Don't forget Joe Public

Possible strategies for unhacked units

Postby trilobite » Wed Feb 16, 2011 8:19 pm

There are a couple more possible backdoors I can think of that might be able to install a "new EPG source" hack without opening the lid and without the need to enter anything complicated.

1) I seem to remember that some models of unhacked TiVo are supposed to be able to get a root shell on the serial port jack plug. Anyone know if this is possible on a UK S1, or does it need hacked rc scripts? If it can be done, then given a source of guide data, it might be possible to put together a little hardware device with a cheap microcontroller in it. Joe Public could plug it into the socket, and the device would issue commands to get a shell and from there reprogram the target phone number and any other PPP settings that might be needed. If it's possible it would be a zero-touch means of modifying units.

Of course, this method assumes there's a modem bank of some sort. Might just be possible using cheap/free SIP dial-in numbers (plus something like iaxmodem), if a TiVo modem speed of 9600 would work OK.

2) Some web sources say it's possible to enter a dial prefix that tells the TiVo to use an external modem connected to that serial port. Again, not something I have tried, and I have no idea if it's supported on a UK Series 1 unit. However you could envisage using this to give the TiVo a fake modem that's actually a small computer (e.g. a repurposed cheap router) that connects to a LAN on the other side to get the guide data. This would allow a network download of guide data without the need to install an internal network card.

Obviously this is all just speculation until we actually have a guide source. But from playing around with xmltv and Guide Tools over the past day or so, it does look like it ought to be feasible to put one together relatively quickly - so it's probably worth collecting ideas in the hope that we'll have alternative guide data before May/June.

As for database resets vs. ID synchronisation - if the price of continuing to use a TiVo is having to clear everything out, I'd have thought it would be one most people would be willing to put up with.
trilobite
Powering up...
Posts: 8
Joined: Wed Feb 16, 2011 7:25 pm
Location: Bristol, UK

Postby irrelevant » Wed Feb 16, 2011 8:41 pm

Long prefix number is confirmed - I connected my two tivos all back up again earlier, and certainly it is possible to enter a full telephone number in the dial prefix field. That makes it positively easy to redirect where it connects to. Unfortunately one box didn't power up, and the other was set to network dial in the scripts somewhere, so I couldn't check it actually dialled, not to mention not having a proper phone line up there, but I see no reason why it won't work. Add a couple of pauses after the number and it shouldn't even confuse any LCR boxes.

So... I'll try to sort out a phone line in the attic, or move the tivo nearer to one, and check up on iaxmodem again, see if I can get it to answer the high speed modem in a TiVo. (Last time I tried, I was attempting to answer a V23 (1200/75bps) modem call which is well outside what most people use it for!) If I can pipe that to pppd, then we're all set on that front.

All that needs doing then is to let a real tivo (that has an active subscription..) chat to the real tivo server via that network and capture the dialogue. Given the knowledge out there, I'm sure that it'd be easy to replicate the server side, given that level of detail of what's going on.


Guess I'll need to set up a new *nix box with asterisk on it for that, though, keep things separate. Anyone else wants to jump in, please do, I quickly run out of spare time around here :-)
irrelevant
AltEPG Team
Posts: 223
Joined: Wed Feb 16, 2011 12:06 am
Location: Salford, UK

Postby lloyd » Wed Feb 16, 2011 8:54 pm

irrelevant wrote:All that needs doing then is to let a real tivo (that has an active subscription..) chat to the real tivo server via that network and capture the dialogue. Given the knowledge out there, I'm sure that it'd be easy to replicate the server side, given that level of detail of what's going on.


Guess I'll need to set up a new *nix box with asterisk on it for that, though, keep things separate. Anyone else wants to jump in, please do, I quickly run out of spare time around here :-)


Doesn't the dial up simply initiate a ppp connection? If that is the case, surely capturing the conversation with a sniffer on a network connection would be easier? Or have I missed the point?
lloyd
TiVo lover
Posts: 82
Joined: Tue Feb 15, 2011 9:25 pm

Postby irrelevant » Wed Feb 16, 2011 9:00 pm

lloyd wrote:Doesn't the dial up simply initiate a ppp connection? If that is the case, surely capturing the conversation with a sniffer on a network connection would be easier? Or have I missed the point?


Um, yes, probably that would work too.. :oops:
irrelevant
AltEPG Team
Posts: 223
Joined: Wed Feb 16, 2011 12:06 am
Location: Salford, UK

Postby Countryman » Wed Feb 16, 2011 9:47 pm

I was going to say that I suspect that it is BSkyB who 'own' the telephone number that our TiVos dial into rather than TiVo Inc, but you seem to have sussed not only a way round that but also an option available to non-techie users without having to resort to sending in their TiVos to have the number tweaked!

Great bit of lateral thinking on your part.
Countryman
Almost there...
Posts: 37
Joined: Tue Feb 15, 2011 4:46 pm
Location: 26

Postby Tcm2007 » Wed Feb 16, 2011 10:50 pm

You need to get a clone of the Aussie system running as a first step. Getting that going in three months is possible, but will be challenging.

I'm afraid trying to cater for people who are not prepared to hack their TiVos in the timescale available is not going to happen. It's making the back end task much harder, for no benefit to those who will be doing the heavy lifting.
Tcm2007
AltEPG Team
Posts: 201
Joined: Tue Feb 15, 2011 4:17 pm

Postby bigflyer » Wed Feb 16, 2011 10:53 pm

To be honest I think you have to be careful of overcomplicating things and thus delaying it.

Trying to replicate the existing TiVo service will be harder to do than using scripts.

Most people who still have an S1 TiVo will either be techies or people who really love their TiVo. Those who love their TiVos but aren't techies will probably be happy to send their TiVos to somewhere who can put scripts onto their servers for them for a small cost.

So, yes, running a PPP service to allow dial-in support (without a network card) may be a good idea to minimise cost/disruption for Joe Public, but if requiring scripts means we can definitely do this in 3 months whereas trying to replicate TiVos service directly means there's a chance it will take longer, then we need to decide to concentrate on the script method first.
bigflyer
TiVo lover
Posts: 88
Joined: Wed Feb 16, 2011 10:46 pm

Postby irrelevant » Wed Feb 16, 2011 11:26 pm

That's exactly why I asked, over on page 1,
irrelevant wrote:Two questions therefore -

- how many people are there out there actually still running non-networked TiVos? i.e. what's the target audience for this?

- what is the aim of this exercise? To keep *our* TiVos running, or to keep *everybody's* TiVos running?
:D

I'm only pitching in with ideas that I've had some experience or knowledge with, and might be able to help with. Obviously the data needs to be there first, and the existing scripts will obviously be easiest to implement quickly, but there are others out there that have the experience to work with those already.

My skills are mainly in comms, and I've had successes in reverse engineering client-server protocols in the past, so feel that it's an achievable aim. But no, certainly don't wait for it! However, if we can allow unmodified boxes to continue to work by simply getting their owners to change a telephone number, then I think that it is an aim worth pursuing, even if only as a side-project.
irrelevant
AltEPG Team
Posts: 223
Joined: Wed Feb 16, 2011 12:06 am
Location: Salford, UK

Postby Tcm2007 » Wed Feb 16, 2011 11:36 pm

I'm not sure a just-change-the-number solution is possible.

You'd have at the very least to do a full clear all on the machine, but much more likely you'd need to run a full Guided Setup - which would mean emulating the server side of the GS. Which just made the task much harder!

The guide data we make would not have the same unique identifiers as the TiVo supplied data, so not only would an SP for Top Gear start recording the Antiques Roadshow, it would probably try to tune in to S4C and use the remote codes for a Sky box with your Freeview STB.

If you provide a starting image, then all that basic data can be preloaded and controlled.
Tcm2007
AltEPG Team
Posts: 201
Joined: Tue Feb 15, 2011 4:17 pm

Postby irrelevant » Thu Feb 17, 2011 12:12 am

Tcm2007 wrote:I'm not sure a just-change-the-number solution is possible.

You'd have at the very least to do a full clear all on the machine, but much more likely you'd need to run a full Guided Setup - which would mean emulating the server side of the GS. Which just made the task much harder!


These are good points, and certainly something that needs to be addressed.

Tcm2007 wrote:The guide data we make would not have the same unique identifiers as the TiVo supplied data, so not only would an SP for Top Gear start recording the Antiques Roadshow, it would probably try to tune in to S4C and use the remote codes for a Sky box with your Freeview STB.


I've not looked at the guide data scripts yet, but I have to ask ... why should that need to be the case? Since we'd be starting fresh, could we not just allocate the same IDs for these things that TiVo already uses? Then we're interoperable from the start, for not much extra work.

Tcm2007 wrote:If you provide a starting image, then all that basic data can be preloaded and controlled.


The other problem with people having to load a new drive image is that surely it will wipe out all their existing recordings? I can see some people not wanting to go that route, either.
irrelevant
AltEPG Team
Posts: 223
Joined: Wed Feb 16, 2011 12:06 am
Location: Salford, UK

Postby trilobite » Thu Feb 17, 2011 1:53 am

Tcm2007 wrote:You need to get a clone of the Aussie system running as a first step. Getting that going in three months is possible, but will be challenging.

I'm afraid trying to cater for people who are not prepared to hack their TiVos in the timescale available is not going to happen. It's making the back end task much harder, for no benefit to those who will be doing the heavy lifting.


As far as I can tell from what's out there on the web, the "Aussie system" already includes emulating the TiVo server (which delivers headend and update data slices via HTTP). So if that's the aim here, it might not need *any* extra work on the backend side to be able to support unhacked units, if we can find a suitable backdoor. As you say, anything that would make the backend work any harder is probably a non-starter.

From what I've read so far, the Australian approach used to have an on-device script that loaded guide data but they dropped support for it when they got stable service emulation working. I've been assuming so far that we are aiming at a copy of the emulator rather than a script.

The other assumption is that the emulator is already capable of taking an unmodified TiVo through Guided Setup. Which I guess we can try and see.

I don't see a way to do this yet without a complete device clear - we have no way of matching up programme IDs etc. with the ones previously used by TiVo without an impossible amount of work. (Though it would be much nicer if the guide database, season passes and thumbs could be cleared without also clearing stored programmes...)
trilobite
Powering up...
Posts: 8
Joined: Wed Feb 16, 2011 7:25 pm
Location: Bristol, UK

Postby Kitschcamppalace » Thu Feb 17, 2011 8:07 am

Iirc, the latter is possible. I think I have a script for it.
Kitschcamppalace
Valued Contributor
Posts: 71
Joined: Tue Feb 15, 2011 3:15 pm
Location: Sweden

Postby garysargent » Thu Feb 17, 2011 11:43 am

FYI you can 100% definitely add a different phone number to the dial prefix and TiVo will call it just fine. We have done this in the past - when the 0800 number stopped working we could change to use an 0845 backup number by placing the whole number in the dial prefix field.

You'd need to make it dial a private dial-up service where you can have a server that has the same IP address as the TiVo one (or use something like NAT to translate the address to another one).

This would be the easiest route for non-techies, though as others have pointed out emulating the full service would be difficult - mainly because of the blowfish encryption.
garysargent
Powering up...
Posts: 6
Joined: Thu Feb 17, 2011 11:34 am

Postby LarryDavidJr » Thu Feb 17, 2011 11:48 am

garysargent wrote:FYI you can 100% definitely add a different phone number to the dial prefix and TiVo will call it just fine. We have done this in the past - when the 0800 number stopped working we could change to use an 0845 backup number by placing the whole number in the dial prefix field.

You'd need to make it dial a private dial-up service where you can have a server that has the same IP address as the TiVo one (or use something like NAT to translate the address to another one).

This would be the easiest route for non-techies, though as others have pointed out emulating the full service would be difficult - mainly because of the blowfish encryption.


Interesting, I didn't know it was encrypted. I assumed that the dial up was to a closed-network scenario, with authentication based on a sub number. Is the entire transmission encrypted, or just certain parts, do you know?

Regardless this would indeed make backwards-engineering emulation of the service nigh-on impossible.

Bugger.
Bog-Standard TiVO S1 - Lifetime Sub - Virgin Media Not Available - Don't want to give any more money to Murdoch
LarryDavidJr
Almost there...
Posts: 22
Joined: Wed Feb 16, 2011 11:15 am

Postby garysargent » Thu Feb 17, 2011 11:51 am

You are testing my memory now! But as far as I remember the slices are delivered in an encrypted form, and then decrypted on the TiVo box and processed.

The Aus method I think just uses non-encrypted slices and kicks off the next step.

For a non hacked TiVo though I don't think you could miss out the encryption step, and we don't have the private key to encrypt slices.
garysargent
Powering up...
Posts: 6
Joined: Thu Feb 17, 2011 11:34 am