Sony Bravia 4K 2015 (KD-55X8505C EU)
(Model number explained: KD = TV, 55 = inch, X = premium, 8 = model, 5 = submodel, 05 = local design, C = 2015)
WARNING: Everything is AT YOUR OWN RISK (as you may brick / destroy a good TV)!
Hi guys/gals,
I am still using this Android TV 7.0 by Sony (Bravia), and have lots of info, but even more questions still, the most important being:
Part 1) Can I install the newest international (US/Asia) firmware (6.827 - Android 8.0) instead of our much older lame EU one (5.457 - Android 7.0)? Same hardware, thus compatible, or??
Part 2) Can we (temporarily) root it, and/or unlock the bootloader, and/or install Magisk or any other custom images? Can I downgrade / revert back to older firmwares (to make it weaker to root)?
A lot of info can be found via the links (like the BeoBuild Vision & SmartTVHacking) and in the attached files from my TV.
ADB can be connected remotely, by first enabling Developer Options & USB Debugging, and using the IP of your TV in the command: adb connect [IP]
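As an added example (not from the original post), here is a small Python helper that does the `adb connect` step above and then records the build properties the TV reports, so the installed firmware and security patch level can be compared against what Sony ships for other regions. The `adb` calls, port 5555 and the `ro.build.*` property names are standard Android; the sample `adb devices -l` and `getprop` output embedded in the script is constructed for the offline demo, not captured from a real Bravia.

```python
"""Inventory an Android TV reachable over network ADB.

Added example (not from the original post): runs `adb connect`, then
records build properties so the installed firmware (e.g. the 5.457 /
Android 7.0 mentioned above) and its security patch level can be tracked.
The parsing functions are pure, so they can be checked against the
constructed sample output below without a TV on the network.
"""
import re
import subprocess
import sys

# Constructed sample of `adb devices -l` output (not captured from a real TV).
SAMPLE_DEVICES = """List of devices attached
192.168.1.50:5555      device product:BRAVIA_ATV2 model:BRAVIA_4K_GB transport_id:3
emulator-5554          offline transport_id:4
"""

# Constructed sample of `adb shell getprop` output (values are placeholders).
SAMPLE_GETPROP = """[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2018-02-01]
[ro.product.model]: [BRAVIA 4K GB]
[ro.build.display.id]: [5.457]
"""

DEVICE_LINE = re.compile(r"^(\S+)\s+(device|offline|unauthorized)\b(.*)$")
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_devices(text):
    """Return {serial: state} for every device line of `adb devices -l` output."""
    devices = {}
    for line in text.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            devices[m.group(1)] = m.group(2)
    return devices


def parse_getprop(text):
    """Return {property: value} from `getprop` output."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def summarize(props):
    """Pick out the properties that matter when assessing patch level."""
    return {
        "android": props.get("ro.build.version.release", "?"),
        "sdk": props.get("ro.build.version.sdk", "?"),
        "security_patch": props.get("ro.build.version.security_patch", "?"),
        "build": props.get("ro.build.display.id", "?"),
        "model": props.get("ro.product.model", "?"),
    }


def adb(*args):
    """Run one adb command (adb must be on PATH) and return its stdout."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=False).stdout


def inventory(ip):
    """Connect to the TV over the network and return its firmware summary."""
    adb("connect", f"{ip}:5555")
    state = parse_devices(adb("devices", "-l")).get(f"{ip}:5555")
    if state != "device":
        # 'unauthorized' means the USB-debugging prompt on screen was not accepted yet
        raise RuntimeError(f"TV not ready (state: {state})")
    return summarize(parse_getprop(adb("-s", f"{ip}:5555", "shell", "getprop")))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(inventory(sys.argv[1]))  # python inventory.py 192.168.1.50
    else:  # offline demo on the constructed samples
        print(parse_devices(SAMPLE_DEVICES))
        print(summarize(parse_getprop(SAMPLE_GETPROP)))
```

Run it with the TV's IP as the only argument; without an argument it just parses the embedded samples. Keeping the summary (especially `ro.build.version.security_patch`) from each firmware you install gives a concrete record of how far behind the EU build actually is.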
Part 1
I am still running 5.435 because it may be weaker. It might also be possible to downgrade, to re-enable some holes/weaknesses (see Part 2).
I would love to upgrade to Oreo (8.0) like everyone in the world with this TV except Europe.
Is it possible by:
1.1) Altering the firmware of Sony (see 2.2) or the download method by changing the IP by local DNS etc.?
1.2) Changing the TV region/settings/specs so it fits (see Service Menu)? Is the hardware exactly the same as Asia or US, or is this dangerous?!
Part 2
2.1) Can we unlock the bootloader? I can boot to fastboot, but did not dare to try. There is no OEM Unlock option in Developer Options in Android.
Btw: a 'getvar all' in fastboot will give the partitions and then crash. A hard reboot is needed and then a 'fastboot reboot'.
2.2) Can we extract (or even package) the firmware (PKG = EPK?) files given to us by Sony?
Binwalk seems to give us some, but it seems you need a specific (unknown?) key to extract all, or to (re)package. For some other device types there are hacktools to extract firmwares by Sony: epk2extract by OpenLGtv or the older fork, pk2extract by p0isk (for the same-chipset HiSense, LG, Philips etc.)!
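As an added example (not from the post, and not any of the tools linked above), the following Python script does the first-pass triage one would do before reaching for binwalk: look for well-known container magics and map the byte entropy of each block. Regions whose entropy sits near 8 bits/byte and contain no recognizable magic are exactly what an "unknown key" remark usually points at: either encrypted or already compressed, and a carver cannot do anything with them either way. The image it scans is constructed inline (a placeholder text header, a gzip member, then pseudo-random bytes standing in for an encrypted section); it assumes nothing about the real Sony PKG layout.

```python
"""Triage an opaque firmware image: find known container magics and map
per-block byte entropy, so plain, compressed and likely-encrypted regions
can be told apart before carving.

Added example, not from the original post or any Sony tool. The image it
scans is constructed inline and is not a real PKG file.
"""
import gzip
import math
import random
from collections import Counter

# Magic bytes of containers commonly found inside TV firmware (public, well-known values).
MAGICS = {
    b"\x1f\x8b\x08": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x7fELF": "ELF",
    b"ANDROID!": "Android boot image",
    b"UBI#": "UBI",
}

BLOCK = 4096


def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly random (typical of encryption or good compression)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_magics(blob):
    """Return [(offset, name)] for every known magic found, sorted by offset."""
    hits = []
    for magic, name in MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def entropy_map(blob, block=BLOCK):
    """Return [(offset, entropy, label)] per block; labels are heuristics, not proof."""
    out = []
    for off in range(0, len(blob), block):
        chunk = blob[off:off + block]
        e = shannon_entropy(chunk)
        if len(chunk) < 256:
            label = "short block (entropy not meaningful)"
        elif e > 7.9:
            label = "random-looking (encrypted or compressed)"
        elif e > 6.5:
            label = "compressed / binary code"
        else:
            label = "plain (text, padding, tables)"
        out.append((off, round(e, 2), label))
    return out


def build_sample_image():
    """Constructed test image: text header, a gzip member, then pseudo-random bytes.

    The random section stands in for an encrypted partition; the total is padded
    to exactly four blocks so every block in the map is full-size.
    """
    header = (b"SONY_PKG_PLACEHOLDER_HEADER version=5.457 region=EU\n" * 80)[:BLOCK]
    payload = gzip.compress(b"rootfs placeholder content " * 400)
    rng = random.Random(1)  # fixed seed keeps the demo deterministic
    encrypted = bytes(rng.getrandbits(8) for _ in range(3 * BLOCK - len(payload)))
    return header + payload + encrypted


def triage(blob):
    """Combine both views into one report dict."""
    return {"magics": find_magics(blob), "blocks": entropy_map(blob)}


if __name__ == "__main__":
    report = triage(build_sample_image())
    for off, name in report["magics"]:
        print(f"magic @0x{off:06x}: {name}")
    for off, e, label in report["blocks"]:
        print(f"block @0x{off:06x}: entropy {e:.2f}  {label}")
```

On a real image, replace `build_sample_image()` with the file contents and compare the two views: a gzip or squashfs magic sitting right at the start of a high-entropy run is compressed data you can extract; a high-entropy run with no magic anywhere near it is the part that binwalk will never unpack without the vendor's key.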
2.3) Is any of the hardware vulnerable? Like the MediaTek MT5890 (= MT5595 = ATV1) or Bluetooth chip/stack (using BlueBorne etc.)?
2.4) Can we use the serial method (RS-232C) using the mini jack (or VGA port) to connect and do some stuff?
2.5) Is Google (Chrome)Cast (this old 1.56.275391) vulnerable, or usable to do malicious stuff? Ports 8008, 8009, 8443 and 9000 are open. Maybe with altered sploits like HubCap or FlashCast etc. (Team Eureka & fail0verflow & GTVHacker)? We can influence it anyway by using tools like pychromecast etc.
2.6) Are Sony's own systems for streaming and remote connection vulnerable? See Links for Control by Serial/IP/HTML5.
2.7) Are any of the preinstalled apps vulnerable, like the Vewd browser (see links!) or any lib (see links!) etc.?
2.8) Do any of the closed-source one-click rooters (KingRoot/KingoRoot/One Click Root/Root Genius etc. etc.) work?
I will never try and do not trust rooters! It was mentioned by some users that King or Kingo works (own risk!).
2.9a) Is the so-called TVoodoo attack by Valerio Mulas (using a Rubber Ducky / Remote IR spoofer) a valid one, or just a fun idea to use ADB etc.?
2.9b) Can we use hidden/secret/extra IR codes (non-official) to do stuff? In other words, which keys of the IR matrix are mapped on any official remotes, and which ones are ALSO received/interpreted/useful?
2.10) Was the port 12345 (now closed) attack Nimue possible on our TV with older firmwares (seems only up to 2012)? And universals like Framaroot? Towelroot? BlueBorne? Etc.?
2.11) Is the p0isk kernel of any use for us/me?
2.12) Can we use exploits like within Metasploit? Any vulns/exploits for Android in general? Like the mp4 HEVC-fright PoC (CVE-2019-2107) or Janus PoC (CVE-2017-13156) (with e.g. an unsigned AmazonVideo.apk) or any Use-After-Free (UAF)? Must be, with such old hardware and software a few years old!?
2.13) Injection/escalation possible using the Sony Channel Editor software or 3rd party ChanSort or SDBeditor etc.? I remember another (Sony?) to be vulnerable to injection of chars/code into the channel list (sdb.xml) or so when (re-)importing to the TV (in Android or in Service Menu!)?
Service / Secret / Diagnostics Menu
Diagnostics menu: TV is off, then press in this order: i+ (or DISPLAY) > 5 > Volume DOWN > Power (on)
Service menu: TV is off, then press in this order: i+ (or DISPLAY) > 5 > Volume UP > Power (on)
Use numbers 1 and 4 to select item to adjust, and numbers 3 and 6 to adjust item (8 + 0/Enter will restore factory defaults). Then use Mute + 0/Enter to save (word Write will appear). Then turn TV off.
Other ATV with similar hardware
Bang & Olufsen BeoVision Horizon-40 (QM153E / bno_MT5593Uplus_EU)
HiSense (Vidaa TV)
Philips (and this one)
Sony Bravia (KD/KDL)
??? (you tell me!)
Links
BeoBuild Vision Hackathon by Labitat with lots of info (MT5890 ? MT5593)
WordPress - SmartTVHacking KDL-48R510C with MT5565 (? MT5880) (nice try, lots of info!)
XDA - Rooting MediaTek Based Linux Smart TV
XDA - Root on a Sony 65X8500G (via this very interesting Chinese post on Baidu)
TVoodoo attack by Valerio Mulas
AskVG - Service and Secret Menus
Sony - API/Dev info for Control by Serial/IP/HTML5
Sony - Source Codes for Devs (this/my KDL) !!!
Comprehensive List of Bravia Firmwares (via Bravia on Reddit)
GitHub - p0isk Kernel
GitHub - p0isk pkg2extract
ZeroDayInitiative - Vewd (browser < 4.11) sploit #1 (Pwn2Own) (test/find sploits in the Vewd Emulator 4.10 or 4.13 in a VM?) (CVE-2017-5030 PoC by Brendon Tiszka etc.)
ZeroDayInitiative - Vewd (browser < 4.11) sploit #2 (Pwn2Own)
GitHub - Team Eureka Google Chromecast (dongle) sploits