Exploitee.rs

I am unable to test this myself due to being on holiday.

This bug is present in all Google TV devices, unfortunately in can only be leverage for root in some. Below is a list of devices that are confirmed to get root and the remaining only get system privileges.

This is confirmed to get system privileges on the following devices:
Logitech Revue
Sony NSZ-GS7/8

This is confirmed to get root privileges on the following devices:
Vizio Co-Star

Sources:
http://www.gtvhacker.com/index.php/Expl ... g_for_Root
http://forum.gtvhacker.com/gtv-guides/topic1454.html

That´s sounds Great!!, but right now its only system privileges, I tried to install on my NSZ GS7, but in the end I get permission denied on the temporary folder, I do not know if it is normal, or am I doing something wrong.

### Google TV Modification Package ###
For Support Visit: http//wwwGTVHacker.com
/data/local/tmp/impactor-1:cannot create /tmp/log: permission denied

bovoro wrote:That´s sounds Great!!, but right now its only system privileges, I tried to install on my NSZ GS7, but in the end I get permission denied on the temporary folder, I do not know if it is normal, or am I doing something wrong.

### Google TV Modification Package ###
For Support Visit: http//wwwGTVHacker.com
/data/local/tmp/impactor-1:cannot create /tmp/log: permission denied

Did you get passed the debugger error? If So how?

I just followed the instructions of Saurik, http://gtvhacker.com/index.php/Exploiti ... g_for_Root

and in step 9 I get the error mentioned above

NOTE: Sony NSZ-GS7 boxes
this is NOT working for NSZ-GSx boxes.

the "init" of the kernel boot, do not even look in /data/ for a local.prop to start QEMU mode.

So system privs are ONLY gained with telnetd and root is NOT achieved here.

I got all excited, but oh well, will wait for DEF CON (not sure exactly when that is though)

Aug 1-4

i actually got a little further with the "system" privilege given here.

but not close enough to gain root, sadly.

One of the old way to allow access to /dev/block filesystem is getting a dyn. link to that device, by having a folder in like /data/av_logging set as dyn. link to mmcblk0p11 and when init.rc boots and set ownership, it will switch the device into having 777 rights and you can easily read and dump that file system.
problem was that even with 777, i could not write back the dump of /system, like done on other devices with this trick.

with debugfs, you can actually make a "su" duplicate in /data/local/tmp and access this with debugfs command and change the su command (using write su su) and change owner to 0 and use 0105777 and rights.
ie.
debugfs -w /dev/mmcblk0p14
cd local/tmp
lcd /data/local/tmp
write su su2
mi su2
---
and you can update the su2 command to have root rights. sadly the SuperSU.apk works only partly, since /data is a nosuid partition and i cannot write to /system with debugfs.

maybe this can help others, maybe not!

updates from wiki :

This bug is present in all Google TV devices.

Update: Cydia Impactor now provides every Google TV device a form of root. The only difference is persistence, on some devices the exploit will need to be performed each time root is needed. On others Superuser.apk is provided and the exploit will only need to be done once.
The exploit will need to be run whenever root is needed on these devices:
Logitech Revue
Sony NSZ-GS7/8
The exploit will allow for persistent root on these devices:
All other Google TV devices.

so close to full (untethered) root!