{"id":21813023,"url":"https://github.com/llamasoft/rootmyroku","last_synced_at":"2025-06-22T18:09:18.798Z","repository":{"id":47648206,"uuid":"368070410","full_name":"llamasoft/RootMyRoku","owner":"llamasoft","description":"A persistent root jailbreak for most Roku devices.","archived":false,"fork":false,"pushed_at":"2022-02-21T20:58:43.000Z","size":249,"stargazers_count":311,"open_issues_count":1,"forks_count":25,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-05-20T10:01:53.286Z","etag":null,"topics":["jailbreak","roku","roku-tv"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/llamasoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-17T05:51:17.000Z","updated_at":"2025-05-05T15:07:33.000Z","dependencies_parsed_at":"2022-09-23T15:02:13.504Z","dependency_job_id":null,"html_url":"https://github.com/llamasoft/RootMyRoku","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/llamasoft/RootMyRoku","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/llamasoft%2FRootMyRoku","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/llamasoft%2FRootMyRoku/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/llamasoft%2FRootMyRoku/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/llamasoft%2FRootMyRoku/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/llamasoft","download_url":"https://codeload.github.com/llamasoft/RootMyRoku/tar.gz/refs/heads/main","sbom_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/llamasoft%2FRootMyRoku/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261338998,"owners_count":23143900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jailbreak","roku","roku-tv"],"created_at":"2024-11-27T14:26:42.827Z","updated_at":"2025-06-22T18:09:13.767Z","avatar_url":"https://github.com/llamasoft.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Root My Roku\n\nA persistent root jailbreak for RokuOS v9.4.0 build 4200 devices using a Realtek WiFi chip.  \nA big thank you to ammar2 and popeax from the [Exploitee.rs](https://exploitee.rs/) Discord for helping discover and develop this.\n\n## Features\n\n- Spawns a telnet server running as root on port 8023.\n- Enables the low-level hardware developer mode.\n- Adds many new secret screens and debug features to the main menu.\n- *Blocks channel updates, firmware updates, and all communication with Roku servers.*\n\n## Usage\n\n1. Download any new channels you might want to use after the jailbreak.  \n   Once you jailbreak your device, all communication with Roku's servers will be blocked.  \n   Any channels you currently have installed should continue to work.  \n   Please see the F.A.Q. below for details.\n1. Enable [Developer Settings](https://developer.roku.com/docs/developer-program/getting-started/developer-setup.md#step-1-set-up-your-roku-device-to-enable-developer-settings) on your Roku device.\n1. 
Download the latest `dev-channel.zip` from the [releases page](https://github.com/llamasoft/RootMyRoku/releases/latest).\n1. Upload `dev-channel.zip` using the guide from the previous step.\n1. Follow the prompts on screen, then reboot to jailbreak!\n\n## Applications\n\n* Using a Roku TV to drive ambient lighting: https://www.youtube.com/watch?v=V_enynuw-rc\n  ([details](https://blog.ammaraskar.com/roku-tv-philips-hues/)).\n\n\n## F.A.Q.\n\n### Which devices does this affect?\n\nAffected devices include _almost all_ Roku TVs and some Roku set-top boxes.  \nIn theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.  \nYou can check your current software version from Settings -\u003e System -\u003e About.  \nWhile it is not possible to manually check your WiFi chip manufacturer, the channel\nprovided for this exploit will tell you if your device is vulnerable or not.\n\n### Can this brick my device?\n\nNo!  It makes no changes to the underlying firmware that the device runs.  \nIf anything bad happens, a [factory reset](https://support.roku.com/article/208757008) will always recover your device.\n\n### How do I un-jailbreak my device?\n\nYou have two options:\n- Factory reset your device.  This will clear NVRAM and remove the jailbreak.\n- Using the telnet server on port 8023, delete `/nvram/udhcpd-p2p.conf` and reboot.\n\n### Is Roku aware of this exploit?\n\nSome of the critical components required for the exploit chain no longer work in RokuOS v10.  \nThe NFS mount option that is used for arbitrary file modification gets disabled,\nand the service used for persistence and privilege escalation is no longer used.\n\nWhile RokuOS v10 has started rolling out, many devices have not received the update yet.\n\n### Why does the jailbreak block communication with Roku servers?\n\nThis is a precautionary measure to prevent the jailbreak from being disabled or removed.  
\nIn the past, Roku has taken some _creative_ measures to forcefully patch jailbroken devices.\nOne such example was an update to the screensaver channel that would check for a telnet service,\nconnect to it, and command it to un-root and update the device.\n\nUnfortunately, the servers used for channel and firmware updates are the same ones used\nto communicate with Roku in general.  Blocking updates means that no new channels can\nbe installed and that certain features like \"My Feed\" and \"Search\" will no longer work.  \nApplications that communicate with other services (e.g. YouTube, Netflix, HBO) will still work.\n\n### How can I prevent my non-jailbroken Roku from updating?\n\nEdit your modem/router's DNS settings to use the IP address of `dns.rootmyroku.com`.  \nYou can find the current IP address using `nslookup`, `dig`, or [online DNS lookup tools](https://dnstools.ws/lookup/dns.rootmyroku.com/A/).\n\n### Why should I trust the code you execute on my device?\n\nYou don't have to!\n\nAll of the files required to reproduce this exploit are available in this repo:\n- The local channel used to load the remote payload is available under `local`.\n- The remote payload loaded over NFS is available under `remote`.\n- The scripts used to create the NFS and DNS servers are available under `server`.\n\n\n## Exploit Details\n\nThere are two main vulnerabilities that make this exploit possible: arbitrary file modification and privilege escalation.\n\nRokuOS actually does a decent job of sandboxing channels to prevent them from accessing the underlying filesystem.\nIn addition to running as a restricted user, a software sandbox, and a chroot jail, Roku's Linux kernel has\n[grsecurity patches](https://grsecurity.net/) applied.  These patches mitigate common exploit techniques used in \njailbreaks and privilege escalation.  
Furthermore, the entire root filesystem is read-only and baked into the firmware.\nOnly persistent storage (NVRAM) and temp directories are writable.\n\n### Arbitrary File Modification\n\nTwo things conspired to allow arbitrary file modification.  The first was an undocumented `pkg_nfs_mount`\n[channel manifest](https://developer.roku.com/en-gb/docs/developer-program/getting-started/architecture/channel-manifest.md) option.\nThis option was meant to shorten the software development lifecycle when creating a channel by allowing the channel's source code\nto be hosted on a different machine using [NFS](https://en.wikipedia.org/wiki/Network_File_System).\nThis removes the need to re-package and re-upload channels after every code change.  \nThe second was a shortcoming of the grsecurity patches and the Linux kernel in general: symlinks over NFS behave oddly.\nWhile grsecurity was configured specifically to not allow symlinking to directories owned by other users,\nthe ownership and permission checks no longer work properly when the symlink resides on an NFS mount.\nThis allows us to create a symlink in the remote channel's package that points to the root of the main filesystem.\n(See [`remote/source/Main.brs`](/remote/source/Main.brs) for details.)  \nThis provided us with the ability to modify persistent storage and temp files, but only as the app user.\n\n### Privilege Escalation\n\nFrom there, we discovered that the process that configures udhcpd (a DHCP service used for pairing speakers and remotes)\nfor Realtek chipsets could be made to read a config file from NVRAM, a location that the app user has access to.\nIf we could leverage it properly, it would let us manipulate a service running as the root user and also give us a means\nof persisting across reboots.  Thankfully, udhcpd has an option for executing a script (`notify_file`) with a single parameter (`lease_file`)\nwhenever a DHCP lease is created.  
It wasn't perfect though: the udhcpd service would only run the script if it had the \"execute\" bit set.\nWhile we could create arbitrary files using our previous exploit, we didn't have control over the file's permissions and,\nas a result, none of the payload scripts we created were marked as executable.  To make matters more difficult, we couldn't pass the\npayload script as `lease_file` to the built-in shell executables because udhcpd would overwrite the script contents first.  \nUltimately, the solution involved creating a polyglot `lease_file` value that is both an AWK script and a legal file name.\n(See [`remote/bootstrap.conf`](/remote/bootstrap.conf) for details.)\n\n## Footnote\n\nIf anyone at Roku is reading this: you desperately need a _real_ bug bounty program.\n\nWithout one, there's little incentive to research and report vulnerabilities\nwhen you're not sure if you'll be rewarded for your efforts or not.\nWhile we took this project on for fun as a hobby, almost no professional\nsecurity researchers are going to dedicate as much effort as we did for a \"maybe\".\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fllamasoft%2Frootmyroku","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fllamasoft%2Frootmyroku","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fllamasoft%2Frootmyroku/lists"}