Kodil Repo Hijack & Exodus 4.xx.xx Forcing TVA Addons Indigo Install!
The Kodil Repo Exodus “Hijack” Update
I was revisiting this recently and wanted to post an update, to make users more aware of what they install and from where. The full saga is posted below for further reference. However, an update was pushed in late December to remove the Indigo links and the Exodus repo – presumably as TV Addons were now pushing the Covenant forks via “other sources”.
TV Addons
So why the alarm? TV Addons are on our side? I hate to break it to you, but Adam (TVA head guy) is in it for himself, and I have no problem with that, or people using web resources etc. to make money from their efforts. It’s not about monetising things, servers cost money and bills need paying, I’m a capitalistic pragmatist myself – however, lying, cheating and spreading malicious rumours is way off the track and bang out of order. The rumours? (Just so you know Adam, several devs have confirmed the lies you propagated about the Ares Project – I just want you to know, we know. So don’t email me asking for our domains or for support, you two-faced <insert appropriate expletive!>.) If none of the BS happened, imagine how strong and united the community would be? This is why XBMC Hub fractured in the past and saw devs leave to set up new groups, Xunity (now gone) and NaN – still going strong and a great contributor. NaN and their team are universally respected for the work they do and the great team they’ve built.
What else you should realise about TV Addons is their, sorry HIS, hidden agenda. Remember all those pop-ups they were pushing last year? Did you know they were selling boxes at that time? Why else push a false agenda about Kodi 16 being dead (it isn’t btw – several ‘https’ patched versions)? They are still pushing this myth in an email they sent today (Feb 3rd 2018). Oh, and the irony of them saying new addons and devs are popping up all over the place! Why no guides to help members of “the community” with older devices that can’t run Krypton? Surely this would be a good way to help folks who are often cash strapped and vulnerable to rogue box sellers? We wrote about forks and how they can help: Kodi 16 forks and Kodi 17 forks for old boxes. Ares provides links to a variety of forks via its forum – to support (you will need to be a member to access these though – join our 100,000 strong community today).
Exodus & Kodil Repo
Let’s review the Exodus hijack – as I just want to highlight how easy it is to add code, install whatever “the developer wants to add”, and most users looking for their streaming fix don’t realise just what can be done. Oh, and don’t think because you don’t have your banking app on your streaming device that you’re safe. Using the right methods, once added to your streaming device, it can scan your network very easily; this is also true of Android apps (or any software you install).
The “hack” was removed on the 28th Dec 2017, as you can see here (GitHub repos track changes; removals are red and additions/updates are green). Just to further reinforce the changes and the fact that TV Addons tried to cover their tracks – you can see the Python declarations for each version – before and after here.
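An added example (not code from the original post or from any of the projects named): assuming the forced install was declared as a dependency in the add-on's addon.xml, which Kodi resolves automatically when an update is installed, this compares the `<requires>` block of two versions and flags add-ons that the new version pulls in. The add-on ids and versions are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed addon.xml samples; ids and versions are placeholders, not the real files.
BEFORE = """<addon id="plugin.video.example" version="3.1.0" name="Example">
  <requires>
    <import addon="xbmc.python" version="2.24.0"/>
    <import addon="script.module.requests" version="2.9.1"/>
  </requires>
</addon>"""

AFTER = """<addon id="plugin.video.example" version="4.0.0" name="Example">
  <requires>
    <import addon="xbmc.python" version="2.24.0"/>
    <import addon="script.module.requests" version="2.9.1"/>
    <import addon="plugin.program.example-installer"/>
    <import addon="repository.example" version="1.0.0" optional="true"/>
  </requires>
</addon>"""

def imports(addon_xml):
    """Map each declared dependency id to (version, optional flag)."""
    root = ET.fromstring(addon_xml)
    return {
        imp.get("addon"): (imp.get("version", ""), imp.get("optional") == "true")
        for imp in root.findall("./requires/import")
    }

def added_dependencies(old_xml, new_xml):
    """Dependencies present only in the new version, each with a review flag."""
    old, new = imports(old_xml), imports(new_xml)
    findings = []
    for addon_id in sorted(set(new) - set(old)):
        _, optional = new[addon_id]
        # Kodi's own modules and shared libraries are routine; a whole program
        # or repository pulled in by an update deserves a manual look.
        routine = addon_id.startswith(("xbmc.", "script.module."))
        # Optional imports are not installed automatically, so they rank lower.
        flag = "info" if routine or optional else "REVIEW"
        findings.append((addon_id, flag))
    return findings

if __name__ == "__main__":
    for addon_id, flag in added_dependencies(BEFORE, AFTER):
        print(flag, addon_id)
```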
Why Kodil should be avoided!
If you want to check this out yourself – just head over to GitHub and have a look through the xml files listed in the Kodil Repo. You may also be interested to know that Kodil is also hosting Colossus repos (still) and a whole stack of Cerebro stuff. You may not be aware lots of devs have been roasting Cerebro over on Twitter, for what appears to be an abysmally bad copy and paste of just about every scraper from every other developer. This isn’t about use of code; the whole point of open source code is that people can copy and LEARN, but give credit to the original coder. It’s courteous and respectful. All that is another debate; what I am pointing out is that Kodil are hoovering up lots of code without checking, and that’s VERY bad for the uninformed users. Kodil, via one of its many hosted repos or addons, was very recently pushing bad updates that were breaking the original add-ons (if you’re interested – just check out the heated debate on Twitter!).
Why is Indigo Bad?
Well, forcing the install is a breach of trust and unethical. I’m pretty sure if Ares did something sneaky like that, we’d be savaged (and rightly so!), yet TVA think it’s justified. The other thing that’s in this code is things like this – a script blocker – this has been here for a while to be honest, but why are TV Addons allowed to block scripts and nobody else? Mind you, there’s always a huge outcry when this happens! Check out the code snippet – (picked this up on Twitter and I’ve forgotten who to credit – apologies)
Other Hijacked “code”
I would also remind you of what can happen when some idiotic dev decides to act in a malicious way – remember the Pulse build hijack? Merlin (Ryan Bailey) produced some code for Pulse – some skin edits and a way to name and shame people selling the Pulse build as their own. For reasons unknown (jealousy?) Ryan hooked that code, as he had access as David trusted him. Ryan then forced a change to play random videos to users, every time the build was started. Mildly amusing at best, but what if he had decided to put a DDoS bot or crypto mining bot or other malicious code instead? Read the full story here
Kodil’s Many Possible Security “Holes”
Let’s now consider that, as well as pushing an infected add-on like Exodus to install other addons (e.g. Indigo), the repos that Kodil still host could be hijacked. How? Well, if you copy the original GitHub layouts you will then be “found” by any addons still lurking on devices. Imagine how many devices still have Genesis or Exodus and their repos still lurking? This is how Exodus was hijacked originally (before it went into Kodil). You can see in the first image in the original post in Sept 17 that both Echo Coder and Metal Kettle posted warnings that their deleted GitHub repos had been recreated and were pushing updates. The Exodus one I have shown very clearly. This also happened with tknorris; the SALTS repo was recreated and updates pushed. Kodil is creating a huge hole through which anyone can create a copycat repo on GitHub, for free and anonymously, and start pushing updates to your devices, IF you still have the repos installed. We recommend you remove Kodil from any devices and remove the old repos such as these listed below:
- tknorris release & tknorris beta
- Colossus & Colossus common
- Metal Kettle
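One way to check a device for the repos listed above, as an added example that is not part of the original post: it walks a Kodi addons folder, finds repository add-ons, and reports which GitHub account each one pulls updates from, so a recreated account stands out. The sample folder, ids and account names are constructed; on a real device, point `audit_repositories` at the Kodi addons directory.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Names from the removal list on this page, matched case-insensitively.
RETIRED = ("kodil", "tknorris", "colossus", "metalkettle", "metal kettle")
# Constructed repository manifest; ids and account names are placeholders.
REPO_XML = """<addon id="{id}" name="{name}" version="1.0.0">
  <extension point="xbmc.addon.repository">
    <info>https://raw.githubusercontent.com/{owner}/repo/master/addons.xml</info>
  </extension>
</addon>"""

def make_sample():
    """Write a constructed addons folder with two repository add-ons."""
    base = tempfile.mkdtemp()
    rows = [("repository.example.old", "Colossus Repository", "someone-new"),
            ("repository.example.ok", "Example Repo", "example-dev")]
    for rid, name, owner in rows:
        os.makedirs(os.path.join(base, rid))
        with open(os.path.join(base, rid, "addon.xml"), "w") as fh:
            fh.write(REPO_XML.format(id=rid, name=name, owner=owner))
    return base

def github_owner(url):
    """Return the account a GitHub URL is served from, or None."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    on_github = parsed.hostname in ("github.com", "raw.githubusercontent.com")
    return parts[0] if on_github and parts else None

def audit_repositories(addons_dir):
    """List installed repository add-ons as (id, GitHub owners, verdict)."""
    report = []
    for entry in sorted(os.listdir(addons_dir)):
        manifest = os.path.join(addons_dir, entry, "addon.xml")
        if not os.path.isfile(manifest):
            continue
        root = ET.parse(manifest).getroot()
        ext = root.find("./extension[@point='xbmc.addon.repository']")
        if ext is None:
            continue  # not a repository add-on
        urls = [e.text.strip() for e in ext.iter("info") if e.text]
        owners = sorted({o for o in map(github_owner, urls) if o})
        label = (root.get("id", "") + " " + root.get("name", "")).lower()
        verdict = "REMOVE" if any(n in label for n in RETIRED) else "check owner"
        report.append((root.get("id"), owners, verdict))
    return report
```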