GTVHacker – A Brief History And a Sneak Peek

Posted: January 3rd, 2013 | Author: | Filed under: GTVHacker | Tags: , , , , , , , , | Comments Off

A little over 2 years ago a band of miscreants came together from an XDA developers forum post and started working together to get privileged code execution on the Google TV. Little did we know that the challenges would be greater than anyone could imagine.

Google TV LogoWhen the Google TV was released it was easily one of the most locked down Android devices containing a signature enforced bootloader which established a “chain of trust” between it and every component loaded thereafter. The hardened state of the kernel the device came with made things even worse, with the kernel enforcing module signing as well as lacking most of the popular Android vulnerabilities that were plaguing the mobile world. This Android device was truly unlike most others.

So we began work attempting to win an advertised cash bounty for being the first to gain root access on the newly released device. After some work, we posted the first root method for the Logitech Revue, winning a $500 prize. Since then it has been our goal to make Google TV an open platform by unlocking each released device. There were plenty of challenges along the way, in the form of long nights reversing code and many bricked devices. But along with the challenges there have also been many triumphs in the form of releases.

Going over some of our biggest acheivements in the last 2 years:

  • Found and released a hardware root method for the Logitech Revue and assisted Dr. Dan Rosenberg in finding a software root exploit.
  • Found and released multiple exploits for the Sony NSZ-GT1 and Sony Google TV television line, breaking the established chain of trust.
  • Received a secret message from Logitech within the stock recovery on the Logitech Revue.
  • Released our own customized and completely open Google TV kernel which utilized a chain of exploits to execute.
  • Had the opportunity to present at the 20th annual “DEFCON” security conference in which we we teased a root exploit for the newly released NSZ-GS7 but are still waiting to leverage it until more hardware comes out.
  • While working on porting the Boxee OS to the Google TV we found and released 2 exploits which have enabled the Boxee community to install a popular modification package known as Boxee+.
  • We released a modification package for the Hisense Pulse which leveraged the intial debug configuration of the device for root, disabled automatic updates, and modified the flash plug-in allowing you to watch Hulu and other previously blocked content providers.

Custom Google TV RecoveryIn regards to the future of GTVHacker, over the past month we found and have been developing an exploit which will allow for custom kernels to be run on most of the newest generation of Google TV devices. We’ve also (cj_000 specifically) been busy making a custom recovery specifically designed for the Google TV. You may already know this but, there are a number of differences between the Google TV and other Android devices and these difference make it impossible to simply build a popular AOSP based recovery or kernel image. Due to these differences, we had to make our own recovery from scratch. At the time of writing this it’s still in a beta phase and rather simple. It only allows for installation of an update.zip package from usb. This can be a modified update, a superuser binary and apk or whatever else you wish. We’ve also started adb over ethernet to allow for custom system changes that may require more interaction than a update package.

Below is a quick demo of the custom recovery mentioned above being tested on a Sony NSZ-GS7 Google TV device. We currently don’t have a release date set as we are trying to keep most of the specifics private in order to avoid an update that could patch the exploit before the community gets to utilize it. We just wanted to give the community a sneak peek at what we’ve been working on privately over the last few months. So sit tight, 2013 will be a great year for the Google TV and GTVHacker!

Discuss More…

 


GTV 2.0 – Probably in 3 – 4 weeks

Posted: October 6th, 2011 | Author: | Filed under: Updates | Tags: , , , , | Comments Off

This just in folks, Google TV director of Content, Donagh O’Malley, dropped a ETA of 3-4 weeks on the release of GTV 2.0.

Although we are thrilled to hear this, we remain skeptical as there have been previous released dates that have come and passed without reason.

(Donagh O’Malley begins speaking about 36 minutes in mark and gives Honeycomb ETA at 57:50).

None the less, we are glad to see continued development of the the GTV line. When do you think the update will hit our beloved devices?

[Gnarld]


Logitech Revue for $89.99

Posted: October 6th, 2011 | Author: | Filed under: Logitech Revue | Tags: , , , , , , | Comments Off

There has been a recent drop in the price of the Revue once again! You can now pick up one these little beauties for $89.99!

Check out this http://www.buy.com/retail/product.asp?sku=219622139.

Plus at the time of this posting you will also receive free shipping!

Even though, the recent Honeycomb update to the Revue has been slow and much anticipated we remain hopeful that its right around the bend. In the meantime, if you have a virgin box you can Root it, or Install HC3.1 leaked.

If you buy a few extras, we are always looking boxes to work on/with.

UPDATED: The price has jumped up.


HC 3.1 on Revue

Posted: August 11th, 2011 | Author: | Filed under: Google TV Kernels, GTVHacker, Logitech Revue | Tags: , , , , , , , , | Comments Off

Since the release of HC on the Reuve, the worlds been discussing all the things possible. You can follow and join in the dicussion on our forums.

Heres the post we received from an unknown source.

Here it is everyone, Android 3.1 (Honeycomb) BETA On the Logitech Revue.

http://www.load2all.com/files/BE2FD2F97/1b3a6b1aa9fd.mp-signed-ota_update-b55579.zip.html

This is BETA, it is not meant to be widely used and has bugs. If that’s something you don’t care about and would like to risk it anyway, install the update. Also, If you want to help Logitech and Google out buy another Revue ( preferably from logitech.com ), at $99 its worth every penny.

If you want to help, mirror this file in as many places as possible. I’m sure it’ll be taken down quickly

Thanks!


Welcome our newest addition

Posted: July 25th, 2011 | Author: | Filed under: GTVHacker | Tags: , , | Comments Off

So, we’ve opened up the forum. There are still some hiccups and a few more things to setup. However, its up and running.

We are still working out how the layout and some things are going to be. So, yea, get to it. Visit our forum now! Its a little barren of course, but in time, itll feel just like home.


Where from here?

Posted: July 12th, 2011 | Author: | Filed under: GTVHacker | Tags: , , , | 3 Comments »

For many moons now, GTHacker has been quietly looking for the next way into those little GoogleTV boxes and also furthering what progress has already been completed. As we progress forward, we have been considering adding a forum to our little family of sites, (wiki, and blog)

Apparently, some people have been looking for a forum to call home. In some cases, adding GoogleTv sections to other sites. Is this something we must add?

Leave me your thoughts and comments below. We’d love to know what yall think.


Finding the Revue Software Root

Posted: February 7th, 2011 | Author: | Filed under: Logitech Revue, Root | Tags: , , , | 4 Comments »

It has been a few short weeks since we released the hardware root on the Logitech Reuve and the community has really sprung up in support of the progress we have made.  Almost immediately, people began requesting root for non-virgin boxes,(Passed the initial setup phase) and which did not require opening it to solder onto the board.

Although  we remain committed to reaching the overall goal of opening the Revue up to the masses, our best efforts have still not resulted in what we all want, the elusive ROOT.

It took a team of people countless hours… literally countless hours to make the progress that has been made, and we realize there is more work to be done.  Rest assured, we are trying most every avenue available to us, and once we have made progress we will release it to the world! Keep your eye on gtvhacker for the latest in developments.

Do you have a Revue? If so, did you hear about root in time to use it?


Live wallpapers on GoogleTV?

Posted: January 31st, 2011 | Author: | Filed under: Logitech Revue, Root | Tags: , , , | Comments Off

Google Tv Live WallpapersWith the hardware root under our belt, we have been able to try a few other things.  Here’s one cool thing thats been reported so far, Live Wallpapers! If you have an Android phone, you know them well.  They are essentially wallpapers with different animations.

Have you been able to do anything on your rooted GoogleTV?


Logitech Revue Software Root?

Posted: January 24th, 2011 | Author: | Filed under: Google TV Kernels, Logitech Revue | Tags: , , , , , , , | 2 Comments »

It has now been over a month since the GTVHacker team acquired a recovery mode root shell on the Logitech Revue. Since that time we have learned a lot about the internals of the Revue which allowed us to release the BreakVue script for enabling ADB support along with a trivial hack to demonstrate how certain content provider restrictions can be overcome.

Throughout January, we have received a flood of requests for a software based root technique. Specifically there is a lot of talk about rooting the Revue through malicious web content. This has been possible with Apple’s iOS as well as other systems which make use of Apple’s WebKit so it is often assumed that similar attacks should be possible on the Revue. As of yet however the most successful browser based attacks are only able to trigger a ‘Kill Page’ dialog from Chrome. The likely reason for this is that Chrome page rendering is being sandboxed through a chroot jail such that access to a malicious web site results in a crashed page rather than a compromised system. My personal opinion is that there is a better chance of compromise through specially crafted video files played through the Logitech Media Player than there is of getting root through a browser exploit. (Of course I am not much of an exploit developer and would love for someone to prove me wrong on this.)

Overall I have observed that the Logitech Revue is a very well hardened system and I strongly suspect that, if not for the slight oversight of leaving a root shell attached to UART1, we would still be scratching our heads about how to get root. Even now that we have root, the hardened kernel still has numerous protections in place:

  1. read-only /system partition as per the flash layout in Logitech’s Linux kernel
  2. Module signing is enforced to prevent untrusted loadable kernel modules
  3. DEVMEM restrictions are in place to prevent tampering with kernel structures even by root

While we keep trying, it appears that a software one-click-root solution will most likely have to wait until official Market support is enabled on the Logitech Revue.  Until then, feel free to check out our wiki where I have documented a few internal details of the Logitech Revue kernel: http://bit.ly/RevueKernel

–Craig
craig_at_gtvhacker_dot_com