Roku player software cracked open temporarily, root now to run XBMC later

Roku's line of set-top boxes has been popular thanks to their simple controls, large set of available apps (recently expanded to include YouTube for the new Roku 3) and hardware ranging in price from inexpensive to downright cheap. Still, despite an active and encouraged developer community with custom channels and well-supported media player apps like Plex, the hardware has remained largely on lockdown -- until now. The GTVHacker team that previously unlocked Google TV and Chromecast has found a way to run its commands as root on any Roku 2 or Roku 3 using the most recent software version (unfortunately, that does not at this time include Sky TV's cheap Now TV player, which runs on older software). While the player overall is credited as "considerably more secure than others in the entertainment field" (Samsung comes to mind, but it's far from the only one), a development password field provided a way in.

Currently they've only achieved persistence on the Roku 2, which in this case means they can maintain control even after the box reboots by breaking the secure boot process and modifying the initial boot loader. Since Roku 2 runs on the same Broadcom chip used by the popular Raspberry Pi, team member CJ Heres expects to see ports for third-party home theater PC software like XBMC very quickly. The Roku 3 will be a bit trickier since it runs on different hardware, and right now it needs to have the command entered each time the box starts.

Those well-versed in using the command line should find the process simple. A WGET command entered via the development password field pulls down a script -- available from the GTVHacker team -- that makes sure you have the right box and does all the dirty work before rebooting, leaving you with a rooted box, as seen above. Hardware-level access on mobile platforms has led to a number of custom software projects and we'll have to see if the same path is followed here, but if all this does is create a simple $40 XBMC box, it's probably still worth looking into -- and quickly, since the team expects this security hole will be patched soon.