Open TiVo to backdoor hacks to reveal some configuration settings and features that the "untouched" TiVo does not normally allow access to.
Backdoors are the fun remote codes—the ones that require a little more knowledge to get into. You're not going to stumble upon these by accident; you have to know what you're looking for.
To use any of the backdoor remote control codes, we first have to ask TiVo to enable the as-yet-inactive backdoors code.
The one complication in enabling this mode is that it fully depends on the version of the TiVo OS your TiVo is running. To find out the version of your TiVo OS, go to the Messages & Setup menu and select System Information. You'll see a listing for "Software Version" that looks something like 3.0-01-1-010; that's what you're looking for! In this case, TiVo is running OS Version 3.0—the first two digits are the significant bits you're looking for.
If your TiVo OS version is 3.0 or earlier, then armed with that version number and the listings in Table 1-2, head to the Browse By Name or Search by Title screen—the one that provides you with an alphanumeric list by which to enter letters and numbers. Using the arrows and Select button on your TiVo remote control, enter the appropriate backdoor code in the same way you'd usually enter the name of a show you're looking for.
You must enter each of these backdoor codes verbatim, so pay close attention to the spaces. You can enter a space by choosing SP from the Search by Title or Browse By Name alphanumeric list.
Table 1-2. Backdoor codes for TiVos running OS 1.3 through OS 3.0
TiVo operating system version
OS 1.3 in the U.S. and 1.50 or 1.51 in the U.K.
OS 1.5.2 in the U.K.
OS 2.5 in the U.S. and 2.5.5 in the U.K.
OS 2.5.2 for DirectTiVo
button. You will hear three thumbs-up blings, and
your TiVo will briefly display
enabled!. If you check out your System Information screen, you'll also see
ENABLED! line at the top. At this point, you
are in like Flynn.
If your TiVo is running a version of the operating system newer than 3.0, then I'm afraid you'll have to do a lot more work to open that backdoor.
More recent versions of the TiVo operating system have started making it a little more difficult to enable backdoor mode. The previous keys were discovered by poking around TiVo's filesystem and seeking out the backdoor code itself, usually simply noted somewhere. Unfortunately, the more recent versions do not store the backdoor code "in the clear"; instead, they store a one-way, irreversible hash (read: scrambled) of the backdoor code. When you enter a potential code via Browse By Name or Search by Title as we did above, TiVo applies a special function to what you have entered and tests to see if the two hashes match up. The problem is, since the hash function is one-way, simply knowing the hash of the backdoor code tells us nothing about what it is in the clear.
But it does tell us that if we know what kind of hash function the backdoor code uses (in the case of the TiVo, it uses the SHA-1 hash), then we can replace the existing hash with a new hash derived from text we do know. How about the hash of an empty string? Thankfully, Steve White has authored a utility, backdoorpw (http://prdownloads.sourceforge.net/tivoutils/backdoorpw.gz?download), that does just that.
Applying this hack is a little more complicated than the other hacks in this chapter and is going to require a few workarounds from Chapter 2. Download White's backdoor program, copy it onto a floppy disk, boot your PC using Kazymyr's bootdisk [Hack #26] with TiVo's hard drive connected [Hack #22], and then mount the floppy disk:
mount /dev/fd0 /mnt/floppy
Decompress the file:
gzip -d backdoor.gz
Then run the backdoor application on your TiVo's hard drive. Assuming that your TiVo's drive is mounted as the secondary master, use the following code:
Running the program should provide output very similar, but not identical, to the following:
    Good! This is a TiVo drive
    Opening MFS Application Region partition: /dev/hdc10...
    searching offset 0x0fffd800
    I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
    Opening MFS Application Region partition: /dev/hdc12...
    searching offset 0x0e3fdc60
    Found 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4 at 0x0e41a29c
    searching offset 0x0f0fda58
    Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f1eb342
    Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f27a2f4
    searching offset 0x0fffd850
    Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
    Patch #1 at offset 0x0e41a29c
    data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
    data at 0x0e41a29c would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    Patch #2 at offset 0x0f1eb342
    data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    data at 0x0f1eb342 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    Patch #3 at offset 0x0f27a2f4
    data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    data at 0x0f27a2f4 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
    If everything appeared okay, please rerun the program with the following args:
    ./backdoor /dev/hdc y

    data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
    ...
    data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
    ...
    data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
The number of hashes varies from TiVo to TiVo, but you
shouldn't have more than three, unless your box has gone through a
great deal of upgrades recently. It doesn't really matter, just so
long as the backdoor program detects at least two hashes. Also, the
certainly be different, so there's no need to worry about that
What you should pay attention to is the format of the
value inside the single quotes (e.g.,
Make sure this value looks like the SHA hash—all uppercase, consisting
of the numerals 0-9 and letters A-F. If the value inside the single quotes
contains anything else, do not proceed any
further, as you will most likely corrupt your TiVo's
./backdoor /dev/hdc y
    Good! This is a TiVo drive
    Opening MFS Application Region partition: /dev/hdc10...
    searching offset 0x0fffd800
    I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
    Opening MFS Application Region partition: /dev/hdc12...
    searching offset 0x0fffd878
    Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
    Patch #1 at offset 0x0e41a29c
    Patch #2 at offset 0x0f1eb342
    Patch #3 at offset 0x0f27a2f4
    Success! You may now put the drive back in your TiVo.
    To enable backdoor mode, go into 'Search by Title' and press thumbsup.
The backdoor hash has been changed to an empty string. Put the drive back into your TiVo [Hack #27], revisit the Search by Title screen and simply press the
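The format check on the dry-run output described above, and the earlier point that the stored SHA-1 hash is replaced by the hash of an empty string, can both be automated. The Python below is an added example, not part of backdoorpw or the original text: the names `stored_form` and `check_dry_run` are hypothetical, and the per-word byte swap is inferred from the sample output above, where the replacement value equals SHA-1 of the empty string with each 32-bit word byte-reversed.

```python
import hashlib
import re
import struct

# Dry-run lines for two of the patches, copied from the output shown above.
DRY_RUN = """\
data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
data at 0x0e41a29c would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
data at 0x0f1eb342 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
"""

SHA_FORMAT = re.compile(r"[0-9A-F]{40}")  # 40 uppercase hex digits
DATA_LINE = re.compile(
    r"data at (0x[0-9a-f]+) (is currently|would be changed to) '([^']*)'")


def stored_form(code: bytes) -> str:
    """SHA-1 of `code` with each 32-bit word byte-reversed, as uppercase hex.

    The word swap is an assumption inferred from the output above,
    not taken from backdoorpw's source.
    """
    words = struct.unpack(">5I", hashlib.sha1(code).digest())
    return struct.pack("<5I", *words).hex().upper()


def check_dry_run(output: str) -> list:
    """Return a list of problems; an empty list means the dry run looks sane."""
    problems, current = [], 0
    empty = stored_form(b"")
    for offset, kind, value in DATA_LINE.findall(output):
        if not SHA_FORMAT.fullmatch(value):
            problems.append(f"{offset}: {value!r} is not 40 uppercase hex digits")
        elif kind == "is currently":
            current += 1
        elif value != empty:
            problems.append(f"{offset}: replacement is not the empty-string hash")
    if current < 2:  # the text expects at least two hashes to be detected
        problems.append(f"only {current} existing hash(es) found")
    return problems


if __name__ == "__main__":
    for problem in check_dry_run(DRY_RUN) or ["dry run looks sane"]:
        print(problem)
```

Any entry in the returned list is a reason not to rerun the program with the `y` argument.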