Greetings everyone, welcome to Google TV or How I Learned to Stop Worrying and Exploit Secure Boot. My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. We have CJ here, an IT systems administrator. gaiaphage, I believe he's out working CTF today. And we have Tom Dwenger in the audience, you know, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and also the founder of the GTVHacker group.

So GTVHacker is a group of about six hackers that hack into the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker group was the first to exploit the Google TV and received a five-hundred-dollar bounty. So what is the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV effectively becomes the same Android device as your cell phone. It has HDMI in, HDMI out, and some of them include Blu-ray players; the Sony TV has an integrated Google TV. It's a custom version of Chrome and a Flash version that we'll talk about later. So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the past generation, generation one, is now end of life, and the Flash player, I'll get to that in the next slides.

So before we start I'll do a very quick recap of the things we did last year at DEF CON. I'll speed through it, so if you miss something go look at last year's slides. So the gen one hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit by Dan Rosenberg that works by using /dev/mem, and saurik wrote an Impactor plugin. Great. So the Sony, same situation, it has a nodev bug; we also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels. So let's look at the Flash player. The Flash player was blocked by many streaming sites, so for example you can't watch Hulu, you get redirected to a site that says sorry, this is a Google TV, and the fix for that is literally just switching the version string. So what happened after we hacked these Google TV devices, we found this: it's a nice message from Logitech that they hid in the Android recovery. It's a rot13 cipher that says GTVHacker, congratulations, if you're reading this please post a note on the forum and let us know, and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. That is why we hack devices. So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way for the Boxee+ community, and it's still vulnerable, so that's cool. So next up is Amir.

Hi everyone, I'm going to continue the presentation. My part covers gen two hardware and one of the first 0-days we're going to release for that platform, gen two at least. So gen two hardware: we have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were planning to increase the market share, but basically you have the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have a similar hardware layout throughout most of the generation, short of the LG 47G2 and G3. Generation two consists of a Marvell 88DE3100 based chipset; it's an ARM dual core 1.2 GHz processor dubbed the Armada 1500, it has an on-die crypto processor with separate memories, and it does secure boot from ROM via RSA verification and AES decryption. This particular slide, there's not a whole lot that you really want to pull from this, it was just straight from their marketing stuff for that chip. Yeah, it's just here to show you sort of how they pitched the chipset itself. Skip the placeholder, obviously.

So platform info: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were big news, and saurik wrote his amazing tool Impactor. It isn't a bionic libc setup, it's a fat glibc setup, and it doesn't support Android native libraries now. So gen one was an Intel CE4150, which is an x86 1.2 GHz Atom; gen two is a Marvell Armada 1500 dual core ARM 1.2 GHz, so they switched from x86 to ARM. Android 4.2 incoming for gen two adds native libraries and bionic libc, from what we've heard from the rumor mill.

So I'll go through these next devices really quickly because, you know, it's all public info, and I'm sure you guys don't really care too much. A gigabyte eMMC flash in the Sony NSZ-GS7; it has the best remote, so if you're going to get a Google TV we'd probably recommend this one. Hard to recommend Sony: larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be across the whole platform but it's sadly not. The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done through UpdateLogic instead of the regular Android checkin process; it's common in all Vizio devices. The Hisense Pulse, this has the second-best remote in our opinion. It was released with adb running as root when it first came out, so if you pick one up before it's actually updated you can just adb in and adb root, and you know, adb has root privileges. So it was patched shortly after, and it has a $99 MSRP. Along with the adb root there was also a UART root set up, I guess for debugging and whatnot, and they had ro.debuggable set as 1, so adb root was all you really needed if you want a software root. But if you wanted to have some fun, you know, connect your UART adapters that we give you after this, you could technically connect to that pinout that's right up there. Again, we'll have a select number of USB TTL adapters. So the Netgear NeoTV Prime has a terrible remote, it's $129 MSRP, and we had two exploits for it; one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and put the console to start up on UART regardless of what ro.secure was set as. ro.secure is set to, like, if they're in a debug environment they'll set ro.secure to 0, and if they're not in a debug environment they set ro.secure to 1, for just creating special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update system on the Neo. The Netgear NeoTV Prime, basically the process involves checking that a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from a USB drive to a temp directory and then it just straight executes a shell script from that file. So you run it and you get local command execution pretty easily with just a thumb drive with a special tgz file and shell script.

So then the ASUS Cube. It's the same gen two hardware, terrible remote again, $139 MSRP, but we really like this box because of this next section: CubeRoot. So we had a lot of fun with this. We hadn't really done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and certain members were a big part of this. So this was good because we made an app that not only exploits but it patches your ASUS Cube, because our whole fear was that releasing an exploit out there, you know, if somebody else takes a look at it they could, you know, put it in their own app and root all your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically how it worked: it exploited a helper app called OPlayHelper via a world-writable UNIX domain socket. The helper app passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that just literally showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun, so with that being said, it was pulled by Google after six days. We rooted around 256 boxes, like one engineering build, which was pretty cool, and it took two months for them to actually patch it. So you know, six days in the market; can you imagine the kind of damage somebody could have actually done if they were trying to be malicious and not just help people unlock their devices?

So then we got to the 0-day which I told you guys about. We've been using this bug for a while to do our research on new devices, to kind of see how things are set up, so this is kind of something that's near and dear to us because it's worked on the whole platform so far. So what it is, we call it the magic USB; we just like saying magic because we're on the Penn and Teller stage, I guess. So if you remember our past exploits with the Sony gen one GTV, it required four USBs; you could narrow down the number to a lot less, but you have to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive which was mounted without nodev. So this is pretty similar to that: it's NTFS, and it's not done in recovery, but it's just as equally as powerful. So all Google TVs and a few other Android devices are vulnerable. What this bug is, I'll get to that in the next slide. How this is set up: it requires a user to have an NTFS removable storage device, and it requires the devices to be mounted without nodev when you plug it in, so you can easily just run mount and see if it's nodev. And so it affects more than just Android; it affects certain kernel configurations, or vold configurations. So with this particular setup vold mounts NTFS partitions without nodev, and a little-known feature: it does support block devices. So our magic USB, basically the process is that you go get the major and minor numbers, you set up a device node on a separate computer on an NTFS formatted drive, you plug it into your Google TV, and you dd onto that newly made device that's on your USB drive. The kernel does its magic; even though the partitions are mounted read-only, it overwrites them just beautifully. So we dumped the boot image, we patch it up, the RC or default.prop, ro.secure 0, we write it back as a user, no root needed, we reboot and we're rooted. Several boxes require an additional step. So now I'll go ahead and introduce Hans Nielsen.

Oh yeah, hello, I'm Hans. So one thing that we really love doing here at GTVHacker is we like taking things apart and then we like soldering little wires to things; it tickles something deep within our brain that makes us feel really good. So there's a couple of platforms out there, you know, some interesting Google TV platforms. One of them is this TV which is made by LG. It's an interesting implementation of the platform: they use a different chip than the rest of the gen two Google TVs. It has a custom chip called the L9; it's a custom LG SoC which they use in it. LG also signed pretty much everything in terms of images on the flash file system, including the boot splash images, so this platform has always sort of eluded us. You know, it's in a 47-inch LCD TV, and it's at the upper end of the market since it's a Google TV, you know, it's interesting. So this thing's over a thousand dollars, and you know, we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much. So once we had this we did that thing that we love a lot: we soldered some wires to it. So this hardware is based around that LG SoC, and the storage it uses on this is an eMMC flash chip, so it's very similar to an SD card, it just has a few more little bits that allow for secure boot storage and other stuff like that. But basically what it allows us to do is that we can just solder, you know, a very few number of wires to this thing and hook it up directly to an SD card reader, and with that SD card reader we can read and write from the flash on the device, basically, you know, no issues here. Like most devices would have a NAND chip; it's much trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader.

So to actually root this thing we spent some time digging in the filesystem, seeing what is here, you know, how can we pull things apart. At 0x100000 hex we found the partition info that tells us where each of the different partitions that are used in this device are. So what we did now was we just went through each of the partitions, looking, okay, is this one signed, can we do anything with it, is there fun stuff here? So one of the more interesting partitions, as usual, is system, because that contains the majority of the files used to actually run Google TV; that's where all the APKs live, that's where all the libc lives. So like we said, most of the filesystem stuff was signed, pretty much, but it turns out that they didn't sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets automatically called by the bootloader, and then messing with it. So it turns out the boot partition, you can see on the right side here, there's part of the boot scripts at the bottom, it calls this script under vendor/bin (the init forced strip .sh one), so that's on system. So we just swap that file to spawn a shell connected to UART, you know, again we like soldering wires to things, and there we go, then we have root on a device that we never actually bought the full thing of. So another device that we did this to was the Sony NSZ-GS7 and GS8; they also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so it's just a matter of rewriting those partitions. So the first thing that we did is the usual way to do this in Android: you modify the boot properties to say okay, ro.secure is 0, so you can just straight up adb to the device and everything will just be fine, easy, simple. But we did that and it didn't work. So it turns out the init scripts were actually checking signatures for some stuff, and it was also making sure that some properties weren't set, so it's like okay, ro.secure must be 1. Well, so we went around looking at how the signature stuff works in init, and said they're just not verifying those signatures, so it was pretty simple to just change init, and then we were able to do whatever we wanted. Yeah, that's why you don't have hardware access to devices, because you get to do things like this. And then we get another fun feature that this device had: it had a SATA port, an unpopulated SATA header in the device, but it did even have the necessary passive components on the hardware. So for this we soldered a SATA connector to it, plugged in a hard drive. So far it doesn't look like the kernel actually supports this stuff, but the hard drive is actually spinning up and we're pretty sure it is working, and we'll talk more about that.

So beyond those two devices is another device that came out very recently, a really interesting device, very similar; it's an interesting evolution of the GTV family: Google Chromecast. Google announced the device last week, last Wednesday even. It's $35, you know, this is an order of magnitude cheaper than practically any existing GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do; it just straight up, you plug it into the TV and then you power it from the USB cable, and boom, you have something that you can use to share videos. It's actually a really awesome device and we think it's very cool in many ways. We think it solves some of the problems that GTV has had before with, you know, it's kind of a pricey niche platform. It's definitely an interesting device: instead of needing thick clients to manage stuff, manage content, you now have one thinner device that goes with your thick device, say your phone or your computer, and then you can share content directly to it. So one of the interesting things about that is, so this is a thin device; how are you pushing content to this device? Well, you're not just streaming video from your phone, you know, that's really slow, that's really hard to do, so this device is actually pretty powerful.
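The magic USB bug Amir describes depends on one condition a practitioner can check in seconds: a removable filesystem that vold mounts without the nodev option, so that a device node placed on the stick by another machine is honoured and dd can write straight through to the underlying eMMC even though the partitions themselves are mounted read-only. The script below is an added example, not GTVHacker's code and not part of the talk; it parses a /proc/mounts style table and lists every mount whose option list lacks nodev, optionally restricted to removable media. The sample mount table is constructed for the example (device names, mount points and option strings are assumptions modelled on a typical Android layout, not captured from a real Google TV), and the "removable" heuristic (a /vold/ device path or a mount point under /mnt or /storage) is likewise an assumption.

```sh
#!/bin/sh
# Added example (not GTVHacker's code): find mounts that lack the "nodev" option.
# Input is /proc/mounts format: device mountpoint fstype options dump pass.

# nodev_gaps FILE [removable]
#   Prints "mountpoint fstype" for every entry whose option list has no "nodev".
#   With a second argument, only removable media are reported (heuristic, assumed:
#   device path contains /vold/ or mount point is under /mnt or /storage).
nodev_gaps() {
    awk -v only_removable="${2:-}" '
        # return 1 when the comma-separated option list has no exact "nodev" token
        function lacks_nodev(optlist,   n, i, o) {
            n = split(optlist, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nodev") return 0
            return 1
        }
        {
            removable = (index($1, "/vold/") > 0 || $2 ~ /^\/(mnt|storage)\//)
            if (only_removable != "" && !removable) next
            if (lacks_nodev($4)) print $2, $3
        }' "$1"
}

# Constructed sample mount table (assumed layout, not a real device capture).
# sda1 is an NTFS stick mounted by vold without nodev: the magic-USB condition.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/block/mmcblk0p5 /system ext4 ro,relatime,barrier=1 0 0
/dev/block/mmcblk0p7 /data ext4 rw,nosuid,nodev,relatime 0 0
/dev/block/vold/8:1 /mnt/usb/sda1 ntfs rw,nosuid,relatime,uid=1000,gid=1015 0 0
/dev/block/vold/8:17 /mnt/usb/sdb1 vfat rw,nosuid,nodev,relatime 0 0
EOF

echo "All mounts missing nodev:"
nodev_gaps "$SAMPLE_MOUNTS"
echo "Removable mounts missing nodev (device nodes on the stick will be honoured):"
nodev_gaps "$SAMPLE_MOUNTS" removable
```

On a real device the same check is `nodev_gaps /proc/mounts removable` from an adb or UART shell; /system shows up in the first listing only because nodev is absent, which is normal for a read-only system partition and not the removable-media case the talk is about.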