Modify TiVoApp to disable encryption and add other features
From DVRpedia
Overview
TiVoApp is one of the main programs that runs on every TiVo. This application can be modified to enable features that are disabled by default. The exact features that can be enabled vary depending on the version of TiVo and TiVo software you have. Here is a list of some of the features that may be enabled.
- Disable Commercial Skip Offset (encryption) for recorded shows
- Enable permanent 30 second skip
- Sort the Now Playing List in a specific order by default
- Enable Backdoors
- Enable Multi-Room Viewing (MRV)
Patching Method 1: How to Apply Patches directly on the TiVo
The advantage of using this method (versus FTPing tivoapp to your PC and performing a hex edit) is that it is quick and easy. The disadvantage is that there is no verification or checks with this process. The modification to tivoapp occurs regardless of which version you are actually running. With hex patching on your PC, you actually verify the original value before replacing with the new value; patching directly does not check what is being overwritten. An incorrect patch will lead to a non-functional TiVo and you may have to pull the drive and revert to the unpatched tivoapp to get it back up an running.
- First, you'll need to backup you tivoapp. Then you'll need to copy/move the original; this is a workaround for the issue of being unable to patch tivoapp while it is running. After you've copied tivoapp to a new file name and then moved that one back to the original, you are ready to apply the patch specific to your version of software, which is listed below.
Make sure your root partition is writable:
mount -o remount,rw /
Make a backup copy of /tvbin/tivoapp:
cp /tvbin/tivoapp /tvbin/tivoapp.orig
Move and then copy tivoapp back to the original location so it can be patched. Use one of the following options to do this (either the 1-line or the multi-line option, both give the same result.)
1-line version:
mv -i /tvbin/tivoapp /tvbin/tivoapp.orig && cp -pi /tvbin/tivoapp.orig /tvbin/tivoapp
or you can use the Multi-line version:
cd /tvbin mv tivoapp tivoapp.tmp cp tivoapp.tmp tivoapp chmod 755 tivoapp rm tivoapp.tmp
Your are now ready to apply patch(es) to your tivoapp.
Warning: If you apply the wrong patch to your version of software, it will not result in the intended result and it will cause major problems down the road and may result in your TiVo being totally non-functional. Be sure your make a backup of your original, virgin tivoapp and be sure you apply only the correct patches for your version of software.
Patching Option 2: How to patch tivoapp on your PC using a hex editor
Patching tivoapp on your PC is the most reliable method because you verify the original value before replacing it with a new value.
- Download and install a HEX editor on your PC, such as UltraEdit http://www.ultraedit.com
- Telnet into your TiVo mount the root partition as Read Write
mount -o remount,rw /
- Ftp into your TiVo copy tivoapp over to your PC. Its located at /tvbin/tivoapp
- Make a backup of the original version on your PC
- Open tivoapp on your PC using UltraEdit, find the offset, find the original value, and replace it with the new hex value
- The left column of the screen in a hex editor is the offset (address). In the middle section, each pair of hex characters (for example, E0) is a byte. Each row has 16 bytes, or 32 hex characters. The offset for the first byte in the row is the number in the left column that ends in 0. To get the offset for other bytes in the row, count upward in hexadecimal (0-F).
- Save the file
- FTP it back to the TiVo
- Reboot the TiVo
How to Convert between Patching Methods
Patches can be applied using a HEX editor on your PC or using the echo -ne command on TiVo. The same patch is applied either way, you just need to apply the patch in the appropriate format. If you are applying the patch using one method, but only have to patching info for the other, you can convert the patch data to the appropriate format.
To make a echo -ne command line equivalent patch of one given in HEX format, follow this procedure:
- Original HEX format values:
Offset Original New --------- -------- -------- 00422c60h 7f64db78 38800001
- New command line echo -ne equivalent:
echo -ne "\xHH\xHH\xHH\xHH" | dd conv=notrunc of=tivoapp bs=1 seek=<dec offset>
- Where the 8 H's are the hex data of the new value in its given order, and the <dec offset> is the first 8 characters of the patch offset converted from hexadecimal to decimal.
- If you don't know how to convert from hex to dec, you can use this page: http://www.parkenet.com/apl/HexDecConverter.html
- So, for the above example, the echo -ne equivalent would be
echo -ne "\x38\x80\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=4336736
If you are given a VMA offset, this is not the same as the offset required to identify the position of the code in a hex editor. VMA = virtual memory address, which is where the code is loaded into memory at execution time. This is how you find the code in a disassembly. On Linux MIPS/ELF, file offset 0 generally corresponds to VMA 0x400000. file offset = the absolute position in the file where you can find the code (this is what you look for in the hex editor). When you invoke dd with bs=1, the seek= parameter specifies the file offset in decimal. Many/most hex editors will want you to specify file offsets in hex.
Version 3.1.0 for Series 1
Disable encryption:
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678216
Version 3.1.0 for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6484124
Version 3.1.0b for Series 1
Disable encryption:
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678456
Version 3.1.0c for Series 1
Disable encryption:
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678664
Version 3.1.0c2 for Series 1
Disable encryption:
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678532
Version 3.1.1b for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6493084
Version 3.1.5f for Series 2
Disable Encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=11173004
(I looked at this offset in my HD Tivo HR10-250, 3.1.5f, and it was NOT the right seek (e.g. offset). One below this seems CORRECT)
Version 3.1.5f for Series 2
Disable Encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6984684
Version 3.5 for Series 1
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp.tmp bs=1 seek=5108848
Version 3.5b for Series 1
Disable Encryption:
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5119668
Version 3.5c/3.5d for Series 1
Patching on the TiVo from the command line via telnet: unscramble
echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5120680
30 sec skip
echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=4641828
backdoors
echo -ne "\x38\x80\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=4336744
Patching TiVo app on a PC using UltraEdit
Change Offset (not vma) Original Value New Value --------- ---------------- -------------- ---------- Scramble 004e22a8h 41860038 48000038 30 sec skip 0046d424h 41860040 40860040 Backdoors 00422c68h 7f64db78 38800001
Version 4.0 for Series 2
Disable encryption:
echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8593192
Version 4.0.1 for Series 2
Disable encryption:
echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8618248
Version 4.0.1b for Series 2
Disable encryption:
echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8618248
Version 5.1.1b for Series 2
Disable Encryption:
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10001408
Version 5.2 for Series 2
Disable Encryption:
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=11437232
Version 5.3 for Series 2
Disable Encryption:
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10028224
Version 6.2 for Series 2
Disable Encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10705308
Enable Networking
echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1815124
Version 6.2a for Series 2
Enable Networking
echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1815364
Disable Encryption
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10713996
Version 6.3 for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602412
Enable Backdoors:
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804900
Version 6.3a/6.3b/6.3c/6.3d for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602412
30sec skip:
echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6713220
Enable Backdoors:
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804900
HMO/HME:
echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903436 echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118524 echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5724672
Note: This script should only be ran on software version 6.3a, 6.3b, 6.3c and 6.3d.
Here is a patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central. Lightly tested, so buyer beware. Note that you only need this patch in two situations: 1. your girlfriend, roommate, dog, hamster, etc. yammers on nightly about the "trial ending today." 2. you want your tivo to be the prettiest one in the whole world.
Note: this is not what you type into the telnet window. The below is the hex and offset location. Someone please update this and add the corresponding "echo -ne . . ." command.
Offset (VMA) Original Value New Value 0x004e00d0 0c144441 24020000
Version 6.3e for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1601872
30sec skip:
echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6717416
Backdoors
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804964
HMO/HME
echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903776 echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118188 echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5704588
removes *TiVo Plus features (trial ends today)
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=918052
Note: This script should only be ran on software version 6.3e.
Version 6.3f for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602336
30sec skip:
echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6707932
Backdoors
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804772
HMO/HME
echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903776 echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118652 echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5705052
removes *TiVo Plus features (trial ends today)
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=918052
Note: This script should only be ran on software version 6.3f.
Version 6.4a for Series 2
Disable encryption:
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1598904
30sec skip:
echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6883312
Backdoors
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2806144
HMO/HME
echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=906328 echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1119964 echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5874104
removes *TiVo Plus features (trial ends today)
echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=920520
Note: This script should only be run on software version 6.4a.
Version 7.1b for Series 2
echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2691728
Final Steps
Remount root as readonly:
sync mount -o remount,ro /
Reboot your tivo
reboot
If you use MFS_FTP
If you use MFS_FTP, clear out your XML cache, e.g. (assuming mfs_ftp is in /var/mfs_ftp)
mfs_ftp=`find / -name mfs_ftp` rm `find $mfs_ftp/cache/ -name *.xml`
How to check the Patches are correctly applied
First, check to make sure that the checksum is the same for both the original tivoapp (the backup) and the patched version:
sum tivoapp.original tivoapp
You should see something like the following. Note that the second set of numbers should match for both tivoapps.
07982 7005 tivoapp.origianl 60425 7005 tivoapp
Check that encryption is disabled
If you have a Series 2, download, install, and run ciphercheck.tcl from Dealdatabase.com S2-All-In-One-Utilities thread and it will tell you if recordings are encrypted or not.
