TiVoToGo Transfers Fail Due To Expired Cookie

TiVo subscribers looking to offload DVR recordings were caught by surprise when TiVo Desktop and other methods of transfer inexplicably failed. As it turns out, TiVo To Go has been crippled by an expired server-side cookie of some sort. Of course, you probably aren’t so concerned with the reason and are more interested in a resolution. While one TiVo support rep tried to pin this on a recent Microsoft update and suggested waiting 24-48 hours for a Redmond fix, we know better. The simplest workaround is to merely set your computer clock to an earlier day, week, or even year, assuming that approach doesn’t negatively impact other applications, like local email. Other options include constructing your own replacement cookie, should you be sufficiently geeky and motivated, or swapping out TiVo’s antiquated software for kmttg and updating the default curl download method to Java.

As to how this happened (and when it may be fixed), one can only guess. But we’ve seen it before from apps like Rhapsody and even prior versions of TiVo Desktop. And we suspect it’s related to contracting out a significant amount of what you might call non-core DVR functionality, as we see with the existing (and exceptional) TiVo iOS app developed by Duff Research. So while TiVo wisely contracts out the skills they need, without being burdened by long-term overhead, projects without champions have a way of failing via entropy. In this case, maybe it’s a simple oversight, maybe a preoccupation with a TiVo Desktop successor, or maybe the ship really is rudderless. Regardless, I imagine they’ll get it corrected in due course.

Update: The cookie in question expired 2/16 and, as we’ve yet to hear anything through TiVo’s social media team or via an online support note, we’ve been tracking TiVo’s support responses.

  • 2/16 – TiVo unaware of issue and suspects users have issues due to Microsoft patches. While this could be conceivable on Windows machines, it doesn’t cover Mac transfer failures. (Open source TiVo desktop replacement kmttg updated to work around the issue and without requiring Java.)
  • 2/17 – TiVo realizes there’s a problem and begins taking bug reports.
  • 2/18 – TiVo tells callers that they’re aware of the issue and engineers are working on it. When service is restored, they will send a notice to TiVo DVRs. Asked if a fix would be in this week, the rep I spoke to believed it was possible but said it could also be next week. (Hybrid TV Australia posts a support note, while TiVo, Inc maintains radio silence.)
  • 2/19 – TiVo Support web chat reps are now providing customers a canned reply that has also been posted on their support forum. Here’s an excerpt, “As of February 16th 2013, the TiVoToGo feature of the TiVo Desktop application for Windows PCs is temporarily unavailable and no longer allows transfers from the DVR to the PC. All TiVoToGo-compatible TiVo DVRs are affected. We are aware of the issue and apologize for any inconvenience that this may have caused. We are working to restore this feature as soon as possible.” When asked for more detail on timing, the agent replied “it may take up to a week.”
  • 2/20 – TiVo support rep posts, “We are actively pursuing a solution which would bypass the need for a workaround, but until that solution is developed, a workaround will be required if content needs to be transferred. As soon as I learn more about a permanent solution, I’ll be sure to share it.”
  • 2/27 – Stock TiVo Desktop still broken and no official support note has been posted. I reached out to an online support rep who said engineers are working on the issue but they haven’t been provided a timeline on resolution.
  • 3/1 – TiVo web support rep didn’t know the status of an updated TiVo Desktop package. I asked if there is a way to register for an email or DVR alert once a fix is in, and he thought the TiVo webpage would be updated when it’s ready.
  • 3/5 – A TiVo support representative has posted a new update… without any sort of ETA. However, it sounds like the short-term fix will be an updated TiVo Desktop software package, probably using a hack similar to morac’s approach, followed at some point by software updates to TiVo Series 4, 3, and 2 DVR hardware.
  • 3/8 – After three weeks, a TiVo Desktop “patch” has been released as a stop-gap (using morac’s method) until TiVo DVRs can be updated and presumably until a fully supported Windows 8 version of TiVo Desktop is prepared.

(Thanks Morac!)

50 thoughts on “TiVoToGo Transfers Fail Due To Expired Cookie”

  1. It turns out the http server on the TiVo box only cares that the client sends a SID cookie, not that it’s correct. That’s most likely a bug, but it’s a lucky break as it means the fix doesn’t require a TiVo software patch. As such the current workaround of choice is to simply send a bogus SID cookie.

    Kmttg has already been patched and there are browser addons to add/modify cookies if you want to use a web browser.

    That leaves only TiVo Desktop. Theoretically that can be patched too, as it uses Curl, which can send user specified cookies. That’s what kmttg does. The problem is that TiVo Desktop sends its own command line parameters to curl.exe. So short of replacing the curl.exe with a new one with the cookie hard coded in it or possibly patching TiVo Desktop to send the “correct” parameters, there’s not much that can be done for TD until TiVo fixes this.

    At least there are workarounds though. The next problem to happen will likely be the SSL certificate on the TiVo boxes expiring. The Series 3 box’s SSL certificate expires in December 2016. The Series 2 could be sooner.

  2. Thanks for the explanation and the easy workaround with the clock. I’m getting on a plane in the morning and have a number of shows I wanted to transfer today. When it did not work, I contacted Tivo and got the “MSFT update” explanation. Changing my clock solved the issue – now I can catch up on TV on the plane tomorrow!

  3. Using iTivo on my Mac and couldn’t figure out why it kept reporting that it was unable to download. Thanks for the post and workaround!

  4. “Thanks for the explanation and the easy workaround with the clock. I’m getting on a plane in the morning and have a number of shows I wanted to transfer today.”

    But, of course, this means you’ll miss your plane because your clock will be back-set. Tradeoffs, tradeoffs…

  5. I am always surprised that people still use TiVo Desktop over KMTTG. Of course if TiVo kept it up to date or on par with the iPad app I would probably consider it.

  6. “I am always surprised that people still use TiVo Desktop over KMTTG.”

    Entirely agreed. Although, of course, you have to know enough to know about the existence of KMTTG…

    —–

    “or swapping out TiVo’s antiquated software for kmttg and updating the default curl download method to Java.”

    Fresh spanking new edition of KMTTG already released that works with curl.

    Gotta love active open-source development communities.

  7. I agree that I would never go back to Tivo Desktop after using kmttg, but as Chucky said, first, you need to know about its existence, and while it isn’t too difficult to set up, it is far more difficult than Tivo Desktop’s InstallShield and take the defaults install. Just requiring Java is enough intimidation for some users…

  8. “Just requiring Java is enough intimidation for some users…”

    Dunno about Windows, but on the OS X side, both TiVo Desktop and the Toast Titanium TiVo Transfer app rely on Java. So all the “official” TiVo OS X tools rely on Java, not just KMTTG.

    And who the hell doesn’t have Java installed? It’s a damn useful brew. I disabled it in my browsers a decade ago for all the obvious reasons, but I’ve got more standalone apps that are built upon it than I can count on two hands…

  9. Yeah, I’m wondering what percent of “civilians” know of kmttg. But I think Morac is single handedly saving TiVo’s bacon. Instead of fixing the root problem, I suspect they’ll fast track an updated TiVo Desktop with his .ini workaround. As to TiVo Transfer, the Roxio ship may have sailed… It’s going to be interesting – and after 24+ hours still no comment from TiVo.

  10. Honestly, I think the bigger question is who has Java installed. It’s been a leaky sieve that I don’t know that I would install if it weren’t for kmttg (and I do some Java development at work). Maybe if Oracle would separate their browser plugin from the installer I wouldn’t be quite as reluctant to install.

  11. Java shouldn’t be installed on anyone’s computer unless that person does Java development. Well technically Java’s plugin shouldn’t be installed, but because installing Java automatically installs and enables the plugin, I’ll stick with what I said that the average user should not have it installed.

    Oracle does not have a good track record with security. There’s a reason Apple removed it from OS X, browsers are disabling it left and right and even the U.S. Government has issued warnings against having Java installed.

  12. “Java shouldn’t be installed on anyone’s computer … because installing Java automatically installs and enables the plugin … even the U.S. Government has issued warnings against having Java installed.”

    Similarly, nobody should drink Scotch, because drinking Scotch doesn’t automatically make your car keys disappear from your pocket.

    I mean, seriously folks, enabling Java plug-ins in the browser has been a massively bad idea for pretty much as long as Java has been around. This is nothing new. But there are many pieces of limited-audience standalone software which just wouldn’t exist without a write-once, deploy everywhere runtime. Like KMTTG, for one example among many. (I’m not joking when I say I’ve got more useful standalone Java apps than I can count on the fingers of two hands.) We’d all be poorer in a world without the Java runtime.

    And despite all the scaremongering, there is no security risk as long as you’re not using the web plug-in.

    (And, of course, if you really do need access to web-based Java at a trusted site, which I occasionally do, it’s pretty trivial to set up a site-specific browser limited to only that trusted site with access to the plug-in.)

    Folks go nuts about having a Java runtime installed, but are upset about having to wait for an invite to let a third party startup with unknown security protocols and unknown motives have full access to their email accounts. It’s a weird world we live in.

    “There’s a reason Apple removed it from OS X”

    Yup. Same reason Apple doesn’t want any middleware on their OS now that they’re focussed more on lock-in than converts, which (not so) coincidentally is the reason Microsoft didn’t want any middleware on their OS in the late ’90’s back before the antitrust case. And that reason is not about security.

    (I really didn’t mean to rant at you, Morac, but how difficult is it to just say, “disable or delete the web plug-in”? It’s the correct advice to give.)

  13. Honestly, it is VERY difficult to say disable or delete the web plugin. First off, people need to know what a web plugin is. Next, people need to be made aware that they have it installed. They then need to find out that it is vulnerable. Then, they need to find instructions for how to delete it in their specific browser version.

    Honestly, I have no problem with Java – I agree that it is good for the write-once model — I just think that the installer should never have installed the plugin, or if it did, allow it to only run from whitelisted sites. Oracle finally decided to only allow sites with valid certificate to run by default but I think even that is too loose of a restriction as the site could quite possibly be hacked/hijacked. Whitelisting is the way to go.

  14. Yeah, I have a business need for the Java web plugin and it’d be nice if I could restrict it to that single site. Ironically, it’s used to scan my system – simultaneously making me vulnerable while ensuring I have appropriate protections in place. Ha?

  15. “Honestly, it is VERY difficult to say disable or delete the web plugin. First off, people need to know what a web plugin is. Next, people need to be made aware that they have it installed. They then need to find out that it is vulnerable. Then, they need to find instructions for how to delete it in their specific browser version.”

    Well, as always, dunno about Windows, but on the OS X side you can simply communicate a one line terminal command to exterminate the plug-in for folks to copy/paste. Easy, peasy. Or you can, with only slightly more complexity, explain how to do so from the Finder.

    So, at least from my POV, saying how to remove the plug-in doesn’t seem much more difficult than saying Don’t Install Java. And given that it’s the correct advice, turning a sentence into a short paragraph doesn’t seem too difficult to me.

    “I just think that the installer should never have installed the plugin”

    It’d obviously be nice if the installer at least had the option to not install the plug-in, preferably with that as the default option. But let’s not throw out the baby with the bathwater here…

  16. “Yeah, I have a business need for the Java web plugin and it’d be nice if I could restrict it to that single site.”

    If you’re on OS X, use Fluid to create a browser restricted to that single site, and only enable the plug-in there.

    If you’re not on OS X, I’d assume there would be some kind of similar software available on whatever platform.

    Otherwise, if you really do have the plug-in enabled in a browser you use for other purposes, you’re driving after drinking a whole bottle of Scotch…

  17. I have KMTTG on my TiVo Desktop machine and have used it in the past. But I have always preferred using TiVo Desktop.

  18. I guess the things I like about KMTTG are just features that TiVo Desktop doesn’t offer. Even their transferring options pale in comparison to KMTTG. I especially use the integrated season pass manager along with the ability to save and export your season passes.

  19. “(I really didn’t mean to rant at you, Morac, but how difficult is it to just say, “disable or delete the web plug-in”? It’s the correct advice to give.)”

    Trying to explain to my Mom how to do this usually results in a large headache for me. First off she doesn’t know what Java is, let alone how it got on her machine. I actually just uninstalled it from her machine when the first major Java exploit came out. It turns out a web site she goes to was nice enough to re-install it for her (despite not even really needing it). We’re now on major exploit 3 (or is it 4) in less than 2 months.

    Granted Oracle has made it easier to disable the Java plugin in newer versions of Java, but for people who still think Internet Explorer is the Internet, that’s not going to be very helpful.

    Like I said Java has its place. I actually code in Java, but it should never have been used to run code on a web site. I think a prerequisite of installing Java should be to know what it is and what it does. :)

  20. Thank you! I got home from vacation and noticed nothing since Thursday got converted. I played with it for 45 minutes this morning without luck. Once I read this, I set the clock back and everything is working.

  21. “Trying to explain to my Mom how to do this usually results in a large headache for me.”

    Hey, if you’d explained it as a Mom Technical Support Issue™, I’d have reacted quite differently.

    MTSI’s have their own very special logic, and anyone dealing with a MTSI should definitely consider adopting strict No-Java policy measures.

  22. Chris, did TiVo Transfer ever stop working for you? While I had confirmation things were gunked up on the Mac, I didn’t have info on which TiVo Desktop version or if it was kmttg. Hm, interesting.

  23. Dave,

    When I found out that neither of my Win 7 computers was working with either of my Tivos, I booted up my macbook fired up the roxio tivo transfer app and sure enough everything transferred to the mac from both Tivos with zero problems.

  24. “Chris, did TiVo Transfer ever stop working for you? While I had confirmation things were gunked up on the Mac, I didn’t have TiVo Desktop version or if it was kmttg. Hm, interesting.”

    My completely speculative hypothesis is simply that, as Roxio’s TiVo Transfer is a Java app in a Cocoa wrapper, the app does all its transfers via Java instead of curl due to bad coding decisions, which just happened to prove very handy in this particular weird circumstance.

  25. In that case, getting a patched up Windows TiVo Desktop out the door should be pretty quick. For TiVo anyway. Although they chose a really strange time to advertise their “whole home” experience on Facebook during effectively an outage for some… resulting in a few comments and unanswered queries like these:

    Fix the DeskTop its been down since Friday enough is enough

    does Tivo know that Tivo Desktop is hard broken? And is a fix on the way?

    https://www.facebook.com/TiVo/posts/260389754095691

  26. I just find it silly that they are advertising whole home experience without the mini being released. They did this a few months ago and a few comments (including my own) were that they expected this to be the announcement of the mini.

  27. “In that case, getting a patched up Windows TiVo Desktop out the door should be pretty quick.”

    Considering that there is an upside to using curl over Java for xfers, wouldn’t it be more sensible to software update the TiVo boxes themselves with a different cookie? Not to mention that software updating the TiVo boxes would fix the problem without users needing to do anything…

  28. @Chucky — I haven’t been paying too much attention as to whether this affects only Tivo Premier or also affects Series 2 and Series 3 boxes. If it affects all of the older boxes as well, then it may make sense to update desktop to ignore the cookie so they don’t have to patch their “end of life” boxes.

  29. Yeah, I can’t see them quickly updating DVR software across three platforms in a week. The only realistic fix, if time is of the essence, is to use Morac’s solution. Assuming they have engineers on staff who know how to update the installer package.

  30. “The only realistic fix, if time is of the essence, is to use Morac’s solution. Assuming they have engineers on staff who know how to update the installer package.”

    I see your point, given that Morac’s solution still uses curl.

    But can it really be that hard to push out a simple new cookie across platforms? Maybe it really is that hard, but it’d certainly be a more elegant solution.

    —–

    And now we can at least understand why TiVo first blamed Microsoft. Everything worked fine on OS X when they did a quick test.

  31. Agree with Chucky’s sentiments on Java. Just don’t enable the web plugin. Firefox at least makes this easy–it disables it for you. Unless you notice the little banner at the bottom informing you that the java plugin has been disabled by Firefox and if you’d like to enable it click here, you’ll never get the web plugin, no matter what Oracle tries to do.

    And by the way, if you aren’t using Ninite yet, you really should. Want to update Java, just navigate to http://www.ninite.com/java and run the executable it downloads to your machine. No prompts, no McAfee spam, nothing. All automated. Works for all the common stuff like Air, Java, Flash, Acrobat, etc.

  32. “Agree with Chucky’s sentiments on Java. Just don’t enable the web plugin.”

    Seems as if we need to open a Mom Technical Support Issue™ ticket for Apple, Facebook, and Twitter employees…

  33. Yeah, the Java thing hitting Apple developers seems a bit odd, seeing as Safari takes so many steps to keep Java at bay–Macs don’t come with Java installed, Safari has the web plugin disabled by default, will disable it after it is enabled if you don’t use it for a while, prompts you if you try to use it, etc etc.

    But hey, who knows what these particular developers were doing. Maybe they’re testing backward compatibility with older versions of OSX and Safari or something…

  34. Many thanks to this web site. Morac’s fake sid cookie worked great for me (win 7 and TiVo sys 3). I’m also playing with kmttg, which is AWESOME as far as I can see so far.

    I would like to clarify the Java vulnerability issue. As I understand it, if you open the Java Control Panel, Security tab, and un-check “Enable Java content in the browser” all should be OK, Java-security wise. Please correct me if that’s not so. Cheerio.

  35. “Speaking of TiVo, TiVo To Go Desktop transfers have been busted a week now. Company suggests rolling back PC clock.”

    But they (admirably) do have nice things to say about Morac’s fix for “power users”:

    “The workaround posted by morac is a great and relatively easy solution for power users like the community found on the forums, but an average or inexperienced user may have difficulty or be slightly intimidated in applying those changes.”

  36. “Yeah, the Java thing hitting Apple developers seems a bit odd … But hey, who knows what these particular (Apple) developers were doing. Maybe they’re testing backward compatibility with older versions of OSX and Safari or something…”

    Judging from what’s happened to OS X post-10.6, Occam’s razor would simply suggest that Apple has replaced all of their devs with Moms.

  37. Just checked today. Same answer to every question. “Don’t have a fix date”. When I personally pressured the rep he said call back on Wednesday. Why Wed. I said…cause it’s supposed to be fixed by Monday. So he was not able to say that 10 minutes earlier. Okay..I’m with Dave Zatz…comp me for the rest of the life of this puppy which, likely won’t be too long anyway. So many other ways to get programming.

  38. The fix posted by TiVo does work. Surprising my google search did not find the TiVo site, but this one. Thanks for having this on your web page.

  39. Did anyone else notice that the cookie expiration date was set to exactly 4 years after the planned analog broadcast TV turnoff date in 2009? Perhaps that’s sort of related to how long TiVo expects the lifetime of a bit of their hardware to be.

    I was writing my own program to transfer files to and from the server in C++ and ran into the cookie problem today. I worked around the problem by noticing a cookie request and setting a cookie but ignoring the actual expiration date. It was nice to read your comments here and see that I could have been setting any bogus sid just to satisfy the tivo.
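
Added example (not part of the original post, and not code from TiVo, kmttg or any commenter): a small Python model of the failure discussed in the post and in comments 1 and 39. It shows why a client that honours `Expires` stops sending the cookie, why setting the clock back restores transfers, and how the presence-only server check described in comment 1 differs from one that validates the value. The header, sid value, timestamp and all function names are constructed assumptions.

```python
import hmac
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header: the real sid value and exact timestamp are not on the page.
SET_COOKIE = "sid=0123456789abcdef; path=/; expires=Sat, 16 Feb 2013 20:00:00 GMT"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, expires or None)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "expires":
            expires = parsedate_to_datetime(val.strip())
    return name, value, expires


def cookie_to_send(header, client_clock):
    """Cookie header a client that honours Expires sends back, or None."""
    name, value, expires = parse_set_cookie(header)
    if expires is not None and client_clock >= expires:
        return None  # expired: the client drops it, so the next request has no sid
    return f"{name}={value}"


def presence_only_check(cookie):
    """Server check as described in comment 1: any sid cookie is accepted."""
    return cookie is not None and cookie.startswith("sid=")


def validating_check(cookie, issued_sids):
    """Hypothetical stricter check: the value must match one the server issued."""
    if cookie is None or not cookie.startswith("sid="):
        return False
    presented = cookie[len("sid="):].encode()
    return any(hmac.compare_digest(presented, s.encode()) for s in issued_sids)


def transfer_allowed(client_clock, override_cookie=None):
    """One download attempt against the presence-only server."""
    cookie = override_cookie or cookie_to_send(SET_COOKIE, client_clock)
    return presence_only_check(cookie)


if __name__ == "__main__":
    utc = timezone.utc
    print("before expiry: ", transfer_allowed(datetime(2013, 2, 15, tzinfo=utc)))
    print("after expiry:  ", transfer_allowed(datetime(2013, 2, 17, tzinfo=utc)))
    print("clock set back:", transfer_allowed(datetime(2012, 2, 17, tzinfo=utc)))
    print("bogus sid:     ", transfer_allowed(datetime(2013, 2, 17, tzinfo=utc), "sid=bogus"))
    print("bogus sid, validating server:",
          validating_check("sid=bogus", {"0123456789abcdef"}))
```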
