Infrared Brute Force Attack Unlocks TiVo

While the era of the TiVo (and frankly, the idea of recording TV broadcasts) has largely come to a close, there are still dedicated users out there who aren’t quite ready to give up on the world’s best known digital video recorder. One such TiVo fanatic is [Gavan McGregor], who recently tried to put a TiVo Series 3 recorder into service, only to find the device was stuck in the family-friendly “KidZone” mode.

Without the code to get it out of this mode, and with TiVo dropping support for this particular recorder years ago, he had to hack his way back into this beloved recorder on his own. The process was made easier by the simplistic nature of the passcode system, which only uses four digits and apparently doesn’t impose any kind of penalty for incorrect entries. With only 10,000 possible combinations for the code and nothing to stop him from trying each one of them in sequence, [Gavan] just needed a way to bang them out.

After doing some research on the TiVo remote control protocol, he came up with some code for the Arduino using the IRLib2 library that would brute force the KidZone passcode by sending the appropriate infrared codes for each digit. He fiddled around with the timing and the delay between sending each digit, and found that the most reliable speed would allow his device to run through all 10,000 combinations in around 12 hours.

The key thing to remember here is that [Gavan] didn’t actually care what the passcode was, he just needed it to be entered correctly to get the TiVo out of the KidZone mode. So he selected the “Exit KidZone” option on the TiVo’s menu, placed his Arduino a few inches away from the DVR, and walked away. When he came back the next day, the TiVo was back into its normal mode. If you actually wanted to recover the code, the easiest way (ironically) would be to record the TV as the gadget works its way through all the possible digits.

Back in 2004, there were so many TiVo hacks hitting the front page of Hackaday that we actually gave them a dedicated subdomain. But by the end of 2007, we were asking what hackers would do with the increasingly discarded Linux-powered devices. That people are still hacking on these gadgets over a decade later is truly a testament to how dedicated the TiVo fanbase really is.

[Thanks to Chris for the tip.]

44 thoughts on “Infrared Brute Force Attack Unlocks TiVo

  1. I’d hope they hide the code when you’re entering it on the screen, else kids are going to learn what it is very quickly. Makes ‘recording the screen’ pointless.

    of course, there’s many simple ways to check what is on the screen and have the code paused once it changed significantly. A job for another day perhaps? (When he realise he needs said code to do 101 other things on the system?)

    1. time stamps and logging, sync the video to the code and then just watch for the screen change and look in the log file for the time entry that corresponds.

      Or just simply 4 7 segment displays attached to the Arduino that display the code being entered.

      I wouldn’t even worry about pausing the code upon some change in the screen, the code for recognizing what is happening on the screen would be overly complicated when compared to some of the other ways to do it.

      1. Point a video camera at the TV with the 7 segment display in frame.
        That seems like the simplest option. Maybe make the camera a RasPi that can run open CV and detect when the screen changes after kid mode has been exited and just save the seconds leading up top that so you don’t have 12 hours of video to go over.

      2. Hi Mike,

        For most of my runs, I used a MicroView OLED display / MCU to track the number being tested – though due to the run time, I would normally leave it overnight. If I was making one for someone else, I’d go with a 4, 5 or 8 x 7 Segment Display (one for the current passcode, and one for the current iteration). I’d probably also add a button for Start / Pause and Hold-To-Reset.

        I simplified (and re-tested) the circuit and code when I was writing it up to make it easier for people who don’t have much experience or equipment to use.

        You’re right that I didn’t have any mechanism in place to detect success. If the screen was unlocked, I knew that it had worked. I did think about some form of change detection to identify if it had worked – likely some kind of screen intensity (via an LDR) or colour change from some kind of colour measuring device. Like you, I decided that this would likely be too complicated for this particular problem.

        I ran it twice – once to exit KidZone, and once to turn off the KidZone.

        Gavan.

    2. Right, it shows four little TiVo logos instead of the actual digits when they are entered on the screen.

      But the Arduino is spitting out every attempted code over serial complete with a time code, so with that and the recording of the screen it shouldn’t be too hard to figure out which one popped the lock.

      1. Hi Tom,

        I actually ran the unit with a MicroView for UI output, and simplified (and retested) the circuit when I published to GitHub. Here’s a live action photo: https://photos.app.goo.gl/i2ooM6z4VBxr4Y1S6

        I didn’t have a long enough USB cable to reach from a powerpoint, and didn’t want to leave my laptop perched precariously on the cabinet. I actually ran this from a 9V battery pack.

        Cheers,

        Gavan.

    3. Record the TV and the Arduino and you can see the IR light in a camera recordings the TV. From that you could possibly decipher the code from the flashes. You could also use the timing to narrow down the code from the video. Alternately you could output the code to a display as it sends it to the TiVo and record both. There are a lot of ways to pull this off.

  2. The level of security is dependent on the nature of what is being secured. You don’t really need a Yubikey to protect against your kids seeing something they shouldn’t. Unfortunately there is (or was) one exterior door keypad lock that had the same security as described here–only four digits and no penalty for being wrong. That would be a concern since there the risk is someone getting into your house.

    As to why people still use DVRs the reasons should be obvious. They are more reliable than streaming, sports and commercial skip.

    1. The sports crowd really love their DVRs. A lot of video enthusiast also prefer the picture quality of OTA broadcast TV to that of streaming and cable. Others have bandwidth caps and OTA TV with a DVR keeps them from exceeding caps.

      I like my Tablo DVR because it’s cheaper then cable, I like to skip commercials, I occasionally save content for later, and often our primetime shows overlap.

    2. Sybex locks are most definitely still in use. They slow an intruder down which is sometimes enough. Of course you’d want to spray some graphite on the keys to highlight which ones are most used.

  3. “While the era of the TiVo (and frankly, the idea of recording TV broadcasts) has largely come to a close, there are still dedicated users out there who aren’t quite ready to give up on the world’s best known digital video recorder.”

    Cord-cutters and rabbit ears.

      1. Not everyone has access to uncapped broadband. My house in the city does, but my parents’ house 2 miles outside of the city limit doesn’t have access to anything aside from dialup, Cellular internet, and satellite. They had 4G cellular internet, but with a data cap of only 30GB streaming can blow through that in a day. They recently switched to Satellite with a 60GB data cap. Both of these plans claim they will only throttle you after you hit the limit “under times of congestion”, but with one of them operating a home based internet business and the other having to remote in as on-call for a tech job they can’t risk being throttled back to 600mbps or less.

        This is the case in a large part (geographically) of the US. The broadband maps show them as having access, but that is to a DSL service who’s circuits are all full and a long wait list. For people in these locations, streaming is a very limited or nonexistent option so DVR is the best way to go.

        1. Hi Hooty,

          I definitely agree.

          Australia does have some similar issues with capped broadband and rural/remote access, there is now a government sponsored project here to roll out “The NBN” (National Broadband Network) to improve speeds everywhere (with satellite for rural/remote).

          While I’m now lucky enough to be on a (moderately) high speed network that predates the NBN (my speeds are roughly 20Mbps download, 5Mbps upload), I haven’t always lived in locations with that speed. I spent several years with 400Kbps download, and capped traffic.

          The TiVo does / did indeed work very well in those situations – plus Netflix online wasn’t always available here – nor were the other streaming catchup services from the major domestic broadcasters.

          Cheers,

          Gavan.

      2. Are you in the USA? My Samsung Smart TV has DVR functionality – outside North America. Same model of TV, different options in its operating system. If I could flash EU software to it, it probably would be unable to tun in North American ATSC channels.

      3. You shouldn’t even post anything you do not have the facts!
        I just bought a 4K TV this past week with all this apps that can be downloaded it came with Fire TV but it did not come with a DVR!
        As far as watching the same programs on Netflix has on regular TV you are extremely wrong Netflix doesn’t have all the shows that cable has so you should just not even comment cuz again you do not know what you’re talkin about. you did not have your facts straight why don’t you post something here that is factual!.
        Netflix has a heck of a lot conten and selection of different genres t then cable does!

    1. I have Comcast for my ISP (thank you for your condolences). I have their bottom level of TV access (at $14 more a month) that gives me the 5 majors, two PBS, two old TV channels (7*24 Mash!) and 5 channels of other stuf. So we Tivo the broadcast shows. All of the Tivo’s in the house are connected, so I can watch what I want in the Robot Lab. While the total cost of Comcast and Tivo’s fees is on the line, the Tivo with Season Pass and the skip commercials is worth it. It was also cool to watch the entire series of Lost in Space!

      1. Forgot to say that I hate smart TV’s, they take 2+ minutes to boot up. Who knows what cruftware they are running that will stop and what data they are sending back and who it’s going to. Give me a plain instant on TV any time.

    2. Hi Ostracus,

      If I’m still using a TiVo, you should see how old my TV is!

      I have a fairly old (by modern standards) 32″ TV that I still use because it works, I don’t need a bigger one, and it was one of the last few widely made LED/LCD TVs that was made with a matte screen.

      There’s a few reasons why a local DVR/PVR is still a good fit for me, even though I use a smart blu-ray player for Netflix, SBS and ABC online services.

      * Our regional Netflix (Australia) doesn’t have as much content as the US (though VPN might be an option) – there are still some things I can’t get
      * Australia has two excellent national broadcasters – the ABC and the SBS. Although they also have a lot of content available through their online services – there are still some programs (especially news) that are not placed online.
      * I can upload DVD’s to repeat play easily (since it has a 1TB HDD)
      * I already had the TiVo, and prefer to reuse where possible.

      Plus, it was a fun project to work on with parts I mostly already had laying around (I just needed the IR transmitter and receiver).

      Cheers,

      Gavan.

      ABC – https://www.abc.net.au/
      SBS – https://www.sbs.com.au/

    3. Granted TiVo has been around for awhile. I don’t see it being the end of its reign.I just got rid of my DVR external that sucked it only had one tuner in it which the TiVo has 4 tuners . I had to have DVD’S and now I have no DVds with having the TiVo. I threw out 200 of those and I’ll tell you that really opened up the space in my entertainment center . As well as I can get apps and other stuff with the TiVo service so I for one don’t see this Tech being obsolete. I can get apps such as Hulu Netflix Firefox YouTube so this device is not at its end it is still quite useful.! It uses Android apps so I can get any app I want! People don’t write off the TiVo. just because you’re all techno snobs and you think it can’t do what the current tech can do

  4. Thats nothing to fancy for sure, but it’s a nice little problem showing that having some knowledge in electronics and programming can be useful. It’s like knowing the basics of command line to get that little option that is not in the GUI.

  5. Seems like an improvement could be to start with common passcodes rather than start from ‘0000’ and try all 10,000 permutations. 1234 still accounts for 10% of 4 digit codes so why not start there. There’s further breakdowns of common codes with 9999 and alternating digits eg; 1212 taking up some more common codes. Geometric patterns are also common given the grid layout of the keypad.

      1. Hi Leithoa,

        That is quite interesting – I think I would definitely look at this if I need to do this again. I think the actual passcode was around the high 19xx values.

        I did “cheat” a little in a second run by starting at 1000 instead of 0000 to make it a bit faster.

        Including a small table of the most common values would work well – though I’d need to double check on the program space available on the Arduino / ATmega chip if I was going to include a larger table.

        Likely a hybrid approach would make sense – have a short list (maybe Top 100), then check 1900-2100, and then brute force again (since the time saving of 300 checks out of 10K probably isn’t worth the complexity of excluding them).

        Gavan.

    1. Yeah absolutely. For a quick and dirty hack like this Gavan probably didn’t think it was worth the time/effort, but if you were creating a more robust IR “cracking” program, it would make sense to hit the most common ones first.

  6. “While the era of the TiVo (and frankly, the idea of recording TV broadcasts) has largely come to a close…” WHAT PLANET ARE YOU ON?? If I can’t record TV broadcasts, my viewing days are over. I watch nothing “live” and I will NOT be held hostage to “streaming”. Not everyone watches TV the way you think they should.

    1. Hey Bill,
      I was gonna say the same thing. I know Spectrum/Charter, FiOS, and a couple others do not allow you to fast fwd through commercials if watching on demand content. And while I’ve never owned a TiVo unit per se closest thing was my early direct TV recorder which used TiVo tech, I think I would be much happier with a TiVo than anything a provider would offer.

      1. the tivo is better than most of the other ones – and is easy to take out the security chip – put your own one in and mode the softare to do what you want ;-) The wife still users hers quite a bit…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.