TiVo Community Forum Archive 1

Welcome to the TiVo Community Forum Archive
This archive covers threads on TiVo Community Forum that have not been posted to from the start until June 30, 2004.  Any thread that has a post made to it between 7/1/04 and 12/31/05, that had not been posted to, will be found in Archive 2.

TiVo Community Forum Archive 1 > Underground Playground > TiVo Underground
>>> No, you cannot hack a series 2 box (yet) <<<

Pages (7): [1] 2 3 4 Next » ... Last »
Otto | 09-27-2002 12:27 AM
Registered: Mar 2000 | Posts: 1031

No, you cannot hack a series 2 box (yet)

This is coming up so often now that a sticky seems to be needed.

What needs to occur to hack a series 2 box:

1. Firmware must be hacked to disable the kernel signature check.
2. Kernel then must be hacked to disable the initrd that restores the software on the box.

These have not been done. If you accomplish them, post it, okay?

Drive upgrades, BTW, can be done on a S2 box. They don't involve either of these.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."

POST #1

richiela | 09-27-2002 01:00 AM
New Member | Registered: Sep 2002 | Posts: 0

I'm fairly new and haven't seen much discussion on how this protection works, but by your description:

1) The firmware does a kernel signature check, there's no real way around this unless you add a hardware hack that bypasses or updates the firmware.

2) Kernel runs initrd that restores the software? So by the sounds of it, you can get code onto the box, the problem is the rc.sysinit or whatever is getting whacked every time? What files are actually "protected"?

I mean if you can get any code on the box, you can simply use cron, or some other mechanisms to update files or run code. I may be oversimplifying or just clueless, but as I said, I haven't seen any strong technical discussions on this. Thanks

Richie

POST #2

Zirak | 09-27-2002 02:10 AM
TiVo Forum Special Member | Registered: Apr 2002 | Location: New York | Posts: 968

quote: Originally posted by richiela
1) The firmware does a kernel signature check, there's no real way around this unless you add a hardware hack that bypasses or updates the firmware.

AFAIK:

The most probable method would be to flash the prom with firmware that does not do a kernel signature check. When 2.5 came along, D-Tivos got new firmware that does a similar check. The solution was to reflash the prom with the old firmware.

It is more complex with an S2, because there is no old firmware to reflash with. Someone would have to decode the current firmware and remove the check. Much more complex.

quote: Originally posted by richiela
2) Kernel runs initrd that restores the software? So by the sounds of it, you can get code onto the box, the problem is the rc.sysinit or whatever is getting whacked every time? What files are actually "protected"?

IIRC:

The root partition is checked as opposed to individual files, the restore is triggered if the checksum doesn't match. I believe that key files get restored, and "rogue" files get removed. rc.sysinit is certainly a key file. I am not certain about the extent of the restoration, but the effect is the same.

quote: Originally posted by richiela
I mean if you can get any code on the box, you can simply use cron, or some other mechanisms to update files or run code. I may be oversimplifying or just clueless, but as I said, I haven't seen any strong technical discussions on this. Thanks

Richie

You can get the code on the box, but it gets removed, whether it is crond, a telnet daemon, some benign one line text file, or whatever.

That's the general idea, please feel free to chime in about any technical inaccuracies.

POST #3

richiela | 09-27-2002 02:23 AM
New Member | Registered: Sep 2002 | Posts: 0

quote: Originally posted by Zirak
IIRC:

The root partition is checked as opposed to individual files, the restore is triggered if the checksum doesn't match. I believe that key files get restored, and "rogue" files get removed. rc.sysinit is certainly a key file. I am not certain about the extent of the restoration, but the effect is the same.

You can get the code on the box, but it gets removed, whether it is crond, a telnet daemon, some benign one line text file, or whatever.

That's the general idea, please feel free to chime in about any technical inaccuracies.

You mention the "root partition" ... I'm not familiar with the filesystem of a tivo, but I assume the partition where the videos are stored is separate so you could get code there that will remain? Or on a separate drive?

Is that accurate? If so, the problem becomes finding a weakness in the init.d loading or rc.* loading that lets us inject some code in... thoughts

Richie

POST #4

jafa | 09-27-2002 02:32 AM
TiVo Forum Special Member | Registered: Jan 2002 | Posts: 2223

As a point of interest the S2 prom cannot be in-system reflashed.

Nick

__________________
Silicondust - Tivo CacheCARD/Turbonet/Airnet
Roomba Robotics - Roomba Community

POST #5

trubin | 09-27-2002 06:07 AM
Member | Registered: Aug 2002 | Location: Lincoln Park, Michigan | Posts: 45

I have been watching and looking for a hack that will work on the series II

On this board, you can read more on the subject at...

http://www.tivocommunity.com/tivo-v...&threadid=65960

and here

http://www.tivocommunity.com/tivo-v...&threadid=59201

I feel that preventing me from doing whatever I want with the TIVO that I paid $400 for is discriminatory. There wasn't any disclaimer, at best, that the OS was protected. This message board was created so that TIVO users can team up and create additional functionality. But we can't use any of it on the new units, and this was caused by TIVO.

Last edited by trubin on 10-31-2002 at 09:21 AM

POST #6

feldon23 | 09-27-2002 06:12 AM
MythBuster | Registered: Mar 2001 | Location: Houston, TX | Posts: 1821

I think TiVo is just trying to make investors and broadcast paranoids happy by providing the illusion of security.

__________________
1 Philips DirecTiVo (126 hours) & 1 Hughes HDVR2
Read the HDTiVo FAQ! & follow the SBC DirecTV drama
My Aquarium

POST #7

jafa | 09-27-2002 06:30 AM
TiVo Forum Special Member | Registered: Jan 2002 | Posts: 2223

Hi,

I have spoken to Tivo about this - they need to keep the S2 box secure.

The impression that I have been getting is that they are not against third party development but can't compromise security.

I have presented a proposal to allow third-party development without compromising security but I don't blame them for not considering this their highest priority.

Nick

__________________
Silicondust - Tivo CacheCARD/Turbonet/Airnet
Roomba Robotics - Roomba Community

Last edited by jafa on 09-27-2002 at 07:14 AM

POST #8

trubin | 09-27-2002 07:06 AM
Member | Registered: Aug 2002 | Location: Lincoln Park, Michigan | Posts: 45

I also wanted to post this link to the outside, but wanted it in a different post, since I don't know all of the rules of this Mboard.

http://************.com/forum/showt...?threadid=16484

Last edited by trubin on 09-28-2002 at 04:50 AM

POST #9

Otto | 09-27-2002 07:46 AM
Registered: Mar 2000 | Posts: 1031

quote: Originally posted by Zirak
The most probable method would be to flash the prom with firmware that does not do a kernel signature check. When 2.5 came along, D-Tivos got new firmware that does a similar check. The solution was to reflash the prom with the old firmware.

It is more complex with an S2, because there is no old firmware to reflash with. Someone would have to decode the current firmware and remove the check. Much more complex.

Just wanted to point out that this is incorrect. The 2.0 firmware on the D-Tivo's *did* do a signature check on the kernel. The 2.0 kernel was, in fact, signed. It simply did not have the initrd code to restore the partition.

The hack to the D-Tivo firmware was not accomplished by reflashing with older firmware, a binary hack was made to the firmware to bypass the signature check, and that was flashed onto the PROM. Then the kernel's initrd was patched.

The "tivoflash" actually copies the signed 2.0 kernel to the Tivo's alternate root, boots that, and sets it up so that it flashes the firmware with the hacked firmware. Then it reboots back into 2.5. Then you can alter the initrd to disable it.

__________________
All comments made in this post are my opinion and my opinion alone. Deal with it.
Otto, Zen TiVo Master - Moderator - AVS Tivo Forums - Tivo Underground, Tivo Coffee House
"I've always been mad, I know I've been mad, like most of us...very hard to explain why you're mad, even if you're not mad..."

POST #10

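A model of the boot-chain check from Otto's first post and the tivoflash sequence he describes in post #10, written in Go as an added example; this is not TiVo's firmware and not code from anyone in the thread. The key pair, the image layout, the `Gen` counter and the PROM's `MinGen` floor are assumptions made for the illustration: the thread says nothing about a release counter, and the point of the example is that a PROM which only checks "is this signed with our key" will happily boot an older signed kernel that lacks the initrd restore, which is exactly the step tivoflash leans on before it reflashes the PROM.

```go
// Added example, not TiVo's code: the PROM holds a public key and boots any
// kernel whose signature verifies under it; the initrd is inside the signed
// kernel. Key handling, image layout and the Gen/MinGen fields are assumed.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KernelImage is what sits on a kernel partition. HasRestore stands in for the
// initrd logic that restores the root partition (present in 2.5, absent in 2.0).
type KernelImage struct {
	Version    string
	Gen        uint32 // assumed: monotonic release counter, covered by the signature
	HasRestore bool
	Payload    []byte
	Signature  []byte
}

// digest returns the bytes the signature covers: every field except Signature.
func (k KernelImage) digest() []byte {
	h := sha256.New()
	h.Write([]byte(k.Version))
	h.Write([]byte{0})
	binary.Write(h, binary.BigEndian, k.Gen)
	if k.HasRestore {
		h.Write([]byte{1})
	} else {
		h.Write([]byte{0})
	}
	h.Write(k.Payload)
	return h.Sum(nil)
}

// VendorKeys generates the signing pair; only the public half goes into the PROM.
func VendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignKernel is the vendor's release step.
func SignKernel(priv ed25519.PrivateKey, k KernelImage) KernelImage {
	k.Signature = ed25519.Sign(priv, k.digest())
	return k
}

// PROM models the boot firmware. CheckSignature=false is the binary-patched
// D-TiVo firmware Otto describes. MinGen is an assumed anti-rollback floor;
// zero means "any generation", which is what the thread's description implies.
type PROM struct {
	PubKey         ed25519.PublicKey
	CheckSignature bool
	MinGen         uint32
}

var (
	ErrBadSignature = errors.New("kernel signature does not verify")
	ErrRollback     = errors.New("kernel generation below PROM minimum")
)

// Boot returns nil when the PROM would hand control to this kernel.
func (p PROM) Boot(k KernelImage) error {
	if !p.CheckSignature {
		return nil // patched firmware: whatever is on the kernel partition boots
	}
	if !ed25519.Verify(p.PubKey, k.digest(), k.Signature) {
		return fmt.Errorf("%s: %w", k.Version, ErrBadSignature)
	}
	if k.Gen < p.MinGen {
		return fmt.Errorf("%s (gen %d): %w", k.Version, k.Gen, ErrRollback)
	}
	return nil
}

// PatchInitrd is the attacker's edit: switch the restore off. The signature no
// longer matches, so a checking PROM rejects the result.
func PatchInitrd(k KernelImage) KernelImage {
	k.HasRestore = false
	return k
}

func main() {
	pub, priv := VendorKeys()
	strict := PROM{PubKey: pub, CheckSignature: true}
	old := SignKernel(priv, KernelImage{Version: "2.0", Gen: 20, Payload: []byte("kernel-2.0")})
	cur := SignKernel(priv, KernelImage{Version: "2.5", Gen: 25, HasRestore: true, Payload: []byte("kernel-2.5")})

	fmt.Println("2.5 as shipped:        ", strict.Boot(cur))
	fmt.Println("2.5 with initrd patched:", strict.Boot(PatchInitrd(cur)))
	fmt.Println("signed 2.0, no floor:   ", strict.Boot(old)) // the tivoflash step
	floor := PROM{PubKey: pub, CheckSignature: true, MinGen: 25}
	fmt.Println("signed 2.0, MinGen=25:  ", floor.Boot(old))
	patched := PROM{PubKey: pub, CheckSignature: false}
	fmt.Println("patched PROM, any image:", patched.Boot(PatchInitrd(cur)))
}
```

The four outcomes line up with the thread: a tampered initrd fails the check, the untouched 2.0 kernel passes it because nothing binds the PROM to a minimum release, and once the PROM itself is patched the check is gone entirely. The `MinGen` line is the one piece not described on the page; it shows what a generation floor would have done to the downgrade step.

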
trubin | 09-27-2002 08:17 AM
Member | Registered: Aug 2002 | Location: Lincoln Park, Michigan | Posts: 45

The last post is correct. I had to use this flash process to correct a broken modem on a Direct-Tivo t-60. The original problem with this unit was that it would get to the almost there screen and then just hang.

I tried to rename the modem test files (to a .bak), as another thread mentioned, then placed the drive back in the t-60. After getting the same results, I tried modifying the second boot partition, placed the drive back in the unit, got the same result.

So I then checked to see if my changes were still the way I had left them.

To my amazement, they were no longer there. The .bak files were gone, and the modem test files were on the OS again. However, the inactive partition wasn't touched, but the boot was modified.

Through more searching, I found the prom flash utility for the t-60. I think it was an extreme image, but not for certain.

After flashing the prom, I was able to rename the modem files, and the unit booted, with the hacks I had installed.

This seems very similar to what the series II is doing. On my series II (that I was mucking with), I am not sure if the /var was scanned for any of the changes that one of the scripts had added. I will have to open this unit up again, one of these days, and look a little more extensively at the OS and the changes I know I made, versus what's left.

Last edited by trubin on 09-28-2002 at 05:11 AM

POST #11

richiela | 09-27-2002 08:27 AM
New Member | Registered: Sep 2002 | Posts: 0

After reading all the threads people have mentioned I've got even more questions

1) is it not acceptable to hack the series 2 to do stuff? there's lots of mention of DTV getting in trouble for figuring a way around security?

2) If the sequence really goes
* prom boots
* kernel
* initrd
* rc.sysinit

and everything outside of /var is checked, the key becomes finding a way to exploit the startup scripts easily. I'm sure they made a mistake there somewhere... Which leads me to...

3) does anyone have a tarball image of the FS? I'm assuming the FS is just ext2 or something and you can just tar up the files? particularly, /etc/init.d and /etc/rc*?

4) Even if there is a weakness, is tivo just going to update it on the next version and kill it? I was under the impression tivo was cool with people hacking it, but if that's the case, what's the need for the security?

I'm very adept at software, but hardware scares me which is why I haven't just opened my box up and found all this out for myself... if only I could telnet in.. hmmm ...

Richie

POST #12

Zirak | 09-27-2002 12:11 PM
TiVo Forum Special Member | Registered: Apr 2002 | Location: New York | Posts: 968

quote: Originally posted by jafa
As a point of interest the S2 prom cannot be in-system reflashed.

Nick

Good to know.

I would like to know more of the details of which you speak. I'm sure there is a reason none are included.

quote: Originally posted by Otto
Just wanted to point out that this is incorrect. The 2.0 firmware on the D-Tivo's *did* do a signature check on the kernel. The 2.0 kernel was, in fact, signed. It simply did not have the initrd code to restore the partition.

The hack to the D-Tivo firmware was not accomplished by reflashing with older firmware, a binary hack was made to the firmware to bypass the signature check, and that was flashed onto the PROM. Then the kernel's initrd was patched.

The "tivoflash" actually copies the signed 2.0 kernel to the Tivo's alternate root, boots that, and sets it up so that it flashes the firmware with the hacked firmware. Then it reboots back into 2.5. Then you can alter the initrd to disable it.

Obviously, I don't have a D-Tivo, and have merely repeated what I have read.

Thanks for the technical correction. It would seem that hacking the S2 isn't so different than the D-Tivo, as I had been misled to believe by some post somewhere at sometime. Still, as jafa pointed out, the inability to reflash on the S2 does indeed make the operation more complex, probably requiring some hardware work.

POST #13

FUBAR | 09-27-2002 12:43 PM
That Guy | Registered: Jul 2002 | Location: United States | Posts: 532

Well, if Tivo can digitally "sign" a kernel, then SOMEONE should be able to sign their own kernel... doubt it's worth the time and effort. If you can't flash the PROM from the box or with software, they have to have some way to get the tivo to accept a new kernel. It's only a matter of time until someone can do this. BTW I have a series two that I'm not afraid to take apart if anyone needs any more info... I'm not that experienced with linux, but I can follow instructions very well, and have a good backup just in case.

__________________
You? you get no pony!

F.U.B.A.R.

POST #14

jtl | 09-27-2002 03:05 PM
Member | Registered: Feb 2002 | Location: Portland, OR | Posts: 3

quote: Well, if Tivo can digitally "sign" a kernel, then SOMEONE should be able to sign their own kernel...

Yes, all you need is the magic number.

That route is useless for a couple more years, at least.

POST #15

jakeyr | 09-28-2002 03:41 AM
New Member | Registered: Sep 2002 | Location: San Mateo, CA | Posts: 0

--- snip ---
Yes, all you need is the magic number.

That route is useless for a couple more years, at least.
--- snip ---

Or until someone at TiVo leaks the private key. I'm not familiar with the details of their company, so I don't know how likely that is.

Until then, I totally agree with richiela in that I believe the real route to go down is insecurity in the TiVo Tcl source code. If you could somehow store a bash shell and your own code on the video partition and exploit a weakness in the TiVo code to execute it, you'd be in business.

I'm not too familiar with the TiVo partition layout. Any reason this isn't possible?

A tarball of the source would be great, if anyone has it. I'd like to take a look.

A couple of random ideas:

1) Anyone know what version of Tcl/Tk is running on the series2 3.0 kernel? There may be already-known and easy-to-exploit vulnerabilities in an older version.

2) When I began thinking about this, the first thing I thought of was the mail messages... if one could insert one's own mail messages with Tcl code... you get the idea.

-jake

POST #16

jtl | 09-28-2002 03:48 AM
Member | Registered: Feb 2002 | Location: Portland, OR | Posts: 3

The video partition isn't a kernel-understandable filesystem, so that's a no-go. /var may be usable for this.

I thought I'd heard that they had moved away from TCL for the series 2 software, but that doesn't mean there might not be other exploitable bugs.

I finally got a series 2; I'll pull the drive this weekend and poke around some.

POST #17

jakeyr | 09-28-2002 03:58 AM
New Member | Registered: Sep 2002 | Location: San Mateo, CA | Posts: 0

quote: The video partition isn't a kernel-understandable filesystem, so that's a no-go. /var may be usable for this.

Gotcha, that's what I was afraid of. So I assume then that /var is not checksummed? How could it be, considering the log messages and such.

quote: I thought I'd heard that they had moved away from TCL for the series 2 software, but that doesn't mean there might not be other exploitable bugs.

I wasn't aware of that; can anyone confirm this? What are they using then?

thanks,

-jake

POST #18

geowar | 09-28-2002 04:01 AM
TiVo junkie | Registered: Sep 2002 | Location: San Fran. Bay area (Santa Clara) | Posts: 79

initrd image from where?

First off it appears that /var isn't getting restored. My /var/hack/ directory is intact after initrd.

Question: Where is initrd restoring _FROM_? The flash ROM? an image _on_disk_? If this image could be built with initrd disabled would the ROM hang in a restore from image cycle or just boot to our (modified) image?

__________________
--
Enjoy,
George Warner, (408)974-0668
Schizophrenic Optimization Scientists
Apple Developer Technical Support (DTS)

POST #19

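A model of the root-partition check and restore described in post #1 (step 2), Zirak's post #3, and the /var reports from jtl, jakeyr and geowar in posts #17 to #19, written in Go as an added example; it is not TiVo's initrd code and not code from anyone in the thread. The reference image, the file names (rc.sysinit, a modem test binary, a telnet daemon) and the rule that /var sits on its own partition and is never examined are assumptions taken from what the posters report, not from any TiVo source.

```go
// Added example, not TiVo's code: the root partition is hashed as a whole; on a
// mismatch the key files come back as shipped and anything not in the reference
// image is removed. /var is a separate partition and is left alone.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Root is the box's filesystem as path -> contents, with /var mounted under it.
type Root map[string]string

// Golden is the vendor's reference image the initrd restores from (assumed form).
type Golden struct {
	Hash  string
	Files map[string]string
}

// onRootPartition is true for paths the checksum covers; /var is excluded.
func onRootPartition(path string) bool { return !strings.HasPrefix(path, "/var/") }

// HashRoot hashes covered paths and contents in sorted order so the result
// does not depend on map iteration order.
func HashRoot(r Root) string {
	var paths []string
	for p := range r {
		if onRootPartition(p) {
			paths = append(paths, p)
		}
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		h.Write([]byte(p))
		h.Write([]byte{0})
		h.Write([]byte(r[p]))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// MakeGolden builds the reference image from a pristine set of files.
func MakeGolden(files map[string]string) Golden {
	r := Root{}
	for p, c := range files {
		r[p] = c
	}
	return Golden{Hash: HashRoot(r), Files: files}
}

// InitrdRestore runs at boot. It reports whether the restore fired and which
// paths it touched (sorted). Paths under /var are never examined.
func InitrdRestore(r Root, g Golden) (bool, []string) {
	if HashRoot(r) == g.Hash {
		return false, nil
	}
	var touched []string
	for p := range r { // rogue files: on the root partition but not in the image
		if _, ok := g.Files[p]; onRootPartition(p) && !ok {
			delete(r, p)
			touched = append(touched, p)
		}
	}
	for p, c := range g.Files { // key files: put back exactly as shipped
		if r[p] != c {
			r[p] = c
			touched = append(touched, p)
		}
	}
	sort.Strings(touched)
	return true, touched
}

func main() {
	golden := MakeGolden(map[string]string{ // assumed contents
		"/etc/rc.d/rc.sysinit": "#!/bin/sh\n/sbin/init-tivo\n",
		"/bin/modemtest":       "modem self-test",
	})
	box := Root{}
	for p, c := range golden.Files {
		box[p] = c
	}
	// The edits the posters describe: rename the modem test, add a daemon,
	// hook rc.sysinit, and drop a script in /var/hack.
	delete(box, "/bin/modemtest")
	box["/bin/modemtest.bak"] = "modem self-test"
	box["/sbin/telnetd"] = "telnet daemon"
	box["/etc/rc.d/rc.sysinit"] += "/var/hack/start\n"
	box["/var/hack/start"] = "#!/bin/sh\n/var/hack/telnetd\n"

	fired, touched := InitrdRestore(box, golden)
	fmt.Println("restore fired:", fired, "touched:", touched)
	fmt.Println("/var/hack/start survived:", box["/var/hack/start"] != "")
	fmt.Println("root hash matches image: ", HashRoot(box) == golden.Hash)
}
```

This reproduces the three observations in the thread: the renamed .bak file and the added daemon vanish, rc.sysinit comes back without the hook, and the directory under /var is untouched. That last point is why a file in /var survives but cannot do anything on its own: nothing the box checks will ever run it unless something on the checked partition, or something outside the restore entirely, calls it.

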
trubin | 09-28-2002 06:20 AM
Member | Registered: Aug 2002 | Location: Lincoln Park, Michigan | Posts: 45

I believe, as others expressed, one of the major helpers will be for an image to be examined outside of the linux OS it rides on. From this point you could try a brute force method of examining files, to find the one that is a compressed image. The tivo OS is at least 10 meg, you can't fit that much code on a chip from a cost standpoint.

When I got my series II, it had 2.5 installed. On the first call it upgraded itself to 3.0.
The 3.0 load crosses many different platforms, each from a couple of different manufacturers. The hardware from each company is unique from what I understand. This was very well planned.

I can't imagine that there are very many differences between the Series two 3.0 OS and a series one 3.0 OS. Coming from a software development background, when trying to cross compile, you start with the same source code. When a bug crops up, you can fix it all in one place. From a testing standpoint it would be next to impossible to contain bugs without using this method.

the 2.5 load has to have different checksums than the 3.0.

the signature couldn't possibly be the same for each.

If you are implementing security, why would you only have one key. As mentioned, if the key got out, then no more security. At a guess, the key could be compressed in one of the os files, but without knowing what to look for, it could never be found.

code would have to be written to run on the processor in the series II that could flash the prom. When the os gets updated from 2.5 to 3.0, the prom would almost certainly have to be changed to accept the new OS. on the D-tivo, the older boot kernel is used to initiate the prom flash.

This is the layout for the t-60 direct-tivo( which is a series one, with the similar boot prom to the series two)

hdc1: bootstrap partition
hdc3: kernel 1 image
hdc4: root 1 filesystem
hdc6: kernel 2 image
hdc7: root 2 filesystem
hdc9: /var filesystem (contains the kernel logfile)
found in http://www.tivocommunity.com/tivo-v...hlight=t60+hack

This was the same layout that I found on my series two.

Last edited by trubin on 09-28-2002 at 06:28 AM

POST #20

Powered by: vBulletin Version 2.2.8
Copyright ©2000, 2001, Jelsoft Enterprises Limited.
(C)opyright - All Rights Reserved. No information may be posted elsewhere without written permission.
TiVo® is a registered trademark of TiVo Inc. This site is not affiliated with TiVo Inc.