• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    Root webOS

    I could use your help rooting my lg 65uf6450-ua if you would. Thank you

    1. You need to install Developer Mode App and export private ssh-key with CLI (webostv.developer.lge.com/develop/app-test)
    2. Convert private ssh-key with puttygen [import key <your private ssh-key>, then save private key]
    3. Download exploit (zalil.su/6937580), then connect with TV User: prisoner, [<ip-tv>:9922] + private-key with WinSCP (or other SCP-client), upload to /media/developer on TV and rename it to root.
    on linux
    Code:
    ssh -i <your private ssh-key> [email protected]<ip-tv> -p 9922 "/bin/sh -i"
    4.
    Code:
    chmod +x root
    Code:
    ./root
    5. After try install any app from market go to LG App Store and try to install any app.
    6. if third stage ok. the insert password 1111 as said.
    7.
    Code:
    busybox chroot /proc/1/root
    Code:
    Code:
    uid=0(root) gid=0(root)........

    I personally use Linux Subsystem on Windows 10 for all of this.

    To install .ipk app:
    Code:
    ApplicationInstallerUtility -c install -p /tmp/<any-name>.ipk -u 0 -l /media/developer -d
    Info about your linux kernel and TV firmware:
    Code:
    luna-send -n 1 -f luna://com.palm.systemservice/osInfo/query '{ "subscribe": false }'
    Launch app:
    Code:
    luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix"}'
    All apps ID you can find with
    Code:
    luna-send -n 1 "palm://com.palm.applicationManager/listLaunchPoints" "{}"
    or at a folder /media/cryptofs/apps/usr/palm/applications/<App ID>/appinfo.json


    For permanent root access through telnet:

    1)
    Code:
    [email protected]:/# mkdir -p /media/cryptofs/root/etc
    2)
    Code:
    [email protected]:/# cp -r /etc/* /media/cryptofs/root/etc
    3)
    Code:
    [email protected]:/# mount -o bind /media/cryptofs/root/etc /etc
    4)
    Code:
    [email protected]:/# passwd root
    Enter any new root password
    5)
    Code:
    cp /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh /tmp/start-devmode.sh
    6) Download with WinSCP start-devmode.sh and edit it locally.
    You need to add at the beginning
    Code:
    mount -o bind /media/cryptofs/root/etc /etc
    telnetd -l /sbin/sulogin &
    Plus you can add the line to launch any App at start, e.g:
    Code:
    luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix", "params":{}}'
    And comment Dev Mode online check.

    Here it's mine start-devmode.sh. It's for webOS 1.4. It can be different for other webOS versions:
    Code:
    #!/bin/sh
    mount -o bind /media/cryptofs/root/etc /etc
    telnetd -l /sbin/sulogin &
    
    #luna-send -n 1 -f luna://com.webos.applicationManager/launch '{"id": "netflix", "params":{}}'
    
    # FIXME: disable this to turn off script echo
    set -x
    
    # FIXME: disable this to stop script from bailing on error
    # set -e
    
    # TODO: Check upstart daemon/process tracking (do we need to change /etc/init/devmode.conf? start sshd as daemon?)
    
    # set devmode ssh port here
    SSH_PORT="9922"
    
    # set arch:
    ARCH="armv71"
    grep -qs "qemux86" /etc/hostname && ARCH="i686"
    
    # set directories
    OPT_DEVMODE="/opt/devmode"
    OPT_SSH="/opt/openssh"
    DEVELOPER_HOME="/media/developer"
    DEVMODE_SERVICE_DIR="/media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service"
    CRYPTO_SSH="$DEVMODE_SERVICE_DIR/binaries-${ARCH}/opt/openssh"
    CRYPTO_OPT="$DEVMODE_SERVICE_DIR/binaries-${ARCH}/opt"
    
    if [ -s ${DEVMODE_SERVICE_DIR}/jail_app.conf ] ; then
       mv ${DEVMODE_SERVICE_DIR}/jail_app.conf ${DEVELOPER_HOME}
       mv ${DEVMODE_SERVICE_DIR}/jail_app.conf.sig ${DEVELOPER_HOME}
    fi
    
    if [ -r ${DEVMODE_SERVICE_DIR}/sessionToken ] ; then
       mv -f ${DEVMODE_SERVICE_DIR}/sessionToken /var/luna/preferences/devmode_enabled
    fi
    
    
    # Make sure the ssh binaries are executable (in service directory)
    if [ ! -x "${CRYPTO_SSH}/sbin/sshd" ] ; then
       chmod ugo+x ${CRYPTO_SSH}/sbin/sshd ${CRYPTO_SSH}/bin/ssh* ${CRYPTO_SSH}/bin/scp* || true
       chmod ugo+x ${CRYPTO_SSH}/bin/sftp ${CRYPTO_SSH}/lib/openssh/* || true
       chmod ugo+x ${CRYPTO_OPT}/devmode/usr/bin/* || true
    fi
    
    # TODO: (later) Look for "re-init" flag to re-generate ssh key if requested by app (via devkey service)
    # com.palm.service.devmode could have "resetKey" method to erase /var/lib/devmode/ssh/webos_rsa
    # Kind of dangerous though, since new key will need to be fetched on the desktop (after reboot)...
    # We could just require a hard-reset of the TV which should blow away /var/lib/devmode/ssh/...
    
    # Initialize the developer (client) SSH key pair, if it doesn't already exist
    if [ ! -e /var/lib/devmode/ssh/webos_rsa ] ; then
       mkdir -p /var/lib/devmode/ssh
       chmod 0700 /var/lib/devmode/ssh
       # get FIRST six (UPPER-CASE, hex) characters of 40-char nduid from nyx-cmd
       # NOTE: This MUST match passphrase as displayed in devmode app (main.js)!
            # PASSPHRASE="`/usr/bin/nyx-cmd DeviceInfo query nduid | head -c 6 | tr 'a-z' 'A-Z'`"
            # PASSPHRASE="`/usr/bin/nyx-cmd DeviceInfo query nduid | tail -n1 | head -c 6 | tr 'a-z' 'A-Z'`"
            PASSPHRASE="`tail /var/lib/secretagent/nduid -c 40 | head -c 6 | tr 'a-z' 'A-Z'`"
       ${CRYPTO_SSH}/bin/ssh-keygen -t rsa -C "[email protected]" -N "${PASSPHRASE}" -f /var/lib/devmode/ssh/webos_rsa
       # copy ssh key to /var/luna/preferences so the devmode service's KeyServer can read it and serve to ares-webos-cli tools
       cp -f /var/lib/devmode/ssh/webos_rsa /var/luna/preferences/webos_rsa
       chmod 0644 /var/luna/preferences/webos_rsa
       # if we generated a new ssh key, make sure we re-create the authorized_keys file
       rm -f ${DEVELOPER_HOME}/.ssh/authorized_keys
    fi
    
    # Make sure the /media/developer (and log) directories exists (as sam.conf erases it when devmode is off):
    mkdir -p ${DEVELOPER_HOME}/log
    chmod 777 ${DEVELOPER_HOME} ${DEVELOPER_HOME}/log
    
    # Install the SSH key into the authorized_keys file (if it doesn't already exist)
    if [ ! -e ${DEVELOPER_HOME}/.ssh/authorized_keys ] ; then
       mkdir -p ${DEVELOPER_HOME}/.ssh
       cp -f /var/lib/devmode/ssh/webos_rsa.pub ${DEVELOPER_HOME}/.ssh/authorized_keys || true
       # NOTE: authorized_keys MUST be world-readable else sshd can't read it inside the devmode jail
       # To keep sshd from complaining about that, we launch sshd with -o "StrictModes no" (below).
       chmod 755 ${DEVELOPER_HOME}/.ssh
       chmod 644 ${DEVELOPER_HOME}/.ssh/authorized_keys
       chown -R developer:developer ${DEVELOPER_HOME}/.ssh
    fi
    
    # FIXME: Can we move this to /var/run/devmode/sshd ?
    # Create PrivSep dir
    mkdir -p /var/run/sshd
    chmod 0755 /var/run/sshd
    
    # Create directory for host keys (rather than /opt/openssh/etc/ssh/)
    HOST_KEY_DIR="/var/lib/devmode/sshd"
    if [ ! -d "${HOST_KEY_DIR}" ] ; then
       mkdir -p ${HOST_KEY_DIR}
       chmod 0700 ${HOST_KEY_DIR}
    fi
    
    # Create initial keys if necessary
    if [ ! -f ${HOST_KEY_DIR}/ssh_host_rsa_key ]; then
       echo "  generating ssh RSA key..."
       ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_rsa_key -N '' -t rsa
    fi
    if [ ! -f ${HOST_KEY_DIR}/ssh_host_ecdsa_key ]; then
       echo "  generating ssh ECDSA key..."
       ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_ecdsa_key -N '' -t ecdsa
    fi
    if [ ! -f ${HOST_KEY_DIR}/ssh_host_dsa_key ]; then
       echo "  generating ssh DSA key..."
       ${CRYPTO_SSH}/bin/ssh-keygen -q -f ${HOST_KEY_DIR}/ssh_host_dsa_key -N '' -t dsa
    fi
    
    # Check config
    # NOTE: This should only be enabled for testing
    #${CRYPTO_SSH}/sbin/sshd -f ${CRYPTO_SSH}/etc/ssh/sshd_config -h ${HOST_KEY_DIR}/ssh_host_rsa_key -t
    
    # Set jailer command
    DEVMODE_JAIL="/usr/bin/jailer -t native_devmode -i com.palm.devmode.openssh -p ${DEVELOPER_HOME}/ -s /bin/sh"
    #DEVMODE_JAIL="echo"
    
    # Add for debugging, but this will cause sshd to exit after the first ssh login:
    # -ddd -e 
    
    # Make environment file for openssh
    DEVMODE_JAIL_CONF="/etc/jail_native_devmode.conf"
    DEVMODE_OPENSSH_ENV="${DEVELOPER_HOME}/.ssh/environment"
    if [ -f ${DEVMODE_JAIL_CONF} ]; then
       echo " generating environment file from jail_native_devmode.conf..."
       find ${DEVMODE_JAIL_CONF} | xargs awk '/setenv/{printf "%s=%sn", $2,$3}' > ${DEVMODE_OPENSSH_ENV}
       ${DEVMODE_JAIL} /usr/bin/env >> ${DEVMODE_OPENSSH_ENV}
    fi
    # Set path for devmode
    if [ -f ${DEVMODE_OPENSSH_ENV} ]; then
       echo "PATH=${PATH}:${OPT_DEVMODE}/usr/bin" >> ${DEVMODE_OPENSSH_ENV}
    fi
    
    sleep 5;
    for interface in $(ls /sys/class/net/ | grep -v -e lo -e sit);
    do
    if [ -r /sys/class/net/$interface/carrier ] ; then
      if [[ $(cat /sys/class/net/$interface/carrier) == 1 ]]; then OnLine=1; fi
    fi
    done
    #if [ $OnLine ]; then
    #   sessionToken=$(cat /var/luna/preferences/devmode_enabled);
    #   checkSession=$(curl --max-time 3 -s https://developer.lge.com/secure/CheckDevModeSession.dev?sessionToken=$sessionToken);
    
    #   if [ "$checkSession" != "" ] ; then
    #      result=$(node -pe 'JSON.parse(process.argv[1]).result' "$checkSession");
    #      if [ "$result" == "success" ] ; then
             rm -rf /var/luna/preferences/dc*;
    #         # create devSessionTime file to remain session time in devmode app
    #         remainTime=$(node -pe 'JSON.parse(process.argv[1]).errorMsg' "$checkSession");
    #         resultValidTimeCheck=$(echo "${remainTime}" | egrep "^([0-9]{1,4}(:[0-5][0-9]){2})$");
    #         if [ "$resultValidTimeCheck" != "" ] ; then
                echo '900:00:00' > ${DEVMODE_SERVICE_DIR}/devSessionTime;
                chgrp 5000 ${DEVMODE_SERVICE_DIR}/devSessionTime;
                chmod 664 ${DEVMODE_SERVICE_DIR}/devSessionTime;
    #         fi
    #      elif [ "$result" == "fail" ] ; then
    #         rm -rf /var/luna/preferences/devmode_enabled;
    #         rm -rf /var/luna/preferences/dc*;
    #         if [ -e ${DEVMODE_SERVICE_DIR}/devSessionTime ] ; then
    #            rm ${DEVMODE_SERVICE_DIR}/devSessionTime;
    #         fi
    #      fi
    #   fi
    #fi
    
    # Cache clear function added (except Local storage)
    if [ -e ${DEVMODE_SERVICE_DIR}/devCacheClear ] ; then
       rm -rf `ls | find /var/lib/webappmanager*/* -name "Local Storage" -o -name "localstorage" -prune -o -print`;
       rm ${DEVMODE_SERVICE_DIR}/devCacheClear;
    fi
    
    # Launch sshd
    ${DEVMODE_JAIL} ${OPT_SSH}/sbin/sshd 
      -o StrictModes=no 
      -f ${OPT_SSH}/etc/ssh/sshd_config 
      -h ${HOST_KEY_DIR}/ssh_host_rsa_key 
      -o PasswordAuthentication=no -o PermitRootLogin=no -o PermitUserEnvironment=yes 
      -D -p ${SSH_PORT}
    7) Upload new start-devmode.sh and rewrite the old one
    Code:
    cp /tmp/start-devmode.sh /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh
    8) Restart TV.
    Connect with telnet and type previously entered password.
    Code:
    telnet <ip-tv>
    Trying <ip-tv>...
    Connected to <ip-tv>].
    Escape character is '^]'.
    
    webOS TV 1.4.0 LGSmartTV
    
    
    Give root password for system maintenance
    (or type Control-D for normal startup):
    Entering System Maintenance Mode
    
    [email protected]:/#
    7
    Hello!
    I'm from webos-forums.ru. I've root on TV for a while and can help you with translation or testing on LG webOS 1.4.
    5
    pivotce.com informs that instructions have been published on gaining root access to a webOS TV. This is much harder than on the old phones and tablets. When this was done on legacy webOS, there was a wave of enhancements and tweaks made available to phone users from webOS Internals and other developers.

    The instructions can be found on the Russian webOS forums here: webos-forums.ru/topic4650.html (English Translation via Google).

    As the thread itself notes, this creates the possibility of fiddling with your TV in a way that may turn it into a large, thin brick and will almost certainly invalidate your warranty. The general user should stay well clear of this.

    pivotCE published this for information only and recommend leaving investigations to those who know what they are doing or who can afford to wreck expensive television sets. We will watch to see if anything interesting emerges from this development.

    +

    Detailed analysis of the root access method described above:
    forums.webosnation.com/lg-webos-tv/331754-pivotce-seems-webos-tv-has-been-rooted.html#post3450911
    4
    Tool Released here enjoy and you can always send logs there.
    3
    Hello,


    What about adding a new universal root tool for all models :) let me know if you're interested.