Are you an LG TV owner running webOS 4 or above and want to ”root LG TV’? If so, you’re in luck! This guide will walk you through the process of rooting your LG TV using the crashd vulnerability. This method is currently unpatched as of 2023-05-22, making it a viable option for TVs with webOS 4.0 or newer (2018 models and onwards).
If you have an older webOS version, don’t worry, we’ll explore alternative methods as well. Before we begin, please note that rooting your TV comes with certain risks, so it’s essential to understand the process and take full responsibility for any consequences.I would like to give a thumbs up to the user “thowaway96” on GITHUB for providing this helpful guide.
Step 1: Enable Developer Mode To start the rooting process.
You need to enable Developer Mode on your LG TV. Follow the instructions provided by LG to enable Developer Mode. If you encounter any issues, try rebooting your TV after setting the Dev Mode Status to ON. Remember, a reboot is required for the changes to take effect.
Step 2: Download Required Software Before proceeding further.
Ensure you have the necessary software tools:
- WebOS-Dev-Manager
- PuTTY
- Homebrew Channel IPK (Latest version, currently 0.6.3)
Step 3: Disable Quick Start+
Access the TV’s menu and locate the Quick Start+ option.
The exact location may vary depending on your webOS version. For example, on webOS 5, you can find it in All Settings > General > Additional Settings. On webOS 6 and 7, it is under All Settings > General > Devices > TV Management. Disable Quick Start+ to proceed.
Step 4: Reboot the TV
Perform a TV reboot by turning it off and then back on.
It’s important to ensure that Quick Start+ remains disabled. Note that OLED TVs might stay on for a while to run the Pixel Refresher, so unplug the TV to ensure a complete restart.
Step 5: Enable the Key Server
In the Developer Mode App
Launch the LG Developer Mode app on your TV and enable the Key Server. This step is necessary for the subsequent steps.
Step 6: Dev Manager Setup.
Open the Dev Manager tool and follow these steps:
- Click “+ Add Device.”
- Enter the IP address of your TV in the “Host Address” field.
- Enter the passphrase displayed on the LG Developer Mode app in the “Passphrase” field.
- Keep other settings at default and click “Add.”
- Click “Install” in the top right corner.
- Choose the Homebrew Channel IPK file.
- Ensure that the Homebrew Channel is successfully installed on your TV.
- Click on “Terminal.”
- Enter the following command into the terminal prompt: “echo lol>/media/developer/jail_app.conf”
- Note: You can copy and paste the command into recent versions of Dev Manager.
- There will be no output if the command is successful.
- Reboot the TV for the changes to take effect.
Step 7: Execute Commands in PuTTY Now.
Open PuTTY and perform the following steps:
- Enter your TV’s IP address in the “Host Name” field.
- Ensure that “Other” and “Telnet” are selected under “Connection type.”
- Click “Open” to establish a telnet connection with your TV.
- Execute the command: “
/media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service” to grant root permissions to Homebrew Channel. - Execute the command:
"rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled” to ensure that Developer Mode doesn’t expire after 48 hours. - Execute the command: “
rm /var/lib/webosbrew/startup.sh /mnt/lg/cmn_data/wam/extra_conf.sh” (only if you’ve used RootMyTV before).
Step 8: Uninstall Developer Mode App
Return to your TV’s home menu and uninstall the Developer Mode app. This step ensures a clean root and removes any unnecessary traces.
Step 9: Power Off the TV.
Turn off your TV completely and wait for a few seconds.
To ensure a clean start and finalize the rooting process, it’s important to power off your TV completely and perform a cold start. Follow these steps:
- Using your TV remote control, navigate to the power options menu.
- Select the power-off option and wait for your TV to completely shut down.
- Once the TV is powered off, unplug it from the power source.
- Wait for at least 30 seconds to ensure all residual power is drained from the TV.
- Plug the TV back into the power source.
- Press the power button on the TV or use the TV remote control to turn it on.
Performing a cold start helps ensure that all previous configurations and settings are reset, providing a clean slate for your rooted LG TV.
Step 10: Restart and Verify Root Status Power on your TV again.
Once it boots up, navigate to the Homebrew Channel. Verify that the “Root status” shows “ok.” If it does, congratulations! Your LG TV is successfully rooted.
Step 11: Turn on SSH (Optional)
If you want to enable SSH access to your TV, open the Homebrew Channel and navigate to its settings. Look for the option to turn on SSH, and once enabled, restart your TV to apply the changes.
Conclusion
Rooting an LG TV using the crashd vulnerability is an advanced procedure that allows you to gain full control over your device. However, it’s important to understand the risks involved and the potential consequences, such as voiding warranties and security vulnerabilities. Proceed with caution and take responsibility for any outcomes. Enjoy exploring the extended capabilities of your rooted LG TV!
Disclaimer: This guide is for informational purposes only. Rooting a device may void warranties, violate terms of service, and potentially introduce security risks. The author and publisher of this guide are not responsible for any damage, loss of functionality, or other issues that may occur during or after the rooting process.
FAQ ( Frequently Asked Questions)
General
How can I determine the version of webOS running on my device?
To find out the version of webOS you are running, you can access the menu by pressing the button with a gear icon on the remote control. The exact location of the version information within the menu may vary depending on your webOS version.
Alternatively, on some webOS versions like webOS 6, you can press the mute button three times rapidly to display the webOS major version along with the firmware version and model number. However, on webOS 7, this window does not include the “Platform” field.
For webOS 3.5, only the firmware version is shown.
To find the version number through the menu on webOS 6 or 7, follow these steps:
- Press the menu button on the remote control.
- Select “All Settings” from the menu.
- Choose “Devices” under the “General” section.
- Select “TV Management” and then “TV Information”.
- The webOS version can be found under “webOS TV Version”.
How can I find my TV’s IP address?
To find the IP address of your TV, go to the settings menu and navigate to the “Network” section. There you will find the IP address for each interface, including both the wired connection and Wi-Fi.
You can also verify the correct IP address for your TV by connecting to either http://<tv ip>:3000/ or https://<tv ip>:3001/ in a web browser. If the screen share/second screen/”LG Connect” feature is enabled, at least one of these ports should be open. Port 3000 should display a “Hello world” message, while port 3001 may show a certificate error.
How do I reboot the TV?
If your TV is already rooted, you can use the “System reboot” feature on the Homebrew Channel settings screen or run the reboot command via SSH or telnet. These methods work regardless of whether Quick Start+ is enabled.
If Quick Start+ is not enabled, turning off the TV (so that the red standby LED comes on) and then turning it back on is usually sufficient to reboot. However, OLED TVs might appear to be off when they are actually running the Pixel Refresher. To ensure the TV is actually off, you can unplug it. Unplugging the TV will also trigger a fresh boot when Quick Start+ is enabled.
While Rooting
Why am I getting a “No such file or directory” error?
If you encounter a “No such file or directory” error, it might be because LG has released a new developer mode jail configuration that does not mount the “/var/log/crashd” directory. To work around this issue, you can delete the “jail_app.conf” file located in “/media/developer” and reboot the TV. The exploit should then work as intended.
Why am I not seeing any output after running a command?
Some commands, such as “touch”, do not produce output when they execute successfully. If you do not see an error message, it means the command likely worked as expected.
Why am I unable to connect to telnet with PuTTY?
If you are experiencing difficulties connecting to telnet using PuTTY, ensure that your PuTTY configuration is correct. Select the “Other” connection type and choose “Telnet”. Set the port to 23 (the default for telnet) and make sure you are using the correct IP address for your TV.
To check if the exploit was successful, you can run the command “pgrep telnetd” in the Dev Manager terminal. If the telnet server is running, this command will output a number, which represents the process ID.
Rooting – Troubleshooting and Tips
Why am I getting a “No such file or directory” error?
As of January 26, 2023, LG has introduced a new developer mode jail configuration that doesn’t mount the “/var/log/crashd” directory. This may result in a “No such file or directory” error when running certain commands. However, you can delete the “jail_app.conf” file located in “/media/developer” and reboot your TV to allow the exploit to work. Please note that the latest Developer Mode app restricts the permissions of “/media/developer,” preventing the deletion of “jail_app.conf.” Nevertheless, you can overwrite the contents of the file to achieve the same result.
Why don’t I see any output after running a command?
Some commands, like “touch,” do not produce output when executed successfully. If you don’t see an error message, it’s likely that the command worked as intended.
Why am I unable to connect to telnet with PuTTY?
Ensure that your PuTTY configuration is accurate. Select “Other” and “Telnet” as the connection type, set the port to 23 (default for Telnet), and provide the correct IP address of your TV. You can verify if the exploit was successful by running the command “pgrep telnetd” in the Dev Manager terminal. If the telnet server is running, it will output a number (the process ID of the telnet server).
Why am I seeing LD_PRELOAD errors while rooting?
These errors occur because LG incorrectly set an environment variable. Although they are harmless, you can prevent them from appearing by running the following command:
unset LD_PRELOAD
Why isn’t telnetd starting?
To ensure the successful execution of the exploit, you need to accept certain EULAs. If the “touch” command is successful but telnetd doesn’t start, it may indicate that you haven’t accepted the necessary EULAs. Check if you have accepted the “Terms of Use” and “Privacy Policy” agreements by running the command:
webos6-eula
To access the EULA screen, follow the appropriate steps based on your webOS version. For webOS 6, press the menu button, navigate to All Settings > Support > Privacy & Terms > User Agreements.
How do I download the key for the developer mode SSH server?
To download the private key, “webos_rsa,” you need to enable the “Key Server” in the Developer Mode app. The key file will be available via HTTP on port 9991, and you can download it using a web browser by accessing “http://<TV IP>:9991/webos_rsa.” The webos_rsa file is encrypted, and you’ll need the 6-character passphrase displayed in the LG Developer Mode app to decrypt it.
Can I use something other than Dev Manager?
Yes, you can use the webOS CLI tools or any decent SSH client to run commands on the TV. The webOS CLI tools allow you to execute commands and install apps on webOS TVs. If you prefer an SSH client, you can use the OpenSSH ssh client or PuTTY to connect to the TV. Remember to convert the key file to PuTTY’s PPK format using PuTTYgen if you choose to use PuTTY.
How do I install an app from the command line?
App installation is triggered over the Luna bus using the luna-send-pub command. To install an app, make sure the IPK file is already on the TV. You can transfer files using SFTP. The Luna endpoint for installing developer mode apps is “luna://com.webos.appInstallService/dev/install.” You need to provide the app’s ID, IPK URL, and set the “subscribe” parameter to true. Here’s an example command to install an app:
luna-send-pub -i ‘luna://com.webos.appInstallService/dev/install‘ ‘{“id”:”com.ares.defaultName”,”ipkUrl”:”/tmp/app.ipk”,”subscribe”:true}’
During the installation process, you’ll receive multiple response messages indicating the status of the request. Press Ctrl+C to exit luna-send-pub after the installation is complete. Please note that developer mode apps are installed in a different location and are deleted when developer mode is disabled or expires.
After Rooting – Troubleshooting and Tips
Why do I still see update notifications after rooting?
The Homebrew Channel’s “Block system updates” option takes effect relatively late in the boot process, after the TV’s update program has started. To completely disable updates and prevent notifications, you can block the following domains on your router:
- snu.lge.com
- su.lge.com
- su-ssl.lge.com
- snu-ssl.lge.com
- snu-dev.lge.com
- su-dev.lge.com
- nsu.lge.com
Why doesn’t SSH (or telnet/other services) start at boot?
Please note that the autostart method used by Homebrew Channel 0.5.1+ on webOS 4.5+ requires accepting certain EULAs. The required EULAs may vary based on your region but are likely similar to the ones discussed in this section.
- For webOS 4.0–4.4: The autostart method is only compatible with webOS 4.5+. You can try using the webosbrew-autostart app as a workaround.
- For webOS 4.5–4.9: Homebrew Channel 0.5.1 has a bug that may prevent the automatic installation of the startup.sh file on webOS versions older than 5.0. This issue was fixed in Homebrew Channel 0.6.0. Alternatively, you can manually install the startup script using the following steps:
- Create the directory:
mkdir -p /var/lib/webosbrew - Copy the startup script:
cp /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/startup.sh /var/lib/webosbrew/startup.sh - Set permissions:
chmod 755 /var/lib/webosbrew/startup.sh - Set ownership:
chown root:root /var/lib/webosbrew/startup.sh
- Create the directory:
- For webOS 7/22: If you are using Homebrew Channel 0.5.1 on webOS 22 (internally, webOS 7), the included SSH server will not work. Homebrew Channel 0.6.0 and later versions include compatible binaries for webOS 22. If updating Homebrew Channel is not possible, you can find patched binaries in previous revisions of the guide.
Should I re-enable Quick Start+ after rooting?
Enabling Quick Start+ is a personal choice. However, keep in mind that with Quick Start+ enabled, turning off the TV will not completely shut it down. If you need to perform a proper reboot to ensure that startup scripts run, you can use the “System reboot” option in the Homebrew Channel settings page.
Can I update to a new firmware release?
In general, it is not recommended to update your firmware after rooting because LG may fix vulnerabilities used for rooting. However, as of now, the crashd vulnerability has not been patched, so you can retain root access during a firmware update with Homebrew Channel 0.5.1+ (unless your TV was rooted with RootMyTV or GetMeIn).
How do I perform a firmware downgrade?
LG has blocked firmware downgrades, even with “expert mode” enabled. Downgrades are only possible when an AccessUSB device is connected. These devices are hardware tokens that enable debug access and are typically provided to LG partners on a limited basis.
Can I update to a new webOS version?
While updating your firmware may increase the webOS minor version, it is not possible to update across major versions. For example, updating from 3.4 to 3.5+ or 4.4 to 4.5+ is not supported.
How do I disable automatic firmware updates?
The “Auto Update” setting can be found in the menu, but the steps to reach this setting vary across webOS versions. On webOS 6, you can press the menu button, choose “All Settings”, then go to “Support” and “Software Update”. The firmware version is also displayed in this menu.
Why are all my apps deleted after 48 hours (or after rebooting)?
If all your installed apps are being deleted after approximately 48 hours (due to the expiration of the development mode timer) or upon boot, it indicates that your TV is not properly rooted. The directory /var/luna/preferences/devmode_enabled, created during the rooting process, should prevent development mode apps from being deleted.
Avoid installing the LG developer mode app when rooted, as it can cause all apps to be removed. If you lose root access while the /var/luna/preferences/devmode_enabled directory exists, a factory reset may be required to make the developer mode app work again.
Why did I lose root after updating the Homebrew Channel app?
In webOS 7, LG made changes that cause the self-update feature of Homebrew Channel to fail in versions prior to 0.6.3. If you have webOS 22/7, do not update Homebrew Channel from within the app unless it is at least version 0.6.3. Updating Homebrew Channel using current versions of Dev Manager may also result in root access being lost. To update safely on webOS 7, you can use the Homebrew Channel Updater tool found in the default Homebrew Channel repo. Alternatively, you can update manually and run /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service via telnet/SSH after the update and before rebooting.
Why can’t I connect to my TV with Dev Manager after uninstalling the LG Developer Mode app?
The SSH server on port 9922 is provided by LG’s Developer Mode app, which is uninstalled during the rooting process. After rooting, you can enable Homebrew Channel’s SSH server, which uses port 22. To connect using Dev Manager, you’ll need to reconfigure it to use the new SSH server and update the login credentials. The easiest way is to add a new device within Dev Manager, providing the necessary details.
How do I determine what SoC my TV has?
The name of the System on Chip (SoC) can be found in the Instart menu next to “Chip Type”. Alternatively, you can run the command nyx-cmd DeviceInfo query device_name. The same information can also be found in the file /var/run/nyx/device_info.json, which is created at boot based on the output of nyx-cmd.
Note: This guide specifically applies to LG TVs running webOS 4 and above, which are currently unpatched as of May 22, 2023. Please ensure that your TV meets the requirements before proceeding. For TVs running older versions of webOS, alternative methods are available but not covered in this guide.
Is my TV vulnerable to this rooting method?
This rooting method works on webOS 4 and above, which includes TVs released in 2018 or later. If you are unsure about your TV’s webOS version, refer to the vulnerability list provided for certain SoCs in the “RootMyTV” and “GetMeIn” options mentioned below. It’s important to note that firmware released since mid-2022 may not be vulnerable.
What are the alternative options for older versions of webOS?
For older versions of webOS, there are a few alternative options available:
RootMyTV: This method relies on firmware vulnerabilities and is suitable for certain SoCs. Refer to the provided list to determine if your TV is vulnerable.
GetMeIn: This method works on specific SoCs, possibly limited to Realtek. It has been tested on webOS 2.2 and 3.4.2. However, using GetMeIn may result in the removal of apps on webOS versions where RootMyTV is patched. More details can be found in the mentioned RootMyTV document.
Modifying debugstatus in the NVM: This method involves physically accessing your TV and manipulating an EEPROM IC to enable debug mode. It requires spawning a root shell to permanently enable developer mode and install/elevate the Homebrew Channel.
Please note that these alternative options have their own requirements and risks, so thorough research and understanding of the process are necessary before proceeding.
How can I determine if a specific firmware version is vulnerable?
As firmware vulnerabilities can vary, it is challenging to provide specific vulnerability information for each version. It’s recommended to consult the provided document and keep an eye on LG’s firmware updates for any patches. The document will be updated accordingly. Additionally, ensure you have the corresponding model number for a firmware version to accurately assess its vulnerability.
It’s essential to emphasize that users should take responsibility for their actions and understand the risks involved. If you encounter any issues, refer to the FAQ section below and thoroughly review this guide. Providing specific webOS and firmware/software versions will be helpful if seeking assistance.
Can I use other telnet clients or SSH tools instead of Dev Manager or PuTTY?
Absolutely! While this guide primarily mentions Dev Manager and PuTTY, you can use any telnet client or SSH tool of your choice. LG’s CLI tools or various SSH clients are viable alternatives. Although complete instructions are not provided in this guide, you can find hints and information on the webOSbrew site. It’s important to note that the instructions may differ based on the tool you choose to use.
What should I do if I encounter issues during the process?
If you encounter any difficulties while following the steps, this guide and the FAQ section, particularly the Rooting questions, should provide solutions for most problems. Make sure to refer to the FAQ and the instructions thoroughly. When seeking help, ensure you know both the webOS version and firmware/software versions of your TV, as this information will be crucial in troubleshooting.
Please note that although the risk of permanent damage to your TV is relatively low, you assume responsibility for any issues that may arise during the rooting process.
Remember, it is highly recommended to conduct your own research and have a clear understanding of the process before proceeding. Only proceed if you fully comprehend the actions you are taking.
Pingback: How to Install Third Party Apps on LG Smart TV WEBOS - Techkyskills 2023