Resno: Text replacement - "gtvcom-20" to "exploiteers-20"

2016-02-07T01:22:41Z

Text replacement - "gtvcom-20" to "exploiteers-20"

← Older revision		Revision as of 01:22, 7 February 2016
Line 7:		Line 7:
	== Purchase ==		== Purchase ==
	Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.		Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
	[http://www.amazon.com/gp/product/B00FRD1H4S/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FRD1H4S&linkCode=as2&tag=~~gtvcom~~-20&linkId=THBZKBDSQA3B2X3Z Purchase the Vizio CoStar LT media player at Amazon]		[http://www.amazon.com/gp/product/B00FRD1H4S/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FRD1H4S&linkCode=as2&tag=exploiteers-20&linkId=THBZKBDSQA3B2X3Z Purchase the Vizio CoStar LT media player at Amazon]

	== Disassembly ==		== Disassembly ==

Zenofex at 11:00, 17 August 2014

2014-08-17T11:00:23Z

← Older revision		Revision as of 11:00, 17 August 2014
Line 60:		Line 60:

	* If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh"		* If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh"

			== Demo ==
			{{#ev:youtube\|2oFaIEOopPA}}

	== U-Boot Env ==		== U-Boot Env ==

Zenofex: 1 revision: Moving from DC22 to main site.

2014-08-17T08:22:51Z

1 revision: Moving from DC22 to main site.

← Older revision		Revision as of 08:22, 17 August 2014
(No difference)

Zenofex: /* Exploiting The Vizio CoStar LT For Root */

2014-08-06T12:16:53Z

Exploiting The Vizio CoStar LT For Root

New page

__FORCETOC__
{{Disclaimer}}
[[File:VizioCoStarLT.jpg|200px|left|thumb]]
[[Category:Media Players]]
This page will be dedicated to a general overview, descriptions, and information related to the Vizio CoStar LT media player.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00FRD1H4S/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FRD1H4S&linkCode=as2&tag=gtvcom-20&linkId=THBZKBDSQA3B2X3Z Purchase the Vizio CoStar LT media player at Amazon]

== Disassembly ==
<gallery>
File: Vizio_CoStar_LT_000.JPG
File: Vizio_CoStar_LT_001.JPG
File: Vizio_CoStar_LT_003.JPG
File: Vizio_CoStar_LT_004.JPG
File: Vizio_CoStar_LT_005.JPG
File: Vizio_CoStar_LT_006.JPG
File: Vizio_CoStar_LT_007.JPG
File: Vizio_CoStar_LT_008.JPG
File: Vizio_CoStar_LT_009.JPG
</gallery>

== UART ==
<gallery>
File:Vizio_CoStar_LT_UART.JPG
</gallery>

== Exploiting The Vizio CoStar LT For Root ==
On booting the Vizio CoStar LT's bootloader checks for a "FS.sys" and a "safe-kernel.Img1" file on a FAT32 formatted thumb drive.

* "FS.sys" - This file is a u-boot script file. This is a text file with u-boot commands in it compiled with mkimage. The exact compilation arguments for mkimage are as follows. <pre>mkimage -A arm -T script -d <SOURCE> <OUTPUT></pre>

* "safe-kernel.Img1" - This is a kernel uImage.

For this particular tutorial we are going to use the u-boot script file "FS.sys" to [[Hijacking_Kernel_Init Hijack Kernel Init]].

# Connect a USB-To-TTL adapter to the Vizio CoStar LT
# Format a USB drive to the "FAT32" format
# Add the following output to a file named FS.sys.txt <pre>setenv cmdline "mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 init=/bin/sh"
run bootcmd</pre>
# Compile the FS.sys.txt file with the following command. <pre>mkimage -A arm -T script -d fs.sys.txt fs.sys</pre>
# Copy the fs.sys file to the root of the FAT32 formatted USB drive.
# Insert the USB drive into the Vizio CoStar LT.
# Restart the Vizio CoStar LT by unplugging and re-plugging in the power adapter.
# After the kernel boots it will drop your UART connection to a root shell.

* NOTE: hijacking the kernel init stops the kernel prior to it running crucial scripts. In most cases you will need to finish running the scripts within /etc/init.d prior to being able to access the entire file system.

'''Gaining Persistent Root Access'''
After gaining root from the above method you can gain persistent root access by having the device boot a telnet root shell (or your choice of server) on boot. To do this you must find a write-able file on the device that is called on boot.

Lucky for us "/etc/commonStart.sh" is just that file. You can modify this file to do anything you'd like to happen on each boot.

For example adding:
<pre>
telnetd -l /bin/sh
</pre>
after "#!/bin/sh" will start a telnet server on each boot.

* If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh"

== U-Boot Env ==
Below is the u-boot environment output from the "printenv" u-boot command.

<pre>
Logo_A=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e
Logo_B=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e
baudrate=115200
bootcmd=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel
bootcmd_A=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel
bootcmd_B=ubi part systemB_1;run Logo_B;ubi read 80100000 Kernel 800000;start_kernel
bootdelay=1
cmdline=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
cmdline_A=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
cmdline_B=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=4 ubi.mtd=5 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8
console=console=ttyS0,115200n8
ethact=FTMAC100
ethaddr=00:9c:0a:c6:98:9c
fileaddr=80100000
filesize=1BA
ip=172.16.60.66:172.16.60.166:172.16.60.1
ipaddr=172.16.60.233
macaddr=macaddr=00:12:34:56:78:34
mem_layout=mem=128m
mtddevname=boot
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:200M(boot),100M(systemA_1),300M(systemA_2),100M(systemB_1),300M(systemB_2),300M(etc),600M(rwdata),4M(bbt)
netmask=255.255.0.0
nfs=root=/dev/nfs nfsroot=172.16.60.166:/opt/bk_nfs/rootfs_fusion
partition=nand0,0
reflash=usb start; fatload usb 0 80100000 fs.sys;source 80100000; fatload usb 0 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline
serverip=172.16.60.125
stderr=serial
stdin=serial
stdout=serial
tftp_update=set update_method TFTP;tftp fs.sys;source 80100000;tftp 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline
update_method=USB
usb_update=set update_method USB;usb start;if fatload usb 0 80100000 fs.sys;then source 80100000;else run bootcmd ;fi; if fatload usb 0 82000000 safe-kernel.img1;then crc_start_kernel 82000000 fscmdline;else run bootcmd;fi
</pre>

Vizio CoStar LT (ISV-B11)​ - Revision history

Resno: Text replacement - "gtvcom-20" to "exploiteers-20"

Zenofex at 11:00, 17 August 2014

Zenofex: 1 revision: Moving from DC22 to main site.

Zenofex: /* Exploiting The Vizio CoStar LT For Root */

Vizio CoStar LT (ISV-B11) - Revision history