TiVo Community Forum Archive 1

TiVo Community Forum Archive 1 (http://archive.tivocommunity.com/tivo-vb/index.php)
- TiVo Underground (http://archive.tivocommunity.com/tivo-vb/forumdisplay.php?forumid=8)
-- Getting the 3.2 Backdoor Code (http://archive.tivocommunity.com/tivo-vb/showthread.php?threadid=80657)


Posted by DVDerek on 10-17-2002 05:30 PM:

Getting the 3.2 Backdoor Code

I'm new here so hang in there...

I know the old Backdoor Code does not work with 3.2. Everyone seems to be saying "well, just wait until someone releases it." Who is this magical someone? Is this something TiVo usually eventually leaks or do people actually work on getting the code? Is there a process for attempting to get the code? Who works on these things?

Thanks,
Derek

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by markp99 on 10-17-2002 05:42 PM:

A brilliant few willing to break the encrypted code... Like EdwinOlson did for the 3.0 code.

Read thru the following thread to appreciate some of the complications. Interesting.

http://www.tivocommunity.com/tivo-v...&threadid=54743

3.2 code will be even MORE difficult, because the file system is not accessible yet on Series2 (where 3.2 is now releasing).



I'm betting we get the code via a leak from TiVo, or someone simply stumbles upon it...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by donvickers on 10-23-2002 07:04 PM:

Do we have any news yet as to the code to open the "backdoor" on 3.2?
Is this the forum in which it's most likely to appear, if and when it's found?


Posted by mtw2 on 10-23-2002 09:52 PM:

HOWTO for getting 3.2 code

Two steps:

1. The encrypted code must be retrieved from the drive. Since they aren't upgrading Series 1 boxes to 3.2 (presumably, this is the rumor I've heard) then someone with a series 2 must do it. This involves cracking the cover and putting the hard drive in a desktop machine.
I could do this, but I'm reluctant to crack open my Series2 and void the warranty, if I know I can't get a prompt or run TivoWeb on it yet.
Besides, I haven't got 3.2 yet.

2. The encrypted code must be cracked. If whoever cracked 3.0 can either post their brute force code or run it for us when the encrypted 3.2 code is posted here, then it should be a matter of hours to get the backdoor code, once extracted.

Caveat: If they thought we got it too quickly last time, then they may have altered the algorithm or altered how this is stored. In that case, it'll take a bit more trial and error before it's discovered.

~mtw2

Still waiting for 3.2...


Posted by mtw2 on 10-23-2002 10:14 PM:

Update:
The way they got the encrypted string last time was from a command line app on the tivo. The MFS isn't a well understood fs, and you need Tivo's dumpobj tool to look at the resource elements. This may be a problem, since you can't get a shell (yet) on Series2, and they aren't rolling out 3.2 to series 1 boxes (afaik).
So, I'm proposing an alternate method. Use the mfs_info and mfs_dumpobj programs that come with vplay. (that's all I'll say here, google for more).

Update2:
The program to brute force a SHA1 code is in that 3.0 thread referenced above. A dictionary made with "302backdor" would be a good start, but Tivo may have broken from tradition and added new letters or numbers.


Posted by CerebusUS on 10-23-2002 11:20 PM:

Dunno if this helps any or not, but I went to my system information today and saw the following:

Icebox files:
Path (null):
swsystem/3.2v4-01-2/...
.
.
.
.

So I'm guessing I've got the 3.2 code waiting on my box for an install command.

My Tivo is a Sony SVR-2000, upgraded with an old tivonet adapter (the ISA one) and an 80GB drive.


Posted by subuni on 10-23-2002 11:53 PM:

quote:
Originally posted by CerebusUS
Dunno if this helps any or not, but I went to my system information today and saw the following:

So I'm guessing I've got the 3.2 code waiting on my box for an install command.

My Tivo is a Sony SVR-2000, upgraded with an old tivonet adapter (the ISA one) and an 80GB drive.



Everybody should have those files, as they came down via the Discovery Channel program. But it won't be installed on your Series 1. (Correct me if I'm wrong) The last number in a version number indicates the series it's for. For example: v3.0-01-1 is for Series1, v3.0-01-2 is for Series2. In this case, since the version is 3.2v4-01-2, the software is for Series2.


Posted by subuni on 10-24-2002 12:55 AM:

Although I don't have a Series2, this was pretty trivial to find in the 3.2.V4-01-2 update files.

ResourceItem 999074/174 {
Id = 131251
String = 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4
}

I'm sure somebody will know how to have fun with that.

And as a side note:

ResourceItem 999074/220 {
Id = 131297
String = {Teach TiVo lets you rate programs, actors, directors and categories of programs using the THUMBS buttons. Based on these ratings, TiVo suggests other programs that you might like. What TiVo Thinks(tm) are shown with purple, square thumbs.}
}

If that means Teach TiVo is back and functional in 3.2.V4-01, and my Series 1 never gets upgraded to that... I will be a very unhappy camper.


Posted by CerebusUS on 10-24-2002 02:03 AM:

I trust someone has already tried B B 32 and B B 3 2 right?

I'm just extrapolating a pattern...


Posted by EdwinOlson on 10-24-2002 04:06 PM:

Hey guys. I'm trying my code on it.

So far, it looks bad; the same code that found it on 3.0 isn't finding it on 3.2.

I suspect that the tivo developers are probably pretty lazy folk when it comes down to it, and aren't too keen on entering in 7+ character passwords all the time.

I've searched all passwords up to 5 characters, I'm working on 6 (some of the "most likely" passwords have already been tried of length 6-8).

I suspect that something has changed. I'm still trying both endiannesses.

Brainstorming some possibilities:

- high ASCII?
- everything's lowercase?
(I'll try these two in a few minutes)
- Some arithmetic manipulation on the plaintext (e.g., XORing it with "TiVo", XORing each byte with 0xE9...) In order to make my search fail, the manipulation would have to convert the plaintext to use letters *outside* the TIVO alphabet.

One question: Does 3.2 change/add which letters you can enter? I'm using the alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ". Perhaps they've added hyphens or something? Can someone who has 3.2 report (perhaps privately) on this? (Do any other keys result in characters appearing in the search window? Perhaps thumbs-up, play,...?)

The disassembly of the relevant code that checks for the backdoor code, of course, would be extremely helpful!

-Ed

PS: Last time, the key insight came from someone who just threw out a random idea that happened to be right. (endianness was backwards). I dunno if I would have thought of it. So spew forth your ideas!

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by gregstoll on 10-24-2002 06:33 PM:

I'm also trying the same things as last time - I'm in the middle of length 6 codes (all letters, numbers, space) and no luck. I think if that doesn't work, I'll try it with lowercase instead.

I have 3.2 and just checked the Search by Title screen - don't see any new characters (and I tried pressing random remote buttons as well).


Posted by ADent on 10-24-2002 06:37 PM:

You can enter the quote character (hit the pause key) in at least some of the search screens.


Posted by markp99 on 10-24-2002 06:39 PM:

Does <pause> key produce a <quote> character, like it does elsewhere? Do not have access to TiVo now...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by EdwinOlson on 10-24-2002 07:23 PM:

a double quote or a single quote?

I don't think it's RIPEMD either.

I've already searched through all 6 letter and a quite a few 7 letter combinations, SHA0, SHA1, RIPEMD. Gonna try HAVAL in a bit.

I'm checking for all endianness possibilities. Also tried twiddle factors (XORs) over the ciphertext (i.e., "TIVO", "TiVo", "tivo").

Tried lower case. Tried high ascii.

<grumble>

Are we sure that the resource entry isn't a decoy? Do you see any suspicious constants in the resources? (probably 32 bit)

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by markp99 on 10-24-2002 07:27 PM:

pause = double quote...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by Barry on 10-24-2002 08:09 PM:

Hi all,
I've a question. Are you actually trying the backdoor codes manually by entering them at the remote, or have you automated the process? If so how?

Barry


Posted by barclay on 10-24-2002 08:14 PM:

The process is automated. Look in the thread subuni referenced for all the juicy bits.

Basically, we're trying to brute-force the code out of the resource string by trying to encode lots of possibilities and seeing if they match.

I've extended the cracking program to try codes a few characters more in length. I doubt I'll get anywhere though.


Posted by HookedOnTivo on 10-24-2002 08:45 PM:

Talking

Nerds.


Posted by dbates on 10-25-2002 06:36 AM:

Keep trying guys! I'm rooting for you! I can't wait to try the Backdoor stuff.

__________________
1 60hr Series2


Posted by gregstoll on 10-25-2002 08:56 AM:

Dunno about the rest of y'all, but I'm trying all sorts of permutations of the hash function:

swapping hex codes 01 23 45 67 as:


and doing the same thing for swapping each byte (i.e. 01->10) and reversing the whole hash. Just some ideas if you have good ways of transforming the possible codes (I've basically only tried lowercase & uppercase...)

We can do it! :-)


Posted by EdwinOlson on 10-25-2002 12:46 PM:

Ugh. I was hoping for a message from my computer this morning.

I've completed the 6 character search space with the alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\" " using SHA0, SHA1, RIPEMD-160, and checking for all 4 possible endian orders.

I've completed the 7 character search space with the alphabet "TIVOBD302ACKRPWE " using RIPEMD, SHA0, SHA1, TIGER, HAVAL, GOST, and even truncated SHA256, checking for all 4 possible endian orders.

I've tried some "likely" other combinations- lower case, high ascii, etc as described before.

At this point, I do suspect something's wrong; either my code is wrong, or they're doing something different (a different cipher, some transform on the input or output, etc.)

Ideas solicited. I'll keep going, but the next key spaces are gonna take a long time. (38^7 is a big number!.)

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by markp99 on 10-25-2002 01:47 PM:

Last night I attempted to "type" special characters from the peanut keypad from search screen. I could not produce a <double quote> using the <pause> key...

I tried several other key combinations, and could not produce any new non-alpha/numeric characters...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by donvickers on 10-25-2002 02:26 PM:

Say, regarding version 3.2 .... has anyone been able to get the code to display the suggestions that are to be recorded?
In previous version it was:

ThumbDown
ThumbDown
ThumbUp
InstantReplay

I think. I can't seem to get it to take in 3.2
Should I keep trying or is it "dead in the water"?


Posted by mtw2 on 10-25-2002 02:48 PM:

At least in 3.0, that code requires backdoors to be on.... I suspect it won't work until we get the 3.2 code.


Posted by gregstoll on 10-25-2002 04:49 PM:

subuni - were there any other suspicious-looking resources in the 3.2 update file?


Posted by DVDerek on 10-25-2002 06:10 PM:

Suggestions...

Well, it seems we're moving on this. Very nice. However, it also seems that we're either barking up the wrong tree, or they've gotten trickier.

What language is your code written in EdwinOlson? If you post it and there are enough people here to look at it, we may all be able to make suggestions. Once we believe the code to be sufficiently good, we can all run the program with different ciphers, different code lengths, and different alphabets. Break up the key space.

I'm not a great programmer or cryptographer, but I can certainly dedicate a machine and maybe 2 to running the brute force.

~Derek
hoping there are no DMCA enforcers out there...

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by dkroboth on 10-25-2002 06:49 PM:

I'll be happy to donate a machine or two to the cause as well.


Posted by EdwinOlson on 10-25-2002 09:42 PM:

I've added some code which I expect to generate spurious solutions every now and then (about one in 4 billion tests).

It just spit one out. It seems unlikely to be right, so don't get your hopes up, but if anyone can try it: "V U J N". That's V SPACE SPACE U SPACE J SPACE N. See? seems unlikely.

Worth a shot, I suppose.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by subuni on 10-25-2002 10:00 PM:

quote:
Originally posted by gregstoll
subuni - were there any other suspicious-looking resources in the 3.2 update file?


When I posted that originally, I had only quickly scanned through a handful of ResourceGroup's from the swsystem-7507302-53.slice update. That was the only interesting string that I encountered, and with its location similar to the location of the 2.5/3.0 BD's .. seemed like a sure-fire winner.

Looking through a little more in depth, I now see:

% dumpobj -depth 1 /Server/7507324
(.. snipsnip ..)
Id = 1376273
String = {1006 1009 1011 1000 1001 1002 1003 1004 1005 1012 1013 1007 1014 1008 1010 1015}
}
(.. snipsnip ..)

Nothing else out of the ~3000 strings I looked at looks suspicious though.

quote:
The disassembly of the relevant code that checks for the backdoor code, of course, would be extremely helpful!


I've let Edwin know how he can get a binary of tivoapp for v3.2, in case he knows somebody that feels like disasm'ing it.

BTW Edwin: I love Blisstonia, due to its high levels of Bliss.


Posted by DVDerek on 10-25-2002 11:24 PM:

quote:
Originally posted by EdwinOlson
I've added some code which I expect to generate spurious solutions every now and then (about one in 4 billion tests).

It just spit one out. It seems unlikely to be right, so don't get your hopes up, but if anyone can try it: "V U J N". That's V SPACE SPACE U SPACE J SPACE N. See? seems unlikely.

Worth a shot, I suppose.

-Ed



Sorry... tried and it got nothing.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by lmurray on 10-25-2002 11:32 PM:

Well, for what it's worth.. If I was TiVo, I'd make the string longer, knowing that it would take longer to "match". Anyway, EdwinOlson, if you want to post your latest changes (source code), people can sign up to work all possible character combinations. I'm currently trying all possibilities on 7 letter combos. (Course I didn't catch the post about the quotation mark).

-lloyd-


Posted by deebo on 10-26-2002 12:11 AM:

What happens if you put a drive that was upgraded to 3.2 in a Series 1? That way you could telnet in and look around from bash a little, and maybe have a better idea that you have the right hash?
-David


Posted by subuni on 10-26-2002 01:36 AM:

quote:
Originally posted by MuscleNerd
S1 and S2 are completely different CPU architectures. Nothing would run (or even boot) if you did that.

On the other hand, it may be possible to "mount" an S2 MFS partition from an S1 machine. If that's the case, then you could change the backdoor MFS string as I suggested above to create your own backdoor password. One way of doing this would be to kill all the apps, start up mfsd by hand, and point to the S2 MFS partitions.

Some savvy people out there can probably even mount an MFS partition from their normal Linux boxes.



You could put the S2 drive into an S1 box (as the "B" drive), boot, telnet in, set MFS_DEVICE=/dev/hdb10, get into tivosh, and then try to mls /.. The only doubt I have with that working is the S2 drive being "byte-swapped" compared to what the PPC is looking for. Also, you can "mount" a dd image:

code:
bash-2.02# export MFS_DEVICE=/mnt/nobody/hda10
bash-2.02# tivosh
% mls /
Directory of / starting at ''
Name        Type   FsId    Date      Time   Size
----        ----   ----    ----      ----   ----
Anchor      tyDir  310891  10/24/02  08:56  3336
..snip..


Or, you could also put an S2 v3.2 drive into a Linux box, hexedit the 10th partition, and change the hash that way. I'm 99.99% confident it'll show up as a string in 2, or possibly 3, locations. 1- In the slice file stored in /SwModule, 2- In the ResourceItem (the one we want to modify), and possibly 3- in the icebox. Just search for 5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B, replace it with 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4 (The "3 0 BD" code), pop the drive back in the TiVo, and see if the old code works.

And there are a few other ways (to modify the hash on the S2 drive), but I'll leave those to the imagination of the reader.

I don't have an S2, nor a desire to drop $350 on one (not to find a silly backdoor code, at least). So, I'll leave this for someone with an S2 3.2 that's feeling adventurous.


Posted by EdwinOlson on 10-26-2002 03:03 PM:

The code I used on 3.0 is on my website, http://www.blisstonia.com.

I'm using a descendant of it now which, if anything, is slower because of additional checks it performs. It's for unix boxes with the openssl library installed.

I'm playing with some code to do a distributed attack. FYI, at this point, I've mostly lost hope-- either something's different or they've used a long password, or I've done something wrong. But I'll keep at it for a while just for self amusement.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by EdwinOlson on 10-26-2002 06:02 PM:

Wow. I just couldn't figure out why I couldn't get objdump to produce meaningful results on tivoapp.

Well, duh, it's not powerpc anymore. I'm looking at it now. Hopefully I'll figure it out.

-Ed

PS: thanks to those who've provided me with info or have experimented on their boxes!

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by DarkHelmet on 10-26-2002 08:46 PM:

quote:
Originally posted by EdwinOlson
Ideas solicited. I'll keep going, but the next key spaces are gonna take a long time. (38^7 is a big number!.)

Keep in mind that "B M U S 1" is 9 characters (DTivo 2.5.2 plaintext key). Do not assume that it has to be 7 or less.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by EdwinOlson on 10-26-2002 10:38 PM:

That is a long plain text-- I didn't know it before. However, I've long since searched that name space.

In other news, there IS SHA1 code in the tivoapp. All the function calls are done using $gp as the base register, which, unfortunately, I'm not experienced enough with to be able to "trace backwards". In other words, while I've found the crypto code, I'm not sure how to figure out where it's being called *from*. Any suggestions?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Otto on 10-26-2002 10:55 PM:

Unfortunately it's probably something like "CRACK THIS YOU UNDERGROUND FREAKS" or some such.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by DarkHelmet on 10-27-2002 12:45 AM:

Oh yeah, I bet we are providing loads of amusement at Tivo HQ. "Let's see you brute force this in 10 seconds <evil laugh>".

I wonder if they'll feel sorry for us and give us some hints before somebody finishes disassembling the binaries and decides to use one of the third party tools to edit the string to set it to a known value. Anybody want to bet on whether they changed the way of activating it? eg: enter the text on a different menu, change the key used to activate it (thumbs down, advance or pause vs thumbs up), etc.

Of course, that's assuming the string isn't compiled into the application and the MFS value isn't a decoy...

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by gregstoll on 10-27-2002 06:38 AM:

This is a bit of a crazy idea...

But what if, after calculating the hash (presumably SHA1) of the string, the software just checks to see whether the result is "close enough" to the value stored? 160 bits is a large space of results from SHA1, large enough so that there probably wouldn't be any keys of short enough length to practically try that would also be close enough, so they wouldn't be losing anything...

I'll change my checker tomorrow for various definitions of "close enough" (only matches in 19 out of 20 bytes, all 20 bytes are within 1 of the result, etc.) and see if it comes up with anything. Yikes.
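The digest byte-order permutations Ed and gregstoll describe above (as stored, bytes swapped within each 32-bit word, words reversed, whole digest reversed) and gregstoll's "close enough" comparison, as an added Python example that is not code from the thread or from tivocrack. The four orders and the 38-symbol alphabet are assumptions taken from the posts; the digest in the self-check is computed in the code, not a value from the thread.

```python
import hashlib

# On-screen alphabet reported in the thread: letters, digits, space, plus the
# double quote the pause key produces (38 symbols, hence the 38^7 figure above).
TIVO_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \""


def sha1_digest(code: str) -> bytes:
    """Plain, unsalted SHA-1 of the code as typed (what the thread is matching against)."""
    return hashlib.sha1(code.encode("ascii")).digest()


def swap_bytes_in_words(d: bytes) -> bytes:
    """Reverse the byte order inside each 32-bit word (01 23 45 67 -> 67 45 23 01)."""
    return b"".join(d[i:i + 4][::-1] for i in range(0, len(d), 4))


def reverse_words(d: bytes) -> bytes:
    """Reverse the order of the five 32-bit words, keeping bytes within each word."""
    return b"".join(d[i:i + 4] for i in range(len(d) - 4, -1, -4))


def digest_variants(d: bytes) -> dict:
    """The four byte orders a 20-byte digest could plausibly be stored in.
    Assumed reading of 'all 4 possible endian orders' from the thread."""
    return {
        "as_is": d,
        "bytes_swapped_in_words": swap_bytes_in_words(d),
        "words_reversed": reverse_words(d),
        "fully_reversed": d[::-1],
    }


def parse_stored_hash(stored_hex: str) -> bytes:
    """Validate a ResourceItem string of the shape quoted in the thread (40 hex chars)."""
    stored_hex = stored_hex.strip()
    if len(stored_hex) != 40:
        raise ValueError("expected 40 hex chars (20-byte SHA-1), got %d" % len(stored_hex))
    return bytes.fromhex(stored_hex)


def mismatched_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions that differ; gregstoll's '19 out of 20 bytes' check."""
    if len(a) != len(b):
        raise ValueError("digests differ in length")
    return sum(1 for x, y in zip(a, b) if x != y)


def match_byte_order(candidate: str, stored_hex: str, max_mismatch: int = 0):
    """Return the byte order under which SHA-1(candidate) equals the stored value
    (allowing up to max_mismatch differing bytes), or None if no order matches."""
    if any(ch not in TIVO_ALPHABET for ch in candidate):
        raise ValueError("candidate uses a character the remote cannot enter")
    stored = parse_stored_hash(stored_hex)
    for name, variant in digest_variants(sha1_digest(candidate)).items():
        if mismatched_bytes(variant, stored) <= max_mismatch:
            return name
    return None


def keyspace(length: int, alphabet: str = TIVO_ALPHABET) -> int:
    """Number of codes of exactly `length` characters over the alphabet."""
    return len(alphabet) ** length


if __name__ == "__main__":
    # Constructed self-check: store one digest in each byte order and recover the order.
    d = sha1_digest("3 0 BC")
    for name, variant in digest_variants(d).items():
        print(name, "->", match_byte_order("3 0 BC", variant.hex()))
    print("7-char keyspace:", keyspace(7))
```

Because the stored value is an unsalted digest of a short string over a tiny alphabet, the keyspace function is the whole story of how much work a match costs; the byte-order variants only matter because the thread could not tell how the digest had been serialised.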


Posted by DarkHelmet on 10-27-2002 08:09 PM:

The middle of a loop?? Uh oh. Can you verify whether or not it calls the sha1 hash once only? If it is doing some sort of incremental hashing then that dramatically increases the cost of searching.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by EdwinOlson on 10-27-2002 08:53 PM:

MuscleNerd-

that agrees with what I've found too. But i'm still having trouble following it all- perhaps you can help?

I see the call to the function which grabs a resource item 23552(gp), which I suppose is putting its result at sp+32?. Then there's a call to -23340 with arg0=172(s5). and a call to -18516. I have no idea what they're doing.

Then, I see the outer loop which is iterating over the 5 words of SHA output, and the inner loop which iterates over the 4 bytes in the word.

Inside the loop, there's an unnerving reference to a constant at -32688(gp) and a call to -3632. I don't understand this or the constant 8800 which is being used.

Then it looks like they zero-truncate the string with the sb zero,104(sp), and I'd guess the call to -12116 is the strcmp? I don't see any code that looks particularly like if !strcmp(x,y) backdoors=true-- looks like the test itself might be occurring in function -700?

Then at 0x5e43cc, there's an invalid instruction 0x50400053. Code path looks like it's gonna execute it. What is it for? It's not one of the standard COP instructions.

From here on out, I'm mostly confused.

The function which actually prints "BACKDOORS ENABLED!" is at 6344cc, using resources 0x20213 and 0x20214. I don't see where it chimes 4 or 5 times though; it must be inside one of the other calls. Dunno.

My math makes me think (based on the first few lines of code; it's safe to assume that gp is constant, isn't it?) gp=0x1003bc40. As expected, a bunch of data is loaded in around this address.

Maybe we should start looking at the other functions to see if they make sense/are doing anything iffy.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by EdwinOlson on 10-28-2002 03:09 AM:

Thanks for your reply, MuscleNerd. Very helpful.

I don't have time to dive back into this tonight (dang ol' weekend is already over!).

And what a strange way of generating the ASCII sequence! snprintf is such a big hammer for that. It never would have occurred to me. Explains why I never saw the shifts by 4 that I was expecting to see.

Curious: did you determine that -23340 was strlen by following the code and manually confirming that the disassembly at the target address performed a strlen, or did you have some other way of doing it?

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by bsnelson on 10-28-2002 04:04 AM:

Soooo.. doesn't this mean we can now apply a patch where the strcmp is called such that its meaning is reversed, meaning that anything you enter EXCEPT the correct backdoor password is accepted?

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by bsnelson on 10-28-2002 08:16 PM:

Ah, duh, the chicken and the egg.

Sounds like we're getting closer, though!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by DarkHelmet on 10-28-2002 09:06 PM:

In other words, it is a standard boring sha1 hash, just like with 3.0? That then means that we just have a longer search space since all the easy stuff has been checked many times now.

I guess it also means that it should be possible to insert a hash of a known value into that location. But that isn't as convenient as figuring it out.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by bsnelson on 10-28-2002 10:16 PM:

Yes, but at least if you put in a hash of a known value, and it worked, you'd confirm that we're searching for the right thing...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by subuni on 10-29-2002 07:08 AM:

quote:
Originally posted by bsnelson
Yes, but at least if you put in a hash of a known value, and it worked, you'd confirm that we're searching for the right thing...



Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).

So, Otto probably has the right idea....
quote:
Originally posted by Otto
Unfortunately it's probably something like "CRACK THIS YOU UNDERGROUND FREAKS" or some such.


Posted by ADent on 10-29-2002 07:32 AM:

So which method did you use to modify the hash string? (There were several options listed in one of your earlier posts).


Posted by EdwinOlson on 10-29-2002 01:14 PM:

alright... thanks to subuni, we know it's SHA1 and there's no funny business.

Sadly, that also means that the backdoor password is probably quite long (since I've already searched over most short codes and I'm about half way through 7 characters). If I have some time this week, I'll try to finish my distributed client. Perhaps my code is slow, but 7 characters takes about a day to search. We'll need a lot of CPU! (My goal would be about 38 machines, which would let us do 8 chars in a day plus a bunch of likely longer codes.)

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by lmurray on 10-29-2002 02:18 PM:

7 chars takes 1 day to finish??? Hell, my 233Mhz linux box is still hacking through 7 chars. (Think the program hung?)

cool. let us know if we can help. I've got a 700Mhz box I can put on the job too.

-lloyd-

P.S. I tried searchpattern("? ? ? ? ? ?") and came up w/ nothing.


Posted by bsnelson on 10-29-2002 02:47 PM:

subuni - YEA!!!!

OK, now into speculation: All of the codes up until now have been short. Why? Because, presumably, it needs to be easy to enter. I think this would rule out Otto's choice. So, perhaps it's now something like "AAAAAAAAAAAAAAAAAAA": Easy to enter, yet long.

Another, almost opposite take: Say TiVo wanted to leave the mechanism to enable backdoors in, but didn't want people doing it. They could, for example, put a completely bogus SHA1 hash in, with the premise of sending a runme or some other update to change it if need be. If this were the case, it would be conceivable that there IS no password, i.e. nothing in the limited character set hashes to that value.

Let's hope for the former...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by lmurray on 10-29-2002 03:41 PM:

i'm now trying all 8 character solutions on a ~800Mhz box. I turned on the debugging so I can see where I'm at.
(in case anyone else is trying).

-lloyd-


Posted by barclay on 10-29-2002 03:54 PM:

Well, I'm starting 8 characters as well on my dual-proc ~800mhz box.

I think I might throw in my other PCs to the mix as well.


Posted by Otto on 10-29-2002 05:19 PM:

Well, at least we have a worst case scenario for 3.2 units: Someone writes a program to modify that value on the drive directly into a known hash.

If someone wants to be tricky about writing such a thing, here's the hash for "3 2 BC", so as to keep it a little separate (if you like):

115375040a7e5635b2f4afec691a0228c2586a14

quote:
Originally posted by EdwinOlson
alright... thanks to subuni, we know it's SHA1 and there's no funny business.


We also know it's expected endianness now too, BTW. So if you're still checking both, you can probably speed up your code a good deal.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by bsnelson on 10-29-2002 05:51 PM:

OK, I know this must be something stupid, but when I try to make the tivocrack app, I get the following:

code:
[root@fogo tivocrack]# make
g++ -O4 -o tivocrack tivocrack.o -lssl
tivocrack.o: In function `searchpattern_recursive(char *, int, char *)':
tivocrack.o(.text+0x2b4): undefined reference to `SHA1'
collect2: ld returned 1 exit status
make: *** [tivocrack] Error 1


If I "nm" the libssl.a, I get:

code:
[root@fogo openssl-0.9.6c]# nm /usr/local/ssl/lib/libssl.a | grep SHA
         U SHA1_Final
         U SHA1_Init
         U SHA1_Update


Ideas?

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by bsnelson on 10-29-2002 06:08 PM:

OK, maybe this is a difference in OpenSSL versions, but I had to use "-lcrypto" in the Makefile instead of "-lssl". Works fine now!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by StanSimmons on 10-29-2002 06:37 PM:

If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by lmurray on 10-29-2002 06:38 PM:

ok. i hacked on the code a bit this morning. I didn't want to output which string I was comparing every time because it slowed the process down. I added code to print out which code you are on when you press control-c (signal handling).

Anyway, if someone wants it, PM me.

I used gcc -lssl tivocrak.c to compile.

-lloyd-


at ABQHI5Q" in all possible 8 char combos.


Posted by bsnelson on 10-29-2002 06:38 PM:

OK, now that I've got it goin'...

I've tried all of the characters in the ALPHABET[], plus double quote and space, in strings of lengths up to 18 (e.g. A, AA, AAA, AAAA... B, BB, BBB) and no dice (though I didn't think it would be that easy).

Anyone want to split some of the bigger spaces?

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by TreborPugly on 10-29-2002 07:14 PM:

Asterisk?

Isn't there a way to enter an Asterisk "*" in wishlists? That isn't normally used in search by title, but it still may be possible to enter one. Should that be a possible character in your search string?

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by barclay on 10-29-2002 08:04 PM:

quote:
Originally posted by StanSimmons
If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.


I've attached a version I cobbled together to this post.

You'll need DevStudio to compile it, and will need to modify START_AT to pick a different start string for each machine and THREADS to match the number of processors for each box.

I'm working on tidying up the code that picks what thread is going to work on what so I can have it work across machines. If someone else decides to work on it, please PM me so we're not wasting each other's time.

Edit: Updated the source code
Edit: Deleted attachment. See here for the latest.


Posted by DVDerek on 10-29-2002 08:06 PM:

quote:
Originally posted by StanSimmons
If anybody has a compiled Win32 app that can crack this, I have a pool of 1.8Ghz Win2k machines that I can run it on at night and weekends.


I agree. I'm not a C programmer. I'm more of a scripter. So porting to Win32 is not my style. If someone did it though, I could run it night and day on a 1.4GHz, and an aditional midrange machine or two at work. I have no access to *Nix boxes.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by DVDerek on 10-29-2002 08:10 PM:

quote:
Originally posted by barclay
I've attached a version I cobbled together to this post.

You'll need DevStudio to compile it, and will need to modify START_AT to pick a different start string for each machine and THREADS to match the number of processors for each box.

I'm working on tidying up the code that picks what thread is going to work on what so I can have it work across machines. If someone else decides to work on it, please PM me so we're not wasting each other's time.



Wow. Ask and ye shall receive, huh? I will give it a shot when I get home tonight. If you get this working across different machines, then it'd be AWESOME if we could get a pre-compiled version that takes command line arguments. We could get many more people running it this way.

Thanks for the work!

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by tarman on 10-29-2002 08:27 PM:

quote:
Originally posted by DVDerek
Wow. Ask and ye shall receive, huh? I will give it a shot when I get home tonight. If you get this working across different machines, then it'd be AWESOME if we could get a pre-compiled version that takes command line arguments. We could get many more people running it this way.

I would be on it in a heartbeat!


Thanks for the work!


Posted by lmurray on 10-29-2002 08:54 PM:

if anyone cares, the tivocrack code from Edwin Olson works in cygwin under windows (along w/ the hacks i've made).

-lloyd-


Posted by tarman on 10-29-2002 09:05 PM:

quote:
Originally posted by lmurray
if anyone cares, the tivocrack code from Edwin Olson works in cygwin under windows (along w/ the hacks i've made).

-lloyd-



Thanks for the info Lloyd, but some of us have the equipment and the time to do a simple install and run, but do not have the Linux experience to do this (nor the time to learn how).

So, if we had access to a windows exe that we could fire off from a command prompt then we could add a lot of compute power to the fray

Tom


Posted by gregstoll on 10-29-2002 09:32 PM:

quote:
Originally posted by lmurray
ok. i hacked on the code a bit this morning. I didn't want to output which string I was comparing every time because it slowed the process down. I added code to print out which code you are on when you press control-c (signal handling).

Anyway, if someone wants it, PM me.

I used gcc -lssl tivocrak.c to compile.

-lloyd-


at ABQHI5Q" in all possible 8 char combos.



I have a version that I wrote similar to this. Working on 8 character combos now.

Don't forget, might as well compile with -O3 to get a tiny performance boost! :-)


Posted by bsnelson on 10-29-2002 10:04 PM:

Guys, at the very least, we should vary our alphabets, or at least the order, when searching these eight character spaces. I have a PIII/600 and a dual processor PIII/500 that I can run stuff on; I've modified the tivocrack program to optionally take an alphabet as an argument, and I'm currently running:

code:
[1]- Running ./tivocracks "BDMUSTIVO3210ACE" &
[2]+ Running ./tivocracks "ETAOINSRHLDCUMFPG0123 " &


The first is just a bunch of likely characters that have been previously discussed. The second is the first 17 letters plus some stuff from a letter frequency deal on a Google search (hardly scientific).

No hits yet...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by StanSimmons on 10-29-2002 10:36 PM:

Guys,

I have access to about 60 1.8GHz Win2K machines that I can run this on. I can't make large changes on these machines so I can't load Cygwin, but I can easily run a Win32 executable with some command line arguments on all 60 machines. If the input/output could be piped from/to a file, that would be good.

What I don't have is the time to install a compiler and compile the program.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by bsnelson on 10-29-2002 11:38 PM:

barclay, am I correct in seeing that your Windows version tries up to 20 character passwords? If so, maybe we should cut it down some; surely it's not that long!

Stan (and anyone else): I have a version of the Windows program that accepts an alphabet and a start_at string (both optional) from the command line. I haven't tested it much, but aside from the args, it does only what barclay's program does, nothing more, nothing less. PM me for the location..

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by EdwinOlson on 10-30-2002 12:08 AM:

I suggest using Cygwin to run tivocrack on Windows. Remember if you have multiple processors, you'll need to run 1 instance per processor.

I plan to post my new version tomorrow, which should support distributed coordination. Wee! There's a bunch of other useful stuff, like progress reporting that doesn't completely suck.

Otto- I've turned off all but 0123 and 3210 endian checks in my code; the endianness checks are actually very cheap, and I don't trust myself enough to pick just one

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 10-30-2002 12:17 AM:

Alright, this should be interesting.

Attached is a win32 command line executable. Just run it to begin cracking.

- It's just a command line program, so there's not much in the way of fancy graphics .. sorry.
- If you have a multiproc box run it with the number of threads you want created, ie, "TiVoCrack 2" will create two worker-threads.
- It requires a connection to the internet. Basically, Internet Explorer needs to be able to load web pages (I'm using the Windows Internet API), so proxies will work.
- When you get bored and want to reclaim your system, just hit Ctrl-C to have it gracefully shut down.
- If someone requests a workload and doesn't finish it within 24 hours, it'll be put back in the queue
- It leaves behind a log.txt file of anything it spews out, feel free to delete it.
- As it's running on a work load, it'll spit out the current string it's trying once every ten minutes. Otherwise, there's no progress meter, so don't expect much.
- Once someone finds a match, the server will have everyone's client shutdown (and I'll think about letting every know what that match was )

And finally, please bear with me. I've tested this on a few machines, but I have no clue how crazy it'll get when people start using it for real.

Go here for the latest version.


Posted by gregstoll on 10-30-2002 12:44 AM:

barclay - this is maybe a bit much to ask, but does it run on Linux? I've got my own stuff running but I'd rather be part of a distributed effort...


Posted by barclay on 10-30-2002 01:04 AM:

Well, there are two things preventing a *nix version

- Threads
- The Windows Internet APIs

I can make a single threaded version (mostly the issue is I don't have ready access to a Linux box, only BSD). The fact I cheated and used the Windows Internet APIs is probably the bigger deal. I'll have to actually do some of the legwork and use winsock like a real programmer.

I'll probably do it, but it might actually be better for EdwinOlson to talk to me. If he can modify his app to talk to my server (which is just a webserver), then all the *nix folks can just keep using his app and still join in the fun.


Posted by lmurray on 10-30-2002 01:20 AM:

i'd suggest a solution that could run on many platforms. (if we stick to ansi C/C++ we can do this.) cygwin is a solution for windows, and the install can just include the cygwin.dll. this code could also easily run on macosX.

and a suggestion for the server is that the progress be public (via the web) so we can see where we're at.

Anyway, barclay, when i run the code, i get:

10/29/2002 19:25:59: TiVoCrack 1.1 started
10/29/2002 19:25:59: Getting the next work load
10/29/2002 19:26:05:
10/29/2002 19:36:05:
10/29/2002 19:46:04:
10/29/2002 19:56:04:
10/29/2002 20:06:04:

it doesn't seem to print out the code it's working on. is this right? I'm running this under win98se.

thanks,
-lloyd-


Posted by barclay on 10-30-2002 01:41 AM:

Nope that's not right. When it's run you should see something like:

code:
10/29/2002 17:32:42: TiVoCrack 1.1 started
10/29/2002 17:32:42: Getting the next work load
10/29/2002 17:32:47: [QU46AAHA]


If you want, you can PM me with your IP next time it claims to be getting a work load, and I'll see if it's just a UI bug, or something else.


Posted by FUBAR on 10-30-2002 01:52 AM:

This is what i'm getting

10/29/2002 20:45:38: TiVoCrack 1.1 started
10/29/2002 20:45:38: Getting the next work load
10/29/2002 20:45:44: [WBR"AAIA]
10/29/2002 20:55:44: [CF4V1DIA]

__________________
You? you get no pony!

p::/w..eees:par/kcosmht.pey.ztx.xyzsp:t
F.U.B.A.R.


Posted by DarkHelmet on 10-30-2002 02:06 AM:

quote:
Originally posted by barclay
Well, there are two things preventing a *nix version

- Threads
- The Windows Internet APIs


Just post code and the problem will take care of itself.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by barclay on 10-30-2002 02:11 AM:

quote:
Originally posted by bsnelson
barclay, am I correct in seeing that your Windows version tries up to 20 character passwords? If so, maybe we should cut it down some; surely it's not that long!


Sorry I missed this post earlier.

It doesn't try 20 characters (that number has been bumped up to 30, btw). That's when it'll give up. It starts at one character, and then goes to two, and so on.

Right now, the current version is working on 8 characters.

I think it's a safe bet that people will stop running the app out of frustration before it hits the 30 character limit


And to those that asked for it, the updated source code is available in my earlier post.


Posted by bsnelson on 10-30-2002 02:15 AM:

FUBAR, it looks like you are running OK...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by barclay on 10-30-2002 02:18 AM:

Indeed. It appears to be a win98 problem.

I'll dig around on groups.google.com and see if I can figure out what I'm missing.


Posted by wallace on 10-30-2002 02:55 AM:

Well, I won't begin to understand a fraction of what you guys are talking about to break this code but I am always willing to help out when I can. I don't have 3.2 myself but at least this is something I can do to help the community. Barclay, it is off and running and for once my CPU is at max utilization


Posted by tarman on 10-30-2002 03:18 AM:

Barclay,

Does it go out on port 80? I will be running it behind a firewall on a couple of machines tomorrow and I need to make sure it gets out OK.

Running fine on 1.4GHz Dell system.

Does it report when it goes to a new length?

What is the 10 minute report?

Thanks,

Tom

__________________
Tom


Posted by lmurray on 10-30-2002 03:32 AM:

barclay,
is there a way that us unix/linux people can manually work on this? I'm assuming that you're dividing the search pattern between machines, using a full alphabet.

just a thought,
-lloyd-

how many cpus are we gonna need to crack this thing if it's 20 chars long?


Posted by bsnelson on 10-30-2002 03:38 AM:

1 hour, 40 minutes per workload on an Athlon 900Mhz, set to BelowNormal priority, with some light surfing going on...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by barclay on 10-30-2002 03:50 AM:

quote:
Originally posted by tarman
Does it go out on port 80? I will be running it behind a firewall on a couple of machines tomorrow and I need to make sure it gets out OK.


Yep, it runs on a normal web server on port 80. It should even work through caching proxies since every query to the server is unique.

quote:
Does it report when it goes to a new length? What is the 10 minute report?
It'll report the length of string it's working on. More precisely, every 10 minutes it spits out the last string it checked. So right now everyone is seeing 8 character strings reported every ten minutes (except for the win98 people). When we finish with this they'll just start being 9 character strings.

quote:
Originally posted by lmurray
is there a way that us unix/linux people can manually work on this? I'm assuming that u'r dividing the search pattern between machines, using a full alphabet.
I'm a bit wary of making a manual web page where people can enter batches they're working on by hand, too much can go wrong. If someone wants to add support to a unix client to query the page for results, let me know (or just figure it out from the source code). It's just a matter of loading a specific URL and dealing with the one line of text it responds.

quote:
how many cpus are we gonna need to crack this thing if it's 20 chars long?
A lot. My server will scale to a big number of clients, but I doubt we'll see enough people willing or able to run this app in this forum if it's 20 characters long.

In the end, this is all really frustratingly futile. If we do discover it, TiVo will just make it a few characters longer next time and we'll be really screwed. But, hey, it's fun to try


Posted by DVDerek on 10-30-2002 04:07 AM:

quote:
Originally posted by barclay
Alright, this should be interesting.
Attached is a win32 command line executable. Just run it to begin cracking.



AWESOME! I've got it running on my 1.4GHz machine now. I'll run it on 2-3 more at work tomorrow. Will we be able to tell who's computer cracked it (if it eventually does) by an IP address or something? It'd be fun!

Hopefully it'll be <= 10 characters. If not, we'll have to consider limiting the alphabet or something. I'm going to try and get "Non Tivoers" to help out with their CPU Time as well.

Just curious... how does it decide who to give what workload to? How long until a workload times out and is given to a second machine? Do you have a way of seeing what workloads have not yet been reported back?

Thanks,
Derek

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by JoeltheTiVoFan on 10-30-2002 04:08 AM:

Random thoughts on all this

I've started doing my part by having my machine run the distributed program. I seem to have the workload that has 8-character attempts ending in "XA" I am on "****TPXA" right now, after 1 hour, 10 minutes.

I may have to stop it when this workload ends... the right way for TiVo to have dealt with this problem is to leave the backdoor code as plaintext in the binary. Therefore, it would have been easy for us to find without TiVo incurring some liability by officially giving it to us. Truthfully, those backdoor codes make at least some of us very loyal users. Make it too hard to get to the backdoors, and other options might look more interesting.

A good technical company should provide a 'wink-wink-nudge-nudge' to the "friendly hacking community" (those who don't try to steal service, and always legally pay for anything they use, but like 'fiddling' with the products they buy)

-Joel


Posted by markp99 on 10-30-2002 04:12 AM:

Crunching here too...

up to: [66MI9Q9A]

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by drosoph on 10-30-2002 04:14 AM:

FUBAR, ... I started at [WBR"AALB] ...
Barclay, ... How are these distributed chunks broken up ????

__________________
TiVo Codes List -- tivo.drosoph.com


Posted by barclay on 10-30-2002 05:15 AM:

Each chunk is six characters of work. Ie, everything xxxxxxAB is a chunk. The chunk letters are given out in order (exception: see below) so that xxxxxxAA is handed out, then xxxxxxBA, eventually on to ...AB, and so on. When the two letter combinations are exhausted (which will happen with <space><space> .. I'm being thorough), it'll move on to ..AAA, and on wards. I hope that made sense.

A chunk has 24 hours after it's handed out before it's thrown back in the queue at the top.

And yes, I'll know the IP address and time of the result when the matching entry is found. Don't worry, I won't post the IP address, probably just the last quad so someone can take credit.

And if anyone's interested, so far I've received 24 completed packets, each taking an average of 1 hour 23 minutes to complete. Oh, and someone beat my dual-proc record of 1:00:06 by one second. Darn it
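
As an added example (not tivocrack, barclay's client or Ed's dclient, none of whose source is on this page), here is the scheme described in this thread in working Python: Otto's confirmation that it is plain SHA-1 over the typed string, barclay's chunking (a chunk is one fixed two-character suffix, every six-character prefix over the alphabet in front of it, handed out AA, BA, CA, ... with <space><space> last), the 24-hour lease before an unreported chunk goes back to the top of the queue, and Ed's point that checking a second byte order is nearly free if you pre-swap the target instead of the candidate. The alphabet ([A-Z][0-9]<space> plus the double quote seen in the work-load strings), the exact meaning of the "3210" check as a per-word byte swap, and the server's behaviour of dropping late results for a chunk it has already re-issued are my assumptions, not anything the thread states.

```python
import hashlib
import itertools
from collections import deque

# Assumed alphabet: the [A-Z][0-9]<space> set Ed says he is using, plus the double quote
# that shows up in the client's work-load strings. Space goes last so the final chunk is "  ".
ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" '
LEASE_SECONDS = 24 * 3600   # barclay's 24-hour lease before a chunk is re-queued


def sha1_hex(s):
    return hashlib.sha1(s.encode("ascii")).hexdigest()


def word_swap(digest):
    """Byte-swap each 32-bit word of a 20-byte digest (my reading of the "3210" endianness check)."""
    return b"".join(digest[i:i + 4][::-1] for i in range(0, len(digest), 4))


def chunk_suffixes(alphabet, suffix_len=2):
    """Chunk labels in barclay's hand-out order: AA, BA, CA, ... then AB, BB, ... (first char fastest)."""
    for combo in itertools.product(alphabet, repeat=suffix_len):
        yield "".join(reversed(combo))


def search_chunk(suffix, target_hex, alphabet=ALPHABET, prefix_len=6, both_endian=True):
    """Exhaust one chunk: every prefix of prefix_len chars followed by the fixed suffix.
    The target is swapped once up front, so the second endianness check costs one set lookup.
    Returns the matching string or None."""
    target = bytes.fromhex(target_hex)
    targets = {target, word_swap(target)} if both_endian else {target}
    tail = suffix.encode("ascii")
    for prefix in itertools.product(alphabet.encode("ascii"), repeat=prefix_len):
        candidate = bytes(prefix) + tail
        if hashlib.sha1(candidate).digest() in targets:
            return candidate.decode("ascii")
    return None


class WorkServer:
    """The queue side: hands out chunks, re-queues any not reported back within the lease,
    and stops handing out work once a match has been reported."""

    def __init__(self, alphabet=ALPHABET, suffix_len=2, lease=LEASE_SECONDS):
        self.queue = deque(chunk_suffixes(alphabet, suffix_len))
        self.outstanding = {}    # suffix -> (client, time issued)
        self.done = set()
        self.match = None
        self.lease = lease

    def expire(self, now):
        for suffix, (client, issued) in list(self.outstanding.items()):
            if now - issued > self.lease:
                del self.outstanding[suffix]
                self.queue.appendleft(suffix)    # back in at the top of the queue

    def get_work(self, client, now):
        self.expire(now)
        if self.match is not None or not self.queue:
            return None          # client should shut down
        suffix = self.queue.popleft()
        self.outstanding[suffix] = (client, now)
        return suffix

    def report(self, suffix, client, now, found=None):
        # Assumption: a result for a chunk that already expired is dropped; the re-issued copy covers it.
        if suffix not in self.outstanding:
            return False
        del self.outstanding[suffix]
        self.done.add(suffix)
        if found is not None:
            self.match = (found, client, now)
        return True


def demo(alphabet="ABC 0", secret="B C0"):
    """Constructed end-to-end run: a 5-char alphabet and 2-char prefixes keep it well under a second.
    One client pulls chunks until the server reports a match or runs dry."""
    target = sha1_hex(secret)
    server = WorkServer(alphabet, suffix_len=2)
    now = 0
    suffix = server.get_work("client1", now)
    while suffix is not None:
        found = search_chunk(suffix, target, alphabet, prefix_len=2)
        server.report(suffix, "client1", now, found)
        now += 60
        suffix = server.get_work("client1", now)
    return server.match


if __name__ == "__main__":
    print(demo())
```

The real clients differ in transport (one HTTP GET per chunk returning a single line) and the real alphabet is 39 characters, so a six-character prefix is 39^6, roughly 3.5 billion hashes per chunk; the hour-and-twenty-minute chunk times quoted above are consistent with that on a 2002 desktop. What does not change with scale is the lesson of the design: the search is embarrassingly parallel because each chunk is independent, and the only coordination state is the lease table.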


Posted by StanSimmons on 10-30-2002 05:28 AM:

Any chance of making it a service that I can leave loaded without leaving the machine logged in?

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by JoeltheTiVoFan on 10-30-2002 05:45 AM:

My TivoCrack copy is not using any CPU

The log gives me a feeling that it got through most everything in *****XA

...the last entry in the every-10-minute log is 26RAW<space>XA


...now I am just sitting there...

I would think I'd get another chunk to run or something...

I've included the log file..

-Joel


Posted by barclay on 10-30-2002 05:49 AM:

JoeltheTiVoFan, I'm guessing by the time I post this everything is okay.

The UI thread is the one responsible for making the request for the next chunk, and it'll do that when the worker thread is done. As the log sits, the worker thread is likely done, and just waiting for the UI thread to wake up at 21:47:08 and do it's thing.

It's a bit wasteful, but in the grand scheme of things, it works


Posted by JoeltheTiVoFan on 10-30-2002 05:57 AM:

Thumbs up You're right - it's working! Now on the ******DC chunk!

Thanks!

-Joel


Posted by EdwinOlson on 10-30-2002 05:58 AM:

Humph. My distributed client is almost done. Wish you'd said you were working on one. Actually, mine is currently working, but it needs a bit of cleanup before I subject other people to it.

We're both insignificantly into the 8 char keyspace. Here's the question(s)-

Shall we take a day to combine our results? Have your windows code talk to my server, or vice versa? i.e., you provide windows clients, I provide linux clients? Perhaps our code can cross pollinate (or are you using mine? I dunno?)

My backend implementation sounds like it might be a bit more hard core than yours, but you were short on details I'm using a MySQL-backend with an eye towards supporting real-time stats via the web... Like you, I'm using HTTP for data transport.

Or, we could stay independent and verify each other's results. Probably silly.

What do you think?

-Ed

PS: If any of you want to play with my code, it's here: http://eolson.dyndns.org/dtc/dclient.tgz. After building it, you run it with "./dclient http://eolson.dyndns.org/dtc/getwork.php YOURUSERNAME"

Please note that this is purely for feedback/debugging, and I plan on throwing away any completed blocks some time tomorrow. Also, you may notice ludicrous amounts of debug messages. Those will go away.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by subuni on 10-30-2002 06:02 AM:

quote:
Originally posted by ADent
So which method did you use to modify the hash string? (There were several options listed in one of your earlier posts).


Since I already had the drive in my PC (making a virgin Series2 backup image), I hexedit'ed the /dev/hda12 ("MFS App Region 2") partition. On non-80 hour units, it may be in /dev/hda10 -- I can't say since I haven't seen a non-80 hour unit.

There were two occurrences of the hash I had posted on the first page of this thread (As I had anticipated -- One was in the slice file in /SwModule, while the other was a ResourceItem -- the one that matters). I changed both to the known hash from 3.0, popped the drive back into the TiVo, and was able to enable backdoors. If there is enough demand, I can easily write a little patch program to automate the hash change. It would require pulling the drive to a PC, however.
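
The post above is the important security observation in this thread: the box only compares SHA-1(what you type) against a value sitting in a writable region on disk, so anyone with the drive in a PC does not need a preimage at all, they can swap the stored verifier for one whose preimage is already known. As an added example of the "little patch program" subuni offers (my code, not his, and not anything shipped with the TiVo), this patches a dd copy of the app region. The two hash values are constructed stand-ins of the right length, since the real 3.2 and 3.0 hashes are on the first page of the thread and not on this page; the hash is assumed to be stored as 40 ASCII hex characters as posted (if a unit stores the raw 20 bytes, pass bytes.fromhex(...) for both values instead). The refusal to patch unless exactly two copies are found mirrors what subuni saw by hand.

```python
# Constructed stand-ins: same length as a hex SHA-1, NOT the real 3.2 / 3.0 values.
HASH_32 = b"0123456789abcdef0123456789abcdef01234567"   # stands in for the 3.2 hash found on disk
HASH_30 = b"fedcba9876543210fedcba9876543210fedcba98"   # stands in for the known 3.0 hash


def find_all(data, needle):
    """Offsets of every non-overlapping occurrence of needle in data."""
    offsets = []
    i = data.find(needle)
    while i != -1:
        offsets.append(i)
        i = data.find(needle, i + len(needle))
    return offsets


def patch_hash(data, old, new, expect=2):
    """Return (patched copy of data, offsets patched).
    Same-length replacement only: this is a raw region with no headers to fix up, so nothing
    may shift. Refuses to touch the image unless the occurrence count matches what was seen
    by hand (two: the slice file in /SwModule and the ResourceItem that actually matters)."""
    if len(old) != len(new):
        raise ValueError("old and new must be the same length")
    offsets = find_all(data, old)
    if len(offsets) != expect:
        raise ValueError(f"found {len(offsets)} occurrence(s), expected {expect}; not patching")
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + len(old)] = new
    return bytes(buf), offsets


def patch_file(path, old=HASH_32, new=HASH_30, expect=2):
    """Patch a dd copy of the app region (e.g. /dev/hda12 on an 80-hour unit) in place,
    writing a .bak copy first so the change can be undone."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".bak", "wb") as f:
        f.write(data)
    patched, offsets = patch_hash(data, old, new, expect)
    with open(path, "wb") as f:
        f.write(patched)
    return offsets


def demo():
    """Constructed blob carrying two copies of the stand-in hash, like the two hits subuni found."""
    blob = (b"slice:" + HASH_32 + b"\x00" * 16
            + b"ResourceItem:" + HASH_32 + b"\x00" * 8)
    patched, offsets = patch_hash(blob, HASH_32, HASH_30)
    return patched, offsets


if __name__ == "__main__":
    _, offs = demo()
    print("patched at offsets", offs)
```

Because patch_file reads the whole dump into memory, use it on a copy of the single partition rather than the whole drive; the same find-and-replace works with mmap if the region is too large to read at once. Which partition holds the active app region depends on the unit, as subuni notes, so check both hda10 and hda12 before writing anything back.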


Posted by barclay on 10-30-2002 06:15 AM:

I think we both said we were working on this sort of thing near the same time

I'd be happy to have my client talk to your servers. My server is proven, and I'm proud of it. But if you have some sort of stat pages ready as well, yours is probably more useful.

As far as source code similarity: I tried to migrate your code over to compile cleanly on Win32 (without cygwin), but I quickly gave up. What's running is from scratch. Comparing the two is about as much fun as comparing any Win32 and Unix program.

I'll email you to see if there's some way I can trick my server to act as a dummy to talk to yours just so I can minimize client turn-over.

Edit: Fix typos, and made the post make sense.


Posted by bsnelson on 10-30-2002 06:23 AM:

Well, you guys are the masterminds of this operation, but I can say, for me, there's value in having both *nix and Windows. I have access to the following (mostly sad) machines for the search:

900Mhz Duron - Windows
600Mhz PIII - Linux
500Mhz dual PIII - Linux
400Mhz PIII - Windows
350Mhz PII - Windows

So I've got 1.6Ghz of Linux and 1.65Ghz of Windows.

yes, I know, it's comparing apples and hammers...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by mstroh on 10-30-2002 06:56 AM:

Thanks, I've got it running on two of my computers. (a 600 MHz Xeon [Win98SE] and a 2.2GHz P4 [WinXPPro]).

One problem, my XP system seems to be locking up. I am also running the United Devices program, should I turn this off in the mean time?

Also, can the computer be restarted without a problem with the Tivocrack program?

On a side note, I'm a long time lurker and finally found a way that I can help.

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by EdwinOlson on 10-30-2002 07:03 AM:

A little compute can go a long way Join one and all, I say!

I believe both barclay's code and my code will deal fine with hosts rebooting (and abandoning work units). (I'm sure mine can, at least.

FYI: i just fixed a stupid little bug in my code that would cause the server to reject blocks (cuz it thinks you're trying to confuse it!), so if you downloaded the code before 2AM, grab it again please.

Sounds like barclay & i are going to collaborate on handing out blocks. Very cool... windows and linux working together.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by bsnelson on 10-30-2002 08:20 AM:

OK, EdwinOlson, I have my "big" (ha!) Linux boxen running your code now, once on the 600Mhz and twice on the dual 500. All three appear to be chewing vigorously...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by tarman on 10-30-2002 02:15 PM:

Are we "light" on SPACES

Guys,

From previous releases it seems that the code has always been single or double characters separated by SPACEs.

Should we not be concentrating the compute power on sequences that include SPACEs. (Maybe we are?!?)

Just a thought,

Tom


Posted by markp99 on 10-30-2002 02:17 PM:

My later batches have had spaces distributed through the 8char string...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by lmurray on 10-30-2002 02:39 PM:

has the 7 character space been fully checked ?


Posted by DVDerek on 10-30-2002 02:43 PM:

Subuni... I can't believe no one's asked yet but.... Have you noticed anything new/different/cool in 3.2 with backdoors enabled. Also, from what you said earlier about which strings you replaced, it seems apparent that we STILL aren't sure which one it is (since you replaced both strings). Is this true?

It'd be a big bonus if you could get your servers co-operating in handing out blocks. Stats are cool, but unnecessary. I guess it'd be cool if barclay's server could report results to Ed's but it's more important to have them coordinate on what blocks to give out!

Please let this thing be less than 10 chars!

Gonna get barclay's code running on 2-3 more machines today.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by TK-421 on 10-30-2002 02:43 PM:

Just added my 667 at work running on Win2k.. let's hope for the best.

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by EdwinOlson on 10-30-2002 03:46 PM:

To whoever asked: I am concentrating on search spaces containing spaces. And the 7 char space is finished.

I have a release candidate here:

http://www.blisstonia.com/dtc

Please kick the wheels. At this point, I do not expect to have to throw away any blocks, and we're already searching portions of the 8 char space. In fact, there are 4 of us already running it!

While this version passes "internal quality control", there will doubtless be a revision to the client sometime tomorrow afternoon. It will probably only be cosmetic changes, but no promises! (Users tend to find bugs, damn them!) So, if you want to install this version, Super! But if you only want to install the code once, wait until tomorrow afternoon.

Please let me know how it goes!

-Ed

PS: I'm not worrying about windows clients at the moment. I think the plan is for barclay's client to talk to my server, but it hasn't happened yet.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 10-30-2002 04:12 PM:

Indeed, that's looking like the plan. I'm talking to Ed, and will probably begin working on modifying my client to talk to his server, so there might be a new version today or tomorrow.


Posted by dkroboth on 10-30-2002 04:18 PM:

Is there any way to pause the Windows version? Running it is causing some problems with another CPU intensive process I have to run very infrequently. So, if I want to use that program I need to pause tivocrack for about 15-30 seconds.

Dan


Posted by bsnelson on 10-30-2002 04:24 PM:

OK, I'm running as full-bore as I can - I've got all suitable Windows boxen running barclay and suitable Linux running EdwinOlson (I don't consider my PI/133 firewall and 386/40 backup firewall to be suitable! )

Crackin', crackin', crackin'... keep those crackers crackin'!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by jDot on 10-30-2002 04:29 PM:

Alphabet

This is my first post; I've been lurking for about a year. Anyway....
I noticed that the various alphabets used so far are all missing the asterisk '*'.

Am I off base here or should we be including it?

BTW I was well into 7 char search (with * included) when we had a power glitch. I'll keep plugging.


Posted by barclay on 10-30-2002 04:29 PM:

I might look at adding that as an option eventually (but probably not in time for the next release).

In the meantime, you can bump down its priority using Task Manager in Windows NT/2K/XP. Hit Ctrl-Shift-Esc, go to processes, find TiVoCrack, and right click on it. Change the priority to Low, and ignore the warning. You can leave it at this priority, so it doesn't get in the way of your system when you're doing something else.


Posted by bsnelson on 10-30-2002 04:32 PM:

quote:
Originally posted by dkroboth
Is there any way to pause the Windows version? Running it is causing some problems with another CPU intensive process I have to run very infrequently. So, if I want to use that program I need to pause tivocrack for about 15-30 seconds.

Dan

Dan, what Windows flavor are you running? In the NT family, you can set the priority with the task manager; I set my barclay to "BelowNormal" after starting it, and it seems to work fine, and my machine is just as responsive as it always is.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by Jonathan_S on 10-30-2002 04:36 PM:

I just kicked a few of linux boxes into working on EdwinOlson's client.

2 dual 533s and a dual 750.

__________________
Sony T-60 - 109 hours


Posted by rbiro on 10-30-2002 04:37 PM:

Increasing performance on multi-processor Windows boxes

A while back I read that DevStudio compiled apps by default using a sub-par heap manager while a better one is sitting idle.

Somewhere in TivoCrack's environment add:

set __MSVCRT_HEAP_SELECT=__GLOBAL_HEAP_SELECTED,1

Most likely, just put it in the global environment and apply. Then re-start TivoCrack under the new environment

The explanation:
Configuring VC++ Multithreaded Memory Management


Posted by dkroboth on 10-30-2002 04:43 PM:

quote:
Originally posted by bsnelson
Dan, what Windows flavor are you running? In the NT family, you can set the priority with the task manager; I set my barclay to "BelowNormal" after starting it, and it seems to work fine, and my machine is just as responsive as it always is.

Brad



Win2K. Excellent. That works. It shocks me the crap I have no idea how to do in Windows (worked on Unix boxes almost exclusively until about 5 months ago.) I just hope I didn't munge anything up by ^C the TiVoCrack I was running earlier. I didn't want to have to explain that I wasn't getting work done because I was running TiVoCrack.

Dan


Posted by EdwinOlson on 10-30-2002 04:54 PM:

How do you enter a '*' on the remote?

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by DVDerek on 10-30-2002 05:00 PM:

Ed and Barclay:

What alphabets are you both working on? I hope you're using the same alphabet.

At what point do we give up on a full alphabet crack and target characters we have reason to believe are in there.

What about a "known-plaintext" attack on "BC" or "B C" or something like that?

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by quadra on 10-30-2002 05:06 PM:

Fixes for dclient

Ok, for those of us fortunate enough to not be running Redhat.. there are some fixes to help compile dclient on other distributions of linux and even BSD. So here goes...

In Makefile, line 8:
Change: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypt -mhash
To: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypto -mhash

For BSD systems..

In tivocrack.cpp

Change:
#include <netinet/in.h>

To:

#include <sys/types.h>
#include <netinet/in.h>


In: SSocket.h

Change:
#include <sys/socket.h>

To:
#include <sys/types.h>
#include <sys/socket.h>


Posted by EdwinOlson on 10-30-2002 05:06 PM:

I'm currently using [A-Z][0-9]<space> and planning on adding " and possibly * (if that can actually be entered) in the next experiment.

I've searched the alphabet "TIVOBDAC320<space>" (plus a couple other letters, I can't remember) up through length 8+. We may try again now that we have so much more CPU power!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by jDot on 10-30-2002 05:08 PM:

IIRC Asterisk is entered with the 'slow' button


Posted by bsnelson on 10-30-2002 05:54 PM:

OK, I don't know if it's different on the new boxes, but I just went to "Search By Title" on one of my DTivos running 2.5.2, and here's what I found:

20 characters max
Only possible characters are A-Z, 0-9 and space
It is NOT possible, in this screen, to enter an asterisk or a (double) quote (although you CAN on wishlists)

So, it seems to me that the canonical alphabet would be:

"ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"

Now, I suppose it's possible that TiVo's gotten tricky on us and moved the backdoor entry to the wishlist screen, but come on, what are the chances?

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by markp99 on 10-30-2002 06:15 PM:

Also, are we sure about the final "thumbs-up" keystroke to enable??

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by colemanr on 10-30-2002 06:20 PM:

quote:
Originally posted by subuni
Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).

So, Otto probably has the right idea....



Based on the post quoted above, nothing has changed with regard to where or how to enter it.

__________________
Rob


Posted by lmurray on 10-30-2002 06:55 PM:

EdwinOlson,
dclient works well under cygwin. I added -lcrypto to the Makefile.

-lloyd-


Posted by TreborPugly on 10-30-2002 06:55 PM:

Has anyone who has actually looked at the 3.2 code and/or replaced the hash string tried hash strings for some entry other than "3 0 BC", or verified that the code which checks this entry always does the same thing?

I could come up with many easy code changes that would make it appear that the entry code and hash are handled the same as they are in 3.0, but really handle them differently.

For example, they might use the old process if you enter a 6 character code, but for a 7 character code do something different like reverse the order first, or some other transformation.

A quick check for something like this, (if you can't verify it in the source code) might be to enter the hash table for some known codes of different length, and verify that they work to turn on back doors.

We are hypothesizing that Tivo decided to do a longer code, really for the only purpose to slow down the discovery of that code. However, what would be their purpose in this? If all they do is increase the time slightly before the back door code is generally known, why bother? If, however, they wish to actually make it much less likely that the code would be discovered, their only choice would be to somehow change the encryption/authentication routine.

So here are the scenarios as I see them:

1. Ed and Brad have appropriate test code, with a sufficient alphabet, and Tivo has just increased the pass-code length. (unlikely, since what is in it for Tivo other than a few more weeks before the code is found)

2. Ed and Brad have appropriate test code, with an insufficient alphabet, and the Tivo pass-code is <8 characters long (only possible if *, ", or others do work in search by title on version 3.2. I have 3.2, and I'll try to make other characters tonight)

3. We have a sufficient alphabet, the Tivo pass-code is still short, but the test code is no longer appropriate. (how likely?)

4. We have a sufficient alphabet, the Tivo pass-code is now longer, and the test code is no longer appropriate. (how likely?)

5. We have an insufficient alphabet, the Tivo pass-code is now longer, and the test code is no longer appropriate. (God, I hope not)

My instinct, given the early failures is that TiVo has done something to make it less likely that we discover the code. Can anyone who knows better shoot down my theory? I didn't pay attention to how long it has taken in the past to discover the code, so maybe I'm just expecting results too soon?

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by tarman on 10-30-2002 06:58 PM:

Barclay,

Please put the "......KJ" group back into the pool. My machine crashed while running it and upon restart, it grabbed a whole new set, leaving this set unfinished.

Tom

__________________
Tom


Posted by DarkHelmet on 10-30-2002 07:08 PM:

quote:
Originally posted by TreborPugly
Has anyone who has actually looked at the 3.2 code and/or replaced the hash string tried hash strings for some entry other than "3 0 BC", or verified that the code which checks this entry always does the same thing?


Yes. Read a few pages back. If you insert the value for a known plaintext, then it works as expected. There is even a screen capture posted showing that it works.

So that means we know it is on the right page. We know what the worst case dictionary is (alpha + numeric + space), the maximum length (20 chars), the byte swapping etc.

All we need is the key.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by bsnelson on 10-30-2002 07:13 PM:

I think what Trebor was saying was that we should generate some other hashes and verify them, varying the length and content, e.g.

32BC
B D 3 2
AAAAAAA
BACKDOOR

If we generated hashes for all of these, and tried each one in turn in the same manner that "3 0 BC" was verified, we could be fairly sure that they aren't pulling any monkey business on us, on top of the SHA1 hash.

Man, don't you know there's a continuous wave of laughter in Alviso right now over all of this...



Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by DVDerek on 10-30-2002 07:18 PM:

quote:
Originally posted by tarman
Barclay,

Please put the "......KJ" group back into the pool. My machine crashed while running it and upon restart, it grabbed a whole new set, leaving this set unfinished.

Tom



As I understand it, that set will time out eventually and the server will give it out to someone else. No worries.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.
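
The work-unit bookkeeping DVDerek describes (a block that is checked out but never reported finishes its lease and is handed to someone else), as an added example. This is not code from the thread or from either crack client; it models the server side only. Block names, the one-hour lease and the timestamps are constructed for the example, and the class and method names are this example's own.

```python
"""Work-unit leasing for a distributed search (constructed example).

A client checks a block out, the block is leased for a fixed time, and if
the client never reports back (a crash mid-block, as with the "......KJ"
set) the lease expires and the block goes to the next client that asks.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Lease:
    user: str
    issued_at: float


@dataclass
class WorkServer:
    lease_seconds: float
    pending: deque = field(default_factory=deque)  # blocks not yet handed out
    leased: dict = field(default_factory=dict)     # block name -> Lease
    done: set = field(default_factory=set)
    issued: int = 0                                # hand-outs, including re-issues

    def add_blocks(self, names):
        self.pending.extend(names)

    def _expire(self, now):
        """Move blocks whose lease has run out back to the front of the queue."""
        expired = [b for b, l in self.leased.items()
                   if now - l.issued_at >= self.lease_seconds]
        for block in expired:
            del self.leased[block]
            self.pending.appendleft(block)
        return expired

    def checkout(self, user, now):
        """Hand the next block to `user`, or return None when nothing is left."""
        self._expire(now)
        if not self.pending:
            return None
        block = self.pending.popleft()
        self.leased[block] = Lease(user, now)
        self.issued += 1
        return block

    def report(self, user, block, now):
        """Record a finished block. Accepted from the current lease holder, or
        as a late report for a block that was re-queued but not yet re-issued;
        anything else (unknown block, someone else's lease, a duplicate) is
        ignored so a single misbehaving client cannot mark work as done."""
        self._expire(now)
        lease = self.leased.get(block)
        if lease is not None and lease.user == user:
            del self.leased[block]
        elif block in self.pending:
            self.pending.remove(block)
        else:
            return False
        self.done.add(block)
        return True

    def finished(self):
        return not self.pending and not self.leased


def simulate():
    """Replay the incident with constructed timestamps: tom's machine crashes
    while holding "......KJ", takes a new block on restart, and "......KJ" is
    re-issued to ed once its one-hour lease has expired."""
    srv = WorkServer(lease_seconds=3600)
    srv.add_blocks(["......KJ", "......KK", "......KL"])
    log = []
    log.append(("tom", 0, srv.checkout("tom", 0)))       # gets KJ, then crashes
    log.append(("tom", 600, srv.checkout("tom", 600)))   # restart grabs KK
    srv.report("tom", "......KK", 1800)
    log.append(("ed", 3000, srv.checkout("ed", 3000)))   # KL; KJ still leased
    srv.report("ed", "......KL", 3500)
    log.append(("ed", 4000, srv.checkout("ed", 4000)))   # KJ, lease expired at 3600
    srv.report("ed", "......KJ", 5000)
    return srv, log


if __name__ == "__main__":
    server, events = simulate()
    for user, t, block in events:
        print(f"t={t:>5}  {user:<4} got {block}")
    print("all blocks accounted for:", server.finished())
```

The lease length is the trade-off: too short and a slow client's block is re-issued while it is still being worked (duplicated effort), too long and a crashed client's block sits idle, which is exactly the "......KJ" complaint.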


Posted by Tonybeans on 10-30-2002 07:28 PM:

It's lost on me why TiVo wants to hide this so badly.

They include it in the software, they know we want it, they don't really care if we use it, and once it's found it's not rocket science for any web-savvy user to get the code from sites like this. Why can't they just leak it and let us get back to the "features" we've come to expect from backdoors?

Regardless, I'm sure I speak for thousands when I say thanks for your hard work!


Posted by TreborPugly on 10-30-2002 07:37 PM:

quote:
Originally posted by DarkHelmet
Yes. Read a few pages back. If you insert the value for a known plaintext, then it works as expected. There is even a screen capture posted showing that it works.




The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by dkroboth on 10-30-2002 07:52 PM:

quote:
Originally posted by TreborPugly
The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.

Treb.



That seems unlikely, because the 3 0 BC was tried by others before the replacement method was tried. There has been independent verification of the replacement method, right?

Dan


Posted by DVDerek on 10-30-2002 08:37 PM:

It's a bit unsettling how long 8 character search seems to be taking. There have to be 50+ machines running this by now. I knew it'd be an expensive search, but wow!

My point is... should we consider limiting the alphabet and searching through a length of like 10 characters with that before we do the exhaustive search?

Also, I am concerned because earlier SubUni indicated that he replaced two strings with the old "known" hash from 3.0 and got backdoors enabled (at least that's how I understood it) because he wasn't sure which one it actually was. Are we checking against both strings or just the one we ASSumed was the correct string? Am I missing something here?

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by gregstoll on 10-30-2002 08:40 PM:

quote:
Originally posted by dkroboth
That seems unlikely, because the 3 0 BC was tried by others before the replacement method was tried. There has been independent verification of the replacement method, right?

Dan



Plus they looked at the assembly code and there didn't seem to be any funny business. Although it wouldn't hurt to try...


Posted by dkroboth on 10-30-2002 08:56 PM:

Also, and this is kind of a dumb thing, but have we checked and made sure the distributed clients would pick up the 3.0 code from the hash? I realize that this code came from that crack program, but has it been checked that those still work?


Posted by barclay on 10-30-2002 09:08 PM:

I can't speak for EdwinOlson's version, but my version was initially run with the 3.0 hash, and it found it (rather quickly too).

Fwiw, I'm nearly done with an updated version of the Windows client that talks to EdwinOlson's server. It should be ready in a couple of hours. (Actually, it's done now, I'm just verifying that it works by running a work unit myself first).


Posted by Otto on 10-30-2002 09:11 PM:

quote:
Originally posted by bsnelson
I think what Trebor was saying was that we should generate some other hashes and verify them, varying the length and content, e.g.



Well, I see nothing to suggest they were *that* tricky about it, but if someone is bored enough to give it a shot...

32BC - e69916b31b2c8bd2108244af69a927305dbda1ee
B D 3 2 - 182fc6d19730e5765bb725b232be8e7659e34f5b
AAAAAAA - 9d86b2f92692cce63fd890b939c85e80859ccc15
BACKDOOR - 389dd8d6e5d37ccb8f532a989c59baa782a5d794

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by GBL on 10-30-2002 09:15 PM:

On my PC one set takes about 1 hour to go through. Given that and that there are 38*38 sets (=1444) it would take 50 PCs about 29 hours to crunch through (if my math is correct).

barclay, what do your server stats look like? Can you confirm the effort?

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by Otto on 10-30-2002 09:18 PM:

quote:
Originally posted by DVDerek
It's a bit unsettling how long 8 character search seems to be taking. There have to be 50+ machines running this by now. I knew it'd be an expensive search, but wow!


Expensive isn't even the right word for it. If the character set is A-Z,0-9,Space then the total possible combinations of 8 characters is 3,512,479,453,921. Three and a half trillion possibilities.

Total possible number of 7 characters is only 94,931,877,133, about 95 billion entries. Every character you add = 37 times as long to search the keyspace.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by tarman on 10-30-2002 09:19 PM:

One more idea. Since the previous codes have been of the form:
"x...x xx" or "x....x x" would it not be a good idea to parcel out the
"xxxxxx A", "xxxxxx B", ... groups first? I know the groups being
done now cover the "xxxxx xx" cases (although only a few per
assigned test group), so maybe one of the "experts" could
dedicate a special program version that tests all "xxxxx xx"
cases first.

Tom

__________________
Tom


Posted by Otto on 10-30-2002 09:26 PM:

tarman: The obvious cases are easier to test, and mostly already tested independently. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.

You can name any case you like this way; only the number of changeable characters is what controls the number of possibilities. And all the most obvious cases are under 6 changing characters.

An exhaustive search is the last resort, really.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by bsnelson on 10-30-2002 09:27 PM:

I think we'll have the whole 8 character space done before long. One of my barclay runs is servicing the xxxxxxJK space currently (his version reverses the order of the search, i.e. xxxxxxAA, xxxxxxBA... xxxxxx9A, xxxxxxAB etc.), so we should be getting close to halfway. That's checking EVERY combination of eight with letters, numbers, space and even the double quote.

It's if we don't get a hit on eight that it starts to get interesting...

EDIT: I just got a xxxxxx3M work unit at 3:30PM CST



Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by EdwinOlson on 10-30-2002 09:28 PM:

Regression tests-

Yes, I periodically submit a test block on the old 3.0 password and make sure that someone reports success.

Which means, if you see "***Success***", you might want to make sure it's not '3 0 BC'

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by DVDerek on 10-30-2002 09:29 PM:

quote:
Originally posted by Otto
Expensive isn't even the right word for it. If the character set is A-Z,0-9,Space then the total possible combinations of 8 characters is 3,512,479,453,921. Three and a half trillion possibilities.

Total possible number of 7 characters is only 94,931,877,133, about 95 billion entries. Every character you add = 37 times as long to search the keyspace.



Expensive in the "computer sense" might not be the right word for it (as the calculations are no more complex, just more of them to make). But in the business sense (TIME IS MONEY), it sure is!

Barclay and Ed have done wonders. Can we have any idea how many machines are working on this? I've got 4 going on it. At any given time, 3 will be full throttle while 1 will be a lower priority process (as I'll be using one machine). Actually, overnight all 4 will go full throttle. No luck getting non-tivoers to run it as they all just laugh at me. Oh well.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by Otto on 10-30-2002 09:29 PM:

The double quote doesn't need to be checked, BTW. It can't be entered on Search by name.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Otto on 10-30-2002 09:35 PM:

quote:
Originally posted by DVDerek
Expensive in the "computer sense" might not be the right word for it (as the calculations are no more complex, just more of them to make). But in the business sense (TIME IS MONEY), it sure is!


No, I got the meaning.. I just meant it's way beyond "expensive". Wait until you hit 9-10 characters.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by TreborPugly on 10-30-2002 09:46 PM:

quote:
Originally posted by Otto
No, I got the meaning.. I just meant it's way beyond "expensive". Wait until you hit 9-10 characters.


For higher character searches, wouldn't it be reasonable to assume that the code will include at least one (probably two) spaces, and at least one (probably two) numbers. And, for that matter, at least one (probably two) letters? A few constraints like this and the 9-10 spaces get smaller than the 8 character, unrestricted space.

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by Jonathan_S on 10-30-2002 09:48 PM:

DVDerek
I have a total of 7 up right now, all dual proc linux machines running between 533 and 750 MHz.

I've got three more boxes I will add tonight, they are turned off so I have to wait until I can physically access them.

[All these computers had been participating in the distributed.net search for the rc5-64 key, which was recently found.] About half of them are a friend's, but he said it was cool to run this search on them.

__________________
Sony T-60 - 109 hours


Posted by subuni on 10-30-2002 09:51 PM:

quote:
Originally posted by TreborPugly
The only plaintext checked and posted, was the code for "3 0 BC". My suggestion is that someone try a few other plaintext codes. If they were going to monkey with us, they might well hard-code an acceptance of this plain text / hash table pair.


Although I think that's unlikely, it's a very good point. Otto had posted "115375040AE75635B2F4AFEC691A0228C2586A14" - "3 2 BC" earlier in this thread (page 4). I've replaced the hash on my 3.2 system with that, did "3<space>2<space>BC<thumbsup>" in "Search By Title", and got backdoors enabled.

quote:
Originally posted by DVDerek
Subuni... I can't believe no one's asked yet but.... Have you noticed anything new/different/cool in 3.2 with backdoors enabled. Also, from what you said earlier about which strings you replaced, it seems apparent that we STILL aren't sure which one it is (since you replaced both strings). Is this true?


I don't really use backdoors. I made sure I could view log files (clear-enter-clear-thumbsup) and that I could rebuild the suggestions. Those are the only two backdoors I use, and both worked. I tried the Teach TiVo code from 2.0, but it didn't work.

I know which hash it is to modify when in MFS. When I was hexediting it, I didn't really care to spend time figuring out which was which. Just as easy to modify both. Yet again I know which two I'm modifying, one is in a slice file (swsystem-7507302-53.slice -- think of it like a mini-TiVo rescue file. If something goes wrong on the TiVo, it may try and restore from this file to get things working). The other location is the one that gets read (and needs to be changed in order for the backdoor code to work), detailed below.

For the MFS example, which essentially came from the thread referenced on the first page of this thread.

code:
% mls /SwSystem
Directory of /SwSystem starting at ''
        Name                 Type         FsId      Date  Time     Size
        ----                 ----         ----      ----  ----     ----
        3.2.0-01-2-240       tyDb         2312    08/20/02 19:02     688
        ACTIVE               tyDb         2312    08/20/02 19:02     688
% dumpobj 2312
SwSystem 2312/11 {
        Active           = 1
        DbMajorVersion   = 6
        DbMinorVersion   = 73
        IndexPath        = /SwSystem/3.2.0-01-2-240 /SwSystem/ACTIVE /Server/7088399
        Module           = 2/-1 6/-1 8/-1 10/-1 12/-1 14/-1 16/-1 18/-1 2313/-1
        Name             = 3.2.0-01-2-240
        ResourceChecksum = 9ff44d3f0bacde68cf8717cfa6b85db8
        ResourceGroup    = 2314/-1 2315/-1
        (... the rest is pointless for this example ....)
% dumpobj 2315/174
ResourceItem 2315/174 {
        Id               = 131251
        String           = 115375040AE75635B2F4AFEC691A0228C2586A14
}
%


Or to try and explain it, you do an "mls /SwSystem", do a dumpobj of the fsid for 3.2 (2312), find the second ResourceGroup fsid (2315), change the -1 to 174 (the item number of the backdoor hash). If you modify that hash, you'll change the backdoor code. And if you wanted to modify it:

code:
RetryTransaction {
    set obj [db $db openid 2315 174]
    dbobj $obj set String "115375040AE75635B2F4AFEC691A0228C2586A14"
}


(That's how I modified it to use the "3 2 BC" hash).


Posted by tarman on 10-30-2002 09:52 PM:

quote:
Originally posted by Otto
tarman: The obvious cases are easier to test, and mostly already tested independently. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.

You can name any case you like this way; only the number of changeable characters is what controls the number of possibilities. And all the most obvious cases are under 6 changing characters.

An exhaustive search is the last resort, really.



I totally agree with you, however, if we are going to brute force it, maybe we should put our computers to work on a set of codes that are more likely, based on history, to contain THE valid one.

Tom


Posted by Otto on 10-30-2002 10:03 PM:

tarman: I think what I meant was that all the obvious ones we can think of have been searched already.

Trebor: You certainly could reduce the keyspace by assuming it had, say, at least one space. If we assume it's an 8 character key with at least one space then you'd reduce the possibilities from 3.5 trillion to 759,455,017,064, or 7.6 billion. But can you assume it has a space in it? I mean, that's a fairly large assumption to make for such a big key (8 chars), IMO.

But you're correct, it would be a hell of a lot faster to search that. Hey Edwin, if the distributed code contained a search mask of some sort being sent from the server, you could change the possible searches at will, really. It'd have to be a pretty strange masking scheme to be able to say things like "at least one space in it" though.

Edit: Ahh, looking at the code I see it has a pattern entry. Cool. Probably not as complex a pattern as that though. Still will let you search the more obvious ones first by varying the pattern accordingly.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."
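
A worked version of the keyspace arithmetic in Otto's posts (37^8, 37^7, the "X X XX" case), GBL's block-count estimate, and the idea raised by Trebor and Otto of restricting the search to codes that contain at least one space (or one space, one digit and one letter). This is an added example, not code from the thread or from either crack client. The alphabet is the 37 symbols "Search By Title" accepts; the 1.25 million keys per second per CPU and the 38*38 one-hour blocks are figures quoted in the thread; the function names are this example's own. The inclusion-exclusion helper goes beyond the single-space case in the posts and counts codes that must contain at least one symbol from each of any set of character classes.

```python
"""Keyspace arithmetic for a short, low-entropy code (constructed example).

Shows why every extra symbol multiplies the work by the alphabet size, and
how much a "must contain a space/digit/letter" constraint really removes.
"""
from itertools import combinations

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"   # 37 symbols, as posted
LETTERS, DIGITS, SPACE = ALPHABET[:26], ALPHABET[27:], " "


def keyspace(length, alphabet=ALPHABET):
    """Codes of exactly `length` symbols: |alphabet| ** length."""
    return len(alphabet) ** length


def keyspace_up_to(max_len, alphabet=ALPHABET):
    """Codes of length 1..max_len, i.e. what 'everything up to N' costs."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, max_len + 1))


def containing_each_class(length, classes, alphabet=ALPHABET):
    """Codes of `length` that contain at least one symbol from every class in
    `classes` (disjoint strings of symbols), counted by inclusion-exclusion
    over the classes that are absent. With classes=[" "] this is the plain
    'at least one space' count, |A|**L - (|A|-1)**L. (Summing 'position of
    the space times free choices elsewhere' instead would count a code with
    two spaces twice.)"""
    n = len(alphabet)
    total = 0
    for k in range(len(classes) + 1):
        for absent in combinations(classes, k):
            excluded = len(set("".join(absent)))
            total += (-1) ** k * (n - excluded) ** length
    return total


def hours_to_exhaust(count, keys_per_second_per_cpu, cpus):
    """Wall-clock hours to test `count` codes at the quoted per-CPU rate."""
    return count / (keys_per_second_per_cpu * cpus) / 3600.0


def hours_for_blocks(blocks, hours_per_block, machines):
    """Same estimate from block bookkeeping instead of a per-key rate."""
    return blocks * hours_per_block / machines


if __name__ == "__main__":
    for L in range(6, 11):
        print(f"{L:>2} chars: {keyspace(L):>20,} codes, "
              f"{hours_to_exhaust(keyspace(L), 1.25e6, 50):>12,.1f} h on 50 CPUs")
    print("8 chars with a space, a digit and a letter:",
          f"{containing_each_class(8, [SPACE, DIGITS, LETTERS]):,}")
    print("1444 one-hour blocks on 50 PCs:",
          round(hours_for_blocks(38 * 38, 1, 50), 1), "h")
```

The constraint counts are the useful part: requiring one space removes only about a fifth of the 8-character space, which is why a constraint has to be a strong one (or the alphabet small) before it beats simply running the unrestricted search on more machines.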


Posted by barclay on 10-30-2002 10:05 PM:

All right, as promised, I've got a new version of the windows client that talks to the right server. You can download it from this message.

It takes a few command line switches, most importantly, one for the username.

code:
TiVoCrack uExample

will run it with a user of "Example"

And, if you have a multi-proc box:
code:
TiVoCrack uExample t4

will run it with a user of "Example" with 4 threads for a 4 proc box.


In the next few minutes, my server will start reporting that there are no more keys to search. Sorry about this, but there's no way to integrate things at the backend.

Go here for the latest version.


Posted by DarkHelmet on 10-30-2002 10:09 PM:

quote:
Originally posted by Otto
tarman: The obvious cases are easier to test, and mostly already tested independently. For example, codes of the form "X X XX" only amount to 1,874,161 possibilities. Enough for one PC to do in under 10 minutes.


A 1.2GHz athlon-mp tests about 1.25 million keys per second per cpu. Pentium4's seem to be pretty slow at doing SHA1 for some reason.

BTW: Be sure to use gcc -static on x86 *nix systems since the libraries when compiled for PIC mode run slower.

FWIW, I've gone completely through 8 character space with
' 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as a dictionary and tested the "easy" keys (only test those that have two spaces or more). Maybe that wasn't such a good assumption to make - the UK tivo backdoor key has no spaces, "10J0M". Neither did the 1.3 key.

I've checked the program on the old key. Using the full 37 character dictionary above and telling it to only test the keys with a space in it finds "3 0 BC" in 47 seconds.

I'd dearly love to run something at work. 8000 machines should be able to make pretty short work of the easy stuff.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by Otto on 10-30-2002 10:12 PM:

quote:
Originally posted by barclay
All right, as promised, I've got a new version of the windows client that talks to the right server. You can download it from this message.



Is this right?

g_szAlphabet = strdup("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");

That alphabet doesn't contain a space. Also, localmode doesn't seem to work right.. "Tivocrack l p?" keeps spitting out [B] for example.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by barclay on 10-30-2002 10:19 PM:

Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.


Posted by bsnelson on 10-30-2002 10:22 PM:

OK, I'm up and running on the "new barclay" on my Windows boxes and "ed" on the Linux boxes.

Question: Am I assuming that we're just using the "AAxxxxxx, ABxxxxxx" namespace progression now, and we've abandoned "xxxxxxAA, xxxxxxBA"?

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by DBordello on 10-30-2002 10:26 PM:

If only we could submit this to seti@home or something, speed this up.

When can we expect to see the stats?

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Otto on 10-30-2002 11:15 PM:

quote:
Originally posted by barclay
Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.



Okay. I was able to fix localmode anyway.. Just going over it for testing purposes.. I stuck in a debug mode so I could see all of the tests it does, and it appears to miss the first one of the set. For example, ??? as a pattern gets all of the set except for AAA. It starts at BAA. Haven't worked out why yet.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by DVDerek on 10-30-2002 11:21 PM:

quote:
Originally posted by barclay
Local mode is largely untested, so it'll probably break in horrible ways. It's mostly there so I can section-test as I'm working. I'll probably fix it eventually, but it wasn't a high priority.

The alphabet is right. Rather, it doesn't really matter, it'll be overwritten by what the server says, which does contain a space.



Did we at least get some way of you sending your completed workloads to Ed so we don't send them out again? I hope so!

Ok, 3/4 machines are running the new (1.2) code. I'll get the 4th up when I go home. Have fun!

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by EdwinOlson on 10-31-2002 12:09 AM:

Please note that it is NOT necessary for every machine to have a unique user id. You can give every one of your machines the same user id. That way all of your blocks will be added together.

(i.e., on my 3 machines, each one is run as 'eolson').

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 10-31-2002 12:15 AM:

Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).

Hopefully this will be the last version for a while.


Posted by DVDerek on 10-31-2002 12:25 AM:

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).

Hopefully this will be the last version for a while.



HMMM... I just got 4 computers at work running 1.2 and then went home. Is this going to invalidate all of their results? Bummer. I'll get 1.3 running on my home machine now.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by dkroboth on 10-31-2002 12:26 AM:

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.


Do we need to search any of the key space again?


Posted by Otto on 10-31-2002 12:28 AM:

quote:
Originally posted by barclay
Otto: Right you are, it was skipping the first word.

This was by design. It had to do with the way my server worked, but it doesn't make much sense with Edwin's server.

I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).



Your local mode fix was much the same as what I did.

I also changed this:
code:
g_nWorkerRunning ++;
CreateThread(NULL, 0, FindTiVoKey, 0, NULL, NULL);

Into this:
code:
HANDLE hThread;
g_nWorkerRunning ++;
hThread = CreateThread(NULL, 0, FindTiVoKey, 0, NULL, NULL);
// run the worker below normal priority so foreground work is not slowed down
SetThreadPriority(hThread, THREAD_PRIORITY_BELOW_NORMAL);

In order to make the thread more friendly on the CPU. Lets me run it in the background without slowing down my other activities. It only runs slightly slower this way, and only when I'm actually doing something.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by barclay on 10-31-2002 12:30 AM:

It shouldn't invalidate any results.

I just ran through all of the possibilities that 1.2 would have missed.

The answer isn't in any of them.

Go ahead and upgrade when you can though. Once we hit another letter it might miss something, though I highly doubt it.


Posted by DVDerek on 10-31-2002 12:30 AM:

quote:
Originally posted by barclay


I've fixed it in the post above, and version 1.3 is ready. That also fixes local mode (I think).



I just downloaded what was supposed to be the updated version but it has the same file date and size. When run it still reports 1.2.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by barclay on 10-31-2002 12:41 AM:

DVDerek: Sounds like you're behind a caching proxy or just have a confused browser.

Try again. I just changed it to 1.4, which adds as an option Otto's suggestion (the option is "r"). I also changed the filename, which should get around any caching problems.


Posted by drosoph on 10-31-2002 01:12 AM:

ok barclay ... 3 versions in 1 hr ... let me at least finish one iteration

__________________
TiVo Codes List -- tivo.drosoph.com


Posted by UncaAndoo on 10-31-2002 01:24 AM:

Up and running on my Windows box. Happy to contribute.

__________________
FOR SALE!!! Philips 14-hour SA w/lifetime

Philips 230-hour Combo Unit


Posted by barclay on 10-31-2002 01:32 AM:

Oh yeah, if some one is willing to try the latest version on Win 98, I'd appreciate it.

I'm not too hopeful that I've fixed the problem, but I did clean up a bit of the code I suspect was having troubles.


Posted by Otto on 10-31-2002 01:51 AM:

BTW, if you use Proxomitron, add this to your bypass list to make it work:

[^/]++eolson.dyndns.org/

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by mdscott on 10-31-2002 02:17 AM:

Running on an XP laptop -- on second work load...

mds

__________________
TiVo S2 245 Hrs; S2 80 Hrs
Mixed Wireless/Wired Net
Dell Ispiron XP SP2
Mac G4 867 OS X 10.3.7


Posted by markp99 on 10-31-2002 02:34 AM:

mdscott,

Are you using v1.4 on XP? I tried and only see "getting next work load", then it quits. Log says "Next work load failed, exiting".

Did you feed username as command line? How on XP?

v1 worked like a charm all night last night...

m

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by FUBAR on 10-31-2002 02:36 AM:

I'm using 1.4 on XP: tivocrack.exe ufubar s1

__________________
You? you get no pony!

p::/w..eees:par/kcosmht.pey.ztx.xyzsp:t
F.U.B.A.R.


Posted by markp99 on 10-31-2002 02:41 AM:

hmmm... just quits for me on XP...

10/30/2002 21:39:57: TiVoCrack 1.1 started
10/30/2002 21:39:57: Getting the next work load
10/30/2002 21:39:57: It looks like there's no more work to be done!
10/30/2002 21:39:57: Next workload failed, exiting

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by DVDerek on 10-31-2002 02:42 AM:

quote:
Originally posted by barclay
DVDerek: Sounds like you're behind a caching proxy or just have a confused browser.

Try again. I just changed it to 1.4, which adds as an option Otto's suggestion (the option is "r"). I also changed the filename, which should get around any caching problems.



That was odd. Even with the filename pointing to tivocrack14.zip it was still downloading tivocrack.zip. Went out for an hour and now it works. Oh well.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by markp99 on 10-31-2002 02:45 AM:

Nevermind...d-loaded again. Works fine. Off and running...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by bevinst on 10-31-2002 02:46 AM:

There might be a problem with tivocrack 1.4. I started it and it made it to the sleep message... I put it in the background at this time. A little later I checked the status and noticed it wasn't doing anything -- cpu load near zero. I typed in CTRL-C and got the message about "Z SRG BA" -- This was about an hour after I loaded it -- notice the time stamp in the log. After that, the cpu load hit 100% and it started updating the status messages.

I'm running Windows XP home on an AMD 1400. A capture of the screen follows:


D:\Download\TiVo>tivocrack ubevinst
10/30/2002 19:21:54: -- TiVoCrack 1.4 started --
10/30/2002 19:21:54: Getting the next work load
10/30/2002 19:21:59: User = [bevinst], Work Unit = 59463
10/30/2002 19:21:59: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
10/30/2002 19:21:59: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
10/30/2002 19:21:59: Pattern = [Z ??????]
10/30/2002 19:21:59: Threads = 1, Local = false, Silent = false, Lower Priority = false
10/30/2002 19:21:59: Sleep minutes = 5
10/30/2002 19:22:04: [Z SRG BA]
10/30/2002 20:33:09: [Z 1H604C]
10/30/2002 20:38:09: [Z F2V7 F]


-Tommy


Posted by DVDerek on 10-31-2002 02:49 AM:

quote:
Originally posted by markp99
hmmm... just quits for me on XP...

10/30/2002 21:39:57: TiVoCrack 1.1 started
10/30/2002 21:39:57: Getting the next work load
10/30/2002 21:39:57: It looks like there's no more work to be done!
10/30/2002 21:39:57: Next workload failed, exiting



You look to be having the same problem I was. If the program downloaded correctly, it should be version 1.4. I don't know what's causing this. Try rebooting or clearing out your internet cache or something.

You're getting that message because 1.1 used Barclay's server which is no longer in use (despite all the work that was probably put into it).

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by tarman on 10-31-2002 02:52 AM:

Running on 98. I get all of the headers, and then lines every 5 minutes without any codes.

.......
.......
10/30/2002 20:06:14: Threads = 1, Local = false, Silent = false, Lower Priority = false
10/30/2002 20:06:14: Sleep minutes = 5
10/30/2002 20:06:19:
10/30/2002 20:11:19:
10/30/2002 20:16:23:
10/30/2002 20:21:20:
10/30/2002 20:26:20:
10/30/2002 20:31:20:
10/30/2002 20:36:20:
10/30/2002 20:41:20:
10/30/2002 20:46:20:

Tom

__________________
Tom


Posted by markp99 on 10-31-2002 02:52 AM:

Yes, cleared cache, re-dl'd... all's fine now. On 2nd work unit...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by mstroh on 10-31-2002 07:15 AM:

It's working just fine on my XP machine, but it is not working on my 98SE machine.

The program runs, downloads the work unit, goes to sleep, and then gives an update every minute. It's the same problem tarman has. I set the sleep setting as s1.

mike


Posted by mdscott on 10-31-2002 11:30 AM:

quote:
Originally posted by markp99
mdscott,

Are you using v1.4 on XP? I tried and only see "getting next work load", then it quits. Log says "Next work load failed, exiting".

Did you feed username as command line? How on XP?

v1 worked like a charm all night last night...

m


Dell Inspiron 4150 w/ XP Home Edition. I did not enter user name; just expanded entire archive and then double clicked the exe -- let tivocrack assign username, Takes about 70 minutes per work load.

mds

__________________
TiVo S2 245 Hrs; S2 80 Hrs
Mixed Wireless/Wired Net
Dell Ispiron XP SP2
Mac G4 867 OS X 10.3.7


Posted by tarman on 10-31-2002 12:50 PM:

Is there a way to signal TiVoCrack (V1.2) to gracefully stop after the current workload is completed? I would like to stop it and start up V1.4 (with the r option), but I do not want to start and not finish a new workload.

I do have a Korn Shell so I can send any valid signal.

Is disconnecting the ethernet a method?

Tom

__________________
Tom


Posted by TK-421 on 10-31-2002 01:28 PM:

Upgraded my machine to 1.4.. Working on the ZQ block right now..

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by markp99 on 10-31-2002 01:43 PM:

Can someone post the valid switches to Tivocrack?

I've only used:

u-username
s-sleep

I have two machines at home crunching since last night. Just added my work computer (NT4) to the task, but would like to be able to set priority a bit lower during busy hours...

Any help?

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by TreborPugly on 10-31-2002 01:44 PM:

Leading Space

I've received at least one work-load with a space as the first character. I played around with what you could enter in Search by Title last night, and you cannot start with a space. You must first have an alpha-numeric character before you can enter spaces.

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by tarman on 10-31-2002 01:47 PM:

quote:
Originally posted by markp99
Can someone post the valid switches to Tivocrack?

I've only used:

u-username
s-sleep

I have two machines at home crunching since last night. Just added my work computer (NT4) to the task, but would like to be able to set priority a bit lower during busy hours...

Any help?



In version 1.4 the parameter "r" lowers the priority quite nicely.

Tom


Posted by markp99 on 10-31-2002 01:49 PM:

"r" then value, or simple binary toggle?

[edit]: Answered my own question just "r" required!

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by stahta01 on 10-31-2002 01:54 PM:

switch h gives help info.

Tim S

Edit:

TiVoCrack - Options:

h - This help
l - Local mode
p<Pattern> - Pattern to use
u<User> - User name for server mode (default: random)
a<Alphabet> - Alphabet to use
t<Threads> - Number of threads to launch (default: 1)
c<Hash> - Use <Hash> (default: 3.2's hash)
q - Less information dumped
s<Minutes> - Sleep <minutes> between results (default: 5)
r - Lower the priority of the worker threads

__________________
AT&T TiVo Series2 40Hr (130)
TiVo Series2 TCD240080

Sanity is greatly over rated.


Posted by lmurray on 10-31-2002 02:46 PM:

ed,
your code ports nicely to Mac OS X too. Ha.

Next, I'm going to compile this on my atari 2600!



-lloyd-


Posted by barclay on 10-31-2002 04:03 PM:

quote:
Originally posted by tarman
Is there a way to signal TiVoCrack (V1.2) to gracefully stop after the current workload is completed? I would like to stop it and start up V1.4 (with the r option), but I do not want to start and not finish a new workload.



There's no way to do this. Don't worry about it. Abandoned blocks will still be worked on.


Posted by mdscott on 10-31-2002 04:11 PM:

MacOSX executable

Lloyd -- if you are willing to share -- along with instructions such as run from Terminal (yes?) etc. I can include another in the group this evening.

mds

__________________
TiVo S2 245 Hrs; S2 80 Hrs
Mixed Wireless/Wired Net
Dell Ispiron XP SP2
Mac G4 867 OS X 10.3.7


Posted by brianld on 10-31-2002 05:39 PM:

OK, just kicked it off on my P4 1.9ghz ... every little bit helps, right?


Posted by stahta01 on 10-31-2002 05:52 PM:

Hi All:

My computer is working on its 4th block. It's taking about 2 hours 40 minutes a block/work load. I hope to get it using my username next time; last time I did not prefix it with a u so it used a random one.

Tim S

__________________
AT&T TiVo Series2 40Hr (130)
TiVo Series2 TCD240080

Sanity is greatly over rated.


Posted by dkroboth on 10-31-2002 05:58 PM:

Here is a silly idea... Given TiVo's obsession with holidays as release/announcement dates, does anybody want to try some variations on those as backdoor codes? (HAPPY HALLOWEEN) sorta thing.


Posted by markp99 on 10-31-2002 06:08 PM:

Another hunch...

Around the time that the 3.2 backdoors question was first raised, TiVoPony changed his avatar sig from "vrrrm vrrrm" to "It's October!". We know Pony has occasionally and cryptically leaked little tidbits to us (S.O.R.T.)...

What's the 3.2 backdoor?: Why, it's "October"... ??

I've already played with MANY variants of "October" & "Oct" with "3.2" and "3 2", etc. No luck, obviously...

Hey, it was just an idea...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by markp99 on 10-31-2002 06:11 PM:

Consecutive Spaces??

I realize the log.txt file is just a snapshot of current string based on sleep setting, but I have not seen a sample with TWO (or more) consecutive spaces. I have seen strings with TWO spaces, just not consecutive... Would be a valid permutation, right? I have sleep=1 on 6 threads, so I can see LOTS of samples in the log...

Just wondering...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by barclay on 10-31-2002 06:22 PM:

Consecutive spaces are being tried. It's just not likely you'll see them in the few samples that get dumped in the log.

Also: Do you actually have a 6-proc box? If you don't, I'd guess the six threads are mostly just fighting each other. I've never actually tested to see if it's any faster, but I somehow doubt it is.


Posted by markp99 on 10-31-2002 06:28 PM:

I have 2 parallel threads running on each of 3 machines (single processor, reduced priority). My guess was that the result should be the SAME maybe marginally better, where CPU cycles will continue for thread2, while thread1 was doing housekeeping tasks...

I was gonna ask the question, never got around to it... Both threads write to the same log file...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by Otto on 10-31-2002 07:02 PM:

mark: Actually, the threads don't write to the log file. They modify a shared variable for the main loop. The main loop writes to the screen/logfile.

The extra threads won't really help you much. The main loop starts X number of testing threads, so the main loop is separate from the testing threads already. It wakes every so often (5 minutes) to spit out the current state but beyond that, it just sits there on a "wait" for the break keypress. A thread in "wait" uses no CPU cycles to speak of.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by DVDerek on 10-31-2002 07:04 PM:

quote:
Originally posted by markp99
Another hunch...

Around the time that the 3.2 backdoors question was first raised, TiVoPony changed his avatar sig from "vrrrm vrrrm" to "It's October!". We know Pony has occasionally and cryptically leaked little tidbits to us (S.O.R.T.)...

What's the 3.2 backdoor?: Why, it's "October"... ??

I've already played with MANY variants of "October" & "Oct" with "3.2" and "3 2", etc. No luck, obviously...

Hey, it was just an idea...



GOOD POINT. I have a machine that is kinda slow, so I'm running Barclay's code in local mode on it with the alphabet of "OCTOBERAKD 0123456789" on strings of length 8. Actually, I suppose that's gonna take a really long time to complete. We shall see, I guess.

I used that alphabet because it has "OCTOBER" and "BACKDOOR".

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by DVDerek on 10-31-2002 07:11 PM:

Has anyone thought about putting the call out in the "Coffee House" forum for some computing power? I'm new to these boards so I didn't want to go ahead and do that if it was going to be something that would be frowned upon.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by CraigEagle on 10-31-2002 07:14 PM:

Is there any way to put a "!" into the wishlist? In TivoPony's avatar sig there is one. Just a thought. I am running 7 chars against "ABCKDTVIO3210R*! " just to be sure we didn't miss it.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by TK-421 on 10-31-2002 07:14 PM:

Here's the command line for the win32 version I'm using in case anyone needs a sample..

tivocrack uTK-421 s1 r

That makes it only sleep 1 minute between each hash, run lower priority in the background, and uses my username.


Posted by DVDerek on 10-31-2002 07:17 PM:

quote:
Originally posted by CraigEagle
Is there any way to put a "!" into the wishlist? In TivoPony's avatar sig there is one. Just a thought. I am running 7 chars against "ABCKDTVIO3210R*! " just to be sure we didn't miss it.
- Craig



Maybe there is, but we're only concerned with the search by title screen. You don't enter the code in the Wishlist screen. This has been confirmed.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by markp99 on 10-31-2002 07:17 PM:

quote:
Originally posted by CraigEagle
Is there any way to put a "!" into the wishlist? In TivoPony's avatar sig there is one. Just a thought. I am running 7 chars against "ABCKDTVIO3210R*! " just to be sure we didn't miss it.

There is no way to enter the "*" or "!" characters from the search screen...where you would enter the backdoor code...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by GBL on 10-31-2002 07:32 PM:

barclay,

any easy way to increase the internet connection retries? My cable modem was down for a few minutes and tivocrack could not return the result etc. From the log it appears to fail rather quickly:

code:
10/31/2002 12:02:50: Getting the next work load
10/31/2002 12:02:51: User = [GBL], Work Unit = 60934
10/31/2002 12:02:51: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
10/31/2002 12:02:51: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
10/31/2002 12:02:51: Pattern = [A Q??????]
10/31/2002 12:02:51: Threads = 1, Local = false, Silent = false, Lower Priority = false
10/31/2002 12:02:51: Sleep minutes = 5
10/31/2002 12:02:56: [A Q6UE3BA]
10/31/2002 12:07:56: [A QVH94CD]
10/31/2002 12:12:56: [A Q23O0CG]
10/31/2002 12:17:56: [A QCOLZDJ]
10/31/2002 12:22:56: [A Q73JTEM]
10/31/2002 12:27:56: [A QWREVFP]
10/31/2002 12:32:56: [A QR7CPGS]
10/31/2002 12:37:56: [A QFV7QHV]
10/31/2002 12:42:56: [A QIL0WIY]
10/31/2002 12:47:56: [A QLBU1J0]
10/31/2002 12:52:56: [A QO1M7K3]
10/31/2002 12:57:56: [A QYLJ5L6]
10/31/2002 13:02:56: [A Q1S2UN9]
10/31/2002 13:03:58: [A QUYS799]
10/31/2002 13:03:58: Sending the results
10/31/2002 13:04:19: Unable to open URL!
10/31/2002 13:04:19: Getting the next work load
10/31/2002 13:04:34: Unable to open URL!
10/31/2002 13:04:34: Next workload failed, exiting

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by markp99 on 10-31-2002 07:35 PM:

quote:
Originally posted by GBL
[A Q6UE3BA]

Cool! 9-character strings...

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by TreborPugly on 10-31-2002 07:39 PM:

quote:
Originally posted by markp99
Cool! 9-character strings...



Cool? This means there isn't an 8 character string that works, and now we have to spend 37 times the amount of effort spent so far to explore this new space! UGH!

__________________
I'm not a Bug, I'm a Feature!


Posted by StanSimmons on 10-31-2002 07:50 PM:

I know that I accidentally dropped several 8 char. workloads during testing. I could be in one of those, and would be recycled within 24 hours according to previous posts.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by lmurray on 10-31-2002 07:56 PM:

Here's the macosx client. It's ed's client, w/ one minor change. (gcc didn't like the typedef of the socklen, so i made it an int.)

Included is the source, and a compiled version. run it just like eds linux version:

./dclient http://eolson.dyndns.org/dtc/getwork.php username

just unzip the following attachment.

I've only tested this on one system.

let me know if you have questions.

-lloyd-


Posted by sacherjj on 10-31-2002 08:09 PM:

quote:
Originally posted by TreborPugly
Cool? This means there isn't an 8 character string that works, and now we have to spend 37 times the amount of effort spent so far to explore this new space! UGH!


Anybody else get the feeling that some TiVo engineers are reading this thread and laughing.

__________________
Tivo Series 2 @ 240 Gig.


Posted by Otto on 10-31-2002 08:11 PM:

quote:
Originally posted by TK-421
Here's the command line for the win32 version I'm using in case anyone needs a sample..

tivocrack uTK-421 s1 r

That makes it only sleep 1 minute between each hash, run lower priority in the background, and uses my username.



Just so you know, the s1 only makes it display the current hash once a minute. It's actually running a few thousand hashes every second.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Otto on 10-31-2002 08:14 PM:

As has been stated already, this search is essentially for fun. If you want to get the backdoors on your S2 unit, it's already been stated how to do it. Load up the drive in a computer and change that code to the other one. Voila. This power search is just for boredom's sake, and to see if we can do it. It'll be cool to find it, but it's not actually going to give us access to anything new, okay?

So mark, even if they change it, that's not the point. We can change it too.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by markp99 on 10-31-2002 08:33 PM:

Otto,

Agreed. I'm just too lazy to pull the drive out of my TiVo...and maybe a just bit chicken to hack at that level...

Yes, this is an interesting exercise!! 18 work units complete (53,100 points) and I've hardly broken a sweat!!

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by TK-421 on 10-31-2002 08:35 PM:

quote:
Originally posted by Otto
Just so you know, the s1 only makes it display the current hash once a minute. It's actually running a few thousand hashes every second.


Oh.. well, I like more info then.. watching all the results is interesting

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by TreborPugly on 10-31-2002 08:37 PM:

quote:
Originally posted by Otto
As has been stated already, this search is essentially for fun. If you want to get the backdoors on your S2 unit, it's already been stated how to do it. Load up the drive in a computer and change that code to the other one. Voila. This power search is just for boredom's sake, and to see if we can do it. It'll be cool to find it, but it's not actually going to give us access to anything new, okay?

So mark, even if they change it, that's not the point. We can change it too.



Well, some of us don't have the spousal authority to pop open that $650 investment to employ the technique you describe. I'm looking forward to the cracked code, so I can enjoy the few backdoor codes I'd gotten used to using with 3.0 (suggestion recordings shown in the to do list, enhanced program information, advanced wishlists).

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by Jonathan_S on 10-31-2002 08:39 PM:

Also, once we know this works, we will have the infrastructure in place to look for new codes if/when they update the backdoor code in future releases.

And its fun.
Currently 441000 points

__________________
Sony T-60 - 109 hours


Posted by DVDerek on 10-31-2002 08:46 PM:

quote:
Originally posted by Jonathan_S

And its fun.
Currently 441000 points



Hmph... How are you guys getting point totals??

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by markp99 on 10-31-2002 08:46 PM:

quote:
Originally posted by Jonathan_S
Currently 441000 points

Show off!!

Looks like you got the CRAY in your basement onto the task...


While the rest of us whack away with our antique abaci!!

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by markp99 on 10-31-2002 08:51 PM:

DVDerek,

You're the number 9 all-time scorer... and you didn't even know!!!

check it out!

http://www.blisstonia.com/dtc/stats.php?USERID=DVDerek

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by DVDerek on 10-31-2002 09:02 PM:

quote:
Originally posted by markp99
DVDerek,

You're the number 9 all-time scorer... and you didn't even know!!!

check it out!

http://www.blisstonia.com/dtc/stats.php?USERID=DVDerek



HAHA... Nice. My competitive nature is kicking in. Almost makes me want to abandon my 9 character search I'm running locally with "OCTBERAKD 0123456789".

Guess I'll go ahead and eliminate 456789 and shorten the alphabet quite a bit.

EDIT: Yeah, I've decided to go with "OCTBERAKD 23" to significantly shorten the space. I was doing this to play a hunch, yet for some reason included digits that weren't part of my hunch. Just thought I'd make that known in case anyone out there is playing the same hunch.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by EdwinOlson on 10-31-2002 09:24 PM:

As you've noticed, we've exhausted the 8 character search space. (Good work everyone! We have a LOT of CPU power already!)

We've started the 8+1 search space, i.e., 8 unknown characters plus one space. There are seven such spaces, thus the next phase of our search will be 7 times the effort of our previous search.

I'm open to suggestions as to what the next search should be. Probably 8+2 (which is almost as bad as 9+0 but probably more likely). We'll still need more CPU power, so keep spreading the word!

I plan on making a few (mostly cosmetic) improvements to the client and trying to package up a cygwin version for those Windows users who would prefer it. It should be available tomorrow-ish. I value your suggestions!

Improvements are happening all the time to the stats page. Keep an eye out. The next improvement is a display which shows the progress of each experiment, so you know what we're all working on.

AN APPEAL TO SOURCE CODE MODIFIERS:

I'll ask you not to modify the code in any way when you're running it against the server. I want to minimize the possibility of introducing a bug that would cause us to miss data. If you feel the uncontrollable urge to modify the code--even a trivial little tweak--please contact me so I can make the improvement in my tree and perform the proper testing.

If you just aren't willing to do that, *PLEASE* at least change the CLIENTVERSION define in the dclient.cpp file so that, god forbid, if something does break, we know which blocks to requeue.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
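As an added example that is not part of the thread, of TiVoCrack, or of Ed's dclient, here is a local-mode search of the kind the clients run. It covers two points from the posts above: the first-word bug barclay fixed in 1.3 (a "???" pattern must start at "AAA", not "BAA"), and the search-space arithmetic behind Ed's 8+1 phase. It assumes the candidate string is hashed with plain SHA-1: the keys in the logs are 40 hex digits (160 bits) and the thread says the clients' hash comes from their SSL library, which is consistent with SHA-1, but the thread never names the algorithm outright. The "seven positions" reading of 8+1 (one space in an interior position of a nine-character string, never leading as TreborPugly reports, and assumed never trailing) is also an assumption chosen to match Ed's count. The target hash is constructed from a made-up secret so the example runs offline; nothing here is TiVo's real hash or key.

```python
# Added example, not code from the thread, TiVoCrack or dclient.
# Assumption: backdoor string -> SHA-1 (40-hex key in the logs); constructed target.
import hashlib
import itertools

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"   # 37 symbols, as in the work-unit logs
NO_SPACE = ALPHABET.replace(" ", "")                 # 36 symbols, for the 8+1 wildcards


def sha1_hex(s: str) -> str:
    """Hex SHA-1 of an ASCII string (the assumed hash of a candidate)."""
    return hashlib.sha1(s.encode("ascii")).hexdigest()


def candidates(pattern: str, alphabet: str = ALPHABET):
    """Yield every string matching pattern: '?' ranges over alphabet, any other
    character is fixed. The first word (all first symbol, e.g. 'AAA') is
    included; that is the word TiVoCrack 1.2 skipped."""
    slots = [alphabet if ch == "?" else ch for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def search(pattern: str, target_hex: str, alphabet: str = ALPHABET):
    """Return the first candidate whose SHA-1 equals target_hex, else None.
    Digests are compared as bytes, so the hex case of the key is irrelevant."""
    target = bytes.fromhex(target_hex)
    for cand in candidates(pattern, alphabet):
        if hashlib.sha1(cand.encode("ascii")).digest() == target:
            return cand
    return None


def space_size(pattern: str, alphabet: str = ALPHABET) -> int:
    """Number of candidates a pattern expands to."""
    return len(alphabet) ** pattern.count("?")


def eight_plus_one_patterns(n: int = 8):
    """Assumed reading of the 8+1 phase: n non-space unknowns plus one space in
    one of the n-1 interior positions. For n=8 that is seven patterns."""
    return ["?" * i + " " + "?" * (n - i) for i in range(1, n)]


def eight_plus_one_size(n: int = 8) -> int:
    """Candidates in the 8+1 phase: (n-1) * 36**n, wildcards drawn from the
    alphabet without the space so each string has exactly one space."""
    return sum(space_size(p, NO_SPACE) for p in eight_plus_one_patterns(n))


if __name__ == "__main__":
    # Constructed demo: a mostly fixed pattern so the search is instant.
    secret = "BACKDOOR"                       # made up for this example
    key = sha1_hex(secret).upper()            # plays the role of the logged Key
    print("BACKD??R ->", search("BACKD??R", key))
    print("8-char space:", space_size("????????"))
    print("8+1 space:   ", eight_plus_one_size(),
          "across", len(eight_plus_one_patterns()), "patterns")
    print("8+1 / 8-char: %.2f" % (eight_plus_one_size() / space_size("????????")))
```

Under this reading the 8+1 phase is 7 × 36^8 candidates, a little under 7 × 37^8, since the wildcards no longer include the space; the ratio to the exhausted 8-character space comes out near 5.6 rather than exactly 7. Whatever the server's actual split, the first function is the one worth checking: a pattern search that starts at the second word silently leaves one candidate per work unit untested.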


Posted by CraigEagle on 10-31-2002 09:25 PM:

Might want to try HALOWEN too.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by Otto on 10-31-2002 09:25 PM:

quote:
Originally posted by MuscleNerd
Jonathan: this particular distributed infrastructure won't be of much help if they triple or quadruple the length of the password.


Or if the next version simply changes the hashing method entirely.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Jonathan_S on 10-31-2002 09:40 PM:

Well, that would depend on how they changed the hash. If they just used another algorithm that the SSL library these clients use supports, it would be a simple code change and recompile.

Of course, if they added a bunch of code mangling the input before hashing or made up their own hash algorithm, then this would all be useless.

And I was referring more to the practice EdwinOlson and bsnelson got in putting together a distributed infrastructure to support the search, than the specific clients they distributed. Figuring out how to do it the first time is always the hardest.

__________________
Sony T-60 - 109 hours


Posted by CraigEagle on 10-31-2002 09:45 PM:

Correct me if I'm wrong but if they changed the algorithm then replacing the hash with a known hash would not work. This has worked so I believe we know they are using the same algorithm.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by marlborobell on 10-31-2002 09:51 PM:

Quick point: it's perfectly possible that TiVo has put quotes and stars in the password -- there's nothing saying that the backdoor entry HAS to come from the Search By Title screen. It's quite possible that they've restricted it to only actually work from the Wishlist screen by including something from the extra alphabet there.

Just because the old password can be entered from Search by Title, and works, doesn't mean that the correct password can be entered there.

So... if we aren't checking work units with stars in, we should be.

(Anyone checked a password of just eight stars? It's what passwords look like, after all...)


Posted by DVDerek on 10-31-2002 10:20 PM:

quote:
Originally posted by marlborobell
Quick point: it's perfectly possible that TiVo has put quotes and stars in the password -- there's nothing saying that the backdoor entry HAS to come from the Search By Title screen. It's quite possible that they've restricted it to only actually work from the Wishlist screen by including something from the extra alphabet there.

Just because the old password can be entered from Search by Title, and works, doesn't mean that the correct password can be entered there.

So... if we aren't checking work units with stars in, we should be.

(Anyone checked a password of just eight stars? It's what passwords look like, after all...)



Think of the complexity you'd be adding with that 1 star and weigh the benefits of it. I just don't think it's likely they changed the spot to enter the code. Perhaps they did... but I hope not.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by barclay on 10-31-2002 10:49 PM:

All right, here's version 1.5 of the win32 client.

- Default username is anonymous
- Reports the version to the server
- Retries any communications to the webserver on a fail. This is configurable, but it defaults to trying ten times before giving up.
- Cleanup of the output
- I installed Win98, and figured out the problem, so that's fixed.

I haven't had time, nor will I likely until tomorrow, to report back whether it successfully runs a full cycle, so I'm dropping the version off in this message and leaving the older message around in case something is horribly broken with this version.

Go here for the latest version.


Posted by mstroh on 10-31-2002 11:16 PM:

I just downloaded v1.5 and installed it on my 98SE box, and it started running correctly, even showing the keys that it was working on.

Thanks.

When it completely finishes a workgroup I will post that here.

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by mdscott on 11-01-2002 12:04 AM:

quote:
Originally posted by lmurray
Here's the macosx client. [snip]

-lloyd-



It is working happily on QuickSilver 867 OSX 10.2.1

thanks
mds

__________________
TiVo S2 245 Hrs; S2 80 Hrs
Mixed Wireless/Wired Net
Dell Inspiron XP SP2
Mac G4 867 OS X 10.3.7


Posted by brianld on 11-01-2002 12:20 AM:

Anyone have so much time on their hands that they'd cough up an HP-UX 11.0 port? I don't think it's worth the effort if it's just my one box, but perhaps there are others in here who could use it?


Posted by tarman on 11-01-2002 12:20 AM:

Cranking on win98!!

quote:
Originally posted by barclay
All right, here's version 1.5 of the win32 client.

- I installed Win98, and figured out the problem, so that's fixed.



Looks good on this sloooooooow laptop.

Tom



Posted by aceman on 11-01-2002 01:06 AM:

1.5 appears to be working fine for me on XP. I've completed one work unit, sent it off, and got another one to work on.

__________________
200 hour AT&T Series2


Posted by EdwinOlson on 11-01-2002 01:47 AM:

I would suspect that the unix code (http://eolson.dyndns.org/dtc) might just compile and run, provided you have the right libraries installed. Some tweaking of the header files and makefile might be required. If you get it to work, send me a diff. (And don't forget to change the CLIENTVERSION if you need to make any changes!)

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by StanSimmons on 11-01-2002 03:12 AM:

I have about 60 machines (P4 1.8G W2k) running either v1.4 or v1.5 of barclay's code right now and can bring another 60 or so online this weekend if they are needed.

Is there a projection on the 9 character completion with the current processing power?

Something that would help me is if there was a command line switch that would turn off all screen output and only write to the log file. If that were available I could have a perl script start up a remote command on each of the lab machines instead of having to manually open a remote command window and then force it to end after the process starts.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by StanSimmons on 11-01-2002 03:26 AM:

It might be fun to see what everyone's points per hour were (in a table)...

Or would that just be gloating?

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by markp99 on 11-01-2002 03:30 AM:

quote:
Originally posted by StanSimmons
Or would that just be gloating?

Yup, gloating... Mr. 257 work units (1333200 points)!

I feel so inadequate now @ 25 work units (99000 points)

Way to go getting soooo many machines crunching...


PS> your value of pi is wayyy short:
3.1415926535897932384626433832795028841971693993751058209
7494459230781640628620899862803482534211706798214808651
3282306647093844609550582231725359408128481117450284102
7019385211055596446229489549303819644288109756659334461
2847564823378678316527120190914564856692346034861045432
6648213393607260249141273724587006606315588174881520920
9628292540917153643678925903600113305305488204665213841
4695194151160943305727036575959195309218611738193261179
3105118548074462379962749567351885752724891227938183011
9491298336733624406566430860213949463952247371907021798
6094370277053921717629317675238467481846766940513200056
8127145263560827785771342757789609173637178721468440901
2249534301465495853710507922796892589235420199561121290
2196086403441815981362977477130996051870721134999999837
2978049951059731732816096318595024459455346908302642522
3082533446850352619311881710100031378387528865875332083
8142061717766914730359825349042875546873115956286388235
3787593751957781857780532171226806613001927876611195909
2164201989380952572010654858632788659361533818279682303
0195203530185296899577362259941389124972177528347913151
5574857242454150695950829533116861727855889075098381754
6374649393192550604009277016711390098488240128583616035
637076601047101819429555961989467678

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by StanSimmons on 11-01-2002 03:34 AM:

Being a sys-admin at a small college has a few advantages (the pay is NOT one of them.)

And, yes I did get permission to use the machines during the times that the labs were closed.

As to the pi value.... Phffttt!

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by DVDerek on 11-01-2002 03:51 AM:

quote:
Originally posted by StanSimmons
Being a sys-admin at a small college has a few advantages (the pay is NOT one of them.)

And, yes I did get permission to use the machines during the times that the labs were closed.

As to the pi value.... Phffttt!



I'm a sys-admin at a small company and I'm forced to hide the app on our never used test machines and hope no one notices!! WOOHOO!

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by EdwinOlson on 11-01-2002 04:11 AM:

My next code revision will have a command line option to suppress messages and, if I have time, to direct output to a log file.

I assume that PI was from memory, yes?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-01-2002 04:42 AM:

All right. 1.6 of the win32 client is out now.

Here's the page where you can grab the latest version. (I got tired of uploading the program here)

1.6 is functionally equivalent to 1.5, it just adds an option to turn off logging to either the console or log.txt.


Posted by mstroh on 11-01-2002 04:46 AM:

I'd like to follow up that my 98SE box has started its second WU. It successfully downloaded the first WU crunched, sent the results, and got its second WU.

Thanks a lot for v1.5; I've got it running on two boxes now and will be adding a third tomorrow.

-mike

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by embeem on 11-01-2002 07:02 AM:

And just in case anyone appreciates the irony, a dclient binary compiled for the Series2.
http://tivo.samba.org/download/mbm/s2/dclient-s2.tar.gz

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by Tiger on 11-01-2002 07:36 AM:

The irony is not lost, don't worry. Better would be if a S2 cracks the hash.

__________________
Are we not men? We are TiVo!


Posted by Otto on 11-01-2002 07:53 AM:

Yep. Good irony there.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by mdscott on 11-01-2002 11:29 AM:

If 1.4 is crunching merrily is there any reason to switch to 1.5 or 1.6??

mds (he of the few points)

__________________
TiVo S2 245 Hrs; S2 80 Hrs
Mixed Wireless/Wired Net
Dell Inspiron XP SP2
Mac G4 867 OS X 10.3.7


Posted by tarman on 11-01-2002 12:37 PM:

I'm right behind the leader!

I am right behind the leader stansimmons!!!

in the list of names of Active users.

Tom


Posted by lmurray on 11-01-2002 02:16 PM:

What's the slowest processor one should dedicate to this process? I have a PentPro 200 system that's running this, and I'm wondering if it's worth bothering.

any thoughts?

-lloyd-


P.S. I was considering compiling this thing for the tivo, but figured it would be too slow (for sure on a S1). Is anyone actually running this on their S2?


Posted by CraigEagle on 11-01-2002 02:17 PM:

Ok, just to let you know I had a machine at work run through this locally and nothing came up.

TivoCrack uCraigEagle l p"?????????" a"BTIVO01DCE32 "
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by barclay on 11-01-2002 02:29 PM:

quote:
Originally posted by mdscott
If 1.4 is crunching merrily is there any reason to switch to 1.5 or 1.6??

mds (he of the few points)



Nope. Afaik, 1.3 was the last "mandatory" upgrade.


Posted by DVDerek on 11-01-2002 02:32 PM:

Every morning I get up and check my personal machine and hope it's completed! Damn!

I am also interested in whether or not I MUST upgrade from 1.4? I propose that "must have upgrades" jump from 1.x to 1.x+1 and "minor" revisions go from, say "1.4" to "1.4.1". Just an idea to keep things clear.

I suggest if we exhaust the 8 + 1 space set we go to 8 + 2 space as opposed to 9. Eventually we will have to bite the bullet and go for the 9 character space.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by stahta01 on 11-01-2002 02:44 PM:

When deciding how to do the 9-char workloads:

Remember that the slowest computer running a workload has to get done in less than 24 hours (or we have to up the 24 hr limit.)

My 550 MHz machine is now taking a little over 3 hours a workload.

Tim S

__________________
AT&T TiVo Series2 40Hr (130)
TiVo Series2 TCD240080

Sanity is greatly overrated.


Posted by dkroboth on 11-01-2002 03:00 PM:

I have a Pentium MMX 233 on it. It does one in about 9 hours I think. I decided not to fire up my 166 and 133. That just seems silly

Dan


Posted by TreborPugly on 11-01-2002 03:13 PM:

I don't know much about encryption, so pardon my ignorance in that regard, but I do know about optimization and computational methods, so here are a couple of questions:

1. Is there any measure of "closeness" we can use to direct our search?
2. Do similar text strings have any definable similarity in their hash strings?
3. Do similar hash strings have any definable similarity in their text strings?
4. Is there any test we can do to identify the length of the text string which generates a particular hash string?

For example, do the hash strings for "DOG" and "HOG" have any similarity? Or "DOG" and "DOGG"?

My idea is that if there is some measure of fitness, we could maybe notify the server of strings which are better than others and define new searches based on that information.

__________________
I'm not a Bug, I'm a Feature!


Posted by barclay on 11-01-2002 03:19 PM:

Sadly no. The purpose of a hash is to eliminate the ability to ascertain any useful details about the plain-text from the cypher-text, and make it computationally difficult to reverse the process.

We might want to consider at some point using a dictionary attack, but that would probably be more difficult to distribute than the brute force attack we have going now.


Posted by spankspank on 11-01-2002 03:40 PM:

quote:
Originally posted by lmurray
What's the slowest processor one should dedicate to this process? I have a PentPro 200 system that's running this, and I'm wondering if it's worth bothering.

any thoughts?

-lloyd-



I started Ed's client on a PI-166 yesterday. One 8 char work unit took about 16 hours. The same machine is now working on a 9 char unit, and I doubt it will complete in 24 hours. This would mean that the WU would be recycled to someone else, right? In this case two machines would redundantly work on the same WU. So there is a point where slow machines (or even modest machines doing other things) are useless with the current 24 hour limit.


Posted by EdwinOlson on 11-01-2002 04:57 PM:

There is no 24 hour limit on processing blocks anymore. Blocks won't be recycled until all the blocks have been issued at least once. Also, the amount of work that each client is doing is roughly the same per work unit, even though we're up to 9 character searches. Currently, each work unit searches 6 characters of possibilities. So now that we're at 9, that means that each work unit assumes that 3 characters are known. (And to be rigorous, we're currently searching the 8+1 space, not the 9 space. 8+1 means (more-or-less) we're assuming that there's at least one space.)

Any machine can help! I have some lowly 300MHz machines crunching. It all adds up. And we've got a lot of searching to do!

barclay- I'm not sure what you're suggesting with a dictionary attack. It had occurred to me to make the alphabet actually include short words ("HALLOWEEN", "OCT", as some have suggested might be involved), but we don't have a lot of reason to believe that the backdoor password is likely to be composed exclusively of dictionary words.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-01-2002 05:14 PM:

I'm not suggesting a dictionary attack based only on dictionary words.

More along the lines of what the password crackers try. After a certain point, imo, it's probable the code consists of at least one word plus some symbols. So, if we limited the "patterns" to something like "BACK?????", "??BACK???", and so on, I feel we'd be more likely to find the code.

This is probably only worth trying if we get to the point of exhausting the 8+x and 9 character space though.


Posted by CrispyCritter on 11-01-2002 05:57 PM:

I've been following your keyspace cracking techniques the past few days with great interest. Very impressive! I agree it is absolutely the best thing to try. I'll get my PC's up working on it over the weekend (not completely trivial in that most of my PC's are deliberately not directly on the Internet.)

But as the key length gets to 9 or 10 characters, it starts offending my inherent sense of laziness. What TiVo employee is going to want to key in that many characters (they're users too!)? So in thinking of other "lazier" possibilities, I've come up with two things that could be tried.

1. Repeating keys. It's actually a lot easier to type in "BBBDDD333222" than the current 3.0 code, even though it's much longer. That should be an easy keyspace to explore (take every string up to length 6 and double all the characters, then triple all the characters, etc).

2. (More desperate) Different function key. We know that thumbs-up is bound to the same function as it was in 3.0. But do we have any idea that some other function key (eg thumbs-down, or record) isn't being used for 3.2? This other key could do some other preprocessing (reverse bits, ....) and then submit it to the same encryption function as thumbs-up. Is there any indication in the code that could rule this out?

As I said, I think the brute force is the current way to go, but we're getting to the point where alternative approaches are needed.

__________________
CrispyCritter
Ben: Phillips 112 (107 hours) Lifetime 3.0. T2,T3: Phillips 112 unsubbed
Sue: AT&T(40hours) Lifetime 4.0. Fred: TiVo(80hours) Lifetime 4.0. Barney: TiVo(127hours) Lifetime 4.0


Posted by gregstoll on 11-01-2002 07:03 PM:

quote:
Originally posted by CrispyCritter

2. (More desperate) Different function key. We know that thumbs-up is bound to the same function as it was in 3.0. But do we have any idea that some other function key (eg thumbs-down, or record) isn't being used for 3.2? This other key could do some other preprocessing (reverse bits, ....) and then submit it to the same encryption function as thumbs-up. Is there any indication in the code that could rule this out?

As I said, I think the brute force is the current way to go, but we're getting to the point where alternative approaches are needed.



I believe they tried putting a hash of a known string "3 0 BC" into the code where the current hash is, and backdoors were opened the same way (by entering "3 0 BC" and pressing thumbs-up). So I think we've pretty much ruled that out. Good suggestion about repeating letters, though.


Posted by CrispyCritter on 11-01-2002 07:22 PM:

quote:
Originally posted by gregstoll
I believe they tried putting a hash of a known string "3 0 BC" into the code where the current hash is, and backdoors were opened the same way (by entering "3 0 BC" and pressing thumbs-up). So I think we've pretty much ruled that out.
Yes, I realize that (that's why I said that thumbs-up is still bound to the same function.) But that does not rule out that thumbs-down might be bound to a slightly different function that does different preprocessing before encryption. I do assume the same encryption is being done since the string is of the same format. I consider this possibility less likely, but I don't know how devious TiVo is trying to be!

__________________
CrispyCritter
Ben: Phillips 112 (107 hours) Lifetime 3.0. T2,T3: Phillips 112 unsubbed
Sue: AT&T(40hours) Lifetime 4.0. Fred: TiVo(80hours) Lifetime 4.0. Barney: TiVo(127hours) Lifetime 4.0


Posted by TreborPugly on 11-01-2002 07:26 PM:

quote:
Originally posted by barclay
Sadly no. The purpose of a hash is to eliminate the ability to ascertain any useful details about the plain-text from the cypher-text, and make it computationally difficult to reverse the process.


Computationally difficult, but not impossible, right? At a certain point, if your search space gets too big, it is probably less computationally intensive to try to reverse the process than it is to exhaustively try all combinations.

So, I did a little reading (NIST Secure Hash Standard), and for a single block problem, to back calculate, you would need to simultaneously solve 16 + 5*80 + 5 = 405 equations (16 W's, the a, b, c, d, e equations 80 times, 5 H's). This is not trivial, but nowhere near as nasty as a 9 letter exhaustive search. So the idea is, given the hash text, you can put the entirety of the hash calculation as one big set of equations and solve it simultaneously, generating the initial values of the hash text, which you can use to determine the plain text.

And, since we know that the initial message length is relatively small, we know that most of the W's will be 0, which will give us a good enough initial guess for the problem.

My only problem in thinking how to set this up is the mix of hex and binary, and "word" type operations. Like ROTL: am I correct that this is an operation on the binary representation of a variable? This is a clearly defined transformation, but I'm not sure how it would translate into an operation on decimal numbers, or if it could be made to work.

I can certainly see now how computational methods are rendered less effective, but aren't there people out there working on solution algorithms that don't depend on exhaustive search?

Treb.

__________________
I'm not a Bug, I'm a Feature!
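An added example, not code from this thread or from any of the clients posted in it, to put concrete numbers behind the two exchanges above (barclay's answer that a hash gives away nothing useful about its input, and the ROTL/"word operation" question). It is a compact SHA-1 written from the FIPS 180-1 description, plus a helper that counts how many of the 160 digest bits differ between two inputs such as "DOG" and "HOG". The function names sha1, sha1_hex, sha1_matches and sha1_hamming are this example's own. Two things to take from it: ROTL is a rotate of a 32-bit word as a bit pattern (the decimal or hex rendering is irrelevant), and every round mixes the state through additions mod 2^32 and the bitwise Ch/Parity/Maj functions, so the "system of equations" is nonlinear in every bit; that is why near-identical inputs produce unrelated digests, and why the digest carries no usable hint about the input's length or content.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROTL from the Secure Hash Standard: rotate a 32-bit word left by n bits.
 * It acts on the word's binary representation; valid for 1 <= n <= 31. */
static uint32_t rotl32(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32 - n));
}

/* Compress one 512-bit block into the five-word state h[0..4]: 16 message
 * words expanded to 80, then 80 rounds mixing with additions mod 2^32. */
static void sha1_block(uint32_t h[5], const uint8_t block[64]) {
    uint32_t w[80], a, b, c, d, e, f, k, tmp;
    int t;
    for (t = 0; t < 16; t++)             /* big-endian bytes -> 32-bit words */
        w[t] = ((uint32_t)block[4 * t] << 24) | ((uint32_t)block[4 * t + 1] << 16)
             | ((uint32_t)block[4 * t + 2] << 8) | (uint32_t)block[4 * t + 3];
    for (t = 16; t < 80; t++)
        w[t] = rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);
    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
    for (t = 0; t < 80; t++) {
        if (t < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; } /* Ch */
        else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; } /* Parity */
        else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; } /* Maj */
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; } /* Parity */
        tmp = rotl32(a, 5) + f + e + k + w[t];
        e = d; d = c; c = rotl32(b, 30); b = a; a = tmp;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* SHA-1 of an arbitrary-length message: append 0x80, zero padding and the
 * 64-bit big-endian bit length, then compress block by block. */
void sha1(const uint8_t *msg, size_t len, uint8_t out[20]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint8_t block[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    int j;
    for (i = 0; i + 64 <= len; i += 64)
        sha1_block(h, msg + i);
    rem = len - i;
    memset(block, 0, 64);
    memcpy(block, msg + i, rem);
    block[rem] = 0x80;
    if (rem >= 56) {                     /* no room for the length: one more block */
        sha1_block(h, block);
        memset(block, 0, 64);
    }
    for (j = 0; j < 8; j++)
        block[56 + j] = (uint8_t)(bits >> (56 - 8 * j));
    sha1_block(h, block);
    for (j = 0; j < 20; j++)             /* state words -> big-endian digest bytes */
        out[j] = (uint8_t)(h[j / 4] >> (24 - 8 * (j % 4)));
}

/* Lowercase hex digest of a C string (hex must hold 41 bytes). */
void sha1_hex(const char *s, char hex[41]) {
    uint8_t d[20];
    int i;
    sha1((const uint8_t *)s, strlen(s), d);
    for (i = 0; i < 20; i++)
        sprintf(hex + 2 * i, "%02x", d[i]);
}

/* 1 if SHA-1(s) equals the expected lowercase hex digest, else 0. */
int sha1_matches(const char *s, const char *expected_hex) {
    char hex[41];
    sha1_hex(s, hex);
    return strcmp(hex, expected_hex) == 0;
}

/* Number of the 160 digest bits that differ between SHA-1(s1) and SHA-1(s2). */
int sha1_hamming(const char *s1, const char *s2) {
    uint8_t d1[20], d2[20];
    int i, bits = 0;
    sha1((const uint8_t *)s1, strlen(s1), d1);
    sha1((const uint8_t *)s2, strlen(s2), d2);
    for (i = 0; i < 20; i++)
        for (uint8_t x = d1[i] ^ d2[i]; x; x >>= 1)
            bits += x & 1;
    return bits;
}

int main(void) {
    /* constructed sample inputs: the pairs asked about in the post above */
    const char *pairs[2][2] = {{"DOG", "HOG"}, {"DOG", "DOGG"}};
    char h1[41], h2[41];
    for (int i = 0; i < 2; i++) {
        sha1_hex(pairs[i][0], h1);
        sha1_hex(pairs[i][1], h2);
        printf("%s %s\n%s %s\n-> %d of 160 bits differ\n\n", pairs[i][0], h1,
               pairs[i][1], h2, sha1_hamming(pairs[i][0], pairs[i][1]));
    }
    return 0;
}
```

Build with any C99 compiler (for example `cc -O2 sha1demo.c`). The digest of "abc" matches the FIPS 180-1 test vector, and the one-character change from "DOG" to "HOG" flips roughly half of the 160 digest bits, which is the expected behaviour of a hash with no "closeness" measure to exploit.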


Posted by markp99 on 11-01-2002 07:37 PM:

Per the STATS page, one minute ago,

8003 work units completed (24941082 points).
7352 work units uncompleted (48440352 points).
Percent done: 33.99 %

Are we really this far into the FULL crunch, or just the 8+1 space?

__________________
TiVo | SERIES2 - 226 hrs (black)
TiVo | SERIES2 - 40 hrs (silver)


Posted by TreborPugly on 11-01-2002 07:40 PM:

quote:
Originally posted by markp99
Per the STATS page, one minute ago,

8003 work units completed (24941082 points).
7352 work units uncompleted (48440352 points).
Percent done: 33.99 %

Are we really this far into the FULL crunch, or just the 8+1 space?



Pretty sure this is just the 8+1 space. And define FULL crunch? If the 9 character space doesn't work, we need to move on to the 10 character space, etc...

The "FULL crunch" would be the 20 character space, no format rules.

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by CrispyCritter on 11-01-2002 07:52 PM:

quote:
Originally posted by MuscleNerd
We've seen evidence elsewhere of how hard it is to get codebase changes thru their QA process. Something like what you're suggesting would never have been justifiable, given the much easier route of simply making the string longer, which requires no code change at all.
Good point! Though if we keep on solving the code, they'll have to do some source code changing eventually. But you convinced me it's very unlikely this release.

__________________
CrispyCritter
Ben: Phillips 112 (107 hours) Lifetime 3.0. T2,T3: Phillips 112 unsubbed
Sue: AT&T(40hours) Lifetime 4.0. Fred: TiVo(80hours) Lifetime 4.0. Barney: TiVo(127hours) Lifetime 4.0


Posted by Jonathan_S on 11-01-2002 08:05 PM:

Given the time it would take to search the 20 char space, the fact that we have to re-search every time we want to find a new code (i.e. every software release), and that this backdoor code is intended to eventually be known to (knowledgeable) end users of the product, I doubt that tivo will change the code to further mangle the hash.

If they didn't want us to access backdoors they would just put an invalid value in there and be done with it. No need to further complicate the process.


Of course, theoretically we could save every single hash we found in a massive table (sorted somehow to allow us to look up new hashes quickly) as opposed to re-searching the entire space for a new software version, but the stored size would be prohibitively large.
If it was stored with 0 overhead, just the 180-bit hashes (not even counting the matching string we would need), it would take up 3890510000000000000000 terabytes for the up to and including 20 char space.

__________________
Sony T-60 - 109 hours


Posted by Herg on 11-01-2002 08:07 PM:

quote:
Originally posted by CrispyCritter
Though if we keep on solving the code, they'll have to do some source code changing eventually.


I have to disagree with this. If they make the plaintext key long enough, it soon becomes impossible to brute-force it before the next software update happens.


Posted by CrispyCritter on 11-01-2002 08:32 PM:

quote:
Originally posted by Herg
I have to disagree with this. If they make the plaintext key long enough, it soon becomes impossible to brute-force it before the next software update happens.
Oh, technically, I agree. Even 12 random characters looks impossible for us to solve this release. But from a human factors viewpoint, it has to be usable; and I don't think 12 random characters is usable. Why include it then? So I think they would change code first.

__________________
CrispyCritter
Ben: Phillips 112 (107 hours) Lifetime 3.0. T2,T3: Phillips 112 unsubbed
Sue: AT&T(40hours) Lifetime 4.0. Fred: TiVo(80hours) Lifetime 4.0. Barney: TiVo(127hours) Lifetime 4.0


Posted by stormsweeper on 11-01-2002 08:49 PM:

quote:
Originally posted by Jonathan_S
If they didn't want us to access backdoors they would just put an invalid value in there and be done with it. No need to further complicate the process.


Maybe they did.


Posted by DVDerek on 11-01-2002 09:00 PM:

quote:
Originally posted by Jonathan_S
Given the time it would take to search the 20 char space, the fact that we have to re-search every time we want to find a new code (i.e. every software release), and that this backdoor code is intended to eventually be known to (knowledgeable) end users of the product, I doubt that tivo will change the code to further mangle the hash.

If they didn't want us to access backdoors they would just put an invalid value in there and be done with it. No need to further complicate the process.


Of course, theoretically we could save every single hash we found in a massive table (sorted somehow to allow us to look up new hashes quickly) as opposed to re-searching the entire space for a new software version, but the stored size would be prohibitively large.
If it was stored with 0 overhead, just the 180-bit hashes (not even counting the matching string we would need), it would take up 3890510000000000000000 terabytes for the up to and including 20 char space.




HMMMM.... Has anyone bothered to check if there's any site out there that does just this (stores SHA1 hashes) for random character strings? I mean... if they went up to even 10 characters it would save us some work!

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by barclay on 11-01-2002 09:13 PM:

quote:
Originally posted by DVDerek
HMMMM.... Has anyone bothered to check if there's any site out there that does just this (stores SHA1 hashes) for random character strings? I mean... if they went up to even 10 characters it would save us some work!


I somehow doubt such a beast exists. There are 4,678,622,632,622,772 possibilities for 10 characters that we're interested in. That would require 83 petabytes of storage just to store the raw hashes themselves.

You need to go down to 5 or 6 characters before you enter the realm of reasonable storage sizes.


Posted by DVDerek on 11-01-2002 09:14 PM:

quote:
Originally posted by barclay
I somehow doubt such a beast exists. There are 4,678,622,632,622,772 possibilities for 10 characters that we're interested in. That would require 83 petabytes of storage just to store the raw hashes themselves.

You need to go down to 5 or 6 characters before you enter the realm of reasonable storage sizes.



Yeah, I quickly realized that after I posted. Oh well.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by lmurray on 11-01-2002 09:34 PM:

quote:
Originally posted by barclay
That would require 83 petabytes of storage


HMMM... 83 petabytes... that's what I need in my tivo !


-lloyd-


Posted by MikeLaw on 11-01-2002 10:07 PM:

quote:
Originally posted by brianld
Anyone have so much time on their hands that they'd cough up an HP-UX 11.0 port? I don't think it's worth the effort if it's just my one box, but perhaps there are others in here who could use it?


If I get some free time this weekend, I'll post up a binary for you. I haven't built it on an HP-UX box, but the code looks like it would probably build OK. I don't have a UX box handy that has the OpenSSL libraries installed, so I'd have to do that first.

__________________
....mike


Posted by jnk27 on 11-01-2002 10:25 PM:

83 petabytes!

lloyd,

If jafa would have built a daisy-chainable disk board, I computed ~ 3 years of storage using (128) 200 GB disks (link). This stores ~3 years of TV watching for ~$50K.

With 83 petabytes you could expand that to 8422 years for about 23 billion dollars. But that assumes jafa could produce ~500,000 of his 128 mega boards, and you could get about 58 million (200GB) disks. I bet you could get a volume discount.

Should we have a poll to see how many people would want to buy an 83 petabyte TiVo?

John


Posted by lmurray on 11-01-2002 11:11 PM:

came home tonight to find both of my windows boxes working on this pattern

???????A

Ahh.. is this a bug?

-lloyd-


Posted by barclay on 11-01-2002 11:25 PM:

quote:
Originally posted by lmurray
came home tonight to find both of my windows boxes working on this pattern

???????A

Ahh.. is this a bug?



Which software version are you using? This sounds like one of the older versions that is still trying to talk to my server.


Posted by JoeltheTiVoFan on 11-01-2002 11:50 PM:

There is an easy way for Tivo, Inc. to have made a long password

The 'keyboard' for the Search by Title entry leaves the cursor on the current key, correct?

Therefore....

Tivo, Inc. could make it really difficult for the brute force approach by simply making the password something like "TTTTIIIIVVVVOOOO" - which would take next to no time to 'type in' vs. "TIVO" - and is a nice 16 character value, for example....

-Joel


Posted by JoeltheTiVoFan on 11-01-2002 11:58 PM:

Also....

While the math is not too difficult to do, I am a bit lazy today...

...certainly, I am guessing that the code contains "3#2" in there, where # is zero or more spaces. (most likely 0 or 1)

Therefore, if our brute force approach used the pattern:

*3#2*

...where * is zero or more random characters, you'd probably have a much smaller search space.

I'd suggest that if we have to get to 10 characters, that somebody modify the code to create a bunch of "*3#2*" work units of length 10 and 11, and compute those, and if that fails, to then write software to consider the general space...

Trying "*32*" and "*3 2*" as subsets of the 10, 11, 12 character spaces makes a computational problem of those larger strings not really more complex than the 9 character space...

past 9 characters, we should try things a little less than brute force first...

Just a thought...

-Joel


Posted by sacherjj on 11-01-2002 11:59 PM:

I would rather that the backdoor code was all numbers and spaces, as this would be much faster to enter with Fast Forward working as a space.

1 (ff) 2 (ff) 3 (ff) 4 (ff)...

__________________
Tivo Series 2 @ 240 Gig.


Posted by lmurray on 11-02-2002 01:08 AM:

quote:
Originally posted by barclay
Which software version are you using? This sounds like one of the older versions that is still trying to talk to my server.


1.3 on my win2000 box, and 1.6 on the win98se box. Weird. I restarted both, and they looked good.

any ideas?

-lloyd-


Posted by dbates on 11-02-2002 01:43 AM:

I wonder if you could just call Tivo Care and pretend that you had a problem that would lead the rep to giving you the Backdoor Code to look at something in the logs? Regardless, running the Tivo Crack clients this week has been a fun distraction!

BTW:
1 NT4 box running barclay v1.5
1 XP box running barclay v1.5
2 OS X v10.2.1 running dclient

I should go into work this weekend and run the barclay client on my coworkers computers to up my stats!

__________________
1 60hr Series2


Posted by timf on 11-02-2002 02:10 AM:

I can't seem to get TiVoCrack to work. When I run it, it tries to connect to the server but immediately fails with "Error decoding the work unit!" Is there something I need to do to get it working? It's obviously making some contact with the server, as I appear in the stats (as having done no work).

EDIT:

I was able to fix the problem. I run AdSubtract, and I had to unblock the server that TiVoCrack accesses. Make sure you uncheck all blocking for eolson.dyndns.org in AdSubtract or similar programs.

__________________
Tim F
Moderator: DirecTV Receiver w/ TiVo & Suggestion Avenue
Owner: 6 Active TiVos: 1 SVR2000, 2 SAT-T60, 1 TCD140060, 1 SVR3000, 1 HDVR2

For the latest DirecTV local channel information, go here .
Visit AVS Forum Live Chat for live help with your TiVo! View channel stats here .


Posted by Twostep on 11-02-2002 03:19 AM:

This could be good news or it could be bad news, depending on how you look at it...

I submitted the story about this hacking attempt to slashdot, and I just checked and they accepted it. I am not really sure why it isn't showing up on the main page yet, but I would guess it would show up sometime today or tomorrow. If so, now would be a good time to find a free place to host the crack source/binary, as I don't want someone getting a huge bill from their cable provider.

On the good side, we should hopefully have a bunch more people running the cracker.

Twostep


Posted by gregstoll on 11-02-2002 03:21 AM:

quote:
Originally posted by Twostep
This could be good news or it could be bad news, depending on how you look at it...

I submitted the story about this hacking attempt to slashdot, and I just checked and they accepted it. I am not really sure why it isn't showing up on the main page yet, but I would guess it would show up sometime today or tomorrow. If so, now would be a good time to find a free place to host the crack source/binary, as I don't want someone getting a huge bill from their cable provider.

On the good side, we should hopefully have a bunch more people running the cracker.

Twostep



Ack. I'd be worried about people cheating with the client...that would suck a lot. Especially with the enticement of stats...some people just suck.


Posted by TiredGuy on 11-02-2002 03:53 AM:

Yikes!

Is there any way to contact /. and ask them NOT to run that post? I suspect that as soon as the post hits the front page, both tivocommunity.com and all of the pages associated with TivoCrack will be brought down by the load.

Instead of helping, posting might actually slow down the effort since the servers serving the blocks surely aren't setup to handle that load.


Posted by Tiger on 11-02-2002 04:00 AM:

Well to avoid the cheating, you could do what Seti@Home does and send out the block multiple times and compare the results. If they come back different, invalidate both results and re-queue the block.

__________________
Are we not men? We are TiVo!


Posted by DVDerek on 11-02-2002 05:16 AM:

Re: Yikes!

quote:
Originally posted by TiredGuy
Is there any way to contact /. and ask them NOT to run that post? I suspect that as soon as the post hits the front page, both tivocommunity.com and all of the pages associated with TivoCrack will be brought down by the load.

Instead of helping, posting might actually slow down the effort since the servers serving the blocks surely aren't setup to handle that load.



Well, I think we need the help. I pray to god no one cheats it. Perhaps we should change the version numbers now so we know the "pre-slashdot" contributors. Those would be the ones we could presumably trust the most.

Seti@Home has had big problems with cheaters lately. Slashdot ran a story about it yesterday.

I think it may be wise to take the stats offline. Store them and publish them at the end or something. It will stop the cheaters.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by MikeLaw on 11-02-2002 05:57 AM:

I think Edwin should seriously consider eliminating the top users section of the stats page if we hit /., since that this is the main thing that seems to lure fakers. Submitting duplicate blocks like Seti isn't going to help much here, since the result that is reported back is so trivial -- presumably two fakers would report the same thing.

I'm not as concerned about the traffic load, assuming blisstonia and eolson.dyndns.org are different places, they can crush the stats page, just don't slow the flow of new work units.

Besides, who needs the user rankings? We all know that StanSimmons is so the man, it isn't even funny.

__________________
....mike


Posted by StanSimmons on 11-02-2002 06:02 AM:



I'm just lucky to have a cool boss and some machines (currently ~100) that are idle and available.... Otherwise the only computer I would be running it on is my personal 300MHz AMD box.

If we get slashdotted, I HIGHLY recommend the stats get hidden...

PS: Jonathan_S must have a couple of hot systems... He is getting 11.75 points/second out of 2 IP addresses, where I'm getting 91.08 pps out of 107 IP addresses.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by MikeLaw on 11-02-2002 06:17 AM:

Yeah, I've got a boatload of iron at work, but they might put me in jail if I turned that loose. I've got 6 or 7 boxen at my wife's small office that I will set on it in the morning, but the couple thousand sleeping boxes at work sitting there idle break my heart.

Thinking about the next address space, I'm assuming that we would likely try 8+2 or 9+1 before going to the full space 9? If it is a 12+ digit code without spaces, we are going to be at this for quite a while.

__________________
....mike


Posted by Jonathan_S on 11-02-2002 06:41 AM:

Actually what I have is a bunch of ok systems behind two NAT routers.
I currently have 5 machines at home and 4 more at a friend's house. All but one are dual processor, with speeds in the 500 - 800 MHz range.

Lots of machines, but they all show up as only two ip addresses.

__________________
Sony T-60 - 109 hours


Posted by Otto on 11-02-2002 06:54 AM:

Detecting cheaters shouldn't be too difficult. I see Edwin is logging IPs, so all you'd really need to do is to look for more than a normal number of result sets coming from the same IP. Okay, NAT will let you put a large number behind one IP, but anything more than 20-30 pps would be a bit odd, for sure.

Either that or implement usernames/passwords to only allow specific, trusted people to participate and to block out people known to be cheating.

If the userbase gets large enough, multiple people doing the same blocks becomes more feasible. Doubles your time, but if you get a large enough amount of cpu power it's not a big deal. This would only let you verify negative results of course. A positive result can be verified in seconds.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Attack on 11-02-2002 07:08 AM:

Hey Guys, I figured it was time for me to post since I have been running this for so long.

I was wondering if anyone that has changed the hash in tivoapp has tried to see if you can get to the backdoors from the wishlist area. If so we would have to start over as you could use the * and " in this area. I would try it but I only have a few Series 1 SA TiVo's.


I had a dual Athlon 1.8 I was building as a server for my work; we just set the thing up this past Sunday.


As for the machines I am running this on now.

P3 600
P4 1.7 Laptop
Athlon 1.8
Dual Athlon 1.2

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by Otto on 11-02-2002 07:22 AM:

I don't think anyone has tried it, but I'm betting that no, you can't do it from wishlists. I did try it on previous code versions with no luck.

There's no real reason to suspect they got any trickier than making the code different and longer. All this second guessing is good to think of new ideas, but none of them are likely, IMO.

BTW, if anyone has any good guesses for longer passwords, download the damn hash calculator here: http://www.damn.to/software/files/dm_hc151.zip

And put in your guess. Capital letters. The SHA-160 hash for the correct code will start with 04B2.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Attack on 11-02-2002 07:25 AM:

Sorry about this, but I forgot to update my laptop's ip once I got home and TiVoCrack failed to report that I had finished the Pattern = [LW?? ????]

I am guessing that I would have seen something if I had found the correct backdoor code in this pattern or am I wrong?

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by mstroh on 11-02-2002 08:46 AM:

I'm working on [H4??? ???] right now, how is this any different from [H4???????] since the space is part of the alphabet that we are using? I would think that since the space is part of the alphabet that it would be covered in the [H4???????].

Am I missing something?

mike


Posted by dotslasher on 11-02-2002 10:24 AM:

We're heeeer

Welp. You've surely hit slashdot. Hold on to your socks. Hopefully
we're not all a$$holes and most people respect what you're trying to do.
I'm helping out with my feeble home machine. Good luck!

quote:
Originally posted by MikeLaw
I think Edwin should seriously consider eliminating the top users section of the stats page if we hit /., since that this is the main thing that seems to lure fakers. Submitting duplicate blocks like Seti isn't going to help much here, since the result that is reported back is so trivial -- presumably two fakers would report the same thing.

I'm not as concerned about the traffic load, assuming blisstonia and eolson.dyndns.org are different places, they can crush the stats page, just don't slow the flow of new work units.

Besides, who needs the user rankings? We all know that StanSimmons is so the man, it isn't even funny.


Posted by baliktad on 11-02-2002 11:22 AM:

quote:
Originally posted by Twostep
This could be good news or it could be bad news, depending on how you look at it...

I submitted the story about this hacking attempt to slashdot, and I just checked and they accepted it. I am not really sure why it isn't showing up on the main page yet, but I would guess it would show up sometime today or tomorrow. If so, now would be a good time to find a free place to host the crack source/binary, as I don't want someone getting a huge bill from their cable provider.

On the good side, we should hopefully have a bunch more people running the cracker.

Twostep



Well you have indeed made the front page of /. I'm an avid reader there and don't own a tivo or have any interest in it really, but I do have my pitiful home machine and am also the sysadmin of a 30-box lab at school. Projects like this interest me so I'll run the client here and see what I can do at school. Prepare for a lot of help here guys, they posted direct links to both the Windows and Linux versions of the clients and /. readers are probably your next most interested audience after this tivo community following.


Posted by MikeLaw on 11-02-2002 11:35 AM:

The initial results are not so good. My Unix client was unable to connect about 30 minutes after the slashdot article hit.

On the plus side, we are now up to 224 users according to the stats site. At least most of the folks that find us from /. should be down with our general goals. By noon, the numbers will be through the roof. Hope Edwin is ready...

__________________
....mike


Posted by MikeLaw on 11-02-2002 11:44 AM:

quote:
Originally posted by mstroh
I'm working on [H4??? ???] right now, how is this any different from [H4???????] since the space is part of the alphabet that we are using? I would think that since the space is part of the alphabet that it would be covered in the [H4???????].

Am I missing something?



Yes. The string [H4???????] would include your string, but it has never been assigned. The server is only sending strings that include embedded spaces. Therefore, [H4 ??????] [H4? ?????] [H4?? ????] [H4??? ???] are all different. They do overlap slightly, but using these keys reduces the overall search space dramatically. In addition, it ensures that if the key contains a number of spaces (as expected) quite a few people will be given the unit that includes the key and thus double check each other.

For instance, if the key is "H4 3 2 B C" Then [H4 ??????] and [H4?? ?????] and [H4???? ???] and [H4?????? ?] will all hit.

__________________
....mike


Posted by subuni on 11-02-2002 11:50 AM:

quote:
Originally posted by Otto
I don't think anyone has tried it, but I'm betting that no, you can't do it from wishlists. I did try it on previous code versions with no luck.


I just tried this, with a known hash in mfs, and as suspected entering it through the wishlist screen didn't work (tried on actor/director/keyword/title screens)

quote:
There's no real reason to suspect they got any trickier than making the code different and longer. All this second guessing is good to think of new ideas, but none of them are likely, IMO.



I agree. I would imagine it's just a long (20 char) code that's relatively easy to enter (i.e. 19 z's followed by a 1, or ABBAABBAABBAABBAABBA). Or, it's something that can't be entered... either longer than 20 characters, or it uses characters that can't be entered -- Obviously they wouldn't want to remove the code that makes up the back doors, due to QA/release cycles. So before they GM the release, they slap an "impossible" hash into MFS. It doesn't impact the code base, so QA is happy, and causes threads like this one, which must make all TiVo employees happy. Watching all the speculation ("Hey, did you notice <some tivo employee that posts here> used a lot of vowels in his posts today? You think that was a hint?") and watching the concentrated effort on cracking something relatively minor -- i.e. we can avoid this hassle by just changing the hash in MFS.

And by no means am I trying to be negative towards this effort, as I think it's really f'n impressive, I applaud everybody involved, and it's great to see all these wild ideas thrown out there (note: they're sorely lacking in other threads :P ). But I think there's a point where we need to throw in the towel (and it's rapidly approaching if it's not already here), make a nice bootdisk for users that'll automatically patch their MFS with a known hash, and move this concentrated effort on to something that would be more beneficial to the "underground" community, and isn't easily changed in the next release (i.e. certain items that are stored in read-only-memory). I'd especially hate to see all this effort used, the code is finally found, and the next day TiVo rolls out a special 100byte service pack whose sole purpose is to change the hash again.

Just my late night/early morning skepticism though.


Posted by JoeltheTiVoFan on 11-02-2002 12:03 PM:

Sorry, I'm outta here...

The point of this was to simply find a back-door code to enable a few features. But all the backdoor code enables are silly little things like 'advanced wishlists' and menus in italics, fun stuff. Knowing this code didn't harm TiVo, Inc. - in fact it 'feels' in this forum that our knowledge of these codes is given a knowing 'wink-wink/nudge-nudge' by TiVo, Inc. - I don't know this - just 'feel' that way. Having and using these codes (and finding them) have actually made me want to purchase MORE TiVo product, not less!

I feel this was and is innocent fun because all of us appeared more than willing to honor the fundamental agreement we entered into when we bought the TiVo boxes - we knew we were paying for a hard drive, CPU etc. with A/V input/outputs, and that in turn, the company selling this stuff (TiVo) said (paraphrased) 'to use it, you must use our subscription-based television listing service; that's where we make our money'. So, by just trying to figure out how to turn on some fun little features, none of us here were trying to hurt TiVo's business model in any way. We were all paying the subscription fees.

The point is: I knew the deal I was getting into when I purchased my TiVo, and I could have avoided it by simply not buying the box - I wasn't 'forced into buying it'

I am a huge fan of open source software. I'm also a fan of honoring the fundamental principle of agreements I enter into, because if I don't like the agreements, I don't need to enter into them in the first place.

I went and read the comments on slashdot.org. From the comments, I am concerned that at least some people there may think this effort is about figuring out a way to crack around the fundamental agreement - to either get the TV listing service for free, or set up some other capability that hurts TiVo's business model. And I also get the feeling that some people feel that somehow TiVo, Inc. is 'hurting' us or 'not being fair' by saying we can only use their boxes when we pay for their service. I just feel that opinion is misguided - that's like saying a restaurant is being unfair because they let you come in, and sit at their tables, and somehow, unfairly, insist that you order food off of only THEIR menu and not let you do things like use your cell-phone to call Domino's pizza and have the food delivered there. Or that, when a 24x7 restaurant offers "all you can eat buffet" it's wrong for them to get annoyed if you permanently camp out there, and live there for 4 days, eating the food for one charge. When I go to a restaurant, I know they aren't providing table space for free, or an eternal buffet for one price - I know they want me to order their food, or eat ONE meal at the buffet, and I knew, when I bought the TiVo, that I also was signing up to using their TV listing service, and paying for it. I bought a lifetime subscription - so I have certainly paid for the use!

Now, I know the originators of this effort have NOTHING to do with trying to steal TiVo service. But right now, for me, I worry that some people now involved in helping this effort think it's about something else - and that just takes the fun out of it for me.

Sorry to ramble so much - sigh.


Posted by MikeLaw on 11-02-2002 12:22 PM:

You've got to take slashdot comments with more than a grain of salt. For every 1 insightful comment, you'll get 10 nitwits. That is just the nature of the beast. If you look at the last few times we've been up on /. it always follows the same pattern. People rant and rave about the wrong issue and Otto posts an explanation of how it is (which incidentally, never seems to get modded all that high) and the servers go to crap for a day or two and then things get back to "normal". In truth, this issue has more on target comments than any of our previous /. posts.

I'm not really troubled that people are participating in the project for the "wrong" reasons. If they think they are bringing TiVo to its knees, so what? TiVo knows better, we know better, hell, most of the folks joining in know better. There are now 291 unique users running the decrypter. If Edwin's servers can handle the number of people who join, this will simply speed the process up tremendously.

__________________
....mike


Posted by c0ntempt on 11-02-2002 12:56 PM:

another slasher on the case

was just browsing through from /.
added 20 1.6 ghz p4s to the job and 8 pIII-833's =)


cheers and good luck

tavis


Posted by Twostep on 11-02-2002 01:07 PM:

Well, it looks like things are holding up reasonably well... This forum seems as fast as normal, and I haven't had any trouble getting new keyspaces to search.

It does look like we might start to run out of keyspace soon, so I hope EdwinOlson adds some more. The time until we are done has been going down pretty quickly (down 4 or 5 hours in the past 30 minutes)

Twostep


Posted by knownzero on 11-02-2002 01:27 PM:

I think the fact that they posted this on a Saturday, might help relieve some of the /.'ing effect. Nice job c0ntempt! Wo0t!

hmm.. maybe it's time I go put some of those /. mod points I have to good use over there for this one.

__________________
Art is very often relegated to a small corner of this modern society. In doing so, many of the ties between art, life, and learning have been severed. Art is an integral part of the human experience. Whether it be formal or informal, the discovery of oneself through creation is something that everyone goes through in life. All the arts, not just the visual, provide the tools needed to make this self-discovery. To make art is to be alive. It is about living one's original ideas, rather than repeating those of others.


Posted by Marky Boy on 11-02-2002 01:36 PM:

Aye. Got five of them, waiting to be used. Do I mod the good stuff up, or go trollhunting? Such a choice...


Posted by dswallow on 11-02-2002 01:41 PM:

Hmphh... I find out about this through SlashDot, but am in the TiVo forums every day, just not the underground all that often anymore.

I've got a bunch of computers running it now, a few more come Monday.

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by MikeLaw on 11-02-2002 01:48 PM:

In the last hour, we've added about 100 new users to reach 393. I doubt that many of them are running 28 boxen like Tavis (big thanks!), but still the number of crunchers is going through the roof. I hope Edwin isn't the type to sleep late, because we are going to eat all the current units very quickly at this rate -- I think less than two hours (extrapolating).

__________________
....mike


Posted by dswallow on 11-02-2002 01:58 PM:

I was wondering... has anyone run up to 7 characters using the full ASCII alphabet instead of the TiVo-limited one, just in case TiVo decided to play games?

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by Tels on 11-02-2002 01:59 PM:

source code

I am planning to set up a server to distribute the attack, too (actually, it is already running :)

Does anybody have the source code for the client? Or is it straight SHA1 of the password (in which order are the password characters? zero terminated? endianess?)

Thanx in advance,

Tels


Posted by dswallow on 11-02-2002 02:01 PM:

Re: source code

quote:
Originally posted by Tels
Does anybody have the source code for the client? Or is it straight SHA1 of the password (in which order are the password characters? zero terminated? endianess?)


http://www.blisstonia.com/dtc/

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by Tels on 11-02-2002 02:06 PM:

Ah, I assumed that was a binary only.

I'll check it out. I saw the current server running - is this a special project, or something general adapted to tivo?

Thanx!


Posted by thinko on 11-02-2002 02:22 PM:

After reading through the complete history of this 3.2 crack attempt, I have a couple questions I was wondering if someone could help me with. I am currently running the client on my machine, with deployment on another 6 or so within a couple hours.

At work we have small clusters of multi-processor x86, itanium, and alpha (ev67) machines, and I was wondering if anyone had any luck porting the code to run on ia64 or alpha platforms.

The other problem I face, (independent from the last) is those machines are 'very' far away from internet access (with no chance of bringing them any 'closer', I would like a method of queuing a small set of work-units (15?, 25?, 100?) that I could take in via 'sneaker-net' and bring the results back to my workstation via 'sneaker-net' after those blocks are completed. Maybe this is an unreasonable request, but I hate to see this disparate processing power being wasted. (these machines currently only perform meaningful work during business hours)

IMHO, I definitely agree with DVDerek / MikeLaw as to removing the top-10 stats - as of late, there are too many people that are more concerned with having their name at the top of a distributed-project chart than solving the true problem. =)

________
- Thinko -


Posted by EdwinOlson on 11-02-2002 02:25 PM:

Oh god. My server load just shot up significantly.

And I suspect my service provider is going to kill me. At this moment, 651 IP addresses. My server load occasionally goes through the roof, but so far it looks like it's holding. Unfortunately, the server was a "quick hack", not designed to be ludicrously scalable.

And yay, we have our first forged replies.

My plan was to let the current blocks "run out" and then have a mandatory client upgrade. Barclay & I have been working on a more tamper-resistant protocol, and I may take the opportunity to relocate the key server to another machine that can cope better.

Now that there are >650 machines running the code, I'm not sure whether to do this or not. Unfortunately, a good chunk of the tamper resistance requires a client change. Thoughts?

I was also considering a binary-only release. Thoughts?

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
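The thread raises three separate integrity checks for a distributed search of this kind: Tiger's redundant assignment of each block, Otto's per-IP rate anomaly (with MikeLaw's caveat that two fakers agreeing on "no hit" passes redundancy), and direct re-hashing of any claimed hit, which is what makes positives cheap to verify. As an added example that is not the TiVoCrack/barclay server code or Tels' framework, here is a small work-unit ledger that implements all three; the client alphabet, the 30 units-per-second limit, and every IP, timestamp and block pattern are constructed assumptions, and SHA-1 of the known 3.0 code "3 2 BC" stands in for the unknown 3.2 target hash.

```python
import hashlib
from collections import defaultdict

# Assumed client alphabet (letters, digits, space) standing in for the
# TiVo-remote-limited character set the thread's clients search.
ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")
REDUNDANCY = 2          # Tiger's idea: a block is only cleared by two independent reporters
MAX_UNITS_PER_SEC = 30  # Otto's "anything more than 20-30 pps would be a bit odd" (assumed)

# Constructed target: the known 3.0 code's SHA-1 plays the role of the 3.2 hash
# so that the example is self-contained and verifiable offline.
TARGET_HASH = hashlib.sha1(b"3 2 BC").hexdigest()


def matches_pattern(key, pattern):
    """True if key lies inside the work unit described by pattern, e.g. 'H4?? ????'.
    '?' stands for any alphabet character; every other position is fixed."""
    if len(key) != len(pattern):
        return False
    for k, p in zip(key, pattern):
        if p == "?":
            if k not in ALPHABET:
                return False
        elif k != p:
            return False
    return True


def verify_hit(claimed_key, pattern, target_hash=TARGET_HASH):
    """A positive result needs no redundancy: recompute the hash ourselves and
    insist the key lies inside the block the client was actually assigned."""
    if not matches_pattern(claimed_key, pattern):
        return False
    return hashlib.sha1(claimed_key.encode("ascii")).hexdigest() == target_hash


class Ledger:
    """Per-IP bookkeeping: negatives need independent agreement, positives are checked."""

    def __init__(self, redundancy=REDUNDANCY):
        self.redundancy = redundancy
        self.negatives = defaultdict(list)   # pattern -> IPs that reported "no hit"
        self.cleared = set()                 # patterns with enough independent negatives
        self.suspect = set()                 # IPs that cleared a block a verified hit was in
        self.timestamps = defaultdict(list)  # ip -> report times in seconds (constructed)

    def report(self, ip, t, pattern, hit=False, claimed_key=None):
        self.timestamps[ip].append(t)
        if hit:
            if not verify_hit(claimed_key, pattern):
                return "forged"
            # Anyone who already reported this block empty was lying or broken;
            # this is the only way two agreeing fakers get caught.
            self.suspect.update(self.negatives[pattern])
            return "confirmed"
        if ip in self.negatives[pattern]:
            return "duplicate"      # one IP may not vouch for the same block twice
        self.negatives[pattern].append(ip)
        if len(self.negatives[pattern]) >= self.redundancy:
            self.cleared.add(pattern)
            return "cleared"
        return "pending"

    def rate_outliers(self, window=60.0, limit=MAX_UNITS_PER_SEC):
        """IPs whose report rate over the trailing window is implausible even
        for a NAT gateway with a few dozen machines behind it."""
        flagged = set()
        for ip, times in self.timestamps.items():
            latest = max(times)
            recent = [x for x in times if x >= latest - window]
            if len(recent) / window > limit:
                flagged.add(ip)
        return flagged


def demo():
    """Constructed sample traffic: two reporters who clear a block, one forger, one flooder."""
    ledger = Ledger()
    results = [
        ledger.report("10.0.0.1", 0.0, "3 2 ??"),                                   # pending
        ledger.report("10.0.0.1", 1.0, "3 2 ??"),                                   # duplicate
        ledger.report("10.0.0.2", 2.0, "3 2 ??"),                                   # cleared
        ledger.report("10.0.0.3", 3.0, "3 2 ??", hit=True, claimed_key="3 2 XX"),   # forged
        ledger.report("10.0.0.3", 4.0, "3 2 ??", hit=True, claimed_key="3 2 BC"),   # confirmed
    ]
    # A flooder returning 2000 distinct blocks in 20 seconds (constructed).
    for i in range(2000):
        ledger.report("10.0.0.9", 10.0 + i * 0.01, f"{i:04d}? ???")
    return results, ledger


if __name__ == "__main__":
    results, ledger = demo()
    print(results, "suspect:", ledger.suspect, "outliers:", ledger.rate_outliers())
```

Note that the confirmed hit retroactively marks both IPs that had "cleared" the block as suspect, which is exactly the failure mode MikeLaw describes: redundancy alone cannot catch reporters who agree on a false negative.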


Posted by micjordan on 11-02-2002 02:35 PM:

I'd be willing to upgrade the client to have it a bit more secure as far as keeping out faked results. And as much as I hate to say it, I'd be willing to have it binary only since it's pretty hard to keep it all secure when somebody has the source. It's only that .0001% we're worried about, but they can screw up the whole thing.


Posted by Tels on 11-02-2002 02:37 PM:

Ed:

I have setup a test server, please email or pm me for the IP.

There is a complete server/client solution, that was specially developed for these type of problems.

I already ported the tivo attack to it (I just need to know the exact charset that should be used, to make it a bit more optimized. I saw it posted here, but can't find it again for the moment)

The server comes with all the bells and whistles, and it has VERY good scalability (think an 800 MHz server can handle a couple of 10,000 clients without breaking into a sweat, on 1 ISDN line, if necessary). The source for the server/client is open source, as well as the framework to get a worker to run in it.

The server can handle arbitrary jobs (with ranking/percentage attached to them) and arbitrary charsets. It features tests that each client runs and an automatic worker update for the clients. (The worker is the thing which does the actual work, the client is the one just talking to the server).

The clients can run under Windows, Linux, OS/2 or ARM. I think Solaris or anything should be easily possible.

The client <=> server communication is clear text, over HTTP and very sparse (every hour or so).

I am setting up a webpage to explain everything, gimme a couple minutes. (please email me personally at tels at bloodgate dot com for questions or for the ip of the test server).

I am currently trying to see if my port finds:

115375040ae75635b2f4afec691a0228c2586a14 "3 2 BC"

Which was posted as a test in this thread. So far no luck, so something is amiss. Did I get the hash/password right?

Thank you!


Posted by micjordan on 11-02-2002 02:46 PM:

how do we register a username with this cracking program so that we can keep track of our individual stats?


Posted by c0ntempt on 11-02-2002 02:53 PM:

command line option

tivocrack /? will bring up a list of command line options

the one your looking for would be be

"tivocrack u*nick*" <-- no space inbetween u and the nickname

tavis


Posted by jasonc on 11-02-2002 02:54 PM:

for those of us using OpenBSD, use gmake instead of make.


Posted by GarySargent on 11-02-2002 02:59 PM:

Has anyone thought of running SHA-1 across a dictionary yet? It might be just one word - or maybe with something like "B D 3 2" added after a word.

Straight brute force hasn't a hope in hell of working if the string is long.

Chances are TiVo didn't use something like "AGVIDKFHDWFH" which means we can discount the vast majority of combinations...

__________________
http://www.tivoportal.co.uk » Everything you need to know about TiVo in the UK.
http://www.tivofaq.co.uk » Frequently Asked Questions.
http://www.tivonews.co.uk » TiVo UK Newsletters.
http://www.tivobugs.co.uk » List of current bugs and problems.


Posted by GarySargent on 11-02-2002 03:02 PM:

One other thought - shame we didn't create a database of all the SHA-1 hashes to allow a reverse lookup next time!

Could have just stored 20% of the hash to save space and we might have a few entries match next time.

It's not inconceivable that TiVo could change the backdoor code every month via the daily call....

__________________
http://www.tivoportal.co.uk » Everything you need to know about TiVo in the UK.
http://www.tivofaq.co.uk » Frequently Asked Questions.
http://www.tivonews.co.uk » TiVo UK Newsletters.
http://www.tivobugs.co.uk » List of current bugs and problems.


Posted by MikeLaw on 11-02-2002 03:09 PM:

quote:
Originally posted by EdwinOlson
Oh god. My server load just shot up significantly.

Now that there are >650 machines running the code, I'm not sure whether to do this or not. Unfortunately, a good chunk of the tamper resistance requires a client change. Thoughts?

I was also considering a binary-only release. Thoughts?



The problem with changing the client (or server at this stage) is that this current spike of interest from /. will not last all that long and if you invalidate the current clients you may never be able to get this kind of horsepower again. If you do switch, you should evaluate tels' solution, since you only want to do it once at most. If we can muddle through on your current server, it would be nice. You also may have people who have numbers of boxes running unattended who won't get back to them until Monday.

On the other hand, if your ISP pulls the plug, the whole thing is screwed. We certainly don't want to end up there.

If we are seriously concerned about tampering, you could release source only to people who can explain what they want to do with it. However, the Unix source does enable some people with big boxes to play. Someone may come in from slashdot who can offer some serious horsepower off some big fat Unix implementation. I'm old school and I love the code being up and public myself.

__________________
....mike


Posted by Tels on 11-02-2002 03:19 PM:

>a new tamper proof client

There is no such thing as a tamper proof client. You can make it only harder - but it can always be tampered with.

For a very good explanation of the problems, there is a good document at distributed.net. Unfortunately I have the URL at work and can't find it through the search box on their site.

I think concentrating on the task at hand and ignoring *possible* cheaters for now is an option. I don't think somebody would go through all the lengths to screw this project; there are much easier targets.

My page is getting ready..nobody did ask yet for the IP )

PS: My test still can't find the correct solution. Can somebody please post a hash and password combination that is known to work? I used the tivo crack source posted above, but I can't see any obvious things it does with the password before giving it to SHA1, so a working example would help me tremendously. Thanx!


Posted by micjordan on 11-02-2002 03:21 PM:

Ya, you definitely don't want to lose this slashdot momentum if you can at all help it.


Posted by EdwinOlson on 11-02-2002 03:29 PM:

Whatever-- tamper "resistant". And yes, I'm familiar with the problems and solutions dnet and seti have encountered

I am concerned about losing the chunk of folks we have now...

We could leave the old server running, searching, say, 9+0 AND have folks who are paying attention switch to the new client/server, where we could search 8+2 which I feel is more likely anyway. This way we shouldn't lose any machines, but our searching power would be diluted over a couple problems a bit. (Not a big loss.)

Eventually we may have to research some blocks, but we'll double check our work when we've covered more key space.

tels, if you want to send me information, just do it My email is plastered all over the place. But here it is again eolson@mit.edu. I'd be happy to talk to you about your ideas and integrate some of them into the client. However, barclay & I have invested a lot of time in this and I don't think we're likely to just abandon our code for a "lateral upgrade". You know what I mean?

There's also plenty of known ciphertext/plaintext on this message board and the one from 3.0; take a quick look.

PS: I forgot i was running the client on the server. I've killed that and now it's much happier

PS: The stats page is now cached. That should relieve some server load too.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Tels on 11-02-2002 03:31 PM:

Edwin: sent you an email - must be blind :-)


Posted by cliffzig on 11-02-2002 03:34 PM:

Has anyone just ASKED TiVo for the key?


Posted by micjordan on 11-02-2002 03:39 PM:

lol


Posted by Mars Rocket on 11-02-2002 04:09 PM:

At the rate things are going now you'll hit 1,000 IP addresses within an hour or so. It's been steadily climbing all morning...


Posted by gleffler on 11-02-2002 04:21 PM:

The link to the hash generator Otto posted should be: http://www.damn.to/software/hashcalc.html - they don't permit direct linking to their files.

/gleffler



Posted by JustAThought on 11-02-2002 04:25 PM:

Question DateTimeCombinations

Don't have a TiVo but stumbled across this page in the pre-purchase stage. I do have experience with embedded systems and figured I would share my thoughts. Going back to the possible hint that it is "October", I believe it would be worth a try to test combinations containing date and time. On a past system that we developed, the administrative password was completely dynamic and generated from "String"+Date+Time -- date and time as listed on the system login page.

Just some thoughts.


Posted by Tels on 11-02-2002 04:36 PM:

Ok, got the worker to run, it now finds the "3 2 BC" test password.

Added tivo charset to server (A-Z,0-9,'"' and ' ').

Added two testcases (one to find 3 2 BC and one to find nothing).

Added a mirror page for the server status pages. This way I can selectively disclose them, without the hordes of /. hitting the server :-)

Updated the pages (my PC changed IPs along the way) and got a test client to run against the test server.

Now let's see what happens next....


Posted by jjshoe on 11-02-2002 04:39 PM:

I also had to do this to the source to get it to compile.. I'm running Slackware 8.1

I'm also a little distraught that the package to download was named .tgz when it was just a tar....

oh well

I have an ASUS A7M266-D with two Athlon 1.6 GHz MPs backed up with a gig of RAM and a 550 watt PSU cracking away



quote:
Originally posted by bsnelson
OK, maybe this is a difference in OpenSSL versions, but I had to use "-lcrypto" in the Makefile instead of "-lssl". Works fine now!

Brad


Posted by DBordello on 11-02-2002 04:40 PM:

Ed, how are the clients communicating with your server? Connecting based on IP or domain? Do you have control of the DNS if it is a domain, so that we could move the server? If your server can't take the load I am sure someone will be able to set up a better one and you can move it over. Perhaps we could start a PayPal fund going towards a box at rackshack.net: $100/mo, $1 setup. $101 should do.

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Jayedeye on 11-02-2002 05:05 PM:

Hehe... This is just a cool, cool thing to do.... I've gotta hang out in the Underground more often...

Got my 1800+ Athlon crankin'

Jim


Posted by micjordan on 11-02-2002 05:05 PM:

About how long is this project expected to take? The answer I'm looking for is how long it will take if the correct key is the very last one tried.


Posted by DBordello on 11-02-2002 05:07 PM:

Wow, the numbers are increasing fast on the stats page. The pts/sec doesn't seem to be, though? Is that because we have to wait for all the new clients to turn in 1 WU to get their speed?

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by micjordan on 11-02-2002 05:09 PM:

the points per second is increasing slowly, but it was at mid-200's about 4 or so hours ago so it has more than doubled...


Posted by EdwinOlson on 11-02-2002 05:09 PM:

I apologize for those who are having build problems. Most people seem to have worked around them-- if you're stuck, look around for what other people did. The fixes have been incorporated into my tree so they shouldn't be a problem in the next release.

And I'll try to remember the 'z' flag next time I tar it up

-Ed

PS: We're now in the 9+0 space. Neat.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by jjshoe on 11-02-2002 05:09 PM:

this is something that's done quite often from the sounds of it.. cracking codes for tivo... you'd be better off talking to the folks at distributed.net and getting them to help you out... sure you'd have to spend some cash but the user base would be larger...


Posted by MikeLaw on 11-02-2002 05:13 PM:

micjordan: It is impossible to say. If we have to go to a full 20 digit key without a lot of embedded spaces, it will take pretty close to mathematically forever.

DBordello: The pts/sec are based on cumulative totals, so it doesn't move very fast.

__________________
....mike


Posted by Neural on 11-02-2002 05:14 PM:

What the heck

Just saw this thread on slashdot and figured why not? I have some idle cpu time.

I've added 2 boxes to the mix - one 1.13GHZ celeron and a measly 750MHz PIII.

I wonder what it says about quality of life when something like this becomes a source of enjoyment on a Saturday afternoon.


Posted by micjordan on 11-02-2002 05:16 PM:

forever sounds like a long time


Posted by imadork on 11-02-2002 05:16 PM:

I just joined on. My Athlon is chugging along at 40 minutes/unit. My G3 Macs are a bit slower...

I'm impressed at how far this has developed. By reading through this thread, it seems that you did all this in the past two weeks. And all in your spare time, to boot. I just have to say that's simply amazing!


Posted by Mars Rocket on 11-02-2002 05:18 PM:

Can somebody tell me how to include a space in the alphabet when running in local mode? I can specify it like:

tivocrack l p????? aABCDE01234

but if I try to put a space into the alphabet string it thinks I've added an unrecognized parameter and doesn't start.


Posted by DBordello on 11-02-2002 05:22 PM:

We sure could use dnet's power, but I think we have grown huge with /. I think that it would be very dumb to switch clients now; we have 582 active users!

How many users did we have before the /. post?

db

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by micjordan on 11-02-2002 05:24 PM:

I think it's more important how many active IPs there are since we can't tell how many people didn't bother changing their name from anonymous, and I'm sure about 85% didn't, if not more.


Posted by jjshoe on 11-02-2002 05:25 PM:

Most slashdot users who are old enough to be able to understand and use the client are in one of two boats.

1) you read the user license when you bought it, too bad for you

and

2) they have every right (but that doesn't mean they'll join in)

Now personally... if you offered a free TiVo etc. to the person who finds the proper key you just might be surprised how many more machines I dedicate to this hunt... just my two cents.


Posted by dmurphy on 11-02-2002 05:26 PM:

Can't get dclient to compile ...

I'm using Mac OS X and can't get dclient to compile ...

I'm getting this:

dmurphy@gazoo: make
g++ -Wall -O3 -c httppost.cpp
In file included from httppost.cpp:6:
SSocket.h:14: 'socklen_t' is used as a type, but is not defined as a type.
make: *** [httppost.o] Error 1


The requisite code from SSocket.h:
struct sockaddr _addr;
socklen_t _addrlen;

The only thing relevant from /usr/include/sys/socket.h:


/*
* Data types.
*/
typedef u_char sa_family_t;
#ifdef _BSD_SOCKLEN_T_
typedef _BSD_SOCKLEN_T_ socklen_t;
#undef _BSD_SOCKLEN_T_
#endif


Now, it's been a LONG time since I did any C programming, so I'm probably missing something trivial ....

'lil help?

--DM

(p.s. I have a 1GHz PowerPC processor and an 800mhz PPC processor I want to throw at this. When I get to work Monday, I can dig up some Sun SPARC machines as well -- probably 8 CPU machines or somesuch .... A month ago, I had a "spare" 32-way E10k, but it's being used now... d'oh!)


Posted by tarman on 11-02-2002 05:27 PM:

quote:
Originally posted by Mars Rocket
Can somebody tell me how to include a space in the alphabet when running in local mode? I can specify it like:

tivocrack l p????? aABCDE01234

but if I try to put a space into the alphabet string it thinks I've added an unrecognized parameter and doesn't start.



Put the strings in " "

tivocrack l p"?????" a"ABC DEF"


Posted by DVDerek on 11-02-2002 05:33 PM:

quote:
Originally posted by jjshoe
Most slashdot users who are old enough to be able to understand and use the client are in one of two boats.

1) you read the user license when you bought it, too bad for you

and

2) they have every right (but that doesn't mean they'll join in)

Now personally... if you offered a free TiVo etc. to the person who finds the proper key you just might be surprised how many more machines I dedicate to this hunt... just my two cents.



Keep dreaming. There are enough people who will do it for the hell of it. A prize just entices cheaters.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by imadork on 11-02-2002 05:33 PM:

Re: Can't get dclient to compile ...

quote:
Originally posted by dmurphy
I'm using Mac OS X and can't get dclient to compile ...



Shamelessly stolen from /. :


http://slashdot.org/comments.pl?sid=44005&cid=4583338


Posted by Tuz on 11-02-2002 05:33 PM:

I joined in last night when this article was first posted on /. and I DON'T EVEN OWN A TIVO. However, I've been thinking about getting one because I like the whole idea of DVR.

I've got my single 1.85 Ghz overclocked Athlon 2200+ chunking under the username Tuz at the moment.

Also, I have a few questions. How does TiVo work? If you buy a TiVo unit, are you required to pay a subscription to TiVo to make it work, or can you just use the local listings from your newspaper to figure out when you want to record stuff, etc.? I would really love to own one but being that I'm just a poor college student I really can't afford another $20 bill each month.


Posted by Tuz on 11-02-2002 05:37 PM:

quote:
Originally posted by DVDerek
Keep dreaming. There are enough people who will do it for the hell of it. A prize just entices cheaters.



LOL, you mean like me? I just think it's worth it to stick it to the man.

I don't even own a Tivo.

Recently I've been cracking passwords on PDF documents. My friend has a professor who is being a royal ass and not letting his students download and print his lecture notes. He claims to be writing a text-book or something and says they're copyright. No one in his class gives a damn about stealing his notes, they just don't want to have to take notes. Well the idiot posts the passworded PDF files on his website and I've been using a PDF password cracker to crack it. I found one of his passwords but apparently he has changed it recently, still working on the new one
When I saw this TiVo thing I thought, hey, that would be a good cause. So I immediately started.


Posted by MightyYar on 11-02-2002 05:41 PM:

Re: Can't get dclient to compile ...

quote:
Originally posted by dmurphy
I'm using Mac OS X and can't get dclient to compile ...

I'm getting this:

dmurphy@gazoo: make
g++ -Wall -O3 -c httppost.cpp
In file included from httppost.cpp:6:
SSocket.h:14: 'socklen_t' is used as a type, but is not defined as a type.
make: *** [httppost.o] Error 1


The requisite code from SSocket.h:
struct sockaddr _addr;
socklen_t _addrlen;

...



I had to make three changes to compile for Mac. First I had to define socklen_t as an int in SSocket.h:

typedef int socklen_t;

Next I had to change the paths to the openssl headers in tivocrack.cpp to reflect where fink stuck them:

#include "/sw/include/openssl/sha.h"
#include "/sw/include/openssl/ripemd.h"

Finally, I had to change the Makefile to change the -lcrypt flag to -lcrypto:

$(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypto -mhash

After that, full steam ahead!


Posted by dmurphy on 11-02-2002 05:48 PM:

If you're using Jaguar or any of the later 10.1.x releases, you don't need to use the openssl libs from Fink -- the default ones that ship with the OS work fine -- They're in /usr/include/openssl/*.h

Adding the typedef and changing the -lcrypt to -lcrypto worked fine! Thanks!!

--DM


Posted by Cletus on 11-02-2002 05:49 PM:

quote:
Originally posted by micjordan
about how long is this project expected to take? the answer im looking for is how long will it take if the correct key is the very last one tried.


Hopefully less than "bovine" RC5.

__________________
If you can't beat'em... pay someone to do it.


Posted by astrange on 11-02-2002 05:50 PM:

Saw this on Slashdot...
If you want to make the client run faster on OS X 10.2, put '-mdynamic-no-pic -mcpu=750 -mmultiple' at the end of the first line of the Makefile.


Posted by Attack on 11-02-2002 06:03 PM:

quote:
Originally posted by Tuz

Also, I have a few questions. How does TiVo work? If you buy a TiVo unit, are you required to pay a subscription to TiVo to make it work, or can you just use the local listings from your newspaper to figure out when you want to record stuff, etc.? I would really love to own one but being that I'm just a poor college student I really can't afford another $20 bill each month.





Tuz: To use the TiVo you have to pay for service, $12.95 a month or you can pay $250.00 for the lifetime of the unit.


Now if you are recording from a cable signal you will want to get a Series 1 SA TiVo since you can't run all the cool stuff on the new Series 2 units.
Here are the model numbers I happen to know are Series 1 SA units.
Philips HDR112 = 14hr
Philips HDR212 = 20hr
Philips HDR312 = 30hr

You can find them on Ebay all the time, here is a 20 hour

Feel free to email me with any questions attack at archondev dot com

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by Tels on 11-02-2002 06:05 PM:

Otto wrote:

Well, at least we have a worst case scenario for 3.2 units: Someone writes a program to modify that value on the drive directly into a known hash.

If someone wants to be tricky about writing such a thing, here's the hash for "3 2 BC", so as to keep it a little separate (if you like):

115375040ae75635b2f4afec691a0228c2586a14

This is actually wrong!

Checking commandline arguments...done
Initializing password generator...
Read 9 charsets.
Password generator v0.2 successfully initiliazed.
done
Initializing tables...Enabled comparisons:
0123: 11 53 75 04 0A E7 56 35 B2 F4 AF EC 69 1A 02 28 C2 58 6A 14
3210: 04 75 53 11 35 56 E7 0A EC AF F4 B2 28 02 1A 69 14 6A 58 C2
done
Starting main loop
md: 04 75 53 11 35 56 7E 0A EC AF F4 B2 28 02 1A 69 14 6A 58 C2
0123: 11 53 75 04 0A E7 56 35 B2 F4 AF EC 69 1A 02 28 C2 58 6A 14
3210: 04 75 53 11 35 56 E7 0A EC AF F4 B2 28 02 1A 69 14 6A 58 C2
differ 4 11
mem 0123 1
differ 4 11
differ 7e e7
mem 3210 1
differ 7e e7

You swapped 7e and e7 - this did cost me an hour to find :-/

Did somebody check and double-check that the real hash for 3.2 isn't actually garbled or swapped or something? :)
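Tels' worker output above compares the stored digest in both the straight ("0123") and the per-word reversed ("3210") byte order. The following is an added example, not code from the thread or from tivocrack, that performs the same two comparisons and reports the byte offsets that differ, which is how a hand-transcribed hash with two swapped hex digits gets caught on the first run; the constant and function names are my own, and it assumes (as Tels states) that the password is hashed with plain SHA-1 and no salt.

```python
"""Added example, not code from the thread or from tivocrack: verify a candidate
password against a stored SHA-1 digest in both the straight byte order ("0123")
and the per-32-bit-word reversed order ("3210"), reporting which byte offsets
differ so that a mistyped or byte-swapped hash is spotted immediately."""
import hashlib

# Remote-enterable charset as Tels lists it: A-Z, 0-9, double quote and space.
TIVO_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\" "

# Otto's posted hash for "3 2 BC", copied from the thread. Tels' run showed that
# two hex digits in one byte had been swapped by hand (e7 vs 7e), so it should
# NOT match; the diagnosis below shows exactly where it differs.
OTTO_POSTED_HASH = "115375040ae75635b2f4afec691a0228c2586a14"


def sha1_hex(password):
    """Plain SHA-1 of the ASCII password. Per the thread there is no salt and
    no other transformation applied before hashing (an assumption here)."""
    return hashlib.sha1(password.encode("ascii")).hexdigest()


def word_reverse(hex_digest):
    """Reverse the byte order inside each 32-bit word: the "3210" view of a
    digest that was stored as little-endian words."""
    raw = bytes.fromhex(hex_digest)
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4)).hex()


def diff_positions(hex_a, hex_b):
    """Byte offsets at which two equal-length hex digests differ."""
    raw_a, raw_b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    return [i for i, (x, y) in enumerate(zip(raw_a, raw_b)) if x != y]


def diagnose(stored_hex, candidate):
    """Compare SHA-1(candidate) with the stored digest in both byte orders.

    Returns a dict whose "match" is "0123", "3210" or None, plus the lists of
    differing byte offsets for each order. A single differing byte is a strong
    hint that the stored value was mistranscribed rather than the password
    being wrong."""
    computed = sha1_hex(candidate)
    stored = stored_hex.lower()
    differ_0123 = diff_positions(stored, computed)
    differ_3210 = diff_positions(word_reverse(stored), computed)
    if not differ_0123:
        match = "0123"
    elif not differ_3210:
        match = "3210"
    else:
        match = None
    return {
        "candidate": candidate,
        "computed": computed,
        "match": match,
        "differ_0123": differ_0123,
        "differ_3210": differ_3210,
    }


def enterable_from_remote(password):
    """True when every character is in the charset the TiVo remote produces."""
    return all(c in TIVO_CHARSET for c in password)


if __name__ == "__main__":
    report = diagnose(OTTO_POSTED_HASH, "3 2 BC")
    print("computed SHA-1:", report["computed"])
    print("match:", report["match"])
    print("differs at bytes (0123 order):", report["differ_0123"])
    print("differs at bytes (3210 order):", report["differ_3210"])
```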


Posted by dmurphy on 11-02-2002 06:06 PM:

On a G4 processor, wouldn't -mcpu=7450 be more appropriate?

A PPC750 is a "G3" processor ...


--DM


Posted by syukton on 11-02-2002 06:22 PM:

Not to be a cynic or anything, but if the code is really 20 characters long, what will happen first; its discovery, or seti@home finding intelligent life in the universe?

on that seti@home note though, seti@home was having a lot of problems with bad results, so they just put work units back in the pool to be re-checked a number of times before declaring them done.

now, similar to the code that we're trying to crack, can't we just have the client authenticate with the server using some exorbitantly long code that nobody would ever bother cracking, and just ensure security that way? Derive it from an md5 of the executable or something. I don't know how much effort the average a$$hole will put forth just to screw with our innocent password cracking efforts.

__________________
-sy


Posted by IlIIllllI1 on 11-02-2002 06:29 PM:

Saw this on /. and have a couple questions as I don't have a TiVo and am curious about a couple things. What does 9+0 space mean?

quote:
Originally posted by subuni
Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled


How did you replace the 3.2 hash with the 3.0 one? And does that mean that backdoors were then enabled in 3.2? Isn't that what the goal is? Or is the goal now to just find out what the pw is, just to do it? How did you find out what the hash was in 3.2? By connecting the TiVo hard drive to a computer?


Posted by Drewster on 11-02-2002 06:29 PM:

I think I'll wait for the OS X port to catch up with all the compile options.

__________________
-Andrew

That's my boy! Updated November 9
Recent Punditry: Interarchy 7.2
Fora: Ars Mac Achaia : FlyerTalk : Food Network : Oracle Calendar : TiVoCommunity : Voldemort

"I wish I could breastfeed..." -- BryanMC
8/30/04 - The Day I Stumped the SOAK.


Posted by Tuz on 11-02-2002 06:34 PM:

Thanks for the info, Attack.


Posted by Tels on 11-02-2002 06:40 PM:

>quote:Originally posted by DVDerek
>Keep dreaming. There are enough people who will do it for the >hell of it. A prize just entices cheaters.

The "price" (if there was one, but see below) will be given to the one finding/posting the correct password.

If you cheat (like returning chunks without checking them as "checked), you won't be able to get the price.

Actually, I think about donating some money and make a price for the winner. But that depends on if we switch servers. I would of course only pay the price if it was found trough the new one :-P


Cheers,

Tels


Posted by Tuz on 11-02-2002 06:43 PM:

Attack- you say get a SA1 model because you can run the "cool stuff" on it. What is the cool stuff you speak of?


Posted by Mars Rocket on 11-02-2002 06:52 PM:

See here: http://www.tivocommunity.com/tivo-v...&threadid=78635

for a list of "cool stuff" hacks that can be done to a Series 1 TiVo but not (easily) to a Series 2 TiVo.

Also see here: http://www.tivocommunity.com/tivo-v...&threadid=26530

for why it's handy to have the backdoor code.


Posted by Attack on 11-02-2002 07:05 PM:

quote:
Originally posted by Tuz
Attack- you say get a SA1 model because you can run the "cool stuff" on it. What is the cool stuff you speak of?



The ability to telnet into the TiVo if you install a TurboNet card.
TiVoWeb since you can schedule a recording over the internet.

(Some other things not allowed to talk about on the forum)

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by Tuz on 11-02-2002 07:30 PM:

Ah ok. Thanks.


Posted by Otto on 11-02-2002 07:42 PM:

quote:
Originally posted by Tels
Otto wrote:
...
115375040ae75635b2f4afec691a0228c2586a14

This is actually wrong!
...
You swapped 7e and e7 - this did cost me an hour to find :-/



Oops. Sorry. I did that reversal by hand.

I'll edit the original post to eliminate it.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by DBordello on 11-02-2002 07:46 PM:

Tels, I think we all appreciate your hard work, but you have to understand where we stand. We have a working system that, well, works. Most of the bugs are ironed out. There has been substantial work done by 2 great individuals. There is no reason to switch servers now; it would just cause confusion.

thanks
db

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Tels on 11-02-2002 08:01 PM:

quote:
Tels, I think we all appreciate your hard work, but you have to understand where we stand. We have a working system that, well, works. Most of the bugs are ironed out. There has been substantial work done by 2 great individuals. There is no reason to switch servers now; it would just cause confusion.


I understand this perfectly. However, I think that the work was re-inventing the wheel and I want to prevent this from happening again. (I am sorry that I just read about this today; if I had known two weeks ago I could have saved you/them a lot of work :)

(I am speaking about the server/client part that distributes the work, not the worker part that does the actual hashing. The worker of course needs to be redone for new hashes/algorithms, but the server/client problems are already solved and don't need to be redone every time.)

I would be glad if my stuff could be tested, which is what this is all about. And what would be better than an actual problem :-)

And who knows, maybe it proves so useful that it will be used, either this time or the next time.

The last thing I want to do is to split up the workforce, that would be silly.

I have sent eolson the link and will send it to anyone who asks. It is for you to decide what you use, of course.

Btw, there is no real reason to have "my" server running on my machine; everybody can download it and set it up. It's just that I know how to do this and already did it, so it saved time. But nothing prevents somebody from setting one up on a server rack or something (which would actually be good, since that saves me from running my PC 24/7 :-)

Cheers,

Tels


Posted by Cletus on 11-02-2002 08:03 PM:

Looking at the stats, I cannot help but wonder who this guy "anonymous" is... he's doing a helluva job.

__________________
If you can't beat'em... pay someone to do it.


Posted by DBordello on 11-02-2002 08:06 PM:

Tels, I guess I am still confused. What are you trying to do?

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Tels on 11-02-2002 08:20 PM:

>Tels, I guess I am still confused. What are you trying to do?

:-)

I took an existing open source server/client framework for distributing keyspaces (read: brute force attacks or similar things) and set it up.

I "ported" the TiVo SHA1 attack program to this framework by using an existing framework for the aforementioned client/server model.

Now my own PC runs a test client that works on the test server on my PC on a TiVo test hash.

Basically, I duplicated in about 3 hours what the people here already were doing all along :-)

(Ok, ok, I did not need to find out how the password is hashed and tested. This is of course always a necessary step before attacking the hash: getting to know the algorithm.)

The reasons I did this are:

* because I wanted to see if I can :)
* there were problems reported with the current server (load, bandwidth, etc)
* this test allows us to see whether the existing server/client framework can cope with this problem, and if not, how to improve it.

Did this make it clear? If not, just ask me.

Cheers,

Tels


Posted by David Scavo on 11-02-2002 08:33 PM:

Hi all. I am running WinXP SP1 behind a Linksys firewall/router.....
I tried to load TivoCrack and I get the following error:

[c:\]TiVoCrack uxxx r
11/2/2002 15:32:15: -- TiVoCrack 1.5 started --
11/2/2002 15:32:15: Getting the next work load
11/2/2002 15:32:16: Unable to open URL!
11/2/2002 15:32:16: Call failed, trying again
11/2/2002 15:32:16: Sleeping for a minute

Any ideas ?


Posted by Dogun on 11-02-2002 08:52 PM:

keyspace reduction

In the event of 15 or 30 character ciphertext it would almost certainly be better to rely on the fact that the hash length isn't that large and just go for a full character set (not just ascii) in searching for a working key.

of course, this would be bad if they ever changed the salt...


Posted by DanT on 11-02-2002 09:12 PM:

Has anyone with a Series 2 tried to connect a USB keyboard and use that to enter searches and wishlists? If so, the backdoor code may be using characters that can't be entered from the remote, like lowercase, punctuation, etc. Unfortunately, that would greatly increase the charset/alphabet needed for our search. I have DTiVos, so I have no idea if the Series 2 supports a USB keyboard directly, but thought it was worth asking.


Earlier someone asked about just calling TiVo and pretending to have a problem so they'd give out the BD code to look at the logs. But it doesn't work that way. If TiVo Inc. wants to see your logs, the next time your TiVo phones in, they send it a message saying "upload the logs" and then they look at them that way.


Finally, I think someone should have mentioned this in the Happy Hour forum sooner, because I almost never go into the Underground anymore, so I (and I'm sure many others) missed it. We could have added a lot of CPU time before the slashdotting.

__________________
Dan T.
RKBA!

SB: "Captain, do you mind if I say Grace?"
MR: "Only if you say it out loud."


Posted by DBordello on 11-02-2002 10:23 PM:

Tels, aaah, I understand. I think that we should continue to use the current system for now, and when this is all done and finished then evaluate what system to set up for new problems.

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Tels on 11-02-2002 11:27 PM:

>In the event of 15 or 30 character ciphertext it would almost >certainly be better to rely on the fact that the hash length isn't >that large and just go for a full character set (not just ascii) in >searching for a working key.

Uh, I don't understand this. There is no "ciphertext" because the pwd is just hashed. The hash output is 20 bytes (SHA1). The input is variable length (1 to x characters, the old pwd was 6, but we don't know the new one yet)

>of course, this would be bad if they ever changed the salt...

There is no salt, just the password is hashed. Or did I miss something?

Cheers!


Posted by Otto on 11-02-2002 11:44 PM:

quote:
Originally posted by David Scavo
Hi all. I am running WinXP SP1 behind a Linksys firewall/router.....
I tried to load TivoCrack and I get the following error:

[c:\]TiVoCrack uxxx r
11/2/2002 15:32:15: -- TiVoCrack 1.5 started --
11/2/2002 15:32:15: Getting the next work load
11/2/2002 15:32:16: Unable to open URL!
11/2/2002 15:32:16: Call failed, trying again
11/2/2002 15:32:16: Sleeping for a minute

Any ideas ?



If you're using any kind of proxy like the Proxomitron or anything like that, set up a bypass to connect to http://eolson.dyndns.org.

For Proxomitron, this means adding this line to the Bypass List.txt file:
[^/]++eolson.dyndns.org/

The Linksys router doesn't interfere in any way, it's just a normal web request. I'm running it on an XP-SP1 laptop behind a Linksys router. Works fine.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by stahta01 on 11-03-2002 12:07 AM:

quote:
Originally posted by DanT
Has anyone with a Series 2 tried to connect a USB keyboard and use that to enter searches and wishlists?


I just tried my Microsoft Natural Keyboard Pro on my 80 hour Series 2 TiVo.

The keyboard acted like it had no power. I even re-booted the computer.

I will try again later, but I think it won't work. But I will try using it on the wish list screen, to see if it only works there. Also plan to go to the system screen to see if some options show up to configure it.

Edit: Tried it on the search screen still acted like it was off.
Found nothing new under system config.

Tim S

__________________
AT&T TiVo Series2 40Hr (130)
TiVo Series2 TCD240080

Sanity is greatly over rated.


Posted by MikeLaw on 11-03-2002 12:13 AM:

A couple of suggestions:

1) After the 9+0 space, we might want to concentrate exclusively on the +1 or +2 spaces, since the evidence would suggest that past codes have been space rich. If I ruled the world, I'd rather we were crunching 9+1 than 9+0 just based on previous keys.

2) It would be nice if the client would retry the connection a few times when posting results before it bailed. I'm still trying to get home and am running this on a laptop from the road that needs to dial out. If I let the connection drop before the unit completes, the code times out in httppost and however long was spent crunching the unit gets lost.

__________________
....mike


Posted by BlueOtto on 11-03-2002 12:14 AM:

Other methods of input

Besides the possibility of a USB keyboard, how about this scenario--

Tivo could send a special IR code that works as a special character that's not of the normal. Just as the pause button does the * (or whatever), this IR code submits, say, a dollar sign ($) that is (or is a part of) the password.


Posted by David Scavo on 11-03-2002 12:14 AM:

quote:
Originally posted by Otto
If you're using any kind of proxy like the Proxomitron or anything like that, set up a bypass to connect to http://eolson.dyndns.org.

I forgot I had installed a proxy switcher program.

Removed that and rebooted and now have my first unit of work

Thanks for jogging my memory....


Posted by GBL on 11-03-2002 12:19 AM:

quote:
Originally posted by MikeLaw
A couple of suggestions:

2) It would be nice if the client would retry the connection when posting results a few times before it bailed.



Version 1.5 and up supports retries already. Which version are you running?

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by lmurray on 11-03-2002 12:25 AM:

I don't mind us searching the +1 or +anything space, but if we take that approach, is there a way to not duplicate our effort if we do a +0?
I'm not sure the software is set up to do that. If this is the case, I vote for us plowing ahead on the +0 set. Either way, I figure the choice is up to Edwin.

my 2 cents
-lloyd-


Posted by dbates on 11-03-2002 12:44 AM:

quote:
Originally posted by MikeLaw


1) After the 9+0 space, we might want to concentrate exclusively on the +1 or +2 spaces, since the evidence would suggest that past codes have been space rich. If I ruled the world, I'd rather we were crunching 9+1 than 9+0 just based on previous keys.



I agree. The +1 or +2 spaces seems much more likely.

__________________
1 60hr Series2


Posted by Darthnice on 11-03-2002 02:11 AM:

Ok, dumb question time: After you run through all the patterns how do you know which one is correct? Or, how do you know you have found the correct pattern and that it's ok to stop?


Posted by astrange on 11-03-2002 04:13 AM:

quote:
Originally posted by dmurphy
On a G4 processor, wouldn't -mcpu=7450 be more appropriate?

A PPC750 is a "G3" processor ...


--DM



A G4 processor is basically a G3 with AltiVec. So -mcpu=750 works fine.

Although an AltiVeced dclient would be neat



Posted by StanSimmons on 11-03-2002 05:49 AM:

Man... That anonymous guy is kicking my a**!

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by amobiuz on 11-03-2002 05:55 AM:

tivocrack mods for Unix (Solaris)

Does someone have the code mods to compile on Unix? I'm not a programmer but know how to make/compile code if it is ported to a platform. Have several Sparc III boxes to put on this baby.

I've done:
1) change tivocrack.cpp includes to have right paths to openssl
2) change Makefile from -lcrypt to -lcrypto
3) ???

I'm using g++(GCC) 3.1 and gnu make 3.79.1 on Solaris 8

Here's my errors:

# make
g++ -Wall -O3 -c httppost.cpp
g++ -Wall -O3 -c SSocket.cpp
g++ -Wall -O3 -c dclient.cpp
g++ -Wall -O3 -c Table.cpp
g++ -Wall -O3 -c StringBuffer.cpp
g++ -Wall -O3 -c tabletoform.cpp
g++ -Wall -O3 -c tivocrack.cpp
g++ -Wall -O3 -o dclient httppost.o SSocket.o dclient.o Table.o StringBuffer.o tabletoform.o tivocrack.o -lssl -lcrypto -mhash
Undefined first referenced
symbol in file
getpeername SSocket.o
gethostbyname SSocket.o
accept SSocket.o
setsockopt SSocket.o
__xnet_bind SSocket.o
__xnet_socket SSocket.o
__xnet_connect SSocket.o
listen SSocket.o
ld: fatal: Symbol referencing errors. No output written to dclient
collect2: ld returned 1 exit status
make: *** [dclient] Error 1


Posted by Worf on 11-03-2002 06:02 AM:

Add -lsocket to your GCC link command line. You need to use libsocket if you want to do socket programming on Solaris/SunOS.


Posted by realcoolguy on 11-03-2002 06:27 AM:

Well it looks like we've hit the 24 hour mark! (well on the 9+0 space anyway) omg u guys have amassed so much cpu power... of course you'll have to get 34 times the number of users each time u increase one char... well seems to me that after we hit 10 characters it's time to do data mining the old fashioned way... *envisions lynch mob circling tivo engineers* man i'd be scared if i were one of those guys ;-) the last statement was just a joke (no one's going to hurt a tivo engineer we love them) anyway, i'm sure they'll be getting a whole ton of extra phone calls if this thing gets beyond the current (reasonable) power of brute force. I'm sure one of them will end up spilling... of course if not it'll have to be one of those things you'll have to open up the case to get... :-(
*sigh* just when i was thinking of buying a tivo 2... :-)
(to avoid any lawsuits please replace the words tivo engineer with "monkey"....)
end


Posted by spankspank on 11-03-2002 08:37 AM:

Re: tivocrack mods for Unix (Solaris)

quote:
Originally posted by amobiuz
Does someone have the code mods to compile on Unix? I'm not a programmer but know how to make/compile code if it is ported to a platform. Have several Sparc III boxes to put on this baby.

I've done:
1) change tivocrack.cpp includes to have right paths to openssl
2) change Makefile from -lcrypt to -lcrypto
3) ???

I'm using g++(GCC) 3.1 and gnu make 3.79.1 on Solaris 8

Here's my errors:

# make
g++ -Wall -O3 -c httppost.cpp
g++ -Wall -O3 -c SSocket.cpp
g++ -Wall -O3 -c dclient.cpp
g++ -Wall -O3 -c Table.cpp
g++ -Wall -O3 -c StringBuffer.cpp
g++ -Wall -O3 -c tabletoform.cpp
g++ -Wall -O3 -c tivocrack.cpp
g++ -Wall -O3 -o dclient httppost.o SSocket.o dclient.o Table.o StringBuffer.o tabletoform.o tivocrack.o -lssl -lcrypto -mhash
Undefined first referenced
symbol in file
getpeername SSocket.o
gethostbyname SSocket.o
accept SSocket.o
setsockopt SSocket.o
__xnet_bind SSocket.o
__xnet_socket SSocket.o
__xnet_connect SSocket.o
listen SSocket.o
ld: fatal: Symbol referencing errors. No output written to dclient
collect2: ld returned 1 exit status
make: *** [dclient] Error 1




Add -lsocket -lnsl to the Makefile right after -lcrypto


Posted by The Evil One on 11-03-2002 10:41 AM:

Bleh

Took me something like 3 hours to read the entire thread... finally, it's over *cries happily*

Saw this effort on /. and am putting my machines to work on it (nothing special), cause they lie dormant most of the time anyway!

Good luck!

Anyone know if the Tivo service is available in Australia?

__________________
Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world.


Posted by MikeLaw on 11-03-2002 12:03 PM:

quote:
Originally posted by GBL
Version 1.5 and up supports retries already. Which version are you running?


I'm running the Linux client and it doesn't appear to retry. Maybe I'm a dumbass and missed the command line switch. I'll check it next time I restart. I did peek at the httppost.cpp and it didn't appear to have any retry code.

__________________
....mike


Posted by ravingcow on 11-03-2002 12:16 PM:

Okay... *Big* ask, I know, but are there any chances that the client could be set up to download work units, work on them without a connection to the net, and when a connection comes up again (or a `flush' command is given), update current work units and grab some more. This would be great for those people who are still on dialup. (Or is that only me, these days?)

This would, of course, introduce problems about how long before you give up on a packet of work, etc.

What do other people think? Would this be widely used, or is this too big a complication for a project which will, with any luck, finish soon? (Maybe... Hopefully...)


Posted by Tels on 11-03-2002 12:24 PM:

My setup can't do this, but it would be easy to teach this to the client. The hold-time at the server can be already adjusted and should just set to 48 hours for each chunk.

Guess I have to hack something on the client :-P

Cheers!

PS: Can somebody please post or mail the original 3.2 hash, that is used for the current attack? I have only one for a testkey, and can't find the real one in this thread (it's so big :) Thanx!


Posted by kevinv on 11-03-2002 01:45 PM:

How to find solution?

quote:
Originally posted by Darthnice
Ok, dumb question time: After you run through all the patterns how do you know which one is correct? Or, how do you know you have found the correct pattern and that it's ok to stop?


The pattern to compare against has been pulled from the code on the TIVO. We just have to keep creating hashes until the matching pattern is found (the pattern is a SHA1 hash of the password)

http://www.rsasecurity.com/rsalabs/faq/3-6-5.html


Posted by kevinv on 11-03-2002 02:09 PM:

11 hours to go

Well, the stats page is showing 11 hours remain in the 9 space. What are the possibilities that someone is checking in false negatives and we missed the password?

Also, I had to abort the program on my OS X box a couple of times. Did it resume at the work it was already doing, or did it redownload new blocks of work? Will the missing blocks be re-checked (if indeed they are missing)?

kevin
1 400Mhz PIII
1 1GHZ AMD Duron
1 667Mhz G4


Posted by dmurphy on 11-03-2002 02:17 PM:

Try adding -lresolv and -lnsl to the first line in the Makefile ...

-lsocket may also be required...

I'm going to try compiling on my 'Blade 1000 now; I'll let you know definitely what you need in a few minutes ...

Good luck!

--DM


Posted by dmurphy on 11-03-2002 02:21 PM:

Yep, you need to add -lnsl -lresolv -lsocket there and you should be good to go!

Also, if you're like me and installed OpenSSL in /opt/local/openssl, then you need to edit tivocrack.cpp and change the #include path, as well as add -L/opt/local/openssl/lib to the compiler string in the Makefile ...

And that'll make it go on Solaris!

--DM


Posted by deebo on 11-03-2002 02:38 PM:

What is the record for the most replies in a single thread in this forum ?


Posted by MikeLaw on 11-03-2002 03:19 PM:

Re: 11 hours to go

quote:
Originally posted by kevinv
well the stats page is showing 11 hours remain in the 9 space. what the possibilites that someone is checking in false negatives and we missed the password?

also, i had to abort the program on my OS X box a couple of times. did it resume at the work it was already doing, or did it redownload new blocks of work? will the missing blocks be re-checked (if indeed they are missing)



There is no way to know if someone is reporting false negatives, short of retrying the whole space. Given that the space left unexplored is so much larger than the space checked, it doesn't make much sense to go back and recheck. Therefore we are going to have to have faith in our fellow man.

When you abort the program, that block is lost. You will never report it complete. Unchecked blocks are reassigned and rechecked eventually. Last time, the 8+1 blocks that weren't returned were reassigned at the end of the 8+1 space (or so it appeared to me). Presumably the same thing will be done with the 9+0 space.

__________________
....mike


Posted by cica on 11-03-2002 03:53 PM:

As was previously mentioned, the sort function is enabled using other keys. This wouldn't be the first time that they strayed off the alphanumeric path. Is there a way to include the ascii codes generated by these function buttons as well?

-Tom


Posted by kevinv on 11-03-2002 04:04 PM:

quote:
Originally posted by cica
As was previously mentioned, the sort function is enabled using other keys. This wouldn't be the first time that they strayed off the alphanumeric path. Is there a way to include the ascii codes generated by these function buttons as well?

-Tom



There is only one way (that has been found) to enable backdoor mode (it's from the search by title screen) -- however there are many special functions that can be enabled without backdoors being turned on (I use 30-sec jump, sort order change, and the clock in the lower right corner without enabling backdoors) -- however we're looking to get into the backdoor mode so we can limit the search to those characters enterable in the search by title screen.

Even if another way into backdoors is possible from another screen, the fact that you can get into it from search by title (proven by the hash hack done earlier) means the characters used are probably from that list.


Posted by DBordello on 11-03-2002 05:05 PM:

The longer this goes on, the longer I feel it will take. If it isn't in the 9+0 space, we are in for a long trip.

db

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Attack on 11-03-2002 05:24 PM:

Re: Bleh

quote:
Originally posted by The Evil One
Anyone know if the Tivo service is available in Australia?



You can't pay for service in Australia but if you check out this thread it should help you get it going if you really want one.

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by Entreri_- on 11-03-2002 05:59 PM:

lmurray, or anyone else..

I cannot get this code compiled on my Mac OS X box, but would like to help. It's an 800 MHz Flatpanel, so should be able to do some moderate work...

I'm getting the following error when compiling for Mac OS X.. Any help is appreciated, as I am definitely not a programmer!

g++ -Wall -O3 -c httppost.cpp
In file included from httppost.cpp:6:
SSocket.h:14: 'socklen_t' is used as a type, but is not defined as a type.
make: *** [httppost.o] Error 1


Thanks!


quote:
Originally posted by lmurray
ed,
your code ports nicely to macosX too. Ha.

Next, I'm going to compile this on my atari 2600!



-lloyd-


Posted by amobiuz on 11-03-2002 06:01 PM:

Re: Re: tivocrack mods for Unix (Solaris)

quote:
Originally posted by spankspank
Add -lsocket -lnsl to the Makefile right after -lcrypto


Thanks! That worked.

Any ideas on how to make a static binary with this guy? I'm using the "-static" flag but I think some of the underlying libraries are shared libraries so it errors out.


Posted by Entreri_- on 11-03-2002 06:04 PM:

Anyone tried this simple solution?

Can anyone recode the client to try an arbitrary number of whitespaces AFTER the code?

I wouldn't be surprised if the code was something like "g o a w a y " or something... You get the meaning..

Ricardo


Posted by lmurray on 11-03-2002 06:11 PM:

The code, and answers for compiling, are all over this thread. Anyway, attached is the latest code compiled for macosx. There's no optimizations in the makefile. Feel free to add them.

-lloyd-


Posted by Entreri_- on 11-03-2002 06:27 PM:

Thanks!

Got it figured out.. thanks lmurray! BTW - I recompiled with the following string. I don't know how much it'll help, but I'll post my stats later on.

-mdynamic-no-pic -mcpu=7450 -mmultiple -faltivec

Hope my little 800 MHz G4 can help out..

I compiled it with GCC 3.1 (standard Jaguar Version)

If anyone knows of any other appropriate optimizers for OS X, there are plenty here that would be all ears.


Posted by Attack on 11-03-2002 07:23 PM:

Did the server just go down, or did we get the backdoor code?

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by spankspank on 11-03-2002 07:24 PM:

Re: Re: Re: tivocrack mods for Unix (Solaris)

quote:
Originally posted by amobiuz
Thanks! That worked.

Any ideas on how to make a static binary with this guy? I'm using the "-static" flag but I think some of the underlying libraries are shared libraries so it errors out.



I'm not sure. Did you "make clean" first?

If that's not it, try -lcrypt instead of -lcrypto.


Posted by Cletus on 11-03-2002 07:25 PM:

My clients (on all the machines) are now only sending the results after multiple tries, and aren't getting back any more work units (again after multiple tries).

And I can't open the stats page anymore. Oh no, did we crash the server?

Update: sending completed units took 8-9 tries, and getting back work units the same. I guess the server isn't down, just heavily pounded upon. Maybe it's time to think about spreading the load. Either this project is insanely successful, or someone is tampering with it.

__________________
If you can't beat'em... pay someone to do it.


Posted by Mars Rocket on 11-03-2002 07:29 PM:

Maybe it's time for a subgroup to start searching for longer codes (10-15 in length) using a restricted alphabet, like "TIVOUSBACKDR 0123".


Posted by tsoutherwood on 11-03-2002 07:38 PM:

quote:
Originally posted by Attack
Did the server just go down, or did we get the backdoor code?


I think the server has finally been slash-dotted. My clients were happy
until about 2pm (GMT). Then I turned my systems off to do some DIY.
Just tried running the dclients and they are unable to connect.
Time now 7:40PM GMT.

Hmm.

No - tell a lie - one client just managed to get in.


Posted by knownzero on 11-03-2002 07:39 PM:

I keep getting errors too, can't connect to the server....

__________________
Art is very often relegated to a small corner of this modern society. In doing so, many of the ties between art, life, and learning have been severed. Art is an integral part of the human experience. Whether it be formal or informal, the discovery of oneself through creation is something that everyone goes through in life. All the arts, not just the visual, provide the tools needed to make this self-discovery. To make art is to be alive. It is about living one's original ideas, rather than repeating those of others.


Posted by Otto on 11-03-2002 07:43 PM:

It looks like it's cycled back to unreturned results from the first pass now. My current pattern is "8N???? ?" which is in the 7+1 space. I expect it'll go very quickly shortly..

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Cletus on 11-03-2002 07:45 PM:

Some clients here got 9+0, some 8+0 (0E??????).

The stats page is back on, with everything blank.

__________________
If you can't beat'em... pay someone to do it.


Posted by EdwinOlson on 11-03-2002 07:48 PM:

The server just had a hissy fit and has been rebooted. I took the opportunity to bump the RAM up some, but the load is hovering around 10. Eek. It seems to be slowly working its way down as it deals with the backlog of block requests.

I've added 7+0, 8+0 to the queue for rechecking purposes (it shouldn't take long).

I'm checking with a couple people about a different server (my lousy machine just isn't doing well!)

Who would have expected 3000 machines?

-Ed

PS: Well, I poked around the mysql server and did some 'EXPLAIN's. It wasn't using my indexes, apparently, because it can't optimize 'where field!=1'. Well, I changed it to 'where field=0' (it's a boolean) and system load is now down to 0.36. Woo Hey, I'm no DBA.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by StanSimmons on 11-03-2002 08:08 PM:

Will changing to boolean allow you to start the userstats.php again?

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by Cletus on 11-03-2002 08:11 PM:

quote:
Originally posted by StanSimmons
Will changing to boolean allow you to start the userstats.php again?


I'd suggest you do not do that even if it's possible. Let's keep this clean.

__________________
If you can't beat'em... pay someone to do it.


Posted by amobiuz on 11-03-2002 08:12 PM:

quote:
Originally posted by EdwinOlson

PS: Well, I poked around the mysql server and did some 'EXPLAIN's. It wasn't using my indexes, apparently, because it can't optimize 'where field!=1'. Well, I changed it to 'where field=0' (it's a boolean) and system load is now down to 0.36. Woo Hey, I'm no DBA.



any "not" logic causes full scans because set logic sez you need all values to find the "nots"

Glad it's running faster.

PS. I am a DBA


Posted by slaeyer on 11-03-2002 08:18 PM:

Just thought I should chime in, although I do not own a TiVo, I am interested in purchasing one. After seeing this thread on /. I thought I'd check it out. I'm now happily running the TiVoCrack app on a a PowerMac G4 450 Dual Processor w/ 512 MB RAM! Simply amazing what a few intrepid users can create in such a short time! Hope I get to be the lucky one to crack the password!

__________________
Through the router, Along the cable,
Down the fiber, Nuttin but Net


Posted by DBordello on 11-03-2002 08:19 PM:

It appears that our active IPs are going down. Oh well, hopefully we will retain most of the processing power.

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Cletus on 11-03-2002 08:24 PM:

slaeyer: welcome to the family.

__________________
If you can't beat'em... pay someone to do it.


Posted by okema on 11-03-2002 08:36 PM:

EdwinOlson, the clock on your server looks to be 1 hour ahead of real time.

[Update:] Fixed now!

Thanks for this service. It's phenomenal how it has come together! May the calculations be with us.

---
One P2 350 [RedHat Linux]
Two Windows Laptops
One P4 1800 [WinXP]
...all working on this and goin' great!


Posted by Cletus on 11-03-2002 09:12 PM:

quote:
Originally posted by RC3105


that version is good for folks with dialup access, it can be left running offline and the next time you log on it will connect to upload results & get the next work unit

--
Riley



Nice. But even nicer would be a client that caches locally a few work units (not too many, say 4-5) so that you don't waste the CPU time between logins. Not to mention that it would also solve the problem of the current unit being lost if the client is aborted.

Edit: hmm, I'm getting 9+1 now. Does this mean that 9+0 is finished (with no result obviously)? And, since we're into 9+1, how about doing the 8+2 in parallel as well? I think it stands better chances.

__________________
If you can't beat'em... pay someone to do it.


Posted by DBordello on 11-03-2002 09:49 PM:

9+1 should contain all the WUs that 8+2 contains correct?

db

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by Cletus on 11-03-2002 10:04 PM:

Yes, I was thinking mainly of prioritizing. Sorry if I didn't make it clear.

__________________
If you can't beat'em... pay someone to do it.


Posted by EinarH on 11-03-2002 10:24 PM:

Need some help..

I saw this on /. yesterday, and it looks like a great project. I'm impressed by what you have been able to put together in such a short time. :-)

However, I haven't been able to find out how I change the work load from normal to idle. I guess it's possible, or?
[I'm running Win 98. Have some *nix boxes that I might put in in the future, but right now there is a lot of traffic, so I have to wait.]

How do I change the username from anonymous to something else? I guess it's a command line option, but haven't found out what.

Your FAQ was, ehh not very extensive.... As more users hear about this project, assigning someone to write a better FAQ/HOWTO would be worth the investment in time instead of answering all the questions one by one.

Regards
EinarH


Posted by baliktad on 11-03-2002 10:36 PM:

Re: Need some help..

quote:
Originally posted by EinarH
I saw this on /. yesterday, and it looks like a great project. I'm impressed by what you have been able to put together in such a short time. :-)
-snip
How do I change the username from anonymous to something else? I guess it's a command line option, but haven't found out what.

Your FAQ was, ehh not very extensive.... As more users hear about this project, assigning someone to write a better FAQ/HOWTO would be worth the investment in time instead of answering all the questions one by one.


I agree on the FAQ page, I would have appreciated a single all-inclusive page for answers. In any case, you may specify the username at the command line thusly:

TivoCrack.exe u[username]

Do not put a space between the u and your desired username. You can find out the other options by running

TivoCrack.exe h

I didn't use a - (dash) or / (forward slash) prefix to my command line arguments as is common in the Windows world but I believe your options will work all the same.


Posted by barclay on 11-03-2002 11:04 PM:

Re: Need some help..

quote:
Originally posted by EinarH
Your FAQ was, ehh not very extensive.... As more users hear about this project, assigning someone to write a better FAQ/HOWTO would be worth the investment in time instead of answering all the questions one by one.


FAQ. What's that?

Good point. I've added some more detail to my webpage for the win32 client.

It should cover the questions I've had to address, and yours specifically.


Posted by eples on 11-04-2002 03:58 AM:

Question Space Notation

I'm kind of curious as to what the search space notation is. I see "8 +2" and "9 +0" etc. so I can only infer that the first number is the total number of characters in the attempted password, and the second number is the number of spaces it can be padded with?

The previous password was.. 4 +3 then? How many levels of padding are we searching?! Shouldn't we search from N +0 to N +(N-1) ? Or maybe we are, I couldn't find it mentioned anywhere.

So if we are on the 9 digit work units, we should search from 9 +0 all the way to 9 +8 ?


Posted by DVDerek on 11-04-2002 04:15 AM:

Re: Space Notation

quote:
Originally posted by eples
I'm kind of curious as to what the search space notation is. I see "8 +2" and "9 +0" etc. so I can only infer that the first number is the total number of characters in the attempted password, and the second number is the number of spaces it can be padded with?

The previous password was.. 4 +3 then? How many levels of padding are we searching?! Shouldn't we search from N +0 to N +(N-1) ? Or maybe we are, I couldn't find it mentioned anywhere.

So if we are on the 9 digit work units, we should search from 9 +0 all the way to 9 +8 ?



AFAIK, 9 + 0 space would be all 9 character possibilities (within the specified alphabet). 8 + 1 space would be all 9 character combinations when you make the assumption that at least one character is a space. Likewise, 8 + 2 makes the assumption that at least two characters are spaces.

On a different note... for some reason I think something is up. Perhaps the hash is impossible to enter with the tivo alphabet. I dunno. I hate to think they'd do that.

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by eples on 11-04-2002 04:27 AM:

Re: Re: Space Notation

quote:
Originally posted by DVDerek
Likewise, 8 + 2 makes the assumption that at least two characters are spaces.


Right, but isn't there a space specified as part of the alphabet already?! If the program was searching every permutation of the possible password using the supplied alphabet, then there should be no need to specify a number of spaces; the program SHOULD already consider every possible combination of 8 characters including the space. This would include something like all 8 characters being a space just as easily as it would include all 8 characters being the letter 'A'. (Or every other character being the letter 'A' or a space, etc. etc..)

Do you see what I mean? The notation isn't making sense to me.


Posted by baliktad on 11-04-2002 05:00 AM:

Re: Re: Space Notation

quote:
Originally posted by DVDerek
On a different note... for some reason I think something is up. Perhaps the hash is impossible to enter with the tivo alphabet. I dunno. I hate to think they'd do that.
I think it's been tossed around before, but perhaps the Tivo team has some sort of custom remote built... either with some sort of weird character (or even the whole 20-character-long password) mapped to an extra key (or on a completely different remote... even my HP 48 can emit IR strong enough to control a TV from across the room). QA doesn't care because the actual password-processing code doesn't change and they will never produce the "custom" remotes for market, management is happy cause the public will have only a very slim chance of figuring it out, engineers are cool with it because now they only have to hit one key to enter their code.

Everyone wins but the Tivo users.

I guess I'm just having a hard time believing that the code is going to be "I PD??????" given the history.


Posted by Otto on 11-04-2002 05:39 AM:

Re: Re: Re: Space Notation

quote:
Originally posted by eples
Right, but isn't there a space specified as part of the alphabet already?! If the program was searching every permutation of the possible password using the supplied alphabet, then there should be no need to specify a number of spaces; the program SHOULD already consider every possible combination of 8 characters including the space. This would include something like all 8 characters being a space just as easily as it would include all 8 characters being the letter 'A'. (Or every other character being the letter 'A' or a space, etc. etc..)

Do you see what I mean? The notation isn't making sense to me.



It's a matter of speed.

9+0 contains all combinations of 9 characters. 8+1 is the notation used to define 8 randoms plus 1 assumed space. Add the numbers together to get the total length of the string. Both 9+0 and 8+1 = 9 characters.

9+0 does indeed contain 8+1, but 8+1 is much smaller and thus, faster to search. So basically, by doing things like 8+1 first, we're searching the more likely combinations first.

This hopefully reduces the search time. We don't have to search everything, we only have to search until the answer is found, and then we can stop. See?

The current search pattern is 9+1. That's 10 characters total, 9 random, 1 assumed space.

Basically, think of it like this: 8+2 is a subset of 9+1 which is itself a subset of 10+0. Since we're searching 9+1, we're searching all subsets of it too. So searching 8+2 is not needed, we've already done it if/when we finish 9+1. Later, if 9+1 comes up with nothing, we can search the rest of 10+0.

The assumption of a space in the pattern reduces the total amount of keys to search by a factor dependent upon the total number of random characters in the superpattern. So 9+1 is 10 times less keyspace to search than 10+0.

Another way to look at it is that 9+1 contains everything with at least 1 space. Everything else in 10+0 has no spaces whatsoever.

Simple.

To put it a final way, if you don't get it, don't worry about it. Edwin gets it, and he's basically controlling the search. So it's taken care of.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by EdwinOlson on 11-04-2002 05:42 AM:

n+m means n unknown characters with m spaces assumed. For example, there are seven different 8+1 searches. 21 different 8+2. 1 different 9+0. 8 different 9+1.

An 8+1 search is a subset of a 9+0 search. An 8+2 search is NOT a subset of 9+0, and is a significantly smaller search space. 8+2 is *hugely* less than 10+0. So if spaces are in there, it's a win to make that assumption.

In all cases, the alphabet contains a space. Yes, we spend some time searching "silly" sequences, like 9 spaces in a row. But I think at this point, with years of CPU time behind us, we'd feel pretty silly if we'd ruled that out and it turned out to be just that!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Otto on 11-04-2002 05:49 AM:

quote:
Originally posted by EdwinOlson
n+m means n unknown characters with m spaces assumed.

An 8+1 search is a subset of a 9+0 search. An 8+2 search is NOT a subset of 9+0, and is a significantly smaller search space. So if spaces are in there, it's a win to make that assumption.



To further explain, the size of the current search space is defined as follows:

For N+M: Number of keys to search = (37^N) * ( N! / (N - M)! )

N! = N Factorial, in case you didn't know. N! = (N) * (N-1) * (N-2) * ... * (1)

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."
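The pattern counts Edwin gives and the keyspace sizing Otto gives above, worked through as an added example (this is not code from the thread or from the search client). The script assumes the 37-symbol alphabet that the client prints in the work-unit log further down this page. To reproduce Edwin's counts (7 for 8+1, 21 for 8+2, 1 for 9+0, 8 for 9+1) it also assumes that an assumed space is never the first or last character of the pattern and that two assumed spaces are never adjacent; that rule is inferred from the counts, not stated anywhere in the thread.

```python
from itertools import combinations
from math import comb

# 37-symbol alphabet, as printed by the client in the work-unit log further down
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"
ALPHABET_NO_SPACE = ALPHABET.replace(" ", "")   # 36 symbols


def space_layouts(n, m):
    """Yield the index tuples where the m assumed spaces can sit in an n+m pattern.

    Assumption (inferred from the counts 7 / 21 / 1 / 8 quoted above, not stated
    by the project): an assumed space is never the first or last character, and
    two assumed spaces are never adjacent.
    """
    length = n + m
    interior = range(1, length - 1)
    for pos in combinations(interior, m):
        if all(b - a > 1 for a, b in zip(pos, pos[1:])):
            yield pos


def patterns(n, m):
    """Render each layout as a search pattern: ' ' for an assumed space, '?' for
    a character the client has to try from the whole alphabet."""
    for pos in space_layouts(n, m):
        yield "".join(" " if i in pos else "?" for i in range(n + m))


def layout_count(n, m):
    """Closed form of space_layouts(): choose m non-adjacent slots out of the
    n+m-2 interior ones, which is C(n-1, m)."""
    return comb(n - 1, m) if n >= 1 else 0


def keyspace(n, m, alphabet=ALPHABET):
    """Plaintexts hashed by a complete n+m search: one |alphabet|**n run per layout."""
    return layout_count(n, m) * len(alphabet) ** n


if __name__ == "__main__":
    for n, m in [(8, 0), (8, 1), (8, 2), (9, 0), (9, 1), (10, 0)]:
        print(f"{n}+{m}: {layout_count(n, m):3d} patterns, {keyspace(n, m):.3e} keys")
    # the two 9-character figures eples compares later: with and without the space symbol
    print("9+0 with space:   ", f"{keyspace(9, 0):.3e}")
    print("9+0 without space:", f"{keyspace(9, 0, ALPHABET_NO_SPACE):.3e}")
```

The 9+1 pattern `?? ???????` that `patterns(9, 1)` produces is the one behind the `I0 3??????` work unit shown in the client log below, with the server having fixed the first three unknowns.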


Posted by The Evil One on 11-04-2002 07:56 AM:

What might make mandatory updates work better is that the client sends its version string to the server, and the server can deny units if it's too old.

You could also make it auto-update if you wanted...

__________________
Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world.


Posted by micjordan on 11-04-2002 08:59 AM:

The Evil One, i think the reason mcdonalds is so popular is their convenience. people know they dont have the greatest food, but for the convenience and because theyre on every street corner people are willing to put up with slightly less quality food as long as it gets the job done which means theyre not still hungry.


Posted by Michael R on 11-04-2002 11:42 AM:

"Distributed TiVo Code Cracking" discussed in Slashdot

http://slashdot.org/articles/02/11/...4.shtml?tid=129

__________________
HDR31204 185 Hours & SD-DVR40 DTiVo 35 Hours
C/Ku BUD-Lite/4DTV & DVB & Sirius Satellite Radio
ChannelPlus Video Distribution & RCA IR Extenders


Posted by kevinv on 11-04-2002 01:13 PM:

Since we're searching subsets of the 10+0 space, if we're forced to search the full 10+0 space will it skip over subsets already searched? Dunno if that would give us much speedup (what size of 10+0 is 8+2?) and it would give us a redundancy check which would be good if we have fraudulent clients running.


hmmm, 8+2 is 1/38 the size of the 10+0? (blatant rough guess before I had coffee so don't quote me 8-)

kevin


Posted by eples on 11-04-2002 01:48 PM:

Search Spaces

Okay - so what was the last 8 character space we searched? 8 +2?

Shouldn't we go all the way through to 8 +7?
And 9 +8, and 10 +9, etc?

Or maybe it is.


Posted by eples on 11-04-2002 02:50 PM:

quote:
Originally posted by EdwinOlson
Yes, we spend some time searching "silly" sequences, like 9 spaces in a row.


Well of course! I was just concerned that maybe the space in the alphabet wasn't being used, which you have now indicated is not the case.

The spaces seem to have been an integral part of the password in the past. I do understand what you are saying when you state that 8 +1 will run faster than 9 +0.

What I am thinking is that on the +0 work units how much faster could we compute them by leaving the space out of the alphabet since they have already been computed.

it's the difference between 1.015 E 14 and 1.299 E 14. Isn't that on the order of 290 trillion redundant operations?

Maybe I'm still not getting it.


Posted by EdwinOlson on 11-04-2002 03:12 PM:

I don't enqueue work units unless I have some reason to think we will have enough CPU power to work through it in a reasonable amount of time.

So, suppose we decide that we can reasonably attack 10+0. I'm not going to worry about it if we've already searched 8+2, even though that's a subset. Why? If we have any hope of doing 10+0 in a reasonable amount of time, then the amount of time we waste "redoing" 8+2 is negligible. I'd probably spend more time manually removing the redundant search areas (or writing code to do it) than it would take the 2500 machines we have to just do the work. Anyway, it's a good way to verify results!

The slashdot effect is slowly waning, but we still have a huge amount of CPU power. Also note that I've only enqueued the 1st of eight 9+1 tests. We've got a long way to go before we worry about 10+0.

-Ed

PS: Oh, and some have asked why we search which blocks-- i.e., whether we do 9+1 or 8+2. My feeling is that we're generally better off assuming fewer spaces, provided we can afford to do the search. I think that our assumptions about what the key looks like have gone out the window-- we would have found the key already if we were right! Also, patterns like 8+7 are a bit silly looking and really long... they don't seem likely to me.

In other words, I'm using my gut to pick search space. I certainly solicit suggestions and discussion about which areas we should cover, though! I keep waiting for an email from tivo.com with a "simple addition problem". (e.g., Have you ever wondered what 6+4 is?)

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by grecorj on 11-04-2002 03:13 PM:

what if there is no backdoor code?

__________________
106 hr Philips DSR6000 TiVo
120 hr Hughes HDVR2 TiVo
Stock 40 hr Hughes HDVR2 TiVo -- unsubbed

Looking for news about TiVo? Try TiVoNews


Posted by brisvegas1 on 11-04-2002 04:16 PM:

quote:
Originally posted by EdwinOlson
The slashdot effect is slowly waning, but we still have a huge amount of CPU power. Also note that I've only enqueued the 1st of eight 9+1 tests. We've got a long way to go before we worry about 10+0.


I have some thoughts on the slashdot effect and this project.

Given the size of the potential search space we may be dealing with continued growth of the number of machines participating is, if not vital, extremely important to the eventual success of this project.

This should not be too hard to achieve - as not only is the project cool in and of itself, but using an insane amount of processing power to achieve it makes it even more fun.

With that in mind - I have a couple of questions:

1. What is the maximum number of clients the server will support?
2. Would you consider bringing back features like the individual statistics? - I believe they help maintain peoples interest.
3. Could we include a graph over time of the number of clients/ip addresses/units per hour etc.


With the current number of participants the search space will soon increase to a size beyond my desire to leave my computer running for long enough to see it completed.

As a solution beyond cosmetic changes to the stats / reporting site.

1) We send out press releases to more online tech reporting sites like the register www.theregister.co.uk and the inquirer www.theinquirer.net
2) We send out press releases to news sites more generally - once a story like this gets on the wires it is bound to be published
3) We put out a call to people working at unis etc for some computer time on some big iron. - I know people who work in the visac labs at the university of Queensland http://visac.uq.edu.au/. they have quite a few nice toys at their disposal that students can book time on....SGI Onyx Infinite Reality 3 - 4 Processors, 2 Gb. Memory, 256 Mb Texture Memory, 1 Graphics Pipeline and 20 dual processor SGI 330 dual boot PC's

If we could say that we had had any time at all on a machine like this - it would make a great story.

(Anyone familiar with irix - the sgi unix variant - we would need to recompile the client for it, but hey I am sure that it would be worth it )

4) We prepare a follow up story for slashdot....


I think you get the picture.

What do you all think - is this worthwhile, is it needed.

I write press releases for a living - so I would be happy to do that side of things, I would just need some facts about the project to date, for example the processing power we have used, how it stacks up to time on some big iron etc... you know the sort of thing.

Of course - all of this is only worthwhile if it is needed, and if the server could handle more clients.

Cheers,

Mark F.


Posted by dbates on 11-04-2002 04:19 PM:

Blasphemy!

quote:
Originally posted by grecorj
what if there is no backdoor code?

__________________
1 60hr Series2


Posted by Otto on 11-04-2002 04:20 PM:

Re: Search Spaces

quote:
Originally posted by eples
Okay - so what was the last 8 character space we searched? 8 +2?


No, 8+2 is a ten character space. Not 8. The last 8 character space we searched was 8+0, which is all 8 character sequences, period.

grecorj: At some point (I'd say at around 13 or 14 characters) we give up, simply because, at that point, we have no chance in hell of finding it in my lifetime with these meager resources. It's either that or we kick it up a notch into hundreds of thousands of computers instead of a piddly couple thousand.

Anyway, if we give up, then it simply becomes a matter of someone writing a tiny app to make it easy to change the hash on the disk. So that you'd need to pull the drive to get backdoor access. That's all.

But if we are going to kick it up a notch, then probably a better server/client solution will be needed. I'm not sure Edwin's system could handle the strain.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by cica on 11-04-2002 05:51 PM:

There doesn't seem to be very many posts to this thread. Are all of your CPU cycles being used for something else?

-Tom


Posted by TreborPugly on 11-04-2002 06:45 PM:

quote:
Originally posted by Otto
I don't think anyone has tried it, but I'm betting that no, you can't do it from wishlists. I did try it on previous code versions with no luck.

There's no real reason to suspect they got any trickier than making the code different and longer. All this second guessing is good to think of new ideas, but none of them are likely, IMO.

BTW, if anyone has any good guesses for longer passwords, download the damn hash calculator here: http://www.damn.to/software/files/dm_hc151.zip

And put in your guess. Capital letters. The SHA-160 hash for the correct code will start with 04B2.



Otto, if I do "3 0 BC" or "3 2 BC" in this program, the SHA-160 hash I get is NOT the ones reported in this forum. Not just a character swap, but completely different. Do we need to pad it out to 20 chars or something else strange? (I'm not using quotes in the program)

Thanks,

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by barclay on 11-04-2002 07:36 PM:

If you type 3 0 BC in the program, the value it spits back for SHA-160 is DBD9A55CAB8B33E59CC79086BC10939A3BF2A8D3, which is the correct hash. It's the endian reversed version of 5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B .


Posted by Otto on 11-04-2002 07:37 PM:

TreborPugly, it's byteswapped. 00112233 becomes 33221100. Five times in a row.

Annoying, isn't it?

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."
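The byte-order reversal barclay and Otto describe above, as an added example in Python (not code from the thread or from any of the tools it links). `swap_words` reverses the bytes inside each of the five 32-bit words of a SHA-1 digest, so `00112233` becomes `33221100`; `check_candidate` hashes a guess the way the hash calculator does and compares it with a word-swapped hash as read from the box. The two 3.0 values are the ones quoted in the posts above and are carried here only as constants, not recomputed as facts.

```python
import hashlib

WORD = 8          # hex characters per 32-bit word
DIGEST_HEX = 40   # SHA-1 (SHA-160) digest as hex


def swap_words(hex_digest):
    """Reverse the byte order inside each 32-bit word: 00112233 -> 33221100,
    five words in a row. Applying it twice gives the original back."""
    hex_digest = hex_digest.upper()
    if len(hex_digest) != DIGEST_HEX:
        raise ValueError("expected a 160-bit digest as 40 hex characters")
    out = []
    for i in range(0, DIGEST_HEX, WORD):
        word = hex_digest[i:i + WORD]
        byte_pairs = [word[j:j + 2] for j in range(0, WORD, 2)]
        out.append("".join(reversed(byte_pairs)))
    return "".join(out)


def tool_form(code):
    """Digest exactly as a SHA-1 calculator prints it for the typed-in code."""
    return hashlib.sha1(code.encode("ascii")).hexdigest().upper()


def stored_form(code):
    """The same digest in the word-swapped order seen on the box."""
    return swap_words(tool_form(code))


def check_candidate(code, stored_hash):
    """True if a guessed code hashes to the word-swapped hash read from the box."""
    return tool_form(code) == swap_words(stored_hash)


# values quoted in the thread for the 3.0 code "3 0 BC" (carried as constants only)
HASH_30_TOOL = "DBD9A55CAB8B33E59CC79086BC10939A3BF2A8D3"
HASH_30_DISK = "5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B"

if __name__ == "__main__":
    print("swap reproduces the on-disk form:", swap_words(HASH_30_TOOL) == HASH_30_DISK)
    print('"3 0 BC" matches the on-disk hash:', check_candidate("3 0 BC", HASH_30_DISK))
```

A guess with a trailing space or in lower case hashes to something else entirely, which is why the thread keeps repeating "capital letters" and why the hash calculator's output and the value on the box look unrelated until the words are swapped.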


Posted by Lightn on 11-04-2002 07:53 PM:

If you want to make the project more popular, here is my list of suggestions for improvements, including some already posted.

Stats are definitely a good thing. Graphs of various things are fun to look at. It would also be nice to see the progress on the individual challenges, IE 8+0, 8+1, 9+0, etc. Individual stats are good for competition. Also, changing the stats to be the number of keys tested would mean more to people. Like the distributed.net client told you your number of kilokeys/sec (and it did so while processing).

If you are worried about cheating, there is a good way to prevent this given the nature of the project. If someone seems to be sending in results too fast, ask them for a solution to a generated hash, one that you create. IE choose a random starting point and select a key a random distance away (in terms of the alphabetic order you are trying), create the hash of it and ask them for the solution. It wouldn't have to take too long to find the solution, just long enough to know what kind of speed the computer is actually capable of. Note this might require a (hidden) unique ID for each computer, so you know speeds per computer not per user. And if they just modified the client to send back negative results, you would know instantly that they are cheating.

Direct links to optimized binaries for various platforms. I think newer openssl packages have code optimized for different processors (they do on debian anyway). But you might want to check for windows and other platforms. On more recent architectures this could make a big difference. Also a check on startup that the hash is computed correctly couldn't hurt (do you do this already?).

State saving on exit (and/or periodically) would be useful. It could save the current challenge block, last key, userid, etc. And if you added in queued WUs, it generally makes the process a lot easier for a number of different situations. But for the longer it takes for computers to report in, the longer you have to allow your server software to wait before requeuing, which would generally mean adding larger WU sections to the todo.

As key lengths get larger and search lengths longer, the redundant checks between 8+1 and 9+0 types of key spaces may become important. And once we get to infeasible key lengths, having a more dynamic and smarter generator of keys will probably be the only reasonable next step.

Oh and a title tag for you web page, so people can bookmark it.


Posted by Tiger on 11-04-2002 08:12 PM:

Regarding redundancy checks between say 8+1 and 9+0... That should be simple - 8+1 should have checked every single possible key with any number of spaces in it, up to 9 spaces. Therefore, 9+0 does not need to include space in the alphabet. Similarly, once 8+2 has been done, 9+1 only needs to check keys with exactly one space in it. Therefore, it can pass blocks with the space already added, and an alphabet again excluding space.

__________________
Are we not men? We are TiVo!


Posted by Otto on 11-04-2002 11:06 PM:

quote:
Originally posted by Lightn
If you are worried about cheating, there is a good way to prevent this given the nature of the project. If someone seems to be sending in results too fast, ask them for a solution to a generated hash, one that you create. IE choose a random starting point and select a key a random distance away (in terms of the alphabetic order you are trying), create the hash of it and ask them for the solution. It wouldn't have to take too long to find the solution, just long enough to know what kind of speed the computer is actually capable of. Note this might require a (hidden) unique ID for each computer, so you know speeds per computer not per user. And if they just modified the client to send back negative results, you would know instantly that they are cheating.


Good call! I was trying to think of a way to do this sort of check, but this didn't occur to me. I forgot that the hash was included in the data sent from the server.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by nontivouser on 11-04-2002 11:52 PM:

quote:
Originally posted by Lightn
Direct links to optimized binaries for various platforms. I think newer openssl packages have code optimized for different processors (they do on debian anyway). But you might want to check for windows and other platforms. On more recent architectures this could make a big difference. Also a check on startup that the hash is computed correctly couldn't hurt (do you do this already?).

I have static binaries for ix86 Linux, optimized for Athlon-XP and Pentium-2 here: http://rekl.yi.org/tivo/


Posted by ravingcow on 11-05-2002 04:18 AM:

quote:
And if they just modified the client to send back negative results, you would know instantly that they are cheating.


On the other hand, everybody by now knows the hash we are working on. If someone wanted to cheat, they could just cheat on the work packets which contain the real hash, and do actual work on the packets which don't.

One could, in theory, compare the time a computer takes checking hashes on fake units with real units to see if they are similar or not, but this could get really messy...

There are only two reasons I can see why people would cheat:

1. To appear on the stats pages. (Which, ATM, don't really show much at all)

2. Disgruntled TiVo employees disturbing the effort. (Can we look at the IP addresses of people looking at these boards and the server stats page, and see if we can trace them back to TiVo at all )


Posted by Wolf on 11-05-2002 05:09 AM:

Comments

Found this thread posted elsewhere -- seems like everyone is having fun; I just had a few comments.

Considering that the backdoor support is considered to be for the diehard fans, has anyone considered that the compiled-in hash is invalid and that a diehard fan would have to manually insert a known good hash (like was done) in order to use the backdoor functionality? This would prevent all casual users from being able to do it.

That said, maybe someone should try running a "full" dictionary against key for the shorter password lengths, just to see if it matches.

Second, has anyone noticed any of the keys take a small pause before their characters appears on the screen? Such that hitting it two/three/four times rapidly might cause a different character to occur?


Posted by dswallow on 11-05-2002 05:24 AM:

Re: Comments

quote:
Originally posted by Wolf
That said, maybe someone should try running a "full" dictionary against key for the shorter password lengths, just to see if it matches.


I ran the full printable ASCII character set for 1, 2, 3, 4, 5 & 6 characters. I was running the same for 7 characters but stopped it about 1/4 of the way through as I needed to reboot after installing some stuff.

If it's a dictionary word, it's one that's more than 6 characters long, or multiple words together.

What's the chance that the hash key is modified in memory by some other operation, then results in a valid match to some sequence of characters?

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by EdwinOlson on 11-05-2002 05:50 AM:

The security scheme barclay & I plan on the next release (more on that in a second)- works as follows:

Each work block has a corresponding "proof" cookie, which is the XOR of all the SHA'd keys attempted in that block. This cannot be computed without actually computing the SHA for every plain text. The client submits the results of the block along with the proof. Now we have a way of verifying negative results from different clients. Yay! Anyone who is rapidly returning blocks in order to inflate their stats cannot possibly be computing the proof.

[Note that this does not have the problem that generating known-to-be-solvable blocks does-- namely, that if you generate a different ctext, you've already announced that you're doing something odd, and the malicious client can be cautious and actually do the work.] That said, the new server code better supports regression tests.

A malicious client could still lie about finding a solution and return the correct proof though, but it would require doing all of the work. But the theory is that there's only a small percentage of cheaters, and the vast majority of them are interested in inflating their statistics. Ultimately, there's little we can do about the small percentage of really nasty people out there whose goal is to screw up the search at any cost.

Needless to say, the change to support proofs is incompatible with current clients. This is the main improvement in the new versions that barclay & I have. We have tested the system and it seems to work!

My current belief, however, is that we are likely to have very few cheaters, and that the fidelity of our current search is very high. That (hopefully) being the case, I think it would be a bad idea to disrupt the search by introducing a non backwards-compatible change at this time. Barclay & I are also taking the time to make sure that our next release is solid, and I have located a server with bandwidth & CPU capable of supporting our effort indefinitely. My goal is to start a public beta of the new clients to iron out any last bugs. As before, any work units completed using the beta v2 clients will likely be thrown away until we announce the official launch of the new software... but we'd like to have your input on the clients (and fix as many build problems as possible!)

Until then (and even afterwards), I'll continue to operate the 1.0 server until the bulk of users have had time to migrate to the new system.

Sound like a plan?

-Ed
(Who really has to get some other stuff done this week!
Namely, http://maslab.lcs.mit.edu. It's cool.)

PS: I've tried /usr/dict/words. None of them are the key.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
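The two anti-cheating ideas in this part of the thread, Lightn's planted-key challenge and the XOR proof cookie Edwin describes above, side by side as an added example. This is not the project's client or server code; it is a small Python model of one work unit (a fixed prefix plus a pattern, with the 37-symbol alphabet from the client log), an honest client, a stats-inflating client, and the checks the server can run against each. The block and prefix names are made up for the illustration.

```python
import hashlib
import os
import secrets
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"
DIGEST_LEN = 20   # SHA-1


def candidates(prefix, pattern, alphabet=ALPHABET):
    """Every plaintext a work unit covers: the fixed prefix, then the pattern with
    each '?' ranging over the alphabet (any other character is taken literally)."""
    slots = [i for i, c in enumerate(pattern) if c == "?"]
    chars = list(pattern)
    for fill in product(alphabet, repeat=len(slots)):
        for i, ch in zip(slots, fill):
            chars[i] = ch
        yield prefix + "".join(chars)


def sha1(text):
    return hashlib.sha1(text.encode("ascii")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def honest_client(prefix, pattern, target, alphabet=ALPHABET):
    """Hash every candidate, compare it with the target, and fold every digest into
    the proof cookie. Returns (matching plaintext or None, cookie). The cookie does
    not depend on the target, so two honest clients given the same block agree."""
    proof = bytes(DIGEST_LEN)
    found = None
    for pt in candidates(prefix, pattern, alphabet):
        digest = sha1(pt)
        proof = xor(proof, digest)
        if digest == target:
            found = pt
    return found, proof


def lazy_client(prefix, pattern, target, alphabet=ALPHABET):
    """Stats inflater: reports 'nothing found' immediately. It hashed nothing, so
    the best it can do for a cookie is guess 160 bits."""
    return None, os.urandom(DIGEST_LEN)


def verify_proof(prefix, pattern, claimed_proof, alphabet=ALPHABET):
    """Server-side regression test on a sampled block: recompute the cookie.
    b'' can never equal a 20-byte digest, so only the cookie is computed."""
    _, proof = honest_client(prefix, pattern, b"", alphabet)
    return proof == claimed_proof


def planted_challenge(prefix, pattern, alphabet=ALPHABET):
    """Lightn's check: plant a key inside the block and hand out its digest as the
    target. A client that does the work returns the key. The weakness Edwin and
    ravingcow raise: a client that only cheats on the well-known real target, or
    that treats an unfamiliar target as a tell and works honestly just then, passes."""
    pool = list(candidates(prefix, pattern, alphabet))
    answer = secrets.choice(pool)
    return sha1(answer), answer


if __name__ == "__main__":
    prefix, pattern = "I0 3", "??"           # made-up 6-character block, 37**2 keys
    target = sha1("I0 3Z9")                   # pretend this is the hash from the box
    found, proof = honest_client(prefix, pattern, target)
    print("honest client found:", found, "proof ok:", verify_proof(prefix, pattern, proof))
    _, fake = lazy_client(prefix, pattern, target)
    print("lazy client proof ok:", verify_proof(prefix, pattern, fake))
    challenge, answer = planted_challenge(prefix, pattern)
    print("planted challenge solved:", honest_client(prefix, pattern, challenge)[0] == answer)
```

Recomputing the cookie costs the verifier as much as the block itself, which is why the scheme pairs with redundancy: hand the same block to two clients and compare the two cookies, and only recompute on the server when they disagree or when a submission rate looks implausible. As Edwin notes, a client that does all the work and then lies about a positive result still gets through; the cookie only catches clients that skipped the hashing.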


Posted by ravingcow on 11-05-2002 06:08 AM:

Can we get the Win32 port onto the http://www.blisstonia.com/ server (or at least a link to it). Or is the Win32-port in a state of evilness?


Posted by TheDoctor on 11-05-2002 07:07 AM:

On the subject of cheating... Since the code is open source, what keeps a few tivo techs from faking 'failed' results for the correct key value and submitting them? Would that keep valid key from being issued for testing? I admit I have not read all 25 pages, so sorry if this has already been covered.


Posted by DJRobX on 11-05-2002 07:46 AM:

That would require that the "malicious" TiVo tech be lucky enough to have the "magic" work load fall on his PC.

I know there's been a lot of discussion about testing "obvious" values, but has anyone tried to modify the key search algorithm to look for repeating patterns? As we've mentioned before, the backdoor key is probably something that can be entered easily. Given that TiVo knows how we broke the last one, my fear is that we may have a key like:

X A F G X A F G X A F

.. that's 20 characters long, but not so repetitive as to be obvious. Or something insidious like

"ZZ32 <16 spaces> "

Even with the very cool distributed project going, at the rate of a 9 character block per day, if TiVo did something as simple as make the key take the full length of the input box, we probably will not find the code before another software release comes out!

-- Rob


Posted by brisvegas1 on 11-05-2002 08:35 AM:

so we should wait

so we should wait until the new client and server are finalised before doing a big push for new members....?


What other features should we implement in the new system -

1) state saving - so clients can be restarted without loss of work
2) more stats
3) anti cheat functions
4) optimisation for various cpus
5) I think if we could make multi language versions (or just multi language press releases) so that our european and asian friends could get on board.

If we aim to hit slashdot on a week day - wed/thursday would be best so people have time to set it up before they leave work for the weekend (lucky devils) - that would be great.


The numbers seem to be dropping steadily.

at what point do we have to start making hard decisions?


Posted by pdog on 11-05-2002 02:18 PM:

Current windows port here:

http://www.scottandmichelle.net/scott/tcrk/


Posted by Cletus on 11-05-2002 02:25 PM:

quote:
Originally posted by EdwinOlson

PS: I've tried /usr/dict/words. None of them are the key.



Which brings back another idea to my mind: this effort will be pretty moot if the key is on the order of 18-20 characters or more. The only chance we got in that case is if the key is a phrase, which would make it susceptible to a multi-word dictionary attack. Knowing the guys at TiVo, I wouldn't be surprised at all if it were something like "THE SPY WHO SHAGGED ME".

__________________
If you can't beat'em... pay someone to do it.


Posted by DVDerek on 11-05-2002 03:06 PM:

Re: Comments

quote:
Originally posted by Wolf

has anyone considered that the compiled in hash is invalid and that a diehard fan would have to manually insert a known good hash (like was done) in order to use the backdoor functionality? This would prevent all casual users from being able to do it.



Yes. About a billion times. I know the thread is real long, but at least glance over the last 2 or 3 pages!

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by cica on 11-05-2002 03:16 PM:

I can't get out through my proxy server with 1.6. Is there a way to modify the program to specify a proxy server? I am able to run it on the machine that is directly connected, and I could add several more machines if they could access a proxy machine. These machines have no problem using IE to get out.

Also, as was mentioned before, can this program be run silently as a service on an NT machine?


Posted by den628 on 11-05-2002 03:30 PM:

quote:
Originally posted by pdog
Current windows port here:

http://www.scottandmichelle.net/scott/tcrk/



I am using your TivoCrack 1.6 for windows on a Windows 2000 machine, it seems to work well, except that the r switch seems to have no effect. I run it as follows.

C:\TivoCrack>tivocrack uden628 r
11/5/2002 7:22:33: -- TiVoCrack 1.6 started --
11/5/2002 7:22:33: Getting the next work load
11/5/2002 7:22:34: User = [den628], Work Unit = 186563
11/5/2002 7:22:34: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
11/5/2002 7:22:34: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
11/5/2002 7:22:34: Pattern = [I0 3??????]
11/5/2002 7:22:34: Threads = 1, Local = false, Silent = false
11/5/2002 7:22:34: Priority = lower, Sleep = 5min, Retries = 10
11/5/2002 7:22:34: Logging = both

But when I go to the task manager (it takes quite a while to get there!) I see the thread priority as normal, and my machine is basically unusable until I change the priority to below normal. Because of that, I would recommend making the priority below normal by default.

Actually, it still makes my system unusably slow even once I lower the priority to below normal, I will reboot and try again in a bit. Has anyone else had similar problems?

Thanks.
den


Posted by mtw2 on 11-05-2002 03:33 PM:

quote:
Originally posted by cica
Also, as was mentioned before, can this program be run silently as a service on an NT machine?


I can help with the service issue:
http://support.microsoft.com/defaul...;EN-US;q137890&

"Instrsrv.exe installs and removes system services from Windows NT and Srvany.exe allows any Windows NT application to run as a service."

~J


Posted by Otto on 11-05-2002 03:47 PM:

quote:
Originally posted by den628
I am using your TivoCrack 1.6 for windows on a Windows 2000 machine, it seems to work well, except that the r switch seems to have no effect. I run it as follows.
...
But when I go to the task manager (it takes quite a while to get there!) I see the thread priority as normal, and my machine is basically unusable until I change the priority to below normal. Because of that, I would recommend making the priority below normal by default.

Actually, it still makes my system unusably slow even once I lower the priority to below normal, I will reboot and try again in a bit. Has anyone else had similar problems?



Your machine is broken then. I'm running it on a Windows 2000 box and the r switch definitely *does* work. It doesn't make the main loop run at low priority (since it's just sleeping, there's no point), but it does run the worker threads at low priority and does shift into the background. I see no problems with usability or opening the task manager, or any kind of slowdown at all, for that matter, when using the r option. I'm also running it on an NT box and an XP box and the r option works on all of them.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by den628 on 11-05-2002 03:50 PM:

quote:
Originally posted by Otto
Your machine is broken then. I'm running it on a Windows 2000 box and the r switch definitely *does* work. It doesn't make the main loop run at low priority (since it's just sleeping, there's no point), but it does run the worker threads at low priority and does shift into the background. I see no problems with usability or opening the task manager, or any kind of slowdown at all, for that matter, when using the r option. I'm also running it on an NT box and an XP box and the r option works on all of them.


You are using version 1.6? Guess I will try it on a few more machines and see if I have the same problem or not...


Posted by sacherjj on 11-05-2002 03:54 PM:

The "r" switch worked on my Win2k box for versions 1.4 on up.

__________________
Tivo Series 2 @ 240 Gig.


Posted by barclay on 11-05-2002 04:14 PM:

quote:
Originally posted by den628
C:\TivoCrack>tivocrack uden628 r
[...]
11/5/2002 7:22:34: Priority = lower, Sleep = 5min, Retries = 10

But when I go to the task manager (it takes quite a while to get there!) I see the thread priority as normal, and my machine is basically unusable until I change the priority to below normal. Because of that, I would recommend making the priority below normal by default.



This is the first I've heard of "r" not working. You'll note, the switch is working on some level since it's reporting a lower priority. As Otto pointed out, TaskMan will claim the process is running at normal priority since the main UI thread is run at normal priority, only the worker thread is run at a lower priority.

What kind of machine do you have? If you don't have enough memory (though, TiVoCrack doesn't take a ton, only ~8 megs) or not enough processor power, I can see it killing system performance.

I've had it running on my machine for a few days now, and I can only notice a slow down when I try to do something else that's rather CPU intensive.


Posted by barclay on 11-05-2002 04:18 PM:

quote:
Originally posted by mtw2
I can help with the service issue:
http://support.microsoft.com/defaul...;EN-US;q137890&

"Instrsrv.exe installs and removes system services from Windows NT and Srvany.exe allows any Windows NT application to run as a service."



I'll save some poor soul the trouble. Don't do this.

TiVoCrk won't respond kindly to it, and will kill itself when a user logs out. The next version will be able to run in the system tray (Actually the next version will be a GUI app, so this is a no-brainer), and I'll look into what's needed to make it run as a native service.


Posted by barclay on 11-05-2002 04:22 PM:

quote:
Originally posted by cica
I can't get out through my proxy server with 1.6. Is there a way to modify the program to specify a proxy server? I am able to run it on the machine that is directly connected, and I could add several more machines if they could access a proxy machine. These machines have no problem using IE to get out.



It should work through the proxy that IE is configured to use, since I'm just using the Windows Internet APIs to connect to the outside world. Most of my computers use a proxy (and a non-standard one at that).

Check out Otto's post further up if you're using some sort of anti-ad proxy, since some of them apparently need to be configured to allow traffic through to Blisstonia.com

Edit: Here's a copy of what Otto said.


Posted by bevinst on 11-05-2002 04:46 PM:

quote:
Originally posted by den628

Actually, it still makes my system unusably slow even once I lower the priority to below normal, I will reboot and try again in a bit. Has anyone else had similar problems?

Thanks.
den



So far the only problem I've encountered with this is running another DOS program at the same time on XP. I have to manually set the priority lower on tivocrack to get decent response from the DOS program.

I'm currently running version 1.6 on a 2 processor AMD, using 2 threads and the r option under W2000, and can't really see any performance hit on system response.

-Tommy


Posted by MikeLaw on 11-05-2002 04:50 PM:

quote:
Originally posted by barclay
It should work through the proxy that IE is configured to use, since I'm just using the Windows Internet APIs to connect to the outside world. Most of my computers use a proxy (and a non-standard one at that).


Actually, I've also seen the program refuse to connect when behind a proxy server at two different locations. Once I thought it might be because the proxy requires authentication, but the other case was a simple MS Proxy Server install and it wouldn't work there either. I have had success running it behind a WinSock Proxy, however.

__________________
....mike


Posted by barclay on 11-05-2002 04:54 PM:

quote:
Originally posted by MikeLaw
Actually, I've also seen the program refuse to connect when behind a proxy server at two different locations. Once I thought it might be because the proxy requires authentication, but the other case was a simple MS Proxy Server install and it wouldn't work there either. I have had success running it behind a WinSock Proxy, however.


That's rather weird. For those that are failing behind proxies, what OS are you using and what version of IE do you have?

I'll have to do some digging and see if the wininet stuff doesn't do what it claims on some versions.


Posted by CraigEagle on 11-05-2002 06:15 PM:

quote:
Originally posted by barclay
That's rather weird. For those that are failing behind proxies, what OS are you using and what version of IE do you have?

I'll have to do some digging and see if the wininet stuff doesn't do what it claims on some versions.



WinXP
IE6.0.26

- Craig


Posted by MikeLaw on 11-05-2002 06:51 PM:

quote:
Originally posted by barclay
That's rather weird. For those that are failing behind proxies, what OS are you using and what version of IE do you have?

I'll have to do some digging and see if the wininet stuff doesn't do what it claims on some versions.



At my wife's office there were clients on W95/W98 and W2000. I know she uses some flavor of IE 5.x, but not sure which from here. Where I am located this afternoon, I'm on a W/2000 client with IE 5.50 and it fails.

You might also check out The Coffee House thread where a guy claims to have sent a patched version of the client that works behind firewalls.

__________________
....mike


Posted by cica on 11-05-2002 06:54 PM:

I'm running IE6 with winXP. I'm also having a problem getting through MS Proxy Server. Is there a port I need to open up?

-Tom


Posted by barclay on 11-05-2002 06:56 PM:

quote:
Originally posted by MikeLaw
You might also check out The Coffee House thread where a guy claims to have sent a patched version of the client that works behind firewalls.


They're talking about the *nix client, which is a different beast.

I'll toss in an option to manually assign the proxy in the next build. I shouldn't need to, but it's looking like InternetOpen is just flaky when it's told to use whatever proxy the user has set.


Posted by mpulver on 11-05-2002 06:56 PM:

quote:
Actually, it still makes my system unusably slow even once I lower the priority to below normal, I will reboot and try again in a bit. Has anyone else had similar problems?



Yeup, I have the same problem on one of the machines I'm running it on.

At home, I'm running the 1.4 client on Win2k SP3 on an Athlon 800, clocked to 880, 512meg. It runs fine with the "r" switch.

At work, I have the 1.4 client running on a PIII 500, Win2k SP3, 512meg. This is the problem machine.

Both tasks are kicked off with the same command line ("t1 r s5 umpulver"), configured as a shortcut in the startup folder.

At home, everything is fine. At work, the main process is sucking a LOT of CPU, ALL the time. Setting it to "below normal" priority has no effect (the overall machine response still drags in 20sec spurts every minute or so). Setting the main process to "low" priority _fixes_ the issue.

It's not a disk related slow-down... TiVoCrack isn't logging any I/O; it's not being swapped out; it's not sucking handles...

Both machines have the same additional toys running all the time... Trillian, seti command line, email client.


Posted by barclay on 11-05-2002 07:45 PM:

I have a new version of the client (1.61) that should fix the proxy issues (at least, it did for cica), and also lowers the priority of the process itself when option "r" is specified. While I'm not sure what's causing the slow downs for some, this should fix that too, since it's doing the same thing as Task Manager does at this point to lower the process's priority.

You can download it from my website.

Thanks goes out to cica for testing this so quickly.


Posted by Otto on 11-05-2002 07:47 PM:

mpulver: Er.. it's supposed to suck *all* the CPU, except when something else needs it. That's the point. The CPU usage should immediately jump to 100% and stay there when it's running. But it's below the normal level of priority so it should drop into the background for other programs.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by tarman on 11-05-2002 07:50 PM:

quote:
Originally posted by DJRobX
That would require that the "malicious" TiVo tech be lucky enough to have the "magic" work load fall on his PC.

I know there's been a lot of discussion about testing "obvious" values, but has anyone tried to modify the key search algorithm to look for repeating patterns? As we've mentioned before, the backdoor key is probably something that can be entered easily. Given that TiVo knows how we broke the last one, my fear is that we may have a key like:

X A F G X A F G X A F

.. that's 20 characters long, but not so repetitive as to be obvious. Or something insidious like

"ZZ32 <16 spaces> "
.....

-- Rob



I have tested all of the cases of type
XXXXXbbbbbbbbbbbbbbb
where the 5 X's are from the A-Z, 0-9, and blank set and the string of b's is 15 blanks, 14 blanks, 13 blanks, ..., with (obviously) no score.

Tom


Posted by CraigEagle on 11-05-2002 07:57 PM:

quote:
Originally posted by barclay
I have a new version of the client (1.61) that should fix the proxy issues (at least, it did for cica), and also lowers the priority of the process itself when option "r" is specified. While I'm not sure what's causing the slow downs for some, this should fix that too, since it's doing the same thing as Task Manager does at this point to lower the process's priority.

You can download it from my website.

Thanks goes out to cica for testing this so quickly.



I still have proxy problems. I am getting this:
11/5/2002 14:57:13: -- TiVoCrack 1.61 started --
11/5/2002 14:57:13: Getting the next work load
11/5/2002 14:57:14: Error decoding the work unit!
11/5/2002 14:57:14: Call failed, trying again
11/5/2002 14:57:14: Sleeping for a minute
11/5/2002 14:57:17: Stopping
11/5/2002 14:57:18: Stopped
11/5/2002 14:57:18: Next workload failed, exiting
- Craig Eagle


Posted by barclay on 11-05-2002 08:03 PM:

I'm guessing something about your proxy server is munging the work unit from the server. Unfortunately, back-porting some of the improved error reporting I have waiting in 2.0 is too difficult for this rare scenario. If you can hold off till 2.0 is released and try again, we'll at least have some better error reporting to track down what's happening.


Posted by tarman on 11-05-2002 08:04 PM:

quote:
Originally posted by Otto
mpulver: Er.. it's supposed to suck *all* the CPU, except when something else needs it. That's the point. The CPU usage should immediately jump to 100% and stay there when it's running. But it's below the normal level of priority so it should drop into the background for other programs.


On a W2K system running version 1.61 (the newest) the tivocrack process consumes 99% of cpu when the system is quiet (as expected) however, I am also running OutLook with an Exchange Server on the local (100MB) network.

Usually when OutLook syncs up with the Exchange server, it takes about 15 seconds and consumes a lot of CPU during that time. With crack running, it gets 1-3% of the CPU in little chunks (crack stays at 98-95%) and it takes over 15 minutes to complete the sync.

I do not understand why. And yes the "r" parameter starts tivocrack up in LOW priority. The outlook processes are NORMAL priority.

[Also "Hotsync'ing" my palm to outlook fails (times out) if TivoCrack is running.]

Tom


Posted by mpulver on 11-05-2002 08:10 PM:

quote:
mpulver: Er.. it's supposed to suck *all* the CPU, except when something else needs it. That's the point. The CPU usage should immediately jump to 100% and stay there when it's running. But it's below the normal level of priority so it should drop into the background for other programs.


Yeup, I understand that, but my point is that it's not letting go when another task at the same priority needs the machine. For example, typing in this reply... If I set the main task at NORMAL, then I will get stalled out while typing for 20-30 seconds once a minute or more.

The same symptoms happen with the task at BELOW NORMAL. The only way to get it to back off is to set the main thread to LOW.

The calculation thread may be running at a low priority, but it feels like the main thread isn't actually blocked on an event, and is spinning instead.

Also, the machine at home runs fine, the one here at work is the issue.


Posted by barclay on 11-05-2002 08:18 PM:

quote:
Originally posted by mpulver
Also, the machine at home runs fine, the one here at work is the issue.


1.61 should at least automate the work around you're doing.

As for a better fix: I doubt I'll be able to come up with one. No one can really get the problem to a point where I can repro it, so I'm screwed. The main thread is spending most of its life on "WaitForSingleObject", I don't know how to get any more system friendly than that really.

It sounds like a driver issue, but even that doesn't make a whole lot of sense. In the end it's probably just Windows scheduling weirdness, and I don't want to spend a ton of time trying to figure out why Windows code is screwy.


Posted by iamabot on 11-05-2002 08:34 PM:

FreeBSD

Has anyone had any luck compiling on FreeBSD? I've run into some problems compiling.
./bot


Posted by mpulver on 11-05-2002 08:41 PM:

quote:
The main thread is spending most of its life on "WaitForSingleObject", I don't know how to get any more system friendly than that really.


Hmmm.. This is interesting... I'm running a debug build of the code now under DevStudio and it seems to be a lot "better" at sharing. But, that could be from the debug library.

WaitForSingleObject is definitely stopping, so something else must be coming into play. I'll poke around, but like you say, if this is some weirdness in Windows' scheduler, it's not worth fighting.


Thanks Barclay.


Posted by mij on 11-05-2002 08:48 PM:

quote:
Originally posted by mpulver
Yeup, I understand that, but my point is that it's not letting go when another task at the same priority needs the machine. For example, typing in this reply... If I set the main task at NORMAL, then I will get stalled out while typing for 20-30 seconds once a minute or more.

The same symptoms happen with the task at BELOW NORMAL. The only way to get it to back off is to set the main thread to LOW.

The calculation thread may be running at a low priority, but it feels like the main thread isn't actually blocked on an event, and is spinning instead.

Also, the machine at home runs fine, the one here at work is the issue.



On my laptop I'm running a PIII 700 with 256Mb and the same outlook client with exchange server configuration and my outlook also gets very slow when running the rev 1.6 client with the -r option... Trillian / web pages / other applications are all ok. I bet it's just an outlook thing. It can be a bit of a CPU hog when it wants to do things. I thought about raising its priority, but generally that scares me...

-Mij


Posted by mpulver on 11-05-2002 08:56 PM:

quote:
I bet it's just an outlook thing It can be a bit of a CPU hog when it wants to do things.


I love to bash Outlook, but this time I can't. The closest I get to it is when I have to schedule a meeting and even then I use the web client. I refuse to use it for email, I think I'm only one of two in the company that doesn't.

Barclay, I have some more info... I've recompiled the client (I'm actually running 1.5, not 1.4) and am running "fine" with a debug build (outside of DevStudio). I also did a release build, and noticed that it's 16k larger than the binary you shipped in the package.

What version of Dev Studio are you running? This is 6.0 Enterprise with SP 5.

I'll pull the 1.61 release and test that as well.

My new release build seems to be playing more fair as well, but it hasn't been running long.


Posted by mij on 11-05-2002 08:58 PM:

I should have done this earlier... but I just upgraded this machine to 1.61 and things are working much better. Outlook isn't quick by any means... but it is very usable and doesn't suffer from the pausing / stopping. awesome. one more PC that I can devote to running this full time...

Mij


Posted by Cletus on 11-05-2002 09:13 PM:

Re: FreeBSD

quote:
Originally posted by iamabot
Has anyone had any luck compiling on FreeBSD? I've run into some problems compiling.
./bot



Read the rest of this thread. Somewhere around page 8 (I think) there are instructions for compiling on BSD, Mac OSX, etc.

__________________
If you can't beat'em... pay someone to do it.


Posted by barclay on 11-05-2002 09:33 PM:

quote:
Originally posted by mpulver
What version of Dev Studio are you running? This is 6.0 Enterprise with SP 5.


Good point, I should be using a 6sp5, I was using something else.

I've switched to the proper libraries in the Dev Studio build, and released version 1.62.


Posted by cica on 11-05-2002 09:41 PM:

Is 1.61 faster? I seem to be processing workloads more quickly now. I have an AMD 1.4mhz and it is processing a packet about every 70 minutes. Did someone tighten up the code?

-Tom

P.S. I'm still waiting for the GUI version with the dancing Tivo


Posted by mpulver on 11-05-2002 10:08 PM:

quote:
I've switched to the proper libraries in the Dev Studio build, and released...


Thanks!

Okay, 1.62 is running here and feeling normal.

I miss the TiVo icon though.. Actually, it looks like your project file is a bit whacky. The workspace doesn't have the project file in it by default and the Internet*() APIs are unresolved... Aren't the Internet* calls a WinCE API?


Posted by barclay on 11-05-2002 10:19 PM:

quote:
Originally posted by mpulver
Okay, 1.62 is running here and feeling normal.

I miss the TiVo icon though.. Actually, it looks like your project file is a bit whacky. The workspace doesn't have the project file in it by default and the Internet*() APIs are unresolved... Aren't the Internet* calls a WinCE API?



Huh? The Tivo icon is still in the download. At least it is for me, and on my clean test box. And, as far as I can tell, it still compiles cleanly.

The Internet* APIs are part of wininet.lib


Posted by mpulver on 11-05-2002 10:24 PM:

My bad. I think that DevStudio was playing games with me. It's fine.


Posted by iamabot on 11-05-2002 10:54 PM:

Re: Re: FreeBSD

quote:
Originally posted by Cletus
Read the rest of this thread. Somewhere around page 8 (I think) there are instructions for compiling on BSD, Mac OSX, etc.


Found the post on page 6 or 7. I'll repost below for those running a BSD variant on x86.


-------------
Ok, For those us fortunate enough to not be running Redhat.. there are some fixes to help compile dclient on other distributions of linux and even BSD. So here goes...

In Makefile, line 8:
Change: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypt -mhash
To: $(CC) -o dclient $(DCLIENTOBJS) -lssl -lcrypto -mhash

For BSD systems..

In tivocrack.cpp

Change:
#include <netinet/in.h>

To:

#include <sys/types.h>
#include <netinet/in.h>


In: SSocket.h

Change:
#include <sys/socket.h>

To:
#include <sys/types.h>
#include <sys/socket.h>


Posted by nontivouser on 11-05-2002 11:00 PM:

quote:
Originally posted by cica
Is 1.61 faster? I seem to be processing workloads more quickly now. I have an AMD 1.4mhz and it is processing a packet about every 70 minutes. Did someone tighten up the code?

I'm processing a packet every ~48.1 minutes, and I have a Duron 1.0 GHz. It's a relatively idle machine.. some web surfing and some email. Are there other CPU-intensive processes running on your machine? Why am I processing packets so much faster?? (I'm using the latest version from http://www.blisstonia.com/dtc/)


Posted by cica on 11-05-2002 11:05 PM:

My last packet took 60 minutes. I do use this machine for work, so I might be slowing it down. I don't know why it's not faster than your Duron.

-Tom


Posted by den628 on 11-05-2002 11:39 PM:

quote:
Originally posted by barclay
Good point, I should be using a 6sp5, I was using something else.

I've switched to the proper libraries in the Dev Studio build, and released version 1.62.



I am using 1.62 now, and things seem much better, thanks.


Posted by IgD on 11-05-2002 11:43 PM:

Windows service client

Right now to run the Windows client I have to open a dos window. Is there a way to make it run as a service so it doesn't require a window?

Is there a way to do this with the Linux version as well?


Posted by mpulver on 11-05-2002 11:54 PM:

The console window is required because this is a console application. There's no GUI.

Under Windows, you can still create a shortcut to the EXE on your desktop, in a folder ("startup" for example) and run the app in a small console window. Just specify the command line options that you use after the EXE name in the "target" field of the shortcut.

Set the Run option to "Minimized", and when the app launches, it will immediately collapse.

If you want to, you can resize the window, and the new window size (and position) will be saved with the shortcut. To do this, right click on the title bar of the console window, select "Properties", then "Layout". I dragged the window to the lower right of the screen then set width=35, height = 10, buffer height=500, and unchecked the "let system position window". When you click "Ok" you'll get a dialog box that gives you the option of modifying the shortcut. Select that, hit OK, and you're set.

The next time that the app starts, it will start in the same place with the same window params.


Posted by kibo on 11-06-2002 12:01 AM:

I'm a bit concerned with this output:

C:\TEMP\tivocrack162\Release>tivocrack l o3 a"0123456789" p???????? s1
11/5/2002 18:40:54: User = [anonymous], Work Unit = 0
11/5/2002 18:40:54: Alphabet = [0123456789]
11/5/2002 18:40:54: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
11/5/2002 18:40:54: Pattern = [????????]
11/5/2002 18:40:54: Threads = 1, Local = true, Silent = false
11/5/2002 18:40:54: Priority = normal, Sleep = 1min, Retries = 10
11/5/2002 18:40:54: Logging = console
11/5/2002 18:40:54: -- TiVoCrack 1.62 started --
11/5/2002 18:40:59: [00000220]
11/5/2002 18:41:59: [00000092]
11/5/2002 18:42:59: [00000065]
11/5/2002 18:43:59: [00000428]
11/5/2002 18:44:39: [00000899]
11/5/2002 18:44:39: All done

why are the left 5 digits always zero? Even if I fire up a couple of tivocracks at the same time (splitting the CPU over N processes) the zeros remain. This doesn't seem right at first glance. Am I missing something?


Posted by barclay on 11-06-2002 12:11 AM:

quote:
Originally posted by kibo
why are the left 5 digits always zero? Even if I fire up a couple of tivocracks at the same time (splitting the CPU over N processes) the zeros remain. This doesn't seem right at first glance. Am I missing something?


This is a result of the way TiVoCrack works and the fact you've picked a 10 character alphabet. You'll get more interesting results if you add or remove a character to your alphabet.

Basically TiVoCrack internally works in chunks of 200,000 units, and only ever displays the first "word" from one of these chunks (unless it finds the match). Because of how the chunks end up getting split up, you're only going to see 0s in the first 5 digits that it cycles through. Never fear, it is actually calculating all of the possibilities. If you want to verify this for yourself, add a simple printf() to IsTiVoKey().

Edit: I considered making the chunk size a prime number so this event never happened, but I figured no one would ever notice, so it wasn't worth the trouble of finding a suitably sized prime number. Guess I was wrong
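The chunk arithmetic barclay describes above, worked through as an added example (this is not TiVoCrack's own code). It assumes the key index is rendered with the least-significant position leftmost, which is the ordering that reproduces the logged values ([00000220] is chunk 11, [00000899] is chunk 499 of 500); the real client's ordering is not shown on the page. With a 10-character alphabet, every chunk start is a multiple of 200,000 = 2 x 10^5, so its five lowest base-10 digits are zero. With an 11-character alphabet, or with a prime chunk size as barclay considered, the fixed prefix disappears.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the key space: |alphabet| ^ length. */
uint64_t keyspace_size(const char *alphabet, int length) {
    uint64_t total = 1;
    for (int i = 0; i < length; i++) total *= (uint64_t)strlen(alphabet);
    return total;
}

/* Render a key index as a word, least-significant position LEFTMOST.
 * Assumption: this mirrors the [00000220]-style lines in the log; the
 * real client's digit ordering is not shown on the page. */
void index_to_word(uint64_t index, const char *alphabet, int length, char *out) {
    uint64_t base = (uint64_t)strlen(alphabet);
    for (int i = 0; i < length; i++) {
        out[i] = alphabet[index % base];
        index /= base;
    }
    out[length] = '\0';
}

/* First word of chunk k when the space is walked in fixed-size chunks. */
void chunk_first_word(uint64_t k, uint64_t chunk_size, const char *alphabet,
                      int length, char *out) {
    index_to_word(k * chunk_size, alphabet, length, out);
}

/* Number of chunks needed to cover the whole space. */
uint64_t chunk_count(const char *alphabet, int length, uint64_t chunk_size) {
    uint64_t total = keyspace_size(alphabet, length);
    return (total + chunk_size - 1) / chunk_size;
}

/* How many leading positions are identical across the first word of
 * every chunk; 5 for alphabet "0123456789", length 8, chunk 200000. */
int fixed_prefix_length(const char *alphabet, int length, uint64_t chunk_size) {
    char first[65], word[65];
    uint64_t total = keyspace_size(alphabet, length);
    int fixed = length;
    index_to_word(0, alphabet, length, first);
    for (uint64_t start = chunk_size; start < total && fixed > 0; start += chunk_size) {
        index_to_word(start, alphabet, length, word);
        int i = 0;
        while (i < fixed && word[i] == first[i]) i++;
        fixed = i;
    }
    return fixed;
}

/* Smallest prime strictly greater than n (trial division; fine for n ~ 2e5). */
uint64_t next_prime_above(uint64_t n) {
    for (uint64_t c = n + 1;; c++) {
        int prime = c >= 2;
        for (uint64_t d = 2; d * d <= c; d++) {
            if (c % d == 0) { prime = 0; break; }
        }
        if (prime) return c;
    }
}

int main(void) {
    const char *digits = "0123456789";
    const uint64_t chunk = 200000;
    const uint64_t logged_chunks[] = { 11, 145, 280, 412, 499 };
    char word[65];

    printf("%" PRIu64 " chunks of %" PRIu64 " cover %" PRIu64 " keys\n",
           chunk_count(digits, 8, chunk), chunk, keyspace_size(digits, 8));
    for (size_t i = 0; i < sizeof logged_chunks / sizeof logged_chunks[0]; i++) {
        chunk_first_word(logged_chunks[i], chunk, digits, 8, word);
        printf("chunk %3" PRIu64 ": [%s]\n", logged_chunks[i], word);
    }
    printf("fixed prefix, 10-char alphabet, chunk 200000: %d\n",
           fixed_prefix_length(digits, 8, chunk));
    printf("fixed prefix, 11-char alphabet, chunk 200000: %d\n",
           fixed_prefix_length("0123456789A", 8, chunk));
    printf("fixed prefix, 10-char alphabet, prime chunk %" PRIu64 ": %d\n",
           next_prime_above(chunk), fixed_prefix_length(digits, 8, next_prime_above(chunk)));
    return 0;
}
```

The displayed word is cosmetic: every chunk still covers its full 200,000 indices, so nothing is skipped. The fixed prefix only appears because the chunk size shares all of its factors of 10 with the alphabet size; any chunk size coprime to the alphabet size (a prime above the alphabet size is the simplest) makes the first word of each chunk vary in every position.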


Posted by kibo on 11-06-2002 12:18 AM:

quote:
Originally posted by barclay
This is a result of the way TiVoCrack works...


OK, thanks for the explanation. I trudged through this whole thread, but I might have missed a previous explanation.


Posted by barclay on 11-06-2002 12:18 AM:

Re: Windows service client

quote:
Originally posted by IgD
Right now to run the Windows client I have to open a dos window. Is there a way to make it run as a service so it doesn't require a window?


I do have a question: Do people really want the windows client to run as a service? Or do more people just want an app that minimizes to the system tray?

I'm almost down with the system tray route. I can do the service route too if it's really desired, but I just want to make sure there's not some sort of miscommunication going on.


Posted by cica on 11-06-2002 12:22 AM:

Services could be run in the background of several hundred machines without being too conspicuous.

I have 5 machines dedicated right now, but that's because there's a dos window there.

-Tom


Posted by mpulver on 11-06-2002 12:26 AM:

I like having the window available so that I can see what's going on. But, I can certainly see cica's position.


Posted by cica on 11-06-2002 01:20 AM:

I have an idea. Why don't you program a hotkey that would toggle the window on and off.

-Tom


Posted by barclay on 11-06-2002 01:54 AM:

quote:
Originally posted by cica
I have an idea. Why don't you program a hotkey that would toggle the window on and off.


As opposed to the icon in the system tray approach, a la programs like ICQ?

Here's what I have right now:

Default: Normal window, if you minimize it, all that remains is the system tray icon.
Optional: Hidden window, and no system tray icon. This requires you kill it via task manager, or some such.

I know this makes a few people happy, but do the rest of you still want a service, or a hotkey to toggle visibility?


Posted by StanSimmons on 11-06-2002 03:10 AM:

quote:
Originally posted by barclay
As opposed to the icon in the system tray approach, a la programs like ICQ?

Here's what I have right now:

Default: Normal window, if you minimize it, all that remains is the system tray icon.
Optional: Hidden window, and no system tray icon. This requires you kill it via task manager, or some such.

I know this makes a few people happy, but do the rest of you still want a service, or a hotkey to toggle visibility?



The hidden window and no systray icon is perfect for the 100+ computers that I am using. I am using some tools from http://www.sysinternals.com/ntw2k/f...e/pstools.shtml to start and stop TiVoCrack remotely. If anyone wants details on how I am doing it, please let me know...

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by sciencewhiz on 11-06-2002 05:54 AM:

I'd much prefer a service as opposed to a hidden window, just because the machine I want to put it on is multi-user, and I want it to run no matter who's logged on.


Posted by TK-421 on 11-06-2002 01:40 PM:

Put my vote for a systray version. I don't need to hide it, but it will be nice to not take up taskbar space with the dos window.


Posted by brisvegas1 on 11-06-2002 02:21 PM:

systray vs service for win clients

I think both are required -

systray will be good for individuals, but sysadmins running the clients on hundreds of machines that each may have multiple users have to be catered for too.

If you look at the stats for the top ten in the last 24 hours it is pretty clear that just 9 individuals are doing around 1.5 times the work of all the anonymous users out there. Anything we can do to facilitate that sort of participation should be encouraged

Unfortunately - participation does seem to be slacking off. I would love to have all the figures so that we can work out the half life / attention span of the slashdot effect... hehe

Anyway... roll on with the new client so we can get spruiking for new participants. The code will be found!!!

Cheers,

Mark F


Posted by mij on 11-06-2002 02:37 PM:

Maybe we can have a post asking for CPU cycles pinned to the top of each of the other forums? Just with a link that will bring people to the download page for where the latest and greatest version of the windows and *nix clients will be.... and then point them to this thread to discuss? Seems like a no brainer that everyone reading this board should want to help....

-Mij


Posted by TeRmInAlCrAzY on 11-06-2002 03:35 PM:

Hi,

/. sent me here.

Have the app running on my own work beast - would have access to more pc's (about 3-4) if I could have service capability.

Would prefer for my own machine a system tray icon.

So, my vote is for service + system tray, a gui was mentioned previously, that would work for me.

rgds

Alan

__________________
--
.sig fault - core dumped


Posted by AlanHatesNicks on 11-06-2002 05:35 PM:

Run as a Service

You can run the existing client as a service. Just run srvany. It was available in the NT resource kit. Here's a page that has installation instructions and registry changes.

http://www22.brinkster.com/mleadley/setihome.asp

One last change to his instructions, add the registry string value "AppParameters" containing the command line params you want tivocrack to run with.

-Alan


Posted by EdwinOlson on 11-06-2002 05:48 PM:

An appeal-

Before we do any more recruiting, we want to push out the new software. I'm installing the new server software on a fresh machine with enough CPU & bandwidth to handle it all. (Though it's a little light on RAM. Stupid expensive RDRAM.)

When that's up and running, we should be able to do stats and other fun 'n exciting stuff. Woo. But until then, I don't want to add any load to my poor machine at home. Hey, the password isn't going anywhere

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-06-2002 05:53 PM:

Re: Run as a Service

quote:
Originally posted by AlanHatesNicks
One last change to his instructions, add the registry string value "AppParameters" containing the command line params you want tivocrack to run with.


Fwiw, this probably won't work. At least, if you log out (any user on the box), TiVoCrack will politely kill itself on receiving the "someone logged out" message.

The next version of TiVoCrack won't have this problem, and will most likely be able to run as a service on its own.


Posted by Otto on 11-06-2002 06:52 PM:

Re: Re: Run as a Service

quote:
Originally posted by barclay
Fwiw, this probably won't work. At least, if you log out (any user on the box), TiVoCrack will politely kill itself on receiving the "someone logged out" message.

The next version of TiVoCrack won't have this problem, and will most likely be able to run as a service on its own.



No, it should work. If it's running as a service under the system account then it won't get the log off event when someone logs off.. Unless, of course, they were using the system account, which can't log on anyway...

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by barclay on 11-06-2002 07:03 PM:

Re: Re: Re: Run as a Service

quote:
Originally posted by Otto
No, it should work. If it's running as a service under the system account then it won't get the log off event when someone logs off.. Unless, of course, they were using the system account, which can't log on anyway...


From MSDN:
quote:
CTRL_LOGOFF_EVENT: A signal that the system sends to all console processes when a user is logging off. This signal does not indicate which user is logging off, so no assumptions can be made.

--and--

If your Console application has registered a Console event handler (via SetConsoleCtrlHandler), it must ignore CTRL_LOGOFF_EVENT in order to survive the logoff.


I haven't tested this, so if someone wants to test this, feel free to, but it's my understanding that the Logoff event is broadcast to all SetConsoleCtrlHandler aware apps, regardless of which account they're running under. Since mine doesn't pay attention to the message being sent, much less which user is logging off, it'll start to close itself when it receives one of these messages.
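The MSDN behaviour barclay quotes, as an added example of a console control handler that ignores CTRL_LOGOFF_EVENT and treats the other events as a request to stop cleanly. This is not TiVoCrack's code; the handler and the SetConsoleCtrlHandler registration are Win32, so on a non-Windows build the example mirrors the Win32 names and values locally and exercises only the decision logic (the names `worker_ctrl_handler`, `install_ctrl_handler`, `stop_requested` and `reset_stop_request` are the example's own).

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build: mirror the Win32 names and values so the handler's
 * decision logic compiles and can be exercised anywhere. The values are
 * the documented Win32 ones; the registration call exists only on Windows. */
typedef unsigned long DWORD;
typedef int BOOL;
#define TRUE 1
#define FALSE 0
#define WINAPI
#define CTRL_C_EVENT        0
#define CTRL_BREAK_EVENT    1
#define CTRL_CLOSE_EVENT    2
#define CTRL_LOGOFF_EVENT   5
#define CTRL_SHUTDOWN_EVENT 6
#endif

/* Set by the handler (which runs on its own thread); the worker loop polls
 * it between work units and winds down cleanly. */
static volatile int g_stop_requested = 0;

int stop_requested(void) { return g_stop_requested; }
void reset_stop_request(void) { g_stop_requested = 0; }

/* Console control handler. Returning TRUE tells the system the event was
 * handled, so the default action (terminating the process) is not taken.
 * CTRL_LOGOFF_EVENT is the one the quoted MSDN text says must be ignored
 * to survive a logoff: it is acknowledged and deliberately NOT turned into
 * a stop request, because it does not say which user logged off. */
BOOL WINAPI worker_ctrl_handler(DWORD event) {
    switch (event) {
    case CTRL_LOGOFF_EVENT:
        return TRUE;            /* someone logged off; keep working */
    case CTRL_C_EVENT:
    case CTRL_BREAK_EVENT:
        g_stop_requested = 1;   /* operator asked us to stop: finish the current unit */
        return TRUE;
    case CTRL_CLOSE_EVENT:
    case CTRL_SHUTDOWN_EVENT:
        g_stop_requested = 1;   /* console closing or system going down: stop now */
        return TRUE;
    default:
        return FALSE;           /* unknown event: let the next handler decide */
    }
}

/* Register the handler; returns 1 on success, 0 where there is no console API. */
int install_ctrl_handler(void) {
#ifdef _WIN32
    return SetConsoleCtrlHandler(worker_ctrl_handler, TRUE) != 0;
#else
    return 0;
#endif
}

int main(void) {
    if (!install_ctrl_handler())
        fprintf(stderr, "console control events are not available on this platform\n");

    /* Show the decisions without waiting for a real event. */
    const DWORD events[] = { CTRL_LOGOFF_EVENT, CTRL_C_EVENT, CTRL_SHUTDOWN_EVENT };
    for (int i = 0; i < 3; i++) {
        reset_stop_request();
        BOOL handled = worker_ctrl_handler(events[i]);
        printf("event %lu: handled=%d stop_requested=%d\n",
               (unsigned long)events[i], (int)handled, stop_requested());
    }
    return 0;
}
```

A worker that registers no handler at all is terminated on logoff by default, which matches the behaviour barclay describes for the current client. Whether a process hosted by srvany under the system account receives the event is exactly what the thread is debating, and the only way to settle it is the test barclay asks for.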


Posted by dellis on 11-06-2002 07:39 PM:

Are we there yet?

I have a better understanding of how my son feels when we take a road trip and he doesn't know where we are.


Using a healthy number of distributed computers to determine the backdoor, is it just a matter of time or is it a sure thing?


Posted by cica on 11-06-2002 07:44 PM:

quote:
Using a healthy number of distributed computers to determine the backdoor, is it just a matter of time or is it a sure thing?


Yes.

Assuming there is a valid password, and it doesn't change before we get there, it is a sure thing. The question is, how many years will it take? Also, this will go from being fun to being monotonous.

-Tom


Posted by bsnelson on 11-06-2002 07:49 PM:

It's not a sure thing. As has been pointed out earlier in this thread and elsewhere, TiVo could have generated the hash using the string "!@!FKLAS@$!*(&%", making it (literally) impossible to enter it using our limited character set.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by kgidley on 11-06-2002 08:01 PM:

quote:
Originally posted by bsnelson
It's not a sure thing. As has been pointed out earlier in this thread and elsewhere, TiVo could have generated the hash using the string "!@!FKLAS@$!*(&%", making it (literally) impossible to enter it using our limited character set.

Brad



It's a sure thing that we will be able to determine the string that matches the hashcode - whether we can enter that string via the remote is a different problem... ;-)

__________________
Ken
HR10-250 - my new toy!
2 Hughes DTivos, (lifetime, 1 upgraded to ~188 hours, the other upgraded to ~230 hours.)


Posted by DVDerek on 11-06-2002 08:20 PM:

quote:
Originally posted by kgidley
It's a sure thing that we will be able to determine the string that matches the hashcode - whether we can enter that string via the remote is a different problem... ;-)


Actually, not if we maintain the "Tivo Standard Alphabet". If the answer falls outside this alphabet then it is NOT a Sure thing. In fact, we will never find it (as we're not testing non-tivo characters).

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by AlanHatesNicks on 11-06-2002 08:32 PM:

Re: Re: Re: Run as a Service

quote:
Originally posted by Otto
No, it should work. If it's running as a service under the system account then it won't get the log off event when someone logs off.. Unless, of course, they were using the system account, which can't log on anyway...


Nope... The system account doesn't have net access, unless, and I could be wrong about this too, you check the interact with desktop checkbox. But this opens up a console which I didn't want.

I'm sticking with what I have (svrany with console tivocrack) for now. It gets rid of the console which is all I want. If anyone tries this route, just remember to "net stop XXX" followed by "net start XXX" if you log out and back in.

Probably better to wait for the new rev.

-Alan


Posted by cica on 11-06-2002 08:36 PM:

quote:
TiVo could have generated the hash using the string "!@!FKLAS@$!*(&%", making it (literally) impossible to enter it using our limited character set.



Nope. I just tried "!@!FKLAS@$!*(&%" and that's not it. That's one less we'll have to check later.

-Tom


Posted by AlanHatesNicks on 11-06-2002 08:43 PM:

Re: Re: Re: Re: Run as a Service

quote:
Originally posted by AlanHatesNicks
Nope... The system account doesn't have net access...


Well, that appears to be wrong. I thought I read that somewhere. In any event, after a retry it eventually got the workgroup with the system account. However, the logoff still killed tivocrack.

-Alan


Posted by bsnelson on 11-06-2002 09:29 PM:

quote:
Originally posted by cica
Nope. I just tried "!@!FKLAS@$!*(&%" and that's not it. That's one less we'll have to check later.

-Tom

Oh, I'm sorry, I had a couple of the characters twiddled. Can you try "!@!FKLAS$@!*(&%"?



Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by MarkofT on 11-06-2002 10:25 PM:

Has someone told stansimmons that epithumia is catching him quickly? He better throw a few more PCs into the pool. 8-)


Posted by Llama on 11-06-2002 10:34 PM:

quote:
Originally posted by cica
Is 1.61 faster? I seem to be processing workloads more quickly now. I have an AMD 1.4mhz and it is processing a packet about every 70 minutes. Did someone tighten up the code?

Originally posted by nontivouser
I'm processing a packet every ~48.1 minutes, and I have a Duron 1.0 GHz. It's a relatively idle machine.. some web surfing and some email. Are there other CPU-intensive processes running on your machine? Why am I processing packets so much faster?? (I'm using the latest version from http://www.blisstonia.com/dtc/)


I've looked at the code, and the Unix (dclient) client is probably more efficient than the windows one (tivocrack). tivocrack generates a big array of strings and then tests them, but dclient calls a recursive function that cycles characters in a single string buffer. tivocrack uses 8MB of RAM, which is way bigger than anyone's L2 cache (nobody's running this on a Power4, are they?). dclient's test loop is a lot smaller, and probably fits in L1 cache. There are a lot of function calls, which is slow, though.

tivocrack uses a built-in sha1 implementation in C. dclient uses openssl, so if you've got an optimized openssl, it's using a hand-tweaked x86 assembly version, which is about 1.3 times faster for short messages. (according to openssl speed sha1.)

I'm working on optimizing dclient, probably integrating an optimized sha1 implementation into it. I've been thinking about how to use MMX or SSE to speed up sha1, and I think storing the entire 16 int W array in packed SSE registers might be useful, since SSE can xor between registers. Putting it in MMX registers would fill all of them without any room left for operations, but SSE regs are twice as big. SSE and MMX both lack rotate operations, so I'd have to synthesize it, or do the rotate in a normal integer register.

I'll see if it compiles with mingw32, which would make it possible to build a standalone win32 .exe (not using cygwin).

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC


Posted by dswallow on 11-06-2002 11:13 PM:

Re: Re: Re: Re: Re: Run as a Service

quote:
Originally posted by AlanHatesNicks
Well, that appears to be wrong. I thought I read that somewhere. In any event, after a retry it eventually got the workgroup with thge system account. However, the logoff still killed tivocrack.

-Alan



Services running under the SYSTEM account don't have network access (as in authenticated access to LAN resources), but internet access should be fine, as long as your internet access isn't through an authentication-based proxy.

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by epithumia on 11-06-2002 11:54 PM:

quote:
Originally posted by MarkofT
Has someone told stansimmons that epithumia is catching him quickly? He better throw a few more PCs into the pool.


The more the merrier. I think I've got close to 100 machines on it right now, and I'd run it on my 32 node cluster but the nodes don't have access to the 'net. I can't quite get over the 6 million point/day mark.

Unfortunately keeping track of that many machines gets to be somewhat of a pain; the client seems to stop getting new work or exit occasionally for no reason that I can find.


Posted by imadork on 11-07-2002 12:20 AM:

For the OS X heads:

Compiling with '-mdynamic-no-pic -mcpu=7450 -mmultiple'

improved my time by 325 seconds!

Of course, it's still taking close to 2 1/2 hours per unit on my B&W G3.... ugh.


Posted by EdwinOlson on 11-07-2002 02:20 AM:

epithumia- are you using the *nix client? if so, yea, it's a real hack job

I invite any suggestions from you sys-admin types who can suggest ways to make deploying on large #s of machines easier.

Stay excited until the new client comes out; it sucks noticeably less.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by smirx on 11-07-2002 02:23 AM:

I don't think I've seen this in the thread yet:

Perhaps they are hashing lowercase characters instead of uppercase ones, and doing some case-insensitive match?


Posted by iamabot on 11-07-2002 03:17 AM:

old sun hardware

i'll hopefully be adding a few multi processor sun E450's and possibly a nice E4500 fully loaded with processors (if i can find a drive array for it) within the next few days. possibly as early as friday.

thanks to all who posted tips compiling on both freebsd and solaris.


Posted by StanSimmons on 11-07-2002 03:33 AM:

Yeah, I noticed him catching me. The more the merrier!

Unfortunately, I am limited to how many machines and what times I can run them... These are active student lab machines at the College I work for. I have almost all (around 100) of the 1.8GHz P4s loaded, I may bring the slower 450MHz-900MHz machines online this weekend (another 100 or so.)

The pstools utilities that I mentioned earlier in the thread make installing and running the app remotely on large numbers of Win2K machines. If the app were a service, it would be even easier. I'll probably write up a how-to for the way I am doing it tomorrow or Friday.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by sbourgeo on 11-07-2002 03:56 AM:

Re: Re: Re: Re: Run as a Service

quote:
Originally posted by barclay
From MSDN:


I haven't tested this, so if someone wants to test this, feel free to, but it's my understanding that the Logoff event is broadcast to all SetConsoleCtrlHandler aware apps, regardless of which account they're running under. Since mine doesn't pay attention to the message being sent, much less which user is logging off, it'll start to close itself when it receives one of these messages.



I can confirm that this works.

I threw together a dll that does this when I had problems with services I created with the Perl Win32::Daemon module. All of the perl processes would crash if you logged out of the box without the dll.

Strangely, this was only true on Windows NT for i386, but not for Windows NT on Alpha (before that port was killed).


EDIT: If anyone is interested, source and compiled debug and release dll's can be found here.




Steve

__________________
"Gimme that booze ya little pumpkin-pie haircutted freak!"


Posted by Wolf on 11-07-2002 04:14 AM:

Optimization

Has anyone profiled and tried to improve the code in the clients? That recursive function that builds the key in the Unix version is horribly inefficient, but I have no idea how it compares to the encoder library.


Posted by Llama on 11-07-2002 04:30 AM:

Re: Optimization

quote:
Originally posted by Wolf
Has anyone profiled and tried to improve the code in the clients? That recursive function that builds the key in the Unix version is horribly inefficient, but I have no idea how it compares to the encoder library.


I'm working on it. I'm too much of a perfectionist to leave it at that. I'm trying to figure out how to speed up SHA1 with SSE and MMX. (see my earlier post). I haven't tried to figure out how much time is spent doing SHA1 vs. how much time is spend in the recursive functions. If someone thinks it's really significant, I could post some code that uses nested loops for the last four wildcards, instead of the recursive function, or something like that.

If it's any consolation, I think the Windows client is slower, since it generates an array of 200000 strings to test, then reads them (from main memory) and does them.

I hope Ed and barclay put their heads together and made some optimized "cruncher" code that both versions will use with their next release.

__________________
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC


Posted by epithumia on 11-07-2002 05:12 AM:

quote:
Originally posted by EdwinOlson
epithumia- are you using the *nix client? if so, yea, it's a real hack job


Yes, all of my machines run Linux; I wouldn't bother if I had to futz with windows and my Solaris machines are far too slow to be of any use.

Management is simply looping over the relevant hostnames (all conveniently numbered consecutively) and using ssh to either start the client or grep out the relevant line from ps. Pretty trivial, actually. Plus I fired off a few instances on my Mosix cluster and let them walk around the fabric.

The memory requirement of the client is so small that when it's running niced the owners of the machines don't even notice.

Anyway, this is a fun exercise but I'm not sure how long I'll be able to keep it up. Maybe tomorrow I'll add in another group of machines; it would be nice to try and break seven million points per day.


Posted by s0bellzard on 11-07-2002 06:25 AM:

ok, been lurking for like 2-3 weeks in the forums, finally decided to create an account.

First, I love the idea of this distributed client. I've been running it on my Dual Athlon 1600 box on low priority for about 4 days now. It's a rendering box, so at times it's pretty low priority, but it does its job. I just fired it up on 10 more workstations, all pretty quick.

Anyways, good luck with the crack attempt

/*
S0Be
*/

(lurking again)


Posted by Drewster on 11-07-2002 06:27 AM:

quote:
Originally posted by imadork
For the OS X heads:

Compiling with '-mdynamic-no-pic -mcpu=7450 -mmultiple'

improved my time by 325 seconds!

Of course, it's still taking close to 2 1/2 hours per unit on my B&W G3.... ugh.



Just for comparison, my dual-450Mhz G4 clocked its last unit at 8205 seconds. (136.75 minutes)

Does the client report its platform back to the server? It'd be interesting to see ranking stats.

__________________
-Andrew

That's my boy! Updated November 9
Recent Punditry: Interarchy 7.2
Fora: Ars Mac Achaia : FlyerTalk : Food Network : Oracle Calendar : TiVoCommunity : Voldemort

"I wish I could breastfeed..." -- BryanMC
8/30/04 - The Day I Stumped the SOAK.


Posted by TheAmigo on 11-07-2002 06:31 AM:

Processor variations

Don't know what version I'm running, but ls -l shows:
-rw-r--r-- 1 amigo thelab 3961 Oct 30 09:42 dclient.cpp

I'm running it on 3 linux boxen at home with various CPU types and speeds. For reference, I've timed a couple of the on-screen updates with a stopwatch and extrapolated numbers for complete datasets:

Celeron 800: 130.01 minutes
P3 Xeon 550: 104.96 minutes
Athlon 1800: 36.51 minutes

I guess having a small cache would account for the Celeron being so much slower. All 3 machines are mostly CPU idle. Both the Xeon and the Athlon are running X11, but neither is being stressed.

I also calculated out a what-if scenario. Please feel free to point out any errors in my thinking here. Since the SHA1 hash has 160 bits, presumably, the longest useful string is 20 chars and what we're looking for isn't any longer. Further assuming that it is a string possible to type from the remote, there are only 37^20 possibilities. Given the rate we were processing at on Monday (IIRC it said ~2500 IPs and 1100 users), we could run through all the possible passwords in as few as 10^15 years.

The optimist in me is hoping it's not more than 10 chars or it's made of dictionary words.

__________________
--The Amigo
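The what-if calculation in the post above, generalised as an added example (this is not code from the thread or from either client): it counts every candidate length up to the maximum rather than only the longest, and reports both the full sweep and the expected time when the target sits anywhere in the space. The aggregate search rate it uses is a constructed placeholder, since the thread reports rates only as minutes per work unit.

```python
"""Key-space size and exhaustive-search time estimate.

Added example, not code from the thread or from dclient/tivocrack. The
37-symbol alphabet and 20-character ceiling are the assumptions made in the
post above; the rate used in the demo at the bottom is a constructed
placeholder, not a figure reported anywhere in the thread.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of strings of length min_len..max_len over the alphabet.

    The post's 37**20 counts only the longest length; a search that also
    walks every shorter length adds the geometric series summed here.
    """
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def years_to_exhaust(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Wall-clock years to test every candidate at the given aggregate rate."""
    return keyspace_size(alphabet_size, max_len) / hashes_per_second / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Expected time when the target is uniformly placed: half the full sweep."""
    return years_to_exhaust(alphabet_size, max_len, hashes_per_second) / 2


def length_table(alphabet_size: int, lengths, hashes_per_second: float):
    """(length, years_to_exhaust) pairs, showing the growth per extra character."""
    return [(n, years_to_exhaust(alphabet_size, n, hashes_per_second)) for n in lengths]


if __name__ == "__main__":
    # Constructed placeholder: aggregate rate of a hypothetical pool (hashes/s).
    RATE = 1e9
    for n, yrs in length_table(37, (8, 10, 12, 16, 20), RATE):
        print(f"{n:2d} chars: {yrs:.3e} years to exhaust")
```

Each extra character multiplies the sweep by 37, which is why the optimist's hope for 10 characters or dictionary words matters far more than any client optimisation.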


Posted by cwerdna on 11-07-2002 06:44 AM:

Post speeds

For me, running the Windows client on all of them at low priority it takes about:

1 ghz Athlon Win2k: about 1.5 hours/unit running Win2k
1 ghz P3 Win2k: a little over 2 hours/unit, slightly more stressed from other tasks than Athlon
p3-550 running Win98 SE: takes about 3 hours/unit
p3-500 (I think, have to double check): also about 3 hours/unit

I'd love to see what kinda optimization work could be done on the clients to speed this up.

__________________
RCA DVR80 unhacked 3.1.1e-01-2-321
Sony hacked SVR-2000 w/180 hours, 3.0-01-1-010
Philips hacked HDR212 w/121 hours, 3.0-01-1-000


Posted by Drewster on 11-07-2002 06:48 AM:

Is the client mostly integer or floating point work?

If floating point, I'd think that if it took advantage of AltiVec on the G4, it would simply scream.

__________________
-Andrew

That's my boy! Updated November 9
Recent Punditry: Interarchy 7.2
Fora: Ars Mac Achaia : FlyerTalk : Food Network : Oracle Calendar : TiVoCommunity : Voldemort

"I wish I could breastfeed..." -- BryanMC
8/30/04 - The Day I Stumped the SOAK.


Posted by EdwinOlson on 11-07-2002 12:43 PM:

The workload is entirely integer math. The code and data should fit into the L1 in even the lowliest of x86 processors. So the big factor in performance should be integer performance. SHA1 has a bunch of rotates and shifts, and some processors are better at this than others. [Did I read somewhere that the P4 lacks a barrel shifter? That might hurt it a lot.]

Athlons have pretty mean integer performance, so I would expect them to be pretty strong. PIIIs also seem to do pretty well, but they're not clocked as fast

If AltiVec supports shifts/rotates, it might be fast, but I have no experience writing AltiVec vectorized code. If someone would like to contribute SHA code for AltiVec, SSE, MMX, etc., I'll gladly incorporate it!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by brisvegas1 on 11-07-2002 01:30 PM:

how long..

How long does it look like it will be before we get a new client to play with?

The slashdotters seem to be dropping off pretty fast.


Posted by stormsweeper on 11-07-2002 01:52 PM:

quote:
Originally posted by EdwinOlson
If AltiVec supports shifts/rotates, it might be fast, but I have no experience writing AltiVec vectorized code. If someone would like to contribute SHA code for AltiVec, SSE, MMX, etc., I'll gladly incorporate it!

-Ed



You can read some high level descriptions of the G4e/Pentium4 chips here:

http://arstechnica.com/cpu/01q4/p4a...4andg4e2-1.html


Posted by sbourgeo on 11-07-2002 02:44 PM:

Re: speeds

quote:
Originally posted by cwerdna
For me, running the Windows client on all of them at low priority it takes about :

1 ghz Athlon Win2k: about 1.5 hours/unit running Win2k
1 ghz P3 Win2k: a little over 2 hours/unit, slightly more stressed from other tasks than Athlon
p3-550 running Win98 SE: takes about 3 hours/unit
p3-500 (I think, have to double check): also about 3 hours/unit



My data points:

266 mhz P2 - SuSE Linux 7.2: about 3.5 hours/unit
dual 866 mhz P3 - WinXP: about 2 hours/unit per processor
2.26 ghz P4 - Red Hat Linux 7.1: about 1 hour/unit



Steve

__________________
"Gimme that booze ya little pumpkin-pie haircutted freak!"


Posted by tube013 on 11-07-2002 03:12 PM:

for comparison:


P3 Mobile 1133MHz, Linux (Mandrake 9.0) = ~3150 sec (52-53 min)

Athlon XP 1800 (1533MHz), Linux (Mandrake pre9.0 -an RC) = ~ 1920 sec (32 min)

Athlon 1000 MHz, Linux (Mandrake 9.0) ~ 2740 sec (45-46 min) -- goes through times where it gets no data.- sleeps, for some reason.

Duron 700 MHz, Linux (Mandrake 8.2) ~ 4065 sec (67-68 min)

these are the times reported as elapsed from the dclient.
the times were during idle times, last night, all have X running.


Posted by EdwinOlson on 11-07-2002 03:33 PM:

Re: how long..

quote:
Originally posted by brisvegas1
How long does it look like it will be before we get a new client to play with?

The slashdotters seem to be dropping off pretty fast.



Some time this evening I hope to release the first test version, for those who would like to experiment with it. [Probably the real version this weekend.]

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by bsnelson on 11-07-2002 04:09 PM:

Duron 900Mhz Win2K, otherwise idle: 82 minutes/load

Dual PIII/500 Linux, 2 copies, otherwise idle: 107 minutes/load

EDIT: Add Linux box

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by zaknafein on 11-07-2002 04:37 PM:

Athlon 1600+ Linux (RH7.2), 3033 seconds (This box has a number of different tasks, so dclient gets a pretty low priority)

__________________
Walk down to the railroad track and ride a rusty train
With a million other faces I shoot through the city veins
Goodbye, goodbye, goodbye old friend
You wanted to be free
And somewhere beyond the bitter end is where I wanna be


Posted by gregpr on 11-07-2002 05:04 PM:

P4 1.7 ghz, running XP pro

About 90 minutes per unit, when machine is otherwise unoccupied.


Posted by rbiro on 11-07-2002 05:37 PM:

Getting the tools to compile on Mandrake 9.0

After I installed Mandrake Linux 9.0 on my PC, I pulled the IDE cables and re-wired so I could do a backup of my TiVo hard-drives.
HDA remained the Linux drive, but I had to move the CDRom from HDC to HDD

I want to add this machine to the hunt, but before I can compile, I need to install the OpenSSL. However, the Mandrake Installer is convinced that my CD Drive is still at HDC. No matter how many reboots I do.

Can anybody either post a compiled client for Mandrake 9 or tell me where I can change setting that points my system to HDC instead of HDD for the CD Drive?
I'd rather not reinstall Linux or redo the cables.
Thanks


Posted by tube013 on 11-07-2002 06:11 PM:

Check /etc/fstab, maybe it has the wrong setup there, or 2 set up for /mnt/cdrom.

other thing to check is run edit-urpm-sources.pl and highlight the sources and edit them to direct them to the correct place. mine looks like this:

URL: removable://mnt/cdrom/Mandrake/RPMS
Relative Path... : ../base/hdlist1.cz

hope that helps..


Posted by rbiro on 11-07-2002 07:03 PM:

quote:
Originally posted by tube013
Check /etc/fstab, maybe it has the wrong setup there, or 2 set up for /mnt/cdrom.

other thing to check is run edit-urpm-sources.pl and highlight the sources and edit them to direct them to the correct place. mine looks like this:

URL: removable://mnt/cdrom/Mandrake/RPMS
Relative Path... : ../base/hdlist1.cz

hope that helps..



Thanks, I'll try it tonight.


Posted by Nomad on 11-07-2002 07:44 PM:

Thanks for the Linux binaries. 2 more boxes up and running, dual-p2-300 and a P4-2Ghz.


Posted by baliktad on 11-07-2002 08:02 PM:

quote:
Originally posted by EdwinOlson
I invite any suggestions from you sys-admin types who can suggest ways to make deploying on large #s of machines easier.


I tried posting something like this the other day but the tivocommunity went "down for maintenance" for about 10 minutes and I lost the whole post. In any case:
- service: excellent idea. This would also make me expect features such as automatic work unit saving on a shutdown notice and automatic resume on restart.
- tray icon: good idea as well. The console window could definitely be ditched for a small icon where I won't accidentally close it
- exclusivity: I'm not sure if the previous 2 are exclusive but it would seem to me they aren't. I would appreciate a "hidden" mode that could be activated by 1) the popup menu on the tray icon ("hide now") 2) an option in the main gui window ("hide on minimize to tray"), and 3) a command line switch. It could possibly be unhidden using a hotkey (Ctrl+Alt+Tab+T+Home+F7. hey if tivo can be sneaky why shouldn't we...) similar to how l0phtcrack functions
- .ini file: Something where I could specify the command line options in a file instead of on the command line. This would be especially useful in a service program, especially if the service checked the .ini file for new options every newblock/hour/day/otherinterval. Extremely geeky would be an option shutdown=yes which would stop the client.
My background: I admin 25-50 various windows boxes, and if we take a really long time on this project, a couple hundred win2000 boxes (not until January, let's pray this doesn't take that long).


Posted by Jonathan_S on 11-07-2002 10:01 PM:

Just wondering, EdwinOlson have you reissued any/all of the blocks that hadn't been returned for the spaces smaller than 9+1?

I know originally it was stated that blocks would automatically be reissued after 24 hours, but then it was said that that was changed.

I'm just wondering what percentage of the shorter spaces have been checked. Is there still a chance that the key could be somewhere in the 8+0 or 9+0 spaces?


It is nice to see the amount of computing power that this search has attracted; even if I did get knocked out of the top 10 overall last night

__________________
Sony T-60 - 109 hours


Posted by Mars Rocket on 11-07-2002 11:34 PM:

quote:
Originally posted by subuni
Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).



This has been confusing me ever since I first read it. The SHA-160 hash of "3 0 BC" is "DBD9A55CAB8B33E59CC79086BC10939A3BF2A8D3"; what you've put back to enable "3 0 BC" to work on your Series 2 is a byte-swapped version of the hash.

Given this, can't we assume that the hash that was originally there (96F8B204FD99534759A6C11A181EEDDFEB2DF1D4) is a byte-swapped version of what we should be searching for (04B2F896475399FD1AC1A659DFED1E18D4F12DEB)?


Posted by subuni on 11-08-2002 12:06 AM:

quote:
Originally posted by Mars Rocket
This has been confusing me ever since I first read it. The SHA-160 hash of "3 0 BC" is "DBD9A55CAB8B33E59CC79086BC10939A3BF2A8D3"; what you've put back to enable "3 0 BC" to work on your Series 2 is a byte-swapped version of the hash.

Given this, can't we assume that the hash that was originally there (96F8B204FD99534759A6C11A181EEDDFEB2DF1D4) is a byte-swapped version of what we should be searching for (04B2F896475399FD1AC1A659DFED1E18D4F12DEB)?



Just because I love copying/pasting from a tivosh:

code:
% mls /SwSystem
Directory of /SwSystem starting at ''
        Name            Type    FsId    Date     Time   Size
        ----            ----    ----    ----     ----   ----
        3.0-01-1-000    tyDb    79351   10/27/02 08:34  652
        ACTIVE          tyDb    79351   10/27/02 08:34  652
% dumpobj 79351
SwSystem 79351/11 {
  Active = 1
  IndexPath = /SwSystem/3.0-01-1-000 /SwSystem/ACTIVE /Server/6406306
  Module = 78560/-1 78562/-1 78564/-1 78566/-1 78568/-1 78570/-1 78572/-1 78575/-1 79352/-1
  Name = 3.0-01-1-000
  ResourceChecksum = 2561393d51da083831d2f0714914888a
  ResourceGroup = 79353/-1 79354/-1 (.. extra resourcegroups cut out ..)
  ServerId = 6406306
  ServerVersion = 51
  Version = 2
}
% dumpobj 79354/176
ResourceItem 79354/176 {
  Id = 131253
  String = 5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B
}
%


That's from a 3.0 system (the version number is colored red). You can see the hash (colored "sandybrown"). That hash is "3 0 BC", and is the hash I entered into the 3.2 system. I didn't byteswap anything, I didn't do anything 'funky'. I had two terminal windows open, one to my 3.0 box and one to my 3.2 box. I just copied the 3.0 hash, and replaced the 3.2 hash with it. Go to page 9 of this thread, and you can see the method used for replacing the hash.

On page one of this thread, there were links to the thread regarding "cracking" the 3.0 backdoor code (Who's going to be first to discover the backdoor code in 3.0?). You can jump to page 4, see Edwin's announcement when he cracked it. He certainly knows the endian issues involved, and I'm pretty confident his tivocrack code checks both little & big endian (because it doesn't negatively impact performance, so "why not?").


Posted by dswallow on 11-08-2002 12:19 AM:

quote:
Originally posted by EdwinOlson
Did I read somewhere that the P4 lacks a barrel shifter? That might hurt it a lot.


From http://www.emulators.com/docs/pentium_1.htm:

"MISTAKE #6 - Shifts and rotates are slow - It seems Intel has taken yet another step back to the days of the 486, even the days of the 286, by eliminating the high-speed barrel shifter found in all previous 386, 486, Pentium, 68020, 68030, 68040, and PowerPC chips. Instead, they created the shift/rotate execution unit, which by design operates at normal clock speed (not double clock speed), but in my testing actually operates even slower. A typical shift operation on the Pentium 4 requires 4 to 6 clock cycles to complete. Compare this with a single clock cycle on any 486, Pentium, or Athlon processor.

How bad is this mistake? For emulation code, it's absolutely devastating. Shift operations are used for table lookups, for bit extractions, for byte swapping, and for any number of other operations. For some reason, Intel's engineers just could not spare a few extra transistors to keep shifts fast, yet they waste transistors on idle double speed ALUs.

Intel's own documentation is now contradictory. On the one hand, Intel has for years advocated the use of shift and add operations to avoid costly multiply operations. For example, to multiply by 10, it is quicker on the 486 and Pentium to use shifts to quickly multiply by 2 and 8 and then add the results. However, on the Pentium 4 this trick of shift and add can take as long as 6 or 7 clock cycle, which negates much of the benefit over using a multiply.

This appears to have something to do with the fact that the original Pentium 4 design called for there to be two address generation units, which are circuits to quickly calculate addresses for memory operations. In previous chips, the AGU contained a barrel shifter to quickly handle indexed table lookups, which the Pentium 4 now handles using the much slower ALU. The "add and shift" trick was usually accomplished by the AGU by a programming trick using the LEA (load effective address) instruction. This trick is now rendered useless thanks to Intel cutting out the part."

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by TheAmigo on 11-08-2002 02:29 AM:

Post Dual proc reminder

I'm guessing most people that spend the money on a dual proc system already know how to use it, but I figured I'd post a quick note just as a reminder.

Since this program (like most) is not multi-threaded, if you only run it once, it's only keeping one CPU busy. For a 4 proc system, you'd have to run 4 copies of the program.

Sorry if someone else already mentioned it, but with a thread this long, it prolly doesn't hurt to bring it up again.

__________________
--The Amigo


Posted by bsnelson on 11-08-2002 02:57 AM:

Well, it wouldn't hurt if it weren't (partially) incorrect. The UNIX client must be run once per processor, but the Windows client has thread support and an argument to run as many threads as you have processors.

Also, I'm sorry to bring it up, but it's "probably"...

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by Mars Rocket on 11-08-2002 03:14 AM:

quote:
Originally posted by subuni
I'm pretty confident his tivocrack code checks both little & big endian (because it doesn't negatively impact performance, so "why not?").


You're right, it is checking both. For some reason I thought it wasn't, but I must have made a mistake when I was testing it out a few days ago.

Thanks for the explanation.


Posted by rbiro on 11-08-2002 04:53 AM:

quote:
Originally posted by tube013
Check /etc/fstab, maybe it has the wrong setup there, or 2 set up for /mnt/cdrom.

hope that helps..



/etc/fstab did the trick!

I've now got a 4th machine on the hunt.


Posted by Otto on 11-08-2002 05:43 AM:

quote:
Originally posted by Mars Rocket
You're right, it is checking both. For some reason I thought it wasn't, but I must have made a mistake when I was testing it out a few days ago.


You were right, BTW. It is checking both, but it really only needs to check the 04B2 one.

Probably.

Anyway, it's very fast to check both, so you might as well.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."
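The byte-order relationship Mars Rocket, subuni and Otto discuss above, as an added example that is not code from the thread, tivocrack or dclient: the two 3.0 digests quoted in the posts differ only by reversing the bytes inside each 32-bit word (the form a little-endian host produces when it dumps the five SHA-1 state words), and the same transform turns the stored 3.2 value into the canonical order Otto calls "the 04B2 one". Whether hashlib's SHA-1 of "3 0 BC" reproduces the canonical 3.0 digest is for the reader to run; the checks here cover only the word swap itself and the either-order comparison.

```python
"""Word-swapped SHA-1 digests: canonical vs. as-stored byte order.

Added example, not code from the thread or from either client. The three
digests below are the values quoted in the posts above; everything else is
illustrative.
"""
import hashlib

# 3.0 hash as quoted in the thread: canonical (big-endian) and as stored.
HASH_30_CANONICAL = "DBD9A55CAB8B33E59CC79086BC10939A3BF2A8D3"
HASH_30_AS_STORED = "5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B"
# 3.2 hash as stored, quoted in the thread.
HASH_32_AS_STORED = "96F8B204FD99534759A6C11A181EEDDFEB2DF1D4"


def swap_words(hex_digest: str) -> str:
    """Reverse the byte order inside each 32-bit word of a 160-bit digest.

    SHA-1 ends with five 32-bit state words h0..h4. Writing each word out
    least-significant byte first (little-endian) gives the stored form; the
    transform is its own inverse, so it converts in both directions.
    """
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 20:
        raise ValueError("expected a 160-bit (20-byte) digest")
    swapped = b"".join(raw[i:i + 4][::-1] for i in range(0, 20, 4))
    return swapped.hex().upper()


def candidate_digests(candidate: str):
    """Return (canonical, word-swapped) uppercase hex digests of a string."""
    canonical = hashlib.sha1(candidate.encode("ascii")).hexdigest().upper()
    return canonical, swap_words(canonical)


def matches_stored(candidate: str, stored_hex: str) -> bool:
    """True if the candidate hashes to the stored value in either byte order.

    Checking both forms costs one extra 20-byte comparison per candidate,
    which is the "why not" subuni and Otto refer to.
    """
    return stored_hex.upper() in candidate_digests(candidate)


if __name__ == "__main__":
    canonical, swapped = candidate_digests("3 0 BC")
    print("SHA-1('3 0 BC') canonical   :", canonical)
    print("SHA-1('3 0 BC') word-swapped:", swapped)
    print("3.2 digest in canonical order:", swap_words(HASH_32_AS_STORED))
```

The practical lesson for anyone verifying a digest pulled out of a firmware or database dump: confirm the word order before concluding that a known-good value "does not match", otherwise a correct candidate is silently rejected.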


Posted by micjordan on 11-08-2002 06:06 AM:

you can make it run multiple threads by adding t# when running tivocrack.exe. for example if you have 4 processors run "tivocrack.exe t4" to give it 4 threads.


Posted by s0bellzard on 11-08-2002 06:08 AM:

ummm... error?

http://bn557.servebeer.com/error.jpg

(take note of the times on the clients)

The way I had done this (I think) was I pressed pause on the terminal window while my internet connection went through a down time (damn ISP) and when I unpaused it, it didn't immediately realize it was the next day.

S0be


Posted by slaeyer on 11-08-2002 06:19 AM:

Not a programmer, but if / when a new *nix version of the client comes available, I would in turn like a Darwin PPC port!

__________________
Through the router, Along the cable,
Down the fiber, Nuttin but Net


Posted by barclay on 11-08-2002 06:32 AM:

quote:
Originally posted by s0bellzard
The way I had done this (I think) was I pressed pause on the terminal window while my internet connection went through a down time (damn ISP) and when I unpaused it, it didn't immediately realize it was the next day.



I think you just explained the issue then. You paused the client around 1:00pm, and then unpaused it just after midnight.

I don't see an error (other than no UI to indicate you paused things)


Posted by s0bellzard on 11-08-2002 06:37 AM:

The problem is that it jumps from hour 13 to hour 0
(it was paused for maybe 10 minutes)

s0be


Posted by nontivouser on 11-08-2002 06:53 AM:

My 1.0GHz Duron, running Gentoo Linux, compiled with gcc 3.2, was taking ~2880 seconds/packet. (= 48.1 mins/packet)

quote:
linux boxen ...
Celeron 800: 130.01 minutes
P3 Xeon 550: 104.96 minutes
Athlon 1800: 36.51 minutes

quote:
1 ghz Athlon Win2k: about 1.5 hours/unit running Win2k
1 ghz P3 Win2k: a little over 2 hours/unit, slightly more stressed from other tasks than Athlon
p3-550 running Win98 SE: takes about 3 hours/unit
p3-500 (I think, have to double check): also about 3 hours/unit

quote:
266 mhz P2 - SuSE Linux 7.2: about 3.5 hours/unit
dual 866 mhz P3 - WinXP: about 2 hours/unit per processor
2.26 ghz P4 - Red Hat Linux 7.1: about 1 hour/unit

quote:
P3 Mobile 1133MHz, Linux (Mandrake 9.0) = ~3150 sec (52-53 min)
Athlon XP 1800 (1533MHz), Linux (Mandrake pre9.0 -an RC) = ~ 1920 sec (32 min)
Athlon 1000 MHz, Linux (Mandrake 9.0) ~ 2740 sec (45-46 min) -- goes through times where it gets no data; sleeps, for some reason.
Duron 700 MHz, Linux (Mandrake 8.2) ~ 4065 sec (67-68 min)

quote:
Duron 900MHz Win2K, otherwise idle: 82 minutes/load
Dual PIII/500 Linux, 2 copies, otherwise idle: 107 minutes/load

quote:
Athlon 1600+ Linux (RH7.2), 3033 seconds (This box has a number of different tasks, so dclient gets a pretty low priority)

quote:
P4 1.7 ghz, running XP pro, About 90 minutes per unit, when machine is otherwise unoccupied.

The observations from these reports:
1) The Linux client running on a Linux machine is faster than the Windows client on a Windows machine
2) AMD CPUs run the client faster than Intel CPUs, given the same OS


Posted by mstroh on 11-08-2002 11:08 AM:

Just a FYI:

I have 3 Windoze (all Intel) boxes running, the only one I watch on a regular basis is a 2.24GHz (P4) XP Pro box, it finishes a WU at just over an hour.

Also, I just received 9+0 WU's, so I assume the above (x+y) WU's are done.

-mike


Posted by Lightn on 11-08-2002 02:12 PM:

I think with all this manual reporting of elapsed time per WU on different combinations of CPU/OS, it would be very useful for the tivocrack software to do this automatically, i.e., it should grab an OS string, CPU id, CPU speed, and elapsed CPU time of the worker thread(s), which would give it an accurate elapsed time. That would lend itself well to interesting stats data and help with judging the effectiveness of different optimizations and comparisons between the linux and windows client.

The proof cookie is a very good idea for being able to verify results, I hope the server software puts it to good use in identifying cheaters.

And again, please look at my other suggestions a ways back.


Posted by EdwinOlson on 11-08-2002 04:00 PM:

I don't know of a cross-platform way in which I can programmatically get CPU type/speed. That makes reporting stats automatically very difficult.

I'm planning on a web-based reporting app though.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by EdwinOlson on 11-08-2002 04:15 PM:

G'morning, y'all.

I'd like to start beta testing of the 2.0 client and server. Please note that the workunits being handed out by the 2.0 server have already been searched once and include quite a few regression tests. But I'd like to identify any potential nasty bugs/build problems as soon as possible, so please give it a try!

Please note that the server has changed, as have the command line arguments. Type "./dclient" with no arguments for a list.

Here's the page-

http://edo.lcs.mit.edu/dclient

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by epithumia on 11-08-2002 04:54 PM:

I fired up the new client; it seems to be working fine. In fact, work unit 1400 had the 3.0 backdoor code:

Requesting work unit.
Processing work unit 1400
Searching pattern '??????', seed '3'.
SOLUTION FOUND: '3 0 BC'
Work results submitted.

What do I win?

If only the 3.2 code was that easy.


Posted by Nomad on 11-08-2002 05:43 PM:

Moving both my boxes to the new client.


Posted by barclay on 11-08-2002 07:04 PM:

quote:
Originally posted by EdwinOlson
I'd like to start beta testing of the 2.0 client and server.
...
Here's the page-
http://edo.lcs.mit.edu/dclient



And fwiw, the Win32 client is available now (same page).


Posted by EdwinOlson on 11-08-2002 07:34 PM:

User stats are now available on the 2.0 server.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Llama on 11-08-2002 08:04 PM:

I'm going away for the weekend, and I haven't finished tweaking Ed's code, so I sent him what I've done so far. I'm posting it here, too, for the benefit of anyone who wants to improve on my ideas. I've attached my patch to this post, and hopefully my browser (galeon) supports doing that. Silly forum doesn't support .gz, only .zip, but whatever. If not, ask Ed for a copy if you want it before I get back Sunday night. Otherwise, just email me. (my addr is in my .sig).

(This is copied from an email to Ed, which is why I'm addressing him as "you".)

The important things I've done are:

- disabled networking by setting the URL to 127.0.0.1/nonexistant. (not the best way to disable networking, esp. if an httpd is running.)

- rearranged the order things appear in the code. I don't remember if g++ can inline functions if they are defined after they are called, but I think it used to be that way. Best to make things easy for g++ to inline, anyway. Making them static means that g++ doesn't have to emit definitions for them if every instance is inlined.

- make searchpattern_recursive() propagate return values all the way up. (I see you did that in the 2.0 beta.)

- change searchpattern() to call my fastsearch_tivoalp_4q() function when the alphabet is [A-Z 0-9]* (tivoalph), and the pattern ends with four question marks (4q). fastsearch_...() is based on sp_recursive(), but it calls innerloop1_tivoalph_4q() to handle the last four wildcards with nested loops instead of recursive function calls. I'm not done with the innerloop function; there are probably ways to make it faster. (I don't really like the innermost loop, since I'd like to have SHA1 inlined inside the loop, but not 3 times!) However, it makes up a pretty small amount of the total execution time compared with SHA1. If SHA1 can be optimized because we know our string is short, that could help a lot. It'll be hard to get much out of it, because that amounts to cryptanalysis, which I'm not exactly an expert at.

My fastsearch_...() doesn't print out status as often as your recursive function, because the loop isn't reached as often. It's probably not a big deal.

- added a provision to define testPtext to an increment of a volatile global variable. This takes almost no time, because it will be in L1 cache, but g++ can't optimize it away because of the volatile qualifier. Measuring the run time then essentially gives the overhead of the loops and stuff.

- change the Makefile with general improvements, and make it build a dclient with and without my fastsearch_...().

I've been doing test runs with things like this:
time ./dclient_fast FFFF '????123456????' 33
time ./dclient FFFF '????123456????' 33

dclient_fast (without checking SHA1) takes about 42 seconds for that work unit, while dclient takes 3 min 44s, or something like that. That's only a couple minutes out of however long a 6 wildcard work unit would take, and my nested-loop version takes up extra L1 instruction cache space. (and this is supposed to be a background task, so we need to avoid cache pollution when we can.)

__________________
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
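Added example, not Llama's patch or Ed's dclient: the wildcard search described above, in Python, with a recursive version shaped like searchpattern_recursive() and a flat version that walks the cartesian product of the wildcard positions in a single loop (Llama's nested-loop idea, generalised here to any number of '?'). It uses the 37-symbol alphabet printed in the client logs later in this thread, and a target digest constructed from a made-up plaintext so the run checks itself. The candidate count it returns is the reason a six-wildcard unit costs 37^6 hashes, and why a short code with no salt or rate limit is only as strong as that keyspace.

```python
"""Wildcard pattern search against a SHA-1 digest, recursive and flat.

Added illustration of the search Llama's patch describes; it is not the
dclient code. Fixed pattern characters are copied through, each '?' ranges
over the alphabet, and every candidate is hashed and compared with the target
digest. The target is constructed from a known plaintext (see target_for).
"""
import hashlib
import itertools

# Alphabet as printed in the 2.0 client log on this page: A-Z, space, 0-9 (37 symbols).
TIVO_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"


def keyspace(pattern, alphabet=TIVO_ALPHABET):
    """Candidates a pattern expands to: len(alphabet) ** (number of '?')."""
    return len(alphabet) ** pattern.count("?")


def target_for(plaintext):
    """Digest of a constructed plaintext, used to build self-checking targets."""
    return hashlib.sha1(plaintext.encode("ascii")).digest()


def search_recursive(pattern, target, alphabet=TIVO_ALPHABET):
    """One wildcard per recursion level, the shape of searchpattern_recursive().
    Returns (matching string or None, number of candidates hashed)."""
    tried = 0

    def rec(prefix, rest):
        nonlocal tried
        if not rest:
            tried += 1
            digest = hashlib.sha1(prefix.encode("ascii")).digest()
            return prefix if digest == target else None
        if rest[0] != "?":
            return rec(prefix + rest[0], rest[1:])
        for ch in alphabet:
            hit = rec(prefix + ch, rest[1:])
            if hit is not None:
                return hit
        return None

    return rec("", pattern), tried


def search_flat(pattern, target, alphabet=TIVO_ALPHABET):
    """Same search without recursion: one loop over the product of the wildcard
    positions, written into a reusable buffer (constructed variant of Llama's
    nested loops). Returns (matching string or None, candidates hashed)."""
    buf = bytearray(pattern, "ascii")
    slots = [i for i, c in enumerate(pattern) if c == "?"]
    tried = 0
    for combo in itertools.product(alphabet.encode("ascii"), repeat=len(slots)):
        for i, b in zip(slots, combo):
            buf[i] = b
        tried += 1
        if hashlib.sha1(buf).digest() == target:
            return buf.decode("ascii"), tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: the SHA-1 of a made-up 4-character string.
    target = target_for("AX1Z")
    for fn in (search_recursive, search_flat):
        print(fn.__name__, fn("A?1?", target), "of", keyspace("A?1?"))
```

Both versions enumerate candidates in the same order (leftmost wildcard slowest), so they report the same count for a hit; the flat version avoids a call per character, which is the overhead Llama's volatile-counter trick measures.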


Posted by mij on 11-08-2002 08:37 PM:

Hmm... Not sure if this is something I did wrong, or an actual problem... It seemed to chug right along through the process, and at the end I got the error message below. Here is the output that was left on the screen. The same machine had been processing (and is now back using) the first version of the client.

-MIj

./dclient -rs http://edo.lcs.mit.edu/dclient/getwork.php -u Mij
*******************************************************
*
Requesting work unit.
Processing work unit 1418
Searching pattern '???????', seed 'L'.
Proof: 0FA47FB4
SERVER SAID: Wrong nonce.
Can't submit work to server. Sleeping.
SERVER SAID: Wrong nonce.
Can't submit work to server. Sleeping.


Posted by mpulver on 11-08-2002 09:46 PM:

quote:
And fwiw, the Win32 client is available now (same page).
http://edo.lcs.mit.edu/dclient



I'm running it now, and it looks good guys. Thank you!

A suggestion... For Windows, adding a right-click menu option to go to the server would be a "nice to have".


Posted by jnk27 on 11-08-2002 10:05 PM:

Thumbs up

2.00 working as a Windows Service on both XP and Windows 2000.

Good job, guys!

John


Posted by Mike Farrington on 11-08-2002 10:40 PM:

Looks nice, but I can't get it to run as a service. It crashes.

-Mike


Posted by cica on 11-09-2002 12:16 AM:

I hate to ask a stupid question, but how live is 2.0 beta? I have about 8 machines dedicated to this project, but I'm afraid to switch them over until their results are productive. Also, if I can't get to the machines until Tuesday, will they still be contributing if they are on (a) 1.62, and (b) 2.0b.

(win32 client)

-Tom


Posted by EdwinOlson on 11-09-2002 12:39 AM:

You didn't do anything wrong; you were just unlucky. You happened to be working on a block that I accidentally created and then deleted. Once your client gives up on that block (or you restart it), it'll be fine.

-Ed


quote:
Originally posted by mij
Hmm... Not sure if this is something I did wrong, or an actual problem... It seemed to chug right along through the process, and at the end I got the error message below. Here is the output that was left on the screen. The same machine had been processing (and is now back using) the first version of the client.

-MIj

./dclient -rs http://edo.lcs.mit.edu/dclient/getwork.php -u Mij
*******************************************************
*
Requesting work unit.
Processing work unit 1418
Searching pattern '???????', seed 'L'.
Proof: 0FA47FB4
SERVER SAID: Wrong nonce.
Can't submit work to server. Sleeping.
SERVER SAID: Wrong nonce.
Can't submit work to server. Sleeping.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by mpulver on 11-09-2002 12:39 AM:

quote:
how live is 2.0 beta?


It's not. Ed is running through a list of keys that have already been searched in order to shake out any issues with the 2.0 client. 1.62 is still the latest "live" client.


Posted by EdwinOlson on 11-09-2002 12:40 AM:

While we're not currently searching new space with 2.0, we're doing valuable double-checking of keyspace we've already done. And probably later tonight, we'll be on new space anyway.

-Ed

quote:
Originally posted by cica
I hate to ask a stupid question, but how live is 2.0 beta? I have about 8 machines dedicated to this project, but I'm afraid to switch them over until their results are productive. Also, if I can't get to the machines until Tuesday, will they still be contributing if they are on (a) 1.62, and (b) 2.0b.

(win32 client)

-Tom

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-09-2002 01:23 AM:

quote:
Originally posted by Mike Farrington
Looks nice, but I can't get it to run as a service. It crashes.


When you say it crashes, what specifically happens? Anything get left in the log.txt file? What are you putting in settings.txt?


Posted by EdwinOlson on 11-09-2002 02:01 AM:

I've posted a new version of dclient, dclient2c. It is functionally identical to dclient2b (i.e., no bug fixes), but it includes two speed optimizations that increase performance by about 10%. I implemented Llama's suggestion of eliminating the recursion, though I did it in a very different and more general way. A larger improvement was made by rewriting memcmp which was mysteriously bad!

Available on the website... http://edo.lcs.mit.edu/dclient

PS: If anyone knows of a wicked-fast SHA1 implementation (probably assembly), let me know.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by deebo on 11-09-2002 02:16 AM:

2.0 is wonderful, excellent job Barclay!!!! I have it running on 3 XP and 4 2000 machines like a champ!! No maintenance required; set them all up as a service to run automatically, no hassle!!
-David


Posted by Out of Focus on 11-09-2002 03:27 AM:

quote:
Originally posted by EdwinOlson
PS: If anyone knows of a wicked-fast SHA1 implementation (probably assembly), let me know.


I did a web search, I think this is what you are looking for. Hope it helps.
http://www.programmersheaven.com/zone5/cat20/6755.htm

code:
From SHA1.H
// SHA-1 hashing algorithm
// v. 0.1
//
// This is a C style header file for NASM implementation of the SHA-1 algorithm
// This implementation is placed in public domain
// Please report bugs and make suggestions to
// tomas@frydrych.freeserve.co.uk
//
// These are all 32-bit routines and WILL NOT RUN on lesser than 486
// COMPILING THE ASSEMBLER SOURCE CODE:
// first get the NASM executable (just search the web for NASM)
// the file will compile directly into Borland obj or MS Win32 obj file (they are not the same!)
// if you are using a different output format you may need to make some changes to the
// segment directives (there are two in there, one for code one for init. data) depending
// on the output format (see NASM documentation), but otherwise, this code is platform
// independent (by the virtue of NASM).
//
// My own tests (for what they are worth) seem to indicate that the implementation is
// about 2 times faster than a C equivalent.
//
// There are a couple of defines that you can uncomment in the source to change the final
// product, you will find details in the source file


Posted by EdwinOlson on 11-09-2002 03:52 AM:

You can now report the performance of your client on the website for comparison purposes. Follow the link under "stats" on the main page.

http://edo.lcs.mit.edu/dclient

That's probably it for a while from me, barring any urgent bug fixes. I've got a robotics contest to make happen! (http://maslab.lcs.mit.edu)

Provided everything goes smoothly for the next 24 hours or so, I'll add the unsearched blocks to the client. So, this is the last 24 hours of beta!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by sciencewhiz on 11-09-2002 04:01 AM:

There is a problem with the mailto link on http://edo.lcs.mit.edu/dclient/

code:
<a href="mailto:eolson.mit.edu>let me know!">let me know!</a>
should be
code:
<a href="mailto:eolson@mit.edu">let me know!</a>


Posted by Attack on 11-09-2002 04:07 AM:

quote:
Originally posted by EdwinOlson
You can now report the performance of your client on the website for comparison purposes. Follow the link under "stats" on the main page.

http://edo.lcs.mit.edu/dclient

-Ed



I want to report my findings but I don't know of any way to get the values from the Windows client. Can I calculate it using information given to me in the logs?

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by EdwinOlson on 11-09-2002 04:18 AM:

I'm talking to Scott (Barclay) about adding a benchmarking option to his client. Give it a day or so

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-09-2002 04:18 AM:

quote:
Originally posted by Attack
I want to report my findings but I don't know of any way to get the values from the Windows client. Can I calculate it using information given to me in the logs?


There's no userland option to turn on stats gathering. Gathering the stats was left as a #define to turn it on and off. You can work backwards from the information in the logs, but that's not really for the faint of heart.

I'll add an option to add the level of stats that dclient is reporting and let y'all know when it's ready.


Posted by srs5694 on 11-09-2002 04:50 AM:

quote:
Originally posted by EdwinOlson
If anyone knows of a wicked-fast SHA1 implementation (probably assembly), let me know.


I'd like to request that, if an assembly routine is used, it be placed in #ifdefs and standard C (or C++) code be left in place in other #ifdefs, as well. I'm running the current stuff on an iMac, which obviously won't run x86 assembly code. I'm sure there are others using non-x86 CPUs, too.


Posted by ahecht on 11-09-2002 05:02 AM:

I'm using the 2.0 client in WinXP, and I've found that it gets stuck on "Getting the next work load" if I run it with the "r" parameter, and won't finish downloading the work unit until I change the priority to normal using the Task Manager. Has anyone else had this problem?


Posted by barclay on 11-09-2002 05:34 AM:

I've added option "i" to report the number of kkeys a second. I also swapped out the sha1 code with the asm code posted above. There's not much of a performance gain; either that's a sign that my compiler is pretty decent, or my cache-to-memory scheme is so broken it doesn't matter.

I'll probably play with removing the cache-to-memory scheme at some point this week, but for now, this is good enough.

You can download 2.01 from here as usual.


Posted by smf on 11-09-2002 05:39 AM:

dclient2c is working fine on my FreeBSD 4.7 system, but I did have to make one minor patch to Cracker.cpp before it would compile:

code:
--- Cracker.cpp.orig Fri Nov 8 21:11:53 2002 +++ Cracker.cpp Fri Nov 8 21:12:05 2002 @@ -1,6 +1,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <sys/types.h> #include <netinet/in.h> #include <openssl/sha.h>
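Review bot: the hunk has been flattened onto a single line, so `patch` cannot apply it as posted; re-post it with the original line breaks (the `---`/`+++`/`@@` headers and each `#include` on their own line) or attach the file. The change itself reads fine: the added `#include <sys/types.h>` sits ahead of `#include <netinet/in.h>`, where it has to stay for the FreeBSD build to compile, and since it is a standard header it can be included unconditionally, so the Linux build needs no `#ifdef` around it.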

I think it's portable to do this for Linux too, but I don't have a system handy to test with.
-smf


Posted by Attack on 11-09-2002 06:17 AM:

I tried using version 2.01 of the windows client on my dual Athlon 1.2 PC (Win2k) with 2 threads but it crashes after it downloads the work unit. I tried it with just one thread and it works just fine.

Log of 2.01 starting
---
1:02:27: -- TiVoCrack 2.01 started --
1:02:27: Getting the next work load
1:02:28: User = [Attack], Work Unit = 3736
1:02:28: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
1:02:28: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
1:02:28: Pattern = [Y8??????]
1:02:28: Threads = 2, Local = false, Silent = false
1:02:28: Priority = normal, Sleep = 5min, Retries = infinite
1:02:28: Logging = both
1:02:33: [Y8PD8DAA]
----

Once the last line is displayed it crashes. screen-shot of the error message that pops up.

__________________
Philips SA series 1 38hrs.Best, TurboNet, Memory Upgrade, TiVoWeb
Philips SA series 1 38hrs.Best, CacheCard 256 MB, TiVoWeb
Philips SA series 1 82hrs.Best, CacheCard 256 MB, TiVoWeb
My DVD collection


Posted by barclay on 11-09-2002 06:59 AM:

Ugh. It looks like somehow the ASM version of SHA1 isn't thread safe.

I'll look into making it be the version that's called for the single thread version, and fall back on the other code otherwise, but for now, I've just backed it out. 2.02 is available now.


Posted by Stubtify on 11-09-2002 12:16 PM:

Speed difference?

Well, been following the program for a while now and was wondering why is there such a huge speed difference between the win32 and *nix clients. I'm not complaining, just wondering if it's a limitation of the program which is attempting to be overcome or if it's an underlying problem with windows. We're running a 1ghz P3, 1.33 Athlon and a 1.8 P4 in our apartment and as it stands the P4 and athlon turn in a session in roughly 75 minutes and the 1ghz is closer to 105, but these numbers are being had in *nix by machines much slower.

Would it be worth my while to get a linux session running in VPC on the three computers in our small apartment, or will the speed gap close up? Our speeds are on par with between a P2 350 and a P3 700. At those speeds I might also consider dusting off my old 400 and setting it up.

I must say that the program is keeping our apartment a lot warmer during this cold Southern California Winter...


Posted by cica on 11-09-2002 01:24 PM:

Are we there yet?


Posted by jnk27 on 11-09-2002 01:36 PM:

Question stats computation

I wanted to report my 'i' switch stats, but for some reason it is reporting a negative number, viz.:

code:
6:26:40: Getting the next work load
6:26:40: User = [jnk27], Work Unit = 4438
6:26:40: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789]
6:26:40: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
6:26:40: Pattern = [AG7??????]
6:26:40: Threads = 1, Local = false, Silent = false
6:26:40: Priority = lower, Sleep = 5min, Retries = infinite
6:26:40: Logging = log.txt
6:26:45: [AG75DOKBA]
6:31:45: [AG7PW5AJC]
...
7:52:23: Elapsed time: 5143.03 seconds
7:52:23: -336.2 kKeys/s
7:52:23: Sending the results
7:52:23: Done


Shouldn't that be 37^6/5143.03 ~= 500 kKeys/s? I am running TiVocrack as a service on XP with the settings 'ujnk27 r i o2'.

Thanks.
John

P.S. Edited to say this is version 2.01.
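Added worked example for the negative kKeys/s figure in John's log (not the TiVoCrack code, and the thread does not say what the later 2.03 fix changed). The six wildcards in pattern AG7?????? give 37^6 = 2,565,726,409 candidates, which is larger than 2^31 - 1. Truncating that count to a signed 32-bit integer and dividing by the 5143.03 s elapsed time reproduces -336.2 kKeys/s exactly, while the same arithmetic in 64 bits gives the roughly 500 kKeys/s he expected. That a signed 32-bit key counter is the cause is an inference from the numbers, not something the thread confirms.

```python
"""Work-unit throughput, and what a 32-bit signed counter does to it.

Added example: shows that the keyspace of a six-wildcard pattern over the
37-symbol alphabet exceeds 2**31, and that the posted -336.2 kKeys/s is what
you get when that count wraps to a signed 32-bit int before the division.
"""

ALPHABET_SIZE = 37  # A-Z, space, 0-9, as printed in the client log


def keyspace_size(wildcards, alphabet_size=ALPHABET_SIZE):
    """Candidates in a work unit: alphabet_size ** wildcards."""
    return alphabet_size ** wildcards


def to_int32(n):
    """Wrap an integer the way a C 'int' would (two's complement, 32 bits)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def kkeys_per_second(keys, seconds):
    """Throughput in thousands of keys per second."""
    return keys / seconds / 1000.0


def report(wildcards, seconds):
    """Compare the 64-bit rate with the rate after a 32-bit wraparound."""
    keys = keyspace_size(wildcards)
    return {
        "keys": keys,
        "fits_int32": keys <= 0x7FFFFFFF,
        "correct_kkeys_s": kkeys_per_second(keys, seconds),
        "int32_kkeys_s": kkeys_per_second(to_int32(keys), seconds),
    }


if __name__ == "__main__":
    # Numbers from the log above: pattern AG7?????? (6 wildcards), 5143.03 s.
    r = report(6, 5143.03)
    print(f"keys={r['keys']} fits_int32={r['fits_int32']}")
    print(f"64-bit: {r['correct_kkeys_s']:.1f} kKeys/s, "
          f"wrapped: {r['int32_kkeys_s']:.1f} kKeys/s")
```

A five-wildcard unit (37^5 = 69,343,957) still fits in 31 bits, which is why the sign only flips on the larger units; any counter that can reach the full keyspace of a unit needs to be 64 bits wide, or the rate should be computed from per-block counts.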


Posted by swhobbit on 11-09-2002 01:58 PM:

quote:
Originally posted by EdwinOlson
I've posted a new version of dclient, dclient2c.
.
.
.
Available on the website... http://edo.lcs.mit.edu/dclient

PS: If anyone knows of a wicked-fast SHA1 implementation (probably assembly), let me know.



One small change, please, to make it cleanly compile on FreeBSD systems:

diff -ru tmp/dclient2c/Cracker.cpp src/dclient2c/Cracker.cpp
--- tmp/dclient2c/Cracker.cpp Fri Nov 8 20:32:09 2002
+++ src/dclient2c/Cracker.cpp Fri Nov 8 22:05:04 2002
@@ -1,6 +1,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/types.h>
#include <netinet/in.h>

#include <openssl/sha.h>
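Review bot: the position of the added `#include <sys/types.h>` ahead of `#include <netinet/in.h>` is the whole point of the change, so add a trailing comment on that line (for example `/* must precede <netinet/in.h> on FreeBSD */`) so a later tidy-up of the include order does not undo it. This is the same hunk smf posted a few messages up; apply one of the two, not both, or the file ends up with the include twice.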


Posted by EdwinOlson on 11-09-2002 03:10 PM:

I've made the change and the source file now contains this patch. I didn't change the version number. (We're still at 2c.)

quote:
Originally posted by swhobbit
One small change, please, to make it cleanly compile on FreeBSD systems:

diff -ru tmp/dclient2c/Cracker.cpp src/dclient2c/Cracker.cpp
--- tmp/dclient2c/Cracker.cpp Fri Nov 8 20:32:09 2002
+++ src/dclient2c/Cracker.cpp Fri Nov 8 22:05:04 2002
@@ -1,6 +1,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/types.h>
#include <netinet/in.h>

#include <openssl/sha.h>

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by kvandivo on 11-09-2002 03:58 PM:

and to make it link on solaris, the library options are:

-lnsl

not

-nsl

__________________
Everything I say is probably pure speculation.


Posted by EdwinOlson on 11-09-2002 05:12 PM:

fixed in the Makefile comment.

quote:
Originally posted by kvandivo
and to make it link on solaris, the library options are:

-lnsl

not

-nsl

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by barclay on 11-09-2002 08:07 PM:

And now I'm up to 2.03. This fixes the kkeys report, and also has some minor speed improvements.

Hopefully this will be the final version from me for a while.


Posted by embeem on 11-09-2002 08:53 PM:

quote:
Originally posted by EdwinOlson

PS: If anyone knows of a wicked-fast SHA1 implementation (probably assembly), let me know.



I ran across some nasm routines not too long ago ...
http://www.frydrych.freeserve.co.uk/casm/sha1.zip

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by Cletus on 11-09-2002 09:34 PM:

Re: Speed difference?

quote:
Originally posted by Stubtify
Well, been following the program for a while now and was wondering why is there such a huge speed difference between the win32 and *nix clients. .


FWIW, the same Unix client, version 2c, when compiled under cygwin and run on Windows, is also much slower than when run natively on Linux. A p2-266 machine with Linux gets 280kkeys/s, whereas the cygwin-compiled client on a p2-400 gets only 250kkeys/s under Windows XP. So the issue may not be entirely related to the client, but also to the environment.

__________________
If you can't beat'em... pay someone to do it.


Posted by cica on 11-09-2002 09:42 PM:

quote:
Hopefully this will be the final version from me for a while


Before you take a break, I have lost several workloads by accidentally closing the window instead of minimizing it. Would it be possible to add a "Don't be a moron" dialog so this doesn't happen. IOW, when you hit the close box, ask if you're sure you want to quit.

Thanks
-Tom


Posted by tarman on 11-09-2002 09:56 PM:

quote:
Originally posted by cica
Before you take a break, I have lost several workloads by accidentally closing the window instead of minimizing it. Would it be possible to add a "Don't be a moron" dialog so this doesn't happen. IOW, when you hit the close box, ask if you're sure you want to quit.

Thanks
-Tom



And while you are at it could you make the first CTRL-C set it to stop after the workload is finished and the results have been sent. A second CTRL-C would stop it right away.

This is because ANYTIME I stop now, I lose half a workload and it has to be rerun later.

Thanks,

Tom

EDIT: I didn't see the "s" sleep parameter. That will work. Thanks!

__________________
Tom


Posted by barclay on 11-09-2002 11:53 PM:

quote:
Originally posted by cica
Before you take a break, I have lost several workloads by accidentally closing the window instead of minimizing it. Would it be possible to add a "Don't be a moron" dialog so this doesn't happen. IOW, when you hit the close box, ask if you're sure you want to quit.


All right, done.

2.04 is available. When it's running in remote mode, it'll warn you before exiting, and you can have it exit after the current work unit is done and sent back to the server.


Posted by cica on 11-10-2002 03:29 AM:

Thank you.

BTW, I take it the dancing Tivo guy is not going to happen?

-Tom


Posted by StanSimmons on 11-10-2002 05:04 AM:

The 2.0 beta seems to be going well. I have a few machines cranking away with the 2.00 service, and I'll be switching them to the 2.04 tomorrow.

When should I switch the other 100 machines to the new client and server?

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by swhobbit on 11-10-2002 05:08 AM:

Smile

quote:
Originally posted by StanSimmons
When should I switch the other 100 machines to the new client and server?


As late as possible, because then the rest of our standings won't drop like a rock so fast.


Posted by sciencewhiz on 11-10-2002 03:28 PM:

from the stats page of the old site:

quote:
Announcement: The 2.0 client and server are now available here: http://edo.lcs.mit.edu/dclient. All users should migrate to the new software in the next couple of days.

Hope that answers your question, stansimmons


Posted by barclay on 11-10-2002 05:53 PM:

And 2.05 is available.

Please upgrade to this one as soon as possible, as this fixes a bug with the way units are reported to the server (don't worry, nothing should be lost, this will just make it so Edward doesn't have to fix anything that's reported by hand)


Posted by imadork on 11-10-2002 06:03 PM:

Just compiled the 2.0 code on my 'Venerable' B&W G3 running OS X.

Two notes:

1) I had to add the
typedef int socklen_t;
to the top of SSocket.h again. Any chance of putting this in the README file?

2) The Makefile lists one of the compiler options for the G3 and G4 as --multiple, it's really -mmultiple, of course.


Posted by sciencewhiz on 11-10-2002 06:06 PM:

quote:
Originally posted by barclay
Please upgrade to this one as soon as possible, as this fixes a bug with the way units are reported to the server


What's the proper way to upgrade it when it is running as a service in windows 9x?

I'm too lazy to unregister the service, reboot so it's not running, then upgrade, reregister, and reboot again. Is there an easier way? When I upgraded from 2.02 to 2.04, I just replaced the executable, and the next time that I rebooted, it wasn't running.


Posted by barclay on 11-10-2002 06:40 PM:

quote:
Originally posted by sciencewhiz
I'm too lazy to unregister the service, reboot so it's not running, then upgrade, reregister, and reboot again. Is there an easier way? When I upgraded from 2.02 to 2.04, I just replaced the executable, and the next time that I rebooted, it wasn't running.


I can't really test this now, but you should at least be able to use the Ctrl-Alt-Del window to close the TiVoCrack process, then de-register, upgrade, re-register the exe.

Actually, I'm rather surprised that you can't just kill the process, swap out the executable and be done with it. I'll have to play with that when I have more ready access to my win98 box again.


Posted by EdwinOlson on 11-10-2002 06:40 PM:

Unix code version 2d is now available. It is NOT a necessary update. If 2c is working for ya, then don't sweat this update.

It includes some Makefile fixes based on suggestions from the forum.

It also includes a 0.7% performance improvement. Woopie.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Lightn on 11-10-2002 08:26 PM:

EdwinOlson:
Have you looked at the asm code embeem posted? I'm getting about a 15% speedup over 2d, but I think on newer cpus you will see more. There are a couple strange needs for the code, would you like me to send you a patch?


Posted by EdwinOlson on 11-10-2002 09:22 PM:

I only poked at it a little bit, but had trouble getting nasm to produce a .o I could link to with gcc... If you got it to work, by all means-- let me know (and tell me how)! In any event, I may give it another shot later on.

-Ed


quote:
Originally posted by Lightn
EdwinOlson:
Have you looked at the asm code embeem posted? I'm getting about a 15% speedup over 2d, but I think on newer cpus you will see more. There are a couple strange needs for the code, would you like me to send you a patch?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by embeem on 11-10-2002 10:12 PM:

Linking NASM code --

It wasn't hard to get the asm version going, just change the SEGMENT macros to 'SECTION .text align=32' and 'SECTION .data align=32' respectively. The code provides a '_sha1(message, length, digest)' with the requirements that message be writable and padded by 72 bytes and digest be padded to 320 bytes for temporary storage.

Since you seem to like c++:

extern "C" {
extern char * _sha1(unsigned char * msg, unsigned long len, void * dgst);
}

....

nasm -f elf sha1.asm -o sha1.o
g++ program.c sha1.o -o program

...

If you don't mind bswapping the target hash you can shave a few cycles by commenting out the calls to bswap near the write and write2 labels.

(do you really need a patch?)

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK
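An added C example (not embeem's sha1.asm and not the client's own code): a portable reference SHA-1, a wrapper that honours the padded-buffer contract embeem describes for _sha1(message, length, digest), and a known-answer self-test to run against any replacement implementation before it goes out to a cluster (Ed and Lightn reporting opposite speed results for the same asm is a good reason to verify rather than assume). The sha1_fn type, the MSG_PAD/DGST_PAD names and the assumption that the digest occupies the first 20 bytes of the scratch area are mine, not taken from the asm.

```c
/* Added example, not code from the TiVoCrack client or from embeem's sha1.asm:
 * a portable reference SHA-1 and the known-answer check to run before trusting a
 * faster replacement.  The padded-buffer contract embeem describes for _sha1() is
 * mirrored by sha1_fn/sha1_checked() (assumed: digest = first 20 scratch bytes). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MSG_PAD  72    /* writable slack the asm routine needs after the message */
#define DGST_PAD 320   /* scratch the asm routine needs in the digest buffer */

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* One 64-byte compression step of SHA-1. */
static void sha1_block(uint32_t h[5], const uint8_t blk[64])
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
               ((uint32_t)blk[4*i+2] << 8) | blk[4*i+3];
    for (int i = 16; i < 80; i++)
        w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Reference SHA-1: pads the message and writes the 20-byte big-endian digest. */
void sha1_ref(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t buf[128]; size_t i = 0, rem, pad;
    for (; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    rem = len - i;                          /* 0..63 bytes left over */
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    pad = (rem < 56) ? 64 : 128;            /* must leave 8 bytes for the bit length */
    memset(buf + rem + 1, 0, pad - rem - 1);
    for (int j = 0; j < 8; j++) buf[pad - 1 - j] = (uint8_t)(((uint64_t)len * 8) >> (8 * j));
    sha1_block(h, buf);
    if (pad == 128) sha1_block(h, buf + 64);
    for (int j = 0; j < 5; j++)
        for (int k = 0; k < 4; k++) out[4*j + k] = (uint8_t)(h[j] >> (24 - 8*k));
}

/* The extern "C" _sha1(message, length, digest) shape from embeem's post. */
typedef void (*sha1_fn)(unsigned char *msg, unsigned long len, void *dgst);

/* Adapter: drive the reference through the same calling convention. */
static void ref_as_asm(unsigned char *msg, unsigned long len, void *dgst) { sha1_ref(msg, (size_t)len, (uint8_t *)dgst); }

/* Honour the routine's contract: it gets a writable copy of the message with
 * MSG_PAD bytes of slack (a string literal or tightly sized buffer would be an
 * out-of-bounds write) and DGST_PAD bytes of digest scratch.  0 on success, -1 if OOM. */
int sha1_checked(sha1_fn fn, const uint8_t *msg, size_t len, uint8_t out[20])
{
    unsigned char *m = malloc(len + MSG_PAD), *d = malloc(DGST_PAD);
    if (!m || !d) { free(m); free(d); return -1; }
    memcpy(m, msg, len);
    memset(m + len, 0, MSG_PAD);
    fn(m, (unsigned long)len, d);
    memcpy(out, d, 20); free(m); free(d);
    return 0;
}

/* Lowercase hex of a 20-byte digest into hex[41]. */
void digest_to_hex(const uint8_t dg[20], char hex[41])
{
    static const char hd[] = "0123456789abcdef";
    for (int i = 0; i < 20; i++) { hex[2*i] = hd[dg[i] >> 4]; hex[2*i+1] = hd[dg[i] & 15]; }
    hex[40] = '\0';
}

/* The client's core test, via the checked wrapper: SHA-1(msg) == target hex?  1 if so. */
int sha1_hex_matches(sha1_fn fn, const char *msg, const char *target_hex)
{
    uint8_t dg[20]; char hex[41];
    if (sha1_checked(fn, (const uint8_t *)msg, strlen(msg), dg) != 0) return 0;
    digest_to_hex(dg, hex);
    return strcmp(hex, target_hex) == 0;
}

/* Known-answer test; the 56-byte vector forces the two-block padding path.  1 if all match. */
int sha1_selftest(sha1_fn fn)
{
    static const struct { const char *msg, *hex; } v[] = {
        { "",    "da39a3ee5e6b4b0d3255bfef95601890afd80709" },
        { "abc", "a9993e364706816aba3e25717850c26c9cd0d89d" },
        { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
                 "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
    };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++)
        if (!sha1_hex_matches(fn, v[i].msg, v[i].hex)) return 0;
    return 1;
}
```

To try a real drop-in, link the nasm -f elf object as embeem shows, cast the extern "C" _sha1 to sha1_fn and pass it to sha1_selftest(); a 0 means the padding or the byte order (the bswap near the write labels) is off, and the vectors make that visible before any work unit is burned on a wrong digest.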


Posted by EdwinOlson on 11-11-2002 01:29 PM:

If you haven't migrated your machines to the 2.0 client, please do so.

Thanks!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by EdwinOlson on 11-11-2002 01:39 PM:

I tried the patches that Josha Foust sent me that include the assembly version of sha1.

Applying them resulted, at least on my machine, in a significant decrease in performance of about 13%... Kind of a bummer. But a testament, I suppose, to how decent the openssl implementation is!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by adavidw on 11-11-2002 04:06 PM:

quote:
Originally posted by EdwinOlson
If you haven't migrated your machines to the 2.0 client, please do so.

Thanks!

-Ed




When will work units stop being served to the old clients?

-Aaron


Posted by mstroh on 11-11-2002 05:13 PM:

Edwin,

At some point all of the Tivo Community Users will be switched to the new clients and the new server, how many people will still be using the old client/server at that point? They will likely be /.ers, etc. who do not regularly visit this board to know about the new client/server.

Do you think that rather than completely shutting down that operation and potentially losing some boxes that you could start sending longer sequences to search to the old clients? (Like 14-15 characters) That way, at least we wouldn't completely lose those boxes, at least until a new press release or /. article is posted. I'm not sure how many boxes would fall into this category, but I'm sure it couldn't hurt.


Posted by rbiro on 11-11-2002 05:28 PM:

quote:
Originally posted by barclay
And 2.05 is available.

Please upgrade to this one as soon as possible, as this fixes a bug with the way units are reported to the server (don't worry, nothing should be lost, this will just make it so Edward doesn't have to fix anything that's reported by hand)



When I try to run the service, TivoCrack 2.05 crashes immediately. Both on Win2K and Winnt4. As regular apps they start normally. I've tried with and without the settings.txt file.
It crashes before the logfile gets written to. Nor is there any extra info in the EventViewer.


Posted by barclay on 11-11-2002 05:37 PM:

quote:
Originally posted by rbiro
When I try to run the service, TivoCrack 2.05 crashes immediately. Both on Win2K and Winnt4. As regular apps they start normally. I've tried with and without the settings.txt file.
It crashes before the logfile gets written to. Nor is there any extra info in the EventViewer.



Anyone else running it as a service under Win2k or NT4?

I'll probably try to install Win2K to see if I can get it to crash as well and diagnose the problem.


Posted by TivoChris on 11-11-2002 05:43 PM:

Changing the string

Wouldn't it be possible to just change the string back to the old hashed string that we already know the code for? Just a thought.

__________________
I'm gonna make him an offer he can't refuse.


Posted by rbiro on 11-11-2002 05:53 PM:

quote:
Originally posted by barclay
Anyone else running it as a service under Win2k or NT4?

I'll probably try to install Win2K to see if I can get it to crash as well and diagnose the problem.



I'm now trying to run it through the debugger, but I haven't figured out how to attach the debugger to a service.

But by building in debug mode, I found the line where it seems to happen.
In tivocrack.cpp where it uses fgets to parse the service command line option it asserts that
fgets.c, line 60, expression: str != NULL
If I try to go into the debugger there, all I can do is get to the assembly for fgets.

My settings.txt file contains:
urbiro r

Does anyone know how to start a service through the debugger? Since the app crashes so quickly, on startup, I can't just attach the debugger to the process.


Posted by StanSimmons on 11-11-2002 06:03 PM:

I have it running as a service on about 130 Win2K machines. Barclay, I can give you remote access to one of them if that would help.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by colemanr on 11-11-2002 06:08 PM:

quote:
Wouldn't it be possible to just change the string back to the old hashed string that we already know the code for? Just a thought.


See page 3:

quote:
Originally posted by subuni
Well, I decided to go buy a S2 tonight. I bought the 80 hour unit, to make sure I'd have 3.2 installed. I replaced the 3.2 hash with the one from 3.0 (5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B). Now when I use the "3 0 BC" code, backdoors are enabled (see the attached picture).

So, Otto probably has the right idea....

__________________
Rob


Posted by barclay on 11-11-2002 06:12 PM:

quote:
Originally posted by rbiro
fgets.c, line 60, expression: str != NULL


Random Guess: What path are you running TiVoCrack from?


Posted by tube013 on 11-11-2002 07:03 PM:

Can somebody post an OS X (10.2) binary of version 2? I want to put the client on my dad's iMac, but don't have any of the developer tools installed, so I can't compile from source.

thanks.


Posted by rbiro on 11-11-2002 07:26 PM:

quote:
Originally posted by barclay
Random Guess: What path are you running TiVoCrack from?


Files reside in:
C:\Temp\TivoCrack

Full Path to TivoCrack.exe
C:\Temp\TivoCrack\TivoCrack.exe


Posted by lmurray on 11-11-2002 07:39 PM:

quote:
Originally posted by tube013
Can somebody post an OS X (10.2) binary of version 2? I want to put the client on my dad's iMac, but don't have any of the developer tools installed, so I can't compile from source.

thanks.



Attached is a compiled version for MacOSX w/ source of course.

I used the following CFLAG line in the Makefile:

CCFLAGS = -O2 -Dsocklen_t=int -mdynamic-no-pic -mcpu=7450 -mmultiple -O2

enjoy
-lloyd-

P.S. this is client version 2d.


Posted by imadork on 11-11-2002 07:49 PM:

quote:
Originally posted by lmurray
I used the following CFLAG line in the Makefile:

CCFLAGS = -O2 -Dsocklen_t=int -mdynamic-no-pic -mcpu=7450 -mmultiple -O2

enjoy
-lloyd-



So, if you add -Dsocklen_t=int to the compiler options in the makefile then you don't have to modify that header file in the source code? Sweet!

(Can you guess that I don't write software for a living...)


Posted by tube013 on 11-11-2002 07:59 PM:

quote:
Originally posted by lmurray
Attached is a compiled version for MacOSX w/ source of course.

I used the following CFLAG line in the Makefile:

CCFLAGS = -O2 -Dsocklen_t=int -mdynamic-no-pic -mcpu=7450 -mmultiple -O2

enjoy
-lloyd-



Works great thanks.


Posted by merced on 11-11-2002 08:21 PM:

Anyone else experimenting with HP-UX? Here's where I've been able to get so far using /usr/local/bin/make:

HP-UX B.11.11 U 9000/785

Makefile
LIBS = -lssl -lcrypto -lnsl

It compiles cleanly (no errors) as long as the correct libraries are installed. It benches just fine. It also works perfectly in local mode. It seg faults in remote mode...Any ideas??


Posted by barclay on 11-11-2002 08:44 PM:

Without going into too much, it looks like I got on too many people's radar working on this project, so I'm going to pull out. I really don't want to get in any hot water related to this project. This is related to where I work, so there's no need for anyone else out there to be concerned. Finding the back door code is fun and all, but I’d much prefer a paycheck.

This will be my last comment on this project, either on the forum, or in email. Best of luck to you all.


Posted by StanSimmons on 11-11-2002 08:52 PM:

Install remotely on Win2K machines

Attached is a zip file that contains the tools and batch files that I used to install Barclay's windows client on 140 Windows 2000 machines. The 71,524 byte remoteinstall.zip file contains Barclay's v2.05 client, a readme.txt file with a link to PSTools for Win2K, some batch and text files.

I know that it is a crude and ugly setup, but the tools were free and I was hoping that we would have the code by now, so I just did it quick and dirty...

Enjoy!

Thank you Barclay for all of your hard work. I couldn't have added near the horsepower to this project without your Windows Client.

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by sbourgeo on 11-11-2002 08:52 PM:

quote:
Originally posted by barclay
Without going into too much, it looks like I got on too many people's radar working on this project, so I'm going to pull out. I really don't want to get in any hot water related to this project. This is related to where I work, so there's no need for anyone else out there to be concerned. Finding the back door code is fun and all, but I’d much prefer a paycheck.

This will be my last comment on this project, either on the forum, or in email. Best of luck to you all.



barclay, thanks for all of your hard work.

Since I mostly live in the UNIX world, I learned a lot from looking through your source code.


Steve

__________________
"Gimme that booze ya little pumpkin-pie haircutted freak!"


Posted by bsnelson on 11-11-2002 09:09 PM:

barclay, thanks for all of your hard work, and even if we never find the password, we had a great time!

(and a big razzie to whomever got you into trouble!)

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by dswallow on 11-11-2002 10:13 PM:

Does anyone have barclay's most recent distribution that includes source code? The last I downloaded was 2.00; I think he was up to 2.05 before he bowed out and removed his web page with the download.

If someone can email me a copy to me at doug@2150.com I'll place it on my server so it's available to all.

I'll update this message when I get one, so don't worry about me getting multiple copies; just send one if this message doesn't say I already got it!

--got it-- thanks

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by rbiro on 11-11-2002 10:18 PM:

quote:
Originally posted by dswallow
Does anyone have barclay's most recent distribution that includes source code?


StanSimmons has everything zipped up, including I'm assuming the source as well as executable.


Posted by dswallow on 11-11-2002 10:24 PM:

quote:
Originally posted by rbiro
StanSimmons has everything zipped up, including I'm assuming the source as well as executable.


I'd looked in the remoteinstall.zip file he posted; no source code there.

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by Cletus on 11-11-2002 10:27 PM:

I have it at work; unfortunately I'm at home now so I cannot post it. If no one else has it, I'll put it someplace tomorrow.

__________________
If you can't beat'em... pay someone to do it.


Posted by Cletus on 11-11-2002 10:33 PM:

I found it at home as well, complete with source code. I've added a copy of the web page to the archive. The page was saved when 2.03 was released, but it's still valid info.

Can't figure out how to attach a file to a previous post, so I'm making a new one.

__________________
If you can't beat'em... pay someone to do it.


Posted by Spire on 11-11-2002 10:35 PM:


TiVoCrack 2.05 with source code included.


Posted by GarySargent on 11-12-2002 11:43 AM:

For those that are still trying their own combinations instead of using brute force, here's something to try....

It would appear from the brute force attacks that the string is reasonably long. This being the case, it's likely that the string is simple to make it easy to enter - possibly all numbers (TiVo's phone number?!).

Numbers are much easier to enter than letters as they can be entered directly with a remote - has anyone tried brute forcing just numbers?

Also maybe the code is something like "AAAAAAAAAAAAAAA" or similar with numbers added.

I very much doubt the code would be "AHFGCIEL23ISAQPX" as this would be both very hard to remember, and hard to enter.

I've also mentioned this once but not got a response - did anyone try SHA-1'ing a dictionary?

__________________
http://www.tivoportal.co.uk » Everything you need to know about TiVo in the UK.
http://www.tivofaq.co.uk » Frequently Asked Questions.
http://www.tivonews.co.uk » TiVo UK Newsletters.
http://www.tivobugs.co.uk » List of current bugs and problems.


Posted by EdwinOlson on 11-12-2002 01:13 PM:

Yes, I've tried a dictionary.

Yes, I've tried just numbers. The problem is just one out-of-dictionary character and your search won't find it. If you want to include "a few" letters, you're still in trouble. We're pretty sure the combo is at least 10 chars long. Even with a limited alphabet of, say, 12 characters, the search space starts getting awfully big around 9 characters. That said, I encourage you to play around with it.

Once we finish 10+0, I'm open to suggestions of which space to search, because I doubt that attacking 11+0 is really reasonable.

Note that the unix version can take cases from stdin. If you want to pipe in some possibilities, it can handle it fairly well.

-Ed

quote:
Originally posted by GarySargent

I've also mentioned this once but not got a response - did anyone try SHA-1'ing a dictionary?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Stubtify on 11-12-2002 01:41 PM:

While I agree that it does seem likely it is a simple word or pattern I also see that said pattern could be almost anything, and as stated even one added space or number after a word makes the search all that more infinite (practically) from a brute force standpoint. Even an insanely long dictionary wouldn't help. And in the event that it is "Purplemonkeydishwasher" or something using the whole space, we're hosed so... I was wondering:

What is the likelihood of Tivo telling us? What do they gain from not releasing this information? I understand the 30 second skip problem which could arise, but seriously? Wouldn't someone on the inside offer up the phrase? Or maybe a "search 12 letter words starting WE and ending 234" tip thus breaking things down into manageable areas? I guess it might be wishful thinking but I don't see why it can't be leaked... the world has gotten its hands on much more sensitive data in the past through "sources," why not now?

Thanks to everyone who's worked so hard on this...


Posted by gregstoll on 11-12-2002 02:53 PM:

quote:
Originally posted by Stubtify

What is the likelihood of Tivo telling us? What do they gain from not releasing this information? I understand the 30 second skip problem which could arise, but seriously? Wouldn't someone on the inside offer up the phrase? Or maybe a "search 12 letter words starting WE and ending 234" tip thus breaking things down into manageable areas? I guess it might be wishful thinking but I don't see why it can't be leaked... the world has gotten its hands on much more sensitive data in the past through "sources," why not now?



I believe the issue is that the big switch to release 3.2 to everyone has not been flipped yet, and they are presumably monitoring reports from 3.2 users about things that don't work. Enabling the backdoor code probably screws that up, since it's not officially supported. (that seems to be the general consensus, anyway...)


Posted by EdwinOlson on 11-12-2002 03:02 PM:

And anyway, the search is fun!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by cica on 11-12-2002 03:38 PM:

I've been keeping an eye on TiVoPony's posts. I'm sure he's not going to just give the password away, but he's usually very helpful.

One of his posts mentioned:

quote:
A * is entered by using the slow motion button


This was taken out of context, as it only applies to wishlists, but is it possible to enter this character in the search by name screen? If so, this might be a hint.

-Tom


Posted by embeem on 11-12-2002 03:47 PM:

quote:
Originally posted by cica

This was taken out of context, as it only applies to wishlists, but is it possible to enter this character in the search by name screen? If so, this might be a hint.

-Tom



It's impossible to enter anything other than the 0-9 A-Z shown on the grid, also, you can't start with a space.

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by Cletus on 11-12-2002 03:48 PM:

I still think it's worth doing a multi-word dictionary search, I just don't have the time for it.

__________________
If you can't beat'em... pay someone to do it.


Posted by EdwinOlson on 11-12-2002 04:21 PM:

Someone could hack the crack executable (used for guessing unix passwords) to feed into SHA1. That would be a useful experiment...

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by grecorj on 11-12-2002 04:25 PM:

Well, if it's a super-long password we're looking for, and it isn't totally nonsensical like aopiuahoadhfj7lkj, then has anyone tried this (or a variation of it) for fun?

Super Karate Monkey

It's TiVoPony's favorite Title WL (to find the News Radio episode, "Super Karate Monkey Death Car").

__________________
106 hr Philips DSR6000 TiVo
120 hr Hughes HDVR2 TiVo
Stock 40 hr Hughes HDVR2 TiVo -- unsubbed

Looking for news about TiVo? Try TiVoNews


Posted by bobsoron on 11-12-2002 05:12 PM:

Can I suggest something?

The Almost Complete Code List mentions a variety of situations where tech support will step you through a procedure to solve it.

Maybe someone can call tech support, claim to be plagued by one of those scenarios, and have tech support step her or him through the procedure to solve it.

While doing so, maybe said someone could write down said password.

(I'd do it, really, if I had 3.2. Really. I swear.)


Posted by SnakeEyes on 11-12-2002 05:28 PM:

you mean it's not "I Want A Pony"?

__________________
"I've this creeping... suspicion that things here are not as they seem"


Posted by TivoKid on 11-12-2002 05:35 PM:

I read this whole thread. What do I win?
You guys are awesome. I wish I understood 1/millionth of what you guys know. Thanks in advance for all your efforts! I love the codes and appreciate it that I can have the customizable features like changing the delay and offset on the FF, etc., due to the backdoor codes already found.
:::::::::::all hail the Underground::::::::::
signed,
a grateful mere user


Posted by rbiro on 11-12-2002 05:44 PM:

quote:
Originally posted by barclay
Random Guess: What path are you running TiVoCrack from?


I stepped through the code last night and found that fopen was failing, but the code wasn't checking for that error. I added a small change that if the settings.txt file is missing, then it starts with no args.

Hopefully tonight I'll clean it up and add to features:
0) Vaguely graceful error checking on settings.txt file
1) Settings from the registry. HKLM\TivoCrack\2\Parameters
2) Option to output data to EventLog\Application. Remotely monitoring via the Event Log feels easier to me than mounting a share and opening a file.

I'll submit my proposed changes to the TivoCrack authorities.
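An added C example (not barclay's TiVoCrack source) of the defect rbiro traced and the check that fixes it: the settings.txt read with fopen() unchecked, so a missing file hands a NULL FILE* to fgets() (the MSVC CRT's "str != NULL" assertion), next to a version that treats a missing file as "start with no arguments", checks every call and reports failures on stderr so a service with no console still leaves a trace. The settings_t layout, the limits and the file names are assumptions made for this example; the sample line "urbiro r" is the one rbiro posted.

```c
/* Added example, not code from barclay's TiVoCrack: the settings.txt read that
 * rbiro traced (fopen() unchecked, its NULL result handed to fgets(), which the
 * MSVC CRT rejects with "str != NULL") next to a version that treats a missing
 * file as "start with no arguments" and checks every call.  The settings_t
 * layout, limits and file names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define SETTINGS_MAX_ARGS 16
#define SETTINGS_MAX_LINE 256

typedef struct {
    int   argc;
    char *argv[SETTINGS_MAX_ARGS];
    char  line[SETTINGS_MAX_LINE];   /* argv[] entries point into this buffer */
} settings_t;

/* Split s->line on blanks/tabs into s->argv; returns the count. */
static int tokenize(settings_t *s)
{
    s->argc = 0;
    s->line[strcspn(s->line, "\r\n")] = '\0';     /* fgets() keeps the newline */
    for (char *tok = strtok(s->line, " \t"); tok && s->argc < SETTINGS_MAX_ARGS;
         tok = strtok(NULL, " \t"))
        s->argv[s->argc++] = tok;
    return s->argc;
}

/* Before (the defect rbiro stepped through): nothing checks fopen(), so a missing
 * or unopenable settings.txt sends a NULL FILE* into fgets() and the service dies
 * before it has logged anything.  Kept only for comparison; do not call it. */
int load_settings_unchecked(const char *path, settings_t *s)
{
    FILE *f = fopen(path, "r");
    fgets(s->line, sizeof s->line, f);            /* f == NULL -> assert / crash */
    fclose(f);
    return tokenize(s);
}

/* After: a missing file is a normal case (no arguments), every call is checked,
 * and failures are reported so a service with no console still leaves a trace.
 * Returns argc (>= 0); never dereferences a NULL FILE*. */
int load_settings(const char *path, settings_t *s)
{
    s->argc = 0;
    s->line[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f) {
        fprintf(stderr, "settings: cannot open %s, starting with no arguments\n", path);
        return 0;
    }
    if (!fgets(s->line, sizeof s->line, f)) {      /* empty file or read error */
        fclose(f);
        return 0;
    }
    if (!strchr(s->line, '\n') && !feof(f))        /* line longer than the buffer */
        fprintf(stderr, "settings: first line truncated to %d bytes\n", SETTINGS_MAX_LINE - 1);
    fclose(f);
    return tokenize(s);
}

/* Writes the constructed sample line rbiro posted; 0 on success, -1 on failure. */
int write_sample_settings(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    if (fputs("urbiro r\n", f) == EOF) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* Convenience wrappers: how many arguments a file yields, and whether argument
 * idx equals expected (0 when the index is out of range). */
int settings_arg_count(const char *path)
{
    settings_t s;
    return load_settings(path, &s);
}

int settings_arg_is(const char *path, int idx, const char *expected)
{
    settings_t s;
    int n = load_settings(path, &s);
    return idx >= 0 && idx < n && strcmp(s.argv[idx], expected) == 0;
}

int main(void)
{
    settings_t s;
    if (write_sample_settings("settings_example.txt") != 0) return 1;
    printf("%d argument(s) from settings_example.txt\n", load_settings("settings_example.txt", &s));
    printf("%d argument(s) from a missing file\n", load_settings("no_such_settings.txt", &s));
    return 0;
}
```

The same pattern applies to the registry and Event Log variants rbiro proposes: every call that can fail (RegOpenKeyEx, RegisterEventSource) gets checked and the service falls back to defaults instead of dying before its first log line, which is what made this one so hard to debug under the service control manager.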


Posted by kvandivo on 11-12-2002 05:48 PM:

heh heh... heh heh..

Is your computer on TivoCrack?

heh heh... heh heh...

__________________
Everything I say is probably pure speculation.


Posted by cica on 11-12-2002 05:58 PM:

Hi

Does anyone have a binary for Sco Unix Openserver 5? I can't figure out how to compile the source.

Thanks
-Tom


Posted by Cletus on 11-12-2002 06:06 PM:

Most Requested Feature(TM): save state. C'mon!

__________________
If you can't beat'em... pay someone to do it.


Posted by Otto on 11-12-2002 06:29 PM:

quote:
Originally posted by bobsoron
The Almost Complete Code List mentions a variety of situations where tech support will step you through a procedure to solve it.

Maybe someone can call tech support, claim to be plagued by one of those scenarios, and have tech support step her or him through the procedure to solve it.

While doing so, maybe said someone could write down said password.



I can see no scenario in which tech support would tell you to enter the backdoor code. All the bits you're talking about (which never happen anyway) don't require backdoors to actually be turned on.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."


Posted by Lightn on 11-12-2002 06:42 PM:

EdwinOlson:
You might want to try out that assembly sha1 implementation on different CPUs and platforms. Because I'm definitely seeing a speed increase on my K6-2. It might not be a gain on all platforms, but could be on some. And what about the use of the intel compiler? I saw some stats on your page that seems to indicate a speedup using it.


Posted by sbourgeo on 11-12-2002 07:44 PM:

quote:
Originally posted by cica
Hi

Does anyone have a binary for Sco Unix Openserver 5? I can't figure out how to compile the source.

Thanks
-Tom



Ouch!

And I was mildly annoyed getting this to compile and link on Solaris...


Steve

__________________
"Gimme that booze ya little pumpkin-pie haircutted freak!"


Posted by Cletus on 11-12-2002 10:19 PM:

Hmm. Are Intel-compiled binaries really that fast? I would certainly like to try, but the darn compiler won't install, because I don't use an rpm-based distribution. Could someone post their binaries?

__________________
If you can't beat'em... pay someone to do it.


Posted by sbourgeo on 11-12-2002 10:39 PM:

quote:
Originally posted by Cletus
Hmm. Are Intel-compiled binaries really that fast? I would certainly like to try, but the darn compiler won't install, because I don't use an rpm-based distribution. Could someone post their binaries?


Here are mine compiled and linked on Red Hat 7.1 with -march=i686.

It's not statically linked, so I don't know if it'll do you any good.


Steve

__________________
"Gimme that booze ya little pumpkin-pie haircutted freak!"


Posted by spankspank on 11-12-2002 11:10 PM:

quote:
Originally posted by cica
Hi

Does anyone have a binary for Sco Unix Openserver 5? I can't figure out how to compile the source.

Thanks
-Tom



With any port you need to point the ssl sha.h include to the correct place on your machine, i.e.

#include "/usr/include/openssl/sha.h"

For SCO, I had to cast the first bzero arg in SSocket.cpp to (char *).
The Makefile lines are:

CCFLAGS = -O3 -Wall -static -funroll-loops -finline-functions -Dsocklen_t=int
LIBS = -lssl -lcrypto -lsocket

Here is a dclient2d binary for SCO Open Server 5


Posted by Spire on 11-13-2002 02:26 AM:

quote:
Originally posted by Cletus
Most Requested Feature(TM): save state. C'mon!

I was thinking about looking into implementing this, but then I quickly realized that it would potentially open a huge door to cheating. Some safeguards would be necessary to prevent casual users from abusing a save-state feature.


Posted by joker81 on 11-13-2002 04:45 AM:

Using the * key and other keys not available to input.

I don't know if this has been posted yet but:

It is debated whether or not to include the * key. Is it possible that the person who copied the Hash into their 3.2 from 3.0 could check to see if they can get the backdoor enabled in the wishlist part? If they can't then we wouldn't need to worry about the * or other inputs that cannot be entered.


Posted by subuni on 11-13-2002 05:09 AM:

Re: Using the * key and other keys not available to input.

quote:
Originally posted by joker81
I don't know if this has been posted yet but:

It is debated whether or not to include the * key. Is it possible that the person who copied the Hash into their 3.2 from 3.0 could check to see if they can get the backdoor enabled in the wishlist part? If they can't then we wouldn't need to worry about the * or other inputs that cannot be entered.



This was discussed on page 19 of this thread. I entered a known hash into MFS, and was unable to enable backdoors through the Actor, Director, Keyword, and Title Wishlist screens.


Posted by embeem on 11-13-2002 05:44 AM:

Re: Re: Using the * key and other keys not available to input.

quote:
Originally posted by subuni
This was discussed on page 19 of this thread. I entered a known hash into MFS, and was unable to enable backdoors through the Actor, Director, Keyword, and Title Wishlist screens.


And just for kicks I've independently verified this.

The backdoors will not work from the wishlist screen

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by sciencewhiz on 11-13-2002 07:01 AM:

I am getting results of between 530-570 kKeys/s with the intel compiler on my PIII mobile 700. My results with GCC were 520-530 kKeys/s.

I used the options -O3 -tpp6 -xK -ipo.

Linking statically makes a much slower binary, both with ICC and GCC, so a statically linked ICC binary is slower than a dynamically linked binary with GCC, so you are better off compiling on your own.


Posted by Cletus on 11-13-2002 02:14 PM:

quote:
Originally posted by sbourgeo
Here are mine compiled and linked on Red Hat 7.1 with -march=i686.

It's not statically linked, so I don't know if it'll do you any good.


Steve



Thanks! Besides making a couple of symlinks (libraries seem to be named differently on RH than other distributions) it works fine. I even see a 0.5% speed improvement (went from 224kkeys/s to 225 kkeys/s) on a P2/266.

__________________
If you can't beat'em... pay someone to do it.


Posted by DVDerek on 11-13-2002 03:15 PM:

Big Switch

I've seen a lot of talk on the boards about the 3.2 Big Switch (rolling 3.2 out to all customers). I think it's ENTIRELY POSSIBLE that when the big switch is thrown, this hash will change and that the hash is currently unmatchable with the tivo alphabet. I'm leaning in that direction... not a permanent removal of backdoors, just a temporary one while they test out 3.2

__________________
Mozilla Firefox 1.0: Get It. It's Just Better.


Posted by dd9 on 11-13-2002 03:41 PM:

Re: Big Switch

quote:
Originally posted by DVDerek
I've seen a lot of talk on the boards about the 3.2 Big Switch (rolling 3.2 out to all customers). I think it's ENTIRELY POSSIBLE that when the big switch is thrown, this hash will change and that the hash is currently unmatchable with the tivo alphabet. I'm leaning in that direction... not a permanent removal of backdoors, just a temporary one while they test out 3.2


If this were true, they would have to re-upgrade all the existing 3.2 units for this change. That seems unlikely to me.....but who knows?


Posted by cica on 11-13-2002 03:45 PM:

Quick question.

I'm assuming the "m" parameter allows you to ask for several workloads at one time. Does the program still report at the conclusion of each workload, or does it wait to finish all of the queue before reporting? The reason I'm asking is my proxy server went down last night and several machines sat and waited for about 8 hours before I got the service back up.

Could someone verify the behavior of this parameter for me?

Thank you
-Tom


Posted by TreborPugly on 11-13-2002 03:47 PM:

Re: Re: Big Switch

quote:
Originally posted by dd9
If this were true, they would have to re-upgrade all the existing 3.2 units for this change. That seems unlikely to me.....but who knows?


Not such a big deal, if the "little switch" is only 1-5% of the customers.

And the way they distribute updates, can they just send one small file of the upgrade and add it to what they've already sent, then force a reboot and update with the slightly modified code?

__________________
I'm not a Bug, I'm a Feature!


Posted by stahta01 on 11-13-2002 04:05 PM:

quote:
Originally posted by cica
Quick question.

I'm assuming the "m" parameter allows you to ask for several workloads at one time. Does the program still report at the conclusion of each workload, or does it wait to finish all of the queue before reporting? The reason I'm asking is my proxy server went down last night and several machines sat and waited for about 8 hours before I got the service back up.

Could someone verify the behavior of this parameter for me?

Thank you
-Tom



If it does not have a connection, it reports all of them at the end, if it gets a connection before it gives up. I have no idea when it reports if it has an always-on connection.

I am running dial-up and I downloaded 3 WU and went off line and when I reconnected it sent all 3 results according to the log file.

Tim S

__________________
AT&T TiVo Series2 40Hr (130)
TiVo Series2 TCD240080

Sanity is greatly over rated.


Posted by JPriller on 11-13-2002 08:45 PM:

Re: Big Switch

quote:
Originally posted by DVDerek
I've seen a lot of talk on the boards about the 3.2 Big Switch (rolling 3.2 out to all customers). I think it's ENTIRELY POSSIBLE that when the big switch is thrown, this hash will change and that the hash is currently unmatchable with the tivo alphabet. I'm leaning in that direction... not a permanent removal of backdoors, just a temporary one while they test out 3.2

Or that after 3.2 is rolled out, they just let us know what the code is. I know TivoPony said he couldn't tell, but perhaps that's only until the switch gets thrown.

I just can't imagine Tivo going to an unbreakable (for our purposes) code length and not letting the evangelical faithful know what it is. Perhaps they're just making it plain that they CAN make things bloody difficult if they want to.

__________________
WWJKD - what would Jim Kirk do?


Posted by swhobbit on 11-13-2002 09:00 PM:

Re: Re: Big Switch

quote:
Originally posted by JPriller
I just can't imagine Tivo going to an unbreakable (for our purposes) code length and not letting the evangelical faithful know what it is.

All it takes is one good lawyer scaring them about Internet security, warranty or other product liability issues to make the company better secure the box.

They already made the hardware changes to the Series 2 to make software hacking of the box non-trivial.

So welcome to the new TiVo world order. Sorry.

-ahd-


Posted by Cletus on 11-13-2002 09:33 PM:

Re: Re: Re: Big Switch

quote:
Originally posted by swhobbit
All it takes is one good lawyer to scare them about Internet security, warranty or other product liability issues to make the company better secure the box.

They already made the hardware changes to the Series 2 to make software hacking of the box non-trivial.

So welcome to the new TiVo world order. Sorry.

-ahd-



Perhaps. Or maybe they're just toying with us. If they wanted, they _could_ have made things _really_ difficult. Case in point:

1. replacing the hash with the 3.0 one defeats the new password. They could have changed the algorithm, it can't be that hard.

2. Why have a backdoor at all if nobody'll use it? I know, internal testing. But it could be removed on production systems.

Somehow, I get this strange feeling that someone at TiVo is reading my post right now and laughing his ass off.

__________________
If you can't beat'em... pay someone to do it.


Posted by joker81 on 11-14-2002 04:46 AM:

Completing the 8 character namespace

I was looking at the stats and there are 35910 more codes to check on the name space. Why are there still keys out there when the 9 char namespace is almost done and the 10's have started?


Posted by SpamapS on 11-14-2002 08:44 AM:

Firewall-1 issues with linux client?

Has anyone tried using the clients behind a box running Firewall-1 NG with the HTTP security server turned on? It is possible that this is just due to some acls on the firewall, but I am a little perplexed.

When the client makes a request from a box that is behind said firewall, but in a zone configured to not use the HTTP security server (basically a testing and development LAN), things work fine.

When the request is made from a machine in the general population behind the HTTP security server, I get this:

[dclient request]
POST http://edo.lcs.mit.edu/dclient/getwork.php HTTP/1.0
Accept: */*
User-Agent: edHTTPc
Host: edo.lcs.mit.edu
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
USERID=SpamapS&RUNTYPES=TC2

[response generated by FW-1]
HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 84

<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
FW-1 at fw01-noc: Access denied.</BODY>

The request does look valid... though I'd say it's HTTP/1.1, not HTTP/1.0. The only alarming thing to me is that it is posting to the full URL, which FW-1 may be denying as an attempt to proxy...

anyways... thanks to Edwin and Barclay for all the work.... this has been a fun little project to participate in. Go Team SpamapS! ;-)

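The request-line detail SpamapS points at (the full URL in the POST line) is worth seeing concretely. The following is an added example, not code from dclient or from the post: it parses a constructed copy of the captured request (CRLF line endings added), classifies the request target as absolute-form (scheme and host in the request line, the form a client normally sends to a proxy) or origin-form (path only), checks Content-Length against the body, and shows what the origin-form rewrite of the same request looks like. Whether Firewall-1 denies on exactly this basis is the post's guess; the code only shows what a gateway enforcing that rule would see.

```python
"""Classify an HTTP request the way a proxy-aware gateway might.

Added example; not dclient project code. The sample request below is a
constructed copy of the one quoted in the post.
"""
from urllib.parse import urlsplit

# Constructed sample: the dclient request from the post, with CRLF line endings.
DCLIENT_REQUEST = (
    "POST http://edo.lcs.mit.edu/dclient/getwork.php HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "User-Agent: edHTTPc\r\n"
    "Host: edo.lcs.mit.edu\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "USERID=SpamapS&RUNTYPES=TC2"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into request-line fields, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def target_form(target: str) -> str:
    """'absolute' when the target carries scheme and host, 'origin' for a bare path."""
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute"
    if target.startswith("/"):
        return "origin"
    return "other"


def check_request(raw: str):
    """Return (target form, list of findings a strict gateway might raise)."""
    req = parse_request(raw)
    form = target_form(req["target"])
    findings = []
    if form == "absolute":
        findings.append("absolute-form-target")
        host = req["headers"].get("host")
        # An absolute target whose host disagrees with the Host header is suspicious.
        if host and host != urlsplit(req["target"]).netloc:
            findings.append("host-mismatch")
    declared = req["headers"].get("content-length")
    if declared is not None and int(declared) != len(req["body"].encode()):
        findings.append("content-length-mismatch")
    return form, findings


def to_origin_form(raw: str) -> str:
    """Rewrite an absolute-form request line to origin form; Host header stays."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    if not (parts.scheme and parts.netloc):
        return raw
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    _, _, rest = raw.partition("\r\n")
    return f"{req['method']} {path} {req['version']}\r\n{rest}"


if __name__ == "__main__":
    print(check_request(DCLIENT_REQUEST))
    print(to_origin_form(DCLIENT_REQUEST).split("\r\n")[0])
```

On the sample request the only finding is the absolute-form target; the Host header matches the URL and the 27-byte body matches Content-Length, which is consistent with the post's reading that the request itself is well formed.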

Posted by dd9 on 11-14-2002 12:10 PM:

Re: Completing the 8 character namespace

quote:
Originally posted by joker81
I was looking at the stats and there are 35910 more codes to check on the name space. Why are there still keys out there when the 9 char namespace is almost done and the 10's have started?


Probably because if someone had taken a set to check but abandoned it for some reason, it will sit idle for 24 hours before the server determines that it truly has been abandoned and lets someone else grab it. I'm sure there are lots of people running this that don't leave their box on 24/7. When they are done for the day, they shut down and effectively abandon the set they were crunching.


Posted by swhobbit on 11-14-2002 12:17 PM:

Re: Re: Re: Re: Big Switch

quote:
Originally posted by Cletus
... maybe they're just toying with us.


The password wasn't made non-trivial as a joke. TiVo has better things to do than to toy with power users, like showing a profit. No profit, no company.
quote:

If they wanted, they _could_ have made things _really_ difficult. Case in point:

1. replacing the hash with the 3.0 one defeats the new password. They could have changed the algorithm, it can't be that hard.


Replacing the password requires hacking the hard drive, something most people won't do. I can't even do that (I own a Series 2) without hairy hardware modifications.

Hackers would reverse engineer any new algorithm as well.

Security you can't crack even with source code is a basic quality of a secure system. Given a non-trivial password, the SHA1 hash TiVo is using meets that requirement well.
quote:

2. Why have a backdoor at all if nobody'll use it? I know, internal testing. But it could be removed on production systems.


Because then TiVo has to QA the altered system again. Any superior QA department wants to perform the testing on exactly what ships.


Posted by mpulver on 11-14-2002 01:22 PM:

Re: Re: Completing the 8 character namespace

quote:
Originally posted by joker81
I was looking at the stats and there are 35910 more codes to check on the name space. Why are there still keys out there when the 9 char namespace is almost done and the 10's have started?
quote:
Originally posted by dd9
Probably because if someone had taken a set to check, but abandoned it for some reason, it will sit idle for 24 hours before the server determines that it truly has been abandoned and then let someone else grab it.


But... We've all been asked to move to the 2.0 client which is running against the 2.0 server, so... Does the 2.0 server know about these abandoned keys and will it serve them up?


Posted by StanSimmons on 11-14-2002 02:02 PM:

HFC! USCtivo has ~700 machines crunching!

__________________
Stan

"easy as 3.1415926535897932384626433832795028841"
Ask me about Vonage.


Posted by jag111 on 11-14-2002 03:33 PM:

Edit: Due to work pressure, going back into clandestine mode. All for the greater good though. =)


Posted by Cletus on 11-14-2002 03:40 PM:

quote:
Originally posted by StanSimmons
HFC! USCtivo has ~700 machines crunching!


Well, I've got 5 now, so... beware!

__________________
If you can't beat'em... pay someone to do it.


Posted by EdwinOlson on 11-14-2002 04:09 PM:

Re: Re: Re: Completing the 8 character namespace

quote:
Originally posted by mpulver

But... We've all been asked to move to the 2.0 client which is running against the 2.0 server, so... Does the 2.0 server know about these abandoned keys and will it serve them up?



Of course. But it's *not* a hard 24 hour limit. The old blocks get recycled at some point. Not to worry.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Cletus on 11-14-2002 08:27 PM:

Wow, this thread has over 100k views already - soon we'll catch up with the "complete codes list" thread, which has been running much, much longer.

24h limit, huh? Guess I can stop dusting off this pile of 486 machines that I was planning on throwing in.

__________________
If you can't beat'em... pay someone to do it.


Posted by SpamapS on 11-14-2002 09:07 PM:

Team SpamapS is not just SpamapS(me)

Hey I just wanted to post on here to thank the members of Undernet's #LinuxHelp channel. They've all rallied behind my username, SpamapS, and as you can see, we are charging ahead! I don't know that we'll catch some of you out there with 750+ machines.. but either way.. This is totally fun. I was getting tired of calculating optimal golomb rulers.

As a consolation to the TiVo corporate types... if you guys can (secretly?) pass on the word to somebody involved that we are indeed on the right track... I'll buy a series 2 right away! :-D

#LinuxHelp


Posted by Cletus on 11-14-2002 09:36 PM:

I have a funny problem. I am running the latest clients on a variety of machines, including Linux, W2k and XP. On Windows I run the 2.05 as a service, everywhere. The W2k machines are completely stable with it, but each of the two XP machines experiences random reboots every 2-3h when running the client. I should mention that the 2.05 client is the only thing running on them at that time (and at reduced priority, but it still gets 99% of the CPU because it's the only active process).

It happens every time in the middle of a unit, usually 10-15 minutes into it. There's no clue as to the cause of the reboot in the system or client logs. Both of these machines are very stable otherwise, I've never had them reboot even under heavy load.

__________________
If you can't beat'em... pay someone to do it.


Posted by Gerg on 11-14-2002 11:07 PM:

Question: Why isn't anyone using social engineering to get the backdoor code?

Wasn't the code designed to enable special debugging for Tivo support when certain kinds of problems are being reported by the customer?

-Greg

__________________
Why does man kill? He kills for food.
And not only food: frequently there must be a beverage.
-- Woody Allen, "Without Feathers"


Posted by EdwinOlson on 11-14-2002 11:13 PM:

If someone is interested in becoming the maintainer of the win32 port, contact me. I simply don't have time to work on that too!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by DBordello on 11-15-2002 01:33 AM:

We will miss you, oh king of win32. Thanks for all of your help. I hope you can bounce in every once in a while when you can.

db

__________________
1 happy Phillips DSR6000 TiVo with 108 hours of freedom


Posted by brianld on 11-15-2002 08:53 PM:

http://www.cnn.com/2002/TECH/biztec...r.ap/index.html

Anyone feel like contacting them and asking if they'll run the client on their system?


Posted by Llama on 11-16-2002 12:06 AM:

quote:
Originally posted by Cletus
I have a funny problem. I am running the latest clients on a variety of machines, including Linux, W2k and XP. On Windows I run the 2.05 as a service, everywhere. The W2k machines are completely stable with it, but each of the two XP machines experiences random reboots every 2-3h when running the client. I should mention that the 2.05 client is the only thing running on them at that time (and at reduced priority, but it still gets 99% of the CPU because it's the only active process).


My first guess is that your computers are overheating. A good way to try to detect problems at high loads is to run Linux and compile something big with gcc. This FAQ might be helpful: http://www.bitwizard.nl/sig11/. Running dclient at nice=19 while you compile will keep the CPU hot while it's waiting for disk IO, for extra stress.

If your hardware supports temperature sensing, use that to see how hot your CPU/mobo is. This is the kind of problem overclockers run into, but even if you aren't overclocking, you might need extra cooling. Also check out http://www.memtest86.com/ to give your RAM a thorough checkup.

quote:

It happens every time in the middle of a unit, usually 10-15 minutes into it. There's no clue as to the cause of the reboot in the system or client logs. Both of these machines are very stable otherwise, I've never had them reboot even under heavy load.



If you've never had this problem with something else that makes your CPU hot, like distributed.net's client, then maybe it isn't hardware. If your other high loads have included a lot of memory access, then your CPU wouldn't have gotten as hot. CMOS logic only uses power when transistors switch from on to off, and waiting for memory doesn't make many transistors active.

Hope this helps

__________________
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC


Posted by Cletus on 11-16-2002 01:38 AM:

quote:
Originally posted by Llama
My first guess is that your computers are overheating. A good way to try to detect problems at high loads is to run Linux and compile something big with gcc. This FAQ might be helpful: http://www.bitwizard.nl/sig11/. Running dclient at nice=19 while you compile will keep the CPU hot while it's waiting for disk IO, for extra stress.


Not likely. These machines have been made by hand by me, and tested thoroughly. They both have enough cooling for overclocking, but are not overclocked. One of them is multi-boot (a kind of Frankenstein really, no less than 6 OS on it). This same machine is running the Windows client completely stable in W2k. And it also doesn't crash when I compile both the kernel and glibc simultaneously AND running the client at the same time in Linux.

No, there's something particular about the combination of XP + the Windows client. The pattern is very reproducible: the first 2 units get finished, the third crashes after 10-15 minutes; reboot, no time off to cool the CPU or anything and on to more cracking; again the next 2 units get finished, the third crashes. That's a total of roughly 2h between reboots.

__________________
If you can't beat'em... pay someone to do it.


Posted by dr_mal on 11-16-2002 02:51 AM:

FWIW, both my WinME and WinXP boxes crashed last night after installing the 2.05 client earlier on. The WinME box is a little flaky, granted, but the XP box hadn't needed a boot for quite some time before last night. Prior to running the TiVoCrack app, they were both running the UD Ligandfit program, so I don't think it's the load issue.

__________________
Read everything the good Doc wrote.


Posted by mstroh on 11-16-2002 06:32 AM:

FWIW, I have it running on 2 Win98 boxes and 1 XPPro box. Since upgrading to the 2.05 client I have not had any problems on the XPPro box.


Posted by mstroh on 11-16-2002 01:12 PM:

quote:
Originally posted by Cletus
Wow, this thread has over 100k views already - soon we'll catch up with the "complete codes list" thread, which has been running much, much longer.


Well, the codes list has been running since 5/15 (154K views) and this thread has been running since 10/17 (103K views). By my rough, off the top of my head, calculations this thread should surpass the code list in two to three weeks.

Very, very interesting. Guess it shows the desires and wants of the community.

Although, it would be nice if the thread would be updated so I don't need to read 18 pages just to find out what all of the codes are, which are mostly meaningless to me until we know this code since I have an S2.


Posted by dd9 on 11-16-2002 02:46 PM:

quote:
Originally posted by mstroh
Although, it would be nice if the thread would be updated so I don't need to read 18 pages just to find out what all of the codes are, which are mostly meaningless to me until we know this code since I have an S2.


The codes thread is updated by Otto in the very first post as new codes are discovered. No need to wade through the entire post.


Posted by dd9 on 11-16-2002 02:50 PM:

quote:
Originally posted by StanSimmons
HFC! USCtivo has ~700 machines crunching!


Hmmm. Something seems to have happened to most of his clients. He was getting over 200 points/sec, but now is down to about 70. He "only" has 81 IP addresses now as compared to over 700 a few days ago.


Posted by blueshoo on 11-16-2002 03:21 PM:

quote:
Wow, this thread has over 100k views already - soon we'll catch up with the "complete codes list" thread, which has been running much, much longer


On Nov 2nd there was a Slashdot link to this thread, which could've easily brought in 100k views..

http://slashdot.org/article.pl?sid=...=thread&tid=129


Posted by Cletus on 11-16-2002 03:56 PM:

quote:
Originally posted by mstroh
Well, the codes list has been running since 5/15 (154K views) and this thread has been running since 10/17 (103K views). By my rough, off of the top of my head, calculations this thread should surpass the code list in two-three weeks .

Very, very interesting. Guess it shows the desires and wants of the community.

Although, it would be nice if the thread would be updated so I don't need to read 18 pages just to find out what all of the codes are, which are mostly meaningless to me until we know this code since I have an S2.



Actually, that thread was moved here some time ago, it was running for quite a while (don't remember exactly, about a year and a half) in another part of this board called "tips and tricks", which was discontinued; the thread was saved because it was important. So, it has been running much longer than it appears.

Note: oh yeah, look at the year. 5/15, right, but 2001.

__________________
If you can't beat'em... pay someone to do it.


Posted by Llama on 11-16-2002 05:21 PM:

quote:
Originally posted by Cletus

No, there's something particular about the combination of XP + the Windows client. The pattern is very reproducible: the first 2 units get finished, the third crashes after 10-15 minutes; reboot, no time off to cool the CPU or anything and on to more cracking; again the next 2 units get finished, the third crashes. That's a total of roughly 2h between reboots.



Hmm. Reproducibility is a good sign that it's _not_ a flaky hardware problem, so I suppose my first guess was wrong. Well, hang a horseshoe over your computer, and sacrifice a goat to the gods of proprietary and closed source software.

__________________
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC


Posted by EdwinOlson on 11-16-2002 07:35 PM:

As an experiment, you could try running the unix client in cygwin. It should stress the CPU pretty much the same.

In general, though, a sudden reboot is probably indicative of some sort of hardware issue. It could be bad ram, overheating CPU, or a bad power supply.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Cletus on 11-16-2002 09:45 PM:

quote:
Originally posted by EdwinOlson
As an experiment, you could try running the unix client in cygwin. It should stress the CPU pretty much the same.

In general, though, a sudden reboot is probably indicative of some sort of hardware issue. It could be bad ram, overheating CPU, or a bad power supply.

-Ed



I have. It does not cause reboots (but performance is poorer than the native win32 app).

__________________
If you can't beat'em... pay someone to do it.


Posted by Stubtify on 11-17-2002 01:29 AM:

hmm I run XP and the client on three machines and don't have any problems with reboots etc. I notice higher heat than idle, but that is expected, it never goes too too high on my machine (the hottest of the three).

Don't know if it matters but we're running all different chips: amd, P4, and P3 as well as both XP home and Pro...


Posted by ADent on 11-17-2002 04:13 AM:

quote:
Originally posted by Cletus
Wow, this thread has over 100k views already - soon we'll catch up with the "complete codes list" thread, which has been running much, much longer.



How long until we catch up to this thread: http://www.tivocommunity.com/tivo-v...&threadid=75379 ? It has over 200,000 views and hasn't been slashdotted (AFAIK). It started 10 SEP 2002

----

Anybody compile a true Mac client (ie Mac OS 8/9)?


Posted by TheAmigo on 11-17-2002 04:23 AM:

keyspace suggestion

Looking at the past tendency to use multiple spaces in the password, here's something else we might try.

It looks like we're pretty much done searching 9+0 and I don't recall how many other variations (e.g. 8+1, 8+2, etc) were searched.

In my own notes, I made imaginary functions called w(x,y) where w(20,6) would be all of the 20 char strings with 6 alphanumerics and 14 spaces. So w(9,8) is how I would write 8+1... it's a 9 char string where 8 are not spaces. Then I went further to use a capital W to mean all the variations leading up to 20 char strings. So W(6) = w(6,6) + w(7,6) + w(8,6) + ... + w(20,6). In simpler terms, W(6) means all passwords from 6 to 20 chars with exactly 6 letters and numbers, but anywhere from 0 to 14 spaces mixed in with them.

By my calculations, given the current amount of CPU power working on the project, we should be able to check all of W(6) in just under a week.

However, searching W(7) is just over 100 times harder than W(6) so it would take about 2 years rather than a week.

Ed, would this be possible with the current client? Since 9+0 encompasses 6+3, is it possible for you to add 6+4 ... 6+14 as 11 extra search-spaces without modifying the current client?

__________________
--The Amigo


Posted by Llama on 11-17-2002 09:16 AM:

Re: keyspace suggestion

quote:
Originally posted by TheAmigo

would this be possible with the current client? Since 9+0 encompasses 6+3, is it possible for you to add 6+4 ... 6+14 as 11 extra search-spaces without modifying the current client?



The client gets a pattern, which can be something like "? ?? ? ? ? ? ?" if you want it to be. The client also gets a seed, which tells it what to use for the first seedlen question marks in the pattern. So if seed="ABC", applying it to the pattern would give "A BC ? ? ? ? ?". The client code is fully generalized to handle arbitrary pattern lengths and arbitrary wild-card placement, so this would work.

BTW, nice work on the non-recursive loop, Ed. Even with the gotos to scare away the wimps. I compiled the client with -pg, and the profiler output indicates that for a 2:41 minute run, 5.28 seconds of execution time were used in Cracker::searchpattern_nonrec. (My openssl library wasn't compiled with -pg, so only time spent not doing SHA1 is counted. There is some overhead in the library SHA1 implementation, since it's a general implementation that doesn't take advantage of the fact that our max string length + mandatory padding (by SHA1) is less than SHA1's block size (64 bytes).)

I've modified the client to renice itself to 19 (minimum priority). I was going to make this a command line option, but I think it would just be clutter and featuritis in the interface for everyone except people working on the code. I've got code now such that you can choose at compile time whether to provide a command line control for it or not, but that's even more clutter in the code, if less in the interface. The reason I mention this here is to solicit feedback on whether the client should automatically go to idle priority (except in benchmark mode), or whether you should be able to tell it what priority to use (still with default=idle).

This patch also improves the makefile (unlike my last patch, which just had my own stuff in the Makefile and probably wasn't useful). I've tested it on a GNU and a Solaris system (using Solaris's /usr/ccs/bin/make, not GNU make. I've avoided GNUisms for portability, but the code doesn't compile with SUN's Workshop compiler: CC: Sun WorkShop 6 update 2 C++ 5.3 2001/05/15. It barfs on the template, as well as something about a const char* to char* assignment in httppost (via strstr). I've never done stuff with C++ templates, so if someone else can look into this, it would be good.).

happy hacking,

PS: I've found that using -funroll-loops actually makes dclient version 1 slower. (I forgot to test for v2, but I would recommend not unrolling loops.) It spends all its time in SHA1 anyway, so taking up more I-cache space at the expense of slightly more branch overhead is obviously not a good tradeoff.

__________________
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC


Posted by joker81 on 11-17-2002 10:49 AM:

Re: Completing the 8 character namespace

quote:
Originally posted by joker81
I was looking at the stats and there are 35910 more codes to check on the name space. Why are there still keys out there when the 9 char namespace is almost done and the 10's have started?



It's been almost 72 hours since my original post, and I haven't really seen any change in the stats for the 8 character namespace, except that they're shown as xxx times 10^6 so we don't get an exact number.

Someone said that these units would be redistributed in a padded 24 hours. I would think that after 72 there would be a lot more done.

Someone else suggested that with the upgrade to a newer version maybe these aren't gonna be distributed.

The chance that the code is in the missing 8 char keys is low. But since it would be so quick to even redo all of the 8's if we don't know what the missing codes are, I think it's important to get them just to see.


Posted by coldtoes on 11-18-2002 03:10 AM:

quote:
Originally posted by ADent
How long until we catch up to this thread: http://www.tivocommunity.com/tivo-v...&threadid=75379


Well, longer, now that you linked it here, due to folks like me who just have to go see what it is.


Posted by dd9 on 11-18-2002 01:53 PM:

On the stats page, there is a claim (currently) that we have all used:

"We've used about 17 years, 161 days, 14 hours and 0 minutes of CPU time."

What is that number based on? What type of CPU is being assumed for this baseline?


Posted by EdwinOlson on 11-18-2002 02:09 PM:

It's based on a machine which scores 1 point per second, which is a slightly faster than average machine. (I believe it was a P-III 1.3GHz).

So we've probably used quite a lot more than that, considering most machines are slower than that!

quote:
Originally posted by dd9
On the stats page, there is a claim (currently) that we have all used:

"We've used about 17 years, 161 days, 14 hours and 0 minutes of CPU time."

What is that number based on? What type of CPU is being assumed for this baseline?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by cica on 11-18-2002 05:29 PM:

Based on the 20 pages of posts, and our lack of success, I'm beginning to think that a key sequence was added that will enable the entry of a non-standard character to the screen. IOW, maybe a Select-Play-Select option will add the % character to the search by title screen. This would still allow the 3.0 hash to work without special codes, but would allow entry of a non-alpha numeric character to enable the 3.2 hash to work.

Any way of verifying this?

-Tom


Posted by CraigEagle on 11-18-2002 08:04 PM:

quote:
Originally posted by cica
Based on the 20 pages of posts, and our lack of success, I'm beginning to think that a key sequence was added that will enable the entry of a non-standard character to the screen. IOW, maybe a Select-Play-Select option will add the % character to the search by title screen. This would still allow the 3.0 hash to work without special codes, but would allow entry of a non-alpha numeric character to enable the 3.2 hash to work.

Any way of verifying this?

-Tom



It is also possible that once the "Big Switch" gets flipped for the 3.2 release and everyone gets it, they might change the code to something usable. We still don't know when that is going to happen.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by tube013 on 11-18-2002 11:56 PM:

Say the hash changes when a switch is thrown.... Say the hash changes to something we've already searched. Is the server keeping a database/log of what has been searched and the results, i.e. is the server saving the results? Or would we have to start all over if the hash changes? Sorry if this has been covered already.


Posted by Spire on 11-19-2002 12:11 AM:

quote:
Originally posted by tube013
Is the server keeping a database/log of what has been searched and the results.


It is not feasible to do this, as it would take too much space.


Posted by Cletus on 11-19-2002 12:19 AM:

If the hash changes when the switch is thrown, we have to start over no matter what we did so far. It's irrelevant if a list of "searched" units exists or not.

__________________
If you can't beat'em... pay someone to do it.


Posted by subuni on 11-19-2002 12:39 AM:

quote:
Originally posted by tube013
Say the Hash changes with a switch is thrown.... Say the hash changes to something we've already searched. Is the server keeping a database/log of what has been searched and the results. ie is the server saving the results? or would we have to start all over if the hash changes. Sorry if this has been covered already.


This has been covered/discussed somewhere in this thread. But, I can't recall where and I'm too lazy to find it, so here's my attempt at math.

Each hash is 40 characters long (i.e. 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4). 37 characters are being tested (26 alphabet, 10 numerical, 1 space). If you take a length of 6 characters, there are a total of 2,565,726,409 possibilities (37^6). Multiply that number by 40 (the length of each hash), and you find that 102,629,056,360 bytes (95 gigabytes) would be required to store all of those hashes. Take this a step further to a length of 10 characters, which would have 4,808,584,372,417,849 possibilities (37^10). That would require 192,343,374,896,713,960 bytes (170 petabytes) to store all the possible hashes. Or, the worst case scenario, 37^20 would have 23,122,483,666,661,158,726,686,253,786,801 possibilities, weighing in at 924,899,346,666,446,349,067,450,151,472,040 bytes (765,058,808 yottabytes).

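The storage arithmetic in the post is the standard argument for why a precomputed table over the whole keyspace is not an option, and it is worth having it as a function rather than a calculator session. The following is an added example, not code from the post or from dclient: it reproduces the figures above (the post's gigabyte/petabyte/yottabyte values are binary, 1024-based, units, which is what `humanize` uses) and adds one caveat a practitioner would raise: storing the raw 20-byte SHA-1 digest instead of its 40-character hex form halves the table, which changes none of the conclusions.

```python
"""Storage cost of a full precomputed hash table over the backdoor alphabet.

Added example; not code from the post. Exact integer arithmetic throughout,
so the 37**20 case does not lose precision.
"""

ALPHABET = 37          # 26 letters + 10 digits + space, per the post
HEX_DIGEST_BYTES = 40  # SHA-1 hex string, as the post counts it
RAW_DIGEST_BYTES = 20  # SHA-1 raw digest (the practitioner's caveat)

# Binary units: the post's 95 GB / 170 PB / 765,058,808 YB are 1024-based.
UNITS = ["bytes", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"]


def candidates(length: int, alphabet: int = ALPHABET) -> int:
    """Number of passwords of exactly this length over the alphabet."""
    return alphabet ** length


def table_bytes(length: int, bytes_per_entry: int, alphabet: int = ALPHABET) -> int:
    """Bytes needed to store one stored digest per candidate of this length."""
    return candidates(length, alphabet) * bytes_per_entry


def humanize(n: int):
    """(value, unit) in the largest binary unit that keeps value >= 1.

    Integer division keeps the result exact even for yottabyte-scale inputs.
    """
    idx = 0
    while idx + 1 < len(UNITS) and n >= 1024 ** (idx + 1):
        idx += 1
    return n // 1024 ** idx, UNITS[idx]


def storage_report(lengths=(6, 10, 20), bytes_per_entry: int = HEX_DIGEST_BYTES) -> dict:
    """Map each length to its humanized table size."""
    return {length: humanize(table_bytes(length, bytes_per_entry)) for length in lengths}


if __name__ == "__main__":
    for length, (value, unit) in storage_report().items():
        print(f"37^{length} hex digests: {value:,} {unit}")
    for length, (value, unit) in storage_report(bytes_per_entry=RAW_DIGEST_BYTES).items():
        print(f"37^{length} raw digests: {value:,} {unit}")
```

Even at 20 bytes per entry the length-10 table is on the order of 85 PiB and the length-20 table is still hundreds of millions of yobibytes, so a stored-results table is out, and as Cletus notes just below, a changed hash would mean starting over regardless.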

Posted by mstroh on 11-19-2002 01:34 AM:

When this 'switch' is thrown to upgrade to 3.2, what happens to those people who are using 3.0 and earlier that have enabled backdoors already? Are there any types of problems that will arise from this or will backdoors remain enabled?

-mike


Posted by ADent on 11-19-2002 01:50 AM:

I think it is very long and very sparse. Something like "BD 3<spc><spc><spc><spc><spc><spc><spc><spc><spc><spc><spc>2" or "BD32000000000000000" and the TiVo guys did it knowing it would take forever (or close enough) to crack it with brute force.

------
When you get upgraded the backdoors go away (they go away when you reboot and a S/W upgrade requires a boot cycle) unless they are activated by the debug card (TiVo/TurboNet).

It causes no problems.


Posted by TheAmigo on 11-19-2002 03:06 AM:

quote:
I think it is very long and very sparse. Something like "BD 3<spc><spc><spc><spc><spc><spc><spc><spc><spc><spc><spc>2"


I agree.

That's what my previous post was attempting to address. We could find any such password that only had 6 non-spaces in about a week. But 7 wouldn't be so easy taking ~2 years.

But just my measly 2.3 points/sec would take about 10 years so it's really gotta be a group effort.

__________________
--The Amigo


Posted by Mars Rocket on 11-19-2002 04:18 AM:

quote:
Originally posted by mstroh
When this 'switch' is thrown to upgrade to 3.2, what happens to those people who are using 3.0 and earlier that have enabled backdoors already? Are there any types of problems that will arise from this or will backdoors remain enabled?

-mike



Backdoors are turned off by default whenever your TiVo reboots, so they'll be off after you get upgraded to 3.2 (the upgrade process reboots your TiVo after it is complete.)


Posted by juanian on 11-19-2002 07:37 AM:

My Series 2 TiVo just rebooted, and it installed a software update. (It now shows 3.2-01-2-1F0, but it used to be 3.2-V4-2-1F0.)

What is the chance that they might have also changed the backdoor code while they were at it (pleeeez don't say 'back to square one'.)

Juan

P.S. Harsh - I was in the middle of downloading to tape (yes, using the "Save to VCR" choice), and it did the (first) reboot at 2 AM right in the middle of my download. (I certainly hope that the reboot would be postponed if TiVo was actually recording a requested show at that time!)


Posted by CraigEagle on 11-19-2002 01:58 PM:

quote:
Originally posted by juanian
My Series 2 TiVo just rebooted, and it installed a software update. (It now shows 3.2-01-2-1F0, but it used to be 3.2-V4-2-1F0.)

What is the chance that they might have also changed the backdoor code while they were at it (pleeeez don't say 'back to square one'.)

Juan

P.S. Harsh - I was in the middle of downloading to tape (yes, using the "Save to VCR" choice), and it did the (first) reboot at 2 AM right in the middle of my download. (I certainly hope that the reboot would be postponed if TiVo was actually recording a requested show at that time!)



Tivo will not reboot mid-recording, but any other activity and it will (such as Save-To-VCR).

As for them changing the Backdoor Code I would say it is likely. Is there anyone out there who has received the new update who could check the hash?

It might not be that bad, remember if it is changed it could be a 6 or 7 digit code, something that wouldn't take us that long to crack.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by Cletus on 11-19-2002 04:23 PM:

I vote for "333333 222222 BBBBBBCCCCCC".

__________________
If you can't beat'em... pay someone to do it.


Posted by dd9 on 11-19-2002 05:26 PM:

Could the code be rewritten to do a quick offline test? I know I'm asking a lot....

What I'm thinking is that it's something that has a space between every character. The space adds lots of time to cracking, yet keeps the password easy to remember. A 13 char password could be remembered as a 7 char word/phrase with spaces stuffed in between each one. They took this route with several other BD codes.....

So, assuming spaces in every other slot, you'd still be brute-forcing 7 digits with a limited character set. How much CPU time would that take (based on our current model), and could it be done offline with 1 box ?


Posted by cica on 11-19-2002 05:34 PM:

quote:
Could the code be rewritten to do a quick offline test? I know I'm asking a lot....


Just specify a pattern of "? ? ? ? ? ? ?" in local mode.

-Tom


Posted by heh2k on 11-19-2002 07:57 PM:

Angry i want my 30sec skip

not having the 30sec skip is annoying enough to the point that i will STRONGLY consider selling my tivo and getting a moxy(sp) or whatever else there is that has a 30sec skip. it's not just useful for skipping commercials (that we've all seen 100 times). it's VERY annoying to have to ff and deal with the autocorrection, if you just want to jump ahead a little, or if you hit replay too many times. it has significantly reduced how much i enjoy my tivo.

i too suspect it's a long string, and probably pointless to try to crack, now that we know it isn't 8 chars. they can easily change it faster than we can crack it.

what's needed is an anon post from someone at tivo who knows it, or for someone (eg, a friend of an employee) to get it from them (through peaceful means please - no torture ). of course, the problem of them just changing it again still remains.

i guess i'll just have to void my warranty, open it up, and fire up hexedit. (which i'd prefer not to do, now that i'm starting to get occasional stopples, especially on enterprise.)


Posted by colemanr on 11-19-2002 08:01 PM:

Re: i want my 30sec skip

quote:
Originally posted by heh2k
not having the 30sec skip is annoying enough to the point that i will STRONGLY consider selling my tivo and getting a moxy(sp) or whatever else there is that has a 30sec skip.


Does 30 second skip now require backdoors to be enabled? It did when it was first implemented, but I was under the impression that that restriction was dropped.

__________________
Rob


Posted by CraigEagle on 11-19-2002 08:08 PM:

Re: Re: i want my 30sec skip

quote:
Originally posted by colemanr
Does 30 second skip now require backdoors to be enabled? It did when it was first implemented, but I was under the impression that that restriction was dropped.


No, 30 Sec Skip still does not require backdoors.
Just Select-Play-Select-3-0-Select (It is easiest to do this while playing something you have recorded)
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by Mars Rocket on 11-19-2002 08:14 PM:

30-second skip can be enabled at any time, regardless of whether Backdoors are on or off. This is true for v3.0 at least.


Posted by Mike Farrington on 11-19-2002 08:27 PM:

I know that cracking the code is the ultimate goal, but is there a way to trick your internet-connected TiVo into downloading a script that changes the backdoor code to a known value?

If you give your PC the same IP address that TiVo connects to nightly, and emulate whatever handshaking protocol there is, then couldn't you serve up some sort of script that changes the backdoor code?

-Mike


Posted by Tonybeans on 11-19-2002 08:51 PM:

In this latest version of 3.2 (mine just rebooted a couple days ago) you don't need backdoors for 30-second skip or to sort Now Playing.


Posted by heh2k on 11-19-2002 08:51 PM:

Re: Re: Re: i want my 30sec skip

quote:
Originally posted by CraigEagle
No, 30 Sec Skip still does not require backdoors.



d'oh! still, i want to see my uptime.


Posted by heh2k on 11-19-2002 08:56 PM:

quote:
Originally posted by Mike Farrington
If you give your PC thet same IP address that TiVo connects to nightly, and emulate whatever handshaking protocol there is, then couldn't you serve up some sort of script that changes the backdoor code?



you'd almost certainly have to give it a whole file, and then the install command. so, you'd have to get the file to modify off the drive, at which point you may as well just use a hex editor and put the old hash output in.


Posted by joker81 on 11-20-2002 03:59 AM:

quote:
Originally posted by heh2k
you'd almost certainly have to give it a whole file, and then the install command. so, you'd have to get the file to modify off the drive, at which point you may as well just use a hex editor and put the old hash output in.


I'm surprised something like this hasn't happened. I remember reading about those internet stations everyone bought and how by changing your lmhost file you would connect to this guy's website that would install some neato software to run linux off of it. It wouldn't be too hard to figure out what ip the information is collected from. I would think it would be possible to figure out what's being sent. There might be a way also to trick the information server into thinking your machine (computer) is a tivo by collecting the packets that a Tivo sends out. (I am in no way trying to bypass service fees.) But if someone could emulate a tivo and receive the files (hopefully an upgrade file, it's the most important) then someone or that person could dissect the file to figure out how one could make a remote upgrade site for all tivo users. It would be cool if I could just change my host file so I could get linux stuff on my tivo instead of taking the chance of ruining my tivo by opening it up.

Hopefully this post isn't against the rules.


Posted by jkeegan on 11-20-2002 06:26 AM:

Right.. To hack an Audrey (Palm's kitchen internet appliance), you set your DNS server to this DNS server hosted by some guy on the net.. That DNS server was a normal DNS server except that they overrode some hostname that was hardcoded into the Audrey to instead resolve to another public machine of his.. That machine acted like the servers that used to exist at Palm, except that it fed an update of the OS to the Audrey that had been enhanced.. So you scheduled a daily call to check for upgrades, it'd try to resolve the hostname, it'd get this other IP address, it'd go to that machine, and download what it thought was an update.

Wow.. Yeah, imagine a simple program on the PC that talked over the serial line, simply emulated the modem responses, and sent over a particular version of the software. Hacking without cracking the case.
It could get complicated if you were downloading some old version and the next service call replaced it, but it'd be especially useful someday if the unthinkable ever happens.

(Then again, it'd be much slower than just opening the case and putting in a new disk with an image on it)

..Jeff

__________________
..Jeff Keegan (Biscuitboy on Xbox Live)

seven syllables
(kee gan dot org slash ti vo )
they explain it all


Posted by mstroh on 11-20-2002 08:53 AM:

The only problem with this is that I would be afraid that a program like this would get out into the wild and some unscrupulous user would use it to give unsubscribed users the channel info. This would only work as long as TiVo stayed in business, but as soon as TiVo went out of business all of the users would be without guide data. I definitely do not want that to happen!

If I was capable of writing a program like that I would definitely be reluctant to release it.

I like the idea, but very afraid of its uses.

-mike

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by bsnelson on 11-20-2002 03:16 PM:

A couple of notes:

TiVo WILL reboot at 2:00AM if it's in "pending restart" even if a scheduled recording is in progress. This has been a sore spot in the past, but TiVo basically says "it ain't changing".

Re: faking out the TiVo servers: TiVo thought of this on about the third day of their existence, folks. The files are digitally signed, and unless you know TiVo's private key, you can forget making fake files. This isn't an option.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by Otto on 11-20-2002 04:01 PM:

It could be done. But if Tivo has any intelligence, the data they send to the Tivo is encrypted using their private key. I know it's encrypted, I just don't know by what method (haven't really been interested enough to check). Anyway, if the unit expects to get private key encrypted data, and doesn't work with unencrypted data, and there's no easy workaround, then forget it. You'd need their private key to be able to emulate Tivo's servers via an IP spoofing trick.

But, that's only a possibility. I don't know exactly by what method the slice files and so forth are encrypted. So it may not be as hard as all that. But it could be very difficult indeed, is my point.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."
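Brad's and Otto's point above (the update files are signed, so without the vendor's private key a spoofed server cannot produce a file the box will accept), as an added example that is not from this thread and not TiVo's own code or file format. It builds a constructed update container whose payload digest is signed with the vendor key, then runs the box-side check against the genuine file, a tampered copy, and a copy re-signed with someone else's key. The container layout and the use of Ed25519 are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed container layout (constructed for this example, not TiVo's):
//   [64 bytes Ed25519 signature over SHA-256(payload)][4 bytes BE payload length][payload]
const sigLen = ed25519.SignatureSize

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrTruncated    = errors.New("update rejected: container truncated or length mismatch")
)

// PackageUpdate is the vendor side: sign the payload digest with the private key.
func PackageUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig := ed25519.Sign(priv, digest[:])
	var length [4]byte
	binary.BigEndian.PutUint32(length[:], uint32(len(payload)))
	out := make([]byte, 0, sigLen+4+len(payload))
	out = append(out, sig...)
	out = append(out, length[:]...)
	return append(out, payload...)
}

// VerifyUpdate is the box side: it only trusts the pinned vendor public key,
// so it does not matter which server the container was downloaded from.
func VerifyUpdate(pub ed25519.PublicKey, container []byte) ([]byte, error) {
	if len(container) < sigLen+4 {
		return nil, ErrTruncated
	}
	sig := container[:sigLen]
	n := binary.BigEndian.Uint32(container[sigLen : sigLen+4])
	payload := container[sigLen+4:]
	if uint32(len(payload)) != n {
		return nil, ErrTruncated
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// RunScenario exercises the three cases a redirected update server could present.
// It reports whether the genuine file was accepted and whether the tampered and
// re-signed files were rejected.
func RunScenario() (genuineOK, tamperedRejected, forgedRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // key the vendor never issued
	if err != nil {
		return
	}

	// Constructed sample payload; the version string is the one quoted in the thread.
	payload := []byte("constructed sample update payload for 3.2-01-2-1F0")

	// 1. Genuine: signed with the vendor key and unmodified.
	genuine := PackageUpdate(vendorPriv, payload)
	got, verr := VerifyUpdate(vendorPub, genuine)
	genuineOK = verr == nil && bytes.Equal(got, payload)

	// 2. Tampered: one payload byte flipped after signing, so the digest no longer matches.
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0x01
	_, verr = VerifyUpdate(vendorPub, tampered)
	tamperedRejected = errors.Is(verr, ErrBadSignature)

	// 3. Forged: same payload, but signed with a key that is not the pinned vendor key.
	forged := PackageUpdate(otherPriv, payload)
	_, verr = VerifyUpdate(vendorPub, forged)
	forgedRejected = errors.Is(verr, ErrBadSignature)
	return
}

func main() {
	g, t, f, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered rejected=%v forged rejected=%v\n", g, t, f)
}
```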


Posted by jkeegan on 11-20-2002 04:43 PM:

Again, I'm only talking about this in a worst-case what-if-the-sky-falls scenario where our beloved company is no more. In that case, I'd hope that either someone there would leak the key (if they really were out of business), or that a group would start a massive distributed brute-force attempt to find the key. Maybe 5 years after that or so, it wouldn't seem as difficult as it would today. Depends on the size of the key, I guess.

It'd be nice to have that key in some kinda escrow account..

Ok, enough negative thoughts. Long live TiVo!

..Jeff

__________________
..Jeff Keegan (Biscuitboy on Xbox Live)

seven syllables
(kee gan dot org slash ti vo )
they explain it all


Posted by SpamapS on 11-20-2002 04:59 PM:

Exclamation teoma bustin out with just one IP...

Anyone know who teoma is? I'm not saying he's cheating, but in less than 24 hours his stats are ahead of mine in every category, and he only has 1 IP (versus my 18 active IPs ... go #linuxhelp!!)

Teoma ... if you're reading this... pipe up! I'd love to hear what you're running this on.


Posted by CraigEagle on 11-20-2002 05:02 PM:

Now that the "Big Switch" has been thrown could someone with the REAL 3.2 check that the hash is the same? If it isn't we need to replace ours with the new one and unfortunately start from scratch. Although, if there is a new hash, it could be considerably smaller than the one we are looking for now.
- Craig Eagle

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by Mars Rocket on 11-20-2002 06:05 PM:

Re: teoma bustin out with just one IP...

quote:
Originally posted by SpamapS
Anyone know who teoma is? I'm not saying he's cheating, but in less than 24 hours his stats are ahead of mine in every category, and he only has 1 IP (versus my 18 active IPs ... go #linuxhelp!!)



He could have 300 PCs running behind a router running NAT. I have 3 under one IP that way myself.


Posted by EdwinOlson on 11-20-2002 06:30 PM:

I haven't seen any proof failures yet (except from the known-to-be-buggy <2.05 windows clients), including teoma's. So hopefully, he's just got a lot of machines running!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by CraigEagle on 11-20-2002 09:31 PM:

quote:
Originally posted by subuni
Although I don't have a Series2, this was pretty trivial to find in the 3.2.V4-01-2 update files.

ResourceItem 999074/174 {
Id = 131251
String = 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4
}




Could someone check if this string has changed with the new version of 3.2 (3.2-01-2-1F0)? If it has we need to replace our hash.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by kgidley on 11-20-2002 10:21 PM:

quote:
Originally posted by CraigEagle
Could someone check if this string has changed with the new version of 3.2 (3.2-01-2-1F0)? If it has we need to replace our hash.
- Craig



This hash shown above is what my client received from the server, so I don't think it has changed.

__________________
Ken
HR10-250 - my new toy!
2 Hughes DTivos, (lifetime, 1 upgraded to ~188 hours, the other upgraded to ~230 hours.)


Posted by brianld on 11-20-2002 10:43 PM:

quote:
Originally posted by kgidley
This hash shown above is what my client received from the server, so I don't think it has changed.


The fact that your client received the same hash has nothing to do with whether or not the actual hash was changed in the 3.2 "big switch" version. The hash you are receiving from the server for cracking the backdoor code was extracted from a version of 3.2 from a few weeks ago, so CraigEagle has a good point. Someone who has the ability and has received the 3.2 "big switch" version should check it again.


Posted by FUBAR on 11-21-2002 12:43 AM:

I've got the big switch, but i don't know how to look at the hash on the drive, any tips?

__________________
You? you get no pony!

p::/w..eees:par/kcosmht.pey.ztx.xyzsp:t
F.U.B.A.R.


Posted by kgidley on 11-21-2002 01:02 AM:

quote:
Originally posted by brianld
The fact that your client received the same hash has nothing to do with whether or not the actual hash was changed in the 3.2 "big switch" version. The hash you are receiving from the server for cracking the backdoor code was extracted from a version of 3.2 from a few weeks ago, so CraigEagle has a good point. Someone who has the ability and has received the 3.2 "big switch" version should check it again.


Silly me - I had assumed that the hash CraigEagle posted was the one he got from the 'big switch' version, not the one we've already been working with...

__________________
Ken
HR10-250 - my new toy!
2 Hughes DTivos, (lifetime, 1 upgraded to ~188 hours, the other upgraded to ~230 hours.)


Posted by rhagopian on 11-21-2002 04:07 AM:

Re: teoma bustin out with just one IP...

quote:
Originally posted by SpamapS
Anyone know who teoma is? I'm not saying he's cheating, but in less than 24 hours his stats are ahead of mine in every category, and he only has 1 IP (versus my 18 active IPs ... go #linuxhelp!!)

Teoma ... if you're reading this... pipe up! I'd love to hear what you're running this on.



Hehe... Yeah, probably should have posted here when I started this - these are a bunch of new servers for teoma.com expansion, we were just burning them in w/dclient (and a couple crashed - excellent!). It's about 175-185 dual PIII-1.4Ghz boxes w/4G RAM (about 1150 kKeys/sec/processor), all behind one NAT as someone suggested... Unfortunately we're installing the apps and dbs on them now so we have to take them out of the cracking effort :-(

It was fun while it lasted!

(and I think you might recall seeing a smaller cluster I was running as hagopiar in the 9 space :-) )

-Rob Hagopian


Posted by brianld on 11-21-2002 08:10 PM:

Re: Re: teoma bustin out with just one IP...

quote:
Originally posted by rhagopian
Hehe... Yeah, probably should have posted here when I started this - these are a bunch of new servers for teoma.com expansion, we were just burning them in w/dclient (and a couple crashed - excellent!). It's about 175-185 dual PIII-1.4Ghz boxes w/4G RAM (about 1150 kKeys/sec/processor), all behind one NAT as someone suggested... Unfortunately we're installing the apps and dbs on them now so we have to take them out of the cracking effort :-(

It was fun while it lasted!

(and I think you might recall seeing a smaller cluster I was running as hagopiar in the 9 space :-) )

-Rob Hagopian



Serious horsepower! Too bad you had to give them up ...


Posted by dswallow on 11-21-2002 08:32 PM:

Someone should package up the client as a screen saver with some TiVo guy graphics; that'd make it viable to just leave on computers.

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by binaryc on 11-22-2002 06:46 AM:

I would have posted this before, but I didn't feel like registering...

I wrote a program to search the entire ([A-Z0-9]{0,20}){1,5} space meaning basically I searched everything from
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
to
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
including
AAAAAAAAAABBBBBBBBBAAAAAAAACCCCCCCCDDDD
etc...

I also tried every combination of spaces, up to 5 spaces per key.
so for example, i tried all of these:
A AAAAAAA
AA AAAAAA
A A AAAAAA
A AA AAAAA
etc...

I capped the string length to 20 characters.

Needless to say, I didn't find a match.

You can get the source here: http://www.binaryc.com/main.cpp
(you'll need sha1.cpp/h from tivocrack)


I also searched the entire keyspace up to 5 characters with the entire ascii character set (all 255 characters) as my alphabet. Also no match.


Posted by dd9 on 11-22-2002 02:24 PM:

quote:
Originally posted by binaryc
I also tried every combination of spaces, up to 5 spaces per key.
so for example, i tried all of these:
A AAAAAAA
AA AAAAAA
A A AAAAAA
A AA AAAAA
etc...

I capped the string length to 20 characters.



OK, well that nixed my theory.

I was somewhat optimistic that they followed suit as they have in the past by using a space between each character. Oh well.......the crunching continues.


Posted by Cletus on 11-22-2002 03:36 PM:

It seems to me it gets a little foolish to chug along without any confirmation on whether the hash has been changed or not in the final release. Anyone?

__________________
If you can't beat'em... pay someone to do it.


Posted by cica on 11-22-2002 04:05 PM:

I'm confused.

Is binaryc trying to say that he has single-handedly searched everything up to 20 characters?

-Tom


Posted by MikeLaw on 11-22-2002 04:40 PM:

quote:
Originally posted by cica
Is binaryc trying to say that he has single-handedly searched everything up to 20 characters?


No. He just searched a limited set of keys with lots of repeated characters.

__________________
....mike


Posted by brianld on 11-22-2002 04:49 PM:

quote:
Originally posted by Cletus
It seems to me it gets a little foolish to chug along without any confirmation on whether the hash has been changed or not in the final release. Anyone?


Agreed. Has anyone been able to confirm whether or not the hash changed?


Posted by jag111 on 11-22-2002 04:53 PM:

I still don't have the 3.2 software yet. So if a big switch has been thrown, it seems I've been left in the dark.


Posted by CraigEagle on 11-22-2002 05:08 PM:

quote:
Originally posted by jag111
I still don't have the 3.2 software yet. So if a big switch has been thrown, it seems I've been left in the dark.


TivoPony indicated that it would take a couple of weeks before everyone had the update. When someone who knows how to extract the hash gets it PLEASE post it here. Then we will know we are looking for the right code.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by kdelande on 11-22-2002 05:25 PM:

TivoPony's blurb...

Anyone else noticed TivoPony's changed the blurb that appears above his avatar? Probably nothing but it is some gibberish word/letters...

KD


Posted by CraigEagle on 11-22-2002 05:47 PM:

wephmush
It's an anagram for:
Push Me WH
or
We Push MH
or
He Push MW

None of which make any sense to me.
I will keep working on it.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by Mike Farrington on 11-22-2002 09:51 PM:

Has anyone tried that as the backdoor code? Think it's a clue?

-Mike


Posted by Rombaldi on 11-22-2002 10:07 PM:

anagrama...

eh hp mu sw
eh hp swum
eh hump sw
eh MS uh wp
eh Ms uh wp
eh mp sw uh
eh mu ph sw
eh mu sh wp
eh mush wp
eh ph swum
eh pm sw uh
em hp sw uh
em hush wp
em ph sw uh
em sh uh wp
he hp mu sw
he hp swum
he hump sw
he MS uh wp
he Ms uh wp
he mp sw uh
he mu ph sw
he mu sh wp
he mush wp
he ph swum
he pm sw uh
hemp sw uh
hep hum sw
hep sh umw
hew hp sum
hew hum ps
hew humps
hew mph US
hew mph us
hew ph sum
hew sh ump
hews hp mu
hews hump
hews mp uh
hews mu ph
hews pm uh
hp hum sew
hp MS uh we
hp Ms uh we
hp me sw uh
hp mews uh
hp mu sh we
hp mu shew
hp mush we
hp she umw
hp smew uh
hue mph sw
hue sh WPM
huh MS pew
huh Ms pew
huh mew ps
huh mp sew
huh pm sew
huh se WPM
hum pew sh
hum ph sew
hum she wp
hump sh we
hump shew
humph sew
hush me wp
hush mp we
hush pm we
MS ph uh we
MS phew uh
Ms ph uh we
Ms phew uh
me ph sw uh
me sh uh wp
mesh uh wp
mews ph uh
mp sh uh we
mp shew uh
mph sew uh
mu ph sh we
mu ph shew
mu phew sh
mush ph we
mush phew
ph she umw
ph smew uh
pm sh uh we
pm shew uh
she uh WPM


Posted by jag111 on 11-22-2002 10:18 PM:

wephmush

I was looking at this and thinking you could turn it upside down in your head to get a different set of random letters/numbers to anagram and check.

4snw4dam

or

4snw4dem (if you don't count the upsidedown e as translatable to anything)


Posted by rbiro on 11-22-2002 11:08 PM:

But these suggestions on wephmush all reside in the 8 char or 8+n space which has been exhaustively searched.
I think somebody already did a full ASCII search on 8char which I assume includes lowercase.

I'm just skeptical about wephmush.


Posted by gregstoll on 11-22-2002 11:29 PM:

quote:
Originally posted by rbiro
But these suggestions on wephmush all reside in the 8 char or 8+n space which has been exhaustively searched.
I think somebody already did a full ASCII search on 8char which I assume includes lowercase.



True, but that was the hash in the "old" 3.2 version - we don't know what it is in the final 3.2 version yet. So one of these might work...


Posted by joker81 on 11-23-2002 01:23 AM:

quote:
Originally posted by rbiro
But these suggestions on wephmush all reside in the 8 char or 8+n space which has been exhaustively searched.
I think somebody already did a full ASCII search on 8char which I assume includes lowercase.

I'm just skeptical about wephmush.




http://edo.lcs.mit.edu/dclient/stats.php

Actually if you look at the stats not all of the 8 character name space has been completed. I made a comment about this about a week ago and someone said that the server would distribute the timed out chunks. It still hasn't.

I think that someone should definitely check to see why the 8 char chunks are not being distributed. Although someone should check the hash beforehand, definitely.


Posted by EdwinOlson on 11-23-2002 01:39 AM:

Joker, you need to chill! You worry *way* too much.

The blocks will be recycled. It will happen. The server is attempting to give slow clients as much time as they might need. Perhaps it's overly conservative. That doesn't mean the blocks won't be reissued. Many old blocks have already been reissued. Some of those have been reissued multiple times.

So take a deep breath. Aaahh. We'll all be okay.

-Ed

ps: and wephmush or whatever it was, is not the password. Nor is any permutation of its letters (plus space) less than or equal to 10 characters.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by gregstoll on 11-23-2002 05:51 AM:

quote:
Originally posted by EdwinOlson

ps: and wephmush or whatever it was, is not the password. Nor is any permutation of its letters (plus space) less than or equal to 10 characters.



But it might be, because the final 3.2 version might have a different hash for the backdoor code, right? Or has someone who has 3.2 checked it?


Posted by IgD on 11-23-2002 06:04 PM:

TiVo Counter Attack

Hey what if TiVo (knowing the code) sent your server a marker that it had been checked and was not valid???


Posted by dd9 on 11-23-2002 07:28 PM:

Did we get a hit??!! The server isn't giving out any more work units!


code:
14:24:46: 11/23/2002
14:24:46: -- TiVoCrack 2.05 started --
14:24:46: Getting the next work load
14:25:54: 11/23/2002
14:25:54: -- TiVoCrack 2.05 started --
14:25:54: Getting the next work load
14:25:56: Error: No more work to do
14:25:56: Didn't receive WUID from server!
14:25:56: Didn't receive RESULTURL from server!
14:25:56: Didn't receive NONCE from server!
14:25:56: Didn't receive RUN from server!
14:25:56: Didn't receive CTEXT from server!
14:25:56: Didn't receive ALPHABET from server!
14:25:56: Didn't receive PATTERN from server!
14:25:56: Didn't receive SEED from server!
14:25:56: Error decoding the work unit!
14:25:56: Call failed, trying again
14:25:56: Sleeping for a minute


Posted by smitty99 on 11-23-2002 07:54 PM:

Nope, still searching...

I wondered if the game was over, so I came here...but then I re-launched my client and got another WU again. My guess is the server was acting up for a bit, but it's better now.


Posted by dd9 on 11-23-2002 07:56 PM:

Yea, bummer. I just got another one too. So much for wishful thinking with that "no more work to do" message!

Edwin - any idea what happened?


Posted by EdwinOlson on 11-23-2002 07:56 PM:

I'm not quite sure what's up, but it seems as though every now and then an absolutely insane number of requests come in. The server load spikes enormously as an excessive # of httpd processes are spawned off. Contention over mysql access then slows things down further. Ultimately, the php runs exceed the maximum # of connections to php and things start failing.

I'm trying to tune away the problem, but it shouldn't really matter too much from user perspectives; it's a "clean" and temporary failure. Your client will retry and eventually succeed.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by GBL on 11-23-2002 08:09 PM:

quote:
Originally posted by EdwinOlson
...
Your client will retry and eventually succeed.

-Ed



Ed,

looks like my Windows client 2.05 did give up:
code:
13:32:38: Try number 14
13:32:38: Getting the next work load
13:32:38: Error: No more work to do
13:32:38: Didn't receive WUID from server!
13:32:38: Didn't receive RESULTURL from server!
13:32:38: Didn't receive NONCE from server!
13:32:38: Didn't receive RUN from server!
13:32:38: Didn't receive CTEXT from server!
13:32:38: Didn't receive ALPHABET from server!
13:32:38: Didn't receive PATTERN from server!
13:32:38: Didn't receive SEED from server!
13:32:38: Error decoding the work unit!
13:32:38: Sleeping for a minute
13:33:38: Try number 15
13:33:38: Getting the next work load
13:34:45: Unable to open URL!
13:34:45: Sleeping for a minute
13:35:45: Try number 16
13:35:45: Getting the next work load
13:37:31: Next workload failed, giving up


PS: Hi from Minnesota!

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by EdwinOlson on 11-23-2002 08:18 PM:

Is the default timeout in 2.05 only 1 minute? Geesh! Also, did it really fail 16 times in a row, or did it fail a *total* of 16 times over the course of your client's invocation?

The timeout really should be quite a lot larger... 5 or 10 minutes. Otherwise, the pounding of thousands of machines every minute might cause a ton of trouble when the server eventually recovers!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by GBL on 11-23-2002 08:28 PM:

quote:
Originally posted by EdwinOlson
Is the default timeout in 2.05 only 1 minute? Geesh! Also, did it really fail 16 times in a row, or did it fail a *total* of 16 times over the course of your client's invocation?

The timeout really should be quite a lot larger... 5 or 10 minutes. Otherwise, the pounding of thousands of machines every minute might cause a ton of trouble when the server eventually recovers!

-Ed



ed,

I attached more of the log; I'm just using all the defaults (except userID).

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by EdwinOlson on 11-23-2002 09:04 PM:

GBL- Sounds like you were unlucky in that you didn't get to talk to the server in your 15 tries, but you would have been more successful with a more reasonable retry delay. Oh well. Perhaps if we get a new maintainer for the win32 port we can adjust that.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by GBL on 11-23-2002 09:13 PM:

quote:
Originally posted by EdwinOlson
GBL- Sounds like you were unlucky in that you didn't get to talk to the server in your 15 tries, but you would have been more successful with a more reasonable retry delay. Oh well. Perhaps if we get a new maintainer for the win32 port we can adjust that.

-Ed



Ed,

what is the proportion of Win32 clients? Is it significant enough to explain the server load spikes you have been seeing?

__________________
"Driving requires the brain cells of a mule, and a license." dswallow

1 Sony SVR2000 (upgraded to 75 hrs), 1 Philips HDR612, 2 HDR112s (upgraded to 75 and 140 hrs), 1 SA8000HD (160GB)
unpaid volunteer, TiVo army


Posted by Myname17 on 11-23-2002 11:02 PM:

Re: TivoPony's blurb...

quote:
Originally posted by kdelande
Anyone else noticed TivoPony's changed the blurb that appears above his avatar? Probably nothing but it is some jibberish word/letters...

KD



Just for grins I used this as a seed:

tivocrack -l -pWEPHMUSH?????? a"ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890"

No luck.

Mike

10:13:33: 11/23/2002
10:13:33: User = [anonymous], Work Unit = (none)
10:13:33: Alphabet = [ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890]
10:13:33: Key = [96F8B204FD99534759A6C11A181EEDDFEB2DF1D4]
10:13:33: Pattern = [WEPHMUSH??????]
10:13:33: Threads = 1, Local = true, Silent = false
10:13:33: Priority = normal, Sleep = 5min, Retries = infinite
10:13:33: Logging = both
10:13:33: -- TiVoCrack 2.05 started --
10:13:38: [WEPHMUSHSRG BA]
10:18:38: [WEPHMUSHSPYL8C]
10:23:38: [WEPHMUSHDKH43F]
10:28:38: [WEPHMUSHT2NC I]
10:33:39: [WEPHMUSH5PVGUL]
10:38:39: [WEPHMUSHL0OANO]
10:43:39: [WEPHMUSH2TI5FR]
10:48:39: [WEPHMUSHVYWYBU]
10:53:39: [WEPHMUSHIBUK5W]
10:58:39: [WEPHMUSH BEYYZ]
11:03:39: [WEPHMUSHJ0FDT2]
11:08:39: [WEPHMUSHDVKQP5]
11:13:38: [WEPHMUSHTCRZL8]
11:18:24: [WEPHMUSHUYS800]
11:18:24: All done


Posted by Sketchy on 11-24-2002 03:59 AM:

Re: TivoPony's blurb...

quote:
Originally posted by kdelande
Anyone else noticed TivoPony's changed the blurb that appears above his avatar? Probably nothing but it is some gibberish word/letters...

KD



I have been thinking about this. I don't think the code is any combination of "wephmush" at all. What if wephmush is some kind of word puzzle that results in the code, or a reference to something else? Or what if it's a word puzzle that when solved refers to something that is entered as the code?

It wouldn't be anything easily found, like an anagram. It wouldn't be anything easily googled, either.

It could be an acronym-style abbreviation for a longer sentence. Hmm, "we elves put hot mitts under steady hands".... uh, maybe not.

It could be another random kind of abbreviation. I notice that p, h, and m all form words when suffixed with "ush". Maybe the code is "WE PUSH HUSH MUSH"?

So, any good word puzzle solvers out there? Might be worth thinking about for a while.


Posted by krymaney on 11-24-2002 04:51 AM:

Here's some food for thought....maybe it has nothing to do with the backdoor code?

See...
mwep (username) was the first forum user to post he got the new HDVR2.

It was DOA. He was upset (rightfully so)

mwep complained quite loudly about it both publicly and privately with TivoPony.

Apparently he believes (from his posts) that Tivo isn't doing enough to fix the problem...("I haven't gotten a call from either Tivo OR Hughes")

What if "wephmush" stands for something like...."Wep Has Mush" or.."Mwep Hush!"


Just a thought.

A way to vent, without venting?

__________________
GoochPhotos.com
Sony T-60 DirecTivo - 140 Hours


Posted by subuni on 11-24-2002 05:10 AM:

quote:
Originally posted by CraigEagle
Could someone check if this string has changed with the new version of 3.2 (3.2-01-2-1F0)? If it has we need to replace our hash.


Good news: The effort hasn't been wasted.
Bad news: I just verified the hash in 3.2-01-2-1F0, and it is the same.

code:
% dumpobj 90336/174
ResourceItem 90336/174 {
  Id = 131251
  String = 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4
}
%


Posted by Mr. Soze on 11-24-2002 01:08 PM:

quote:
Originally posted by krymaney


What if "wephmush" stands for something like...."Wep Has Mush" or.."Mwep Hush!"


Just a thought.

A way to vent, without venting?

k

Not a bad thought indeed. (I don't have a Tivo to try it out on, tick tock, CC, tick tock).

My thought. Swapping around letters in an easy to remember phrase is a good way to generate passwords. Could it be as simple as something pig latin like "ackdoor32b" or something along those lines. It's 10 chars even without throwing a few logical spaces in it, so the brute force effort might not hit it for a while. Easy to remember too, if you already know it.

My first contribution to the underground. Hope it adds something.


Posted by ct williams on 11-24-2002 08:37 PM:

quote:
Originally posted by krymaney
Here's some food for thought....maybe it has nothing to do with the backdoor code?

What if "wephmush" stands for something like...."Wep Has Mush" or.."Mwep Hush!"


Just a thought.

A way to vent, without venting?



I think you may have it! I am going with Mwep Hush. Pony must be laughing at all this. That was a great deduction.

CT


Posted by rewilson on 11-24-2002 11:30 PM:

Unable to get a work unit!

I just upgraded my Norton Internet Security from 2002 to 2003 on one system. I've set up the firewall to permit access from tivocrack, but am unable to get any more work units on that machine. Another machine has obtained a unit. Any help? The output on the problem machine is (Windows 2000 Pro):

18:30:55: 11/24/2002
18:30:55: -- TiVoCrack 2.05 Started --
18:30:55: Getting the next work load
18:30:55: Error processing line from server
18:30:55: Error processing line from server
18:30:55: Error decoding the work unit!
18:30:55: Sleeping for a minute

It then announced try 2 (and so forth), then repeats the "Getting next..." through "Sleeping..." lines. It was invoked with "tivocrack.exe urewilson"

Thanks,
Bob

Edit: Going for over an hour now (try 61), so probably not a busy server.

Edit: Seems that Norton Internet Security is messing things up. This is with the 2003 version. If I disable ALL functions using the main "Security" on/off toggle, then Tivocrack works. If I leave the main Security switch turned on, but then disable ALL of the individual components (Personal Firewall; Intrusion Detection; Privacy Control; Ad Blocking; Spam Alert; Parental Controls), then it still fails. Obviously, I don't want to run with the entire firewall disabled! HELP!


Posted by Robs67 on 11-25-2002 05:03 AM:

A MUSH is an online gaming term (Multi User Shared Hallucination). I am not into that scene. Does anyone know who "pushes" online gaming? Perhaps the answer is along those lines.

-Robert


Posted by Robs67 on 11-25-2002 05:07 AM:

...and ya know, the big "Sims Online" is being heavily advertised and is due out soon. That will be a huge MUSH! "Electronic Arts" is pushing that one.


Posted by Smiles on 11-25-2002 07:34 AM:

Maybe "wephmush" is an acronym, like Where Every Password Hacker Must Use Silly Handles.

If someone can come up with a better, more clueful version there could be a hint there, too ...

__________________
Visit my moblog


Posted by embeem on 11-25-2002 09:27 AM:

quote:
Originally posted by Smiles
Maybe "wephmush" is an acronym, like Where Every Password Hacker Must Use Silly Handles.

If someone can come up with a better, more clueful version there could be a hint there, too ...



I tried running every rot-n variation through an anagram generator:
ax fan lip
ax fin lap
ax fin pal
ax flap in
ax flip an
ax if plan
ex cup map
ex cup pam
ex pup cam
ex pup mac
ex up camp
fix lap an
fix nap al
fix pal an
fix pan al
flax pain
flax pi an
hump hews
lax fan pi
lax if nap
lax if pan

I'm thinking either an acronym or just a random jumble of letters designed to draw us away from more useful things.

edit: it looks to be an odd way to say 'tivopony' .. same length and both have a duplicated letter

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by TreborPugly on 11-25-2002 02:31 PM:

quote:
Originally posted by subuni
Good news: The effort hasn't been wasted.
Bad news: I just verified the hash in 3.2-01-2-1F0, and it is the same.

code:
% dumpobj 90336/174
ResourceItem 90336/174 {
  Id = 131251
  String = 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4
}
%



I don't mean to be distrustful, but am I correct that subuni is the only source for the 3.2 Hash? He gave us the hash that began this effort and now he's the only one giving verification that the hash with the "big switch" release is the same. Any other hackers out there independently verified it?

__________________
I'm not a Bug, I'm a Feature!


Posted by grecorj on 11-25-2002 02:56 PM:

3.1 code for DTiVos? <sigh> Wishful thinking.

quote:
Originally posted by Smiles
Maybe "wephmush" is an acronym, like Where Every Password Hacker Must Use Silly Handles.

If someone can come up with a better, more clueful version there could be a hint there, too ...

__________________
106 hr Philips DSR6000 TiVo
120 hr Hughes HDVR2 TiVo
Stock 40 hr Hughes HDVR2 TiVo -- unsubbed

Looking for news about TiVo? Try TiVoNews


Posted by edw on 11-25-2002 04:37 PM:

Interesting, if you go to http://babelfish.altavista.com/babelfish/tr and enter in wephmush you get: "to shepyumusyu" as a Russian to English translation.

Thought that was interesting, not helpful, but interesting.

__________________
Ed Williams


Posted by TheAmigo on 11-26-2002 06:20 AM:

Since those aren't Cyrillic characters, it does sometimes come up with interesting results. There is no W in Russian, but the letter that looks kinda like a W sounds like sh. The sh sound on the end is usually indicative of a 2nd person verb conjugation, so it probably put a "to" in front thinking it's a verb. Pretty much a fudged phonetic translation of something that isn't a word in either language.

Try having it translate an English web page from Russian to English... looks pretty garbled

__________________
--The Amigo


Posted by davistw on 11-26-2002 01:39 PM:

Ask Tivopony?

Dumb question but has anyone asked Tivopony what the wephmush means? Could be the first letters of his dogs/cats/kids/wives.

I bet he is rolling with laughter right now.....


Posted by SPR on 11-26-2002 03:18 PM:

wephmush

Possibly another red-herring but WEP is an encryption standard.....


Posted by Mr. Soze on 11-26-2002 04:33 PM:

Re: Ask Tivopony?

quote:
Originally posted by davistw
Dumb question but has anyone asked Tivopony what the wephmush means? Could be the first letters of his dogs/cats/kids/wives.

I bet he is rolling with laughter right now.....



I did - no reply


Posted by CraigEagle on 11-26-2002 06:34 PM:

Re: wephmush

quote:
Originally posted by SPR
Possibly another red-herring but WEP is an encryption standard.....


True, but it's a wireless security protocol; WEP stands for Wired Equivalent Privacy. I wouldn't bet on this having anything to do with anything because WEP generally has to do with 802.11x networks. I could be wrong though.
- Craig

__________________
If you haven't gotten where you're going you aren't there yet. - George Carlin


Posted by joshg on 11-26-2002 07:30 PM:

Hi... first time contributor here. I'm now running TivoCrack on several machines to help out.

Any reason why this hasn't been promoted in CoffeeHouse or other "mainstream" boards here to solicit more machines into the effort? Now that it's a nice windows app, I suspect we could get LOTS more machines on the effort by promoting it elsewhere... I suspect only a small fraction of visitors to the Tivo forums venture into this board.


Posted by gart on 11-26-2002 08:46 PM:

Success Results?

I'm running TivoCrack on 5 Windows Servers (1 a dual) and a linux box.

Anyways, I hardly, if ever, look at the consoles for those systems.

If someone discovers the answer, does the user have to report success or will the server inform the appropriate people?

--Pat


Posted by dd9 on 11-27-2002 03:29 PM:

Has anyone (Edwin?) given thought to an effort for the 3.1 code for combos ? I just noticed that someone posted the hash in the other thread asking about this.

I'm asking here because this thread is more visible now.


Posted by jcase on 11-27-2002 06:48 PM:

hmm, check this out
http://www.cs.rice.edu/~astubble/wep/
Here is the text of a search I did for WEP

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
AT&T Labs Technical Report TD-4ZCPZZ, Revision 2, August 21, 2001
Authors
Adam Stubblefield
John Ioannidis
Aviel D. Rubin

Abstract
We implemented an attack against WEP, the link-layer security protocol for 802.11 networks. The attack was described in a recent paper by Fluhrer, Mantin, and Shamir. With our implementation, and permission of the network administrator, we were able to recover the 128 bit secret key used in a production network, with a passive attack. The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure. This paper describes the attack, how we implemented it, and some optimizations to make the attack more efficient. We conclude that 802.11 WEP is totally insecure, and we provide some recommendations.

++++++++++++++++++++++++++++++++++++++++++++++++

Another one http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
Abstract from above site:
Problems
WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.

The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.

The initialization vector in WEP is a 24-bit field, which is sent in the cleartext part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. (The amount of time may be even smaller, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)
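
The two WEP defences described in the quoted FAQ, and why each fails, can be reproduced on constructed data. The block below is an added example, not code from this thread or from any 802.11 implementation: a fixed byte string stands in for an RC4 per-packet keystream (constructed), the plaintexts and MAC_KEY are constructed, and the HMAC-SHA256 functions are my contrast showing what a keyed integrity check does that CRC-32 cannot. It also carries the FAQ's IV-exhaustion arithmetic through as a function.

```python
"""Why WEP's two defences fail: keystream reuse and a linear (CRC-32) integrity check.

Added example, not code from the thread or from any 802.11 implementation.
A fixed byte string stands in for an RC4 keystream (constructed); HMAC-SHA256
is included only to contrast a keyed MAC with the CRC-32 Integrity Check.
"""
import hashlib
import hmac
import zlib

# Constructed stand-in for one per-packet RC4 keystream (IV || key expansion).
KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(64))
MAC_KEY = b"constructed-demo-mac-key"  # constructed, for the HMAC contrast only


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(keystream, plaintext):
    """WEP's scheme: append CRC-32 as the Integrity Check, then XOR with the keystream."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    if len(body) > len(keystream):
        raise ValueError("plaintext longer than the available keystream")
    return xor_bytes(body, keystream)


def wep_style_decrypt(keystream, ciphertext):
    """Return (plaintext, integrity_check_ok)."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, ic = body[:-4], body[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == ic


def reused_keystream_leak(c1, c2):
    """Two packets under the same keystream: c1 ^ c2 == p1 ^ p2, the keystream cancels."""
    return xor_bytes(c1, c2)


def crc32_is_linear(a, b):
    """Check crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    zeros = zlib.crc32(bytes(len(a)))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zeros


def flip_bits_fixing_crc(ciphertext, delta):
    """Apply plaintext difference `delta` to a WEP-style packet and correct the
    encrypted CRC using the linearity above. Neither key nor keystream is needed,
    which is exactly why a CRC is not an integrity check against an adversary."""
    n = len(ciphertext) - 4
    delta = delta.ljust(n, b"\x00")[:n]
    ic_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return xor_bytes(ciphertext, delta + ic_delta)


def mac_encrypt(keystream, mac_key, plaintext):
    """What a sound integrity check looks like: a keyed MAC over the ciphertext."""
    c = xor_bytes(plaintext, keystream)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def mac_decrypt(keystream, mac_key, packet):
    """Return (plaintext, True), or (None, False) if the tag does not verify."""
    c, tag = packet[:-32], packet[-32:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, False
    return xor_bytes(c, keystream), True


def iv_exhaustion_seconds(packet_bytes=1500, bits_per_second=11_000_000, iv_bits=24):
    """The FAQ's estimate: seconds for a busy AP to cycle through all 2^24 IVs."""
    return packet_bytes * 8 / bits_per_second * 2 ** iv_bits
```

The CRC property used by flip_bits_fixing_crc holds for any CRC with an initial value and final XOR, which is why the correction term is crc(delta) ^ crc(zeros) rather than just crc(delta). The same bit flip against mac_encrypt output fails verification, because HMAC is not linear in its input and depends on a key the modifier does not have; that, plus a nonce that is never reused, is the property the page's "Problems" section is really asking for.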


Posted by jcase on 11-27-2002 07:07 PM:

Military acronyms http://www.fas.org/news/reference/lexicon/acw.htm
WEP: (1) WWMCCS evaluation program, (2) Windows exit procedure, (3) weapon effect planning, (4) work execution plan

WEPH weapon phenomenology


Posted by UncaAndoo on 11-28-2002 05:33 AM:

Is everything okay? My client seems to be working fine, but my stats would indicate otherwise.

__________________
FOR SALE!!! Philips 14-hour SA w/lifetime

Philips 230-hour Combo Unit


Posted by DarkHelmet on 11-28-2002 07:09 AM:

FWIW, the 3.1 DTivo key is the same as the 3.2 SA key. We do not need to split the search effort.

Like on the 3.2 SA release, changing the 3.1 DTivo release key to a known hash yields the expected results.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by T_RJ on 11-29-2002 09:43 PM:

DarkHelmet

Your backdoor script works just fine on 3.1.
My DTiVo now opens backdoors with T1V0.

Thanks again for your help.

T


Posted by rbiro on 11-29-2002 10:10 PM:

If the 3.1 and 3.2 hashes are the same, that implies that any dictionary/limited-alphabet based approach should not rely on the version information (3.0, 3.1, 3.2).


Posted by rhagopian on 12-01-2002 01:21 AM:

Re: Re: Re: teoma bustin out with just one IP...

quote:
Originally posted by brianld
Serious horsepower! Too bad you had to give them up ...


Well, it's back for a bit this weekend :-)

-Rob


Posted by mark937 on 12-01-2002 04:41 PM:

quote:
Originally posted by T_RJ


Your backdoor script works just fine on 3.1.
My DTiVo now opens backdoors with T1V0.

T



Waiiiit....If 3.2 and 3.1 hashes are the same, why would an old backdoor code work on a 3.1 DTivo? Anyone try T1V0 on their 3.2???

__________________
Tivo Series 2- Unhacked 60hrs
Powered by 3.2 (Upgraded 12/11/02)


Posted by colemanr on 12-01-2002 05:09 PM:

quote:
Originally posted by mark937
Waiiiit....If 3.2 and 3.1 hashes are the same, why would an old backdoor code work on a 3.1 DTivo?


Because the backdoor script that he mentions changes the hash code to a known value (the one for "T1V0"). You can perform the same operation on a 3.2 box to change the hash code.

__________________
Rob


Posted by ThreeSoFar on 12-01-2002 06:04 PM:

Your algorithm(s) allow trailing spaces, right?

And two spaces in a row? Something like <3> <space> <space> <2> <space> <B> <space> <D>?

__________________
I think ThreeSoFar's advice is by far the best...gregpr

Four TiVos now, all with single Samsung drives:
Humax DRT800 w/DVD-R (174hrs)
Two older Series 2's (142hrs and 157hrs),and a newer nightlight
Series 2, a stupid case design IMO (174hrs)
All but the last are lifetimed. TiVite since 2000. There is a Good IR solution.

Got Vonage 4/9/03--need a referral credit?


Posted by dd9 on 12-02-2002 12:20 PM:

Did the server take a dirt nap?

All my clients errored over the last few hours and stopped retrying. If this happened for everyone else, it may be a few days before everyone realizes it and starts up again.

As of this post, I still cannot get a new workload.


Posted by EdwinOlson on 12-02-2002 01:57 PM:

The default sleep interval for the windows client is only one minute, which is really unfortunate.

If the server starts getting pounded, windows clients start failing, but keep pounding every minute. Thus the load goes up. So more requests fail, and so on and so on.

The server was inundated by requests. It was nuts! This sure has been an interesting lesson in server scalability.

I took it offline briefly, reoptimized the database (that seems to help a lot), and brought it back up. If you are restarting your windows client, please specify a longer timeout (10 minutes or so). If the server's down, trying again in just 60 seconds only makes things worse!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by cica on 12-02-2002 07:30 PM:

quote:
If the server starts getting pounded, windows clients start failing, but keep pounding every minute. Thus the load goes up. So more requests fail, and so on and so on.


Ed

I've run across this before. The only problem with your 10 minute request is that you're setting up a bomb that will go off in 10 minutes. It would be better if everyone picked a different multiplier for each machine. That way if you get inundated with requests at some moment, the subsequent requests will be spread out over the next several minutes.

-Tom


Posted by kgidley on 12-02-2002 07:47 PM:

Still better would be to modify the client itself to use a longer default sleep and to randomize the actual amount of time it slept before retrying. I.e. the default is 10 minutes, and it picks a random number distributed around that time (say 5-15 minutes).

I'm not too familiar with Windows development, but I have some time on my hands and I might be interested in taking a look at the client and making these mods. What is the development environment? I assume MFC?

__________________
Ken
HR10-250 - my new toy!
2 Hughes DTivos, (lifetime, 1 upgraded to ~188 hours, the other upgraded to ~230 hours.)


Posted by Wayne Bundrick on 12-03-2002 01:37 AM:

How about borrowing an idea from Ethernet? The good old binary exponential collision backoff algorithm! If a request fails, generate a random sleep interval between 1 and 2^k minutes where k is the number of consecutive retries, starting with 0. You can max out k at some high value, perhaps 6 for a sleep interval of up to 64 minutes. And don't forget to reset k to 0 upon success.
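
The retry policy proposed in the post above, with the per-machine spread cica asked for and the randomized interval kgidley described, as an added example. This is not code from the TiVoCrack/dclient sources: backoff_minutes implements "random sleep between 1 and 2^k minutes after the k-th consecutive failure, k capped at 6, reset on success", and simulate is a constructed toy model (client count, server capacity and seed are made up) that contrasts it with the 2.05 behaviour of every client retrying after exactly one minute.

```python
"""Exponential backoff with random jitter for a work-unit client.

Added example, not code from the TiVoCrack/dclient sources. It implements the
policy proposed in the thread (random sleep in [1, 2^k] minutes after the k-th
consecutive failure, k capped, reset on success) and compares it in a toy
simulation against retrying every minute. All simulation parameters are constructed.
"""
import random

MAX_K = 6  # cap on the exponent: at most 2**6 = 64 minutes, as proposed


def backoff_minutes(k, rng=random):
    """Sleep interval after the k-th consecutive failure (k starts at 0).

    Uniform in [1, 2**min(k, MAX_K)] minutes. Because every client draws its own
    value, a burst of simultaneous failures is spread out instead of being
    replayed all at once ten minutes later.
    """
    return rng.uniform(1, 2 ** min(k, MAX_K))


class RetryPolicy:
    """Tracks consecutive failures for one client; on_success() resets k to 0."""

    def __init__(self, rng=random):
        self.rng = rng
        self.failures = 0

    def on_failure(self):
        delay = backoff_minutes(self.failures, self.rng)
        self.failures += 1
        return delay

    def on_success(self):
        self.failures = 0


def simulate(n_clients, minutes, capacity, policy, seed=1):
    """Toy discrete-time model of the overload described in the thread.

    All clients ask for work at minute 0. In any minute where more than
    `capacity` requests arrive the server falls over and every request in that
    minute fails; otherwise all of them are served. `policy` is "fixed" (retry
    after exactly one minute, the 2.05 default) or "backoff". Returns how many
    clients got a work unit and how many requests failed in total.
    """
    rng = random.Random(seed)
    next_request = [0.0] * n_clients
    retry = [RetryPolicy(rng) for _ in range(n_clients)]
    served = [False] * n_clients
    failed = 0
    for minute in range(minutes):
        due = [i for i in range(n_clients)
               if not served[i] and next_request[i] < minute + 1]
        overloaded = len(due) > capacity
        for i in due:
            if overloaded:
                failed += 1
                delay = 1.0 if policy == "fixed" else retry[i].on_failure()
                next_request[i] = minute + delay
            else:
                served[i] = True
                retry[i].on_success()
    return {"served": sum(served), "failed_requests": failed}


if __name__ == "__main__":
    for policy in ("fixed", "backoff"):
        print(policy, simulate(n_clients=200, minutes=240, capacity=50, policy=policy))
```

With a fixed one-minute retry the model never recovers: every client comes back in the same minute, the server is over capacity in that minute, and the cycle repeats for the whole run. With the exponential random interval the arrivals thin out within a few minutes and the server starts handing out work units again, which is the point of drawing the delay per client rather than agreeing on one longer constant.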


Posted by cica on 12-03-2002 03:36 PM:

The random retry interval was what I was alluding to, but I was trying to avoid a 2.06 distribution.

-Tom


Posted by Jonathan_S on 12-03-2002 04:44 PM:

Maybe I'm braindead, but I was looking at the command line parameters for the windows 2.05 client and I don't see a way to modify the retry interval.

I'd like to configure my windows clients so they were nicer about it (probably not a big deal since I only have 3, but still...)

__________________
Sony T-60 - 109 hours


Posted by SpamapS on 12-03-2002 05:53 PM:

A solution to the evil windows clients (sort of)

Hi guys. Team SpamapS checking in here. As you may have read before, most of the stats for SpamapS are coming from the members of #LinuxHelp on Undernet

Anyways, one of our users was monkeying around with cygwin, and actually has gotten significantly higher numbers on XP with cygwin, than on the exact same box running Linux. He did this by compiling the client and openssl with some heavy optimizations. Here is the text of the email he sent me:

--------------------------------
On my Athlon XP 1600+ (1400 MHz) I am running Windows XP. When running the native Windows client for TiVo I got about 810 kKeys/sec with it. Noting that many people were getting closer to a 1 kKey:1 MHz performance ratio for AMD chips, I decided to see what I could do to optimize it. The Windows client requires the MS development tools to compile, so I got the latest Cygwin and installed (virtually) everything it had to offer. The openssl 0.9.6g I got from openssl.org DID NOT compile for me, so what I did was get the source for it during the Cygwin installation (it's an install-time option). The latest Cygwin ships with gcc 3.2, so I was all set to optimize openssl, and then dclient. Here is the ./config line I used for openssl:

./config --prefix=/usr/local --openssldir=/usr/local/openssl 386 shared "cygwin:gcc -O4 -fstrict-aliasing -fomit-frame-pointer -funroll-loops -finline-functions -mfpmath=sse -march=athlon-xp -mcpu=athlon-xp"

Then a simple 'make; make install' will finish the openssl installation. After optimizing and installing openssl, I altered the makefile for dclient and compiled it against the new openssl I installed in /usr/local/lib. The only things I changed in here were the LIBS= and CCFLAGS= lines:

LIBS = -L/usr/local/lib -lssl -lcrypto
CCFLAGS = -O4 -fstrict-aliasing -fomit-frame-pointer -funroll-loops -finline-functions -march=athlon-xp -mcpu=athlon-xp

The final product, after recompiling openssl and dclient, is 1375 kKeys/sec (about a 70% increase), which is well worth the extra effort. After I saw that, I went ahead and did the same thing to my dual-boot P3 1 GHz laptop (changing the -march= and -mcpu= values of course). With identical compilers, compile flags and whatnot on the same physical machine I get about 810 kKeys/sec on the Linux side, and near 840 kKeys/sec in Windows XP. No explanation for this, but I thought it was worth mentioning. As with all things, YMMV. Good luck with your optimizations!

----------------------------------


Posted by Myname17 on 12-04-2002 02:30 AM:

quote:
Originally posted by Jonathan_S
Maybe I'm braindead, but I was looking at the command line parameters for the windows 2.05 client and I don't see a way to modify the retry interval.

I'd like to configure my windows clients so they were nicer about it (probably not a big deal since I only have 3, but still...)



Neither could I. I found it in the source code, but I've never compiled anything for Windows. Does anyone know what compiler Barclay used? Do you need to use the same one, or will any C compiler do?

Mike


Posted by EdwinOlson on 12-04-2002 03:22 AM:

Version 2e is now available.

Changes:

* Has a new -t | --test mode which can be used for burning in machines/testing whether a machine is flakey. I encourage everyone to run the client in -t mode for >5 minutes before running in -r mode.

* Fixes a possible segfault that occurs when connection to the server fails

It's available here (in the usual place):

http://edo.lcs.mit.edu/dclient

If you aren't having problems with 2d, you don't need to upgrade. xemu, t7, can you try it in -t mode and see how long it takes it to fail?

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Cletus on 12-04-2002 03:32 PM:

Quick fix until someone comes with a better solution - Windows TiVoCrack 2.05 recompiled with a max number of retries set to 50, and interval between retries 2.5 minutes. I also changed the version to 2.051. This was an easy change, don't rely on me for more subtle adjustments.

__________________
If you can't beat'em... pay someone to do it.


Posted by Cletus on 12-04-2002 05:57 PM:

Okay, for the binary attached to my previous post I "borrowed" a friend's machine with Visual C++ 6.0 installed. I don't have VC++, so I have been working on converting the sources to a more budget-friendly development environment. I used Borland C++ 5.5 (free download from borland.com) with Quincy2000 as an IDE (from ftp.alstevens.com/quincy2000).

Attached you'll find an archive of the source files, including the Quincy .prj project file, and a few headers from Microsoft to help the resource file compile. The project file assumes that Borland C++ is installed in c:\bcpp - feel free to change it, but don't forget to reset the locations of includes, libs and in particular inet.lib. The project compiles with a few warnings.


BTW, it does not include the 50 retries/2.5 minutes modification from my previous post.

__________________
If you can't beat'em... pay someone to do it.


Posted by Cletus on 12-04-2002 05:59 PM:

And here's the binary.

__________________
If you can't beat'em... pay someone to do it.


Posted by TreborPugly on 12-04-2002 09:37 PM:

Source of the Hash other than subuni?

I asked this question many posts ago, with no response from anyone, perhaps because most people now participating in this thread are just interested in the task, but don't necessarily have a TiVo.

However, here it is again:

Has anyone besides subuni supplied the Hash table for 3.2? I know Otto supplied the table from 3.0 for testing, and some people have talked about successfully placing their own Hash table in to bypass this entire problem. But I have not seen independent verification that the hash we are working on is indeed the 3.2 Hash. Can anyone reassure me here?

Thanks,

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by ThreeSoFar on 12-05-2002 01:14 AM:

The 3.2 backdoor code is....

And I've been looking for the following in this thread ever since I found it:


"I found it!!!! The 3.2 backdoor code is...."

Unfortunately, I have yet to see it.

__________________
I think ThreeSoFar's advice is by far the best...gregpr

Four TiVos now, all with single Samsung drives:
Humax DRT800 w/DVD-R (174hrs)
Two older Series 2's (142hrs and 157hrs),and a newer nightlight
Series 2, a stupid case design IMO (174hrs)
All but the last are lifetimed. TiVite since 2000. There is a Good IR solution.

Got Vonage 4/9/03--need a referral credit?


Posted by ThreeSoFar on 12-05-2002 01:20 AM:

until now...

__________________
I think ThreeSoFar's advice is by far the best...gregpr

Four TiVos now, all with single Samsung drives:
Humax DRT800 w/DVD-R (174hrs)
Two older Series 2's (142hrs and 157hrs),and a newer nightlight
Series 2, a stupid case design IMO (174hrs)
All but the last are lifetimed. TiVite since 2000. There is a Good IR solution.

Got Vonage 4/9/03--need a referral credit?


Posted by tahoe2k on 12-06-2002 12:24 AM:

I am New, so please excuse. I made a linux boot disk and tried to look at the drive through a ( C). When it boots up it says:

(none) login:

Is this what you all are talking about?????
Just curious.


Posted by DarkHelmet on 12-06-2002 01:54 AM:

Re: Source of the Hash other than subuni?

quote:
Originally posted by TreborPugly
Has anyone besides subuni supplied the Hash table for 3.2? I know Otto supplied the table from 3.0 for testing, and some people have talked about successfully placing their own Hash table in to bypass this entire problem. But I have not seen independent verification that the hash we are working on is indeed the 3.2 Hash. Can anyone reassure me here?


Yes. Well, sort of. I found that DTivo-3.1 has got the exact same hash as the SA-3.2 release. Several folks have disassembled the part of the binary that deals with this string and confirmed that there is no funny business.

However, that doesn't guarantee that tivo didn't generate a bogus (i.e. impossible) hash specifically for the release builds.

But that isn't the reassurance that you wanted, was it?

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by rewilson on 12-06-2002 03:41 AM:

Can't run tivocrack under NIS 2003

Help! I've been slowly forced to remove some of my computers from the TiVoCrack effort. I had been able to have it running on 4 systems, but now two have reached the end of their Norton Antivirus update year. Rather than re-subscribe, I've upgraded them to the latest version of Norton Internet Security (2003). Once I've done that, TiVoCrack will no longer work. It connects fine, but the packet always comes back to it with an error (something like "error decoding packet"). My fastest system's AV updates expire in a few weeks, so it will soon be out of the effort if no one can come up with a way for me to get TiVoCrack running under NIS 2003!

I've tried disabling essentially ALL NIS functions, but the packets still can't be decoded. If I completely disable NIS 2003, then it works--but then I have NO protection. Using NetPeeker, it seems as if the packet returned to TiVoCrack with NIS2003 running is one byte longer than the one returned with it disabled. But then, I'm not an expert at interpreting NetPeeker output.

I've been delaying my upgrades of NIS until my AV subscriptions expire on each system--but I'm NOT going to go without up-to-date virus definitions!

Thanks for any help!
--Bob


Posted by EdwinOlson on 12-06-2002 01:37 PM:

rewilson- you could try running the unix version from cygwin. it uses different code to connect which may, or may not, have better luck connecting to the server.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Gerg on 12-06-2002 02:01 PM:

Why doesn't someone call Tivo support and fake the kind of problem that would make them ask you to enter the backdoor code? (i.e. get the code via social engineering)

-Greg

__________________
Why does man kill? He kills for food.
And not only food: frequently there must be a beverage.
-- Woody Allen, "Without Feathers"


Posted by bobsoron on 12-06-2002 03:02 PM:

quote:
Originally posted by Gerg
Why doesn't someone call Tivo support and fake the kind of problem that would make them ask you to enter the backdoor code? (i.e. get the code via social engineering)

-Greg


Careful. I was smacked around a little when I suggested that here a coupla weeks ago.


Posted by WayneGoode on 12-06-2002 05:36 PM:

Windows version 2.06 to solve server retry problem

Here is version 2.06 of the Windows client that deals with the problem of server retries. As was discussed in the thread, there is a problem when too many clients request a workunit from the server at the same time. Since the retry is the same for all clients, this just delays the problem a minute and everyone retries again at the same time.

As was suggested earlier in the thread, I changed the retry time. It was previously 1 minute. It is now a random exponential. On the first try it will wait a random interval between 1 and 2 minutes, the next try between 2 and 4 minutes, etc., up to between 32 and 64 minutes. I have also changed the definition of "infinite retries" (the default) from 10 to 100. This should take of care of the retry problem.

I also added a ‘b’ flag for other preset alphabets, ‘bn’ is numbers and space, ‘ba’ is letters and space, and, for the conspiracy theorists, ‘bp’ for all printable characters (ASCII 32-127).

I compiled this under Visual C++ 6.0 with the latest service pack (SP6?).

Although this is my first post, I read the entire thread after reading about the project in Good Morning Silicon Valley (http://gmsv.com) and have been running 2 computers on it since then (userid: WayneGoode).

I used to be a c and c++ programmer but now all I do is Access, VBA and ASP so I appreciate the chance to do a bit of c again.

All this and I don’t even own a TiVo. I have a ReplayTV, upgraded to 80G.

__________________
"Never play tri-dimensional chess with a robot that has a planet for a first name." Harry in "Prodigy" by Arthur Bryan Cover
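The retry schedule described in the post, written out as an added Python example (this is not WayneGoode's 2.06 client; the stub server and the function names are constructed for illustration). Attempt 0 waits a random 1 to 2 minutes, attempt 1 waits 2 to 4, and attempt 5 and every later one waits 32 to 64 minutes, with the client giving up after 100 consecutive failures. The sleep and the random source are injectable so the schedule can be exercised without actually waiting.

```python
import random
import time

MINUTE = 60
MAX_RETRIES = 100      # the post's new meaning of "infinite retries"
CAP_EXPONENT = 5       # 2**5 minutes = 32 min: lower edge of the final window


def retry_window(attempt):
    """Return (low, high) in seconds for the zero-based attempt number.

    attempt 0 -> (60, 120), attempt 1 -> (120, 240), ...,
    attempt 5 and beyond -> (1920, 3840), i.e. 32 to 64 minutes.
    """
    low = MINUTE * (2 ** min(attempt, CAP_EXPONENT))
    return low, 2 * low


def retry_delay(attempt, rng=random):
    """Pick a uniformly random delay inside this attempt's window."""
    low, high = retry_window(attempt)
    return rng.uniform(low, high)


def fetch_with_retry(get_work, sleep=time.sleep, rng=random,
                     max_retries=MAX_RETRIES):
    """Call get_work() until it returns, backing off between failures.

    Returns (work, attempts_used). Raises RuntimeError once max_retries
    consecutive calls have failed. The last failure does not sleep.
    """
    for attempt in range(max_retries):
        try:
            return get_work(), attempt + 1
        except ConnectionError:
            if attempt + 1 == max_retries:
                break
            sleep(retry_delay(attempt, rng))
    raise RuntimeError("gave up after %d attempts" % max_retries)


class FlakyServer:
    """Constructed stand-in for the work server: fails N times, then answers."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def get_work(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("server busy")
        return "WORKUNIT"


def simulate(failures, seed=1):
    """Run fetch_with_retry against a FlakyServer, recording the delays it
    would have slept instead of sleeping. Returns (work, attempts, delays)."""
    rng = random.Random(seed)
    delays = []
    server = FlakyServer(failures)
    work, attempts = fetch_with_retry(server.get_work, sleep=delays.append,
                                      rng=rng)
    return work, attempts, delays


if __name__ == "__main__":
    work, attempts, delays = simulate(failures=7)
    print(work, attempts, [round(d / MINUTE, 1) for d in delays])
```

The random spread inside each window is the part that matters: with a fixed one-minute retry every client that was refused together comes back together, which is exactly the pile-up the post describes; a randomised window spreads the retries out, and doubling the window keeps a persistently overloaded server from being hammered.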


Posted by Krugar on 12-06-2002 10:16 PM:

Is there something special I need to open in my firewall? I continue to get the following message:

quote:

16:55:36: -- TiVoCrack 2.05 started --
16:55:36: Getting the next work load
16:55:36: Error processing line from server
16:55:36: Error processing line from server
16:55:36: Error decoding the work unit!
16:55:36: Call failed, trying again
16:55:36: Sleeping for a minute



I can't find anything funny in my firewall logs either. No denials of traffic or rules failed. Hrmmm... I have about 20 PIII 1.2 GHZ with 512 MB each I would like to run over this weekend. But I can't get the dang thing to work. Any suggestions?


Posted by rewilson on 12-06-2002 11:55 PM:

quote:
Originally posted by Krugar
Is there something special I need to open in my firewall? I continue to get the following message:



I can't find anything funny in my firewall logs either. No denials of traffic or rules failed. Hrmmm... I have about 20 PIII 1.2 GHZ with 512 MB each I would like to run over this weekend. But I can't get the dang thing to work. Any suggestions?



Are you running Norton Internet Security 2003 (or Personal Firewall 2003)? I started getting the exact same error when I upgraded two systems from the 2002 version to the 2003 version (see my message about 6 posts up).

EdwinOlson--
Can I run the unix client under Win 2000 pro workstation? The systems upgraded are running windows and need to be kept up for other uses. If I can, where would I find the instructions? Thanks!

--Bob


Posted by Gerg on 12-07-2002 12:04 AM:

quote:
Gerg:
why isn't anyone using social engineering?

quote:
bobsoron:
Careful. I was smacked around a little when I suggested that here a coupla weeks ago.
I suggested it 3-4 weeks ago and was thoroughly ignored. I guess the thread participants just want to do it the hard way...

-Greg

__________________
Why does man kill? He kills for food.
And not only food: frequently there must be a beverage.
-- Woody Allen, "Without Feathers"


Posted by sjf on 12-07-2002 12:59 AM:

It has been said before -- there are NO scenarios that would prompt a CSR to try to enable backdoors. It is not a subscriber feature -- it's for (presumably) engineering development.

__________________
Instructions on a Swedish chainsaw: "Do not attempt to stop chain with your hands or genitals."


Posted by EdwinOlson on 12-07-2002 02:11 AM:

We climb the mountain because it's there. We search the keyspace for the same reason.

quote:
Originally posted by Gerg
I suggested it 3-4 weeks ago and was thoroughly ignored. I guess the thread participants just want to do it the hard way...

-Greg

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by EdwinOlson on 12-07-2002 02:13 AM:

Cygwin (http://www.cygwin.com) provides a unix-like environment on windows which can be used to compile and run the unix client. (Make sure you install openssl-devel, gcc, etc.)

The unix version doesn't have the capability of being run as a service so may not be appropriate in a computer lab context. There's no guarantee that the unix version will solve your problems, either. But it's worth a try!

-Ed

quote:
Originally posted by rewilson
EdwinOlson--
Can I run the unix client under Win 2000 pro workstation? The systems upgraded are running windows and need to be kept up for other uses. If I can, where would I find the instructions? Thanks!

--Bob

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by dd9 on 12-07-2002 02:41 AM:

quote:
Originally posted by Gerg
I suggested it 3-4 weeks ago and was thoroughly ignored. I guess the thread participants just want to do it the hard way...


Nobody is stopping you from picking up the phone. Have a party.


Posted by sjf on 12-07-2002 02:46 AM:

quote:
Originally posted by EdwinOlson
We climb the mountain because it's there. We search the keyspace for the same reason.


Reminds me of that old song -- "On a clear disk, you can seek forever!"

__________________
Instructions on a Swedish chainsaw: "Do not attempt to stop chain with your hands or genitals."


Posted by Wayne Bundrick on 12-07-2002 05:12 AM:

quote:
As was suggested earlier in the thread, I changed the retry time. It was previously 1 minute. It is now a random exponential.


I've been immortalized in code! But it wasn't my idea, I just borrowed it from Robert Metcalfe. Still, it makes as much sense for distributed computing projects as it did for Ethernet.


Posted by Krugar on 12-07-2002 07:19 AM:

hrmm not sure what the problem is. Edwin does the server do any sort of checks for fully qualified domain resolution or send an ICMP request hoping for a response? If so that is probably why my computers won't work at work. However, I have it running at home and talked a few friends into doing the same. oh well...


Posted by EdwinOlson on 12-08-2002 12:13 AM:

Huh?

We assume the URL is fully qualified, do DNS lookup if needed, then open up a socket to that IP. No ICMP.

quote:
Originally posted by Krugar
hrmm not sure what the problem is. Edwin does the server do any sort of checks for fully qualified domain resolution or send an ICMP request hoping for a response? If so that is probably why my computers won't work at work. However, I have it running at home and talked a few friends into doing the same. oh well...

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by jwdeff on 12-08-2002 01:46 AM:

What do you think the chances are that a developer already "tested" the real password and returned it as a "doesn't work"? Does the distributed software only allow the results back from the people it gave the work to?

Just a thought, haven't been watching the forum since it was slashdotted.


Posted by EdwinOlson on 12-09-2002 05:12 AM:

Clients can't choose which blocks they're issued, and unless you are issued (or conspire with another client who is issued a particular block), you can't submit results for it. (Each block has a 32 bit random # associated with it which is issued with the block and must be returned when the block is checked in.)

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
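A minimal server-side version of the check Ed describes, added here as an example (it is not the dclient server's code): each block is handed out with a fresh 32-bit random tag, and a check-in is accepted only for a block that was actually issued, only with the matching tag, and only once. The block names and the in-memory bookkeeping are constructed for the illustration.

```python
import secrets


class WorkServer:
    """Constructed stand-in for the work server (not its real code)."""

    def __init__(self, blocks):
        self.pending = list(blocks)   # blocks not yet handed out, server order
        self.issued = {}              # block_id -> 32-bit tag sent with it
        self.results = {}             # block_id -> reported result

    def issue(self):
        """Hand out the next block with a fresh random tag; None when exhausted.
        The client does not get to choose which block it receives."""
        if not self.pending:
            return None
        block_id = self.pending.pop(0)
        tag = secrets.randbits(32)    # the 32-bit random number from the post
        self.issued[block_id] = tag
        return block_id, tag

    def checkin(self, block_id, tag, result):
        """Accept a result only for an issued block, with the right tag, once."""
        if block_id not in self.issued:
            return "REJECT: block was never issued"
        if tag != self.issued[block_id]:
            return "REJECT: tag does not match"
        if block_id in self.results:
            return "REJECT: already checked in"
        self.results[block_id] = result
        return "OK"


def demo():
    """Walk one block through the exchange and return the status strings."""
    server = WorkServer(["block-0001", "block-0002"])
    block_id, tag = server.issue()
    return [
        server.checkin("block-0002", 0, "NOMATCH"),    # never issued
        server.checkin(block_id, tag ^ 1, "NOMATCH"),  # wrong tag
        server.checkin(block_id, tag, "NOMATCH"),      # legitimate check-in
        server.checkin(block_id, tag, "MATCH"),        # second verdict, refused
    ]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Note what the tag does and does not do: an outsider cannot check in a block it was never issued (guessing a 32-bit tag succeeds with probability 2^-32 per try), and a block cannot be reported twice; it cannot tell whether the verdict a legitimately issued client returns is honest, which is the case jwdeff asked about.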


Posted by ElVee on 12-09-2002 01:18 PM:

This from a complete novice who's been lurking and rooting you guys on, so if this question sounds crazy, please forgive me.

Is it possible that the code is actually something simple, something along the lines of those already suggested but the way it is entered has changed?

Say something like 3 2 B C ThumbsDown instead of ThumbsUp? Or 3 2 B C ThumbsUp ThumbsUp.

Or is the way it is entered not a factor. I'm not sure how the TivoCrack program works and whether or not it takes into account how a code is entered.

Just curious


Posted by Cletus on 12-09-2002 02:39 PM:

Hmm. I have 4 machines cranking on this, but the userstats page says it gets data from 3 IPs only. However when I look at the logs, all 4 are sending and receiving workunits. I wonder what's up with that. All 4 machines have unique public IP addresses.

__________________
If you can't beat'em... pay someone to do it.


Posted by bsnelson on 12-09-2002 03:51 PM:

quote:
Originally posted by ElVee
This from a complete novice who's been lurking and rooting you guys on, so if this question sounds crazy, please forgive me.
"You're crazy" (shameless "Win Ben Stein's Money" reference).

It's already been proven that, if the old hash is substituted for the new one, the old password (and entry technique) works. So, it's the same.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by rbiro on 12-09-2002 05:41 PM:

The only thing the substitution (3.0 for 3.2) definitely proves is that the last key required is a Thumbs-Up after the hash.
Is it possible that the Hash contains Thumb characters?
If I were in front of my Tivo now (3.0), I would try the backdoor code with random Thumbs in the middle. If 3 0 BC still worked, then those inputs are ignored and we'd know those 2 special chars are not in the hash alphabet.


Posted by EdwinOlson on 12-09-2002 05:57 PM:

I'd double check that all have the correct user name. If they do, and you suspect something is wrong on my end, I can scan my logs for your IP addresses and try to figure out what's going on.

-Ed

quote:
Originally posted by Cletus
Hmm. I have 4 machines cranking on this, but the userstats page says it gets data from 3 IPs only. However when I look at the logs, all 4 are sending and receiving workunits. I wonder what's up with that. All 4 machines have unique public IP addresses.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by WayneGoode on 12-09-2002 06:09 PM:

quote:
Originally posted by Krugar
Is there something special I need to open in my firewall?

16:55:36: -- TiVoCrack 2.05 started --
16:55:36: Getting the next work load
16:55:36: Error processing line from server
16:55:36: Error processing line from server
16:55:36: Error decoding the work unit!
16:55:36: Call failed, trying again
16:55:36: Sleeping for a minute



I have the same problem with a machine behind a firewall. I ran the program in the Visual C++ debugger. The workload that is returned looks valid. There is just a problem parsing it. In particular, the error is generated because the program finds the end of the string at character 233 when looking for "=".

I will try to look at this in more detail when I get some time.

__________________
"Never play tri-dimensional chess with a robot that has a planet for a first name." Harry in "Prodigy" by Arthur Bryan Cover


Posted by SpamapS on 12-09-2002 06:31 PM:

quote:
Originally posted by EdwinOlson
The unix version doesn't have the capability of being run as a service so may not be appropriate in a computer lab context. There's no guarantee that the unix version will solve your problems, either. But it's worth a try!

-Ed


Actually, you can use this command line:

cygrunsrv.exe --install dclient --path /usr/local/bin/dclient.exe --args '-rs http://edo.lcs.mit.edu/dclient/getwork.php -u SpamapS' --desc 'TiVo password cracking client'

You can change the username..... if you want.

Oh, and if you have problems with the service refusing to start ... you can uninstall/reinstall cygwin. That did the trick for me. :-P

I'm working on getting the cygwin version going, as a service, with nothing more than cygrunsrv.exe , dclient.exe, and cygwin1.dll . Time is kind of short this time of year though.


Posted by Piquan on 12-09-2002 07:09 PM:

quote:
Originally posted by rbiro
The only thing the substitution (3.0 for 3.2) definitely proves is that the last key required is a Thumbs-Up after the hash.


Here's a theory. This is total hypothesis, not anything based on reality.

Each time that thumbs-up is pressed, the buffer is rehashed. The first thumbs-up hashes the user entry area. The second would hash the result of that. After each thumbs-up, the hash buffer is compared to the constant.

This means that the code could be "3 2 BC" thumbs-up thumbs-up, or something. That would account for both the old code working, and our problems finding a new code.

Somebody disassembled that section before... can I get a confirm/deny here?


Posted by AALANman on 12-10-2002 04:15 AM:

Added 2 XP boxes to the effort today. Probably 2 more this weekend!


Posted by killersoundz on 12-10-2002 07:00 AM:

to compile or not to compile....

hello...

This is my first post, but i have been following this thread and running the client for some time.

I want to compile the unix client for a system that i don't use for much... but get an error.

make
don't know how to make httppost.o (bu42).

the system is an sgi running IRIX 6.5.something and has a mips processor.

i figured i could add at least a little muscle with this old box, but i can't get the client to even begin to compile.

also, speak as to a child concerning unix and unix like environments... still learning

Thanks,
killersoundz

__________________
No trees were harmed in the sending of this message, however, a large number of electrons were severely inconvenienced. :)


Posted by Piquan on 12-10-2002 08:46 AM:

A slightly different approach

I'm thinking that maybe some domain-specific knowledge may be useful here.

In particular, we can be relatively sure that there's a lot of repetition going on here. No developer is going to want to type in a long backdoor code without a lot of repetition. Our current work assumes liberal use of spaces (since the FF key makes this easy), but straight reps are just as fast.

So, I've been playing around with a brute-force approach that uses a small number of characters, but repeats them a lot. This version is pretty much a quick hack, but I'm hoping it inspires some good thought from the 3.2 community.

Included is the program I'm playing with right now. It uses the FreeBSD-specific SHA1 routines; could somebody please let me know how to use the (more portable) OpenSSL routines? If you want to see how things stand, press Ctrl-T. You'll see the CPU time it's used (before the letter "u"), the CPU percentage, the current hash, how many keys have been tested, and the current plaintext key (along with a few other stats).

For reference, on my 800 MHz K6, I'm getting 624332 keys/sec, not including the ones that are skipped because they're longer than the 20-character limit.

Any thoughts on this approach?

Another idea to explore involves character ordering. For example, if there's a B and a D, then the B probably comes first. Also, I understand that every possible key of length < 8 has been tested, so I may want to add code to skip them out of pocket.

Share and enjoy,
Piquan


Posted by mstroh on 12-10-2002 08:48 AM:

FWIW,

My tivo switched to 3.2 about an hour ago.

No more backdoors, just when I was learning how to use them!

-mike

BTW, I went from 3.0 directly to 3.2 and I have had my S2 (with lifetime sub) for about 2 months.


Posted by mackman on 12-10-2002 10:00 AM:

SHA hashes?

Can someone please post the 3.0 and 3.2 backdoor code SHA hashes? I'd like to write my own app to help crack it.


Posted by dd9 on 12-10-2002 02:38 PM:

Re: SHA hashes?

quote:
Originally posted by mackman
Can someone please post the 3.0 and 3.2 backdoor code SHA hashes? I'd like to write my own app to help crack it.


They're in this thread somewhere if you dig a little.

Curiously, what are you going to be able to do on your own that a consolidated effort cannot? Wouldn't you be better off just contributing your machine by running the client?


Posted by gmitch64 on 12-10-2002 03:00 PM:

quote:
Originally posted by WayneGoode
I have the same problem with a machine behind a firewall. I ran the program in the Visual C++ debugger. The workload that is returned looks valid. There is just a problem parsing it. In particular, the error is generated because the program finds the end of the string at character 233 when looking for "=".

I will try to look at this in more detail when I get some time.




I am getting the same error from behind our office firewall as well.


Posted by Piquan on 12-10-2002 07:03 PM:

Re: Re: SHA hashes?

quote:
Originally posted by dd9
Curiously, what are you going to be able to do on your own that a consolidated effort cannot? Wouldn't you be better off just contributing your machine by running the client?

There may be other approaches to the problem that are worth trying (see my last post, on the previous page). For example, it's a pretty safe bet that the distributed client will not find anything over 12 characters before the next TiVo version is released and it becomes irrelevant.

While I think the client is a great piece of work, and want it running on as many machines as possible, I also think it's time to explore alternative techniques. I think that we may need to get talking again about other things to check. For example, I've got a computer running over the next four days, looking for any pattern of four characters, each repeated up to five times, and with up to three whitespace characters after each. I personally think that this is another set worth checking, most of which won't ever be tested by the client.

So, I think we need to share some of the tools for everybody to do their own investigation.

In response to the OP: The 3.0 hash "3 0 BC" is 5CA5D9DBE5338BAB8690C79C9A9310BCD3A8F23B. The 3.2 hash is 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4, and there are now multiple confirmations that it hasn't changed since the official release.

Remember that these are in a byte-swapped order from what an x86 will produce. Enclosed is a perl script to perform the conversion. (Sorry about the filename; the message board won't let me attach files without a txt extension.) Just feed it any hashes you want to convert, one per line. The operation is symmetric: the same program converts x86->PPC and PPC->x86.

If you want to generate a hash from the command line, you can do so easily enough from Unix using openssl and the enclosed program:
thor$ echo -n '3 0 BC' | openssl dgst -sha1 | tivoswab
5ca5d9dbe5338bab8690c79c9a9310bcd3a8f23b

I also have a couple of Perl scripts that are frameworks to generate and test variations of keys, and the C program from my last post can be used if you've got a lot of keys to check. Let me know if you need them.
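Piquan's swab script and his brute-force program are attachments that are not reproduced in this archive. The following is an added Python example (not Piquan's code) covering the two ideas from his posts above: the x86/PPC conversion, implemented here as a byte reversal inside each 32-bit word of the digest (an assumption drawn from the "byte-swapped order" description; like the script it is symmetric, so the same function goes both ways), and a generator for the "few characters, each repeated, with some whitespace after each" search from his earlier post, restricted to the 8 to 20 character range he mentions. The two hashes from the thread are included as constants; the search target in the demo is constructed from a known plaintext so that a run finishes quickly.

```python
import hashlib
from itertools import product

HASH_3_0 = "5ca5d9dbe5338bab8690c79c9a9310bcd3a8f23b"   # from the thread
HASH_3_2 = "96f8b204fd99534759a6c11a181eeddfeb2df1d4"   # from the thread
MIN_LEN, MAX_LEN = 8, 20   # lengths < 8 reported as searched; 20 is the entry limit


def swab(hexdigest):
    """Reverse the byte order inside each 4-byte word of a hex digest.

    Assumed form of the x86 <-> PPC conversion. Applying it twice returns
    the original, so one function serves both directions.
    """
    raw = bytes.fromhex(hexdigest)
    if len(raw) % 4:
        raise ValueError("digest length must be a multiple of 4 bytes")
    words = (raw[i:i + 4] for i in range(0, len(raw), 4))
    return b"".join(w[::-1] for w in words).hex()


def tivo_hash(plaintext):
    """SHA-1 of the entered code, converted to the stored (swapped) order."""
    return swab(hashlib.sha1(plaintext.encode("ascii")).hexdigest())


def candidates(chars, max_rep=5, max_ws=3):
    """Yield keys built from `chars` in the given order: each character
    repeated 1..max_rep times and followed by 0..max_ws spaces, keeping only
    keys whose length lies in [MIN_LEN, MAX_LEN]."""
    n = len(chars)
    for reps in product(range(1, max_rep + 1), repeat=n):
        for ws in product(range(max_ws + 1), repeat=n):
            key = "".join(c * r + " " * w for c, r, w in zip(chars, reps, ws))
            if MIN_LEN <= len(key) <= MAX_LEN:
                yield key


def search(target_hash, chars, max_rep=5, max_ws=3):
    """Return the first candidate whose swapped SHA-1 equals target_hash,
    or None when the whole pattern set has been exhausted."""
    target = target_hash.lower()
    for key in candidates(chars, max_rep, max_ws):
        if tivo_hash(key) == target:
            return key
    return None


if __name__ == "__main__":
    print("3 0 BC ->", tivo_hash("3 0 BC"),
          "matches thread's 3.0 hash:", tivo_hash("3 0 BC") == HASH_3_0)
    demo_target = tivo_hash("33 22 BBCC")    # constructed target for the demo
    print("recovered:", search(demo_target, "32BC"))
```

For four characters with up to five repeats and up to three trailing spaces the generator produces at most 5^4 * 4^4 = 160000 keys per ordering, a few hundred milliseconds of SHA-1 in Python, so the cost of this search is dominated by how many orderings of characters one chooses to try, not by the repetition pattern.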


Posted by WayneGoode on 12-10-2002 07:54 PM:

Solving errors behind firewalls

Here is Windows version 2.07 to (hopefully) solve the problem some people are having when trying to run behind a firewall.

By comparing a Work Unit received on a computer behind a firewall that had an error to one received on a computer not behind a firewall that did not have an error, I found the work unit that failed had 7 extra characters, specifically ^M ^J 0 ^M ^J ^M ^J. I don’t know what causes this.

My simple fix is to look for “STATUS=OKAY^J”, which appears to be the last text in a valid Work Unit, and if the next character is a control character, then chop it off along with everything after it. The program reports to the log the number of characters that were chopped off.

This solved the problem for me. If you are having a problem behind a firewall, try this and let me know if it solves the problem.

__________________
"Never play tri-dimensional chess with a robot that has a planet for a first name." Harry in "Prodigy" by Arthur Bryan Cover


Posted by rwc101010 on 12-10-2002 09:13 PM:

Ok, so here's my theory . . . maybe there are "new features" included in the newest versions of the TiVo software that just aren't ready for primetime yet (maybe they are in distributed BETA testing or something). If that were the case, it would make sense that TiVo would want to make the code very hard to guess (or brute force), and would avoid the release of the codes until after they have released such "new features" to the general public.

That being said, has anyone that has been successful in changing their backdoor code and accessing the backdoors function noticed anything new in the latest software versions?

If so, what have you seen, and what hardware platform are you on.

Anyone under NDA need not respond

-- Robert

__________________
HDVR2 - 200+ Hours
HDVR2 - Stock
HR10-250 - Stock


Posted by David Bolling on 12-10-2002 09:51 PM:

Can the server give more priority to the patterns that include spaces?

For example I would think we would want to first check all patterns that include one character words (with each word separated by a space), up to a length of 12 or so characters, then move on to the patterns that include one or two character words of all lengths up to 12 characters, then move on to the 1-3 character word patterns. Within those searches include the "space" character as a valid character for a word, so as to include consecutive spaces in the search space.

As my machine chugs along checking a password that starts with "QKTC", I'm just not inclined to think that will generate a match. And it seems we could be giving more priority to patterns with a space as the most common character.

And as a final point, if the alphabet set had the "space" listed first, we'd at least be checking the space before the rest of the characters, probably a good idea as the pattern length increases.

Have these ideas been discussed? I apologize for not reading all the pages of this thread carefully enough to know.


Posted by rewilson on 12-10-2002 11:24 PM:

Re: Solving errors behind firewalls

quote:
Originally posted by WayneGoode
Here is Windows version 2.07 to (hopefully) solve the problem some people are having when trying to run behind a firewall.

By comparing a Work Unit received on a computer behind a firewall that had an error to one received on a computer not behind a firewall that did not have an error, I found the work unit that failed had 7 extra characters, specifically ^M ^J 0 ^M ^J ^M ^J. I don’t know what causes this.

My simple fix is to look for “STATUS=OKAY^J”, which appears to be the last text in a valid Work Unit and if the next character is a control character, then chop off it and everything after it. The program reports to the log the number of characters that were chopped off.

This solved the problem for me. If you are having a problem behind a firewall, try this and let me know if it solves the problem.



Thanks for the update. However, I'm still getting the "error decoding work unit" error behind the Norton Internet Security 2003 firewall. From the limited analysis using netpeek, it looked like I was only getting 1 extra character. Is it possible to have it look for "STATUS=OKAY" (not including ANY control characters in the match), and replacing anything afterwards with just ^J?

--Bob


Posted by Piquan on 12-10-2002 11:51 PM:

quote:
Originally posted by David Bolling
Can the server give more priority to the patterns that include spaces?

The way I understand it, the current system does not use spaces the same as it uses other characters, because of how previous codes have looked. Instead, an individual key consists of a pattern and characters to plug into it. For example, the pattern "? ? ??" combined with the characters "32BC" will result in testing "3 2 BC".

Piquan

Add'l: Okay, it looks like I may have spoken too soon. While that is how the client works, the server seems to be sending out patterns of just straight questionmarks (presently "??????????"), and letting spaces be part of the alphabet.


Posted by Piquan on 12-11-2002 12:06 AM:

I think I may have a hypothesis on the firewall issues.

It looks like dclient (so probably also tivocrk) uses HTTP to get its work units, probably so that firewalls pass it. However, HTTP (like all Internet protocols, IRC being the only notable exception) uses ^M^J (\r\n) as the line terminator, whereas it looks like dclient uses just ^J (\n) as the line terminator.

This confuses firewalls that act as transparent proxies, so they inject garbage.

Just a hypothesis, but it seems to make sense.
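The seven extra bytes WayneGoode listed for the 2.07 fix, ^M ^J 0 ^M ^J ^M ^J, are the trailer of an HTTP chunked transfer encoding (the CRLF that ends the last data chunk, then a zero-length chunk), which fits the proxy hypothesis above. Here is an added Python example, not the 2.07 client code, that cleans a work unit along the lines of WayneGoode's fix and rewilson's request: it stops at the "STATUS=OKAY" line, accepts either a bare ^J or ^M^J ending it, discards whatever follows and reports how many bytes were dropped. The field names in the sample units are constructed, since the thread does not show the real work-unit format.

```python
TERMINATOR = b"STATUS=OKAY"


def clean_work_unit(raw):
    """Return (text, chopped): the unit up to and including its STATUS line
    with line ends normalised to "\\n", plus the number of trailing bytes
    discarded after that line. Raises ValueError if no STATUS line exists."""
    idx = raw.find(TERMINATOR)
    if idx < 0:
        raise ValueError("no STATUS=OKAY line in work unit")
    end = idx + len(TERMINATOR)
    tail = raw[end:]
    # The STATUS line may end in a bare LF (what the client expects) or in
    # CRLF (what an HTTP-aware proxy may rewrite it to); consume either one.
    if tail.startswith(b"\r\n"):
        tail = tail[2:]
    elif tail.startswith(b"\n"):
        tail = tail[1:]
    kept = raw[:end].replace(b"\r\n", b"\n").decode("ascii") + "\n"
    return kept, len(tail)


def parse_work_unit(raw):
    """Parse the KEY=VALUE lines of a cleaned unit into a dict. Also returns
    the chopped-byte count so a client can log it the way 2.07 does."""
    text, chopped = clean_work_unit(raw)
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if "=" not in line:
            # The failure the thread reports: end of string reached with no "=".
            raise ValueError("line %d has no '=': %r" % (lineno, line))
        key, value = line.split("=", 1)
        fields[key] = value
    return fields, chopped


# Constructed sample unit with bare LF line ends, the form the client expects.
CLEAN_UNIT = (b"BLOCK=12345\n"
              b"PATTERN=??????????\n"
              b"ALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \n"
              b"STATUS=OKAY\n")

# The same unit with the seven bytes reported in the thread appended
# (^M ^J 0 ^M ^J ^M ^J), and a CRLF-rewritten variant.
PROXIED_UNIT = CLEAN_UNIT + b"\r\n0\r\n\r\n"
CRLF_UNIT = CLEAN_UNIT.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    for name, unit in [("clean", CLEAN_UNIT), ("proxied", PROXIED_UNIT),
                       ("crlf", CRLF_UNIT), ("one extra", CLEAN_UNIT + b"\n")]:
        fields, chopped = parse_work_unit(unit)
        print("%-9s chopped=%d pattern=%s" % (name, chopped, fields["PATTERN"]))
```

Truncating at the STATUS line makes the parser indifferent to what a proxy appends; normalising CRLF makes it indifferent to what a proxy rewrites. Either change alone would leave one of the two reported symptoms (seven extra bytes, one extra byte) unexplained, which is why the example does both.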


Posted by gmitch64 on 12-11-2002 01:59 AM:

Re: Re: Re: SHA hashes?

The 3.2 hash is 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4

I assume that there's been confirmation from 2 or more people that the hash is the same on both their 3.2 machines? I'm thinking about them maybe being different on each machine, using something like their serial number etc as the Backdoor key?


Graham
(Just upgraded to 3.2 30 mins ago)


Posted by Piquan on 12-11-2002 02:04 AM:

Re: Re: Re: Re: SHA hashes?

quote:
Originally posted by gmitch64
The 3.2 hash is 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4

I assume that there's been confirmation from 2 or more people that the hash is the same on both their 3.2 machines?



Yes.


Posted by gmitch64 on 12-11-2002 01:36 PM:

Re: Solving errors behind firewalls

> Here is Windows version 2.07 to (hopefully) solve the problem some
> people are having when trying to run behind a firewall.

I am still getting the error when running behind our office firewall.


Graham


Posted by EdwinOlson on 12-11-2002 03:30 PM:

We're getting a lot of repeats of old questions. Rather than answer them again, if you haven't read or searched this thread, you should do that. For the record, I encourage people to try other approaches. I've searched all of the "probable" keyspace that I can think of-- hence, the very brute-force attack. Searching 11+0 is utterly pointless, so after 10+0, I give up! Of course, that's about 60 days from now...

Oh, and there's a very minor revision of the client available, version 2f, which should fix bus errors on architectures which are picky about integer alignment. (sparcs, for example.) Only those who can't get the client to run need bother.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by ThreeSoFar on 12-11-2002 03:40 PM:

Is there any chance you've already passed it in something under 10 characters? I.e., would any of the code changes/fixes involved have led to skipping some of the space?

__________________
I think ThreeSoFar's advice is by far the best...gregpr

Four TiVos now, all with single Samsung drives:
Humax DRT800 w/DVD-R (174hrs)
Two older Series 2's (142hrs and 157hrs),and a newer nightlight
Series 2, a stupid case design IMO (174hrs)
All but the last are lifetimed. TiVite since 2000. There is a Good IR solution.

Got Vonage 4/9/03--need a referral credit?


Posted by David Bolling on 12-11-2002 03:44 PM:

quote:
Originally posted by EdwinOlson
We're getting a lot of repeats of old questions. Rather than answer them again, if you haven't read or searched this thread, you should do that.
Is there a way to search a thread that I don't know about? I know I can search the forums to find threads, but searching a particular thread that has over a hundred pages is very difficult. I can search for particular posts, but not limited to one thread, and even that produces pages of at most 25 posts. If there was a way to get the whole thread on one page, or a way to download the thread, it would be easier. But as is, I think we'd have to go through every page looking for the info we're looking for. I know it might be a pain to answer the same questions, but that might be necessary in a thread such as this given the forum limitations. At the same time you could add the answer to the FAQ on DClient Central.


Posted by DaveLessnau on 12-11-2002 05:06 PM:

I don't know if this link will work, but it's supposed to be a printable version of all 937 posts in this thread on one page:

http://www.tivocommunity.com/tivo-v...657&perpage=937

You can generate it yourself by clicking the "Show Printable Version" at the very top or bottom of the screen in the thread and then telling it to put it all on one page. Just found it myself. Cool.

__________________
Dave Lessnau

TiVo TCD240080 w/ Belkin F5D5050 USB Ethernet Adapter and 160GB 7200RPM Samsung SP1604N drive (150hrs 53mins @ Basic) with 4.0.1 Philips HDR112 w/ TurboNET and 120GB 5400 RPM Maxtor drive (145hrs 6mins @ Basic) with 3.0. Both hooked through powerlines to the internet via LinkSys PLEBR10 PowerLine EtherFast 10/100 Bridges, a D-Link DSS-5+ Switch, a SonicWall SOHO3 Internet Security Appliance, and finally a Toshiba PCX1100U Cable Modem (PCX DOCSIS)


Posted by Cletus on 12-11-2002 05:23 PM:

quote:
Originally posted by EdwinOlson
We're getting a lot of repeats of old questions. Rather than answer them again, if you haven't read or searched this thread, you should do that. For the record, I encourage people to try other approaches. I've searched all of the "probable" keyspace that I can think of-- hence, the very brute-force attack. Searching 11+0 is utterly pointless, so after 10+0, I give up! Of course, that's about 60 days from now...
-Ed



95 days and dropping, according to the stats page...

__________________
If you can't beat'em... pay someone to do it.


Posted by David Bolling on 12-11-2002 05:45 PM:

quote:
Originally posted by DaveLessnau
I don't know if this link will work, but it's supposed to be a printable version of all 937 posts in this thread on one page ... You can generate it yourself by clicking the "Show Printable Version" at the very top or bottom of the screen in the thread and then telling it to put it all on one page. Just found it myself. Cool.
Cool indeed. Thanks. That's exactly what I needed to search the whole thread for "space".

After reviewing that discussion I have two comments:

1) We should do 8+2, 8+3, 8+4, and 8+5 spaces before we go on to 10+0.

2) I saw no mention of the optimization whereby the alphabet need NOT include the space character in an 8+3 search once 9+2 has already been searched.


Posted by David Bolling on 12-11-2002 06:02 PM:

quote:
Originally posted by David Bolling
2) I saw no mention of the optimization whereby the alphabet need NOT include the space character in an 8+3 search once 9+2 has already been searched.
I meant it the other way around. Once 8+3 has been searched, a 9+2 search need not include the space character in the alphabet.

I also think no more +0 search spaces need be done. It seems a better use of time to concentrate on search spaces with no more than 8 alphanumeric characters, using the above alphabet optimization where possible.


Posted by David Bolling on 12-11-2002 06:33 PM:

quote:
Originally posted by Cletus
95 days and dropping, according to the stats page...
Is that to finish our current search space?

I see I counted wrong, also. We're already working on 10+0.

Should we suspend working on 10+0 and switch to working on the other 8+n spaces that haven't been done, up to 8+5, then move to the 9+n spaces up to 9+4?

The reason I suggest this is because interest in participating appears to be waning, and I would think we'd want to work on the more likely patterns first. I think 8+5 is more likely to find a match than 10+0, and is quite a bit smaller of a search space.


Posted by UncaAndoo on 12-11-2002 08:25 PM:

Do we really want it?

I am one of the people who thinks the code is something like "AAAAAAAAAAAAAAAA". As such, we won't find the code in a reasonable amount of time.

I don't know if I should say it, but that being said, there is a simple way to find the backdoor code.

http://arstechnica.com/archive/news/1039634153.html

$1200/hour of 14TFLOP processing.

__________________
FOR SALE!!! Philips 14-hour SA w/lifetime

Philips 230-hour Combo Unit


Posted by UncaAndoo on 12-11-2002 10:03 PM:

Seriously though, does anyone with more distributed computing/supercomputing know how much processing time would be necessary?

__________________
FOR SALE!!! Philips 14-hour SA w/lifetime

Philips 230-hour Combo Unit


Posted by EdwinOlson on 12-11-2002 11:57 PM:

Let's put some of this in perspective:

9+2 is NOT a subset of 8+3. It's the other way around. M+N doesn't mean it includes exactly N spaces, it means it includes AT LEAST N spaces. Hey, it's my notation, I get to decide.

8+1, 8+2 are searched. How big is 8+3? Well, that's 4 times longer than 9+0. In other words, a couple weeks of our computing power. How big is 8+4? About half of 10+0. 8+5? about the same size as 10+0. It's not like these are little pocket change sequences that we can search really fast. At this point, we're talking about sequences so long that any sequence at all-- no matter how you constrain it-- is still a huge search space.

11+0 is a lost cause for us too. It's 69 MILLION work units. We'd measure the search time in years.

Someone mentioned using a super computer. How long would it take to search 15+0? We'd need a million machines (at 1 MKey/sec) for 10,000 years. 14TFlops is perhaps the same as ~30,000 slowish machines. I think they say 9,000 in the article? So in other words, it wouldn't really help us. The full search space is equivalent to about 104 bits. That's so big it makes my eyes bulge out.

I would *definitely* encourage someone to try to find a way to search "repetitive" key spaces. It's not as easy as it sounds, but there are a lot of smart people on this forum.

Where's my money? Well, I'm about 60% thinking that the hash is bogus. About 20% thinking that it's a really long string that may someday get leaked out to us (or perhaps we'll find). The other 20% is that--and I hate this one--there's a problem with our approach. Maybe there was a small change to the SHA1 that we didn't see by looking at the assembly. Maybe there's some awful endianness problem. Maybe my code is just buggy and isn't actually searching the keyspace right. That's one of the reasons it's open source!

I think it's absolutely great, though, how much support this project has gotten. And I've had a heck of a lot of fun working on it! So hurrahs all around.

-Ed
(PS: keep cracking!)

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by Piquan on 12-12-2002 12:14 AM:

It depends a LOT on the keylength. The keyspace we've got left in 10-character keys should be doable in about two days ($72k) using this network. The entire remaining keyspace would take about 7,312,316,880,125,952 times that much.

To put it differently: If Mars's moon Phobos was made of 6 karat gold, we could use it to pay for the CPU time needed to crack a 20-character key.
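
Ed's M+N sizes and Piquan's time estimate above come straight out of a few lines of combinatorics. The block below is an added example written for this edit, not code from the thread or from dclient. It reads M+N literally as Ed defines it (M+N characters drawn from A-Z0-9 plus the space, with at least N of them spaces), and the machine count and per-machine rate are the round numbers from his post, used here only for illustration.

```python
"""Keyspace sizes for the M+N notation used in this thread.

Added example (not from the thread or from dclient). An M+N string has M+N
characters from the 36 typable characters A-Z0-9 plus the space, with AT LEAST
N of them spaces, exactly as EdwinOlson defines the notation above. The key
rate used in __main__ is an illustrative assumption, not a measured figure.
"""
from math import comb, log2

ALNUM = 36                  # A-Z0-9
ALPHABET_SIZE = ALNUM + 1   # plus the space character
FULL_LENGTH = 20            # longest code the thread considers


def mn_size(m: int, n: int) -> int:
    """Number of strings of length m+n with at least n spaces.

    For each k >= n: choose the k space positions, fill the rest with alphanumerics.
    """
    length = m + n
    return sum(comb(length, k) * ALNUM ** (length - k) for k in range(n, length + 1))


def in_space(code: str, m: int, n: int) -> bool:
    """Membership test matching mn_size(): right length, only typable chars, >= n spaces."""
    typable = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")
    return len(code) == m + n and set(code) <= typable and code.count(" ") >= n


def bits(size: int) -> float:
    """Equivalent key length in bits, the yardstick Ed uses ("about 104 bits")."""
    return log2(size)


def years_to_search(size: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a space at a given aggregate key rate."""
    return size / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for m, n in [(9, 0), (8, 3), (9, 2), (8, 4), (8, 5), (10, 0), (11, 0)]:
        size = mn_size(m, n)
        print(f"{m}+{n}: {size:.3e} keys, {bits(size):5.1f} bits")
    # every M+N space that contains the old 3.0 code "3 0 BC" (6 chars, 2 spaces)
    print([(m, n) for m in range(1, 7) for n in range(0, 6) if in_space("3 0 BC", m, n)])
    # a million machines at 1 MKey/s each against every 15-character string
    print(f"15 chars: {years_to_search(ALPHABET_SIZE ** 15, 1e6 * 1e6):,.0f} years")
    print(f"full {FULL_LENGTH}-character space: {bits(ALPHABET_SIZE ** FULL_LENGTH):.1f} bits")
```

Under this definition 8+3 is a subset of 9+2 (every 11-character string with at least three spaces also has at least two), which is the correction Ed makes above, and the 15-character figure comes out at roughly ten thousand years.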


Posted by Piquan on 12-12-2002 01:10 AM:

quote:
Originally posted by EdwinOlson
I would *definitely* encourage someone to try to find a way to search "repetitive" key spaces. It's not as easy as it sounds, but there are a lot of smart people on this forum.
I've got a program running now to do that; see my recent post on the matter. I'm presently searching all keyspaces of the form "AA BBB C DDDD ", where the letters are chosen from the typable alphabet (A-Z0-9), the number of repetitions of each letter is from 1-5, and the whitespace after each letter varies from 0-3. I'm presently on "KK 333 RRR I ". (This increments from right to left, first the whitespace, then the reps of the letter, then the letter, so I'm about 1/4 of the way through after almost a day.) I recently stopped dclient so I can give more CPU to this program.

I encourage other people to come up with other approaches. I've already sent out three helper utilities that you can use as "shells" to write your own ideas, or use as-is to test whims.
quote:
Where's my money? Well, I'm about 60% thinking that the hash is bogus.

I don't think it's bogus. I don't see the developers putting in a bogus hash just to toy with us; I'd expect they'd have cut out the backdoor instead.

Remember that the early 3.2 stuff that leaked into the marketplace via new S2 purchases had the same hash code, so I also don't think they just left it as a useful code during beta and later changed it to random bytes.
quote:
About 20% thinking that it's a really long string that may someday get leaked out to us (or perhaps we'll find).

I think this is possibly the most likely scenario. I also think that perhaps it's based on repetition, since not many developers are going to write a backdoor code that's a royal pain for them to enter. Remember that Larry Wall says that laziness is one of the three great virtues of programmers.
quote:
The other 20% is that--and I hate this one--there's a problem with our approach. Maybe there was a small change to the SHA1 that we didn't see by looking at the assembly. Maybe there's some awful endianness problem. Maybe my code is just buggy and isn't actually searching the keyspace right. That's one of the reasons it's open source!
Hmm... The idea of changing SHA1 is interesting. A change to the IV would mean that the 3.0 hash would no longer work, period. However, there are a few strange perturbations that may still be used. For example, if the message padding used a constant of 48 in place of the length word, then the 3.0 hash would still work, but it would frustrate our current key-cracking efforts, (assuming that the key is not of length 6), despite being cryptographically weaker. (There are some flaws with this particular hypothesis, but I don't want to give better perturbations for fear of giving TiVo ideas!)

I suppose the best way to test this would be to plug in computed hashes for selected keys, and an operator tests each one to see if it works. To reduce the time it takes, is there a way to change resources on a running TiVo, or maybe with just a kill and restart to myworld?

A bug in the program would be possible, although I think the "3 0 BC" tests you occasionally run may help prevent that. (You have run a test with the keyspace you use for a "3 0 BC" test, while searching for the new hash, right?)
quote:
I think it's absolutely great, though, how much support this project has gotten. And I've had a heck of a lot of fun working on it! So hurrahs all around.
Me too! I think that the dclient effort is a great thing, but I also think other approaches may be useful.

Cheers,
Piquan
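
Piquan's "constant of 48 in place of the length word" remark above is concrete enough to try out. A 6-character ASCII code is 48 bits long, so a SHA-1 whose padding always writes 48 as the message length still produces the 3.0 hash for "3 0 BC" while giving a different digest for every other length, and a brute-force client computing standard SHA-1 would see nothing but misses. The block below is an added example written for this edit (not code from the thread or from dclient): a compact SHA-1 with the length field made pluggable, checked against Python's hashlib before it is trusted, in the spirit of the "3 0 BC" self-test Piquan asks about.

```python
"""SHA-1 with a pluggable length field, to illustrate Piquan's padding-perturbation idea.

Added example (written for this edit; not code from the thread or from dclient).
length_override=None gives standard SHA-1; any other value is written into the
64-bit length slot of the padding instead of the real message bit length.
"""
import hashlib
import struct
from typing import Optional


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_variant(message: bytes, length_override: Optional[int] = None) -> str:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    bit_length = len(message) * 8 if length_override is None else length_override
    # padding: 0x80, zeros up to 56 mod 64, then the (possibly overridden) length, big-endian
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_length)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (
                (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF,
                a,
                _rotl(b, 30),
                c,
                d,
            )
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)


def known_answer_ok(samples=(b"", b"abc", b"3 0 BC", b"a" * 55, b"a" * 64, b"a" * 119)) -> bool:
    """Self-test: standard mode must agree with hashlib on every sample (including
    inputs that straddle the 64-byte block boundary) before any search result
    computed with it is trusted."""
    return all(sha1_variant(s) == hashlib.sha1(s).hexdigest() for s in samples)


def still_matches_under_override(code: str, override_bits: int) -> bool:
    """Does the perturbed hash of `code` equal its standard SHA-1?  True exactly when
    the code's real bit length equals the constant written into the padding."""
    data = code.encode("ascii")
    return sha1_variant(data, override_bits) == sha1_variant(data)


if __name__ == "__main__":
    print("known-answer test against hashlib:", known_answer_ok())
    for code in ["3 0 BC", "D B 2 5", "B M U S 1"]:
        print(f"{code!r:12} survives constant-48 padding: {still_matches_under_override(code, 48)}")
```

The known-answer check is the practical lesson: any client that searches a keyspace against a target digest should first prove its hash agrees with a reference implementation on inputs of several lengths, otherwise a padding or endianness slip looks exactly like "no match".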


Posted by mstroh on 12-12-2002 05:39 AM:

quote:
Originally posted by EdwinOlson
We're getting a lot of repeats of old questions. Rather than answer them again, if you haven't read or searched this thread, you should do that

...

-Ed



quote:
Originally posted by David Bolling
Is there a way to search a thread that I don't know about? I know I can search the forums to find threads, but searching a particular thread that has over a hundred pages is very difficult. I can search for particular posts, but not limited to one thread, and even that produces pages of at most 25 posts. If there was a way to get the whole thread on one page, or a way to download the thread, it would be easier.

...

At the same time you could add the answer to the FAQ on DClient Central.



I would recommend (wish I could do this myself, but I am in the middle of exams) that someone could compile a thorough FAQ on everything that has happened in this thread so far.

Plus, if DVDerek would be kind enough to edit his original post (since his post is #1 in this thread) with big gigantic bold letters pointing to a link where the FAQ is located that would be especially swell. Actually, now that I think about it, he should put a link to the page that all of the windows and *nix versions of TiVocrack/DClient are located for download as well.

IF the FAQ is not completed by the new year, I could help on the general stuff, but I have no knowledge of programming or cryptology so someone else would need to do that (especially all of the M+N stuff, what it is and what has been completed so far).

The only reason I say this is that we are at page 48 and, speaking from experience, it really is a lot to expect someone new to this thread to really read and/or search through that many pages. Frankly, I wouldn't and I doubt most people will, maybe I'm too cynical, dunno.

-mike


Posted by mstroh on 12-12-2002 05:42 AM:

Oh, I forgot, my hat is off to you Ed and everyone else that has helped with the creation and continued updating of the clients and server. In an environment like this it isn't said often, but you all have done a wonderful job and I hope you people that are smarter than I continue to do such a great job!

-mike

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by TheAmigo on 12-12-2002 06:22 AM:

quote:
Originally posted by EdwinOlson
I would *definitely* encourage someone to try to find a way to search "repetitive" key spaces. It's not as easy as it sounds, but there are a lot of smart people on this forum.


Is there a way to link to a specific post? Or to search within a thread?

After a bit of tedious searching, I found an old post of mine in this thread (dated 11-17-2002 04:23 AM). Basically, I'm in favor of searching 6+5, 6+6, 6+7... all the way to 6+14. By my calculations, that should only take us a couple weeks (well maybe several now that our CPU power has dwindled).

If that fails to find anything then how about a new scheme where in place of a space, any single char is repeated several times. Then use a different notation in place of the plus. So you could have 4%3 be a seven char string where 3 of the chars are the same and the other four are cycled through. To further clarify the notation, specify the char that is repeated, e.g. a work unit of 4%3G would mean a seven char string with 3 Gs in it and any 4 other chars.

Trying to search 6%14 would be a bit out of reach (couple years of work), but 5%15 should be only a few weeks.

__________________
--The Amigo


Posted by Airlie on 12-12-2002 03:13 PM:

I was wondering if it would be feasible to give priority to 'easy to enter' codes.

For instance if the first letter is 'A' then the second letter is unlikely to be 'Z'. Letters that are closer in the TiVo's text entry menu to the last entered letter require less effort.

Spaces and numbers, being right on the remote are the easiest of all. (hmm has anyone searched for a code made up of just numbers and spaces? How big is that keyspace? Something like '123_456_789_0' would be easy to enter and hard to search for. Evil and simple at the same time!)

Of course representing this programmatically, so that 'easy to enter' codes are given priority, would probably be extremely difficult.

Thoughts?

__________________
Jason Airlie
Camp Dixie Summer Camps


Posted by lmurray on 12-12-2002 03:25 PM:

Anyone having problems connecting? I've been running this client for weeks, and this morning, I'm stuck at "Requesting work unit."

Ed, did the server take a vacation? Or is this a problem on my side?

thanks,
-lloyd-


UPDATE: never mind, it took a few minutes, but then I connected........


Posted by Mars Rocket on 12-12-2002 03:38 PM:

You can run the client in local mode and give it whatever alphabet you want. I think several people have tried " 0123456789" out to 10 or 11 characters at least.


Posted by martinp13 on 12-12-2002 04:06 PM:

Mine isn't connecting again this morning also... it came back with "there is no more work to do", so I thought we'd found it!

EDIT: The DClient website isn't responding either, so I guess it took a hit.

__________________
> Martin (Proudly infecting my family and friends with the TiVolution since Jan 2001)

TC-Con 05/Las Vegas : Come on, you KNOW you want to go! Check it out!

"We're out of our elephant..." - uncdrew's client
"My implants are frozen!" - One of the bimbos who slept on a glacier in The Amazing Race 6


Posted by CaptCaveman on 12-12-2002 04:38 PM:

what is this error ... PROOF?

*******************************************************
*
Requesting work unit.
Processing work unit 909049
Searching pattern '??????????', seed 'Q485'.
Proof: 3635C9B7

__________________
Hughes HDVR2


Posted by CaptCaveman on 12-12-2002 04:41 PM:

Re: what is this error ... PROOF?

quote:
Originally posted by CaptCaveman
****************************************************
****
Requesting work unit.
Processing work unit 909049
Searching pattern '??????????', seed 'Q485'.
Proof: 3635C9B7




more info:
I have two clients running on a dual cpu box.
This client wasn't showing up in the top display, so I thought it crashed...

I scanned the source code quickly this morning, and I think Proof: is used in testing?
Why would I get that in the middle of a scan of a work unit?

Also... this is a linux box...

__________________
Hughes HDVR2


Posted by CaptCaveman on 12-12-2002 04:44 PM:

Re: what is this error ... PROOF?

quote:
Originally posted by CaptCaveman
****************************************************
****
Requesting work unit.
Processing work unit 909049
Searching pattern '??????????', seed 'Q485'.
Proof: 3635C9B7




nevermind... work unit submitted...
It was just hanging...

__________________
Hughes HDVR2


Posted by TK-421 on 12-12-2002 05:07 PM:

Maybe a silly question..

But should we try 6+2? (Since the original was 3 0 BC)
Or 7+3? (B D 2 5)

Or have I missed it and we already have?

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by dd9 on 12-12-2002 06:00 PM:

Re: Maybe a silly question..

quote:
Originally posted by TK-421
But should we try 6+2? (Since the original was 3 0 BC)
Or 7+3? (B D 2 5)


Don't forget that the hash is the same for the new SW on the combo boxes and their previous code was (B M U S 1), so it could be at least that long.


Posted by Myname17 on 12-12-2002 06:29 PM:

Re: Do we really want it?

quote:
Originally posted by UncaAndoo
I am one of the people who thinks the code is something like "AAAAAAAAAAAAAAAA". As such, we won't find the code in a reasonable amount of time.

I don't know if I should say it, but that being said, there is a simple way to find the backdoor code.

http://arstechnica.com/archive/news/1039634153.html

$1200/hour of 14TFLOP processing.



I have been involved in situations where people were doing things to "my" computers that I did not want them to do. My first line of defense has always been to change the password and to make it generally harder to guess. Tivo has done just that. First no password. Then a short password. If I were Tivo, the current password would be 19 characters consisting of mangled words and some random characters like cu198atskool123ovit. And if this gets cracked, change SHA1 to SHA256 in the next release.

Mike


Posted by toddcurry on 12-12-2002 07:05 PM:

Re: Re: Do we really want it?

quote:
Originally posted by Myname17
If I were Tivo, the current password would be 19 characters consisting of mangled words and some random characters like cu198atskool123ovit.


I disagree completely -- 19 characters of text entry is just too frustrating.

This is Curry Conjecture #771:
1. Backdoors are used by the TiVo programmers
2. Programmers therefore have to enter a code to enable backdoors
3. The navigate-and-select method of entering text is cumbersome (for all)
4. Programmers (like all of us) prefer a simpler password to a more complex password, as it means less frustration with nav-select entering.
5. Therefore, the password is likely to be simple

Now, there is also Curry Conjecture #772:
1. Text entry is cumbersome in TiVo
2. Not all key entries have to display text
3. Certain key entries might display hidden text
4. It might be possible to enter a longer "password" by using certain keys, where some part of the password is actually hidden.
5. Therefore, the password is something like thumbs-up, thumbs-up, play, thumbs-up, abc. That might generate in the text buffer: QUOZHNR5abc but only display (for the user to see) abc.
6. This method has the advantage of simplicity in text entry for programmers, yet complexity for TivoCrack users.

Discuss and dissect. In the mean time, I'm happily running TiVo Crack on all my PCs...

Oh, is it possible to disassemble the TiVo kernel and see what it does during text entry? A casual look around the net on the subject of password cracking reveals that many passwords are broken that way. (note: this has nothing to do with video extraction or service stealing, so I'm treading carefully around the TOS).

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by toddcurry on 12-12-2002 07:11 PM:

quote:
Originally posted by Airlie
I was wondering if it would be feasible to give priority to 'easy to enter' codes.

For instance if the first letter is 'A' then the second letter is unlikely to be 'Z'. Letters that are closer in the TiVo's text entry menu to the last entered letter require less effort.

Spaces and numbers, being right on the remote are the easiest of all. (hmm has anyone searched for a code made up of just numbers and spaces? How big is that keyspace? Something like '123_456_789_0' would be easy to enter and hard to search for. Evil and simple at the same time!)

Of course representing this programmatically, so that 'easy to enter' codes are given priority, would probably be extremely difficult.

Thoughts?



I think this has a lot of merit. If someone can explain how to configure TiVo crack to search on this, I'd gladly help pursue it.

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by TK-421 on 12-12-2002 07:23 PM:

Re: Re: Maybe a silly question..

quote:
Originally posted by dd9
Don't forget that the hash is the same for the new SW on the combo boxes and their previous code was (B M U S 1), so it could be at least that long.


Hmm.. well, then I nominate these three for our next runs when 10+0 runs out..

4+2 (3 0 BC)
4+3 (D B 2 5)
5+4 (B M U S 1)

If we haven't already done them of course and I just don't realize it

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by EdwinOlson on 12-12-2002 07:26 PM:

Re: Re: Re: Maybe a silly question..

We've searched all of this space.

"3 0 BC" is in 4+2, 5+1, 6+0.
"D B 2 5" is in 4+3, 5+2, 6+1, 7+0
"B M U S 1" is in 5+4, 6+3, 7+2, 8+1, 9+0

10+0 is a really big space. One of the reasons I'm a bit pessimistic about finding the answer is that--even if the password were repetitive and "easy to enter"--I would have wagered that it was less than 10 characters long.

-Ed

quote:
Originally posted by TK-421
Hmm.. well, then I nominate these three for our next runs when 10+0 runs out..

6+2 (3 0 BC)
7+3 (D B 2 5)
9+4 (B M U S 1)

If we haven't already done them of course and I just don't realize it

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by snedecor on 12-12-2002 07:56 PM:

Problem with DClient web page?

Am I the only one having problems with Edwin's page?

I'm getting a lot of "can't connect to server" via IE, when I want to view stats, and lately, the page came up with ZERO stats (everything was reset to ZERO!). My clients seem to be getting work units OK, though, although they are now failing... Are they the same server?

Edwin, are you backing the results up? I'd hate for us to lose all that work!

Snedecor


Posted by TreborPugly on 12-12-2002 08:11 PM:

Considering the theory that they've included an unavailable character in the hash.

Add into that that they must be able to test the actual code we have, so they would need some new way to enter a character that is unavailable to us.

Would it mess too much with their quality-control system to have added an IR code for a new character, say ^ or $, that our remotes can't generate, but they have remotes that can? So to activate back doors, they enter a code in the same place we do, but they can send an IR code to the Tivo that it recognizes as a $, which then gets processed by the password checker and accepts say a password of 'B $ 32'. The only change to their code base would be to recognize a new IR code as the character $ on the Search by Title page.

Does this seem at all plausible? Would it make sense (and has anyone done this already) to search the 6x0 space with the complete ASCII character set? And how difficult would that be?

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by toddcurry on 12-12-2002 09:35 PM:

Search(min(keypresses), max(length))?

The most difficult backdoor key to enter is not necessarily the longest one

Looking among the older backdoor keys...
0V1T = 13 key presses (incl TU), though only 4 characters long
B_D_2_5=11 key presses (incl TU), though it is 7 characters long

The record holder among past codes is B_M_U_S_1 at 20 key presses (incl TU)
(r,sel,ff,d,d,d,L,sel,ff,d,d,sel,ff,r,r,u,sel,ff,1,tu)

Letters generally take considerably more key presses to enter than do numbers, and that is not taking into consideration the inevitable backspaces that plague the fat-fingered.

It is possible to arrange the letters in terms of difficulty of entry, where each number corresponds to the number of key presses required to enter it (from the initial position). Once a letter has been pressed, the matrix changes to reflect that selection and the computer scientists among us can figure out the code in less time than I've spent writing this line.

So initially:
1: A
2: B, E
3: C, F, I
4: D, G, J, M
5: H, K, N, Q
6: L, O, R, U
7: P, S, V, Y
8: T, W, Z
9: X

Thus, if the code were "XAXA...." repeated to 20 chars, it would require 180 keypresses -- a ridiculous amount for someone to enter!!!

Might it be worthwhile to constrain the code search to codes that require fewer than ~20 keypresses? Call it a "practicality" limit on the search.

Search to all 20 places, but stop searching when any branch exceeds the max number of keypresses.

Thus the search set would include:
- any number to 20 places
- the letter A to 20 places
- The letter B to 19 places (first time is two presses, but from then on is only one key press)
- the letter X to only 12 places (first time is 9, next time is just one each)

This constraint would also stop branches that are just impractical. An example is anything following "AXA" -- that's 20 keypresses already (with TU), so anything else in the AXA* branch would be skipped. If you're looking to 20 places, that is a huge chunk of work that was just removed -- and it is only one example of many.

It is beyond my programming abilities to do the required matrix re-sorting for the alphabet after one character is entered, but someone out there must be able to sum up the keypresses and stop executing on a branch when max keypresses is reached.

I know this is long and from a non-programmer, but I'm hoping to find some way to take advantage of the incredible tool that Edwin has provided, yet guide it along the most "practical" route for finding the code. As the TiVo entry method has its peculiarities, we should take that into consideration in the search, IMO.

Thanks,

Todd

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by Spire on 12-12-2002 10:01 PM:

Todd, that's very insightful thinking, and potentially the beginning of a new, more practical approach than pure brute force.

__________________
begin 644 .sig22&%I;"P@9F5L;&]W(&=E96LA`end

Last edited by Melody Chalis on Today at 03:47 AM


Posted by Piquan on 12-12-2002 10:33 PM:

Todd, I like your idea. There's some interesting possibilities for a breadth-first search. I think I'll play around with the idea some.

Anybody else have sort heuristics to propose?

Cheers,
Piquan


Posted by Catboy17 on 12-12-2002 10:45 PM:

I think everyone here is nuts. Just look at the old passwords and you'll realize that it's probably something simple. What's more, check out the thread to crack the 3.0 password. While everyone is freaking out and dissecting their tivos, it turned out to be 3 0 BC. While you may think they are trying to make it harder to get into, that's what everyone thought for 3.0 as well and it turned out to be 3.0 BC! Think simple people. If everyone just spends a few hours trying codes with LOGIC and not BRUTE FORCE CRACKING, we might get somewhere faster. Or... We could just kidnap TivoPony...Your choice.

__________________
Peter


Posted by stormsweeper on 12-12-2002 11:04 PM:

quote:
Originally posted by Catboy17
I think everyone here is nuts. Just look at the old passwords and you'll realize that it's probably something simple. What's more, check out the thread to crack the 3.0 password. While everyone is freaking out and dissecting their tivos, it turned out to be 3 0 BC. While you may think they are trying to make it harder to get into, that's what everyone thought for 3.0 as well and it turned out to be 3.0 BC! Think simple people. If everyone just spends a few hours trying codes with LOGIC and not BRUTE FORCE CRACKING, we might get somewhere faster. Or... We could just kidnap TivoPony...Your choice.


I've personally run a brute force search on every 10+0 combination using all the characters previously used for backdoor codes. Nothing came up.

I personally think it's an invalid hash.


Posted by toddcurry on 12-12-2002 11:06 PM:

here's the matrix

<Sound of palm slapping forehead>

Just use (X,Y) coordinates for the letters in the TiVo Matrix:
A (1,1)
B (2,1)
C (3,1)
D (4,1)
E (1,2)
F (2,2)
G (3,2)
H (4,2)
I (1,3)
J (2,3)
K (3,3)
L (4,3)
M (1,4)
N (2,4)
O (3,4)
P (4,4)
Q (1,5)
R (2,5)
S (3,5)
T (4,5)
U (1,6)
V (2,6)
W (3,6)
X (4,6)
Y (1,7)
Z (2,7)

So the number of keypresses involved in moving from any letter to another is abs(x1-x2)+abs(y1-y2)+1(for hitting select).

Heck, if I knew C, I'd start coding this myself!! ;D

Todd

note: if you like (row,column) coordinates, just interpose the coordinates.

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language
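
Todd's two posts above (the initial press-count table and the (X,Y) grid with its abs(x1-x2)+abs(y1-y2)+1 rule) fit together into one small cost model, and the pruning he describes can be expressed as a count rather than an enumeration. The block below is an added example written for this edit, not code from the thread or from dclient/TiVoCrack. It assumes, following his posts, that the cursor starts on A, that letters cost Manhattan distance plus one press for select, that digits and the space are direct remote buttons costing one press each without moving the cursor, and that a final Thumbs Up submits the code.

```python
"""Keypress cost of a code on the TiVo on-screen keyboard, as sketched by toddcurry.

Added example (written for this edit; not from the thread or from dclient/TiVoCrack).
Assumptions taken from the two posts above:
  * letters sit on a 4-column grid, A at (1,1) .. Z at (2,7); the cursor starts on A
  * a letter costs Manhattan distance from the cursor plus one press for select
  * digits and the space are direct remote buttons: one press, cursor does not move
  * one final Thumbs Up submits the code
"""
from collections import defaultdict

LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# (x, y) from toddcurry's table: x is the column (1-4), y the row (1-7)
LETTER_POS = {ch: (i % 4 + 1, i // 4 + 1) for i, ch in enumerate(LETTERS)}
DIRECT_KEYS = set("0123456789 ")  # number buttons and the space key on the remote
ALPHABET = LETTERS + "0123456789 "
START = LETTER_POS["A"]


def step_cost(cursor, ch):
    """Presses to enter one character from `cursor`; returns (cost, new_cursor)."""
    if ch in DIRECT_KEYS:
        return 1, cursor
    x, y = LETTER_POS[ch]
    return abs(x - cursor[0]) + abs(y - cursor[1]) + 1, (x, y)  # +1 for select


def keypress_cost(code: str, include_thumbs_up: bool = True) -> int:
    """Total remote presses to enter `code`, starting with the cursor on A."""
    cursor, total = START, 0
    for ch in code.upper():
        cost, cursor = step_cost(cursor, ch)
        total += cost
    return total + (1 if include_thumbs_up else 0)


def initial_cost_table() -> dict:
    """toddcurry's first table: presses to reach each letter from the starting position."""
    return {ch: step_cost(START, ch)[0] for ch in LETTERS}


def count_within_budget(length: int, budget: int) -> int:
    """Number of codes of exactly `length` characters typable in <= `budget` presses
    (Thumbs Up excluded).  Dynamic programming over (cursor, presses used) so the
    size of the pruned space is known without enumerating it."""
    states = {(START, 0): 1}
    for _ in range(length):
        nxt = defaultdict(int)
        for (cursor, used), ways in states.items():
            for ch in ALPHABET:
                cost, new_cursor = step_cost(cursor, ch)
                if used + cost <= budget:  # prune the branch once the budget is spent
                    nxt[(new_cursor, used + cost)] += ways
        states = nxt
    return sum(states.values())


if __name__ == "__main__":
    for code in ["B D 2 5", "B M U S 1", "AXA", "XA" * 10]:
        print(f"{code!r}: {keypress_cost(code)} presses including Thumbs Up")
    total = len(ALPHABET) ** 10
    cheap = count_within_budget(10, 19)  # 20 presses including the final Thumbs Up
    print(f"10-char codes: {total:.2e} total, {cheap:.2e} typable in <= 20 presses "
          f"({100 * cheap / total:.3f}%)")
```

The model reproduces the counts in Todd's posts: "B_D_2_5" costs 11 with Thumbs Up, "B_M_U_S_1" costs 20, "AXA" reaches 20, and twenty alternating X/A characters cost 180 before Thumbs Up. The 0V1T figure in his post differs from this model by one press, so the table and grid are a useful approximation rather than an exact record of the remote.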


Posted by Piquan on 12-12-2002 11:44 PM:

quote:
Originally posted by Catboy17
I think everyone here is nuts. Just look at the old passwords and you'll realize that it's probably something simple. What's more, check out the thread to crack the 3.0 password. While everyone is freaking out and dissecting their tivos, it turned out to be 3 0 BC.

After Christopher Columbus returned from the New World, there was a banquet in his honor. There were a number of people in the aristocracy present, some of whom scoffed at his accomplishment. "Anybody who sailed West would have found the New World," they said. "What you did was no big deal."

Columbus (so the legend goes) picked up an egg from the banquet table. It was hard-boiled, but unshelled. He challenged the scoffers to-- without external aid-- balance the egg on its end. They tried, but couldn't. "It's impossible!" they cried. Columbus then picked up the egg, and pushed it onto the table, hard enough to break the shell slightly. The broken shell propped the egg up, and it balanced.

Once something's been done, the solution always seems simple.

There have been a number of efforts at finding reasonable codes, before and since dclient was developed. So far, none of them have been successful. That's why we started the brute force effort. We've tested every typable password of up to 8 characters, almost every one up to 9, and half of the 10 character passwords. If it were something relatively short (such as "3 2 BKDR") then it would have already been found. So the code is more complex than the codes we've seen before.

A lot of people tried codes one-by-one, with no matches. I think that it's more useful to have programs search large keyspaces, since there are a very large number of reasonable and mnemonic possibilities for keys. There is still lots of room for searching heuristically-defined spaces. For example, I've written a program that is currently testing codes with lots of repetition, such as "333 22 BBBDDD".

If you feel you have logical ideas to try, then I suggest you do so. If you want to test particular keys, I've enclosed a Perl program to let you do so. Enter your keys to test, one per line. The program will print out the hash, and alert you (and exit) if you've entered the right one. It also is looking for the 3.0 hash ("3 0 BC"), so you can test it easily.
quote:
While you may think they are trying to make it harder to get into, thats what everyone thought for 3.0 as well and it turned out to be 3.0 BC!

They did make it harder to get into on 3.0. Previously, we could find the code just by looking in the binary. Starting with 3.0, that was no longer possible.
quote:
Think simple people. If everyone just spends a few hours trying codes with LOGIC and not BRUTE FORCE CRACKING, we might get somewhere faster.

I've given you a tool to test as many logical codes as you want. Feel free to try them out and see what you find. Let me know how it goes.

Cheers,
Piquan


Posted by wanzong on 12-13-2002 02:17 AM:

Tivo Remote Control Presses

I've skimmed this thread, and I noticed some comments regarding the number of key strokes it takes to navigate thru the letters being a limiting factor to the password. I have a feeling this isn't an issue for the Tivo folks... way back when, when Tivo first came out, they posted a Pronto remote control file which contained all their remote control codes. These included discrete codes for each letter.

So, if they have a pronto or other similar device, they can simply type in the letters 1 press per letter. OR, more likely, they program the password into the Pronto/PDA, and simply send it with one button press.

Just my 2 cents...

Mike


Posted by TK-421 on 12-13-2002 02:27 AM:

quote:
Originally posted by Piquan
After Christopher Columbus returned from the New World, there was a banquet in his honor. There were a number of people in the aristocracy present, some of whom scoffed at his accomplishment. "Anybody who sailed West would have found the New World," they said. "What you did was no big deal."

Columbus (so the legend goes) picked up an egg from the banquet table. It was hard-boiled, but unshelled. He challenged the scoffers to-- without external aid-- balance the egg on its end. They tried, but couldn't. "It's impossible!" they cried. Columbus then picked up the egg, and pushed it onto the table, hard enough to break the shell slightly. The broken shell propped the egg up, and it balanced.

Once something's been done, the solution always seems simple.




I nominate this for post of the month.

__________________
"TK-421, why aren't you at your post?"
Phillips HDR31202 125hr v3.0


Posted by toddcurry on 12-13-2002 02:55 AM:

Re: Tivo Remote Control Presses

quote:
Originally posted by wanzong
way back when, when Tivo first came out, they posted a Pronto remote control file which contained all their remote control codes. These included discrete codes for each letter.


Really! That is great to hear. But, I've just done some looking around for this thread you mention and I can't find it (in fact, I've found the contrary: old posts where people are expressing frustration at having to key in macros for the letters -- see: http://www.tivocommunity.com/tivo-v...onto+and+letter).

Any chance you can point me to that thread? I may use a few tricks to crank out some codes via the Pronto.

quote:
So, if they have a pronto or other similar device, they can simply type in the letters 1 press per letter. OR, more likely, they program the password into the Pronto/PDA, and simply send it with one button press.


This is definitely true, though the longer the password the longer you have to aim your pronto at the IR receiver AND the greater the likelihood that something gets messed up in the string. Beyond about 8 - 10 button presses requires a very steady hand, but I'm no brain surgeon (really steady hands). Try this yourself -- put in a series of up/down combinations with selects and account for the delays in TiVo response (not instantaneous) and I think you'll find that longer is more painful. Your point is well taken, though.

Todd

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by killersoundz on 12-13-2002 03:14 AM:

compilation failed

hello...

This is my second post, but i have been following this thread and running the client for some time.

I want to compile the unix client for a system that i don't use for much... but get an error.

make
don't know how to make httppost.o (bu42).

the system is an sgi running IRIX 6.5.something and has a mips processor.

i figured i could add at least a little muscle with this old box, but i can't get the client to even begin to compile.

also, speak as to a child concerning unix and unix like environments... still learning

Thanks,
killersoundz

__________________
No trees were harmed in the sending of this message, however, a large number of electrons were severely inconvenienced. :)


Posted by Catboy17 on 12-13-2002 03:26 AM:

I'm not a programmer, so in response to this brute force act I have a question:

If it was something like 32 BD Thumbs Down Thumbs Down Thumbs Down, would your program catch it? If not, I think we (and by we I mean you) must do a little reprogramming. I honestly believe that this mode is not, in reality, just for tivo workers to test, but also to stir up some tivo enthusiasm for the more avid tivo fans. If this were not so, they would probably find a way to block crackers, such as an external dongle (as they use for product verification on the program Lightwave) or possibly backdoor mode only sent to certain people on a list of phone numbers of programmers. All I'm saying is that if Tivo really wanted to block you, they could, and this whole charade is probably to stir up interest in tivo (meaning it's probably not something utterly impossible) and so that they don't have to give support for using buggy features they haven't officially added yet.

Thanks to everyone who's working on this.

__________________
Peter


Posted by Spire on 12-13-2002 03:37 AM:

Re: Tivo Remote Control Presses

quote:
Originally posted by wanzong
way back when, when Tivo first came out, they posted a Pronto remote control file which contained all their remote control codes. These included discrete codes for each letter.
I've done some remote hacking with my TiVo recorders, and without going into boring detail, let me say that I'm almost 100% sure that there are no discrete remote control codes for letters on TiVo recorders.

__________________
begin 644 .sig22&%I;"P@9F5L;&]W(&=E96LA`end

Last edited by Melody Chalis on Today at 03:47 AM


Posted by Spire on 12-13-2002 03:43 AM:

quote:
Originally posted by Catboy17
If it was something like 32 BD Thumbs Down Thumbs Down Thumbs Down, would your program catch it?
This question is moot, as it's already been verified that the remote sequence is terminated with a single Thumbs Up just as in previous versions. It was verified by replacing the 3.2 hash with the old 3.0 hash and then trying "3 0 BC" -- which worked.

Unless the TiVo programmers are being improbably evil and special-casing "3 0 BC" just to mess with our heads, this is reasonable assurance that the system still works the same way it always did.

__________________
begin 644 .sig22&%I;"P@9F5L;&]W(&=E96LA`end

Last edited by Melody Chalis on Today at 03:47 AM


Posted by buzzard on 12-13-2002 03:49 AM:

If we would just collect $1.00 from each person who viewed this thread, we could probably bribe one of the TiVo employees with the code. Anyone want to sell the code for $130,000.00?

__________________
(1) Philips DSR6000 (~149 Hours)


Posted by DarkHelmet on 12-13-2002 06:28 AM:

Do not assume it has anything to do with "3 2" just because we had "3 0 BC" before. This identical hash is also used on the 3.1 release for dtivo.

What I'd be more interested to know is what the heck "B M U S 1" stands for. I wonder if it is something like TivoPony's "Superfriends Of Reality-Tv" (SORT)...

Heck, I'd settle for knowing for sure if it actually is a code that can be keyed in on the remote.. For all we know, the development tivos have USB keyboard drivers and can enter any character at all..

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by subuni on 12-13-2002 07:09 AM:

quote:
Originally posted by DarkHelmet
What I'd be more interested to know is what the heck "B M U S 1" stands for. I wonder if it is something like TivoPony's "Superfriends Of Reality-Tv" (SORT)...


Beam Me Up Scotty


Posted by gregstoll on 12-13-2002 11:18 AM:

quote:
Originally posted by Piquan

If you feel you have logical ideas to try, then I suggest you do so. If you want to test particular keys, I've enclosed a Perl program to let you do so. Enter your keys to test, one per line. The program will print out the hash, and alert you (and exit) if you've entered the right one. It also is looking for the 3.0 hash ("3 0 BC"), so you can test it easily.

Cheers,
Piquan



Attached is a Python script (sorry, I'm too tired to think in Perl) that will generate all strings of a given length that take at most a given number of keystrokes to type in. Together with the aforementioned Perl script (although I wrote a C program of my own, since it'll probably be faster), enterprising individuals can give it a shot...

Enjoy!


Posted by David Bolling on 12-13-2002 01:36 PM:

I just finished testing all the following patterns without success. It is all 11 character passwords that contain 3_2 and at least 3 other space characters (and 10 character passwords that contain at least 2 other spaces). I tested similar patterns with 3_1 and 3_0 as well, also without success.

code:
3 2 ????? 3 2 ? ???? 3 2 ?? ??? 3 2 ??? ?? 3 2 ???? ? 3 2 ????? 3 2 ? ???? 3 2 ?? ??? 3 2 ??? ?? 3 2 ???? ? 3 2 ? ???? 3 2 ? ? ??? 3 2 ? ?? ?? 3 2 ? ??? ? 3 2 ?? ??? 3 2 ?? ? ?? 3 2 ?? ?? ? 3 2 ??? ?? 3 2 ??? ? ? 3 2 ???? ? ? 3 2 ???? ?? 3 2 ??? ??? 3 2 ?? ???? 3 2 ? ????? 3 2 ? 3 2 ???? ? 3 2 ? ??? ? 3 2 ?? ?? ? 3 2 ??? ? ? 3 2 ???? ?? 3 2 ??? ?? 3 2 ? ?? ?? 3 2 ?? ? ? ? 3 2 ??? ?? 3 2 ??? ??? 3 2 ?? ??? 3 2 ? ? ? ?? 3 2 ?? ?? ? 3 2 ?? ??? 3 2 ?? ???? 3 2 ? ? ??? 3 2 ? ?? ?? 3 2 ? ??? ? 3 2 ? ???? 3 2 ? ? ???? 3 2 ?? ??? 3 2 ??? ?? 3 2 ???? ? 3 2 ????? 3 2 ? ???? 3 2 ? ? ??? 3 2 ? ?? ?? 3 2 ? ??? ? 3 2 ? ???? 3 2 ?? ??? 3 2 ?? ? ?? 3 2 ?? ?? ? 3 2 ?? ??? 3 2 ??? ?? 3 2 ??? ? ? 3 2 ??? ?? 3 2 ???? ? 3 2 ???? ? 3 2 ????? 3 2


Posted by marka on 12-13-2002 03:19 PM:

quote:
Originally posted by DarkHelmet
What I'd be more interested to know is what the heck "B M U S 1" stands for.


Main Entry: be*muse
Pronunciation: bi-'myüz
Function: transitive verb
Date: 1735
1 : to make confused : BEWILDER
2 : to occupy the attention of : ABSORB


Posted by lmurray on 12-13-2002 03:21 PM:

Blah.. having trouble connecting again. Anyone else in this boat? I'm trying this from 3 different IPs, with no luck.


anyone.... Bueller...
-lloyd-


Posted by trojanrabbit on 12-13-2002 04:03 PM:

Same here, things seem to have stopped working yesterday afternoon. I recall seeing the stats go to zero as well.

__________________
Paul

Don't ask for more than you can handle, you may get it. - The Great Gazoo


Posted by EdwinOlson on 12-13-2002 06:08 PM:

I don't have any idea what happened-- the server seemed happy, the httpds were running, it just wouldn't accept any connections. (the stats engine is operated via httpd too, so that's why that failed.)

I restarted the server and it seems happy again.

Explanations solicited

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by TiredGuy on 12-13-2002 06:47 PM:

quote:
Explanations solicited


It was gnomes.


Posted by kgidley on 12-13-2002 07:24 PM:

B M U S 1 - Backdoor Mode United States 1. That's my guess to the meaning.

__________________
Ken
HR10-250 - my new toy!
2 Hughes DTivos, (lifetime, 1 upgraded to ~188 hours, the other upgraded to ~230 hours.)


Posted by Piquan on 12-13-2002 07:44 PM:

I always assumed it was Blue Manticores Usually Swim 1ce (once). It seems to be the most logical expansion I can think of.


Posted by WayneGoode on 12-13-2002 11:48 PM:

Solving errors behind firewalls

quote:
Originally posted by gmitch64
> Here is Windows version 2.07 to (hopefully) solve the problem some .
> people are having when trying to run behind a firewall.

I am still getting the error when running behind our office firewall.

Graham



I saw what the firewall was doing to my Work Unit and I created a version that solved that problem. So if I can get some examples of what firewalls are doing to other people, I can make it more general. That would seem a better approach than creating versions until one solves all the problems.

If you are having problems running behind a firewall, download and run the attachment and tell me what your Work Unit string is. This is an executable only and will print the Work Unit if you have an error. Control characters are preceded by ^. The Work Unit is rather long so you will probably need to copy it out of the log file.

If you post it on the board, replace the digits after the WUID and NONCE with all zeros. I don’t need to know what they are and this preserves the security of the Work Unit check-in system.

After seeing what the firewalls are doing to the Work Unit, I should be able to make a change that will work for all of them.

Sorry for the delay in responding. My “Real Job” has been keeping me busy.

__________________
"Never play tri-dimensional chess with a robot that has a planet for a first name." Harry in "Prodigy" by Arthur Bryan Cover


Posted by wanzong on 12-14-2002 12:15 AM:

Re: Re: Tivo Remote Control Presses

quote:
Originally posted by toddcurry
Really! That is great to hear. But, I've just done some looking around for this thread you mention and I can't find it (in fact, I've found the contrary: old posts where people are expressing frustration at having to key in macros for the letters -- see: http://www.tivocommunity.com/tivo-v...onto+and+letter).



It actually wasn't a post in the forum, but rather a contest page on Tivo's website. After some surfing around it WAS http://www.tivo.com/central/pronto.html. It's gone now, tho. They provided a sample pronto file that contained all the remote codes, and asked people to enter their pronto remote designs. They picked the top three, and posted them for download.

It's been a long time, but I thought the winning design had a keyboard, which I assumed (you know what that does) meant there were discrete codes for the letters. I may still have that download kicking around, I'll look when I get home.

Mike


Posted by subuni on 12-14-2002 01:35 AM:

Of course, that's why the Way Back Machine was invented.

TiVo IR Codes

TiVo Presents a Pronto CCF Contest

Click here to download the winning CCF


Posted by subuni on 12-14-2002 02:18 AM:

Re: Re: Re: Tivo Remote Control Presses

quote:
Originally posted by wanzong
It's been a long time, but I thought the winning design had a keyboard, which I assumed (you know what that does) meant there were discrete codes for the letters. I may still have that download kicking around, I'll look when I get home.


Thanks to the Way Back Machine, I downloaded the Pronto CCF with the "keyboard" (Available Here). I opened it up in the Tonto Pronto Editor.

The keyboard is just a bunch of aliases to move the cursor over the letter, hit select, and then move back to the "home" position. i.e. "Clicking" A on the keyboard, causes: Up, Up, Left, Select, Right, Down, Down. "Clicking" G causes Up, Right, Select, Left, Down.

So, it's not sending out 'discrete' codes for the letters. It's just intelligent enough to always move the cursor back to a known location.


Posted by Jobius on 12-14-2002 06:25 AM:

Maybe obvious, but... numeric keypad?

With all this talk about counting keystrokes, and whether TiVo would use a password that took forever to enter...

Digits 0-9 can be entered directly from the buttons on the remote, so it would be quite easy to enter a long mostly-numeric password. Could we (or has someone already) do a search of all possibilities that included, say, up to ten digits, nine spaces, but no more than five of the larger character set?

Joe


Posted by Piquan on 12-14-2002 07:18 AM:

Re: Maybe obvious, but... numeric keypad?

quote:
Originally posted by Jobius
Digits 0-9 can be entered directly from the buttons on the remote, so it would be quite easy to enter a long mostly-numeric password.

I've tried a few obvious ones (like TiVo HQ's address and ZIP code). I'm also working on a brute-force crack program that will try keys in order of fewest keystrokes, so the numerics will be among the first it will try.

Piquan


Posted by rewilson on 12-14-2002 01:20 PM:

Re: Solving errors behind firewalls

quote:
Originally posted by WayneGoode
If you are having problems running behind a firewall, download and run the attachment and tell me what your Work Unit string is. This is an executable only and will print the Work Unit if you have an error. Control characters are preceded by ^. The Work Unit is rather long so you will probably need to copy it out of the log file.

If you post it on the board, replace the digits after the WUID and NONCE will all zeros. I don’t need to know what they are and this preserves the security of the Work Unit check-in system.



Here is my log from one of my problem systems that runs NIS 2003 (I ran it twice, both runs are shown):

8:23:12: 12/14/2002
8:23:12: -- TiVoCrack 2.07 started --
8:23:12: Getting the next work load
8:23:31: Error processing line from server
8:23:31: Error processing line from server
8:23:31: Error decoding the work unit!!!
8:23:31: WUID=000000^JNONCE=0000000000^JRUN=TC2^M^JCTEXT=96F8B20
4FD99534759A6C11A181EEDDFEB2DF1D4^M^JRESULTURL=http://edo.lcs.mit.edu/dclient/putwork.php^M^J^JALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789^JPATTERN=??????????^J^JSEED=RIQJ^JSTATUS=OKAY^JKAY^J^M^J0^M^J^M^J
8:23:31: Stopping
8:23:32: Stopped
8:24:11: 12/14/2002
8:24:11: -- TiVoCrack 2.07 started --
8:24:11: Getting the next work load
8:24:30: Error processing line from server
8:24:30: Error processing line from server
8:24:30: Error decoding the work unit!!!
8:24:30: WUID=000000^JNONCE=000000000^JRUN=TC2^M^JCTEXT=96F8B204
FD99534759A6C11A181EEDDFEB2DF1D4^M^JRESULTURL=http://edo.lcs.mit.edu/dclient/putwork.php^M^J^JALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789^JPATTERN=??????????^J^JSEED=RIQT^JSTATUS=OKAY^JKAY^J^M^J0^M^J^M^J
8:24:30: Stopping
8:24:31: Stopped


There are extra characters at the end. Looks like truncating after "STATUS=OKAY^J" would work? I also noticed that some lines are terminated with ^J only, while others are terminated with ^M^J.

Thanks for looking at this!
Bob
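As an added example (my own code, not the TiVoCrack client and not anything posted in this thread), here is a parser for the work unit as it shows up in the log above, written the way Bob suggests: normalize the line endings, treat STATUS as the last field, and ignore whatever follows it. The field list and the ^-notation decoding are assumptions read off that log; the sample is the second run with WUID and NONCE zeroed as posted and with the display wrap of the CTEXT value undone. The trailing `0^M^J^M^J` is exactly the shape of an HTTP chunked-encoding terminator, so my reading is that the firewall re-encoded the response; the thread does not establish that.

```python
import re

# Fields a 2.07 work unit carries, in the order they appear in the log above
# (assumed from that log; the real client's own field list is not on this page).
REQUIRED_FIELDS = ("WUID", "NONCE", "RUN", "CTEXT", "RESULTURL",
                   "ALPHABET", "PATTERN", "SEED", "STATUS")

# The second run from the log above, WUID/NONCE zeroed as the post did, with the
# display wrap of the CTEXT value undone. Constructed sample, not a fresh capture.
SAMPLE_LOG_LINE = (
    "WUID=000000^JNONCE=000000000^JRUN=TC2^M^J"
    "CTEXT=96F8B204FD99534759A6C11A181EEDDFEB2DF1D4^M^J"
    "RESULTURL=http://edo.lcs.mit.edu/dclient/putwork.php^M^J^J"
    "ALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789^JPATTERN=??????????^J^J"
    "SEED=RIQT^JSTATUS=OKAY^JKAY^J^M^J0^M^J^M^J"
)


def caret_decode(text):
    """Turn the ^M / ^J caret notation the client prints into real CR / LF characters."""
    return text.replace("^M", "\r").replace("^J", "\n")


def parse_work_unit(raw, tolerant=True):
    """Parse KEY=VALUE lines into a dict.

    Line endings may be CRLF or bare LF (the log shows both in one unit) and blank
    lines are skipped either way. In tolerant mode STATUS is treated as the final
    field, so whatever a proxy appends after it is ignored; in strict mode any
    non-blank line that is not KEY=VALUE raises, which is the failure the log shows.
    """
    fields = {}
    for line in raw.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            # e.g. the stray 'KAY' and '0' lines after the STATUS field
            if tolerant:
                continue
            raise ValueError(f"error processing line from server: {line!r}")
        fields[key] = value
        if tolerant and key == "STATUS":
            break
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"work unit is missing {missing}")
    if not re.fullmatch(r"[0-9A-F]+", fields["CTEXT"]):
        raise ValueError("CTEXT is not an upper-case hex string")
    if fields["STATUS"] != "OKAY":
        raise ValueError(f"server status {fields['STATUS']!r}")
    return fields


if __name__ == "__main__":
    unit = parse_work_unit(caret_decode(SAMPLE_LOG_LINE))
    print(f"pattern {unit['PATTERN']} over {len(unit['ALPHABET'])} characters, seed {unit['SEED']}")
    try:
        parse_work_unit(caret_decode(SAMPLE_LOG_LINE), tolerant=False)
    except ValueError as exc:
        print("strict parse failed the way the 2.07 client did:", exc)
```

Running it parses the unit cleanly in tolerant mode and reproduces the "error processing line from server" failure in strict mode, which is the difference between the two behaviours Bob is asking Wayne to reconcile.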


Posted by bsnelson on 12-14-2002 04:17 PM:

Nothing new to add here - I just wanted to be the person to make the one thousandth post (1,000!!!!!) to this thread.

Carry on. BTW, I vote for "Beam Me Up Scotty" as the underlying message in the old backdoor password - good call, poster!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by Catboy17 on 12-14-2002 06:25 PM:

Problems with Tivo Crack

I'd like to join the tivo crack, but whenever I go to http://www.scottandmichelle.net/scott/tcrk/ ,

It gives me the message: Not Found
The requested URL /scott/tcrk/ was not found on this server.

What's wrong? Can I get it somewhere else? Is this just temporary or do I have a broken link or what?

__________________
Peter


Posted by jag111 on 12-14-2002 07:18 PM:

quote:
Originally posted by Catboy17
I'd like to join the tivo crack, but whenever I go to http://www.scottandmichelle.net/scott/tcrk/ ,

It gives me the message: Not Found
The requested URL /scott/tcrk/ was not found on this server.

What's wrong? Can I get it somewhere else? Is this just temporary or do I have a broken link or what?



Wrong link. The person hosting the site there was forced to take it down. It was originally the site specifically for the win32 version. Now, all versions are hosted here:

http://edo.lcs.mit.edu/dclient/


Posted by mackman on 12-15-2002 07:34 PM:

I've posted my own 3.2 backdoor cracking software. The announcement is at:

http://www.tivocommunity.com/tivo-v...&threadid=90522


Posted by Piquan on 12-15-2002 09:55 PM:

I've run a set of codes, and come up with nothing. Every key of the form "A BB CCC DDDDD ", where there are always 4 letters chosen from the set [A-Z0-9], each letter repeats 1-5 times, and each letter is followed by 0-3 spaces. No luck.


Posted by mstroh on 12-16-2002 03:22 AM:

I have decided to attempt to do some sample searches on one of my three machines that I have devoted to this project.

I was wondering if someone could tell me a formula to determine how long each cycle would take. Basically, the variables are: # of characters in the alphabet, # of ?'s in the search pattern, and Kkeys/s? I don't think there are any other variables I should be concerned with. My comp is running in 800-850 Kkeys/s range, I think (it's been a while since I actually looked).

Thanks.

-mike

__________________
My mantra: "If I watch it, it will end up getting cancelled!" This mantra almost made me give up TV altogether. I changed my mind after I got a TiVo, now I can watch it even after it gets cancelled!!


Posted by subuni on 12-16-2002 04:35 AM:

quote:
Originally posted by mstroh
I was wondering if someone could tell me a formula to determine how long each cycle would take. Basically, the variables are: # of characters in the alphabet, # of ?'s in the search pattern, and Kkeys/s? I don't think there are any other variables I should be concerned with. My comp is running in 800-850 Kkeys/s range, I think (it's been a while since I actually looked).


numOfChars^length.

We're testing 37 characters (ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890<space> ),

To try every possible combination of those characters, 9 characters long (i.e. the length of: B<space>M<space>U<space>S<space>1)

37^9 = 129,961,739,795,077 total possibilities.
129,961,739,795,077/800000 = 162,452,174 seconds (based on your 800,000 keys/sec).
162,452,174 seconds / 60 seconds = 2,707,536 minutes.
2,707,536 minutes / 60 minutes = 45,125 hours.
45,125 hours / 24 hours = 1,880 days.
1,880 days / 7 days = 268 weeks.
268 weeks / 52 weeks = 5 years.

The "next level" would be 37^10, which is 191 years at 800,000 keys/sec.

Or my personal favorite:

37^20 = 3,122,483,666,661,158,726,686,253,786,801 possibilities
3,122,483,666,661,158,726,686,253,786,801 possibilities / 800,000 keys/sec = 28,903,104,583,326,448,408,357,817 seconds
28,903,104,583,326,448,408,357,817 seconds / 60 seconds = 481,718,409,722,107,473,472,630 minutes
481,718,409,722,107,473,472,630 minutes / 60 minutes = 8,028,640,162,035,124,557,877 hours
8,028,640,162,035,124,557,877 hours / 24 hours = 334,526,673,418,130,189,911 days
334,526,673,418,130,189,911 days / 7 days = 47,789,524,774,018,598,558 weeks
47,789,524,774,018,598,558 weeks / 52 weeks = 919,029,322,577,280,741 years

So, 919,029,322,577,280,741 years for you to search all of 37^20.


**Edit 2002.12.17 -- Apparently it's easier to read 7 lines full of numbers instead 2 lines of nicely formatted text, because you won't have to scroll horizontally ever so slightly.
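The arithmetic above generalises in two directions that come up elsewhere in the thread: a client-style pattern with fixed characters and `?` wildcards (David Bolling's "3 2 ?????" runs), and Jobius's question about a search restricted to mostly digits and spaces with only a few letters. The following is an added example, my own code rather than anything from the thread or the cracking client; the three character classes (10 digits, 1 space, 26 letters) are taken from the screen description in this thread, and the time chain truncates at every step exactly as the post above does, so it reproduces the 5-year and 191-year figures.

```python
from math import factorial

# Character classes available on the "Search by Title" screen, as this thread
# describes it: digits come straight from the remote's number pad, FWD inserts
# a space, and A-Z must be picked from the on-screen grid.
DIGITS, SPACE, LETTERS = 10, 1, 26
ALPHABET_SIZE = DIGITS + SPACE + LETTERS   # 37, matching the client's ALPHABET field


def pattern_keyspace(pattern, alphabet_size=ALPHABET_SIZE):
    """Candidates covered by a client-style pattern: every '?' is a wildcard over
    the alphabet and every other character is fixed, so '3 2 ?????' is 37**5."""
    return alphabet_size ** pattern.count("?")


def constrained_keyspace(length, max_digits=None, max_spaces=None, max_letters=None):
    """Number of strings of the given length with at most the given count of each
    class (None = unlimited). Sums multinomial(length; nd, ns, nl) * 10**nd * 26**nl
    over every admissible split; with no limits this collapses to 37**length."""
    def within(n, limit):
        return limit is None or n <= limit

    total = 0
    for nd in range(length + 1):
        for ns in range(length - nd + 1):
            nl = length - nd - ns
            if not (within(nd, max_digits) and within(ns, max_spaces)
                    and within(nl, max_letters)):
                continue
            arrangements = factorial(length) // (factorial(nd) * factorial(ns) * factorial(nl))
            total += arrangements * DIGITS ** nd * SPACE ** ns * LETTERS ** nl
    return total


def search_time(candidates, keys_per_second):
    """Exhaustive-search time, walking the post's divisor chain (seconds -> minutes
    -> hours -> days -> weeks -> 52-week years) and truncating at each step as it does."""
    chain = [("seconds", keys_per_second), ("minutes", 60), ("hours", 60),
             ("days", 24), ("weeks", 7), ("years", 52)]
    result, value = {}, candidates
    for unit, divisor in chain:
        value //= divisor
        result[unit] = value
    return result


if __name__ == "__main__":
    full = pattern_keyspace("?" * 9)
    print(f"37^9 = {full:,} candidates -> "
          f"{search_time(full, 800_000)['years']} years at 800 Kkeys/s")
    mostly_numeric = constrained_keyspace(9, max_digits=10, max_spaces=9, max_letters=5)
    print(f"9 chars with at most 5 letters: {mostly_numeric:,} candidates "
          f"({mostly_numeric / full:.1%} of the full space)")
```

The constrained count is the number Jobius is asking for: it says how much of the 37^n space a "mostly numeric" assumption actually removes, which is the figure you want before deciding whether such a restricted run is worth scheduling.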


Posted by mackman on 12-16-2002 04:59 AM:

Uh, what about the other characters such as , * and "

They may be new to 3.2, but I'm sure they're fair game for the code. I sure hope the current cracking software has been trying them.


Posted by embeem on 12-16-2002 05:36 AM:

quote:
Originally posted by mackman
Uh, what about the other characters such as , * and "

They may be new to 3.2, but I'm sure they're fair game for the code. I sure hope the current cracking software has been trying them.



Last I checked there was no way to use those characters on the 'search by title' screen.

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK


Posted by Spire on 12-16-2002 05:39 AM:

In version 3.0, the * and " characters cannot be entered in the Search By Title screen. Has this changed in version 3.2?

__________________
begin 644 .sig22&%I;"P@9F5L;&]W(&=E96LA`end

Last edited by Melody Chalis on Today at 03:47 AM


Posted by subuni on 12-16-2002 06:00 AM:

quote:
Originally posted by mackman
Uh, what about the other characters such as , * and "

They may be new to 3.2, but I'm sure they're fair game for the code. I sure hope the current cracking software has been trying them.



Uh, how do you suggest I enter these characters? This has been discussed throughout the thread, but what the hell.. Beating a dead horse countless times always serves for fun on a Sunday night.

It has been verified by many people here (in this thread), that the only place you can enter the backdoor code is in the "Search by Title" screen. We've verified this by inserting a known hash value into MFS, and attempting to enable backdoors through all of the Wishlist screens (Actor/Director/Keyword/Title). MuscleNerd (and possibly others) have disassembled the tivoapp binary. The only place you can activate backdoor mode through is in the "Search by Title" screen. With that in mind....



That's a picture of the "Search by Title" screen from a 3.2 system (pardon the flash). It's clear which characters can be entered. A-Z, 0-9, and a space. Hitting PLAY, PAUSE, SLOW, instant replay, or jump-to-current on this screen does nothing. No sound effects, no magical characters. Hitting FWD will enter a space for you. Hitting BACK will delete the current character for you. If you have a program selected, RECORD will take you to the "Record this showing" screen.



That's a picture of the "Choose Keywords" screen, one of the Wishlist options. Here, it's clear how to enter a quotation mark (PAUSE) and an asterisk (SLOW). The rest of the keys behave similarly to above (FWD enters a space, BACK deletes, etc).



That's a picture of the "Pick Actor by Last Name" screen, another one of the Wishlist options. Here, it's clear how to enter a comma (it's where 0 used to be). The keys behave as they did in the "Search by Title" screen. i.e. They don't do anything.

So, knowing that we can only enter the password into the "Search by Title" screen, and these characters you talk about can only be entered on other screens (comma only on "Pick Actor By Last Name", asterisk and quotation mark only on "Choose Keywords"), I ask you again... how do you suggest I enter a comma, an asterisk, or a quotation mark on the "Search by Title" screen?

And, the characters aren't new to 3.2. They're in the same screens on 3.0 systems.

** Edit 2003.03.15- Changed image links from sekrut.net to archaic-apples.com


Posted by mackman on 12-16-2002 06:30 AM:

I guess you may be right. I was unaware that the only screen the backdoor code could be entered from was the Search By Title screen. I thought I had read that it worked on any screen that accepted text input. My bad. It still might be worth looking for though. Perhaps the buttons on the keypad (pause and slow) which enter those characters on other screens might still cause something to happen even in the Search By Title screen. I'm sure disassembly could tell, but I haven't broken open my TiVo nor do I plan to.


Posted by toddcurry on 12-16-2002 04:44 PM:

quote:
Originally posted by subuni
That's a picture of the "Search by Title" screen from a 3.2 system (pardon the flash). It's clear which characters can be entered. A-Z, 0-9, and a space. Hitting PLAY, PAUSE, SLOW, instant reply, or jump-to-current on this screen does nothing. No sound effects, no magical characters.
...
So, knowing that we can only enter the password into the "Search by Title" screen, and these characters you talk about can only be entered on other screens (comma only on "Pick Actor By Last Name", asterisk and quotation mark only on "Choose Keywords"), I ask you again... how do you suggest I enter a comma, an asterisk, or a quotation mark on the "Search by Title" screen?



Two things:
1. Are we entirely sure that someone can't hook up a USB keyboard to the series 2 and enter extended (high ASCII) characters? If so, worrying about comma and quote is like re-arranging deck chairs on the Titanic.

If people could figure out how to connect WiFi to Series 1, I think some plucky user out there can engineer the connection of a USB keyboard.

2. Are we entirely sure that some of the "non-responsive" keys or key combinations can't/don't generate hidden text in the text buffer? So entering two thumbs-down before a B M U S 3 2 might generate *#(@*B M U S 3 2 in the text buffer and give you the keys to the castle.

Disassembler tools might be helpful. They are da norm in password cracking, or so a casual search around the world of Google suggests...

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by stormsweeper on 12-16-2002 05:06 PM:

quote:
Originally posted by toddcurry
Two things:
1. Are we entirely sure that someone can't hook up a USB keyboard to the series 2 and enter extended (high ASCII) characters? If so, worrying about comma and quote is like re-arranging deck chairs on the Titanic.

If people could figure out how to connect WiFi to Series 1, I think some plucky user out there can engineer the connection of a USB keyboard.




The normal kernel does not have USB-HID support. It looks like there may be a module available, but it's not loaded by default. Even if it was, the software itself would need to pay attention to the device for input.

But if you're going to that effort, you already have the means to change the hash to a known value.


quote:
Originally posted by toddcurry
2. Are we entirely sure that some of the "non-responsive" keys or key combinations can't/don't generate hidden text in the text buffer? So entering two thumbs-down before a B M U S 3 2 might generate *#(@*B M U S 3 2 in the text buffer and give you the keys to the castle.

Disassembler tools might be helpful. They are da norm in password cracking, or so a casual search around the world of Google suggests...



It'd be really easy for anyone who has changed the hash or has a pre-3.1/3.2 machine to try hitting one of those keys in the middle of entering the known code.

As for disassembly, how do you think MuscleNerd figured out how to modify tivoapp? The password is not stored in cleartext in the app, it's a one-way hash (which is why it's annoying to break). Disassembly has already been used (see earlier in the thread) to verify the same process is happening with input, which was corroborated by subuni and others changing the hash to a known value and it working.


Posted by mackman on 12-16-2002 06:04 PM:

My opinion: we ain't gonna find it.

TiVo version 2 had a plaintext backdoor code. They didn't want us to find it or they would have published it. I bet TiVo didn't think we would figure out their file system or their resource format. We found it anyway.

TiVo version 3.0 had a hashed backdoor code. They didn't want us to find it or they would have left it plaintext. I bet TiVo didn't think we would figure out their cypher. It was significantly more difficult to discover than the plaintext one, but we found it anyway.

TiVo version 3.2 comes around. They still don't want us to find it or they would have left it simple enough that we would have already found it. We know the mechanism is the same by changing the hash to that of a known plaintext. So without changing the mechanism, what could they do to prevent us from finding it? Their last resort: make it impossible to find.

I am strongly of the opinion that either the code is so long as to be impossible to crack or that it contains characters that cannot be entered on a TiVo. For that matter, the hash value might truly be random. TiVo underestimated the TiVo community twice already, and I don't think they would risk making the same mistake thrice.

Nowhere is it written that there is a working backdoor code waiting to be found. I think our search will be fruitless and our cycles better devoted to other distributed projects.

Just my 2 cents.

PS: If you're a TiVo employee, can you let us know if we're gonna find it or not?


Posted by Cletus on 12-16-2002 07:40 PM:

Re: My opinion: we ain't gonna find it.

quote:
Originally posted by mackman

PS: If you're a TiVo employee, can you let us know if we're gonna find it or not?



Of course they won't do that. If they did, they'd lose the bunch of funny people they can point their finger at while LOL.

__________________
If you can't beat'em... pay someone to do it.


Posted by subuni on 12-17-2002 01:34 AM:

quote:
Originally posted by toddcurry
Two things:
1. Are we entirely sure that someone can't hook up a USB keyboard to the series 2 and enter extended (high ASCII) characters? If so, worrying about comma and quote is like re-arranging deck chairs on the Titanic.



Okay, here's my attempt to kill the keyboard theory (as it's about as annoying as the *", theory). There are a few problems:

1) The only time the USB ports are probed is during the startup scripts (rc.arch). There isn't a daemon monitoring the ports, or anything remotely elegant (this is TiVo we're talking about). rc.arch installs the core USB drivers, looks at the devices connected (/proc/bus/usb/devices), and if the product/vendor id's match those that are supported in the pegasus or rtl8150 modules, it insmod's the respective module. If neither of those two modules are loaded, it removes the core USB drivers. So without cracking open the box, no way to currently get your USB keyboard to work.

Ignoring that, and carrying on:

2) TiVo didn't include any USB HID drivers. However, these can be easily compiled, or you lazy folks can download them. Of course, inserting these modules would require shell access on a S2 running v3.2. Ignoring that, and carrying on:

code:
bash-2.02# insmod /lib/modules/usbcore.o
bash-2.02# insmod /lib/modules/usb-ohci.o
bash-2.02# insmod /var/hack/modules/input.o
bash-2.02# insmod /var/hack/modules/hid.o
bash-2.02# insmod /var/hack/modules/keybdev.o
/var/hack/modules/keybdev.o: unresolved symbol handle_scancode
/var/hack/modules/keybdev.o: unresolved symbol keyboard_tasklet
/var/hack/modules/keybdev.o: unresolved symbol kbd_ledfunc


So, it can't find some symbols. Looks like we'd need to recompile the kernel with keyboard support. This isn't a terribly big issue, except that we can't boot it unless we have a modified PROM or TiVo's private release or debug keys.

Ignoring that, and carrying on, so we now have working keyboard drivers. But what to do with them now... I'd be surprised if tivoapp ever noticed stdin. So, perhaps it's communicating directly with the device? Looking at the strings from tivoapp, in regards to /dev entries, we see:

/dev/bcmgfx /dev/bcmpax /dev/bcmpcm /dev/besrec /dev/besstartcode
/dev/brcm0 /dev/brcmgfx /dev/brcmpax /dev/brcmrec /dev/brcmrecdata
/dev/console /dev/cua1 /dev/hda /dev/hdb3 /dev/i2c /dev/input
/dev/irblast0 /dev/ircatch0 /dev/kfir /dev/log /dev/mem /dev/mem2
/dev/mpeg0a /dev/mpeg0v /dev/mswitch0 /dev/null /dev/ptmx /dev/pts
/dev/tty /dev/ttyDSS /dev/ttyS0 /dev/ttyS3 /dev/urandom

Looking at that list, it doesn't really look like it would interact with our keyboard. A bunch of Broadcom related entries, serial ports (modem, "unsupport" for pppd over serial, etc). And no, /dev/input doesn't deal with keyboards/mice.

So now it'd seem in order to use our USB keyboard, we'd either need a custom build from TiVo with that support, or need a copy of their sourcetree in which we can add our own support.

But to top it off, even if this were the case, that you must have a USB keyboard to enter the code... the hash is the same on S1 DTiVo units running v3.1. Those units lack USB ports, so how would TiVo/DirecTV engineers enter the code during the dev cycle on one of these units?

quote:
2. Are we entirely sure that some of the "non-responsive" keys or key combinations can't/don't generate hidden text in the text buffer. So entering two thumbs-down before a B M U S 3 2 might generate *#(@*B M U S 3 2 in the text buffer and give you the keys to the castle.


Try it for yourself on your system. If you're running 3.0, do something like: "3<space><pause><thumbsdown><play>0<space>BC<thumbsup>".

I just did "3<space>0<space><play><pause><slow>BC<thumbsup>", on my S1/SA v3.0 system, and it enabled backdoor mode.

Although I'm sure the paranoid folks will chime in, saying that those buttons have no effect on v3.0, and that they only work on v3.1 and v3.2. I'd suggest somebody with a v3.1 system to verify it, although I'm sure after that's verified, the excuse will be that it doesn't work on v3.1 systems, that it only works on v3.2 systems.

But being that I'd really like to kill this theory right now, once and for all, I just went and tried this on my 3.2 system as well. Its hash had been modified to that of "3 0 BC". I did the same thing that I did on my 3.0 system:

3<space>0<space><play><pause><slow>BC<thumbsup>

And, hold on to your seats... it worked. Those three buttons have absolutely no effect.

So, can we please end the '*",' and keyboard theories?


Posted by DaveLessnau on 12-17-2002 01:42 AM:

subuni: for some reason, your post, and no one else's, doesn't automatically wrap each line when it runs off the screen. Even the border for your post is pushed way off to the right. Did you do anything odd when you posted it?

__________________
Dave Lessnau

TiVo TCD240080 w/ Belkin F5D5050 USB Ethernet Adapter and 160GB 7200RPM Samsung SP1604N drive (150hrs 53mins @ Basic) with 4.0.1 Philips HDR112 w/ TurboNET and 120GB 5400 RPM Maxtor drive (145hrs 6mins @ Basic) with 3.0. Both hooked through powerlines to the internet via LinkSys PLEBR10 PowerLine EtherFast 10/100 Bridges, a D-Link DSS-5+ Switch, a SonicWall SOHO3 Internet Security Appliance, and finally a Toshiba PCX1100U Cable Modem (PCX DOCSIS)


Posted by Duke on 12-17-2002 07:15 AM:

sure makes it a bit hard to read....

Duke


Posted by bsnelson on 12-17-2002 04:00 PM:

I think the problem with subuni's post is the quoted material; that material didn't have line breaks.

As for the original topic: Folks, we've known from about day 3 into this effort that it was possible the password would never be found. I wholeheartedly agree that all of this "*" and keyboard stuff is crazy.

Consider this: All they would have to do is create a hash for the password they wanted, twiddle two characters in it, and that would effectively break all attempts to find it. It could be that simple.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by geowar on 12-17-2002 04:17 PM:

>Consider this: All they would have to do is create a hash for the password they wanted,
> twiddle two characters in it, and that would effectively break all attempts to find it. It
> could be that simple.

If that were the case then the old (3.0?) hash wouldn't work anymore. And it does.

__________________
--
Enjoy,
George Warner, (408)974-0668
Schizophrenic Optimization Scientists
Apple Developer Technical Support (DTS)


Posted by bsnelson on 12-17-2002 06:42 PM:

No, what I mean was, they twiddle the bytes in the hash that's part of the GA release, and if they need to use backdoors in the field for some reason, they send a runme to change the hash. In other words, I know they didn't change the algorithm; I'm just suggesting that they made the hash invalid after the final beta release.

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by geowar on 12-17-2002 06:56 PM:

Gotcha; it's a totally bogus hash put out just to keep us busy.

Gee, what if we actually found a key sequence that would generate that hash? ;-)

LOL!

__________________
--
Enjoy,
George Warner, (408)974-0668
Schizophrenic Optimization Scientists
Apple Developer Technical Support (DTS)


Posted by ADent on 12-17-2002 07:14 PM:

The old 'Bogus Hash' theory.

Can't really disprove this for the next couple of million years.

We assume that the guys using the backdoor want to see stuff w/o opening the box or modifying the code or anything.

They could use a good code for testing and a bad hash code for production. They have not done this in the past and has anyone noted if they used the same hash value during 3.1 beta testing?

Why go to the hassle when you can use a long (but easy to enter) code that can't be cracked (in a reasonable time).


Posted by toddcurry on 12-17-2002 08:21 PM:

OK, Subuni, I'm sold on keyboard and high ASCII.

But I'm still convinced it was someone in the grassy knoll and not Oswald.

Todd

__________________
post hoc, ergo propter hoc -- the curse of newscasters since the dawn of language


Posted by subuni on 12-17-2002 10:11 PM:

quote:
Originally posted by ADent
Why go to the hassle when you can use a long (but easy to enter) code that can't be cracked (in a reasonable time).


Why go to the trouble of remembering a long code, when you just modify your build environment ever so slightly....

ifdef CONFIG_TIVO_DEVEL # in-house development
BACKDOOR_HASH="d1564d0fbf7807e2ec52102e099521b360b68f23" # BD
else # this is a release version
BACKDOOR_HASH="9f25f9199ca255a61dbcee03b0fb47f872e2a095" # AVSWILLNEVERHACKTHIS
endif

You throw that into your build environment, modify whatever is used to generate the swsystem slice file so it looks for the variable BACKDOOR_HASH, and then when you do a dev build you get a nice easy password of "BD", and when you do a release build you get an impossible-to-crack 20 character long password.

There's no extra hassle when building, since you have to specify the build type anyways. And as bsnelson points out, if for whatever reason they ever need to activate backdoor mode in the field, they send down a runme/slice to that user's box (targeted via serial number) that changes the hash. Once the problem is solved, they send down another one that changes it back. No extra hassle there, either. It's no different than what they do for special one-off debug versions, when they send out betas to beta testers, or when they slowly roll out software to a group of people... It's all targeted via serial number.


Posted by snedecor on 12-18-2002 01:57 AM:

Proxomitron proxy server string

I use Proxomitron to kill pop-ups, ads, etc.

When it's enabled, I can't use Tivocrack.

Here's the string :

<!--//--><script>var PrxLC=new Date(0);var PrxModAtr=0;var PrxInst; if(!PrxInst++) PrxRealOpen=window.open;function PrxOMUp(){PrxLC=new Date();}function PrxNW(){return(this.window);} function PrxOpen(url,nam,atr){ if(PrxLC){ var cdt=new Date(); cdt.setTime(cdt.getTime()-PrxLC.getTime()); if(cdt.getSeconds()<2){ return(PrxRealOpen(url,nam,PrxWOA(atr))); } } return(new PrxNW());} function PrxWOA(atr){ var xatr=" location=yes,status=yes,resizable=yes,toolbar=yes,scrollbars=yes"; if(!PrxModAtr) return(atr); if(atr){ var hm; hm=atr.match(/height=[0-9]+/i); if(hm) xatr+="," + hm; hm=atr.match(/width=[0-9]+/i); if(hm) xatr+="," + hm; } return(xatr);}window.open=PrxOpen;</script>^M^J
<!--//--><script> function NoError(){return(true);} onerror=NoError; </script>^M^J
<!--//--><script> function moveTo(){return true;}function resizeTo(){return true;}</script> ^M^J
WUID=1000114^JNONCE=1000536684^JRUN=TC2^M^JCTEXT=96F8B204FD99534759A6C11A181EEDDFEB2DF1D4^M^JRESULTURL=http://edo.lcs.mit.edu/dclient/putwork.php^M^J^JA

WorkUnit is there, just jumbled amongst the stuff proxomitron added.

Snedecor


Posted by WayneGoode on 12-18-2002 08:51 PM:

Re: Proxomitron proxy server string

quote:
Originally posted by snedecor
I use Proxomitron to kill pop-ups, ads, etc.

When it's enabled, I can't use Tivocrack.

WorkUnit is there, just jumbled amongst the stuff proxomitron added.

Snedecor



It is missing stuff at the end of the Work Unit. After what is listed should follow ALPHABET, PATTERN, SEED, and STATUS.

I could modify v2.07 to also rip stuff off the front, but I don't know anything to do about the stuff missing on the end.

__________________
"Never play tri-dimensional chess with a robot that has a planet for a first name." Harry in "Prodigy" by Arthur Bryan Cover


Posted by TonyB on 12-18-2002 10:09 PM:

Is the hash case sensitive?

In other words, does "I WANT A PONY" produce the same hash as "i WaNT a PoNY" ?

If they change certain letters or letters in a certain position in the string to lower case, wouldn't the crack program have run right past the answer because it doesn't check lower case?


Posted by subuni on 12-18-2002 10:54 PM:

Hashes are case sensitive...

code:
1dc6f4aaa2e8c5dc0fdebedad92c483b4d43a9ae hello
f8995fc6da6a37c5d546dcdd6257cfcbb75ee5f9 HELLO


And this has already been tried. 88d2416051119f4174d199111eae052db4d76931 ("30bc") was inserted into MFS, and backdoor mode could not be enabled.


Posted by dd9 on 12-18-2002 10:57 PM:

quote:
Originally posted by TonyB
Is the hash case sensitive?


You can't enter lower case letters on the Tivo screen - so no.


Posted by embeem on 12-18-2002 11:38 PM:

quote:
Originally posted by TonyB
Is the hash case sensitive?

In other words, does "I WANT A PONY" produce the same hash as "i WaNT a PoNY" ?

If they change certain letters or letters in a certain position in the string to lower case, wouldn't the crack program have run right past the answer because it doesn't check lower case?



The hashes for upper and lowercase letters are indeed different. There's no way to enter in lowercase letters in the user interface and it's difficult to perform a case insensitive match.

basically you're dealing with
code:
hash(input) = run input through sha
if hash(input) equals hash(mfs_backdoor_pass) then enable backdoors


the way most case insensitive matches work is like this:

code:
if lowercase(a) equals lowercase(b) then ...


now, you can't possibly change the case of the hash from mfs to upper/lowercase so you have to assume that one of the following happens:

#1 no case conversion is done on the input, hash(input) should equal hash(backdoor_from_mfs) given the right input

#2 the input is converted to lowercase to match the hash in mfs which was lowercase

#3 the tivo hashes every upper/lowercase variation on the input

#4 the tivo changes the case of the input in a predetermined pattern of upper/lowercase

...

#2 doesn't work, I've tried setting the backdoor to "test" and then keying in "TEST" -- this also rules out #3.

Given that a hash of "TEST" works we know that #1 is valid. #4 may be a possibility but it seems unlikely and without knowing the pattern you'd have to run the cracker through a large number of combinations to handle every variation.

You could check the possibility of #4 by setting the hash to one of the following
BAr, BaR, Bar, bAR, bAr, baR, bar
and seeing if any of those matched and try to figure out the pattern of upper/lowercase but I doubt you're likely to match on any of those anyways.

__________________
http://tivo.samba.org/download/mbm
E4pFXEMBEEMXXv2L0TlAFOYC3/2HtWFvYiL3md0h2cxuU1BFugTKBBaOi1GH/7265DTD4a57
7fg1JOK8+3nCiZvRjl11Bit4LuaXA4KjPh0OHCyFIpSP2VJkb5pkY2M5HPlBN0/UawyQBhSM
CVnB02kbxifsgVYcYfEiTG2qfIdFXmstrEhW9gpe+5OxEYid979qu1Esg2YHNA7W8tSTd1t9
88LYW46AhE01Uts8pa4TgZazxlo/FkMAS3i/Oqtm7Rf8C6QzXmbDgbN+fP+Fcu53FOtZXNXX
ClRoZSB0cnV0aCBhYm91dCBhIG1hbiBsaWVzIGluIHdoYXQgaGUgaGlkZXMgLU1hbHJhdXgK
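
The case-sensitivity point made in the two posts above (subuni's hello/HELLO digests and embeem's cases #1 through #4), as an added example that is not code from the original thread or from the TiVoCrack project. It assumes plain SHA-1 over the raw password bytes, so its digests will not match the ones quoted on the page (the exact TiVo hash construction is not shown in the thread); the function names are mine. It shows why a case-insensitive match is not possible on the hash itself, and what "handle every variation" (case #4) costs: 2^n digests for an n-letter input.

```python
import hashlib
import hmac
import itertools

# Constructed example: plain SHA-1 over the raw password bytes.
# ASSUMPTION: the real TiVo hash construction is not known from the thread,
# so these digests differ from the ones quoted in the posts.


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as 40 lower-case hex characters."""
    return hashlib.sha1(password.encode("ascii")).hexdigest()


def backdoor_enabled(entered: str, stored_hash: str) -> bool:
    """Case #1 from the post: hash the input exactly as typed and compare.

    The comparison is on the digest, so it is case sensitive by construction.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha1_hex(entered), stored_hash.lower())


def case_variants(word: str):
    """Every upper/lower-case spelling of word (cases #3 and #4 in the post).

    For 'bar' this yields 8 strings: bar, baR, bAr, bAR, Bar, BaR, BAr, BAR."""
    letters = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*letters):
        yield "".join(combo)


def find_matching_variant(entered: str, stored_hash: str):
    """Brute-force the case pattern.

    The only way to make a hash comparison 'case insensitive' is to hash every
    variant, which costs 2**n digests for an n-letter input. Returns the
    variant that matched, or None."""
    for variant in case_variants(entered):
        if backdoor_enabled(variant, stored_hash):
            return variant
    return None


if __name__ == "__main__":
    for word in ("hello", "HELLO", "TEST", "test"):
        print(f"{sha1_hex(word)} {word}")
    stored = sha1_hex("test")                     # hash installed as lower case
    print(backdoor_enabled("TEST", stored))       # False: case #2 fails
    print(find_matching_variant("TEST", stored))  # 'test': found by enumeration
```

The enumeration is what embeem's "BAr, BaR, Bar, bAR, ..." check amounts to; note that it only tells you which case pattern the stored hash used, and each extra letter doubles the work.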


Posted by marka on 12-19-2002 05:25 PM:

Re: Re: Proxomitron proxy server string

quote:
Originally posted by WayneGoode
It is missing stuff at the end of the Work Unit. After what is listed should follow ALPHABET, PATTERN, SEED, and STATUS.

I could modifiy v2.07 to also rip stuff off the front, but I don't know anything to do about the stuff missing on the end.



That wouldn't fix the root of the problem. The real problem is on the server. The server is sending "Content-Type: text/html" when it should be sending "Content-Type: text/plain".


Posted by dswallow on 12-19-2002 10:46 PM:

My thought was that there's something else, even on a different screen, that you might have to do which would affect what happens in the hashing for the text entered as the backdoor code.

Has anyone traced through the execution of the code to see if there's something that might conditionally modify the input text as it's input or hashed?

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by jsessler on 12-19-2002 11:10 PM:

is http://edo.lcs.mit.edu/dclient/ down?

I tried to contact it but it is not responding or handing out keys.

Jeff


Posted by leebo on 12-20-2002 12:57 AM:

It worked for me just now...but it seemed to take a bit longer to connect.


Posted by snedecor on 12-20-2002 02:23 AM:

Web site up, not getting work units

The web site is reachable, but neither the workgroup passing out, nor the statistics are working.

I think this happened once before, the server was up but the database was not taking connections (or something like that).


Posted by EdwinOlson on 12-20-2002 03:31 AM:

Well, I'm thoroughly convinced that using mysql the way I am wasn't such a brilliant idea. It seems that as the workunits table gets bigger, everything is taking longer to do, and even though we have fewer machines participating than a while ago, the server is under more load.

Periodically, I reoptimize the table which seems to help a lot. Also, the stats calculations seem to be a major issue-- it's very slow. I may bump it down to every 4 hours or something.

Anyhoo, I never really thought we'd be big enough to tackle 10+0 so hurrah Always learning something!

The server seems to be up and happier again.

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by lmurray on 12-20-2002 02:21 PM:

ed, can you check again. I'm having problems connecting from 2 different IPs.

thanks,
-lloyd-


Posted by tarman on 12-20-2002 02:28 PM:

quote:
Originally posted by lmurray
ed, can you check again. I'm having problems connecting from 2 different IPs.

thanks,
-lloyd-



Ditto here!

__________________
Tom


Posted by trojanrabbit on 12-20-2002 02:29 PM:

make that 3

__________________
Paul

Don't ask for more than you can handle, you may get it. - The Great Gazoo


Posted by Cletus on 12-20-2002 02:41 PM:

3 of my computers are now inactive because they don't get any work units from the server. The 4th is slower and still has work to do from yesterday.

__________________
If you can't beat'em... pay someone to do it.


Posted by Rura Penthe on 12-21-2002 08:10 PM:

I'd love to add a few computers to the project but I can't get a work unit.

What kind of bandwidth does the server use doing this project?

Edit: I stand corrected, it's working now.


Posted by jeffles37 on 12-23-2002 05:46 AM:

RE: Proximitron

Make sure you have [^/]++eolson.dyndns.org/ in your bypass.txt. You should be able to get in then barring any flukey problems serverside.


Posted by rewilson on 12-23-2002 02:15 PM:

Re: Solving errors behind firewalls

quote:
Originally posted by WayneGoode
If you are having problems running behind a firewall, download and run the attachment and tell me what your Work Unit string is. This is an executable only and will print the Work Unit if you have an error. Control characters are preceded by ^. The Work Unit is rather long so you will probably need to copy it out of the log file.

If you post it on the board, replace the digits after the WUID and NONCE with all zeros. I don't need to know what they are and this preserves the security of the Work Unit check-in system.

After seeing what the firewalls are doing to the Work Unit, I should be able to make a change that will work for all of them.



Hello! Any luck with the work unit strings I posted (about 3 pages back). I will have to upgrade my fastest system to Norton Internet Security 2003 within the next few days if I want to keep my virus definitions up-to-date. That will take that system out of the hunt until a version of TiVocrack is developed that works with NIS 2003.

Thanks for your help!
--Bob


Posted by TiredGuy on 12-24-2002 01:24 AM:

Grinding to a halt...

I've got 6 machines running, and I think they've only been able to get 10 work units today total.

Edwin, do you need help analyzing the bottleneck on the keys table? It looks like the project may come to a halt soon if the bottleneck isn't improved...


Posted by jp78 on 12-24-2002 07:38 AM:

Holy moly... I can't believe I read this whole thread (it only took me four days! ).

Well, I'd make a comment on how well we're doing but I can't seem to get any info from the stats page tonight.

Has anyone already tried short strings (5, 6, 7 chars) padded out to 20 chars with trailing spaces? Might be worth some fiddling.


Posted by EdwinOlson on 12-27-2002 12:54 AM:

Hey folks!

At this point, I just can't keep things up and running adequately, so I'm just gonna throw up my arms and say:

"Hey, we had a good run! But who really cares anymore?"

That said, this project was a success beyond any expectations!

- At one point, we had more than 2000 machines participating! I originally expected ~100.

- We searched a HUGE key space. Originally, my goal was to finish 8+0, 8+1, and maybe 8+2. If things went *really* well, I hoped to attempt 9+0. Well, we clobbered 9+0 and did half of 10+0. Wow.

- The client was ported by others to a very large number of platforms-- just check out the system reports page! http://edo.lcs.mit.edu/dclient/systemreports.php

- I received patches and comments from about 20 different people, not counting the extensive work done by Barclay on the windows client way back!

- This thread has been incredibly popular, with an insane number of viewings and postings in a relatively small amount of time.

All in all, the Tivo community is an awfully impressive group. This was a great opportunity for me personally-- there was an immense exchange of knowledge in which I was largely a recipient. In the end, I wasn't able to keep up with the project, and I apologize if any of you feel let-down.

Thanks to all of you!

-Ed

PS: I'll keep the server up and running for a while, and I'll post the server code afterwards.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by David5150 on 12-27-2002 04:14 AM:

Thanks Ed!...I never ran the program, but I have watched the conversation with much hope. Someone will crack it, sooner or later.

Good Luck To Everyone!
David


Posted by ErrorF002 on 12-28-2002 05:29 AM:

This is too bad. I just finished skimming through this thread and I have to admit you have all done a fine job of organizing yourselves. I was also looking forward to helping out. I just got my series 2 TiVo with 3.2-01-2-1F0. Without these backdoor codes..... what can I do with this box? I was thinking about getting a USB network adapter but without the ability to telnet in to work with it I won't be able to justify the purchase. We can't just let this initiative die.

Ed,
Let us know what we need to do in order to continue your work. I don't have any beefy servers to use as the main server but I have two workstations I am willing to contribute.


Posted by David Bolling on 12-28-2002 02:04 PM:

I'm really disappointed too, but it's primarily directed at Tivo. Not having the FF-auto-correction set exactly as I like is a big peeve of mine. I like the other capabilities backdoors get me too, but that one is a necessity in terms of usability, IMO.


Posted by ThreeSoFar on 12-30-2002 04:03 AM:

quote:
Originally posted by ErrorF002
thinking about getting a USB network adapter but without the ability to telnet in to work with it I won't be able to justify the purchase.

Expense? It's like $16, with shipping...

__________________
I think ThreeSoFar's advice is by far the best...gregpr

Four TiVos now, all with single Samsung drives:
Humax DRT800 w/DVD-R (174hrs)
Two older Series 2's (142hrs and 157hrs),and a newer nightlight
Series 2, a stupid case design IMO (174hrs)
All but the last are lifetimed. TiVite since 2000. There is a Good IR solution.

Got Vonage 4/9/03--need a referral credit?


Posted by ErrorF002 on 12-30-2002 06:07 AM:

quote:
Originally posted by ThreeSoFar
Expense? It's like $16, with shipping...


Well, if I am going to do it I would need to get a WET11 as well and that's around $100. That is why I don't want to take the plunge unless I know I will get some functionality out of it.


Posted by Dr. Anon Nym on 12-30-2002 03:59 PM:

EdwinOlson

Is there no way to continue this project? Should we? I'd rather have my cycles allow fun for future Tivo users (me included) than figure out an optimum global ruler.

Anyone have the resources to finish the current keyspace? GreaterGood seems to be swimming in it!


Posted by ErrorF002 on 12-30-2002 04:22 PM:

Perhaps Ed can post the stats of his server and see what we can do about arranging for another piece of hardware. For me it isn't about getting the code. It's about not losing.

Another area of concern is whether or not the system is screwing with case when we input. Perhaps we can restart the effort from the beginning with lowercase as well, assuming that the keyspace does not exceed 10. Is the server still up?

I have been trying to download the client and I keep getting 404.


Posted by ErrorF002 on 12-30-2002 04:26 PM:

nm its working now.

But I am having one problem. I attempt to register my user name but the log says:


11:52:05: User = [], Work Unit = 1148749

When it starts up. Am I registered?

I am using 2.05 and my start shortcut is using the following:

"....\TiVoCrack.exe" -u ErrorF002 -z1 -r -s1 -i

all the other options set fine and are acknowledged in the startup log but username.

I am on WinXP. Lemme know cause I have a lot of computer at work that I can dedicate to this.


Posted by jp78 on 12-30-2002 05:43 PM:

quote:
Originally posted by ErrorF002

"....\TiVoCrack.exe" -u ErrorF002 -z1 -r -s1 -i



lose the space between -u and ErrorF002.


Posted by ErrorF002 on 12-30-2002 06:46 PM:

Funny..... I could have sworn I tried that. Thanks for the help.


A suggestion on the help text:

Include an example string like:

TivoCrack.exe -uAlfalfa -z1

I had to search through the posts to find an example. Too many people out there like me will find a way to start it up wrong :-)


Posted by EdwinOlson on 12-30-2002 10:57 PM:

The machine is a P-III/800 with 256 MB of RDRAM.

The biggest problem was actually how the performance of the mysql database scaled. Of course, this is a function of how I use the database, but I was still surprised since I thought I'd created the appropriate indexes. I tried to log darn near everything, and some operations required locking the table because my mysql build doesn't support transactions. This, combined with the row-per-workunit design, just made the database work too hard.

To continue the project, I think it'd require a different server software setup. I think I've learned enough to know what to do (talk about learning by fire!)-- make the table contain only issued workunits and dynamically generate fresh ones, for example--but I've long since exceeded the amount of time I planned on putting in on this little lark.

If someone else would like to pick it up, I'd encourage them to! But I'll just be running the client.


quote:
Originally posted by ErrorF002
Perhaps Ed can post the stats of his server and see what we can do about arranging for another piece of hardware. For me it isn't about getting the code. It's about not losing.

I have been trying to download the client and I keep getting 404.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
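
The server design Ed sketches above (a table holding only issued work units, with fresh ones generated on demand instead of a row per work unit up front), together with WayneGoode's earlier remark that the NONCE is what protects the check-in system, as an added example that is not the TiVoCrack server's code. It uses sqlite3 from the Python standard library; the schema, the function names and the UNIT_SIZE partitioning are my assumptions, since the page shows only the WUID, NONCE and STATUS field names.

```python
import secrets
import sqlite3

# Constructed example: the keyspace is cut into fixed-size ranges and a range
# becomes a database row only when it is handed out. ASSUMPTION: schema,
# names and UNIT_SIZE are mine; the real TiVoCrack protocol is not on the page.

UNIT_SIZE = 1_000_000   # candidate passwords per work unit (constructed value)


def open_db(path=":memory:"):
    """Create the two tables: a single-row counter and the issued units."""
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS counter (next_start INTEGER NOT NULL);
        INSERT INTO counter SELECT 0 WHERE NOT EXISTS (SELECT 1 FROM counter);
        -- one row per issued unit only; finished units keep their status
        CREATE TABLE IF NOT EXISTS issued (
            wuid   INTEGER PRIMARY KEY AUTOINCREMENT,
            start  INTEGER NOT NULL,
            nonce  TEXT    NOT NULL,
            user   TEXT,
            status TEXT    NOT NULL DEFAULT 'issued'
        );
    """)
    return db


def issue_workunit(db, user):
    """Hand out the next untouched range (generated now, not pre-populated).

    The nonce is a per-unit secret the client must echo back, so someone who
    only knows a WUID (e.g. from a posted log) cannot check in results for it."""
    nonce = secrets.token_hex(8)
    with db:   # one transaction: bump the counter and record the unit
        (start,) = db.execute("SELECT next_start FROM counter").fetchone()
        db.execute("UPDATE counter SET next_start = ?", (start + UNIT_SIZE,))
        cur = db.execute(
            "INSERT INTO issued (start, nonce, user) VALUES (?, ?, ?)",
            (start, nonce, user))
    return {"WUID": cur.lastrowid, "NONCE": nonce,
            "START": start, "END": start + UNIT_SIZE}


def checkin(db, wuid, nonce, status):
    """Accept a result only if the WUID exists, the nonce matches and the unit
    has not been checked in before (no double counting, no replay)."""
    with db:
        row = db.execute("SELECT nonce, status FROM issued WHERE wuid = ?",
                         (wuid,)).fetchone()
        if row is None or not secrets.compare_digest(row[0], nonce):
            return False
        if row[1] != "issued":
            return False
        db.execute("UPDATE issued SET status = ? WHERE wuid = ?",
                   (status, wuid))
    return True


def stats(db):
    """Cheap aggregate for a stats page: one GROUP BY over issued rows only."""
    rows = db.execute(
        "SELECT status, COUNT(*) FROM issued GROUP BY status").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = open_db()
    wu = issue_workunit(db, "alice")
    print(wu)
    print(checkin(db, wu["WUID"], "0000000000000000", "done"))  # False: bad nonce
    print(checkin(db, wu["WUID"], wu["NONCE"], "done"))        # True
    print(checkin(db, wu["WUID"], wu["NONCE"], "done"))        # False: replay
    print(stats(db))
```

Because unissued ranges are just a counter, the table grows only with units actually handed out, which is the scaling fix Ed describes; the nonce check and the single-use status are what stop a forged or replayed check-in from marking a range as searched.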


Posted by dswallow on 12-30-2002 11:31 PM:

Well, I have a Windows 2000 Server with Microsoft SQL server, and hosting it would require a few changes in the server-side stuff no doubt, but it's on a dual P3/1GHz with 2GB of RAM, connected over a bunch of OC-12, T-3 and T-1 connections, and I have no problems making space available to continue this project if someone would like to handle or at least help with the getting-it-up part (no puns, please).

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by ErrorF002 on 12-31-2002 02:02 AM:

quote:
Originally posted by dswallow
Well, I have a Windows 2000 Server with Microsoft SQL server, and hosting it would require a few changes in the server-side stuff no doubt, but it's on a dual P3/1GHz with 2GB of RAM, connected over a bunch of OC-12, T-3 and T-1 connections, and I have no problems making space available to continue this project if someone would like to handle or at least help with the getting-it-up part (no puns, please).


Well dswallow, that sounds like a great box. I have a box at work as well but I am wary of using it as it isn't exactly available. I will be more than happy to help you on the setup; although I am not an expert with databases, I do have the basic concepts down.

Ed,
I know that you have been carrying the torch on this for quite some time and no one in the Underground can say that you haven't given it 110%. But I was wondering if you can supply me with an ERD of the database that you have envisioned. And perhaps you won't mind a couple of pestering emails with questions. I will PM you my email address so that you can send me whatever you can.

For the record:

I am not a programmer
I am a far cry from a DBA
I am a Network admin that wants to help. I am willing to get the database structure in place from whatever input Ed can give me so that we can restore it on dswallow's server. I can't handle the client changes or the server side software changes so if anyone can handle that it would be great!


Posted by ldeleski on 12-31-2002 03:04 AM:

I too am willing to lend a hand, but I'm afraid I came upon this thread only yesterday. I have access to lots of available server capacity and a DS-3.

If anyone wants to continue this effort please let me know what I can do to help.


Posted by ErrorF002 on 12-31-2002 02:50 PM:

ldeleski
That is good to hear. As soon as Ed reorganizes his thoughts and preps a passdown we are going to restructure from there and pick up where the old system left off.

Ed,
Here is an issue I encountered on a few of my clients after running them for the first time. I come in this morning to find my client stopped and the logs have the following.

1:08:02: Getting the next work load
1:08:02: Error: No more work to do
1:08:02: Didn't receive WUID from server!
1:08:02: Didn't receive RESULTURL from server!
1:08:02: Didn't receive NONCE from server!
1:08:02: Didn't receive RUN from server!
1:08:02: Didn't receive CTEXT from server!
1:08:02: Didn't receive ALPHABET from server!
1:08:02: Didn't receive PATTERN from server!
1:08:02: Didn't receive SEED from server!
1:08:02: Error decoding the work unit!
1:08:02: Call failed, trying again
1:08:02: Sleeping for a minute
1:09:02: Try number 2
1:09:02: Getting the next work load
1:09:02: Error: No more work to do
1:09:02: Didn't receive WUID from server!
1:09:02: Didn't receive RESULTURL from server!
1:09:02: Didn't receive NONCE from server!
1:09:02: Didn't receive RUN from server!
1:09:02: Didn't receive CTEXT from server!
1:09:02: Didn't receive ALPHABET from server!
1:09:02: Didn't receive PATTERN from server!
1:09:02: Didn't receive SEED from server!
1:09:02: Error decoding the work unit!
1:09:02: Sleeping for a minute
1:10:02: Try number 3
1:10:02: Getting the next work load
1:11:18: Next workload failed, giving up

I set my system to sleep for a minute and retries are set to infinite. Why does my client give up? Is my sleep period too aggressive? (every clock cycle counts ). I imagine I am unable to get a work load because the server is too busy at the moment. Is this a bug in the client or is there something wrong with my start string?

-uErrorF002 -z1 -r -s1 -i

For now I am going to remove -s1 to go back to the default of 5min and hopefully that will help keep my clients crunching.

Another thing I have noticed is that if you restart the client and the server is not able to assign a workload, the client waits patiently at "Getting the next work load" until it is assigned one. Perhaps we can make this the default behaviour, or is this a drain on the server?


Posted by buzzard on 12-31-2002 03:51 PM:

I am pretty good at tuning Microsoft SQL as writing SQL has been my job for the last 7 years. If you want me to help tune the SQL, give me an account on the database and I will take a look.

No promises though

__________________
(1) Philips DSR6000 (~149 Hours)


Posted by jp78 on 12-31-2002 04:15 PM:

quote:
Originally posted by ErrorF002
Is my sleep period too aggressive? (every clock cycle counts ). I imagine I am unable to get a work load because the server is too busy at the moment.


Well, this was discussed earlier in this thread (but since this thread is soooooooo long, you probably didn't read it all). The problem has been that the server gets too busy doing something DB related, and then all of the zillions of windows clients out there start pounding it every minute for more work. That's why the default sleep period was raised in the first place. You should leave it at the default.

HTH


Posted by talbright on 01-02-2003 02:56 AM:

Hi there! I am new to TiVo but pretty computer literate. Since my TiVo is new I am leery about opening the box and messing with it. I would love to look at the logs to see why my network adapter isn't working. I am guessing it just isn't supported but kinda want to see anyway. Is there any way to look at the logs without knowing the new backdoor password? I have a series 2 40 hour. The USB network adapter I bought is a Linksys compact 10/100 adapter. It's not on the (un)supported list, which I found out after buying it. Any advice?

Tracy


Posted by ADent on 01-02-2003 07:03 AM:

The two ways to look at the logs are via the backdoor password and see them on screen on your TV or pull the drives and mount them on your PC using one of the boot floppies or CDs around here.


Posted by int1 on 01-04-2003 11:24 PM:

EdwinOlson/current server maintainer:

Just curious if you could post a static page with overall project stats in lieu of the prior dynamic one? I'd love to see how many days we have left at the current rate. It seems to me that we are blowing through the "alphabet" quicker the last few days.

Thanks for all the great work!
int1


Posted by bsnelson on 01-05-2003 07:49 AM:

OK, this doesn't help with finding the actual password, but if you're going to the effort to hack the encrypted string in MFS, why make it "0V1T" or "B M U S 1" or whatever? Use this string:

code:
E24CCD6DEEE2883D54BA6895637C006C1B1C13D9


This makes the backdoor password become "A" (that's just one character: letter A). So, all you have to do is "Search By Title", then Select, then thumbs-up (the A is already highlighted).

That's MY kind of password!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by embeem on 01-05-2003 09:07 AM:

Well, technically you don't need to enter in any value

If you encode an empty string you end up with
EEA339DA0D4B6B5EEFBF5532901860950907D8AF

.. in other words just go into the search screen and hit thumbs up

__________________
http://tivo.samba.org/download/mbm


Posted by bsnelson on 01-05-2003 07:57 PM:

Good point. Doh!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by embeem on 01-06-2003 10:05 PM:

MuscleNerd:
worked fine when I tried it on 3.2

__________________
http://tivo.samba.org/download/mbm


Posted by int1 on 01-14-2003 01:29 AM:

bump

bump.

(Just a reminder that we are still working this, and continue to need more people running tivocrack to finish sooner!)

int1


Posted by paladin732 on 01-14-2003 01:58 AM:

it's gonna be version 4.0 before they find anything for 3.1 or 3.2

__________________
Life's a Glitch, Then You Die


Posted by heh2k on 01-14-2003 02:50 PM:

Re: bump

quote:
Originally posted by int1

(Just a reminder that we are still working this, and continue to need more people running tivocrack to finish sooner!)



i thought it was over. where's the new server?


Posted by mij on 01-14-2003 02:53 PM:

I haven't been running it for a while... Seems like we need a new thread, or some kind of way to let people know what is going on. I started my client up and got a work unit.. hopefully it's grabbing the right thing???

Mij


Posted by int1 on 01-15-2003 05:37 PM:

Re: Re: bump

quote:
Originally posted by heh2k
i thought it was over. where's the new server?


http://edo.lcs.mit.edu/dclient/

Looks like it might be down again temporarily. It was working great for a couple of weeks. It'll probably be up again shortly.

int1


Posted by Dr. Anon Nym on 01-17-2003 01:41 PM:

Is there server down?

I've had no work units for 4 days. Is the server down? Is it over?

This machine seems to be down. -->edo.lcs.mit.edu

I started using a dnet client to fill the time. I have 4 machine that have to run all of the time. It's a shame to waste the cycles.


Posted by jp78 on 01-17-2003 07:03 PM:

FYI, I just got a new work unit (after several days of not getting any), so it's back up!


Posted by adrianblack on 01-18-2003 10:36 PM:

quote:
Originally posted by embeem
If you encode an empty string you end up with
EEA339DA0D4B6B5EEFBF5532901860950907D8AF

.. in other words just go into the search screen and hit thumbs up



I gave this a try and it worked perfectly. Much easier after rebooting.... I just used 'hexedit' to do it. (taken from my linux box, using a floppy with the Tivo boot cd.)

Thanks embeem.

__________________
Tivo Series2 89hr, 4.0.1, HMO, Ethernet (First revision)
Tivo Series2 89hr, 4.0.1, HMO, Ethernet

I'm SICK of failing hard drives. All units single Seagate Barracuda drives.... and multiroom viewing rocks!
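The stored-hash trick bsnelson and embeem describe above, as an added Python example (not code from the thread or from TiVo). It reproduces the two values quoted in the thread, and checking them against a standard SHA-1 digest shows that the stored form is the five 32-bit SHA-1 words with their bytes reversed; that byte order is an assumption verified only against those two values.

```python
import hashlib

# Reference values quoted in the thread: the stored value that makes the
# backdoor code "A" (bsnelson's post) and the one for the empty string (embeem's).
STORED_HASH_A = "E24CCD6DEEE2883D54BA6895637C006C1B1C13D9"
STORED_HASH_EMPTY = "EEA339DA0D4B6B5EEFBF5532901860950907D8AF"


def sha1_hex(code: str) -> str:
    """Standard (big-endian) SHA-1 hex digest of the entered code."""
    return hashlib.sha1(code.encode("ascii")).hexdigest().upper()


def swap_words(digest_hex: str) -> str:
    """Reverse the byte order inside each of the five 32-bit SHA-1 state words.

    Assumption (checked against the two quoted values): the stored value is the
    SHA-1 state written out word by word in little-endian byte order, so it
    equals a standard hex digest only after this swap. The swap is its own
    inverse, so the same function converts in either direction.
    """
    raw = bytes.fromhex(digest_hex)
    if len(raw) != 20:
        raise ValueError("SHA-1 digest must be 20 bytes")
    return b"".join(raw[i:i + 4][::-1] for i in range(0, 20, 4)).hex().upper()


def stored_hash_for(code: str) -> str:
    """The value that would have to sit in the resource slot for `code` to unlock."""
    return swap_words(sha1_hex(code))


def code_unlocks(code: str, stored_hex: str) -> bool:
    """The check the thread describes: hash the input, compare to the stored value."""
    return stored_hash_for(code) == stored_hex.upper()


if __name__ == "__main__":
    for code, stored in (("A", STORED_HASH_A), ("", STORED_HASH_EMPTY)):
        print(f"code={code!r:4} sha1={sha1_hex(code)} stored={stored_hash_for(code)} "
              f"matches_thread_value={code_unlocks(code, stored)}")
```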


Posted by EdwinOlson on 01-19-2003 04:28 PM:

I've taken the server offline for good now. Thanks again to those who participated.

I've posted source code and some thoughts about the project here:

http://edo.lcs.mit.edu/dclient/

Cheers!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by snedecor on 01-19-2003 05:43 PM:

Made it to 123rd!

Thanks Edwin for your work on this project.

Because of TivoCrack, I was inspired to:

1) Create 3 computers out of the boneyard of the upgrades of my main computer. They didn't even have monitors, just ran TivoCrack client.
2) Purchase a wireless router and card, so my laptop could TivoCrack.
3) Talk my sons into TivoCracking
4) Load the client on several computers at work.

I know I wasn't GreaterGood, but at least I tried.


I would be still interested in participating in a resurrected effort, but only on the client end (no smarts, no software, etc.)

It's been fun!


Posted by bsnelson on 01-19-2003 06:25 PM:

Ed, you deserve a big round of applause for your efforts in the TiVoCrack "project". Although we didn't find the password, I think a great time was had by all, and a lot was learned as well.

Thanks a ton for your investment of time and knowledge!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)


Posted by qwertyasd on 01-19-2003 06:36 PM:

Has anyone considered asking/bribing a TiVo employee? It seems that if the TiVoCrack program already tried all combinations of space through Z up to 10 characters, the BC is something that they don't want to be known.


Posted by paladin732 on 01-19-2003 06:39 PM:

quote:
Originally posted by qwertyasd
Has anyone considered asking/bribing a TiVo employee? It seems that if the TiVoCrack program already tried all combinations of space through Z up to 10 characters, the BC is something that they don't want to be known.
yea someone should pay tivopony ten bux for the 3.1 backdoor code.. maybe he will throw in your 3.2 one also


Posted by DarkHelmet on 01-20-2003 07:31 AM:

The 3.1 and 3.2 code is the same.

__________________
Sony SVR-2000 (3.0 - 103 hours + turbonet + RCA430)
Philips HDR-112 (hard drive died, no backup)
Hughes GXCEB0T (3.1.0c2 - 149 hours + turbonet)
Hughes GXCEB0T (3.1.0c2 - 143 hours + turbonet)
Sony SAT-T60 (3.1.0c2 - 149 hours + turbonet)


Posted by miniyoda on 01-21-2003 03:37 PM:

quote:
Originally posted by paladin732
yea someone should pay tivopony ten bux for the 3.1 backdoor code.. maybe he will throw in your 3.2 one also


or we each chip in $10 for the code (small price to pay). TivoPony......how much is your standard bribe?


Posted by mstroh on 01-29-2003 11:11 AM:

Has there been any movement on finding a new server and/or on the 'chipping' project?

-mike


Posted by rpalmeri on 02-01-2003 03:34 AM:

Ask Tivo!

I asked them. Here's the email.

Hello Russ,

Thank you for contacting TiVo!

We are unable to assist you with your request. TiVo does not support the feature you inquired about. We do not support changing any of the features of the TiVo service. For your convenience, we have created case number 920652. If you contact us, please refer to this case number.

Sincerely,

Erica

TiVo Customer Support


******************************

--- Original Message ---
From: rpalmeri@
Received: 11/18/2002 10:51pm Eastern Standard Time (GMT - 5:00 )
To: tivocare@tivo.com
Subject: [[TiVo Support] How do I...?] Submitted From Support Form



Issue Description:
can you tell me how to turn on the "backdoor" on system 3.2?

Thanks,

RP


Posted by bhawbaker on 02-01-2003 05:16 AM:

Talking re: ask tivo- nope

i tried it... 920652.. no luck



bob


Posted by jp78 on 02-02-2003 03:39 AM:

Might be worth asking DirecTV... since they control the combo boxes now. Likely to get a similar response, but hey, who knows?


Posted by Pent on 02-02-2003 04:27 AM:

We're working on getting a new kernel in there as we speak ... when we do that we can replace the backdoor code with whatever we want ... see
http://www.tivocommunity.com/tivo-v...20&pagenumber=3


Posted by Saturn on 02-03-2003 08:04 PM:

Is it safe to assume that a backdoor for this particular password doesn't exist? Did TiVo effectively disable backdoors by inserting a random value where the SHA-1 hash should be?

__________________

"You sir, are my hero." -scooterboy


Posted by Jonathan_S on 02-03-2003 08:12 PM:

Saturn49. As the search effort only checked up to about half of the possible length of the password (10 char, where up to 20 are possible) I don't think it is safe to say that the password doesn't exist; it is entirely possible that it does, but that it is longer than 10 characters. (Or possibly even 10 chars, as we didn't finish searching all of the 10 char space)

Note: Half the length is nowhere near half the effort to search, each extra character of length adds 37 times more codes to try.

__________________
Sony T-60 - 109 hours


Posted by edelske on 02-04-2003 12:07 AM:

Strike !!!!!!!!!!!!

If Tivo wont give us the Backdoor Code - we threaten to go "on strike" and migrate to Replay!! Lord knows the Replay system/community certainly needs lots of tech support to help it along !

__________________
Please do not refer to me as a blithering idiot.
I never blither.


Posted by DropZone on 02-14-2003 10:05 PM:

I've read thru the posts, and searched the forums as well as Google. Am I correct that there is no backdoor code for 3.1.0?


Posted by DanT on 02-14-2003 10:18 PM:

None that's known publicly.

__________________
Dan T.
RKBA!

SB: "Captain, do you mind if I say Grace?"
MR: "Only if you say it out loud."


Posted by DaveLessnau on 02-16-2003 02:03 PM:

I don't even pretend that I understand the stuff in this thread (though I've skimmed through it). But, is it possible the backdoor is now something like the "s0rt" (s=SLOW, 0=zero, r=RECORD, t=Thumbs Up) code in Now Playing? It could be entered even at screens that don't accept inputs and would be made up of more than the standard alphanumeric characters.

__________________
Dave Lessnau

TiVo TCD240080 w/ Belkin F5D5050 USB Ethernet Adapter and 160GB 7200RPM Samsung SP1604N drive (150hrs 53mins @ Basic) with 4.0.1 Philips HDR112 w/ TurboNET and 120GB 5400 RPM Maxtor drive (145hrs 6mins @ Basic) with 3.0. Both hooked through powerlines to the internet via LinkSys PLEBR10 PowerLine EtherFast 10/100 Bridges, a D-Link DSS-5+ Switch, a SonicWall SOHO3 Internet Security Appliance, and finally a Toshiba PCX1100U Cable Modem (PCX DOCSIS)


Posted by colemanr on 02-16-2003 03:07 PM:

While there's no way to discount the possibility that there are multiple ways to get into backdoor mode, it has been confirmed many times in this thread that if you put the hash of a known string (such as the one for version 2.5) into the proper resource location, entering the old code in the same place works properly. That's actually one way to enable backdoors in 3.1/3.2, and is described, in detail, somewhere in this thread or in another in the same time frame.

__________________
Rob


Posted by TreborPugly on 02-19-2003 03:20 PM:

quote:
Originally posted by colemanr
While there's no way to discount the possibility that there are multiple ways to get into backdoor mode, it has been confirmed many times in this thread that if you put the hash of a known string (such as the one for version 2.5) into the proper resource location, entering the old code in the same place works properly. That's actually one way to enable backdoors in 3.1/3.2, and is described, in detail, somewhere in this thread or in another in the same time frame.


This is true. But it is my suspicion that if Tivo did put an infeasible hash in 3.1/3.2, (Hash for text including $ or ! or some other character that can't be entered through the interface) then they might have created a new way to turn on back doors. They still need to be able to test the production version, so they must have some way of activating back doors on what we have. Possible methods I can think of:

1. A very long password. This stymies our search attempts, but it is a small hassle for the testers to enter lots of characters.

2. A password with new characters like $ or !. They could potentially have done this, if they also added some IR code recognitions for the other characters, and then they have a special remote which can send those codes. I think this was discussed on this thread already, and is pretty infeasible.

3. They put a non-working hash in the normal location, but added a new way to get into back doors. This would mean discovering the new place in the interface where a back door code could be entered, and a different hash at some other resource location that holds the password for the new method. (They might not even have it encrypted though, since we don't even know where to enter it)

4. The password is not long, but they've added some code to foil our attempts at cracking it via brute force. They might be using a different encryption when the Hash hasn't been altered. They might have something in the code which detects if the original hash is there, and in that situation use a different encryption, or mung the text before encryption somehow. If it detects a change in the hash, it uses the old method. This would give the developers a short password, and fool us into thinking nothing has changed in the encryption.

5. Other clever, elegant changes that don't make things more complex for Tivo developers, but fool us.

I hate it, but I think we need to resign ourselves to the fact that Tivo has made back doors a private thing again..

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by toddc on 02-19-2003 03:33 PM:

Getting the 3.2 Backdoor Code

Is it worth trying to get the backdoor code for 4.0 (assuming one exists) with the extra characters in the alphabet? Also, could they be using encryption with a higher number of bits to foil us?


Posted by alansh on 02-19-2003 06:52 PM:

I'd say #1 or possibly #2 are the most likely. A long password wouldn't be too bad if they have a learning remote that could store a macro. They probably don't have to get into the back doors all that often during the development cycle. Or they could use an "easy" hash during the development cycle, and change it to the "hard" one for release.

All the other possibilities don't answer: why would TiVo allow a changed hash to work? The whole point is to keep people out, so if they created a different sort of hash or backdoor mechanism, they would have disabled the old one.


Posted by Jonathan_S on 02-19-2003 10:35 PM:

While it doesn't rule out new locations to activate back doors; fairly early in this thread a couple of people walked through the actual code and determined that it is taking the data, hashing it unaltered, and comparing it to the stored value.
So there doesn't appear to be any code changing what is compared based on an altered/unaltered hash result.

I tend to think they just went with a very long code.

__________________
Sony T-60 - 109 hours


Posted by ufo4sale on 02-20-2003 01:38 AM:

so did we actually find the back door code for 3.1/3.2 and if so can we just enter it using our TiVos or do we have to do something more?


Posted by jimdan on 02-20-2003 01:35 PM:

We?


Posted by toddc on 02-20-2003 05:07 PM:

Oui!


Posted by ADent on 02-20-2003 08:52 PM:

There is no known backdoor code for 3.1/3.2. You can replace the 3.1/3.2 code with one from another version, but that entails pulling the drives.


Posted by TreborPugly on 02-20-2003 10:19 PM:

quote:
Originally posted by alansh

All the other possibilities don't answer: why would TiVo allow a changed hash to work? The whole point is to keep people out, so if they created a different sort of hash or backdoor mechanism, they would have disabled the old one.



To throw us off the track, and to keep their quality control issues down. It is easier to authorize changing the hash than it is to remove the code. And there is a very small minority of Tivo users who will actually do the resource change to get back doors working. There is a much larger set of users who would enter a back door code if someone else found it and posted it.

Treb.

__________________
I'm not a Bug, I'm a Feature!


Posted by JTAnderson on 04-02-2003 08:37 PM:

So has anyone provided a utility that would help us non-Linux hackers pull the TiVo drive(s), put them in a PC, boot Linux (probably using the MFSTOOLS CD) and set the backdoor password?


Posted by subuni on 04-07-2003 08:44 PM:

As much as I hate to resurface this blasted thread.... Just thought I'd point out the new 4.0 backdoor hash, which is:

61508C7FC1C2250E1794624D8619B9ED760FFABA

I briefly tried everything up to 8 characters, but would of course suggest others to try as well in case I overlooked something.


Posted by computercbj on 07-25-2003 03:19 AM:

keyboard

has anyone tried hooking a computer keyboard to the USB port to see if it accepts characters on there


Posted by ErrorF002 on 07-25-2003 02:40 PM:

It rises again

My God the thread is back... Just when I thought it would be buried forever. It would be good to see if someone cracks this one. I don't have time to play with my TiVo anymore :- (


Posted by HTH on 07-25-2003 09:53 PM:

quote:
Originally posted by MuscleNerd
Yes a USB keyboard will work (with the correct setup).
You intrigue me. Do you have more information on how to get this setup (or do I have to finish catching up on a month's worth of old messages)?

Would be nice to hook up a wireless USB keyboard to two Series2 units (I use standby mode).

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by GarySargent on 08-19-2003 08:10 PM:

What if the hash is encoded somehow (eg they added a 1 to each digit to fool us).

The code could still be small and easy to enter.

How about a script that runs on TiVo and issues remote control codes - brute force it on the TiVo.

__________________
http://www.tivoportal.co.uk » Everything you need to know about TiVo in the UK.
http://www.tivofaq.co.uk » Frequently Asked Questions.
http://www.tivonews.co.uk » TiVo UK Newsletters.
http://www.tivobugs.co.uk » List of current bugs and problems.


Posted by Jonathan_S on 08-19-2003 08:45 PM:

The hash doesn't appear to be "encoded somehow" because:
first off a couple of people way back on this thread looked at the compiled code and traced the flow of the backdoor code through the hashing algorithm and to the comparison with the stored hash.
And secondly if you replace the stored hash with a sha-1 hash of a known string, typing that string in will enable the backdoors.

So that is pretty clear proof that the backdoor software is checking a straight sha-1 hash of the input string against the stored value. This doesn't mean that the stored value has a meaningful reversed value; but the code is doing a straightforward comparison of a generated sha-1 hash.

So there doesn't seem to be any benefit to using a script to do remote code inputs, vs using an optimized program running on a much faster computer.

__________________
Sony T-60 - 109 hours


Posted by HTH on 08-19-2003 10:12 PM:

Well, I did get caught up to a month's worth of old messages and didn't see anything about Series2 supporting USB keyboards. So, more information, MuscleNerd?

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by inio on 09-13-2003 11:00 PM:

Sorry to resurrect an old thread, but I may have access to a large amount of Mac G4 compute power and was wondering if I might be able to help here. I have a working AltiVec implementation of SHA-1 (hashes 5 blocks in parallel: 4 in AltiVec and one in scalar) that can do a little over 5 million codes per second on a 1GHz G4 7450. Is this "competitive"? The following remark in a previous post makes me think it isn't:

quote:
Originally posted by subuni
I briefly tried everything up to 8 characters, but would of course suggest others to try as well in case I overlooked something.


By my calculations, my code on a single 1GHz G4 7450 would take a little over 2 weeks to run through that set with only the 40 characters available on the Ouija board.

[edit] Updated to reflect today's optimizations. [/edit]

My code is based off the RFC, with some optimizations to avoid the abcde rotation, moved the circular buffer into registers, and completely unrolled the loops, early-out 4 steps before the normal end.

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by EdwinOlson on 09-15-2003 08:32 PM:

5 million keys per second is quite fast, especially for a 1ghz machine. For reference, my celeron 1.3ghz (p3 core) mustered about 0.7 million keys/sec, and if I recall, the fastest machines that participated in the hacking were around 2 million keys per second. [Note, no particular effort was made to optimize the SSE code; I simply pulled in the openssl library.]

Unfortunately, the key space is so large that a speed-up of 2x isn't enough to make it practical.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by inio on 09-15-2003 08:52 PM:

I realise the keyspace is extremely large, but has any serious attempt been made at the 4.0 password? Say, covering all remote-enterable codes through 9 characters?

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by dkroboth on 09-15-2003 09:49 PM:

The 4.0 backdoor code hash is the same as 3.2.
I thought I read that the 4.0.1 code was different, but I don't remember if the poster said what the new code was, or determined that he was mistaken and it was the same.


Posted by inio on 09-15-2003 09:52 PM:

I found (in one of the brief 4.0 backdoor threads I think) that the 3.1/3.2 hash was:

96F8B204 FD995347 59A6C11A 181EEDDF EB2DF1D4

and the 4.0 hash was:

61508C7F C1C2250E 1794624D 8619B9ED 760FFABA

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by dkroboth on 09-16-2003 01:53 PM:

d'oh!


Posted by EdwinOlson on 09-16-2003 08:48 PM:

For those visiting this thread, the (static) snapshots of our stats when we stopped the attempt is here:

http://www.blisstonia.com/software/...ck/wwwsnapshot/

An archive of software, and a post-mortem analysis is here:

http://www.blisstonia.com/software/TivoCrack/

Summary:

We searched every combination (assuming nothing funky on Tivo's end) of remote-enterable characters up to 9 characters long.

We searched almost exactly half of the space up to 10 characters long. At this point, the database of "finished" workunits got too big and the server fell over. I'd never expected us to even try 10 characters (the a priori likelihood of such a long password is very small). I got burned out and wasn't interested in pursuing it any further, so I called it quits.

That's 85 CPU years.

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by inio on 09-16-2003 09:43 PM:

Very interesting postmortem. I've actually been thinking about the distributed aspect of this a bit, and I'd like your input on one aspect:

For the "proof": Since checking against multiple hashes doesn't increase the work required noticeably, include multiple target hashes in each work unit. Have two of these hashes be fake hashes generated from randomly selected keys, each with a 50% probability of being in the work unit's keyspace. This forces the client to check every key in the work unit to produce a valid result.

Oh, and as for tracking results in a relational DB: I was thinking of blocking the keyspace into chunks of a couple thousand work units. I'd only keep 2 or 3 work units live in the DB at any one time, with unit allocation preference given to the oldest block.

P.S. After looking at the disassembler output from my previous version, I was rather unhappy. I'm re-writing it in pure assembler, and I'm hoping for a 10-30% speed up.

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by inio on 09-17-2003 03:28 AM:

quote:
From the post-mortem:
The 10 character key space however, has 1.8 million workunits.


The only way I could come up with 1.8e6 was 37^4, indicating that you were using an alphabet of 37 characters.

Does the Create WishList Ouija board screen accept back door passwords? Has anyone tried loading up a hash for passwords that contains comma (replaces 0 on Actor/Director WishList Ouija board), quote, or asterisk (pause and slow on title/keyword WishList board) and checking if it works? If someone's willing, I can generate a hash if you need one

If this does work then the TivoCrack search missed about 10% of the keyspace. The total number of keys of length k would be: 37^k+37^(k-1)+2*39^(k-1) which sums to 10.9% more than 37^k for k over 2..9.

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by ADent on 09-17-2003 03:49 AM:

If you would read all 57 pages of this thread - no you can not enter an asterisk on the search by name screen, that is supposedly the only location the code can be entered.

I do not recall anyone trying to replace , for a 0 in the hash.

There seemed to be two camps. One that said TiVo used a really long password (probably reasonably easy to enter say 111222333444555 ) or TiVo did some secret voodoo - which could pretty much be anything.

The first camp could conceivably crack the code with enough computing time but the second was either uncrackable or you needed to know 'the secret' before it was crackable.


Posted by inio on 09-17-2003 05:23 AM:

OK, I wasn't sure which Ouija boards had the backdoor unlock code associated with them (and I remember reading in some other thread that any Ouija board would work, there may have been conditions on that statement though). As for there being a secret to entering the code, there are a few possibilities:


However, any of the above would show up if someone disassembled the code that manages the Ouija board screen. I know this was done with 3.0/3.2 builds, but has anyone disassembled the Ouija board code for 4.0? I know MIPS, so if someone can get the code out I'd happily dig through it (spotting the SHA-1 algo shouldn't be hard, and tracing that back to the caller is easy).

The other thing I've been trying to figure out is: why is the backdoor activation logic present in the release builds at all? I'm sure this has been hashed over many times, but the most likely case I can see is to allow techs to debug simple stuff without opening the box. Thus I think the chance that they flipped a bit in it to prevent it from working is extremely low. If they did either use a ridiculously long password or generate a bogus hash, why change the hash in 4.0?

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by Dennis Wilkinson on 09-18-2003 04:23 PM:

quote:
Originally posted by inio
[*]There is a special remote that service techs have that generates a magic signal to insert a special character (which makes such a search pointless because you'd need special hardware to utilize the outcome).


While I can't rule it out completely, I think this is pretty unlikely. I spent some time running all of the possible codes in the TiVo device set (with a Pronto) through various places in the TiVo interface, including Search by Title, and found only two codes not on the peanut remote (one that goes directly to Now Playing like the Sony's 'list' button, and a second for standby.) I was actually hoping for discrete codes for all the possible characters on the Ouija board, but no such luck.

So, unless they utilized a different IR device code, I don't think we need to worry about that.

__________________
Dennis


Posted by EdwinOlson on 09-18-2003 04:51 PM:

inio- yes, I had considered an additional proof mechanism like that... repeating what you said, have the server generate a list of possible keys that might occur somewhere in each work unit's key space. For example, with each work unit, you get 10 hashes. Somewhere between 1 and 9 of them will actually occur in that work unit space. The server knows which ones occur and which do not. If the client gets it wrong, the client is up to something.

The problem is generating these hashes. There's no easy way to find a plaintext string that will hash to values in a work unit (it is, after all, a one-way hash). For suitably large work units, the probability of finding *some* hashes in the work unit space becomes almost acceptable, but it is a real nightmare to consider generating thousands of work units this way!

If I were going to re-do the server (one more time), I would use a relational database to manage currently pending work units, and a flat-file log to store completed work units. If a user generated bogus work units, you could scan over the log and add the work units back to the rdb. The rdb would never need to be more than a tens of thousands of work units. When the rdb ran low on blocks, it would run a work unit generation program to add in the next, say, 1000 work units.

Regarding "really long passwords": If you make assumptions like "they probably only used four different characters repeated a bunch of times, e.g., 111222333444555", the resulting key space is very small.

Quite a few people (myself included) searched these spaces (and other spaces we thought were likely) up to very long lengths (some spaces over 20 characters long). The key spaces for specific assumptions are so small that there's no need to use a distributed infrastructure to do it; any particular search generally took under an hour on a single machine. As far as I know, there's no record of which spaces were searched. I probably tried about 100 such key spaces, and other people probably tried even harder.

You can use the dclient2f code to perform many of these searches by passing in alternative alphabets (i.e., "1234567890") and alternative search patterns (i.e., "????????????" would search 12 char space). Some searches might require additional modifications to the source code (i.e., searching for repeated groups.)

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)


Posted by inio on 09-18-2003 08:46 PM:

quote:
Originally posted by EdwinOlson
The problem is generating these hashes. There's no easy way to find a plaintext string that will hash to values in a work unit
Maybe I'm misunderstanding something here but, isn't a work unit a defined sub-set of the plain-text keyspace? Finding a key inside the work unit is trivial, then you just compute the hash of it (which is also fast).
quote:
You can use the dclient2f code to perform many of these searches by passing in alternative alphabets (i.e., "1234567890") and alternative search patterns (i.e., "????????????" would search 12 char space). Some searches might require additional modifications to the source code (i.e., searching for repeated groups.)

For efficiency reasons my code is limited to 11 characters (lets me save a non-trivial amount of setup and XORing work in the first 30 or so passes over the 16-entry buffer). Also the first two characters are part of the unknown (by not dealing with addressing into the key I save yet more setup work). I only make about a dozen data memory accesses per key (though at least 4 of those are loading 16 bytes of memory in a single access). The assembler version is coming along, right now I'm trying to track down a bug that crops up at t==20 (and yes, I am changing k there so that's not it).

__________________
"He who breaks a
thing to find out what it is, has left
the path of wisdom."
- Gandalf the Gray-Hat


Posted by EdwinOlson on 09-19-2003 12:39 AM:

inio- re the other challenges, you're right. It's been a while since I was working on this and my brain decided that we were searching over ciphertext space, not plaintext space. Of course, it's not. See how the brain goes when you get old?

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
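The planted-hash check EdwinOlson sketched and inio corrected above (keys inside a work unit are easy to hash, because a unit is a slice of the plaintext space), as an added Python example that is not dclient2f or the project's server code. The base-37 ranking of keys, the work-unit layout and every function name here are assumptions.

```python
import hashlib
import random
from dataclasses import dataclass

# Assumed entry alphabet: the A-Z, 0-9 and space the thread says the code-entry
# screen accepts. The ordering is arbitrary but must stay fixed for ranking to work.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
RADIX = len(ALPHABET)


@dataclass(frozen=True)
class WorkUnit:
    """Keys of one length whose ranks fall in [start, end) in base-37 counting order.
    This layout is an assumption; the real server may slice the space differently."""
    length: int
    start: int
    end: int


def index_to_key(index: int, length: int) -> str:
    """Rank -> key: the index written big-endian in base 37 over ALPHABET."""
    chars = []
    for _ in range(length):
        index, digit = divmod(index, RADIX)
        chars.append(ALPHABET[digit])
    return "".join(reversed(chars))


def key_to_index(key: str) -> int:
    """Key -> rank, the inverse of index_to_key."""
    index = 0
    for ch in key:
        index = index * RADIX + ALPHABET.index(ch)
    return index


def sha1_hex(key: str) -> str:
    """The hash the thread is searching: SHA-1 over the raw key characters."""
    return hashlib.sha1(key.encode("ascii")).hexdigest()


@dataclass(frozen=True)
class Challenge:
    hashes: tuple        # shuffled digests handed to the client together with the unit
    planted: frozenset   # kept server-side only: the ones whose keys lie inside the unit


def make_challenge(unit: WorkUnit, n_total: int = 10, seed=None) -> Challenge:
    """The 10-hash check from the post: between 1 and n_total-1 digests are SHA-1 of
    keys drawn from inside the unit; the rest are SHA-1 of same-length keys from
    outside it, so every value is a genuine digest and the client cannot tell which
    are decoys without actually scanning the unit. seed is for reproducible tests;
    a real server would leave it None and draw from the OS generator."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    space = RADIX ** unit.length
    span = unit.end - unit.start
    if not (0 <= unit.start < unit.end <= space) or span < n_total or space - span < n_total:
        raise ValueError("unit must be a proper slice with room for real keys and decoys")
    n_real = rng.randint(1, n_total - 1)
    inside: set = set()
    while len(inside) < n_real:
        inside.add(rng.randrange(unit.start, unit.end))
    outside: set = set()
    while len(outside) < n_total - n_real:
        i = rng.randrange(space)
        if not unit.start <= i < unit.end:
            outside.add(i)
    planted = frozenset(sha1_hex(index_to_key(i, unit.length)) for i in inside)
    hashes = list(planted) + [sha1_hex(index_to_key(i, unit.length)) for i in outside]
    rng.shuffle(hashes)
    return Challenge(tuple(hashes), planted)


def scan_unit(unit: WorkUnit, challenge: Challenge) -> frozenset:
    """What an honest client reports: the challenge digests it actually met while
    hashing the unit's keys, which is the work it was doing anyway."""
    wanted = set(challenge.hashes)
    digests = (sha1_hex(index_to_key(i, unit.length)) for i in range(unit.start, unit.end))
    return frozenset(h for h in digests if h in wanted)


def verify_report(challenge: Challenge, reported: frozenset) -> bool:
    """Server-side acceptance test. A client that skipped the unit (reports none),
    guessed (reports all) or fabricated results gets the unit marked bogus, so the
    server reschedules it instead of recording that slice as searched."""
    return reported == challenge.planted
```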


Posted by HTH on 09-25-2003 12:59 AM:

Angry

I should stop posting in this thread. Every time I do it goes silent and my questions to it remain unanswered anyway, even when resurrected.

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by qwertyasd on 12-13-2003 05:49 AM:

In the spirit of beating a dead horse, I have a question. Based on the string length of the output, isn't there a maximum effective size for the input? If it's a true hash it should be reversible and probably works by null padding then trimming the input. If it's not reversible (and probably isn't as it only has to compare to a preset value) then input length could vary and multiple solutions would exist. Just a thought (combined with some rambling).

PS- Has anyone considered the possibility that the hash algorithm simply cannot match the stored code? It would be a perfect way to permanently disable backdoors.

__________________
There are no stupid questions, but there are a lot of inquisitive idiots.
- from despair.com website
Check them out.


Posted by dswallow on 12-13-2003 08:16 AM:

quote:
Originally posted by qwertyasd
PS- Has anyone considered the possibility that the hash algorithm simply cannot match the stored code? It would be a perfect way to permanently disable backdoors.
Innumerable times in this thread that's been mentioned as a possibility, but just based on what's been tested, it could still just be a long string. And it would make some sense if it were something that could readily be entered but long enough and weird enough not to be easily guessed/brute forced.

__________________
Doug Swallow
doug@2150.com
Customize your own Now Playing - TV Show Talk forum index
TiVo Community Forum Member Posting Statistics (updated daily)
List your local digital television broadcast stations by direction/distance
AVSForum Local HDTV Info & Reception index by DMA/City


Posted by Piquan on 12-15-2003 09:24 AM:

quote:
Originally posted by qwertyasd
Based on the string length of the output, isn't there a maximum effective size for the input? If it's a true hash it should be reversible and probably works by null padding then trimming the input.

I don't know why you think it would have to be reversible. Hashes are very rarely reversible in practice; I'll discuss that more below.

Hashes are always fixed length, that is, the output length doesn't depend on the input length, and I've never seen one that limits the input length. That's pretty much the definition of a hash function: it takes an indefinitely-long input, and returns a fixed-length output. The National Institute of Standards and Technology's Dictionary of Algorithms and Data Structures defines a hash function as follows:
quote:
Definition: A function that maps keys to integers, usually to get an even distribution on a smaller set of values.

Note: The range of integers is typically [0 ... m-1] where m is a prime number or a power of 2.


Hashes are usually used for three purposes: data integrity, table lookups, and cryptography, and in none of these fields are they reversible in general. The desired characteristics of the hash depend on its use. By the way: you later refer to the idea of two inputs producing the same output; this is called a "collision". I bring it up because I'll be using this term for the next few paragraphs.

For data integrity, hashes normally have an output length of one machine word or less. The hash value is computed once when the data is written, and again when the data is read. The simplest example is parity, used in some RAM and serial lines. This is a one-bit hash function, which is simply the XOR of all the input bits. A slightly longer example would be TCP. TCP uses 16-bit checksums, which is a very simple (and poor) hash function. Since the 80s, CRC (a polynomial-based hash function) has been preferred for this purpose, since checksums are defeated if the data is simply reordered. CRC is used in Ethernet, ZIP archives, and most disk formats, and most other areas. Some types of ECC RAM use Hamming functions, which are hash functions with some built-in data recovery capabilities. In data integrity, the hash function should be fast, and resistant to most common transmission or storage errors. For example, inverting a block of bits (which can happen on many types of magnetic media, which use edges to indicate 1s and stability to indicate 0) should produce a different hash.

For lookups, hashes normally have an output length of one machine word (and are usually taken modulo the hash table length). These should be extremely fast. They should also be resistant to collisions across the expected input space. For example, if you're hashing names, then collisions when the eighth bits are toggled are relatively insignificant, because English characters don't fall into that space. It is, however, important to note that lookup hashes do frequently collide, and much research has gone into dealing with hash collisions. If a hash generates collisions, then it is clearly non-reversible.

For cryptography, hashes normally have an output length of several bytes. The most popular cryptographic hash today is MD5 (which has a fixed output length of 16 bytes), but SHA-1 (20 bytes) is a close second that's rapidly becoming more popular. Speed is less important in cryptographic hashes than resistance to collisions. Cryptographic hashes have to be strong against collisions to prevent tampering; that's their job. A cryptographic hash should have the property that, given a known string, it should be difficult to find another string with the same hash value. For a stronger hash (and most well-known cryptographic hashes have this property), it should be difficult to find any two strings with the same hash value. Finally, in all cryptographic hashes, the hash value should tell you nothing about the input.

In all three types of hashes, you have a fixed output width: in data storage and transmission, you need to fit the output into a fixed-size header block; in lookups, you need a machine word to efficiently modulo it against your table size; in cryptography, you don't want the width to be a clue about the content. A fixed output width means that it's inherently non-reversible, if the input length is unbounded (which is the case in every hash function I've heard of).

(Beware: this paragraph is purely hypothetical, and serves no practical purpose other than education.) If you restrict your input length to no more than your hash function's output length, then you might have a reversible hash function. This is the case with parity and checksums (which degenerate to the identity function under these conditions), and I think CRC does (it doesn't degenerate thusly but I think does become mathematically reversible). Lookup hash functions may or may not: an ideal hash function would be theoretically reversible (although possibly not without a brute-force search), but most practical lookup hashes don't have this property. Cryptographic hashes (when properly written) are never reversible without a brute-force search, and might still not be reversible.

In practice, cryptographic hashes are designed specifically to prevent being reversible, and other types of hashes generally have too narrow an output for that to be practically useful.

I'm not sure what you were thinking about in your post. Maybe you were thinking of stream ciphers. Any hash function can be converted into a stream cipher, and the ciphertext length does generally tell you the plaintext length.

As it turns out, the hash function we're dealing with here is SHA-1. This 20-byte cryptographic hash is specifically designed to be non-reversible, and is often used to store passwords in a similar manner. (For example, both Linux and FreeBSD have this capability.) SHA-1 always returns 20 bytes. For example, the SHA-1 hash of the empty string is da39a3ee5e6b4b0d3255bfef95601890afd80709, and the hash of "War and Peace" is cc780def1bb81614ba957349f62a9f47f9bbb91d.
quote:
Originally posted by qwertyasd
If it's not reversible (and probably isn't as it only has to compare to a preset value) then input length could vary and multiple solutions would exist.

This is absolutely true. For any hash, collisions exist; this is a natural consequence of having a fixed output length. If there's a collision, then on a random search, we're just as likely to find a collision partner as we are the "true" password. (Many of our searches, such as the one I ran, haven't been random; they've been looking for likely passwords.) But here's a few things to consider. First, SHA-1 is designed to make collisions difficult to find; that's a property of a strong cryptographic hash. (Technically, that's not completely relevant.)

Now, how likely is it that there are collisions? Well, SHA-1 has 20 bytes, or 160 bits, of output space. Given the input set of A-Z, 0-9, and space, and a 20 character-long input field (the TiVo space-pads the input to 20 characters, much as you suspected), we have an input set of 20*log2(37) = about 104.18 bits of input. So there's much more space in the output than in the input. There's actually a high probability that there are collisions somewhere in there. There's a high probability that there's some string, of indeterminate length, that collides with our target password. But there's a low probability- I make it 1 in 63,206,948,630,615,720- that the password we're looking for has a collision partner that we can enter in the TiVo entry screen. That's about the same probability that the first grain of sand I touched on the first U.S. beach I visited, is the same grain of sand that you first touched on the first U.S. beach you visited. (Note: I'm almost sure there's something wrong with that calculation, but it should be about the right order of magnitude.)

You've got some good ideas, but unfortunately the scheme that TiVo used was specifically designed to defeat them.


Posted by Jonathan_S on 12-15-2003 09:29 PM:

quote:
PS- Has anyone considered the possibility that the hash algorithm simply cannot match the stored code? It would be a perfect way to permanently disable backdoors.
Yes, we have considered this. But at least in my opinion that is unlikely (unless TiVo really felt like playing a joke on the forum).

Basically, if TiVo just wanted an output value that couldn't be matched by the hash algorithm, there are a number of easy ways that would guarantee that output.

For example, since the output of the hash function is represented as a hexadecimal value, any digits in the stored value that weren't 0-9, a-f would be automatically unmatchable. There is no way for the hash function to generate that output.

Or since SHA-1 always outputs 20 bytes, a stored value longer or shorter than 20 bytes would be impossible for the hash function to generate.

But the value they stored is 20 bytes, and is made up exclusively of hexadecimal values. While this could be a randomly generated value, it would risk being a collision of a string you could actually input into the hash function (admittedly a low probability). It seems that unless TiVo decided to make a joke of the search, there is no reason for them to create a random value that has the potential to be created by the hash algorithm. It seems much more likely that they simply used a very long input string.

Also at least in the past it has been indicated that the backdoor code is useful for people at TiVo to use, which decreased the possibility of a non-working string.

Version 4 uses a different stored value for the hash output (which is also a 20 byte hexadecimal string), which I feel increases the likelihood that these are the results of different long input strings.

__________________
Sony T-60 - 109 hours
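The hash properties Piquan and Jonathan_S lay out above, worked through in Python as an added example that is not from either post: fixed-length output, the 37^20-versus-2^160 comparison behind the "1 in 63,206,948,630,615,720" figure, the birthday-style count showing that collisions nonetheless exist somewhere in the space, and Jonathan_S's "could SHA-1 even produce this stored value" check. Treating SHA-1 as a random function for the odds, and all function names, are assumptions.

```python
import hashlib
import math
import re

ALPHABET_SIZE = 37   # A-Z, 0-9 and space on the entry screen (as stated in the thread)
ENTRY_LENGTH = 20    # the screen takes 20 characters (as stated in the thread)
SHA1_BITS = 160      # SHA-1 output is 20 bytes, always

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def digest_is_fixed_length(samples) -> bool:
    """Piquan's point: 20 output bytes (40 hex digits) whatever the input length."""
    return all(len(sha1_hex(s)) == 40 for s in samples)


def input_space_bits(alphabet_size: int = ALPHABET_SIZE, length: int = ENTRY_LENGTH) -> float:
    """log2 of the number of strings the screen can enter: 20*log2(37), about 104.19 bits."""
    return length * math.log2(alphabet_size)


def odds_target_has_enterable_partner(alphabet_size: int = ALPHABET_SIZE,
                                      length: int = ENTRY_LENGTH,
                                      output_bits: int = SHA1_BITS) -> int:
    """N in '1 in N' that some OTHER enterable string shares the target's digest.
    Union bound with SHA-1 modelled as a random function (assumption): each of the
    37^20 - 1 other strings hits a fixed 160-bit value with probability 2^-160."""
    others = alphabet_size ** length - 1
    return 2 ** output_bits // others


def log2_expected_colliding_pairs(alphabet_size: int = ALPHABET_SIZE,
                                  length: int = ENTRY_LENGTH,
                                  output_bits: int = SHA1_BITS) -> float:
    """Birthday count: on average C(n, 2) / 2^160 pairs of the n enterable strings
    collide. Returns log2 of that; a value well above 0 means collisions certainly
    exist somewhere in the space, which is consistent with the tiny odds above for
    any one target."""
    n = alphabet_size ** length
    return math.log2(n * (n - 1) // 2) - output_bits


def could_be_sha1_output(stored: str) -> bool:
    """Jonathan_S's test: a value SHA-1 can never produce would be one that is not
    exactly 20 bytes or contains a non-hex digit. A stored value that passes is
    reachable in principle, so 'deliberately unmatchable' could only be luck."""
    return HEX40.match(stored) is not None
```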


Posted by HTH on 12-16-2003 11:49 PM:

I wonder if I can silence the thread yet again.

I forget what versions run on what. Is 3.2 on systems that have other ouija boards that allow a greater character set to be entered? And if the hash is replaced with a known hash, can the corresponding backdoor code be entered on these alternate ouija boards to enable backdoors?

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by ADent on 12-17-2003 04:13 AM:

Someone stepped thru the code (though they didn't do it 100% right IIRC) and showed the existing ouija board worked fine. And the hash has been replaced with a known code and worked.

I don't know if anybody really looked to see if any of the other ouija boards would work as an input, but they are not known. In the other boards you can enter * and ".


Posted by Jonathan_S on 12-17-2003 07:58 PM:

I thought the other ouija boards had been shown not to work (with a known hash), but I'm not sure I trust my memory about this.

__________________
Sony T-60 - 109 hours


Posted by HTH on 12-24-2003 12:48 AM:

There's another ouija board that allows lowercase text entry on some models. Somewhere in network settings. The test would be to reset the code to a known string, then enter that string on the other boards to see if it is accepted. If so, they may be the ones we have to enter the true backdoor code, and the code could contain a greater variety of characters.

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by dbird on 03-02-2004 12:39 AM:

any interest in trying again???

Is there any interest in trying this project again??? I can try and modify the server code for more scalability and use it to test out a new server going online.


Posted by toddc on 03-02-2004 04:44 PM:

I would be


Posted by HTH on 03-02-2004 08:47 PM:

As would I.

I miss being able to set up Advanced Wishlists on my Series2 boxes.

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by MichaelK on 03-02-2004 08:54 PM:

i'm in


Posted by samkuhn on 03-03-2004 01:22 AM:

of course!


Posted by samkuhn on 03-03-2004 01:23 AM:

of course!


Posted by dbird on 03-03-2004 01:23 AM:

Ok, what is the current version of Tivo software? I saw the hash for 4.0 posted on the last page. I assume it would make sense to search for the 4.0 code instead of the 3.2 code at this point?


Posted by kenr on 03-03-2004 05:58 AM:

quote:
Originally posted by dbird
Ok, what is the current version of Tivo software? I saw the hash for 4.0 posted on the last page. I assume it would make sense to search for the 4.0 code instead of the 3.2 code at this point?
I'm a Series 1 owner and would prefer that we search for the 3.1 code.


Posted by toddc on 03-03-2004 07:55 PM:

I would assume searching the latest version not necessarily 4.0. I would be fairly sure that the code for the incremental updates (4.0a 4.0b, etc.) would have the same code.

What I assume is that before the code is released that the backdoor is somehow disabled and that cracking it would not matter.


Posted by dkroboth on 03-03-2004 08:08 PM:

It has been demonstrated that replacing the current hash with a known hash will allow backdoors to be activated. So, it would work were we to find the proper code. Whether the string which generates the current hash is reachable using the keypad or not is another issue.


Posted by toddc on 03-03-2004 08:37 PM:

And we have determined that it will not take a USB keyboard? Maybe they are attaching a USB device of some sort to help debug.


Posted by futerfas on 03-04-2004 08:52 PM:

Since we know the hash, what makes this code so different that we can't figure out the code? Maybe it's longer and requires more time with the brute force?

__________________
"Gosh! I never wanted to give futerfas any good sig fodder!" - rhuntington3
"Futerfas is such a nice boychick, and the future Grand Aleph Godol." -Turtleboy
"I was about to say exactly what futerfas said." -Loadstar
"keep going son, you'll make a fine lawyer" -Marco
"ever since Junior High Futerfas has had a fear of having his picture taken" -ZeoTiVo
"I keep 'em [signatures] turned off so no matter how creative they are, no matter how much time and effort you put into yours, there's at least one person here who'll never see it to appreciate it." -SparkleMotion
"Nothing is more permanent than a temporary solution." -edhara


Posted by dsmdriver on 03-05-2004 12:08 AM:

Not all hashes have answers. There's a possibility that the hash is "broken" and has no corresponding result. Or the result is really, really long, meaning a very long time to brute force it.


Posted by HTH on 03-05-2004 12:31 AM:

Or contains characters not in our search set.

Has anyone closely investigated the ouija board code for any secret sequences that can produce unusual characters?

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by EdwinOlson on 03-05-2004 08:08 PM:

Ugh. This thread just won't die!

Folks, the search space is enormous. We've already covered a ludicrously enormous part of the search space. Continuing a brute force attack is just silly, barring something that will increase our search speed by a couple orders of magnitude. We had >1,000 machines participating for a while (thanks to slashdot). 100x that is... well, a lot to hope for. If you merely matched what we had, then it would take 2 years to search just one more letter.

If you believe that there is a password, the best way to proceed is to guess a form of the password and test that subspace of the keyspace. Do you think it's made up of just numbers? Well, search that space. Do you think it's an n-letter sequence repeated m times? Search that!

Given that the password, if it exists, is likely to be easy to remember/type, but that it is KNOWN not to be short, the best bet is to try to search easily remembered/typed sequences.

And this you can do on your own, right now. Download the last dclient2f and build it. You can run it locally--without any server. You can specify patterns of letters and an alphabet to use. It will happily chug along and tell you of any solutions. You could write a simple shell script to call dclient repeatedly on more complicated variations of patterns and alphabets too, for example in the 'n letters repeated m times' case. Or modify the source to generate those patterns internally. Or run a local server and populate your own database with patterns that you're suspicious of.

This is actually how I originally found the "3 0 BC" code. I suspected it would have a lot of spaces in it, and I searched the space ? ? ?? (among many other spaces.) Searching a 4-space takes about 1% as long as searching a 6-space. Given some theory on what the password looks like, you could reasonably check spaces up to 20 chars long.

In fact, I know that some people (myself included) have already looked for some of these probable sequences. I've checked extremely long passwords composed only of numbers. Perhaps some of you remember namespaces like 8+2, which was 8 characters with at least two spaces. This was a variation of the idea I'm suggesting.

But the main point is that creativity is the requisite quantity here. A centralized approach--relying on one person to think of the theories-- ain't gonna work.

Good luck!

-Ed

__________________
http://www.blisstonia.com
Tivo 14hr -> 50hr + TurboNET (stupid modem dying!)
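A size calculator for the structured subspaces EdwinOlson suggests above (digits only, fixed-space patterns like '? ? ??', the '8+2' space, an n-letter block repeated m times), as an added Python example that is not dclient2f or any of the project's code. It counts keys without hashing any, puts every assumption on one bits-and-hours scale, and the aggregate hashing rate used for the time estimate is an assumption, since the thread gives no figure.

```python
import math

ALPHABET_SIZE = 37   # A-Z, 0-9 and space: the entry screen's character set (per the thread)


def full_space(alphabet_size: int, length: int) -> int:
    """Every string of the given length: alphabet_size ** length."""
    return alphabet_size ** length


def pattern_space(pattern: str, alphabet_size: int = ALPHABET_SIZE) -> int:
    """A dclient2f-style pattern as described in the post: '?' is a free position,
    anything else is a fixed character. '? ? ??' fixes two spaces and leaves four
    free positions, so it costs 37**4 keys."""
    return alphabet_size ** pattern.count("?")


def at_least_k_spaces_space(alphabet_size: int, length: int, k: int) -> int:
    """The '8+2' idea: strings of this length with at least k spaces. Sum over j >= k
    of C(length, j) placements of the spaces times (alphabet_size-1)**(length-j) fillers."""
    return sum(math.comb(length, j) * (alphabet_size - 1) ** (length - j)
               for j in range(k, length + 1))


def repeated_block_space(alphabet_size: int, total_length: int) -> int:
    """'An n-letter sequence repeated m times' filling total_length exactly (m >= 2):
    for every proper divisor n of total_length there are alphabet_size**n blocks.
    Counted per n, so 'AAAA' (A x4 and AA x2) is counted twice: an upper bound."""
    return sum(alphabet_size ** n for n in range(1, total_length) if total_length % n == 0)


def bits(space: int) -> float:
    """Entropy-style size of a space, so different assumptions compare on one scale."""
    return math.log2(space)


def hours_to_search(space: int, keys_per_second: float) -> float:
    """Wall-clock hours to exhaust a space at an assumed aggregate hashing rate."""
    return space / keys_per_second / 3600


def compare_assumptions(keys_per_second: float = 1e9) -> dict:
    """Bits and hours for the subspaces the post suggests, next to the full 20-char
    space. 1e9 keys/s is a constructed rate, not a figure from the thread."""
    rows = {
        "full 20 chars":           full_space(ALPHABET_SIZE, 20),
        "digits only, 20 chars":   full_space(10, 20),
        "pattern '? ? ??'":        pattern_space("? ? ??"),
        "8 chars, >= 2 spaces":    at_least_k_spaces_space(ALPHABET_SIZE, 8, 2),
        "n letters x m, 12 chars": repeated_block_space(ALPHABET_SIZE, 12),
    }
    return {name: (round(bits(n), 1), hours_to_search(n, keys_per_second))
            for name, n in rows.items()}
```

Adding one free position multiplies every row by 37, which is the post's "one more letter" cost in concrete terms.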


Posted by HTH on 03-05-2004 08:30 PM:

Link for dclient2f.

__________________
┌──┬──┐
─├┤┬├┤─ There is no spool.
└─────┘

If you are dissatisfied with your life, return unused portion for partial refund.


Posted by dbird on 03-05-2004 10:32 PM:

Post wiki setup

I set up a wiki to document things like the known hashes and ideas and a time line for restarting this project. You can visit it at http://www.egads.net/~dbird/ewiki/

It is on a slow link/server right now. I will move it later when the new server is done being set up.


Posted by dbird on 03-09-2004 01:28 AM:

hmmmm...

I am not sure what to make of the silence for a few days after my last post.

Does this mean the information I put at http://www.egads.net/~dbird/ewiki/s...ge=TivoBackdoor
is accurate, and no one is volunteering to help with any of the tasks at present?


Posted by GBaz on 03-15-2004 11:07 PM:

Do you think a project like SETI@Home could help?

__________________
Should Frigidaire be held legally liable for distracting TV viewers who leave the room during commercial breaks to grab a glass of milk?
-----Doug Isenberg


Posted by bevinst on 03-16-2004 03:24 AM:

quote:
Originally posted by GBaz
DO you think a project like SETI@Home could help?


Read the thread. It was tried, obviously not on the scale of SETI, but we tried. It included people interested in it from this board and we even got a boost from a slashdot.org article. Bottom line, the remote only code: is ridiculously long, uses invalid characters from the TiVo screen, or is corrupted before released.

It's possible to obtain access to the backdoor, but the effort is just not worth it for me. Everything that I normally use a series 1 for is currently included in the series 2 software.

-Tommy


Posted by marrone on 05-24-2004 10:32 PM:

I know someone actually emailed tivo support about it (and got a case #), and was denied...has anyone directly asked Pony?

Didn't he at one point (maybe it was RB, I dunno) give a hint at a backdoor many many moons ago in a weird type of story? Perhaps if we ask nicely, he'll do the same again!

Just a thought.

-Mike

(I bet the tivo folks were laughing hysterically at this attempt, and are probably disappointed it wasn't found. Personally I think it's worth attempting again...computers are getting faster and faster. And I do compliment Ed (and/or whoever else involved) for doing this project in the first place.)

__________________
1 Phillips DSR6000 146Hrs
1 Hughes SD-DVR40 35Hrs


Posted by dkroboth on 05-24-2004 10:59 PM:

quote:
Originally posted by marrone
Didn't he at one point (maybe it was RB, I dunno) give a hint at a backdoor many many moons ago in a weird type of story? Perhaps if we ask nicely, he'll do the same again!



The SORT code was given away with a wired Superfriends of Reality TV story...is that what you are thinking of?


Posted by marrone on 05-25-2004 09:29 PM:

Good memory! That must be what I was thinking of.

-Mike

__________________
1 Phillips DSR6000 146Hrs
1 Hughes SD-DVR40 35Hrs



Powered by: vBulletin Version 2.2.8
Copyright © Jelsoft Enterprises Limited 2000 - 2002.
(C)opyright - All Rights Reserved. No information may be posted elsewhere without written permission.
TiVo® is a registered trademark of TiVo Inc. This site is not affiliated with TiVo Inc.