Gaining Root On The Google OnHub

Posted: October 8th, 2015 | Author: | Filed under: Routers | 4 Comments »

Google_OnHubToday we’re releasing the method that we’ve reversed engineered on how to get root and modify the firmware on a Google OnHub. This process involves booting of the OnHub into the “Developer Mode”, loading of an image from a USB disk, and also provides the ability to modify and resign a modified image with development keys. This method was reverse engineered based on an in depth look and dump of the hardware along with a disassembly of the Android app and Google OnHub USB Recovery Chrome extension. Below we’ll talk about the process and our findings in depth.

Our initial look at the Google OnHub was the iFixIt teardown, the device contains multiple radios (including the currently unused Zigbee radio) as well as a speaker and a plethora of antennas. The pieces that caught our eye however, were the eMMC and SPI flash ICs on the board. Based on our previous experience looking at devices, we knew that with our low voltage eMMC adapters as well as a Raspberry Pi (or Bus Pirate), we had an easy and quick way to dump both flash devices. Unfortunately, at that time we did not have access to a Google OnHub, so we were stuck having to work with what we had available.

At this point our sights were aimed at the Google OnHub Android App and Recovery USB Chrome extension with the main intention being to find the firmware update URL. After a short search we found this url which contained a URL to a recovery image of the eMMC flash. This was our first real look into the firmware running on the device.

Google OnHub eMMC RemovedWe finally acquired a Google OnHub and went right into tearing it apart. We took the device apart and then proceeded to remove and dump the SPI flash first. For this we used a Raspberry Pi along with flashrom. After dumping and a quick look, we found that the SPI flash stored the BIOS data. We proceeded to dump the eMMC, and compare to what we found within the recovery image. We determined that the images highly resembled that of the Google Chromebook, and that the OnHub was a very close match in architecture. We spent the next day going over the dumps in depth and determining our attack plan.

Our initial attack plan involved a page we found on the feasibility of hacking the Google Chromebook. This page stated that the attacks that could not be protected by the secure boot setup used by ChromeOS were those that involved physical access and re-flashing of the BIOS. So, our initial attempts were of just that, we attempted to re-flash the SPI flash but were crippled by not having a valid method of receiving debug output while booting modified images.

OnHub_Hidden_SwitchAfter subsequent attempts we re-thought our game plan and looked deeper at the hardware that was packaged within the OnHub in comparison to the Google Chromebook. This is where we found the usage of a “hidden” switch that is contained on the bottom plate of the Google OnHub but is hidden by a screw. We would soon determine that this switch enables the ability of booting into the device’s Developer Mode but requires a special key sequence first. We began to comb through more ChromiumOS docs until we found “CTRL+D”. Hitting Ctrl+D prior to pressing the Developer Mode switch, switches the device into Developer Mode. After further research into the Chromebook and examining the USB image created by the OnHub Recovery USB Image Creator Chrome Extension we crafted a USB and attempted to boot the USB device. At this point we had our first major breakthrough and had the device booting a USB image. The rest was easy and entailed exploring the device teamed with reading more ChromiumOS docs, this helped form the rest of the root process which can be found on our wiki.

TLDR, The Google OnHub is at heart a Chromebook without a screen modified as a router, and our root method is just a modified version of booting Developer Mode.

Technical details of the Google OnHub visit: Exploitee.rs Wiki – Google OnHub

Root procedure can be found at: Exploitee.rs Wiki – Rooting The Google OnHub

 

Video:


4 Comments on “Gaining Root On The Google OnHub”

  1. 1 Alex Davies said at 9:54 am on October 12th, 2015:

    Hello guys

    I’m not great with software, but this looks like the OnHub isn’t using the new Brillo OS that Google made a lot of noise about.

    Is that correct?

    Nice work!

  2. 2 Jay said at 3:37 am on October 13th, 2015:

    Hey maximus,

    I got pretty far in the process I even created a guides to restore stock firmware and auto root script. Where is write protection switch?

    Screenshot:
    https://drive.google.com/file/d/0B3K4uPOuzXLed0RBaHFiblRnMzg/view?usp=sharing

    I catted out the auto root.sh

    Script:
    https://github.com/jaytarang92/onhub-autoroot

    OnHub Vids:
    https://www.youtube.com/channel/UCYL8rlGPCo8OfxZG1YPl5Lw

  3. 3 tapeworm4602 said at 4:45 pm on October 14th, 2015:

    I’m stuck at entering the root password, it always gets rejected as ‘incorrect’. Any thoughts?

  4. 4 Jay said at 3:46 am on October 17th, 2015:

    @tapeworm4602

    Some times ssh will crap out . I would suggest re-connecting to the wifi first. Then use ‘ssh 192.168.86.1’ and ‘onhub’ as password. Else do ‘ssh root@192.168.86.1′ and password ‘onhub’. Take a look at my site for more help, or my vids.

    OnHub Vids:
    https://www.youtube.com/channel/UCYL8rlGPCo8OfxZG1YPl5Lw

    Site: craportech.com