GetMeIn: One-time rooting/jailbreaking tool for webOS LG TVs

Maroc-OS

Retired Recognized Developer
Mar 16, 2012
886
3,629
Casablanca
www.merruk.com
Hello XDA,

After long thought, I've decided to create a root or jailbreak tool for LG's awesome webOS. Today I am starting this thread to release this new root tool, but before that, I am going to ask you for some logs from webOS 3.5 and lower.

Everyone in this thread must know about webOS; if not, do your homework and then come back. LG did great work on this operating system after HP's and Palm's versions. They even supported the Raspberry Pi Model B, but webOS OSE, aka Open Source Edition, is really different from the TV version.

LG thinks about security and frequently releases updates that don't have anything new except some patches to close known holes. One of my favorites was a directory traversal that can replace files and binaries on the TV during install (partially closed recently).

Let's take a look at LG's partition filesystem types. On TVs they chose to use ext4 for writable partitions (/var, some of /mnt/lg/*, /home and /media); everything else uses squashfs, which is a read-only compressed filesystem that you cannot modify.

If you can dump the squashfs partition, unsquash it and then recompress it, you will face another problem of hashes and CRC checks (check out the update binary for more details) if you dd it back to the block device without kernel and/or bootloader patches. So this is not going to just work easily.

What we can really do is play with the RW parts of the system. One of the design flaws in webOS is the devmode, aka Developer Mode: they ship it in a read-write partition, so it is easy to modify.

To do that you must have root access or some powerful exploits to achieve your goal.

This method uses a memory access vulnerability to get root and then jailbreak the TV. I ported some parts of the other root thread, even if some are not even needed.

To jailbreak, connect to your TV as the prisoner user after uploading the GetMeIn binary to it, then:

Code:
chmod +x GetMeIn
./GetMeIn

If root succeeds and you saw some errors, do this:
Code:
mkdir -p /media/cryptofs/root/etc
mkdir -p /media/cryptofs/root/lib

After that, just reboot and enjoy your root with the same SSH key, or use the password "alpine".

There are some old pictures attached; I did some modifications after those.

Hope this is good enough.
 

Attachments

  • GetMeIn.zip
    436.9 KB

Maroc-OS

HOW-TO

To use this GetMeIn webOS jailbreak tool, please create a developer account on LG's developer portal, install the Developer Mode application on your TV and connect with your recently created account.

Open the Dev Mode app and set Dev Mode Status to ON and Key Server to ON.

Grab your SSH key with ares, then connect to your TV using ssh:

Code:
ssh -i ~/.ssh/webOS_TV prisoner@<TV_IP> -p 9922

When you are connected, just follow the steps in the thread.

Please test and share back screenshots and logs from the TV in both cases, failure or success.

I need information from your webOS v3.5 and lower: TV model, webOS version and the output of some commands from the TV.

Okay, first of all create a dir named logs:

Code:
mkdir logs

TV info:

Code:
cat /var/run/nyx/device_info.json > logs/device_info.json
(delete your nduid serial number and MAC addresses)

webOS info:

Code:
cat /var/run/nyx/os_info.json > logs/os_info.json

Code:
cat /proc/cpuinfo > logs/cpu.log

Code:
ls -arls /var/log/ > logs/logdir.log

Code:
ls -arls /usr/lib/ > logs/libsdir.log

Code:
ls -arls /proc/ > logs/procdir.log

Code:
ls -arls /dev/ > logs/devices.log

In case the jailbreak works, restart and run this additional command:

Code:
mount > logs/mounts.log

I think that's everything I need. Upload the logs dir somewhere and put a link here.
 
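The post above asks testers to delete the nduid, serial number and MAC addresses from device_info.json before sharing it. The script below is an added example, not part of the original post or of the GetMeIn tool, showing one way to do that on a PC before uploading; the key-name fragments it matches and the sample data are assumptions, since the thread does not show the file's contents.

```python
import json
import re

# Key-name fragments treated as identifying. These are assumptions: the thread
# names nduid, serial number and MAC addresses but does not show the file.
# Over-matching (e.g. any key containing "addr") is accepted as the safe side.
SENSITIVE_KEY = re.compile(r"nduid|serial|mac|addr", re.IGNORECASE)
# Colon- or dash-separated MAC address anywhere inside a string value.
MAC_VALUE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
PLACEHOLDER = "REDACTED"


def redact(node):
    """Return a copy of a parsed JSON tree with identifiers blanked."""
    if isinstance(node, dict):
        return {
            key: PLACEHOLDER
            if SENSITIVE_KEY.search(key) and not isinstance(value, (dict, list))
            else redact(value)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact(item) for item in node]
    if isinstance(node, str):
        # Catches MACs stored under keys the name filter did not anticipate.
        return MAC_VALUE.sub(PLACEHOLDER, node)
    return node


def redact_json_text(text):
    """Redact a JSON document given as text and return pretty-printed JSON."""
    return json.dumps(redact(json.loads(text)), indent=4, sort_keys=True)


# Constructed sample; not taken from a real TV.
SAMPLE = """{
    "device_name": "ExampleTV",
    "nduid": "0123456789abcdef0123456789abcdef01234567",
    "serial_number": "000EXAMPLE000",
    "wifi_addr": "00:11:22:33:44:55",
    "notes": "wired 66-77-88-99-AA-BB seen at boot",
    "hardware": {"board": "example-board", "bt_mac": "aa:bb:cc:dd:ee:ff"}
}"""

if __name__ == "__main__":
    print(redact_json_text(SAMPLE))
```

Review the redacted file by eye before uploading, since a key name this filter does not anticipate would pass through unchanged.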

blenni

Member
Nov 3, 2008
35
3
Hi,

Unfortunately it does not work for me; I get the following output:

Code:
---------------------------------------------------------------
 MerrukTechnolog < webOS privelage escalation (www.merruk.com) 
---------------------------------------------------------------

GetMeIn: #* Opening memory IO!

GetMeIn: #! Cannot map memory data!
---------------------------------------------------------------

I already posted some logs of my LG OLED55B7D (05.80.15) in the other thread:
https://www.dropbox.com/s/ie5ix8vtscxjr3n/LG55B7D_05_80_15.zip?dl=0

Maybe some of this helps to improve your script.
 

Maroc-OS

Your version is not supported by this tool; you have webOS 3.8 unfortunately, and I really cannot help without access to a TV with the new API version, and I will need testers for newer devices.
 

wybielacz

New member
Jan 13, 2010
3
1
@Maroc-OS
WebOS has web socket endpoints to control the TV, like:
Code:
ssap://tv/getChannelList
After rooting the TV, is it possible to find out all the available endpoints on the TV? LG unfortunately has absolutely no documentation about it except the endpoints in the examples they provide.
If it is not too much work, could you please provide a list of all the available endpoints? I guess those need to be defined somewhere in a config file...
 

bombenbodo

Member
Jan 31, 2012
11
3
LG OLED65G6V

Code:
/media/developer$ uname -a
Linux LGwebOSTV 3.16.7-77.deua.4 #1 SMP PREEMPT Thu Jun 21 17:26:37 KST 2018 armv7l GNU/Linux
/media/developer$ ./GetMeIn
---------------------------------------------------------------
 MerrukTechnolog < webOS privelage escalation (www.merruk.com) 
---------------------------------------------------------------

GetMeIn: #* Opening memory IO!

GetMeIn: #! Cannot map memory data!
---------------------------------------------------------------

/media/developer$ cat /var/run/nyx/os_info.json
{
    "core_os_kernel_version": "3.16.7-77.deua.4",
    "core_os_name": "Rockhopper",
    "core_os_release": "3.3.3-3807",
    "core_os_release_codename": "dreadlocks-dharug",
    "encryption_key_type": "prodkey",
    "webos_api_version": "4.1.0",
    "webos_build_datetime": "20180621081934",
    "webos_build_id": "3807",
    "webos_imagename": "starfish-dvb-secured",
    "webos_manufacturing_version": "05.30.25",
    "webos_name": "webOS TV",
    "webos_prerelease": "",
    "webos_release": "3.3.3",
    "webos_release_codename": "dreadlocks-dharug"
}

If I can be of any help to get this working on LG's 2016 OLED models, I would gladly help...
 

Attachments

  • logs_OLED65G6V.zip
    14.4 KB

ramsesht

Member
Aug 23, 2011
48
9
Miami
OnePlus 9 Pro
Thank you for this awesomely fun opportunity to get into my panel! While I understand this is in its infancy, would you know a way of downgrading the OS version? (I'm on 4.x.x.x)

I hope sideload and extract creds in the best future. Thank you once again for the time and sharing of this.
 

mlock420

Senior Member
Aug 6, 2013
2,143
724
Same. Will we be able to download apps like Showbox or shadow tech (cloud gaming service)? After rooting we are all familiar with root on the phone side, but rooting a TV is definitely a first.
 

LGMAN2

New member
Jan 15, 2019
3
0
Sorry if this is a dumb question, but does this mean that Android TV could be ported over? That would be fantastic.
 

Silvers91

Senior Member
Jun 28, 2014
386
69
Rabat
This is awesome! and coming from someone from my home country. Genius!
Would it be possible to install Android TV after using this method?
Thank you very much!
 

LGMAN2

New member
Jan 15, 2019
3
0
I haven't tried the jailbreak yet, but here are the logs from two of my LG TVs:
LG EF9500: mediafire.com/file/8da335aynddi4se/LG_EF9500_Logs.zip
LG UF6400: mediafire.com/file/8045q0d0o6j8453/LG_UF6400_Logs.zip

XDA won't let me add hyperlinks so you'll have to copy and paste.
 

Maroc-OS

Wow, it seems there are some reactions to this topic.

First of all, thank you for testing and reacting to this subject.
I will reply to every post one by one after this post.

Thanks to you all.
 

Maroc-OS

wybielacz said:
@Maroc-OS
WebOS has web socket endpoints to control the TV, like:
Code:
ssap://tv/getChannelList
After rooting the TV, is it possible to find out all the available endpoints on the TV? LG unfortunately has absolutely no documentation about it except the endpoints in the examples they provide.
If it is not too much work, could you please provide a list of all the available endpoints? I guess those need to be defined somewhere in a config file...

Interesting. I did not know about this; I will let you know once I check this out.
 

Top Liked Posts

    What would be a good reason to root a smart tv? What can I do afterward?
    Any news on support for new webOS versions?

    Testing some other bugs with the help of some great people from this topic. Will let you know soon.

    can u tell a bit more?
    how can one use these endpoints?

    btw, can this be any help to u: https://godoc.org/github.com/kaperys/go-webos

    awesome work man, long waited for this...
    Oh yes, I saw that on GitHub before, and the reply after you clarified this. I will check whether there are some hidden API calls and let you know.

    You can control the TV with the endpoints; basically the LG app works like that, in that it sends commands to those endpoints. There are various apps and plugins which already use them; you can simply use them with an HTTP client.
    The link which you provided only has the documented endpoints, but there are lots more which are undocumented. Those undocumented ones could be used to get even more control over the TV and maybe allow more access to the TV. And to find those undocumented endpoints someone needs to have access to the root file system, which was achieved here :)
    I suppose there should be some kind of JSON file on the file system which has all of them listed + the parameters which they accept...
    Thank you for clarifying this. I did not know it was the same thing before I read your reply; then I remembered.

    Still haven't rooted yet but will do this weekend.
    Hope we can magisk or something so we can have adblocks etc.
    Yes, just replace the /etc/hosts file and you're done :)

    Thank you very much for this GREAT work :)
    I have only one question [well, now that I think about it, it's 2 :-/ ]

    1. Will there be a way to revert back to the original boot loader/mode [e.g. I don't want to brick my T.V.]
    2. Do you think we will have an easier automated way to do it [e.g. insert a USB thumb drive, restart the T.V. and voilà, it is rooted?]

    Again, thank you very very much :)
    1. Actually yes, and the whole process does not even change the original filesystem; we just change one original file and add other things that don't harm webOS. I will upload a new version that takes a backup first and adds a --restore argument to unjailbreak.
    2. I think there may be a way :)