TiVo Hacks by Raffi Krikorian

Hack #8. Opening the Backdoor

Open TiVo to backdoor hacks to reveal some configuration settings and features that the "untouched" TiVo does not normally allow access to.

Backdoors are the fun remote codes—the ones that require a little more knowledge to get into. You're not going to stumble upon these by accident; you have to know what you're looking for.

To use any of the backdoor remote control codes, we first have to ask TiVo to enable the as-yet-inactive backdoors code.

The one complication in enabling this mode is that it fully depends on the version of the TiVo OS your TiVo is running. To find out the version of your TiVo OS, go to the Messages & Setup menu and select System Information. You'll see a listing for "Software Version" that looks something like 3.0-01-1-010; that's what you're looking for! In this case, TiVo is running OS Version 3.0—the first two digits are the significant bits you're looking for.

Opening the Backdoor on TiVo OS 3.0 or Earlier

If your TiVo OS version is 3.0 or earlier, then armed with that version number and the listings in Table 1-2, head to the Browse By Name or Search by Title screen—the one that provides you with an alphanumeric list by which to enter letters and numbers. Using the arrows and Select button on your TiVo remote control, enter the appropriate backdoor code in the same way you'd usually enter the name of a show you're looking for.

Warning

You must enter each of these backdoor codes verbatim, so pay close attention to the spaces. You can enter a space by choosing SP from the Search by Title or Browse By Name alphanumeric list.

Table 1-2. Backdoor codes for TiVos running OS 1.3 through OS 3.0

| TiVo operating system version | Backdoor code |
| --- | --- |
| OS 1.3 in the U.S. and 1.50 or 1.51 in the U.K. | 0V1T |
| OS 1.5.2 in the U.K. | 10J0M |
| OS 2.0 | 2 0 TCD |
| OS 2.5 in the U.S. and 2.5.5 in the U.K. | B D 2 5 |
| OS 2.5.2 for DirectTiVo | B M U S 1 |
| OS 3.0 | 3 0 BC |

Follow this by pressing the Thumbs Up button. You will hear three thumbs-up blings, and your TiVo will briefly display Backdoors enabled!. If you check out your System Information screen, you'll also see a Backdoors: ENABLED! line at the top. At this point, you are in like Flynn.

The only way to disable backdoors (currently) is to reboot your TiVo.

If your TiVo is running a version of the operating system newer than 3.0, then I'm afraid you'll have to do a lot more work to open that backdoor.

Opening the Backdoor on TiVo OS 3.1 or Later

More recent versions of the TiVo operating system have started making it a little more difficult to enable backdoor mode. The previous keys were discovered by poking around TiVo's filesystem and seeking out the backdoor code itself, usually simply noted somewhere. Unfortunately, the more recent versions do not store the backdoor code "in the clear"; instead, they store a one-way, irreversible hash (read: scrambled) of the backdoor code. When you enter a potential code via Browse By Name or Search by Title as we did above, TiVo applies a special function to what you have entered and tests to see if the two hashes match up. The problem is, since the hash function is one-way, simply knowing the hash of the backdoor code tells us nothing about what it is in the clear.

But it does tell us that if we know what kind of hash function the backdoor code uses (in the case of the TiVo, it uses the SHA-1 hash), then we can replace the existing hash with a new hash derived from text we do know. How about the hash of an empty string? Thankfully, Steve White has authored a utility, backdoorpw (http://prdownloads.sourceforge.net/tivoutils/backdoorpw.gz?download), that does just that.

Applying this hack is a little more complicated than the other hacks in this chapter and is going to require a few workarounds from Chapter 2. Download White's backdoor program, copy it onto a floppy disk, boot your PC using Kazymyr's bootdisk [Hack #26] with TiVo's hard drive connected [Hack #22], and then mount the floppy disk:

# mkdir /mnt/floppy
# mount /dev/fd0 /mnt/floppy

Decompress the file:

# cd /mnt/floppy
# gzip -d backdoor.gz

Then run the backdoor application on your TiVo's hard drive. Assuming that your TiVo's drive is mounted as the secondary master, use the following code:

# ./backdoor /dev/hdc

Don't worry about any damage occurring to your drive at this step. The code has a paranoia flag that, when set (which it is right now), prevents changes from being written to the drive.

Running the program should provide output very similar, but not identical, to the following:

Good! This is a TiVo drive
Opening MFS Application Region partition: /dev/hdc10...
searching offset 0x0fffd800
I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
Opening MFS Application Region partition: /dev/hdc12...
searching offset 0x0e3fdc60
Found 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4 at 0x0e41a29c
searching offset 0x0f0fda58
Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f1eb342
Found 61508C7FC1C2250E1794624D8619B9ED760FFABA at 0x0f27a2f4
searching offset 0x0fffd850
Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
Patch #1 at offset 0x0e41a29c
data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
data at 0x0e41a29c would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
Patch #2 at offset 0x0f1eb342
data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
data at 0x0f1eb342 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
Patch #3 at offset 0x0f27a2f4
data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
data at 0x0f27a2f4 would be changed to 'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
If everything appeared okay, please rerun the program with the following args:
./backdoor /dev/hdc y

The backdoor program will detect two or three hashes. In the previous output, these are the hashes:

data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
...
data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
...
data at 0x0f27a2f4 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'

The number of hashes varies from TiVo to TiVo, but you shouldn't have more than three, unless your box has gone through a great deal of upgrades recently. It doesn't really matter, just so long as the backdoor program detects at least two hashes. Also, the offsets (e.g., 0x0e41a29c) will certainly be different, so there's no need to worry about that either.

What you should pay attention to is the format of the value inside the single quotes (e.g., 96F8B204FD99534759A6C11A181EEDDFEB2DF1D4). Make sure this value looks like the SHA hash—all uppercase, consisting of the numerals 0 through 9 and letters A through F. If the value inside the single quotes contains anything else, do not proceed any further, as you will most likely corrupt your TiVo's filesystem.
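The format check described above can be automated before rerunning with y. The following is an added example, not part of the original book or of the backdoorpw utility: it validates each value reported in the dry run and confirms that the planned replacement is the SHA-1 of the empty string with each 32-bit word byte-swapped, a layout inferred here from the replacement value in the output above. The function names are hypothetical.

```python
import hashlib
import re
import struct

# Dry-run lines copied from the sample output on this page (two of the three patches).
SAMPLE = """\
data at 0x0e41a29c is currently '96F8B204FD99534759A6C11A181EEDDFEB2DF1D4'
data at 0x0e41a29c would be changed to
'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
data at 0x0f1eb342 is currently '61508C7FC1C2250E1794624D8619B9ED760FFABA'
data at 0x0f1eb342 would be changed to
'EEA339DA0D4B6B5EEFBF5532901860950907D8AF' if we weren't paranoid
"""

SHA1_HEX = re.compile(r"[0-9A-F]{40}")  # 160 bits written as uppercase hex


def stored_form(text: bytes) -> str:
    """SHA-1 of `text` with each 32-bit word byte-swapped, as uppercase hex.

    Assumption: this layout is inferred from the replacement value in the
    page's output; it is not documented behaviour of the tool.
    """
    words = struct.unpack(">5I", hashlib.sha1(text).digest())
    return struct.pack("<5I", *words).hex().upper()


def check_dry_run(output: str) -> list:
    """Return reasons not to rerun with 'y' (an empty list means it looks sane)."""
    problems = []
    current = re.findall(r"data at (0x[0-9a-f]+) is currently '([^']*)'", output)
    # \s+ tolerates the line wrap before the quoted value
    planned = re.findall(r"would be changed to\s+'([^']*)'", output)
    if len(current) < 2:
        problems.append("fewer than two backdoor hashes were found")
    for offset, value in current:
        if not SHA1_HEX.fullmatch(value):
            problems.append(f"{offset}: value is not 40 uppercase hex digits")
    for value in planned:
        if value != stored_form(b""):
            problems.append(f"replacement {value!r} is not the empty-string hash")
    return problems


if __name__ == "__main__":
    print(stored_form(b""))  # the value the tool plans to write
    print(check_dry_run(SAMPLE) or "dry run looks sane")
```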

Provided everything looks good, rerun the program, telling it to actually write the hash of an empty string to the hash locations, like so:

# ./backdoor /dev/hdc y

The additional y flag will turn off the paranoia checks, this time writing changed hashes to the drive. Output should look something like this:

Good! This is a TiVo drive
Opening MFS Application Region partition: /dev/hdc10...
searching offset 0x0fffd800
I was unable to find any occurrences of the backdoor hashes on /dev/hdc10
Opening MFS Application Region partition: /dev/hdc12...
searching offset 0x0fffd878
Found 3 backdoor hashes on /dev/hdc12. These will now be changed.
Patch #1 at offset 0x0e41a29c
Patch #2 at offset 0x0f1eb342
Patch #3 at offset 0x0f27a2f4
Success! You may now put the drive back in your TiVo.
To enable backdoor mode, go into 'Search by Title' and press thumbsup.

The backdoor hash has been changed to the hash of an empty string. Put the drive back into your TiVo [Hack #27], revisit the Search by Title screen, and simply press the Thumbs Up button on your remote to open the backdoor.
