FireFU Exploit

From Exploitee.rs


FireFULogo.png

FireFU

FireFU is an exploit chain leveraging a read write primitive from the FireTV Cube and Pendant’s Amlogic S905Z microcontroller along with a heap overflow within the parsing of the devices RSV partition table allowing for the running of unsigned code.

Attack Summary

This is all done through the exploit's install script but is documented here for the curious.

  1. We enter DFU mode by connecting to the devices HDMI port and passing “[email protected]” to the Amlogic S905Z through the HDMI’s i2c interface.
    1. In DFU mode, we are able to read and write memory. we leverage the read/write primitive to write to hardware registers for the MMC controller.
  2. After entering DFU, we write to the emmc controller to modify the devices flash.
    1. We copy the original RSV table to a new locations 3 blocks away.
    2. We modify the partition table layout to exploit a heap overflow within u-boot
      1. Heap overflow can be found in “bootloader/uboot-amlogic/p212/drivers/mmc/aml_emmc_partition.c” - get_ptbl_rsv()
        1. U-Boot doesn't check for buffer size correctly when reading the partition table from RSV in eMMC
        2. Exploit modifies the following in RAM
          1. amzn_target_is_unlocked() to alway return 1
          2. patch amzn_dm_verity_is_off to return true
          3. patch amzn_target_device_type to alway return engineering device
          4. fixup bootm address for fastboot
    3. Because we exploit u-boot early on in the boot chain and we do it every boot, we are able to modify u-boot in ram breaking the secure boot “chain of trust” and allowing for unsigned code to be ran.
  3. The HDMI i2c connection is then disconnected and the device is rebooted into fastboot
    1. From fastboot we flash the following
      1. a new boot.img with magisk installed for superuser access
      2. a new recovery to fix issues with the Fire Tv recovery accessing the old RSV location.
  4. We then reboot to complete the root process.

Flow Chart

FireFuFlow.png

Exploit

DFU + U-Boot Exploit for AFTV Stark + Needle

  • Tested on FW 6.2.5.5 for Needle
  • Tested on FW 6.2.5.5 for Stark

Disclaimer

Exploitee.rs would like to remind users that any flashing of unofficial firmware or usage of provided tools is done at your own risk and will likely void your device’s warranty.

Preamble

While this process can be done in a virtual machine, a lot of data is backed up and flashed during this process and a VM environment will drastically slow down communication in DFU mode.

Tools Needed

  1. AFTV Cube (stark) or Pendant (needle)
  2. HDMI breakout or an HDMI cable that can be cut
  3. Arduino, Teensy or any Arduino compatible dev board that provides an I2C bus.
  4. Linux box

Preparing HDMI dongle

This process has only been tested with the Arduino Due and Teensy 3. Other boards are untested!

  1. Please check Wikipedia for the standard HDMI pinout: https://en.wikipedia.org/wiki/HDMI
  2. connect following pin to your Arduino
    HDMIArduino
    PIN 15 (SCL)I2C SCL
    PIN 16 (SDA)I2C SDA
    PIN 17 (GND)I2C GND
  3. Hook up the Arduino to your PC and flash the hdmi_arduino.ino sketch in the hdmi_dongle/hdmi_arduino folder.

ArduinoHDMII2C.jpg

Rooting Proccess

  1. setup udev rules (or equivalent) to allow usb access for
    • idVendor=1b8e, idProduct=c003 (aml DFU)
      • ID 1b8e:c003 Amlogic, Inc.
    • idVendor=18d1, idProduct=0d02 (fastboot)
      • ID 18d1:0d02 Google Inc. Celkon A88
  2. DFU tool depends on libusb so make sure libusb is install
  3. Connect the HDMI dongle to your AFTV & power to your Arduino (or equivalent)
  4. Connect micro-usb cable to your AFTV
  5. Power up the FireTV device
  6. Check lsusb on your linux box to see if the device has entered DFU mode
    • look for something similar to this: ID 1b8e:c003 Amlogic, Inc.
    • if the device does not show up then try to reset the FireTV and try again
  7. Run install_exploit.sh on your linux box
    • This process can take about 30min-60min
    • Remember to keep your backup safe!
  8. Side load Magisk Manager apk on your AFTV
  9. Done :)

Miscellaneous Information

Disabling OTA

Any update can remove the code signing update or possibly brick the device. We recommend disabling OTA updates with the following.

  • Run following commands as root
    • pm disable com.amazon.tv.forcedotaupdater
    • pm disable com.amazon.device.software.ota
    • pm disable com.amazon.device.software.ota.override

You can also block update DNS domain at your router or install a custom recovery to be safe.

OTA Updates & Installing New Images

After each amazon supplied new image or OTA update, you must patch the boot and recovery images again (because of FireFu's RSV relocation).

Steps to patch boot+recovery image if you accidently flash unpatch image / take OTA image:

  1. Enter DFU mode with the HDMI dongle
  2. Dump the boot image:
    • ./aml_usb_mmc -r -s 0x16800 -c 0x8000 -f backup_boot.img
  3. Dump the recovery image:
    • ./aml_usb_mmc -r -s 0x1F000 -c 0x8000 -f backup_recovery.img
  4. Patch the boot image:
    • cd magisk_patcher
    • ./boot_patch.sh backup_boot.img
  5. Patch the recovery image:
    • cd magisk_patcher
    • AFTV_ONLY_RSV_TABLE=1 ./boot_patch.sh backup_recovery.img
  6. Enter Fastboot:
    • Enter DFU mode with the HDMI dongle
    • check to see if device enumerated with lsusb. if not, reboot and retry
    • run ./aml_reboot fastboot
    • The device should now be in fastboot mode
  7. Flash the boot image:
    • fastboot flash boot IMAGE.img
  8. Flash the recovery image:
    • fastboot flash recovery IMAGE.img

Video Demo

Downloads

Below is the download information for the exploit.

Exploit package

This download is intended for users who are only seeking the binaries to perform the exploit.

Source Code

This is for the users who are needing to recompile the exploit or are just curious about the process.