https://www.Exploitee.rs/api.php?action=feedcontributions&user=Martiniturbide&feedformat=atom
Exploitee.rs - User contributions [en]
2024-03-29T13:31:04Z
User contributions
MediaWiki 1.37.2

https://www.Exploitee.rs/index.php?title=Eject_Bug_Hack&diff=2642
Eject Bug Hack
2017-01-04T02:21:40Z
<p>Martiniturbide: </p>
<hr />
<div>Here is a patchloader that consists of a script to detect and recover from the eject bug and the modification necessary to make that script be run as a service. The user can follow the instructions below to install this on their GTV.<br />
<br />
The install procedure and the workaround itself are run as root, so there is of course the risk that the user could brick their system with no recourse for recovery. As with any root-related activity, if you can't afford to lose it, don't do it.<br />
<br />
Developers: The patchloader framework used for this can be found [[Patchloader|here]] and used for deploying other fixes or updates.<br />
<br />
<pre>#!/bin/sh<br />
busybox tr -d '\r' <$0 | busybox sed '1,/^PATCHLOADER BEGIN$/ d; s|PATCHLOADER_SCRIPT=.*|PATCHLOADER_SCRIPT='$0'|' | /bin/sh 2>&1 | busybox tr -d '\r' | busybox sed '/^ *$/ d' # Keep comment here.<br />
exit # Do not change or delete these first two lines or their comments, or DOS breaks.<br />
<br />
# patchloader, by Catrane<br />
# Bluray disc eject workaround, by Catrane<br />
#<br />
# USER INSTRUCTIONS<br />
# -----------------<br />
# The patch developer should move these instructions to directly above the<br />
# "DEVELOPER INSTRUCTIONS" line atop this file, deleting these three<br />
# developer instructions lines.<br />
# 1) Save the full contents of this patchloader file to your computer. This may<br />
# involve copying and pasting, or just downloading.<br />
# 2) Connect to your device using adb. adb usage is outside the scope of this<br />
# document.<br />
# 3) Transfer this patchloader file to your device via adb so that it exists as<br />
# /tmp/patchloader.sh on your device.<br />
# e.g. adb push patchloader.sh /tmp/patchloader.sh<br />
# 4) Execute the patchloader by running the following command via adb.<br />
# adb shell /bin/sh /tmp/patchloader.sh<br />
# 5) Follow any instructions printed out by the patchloader.<br />
<br />
# DEVELOPER INSTRUCTIONS<br />
# -----------------<br />
# Search for these sections below:<br />
# PRE PATCH, PATCH PAYLOAD, PATCH MD5, POST PATCH, and USER INSTRUCTIONS.<br />
# Follow directions in each section.<br />
# Do not modify any other sections.<br />
<br />
# NECESSARY LINE<br />
# -----------------<br />
# Don't move or delete this line. The second line of the file needs it.<br />
PATCHLOADER BEGIN<br />
<br />
# PRE PATCH<br />
# -----------------<br />
# Add any commands below which should be run prior to applying the patch.<br />
<br />
# END PRE PATCH<br />
# -----------------<br />
<br />
# PATCH MD5<br />
# -----------------<br />
# Calculate the MD5 hash of the patch file and set here for validation.<br />
# The easiest way to get the right value is to run the script with "GARBAGE" as<br />
# the MD5 below and let it tell you the right value.<br />
PATCH_MD5="7fc5242685822432b8220b4e760629bf -" # PATCH_MD5="f7be3e1337c0d37b2850fabed5469d34 -"<br />
<br />
# MD5 VALIDATION<br />
# -----------------<br />
PATCHLOADER_SCRIPT=$0<br />
extractPatch ()<br />
{<br />
busybox tr -d '\r' <$PATCHLOADER_SCRIPT | busybox sed '1,/^PATCHLOADER PAYLOAD START$/ d; /^PATCHLOADER PAYLOAD END$/,$ d'<br />
}<br />
MD5_CALC="`extractPatch | busybox md5sum`"<br />
if [ "$PATCH_MD5" != "$MD5_CALC" ]<br />
then<br />
if [ "GARBAGE" != "$PATCH_MD5" ]<br />
then<br />
echo "FATAL: Failure to validate patch integrity. Please redownload and try again."<br />
else<br />
echo "patchloader MD5 hash is as follows. Users should not see this message."<br />
echo "$MD5_CALC"<br />
echo "A copy of your extracted patch is located at /tmp/extract.patch for verification."<br />
extractPatch > /tmp/extract.patch<br />
fi<br />
exit<br />
fi<br />
<br />
# PATCH APPLICATION<br />
# -----------------<br />
extractPatch | busybox patch -p1<br />
if [ "$?" != "0" ]<br />
then<br />
echo "FATAL: Error patching. Please redownload and try again."<br />
exit<br />
fi<br />
<br />
# POST PATCH<br />
# -----------------<br />
# Add any commands below which should be run after applying the patch.<br />
# Include here any instructions for user to reboot if necessary.<br />
chmod 755 /system/bin/eject_bug_workaround.sh<br />
rm $PATCHLOADER_SCRIPT<br />
echo Please reboot your GTV via the power cord or ctrl-alt-del for this patch<br />
echo to take effect.<br />
echo This patch has a 60 second safety when loaded, so it will not actually run<br />
echo until the GTV has been fully booted for 60 seconds.<br />
<br />
# END POST PATCH<br />
# -----------------<br />
<br />
# END OF SCRIPT. DO NOT MOVE OR REMOVE<br />
# -----------------<br />
exit<br />
<br />
# PATCH PAYLOAD<br />
# -----------------<br />
# Add patch content after the "PATCHLOADER PAYLOAD START" line here.<br />
PATCHLOADER PAYLOAD START<br />
---<br />
init.eagle.rc | 5 +++<br />
system/bin/eject_bug_workaround.sh | 53 ++++++++++++++++++++++++++++++++++++<br />
2 files changed, 58 insertions(+), 0 deletions(-)<br />
create mode 100644 system/bin/eject_bug_workaround.sh<br />
<br />
diff --git a/init.eagle.rc b/init.eagle.rc<br />
index 2004d8a..685ce6f 100644<br />
--- a/init.eagle.rc<br />
+++ b/init.eagle.rc<br />
@@ -329,6 +329,7 @@ on init<br />
setprop com.sony.btv.discplayer.enable 1<br />
export DISCPLAYER_KEEP_DMIX_ASIS true<br />
export DISCPLAYER_LOG_VERBOSE true<br />
+ start ejectworkaround<br />
<br />
## for lighttpd<br />
mkdir /var/log/lighttpd 0750 system system<br />
@@ -439,6 +440,10 @@ service discplayer /system/bin/discplayer<br />
user root<br />
group system<br />
<br />
+service ejectworkaround /system/bin/eject_bug_workaround.sh 60<br />
+ user root<br />
+ group system<br />
+<br />
on property:com.sony.btv.discplayer.enable=1<br />
start discplayer<br />
start discservice<br />
diff --git a/system/bin/eject_bug_workaround.sh b/system/bin/eject_bug_workaround.sh<br />
new file mode 100644<br />
index 0000000..1f4f282<br />
--- /dev/null<br />
+++ b/system/bin/eject_bug_workaround.sh<br />
@@ -0,0 +1,53 @@<br />
+#!/bin/sh<br />
+<br />
+# Reason:<br />
+# There is a known problem that, for an unknown reason, disc eject fails on rooted NSZ-GT1 systems.<br />
+# Side effects of this problem include the possibility that the disc is not ejected and in all cases<br />
+# the problem that discs cannot be played after attempted eject.<br />
+# Rebooting the system fixes the problem, but this solution eliminates the need for reboot.<br />
+<br />
+# Alternative solutions:<br />
+# Restart the device via the power cord or ctrl-alt-del.<br />
+<br />
+# Caveats:<br />
+# This fix does not detect the occurrence of any error, but rather occurrence of a known event which<br />
+# reliably preceeds the error and is reliably followed by the error situation.<br />
+# Error messages and odd behavior may be observed onscreen at the moment of eject, though none of<br />
+# this causes any side-effects.<br />
+<br />
+# Stimulus:<br />
+# From command: logcat -b main<br />
+# Output: I DiscPlayerManager: onStartCommand: com.sony.btv.discplayer.EJECT_DISC<br />
+<br />
+# Response:<br />
+# setprop com.sony.btv.discplayer.enable 0<br />
+# busybox eject /dev/block/sr0<br />
+# setprop com.sony.btv.discplayer.enable 1<br />
+<br />
+# Usage:<br />
+# eject_bug_workaround.sh &<br />
+# - Runs workaround in background.<br />
+# eject_bug_workaround.sh 600 &<br />
+# - Sleeps for 600 seconds before running, all in background.<br />
+# - Useful for ensuring a window of recovery in case any side-effects occur.<br />
+<br />
+if [ ! -z "$1" ]<br />
+then<br />
+ sleep $1<br />
+fi<br />
+<br />
+LASTDECT=$(date)<br />
+<br />
+logcat -b main DiscPlayerManager:I *:S|busybox awk '/onStartCommand: com.sony.btv.discplayer.EJECT_DISC/ {system("echo onStartCommand: com.sony.btv.discplayer.EJECT_DISC")}'|while busybox awk '/onStartCommand: com.sony.btv.discplayer.EJECT_DISC/ {exit 0}'<br />
+do<br />
+ if [ "$LASTDECT" != "$(date)" ]<br />
+ then<br />
+ echo Detected eject failure.<br />
+ setprop com.sony.btv.discplayer.enable 0<br />
+ busybox eject /dev/block/sr0<br />
+ setprop com.sony.btv.discplayer.enable 1<br />
+ echo Eject failure repair complete.<br />
+ LASTDECT=$(date)<br />
+ fi<br />
+done<br />
+<br />
-- <br />
1.7.6.1<br />
PATCHLOADER PAYLOAD END<br />
</pre><br />
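Review bot: The `service ejectworkaround` stanza added to init.eagle.rc runs /system/bin/eject_bug_workaround.sh as `user root`, but the diffstat creates that file with mode 100644, so the service depends on the POST PATCH `chmod 755` having run. State that dependency in a comment next to the stanza, and confirm the script ends up owned by root and not writable by group or others, since whoever can edit it gets a root-run hook at every boot. The stanza also carries no `oneshot` or `disabled` keyword; say whether having init restart the script when it exits is intended, given that `start ejectworkaround` is already issued from `on init`.<br />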
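Review bot: In eject_bug_workaround.sh the loop condition `while busybox awk '/...EJECT_DISC/ {exit 0}'` also returns 0 when its input reaches end of file without a match, so if `logcat` exits the loop keeps running and repeats the setprop/eject sequence, with the `$(date)` comparison as the only brake. Have awk report the match explicitly, for example `{found=1; exit} END {exit !found}`, so the loop stops when the log stream closes. The trigger is matched only by log tag and message text in the main buffer, so the header comment should note that any process able to log under the `DiscPlayerManager` tag can make this root service toggle com.sony.btv.discplayer.enable and eject. `sleep $1` should quote its argument and reject non-numeric values.<br />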
<br />
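Because the patchloader above runs as root, it is worth checking the file on a workstation before pushing it to the device. The script below is an added example, not part of the original patchloader or the Patchloader framework: it repeats the script's own payload extraction and MD5 comparison on the host and lists the files the embedded patch will touch. The function names and the sample file it builds are constructed for illustration, and it assumes a workstation with POSIX sh, tr, sed, awk and md5sum.<br />

```sh
#!/bin/sh
# Added example: host-side pre-flight check for a file in the patchloader
# layout shown on this page. Function names are hypothetical.

# Same extraction as the page's extractPatch(): strip CRs, keep only the
# lines between the two payload markers.
extract_payload() {
    tr -d '\r' < "$1" |
        sed '1,/^PATCHLOADER PAYLOAD START$/ d; /^PATCHLOADER PAYLOAD END$/,$ d'
}

# Hex digest recorded in the PATCH_MD5="..." assignment
# (empty when the line is absent or still set to "GARBAGE").
embedded_md5() {
    tr -d '\r' < "$1" |
        sed -n 's/^PATCH_MD5="\([0-9a-f]\{32\}\) .*/\1/p' | head -n 1
}

payload_md5() {
    extract_payload "$1" | md5sum | cut -d' ' -f1
}

# Files the payload will modify. With "patch -p1" the leading a/ or b/ is
# dropped, so these paths are relative to the directory the script runs in.
patch_targets() {
    extract_payload "$1" | sed -n 's|^+++ b/||p'
}

# Returns 0 on match, 1 on mismatch, 2 when no digest is recorded.
verify_patchloader() {
    want=$(embedded_md5 "$1")
    got=$(payload_md5 "$1")
    if [ -z "$want" ]; then
        echo "no PATCH_MD5 digest found in $1" >&2
        return 2
    fi
    if [ "$want" != "$got" ]; then
        echo "MISMATCH: embedded $want, payload $got" >&2
        return 1
    fi
    echo "payload digest OK ($got); files the patch will touch:"
    patch_targets "$1" | sed 's/^/  /'
}

# Builds a small constructed patchloader-style file with CRLF line endings,
# to show that the CR stripping gives the same digest as the LF original.
make_sample() {
    payload='--- a/init.example.rc
+++ b/init.example.rc
@@ -1,1 +1,2 @@
 on init
+    start exampleservice'
    sum=$(printf '%s\n' "$payload" | md5sum | cut -d' ' -f1)
    {
        printf '#!/bin/sh\n'
        printf 'PATCH_MD5="%s  -"\n' "$sum"
        printf 'exit\n'
        printf 'PATCHLOADER PAYLOAD START\n'
        printf '%s\n' "$payload"
        printf 'PATCHLOADER PAYLOAD END\n'
    } | awk '{ printf "%s\r\n", $0 }' > "$1"
}

# With an argument: check that file. Without: run on the constructed sample.
if [ "$#" -gt 0 ]; then
    verify_patchloader "$1"
else
    sample=$(mktemp)
    make_sample "$sample"
    verify_patchloader "$sample"
    rm -f "$sample"
fi
```

A match only shows that the payload agrees with the digest carried in the same file, which catches a damaged download, not a deliberately altered one.<br />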
[[Category:Google TV]]</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Hisense_Pulse&diff=2641
Hisense Pulse
2017-01-04T02:16:37Z
<p>Martiniturbide: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:pulse.jpg|200px|left|thumb]]<br />
This page will be dedicated to the hardware specifications, descriptions, and information related to the Hisense Pulse (GX1200V).<br />
<br />
== Purchase ==<br />
Buying Google TV devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next Google TV.<br />
<br />
[http://www.amazon.com/gp/product/B009VXUFLG/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B009VXUFLG Purchase the Hisense Pulse at Amazon]<br />
<br />
== Specs ==<br />
*Marvell Armada 1500(88de3100)<sup>1</sup> 1.2 GHz dual-core processor, with a 750 MHz GPU<sup>2</sup><br />
*1 GB DDR3 Memory <br />
*4 GB Flash NAND<br />
*Single USB Port<br />
*IR Blaster<br />
<br />
== Features ==<br />
*Microphone is in remote, however it does not work yet (software update required -v3 Google TV?)<br />
*Remote is IR / BT: IR in Recovery, BT in normal running mode. It will fall back to IR if the BT signal is lost.<br />
<br />
== Gallery ==<br />
<gallery><br />
File:pulse.jpg<br />
File:Pulse UART Side View.jpg<br />
</gallery><br />
<br />
== Connections / Connectors / Switches ==<br />
*(SPI / JTAG)?<br />
*XP25 - UART (115200 8n1)<br />
*XP21 - Wifi<br />
*USB<br />
*SW1 - Reboot (not populated)<br />
*SW2 - Factory Reset (recovery?)<br />
<br />
== UART Pinout ==<br />
The Hisense Pulse features a serial output that can be accessed. In the initial software version, this dropped directly into a root shell.<br />
<br />
Using a UART/TTL adapter (3.3v), connect wire for wire to the pinout below. There is a connector on the board; you can either route your wires out of the bottom of the box or cut a small hole in the side (next to the USB port). Alternate points are also provided below (for soldering).<br />
<br />
Settings are 115200 8n1, no login or password. You will be dropped to a root shell after bootup.<br />
<br />
{|<br />
|[[File:Pulse UART Side View.jpg|200px|left|thumb|Hisense Pulse UART pinout]] <br />
|[[File:6bitl.jpg|200px|center|thumb|Hisense Pulse Alternate UART pinout (Solder)]]<br />
|}<br />
<br />
== Update History ==<br />
*MASTER.user.hisense.20121122.124750 (BOX_2.22a.C0920_E_release) - Launch version, shipped on the box<br />
*MASTER.user.hisense.20121212.182643 (BOX_2.31a.C1204_E_release) - First OTA (12/31/2012). Removes root. Do not update to this. [http://android.clients.google.com/packages/ota/hisense_gx1200v/de6d381af592.update.zip Download]<br />
<br />
== Pulse Modification Package ==<br />
{|<br />
|[[File:Pulse Superuser prompt.png|250px|thumb|left]]<br />
|When the Hisense Pulse was released, it shipped mostly insecure, with "ro.debuggable" set to 1, which allowed adb to run as root. To make utilizing this a bit easier, we've created a package of the most sought-after modifications with an easy-to-use install script. This is currently patched by the first update the box receives after installation. If you would like to root your device, do not accept this update before performing the steps below.<br />
<br />
'''Package features:'''<br />
* Installs Super Su.apk and su binary to device.<br />
* Patches flash player to allow content to be played from previously blocked websites (Hulu, Fox, CBS, NBC, etc.).<br />
* Disables automatic updates to preserve root (can easily be reversed).<br />
|}<br />
<br />
'''Instructions:'''<br />
The instructions below rely on you already having installed the Android SDK and having easy access to adb.<br />
<br />
# adb connect <IP_OF_YOUR_GTV><br />
# adb root<br />
# adb connect <IP_OF_YOUR_GTV><br />
# adb push location_of_pulse_root.sh /tmp/pulse_root.sh<br />
# adb shell<br />
# In the adb shell prompt, which should currently be displaying a "#" enter the following without quotes: "cd /tmp; sh pulse_root.sh"<br />
# Reboot the device<br />
# After the reboot follow the steps below to modify Chrome's User Agent.<br />
<br />
Modifying Chrome's User Agent<br />
# Open Chrome on the Pulse<br />
# Click the Menu button (Between Web and FN)<br />
# Choose Settings<br />
# Choose Advanced Settings<br />
# Click on "Under the Hood" in the left panel<br />
# Scroll down to the User Agent section and choose "Custom User Agent"<br />
# You can choose "Generic User Agent" if you'd like but we recommend using "Custom User Agent" along with a legitimate PC User Agent such as those found at [http://www.useragentstring.com/pages/Chrome/ UserAgentString.com]<br />
# You're finished, restart the device and enjoy Fox/NBC/CBS/Hulu/Etc.<br />
<br />
'''Download:''' [http://download.gtvhacker.com/file/pulse/pulse_root.zip Pulse Modification Script]<br />
<br />
'''MD5:''' e137a82a0e1e466b7aa5dbc21775d6f1 '''SHA1:''' c70db75e50673786b6bab15dfdd00a3caa072311<br />
<br />
== Links ==<br />
[http://www.amazon.com/gp/product/B009VXUFLG/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B009VXUFLG Amazon Product Description]<br />
<br />
[[Category:Hisense]]<br />
[[Category:Google TV]]</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Sony_NSX-40GT1_(Internet_TV)&diff=2640
Sony NSX-40GT1 (Internet TV)
2017-01-04T02:15:20Z
<p>Martiniturbide: </p>
<hr />
<div>{{Disclaimer}}<br />
[[File:Sony_NSX-40GT1.jpg|250px|left|thumb]]<br />
<br />
==Specs==<br />
* [[Intel Atom CE4170]]<br />
<br />
== Recovery Mode ==<br />
Apeman42 from XDA Developers found [http://forum.xda-developers.com/showthread.php?t=812601 Recovery Menu]<br />
<br />
#Have everything plugged into the unit except the power cord. Have the power cord in your hand.<br />
#Press and hold the power button and plug the unit in.<br />
#Continue to hold down the power button for 3 seconds after plugging it in, then release the power button.<br />
#Wait a couple of seconds and it will say Sony, then you will see the recovery screen.<br />
#After it loads, press and hold the connect button on the unit. Then follow the directions at the bottom of the screen (Press and hold ALT+ENTER) for 8 seconds/until the bottom message changes. It will change back to it saying that you have to press the CONNECT button, but your remote IS connected.<br />
#You can now press the numbers assigned to the commands!<br />
<br />
== Serial Console ==<br />
The Sony NSX series TVs have an easy-open debug port on the back:<br />
<br />
[[File:Nsxgtvport.jpg]]<br />
<br />
Presumably the beige connector is for a custom ribbon cable. The row of four solder pads below it is the UART for ttyS0: GND, RX, TX, 3.3V. If you listen to the TX port while the TV boots up, you'll get a dmesg dump: https://pastee.org/v2ytp . This port echoes characters (if hardware flow control is off) but seems to totally ignore all incoming characters.<br />
<br />
Listening to the UART while going through the recovery mode menu items yields lots of juicy logs: https://pastee.org/ra8np [[nsx-40gt1 uart log]]<br />
<br />
On the ribbon cable connector, number the pins from 1 on the (lower) left side to 18 on the (upper) right side.<br />
<br />
# GND<br />
# ?<br />
# 3.3V (connected to the 4th solder pad)<br />
# N/C<br />
# (connected to the 4th solder pad)<br />
# N/C (Though it is routed to a via)<br />
# ? (normally high, but low during a reset)<br />
# GND<br />
# TX1 (Connected to 3rd solder pad)<br />
# RX1 (Connected to 2nd solder pad)<br />
# N/C<br />
# ? (normally high, but low during a reset)<br />
# ?<br />
# (connected to the 4th solder pad)<br />
# RESET<br />
# ? (high)<br />
# TX2 (bootloader output, 115200/8N1)<br />
# GND<br />
<br />
== USB Update ==<br />
The steps to access recovery mode are listed in the "Recovery Menu" section at the top of this page. Also, a list of Sony OTA downloads can be found [http://gtvhacker.com/index.php/Sony_Update_Downloads#Download_Links here].<br />
<br />
In recovery mode, any USB storage device will be automounted when inserted. If it's inserted at the start of recovery mode, the device will attempt to do a USB update. This executes the following:<br />
<pre><br />
cmd:ls /tmp/mnt/diskb1/package_list_*.zip | head -1 | grep "package_list_"<br />
cmd:/bin/sony/check_version.sh /tmp/mnt/diskb1/package_list_0.zip<br />
</pre><br />
<br />
For a USB update to succeed, the following are necessary (but not sufficient):<br />
# there must be a file matching /package_list_*.zip or else you get the error "find package error: no such a package !"<br />
# the zip must contain a file "system/build.prop" or else you get the error "caution: filename not matched: system/build.prop"<br />
# the zip must contain a file matching "package_list_*.txt" or else you get the error "caution: filename not matched: package_list_*.txt"<br />
# The system/build.prop must have an ro.build.id that is greater than the current values. Otherwise you get an onscreen message saying "USB data is old".<br />
# At '''this''' point, the signature is checked:<br />
<pre> <br />
package update start ! <br />
cmd:/package_update.sh -y -l 0 -p /tmp/mnt/diskb1/package_list_ogm_2.1_2011_asu1<br />
(*) Direct/Interface: Loaded 'PNG' implementation of 'IDirectFBImageProvider'. <br />
dtv_sym_tv_updating.png = w: 1920, h: 1080. <br />
Verifying.. <br />
Error in main(47):Footer Error <br />
Signing Verify Error <br />
Error!! <br />
</pre><br />
<br />
If a valid-looking zipfile on a USB storage device is plugged in when the system goes through a normal boot, it will abort and reboot into the recovery mode.<br />
<br />
== Device Menus ==<br />
Information can be found on the system menus at: [[Sony Settings Menus]]<br />
<br />
== GPL Code ==<br />
Code for the first-gen Sony TVs can be found [http://www.sony.net/Products/Linux/TV/NSX-24GT1.html here].<br />
<br />
<br />
[[Category:Google TV]]<br />
[[Category:Sony NSX-40GT1]]<br />
[[Category:Sony]]</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Template:Disclaimer&diff=2639
Template:Disclaimer
2017-01-04T02:13:06Z
<p>Martiniturbide: </p>
<hr />
<div>"''Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong.''"</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Template:Disclaimer&diff=2638
Template:Disclaimer
2017-01-04T02:11:57Z
<p>Martiniturbide: </p>
<hr />
<div>Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong.</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Logitech_Revue_UART_root&diff=2635
Logitech Revue UART root
2017-01-03T20:24:23Z
<p>Martiniturbide: </p>
<hr />
<div>[[File:Revue-advert.gif|250px|right|thumb]]<br />
{{Revue toc Inline}}<br />
{{Disclaimer}}<br />
[[Category:Logitech Revue]]<br />
<br />
== Updates ==<br />
Updates and other change log notes are available at [[Revue Root Notes]]. Check these out before getting started.<br />
<br />
'''Any previous device updates will disable the UART1 pins necessary for this hack!'''<br />
<br />
== Demonstration video ==<br />
Shows Filesystem access, Apps and the Market, as well as previously blocked websites.<br />
Check it out http://www.youtube.com/user/gtvhacker<br />
<br />
<br />
== The Exploitee.rs Guide to installing applications and rooting your Logitech Revue ==<br />
<br />
This is being brought to you right before CES, we all worked hard and here it is. <br />
<br />
===Features===<br />
<br />
* ADBD running for adb access.<br />
* Custom boot logo.<br />
* Flash Plugin update to allow previously blocked content providers.<br />
* Experimental method to block automatic updates (we would appreciate feedback on this, as we've been unable to confirm its success so far).<br />
<br />
===About the Hack===<br />
<br />
<br />
The reason this is possible is due to the "out of factory" state of the Logitech Revue boxes not disabling the UART port on the board and allowing access to a root shell in recovery mode. After discovering this we were able to reverse the update files and manually upgrade the Revue to the most recent update. The attached files are our output of all the effort put forward by our team. Also as a notice to anyone performing the update, we are not responsible for any harm that may come of your box as an outcome of running our scripts. We will attempt to help you with any issues you may experience and have tried to make the process as safe as possible. Also if you have any suggestions or ideas on how we can make this process better please feel free to drop by our IRC channel and tell us.<br />
<br />
===About Manual Update===<br />
<br />
The manual-update.sh script is our attempt at duplicating the process done by the GTV scripts that update the box in recovery mode. There are also a few miscellaneous tweaks done to assure applications load correctly, backups are made, and that the box doesn't auto-update. Some portions of the script do things such as flash parts of the NAND so make sure you do not short circuit your box or accidentally remove power during the manual-update process.<br />
<br />
===Required Tools===<br />
<br />
* Soldering iron<br />
* USB->TTL or similar board/setup (an Arduino in tristate mode works great)<br />
* 4 wires to attach board to TTL board<br />
* Terminal program (Minicom for Linux or Putty for Windows)<br />
* A USB drive (at least 1 GB, 2+ GB recommended)<br />
<br />
===Hardware Portion===<br />
<br />
In order to complete the root you will need an un-updated box, it seems as if the first or second update to the box closed the serial access hole. If you have a "virgin" box then you are ready to proceed. <br />
<br />
1.) Open your box, there are 4 screws (1 under each of the soft legs on the bottom of the box), the rest of the box un-clips very easily. A better explanation is available at http://www.ifixit.com/Teardown/Logitech-Revue-Teardown/3788/1<br />
<br />
2.) After opening your box you will need to remove the LED bar and look at the top front of the board. Locate the pins labeled UART1. These are the pins you will be soldering to.<br />
<br />
3.) Solder 4 wires to your board. The appropriate pins can be viewed here: http://Exploitee.rs/index.php/File:XJHay.jpg . You MAY only need to solder to TX, RX, and GND.<br />
<br />
4.) Attach wires to appropriate pins on your USB->TTL device<br />
<br />
5.) Connect to the USB->TTL device on your computer using a program like Minicom or Putty. The appropriate settings are 9600 baud, 8n1; make sure flow control is set to none.<br />
<br />
6.) Reboot Revue into recovery mode by holding the pair button on the back of the board until the box shuts down and comes back up. Then press Alt+L (On the revue keyboard, not through the console) until "FORMATING DATA:" shows and stays, a menu should appear shortly after system is done clearing partitions. (More info: [[Logitech_Revue_Technical]])<br />
<br />
7.) If setup is correct so far you should be seeing logcat output through your terminal program (Putty/Minicom). Shortly after you will be presented with a # sign which is your console.<br />
<br />
8.) Proceed to software portion.<br />
<br />
<b>NOTICE: If you have not properly completed step 6 you may risk having the Revue automatically reboot while you are flashing new firmware resulting in a bricked Revue. The video output should show the recovery menu before proceeding to the software portion.</b><br />
<br />
===Software Portion===<br />
<br />
1.) Place all files in manual update on USB (preferably formatted to ext3) device keeping all the files inside of the "updatec99" folder for easiest installation.<br />
<br />
2.) Insert the USB and run the following command for an ext3 USB device "mount -rw -t ext3 /dev/sdb1 /sdcard" substitute ext3 for vfat for a fat32 device (Also remove quotes). If you choose to use a fat32 drive you will probably have problems with Netflix. Please format the drive to ext3 for best results!<br />
<br />
3.) In minicom/putty browse to the /sdcard directory with "cd /sdcard/updatec99".<br />
<br />
4.) Execute the update with the following command "sh manual-update.sh". If you chose a fat32 formatted usb drive you will receive "Permission denied" errors during the chmod process of the manual-update script, this is normal. <br />
<br />
5.) If the process ends prompting "Complete" you are finished and may restart (regardless of the permission denied errors on fat32). You will then have adbd running on your Revue and can connect using "./adb connect LogitechRevue". If the process does not prompt you with "Complete" but some other error you will need to make sure you do not reboot your Revue or it may be bricked. <br />
<br />
You are now complete and free to install applications on your box remotely through adb.<br />
<br />
Note: when booting in normal mode, ''you will not see any console output''. If you want a serial console again, go into recovery.<br />
<br />
===Installing Apps===<br />
After reboot, the Logitech Revue will now be running the [[Android Debug Bridge (adb)]] daemon to allow remote connections on port 5555. If you already have the Android SDK tools installed you are ready to begin installing applications with the standard 'adb install' commands or accessing shell via 'adb shell'.<br />
In case you are not familiar with using the [[Android Debug Bridge (adb)]], the following steps will help you get started:<br />
<br />
1.) Follow the steps outlined [http://developer.android.com/sdk/index.html here] to install the Android 2.1 SDK to the computer you wish to install apps from. Don't worry about USB drivers as you will not be using this with the Revue. (Newer SDK tools should work also, but keep in mind that the Revue is at SDK 7 when building apps.)<br />
<br />
2.) Determine the IP address of your Revue by checking with your DHCP server or viewing 'Network Information' in the Revue Settings app. This will be referred to as <GTV-IP> in subsequent steps.<br />
<br />
3.) Open a shell (i.e. bash/cygwin/dos/etc) on the machine with the SDK installed.<br />
<br />
4.) Verify that the sdk tools directory is in your PATH (Google can help if you don't understand this step.)<br />
<br />
5.) Run 'adb connect <GTV-IP>:5555' and you should see:<br />
$ adb connect 10.10.10.50:5555<br />
connected to 10.10.10.50:5555<br />
<br />
6.) Change to the directory containing the Android packages (APK) you wish to install and run 'adb install app.apk' (where app.apk is the app's filename)<br />
$ adb install Maps.apk<br />
pkg: /data/local/tmp/Maps.apk<br />
Success<br />
1062 KB/s (3993846 bytes in 3.672s)<br />
<br />
7.) If adb did not report any errors, your app should now be available in your Logitech Revue applications list. Please note that some Android apps make use of native code which runs outside of the [http://en.wikipedia.org/wiki/Dalvik_(software) DalvikVM]. These native pieces will need to be rebuilt for the Revue's x86 architecture. Refer to the [http://Exploitee.rs/index.php/GTv-OS_(AndroidTV)#SDK.2FToolchain_Support Toolchain Support] page for help rebuilding native code.<br />
<br />
===Building the code===<br />
<br />
The Exploitee.rs team has a [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip script] to simplify the download/configuration/installation of unofficial NDK/toolchain support which is [http://Exploitee.rs/index.php/GTv-OS_(AndroidTV)#SDK.2FToolchain_Support documented here].<br />
<br />
===Troubleshooting===<br />
<br />
If you experience '''any''' issues, please check the wiki first, as we will be updating it with the most common problems, then visit our IRC or the [http://forum.Exploitee.rs/ Exploitee.rs forums] if the wiki does not assist you. If you stop by IRC to ask a question, please give us time to respond; we are not always at the computer, so there may be times that no one will respond immediately. Also, feel free to send zenofex an email at zenofex at Exploitee.rs with questions.<br />
<br />
===About Us===<br />
This package is brought to you by the Exploitee.rs team over at irc.freenode.net #Exploiteers. <br />
<br />
Exploitee.rs Team Members:<br />
<br />
* [[Zenofex]]<br />
* CJ_000<br />
* [[Craigdroid]]<br />
* Tdweng<br />
<br />
Thanks to everyone in the community who made this all possible. <br />
The Exploitee.rs Team<br />
<br />
== Related Files: ==<br />
<br />
=== Logitech Revue Modified Updates ===<br />
{| border="1" cellspacing="0"<br />
! Version number<br />
! Update link <br />
! Update link 2<br />
! Date<br />
! Features<br />
|-<br />
| [[ Revue Update b54202 | b54202 ]]<br />
| http://www7.zippyshare.com/v/84320220/file.html<br />
| <br />
| 08-25-2011<br />
| <br />
|-<br />
| [[ Revue Update b49116 | b49116 ]]<br />
| http://www.multiupload.com/SSV46RGX44<br />
| <br />
| 04-05-2011<br />
| <br />
|-<br />
| [[ Revue Update b47773 | b47773 ]]<br />
| http://www.multiupload.com/ANOWNDJ4IS<br />
| <br />
| 03-20-2011<br />
| <br />
|-<br />
| [[ Revue Update b42732 | b42732 ]]<br />
| http://www.multiupload.com/NWXIUNZEF3<br />
| <br />
| 01-26-2011<br />
| <br />
|-<br />
| [[ Revue Update b42449 | b42449 ]]<br />
| http://www.multiupload.com/REVEQS6HII<br />
| http://bit.ly/gtvuc99<br />
| 01-05-2011<br />
|<br />
|}<br />
<br />
Script to simplify tool chain and sdk building : [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip Beta1] or [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer-beta2.zip Beta2]<br />
<br />
<br />
[[Category:Logitech]]</div>
Martiniturbide

https://www.Exploitee.rs/index.php?title=Revue_software_root&diff=2634
Revue software root
2017-01-03T20:23:43Z
<p>Martiniturbide: </p>
<hr />
<div>== WARNING ==<br />
The links on this page contain the until now unreleased Revue root. This is being released as a way to allow the more skilled members of the community to look at it. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box. As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”. If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savvy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).<br />
<br />
==About==<br />
[[File:Nandpwn.png|350px|left|border]]<br style="clear: both" /><br />
The Nandpwn package was created by Dan Rosenberg (@djrbliss) with remote testing on Exploitee.rs team member boxes (Dan doesn't actually own a revue). The exploit is highly complex and leverages a world readable device driver left open by Logitech.<br />
<br />
===About nandpwn===<br />
A local privilege escalation exploit for the Logitech Revue that leverages the ability to map the hardware registers of the NAND flash controller in conjunction with a Linux kernel information leak to clobber kernel memory in a way that allows gaining privileges.<br />
<br />
This exploit is highly unstable. Although it has never caused any permanent damage in testing, I take no responsibility if this turns your device into a brick. In addition, it is known to only succeed a fraction of the time, so you will probably have to try it repeatedly, and some of those attempts may cause your device to freeze (which can be solved by a reboot).<br />
<br />
===Exploit Flow===<br />
*Use /dev/devmem to map NAND controller's hardware registers into address space<br />
*Leverage kernel info leak to resolve virtual address of current process' kernel stack<br />
*Write to hardware registers to trigger DMA on top of offset from base of kernel stack<br />
*Since addr_limit is raised (hopefully), can read()/write() to write/read arbitrary kernel memory<br />
*Fixup sysenter_return, overwrite restart_block function pointer to point to payload<br />
*Trigger function pointer to escalate privileges and win!<br />
<br />
===About codesign===<br />
Once you have root, this can be run to disable code signing enforcement so custom kernel modules can be run. No known issues were observed during testing.<br />
<br />
===About blockwrite===<br />
'''NOVICES DO NOT USE!''' Remaps a specified block device as writable at both the MTD and block layers, to allow flashing a replacement. No known issues were observed during testing.<br />
<br />
==Work In Progress==<br />
===Hurdles===<br />
*ADBD designed to never run as root. (Completed)<br />
*Signed /system, /boot, kernel, recovery, bootloader<br />
*nosuid /cache, /data, /sdcard<br />
*nodev /cache, /data, /sdcard<br />
<br />
===Bugs===<br />
*'''Persistence''' - This is unstable and should be seen as more of a POC (proof of concept) than a public release. This exploit is not persistent between boots (which means you will have to run it each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a workaround.<br />
<br />
===Support===<br />
Due to the complexity of the bug and the agreement that this shouldn't currently be used by the public for general-purpose use, neither we nor Dan Rosenberg will be offering support for this package until we have a public release which offers persistence. Even when we do have a package released, Dan will still be too busy to field questions, and any help will need to come from our forums or the #Exploiteers channel on freenode. But just an early warning: if you brick your box, you will either need to purchase and attach a NAND programmer, donate the box to one of us, or accept the fact that you now have an expensive paperweight.<br />
<br />
==Exploiting==<br />
===Required Tools===<br />
*ADB (Android Debug Bridge)<br />
*x86 Compiler<br />
<br />
===Building the code===<br />
We are not posting build instructions: if you are unable to build an x86 binary, you probably shouldn't be attempting this root in the first place.<br />
<br />
===Video===<br />
[http://www.youtube.com/watch?v=mo3IlbpfoFk Video of NandPwn in action]<br />
<br />
===Download===<br />
[https://github.com/djrbliss/revue/tree/master/nandpwn NandPwn] <-- Root Exploit<br />
<br />
[https://github.com/djrbliss/revue/tree/master/codesign Codesign] <-- Enables code Signing<br />
<br />
[https://github.com/djrbliss/revue/tree/master/blockwrite BlockWrite] <-- Allows writing to RO partitions (Beware most partitions are signed, modifications will cause a brick)<br />
<br />
<br />
[[Category:Logitech]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=User:Martiniturbide&diff=2633User:Martiniturbide2017-01-03T20:22:52Z<p>Martiniturbide: </p>
<hr />
<div>Martin Iturbide likes to organize wikis from time to time.<br />
<br />
He is an avid fan of SmartTV's, Android TV and OS/2 Warp. <br />
<br />
[[Category:Contributors]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=User:Martiniturbide&diff=2632User:Martiniturbide2017-01-03T20:22:40Z<p>Martiniturbide: Created page with "Martin Iturbide likes to organizes wikis from time to time. He is an avid fan of SmartTV's and Android TV. Category:Contributors"</p>
<hr />
<div>Martin Iturbide likes to organize wikis from time to time.<br />
<br />
He is an avid fan of SmartTV's and Android TV. <br />
<br />
[[Category:Contributors]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Zenofex&diff=2631Zenofex2017-01-03T20:21:52Z<p>Martiniturbide: </p>
<hr />
<div>'''Member Profile'''<br />
<br />
*XDA/Exploitee.rs Name: Zenofex<br />
*Real Name: Amir Etemadieh<br />
*Email: zenofex [at] Exploitee.rs<br />
*Twitter: [http://www.twitter.com/zenofex zenofex]<br />
*Area of expertise: Hardware Reversing, Exploit development, Software Development<br />
<br />
[[Category:Contributors]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Nest_Hacking&diff=2630Nest Hacking2017-01-03T20:21:12Z<p>Martiniturbide: </p>
<hr />
<div>== Hardware ==<br />
<br />
[https://www.ifixit.com/Teardown/Nest+Learning+Thermostat+2nd+Generation+Teardown/13818 Pictures]<br />
<br />
=== Backplate ===<br />
* ST Microelectronics STM32L151VB ultra-low-power 32 MHz ARM Cortex-M3 MCU<br />
* Sensirion SHT20 humidity and temperature sensor<br />
* Texas Instruments LW051A 8-channel CMOS analog multiplexer/demultiplexer<br />
<br />
=== Display ===<br />
* Texas Instruments AM3703CUS Sitara ARM Cortex A8 microprocessor<br />
* Texas Instruments TPS65921B power management and USB single chip<br />
* Samsung K4X51163PK 512 Mb mobile DRAM<br />
* Ember EM357 integrated ZigBee/802.15.4 system-on-chip<br />
* Micron MT29F2G16ABBEAH4 2 Gb NAND flash memory<br />
* Skyworks 2436L high power 2.4 GHz 802.15.4 front-end module<br />
* Texas Instruments WL1270B 802.11 b/g/n Wi-Fi solution<br />
* Avago ADBM-A350 optical finger navigation module (knob movement sensor)<br />
<br />
== Info ==<br />
* /dev/event1 is the knob; /dev/event2 is the button<br />
* /sys/class/hwmon/hwmon0/device/in0_battery_type * 0.003 is battery voltage<br />
** Nest turns off wifi below 3.7 V, and waits until 3.8 V to automatically reconnect<br />
* Display serial number is located in U-Boot environment variable "serial#"<br />
<br />
== Nest software ==<br />
/nestlabs/sbin/nlclient -config /nestlabs/etc/client.config -config /nestlabs/etc/Display/Display-2/client.config<br />
<br />
=== Backplate communications ===<br />
Backplate communications can be decoded from a (filtered) strace log using [http://luke.dashjr.org/programs/freeabode/kindling/NestDecode.pl NestDecode.pl], or decoded in real time using [http://luke.dashjr.org/programs/freeabode/kindling/nest-intercept.c nest-intercept.c].<br />
<br />
nest-intercept.c requires one argument, the thread id reading from the backplate controller.<br />
The easiest way to get this is to strace the nlclient process with -ff and look for a thread reading from fd 54.<br />
<br />
Note that nest-intercept.c also has a "hack" variable which can be set to 0 (default is 2) in order to corrupt the TFE version response and trigger nlclient into uploading the firmware again.<br />
<br />
=== Backplate firmware ===<br />
Found in /nestlabs/share/bp/data/firmware/nlbpfirmware.plist<br />
<br />
There are 12 different firmwares in the file:<br />
* Test vs Production<br />
* Backplate 2 vs Backplate 3<br />
* TFE (BP_D2 for Bp2, AMBER_BP for Bp3) vs BSL<br />
* For TFE firmwares, hex vs srec (which for some reason DO differ!)<br />
<br />
Python script to extract them into individual files: [http://luke.dashjr.org/programs/freeabode/kindling/extract-fw.py extract-fw.py]<br />
<br />
=== Backplate initialisation ===<br />
When the backplate is first connected, the following sequence occurs:<br />
tcflush(fd, TCIFLUSH)<br />
Set baud to 115200 (-opost -isig -icanon -echo ...)<br />
tcflush(fd, TCIOFLUSH)<br />
tcsendbreak(fd, 1)<br />
Send [[#Reset|00ff - Reset]]<br />
Recv 0001 - (message from backplate; ASCII)<br />
Recv [[#FET presence|0004 - FET presence]]<br />
Recv [[#FET presence|0009 - FET presence]]<br />
Send [[#FET presence|008f - FET presence]]<br />
Send [[#Periodic status|0083 - Periodic status request]]<br />
Send 0090 - get Mono/TFE id (no data; response 0010 with 3 bytes)<br />
Recv 0001 - (message from backplate; ASCII)<br />
Recv 0001 - (message from backplate; ASCII)<br />
Recv 0010 - (24-bit data)<br />
Send [[#Get Mono/TFE version|0098 - Get Mono/TFE version]]<br />
Recv 000a - (every second; 16-bit data)<br />
Recv 0007 - (every second; 16-bit data)<br />
Recv [[#Get Mono/TFE version|0018 - Get Mono/TFE version (response)]]<br />
Send [[#Get Mono/TFE build info|0099 - Get Mono/TFE build info]]<br />
Recv [[#Get Mono/TFE build info|0019 - Get Mono/TFE build info (response)]]<br />
Sometimes:<br />
Send 009d - get BSL id (no data; responds with 001d)<br />
Recv 001d - bsl id (response to 009d; 16-bit data)<br />
Sometimes:<br />
Send [[#Get BSL version|009b - Get BSL version]]<br />
Recv [[#Get BSL version|001b - Get BSL version (response)]]<br />
Sometimes:<br />
Send 009c - get BSL info (no data; responds with 001c (constant?) data="BSL")<br />
Recv 001c - Response to 009c; always(?) "BSL"<br />
Send [[#Get serial number|009f - Get serial number]]<br />
Recv [[#Get serial number|001f - Get serial number (response)]]<br />
Send [[#Get hardware version|009e - Get hardware version]]<br />
Recv [[#Get hardware version|001e - Get hardware version (response)]]<br />
<br />
== Nest backplate interface ==<br />
* Connected on /dev/ttyO2<br />
* All communications with backplate begin with (d5)d5aa96 (d5 is doubled only for data FROM backplate)<br />
* Everything is little endian<br />
* 16-bit command<br />
* 16-bit data length<br />
* <data><br />
* 16-bit checksum<br />
<br />
Monitor:<br />
strace -ff -p $(pidof nlclient) -x -s9999 -e read,write 2>&1 | grep '(54'<br />
<br />
NOTE: Most of this documentation is reverse engineered from firmware version BSL-2.1 and/or TFE_BP_D2-4.0.21 for Backplate-2.x.<br />
<br />
=== Checksum ===<br />
<Bytes-from-end>.<bit-value> <xor-with><br />
00.01 2110 (1021)<br />
00.02 4220 (2042: 1021<<1)<br />
 00.04 8440 (4084: 2042<<1)<br />
00.08 0881 (8108: 4084<<1)<br />
00.10 3112 (1231: 8108<<1^1021)<br />
00.20 6224 (2462: 1231<<1)<br />
00.40 c448 (48c4: 2462<<1)<br />
00.80 8891 (9188: 48c4<<1)<br />
01.01 3133 (3313: 9188<<1^1021)<br />
01.02 6266<br />
01.04 c4cc<br />
01.08 a989<br />
01.10 7303<br />
01.20 e606<br />
01.40 cc0d<br />
01.80 981b<br />
02.01 3037<br />
02.02 606e<br />
...<br />
03.01 b476<br />
03.02 68ed<br />
03.04 f1ca<br />
03.08 c385<br />
03.10 a71b<br />
03.20 4e37<br />
03.40 9c6e<br />
03.80 38dd<br />
...<br />
07.20 687b<br />
<br />
Computing the contribution of each individual bit change in the data yields the XOR table above: byte offset from the end of the data, bit value, and XOR value. Correcting for little-endianness in the output gives the hex values in parentheses. The least significant bit contributes 0x1021, and each subsequent bit is the previous value shifted left by one; if the previous value had the 0x8000 bit set, the shifted result is also XORed with 0x1021. This is the CRC-CCITT polynomial.<br />
<br />
8 7 6 5 4 3 2 1 0<br />
d5 aa 96 82 00 02 00 00 00: 08b2<br />
|| |<br />
|| 68ed<br />
|408b<br />
20d4<br />
<br />
08b2: 68ed ^ 408b ^ 20d4<br />
<br />
Starting at the least significant bit and filling in the XOR values for each bit gives the above diagram; the diagram stops at the 20d4 XOR value because at that point it matches the final CRC. This tells us that the CRC covers the 6 bytes prior.<br />
<br />
#!/usr/bin/env perl<br />
use Digest::CRC qw(crc);<br />
my $data = pack("H*", "820002000000");<br />
printf("%04x\n", crc($data,16,0,0,0,0x1021,0,0));<br />
<br />
The Perl snippet above computes the same CRC; note that the result will be byte-swapped, since the data encodes the number as little endian.<br />
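<br />
The frame layout and checksum described above, combined into a decoder for captured backplate traffic. This is an added example in Python, not code from the original page or from NestDecode.pl; the temperature frame and the noise bytes in the sample are constructed, and reading the 0002 values as unsigned is an assumption.<br />

```python
import struct

PREAMBLE = bytes.fromhex("d5aa96")  # frames from the backplate carry one extra leading d5
# Wire id numbers as listed in the page's FET control table.
WIRES = {0x00: "W1", 0x01: "Y1", 0x02: "G", 0x03: "OB", 0x04: "W2", 0x07: "Y2", 0x0B: "*"}


def crc16_ccitt(data):
    """CRC-CCITT as derived on the page: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def build_frame(command, data=b"", from_backplate=False):
    """Assemble a frame; used here only to construct sample input."""
    body = struct.pack("<HH", command, len(data)) + data
    lead = b"\xd5" if from_backplate else b""
    return lead + PREAMBLE + body + struct.pack("<H", crc16_ccitt(body))


def parse_frames(stream):
    """Scan a captured byte stream and return one record per frame candidate."""
    frames, pos, floor = [], 0, 0
    while True:
        start = stream.find(PREAMBLE, pos)
        if start < 0 or start + 7 > len(stream):
            break  # no preamble left, or not enough bytes for command + length
        command, length = struct.unpack_from("<HH", stream, start + 3)
        end = start + 7 + length + 2
        if end > len(stream):
            pos = start + 1  # implausible length or truncated capture: resynchronise
            continue
        body = stream[start + 3:end - 2]  # the checksum covers command, length and data
        (wire_crc,) = struct.unpack_from("<H", stream, end - 2)
        crc_ok = wire_crc == crc16_ccitt(body)
        frames.append({
            "offset": start,
            "from_backplate": start > floor and stream[start - 1] == 0xD5,
            "command": command,
            "data": body[4:],
            "crc_ok": crc_ok,
        })
        if crc_ok:
            pos = floor = end
        else:
            pos = start + 3  # do not trust the length field of a damaged frame
    return frames


def describe(frame):
    """Render the message types whose payload layout the page documents."""
    cmd, data = frame["command"], frame["data"]
    if not frame["crc_ok"]:
        return "bad checksum"
    if cmd == 0x0082 and len(data) == 2:
        wire = WIRES.get(data[0], "id %#04x" % data[0])
        return "FET %s %s" % (wire, "on" if data[1] else "off")
    if cmd == 0x0002 and len(data) == 4:
        # Signedness is not stated on the page; unsigned is assumed here.
        centi_c, per_mille = struct.unpack("<HH", data)
        return "temperature %.2f C, humidity %.1f %%" % (centi_c / 100, per_mille / 10)
    if cmd == 0x0001:
        return "message %r" % data.decode("ascii", "replace")
    return "command %04x, %d data bytes" % (cmd, len(data))


def sample_stream():
    """Constructed capture: one frame from the page, one built frame, noise, one damaged frame."""
    w1_on = bytes.fromhex("d5aa9682000200000129a2")        # "Turn on W1" from the page
    temp = build_frame(0x0002, struct.pack("<HH", 2150, 412), from_backplate=True)
    damaged = bytearray(bytes.fromhex("d5aa968200020002006ad4"))  # "Turn off G" from the page
    damaged[8] ^= 0x01                                      # flip the state byte, keep the old CRC
    return w1_on + temp + b"\x00\xff" + bytes(damaged)


if __name__ == "__main__":
    for f in parse_frames(sample_stream()):
        direction = "backplate->display" if f["from_backplate"] else "display->backplate"
        print("%4d  %s  %s" % (f["offset"], direction, describe(f)))
```
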
<br />
=== Command ids ===<br />
<br />
==== Display to backplate ====<br />
[[#FET control|0082 - FET control]]<br />
[[#Periodic status|0083 - Periodic status request]]<br />
[[#FET presence|008f - FET presence]]<br />
0090 - get Mono/TFE id (no data; response 0010 with 3 bytes)<br />
[[#Backplate firmware upload|0091 - Backplate firmware upload (start)]]<br />
[[#Backplate firmware upload|0092 - Backplate firmware upload]]<br />
[[#Backplate firmware upload|0093 - Backplate firmware upload (finish)]]<br />
[[#Get Mono/TFE version|0098 - Get Mono/TFE version]]<br />
[[#Get Mono/TFE build info|0099 - Get Mono/TFE build info]]<br />
[[#Get BSL version|009b - Get BSL version]]<br />
009c - get BSL info (no data; responds with 001c (constant?) data="BSL")<br />
009d - get BSL id (no data; responds with 001d)<br />
[[#Get hardware version|009e - Get hardware version]]<br />
[[#Get serial number|009f - Get serial number]]<br />
00a1 - quiet (16-bit max sleep seconds)<br />
[[#"Buffers"|00a2 - Request "buffers" (every 30 seconds; no data; triggers [0025] [0027] 0022 0023 [0029] [002b] 000c 002f)]]<br />
[[#"Buffers"|00a3 - ACK to 002f (no data)]]<br />
00a4 - set wakeup mask (16-bit data)<br />
00b1 - "temperature lock" (sent when button pressed/unpressed; no data)<br />
00b3 - set humidity thresholds (32-bit data)<br />
00b5 - set near pir threshold (16-bit data)<br />
00b7 - set pir thresholds (??? data)<br />
00b8 - set proximity thresholds (??? data)<br />
00b9 - set als thresholds (32-bit data)<br />
00ba - set vergence mode (48-bit data)<br />
00c2 - set wakeup temperatures (48-bit data)<br />
00c3 - set temp comp mode request (??? data)<br />
00fe - DEBUG MODE<br />
[[#Reset|00ff - Reset]]<br />
<br />
==== Backplate to display ====<br />
0001 - (message from backplate; ASCII)<br />
[[#Temperature reading|0002 - Temperature reading (twice every 30 seconds; 32-bit data)]]<br />
[[#FET presence|0004 - FET presence]]<br />
0005 - pir? (32-bit data)<br />
0006 - "ack switch" (data: 8-bit switch id, 8-bit state)<br />
0007 - near pid? (every second; 16-bit data)<br />
0008 - proximity?<br />
[[#FET presence|0009 - FET presence]]<br />
000a - als? (every second; 2x(?) 16-bit data)<br />
[[#Backplate state|000b - Backplate state]]<br />
000c - sensor? (16-bit values: pir, px1, px1 divisor, px2, px2 divisor, alir, av; included in [[#"Buffers"|"buffers" data]])<br />
000e - power?<br />
0010 - (24-bit data)<br />
[[#Backplate firmware upload|0011 - Backplate firmware upload (ACK)]]<br />
0012 - ?<br />
0013 - "Wakeup"?<br />
0014 - "WakeVector" (16-bit data)<br />
[[#Get Mono/TFE version|0018 - Get Mono/TFE version (response)]]<br />
[[#Get Mono/TFE build info|0019 - Get Mono/TFE build info (response)]]<br />
[[#Get BSL version|001b - Get BSL version (response)]]<br />
001c - Response to 009c; always(?) "BSL"<br />
001d - bsl id (response to 009d; 16-bit data)<br />
[[#Get hardware version|001e - Get hardware version (response)]]<br />
[[#Get serial number|001f - Get serial number (response)]]<br />
[[#"Buffers"|0022 - buffered temperature reading (possibly multiple times)]]<br />
[[#"Buffers"|0023 - BufferedSourceTemperature (3x 16-bit data; possibly multiple times)]]<br />
[[#"Buffers"|0025 - BufferedNearPir (16-bit data; possibly multiple times)]]<br />
[[#"Buffers"|0027 - BufferedPassiveInfrared (64-bit data; possibly multiple times)]]<br />
[[#"Buffers"|0029 - BufferedAmbientLightSensor (48-bit data; likely 3x 16-bit; possibly multiple times)]]<br />
[[#"Buffers"|002b - BufferedPowerData (64-bit data; possibly multiple times)]]<br />
[[#"Buffers"|002f - End of "buffers" (16-bit data)]]<br />
<br />
=== Backplate firmware upload ===<br />
For uploading the firmware, the following sequence is used:<br />
Send 0091 data=0000<firmware type><br />
Recv 0011 data=0000<br />
Send 0092 data=0100...<br />
Recv 0011 data=0100<br />
Send 0092 data=0200...<br />
Recv 0011 data=0200<br />
...<br />
Send 0092 data=a901...<br />
Recv 0011 data=a901<br />
Send 0093 data=aa01<br />
Recv 0011 data=aa01<br />
Following the upload, the [[#Backplate initialisation|backplate initialisation process]] begins immediately (that is, without message 00ff being sent to order a reset).<br />
Presumably the 0011 message is an ACK, and the first 16 bits of each message is the line number.<br />
The format itself appears to be Motorola S-record (SREC).<br />
Uploading the BSL firmware was followed by the TFE firmware, so it may be required (though uploading the TFE firmware does ''not'' require uploading the BSL).<br />
<br />
Firmware type is either 4d for TFE or 42 for BSL.<br />
<br />
=== Backplate state ===<br />
Data:<br />
* 8-bit "state"<br />
* 8-bit "flags"<br />
** Bit 0x40 = charger off (?)<br />
* 8-bit "px0" (may be wider?)<br />
* ? 16-bit "sw" fraction (0800 = 08/00)<br />
* ? 8-bit "p2"<br />
* ? 16-bit "voc"<br />
* 16-bit centi-volts "vi"<br />
* 16-bit milli-volts "vo"<br />
* 16-bit milli-volts "vb"<br />
* 8-bit "pins"<br />
* 8-bit "wires"<br />
<br />
=== "Buffers" ===<br />
The 00a2 message requests that the backplate send the contents of various "buffers", which are returned in messages [0025], [0027], 0022, 0023, [0029], and [002b] (empty ones will NOT be sent; brackets indicate commonly-empty buffers).<br />
00a2 also triggers 000c immediately following these.<br />
After all the buffers (including 000c) have been sent, the message 002f indicates "end of buffers".<br />
The display is then expected to acknowledge it with message 00a3.<br />
<br />
Buffers:<br />
[[#Temperature reading|0022 - Temperature reading]]<br />
0023 - BufferedSourceTemperature (not sure what that means)<br />
0025 - BufferedNearPir<br />
0027 - BufferedPassiveInfrared<br />
0029 - BufferedAmbientLightSensor<br />
002b - BufferedPowerData<br />
<br />
=== FET control ===<br />
Turn on W1: d5aa96 8200 0200 00 01 29a2<br />
Turn off W1: d5aa96 8200 0200 00 00 08b2<br />
Turn on Y1: d5aa96 8200 0200 01 01 1891<br />
Turn off Y1: d5aa96 8200 0200 01 00 3981<br />
Turn on G : d5aa96 8200 0200 02 01 4bc4<br />
Turn off G : d5aa96 8200 0200 02 00 6ad4<br />
Turn on OB: d5aa96 8200 0200 03 01 7af7<br />
Turn off OB: d5aa96 8200 0200 03 00 5be7<br />
Turn on W2: d5aa96 8200 0200 04 01 ed6e<br />
Turn off W2: d5aa96 8200 0200 04 00 cc7e<br />
Turn on Y2: d5aa96 8200 0200 07 01 be3b<br />
Turn off Y2: d5aa96 8200 0200 07 00 9f2b<br />
Turn on * : d5aa96 8200 0200 0b 01 d37e<br />
Turn off * : d5aa96 8200 0200 0b 00 f26e<br />
<br />
For the sake of documentation, we will refer to the unique id numbers for each wire as "wire id numbers".<br />
So wire id 0 is W1, wire id 1 is Y1, wire id B is *, etc.<br />
<br />
=== FET presence ===<br />
The backplate will, at least upon connection, send information about which FETs have a wire present.<br />
This data is received with command ids 0004 and 0009, in that order.<br />
Each sensor is represented by one byte which is either 00 (not present) or 01 (present).<br />
<br />
The content of 0004 is in order of the "wire id numbers" used for control:<br />
W1, Y1, G, OB, W2, ?0, ?0, Y2, C, RC, ?0, *, ?0<br />
<br />
The content of 0009 is arranged differently and has 2 more values:<br />
W1, Y1, C, RC, ?0, G, OB, W2, ?0, Y2, ?0, *, ?0, ?0, ?0<br />
<br />
0009 seems to indicate a wire is physically plugged in, while 0004 indicates that it is connected to something (?).<br />
<br />
After these are received, the display sends back command 008f with the exact data from message 0004.<br />
Message 008f does not itself receive any response.<br />
<br />
In a power outage condition, 0004 will report all absent (including unknown ones), whereas 0009 will continue to report the same as when power is available.<br />
<br />
=== Get Mono/TFE build info ===<br />
Message 0099 (no data) requests the backplate report information about its build.<br />
The response will be message 0019 in ASCII (one line, no trailing newline).<br />
<br />
=== Get hardware version ===<br />
Message 009e (no data) requests the backplate report a "Backplate-"X.Y version string.<br />
Since the firmware file on the display CPU uses these strings as "MinApplicability" and "MaxApplicability" ranges, it is probable they refer to the hardware.<br />
<br />
Witnessed versions:<br />
"Backplate-2.8" - Florida Lowes<br />
<br />
=== Get BSL version ===<br />
Message 009b (no data) requests the backplate report its BSL version number.<br />
The response will be message 001b in ASCII.<br />
<br />
=== Get Mono/TFE version ===<br />
Message 0098 (no data) requests the backplate report its TFE version number.<br />
The response will be message 0018 in ASCII.<br />
<br />
=== Get serial number ===<br />
Message 009f (no data) requests the backplate report its serial number (a 64-bit hexadecimal value).<br />
The response will be message 001f in uppercase ASCII.<br />
<br />
=== Periodic status ===<br />
Sending message 0083 (no data) will trigger various periodic messages:<br />
[[#Temperature reading|0002 - Temperature reading (twice every 30 seconds; 32-bit data)]]<br />
0005 - (32-bit data)<br />
0007 - (every second; 16-bit data)<br />
000a - (every second; 16-bit data)<br />
<br />
The Nest client sends 0083 every 30 seconds, but at least the periodic temperature status will continue on for an hour before stopping.<br />
<br />
=== Power management ===<br />
Wake vector bits:<br />
0001 - timer<br />
0002 - buffers full<br />
0004 - temperature<br />
0008 - pir<br />
0010 - proximity<br />
0020 - humidity<br />
0040 - near pir<br />
0080 - als<br />
0100 - "vbat"<br />
0200 - "vergence"<br />
<br />
=== Temperature reading ===<br />
The backplate will send message 0002 every 30 seconds.<br />
The data contains two 16-bit numbers, which nlclient logs in decimal.<br />
The first number is the temperature in centi-Celsius.<br />
The second number is the humidity in per-millis.<br />
<br />
See also: [[#"Buffers"|"Buffers"]]<br />
<br />
=== Reset ===<br />
At least upon connection, the display sends message 00ff to the backplate to reset.<br />
<br />
The backplate answers with:<br />
0001 msg "<version> <build timestamp "YYYY-MM-DD HH:MM:SS"> K"<br />
[[#FET presence|0004 FET presence]]<br />
[[#FET presence|0009 FET presence]]<br />
0001 msg "*sense 06d1 06d0 0001 0001 0000 0000 0000 0001 06d9 06d8 06d8; detect 09d3 065c"<br />
0001 msg "BRK"<br />
<br />
== Run BeagleBone/Debian programs ==<br />
ln -s . /lib/arm-linux-gnueabihf<br />
ln -s ld-2.11.1.so /lib/ld-linux-armhf.so.3<br />
<br />
[[Category:Google]]<br />
[[Category:Nest]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Exploiting_Key_Signing_for_Root&diff=2629Exploiting Key Signing for Root2017-01-03T20:20:35Z<p>Martiniturbide: </p>
<hr />
<div>== About ==<br />
A detailed analysis of the bug being exploited and its origination can be found on [[http://www.saurik.com/id/17 Saurik's Blog]].<br />
<br />
== Devices ==<br />
This bug is present in all Google TV devices,<strike> unfortunately it can only be leveraged for root in some. Below is a list of devices that are confirmed to get root and the remaining only get system privileges.</strike><br />
<br />
'''Update''': Cydia Impactor now provides every Google TV device a form of root. The only difference is persistence: on some devices the exploit will need to be performed each time root is needed. On others, Superuser.apk is provided and the exploit will only need to be done once.<br />
<br />
The exploit will need to be run whenever root is needed on these devices:<br />
* Logitech Revue<br />
* Sony NSZ-GS7/8<br />
<br />
The exploit will allow for persistent root on these devices:<br />
* All other Google TV devices.<br />
<br />
== Warnings ==<br />
* This will definitely void your warranty; if you want to keep your warranty, please do not do any of the steps in this guide.<br />
* This may brick your GTV. It shouldn't, but it still might!<br />
<br />
== Tools Needed ==<br />
*A vulnerable Google TV device.<br />
*Cydia Impactor (download link at bottom of page)<br />
*Google TV Modification Package<br />
<br />
== Pre-Setup ==<br />
<br />
#Download Cydia Impactor below<br />
#Download Google TV Modification Package below<br />
#Unzip Google TV Modification Package.<br />
<br />
== Persistent Root Steps (For GTV devices other than Sony or Logitech) ==<br />
# Set up your Google TV device to allow a connection from the PC you are going to be connecting from. This can be done by going into the Settings menu, clicking Applications, and then selecting the development option. Inside the development section you should see a place to change the "Debugger IP"; set this field to the IP address of your computer.<br />
# Launch Cydia Impactor<br />
# Connect your PC to Impactor by going to "Bridge" and then "Connect" in the file menu.<br />
# Enter the IP address of your Google TV in the "Bridge Connect" input box and press OK. (If successful, a dialog will prompt that you are connected.) Click OK.<br />
# Select "echo ro.kernel.qemu=1 > /data/local.prop" from the drop down menu and click start. If the command executes successfully, you may proceed; if not, troubleshoot your connection and try again.<br />
# Reboot your Google TV by going to "Device" then "Reboot" from the Cydia Impactor file menu.<br />
# Reconnect to your Google TV by repeating steps 3 and 4 above.<br />
# In the Cydia Impactor file menu, choose "Device" then "Run Program".<br />
# Select the "gtv_mod_pkg.sh" file extracted in the pre-setup.<br />
# When the process is complete a dialogue box will display. Click OK.<br />
# Finally, in Cydia Impactor go to "Device" then "Reboot" to reboot your Google TV device for the final time.<br />
# Your Google TV device is now rooted!<br />
<br />
* In order to get the content bypass portion working you still will need to change your user agent. This process is described on the [[http://gtvhacker.com/index.php/I%27ve_rooted..._now_what%3F!#Make_CBS.2C_hulu.2C_etc_work I've rooted... now what?!]] page.<br />
<br />
== Non-Persistent Root Steps (For Logitech and Sony users) ==<br />
# Set up your Google TV device to allow a connection from the PC you are going to be connecting from. This can be done by going into the Settings menu, clicking Applications, and then selecting the development option. Inside the development section you should see a place to change the "Debugger IP"; set this field to the IP address of your computer.<br />
# Launch Cydia Impactor<br />
# Connect your PC to Impactor by going to "Bridge" and then "Connect" in the file menu.<br />
# Enter the IP address of your Google TV in the "Bridge Connect" input box and press OK. (If successful, a dialog will prompt that you are connected.) Click OK.<br />
# Select "/data/local/tmp/busybox telnetd -p 8899 -l sh" from the drop down menu and click start. If the command executes successfully, you may proceed; if not, troubleshoot your connection and try again.<br />
# On the Cydia Impactor file menu, choose "Device" then "Open Shell..."<br />
# In the terminal window type: "/data/local/tmp/busybox telnet localhost 8899"<br />
# If everything went as planned, you should be staring at a "#", type "id" to confirm root id.<br />
<br />
* This method does not provide a read/write file system which prevents current mods like our "Content Provider Bypass".<br />
<br />
== Known Issues ==<br />
* There are times where ADB hangs when connecting to the box, you can either wait the 90 seconds for the operation to time out or you can restart Cydia Impactor and try again.<br />
* If you are experiencing issues connecting to your device, you may want to verify that the IP address on your machine correctly matches the one white-listed on your Google TV.<br />
* If you do not see the "Bridge" or "Device" file menu, you may need to update "Cydia Impactor" which can be done by going to "File" then "Check For Updates"<br />
* If the process for you fails at step 8, there's a possibility that your device cannot leverage the key signing vulnerability for root. This is due to the device not processing the prop placed in /data/local.prop<br />
<br />
== Troubleshooting ==<br />
<br />
*You can get help from us or other users at:<br />
<br />
[http://forum.Exploitee.rs/gtv-guides/topic1454.html Exploitee.rs Forums]<br />
<br />
[http://Exploitee.rs Exploitee.rs Wiki]<br />
<br />
*or you can chat with us on IRC at:<br />
<br />
irc.freenode.net #Exploiteers<br />
<br />
[http://webchat.freenode.net/?randomnick=1&channels=Exploiteers&uio=d4 Freenode Webchat]<br />
<br />
(Someone may not be around right away to help, make sure to be willing to wait for a response)<br />
<br />
== Download ==<br />
<br />
'''Cydia Impactor:'''<br />
[[https://cydia.saurik.com/api/latest/1 Mac OS X]] or [[https://cydia.saurik.com/api/latest/2 Windows]]<br />
<br />
'''Google TV Modification Package'''<br />
[[http://download.Exploitee.rs/file/generic/GTV_Mod_Pkg.zip Exploitee.rs Download Site]]<br />
<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=GTv-OS_(AndroidTV)&diff=2628GTv-OS (AndroidTV)2017-01-03T17:04:14Z<p>Martiniturbide: </p>
<hr />
<div>{{Revue toc Inline}}<br />
<br />
== Overview ==<br />
The Google TV operating system is based on Android 2.1 on a [http://googletv-mirrored-source.googlecode.com/hg/linux/linux-2.6.23-gtv.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 Linux 2.6.23 based kernel]. The system enables security features such as an NX (Non eXecutable) stack and a [http://en.wikipedia.org/wiki/Chroot chrooted] Chrome. Also making things difficult is the operating system's ability to push automatic updates without user intervention.<br />
<br />
The operating system currently provides the following "stock" applications:<br />
<br />
*CNBC Real-Time<br />
*Gallery<br />
*Google Chrome<br />
*Logitech Help Assistant (Logitech Only)<br />
*Logitech Media Player (Logitech Only)<br />
*Logitech Vid HD (Logitech Only)<br />
*Napster<br />
*NBA Game Time<br />
*Netflix<br />
*Pandora<br />
*Settings<br />
*TV<br />
*Twitter<br />
<br />
GPL'd portions of the Google TV source can be found [http://code.google.com/p/googletv-mirrored-source/ here]<br />
<br />
== SDK/Toolchain Support ==<br />
<br />
The [http://googletv-mirrored-source.googlecode.com/hg/intel-sdk/intel-sdk-toolchain.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 Intel SDK Toolchain] is available as part of Google's GPL release for the Google TV. The toolchain is required to compile code to run on the Linux operating system of the Logitech Revue. (Sony devices as well as other future devices are most likely also compatible with this toolchain but since we don't have these products to root we don't know yet.)<br />
<br />
We have not yet documented a complete list of required dependencies but here are a few packages which might come in handy:<br />
*texinfo (we encountered some issues with certain supposedly supported versions of makeinfo but updating texinfo resolved this on most systems)<br />
*flex<br />
*bison<br />
*gawk -- Please note that some Ubuntu installs have mawk rather than the GNU awk (gawk); mawk is not compatible with the awk scripts in the Intel SDK<br />
*patch<br />
*gcc et al<br />
*build-essential (Ubuntu)<br />
<br />
To simplify the toolchain setup, [[craigdroid]] created [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip this script] which simplifies the process of configuring a build system. After preparing the toolchain you will want to run the following commands (which are demo'd in the script) to establish your environment:<br />
<pre><br />
export CROSS_COMPILE=i686-cm-linux-<br />
export LD_LIBRARY_PATH=~/googletv/sdk/i686-linux-elf/lib<br />
export PATH=$PATH:~/googletv/sdk/i686-linux-elf/bin/<br />
</pre><br />
<br />
== NDK Support ==<br />
<br />
Although at present Google has not released a proper NDK for the platform, the Exploitee.rs team have combined the Intel SDK Toolchain from the [http://code.google.com/p/googletv-mirrored-source/ Google TV Mirrored Source site] with the work of the [http://www.android-x86.org/ Android x86] project to provide unofficial support in the interim.<br />
<br />
The entire process of setting up unofficial NDK support has been simplified into an [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip easy to use script] by craigdroid. The script has been tested on a few of our systems running CentOS 5.4 32-bit, as well as 32-bit and 64-bit editions of Ubuntu. <br />
<br />
Since this builds the Intel toolchain automatically, all of the caveats regarding the Intel SDK Toolchain apply here as well.<br />
<br />
To automatically download, build and configure NDK support, first save yourself some time and check the dependencies list in the SDK/Toolchain Support section, then run the following from any user's shell:<br />
<pre><br />
wget http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip && unzip gtvhacker-NDK-installer.zip && ./gtvhacker-NDK-installer.sh<br />
</pre><br />
<br />
This will install the NDK to ~/googletv/ndk/ for the current user. Some guidance on how to use the NDK is provided upon completion of successful script execution.<br />
<br />
== Support For USB Serial Converters ==<br />
<br />
The [http://googletv-mirrored-source.googlecode.com/hg/linux/linux-2.6.23-gtv.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 published kernel] from the [http://code.google.com/p/googletv-mirrored-source/ Google TV Mirrored Source site] is configured with built-in support for FTDI single-interface USB serial adapters as a serial console.<br />
<pre><br />
#<br />
# USB Serial Converter support<br />
#<br />
CONFIG_USB_SERIAL=y<br />
CONFIG_USB_SERIAL_CONSOLE=y<br />
CONFIG_USB_SERIAL_GENERIC=y<br />
CONFIG_USB_SERIAL_FTDI_SIO=y<br />
</pre><br />
<br />
This configuration has been verified via the proc.gz file of a Logitech Revue at its latest firmware revision (using the BreakVue hack). Here is the [http://pastie.org/1437422 complete kernel configuration].<br />
<br />
Please note however that by default init does not appear to run a shell on this console. This is the only adapter which we have identified to have built-in driver support.<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=GoogleTV_-_Version_Numbers&diff=2627GoogleTV - Version Numbers2017-01-03T17:03:23Z<p>Martiniturbide: </p>
<hr />
<div>Google TV Version numbers are unique per device.<br />
<br />
== How to determine my Version Number ==<br />
<br />
== Known Released Version Numbers ==<br />
=== Logitech Revue ===<br />
{| border="1" cellspacing="0"<br />
! Version number<br />
! ID<br />
! Date first seen<br />
! Update link<br />
! Announcement<br />
|-<br />
| [[ Revue Update b39389 | b39389 ]]<br />
|<br />
| unknown<br />
| http://android.clients.google.com/packages/ota/logitech_ka/439c26f6af05.mp-signed-ota_update-b39389.zip<br />
|<br />
|- <br />
| [[ Revue Update b39953| b39953]] <br />
|<br />
| unknown<br />
| http://android.clients.google.com/packages/ota/logitech_ka/52057d168e2b.mp-signed-ota_update-b39953.zip<br />
|<br />
|-<br />
| [[ Revue Update b42449| b42449]] <br />
| 2.1-Update1<br />
| 12-15-10<br />
| http://android.clients.google.com/packages/ota/logitech_ka/c9914396d183.mp-signed-ota_update-b42449.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-December-15-2010/td-p/537980 Logitech Forums]<br />
|-<br />
| [[ Revue Update b42732 | b42732]]<br />
| 2.1-Update1<br />
| 01-12-11<br />
| http://android.clients.google.com/packages/ota/logitech_ka/9504d579bade.mp-signed-ota_update-b42732.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-January-11-2011/td-p/557792 Logitech Forums]<br />
|-<br />
| [[ Revue Update b47773 | b47773]]<br />
| 2.1-Update1<br />
| 03-15-11<br />
| http://android.clients.google.com/packages/ota/logitech_ka/d0d70a7753a8.mp-signed-ota_update-b47773.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-March-15-2011/td-p/593504 Logitech Forums]<br />
|-<br />
| [[ Revue Update b49116 | b49116]]<br />
| 2.1-Update1<br />
| 03-29-11<br />
| http://android.clients.google.com/packages/ota/logitech_ka/4d9b9425b17f.mp-signed-ota_update-b49116.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-March-29-2011/td-p/600392 Logitech Forums]<br />
|-<br />
| [[ Revue Update b51795 | b51795]]<br />
| 2.1-Update1<br />
| 04-28-11<br />
| http://android.clients.google.com/packages/ota/logitech_ka/f008beb34df8.mp-signed-ota_update-b51795.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-April-28-2011/td-p/614258 Logitech Forums]<br />
|-<br />
| [[ Revue Update b54202 | b54202]]<br />
| 2.1-Update1<br />
| 06-27-11<br />
| http://android.clients.google.com/packages/ota/logitech_ka/b3cf00f78a60.mp-signed-ota_update-b54202.zip<br />
| [http://forums.logitech.com/t5/Revue-Product-Updates-Release/Revue-amp-Google-TV-Update-June-27-2011/td-p/640958 Logitech Forums]<br />
|}<br />
[[Category:Logitech Revue|Version Numbers]]<br />
<br />
=== Sony Blu Ray Player X ===<br />
{| border="1" cellspacing="0"<br />
! Version number<br />
! ID<br />
! Date first seen<br />
! Update link<br />
! Announcement<br />
|-<br />
| [[ Sony Update 164108| 164108]]<br />
| 2.1-update1<br />
| 01-10-11<br />
| ogm_2.1_2010121503ON.164108<br />
| The Chrome behavior has been improved.<br />
|}<br />
<br />
=== Sony GoogleTV X===<br />
== Known Development/Beta Version Numbers ==<br />
<br />
== Core GoogleTV Versions == <br />
These Version Numbers relate to GoogleTV Versions, which may or may not see release to the individual devices. Think of the difference between AOSP releases and device-specific releases.<br />
<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LogitechRevueUpdates&diff=2626LogitechRevueUpdates2017-01-03T17:02:49Z<p>Martiniturbide: </p>
<hr />
<div>Logitech Revue Version information and Update information has been moved to the [[GoogleTV_-_Version_Numbers | Google TV Version page]].<br />
{{Revue toc Inline}}<br />
<br />
<br />
[[Category:Logitech]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Boxee&diff=2625Boxee2017-01-03T17:00:29Z<p>Martiniturbide: </p>
<hr />
<div>[[File:Front-SMALL.jpg|250px|right|thumb]]<br />
<br />
{{Disclaimer}}<br />
<br />
The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC ([[Intel Atom CE4170]]).<br />
<br />
Security-wise, it functions much like the Logitech Revue or the Gen 1 Sony Google TV boxes.<br />
<br />
Specifically, the bootloader is signed and calls a signed kernel. The kernel RSA-verifies a read-only ramdisk and then boots it.<br />
<br />
We unveiled two methods for rooting the Boxee at DEFCON 20, which are below. These are known to work as of the latest update, 1.5.1.23735.<br />
<br />
<br />
<br />
<br />
<br />
== Software Root Method (LCE) ==<br />
<br />
[[File:SettingsNetworkServers.jpg|500px|center|thumb]]<br />
<br />
Under Share Workgroup Name, you can append another command after a semicolon.<br />
<br />
For instance, to run "custom.sh" off of your USB drive (replacing LABEL with the label of your USB disk):<br />
<br />
 ;sh /mnt/LABEL/custom.sh ;<br />
<br />
This will cause custom.sh to run at each bootup. The script can then simply launch busybox from USB and spawn a root telnet daemon on port 23.<br />
<br />
A video of the POC for this root used at our Defcon20 presentation can be found on [http://www.youtube.com/watch?v=-_wZiFmrwsw&feature=plcp our YouTube channel]<br />
<br />
== Hardware Method ==<br />
<br />
Scrape the two vias labeled in the picture below, solder wires to a UART adapter (TX/RX). Ground to any ground point. Once the box boots, it will drop you to a root shell.<br />
<br />
[[File:Boxeehw.jpg|500px|center|thumb]]<br />
<br />
[[Category:Boxee]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Boxee&diff=2624Boxee2017-01-03T16:59:53Z<p>Martiniturbide: </p>
<hr />
<div>[[File:Front-SMALL.jpg|250px|right|thumb]]<br />
<br />
{{Disclaimer}}<br />
<br />
The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC ([[Intel Atom CE4170]]).<br />
<br />
Security-wise, it functions much like the Logitech Revue or the Gen 1 Sony Google TV boxes.<br />
<br />
Specifically, the bootloader is signed and calls a signed kernel. The kernel RSA-verifies a read-only ramdisk and then boots it.<br />
<br />
We unveiled two methods for rooting the Boxee at DEFCON 20, which are below. These are known to work as of the latest update, 1.5.1.23735.<br />
<br />
<br />
<br />
<br />
<br />
== Software Root Method (LCE) ==<br />
<br />
[[File:SettingsNetworkServers.jpg|500px|center|thumb]]<br />
<br />
Under Share Workgroup Name, you can append another command after a semicolon.<br />
<br />
For instance, to run "custom.sh" off of your USB drive (replacing LABEL with the label of your USB disk):<br />
<br />
 ;sh /mnt/LABEL/custom.sh ;<br />
<br />
This will cause custom.sh to run at each bootup. The script can then simply launch busybox from USB and spawn a root telnet daemon on port 23.<br />
<br />
A video of the POC for this root used at our Defcon20 presentation can be found on [http://www.youtube.com/watch?v=-_wZiFmrwsw&feature=plcp our YouTube channel]<br />
<br />
== Hardware Method ==<br />
<br />
Scrape the two vias labeled in the picture below, solder wires to a UART adapter (TX/RX). Ground to any ground point. Once the box boots, it will drop you to a root shell.<br />
<br />
[[File:Boxeehw.jpg|500px|center|thumb]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Logitech_Revue_Hardware&diff=2623Logitech Revue Hardware2017-01-03T16:58:43Z<p>Martiniturbide: /* Specs */</p>
<hr />
<div>[[File:Revue-advert.gif|250px|left|thumb]]<br />
{{Revue toc Inline}}<br />
This page will be dedicated to the hardware specifications, descriptions, and information related to the Logitech Revue.<br />
<br />
The Revue was initially released October 21st 2010 (with official availability on the 25th) in the United States. The Revue was released initially as a pass-through device meant to augment your initial set top box connection to your display device. For customers using the "DISH Network" Satellite subscription television service, integration was available that allowed the Revue to communicate directly with the satellite receiver/set top box. For all other devices, an IR blaster was used to simulate remote control commands as a means to communicate between the Revue and the STB hardware.<br />
<br />
== Specs ==<br />
*[[Intel Atom CE4150]] 1.2 GHz processor, with a 400 MHz GPU <br />
*Gigabyte GA-SBKAN2 motherboard<br />
*Samsung K9F8G08U0M 1 GB NAND Flash (Single Level Cell) [http://www.samsung.com/global/system/business/semiconductor/product/2007/6/11/NANDFlash/SLC_LargeBlock/8Gbit/K9F8G08U0M/ds_k9f8g08x0m_rev10.pdf Datasheet] [http://zenosec.com/gtv/revue/ds_k9f8g08x0m_rev10.pdf Mirror]<br />
*Hynix H27UBG8T2ATR 4 GB NAND Flash (Multiple Level Cell) [http://www.szyuda88.com/uploadfile/cfile/201061714220663.pdf Datasheet]<br />
*Silicon Image Sil9135 HDMI 1.3 Receiver [http://dl.dropbox.com/u/217678/Silicon%20Image%20Sil9135%20Info.pdf Chip Information] [http://focus.tij.co.jp/jp/lit/an/spraav4/spraav4.pdf Datasheet from TI]<br />
*Nanya NT5CB128M8CN-CG 1 GB DDR3 SDRAM (1 Gb X 8) [http://dl.dropbox.com/u/217678/NTC-DDR3-1G-C-V58B-12-12-5.pdf Datasheet]<br />
*Realtek Semiconductor RTL8201N 10/100M PHYceiver [http://realtek.info/pdf/RTL8201N_1-1.pdf Datasheet]<br />
*Microchip PIC24FJ64GA004-I/PT 16-bit microcontroller [http://ww1.microchip.com/downloads/en/DeviceDoc/39881c.pdf Datasheet]<br />
*Phison S2251-50 USB to Flash Controller (Datasheet not available to end users according to manufacturer)<br />
*IDT ICS9LPRS525AGLF Clock for CPU [http://dl.dropbox.com/u/217678/9LPRS525.pdf Datasheet]<br />
*IDT 6V49061 Clock for audio/video?<br />
*Genesys Logic GL850G USB Hub [http://www.genesyslogic.com/manage/upfile/12052255151.pdf Datasheet]<br />
<br />
The Logitech Revue was recently torn down and had its [http://www.ifixit.com/Teardown/Logitech-Revue-Teardown/3788/1 internals revealed].<br />
Direct link to the higher resolution picture of the [http://guide-images.ifixit.net/igi/5jWUcNNOrDvXZqEy.huge motherboard].<br />
<br />
SemiAccurate has a populated board similar to the one in the Revue: http://www.semiaccurate.com/2010/06/04/gigabyte-has-google-tv-ready-motherboard/<br />
<br />
== Usage ==<br />
Samsung K9F8G08U0M 1 GB NAND Flash<br />
*Used for storage of bootloader, kernel, boot flash graphics, Linux OS, etc.<br />
<br />
Hynix H27UBG8T2ATR 4 GB NAND Flash (Long Term Storage)<br />
*Used for persistent storage, device is /dev/sda - possible to override with an external USB drive<br />
<br />
Microchip PIC24FJ64GA004-I/PT 16-bit microcontroller <br />
*Used to handle IR input/output for remotes/IR blasters and possible interface with wireless keyboard<br />
*System reboot/powerdown<br />
*Possibly HDMI CEC <br />
<br />
Silicon Image Sil9135 HDMI 1.3 Receiver<br />
*Used to process video to and from HDMI ports as well as audio over HDMI and SPDIF<br />
*Supports DTS even though the Revue does not (An update can probably enable this feature)<br />
<br />
IDT ICS9LPRS525AGLF Clock for CPU<br />
*Provides a clock for the Intel Atom CPU<br />
[[Category:Logitech Revue|Hardware]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Sony_NSX-40GT1_(Internet_TV)&diff=2622Sony NSX-40GT1 (Internet TV)2017-01-03T16:57:56Z<p>Martiniturbide: </p>
<hr />
<div>{{Disclaimer}}<br />
[[File:Sony_NSX-40GT1.jpg|250px|left|thumb]]<br />
[[Category:Sony NSX-40GT1]]<br />
[[Category:Sony]]<br />
<br />
==Specs==<br />
* [[Intel Atom CE4170]]<br />
<br />
== Recovery Mode ==<br />
Apeman42 from XDA Developers found the [http://forum.xda-developers.com/showthread.php?t=812601 Recovery Menu]<br />
<br />
#Have everything plugged into the unit except the power cord. Have the power cord in your hand.<br />
#Press and hold the power button and plug the unit in.<br />
#Continue to hold down the power button for 3 seconds after plugging it in, then release the power button.<br />
#Wait a couple of seconds and it will say Sony, then you will see the recovery screen.<br />
#After it loads, press and hold the connect button on the unit. Then follow the directions at the bottom of the screen (Press and hold ALT+ENTER) for 8 seconds/until the bottom message changes. It will change back to it saying that you have to press the CONNECT button, but your remote IS connected.<br />
#You can now press the numbers assigned to the commands!<br />
<br />
== Serial Console ==<br />
The Sony NSX series TVs have an easy-open debug port on the back:<br />
<br />
[[File:Nsxgtvport.jpg]]<br />
<br />
Presumably the beige connector is for a custom ribbon cable. The row of four solder pads below it is the UART for ttyS0: GND, RX, TX, 3.3V. If you listen to the TX port while the TV boots up, you'll get a dmesg dump: https://pastee.org/v2ytp. This port echoes characters (if hardware flow control is off) but seems to totally ignore all incoming characters.<br />
<br />
Listening to the UART while going through the recovery mode menu items yields lots of juicy logs: https://pastee.org/ra8np [[nsx-40gt1 uart log]]<br />
<br />
On the ribbon cable connector, number the pins from 1 on the (lower) left side to 18 on the (upper) right side.<br />
<br />
# GND<br />
# ?<br />
# 3.3V (connected to the 4th solder pad)<br />
# N/C<br />
# (connected to the 4th solder pad)<br />
# N/C (Though it is routed to a via)<br />
# ? (normally high, but low during a reset)<br />
# GND<br />
# TX1 (Connected to 3rd solder pad)<br />
# RX1 (Connected to 2nd solder pad)<br />
# N/C<br />
# ? (normally high, but low during a reset)<br />
# ?<br />
# (connected to the 4th solder pad)<br />
# RESET<br />
# ? (high)<br />
# TX2 (bootloader output, 115200/8N1)<br />
# GND<br />
<br />
== USB Update ==<br />
The steps to access recovery mode are listed in the "Recovery Mode" section at the top of this page. Also, a list of Sony OTA downloads can be found [http://gtvhacker.com/index.php/Sony_Update_Downloads#Download_Links here].<br />
<br />
In recovery mode, any USB storage device will be automounted when inserted. If it's inserted at the start of recovery mode, the device will attempt to do a USB update. This executes the following:<br />
<pre><br />
cmd:ls /tmp/mnt/diskb1/package_list_*.zip | head -1 | grep "package_list_"<br />
cmd:/bin/sony/check_version.sh /tmp/mnt/diskb1/package_list_0.zip<br />
</pre><br />
<br />
For a USB update to succeed, the following are necessary (but not sufficient):<br />
# there must be a file matching /package_list_*.zip or else you get the error "find package error: no such a package !"<br />
# the zip must contain a file "system/build.prop" or else you get the error "caution: filename not matched: system/build.prop"<br />
# the zip must contain a file matching "package_list_*.txt" or else you get the error "caution: filename not matched: package_list_*.txt"<br />
# The system/build.prop must have an ro.build.id that is greater than the current values. Otherwise you get an onscreen message saying "USB data is old".<br />
# At '''this''' point, the signature is checked:<br />
<pre> <br />
package update start ! <br />
cmd:/package_update.sh -y -l 0 -p /tmp/mnt/diskb1/package_list_ogm_2.1_2011_asu1<br />
(*) Direct/Interface: Loaded 'PNG' implementation of 'IDirectFBImageProvider'. <br />
dtv_sym_tv_updating.png = w: 1920, h: 1080. <br />
Verifying.. <br />
Error in main(47):Footer Error <br />
Signing Verify Error <br />
Error!! <br />
</pre><br />
<br />
If a valid-looking zipfile on a USB storage device is plugged in when the system goes through a normal boot, it will abort and reboot into the recovery mode.<br />
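<br />
The pre-signature checks listed above can be walked offline against a candidate USB layout. This is an added example, not Sony's updater code and not from the original page: the function names and stage labels are hypothetical, the build ids are constructed, and it assumes ro.build.id values compare as plain strings and that Python's sorted order stands in for the `ls | head -1` selection. Passing every stage only means the package reaches signature verification.<br />

```python
import fnmatch
import io
import zipfile

# Messages quoted from the page; the stage names are this example's own labels.
MSG_NO_PACKAGE = "find package error: no such a package !"
MSG_NO_BUILD_PROP = "caution: filename not matched: system/build.prop"
MSG_NO_LIST_TXT = "caution: filename not matched: package_list_*.txt"
MSG_OLD = "USB data is old"


def read_build_id(build_prop_text):
    """Return the ro.build.id value from build.prop text, or None if absent."""
    for raw in build_prop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ro.build.id":
            return value.strip()
    return None


def precheck_usb_update(root_files, current_build_id):
    """Apply the page's checks in order and report where a package stops.

    root_files: dict of {file name at the USB root: file bytes}.
    Returns (stage, message).
    """
    # Check 1: a package_list_*.zip must exist; the first match is used.
    candidates = sorted(
        name for name in root_files
        if fnmatch.fnmatchcase(name, "package_list_*.zip")
    )
    if not candidates:
        return ("no_package", MSG_NO_PACKAGE)
    chosen = candidates[0]

    try:
        archive = zipfile.ZipFile(io.BytesIO(root_files[chosen]))
    except zipfile.BadZipFile:
        # The page gives no message for this case; the wording is this example's.
        return ("bad_zip", chosen + " is not a readable zip")

    with archive:
        names = archive.namelist()
        # Check 2: system/build.prop must be present.
        if "system/build.prop" not in names:
            return ("no_build_prop", MSG_NO_BUILD_PROP)
        # Check 3: a package_list_*.txt member must be present.
        if not any(fnmatch.fnmatchcase(n, "package_list_*.txt") for n in names):
            return ("no_list_txt", MSG_NO_LIST_TXT)
        prop_text = archive.read("system/build.prop").decode("utf-8", "replace")

    # Check 4: ro.build.id must be greater than the current one.
    # Assumption: plain string comparison; the page does not state the rule.
    build_id = read_build_id(prop_text)
    if build_id is None or not build_id > current_build_id:
        return ("old_build", MSG_OLD)

    # Check 5 (the signature) happens on the device; everything read above
    # came from the unverified zip, so none of it is a trust decision.
    return ("signature_check", chosen + " reaches signature verification")


def make_zip(members):
    """Build an in-memory zip from {member name: text} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: build ids B0001/B0002 are placeholders.
    usb = {
        "package_list_0.zip": make_zip({
            "system/build.prop": "# constructed\nro.build.id=B0002\n",
            "package_list_sample.txt": "constructed\n",
        }),
    }
    for current in ("B0001", "B0002"):
        print(current, precheck_usb_update(usb, current))
```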
<br />
== Device Menus ==<br />
Information can be found on the system menus at: [[Sony Settings Menus]]<br />
<br />
== GPL Code ==<br />
Code for the first gen Sony TVs can be found [http://www.sony.net/Products/Linux/TV/NSX-24GT1.html here]<br />
<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Intel_Atom_CE4170&diff=2621Intel Atom CE41702017-01-03T16:56:58Z<p>Martiniturbide: </p>
<hr />
<div>Codename "Sodaville" (45 nm)<br />
* Package size: 27 mm × 27 mm<br />
* GPU (based on the PowerVR SGX535 from Imagination Technologies)<br />
<br />
==Devices using this Processor==<br />
* [[Sony NSZ-GT1 (Bluray Player)]] - CE4170<br />
* [[Sony NSX-40GT1 (Internet TV)]] - CE4170<br />
* [[Logitech Revue Hardware]] - CE4150<br />
* [[Boxee]] <br />
<br />
<br />
==Links==<br />
* [http://www.anandtech.com/show/4029/the-boxee-box-review The Boxee Box Review Information about Intel CE4100 Family]<br />
* [http://www.wpgholdings.com/epaper/US/newsRelease_20091215/255874.pdf Intel Product Description Brochure]<br />
* [https://web.archive.org/web/20130301011943/http://www.windowsfordevices.com/c/a/News/Intel-CE4100/ Windows for Devices Review - From Archive.org]<br />
* [http://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors#CE_SoCs Wikipedia Information]<br />
<br />
[[Category:Intel]]<br />
[[Category:Processor]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=GoogleTV_Tips_and_Tricks&diff=2620GoogleTV Tips and Tricks2017-01-03T16:55:49Z<p>Martiniturbide: </p>
<hr />
<div>'''Basic Usage'''<br />
*Ctrl + Alt + Del = Reboot box<br />
* Long Pressing the Home key returns to the "window switcher"/tab cycle tool.<br />
<br />
'''Browser Hotkeys'''<br />
*Ctrl + Direction Left Returns to the previous page.<br />
*Ctrl + Direction Right Moves forward to the next page.<br />
*Ctrl + Shift + N or Ctrl + Shift + T Creates a new incognito tab.<br />
*Ctrl + L Brings up the address bar.<br />
*Ctrl + N or Ctrl + T Opens a new tab.<br />
*Ctrl + W Closes a tab.<br />
*Ctrl + Tab Cycles through the open tabs.<br />
*Ctrl + Zooms in on browser.<br />
*Ctrl - Zooms out on browser.<br />
*Ctrl + 0 Zoom Reset.<br />
*Ctrl + D Saves a page in the Bookmarks.<br />
*Ctrl + F Brings up Find Text in Document search window.<br />
*Ctrl + R Refreshes the page.<br />
*Alt + Direction Left Returns to the previous page.<br />
*Alt + Direction Right Moves forward to the next page.<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Sony_Settings_Menus&diff=2619Sony Settings Menus2017-01-03T16:55:14Z<p>Martiniturbide: </p>
<hr />
<div>I found these menus so disorganized that I needed to write them down. They are also a handy reference when helping other GTV users. These are taken from an NSZ-GT1 Blu-ray Google TV running 3.2 root. Owners of the TV model can note any differences as they see them.<br />
<br />
'''Settings'''<br />
*'''Network'''<br />
*:Manage Internet Connection<br />
**'''Ethernet'''<br />
**'''Wi-Fi'''<br />
**'''Status'''<br />
**:View detailed network status<br />
***'''IP address'''<br />
***'''Ethernet MAC address'''<br />
***'''Wi-Fi MAC address'''<br />
***'''Local network'''<br />
***'''Internet'''<br />
***'''Ethernet''' (connection status)<br />
***'''Wi-Fi''' (connection status)<br />
***'''Private network'''<br />
**'''Home network setup'''<br />
**:Set up home network connections<br />
***'''Edit device name''' (default = Sony Internet TV)<br />
***'''Manage paired remote applications'''<br />
***:Remove pair remote application for mobile<br />
*'''Video input'''<br />
*:Set up TV service provider<br />
*:Lists configured devices. Scans for sources and allows manual addition of devices.<br />
**'''Edit channel list'''<br />
**:Select the channels this device receives<br />
**'''IR Blaster settings'''<br />
***'''Advanced settings'''<br />
****'''Zero padding''' (2..6 digits. Default = Minimum)<br />
****:Set the channel number digits<br />
****'''Key interval''' (100..1000 by 50s. Default = 250 msec)<br />
****:Set the transmission interval for the channel number<br />
****'''Send an "Enter" command''' (checkbox. Default = checked)<br />
****:Send an "Enter" command after the channel number<br />
****'''Test''' (launches test)<br />
****:Check if the setting is correct<br />
***'''Type''' (non-clickable)<br />
***'''Code''' (allows manual entry of code)<br />
**'''HD channels''' (checkbox. Default = checked)<br />
**:Enabled access to HD channels<br />
**'''Disconnect device'''<br />
**'''Default TV device'''<br />
**'''Edit channel lineup''' (launches provider selection)<br />
*'''TV & AVR'''<br />
*:Set the IR Blaster to control the TV & AV Receiver<br />
**'''TV control setting''' (opens manufacturer list)<br />
**'''AV Receiver setting'''<br />
***'''Control with IR Blaster''' (checkbox)<br />
***:Mark the checkbox to control the AV Receiver with the IR Blaster<br />
***'''Manufacturer''' (manually sets manufacturer)<br />
***'''Code''' (manually sets code)<br />
***'''IR Blaster test''' (launches test)<br />
**'''Enable TV control''' (checkbox)<br />
**:Mark the checkbox to control the TV with the IR Blaster<br />
**'''TV & volume control settings'''<br />
**:Available when Enable TV control is set to On<br />
***:You can check if the setting is correct<br />
*'''Picture & sound'''<br />
*:Adjust the picture and sound<br />
**'''3D settings'''<br />
**:Change the 3D viewing environment<br />
***'''3D output setting'''<br />
***:Choose whether to output in 2D or 3D<br />
***: Auto/Off (default = Auto)<br />
***'''TV screen size setting for 3D BD'''<br />
***:Set the screen size for 3D Blu-ray movies<br />
***:Three-digit selector for screen size in inches. (default = 46)<br />
**'''Resolution'''<br />
**:Select preferred TV resolution<br />
**:Auto/1080p/1080i/720p (3D will not work unless set to Auto. Default = Auto)<br />
**'''Picture size''' (launches overscan calibration utility from initial setup)<br />
**:Maximize your screen area<br />
**'''Screen format'''<br />
**:Set the source's aspect ratio when it differs from the TV<br />
**:Original/Fixed aspect ratio (default = Original)<br />
**'''YCbCr/RGB (HDMI)'''<br />
**:Set the color space conversion for the video signal from HDMI<br />
**:Auto/YCbCr(4:4:4)/RGB (default = Auto)<br />
**'''Noise reduction'''<br />
**:Reduce repetitive random noise<br />
**:High/Medium/Low/Off (default = Off)<br />
**'''Screen saver'''<br />
**:Set the screen saver<br />
**:Off/10 min/30 min/1 h/2 h/3 h<br />
**'''Audio (HDMI)''' (inactive)<br />
**'''Audio output priority'''<br />
**:Set the jack type for audio equipment connection<br />
**:HDMI/Optical (default = HDMI)<br />
**'''BD audio mix setting'''<br />
**:Set whether to mix interactive audio and output<br />
**:On/Off (default = On)<br />
**'''Dolby Digital (Optical)'''<br />
**:Set the Dolby Digital output signal from DIGITAL OUT<br />
**:Off (Downmix PCM)/On (default = On)<br />
**'''Dolby Digital pass-through'''<br />
**:Send Dolby Digital signals from HDMI devices to your audio system<br />
**:On/Off (default = On)<br />
**'''DTS (Optical)'''<br />
**:Set the DTS output signal from DIGITAL OUT<br />
**:Off (Downmix PCM)/On (default = On)<br />
**'''Audio DRC'''<br />
**:Set the sound effect when playing a BD or DVD<br />
**:Auto/Standard/TV mode/Wide range (default = Auto)<br />
**'''Downmix'''<br />
**:Apply the surround effect to the output audio signal<br />
**:Surround/Stereo (default = Surround)<br />
**'''AV sync'''<br />
**:Adjust the timing between picture and sound<br />
**:0-120 msec at increments of 10 msec<br />
**'''Sound effects''' (checkbox. Default = unchecked)<br />
**:Enable sound effects<br />
**'''Notification sounds''' (Silent/Default. Default = Silent)<br />
**'''Text-to-speech'''<br />
***'''Listen to an example'''<br />
***:Play a short demonstration of speech synthesis<br />
***'''Always use my settings''' (checkbox. Default = unchecked)<br />
***:Default settings below override application settings<br />
***'''Default Engine''' (only option is Pico TTS)<br />
***:Sets the speech synthesis engine to be used for spoken text<br />
***'''Install voice data'''<br />
***:Install the voice data required for speech synthesis<br />
***'''Speech rate'''<br />
***:Speed at which the text is spoken<br />
***:Very slow/Slow/Normal/Fast/Very fast<br />
***'''Language''' (only option is English (United States))<br />
***:Sets the language-specific voice for the spoken text<br />
***'''Pico TTS'''<br />
***:Pico TTS settings<br />
*'''Disc Player settings'''<br />
*:Change general settings<br />
**'''Timer'''<br />
**:Set timer to power on or off<br />
**:Displays artsy clock. Allows multiple setting timers for on or off (or so it appears) to time, day of week, and duration, as well as sleep timer of 15-120 minutes.<br />
**'''Eco'''<br />
**:Change the settings related to power consumption<br />
***'''Quick start'''<br />
***:Set the unit to power on quickly<br />
***:On/Off. Unit powers on much more quickly but consumes more power while powered off.<br />
***'''Auto standby'''<br />
***:The unit automatically turns off after 2 hours of non-operation.<br />
***:On/Off (default = Off)<br />
**'''HDMI settings'''<br />
**:Change the settings for controlling compatible HDMI devices<br />
***'''Control for HDMI'''<br />
***:Control the unit with the HDMI-connected TV<br />
***:On/Off (default = On)<br />
***'''Unit auto power off'''<br />
***:Power off unit when the HDMI-connected TV is turned off<br />
***:On/Off (depends on previous option On. Default = Off)<br />
**'''Cinema conversion mode'''<br />
**:Set the conversion method for video or film material<br />
**:Auto/Video<br />
**'''BD-ROM 1080/24p output'''<br />
**:Output a 1080/24p video signal from HDMI<br />
**:Auto/Off<br />
**'''Auto display'''<br />
**:Display info when switching audio modes or during playback<br />
**:On/Off (default = On)<br />
**'''BD/DVD viewing settings'''<br />
**:Set the language displayed on BD or DVD menus<br />
***'''BD/DVD menu''' (opens language selector)<br />
***:Set the language displayed on BD or DVD menus<br />
***'''Audio''' (opens language selector. Default = Original)<br />
***:Set the audio language when playing a BD or DVD<br />
***'''Subtitle''' (opens language selector)<br />
***:Set the subtitle language when playing a BD or DVD<br />
**'''BD Internet connection'''<br />
**:Allow Internet connection from BD content<br />
**:Allow/Do not allow (default = Do not allow)<br />
**'''BD data management'''<br />
**:BD data management<br />
***'''Erase BD data'''<br />
***:Used capacity listed<br />
*'''Search'''<br />
*:Manage searchable items, clear shortcuts<br />
**'''Searchable items''' (opens list of installed applications with checkboxes for each)<br />
**:Choose applications to search<br />
**'''Clear shortcuts'''<br />
**:Clear shortcuts to recently chosen search suggestions<br />
*'''Applications'''<br />
*:Manage applications and development options<br />
**'''Manage applications'''<br />
**:Manage and remove installed applications<br />
**:View applications by Downloaded, All, or Running. View internal storage amount used/free and RAM amount used/free. View application storage use, access settings, and stop applications and services.<br />
**'''Running services'''<br />
**:View and control currently running services<br />
**:Same as previous menu option, opening to different default page.<br />
**'''Development'''<br />
**:Set options for application development<br />
***'''Remote debugging''' (checkbox. Default = checked)<br />
***:Allow connections from debugging tools<br />
***'''Debugger IP address''' (needs to be set to the IP address of the system you are running adb on)<br />
***'''Mock locations''' (checkbox. Default = checked)<br />
***:Allow mock locations<br />
*'''Input device'''<br />
*:Manage input devices, IP remotes<br />
**'''Manage IP remotes'''<br />
**:Connect and disconnect IP remotes<br />
***'''Connect to new IP remotes''' (checkbox. Default = checked)<br />
***:Accept new pairing requests<br />
***Paired IP remotes list if configured<br />
**'''Chrome to TV''' (launches feature setup)<br />
**:Push links to this device from Google Chrome<br />
**'''Pointer speed''' (opens selection slider)<br />
**:Mouse and trackpad speed<br />
**'''Current keyboard'''<br />
**:Configure current keyboard<br />
***'''English (US) Keyboard (Android keyboard)''' / '''English Voice (Android keyboard)''' / '''Remote Keyboard'''<br />
***'''Configure input methods''' (opens same panel as next option)<br />
**'''Configure input methods''' (opens panel with inactive options)<br />
**:Configure input methods<br />
*'''Accounts & sync'''<br />
*:Manage accounts and data sync<br />
**'''Background data''' (checkbox. Default = checked)<br />
**:Applications can sync, send, and receive data at any time<br />
**'''Auto-sync''' (checkbox. Default = checked)<br />
**:Applications sync data automatically<br />
**Accounts listed if configured<br />
**Option to add account<br />
*'''Privacy & safety'''<br />
*:Manage privacy, safety and lock settings<br />
**'''Reporting''' (checkbox. Default = unchecked)<br />
**:Automatically send Google TV usage statistics and crash reports to Google<br />
**'''Factory data reset''' (I'm not going to see if this is clickable.)<br />
**'''Video history''' (checkbox. Default = unchecked)<br />
**:Enable history of video watching such as TV channels<br />
**'''Clear video history''' (depends on previous option checked)<br />
**'''SafeSearch'''<br />
**:Block adult content from appearing in search results<br />
***'''Strict filtering''' / '''Moderate filtering''' (default) / '''Do not filter'''<br />
**'''Application lock'''<br />
**:Require PIN to use Google Chrome & Market<br />
***'''Lock Google Chrome & Market''' (checkbox. Default = unchecked)<br />
***'''Change PIN''' (depends on previous option checked)<br />
**'''Parental lock''' (launches prompt for "4 number" password)<br />
**:Block unwanted programs or content<br />
**'''Back up my data''' (checkbox. Default = checked if Google account configured)<br />
**:Back up application data and other settings to Google servers<br />
**'''Backup account''' (allows addition of account(s))<br />
**'''Automatic restore''' (checkbox. Default = checked if Google account configured)<br />
**:If I reinstall an application, restore backed up settings or other data<br />
*'''Storage'''<br />
*:Unmount USB storage, view available storage<br />
**'''Total''' (non-clickable. 3.72GB for NSZ-GT1)<br />
**'''Available''' (non-clickable)<br />
**'''Enable FTP access''' (checkbox. Default = unchecked)<br />
**Media storage devices listed if any are connected<br />
*'''Date, time & location'''<br />
*:Set date, time, time zone and formats<br />
**'''Automatic''' (checkbox. Default = checked)<br />
**:Use network-provided time<br />
**'''Set date''' (depends on first option unchecked)<br />
**'''Select time zone'''<br />
**'''Set time''' (depends on first option unchecked)<br />
**'''Use 24-hour format''' (checkbox. Default = unchecked)<br />
**'''Select date format'''<br />
**'''Set location''' (zip code)<br />
*'''Accessibility'''<br />
*:Manage accessibility options<br />
**'''Enable accessibility services''' (checkbox. Default = unchecked)<br />
**'''TalkBack''' (checkbox. depends on first option checked. Default = unchecked)<br />
**'''Download accessibility scripts''' (checkbox. depends on first option checked. Default = unchecked)<br />
**:Allow applications to download accessibility scripts from Google<br />
*'''About'''<br />
*:System information<br />
**'''System updates''' (checks for updates)<br />
**'''System tutorial''' (launches tutorial)<br />
**'''Model number''' (non-clickable)<br />
**'''Firmware version''' (non-clickable)<br />
**'''Build number''' (non-clickable)<br />
**'''Contact Sony'''<br />
**:Website and phone contact for Sony product support<br />
***'''Website support''' (opens website)<br />
***'''United States phone contact''' (non-clickable)<br />
***'''Model name''' (non-clickable)<br />
***'''Serial number''' (non-clickable)<br />
***'''Software version''' (non-clickable & shows no info)<br />
***'''Disc drive version''' (non-clickable)<br />
***'''Sub micro version''' (non-clickable)<br />
***'''RF module version''' (non-clickable)<br />
**'''Open source licenses''' (opens text window)<br />
**'''Google legal''' (opens legal browser)<br />
**'''Sony legal''' (opens legal browser)<br />
<br />
[[Category:Sony]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Sony_GTV_Troubleshooting&diff=2618Sony GTV Troubleshooting2017-01-03T16:54:55Z<p>Martiniturbide: </p>
<hr />
<div>A list of problems and solutions<br />
<br />
==NSZ-GT1 won't play 3D Blu-ray discs in 3D==<br />
Possible causes of this problem and their solutions:<br />
* Sony introduced 3D support in the 2012.01.26 update. Check your software version in Settings -> About to make sure that you have 2012.01.26 or later. If you have an older version of the software, you can update it by checking for updates in the menu or by downloading the appropriate update from [[Sony Update Downloads]] and installing it.<br />
* 3D will not work if your display resolution is not set to Auto or if you have 3D set to Off. In Settings -> Picture, set both of these to Auto in their respective submenus.<br />
* Of course, if your TV doesn't support 3D you won't have 3D.<br />
<br />
[[Category:Sony]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Vizio_Co-Star_Tips_%26_Tricks&diff=2617Vizio Co-Star Tips & Tricks2017-01-03T16:54:25Z<p>Martiniturbide: </p>
<hr />
<div><br />
==How to press Ctrl+Alt+Del to reboot?==<br />
For the moment the only way to reboot the Vizio Co-Star is to disconnect the power cable.<br />
<br />
==Recovery Mode==<br />
# Enable debug mode [https://developers.google.com/tv/android/docs/gtv_debug]<br />
<br />
==Bootloader Mode==<br />
<br />
==How to root Vizio Co-Star==<br />
There is a very quick tutorial on Exploitee.rs forum [http://forum.Exploitee.rs/star-vap430-f40/topic1547.html]<br />
<br />
==Custom ROMS==<br />
There are no custom ROMs available for the moment. <br />
<br />
==Sources== <br />
* [http://forum.Exploitee.rs/star-vap430-f40/topic1426.html?sid=74e402c4697fa0d66ff4e0e0ddf9069a GTVHacker Forums]<br />
* [http://www.googletvforum.org/forum/vizio-co-star/5958-co-star-tips.html#ctip100 Vizio Tips and Tricks]<br />
<br />
[[Category:Vizio]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Vizio&diff=2616Vizio2017-01-03T16:54:06Z<p>Martiniturbide: </p>
<hr />
<div>== Announced Devices ==<br />
<br />
42-inch R3D420VS<br />
<br />
47-inch R3D470VS<br />
<br />
55-inch R3D550VS<br />
<br />
65-inch R3D650VS<br />
<br />
65-inch M3D650SV<br />
<br />
VAP430 Stream Player<br />
<br />
VBR430 Blu-Ray Player<br />
<br />
[[Category:Vizio]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_WeMo_Insight_Switch&diff=2615Belkin WeMo Insight Switch2017-01-03T16:53:15Z<p>Martiniturbide: /* Disassembly */</p>
<hr />
<div>[[file:BelkinWemoInsightSwitch.png|200px|thumb]]<br />
==Information==<br />
* '''Name:''' Belkin WeMo Insight Switch<br />
* '''Model:''' F7C029<br />
* '''Latest Firmware:''' WeMo_WW_2.00.9399.PVT-OWRT-Insight<br />
<br />
It has a button on the top, a Micro USB port (labeled "restore"), a small wifi LED, and a large LED that indicates whether the device is turned on. The wifi LED blinks green while the device is connecting to the wifi network; once connected, it stays solid green for a while and then turns off.<br />
<br />
==Hardware Specs==<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
<br />
[[Category:Belkin]]<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/p/P-F7C029/ Official Web Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003JS3FAAW Official Support Site]<br />
<br />
[[Category:Home Automation]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_NetCam_HD%2B&diff=2614Belkin NetCam HD+2017-01-03T16:52:58Z<p>Martiniturbide: /* Links */</p>
<hr />
<div>[[file:BelkinNetCamHDp.jpg|200px|thumb]]<br />
<br />
[[file:BelkinNetCamHDp-2.jpg|200px|right|thumb]]<br />
<br />
This is a cloud exclusive wifi webcam. For the moment it only works with Belkin cloud powered by seedonk.<br />
<br />
==Information==<br />
* '''Name:''' Belkin NetCam HD+<br />
* '''Model:''' F7D7606v1<br />
* '''Code:''' 8830-188851 Rev. B00<br />
* '''Latest Firmware version:''' WeMo_NetCam_WW_2.00.7217.PVT<br />
<br />
==Hardware Specs==<br />
<br />
==More Information==<br />
It has a switch with two positions: "Gear/Configuration Mode", used to configure the device, and "Webcam Mode", which turns on the webcam and connects it to the wifi network.<br />
<br />
It has three LEDs on the back: the gear icon, the wifi icon and the power icon. The power icon lights up when the device is plugged in, the gear icon lights up in "Gear/Configuration Mode", and the wifi icon lights up in "camera mode" when the device connects to a wifi network. The wifi icon blinks while the device is in "Gear/Configuration Mode".<br />
<br />
===Configuration - Belkin Way===<br />
To configure the device you need to put it in "Gear/Configuration Mode". It will start a new wifi network called "NetCamHDAC00".<br />
You need an Android or iOS device with the "Belkin WebCam" application installed. From that application, follow the instructions to connect the camera to the Belkin cloud.<br />
<br />
[[file:MobileConfig001.png|100px]]<br />
[[file:MobileConfig002.png|100px]]<br />
[[file:MobileConfig003.png|100px]]<br />
[[file:MobileConfig004.png|100px]]<br />
[[file:MobileConfig005.png|100px]]<br />
[[file:MobileConfig006.png|100px]]<br />
[[file:MobileConfig007.png|100px]]<br />
[[file:MobileConfig008.png|100px]]<br />
[[file:MobileConfig009.png|100px]]<br />
<br />
In "Gear/Configuration Mode" the device creates a wifi network and assigns itself the IP "10.68.68.22" with subnet mask "255.255.255.0". It assigns IPs from 10.68.68.100 upward to any device that connects to that SSID.<br />
<br />
You cannot configure this webcam from a browser. When you access the "10.68.68.22" IP, it asks for a user ID and password that are not known.<br />
<br />
[[file:BelkinAuthenticationRequired.png|300px]]<br />
<br />
==Using the Device==<br />
This device can be used from:<br />
* '''Belkin Cloud:''' Using a browser, through the Belkin service [https://netcam.belkin.com] powered by seedonk. It requires an iSecurity+ player plugin or Flash to be installed.<br />
* '''Belkin Cloud:''' Mobile: using the Belkin Webcam application powered by seedonk. [https://play.google.com/store/apps/details?id=com.belkin.android.androidbelkinnetcam Android], [https://itunes.apple.com/us/app/belkin-netcam/id568129866 iOS].<br />
<br />
==Testing the Device==<br />
<br />
===Port Scanner===<br />
With a working device switched to "Webcam Mode" and connected to the same network, a port scanner shows two open ports on the webcam:<br />
* Port 80 - Commonly used for Hypertext Transfer Protocol.<br />
* Port 421 - Commonly used for SSL protocol.<br />
<br />
With the device switched to "Gear/Configuration Mode" and your machine connected to the wifi network the camera generates, you can find the following open ports:<br />
* <br />
*<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/F7D7606-Belkin/p/P-F7D7606/ Official Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003IPxUAAW Official Support Site]<br />
* [http://community.ispyconnect.com/ispybb2/viewtopic.php?t=507 Discussion on connecting this camera to iSpy]<br />
<br />
[[Category:Cameras]]<br />
[[Category:Belkin]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_Wemo%E2%80%8B&diff=2613Belkin Wemo2017-01-03T16:52:32Z<p>Martiniturbide: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:BelkinWemo.png|200px|left|thumb]]<br />
[[Category:Home Automation]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the Belkin Wemo.<br />
<br />
== Purchase ==<br />
Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.<br />
[http://www.amazon.com/gp/product/B00BB2MMNE/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00BB2MMNE&linkCode=as2&tag=exploiteers-20&linkId=AKX4PJGS77XSRG57 Purchase the Belkin Wemo at Amazon]<br />
<br />
== UART Pinout ==<br />
<gallery><br />
File:BelkinWemoUart.png<br />
</gallery><br />
<br />
== Exploitation ==<br />
The Wemo has been the subject of many exploits, and below is another one that was believed closed by the community:<br />
<br />
While booting the Wemo in Recovery mode, a root console is accessible for under 1 second via UART. Within this time a command can be run to terminate the reset process, leaving us with a root shell and full device access.<br />
<br />
Start by connecting a UART adapter, as outlined in the above section, with the console set to 57600 baud, 8N1. Hold the recovery button while powering on the Wemo, and keep it held for 10 seconds.<br />
<br />
When you see output about flash erasing, paste the command below and press Enter. Repeat until you get a root shell!<br />
<br />
<pre><br />
kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')<br />
</pre><br />
<br />
<br />
A second bug allows you to boot a new kernel or execute bootloader commands by holding down buttons 0-4 when powering on. This will let you boot a new kernel, or drop to a U-Boot shell and enter your own commands.<br />
<br />
==Root Demo==<br />
{{#ev:youtube|VQ-DMW-b9rM}}<br />
<br />
[[Category:Belkin]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Category:Google_TV&diff=2612Category:Google TV2017-01-03T16:46:28Z<p>Martiniturbide: Created page with "This category lists the Google TV's related articles."</p>
<hr />
<div>This category lists the Google TV's related articles.</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_Google_TV_Recovery_Menu&diff=2611LG Google TV Recovery Menu2017-01-03T16:46:01Z<p>Martiniturbide: </p>
<hr />
<div>According to a recently released video, there is a way to access the recovery menu on LG TVs that run Google TV (Android OS).<br />
<br />
==Tested Hardware==<br />
* [[LG 55" Class Cinema 3D LED Google TV - 55GA7900]]<br />
<br />
==Procedure==<br />
Shut down the TV and disconnect it from power.<br />
* Connect the TV to power but don't turn it on.<br />
* Press the "settings symbol" button first and while holding it press the "channel down" button. <br />
* Release the "settings symbol" button and then release the "channel down" button.<br />
<br />
The TV will turn on and show the Android Recovery Menu. Use the volume keys to navigate the options and press the "Wheel-button" to select an option.<br />
<br />
[[image:LG-SmartTV-Recovery.png|400px]]<br />
<br />
<br />
<br />
==Source==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer Finds Way To Liberate Ransomware-Ridden Smart TV, Thanks To LG]<br />
* [https://www.youtube.com/watch?v=0WZ4uLFTHEE YouTube Video]<br />
<br />
[[Category:Google TV]]<br />
[[Category:LG]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_Google_TV_Recovery_Menu&diff=2610LG Google TV Recovery Menu2017-01-03T16:45:30Z<p>Martiniturbide: </p>
<hr />
<div>According to a recently released video, there is a way to access the recovery menu on LG TVs that run Google TV (Android OS).<br />
<br />
==Tested Hardware==<br />
* [[LG 55" Class Cinema 3D LED Google TV - 55GA7900]]<br />
<br />
==Procedure==<br />
Shut down the TV and disconnect it from power.<br />
* Connect the TV to power but don't turn it on.<br />
* Press the "settings symbol" button first and while holding it press the "channel down" button. <br />
* Release the "settings symbol" button and then release the "channel down" button.<br />
<br />
The TV will turn on and show the Android Recovery Menu. Use the volume keys to navigate the options and press the "Wheel-button" to select an option.<br />
<br />
[[image:LG-SmartTV-Recovery.png|400px]]<br />
<br />
<br />
<br />
==Source==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer Finds Way To Liberate Ransomware-Ridden Smart TV, Thanks To LG]<br />
* [https://www.youtube.com/watch?v=0WZ4uLFTHEE YouTube Video]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_47G2/55G2_(Internet_TV)&diff=2609LG 47G2/55G2 (Internet TV)2017-01-03T16:44:44Z<p>Martiniturbide: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:LMG620.jpg|250px|left|thumb]]<br />
[[Category:LG]]<br />
This page will be dedicated to the hardware specifications, descriptions, and information related to the LG 47G2 and 55G2 (Previously LMG620 and LMG860) smart TVs.<br />
<br />
== Purchase ==<br />
Buying Google TV devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next Google TV.<br />
<br />
[http://www.amazon.com/gp/product/B0074WVYWA/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B0074WVYWA Purchase the LG 47G2 at Amazon]<br />
<br />
[http://www.amazon.com/gp/product/B0074WVYNO/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B0074WVYNO Purchase the LG 55G2 at Amazon]<br />
<br />
== Specs ==<br />
Coming Soon!<br />
<br />
==Recovery Menu==<br />
* [[LG Google TV Recovery Menu]]<br />
<br />
== Tear Down ==<br />
Coming Soon!<br />
<br />
== GPL Code ==<br />
You can find GPL code for the 47g2 and 55g2 at [http://www.lg.com/global/support/opensource/opensource.jsp LG] (Search for 47g2 or 55g2)<br />
<br />
== Related ==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer finds way to liberate ransomware'd Google Smart TVs]<br />
<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_Google_TV_Recovery_Menu&diff=2608LG Google TV Recovery Menu2017-01-03T16:43:58Z<p>Martiniturbide: /* Source */</p>
<hr />
<div>According to a recently released video, there is a way to access the recovery menu on LG TVs that run Google TV (Android OS).<br />
<br />
==Tested Hardware==<br />
* [[LG 55GA7900]]<br />
<br />
==Procedure==<br />
Shut down the TV and disconnect it from power.<br />
* Connect the TV to power but don't turn it on.<br />
* Press the "settings symbol" button first and while holding it press the "channel down" button. <br />
* Release the "settings symbol" button and then release the "channel down" button.<br />
<br />
The TV will turn on and show the Android Recovery Menu. Use the volume keys to navigate the options and press the "Wheel-button" to select an option.<br />
<br />
[[image:LG-SmartTV-Recovery.png|400px]]<br />
<br />
<br />
<br />
==Source==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer Finds Way To Liberate Ransomware-Ridden Smart TV, Thanks To LG]<br />
* [https://www.youtube.com/watch?v=0WZ4uLFTHEE YouTube Video]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=File:LG-SmartTV-Recovery.png&diff=2607File:LG-SmartTV-Recovery.png2017-01-03T16:43:40Z<p>Martiniturbide: </p>
<hr />
<div></div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_Google_TV_Recovery_Menu&diff=2606LG Google TV Recovery Menu2017-01-03T16:43:26Z<p>Martiniturbide: Created page with "According to a recently released video there is way to access the recovery menu on the LG TV' that has Google TV (Android OS) on it. ==Tested Hardware== * LG 55GA7900 ==..."</p>
<hr />
<div>According to a recently released video, there is a way to access the recovery menu on LG TVs that run Google TV (Android OS).<br />
<br />
==Tested Hardware==<br />
* [[LG 55GA7900]]<br />
<br />
==Procedure==<br />
Shut down the TV and disconnect it from power.<br />
* Connect the TV to power but don't turn it on.<br />
* Press the "settings symbol" button first and while holding it press the "channel down" button. <br />
* Release the "settings symbol" button and then release the "channel down" button.<br />
<br />
The TV will turn on and show the Android Recovery Menu. Use the volume keys to navigate the options and press the "Wheel-button" to select an option.<br />
<br />
[[image:LG-SmartTV-Recovery.png|400px]]<br />
<br />
<br />
<br />
==Source==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer Finds Way To Liberate Ransomware-Ridden Smart TV, Thanks To LG]<br />
* [https://www.youtube.com/watch?v=0WZ4uLFTHEE YouTube Video]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=LG_47G2/55G2_(Internet_TV)&diff=2605LG 47G2/55G2 (Internet TV)2017-01-03T16:26:14Z<p>Martiniturbide: /* Related */</p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:LMG620.jpg|250px|left|thumb]]<br />
[[Category:LG]]<br />
This page will be dedicated to the hardware specifications, descriptions, and information related to the LG 47G2 and 55G2 (Previously LMG620 and LMG860) smart TVs.<br />
<br />
== Purchase ==<br />
Buying Google TV devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next Google TV.<br />
<br />
[http://www.amazon.com/gp/product/B0074WVYWA/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B0074WVYWA Purchase the LG 47G2 at Amazon]<br />
<br />
[http://www.amazon.com/gp/product/B0074WVYNO/ref=as_li_ss_tl?ie=UTF8&tag=exploiteers-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B0074WVYNO Purchase the LG 55G2 at Amazon]<br />
<br />
== Specs ==<br />
Coming Soon!<br />
<br />
== Tear Down ==<br />
Coming Soon!<br />
<br />
== GPL Code ==<br />
You can find GPL code for the 47g2 and 55g2 at [http://www.lg.com/global/support/opensource/opensource.jsp LG] (Search for 47g2 or 55g2)<br />
<br />
== Related ==<br />
* [http://www.theregister.co.uk/2017/01/03/programmer_finds_way_to_liberate_ransomwared_google_smart_tvs/ Programmer finds way to liberate ransomware'd Google Smart TVs]<br />
<br />
<br />
[[Category:Google TV]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_NetCam_HD%2B&diff=2589Belkin NetCam HD+2016-07-31T17:36:19Z<p>Martiniturbide: /* Port Scanner */</p>
<hr />
<div>[[file:BelkinNetCamHDp.jpg|200px|thumb]]<br />
<br />
[[file:BelkinNetCamHDp-2.jpg|200px|right|thumb]]<br />
<br />
This is a cloud exclusive wifi webcam. For the moment it only works with Belkin cloud powered by seedonk.<br />
<br />
==Information==<br />
* '''Name:''' Belkin NetCam HD+<br />
* '''Model:''' F7D7606v1<br />
* '''Code:''' 8830-188851 Rev. B00<br />
* '''Latest Firmware version:''' WeMo_NetCam_WW_2.00.7217.PVT<br />
<br />
==Hardware Specs==<br />
<br />
==More Information==<br />
It has a switch with two positions: "Gear/Configuration Mode", used to configure the device, and "Webcam Mode", which turns on the webcam and connects it to the wifi network.<br />
<br />
It has three LEDs on the back: the gear icon, the wifi icon and the power icon. The power icon lights up when the device is plugged in, the gear icon lights up in "Gear/Configuration Mode", and the wifi icon lights up in "camera mode" when the device connects to a wifi network. The wifi icon blinks while the device is in "Gear/Configuration Mode".<br />
<br />
===Configuration - Belkin Way===<br />
To configure the device you need to put it in "Gear/Configuration Mode". It will start a new wifi network called "NetCamHDAC00".<br />
You need an Android or iOS device with the "Belkin WebCam" application installed. From that application, follow the instructions to connect the camera to the Belkin cloud.<br />
<br />
[[file:MobileConfig001.png|100px]]<br />
[[file:MobileConfig002.png|100px]]<br />
[[file:MobileConfig003.png|100px]]<br />
[[file:MobileConfig004.png|100px]]<br />
[[file:MobileConfig005.png|100px]]<br />
[[file:MobileConfig006.png|100px]]<br />
[[file:MobileConfig007.png|100px]]<br />
[[file:MobileConfig008.png|100px]]<br />
[[file:MobileConfig009.png|100px]]<br />
<br />
In "Gear/Configuration Mode" the device creates a wifi network and assigns itself the IP "10.68.68.22" with subnet mask "255.255.255.0". It assigns IPs from 10.68.68.100 upward to any device that connects to that SSID.<br />
<br />
You cannot configure this webcam from a browser. When you access the "10.68.68.22" IP, it asks for a user ID and password that are not known.<br />
<br />
[[file:BelkinAuthenticationRequired.png|300px]]<br />
<br />
==Using the Device==<br />
This device can be used from:<br />
* '''Belkin Cloud:''' Using a browser, through the Belkin service [https://netcam.belkin.com] powered by seedonk. It requires an iSecurity+ player plugin or Flash to be installed.<br />
* '''Belkin Cloud:''' Mobile: using the Belkin Webcam application powered by seedonk. [https://play.google.com/store/apps/details?id=com.belkin.android.androidbelkinnetcam Android], [https://itunes.apple.com/us/app/belkin-netcam/id568129866 iOS].<br />
<br />
==Testing the Device==<br />
<br />
===Port Scanner===<br />
With a working device switched to "Webcam Mode" and connected to the same network, a port scanner shows two open ports on the webcam:<br />
* Port 80 - Commonly used for Hypertext Transfer Protocol.<br />
* Port 421 - Commonly used for SSL protocol.<br />
<br />
With the device switched to "Gear/Configuration Mode" and your machine connected to the wifi network the camera generates, you can find the following open ports:<br />
* <br />
*<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/F7D7606-Belkin/p/P-F7D7606/ Official Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003IPxUAAW Official Support Site]<br />
* [http://community.ispyconnect.com/ispybb2/viewtopic.php?t=507 Discussion on connecting this camera to iSpy]<br />
<br />
[[Category:Cameras]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_NetCam_HD%2B&diff=2588Belkin NetCam HD+2016-07-31T17:35:55Z<p>Martiniturbide: /* Port Scanner */</p>
<hr />
<div>[[file:BelkinNetCamHDp.jpg|200px|thumb]]<br />
<br />
[[file:BelkinNetCamHDp-2.jpg|200px|right|thumb]]<br />
<br />
This is a cloud exclusive wifi webcam. For the moment it only works with Belkin cloud powered by seedonk.<br />
<br />
==Information==<br />
* '''Name:''' Belkin NetCam HD+<br />
* '''Model:''' F7D7606v1<br />
* '''Code:''' 8830-188851 Rev. B00<br />
* '''Latest Firmware version:''' WeMo_NetCam_WW_2.00.7217.PVT<br />
<br />
==Hardware Specs==<br />
<br />
==More Information==<br />
It has a switch with two positions: "Gear/Configuration Mode", used to configure the device, and "Webcam Mode", which turns on the webcam and connects it to the wifi network.<br />
<br />
It has three LEDs on the back: the gear icon, the wifi icon and the power icon. The power icon lights up when the device is plugged in, the gear icon lights up in "Gear/Configuration Mode", and the wifi icon lights up in "camera mode" when the device connects to a wifi network. The wifi icon blinks while the device is in "Gear/Configuration Mode".<br />
<br />
===Configuration - Belkin Way===<br />
To configure the device you need to put it in "Gear/Configuration Mode". It will start a new wifi network called "NetCamHDAC00".<br />
You need an Android or iOS device with the "Belkin WebCam" application installed. From that application, follow the instructions to connect the camera to the Belkin cloud.<br />
<br />
[[file:MobileConfig001.png|100px]]<br />
[[file:MobileConfig002.png|100px]]<br />
[[file:MobileConfig003.png|100px]]<br />
[[file:MobileConfig004.png|100px]]<br />
[[file:MobileConfig005.png|100px]]<br />
[[file:MobileConfig006.png|100px]]<br />
[[file:MobileConfig007.png|100px]]<br />
[[file:MobileConfig008.png|100px]]<br />
[[file:MobileConfig009.png|100px]]<br />
<br />
In "Gear/Configuration Mode" the device creates a wifi network and assigns itself the IP "10.68.68.22" with subnet mask "255.255.255.0". It assigns IPs from 10.68.68.100 upward to any device that connects to that SSID.<br />
<br />
You cannot configure this webcam from a browser. When you access the "10.68.68.22" IP, it asks for a user ID and password that are not known.<br />
<br />
[[file:BelkinAuthenticationRequired.png|300px]]<br />
<br />
==Using the Device==<br />
This device can be used from:<br />
* '''Belkin Cloud:''' Using a browser, through the Belkin service [https://netcam.belkin.com] powered by seedonk. It requires an iSecurity+ player plugin or Flash to be installed.<br />
* '''Belkin Cloud:''' Mobile: using the Belkin Webcam application powered by seedonk. [https://play.google.com/store/apps/details?id=com.belkin.android.androidbelkinnetcam Android], [https://itunes.apple.com/us/app/belkin-netcam/id568129866 iOS].<br />
<br />
==Testing the Device==<br />
<br />
===Port Scanner===<br />
With a working device switched to "Video Mode" and connected to the same network, a port scanner shows two open ports on the webcam:<br />
* Port 80 - Commonly used for Hypertext Transfer Protocol.<br />
* Port 421 - Commonly used for SSL protocol.<br />
<br />
With the device switched to "Gear Mode" and your machine connected to the wifi network the camera generates, you can find the following open ports:<br />
* <br />
*<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/F7D7606-Belkin/p/P-F7D7606/ Official Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003IPxUAAW Official Support Site]<br />
* [http://community.ispyconnect.com/ispybb2/viewtopic.php?t=507 Discussion on connecting this camera to iSpy]<br />
<br />
[[Category:Cameras]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_NetCam_HD%2B&diff=2587Belkin NetCam HD+2016-07-31T17:22:26Z<p>Martiniturbide: /* Using the Device */</p>
<hr />
<div>[[file:BelkinNetCamHDp.jpg|200px|thumb]]<br />
<br />
[[file:BelkinNetCamHDp-2.jpg|200px|right|thumb]]<br />
<br />
This is a cloud exclusive wifi webcam. For the moment it only works with Belkin cloud powered by seedonk.<br />
<br />
==Information==<br />
* '''Name:''' Belkin NetCam HD+<br />
* '''Model:''' F7D7606v1<br />
* '''Code:''' 8830-188851 Rev. B00<br />
* '''Latest Firmware version:''' WeMo_NetCam_WW_2.00.7217.PVT<br />
<br />
==Hardware Specs==<br />
<br />
==More Information==<br />
It has a switch with two positions: "Gear/Configuration Mode", used to configure the device, and "Webcam Mode", which turns on the webcam and connects it to the wifi network.<br />
<br />
It has three LEDs on the back: the gear icon, the wifi icon and the power icon. The power icon lights up when the device is plugged in, the gear icon lights up in "Gear/Configuration Mode", and the wifi icon lights up in "camera mode" when the device connects to a wifi network. The wifi icon blinks while the device is in "Gear/Configuration Mode".<br />
<br />
===Configuration - Belkin Way===<br />
To configure the device you need to put it in "Gear/Configuration Mode". It will start a new wifi network called "NetCamHDAC00".<br />
You need an Android or iOS device with the "Belkin WebCam" application installed. From that application, follow the instructions to connect the camera to the Belkin cloud.<br />
<br />
[[file:MobileConfig001.png|100px]]<br />
[[file:MobileConfig002.png|100px]]<br />
[[file:MobileConfig003.png|100px]]<br />
[[file:MobileConfig004.png|100px]]<br />
[[file:MobileConfig005.png|100px]]<br />
[[file:MobileConfig006.png|100px]]<br />
[[file:MobileConfig007.png|100px]]<br />
[[file:MobileConfig008.png|100px]]<br />
[[file:MobileConfig009.png|100px]]<br />
<br />
In "Gear/Configuration Mode" the device creates a wifi network and assigns itself the IP "10.68.68.22" with subnet mask "255.255.255.0". It assigns IPs from 10.68.68.100 upward to any device that connects to that SSID.<br />
<br />
You cannot configure this webcam from a browser. When you access the "10.68.68.22" IP, it asks for a user ID and password that are not known.<br />
<br />
[[file:BelkinAuthenticationRequired.png|300px]]<br />
<br />
==Using the Device==<br />
This device can be used from:<br />
* '''Belkin Cloud:''' Using a browser, through the Belkin service [https://netcam.belkin.com] powered by seedonk. It requires an iSecurity+ player plugin or Flash to be installed.<br />
* '''Belkin Cloud:''' Mobile: using the Belkin Webcam application powered by seedonk. [https://play.google.com/store/apps/details?id=com.belkin.android.androidbelkinnetcam Android], [https://itunes.apple.com/us/app/belkin-netcam/id568129866 iOS].<br />
<br />
==Testing the Device==<br />
<br />
===Port Scanner===<br />
With a working device connected to the same network, a port scanner shows two open ports on the webcam:<br />
* Port 80 - Commonly used for Hypertext Transfer Protocol.<br />
* Port 421 - Commonly used for SSL protocol.<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/F7D7606-Belkin/p/P-F7D7606/ Official Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003IPxUAAW Official Support Site]<br />
* [http://community.ispyconnect.com/ispybb2/viewtopic.php?t=507 Discussion on connecting this camera to iSpy]<br />
<br />
[[Category:Cameras]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Belkin_NetCam_HD%2B&diff=2586Belkin NetCam HD+2016-04-07T19:20:52Z<p>Martiniturbide: /* Links */</p>
<hr />
<div>[[file:BelkinNetCamHDp.jpg|200px|thumb]]<br />
<br />
[[file:BelkinNetCamHDp-2.jpg|200px|right|thumb]]<br />
<br />
This is a cloud exclusive wifi webcam. For the moment it only works with Belkin cloud powered by seedonk.<br />
<br />
==Information==<br />
* '''Name:''' Belkin NetCam HD+<br />
* '''Model:''' F7D7606v1<br />
* '''Code:''' 8830-188851 Rev. B00<br />
* '''Latest Firmware version:''' WeMo_NetCam_WW_2.00.7217.PVT<br />
<br />
==Hardware Specs==<br />
<br />
==More Information==<br />
It has a switch with two positions: the "Gear/Configuration mode" to configure the device, and the "Webcam Mode", which turns on the webcam and connects it to the wifi network. <br />
<br />
It has three LEDs on the back: the gear icon, the wifi icon and the power icon. The power icon lights up when the device is plugged in, the gear icon lights up in "Gear/Configuration Mode", and the wifi icon lights up in "camera mode" when the device connects to a wifi network. The wifi icon blinks while the device is in "Gear/Configuration Mode".<br />
<br />
===Configuration - Belkin Way===<br />
To configure the device, put it in "Gear/Configuration mode". It will start a new wifi network called "NetCamHDAC00".<br />
You need an Android or iOS device with the "Belkin WebCam" application installed. From that application, follow the instructions to connect the device to the Belkin cloud. <br />
<br />
[[file:MobileConfig001.png|100px]]<br />
[[file:MobileConfig002.png|100px]]<br />
[[file:MobileConfig003.png|100px]]<br />
[[file:MobileConfig004.png|100px]]<br />
[[file:MobileConfig005.png|100px]]<br />
[[file:MobileConfig006.png|100px]]<br />
[[file:MobileConfig007.png|100px]]<br />
[[file:MobileConfig008.png|100px]]<br />
[[file:MobileConfig009.png|100px]]<br />
<br />
In "Gear/Configuration Mode" the device creates a wifi network and assigns itself the IP "10.68.68.22" with subnet mask "255.255.255.0". It assigns IPs from 10.68.68.100 upward to any device that connects to that SSID. <br />
<br />
You cannot configure this webcam with the browser. When you access the "10.68.68.22" IP it asks for a userid and password, which are unknown. <br />
<br />
[[file:BelkinAuthenticationRequired.png|300px]]<br />
<br />
==Using the Device==<br />
This device can be used from:<br />
* '''Belkin Cloud:''' Using a browser, from the Belkin service [https://netcam.belkin.com] powered by seedonk. It requires an iSecurity+ player plugin or Flash installed. <br />
* '''Belkin Cloud:''' Mobile: using the Belkin Webcam application powered by seedonk. [https://play.google.com/store/apps/details?id=com.belkin.android.androidbelkinnetcam Android], [https://itunes.apple.com/us/app/belkin-netcam/id568129866 iOS].<br />
<br />
==Pictures==<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
* [http://www.belkin.com/us/F7D7606-Belkin/p/P-F7D7606/ Official Site]<br />
* [http://www.belkin.com/us/support-product?pid=01t80000003IPxUAAW Official Support Site]<br />
* [http://community.ispyconnect.com/ispybb2/viewtopic.php?t=507 Discussion on connecting this camera to iSpy]<br />
<br />
[[Category:Cameras]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_Nexus_Player&diff=2516Google Nexus Player2015-09-19T15:24:00Z<p>Martiniturbide: /* Unofficial */</p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
This page will be dedicated to a general overview of descriptions and information related to the Google Nexus Player.<br />
[[File:Google-Nexus-Player-Stock.jpg|200px|left|thumb]]<br />
[[Category:AndroidTV]]<br />
<br />
== Purchase ==<br />
You can purchase the Google Nexus Player in the [https://play.google.com/store/devices/details?id=nexus_player Google Play Store].<br />
<br />
== Tear Down ==<br />
The Google Nexus Player is pretty easy to get apart once all the clips holding the case together are undone. In this tear down we used a guitar pick to separate the 2 pieces of the case but any similar small and durable piece of plastic would have worked.<br />
<br />
<gallery><br />
NP-Top-Case.jpg<br />
NP-Bottom-Case.jpg<br />
NP-Bottom-Case-Angle.jpg<br />
NP-Case-Open.jpg<br />
NP-Case-Opened-Top.jpg<br />
NP-Case-Open-Board.jpg<br />
NP-Case-Opened-Seal-Screw.jpg<br />
NP-Case-Open-Unscrewed.jpg<br />
NP-Case-Open-Heatsink-Removed.jpg<br />
NP-Case-Open-Heatsink-Removed-Thermal.jpg<br />
NP-Case-Open-Heatsink-Removed-Bottom.jpg<br />
NP-Case-Open-Heatsink-Removed-Bottom-Zoom.jpg<br />
NP-Board-Removed-Top.jpg<br />
NP-Board-Removed-Bottom.jpg<br />
NP-Board-Removed-Bottom-Shield-Removed.jpg<br />
</gallery><br />
<br />
==Links==<br />
===Official===<br />
[https://play.google.com/store/devices/details?id=nexus_player Google Play Page]<br />
<br />
===Unofficial===<br />
* [https://plus.google.com/communities/109694875004529508368 Android TV Google+ Community]<br />
* [https://www.exploitee.rs/index.php/Google_Nexus_Player exploitee.rs Asus Nexus Player Page]<br />
* [http://forum.xda-developers.com/nexus-player Nexus Player xda-developers Forums]<br />
* [http://forum.xda-developers.com/wiki/ASUS_Nexus_Player Nexus Player xda-developers Wiki]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_OnHub_(TP-Link)&diff=2515Google OnHub (TP-Link)2015-09-19T15:17:40Z<p>Martiniturbide: /* Official Links */</p>
<hr />
<div>[[File:OnHub_blue.png|200px|thumb]]<br />
<br />
==Information==<br />
* '''Name:''' Google OnHub<br />
* '''Manufacturer:''' TP-Link<br />
* '''Firmware Version:''' 7077.122.4<br />
<br />
The router appears to run Gentoo Linux.<br />
<br />
==Hardware Specs==<br />
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz<br />
* System Memory – 1GB DDR3L<br />
* Storage – 4GB eMMC, 8MB NOR flash<br />
* Connectivity<br />
** 802.11 b/g/n 3×3 with smart antenna<br />
** 802.11 a/n/ac 3×3 with smart antenna<br />
** AUX wireless (802.11 a/b/g/n/ac 1×1)<br />
** 10/100/1000 Mbps WAN and LAN port (QCA9337 Gigabit switch)<br />
** Compatible with Zigbee/Thread, Bluetooth 4.0<br />
** Wireless Security – WPA2-PSK<br />
** 13 antennas in total<br />
** Supports up to 128 devices over WiFi<br />
* USB – 1x USB 3.0<br />
* Audio – 3W Speaker<br />
* Security – Infineon SLB 9615 Trusted Platform Module<br />
* Misc – 6x tri-color array LEDs, ambient light sensor<br />
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC<br />
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)<br />
* Weight – 860 grams<br />
<br />
===Board Chipset===<br />
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz<br />
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM<br />
* Qualcomm Atheros QCA8337<br />
* Qualcomm Atheros QCA9882<br />
* Qualcomm Atheros QCA9880<br />
* Silicon Labs EM3581 SOC network co-processor for ZigBee<br />
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module<br />
* Skyworks SKY2623L 2.4 GHz WLAN power amplifier<br />
* Skyworks SKY85405 802.11ac 5 GHz WLAN power amplifier<br />
* Atheros 3012-BL3D Bluetooth radio<br />
* Bluetooth antenna<br />
* Micron MTFC4GACAAAM 4 GB NAND flash<br />
* Micron 25Q064A 64 Mb SPI flash<br />
* Infineon SLB9615 Trusted Platform Module<br />
<br />
==Configuration==<br />
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.<br />
<br />
==Pictures==<br />
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]<br />
<br />
===Disassembly===<br />
<br />
[[File:Onhub-inside-01.jpg|200px]]<br />
<br />
[[File:GoogleOnHub-Board.jpg|200px]]<br />
<br />
==Links==<br />
<br />
===Official Links===<br />
* [https://on.google.com/hub/ Official WebPage]<br />
<br />
===Community Links===<br />
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum] <br />
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community] <br />
<br />
===Articles===<br />
* [https://www.ifixit.com/Teardown/OnHub+Teardown/48129 iFixit OnHub Teardown]<br />
<br />
[[Category:Wifi Router]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_OnHub_(TP-Link)&diff=2514Google OnHub (TP-Link)2015-09-19T15:15:39Z<p>Martiniturbide: </p>
<hr />
<div>[[File:OnHub_blue.png|200px|thumb]]<br />
<br />
==Information==<br />
* '''Name:''' Google OnHub<br />
* '''Manufacturer:''' TP-Link<br />
* '''Firmware Version:''' 7077.122.4<br />
<br />
The router appears to run Gentoo Linux.<br />
<br />
==Hardware Specs==<br />
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz<br />
* System Memory – 1GB DDR3L<br />
* Storage – 4GB eMMC, 8MB NOR flash<br />
* Connectivity<br />
** 802.11 b/g/n 3×3 with smart antenna<br />
** 802.11 a/n/ac 3×3 with smart antenna<br />
** AUX wireless (802.11 a/b/g/n/ac 1×1)<br />
** 10/100/1000 Mbps WAN and LAN port (QCA9337 Gigabit switch)<br />
** Compatible with Zigbee/Thread, Bluetooth 4.0<br />
** Wireless Security – WPA2-PSK<br />
** 13 antennas in total<br />
** Supports up to 128 devices over WiFi<br />
* USB – 1x USB 3.0<br />
* Audio – 3W Speaker<br />
* Security – Infineon SLB 9615 Trusted Platform Module<br />
* Misc – 6x tri-color array LEDs, ambient light sensor<br />
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC<br />
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)<br />
* Weight – 860 grams<br />
<br />
===Board Chipset===<br />
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz<br />
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM<br />
* Qualcomm Atheros QCA8337<br />
* Qualcomm Atheros QCA9882<br />
* Qualcomm Atheros QCA9880<br />
* Silicon Labs EM3581 SOC network co-processor for ZigBee<br />
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module<br />
* Skyworks SKY2623L 2.4 GHz WLAN power amplifier<br />
* Skyworks SKY85405 802.11ac 5 GHz WLAN power amplifier<br />
* Atheros 3012-BL3D Bluetooth radio<br />
* Bluetooth antenna<br />
* Micron MTFC4GACAAAM 4 GB NAND flash<br />
* Micron 25Q064A 64 Mb SPI flash<br />
* Infineon SLB9615 Trusted Platform Module<br />
<br />
==Configuration==<br />
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.<br />
<br />
==Pictures==<br />
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]<br />
<br />
===Disassembly===<br />
<br />
[[File:Onhub-inside-01.jpg|200px]]<br />
<br />
[[File:GoogleOnHub-Board.jpg|200px]]<br />
<br />
==Links==<br />
<br />
===Official Links===<br />
<br />
<br />
===Community Links===<br />
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum] <br />
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community] <br />
<br />
===Articles===<br />
* [https://www.ifixit.com/Teardown/OnHub+Teardown/48129 iFixit OnHub Teardown]<br />
<br />
[[Category:Wifi Router]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_OnHub_(TP-Link)&diff=2513Google OnHub (TP-Link)2015-09-19T15:10:15Z<p>Martiniturbide: /* Board Chipset */</p>
<hr />
<div>[[File:OnHub_blue.png|200px|thumb]]<br />
<br />
==Information==<br />
* '''Name:''' Google OnHub<br />
* '''Manufacturer:''' TP-Link<br />
* '''Firmware Version:''' 7077.122.4<br />
<br />
The router appears to run Gentoo Linux.<br />
<br />
==Hardware Specs==<br />
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz<br />
* System Memory – 1GB DDR3L<br />
* Storage – 4GB eMMC, 8MB NOR flash<br />
* Connectivity<br />
** 802.11 b/g/n 3×3 with smart antenna<br />
** 802.11 a/n/ac 3×3 with smart antenna<br />
** AUX wireless (802.11 a/b/g/n/ac 1×1)<br />
** 10/100/1000 Mbps WAN and LAN port (QCA9337 Gigabit switch)<br />
** Compatible with Zigbee/Thread, Bluetooth 4.0<br />
** Wireless Security – WPA2-PSK<br />
** 13 antennas in total<br />
** Supports up to 128 devices over WiFi<br />
* USB – 1x USB 3.0<br />
* Audio – 3W Speaker<br />
* Security – Infineon SLB 9615 Trusted Platform Module<br />
* Misc – 6x tri-color array LEDs, ambient light sensor<br />
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC<br />
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)<br />
* Weight – 860 grams<br />
<br />
===Board Chipset===<br />
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz<br />
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM<br />
* Qualcomm Atheros QCA8337<br />
* Qualcomm Atheros QCA9882<br />
* Qualcomm Atheros QCA9880<br />
* Silicon Labs EM3581 SOC network co-processor for ZigBee<br />
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module<br />
* Skyworks SKY2623L 2.4 GHz WLAN power amplifier<br />
* Skyworks SKY85405 802.11ac 5 GHz WLAN power amplifier<br />
* Atheros 3012-BL3D Bluetooth radio<br />
* Bluetooth antenna<br />
* Micron MTFC4GACAAAM 4 GB NAND flash<br />
* Micron 25Q064A 64 Mb SPI flash<br />
* Infineon SLB9615 Trusted Platform Module<br />
<br />
==Configuration==<br />
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.<br />
<br />
==Pictures==<br />
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]<br />
<br />
===Disassembly===<br />
<br />
[[File:Onhub-inside-01.jpg|200px]]<br />
<br />
[[File:GoogleOnHub-Board.jpg|200px]]<br />
<br />
==Links==<br />
<br />
==Official Links==<br />
<br />
<br />
==Community Links==<br />
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum] <br />
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community] <br />
<br />
[[Category:Wifi Router]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_OnHub_(TP-Link)&diff=2512Google OnHub (TP-Link)2015-09-19T15:08:13Z<p>Martiniturbide: /* Hardware Specs */</p>
<hr />
<div>[[File:OnHub_blue.png|200px|thumb]]<br />
<br />
==Information==<br />
* '''Name:''' Google OnHub<br />
* '''Manufacturer:''' TP-Link<br />
* '''Firmware Version:''' 7077.122.4<br />
<br />
The router appears to run Gentoo Linux.<br />
<br />
==Hardware Specs==<br />
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz<br />
* System Memory – 1GB DDR3L<br />
* Storage – 4GB eMMC, 8MB NOR flash<br />
* Connectivity<br />
** 802.11 b/g/n 3×3 with smart antenna<br />
** 802.11 a/n/ac 3×3 with smart antenna<br />
** AUX wireless (802.11 a/b/g/n/ac 1×1)<br />
** 10/100/1000 Mbps WAN and LAN port (QCA9337 Gigabit switch)<br />
** Compatible with Zigbee/Thread, Bluetooth 4.0<br />
** Wireless Security – WPA2-PSK<br />
** 13 antennas in total<br />
** Supports up to 128 devices over WiFi<br />
* USB – 1x USB 3.0<br />
* Audio – 3W Speaker<br />
* Security – Infineon SLB 9615 Trusted Platform Module<br />
* Misc – 6x tri-color array LEDs, ambient light sensor<br />
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC<br />
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)<br />
* Weight – 860 grams<br />
<br />
===Board Chipset===<br />
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz<br />
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM<br />
* Qualcomm Atheros QCA8337<br />
* Qualcomm Atheros QCA9882<br />
* Qualcomm Atheros QCA9880<br />
* Silicon Labs EM3581 SOC network co-processor for ZigBee<br />
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module<br />
<br />
==Configuration==<br />
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.<br />
<br />
==Pictures==<br />
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]<br />
<br />
===Disassembly===<br />
<br />
[[File:Onhub-inside-01.jpg|200px]]<br />
<br />
[[File:GoogleOnHub-Board.jpg|200px]]<br />
<br />
==Links==<br />
<br />
==Official Links==<br />
<br />
<br />
==Community Links==<br />
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum] <br />
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community] <br />
<br />
[[Category:Wifi Router]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=File:GoogleOnHub-Board.jpg&diff=2511File:GoogleOnHub-Board.jpg2015-09-19T15:07:19Z<p>Martiniturbide: </p>
<hr />
<div></div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Google_OnHub_(TP-Link)&diff=2510Google OnHub (TP-Link)2015-09-19T15:05:54Z<p>Martiniturbide: /* Disassembly */</p>
<hr />
<div>[[File:OnHub_blue.png|200px|thumb]]<br />
<br />
==Information==<br />
* '''Name:''' Google OnHub<br />
* '''Manufacturer:''' TP-Link<br />
* '''Firmware Version:''' 7077.122.4<br />
<br />
The router appears to run Gentoo Linux.<br />
<br />
==Hardware Specs==<br />
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz<br />
* System Memory – 1GB DDR3L<br />
* Storage – 4GB eMMC, 8MB NOR flash<br />
* Connectivity<br />
** 802.11 b/g/n 3×3 with smart antenna<br />
** 802.11 a/n/ac 3×3 with smart antenna<br />
** AUX wireless (802.11 a/b/g/n/ac 1×1)<br />
** 10/100/1000 Mbps WAN and LAN port (QCA9337 Gigabit switch)<br />
** Compatible with Zigbee/Thread, Bluetooth 4.0<br />
** Wireless Security – WPA2-PSK<br />
** 13 antennas in total<br />
** Supports up to 128 devices over WiFi<br />
* USB – 1x USB 3.0<br />
* Audio – 3W Speaker<br />
* Security – Infineon SLB 9615 Trusted Platform Module<br />
* Misc – 6x tri-color array LEDs, ambient light sensor<br />
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC<br />
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)<br />
* Weight – 860 grams<br />
<br />
==Configuration==<br />
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.<br />
<br />
==Pictures==<br />
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]<br />
<br />
===Disassembly===<br />
<br />
[[File:Onhub-inside-01.jpg|200px]]<br />
<br />
[[File:GoogleOnHub-Board.jpg|200px]]<br />
<br />
==Links==<br />
<br />
==Official Links==<br />
<br />
<br />
==Community Links==<br />
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum] <br />
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community] <br />
<br />
[[Category:Wifi Router]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Pure_Jongo_A2&diff=2509Pure Jongo A22015-09-17T17:36:08Z<p>Martiniturbide: /* Information */</p>
<hr />
<div>[[File:Pure-Jongo-A2-Top.jpg|200px]]<br />
<br />
==Information==<br />
* '''Model:''' Jongo A140B<br />
<br />
==Hardware Specs==<br />
* Wireless: 802.11b and 802.11g supported with WEP and WPA/WPA2. A2DP Bluetooth support<br />
* Codec support: Includes WMA (Standard V9), AAC, MP3, MP2<br />
* Input connectors: 5.5VDC power adapter socket (110-230V supplied), USB A for product upgrades and Ethernet connectivity (optional adapter available)<br />
* Controls: Power, Wi-Fi setup<br />
* Mains Power Supply: 110-230V AC to 5.5V DC external power adapter (supplied)<br />
* Dimensions: w 108mm x d 106mm x h 55.5mm<br />
* Weight: 1.4kg<br />
<br />
==Configuration==<br />
<br />
==Setup==<br />
<br />
* The Wifi button on the bottom makes the device start its own SSID so you can connect to it and configure it with your browser. <br />
* Through the browser you can only set up the Wifi network the device connects to and change the name of the device. <br />
<br />
[[File:1 - Set up your Jongo A2.png|200px]]<br />
<br />
[[File:2 - Set up your Jongo A2.png|200px]]<br />
<br />
<br />
==Using Pure Connect==<br />
The Pure Connect application for Android and iOS can be used to listen to radio and play files. <br />
<br />
===Use Pure Jongo A2 as a Bluetooth Speaker for Windows===<br />
Windows can recognize the Pure Jongo A2 as a Bluetooth speaker, so if your PC is close to the Jongo device it can be used that way. <br />
<br />
[[File:JongoA2-Sonido.png|200px]]<br />
<br />
<br />
<br />
==Pictures==<br />
[[File:Pure-Jongo-A2-rear.jpg|200px]]<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
<br />
===Official Links===<br />
* [http://www.pure.com/us/wireless-speakers/jongo-a2/black Official WebSite]<br />
* [http://support-uk.pure.com/kb/24-wireless-music-systems Official Support Site]<br />
<br />
==Community Links==<br />
<br />
[[Category:Audio]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Pure_Jongo_A2&diff=2508Pure Jongo A22015-09-17T17:35:49Z<p>Martiniturbide: /* Information */</p>
<hr />
<div>[[File:Pure-Jongo-A2-Top.jpg|200px]]<br />
<br />
==Information==<br />
* '''Model:''' Jongo A140<br />
<br />
==Hardware Specs==<br />
* Wireless: 802.11b and 802.11g supported with WEP and WPA/WPA2. A2DP Bluetooth support<br />
* Codec support: Includes WMA (Standard V9), AAC, MP3, MP2<br />
* Input connectors: 5.5VDC power adapter socket (110-230V supplied), USB A for product upgrades and Ethernet connectivity (optional adapter available)<br />
* Controls: Power, Wi-Fi setup<br />
* Mains Power Supply: 110-230V AC to 5.5V DC external power adapter (supplied)<br />
* Dimensions: w 108mm x d 106mm x h 55.5mm<br />
* Weight: 1.4kg<br />
<br />
==Configuration==<br />
<br />
==Setup==<br />
<br />
* The Wifi button on the bottom makes the device start its own SSID so you can connect to it and configure it with your browser. <br />
* Through the browser you can only set up the Wifi network the device connects to and change the name of the device. <br />
<br />
[[File:1 - Set up your Jongo A2.png|200px]]<br />
<br />
[[File:2 - Set up your Jongo A2.png|200px]]<br />
<br />
<br />
==Using Pure Connect==<br />
The Pure Connect application for Android and iOS can be used to listen to radio and play files. <br />
<br />
===Use Pure Jongo A2 as a Bluetooth Speaker for Windows===<br />
Windows can recognize the Pure Jongo A2 as a Bluetooth speaker, so if your PC is close to the Jongo device it can be used that way. <br />
<br />
[[File:JongoA2-Sonido.png|200px]]<br />
<br />
<br />
<br />
==Pictures==<br />
[[File:Pure-Jongo-A2-rear.jpg|200px]]<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
<br />
===Official Links===<br />
* [http://www.pure.com/us/wireless-speakers/jongo-a2/black Official WebSite]<br />
* [http://support-uk.pure.com/kb/24-wireless-music-systems Official Support Site]<br />
<br />
==Community Links==<br />
<br />
[[Category:Audio]]</div>Martiniturbidehttps://www.Exploitee.rs/index.php?title=Pure_Jongo_A2&diff=2507Pure Jongo A22015-09-17T17:33:36Z<p>Martiniturbide: /* Official Links */</p>
<hr />
<div>[[File:Pure-Jongo-A2-Top.jpg|200px]]<br />
<br />
==Information==<br />
* '''Model:''' Jongo A240<br />
<br />
==Hardware Specs==<br />
* Wireless: 802.11b and 802.11g supported with WEP and WPA/WPA2. A2DP Bluetooth support<br />
* Codec support: Includes WMA (Standard V9), AAC, MP3, MP2<br />
* Input connectors: 5.5VDC power adapter socket (110-230V supplied), USB A for product upgrades and Ethernet connectivity (optional adapter available)<br />
* Controls: Power, Wi-Fi setup<br />
* Mains Power Supply: 110-230V AC to 5.5V DC external power adapter (supplied)<br />
* Dimensions: w 108mm x d 106mm x h 55.5mm<br />
* Weight: 1.4kg<br />
<br />
==Configuration==<br />
<br />
==Setup==<br />
<br />
* The Wifi button on the bottom makes the device start its own SSID so you can connect to it and configure it with your browser. <br />
* Through the browser you can only set up the Wifi network the device connects to and change the name of the device. <br />
<br />
[[File:1 - Set up your Jongo A2.png|200px]]<br />
<br />
[[File:2 - Set up your Jongo A2.png|200px]]<br />
<br />
<br />
==Using Pure Connect==<br />
The Pure Connect application for Android and iOS can be used to listen to radio and play files. <br />
<br />
===Use Pure Jongo A2 as a Bluetooth Speaker for Windows===<br />
Windows can recognize the Pure Jongo A2 as a Bluetooth speaker, so if your PC is close to the Jongo device it can be used that way. <br />
<br />
[[File:JongoA2-Sonido.png|200px]]<br />
<br />
<br />
<br />
==Pictures==<br />
[[File:Pure-Jongo-A2-rear.jpg|200px]]<br />
<br />
===Disassembly===<br />
<br />
==Links==<br />
<br />
===Official Links===<br />
* [http://www.pure.com/us/wireless-speakers/jongo-a2/black Official WebSite]<br />
* [http://support-uk.pure.com/kb/24-wireless-music-systems Official Support Site]<br />
<br />
==Community Links==<br />
<br />
[[Category:Audio]]</div>Martiniturbide