Frédéric Basse's Payload-Packing Raspberry Pi Pico Pushes Ubuntu Onto a Google Nest Hub

Exploiting a vulnerability which had already been patched upstream, this secure bootloader bypass puts the OS of your choice on a Nest Hub.

Security researcher Frédéric Basse has found an unusual use for a second-generation Google Nest Hub, turning it into a functional Ubuntu desktop — by exploiting vulnerabilities to bypass its secure bootloader.

"In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS," Basse writes by way of introduction to his project. "First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device."

That search turns up a few possibilities — though an earlier vulnerability in the device's USB interface had been patched at the factory in the unit Basse examined. Further tests revealed a protected boot sequence locked behind an unknown password, button combinations that can prevent a successful boot, and an internal ribbon cable, which could be inserted into a custom-built breakout board for further examination.

With the breakout board giving access to a UART bus, Basse observed the Nest Hub attempting to load a recovery image via USB. While the device verified the authenticity of any software it booted this way, Basse found a vulnerability in the U-Boot bootloader that caused a stack overflow, a bug which, in an embarrassing revelation for Google, had already been patched upstream.

"In order to exploit this bug in the Nest Hub bootloader," Basse explains, "we need a USB Mass Storage device that supports larger-than-usual block size. One solution could be based on the Mass Storage Gadget from Linux USB Gadget framework with a USB OTG-enabled host (e.g. VIM3L SBC we used to dump the S905D3 boot ROM). But there's a cheaper option.

"Raspberry Pi Pico is a $4 microcontroller with USB Device support. It also has the great advantage of being supported by TinyUSB, an open-source cross-platform USB Host/Device stack."
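The bug class Basse describes, a device-reported block size trusted as a copy length into a fixed-size buffer, is easy to see in a simplified model. The following is an added example written for this article, not code from U-Boot or from Basse's project: it parses a constructed SCSI READ CAPACITY(10) reply (the message a mass-storage host uses to learn a device's block length) and shows the unchecked pattern beside a hardened parser that refuses any block length the buffer cannot hold.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (not U-Boot's actual code) of a bootloader USB Mass
 * Storage driver learning a device's block size from a SCSI
 * READ CAPACITY(10) reply: 8 bytes, big-endian last LBA then block length. */

#define SECTOR_BUF_SIZE 512u  /* size of the fixed buffer the driver was written for */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: copies blksz bytes, as reported by the device, into a
 * SECTOR_BUF_SIZE stack buffer. A device claiming e.g. 4096-byte blocks
 * writes past the end of that buffer. Shown only as a comment, never run:
 *
 *   uint8_t sector[SECTOR_BUF_SIZE];
 *   memcpy(sector, dev_data, blksz);   // blksz is device-controlled
 */

/* Hardened: validate the device-reported block length before it is ever used
 * as a copy length. Returns the accepted size, or -1 to refuse the device. */
long read_capacity_block_size(const uint8_t cap[8])
{
    uint32_t blksz = be32(cap + 4);
    if (blksz == 0 || blksz > SECTOR_BUF_SIZE || (blksz & (blksz - 1)) != 0)
        return -1;  /* zero, oversized, or not a power of two: refuse it */
    return (long)blksz;
}

/* Copy one block using only the validated size; returns bytes copied, or -1. */
long fetch_block(const uint8_t cap[8], const uint8_t *dev_data, uint8_t out[SECTOR_BUF_SIZE])
{
    long blksz = read_capacity_block_size(cap);
    if (blksz < 0)
        return -1;
    memcpy(out, dev_data, (size_t)blksz);
    return blksz;
}

int main(void)
{
    /* Constructed replies: last LBA 127 with a 512-byte vs a 4096-byte block length. */
    const uint8_t sane[8]     = {0, 0, 0, 0x7f, 0, 0, 0x02, 0};
    const uint8_t oversize[8] = {0, 0, 0, 0x7f, 0, 0, 0x10, 0};
    printf("512-byte blocks accepted as: %ld\n", read_capacity_block_size(sane));
    printf("4096-byte blocks accepted as: %ld\n", read_capacity_block_size(oversize));
    return 0;
}
```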

Through experimentation, Basse was able to develop a payload which could be loaded onto a Raspberry Pi Pico and which, when connected to the Nest Hub's USB port, would bypass the protections in the bootloader — allowing the boot process to be interrupted and the Raspberry Pi Pico replaced with a USB stick containing a bootable copy of Canonical's Ubuntu Linux distribution, an operating system which would normally not be loaded on the device.

Basse alerted Google to the vulnerabilities, and has since released the source code and pre-compiled payload on GitHub under the permissive MIT license; he warns, in his detailed write-up of the project, that those experimenting with it "are solely responsible for any damage caused to your hardware/software/keys/DRM licenses/warranty/data/cat/etc..."

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: