Rooting Your Google WiFi Router with a Screwdriver and GaleForce

Alasdair Allan
3 min readJul 18, 2017

In the past a lot of computer security has assumed that you didn’t have physical access to the machine. But the arrival of the internet in our homes, and especially the growth in the Internet of Things, has changed all of that. Because now these devices are things we can hold in our hands, and a lot of the time, that’s the whole point.

If you know any of the history behind the iPhone jailbreak community you’ll realise that what can be made can be unmade. Which means I’m pleased, but somewhat unsurprised, to see the Google WiFi router—released at the end of last year in the US, and a couple of months ago in the UK—rooted.

The Google WiFi router (📷: Google)

The Google WiFi router is actually a pretty interesting device. An out-of-the-box expandable mesh WiFi system which is relatively easy to set up and, like Apple’s AirPort routers, it can be managed using an app rather than a clunky web interface.

At least in theory Google’s Network Assist software should also take care of complex settings behind the scenes, so everything just works and you don’t have to spend time fiddling with router settings to optimise your network.

Google’s WiFi router runs a Chrome OS distribution codenamed ‘Gale’. However a much of the operating system is shipped as binary blobs accompanying code. which means you can’t just build a Chrome OS distribution for the device. Instead you have to modify the existing one, which is exactly what GaleForce—a project by Marcos Scriven—does, allowing you to obtain root SSH access to the device and set up extra features—like a default VPN server, or dynamic DNS client.

Building and installing the image is actually pretty simple, as simple as unscrewing a single screw and pushing a button on the PCB to put the router into developer mode. While there have been iPhone jailbreaks in the past that have been simpler, most Android and iPhone root and jailbreaks are somewhat more involved.

The internals of the Google WiFi router, with the tiny bubble switch you need to press to flip it into developer mode highlighted in yellow. (📷: Marcos Scriven)

Whether it’s there by chance, or intentionally the presence of the tiny bubble switch on the the Google WiFi router’s PCB to flip it into developer mode is at the heart of a debate that’s started around Internet of Things hardware. Whether these sort of features should be removed from shipping hardware after prototyping is complete, and the hardware design itself should be obfuscated to add security.

Because while it’s great that we can access our own hardware, it also means that bad actors can access other peoples. The balance between security and the “right to repair” is tricky for consumer hardware like the Google’s WiFi router.

However, if you do want to go ahead an install GaleForce on your Google WiFi routers, I’ve saved the best for last.

GaleFore doesn’t interfere with automatic updates, and will be persistent through them. Which means that you get the best of everything, a rooted router with full access via SSH, and the mesh WiFi and app-based management that you bought Google’s router for in the first place.

But, if you do install GaleForce, please make sure you change the password.

--

--