Boxee

From Exploitee.rs
Revision as of 01:11, 31 July 2012 by CJ (talk | contribs)
Front-SMALL.jpg

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC.

Security-wise, it is quite similar in function to the Logitech Revue or the Gen 1 Sony Google TV boxes.

Specifically, the bootloader is signed and calls a signed kernel. The kernel RSA-verifies a read-only ramdisk and then boots it.

We unveiled two methods for rooting the Boxee at DEFCON 20, which are below. These are known to work as of the latest update, 1.5.1.23735.



Software Root Method (LCE)

SettingsNetworkServers.jpg

In the Share Workgroup Name field, you can simply append another command after a semicolon.

For instance, to run "custom.sh" off of your USB drive (replace LABEL with the label of your USB disk):

;sh /mnt/LABEL/custom.sh ;

This will cause custom.sh to run at each bootup. The script can then simply launch busybox from USB and spawn a root telnet daemon on port 23.
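
For firmware authors, the following added example (not code from Exploitee.rs or from the Boxee firmware) shows why a semicolon in this field becomes a second command, and how an allow-list plus shell-free argument passing closes the hole. The helper name set_workgroup, the allow-list, and the assumption that the field is pasted into a shell command line are illustrative; the page does not show the firmware's actual code.

```python
import re
import shlex

# Hypothetical helper name; the page does not show what the firmware actually runs.
HELPER = "set_workgroup"

# Allow-list (an assumption, stricter than NetBIOS itself): 1-15 characters,
# letters, digits, '.', '_' and '-' only, so no shell metacharacters or spaces.
WORKGROUP_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,14}")


def is_valid_workgroup(name: str) -> bool:
    return WORKGROUP_RE.fullmatch(name) is not None


def unsafe_command_line(name: str) -> str:
    """Assumed vulnerable pattern: the field is pasted into a string given to sh -c."""
    return f"{HELPER} {name}"


def commands_seen_by_shell(cmdline: str) -> list:
    """Split on shell control operators without executing anything.
    Simplified: enough to show where one command ends, not a full sh parser."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_argv(name: str) -> list:
    """Hardened pattern: validate, then build an argv list that needs no shell."""
    if not is_valid_workgroup(name):
        raise ValueError(f"rejected workgroup name: {name!r}")
    return [HELPER, name]


if __name__ == "__main__":
    field = ";sh /mnt/LABEL/custom.sh ;"  # the value from the page
    print(commands_seen_by_shell(unsafe_command_line(field)))
    print(is_valid_workgroup(field), safe_argv("WORKGROUP"))
```

Passing the list returned by safe_argv to an exec-style call (for example subprocess.run without shell=True) means the value is never reparsed by a shell, so validation and argument passing fail independently.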

Hardware Method

Scrape the two vias labeled in the picture below and solder wires from them to a UART adapter (TX/RX). Connect ground to any ground point. Once the box boots, it will drop you to a root shell.

Boxeehw.jpg