
Getting root on a Sony TV - Garbage
http://hackaday.com/2012/06/20/getting-root-on-a-sony-tv/
======
forgotusername
There is a similar project for LG TVs that doesn't require a bof, however
messing with these TVs puts you deep inside BrickVille territory with no money
for the cab ride home (no simple firmware recovery).

If you like the sound of tinkering with this stuff, buy a $70 Allwinner A10
stick and play with that. Consider it very cheap insurance for the $1000 TV
you're plugging it into (this is perhaps especially relevant to any household
with mid-teenage geeks running around). It's also worth noting that the boards
in these TVs tend to have very little RAM, and run slow, low power processors
(MIPS architecture for LG IIRC). Most of the interesting stuff is done in
hardware.

Finally, for LG TVs with the USB port labelled "service port", _do not touch_.
The port is missing protective circuitry and there are many documented cases
of the TV's internals being fried by connecting active devices.

~~~
CrazedGeek
(OT, but I'm worried now:) Would using the "service port" on an LG TV purely
as a powered USB port be a bad thing? (I've been using mine to power my
speakers.)

~~~
forgotusername
At a loss to find a single web page now that you ask. The stuff I read was
explicit about avoiding the TV's USB port unless it was specifically labelled
a USB port. The last time I saw this was a post on Reddit from someone who'd
killed their flatmate's TV via plugging stuff into the USB port, again an LG
TV.

Apologies for the total lack of references.

~~~
klausa
If we're thinking about the same thread on reddit, that would be it:

[http://www.reddit.com/r/AskReddit/comments/m16fd/i_kind_of_b...](http://www.reddit.com/r/AskReddit/comments/m16fd/i_kind_of_broke_my_friends_42_vizio_hdtv_someone)

Note that it was Vizio, not LG.

------
iuguy
I've been playing with my Samsung HT-C5500 blu-ray player and 7.1 sound system
that also runs Linux in my spare time (not that I've had a lot of spare time).
The firmware is xor-ciphered, but once you get past that it's similar to a FAT
filesystem, but is in fact modified so you can't write to it and reassemble
the firmware easily (I have an action to set up a VM with the ported RFS
filesystem[1]).

My goal is to get a decent shell on that, then when I replace my TV later this
year, root that and do some testing on HEC (HDMI Ethernet Channel) from inside
an OS. There was some interesting research presented by Andy Davis of NGS at
BHEU 12 earlier this year[2].

The scope for backdooring smart TVs is immense. These things are being used
for video conferencing in businesses, as well as in homes and people aren't
checking them out to make sure they're not being used to get access to
networks, or to bug rooms. Hopefully I'll have something ready in time for
BSides London[3] next year.

[1] -
[http://wiki.samygo.tv/index.php5/RFS_file_system_support_for...](http://wiki.samygo.tv/index.php5/RFS_file_system_support_for_linux)

[2] - <http://www.youtube.com/watch?v=3TuCrd8Kvus>

[3] - <http://www.securitybsides.org.uk/>

------
ldite
Anyone who's tried this know if it's possible to extract the keys for the
device's CI+ certificate? If so it's a bit of a loophole in the DRM...

(Ref; <http://en.wikipedia.org/wiki/CI+> )

------
JonnieCache
Interesting that it relies on a default password: "gemstar"

I knew I'd heard that name before associated with TVs, and it turns out they
are a licensor of "interactive program guide technology to multichannel
operators, such as cable and satellite television providers, and consumer
electronics manufacturers." Maybe it was their code which is responsible?

Apparently they were bought by Macrovision, a name which I'm sure brings back
as many happy memories of Chinese-made "video stabiliser devices" for many of
you as it does for me.

EDIT: this speculation is backed by line 208 of the sploit:

    raise ExploitException('Guide did not accept password!')

------
bni
Interesting that these Sony TVs run Linux. The Panasonic Viera line runs a
version of FreeBSD.

I wonder if it's possible to run programs such as XBMC on these embedded
systems and make it output the picture to the TV screen. I mean it's one thing
to run some command line binaries, another thing to actually share the screen
with the other software on the TV, like its menus.

Maybe connecting a HDMI cable from a port on the TV back to itself, on another
port would work?

~~~
cicloid
Probably not, most of these devices are old school embedded systems, doing
most of the decoding via HW with slow processors, so, many fancy things like
XBMC are very out of the scope.

Probably in the next couple years, doing NNTP, bittorrent, xbmc inside our tv,
could be a reality, now, not so much.

------
veb
Wee bit OT...

I might be weird in this regard, but I've got a Samsung SMART TV, and well,
the interface reminds me _so_ much of what the Internet used to be like in the
late 90s, early 00s... I've been waiting for the day someone comes and
changes it all.

Perhaps it'll be a hacker, hacking their TV, putting on their own firmware.
That's the best kind of success.

~~~
VMG
All I want on my SMART TV is to set local channel numbers in my personal
favorites. Currently setting a channel number changes it in _all_ favorite
lists.

Huge step back from my 10 year old sat receiver.

------
simfoo
Mildly OT, but that script is a great example to show how beautiful python
code can be - so clean!

Link: <https://github.com/CFSworks/nimue/blob/master/nimue.py>

------
gouranga
My 26ex320 got a software update last night. I reckon that it's a fix for this
exploit.

The annoying thing is that this update pops up and yet we can't get 4od in the
UK still and Sony just don't seem to care about the users.

------
leoh
Cool! But does anyone have a BusyBox binary to use? I'm having trouble
compiling BusyBox on Lion.

    ...coreutils/Config.in:7: missing end statement for this entry
    archival/Config.in:7: missing end statement for this entry
    Config.in:12: missing end statement for this entry
    make[1]: *** [config] Error 1
    make: *** [config] Error 2
    ...

~~~
mbreese
Have you thought about installing VirtualBox and then compiling it on a proper
Linux VM? That might be the easiest way to go...

------
sirlancer
This is the best 'feature' to come along for quite some time. Reading through
the comments turned up the "Samygo Project" aimed towards rooting Samsung
televisions. I can't be the only one who's longed to have a dumb terminal with
a big screen and lots of fancy inputs.

------
defdac
First open source routers running Linux. Next disruptive innovation: Open
Source Linux TVs?

~~~
mtgx
There's this:

<http://www.ubuntu.com/devices/tv>

And of course Google TV, but I don't think it will be open sourced until it
moves to ICS (probably after this I/O).

------
dbbolton
I'd be really interested in reading a comment-annotated version of the nimue
script.

~~~
webreac
The code is really easy to read. I think it is better to have such clear code
than to have long (and stupid) texts.

~~~
JonnieCache
It is indeed very nice and clear, but it would be very interesting to have a
line by line walkthrough for non-hackers who don't know what any of it is
doing.

Also these days there are probably even lots of professional programmers who
haven't heard of zmodem and the like.

------
nodata
Anyone know what kind of hardware a Bravia has under the hood?

------
gouranga
This is awesome. I'm going to try it later today :)

------
shellox
I think it's good that we are able to get root access to the devices now. It's
a positive development that we can control these devices. It could get really
popular if exploiting the TV gets easier for everybody and they could build an
active homebrew community around it.

