Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device. A quick search on YouTube for “Fire Stick Hack” will bring up a seemingly endless array of videos, some with millions of views, which will show viewers how to install unofficial software on the little media dongle. Now it looks like their latest media device, the Fire TV Cube, is starting to attract the same kind of attention.
The team at [Exploitee.rs] has recently taken the wraps off their research which shows the new Fire TV Cube can be rooted with nothing more than an Arduino and an HDMI cable you’re willing to cut apart. Of course, it’s a bit more complicated than just that, but between the video they’ve provided and their wiki, it looks like all the information is out there for anyone who wants to crack open their own Cube. Just don’t be surprised if it puts you on the Amazon Naughty List.
The process starts by putting the device’s Amlogic S905Z into Device Firmware Upgrade (DFU) mode, which is done by sending the string “boot@USB” to the board over the HDMI port’s I2C interface. That’s where the HDMI cable comes in: you can cut into one and wire it right up to your Arduino and run the sketch [Exploitee.rs] has provided to send the appropriate command. Of course, if you want to get fancy, you could use an HDMI breakout board instead.
With the board in DFU mode you gain read and write access to the device’s eMMC flash, but that doesn’t exactly get you in, because there’s still secure boot to contend with. As these things tend to go, though, the team was able to identify a second exploit which could be used in conjunction with DFU mode to trick the device into disabling signature verification. Now with the ability to run unsigned code on the Fire TV Cube, [Exploitee.rs] implemented fastboot to make it easier to flash their custom rooted firmware images to the hardware.
As with the Fire TV Stick before it, make sure you understand the risks involved when you switch off a device’s security features. They’re often there to protect the end user as much as the manufacturer.
“Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device.”
And the “P” word as well.
I never understood that. It’s not like pirates are depending on an Amazon device for anything. There are always going to be ways–if you can view the media with your eyeballs, obviously there exists a way to copy it.
No, pirates depend on a ship. :-)
You mean the word for the male genital? Or the word for films where these are used? But there is not much connection to rooting (owning a device you bought with your money).
“They’re often there to protect the end user as much as the manufacturer.”
Ha! Good one.
I dream of the day when it will be illegal to prevent the end user from changing the signing keys so they can run their own code. I might be able to break the signing mechanism to run my own code, but I’ve lost any protection a verified boot could provide.
It seems ridiculous to sell furniture with drawers that are locked and cannot be opened. It should seem equally ridiculous to sell devices with sections similarly closed off… except that most people are ignorant that these sections exist, and never notice that they’ve been locked out.
I found a way to run cancer research via BOINC on my Fire Stick.
Is the Raspberry Pi able to access the same I2C lines in its HDMI port via /dev/i2c-2 (which requires a special “I know this could break my monitor” dtparam to turn on)? That seems like it would be an even easier solution for folks who don’t want to cut apart an HDMI cable.
The parameter you are looking for seems to be “dtparam=i2c2_iknowwhatimdoing” =)
https://raspberrypi.stackexchange.com/questions/80169/no-dev-i2c-to-read-edid-from-my-benq-projector
Very good point. As these sorts of vulnerabilities become more common (there’s a PS4 HDMI exploit in the wild now), I wouldn’t be surprised if we see more development along these lines.
The same approach can reach into an HDMI sink