
Rooting MediaTek Based Linux Smart TV

By borillion_star, Member on 5th July 2015, 12:36 AM
Hi Guys,

I am looking for methods to get root on my Linux smart tv. Anyone have any ideas?

I ran metasploit against it and had no luck, it did find some open ports for upnp and something
called twonkymedia but I was not able to get anywhere with that.

I have a Hisense LTDN50K220GWUS (Hisense 50H5GB) Smart TV that is running what appears to be a customized version of "Opera TV OS".
It's running on "Linux-3.0.13" and is using Uboot. I tried connecting a USB keyboard to the ports and pounding escape and other buttons
but that didn't get me anywhere.

Using Binwalk I was able to extract some info from a ROM firmware image:

Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
613           0x265           Unix path: /DTV/ROMCODE/NANDBOOT/V01.00
778954        0xBE2CA         ELF, 32-bit LSB relocatable, ARM, version 1 (SYSV)
779300        0xBE424         Unix path: /home/gfkfcmo/CMO/MTK5651_US_II_WFD/vm_linux/chiling/uboot/drv_lib/mt5880/inc
1188782       0x1223AE        UBI volume ID header, version: 1, type: 1, volume id: 0, size: 0
1190830       0x122BAE        UBIFS superblock node, CRC: 0x50BF95C5, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 1016, max erase blocks: 3271, format version: 4, compression type: lzo
1321902       0x142BAE        UBIFS master node, CRC: 0xCC5C7044, highest inode: 2313, commit number: 0
1452974       0x162BAE        UBIFS master node, CRC: 0xC06C8559, highest inode: 2313, commit number: 0
2632671       0x282BDF        XML document, version: "1.0"
2633575       0x282F67        XML document, version: "1.0"
2636223       0x2839BF        XML document, version: "1.0"
2637455       0x283E8F        XML document, version: "1.0"
{{{ TRUNKATED }}}
132181160     0x7E0ECA8       Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
132236386     0x7E1C462       Unix path: /i686/bin/../sysroot/usr/include
132240154     0x7E1D31A       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*=
132277477     0x7E264E5       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132295801     0x7E2AC79       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132320817     0x7E30E31       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132336687     0x7E34C2F       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132337438     0x7E34F1E       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132362676     0x7E3B1B4       Base64 standard index table
132404806     0x7E45646       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132432505     0x7E4C279       mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132462804     0x7E538D4       Base64 standard index table
132499502     0x7E5C82E       Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132532241     0x7E64811       mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132547032     0x7E681D8       Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
133142037     0x7EF9615       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133142057     0x7EF9629       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133599305     0x7F69049       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134172625     0x7FF4FD1       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134360038     0x8022BE6       Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 7064247 bytes, 126 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:46:16
141462558     0x86E8C1E       Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
168987734     0xA128C56       Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
196508814     0xBB67C8E       uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
196508878     0xBB67CCE       LZO compressed data
196508929     0xBB67D01       uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
197183535     0xBC0C82F       SHA256 hash constants, little endian
198761115     0xBD8DA9B       uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
198761179     0xBD8DADB       LZO compressed data
198761230     0xBD8DB0E       uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
199435836     0xBE3263C       SHA256 hash constants, little endian
Attached file: binwalk.txt (203.5 KB)
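The binwalk listing above reports uImage headers carrying a header CRC and a data CRC. As an added example (not part of the original post), this Python script parses the 64-byte legacy U-Boot image header at a given offset and checks both CRCs, which tells you whether a carved kernel image is intact. The sample image is constructed with a dummy payload, and the names `parse_uimage` and `build_sample` are chosen for this illustration.

```python
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
HDR = struct.Struct(">7I4B32s")  # legacy U-Boot image header, 64 bytes, big-endian


def parse_uimage(blob, offset):
    """Parse and verify the legacy uImage header found at `offset` in `blob`."""
    if len(blob) < offset + HDR.size:
        raise ValueError("truncated header")
    raw = blob[offset:offset + HDR.size]
    magic, hcrc, ts, size, load, entry, dcrc, os_, arch, typ, comp, name = HDR.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%X" % offset)
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    data = blob[offset + HDR.size:offset + HDR.size + size]
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "created": datetime.fromtimestamp(ts, timezone.utc),
        "size": size, "load": load, "entry": entry,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "header_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc,
        # False if the payload is cut short or was modified after packing
        "data_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }


def build_sample():
    """Constructed test image: field values mimic the listing, payload is dummy bytes."""
    payload = b"\xAA" * 256
    ts = int(datetime(2015, 1, 13, 9, 35, 35, tzinfo=timezone.utc).timestamp())
    # os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (none)
    fields = [UIMAGE_MAGIC, 0, ts, len(payload), 0x7FC0, 0x8000,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, b"Linux-3.0.13"]
    fields[1] = zlib.crc32(HDR.pack(*fields)) & 0xFFFFFFFF
    return b"\x00" * 16 + HDR.pack(*fields) + payload  # header sits at offset 16


if __name__ == "__main__":
    image = build_sample()
    print(parse_uimage(image, 16))
    tampered = image[:-1] + b"\x00"  # change the last payload byte
    print("data_ok after tampering:", parse_uimage(tampered, 16)["data_ok"])
```

On a real image, pass the file contents and one of the decimal offsets binwalk printed for a uImage header.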
5th July 2015, 12:39 AM |#2  
OP Member
The firmware can be found here, it's a zipped *.pkg file: http://hisense-usa.com/support/firmw...a.F0113_us.zip
5th July 2015, 12:45 AM |#3  
OP Member
If it helps, I also have the ports that metasploit was able to find on it:

Code:
10.0.0.76	unknown	8060	tcp	
10.0.0.76	upnp	9085	tcp	TwonkyMedia UPnP UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1
10.0.0.76		13000	tcp	
10.0.0.76	tcpwrapped	56789	tcp	
10.0.0.76	tcpwrapped	56790	tcp
6th April 2016, 04:54 AM |#5  
OP Member
Yes I did, you can use binwalk, and it can extract the files from the pkg. Vache, if you need help let me know.
7th April 2016, 02:05 AM |#6  
Member
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
7th April 2016, 10:21 PM |#7  
OP Member
Quote:
Originally Posted by tommyk999

Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck

@tommyk999 and @vache The pkg files do not contain any files such as /etc/shadow or /etc/passwd that can be used to get the root account password.
I think the only way is to try and dump the tv firmware, there appears to be a serial or uart on the mainboard but I have not had the chance to try that yet.
8th April 2016, 11:50 AM |#8  
vache, Recognized Developer
Quote:
Originally Posted by borillion_star

Yes I did, you can use binwalk, and it can extract the files from the pkg. Vache, if you need help let me know.

Yes, I was able to unpack firmware using binwalk.
Still looking into filesystem to find some backdoors.
8th April 2016, 07:22 PM |#9  
Member
App for rooting hisense TV, it may help you.

https://mega.nz/#!twYhHZhS!ZW_fdid_P...OEluYDrLrE0qM4

10th April 2016, 11:44 PM |#10  
Member
Any update on progress? Would it be possible to connect a Raspberry Pi with already rooted firmware to go around stock firmware? So you won't void warranty and when anything goes wrong you just disconnect the Raspberry Pi and go with stock.

11th April 2016, 07:33 AM |#11  
OP Member
Quote:
Originally Posted by tommyk999

App for rooting hisense TV, it may help you.

https://mega.nz/#!twYhHZhS!ZW_fdid_P...OEluYDrLrE0qM4


Because I don't know where this came from, and what it will do to my computer if I try to run anything in it, or on my TV. I am going to take a look at it and figure it out.
Probably going to be a couple days until I get to it.

As for the Raspberry Pi, yes you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal
of rooting the linux running on the tv though. :P

Tags
exploit, hisense, linux, root, smart tv
