Hi everybody, welcome to "Google TV, or: How I Learned to Stop Worrying and Exploit Secure Boot". My name is Mike Baker. I'm a firmware developer; I did OpenWrt. We also have Hans Nielsen, a senior security advisor at Matasano. We have CJ Heres, an IT systems administrator. gynophage, I believe he's out running CTF at this moment. We have Tom Dwenger in the audience; you know, stand up, Tom. And we have Amir Etemadieh, a researcher at Accuvant Labs and also the founder of the GTVHacker team.

GTVHacker is a group of about 6 hackers that hack into the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker team was the first to exploit the Google TV and won a five-hundred-dollar bounty.

So what is the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV essentially becomes the same Android device as your phone. It has HDMI in, HDMI out and IR. Some of them include Blu-ray players; the Sony TV has an integrated Google TV. It has a custom version of Chrome and also a Flash version that we will talk about later.

So why do we hack the platform? We hacked the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the previous generation, generation one, is now end of life. Plus the Flash player; I'll get to that in the next slides.

Before we get started I'm going to do a really quick recap of the things we did last year at DEF CON. I'm going to speed through it, so if you miss something, go look at last year's slides. The generation one hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue: they left a root UART. We even have an
exploit by Dan Rosenberg that uses /dev/mem, and saurik wrote an Impactor plugin. Awesome. The Sony is a similar situation: it's a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels.

So let's look at the Flash player. The Flash player was blocked by a number of streaming sites. For instance, you cannot watch Hulu; you get redirected to a page that says sorry, this is a Google TV. And the fix for that is literally just changing the version string.

So what happened after we hacked these Google TV devices? We found this. This is a nice message from Logitech that they hid in the Android recovery. It's a ROT13 cipher that says "GTVHacker, congratulations, if you are reading this please post a note on the forum and let us know, let me know", and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. This is why we hack devices.

The Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way for the Boxee+ community, and it's still vulnerable, so that's awesome. Next up is Amir.

Hi everyone, I will continue the presentation. My section is about gen 2 hardware and one of the first 0-days we will release for the platform, gen 2 at least.

Gen 2 hardware: we have a lot of devices. They increased the number of devices they had by like a factor of two, and I guess they were trying to increase market share. Basically you have the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have a similar hardware design throughout most of the generation, with the exception
of the LG 47G2 and G3. Generation 2 features a Marvell 88DE3100-based chipset. It is an ARM dual 1.2 GHz processor dubbed the Armada 1500. It includes an on-die crypto processor with separate memory, and it does secure boot from ROM through RSA verification and AES decryption. On this particular slide there's not a whole lot that you really need to pull from it; it was just straight from their marketing material for the chip. It's just there to show you kind of how they pitched the chipset itself. Skip the placeholder, evidently.

So, platform information. The latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and, you know, the key signing bugs were big news, and saurik wrote his awesome tool Impactor. It is not a bionic libc setup, it is a fat glibc setup, and it doesn't support Android native libraries at this time. Gen 1 was an Intel CE4150, which is an x86 single-core Atom at 1.2 GHz. Gen 2 is a Marvell Armada 1500, dual-core ARM at 1.2 GHz, so it switched from x86 to ARM. Android 4.2 is incoming for gen 2; it adds native libraries and bionic libc, from what we have heard in the rumor mills.

I will go through these next devices pretty quickly, since, you know, it's all public information and I'm sure you guys don't really care too much.

The Sony NSZ-GS7 has a gigabyte eMMC flash inside. It has the best remote, so if you are going to get a Google TV we probably recommend this one; hard to recommend Sony. It has a larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be throughout the whole platform, but it's sadly not.

The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, a $99 MSRP, and updates are actually done through Update Logic versus the standard Android checking system; it's common in all Vizio devices.

The Hisense Pulse has the second-best remote in our opinion. It was launched with ADB running as root when it first was released, so if you pick one up before it's actually updated you can simply adb in, adb root, and, you know, ADB has root privileges. It was patched shortly after, and it's a $99 MSRP. Along with ADB root there was also a UART root set up, I guess for debugging and whatnot, and they had ro.debuggable set to 1, so adb root was all you really needed if you wanted a software root. But if you wanted to have some cash, you know, connect your UART adapters that we give you after this; you can technically connect to that pinout that is right up there. Again, we will have a select number of USB TTL adapters.

The Netgear NeoTV Prime has a horrible remote. It's a $129 MSRP. We had two exploits for it: one was real, one was technically an oversight, at least in our opinion. The
oversight was that they went ahead and set the console to start up on UART regardless of what ro.secure was set as. ro.secure is set, like, when they're in a debug environment they'll set ro.secure to 0, and if they're not in a debug environment they'll set ro.secure to 1, for setting up specific lockdowns.

Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update process on the Netgear NeoTV Prime. Basically the process involves checking whether a persistent radio test mode is enabled, and if it is, it extracts a test mode .tgz from the USB drive to /tmp and then just straight executes a shell script from that file. So you run it and you get local command execution pretty easily with just a thumb drive with a special .tgz file and shell script.

Then the ASUS Cube. It's the same generation 2 hardware, horrible remote once again, $139 MSRP, but we really like this box because of this next part: CubeRoot. We had a lot of fun with this. We had not really done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and certain members were a big part of this. This was nice because we created an app that not only exploits but also patches your ASUS Cube, because our whole fear was that releasing an exploit out there, you know, if someone takes a look at it, they could put it in their own app and root all of your Google TVs. So we set it up so that it can do patching and it can do rooting. Basically the way it worked is that it exploited a helper app called oplayhelper via a world-writable UNIX domain socket. The
helper application passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that just literally showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. With that being said, it was pulled by Google after 6 days. We rooted about 256 boxes, including 1 engineer build, which was pretty cool, and it took two months for them to actually patch it. So, you know, six days on the market: can you imagine the kind of damage someone could have actually done if they were trying to be malicious and not just help people unlock their devices?

So then we get to the 0-day that I told you guys about. We have been using this bug for quite a while to do our investigations on new devices and research on new devices, to kind of see how things are set up, so this is something that's near and dear to us, because it has worked on the entire platform so far. We call it the magic USB. We just like saying magic because we're on the Penn and Teller stage, I guess.

If you recall our past exploits with the Sony gen 1 GTV, it required four USBs. You could narrow down the number to a lot lower, but you had to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive that was mounted without nodev. So this is very similar to that. It's NTFS, and it's not done in recovery, but it's just as powerful. All Google TVs and some other Android devices are vulnerable. What this bug is, actually, I will get to that in the next slide. How this is set up: it requires a user to have an NTFS removable storage device, and it requires the devices being mounted nodev
when you plug it in, so you can simply run mount and see if it's nodev. So it affects more than just Android; it affects certain kernel configurations. With this particular setup, vold mounts NTFS partitions without nodev, and, a little-known feature, it does support block devices.

So our magic USB. Basically the process is that you get the major and minor hashes, you set up a device with a separate computer on an NTFS-formatted drive, you plug it in to your Google TV, and you dd onto that newly created device that's on your USB drive. The kernel does its magic: although the partitions are mounted read-only, it overwrites them just beautifully. So we dump the boot image, we patch init.rc or default.prop for ro.secure, we write it back as a user, no root needed, we reboot, and we are rooted. Some boxes require an additional step. So now I'm going to go ahead and introduce Hans Nielsen.

Oh yeah, hi, I'm Hans. Something that we really like doing here at GTVHacker is we like taking things apart, and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel really good.

So there are a number of platforms on the market, you know, some interesting Google TV form factors. One of these is this TV that's made by LG. It's an interesting implementation of the platform. They use a different chip than the rest of the gen 2 Google TVs: it has a custom chip called the ARM L9, a custom LG SoC that they use in it. LG also signed just about everything with regard to images on the flash file system, including the boot splash images. So this platform has always kind of eluded us. You know, it's in a 47-inch LCD TV, and they're up-market because it's a Google TV, you know, it's awesome. So
this thing is more than a thousand dollars, and, you know, we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was that on eBay we just bought a power supply and a motherboard from the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much. Once we had this, we did that thing that we love so much: we soldered some wires to it.

This hardware is based around that LG SoC, and the storage it uses is an eMMC flash chip. It's similar to an SD card; it just has a few extra small bits that allow for secure boot storage and other stuff like that. But basically what it allows us to do is that we can just solder, you know, a very small number of wires to this thing and hook it up to an SD card reader, and with that SD card reader we can read and write the flash on the device with essentially, you know, no trouble. Most devices would have a NAND chip. It's much trickier to write those: they have a lot more pins, and there just aren't as many commonly available pieces of hardware to read that for you. But SD, everybody has an SD reader.

So to actually root this thing, we spent a while digging through the filesystem, seeing what is here, you know, how can we pull stuff apart. At 0x100000 we found the partition information that tells us where each of the various partitions used in this device are. So what we did then was we just went through each of the partitions asking: OK, is this one signed, can we do anything with it, is there fun stuff here? So
one of the more interesting partitions, as usual, is system, because that contains most of the files used to actually run Google TV. That's where all the APKs live, that's where all the libc lives. So, like we said, pretty much all the filesystem stuff was signed, but it turns out that they didn't sign the system image. Once we figured that out, it was just a matter of unpacking the system image, figuring out what in that system image gets immediately called by the bootloader, and then messing with it. It turns out that in the boot partition, you can see on the right side here there is part of the boot scripts, and at the bottom it calls this vendor/bin/init_forcestrip.sh, and that is on system. So we just replace that file to spawn a shell connected to UART. You know, once again, we love soldering wires to things. And there we go, then we have root, all on a device that we never actually bought the whole thing of.

Another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. On this platform neither boot nor system were signed, so it's just a matter of rewriting those partitions. The first thing that we did, the usual way to do this in Android, is you modify the boot properties to say, OK, ro.secure is 0, so you can just straight up adb to the device and everything will just be nice, simple, easy. But we did that and it didn't work. It turns out the init scripts were actually checking signatures for some stuff, and it was also making sure that some of these properties weren't set, so it's like, OK, ro.secure must be 1. Well, so we went around looking at how the signature stuff is working, and it turns out that they're just not verifying those signatures. So it was
really very simple to just replace init, and then we were able to do whatever we wanted. And yeah, this is why you don't have hardware access to systems, because you get to do things like this, and then we win.

Another fun feature this device had is that it had a SATA port, an unpopulated SATA header inside the device, but it did actually have the necessary passive components on the hardware for this. So we soldered a SATA connector to it and plugged in a hard disk. So far it does not appear that the kernel actually supports this stuff, but the hard drive is actually spinning up and we're pretty sure it is working, and we will talk more about that.

Beyond those two devices there is another device that came out very recently. Very interesting device, very similar; it's an interesting evolution of the GTV family: Google Chromecast. Google announced the device last week, last Wednesday even. It's $35; you know, that's an order of magnitude cheaper than essentially any existing GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do. You just straight up plug it in to the TV, then you power it from the USB cable, and boom, you have something that you can use to share videos. It's actually a really awesome device and we think it's very cool. In many ways we think it solves some of the problems that GTV has had in the past with, you know, it's kind of an expensive niche platform. It's a really interesting device: rather than having two thick clients to handle content, you now have one thinner device that goes with your thick device, say your phone or your computer, and you can share content directly to it. One of the interesting things about that is, so this is a thin device, so how will
you be pushing content to this device? Well, you are not just streaming video from the phone; you know, that's really slow, that's difficult to do. So this device is actually reasonably powerful, so