RootMy.TV: v2.0 Released!


jason_a69

With the just released firmware update for the 2021 OLED TV models, the last model without a fix has also received an update that fixes the corresponding security vulnerability.

Thus, the method used by RootMy.TV to gain root privileges should no longer work on any of LG's OLED TVs (2019-2022) if they have the most recent firmware version. Note that installing apps via RootMy.TV may still work.
I can confirm this is the case, my C8 updated to WebOS 05.50.10 yesterday and I had this message when I just tried to run the script.
 

Attachment: Screenshot from 2022-09-15 11-14-13.png

olivier615

Hello, I have rooted my TV with the crashd exploit procedure.
I activated the SSH server in Homebrew Channel and restarted my TV, but when I try to connect with PuTTY the connection is refused without being asked for the credentials. What can I do? Thanks
 

Near710

Hi guys, I have an LG NANO816PA, software version 03.33.11. I launched the exploit and everything seems to have gone correctly, but once I reboot I don't see the Homebrew Channel. Do you have any ideas?
 

snake218

Hi guys, I have an LG NANO816PA, software version 03.33.11. I launched the exploit and everything seems to have gone correctly, but once I reboot I don't see the Homebrew Channel. Do you have any ideas?
Same problem with my B9, firmware 05.30.10. The process seems to complete without errors, but the homebrew store did not install.
 

cambiasso2

I confirm, LG 65C9 with 5.20.35, root is fine but Homebrew Channel doesn't show...
Maybe it has been fixed? :(
We hope for a solution.
 

snek1

Hello, my television, an LG C8 on update 5.50, can't be rooted... Please can you help me?
 

bitcasual

Would this work with an LG TV from 2016, model 70uh700V-za, from 2016? I'm running WebOS TV Version 3.4.0-5711 (dreadlocks-digya). Firmware version 05.60.35

Edit: Confirmed to be working on LG 70uh700V running 3.4.0-5711, firmware 05.60.35!
 

Ansem

Hi everyone,
I just discovered RootMyTV. I have an LG 55B7 that has webOS 3.9.0-62710 (dreadlocks2-dudhwa). I currently have the firmware 06.00.30.
Is it safe to try the root? Is it compatible?
 

MrAshen

Hi guys, I have an LG NANO816PA, software version 03.33.11. I launched the exploit and everything seems to have gone correctly, but once I reboot I don't see the Homebrew Channel. Do you have any ideas?
Same here with LG OLED65B7D-Z. After upgrading from 06.10.01 to 6.10.30, rootmy.tv is processing but unfortunately there is neither Homebrew Channel nor elevated root access.
 

maleguard

Hello, webOS version 4.9.5-10
Aah... 4.x.x has a startup script problem, but the developers are working on it. Add the repo "https://repo.webosapp.club" to Homebrew and install the run.telnet application. Try to connect via telnet with PuTTY on port 23, and run these commands for SSH. It's a temporary solution for SSH. Sorry for my English.


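Bash:
        # Create the sshd directory under /var/lib/webosbrew
        mkdir -p /var/lib/webosbrew/sshd
        # Start the Homebrew Channel's dropbear; -R creates host keys as required
        /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/bin/dropbear -R
        # Write a copy of /etc/shadow in which root has a fixed password hash
        sed -r 's/root:.?:/root:xGVw8H4GqkKg6:/' /etc/shadow > /tmp/shadow
        chmod 400 /tmp/shadow
        # Bind-mount the copy over the original (does not survive a reboot)
        mount --bind /tmp/shadow /etc/shadow
        # Same for /etc/passwd: make root's entry point at the shadow file
        sed 's/root:\*:/root:x:/' /etc/passwd > /tmp/passwd
        chmod 444 /tmp/passwd
        mount --bind /tmp/passwd /etc/passwd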
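
To tell apart the failure modes reported in the posts above ("connection refused" versus a login problem) from a PC on the same network, the following added example, which is not part of any post in this thread, probes the two ports the thread mentions and reads the SSH banner. The function names are invented for this example, and the TV's address is passed on the command line.

```python
import socket
import sys

# Ports named in the thread: 22 (Homebrew Channel's dropbear sshd), 23 (telnet).
SERVICES = {22: "ssh", 23: "telnet"}


def probe(host, port, timeout=3.0):
    """Return (state, banner); state is 'open', 'refused' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""        # host answered, but nothing is listening
    except OSError:
        return "unreachable", ""    # timeout or no route to the address
    with sock:
        try:
            banner = sock.recv(256)  # SSH servers send their version line first
        except OSError:
            banner = b""
    return "open", banner.decode("latin-1").strip()


def explain(service, state, banner):
    """Turn a probe result into the diagnosis relevant to this thread."""
    if state == "refused":
        return f"{service}: connection refused, the daemon is not running"
    if state == "unreachable":
        return f"{service}: no answer, check the TV's IP address and power state"
    if service == "ssh":
        if banner.startswith("SSH-"):
            return f"ssh: server is up ({banner}); a failure now is a login problem"
        return "ssh: port open but no SSH banner, something else is listening"
    return ("telnet: open; telnet is unencrypted and the thread's root telnet "
            "server needs no login, so stop it once SSH works")


def check_tv(host, services=SERVICES, timeout=3.0):
    """Probe every service and return one diagnosis line per port."""
    return [explain(name, *probe(host, port, timeout))
            for port, name in sorted(services.items())]


if __name__ == "__main__" and len(sys.argv) == 2:
    print("\n".join(check_tv(sys.argv[1])))
```
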
 

Top Liked Posts

  • 22
    RootMyTV is a user-friendly exploit for rooting/jailbreaking LG webOS smart TVs.

    Website: RootMy.TV
    GitHub: https://github.com/RootMyTV/RootMyTV.github.io

    For further details, and a full writeup, please check out the GitHub repo.

    TL;DR; If you want root on any* current WebOS LG TV, do not install updates for the time being, and wait patiently. If you're a developer or researcher, read the latest update below.

    *The exploit requires "ThinQ" support, which seems to only be available on TVs running WebOS 4.0+. I will update this when we know more about which versions support it.


    RootMy.TV is a 0-click (kinda) web-to-root exploit for WebOS.

    Website (placeholder): RootMy.TV
    GitHub (placeholder): github.com/DavidBuchanan314/RootMyTV

    After this bug in Download Manager was published (which, on its own, allows rooting the WebOS emulator), I was motivated to find new bugs which can be combined with it, to get root on actual TVs.

    Given the relatively severe impact of this exploit chain, its publication will have to wait at least until LG makes official patches available for the Download Manager bug. After that, I will be publishing the exploit, along with a full writeup.

    During my research, I received invaluable advice and information from members of the openlgtv Discord server - I definitely couldn't have done this without them. Please join us, if you would like to assist with testing the exploit etc. in the hopefully-near future: https://discord.gg/9sqAgHVRhP

    Update 2021/02/15:
    LG claims to have fixed the Download Manager bug, but they haven't really. To motivate LG to actually patch the bug, I will be disclosing my exploit chain to them under a 30-day public disclosure deadline - after which, I will be publishing the exploit here. Assuming I send my disclosure to LG email tonight, that sets the RootMyTV "release date" at 2021/03/19.

    Update 2021/03/18:
    The release date is now 2021/03/21 - I have a few things I need to finish up...

    Update 2021/03/23:
    Sorry for the delays...
    I am attaching a bare-bones vulnerability report and PoC for the exploit, which is enough to get you root. This "pre-release" is intended for developers and researchers. If you're not a developer or researcher, please wait for the "full" release, which will hopefully arrive in the coming weeks. The final release will be more user friendly, and include a "Homebrew Channel". If you would like to contribute to development of the Homebrew ecosystem, please visit us on Discord.

    Some notes/disclaimers about the exploit: (READ FIRST!!!)

    - This will void your warranty, don't blame me if anything goes wrong etc. etc.

    - Amazon's "google play store" link, described in the writeup, is currently broken. As a workaround, you can search for "google search" on Amazon, Click the top result, Click "developer info", then click the link to Google's privacy policy. From there, you can click the menu icon in the top-right and continue with the rest of the instructions.

    - Something I forgot to mention in the report - you must update the value of the "HOST_PREFIX" variable in index.html, to point to your local webserver.

    - If you were previously using Developer Mode, then overwriting `start-devmode.sh` will have broken devmode features like `ares-install`, and the jailed sshd. You can fix this by putting the old `start-devmode.sh` back again, with some edits.

    - For some TVs that don't have the ThinQ login page, you can access an equivalent page via "Account Management" in the settings. This doesn't work on my TV (the amazon link opens in the web browser), but apparently it works on some models/versions.

    - The current version of the exploit will give you a root telnet server, accessible on the default port (23), without authentication.
    7
    If someone can use this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and maybe even older models) that would be amazing. LG removed the feature last minute despite it showing up in C9 reviews samples, but it did make it into the CX as OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs but they never did.

    You're in luck. Just this week a user at AVSForum reported that you could enable Motion Pro on the C9/E9 with a simple command on the tv. The only disadvantage was that you need to execute this command with root privileges. Now that is where this thread comes in.
    I've managed to get root access to my C9 and have executed the command and it works! Motion Pro low, medium and high is available and works at 120Hz.

    This is the command that you need to execute:

    Code:
    luna-send -n 1 -f "luna://com.webos.service.config/setConfigs" '{ "configs": { "tv.model.motionProMode": "OLED Motion Pro" } }'
    3
    If you are having trouble connecting to certain websites or using Plex or Emby on your TV, it may be because the services are using digital certificates signed by the new LetsEncrypt Certificate Authority cert, and LG have not updated the TV’s certificate trust store to include this new cert and remove the old expired one.

    If your TV is rooted, then you can use this shell script to fix this: https://github.com/tf318/lg
    3
    With the just released firmware update for the 2021 OLED TV models, the last model without a fix has also received an update that fixes the corresponding security vulnerability.

    Thus, the method used by RootMy.TV to gain root privileges should no longer work on any of LG's OLED TVs (2019-2022) if they have the most recent firmware version. Note that installing apps via RootMy.TV may still work.
    2
    Using com.webos.app.iot-thirdparty-login in webOS 4.9.1-53409 for this exploit doesn't seem to work anymore, because the app now seems to open all links in the web browser app instead of its own instance. No matter which link I tested, they all open the external web browser.

    Update:
    The underlying issue still exists though and I managed to use a slightly different method but the same privilege escalation method to get in anyways.

    Perhaps you might share the approach you found so others don't struggle helplessly?

    I had the same problem. After getting to the Amazon login page, all links mentioned above opened in the web browser instead of within the ThinQ app. Eventually I tried entering non-existent credentials into the Amazon login form, then after being prompted to enter a captcha, I again entered invalid credentials a second time. When shown the login form a third time I clicked the bottom link (can't remember what it was - maybe privacy or forgot password or similar) and this time the link opened within the ThinQ app rather than an external browser, and I could then follow the rest of the exploit successfully.