Today we’re releasing the method we reverse engineered for getting root on a Google OnHub and modifying its firmware. The process involves booting the OnHub into “Developer Mode” and loading an image from a USB disk; it also makes it possible to modify an image and resign the modified image with development keys. We reverse engineered this method from an in-depth look at (and dump of) the hardware, together with a disassembly of the Android app and the Google OnHub USB Recovery Chrome extension. Below we describe the process and our findings in depth.
Our initial look at the Google OnHub came from the iFixit teardown. The device contains multiple radios (including the currently unused Zigbee radio), a speaker, and a plethora of antennas. The parts that caught our eye, however, were the eMMC and SPI flash ICs on the board. From our previous experience with other devices, we knew that our low-voltage eMMC adapters plus a Raspberry Pi (or Bus Pirate) would give us a quick and easy way to dump both flash devices. Unfortunately, at that time we did not have access to a Google OnHub, so we had to work with what we had available.
At this point our sights turned to the Google OnHub Android app and the Recovery USB Chrome extension, with the main goal of finding the firmware update URL. After a short search we found this URL, which in turn contained a URL to a recovery image of the eMMC flash. This was our first real look at the firmware running on the device.
We finally acquired a Google OnHub and went right into tearing it apart. Once the device was open, we removed and dumped the SPI flash first, using a Raspberry Pi along with flashrom. A quick look at the dump showed that the SPI flash holds the BIOS data. We then dumped the eMMC and compared it to what we had found in the recovery image. The images closely resembled those of a Google Chromebook, and the OnHub turned out to be a very close match in architecture. We spent the next day going over the dumps in depth and working out our attack plan.
Our initial attack plan was based on a page we found on the feasibility of hacking the Google Chromebook. That page stated that the attacks the ChromeOS secure boot setup cannot protect against are those involving physical access and re-flashing of the BIOS. So our initial attempts were exactly that: we tried re-flashing the SPI flash, but were crippled by having no reliable way to receive debug output while booting modified images.
After several more attempts we rethought our game plan and looked more closely at the hardware packaged in the OnHub compared to the Google Chromebook. This is where we found a “hidden” switch on the bottom plate of the Google OnHub, concealed under a screw. We would soon determine that this switch enables booting into the device’s Developer Mode, but that it requires a special key sequence first. We combed through more ChromiumOS docs until we found “CTRL+D”: pressing Ctrl+D before pressing the Developer Mode switch puts the device into Developer Mode. After further research into the Chromebook, and after examining the USB image created by the OnHub Recovery USB Image Creator Chrome extension, we crafted a USB drive and attempted to boot from it. This was our first major breakthrough: the device booted a USB image. The rest was easy and consisted of exploring the device combined with reading more ChromiumOS docs; this formed the rest of the root process, which can be found on our wiki.
TL;DR: The Google OnHub is at heart a screenless Chromebook repurposed as a router, and our root method is simply a modified version of booting into Developer Mode.
For technical details on the Google OnHub, visit: Exploitee.rs Wiki – Google OnHub
The root procedure can be found at: Exploitee.rs Wiki – Rooting The Google OnHub