Matthew Garrett (mjg59) wrote 2014-04-20 07:39 pm
Home entertainment implementations are pretty appalling

I picked up a Panasonic BDT-230 a couple of months ago. Then I discovered that even though it appeared fairly straightforward to make it DVD region free (I have a large pile of PAL region 2 DVDs), the US models refuse to play back PAL content. We live in an era of software-defined functionality. While Panasonic could have designed a separate hardware SKU with a hard block on PAL output, that would seem like unnecessary expense. So, playing with the firmware seemed like a reasonable start.

Panasonic provide a nice download site for firmware updates, so I grabbed the most recent and set to work. Binwalk found a squashfs filesystem, which was a good sign. Less good was the block at the end of the firmware with "RSA" written around it in large letters. The simple approach of hacking the firmware, building a new image and flashing it to the device didn't appear likely to work.

Which left dealing with the installed software. The BDT-230 is based on a Mediatek chipset, and like most (all?) Mediatek systems runs a large binary called "bdpprog" that spawns about eleventy billion threads and does pretty much everything. Running strings over that showed, well, rather a lot, but most promisingly included a reference to "/mnt/sda1/vudu/vudu.sh". Other references to /mnt/sda1 made it pretty clear that it was the mount point for USB mass storage. There were a couple of other constraints that had to be satisfied, but soon attempting to run Vudu was actually setting a blank root password and launching telnetd.

/acfg/config_file_global.txt was the next stop. This is a set of tokens and values with useful looking names like "IDX_GB_PTT_COUNTRYCODE". I tried changing the values, but unfortunately made a poor guess - on next reboot, the player had reset itself to DVD region 5, Blu Ray region C and was talking to me in Russian. More inconveniently, the Vudu icon had vanished and I couldn't launch a shell any more.

But where there's one obvious mechanism for running arbitrary code, there's probably another. /usr/local/bin/browser.sh contained the wonderful line:

    export LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so

So then it was just a matter of building a library that hooked open() and launched inetd, dropping that into the right place, and then opening the browser.
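As an added example (not from the original post, and not Panasonic's or Mediatek's code), here is a small audit script a firmware reviewer could run over an extracted rootfs to flag the two patterns found above: an LD_PRELOAD that points at removable media, and executable paths on the USB mount point referenced by a binary's strings. The sample rootfs contents, the mount-point list and the file names are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Mount points that hold user-supplied media; code loaded from here runs with
# the privileges of whatever process loads it. Assumed list, not from the post.
UNTRUSTED_PREFIXES = ("/mnt/sda1", "/mnt/usb", "/media")

# Constructed stand-in for an extracted rootfs: path -> text contents (for a
# binary, the output of `strings`). Not real Panasonic firmware.
SAMPLE_ROOTFS: Dict[str, str] = {
    "usr/local/bin/browser.sh":
        "#!/bin/sh\nexport LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so\nexec /usr/local/bin/browser\n",
    "usr/local/bin/bdpprog.strings":
        "/acfg/config_file_global.txt\n/mnt/sda1/vudu/vudu.sh\n/usr/lib/libvudu.so\n",
    "etc/init.d/rcS":
        "#!/bin/sh\nexport LD_PRELOAD=/usr/lib/libwrap.so\n",
}

LD_PRELOAD_RE = re.compile(r"\bLD_PRELOAD=([^\s;]+)")
CODE_PATH_RE = re.compile(r"(/[\w./-]+\.(?:sh|so))")

def is_untrusted(path: str) -> bool:
    """True if the path lives on a mount point the device cannot vouch for."""
    return path.startswith(UNTRUSTED_PREFIXES)

def audit_rootfs(rootfs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, kind, path) for every script or library a file loads from
    removable media. kind is 'LD_PRELOAD' for preload injection points and
    'exec-path' for other .sh/.so references (e.g. strings from a binary)."""
    findings: List[Tuple[str, str, str]] = []
    for fname in sorted(rootfs):
        text = rootfs[fname]
        seen = set()
        # LD_PRELOAD first: a preload from writable media hijacks every libc call.
        for m in LD_PRELOAD_RE.finditer(text):
            lib = m.group(1)
            if is_untrusted(lib) and lib not in seen:
                seen.add(lib)
                findings.append((fname, "LD_PRELOAD", lib))
        # Then any other executable path on the same untrusted mount points.
        for m in CODE_PATH_RE.finditer(text):
            ref = m.group(1)
            if is_untrusted(ref) and ref not in seen:
                seen.add(ref)
                findings.append((fname, "exec-path", ref))
    return findings

if __name__ == "__main__":
    for fname, kind, path in audit_rootfs(SAMPLE_ROOTFS):
        print(f"{fname}: {kind} loads {path} from removable media")
```

Paths on a read-only, signed rootfs (here /usr/lib/libwrap.so) are deliberately not reported, so the output is only the code-loading points that a USB stick can control.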

This time I set the country code correctly, rebooted and now I can actually watch Monkey Dust again. Hurrah! But, at the same time, concerning. This software has been written without any concern for security, and it listens on the network by default. If it took me this little time to find two entirely independent ways to run arbitrary code on the device, it doesn't seem like a stretch to believe that there are probably other vulnerabilities that can be exploited with less need for physical access.

The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.

GPL

(Anonymous) 2014-04-21 07:53 am (UTC)
No chance of finding some GPLed piece of code on the player, therefore opening a way to getting full source from Panasonic?

RSA Signatures

(Anonymous) 2014-04-21 08:25 am (UTC)
I assume that you would likely agree, the fact that firmware is being signed in itself isn't necessarily a bad thing. What is bad, is that the owner is not able to manage which keys his device should consider as trustworthy. Therefore a very interesting piece of information would be, where the trusted keys are stored, which are used to verify the signatures. Do you have any thoughts on how one could come about such information? Could this be typical UEFI / Secure Boot related infrastructure? Or something custom?
reddragdiva 2014-04-21 12:40 pm (UTC)
*psst* "appalling"

(Anonymous) 2014-04-21 02:48 pm (UTC)
> the player had reset itself to DVD region 5, Blu Ray region C and was talking to me in Russian

Please consider this a fair punishment for hosting a blog on dreamwidth.org (which is completely blocked in Russia by its IP address, that's why I have to post this comment through Tor) :)

Still, congratulations for a successful hack.

References on building a library?

(Anonymous) 2014-04-21 04:27 pm (UTC)
Hey, I'm interested in how you built a new library for the Mediatek.

I'm not really sure where to start, but I'm certainly interested in trying to hack my player!

Thanks!

Re: References on building a library?

(Anonymous) 2014-04-21 08:52 pm (UTC)
Buildroot (http://buildroot.uclibc.org/) will build you a gcc that emits ARM code. It also builds you a kernel and most everything else you need for an embedded system. Expect a full build to consume about 15-25GB disk and take "a while" :)

--j1

(Anonymous) 2014-04-21 07:24 pm (UTC)
Worth getting ahold of the original transmissions of Monkey Dust - the use of pop music is excellent and that all got replaced for the DVDs.
sweh 2014-04-22 10:52 am (UTC)
Did this just remove the PAL limitation, or did you also remove DVD region restrictions? What about BD region restrictions?

(This is tempting me to look at my BD player; I'd love to be able to get rid of the DVD player which I only have to play my UK region 2 disks)
damerell 2014-04-23 03:35 pm (UTC)
Presumably the future is only that if the "Internet of Things" types succeed in giving all these devices publicly-addressable IPv6 addresses. Although presumably if you get one hostile device into your house...

libSegFault.so

(Anonymous) 2014-05-10 05:24 pm (UTC)
Hi Matthew,

Is there any chance that you can share/send via email the libSegFault.so?

Sure, no security for you.

(Anonymous) 2014-05-12 12:34 am (UTC)
Sure, these DVD-crapmakers only care about security of locking out users from their devices and fail even here in numerous ways. I fail to understand why people want to buy locked-down devices.

Hacked Panasonic DMP-BD79

(Anonymous) 2014-07-18 10:33 am (UTC)
I "hacked" my Panasonic DMP-BD79 and got root shell. It's very easy because if you look into the squashfs image it will execute /mnt/sda1/QFacebook if you launch the facebook app. Binaries are compatible with current Debian ARM so putting dropbear and ssh-keys onto the USB stick plus some shell stuff gave me access.

I've stopped any further activities because the CPU is too slow IMHO:

-sh-3.2# time sh -c "dd if=/dev/urandom bs=1M count=64 | gzip -9 > /dev/null "
64+0 records in
64+0 records out
67108864 bytes (67 MB) copied, 107.929 s, 622 kB/s

real 1m48.034s
user 0m48.835s
sys 0m57.991s

So no reason to try to get XBMC running on that box.

Cheers Leif