We have our work cut out for us since we don't have the major advantage that the TiVo hackers have: Linux.
I think there are benefits to doing this underground, instead of on AVSForum, one of which is not having to answer a bunch of "what's the status?" questions. Also, the programmers might not be so quick to fix a back door that they don't know is open.
I've listed reasons, goals, questions and some of my info below.
Please let me know if you are interested. Thanks.
who am I?
2. to enhance the product
3. because it's fun
CFP, hidden zones, Easter eggs
I've been playing around with the dial-up. I looked up a lot of access numbers on Replay's site and searched for them on Yahoo. Many ISPs list these numbers, such as SurfGuard, which says it only uses AT&T. I also found many numbers in iPass's list. iPass lists several toll-free numbers, but I don't think Replay's login is set up on them.
It's easy to force the unit to dial any phone number by setting the "dialing prefix" to the number you want to dial (instead of *70, to disable call waiting). It will call that number, then harmlessly dial the remaining digits. Also note that the "Input" button inserts a W to wait for dialtone, rewind backspaces, and stop clears the field.
I also used an old Radio Shack demon dialer to connect the unit directly to my PC. I hum into a phone since there's no dialtone, and the box happily dials. When it's through dialing, I type ATA on a terminal program on the PC. Here's a dump.
In the old days, I tape recorded the line when I dialed into a BBS with my PC. I was able to play the tape back to my modem and watch the session. By setting the modem up as originate or terminate, I could see both sides. I'm not sure if this is still possible, since modern modems have to train, etc.
By having the RTV unit dial my PC, I found that it's using the login name rns11lka@replaytv.net, but I don't know the password.
I built a 25-pin M to 25-pin F cable, then tapped RX and GND to a 9-pin connector. I hooked that to my laptop, ran a term program, and captured everything sent by the RTV unit to my PC when attempting to dial in. I verified the login name, and got the password as well. I was able to create a Windows DUN connection to my local RTV # using the login name and password, but I'm not sure what's next. Probably an FTP somewhere? I guess I could probe around the RTV unit's board looking for serial data to capture to the laptop.
I am having problems getting the RTV unit to dial into my PC since its login name is so long. As far as I can tell, Windows' limit is 19 or 20 characters, but it's sending 21.
I hacked one of the registry files that I found and shortened the login name. I created the same name on my PC and was able to get the RTV unit to dial up and connect. I could ping the unit, but not FTP, telnet or surf to it.
There's a bunch of text that appears to be valid screens, but I don't know how to get them to display.
611 Service Screen Got it!
Somehow you can pull up this screen. It contains 4 configuration items: Unit Type (Replay/Panasonic), Country (US, Japan, Canada, UK, Mexico), Replay Zone Prefix (?), and Raw Dialup #. If you hit 611+Z, the unit does not go to the Zones screen as it does with unknown codes (such as 231+Z, for instance). It looks like a flag is checked, and if it's disabled, nothing happens. Maybe you type something into the claw foot portal to enable it? I found a registry setting on the hard drive called Software/ServiceScreen Enabled, but setting it to TRUE still doesn't make 611+Z work.
111+Z also does not go to the Zones screen (but when you set Software/DBG Enabled to TRUE, 111+Z tic-tac-toe!)
Customization
There is a customization screen that lets you change the color palette, add/remove channels, edit dialing settings, toggle demo mode, and set the date and time.
Miscellaneous
Before setting up the RTV the first time, I think 777+RZ lets you set an option to preserve the demo after setup.
Text
There's a reference to Precise Software, www.psti.com and MQX, leading me to believe that's the RTOS used.
PMON is also on the drive.
There are many shell commands listed, as well as shell scripts. Maybe there's a way to open a shell window from the CFP? Got it!
utilities
test the PMON serial port
capture closed captioning to file
mount/format/test
mountfat
dumppart/mkpart/addpart/rmpart - OMFS/FAT16/FAT16s/FAT12
Working from Robman's description, I wrote a program to convert the Pronto ReplayTV codes to binary. Here's an example of the power toggle code:
0000 0072 0000 001c 0060 0020 0010 0010 0010 0010 0010 0020 0010 0020 0020 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0020 0020 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0020 0010 0010 0020 0010 0010 0010 0f64

The program's output:

36360.933755 Hz, 28 pulses, 34 bits
------ - - - - -- - - - - - - -- - - - - - - - - - - - -- - - -
__ _ _ __ __ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ __ _
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
1 1 1 0 1 1 1 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0
03 B9 01 00 0C

I found this table on the hard drive.
00AED980 65 6C 6C 00 6D 6F 64 65 5F 72 65 70 6C 61 79 74 ell.mode_replayt
00AED990 76 00 00 00 6D 6F 64 65 5F 63 62 6C 65 00 00 00 v...mode_cble...
00AED9A0 6D 6F 64 65 5F 73 61 74 00 00 00 00 6D 6F 64 65 mode_sat....mode
00AED9B0 5F 72 63 76 72 00 00 00 6D 6F 64 65 5F 64 76 64 _rcvr...mode_dvd
00AED9C0 00 00 00 00 6D 6F 64 65 5F 76 63 72 00 00 00 00 ....mode_vcr....
00AED9D0 6D 6F 64 65 5F 74 76 00 65 78 70 5F 32 00 00 00 mode_tv.exp_2...
00AED9E0 65 78 70 5F 31 00 00 00 69 6E 70 75 74 00 00 00 exp_1...input...
00AED9F0 72 65 70 6C 61 79 67 75 69 64 65 00 69 6E 73 74 replayguide.inst
00AEDA00 61 6E 74 72 65 70 6C 61 79 00 00 00 63 6F 6D 6D antreplay...comm
00AEDA10 65 72 63 69 61 6C 73 6B 69 70 00 00 63 61 74 63 ercialskip..catc
00AEDA20 68 75 70 00 73 74 6F 70 00 00 00 00 72 65 77 69 hup.stop....rewi
00AEDA30 6E 64 00 00 66 61 73 74 66 6F 72 77 61 72 64 00 nd..fastforward.
00AEDA40 70 61 75 73 65 00 00 00 70 6C 61 79 00 00 00 00 pause...play....
00AEDA50 72 65 63 6F 72 64 00 00 63 68 61 6E 5F 67 75 69 record..chan_gui
00AEDA60 64 65 00 00 64 69 73 70 6C 61 79 00 65 78 69 74 de..display.exit
00AEDA70 00 00 00 00 65 78 65 63 75 74 65 00 6D 65 6E 75 ....execute.menu
00AEDA80 00 00 00 00 6E 6F 72 74 68 77 65 73 74 00 00 00 ....northwest...
00AEDA90 77 65 73 74 00 00 00 00 73 6F 75 74 68 77 65 73 west....southwes
00AEDAA0 74 00 00 00 73 6F 75 74 68 00 00 00 73 6F 75 74 t...south...sout
00AEDAB0 68 65 61 73 74 00 00 00 65 61 73 74 00 00 00 00 heast...east....
00AEDAC0 6E 6F 72 74 68 65 61 73 74 00 00 00 6E 6F 72 74 northeast...nort
00AEDAD0 68 00 00 00 72 65 73 65 72 76 65 64 00 00 00 00 h...reserved....
00AEDAE0 63 68 2D 00 63 68 2B 00 6F 66 66 00 6F 6E 00 00 ch-.ch+.off.on..
00AEDAF0 70 6F 77 65 72 00 00 00 6A 75 6D 70 00 00 00 00 power...jump....
00AEDB00 65 6E 74 65 72 00 00 00 39 00 00 00 38 00 00 00 enter...9...8...
00AEDB10 37 00 00 00 36 00 00 00 35 00 00 00 34 00 00 00 7...6...5...4...
00AEDB20 33 00 00 00 32 00 00 00 31 00 00 00 30 3...2...1...0
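Going back to the Pronto power-toggle code quoted above: the following is an added example, not the converter described on this page. It decodes a Pronto CCF hex code using the Pronto learned-code layout (four header words: format, carrier divisor, number of mark/space pairs in the once sequence, number in the repeat sequence; then the pairs, each word counted in carrier cycles). The 0.241246 microsecond clock period is the Pronto's documented timing constant; the frequency it yields for divisor 0x0072 is about 36.36 kHz, which is why the figure in the output above is in Hz. The 34-bit and hex reading in the output above is the page author's own and is not reproduced here; this code stops at timings and a mark/space diagram, and also flags the one thing worth checking first when a pasted code does nothing, a header pair count that disagrees with the data actually present.

```python
"""Decode a Pronto CCF hex code (the format of Robman's ReplayTV codes).

Added example, not the page author's converter. It uses the Pronto
learned-code layout: four header words (format, carrier divisor, number of
mark/space pairs in the once sequence, number in the repeat sequence), then
the pairs, each word counted in carrier cycles. PRONTO_CLOCK_US is the
Pronto's timing-clock period.
"""
PRONTO_CLOCK_US = 0.241246  # period of the Pronto's 4.145 MHz timing clock, in microseconds

# The power-toggle code quoted on the page, used here as sample input.
POWER_TOGGLE = "0000 0072 0000 001c 0060 0020 0010 0010 0010 0010 0010 0020 0010 0020 0020 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0020 0020 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0010 0020 0010 0010 0020 0010 0010 0010 0f64"


def parse_pronto(hex_code):
    """Return carrier frequency, declared pair count and each pair in microseconds."""
    words = [int(w, 16) for w in hex_code.split()]
    if len(words) < 4:
        raise ValueError("need at least the four header words")
    fmt, divisor, once, repeat = words[:4]
    if fmt != 0x0000:
        raise ValueError("only learned (format 0000) codes are handled, got %04x" % fmt)
    if divisor == 0:
        raise ValueError("carrier divisor 0 is not valid")
    body = words[4:]
    if len(body) % 2:
        raise ValueError("burst data must come in mark/space pairs")
    cycle_us = divisor * PRONTO_CLOCK_US  # one carrier cycle, in microseconds
    pairs = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
    return {
        "carrier_hz": 1_000_000 / cycle_us,
        "cycle_us": cycle_us,
        "declared_pairs": once + repeat,
        "pairs": pairs,  # in carrier cycles, exactly as the Pronto stores them
        "pairs_us": [(m * cycle_us, s * cycle_us) for m, s in pairs],
        # A header count that disagrees with the data usually means a truncated or
        # mis-pasted code; check this before blaming the receiver.
        "count_ok": once + repeat == len(pairs),
    }


def to_units(pairs):
    """Express every mark and space as a rounded multiple of the shortest mark,
    so the bit structure shows regardless of carrier frequency."""
    unit = min(m for m, _ in pairs)
    return [(round(m / unit), round(s / unit)) for m, s in pairs]


def diagram(pairs, max_space=8):
    """Render marks as '#' and spaces as '.', clipping the long final gap."""
    return "".join("#" * m + "." * min(s, max_space) for m, s in to_units(pairs))


if __name__ == "__main__":
    code = parse_pronto(POWER_TOGGLE)
    print("%.2f kHz, %d pairs declared, %d found, count_ok=%s" % (
        code["carrier_hz"] / 1000, code["declared_pairs"], len(code["pairs"]), code["count_ok"]))
    print(diagram(code["pairs"]))
```

The diagram normalises to the shortest mark (0x0010 here), so a 0x0020 word shows as two units; comparing the rendered pattern of two captures of the same button is a quick way to spot a learning error without decoding the protocol at all.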
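The dump above is a string table of IR command names, and pulling it out by hand is tedious. The following is an added example, not the page author's code: it rebuilds the bytes from the hex columns of the dump (the ASCII column is not trusted, since "." stands for any non-printable byte) and walks them as NUL-terminated strings padded to the next 4-byte boundary. That padding rule is an assumption read off the dump's own spacing ("on" is followed by two NULs, "stop" by four), so the walker checks every padding byte it skips and refuses to continue if one is non-zero. The first entry comes out as "ell" because the dump begins mid-string, and the last ("0") is reported as unterminated because the dump ends there.

```python
"""Pull the command-name table out of the hex dump quoted on the page.

Added example, not from the page. Assumes the dump layout shown there
(8-digit offset, up to 16 hex bytes, then an ASCII column) and that the
table is a run of NUL-terminated strings padded to 4-byte alignment.
"""
import itertools
import re

# The table as quoted on the page.
HEXDUMP = """\
00AED980 65 6C 6C 00 6D 6F 64 65 5F 72 65 70 6C 61 79 74 ell.mode_replayt
00AED990 76 00 00 00 6D 6F 64 65 5F 63 62 6C 65 00 00 00 v...mode_cble...
00AED9A0 6D 6F 64 65 5F 73 61 74 00 00 00 00 6D 6F 64 65 mode_sat....mode
00AED9B0 5F 72 63 76 72 00 00 00 6D 6F 64 65 5F 64 76 64 _rcvr...mode_dvd
00AED9C0 00 00 00 00 6D 6F 64 65 5F 76 63 72 00 00 00 00 ....mode_vcr....
00AED9D0 6D 6F 64 65 5F 74 76 00 65 78 70 5F 32 00 00 00 mode_tv.exp_2...
00AED9E0 65 78 70 5F 31 00 00 00 69 6E 70 75 74 00 00 00 exp_1...input...
00AED9F0 72 65 70 6C 61 79 67 75 69 64 65 00 69 6E 73 74 replayguide.inst
00AEDA00 61 6E 74 72 65 70 6C 61 79 00 00 00 63 6F 6D 6D antreplay...comm
00AEDA10 65 72 63 69 61 6C 73 6B 69 70 00 00 63 61 74 63 ercialskip..catc
00AEDA20 68 75 70 00 73 74 6F 70 00 00 00 00 72 65 77 69 hup.stop....rewi
00AEDA30 6E 64 00 00 66 61 73 74 66 6F 72 77 61 72 64 00 nd..fastforward.
00AEDA40 70 61 75 73 65 00 00 00 70 6C 61 79 00 00 00 00 pause...play....
00AEDA50 72 65 63 6F 72 64 00 00 63 68 61 6E 5F 67 75 69 record..chan_gui
00AEDA60 64 65 00 00 64 69 73 70 6C 61 79 00 65 78 69 74 de..display.exit
00AEDA70 00 00 00 00 65 78 65 63 75 74 65 00 6D 65 6E 75 ....execute.menu
00AEDA80 00 00 00 00 6E 6F 72 74 68 77 65 73 74 00 00 00 ....northwest...
00AEDA90 77 65 73 74 00 00 00 00 73 6F 75 74 68 77 65 73 west....southwes
00AEDAA0 74 00 00 00 73 6F 75 74 68 00 00 00 73 6F 75 74 t...south...sout
00AEDAB0 68 65 61 73 74 00 00 00 65 61 73 74 00 00 00 00 heast...east....
00AEDAC0 6E 6F 72 74 68 65 61 73 74 00 00 00 6E 6F 72 74 northeast...nort
00AEDAD0 68 00 00 00 72 65 73 65 72 76 65 64 00 00 00 00 h...reserved....
00AEDAE0 63 68 2D 00 63 68 2B 00 6F 66 66 00 6F 6E 00 00 ch-.ch+.off.on..
00AEDAF0 70 6F 77 65 72 00 00 00 6A 75 6D 70 00 00 00 00 power...jump....
00AEDB00 65 6E 74 65 72 00 00 00 39 00 00 00 38 00 00 00 enter...9...8...
00AEDB10 37 00 00 00 36 00 00 00 35 00 00 00 34 00 00 00 7...6...5...4...
00AEDB20 33 00 00 00 32 00 00 00 31 00 00 00 30 3...2...1...0
"""

_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(text):
    """Return (base_offset, data) rebuilt from the hex columns of a dump."""
    base, expected, buf = None, None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", tokens[0]):
            continue
        off = int(tokens[0], 16)
        # At most 16 byte tokens per line. A short line whose ASCII column starts
        # with two hex digits would be over-read; the offset check catches that
        # for every line but the last.
        hexes = list(itertools.takewhile(_BYTE.fullmatch, tokens[1:17]))
        if base is None:
            base = off
        elif off != expected:
            raise ValueError("dump not contiguous: expected %08X, got %08X" % (expected, off))
        buf += bytes.fromhex("".join(hexes))
        expected = off + len(hexes)
    return base, bytes(buf)


def aligned_strings(base, data, align=4):
    """Walk NUL-terminated strings padded to `align`; returns a list of
    (absolute_offset, string, terminated). Non-NUL padding means the
    alignment assumption is wrong, so it raises instead of misparsing."""
    out, pos = [], 0
    while pos < len(data):
        end = data.find(b"\0", pos)
        if end == -1:  # the dump ended in the middle of a string
            out.append((base + pos, data[pos:].decode("ascii"), False))
            break
        out.append((base + pos, data[pos:end].decode("ascii"), True))
        nxt = end + 1
        pad_to = -(base + nxt) % align  # bytes needed to reach the next boundary
        if any(data[nxt:nxt + pad_to]):
            raise ValueError("non-NUL padding at %08X" % (base + nxt))
        pos = nxt + pad_to
    return out


if __name__ == "__main__":
    base, data = parse_hexdump(HEXDUMP)
    for off, name, ok in aligned_strings(base, data):
        print("%08X %s%s" % (off, name, "" if ok else "  (unterminated)"))
```

Run stand-alone it lists 52 entries from "ell" to "0" with their absolute offsets, which is the form you want when cross-referencing the table against the 0x9cxxxxxx pointers mentioned further down.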
I've figured out the basics of the filesystem, OMFS. I've now dumped over 1000 files: nearly 600 BMPs, some .txt files, xml, fonts, and lots more. Here's a pic from an RTV 3060 (NOT a ShowStopper).
I'm using WinHex to search the drive image and to make changes to the drive.
Here's what I've figured out on the filesystem:
I haven't found a directory list yet, but there are 4K-long structures that I'm calling file entries that start on 4K boundaries. There are usually 2 copies, in adjacent 4K blocks. They contain the filename, length and location on the hard drive. Parts of them are 0 or garbage, but other parts are always 00 or FF. I've identified these offsets into the structure: file name at 0x98, file length at 0x198, file type (D for dir, F for file) at 0x53, location on drive at 0x1e0, parent file entry location at 0x18, file date/time at 0x28 in 1000ths of a second since 1/1/70. I have not yet found a "file deleted" flag.
Toots from AVSForum told me how to interpret the directory entries: in each directory file entry at offset 0x1b8 is a list of file entry pointers. These are the files and subdirectories underneath this directory (0xFFFFFFFF means unused). I wrote a program to scan all directories in my first partition, and found 1555 active files in 268 directories. I'm not sure what happens if there are more than 73 entries in a sub-directory, though.
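Putting the two paragraphs above together, here is an added example of a file-entry parser and a 4K-boundary scanner; it is not the scanning program described on this page. The offsets and their meanings are the page's (name at 0x98, length at 0x198, type byte at 0x53, location at 0x1e0, parent at 0x18, date/time at 0x28, directory pointer list at 0x1b8 with 0xFFFFFFFF marking an unused slot). Everything else is an assumption and is marked as such in the code: big-endian fields (the later Linux OMFS driver reads these same fields as big-endian), 32-bit entry pointers (the page's 0xFFFFFFFF "unused" marker is 32 bits wide), 64-bit length and date/time (a year-2000 timestamp in milliseconds does not fit in 32 bits), pointers counted in 4K blocks, and the 73 pointer slots per directory the page reports. The sample image is constructed, not dumped from a drive. Because the page says entries usually come as two adjacent copies, the scanner decodes the neighbouring block too and flags any entry whose copy is missing or disagrees, which is the check you want before trusting a length or location read from a single block.

```python
"""Parse OMFS file entries at the offsets worked out on the page.

Added example, not the page author's scanning program. Offsets are the
page's; endianness, pointer width, block-counted locations and the 73-slot
directory list are assumptions (see the comments).
"""
import struct
from datetime import datetime, timezone

BLOCK = 0x1000
OFF_PARENT, OFF_CTIME, OFF_TYPE = 0x18, 0x28, 0x53
OFF_NAME, OFF_SIZE, OFF_DIRLIST, OFF_LOCATION = 0x98, 0x198, 0x1b8, 0x1e0
NAME_LEN = OFF_SIZE - OFF_NAME  # the name field can run right up to the size field
DIR_SLOTS = 73                  # assumption: the count the page observed, not a verified bound
UNUSED = 0xFFFFFFFF             # the page's marker for an empty pointer slot
# Assumption: fields are big-endian; pointers are 32-bit block numbers; size and
# ctime are 64-bit (ctime in milliseconds since 1/1/70 needs more than 32 bits).


def parse_entry(block):
    """Decode one 4K block as a file entry; None if it does not look like one."""
    if len(block) != BLOCK:
        raise ValueError("an entry is exactly one 4K block")
    if block[OFF_TYPE] not in (ord("D"), ord("F")):
        return None
    raw_name = block[OFF_NAME:OFF_NAME + NAME_LEN].split(b"\0", 1)[0]
    if not raw_name or any(c < 0x20 or c > 0x7e for c in raw_name):
        return None  # a stray 'D'/'F' byte inside data, not a real entry
    (parent,) = struct.unpack_from(">I", block, OFF_PARENT)
    (ctime_ms,) = struct.unpack_from(">Q", block, OFF_CTIME)
    (size,) = struct.unpack_from(">Q", block, OFF_SIZE)
    entry = {
        "type": chr(block[OFF_TYPE]),
        "name": raw_name.decode("ascii"),
        "parent": parent,
        "size": size,
        "ctime": datetime.fromtimestamp(ctime_ms / 1000, tz=timezone.utc),
    }
    if entry["type"] == "D":
        slots = struct.unpack_from(">%dI" % DIR_SLOTS, block, OFF_DIRLIST)
        entry["children"] = [p for p in slots if p != UNUSED]
    else:
        (entry["location"],) = struct.unpack_from(">I", block, OFF_LOCATION)
    return entry


def scan_image(image):
    """Walk the image on 4K boundaries and collect entries keyed by block number.

    Each hit is compared with the following block, since the page says entries
    come in two adjacent copies: mirror_ok is False when the copy is missing or
    decodes differently."""
    n = len(image) // BLOCK
    found, i = {}, 0
    while i < n:
        entry = parse_entry(image[i * BLOCK:(i + 1) * BLOCK])
        if entry is None:
            i += 1
            continue
        mirror = parse_entry(image[(i + 1) * BLOCK:(i + 2) * BLOCK]) if i + 1 < n else None
        entry["mirror_ok"] = mirror == entry
        found[i] = entry
        i += 2 if entry["mirror_ok"] else 1
    return found


def build_entry(kind, name, parent, ctime_ms, size=0, location=UNUSED, children=()):
    """Construct a sample entry; made-up test data, not a drive dump."""
    b = bytearray(BLOCK)
    b[OFF_TYPE] = ord(kind)
    b[OFF_NAME:OFF_NAME + len(name)] = name.encode("ascii")
    struct.pack_into(">I", b, OFF_PARENT, parent)
    struct.pack_into(">Q", b, OFF_CTIME, ctime_ms)
    struct.pack_into(">Q", b, OFF_SIZE, size)
    if kind == "D":
        slots = list(children) + [UNUSED] * (DIR_SLOTS - len(children))
        struct.pack_into(">%dI" % DIR_SLOTS, b, OFF_DIRLIST, *slots)
    else:
        struct.pack_into(">I", b, OFF_LOCATION, location)
    return bytes(b)


def sample_image():
    """Constructed 5-block image: a directory (two copies) holding one file
    (two copies), then an empty block the scanner must reject."""
    ts = 978134400000  # 2000-12-30 00:00:00 UTC, in milliseconds
    root = build_entry("D", "root", parent=UNUSED, ctime_ms=ts, children=(2,))
    script = build_entry("F", "startupscript", parent=0, ctime_ms=ts, size=1234, location=10)
    return root + root + script + script + bytes(BLOCK)


if __name__ == "__main__":
    for blk, e in scan_image(sample_image()).items():
        print("block %d: %s %-14s mirror_ok=%s" % (blk, e["type"], e["name"], e["mirror_ok"]))
```

On a real image, feed scan_image the first partition and treat any entry with mirror_ok False as suspect before using its size or location with WinHex.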
Here's a list of all the directories and files that I found in the first 100M of my drive.
Here are some things I'm still trying to figure out-
How are the CFP commands encoded? CRC? Where's the table? Got it!
What do all the 0x9cxxxxxx words in PTV.bin mean? Pointers? Got it! Likewise, what does RZTB denote? File hunks?
How do you get to a shell? Through the CFP? Registry setting? Serial port? IR? Got it!
There are some funny strings that are null-terminated but also have the length stored in ASCII before the string.
The startupscript mentions a debug switch. I'm guessing it's not populated, just a test pad, or maybe 2 of the serial port lines?
The Sipex SP208 serial interface chip used has 4 drivers and 4 receivers, so maybe there's more than 1 serial port available?
Toots' Win2K upgrade/2-drive patch program
Wolfgang's linux upgrade/2-drive patch program
Flipflop's file extraction program
VBcoder's disk copier/expander
updated 12/30/00
I decided to add a "News" section since there's been a lot going on recently. Many of the things I wanted to get accomplished have been: larger HDs, 2 HDs, setting the clock, finding the config info, login/passwords, the CFP commands, the hidden zones, opening a shell, disassembling some software.