TiVo Community Forum Archive 1
READ ONLY ARCHIVES

Welcome to the TiVo Community Forum Archive
This archive covers threads on TiVo Community Forum that have not been posted to from the start until June 30, 2004.  Any thread that has a post made to it between 7/1/04 and 12/31/05, that had not been posted to, will be found in Archive 2.
This is a READ ONLY site.

>>> BASH prompt on Series2 running 3.2 software <<<

snaef
New Member
Registered: Jan 2003
Posts: 10
Posted: 01-22-2003 05:44 PM

BASH prompt on Series2 running 3.2 software

I have been getting mixed signals from various posts regarding the possibility of getting a BASH prompt on version 3.2 Series2 units. Can any of you definitively answer these questions?


Q: Can the stand alone Series2 running 3.2 software be hacked to get a BASH prompt over the USB/Ethernet bridge?

Q: Can the method used by people using DirectTivos running 3.1 be used on a stand alone 3.2?

Q: If it is not possible, is there any hope that it will be possible in the future?

Please help! It really sucks that they took away this capability. I was really looking forward to using TivoWeb.

POST #1

alansh
Senior Member
Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461
Posted: 01-22-2003 07:14 PM


  1. No. The config files are protected by hashes, and the list and hash check program are in the kernel initrd, which is signed and checked by the boot ROM. Any changes and it will either replace the file or not boot at all.
  2. No. Unlocked software exists for the DTivos (before Tivo updated it), but all the Series2 stand alones always had the protected OS and ROMs.
  3. Who knows? There was an initial hack (set a BASH_ENV variable that makes bash run a script), but Tivo now checks for that. Changing the boot ROM is difficult, as it's soldered to the system board. If it's flashable (I haven't seen a definite yes or no), you still have to get into the system to run a flash program.

POST #2

timone
New Member
Registered: Jan 2003
Posts: 1
Posted: 01-25-2003 10:18 PM

So does the BASH_ENV work?

I assume from this that there is no way to change the startup files in a S2.

POST #3

Pent
Just Me!
Registered: Jan 2003
Posts: 53
Posted: 01-26-2003 05:58 AM

I'm looking at rc.sysinit on a 3.2 60 hour image and I see the following:

====

# Read in our testing configuration, if there is one.
[ ! -f /test.conf ] || source /test.conf

# Some tcl scripts expect TIVO_ROOT to be set. It would be cleaner to
# just use the path, but that's not the way it is right now. The
# contents of TIVO_ROOT is prepended to paths, so the empty string is
# just fine.
TIVO_ROOT=
export TIVO_ROOT

if [ "$sysgen" = true ]; then
    echo
    echo
    echo Starting shared library installation environment
    echo You may Telnet in. The telnet connection
    echo will run bash as the login shell.
    echo

    configEtherSysinit

    echo Starting Telnet Listner ... >& /dev/console
    /sbin/tnlited 23 /bin/bash >& /dev/console

    echo Starting /proc Listener ... >& /dev/console
    mount -n /proc /proc -t proc >& /dev/console
    procd >& /dev/console

    exit
fi

====

Doesn't that seem to indicate if /test.conf exists you can start the telnet server or am I missing something completely?

POST #4

alansh
Senior Member
Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461
Posted: 01-26-2003 06:08 AM

I'm not certain, but I think the startup also deletes "unknown" files from the system directories.

Although test.conf is in rc.sysinit, they may delete it when booting the normal release kernel.

POST #5

stormsweeper
How *you* doin'?
Registered: Nov 2001
Location: NYC, USA
Posts: 443
Posted: 01-26-2003 06:38 AM

The file protection happens long before rc.sysinit is ever run.

POST #6

ADent
TiVo Forum Special Member
Registered: Jan 2000
Location: Denver, CO
Posts: 1290
Posted: 01-26-2003 08:32 AM

There is a fix in the works (ROM Update), but it looks like soldering will be involved. TiVo lawyers could easily shut this down under DMCA.

The keys for the signatures could be brute forced, but it would take an astronomical amount of time to crack.

Maybe more holes can be found in the software, but those presumably will be fixed in the next rev.

POST #7

Pent
Just Me!
Registered: Jan 2003
Posts: 53
Posted: 01-26-2003 03:26 PM

So what is doing the file protection then? I heard that the ROM won't let the kernel run unless it's signed (cute trick). I guess if this is an honorable system in the classical sense I would like, at least out of curiosity, to know how the whole chain works.

BTW did anyone try this file yet?

POST #8

stormsweeper
How *you* doin'?
Registered: Nov 2001
Location: NYC, USA
Posts: 443
Posted: 01-26-2003 04:03 PM

quote:
Originally posted by Pent
So what is doing the file protection then? I heard that the ROM won't let the kernel run unless it's signed (cute trick). I guess if this is an honorable system in the classical sense I would like, at least out of curiosity, to know how the whole chain works.


subuni has posted the full process a couple of times, but the kernel itself runs a check on the filesystem, replacing or deleting files that don't match against a known good list.

POST #9

alansh
Senior Member
Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461
Posted: 01-27-2003 02:07 AM

I did just check the /test.conf thing. It deletes the file and reboots. I also tried some other files that the logs say "not found" for, like /tvbin/Falcon. Same thing -- delete and reboot.

The ROM checks for a signature on the initial ram disk (initrd). The ROM uses TiVo's public key to make sure it was signed by TiVo's private key. If it passes, the initrd is loaded. Next, linuxrc (in the initrd) checks files in the system directories against a list of signatures contained in the initrd. If the signature doesn't match, it tries to restore it. If that fails, it won't boot. It also deletes unauthorized files, and removes "dangerous" items from the environment (like BASH_SHELL). It then passes control to the usual Linux startup.

You can't change any of the regular files because then they won't match their signatures. You can't change the signature list or the program that checks because that would alter the initrd and the ROM's signature check would fail. The only way to change the ROM is to unsolder it and burn a new one that lacks the signature check.

POST #10
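The chain alansh lays out above (ROM verifies a signed initrd; linuxrc then hashes the system files against a list carried in that initrd, restores or refuses to boot on mismatch, and deletes unlisted files) as an added Python model. This is not TiVo's code or anything posted in the thread: the signature is stood in for by an HMAC under a constructed key, the filesystem is an in-memory dict, and every path and file content is constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the key the ROM holds. A real design uses an
# asymmetric signature; an HMAC keeps this model runnable with the stdlib only.
ROM_KEY = b"constructed-verification-key"


def sign_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """Authenticate the whole hash list (stands in for the signed initrd)."""
    body = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def check_and_repair(fs: dict[str, bytes], manifest: dict[str, str], sig: bytes,
                     known_good: dict[str, bytes], key: bytes) -> tuple[bool, list[str]]:
    """Boot-time integrity check in the order the thread describes.

    1. Verify the manifest's signature before trusting any hash in it.
    2. Hash every listed file by content; file metadata plays no part.
    3. Restore a mismatched file from the known-good copy, else refuse to boot.
    4. Delete files that are not on the list.
    Returns (boot_allowed, log_of_actions).
    """
    actions: list[str] = []
    if not hmac.compare_digest(sign_manifest(manifest, key), sig):
        return False, ["manifest signature invalid: refusing to boot"]
    for path, expected in manifest.items():
        if hashlib.sha256(fs.get(path, b"")).hexdigest() == expected:
            continue
        candidate = known_good.get(path)
        if candidate is not None and hashlib.sha256(candidate).hexdigest() == expected:
            fs[path] = candidate
            actions.append(f"restored {path}")
        else:
            return False, actions + [f"cannot restore {path}: refusing to boot"]
    for path in [p for p in fs if p not in manifest]:
        del fs[path]
        actions.append(f"deleted unauthorized {path}")
    return True, actions


def demo() -> tuple[bool, list[str]]:
    """Constructed scenario: one protected file edited, one stray file added."""
    good = {"/etc/rc.sysinit": b"# constructed original startup script\n",
            "/bin/bash": b"constructed bash image"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    sig = sign_manifest(manifest, ROM_KEY)
    fs = {"/etc/rc.sysinit": b"# constructed edited startup script\n",
          "/bin/bash": good["/bin/bash"],
          "/test.conf": b"# constructed stray file\n"}
    return check_and_repair(fs, manifest, sig, good, ROM_KEY)
```

Because the check hashes file contents, an edit that preserves a file's size and timestamps is still caught; the only way past it is to change the list or the checker, which the manifest signature covers.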

bsnelson
TiVo Forum Special Member
Registered: Oct 1999
Location: Allen, TX, USA
Posts: 4810
Posted: 01-27-2003 02:13 AM

quote:
Originally posted by alansh
The only way to change the ROM is to unsolder it and burn a new one that lacks the signature check.
Which is the point I'm sure. Companies realize that preventing hacking is like preventing auto theft/burglary: It is impossible to prevent 100%. The trick is to make it so difficult that the average (and even most of the above average) users will find something else to hack.

Which, of course, means that there WILL be some who will have hacked HDVR2 units at some point!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)

POST #11

Pent
Just Me!
Registered: Jan 2003
Posts: 53
Posted: 01-27-2003 04:30 PM

So then ... the Series 1 Tivo and the Direct Tivo didn't have the ROM check. Series 2 does have the ROM check.

Do you know how they are checking the signature on the initrd? I mean ... I haven't seen a sample of the code before.

Thanks

PS: One could most likely reprogram the ROM from the diagnostic interface ... but then we need to ask if they connected that anywhere.

What a great piece of engineering .... pity they are spending so much time making it difficult to enhance.

POST #12

ElectricLegs
Member
Registered: Apr 2001
Location: Corpus Christi TX
Posts: 120
Posted: 01-27-2003 06:33 PM

After the ROM checks are disabled, can you zero the initrd like the DTivos?

POST #13

snaef
New Member
Registered: Jan 2003
Posts: 10
Posted: 01-27-2003 07:00 PM

Brainstorming is a wonderful thing!

This is getting off topic...but relates to my original reason for posting the message. I want to be able to do things on my TiVo that it does not natively support. I want to be able to control it remotely, have it send me status alerts and all other sorts of wonderful things a networked appliance can do.

I have heard that TiVo is moving away from the hardware aspect of things, and moving into the area of managing the subscription services. When this happens, will we be able to develop our own system that use the TiVo subscription data?

I think this would be the best of both worlds for everybody. Those in the know can run modified PCs and have their own home grown "TiVo", and the general public can use the manufactured set top box. This would eliminate the need for TiVo to support hacked and broken equipment, fight content lawyers etc...

Have any of you heard anything along these lines?

POST #14

snaef
New Member
Registered: Jan 2003
Posts: 10
Posted: 01-27-2003 07:51 PM

Are any of the files used on series1 boxes the same as on series2? If so might it be possible to compare the signed file that is sent to the series2 with the unsigned one sent to the series1 and get a jump start on getting the signature code?

Just a thought...I am definitely not a crypto expert.

POST #15

stormsweeper
How *you* doin'?
Registered: Nov 2001
Location: NYC, USA
Posts: 443
Posted: 01-27-2003 08:51 PM

quote:
Originally posted by ElectricLegs
After the ROM checks are disabled, can you zero the initrd like the DTivos?


You'd need to compile a custom kernel, I believe. The kernel code checks for the initrd to exist, and causes a kernel panic and reboot if it doesn't, or if you do something like pass "noinitrd" as a boot argument.

Last I checked, only the 3.0 kernel source was available, but it's unknown (AFAIK) what changes - if any - are present in the kernel in the 3.2 release.

POST #16

Pent
Just Me!
Registered: Jan 2003
Posts: 53
Posted: 01-27-2003 09:14 PM

Here's an idea ... admittedly a little off base, but what the heck. Tivo left themselves a back door to install new software. Why not use that back door to run arbitrary code? From what I understand, at 2am or whatever it tries to run whatever update scripts it has ... what if one of these scripts flashed the ROM? That would be nice for sure.

Or am I just barking up the wrong tree here?

POST #17

stormsweeper
How *you* doin'?
Registered: Nov 2001
Location: NYC, USA
Posts: 443
Posted: 01-27-2003 10:23 PM

You'd have to get the scripts on the machine. Chicken and egg problem. And it doesn't check at 2am, a flag gets set by a call (test or daily) and the TiVo installs the new OS on the alternate partition, and then schedules a restart at 2am.

Plus most S2 systems don't have flashable PROMs.

POST #18

ahkbarr
New Member
Registered: Oct 2002
Posts: 1
Posted: 01-28-2003 12:11 AM

bypass the FS when modifying sysinit?

I haven't tried yet, but has anyone tried to edit text inside /etc/rc.sysinit via a hex editor on the partition so the file's stat data does not change?

If the stat data of a file stays the same, does the kernel bother to check the hash on the file? I just find it difficult to believe they were so anal as to check the hash regardless.

Initially, I plan to change one of the comment lines or something, then see if the change gets blown away.

Anyone willing to test this?

POST #19

stormsweeper
How *you* doin'?
Registered: Nov 2001
Location: NYC, USA
Posts: 443
Posted: 01-28-2003 12:41 AM

Give it a shot, but I don't see why they wouldn't always check the hash. The TiVo rarely reboots, so it's not a huge concern from a "normal" user standpoint. I know that the boot time is significantly longer on my S2 Sony than it was on my S1 Sony.

POST #20
