:21:20:
10/30/2002 20:26:20:
10/30/2002 20:31:20:
10/30/2002 20:36:20:
10/30/2002 20:41:20:
10/30/2002 20:46:20:

Tom



Posted by: markp99

Yes, cleared cache, re-dl'd... all's fine now. On 2nd work unit...



Posted by: mstroh

Its working just fine on my XP machine, but is not working on my 98SE machine.

The program runs, dl's the work unit, goes to sleep, and then gives an update every minute. Its the same problem tarman has. I set the sleep setting as s1.

mike



Posted by: mdscott

quote:
Originally posted by markp99
mdscott,

Are you using v1.4 on XP. I tried an only see, "getting next work load", then quits. Log says "Next work load failed, exiting".

Did you feed username as command line? How on XP?

v1 worked like a charm all night last night...

m


Dell Inspiron 4150 w/ XP Home Edition. I did not enter user name; just expanded entire archive and then double clicked the exe -- let tivocrack assign username, Takes about 70 minutes per work load.

mds



Posted by: tarman

Is there a way to signal TiVoCrack (V1.2) to gracefully stop after the current workload is completed. I would like to stop it and start up V1.4 (with the r option) but I do not want to start and not finish a new workload.

I do have a Korn Shell so I can send any valid signal.

Is disconnecting the ethernet a method?

Tom



Posted by: TK-421

Upgraded my machine to 1.4.. Working on the ZQ block right now..



Posted by: markp99

Can someone post the valid switches to Tivocrack?

I've only used:

u-username
s-sleep

I have two machines at home crunching since last night. Just added my work computer (NT4) to the task, but would like to be able to set priority a bit lower during busy hours...

Any help?



Posted by: TreborPugly

I've received at least one work-load with a space as the first character. I played around with what you could enter in Search by Title last night, and you cannot start with a space. You must first have an alpha-numeric character before you can enter spaces.

Treb.



Posted by: tarman

quote:
Originally posted by markp99
Can someone post the valid switches to Tivocrack?

I've only used:

u-username
s-sleep

I have two machines at home crunching since last night. Just added my work computer (NT4) to the task, but would like to be able to set priority a bit lower during busy hours...

Any help?



In version 1.4 the parameter "r" lowers the priority quite nicely.

Tom



Posted by: markp99

"r" then value, or simple binary toggle?

[edit]: Answered my own question just "r" required!



Posted by: stahta01

switch h gives help info.

Tim S

Edit:

TiVoCrack - Options:

h - This help
l - Local mode
p<Pattern> - Pattern to use
u<User> - User name for server mode (default: random)
a<Alphabet> - Alphabet to use
t<Threads> - Number of threads to launch (default: 1)
c<Hash> - Use <Hash> (default: 3.2's hash)
q - Less information dumped
s<Minutes> - Sleep <minutes> between results (default: 5)
r - Lower the priority of the worker threads



Posted by: lmurray

ed,
your code ports nicely to macosX too. Ha.

Next, I'm going to compile this on my atari 2600!

:)

-lloyd-



Posted by: barclay

quote:
Originally posted by tarman
Is there a way to signal TiVoCrack (V1.2) to gracefully stop after the current workload is completed. I would like to stop it and start up V1.4 (with the r option) but I do not want to start and not finish a new workload.



There's no way to do this. Don't worry about it. Abandoned blocks will still be worked on.



Posted by: mdscott

Lloyd -- if you are willing to share -- along with instructions such as run from Terminal (yes?) etc. I can include another in the group this evening.

mds



Posted by: brianld

OK, just kicked it off on my P4 1.9ghz ... every little bit helps, right? :D



Posted by: stahta01

Hi All:

My computer is working on its 4th block. It's taking about 2 hours 40 minutes a block/work load. I hope to get it using my username next time; last time I did not prefix it with a u so it used a random one.

Tim S



Posted by: dkroboth

Here is a silly idea.... Given TiVo's obsession with holidays as release/announcement dates, anybody want to try some variations on those as backdoor codes? (HAPPY HALLOWEEN) sorta thing :)



Posted by: markp99

Another hunch...

Around the time that the 3.2 backdoors question was first raised, TiVoPony changed his avatar sig from "vrrrm vrrrm" to "It's October!". We know Pony has occasionally and cryptically leaked little tidbits to us (S.O.R.T.)...

What's the 3.2 backdoor?: Why, it's "October"... ??

I've already played with MANY variants of "October" & "Oct" with "3.2" and "3 2", etc. No luck, obviously...

Hey, it was just an idea... :)



