Offload #1

Made use of an old Moonbox III I had lying around.

J. (Admin)November 5th. 20189:03 PM PST

Background

So recently, I've seen many TV boxes including TVPads and MoonBoxes, Rokus, and more. I happened to have a Moonbox laying around for about a year or two, and haven't used it since we moved on to having a Smart TV. I decided to turn it on since it had Android 4 installed to see if I could maybe turn it into a home server or something, and immediately after, I was greeted by a lock-up asking for me to email them for more information. A little bit of Googling told me that the company behind it shut down their servers and that it was a kind of lock-up of those devices after they shut down.

This means that this device essentially becomes a brick without modifying the software in it.

Existing Workarounds

Other information I had seen suggested while researching:

  • Blocking port 9011 to a specific IP address (you'll see why soon) or

  • Flashing custom firmware

All of this added a bit too much risk for me, and I didn't want to tinker too much with it beyond installing some software or slightly modifying some of the existing software. I wanted to find my own way, so here I am now.

Messing Around

After discovering this, I immediately got to work trying to find out how it was locking me out and how it knew to lock me out. There had to be some way it got this message, especially since it hasn't been turned on for a long time.

As it turns out, there was a way that the box got this information - and it happened every time the launcher (the home screen) booted up.

I discovered that when I turned off my Wi-Fi (or unplugged the ethernet if you used wired) the box didn't lock up! This told me that in some way - the box was getting the information to lock up from a server from somewhere on the internet. 10 minutes later, one handy dandy Fiddler installation later, I set up the proxy on my Moonbox, and discovered API requests to a `http://stb1.quliebiao.com:9011/stbauth.php` with get parameters `fver`, `mver`, `mac`(mac of box), and `model`(model of the box). The request returns a JSON response with a code, and a message. Not diving into the other details, but it also checks for updates, messages, ads, and hardware matches, which isn't a surprise considering that there's quite a bit of content on the screen.

Turning on developer mode in the box, and I see that the launcher the box ships with - MBUI is the most likely culprit, so I get an APK extractor app, sent it to my computer, and decompiled it with APKTool and, as expected, I found a service that performs requests to the API and locks us up if it responded in a certain way. (I tested this by firing up my own server with some custom code and used some HOSTS trickery to see if the message changes, and yes it did).

A bit while later, I was able to modify the APK so that the launcher is unable to access the internet, resigned it with SignAPK, and magic - I have a fully functioning MoonBox again!

SOLUTION

The updated APK is available here: https://github.com/jasoryeh/offload-files/tree/master/offload1

Feel free to decompile and audit the code, I only made a trivial change to the APK, so I promise I didn't intentionally add anything nefarious into it.

Please note that this has only been tested on the MoonBox III, and I am not responsible for any damage/bricks caused; however, this is simply a reinstall of an Android launcher, so it should be reversible by deleting my version (I specifically modified the app to install, and not replace the default factory launcher).

Steps to update:

  • Download the APK to your computer

  • Move it via SD/USB drive or any other way as long as your box can access it

  • Turn off Wi-Fi/unplug the ethernet cable

  • Using a file explorer, find and open the APK file and install it

    • It should now be on your launcher (note your default launcher should not be affected)

  • Open the new MBUI(I named it 'MBUI 2')

  • Restart your MoonBox

  • It should prompt you to choose your default launcher.

    • Select MBUI 2

    • Click 'Always' to instruct it to use the replacement at startup

  • Restart your MoonBox

  • You now should be able to re-enable your internet, and enjoy your MoonBox again!