DSmooth's (a.k.a. ][ronMan's) HDTivo (HR10-250) Hacking Guide v1.10

After much exploring, searching, etc. I was not able to find a single document that would easily walk you step-by-step through the process of going from unhacked to hacked. This is my attempt at such a document. This guide assumes you have already acquired a Linksys USB200M USB2.0 network adapter.

1 Files you'll need and where to locate them

First off you'll need the LBA48 MFS Tools CD from PTV Upgrade. You can find this here:
http://www.ptvupgrade.com/downloads/ptv-mfstools2-large-disk.iso

Next, you'll want to put the following on a floppy:

tivoftp.mips - from http://prdownloads.sourceforge.net/tivoutils/tivoftpd.mips.gz?download
killhdinitrd - from http://www.dealdatabase.com/forum/attachment.php?attachmentid=3574

In addition to those files, you'll want the following archives ready to be ftp'd to HR10-250 after the initial hacking is done:

Series 2 devbin archive - http://prdownloads.sourceforge.net/tivoutils/devbin-s2.tgz?download
Series 2 netbin archive - http://prdownloads.sourceforge.net/tivoutils/netbin-s2.tgz?download
Series 2 ps executable - http://prdownloads.sourceforge.net/tivoutils/ps-s2.gz?download

Then, for convenience, you'll want:

TivoWeb Plus - http://tivo.fp2000.org/twp/tivowebplus-1.0-final.zip
OTA HD patched TivoWeb files - http://www.imbetterthanyou.com/hr10-250/twebplus-patched.tar

For extraction, you'll want:

mfs_ftp - http://www.dealdatabase.com/forum/attachment.php?attachmentid=2339
series 2 binaries for mfs_ftp - http://www.dealdatabase.com/forum/attachment.php?attachmentid=2900
ciphercheck.tcl - http://www.dealdatabase.com/forum/attachment.php?attachmentid=3146
csoscout.tcl - http://www.dealdatabase.com/forum/attachment.php?attachmentid=3379
Tytool - http://www.dealdatabase.com/forum/attachment.php?attachmentid=3614
Cygwin library for Tytool - http://www.dealdatabase.com/forum/attachment.php?attachmentid=3493
Series 2 tserver - http://www.dealdatabase.com/forum/attachment.php?attachmentid=1905

2 Connecting the drive to your PC

The easiest way to do this without us having to change any jumpers is to attach the drive to the secondary master ide controller on the PC. Primary master and slave can be your normal drive(s), secondary master should be the HR10-250 hard drive, and the secondary slave should be your CD-ROM (or DVD-ROM drive). If we all use this same setup, it makes the step-by-step directions in this guide accurate to the letter.

3 Boot off the LBA48 MFS Tools CD we burned in step 1

'Nuff said. Now our HR10-250 drive is hdc in linux.

4 Backing up

In case of problems down the road, it's always a good idea to back up your drive and restore it onto a new drive. You can then safely do all of your hacking on the backup copy while putting away the original drive in a safe place. I'm not going into details here, but feel free to follow this thread to perform your backup, then come back for the remaining directions.

http://www.tivocommunity.com/tivo-vb/showthread.php?postid=2046838#post2046838

5 Killing initrd

Mount the floppy that we copied tivoftpd.mips and killhdinitrd onto:

mount /dev/fd0 /floppy

Run killhdinitrd from the floppy. All of the new HR10-250's use partition 6 as the active kernel partition.

/floppy/killhdinitrd /dev/hdc6

Mount the HR10-250's var partition to copy over the ftpd:

         mkdir /mnt/var
         mount /dev/hdc9 /mnt/var
         mkdir /mnt/var/hack
         cp /floppy/tivoftpd.mips /mnt/var/hack
         chmod 755 /mnt/var/hack/tivoftpd.mips
         mkdir /mnt/var/hack/bin
         mkdir /mnt/var/hack/lib
         mkdir /mnt/var/hack/root

Now unmount the floppy and the var partition and shutdown the pc:

         umount /mnt/floppy
         umount /mnt/var
         halt

          Wait for all the halting text to finish before shutting the PC off and disconnecting the drive.

6 Verify drive boots correctly in HR10-250

Place the drive back in the HR10-250 and allow it to boot completely (until there is some show playing on your TV), then you can shut down the HR10-250 and disconnect the drive again.

7 Replace the drive in the PC

Reconnect the drive to the secondary master of your PC and boot off the LBA48 MFS Tools CD again

8 Configuring rc.sysinit.author and .profile

We will now configure rc.sysinit.author to configure your network, and start ftp and telnet. So far everyone who has received a HR10-250 has had their active partition as partition 7. If you complete the following steps and see no changes, try performing them again on hdc4 instead of hdc7.

Create a mount point for the partition and mount it:

mkdir /mnt/mnt7
mount /dev/hdc7 /mnt/mnt7

Change to the directory that will house rc.sysyinit.author

cd /mnt/mnt7/etc/rc.d

Edit rc.sysinit.author:

pico rc.sysinit.author

Create the file as follows, except substitute the correct IP address, broadcast address and netmask for your network. When you are done editing the file, hit ctrl-x and pico will prompt you to save it.

         #!/bin/bash

         #load usb and ethernet modules
         insmod /lib/modules/usbcore.o
         insmod /lib/modules/ehci-hcd.o
         insmod /lib/modules/ax8817x.o
         sleep 15

         #configure Linksys USB200M
         ifconfig eth0 192.168.1.100 broadcast 192.168.1.255 netmask 255.255.255.0
         sleep 60

         #start telnetd
         tnlited 23 /bin/bash -login &

       #start ftpd
         /var/hack/tivoftpd.mips

After saving the file, make it executable:

chmod 755 rc.sysinit.author

Now switch to the root dir of the mount point

cd /mnt/mnt7

Edit .profile

pico .profile

Create the file as follows, then ctrl-x and follow the prompts to save it.

         export PATH=/tivo-bin/:$PATH":"/var/hack/bin/:/var/mfs_ftp:/var/hack:
         export LD_LIBRARY_PATH=/var/hack/lib/":"$LD_LIBRARY_PATH
         export HOME=/var/hack/root

Unmount the directory and halt the PC:

         cd /
         umount /mnt/mnt7
         halt

9 Re-boot the network capable Tivo

After replacing the drive in the Tivo, connecting the USB200M to your network and rebooting the HR10-250, you should be up and running on the network. The following steps will be done remotely.

10 FTP key files over to the HR10-250

Using your favorite ftp application, ftp the following files to the HR10-250. All of these files come from the various archives above. Put them in the /var/hack directory on the HR10-250 for now. Make sure you send all files in binary mode.

devbin-s2.tar (from devbin-s2.tgz)
netbin-s2.tar (from netbin-s2.tgz)
ps-s2 (from ps-s2.gz)
TivoWebPlus-1.0-final.tivo.tpm (from tivowebplus-1.0-final.zip)
twebplus-patched.tar
mfs_ftp.tar (from mfs_ftp.1.2.9p.tar.zip)
s2bins.tar (from s2bins.tar.zip)
ciphercheck.tcl
csoscout.tcl
tserver_mfs and NowShowing.tcl (from tserver_mnerd.zip)

11 Telnet to your HR10-250

Using whatever telnet program you prefer, telnet to the ip address you gave the HR10-250.

12 Install basic unix commands

Let's get tar, ls, etc. on the box. They'll make our lives a lot easier

         cd /var/hack/bin
         cpio -idu -H tar < ../devbin-s2.tar
         chmod 755 *

Now lets get the network programs and ps in there too

         tar xvf ../netbin-s2.tar
         mv ../ps-s2 ./ps
         chmod 755 *

13 Install and update TivoWebPlus

First, let's go to where we copied over the installer

cd /var/hack

Now lets chmod the installer and run it. Keep all the default options for TivoWebPlus. Let it start at boot time, and have it start now.

chmod 755 TivoWebPlus-1.0-final.tivo.tpm
./TivoWebPlus-1.0-final.tivo.tpm

After the install is complete, we'll copy in the patched files so that the OTA channels also appear in the Channel List, etc. of TivoWebPlus

cd /var/local/tivoweb-tcl/modules
tar xvf /var/hack/twebplus-patched.tar

Now if you use a web browser and connect to your HR10-250's IP address, you'll see TivoWebPlus. You'll need to restart it to get the patch to take effect. Click on Restart, then Full Reload. It'll say it was successful, but in reality you have to wait like 30 or 40 seconds before you can click on Main Menu to get to your fully operational , patched TivoWebPlus.

14 Install mfs_ftp

Change to the /var directory

cd /var

Extract the mfs_ftp archive, then the series two support binaries

tar xvf /var/hack/mfs_ftp.tar
tar xvf /var/hack/s2bins.tar

We will not start mfs_ftp automatically, but there is a readme.txt in /var/mfs_ftp if you want to start it.

15 Patch tivoapp to disable encryption

Change to the /var/hack directory

cd /var/hack

Chmod the encryption test programs

chmod 755 ciphercheck.tcl
chmod 755 csoscout.tcl

Now we'll back up tivoapp and patch it

         mount -o remount,rw /
         cd /tvbin
         cp -p tivoapp tivoapp.good
         mv tivoapp tivoapp.tmp
         cp -p tivoapp.good tivoapp
         echo -ne "\x3C\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6978700
         chmod 755 tivoapp
         mount -o remount,ro /
         reboot

Your HR10-250 should now be rebooting. After it's up and running, make a few 1 or 2 minute recordings from various HD channels so that we can test if encryption is off. After you have made a few recordings, telnet back in to the HR10-250, then do the following:

cd /var/hack
tivosh ./ciphercheck.tcl

You should now see output that looks something like the following. What we are really concerned about are seeing "TyStream encryption is currently disabled" and that the first two columns of the table say "No" for the recordings you made post patching tivoapp.

     bash-2.02# tivosh ciphercheck.tcl
     CipherCheck.tcl by AlphaWolf_HK

     TyStream encryption is currently disabled.

     Here is the status of your current recordings:

     Encrypted CSO Set Stream Name
     --------- ------- -----------------------------------------------------------
     No        No      Building the Great Pyramid
     No        No      Trading Spaces
     No        No      The Casino
     No        No      Da Ali G Show

If you ever want to back out the patch, just remount / as rw, cd /tvbin, cp -p tivoapp.good tivoapp, chmod 755 tivoapp, remount / as ro, and reboot.

If you have any pre-recorded shows that won't playback because they are encrypted, you can do the following:

         mount -o remount,rw /
         cd /var/hack
         tivosh ./csoscout.tcl
         mount -o remount,ro /
         reboot

16 Starting tserver_mfs

After you unzip the client side of TyTool (TyTool9r17.zip) on your PC, there is plenty of documentation in there on how to use it. On the HR10-250 side, you need to make sure that tserver_mfs and NowShowing.tcl are both executable by doing the following:

         cd /var/hack
         chmod 755 tserver_mfs
         chmod 755 NowShowing.tcl

After you start tserver_mfs you'll be able to connect and extract using TyTool. If you want to start tserver running in the background, just do the following:

cd /var/hack
./tserver_mfs &>/dev/null &

That's about all there is to it. By now your HR10-250 should be about 8 million times cooler than it already was when you first opened the box. Good luck!

Derek J. Nolan a.k.a. DSmooth a.k.a. ][ronMan