Hacking The Google T Presented by: Amir "zenofex" Etemadieh, CJ "cj_000" Heres, Tom "tdweng" Dwenger, and Dan "bliss" Rosenberg GTVHacker http ://gtvhacker . com/pres/dc2 .ppt TVHacker: The Team GTVHacker is a group of 6 hackers with individual skill sets who work together to unlock Google TV devices. Our primary goal is to bypass hardware and software restrictions to allow for unsigned kernels to be loaded and used. To date the team has released multiple methods for unlocking Google TV devices. GTVHacker team won $500 bounty for being the first to root the Google TV. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Team Members The GTVHacker team officially consists of 6 members: • AgentHH - First human outfitted with metal legs. • cj_000 - Destroyer of words • Gynophage - German rockstar reverse engineer • [mbm] - known for founding the Open-WRT project and tossing 251 children down a well • Tdweng - software d ev eloper turn ed super hero. • zenofex - 1 m I m Hi HHH H H H With special guest: • Bliss - a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face. .^•^ ^^^» mm * http://gtvhacker.eom/pres/dc20.ppt ^GTVHacker Google TV: What is it? Go gleTV TV MEETS WEB. WEB MEETS TV. ■ Google TV is a platform that bridges the gap between your TV and an Android device. ■ Platform creates an overlay on television stream and also contains an IR transmitter to transmit to media center devices (cable box, TV, sound system). ■ Device was originally released without the Android Market available but was eventually updated to include it. ■ Platform receives Over-the-Air updates automatically from OEM manufacturer. ■ Platform contains forked version of Chrome with all plug-ins and extensions other than Flash disabled. .£3 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Although Google TV runs Android there are differences: ■ The device has a Chrome browser out of the box which provides a fairly reliable and safe browsing experience ■ The Gen 1 Google TV platform is currently the only x86 set of Android devices. ■ Although the platform does have the Android market, the amount of actual applications available is far below that of the actual market. ■ Due to the fact that some Android applications include native code, some applications are not able to run on the x86 chip-set. ■ Unlike most Android devices, GTV devices are USB hosts requiring ADB to be used over the network and ADB is restricted to one white- listed IP. .£3 http ://gtvhacker . com/pres/dc2 .ppt .£3 Most commonly deployed boxes are x86 Newest Google TV Devices are ARM based Devices by Sony, LG and Vizio (Availability is still limited) More on the ARM devices a bit later! GTVHacker http ://gtvhacker . com/pres/dc2 .ppt GTV vs Content Providers hulu .£3 From the initial release of the platform, the Google TV has been in a constant battle with the content providers. Content providers believed giving Google access to television programming advertising streams would strengthen Google's position in web advertising, as well as convince users to drop services like cable. Websites enforced checks by verifying the browser User-Agent as well as the Flash version string. — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Platform: x86 Android There are no other mainstream Android x86 devices. Architecture differences makes for a crippled marketplace. Code compiled for device can usually be compiled without the need for compiler toolchain. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt x86 / Gen 1 CPU ^^^^^^ [ • Current generation of Google TV devices use an Intel CE41xx CPU. • 45nm Atom core 1 .2 Ghz with System-on-Chip (SoC). • "On-die" security processor to handle DRM. • Revue -CE4 100 • Sony TV / Blu-Ray - CE41 50 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Bootloader (Gen1) The bootloader for the CE41xx devices is known as the "Intel CEFDK" (Consumer Electronics Firmware Development kit). Bootloader is signed and signature is verified by security processor, beginning "chain of trust". Intel supplies a stage 1 and stage 2 boot-loader in the SDK. Logitech uses both stages of CEFDK in its device. Sony uses Intel's stage 1 and it's own proprietary "NBL" for stage 2. .£3 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Chain Of Trust' GTV platform utilizes a "Chain of Trust" boot 1) SoC decrypts and verifies signature of stage 1 CEFDK 2) Stage 1 CEFDK boots, checks signature, and decrypts Stage 2 3) Stage 2 boots and checks signature on Kernel 4) Kernel takes over 5) (Sony) Kernel SHA1 hashchecks init 6) (Sony) Init RSA verifies init.rc / init.(eagle/asura).rc .£3 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt ernel Security .£3 1 Kernel requires modules to be properly signed before being inserted. 1 All partitions except /data & /cache are marked as RO by the kernel. 1 ADB shell only allows RW access to folders with "shell" permissions. 1 Functions like ptrace are left out of the kernel. 1 Access /dev/mem is restricted. 1 Kernel is patched from all known public Android vulnerabilities. —_ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker urrent Devices Google TV GTVHacker http ://gtvhacker . com/pres/dc2 .ppt ogitech Revue • Released October 2010 • Full sized keyboard with built in touchpad • Originally priced at $249 later reduced to $199 and finally $99 • Discontinued but still favoured by a majority of GTV users GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Logitech Revue Motherboard GTVHacker Image via ifixit.com http ://gtvhacker . com/pres/dc2 .ppt • UART1 - Console • J3 - PICKIT2 • SW1 - Unused switch • J20 - I2C • J69-USB • SATA1 - SATA Header • J24 - Unknown • J1 3 -Power for SATA • XDP1 - Intel XDP Debug Header Recovery mode is an "Android 2e recovery" which is standard on many Android devices. • Reboot • Apply Update from USB (update.zip) • Wipe data/factory reset • Wipe cache partition All update files provided are RSA verified before the box attempts installation. .£3 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt UART On The Revue .£3 First root on the Google TV Platform. Required a virgin Revue. Still works on newly purchased Revues. Soldering to four pads on the Revue and booting into recovery mode. Method allowed for Read/Write access to File System. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt UART On The Revu Created a manual update process that mirrored Google's but did not perform any of the signature checks. Continued to release modified updates which included an ADB running as root as well as our first attempt at a content provider bypass. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt irst "Content Provider Bypass' Bypassing Hulu/CBS/NBC/ABC's browser/flash checks was relatively easy and could be done quickly with a hex editor and RW /system access. All that was required was a simple change from: To: Changing one letter in the flash version string as well as changing the browser user agent (which can be done directly from the box in Chrome's settings) will allow a user to watch normally restricted content. 00969F5269 6E 3A 00 09969F63^H 69 56 6C 75 67 49 6E 66 35 2E 31 66 25 32 ■.Plugln.5.1.%2 0G969F5269 6E 3A 00 - : 93M3^| 00 50 6C 75 67 49 6E 00 35 2E 31 00 25 32 |.PlugIn.5.U2 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Honeycomb Suprises: Message from Logitech*? 00 00 6b 65 76 62 71 76 66 72 61 20 79 72 67 65 6a 5f 00 5b 65 6e 00 00 72 73 61 66 61 74 20 63 6c 62 67 20 6e 74 30 30 6d 62 67 00 00 00 20 70 20 76 20 67 62 66 68 65 7a 72 48 48 30 00 6d 5d 74 61 e0 41 62 61 73 20 75 76 67 20 20 73 20 78 00 5a 63 72 00 72 74 75 20 40 74 65 6c 62 66 20 6e 20 62 65 61 62 65 6e 61 69 65 73 6e 67 67 74 76 6e 67 68 68 65 20 00 00 63 61 62 67 68 7a 20 6a 20 3b 6f 66 65 67 64 72 6e 6f 00 34 00 53 68 61 63 79 6e 67 65 72 6e 79 72 6e 72 20 62 67 62 20 29 00 41 78 00 63 6f 69 64 74 64 77 63 64 74 A @gtvhac kers pbatenghyng vbaf vs Ibhe ern qvat guvf . .cyrn fr cbfg n abgr b a Ibhe sbehz gb yrg zr xabj ;) .A □entHH. BSBBHEH .c j_000.craigdroid . [mbm] .resno.tdw eng.tatung4.ccdt .£3 Logitech removed the recovery menu and replaced it with a message to the GTVHacker team. Removed functionality to install manual updates therefore removing a user's ability to recover other than via the automatic process of erasing /cache and /data. The message was encoded in a ROT13 cypher. Each of the current GTVHacker team members' names were listed as no longer functioning recovery menu items. — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker "A @gtvhackers congratulations if your reading this please post a note on your forum to let me know ;)" lash Sabotage: Revue Getting a secret message from Logitech was awesome. Having them remove the recovery menu functionality was not. So we needed a way to play with the update functionality of the box... The OTA updater writes to /cache/recovery/command, which uses the following syntax: --update_package=CACHE:/somefile.zip Now if only we had a way to write to cache... — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker lash Sabotage: Revue • /cache and /chrome are EXT3 partitions stored on NAND flash. • Luckily, that flash is connected to the Revue via a USB Controller. • It's a flash drive! • We can tap the data lines and stick our own flash drive in line. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt evue Kernel Exploi Revue root kernel exploit To be added GTVHacker http ://gtvhacker . com/pres/dc2 .ppt 'evue Module Signing Expl Revue RSA kernel module signing bypass To be added GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Devices (Gen1 Blu-Ray Player (NSZ-GT1) Television 24" - 46" (NSX-#GT1) GTV hardware is nearly identical, other than the obvious differences. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt SATA Sabotage: Sony r 1 uuoy J ' — ' ' ' " ■ -—^ ^ SAMSUNG 028 1 K9HCG08UID 5 • Internal SSD via SATA • GBDriver RS2AES encrypts all data on NAND flash. • ATA Password • Sony stored all data on SSD, except bootloader and kernel. • Risky procedure. Small points. • Able to "redirect" SATA bus to our own device, which we had RW access to externally. • Used this to downgrade to old SW versions, to look for flaws. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony GTV: Recove mm imm*m* m******* ****** w • Far more interesting than that of the Revue. • Like the Revue, has a similar "Update from USB" feature. • Nearly entire backend is done through a series of scripts. Not standard Android, so no debug log is left behind. Though not impossible thanks to the UART. • Sony updates are RC4 encrypted. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV ommand Execution Through Recovery Can you spot the problem here? Is /tmp/mnt/diskb1/package_list_*.zip | head -1 | grep ,, package_list_" /bin/sony/check_version.sh $1 — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Sony Google TV ommand Execution Through Recovery Sony Google TV ommand Execution Through Recovery The exploit was simple, a package with a command: package_list_;cd tmp; cd mnt; cd diskbl; sh t.sh; .zip /package-updater.sh -I -p /tmp/mnt/diskb1/package_list_;cd /tmp;cd /mnt;cd /diskbl ;sh t.sh;.zip The command above involved a t.sh bash script (to meet filename size limitations) which spawned a shell over UART and telnetd. From there we proceeded to dump the recovery file system. GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV ommand Execution Through Recovery Unfortunately this exploit was patched in the 7/201 1 update. "It's not exactly what we'd call a easy jailbreak, seeing as how it requires a soldering iron, a NAND format procedure, and a Logitech Revue that's never even been powered on, but it looks like it is possible to root a Google TV box after all." - engadget.com That was said about 4 large pads for the Revue. Needless to say, this was not a viable option for the public. — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Sony Google TV UART 1 Active UART line (output only) • After initial hack - achieved root console in Linux. 1 Memory dump shows existence of "NBL" - an extra step after Intel's initial bootloader. 1 Mashing escape over UART at start-up brings us to a "Password:" 1 Password found after reversing NBL areas of memory: console ON GTVHacker http ://gtvhacker . com/pres/dc2 .ppt ony Google TV RT / Bootloader • NBL options included loading files into memory, and executing from internal flash or network via TFTP. • Insecure booting features were disabled on production units. • NBL Utilized signature and hash checks similar to the normal start-up mode. Remember that exploitable recovery version? GTVHacker http ://gtvhacker . com/pres/dc2 .ppt iony Google TV URT / Bootloader Successful patch applied! SEC FW: SEC ready SEC FW: flrnware nodule sent to SEC for authentication and load Successful flrnware download! SEC FW: flrnware version valid: 2.1.8.6. ferity stage2 PASS Intel(R) Consuner Electronics Flrnware Developnent Kit (Intel(R) CEFDK) :opyright (C) 1999-2919 Intel Corporation. All rights reserved. Juild Tine (96/11/19 16:99:37). .oading 8951 Microcode at 9x89999 jATA 9: BTVSSD91 - 8G jATA 1: SONYBDP-410 - 9G Password: JBL BTV-EC 5.7,1 (base: 5,9-BTV_29199797) lachlne: EAGLE (1386/sodavllle/btv) *AM: 9x90199909-9x02999099 available Ida: BTVSSD91 (C/H/S = 3B72B/16/32, Total 15728649 sectors) JBL? boot -f net:tftp:/vnllnux_recovery,trf -c "root=/dev/ranO console=ttyS9, 115299 nen=exactnap nennap=lM$9 nennap=199M@lM" -Initrd net:tftp:/initrd,trf L8254x: Ethernet address: 54:42:49:d4:66:d2 L8254x: Link is up, 199Mbps Full Duplex lev net.c:net getparans: enable bootp because IP==0 aootp: 'rcyip' is 192.168.1.121 'serverip' is 192.168.1,148 )ootp: nask: 255.255.255.0 iet_open: client addr: 192.168.1.121 letopen: subnet nask: 255.255.255.9 letopen: net gateway: 192,168,1.2 iet_open: root addr: 192,168,1,148 iet_open: server addr: 192,168,1.148 letopen: server path: / letopen: file nane: vnlinux_recovery ,trf FRF file is loaded : start = 9x99199999, length = 9x99396986 L8254x: Ethernet address: 54:42:49:d4:66:d2 L8254x: Link Is up, 190Mbps Full Duplex ony Google TV RT / Bootloader Booting via TFTP allowed us to set kernel args. boot -f net:tftp:/vmlinux_recovery.trf -c "root=/dev/ramO console=ttyS0,115200" -initrd net:tftp:/initrd.trf Booting via TFTP however kept the internal SSD ATA locked. The good news was that when that recovery booted to a locked ATA, the box dropped us into a console! — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Sony Google TV UART / Bootloader Exploitable Recovery: • System boot binaries stored on flash at /dev/Glob_Spectraa2 • ATA was locked, flash was not! Drivers just needed to be loaded. • Replaced new recovery on flash with the old, exploitable version. • Now we had an exploitable recovery! • Wait for the rumored 3.2 release in late September to release exploit • Google and Sony were slow - it was December. http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV owngrade via USB (nodev ■17 • Come the 3.2 release in December, we did not want to let on about the bootloader password being found. So, two weeks of intense bug finding was started. • We found a few bugs, but not what we needed for privileged code execution • However, we got to really, really know the update process... — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Sony Google TV owngrade via USB (nodev •r* Do you really want to update tho syste 9: Update and Faotory Data Reset ■ DMA- 1 _EA©LE_20 1 20 1 260 1 _WWV_ORSC (MASTER) « gtvhacker (GTVHacker Downgrade ) Keypad not paired. Pres nd hold (CONNECT) on the body for 3 ? Recovery mounts USB to /tmp/mnt/diskb1 Looks for package_list_*.zip Passes this to package_updater.sh package_updater.sh then copies the file to /cache package_updater then unzips build. prop, and displays to the user If the update is accepted, it's copied again to /cache I'm sure they checked to see if there was a destination file... GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV owngrade via USB (nodev) The Sony recovery mounted ext2/3 partitions with no mount parameters meaning a block device on the USB could allow us to write to a device node as root. USB1 contains update file which fools the updater to think a properly formatted update is on the drive. USB2 contains update file which is a file system node point to /dev/Glob_Spectraa2 USB1 is used again now that the FS node is in place, we restart update and perform part 2 of attack. USB3 contains update file which contains files to overwrite .trfs on /dev/Glob_Spectraa2 Recovery confirms that an update is inserted and asks the user if they'd like to continue. Recovery moves the FS node to /cache/package_list_*.zip and then errors leaving the file in place. Recovery confirms that an update is inserted and asks the user if they'd like to continue. The recovery version is now ^ downgraded to the LCE exploitable GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV owngrade via USB (nodev Assuming the downgrade went correctly, use LCE recovery exploit. Exploit: • Re-partitions internal SSD • Copies /boot to a new partition. • Edits initial /boot to include kexec files. • Hijacks initial boot process to call kexec. .£3 ttiuy Ijusyljcjx ■ LM |; -i ML iiLiS hill busy usybox cp /ttnp/1 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV nsigned Kernels "kexec (kernel execution) is a mechanism of the Linux kernel that allows "live" booting of a new kernel "over" the currently running kernel. " ~ Wikipedia • Kexec is normally built into the kernel, so we opted to build it as a kernel module. • Kexec allows us to boot the system, have it kick over after in less than 1 second, and load our unsigned kernel. But what about that init hash, and those RSA signatures? http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV nsigned Kernels • Chain of Trust needed to be broken • kexec had to to be called before the platform's security firmware was loaded. • Where do we attack? • /bin/e2fsck • / is mounted from sdal , on the SSD, that we can now write to — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Sony Google TV nsigned Kernels /bin/e2fsck was replaced with a script which: • Mounted /system • insmod our kexec modules • kexec to load our new kernel Our new kernel, apart from featuring no hash on init, had a few other tweaks: • no initd hash • no signed init.rc • no signed init.(eagle/asura).rc • modified init.rc • modified init.(eagle/asura).rc • modified default.prop • ro.secure=0 • ro.debuggable=1 .£3 http ://gtvhacker . com/pres/dc2 .ppt Sony Google TV ontent Provider Bypass But wait - there's more! Our update script pulled Chrome's Flash player and mutated the Flash plug-in string randomly per each install. Since each box has a unique ID, content providers will have a harder time blocking streaming content for Google TV users. — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Google TV uture" / ARM Devices In the last few months we've seen a release of the second generation of Google TV devices, all of which are ARM: Sony NSZ-GS7 - Network Streamer Sony NSZ-GP9 - Blu-Ray Player *unreleased* Vizio VAP430 (CoStar) - Network Streamer *unreleased* Vizio VBR430 - Blu-Ray Player *unreleased* Vizio R3D*0VS (42/47/55/65) - Google TV *unreleased* LG 47/55G2 (LMG620) - Google TV — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker Google TV tony - ARM Devices • The Sony ARM devices feature a Marvell 88DE3100 SoC, which has a 1.2GHZ Dual Core Processor. • The Blu-Ray variant should be close to identical specs wise, but with a Blu-ray drive, and a BD playback app. • Sony has yet to branch off into TV integration, as they may have jumped the gun the first time around. .£3 GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Google TV izio - ARM Devices • The Vizio ARM devices, like the Sony's feature a Marvell 88DE3100 SoC, which has a 1.2GHZ Dual-Core processor. • Again, the Blu-Ray variant should be close to identical specs wise, but with a Blu-ray drive, and a BD playback app. • Multiple devices, a streamer, BD player, and integrated TV. • Hey, you - guy on stage. Is the streamer out yet? GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Google TV _G - ARM Devices & LG Google TV |M| • LG Google TV's are a bit more mysterious. • 47" & 55" (G2 / LMG620) • Mostly, there have been few purchases, and at $1200 each, a bit out of our price ranges! • Dual Core ??? MHZ processor • Anyone care to donate one? GTVHacker http ://gtvhacker . com/pres/dc2 .ppt GTVHacker Timelin Date Event 1 2/201 Logitech UART found (and live) 1/2011 Root package released (content bypass) 7/2011 Sony (Blu-ray) unit acquired Sony unit rooted (SATA modification) Sony recovery command execution found Software root method found Sony update encryption keys found, reversed, decrypted 8/2011 Revue 3.1 "Honeycomb" leaked 9/2011 Sony 3.1 Released Sony TV acquired Sony TV rooted GTVHacker http ://gtvhacker . com/pres/dc2 .ppt GTVHacker Timelin Date Event (Continued) 10/2011 Sony bootloader shell found/downgrade achieved 11/2012 kexec ported as module to x86, unsigned kernels for Sony (saving for 3.2 rls) 12/2012 3.2 for Sony released 1/2012 Sony nodev recovery downgrade released 1/2012 Sony exploit package released (unsigned kernels) 3/2012 Revue signed module exploit achieved (needed root privileges) 4/2012 Logitech Revue kernel exploit (awaiting 3.2 release) 5/201 2 Revue 3.2 Released 6/30/2012 NSZ-GP7 Acquired 6/30/2012 NSZ-GP7 Root Exploit GTVHacker http ://gtvhacker . com/pres/dc2 .ppt Sony NSZ-GP7 Newest Sony device Released this month Tear down posted at GTVHacker.com CN2000 looks familiar! GTVHacker http ://gtvhacker . com/pres/dc2 .ppt ■ Noticed that last bit on the time line? Yeah. ■ We gained root access on 6/30, and proceeded to explore ■ Our goal is to get unsigned kernels running before a release, which may or may not be done already (you, with the microphone?) http ://gtvhacker . com/pres/dc2 .ppt SZ-GP7 Root Dem Demo — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker uestions? More information can be found at: http://www.GTVHacker.com/ http://forum.GTVHacker.com/ http://blog.GTVHacker.com/ — _ _____ http://gtvhacker.com/pres/dc20.ppt GTVHacker