The Freebox HD is a set-top box with media player capabilities designed and built by the French ISP 'Free' in 2006, and distributed to customers since (including me). It is still in use and will be maintained until the end of 2025.

When I got it, I wanted to run homebrew software on it, so I decided to reverse engineer it. The initial goal was to get arbitrary code execution. The Freebox HD being largely undocumented, this talk shows the full process of reverse engineering it from scratch:

• Initial visual inspection
• Disassembly and inspection of the insides
• Attack surface analysis and choice of the target
• Search and exploitation of a vulnerability in PrBoom (a Doom source port running on the Freebox HD)
• Analysis of the Linux system running on the Freebox HD
• Search and exploitation of a Linux kernel exploit to escape the sandbox and gain root privileges
• Decryption and dump of the firmware
• Analysis of the Linux system and the programs of the Freebox HD
• Playing with the remote control capabilities
• Reverse engineering of the private networks of the ISP

The two exploits used to gain full root access were both discovered for this specific hack, which makes them 0-day exploits.

The analysis leads to some interesting discoveries about the device itself, but also the ISP, how their technical support works and accesses the devices remotely, and much more!