Security Enhancements Added to Channel Development

In an effort to increase the security of the Roku devices, we have added additional measures to protect the device when it comes to side-loading channels and accessing the device’s embedded HTTP server.

Beginning with the 5.2 release of the Roku firmware, side-loading a channel or accessing the device’s HTTP server on port 80 will now require a userid and password.

First thing’s first

If you have an existing Roku 2 or Roku 3 device with developer mode currently enabled, you will have to re-enable the developer mode, accept the developer agreement, and establish a password for that device after the initial 5.2 firmware update.

To access the Developer Settings screen and enable developer mode, press the following button sequence on your Roku remote.

[Home] [Home] [Home]  [Up] [Up] [Right] [Left] [Right] [Left] [Right]

This will take you to the Developer Settings screen.

Select Enable Installer and Restart.

Accept the Developer Agreement.

Enter a developer password when prompted and then follow instructions to restart the device.

You can reset the password at any time by visiting the Developer Settings screen and selecting the Rest Password option.

Your new login credentials for the device will be:
userid:  “rokudev”
password:  <password you set>

The IP address is also conveniently displayed for you on the Developer Settings screen as well.

You can test that your credentials work by opening a web browser going to the URL http://<ip of your device> and then entering your login credentials.  You can also use this URL to side-load zipped channel files.

Note:  Some browsers may exhibit issues when attempting to upload the zip via the “Install” option on this page.  If you encounter this problem, try a different browser to see if that resolves the issue.

Deploying to the Roku


If you are currently using Eclipse with the BrightScript plugin, you will need to update the plugin to the latest version.

If you have not installed the BrightScript Plugin, please visist and follow the instructions for installing the plugin.

If you already have the plugin installed, check for the latest updates (Help > Check For Updates) to ensure you have the latest and can deploy to the 5.2 firmware.

In Eclipse, when you export a BrightScript project, you will be presented with an updated window in the wizard.  The developer username is currently “rokudev” and cannot be altered.  The password setting is enabled when connected to a Roku box that requires a developer password.


The SDK examples use a makefile to build and install channels. Please download the latest SDK to get new makefile targets that prompt for a password when installing to a Roku box that requires it.

You can download the SDK here with the updated makefile here:

If you are using your own makefiles, we recommend augmenting your makefile to test the HTTP server on the device without passing credentials.  If it has the new firmware, it will return a 401 error when no or invalid credentials are set.  If the test returns a 401, then you can then appropriately set the device credentials for the digest authentication.

This assumes you have cURL installed.

ROKU_DEV_TARGET = <ip of your device>
USERPASS = rokudev:<your password>
HTTPSTATUS = $(shell curl --silent --write-out “\n%{http_code}\n” $(ROKU_DEV_TARGET))

Then under your make target that performs the upload, you would need to add the –user and –digest  options to your HTTP call if the server requires authentication.


@if [ “$(HTTPSTATUS)” == ” 401″ ]; \

then \

curl --user $(USERPASS) --digest -s -S -F “mysubmit=Install” -F “archive=@$(ZIPREL)/$(APPNAME).zip” -F “passwd=” http://$(ROKU_DEV_TARGET)/plugin_install

else \

curl -s -S -F “mysubmit=Install” -F “archive=@$(ZIPREL)/$(APPNAME).zip” -F “passwd=” http://$(ROKU_DEV_TARGET)/plugin_install



This entry was posted in sdk, Tips. Bookmark the permalink.
  • EnTerr

    “First things first”, not “First thing’s first” – see

    What will this contraption (requiring authentication on dev Roku) help with?
    Is basic authentication also ok – other than digest?

    • EnTerr

      Answering my own question from 3mo ago (Roku, read your comments!): no, only –digest works with firmware 5 and no-auth with firmware 3.

      To address both, use `–anyauth` switch in curl instead of the more complicated “try noauth, retry digest on 401 failure” suggested in the article.

  • rob brown

    Any way to turn this off? It breaks the builder system we’ve been using (which uploads the zip file via the “poster” module in node.js).

  • EnTerr

    Brad, your examples are broken, try copy&paste from the article to see it does not work. This is because double dashes (–user, –user, –silent, –write-out) have been converted to single N-dash character (U+2013) – probably by WinWord or Acrobat – and while they look kinda the same (–user, –digest, …), that won’t work in shell.

    • Brad

      Fixed. Thanks.

  • Ignacio

    This is good. Thanks.