PROM socketing

[KRavEN]

I know this is pretty self serving, but I keep seeing posts by people wanting to get this done and contemplating doing it themselves and this is something that should really not be attempted by someone that doesn't know what they are doing. It is very possible to render your TiVo totally worthless if you screw it up.

Unless you really know what you are doing with an iron, don't attempt it!

To remove the prom requires a special tip that can heat all pins on the prom at once so that it can be removed. Hot air can also be used to remove it. Last case is trying to use solder wick, but that would be very difficult to ensure all the solder is removed well enough that you don't damage the pads on the board when remove it.

Next the socket. Sockets in general are pretty hard, but PLCC (TiVO prom formfactor) sockets are much easier compared to TSOP sockets (xbox bios formfactor). There is still pretty much a requirement for a stereoscope or some other sort of magnification as the soldering is done on tiny points inside the socket itself and you have to be carefull not to bridge the legs or melt the pastic of the socket that is very close to the legs.

Flashing the prom also requires special equipment like a DATA I/O device that has PLCC sockets and is designed to flash chips. It may also be possible to flash the bios in motherboards that have a socketed PLCC bios chips in them. I have an ABIT BX2 that has this bios and socket, but I've not tried to flash non pc bios chips with it. I'm sure it's possible with the right software, I've just not looked for it.

If anyone is wanting to get this done, I have the facilities and the experience replacing and socketing the S2 TiVo proms. I can do both SA and DTiVo versions. Send me a PM if you are wanting to get it done, just don't screw up your TiVO cuz you don't know what you're doing.

---

UPDATE by alldeadhomiez, 7/24/2004:

KRavEN is no longer offering this service.

Sleeper and MudShark will socket and reflash your PROM for $50 plus shipping. Or, keep reading this thread to learn how to do it on your own.

At the time of this writing, the only model which needs a compromised PROM in order to boot a hacked drive is the HR10-250 (HD TiVo). It is suspected but not confirmed that the upcoming "silver" Series2 standalones may also require this modification.

UPDATE by JJBliss, 12/21/2004:

Sleeper is no longer a member of this Forum. Mudshark is, and has visited the forums recently. I am unaware if Mudshark is still doing PROM mods.

The HR10-250 no longer requires a modified PROM in order to boot modified software. killhdinitrd supports this unit as well as other non Series 2.5 units. Series 2.5 (nightlight and R10) units still require PROM socketing or modifications as of this writing.

[cali]

Kraven:

Is the PROM code publicly available?
Is the ONLY purpose of the prom code to allow Bash?
I have a series and have so far been able to d 120GB and Bash.


Thanks
Cali

[mrblack51]

Quote:

Originally posted by cali
Kraven:

Is the PROM code publicly available?
Is the ONLY purpose of the prom code to allow Bash?
I have a series and have so far been able to d 120GB and Bash.

There are only two changes needed to the prom code. If you grab the code off of your drive, the needed changes via a hex editor are simple enough.

The purpose of the modified prom is to allow booting of unsigned kernels. Bash is a visible effect of that. Basically, the kernel has signatures for everything in the root partition thats worth messing with, and deletes anything without a good signature. this prom hack lets you modify the kernel, thus allowing you to compromise that check. once that is done, you can do whatever you want.

[MuscleNerd]

The patches I came up with are posted over on AVS in this post . But yeah like Kraven said, knowing them and applying them are very different

By the way...I think at the time I was going for smallest patch possible. But with that version, it still computes the kernel and bootrom SHA hashes. Even though the comparison of final hash values is ignored, it still slows down the boot cycle. But I guess nobody has noticed

[mrblack51]

Quote:

Originally posted by MuscleNerd
The patches I came up with are posted over on AVS in this post . But yeah like Kraven said, knowing them and applying them are very different

By the way...I think at the time I was going for smallest patch possible. But with that version, it still computes the kernel and bootrom SHA hashes. Even though the comparison of final hash values is ignored, it still slows down the boot cycle. But I guess nobody has noticed

so this patch doesnt have the 'speed increases' that the s1 dtivo prom upgrade offered. ah well, while that would be nice, these have the needed effect.

thanks for your work btw

[cali]

Thanks for the replies guys. I have lots of prom chips at work and a nice data i/o less than 10ft away.
Ill get around to it one day....


cali

[geowar]

cali> Is the ONLY purpose of the prom code to allow Bash? I have a series and have so far been able to d 120GB and Bash.

How are you BASHing wo/PROM hack? I dd an old 3.0.2 kernel and BASH_ENV it to get in. My TiVo has the '39 part; I'm investigating getting it to flash in place.

[cali]

Im using the one version that allows you to do the hack...2.015 or something like that...

Look for mrblacks post on his hacking experience; everythign you need is in there.

Took me about a good hour to do it the first time.

[geowar]

>Im using the one version that allows you to do the hack...2.015 or something like that...

I'm using 3.0.2 which has USB network device support and also allows the BASH_ENV hack. v3.2 prevents the BASH_ENV hack.

I'll go read MrBlack's posts to see if there's something I missed. Thx. ;-)

[lazerexp]

Wouldn't another reason to do the PROM hack be that you can run any version of the software?


Kraven you still doing the mod?

[KRavEN]

Yeah I am. Primary reason for the new prom is to get in without the bash_env backdoor plus it's currently the only known way in with 3.2 software.

It's also very usefull if you want to compile and run your own kernel.

[KRavEN]

I now have the service in my webstore. Go here:


Prom Socketing Service under Hardware -> new in box -> accessories

[MuscleNerd]

Quote:

Originally posted by KRavEN
Yplus it's currently the only known way in with 3.2 software.

That post was before monte was publicly released (still, having a modded prom simplifies the boot process).

[SurfBoy]

what does PROM socketing do for the S2?

[MuscleNerd]

There are several links in the "chain" that keeps the S2 secure. By using a modded PROM, the very first link in that chain is broken, bypassing all the other links (BASH_ENV, the need for monte, etc).