Hacking Apple TV without a patchstick?

by editor @ AppleTVHacks.net on June 20, 2008


Wouldn’t it be nice to update your Apple TV with the latest hacks/plugins without opening it up or using the troublesome patchstick?  What if all this could be done just by clicking the “Update Software” option in the Apple TV menu?

In theory, it is entirely possible.  And it will be quite a breakthrough if someone can make it a reality.

It is simple, really.  The whole idea behind this hack is to use a DNS spoofing technique to “trick” the Apple TV into thinking it is getting software updates from Apple, when in reality it is getting them from a fake server that we set up with all the hacked updates.

Here are the steps:

  1. set up internet sharing on a local computer on a private network.
  2. connect the Apple TV to that computer.
  3. set up a fake update server on the same private network.
  4. on the computer sharing the internet connection, override the Apple update server’s name so that it resolves to the IP address of the fake server.
  5. put a dummy software update on the fake update server.
  6. run software update on the Apple TV to download the dummy software update.

Now, though the idea is simple, in reality it is not as simple as it sounds.  This is mainly because each software update package is “signed” with a special signature, and so far nobody knows how the signature is generated.
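As an added illustration (not code from the post, and not Apple’s mechanism), here is the device-side check that makes redirecting the update traffic insufficient on its own. It is a Go sketch with constructed ed25519 keys standing in for the vendor’s signing key and the public key pinned on the device; the signature scheme is an assumption for illustration. A genuine package verifies, while a modified package and a package signed by a fake server’s own key both fail, regardless of which server delivered them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Update models what the device fetches: the package bytes plus a detached signature.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is what only the holder of the vendor's private key can do.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the device-side check: the signature must validate under
// the public key pinned in firmware, no matter which server sent the file.
func VerifyUpdate(pinnedPub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pinnedPub, u.Payload, u.Signature)
}

// Demo runs the three cases the discussion raises. Keys come from fixed,
// constructed seeds (hypothetical, not the vendor's) so the run is deterministic.
func Demo() (genuineOK, tamperedOK, spoofedOK bool) {
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pinned := vendorPriv.Public().(ed25519.PublicKey) // what the device trusts

	genuine := SignUpdate(vendorPriv, []byte("constructed: vendor update image v2.0.1"))
	genuineOK = VerifyUpdate(pinned, genuine)

	// Case 1: modify the real package but keep its real signature.
	tampered := Update{Payload: append([]byte("patched: "), genuine.Payload...), Signature: genuine.Signature}
	tamperedOK = VerifyUpdate(pinned, tampered)

	// Case 2: a fake server serves its own package signed with its own key.
	spoofed := SignUpdate(attackerPriv, []byte("constructed: fake update image"))
	spoofedOK = VerifyUpdate(pinned, spoofed)
	return
}

func main() {
	g, t, s := Demo()
	fmt.Printf("genuine=%v tampered=%v spoofed=%v\n", g, t, s)
}
```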

So there, the idea has been presented.  If anybody has any insights into how the software update package is signed, we can really revolutionize the way Apple TV is hacked.

  • Jim Rossignol

    How the signature is generated? That’s trivial. What we don’t have is the private key that signed the certificate. They can be brute-force reverse-engineered, but that takes an incredible amount of CPU power (on the order of several hundred to several thousand CPU-years in many cases). So that’s probably out of the question.

    Unless the AppleTV can be fooled into accepting an unsigned update…

  • luck

    OK, Jim. That was exactly what I meant. We don’t have the private key.

    Fooling Apple TV into accepting unsigned updates? I think the Apple TV has to be hacked first. And to do that you probably need a patchstick. Kinda defeats the purpose.

    But anyhow, thanks for your input.

  • pman

    This won’t work. As stated above all Apple software updates are cryptographically signed by Apple. Without Apple’s private key it would be impossible to spoof the updates. You would need to modify the public key that is already on the Apple TV, which isn’t possible until the device is hacked.

    I think a better route would be to look for buffer overflows that can be exploited via media playback, but that’s a tough one.

  • Mojo

    But it would be easier to upgrade to future versions of atv without losing all plugins and hacks.
    Of course, first you’ll need to hack your atv. But that could happen with a linux patchstick as well. This patchstick just installs/hacks the update app. Then just select update and it connects to an update.awktwardtv.org and downloads the last atv os + all available hacks.

  • anonymous coward

    You don’t need to use internet sharing. Just set up the DNS server on your local LAN to point mesu.apple.com to a local address.

  • Mojo

    Wouldn’t it be sufficient to just set the new ip address in the /etc/hosts? This way it is possible to block update …

  • anonymous coward

    How would you set up a new IP address in /etc/hosts before you’ve hacked your ATV? You’ve got a chicken/egg situation there.

  • Mojo

    You absolutely need a patchstick to install the hosts file and disable the update integrity check. Then though it will be possible to install any provided update. This, of course, is not the solution. But it’s a more comfortable way than to install ssh then copy some files, run some updates, install some files again …

    The other way mentioned is to hack the private key so it is possible to sign selfmade updates …. not very likely

  • Nutz

    I’d like to get dmg’s and .signature files for past updates to compare. Anyone have 2.0 and 2.0.1?

  • HMM, what if you guys modify the real updates by apple and add the hacks to be installed along with updates, I know it sounds simple but it may be very hard but then again, there won’t be any need to find the “signature”.
    if there was a way you could open the update package and add your hack or replace them with its original files, there would be no need for anything else, right??
    I have done this for other stuff, and it works most of the time.

  • GZ

    A Man in the middle could work. Inject once the signature is retrieved. Setup a proxy, haven’t checked if the appleTV can use a proxy, might have to do a double NAT to filter all traffic through the proxy.

  • Andrew

    Actually the whole problem is not getting the AppleTV to talk to your fake update server, it is making it accept an unsigned file. Forget cracking the signature, it is not viable.

    Also, if you do crack the signature, you might as well get involved with iPhone hacking, which also uses signed firmware. The dev team’s Pwnage “fixes” this, but by making the device ignore the mismatching signature, rather than getting the signature right. It would require previous modification of the AppleTV for this technique to work though, so it kind of beats the purpose of this.

    The only way to do it without previously modifying the AppleTV would have to be via some sort of vulnerability exploit, but then it would work only for a short while (until the next software update), so I believe this idea does not have a lot of potential, unless we can get the AppleTV to ignore the signature checking (quite hard to do, if you ask me).
