Rooting the webOS TV


Mazda77

New member
Aug 12, 2017
3
7
pivotce.com informs that instructions have been published on gaining root access to a webOS TV. This is much harder than on the old phones and tablets. When this was done on legacy webOS, there was a wave of enhancements and tweaks made available to phone users from webOS Internals and other developers.

The instructions can be found on the Russian webOS forums here: webos-forums.ru/topic4650.html (English Translation via Google).

As the thread itself notes, this creates the possibility of fiddling with your TV in a way that may turn it into a large, thin brick and will almost certainly invalidate your warranty. The general user should stay well clear of this.

pivotCE published this for information only and recommends leaving investigations to those who know what they are doing or who can afford to wreck expensive television sets. We will watch to see if anything interesting emerges from this development.

+

Detailed analysis of the root access method described above:
forums.webosnation.com/lg-webos-tv/331754-pivotce-seems-webos-tv-has-been-rooted.html#post3450911
 

teffd

Member
Aug 13, 2017
9
18
Root webOS

I could use your help rooting my lg 65uf6450-ua if you would. Thank you

1. You need to install Developer Mode App and export private ssh-key with CLI (webostv.developer.lge.com/develop/app-test)
2. Convert private ssh-key with puttygen [import key <your private ssh-key>, then save private key]
3. Download exploit (zalil.su/6937580), then connect with TV User: prisoner, [<ip-tv>:9922] + private-key with WinSCP (or other SCP-client), upload to /media/developer on TV and rename it to root.
On Linux:
Code:
ssh -i <your private ssh-key> prisoner@<ip-tv> -p 9922 "/bin/sh -i"
4.
Code:
chmod +x root
Code:
./root
5. After that, try to install any app from the market: go to the LG App Store and try to install any app.
6. If the third stage is OK, then enter the password 1111 as said.
7.
Code:
busybox chroot /proc/1/root
Code:
Code:
uid=0(root) gid=0(root)........

I personally use Linux Subsystem on Windows 10 for all of this.

To install .ipk app:
Code:
ApplicationInstallerUtility -c install -p /tmp/<any-name>.ipk -u 0 -l /media/developer -d
Info about your linux kernel and TV firmware:
Code:
luna-send -n 1 -f luna://com.palm.systemservice/osInfo/query '{ "subscribe": false }'
Launch app:
Code:
luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix"}'
You can find all app IDs with
Code:
luna-send -n 1 "palm://com.palm.applicationManager/listLaunchPoints" "{}"
or in the folder /media/cryptofs/apps/usr/palm/applications/<App ID>/appinfo.json


For permanent root access through telnet:

1)
Code:
[email protected]:/# mkdir -p /media/cryptofs/root/etc
2)
Code:
[email protected]:/# cp -r /etc/* /media/cryptofs/root/etc
3)
Code:
[email protected]:/# mount -o bind /media/cryptofs/root/etc /etc
4)
Code:
[email protected]:/# passwd root
Enter any new root password
5)
Code:
cp /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh /tmp/start-devmode.sh
6) Download with WinSCP start-devmode.sh and edit it locally.
You need to add at the beginning
Code:
mount -o bind /media/cryptofs/root/etc /etc
telnetd -l /sbin/sulogin &
Plus you can add the line to launch any App at start, e.g:
Code:
luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix", "params":{}}'
And comment out the Dev Mode online check.

Here is my start-devmode.sh. It's for webOS 1.4. It can be different for other webOS versions:
Code:
#!/bin/sh
mount -o bind /media/cryptofs/root/etc /etc
telnetd -l /sbin/sulogin &

#luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix", "params":{}}'

# FIXME: disable this to turn off script echo
set -x

# FIXME: disable this to stop script from bailing on error
# set -e

# TODO: Check upstart daemon/process tracking (do we need to change /etc/init/devmode.conf? start sshd as daemon?)

# set devmode ssh port here
SSH_PORT="9922"

# set arch:
ARCH="armv71"
grep -qs "qemux86" /etc/hostname && ARCH="i686"

# set directories
OPT_DEVMODE="/opt/devmode"
OPT_SSH="/opt/openssh"
DEVELOPER_HOME="/media/developer"
DEVMODE_SERVICE_DIR="/media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service"
CRYPTO_SSH="$DEVMODE_SERVICE_DIR/binaries-${ARCH}/opt/openssh"
CRYPTO_OPT="$DEVMODE_SERVICE_DIR/binaries-${ARCH}/opt"

if [ -s ${DEVMODE_SERVICE_DIR}/jail_app.conf ] ; then
   mv ${DEVMODE_SERVICE_DIR}/jail_app.conf ${DEVELOPER_HOME}
   mv ${DEVMODE_SERVICE_DIR}/jail_app.conf.sig ${DEVELOPER_HOME}
fi

if [ -r ${DEVMODE_SERVICE_DIR}/sessionToken ] ; then
   mv -f ${DEVMODE_SERVICE_DIR}/sessionToken /var/luna/preferences/devmode_enabled
fi


# Make sure the ssh binaries are executable (in service directory)
if [ ! -x "${CRYPTO_SSH}/sbin/sshd" ] ; then
   chmod ugo+x ${CRYPTO_SSH}/sbin/sshd ${CRYPTO_SSH}/bin/ssh* ${CRYPTO_SSH}/bin/scp* || true
   chmod ugo+x ${CRYPTO_SSH}/bin/sftp ${CRYPTO_SSH}/lib/openssh/* || true
   chmod ugo+x ${CRYPTO_OPT}/devmode/usr/bin/* || true
fi

# TODO: (later) Look for "re-init" flag to re-generate ssh key if requested by app (via devkey service)
# com.palm.service.devmode could have "resetKey" method to erase /var/lib/devmode/ssh/webos_rsa
# Kind of dangerous though, since new key will need to be fetched on the desktop (after reboot)...
# We could just require a hard-reset of the TV which should blow away /var/lib/devmode/ssh/...

# Initialize the developer (client) SSH key pair, if it doesn't already exist
if [ ! -e /var/lib/devmode/ssh/webos_rsa ] ; then
   mkdir -p /var/lib/devmode/ssh
   chmod 0700 /var/lib/devmode/ssh
   # get FIRST six (UPPER-CASE, hex) characters of 40-char nduid from nyx-cmd
   # NOTE: This MUST match passphrase as displayed in devmode app (main.js)!
        # PASSPHRASE="`/usr/bin/nyx-cmd DeviceInfo query nduid | head -c 6 | tr 'a-z' 'A-Z'`"
        # PASSPHRASE="`/usr/bin/nyx-cmd DeviceInfo query nduid | tail -n1 | head -c 6 | tr 'a-z' 'A-Z'`"
        PASSPHRASE="`tail /var/lib/secretagent/nduid -c 40 | head -c 6 | tr 'a-z' 'A-Z'`"
   ${CRYPTO_SSH}/bin/ssh-keygen -t rsa -C "[email protected]" -N "${PASSPHRASE}" -f /var/lib/devmode/ssh/webos_rsa
   # copy ssh key to /var/luna/preferences so the devmode service's KeyServer can read it and serve to ares-webos-cli tools
   cp -f /var/lib/devmode/ssh/webos_rsa /var/luna/preferences/webos_rsa
   chmod 0644 /var/luna/preferences/webos_rsa
   # if we generated a new ssh key, make sure we re-create the authorized_keys file
   rm -f ${DEVELOPER_HOME}/.ssh/authorized_keys
fi

# Make sure the /media/developer (and log) directories exists (as sam.conf erases it when devmode is off):
mkdir -p ${DEVELOPER_HOME}/log
chmod 777 ${DEVELOPER_HOME} ${DEVELOPER_HOME}/log

# Install the SSH key into the authorized_keys file (if it doesn't already exist)
if [ ! -e ${DEVELOPER_HOME}/.ssh/authorized_keys ] ; then
   mkdir -p ${DEVELOPER_HOME}/.ssh
   cp -f /var/lib/devmode/ssh/webos_rsa.pub ${DEVELOPER_HOME}/.ssh/authorized_keys || true
   # NOTE: authorized_keys MUST be world-readable else sshd can't read it inside the devmode jail
   # To keep sshd from complaining about that, we launch sshd with -o "StrictModes no" (below).
   chmod 755 ${DEVELOPER_HOME}/.ssh
   chmod 644 ${DEVELOPER_HOME}/.ssh/authorized_keys
   chown -R developer:developer ${DEVELOPER_HOME}/.ssh
fi

# FIXME: Can we move this to /var/run/devmode/sshd ?
# Create PrivSep dir
mkdir -p /var/run/sshd
chmod 0755 /var/run/sshd

# Create directory for host keys (rather than /opt/openssh/etc/ssh/)
HOST_KEY_DIR="/var/lib/devmode/sshd"
if [ ! -d "${HOST_KEY_DIR}" ] ; then
   mkdir -p ${HOST_KEY_DIR}
   chmod 0700 ${HOST_KEY_DIR}
fi

# Create initial keys if necessary
if [ ! -f ${HOST_KEY_DIR}/ssh_host_rsa_key ]; then
   echo "  generating ssh RSA key..."
   ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_rsa_key -N '' -t rsa
fi
if [ ! -f ${HOST_KEY_DIR}/ssh_host_ecdsa_key ]; then
   echo "  generating ssh ECDSA key..."
   ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_ecdsa_key -N '' -t ecdsa
fi
if [ ! -f ${HOST_KEY_DIR}/ssh_host_dsa_key ]; then
   echo "  generating ssh DSA key..."
   ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_dsa_key -N '' -t dsa
fi

# Check config
# NOTE: This should only be enabled for testing
#${CRYPTO_SSH}/sbin/sshd -f ${CRYPTO_SSH}/etc/ssh/sshd_config -h ${HOST_KEY_DIR}/ssh_host_rsa_key -t

# Set jailer command
DEVMODE_JAIL="/usr/bin/jailer -t native_devmode -i com.palm.devmode.openssh -p ${DEVELOPER_HOME}/ -s /bin/sh"
#DEVMODE_JAIL="echo"

# Add for debugging, but this will cause sshd to exit after the first ssh login:
# -ddd -e 

# Make environment file for openssh
DEVMODE_JAIL_CONF="/etc/jail_native_devmode.conf"
DEVMODE_OPENSSH_ENV="${DEVELOPER_HOME}/.ssh/environment"
if [ -f ${DEVMODE_JAIL_CONF} ]; then
   echo " generating environment file from jail_native_devmode.conf..."
   find ${DEVMODE_JAIL_CONF} | xargs awk '/setenv/{printf "%s=%s\n", $2,$3}' > ${DEVMODE_OPENSSH_ENV}
   ${DEVMODE_JAIL} /usr/bin/env >> ${DEVMODE_OPENSSH_ENV}
fi
# Set path for devmode
if [ -f ${DEVMODE_OPENSSH_ENV} ]; then
   echo "PATH=${PATH}:${OPT_DEVMODE}/usr/bin" >> ${DEVMODE_OPENSSH_ENV}
fi

sleep 5;
for interface in $(ls /sys/class/net/ | grep -v -e lo -e sit);
do
if [ -r /sys/class/net/$interface/carrier ] ; then
  if [[ $(cat /sys/class/net/$interface/carrier) == 1 ]]; then OnLine=1; fi
fi
done
#if [ $OnLine ]; then
#   sessionToken=$(cat /var/luna/preferences/devmode_enabled);
#   checkSession=$(curl --max-time 3 -s https://developer.lge.com/secure/CheckDevModeSession.dev?sessionToken=$sessionToken);

#   if [ "$checkSession" != "" ] ; then
#      result=$(node -pe 'JSON.parse(process.argv[1]).result' "$checkSession");
#      if [ "$result" == "success" ] ; then
         rm -rf /var/luna/preferences/dc*;
#         # create devSessionTime file to remain session time in devmode app
#         remainTime=$(node -pe 'JSON.parse(process.argv[1]).errorMsg' "$checkSession");
#         resultValidTimeCheck=$(echo "${remainTime}" | egrep "^([0-9]{1,4}(:[0-5][0-9]){2})$");
#         if [ "$resultValidTimeCheck" != "" ] ; then
            echo '900:00:00' > ${DEVMODE_SERVICE_DIR}/devSessionTime;
            chgrp 5000 ${DEVMODE_SERVICE_DIR}/devSessionTime;
            chmod 664 ${DEVMODE_SERVICE_DIR}/devSessionTime;
#         fi
#      elif [ "$result" == "fail" ] ; then
#         rm -rf /var/luna/preferences/devmode_enabled;
#         rm -rf /var/luna/preferences/dc*;
#         if [ -e ${DEVMODE_SERVICE_DIR}/devSessionTime ] ; then
#            rm ${DEVMODE_SERVICE_DIR}/devSessionTime;
#         fi
#      fi
#   fi
#fi

# Cache clear function added (except Local storage)
if [ -e ${DEVMODE_SERVICE_DIR}/devCacheClear ] ; then
   rm -rf `ls | find /var/lib/webappmanager*/* -name "Local Storage" -o -name "localstorage" -prune -o -print`;
   rm ${DEVMODE_SERVICE_DIR}/devCacheClear;
fi

# Launch sshd
${DEVMODE_JAIL} ${OPT_SSH}/sbin/sshd \
  -o StrictModes=no \
  -f ${OPT_SSH}/etc/ssh/sshd_config \
  -h ${HOST_KEY_DIR}/ssh_host_rsa_key \
  -o PasswordAuthentication=no -o PermitRootLogin=no -o PermitUserEnvironment=yes \
  -D -p ${SSH_PORT}
7) Upload the new start-devmode.sh and overwrite the old one
Code:
cp /tmp/start-devmode.sh /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh
8) Restart TV.
Connect with telnet and type the previously entered password.
Code:
telnet <ip-tv>
Trying <ip-tv>...
Connected to <ip-tv>.
Escape character is '^]'.

webOS TV 1.4.0 LGSmartTV


Give root password for system maintenance
(or type Control-D for normal startup):
Entering System Maintenance Mode

[email protected]:/#
 
Last edited:
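
A defender-side check for the persistence steps in the post above, as an added example that is not part of the thread: it audits a copy of start-devmode.sh for the four changes the post makes. The function name, finding labels and both sample files are constructed for illustration; the stock-like sample assumes an unmodified script keeps the `CheckDevModeSession` request active.

```shell
#!/bin/sh
# Added example, not from the thread: flag the start-devmode.sh changes the post describes.

# Print one finding per line for the script at $1; print nothing if none match.
audit_devmode_script() {
    # Drop comment lines so commented-out code is not treated as active.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)

    # 1. A telnet daemon launched at boot (the post uses "telnetd -l /sbin/sulogin &").
    if printf '%s\n' "$active" | grep -Eq '(^|[^[:alnum:]_])telnetd([^[:alnum:]_]|$)'; then
        echo "TELNETD: telnet daemon started from the devmode startup script"
    fi
    # 2. A bind mount over /etc, which swaps in a writable copy of the account files.
    if printf '%s\n' "$active" | grep -Eq 'mount[[:space:]].*bind.*[[:space:]]/etc/?[[:space:];&]*$'; then
        echo "ETC_BIND_MOUNT: /etc is replaced by a bind mount"
    fi
    # 3. No active call to the Dev Mode session check (commented out or removed).
    if ! printf '%s\n' "$active" | grep -q 'CheckDevModeSession'; then
        echo "SESSION_CHECK_DISABLED: no active CheckDevModeSession request"
    fi
    # 4. A literal H:MM:SS written to devSessionTime instead of a value from the server.
    if printf '%s\n' "$active" | grep -Eq "echo[[:space:]]+['\"]?[0-9]+(:[0-9]+){2}['\"]?[[:space:]]*>.*devSessionTime"; then
        echo "SESSION_TIME_HARDCODED: devSessionTime is set to a fixed value"
    fi
    return 0
}

# Constructed sample: the lines the post adds or leaves active, reduced to a few lines.
write_tampered_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
mount -o bind /media/cryptofs/root/etc /etc
telnetd -l /sbin/sulogin &
#if [ $OnLine ]; then
#   checkSession=$(curl --max-time 3 -s https://developer.lge.com/secure/CheckDevModeSession.dev?sessionToken=$sessionToken);
            echo '900:00:00' > ${DEVMODE_SERVICE_DIR}/devSessionTime;
#fi
EOF
}

# Constructed sample: assumed shape of an unmodified script (session check active).
write_stock_like_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# telnetd is not started by this script
if [ $OnLine ]; then
   checkSession=$(curl --max-time 3 -s https://developer.lge.com/secure/CheckDevModeSession.dev?sessionToken=$sessionToken);
   echo "${remainTime}" > ${DEVMODE_SERVICE_DIR}/devSessionTime;
fi
EOF
}

# Demo run on the two constructed samples.
demo_dir=$(mktemp -d)
write_tampered_sample "$demo_dir/tampered.sh"
write_stock_like_sample "$demo_dir/stock_like.sh"
echo "== tampered sample =="
audit_devmode_script "$demo_dir/tampered.sh"
echo "== stock-like sample =="
audit_devmode_script "$demo_dir/stock_like.sh"
rm -rf "$demo_dir"
```

To audit a real device, copy start-devmode.sh off the TV and pass the local path to `audit_devmode_script`; an empty result only means none of these four indicators matched.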

enkrypt3d

Senior Member
Jul 28, 2010
441
14
Is it possible to install webOS 3.0 on a 65EF9500 that currently has webOS 2.0 via the USB upgrade method?
 

syconu

Senior Member
Apr 16, 2011
72
2
Is there any method to get 3.0 installed over 1.4? I have a 49ub8500-ua.
 

syconu

Senior Member
Apr 16, 2011
72
2
Is there anything hack-related that I can do with this too, and can it support a new air mouse with a dongle?
 

steven817817

Member
Sep 11, 2014
19
2
OK, so I run the root app and the first, second, and third stages are all good. Then it says try get root, password is 1111. But the terminal keeps freezing after that happens. A couple of times my TV rebooted too. I can't figure out what I could have messed up. Anyone with any experience using this method have any legit information?
 

teffd

Member
Aug 13, 2017
9
18
OK, so I run the root app and the first, second, and third stages are all good. Then it says try get root, password is 1111. But the terminal keeps freezing after that happens. A couple of times my TV rebooted too. I can't figure out what I could have messed up. Anyone with any experience using this method have any legit information?

Try to delete all 'cache' files from the exploit at /media/developer. It doesn't work twice, as far as I'm concerned.
 

syconu

Senior Member
Apr 16, 2011
72
2
Is there any way I can root my 1.4.0, and if so what are the benefits of root? Can I install Android or Kodi? What's the point?
 

diabluz

New member
Dec 16, 2007
1
0
Hi, would root access somehow allow connecting Bluetooth devices other than LG ones? Thanks!
 

ddscentral

Member
Dec 28, 2010
10
1
Vilnius
You can do pretty much anything to the system with root, even include support for unsupported devices in the form of additional kernel modules.

For example, I've added Samba support so I can mount and use my NAS (see my blog at ddscentral dot org for details).
 

loris100

Senior Member
Oct 7, 2014
341
118
Hey guys, is it possible to install Android apps on webOS? I just bought an LG OLED LG 55EG9A7V and I want to use Perfect Player IPTV, but I can't install it right now... Other than that I don't need anything else.

Can anyone help me?
 

Top Liked Posts

    7
    Hello!
    I'm from webos-forums.ru. I've root on TV for a while and can help you with translation or testing on LG webOS 1.4.
    4
    Tool Released here enjoy and you can always send logs there.
    3
    Hello,


    What about adding a new universal root tool for all models :) let me know if you're interested.