Comments on: Hacking Apple TV without a patchstick?
https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/
Get more from your shiny box of joy: Taking Apple TVs to the next level
Sun, 20 Jul 2008 08:02:14 +0000

By: Andrew, Sun, 20 Jul 2008 08:02:14 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-73438

Actually the whole problem is not getting the AppleTV to talk to your fake update server, it is making it accept an unsigned file. Forget cracking the signature, it is not viable.

Also, if you do crack the signature, you might as well get involved with iPhone hacking, which also uses signed firmware. The dev team’s Pwnage “fixes” this, but by making the device ignore the mismatching signature, rather than getting the signature right. It would require previous modification of the AppleTV for this technique to work though, so it kind of beats the purpose of this.

The only way to do it without previously modifying the AppleTV would have to be via some sort of vulnerability exploit, but then it would work only for a short while (until the next software update), so I believe this idea does not have a lot of potential, unless we can get the AppleTV to ignore the signature checking (quite hard to do, if you ask me).

By: GZ, Sat, 19 Jul 2008 23:46:16 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-73366

A man-in-the-middle could work. Inject once the signature is retrieved. Set up a proxy; haven’t checked if the AppleTV can use a proxy, might have to do a double NAT to filter all traffic through the proxy.

By: Mark, Tue, 15 Jul 2008 02:25:51 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-71636

Hmm, what if you guys modify the real updates by Apple and add the hacks to be installed along with updates? I know it sounds simple but it may be very hard, but then again, there won’t be any need to find the “signature”.
If there was a way you could open the update package and add your hack or replace them with its original files, there would be no need for anything else, right??
I have done this for other stuff, and it works most of the time.

By: Nutz, Fri, 11 Jul 2008 13:18:42 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-70421

I’d like to get dmgs and .signature files for past updates to compare. Anyone have 2.0 and 2.0.1?

By: Mojo, Tue, 01 Jul 2008 11:18:30 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-67440

You absolutely need a patchstick to install the hosts file and disable the update integrity check. Then though it will be possible to install any provided update. This, of course, is not the solution. But it’s a more comfortable way than to install ssh then copy some files, run some updates, install some files again …

The other way mentioned is to hack the private key so it is possible to sign self-made updates … not very likely

By: anonymous coward, Sun, 29 Jun 2008 22:32:10 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-67032

How would you set up a new IP address in /etc/hosts before you’ve hacked your ATV? You’ve got a chicken/egg situation there.

By: Mojo, Thu, 26 Jun 2008 08:13:57 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-66115

Wouldn’t it be sufficient to just set the new IP address in the /etc/hosts? This way it is possible to block update …

By: anonymous coward, Wed, 25 Jun 2008 21:40:39 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-65982

You don’t need to use internet sharing. Just set up the DNS server on your local LAN to point mesu.apple.com to a local address.

By: Mojo, Sun, 22 Jun 2008 08:33:23 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-64955

But it would be easier to upgrade to future versions of atv without losing all plugins and hacks.
Of course, first you’ll need to hack your atv. But that could happen with a Linux patchstick as well. This patchstick just installs/hacks the update app. Then just select update and it connects to an update.awktwardtv.org and downloads the last atv os + all available hacks.

By: pman, Fri, 20 Jun 2008 20:16:12 +0000, https://www.appletvhacks.net/2008/06/20/hacking-apple-tv-without-a-patchstick/#comment-64435

This won’t work. As stated above all Apple software updates are cryptographically signed by Apple. Without Apple’s private key it would be impossible to spoof the updates. You would need to modify the public key that is already on the Apple TV, which isn’t possible until the device is hacked.

I think a better route would be to look for buffer overflows that can be exploited via media playback, but that’s a tough one.
