Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
Announcements       Thread starter PSXHAX       Start date May 21, 2021 at 2:35 AM       8      
Status
Not open for further replies.
Recently rmDevNull shared on Twitter RootMyRoku which is a root jailbreak for Roku OS v9.4.0 build 4200 devices using a Realtek WiFi chip with help from ammar2 and popeax from the Exploiteers (Twitter) Discord Channel giving end-users control over what channels they install among other modifications like Hacking a Roku TV to Control Lights. :geek:

Download: dev-channel.zip / GIT

:alert: Note: Engadget.com reports the RootMyRoku vulnerabilities have since been mitigated in both RokuOS v9.4 and RokuOS 10 software for those who recently updated their devices... so as with video game consoles, don't update if you wish to root and jailbreak your streaming devices. :sneaky:

Personally I use a Roku streaming media player to access my Plex Media Server, as I haven't had great luck with the native Plex app on my Samsung Smart TVs.

However, the general direction Plex is heading is quite disappointing over the last 12 months... so I'm open to alternatives that don't plaster the home screen with 'suggestions' on what (in your own library) to watch or spam it with Plex Live TV promotions, etc.

From the README.md: Root My Roku
  • A persistent root jailbreak for RokuOS v9.4.0 build 4200 devices using a Realtek WiFi chip.
  • A big thank you to ammar2 and popeax from the Exploitee.rs Discord for helping discover and develop this.
Features
  • Spawns a telnet server running as root on port 8023.
  • Enables the low-level hardware developer mode.
  • Adds many new secret screens and debug features to the main menu.
  • Blocks channel updates, firmware updates, and all communication with Roku servers.
Usage
  1. Download any new channels you might want to use after the jailbreak.
    Once you jailbreak your device, all communication with Roku's servers will be blocked.
    Any channels you currently have installed should continue to work.
    Please see the F.A.Q. below for details.
  2. Enable Developer Settings on your Roku device.
  3. Download the latest dev-channel.zip from the releases page.
  4. Upload dev-channel.zip using the guide from the previous step.
  5. Follow the prompts on screen, then reboot to jailbreak!
Applications
  • Using a Roku TV to drive ambient lighting:
    (details).
F.A.Q.

Which devices does this affect?

  • Affected devices include almost all Roku TVs and some Roku set-top boxes.
  • In theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.
  • You can check your current software version from Settings -> System -> About.
  • While it is not possible to manually check your WiFi chip manufacturer, the channel provided for this exploit will tell you if your device is vulnerable or not.
Can this brick my device?

No! It makes no changes to the underlying firmware that the device runs. If anything bad happens, a factory reset will always recover your device.

How do I un-jailbreak my device?

You have two options:
  • Factory reset your device. This will clear NVRAM and remove the jailbreak.
  • Using the telnet server on port 8023, delete /nvram/udhcpd-p2p.conf and reboot.
Is Roku aware of this exploit?
  • Some of the critical components required for the exploit chain no longer work in RokuOS v10.
  • The NFS mount option that is used for arbitrary file modification gets disabled, and the service used for persistence and privilege escalation is no longer used.
While RokuOS v10 has started rolling out, many devices have not received the update yet.

Why does the jailbreak block communication with Roku servers?

This is a precautionary measure to prevent the jailbreak from being disabled or removed.

In the past, Roku has taken some creative measures to forcefully patch jailbroken devices. One such example was an update to the screensaver channel that would check for a telnet service, connect to it, and command it to un-root and update the device.

Unfortunately, the servers used for channel and firmware updates the same ones used to communicate with Roku in general. Blocking updates means that no new channels can be installed and that certain features like "My Feed" and "Search" will no longer work.

Applications that communicate with other services (e.g. YouTube, Netflix, HBO) will still work.

How can I prevent my non-jailbroken Roku from updating?

Edit your modem/router's DNS settings to use the IP address of dns.rootmyroku.com. You can find the current IP address using nslookup, dig, or online DNS lookup tools.

Why should I trust the code you execute on my device?

You don't have to!

All of the files required to reproduce this exploit are available in this repo:
  • The local channel used to load the remote payload is available under local.
  • The remote payload loaded over NFS is available under remote.
  • The script used to create the NFS and DNS servers are available under server.
Exploit Details

There's two main vulnerabilities that make this exploit possible: arbitrary file modification and privilege escalation.

RokuOS actually does a decently good job at sandboxing channels to prevent them from accessing the underlying filesystem. In addition to running as a restricted user, a software sandbox, and a chroot jail, Roku's Linux kernel has grsecurity patches applied.

These patches mitigate common exploit techniques used in jailbreaks and privilege escalation. Furthermore, the entire root filesystem is read-only and baked into the firmware. Only persistent storage (NVRAM) and temp directories are writable.

Arbitrary File Modification

Two things conspired to allow arbitrary file modification. The first was that an undocumented pkg_nfs_mount channel manifest option. This option was meant to reduce the software development lifecycle when creating a channel by allowing the channel's source code to be hosted on a different machine using NFS. This removes the need to re-package and re-upload channels after every code change.

The second was a shortcoming of the grsecurity patches and the Linux kernel in general: symlinks over NFS act weird. While grsecurity was configured specifically to not allow symlinking to directories owned by other users, the ownership and permission checks no longer work properly when the symlink resides on an NFS mount.

This allows us to create a symlink in the remote channel's package that points to the root of the main filesystem. (See remote/source/Main.brs for details.) This provided us with the ability to modify persistent storage and temp files, but only as the app user.

Privilege Escalation

From there, we discovered that the process that configures udhcpd (a DHCP service used for pairing speakers and remotes) for Realtek chipsets could be made to read a config file from NVRAM, a location that the app user has access to. If we could leverage it properly, it would let us manipulate a service running as the root user and also give us a means of persisting across reboots.

Thankfully, udhcpd has an option for executing a script (notify_file) with a single parameter (lease_file) whenever a DHCP lease is created. It wasn't perfect though: the udhcpd service would only run the script if it has the "execute" bit set. While we could create arbitrary files using our previous exploit, we didn't have control over the file's permissions and as a result, none of the payload scripts we create are marked as executable.

To make matters more difficult, we couldn't pass the payload script as lease_file to the built-in shell executables because udhcpd would overwrite the script contents first.
Ultimately, the solution involved creating a lease_file value polyglot that is both an AWK script and a legal file name. (See remote/bootstrap.conf for details.)

Footnote

If anyone at Roku is reading this: you desperately need a real bug bounty program.

Without one, there's little incentive to research and report vulnerabilities when you're not sure if you'll be rewarded for your efforts or not. While we took this project on for fun as a hobby, almost no professional security researchers are going to dedicate as much effort as we did for a "maybe".
RootMyRoku A Root Jailbreak for Roku OS via rmDevNull Llamasoft.jpg
 

Comments

ahh roku is junk in my opinion not much you can do with them i find they're extremely limited, i rather build a custom android box with a raspberry pi that or run a jailbroken appletv. as far a plex servers go i cant be bothered to download things ahead of time and put them on a server.

best move in my opinion is get a service such as real-debrid for kodi on an android/appletv and just scrape 4k or 1080p links from the cloud and stream them in real time it has almost anything.

for example maybe i want to watch a movie from the early 80's it has it, and old uncommon tv show it has it. can find virtually anything no problem no waiting to download or anything its instant. just my two cents.
 
A few years ago I did the 'streaming' thing with Kodi on a Firestick, but eventually got tired of stream links to the old stuff I watch being down so ended up running my own media server basically.

It's time-consuming and tedious work upfront downloading all your favorite movies and TV shows and renaming all the episodes as you like, but after you do it one time each (with backups) you can enjoy them free for the rest of your life and never pay for 'services' like Netflix or Hulu (that periodically remove content subscribers pay for while raising their rates) again. :tup:

So far I've archived over 20TB (mostly classic TV shows from AWESOME folks like THIS) with youtube-dl being a big help in recent months for leeching entire series via Paramount Plus while it lasts. :giggle:
 
Sorry, but this seems useless to me. As for Roku, forget that, get something decent like Nvidia Shield TV. Anyway, if I am missing something here maybe I could be filled in. Thx.
 
It really depends on the intended use... I checked out the Nvidia Shield TV and it was $199.99 compared to a Roku Express for $24.99. 😜

For simply streaming a self-hosted video collection, Roku is one of the least expensive but still effective ways to go.

If someone is looking for an Android TV streaming box with bells and whistles like Google Assistant, 4K Chromecast functionality, etc then spring for an Nvidia Shield TV... or if money isn't an issue, build a custom streaming box! 🤑
 
I only used the free links, at the time I was ditching my monthly Netflix account so I didn't want to swap one 'paid' service for another... my goal was to be able to watch all my favorite shows for free forever basically.

Some friends of mine tried getting me into buying one of those 'Kodi boxes' people were selling at the time on Craigslist etc loaded with all the PPV premium channels hacked / included for free.

At the beginning the temptation was real to go that route, but over time as I visited them they kept having issues and constantly had to keep updating their stuff... which ended up being more of a hassle than it was worth, so in hindsight I'm glad I didn't jump on that bandwagon. 🙃

I can't wait to see what the future brings, I'm fairly confident in my lifetime technology will reach a point where I'll be able to carry all 20TB+ of movies and shows on a single microchip the size of a fingertip around with me and won't even need to stream then. :geek:
 
Status
Not open for further replies.
Back
Top