Slashdot Mirror
Distributed TiVo Code Cracking
Twostep writes "With the newest version of the TiVo software (Version 3.2), TiVo has once again changed the secret password to enter "backdoor" mode, which lets advanced users enable hidden features. Unlike last time, people were not able to quickly find the new code, so a distributed computing project was started to find the backdoor codes. You can read about it Here, grab the Linux or Windows clients and pitch in some CPU time for a good cause."
TV! Now there's a cause I can get behind.
If some vendor decides, rightly or wrongly, that giving hardware away is a sensible business model, that doesn't in any way entitle them to any control over what you do with it once you take it home. Think of the stupid CueCat bar code wands from Radio Shack. The "legitimate" application intended for those things is long dead, but people continue to do useful things with the wands using software based on reverse engineering them.
Why are people still buying these devices if they don't offer the features they want or expect out of the box?
- This is a serious question, mod as such.
This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.
Personally I think new law is needed to render this illegal, unless it is under the control of the user.
If you think that sounds extreme, consider that the persistent state for all copyrighted works is that they are in the public domain. It is a temporary aberration of a few years that the works are allowed to be held privately. After that they are meant to be available for everyone. As it is these encrypted fortresses inside consumer products will never yield up their secrets.
God-damn independent people...doing whatever they want to with their own property. This must be stopped!
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Compiles fine on Mac OS X. Just add:
typedef int socklen_t;
to the top of SSocket.h
and change:
-lcrypt
to
-lcrypto
in the Makefile.
-Ben
A different, and possibly more interesting question is this: Why does the builder of the bike chain it to a bike rack *after* you have bought it and not give you the combination to the new lock? The scary thing is that according to the laws passed recently in the United States (by congressmen who likely did not understand the ramifications of what they were voting on), it is not only illegal to unlock your bike, but the original builders of the bike are allowed to lock it down any way they want after you have purchaced it, and it is illegal for you to even discuss the lock with other people or try to unlock it by yourself so you can use the bike. It is generally illegal (not always, but often) to take apart the bike to turn it into a tandem bike. And if you discuss bike locks in general including starting up a website or discussing them via email it's not only illegal, but you might be a political activist, one of the threats to the United States according to the intelligence community:
Political activism on the Internet has generated a wide range of activity, from using e-mail and web sites to organize, to web page defacements and denial-of-service attacks.
Life in these United States scares me of late. People have just about convinced themselves that they don't need to have physical power (the right to bear arms), and society is now casting organized groups in a bad light. First the right to bear arms, now the right to assemble.
And you, a presumably intelligent person, cannot understand that you should have the right to crack into your own private property? Or that there is anything wrong with the fact that you have to do so?
Ah, well...
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
First off, if you really want backdoors enabled, that thread on tivocommunity.com details how to do it by changing the hash yourself. You can change the hash it's checking on the disk and voila, no problem.
So this search is basically pointless, but again, it's only for the hell of it.
How it works:
1. Tivo changed the backdoor code in 3.0 to be an SHA1 hash. So when you input the backdoor code, it hashes it, compares the hashes, and enables backdoors if it matches.
2. The hash for 3.0 was reasonably simple to crack. It was short (6 characters) and so was found quickly. 3.2 is longer (everything up to and including 8 characters has been searched already). That's really all there is to it and why it's now a distributed client.
3. The slashdotting I now expect will probably take the server down. I really wish this hadn't been posted. In any case, too late now.
For more info about Tivo backdoors, see here.
For more info about the 3.0 hash crack (the easy one), see here.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Now I know why IBM wants CPU time to be a metered utility... all the TIVO consumers have to do is buy some CPU time on IBM supercomputers, and voila :-)
I can now see why IBM's business will succeed.
What's under yellowstone?
In TiVo's case, would just removing the backdoor altogether work instead of just putting a new, totally hackable and insecure password on there?
I don't work for TiVo, so I don't know their intentions. But I can speculate. You can do some nasty damage to your TiVo through use of some of the back doors (Node Navigator being the most famous method). So, you get Joe Blow who accidently does this to his TiVo, screws it up, and calls support -- Their costs have now increased.
It's too difficult to remove the backdoors. They're quite useful inhouse during dev/test cycles (a QA tester notices a bug, they can easily view the log files, etc). Two branches of the software, one inhouse with the backdoors, and one w/o them for the public is a lot to deal with. What if you applied a patch to one branch, forgot about the other. Now QA has to test both branches, to make sure they're the same. QA people whine, a lot (rightfully so sometimes). They won't like that.
So, whats the best option? While doing inhouse testing, use a nice simple code (1234). Right before you're ready to GM it, change it the something "impossible" (i.e. uses characters that can't be entered through the TiVo). The code-base is the same, so QA can get away with just running a quick set of happy-path tests. And, this now reduces Joe Blow's chance of killing his TiVo (since he can't enable backdoors), it lowers support costs, and everybody (inside TiVo) is happy. A "win" situation for TiVo.
Of course, a "hacker" can go in and change the code to something that isn't "impossible", but if they screw up their TiVo and call support, support doesn't have to help them this time. They voided their warranty when they opened the case, to pull the drive, to change the backdoor code. Another "win" siutation for TiVo.
Whether or not this is the case, I don't know... But, it sounds very likely to me.
I agree, it wouldn't be very nice to set fire to my Tivo and throw it through your window. Conversely if I rip the silencer off my motor, it would be perfectly OK to drive it around on private land (with permission) 20 miles from the nearest inhabitant (in the UK at least).
One reason I may want to mod the box is this: consider that maybe I want to use and pay for the Tivo service but I also want to add some random feature. That would be in the same league as installing an amp in my car or whatever. I do not expect to have to ask the manufacturer's permission to disassemble my dashboard.
The other reason I may want to crack the unit is that it's my box - I paid for it, I own it, it's on my property.
I take on board your argument supporting varying business models - but I hold that the business model is flawed. Sell the box at a profit and discount the service. In a way Tivo's business model is basically parallel to the "loss-leader" trick employed by supermarkets. They offer something at an attractive discount (actually with a negative profit margin) in the hope that I will buy other products. However, it is perfectly reasonable for me to isolate all the loss leaders and buy them and nothing else, thus making a loss for the company. That's the risk they took. On average it works out well for them (or they'd stop doing it).
I'm sorry - if Tivo want to guarantee that I will buy their service, they shouldn't sell the box on it's own. Or they shouldn't at least sell it at a loss. I can buy a phone without a phone line or rent a phone line without a phone. It would be silly, but I can do it and it doesn't cause the telco or the phone makers any problems.
I generally subscribe to the view "What I own I can take the lid off and poke around" as a starting point. I am very much against any business model which is so flimsy that it needs laws like the DMCA to support it.
All of which is why I've added 2 machines at home to the cracking pool :-)
Sod the DMCA and everything like it in Europe!
Best, Timbo
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
Wrong. I *can* do whatever I want to a 2003 ford mustang. I can remove the muffler, modify the camshaft... hell I can strap a rocket on the back if it pleases me. Obviously the manufacturer won't honor my warranty once I cross certain lines, and obviously because of laws for the common good, I won't be able to legally drive it on public highways after a certain point as well. But at any stage in whatever process, Ford will be more than happy to supply me all the technical data and help I need when it comes to how their car is designed and built - although some of the more advanced manuals come at a reasonable cost.
If TiVo were the same, then they should allow me to turn the box into a linux unreal tournament machine or an X.10 controller or whatever the hell else I want to do with it, and provide specs and documentation as neccesary to boot. They would of course void my warranty and/or tech support when I open the case or make invasive software changes - and at some point down the mod path they may no longer allow me to subscribe to their services, and may even disclaim to me that it's no longer legal for me to hook my TiVo up to a cable/satellite network (however dubious that may be) - but they wouldn't stop me from doing whatever I wanted with the hardware in my own home.
11*43+456^2
A better example might be buying a 2003 Ford Mustang, ripping off the exhaust and installing an aftermarket exhaust system for 2003 Ford Mustangs. If Ford says "but we sell our Mustangs at a loss, the EULA says you will buy parts and maintenance from Ford" you would tell them to go fuck themselves. Likewise when a hardware or software maker tells me what I can do with a product I legally purchased.
I find it amazing that Tivo appologists fall for this type of tactic. The only reason they do is that they have not woken up to the fact that Tivo is not the only maker of PVRs.
I do not expect Tivo to survive. The clueless business model only works if there is no competition. There is plenty of competition in the space and that is only going to increase. Nobody succeeds with a razor and blades business model (the Tivo subscription) when there is a cheaper option flat fee.
Every one of the clueless 'I just want 0.01% of every transaction on the net' payment schemes failled miserably.
But every time we have a Tivo story the Tivo heads rush in to explain why everyone should pay twice the going rate for the technology. It is as pathetic as the Apple appologists, 'Macs are fastest, speed is what matters, buy a Mac, oops they are no longer fastest, well it isn't just CPU power that matters, its benchmarks, no its the pretty case'. Apple's price gouging and constant interface changing games to make old peripherals obsolete should be criticised as much as if not more than Microsoft's tactics. But they get away with it.
I don't want the video to decide what to record, I do that. I want a recorder with a removable disk so that the thing is not always full. There is an interesting port on the back of my DishPlayer PVR, anyone know what it does?
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
It's too difficult to remove the backdoors. They're quite useful inhouse during dev/test cycles (a QA tester notices a bug, they can easily view the log files, etc). Two branches of the software, one inhouse with the backdoors, and one w/o them for the public is a lot to deal with. What if you applied a patch to one branch, forgot about the other. Now QA has to test both branches, to make sure they're the same. QA people whine, a lot (rightfully so sometimes). They won't like that.
Not intending flamebait, but isn't this exactly what we're usually complaining about companies doing? This is one of the highest examples of insecure design. It's not that difficult to remove the backdoor code from the public release, if you code it right to begin with. I know it's just a TiVo, but at some point, a lot of these things that we refer to as "just a" will be network connected, and it's best to start early on best practices, especially since the TiVo is networkable.
Yes, people like to get into their TiVos (and other gadgets) and tinker with them. A friend who has a TiVo does it all the time, and when I see word of a new hack on Slashdot, I usually let him know. That being said, he's perfectly well aware that what he's doing can seriously screw him if he breaks something. If TiVo really wanted to lock people out, they'd disable the backdoors to begin with, and if they really needed to see the logs on a defective unit, they could load it up on a custom system that can pull the logs from the drives after putting them in a read-only configuration. It wouldn't stop everyone from getting in, but it would stop all but the most determined.
You can never go home again... but I guess you can shop there.
From a post (from "Otto", discussion forum, 10-31-2002 08:14 PM):
So, people: Relax. And: If you want to join Just For Fun[tm] (like I do), do it.
42. Easy. What is 32 + 8 + 2?
"!seineew era sreenigne VTetamitlU"
+++ UGUCAUCGUAUUUCU
I think the persistent state for all copyrighted works made after Micky Mouse will continue to be copyrighted...
Disney: "You can have Micky Mouse, when you pry it from my cold dead fingers"
What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
They have already tried most of the 9-character space to no avail, and every additional character makes the search take 37 times longer. And, as was said numerous times, when they find it, TiVo will just change it again and tack on a couple more characters.
Plus, there is no verification of results, so surely someone will cheat a la SETI@Home just to inflate his score by returning a bunch of bogus results, and the results will be invalid. Worse yet, a truly malicious person could return bad results for a whole lot of valid usernames, and it may be impossible to separate the good results from the bad. (I don't know if the server tracks IP addresses, but those can be spoofed too.)
So, this is kind of futile, but it looks like they're having fun. :-)
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
The code to enable 30-second skips is "select" "play" "select" "3" "0" "select", and does not require the "master back door enable" code referenced by this thread. The "master back door enable" code opens up about two dozen other codes. See the Tivo backdoor page for details.