RootMy.TV: Coming soon! (Developer "pre-release" available now!)


retr0id

New member
  • Oct 24, 2016
    4
    12

    TL;DR: If you want root on any* current WebOS LG TV, do not install updates for the time being, and wait patiently. If you're a developer or researcher, read the latest update below.

    *The exploit requires "ThinQ" support, which seems to only be available on TVs running WebOS 4.0+. I will update this when we know more about which versions support it.


    RootMy.TV is a 0-click (kinda) web-to-root exploit for WebOS.

    Website (placeholder): RootMy.TV
    GitHub (placeholder): github.com/DavidBuchanan314/RootMyTV

    After this bug in Download Manager was published (which, on its own, allows rooting the WebOS emulator), I was motivated to find new bugs which can be combined with it, to get root on actual TVs.

    Given the relatively severe impact of this exploit chain, its publication will have to wait at least until LG makes official patches available for the Download Manager bug. After that, I will be publishing the exploit, along with a full writeup.

    During my research, I received invaluable advice and information from members of the openlgtv Discord server - I definitely couldn't have done this without them. Please join us, if you would like to assist with testing the exploit etc. in the hopefully-near future: https://discord.gg/9sqAgHVRhP

    Update 2021/02/15:
    LG claims to have fixed the Download Manager bug, but they haven't really. To motivate LG to actually patch the bug, I will be disclosing my exploit chain to them under a 30-day public disclosure deadline - after which, I will be publishing the exploit here. Assuming I send my disclosure to LG email tonight, that sets the RootMyTV "release date" at 2021/03/19.

    Update 2021/03/18:
    The release date is now 2021/03/21 - I have a few things I need to finish up...

    Update 2021/03/23:
    Sorry for the delays...
    I am attaching a bare-bones vulnerability report and PoC for the exploit, which is enough to get you root. This "pre-release" is intended for developers and researchers. If you're not a developer or researcher, please wait for the "full" release, which will hopefully arrive in the coming weeks. The final release will be more user friendly, and include a "Homebrew Channel". If you would like to contribute to development of the Homebrew ecosystem, please visit us on Discord.

    Some notes/disclaimers about the exploit: (READ FIRST!!!)

    - This will void your warranty, don't blame me if anything goes wrong etc. etc.

    - Amazon's "google play store" link, described in the writeup, is currently broken. As a workaround, you can search for "google search" on Amazon, click the top result, click "developer info", then click the link to Google's privacy policy. From there, you can click the menu icon in the top-right and continue with the rest of the instructions.

    - Something I forgot to mention in the report - you must update the value of the "HOST_PREFIX" variable in index.html, to point to your local webserver.

    - If you were previously using Developer Mode, then overwriting `start-devmode.sh` will have broken devmode features like `ares-install`, and the jailed sshd. You can fix this by putting the old `start-devmode.sh` back again, with some edits.

    - For some TVs that don't have the ThinQ login page, you can access an equivalent page via "Account Management" in the settings. This doesn't work on my TV (the amazon link opens in the web browser), but apparently it works on some models/versions.

    - The current version of the exploit will give you a root telnet server, accessible on the default port (23), without authentication.
     

    Attachments

    • xda_prerelease.zip
      215.2 KB · Views: 714
    Last edited:
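    A defender-side check for the last note in the post above (the root telnet listener on port 23 with no authentication), added here as an example and not part of the RootMy.TV release or the original post: a small Python scanner that connects to each given host on port 23, strips telnet option negotiation, and reports whether the greeting looks like an unauthenticated webOS root shell (a "webOS TV" banner followed directly by a "#" prompt, as in the sessions quoted later in this thread) rather than a login prompt. The sample banners are constructed for offline testing; the script file name and any host addresses you pass are assumptions.

```python
"""Audit hosts for an unauthenticated root telnet shell (added example, not RootMy.TV code)."""
import socket
import sys
from dataclasses import dataclass

IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)
NEGOTIATE = (251, 252, 253, 254)     # WILL / WONT / DO / DONT, each followed by an option byte

# Constructed sample banners for offline testing. The first mirrors the session
# quoted in this thread; the leading bytes are a typical telnetd option
# negotiation that a raw socket sees before the shell prompt.
SAMPLE_ROOT_BANNER = b"\xff\xfd\x03\xff\xfb\x01webOS TV 5.2.0 LGwebOSTV\r\n\r\n/ # "
SAMPLE_LOGIN_BANNER = b"\xff\xfd\x18some-router\r\nlogin: "


@dataclass
class TelnetFinding:
    host: str
    reachable: bool
    webos: bool                 # banner identifies a webOS TV
    root_shell_no_auth: bool    # shell prompt reached without any credential prompt
    banner: str


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only the printable banner remains."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = data[i + 1]
        if cmd == IAC:              # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:      # 3-byte sequence: IAC <cmd> <option>
            i += 3
        elif cmd == SB:             # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                       # any other 2-byte command
            i += 2
    return bytes(out)


def classify_banner(host: str, raw: bytes) -> TelnetFinding:
    """Decide whether a captured telnet greeting is an unauthenticated root shell."""
    text = strip_telnet_iac(raw).decode("utf-8", errors="replace")
    lowered = text.lower()
    asks_credentials = any(k in lowered for k in ("login:", "password:", "username:"))
    # A shell prompt ending in '#' with no credential prompt before it means
    # anyone on the LAN gets root without logging in.
    root_prompt = text.rstrip().endswith("#") and not asks_credentials
    return TelnetFinding(
        host=host,
        reachable=True,
        webos="webos tv" in lowered,
        root_shell_no_auth=root_prompt,
        banner=text.strip(),
    )


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> TelnetFinding:
    """Connect to host:port, read whatever the server volunteers, and classify it."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # the server went quiet; classify what we have
    except OSError:
        return TelnetFinding(host, False, False, False, "")
    return classify_banner(host, b"".join(chunks))


if __name__ == "__main__":
    # Usage: python3 telnet_audit.py <host> [<host> ...]   (file name is an assumption)
    for target in sys.argv[1:]:
        f = probe_telnet(target)
        if not f.reachable:
            print(f"{target}: port 23 closed or unreachable")
        elif f.root_shell_no_auth:
            print(f"{target}: UNAUTHENTICATED ROOT SHELL{' (webOS TV)' if f.webos else ''}")
        else:
            print(f"{target}: telnet open, credentials required")
```

    Run it against the TV's address after rooting to confirm what the rest of your network can see; the same check is a quick way to verify that a telnet listener has been closed or replaced with the jailed sshd again.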

    tjacoblux

    New member
    Aug 19, 2010
    3
    0
    This is exciting! I knew in my gut that I should avoid the update I saw pop up a few days ago. Can't wait to see what this all entails. Please give us an update when you can! :]
     

    Bobsilvio

    Member
    Feb 4, 2014
    5
    0
    Worked for me:
    OLED65CX6LA in Italy
    soft ver. 03.21.16
    thanks

    Connected to lgwebostv.fritz.box.
    Escape character is '^]'.

    webOS TV 5.2.0 LGwebOSTV

    / # ls
    bin etc lib mnt proc share usr
    boot home linuxrc opt run sys var
    dev lg media overlay sbin tmp www
    / #


    Is it possible to use oscam now?
     
    Last edited:

    peace2341

    New member
    Mar 16, 2021
    2
    0
    I have the same model as your TV. However, as you mentioned, I searched for "google search" on Amazon and went in, and after that I proceeded the same way, but rooting did not work. Are there any other points where I can root it?
     

    LLP42

    Member
    Mar 15, 2021
    5
    1
    Using com.webos.app.iot-thirdparty-login in webOS 4.9.1-53409 for this exploit doesn't seem to work anymore, because the app now seems to open all links in the web browser app instead of its own instance. No matter which link I tested, they all open the external web browser.

    Update:
    The underlying issue still exists though and I managed to use a slightly different method but the same privilege escalation method to get in anyways.
    Code:
    Connected to XXXXXXXXXX.
    Escape character is '^]'.
    
    webOS TV 4.9.1 LGwebOSTV
    
    / # uname -a
    Linux LGwebOSTV 4.4.84-169.gld4tv.4 #1 SMP PREEMPT Fri Mar 12 02:53:12 EST 2021 aarch64 GNU/Linux
    / # whoami
    root
     
    Last edited:

    spartakles

    New member
    Apr 5, 2021
    2
    3
    Using com.webos.app.iot-thirdparty-login in webOS 4.9.1-53409 for this exploit doesn't seem to work anymore, because the app now seems to open all links in the web browser app instead of its own instance. No matter which link I tested, they all open the external web browser.

    Update:
    The underlying issue still exists though and I managed to use a slightly different method but the same privilege escalation method to get in anyways.

    Perhaps you might share the approach you found so others don't struggle helplessly?

    I had the same problem. After getting to the Amazon login page, all links mentioned above opened in the web browser instead of within the ThinQ app. Eventually I tried entering non-existent credentials into the Amazon login form, then after being prompted to enter a captcha, I again entered invalid credentials a second time. When shown the login form a third time I clicked the bottom link (can't remember what it was - maybe privacy or forgot password or similar) and this time the link opened within the ThinQ app rather than an external browser, and I could then follow the rest of the exploit successfully.
     

    roykaandorp

    Member
    Dec 30, 2007
    36
    9
    Does rooting WebOS remove the DRM? Could someone check if Netflix is still working?
    And if the DRM will be removed, is it possible to restore it by resetting it to its factory defaults or a software update?
    @retr0id awesome work! Have been waiting on this for a long time
     

    Informatic

    Member
    Jan 26, 2011
    5
    1
    Warsaw
    Does rooting WebOS remove the DRM? Could someone check if Netflix is still working?
    And if the DRM will be removed, is it possible to restore it by resetting it to its factory defaults or a software update?
    @retr0id awesome work! Have been waiting on this for a long time

    Currently the root exploit in the first post only exposes an unjailed root telnet session and disables some telemetry. It does not affect any existing apps, unless content providers add explicit root detection (which in itself would require a jail escape exploit on their part). Netflix seems to work fine so far on a 2018-era webOS 3.8 LG TV.
     
    • Like
    Reactions: roykaandorp

    LLP42

    Member
    Mar 15, 2021
    5
    1
    Perhaps you might share the approach you found so others don't struggle helplessly?
    If there really is a "0-click" exploit as promised, these steps become unnecessary.

    Until then, anyone who knows the ropes should have no problem finding the way I mentioned. At least when you take a closer look at the source code of com.webos.app.iot-thirdparty-login. And if you have problems with this, you should probably leave this method alone anyway.

    That's why I won't post any more details about it - at least for now.
     

    spartakles

    New member
    Apr 5, 2021
    2
    3
    If there really is a "0-click" exploit as promised, these steps become unnecessary.

    Until then, anyone who knows the ropes should have no problem finding the way I mentioned. At least when you take a closer look at the source code of com.webos.app.iot-thirdparty-login. And if you have problems with this, you should probably leave this method alone anyway.

    That's why I won't post any more details about it - at least for now.
    What gibberish.

    I provided a way forward to others in my response. I followed it and it worked, so I shared it.

    You simply turned up with no useful information, just to say "hey your instructions no longer work. I found a way round it. Not going to share". It would seem you're posting on entirely the wrong forum.
     
    • Like
    Reactions: fritzeman

    LLP42

    Member
    Mar 15, 2021
    5
    1
    You simply turned up with no useful information, just to say "hey your instructions no longer work. I found a way round it. Not going to share"
    That's not true at all. The info I shared is that the vulnerability is still present in the latest firmware v05.00.30 of the 2019 models and that it's still possible to use the exploit.
    I also said that I do not share the details "for now", depending on the "0-click" exploit status.

    It would seem you're posting on entirely the wrong forum.
    The official subtitle of this forum is:
    Technical discussion of WebOS development and hacking. No noobs please.
    So if anyone is wrong here, it's you.
    This forum is not for users who need step-by-step instructions.
     

    MaxSnacks18

    New member
    Apr 14, 2021
    2
    0
    If someone can use this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and maybe even older models) that would be amazing. LG removed the feature last minute despite it showing up in C9 review samples, but it did make it into the CX as OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs but they never did.
     

    Mysteriouslog6

    Senior Member
    Aug 21, 2018
    80
    16
    LG V20
    Xiaomi Redmi Note 5 Pro
    If someone can use this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and maybe even older models) that would be amazing. LG removed the feature last minute despite it showing up in C9 review samples, but it did make it into the CX as OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs but they never did.
    If I am not wrong, the OS does verification, so trying to modify something will trigger it to not boot...
    As of now.
     

    VinnieM

    New member
    Aug 14, 2010
    1
    4
    If someone can use this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and maybe even older models) that would be amazing. LG removed the feature last minute despite it showing up in C9 review samples, but it did make it into the CX as OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs but they never did.

    You're in luck. Just this week a user at AVSForum reported that you could enable Motion Pro on the C9/E9 with a simple command on the TV. The only disadvantage was that you need to execute this command with root privileges. Now that is where this thread comes in.
    I've managed to get root access to my C9 and have executed the command and it works! Motion Pro low, medium and high is available and works at 120Hz.

    This is the command that you need to execute:

    Code:
    luna-send -n 1 -f "luna://com.webos.service.config/setConfigs" '{ "configs": { "tv.model.motionProMode": "OLED Motion Pro" } }'
     

    Top Liked Posts

      2
      Running PoC...
      Downloading devmode startup script...
      Failed to download: {"errorCode":-1,"errorText":"PalmServiceBridge is not found.","returnValue":false}

      There is a solution.

      This error occurs when you are trying to download the script from the standard browser.
      The idea of this method is to download the script via the login UI. So if Amazon throws you to the standard browser, please use another method:
      Try to authorize via a Google account. Then go through creating a new account until you reach a page with Google's Confidentiality Policy. Click on it and then continue as in the original guide (menu button -> search -> and so on).

      Thanks to @andrewttrb from webos-forums for the idea
      1
      Still works on this version:

      webOS TV 5.2.1 LGwebOSTV

      / # ls
      bin etc lib mnt proc share usr
      boot home linuxrc opt run sys var
      dev lg media overlay sbin tmp www
      1
      Thanks again for the efforts! I can confirm that it worked like a charm. I have tested on LGC9 05.00.03, very smooth, haven't seen any errors.