Breaking Secure-Boot on the Roku

Posted: December 28th, 2013 | Filed under: Roku, Uncategorized
Hello Universe, welcome back. It’s been a while since our last post due to a lack of new Google TV hardware and developments. When we have free time we tend to look at other interesting opportunities that come our way and recently we came into just such a situation when we found ourselves auditing multiple Roku devices.
You may not know it by looking at the device, but the Roku is considerably more secure than most entertainment devices in its genre (even our namesake). The engineers at Roku not only implemented a decently hardened grsec kernel, they did it somewhere we hadn’t seen it before: on ARM. The layers above that contain a miscellaneous assortment of secure boot and encryption methods, with configurations varying between the different chipsets throughout the platform. Our package leverages one such configuration, the bcm2835 chipset, in which user-accessible per-box keys are used to sign the initial “stage 1” portion of the bootloader. This allows us, from the initial root bug, to modify a portion of the system boot and remove signature verification checks, effectively breaking the established “chain of trust” and allowing us to load any compatible image desired.
Now for the details. The initial root exploit utilizes a local command execution vulnerability within the developer settings menu of the device. Specifically, the bug is within the development password field: due to poor sanitization of input, it lets us run commands as root. This affects the majority of updated Roku devices and was ironically introduced as a security improvement. The downside to this bug is that it does not provide a persistent root method (in short, a method that continues beyond system restarts).
This left us looking for a method to persist root on the device, which is when we noticed the configuration of the bcm2835 Roku devices. In this chipset, the bootloader is signed by a per-box key which, in all tested bcm2835 devices, is included on the box. By having the per-box key we are able to break the chain of trust and load a modified “stage 2” bootloader image. In our case we modify the stock U-Boot to include the “dev=1” kernel cmdline argument that identifies a developer device. We then take advantage of an init.d script that, when the “dev=1” kernel cmdline argument is set, executes files placed in a non-signature-validated portion of the file system. We use such a file to place commands that mount a replacement version of “/bin/Application”, Roku’s main content shell binary, which allows us to disable automatic updates on each boot.
We’ve packaged up all of the above into a nicely commented script which can be downloaded from our download servers at:

The file above contains a script with a cpio archive that includes the following 5 files:

  •     bpatch – compiled for the device and used to apply binary patches to files
  •     mtd1-uboot.patch – a patch file for bpatch used to patch the U-Boot portion of mtd1
  •     nandboot.patch – a patch file for bpatch used to patch nandboot.bin (stage1 bootloader)
  •     roku2-nandwrite.ko – a custom kernel module used to modify kernel cmdline in memory and trick the NAND driver into allowing bootloader writes.
  •     Application.patch – a patch file for bpatch used to patch /bin/Application to disable updates.
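
The chain-of-trust weakness described in this post, modelled as an added example (not GTVHacker's or Roku's code): a boot ROM check keyed by a secret stored on the box, next to one anchored in write-once fuses. The key, the image bytes, the use of HMAC-SHA256 and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; none of these bytes come from a real device.
BOX_KEY = b"per-box key, readable on the device"      # hypothetical key
STAGE1 = b"stage1: verify stage2 signature, then jump"
STAGE1_MOD = b"stage1: skip stage2 verification, then jump"


def box_key_tag(image: bytes, key: bytes = BOX_KEY) -> bytes:
    """Tag an image with the per-box key (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def rom_check_box_key(image: bytes, tag: bytes) -> bool:
    """Weak design: the ROM verifies with the same key that signs."""
    return hmac.compare_digest(box_key_tag(image), tag)


def rom_check_fused(image: bytes, fused_digest: bytes) -> bool:
    """Hardened design: the ROM compares against a digest in write-once fuses."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), fused_digest)


def audit(design: str) -> dict:
    """Report which stage 1 images boot when root can read storage and rewrite flash."""
    if design == "box-key":
        shipped_tag = box_key_tag(STAGE1)
        return {
            "original_boots": rom_check_box_key(STAGE1, shipped_tag),
            # Flash rewritten but the old tag kept: the check catches it.
            "modified_old_tag_boots": rom_check_box_key(STAGE1_MOD, shipped_tag),
            # Root reads the key off the box and re-tags: the check passes.
            "modified_retagged_boots": rom_check_box_key(
                STAGE1_MOD, box_key_tag(STAGE1_MOD)),
        }
    if design == "fused-digest":
        fused = hashlib.sha256(STAGE1).digest()  # burned once at manufacture
        return {
            "original_boots": rom_check_fused(STAGE1, fused),
            # No on-device secret exists that would make a new image match.
            "modified_boots": rom_check_fused(STAGE1_MOD, fused),
        }
    raise ValueError(f"unknown design: {design}")


if __name__ == "__main__":
    for name in ("box-key", "fused-digest"):
        print(name, audit(name))
```

Production designs usually fuse the hash of a vendor public key rather than of the image itself, so stage 1 can still be updated; the property that matters is that nothing stored on the box can produce an image that passes the check.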
The entire GTVHacker team has put a lot of work into this release and we hope the Roku community enjoys it. We invite others to continue our work and are happy to share progress made while we work to further leverage the current exploits before a patch is released. In the meantime, if you have a second generation Roku, root it. And if you don’t, buy one quick!
This bug will probably get patched soon. So in other words, exploit now or forever hold your peace.

12 Comments on “Breaking Secure-Boot on the Roku”

  1. Toily said at 2:58 am on December 29th, 2013:

    Hey this is awesome, I recently bought a Roku 3 for my parents, unfortunately they live in Mexico and region lock prevents Netflix from being added to the channel list. This could be the thing they are waiting for, thanks for your work and I’m looking forward (if it’s possible and this wonderful team finds the time) to a Roku 3 persistent hack :). Again thank you for your effort and happy new year to you all 🙂

  2. larry996 said at 2:59 am on December 29th, 2013:

    So download the r2-Ice.sh file. Load it on an SD card. CD to Sdcard on roku, then execute sh? Correct?

  3. jay said at 3:42 am on December 29th, 2013:

    Need an OTA update? I pulled one down the other night.

  4. G. Snedecor said at 3:32 pm on December 29th, 2013:

    Tried this on a Roku HD, which is a model 2500.
    The script executed, but failed the platform check returning “paolo” instead of “giga”. Is this particular unit not included in Roku 2’s even though it’s a model 2500?

    Great job, hope you can expand to my model at some point!

  5. BaCs said at 7:03 pm on December 29th, 2013:

    Great work guys!! Rooted and happy 🙂

  6. Tanker said at 8:24 pm on December 29th, 2013:

    Awesome! Thank you :). Can’t wait to see what more comes from this.

  7. Doug Ames said at 8:53 pm on December 29th, 2013:

    Thanks so much for publishing this work. I ran the shell script on my Roku 2 XS, and it seemed to work fine. My home menu has changed to show extra items. Is there anything I should do to verify that everything was modified correctly? Should I telnet in and check something as shown at the end of the video? Any other steps to take right away? I don’t think I can contribute to the development, but glad to help test.

  8. N. said at 12:55 am on December 30th, 2013:

    So excited to try this, but before I do I have 4 questions to ask.
    1. Does this work on the regular Roku 2 (as in the one without xd, hd, xs at the end of the name)?
    2. If it does work on Roku 2, will it be persistent (be there after a reboot and an update)?
    3. How do you enable developer mode on Roku 2?
    4. Can you brick your Roku doing this?
    Thanks to anyone who can help, I can’t wait to try this out!!

  9. rebol said at 12:57 pm on December 30th, 2013:

    Hmm, I didn’t know it was hard to root these devices. Perhaps you should just go and ask Carl (Sassenrath, Amiga OS, Rebol code, and now Technical Lead, Software Engineering at Roku) what procedures he included in there to make this easier for simple hacking.

    As he says, he prefers to be “Very efficient. I don’t like wasting time…. Facebook was a disaster for me. Seems like my page became endless spew about nothing. Some people love that kind of stuff. Not me.”

    https://www.youtube.com/watch?v=_r2iIIxjbjc

    http://www.linkedin.com/pub/carl-sassenrath/84/99b/26

    https://github.com/hostilefork/rebol/wiki/StackOverflow-Chat-FAQ

  10. James said at 1:20 am on December 31st, 2013:

    It looks like there was a quick update made on December 30th, and the local command execution in the developer settings menu doesn’t work; the entry bar just clears without accepting the input, when attempting to enter the commands 🙁

  11. yoxxx said at 4:53 am on December 31st, 2013:

    It seems they already patched this because it doesn’t let you enter commands anymore and when you hit enter it clears the box.

  12. drh said at 8:49 am on January 7th, 2014:

    As Roku have been arses and blocked this hack already, I’ve returned my Roku 2 XS for a refund. Allowing us to tinker with our hardware to use 3rd party services like XBMC etc wouldn’t have hurt them, if anything it would have encouraged more sales. It is however their prerogative to curtail their device’s usage and it’s our prerogative to say screw you then have it back if we can’t do what we want with our purchases 🙂