Flash Now TV Box with Roku LT firmware?

Search This thread
By:
Advanced…
L

legend474

Member
Mar 6, 2011
7
1
London
I had a look around the forums and couldn't find any information about this and was quite surprised to be honest.

Now TV Box: sorry, cant post links, but you can google it. It costs £9.99 as opposed to £35-49 for the Roku LT.

Already known that you can side load the Plex app for the Roku, but most people would wonder if someone can flash Roku firmware on this.

As far as I know, this Now TV Box is a rebranded Roku LT box with locked down interface.

Maybe I am wrong, maybe this is not doable or maybe no one can be bothered.

I am confident that someone will be able to do it with JTAG interface, but I am wondering if it might be possible to get flashed using the dev mode and some sort of script.

So the main question is, do you know if someone is trying to flash this box or not.
 
  • Like
Reactions: pat da punk
P

pickup9785

Member
Jun 21, 2010
21
7
Hi, not much help, but I was wondering the same thing, I have picked one of those up and would certainly like to turn it into a fully fledged Roku box.

I can understand why Sky have limited the box, but the amount of limit they have put on is a bit bad, the only way to install unofficial channels is as a zip, and I cannot find many zip files across the internet ?

Anybody have an sources for them ? Or anybody tried flashing this ? Does anybody have an official Roku that they could try and backup the firmware from, or is it somehow linked to the box ?

---------- Post added at 10:30 AM ---------- Previous post was at 10:26 AM ----------

The other option may be a proxy which provides the official lt firmware as an update instead of the now tv one ?
 
Bradshort

Bradshort

Senior Member
May 30, 2010
137
4
Huawei P40 Pro
I too am playing with this box. Plex is set up but I have encountered a snag when installing plex onto my lmited NAS.

So am too wondering if this can be flashed or what other apps are available as Zips to sideload?
 
I

ibmonkey

Member
Nov 17, 2010
25
8
Also wandering the exact same thing! Just got mine ordered today. It would be great to get it to be just like the normal roku as it sounds like they've limited the apps for it quite a bit.
Hopefully someone can figure this out!
 
P

pknut

New member
Aug 1, 2013
1
0
NOWTV Developer access gone?

I have just got the NOWTV box and have tried to get developer access - so i set it up on thenow tv box and it told me it was enabling developer mode.
However i cannot access the developer webservice from pc browser and even ping won't detect the NowTV device.

I got it in the 1st August and it immediately updated itself - i wonder if they have removed this developer access page.

Anyone any ideas?
 
Z

zingle

Member
Feb 6, 2010
28
0
pknut said:
I have just got the NOWTV box and have tried to get developer access - so i set it up on thenow tv box and it told me it was enabling developer mode.
However i cannot access the developer webservice from pc browser and even ping won't detect the NowTV device.

I got it in the 1st August and it immediately updated itself - i wonder if they have removed this developer access page.

Anyone any ideas?
Click to expand...
Click to collapse

just installed mine got plex on before I put the net in due to your post lol however the update does not kill dev mode
 
B

bobmarleypeople

New member
Apr 17, 2010
2
2
I got Plex on through the developer interface no problem, but I've not found many other apps out there available as source, so this method won't be very useful if you want things like Netflix, etc.

I've had a play about with the settings in the other secret menu (home x5, FF x3, RW x2) letting you change the channel store server and the software update server. The software update server can change from beta to release, but both just reinstall the same version. Changing the channel store server gives you 4 or 5 options, but only the main one actually work, the rest just return an error when you try to access the store, and in some cases the channels vanish from your home screen, so this wasn't helpful either.

What's worth mentioning is that, with traditional Roku LT boxes, you'd get a "link code" that you'd enter on the Roku website that lets you send channels from their website to the box, among other things. This NOW TV box didn't offer that code at all.

One last thing, in that secret menu I mentioned before. At the bottom of the info dump on the left, it ends with Uptime in minutes, followed by "unregistered". I'm curious what this means. Could be something to do with the Now TV subscription, not sure. If anyone has a NOW TV subscription, could you see if this says "registered" or something else?
 
  • Like
Reactions: richard-ski
F

furblefox

Member
Feb 2, 2008
5
0
Nope

bobmarleypeople said:
One last thing, in that secret menu I mentioned before. At the bottom of the info dump on the left, it ends with Uptime in minutes, followed by "unregistered". I'm curious what this means. Could be something to do with the Now TV subscription, not sure. If anyone has a NOW TV subscription, could you see if this says "registered" or something else?
Click to expand...
Click to collapse


I'm afraid not, I have a now TV package and it still shows as 'unregistered'. I suspect this is where it would say registered if the Roku box was linked to the Roku website, but as theres no link code... :/
 
B

bobmarleypeople

New member
Apr 17, 2010
2
2
furblefox said:
I'm afraid not, I have a now TV package and it still shows as 'unregistered'. I suspect this is where it would say registered if the Roku box was linked to the Roku website, but as theres no link code... :/
Click to expand...
Click to collapse

Thanks a lot. If you're right, I'm wondering if the capability to generate and display a link code is still available on the device, only hidden. If there is, there may be a way to get the online store to send non-Sky-authorised channels onto the box without the need to change the firmware. Sadly, I wouldn't be surprised if the function to generate said code is hidden away from 3rd party channels. I'll keep having a play.
 
  • Like
Reactions: richard-ski
B

Bouncer5

Senior Member
Jun 10, 2010
419
9
Glasgow
Now I don't own one, but if we can get this sorted I will be picking up a few.

Has anyone looked to see where the device tries to pull its updates from?
We could spoof a local server to delivery a standard Roku LT firmware to it instead. It see an update it does its install and bang. £10 Roku LT box.
 
  • Like
Reactions: erica_c40
S

scibot

Member
Mar 31, 2007
20
0
Tipton
Here is some info I found relating to the ROKU Netflix Branded box, sounds like a similar sort of affair.

http://www.cs.cmu.edu/~ecc/roku-nfp.html

A Signing key is needed. Not that this is a complete dead end, im sure that something can be hacked into place here. Its just a matter of the right people getting hold of the hardware. We can already run executables. Do executables not have the rights to 'root' the box?

I know fudge all about Roku development, so dont shoot me down in flames please. :)

Sci.

[Edit: This guy wanted to 'change the firmware' - if we use this method with official firmware, maybe the key is the same and it would work?]
 
Last edited:
W

wozhere

Senior Member
Sep 29, 2010
461
149
You can register a new account on the first form page of buying and simply close the second page asking for payment details.

Some anonymous Roku dev might be able to release a sideloadable Roku OS for this box?
 
speculatrix

speculatrix

Senior Member
Mar 7, 2006
708
136
Cambridge
I've been trying to hack the communication between the nowtv box and its servers using a mix of redirection on the firewall and burpsuite; like others I want to see if I block sw updates and then get it to download standard Roku firmware.
 
  • Like
Reactions: 6ix and ibmonkey
I

ibmonkey

Member
Nov 17, 2010
25
8
speculatrix said:
I've been trying to hack the communication between the nowtv box and its servers using a mix of redirection on the firewall and burpsuite; like others I want to see if I block sw updates and then get it to download standard Roku firmware.
Click to expand...
Click to collapse

No luck I'm guessing yet then?
Have you discovered anything that could be handy for others attempting this?

Good luck btw!
 
S

spikeeee

Member
Jan 1, 2007
43
8
Looking at the PCB, it seems that it is a depopulated board, its all marked out for the USB and everything else that is removed (see images below, sorry not my images). Though it does like its more than just the USB connection, it looks like some SM resistors and other bits are missing as well :(

ROKU LT board

Roku-2-Teardown-Top.png


NowTV Board

nowtv_boxHD_05_displaywatermarked1v3.jpg


Close up of USB area

nowtv_boxHD_04_displaywatermarked1v3.jpg
 
  • Like
Reactions: sifer69 and wozhere
Whiterat

Whiterat

Senior Member
Jun 20, 2006
169
8
andeq r0, r0, r0
Where do I start...

With regard to tricking the LT firmware onto it (which was my plan) this does appear to be a no-go.

It makes an HTTPS request out to Roku for what I imagine is some kind of manifest/xml which dictates what the latest firmware is and some kind of hash to verify it.
The box will then download the firmware over HTTP (yay I thought..) so dnsmasq to the ready I renamed the LT (aka giga/024) image, it downloads it but fails to verify (error 006).

The firmware images themselves still require a lot of investigation, uboot and a kernel are in there plain (as you would expect) but the main filesystem is still to be found - after routing through the GPL pages it would appear to still be cramfs with different magic, but even then this isn't visible in the firmware so most probably encrypted.

(#define CRAMFS_MAGIC 0x28cd3d47 /* cramfs as modified by Roku */)

Encrypted by what?
Again judging by the roku GPL source, they store a 16byte aes key within the Broadcom Videocore - I can't envisage this being easy to recover without userland access.

(static unsigned char aes_k[16];
vc_otp_read(46, 4, aes_k);)

Random Info:
Windsor does appear to be the codename for this box (makes sense for a british product I guess), other code names are giga, paolo, jackson and austin.
Mapping them out is not so straight forward though, the below is likely wrong:

ID -- Codename -- Model
024 giga Roku LT
025 ??
034 paolo ??
045 austin Roku 3
??? jackson ??

Failed Ideas:
MITM (SSL is validated - as you'd expect)
Firmware Interception/Replacement
thttpd exploits

Ideas Still to Look into:
Generate SSL certificate with "api.qa-uat.roku" as a subject alternative name, cycle channel store server to that and see what we can see.
libzip exploit (dev package upload - possibly too much hard work tbh, would need to know the target binary well)
There is a 20 pin arm jtag header exposed on the board...
 
  • Like
Reactions: wozhere
W

wozhere

Senior Member
Sep 29, 2010
461
149
Maybe writing a Roku plugin/app that loads immediately upon start up and blocks the channel to Roku or similar constant/var place holders to stop the firmware update?
 
Last edited:
You must log in or register to reply here.

Similar threads

B
[TUT]MTK Android (Sp flash tool ) tutorial
Replies
1K
Views
2M
tavoc
tavoc
A
[Tool] SP Flash Tool New Version v5.1352.01
Replies
104
Views
655K
R
rxf2g
yasmeene
[how to] flash LG KS20 with new rom, all included
Replies
670
Views
383K
A
Al-e-xa
sd_shadow
[Index] Motorola Flashing Utilities and Firmware (Unbrick Your Moto)
Replies
168
Views
401K
B
Blackstratolion
N
Odin Multi Downloader with pit and ops files
Replies
100
Views
568K
SodaWithYoda96
SodaWithYoda96

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 5
    S
    SlackR84
    Ok,

    So I removed the Roku 2 XD Nand and fitted it to the Now TV. It refuses to boot (dont even get the flashing LED to suggest firmware is loading). This suggests to me that uboot is either not booting or doing a check (key in OTP of the CPU vs firmware?) and refusing to boot the firmware. It could also be due to the lack of Bluetooth hardware (might work if I get an LT....)

    Looks like next step is to get serial output and see whats actually happening (if possible).

    I am now removing the CPU to trace out the above possible serial pins.

    Edit:

    I have removed the CPU and have a bunch of pictures to post - but I cant do that until I hit 10 posts apparently.
    View
    5
    speculatrix
    speculatrix
    by redirecting traffic to burpsuite I intercepted a call to download the firmware

    GET /windsor/074.09E08061A HTTP/1.1
    Connection: close
    Host: firmware.roku.com
    User-Agent: Roku/DVP-4.9 (074.09E08022A)

    you too can download it here: http://firmware.roku.com/windsor/074.09E08061A

    so now I have a 41M file which, using strings, begins "imgARMcC" and
    has interesting things like "BCM95001" and "Starting ARM with %dMB
    ARM clock speed at %dMHz **** failed to power up the USB interface" in it.
    View
    4
    X
    xXhighpowerXx
    sorry
    View
    3
    S
    SlackR84
    I have removed the nand chip from the Now TV and took a full dump. I also bought a Roku 2 XD and will be taking a full nand dump of this too, I will then reflash the now tv nand. I went with the XD as it supports 1080p and the only hardware difference is a microsd slot and the bluetooth (which are unpopulated on the now tv board).

    The lack of microsd wont be a problem - as there is nothing connected when the slot is empty anyway. Hopefully the lack of bluetooth wont stop the XD firmware booting. If it does, I will get a LT - but I figured 1080p support was a nice upgrade.

    There seems to be references to ttybcm0 in uboot, which also gives serial connection settings. I have the pinout of the BCM2835 (same as the raspberry pi) with the possible pins for serial (depending on how its configured).

    BCM2835%20UART.png


    I will probably remove the CPU and trace out these 3 combinations and try to get serial access. Assuming uboot isnt locked down, should be easy to flash from there.

    Bouncer5 said:
    Anybody want to soilder a USB port onto the space? See if we can't sideload something on it?
    Click to expand...
    Click to collapse

    That wont work, the USB controller is missing. The higher end rokus have a chip that handles USB and Ethernet - the SMSC LAN9512-JZX. This is a "Hi-Speed USB 2.0 Hub and High-Performance 10/100 Ethernet Controller". Without that chip (and the missing supporting surface mount components) you wont get USB or ethernet, even if you do solder in the port.

    spikeeee said:
    ROKU LT board
    Click to expand...
    Click to collapse

    That is a Roku 2 XS board, not a Roku LT. The LT board is the same as the Now TV board - i.e. a bunch of unpopulated parts.
    View
    3
    X
    xXhighpowerXx
    YAY Root shell :laugh:


    UART PIN:
    Reset GND
    3.19V 5V (Supply voltage)
    RX 3.16V
    0V TX
    GND GND
    N/C 0V 3.16V
    3.16V 3.16V
    3.16V 3.16V
    3.03V 3.16V
    3.19V 3.16V
    View

New posts