Kodi Community Forum
Hacking the Boxee Box to run XBMC? - Printable Version



- teaguecl - 2010-12-18

topfs2 Wrote: Ah, yeah I'm sure it has helped them in discussions being able to say it's essentially the same hardware as the GoogleTV, and as you say, probably has made prices come down for D-Link.

I also wonder if a D-Link brand GoogleTV product may be in the works - with hardware surprisingly similar to the Boxee Box.


- poofyhairguy - 2010-12-18

teaguecl Wrote: I also wonder if a D-Link brand GoogleTV product may be in the works - with hardware surprisingly similar to the Boxee Box.

It seems like D-Link is really pushing Boxee hard. I guess they think that is how they will stand out against other GoogleTV devices.

But deep down, the hardware is still the same as a Logitech Revue or one of those new GoogleTV Sony TVs:

http://en.wikipedia.org/wiki/List_of_PowerVR_products

If this hardware gets hacked, the Boxee box is just the tip of the iceberg. XBMC could be on TVs!!!!


- outleradam - 2010-12-18

OK, so apparently, the CGI interface runs unencrypted CGI software and it is possible to exploit that to run netcat and gain shell access and set user id as 0 (root).

uname -a shows
Linux boxeebox 2.6.28 #6 PREEMPT Thu Aug 12 11:39:42 CST 2010 i686 unknown

http://boxeeboxwiki.org/wiki/Operating_System

bash commands available:
Code:
[, [[, addgroup, adjtimex, ar, arp, arping, ash, awk, basename, bunzip2, bzcat, bzip2, cal, cat, catv,
       chattr, chmod, chpasswd, chpst, chroot, chrt, cksum, clear, cmp, comm, cp, cpio, cut, date, dc, dd,
       deallocvt, df, diff, dirname, dmesg, dos2unix, du, echo, ed, egrep, eject, env, envdir, envuidgid, expand,
       expr, false, fdisk, fgrep, find, fold, free, freeramdisk, ftpget, ftpput, fuser, getopt, getty, grep,
       gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, inetd, init, insmod,
       install, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, kill, killall, killall5, klogd, length,
       less, linux32, linux64, linuxrc, ln, logger, logread, losetup, ls, lsattr, lsmod, lzmacat, makedevs,
       md5sum, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, more, mount, mountpoint, mv, nameif, nc,
       netstat, nice, nmeter, nohup, nslookup, od, openvt, patch, pgrep, pidof, ping, ping6, pipe_progress,
       pkill, poweroff, printenv, printf, ps, pwd, rdate, readahead, readlink, realpath, reboot, renice, reset,
       rm, rmdir, rmmod, route, rpm2cpio, run-parts, runsv, runsvdir, rx, script, sed, seq, setarch, setconsole,
       setlogcons, setsid, sh, sha1sum, slattach, sleep, softlimit, sort, split, start-stop-daemon, stat, strings,
       stty, sum, sv, svlogd, swapoff, swapon, sync, syslogd, tac, tail, tar, taskset, tcpsvd, tee, telnet,
       telnetd, test, tftp, tftpd, time, top, touch, tr, traceroute, true, tty, ttysize, udhcpc, udpsvd, umount,
       uname, uncompress, unexpand, uniq, unix2dos, unlzma, unzip, uptime, usleep, uudecode, uuencode, vi,
       watch, wc, wget, which, whoami, xargs, yes, zcat, zcip
http://boxeeboxwiki.org/wiki/Storage


Being that they left the nice command in there, it would be possible to launch some sort of DoS attack against boxee by renicing the process and running arbitrary code to suck up the processor. Then, it may be possible to see what boxee does in the background while it's running at ~1 MHz.

We are dealing with a standard Linux OS running on a JFFS2 filesystem. This is probably the reason that people have had problems with permissions in the past on boxee's filesystem. Who uses JFFS?

After it loads JFFS2 it appears to create a FUSE FS (Filesystem in User SpacE). Then a ramdisk is created and EXT4 FS is mounted to the ramdisk.

They may be obfuscating the actual operating system files running on JFFS2 with a FuseFS...

Any filesystem / dmesg experts here? http://boxeeboxwiki.org/wiki/Dmesg That's too complex for me to understand.


- Hannes The Hun - 2010-12-18

JFFS actually is used by most embedded Linux distributions that run from flash ROM.


- outleradam - 2010-12-19

Hey check this out. Does boxee have a PHP interpreter?

http://www.derekfountain.org/security_c99madshell.php

c99madshell provides bash and FTP access from the username of the person running it. In this case it would be the apache server or whoever is responsible for serving web pages. This interface would allow for serious action on the boxee....


- outleradam - 2010-12-19

Btw.. I've had the chance to play with c99madshell before and it is quite easy to operate. This should be able to replace many of the steps required to gain root access mentioned in the wiki... Hell, just upload a file, use your web browser to gain access and then elevate your permissions to root from there.


- topfs2 - 2010-12-19

Yeah, I doubt boxee box has Apache.... Also, root access is not the hard part, getting it to disable to eat a custom update img is...


- outleradam - 2010-12-19

It has CGI. If no Apache, then what is the web browser interface used to gain root? A CGI script is executed from a web browser. It may be able to execute PHP.


- topfs2 - 2010-12-19

You should pay more attention to my latter part, gaining root is _not_ the hard part atm, getting it to update from a custom image is.


- outleradam - 2010-12-19

That is the part I don't understand. Why update it from an image? Why not mount binaries from a network share? It seems that arbitrary code execution is possible... Kill boxee and xinit xbmc.bin. I really need to get one of these boxes. Unfortunately I asked for an Arduino prototyping platform for Christmas.

If they locked it down so much, why did they leave so many holes like most of the core of Linux and busybox?


- topfs2 - 2010-12-19

Because running arbitrary code on a Linux installation made for boxee is not as fun as making an image which is tailored for xbmc.


- outleradam - 2010-12-19

... Well, why not have a 2 part boxee installation....
1. USB external storage drive with XBMC
2. Program on boxee which checks for XBMC on drive when mounting which will mount the image with proper permissions, killall boxee and xinit XBMC.
This would be an all-around solution right? It would allow the already loaded drivers to be used.


- BAG_Ass - 2010-12-20

outleradam,
an easy way to test is a CGI script to kill boxee and start xbmc - and I am ready to live that way.
But nobody here can compile xbmc for boxee to test.


- outleradam - 2010-12-20

Boxee is an i686 platform running Linux.

Have you tried running any 3rd party apps on boxee yet?

I'm not seeing where anyone has tried or failed. There is no package manager, but what happens when you try to run custom software?


- BAG_Ass - 2010-12-20

There are unique features in each Linux (as I know) and any apps can't be run from any Linux.