Boxee

From Exploitee.rs
Revision as of 13:04, 5 August 2017 by Zenofex (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Front-SMALL.jpg

Boxee

This page will be dedicated to a general overview, descriptions, and information related to the Boxee media player.

The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC (Intel Atom CE4170).

It is quite similiar in function to that (security wise) of the Logitech Revue, or Gen 1 Sony Google TV boxes.

Specifically, the bootloader is signed, which calls a signed kernel. The kernel RSA verifies a read only ramdisk and then boots it.

We unveiled two methods for rooting the Boxee at DEFCON 20, which are below. These are known to work as of the latest update, 1.5.1.23735.

Software Root Method (LCE)

SettingsNetworkServers.jpg

Under Share Workgroup Name, you can simply add in another command with the semicolon.

For instance, to run "custom.sh" off of your USB Drive (noting to replace LABEL with the label of your usb disk):

;sh /mnt/LABEL/custom.sh ;

This will cause custom.sh to run at each bootup. The script can then simply launch busybox from usb, and spawn a root telnet daemon on port 23.

A video of the POC for this root used at our Defcon20 presentation can be found on our YouTube channel

Hardware Method

Scrape the two vias labeled in the picture below, solder wires to a UART adapter (TX/RX). Ground to any ground point. Once the box boots, it will drop you to a root shell.

Boxeehw.jpg