Netgear Push2TV (PTV3000) - Revision history

Resno: Text replacement - "gtvcom-20" to "exploiteers-20"

2016-02-07T01:22:40Z

Text replacement - "gtvcom-20" to "exploiteers-20"

← Older revision		Revision as of 01:22, 7 February 2016
Line 7:		Line 7:
	== Purchase ==		== Purchase ==
	Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.		Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
	[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=~~gtvcom~~-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]		[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=exploiteers-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]

	== Pinout ==		== Pinout ==

Zenofex at 04:18, 8 March 2015

2015-03-08T04:18:38Z

← Older revision		Revision as of 04:18, 8 March 2015
Line 22:		Line 22:
	* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.		* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
	* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment		* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment

			==Root Demo==
			{{#ev:youtube\|CaL8O26oXas}}

Zenofex: 1 revision: Moving from DC22 to main site.

2014-08-17T08:22:52Z

1 revision: Moving from DC22 to main site.

← Older revision	Revision as of 08:22, 17 August 2014
(No difference)

CJ: /* Exploitation */

2014-08-11T23:29:47Z

Exploitation

New page

__FORCETOC__
{{Disclaimer}}
[[File:NetgearPush2TV.jpg|200px|left|thumb]]
[[Category:Media Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Netgear Push2TV.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=gtvcom-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]

== Pinout ==
<gallery>
File:Push2tv-uart.jpg
</gallery>

== Exploitation ==

There are multiple vulnerabilities in the Netgear Push2TV (PTV3000)

* Connecting to the UART per the input above, press the spacebar while booting to interrupt the bootloader, U-Boot. From here you can execute your own bootloader commands. "setenv bootargs init=/bin/sh" will drop you to a root shell
* If you miss that, via UART again, a root console is active for 2-3 seconds after booting. As long as you enter your commands while it boots, they will be executed.
* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment

Netgear Push2TV (PTV3000)​​ - Revision history

Resno: Text replacement - "gtvcom-20" to "exploiteers-20"

Zenofex at 04:18, 8 March 2015

Zenofex: 1 revision: Moving from DC22 to main site.

CJ: /* Exploitation */

Netgear Push2TV (PTV3000) - Revision history