Rob's Ramblings

Thursday, 7 April 2011

TiVo code injection

There may be one or two of you reading this that already know about TiVo. The quickest description for those that don't know about it is to say it's a PVR, like Sky+, but that's like saying Nescafé is good coffee. If you were about ten years ago, when it was last sold in the UK, you might remember the "it pauses live TV" adverts. But that's one of the least useful features. A TiVo learns about what you watch, finds other things you might like, and remembers things from one year to the next. Most people never knew this, and the likes of Currys, Comet, etc., seemed to have received little training on what it could do, so didn't try and sell the boxes they had. When Sky brought out Sky+, put all their marketing effort behind it, and all but gave the boxes away, it was the death knell for TiVo in the UK.

Thomson, the only people who licensed the TiVo software in the UK, only produced the one model, back around 2000, and had dropped it by 2002. At £399 for the box, and either a tenner a month subscription, or £200 for a lifetime sub, it was perceived as a little expensive for the feature being advertised!

Roll on to 2011. The old UK TiVo boxes still work, busy recording from Sky, Freeview, Freesat, Cable, or anything you feed into them. TiVo Inc finally strike a deal with Virgin Media to license the TiVo software on their cable boxes. Simultaneously, they announce that the EPG service they have provided for the last decade for the old boxes will cease on 1st June.

Cue much gnashing of teeth from us long-time users.

Long and short of it is that the "community" is going to set up a new server to supply the necessary EPG to the existing boxes out there. The trick will be telling the new boxes how to use it.

For boxes that have been modified with network cards, or for people who are happy pulling and upgrading discs, this is not an issue - upload and run a script, load up a new disc image, all are possible.

For unmodified boxes, where the only connection to the outside world is their daily call via the telephone line, it looked like being a problem. This is the task I took on addressing.

Stage 1 - the telephone call
Currently the TiVo dials an 0800 number to a standard ISP POP, logs in using its service number, and connects to the TiVo servers on a specified IP address. It's safe to assume that the dial-up number will be withdrawn from service come June 1st.

Changing to another number is relatively easy - you can specify a dial-prefix in the TiVo GUI, and if you put an entire number in there, it will dial all of it. But where to connect to?

By setting up a simple dial-up server, using an obsolete modem rack and terminal server, I can now accept calls from TiVos, and connect them to the internet.

Stage 2 - redirecting to the new server
Once connected to the internet, the TiVo connects to a webserver on a specified IP address in order to check the service status, post its logs, fetch software and guide updates, etc.

By passing the connection from the dial-up server to the internet through an old Firebrick firewall box, I can spot connections for one particular IP address, and redirect them to another!

This means we can accept calls from unmodified boxes and connect them to the new server, with only a simple change to the telephone number required, that can be done via the standard TV menus and remote control.

Stage 3 - updating the TiVo
One of the points that has been made is that the replacement server is using software that does not implement all the facilities that the original servers provide. This means that the software on the TiVo box still needs to be modified in order to use the new server. This looked to be an issue.

However, with full control of the server, it should be possible to send updates to the box. The standard way is to send a "runme" script, which the box will execute before loading the guide data updates, but this needs signing with a private key that only TiVo Inc hold in order to pass the security checks on the box.

My first thought was to brute force a signature for a simple file that could be used as a launcher for other scripts, but that looked like it would take an unreasonably long time.
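
The signed "runme" check described above, sketched as an added example (not code from this post or from TiVo): a downloaded script is executed only if its signature verifies against a public key held on the box. The RSA/SHA-256 scheme, the openssl CLI, the file names and the throwaway key pair are assumptions made for the demo; the post does not say what the TiVo actually uses.

```shell
#!/bin/sh
# Added illustration, not TiVo's code. Assumptions: RSA + SHA-256 through the
# openssl CLI, hypothetical file names, and a throwaway key pair built here.

# run_if_signed SCRIPT SIG PUBKEY
# Executes SCRIPT only when SIG is a valid signature over it under PUBKEY.
# Returns the script's exit status, or 1 when verification fails.
run_if_signed() {
    script=$1; sig=$2; pub=$3
    # Verify and execute one private copy, so the bytes that were checked
    # are the bytes that run even if SCRIPT is replaced in between.
    copy=$(mktemp) || return 2
    cat "$script" > "$copy" || { rm -f "$copy"; return 2; }
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$copy" \
            >/dev/null 2>&1; then
        sh "$copy"; rc=$?
    else
        echo "runme rejected: signature does not verify" >&2
        rc=1
    fi
    rm -f "$copy"
    return "$rc"
}

# make_demo DIR: constructed sample data (vendor key pair, signed runme).
make_demo() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/vendor.key" 2>/dev/null || return 2
    openssl pkey -in "$dir/vendor.key" -pubout -out "$dir/vendor.pub" || return 2
    # The sample runme leaves a marker file so a run can be observed.
    printf 'echo ran > "%s/ran"\n' "$dir" > "$dir/runme"
    openssl dgst -sha256 -sign "$dir/vendor.key" \
        -out "$dir/runme.sig" "$dir/runme"
}

demo=$(mktemp -d) && make_demo "$demo" || exit 1
run_if_signed "$demo/runme" "$demo/runme.sig" "$demo/vendor.pub" \
    && echo "signed runme: executed"
echo 'echo extra' >> "$demo/runme"        # modify after signing
run_if_signed "$demo/runme" "$demo/runme.sig" "$demo/vendor.pub" \
    || echo "modified runme: refused"
rm -rf "$demo"
```

A gate like this only protects the code paths that actually pass through it, so every route by which the client can end up executing downloaded content needs the same check.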

However, some digging about in the client code and monitoring the transfers to see how the daily call mechanism works revealed a vulnerability that could be used to download and execute a script.

It was much simpler than I expected!

(Full details have been removed since this blog post was first published to prevent abuse outside the areas where service is not provided.)


Stage 4 - updating the TiVo
Now it's up to someone else who knows what changes need to be made!


PS: This is for the UK TiVo running software version 2.5.5 - I have no idea if this works on other versions.
