RootMyTV is a user-friendly exploit for rooting/jailbreaking LG webOS smart TVs.
Website: RootMy.TV
GitHub: https://github.com/RootMyTV/RootMyTV.github.io
For further details, and a full writeup, please check out the GitHub repo.
TL;DR; If you want root on any* current WebOS LG TV, do not install updates for the time being, and wait patiently. If you're a developer or researcher, read the latest update below.
*The exploit requires "ThinQ" support, which seems to only be available on TVs running WebOS 4.0+. I will update this when we know more about which versions support it.
RootMy.TV is an 0-click (kinda) web-to-root exploit for WebOS.
Website (placeholder): RootMy.TV
GitHub (placeholder): github.com/DavidBuchanan314/RootMyTV
After this bug in Download Manager was published (which, on its own, allows rooting the WebOS emulator), I was motivated to find new bugs which can be combined with it, to get root on actual TVs.
Given the relatively severe impact of this exploit chain, its publication will have to wait at least until LG makes official patches available for the Download Manager bug. After that, I will be publishing the exploit, along with a full writeup.
During my research, I received invaluable advice and information from members of the openlgtv Discord server - I definitely couldn't have done this without them. Please join us, if you would like to assist with testing the exploit etc. in the hopefully-near future: https://discord.gg/9sqAgHVRhP
Update 2021/02/15:
LG claims to have fixed the Download Manager bug, but they haven't really. To motivate LG to actually patch the bug, I will be disclosing my exploit chain to them under a 30-day public disclosure deadline - after which, I will be publishing the exploit here. Assuming I send my disclosure to LG email tonight, that sets the RootMyTV "release date" at 2021/03/19.
Update 2021/03/18:
The release date is now 2021/03/21 - I have a few things I need to finish up...
Update 2021/03/23:
Sorry for the delays...
I am attaching a bare-bones vulnerability report and PoC for the exploit, which is enough to get you root. This "pre-release" is intended for developers and researchers. If you're not a developer or researcher, please be wait for the "full" release, which will hopefully arrive in the coming weeks. The final release will be more user friendly, and include a "Homebrew Channel". If you would like to contribute to development of the Homebrew ecosystem, please visit us on Discord.
Some notes/disclaimers about the exploit: (READ FIRST!!!)
- This will void your warranty, don't blame me if anything goes wrong etc. etc.
- Amazon's "google play store" link, described in the writeup, is currently broken. As a workaround, you can search for "google search" on Amazon, Click the top result, Click "developer info", then click the link to Google's privacy policy. From there, you can click the menu icon in the top-right and continue with the rest of the instructions.
- Something I forgot to mention in the report - you must update the value of the "HOST_PREFIX" variable in index.html, to point to your local webserver.
- If you were previously using Developer Mode, then overwriting `start-devmode.sh` will have broken devmode features like `ares-install`, and the jailed sshd. You can fix this by putting the old `start-devmode.sh` back again, with some edits.
- For some TVs that don't have the ThinQ login page, you can access an equivalent page via "Account Management" in the settings. This doesn't work on my TV (the amazon link opens in the web browser), but apparently it works on some models/versions.
- The current version of the exploit will give you a root telnet server, accessible on the default port (23), without authentication.
*The exploit requires "ThinQ" support, which seems to only be available on TVs running WebOS 4.0+. I will update this when we know more about which versions support it.
RootMy.TV is an 0-click (kinda) web-to-root exploit for WebOS.
Website (placeholder): RootMy.TV
GitHub (placeholder): github.com/DavidBuchanan314/RootMyTV
After this bug in Download Manager was published (which, on its own, allows rooting the WebOS emulator), I was motivated to find new bugs which can be combined with it, to get root on actual TVs.
Given the relatively severe impact of this exploit chain, its publication will have to wait at least until LG makes official patches available for the Download Manager bug. After that, I will be publishing the exploit, along with a full writeup.
During my research, I received invaluable advice and information from members of the openlgtv Discord server - I definitely couldn't have done this without them. Please join us, if you would like to assist with testing the exploit etc. in the hopefully-near future: https://discord.gg/9sqAgHVRhP
Update 2021/02/15:
LG claims to have fixed the Download Manager bug, but they haven't really. To motivate LG to actually patch the bug, I will be disclosing my exploit chain to them under a 30-day public disclosure deadline - after which, I will be publishing the exploit here. Assuming I send my disclosure to LG email tonight, that sets the RootMyTV "release date" at 2021/03/19.
Update 2021/03/18:
The release date is now 2021/03/21 - I have a few things I need to finish up...
Update 2021/03/23:
Sorry for the delays...
I am attaching a bare-bones vulnerability report and PoC for the exploit, which is enough to get you root. This "pre-release" is intended for developers and researchers. If you're not a developer or researcher, please be wait for the "full" release, which will hopefully arrive in the coming weeks. The final release will be more user friendly, and include a "Homebrew Channel". If you would like to contribute to development of the Homebrew ecosystem, please visit us on Discord.
Some notes/disclaimers about the exploit: (READ FIRST!!!)
- This will void your warranty, don't blame me if anything goes wrong etc. etc.
- Amazon's "google play store" link, described in the writeup, is currently broken. As a workaround, you can search for "google search" on Amazon, Click the top result, Click "developer info", then click the link to Google's privacy policy. From there, you can click the menu icon in the top-right and continue with the rest of the instructions.
- Something I forgot to mention in the report - you must update the value of the "HOST_PREFIX" variable in index.html, to point to your local webserver.
- If you were previously using Developer Mode, then overwriting `start-devmode.sh` will have broken devmode features like `ares-install`, and the jailed sshd. You can fix this by putting the old `start-devmode.sh` back again, with some edits.
- For some TVs that don't have the ThinQ login page, you can access an equivalent page via "Account Management" in the settings. This doesn't work on my TV (the amazon link opens in the web browser), but apparently it works on some models/versions.
- The current version of the exploit will give you a root telnet server, accessible on the default port (23), without authentication.
Attachments
Last edited: