DEF CON 21 – Panel – Google TV


Greetings everyone, welcome to Google TV, or How I Learned to Stop Worrying and Exploit Secure Boot. My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. We've got CJ here, who is an IT systems administrator. gaiaphage, I think he's out running CTF at the moment. We've got Tom Dwenger from the audience, and, you know, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and the founder of the GTV Hacker team.

So GTV Hacker is a group of about six hackers that hack into the Google TV line of products. Our main intention is to bypass the hardware and software limitations and open up the device. The GTV Hacker team was the first to exploit the Google TV and won a five-hundred-dollar bounty.

So what's the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV essentially becomes the same Android device as your phone. It has HDMI in and HDMI out, and some of them include Blu-ray players; the Sony TV has an integrated Google TV. It has a custom version of Chrome and a Flash version that we'll talk about later.

So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the previous generation, generation 1, is now end of life, as is the Flash player. I'll get to that in the next slides.

So before we start I'll do a very quick recap of the things we did last year at DEF CON. I'll speed through it, so if you miss something go have a look at last year's slides. So the generation 1 hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit
by Dan Rosenberg that uses /dev/mem, and Saurik wrote an Impactor plugin, awesome. So the Sony, same situation: it's a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels.

So let's talk about the Flash player. The Flash player was blocked by various streaming sites, so for example you cannot watch Hulu; you get redirected to a site that says sorry, this is a Google TV. And the fix for that is literally just changing the version string.

So what happened after we hacked these Google TV devices? We found this. It's a nice message from Logitech that they hid in the Android recovery. It's a ROT13 cipher that says "GTV Hacker, congratulations, if you are reading this please post a note on the forum and let us know," and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. This is why we hack devices.

So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way to the Boxee+ community effort, and it's still vulnerable, so that's awesome. So next up is Amir.

Hello everyone, I'll continue the presentation. My area covers gen 2 hardware and one of the first 0-days we'll release for the platform, gen 2 at least. So gen 2 hardware: we have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were intending to increase the market share. But essentially you have the Korean LG U+, the ASUS Cube, the LG 47 G2 and G3, the Netgear NeoTV Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have an identical hardware design throughout most of the generation,
short of the LG 47 G2 and G3. Generation 2 features a Marvell 88DE3100 based chipset. It's an ARM dual-core 1.2 GHz processor dubbed the Armada 1500. It contains an on-die crypto processor with separate memories, and it does secure boot from ROM by means of RSA verification and AES decryption. This particular slide, there is not a whole lot that you really want to pull from this; it was just straight from their marketing material for the chip. Yeah, it's just here to give you sort of an idea of how they pitched the chipset itself. Skip the placeholder, apparently.

So platform data: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were big news, and Saurik wrote his awesome tool, or ported his awesome tool, Impactor. It's not a Bionic libc setup, it is a fat glibc setup, and it doesn't support Android native libraries currently. So gen 1 was an Intel CE4150, which is x86 single-core Atom 1.2 GHz. Gen 2 is a Marvell Armada 1500 dual-core ARM 1.2 GHz, so it switched from x86 to ARM. Android 4.2 incoming for gen 2 adds native libraries and Bionic libc, from what we've heard in the rumor mills.

So I'll go through these next devices rather quickly, since you know it's all public information and I'm sure you guys don't really care too much. A gigabyte MMC flash inside the Sony NSZ-GS7. It's got the best remote, so if you're going to buy a Google TV we'd probably recommend this one, hard as it is to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which sounds like something that would be across the whole platform but unfortunately it's not.

The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are done through UpdateLogic versus the standard Android checkin system; it's common in all Vizio devices.

The Hisense Pulse, this has the second-best remote in our opinion. It was launched with ADB running as root when it first was released, so if you pick one up before it's actually updated you can simply adb in, adb root, and you know adb has root privileges. So it was patched shortly after, and it has a $99 MSRP. Along with adb root there was also a UART root set up, I suppose for debugging and whatnot, and they had ro.debuggable set to 1, so adb root was all you really needed if you wanted a software root. But if you wanted to have some fun you could, you know, hook up your UART adapters that we give you after this; you could technically connect to that pinout that's right up there. Again, we'll have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a terrible remote. It's $129 MSRP. We had two exploits for it: one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and set the
console to start up on UART no matter what ro.secure was set as. ro.secure is set to, like, whenever they're in a debug environment they'll set ro.secure to 0, and if they're not in a debug environment they set ro.secure to 1, for just starting specific lockdowns. Then we did the NeoTV Prime root, which was essentially an exploit that leveraged the update method on the Neo, the Netgear NeoTV Prime. Essentially the process involves checking whether a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from the USB drive to a temp directory and then it just straight executes a shell script from that file. So if you run it you have local command execution pretty simply, with just a thumb drive with a special tgz file and shell script.

So then the ASUS Cube. It's the same gen 2 hardware, terrible remote again, $139 MSRP, but we actually like this box because of this next element, Cube Root. So we had plenty of fun with this one. We haven't really done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and certain members were a huge part of this. So this was great, because we built an application that not only exploits but patches your ASUS Cube, since our whole fear was that releasing an exploit out there, you know, if someone else takes a look at it they might, you know, put it in their own app and root your Google TVs. So we set it up so that it can do patching and it can do rooting. But essentially the way it worked: it exploited a helper app called O!Play Helper via a world-writable UNIX domain socket. The helper application passed unsanitized input to the mount command, leading to local command execution.
We triggered the vulnerability from an Android APK that just pretty much required network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted about 256 boxes, including one engineering build, which was pretty interesting, and it took two months for them to actually patch it. So you know, six days in the market, can you imagine the kind of damage someone could have really done if they were trying to be malicious and not just help people unlock their devices?

So then we get to the 0-day which I told you guys about. We've been using this bug for quite a while to do our investigations on, like, new devices, and research on new devices to sort of see how things are built, so this is sort of something that's near and dear to us because it's worked on the whole platform to date. So what it is: we call it the Magic USB. We like saying magic because we're on the Penn and Teller stage, I guess. So if you remember our previous exploits for the Sony gen 1 GTV, it required four USBs; you could narrow the number down a lot lower, but you had to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive that was mounted without nodev. So this is pretty similar to that. It's NTFS, but it isn't... it's not done in recovery, but it's just as powerful. So all Google TVs and some other Android devices are vulnerable. What this bug is, is actually, I'll get to that in the next slide, how this is set up. It requires a user to have an NTFS removable storage device; it requires the device to be mounted without nodev when you plug it in, so you can easily just run mount and see if it's nodev,
and so it affects more than just Android; it affects certain kernel configurations, certain setups. So with this particular setup vold mounts NTFS partitions without nodev, and, a little-known feature, it does support block devices. So our Magic USB, essentially the procedure is that you go, you get the major and minor numbers, you create a device node on a separate computer on an NTFS formatted drive, you plug it into your Google TV and you dd directly to that newly created device that's on your USB drive. The kernel does its magic; although the partitions are mounted read-only, it overwrites them just beautifully. So we dumped the boot image, we patch it up, init.rc or default.prop to ro.secure 0, we write it back as a user, no root required, we reboot and we're rooted. Several boxes need one more step. So now I'm going to go ahead and introduce Hans Nielsen.

Oh yeah, hello, I'm Hans. So one thing that we really like doing here at GTV Hacker is we like taking things apart, and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel very good. So there are a number of platforms around, you know, some interesting Google TV platforms. One of these is this TV, which is made by LG. It's an interesting implementation of the platform. They use a different chip than the rest of the gen 2 Google TVs; it has a custom chip called the L9. It is a custom LG SoC which they use in it. LG also signed basically everything in terms of images on the flash filesystem, including the boot splash images. So this platform has always sort of eluded us. You know, it's in a 47-inch LCD TV and it's fairly up-market since it's a Google TV, you know, it
is neat. So this thing's over a thousand dollars, and you know we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We didn't actually get the rest of the TV, and it turns out you can get that for not that much. So once we had this we did that thing that we love so much: we soldered some wires to it.

So this hardware is based around that LG SoC, and the storage it uses, it uses an eMMC flash chip. So it's very similar to an SD card; it just has some extra little bits that allow for secure boot storage and other things like that. But essentially what it allows us to do is that we can just solder, you know, a very small number of wires to this thing and hook it up straight to an SD card reader, and with that SD card reader we can read and write to the flash on the device, no problems here. Most devices will have a NAND chip; it's much trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader.

So to actually root this thing we spent some time digging through the filesystem, seeing what is here, you know, how can we pull stuff apart. At 0x100000 hex we found the partition info that tells us where each of the different partitions that are used in this device are. So what we did next was we just went through each of the partitions looking for, okay, is this one signed, can we do something with it, is there
fun stuff here. So one of the more interesting partitions, as usual, is system, because that contains nearly all the files used to actually run Google TV. That's where all the APKs live, that's where all the libc lives. So like we said, the whole filesystem thing was signed, basically, but it turns out that they didn't sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets automatically called by the bootloader, and then messing with it. So it turns out the boot partition, you can see on the right side here, there is part of the boot scripts at the bottom; it calls this vendor/bin forced strip .sh script, so that's on system. So we just replace that file to spawn a shell connected to UART, you know, again we love soldering wires to things, and there we go, then we have root on a device that we never actually bought the whole thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so it's just a matter of rewriting those partitions. So the first thing that we did, the usual way to do this in Android, is you modify the boot properties to say okay, ro.secure is 0, so you can just straight up adb to the device and everything will just be fine, easy, easy. But we did that and it did not work. So it turns out that the init scripts were actually checking signatures for a few things, and it was also making sure that some of these properties were not set, so it's like, okay, ro.secure must be 1. Well, so we went around looking at how the
signature stuff was working in init, and they're just not verifying those signatures. So it was pretty straightforward to just replace init, and then we were able to do whatever we wanted. Yeah, this is why you don't give hardware access to devices, because you get to do things like this, and then we win. Another fun feature this device had: it had a SATA port, an unpopulated SATA header inside the device, but it did actually have the necessary passive components on the board for this. So we soldered a SATA connector to it, plugged in a hard drive. So far it doesn't appear that the kernel actually supports this stuff, but the hard drive is really spinning up and we're pretty sure it is actually working, and we're going to talk more about that.

So beyond those two devices is another device that came out very recently, a very interesting device, very similar. It's an interesting evolution of the GTV family: Google Chromecast. Google announced this device last week, last Wednesday even. It's $35, you know, that's an order of magnitude cheaper than basically any recent GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do; it's just straight up you plug it into the TV and then you power it from the USB cable and boom, you have something that you can use to share videos. It's a very cool device, and we think it's very cool in several ways. We think it solves some of the issues that GTV has had in the past with, you know, it's kind of an expensive niche platform. It's a really interesting device: instead of having to have thick clients to deal with stuff, deal with content, you now have one thinner device that goes along with your thick device, say your phone or your computer,
and then you can easily share content onto it. So one of the interesting things about that is, so it's a thin device, how are you pushing content to this device