Google TV: The Next Generation

so i wanted to get my one star trek reference now apart from the title google keep the next generation the cube in the background will be later explained if nobody knows what i'm talking about it works so to start off for mine i am cjs i'm a web developer most of the time for non-profit um i see consultants of fixed computers all that kind of stuff but in actuality i enjoyed breaking results consumer electronics medical devices be it google tvs dvd players smart tvs and fusion pumps i just like to break these it's very rewarding i think the best approach includes a little bit of hardware a little bit of software um not one that's totally says you know

breaking something totally software you also have a bit of hardwood and attention but it also includes some streaming and i love content and i am one of the founding members of gtv you may be asking who's gtv gtp hack is a small group of i can spoke st um who wanted full access throughout the routines um a group consists of nbm he's a firmware developer co-founder of the open wrt project some of you may have that just drove installed in your order right now sorry um hth security was in he protects networks from evolution during the day cj 000 who's me um dino phage he always finds me guaranteed he's an expert at practically everything he's won a couple

defcon ctfs he's decent suzette to say the least uh tdw eng he's a software developer by day he will stay programs with job he dates it he's great for pressing android applications and scene effects who continue to be happy we've exploited every google tv device on the market and some betterment credibility such as the boxee box and we presented some of our findings on first generation of defcon last year so if you don't know what is the google key google tv is essentially your android phone but on your tv considerably it has a desktop version of chrome flash play youtube netflix google play so you can install a bunch of applications but the features that center pod include the

ielts livestock a bluetooth remote like this one it works well like you can change slides with it which is very cool and wi-fi obviously and also hdmi and an hdmi hub now what that is if you look at this picture you can see um the little bar at the bottom the hdmi in and out allows the google tv to overlay the entire user experience will be a cable set top box so if you're watching tv and as an actor you want to sing you can press the search button on the remote a box will pop up while your tv is still playing you can enter the person's name and find out exactly what they're in you

can also search for movies t units on you know index content between amazon netflix stuff possibly on your local network or ttl but it still isn't like a normal android device because it is truly close source most android devices at least have some almost a source code android open source project this has none it also has no native library support and runs an updated version of android which is honeycomb version 3.2 and there are ridiculous levels of security on the device most phones you can just quickly group and be done with it the google tv is a different story and i'll explain that in a few and as i mentioned the hdmi can put hand over

so for hardware types you have generation one hardware which includes the logitech review the sony nsc gt1 and the sony nsx tv series they have a 24 32 party and 46 inch kindle they're planning on making 55 but they pulled back because the hot tub

generation 2 which is new stuff over the past few months includes the sony nsc gs7 in the upper left-hand corner the lg g2 ga 6400 and 7900 which is similar looking to that tv there that's actually g2 uh then you have the high sense pulse at the top again the neck and neo tv prime and the asus cube and the physio coaster all very similar form factor which i'll elaborate more when i get to the generation change stuff so what does the google tv need it actually needs a lot it needs native code support which will bring cool applications most games that you run on your phone or tablet use native app use native libraries to actually use the

hardware to its fullest potential but google tv cannot do that it needs to be more like android so hot native quote support for the biggest difference is that the underlying linux kernel and well not specifically the kernel but the online linux distribution uses a normal web c just like in like a snapdragon but android uses bionicle c so that means stuff made for the android's bionecrypsy in terms of native code doesn't work on google tv and vice versa and because of that the play store is extremely limited you only have a handful of applications firstly tens of thousands if not more and also we need many experts the box is very locked down closed source makes

custom wrongs and recoveries nearly impossible there are actually none totally out yet from generation g but why should you buy one we've been talking about this for months no just believed us until there's an actual announcement at i o just the other day google announced that they'll be bringing jelly bean version 12.2 to the latest greatest android to the generation 2 devices this includes native library support so practically any game attorney phone should be able to easily be ported to the google tv if not run immediately have a bionic liberty so it will be again extremely similar to your phone and it may we've got some hints from developers that we get some information from

merge the google tv code base into aosp so we could at least stop the foundation of creating customers it's essentially what google tv should have been but considerably better your phone but on a big screen within this one and we also have some awesome exploits so one second we got accent generation one so the generation one um intel ce 4100 based using the intel atom processor uh the logistic view which many are familiar with at the left-hand comma at 1.2 gigahertz and the sony sets at about 1.68 gigahertz for the generation 2 they are arm based using the marvel 88 3100 system-on-chip which features a dual-core 1.2 gigahertz arm processor sony vizio high sense netgear asus and lg all

are considering generation 2 devices tcl and other manufacturers will be coming up with more soon and of course lg uses a different cpu which is their what they call that l9 or the 115g we will get to some exploits very sharp because that's the best part quick overview of the general security uh chain of trust boots secure move everything's encrypted let's go tomorrow so the system on ship will initially decrypt and then verify the signature in stage 2 google so inside the cpu it will run a little bit of code grab some stuff from flash verify it decrypt it and then run if that works it repeats with stage three stage three then does the same

thing to the current so everything's checked and signed so you can't really find a way in on sony devices the kernel also has checks the binary and the init binary rsa verifies the scripts while the security our best guess demands from content clients they want to keep whatever little bit of they want to have some sort of semblance of security furthermore since the box has hdmi input and output it may strip htcp in the process which you could then possibly leverage to extract all the data off an hdmi line which has been done many times before but who knows abc's website cbs nbc nbc fox hulu you can't even visit that website on google tv to stream

your latest tv ships specifically hubu which carries a lot of these programs they compromise pop-ups and google tv is not available in the device it never has been no reason why it shouldn't be we've actually every box we've exploited we've dropped a bypass so you can use who but we're guessing they want a nice big catchphrase so for the first generation we've accomplished once uh for the logitech review we won a bounty for the first review group um it was we ended up finding it it was a recovery ui so a recovery console that was spawned by a pick up a ttl adapter to if you can access if we publish there's schematics on the wiki unless you find the totally

merchant box this will not work anymore a couple years old but it's still still decent we kept this version up to date by back quoting updates so every time they come up with a new update and backboard to keep the people uprooted the devices still up to date when 3.1 hit they took a step further they crippled the recovery sid checked the politicians rsa signed the kernel modules and just because they rolled all the keys so we couldn't use an old boot boater with a new kernel or vice versa we were just but doing some digging we came across the recovery they crippled and found this code in something but next slide was kind of good

first normal recovery android recovery i'm guessing at least people familiar with android knows what it looks like get a few options reboot apply and update wipe data light cache a few things that you can use to fix your device logitech changed it to this a broad 13 ciphered message that said action tv hackers congratulations if you're reading this please post and open the forums let me know and included at the current time all of my team's names it was rather rather interesting and a bit scary to see your name in firmware device from a large area we were worried at first but nothing ever happened which was very good but because of this we couldn't any box

that was even like soft bricks like you know if you may have your phone you installed something wrong just got to reset it so it works well couldn't do that through so we came up what we call flash sabotage generally android updates access they look for a specific file when recovery boots at catch specifically cache recovery command this is a special line of text that will be positive cache is conveniently located on an internal usb drive that's the flash chip highlighted in yellow and the control is right to the left i can't make it out but there is a pin out there it's also with you we pretty much replaced that ship with an external

usb drive which then were able to replace the command file and at least push back assigned update to fix soft brakes which was useful because we did a lot of testing but for bricks we couldn't fix that flash recovery used i used a usb nand flash program was quiet directly than that which that wiring could be a bit better wise um the programmer actually was repurposed from an old ps3 and xbox mod chip um a lot of testing occur with a and we could restore backup without having to blow up two devices myself i have three logitech reviews one is bricked there's also this one and a working one actually totally on 14 with five bricks

i actually have too many but one about one of each but we still wanted to land review software so dan rosenberg also known as bliss approached us he's very well known he recently exploited the latest and greatest motorola phones which was awesome he found a floor and you just have to read about it but he approached us he wanted to pack the review he thought he could do it rather quickly took him considerably longer than i thought he found an awesome exploit on the review dev devman had both rightful permissions and using a large series of what just call it magic it wasn't magic but he jumped from memory to the flash controller to the

nand back to the kernel all the way to execute code it's an idef on 20 presentation i suggest if you're interested check it out we gave a very good talk about that in the middle of our generation one stuff and with so many devices actually that's cooler same hardware just one tv one has a program player uh both running about 1.6 1.7 gigahertz no major differences of how trying to get to people right now first first up on the blu-ray player this also actually works on the tv is what i call sata sabotage we need a way into the sony the updates were encrypted so we couldn't you know just get an update and look at it and figure out how

to get it poland once we get hardware to attack pulling up we found the tdk chip at the top it's pretty much they call it a mini ssd it converts nand flash right onto it to be accessible over smta then we set an ata password so we couldn't just wire up to that and dump it out and also the flash chip was encrypted with abs so we also could just talk flash tripod so what we didn't said was wire up the bus to an external hard drive and the system would think that the hard disk is empty and then when we moved to recovery it would prompt us for an update and go through the entire process keeping in

mind the kernel and the boot loader were not stored there part of the uber would have recovered the seven shipping so i'll get to the sony recovery one second so starter recovery unlike the logitech one had many options but it was a custom recovery made by some it's actually direct fb wrapper over a past year the bash script was about a thousand lines long full of interesting bits that i'll get to um it was debugging output over uh no input but we could at least listen to what it said and the updates were actually after pulling a pot of recovery in our c4 stream cycle we did pull the key out we didn't publish it because

sony edit has a thing about going after people who publish keys using these exploits you could find the binary pull it out it's rather simple it's actually fairly obvious so our first thing we did we initially downgraded back to an old question we found a local command execution via recovery so pretty much the first command is run budget the first two commands get run in the direct fb repo it does an ls on usb drive looking for a package under scope list underscore set then does it head to take the first one and grabs package lists though and then pass that check version and check version passes to package up data never gets verified so we could simply

drop in a package list and semicolon change that direction usb drive xq and sh so our bash script will run as root privileges we have total controls we put on in the recovery we dropped in a ui shell so we could actually interface with it telnet busy boxing where everyone upon upgrading the box we realized they catch this which wasn't good so we started looking for another way in i came up with recovery downgrading a little complex but then the um early january 2012 versions of the recovery and pride actually this was good up until july sony recovery mounted the xt20xt3 partitions with no mod parameters so if you have most of the time they have a

mount parameter of no data so you can put the device node on a flash drive and use it they didn't do that so through this complex series of steps um what we did we had a drive that we labeled usb 1. it had just a fake update file a really small couple of kilobytes just to pass initial checks the system would pass the initial checks we put usb 1 it passed the initial checks then it would prompt us do you want to install this update at that point and swapped the usb drive what we call usb 2. usb 2 had a file system node which since it wasn't mounted with any parameters we were able to put that in

that pointed to where the recovery partition is saved we put that in let it settle hit a button then it would copy that file system node into patch with a specific file name but it would error hub however we found out that it would actually leave the file in place it wouldn't delete it so we were good there we then exit onto there while the box is still on put usb 1 again to the same fake that we had a good update and then we'd insert usb3 which was a full image of the exploitable recovery version so we hit ok then we copied the exploitable recovery to the system node and then it would downgrade our box all with a few

series of usb swaps and that let us let us get back to our downgrade it's unbreakable i'm sorry our exploitable recovery version that we could then take it with it we also found a computer backdoor upon point part of the system's memory we found there was a show on the google we didn't really know the password but we found that lots of mashing escape brings up the password prompt and after reversing more of the bootloader we found the password was surprisingly a console and just go on so if you i can't take out this picture if you check the sides and it's also on the wiki um if you you can append boot arguments to the right the kernel of the

start if you move with factory they'll have to back door they'll automatically spawn so that you can get it they then patch this as well but the new thing that we actually mentioned once or twice before but they've never patched i want to re-mention it it's a tftp from that same command line you can tftp load a vulnerable version of the recovery that's on our website get back to the old recovery then mount the system and copy the vulnerable recovery into it it's a little complex and you have to do it within about two or three minutes but it gets you back to a downgraded version of people on irc all the time so you may

be asking while the exploits just for profits unsigned kernels again keep in mind that everything was sync checked and encrypted and done like three more times over itself so we put in k exec which lets you reload the kernel on the linux system to x86 as a module usually it's built into the kernel in this case we modularized it it would search for find the cisco table inject itself kind of what some root kits would do actually which the linux kernel and later versions have actually patched this but this kernel was still fine we modified the running system the ssd on board to then boot to an unsigned kernel disabled all hash checks you could edit whatever you wanted this

would all happen within the first segment of the drone you turn the box on it would automatically flip over to one side kernel and you that also allowed us to run proxy box software which is a version of xbmc and even dpn on the box we'll admit we never did release these there was not very much interest for post above if anybody wants any information about it i'll be glad to share one issue with dpn uh boxing work plan the one issue with demon i didn't have any graphics acceleration for video so it still worked well it was just slow and mentioning the boxee box to get the boxee box software on our sewing device

we had to actually get a boxee box and root it because they were twofold there was one there was a missing certificate for netflix that was needed to make netflix work so pull up the boxy box and ironically secondly hdcp wouldn't work it was permanently disabled we had to pull the binaries off the boxee box so then stick onto the sony box to fix hdcp which is ridiculous but we didn't want to step on anybody's toes to easily disable it so boxy box again we found two different routes in both still viable today uh hardware room a back of the box there are two tiny little videos that you have to scratch off the pc to get to you can

sign into it it's a hardware ui once it's through and we also have a software local command execution via the work group failed if you just drop it you know semicolon reboot you could get in as a result of this it's from the boxy plus log community there have been over 219 000 views with boxing boxing plus mod fred on the official boxy forms they haven't even operated it's fixed bugs and features it's made the box worth boxy drop support farm they don't didn't patch it hopefully they were just being nice and let the infusion play but we're grateful for it so now on to the on to the good stuff generation two including an excellent you just lose

yesterday and a new one that we haven't finished yet so generation two all is just about the same hardware with the exception of the lg dual dual coil 1.2 gigahertz om cpu use the module 88de 3100 chipset which they internally called the amount of 1500. again it's arm-based small boxes they're only about maybe a little bigger than this kind of thing more oems sony vizio high sense netkit asus lg all making boxes um it has bluetooth again like this remote is bluetooth and voice search someone wrote you can press a button like your phone say turn on cnn and i'm going to turn on cnn you don't have to know the channel numbers it will just do it

again generation two security a little more complex than the first generation the system on ship decryption verifies the signature signature of the stage to boot modem but it does this on a separate security processor inside the cpu with its own secure ram which makes it even more difficult to get into it will then do all its decryption and checking inside that secure processor inside that secure ram it decrypts runs kernel and it binaries funny thing about the sony box the first time i got an exploit on it the box kept rebooting they left in one line of code that purposely detected if the box was rooted to constantly reboot the box and they assumed since they rsa verified the

strip that they did it in that would prevent us from changing it needless to say we got around it but it took a good 45 minutes to figure out what they were actually doing because it was a tiny little line of code messing everything up so the sony box there's the nfc gs7 i think it's the best powder of the bunch best remote tune remote works very well it's built like a sony it's durable i mean when you just open it look at the build quality is very good we don't have a public exploit card yet but we are sitting on something going back to the jelly bean exploit you know it will work for that we're going

to wait maybe about two months release an exploit for all these boxes at once or at least new expo for all these boxes at once so you can leverage your group for privileges right on the latest software version we could surely

ah no they're updating it to jelly bean but we have vulnerability and jelly bean it's also in okay so whether i take that we have a vulnerability in honeycomb okay yeah so we're keeping it very quiet it does only work on certain devices but it's very useful so you don't want to spill too many details but i will demo something at the end that might give you some hints um msrp is about 199. you can find it on the street for about 150 maybe a little cheaper it doesn't help the voice search remote that's an extra fifty dollars um sony recently published actually then publish anything the nse gsa wi-fi certification about three weeks ago there's been no moves on it

my hunch is it will be 199 from the voice search remote same exact topic and may also be running jelly beans coming out possibly end of june and of course like the first gen encrypted updates but it's it's more of a cipher i suppose it's something based off the file name i haven't figured out too much i'll elaborate on that a little more but we do have a way of next box the vizio co-stop small fall factor again above this size 99 msrp so by the cheap i've seen returns on ebay for about 67 bucks very easy to get into doesn't have a voice search it has a custom launcher so it doesn't have a traditional bar at the

bottom it has more of a far side but it still works really well um these updates also encrypted provided by update with logic which all vizio products use so if you have smart physio smart tv here's a webcam easier tablet update project it didn't stop us from decrypting them but this still encouraged me again we're holding on to an exploit for this as well so the high sense pulse was the next box came out about three months ago we expected a challenge based off the first two boxes so we do our best to date a hotbed rulings from whatever defender we can buy it buy it overnight tear it apart screenshots look for vulnerabilities put a chair

down on our wiki try to eat i fix it which we have for everyone except costa um all out with you at gtp hacker.com if you don't look at internal pictures i always like that um so we checked the internet scripts and realized it spawned a root shell over you up right out of the box kind of going back to the logitech review it just was already open which was great so we're we're getting that thing ready telling people you know open your box solder to it or if you have connected connect to it it'd be good hilariously oversight on ipod and high senses android normally works the default dot problem in a specific area

that you can't change that says arrow secure one an hour debugging with zero so you don't you can't have privileges over adb over uh shell nothing high sense said it wrong and they sent it to our republic bubble department equals one which meant we could gain root with a simple adb group it just simply worked so they patched this within about a week but the same day that we got the hardware and ended up being about three o'clock in the morning so if we can send 24 hour period uh we published a little package that automated this because people for some reason don't know how to use adb i mean it can be difficult but if you're looking to root your phone

you should read up on adb people like it automated scripts but we again automated this and we modified flash player to work online content and bought the box from getting updates you could easily revert it but we don't want to bought an update to automatically download information so the flash modifications all right one minute where you get to look at ice text as i said who and others check the version strength of the flash to play a plugin um a lot of websites didn't go to it says you know this version of flash play is too old check the same thing we found that by using the script it's uh gtb and santa claus we changed it

initially to atv but we figured that might be a little too specific um so then we came up with a random mutated brain would generate a string when it was run and then we got better than that we just took the latest windows version and put it in there you always got a blocker windows box so it just kind of worked with all unsupported sites like espn free you get full access so instead of having a walk down boxing club use the internet you could next box is the netganyotp product which this is from what i have with it i thought i'd be walking around doing this type of thing but it wasn't um so we figured not two in our own

the same day as the box was released we dropped two separate exports one was more for lx white build was another site first the oversight in the init script they left in this content that autosponder root show where god was of power secure you can tell if the property is arrows for zero stock console if it's one stock console the console automatically sponsors they left it in there in the initial version and the update and the next update i believe they patched it after that it took him a few weeks to realize this and the second one which is more of an exploit well i'll get to you out first pull the box apart four wires uh brown

tx rx vcc if you need it hit once again on our website tear down it got worse we found a factory backdoor uh in what they call test mode service keep in mind testcode service was also on all the boxes but they usually the vizio was sick checked it first and we didn't have the keys that or they were rather useless and they just brand it use a shove right on the box which you get in reality so quick overview as to how the neotp prime root x bookmarks go to the right hand to the left the box will first boot and check if persist radio test mode enabled is 1-0 if it's zero which it

usually is it will then look at this usb drive if not it will boot down if there is one go check there's a file called dot test mode and it will check if it contains the string test mode if it doesn't again boots normally if it does it will then set persist radio test mode enable to one reproof the box so we come back to the top um we'll then check again and persist radio tesla enabled one of zeros one we'll extract tesco.tgz from the usb drive to temp it does this all automatically and then checks if temp test mode testbook.she exists which it does with put that if so it will extract it run this route

and we have full access again a script install super user su flash bypass um watts updates it will then reset test phone and delete our files in the box so you have root on that that way as well now the asus cube came up two three weeks ago i think this is the best one to date um originally not hardware the exploit the hardware the remote's kind of crap sony i still say has the best remote the problem cubes remote and the netgear remote is that the okay button and the down button and the help button uh very sensitive so if you hit okay you might hit down or hit excuse me you might hit okay it's a very

clunky panel you know it fails if you press down but you actually end up pressing vice versa so um the cube's remote uses a slightly different frequency it's off by about two megahertz with bluetooth um same hardware just a bigger box with fairly amount of empty space inside quick picture inside left hand side is the arc module right hand side that silver cable goes to an sdio which is like nice you know sd card for wi-fi bluetooth module ui one is at photocenter which you can see there um then the cpu is under a lot of heatsink obviously we found a few exploits if you have this box when you go home search on the play store for

cuber and run it no cube root still exists in the play store hopefully it has yet to be pulled we'll see how long it lasts um so the cube has kernel support for mounting nfs chips that's all fine it uses a helper application to mount it the helper application runs his room our application talks to the helper application over a world's rifle socket because they have it set up to also access these shares via immediate play we can then use the helper application um help our application will not only mount nfs you know given options with an ip address we can substitute in that ip address for all command execution running rsh built in right to our apk our app will then

connect to the socket run the custom command run our script which then dissolves suv super su mutates the flash and also patches of vulnerability that's the important part right now with an asus cube if you go on the play store any app could be packed with this vulnerability i doubt the case but it could be packing the vulnerability that could either break your box or do some sort of reverse tunnel and let attackers then be able to use your box and leverage it for something else so it's a decent plug to say the least so i want to show you a quick demo video i've got a minute to show it my time is decent

so this is it running i skipped ahead and i'm going to skip back so pressed engaged the box is rooted left-hand side have adv connected just going to show running su at the moment this super user permissions this video is also on youtube it's a lot longer you can check it out but we'll then just check the build.com you should verify it's the cube part of the latest software version which it is you can see version 3.2 the latest version all the application 327 even though it was released just a few days ago and if i cut ahead some um there's the patching press patch it uses the same exploit but attaching the exploit by modifying the

helper application to not be able to amount to nfs ships just keeping everything safe and if i kind of had some after we've been walked just start off um as you get super user request um then you can deny it granted obviously we have granted because we want access and there's our access format so that's that is cube to the most cod and again don't know when it's going to be pulled you can check it out on the google play store just search with right in your app rather right on your cube it only works the cube nothing else as a result we had to go through 1400 check boxes in the play developer console unchecking of the boxes that

weren't supported which makes no sense but you can grab it there next one i'm going to go pretty quick the lg 4755 g2 other one of the bunch arm cpu dual core signed everything trust zone it's ridiculously secure um they also to the point the boot up image just a splash screen also encrypted and signed i don't know why um so the lg one one five two or l9 it's not my white rail i've been wanting it but i did not want to drop thousand dollars on the tv i didn't need it um so to the next best thing about 100 bucks 150 about house fine motherboard no panel but just power supply on the

motherboard hardware approach the flash is emmc emmc works like an mmc code an mmc pod is electrically compatible with an sd phone an sd card can be put into spi mode so as a result you can wire up with five wires to the emmc flash drop into spi mode it's a little bit slow well it's actually a little bit slower but it still works it takes you about a half hour if you write four gigabytes five wise will get you full access so powerline brown line the emmc's command line clock line data zero that's all you need these pin outs will be on the wiki let's say tomorrow because doctor who's on tonight tonight um so pointing pop the flash there's a

partition map um at a hundred thousand if you take the file name from it count back six bytes in white swap you find out the location of where it is so we were tagging the system partition at a decimal 122 million 159.494 so plugging this this contraption into an sd card reader into a 1x box from this mount command that will mount the ext4 partition reframe which keep in mind is very good because we will need it since the root file system is a signed image kernel sign recovery sign the next best thing at s we found that the init script called system vendo bin and then for strip dot sh that was on the system that we could

modify we modified it to spawn a telnet root shell over ua books fund telnet as root a root shuttle of uh and also over the usb cellular adapter the reason for the adapter was that there is a also a deflug engine that runs over the ui so if you have the same odd rate you have to enter the same key like four times there may be a backdrop to combine agent but it's nearly impossible to find your natural panel it needs a special dongle to figure things out there's a bunch of crypto involved but this still works there's more one more thing customer recovery you recall how i kept going on and on about how it's impossible to do

not for us but it's nearly impossible uh the challenges of customer recovery box is closed source google order kernel random stuff startup scripts all signed depending on the box also encrypted or both um also you have custom problems put back on the box some people ask why not work everybody who sits on their android phones with some bearing it's based off aosp's recovery aosp needs a frame buffer the google tv's recovery does not have a frame buffer that's compatible the frame buffer it uses uses a bunch of vendor specific calls prefixed with model to do its bidding we didn't want to represent so we did the next best thing we made one from stretch all scratch code

works incredible um it uses direct fb going back to the generation one so i'm working that display data on the screen but unlike the sony it does its back-end isn't a giant script it's an actual c code um netflix on the box is direct fp as well so that's we've got our library so we're keeping space to the screen hence documentary our recovery has a root shell of uwat you write to everything let's install update dot zips with like super user anything you want no signal should check at all you don't have to fake science just put in and i have a very quick demo of it rebooting and then going into the recovery this video also online is about

nine minutes i followed up the autofocus five times going in there with um an update that contains no change to nature pulled directly from the book so hold the connect bottom at the bottom to trigger recovery on this box you could probably go with it now but i have to help because going on do i have a good reason why i'm not you screen coming up in a

moment our custom recovery i'm going to quickly install an update from usb keep in mind it's only working usb keyboard for the moment but we're working on bluetooth support the actual normal recovery doesn't work with the bluetooth keyboard it just you have to press the keyboard multiple times which is foolish

there we go so it displays the information from the update. which is the updated script inside into the meta lineup folder does all this fun stuff install complete i'm going to skip ahead for a little bit because of your time so box removed you can see super user installed there we're going to pull up connect pod

so you probably can't make it up but up left-hand corner typing in showing shell's commission's typing an su that'll pop up for the super user request which sorry you can't see but the video there are better videos that i have thought this did not hurt the downfalls of a full of right back with lgbt credit cards but see super users have been been granted permissions and you have group privileges throughout customer recovery that we're hoping to release right right around when google releases children because otherwise that would be kind of foolish anyone have any questions in the limited time we have asked if not i'm always on irc freehold gtv hack up gtbhaka.com tweet us

uh at cj000tv.com but i'll take questions for whatever time we upload

well it's not that it's so different even honeycomb exploits with tablets homework all right um the google tv it's a totally separate focus it's honeycomb and look but they keep the kernel up to date it's it has no public vulnerabilities at all so they have very good keeping on top of keeping things patchy which unfortunate for us good for channel security but unfortunate for us and anyone who wants to actually use their clients

we have something coming for every gen every model based generation chip device i i want to spill it but i'm hoping for deathcon i've got paper and it's it's it's worth it it's right if not we're still going to release it but we still want to wait for jellyfish to come up which about august timeframe will be just great and will will it be will it be pretty much sort of plug and play exploit or will it require some of the it should be there shouldn't be any hardware required i we have to leverage one exploit another and we're trying to find the third because we don't want to give up one but we have time worst case new

rules that we have it will be emotionally the flash drive that's it and maybe it seems a bit off topic but it seems like there's rather limited content in here at the very beginning of your thing there's very limited content it seems do you foresee that they're going to keep selling these things for them well i i think they will because what google finally did apparently to add some management changes in the google tv department recently they've migrated the code base to jelly blue which means everything on the phone will work so if you want any type of media app it should just work if you want to visit any website it will work and again there's also netflix um

amazon video on demand all that stuff plus google has what they call prime time it's a built-in guide so when you go to search it will search apart from things on your local you know any locally connected disks any network connected disks possibly anything on your tv it also search for things like channels to subscribe to um also hbo go it will also search through netflix through amazon so you can rail in with one button press search every all the content you have for something specific so hopefully that plus the changes that i'm making local phones yeah i'm just surprised that uh what's the other company um i can't remember what their name is right now i

just device uh yeah the other company that makes a device how they could negotiate good deals with