Of the people out there enjoying Google TV, a good percentage of them are hardware hackers who enjoy adding features and removing limitations from normally locked-down hardware. Next week, at the upcoming DEFCON hacker conference, the GTVHacker group will unveil their keys to the kingdom at the Penn and Teller theater, in a talk entitled “Google TV: Or How I Learned to Stop Worrying and Exploit Secure Boot.”
A new post at the GTVHacker blog also reveals that, despite its name, Chromecast is very much a part of the Google TV family, running an operating system more akin to Android than to Chrome OS, which has allowed the group to apply its existing bag of tricks to the popular new media streaming dongle.
The (very techy) explanation of how GTVHacker's trick works follows:
How does the exploit work?
Lucky for us, Google was kind enough to GPL the bootloader source code for the device, so we can identify the exact flaw that allows us to boot the unsigned kernel. By holding down the single button while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0x1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.
ret = VerifyImage((unsigned int)k_buff, cpu_img_siz, (unsigned int)k_buff);
The example above shows the call made to verify the image; the value stored in ret is never actually checked to ensure that the call to "VerifyImage" succeeded. From that, we are able to execute our own kernel. Hilariously, this was harder to do than our initial analysis of exploitation suggested. This was due to the USB booted kernel needing extra modifications to allow us to modify /system, as well as a few other tweaks.
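The bug class GTVHacker describes is a verification routine whose result is stored and then ignored, so the boot path is the same whether verification passed or failed. The following is an added illustration, not code from the Chromecast bootloader or from the GTVHacker post: VerifyImage here is a constructed stand-in (a small tag over the payload) rather than the device's crypto-hardware call, and the image layout, tag scheme and function names boot_unchecked, boot_checked, make_signed_image and run_scenario are all assumptions made for the example. It places the unchecked pattern beside the corrected one and shows that only the corrected path refuses a modified image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the signature check. A real bootloader hands the
 * image to crypto hardware; a trivial constructed tag is enough to show the
 * control-flow defect. Returns 0 on success, non-zero on failure, like the
 * ret value in the quoted call. */
#define TAG_LEN 4
static const uint8_t EXPECTED_TAG[TAG_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};

static int VerifyImage(const uint8_t *img, size_t len) {
    /* Assumed layout: [payload ...][TAG_LEN-byte tag] */
    if (len < TAG_LEN) return -1;
    uint8_t sum = 0;
    for (size_t i = 0; i < len - TAG_LEN; i++) sum ^= img[i];
    for (size_t i = 0; i < TAG_LEN; i++) {
        if (img[len - TAG_LEN + i] != (uint8_t)(EXPECTED_TAG[i] ^ sum)) return -2;
    }
    return 0;
}

/* Vulnerable pattern: the return value is stored and then never examined,
 * so the image is "executed" (return 1) regardless of the verdict. */
int boot_unchecked(const uint8_t *img, size_t len) {
    int ret = VerifyImage(img, len);
    (void)ret;                 /* the defect: ret is never compared to anything */
    return 1;                  /* 1 == image ran */
}

/* Hardened pattern: a non-zero verdict halts the boot before any code runs. */
int boot_checked(const uint8_t *img, size_t len) {
    int ret = VerifyImage(img, len);
    if (ret != 0) {
        return 0;              /* 0 == boot refused */
    }
    return 1;
}

/* Build a genuine image: payload followed by the matching tag. */
size_t make_signed_image(uint8_t *out, const uint8_t *payload, size_t plen) {
    uint8_t sum = 0;
    memcpy(out, payload, plen);
    for (size_t i = 0; i < plen; i++) sum ^= payload[i];
    for (size_t i = 0; i < TAG_LEN; i++) out[plen + i] = EXPECTED_TAG[i] ^ sum;
    return plen + TAG_LEN;
}

/* Scenario helper: build a genuine image, optionally flip one payload byte
 * (a tampered image), then boot through either path.
 * Returns 1 if the image ran, 0 if the bootloader refused it. */
int run_scenario(int tamper, int use_checked) {
    static const uint8_t payload[] = "constructed-kernel";   /* constructed sample */
    uint8_t img[sizeof(payload) + TAG_LEN];
    size_t len = make_signed_image(img, payload, sizeof(payload));
    if (tamper) img[0] ^= 0x01;
    return use_checked ? boot_checked(img, len) : boot_unchecked(img, len);
}

int main(void) {
    printf("unchecked path, tampered image ran: %d\n", run_scenario(1, 0));
    printf("checked path,   tampered image ran: %d\n", run_scenario(1, 1));
    printf("checked path,   genuine image ran:  %d\n", run_scenario(0, 1));
    return 0;
}
```

The verifier itself is fine in both versions; the only difference is the `if (ret != 0)` branch, which is exactly the line the quoted call is missing. When reviewing boot or update code, a quick audit is to grep for every call to the verification routine and confirm that each result is consumed by a branch that stops execution on failure.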
So given the waiting list for the device, by the time you actually receive one, GTVHacker’s lock pick should be at your disposal.