A little over 2 years ago a band of miscreants came together from an XDA developers forum post and started working together to get privileged code execution on the Google TV. Little did we know that the challenges would be greater than anyone could imagine.
When the Google TV was released it was easily one of the most locked down Android devices containing a signature enforced bootloader which established a “chain of trust” between it and every component loaded thereafter. The hardened state of the kernel the device came with made things even worse, with the kernel enforcing module signing as well as lacking most of the popular Android vulnerabilities that were plaguing the mobile world. This Android device was truly unlike most others.
So we began work attempting to win an advertised cash bounty for being the first to gain root access on the newly released device. After some work, we posted the first root method for the Logitech Revue, winning a $500 prize. Since then it has been our goal to make Google TV an open platform by unlocking each released device. There were plenty of challenges along the way, in the form of long nights reversing code and many bricked devices. But along with the challenges there have also been many triumphs in the form of releases.
Going over some of our biggest acheivements in the last 2 years:
Found and released a hardware root method for the Logitech Revue and assisted Dr. Dan Rosenberg in finding a software root exploit.
Found and released multiple exploits for the Sony NSZ-GT1 and Sony Google TV television line, breaking the established chain of trust.
Received a secret message from Logitech within the stock recovery on the Logitech Revue.
We released a modification package for the Hisense Pulse which leveraged the intial debug configuration of the device for root, disabled automatic updates, and modified the flash plug-in allowing you to watch Hulu and other previously blocked content providers.
In regards to the future of GTVHacker, over the past month we found and have been developing an exploit which will allow for custom kernels to be run on most of the newest generation of Google TV devices. We’ve also (cj_000 specifically) been busy making a custom recovery specifically designed for the Google TV. You may already know this but, there are a number of differences between the Google TV and other Android devices and these difference make it impossible to simply build a popular AOSP based recovery or kernel image. Due to these differences, we had to make our own recovery from scratch. At the time of writing this it’s still in a beta phase and rather simple. It only allows for installation of an update.zip package from usb. This can be a modified update, a superuser binary and apk or whatever else you wish. We’ve also started adb over ethernet to allow for custom system changes that may require more interaction than a update package.
Below is a quick demo of the custom recovery mentioned above being tested on a Sony NSZ-GS7 Google TV device. We currently don’t have a release date set as we are trying to keep most of the specifics private in order to avoid an update that could patch the exploit before the community gets to utilize it. We just wanted to give the community a sneak peek at what we’ve been working on privately over the last few months. So sit tight, 2013 will be a great year for the Google TV and GTVHacker!
Plus at the time of this posting you will also receive free shipping!
Even though, the recent Honeycomb update to the Revue has been slow and much anticipated we remain hopeful that its right around the bend. In the meantime, if you have a virgin box you can Root it, or Install HC3.1 leaked.
If you buy a few extras, we are always looking boxes to work on/with.
This is BETA, it is not meant to be widely used and has bugs. If that’s something you don’t care about and would like to risk it anyway, install the update. Also, If you want to help Logitech and Google out buy another Revue ( preferably from logitech.com ), at $99 its worth every penny.
If you want to help, mirror this file in as many places as possible. I’m sure it’ll be taken down quickly
For many moons now, GTHacker has been quietly looking for the next way into those little GoogleTV boxes and also furthering what progress has already been completed. As we progress forward, we have been considering adding a forum to our little family of sites, (wiki, and blog)
Apparently, some people have been looking for a forum to call home. In some cases, adding GoogleTv sections to other sites. Is this something we must add?
Leave me your thoughts and comments below. We’d love to know what yall think.
It has been a few short weeks since we released the hardware root on the Logitech Reuve and the community has really sprung up in support of the progress we have made. Almost immediately, people began requesting root for non-virgin boxes,(Passed the initial setup phase) and which did not require opening it to solder onto the board.
Although we remain committed to reaching the overall goal of opening the Revue up to the masses, our best efforts have still not resulted in what we all want, the elusive ROOT.
It took a team of people countless hours… literally countless hours to make the progress that has been made, and we realize there is more work to be done. Rest assured, we are trying most every avenue available to us, and once we have made progress we will release it to the world! Keep your eye on gtvhacker for the latest in developments.
Do you have a Revue? If so, did you hear about root in time to use it?
With the hardware root under our belt, we have been able to try a few other things. Here’s one cool thing thats been reported so far, Live Wallpapers! If you have an Android phone, you know them well. They are essentially wallpapers with different animations.
Have you been able to do anything on your rooted GoogleTV?
It has now been over a month since the GTVHacker team acquired a recovery mode root shell on the Logitech Revue. Since that time we have learned a lot about the internals of the Revue which allowed us to release the BreakVue script for enabling ADB support along with a trivial hack to demonstrate how certain content provider restrictions can be overcome.
Throughout January, we have received a flood of requests for a software based root technique. Specifically there is a lot of talk about rooting the Revue through malicious web content. This has been possible with Apple’s iOS as well as other systems which make use of Apple’s WebKit so it is often assumed that similar attacks should be possible on the Revue. As of yet however the most successful browser based attacks are only able to trigger a ‘Kill Page’ dialog from Chrome. The likely reason for this is that Chrome page rendering is being sandboxed through a chroot jail such that access to a malicious web site results in a crashed page rather than a compromised system. My personal opinion is that there is a better chance of compromise through specially crafted video files played through the Logitech Media Player than there is of getting root through a browser exploit. (Of course I am not much of an exploit developer and would love for someone to prove me wrong on this.)
Overall I have observed that the Logitech Revue is a very well hardened system and I strongly suspect that, if not for the slight oversight of leaving a root shell attached to UART1, we would still be scratching our heads about how to get root. Even now that we have root, the hardened kernel still has numerous protections in place:
read-only /system partition as per the flash layout in Logitech’s Linux kernel
Module signing is enforced to prevent untrusted loadable kernel modules
DEVMEM restrictions are in place to prevent tampering with kernel structures even by root
While we keep trying, it appears that a software one-click-root solution will most likely have to wait until official Market support is enabled on the Logitech Revue. Until then, feel free to check out our wiki where I have documented a few internal details of the Logitech Revue kernel: http://bit.ly/RevueKernel