Results 1 to 11 of 11
Like Tree19Likes
  • 16 Post By rwhitby
  • 2 Post By dkirker
  • 1 Post By Pilotovef
  1.    #1  
    A source informs us that instructions have been published on gaining root access to a webOS TV. This is much harder than on the old phones and tablets. When this was done on legacy webOS, there was a wave of enhancements and tweaks made available to phone users from webOS Internals and other developers.


    NOTE: As stated in the article and original thread, this has the potential to brick your TV and void your warranty, which given the prices of the higher end TVs, could prove extremely expensive. Do not try this unless you are very sure of what you are doing and at your own risk.
    Last edited by Preemptive; 11/22/2017 at 01:17 PM.
  2. #2  
    I've done an analysis of the root access method described at ...

    Disclaimer: I do not have a webOS TV and have not attemped or verified these steps.

    There are 12 steps to the procedure:

    Steps 1, 2 and 3 are all about setting up a developer account, installing a Developer Mode application on your device, enabling Dev Mode Status and Key Server switches, and gaining SSH developer access to your device.

    Step 4 involves downloading a file from - you should be wary of downloading executables from random sites and executing them on your device.

    Steps 5 through 7 detail how to get this file onto your device.

    Steps 8 through 12 are running the script and getting the root shell.

    So, let's look at things in more detail ...

    The downloaded file is a shell script containing an embedded binary archive:
    match=$(grep -n '^PAYLOAD:$' $0 | cut -d ':' -f 1)
    payload_start=$((match + 1))
    if [[ $binary -ne 0 ]]; then
            tail -n +$payload_start $0 | tar -xzvf - > /dev/null
    chmod +x *
    rm firstg
    rm secstg
    rm su
    rm rep
    exit 0
    <... lots of binary encoded data ...>
    The way to extract the archive is to cut all of the data after the PAYLOAD: line, and insert it into a file with a .tar.gz extension.

    Here is the contents of the archive:
    $ tar ztvf ~/Downloads/6937580_root.tar.gz 
    drwxrwxrwx  0 root   root        0 Jul 28 16:21 ./
    -rwxrwxrwx  0 5482   5000      168 Jul 28 15:20 ./rep
    -rwxrwxrwx  0 5482   5000      416 Jul 28 15:35 ./
    -rwxrwxrwx  0 5482   5000    39987 Jul 28 15:19 ./secstg
    -rwxrwxrwx  0 5482   5000    11052 Jul 28 15:24 ./su
    -rwxrwxrwx  0 5482   5000    16236 Jul 28 15:19 ./firstg
    Let's look at each file individually:
    • - a shell script which sequences the rooting procedure
    • firstg - a binary executable
    • rep - a shell script which copies the su executable from /var/palm/jail/com.palm.devmode.openssh/media/developer/su to /dev/shm/test/su and changes ownership of the su executable to root
    • secstg - a binary executable
    • su - looks like the standard su program from busybox

    Let's take a deeper look at
    echo "first stage"
    ./firstg /usr/bin/ApplicationInstallerUtility rep > /dev/null 2>&1
    sleep 2
    echo "second stage"
    ./secstg > /dev/null 2>&1
    sleep 2
    echo "third stage - "
    echo "try install any app from market"
    echo "wait..."
    while [ ! -f /dev/shm/test/su ]
      sleep 2
      echo "try install any app from market"
    sleep 1
    echo "third stage ok"
    echo "try get root - input password 1111"
    The firstg binary contains the following interesting strings:
    usage: dirtyc0w target_file new_content
    GCC: (crosstool-NG linaro-1.13.1+bzr2709 - Linaro GCC 2014.11) 4.9.3 20141031 (prerelease)
    GNU C 4.9.3 20141031 (prerelease) -march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mlittle-endian -mtune=cortex-a9 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
    The dirtyc0w program name referenced in the usage string indicates that this is Dirty COW (CVE-2016-5195), a privilege escalation vulnerability in the Linux Kernel. See for more details on Dirty Cow.

    So firstg seems to be the canned exploit found at and the intent of the firstg call is to insert the contents of the rep script into the /usr/bin/ApplicationInstallerUtility binary.

    So let's look at the rep script:
    mkdir /dev/shm/test
    cp /var/palm/jail/com.palm.devmode.openssh/media/developer/su /dev/shm/test/
    chown root:root /dev/shm/test/su
    chmod u+s /dev/shm/test/su
    This takes the su binary which was unpacked in the openssh jail /media/developer directory, and places it in /dev/shm/test/ with root privileges.

    The secstg binary contains the following interesting strings:
    $ strings secstg 
     [-s] [-n] | [-h]
     -s  open directly a shell, if the exploit is successful;
     -n  combined with -s, doesn't restore the passwd file.
     -h  print this synopsis;
     If no param is specified, the program modifies the passwd file and exits.
     A copy of the passwd file will be create in the current directory as .ssh_bak
     (unprivileged user), if no parameter or -n is specified.
    Password overridden to: 
    Root password is:   
    Enjoy! :-)
    GNU C 4.9.4 20151028 (prerelease) -march=armv7-a -mtune=cortex-a9 -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
    So secstg seems to be the canned exploit found at and the intent of the secstg call is to change the root password to "1111".

    The rest of the script then asks the user to install any application (which then causes the modified /usr/bin/ApplicationInstallerUtility binary to be called, which copies the su binary to a shared location accessible by the script, gives it root privileges and then executes it. The user then provides the new root password and is presented with a root shell.

    -- Rod
    Last edited by rwhitby; 08/12/2017 at 09:56 PM.
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ if you find our work useful.
    All donations go back into development.
  3. #3  
    I'm from I've root on TV for a while and can help you with translation or testing on LG webOS 1.4.
  4. #4  
    Quite interesting! Thanks for the analysis, Rod! (Also, nice to still see you around. )
    Did you know:

    webOS ran on a Treo 800 during initial development.
    hfGermany and gazaud like this.
  5. ashi's Avatar
    203 Posts
    Global Posts
    204 Global Posts
    Nice, I just ordered a 49" LG with WebOS. I don't know what I'll be able to tweak if anything, but rooting it sounds fun.
  6. #6  

    I want to install applications outside the store lg
  7. #7  
    Article how to use root to add Samba support in webOS:
  8. #8  
  9. Zibri's Avatar
    4 Posts
    Global Posts
    6 Global Posts
    Soon there will be news.
    Last edited by Zibri; 02/11/2018 at 12:56 AM.
  10. #10  
    New webOS TV root method is posted on xda deevelopers:
  11. #11  
    New simple method for rooting LG 2018-2021 TV's with webOS 4.0-5.0:
    Additional "features" opened: direct installing of *.ipk to TV, auto loading any app on TV startup, blocking autoupdates of firmware etc...
    codepoet80 likes this.

Similar Threads

  1. pivotce: LuneOS July Stable Release: Cortado
    By webOS Ports in forum LuneOS
    Replies: 18
    Last Post: 08/07/2018, 02:28 PM
  2. Replies: 0
    Last Post: 08/11/2017, 09:35 AM
  3. Replies: 0
    Last Post: 08/10/2017, 12:13 AM
  4. SlingTV app WebOS 3.0 - How-To or instructions?
    By elkcaps in forum LG webOS TV
    Replies: 0
    Last Post: 08/02/2017, 10:16 AM
  5. Migrating from pre3/webOS to Android - need help
    By dreamseekeroo in forum HP Pre 3
    Replies: 2
    Last Post: 07/23/2017, 08:04 PM

Posting Permissions