- Unscrew the case via the 4 screws on the back.
- Desolder the positive lead of the rechargeable battery. This is necessary because the bootloader of U4 is only present immediately after power-on.
- Configure Tigard (or other USB-TTL device) as follows:
- VTGT switch to 3V3
- TX to P1 (left side of U4, clearly marked
- RX to P2 (just above P1)
- GND to GND (just below P1, unmarked)
- Prep VTGT to connect to VTGT (just above P2, unmarked, trace goes to pin 2 of U4)
0xgalz
/ AutoFunc.py
Last active
November 20, 2024 07:23
IDAPython- Change Function Names in IDA According to their corresponding debug prints
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idc | |
| import idautils | |
| import idaapi | |
| FUNCTIONS_REGISTERS = {"g_log": "rcx", "g_log_error": "rdx"} | |
| def get_string_for_function(call_func_addr, register): | |
| """ | |
| :param start_addr: The function call address |
psimoesbits
/ LGTV_BootloaderAccess.cs
Created
February 13, 2019 22:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO.Ports; | |
| using System.Threading; | |
| namespace LGTV_BootloaderAccess | |
| { | |
| internal class Program | |
| { | |
| private static void Main(string[] args) | |
| { |
DavidBuchanan314
/ root_my_vm.py
Last active
August 18, 2024 03:00
Get root any running *nix VM by patching it's memory from the host.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| import sys | |
| import os | |
| import signal | |
| PATTERN = b"root:x:0:0:root" | |
| REPLACE = b"root::00:0:root" |
DavidBuchanan314
/ GetMeIn.c
Last active
March 1, 2024 23:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Decompiled from GetMeIn: https://forum.xda-developers.com/web-os/general/getmein-one-time-rooting-jailbreaking-t3887904 | |
| tl;dr it scans memory for its own `struct cred` in memory, changes its uid/gids to root. | |
| */ | |
| int __fastcall do_the_patching(uint8_t *a1, unsigned __int8 *creds, int a3, unsigned int a4) | |
| { | |
| int i; // [sp+20h] [bp-Ch] | |
| uint8_t *memptr; // [sp+24h] [bp-8h] |
Informatic
/ 50-customca
Last active
January 14, 2025 18:04
Let's Encrypt fix for webOS. Tested on 3.8 only, put this into /var/lib/webosbrew/init.d and you should be probably done.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Directory to store overlays in (one directory structure is created per overlay configured down below) | |
| OVERLAY_BASE=/var/lib/webosbrew/customca | |
| overlay() { | |
| set -e | |
| overlay_id="$(echo $1 | sed 's;/;__;g')" | |
| unset TARGET SOURCE FSTYPE OPTIONS | |
| eval $(findmnt -P $1) |
throwaway96
/ notes.md
Last active
May 30, 2025 01:24
Enabling debug and getting root on LG webOS by modifying NVM
What you do with this information is your own responsibility. If you brick your TV trying this, it's not my fault. You should probably have some electronics experience if you want to attempt this.
This is going to involve opening your TV and attaching wires to the pins of an integrated circuit. If you're not comfortable with that, this is not for you.
This document is a work in progress.
LG TVs since at least the era of NetCast and "Global Platform" (webOS predecessors) have had the notion of a debug level, generally called "debugstatus". There are three modes: DEBUG, EVENT, and RELEASE. TVs normally operate in RELEASE mode. DEBUG mode enables a variety of logging and other debugging features in webOS, including access to the bootloader console and debug menus via serial. EVENT is similar to DEBUG, although it may not enable as much logging and has other relatively minor differences.
I'm not going to be maintaining this document anymore. I'm leaving it as-is since much of the FAQ section is still accurate and has yet to be incorporated into other resources.
Use CanI.RootMy.TV to find an exploit for your TV.
shinyquagsire23
/ gist:7ddd17d1569acb21920683866570cb35
Created
February 23, 2023 07:43
LG MStar firmware disorganized notes -- Hotwords: AEON B2, MStar, LG DualUp Firmware, MST9W00V4, MST9U
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DDC/CI Command Codes (antiquated MStar function, not real): | |
| ------ | |
| 0xCC, 0xF1, 0xF0 - LG special? Only CC actually used. | |
| 3 | |
| 1 | |
| 0xC6 | |
| 0xC8 | |
| 0xF3 | |
| 0xF5 | |
| 0xB1 |
OlderNewer