Difference between revisions of "Boxee"

From Exploitee.rs
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
__FORCETOC__
{{Disclaimer}}
{{Disclaimer}}
[[File:Front-SMALL.jpg|120px|left|thumb]]
[[Category:Media Players]]


[[File:Front-SMALL.jpg|250px|right|thumb]]
== Boxee ==
This page will be dedicated to a general overview, descriptions, and information related to the Boxee media player.


The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC.
The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC ([[Intel Atom CE4170]]).


It is quite similiar in function to that (security wise) of the Logitech Revue, or Gen 1 Sony Google TV boxes.
It is quite similiar in function to that (security wise) of the Logitech Revue, or Gen 1 Sony Google TV boxes.
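Review bot: in the changed D-Link line, the sentence names the SoC as an Intel CE4100 while the new link in parentheses names the Intel Atom CE4170, which reads as two different parts. Say how they relate (family versus specific part) in the sentence itself. The unchanged line after it still spells "similiar", which could be fixed in the same edit.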
Line 9: Line 13:
Specifically, the bootloader is signed, which calls a signed kernel. The kernel RSA verifies a read only ramdisk and then boots it.
Specifically, the bootloader is signed, which calls a signed kernel. The kernel RSA verifies a read only ramdisk and then boots it.


We unveiled two methods for rooting the Boxee at DEFCON 20, which are below.
We unveiled two methods for rooting the Boxee at DEFCON 20, which are below. These are known to work as of the latest update, 1.5.1.23735.
 
 


== Software Root Method (LCE) ==
== Software Root Method (LCE) ==
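Review bot: "the latest update" in the sentence added to the DEFCON 20 line will go stale as soon as another firmware ships. Drop "latest" and state the version alone ("known to work as of update 1.5.1.23735"), ideally with the date it was tested.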
Line 24: Line 26:


This will cause custom.sh to run at each bootup. The script can then simply launch busybox from usb, and spawn a root telnet daemon on port 23.
This will cause custom.sh to run at each bootup. The script can then simply launch busybox from usb, and spawn a root telnet daemon on port 23.
A video of the POC for this root used at our Defcon20 presentation can be found on [http://www.youtube.com/watch?v=-_wZiFmrwsw&feature=plcp our YouTube channel]


== Hardware Method ==
== Hardware Method ==
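Review bot: the added video sentence has no closing period and writes "Defcon20", while the intro line on this page writes "DEFCON 20"; use one spelling. The external link also uses http:// and carries a "&feature=plcp" tracking parameter that can be dropped.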
Line 30: Line 34:


[[File:Boxeehw.jpg|500px|center|thumb]]
[[File:Boxeehw.jpg|500px|center|thumb]]
[[Category:Boxee]]

Latest revision as of 13:04, 5 August 2017

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


Boxee

This page will be dedicated to a general overview, descriptions, and information related to the Boxee media player.

The Boxee Box (DSM-380) is made by D-Link and features an Intel CE4100 SOC (Intel Atom CE4170).

Security-wise, it is quite similar in function to the Logitech Revue or the Gen 1 Sony Google TV boxes.

Specifically, the signed bootloader calls a signed kernel. The kernel RSA-verifies a read-only ramdisk and then boots it.

We unveiled two methods for rooting the Boxee at DEFCON 20, both described below. These are known to work as of the latest update, 1.5.1.23735.

Software Root Method (LCE)

SettingsNetworkServers.jpg

In the Share Workgroup Name field, you can add another command by separating it with a semicolon.

For instance, to run "custom.sh" from your USB drive (replace LABEL with the label of your USB disk):

;sh /mnt/LABEL/custom.sh ;

This will cause custom.sh to run at each bootup. The script can then launch BusyBox from the USB drive and spawn a root telnet daemon on port 23.

A video of the POC for this root, used at our DEFCON 20 presentation, can be found on our YouTube channel.
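Added example (not from the original page or the Exploitee.rs authors): why a semicolon in a settings field can run a second command, next to a handler that validates the value and passes it as data. It assumes the firmware pastes the field into a shell command line, which the page does not show; the function names and sample values are constructed.

```shell
#!/bin/sh
# Assumption: the settings handler builds a shell command line from the
# Share Workgroup Name value. Function names are hypothetical.

# Vulnerable pattern: the value becomes script text, so ';' ends the
# intended command and whatever follows runs as a second command.
apply_unsafe() {
    sh -c "echo workgroup=$1"
}

# Allowlist check: 1 to 15 characters (the NetBIOS name limit) from a
# set deliberately stricter than NetBIOS itself allows.
is_valid_workgroup() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Hardened pattern: validate first, then hand the value over as an
# argument ($1), so it stays data and is never parsed as script text.
apply_safe() {
    if ! is_valid_workgroup "$1"; then
        echo "rejected workgroup name" >&2
        return 1
    fi
    sh -c 'echo "workgroup=$1"' _ "$1"
}

# Constructed sample values; the second carries a harmless extra command.
for value in 'WORKGROUP' 'HOME; echo INJECTED'; do
    echo "unsafe: $(apply_unsafe "$value" | tr '\n' '|')"
    echo "safe:   $(apply_safe "$value" 2>&1 || true)"
done
```

Validation and argument passing are independent layers: either one alone stops the second command in this sample, and a handler that writes the value to a configuration file instead of invoking a shell avoids the problem class entirely.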

Hardware Method

Scrape the two vias labeled in the picture below and solder wires from them to a UART adapter (TX/RX). Connect ground to any ground point. Once the box boots, it will drop you to a root shell.

Boxeehw.jpg