Greetings everyone, welcome to "Google TV, or: How I Learned to Stop Worrying and Exploit Secure Boot". My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, a senior security specialist at Matasano. We have CJ Heres, an IT systems administrator; gynophage, I think he is out running CTF at the moment; and we've got Tom Dwenger in the audience (you know, stand up, Tom); and we have Amir Etemadieh, a researcher at Accuvant Labs and the founder of the GTVHacker team.

So GTVHacker is a group of about six hackers that hack on the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTVHacker team was the first to exploit the Google TV and received a five-hundred-dollar bounty.

So what's the Google TV platform? The Google TV platform is an Android device that connects to your TV, so your TV essentially becomes the same Android device as your phone. It's got HDMI in, HDMI out and IR. Some of them include Blu-ray players; the Sony TV has an integrated Google TV. It's got a custom version of Chrome and a Flash version that we will talk about later.

So why do we hack the platform? We hacked the platform because, unlike the Google Nexus devices, it's got a locked bootloader, it's a heavily restricted kernel, and the previous generation, generation one, is now end of life. And the Flash player, I'll get to that in the next slides.

So before we begin I'll do a very quick recap of the stuff we did last year at DEF CON. I'll speed through it, so if you miss anything go look at last year's slides. So the generation 1 hardware consists of the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue: they left a root UART. We also have an exploit by Dan
Rosenberg that uses /dev/mem, and saurik wrote an Impactor plugin. Great. So the Sony, very similar situation: it's a nodev bug. We also wrote a custom recovery for it and used kexec to load in a different kernel, so now we have unsigned kernels.

So let's talk about the Flash player. The Flash player was blocked by various streaming sites, so for example you can't watch Hulu; you get redirected to a site that says sorry, this is the Google TV. And the fix for that is pretty much just changing the version string.

So what happened after we hacked these Google TV devices? We found this. This is a nice message from Logitech that they hid in the Android recovery. It is a ROT13 cipher that says "GTVHacker, congratulations, if you are reading this please post a note on the forum and let me know", and includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. This is why we hack devices.

So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way to the Boxee+ community, and it's still vulnerable, so that's awesome. So next up is Amir.

Hello everyone, I'm going to continue the presentation. My section concerns gen two hardware and one of the first 0-days we'll release for the platform, gen two at least.

So gen two hardware: we have a multitude of devices. They increased the number of devices they had by like a factor of two, and I guess they were trying to increase the market share. But essentially you have the Korean LG U+, the Asus Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have the same hardware layout in the
course of the majority of the generation, short of the LG 47G2 and G3. Generation 2 features a Marvell 88DE3100-based chipset. It's an ARM dual 1.2 gigahertz processor dubbed the Armada 1500. It includes an on-die crypto processor with separate memory, and it does secure boot from ROM via RSA verification and AES decryption.

This particular slide, there's not a whole lot that you really need to pull from this; it was just straight from their marketing material for the chip. Yeah, it's just here to show kind of how they pried the chipset itself. Skip the placeholder, apparently.

So platform information: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week and a half, when the master key vulnerability and, you know, the key signing bugs were big news, and saurik wrote his amazing tool, Impactor. It's not a bionic libc setup, it's a fat glibc setup, and it does not support Android native libraries right now.

So gen one was an Intel CE4150, which is x86, single-core Atom 1.2 gigahertz. Gen 2 is a Marvell Armada 1500 dual-core ARM 1.2 gigahertz, so a switch from x86 to ARM. Android 4.2 incoming for gen two adds native libraries and bionic libc, from what we have heard from the rumor mills.

So I'll go through these next devices fairly quickly; as you know it's all public information, I'm sure you guys don't really care too much. A gigabyte MMC flash inside the Sony NSZ-GS7. It has the best remote, so if you are going to buy a Google TV we'd probably recommend this one. Hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it has built-in IR blasters, which seems like something that would be across the entire platform, but it's unfortunately not.

The Vizio Co-Star features a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done through Update Logic rather than the standard Android checking system. It's common in all Vizio devices.

The Hisense Pulse: this has the second-best remote in our opinion. It was launched with ADB running as root when it first was released, so if you pick one up before it's actually updated you can just adb in, adb root, and you know adb has root privileges. So it was patched shortly after, and it's a $99 MSRP. With ADB root there was also a UART root setup, I guess for debugging and whatnot, and they had ro.debuggable set as 1, so adb root was all you really needed if you want a software root. But if you wanted to have some fun, you know, connect your UART adapters that we give you after this; you can technically connect to that pinout, which is right up there. Again, we'll have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a horrible remote. It's a 129 dollar MSRP. We had two exploits for it: one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and put
the console to start up on UART regardless of what ro.secure was set as. ro.secure is set to, like, if they're in a debug environment they're going to set ro.secure to 0, and if they're not in a debug environment they set ro.secure to 1, for just setting special lockdowns.

Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update process on the Netgear NeoTV Prime. Essentially the process involves checking whether a persistent radio test mode is enabled, and if it is, it extracts a test mode .tgz from a USB drive to /tmp, and then it just straight executes a shell script from that file. So you run it, you get local command execution fairly easily with just a thumb drive with a special .tgz file and shell script.

So then the Asus Cube: it's the same generation two hardware, terrible remote again, 139 dollar MSRP. But we really like this box because of this next part: CubeRoot. So we had a lot of fun with this. We hadn't actually done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and kinda certain users were a large part of this. So this was great because we made an app that not only exploits but it patches your Asus Cube, because our whole worry was that releasing an exploit out there, you know, if someone else takes a look at it they could, you know, put it in their own app and root your Google TVs. So we set it up so that it can do patching and it can do rooting. But essentially the way it worked is that it exploited a helper application called oplayhelper via a world-writable UNIX domain socket. The helper application passed unsanitized input to the mount command, resulting in local command execution. We triggered the
vulnerability from an Android APK that just literally showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after 6 days. We rooted around 256 boxes, including one engineer build, which was pretty cool, and it took two months for them to actually patch it. So, you know, 6 days on the market: can you imagine the kind of damage someone could have actually done if they were trying to be malicious and not just help people unlock their devices?

So then we got to the 0-day that I told you guys about. We've been using this bug for a while to do our investigations on, like, new devices, and research on new devices, to kind of see how things are set up. So this is kind of something that's near and dear to us, because it's worked on the entire platform so far. So what it is: we call it the magic USB. We just like saying magic because we are on the Penn and Teller stage, I guess.

So if you recall our past exploits with the Sony gen one GTV, it required four USBs. You could narrow down the number to a lot lower, but you had to have a bunch of different images for the USB drive, and it leveraged an improperly mounted ext3 drive that was mounted without nodev. So this is pretty similar to that. It's NTFS, and it's not done in recovery, but it's just as powerful.

So all Google TVs and some other Android devices are vulnerable. What this bug is, actually I'll get to that in the next slide. The way this is set up, it requires a user to have an NTFS removable storage device. It requires the device to be mounted nodev when you plug it in, so you can easily just run mount and see if it's
nodev. And so it affects more than just Android; it affects certain kernel configurations, or certain configurations. So with this particular setup, vold mounts NTFS partitions without nodev, and, a little-known feature, it does support block devices.

So our magic USB: essentially the process is that you go, you get the major and minor hashes, you set up a device on a separate computer on an NTFS-formatted drive, you plug it in to your Google TV, and you dd directly to that newly created device that's on the USB drive. The kernel does its magic: even though the partitions are mounted read-only, it overwrites them just perfectly. So we dump the boot image, we patch up init.rc or default.prop for ro.secure, we write it back as a user, no root required, we reboot and we are rooted. A lot of boxes require an additional step. So now I will go ahead and introduce Hans Nielsen.

Oh yeah, hello, I am Hans. So something that we really love doing here at GTVHacker is we like taking things apart and then we like soldering little wires to things. It tickles something deep in our brain that makes us feel very good. So there are a couple of platforms out there, you know, some interesting Google TV form factors. One of these is this TV that is made by LG. It's an interesting implementation of the platform. They use a different chip than the rest of the gen two Google TVs; it's got a custom chip called the ARM L9. It's a custom LG SoC they use in it. LG also signed basically everything in terms of images on the flash file system, including the boot splash images. So this platform has always kind of eluded us. You know, it's in a 47 inch LCD TV, and, because it's a Google TV, you know, it's cool. So this thing's around a thousand dollars, and you know we really didn't want to spend a thousand
dollars on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We did not actually buy the rest of the TV, and it turns out you can get that for not that much.

So once we had this we did that thing that we like so much: we soldered some wires to it. So this hardware is based around that LG SoC, and the storage it uses is an eMMC flash chip. So it's similar to an SD card; it just has a few extra little bits that allow for secure boot storage and other stuff like that. But basically what it allows us to do is that we can just solder, you know, a small number of wires to this thing and hook it up straight to an SD card reader, and with that SD card reader we can read and write from the flash on the device at will, you know, no problems there. Most devices will have a NAND chip. It's much trickier to write those: they have a lot more pins, and the interface is, you know, there just aren't as many common available pieces of hardware to read that for you. But SD, everyone has an SD reader.

So to actually root this thing we spent some time digging through the filesystem, seeing what is here, you know, how can we pull stuff apart. At 0x100000 hex we found the partition information that tells us where each of the different partitions that are used in this device are. So what we did next was we just went through each of the partitions looking for, okay, is this one signed, can we do anything with it, is there fun stuff here. So one of the more interesting partitions, as usual, is
system, because that contains pretty much all of the files used to actually run Google TV. That's where all the APKs live, that's where all the libs live. So like we said, pretty much all the filesystem stuff was signed, but it turns out that they didn't sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets immediately called from the bootloader, and then messing with it. So it turns out that in the boot partition, you can see on the right side here, there's part of the boot scripts; at the bottom it calls this vendor bin init forced strip dot sh, so that's on system. So we just changed that file to spawn a shell connected to UART, you know, again, we love soldering wires to things, and there we go, then we have root, all on a device that we never actually bought the full thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so it was only a matter of rewriting those partitions. So the first thing that we did, the usual way to do this in Android is you modify the boot properties to say, okay, ro.secure is 0, so that you can just straight up adb to the device and everything will just be good, simple, easy. But we did that and it did not work. So it turns out that the init scripts were actually checking signatures for some stuff, and it was also making sure that some of these properties were not set. So it's like, okay, ro.secure must be 1. Well, so we went about looking at how the signature stuff is working, and it turns out that they are just not verifying those signatures. So it was pretty easy to just replace init, and then we were able to do whatever we wanted.
Yeah, this is why you do not have hardware access to systems, because you get to do things like this. And then another fun feature that this device had is it had a SATA port, an unpopulated SATA header, in the device, but it did actually have the necessary passive components on the hardware for this. So we soldered a SATA connector to it and plugged in a hard disk. So far it does not appear that the kernel actually supports this stuff, though the hard disk is actually spinning up, and we are pretty sure it is working, and we will talk more about that.

So beyond those two devices is another device that came out very recently, a very interesting device, very similar. It's an interesting evolution of the GTV family: Google Chromecast. Google announced the device last week, last Wednesday even. It's $35; you know, this is an order of magnitude cheaper than pretty much any existing GTV device. It does not have the same in and out for HDMI that all the other GTV devices do; you just straight up plug it into your TV and then you power it with the USB cable and boom, you have something that you can use to share videos. It's actually a really cool device, and we think it's very good in many ways. We think it solves a lot of the problems that GTV has had so far with, you know, it's kind of an expensive niche platform. It's a really interesting device: instead of having two thick clients to deal with stuff, deal with content, you now have one thinner device that goes with your thick device, say your phone or your computer, and then you can share content directly to it. So one of the interesting things about that is, so this is a thin device, how are you pushing content to this device? Well, you are not just streaming video from a phone; you know, that's
really slow, that's hard to do. So this device is actually fairly powerful. So what's in it? Well, we pulled it apart as soon as we could, and it turns out that it has fairly standard stuff you kind of see for