Exploiting Key Signing for Root

From Exploitee.rs

About

A detailed analysis of the bug being exploited and its origination can be found on [Saurik's Blog].

Devices

This bug is present in all Google TV devices, but unfortunately it can only be leveraged for root on some of them. Below is a list of the devices confirmed to get root; the remaining devices only get system privileges.

This is confirmed to get system privileges on the following devices:

  • Logitech Revue
  • Sony NSZ-GS7/8

This is confirmed to get root privileges on the following devices:

  • Vizio Co-Star

Warnings

  • This will definitely void your warranty. If you want to keep your warranty, please do not do any of the steps in this guide.
  • This may brick your GTV. It shouldn't, but it still might!

Tools Needed

  • A vulnerable Google TV device.
  • Cydia Impactor (download link at bottom of page)
  • Google TV Modification Package

Pre-Setup

  1. Download Cydia Impactor below
  2. Download Google TV Modification Package below
  3. Unzip Google TV Modification Package.

Steps

  1. Set up your Google TV device to allow a connection from the PC you are going to be connecting from. This is done by going into the Settings menu, clicking Applications, and then selecting the Development option. In the Development section you should see a field to change the "Debugger IP"; set this field to the IP address of your computer.
  2. Launch Cydia Impactor
  3. Connect your PC to Impactor by going to "Bridge" and then "Connect" in the file menu.
  4. Enter the IP address of your Google TV in the "Bridge Connect" input box and press OK. (If successful, a dialog will tell you that you are connected.) Click OK.
  5. Run the default command, which should be "echo ro.kernel.qemu=1 > /data/local.prop", by clicking Start. If it succeeds you can proceed; if not, troubleshoot your connection and try again.
  6. Reboot your Google TV by going to "Device" then "Reboot" from the Cydia Impactor file menu.
  7. Reconnect to your Google TV by repeating steps 3 and 4 above.
  8. In the Cydia Impactor file menu, choose "Device" then "Run Program".
  9. Select the .sh file extracted in the pre-setup.
  10. When the process is complete a dialog box will be displayed. Click OK.
  11. Finally, in Cydia Impactor go to "Device" then "Reboot" to reboot your Google TV device for the final time.
  12. Your Google TV device is now rooted!
  • In order to get the content bypass portion working you will still need to change your user agent. This process is described on the [I've rooted... now what?!] page.
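As an added example, not code from this page or from Exploitee.rs: a small Python audit that parses a property file the way Android's property loader does and flags the ro.kernel.qemu=1 entry that step 5 writes to /data/local.prop, which is the line that makes adbd keep root after the reboot. The two extra properties it also checks (ro.secure and ro.debuggable) are real Android properties but are an assumption of this example, not something the guide mentions, and the sample file content is constructed.

```python
# Added example (not from the Exploitee.rs page): parse an Android
# .prop file and flag entries that turn adbd into a root shell after
# reboot, such as the ro.kernel.qemu=1 line this guide writes to
# /data/local.prop. The file content below is constructed sample data.

# Properties that, when honoured from /data/local.prop, weaken the
# device's privilege boundary. ro.kernel.qemu=1 makes init believe it
# runs in the emulator, so adbd keeps root. ro.secure and
# ro.debuggable are related knobs (assumed here, not on the page).
RISKY_PROPS = {
    "ro.kernel.qemu": "1",
    "ro.secure": "0",
    "ro.debuggable": "1",
}

def parse_prop(text):
    """Parse key=value lines like Android's loader: skip blank lines
    and '#' comments, split on the first '=' only, and let a later
    duplicate key override an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            continue                       # malformed line, ignored
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_props(props):
    """Return sorted (key, value) pairs whose value matches a risky
    setting; an empty list means no root-persistence entry was found."""
    return sorted(
        (k, v) for k, v in props.items()
        if k in RISKY_PROPS and v == RISKY_PROPS[k]
    )

# Constructed sample: what /data/local.prop looks like after step 5.
SAMPLE_LOCAL_PROP = """\
# written by the rooting procedure
ro.kernel.qemu=1
persist.service.adb.enable = 1
"""

if __name__ == "__main__":
    for key, value in audit_props(parse_prop(SAMPLE_LOCAL_PROP)):
        print(f"risky property: {key}={value}")
```

Feed it the contents of /data/local.prop pulled from a device (for example via adb) to confirm whether the box still carries this persistence or has been cleaned up.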

Known Issues

  • There are times when ADB hangs while connecting to the box. You can either wait the 90 seconds for the operation to time out or restart Cydia Impactor and try again.
  • If you are experiencing issues connecting to your device, verify that the IP address of your machine matches the one whitelisted on your Google TV.
  • If you do not see the "Bridge" or "Device" file menu, you may need to update Cydia Impactor, which can be done by going to "File" then "Check For Updates".
  • If the process fails for you at step 8, it is possible that your device cannot leverage the key signing vulnerability for root. This happens when the device does not process the property placed in /data/local.prop.

Troubleshooting

  • You can get help from us or other users at:
      • GTVHacker Forums
      • GTVHacker Wiki
  • or you can chat with us on IRC at:
      • irc.freenode.net #gtvhacker
      • Freenode Webchat

(Someone may not be around right away to help, so be willing to wait for a response.)

Download

Cydia Impactor: [Mac OS X] or [Windows]

Google TV Modification Package [GTVHacker Download Site]