3

I am trying to understand how Tivoization worked; but the Internet is filled with discussions about the legal aspect of the matter, rather than technical details of how it was implemented.

My understanding is that the hardware would refuse to load binaries that were not digitally signed with the private key of the manufacturer. I am assuming that the public key had to be hardcoded or stored somewhere.

Why was it not possible to circumvent tivoization by simply overwriting the public key? What kind of storage mechanism guarantees that it would not get overwritten?

If it was hardcoded, then it is a simple matter of finding the offset in a raw binary file and overwriting that data with another key.

It could have been stored in a security module (like a smart card), but to the best of my knowledge those will dearly protect private keys (storing them in a way that does not allow them to be retrieved), whereas public keys are regarded as "just data" and can be easily extracted and modified (if you have the required permissions).

ralien
  • 265
  • 1
  • 5
  • I don't know how it works, but there is memory that can't be overwritten. For instance classic mask-programmed ROM. Maybe they use something similar? Also using a TPM like you described works because "we programmed it that way". Maybe they made their own implementation but still would use the physical security it offers? – Lucas Kauffman Nov 08 '16 at 10:53
  • Is your question how the TiVo worked? Maybe they used TPM: https://en.wikipedia.org/wiki/Trusted_Platform_Module – Antonius Bloch Nov 08 '16 at 11:01
  • How would you overwrite anything? Do you get your soldering iron, remove the memory and connect it to some other controller? – CodesInChaos Nov 08 '16 at 11:20
  • I just read a blurb that TiVo users overwrote the bios disabling TPM... so no solder required. – Antonius Bloch Nov 08 '16 at 11:24

1 Answer

1

Tivoization was added to the Series 2 line. I tracked down a 2003 TiVo community thread discussing the new protections:

The ROM checks for a signature on the initial ram disk (initrd). The ROM uses TiVo's public signature to make sure it was signed by TiVo's private signature. If it passes, the initrd is loaded. Next, linuxrc (in the initrd) checks files in the system directories against a list of signatures contained in the initrd. If the signature doesn't match, it tries to restore it. If that fails, it won't boot. It also deletes unauthorized files, and removes "dangerous" items from the environment (like BASH_SHELL). It then passes control to the usual Linux startup.

By the end of the thread we find someone has successfully flashed a unit and is offering physical disks with patched versions of telnetd and ftpd. Here he posts his success with at least one variant of the Series 2:

http://www.dealdatabase.com/forum/archive/index.php/t-25116.html

I also found this thread:

http://www.tivocommunity.com/community/index.php?threads/hacking-your-series-2-dtivo-just-got-a-whole-lot-easier.265929/

Antonius Bloch
  • 507
  • 2
  • 9
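The two-stage check the quoted thread describes, modelled in Go as an added example (this is not code from the answer, from the thread, or from TiVo). The ROM stage keeps the vendor public key in a field that is written once at "burn" time and never read from the writable disk, which is the answer to the question's "why not just overwrite the public key": the verifier's key is not on the medium being verified. Stage 1 checks an Ed25519 signature over the initrd image; stage 2 plays the role of linuxrc, comparing every file on disk against the manifest carried inside the signed initrd, deleting unlisted files, restoring altered ones from pristine copies when it can, and refusing to boot otherwise. The file names, contents, the manifest format and Ed25519 itself are assumptions for illustration; the original used whatever signature scheme TiVo chose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Rom models the mask-ROM boot stage. The vendor public key sits in an unexported
// field that nothing writes after BurnRom, standing in for read-only storage: the
// verifier never fetches its key from the writable disk it is about to check.
type Rom struct {
	vendorPub ed25519.PublicKey
}

// BurnRom is the one-time factory step that fixes the public key into the ROM.
func BurnRom(pub ed25519.PublicKey) Rom { return Rom{vendorPub: pub} }

// Stage1 checks the vendor signature over the initrd before handing control to it.
func (r Rom) Stage1(initrd, sig []byte) error {
	if !ed25519.Verify(r.vendorPub, initrd, sig) {
		return errors.New("stage1: initrd signature rejected, refusing to boot")
	}
	return nil
}

// Manifest maps each permitted file to its SHA-256 digest (assumed format). It ships
// inside the signed initrd, so the stage-1 signature covers every entry.
type Manifest map[string]string

// Digest returns the hex SHA-256 of a file's contents.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MakeInitrd serialises the manifest deterministically (sorted, one "path digest"
// line per file) so the same file set always yields the same signed bytes.
func MakeInitrd(m Manifest) []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", p, m[p])
	}
	return []byte(b.String())
}

// ParseInitrd reads the manifest back out of an already verified initrd image.
func ParseInitrd(initrd []byte) Manifest {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimSpace(string(initrd)), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			m[f[0]] = f[1]
		}
	}
	return m
}

// Stage2 models linuxrc: files the manifest does not list are deleted, listed files
// whose digest differs are restored from pristine copies when one matches, and the
// boot is refused when a file cannot be brought back to its signed state.
func Stage2(initrd []byte, disk, pristine map[string][]byte) error {
	m := ParseInitrd(initrd)
	for path := range disk {
		if _, listed := m[path]; !listed {
			delete(disk, path) // unauthorised file
		}
	}
	for path, want := range m {
		if Digest(disk[path]) == want {
			continue
		}
		if orig, ok := pristine[path]; ok && Digest(orig) == want {
			disk[path] = orig // restored from the pristine copy
			continue
		}
		return fmt.Errorf("stage2: %s fails its integrity check and cannot be restored", path)
	}
	return nil
}

// Boot runs the two stages in order; a failure at either stage stops the boot.
func Boot(rom Rom, initrd, sig []byte, disk, pristine map[string][]byte) error {
	if err := rom.Stage1(initrd, sig); err != nil {
		return err
	}
	return Stage2(initrd, disk, pristine)
}

func main() {
	// Constructed sample: a vendor key pair, a two-file system image and its manifest.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rom := BurnRom(pub)
	pristine := map[string][]byte{"/sbin/telnetd": []byte("vendor telnetd"), "/etc/rc": []byte("vendor rc")}
	manifest := Manifest{}
	for p, c := range pristine {
		manifest[p] = Digest(c)
	}
	initrd := MakeInitrd(manifest)
	sig := ed25519.Sign(priv, initrd)

	disk := map[string][]byte{"/sbin/telnetd": []byte("patched telnetd"), "/etc/rc": []byte("vendor rc"), "/bin/bash": []byte("shell")}
	fmt.Println("patched disk, no pristine copies:", Boot(rom, initrd, sig, disk, nil))
	fmt.Println("patched disk, pristine copies:", Boot(rom, initrd, sig, disk, pristine), "files left:", len(disk))

	// A manifest re-signed with any key other than the one burned into the ROM stops at stage 1.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("initrd signed with a foreign key:", Boot(rom, initrd, ed25519.Sign(otherPriv, initrd), disk, pristine))
}
```

The model also shows where the thread's reported bypass has to sit: with the public key fixed in ROM and the manifest covered by the signature, nothing on the writable disk can be changed without either stage noticing, so a "flashed unit" implies the ROM stage itself was altered or replaced, not outwitted through the disk contents.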