Registered: Jan 2003
Location:
Posts: 10

BASH prompt on Series2 running 3.2 software

I have been getting mixed signals from various posts regarding the possibility of getting a BASH prompt on version 3.2 Series2 units. Can any of you definitively answer these questions?


Q: Can the stand alone Series2 running 3.2 software be hacked to get a BASH prompt over the USB/Ethernet bridge?

Q: Can the method used by people using DirectTivos running 3.1 be used on a stand alone 3.2?

Q: If it is not possible, is there any hope that it will be possible in the future?

Please help! It really sucks that they took away this capability. I was really looking forward to using TivoWeb.

POST #1 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461

1. No. The config files are protected by hashes, and the list and hash check program are in the kernel initrd, which is signed and checked by the boot ROM. Any changes and it will either replace the file or not boot at all.
   
2. No. Unlocked software exists for the DTivos (before Tivo updated it), but all the Series2 stand alones always had the protected OS and ROMs.
   
3. Who knows? There was an initial hack (set a BASH_ENV variable that makes bash run a script), but Tivo now checks for that. Changing the boot ROM is difficult, as it's soldered to the system board. If it's flashable (I haven't seen a definate yes or no), you still have to get into the system to run a flash program.
   

POST #2 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 1

I assume from this that there is no way to change the startup files in a S2.

POST #3 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 53

I'm looking at rc.sysinit on a 3.2 60 hour image and I see the folowing:

====

# Read in our testing configuration, if there is one.
[ ! -f /test.conf ] || source /test.conf

# Some tcl scripts expect TIVO_ROOT to be set. It would be cleaner to
# just use the path, but that's not the way it is right now. The
# contents of TIVO_ROOT is prepended to paths, so the empty string is
# just fine.
TIVO_ROOT=
export TIVO_ROOT

if [ "$sysgen" = true ]; then
echo
echo
echo Starting shared library installation environment
echo You may Telnet in. The telnet connection
echo will run bash as the login shell.
echo

configEtherSysinit

echo Starting Telnet Listner ... >& /dev/console
/sbin/tnlited 23 /bin/bash >& /dev/console

echo Starting /proc Listener ... >& /dev/console
mount -n /proc /proc -t proc >& /dev/console
procd >& /dev/console

exit
fi

=====

Doesn't that seem to indicate if /test.conf exists you can start the telnet server or am I missing something completely?

POST #4 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461

I'm not certain, but I think the startup also deletes "unknown" files from the system directories.

Although test.conf is in rc.sysinit, they may delete it when booting the normal release kernel.

POST #5 | Report this post to a moderator | IP: Logged

Registered: Nov 2001
Location: NYC, USA
Posts: 443

The file protection happens long before rc.sysinit is ever run.

POST #6 | Report this post to a moderator | IP: Logged

Registered: Jan 2000
Location: Denver, CO
Posts: 1290

There is a fix in the works (ROM Update), but it looks like soldering will be involved. TiVo lawyers could easily shut this down under DMCA.

The keys for the signatures could be brute forced, but it would take a astromonical amount of time to crack.

Maybe more holes can be found in the software, but those presumably will be fixed in the next rev.

POST #7 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 53

So what is doing the file protection then? I heard that the ROM won't let the kernel run unless its signed (cute trick). I guess if this is an honorable system in the classical sense I would like at least out of curiosity to know how the whole chain works.

BTW did anyone try this file yet?

POST #8 | Report this post to a moderator | IP: Logged

Registered: Nov 2001
Location: NYC, USA
Posts: 443

quote:

---

Originally posted by Pent
So what is doing the file protection then? I heard that the ROM won't let the kernel run unless its signed (cute trick). I guess if this is an honorable system in the classical sense I would like at least out of curiosity to know how the whole chain works.

---

POST #9 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location: Phoenix, AZ
Posts: 461

I did just check the /test.conf thing. It deletes the file and reboots. I also tried some other files that the logs say "not found" for, like /tvbin/Falcon. Same thing -- delete and reboot.

The ROM checks for a signature on the inital ram disk (initrd). The ROM uses TiVo's public signature to make sure it was signed by TiVo's private signature. If it passes, the initrd is loaded. Next, linuxrc (in the initrd) checks files in the system directories against a list of signatures contained in the initrd. If the signature doesn't match, it tries to restore it. If that fails, it won't boot. It also deletes unauthorized files, and removes "dangerous" items from the environment (like BASH_SHELL). It then passes control to the usual Linux startup.

You can't change any of the regular files because then they won't match their signatures. You can't change the signature list or the program that checks because that would alter the initrd and the ROM's signature check would fail. The only way to change the ROM is to unsolder it and burn a new one that lacks the signature check.

POST #10 | Report this post to a moderator | IP: Logged

Registered: Oct 1999
Location: Allen, TX, USA
Posts: 4810

quote:

---

Originally posted by alansh
The only way to change the ROM is to unsolder it and burn a new one that lacks the signature check.

---

Which is the point I'm sure. Companies realize that preventing hacking is like preventing auto theft/burglary: It is impossible to prevent 100%. The trick is to make it so difficult that the average (and even most of the above average) users will find something else to hack.

Which, of course, means that there WILL be some who will have hacked HDVR2 units at some point!

Brad

__________________
(3) Philips DSR6000R (188, 146 and 106 hours, in hibernation),
(2) Hughes HDVR2 (221 and 35 hours),
(1) Philips DSR7000/17 (144 hours),
(1) Samsung SIR4040R (35 hours)

POST #11 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 53

So then ... the Series 1 Tivo and the Direct Tivo didn't have the ROM check. Series 2 does have the ROM check.

Do you know how they are checking the signature on the initrd? I mean ... I haven't seen a sample of the code before.

Thanks

PS: One could most likely reprogram the ROM from the diagnostic interface ... but then we need to ask if they connected that anywhere.

What a great piece of engineering .... pitty they are spending so much time making it difficult to enhance.

POST #12 | Report this post to a moderator | IP: Logged

Registered: Apr 2001
Location: Corpus Christi TX
Posts: 120

After the rom checks are disabled can you 0 the initrd like the DTivo's?

POST #13 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 10

Brainstorming is a wonderful thing!

This is getting off topic...but relates to my original reason for posting the message. I want to be able to do things on my TiVo that it does not natively support. I want to be able to control it remotely, have it send me status alerts and all other sorts of wonderful things a networked appliance can do.

I have heard that TiVo is moving away from the hardware aspect of things, and moving into the area of managing the subscription services. When this happens, will we be able to develop our own system that use the TiVo subscription data?

I think this would be the best of both worlds for everybody. Those in the know can run modified PC's and have there own home grown "TiVo" and the general public can use the manufactured set top box. This would eliminate the need for TiVo to support hacked and broken equipment, fight content lawyers etc...

Have any of you heard anything along these lines?

POST #14 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 10

Are any of the files used on series1 boxes the same as on series2? If so might it be possible to compare the signed file that is sent to the series2 with the unsigned one sent to the series1 and get a jump start on getting the signature code?

Just a thought...I am definitely not a crypto expert.

POST #15 | Report this post to a moderator | IP: Logged

Registered: Nov 2001
Location: NYC, USA
Posts: 443

quote:

---

Originally posted by ElectricLegs
After the rom checks are disabled can you 0 the initrd like the DTivo's?

---

POST #16 | Report this post to a moderator | IP: Logged

Registered: Jan 2003
Location:
Posts: 53

Here's an idea ... admittedly a little off base but what the heck. Tivo left themselves a back door to install new software. Why not use that back door to run arbitrary code. From what I understand at 2am or whatever it tries to run whatever update scripts it has ... what if one of these scripts flashed the ROM That would be nice for sure.

Or am I just barking up the wrong tree here.

POST #17 | Report this post to a moderator | IP: Logged

Registered: Nov 2001
Location: NYC, USA
Posts: 443

You'd have to get the scripts on the machine. Chicken and egg problem. And it doesn't check at 2am, a flag gets set by a call (test or daily) and the TiVo installs the new OS on the alternate partition, and then schedules a restart at 2am.

Plus most S2 systems don't have flashable PROMs.

POST #18 | Report this post to a moderator | IP: Logged

Registered: Oct 2002
Location:
Posts: 1

I haven't tried yet, but has anyone tried to edit text inside /etc/rc.sysinit via a hex editor on the partition so the file's stat data does not change?

If the stat data of a file stays the same, does the kernel bother to check the hash on the file? I just find it difficult to believe they were so anal as to check the hash regardless.

Initially, I plan to change the one of the comment lines or something, then see if the change gets blown away.

Anyone willing to test this?

POST #19 | Report this post to a moderator | IP: Logged

Registered: Nov 2001
Location: NYC, USA
Posts: 443

Give it a shot, but I don't see why they wouldn't always check the hash. The TiVo rarely reboots, so it's not a huge concern from a "normal" user standpoint. I know that the boot time is significantly longer on my S2 Sony than it was on my S1 Sony.

POST #20 | Report this post to a moderator | IP: Logged