
GetMeIn : One time rooting/jailbreaking tool for webOS LG TV's

Hello XDA,

After long thinking I've decided to create a root or jailbreak tool for LG's awesome webOS. Today I am starting this thread to release this new root tool, but before that I am gonna ask you for some logs from webOS 3.5 and lower.

Everyone in this thread must know about webOS; if not, do your homework then get back again. LG did great work on this operating system after HP's and Palm's versions. They even supported Raspberry Pi module B, but webOS OSE, aka Open Source Edition, is really different from the TV version.

LG thinks about security and frequently releases updates that don't have anything new except some patches to close down known holes. One of my favorites was a directory traversal that can replace in-TV files and binaries during install (partially closed recently).

Let's take a look at LG's partition filesystem types. On TVs they choose to use ext4 for writable partitions (/var, some of /mnt/lg/*, /home and /media); everything else uses squashfs, which is a read-only compressed filesystem you cannot modify.

If you can dump the squashfs partition, unsquash it, then recompress, you will face another problem of hashes and CRC checks (check out the update binary for more details) if you dd it back to the block device without kernel and/or bootloader patches. So this is not gonna just work easily.

What we can really do is play on the RW parts of the system. One of the design flaws in webOS is the devmode, aka Developer Mode: they ship it in a read-write partition, so it's easy to modify.

To do that you must have root access or some powerful exploits to achieve your goal.

This method uses a memory access vulnerability to get root and then jailbreak the TV. I ported some parts of the other root thread even if some are not even needed.

To jailbreak, connect to your TV via the prisoner user after uploading the GetMeIn binary to it, then:

Code:
chmod +x GetMeIn
./GetMeIn

If root succeeds and you see some errors, do this:

Code:
mkdir -p /media/cryptofs/root/etc
mkdir -p /media/cryptofs/root/lib

After that just reboot and enjoy your root with the same ssh key, or use password "alpine".

There are some old pictures attached; I did some modifications after those.

Hope this is good enough.
Attached Files: GetMeIn.zip (436.9 KB, 3638 views)
The Following 43 Users Say Thank You to Maroc-OS For This Useful Post
9th January 2019, 12:35 AM |#2  
Maroc-OS's Avatar
OP Retired Recognized Developer
HOW-TO
To use this GetMeIn webOS jailbreak tool, please create a developer account on LG's developer portal, install the Developer Mode application on your TV and connect with your recently created account.

Open the Dev Mode app and set the Dev Mode Status to ON and Key Server to ON.

Grab your ssh key with ares, then connect to your TV using ssh:

Code:
ssh -i ~/.ssh/webOS_TV prisoner@<TV_IP> -p 9922

When you get connected, just follow the steps in the thread.

Please test and share back screenshots and logs from the TV in both cases, failure or success.

I need information from your webOS v3.5 and lower: TV model, webOS version and the output of some commands from the TV.

Okay, first of all create a dir named logs:

Code:
mkdir logs

TV info:

Code:
cat /var/run/nyx/device_info.json > logs/device_info.json

(delete your nduid serial number and MAC addresses)

webOS info:

Code:
cat /var/run/nyx/os_info.json > logs/os_info.json
Code:
cat /proc/cpuinfo > logs/cpu.log
Code:
ls -arls /var/log/ > logs/logdir.log
Code:
ls -arls /usr/lib/ > logs/libsdir.log
Code:
ls -arls /proc/ > logs/procdir.log
Code:
ls -arls /dev/ > logs/devices.log

In case the jailbreak works, restart and run this additional command:

Code:
mount > logs/mounts.log

I think that's everything I need. Upload the logs dir somewhere and put a link here.
The Following 7 Users Say Thank You to Maroc-OS For This Useful Post
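
The redaction step requested in the post above (removing the nduid, serial number and MAC addresses from device_info.json before sharing the logs) can be scripted on the workstation. This is an added example, not part of the original posts or of the GetMeIn tool; the key-name patterns and the sample JSON are assumptions, since the thread does not show the file's contents.

```python
import json
import re

# Key-name fragments treated as identifying. These are assumptions: the post
# only says to delete the nduid, serial number and MAC addresses.
SENSITIVE_KEY = re.compile(r"nduid|serial|(?<![a-z])mac(?![a-z])|addr", re.IGNORECASE)
# MAC address in colon- or dash-separated form, anywhere inside a string value.
MAC_VALUE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
PLACEHOLDER = "REDACTED"


def redact(node, key=""):
    """Return a copy of a parsed JSON value with identifying data replaced."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, key) for v in node]
    # A scalar stored under an identifying key is replaced whole.
    if SENSITIVE_KEY.search(key) and node not in (None, ""):
        return PLACEHOLDER
    # Any other string is still scanned for embedded MAC addresses.
    if isinstance(node, str):
        return MAC_VALUE.sub(PLACEHOLDER, node)
    return node


def redact_json_text(text):
    """Redact a JSON document given as text; returns pretty-printed JSON."""
    return json.dumps(redact(json.loads(text)), indent=4, sort_keys=True)


# Constructed sample, not real device data; the key names are illustrative.
SAMPLE = """{
    "device_name": "webOS TV",
    "nduid": "0000000000000000000000000000000000000000",
    "serial_number": "000XXXX00000",
    "wired_addr": "02:00:00:aa:bb:cc",
    "network": {"note": "wifi 02-00-00-11-22-33 seen",
                "macs": ["02:00:00:dd:ee:ff"]}
}"""

if __name__ == "__main__":
    print(redact_json_text(SAMPLE))
```

Review the output by eye before uploading: a field the patterns do not anticipate will pass through unchanged.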
9th January 2019, 01:53 AM |#4  
MishaalRahman's Avatar
Editor in Chief
So this only works on webOS 3.5 and below?
9th January 2019, 02:02 AM |#5  
Maroc-OS's Avatar
OP Retired Recognized Developer
Quote:
Originally Posted by MishaalRahman

So this only works on webOS 3.5 and below?

That's what I think, yes, but you can test.

MishaalRahman, it's confirmed; also some lower versions are not supported, like 3.3.3.

BTW, can you check your PM?
The Following User Says Thank You to Maroc-OS For This Useful Post
10th January 2019, 09:17 PM |#6  
Member
Hi,

unfortunately it does not work for me, I get the following output:

Code:
---------------------------------------------------------------
 MerrukTechnolog < webOS privelage escalation (www.merruk.com) 
---------------------------------------------------------------

GetMeIn: #* Opening memory IO!

GetMeIn: #! Cannot map memory data!
---------------------------------------------------------------

I already posted some logs of my LG OLED55B7D (05.80.15) in the other thread:
https://www.dropbox.com/s/ie5ix8vtsc...80_15.zip?dl=0

Maybe some of this helps to improve your script.
The Following User Says Thank You to blenni For This Useful Post
11th January 2019, 01:41 AM |#7  
Maroc-OS's Avatar
OP Retired Recognized Developer
Quote:
Originally Posted by blenni

Hi,

unfortunately it does not work for me, I get the following output:

Code:
---------------------------------------------------------------
 MerrukTechnolog < webOS privelage escalation (www.merruk.com) 
---------------------------------------------------------------

GetMeIn: #* Opening memory IO!

GetMeIn: #! Cannot map memory data!
---------------------------------------------------------------

I already posted some logs of my LG OLED55B7D (05.80.15) in the other thread:
https://www.dropbox.com/s/ie5ix8vtsc...80_15.zip?dl=0

Maybe some of this helps to improve your script.

Your version is not supported by this tool; you have webOS 3.8 unfortunately, and I really cannot help without access to a TV with the new API version, and I will need testers for newer devices.
The Following User Says Thank You to Maroc-OS For This Useful Post
13th January 2019, 09:08 PM |#8  
Junior Member
@Maroc-OS
webOS has web socket endpoints to control the TV, like

Code:
ssap://tv/getChannelList

After rooting the TV, is it possible to find out all the available endpoints on the TV? LG unfortunately has absolutely no documentation about it except the endpoints in the examples they provide.
If it is not too much work, could you please provide a list of all the available endpoints? I guess those need to be defined somewhere in a config file...
14th January 2019, 06:54 PM |#9  
Junior Member
LG OLED65G6V
Code:
/media/developer$ uname -a
Linux LGwebOSTV 3.16.7-77.deua.4 #1 SMP PREEMPT Thu Jun 21 17:26:37 KST 2018 armv7l GNU/Linux
/media/developer$ ./GetMeIn
---------------------------------------------------------------
 MerrukTechnolog < webOS privelage escalation (www.merruk.com) 
---------------------------------------------------------------

GetMeIn: #* Opening memory IO!

GetMeIn: #! Cannot map memory data!
---------------------------------------------------------------

/media/developer$ cat /var/run/nyx/os_info.json
{
    "core_os_kernel_version": "3.16.7-77.deua.4",
    "core_os_name": "Rockhopper",
    "core_os_release": "3.3.3-3807",
    "core_os_release_codename": "dreadlocks-dharug",
    "encryption_key_type": "prodkey",
    "webos_api_version": "4.1.0",
    "webos_build_datetime": "20180621081934",
    "webos_build_id": "3807",
    "webos_imagename": "starfish-dvb-secured",
    "webos_manufacturing_version": "05.30.25",
    "webos_name": "webOS TV",
    "webos_prerelease": "",
    "webos_release": "3.3.3",
    "webos_release_codename": "dreadlocks-dharug"
}

If I can be of any help to get this working on LG's 2016 OLED models gladly I would help...
Attached Files: logs_OLED65G6V.zip (14.4 KB, 132 views)
14th January 2019, 07:30 PM |#10  
Thank you for this awesomely fun opportunity to get into my panel! While I understand this is in its infancy, would you know a way of downgrading the OS version? (I'm on 4.x.x.x)

I hope sideload and extract creds in the best future. Thank you once again for the time and sharing of this. 🙏
14th January 2019, 11:32 PM |#11  
Senior Member
What would be a good reason to root a smart tv? What can I do afterward?
The Following 13 Users Say Thank You to lucaterpirla For This Useful Post