
These Android TV boxes have been around just about as long as Android has. Odds are, you or someone you know has had one over the years. But beneath their crunchy Android exterior lies a deep, dark secret. What evils will befall you should you choose to bring such a device into your house? And what alternatives are there?

https://linustechtips.com/topic/1500555-stop-buying-android-tv-boxes/

Reminds me of how someone in my old apartment put up flyers for an Android TV box whose marketing screamed "buy this to pirate shows!" It was virtually guaranteed to be a poorly cobbled-together machine that would be as much a threat to your home network as anything else.


That's why I build my own infrastructure, from NAS and storage down to HTPCs...

What the horse considers play, the monkey considers business...

But to Tom, it's all foolery. 

 

 

 

 


i just want to mention that the video seems to imply that kodi is inherently enabling piracy.. which is *actually* a big problem for the kodi project.

 

kodi itself has no piracy-enabling features, and the official plugin repository (shouldn't) either.

all the piracy garbage is in (equally shady as these boxes) 3rd party plugin repositories... which is a thing that appears to be entirely missing from this video, and is actually a pretty major part of the problem.

 

meanwhile kodi is actually in legal hot water because of these boxes, with the only way to protect themselves being the choice to either fight expensive legal battles trying to explain to a 179 year old judge what a "plugin" is, or to just remove 3rd party plugins as a possibility outright.

 

this might be the first time i'm *actually* annoyed by a detail being missed in an LTT video, because of the enormous impact this detail has... and i'm pretty darn sure linus himself is aware of this detail.

 

possibly matter for a follow-up (part two-ish) about the garbage these boxes shove into their kodi installs?


What implications does this have on IPTV boxes? Let's say you have a subscription service that uses an infomir/mag box. Would it be vulnerable to similar malware behaviour, and if so, what tools are required to monitor / check whether there's suspicious activity?
In general, what vulnerabilities could be exploited? Could it monitor my desktop's network activity through my router?


3 minutes ago, Baconface said:

Let's say you have a subscription service

you'd assume that the company you have a subscription from either develops their thing in-house, or uses a reliable partner.


As someone who has spent months trying to get vanilla Linux running on a T95, I feel personally triggered when people go "well, just install Linux and..." For the Allwinner SOC at least, it is absolutely not that easy.

 

These ARM boards usually get released with a Board Support Package (BSP), which helps you compile the Linux kernel and includes support for the various hardware on the board. Best case scenario is that the hardware is supported in Linux and in U-Boot upstream. Second best case scenario is something like what NXP does, which is to frequently update their BSP for the latest Linux kernels. After that, there are companies that release a BSP when they release their hardware, and that's the last thing they ever do. Then, there's Allwinner, where I don't even know how a BSP escapes for their hardware, and your best bet as an English-speaking developer is to download shady looking shit on Chinese-only websites.

 

Anyway, for the T95 H616 in particular, Linux 4.9.170 (I think) is the kernel someone built for Android 10 to support the H616 and, that's it. I can't find any kernel source, Allwinner BSP, U-boot source... So to "just install Linux" you need to either convince the vendor-provided U-Boot to boot a different kernel than it has been set to load, or boot from an SD card using the upstream U-Boot, tweaked with hardware parameters that are known by very very few people. Any modification to the 4.9.170 kernel bricks the T95, and I never succeeded in finding RAM timings that allowed the mainstream U-Boot to get completely up and running.

 

This is a crime, because for the most part, this is really good hardware (although I think it's probably the case it's as shoddily assembled as the Android that runs on it). But it's stuck running malware-ridden Android.


58 minutes ago, manikyath said:

i just want to mention that the video seems to imply that kodi is inherently enabling piracy.. which is *actually* a big problem for the kodi project.

 

kodi itself has no piracy-enabling features, and the official plugin repository (shouldn't) either.

all the piracy garbage is in (equally shady as these boxes) 3rd party plugin repositories... which is a thing that appears to be entirely missing from this video, and is actually a pretty major part of the problem.

Yup.  I have multiple Kodi HTPCs across my home.  But they're all accessing local storage, UnRAID servers and a MariaDB database, for media playback.  The lone exception is the YouTube addon I also use.  I've ripped so many DVDs and BDs to that server.

 

What's wild to me is, IMO, Kodi is pretty good for 'local/LAN file playback' but pretty atrocious as a streaming interface.  Yet since it's open source and easy to build pirate addons, it's popular for it anyway despite honestly being kinda terrible for streaming much of anything.

Desktop: Ryzen 9 3950X, Asus TUF Gaming X570-Plus, 64GB DDR4, MSI RTX 3080 Gaming X Trio, Creative Sound Blaster AE-7

Gaming PC #2: Ryzen 7 5800X3D, Asus TUF Gaming B550M-Plus, 32GB DDR4, Gigabyte Windforce GTX 1080

Gaming PC #3: Intel i7 4790, Asus B85M-G, 16B DDR3, XFX Radeon R9 390X 8GB

WFH PC: Intel i7 4790, Asus B85M-F, 16GB DDR3, Gigabyte Radeon RX 6400 4GB

UnRAID #1: AMD Ryzen 9 3900X, Asus TUF Gaming B450M-Plus, 64GB DDR4, Radeon HD 5450

UnRAID #2: Intel E5-2603v2, Asus P9X79 LE, 24GB DDR3, Radeon HD 5450

MiniPC: BeeLink SER6 6600H w/ Ryzen 5 6600H, 16GB DDR5 
Windows XP Retro PC: Intel i3 3250, Asus P8B75-M LX, 8GB DDR3, Sapphire Radeon HD 6850, Creative Sound Blaster Audigy

Windows 9X Retro PC: Intel E5800, ASRock 775i65G r2.0, 1GB DDR1, AGP Sapphire Radeon X800 Pro, Creative Sound Blaster Live!

Steam Deck w/ 2TB SSD Upgrade


It would have been helpful if we would have gotten a list of which devices were actually tested and which are suspected of/confirmed having malware. Just saying this T95 is bad and a NVidia Shield is good isn't very helpful.

 

For example, how about the Nokia streaming boxes? You'd say they're from a reputable brand, but are they good or bad? Not everyone can go and use Wireshark or a PiHole to debug logs and find out.


I believe you might be wrong about these devices not supporting 4K playback. I work for a multimedia company, and my experience is that Android devices, like desktop computers, have two types of resolutions: desktop (or screen) resolution and display resolution. These two kinds of resolutions determine the image quality displayed on the screen. Even on the Nvidia Shield, the desktop resolution is not at 4K when it's connected to a 4K display. When media players properly use the Android media codec to play a 4K video (keep in mind a lot of these Mediatek, Rockchip, etc. chips support 4K only for H265 or recently AV1; 4K is not generally supported for H264 if you look at SoC specs), the VPU will decode the video, generate RAW buffers and directly pop them on the device's GPU front buffer. This is how 4K content gets played back on these devices.


Is it possible to get a list of which SoCs/makes are mainly targeted by this backdoor, rather than saying "all of them"? For example, I'm more interested to hear whether any Amlogic boxes suffer from the same issue.

If the boxes you bought all had Allwinner SoCs in them, that was a kinda stupid move to test only on them. Also, it would be more interesting to hear whether it affects even the high-end models and makes with eMMC etc...


tbh the only reason why i use this android box is 'cause TVs like samsung don't have the ability to manually select subtitles.

by this i mean, why don't samsung TVs let me manually select from a folder like the kodi app allows, if it can't auto-detect them...


Glad to hear you picked this up from my January post on the forum:

I don't suppose you could apply a bit of gentle pressure on Linode who STILL host this botnet on:

 

ycxrl.com (currently down)

ycxrldow.com (139-162-38-240.ip.linodeusercontent.com)

cbphe.com (172-104-164-76.ip.linodeusercontent.com)

cbpheback.com (139-162-8-8.ip.linodeusercontent.com)

 

At least it'll slow them down a bit... It's possible Linode could uncover who is behind this, based on the billing info they've had on file for years at this point.  

 

I added some additional info but it's stuck in your YT mod queue.

 

Cheers,

Dan M.
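
Added example, not part of the post above or of the video: one way to check a home network for lookups of the four domains listed in that post, using the dnsmasq-style query log that Pi-hole keeps. The log lines and the `api.` subdomain are constructed sample data; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Domains named in the post above (copied from the page, not verified here).
WATCHLIST = {"ycxrl.com", "ycxrldow.com", "cbphe.com", "cbpheback.com"}

# dnsmasq / Pi-hole query line: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

def matches_watchlist(name, watchlist=WATCHLIST):
    """Return the watched domain that `name` equals or is a subdomain of."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole label suffixes so "notycxrl.com" does not match "ycxrl.com".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def find_hits(log_lines):
    """Map client IP -> {watched domain: number of queries}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines are ignored
        _qtype, name, client = m.groups()
        domain = matches_watchlist(name)
        if domain:
            hits[client][domain] += 1
    return {client: dict(domains) for client, domains in hits.items()}

# Constructed sample log: 192.168.1.50 stands in for a TV box on the LAN.
SAMPLE_LOG = """\
Apr 20 21:48:10 dnsmasq[812]: query[A] ycxrl.com from 192.168.1.50
Apr 20 21:48:10 dnsmasq[812]: forwarded ycxrl.com to 9.9.9.9
Apr 20 21:48:11 dnsmasq[812]: query[A] api.cbphe.com from 192.168.1.50
Apr 20 21:48:12 dnsmasq[812]: query[AAAA] www.youtube.com from 192.168.1.20
Apr 20 21:48:15 dnsmasq[812]: query[A] ycxrl.com from 192.168.1.50
Apr 20 21:48:16 dnsmasq[812]: query[A] notycxrl.com from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    for client, domains in find_hits(SAMPLE_LOG).items():
        print(client, domains)
```

A client that shows up in the result is the device to isolate and inspect; an empty result only means none of these four names were queried through this resolver during the logged period.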


Hi, I have an Android TV box called STRONG Leap-S1 and I'm worried it's the same as the ones mentioned in the video. Is there any chance someone could find out if it is the same? Here is the link to the one I have, if needed to do research on: STRONG Leap-S1 Smart Box Android TV Streaming Media Player, 4K Ultra HD Streaming Device with Google Voice Assistant, Built-In Netflix Disney+ Prime Video, WiFi 5 with Bluetooth 4.2 https://amzn.eu/d/1dzPQgM


On 4/13/2023 at 11:54 AM, MoiInActie said:

It would have been helpful if we would have gotten a list of which devices were actually tested and which are suspected of/confirmed having malware. Just saying this T95 is bad and a NVidia Shield is good isn't very helpful.

 

Most of the piracy IPTV STB devices sold in the US/Canada are Nvidia Shield devices preloaded with Kodi and the piracy plugins, and it has always been that way.

 

And they don't work very long either. My dad was ... into this stuff... and it's such an absurd pain in the behind to actually watch anything on the device that I, at the time, volunteered my Netflix account to my mom to just not use this stupid thing.

 

Which worked fine until February of this year. Mom is never going to subscribe to Netflix, she barely knows how to use the SmartTV.

 

Like, holding nothing back, a person must be incredibly bored to want to go through this much effort to watch a cammed film same-day showing with Chinese subtitles on it.  These IPTV piracy boxes basically connect you to websites like Facebook being used as "file dumps", and things disappear pretty fast. If you wanted to watch a movie, you might spend 2 hours trying to find a working one. It is not worth the effort, but some people like to be spiteful pirates. It's a game to them if they can get the thing for free.

 

Personally, I'm surprised Nvidia has yet to withdraw the Shield device and put some proprietary OS on them so that they can't be used as piracy boxes. But they probably don't care either.

 

Just saying "buy an Nvidia Shield instead" has to be said with "from NVIDIA directly".


On 4/20/2023 at 1:48 PM, Parker64lol said:

Hi, I have an Android TV box called STRONG Leap-S1 and I'm worried it's the same as the ones mentioned in the video. Is there any chance someone could find out if it is the same? Here is the link to the one I have, if needed to do research on: STRONG Leap-S1 Smart Box Android TV Streaming Media Player, 4K Ultra HD Streaming Device with Google Voice Assistant, Built-In Netflix Disney+ Prime Video, WiFi 5 with Bluetooth 4.2 https://amzn.eu/d/1dzPQgM


As far as I'm able to tell, Strong is legit. They are a white label of Skyworth and officially supported by Google. The Leap S2 and S3 are even Google TV devices. That being said, I have not touched one in person, let alone tested it.
