Hacking Roku: Part 1
I have always been fascinated by hardware hacking. It seems like a dark art, only accessible to people with special skills and special (expensive) tools.
Part 1 - Introduction
DEFCON 27 (2019)
At DEFCON 27 I watched Philippe Laulheret’s Intro to Hardware Hacking and was awestruck by what I saw even if a lot of it was beyond my comprehension. I read and heard about how, within hours of receiving their badges, DC27 attendees had dumped the badge firmware and not long after had modified badges to understand or even complete the built-in “quest”. It all seemed like something that I would always watch from the sidelines, unable to gather the correct knowledge or tools to even get started.
DEFCON 28 - “Safe Mode” (2020)
DEFCON 28 was a little bit of a downer for me. While my employer still granted my entire team a “research week” free of our regular penetration testing duties to allow us to participate in DC28 along with focusing on personal research projects, it was hard for me to really get “into” the convention while sitting home at my desk. While I watched many recordings after the fact, I only watched a single live talk during DC28. I just happened to see a tweet about it minutes before it started. It sounded interesting and the timing was convenient, so I jumped in.
That talk, part of the IoT Village, was Deral Heiland’s Getting Started Building an IoT Hardware Hacking Lab. If you’re interested in hardware hacking but don’t have any idea where to begin, this talk is a great starting point. Deral covers all of the tools and gadgets that you need to get started, and even calls out some inexpensive devices to begin experimenting with. The two biggest takeaways that I got from this talk were: First, some of the entry level tools are surprisingly cheap, and second, that I already had a lot of what I needed! I realized that with a fairly small cash investment I might actually be able to get started in hardware hacking. I made a quick trip to Amazon for some essentials - jumper wires, header pins, wire-wrapping wire, a basic USB/UART adapter, and a cheap logic analyzer.
I just needed a device to experiment with. Something cheap. Or better still, something I already had in the house. Preferably something old and no longer used. Something that I would not feel bad about if I broke it. A few days later I was straightening up at home and I picked up an outdated media streaming device that is no longer used. I was about to set it in the e-waste recycling pile…and I realized I had found my test device…
Roku XD
The Roku XD was one of the earlier streaming devices in the Roku lineup. It has an HDMI output and analog A/V outputs, along with both Ethernet and WiFi for connectivity. The device dates back to 2010, and even though it nominally works, it is no longer supported and some streaming services no longer work with it at all. I was no longer using it anyway, since now just about every TV and Blu-ray player comes with streaming services built-in. It had been collecting dust for quite some time. Since I was just about to get rid of it, it seemed like the perfect guinea pig, with one hitch: it is a very proprietary device. There is very little documentation available and it does not have a hacking community focused on it. It can be really hard to learn a hacking technique on a closed system where you can never be sure if you’re Doing It Wrong or if there’s just nothing there to attack. But shopping my closet (as it were) was faster, easier and less expensive than sourcing another device…so there was nothing much to lose in at least having a go at it.
Coming Up
In the next installment, we’ll:
- Go over some of the basic tools needed
- Lay out a test plan
- Examine the Roku device