
Posts Tagged ‘hack’

How to Play Netflix HD on any Android Device with Widevine Level 1 DRM

November 28th, 2016 12 comments

A while ago I wrote an article entitled “Why Doesn’t your Android TV Box Play Full HD or 4K Videos in Netflix?” basically explaining that most TV boxes running Android could only play SD quality, because HD and higher quality requires both Widevine Level 1 DRM and Netflix certification. The second part is the most difficult, since Netflix needs to spend time testing a given product, and may not agree to do so for smaller manufacturers. The end result is that only a small subset of devices can play Netflix HD.

[Photo: Netflix HD on a tablet]

Samsung Tab S2 is one of the devices with Widevine Level 1, but it is not certified by Netflix, and by default can only play SD quality. But XDA Forum user chenxiaolong apparently found a workaround and, as the photo above shows, is now able to reach HD resolutions (e.g. 1920×1080) with Netflix using his tablet. After analyzing packets between the server and his two Samsung tablets, he noticed that he could set “enableWidevineL1” from the JSON response to true, and provided a method showing how to change the app without uploading a modded APK. But others followed his instructions and released a modified Netflix HD APK.

Although it might or might not breach Netflix TOS, please note that this has nothing to do with piracy at all, nor does it skip DRM, as it still requires both a Netflix HD subscription and a device supporting Widevine Level 1 DRM. Sadly that also means the trick will still not work on most cheap Android TV boxes that are limited to Level 3 security. It’s also quite possible Netflix eventually notices and changes the code to prevent this little hack. You can check Widevine DRM support with the DRM Info app.

Thanks to Theguyuk for the tip.


Nintendo NES Classic is Powered by Allwinner R16 SoC, Likely Hackable

November 8th, 2016 28 comments

Nintendo NES Classic Edition is a small replica of Nintendo NES, both adapted to modern times with an HDMI output, and keeping with nostalgia thanks to connectors for original game controllers, and pre-loaded with 30 classic games.


If you planned to add your own games however, the lack of USB ports, micro SD card slot, or any other storage or network interface could make it impossible. But based on a recent photo tweeted by Peter Brown, senior review editor at GameSpot, there may be light at the end of the tunnel: while the main storage device (4Gbit NAND flash) is soldered to the board, the main board is powered by Allwinner R16 quad core Cortex A7 processor with a Mali-400MP2, and it’s quite likely UART / serial console and/or FEL interfaces are exposed on the board, making it possible to hack the device and potentially load your own games.


The other side of the board would really help finding out whether the UART pins are indeed available where I marked them [Update: Correct. NES Classic Hacked, see comments section]. If so, it would still be quite inconvenient to hack the board, as you’d need to connect a USB to serial debug board (normally a couple of dollars) in order to access the terminal, and either copy/paste code, or transfer data to the board. If some of the other connectors are carrying USB signal, it might also be possible to do some hardware hacking to add USB ports.

Software-wise, some references for Allwinner R16 Parrot board can be found in mainline Linux. Allwinner also released Linux based Tina OS for the processor on Github a few weeks ago.

Thanks to Zoobab for the tip.

Hacking ARM TrustZone / Secure Boot on Amlogic S905 SoC

October 6th, 2016 4 comments

Amlogic S905 processor used in many Android TV boxes and ODROID-C2 development board implements ARM TrustZone security extensions to run a Trusted Execution Environment (TEE) used for DRM & other security features.


He explains the steps they went through and how they managed to exploit a vulnerability to bypass secure boot in a detailed technical blog post.

They first started by looking for info in the Amlogic S905 datasheet, but most info about TrustZone had been removed from the public version, so it was not much help apart from a potential address for the BootROM (ROMBOOT_START 0xD9040000). The next step was to connect the UART pins in order to access the serial console, but he could not read the BootROM from there, most probably because you can’t access secure code from non-secure memory.

However, a closer look at the boot log led them to find the bootloaders were based on the ARM Trusted Firmware (ATF) reference implementation, which includes BL1x (BootROM in SoC), BL2, and BL3x bootloaders as shown in the diagram below.

[Diagram: ARM Trusted Firmware architecture]

At this point everything becomes much more technical, as he explains various attempts using U-Boot bootloader, SMC (Secure Monitor Call) interface, and bypassing the Secure Boot chain. The first attempt was a non-starter, the second could have been exploitable but might have required some expert skills and time, but the third one was successful after an analysis of the mechanism used by BL2 to parse and authenticate the BL31 image, and finding out the cryptographic code came from the OSS PolarSSL/mbed TLS project.

Further reverse-engineering of the “authentication” header revealed that BL2 is only using a SHA-256 hash to verify the integrity of the firmware, and that there’s no actual authentication. To confirm their findings, they customized a BL31 firmware, updated the SHA-256 hash (using aml-bootloader-tool script), and it would boot, and eventually they managed to dump the BootROM from Amlogic S905 SoC.

That’s the conclusion:

The S905 SoC provides hardware features to support Secure Boot, however OEMs can still choose to enable it or not. But even when Secure Boot is enforced, a flaw in the current version of Amlogic’s BL2 allows to bypass it. So Trusted Execution Environment cannot be trusted. The good news is BL2 can be patched, unlike BootROM.
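
The difference between an integrity hash and authentication, as an added example that is not from the original post or from Amlogic's code. The header layout, the `IMG0` magic and all function names are hypothetical, and the signature is textbook unpadded RSA built on two Mersenne primes only so that the block runs with the standard library; it is not a usable signature scheme.

```python
import hashlib
import hmac
import struct

# Hypothetical header: magic, payload length, SHA-256 of payload.
# Constructed for this example; not Amlogic's real BL31 header layout.
HDR = struct.Struct("<4sI32s")
MAGIC = b"IMG0"

# Toy RSA key (textbook, unpadded) built from two Mersenne primes so the
# example needs no third-party library. Not a secure signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the vendor only


def pack_image(payload: bytes) -> bytes:
    """Build header + payload; anyone can do this, no secret is involved."""
    return HDR.pack(MAGIC, len(payload), hashlib.sha256(payload).digest()) + payload


def verify_hash_only(image: bytes) -> bool:
    """Integrity check only: does the payload match the hash in the header?"""
    if len(image) < HDR.size:
        return False
    magic, length, digest = HDR.unpack_from(image)
    payload = image[HDR.size:]
    if magic != MAGIC or len(payload) != length:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(payload).digest())


def _header_digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image[:HDR.size]).digest(), "big")


def sign_image(image: bytes) -> int:
    """Vendor side: sign the header (which binds the payload hash) with D."""
    return pow(_header_digest(image), D, N)


def verify_signed(image: bytes, signature: int) -> bool:
    """Authentication: integrity check plus a signature only the vendor can make."""
    return verify_hash_only(image) and pow(signature, E, N) == _header_digest(image)


vendor = pack_image(b"vendor BL31 (constructed sample)")
vendor_sig = sign_image(vendor)
modified = pack_image(b"modified BL31 (constructed sample)")  # hash recomputed
```

`verify_hash_only(modified)` returns True because the hash travels with the image, while `verify_signed(modified, vendor_sig)` returns False because the private exponent is needed to produce a matching signature.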

Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password

October 6th, 2016 43 comments

I’ve just read an interesting article entitled “who makes the IoT things under attack”, explaining that devices connected to the Internet such as routers, IP cameras, IP phones, etc. may be used by botnets to launch DDoS attacks, and they do so using the default username and password. So you may think once you’ve updated the firmware when available, and changed the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH, trying a bunch of default usernames and passwords.

That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country I live in, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.

I’ve started by scanning the TP-Link router in the local network:

UPnP and the web interface ports are open, plus an extra port likely opened by UPnP, which looked fine.

Now I did the same on the ZTE modem in the local network first:

The telnet port is open, that’s not good… It would be much worse if it was also open with the public IP:

Oh boy…. That’s not good at all. Can I access it from the outside?

No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!

That’s huge as it means millions of modem routers can be accessed (likely) around the world with minimal knowledge, I would not even consider this a hack…. Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username / password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…

I don’t know if the Internet provider uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:

Normally, this is no problem as you can remount the root partition in read/write mode:

But it’s not working in this case… I’m sure there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. Those are the commands at our disposal:

busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget

A temporary solution is to kill telnet:

But obviously telnet will run again at next boot time…

Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premises, and hopefully, they’ll be able to change the password, or disable them remotely in due time…

ArduBoy Arduino Compatible Portable Game Console Sells for $39

September 9th, 2016 1 comment

Arduboy feels like the little brother of PocketCHIP portable & hackable game console with its transparent case, but instead of running Linux on a 32-bit ARM processor, Arduboy is based on the same Atmel ATmega32u4 MCU used in Arduino Leonardo & Micro boards.

Arduboy specifications:

  • MCU – Atmel ATmega32u4 AVR MCU with 32KB flash, 2.5KB RAM, and 1KB EEPROM
  • Display – 128×64 1-bit OLED display
  • USB – 1x micro USB 2.0 port for power and programming
  • User Inputs – 6x momentary tactile buttons
  • Audio – 2 channel Piezo Speaker
  • Misc – 1x LED
  • Battery – 180 mAh Thin-Film Li-Po battery good for over 8 hours

Besides the Arduino IDE, the board can also be programmed with Codebender, GCC & AVRDude. There’s also a fairly long list of games to play with, and it can be hacked as a virtual business card, a USB mouse and keyboard, a synthesizer, and more.

The Arduino game console was first launched via Kickstarter last year, raised $433,038 from 7,221 backers, and has been shipped to all backers in August. However, it’s now available for pre-order on Arduboy website for $39, and SeeedStudio is organizing a crowdbuy where it can be had for $37.95. More details can be found on Arduboy website which features a community forum, and a getting started guide.


USB Fun – Tiny USB WiFi and Hub Boards and micro USB Hub

September 1st, 2016 11 comments

I’ve come across a few interesting tiny USB boards and hubs in the last few days, so instead of writing a post for each, I’ve gathered all info into a single article.

Small ESP8285 USB Board

A couple of weeks ago, CNLohr released his first ESPUSB virtual USB implementation for ESP8266, allowing USB to be used without external hardware, barring a resistor, and with only two GPIOs. He has now made a tiny board based on ESP8285 with a USB interface leveraging ESPUSB.

Hardware files can be found on GitHub. So what can you do with it? CNLohr leveraged the work of the community in order to emulate a keyboard and mouse using a smartphone.

The only bit of bad news in the video is that, in the end, USB full speed (12 Mbps) can’t be supported.

NanoUSB Hub Board

Mux wanted to add more USB devices to his tablets, but there was no free port, so he decided to create a USB hub board small enough to fit inside tablets. Called NanoUSB, it measures just 12x12x1.5mm, and provides two USB ports from one USB host port in the target hardware.

He could use it to add a Bluetooth USB dongle inside a Cube i7 Stylus tablet as shown in the video below.

You can find documentation on Muxtronics, and purchase the board on Tindie for $8.90 + shipping.

Micro USB hub

Smartphones usually only have one micro USB OTG port or USB-C port, but if, for example, you want to re-purpose your smartphone for other tasks, or want to use a USB device while charging your phone, you’d need a hub connected via a USB OTG adapter. Another solution is to directly use a micro USB hub with 3 USB ports and one micro USB port, which I found on DealExtreme for $4.71 including shipping.

It could also be useful for the Raspberry Pi Zero board, for example. If you have a more recent device with a USB-C connector you might consider a USB-C to USB hub instead. DX sells one for $5.12.


ESP8266 Gets USB Support Thanks to ESPUSB Software Stack

August 8th, 2016 5 comments

Neither ESP8266 nor ESP32 support USB, so what am I babbling about? No, ESP8266 did not suddenly grow a USB PHY, but cnlohr decided to implement virtual USB support using two GPIOs (12 & 13) for the D+/D- USB signals, meaning you can connect any ESP8266 module through USB, or even update the firmware through USB without external hardware, apart from a single extra resistor.

The source code is available on the espusb repo on GitHub. Please note that the code is currently a work in progress, and the USB implementation currently only works at 1.5 Mbit/s, with potentially future support for 12 Mbit/s.

That’s the demo, and an explanation about the design process.


DIY Wireless Window/Glass Mounted Camera Based on Raspberry Pi Zero Board

June 22nd, 2016 2 comments

A few weeks ago, the Raspberry Pi foundation announced a new version of the Raspberry Pi Zero with a CSI camera connector. Since the solution is quite lightweight, Steven Cassidy had the idea to make a WiFi enabled window camera by soldering a USB WiFi module and fitting the hardware to a plastic part with two suction cups.

Once the assembly is done, you can stick the hardware to a window or glass of your choice in your home, car, aquarium, etc…

If you like the concept but would like to have something working out of the box instead of making your own, the Pi Hut has designed ZeroView on the same principle, which will sell for 7 GBP (~$10.3).