Turbo's AppleTV Hacks @ 0xfeedbeef.com

Here's a list of some things I've done with my Apple TV. If you brick your Apple TV trying a hack listed here, it's not my fault.

The instructions on this page assume you've already got ssh installed on the machine and the appropriate launchdaemon. If you're not comfortable messing around with the command line, turn back now.

This page probably doesn't render properly in IE. Ensure that you have the proper line breaks in the code sections.

Thanks for all your support guys!!


AppleTV Enabler (2008-10-22 16:33)
 Purpose: Unshackle your AppleTV, now more than ever
 Notes: I'm releasing my new AppleTV Enabler (turbo_atv_enabler). You can download it here
  This new program replaces the old KEXT enabler, and includes some new functionality.
  Now featuring a new SSE3 emulator, which will allow you to run many stock OSX 10.4 applications on your AppleTV.
  This is especially useful for things like the Audio/MIDI Setup Utility, and CoreMIDI applications.
 Notes: This software may NOT be included in any other software distribution.

AppleTV 2.0 Update (2008-02-12 19:29)
 Notes: The AppleTV take 2 update has been released. The KEXT enabler works, but there are no patches for USB support yet.

Preparing for the AppleTV v2.0 update (2008-02-10 10:29)
 Notes: The AppleTV 2.0 update will be a big one. I expect that with the addition of rented media, Apple will try to lock the box down
  as much as possible, to prevent people from circumventing their rental time limit system.
  I do intend to try and update all of the hacks we've made so far to work with the new system.

Use external audio on the AppleTV (2008-02-10 10:20)
 Purpose: To enable use of an external audio S/PDIF output for DVD playback or an outboard DAC.
 Notes: I've been getting a lot of questions recently about using an outboard USB DAC with the AppleTV.
  Yes, any USB standard audio interface should work OK out of the box. You will probably need to run the OSX "Audio MIDI Setup" utility
  to configure the new output device. Don't click on the MIDI tab!

Enable kext loading on the AppleTV (2007-07-24 19:43)
 Purpose: To enable Bluetooth devices, and video capture, and SMB mounts, and USB Mass storage, and ...
 Notes: First, you'll need to mount your root partition read-write. You only need to do this once.
  If you've already done this, skip down to loading the kexts.
 Code:

sudo mount -uw / sudo touch /.readwrite sudo sync


  Next, reboot the AppleTV. When it comes back up, you'll have 2 new files /mach and /mach.sym. If you want, you can make it read-only again:
 Code:

sudo rm /.readwrite sudo sync sudo mount -ur /


  Now, you'll need some kexts to load. I've only tested with 10.4.9 kexts but I have at least one report of 10.4.10 working OK.
  This example will load the USB Mass Storage driver that you've installed in /System/Library/Extensions
 Code:

chmod 755 turbo_kext_enabler.bin sudo ./turbo_kext_enabler.bin sudo kextload -v 6 /System/Library/Extensions/IOUSBMassStorageClass.kext


  You'll need to run turbo_kext_enabler and kextload your extensions each time you reboot your AppleTV.
  Oh yeah, you'll need the turbo_kext_enabler.bin file also, you can get that here.
  Thanks go to Patrick for help unraveling the arguments.

USB easy patch for 1.1 kernel(2007-07-15 19:13)
 Purpose: Patch the 1.1 ATV kernel to use USB devices
 Code:

bspatch mach_kernel.prelink mach_kernel.patched turbo-11-usb-and-watchdog-20070623.bsdiff MD5 = 311f50ae644bc16967b7c0ac91cefaae


 Notes: I did this patch a while ago but found little reason to move to the 1.1 kernel. Here it is in case somebody wants to try it out.
  The binary patch is available here
 
  Verify that your patched mach_kernel.prelink matches the MD5, then just install your patched kernel file, and enjoy USB
  This hack does not enable the mouse cursor. To do that, see prasys's hack here.
  This hack might disable the watchdog too.

Apple updates AppleTV (2007-06-20 12:20)
 Notes: Apple has now released an update (YouTube functionality) to the AppleTV that will most likely break all of the hacks and patches listed here
  They also appear to have removed a significant amount of "standard OS X" functionality
  If you have the means, I recommend making a complete backup of your existing AppleTV disk before allowing the upgrade to proceed.

SSE3 Emulator (2007-05-10 22:31)
 Purpose: Allows you to run standard OSX applications like Finder or DVD Player, and frameworks like CoreMIDI
 Notes: I've modified my SSE3 Emulator to include dynamic in-memory patching for some instructions
  This means that you don't need to patch the binaries to get acceptable performance in cases like AppleVADriver
  I've also managed to finally package it into a single file. This means no more nasty hacks to try to get the emulator installed in each process on the system.

  I'm still not quite sure how best to distribute it like this but at least it's progress!
DVD Video (2007-05-09 12:46)
 Notes: OK, so I've got DVD Player.app working, playing back DVD video from a VIDEO_TS directory mounted on my fileserver.
  Getting this to work with the stock AppleTV OS requires some significant changes:
  Notably absent at the moment is AC3 passthrough.
  To use DVD Player on a full OS X install, only patching the DVDPlayback.framework is required to make it work

  semthex SSE3 emulator may be fast enough to handle the instructions where my user-space emu was not.

  Using the patches I created for AppleVADriver it takes about 40%-50% CPU on the AppleTV to play a DVD.
  More info and a couple of patches coming soon.
progress (2007-04-11 19:29)
 Notes: I've done some work to get the Finder and some other OS X applications to work with the stock AppleTV distribution
  This is no easy task, as almost all of the "regular" OS X applications and frameworks require an SSE3 capable processor.
  Semthex's replacement kernel includes an SSE3 emulator to take care of this, but at this point, swapping out the kernel
    means losing video capabilities and sound.

  What I've done is to write a user-space SSE3 emulator (no small task!)
  This is of course much much slower, but it's enough to get some applications to run with the "stock" kernel.
  What's working now:

mach_kernel.prelink patching information (2007-04-07 11:26)
 Notes: Here are some gory details on patching the mach_kernel.prelink file
  If you're just looking for the USB enabler, use the easy patch link below
Boot from a USB drive without opening your AppleTV (2007-04-04-18:25)
 Purpose: duh!
 Notes: This procedure needs its own page, here
Create a mach_kernel prelink (2007-04-02 23:09)
 Purpose: Create a kernel prelink with your own kernel and extensions
 Code:

kextcache -v 5 -a i386 -s -K ~/mach_kernel.semthex -c /tmp/mach_kernel.prelink /System/Library/Extensions


 Notes: This assumes your kernel is in your home directory and named mach_kernel.semthex, and that your extensions are in /System/Library/Extensions
  The new kernel prelink will be located in /tmp, place it appropriately.
USB easy patch (2007-03-30 00:43)
 Purpose: Easy way to apply the USB patch to mach_kernel.prelink
 Code:

bspatch mach_kernel.prelink mach_kernel.patched turbo-disable-usb-whitelist-20070330.bsdiff


 Notes: OK it didn't occur to me until just now, but because of the type of compression used (lzss) a binary diff would only be a couple of bytes
  It's actually 5 bytes, but instead of writing a tool to patch these 5 bytes I made a patch using bsdiff/bspatch because bspatch is included with OS X
  The binary patch is available here
  Verify that your patched mach_kernel.prelink matches the MD5, then just install your patched kernel file, and enjoy USB
  This hack does not enable the mouse cursor. To do that, see prasys's hack here.
  If you have any insight as to how the mouse cursor has been disabled, please let me know so we can re-enable it properly.

  If you downloaded my later usb and watchdog patch, you may have noticed it doesn't actually fix the watchdog.
  The binary patched proved to be too large to distribute reasonably.
Mouse Cursor
 Purpose: Sure makes using the mouse easier
 Notes: If you have any insight as to how the mouse cursor has been disabled, please let me know so we can re-enable it properly.
  Just in case somebody with some ideas comes across this, I've already tried
 Code:

CGDisplayShowCursor(kCGDirectMainDisplay); CGAssociateMouseAndMouseCursorPosition(1);


  And CGCursorIsVisible() already returns true (at least when BackRow isn't running)
Disable ripstop
 Purpose: Ripstop is part of the watchdog system that reboots if the default application doesn't run
 Code:

mkdir /etc/mach_init.disabled mv /etc/mach_init.d/ripstop.plist /etc/mach_init.disabled


 Notes: Make sure to make the startup script changes to disable the AppleTCOWatchdog kext or your machine will reboot. May no longer be necessary
Enable Quartz Extreme
 Purpose: experimentation - may have some benefit for applications?
 Code:

defaults write /Library/Preferences/com.apple.windowserver GLCompositor -dict tileHeight -int 256 tileWidth -int 256


 Notes: Must kill loginwindow or restart to take effect
Replace Finder.app
 Purpose: run another application that doesn't take over the entire UI so we can see what's going on
 Code:

defaults write /Library/Preferences/com.apple.loginwindow Finder /System/Library/ColorSync/Calibrators/Display\ Calibrator.app


 Notes: this runs the built-in display calibration app. It doesn't do anything useful, but it allows us to launch other apps via ssh without interference from the replacement Finder.app
See verbose startup
 Purpose: Easy way to get verbose startup for all boots without modifying any files - perfect for testing
 Code:

sudo nvram boot-args=-v


 Notes: You can clear NVRAM with Cmd-Opt-P-R
Up the number of reboots before triggering recovery
 Purpose: If the BackRow application doesn't launch after 5 boots, the built-in recovery procedure is run. Up it to 9 times.
 Code:

sudo nvram max-boot-attempts=%09



Some useful xnu links:

Thanks go to Nate (n8man) for this excellent dissection of the kernel prelink.
I refer to this several times a day, and it's helped a great deal in disassembling the individual KEXTs.


Modified 2013-09-06 13:19:38
Contact turbo here