The Kodil Repo Exodus “Hijack” Update

I was revisiting this recently and wanted to post an update, to make users more aware of what they install and from where. The full saga is posted below for further reference. However an update was pushed in late December to remove the indigo links and the Exodus repo – presumably as TV Addons were now pushing the Covenant forks via “other sources”.

TV Addons

So why the alarm? TV Addons are on our side? I hate to break it to you, but Adam (TVA head guy) is in it for himself, and I have no problem with that, or people using web resources etc to make money from their efforts.  Its not about monetising things, servers cost money and bills need paying, Im a capitalistic pragmatist myself – however, lying cheating and spreading malicious rumours is way off the track and bang out of order.  The rumours? (just so you know Adam, several devs have confirmed the lies you propagated about the Ares Project-  I just want you to know, we know. So don’t email me asking for our domains or for support, you two faced <insert appropriate expletive!>.  If non of the BS happened, imagine how strong and united the community would be? This is why XBMC hub fractured in the past and saw devs leave to setup new groups, Xunity (now gone) and NaN – still going strong and a great contributor. NaN and their team are universally respected for the work they do and the great team they’ve built. What else should you realise about TV Addons is their, sorry HIS, hidden agenda, remember all those pops up they were pushing last year? Did you know they were selling boxes at that time? Why else push a false agenda about Kodi 16 being dead (it isn’t btw – several ‘https’ patched versions). They are still pushing this myth in an email they sent today (Feb 3rd 2018) oh and the irony of them saying new addons and devs are popping up all over the place! Why no guides to help members of “the community” with older devices that cant run Krypton? Surely this would be a good way to help folks who are often cash strapped and vulnerable to rogue box sellers? We wrote about forks and how they can help Kodi 16 forks and Kodi 17 forks for old boxes Ares provides links to a variety of Forks via its forum – to support (you will need to be a member to access these though – join our 100,000 strong community today) tva addons

Exodus & Kodil Repo

Lets review the Exodus hijack – as I just want to highlight how easy it is to add code, install whatever “the developer wants to add” and most users looking for their streaming fix don’t realise just what can be done. Oh and don’t think because you don’t have your banking app on your streaming device that your safe.  Using the right methods once added to your streaming device, it can scan your network very easily, this is also true of android apps ( or any software you install The “hack” was removed  on the 28th Dec 2017 as you can see here ( Gitub repos track changes, removals are red and additions/updates are green) tva & kodil repo   Just to further reinforce the changes and the fact that TV Addons tried to cover their tracks – you can see the python declarations for each version – before and after here; exodus repo hack

Why Kodil should be avoided!

If you want to check this out yourself – just head over to github and have a look through the xml files listed in the Kodil Repo. You may also be interested to know that Kodil is also hosting colossus repos (still) and a whole stack of Cerebro stuff. You may not be aware lots of devs have been roasting Cerebro over on Twitter, for what appears to be an abysmally bad copy and paste of just about every scraper from every other developer. This isn’t about use of code, the whole point of open source code, is that people can copy and LEARN, but give credit to the original coder. Its courteous and respectful. All that is another debate, what I am pointing out is that Kodil are hoovering up lots of code without checking and thats VERY bad for the uninformed users.  Kodil via one of its many hosted repos or addons was very recently pushing bad updates that were breaking the original add-ons ( if you’re interested – just check out the heated debate on Twitter!).

Why is Indigo Bad?

Well forcing the install is a breach of trust and unethical, im pretty sure if Ares did something sneaky like that, we’d be savaged (and rightly so!), yet TVA think its justified. The other thing thats in this code is things like this – a script blocker – this has been here for a while to be honest, but why are TV Addons allowed to block scripts and nobody else? Mind you, theres always a huge outcry when this happens! Checkout the code snippet – (picked this up on Twitter and ive forgotten who to credit – apologies) indigo add-on blocker  

Other Hijacked “code”

I would also remind you of what can happen when some idiotic dev decides to act in a malicious way – remember the Pulse build hijack? Merlin (Ryan Bailey) produced some code for Pulse – some skin edits and a way to name and shame people selling the Pulse build as their own. For reasons unknown (jealousy?) Ryan hooked that code, as he had access as David trusted him. Ryan then forced an change to play random videos to users, every time the build was started. Mildly amusing at best but what if he had decided to put a DDOS bot or crypto mining bot or other mailicious code instead? Read the full story here

Kodils Many Possible Security “Holes”

Lets now consider that as well as pushing an infected add-on like Exodus to install other addons (eg Indigo) the repos that Kodil still host could be hijacked. How? Well if you copy the orginally github layouts you will then be “found” by any addons still lurking on devices. Imagine how many devices still have Genisis or Exodos and their repos stills lurking? This is how Exodus was hijacked originally (before it went into Kodil). You can see in the first image in the original post in Sept 17 that both Echo Coder and Metal Kettle posted warnings that their deleted Github repos had been recreated and were pushing updates. The Exodus one I have shown very clearly. This also happend with tknorris, the SALTS repo was recreated and updates pushed. Kodil is creating a huge hole through which anyone can create a copycat repo on Github, for free and anonymously and start pushing updates to your devices, IF you still have the repos installed. We recommend you remove Kodil from any devices and remove the old repos such as these listed below;
  • tknorris rlease & tknorris beta
  • Dandymedia
  • Exodus
  • Colossus & Colossus common
  • aresproject
  • Metal Kettle
  • podgod
  • zeus
  • k3l3vra
Leaving these on devices is leaving a backdoor, through which forced installs and bad updates could be pushed to do, well, who knows what. The Exodus hack we have shown here, is a proof of concept and this can be done to any of the repos listed (and many others) and any addons in those repos. This is about reporting facts and things with proof, to educate users. I don’t care especially what some dev or other does, or indeed things they say about me or Ares. Its not about saying dont install  this or that, at the end of the day, thats your call. However you should be aware of the consequences of doing so and how easily things can be installed via numerous easy ways that would not be picked up by a virus checker, or firewall. If someone decides to hijack some code and push it out there, we have seen time and time again that things can break  or someone can push their agenda.

Avoid “All in One Repos”

The best thing is to avoid all in one repos, especially if they’re not removing dead add-ons and repos (Super repo & Kodil for instance) as they can so easily leave you exposed to forced installs or other hijacks. You should avoid tubers repos too, another random store of random addons and repos that may have already been altered in some way. There is no need to create these big ass repos with tons of stuff in  – thats for fame and clicks. Just install the actual dev repos from their official sources. Support the actual developers, coders and folks who make all this possible. Stop supporting tubers and fake devs crying for donations.

The Original  Exodus “infection” Story (Sept 17)

Exodus appears to have been resurrected and an update has been pushed. However, users are concerned that this update is forcing Indigo ( the former TV Addons tool of choice for installing add-ons, and popups). It would appear the former “Exodus repo” has been “ressurected” and an update pushed. You may want to consider some comments on Twitter, many many similar comments and also Metal Kettle warning his repo has been hijacked too;

Indigo Forced Installs

The Exodus dependencies have been modified to force the installation of Indigo. You will have no doubt seen the outbreak of panic on Facebook already. This looks like a move to re-deploy Indigo to as many devices as possible – regardless of the users wishes. You can see from the add-on depencies (<requires> tags) – that Indigo has been added, even though its not actually requited to function. Clearly TVA are anxious to push Indigo via any means. It also appears to link back to the TVA resolver and TVA release repositories on Github. There are multiple repos and sources linked in to guarantee its installation even if one or two sources are removed – which I will explain.

The TV Addons ‘Backlink’

You can see by reading through the various xmls on the Github listings, that TV Addons repos have now been linked via the Exodos repo, to ensure that forced installed of Indigo via this Exodus repo can backlink into the TVA repos to access the addons listed there.   The curious thing you may notice here is the referencing to several other repos, which are duplicates of the Exodus repo. This could be an attempt to mitigate DMCA takedown of the original “Exodus repo” or some other plan to allow access to multiple installation points. Paranoia may well kick in, it does with me, even though at this time, I see no “malicious” code nor does a Wireshark trace show anything “worrying”. However, the installation is unneeded and mostly unwanted judging by user comments on social media. Duplicate Repo Links If you read the links in the image above, alongwith with the TVA (tvaddonsco) links there are a few others, nrwzum/freelance, bridgegirl/lonelycode & brandonfire/winnerwinnerchickendinner – what are these for? Bridgegirl/lonely code bradonfire/winnerwinnerchickendinner It sees either a case of multiple links to protect against the original repo (Exodus) being removed, or obfuscation for some other future plans.

Kodi Israel (Kodil) Also “Infected”

The kodil repo is now also carrying this Exodus 4.0.0 version, so you will have to remove this too,  alongwith the Exodus repo to ensure it doesnt update the current Exodus you maybe using. I dont understand why folk have been hanging onto this, Covenant is the official fork and Exodus has been without an update for 2 months. A further curious point to note, is the Kodil repo was upated with Exodus 4.0.0 almost 3 hours before the update was pushed via the Exodus repo, so this was a pre-arranged update, as the “official” release didn’t occur till 3 hours later.

Exodus Updates to 4.0.0

There is nothing to suggest that Exodus has actually been fixed though according to the changelog, its had a major revamp  – [B]4.0.0[/B] – Major Revamp [B]3.1.19[/B] – Fix Python < 2.7 bug in subtitles – Fix Python < 2.7 bug in sources.py

Exodus 4/ Indigo Forced Install in Summary

It is clear this is a determined attempt either by TV Addons or someone passing themselves off as TV Addons to force install Indigo by hijacking the Exodus repository and including the links to the TV Addons repository and to Indigo their installer tool. If this is “innocent” why force this via a long dead repo? Why all the extra “duplicate” repo links that appear to show (for now) duplicate of Exodus repo? Lots of questions and no answers. This is actually a very simple thing to do, its also very easy to make all this look like TVA, equally it could just be TVA forcing this and knowing how to push it out. Metal Kettle took to twitter to warn of a potential hijack of his old repo, so if you have that, remove it too. It could be the next hijack attempt. How you view this situation will depend on how you feel about having things “force” installed on your devices, how you feel about TVA pushing this by hijacking an old repo. I’m pretty sure if this were any other developer there would be hell to pay and calls for them to be burned at the stake. Its no secret that TVA have circulated groundless rumours about other “providers”. They denounced IPTV sellers, but sold their own, and of course their box selling business too. Its a messy situation indeed, draw your own conclusions. Maybe its a good thing Indigo is back, but shouldn’t user have the right to decide that?

Removal Of Exodus & Indigo

You should remove the Exodus and Kodil repos, Indigo and then Exodus 4.0.0. If you want to use an older version of Exodus, you cannot have these repos installed unless you turn off “auto updates”. If you cannot uninstall these using the add-on manager, then you will have to check the profile folder, under, packages, addons and so forth, deleting the files manually and rebooting your device.