Rooting a Govee Wi-Fi TV Kit

The Govee WLAN TV Kit provides responsive LED backlights for your TV. Instead of passing through the video source it uses a small camera on top of your TV to process the image and color the LEDs accordingly.

The device connects to your Wi-Fi and communicates with to get the commands (i.e. on/off) you send via their mobile app.

We wanted to make sure the device does not transfer your Wi-Fi credentials, camera images or creates a reverse shell into your network.


Govee has an open port on tcp/23 which you might have guessed runs telnet:

Connected to
Escape character is '^]'.
(none) login:

We were not able (or maybe just not patient enough) to login by guessing the root password, so we took a look inside the enclosure by carefully pulling off the top:

The board contains a JTAG and UART interface. Connect a CP2102 USB to TTL serial converter using GND, TX and RX; remember to connect TX on the CP2102 with the RX on the board and vice verse:

Once powered up with the 3V adapter we are able to access the console:

System startup
U-Boot 2010.06-00011-g09f9c64-dirty (Oct 17 2018 - 18:47:43)
Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xef 0x40 0x18
spi_general_qe_enable(294): Error: Disable Quad failed! reg: 0x2
Block:64KB Chip:16MB Name:"W25Q128(B/F)V"
SPI Nor total size: 16MB
EMMC/MMC/SD controller initialization.
Card did not respond to voltage select!
No EMMC/MMC/SD device found !
*** Warning - bad CRC, using default environment
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0 

In case you missed the key to stop autobooting, simply reboot the device by replugging the power source.

We check the environment variables, add “single” and “debug” to the boot arguments and continue booting:

hisilicon # printenv
bootargs=mem=48M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:1M(boot),3M(kernel),8M(rootfs),2M(app),2M(data)
bootcmd=sf probe 0;sf read 0x82000000 0x100000 0x300000;bootm 0x82000000
ver=U-Boot 2010.06-00011-g09f9c64-dirty (Oct 17 2018 - 18:47:43)
Environment size: 464/262140 bytes
hisilicon # setenv bootargs ${bootargs} single debug
hisilicon # sf probe 0;sf read 0x82000000 0x100000 0x300000;bootm 0x82000000
16384 KiB hi_fmc at 0:0 is now current device
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2855800 Bytes = 2.7 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0
Linux version 3.4.35 (hwl@ubuntu) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v300) ) #2 Sat Sep 29 16:44:29 CST 2018
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Welcome to HiLinux.
/ # 

Finally we simply set a new root password and are from now on able to logon remotely using root and our newly generated password using telnet:

/ # cat /etc/passwd
/ # passwd root
Changing password for root
New password:
Retype password:
Password for root changed by root

Further analysis

The system establishes an outbound connection to Certificates are stored in /home/app/certs and are verified by /home/app/lib/, but apparently also uses certificate pinning (hardcoded in binaries); so no success with mitmproxy or sslsplit so far.

You may also like...

Leave a Reply