I'm not going to be maintaining this document anymore. I'm leaving it as-is since much of the FAQ section is still accurate and has yet to be incorporated into other resources.
Use CanI.RootMy.TV to find an exploit for your TV.
See dejavuln-autoroot for a simpler exploit that works on webOS 3.5+ TVs (i.e., models from 2017 and later). It is unpatched as of 2024-04-21 and does not require Developer Mode or even a network connection—just a USB drive.
Otherwise:
- If you have a webOS 5–8 TV with old enough firmware, WTA (which does not require Dev Mode) will still work.
- If you have a webOS 4.x TV, you can also try CVE-2023-6319, which is unpatched on the latest (final?) firmware for webOS 4.0 (2018) models.
- While there will eventually be fully software-based exploits released for older models, they can currently be rooted via NVM.
If you have a 2024 webOS TV (webOS 24/9), please contact us on Discord.
Warning
The current Dev Mode app prevents exploitation even on vulnerable firmware.
Since approximately 2024-04-02, the latest LG Dev Mode app (2.1.2 in the Content Store) copies and resets the permissions of jail_app.conf
/jail_app.conf.sig
on every boot. Therefore, jailpatch.sh
etc. will no longer work, making creating files in /var/log/crashd
impossible. It's not worth releasing a workaround, as the only models that haven't received patches removing clouduploadd
have other vulnerabilities that do not require Dev Mode.
Important
Firmware that removes the vulnerability has been released for almost all models from 2019 and later.
LG has released firmware without clouduploadd
—which contains the underlying vulnerability exploited in this guide—for nearly all webOS 4.5+ models. (No idea what's going on with LM21AN/W22A.) At this point, it looks like webOS 4.0 will not be patched.
Note: The information in this table is only useful if you somehow have an old version of the Dev Mode app installed and/or a method of exploiting clouduploadd
that does not require writing to /var/log/crashd
.
The first known patched firmware version for each OTAID is shown in the table below. Note that firmware versions for each OTAID should be considered separately.
How to use the table
- Get your TV's OTAID. The OTAID identifies what firmware your TV uses. As an example, the OTAID used by most 2023 OLEDs is
HE_DTV_W23O_AFABATAA
. - Note the four-character section in the middle of the OTAID. It will start with "W" (unless your TV was not made by LG, in which case it will start with "C"). Next will be the last 2 digits of the year the model was released, followed by a letter identifying the SoC. For the example OTAID above, this would be
W23O
. - Find the row in the table that matches your OTAID and note the versions shown. For the example
W23O
, 03.30.60 is listed as both the first prerelease and release version to be patched. - Find your TV's firmware version. LG refers to it as the "software version". It is available in the section of the settings menu where you can disable automatic updates. It may also be displayed on the hidden menu accessible by pressing the mute button three times. For the sake of our example, say it is 03.30.70.
- Compare your firmware version with the ones listed in the table. If your firmware version is equal to or higher than either of the versions in the table, it is patched. For the above example, 03.30.70 is newer than 03.30.60, so the firmware is patched.
If your TV is running patched firmware, you will not be able to root it with this guide.
Notes: You should not have a prerelease firmware version unless you changed the NSU Mode in the Instart menu (which is generally not recommended). However, the table may be incomplete or out of date. Therefore if you have a release version that is newer than the prerelease version in the table, you should still assume it is patched (even if no release version is listed).
OTAID | First patched in | |
---|---|---|
Prerelease | Release | |
W23A | 03.20.61 | 03.20.61 |
W23H | 03.30.60 | 03.30.77 |
W23M | 03.30.85 | 03.30.85 |
W23O | 03.30.60 | 03.30.60 |
W23P | 03.30.60 | 03.30.76 |
W22A | 04.41.10 | – |
W22H | 04.40.75 13.30.13 | 04.40.75 |
W22L | 04.40.85 | 04.40.90 |
W22O | 04.40.80 13.30.15 | 04.40.90 |
W22P | 04.40.75 | 04.40.85 |
C22H | 04.40.75 | 03.34.40 |
C22P | 04.41.00 | 03.34.40 |
N21D | <03.43.11 | <03.43.11 |
W21A | 03.40.80 | 03.40.80 |
W21K | 03.40.85 | 03.40.85 |
W21O | 03.40.85 | 03.40.85 |
W21P | 03.40.80 | 03.40.80 |
W21U | 03.40.80 | 03.40.80 |
W20H | 04.50.56 | 04.50.56 |
W20L | 04.50.56 | 04.50.56 |
W20O | 04.50.56 | 04.50.56 |
W20P | 04.50.56 | 04.50.56 |
C20P | 04.50.61 | 04.50.61 |
W19H | 05.40.20 | 05.40.20 |
W19O | 05.30.45 | 05.30.45 |
W19P | 05.40.20 | 05.40.20 |
W19R | 05.40.20 | 05.40.20 |
W18A | – | – |
W18H | – | – |
W18M | – | – |
W18O | – | – |
W18R | – | – |
Note: There are many models that we are unable to provide patch information for, but you may be able to help. Please contact us via Discord if you have a TV with an OTAID containing W22K, C22L, N22D, W23K, or W23L.
THIS ONLY WORKS ON webOS 4+!
This guide explains how to root an LG TV using a vulnerability in crashd
. It works on webOS 4 and above, but patched firmware is gradually being rolled out. This means that if your TV is not running at least webOS 4.0 (i.e., it is a 2018 model or newer), it is not vulnerable. If you are running an older version of webOS, your options are:
- RootMyTV — Firmware released since roughly mid-2022 is probably not vulnerable. This document lists vulnerable versions for certain SoCs.
GetMeIn— No longer recommended. It only ever worked on certain combinations of SoCs and webOS versions. You would have to modifyjail_app.conf
to get access to/dev/mem
, which is no longer possible since version 2.1.2 of the Dev Mode app. Thegetmein
binary from the XDA thread is dangerous, as it automatically modifiesstart-devmode.sh
in ways that can cause semi-permanent damage to your TV that will not be fixable with a factory reset. Additionally, it will result in apps being removed on webOS versions that have RootMyTV patched.- modifying debugstatus in the NVM — Involves opening your TV and directly accessing the an EEPROM IC. After enabling debug mode, you'll need to spawn a root shell and use it to permanently enable developer mode and install/elevate Homebrew Channel.
Please don't ask me whether a specific firmware version is vulnerable. First, I probably don't know. Second, I'll update this document if LG starts releasing patched firmware. See the News section above. Also note that a firmware version without the corresponding model number is practically meaningless.
It is recommended that anyone attempting this procedure do their own research in order to understand how the process works. In general, unless you understand exactly why you're doing something, you shouldn't do it. While there is relatively low risk of permanent damage to your TV, you're ultimately responsible if anything goes wrong.
This guide assumes you're working from a desktop PC, although the same process can be performed from a smartphone. Where PuTTY is used in this guide, any telnet client will work. You can also use LG's CLI tools or any SSH client instead of the Dev Manager program, although complete instructions for those are not (yet) provided. (There are some hints, though.)
If you have trouble with any of these steps, the solution is probably somewhere in this document. Basically everything that can go wrong is discussed in the FAQ section below (in particular the Rooting questions). If you're going to ask for help, make sure you know both the webOS and firmware/"software" versions. Also, if you are going to ask about a specific firmware version, please provide an OTAID so people can know what you're talking about.
- This will only work on webOS 4+.
- You can copy and paste commands into recent versions of Dev Manager.
- For many commands (e.g.,
touch
,mkdir
,rm
), there will be no output if the command is successful. The prompt (>
) in Dev Manager will be blue after a successful command and red after an error. - The commands involved in this process should complete more or less instantly. If it hasn't completed after 30 seconds, cancel it and try again.
- Use the latest version of Dev Manager and Homebrew Channel.
- Make sure Quick Start+ is disabled for rebooting to be effective.
- OLEDs may have to be unplugged to properly reboot, as they can remain on for a while despite appearing to be off.
-
Read this guide. Seriously. Especially the introduction above. Check the table at the top of this document to see if your firmware is patched. If your TV is already rooted, do not continue; you will lose root. If you have issues, look at the tips and FAQ before asking any questions. If your TV runs webOS 1, 2, or 3, stop now and read the introduction.
-
Enable Developer Mode on the TV: See this guide from LG. If you have trouble (e.g., not getting the prompt to sign in), try rebooting. (You can ignore the "UPDATE NOTICE" about needing to install webOS TV CLI v1.12.4 or later.) A reboot is required after setting Dev Mode Status to ON. The Developer Mode app should look something like this:
-
Download and install the following software on your PC:
- WebOS-Dev-Manager - Use the latest version (1.13.3 as of 2024-04-21), or you will have problems.
- PuTTY
Download the following file to your PC:
- Homebrew Channel IPK - Use the latest version (0.6.3 as of 2024-04-21).
-
Disable Quick Start+ on the TV. This is in the menu, but its exact location depends on the webOS version. For example, on webOS 5, after pressing the menu button on the remote, it can be found in All Settings > General > Additional Settings. On webOS 6 and 7, it is under All Settings > General > Devices > TV Management.
-
Reboot the TV (e.g., by turning it off and then back on) again. This is in addition to the reboot required when enabling developer mode. Make sure Quick Start+ is disabled!
Note: If you have an OLED TV, it may stay on for a while (to run the Pixel Refresher) despite appearing to be off. Thus, when you turn it back on, it won't have actually rebooted. You can unplug it to be sure it's off. -
In the LG Developer Mode app, enable the Key Server. It should look like this:
Note that the key server only needs to be enabled while you are connecting for the first time. It will be automatically disabled on reboot. -
In Dev Manager, perform these steps:
a. Click "+ Add Device"
b. Enter IP address of your TV in "Host Address" field
c. Enter passphrase displayed on LG Developer Mode app in "Passphrase" field
d. Keep other settings at default, click "Add" (troubleshooting errors)
e. Click "Install" in the top right corner
f. Choose Homebrew Channel IPK
g. Make sure Homebrew Channel is installed on your TV
h. Click on "Terminal"
i. Usejailpatch.sh
to generate an oldjail_app.conf
with a valid signature:curl -L -o /tmp/jailpatch.sh https://raw.githubusercontent.com/throwaway96/install-jail-conf/main/jailpatch.sh && sh /tmp/jailpatch.sh
Make sure the output says
verification of current conf successful
before continuing.
If it doesn't work, see the update about Dev Mode version 2.1.2. -
Reboot the TV (e.g., by turning it off and then back on) for a third time. Make sure Quick Start+ is disabled!
-
In Dev Manager, go to "Terminal" and input this command EXACTLY, then press enter:
touch /var/log/crashd/"x;telnetd -l sh"
Note: The character after the dash is a lowercase L, not a one.
If you get an error likesh: touch: not found
, just repeat the command. When successful there should be no output.
If you get a "Permission denied" error, you probably didn't complete the previous steps regardingjail_app.conf
correctly or did not reboot afterward. -
In PuTTY perform these steps:
a. Type your TV's IP address in "Host Name" field
b. Validate that "Other" and "Telnet" are selected under "Connection type"
Note: The default port of 23 is correct.
c. Open the telnet connection to your TV. If you can't connect, see the FAQ for help.
d. Execute this to give root permissions to Homebrew Channel (you can paste into PuTTY by right clicking or pressing Shift+Insert):/media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service
e. Execute this command to ensure developer mode never expires:
rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled
f. If you have used RootMyTV before (even unsuccessfully), execute this command to remove leftover files:
rm /var/lib/webosbrew/startup.sh /mnt/lg/cmn_data/wam/extra_conf.sh
-
Uninstall developer mode app from TV home menu.
WARNING: Do NOT reinstall the LG Developer Mode app while your TV is rooted! -
Power off your TV. Make sure Quick Start+ is disabled!
Note: If an "Install Homebrew Channel" prompt appears (unlikely), don't choose "yes". -
After restart, confirm that "Root status" in Homebrew Channel is "ok"
-
Turn on SSH in Homebrew Channel and restart
Note: The default SSH password isalpine
. -
Enjoy your rooted TV!
Note: If you want to block update notifications, you'll need to block certain domains.
Based on instructions by Shadow0304
If this guide helped you, please donate to support further development.
The default root password (for SSH/SFTP) is alpine
. Installing a public key for SSH authentication is recommended and will disable the default password. (The default password is not set on boot when /home/root/.ssh/authorized_keys
exists.) This can be accomplished with the following commands:
mkdir -p /home/root/.ssh
chmod 700 /home/root/.ssh
echo '<key>' > /home/root/.ssh/authorized_keys
chmod 600 /home/root/.ssh/authorized_keys
Replace <key>
with your key. It will look something like ssh-rsa LongBase64String== comment
. See this guide for more information on setting up public key SSH authentication.
Make sure you're using the latest version of Homebrew Channel (currently 0.6.3).
Note: The webOS version is not the same as the firmware version.
The TV models for each year all run the same major version of webOS. It is not possible to update from one major version to another, with a few exceptions. Note that webOS 3.0 and 3.5 are separate "major" versions despite having the same leading digit. This is also true for webOS 4.0 and 4.5.
Year | Version | Codename |
---|---|---|
2014 | 1.x | afro |
2015 | 2.x | beehive |
2016 | 3.0–3.4 | dreadlocks |
2017 | 3.5–3.9 | dreadlocks2 |
2018 | 4.0–4.4 | goldilocks |
2019 | 4.5–4.10 | goldilocks2 |
2020 | 5.x | jhericurl |
2021 | 6.x | kisscurl |
2022 | 7.x (22) | mullet |
2023 | 8.x (23) | number1 |
2024 | 9.x (24) | ombre |
Each major version has a codename that is a hairstyle. Each minor version has a codename that is a national park (or similar). The full codename of webOS 4.5, for example, is goldilocks2-grandcanyon
.
With webOS 7, LG added a marketing name of "webOS 22", with the 22 indicating the year (2022). The webOS 8/23 situation is similar.
The firmware version is often called "software version". Firmware versions look like 03.44.55
, with each of the three components being zero-padded to two digits. Production firmware versions all have a first component of at least 03, as lower numbers are reserved for testing.
- How do I know what version of webOS I am running?
- How can I find my TV's IP address?
- How do I reboot the TV?
- Why do I get a
No such file or directory
error? - Why didn't I see any output after running a command?
- Why am I unable to connect to telnet with PuTTY?
- Why am I seeing
LD_PRELOAD
errors while rooting? - Why isn't
telnetd
starting? - How do I download the key for the developer mode SSH server?
- Can I use something other than Dev Manager?
- How do I install an app from the command line?
- Why doesn't the Dev Mode app's key server stay enabled after rebooting?
- How can I verify the signature of
jail_app.conf
? - Why can't I add my TV in Dev Manager?
- Why do I still see update notifications?
- Why doesn't SSH (or telnet/other services) start at boot?
- Should I re-enable Quick Start+ after rooting?
- Can I update to a new firmware release?
- How do I find my TV's OTAID?
- How do I perform a firmware downgrade?
- Can I upgrade to a new webOS version?
- Should I change the "NSU Mode" setting in the Instart menu?
- How do I install APKs on webOS?
- Can I redirect audio output through a USB DAC?
- Can I add support for new filesystems?
- How do I disable automatic firmware updates?
- Why are all my apps deleted after 6 weeks (or after rebooting)?
- Why did I lose root after updating the Homebrew Channel app?
- Why can't I connect to my TV with Dev Manager after uninstalling the LG Developer Mode app?
- How do I determine what SoC my TV has?
- Can I install Android (or some other OS) on my LG TV?
- How can I free up space on my TV?
This information can be found in the menu (accessed by pressing the button with a gear on the remote). The exact location within the menu varies across webOS versions.
The firmware and webOS versions are shown in the Host Diagnostics (HostDiag) screen. I have written instructions for entering HostDiag.
You also may be able to find the webOS major version by pressing the mute button three times rapidly. This is an example on a webOS 6 TV:
Note that the firmware version and model number are also shown. On webOS 7, this window looks similar but lacks the "Platform" field.
However, on other webOS versions including 3.5, 4.0, and 5, only the firmware version is shown:
To find the version number through the menu on webOS 6 or 7, first press the menu button on the remote, then choose "All Settings":
Next, choose "Devices" under "General":
Note: This screenshot is from webOS 6. The icons and some menu items are different on webOS 7.
Then select "TV Management", followed by "TV Information":
The webOS version is under "webOS TV Version":
The TV may have up to two IP addresses: one for the wired connection, and one for Wi-Fi. You can find the IP address for each interface by in the settings menu under "Network".
You can check whether you have the right IP address for your TV by connecting to either http://<tv ip>:3000/
or https://<tv ip>:3001/
in a web browser. At least one of these ports should be open as long as you have screen share/second screen/"LG Connect" enabled. Port 3000 should show a Hello world
message, while you will likely get a certificate error on port 3001 (and bypassing that should also result in Hello world
).
If your TV is already rooted, you can use the "System reboot" feature on the Homebrew Channel settings screen or run the reboot
command via SSH or telnet. These are effective regardless of whether Quick Start+ is enabled.
If Quick Start+ is not enabled, turning the TV off (so that the red standby LED comes on) and back on is usually sufficient. However, OLED TVs will sometimes appear to be off when they are actually running the Pixel Refresher. The Pixel Refresher is triggered on shutdown when the TV has been on for more than four hours since its previous run. To make sure that an OLED (or any TV) is actually off, you can unplug it. Unplugging the TV will also force a fresh boot when Quick Start+ is enabled.
If you still have trouble getting a proper reboot (possibly due to Snapshot Boot), you should be able to force a reboot by disabling certain EULA options. You can then re-enable them after the reboot.
LG released a new developer mode jail configuration around 2023-01-26 that does not mount /var/log/crashd
. It results in an error like this:
~ $ touch /var/log/crashd/"x;telnetd -l sh"
touch: /var/log/crashd/x;telnetd -l sh: No such file or directory
This configuration is downloaded by the Developer Mode app. It is located in /media/developer
and named jail_app.conf
. It is accompanied by jail_app.conf.sig
, a cryptographic signature used to prevent a modified configuration from working. However, if jail_app.conf
is not present a default configuration will be used. Since the default configuration does mount /var/log/crashd
, it will work for our purposes.
Deleting /media/developer/jail_app.conf
and rebooting the TV would allow the exploit to work until an update to the Developer Mode app in March 2023. The permissions of /media/developer
were restricted so that jail_app.conf
could no longer be deleted. Its contents could still be overwritten with the same result, but firmware updates rolled out starting in June of 2023 prevent a jailed application from running when jail_app.conf
exists without a valid signature. Therefore, an old version of jail_app.conf
is now required.
Some commands, such as touch
, do not produce output when successful. As long as you do not see an error message, it likely worked. Dev Manager displays a blue >
when the last command succeeded and a red one when it failed.
First, confirm your firmware has not been patched.
Make sure your PuTTY configuration is correct:
- Under "Connection type", select "Other" and "Telnet"
- "Port" should be 23 (the default when "Telnet" is selected)
- Ensure you are using the correct IP address for your TV
You can check whether the exploit was successful by running pgrep telnetd
in the Dev Manager terminal. If the telnet server is running, this command will output a number. (The number itself is the process ID of the telnet server and is not important.)
These errors appear because LG set an environment variable incorrectly. They are harmless, but you can prevent them from appearing by running this command:
unset LD_PRELOAD
Certain EULAs must be accepted in order for this exploit to work. If the touch
command is successful but telnetd
does not start, this may be the problem. There are two primary EULAs ("Terms of Use" and "Privacy Policy") that are known to be needed, at least in the United States. Other regions may require additional EULAs and/or have a single UI option control multiple underlying EULA settings. You can use the command below to check what you're actually enabling.
Two EULAs accepted on webOS 6.
Changing "Privacy Policy" via the UI requires a reboot. How to find the EULA screen depends on the webOS version. On webOS 6, it can be reached by pressing the menu button then choosing All Settings > Support > Privacy & Terms > User Agreements.
This command will tell you which EULAs have been accepted:
luna-send-pub -f -n 1 'luna://com.webos.settingsservice/getSystemSettings' '{"keys":["eulaStatus"]}'
The "Terms of Use" and "Privacy Policy" agreements correspond to networkAllowed
and generalTermsAllowed
, respectively.
To download the private key, named webos_rsa
, "Key Server" must be enabled in the Developer Mode app. You don't need to reboot after enabling it. When it's enabled, the key file will be available via HTTP on port 9991. Thus it can be downloaded with a web browser at http://<TV IP>:9991/webos_rsa
.
The webos_rsa
file is encrypted. The passphrase needed to decrypt it is the 6-character string shown in the LG Developer Mode app.
The webOS CLI tools can run commands and install apps on webOS TVs. You can find some additional information about using these on the webosbrew site. Note that there are some differences between the webOS OSE CLI tools and the webOS TV ones.
Any decent SSH client can also be used to run commands on the TV. The OpenSSH ssh
client is commonly available on Linux and is an optional feature on recent versions of Windows. Assuming you've downloaded the private key file from the TV and have it in the current directory, you can SSH to the TV with the following command:
ssh -i webos_rsa -p 9922 prisoner@<TV IP>
The passphrase for the key is the 6-character string displayed in the LG Developer Mode app. It is case-sensitive. If you get an error like PTY allocation request failed on channel 0
, you won't have a prompt or some shell features, but you should still have sufficient functionality to run commands and see their output.
Note that you may need additional options to allow older SSH features depending on your client. For example, you may get an error like this:
Unable to negotiate with 192.168.1.123 port 9922: no matching host key type found. Their offer: ssh-rsa
You should be able to solve the problem by adding the options -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa
to the ssh
command above.
If you want to use PuTTY, you'll have to convert the key file to PuTTY's PPK format using PuTTYgen. Open PuTTYgen and import the key using "Import key" in the "Conversions" menu. You'll need the 6-character passphrase displayed in the LG Developer Mode app to decrypt it. After it's loaded, you can optionally change or remove the passphrase for the generated PPK by editing the "Key passphrase" and "Confirm passphrase" fields. (If you leave them alone, the PPK will have the same passphrase as the original key.) To save the PPK file, click the "Save private key" button.
Apps can be installed by transferring the IPK using SFTP then running luna-send-pub
on the TV with the appropriate arguments. To connect with the OpenSSH command-line sftp
client, you can use:
sftp -i webos_rsa -P 9922 prisoner@<TV IP>
App installation is triggered over the Luna bus. The prisoner
user available in developer mode has limited access to the Luna bus using the luna-send-pub
command. To install an app, the IPK file must already be on the TV. Files can be transferred using SFTP.
The Luna endpoint for installing developer mode apps is luna://com.webos.appInstallService/dev/install
. Luna calls include a JSON payload. For this endpoint, the id
, ipkUrl
, and subscribe
parameters are required. The path of the IPK is supplied in ipkUrl
. Setting subscribe
to true
(along with the -i
flag) means that multiple response messages will be sent as the status of the request changes. The contents of id
are not important here.
For example, if the IPK of the app you want to install exists at /tmp/app.ipk
, you could use the following command to install it:
luna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{"id":"com.ares.defaultName","ipkUrl":"/tmp/app.ipk","subscribe":true}'
There will be a series of messages as the installation progresses. After the process completes, you'll have to press control+C to kill luna-send-pub
.
Note that developer mode apps are installed in a different location than apps installed via the store, and they are deleted when developer mode is disabled or expires.
That's how it's supposed to work. The key server is only necessary the first time you connect to the TV. Dev Manager downloads the key file and saves it for future use. (For other clients, you usually have to download the key file yourself.) You may need to enable the key server again if you do something that changes the key (e.g., factory reset) or you are connecting from a different client that doesn't already have the key. Otherwise, the same key will continue to work.
If you would like to verify that your jail_app.conf
and jail_app.conf.sig
match, you can use the following command:
openssl smime -verify -noverify -inform pem -in jail_app.conf.sig -content jail_app.conf >/dev/null
When you add a device in using the "Developer Mode" authentication method, Dev Manager downloads the RSA key from an HTTP server on port 9991. This is what "Key Server" in the Developer Mode app refers to.
If you get a "failed to fetch private key" error when trying to add your TV in Dev Manager, Dev Manager was unable to retrieve the RSA key.
Make sure you are using the correct IP address for your TV. You can try downloading the key with a web browser to check that the Key Server is working.
If you're unable to download the key, the problem is likely on the TV side. You can try disabling and re-enabling Dev Mode to fix the key server. If it still doesn't work, try leaving Developer Mode enabled and forcing a reboot using the EULA method. Remember to re-enable the Key Server after rebooting.
Homebrew Channel's startup scripts currently run relatively late in the boot process. This means the TV's update program has already started by the time Homebrew Channel's "Block system updates" option has had a chance to take effect. If you want to make sure updates are completely disabled (and not see the notifications), block these domains (e.g., on your router):
snu.lge.com
su.lge.com
su-ssl.lge.com
snu-dev.lge.com
su-dev.lge.com
nsu.lge.com
(Listed roughly in order of importance.)
Note that the autostart method used by Homebrew Channel 0.5.1+ on webOS 4.5+ only works when certain EULAs have been accepted. Which EULAs are required depends on your region but seem to be the same as those discussed in this section.
The method used for autostart by Homebrew Channel 0.5.1+ only works on webOS 4.5+. A new autostart method will be implemented in future Homebrew Channel versions, but you can try setting it up manually yourself. It is described here. You can also try the webosbrew-autostart app as a workaround.
There is a bug in Homebrew Channel 0.5.1 that may prevent the startup.sh
file from being automatically installed on webOS versions older than 5.0. This was fixed in Homebrew Channel 0.6.0. You can also install the startup script manually:
mkdir -p /var/lib/webosbrew
cp /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/startup.sh /var/lib/webosbrew/startup.sh
chmod 755 /var/lib/webosbrew/startup.sh
chown root:root /var/lib/webosbrew/startup.sh
If you are using Homebrew Channel 0.5.1 on webOS 22 (internally, webOS 7), the included SSH server won't work. Homebrew Channel 0.6.0 and later include binaries that are compatible with webOS 22. If for some reason you can't update Homebrew Channel, patched binaries are attached to previous revisions of this guide.
It's up to you. Just be aware that when Quick Start+ is on, turning the TV off won't actually shut it down. If you need to perform a proper reboot (e.g., so that startup scripts will run), you can use "System reboot" on the Homebrew Channel settings page.
In general, updating is not recommended because LG could fix vulnerabilities used for rooting. The crashd vulnerability has been patched in the latest firmware for most post-2018 models, although you should retain root during a firmware update with Homebrew Channel 0.5.1+. (Note that this does not necessarily apply if your TV was rooted with RootMyTV or GetMeIn.)
See the list of patched firmware to determine whether there is a known patched version for your OTAID. If there is no production version listed, it should still be vulnerable after an update. It is always possible that LG has released a new version since the list was last updated, though. Also, if you messed with the NSU Mode setting in the Instart menu, you may be updating to a prerelease version (which is not recommended).
Note that if you lose root for any reason after updating to a firmware version that is not rootable, there is no way to regain it until new a exploit is released. There are a number of situations (e.g., running out of space, database corruption) that will cause webOS to automatically reset itself in a way that will cause root to be lost.
If you are going to ask about anything relating to a specific firmware version, please provide an OTAID so people can know what you're talking about.
The OTAID is an identifier included in every EPK (i.e., firmware image) and used with LG's SNU update system to request the latest firmware update information. For example, the OTAID for 2021 TVs with a K7Lp SoC is HE_DTV_W21P_AFADATAA
. There are several ways to find your TV's OTAID.
First, you can use nyx-cmd
(this may not work if you don't have root):
nyx-cmd DeviceInfo query hardware_id
Second, it should be in /var/run/nyx/device_info.json
, which contains JSON-formatted output from nyx-cmd
. You can view it by running cat /var/run/nyx/device_info.json
, and the OTAID will be on the hardware_id
line. This file also has other information such as the TV's model number and SoC. You may not want to share its full contents in public, as it contains unique identifiers for your TV (specifically: the serial number, MAC address(es), and NDUID).
Third, you can use a Luna request, which should not require root:
luna-send-pub -n 1 'luna://com.webos.service.tv.systemproperty/getSystemInfo' '{"keys":["otaId"]}'
The otaId
key seems to only be available on webOS 4.0+. Use another method for earlier webOS versions (but note that webOS versions prior to 4.0 are not vulnerable to the crashd
exploit).
Another option is to make a request over SSAP to the URI ssap://com.webos.service.update/getCurrentSWInformation
with an empty payload ({}
). The response's model_name
property will contain the OTAID.
There is a file in the TV's /etc/starfish
directory that contains the OTAID. Its name is either /etc/starfish/model_id
(on older webOS versions) or /etc/starfish/model_id.json
(on newer webOS; also contains SoC, region, and webOS major version).
LG has blocked firmware downgrades, even with "expert mode" enabled. Downgrades are only allowed when an AccessUSB device is connected. (AccessUSB devices are hardware tokens that enable debug access. They are presumably provided to LG partners on a limited basis.)
I have a tool to restore access to the "expert mode" features, including installing firmware with a lower version and NSU images. However, it is (semi-intentionally) not user-friendly and only intended for use by those with the ability to recover if something goes wrong. It is probably a good idea to perform a factory reset after downgrading.
While updating your firmware may increase the webOS minor version, it is usually not possible to update across major versions. This includes updating from 3.4 to 3.5+ or 4.4 to 4.5+.
However, in late 2023 LG announced their webOS Re:New program (with an apparent internal codename of pine
), which will eventually allow certain high-end 2022 models to be upgraded to webOS 8 (a.k.a. webOS 23). So far (2024-02-18) it has not been officially released outside of Korea, and changing your NSU Mode in order to upgrade early may get you into trouble unless you really know what you're doing. The only SoCs that LG currently seems to be working on support for are O22 (including O228K) and K8Hp.
In February 2024, LG opened a beta program that provides access to the webOS 23 upgrade. It is currently only available in certain regions (possibly just the US and Korea). For more information, see the webOS TV Beta Program site for your region:
So far most of LG's beta programs seem to have been private. However, since they have publicized the Beta Program site and app, they may be planning to offer more public betas in the future. So it might be worth signing up even if you're not eligible for the webOS 23 upgrade test.
If you have to ask, the answer is no. You should leave it on the default ("User Mode") unless you really know what you're doing and understand the implications.
Setting NSU Mode to anything other than User Mode may result in updates to prerelease firmware. Prerelease firmware can be broken in various ways. It often has a higher version number than following release versions, meaning you may not be able to return to release firmware for some time. Unless you have a way to reprogram the eMMC with a working firmware image and otherwise recover from a broken system, you should avoid prerelease firmware.
If you do update to a prerelease firmware version, you may have to perform a factory reset to restore some functionality. While downgrading is technically possible with root, it is obviously not supported by LG and may not go smoothly.
You can't. APKs are for Android, and webOS is not Android.
While it may be possible to build the appropriate kernel drivers, it is unlikely you would be able to get much of the TV's audio output to use such a device. Some audio goes through PulseAudio (and ALSA output is directed through PulseAudio), but the media playback pipeline uses proprietary, undocumented SoC audio peripherals. It may (or may not) be theoretically possible to reverse engineer these enough to be able to redirect audio, but it would almost certainly be a major undertaking requiring significant skill and a substantial time commitment.
You can build the kernel modules needed to support various filesystems. However, you would not be able to truly integrate any of them into webOS, as filesystem support is hardcoded in various system applications such as Attached Storage Manager (ASM) and Physical Device Manager (PDM).
The "Auto Update" setting can be found in the menu. The steps to reach this setting vary across webOS versions.
On webOS 6, it can be found by pressing the menu button, choosing "All Settings", "Support", then "Software Update":
The firmware version is also displayed here.
If all your installed apps are being deleted 6 weeks or so after installation (due to the expiration of the development mode timer, which is now 1000 hours) or on boot, your TV is likely not properly rooted. The /var/luna/preferences/devmode_enabled
directory created during the above procedure should stop development mode apps from being deleted.
You should not install the LG developer mode app when rooted, as it can cause all apps to be removed. The existence of /var/luna/preferences/devmode_enabled
as a directory may prevent LG's developer mode app from working. If you lose root access while this directory exists, a factory reset may be required in order to get the developer mode app working.
LG changed something in webOS 7 that causes Homebrew Channel's self-update feature to fail in all versions prior to 0.6.3. If you have webOS 22/7, don't update Homebrew Channel from within the app unless it's at least version 0.6.3. Updating Homebrew Channel using current versions of Dev Manager (at least through v1.9.11) will also cause root to be lost.
You can use the Homebrew Channel Updater tool, which is in the default Homebrew Channel repo, to safely update on webOS 7. It is also possible to update manually as long as you keep a telnet/SSH session open to run /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service
after the update completes and before rebooting.
The SSH server on port 9922 is provided by LG's Developer Mode app, which is uninstalled at the end of the rooting process. After rooting, you can enable Homebrew Channel's SSH server, which uses port 22. You'll need to reconfigure Dev Manager to use this new SSH server, including changing the login credentials. The easiest way to accomplish this is adding a new device within Dev Manager.
How to configure Dev Manager to connect to a TV using the default password.
The username is root
. If you have not set up public key authentication, you must select "Password" from the "Authentication Method" dropdown and enter the password alpine
. If you are using a public key, you'll need to choose the "Local Private Key" authentication method, then enter its name and passphrase. The key file itself must be placed in the ~/.ssh
directory (or %USERPROFILE%\.ssh
on Windows). Note that current versions of Dev Manager support a somewhat limited range of key types.
The name of the SoC is displayed in the Instart menu next to "Chip Type".
This TV has a Realtek K7Lp SoC.
You can also find it by running this command:
nyx-cmd DeviceInfo query device_name
The same information can be found in the file /var/run/nyx/device_info.json
, which is created at boot from the output of nyx-cmd
.
The practical answer is no. LG uses a secure boot system that verifies the signatures of all system components. The TV will refuse to boot if anything (e.g., bootloader, kernel, root filesystem) is not signed with the correct LG key. Additionally, there is no documentation or code available for most of the interesting peripherals (such as the video pipeline), meaning a hypothetical Android system would not be particularly useful.
While it is technically possible to bypass some of the secure boot chain and run unsigned code, all existing attempts to do so are proofs of concept and nowhere near ready for any kind of serious use.
The eMMC storage on many webOS TVs is not very large. The filesystem structure is also complex, with many partitions being mounted in multiple places. The vast majority of usable space is on either the apps
or data
partition. The mount points of the apps
partition (which, as its name suggests, primarily stores apps) include /media
and /mnt/lg/appstore
. Most of the other writable space (including /home
, /var
, and several directories under /mnt/lg/cache
) is on the data
partition, which is mounted at /mnt/lg/cmn_data
.
You can use findmnt
and df
to get more information about mount points and free space. The names and sizes of all eMMC partitions are listed in /proc/partinfo
. Some models ship with large sample files in /media/preload/storedemo
that do not seem to be important.
As an example, on a 2018 TV with an LM18A SoC, the apps
partition has a total size of less than 600 MB, while the data
partition is exactly 500 MiB. This TV had a 300 MB+ video named /media/preload/storedemo/Swiss_171026_LCD_UHD_HDR_01.lge
; deleting it has not caused any problems.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
I have a large collection of TV boards and supporting hardware that I use for development and testing of stuff like this. It can get expensive (especially with all the weird cables LG likes to use). If you can afford to, please donate via ko-fi to support my work. I also may be interested in TV parts (and other electronics or test/measurement gear).
@team-orangeBlue
If you used RootMyTV v1 and didn't remove the modified
start-devmode.sh
, updating to firmware that checks its signature will cause dev mode apps to be wiped. Otherwise, firmware updates have so far not affected dev mode/root. (Updating is still not recommended though.)All writable filesystems are mounted
nosuid
. AccessUSB uses public key cryptography (specifically, RSA). Somebody made an emulated one, but that only worked because they already had root to replace the public key on the TV. I am not aware of anyone who has gotten hold of a legit AccessUSB.Did you read the note at the top of the guide?