A team of security researchers publishing under the “llamasoft” name has released a jailbreak for Roku streaming devices called “RootMyRoku.” The code is free and available on GitHub, and its purpose is to unlock the device so users can install whatever channels they like. The jailbreak also unlocks low-level hardware developer mode features, adds hidden screens and debug options to the main menu, and blocks all channel and firmware updates as well as communication with Roku’s servers.
The catch is that RootMyRoku only works on devices still running RokuOS 9.4.0 build 4200, because the vulnerabilities it exploits are not present in RokuOS 10. Since 9.4 was released only last September and was replaced by RokuOS 10 in April 2021, a respectable number of devices are probably still on the older version. The other prerequisite is that the device uses a Realtek WiFi chip, which should cover most models.
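The first thing a practitioner will want to do is confirm which build a device is actually running before touching it. The check below is an added example written for this article; it is not code from the RootMyRoku repository or from Roku. It assumes Roku’s External Control Protocol, which serves a device-info document over HTTP on port 8060 at `/query/device-info` with `software-version` and `software-build` elements, and it is exercised here against a constructed sample response rather than a live device.

```python
"""Classify a Roku device-info document against the build RootMyRoku targets."""
import urllib.request
import xml.etree.ElementTree as ET

# Build the article says the jailbreak requires (RokuOS 9.4.0 build 4200).
TARGET_VERSION = "9.4.0"
TARGET_BUILD = "4200"

# Classification results returned by jailbreak_status().
TARGET = "TARGET"      # exact build the jailbreak targets
PATCHED = "PATCHED"    # RokuOS 10 or later: flaws fixed, jailbreak does not apply
UNKNOWN = "UNKNOWN"    # some other 9.x build: outside the stated target

# Constructed sample (not a real capture). Only the elements used here are
# reproduced; a real response carries many more fields.
SAMPLE_DEVICE_INFO = """<?xml version="1.0" encoding="UTF-8"?>
<device-info>
  <model-name>Roku Express</model-name>
  <software-version>9.4.0</software-version>
  <software-build>4200</software-build>
</device-info>
"""


def fetch_device_info(ip, timeout=5):
    """Fetch the device-info XML from a Roku on the local network (assumed
    ECP endpoint). Not called by the offline demonstration below."""
    url = "http://%s:8060/query/device-info" % ip
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_device_info(xml_text):
    """Return (software-version, software-build) from a device-info document."""
    root = ET.fromstring(xml_text)
    version = root.findtext("software-version")
    build = root.findtext("software-build")
    if version is None or build is None:
        raise ValueError("device-info lacks software-version or software-build")
    return version.strip(), build.strip()


def version_tuple(version):
    """Turn '9.4.0' into (9, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def jailbreak_status(xml_text):
    """Classify a device-info document as TARGET, PATCHED or UNKNOWN."""
    version, build = parse_device_info(xml_text)
    if (version, build) == (TARGET_VERSION, TARGET_BUILD):
        return TARGET
    if version_tuple(version) >= (10, 0, 0):
        return PATCHED
    return UNKNOWN


if __name__ == "__main__":
    print(parse_device_info(SAMPLE_DEVICE_INFO), jailbreak_status(SAMPLE_DEVICE_INFO))
```

Only the exact 9.4.0/4200 pair is reported as the target: a different 9.x build is deliberately classed as unknown rather than vulnerable, because the article only vouches for that one build.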
The developer claims that installing the jailbreak makes no changes to the device’s underlying firmware, so bricking is not a risk. Still, running tools that intervene in a device at the system level always carries some risk. As such, we are not advising you to use the jailbreak, and TechNadu takes no responsibility for whatever happens to your device if you choose to install it.
The exploit chains two flaws: an arbitrary file modification and a privilege escalation. Two bugs combine to produce the first, namely an undocumented channel manifest option and a grsecurity misconfiguration in the Linux kernel. The privilege escalation lies in the process that configures the DHCP service for Realtek chipsets. Note that because the jailbreak blocks firmware updates, a rooted device stays on the vulnerable build and keeps these flaws unpatched.
Although the exploited flaws appear to have been known to Roku, which fixed them in the latest RokuOS release, the researcher is openly calling on the company to launch a bug bounty program. With one in place, security researchers like him would report their findings to the company and collect a reward, rather than creating practical problems for it by releasing jailbreaks.