Vizio CoStar LT (ISV-B11)

From Exploitee.rs

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Vizio CoStar LT media player.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Vizio CoStar LT media player at Amazon.

Disassembly

UART

Exploiting The Vizio CoStar LT For Root

On boot, the Vizio CoStar LT's bootloader checks for a "FS.sys" and a "safe-kernel.Img1" file on a FAT32-formatted thumb drive.

  • "FS.sys" - This file is a u-boot script file. This is a text file with u-boot commands in it compiled with mkimage. The exact compilation arguments for mkimage are as follows.
    mkimage -A arm -T script -d <SOURCE> <OUTPUT>
  • "safe-kernel.Img1" - This is a kernel uImage.
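Added example (not from the original page or from Exploitee.rs): a Python triage script that parses the legacy uImage header `mkimage -T script` writes, checks both CRC32 fields, and lists the embedded commands, for inspecting an unknown "FS.sys"-style file found on removable media. The sample image and the `build_sample` and `inspect_image` names are constructed for illustration; note that the header carries checksums only, which detect corruption but say nothing about who authored the script.

```python
import struct
import zlib

IH_MAGIC = 0x27051956            # legacy uImage magic number
IH_TYPE_SCRIPT = 6               # image type written by `mkimage -T script`
HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian legacy header

def build_sample(script: bytes) -> bytes:
    """Build a constructed script image in memory (sample input only)."""
    data = struct.pack(">II", len(script), 0) + script
    fields = [IH_MAGIC, 0, 0, len(data), 0, 0, zlib.crc32(data),
              5, 2, IH_TYPE_SCRIPT, 0, b"constructed sample"]
    fields[1] = zlib.crc32(HDR.pack(*fields))  # header CRC taken with field zeroed
    return HDR.pack(*fields) + data

def inspect_image(blob: bytes) -> dict:
    """Verify both CRC32 fields, then list the script's commands and findings."""
    if len(blob) < HDR.size or HDR.unpack_from(blob)[0] != IH_MAGIC:
        raise ValueError("not a legacy uImage")
    _, hcrc, _, size, _, _, dcrc, _, _, itype, _, name = HDR.unpack_from(blob)
    data = blob[HDR.size:HDR.size + size]
    zeroed = blob[:4] + b"\0" * 4 + blob[8:HDR.size]
    report = {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "is_script": itype == IH_TYPE_SCRIPT,
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
        "commands": [],
        "findings": [],
    }
    if not (report["is_script"] and report["data_crc_ok"]) or size < 8:
        return report
    # Script payload: 32-bit length words ended by a zero word, then the text.
    off = 0
    while off + 4 <= len(data) and struct.unpack_from(">I", data, off)[0]:
        off += 4
    length = struct.unpack_from(">I", data, 0)[0]
    text = data[off + 4:off + 4 + length].decode("ascii", "replace")
    report["commands"] = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for cmd in report["commands"]:
        if "init=" in cmd:
            report["findings"].append("kernel command line sets init=")
        if cmd.startswith(("setenv bootcmd", "setenv cmdline")):
            report["findings"].append("overrides boot variable: " + cmd.split()[1])
    return report

# Constructed sample: a shortened script of the kind this page describes.
SAMPLE = build_sample(b'setenv cmdline "console=ttyS0,115200n8 init=/bin/sh"\nrun bootcmd\n')
```

Calling `inspect_image(SAMPLE)` returns a report whose `findings` list flags the `init=` override and the rewritten `cmdline` variable.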

For this particular tutorial we are going to use the u-boot script file "FS.sys" to hijack kernel init.

  1. Connect a USB-To-TTL adapter to the Vizio CoStar LT
  2. Format a USB drive to the "FAT32" format
  3. Add the following output to a file named FS.sys.txt
    setenv cmdline "mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 init=/bin/sh"
    run bootcmd
  4. Compile the FS.sys.txt file with the following command.
    mkimage -A arm -T script -d FS.sys.txt fs.sys
  5. Copy the fs.sys file to the root of the FAT32 formatted USB drive.
  6. Insert the USB drive into the Vizio CoStar LT.
  7. Restart the Vizio CoStar LT by unplugging and re-plugging in the power adapter.
  8. After the kernel boots it will drop your UART connection to a root shell.
  • NOTE: hijacking the kernel init stops the kernel prior to it running crucial scripts. In most cases you will need to finish running the scripts within /etc/init.d prior to being able to access the entire file system.

Gaining Persistent Root Access

After gaining root from the above method, you can gain persistent root access by having the device start a telnet root shell (or your choice of server) on boot. To do this you must find a writable file on the device that is called on boot.

Lucky for us "/etc/commonStart.sh" is just that file. You can modify this file to do anything you'd like to happen on each boot.

For example, adding:

    telnetd -l /bin/sh

after "#!/bin/sh" will start a telnet server on each boot.

  • If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh"

Demo

U-Boot Env

Below is the u-boot environment output from the "printenv" u-boot command.

Logo_A=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e
Logo_B=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e
baudrate=115200
bootcmd=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel
bootcmd_A=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel
bootcmd_B=ubi part systemB_1;run Logo_B;ubi read 80100000 Kernel 800000;start_kernel
bootdelay=1
cmdline=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
cmdline_A=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
cmdline_B=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=4 ubi.mtd=5 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
console=console=ttyS0,115200n8
ethact=FTMAC100
ethaddr=00:9c:0a:c6:98:9c
fileaddr=80100000
filesize=1BA
ip=172.16.60.66:172.16.60.166:172.16.60.1
ipaddr=172.16.60.233
macaddr=macaddr=00:12:34:56:78:34
mem_layout=mem=128m
mtddevname=boot
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:200M(boot),100M(systemA_1),300M(systemA_2),100M(systemB_1),300M(systemB_2),300M(etc),600M(rwdata),4M(bbt)
netmask=255.255.0.0
nfs=root=/dev/nfs nfsroot=172.16.60.166:/opt/bk_nfs/rootfs_fusion
partition=nand0,0
reflash=usb start; fatload usb 0 80100000 fs.sys;source 80100000; fatload usb 0 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline
serverip=172.16.60.125
stderr=serial
stdin=serial
stdout=serial
tftp_update=set update_method TFTP;tftp fs.sys;source 80100000;tftp 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline
update_method=USB
usb_update=set update_method USB;usb start;if fatload usb 0 80100000 fs.sys;then source 80100000;else run bootcmd ;fi; if fatload usb 0 82000000 safe-kernel.img1;then crc_start_kernel 82000000 fscmdline;else run bootcmd;fi