TiVo Community Forum Archive 1
READ ONLY ARCHIVES

Welcome to the TiVo Community Forum Archive
This archive covers threads on TiVo Community Forum that have not been posted to from the start until June 30, 2004.  Any thread that has a post made to it between 7/1/04 and 12/31/05, that had not been posted to, will be found in Archive 2.
This is a READ ONLY site.

>>> While strolling through the logs one day.... <<<

Old Post 01-13-2001 05:40 PM
don99
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking While strolling through the logs one day....

I have noticed a few interesting things while looking at the Log Files (available on screen after backdoors are enabled) and thought we could use a thread to talk about them.

One was a reference to ip address 204.176.49.4:80
I won't bother to post the rest of the URL because what I found interesting was when I put this URL in my web browser... The 80 of course is the port and indicates it is http.. so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"
I will give you a clue.. the TiVo uses a cgi script in a sub-dir of that page...
What is that all about??

POST #1 | Report this post to a moderator | IP: Logged

barrey is offline Old Post 01-13-2001 06:05 PM
barrey
New Member

Registered: Nov 2001
Location: Santa Clara, CA
Posts: 4

Cool

Sounds like someone at TiVo is a Python fan...

------------------
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie.

POST #2 | Report this post to a moderator | IP: Logged

jmccorm is offline Old Post 01-13-2001 10:35 PM
jmccorm
Special Forum Guest

Registered: Oct 2000
Location: Tulsa, OK
Posts: 9

Arrow

The box on the remote end claims to be using Red Hat Linux 1.3.6 with the Apache web server. Can't telnet to it, finger it, FTP it. Does not have a hostname when doing a lookup by IP address. No matches found in Altavista or Google. Seems to be a bit of a mystery!

POST #3 | Report this post to a moderator | IP: Logged

Mike-W is offline Old Post 01-13-2001 11:30 PM
Mike-W
New Member

Registered: Dec 2001
Location: Ledgewood, NJ
Posts: 3

Talking

I did a lookup for that IP and it registered to UUNET. I did a traceroute and the host before it is registered to UUNET and Tivo. I guess it is a subnet that they have but don't have any DNS info for (to hide from hackers like us). Hosts 204.176.49.1 - 204.176.49.4 respond to pings.

POST #4 | Report this post to a moderator | IP: Logged

MacPrince is offline Old Post 01-14-2001 12:33 AM
MacPrince
Professional Sleeper

Registered: Dec 2000
Location: Crystal Lake, IL 60014
Posts: 0

Talking

Here's something interesting...from the About TiVo Inc. page:

quote:

Mike Ramsay (favorite TV show: Monty Python's Flying Circus)


It seems that Mike the CEO is the Python fan in question.

------------------
The TiVolution begins...

[This message has been edited by MacPrince (edited 01-13-2001).]

POST #5 | Report this post to a moderator | IP: Logged

Old Post 01-15-2001 04:20 AM
tgarcia
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

quote:
Originally posted by don99:
I have noticed a few interesting things while looking at the Log Files (available on screen after backdoors are enabled) and thought we could use a thread to talk about them.

One was a reference to ip address 204.176.49.4:80
I won't bother to post the rest of the URL because what I found interesting was when I put this URL in my web browser... The 80 of course is the port and indicates it is http.. so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"
I will give you a clue.. the TiVo uses a cgi script in a sub-dir of that page...
What is that all about??



Could be how the TiVo gets guide data. It only makes sense that the box would use HTTP to get data from TiVo's servers as getting data from HTTP servers is fairly easy from the programmer's standpoint.

POST #6 | Report this post to a moderator | IP: Logged

Scutter is offline Old Post 01-15-2001 11:43 AM
Scutter
Advanced Member

Registered: Oct 2000
Location: Noblesville, IN
Posts: 5

Cool

quote:
Originally posted by tgarcia:
Could be how the TiVo gets guide data. It only makes sense that the box would use HTTP to get data from TiVo's servers as getting data from HTTP servers is fairly easy from the programmer's standpoint.


In fact, that's exactly how it works, and also why pulling updates over the internet-connected serial port works. It's already well-documented in the Hack FAQ. I've had my modem unplugged for three months now.

FP


------------------
http://tivo.pineaus.com

POST #7 | Report this post to a moderator | IP: Logged

pv is offline Old Post 01-15-2001 08:11 PM
pv
Klein Bottle Washer

Registered: Aug 2000
Location: Chicago,IL,USA
Posts: 267

Talking

quote:
Originally posted by don99:
so I tried it, and got this:
"Ekki ekki ekki ekki p'ting zooooooop boing! Ni."
The page title is "Castle Anthrax home page"



That's too many "Ekki"s! No shrubberies for the TiVo staff. PV

P.S. If Mr. Ramsay would like my first edition of the "Monty Python and the Holy Grail" script book (Out of print for 20 years), he can make me an offer. But since you can't even find these on eBay, it ain't going cheap...

POST #8 | Report this post to a moderator | IP: Logged

Old Post 01-16-2001 05:19 AM
tgarcia
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

quote:
Originally posted by Scutter:
In fact, that's exactly how it works, and also why pulling updates over the internet-connected serial port works. It's already well-documented in the Hack FAQ. I've had my modem unplugged for three months now.

FP





Egads. I can't believe they didn't use an SSL connection for grabbing guide data. Hopefully they use some other encryption schema -- raw data is just a no-no if they don't want someone to start redistributing the information and giving away free TiVo service!

POST #9 | Report this post to a moderator | IP: Logged

HTH is offline Old Post 01-16-2001 12:01 PM
HTH
No Avatar Selected

Registered: Aug 2000
Location: Lincoln, NE
Posts: 3582

Talking

quote:
Originally posted by tgarcia:
Egads. I can't believe they didn't use an SSL connection for grabbing guide data. Hopefully they use some other encryption schema -- raw data is just a no-no if they don't want someone to start redistributing the information and giving away free TiVo service!


Who said it was raw? I understood the data itself was encrypted for each individual unit using the crypto chip's encryption key, so you couldn't even use a caching proxy to serve all your units with the same data--the wrong decryption key would be used. Wouldn't adding SSL on top of that be excess paranoia?

------------------


[This message has been edited by HTH (edited 01-16-2001).]

POST #10 | Report this post to a moderator | IP: Logged

Old Post 01-16-2001 01:11 PM
TVGeeko
Guest

Registered: Not Yet
Location:
Posts: N/A

Lightbulb

I just used 0v1t to get into the backdoors and read the logs too. I figured I'd be adventurous and try to hack into my TiVo through the PPP connection (with its IP address gathered from its logfile). (Hey, it's no crime to try to hack into your own computer on the network.) The first thing I did was ping it. Either UUNet doesn't let you ping hosts on its dialup system, or TiVo's kernel (2.1.24-TiVo.1 I think) rejects ICMP requests. As I guessed, it doesn't take ssh, rsh or telnet logins.

I DID go through the logs and find some interesting files it accesses over the network. The one file I did fetch from the server is:
http://204.176.49.30:8080//TivoData...61-363.slice.gz

(I was too chicken to go looking at other files - I have no idea how the TiVo people take to people downloading these with something other than a TiVo.)

Whether the extra / after the port number was necessary or not isn't something I know. The datafile format looks like some kind of archive containing graphics and text, but I could be mistaken. It's only gzip compressed (The text inside is not encrypted.). You can find the URLs it's fetching in /var/log/http (Accessible through the backdoors log system).

This kind of distro system for TV listings has been done before (http://www.tvhost.com/). An obscure file format distributed from public web servers - readable only by software which verifies a subscription. I suppose if you were bored you could hack the file format but it'd be of doubtful value unless you were going to rewrite MyWorld - and it would be unethical to use their listings with a TiVo which isn't subscribed.

Just some observations, sorry about the rant or if I'm being redundant to someone else.

I am curious if anyone did any work on figuring out what kind of data is in the .slice files.

POST #11 | Report this post to a moderator | IP: Logged

Old Post 01-17-2001 10:03 AM
keeney
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

Open your downloaded file deltashowcase-361-363.slice with Photoshop (or similar) as a raw, 8-bit per pixel file with a width of 481 pixels (height of 1500 or so) to see some of the graphics.

They appear to be color-mapped.

POST #12 | Report this post to a moderator | IP: Logged

Old Post 01-17-2001 12:27 PM
TVGeeko
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

>Open your downloaded file deltashowcase-361-363.slice with Photoshop (or similar) as a raw, 8-bit per pixel file with a width of 481 pixels (height of 1500 or so) to see some of the graphics.
>They appear to be color-mapped

Thanks. Also noticed that some of the other files are .bnd files which can be "unzipped" with a program called CPIO under Linux. You can find the URLs in your TiVo's logfiles, I don't care to raise any ire at TiVo by constantly posting links to the files. (Look at the fake filename below for a hint.)

To "unbundle" it as TiVo refers to it in the logfile, you type:

cpio --extract <BLAH123_32312-v221_32314_v221.slice.bnd

(I'd recommend using the real name of the file)

I believe these are encrypted in some way with the Blowfish algorithm. After the .bnd file is uncompressed, there are three files with extension ".skey" and one file with extension ".slice.gz.bf". I don't know what the .skey files have or how TiVo implements their Blowfish algorithm. The .bf file seems to be a ciphertext of a .gz file containing the .slice file (Seems to be an archive/database format of some sort.).

Oh yeah, one more thing. The point of this exercise is...?

POST #13 | Report this post to a moderator | IP: Logged

Scutter is offline Old Post 01-17-2001 01:08 PM
Scutter
Advanced Member

Registered: Oct 2000
Location: Noblesville, IN
Posts: 5

Talking

quote:
Originally posted by TVGeeko:
Oh yeah, one more thing. The point of this exercise is...?


"Why did you decrypt that code?"

"Because it was there."

FP


------------------
http://tivo.pineaus.com

POST #14 | Report this post to a moderator | IP: Logged

Old Post 01-17-2001 03:01 PM
TVGeeko
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

Good point Scutter!

I've been playing with this all night - The archive's images are uncompressed PNG files. You can extract the pretty pictures by finding the PNG header and just copying out the data from the header (HEX: 89 50 4E 47) (Found in the file earlier mentioned at offset 0x000038) until you get to the end of the PNG (Search until you find the letters "IEND" and it will be followed by hex: AE 42 60 82). TiVo seems to be relying exclusively on gzip's compression because the first PNG is 29kb, and could have been reduced to 5kb with PNG's normal compression.

What really baffles me is the header:
uN3ASTD1tm38)uuid-000000000 0.0.200.38)Ku

found before the PNG. What does "uuid-000000000 0.0.200.38)" mean - is it a kind of MFS filename or something? (I thought those were fsid)


POST #15 | Report this post to a moderator | IP: Logged
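
Added example (not part of the original thread or any TiVo tooling): the PNG carving described in post #15, done by walking the PNG chunk structure and checking each CRC instead of searching for the text "IEND", which can also occur inside stored, uncompressed pixel data. The function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # full 8-byte signature; the post quotes its first 4 bytes


def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png(level=0):
    """Constructed 4x2 8-bit grayscale PNG whose pixel bytes spell 'IEND'.
    level=0 makes zlib store them uncompressed, as the post observed."""
    ihdr = struct.pack(">IIBBBBB", 4, 2, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"IEND") * 2          # filter byte 0 + four pixels per row
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw, level)) + chunk(b"IEND", b""))


def walk_chunks(blob, off):
    """Follow chunk lengths, checking each CRC; return the offset just past IEND."""
    while off + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        ctype = blob[off + 4:off + 8]
        body_end = off + 8 + length
        if body_end + 4 > len(blob):
            return None                    # chunk runs past the end: truncated
        (crc,) = struct.unpack_from(">I", blob, body_end)
        if crc != zlib.crc32(blob[off + 4:body_end]) & 0xFFFFFFFF:
            return None                    # corrupt chunk or false-positive magic
        off = body_end + 4
        if ctype == b"IEND":
            return off
    return None


def carve_pngs(blob):
    """Return (offset, png_bytes) for every structurally valid PNG in blob."""
    found, pos = [], 0
    while (start := blob.find(PNG_MAGIC, pos)) != -1:
        end = walk_chunks(blob, start + len(PNG_MAGIC))
        if end is None:
            pos = start + 1                # skip this hit and keep scanning
        else:
            found.append((start, blob[start:end]))
            pos = end
    return found


if __name__ == "__main__":
    png = make_sample_png()
    # Constructed container: 0x38 bytes of header, one PNG, junk, one truncated PNG.
    blob = b"\x00" * 0x38 + png + b"trailing" + png[:40]
    for offset, data in carve_pngs(blob):
        print(f"PNG at 0x{offset:06x}, {len(data)} bytes")
```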

Old Post 01-17-2001 03:02 PM
TVGeeko
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

Sorry about that - the correct spelling is

uuid-0000000000.0.200.38)

POST #16 | Report this post to a moderator | IP: Logged

Scutter is offline Old Post 01-17-2001 04:25 PM
Scutter
Advanced Member

Registered: Oct 2000
Location: Noblesville, IN
Posts: 5

Talking

Lightn's Tivoweb includes a TCL script (called dumpimages.tcl) that will extract graphics from the MFS partition.

FP


------------------
http://tivo.pineaus.com



[This message has been edited by Scutter (edited 01-17-2001).]

POST #17 | Report this post to a moderator | IP: Logged

Otto is offline Old Post 01-17-2001 04:32 PM
Otto

Registered: Mar 2000
Location:
Posts: 1031

Talking

The slice files are encrypted using Blowfish. But then, of course, The Tivo unit itself can decrypt them. What did you think that crypto chip was for?

------------------
Otto, Supreme TiVoWarrior - Moderator - AVS Forum - Tivo Underground
"If once you start down the dark path, forever will it dominate your destiny. Consume you it will!" -- Yoda

POST #18 | Report this post to a moderator | IP: Logged

Old Post 01-18-2001 09:09 AM
TVGeeko
Guest

Registered: Not Yet
Location:
Posts: N/A

Talking

Thanks for the insight. I wasn't aware of the crypto chip in TiVo (Never bothered to pull mine apart.). I hope I'm not being too newbie for everyone.

I'd be tempted to go in and speculate about whether the crypto chip had a decryptor key built in or whether it was just a helper device like the kind you can buy for e-commerce servers, but it's pretty much a moot point and probably flamebait about "Stealing service" so I don't care to go there.

POST #19 | Report this post to a moderator | IP: Logged

All times are GMT.