The NeoTV is a set top box built by Netgear to compete with the likes of Roku. It streams video from the usual Internet sources like Netflix, Hulu Plus, and YouTube. [Craig] recently cracked his unit open, and in the process discovered that the NeoTV can be rooted using nothing but the remote control.
He starts with a hardware overview. The box houses a single-board ARM design with a 128MB of NAND and 256MB of RAM. The serial port is easy to find, but it does not provide a root shell (which often is one of the easiest ways to root a device). He next turns to poking around the unencrypted firmware update to see what he can learn. That’s how he discovered that the SSID value when connecting to WiFi is fed into a system() command. This glaring security hole lets you run just about anything you want on the device by issuing commands as fake SSID names. It’s just a matter of a little Linux know-how and [Craig] now has root access on his device.
It is just amazing how small the boards are for some really powerful smart phones. For instance, the diminutive size of this Meizu MX Android phone’s board is only outshone by the intricate packaging the phone arrived in. [Adam Outler] did an unboxing of the device. But for him that mean tearing down all of the components and using a Bus Pirate to root the device.
In the video after the break he gives us a candid look at what it takes to exploit this piece of hardware. You might be a little spooked by the commands, which he reads aloud character by character, but watch closely and you’ll see they’re really quite common functions.
His rooting quest began by reading the datasheet for the main processor to find the USART parameters. With that information he hooked his Bus Pirate to ground, then probed around various test points on the board while it was rebooting until serial data started scrolling on the screen. He had found the USART lines and soldered a breakout connector onto them so that he had access after reassembling the phone.
From there he used the Bus Pirate to merge with the board’s terminal, then rebooted the phone using the Android Debug Bridge. Once it fires up, the Bus Pirate terminal window is sitting at a root prompt (many companies disable this but [Adam] was lucky). He remounts the internal file system to be rewritable, then uses the ADB to push the Linux substitute user (su) command onto the device as it will be needed by the Superuser.apk program. That is the next thing to be installed and once it is he officially has root.
Continue reading “Meizu MX rooted using the Bus Pirate”
The Sony Bravia series of HDTVs are a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.
The exploit itself is a regular buffer overflow initialized by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive and all the Debian programs run correctly.
If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least now running XMBC or other media server on a TV is possible.
If anyone would like to start porting XMBC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one post a link in the comments.
The proud cry of “I am root” rings true once again, this time on Sony Google TV devices. Although a low-level exploit was found on previous firmware versions, a downgrade process lets you run unsigned kernels on updated TV or Bluray models of the Internet streaming devices.
These systems are Android-based, which currently run version 3.1 Honeycomb. This version patches the previous exploit, but with three different USB sticks you can downgrade, exploit, and upgrade to an altered and unsigned hack of the most recent kernel. This gives you the root access you may have been longing for, but other than the features discussed in the forum thread there’s not a whole lot of changes rolled into the exploit yet.
We’re always looking out for open source projects running on living-room devices and hope that someday we’ll see a branch of XBMC for the GTV. Until then we’ll just have to keep our fingers crossed for the viability of a RaspberryPI XBMC.
So you’ve been rooting devices eh? If you get caught you’re headed for the big house, the lockup, the pen, the joint, they’ll send you up the river, you better be careful! Seriously though, if you buy a device and circumvent the security features should that in itself be breaking the law? We’re not talking about stealing intellectual property, like playing copied games on a chipped system (yeah, that’s stealing). We mean unlocking a device so that you can use it for what you wish. Be it your own prototyping, or running open-source applications. Unfortunately if the current Digital Millennium Copyright Act exemptions expire it will be a crime.
Thankfully, [Bunnie] is doing something about this. You may remember him as the guy that found most of the ridiculous security holes in the original Xbox, or the brain behind the Chumby. Now’s he’s got an online petition where your voice can be heard. Speak up and let the US politicians know why unlocking a device isn’t a crime.
[Kubbur87] put together a guide to replacing the Non-touch Kindle 4 screensavers with your own images. We’ve already seen a way to remove the Special Offers banners from the newest version of Kindle Hardware, this hack lets you use your own 600×800 Portable Network Graphics (.png) file instead of the images pushed to the device by Amazon.
Frankly, we’re shocked at how easy this hack is. [Kubbur87] puts the device into developer mode, enables SSH, and then goes to work on the Linux shell within. It seems the only line of protection is the root password which he somehow acquired.
After the break you’ll find his videos which show how to enable developer mode and how to perform this hack. By putting a file named “ENABLE_DIAGS” with no extension on the device when it is recognized as a USB storage device you’ll gain access to the diagnostic menu system. From there it’s just a matter of cruising that menu to get SSH access. Like we said, you’ll need the root password, that that’s as easy as naming your favorite video game character from the 1980’s.
Continue reading “Custom screensaver on the non-touch Kindle 4”
[Chris’] family made the mistake of giving him a hackable Christmas gift. We’d bet they didn’t see much of him for the rest of the day as he set about rooting this Android wristwatch.
This thing has some pretty powerful hardware under the hood. It’s sporting an OMAP3 processor running at 600 MHz along with 256 MB of RAM. [Chris] needed to get his hands on a firmware image in order to look for security holes. He found a way to spoof the update application in order to intercept an upgrade image from the Internet.
He dumped the firmware locations and got to work searching for a way to exploit the device. Details are a bit scarce about want exactly he did, but you can download his modified image, letting you root your own Motorola Actv using the Android Debug Bridge.
We’ve embedded a demo video after the break. The OS is pretty snappy on the tiny device. We’re not sure what will come of this functionality, but we assume [Chris] was really only interested in the challenge of rooting process itself.
Continue reading “Rooting a Motorola Actv (Android wristwatch)”