DEF CON 21 – Panel – Google TV

Hello everyone, welcome to Google TV, or: How I Learned to Stop Worrying and Exploit Secure Boot. My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have, we also have Hans Nielsen, who is a senior security consultant at Matasano. We have CJ Heres, an IT systems administrator. Gynophage, I believe he is out running CTF today, and we've got Tom Dwenger in the audience, and you know, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and also the founder of the GTVHacker team. So GTVHacker is a group of about 6 hackers that hack on the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker group was the first to exploit the Google TV and received a five-hundred-dollar bounty.

So what is the Google TV platform? The Google TV platform is an Android device that connects to the TV, so your TV essentially becomes the same Android device as your phone. It has HDMI in, HDMI out, and some of them include Blu-ray players. The Sony TV has an integrated Google TV. It has a custom version of Chrome and a Flash version that we will talk about later. So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a really restricted kernel, and the previous generation, generation 1, is now end of life, and also the Flash player, I will get to that in the next slides.

So before we start I will do a very quick recap of the things we did last year at DEF CON. I'll speed through it, so if you miss anything go check out last year's slides. So the generation one hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit by Dan Rosenberg that works by using /dev/mem, and saurik wrote an Impactor plugin, awesome. So the Sony, similar situation, it has a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels. So let's talk about the Flash player. The Flash player was blocked by many streaming sites, so for example you cannot watch Hulu, you get redirected to a site that says sorry, this is a Google TV, and the fix for that is literally just changing the version string.

So what happened after we hacked these Google TV devices? We found this, this is a nice message from Logitech which they hid in the Android recovery. It is a ROT13 cipher that says GTVHacker, congratulations, if you are reading this please post a note on the forum and let us know, let me know, and it includes all of our nicknames. Yes, whoever that is at Logitech that wrote that, you are awesome. This is why we hack devices. So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way for the Boxee+ community firmware, and it's still vulnerable, so that's awesome. So next up is Amir.

Hi everyone, I will continue the presentation. My section regards gen two hardware and one of the first 0-days we'll release for the platform, gen two at least. So gen two hardware, we have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were going to increase the market share. But mainly you have the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7, GS8, the Hisense Pulse and the Vizio Co-Star. They have the same hardware design across the majority of the generation, short of the LG 47G2 and G3. Generation 2 includes a Marvell 88DE3100 based chipset. It's an ARM dual 1.2 gigahertz processor dubbed the Armada 1500. It includes an on-die crypto processor with independent memories, and it does secure boot from ROM through RSA verification and AES decryption. This particular slide, there's not a whole lot that you really want to pull from this, it was just directly from their marketing stuff for that chip. Yeah, it's just here to give you kind of how they pitched the chipset itself. Skip the placeholder, apparently.

So platform information: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were big news, and saurik wrote his awesome tool, Impactor. It's not a bionic libc setup, it's a glibc setup, and it does not support Android native libraries currently. So gen one was an Intel CE4150, which is an x86 single-core Atom 1.2 gigahertz. Gen two is a Marvell Armada 1500 dual-core ARM 1.2 gigahertz, so they switched from x86 to ARM. Android 4.2 incoming for gen two adds native libraries and bionic libc, from what we have heard in the rumor mills.

So I will go through these next devices pretty quickly, as you know it's all public information, I'm sure you guys don't really care too much. An 8 gigabyte eMMC flash inside of the Sony NSZ-GS7. It has the best remote, so if you're going to buy a Google TV I, we probably recommend this one, hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be across the whole platform, but it's sadly not. The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done through UpdateLogic rather than the standard Android update system. It is common in all Vizio devices. The Hisense Pulse, this has the second-best remote in our opinion. It was released with ADB running as root when it initially was released, so if you pick one up before it's actually updated you could simply ADB in and ADB root, and you know ADB root has root privileges. So it was patched shortly after, and it's a $99 MSRP. With ADB root there was also a UART root set up, I guess for debugging and whatnot, and they had ro.debuggable set as one, so ADB root was all you really needed if you want a software root. But if you wanted to spend some cash, you know, connect your UART adapters that we give you after this, you can technically connect to that pinout that's right up there. Again, we are going to have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a terrible remote, it's $129 MSRP. We had two exploits for it, one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and set the console to start up on UART regardless of whatever ro.secure was set as. ro.secure is set to, for like whenever they're in a debug environment they will set ro.secure to 0, and if they're not in the debug environment they set ro.secure to 1 for just starting special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update system on the Neo, the Netgear NeoTV Prime. Basically the process involves checking if a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from the USB drive to a temp directory and then it just straight executes a shell script from that file. So you run it, you get local command execution fairly simply with just a thumb drive with a special tgz file and shell script.

So then the ASUS Cube. It is the same generation two hardware, horrible remote again, $139 MSRP, but we really like this box because of the next part, Cube Root. So we had a lot of fun with this. We had not actually done an Android, an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and kind of specific users were a big part of this. So this was great because we built an app that not only exploits but patches your ASUS Cube, because our whole concern was that releasing an exploit in the market, you know, if someone else takes a look at it they might, you know, put it in their own app and, you know, root your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically how it worked is it exploited a helper app called O!Play helper via a world-writable UNIX domain socket. The helper app passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that just basically required network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted close to 256 boxes, including one engineer build, which was pretty awesome, and it took two months for them to actually patch it. So you know, it was six days on the market, can you imagine the kind of damage somebody could have actually done if they were trying to be malicious and not only help people unlock their devices?

So then we get to the 0-day that I told you guys about. We have not, we have been using this bug for some time to do our investigations on like new devices and research on new devices, to sort of see how things are set up. So this is sort of a thing that's near and dear to us, as it's worked on the entire platform so far. So what it is, is we call it the magic USB. We just like saying magic because we're on the Penn and Teller stage, I guess. So if you recall our past exploits with the Sony gen one GTV, it required four USBs, you could slim down the number to a lot less, but you have to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive which was mounted without nodev. So this is rather similar to that. It's NTFS, but it isn't, but in, it isn't done in recovery, but it's just as, equally as powerful. So all Google TVs and some other Android devices are vulnerable. What this bug is, is actually, I will get to that in the next slide. The way that this is set up, it requires a user to have an NTFS removable storage device. It requires the devices to be mounted nodev when you plug it in, so you can simply run mount and see if it's nodev. And so it affects more than just Android, it affects particular kernel configurations, or certainly configurations. So with this particular setup, vold mounts NTFS partitions without nodev, and a little-known feature, it does support block devices. So our magic USB, basically the process is you, you go, you get the major and minor numbers, you create a device on a different computer on an NTFS formatted drive, you plug it into your Google TV and you simply dd onto that newly created device that's on your USB drive. The kernel does its magic, even though the partitions are mounted, it overwrites them just beautifully. So we dump the boot image, we patch it, init.rc or default.prop to ro.secure 0, we write it back as a user, no root needed, we reboot and we're rooted. A number of boxes require a further step. So now I'm going to go ahead and bring up Hans Nielsen.

Oh yeah, hello, I'm Hans. So something that we really love doing here at GTVHacker is we like taking things apart and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel very good. So there's a few platforms out there, you know, some, some interesting Google TV platforms. One of these is this TV that is made by LG. It is an interesting implementation of the platform, they use a different chip than the rest of the gen two Google TVs. It has a custom chip called the L9, it's a custom LG SoC they use in it. LG also signed basically everything in terms of images on the flash file system, including the boot splash images. So this platform has generally sort of eluded us, you know, it's in the 47 inch LCD TV and they marked it up because it's a Google TV, you know, it's neat. So this thing's over a thousand bucks and, you know, we really did not want to spend a thousand dollars on it. So what are we gonna do? Well, I mean we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much. So once we had this we did that thing that we love so much, we soldered some wires to it.

So this hardware is based around that LG SoC, and the storage it uses on this is, it uses an eMMC flash chip. So it's very similar to an SD card, it just has a few more little bits that allow for secure boot storage and other things like that. But basically what it allows us to do is that we can just solder, you know, only a few number of wires to this thing and hook it up directly to an SD card reader, and with that SD card reader we can read and write the flash of the device, you know, no problems here. It's like most devices will have a NAND chip, it's a lot trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader. So to actually root this thing, we spent a while digging in the filesystem, seeing what is, what is here, you know, how can we pull stuff apart. At 0x100000 hex we found the partition info that tells us where each of the different partitions that are used on this device are. So what we did now was we just went through each of the partitions looking for okay, is this one signed, can we do anything with it, is there fun stuff here. So one of the more interesting partitions, as usual, is system, because that contains nearly all of the files used to actually run Google TV. That is where all the APKs live, that is where all the libc lives. So like we said, all the filesystem stuff was signed basically, but it turns out that they didn't sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets quickly called from the bootloader, and then messing with it. So it turns out that the boot partition, you can see on the right side here, there's part of the boot scripts at the bottom. It calls this vendor bin, install forced strip dot sh, so that's on, that is on system. So we just replace that file to spawn a shell connected to UART, you know, again we love soldering wires to things. And there we go, then we have root, all on a device that we never actually bought the complete thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so just a matter of rewriting those partitions. So the first thing that we did is the standard way to do that in Android, is you modify the boot properties to say okay, ro.secure is 0, so that you can just straight up ADB to the device and everything will just be great, quick, easy. But we did that and it didn't work. So it turns out that the init scripts were actually checking signatures for some stuff, and it was also making sure that some of these properties were not set, so it's like okay, ro.secure should be 1. Well, so we went around checking out how is the signature stuff working in init, so that they're just not verifying those signatures. So it was very simple to just change init, and then we were able to do whatever we wanted. Yeah, this is why you don't have hardware access to systems, because you get to do things like this, and then we win. Another fun feature this device had, is it had a SATA port, an unpopulated SATA header inside the device, but it did actually have the necessary passive components on the hardware for this. So we soldered a SATA connector to it, plugged in a hard disk drive. So far it doesn't seem that the kernel actually supports this stuff, but the hard disk is actually spinning up and we are pretty sure it is working, and we'll talk more about that.

So beyond those two devices is another device that came out very recently, a very interesting device, very related. It's an interesting evolution of the GTV family, Google Chromecast. Google announced the device last week, last Wednesday even. It's $35, you know, this is an order of magnitude cheaper than practically any GTV, any current GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do, it's just straight up, you plug it in to the TV and then you power it through the USB cable, and boom, you've got something that you can use to share videos. It's really a really cool device, and we think it is very cool in some ways. We think it solves some of the problems that GTV has had previously with, you know, it's kind of an expensive niche platform. It's a really interesting device: rather than having two thick clients to deal with stuff, manage content, you now have one thinner device that goes along with your thick device, say your mobile phone or your computer, and then you can share content straight to it. So one of the interesting things about that is, so that is a
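The talk above names two device-side preconditions a defender can check for: removable media that vold mounts without nodev (the "magic USB" precondition) and ro.secure / ro.debuggable left at debug values. The following Python audit is an added example, not code from the talk or from GTVHacker; it parses constructed /proc/mounts and getprop-style text and flags those conditions. The mount-type list and the /mnt and /storage prefixes are assumptions for the example.

```python
"""Audit mount options and system properties for the conditions
described in the talk. All sample data below is constructed."""

# Assumed: filesystem types and mountpoint prefixes typical of removable media.
REMOVABLE_FSTYPES = {"ntfs", "fuseblk", "vfat", "exfat", "ext3", "ext4"}
REMOVABLE_PREFIXES = ("/mnt/", "/storage/")


def parse_mounts(mounts_text: str) -> list:
    """Parse /proc/mounts lines into dicts of device, mountpoint, fstype, options."""
    entries = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        entries.append({
            "device": parts[0],
            "mountpoint": parts[1],
            "fstype": parts[2],
            "options": set(parts[3].split(",")),
        })
    return entries


def parse_props(getprop_text: str) -> dict:
    """Parse 'getprop' output lines of the form [name]: [value]."""
    props = {}
    for line in getprop_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        name, value = line[1:-1].split("]: [", 1)
        props[name] = value
    return props


def audit(mounts_text: str, getprop_text: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for m in parse_mounts(mounts_text):
        removable = (m["fstype"] in REMOVABLE_FSTYPES
                     and m["mountpoint"].startswith(REMOVABLE_PREFIXES))
        # Without nodev, a device node placed on the USB drive is honoured by the kernel.
        if removable and "nodev" not in m["options"]:
            findings.append(f"{m['mountpoint']} ({m['fstype']}) mounted without nodev")
    props = parse_props(getprop_text)
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd does not drop root")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: 'adb root' is permitted")
    return findings


# Constructed sample data: one NTFS stick without nodev, one FAT stick with it.
SAMPLE_MOUNTS = """\
/dev/block/mmcblk0p5 /system ext4 ro,relatime 0 0
/dev/block/sda1 /mnt/usb/sda1 ntfs rw,nosuid,relatime 0 0
/dev/block/sdb1 /mnt/usb/sdb1 vfat rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_PROPS = """\
[ro.secure]: [1]
[ro.debuggable]: [1]
[ro.build.version.release]: [3.2]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS, SAMPLE_PROPS):
        print("FLAG:", finding)
```

On a real device the same functions can be fed the output of `adb shell cat /proc/mounts` and `adb shell getprop`.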