Rooting Logitech Revue

Trying to further the development of Android on the Revue? Talk about it here and document it on the wiki: http://www.wiki.gtvhacker.com

Moderator: Revue Mod

Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Rooting Logitech Revue

Post by Chinpokomon »

jd567890 wrote:I'm pretty sure we won't be waiting for eternity to get 3.1 rooted. But, if I had soldered my $300 box to root it I wouldn't be giving that up anytime soon - even as great as 3.1 is! Surely it can't be that hard for a dev to take the 3.1 update file and create a rooted version?
I'm pretty sure it isn't a cakewalk either. There are several hurdles to overcome, and the Intel MC4150 that powers the Revue boxes seems to be a big source of them.

From the Product Brief of the CE4100 line (includes the CE4150):
• Security Features Support
– 2 smart card (ISO 7816) interfaces
– HDCP content protection for HDMI
– ROVI*4 (v7.1.L1) and CGMS-A protection on analog video
– DES, 3DES, AES, MULTI2 and DVB-CSA transport stream descrambling
– Dedicated security processor with hardware acceleration
– Support for security access schemes
– Secure boot

It is that last one that is causing so much difficulty in hacking this device. It isn't just a matter of replacing the signed system files, it is replacing everything in a way that works with the security capabilities of the processor. If this were a PC, you could just replace the validation code in the boot-loader and then walk the chain, compromising the signature checking at every step along the way. With authentication in the silicon, it makes it improbable to circumvent without identifying some exploit in the hardware.
bitbang3r
Android 1.0
Posts: 6
Joined: Thu Aug 04, 2011 1:01 pm

Re: Rooting Logitech Revue

Post by bitbang3r »

^^^ That's what I was afraid of.

Does it at least look reasonably likely that Google/Logitech isn't going to take away the ability to install .apk files from non-Market sources from Honeycomb at some future time? I'll admit that 99% of my motive for rooting was being able to run arbitrary .apk files (including those I build myself). If that were taken away, the Revue would basically be useless to me because its official out-of-the-box capabilities are pretty lame. Its ability to run arbitrary unblessed non-Market apps is what makes it *interesting*.
havikx
1.6 Donut
Posts: 146
Joined: Mon Aug 08, 2011 8:14 pm
GTV Device Owned: Logitech Revue
Location: New Jersey, SEVEN3II

Re: Rooting Logitech Revue

Post by havikx »

Are there any other devices that use the Atom processor that are Android and have been rooted? If so... I'd say start there. I'm on 3.1 and was looking up how to root some 3.1 tabs, but they all look like device-specific exploits.

I'm down to mess around if any1 has any ideas.
HTC one s - cm10 jellybean unofficial
T-mobile g1 - cm6
T-Mobile g2- andromadus ics beta
T-Mobile hd2- cm9 by tytung
HP touchpad- CM9 alpha 2
Logitech revue- OTA downgrade 3.1
Member xda forums
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Rooting Logitech Revue

Post by Chinpokomon »

havikx wrote:Are there any other devices that use the Atom processor that are Android and have been rooted? If so... I'd say start there. I'm on 3.1 and was looking up how to root some 3.1 tabs, but they all look like device-specific exploits.

I'm down to mess around if any1 has any ideas.
Android has been predominately ARM, and of the x86 Android devices that I know of, none of them except the GTV devices use one of the Intel Atom CE processors.

I found this list of SoCs and the devices they're in:
• Intel CE4100 (Sodaville) family - SGX535 + Atom-based CPU
– Orange Orange Box
– Sony Bravia Internet TV NSX-GT1
– Sony Internet TV Blu-Ray Player NSZ-GT1
• Intel CE4110 (Sodaville) - SGX535 at 200MHz + Atom-based CPU at 1.2GHz
– D-Link Boxee Box
• Intel CE4150 (Sodaville) - SGX535 at 400MHz + Atom-based CPU at 1.2GHz
– Logitech Revue (970-000001)
– Iliad Freebox Revolution
– AcRyan `FLUXX` Media Player

I've italicized the ones that I know are Android... nothing else on the list is in the family. The Sony devices are listed as CE4100, but the CE4100 doesn't have HDMI input. I suspect they are either CE4130's or CE4150's, and more likely they are CE4150's so that their graphical capabilities are on par with the Revue.

I'm also having problems tracking down any white paper or other information regarding how the CE4100's implement their boot security. Presumably the devices themselves have a public key on them (on the SoC), and then they authenticate the signatures on what boot code they find. If the public key is stored in some flashable region of the device, we might be able to replace it with another key to match our private (and then publicized) key, re-signing all the code thereafter with our new private key. If it is in an ASIC or on-die, that would suggest that the public/private keys are produced for a vendor (in our case Logitech) for each production run... that sounds expensive. Maybe it is a key available with the SDK, in which case if we got the SDK, we might be able to recompile or sign our own code. Lastly, maybe it is a hashing system, whereby each vendor has their own key that can be authenticated with a public key stored on-die, and that key points back to a vendor. In this way, if the key is ever leaked, you would know what vendor to blame, and you might be able to implement a black-list system where the SoC rejects known compromised keys. This last approach works well for systems like BluRay and HD-DVD, but I don't know if something like the CE4100's would be able to implement a black-list... how would it receive updates?

With so few devices supporting these chips, it is unlikely that we're going to just happen upon an exploit on some other device.

edit: More up to date list of Intel SoC, doesn't change anything - http://imgtech.wikispaces.com/List+of+I ... d+products
havikx
1.6 Donut
Posts: 146
Joined: Mon Aug 08, 2011 8:14 pm
GTV Device Owned: Logitech Revue
Location: New Jersey, SEVEN3II

Re: Rooting Logitech Revue

Post by havikx »

People have tried the usual root methods too...as far as I know. Gingerbreak, universal root, super one click. Maybe we could use a method from a tab that runs 3.1. Though like I said...most of those roots look device specific.

We need honeybreak. Lol
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Rooting Logitech Revue

Post by Chinpokomon »

havikx wrote:People have tried the usual root methods too...as far as I know. Gingerbreak, universal root, super one click. Maybe we could use a method from a tab that runs 3.1. Though like I said...most of those roots look device specific.

We need honeybreak. Lol
I doubt any of the tablet or phone roots will work directly. Completely the wrong platform. As far as I know, a lot of the rooting came through exploits in things like Bluetooth, running a payload as an elevated user. The techniques might work, but the payload would have to be rewritten to support the x86 platform, and the additional security mechanisms in the CE4150 may sandbox any code like that.
havikx
1.6 Donut
Posts: 146
Joined: Mon Aug 08, 2011 8:14 pm
GTV Device Owned: Logitech Revue
Location: New Jersey, SEVEN3II

Re: Rooting Logitech Revue

Post by havikx »

I'm sure there is an exploit in the 3.1 leak. Just need some1 with more skills to figure out where. It's a beta, after all. Not all the holes have been patched yet.
Itsjusttim
Android 1.0
Posts: 22
Joined: Mon Aug 01, 2011 9:33 pm

Re: Rooting Logitech Revue

Post by Itsjusttim »

havikx wrote:I'm sure there is an exploit in the 3.1 leak. Just need some1 with more skills to figure out where. It's a beta, after all. Not all the holes have been patched yet.
Agreed, there has to be something in 3.1! Sounds dumb, but has anyone asked Logitech for root? With the Samsung Galaxy S we had some developers who were in touch with Samsung to get us access to things they needed.

Just thinking out loud.
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: Rooting Logitech Revue

Post by Chinpokomon »

Chinpokomon wrote:I'm also having problems tracking down any white paper or other information regarding how the CE4100's implement their boot security. Presumably the devices themselves have a public key on them (on the SoC), and then they authenticate the signatures on what boot code they find. If the public key is stored in some flashable region of the device, we might be able to replace it with another key to match our private (and then publicized) key, re-signing all the code thereafter with our new private key. If it is in an ASIC or on-die, that would suggest that the public/private keys are produced for a vendor (in our case Logitech) for each production run... that sounds expensive. Maybe it is a key available with the SDK, in which case if we got the SDK, we might be able to recompile or sign our own code. Lastly, maybe it is a hashing system, whereby each vendor has their own key that can be authenticated with a public key stored on-die, and that key points back to a vendor. In this way, if the key is ever leaked, you would know what vendor to blame, and you might be able to implement a black-list system where the SoC rejects known compromised keys. This last approach works well for systems like BluRay and HD-DVD, but I don't know if something like the CE4100's would be able to implement a black-list... how would it receive updates?
Well, this is ominous. Compare the System Block Diagram for the CE3100 (on page 14) with the System Block Diagram for the CE4100 (on page 2). For the Security Processor, moving from the CE3100 to the CE4100, the block labeled "Keys" has been replaced with "On Die Fuses." This adds another possibility, that the private key doesn't have to be burnt into the die when manufactured, and that maybe the vendor can actually blow fuses to create their own.

Finally, I did find this white paper from Amino Communications talking about the security on the CE4100 as it is proposed for use with a MeeGo TV. I suppose the Revue and Sony devices have similar implementations.
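
The key-placement question raised in this post and in Chinpokomon's earlier one, as an added example (not part of the original posts, and not a description of the CE4100's actual scheme, which the thread could not find documented): a toy boot ROM check comparing a public key trusted straight from flash with one whose hash is pinned in on-die fuses. The textbook-RSA keys, image names, `FUSES` layout and `boot` function are all constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes; far too small for real use."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def key_hash(n):
    """Fingerprint of a public modulus, the value a fuse bank would hold."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def boot(flash, fuses=None):
    """Model of the boot ROM's decision. fuses=None means the public key
    is trusted straight from flash with no on-die anchor."""
    n = flash["pubkey_n"]
    if fuses is not None and key_hash(n) != fuses["key_hash"]:
        return "halt: public key does not match on-die fuses"
    if pow(flash["sig"], E, n) != digest_int(flash["image"], n):
        return "halt: bad image signature"
    return "boot: " + flash["image"].decode()

def flash_signed_by(key, image):
    sig = pow(digest_int(image, key["n"]), key["d"], key["n"])
    return {"pubkey_n": key["n"], "image": image, "sig": sig}

# Constructed sample data: both keys and all images are made up for this demo.
VENDOR = make_key(2**61 - 1, 2**89 - 1)      # stands in for the vendor's key
OTHER = make_key(2**107 - 1, 2**127 - 1)     # any key the vendor does not hold
FUSES = {"key_hash": key_hash(VENDOR["n"])}  # burned once at manufacture

def demo():
    stock = flash_signed_by(VENDOR, b"stock bootloader")
    edited = dict(stock, image=b"modified bootloader")  # image changed, old sig
    resigned = flash_signed_by(OTHER, b"modified bootloader")  # key swapped too
    return {
        "stock, fused": boot(stock, FUSES),
        "edited, fused": boot(edited, FUSES),
        "resigned, key only in flash": boot(resigned),
        "resigned, fused": boot(resigned, FUSES),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} -> {result}")
```

The only case where the two designs differ is the re-signed image: with the key held only in flash the check passes, while the fused hash stops the boot before the signature is even examined.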
havikx
1.6 Donut
Posts: 146
Joined: Mon Aug 08, 2011 8:14 pm
GTV Device Owned: Logitech Revue
Location: New Jersey, SEVEN3II

Re: Rooting Logitech Revue

Post by havikx »

After looking through root explorer... I've come to find that there is a partition on the internal memory for the sdcard to exist. It contains the usual sdcard folders. Music. Ringtones. Notifications.

A usb stick is mounted under /mnt/media/

Has any1 tried to mount the device itself to a computer? I check usb debugging in the apps settings.