Hurrah - away with OrenoSP!

Discussion in 'TiVo Series 1 - UK' started by ptruman, Nov 26, 2005.

  1. Fozzie

    Many thanks. But, I've still got the same error as before. I've created a /var/hack/lib and put the library in there and changed the permissions. I've also put a copy in /var/hack/bin and done the same but still the same error message.

    What have I missed? Are there any paths or links that I need to set for /var/hack/lib, or anything like that?

    Thanks.
     
  2. tefster

    If this is the first library that you've added into /var/hack/lib then you'll need to add
    "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/hack/lib" (without the quotes) to
    your .profile (which might be in /var/hack/.profile or might be in /.profile)
     
  3. Fozzie

    Thanks for that; another step forward.

    Ok, Dropbear now running but unable to connect using PuTTY. Looking at the PuTTY log, it just seems to hang after "Connecting to a.b.c.d port 80". The PuTTY session window also appears to just hang.

    Lo is Up on TiVo.

    Any ideas? Thanks again.

    Edit: Up and running now. It helps if you connect to the right port i.e. 22!
     
  4. Fozzie

    Got everything running perfectly with one exception. I can't get dropbear to start from rc.sysinit.author; I've tried most combinations of full paths in the shell script, .author and such like. The commands all work perfectly from a BASH prompt but reboot TiVo and everything but dropbear is started.

    Any ideas/tips? Thanks again.
     
  5. tefster

    You'll probably need to add the /var/hack/lib to your library path within the script, the
    .profile is only called for login sessions. Try adding the LIBPATH statement above (the one
    you added to your .profile) to the script before the dropbear invocation.
     
  6. Fozzie

    Flippin' 'eck, you're clever :) I didn't think of that one! All working perfectly now. Thanks for all your help.

    All I've got to get working now is the IP detection bit in Dailymail_jazz and I can keep the PC switched off (I don't have a static IP and my router doesn't support DynDNS updating and so I have to use DirectUpdate running on the PC).

    One final question: Is there any way (or any point) in changing the SSH port number, perhaps to a higher, less likely to be probed number?

    Thanks again.
     
  7. tefster

    I don't use DynDNS any more as I have a static subnet coming into the house pipe, but
    for a while I used this script to update a DynDNS account from a Linux box.

    I haven't tried it on a TiVo, but in theory if you grab that, change the path of the shell, and
    install the wget TiVo binary and OzTivo resolver library then you should be able to cron-enable the script and have it update your DynDNS account directly from the TiVo.

    It wouldn't hurt to have it listening on a much higher port, I would also suggest
    only opening up firewall access to it from known/trusted IP addresses and/or
    subnets and not having it world-open.
     
  8. Fozzie

    Excellent stuff. I've now got TiVo detecting my WAN IP address and updating my DynDNS account :) PC can now formally be switched off!

    One final question: I'm happy about changing the listening port on the non-TiVo/remote end of the tunnel. Is there any way though of changing the port that the SSH tunnel establishes with, or is it fixed at 22?

    Many thanks again for all your help with this. My electric bill should be getting smaller from now!
     
  9. tefster

    No probs, glad I've helped the ozone layer a little ;)

    You can change the port which dropbear listens on by adding a -p <port> to its invocation
    command. Or, rather than forward port 22 on your router to port 22 on the TiVo, if your
    router allows it, remap a higher port on the router's outside edge to port 22 on the TiVo.

    You can also change the listening port for the tunnel (i.e. the port on your client machine
    that you browse via) via the SSH command. E.g. if you have dropbear accessed via port 22
    (the default) then you can do
    Code:
    ssh -l tivo -L8080:127.0.0.1:80 <tivo_host>
    to set up the client end of the tunnel to listen on localhost:8080, or
    Code:
    ssh -l tivo -L1234:127.0.0.1:80 <tivo_host>
    to make it listen on port 1234, i.e. change the first parameter on the -L command. If you
    are using e.g. PuTTY then just change the "source port" parameter on the tunnel definition.

    If you do change the dropbear access port to something other than 22 then for
    command line ssh clients add "-p <port>", e.g.
    Code:
    ssh -l tivo -p <dropbears_port> -L<localhost_port>:127.0.0.1:80 <tivo_host>
    when you set the tunnel up.

    Again though, I would definitely suggest that you restrict the IP addresses which can
    access your dropbear port so that only known trusted IP addresses can access it.
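Posts 2 and 5 above explain that the library path has to be set inside rc.sysinit.author itself (the .profile is only read by login shells), and the post above adds the -p option for a non-default port. The launcher below is an added example, not code from the thread: it assumes the dropbear binary lives at /var/hack/bin/dropbear and the library in /var/hack/lib (paths from the thread), and picks 2222 as an arbitrary non-default port.

```shell
#!/bin/sh
# Added example, not from the thread: a dropbear launcher for rc.sysinit.author.
# The library path is exported here, inside the script, because .profile is only
# read by login shells. Assumed paths: binary /var/hack/bin/dropbear, libraries
# in /var/hack/lib; the default port 2222 is an arbitrary non-default choice.

HACK_LIB=/var/hack/lib
DROPBEAR=/var/hack/bin/dropbear

# Port must be an integer in 1..65535; returns 1 otherwise.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print "ok" and return 0 when binary and library dir are usable,
# otherwise print the reason and return 1.
check_prereqs() {
    bin=$1; libdir=$2
    [ -d "$libdir" ] || { echo "missing library dir $libdir"; return 1; }
    [ -x "$bin" ] || { echo "dropbear binary $bin not executable"; return 1; }
    echo ok
}

# start_dropbear PORT [BINARY] [LIBDIR]: returns 2 on a bad port, 1 on missing
# prerequisites, otherwise starts dropbear listening on PORT.
start_dropbear() {
    port=$1; bin=${2:-$DROPBEAR}; libdir=${3:-$HACK_LIB}
    valid_port "$port" || { echo "bad port: $port"; return 2; }
    reason=$(check_prereqs "$bin" "$libdir") || { echo "$reason"; return 1; }
    # Append the hack library dir to whatever LD_LIBRARY_PATH the boot script has.
    export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$libdir"
    "$bin" -p "$port"
}

# At boot, start only if the binary is actually installed.
if [ -x "$DROPBEAR" ]; then
    start_dropbear "${DROPBEAR_PORT:-2222}"
fi
```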
     
  10. ptruman

    Hmm, I go away for a while, and someone replies to my thread! :p

    In answer to various questions :

    1) The Linksys router won't serve HTTPS, it doesn't need to - SSH is the same as HTTPS, your traffic just goes through it (tunnelled) so it won't look secure, but it will be.

    2) You need a Linksys WRT54G or WRT54GS to do this. Comet are knocking them out for about £49 for the G and £79 for the GS (54 and 125 Mbps versions respectively)

    Make DAMN sure you get a V1, V2 or V3 router. V4s are problematic, and V5s are INCOMPATIBLE with the flash. The version is under the router, and the serial numbers on the box betray the versions. V5 serials start "CDFB".
    Google, you'll find the lists :) (I've lost the link)

    3) You do NOT REPEAT NOT need SSH running on TiVo, and DO NOT need anything on a PC. You just need the router!

    4) I can post the 0.84 Oreno if needed, but seriously, just get the router :)
    (it's SOOOO much nicer)

    5) The Alchemy ROM runs WOL, so you can wake up your PC if you keep a note of the MAC address and have a WOL capable NIC. Highly useful.

    6) The Alchemy ROM runs a DYNDNS client, so you don't have to remember your DNS IP etc....or run it on TiVo!

    7) I have two WRT54GS routers running a Meshed WLAN via Alchemy (RAR!) and can get TiVo tystreams to run at 880 mbps via 802.11G. That's NOT bad...

    THE INSTRUCTIONS!

    You also need the Sveasoft Alchemy public ROM.
    That's available here > http://www.sveasoft.com/modules/phpBB2/dlman.php?func=file_info&file_id=146
    HOWEVER you need to register

    Flash your router in the normal Linksys way (read the manual!)

    Go to the admin page, enable SSHD, DISABLE password login, and set the SSHD to 443 (compatible with most firewalls)

    Make VERY sure you follow the bit which reads :

    Code:
    nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 7490 -j logaccept"
    nvram commit

    But change 7490 to 443 (or whatever port you're using!)

    Follow the instructions at http://hetos.de/sshtut.html
    You'll need Putty and PuttyGen (available at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

    This step is in conjunction with the HETOS info above.

    Then, from wherever you are, with an SSH client and a copy of your private key, you can connect to your public IP, and get a shell on your router.

    From there, you can telnet to Tivo. Or, if you use Putty and the instructions on tunnelling from the HETOS site above, you can tunnel web connections into TiVo via your router.

    All traffic encrypted, all via 443, "legally" via most firewalls - the snag being you MAY be in breach of work policies as you are opening a secured connection outside/through firewalls....

    Either way, it's secure, and allows TiVo or more (Terminal Services anyone?) services to be opened up.....
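The rc_firewall rule in the instructions above opens the SSH port to the whole internet, while tefster's advice earlier in the thread is to allow only known source addresses. The script below is an added example, not from the thread: it emits the world-open rule beside a source-restricted set for port 443, assuming the firmware's /usr/sbin/iptables and its logaccept chain (both quoted above) and the stock DROP target; the addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: build the rc_firewall value for the
# Alchemy-flashed router so the SSH port (443, as in the instructions above)
# is reachable only from trusted sources. Assumed: the firmware's iptables at
# /usr/sbin/iptables and its logaccept chain (both in the thread); DROP is the
# stock iptables target. Sample addresses are constructed RFC 5737 ranges.
# The rules match every interface, so include your own LAN range in TRUSTED
# or you lock yourself out locally.

SSH_PORT=443
TRUSTED="203.0.113.0/24 198.51.100.7 192.168.1.0/24"   # constructed: work subnet, fixed IP, LAN

# The rule as given in the thread: accepts the port from anywhere.
world_open_rule() {
    echo "/usr/sbin/iptables -I INPUT 1 -p tcp --dport $1 -j logaccept"
}

# Hardened form. Each rule is inserted at position 1, so the DROP is emitted
# first and every later accept lands above it: accepts win, the rest is dropped.
restricted_rules() {
    port=$1; shift
    echo "/usr/sbin/iptables -I INPUT 1 -p tcp --dport $port -j DROP"
    for src in "$@"; do
        echo "/usr/sbin/iptables -I INPUT 1 -p tcp -s $src --dport $port -j logaccept"
    done
}

# nvram takes one string; join the rules with ';' so the firmware runs them in order.
rc_firewall_value() {
    restricted_rules "$@" | tr '\n' ';' | sed 's/;$//'
}

# Sanity check before committing: number of accept rules that carry a source match.
count_restricted() {
    restricted_rules "$@" | grep -c -- ' -s '
}

if [ "${1:-}" = "--apply" ]; then
    nvram set rc_firewall="$(rc_firewall_value "$SSH_PORT" $TRUSTED)"
    nvram commit
else
    echo "# dry run; rerun with --apply on the router to commit:"
    rc_firewall_value "$SSH_PORT" $TRUSTED
fi
```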
     
  11. Ian_m

    Next job, see if anyone can get HTTPS forwarding running on a WRT54G/GS to enable you to securely connect to TiVoWeb.

    As an aside I am now running DD-WRT V23-beta 2 on my WRT54GS acting as a wireless bridge to a Netgear DG834G, with more than one device attached (unlike Satori and Alchemy) and using WPA wireless encryption. Works fine.
     
  12. ptruman

    Next job, see if anyone can get HTTPS forwarding running on a WRT54G/GS to enable you to securely connect to TiVoWeb.

    Why?!

    SSHD on a common port will let you encrypt any traffic you like over a common firewall (using HTTP/S).

    SSH is merely a secure shell protocol running over HTTPS (encapsulated and encrypted by default) and you can tunnel from the endpoint. Either setup a tunnelier server on your PC at the router end to get out, OR do what I do, and use Putty to tell the router to let me out wherever I please! (open a 'local' port which tunnels to my router which connects to my IMAP account to check my mail - it's all possible!)

    You COULD enforce HTTPS on the router admin port, and MAY be able to set up something on the /www/user directory (virtual (ln) to /tmp/www) which may be riggable - if you can get the onboard CGI to talk to you.

    Port forwarding will only "protocol forward" if the remote (TiVo) end supports HTTPS, so you'll have your work cut out - esp. as HTTPS = CPU overhead and TiVo isn't geared for that - unless you want your PC on to do the SSL for you, in which case use Oreno!

    The easy options are:

    a) Open (forward) tivo from the Router (insecure)
    b) Reverse proxy (Oreno etc) from a PC with auth and forwarded ports - add OpenSSL if you want for encryption (but your PC is/has to be on)
    c) Attempt port forward to TiVo from the router with ipchaining from a known address (i.e. your work/mobile network)
    d) Setup some VERY odd port trigger oddness which you can access from outside to get a connection back to you (dodgy!)
    e) SSHD to the router and tunnel into Tivo (a DAMN site more secure AND encrypted)

    I have two WRT54GS routers working in Mesh mode, so I have one distributed (single SSID) WLAN in the house, with multiple devices hard wired to each router, and various roaming devices. Alchemy supports WDS (Wireless Distribution Service) to do this. There is a performance hit depending on your config (chain or star) but as mentioned, I can get 880mbps from Tivo (downstairs hardwire to router -> WLAN -> Upstairs router -> my PC).

    TiVo sits alongside my PS2 (using XLink KAI to get net access) and behaves admirably.
     
  13. ptruman

    Not entirely sure - check http://www.sveasoft.com for details. You can run the WRT54G or GS with WLAN disabled, so technically "yes" (the WRT54G and GS are 4 port 10/100 routers with net and WLAN capability) and they (and the WRT firmware) support various bits of Linksys and DLink kit....

    The WRT54G (54mbps WiFi G compliant Broadband router) is now LESS than I paid for the BEFW11S4 (11mbps WiFi B compliant Broadband router).....
     
  14. ptruman

    Sorry, to clarify, if anyone wants, I will post a list of instructions to do this, it just might take a while (I've not checked in about a fortnight and seen lots of responses!)

    Also, the copy of Oreno I have is a RAR of my install, so it's not clean (changed configs) - I can tidy it up and repost it, but it is mostly sorted for anyone running IIS on Windows/i386 and wanting access to TiVo
     
  15. Fozzie

    Well, it was great fun setting up Dropbear, name resolution and dyndns updating all on TiVo before Xmas, and it probably saved a few quid not having to have my PC with Orenosp running 24/7.

    However, last week my separate wireless AP went down and so I thought what the heck, might as well get a combined doodah, such as the Linksys WRT54GS, and replace the (working) router too! (PMs if anybody is interested in a Linksys BEFSR41 V2 4 port router) ;)

    The WRT54GS was a version 4 model but I had no problems whatsoever re-flashing it with the dd-wrt firmware (you have to flash the mini version first and then the full one, although both do have Dropbear SSH in the builds). Everything up and running very quickly indeed. The website/forums/wiki are very good with easy to follow instructions.

    Thanks to ptruman for starting this thread and bringing to my attention what can be done with these routers (and also to tefster for the help in getting all the TiVo based bits up and running previously) :)
     
  16. poppadum

    Thanks to tefster I have dropbear running on tivo, and it's accessible from the local LAN and from the outside world.

    But I have noticed a few odd things when logging in via ssh, in particular the environment variables are a bit screwed up. If I telnet in the environment has:
    Code:
    HOME=/
    PATH=/bin:/sbin:/tvbin:/devbin:/var/hack:/var/hack/bin
    PWD=/var/tmp
    as expected.

    Logging in via ssh gives:
    Code:
    HOME=/var/hack
    PATH=/usr/gnu/bin:/usr/local/bin:/usr/ucb:/bin:/usr/bin:.:/var/hack:/var/hack/bin
    PWD=/var/hack
    which is odd considering most of those directories in the path don't exist on tivo.

    Have I done something wrong?
     
  17. goodisonboy

    This looks an interesting post but have been putting it off in fear of killing my router but am now going to go for it.. I used to ssh to a separate linux box on my lan and then I could telnet into Tivo. Also through this I could ftp files to the Tivo.

    With this setup will there be any way to get files onto the Tivo remotely? i.e. adding modules / logos etc. With this ssh will I be able to scp in?

    Cheers
     
  18. Fozzie

    Do you mean with Dropbear running on TiVo or on the router (such as with the dd-wrt firmware)?

    Either way, the answer's yes :)

    Having never used SCP before I thought I'd give it a go to check. I SCP'd (using WinSCP) direct to dropbear on TiVo and all seemed fine. Then I set up an SSH connection to Dropbear on my router (using PuTTY) and with the appropriate port forwarding, could then setup an SCP connection to Dropbear running on TiVo. Phew :)
     
  19. tefster

    No, it's a "feature" of the ported version :)

    The PWD will be set to wherever the shell got invoked from, which will effectively be
    wherever the dropbear binary lives. Your telnetd gets launched from a different location
    in the filesystem tree and so the inherited PWD is different.

    As for the other two, those are hard-coded into the dropbear binary (or at least they are
    but I changed them to more TiVo-like defaults). It was so long ago since I did the port that
    I can't quite remember the rationale, but basically from memory the forked bash shell needs
    to have something in them otherwise it croaks when it runs.

    I hard-coded a pseudo-passwd entry for the login user to have /var/hack as the home
    directory, and for the PATH I just took the dropbear default and added the regular TiVo
    binaries. In theory it shouldn't make too much difference to the use of it though.

    I've been meaning for ages to roll my patches into the 0.44 version of dropbear, but my
    new company has been keeping me busy. I'll try and get around to rolling the patches on
    and at the same time I'll re-do the defaults to take out the non-existent directories. If you
    find having them there causes problems though then yell and I'll re-do the current version.
     
  20. goodisonboy

    I did originally mean using the firmware but realised that my linksys router wasn't the correct version so went with the dropbear approach.. works like a treat (after stumbling across all the same issues you had.. glad you asked them questions first :) )

    Hurrah this is exactly what I wanted... Creating the dss key did freeze the Tivo worryingly for 5 minutes which I thought had killed it but it all burst back into life.

    So in theory I can now disable the port forwarding on my router for external http access to tivoweb and just tunnel it through this connection? Next job for today then :)

    Cheers guys
     