Exploiting Key Signing for Root

From Exploitee.rs
Revision as of 10:15, 31 December 2014 by Zenofex (talk | contribs)
Jump to navigationJump to search

About

A detailed analysis of the bug being exploited and its origination can be found on [Saurik's Blog].

Devices

This bug is present in all Google TV devices, unfortunately in can only be leverage for root in some. Below is a list of devices that are confirmed to get root and the remaining only get system privileges.

Update: Cydia Impactor now provides every Google TV device a form of root. The only difference is persistence, on some devices the exploit will need to be performed each time root is needed. On others Superuser.apk is provided and the exploit will only need to be done once.

The exploit will need to be run whenever root is needed on these devices:

  • Logitech Revue
  • Sony NSZ-GS7/8

The exploit will allow for persistent root on these devices:

  • All other Google TV devices.

Warnings

  • This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
  • This may brick your GTV. It shouldn't, but it still might!

Tools Needed

  • A vulnerable Google TV device.
  • Cydia Impactor (download link at bottom of page)
  • Google TV Modification Package

Pre-Setup

  1. Download Cydia Impactor below
  2. Download Google TV Modification Package below
  3. Unzip Google TV Modification Package.

Persistent Root Steps (For GTV devices other than Sony or Logitech)

  1. Setup your Google TV device to allow a connection from the pc you are going to be connecting from. This can be done by going into the Settings menu, clicking Applications, and then selecting the development option. Inside the development section you should see a place to change the "Debugger IP", set this field to the IP address of your computer.
  2. Launch Cydia Impactor
  3. Connect your PC to Impactor by going to "Bridge" and then "Connect" in the file menu.
  4. Input in the IP address of your Google TV in the "Bridge Connect" input box and press OK. (If successful, a dialog will prompt that you are connected.) Click OK.
  5. Select "echo ro.kernel.qemu=1 > /data/local.prop" from the drop down menu and click start. If the command execute successfully, you may proceed, if not troubleshoot your connection and try again.
  6. Reboot your Google TV by going to "Device" then "Reboot" from the Cydia Impactor file menu.
  7. Reconnect to your Google TV by repeating steps 3 and 4 above.
  8. In the Cydia Impactor file menu, choose "Device" then "Run Program".
  9. Select the "gtv_mod_pkg.sh" file extracted in the pre-setup.
  10. When the process is complete a dialogue box will display. Click OK
  11. Finally, in Cydia Impactor go to "Device" then "Reboot" to reboot your Google TV device for the final time.
  12. Your Google TV device is now rooted!
  • In order to get the content bypass portion working you still will need to change your user agent. This process is described on the [I've rooted... now what?!] page.

Non-Persistent Root Steps (For Logitech and Sony users)

  1. Setup your Google TV device to allow a connection from the pc you are going to be connecting from. This can be done by going into the Settings menu, clicking Applications, and then selecting the development option. Inside the development section you should see a place to change the "Debugger IP", set this field to the IP address of your computer.
  2. Launch Cydia Impactor
  3. Connect your PC to Impactor by going to "Bridge" and then "Connect" in the file menu.
  4. Input in the IP address of your Google TV in the "Bridge Connect" input box and press OK. (If successful, a dialog will prompt that you are connected.) Click OK.
  5. Select "/data/local/tmp/busybox telnetd -p 8899 -l sh" from the drop down menu and click start. If the command execute successfully, you may proceed, if not troubleshoot your connection and try again.
  6. On the Cydia Impactor file menu, choose "Device" then "Open Shell..."
  7. In the terminal window type: "/data/local/tmp/busybox telnet localhost 8899"
  8. If everything went as planned, you should be staring at a "#", type "id" to confirm root id.
  • This method does not provide a read/write file system which prevents current mods like our "Content Provider Bypass".

Known Issues

  • There are times where ADB hangs when connecting to the box, you can either wait the 90 seconds for the operation to time out or you can restart Cydia Impactor and try again.
  • If you are experiencing issues connecting to your device, you may want to verify that the ip address on your machine correctly matches the one white-listed on your Google TV.
  • If you do not see the "Bridge" or "Device" file menu, you may need to update "Cydia Impactor" which can be done by going to "File" then "Check For Updates"
  • If the process for you fails at step 8, there's a possibility that your device cannot leverage the key signing vulnerability for root. This is due to the device not processing the prop placed in /data/local.prop

Troubleshooting

  • You can get help from us or other users at:

Exploitee.rs Forums

Exploitee.rs Wiki

  • or you can chat with us on IRC at:

irc.freenode.net #Exploiteers

Freenode Webchat

(Someone may not be around right away to help, make sure to be willing to wait for a response)

Download

Cydia Impactor: [Mac OS X] or [Windows]

Google TV Modification Package [Exploitee.rs Download Site]