Hello everybody, welcome to "Google TV or: How I Learned to Stop Worrying and Exploit Secure Boot". My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. We've got CJ, who is an IT systems administrator; gaiaphage, I think he's out running CTF right now; and we have Tom Dwenger in the audience, you know, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and also the founder of the GTVHacker team.

So GTVHacker is a group of about six hackers that hack on the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker team was the first to exploit the Google TV and won a five-hundred-dollar bounty.

So what is the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV basically becomes the same Android device as your phone. It has HDMI in, HDMI out, and some of them include Blu-ray players; the Sony TV has an integrated Google TV. It has a custom version of Chrome and a Flash version that we're going to talk about later.

So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the previous generation, gen 1, is now end of life. And the Flash player, I'll get to that in the next slides.

So before we start I'll do a really brief recap of the stuff we did last year at DEF CON. I'm going to speed through it, so if you miss something go look at last year's slides. So the gen 1 hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART; we also have an exploit by Dan Rosenberg that uses /dev/mem, and Saurik wrote an Impactor plugin, awesome. And so the Sony, similar situation, it's a nodev bug. We also wrote a custom recovery for it and used kexec to load in a different kernel, so now we have unsigned kernels.

So let's talk about the Flash player. The Flash player was blocked by many streaming sites, so for example you can't watch Hulu, you get redirected to a page that says "sorry, this is a Google TV". And the fix for that is actually just changing the version string.

So what happened after we hacked these Google TV devices? We found this. This is a great message from Logitech that they hid in the Android recovery; it's a ROT13 cipher that says "GTVHacker, congratulations, if you're reading this please post a note on the forum and let us know", and includes all of our nicknames. Yes, whoever that is at Logitech that wrote that, you're awesome. This is why we hack devices.

So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way for the Boxee+ community ARM, and it's still vulnerable, so that's awesome.

So next up is Amir.

Hello everyone, I'm going to continue the presentation. My section concerns gen 2 hardware and one of the first 0-days we're going to release for the platform, gen 2 at least. So gen 2 hardware: now we have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were going to increase the market share. But basically you have the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have an identical hardware design across the majority of the
generation, short of the LG 47G2 and G3. Gen 2 includes a Marvell 88DE3100-based chipset. It's an ARM dual-core 1.2 GHz processor dubbed the Armada 1500. It incorporates an on-die crypto processor with separate memories, and it does secure boot from ROM via RSA verification and AES decryption. This particular slide, there's not a whole lot that you really need to pull from this; it was just straight from their marketing material for the chip. Yeah, it's just here to show you sort of how they presented the chipset itself. Skip the placeholder, evidently.

So platform data: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were huge news, and Saurik wrote his amazing tool Impactor. It's not a bionic libc setup, it's a fat glibc setup, and it does not support Android native libraries at this time. So gen 1 was an Intel CE4150, that is x86, single-core Atom 1.2 GHz. Gen 2 is a Marvell Armada 1500, dual-core ARM 1.2 GHz, so they switched from x86 to ARM. Android 4.2 incoming for gen 2 adds native libraries and bionic libc, from what we've heard in the rumor mills.

So I'll go through these next devices pretty quickly because, you know, it's all public info, I'm sure you guys don't really care too much. 8 gigabyte eMMC flash in the Sony NSZ-GS7; it has the best remote, so if you're going to buy a Google TV we'd probably recommend this one, hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be across the whole platform but it's sadly not.

The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are done through UpdateLogic versus the standard Android checkin method; it's common across all Vizio devices.

The Hisense Pulse, this has the second-best remote in our opinion. It was released with ADB running as root when it first came out, so if you pick one up before it's actually updated you can simply adb in, adb root, and you know adb has root privileges. So it was patched shortly after. It has a $99 MSRP. Along with the adb root there was also a UART root setup, I guess for debugging and whatnot, and they had ro.debuggable set as 1, so adb root was all you really needed if you want a software root. But if you wanted to have some fun, you know, hook up your UART adapters that we give you after this; you can technically hook up to that pinout that's right up there. Again, we're going to have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a terrible remote, it's $129 MSRP. We had two exploits for it: one was real, one was technically an oversight, at least in our opinion. The oversight was
that they went ahead and set the console to start up on boot regardless of what ro.secure was set as. ro.secure is set to, like, when they're in a debug environment they'll set ro.secure to 0, and when they're not in a debug environment they set ro.secure to 1 for just setting up special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update system for the Netgear NeoTV Prime. Basically the process involves checking whether a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from a USB drive to a tmp directory, then it just straight executes a shell script from that file. So you run it, you get local command execution pretty easily with just a thumb drive with a special tgz file and shell script.

So then the ASUS Cube. It's the same gen 2 hardware, terrible remote again, $139 MSRP, but we actually like this box because of this next part: CubeRoot. So we had a lot of fun with this. We hadn't actually done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and kind of, certain users were a big part of this. So this was great because we created an app that not only exploits but patches your ASUS Cube, because our whole concern was that releasing an exploit on the market, you know, if somebody else takes a look at it they could, you know, put it in their own app and, you know, root your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically how it worked: it exploited a helper app, the O!Play helper, via a world-writable UNIX domain socket. The helper app passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that just basically showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted about 256 boxes, including one engineering build, which was very interesting, and it took two months for them to actually patch it. So you know, it was six days on the market; can you imagine the kind of damage anyone could have actually done if they were trying to be malicious and not just help people unlock their devices?

So then we got into the 0-day which I told you guys about. We have been using this bug for quite a while to do our investigations on, like, new devices, and research on new devices to sort of see how things are set up. So this is sort of something that's near and dear to us because it's worked on the whole platform so far. So what it is, we call it the Magic USB; we just like saying magic since we're on the Penn and Teller stage, I guess. So if you remember our past exploits with the Sony gen 1 GTV, it required four USBs, you could narrow down the number to a lot lower, but you have to have a bunch of different images for your USB drive, and it leveraged an improperly mounted ext3 drive which was mounted without nodev. So this is quite similar to that. It's NTFS, but it's not done in recovery; however it's just as powerful. So all Google TVs and some other Android devices are vulnerable. What this bug is, I'll get to that in the next slide. The way this is set up, it requires a user to have an NTFS removable storage device; it requires the device to be mounted nodev when you plug it in, so you can easily just run mount and see if it's nodev. And so it affects more than just Android, it affects specific kernel configurations, or vold configurations.

So with this specific setup, vold mounts NTFS partitions without nodev, and a little-known feature: it does support block devices. So our Magic USB, basically the process is: you get the major and minor numbers, you create a device node on a separate PC on an NTFS-formatted drive, you plug it into the Google TV and you dd onto that newly created device that's on your USB drive. The kernel does its magic; even though the partitions are mounted read-only, it overwrites them just wonderfully. So we dumped the boot image, we patched it up, init.rc or default.prop, to ro.secure 0, we write it back as a user, no root needed, we reboot and we're rooted. Several boxes require an additional step.

So now I'll go ahead and introduce Hans Nielsen.

Oh yeah, hello, I'm Hans. So something that we really love doing here at GTVHacker is we like taking things apart, and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel very good. So there's a few platforms out there, you know, some interesting Google TV platforms. One of these is this TV, which is made by LG. It's an interesting implementation of the platform; they use a different chip than the rest of the gen 2 Google TVs, it's a custom chip called the L9, it's a custom LG SoC that they use in it. LG also signed virtually everything regarding images on the flash filesystem, including the boot splash images. So this platform has always sort of eluded us; you know, it's inside a 47-inch LCD TV, and it's priced up-market since it's a Google TV, you know, it's cool. So
this thing's more than a thousand dollars, and you know, we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was, on eBay we just bought a power supply and a motherboard for the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much. So once we had this we did that thing that we love so much: we soldered some wires to it.

So this hardware is based around that LG SoC, and the storage it uses on this is an eMMC flash chip. So it's similar to an SD card; it just has a few additional little bits that allow for secure boot storage and other things like that. But basically what it allows us to do is that we can just solder, you know, a very small number of wires to this thing and hook it up directly to an SD card reader, and with that SD card reader we can read and write the flash on the device, well, you know, no problems here. It's like, most devices will have a NAND chip. It's much trickier to write those; they have a lot more pins, the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader.

So to actually root this thing we spent some time digging through the filesystem, seeing what's here, you know, how can we pull stuff apart. At 0x100000 we found the partition info that tells us where each of the different partitions that are used in this device are. So what we did then was we just went through each of the partitions looking for: okay, is this one signed, can we do anything with it, is there fun stuff here? So one of the more interesting partitions, as usual, is system, because that contains virtually all the data used to actually run Google TV; that's where all the APKs live, that's where all the libc lives. So like we said, all the filesystem stuff was signed, virtually, but it turns out that they did not sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets directly called from the bootloader, and then messing with it. So it turns out that the boot partition, you can see on the right side here, there is part of the boot scripts at the bottom; it calls this script, vendor/bin/…forced_strip.sh, so that's on system. So we just replace that file to spawn a shell connected to UART; you know, again, we love soldering wires to things. And there we go, then we have root, all on a device that we never actually bought the whole thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so just a matter of rewriting those partitions. So the first thing that we did, the usual way to do this in Android, is you modify the boot properties to say okay, ro.secure is 0, so that you can just straight up adb to the device and everything will just be fine, simple, basic. But we did that and it didn't work. So it turns out the init scripts were actually checking signatures for some things, and it was also making sure that some of these properties were not set, so it's like, alright, ro.secure has to be 1. Well, so we went around looking at how is the signature stuff working, and it turns out that they're just not verifying those signatures, so it was quite easy to just swap in init, and then we were able to do whatever we wanted. Yeah, this is why you don't give hardware access to devices, because you get to do things like this, and then we win.

Another fun aspect that this device had: it had a SATA port, an unpopulated SATA header on the device, but it did also have the necessary passive components on the board for this. So we soldered a SATA connector to it, plugged in a hard drive. So far it doesn't show up that the kernel actually supports this stuff, but the hard drive is actually spinning up, and we're pretty sure it can be working, and we'll talk more about that.

So beyond those two devices is another device that came out really recently, a pretty exciting device, very similar. It's an interesting evolution of the GTV family: Google Chromecast. Google announced the device last week, last Wednesday even. It's $35; you know, this is an order of magnitude cheaper than practically any current GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do; it just, straight up, you plug it into the TV and then you power it via the USB cable, and boom, you have something that you can use to share videos. It's actually a really great device and we think it's very interesting in many ways. We think it solves some of the problems that GTV has had in the past with, you know, it's sort of an expensive niche platform. It's a really interesting device; instead of having two thick clients to deal with things, to handle content, you now have one thinner device that goes with your thick device, say your phone or your PC, and then you can share content to it. So one of the interesting things about that is, so this is a thin device, how are you pushing content to this device? Well, you're not just streaming video from your phone, you know, that's really slow, that's hard to do. This device is in