TiVo Community Forum Archive 1
Thread: Tivo with NYB Virus

Post #1 - HumanoidLifeform (Guest) - 05-10-2001 07:38 PM
Subject: Tivo with NYB Virus

Hello. I have what I hope is a unique problem.

I followed all of the appropriate steps to upgrade my Tivo, but still had a problem:
1. Turn on virgin Tivo to make sure it boots.
2. Shut down power.
3. Open unit and remove 'A' drive.
4. Backed up 'A' drive using the mirror image technique to a Maxtor 15 GB drive (14 hour Tivo). (I had to unlock the drive using the dlgchk.exe program).
5. Store backup for safe keeping.
6. Using Dylan's boot disk, I blessed a Maxtor 81 GB drive.
7. Reinstalled the 'A' drive and added the new 'B' drive with the bracket from 9thTee.
8. Turned on the power.

The Tivo will not even boot now. I removed the new 'B' drive and restored the backup to the original 'A' drive. The Tivo will still not boot.

Being involved with forensic computer investigation technology, I reconstructed my process and was horrified to discover that the diskette that I used to unlock the original 'A' drive was infected with the NYB virus and without a doubt it propagated to the boot section of the Tivo 'A' drive. This happened before the backup, so the backup copy has the same problem.

The NYB virus is a boot sector virus that can render even Linux and NT drives unbootable; however, since it is primarily a Microsoft disk structure entity, I believe that it could only affect the boot loader on the Tivo 'A' drive. I think that the rest of the drive is probably still intact.

I am hoping that someone out there can help with information that will enable me to somehow restore the boot loader (LILO?) on the Tivo 'A' drive. I am even willing to hand enter the boot code using a disk sector editor, which I am extremely familiar with.

Thanks in advance to anyone attempting to help.

Paul.


Post #2 - embeem - 05-10-2001 08:15 PM

If you're running 1.3 and not using the original quantum A drive then add runideturbo=false to the boot params.

Traditionally boot sector viruses only overwrite the master boot sector -- the drive set as master on the first IDE channel. The instructions for Dylan's boot disk specifically state not to hook the TiVo drive up that way, although for other reasons.


Post #3 - jeddy (Guest) - 05-10-2001 08:19 PM

Don't know if my problem is similar to this or not, but here are the symptoms. Let me know if this is what you are seeing:

backdoor menu clip from terminal:

Verify password: *******
Console switched to DSS port
------- System Info --------
Processor speed = 50 MHz
Bus speed = 25 MHz
Amount of DRAM = 16 MBytes
Video configuration 3, Serial number 0
Enet MAC address= 0:0:0:0:0:0
Hostname =
----------------------------
--- Device Configuration ---
Power-On Test Devices:
000 Disabled System Memory [RAM]
----------------------------
Boot Sources:
002 Enabled EIDE disk Controller [EIDE]
gateway: 0.0.0.0
----------------------------
B - Boot from disk
N - Network (tftp) boot
X - print extended menu
->p
Old: root=/dev/hda4 shondss=true runideturbo=false
New(- to abort): -
B - Boot from disk
N - Network (tftp) boot
X - print extended menu
->b
IDEprom: Invalid block 0. signature=0x1492

-------------------------
Note the "Invalid block 0" part.
It is saying this is the IDEprom, but could it really be a boot sector virus?

I tried dumping the first few sectors of my backup over to this drive, and it still won't boot like your symptoms.

I haven't had this drive in a pc for a long time now, but I did copy some TiVo native binary files over recently and run them.

In any case, I will be interested in how you come out of this. Now, I can read and write the drive fine (when I set it up as /dev/hdb), but just can't boot from it.



Post #4 - Russ Arcuri (Senior Member) - 05-10-2001 09:05 PM

Just a general comment, unrelated to the virus issue. Assuming you get back up and running at some point, you'll want to change your procedure for the hack in the future. To the point: Backup your original A drive to a backup disk, and run your TiVo off of the BACKUP, storing the original A drive away for safe keeping. This accomplishes two things: 1. You know for sure that the backup was good because it's actually running. (Peace of mind). 2. You can return your TiVo to a genuine "factory" configuration with the original factory drive if necessary simply by returning the original drive to the TiVo -- no need for a restore operation.

------------------
Russ Arcuri
Sony v2.0.1 Z16


Post #5 - cworley (Guest) - 05-10-2001 09:22 PM

quote:
Originally posted by HumanoidLifeform:
Being involved with Forensic computer investigation
technology, I reconstructed my process and was horrified
to discover that the diskette that I used to unlock the
original 'A' drive was infected with the NYB virus and
without a doubt it propagated to the Boot section of the
Tivo 'A' drive. This happened before the backup, so the
backup copy has the same problem.

Where did this DBD come from? Could you find a "clean machine" and see if the virus is on the image downloaded (or did you bring some of your dirty work home with you)?

Also, I've seen cases of NYB being reported where there was none, including linux boot records being mistaken for NYB... but I'm sure you know what you're doing and didn't make that mistake.

Finally, no other processor boots like an Intel. There is no lilo for "PowerPC", there is no bios expecting arcane x86 boot record information.

TiVo does put some magic numbers in the boot block... and won't boot if they're missing. See section 3.8 of the Hack FAQ

Did you remember to return jumpers to the proper master/slave settings before reassembling your TiVo?



Post #6 - HumanoidLifeform (Guest) - 05-11-2001 08:12 AM

I got into the diagnostic ROM monitor. My parameters are somewhat different than yours, but the IDEProm message is the same saying "Invalid Block 0". The signature is different though as I would expect.

I believe this confirms that my problem is because the virus wrote to sector 0 on the drive thinking that it was a standard PC drive with a Boot block and Partition table.
In my case the virus will have written x86 Intel code which will mess up anything that was already there especially since Tivo is a PowerPC machine.

Now all I have to do is try to find out what should be there or how to restore what should be there. This should be fun. Sarcasm.

Thanks for your info, I will let you know what happens,
Paul

quote:
Originally posted by jeddy:
Don't know if my problem is similar to this or not, but here are the symptoms. Let me know if this is what you are seeing:

backdoor menu clip from terminal:

Verify password: *******
Console switched to DSS port
------- System Info --------
Processor speed = 50 MHz
Bus speed = 25 MHz
Amount of DRAM = 16 MBytes
Video configuration 3, Serial number 0
Enet MAC address= 0:0:0:0:0:0
Hostname =


Post #7 - jeddy (Guest) - 05-11-2001 07:24 PM

Have to agree with the note on storing the original TiVo disk, and booting off the copy. That is what I did on my first backup. I imaged the 15G to a 20G (lost some space), set the runideturbo=false, put the new drive in as A and blessed B drive in.

If nothing else, booting from the fresh backup verifies it is a good backup. If you can't run the TiVo from the backup, you may not be able to restore from it.

As to the block 0 thing.... How do you write to block 0 under Linux? I tried doing a dd and went from /dev/hda to /dev/hdb (on tivo, so no byte swapping issues). That didn't get rid of the problem, but pdisk reports the partition table as starting at block 1, not block 0.

I don't remember having to do anything but just:
dd if=/dev/hda of=/dev/hdb bs=1024k
to image the original drive over to my 80G before I made the Tiger style mods.

If that type of copy doesn't write to block 0, how did it get the right stuff to allow bootup to begin with?

Confusion is the first step to realizing you have much to learn.


Post #8 - Worf (Senior Member) - 05-12-2001 09:55 AM

Block 0 stores stuff like the boot parameters and stuff like that, IIRC. I think the TiVoMad disk had a little utility which could write at least the boot parameters into block 0.

Not sure if the rest of block 0 is mapped (it is only 512 bytes... anyone...?)


Post #9 - Peter Creath (Senior Member) - 05-12-2001 03:39 PM

Block 0 is documented in the hack FAQ. If I recall correctly, you can also tell BlessTiVo to perform only the first part of blessing -- namely writing block 0. That will generate a default boot block.

You'll definitely want to refer to the documentation, though, for two reasons:

- You'll need to set the primary and backup kernel partitions appropriately (it's either one way or the other, e.g. 3 and 6 vs. 6 and 3)
- You'll need to set the boot parameters to root=/dev/hdaX, where X is the proper / partition. Again, there are two of them.

The main reason there are two of each is to provide safe software upgrades. You're running one kernel and one root filesystem. Then during upgrade, it writes to the other kernel and other root filesystem. When it's done, it changes the boot block to swap the primary/secondary kernels and the root partition.

Generally on new machines, it will be pretty obvious which root is the right one (the other one is zeroed out). I'm not sure if that's also true for the kernels, but you should pick the kernel which corresponds to the proper root.

Good luck!


Post #10 - jeddy (Guest) - 05-15-2001 05:27 PM

Ok, I found what I did wrong.

I was trying to change the kernel that I boot from and gave the wrong parameters to the command "bootpage".

From the BASH prompt on the tivo:

WRONG:
bootpage -B /dev/hda3 -A /dev/hda6 /dev/hda

RIGHT:
bootpage -B 3 -A 6 /dev/hda

If you want to see your current boot parameters try:
bootpage -q /dev/hda
Here is an example from one of my drives:

bash-2.02# bootpage -q /dev/hda
IP address: 10.67.130.254
Primary boot partition: 6
Alternate boot partition: 3
Hostname: unnamed
Boot parameters: root=/dev/hda7 shondss=true
MAC address: 73:33:11:c1:9d:2e

and another (set as secondary drive in TiVo):

bash-2.02# bootpage -q /dev/hdb
IP address: 10.75.75.48
Primary boot partition: 3
Alternate boot partition: 6
Hostname: unnamed
Boot parameters: root=/dev/hda4 runideturbo=false shondss=true MYWORLD_ENABLE_BACKDOORS=1 MORE_INFO=1 LIVE_CACHE_SIZE=20700
MAC address: b9:80:9e:6d:f0:60

Here is an example of what was wrong and causing the system not to boot:

bash-2.02# bootpage -q /dev/hdb
IP address: 10.119.156.184
Primary boot partition: 0
Alternate boot partition: 0
Hostname: unnamed
Boot parameters: root=/dev/hda7 runideturbo=false shondss=true
MAC address: 64:4c:85:bd:70:59

Note that the primary and alternate kernel partitions are set to 0. They must be 3, 6 or 6, 3.

To set the primary kernel partition to /dev/hda3:
bootpage -B 3 /dev/hda

To set the alternate kernel to /dev/hda6:
bootpage -A 6 /dev/hda

To check the primary kernel setting:
bootpage -b /dev/hda
<returns the number of the primary boot partition>

To check the alternate kernel setting:
bootpage -a /dev/hda
<returns the number of the alternate boot partition>

To set the boot params
bootpage -P "root=/dev/hda4 <etc....>" /dev/hda

To verify all the boot param settings
bootpage -q /dev/hda
<see examples above>

To flip the primary and alternate kernels:
bootpage -f /dev/hda
<swaps 3, 6 to 6, 3 or vice versa>

Don't know many other options for this, but I think maybe a -D will write a default boot page too.

Knowledge is power, Why do I feel like my batteries are low.

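As an added example (not code from the thread or from the TiVo tools), here is the sanity check that posts #9 and #10 describe, run over the text that `bootpage -q` prints: the primary and alternate kernel partitions must be 3 and 6 in some order, and root= must name the root partition that goes with the primary kernel. The kernel-to-root pairing (3 with 4, 6 with 7) is taken from the listings above and is an assumption for any particular box; the two sample listings are constructed.

```python
import re

# Kernel partition -> matching root partition. Assumed from the bootpage -q
# listings in this thread (primary 6 with root=/dev/hda7, primary 3 with
# root=/dev/hda4); check it against your own drive before relying on it.
KERNEL_TO_ROOT = {3: 4, 6: 7}


def parse_bootpage(text):
    """Turn 'bootpage -q' output into a dict keyed by the field name."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")  # MAC addresses keep their colons
            info[key.strip()] = value.strip()
    return info


def check_bootpage(info):
    """Return the reasons this boot page would not boot; an empty list means OK."""
    problems = []
    try:
        primary = int(info.get("Primary boot partition", "0"))
        alternate = int(info.get("Alternate boot partition", "0"))
    except ValueError:
        return ["kernel partition fields are not numeric"]
    if {primary, alternate} != {3, 6}:
        problems.append("kernel partitions must be 3,6 or 6,3, got %d,%d"
                        % (primary, alternate))
    m = re.search(r"\broot=/dev/hda(\d+)\b", info.get("Boot parameters", ""))
    if not m:
        problems.append("boot parameters lack root=/dev/hdaX")
    elif primary in KERNEL_TO_ROOT and int(m.group(1)) != KERNEL_TO_ROOT[primary]:
        problems.append("root=/dev/hda%s does not match primary kernel %d "
                        "(expected /dev/hda%d)"
                        % (m.group(1), primary, KERNEL_TO_ROOT[primary]))
    return problems


# Constructed samples modelled on the bootpage -q listings in the thread.
GOOD = """IP address: 10.0.0.2
Primary boot partition: 6
Alternate boot partition: 3
Hostname: unnamed
Boot parameters: root=/dev/hda7 shondss=true
MAC address: 00:11:22:33:44:55
"""
BAD = """IP address: 10.0.0.3
Primary boot partition: 0
Alternate boot partition: 0
Hostname: unnamed
Boot parameters: root=/dev/hda7 runideturbo=false shondss=true
MAC address: 00:11:22:33:44:56
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, check_bootpage(parse_bootpage(text)) or "OK")
```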

Post #11 - dmprantz (New Member) - 05-15-2001 09:36 PM

In addition to what Belboz said, while you can try to compile a customized version of BlessTiVo with the appropriate block0, I am personally working on another program which just creates a TiVo block 0. It's all written, I just haven't gotten around to testing it yet. If you can't or don't want to use BlessTiVo to recreate your block 0, send me a PM, and I'll see about doing a quick test and getting my program to you. Let me know if you need it.

Daniel M. Pomerantz

