Difference between revisions of "Installing Custom Recovery (Gen 2 Only)"
From Exploitee.rs
Line 48: | Line 48: | ||
== Developers Only (UART console required) == | == Developers Only (UART console required) == | ||
''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.''' | ''' We are preparing a update package to be installed from the recovery GUI which will automate the custom bootloader install.''' | ||
To install the uboot custom bootloader (developers only, UART console required): | To install the uboot custom bootloader (developers only, UART console required): | ||
#Format a drive NTFS, and mount it. | #Format a drive NTFS, and mount it. | ||
#cd to the drive, and issue | #cd to the drive, and issue the following commands: | ||
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd | #: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the kernel mtd. | ||
#: <code>mknod gtvhacker-kernel c 90 16</code> | #: <code>mknod gtvhacker-kernel c 90 16</code> | ||
#Then, copy over our files for your specific box, to the root of your NTFS flash drive | #Then, copy over our files for your specific box, to the root of your NTFS flash drive | ||
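Review bot: In the explanatory line above the mknod command, "major and minor hash" should read "major and minor numbers"; 90 and 16 are the character-device numbers that ls -l prints, not a hash. The new "for the kernel mtd" wording helps, but because the values are hard-coded in the command, the step should also tell readers to confirm both numbers against the listing from their own box before running mknod.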
Line 77: | Line 72: | ||
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code> | #: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-mtd8 /mnt/media/usb-LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin</code> | ||
#Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader. | #Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader. | ||
== Custom Recovery Steps (Sony) == | |||
#Format a drive NTFS, and mount it. | |||
#cd to the drive, and issue the following commands: | |||
#: The major and minor hash for these commands is pulled from an "ls -l" on /dev/mtd for the recovery mtd. | |||
#: <code>mknod gtvhacker-recovery c 90 32</code> | |||
#Then, copy over our files for your specific box, to the root of your NTFS flash drive | |||
#: nandwrite | |||
#: flash_erase | |||
#: CustomRecovery-VENDOR-MODEL-GTVHACKER.bin | |||
#Unmount the drive, and insert it into your Google TV. | |||
#Connect via adb, and issue the shell command. | |||
#To find out what USB drive you plugged in, issue this command: | |||
#: <code>ls /mnt/media/ | |||
#: cd /mnt/media/usb.LABEL (where label = the rest from above)</code> | |||
#Now, issue these commands: | |||
#: <code>cp flash_erase /data/local/tmp | |||
#: cp nandwrite /data/local/tmp | |||
#: chmod 755 /data/local/tmp/flash_erase | |||
#: chmod 755 /data/local/tmp/nandwrite | |||
#: cd /data/local/tmp</code> | |||
#Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above): | |||
#: <code>./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0 | |||
#: ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin</code> | |||
#Issue an adb reboot, and you have a custom recovery. | |||
== Troubleshooting == | == Troubleshooting == |
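Review bot: The unchanged nandwrite line at the top of this hunk writes to gtvhacker-mtd8 and reads the image from /mnt/media/usb-LABEL/, while the node created earlier in the same section is gtvhacker-kernel and every other path on the page uses usb.LABEL. Since this revision already touches the section, align both so the write goes to the node that was actually created. The added Sony steps use gtvhacker-recovery and usb.LABEL consistently, but they keep the "(where label = the rest from above)" remark inside the code span; it would read better as prose after the command.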
Revision as of 00:49, 7 August 2013
About
This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to boot an unsigned kernel. The steps below install a custom recovery on the Google TV that gives full read/write access to the device, as well as an automated process for installing updates (whose signatures we do not check).
Devices
- ASUS Cube
- Hisense Pulse
- NSZ-GS7/GS8
Warnings
- This will definitely void your warranty. If you want to keep your warranty, please do not do any of the steps in this guide.
- This may brick your GTV. It shouldn't, but it still might!
Tools Needed
- Linux Live CD or Linux Installed
- A vulnerable Google TV device.
- 1 USB Drive (to be formatted)
Pre-Setup
- Boot Linux (Live CD or Install)
- Download Custom Recovery Package for Device
- Unzip Custom Recovery Package
Custom Recovery Steps (Cube and Pulse)
- Format a drive NTFS, and mount it.
- cd to the drive, and issue the following commands:
  - The major and minor numbers for these commands are pulled from an "ls -l" on /dev/mtd for the recovery mtd.
    mknod gtvhacker-recovery c 90 32
- Then, copy over our files for your specific box to the root of your NTFS flash drive:
  - nandwrite
  - flash_erase
  - CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
- Unmount the drive, and insert it into your Google TV.
- Connect via adb, and issue the shell command.
- To find out what USB drive you plugged in, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL
  (where LABEL = the rest from above)
- Now, issue these commands:
    cp flash_erase /data/local/tmp
    cp nandwrite /data/local/tmp
    chmod 755 /data/local/tmp/flash_erase
    chmod 755 /data/local/tmp/nandwrite
    cd /data/local/tmp
- Finally, to install the recovery (where usb.LABEL is the name of your USB drive from above):
    ./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
    ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
- Issue an adb reboot, and you have a custom recovery.
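The mknod steps on this page take their major and minor numbers from an "ls -l" listing of /dev/mtd. The script below is an added example, not part of the original guide or the GTVHacker tools: it runs on the Linux host over a pasted listing and extracts the numbers for a named node, so they can be checked before mknod is typed. The listing is constructed sample data and the function names are hypothetical; the only outside fact used is the Linux MTD convention that minor 2N is mtdN and minor 2N+1 is its read-only twin.

```shell
#!/bin/sh
# Constructed sample of `ls -l /dev/mtd` output; not captured from a real device.
SAMPLE_LS='crw------- root     root      90,  16 2013-08-07 00:10 mtd8
crw------- root     root      90,  17 2013-08-07 00:10 mtd8ro
crw------- root     root      90,  32 2013-08-07 00:10 mtd16
crw------- root     root      90,  33 2013-08-07 00:10 mtd16ro
-rw-r--r-- root     root        4096 2013-08-07 00:10 notes.txt'

# Print "MAJOR MINOR" for the character device named $1, reading ls -l lines
# on stdin. Returns non-zero if the name is missing or is not a char device.
mtd_devnums() {
    awk -v want="$1" '
        $NF == want && substr($1, 1, 1) == "c" {
            line = $0
            gsub(/, */, ", ", line)      # normalise "90,16" and "90,  16"
            n = split(line, f, " ")
            for (i = 2; i < n; i++)
                if (f[i] ~ /^[0-9]+,$/ && f[i + 1] ~ /^[0-9]+$/) {
                    sub(/,$/, "", f[i]); print f[i], f[i + 1]; found = 1; exit
                }
        }
        END { exit !found }'
}

# Map an MTD character-device minor back to its node name:
# even minors are the read-write node, odd minors the read-only one.
mtd_name_from_minor() {
    if [ $(( $1 % 2 )) -eq 0 ]; then
        echo "mtd$(( $1 / 2 ))"
    else
        echo "mtd$(( $1 / 2 ))ro"
    fi
}

# Stand-alone run: show the mknod arguments for two nodes in the sample listing.
for node in mtd8 mtd16; do
    nums=$(printf '%s\n' "$SAMPLE_LS" | mtd_devnums "$node") || continue
    echo "$node -> mknod <name> c $nums"
done
```

An odd minor from mtd_name_from_minor means the numbers belong to a read-only node, which cannot be erased or written.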
Developers Only (UART console required)
We are preparing an update package to be installed from the recovery GUI which will automate the custom bootloader install.
To install the uboot custom bootloader (developers only, UART console required):
- Format a drive NTFS, and mount it.
- cd to the drive, and issue the following commands:
  - The major and minor numbers for these commands are pulled from an "ls -l" on /dev/mtd for the kernel mtd.
    mknod gtvhacker-kernel c 90 16
- Then, copy over our files for your specific box to the root of your NTFS flash drive:
  - nandwrite
  - flash_erase
  - uboot-VENDOR-MODEL-GTVHACKER.bin
- Unmount the drive, and insert it into your Google TV.
- Connect via adb, and issue the shell command.
- To find out what USB drive you plugged in, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL
  (where LABEL = the rest from above)
- Now, issue these commands:
    cp flash_erase /data/local/tmp
    cp nandwrite /data/local/tmp
    chmod 755 /data/local/tmp/flash_erase
    chmod 755 /data/local/tmp/nandwrite
    cd /data/local/tmp
- Finally, to install the custom bootloader (where usb.LABEL is the name of your USB drive from above):
    ./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
    ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-kernel /mnt/media/usb.LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin
- Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
Custom Recovery Steps (Sony)
- Format a drive NTFS, and mount it.
- cd to the drive, and issue the following commands:
  - The major and minor numbers for these commands are pulled from an "ls -l" on /dev/mtd for the recovery mtd.
    mknod gtvhacker-recovery c 90 32
- Then, copy over our files for your specific box to the root of your NTFS flash drive:
  - nandwrite
  - flash_erase
  - CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
- Unmount the drive, and insert it into your Google TV.
- Connect via adb, and issue the shell command.
- To find out what USB drive you plugged in, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL
  (where LABEL = the rest from above)
- Now, issue these commands:
    cp flash_erase /data/local/tmp
    cp nandwrite /data/local/tmp
    chmod 755 /data/local/tmp/flash_erase
    chmod 755 /data/local/tmp/nandwrite
    cd /data/local/tmp
- Finally, to install the recovery (where usb.LABEL is the name of your USB drive from above):
    ./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
    ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
- Issue an adb reboot, and you have a custom recovery.
Troubleshooting
- You can get help from us or other users at:
- or you can chat with us on IRC at:
irc.freenode.net #gtvhacker
(Someone may not be around right away to help, so be willing to wait for a response.)
Download
Custom Recovery: