TiVo Hacks: 100 Industrial-Strength Tips & Tools (2003)
Hack 8 Opening the Backdoor
Open TiVo to backdoor hacks to reveal some configuration settings and features that the "untouched" TiVo does not normally allow access to.
Backdoors are the fun remote codes, the ones that require a little more knowledge to get into. You're not going to stumble upon these by accident; you have to know what you're looking for.
To use any of the backdoor remote control codes, we first have to ask TiVo to enable the as-yet-inactive backdoors code.
The one complication in enabling this mode is that it fully depends on the version of the TiVo OS your TiVo is running. To find out the version of your TiVo OS, go to the Messages & Setup menu and select System Information. You'll see a listing for "Software Version" that looks something like 3.0-01-1-010; that's what you're looking for! In this case, TiVo is running OS Version 3.0; the first two digits are the significant bits you're looking for.
Opening the Backdoor on TiVo OS 3.0 or Earlier
If your TiVo OS version is 3.0 or earlier, then armed with that version number and the listings in Table 1-2, head to the Browse By Name or Search by Title screen (the one that provides you with an alphanumeric list by which to enter letters and numbers). Using the arrows and Select button on your TiVo remote control, enter the appropriate backdoor code in the same way you'd usually enter the name of a show you're looking for.
Table 1-2. Backdoor codes for TiVos running OS 1.3 through OS 3.0
TiVo operating system version | Backdoor code |
---|---|
OS 1.3 in the U.S. and 1.50 or 1.51 in the U.K. | 0V1T |
OS 1.5.2 in the U.K. | 10J0M |
OS 2.0 | 2 TCD |
OS 2.5 in the U.S. and 2.5.5 in the U.K. | B D 2 5 |
OS 2.5.2 for DirectTiVo | B M U S 1 |
OS 3.0 | 3 0 BC |
Follow this by pressing the
The only way to disable backdoors (currently) is to reboot your TiVo.
If your TiVo is running a version of the operating system newer than 3.0, then I'm afraid you'll have to do a lot more work to open that backdoor.
Opening the Backdoor on TiVo OS 3.1 or Later
More recent versions of the TiVo operating system have started making it a little more difficult to enable backdoor mode. The previous keys were discovered by poking around TiVo's filesystem and seeking out the backdoor code itself, usually simply noted somewhere. Unfortunately, the more recent versions do not store the backdoor code "in the clear"; instead, they store a one-way, irreversible hash (read: scrambled) of the backdoor code. When you enter a potential code via Browse By Name or Search by Title as we did above, TiVo applies a special function to what you have entered and tests to see if the two hashes match up. The problem is, since the hash function is one-way, simply knowing the hash of the backdoor code tells us nothing about what it is in the clear.
But it does tell us that if we know what kind of hash function the backdoor code uses (in the case of the TiVo, it uses the SHA-1 hash), then we can replace the existing hash with a new hash derived from text we do know. How about the hash of an empty string? Thankfully, Steve White has authored a utility, backdoorpw (http://prdownloads.sourceforge.net/tivoutils/backdoorpw.gz?download), that does just that.
Applying this hack is a little more complicated than the other hacks in this chapter and is going to require a few workarounds from Chapter 2. Download White's backdoor program, copy it onto a floppy disk, boot your PC using Kazymyr's bootdisk [Hack #26] with TiVo's hard drive connected [Hack #22], and then mount the floppy disk:
    # mkdir /mnt/floppy
    # mount /dev/fd0 /mnt/floppy
Decompress the file:
    # cd /mnt/floppy
    # gzip -d backdoor.gz
Then run the backdoor application on your TiVo's hard drive. Assuming that your TiVo's drive is mounted as the secondary master, use the following code:
    # ./backdoor /dev/hdc
Don't worry about any damage occurring to your drive at this step. The code has a paranoia flag that, when set (which it is right now), prevents changes from being written to the drive.
Running the program should provide output very similar, but not identical, to the following:
    Good! This is a TiVo drive
    Opening MFS Application Region partition: /dev/hdc10...
    searching offset 0x0fffd800
    I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
    Opening MFS Application Region partition: /dev/hdc12...
    searching offset 0x0e3fdc60
    Found 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4 at 0x0e41a29c
    searching offset 0x0f0fda58
    Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f1eb342
    Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f27a2f4
    searching offset 0x0fffd850
    Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
    Patch #1 at offset 0x0e41a29c
    data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
    data at 0x0e41a29c would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    Patch #2 at offset 0x0f1eb342
    data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    data at 0x0f1eb342 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    Patch #3 at offset 0x0f27a2f4
    data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    data at 0x0f27a2f4 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    If everything appeared okay, please rerun the program with the following args:
    ./backdoor /dev/hdc y
The backdoor program will detect two or three hashes. In the previous output, these are the hashes:
    data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
    ...
    data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    ...
    data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
The number of hashes varies from TiVo to TiVo, but you shouldn't have more than three, unless your box has gone through a great deal of upgrades recently. It doesn't really matter, just so long as the backdoor program detects at least two hashes. Also, the offsets (e.g., 0x0e41a29c) will certainly be different, so there's no need to worry about that either.
What you should pay attention to is the format of the value inside the single quotes (e.g., 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4). Make sure this value looks like the SHA hash: all uppercase, consisting of the numerals 0 through 9 and letters A through F. If the value inside the single quotes contains anything else, do not proceed any further, as you will most likely corrupt your TiVo's filesystem.
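The format check above, together with the hash substitution described earlier, can be scripted. This is an added example, not part of backdoorpw or the original text: it parses the dry-run patch lines, applies the 40-character uppercase-hex test, and confirms that the replacement value is the SHA-1 of an empty string, which in the output above appears with each 32-bit word byte-reversed. The function names and the regular expressions are this example's own.

```python
import hashlib
import re
import struct

# Sample input: patch lines taken from the dry-run output quoted above.
SAMPLE = """\
Patch #1 at offset 0x0e41a29c
data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
data at 0x0e41a29c would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
Patch #2 at offset 0x0f1eb342
data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
data at 0x0f1eb342 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
"""

SHA1_HEX = re.compile(r"[0-9A-F]{40}")
DATA_LINE = re.compile(
    r"data at (0x[0-9a-f]+) (is currently|would be changed to) '([^']*)'")


def word_swapped_sha1(data: bytes) -> str:
    """SHA-1 of data with each 32-bit word byte-reversed, as uppercase hex."""
    words = struct.unpack(">5I", hashlib.sha1(data).digest())
    return struct.pack("<5I", *words).hex().upper()


def review_dry_run(text: str):
    """Return (patches, problems); an empty problems list means the output
    passes the checks the text asks for before rerunning with 'y'."""
    patches, problems = {}, []
    for offset, kind, value in DATA_LINE.findall(text):
        if not SHA1_HEX.fullmatch(value):
            problems.append(f"{offset}: {value!r} is not 40 uppercase hex digits")
        key = "current" if kind == "is currently" else "new"
        patches.setdefault(offset, {})[key] = value
    expected = word_swapped_sha1(b"")  # hash of the empty string
    for offset, patch in patches.items():
        if patch.get("new") != expected:
            problems.append(f"{offset}: replacement is not the empty-string hash")
    if len(patches) < 2:
        problems.append("fewer than two backdoor hashes reported")
    return patches, problems


if __name__ == "__main__":
    patches, problems = review_dry_run(SAMPLE)
    for offset, patch in patches.items():
        print(offset, patch.get("current"), "->", patch.get("new"))
    print("problems:", problems or "none")
```

Any entry in the problems list is a reason to stop before the write pass.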
Provided everything looks good, rerun the program, telling it to actually write the hash of an empty string to the hash locations, like so:
    # ./backdoor /dev/hdc y
The additional y flag will turn off the paranoia checks, this time writing changed hashes to the drive. Output should look something like this:
    Good! This is a TiVo drive
    Opening MFS Application Region partition: /dev/hdc10...
    searching offset 0x0fffd800
    I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
    Opening MFS Application Region partition: /dev/hdc12...
    searching offset 0x0fffd878
    Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
    Patch #1 at offset 0x0e41a29c
    Patch #2 at offset 0x0f1eb342
    Patch #3 at offset 0x0f27a2f4
    Success! You may now put the drive back in your TiVo.
    To enable backdoor mode, go into 'Search by Title' and press thumbsup.
The backdoor hash has been changed to the hash of an empty string. Put the drive back into your TiVo [Hack #27], revisit the Search by Title screen and simply press the