My Pal...and Roku hacking


by garyamort » Mon Oct 17, 2011 2:20 pm
My youngest loves her My Pal, http://www.leapfrog.com/en/pag.....y_pal.html

But I was very disappointed that the options for customization are very limited.

Plus you're stuck with only 2 choices for design.

As such, I want to make an open source custom MyPal app. It would need to integrate with speakers, microphone, and some sewable switches to trigger events [and perhaps some LEDs].

The problem is, I have not been able to run across a system board flexible enough to handle everything I want...while at the same time low cost enough for anyone to play with.

So the Raspberry Pi is extremely promising...allowing me to bypass having to deal with system programming, and just code for Linux. At 25$ it makes the project extremely feasible [obviously the more GPIO pins and other inputs available the better...but worst case scenario USB can always be used for some functions].

Now my problem is that waiting till the Pi is released is killing me.

As such, from what I've read, the Roku 2 uses the same system on chip model...and even going with the high end 99$ one for a dev board isn't all that bad [after the Pi is released, I could always hopefully restore it and use it as a media player].

I was wondering if anyone has hacked around with backing up the system image on the roku 2 and replacing it with a more vanilla linux platform for hacking?
Posts: 15
Joined: Mon Oct 17, 2011 1:09 pm
by tufty » Mon Oct 17, 2011 4:39 pm
Looking around, it doesn't seem that Roku have released kernel source for the Roku 2 (they have for the earlier, NXP chipped ones), so getting a usable linux on the board would probably be hard.
Posts: 1368
Joined: Sun Sep 11, 2011 2:32 pm
by rwaltman » Mon Oct 17, 2011 8:38 pm
garyamort
I was wondering if anyone has hacked around with backing up the system image on the roku 2 and replacing it with a more vanilla linux platform for hacking?


I bought a Roku 2 XS for that purpose. With no available documentation on the SOC, board and current software, I was planning to do it the hard(ware) way:
desolder the few data and control pins in the flash memory, connect them to any small micro with a serial or USB interface and dump the contents to a PC.
Unfortunately the fine pitch devices are above my (and my tools') skill level.
Will have to get a microscope, a new soldering station, etc. before I can do it with any level of confidence on the outcome.

--
Roberto Waltman
Posts: 31
Joined: Mon Sep 05, 2011 3:16 pm
by tufty » Tue Oct 18, 2011 6:03 am
Quote from rwaltman on October 17, 2011, 21:38
I bought a Roku 2 XS for that purpose. With no available documentation on the SOC

Please mail support@roku.com, pointing out that the version of the linux kernel sources they have on their website (http://support.roku.com/entrie.....-resources) is for the NXP-based original Roku devices, and that they are thus in violation of the GPL WRT (at least) the kernel on the Roku 2. Be polite, don't threaten with legal action, and cc to legal-request@lists.gpl-violations.org

Simon
Posts: 1368
Joined: Sun Sep 11, 2011 2:32 pm
by Lob0426 » Tue Oct 18, 2011 7:00 am
The ROKU2 will be a little tougher to get a usable Linux on than a RasPi. It only has 64MiB of system memory to work with according to a report I read. It also has 64MiB of NAND flash. At least the part numbers they are stating appear to be 64MiBx32 units.
http://www.mycablealternatives.....-teardown/
512MB version 2.0 as WordPress Server
Motorola Lapdock with 512MB
Modded Rev 1.0 with pin headers at USB

http://rich1.dyndns.tv/
(RS)Allied ships old stock to reward its Customers for long wait!
Posts: 1940
Joined: Fri Aug 05, 2011 4:30 pm
Location: Susanville CA.
by jamesh » Tue Oct 18, 2011 7:40 am
Quote from tufty on October 18, 2011, 07:03
Quote from rwaltman on October 17, 2011, 21:38
I bought a Roku 2 XS for that purpose. With no available documentation on the SOC

Please mail support@roku.com, pointing out that the version of the linux kernel sources they have on their website (http://support.roku.com/entrie.....-resources) is for the NXP-based original Roku devices, and that they are thus in violation of the GPL WRT (at least) the kernel on the Roku 2. Be polite, don't threaten with legal action, and cc to legal-request@lists.gpl-violations.org

Simon


Well, you are assuming it runs Linux. (it probably is, but you are still assuming!)
Soon to be employed engineer - Hurrah! Volunteer at the Raspberry Pi Foundation, helper at PiAcademy September 2014.
Raspberry Pi Engineer & Forum Moderator
Posts: 11923
Joined: Sat Jul 30, 2011 7:41 pm
by tufty » Tue Oct 18, 2011 10:07 am
Quote from jamesh on October 18, 2011, 08:40
Well, you are assuming it runs Linux. (it probably is, but you are still assuming!)

That's true enough. I thought I'd read an official announcement that the Roku2 also used Linux, but I'm damned if I can find it now. Plugging into the ethernet port and hitting it up with nmap would probably be a worthwhile exercise.

Simon
Posts: 1368
Joined: Sun Sep 11, 2011 2:32 pm
by rwaltman » Tue Oct 18, 2011 5:58 pm
Lob0426
The ROKU2 will be a little tougher to get a usable Linux on than a RasPi. It only has 64MiB of system memory to work with ...


I am interested in running real-time kernels such as FreeRTOS, eCos, RTEMS, etc. on the Raspberry-Pi (and on the Roku as a stepping stone).
64MByte RAM and 64Mbyte FLASH is more than enough for many applications.

As somebody else already posted, I do not know yet which OS the Roku 2 XS is running.
--
Roberto Waltman.
Posts: 31
Joined: Mon Sep 05, 2011 3:16 pm
by tufty » Tue Oct 18, 2011 6:40 pm
Hi Roberto.

A first, and totally non-destructive, step is to use nmap on it, that should give you an extremely good idea of what OS is hiding behind the network adaptor. Plug it into your network, let nmap rip on it for a few minutes.

Simon
Posts: 1368
Joined: Sun Sep 11, 2011 2:32 pm
by garyamort » Wed Oct 19, 2011 1:08 am
Quote from jamesh on October 18, 2011, 08:40
Well, you are assuming it runs Linux. (it probably is, but you are still assuming!)


I did run across one decent link on hacking...not promising but some good info.

http://www.cs.cmu.edu/~ecc/roku-nfp.html

According to his tests:
1) The Roku2 downloads its boot image from the network every time it powers on.

2) Yup, they're Linux boot images.

3) The images are digitally signed, you can't just replace them with your own image file and boot.

Though depending on how popular hacking it becomes, 3 isn't much of an issue if people are determined.
Posts: 15
Joined: Mon Oct 17, 2011 1:09 pm
by rwaltman » Wed Oct 19, 2011 1:29 am
garyamort
I did run across ... http://www.cs.cmu.edu/~ecc/roku-nfp.html


Thanks for the link, but that page is from August 2008, so the information there is not likely to apply to the current models. ( It mentions "Roku", not "Roku 2", and "MIPS assembler" )

According to his tests ... The Roku2 [ Roku-not-2] downloads its boot image from the network every time it powers on.


My Roku 2 settings screen says it "checks for updates automatically once per day."
The one time it found a newer version to update, it took a long time to download, so I believe it is booting from local flash.

The images are digitally signed, you can't just replace them with your own image file and boot.


That may be the "variety of reasons" that somebody (jamesh?) said will stop an R-PI image from running on the Roku.

I just arrived home from work, about to download and run nmap and see what it reveals...

---
Roberto Waltman
Posts: 31
Joined: Mon Sep 05, 2011 3:16 pm
by rwaltman » Wed Oct 19, 2011 2:22 am
rwaltman
... about to download and run nmap and see what it reveals...


No luck. nmap found 8 open TCP ports on the Roku 2, but failed to recognize the services provided and/or the OS.

--
Roberto Waltman
Posts: 31
Joined: Mon Sep 05, 2011 3:16 pm
by tufty » Wed Oct 19, 2011 6:24 am
Quote from rwaltman on October 19, 2011, 03:22
No luck. nmap found 8 open TCP ports on the Roku 2, but failed to recognize the services provided and/or the OS.

Ah, dammit. Worth a try though. As a matter of interest, what ports were open?

The earlier link sounds promising, too - hooking into the software update process could well be a useful step. Although they're probably crypto-ing their binaries by now.
Posts: 1368
Joined: Sun Sep 11, 2011 2:32 pm
by jamesh » Wed Oct 19, 2011 7:37 am
Just so you don't ask, I know nothing about the Roku security or the particulars of its software. The Roku2 was developed in the States, where I am not! And I wouldn't be able to comment on it anyway even if I did know.
Soon to be employed engineer - Hurrah! Volunteer at the Raspberry Pi Foundation, helper at PiAcademy September 2014.
Raspberry Pi Engineer & Forum Moderator
Posts: 11923
Joined: Sat Jul 30, 2011 7:41 pm
by rwaltman » Wed Oct 19, 2011 5:34 pm
jamesh
Just so you don't ask, I know nothing about the Roku security or the particulars of its software...


Sorry, foggy memory. I'm sure one of the admins wrote that "an R-PI binary would not run on the Roku 2 for a variety of reasons", but I don't remember the exact wording, and could not find the original post in the Forums.

--
Roberto Waltman.
Posts: 31
Joined: Mon Sep 05, 2011 3:16 pm
by Nexy » Fri Oct 28, 2011 12:22 am
Another question is can the Hulu and Pandora stuff be ported to the RasPi?
Posts: 72
Joined: Sun Oct 09, 2011 9:03 pm
by M1cha » Sat Jun 02, 2012 5:07 pm
Can anyone who owns a roku2 please sniff the URL where the player downloads its firmware updates? If we could dump the system image of the Roku we could port the roku2 firmware to the Raspberry Pi because it uses the same chipset.

I don't want to buy both a roku2 and a Raspberry Pi just for hacking; that's the only reason why I'm asking. I will give detailed advice on how to get the URL if anyone with a roku2 wants to help.
Posts: 4
Joined: Sat Jun 02, 2012 5:04 pm
by cochin007 » Mon Jun 04, 2012 5:14 pm
Hi,
I got the url and the firmware downloaded .. I think so... Not sure what is inside coz it is a Zip format
and the normal zip doesn't open this since I feel Roku altered the zip using some encryption or used a customized zip program...
I can send anyone the link or program.. But it won't help in any way..
cochin
Posts: 11
Joined: Mon Jun 04, 2012 5:11 pm
by M1cha » Tue Jun 05, 2012 2:12 pm
cochin007 wrote:
Hi,
I got the url and the firmware downloaded .. I think so... Not sure what is inside coz it is a Zip format
and the normal zip doesn't open this since I feel Roku altered the zip using some encryption or used a customized zip program...
I can send anyone the link or program.. But it won't help in any way..
cochin

Where did you get this from? As far as I know Roku only supports only-update.
However, I would like to take a look at that file. If you don't want to publish it here just send me the file or a download link to that file to m1cha-dev AT web.de
Posts: 4
Joined: Sat Jun 02, 2012 5:04 pm
by cochin007 » Tue Jun 05, 2012 10:11 pm
I tracked the link Roku goes to by sniffing the update option, and it opens rackspacecloud.com
and downloads this file.
It's some sort of zip and if we can unzip it we will be able to decode it....
I clicked on update and it downloads this and I have Roku 1 not 2...
But I think it all comes from the same server.
Any site to upload, since the attach on this will not support 1mb..
I think it might have details about the firmware location since it will not be 1mb for full firmware.
Wireshark was my choice....
George
Posts: 11
Joined: Mon Jun 04, 2012 5:11 pm
by M1cha » Wed Jun 06, 2012 5:38 am
Before it downloads the firmware itself there should be a request where it loads a manifest or something else where your serial number and firmware version are sent so the player knows if you need a new version.
Can you please post or mail me the download link? I really want to analyze that file.
Posts: 4
Joined: Sat Jun 02, 2012 5:04 pm
by cochin007 » Wed Jun 06, 2012 10:36 am
https://rapidshare.com/files/61043643/f ... c1cfce.zip
is the file..

Another link it was downloading for some update of Netflix I think
If somehow we can make it run on the Raspberry in the same way we can have an open
media player....

Changed the serial number but same digits

/dev/mtd2=http://netflix.software.rokulabs.com/bigsw/013.01E01017A.big
sha1(/dev/mtd2)=17934c9e6115e77e18405d8e77921e77805d675e
bigsw_version=0
version=013.01E01017A
sn=J0A123456789
ck=7d046176795a21c750ec21f69b0ca829

This is another file which got downloaded as update...

http://netflix.software.rokulabs.com/bi ... 01017A.big
Hope it helps
The first file will say invalid since zip cannot open it.. Use word or notepad to see the code
and try some disassembler.. I think experts are there watching this thread...
Posts: 11
Joined: Mon Jun 04, 2012 5:11 pm
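
An added example, not part of the thread and not Roku's code: a parser for the key=value update manifest quoted in the post above, pairing each flash partition with its download URL and SHA-1 and checking a downloaded image against that digest. The sample manifest, host, serial and image bytes are constructed, the function names are hypothetical, and the thread does not say what `ck` means, so it is kept as an opaque value.

```python
import hashlib
import hmac
import re

# Matches "sha1(/dev/mtd2)" style keys, as in the manifest quoted in the thread.
_SHA1_KEY = re.compile(r"^sha1\((?P<part>[^)]+)\)$")


def parse_manifest(text):
    """Split a key=value manifest into partition entries and other fields."""
    parts, fields = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)   # split once: URLs may contain '='
        m = _SHA1_KEY.match(key)
        if m:
            parts.setdefault(m.group("part"), {})["sha1"] = value.lower()
        elif key.startswith("/dev/"):
            parts.setdefault(key, {})["url"] = value
        else:
            fields[key] = value           # version, sn, ck, ... kept opaque
    return parts, fields


def verify_image(parts, partition, blob):
    """Return True only if blob's SHA-1 matches the manifest entry."""
    entry = parts.get(partition)
    if not entry or not re.fullmatch(r"[0-9a-f]{40}", entry.get("sha1", "")):
        return False                      # missing or malformed digest: reject
    digest = hashlib.sha1(blob).hexdigest()
    return hmac.compare_digest(digest, entry["sha1"])


# Constructed sample: placeholder host, made-up image bytes and serial.
SAMPLE_IMAGE = b"constructed firmware image bytes"
SAMPLE_MANIFEST = (
    "/dev/mtd2=http://updates.example.invalid/bigsw/sample.big\n"
    "sha1(/dev/mtd2)=" + hashlib.sha1(SAMPLE_IMAGE).hexdigest() + "\n"
    "bigsw_version=0\n"
    "version=000.00SAMPLE\n"
    "sn=X00000000000\n"
)

if __name__ == "__main__":
    parts, fields = parse_manifest(SAMPLE_MANIFEST)
    print(parts["/dev/mtd2"]["url"], fields["version"])
    print("intact:", verify_image(parts, "/dev/mtd2", SAMPLE_IMAGE))
    print("modified:", verify_image(parts, "/dev/mtd2", SAMPLE_IMAGE + b"\x00"))
```

The URL in the quoted manifest is plain HTTP, so a SHA-1 that arrives over the same channel detects a corrupted download but does not authenticate the image.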
by M1cha » Thu Jun 07, 2012 7:25 pm
I have some experience in reverse engineering file formats but that one is really hard.
I don't know if this is some type of modified compression or an encryption. Second one would be bad for us.

The only thing I can say is that it's some type of container with multiple images (sys-image and kernel). BTW: your "zip"-file is something very different; it's a package with roku-channels but not a full system-image.

Maybe it would be easier to dump the NAND with an external reader :D
However, this would only be useful with a roku2 because roku1 has a different arch (mipsel).
Posts: 4
Joined: Sat Jun 02, 2012 5:04 pm
by cochin007 » Fri Jun 08, 2012 12:51 pm
Oh, I didn't know it has a different architecture in Roku 2..
Anyway, the encryption and the way the OS is implemented will be the same
What is meant by NAND with external reader?
Ya, it might be a package list but it happens when I click on update of firmware.
I don't have much experience in debugging.. So learning to use it...
Posts: 11
Joined: Mon Jun 04, 2012 5:11 pm
by ZeCableGuy » Tue Jun 26, 2012 3:26 am
Posts: 2
Joined: Tue Jun 26, 2012 3:24 am