Revue software root
WARNING
The links on this page contain the until now unreleased Revue root. This is being released as a way to allow the more skilled members of the community to look at. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box. As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”. If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).
About
The Nandpwn package was created by Dan Rosenberg (@djrbliss) with remote testing on GTVHacker team member boxes (Dan doesn't actually own a revue). The exploit is highly complex and leverages a world readable device driver left open by Logitech.
About nandpwn
A local privilege escalation exploit for the Logitech Revue that leverages the ability to map the hardware registers of the NAND flash controller in conjunction with a Linux kernel information leak to clobber kernel memory in a way that allows gaining privileges.
This exploit is highly unstable. Although it has never caused any permanent damage in testing, I take no responsibility if this turns your device into a brick. In addition, it is known to only succeed a fraction of the time, so you will probably have to try it repeatedly, and some of those attempts may cause your device to freeze (which can be solved by a reboot).
Exploit Flow
- Use /dev/devmem to map NAND controller's hardware registers into address space
- Leverage kernel info leak to resolve virtual address of current process' kernel stack
- Write to hardware registers to trigger DMA on top of offset from base of kernel stack
- Since addr_limit is raised (hopefully), can read()/write() to write/read arbitrary kernel memory
- Fixup sysenter_return, overwrite restart_block function pointer to point to payload
- Trigger function pointer to escalate privileges and win!
About codesign
Once you have root, this can be run to disable code signing enforcement so custom kernel modules can be run. No known issues were observed during testing.
About blockwrite
NOVICES DO NOT USE! Remaps a specified block device as writable at both the MTD and block layers, to allow flashing a replacement. No known issues were observed during testing.
Work In Progress
Hurdles
- ADBD designed to never run as root. (Completed)
- Signed /system, /boot, kernel, recovery, bootloader
- nosuid /cache, /data, /sdcard
- nodev /cache, /data, /sdcard
Bugs
- Persistence - This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around.
Exploiting
Required Tools
- ADB (Android Debug Bridge)
- x86 Compiler
Building the code
We are not posting how to build the code as if you are unable to build an x86 binary you probably shouldn't be attempting this root in the first place.
Download
NandPwn <--Root Exploit
Codesign <-- Enables code Signing
BlockWrite <--Allows writing to RO partitions (Beware most partitions are signed, modifications will cause a brick)