Hi all,

I've been using OrenoSP to gain access to my TiVo externally.
For those who don't know OrenoSP, it's a reverse proxy you run on a PC on your LAN, and you connect to it from the internet, and it forwards connections to TiVo. Nice and secure etc etc.

However, due to my PC being somewhat irksome atm, I've got a nicer solution, which may be of interest to a few people.

I have acquired a Linksys WRT54GS (802.11G wireless broadband router). It's upgradable with 3rd party open source firmware.

I've now got said router running the Sveasoft f/w, and I can SSH into the router, and then tunnel into TiVo (or anything else on the LAN).

Much more secure than OrenoSP, and doesn't need my PC on!
And of course, there are mobile SSH clients too, so you can access it on the move...

The router costs about £50 to £80 and the SSH software is free. OrenoSP is now > £150 - although I have an old copy if anyone wants it! :)

Tutorials available on request if anyone wants them.

Why not just post the tutorial?

Mike

Can your TiVo now securely serve TiVoWeb aswell?

ptruman - do you know if a wired linksys router can so the same thing?

>Can your TiVo now securely serve TiVoWeb aswell?

If you have an SSH tunnel to inside of your Lan then you can tunnel TivoWeb through it.

I do a similar thing, but instead of ssh/tunneling via the router I ssh directly into the TiVo instead and securely browse TivoWeb through the ssh tunnel. That does eat a tiny amount of the Tivo's cpu time, when browsing TivoWeb but I've not seen it cause any problems so far.

Is there a quick guide to setting this up tefster? I'm currently using orenosp but having seen the figures people are posting for electricity usage when leaving a PC permanently on, I'm looking for a 'cheaper' solution!

There's an instruction guide within the README in the tarball here (http://www.planetbuilders.org/tivo/),
give it a whirl and let me know how you get on, a couple of
people have downloaded it but the only person so far whom I've
heard feedback from was one of the OzTivo guys who couldn't
get it working due to some wierdness in the C runtime library
version that they are using there.

Cheers tefster. Will give it a crack tomorrow night when I've a bit more time.

As an aside, can anyone compare/contrast opening up a port on the firewall and forwarding it to Orenosp running on a Windows box or forwarding it to an SSH server running on Tivo?

TIA.

Any chance you could post or post a link to your old, pre 1.0 version of OrenoSP?

>As an aside, can anyone compare/contrast opening up a port on the firewall and forwarding
>it to Orenosp running on a Windows box or forwarding it to an SSH server running on Tivo?

The main difference is less reliance on an extra box being up and running.

Running a tunnel via Orenosp and opening a firewall port to it means that you need an extra PC running all the time in order to access TivoWeb, however you do have the benefit of not having to run SSH server software on your Tivo and what's exposed to the outside world (Orenosp) is fairly well tested and stable.

Running an ssh server on the Tivo means having extra software in place on it, but does also mean that you don't need an extra PC running all the time in order to access TivoWeb. However when you are logged into it then as with any software the ssh server will eat up some CPU time, providing you aren't doing massive amounts of data transfer than I doubt that would be a problem though, certainly I've sat in front of Tivoweb/ssh tunnelled sessions and had recordings/play running without a problem. However, the dropbear ssh server port for the Tivo hasn't been hugely stress tested, and the kernel version that the UK TiVos run on is quite old, and so I'm not sure how well they would stand up to say a sustained SYN packet attack.

Am I right in saying that you need to have a specific client installed on the remote device, such as Putty? This would be a major drawback for me if it is, as I often access Tivoweb from my Smartphone.

Putty does SSH but there are SSH clients available for almost all platforms, I've SSH'd into my TiVo from my P900 phone, via the web (Java SSH client applet), etc.

For tunneling, it can be a bit more restrictive as not all clients will set up tunnels,
but there are certainly Java clients which do and so which should run on most
smartphones, and I've used native binary ports of PuTTY on Symbian smartphones

Guess I'll have to do some digging to see if there's a cleint for the proper Smartphones (with a capital 'S') i.e. Windows Mobile 2003SE/5 ;)

There's an instruction guide within the README in the tarball here (http://www.planetbuilders.org/tivo/),
give it a whirl and let me know how you get on, a couple of
people have downloaded it but the only person so far whom I've
heard feedback from was one of the OzTivo guys who couldn't
get it working due to some wierdness in the C runtime library
version that they are using there.I've just given this a whirl but am getting:

./dropbearkey: error in loading shared libraries
libcrypt.so.1: cannot open shared object file: No such file or directoryAny ideas?

Hmm, it should have the crypt routines compiled into the static binary. Unfortunately my
aging Wireless Access Point seems to have finally and so I can't get into my TiVo remotely
at present to check, when I get home I'll telnet into it and see if I have libcrypt on there.

Hmm, it should have the crypt routines compiled into the static binary. Unfortunately my
aging Wireless Access Point seems to have finally and so I can't get into my TiVo remotely
at present to check, when I get home I'll telnet into it and see if I have libcrypt on there.Did you manage to find anything tefster?

Ta.

Odd, it seems that somewhere along the way I acquired a libcrypt in my /var/hack/lib, not
sure where it came from and I don't remember cross-compiling it but there you go :) I need
to pull the drive tomorrow to re-do my network configuration with the new wireless bridge
and so I'll extract the libcrypt library and PM you it.

Cheers :)

here you go (http://www.planetbuilders.org/download/tivo/libcrypt.so.1)

here you go (http://www.planetbuilders.org/download/tivo/libcrypt.so.1)Many thanks. But, I've still got the same error as before. I've created a /var/hack/lib and but the library in there and changed the permissions. I've also put a copy in /var/hack/bin and done the same but still the same error message.

What have I missed? Are there any paths or links that I need to set for /var/hack/lib, or anything like that?

Thanks.

If this is the first library that you've added into /var/hack/lib then you'll need to add
"export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/hack/lib" (without the quotes) to
your .profile (which might be in /var/hack/.profile or might be in /.profile)

Thanks for that; another step forward.

Ok, Dropbear now running but unable to connect using PuTTY. Looking at the PuTTY log, it just seems to hang after "Connecting to a.b.c.d port 80". The PuTTY session window also appears to just hang.

Lo is Up on TiVo.

Any ideas? Thanks again.

Edit: Up and running now. It helps if you connect to the right port i.e. 22!

Got everything running perfectly with one exception. I can't get dropbear to start from rc.sysinit.author; I've tried most combinations of full paths in the shell script, .author and such like. The commands all work perfectly from a BASH prompt but reboot TiVo and everything but dropbear is started.

Any ideas/tips? Thanks again.

You'll probably need to add the /var/hack/lib to your library path within the script, the
.profile is only called for login sessions. Try adding the LIBPATH statement above (the one
you added to your .profile) to the script before the dropbear invocation.

Flippin' 'eck, you're clever :) I didn't think of that one! All working perfectly now. Thanks for all your help.

All I've got to get working now is the IP detection bit in Dailymail_jazz and I can keep the PC switched off; I don't have a static IP and my router doesn't support DynDNS updating and so I have to use DirectUpdate running on the PC).

One final question: Is there any way (or any point) in changing the SSH port number, perhaps to a higher, less likely to be probed number?

Thanks again.

I don't use DynDNS any more as I have a static subnet coming into the house pipe, but
for a while I used this script (http://www.nslu2-linux.org/wiki/HowTo/DynDNSupdate) to update a DynDNS account from a Linux box.

I haven't tried it on a TiVo, but in theory if you grab that, change the path of the shell, and
install the wget TiVo binary and OzTivo resolver library then you should be able to cron-enable the script and have it update your DynDNS account directly from the TiVo.

It wouldn't hurt to have it listening on a much higher port, I would also suggest
only opening up firewall access to it from known/trusted IP addresses and/or
subnets and not having it world-open.

Excellent stuff. I've now got TiVo detecting my WAN IP address and updating my DynDNS account :) PC can now formally be switched off!

One final question: I'm happy about changing the listening port on the non-TiVo/remote end of the tunnel. Is there any way though of changing the port that the SSH tunnel establishes with, or is it fixed at 22?

Many thanks again for all your help with this. My electric bill should be getting smaller from now!

No probs, glad I've helped the ozone layer a little ;)

You can change the port which dropbear listens on by adding a -p <port> to its invocation
command. Or, rather than forward port 22 on your router to port 22 on the Tivo then if your
router allows it remap a higher port on the router's outside edge to port 22 on the TiVo.

You can also change the listening port for the tunnel (ie the port on your client machine
that you browse via) via the SSH command. E.g. if you have dropbear accessed via port 22
(the default) then you can do
ssh -l tivo -L8080:127.0.0.1:80
to set up the client end of the tunnel to listen on localhost:8080
or
ssh -l tivo -L1234:127.0.0.1:80
to make it listen on port 1234, i.e. change the first parameter on the -L command. If you
are using e.g. PuTTY then just change the "source port" parameter on the tunnel definition.

If you do change the dropbear access port to something other than 22 then for
command line ssh clients add "-p <port>", e.g.
ssh -l tivo -p <dropbears_port> -L<localhost_port>:127.0.0.1:80
when you set the tunnel up.

Again though, I would definately suggest that you restrict the IP addresses which can
access your dropbear port so that only known trusted IP addresses can access it.

Hmm, I go away for a while, and someone replies to my thread! :P

In answer to various questions :

1) The Linksys router won't serve HTTPS, it doesn't need to - SSH is the same as HTTPS, your traffic just goes through it (tunnelled) so it won't look secure, but it will be.

2) You need a Linksys WRT54G or WRT54GS to do this. Comet are knocking them out for about £49 for the G and £79 for the GS (54 and 125 Mbps versions respectively)

Make DAMN sure you get a V1, V2 or V3 router. V4s are problematic, and V5s are INCOMPATIBLE with the flash. The version is under the router, and the serial numbers on the box betray the versions. V5 serials start "CDFB".
Google, you'll find the lists :) (I've lost the link)

3) You do NOT REPEAT NOT need SSH running on TiVo, and DO NOT need anything on a PC. You just need the router!

4) I can post the 0.84 Oreno if needed, but seriously, just get the router :)
(it's SOOOO much nicer)

5) The Alchemy ROM runs WOL, so you can wake up your PC if you keep a note of the MAC address and have a WOL capable NIC. Highly useful.

6) The Alchemy ROM runs a DYNDNS client, so you don't have to remember your DNS IP etc....or run it on TiVo!

7) I have two WRT54GS routers running a Meshed WLAN via Alchemy (RAR!) and can get TiVo tystreams to run a 880 mbps via 802.11G. Thats NOT bad...

THE INSTRUCTIONS!

You also need the Sveasoft Alchemy public ROM.
Thats available here > http://www.sveasoft.com/modules/phpBB2/dlman.php?func=file_info&file_id=146
HOWEVER you need to register

Flash your router in the normal Linksys way (read the manual!)

Go to the admin page, enable SSHD, DISABLE password login, and set the SSHD to 443 (compatible with most firewalls)

Make VERY sure you follow the bit which reads :

nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 7490 -j logaccept"
nvram commit

But change 7490 to 443 (or whatever port you're using!)

Follow the instructions at http://hetos.de/sshtut.html
You'll need Putty and PuttyGen (available at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

This step is in conjunction with the HETOS info above.

Then, from whereever you are, with an SSH client and a copy of your private key, you can connect to your public IP, and get a shell on your router.

From there, you can telnet to Tivo. Or, if you use Putty and the instructions on tunnelling from the HETOS site above, you can tunnel web connections into TiVo via your router.

All traffic encrypted, all via 443, "legally" via most firewalls - the snag being you MAY be in breach of work policies as you are opening a secured connection outside/through firewalls....

Either way, it's secure, and allows TiVo or more (Terminal Services anyone?) services to be opened up.....

Next job, see if anyone can get HTTPS forwarding running on a WRT54G/GS to enable you to securely connect to TiVoWeb.

As an aside I am now running DD-WRT V23-beta 2 on my WRT54GS acting as a wireless bridge to a Netgear DG834G, with more than one device attached (unlike Satori and Alchemy) and using WPA wireless encryption. Works fine.

Next job, see if anyone can get HTTPS forwarding running on a WRT54G/GS to enable you to securely connect to TiVoWeb.

Why?!

SSHD on a common port will let you encrypt any traffic you like over a common firewall (using HTTP/S).

SSH is merely a secure shell protocol running over HTTPS (encapsulated and encrypted by default) and you can tunnel from the endpoint. Either setup a tunnelier server on your PC at the router end to get out, OR do what I do, and use Putty to tell the router to let me out whereever I please! (open a 'local' port which tunnels to my router which connects to my IMAP account to check my mail - it's all possible!)

You COULD enforce HTTPS on the router admin port, and MAY be able to set up something on the /www/user directory (virtual (ln) to /tmp/www) which may be riggable - if you can get the onboard CGI to talk to you.

Port forwarding will only "protocol forward" if the remote (TiVo) end supports HTTPS, so you'll have your work cut out - esp. as HTTPS = CPU overhead and TiVo isn't geared for that - unless you want your PC on to do the SSL for you, in which case use Oreno!

The easy options are:

a) Open (forward) tivo from the Router (insecure)
b) Reverse proxy (Oreno etc) from a PC with auth and forwarded ports - add OpenSSL if you want for encryption (but your PC is/has to be on)
c) Attempt port forward to TiVo from the router with ipchaining from a known address (i.e. your work/mobile network)
d) Setup some VERY odd port trigger oddness which you can access from outside to get a connection back to you (dodgy!)
e) SSHD to the router and tunnel into Tivo (a DAMN site more secure AND encrypted)

I have two WRT54GS routers working in Mesh mode, so I have one distributed (single SSID) WLAN in the house, with multiple devices hard wired to each router, and various roaming devices. Alchemy supports WDS (Wireless Distribution Service) to do this. There is a performance hit depending on your config (chain or star) but as mentioned, I can get 880mbps from Tivo (downstairs hardwire to router -> WLAN -> Upstairs router -> my PC).

TiVo sits alongside my PS2 (using XLink KAI to get net access) and behaves admirably.

ptruman - do you know if a wired linksys router can so the same thing?

Not entirely sure - check http://www.sveasoft.com for details. You can run the WRT54G or GS with WLAN disabled, so technically "yes" (the WRT54G and GS are 4 port 10/100 routers with net and WLAN capability) and they (and the WRT firmware) support various bits of Linksys and DLink kit....

The WRT45G (54mbps WiFi G compliant Broadband router) is now LESS then I paid for the BEFW11S4 (11mbps WiFi B compliant Broadband router).....

Sorry, to clarify, if anyone wants, I will post a list of instructions to do this, it just might take a while (I've not checked in about a fortnight and seen lots of responses!)

Also, the copy of Oreno I have is a RAR of my install, so it's not clean (changed configs) - I can tidy it up and repost it, but it is mostly sorted for anyone running IIS on Windows/i386 and wanting access to TiVo

Well, it was great fun setting up Dropbear, name resolution and dyndns updating all on TiVo before Xmas, and it probably saved a few quid not having to have my PC with Orenosp running 24/7.

However, last week my seperate wireless AP went down and so I thought what the heck, might as well get a combined doodah, such as the Linksys WRT54GS, and replace the (working) router too! (PMs if anybody is interested in a Linksys BEFSR41 V2 4 port router) ;)

The WRT54GS was a version 4 model but I had no problems whatsoever re-flashing it with the dd-wrt firmware (you have to flash the mini version first and then the full one, although both do have Dropbear SSH in the builds). Everything up and running very quickly indeed. The website/forums/wiki are very good with easy to follow instructions.

Thanks to ptruman for starting this thread and bringing to my attention what can be done with these routers (and also to tefster for the help in getting all the TiVo based bits up and running previously) :)

Thanks to tefster I have dropbear running on tivo, and it's accessible from the local LAN and from the outside world.

But I have noticed a few odd things when logging in via ssh, in particular the environment variables are a bit screwed up. If I telnet in the environment has:
HOME=/
PATH=/bin:/sbin:/tvbin:/devbin:/var/hack:/var/hack/bin
PWD=/var/tmp as expected.

Logging in via ssh gives:

HOME=/var/hack
PATH=/usr/gnu/bin:/usr/local/bin:/usr/ucb:/bin:/usr/bin:.:/var/hack:/var/hack/bin
PWD=/var/hack which is odd considering most of those directories in the path don't exist on tivo.

Have I done something wrong?

This looks an interesing post but have been putting it off in fear of killing my router but am now going to go for it.. I used to ssh to a seperate linux box on my lan and then I could telnet into Tivo. Also through this I could ftp files to the Tivo.

With this setup will there be any way to get files onto the Tivo remotely? i.e adding modules / logso etc. With this ssh will I be able to scp in?

Cheers

With this setup will there be any way to get files onto the Tivo remotely? i.e adding modules / logso etc. With this ssh will I be able to scp in?Do you mean with Dropbear running on TiVo or on the router (such as with the dd-wrt firmware)?

Either way, the answer's yes :)

Having never used SCP before I thought I'd give it a go to check. I SCP'd (using WinSCP) direct to dropbear on TiVo and all seemed fine. Then I set up an SSH connection to Dropbear on my router (usinf PuTTY) and with the appropriate port forwarding, could then setup an SCP connection to Dropbear running on TiVo. Phew :)

Have I done something wrong?

No, its a "feature" of the ported version :)

The PWD will be set to wherever the shell got invoked from, which will effectively be
wherever the dropbear binary lives. Your telnetd gets launched from a different location
in the filesystem tree and so the inherited PWD is different.

As for the other two, those are hard-coded into the dropbear binary (or at least they are
but I changed them to more TiVo-like defaults). It was so long ago since I did the port that
I can't quite remember the rationale, but basically from memory the forked bash shell needs
to have something in them otherwise it croaks when it runs.

I hard-coded a pseudo-passwd entry for the login user to have /var/hack as the home
directory, and for the PATH I just took the dropbear default and added the regular TiVo
binaries. In theory it shouldn't make too much different to use of it though.

I've been meaning for ages to roll my patches into the 0.44 version of dropbear, but my
new company has been keeping me busy. I'll try and get around to rolling the patches on
and at the same time I'll re-do the defaults to take out the non-existent directories. If you
find having them there causes problems though then yell and I'll re-do the current version.

Do you mean with Dropbear running on TiVo or on the router (such as with the dd-wrt firmware)?

Either way, the answer's yes :)



I did originally mean using the firmware but realised that my linksys router wasn't the corrcet version sop went with the dropbear approach.. works like a treat (after stumbling across all the same issues you had.. glad you asked them questions first :) )

Hurrah this is exactly what I wanted... Creating the dss key did freeze the Tivo worryingly for 5 minutes which I thought had killed it but it all burst back into life.

So in theory I can now disable the port forwading on my router for external http access to tivoweb and just tunnel it through this connection? Next job for today then :)

Cheers guys

I've been meaning for ages to roll my patches into the 0.44 version of dropbear, but my
new company has been keeping me busy. I'll try and get around to rolling the patches on
and at the same time I'll re-do the defaults to take out the non-existent directories. If you
find having them there causes problems though then yell and I'll re-do the current version.

It's not really causing any problems, it just surprised me when some of the common binaries weren't in my path.

I presume that after a successful ssh login the /.profile is executed? So I can just put a command in /.profile to reset the path to be the same as when I log in via telnet?

Yeah that should work, except (from memory) the profile will be executed from
$HOME/.profile i.e. /var/hack/.profile. You should be able to symlink /var/hack/.profile
to /.profile though.

Sort of newbie to this hacking TiVo lark!

In last few days have upgraded UK TiVo HD (again),
but this time added a cachecard & memory, tivoweb , endpad, logos, backupSP, showcase, wishlist, search, new themes, whatson, manual record, now showing, (to install: dailymail_jazz) also learnt how to allocate permissions & ftp the TiVo etc... All working OK.

Also got a V4 linksys router, flashed it with dd-wrt mini & then standard version. Setup Dynamic DNS.

Set router allowing putty, with private key ,to let me into router from an outside ip .
Using Putty I can get into router securely & Telnet from there into TiVo from outside.

Q. How do/Can I run Tivoweb from this?

Set up a port forward in Putty, something like:

source port - 1234
destination - tivoipaddress:80

Then web browse on remote machine to http://127.0.0.1:1234 and you should get Tivoweb.

Thanks Fozzie , that was it, I'm in.
didn't realise i had 2 put http://127.0.0.1:1234 i was using tivoaddress:80.
& ptruman for the suggestion in the first place.

No probs - you probably realise that '1234' can be whatever you want. If you had another Tivo (or say a webserver on another machine) then you could forward port xyz to othermachine:xyz and then browse to 127.0.0.1:xyz ;)

Excellent stuff. I've now got TiVo detecting my WAN IP address and updating my DynDNS account :) PC can now formally be switched off!


Anyone have a 'How-To' guide on setting this up on a TiVo ??

At the moment I am running DynDNS update software on my PC, but ideally would like it self contained on the TiVo itself.

Thanks
Daniel

Try this ;)

http://www.tivocommunity.com/tivo-vb/showthread.php?p=3668806&highlight=dns#post3668806

Been reading this thread - interesting.
I have bought one of the the Linksys routers and flashed it to use as a wireless bridge. This is probably obvious but can I still use it for dyndns ?

Next job, see if anyone can get HTTPS forwarding running on a WRT54G/GS to enable you to securely connect to TiVoWeb.

Why?!

SSHD on a common port will let you encrypt any traffic you like over a common firewall (using HTTP/S).

SSH is merely a secure shell protocol running over HTTPS (encapsulated and encrypted by default) and you can tunnel from the endpoint. Either setup a tunnelier server on your PC at the router end to get out, OR do what I do, and use Putty to tell the router to let me out whereever I please! (open a 'local' port which tunnels to my router which connects to my IMAP account to check my mail - it's all possible!)


(I'm not sure whether the orignal poster is referring to the router to Tivo traffic, or the internet to router traffic but...)

Main reason I can think of for wanting the router to act as a secure reverse proxy rather than just an SSH endpoint, is for situations in which you haven't got access to ssh client e.g. locked down machines, thin clients etc., in which case you'd want to be able to use just the browser...

I'm currrently hacking about with a Zywall P1 to see if I can load other firmware onto it with the aim of converting it to a secure reverse proxy type appliance (at the rate I'm going it's just for the mental challenge though)