Google hasn’t said much about how its new OnHub router works—it’s a mysterious black box (blue cylinder, technically) with inactive radios and updatable firmware. The modders from Exploitee.rs have gotten their hands on an OnHub, and it didn’t take long for them to root it. Interestingly, they rooted it like a Chromebook because that’s sort of what the OnHub is—a Chromebook with no screen acting like a router.
The modders discovered the OnHub’s close relationship to a Chromebook by dumping the SPI flash and eMMC from the board. It was essentially running Chromium OS, but with modifications to function as a router. Based on what is known about Chromebooks, the team knew re-flashing the BIOS was the fastest way to gain root, but they lacked debug output. Luckily, the OnHub has another thing in common with some Chromebooks. On the bottom is a hidden switch screw that enables developer mode (presumably disabling write protect). Inputting ctrl+d prior to hitting that switch boots the OnHub in developer mode, allowing it to boot a USB image. That gave the team the necessary access.
So the root method for OnHub is really just a modified way of booting developer mode on a Chromebook. Now that we know the OnHub is at its heart a heavily modified Chromebook, it might be possible to create custom ROMs for the device. Maybe someone can enable that USB port Google has neglected to turn on.
- Source:
- Exploitee.rs