It’s always nice to get down to the root directory of a device, especially if the device in question is one that you own. It’s no huge surprise that a Google product allows access to the root directory but the OnHub requires locating the hidden “developer mode” switch which [Maximus64] has done. The Google engineers have been sneaky with this button, locating it at the bottom of a threaded screw hole. Has anyone seen this implemented on other hardware before?
There isn’t a blog post regarding this; however, [Maximus64] shared a video on YouTube walking us through the steps to root and un-root Google’s OnHub, which is embedded after the break. He also states “wiki coming soon” in the description of the video, so we’ll keep an eye on it for an update.
We covered the product announcement back in August and have heard a few reviews/opinions about the device but not enough to make an opinionated assumption. Rooting the device doesn’t seem to increase the OnHub’s number of LAN ports but we think it’s still worth the effort.
This was a group effort. We have updated the wiki and tutorial video moved to main exploiteers channel: https://www.exploitee.rs/index.php/Rooting_The_Google_OnHub
https://www.youtube.com/watch?v=ylc9pKGLaZY
Video is still private though.
the video is private…
Video clip is locked to only friends for some reason.
We move it to our main channel
https youtu.be ylc9pKGLaZY
sorry can’t post link for some reason, fill in the blank :)
coral cache.. https://youtu.be/ylc9pKGLaZY
We are not supposed to know. It is the compulsory paranoia at work.
Today’s society for you.
This appears to be the same video.
https://www.youtube.com/watch?v=ylc9pKGLaZY
I haven’t heard of the reset button under a threaded screw hole before, but I’ve experienced screw holes blocked with a plastic washer, and the Hot Wheels Radar Gun has plugs shaped to the slope and the same color of the surface plugging its screw holes.
A small crochet hook pulled out the washers, and a small hole drilled into the plugs and an eye screw threaded into the HWRG plugs got those out.
This HaD post would probably have been a bit more relevant. http://hackaday.com/2015/09/21/this-is-what-a-real-bomb-looks-like/
You have my interest now. What do I gain by locating these plugs? Is it just access to disassemble, or some cool way to interface with the radar gun? I have one and would love to tinker, but keep the original functionality. We use it for a surprising amount of things.
I don’t know about root, but don’t some Chromebooks have a screw making electrical contact with a write-protect function on their firmware? I could have sworn I read that recently, but I can’t find where.
The Samsung ARM Chromebook has a separated pad on the motherboard that is connected to the write protect line on the firmware EEPROM. There’s supposed to be a conductive sticker that bridges the pad and prevents software from modifying the first stage bootloader, but curiously my unit shipped without one. Unfortunately it was never clear to me how to build my own firmware that would only boot my own signed kernel images and bypass the obnoxious developer mode warning message and beep on boot. Secure boot is a good thing, but there’s seemingly not enough information out there to enable people to use it properly.
See also: http://www.flashrom.org/pipermail/flashrom/2013-December/011932.html
The Flip Camera had a reset button at the bottom of a screw hole, too
The engineer that decided on the placement of the developer switch is a genius.
I view it as both an acknowledgement as well as an invitation to hack. It’s almost an artistic statement in a way- to hack it is to take it apart, to take it apart you remove screws but once it’s known it becomes a single screw hack. Somewhat minimalist if you think about it.
manufacturers should make their devices like a bomb, so it takes skill to root it. anyone who does deserves it. and you get a name tag on the manufacturer webpage who rooted it first.
then you make one that can’t be rooted = profit $$$
why to all of it, why? (or even more importantly how?)
a non rootable device is like nonburnable wood, it might technically be fire retardant but throw it into the sun and it will burn all the same.
I’m not really sure that creating two marketing streams for consumer items would be profitable. The person who roots the “bomb” is likely to publish the process, negating the need for the manufacturer to create another product. Announcing such an award, a manufacturer would be admitting they released a product that could be compromised, not great for sales most likely. Then again I might not be understanding your thought process.
And now kit it out with privoxy or another slew of tracking and ad blocking goodness. That would be poetic..
you have to login to view these youtube videos?
Now it is time to put Kali on it. Just imagine. “Beaking News! Recent store hack was caused by a modified Google Onhub router!” That would be glorious.
Breaking* I need a keyobard lesson….. :-:
meh..
I was hoping for memory corruption or glitching
It seems to be confounding accessing ‘root directory’ with gaining ‘root access’. I’m sure you get the difference but the way you wrote the article sounds weird.
No offence, I appreciate the article, thanks.
Not specifically a root switch, but I’ve seen (and made!) industrial data loggers that use this mechanism for the power switch. Typically the device is a sealed box with the special screw removed or backed out a bit. Screwing it in all the way closes a lever switch inside and activates the device. It’s a very cheap way to make a weatherproof, vibration-resistant switch while avoiding openings on the enclosure. Most of these devices are fairly set-n-forget, so you don’t want people randomly fiddling with the switch before it’s time to collect the data anyway.