DEF CON 21 – Panel – Google TV

Greetings everyone, welcome to Google TV, or how I learned to stop worrying and exploit secure boot. My name is Mike Baker, I'm a firmware developer, I did OpenWrt. We also have Hans Nielsen, who is a senior security consultant at Matasano. Now we have CJ Heres, he is an IT systems administrator. Gynophage, I think he's out running CTF at the moment. And we've got Tom Dwenger in the audience, and you know, get up Tom. And we have Amir Etemadieh, who is a researcher at Accuvant Labs and the founder of the GTV Hacker group.

So GTV Hacker is a group of about six hackers that hack on the Google TV line of products. Our main goal is to bypass the hardware and software restrictions and open up the device. The GTV Hacker group was the first to exploit the Google TV and received a five-hundred-dollar bounty. So what's the Google TV platform? The Google TV platform is an Android device that connects to the TV, so your TV basically becomes the same Android device as your phone. It's HDMI in, HDMI out, and some of them include Blu-ray players; the Sony TV has an integrated Google TV. It has a custom version of Chrome and a flash version that we're going to talk about later. So why do we hack the platform? We hack the platform because, unlike the Google Nexus devices, it has a locked bootloader, it's a heavily restricted kernel, the previous generation, gen 1, is now end of life, and the flash player, I'll get to that in the next slides.

So before we start I'll do a really quick recap of the things we did last year at DEF CON. I'll speed through it, so if you miss something go check out last year's slides. So the generation 1 hardware includes the Logitech Revue, the Sony Blu-ray player and the Sony TV. The Logitech Revue, they left a root UART. We also have an exploit by Dan Rosenberg that uses /dev/mem, and saurik wrote an Impactor plugin, wonderful. And so the Sony, similar case, it's a nodev bug. We also wrote a custom recovery for it and used kexec to load in a new kernel, so now we have unsigned kernels. So let's talk about the flash player. The flash player was blocked by various streaming websites, so for example you cannot watch Hulu, you get redirected to a page that says sorry, this is a Google TV, and the fix for that is literally just changing the version string. So what happened after we hacked these Google TV devices? We found this, which is a nice message from Logitech that they hid in the Android recovery. It's a ROT13 cipher that says GTV Hacker, congratulations, if you're reading this please post a note on the forum and let us know, let me know, and it includes all of our nicknames. Yes, whoever it is at Logitech that wrote that, you are awesome. This is why we hack devices. So the Boxee Box is a very similar device that uses the same SoC. In the process of hacking the Google TV we also came up with an exploit for the Boxee that led the way for the Boxee+ community, and it's still vulnerable, so that's awesome. So next up is Amir.

Hello everyone, I'll continue the presentation. My part regards gen 2 hardware and one of the first 0-days we're going to release for the platform, gen 2 at least. So gen 2 hardware, we have a large number of devices; they raised the number of devices they had by like a factor of two, and I guess they were intending to increase the market share, but basically you've got the Korean LG U+, the ASUS Cube, the LG 47G2 and G3, the Netgear Prime, the Sony NSZ-GS7 and GS8, the Hisense Pulse and the Vizio Co-Star. They have the same hardware layout throughout most of the generation, short of the LG 47G2 and G3. Generation 2 features a Marvell 88DE3100 based chipset. It's an ARM dual 1.2 gigahertz processor dubbed the Armada 1500. It features an on-die crypto processor with independent memories and it does secure boot from ROM via RSA verification and AES decryption. This particular slide, there's not a whole lot that you really need to pull from this, it was just straight from their marketing stuff for the chip. Yeah, it's just here to show you kind of how they pitched the chipset itself. Skip the placeholder apparently.

So platform info: the latest version of GTV is currently on Android 3.2. There were no public vulnerabilities that worked up until a week ago, maybe a week, when the master key vulnerability and, you know, the key signing bugs were big news, and saurik wrote his awesome tool Impactor. It is not a Bionic libc setup, it is a glibc setup, and it doesn't support Android native libraries currently. So gen 1 was an Intel CE4150, which is x86, an Atom 1.2 gigahertz. Gen 2 is a Marvell Armada 1500 dual core ARM 1.2 gigahertz, so it switched from x86 to ARM. Android 4.2 incoming for gen 2 adds native libraries and Bionic libc, from what we've heard in the rumor mills.

So I'll go through these next devices pretty quickly because, you know, it's all public info, I'm sure you guys don't really care too much. A gigabyte MMC flash inside the Sony NSZ-GS7; it's got the best remote, so if you're going to get a Google TV we would probably recommend this one. Hard to recommend Sony. Larger form factor than some of the other Google TV devices, and it's got built-in IR blasters, which seems like something that would be across the whole platform but it's sadly not. The Vizio Co-Star has a smaller form factor, no voice search, a custom launcher, $99 MSRP, and updates are actually done through UpdateLogic instead of the standard Android check-in system. It's standard in all Vizio devices. The Hisense Pulse, this has the second-best remote in our opinion. It was released with ADB running as root when it first launched, so if you pick one up before it's actually updated you can simply ADB in, ADB root, and you know ADB has root privileges. So it was patched shortly after, and it's a $99 MSRP. Along with ADB root there was also a UART root set up, I guess for debugging and whatnot, and they had ro.debuggable set as 1, so ADB root was all you really needed if you want a software root, but if you wanted to have some fun, you know, connect your UART adapters that we give you after this, you can technically connect to that pin-out that's right up there. Again, we're going to have a select number of USB TTL adapters.

So the Netgear NeoTV Prime has a terrible remote, it's $129 MSRP. We had two exploits for it; one was real, one was technically an oversight, at least in our opinion. The oversight was they went ahead and set the console to start up regardless of what ro.secure was set as. ro.secure is set to, like when they're in a debug environment they'll set ro.secure to 0, and when they're not in a debug environment they set ro.secure to 1, for just setting up special lockdowns. Then we did the NeoTV Prime root, which was basically an exploit that leveraged the update mechanism on the Netgear NeoTV Prime. Essentially the mechanism involves checking whether a persistent radio test mode is enabled, and if it is, it extracts a test mode tgz from the USB drive to /tmp and then it just straight executes a shell script from that file, which means you get local command execution relatively easily with just a thumb drive with a special tgz file and shell script.

So then the ASUS Cube: it's the same generation 2 hardware, terrible remote again, $139 MSRP, but we really like this box because of this next feature, CubeRoot. So we had a lot of fun with this. We hadn't actually done an Android APK that actually leveraged one of our exploits up until this point, so it was really neat to be able to put this together, and kind of, specific users were a big percentage of this. So this was great because we built an app that not only exploits but patches your ASUS Cube, because our whole fear was that releasing an exploit in the market, you know, if somebody else takes a look at it they could, you know, put it in their own app and, you know, root your Google TVs. So we set it up so that it can do patching and it can do rooting. But basically the way it worked is it exploited a helper app called OPlay helper via a world writable UNIX domain socket. The helper app passed unsanitized input to the mount command, resulting in local command execution. We triggered the vulnerability from an Android APK that only actually showed network permissions, and it was point, click, pwn. We added it to the Google Play store just for fun. So with that being said, it was pulled by Google after six days. We rooted around 256 boxes, including one engineer build, which was pretty neat, and it took two months for them to actually patch it. So, you know, it was six days out there. Could you imagine the kind of damage somebody could have actually done if they were trying to be malicious and not just help people unlock their devices?

So then we got to the 0-day that I told you guys about. We have been using this bug for a while to do our investigations on new devices and research on new devices, to sort of see how things are set up. So this is kind of something that's near and dear to us because it's worked on the entire platform so far. So what it is, is we call it the magic USB. We just like saying magic because we're on the Penn and Teller stage, I guess. So if you remember our past exploits with the Sony gen 1 GTV, it required USBs, you could narrow the number down to a lot lower, but you had to have a bunch of different images on the USB drive, and it leveraged an improperly mounted ext3 drive which was mounted without nodev. So this is pretty much like that. It's NTFS, but it's not done in recovery, but it's just as powerful. So all Google TVs and several other Android devices are vulnerable. What this bug is, I'll get to that in the next slide. How this is set up: it requires a user to have an NTFS removable storage device, it requires the device to be mounted without nodev when you plug it in, so you can simply run mount and see if it's nodev, and so it affects more than just Android, it affects certain kernel configurations, or vold configurations. So with this particular setup, vold mounts NTFS partitions without nodev, and a little-known feature, it does support block devices. So our magic USB, basically the process is you go and you get the major and minor numbers, you set up a device node with a different computer on an NTFS formatted drive, you plug it into the Google TV and you dd straight to that newly created device which is on your USB drive. The kernel does its magic; even though the partitions are mounted read-only it overwrites them just beautifully. So we dump the boot image, we patch it up, the rc or default.prop to ro.secure 0, we write it back as a user, no root needed, we reboot and we're rooted. Several boxes require an extra step. So now I'll go ahead and introduce Hans Nielsen.

Oh yeah, hello, I am Hans. So one thing that we really love doing here at GTV Hacker is we like taking things apart and then we like soldering little wires to things. It tickles something deep in our brain which makes us feel very good. So there's a few platforms out there, you know, some fun Google TV platforms. One of these is this TV that is made by LG. It's an interesting implementation of the platform; they use a different chip than the rest of the gen 2 Google TVs. It has a custom chip called the L9, it's a custom LG SoC they use in it. LG also signed basically everything regarding images on the flash filesystem, including the boot splash images. So this platform has always sort of eluded us. You know, it's in a 47 inch LCD TV, and it's kind of the up-market, as it's a Google TV, you know, it's great. So this thing's over a thousand dollars and, you know, we really didn't want to spend a thousand bucks on it. So what are we going to do? Well, I mean, we like taking things apart, we like putting things back together, so we did the next best thing, which was on eBay we just bought a power supply and a motherboard from the TV. We did not actually buy the rest of the TV, and it turns out you can get that for not that much. So once we had this, we did that thing that we love so much, we soldered some wires to it. So this hardware is based around that LG SoC, and the storage it uses on this is, it uses an eMMC flash chip. So it's similar to an SD card, it just has a couple of extra little bits that allow for secure boot storage and other stuff like that, but basically what it lets us do is that we can just solder, you know, not very many wires to this thing and hook it up to an SD card reader, and with that SD card reader we can read and write to the flash on the device at, well, you know, no problems here. It's like most devices will have a NAND chip; it's much trickier to write those, they have a lot more pins, the interface is, you know, there just aren't as many commonly available pieces of hardware to read that for you. But SD, everybody has an SD reader.

So to actually root this thing we spent some time digging through the filesystem, seeing what is here, you know, how can we pull things apart. At 0x100000 hex we found the partition information that tells us where each of the different partitions that are used on this device are. So what we did then was we just went through each of the partitions looking for, okay, is this one signed, can we do something with it, is there fun stuff in here. So one of the more interesting partitions, as usual, is system, because that contains nearly all the files used to actually run Google TV. That's where all the APKs live, that's where all the libc lives. So like we said, all the filesystem stuff was signed, pretty much, but it turns out that they did not sign the system image. So once we figured that out it was just a matter of unpacking the system image, figuring out what in that system image gets quickly called by the bootloader, and then messing with it. So it turns out that the boot partition, you can see on the right side here, there is part of the boot scripts at the bottom; it calls this vendor bin install forced strip.sh, so that's on system. So we just replaced that file to spawn a shell connected to UART, you know, again we love soldering wires to things, and there we go. Then we have root on a device that we never actually bought the whole thing of.

So another device that we did this to was the Sony NSZ-GS7 and GS8. They also went with this eMMC flash interface. So on this platform neither boot nor system were signed, so it was just a matter of rewriting those partitions. So the first thing that we did, the standard way to do this in Android, is you modify the boot properties to say okay, ro.secure is 0, so that you can just straight up ADB to the device and everything will just be great, easy, simple. But we did that and it didn't work. So it turns out the init scripts were actually checking signatures for some stuff, and it was also making sure that some of these properties were not set, so it's like, all right, ro.secure must be one. Well, so we went around looking at how the signature stuff is working in init, and they're just not verifying those signatures, so it was pretty simple to just replace init and then we were able to do whatever we wanted. Yeah, this is why you don't have hardware access to systems, because you get to do things like this. And then we take another fun feature that this device had: it had a SATA port, an unpopulated SATA header on the device, but it did also have the necessary passive components on the hardware for this. So we soldered a SATA connector to it, plugged in a hard disk. So far it does not seem the kernel actually supports these things, but the hard drive is definitely spinning up and we're pretty confident it is working and we're going to talk more about that.

So beyond those two devices is another device that came out very recently, very interesting device, very similar. It's an interesting evolution of the GTV family: the Google Chromecast. Google announced the device last week, last Wednesday even. It's $35, you know, that's an order of magnitude cheaper than pretty much any GTV device, any existing GTV device. It doesn't have the same in and out for HDMI that all the other GTV devices do; it just straight up, you plug it into the TV and then you power it from the USB cable and boom, you have something that you can use to share videos. It's actually a really cool device and we think it's very interesting in some ways. We think it solves a lot of the issues that GTV has had in the past with, you know, it's kind of a pricey, niche platform. It's a really interesting device. Instead of having thick clients to manage things, manage content, you now have one thinner device that goes with your thick device, say your phone or your computer, and then you can share content onto it. So one of the interesting things about that is, so it's a thin device, how are you pushing content to this device? Well, you're not just streaming video from your phone, you know that's, that's really slow, that's hard