Modify TiVoApp to disable encryption and add other features

From DVRpedia

Revision as of 20:10, 20 December 2008 by 24.16.73.197 (Talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Overview

TiVoApp is one of the main programs that runs on every TiVo. This application can be modified to enable features that are disabled by default. The exact features that can be enabled vary depending on the version of TiVo and TiVo software you have. Here is a list of some of the features that may be enabled.

  1. Disable Commercial Skip Offset (encryption) for recorded shows
  2. Enable permanent 30 second skip
  3. Sort the Now Playing List in a specific order by default
  4. Enable Backdoors
  5. Enable Multi-Room Viewing (MRV)

Patching Method 1: How to Apply Patches directly on the TiVo

The advantage of using this method (versus FTPing tivoapp to your PC and performing a hex edit) is that it is quick and easy. The disadvantage is that there is no verification or checks with this process. The modification to tivoapp occurs regardless of which version you are actually running. With hex patching on your PC, you actually verify the original value before replacing with the new value; patching directly does not check what is being overwritten. An incorrect patch will lead to a non-functional TiVo and you may have to pull the drive and revert to the unpatched tivoapp to get it back up an running.

  • First, you'll need to backup you tivoapp. Then you'll need to copy/move the original; this is a workaround for the issue of being unable to patch tivoapp while it is running. After you've copied tivoapp to a new file name and then moved that one back to the original, you are ready to apply the patch specific to your version of software, which is listed below.

Make sure your root partition is writable:

mount -o remount,rw /

Make a backup copy of /tvbin/tivoapp:

cp /tvbin/tivoapp /tvbin/tivoapp.orig

Move and then copy tivoapp back to the original location so it can be patched. Use one of the following options to do this (either the 1-line or the multi-line option, both give the same result.)

1-line version:

mv -i /tvbin/tivoapp /tvbin/tivoapp.orig && cp -pi /tvbin/tivoapp.orig /tvbin/tivoapp

or you can use the Multi-line version:

cd /tvbin
mv tivoapp tivoapp.tmp
cp tivoapp.tmp tivoapp
chmod 755 tivoapp
rm tivoapp.tmp

Your are now ready to apply patch(es) to your tivoapp.

Warning: If you apply the wrong patch to your version of software, it will not result in the intended result and it will cause major problems down the road and may result in your TiVo being totally non-functional. Be sure your make a backup of your original, virgin tivoapp and be sure you apply only the correct patches for your version of software.

Patching Option 2: How to patch tivoapp on your PC using a hex editor

Patching tivoapp on your PC is the most reliable method because you verify the original value before replacing it with a new value.

  • Download and install a HEX editor on your PC, such as UltraEdit http://www.ultraedit.com
  • Telnet into your TiVo mount the root partition as Read Write
mount -o remount,rw /
  • Ftp into your TiVo copy tivoapp over to your PC. Its located at /tvbin/tivoapp
  • Make a backup of the original version on your PC
  • Open tivoapp on your PC using UltraEdit, find the offset, find the original value, and replace it with the new hex value
  • The left column of the screen in a hex editor is the offset (address). In the middle section, each pair of hex characters (for example, E0) is a byte. Each row has 16 bytes, or 32 hex characters. The offset for the first byte in the row is the number in the left column that ends in 0. To get the offset for other bytes in the row, count upward in hexadecimal (0-F).
  • Save the file
  • FTP it back to the TiVo
  • Reboot the TiVo

How to Convert between Patching Methods

Patches can be applied using a HEX editor on your PC or using the echo -ne command on TiVo. The same patch is applied either way, you just need to apply the patch in the appropriate format. If you are applying the patch using one method, but only have to patching info for the other, you can convert the patch data to the appropriate format.

To make a echo -ne command line equivalent patch of one given in HEX format, follow this procedure:

  • Original HEX format values:
Offset    Original New
--------- -------- --------
00422c60h 7f64db78 38800001
  • New command line echo -ne equivalent:
echo -ne "\xHH\xHH\xHH\xHH" | dd conv=notrunc of=tivoapp bs=1 seek=<dec offset>
  • Where the 8 H's are the hex data of the new value in its given order, and the <dec offset> is the first 8 characters of the patch offset converted from hexadecimal to decimal.
  • If you don't know how to convert from hex to dec, you can use this page: http://www.parkenet.com/apl/HexDecConverter.html
  • So, for the above example, the echo -ne equivalent would be
 echo -ne "\x38\x80\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=4336736

If you are given a VMA offset, this is not the same as the offset required to identify the position of the code in a hex editor. VMA = virtual memory address, which is where the code is loaded into memory at execution time. This is how you find the code in a disassembly. On Linux MIPS/ELF, file offset 0 generally corresponds to VMA 0x400000. file offset = the absolute position in the file where you can find the code (this is what you look for in the hex editor). When you invoke dd with bs=1, the seek= parameter specifies the file offset in decimal. Many/most hex editors will want you to specify file offsets in hex.

Version 3.1.0 for Series 1

Disable encryption:

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678216

Version 3.1.0 for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6484124

Version 3.1.0b for Series 1

Disable encryption:

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678456

Version 3.1.0c for Series 1

Disable encryption:

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678664

Version 3.1.0c2 for Series 1

Disable encryption:

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=4678532

Version 3.1.1b for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6493084

Version 3.1.5f for Series 2

Disable Encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=11173004

(I looked at this offset in my HD Tivo HR10-250, 3.1.5f, and it was NOT the right seek (e.g. offset). One below this seems CORRECT)

Version 3.1.5f for Series 2

Disable Encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6984684

Version 3.5 for Series 1

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp.tmp bs=1 seek=5108848

Version 3.5b for Series 1

Disable Encryption:

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5119668


Version 3.5c/3.5d for Series 1

Patching on the TiVo from the command line via telnet: unscramble

echo -ne "\x48\x00\x00\x38" | dd conv=notrunc of=tivoapp bs=1 seek=5120680

30 sec skip

echo -ne "\x40\x86\x00\x40" | dd conv=notrunc of=tivoapp bs=1 seek=4641828

backdoors

echo -ne "\x38\x80\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=4336744

Patching TiVo app on a PC using UltraEdit

Change          Offset (not vma) Original Value   New Value
---------       ---------------- --------------   ----------
Scramble        004e22a8h        41860038         48000038
30 sec skip     0046d424h        41860040         40860040
Backdoors       00422c68h        7f64db78         38800001

Version 4.0 for Series 2

Disable encryption:

echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8593192

Version 4.0.1 for Series 2

Disable encryption:

echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8618248

Version 4.0.1b for Series 2

Disable encryption:

echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=8618248

Version 5.1.1b for Series 2

Disable Encryption:

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10001408

Version 5.2 for Series 2

Disable Encryption:

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=11437232

Version 5.3 for Series 2

Disable Encryption:

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10028224

Version 6.2 for Series 2

Disable Encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10705308

Enable Networking

echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1815124

Version 6.2a for Series 2

Enable Networking

echo -ne "\x24\x02\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1815364

Disable Encryption

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=10713996

Version 6.3 for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602412

Enable Backdoors:

echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804900

Version 6.3a/6.3b/6.3c/6.3d for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602412

30sec skip:

echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6713220

Enable Backdoors:

echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804900

HMO/HME:

echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903436
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118524
echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5724672

Note: This script should only be ran on software version 6.3a, 6.3b, 6.3c and 6.3d.

Here is a patch to remove the "TiVo Plus features (trial ends today)" footer from DirecTV Central. Lightly tested, so buyer beware. Note that you only need this patch in two situations: 1. your girlfriend, roommate, dog, hamster, etc. yammers on nightly about the "trial ending today." 2. you want your tivo to be the prettiest one in the whole world.

Note: this is not what you type into the telnet window. The below is the hex and offset location. Someone please update this and add the corresponding "echo -ne . . ." command.

Offset (VMA)     Original Value    New Value
0x004e00d0       0c144441          24020000

Version 6.3e for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1601872

30sec skip:

echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6717416

Backdoors

echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804964

HMO/HME

echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903776
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118188
echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5704588

removes *TiVo Plus features (trial ends today)

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=918052

Note: This script should only be ran on software version 6.3e.

Version 6.3f for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1602336

30sec skip:

echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6707932

Backdoors

echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2804772

HMO/HME

echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=903776
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1118652 
echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5705052

removes *TiVo Plus features (trial ends today)

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=918052

Note: This script should only be ran on software version 6.3f.

Version 6.4a for Series 2

Disable encryption:

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=1598904

30sec skip:

echo -ne "\x10\x40\x00\x2b" | dd conv=notrunc of=tivoapp bs=1 seek=6883312

Backdoors

echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=2806144

HMO/HME

echo -ne "\x34\x11\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=906328
echo -ne "\x24\x10\x00\x01" | dd conv=notrunc of=tivoapp bs=1 seek=1119964 
echo -ne "\x10\x00\x00\x14" | dd conv=notrunc of=tivoapp bs=1 seek=5874104

removes *TiVo Plus features (trial ends today)

echo -ne "\x24\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=920520

Note: This script should only be run on software version 6.4a.

Version 7.1b for Series 2

echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=2691728





Final Steps

Remount root as readonly:

sync
mount -o remount,ro /

Reboot your tivo

reboot

If you use MFS_FTP

If you use MFS_FTP, clear out your XML cache, e.g. (assuming mfs_ftp is in /var/mfs_ftp)

mfs_ftp=`find / -name mfs_ftp`
rm `find $mfs_ftp/cache/ -name *.xml`

How to check the Patches are correctly applied

First, check to make sure that the checksum is the same for both the original tivoapp (the backup) and the patched version:

sum tivoapp.original tivoapp

You should see something like the following. Note that the second set of numbers should match for both tivoapps.

07982 7005 tivoapp.origianl
60425 7005 tivoapp

Check that encryption is disabled

If you have a Series 2, download, install, and run ciphercheck.tcl from Dealdatabase.com S2-All-In-One-Utilities thread and it will tell you if recordings are encrypted or not.