Logitech Revue UART root

From Exploitee.rs
Revision as of 00:49, 22 January 2011 by KernelJayOmega (talk | contribs) (Update about CONFIG_MODULE_SIG)

Updates

2011 January 21: CONFIG_MODULE_SIG on the Revue

I have finally identified why my attempts at loading my own modules onto the Revue have all failed (outside of recovery). As shown in /proc/config.gz, the Revue kernel was built with CONFIG_MODULE_SIG=y which means that any module will require a signature that can be verified with the public signatures compiled into the kernel. Anybody out there up for patching /dev/mem to remove the signature checking or perhaps add a new signature? If so, please contact us! --Craig

2011 January 16: FAT file systems and DOS line endings

I have received a few emails now from people having problems with the manual update script due to line endings and FAT file systems. If you do not understand what this means it is best to stick with using an extended (ext2) file system on your USB drive and extract everything under Linux rather than Windows. --Craig
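A check for the line-ending problem described above, run before the drive goes into the Revue. This is an added example, not part of the GTVHacker package; it assumes a POSIX shell on the Linux machine preparing the drive, and the function names and the check-crlf.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the GTVHacker package. Function names are
# hypothetical; manual-update.sh and updatec99 are the names used on this page.
CR=$(printf '\r')

# has_crlf FILE: succeed if any line in FILE ends with a carriage return.
has_crlf() { grep -q "${CR}\$" "$1"; }

# list_crlf_scripts DIR: print every *.sh file under DIR with DOS line endings.
list_crlf_scripts() {
    find "$1" -type f -name '*.sh' | sort | while IFS= read -r f; do
        if has_crlf "$f"; then printf '%s\n' "$f"; fi
    done
}

# strip_cr FILE: remove trailing carriage returns. The result is built in a
# temporary file first, then copied back with cat so the mode bits survive.
strip_cr() {
    tmp="$1.tmp.$$"
    if sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# preflight DIR: return 0 only when no script under DIR has DOS line endings.
preflight() {
    bad=$(list_crlf_scripts "$1")
    [ -z "$bad" ] && return 0
    printf 'DOS line endings found in:\n%s\n' "$bad" >&2
    return 1
}

# demo: constructed sample. A script saved with CRLF endings fails the check,
# and passes after strip_cr. Returns 0 when both outcomes are as expected.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/updatec99"
    printf '#!/bin/sh\r\necho Complete\r\n' > "$d/updatec99/manual-update.sh"
    if preflight "$d" 2>/dev/null; then rm -rf "$d"; return 1; fi
    strip_cr "$d/updatec99/manual-update.sh"
    preflight "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh check-crlf.sh /path/to/usb   (the path argument is optional)
if [ $# -gt 0 ]; then preflight "$1"; fi
```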

2011 January 15: Breaking OTA Updates

Logitech recently began deploying a security update which will incidentally remove root access if it is allowed to install on a rooted device. (This was not the purpose of the update but it is an adverse effect for our community.) The GTVHacker dev team's initial attempts to break OTA updates by moving the otacerts.zip were not fully successful. In order to remove the auto-updating feature, Craig of the GTVHacker team has tested removal of /system/app/SystemUpdater.* with preliminary success. If this method works for others in the community, GTVHacker will consider the release of an updated manual update script with this and possibly other changes.

On a side note for non-rooted users, holding off on applying the update may expose your system to a vulnerability which could eventually be actively exploited to provide root access without a soldering iron. (This vulnerability could potentially be used maliciously so please consider this in deciding whether to apply the update.) Any (unrooted) box that is connected to the Internet overnight will presumably be updated without user interaction.

2011 January 14: Avoiding an unexpected reboot

NOTICE: If you have not properly completed step 6 (including pressing ALT+L) in the hardware portion before proceeding to the software section, you are risking bricking the Revue. This step is mandatory because it gets you into the recovery menu and prevents the system from automatically rebooting in the middle of an update. The video output should show the recovery menu before proceeding to the software portion. (Thanks @stericson for the picture.)

2011 January 12: Logitech's Statement on Rooting

Logitech Issues a "Statement" regarding rooting the Revue

2011 January 5: Do I really need a virgin?

You ABSOLUTELY need a "virgin" Logitech Revue with NO updates in order to do this hack!!

Any previous device updates will disable the UART1 pins necessary for this hack!

Demonstration video.

Shows Filesystem access, Apps and the Market, as well as previously blocked websites. Check it out http://www.youtube.com/user/gtvhacker


GTVHACKER'S Guide to installing applications and rooting your Logitech Revue

This is being brought to you right before CES, we all worked hard and here it is.

Features

ADBD running for adb access.

Custom boot logo.

Flash Plugin update to allow previously blocked content providers.

Experimental method to block automatic updates (We would appreciate feedback on this as we've been unable to confirm its success so far.)

About the Hack

The reason this is possible is due to the "out of factory" state of the Logitech Revue boxes not disabling the UART port on the board and allowing access to a root shell in recovery mode. After discovering this we were able to reverse the update files and manually upgrade the Revue to the most recent update. The attached files are our output of all the effort put forward by our team. Also as a notice to anyone performing the update, we are not responsible for any harm that may come of your box as an outcome of running our scripts. We will attempt to help you with any issues you may experience and have tried to make the process as safe as possible. Also if you have any suggestions or ideas on how we can make this process better please feel free to drop by our IRC channel and tell us.

About Manual Update

The manual-update.sh script is our attempt at duplicating the process done by the GTV scripts that update the box in recovery mode. There are also a few miscellaneous tweaks done to ensure applications load correctly, backups are made, and that the box doesn't auto-update. Some portions of the script flash parts of the NAND, so make sure you do not short circuit your box or accidentally remove power during the manual-update process.

Required Tools

Soldering Iron

USB->TTL or similar board/setup (An Arduino in tristate mode works great)

4 wires to attach board to TTL board

Terminal program (Minicom for Linux or Putty for Windows)

A USB Drive (At least 1gb, 2+gb Recommended)

Hardware Portion

In order to complete the root you will need an un-updated box; it seems as if the first or second update to the box closed the serial access hole. If you have a "virgin" box then you are ready to proceed.

1.) Open your box, there are 4 screws (1 under each of the soft legs on the bottom of the box), the rest of the box un-clips very easily. A better explanation is available at http://www.ifixit.com/Teardown/Logitech-Revue-Teardown/3788/1

2.) After opening your box you will need to remove the LED bar and look at the top front of the board. Locate the pins labeled UART1. These are the pins you will be soldering to.

3.) Solder 4 wires to your board. The appropriate pins can be viewed here: http://gtvhacker.com/index.php/File:XJHay.jpg . You MAY only need to solder to TX, RX, and GND.

4.) Attach wires to appropriate pins on your USB->TTL device

5.) Connect to the USB->TTL device on your computer using a program like Minicom or Putty. The appropriate settings are 9600 baud with 8n1; make sure flow control is set to none.

6.) Reboot the Revue into recovery mode by holding the pair button on the back of the board until the box shuts down and comes back up. Then press Alt+L (on the Revue keyboard, not through the console) until "FORMATING DATA:" shows and stays. A menu should appear shortly after the system is done clearing partitions. (More info: Logitech_Revue_Technical)

7.) If setup is correct so far you should be seeing logcat output through your terminal program (Putty/Minicom). Shortly after you will be presented with a # sign which is your console.

8.) Proceed to software portion.

NOTICE: If you have not properly completed step 6 you may risk having the Revue automatically reboot while you are flashing new firmware resulting in a bricked Revue. The video output should show the recovery menu before proceeding to the software portion.

Software Portion

1.) Place all files from the manual update on a USB device (preferably ext3), keeping all the files inside of the "updatec99" folder for easiest installation.

2.) Insert the USB device and run the following command for an ext3 USB device: "mount -rw -t ext3 /dev/sdb1 /sdcard". For a FAT32 device, replace ext3 with vfat. (Also remove the quotes.)

3.) In minicom/putty browse to the /sdcard directory with "cd /sdcard/updatec99".

4.) Execute the update with the following command "sh manual-update.sh"

5.) If the process ends prompting "Complete" you are finished and may restart. You will then have adbd running on your Revue and can connect using "./adb connect LogitechRevue". If the process does not prompt you with "Complete" but some other error you will need to make sure you do not reboot your Revue or it may be bricked.

You are now complete and free to install applications on your box remotely through adb.

Note: when booting in normal mode, you will not see any console output. If you want a serial console again, go into recovery.

Building the code

The GTVHacker team has a script to simplify the download/configuration/installation of unofficial NDK/toolchain support which is documented here.

Troubleshooting

If you experience any issues, please check the wiki, as we will be updating it with the most common problems, then visit our IRC channel if the wiki does not assist you.

About Us

This package is brought to you by the GTVHacker team over at irc.freenode.net #gtvhacker.

GTVHacker Team Members:

Thanks to everyone in the community who made this all possible. The GTVHacker Team

Related Files:

Google TV O/S modifications to achieve root are available at: http://www.multiupload.com/REVEQS6HII or http://bit.ly/gtvuc99

Script to simplify tool chain and sdk building : Beta1 or Beta2