Flash Now TV Box with Roku LT firmware?

speculatrix · Aug 12, 2013

by redirecting traffic to burpsuite I intercepted a call to download the firmware

GET /windsor/074.09E08061A HTTP/1.1
Connection: close
Host: firmware.roku.com
User-Agent: Roku/DVP-4.9 (074.09E08022A)

you too can download it here: http://firmware.roku.com/windsor/074.09E08061A

so now I have a 41M file which, using strings, begins "imgARMcC" and
has interesting things like "BCM95001" and "Starting ARM with %dMB
ARM clock speed at %dMHz **** failed to power up the USB interface" in it.

spants · Aug 13, 2013

speculatrix said:
I found the thread on HUKD where someone had managed to break updates:

http://www.hotukdeals.com/deals/now-tv-box-10-inc-1615409?page=43#post18690920

On my hosts file on my router I added:

127.0.0.1 windsor.sw.roku.com

That stops it updating the firmware.....

spants · Aug 13, 2013

speculatrix said:
by redirecting traffic to burpsuite I intercepted a call to download the firmware

GET /windsor/074.09E08061A HTTP/1.1
Connection: close
Host: firmware.roku.com
User-Agent: Roku/DVP-4.9 (074.09E08022A)

you too can download it here: http://firmware.roku.com/windsor/074.09E08061A

so now I have a 41M file which, using strings, begins "imgARMcC" and
has interesting things like "BCM95001" and "Starting ARM with %dMB
ARM clock speed at %dMHz **** failed to power up the USB interface" in it.

You can use BINWALK (https://code.google.com/p/binwalk/) on this file to get more information.... but is this the whole of the update firmware? on http://www.cs.cmu.edu/~ecc/roku-nfp.html he mentions that there are 3 files to download...

Tried running it through https://code.google.com/p/firmware-mod-kit/ but it fails.

If the box was more expensive it would be worth getting an ARM jtag cable (wiggler) and using http://openocd.sourceforge.net/ on it

flibblesan · Aug 14, 2013

spants said:
You can use BINWALK (https://code.google.com/p/binwalk/) on this file to get more information.... but is this the whole of the update firmware? on http://www.cs.cmu.edu/~ecc/roku-nfp.html he mentions that there are 3 files to download...

The original Roku Netflix Player is very, very different to current Roku boxes. They use entirely different chipsets that are MIPS architecture rather than the ARM architecture as used in current Roku boxes. This obviously means that firmware format will be different and any hacks for the original Roku boxes just won't do anything.

The Roku 2 - which the LT & Now TV box are based upon - was first released in 2011 and two years later not one person has managed to hack the box to install unsigned firmware, additional apps etc etc. The Roku boxes are extremely well locked down and for good reason. I doubt very much they will ever be hacked.

If you want to run Roku firmware then buy an LT. They are only £35.

speculatrix · Aug 14, 2013

spants said:
You can use BINWALK (https://code.google.com/p/binwalk/) on this file to get more information.... but is this the whole of the update firmware? on http://www.cs.cmu.edu/~ecc/roku-nfp.html he mentions that there are 3 files to download...

Tried running it through https://code.google.com/p/firmware-mod-kit/ but it fails.

If the box was more expensive it would be worth getting an ARM jtag cable (wiggler) and using http://openocd.sourceforge.net/ on it

I've worked with a few people who do embedded Arm stuff, so I'll ask if anyone can loan me a jtag cable, or, wants to borrow the nowtv box to play.

---------- Post added at 11:31 AM ---------- Previous post was at 11:28 AM ----------

flibblesan said:
The Roku boxes are extremely well locked down and for good reason. I doubt very much they will ever be hacked.

If you want to run Roku firmware then buy an LT. They are only £35.

If I was going to do that, I'd buy a completely open system like a raspberry pi, or a beaglebone black. But where would be the fun in that?

speculatrix · Aug 14, 2013

spants said:
You can use BINWALK (https://code.google.com/p/binwalk/) on this file to get more information
If the box was more expensive it would be worth getting an ARM jtag cable (wiggler) and using http://openocd.sourceforge.net/ on it

hmm, interesting...

Code:

~/download/Roku$ binwalk windsor_firmware__074.09E08061A 

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
404064          0x62A60         U-Boot boot loader reference
36827492        0x231F164       gzip compressed data, was "Image", from Unix, last modified: Fri Jun 21 20:28:49 2013, max compression
39357391        0x2588BCF       gzip compressed data, has CRC, extra field, last modified: Tue Feb 24 17:08:22 2032
41441952        0x2785AA0       GIF image data, version "87a", 18759
41441960        0x2785AA8       GIF image data, version "89a", 24944
41960112        0x28042B0       Copyright string: " (c) 2010 Broadcomrge ? y == noutput_height || y == noutput_height+1 : y == pFile"
41998628        0x280D924       PNG image, 0 x 0, 0-bit grayscale, non-interlaced
41998636        0x280D92C       PNG image, 0 x 0, 0-bit grayscale, non-interlaced
42430052        0x2876E64       GIF image data, version "89a", 28515
42794144        0x28CFCA0       Copyright string: " (c) 1996-2009 Express Logic Inc. * ThreadX/SMP VideoCore Versic. * ThreadX/SMP VideoCore Version G5.3.5.2 (SP1) SN: 3009-115-"

tholmewood · Aug 15, 2013

I agree that the best and easiest way to increase functionality would be to somehow generate a link code and to push the good apps and private channels to the box. I wonder if there is anyway to figure out what a device's link code is from the model number?

Bouncer5 · Aug 16, 2013

Anybody want to soilder a USB port onto the space? See if we can't sideload something on it?

tonyt3rry · Aug 16, 2013

I have the now TV box its amazing with plex I love it. What kind of private channels do you all use

Sent from my GT-I9300 using xda app-developers app

SlackR84 · Aug 17, 2013

I have removed the nand chip from the Now TV and took a full dump. I also bought a Roku 2 XD and will be taking a full nand dump of this too, I will then reflash the now tv nand. I went with the XD as it supports 1080p and the only hardware difference is a microsd slot and the bluetooth (which are unpopulated on the now tv board).

The lack of microsd wont be a problem - as there is nothing connected when the slot is empty anyway. Hopefully the lack of bluetooth wont stop the XD firmware booting. If it does, I will get a LT - but I figured 1080p support was a nice upgrade.

There seems to be references to ttybcm0 in uboot, which also gives serial connection settings. I have the pinout of the BCM2835 (same as the raspberry pi) with the possible pins for serial (depending on how its configured).

I will probably remove the CPU and trace out these 3 combinations and try to get serial access. Assuming uboot isnt locked down, should be easy to flash from there.

Bouncer5 said:
Anybody want to soilder a USB port onto the space? See if we can't sideload something on it?

That wont work, the USB controller is missing. The higher end rokus have a chip that handles USB and Ethernet - the SMSC LAN9512-JZX. This is a "Hi-Speed USB 2.0 Hub and High-Performance 10/100 Ethernet Controller". Without that chip (and the missing supporting surface mount components) you wont get USB or ethernet, even if you do solder in the port.

spikeeee said:
ROKU LT board

That is a Roku 2 XS board, not a Roku LT. The LT board is the same as the Now TV board - i.e. a bunch of unpopulated parts.

SlackR84 · Aug 17, 2013

Ok,

So I removed the Roku 2 XD Nand and fitted it to the Now TV. It refuses to boot (dont even get the flashing LED to suggest firmware is loading). This suggests to me that uboot is either not booting or doing a check (key in OTP of the CPU vs firmware?) and refusing to boot the firmware. It could also be due to the lack of Bluetooth hardware (might work if I get an LT....)

Looks like next step is to get serial output and see whats actually happening (if possible).

I am now removing the CPU to trace out the above possible serial pins.

Edit:

I have removed the CPU and have a bunch of pictures to post - but I cant do that until I hit 10 posts apparently.

Whiterat · Aug 18, 2013

SlackR84's Pictures:

Code:

https://www.dropbox.com/sh/j0dcht8u6unghi7/14F6NdQq7c

Nice work!

spants · Aug 19, 2013

@SlackR84: In @Whiterats earlier post he mentioned that there is the possibility of a key stored in the broadcom chip. I wonder if the broadcom chip key is linked to the firmware partner - ie a key for Nowtv, a key for netflix - so that the firmware has to match the key?

btw - great job, I wonder how to get a copy of the nand dump?

SlackR84 · Aug 19, 2013

spants said:
@SlackR84: In @Whiterats earlier post he mentioned that there is the possibility of a key stored in the broadcom chip. I wonder if the broadcom chip key is linked to the firmware partner - ie a key for Nowtv, a key for netflix - so that the firmware has to match the key?

btw - great job, I wonder how to get a copy of the nand dump?

We have been speaking in PM about the key, it seems to be per device and based upon the serial of the unit. If true, that means another nowtv dump wouldnt work on a different nowtv.

To make any more progress, I need to get into the serial connection really - uboot seems to be fully featured, including flashing files via serial (aka ymodem). Which is fortunate as TFTP would likely be a no go, as I doubt it has wifi drivers at that stage.... and we have no ethernet on these lower end devices.

Regarding nand dump, it might contain usernames/passwords/wifi password - so I would rather not share it publicly... I dont remember if I hooked this one up to the internet before it gave its life to science.

HOMEBOYCRUSOE · Aug 21, 2013

Do any of you clever dudes know what IP address is used for the 'talkback' feature on this box or even a Roku LT box? I would like to block it as I have read the Privacy settings and certainly seems to do a lot of sniffing and recording about what you play and do on the box. Maybe I'm being overly paranoid adn it doesnt go as far as inspecting/recording content played?

Whiterat · Aug 21, 2013

HOMEBOYCRUSOE said:
Do any of you clever dudes know what IP address is used for the 'talkback' feature on this box or even a Roku LT box? I would like to block it as I have read the Privacy settings and certainly seems to do a lot of sniffing and recording about what you play and do on the box. Maybe I'm being overly paranoid adn it doesnt go as far as inspecting/recording content played?

Educated guess of 72.3.235.75 for NowTV and 72.32.45.19 for the LT.

terracotta4 · Aug 21, 2013

Where's the CPU?

Whiterat said:
SlackR84's Pictures:

Nice work!

These pics don't include the Broadcom CPU, has work to reveal this been completed? Looking forward to it!

Whiterat · Aug 21, 2013

^

The last 4 pics are of the SoC (CPU) - BCM2835

SlackR84 · Aug 22, 2013

As mentioned above, CPU is in the pictures. Ram is mounted on top of the CPU (which is quite an annoying configuration).

Whiterat has made some good progress with the raw nand dump (ECC, remapped blocks etc make working with nand images a little more complex than NOR!).

I have a week off next week, so I will hopefully trace out the serial port and make some more progress. I will keep this thread updated of anything discovered.

terracotta4 · Aug 22, 2013

SlackR84 said:
As mentioned above, CPU is in the pictures. Ram is mounted on top of the CPU (which is quite an annoying configuration).

Whiterat has made some good progress with the raw nand dump (ECC, remapped blocks etc make working with nand images a little more complex than NOR!).

I have a week off next week, so I will hopefully trace out the serial port and make some more progress. I will keep this thread updated of anything discovered.

Well I certainly wasn't expecting that! Well done indeed! I've done a little bit of work at m4rkh dot co dot vu but not got very far. Looking forward to finding the serial port!

Flash Now TV Box with Roku LT firmware?

Senior Member

Member

Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Senior Member

Member

Member

Senior Member

Member

Member

New member

Senior Member

New member

Senior Member

Member

New member

Similar threads

Top Liked Posts