If VMware scares people there's always VirtualBox, or even qemu (for the brave of heart). Having years of network experience I wouldn't mind wasting an afternoon trying to get a Showstopper proxied through my PC (modem 'dial-in' or direct serial hack). That is, if I owned a Showstopper, which I don't.
I was reluctant to mention this before I took the time to check a Showstopper image with extract_rtv5, but I think the StartupScript could prove a promising avenue of attack.
It appears that the older models don't require a signature file for every script and executable binary worth attacking (the way RTV5K's do).
I obtained this information by using extract_rtv on the image file itself:
Quote:
extract_rtv5.exe "Showstopper&Replay30xximage3.02.rtv" -p1 -lv >3K_files.txt
(decide which files look interesting)
extract_rtv5.exe "Showstopper&Replay30xximage3.02.rtv" -p1 -e ./sys1/etc
(copy files into another folder for examination)
extract_rtv5.exe "Showstopper&Replay30xximage3.02.rtv" -p1 -e ./sys2/etc
(copy files into another folder for examination)
I strongly advise against testing these ideas unless your Showstopper's HDD is completely backed up (or you've already extracted all the shows you want to keep) and you have confidence in your ability to successfully re-image your HDD. If you'd rather have a working box than a door-stop then STOP NOW! Still here? OK. This will require removing the HDD and rebooting your Showstopper TWO TIMES. The plan is to replace some useless commands or comments in ALL of the factory StartupScript files (I have no idea which one will be executed on boot) with commands of your own, while maintaining (or reducing?) the total filesize of each file (and using the DOS-style CR-LF convention (0x0D0A)). Then use extract_rtv to install (overwrite) our substitute StartupScript files onto the originals. Put the HDD back into your Showstopper and let it boot (which may be slower than usual or not entirely successful). After waiting a reasonable length of time (you would know better than I, but I'm guessing 5-10 minutes max) unplug the Showstopper. Finally, remove the HDD and put it back into your computer. Replace ALL the StartupScript files with their originals. The results of your modified commands (like 'copy') in the StartupScript files should be apparent with a quick extract_rtv listing.
.../sys2/etc/StartupScript.Sutter3 (the useless green text is 394 bytes!):
Code:
;PTV/ShellScript
; watchdog must be the very first thing to start (duh!)
watchdog.task 60 3
;assert on
;
fstore disk-available
;
; cd to the active system directory and execute the one-shot
; startup script. This must happen before the main startup
; script to insure that any disk/file reorg happens before
; things in the startup script go looking for them.
; The one-shot script should delete itself.
-cdsys
-script etc/StartupScriptOnce
-cd /
;
; continue with the main startup script
echo "SHELL: EXECUTING StartupScript"
;fsr -f
;fsr -x
romupdate
fpgaupdate
-cdsys
-fstore update 0x42534352 os/rom/bootscreen.bmp
-cd /
mdir -i
errors.dll
tuner.dev
videosrc.dll
vbi.dev
mpegparse.dll
mpegdecoder.dev
CIO.task
standby init
SysLog.task
irrx.task
fp.task
irblaster.dev
AppShell.task
mpegaudioencoder.dev
mpegvideoencoder.dev
rtcsinit
breakifdebug
AppShell init
AppShell LoadStandardApps
echo "Welcome to ReplayTV"
The long comment alone is 272 bytes, more than enough to do some useful things. After removing enough useless text from each file you can add some lines of your own at the end. (You can put your commands anywhere, but I think your best chance is either at the very end or near the beginning.
I'm thinking that because this is a TEXT file the entire reported filesize will be read into memory for execution. You may want to pad the end of your modified scripts with spaces and carriage returns to fluff it up to the original size otherwise duplicate, incomplete, and/or corrupted commands at the end of the original file may be executed.)
Henry, does extract_rtv nullify the target file's remaining contents when overwriting with a smaller file?
Maybe try something like this (219 bytes):
Code:
cdsys
cp -f Customize/credits.txt OS/IRBlaster/C1982.OBJ
cp -f Customize/credits.txt OS/IRBlaster/C2000.OBJ
cp -f Customize/credits.txt OS/IRBlaster/S2000.OBJ
cp -f Setup/p-ir-blaster.panel OS/IRBlaster/IRBTable.txt
ptvio on
(Supposedly you can add a dash or hyphen ("-") at the beginning of each line to prevent errors from causing the script to terminate prematurely. The -f option may not be acceptable in the older shell.)
Explanations:
Quote:
go to current system directory (whichever system booted, the previous version is there as a backup)
copy a 325 byte file as a bogus C1982.OBJ
copy a 325 byte file as a bogus C2000.OBJ
copy a 325 byte file as a bogus S2000.OBJ
replace IRBTable.txt with a 2297 byte file (use extract_rtv to replace it with the original or your modified one)
turn ptvio on (I am still uncertain if 2K/3K's actually have this ability)
Now you have the option of using PTVIO in the future (are 2K/3K's capable of this?), 3 more 325-byte OBJ files (bigger than any factory OBJ) in your IRBlaster directory for future growth, and a 2297 byte IRBTable.txt to accommodate any possible future changes (especially after removing the comments).
If this works then you can replace one of the bogus files with the new DC50X OBJ, and add lots of code entries to the IRTable.txt if needed. Happy testing.
-eslave
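An added example (not part of the post, and not code from extract_rtv or ReplayTV) that carries out the size-preserving edit the post describes: comment lines are stripped to make room, the replacement commands are appended, and the result is padded with spaces and CR-LF back to the original byte count so a shell that reads the recorded file size finds no leftover bytes from the old file. The script excerpt and the candidate commands are the ones quoted in the post; the `-` prefix option relies on the post's unverified claim about error handling, and the filename header check is an assumption based on the listed file.

```python
"""Size-preserving edit of a ReplayTV/Showstopper StartupScript (added example)."""

CRLF = b"\r\n"
HEADER = b";PTV/ShellScript"   # first line of the listed script; assumed present and always kept


def parse_lines(data: bytes) -> list[bytes]:
    """Split on CR-LF (a bare LF is tolerated so hand-edited files still parse)."""
    return data.replace(CRLF, b"\n").split(b"\n")


def is_comment(line: bytes) -> bool:
    return line.lstrip().startswith(b";")


def patch_script(original: bytes, new_commands: list[str], ignore_errors: bool = False) -> bytes:
    """Return a replacement script of exactly len(original) bytes.

    ignore_errors=True prefixes each new line with '-', which the post says
    keeps a failing command from aborting the script (not verified here).
    Raises ValueError when the new commands do not fit in the freed space.
    """
    lines = parse_lines(original)
    if not lines or lines[0] != HEADER:
        raise ValueError("not a PTV shell script (missing ;PTV/ShellScript header)")
    # Keep the header and every factory command; drop comments and blank lines.
    kept = [lines[0]] + [ln for ln in lines[1:] if ln.strip() and not is_comment(ln)]
    added = []
    for cmd in new_commands:
        if "\r" in cmd or "\n" in cmd:
            raise ValueError("one command per list entry, no embedded line breaks")
        added.append(("-" + cmd if ignore_errors else cmd).encode("ascii"))
    body = CRLF.join(kept + added) + CRLF
    pad = len(original) - len(body)
    if pad < 0:
        raise ValueError(f"patched script is {-pad} bytes too long; free more space")
    if pad == 1:
        body = body[:-2] + b" " + CRLF          # one spare byte: trailing space on last line
    elif pad >= 2:
        body += b" " * (pad - 2) + CRLF         # whitespace-only line filling the remainder
    return body


def fits(original: bytes, new_commands: list[str]) -> bool:
    """True if the commands fit without growing the file."""
    try:
        patch_script(original, new_commands)
        return True
    except ValueError:
        return False


def check_patch(original: bytes, patched: bytes) -> list[str]:
    """List problems with a patched script; an empty list means it is safe to write back."""
    problems = []
    if len(patched) != len(original):
        problems.append(f"size {len(patched)} != original {len(original)}")
    stripped = patched.replace(CRLF, b"")
    if b"\r" in stripped or b"\n" in stripped:
        problems.append("bare CR or LF present; use CR-LF only")
    factory = [ln for ln in parse_lines(original) if ln.strip() and not is_comment(ln)]
    current = [ln.rstrip() for ln in parse_lines(patched) if ln.strip() and not is_comment(ln)]
    pos = 0                                   # every factory command must survive, in order
    for cmd in factory:
        while pos < len(current) and current[pos] != cmd:
            pos += 1
        if pos == len(current):
            problems.append(f"factory command lost or reordered: {cmd.decode()}")
            break
        pos += 1
    return problems


# Constructed test input: an excerpt of sys2/etc/StartupScript.Sutter3 as listed
# in the post (the real file is longer).
SAMPLE = CRLF.join([
    b";PTV/ShellScript",
    b"; watchdog must be the very first thing to start (duh!)",
    b"watchdog.task 60 3",
    b";assert on",
    b";",
    b"fstore disk-available",
    b";",
    b"; continue with the main startup script",
    b'echo "SHELL: EXECUTING StartupScript"',
    b"AppShell init",
    b"AppShell LoadStandardApps",
    b'echo "Welcome to ReplayTV"',
]) + CRLF

# The post's candidate commands.
NEW_COMMANDS = [
    "cdsys",
    "cp -f Customize/credits.txt OS/IRBlaster/C1982.OBJ",
    "cp -f Customize/credits.txt OS/IRBlaster/C2000.OBJ",
    "cp -f Customize/credits.txt OS/IRBlaster/S2000.OBJ",
    "cp -f Setup/p-ir-blaster.panel OS/IRBlaster/IRBTable.txt",
    "ptvio on",
]

if __name__ == "__main__":
    wanted = NEW_COMMANDS if fits(SAMPLE, NEW_COMMANDS) else [NEW_COMMANDS[0], NEW_COMMANDS[1], NEW_COMMANDS[-1]]
    patched = patch_script(SAMPLE, wanted)
    print(len(SAMPLE), len(patched), check_patch(SAMPLE, patched))
```

Run it against the real extracted file instead of the excerpt; the six commands from the post do not fit into the short excerpt, which is exactly the case the ValueError reports, and `check_patch` is the listing you want to see empty before writing the file back with extract_rtv.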
