Re: Rooting Logitech Revue

Posted: Wed Aug 10, 2011 1:24 pm
by Chinpokomon
havikx wrote: Has anyone tried to mount the device itself to a computer? I check USB debugging in the apps settings.
I'm pretty sure the USB on the Revue is host mode only. My quick search seems to confirm this as I don't know of any USB controller in the Revue other than what is built into the CE4150, and documentation thereof says "2x USB 2.0 Host".

Aside from the technical reasons why we can't hook up the Revue to a PC to read this, I expect the USB stick you see is just a directory set up to put those files in the directories that Android expects to find them. When I finish rooting my Revue tonight I'll look into it.

Last night I installed the header pins on the motherboard... that ground plane can sure suck out a lot of heat. That one pin took forever.

Re: Rooting Logitech Revue

Posted: Wed Aug 10, 2011 7:46 pm
by Itsjusttim
If we can't go through the USB ports, what about through the HDMI in to find a possible exploit?

Re: Rooting Logitech Revue

Posted: Wed Aug 10, 2011 8:05 pm
by Chinpokomon
Itsjusttim wrote: If we can't go through the USB ports, what about through the HDMI in to find a possible exploit?
HDMI is basically DVI-D or DVI-I with audio thrown in. It does have other signals beyond that, but it is a bit like asking if you can send a radio broadcast that will make your car drive for you. I haven't researched it in depth, but I think you're safe to say that HDMI is not going to have an exploit that will let us compromise the Revue.

Re: Rooting Logitech Revue

Posted: Wed Aug 10, 2011 8:47 pm
by Itsjusttim
Thanks, I was just thinking out loud.

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 5:48 am
by mrandroid
Chinpokomon wrote:
Itsjusttim wrote: If we can't go through the USB ports, what about through the HDMI in to find a possible exploit?
HDMI is basically DVI-D or DVI-I with audio thrown in. It does have other signals beyond that, but it is a bit like asking if you can send a radio broadcast that will make your car drive for you. I haven't researched it in depth, but I think you're safe to say that HDMI is not going to have an exploit that will let us compromise the Revue.
Actually the current version of HDMI is quite different. HDMI is no longer just audio/video. Ethernet, device control, etc. can all be passed through with HDMI 1.4 and above. This is how the Revue controls some connected devices (like my TiVo). Whether or not that communication is two way is a whole different story, but the point is that you can do more than just audio/video with HDMI now.

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 7:10 am
by txyaloo
mrandroid wrote:
Chinpokomon wrote:
Itsjusttim wrote: If we can't go through the USB ports, what about through the HDMI in to find a possible exploit?
HDMI is basically DVI-D or DVI-I with audio thrown in. It does have other signals beyond that, but it is a bit like asking if you can send a radio broadcast that will make your car drive for you. I haven't researched it in depth, but I think you're safe to say that HDMI is not going to have an exploit that will let us compromise the Revue.
Actually the current version of HDMI is quite different. HDMI is no longer just audio/video. Ethernet, device control, etc. can all be passed through with HDMI 1.4 and above. This is how the Revue controls some connected devices (like my TiVo). Whether or not that communication is two way is a whole different story, but the point is that you can do more than just audio/video with HDMI now.
This. The Motorola Photon 4G was rooted through its HDMI dock and required connecting it to a TV to root. It's entirely possible some similar type of exploit could be found on the Revue.

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 11:13 am
by havikx
What do you mean? How did they exploit the HDMI for the Photon?

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 1:11 pm
by Chinpokomon
txyaloo wrote: This. The Motorola Photon 4G was rooted through its HDMI dock and required connecting it to a TV to root. It's entirely possible some similar type of exploit could be found on the Revue.
I'm aware of interesting hacks for the Atrix, mostly because that is how the docking system displays its content, over HDMI. I am not aware of any root exploits that use the HDMI port.

Now, you are correct in that there is something called CEC or the Consumer Electronics Control Bus. http://www.hdmi.org/pdf/whitepaper/Desi ... roduct.pdf This is generally how one HDMI device can control another. It is also bidirectional, which is more than likely how the Atrix receives feedback from the dock. I know this is how my Samsung BRD Player and my Samsung TV talk to each other, allowing one device to control the other.

That said, it is still a protocol. This is the spec. http://xtreamerdev.googlecode.com/files/CEC_Specs.pdf I can't imagine, having looked over it, that there is a command or set of commands that could run elevated code on a device. I also don't know how any of this would be used by the Revue. If there isn't any stack to receive and use these commands on the Revue, and I can't think of a reason why Logitech would have built that capability into the device, I think they'd just be dropped.

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 1:34 pm
by Chinpokomon
havikx wrote: What do you mean? How did they exploit the HDMI for the Photon?
Ok, I found some discussion about this root hack. http://forum.xda-developers.com/showthr ... ?t=1199098

It looks like they rely on a vulnerability in the WebTop application... an application that ships with the Photon. Then by running the downloaded package, they can write it somewhere on the device that they would not normally have the rights to access, /var/temp. Basically they are looking for a place on the filesystem where they can launch their root exploit from. Finally they run the app "pa_race", which I guess is an exploit for the Linux kernel that elevates their privilege. Once they have root (an actual root), they are able to install everything else.

HDMI isn't really how they rooted the device. They rooted the device by using the vulnerability in an application triggered by the HDMI Dock event. You could probably accomplish the same thing by firing off the intent with another application. Then by using a vulnerability of the WebTop application, they were able to download their payload to the device. Finally using a shell, they were able to use another vulnerability to elevate their privilege. HDMI isn't going to help us with the Revue.

Re: Rooting Logitech Revue

Posted: Thu Aug 11, 2011 1:37 pm
by Chinpokomon
Chinpokomon wrote: Last night I installed the header pins on the motherboard... that ground plane can sure suck out a lot of heat. That one pin took forever.
Turns out the refurbished Revue I got already had the UART turned off. I went ahead and fully updated to the latest firmware and played with the Revue last night... works really well with my setup at home, although I had read that there were incompatibilities with my STB and the Revue. I guess I'll be trying out the HC build next and look for a software root.