Rooting The Google OnHub

From Exploitee.rs

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


OnHub Root Instructions

The following process will allow a user to connect to a root shell on the Google OnHub.

Rooting the Google OnHub

Rooting the Google OnHub is a multi-step process that involves the following steps:

  1. Creating a bootable OnHub USB
  2. Enabling "Developer Mode" on the OnHub
  3. Inserting the USB drive to boot into an intermediary shell-enabled kernel
    • You can stop following the guide at this point if you only want to experiment with the OnHub without changing its normal boot method
  4. Resigning the kernel and disabling rootfs verification
  5. Running commands to modify the normal boot environment
  6. Rebooting and Exiting Developer Mode
  7. Enjoy!

Requirements:

  • Google OnHub
  • 4GB+ USB flash drive

Root Steps

Creating a bootable OnHub USB

  1. Download the Google OnHub USB image
  2. Unzip the downloaded file so that you are left with a .img file
  3. Write the image to your 4GB+ USB drive using your favorite tool (dd on Linux/macOS, or Win32DiskImager on Windows). Write to the whole USB device (e.g. /dev/sdX), not to a partition on it.
    • dd example: dd if=<PATH-TO-USB-IMG> of=<PATH-TO-USB-DEVICE> bs=64K

Enabling "Developer Mode" on the OnHub

  1. Make sure your Google OnHub is unplugged
  2. Remove the hidden screw under your OnHub to access the hidden "Developer Mode" switch
    • (Image: the hidden "Developer Mode" switch on the underside of the Google OnHub)
  3. Plug a USB keyboard into the router's USB
  4. Hold down the reset switch on the router (near the power jack plug, be careful as it's extremely delicate.)
  5. Plug the power cable back in
  6. The LED ring on the device should turn white, then blink orange, then red
  7. After the LED starts blinking red, press CTRL + D on your keyboard; the LED should now start blinking purple.
  8. Now press the hidden "developer mode" switch under the OnHub
  9. The OnHub should then reboot and the LED should start blinking purple again
    • This indicates that we have successfully entered the Google OnHub's "Developer Mode".

Inserting the USB drive to boot into an intermediary shell-enabled kernel

  1. Insert the USB drive (created in the previous step) into your OnHub
  2. Press the hidden switch under the router to boot to USB
  3. Now you should see your USB flash drive's activity light start blinking
  4. Plug in your Ethernet cable or connect to the OnHub over WiFi using the password under the base of the hub
  5. Telnet or SSH to your router
    • IP: 192.168.86.1 by default
    • User: root
    • Password: onhub
  6. You should now be connected to a root account on the Google OnHub

Modifying the OnHub Boot Environment

Flashing developer firmware + Resigning kernel + adding telnetd and busybox

  1. To reprogram the firmware image with the developer keys, run the following command:
    • /usr/share/vboot/bin/make_dev_firmware.sh

Output:

Disabling system software write protection status...
Reading system live firmware...

Using keyblocks (normal, normal)...
Preparing new firmware image...

      Backup of current firmware image is stored in:
        /mnt/stateful_partition/backups/firmware_WHIRLWIND_D3A-Q2Q-Q8B_20150623_223857.fd
      Please copy the backup file to a safe place ASAP.

      To stop using devkeys and restore original firmware, execute command:
        flashrom -w [PATH_TO_BACKUP_IMAGE]
      Ex: flashrom -w /mnt/stateful_partition/backups/firmware_WHIRLWIND_D3A-Q2Q-Q8B_20150623_223857.fd
      
Writing system live firmware...

Successfully changed firmware to Developer Keys. New HWID: WHIRLWIND D3A-Q2Q-Q8B DEV

The firmware backup is stored under /mnt/stateful_partition/backups on your USB drive. Copy it somewhere safe as soon as possible, so you can restore the original firmware with the flashrom command shown in the output above.

Resigning the kernel and disabling rootfs verification

  1. To disable rootfs verification and resign the kernel, run the following command:
    • /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --image /dev/mmcblk0

Output:

Kernel A: Disabled rootfs verification.
Backup of Kernel A is stored in: /mnt/stateful_partition/backups/kernel_A_20150623_223724.bin
Kernel A: Re-signed with developer keys successfully.
Kernel B: Disabled rootfs verification.
Backup of Kernel B is stored in: /mnt/stateful_partition/backups/kernel_B_20150623_223733.bin
Kernel B: Re-signed with developer keys successfully.
Successfully re-signed 2 of 2 kernel(s)  on device /dev/mmcblk0.

Running commands to modify the normal boot environment

  1. Enter the following commands into the SSH/telnet root shell to add busybox and a telnetd shell to the normal boot environment:
    • mkdir /tmp/roota
    • mount /dev/mmcblk0p3 /tmp/roota/
    • mkdir /tmp/rootb
    • mount /dev/mmcblk0p5 /tmp/rootb/
    • cp /bin/busybox /tmp/roota/bin/busybox
    • cp /bin/busybox /tmp/rootb/bin/busybox
    • cp /etc/init/telnetd.conf /tmp/roota/etc/init/telnetd.conf
    • cp /etc/init/telnetd.conf /tmp/rootb/etc/init/telnetd.conf
    • chmod 755 /tmp/roota/bin/busybox
    • chmod 755 /tmp/rootb/bin/busybox
    • cp /etc/shadow /tmp/roota/etc/shadow
    • cp /etc/shadow /tmp/rootb/etc/shadow
    • sync
    • umount /dev/mmcblk0p3
    • umount /dev/mmcblk0p5
  2. The kernels are now signed with the developer keys, and busybox and telnetd have been added to both root filesystems.
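The same edits the guide makes by hand to both root partitions, wrapped in functions that check each step, added here as an example and not the Exploitee.rs page's own script. The point of the wrapper is that a typo in one of fifteen commands, an unmounted partition, or a missing /etc/init directory would otherwise leave one root partition half-modified, and the device boots from whichever of the two partitions is marked active. stage_root_overlay works on two directory paths (so it can be exercised without a block device) and refuses a target that does not look like a mounted root; provision_partition does the mount, the copy, sync and the unmount, and always unmounts even when a copy failed. The function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the Exploitee.rs page's own code): apply the guide's
# busybox + telnetd + shadow changes to a mounted OnHub root partition,
# checking every step so a partition is never left half-modified.

# stage_root_overlay SRC DST
#   Copies busybox, the telnetd upstart job and the shadow file from the
#   running (USB-booted) root SRC into the target root DST.
#   Returns 0 only if every file landed and busybox is executable.
stage_root_overlay() {
    src=$1
    dst=$2
    # The target must already look like a root filesystem. Refusing here is
    # better than creating stray directories on the wrong (unmounted) path.
    for d in bin etc etc/init; do
        if [ ! -d "$dst/$d" ]; then
            echo "missing $dst/$d; is the partition mounted at $dst?" >&2
            return 1
        fi
    done
    cp "$src/bin/busybox"           "$dst/bin/busybox"            || return 1
    cp "$src/etc/init/telnetd.conf" "$dst/etc/init/telnetd.conf"  || return 1
    # The shadow file from the USB environment is what sets root's password
    # to "onhub" on the normal boot; change it after the first real boot.
    cp "$src/etc/shadow"            "$dst/etc/shadow"             || return 1
    chmod 755 "$dst/bin/busybox"                                  || return 1
    [ -x "$dst/bin/busybox" ]
}

# provision_partition DEVICE MOUNTPOINT
#   Mounts one root partition, applies the overlay from the running root,
#   then syncs and unmounts regardless of whether the copy succeeded.
provision_partition() {
    dev=$1
    mnt=$2
    mkdir -p "$mnt" || return 1
    mount "$dev" "$mnt" || { echo "mount of $dev at $mnt failed" >&2; return 1; }
    if stage_root_overlay / "$mnt"; then rc=0; else rc=1; fi
    sync
    umount "$mnt" || rc=1
    return $rc
}

# Usage on the OnHub, from the USB-booted root shell, with the same two
# partitions and mount points the guide names:
#   provision_partition /dev/mmcblk0p3 /tmp/roota &&
#   provision_partition /dev/mmcblk0p5 /tmp/rootb
```

Because the second provision_partition call only runs if the first returned 0, a failure on root A stops the procedure before root B is touched, and the error message says which path was missing or which mount failed.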

Rebooting and Exiting Developer Mode

  1. Reboot the router and unplug the USB drive
    • After the OnHub reboots, it will still be in Developer Mode and will be waiting for a USB device to boot. We need to exit this mode and boot to the internal flash.
  2. Plug in your USB keyboard
  3. Repeatedly tap spacebar and enter until the status LED is no longer blinking purple (if you find the exact key sequence, hop on IRC and let us know.)
    • It might take a couple of tries; if it doesn't work, unplug your OnHub and try again
    • Note: First boot up may take up to 5 minutes
  4. Now the Google OnHub should begin to boot from the internal flash again

Enjoy!

  1. Telnet to your rooted OnHub and enjoy :)
    • IP: 192.168.86.1 (default)
    • User: root
    • Password: onhub (You should change this ASAP!)