Hacking your DirecTiVo

Rob Whall
rwhall1 at mindspring dot com



Kernel: 3.1.1c with killinird applied. Obtained from PTVupgrades. Product info: LBA48-401DD PTVupgrade LBA48 4.01 with Enhancements.

This document outlines how to add a new, larger hard drive, get a bash prompt over a serial port, install the USB 2.0 networking drivers, bring up eth0, and get the tivo ready for installing the extraction in control hacks (TyTools, TivoWebPlus, mfs_ftp, and mplayer are my personal favorites).

I have a DirecTiVo Phillips DSR 7000 running version 3.1.1e of the TiVo kernel & software, but I was able to make everything work well, despite the fact that only up to 3.1.1d is covered in the book. Apparently there are folks out there who have gotten 4.0 tivo software to work on the DirecTivo's, but I'm not quite that adventurous yet.

In order to get the DirecTivo hacks working for Bash and extraction, I had to download the 3.1.1c tivo kernel from PTVdatabase. It had already had the killinitrd hack applied. This cost me $5.00, but was well worth it.

I also needed the Linux usb drivers for my configuration. I got those from genTiVo_HackPack.zip. One of the steps was to unzip the file, and load the contents of the ethernet_drivers directory on to the new TiVo drive. I'm using a linksys USB200M usb network adapter, which is fairly common and available in most computer stores as of right now (January 2005).

I couldn't find a kernel/root combination that worked for me on the net, and spent 3 evenings trying various combinations, getting a tivo that wouldn't boot, restoring, and trying again. The first time it wouldn't boot I had the crap scared out of me, but restoring the partitions and running bootpage to reset the boot parameter to a simple "root=/dev/hda7" fixed it right up.

I carried out this entire procedure on a Linux PC, and therefore had access to my every-day use hard drive for backing up small partitions, downloading docs from the net, etc... It was very convenient. I burned the CD image to a CD, and copied it back to my PC in preparation for this procedure.

Many of the steps here refer to "Hacking the Tivo, Second Edition" by Bill von Hagen. Other information was gleaned from the DealDatabase TiVo forums.

Here goes:

  1. I followed the instructions from "Getting a Command Prompt on a Series 2 TiVo" (Chapter 8, page 252) from steps 1 to 12.
  2. I then backed up my crucial partitions. This saved my butt, as I was able to restore them by reversing the if & of parameters, which brought back a non-booting tivo more then once.

    Note: hdb was my new TiVo disk, and hda was my personal hard drive.

    I mounted my regular every-day hard drive to use as a file source and backup repository:

    mkdir /mnt/mypc
    mount /dev/hda5 /mnt/mypc
  3. I backed up the stock root & kernel partitions:
    dd if=/dev/hdb6 of=/mnt/mypc/home/rwhall/tivo/backups/partition6_kernel.img
    dd if=/dev/hdb3 of=/mnt/mypc/home/rwhall/tivo/backups/partition3_kernel.img
    dd if=/dev/hdb4 of=/mnt/mypc/home/rwhall/tivo/backups/partition4_root_fs.img bs=32k
    dd if=/dev/hdb7 of=/mnt/mypc/home/rwhall/tivo/backups/partition7_root_fs.img bs=32k
  4. Switching to the instructions in the "Doing the Monte" section on page 263 of Chapter 8, I performed an amended step 16. I left the root file systems alone, and used the 3.1.1c kernel from PTVUpgrade on both kernel partitions. The kernel is called vmlinux.px, and is in the 3.1.1c directory on the CD. I had copied the CD over to my regular hard drive before beginning this procedure.
      dd if=/mnt/mypc/home/rwhall/tivo/files/vmlinux.px of=/dev/hdb6
      dd if=/mnt/mypc/home/rwhall/tivo/files/vmlinux.px of=/dev/hdb3
  5. I then copied the contents of the ethernet drivers from the generationtivo website archive and mounted the tivo hack partition created while following the steps in the book:
    mount /dev/hdb9 /mnt/tivo
    mkdir /mnt/tivo/hack/ethernet_files
    cp /mnt/mypc/home/rwhall/tivo/files/genTiVo_HackPack_m/ethernet_drivers /mnt/tivo/hack/ethernet_files
  6. OK, back to "Getting a Command Prompt on a Series 2 TiVo". I performed step 13, only slightly modified:
    bootpage -P "root=/dev/hda7 dsscon=true console=2,115200 BASH_ENV=\`mount\$IFS-n\$IFS/dev/hda16\$IFS/mnt;echo\$IFS/mnt/hacks\`" -C /dev/hdb

    Note: That must all be typed on one line!

  7. At that point, I shut down my PC and re-mounted it in my DirecTivo. I was able to boot, and to see the bash prompt on the serial line. After 4 days of trying, THAT was a big moment!

  8. My next mis-step was to mix & match the USB drivers that came shipped with the tivo, and from the generation tivo hack pack. That was ugly, and caused several kernel panic's and reboots. Finally, I hit upon the idea of only using the hack pack drivers. I modified the instructions from the hack pack and copied the modules I needed to the /lib/modules directory:
    cp usbcore.o /lib/modules/hack_usbcore.o
    cp hcd.o /lib/modules/hack_hcd.o
    cp ehci-hcd.o /lib/modules/hack_ehci-hcd.o
    cp ax8817x.o /lib/modules/hack_ax8817x.o
  9. I chanced to the modules directory, and inserted them into the kernel:
    cd /lib/modules
    insmod hack_usbcore.o
    insmod hack_hcd.o
    insmod hack_ehci-hcd.o
    insmod ax8817x
  10. Finally, I brought up the network. This had to be done manually, as dhcpcd doesn't exist on the 3.1.1c series 2 directivo's:
    ifconfig eth0 netmask up
    route add default gw
  11. Once this worked, I started the ftp and telnet daemons as outlined in the "Starting FTP and Telnet on Your TiVo" section, chapter 8, page 274.

  12. I telneted into the machine, and was de-shackled from the 10 foot serial cable. Hurrah!

  13. I added the module insertion and daemon starting to the rc.sysinit file. This was not fancy at all, and I will probably refine it, but I was going for quick & dirty:
    /sbin/insmod /lib/modules/hack_usbcore.o
    /sbin/insmod /lib/modules/hack_hcd.o
    /sbin/insmod /lib/modules/hack_ehci-hcd.o
    /sbin/insmod /lib/modules/hack_ax8817x.o
    sleep 10
    /sbin/ifconfig eth0 netmask up
    /sbin/route add default gw
    /sbin/tnlited 23 /bin/bash -login &
    /var/hack/bin/tivoftpd &
    One lesson I learned the hard way: Mark the file as executable. Mark the file as executable. Mark the file as executable. When I saw the console output, and realized it couldn't execute the sysinit file and just hung, I was bummed. I had backed up the file and created a new one, so the original was preserved, but missed the crucial 'mark as executable' step. I had to pull the drive and Mark the file as executable:
    chmod u+x rc.sysinit
  14. After that, I rebooted the tivo twice to ensure that it would come up on the network. It did!
  15. There was one more wrinkle: I have a 3.1.1e root filesystem, as that remained unchanged, and a 3.1.1c kernel. So far that has presented me with no issues. The flip side, however, is that to shut off the encryption, I could find no documentation. The book only goes up to 3.1.1c. After much searching, I came across a post from AlphaWolf, who has one a tremendous amount of work on this sort of thing. According to his information, the 3.1.1e tivoapp is the same one as the 3.1.1d, so those instructions would work with it. I applied them, and everything worked fine. The AlhpaWolf post is here.

    To turn off encryption on my tivo ( from Chapter 12 of the book, section 'Disabling Video Encryption', page 457):

    mount -o remount,rw /
    cd /tvbin
    cp tivoapp tivoapp.orig
    mv tivoapp tivoapp.save
    cp tivoapp.orig tivoapp
    cp tivoapp.orig tivapp
    chmod 755 tivoapp
    From the AlphaWolf post:
    echo -ne "\x3c\x02\x00\x00" | dd conv=notrunc of=tivoapp bs=1 seek=6500332
  16. From there, I followed the instructions in the book on setting up mfs_ftp, TyTools, and mplayer for streaming.

Happy Hacking!