DEF CON 21 – Panel – Google TV

Greetings everyone, welcome to Google TV, or how I learned to stop worrying and exploit secure boot. My name is Mike Baker. I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. We've got CJ here, he's an IT systems administrator. Gaiaphage, I think he is out running CTF right now. And we have Tom Dwenger in the audience, stand up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and also the founder of the GTVHacker group.

So GTVHacker is a group of about six hackers that hack on the Google TV line of products. Our main goal is to bypass the hardware and software limitations and open up the device. The GTVHacker group was the first to exploit the Google TV and won a five-hundred-dollar bounty.

So what is the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV basically becomes the same Android device as your phone. It has HDMI in, HDMI out, and some of them include Blu-ray players. The Sony TV has an integrated Google TV. It has a custom version of Chrome and a Flash version that we'll talk about later.

So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it has a heavily restricted kernel, and the previous generation, the generation one, is now end of life. And the Flash player, I'll get to that in the next slides.

So before we start I'm going to do a very quick recap of the things we did last year at DEF CON. I'll speed through it, so if you miss something go check out last year's slides. So the generation one hardware consists of the Logitech Revue, the Sony Blu-ray player, and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit by Dan Rosenberg that uses /dev/mem, and Saurik wrote an Impactor plugin, great. So the Sony, similar problem, it has a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels.

So let's talk about the Flash player. The Flash player was blocked by many streaming sites, so for example you can't watch Hulu, you get redirected to a site that says sorry, this is a Google TV. And the fix for that is basically just changing the version string.

So what happened after we hacked these Google TV devices? We found this, this is a nice message from Logitech that they hid in the Android recovery. It's a ROT13 cipher that says: GTVHacker, congratulations, if you're reading this please post a note on the forum and let us know, and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you're awesome. That is why we hack devices.

So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way to the Boxee+ community ARM, and it's still vulnerable, so that's awesome. So next up is Amir.

Hi everyone, I'll continue the presentation. My part regards gen two hardware and one of the first 0-days we'll release for the platform, gen two at least. So gen two hardware: we have a large number of devices. They increased the number of devices they had by like a factor of two, and I guess they were going to increase the market share, but basically you have the Korean LG U+, the Asus Cube, the LG 47G2 and G3, the NetGear NeoTV Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse, and the Vizio Co-Star. They have an identical hardware layout across the majority of the generation, short of the LG 47G2 and G3. Generation 2 uses a Marvell 88DE3100 based chipset. It's an ARM dual-core 1.2 gigahertz processor dubbed the Armada 1500. It has an on-die crypto processor with separate memories, and it does secure boot from ROM via RSA verification and AES decryption. This particular slide, there isn't a whole lot that you really need to pull from this, it was just straight from their marketing material for the chip. It's just here to show you sort of how they pitched the chipset itself. Skip the placeholder apparently.

So platform details: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week plus, when the master key vulnerability and the key signing bugs were big news. Saurik wrote his wonderful tool Impactor. It is not a Bionic libc setup, it's a glibc setup, and it doesn't support Android native libraries currently. So gen one was an Intel CE4150, which is x86, single core Atom 1.2 gigahertz. Gen two is a Marvell Armada 1500, dual-core ARM 1.2 gigahertz, so it switched from x86 to ARM. Android 4.2 is incoming for gen two, which adds native libraries and Bionic libc, from what we've heard from the rumor mills.

So I'm going to go through these next devices pretty quickly, because you know it's all public info and I'm sure you guys don't really care too much. A gigabyte eMMC flash inside the Sony NSZ-GS7. It has the best remote, so if you're going to get a Google TV I'd probably recommend this one. Hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be throughout the whole platform, but it's unfortunately not. The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done through UpdateLogic instead of the standard Android checking system. It's common in all Vizio products. The Hisense Pulse, this has the second-best remote in our opinion. It was released with ADB running as root when it first was released, so if you pick one up before it's actually updated you can simply adb in, adb root, and you know adb has root privileges. So it was patched shortly after, and it has a $99 MSRP. Along with adb root there was also a UART root available, I guess for debugging and whatnot, and they had ro.debuggable set to 1, so adb root was all you really needed if you wanted a software root. But if you wanted to have some fun you could connect your UART adapters, that we give you after this, you could technically connect to that pinout that's right up there. Again, we'll have a select number of USB TTL adapters.

So the NetGear NeoTV Prime has a terrible remote, it's $129 MSRP. We had two exploits for it, one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and put the console to start up on UART regardless of what ro.secure was set to. ro.secure is set to, like, when they're in a debug environment they'll set ro.secure to 0, and if they're not in a debug environment they set ro.secure to 1 for just starting special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update system on the NeoTV Prime. Basically the process consists of checking if a persistent radio test mode property is enabled, and if it is it extracts a test mode tgz from the USB drive to a temp directory, then it just straight executes a shell script from that file. So you run it, you get local command execution pretty easily with just a thumb drive with a special tgz file and shell script.

So then the Asus Cube. It's the same generation two hardware, terrible remote again, $139 MSRP, but we really like this box for this reason: next slide, Cube root. So we had a lot of fun with this. We hadn't actually done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and certain members were a big portion of this. So this was nice because we made an application that not only exploits but it patches your Asus Cube, because our whole fear was that releasing an exploit in the market, you know if someone takes a look at it they could put it in their own app and root all of your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically how it worked: it exploited a helper application called O!Play helper via a world-writable UNIX domain socket. The helper application passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that just showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted around 256 boxes, including one engineer build, which was pretty neat, and it took two months for them to actually patch it. So you know it was six days out there, can you imagine the kind of damage someone could have really done if they were trying to be malicious and not just help people unlock their devices?

So then we get into the 0-day that I told you guys about. We've been using this bug for a while to do our investigations on new devices and research on new devices, to sort of see how things are set up. So this is sort of something that's near and dear to us, because it's worked on all of the platform so far. So what it is, we call it the magic USB. We like saying magic since we're on the Penn and Teller stage, I guess. So if you remember our past exploits with the Sony gen 1 GTV, it required four USBs. You could slim down the number to a lot lower, but you have to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive which was mounted without nodev. So this is pretty similar to that. It's NTFS, but it's not done in recovery, but it's just as powerful. So all Google TVs and some other Android devices are vulnerable. What this bug is, I'll get to that in the next slide. The way this is set up, it requires a user to have an NTFS removable storage device. It requires the device to be mounted without nodev when you plug it in, so you can easily just run mount and see if it's nodev. And so it affects more than just Android, it affects certain kernel configurations, or vold configurations. So with this particular setup, vold mounts NTFS partitions without nodev, and a little-known feature, it does support block devices. So our magic USB, basically the process is: you get the major and minor numbers, you create a device on a separate computer on an NTFS formatted drive, you plug it into your Google TV, and you dd onto that newly created device that's on your USB drive. The kernel does its magic. Although the partitions are mounted read-only, it overwrites them just fine. So we dumped the boot image, we patch the init.rc or default.prop to ro.secure 0, we write it back as a user, no root needed, we reboot, and we're rooted. Some boxes require an extra step. So now I'll go ahead and introduce Hans Nielsen.

Oh yeah, hi, I'm Hans. So one thing that we really love doing here at GTVHacker is we like taking things apart, and then we like soldering little wires to things. It tickles something deep inside our brain that makes us feel very good. So there are a few platforms out there, you know, some interesting Google TV platforms. One of them is this TV which is made by LG. It's an interesting implementation of the platform. They use a different chip than the rest of the gen two Google TVs; it's a custom chip called the L9, it's a custom LG SoC they use in it. LG also signed pretty much everything in terms of images on the flash filesystem, including the boot splash images. So this platform has generally sort of eluded us, you know, it's in a 47 inch LCD TV and it's up-market since it's a Google TV, you know it's awesome. So this thing's over a thousand dollars, and you know we really didn't want to spend a thousand dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We didn't actually buy the rest of the TV, and it turns out you can get that for not that much.

So once we had this we did that thing that we love so much, we soldered some wires to it. So this hardware is based around that LG SoC, and the storage it uses on this is an eMMC flash chip. So it's very similar to an SD card, it just has a couple of extra little bits that allow for secure boot storage and other things like that. But basically what it allows us to do is that we can just solder, you know, only a few wires to this thing and hook it up straight to an SD card reader, and with that SD card reader we can read and write to the flash on the device with, you know, no problems at all. Most devices will have a NAND chip; it's a lot trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader. So to actually root this thing we spent some time digging through the filesystem, seeing what is here, you know, how can we pull things apart. At 0x100000 hex we found the partition data that tells us where each of the different partitions that are used in this device are. So what we did then was we just went through each of the partitions looking for: OK, is this one signed, can we do anything with it, is there fun stuff here? So one of the more interesting partitions, as usual, is system, because that contains a lot of the files used to actually run Google TV. That's where all the APKs live, that's where all the libc lives. So like we said, all the filesystem stuff was signed, pretty much, but it turns out that they didn't sign the system image. So once we figured that out it was only a matter of unpacking the system image, figuring out what in that system image gets quickly called from the bootloader, and then messing with it. So it turns out that the boot partition, you can see on the right side here, there's part of the boot scripts at the bottom. It calls this vendor/bin install_forced_strip.sh, so that's on system. So we just change that file to spawn a shell connected to UART, you know, again, we love soldering wires to things, and there we go. Then we have root on a device that we never actually bought the full thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so it was just a matter of rewriting those partitions. So the first thing that we did, the usual way to do this in Android, is you modify the boot properties to say OK, ro.secure is 0, so that you could just straight up adb to the device and everything will just be fine, simple, easy. But we did that and it didn't work. So it turns out that the init scripts were actually checking signatures for some stuff, and it was also making sure that some properties were not set, so it's like OK, ro.secure has to be 1. Well, so we went around looking at how is the signature stuff working in init, and they're just not verifying those signatures, so it was pretty simple to just replace init and after that we were able to do whatever we wanted. Yeah, this is why you don't give hardware access to systems, because you get to do things like this and then we win. Another fun feature that this device had is it had a SATA port, an unpopulated SATA header inside the device, but it did also have the necessary passive components on the board for this. So we soldered a SATA connector to it, plugged in a hard drive. So far it doesn't appear that the kernel actually supports this stuff, but the hard drive is actually spinning up and we're pretty sure it's working, and we'll talk more about that.

So beyond those two devices there's another device that came out really recently, a really interesting device, very similar. It's an interesting evolution of the GTV family: Google Chromecast. Google announced it last week, last Wednesday even. It's $35, you know, this is an order of magnitude cheaper than pretty much any current GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do; you just straight up plug it into the TV and then you power it from the USB cable, and boom, you've got something that you can use to share videos. It's really a very cool device and we think it's very neat in many ways. We think it solves some of the problems that GTV has had in the past with, you know, it's sort of an expensive niche platform. It's a really interesting device: instead of having thick clients to deal with content, you now have one thinner device that goes with your thick device, say your phone or your PC, and then you can share content onto it. So one of the interesting things about that is, so this is a thin device, how are you pushing content to this device? Well, you're not just streaming video from your phone, you know that's really slow, that's hard to do. This device is actually reasonably powerful. So what's in it? Well, we pulled it apart as soon as we could and it turns out that