Difference between revisions of "Installing Custom Recovery (Gen 2 Only)"

From Exploitee.rs
Latest revision as of 10:13, 31 December 2014

About

This custom recovery currently exploits a secure boot flaw in the second generation of Google TV devices to allow an unsigned kernel to be booted on the Google TV. Below we describe how to install a custom recovery on the Google TV, which gives full read/write access to the device as well as an automated process for installing update packages (whose signatures it does not check).

Devices

  • ASUS Cube
  • Hisense Pulse
  • Sony NSZ-GS7/GS8

Warnings

  • This will definitely void your warranty, if you want to keep your warranty please do not do any of the steps in this guide.
  • This may brick your GTV. It shouldn't, but it still might!

Tools Needed

  • Linux Live CD or Linux Installed
  • A vulnerable Google TV device.
  • 1 USB Drive (to be formatted)
  • 1 USB Keyboard

Pre-Setup

  1. Boot Linux (Live CD or Install)
  2. Download Custom Recovery Package for Device
  3. Download GTVHacker SecureBoot update.zip
  4. Unzip Custom Recovery Package

Custom Recovery Steps (Cube and Pulse)

  1. Format a drive NTFS, and mount it.
  2. cd to the drive, and issue the following commands:
    The major and minor numbers for these commands are taken from an "ls -l" on /dev/mtd for the recovery mtd.
    mknod gtvhacker-recovery c 90 32
  3. Then copy our files for your specific box to the root of your NTFS flash drive:
    nandwrite
    flash_erase
    CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
  4. Unmount the drive, and insert it into your Google TV.
  5. Connect via adb, and issue the shell command.
  6. To find the name the box gave your USB drive, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL (where LABEL is the rest of the directory name listed above)
  7. Now, issue these commands:
    cp flash_erase /data/local/tmp
    cp nandwrite /data/local/tmp
    chmod 755 /data/local/tmp/flash_erase
    chmod 755 /data/local/tmp/nandwrite
    cd /data/local/tmp
  8. Finally, to install the recovery (where usb.LABEL is the name of your usb drive from above):
    ./flash_erase /mnt/media/usb.LABEL/gtvhacker-recovery 0 0
    ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-recovery /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
    Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
  9. Disconnect from adb and format a FAT32 drive.
  10. Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
  11. Rename GTVHacker-secureboot-update.zip to update.zip
  12. Unmount and eject FAT32 drive.
  13. Plug FAT32 Drive and USB Keyboard into Google TV
  14. On the host PC, enter the following to boot the Google TV into recovery mode:
    adb reboot recovery
  15. After entering GTVHacker recovery press 1 to install from update.zip.
  16. If install is successful, you will be prompted to press Q to exit.

Developers Only (CUBE, PULSE) (UART console required)

We are preparing an update package, installable from the recovery GUI, which will automate the custom bootloader install. To install the uboot custom bootloader (developers only, UART console required):

  1. Format a drive NTFS, and mount it.
  2. cd to the drive, and issue the following commands:
    The major and minor numbers for these commands are taken from an "ls -l" on /dev/mtd for the kernel mtd.
    mknod gtvhacker-kernel c 90 16
  3. Then copy our files for your specific box to the root of your NTFS flash drive:
    nandwrite
    flash_erase
    uboot-VENDOR-MODEL-GTVHACKER.bin
  4. Unmount the drive, and insert it into your Google TV.
  5. Connect via adb, and issue the shell command.
  6. To find the name the box gave your USB drive, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL (where LABEL is the rest of the directory name listed above)
  7. Now, issue these commands:
    cp flash_erase /data/local/tmp
    cp nandwrite /data/local/tmp
    chmod 755 /data/local/tmp/flash_erase
    chmod 755 /data/local/tmp/nandwrite
    cd /data/local/tmp
  8. Finally, to install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
    ./flash_erase /mnt/media/usb.LABEL/gtvhacker-kernel 0 0
    ./nandwrite -p /mnt/media/usb.LABEL/gtvhacker-kernel /mnt/media/usb.LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin
  9. Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
  • To then boot from USB (try other ports if it is not detected):
usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000
0x01308000 is the load address, zImage is the name of the file on a vfat-formatted USB drive, and 20568700 is its file size.

Custom Recovery Steps (Sony)

  1. Format a drive NTFS, and mount it.
  2. cd to the drive, and issue the following commands:
    The major and minor numbers for these commands are taken from an "ls -l" on /dev/block for the recovery block device.
    mknod gtvhacker-recovery b 179 10
  3. Then copy our file for your specific box to the root of your NTFS flash drive:
    CustomRecovery-VENDOR-MODEL-GTVHACKER.bin
  4. Unmount the drive, and insert it into your Google TV.
  5. Connect via adb, and issue the shell command.
  6. To find the name the box gave your USB drive, issue this command:
    ls /mnt/media/
    cd /mnt/media/usb.LABEL (where LABEL is the rest of the directory name listed above)
  7. Install the recovery (where usb.LABEL is the name of your usb drive from above):
    cp /mnt/media/usb.LABEL/CustomRecovery-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-recovery
    Now the recovery is installed, but to prevent it from being overwritten and to add su you MUST do the following.
  8. Disconnect from adb and format a FAT32 drive.
  9. Copy GTVHacker-secureboot-update.zip to root of FAT32 drive.
  10. Rename GTVHacker-secureboot-update.zip to update.zip
  11. Unmount and eject FAT32 drive.
  12. Plug FAT32 Drive and USB Keyboard into Google TV
  13. On the host PC, enter the following to boot the Google TV into recovery mode:
    adb reboot recovery
  14. After entering GTVHacker recovery press 1 to install from update.zip.
  15. If install is successful, you will be prompted to press Q to exit.

Developers Only (SONY) (UART console required)

We are preparing an update package, installable from the recovery GUI, which will automate the custom bootloader install. To install the uboot custom bootloader (developers only, UART console required):

  1. Format a drive NTFS, and mount it.
  2. cd to the drive, and issue the following commands:
    The major and minor numbers for these commands are taken from an "ls -l" on /dev/mtd for the kernel mtd.
    mknod gtvhacker-kernel b 179 7
  3. Then copy our file for your specific box to the root of your NTFS flash drive:
    uboot-VENDOR-MODEL-GTVHACKER.bin
  4. Unmount the drive, and insert it into your Google TV.
  5. Connect via adb, and issue the shell command.
  6. Install the custom bootloader (where usb.LABEL is the name of your usb drive from above):
    cp /mnt/media/usb.LABEL/uboot-VENDOR-MODEL-GTVHACKER.bin /mnt/media/usb.LABEL/gtvhacker-kernel
  7. Issue an adb reboot, and you have a custom DEVELOPER ONLY bootloader.
  • To then boot from USB (try other ports if it is not detected):
usb start; fatload usb 0:1 0x01308000 zImage 20568700; go 0x01308000
0x01308000 is the load address, zImage is the name of the file on a vfat-formatted USB drive, and 20568700 is its file size.
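As an added example (not the guide's own tooling), a POSIX shell helper for step 2 of each of the four procedures above: it derives the mknod line from the "ls -l" output for the partition's node on the box, handling both the GNU and Android toolbox column layouts, and checks that a node has the type the following write step expects (c for /dev/mtd on Cube/Pulse, b for /dev/block on Sony). The sample ls lines are constructed, not captured from a device.

```shell
#!/bin/sh
# Added helper, not part of the Exploitee.rs guide: build the mknod command
# for step 2 from an "ls -l" line, and check a node's type before the write.
# (The guide uses an NTFS drive because FAT32 cannot store device nodes.)

# mknod_from_ls NAME "LS_LINE" -> prints "mknod NAME TYPE MAJOR MINOR".
# Locates the "MAJOR, MINOR" pair instead of counting columns, so it works
# for GNU ls -l (link-count column) and Android toolbox ls -l (no link count).
mknod_from_ls() {
    name=$1
    spec=$(printf '%s\n' "$2" |
        sed -n 's/^\([bc]\)[^ ]* .* \([0-9][0-9]*\), *\([0-9][0-9]*\) .*/\1 \2 \3/p')
    if [ -z "$spec" ]; then
        echo "not a block or character device line: $2" >&2
        return 1
    fi
    echo "mknod $name $spec"
}

# expect_type PATH TYPE -> succeeds only if PATH is a device node of TYPE
# (b or c). Run it on the node on the USB drive before flash_erase/nandwrite
# (Cube/Pulse: c) or cp (Sony: b): a plain file, or a node of the wrong type,
# carrying the expected name means the write lands somewhere other than the
# partition you meant, which is one way a box ends up bricked.
expect_type() {
    case $2 in
        c) [ -c "$1" ] ;;
        b) [ -b "$1" ] ;;
        *) echo "type must be b or c" >&2; return 2 ;;
    esac
}

# Constructed sample lines (hypothetical, not captured from a real device).
GNU_LINE='crw-rw---- 1 root root 90, 32 Dec 31 10:13 mtd16'
TOOLBOX_LINE='brw------- root root 179, 10 2014-12-31 10:13 mmcblk0p10'

mknod_from_ls gtvhacker-recovery "$GNU_LINE"      # mknod gtvhacker-recovery c 90 32
mknod_from_ls gtvhacker-recovery "$TOOLBOX_LINE"  # mknod gtvhacker-recovery b 179 10
```

The minor numbers follow the guide's own values: /dev/mtd16 is char 90,32 (minor = 2 x N) on Cube/Pulse, and /dev/block/mmcblk0p10 is block 179,10 on Sony.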

Troubleshooting

  • Help! My recovery doesn't persist after a reboot?!
You must use the custom recovery to install the Secure Boot update.zip file for recovery to persist, otherwise it will be overwritten on the first normal boot. Installing this .zip puts a su binary on the box, installs the flash content bypass, kills OTA updates, and persists the recovery.
  • Recovery is saying that the update.zip file cannot be found.
You must have the USB drive plugged in prior to booting the box and the USB drive must be FAT32 formatted. Use "fdisk -l" to verify the device has a correctly structured partition table.
  • You can get help from us or other users at:

Exploitee.rs Forums (http://forum.Exploitee.rs/)

Exploitee.rs Wiki (http://Exploitee.rs)

  • or you can chat with us on IRC at:

irc.freenode.net #Exploiteers

Freenode Webchat (http://webchat.freenode.net/?randomnick=1&channels=Exploiteers&uio=d4)

(Someone may not be around right away to help, so be willing to wait for a response.)

Download

GTVHacker SecureBoot update.zip: http://download.gtvhacker.com/file/generic/GTVHacker-secureboot-update.zip

Custom Recovery: