Greetings everyone, welcome to Google TV, or How I Learned to Stop Worrying and Exploit Secure Boot. My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. We have CJ Heres, an IT systems administrator. gynophage, I think he's out running CTF at the moment. And we have Tom Dwenger in the audience, you know, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and also the founder of the GTVHacker team.

So GTVHacker is a group of about six hackers that hack on the Google TV line of products. Our primary goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker team was the first to exploit the Google TV and received a five-hundred-dollar bounty.

So what is the Google TV platform? The Google TV platform is an Android device that connects to the TV, so your TV basically becomes the same Android device as your phone. It has HDMI in, HDMI out, and a number of them include things like Blu-ray players. The Sony TV has an integrated Google TV. It has a custom version of Chrome plus a Flash version that we're going to talk about later.

So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the previous generation, generation one, is now end of life, along with the Flash player. I'll get to that in the following slides.

So before we begin I'm going to do a very fast recap of the things we did last year at DEF CON. I'll speed through it, so if you miss something go look at last year's slides. So the generation 1 hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit by Dan Rosenberg that uses /dev/mem, and Saurik wrote an Impactor plugin, awesome. So the Sony, similar situation, it has a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels.

So let's talk about the Flash player. The Flash player was blocked by several streaming sites, so for example you can't watch Hulu, you get redirected to a page that says sorry, it's a Google TV, and the fix for that is literally just changing the version string.

So what happened after we hacked these Google TV devices? We found this, which is a cool message from Logitech they hid in the Android recovery. It's a ROT13 cipher that says GTVHacker, congratulations, if you are reading this please post a note on the forum and let us know, and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. That is why we hack devices.

So the Boxee Box is a very similar device that uses exactly the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way to the Boxee+ community ROM, and it's still vulnerable, so that's awesome. So next up is Amir.

Hi everyone, I'll continue the presentation. My section regards gen two hardware and one of the first 0-days we're going to release for the platform, gen two at least. So gen two hardware. We have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were going to improve the market share. But basically you have the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have the same hardware design throughout the majority of the generation, short of the LG 47G2 and G3. Generation 2 uses a Marvell 88DE3100 based chipset. It's an ARM dual-core 1.2 GHz processor dubbed the Armada 1500. It includes an on-die crypto processor with separate memories, and it does secure boot from ROM using RSA verification and AES decryption. This particular slide, there's not a whole lot that you actually need to pull from this, it was just directly from their marketing stuff for the chip. Yeah, it's just here to show you kind of how they pitched the chipset itself. Skip the placeholder apparently.

So platform info. The latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until about a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were big news, and Saurik wrote his amazing tool, or ported his amazing tool, Impactor. It's not a Bionic libc setup, it's a glibc setup, and it doesn't support Android native libraries at this time. So gen one was an Intel CE4150, which is an x86 single-core Atom 1.2 GHz. Gen two is a Marvell Armada 1500 dual-core ARM 1.2 GHz, so it switched from x86 to ARM. Android 4.2 incoming for gen two adds native libraries and Bionic libc, from what we've heard in the rumor mills.

So I'm going to go through these next devices pretty quickly because, you know, it's all public info, I'm sure you guys don't really care a lot. A gigabyte eMMC flash in the Sony NSZ-GS7. It has the best remote, so if you are going to buy a Google TV, we would probably recommend this one, hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that should be across the whole platform but it's unfortunately not. The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done via Update Logic rather than the standard Android checking system. It's standard in all Vizio devices. The Hisense Pulse, this has the second-best remote in our opinion. It was launched with ADB running as root when it first was launched, so if you pick one up before it's actually updated you can just ADB in, ADB root, and you know ADB has root privileges. So it was patched shortly after. It's a $99 MSRP. Besides ADB root there was also a UART root set up, I guess for debugging and whatnot, and they had ro.debuggable set as one. So ADB root was all you really needed if you want a software root, but if you wanted to have some tools, you know, connect your UART adapters that we give you after this, you can technically connect to that pinout that's right up there. Again, we're going to have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a terrible remote. It's $129 MSRP. We had two exploits for it, one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and put the console to start up on UART regardless of what ro.secure was set as. ro.secure is set to, like, when they're in a debug environment they'll set ro.secure to 0, and if they're not in a debug environment they set ro.secure to 1 for just setting up special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update system on the Netgear NeoTV Prime. Basically the process involves checking if a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from a USB drive to a temp directory and then it just straight executes a shell script from that file. So you run it, you have local command execution pretty easily with just a thumb drive that has a special tgz file and shell script.

So then the ASUS Cube. It's the same generation two hardware, terrible remote again, $139 MSRP, but we really like this box because of this next part: Cube Root. So we had a lot of fun with this. We haven't actually done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and kind of given users were a large part of this. So this was great because we built an application that not only exploits but it patches your ASUS Cube, because our whole fear was that releasing an exploit out there, you know, if someone else takes a look at it they could, you know, put it in their own application and, you know, root all of your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically how it worked is it exploited a helper application called O!Play helper via a world-writable UNIX domain socket. The helper application passed unsanitized input to the mount command, causing local command execution. We triggered the vulnerability from an Android APK that just literally showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted around 256 boxes, including one engineer build, which was pretty awesome, and it took two months for them to actually patch it. So you know, six days in the market, can you imagine the kind of damage someone could have actually done if they were trying to be malicious and not just help people unlock their devices.

So then we got to the 0-day which I told you guys about. We have been using this bug for quite a while to do our investigations on, like, new devices and research on new devices to kind of see how things are set up. So this is kind of something that's near and dear to us because it's worked on the whole platform so far. So what it is is we call it the magic USB. We like saying magic because we are on the Penn and Teller stage, I guess. So if you recall our previous exploits with the Sony gen one GTV, it required four USBs. You can narrow down the number to quite a bit lower, but you have to have a bunch of different images for that USB drive, and it leveraged an improperly mounted ext3 drive that was mounted without nodev. So this is pretty similar to that. It's NTFS, but it isn't done in recovery, but it's just as effective. So all Google TVs and some other Android devices are vulnerable. What this bug is, actually I'll get to that in the next slide. The way that this is set up, it requires a user to have an NTFS removable storage device, it requires the device to be mounted nodev when you plug it in, so you can easily just run mount and see if it's nodev, and so it affects more than just Android, it affects certain kernel configurations, or really configurations. So with this particular setup, vold mounts NTFS partitions without nodev, and, a little-known feature, it does support block devices. So our magic USB, basically the process is that you go, you get the major and minor numbers, you set up a device node on a separate computer on an NTFS formatted drive, you plug it in on your Google TV and you just dd straight to that newly created device that is on the USB drive. The kernel does its magic, although the partitions are mounted, it overwrites them just beautifully. So we dumped the boot image, we patch it up, init.rc or default.prop, ro.secure, we write it back as a user, no root needed, we reboot and we are rooted. A number of boxes require an additional step. So now I'm going to go on and hand it to Hans Nielsen.

Oh yeah, hello, I'm Hans. So one thing that we really love doing here at GTVHacker is we like taking things apart and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel pretty good. So there's a couple platforms out there, you know, some interesting Google TV platforms. One of these is this TV that is made by LG. It's an interesting implementation of the platform. They use a different chip than the rest of the gen two Google TVs. It has a custom chip called the ARM L9, it's a custom LG SoC they use in it. LG also signed virtually everything from images to the flash file system, including the boot splash images. So this platform has always kind of eluded us. You know, it's in a 47 inch LCD TV, and they mark it up because it's a Google TV, you know, it's awesome. So this thing's around a thousand dollars, and you know we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard for the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much. So once we had this we did that thing that we love so much, we soldered some wires to it.

So this hardware is based around that LG SoC, and the storage it uses on this is, it uses an eMMC flash chip. So it's very similar to an SD card, it just has a couple of additional little bits that allow for secure boot storage and other things like that. But basically what it allows us to do is that we can just solder, you know, a very small number of wires to this thing and hook it up directly to an SD card reader, and with that SD card reader we can read and write from the flash on the device at, well, you know, no problems here. It's like, most devices will have a NAND chip. It's much trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many commonly available pieces of hardware to read that for you. But SD, everyone has an SD reader. So to actually root this thing we spent some time digging through the filesystem, looking at what is here, what on earth is here, you know, how can we pull stuff apart. At 0x100000 hex we found the partition data that tells us exactly where each of the various partitions that are used in this device are. So what we did next was we just went through each of the partitions looking for okay, is this one signed, can we do anything with it, is there fun stuff here. So one of the more interesting partitions, as usual, is system, because that contains nearly all of the files used to actually run Google TV. That's where all the APKs live, that's where all the libc lives. So like we said, all of the filesystem stuff was signed, basically, but it turns out that they didn't sign the system image. So once we figured that out it was simply a matter of unpacking the system image, figuring out what in that system image gets quickly called by the bootloader, and then messing with it. So it turns out that the boot partition, you can see on the right side here, there is part of the boot scripts at the bottom. It calls this vendor bin install forced strip dot sh, so that's on system. So we just change that file to spawn a shell connected to UART. You know, again we love soldering wires to things, and there we go, then we have root, all on a device that we never actually bought the full thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so just a matter of rewriting those partitions. So the first thing that we did is the usual way to do this in Android: you modify the boot properties to say okay ro.secure is 0 so that you can just straight up ADB to the device and everything will just be fine, easy, simple. But we did that and it didn't work. So it turns out the init scripts were actually checking signatures for some stuff and it was also making sure that some of these properties were not set, so it's like okay, ro.secure must be one. Well, so we went around looking at how is the signature stuff working, and it turns out that they're just not verifying those signatures, so it was really simple to just swap in init, then we were able to do whatever we wanted. Yeah, this is why you don't have hardware access to systems, because you get to do things like this. And then another fun feature that this device had is it had a SATA port, an unpopulated SATA header in the device, but it did also have the required passive components on the hardware for this. So we soldered a SATA connector to it, plugged in a hard drive. So far it doesn't look like the kernel actually supports this stuff, but the hard drive is definitely spinning up and we're pretty confident it is working, and we'll talk more about that.

So beyond these two devices is another device that came out very recently, very exciting device, really very similar. It's an interesting evolution of the GTV family: Google Chromecast. Google announced the device last week, last Wednesday even. It's $35, you know, that is an order of magnitude cheaper than pretty much any recent GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do. It just straight up, you plug it in the TV and then you power it with the USB cable, and boom, you have something that you can use to share videos. It is basically a really awesome device and we think it's very cool in numerous ways. We think it solves a number of the problems that GTV has had before with, you know, it's kind of an expensive niche platform. It's an exciting device. Instead of needing thick clients to deal with stuff, deal with content, you now have one thinner device that goes with your thick device, say your phone or your computer, and then you can share content straight to it. So one of the interesting things about that is, so this is a thin device, how are you pushing content to this device? Well, you're not just streaming video from the phone, you know, that's, that's definitely