Difference between revisions of "Vizio CoStar LT (ISV-B11)"
m (1 revision: Moving from DC22 to main site.) |
m (Text replacement - "gtvcom-20" to "exploiteers-20") |
||
(One intermediate revision by one other user not shown) | |||
Line 7: | Line 7: | ||
== Purchase == | == Purchase == | ||
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | ||
[http://www.amazon.com/gp/product/B00FRD1H4S/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FRD1H4S&linkCode=as2&tag= | [http://www.amazon.com/gp/product/B00FRD1H4S/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FRD1H4S&linkCode=as2&tag=exploiteers-20&linkId=THBZKBDSQA3B2X3Z Purchase the Vizio CoStar LT media player at Amazon] | ||
== Disassembly == | == Disassembly == | ||
Line 60: | Line 60: | ||
* If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh" | * If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh" | ||
== Demo == | |||
{{#ev:youtube|2oFaIEOopPA}} | |||
== U-Boot Env == | == U-Boot Env == |
Latest revision as of 01:22, 7 February 2016
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the Vizio CoStar LT media player.
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Vizio CoStar LT media player at Amazon
Disassembly
UART
Exploiting The Vizio CoStar LT For Root
On booting the Vizio CoStar LT's bootloader checks for a "FS.sys" and a "safe-kernel.Img1" file on a FAT32 formatted thumb drive.
- "FS.sys" - This file is a u-boot script file. This is a text file with u-boot commands in it compiled with mkimage. The exact compilation arguments for mkimage are as follows.
mkimage -A arm -T script -d <SOURCE> <OUTPUT>
- "safe-kernel.Img1" - This is a kernel uImage.
For this particular tutorial we are going to use the u-boot script file "FS.sys" to Hijacking_Kernel_Init Hijack Kernel Init.
- Connect a USB-To-TTL adapter to the Vizio CoStar LT
- Format a USB drive to the "FAT32" format
- Add the following output to a file named FS.sys.txt
setenv cmdline "mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 init=/bin/sh"
run bootcmd
- Compile the FS.sys.txt file with the following command.
mkimage -A arm -T script -d fs.sys.txt fs.sys
- Copy the fs.sys file to the root of the FAT32 formatted USB drive.
- Insert the USB drive into the Vizio CoStar LT.
- Restart the Vizio CoStar LT by unplugging and re-plugging in the power adapter.
- After the kernel boots it will drop your UART connection to a root shell.
- NOTE: hijacking the kernel init stops the kernel prior to it running crucial scripts. In most cases you will need to finish running the scripts within /etc/init.d prior to being able to access the entire file system.
Gaining Persistent Root Access After gaining root from the above method you can gain persistent root access by having the device boot a telnet root shell (or your choice of server) on boot. To do this you must find a write-able file on the device that is called on boot.
Lucky for us "/etc/commonStart.sh" is just that file. You can modify this file to do anything you'd like to happen on each boot.
For example adding:
telnetd -l /bin/sh
after "#!/bin/sh" will start a telnet server on each boot.
- If you are hijacking init to gain root you will need to run "/etc/rc.mount" prior to modifying "/etc/commonStart.sh"
Demo
U-Boot Env
Below is the u-boot environment output from the "printenv" u-boot command.
Logo_A=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e Logo_B=ubi read 82000000 Logo 3bc4e;showLogo 82000000 3bc4e baudrate=115200 bootcmd=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel bootcmd_A=ubi part systemA_1;run Logo_A;ubi read 80100000 Kernel 800000;start_kernel bootcmd_B=ubi part systemB_1;run Logo_B;ubi read 80100000 Kernel 800000;start_kernel bootdelay=1 cmdline=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 cmdline_A=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=2 ubi.mtd=3 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 cmdline_B=quiet mem=218M mem=32M@676M mem=26M@742M console=ttyS0,115200n8 MTD_NAME=mtd1,0,c8M MTD_NAME=mtd2,c8M,64M MTD_NAME=mtd3,12cM,12cM MTD_NAME=mtd4,258M,64M MTD_NAME=mtd5,2bcM,12cM MTD_NAME=mtd6,3e8M,12cM MTD_NAME=mtd7,514M,258M MTD_NAME=mtd8,76cM,90M MTD_NAME=mtd9,7fcM,4M ubi.mtd=4 ubi.mtd=5 ubi.mtd=6 ubi.mtd=7 ubi.mtd=8 console=console=ttyS0,115200n8 ethact=FTMAC100 ethaddr=00:9c:0a:c6:98:9c fileaddr=80100000 filesize=1BA ip=172.16.60.66:172.16.60.166:172.16.60.1 ipaddr=172.16.60.233 macaddr=macaddr=00:12:34:56:78:34 mem_layout=mem=128m mtddevname=boot mtddevnum=0 mtdids=nand0=nand0 mtdparts=mtdparts=nand0:200M(boot),100M(systemA_1),300M(systemA_2),100M(systemB_1),300M(systemB_2),300M(etc),600M(rwdata),4M(bbt) netmask=255.255.0.0 nfs=root=/dev/nfs nfsroot=172.16.60.166:/opt/bk_nfs/rootfs_fusion partition=nand0,0 reflash=usb start; fatload usb 0 80100000 fs.sys;source 80100000; fatload usb 0 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline serverip=172.16.60.125 stderr=serial stdin=serial stdout=serial tftp_update=set update_method TFTP;tftp fs.sys;source 80100000;tftp 82000000 safe-kernel.img1;crc_start_kernel 82000000 fscmdline update_method=USB usb_update=set update_method USB;usb start;if fatload usb 0 80100000 fs.sys;then source 80100000;else run bootcmd ;fi; if fatload usb 0 82000000 safe-kernel.img1;then crc_start_kernel 82000000 fscmdline;else run bootcmd;fi