Remote root shell on LG TV 2013 (NetCast) models
Playing around with an older, 2013 TV model from LG (Model Name: 55LB580V-ZM), thanks to a helpful Discord (openlgtv, https://discord.gg/nKQW6FPWeM) and especially members @hellobox. and @Smx#2460 got remote root access on the TV. As this isn’t really described anywhere, I’m seeing it as my duty to finally do it 😉
What you’ll need
- A compatible TV (non-WebOS model, running LG NetCast – that’s the name for the OS on older TV models by LG)
- A FAT-formatted USB flash drive, 32 GB/USB 3.0 worked for me
- A way to get into the service menu of the TV – your normal remote control will not work for this, you could use…
- A dedicated LG MKJ39170828 Service Remote Control, these sell e.g. on Amazon or eBay
- A Flipper Zero equipped with the appropriate IR signals file
- Maybe you even have an old phone with an IR diode or an Arduino lying & IR LED somewhere around you – you gotta figure out a way to send the right signals then 😉
The TV model
This will not work on LG TVs running WebOS!
It only works on models running NetCast.
- Model Name: 55LB580V-ZM
- S/W Version: 04.04.27.01
- MICOM Version: 4.00.0
- BOOT Version: 3.00.13
- Chip Type: MTK 5398
Here’s an example of a TV that is not compatible (because it’s running WebOS):
Here’s an example of a TV that might work, because it’s running NetCast – see the UI differences in the pictures:
Preparations
Get yourself a FAT-formatted USB flash drive (32 GB, USB 3.0 worked for me) and prepare a tar file called pelinux_arm_sl_710.tar
This tar file should contain the following structure/files/directories:
drwxrwxr-x user/group       0 2023-11-23 20:37 temp/
-rwxrwxrwx user/group     101 2023-11-23 20:37 temp/endpoint
-rwxrwxrwx user/group  294174 2023-11-23 20:22 temp/socat
As you can see, the tar file only contains a single folder called temp and two files inside that folder (endpoint and socat), both of them being marked as executable.
The endpoint file is the script that gets executed by the TV as user root and contains the following:
#!/bin/sh
/tmp/temp/socat tcp-l:12346,reuseaddr,fork exec:/bin/sh,pty,setsid,setpgid,stderr,ctty &
As you can see, it executes /tmp/temp/socat which listens on port 12346 with a /bin/sh shell.
socat being a socat binary compiled by buildroot-nc4 to make it compatible with the TV. You can download a pre-built binary here: https://www.dateien.at/s/QiL8G46H8kRoCZP
Also, if you’re lazy, here’s a link to the .tar-file containing the correct structure: https://www.dateien.at/s/3ESeeRSKYRbsJMf
Entering the void service menu
First, turn the TV on and plug in the flash drive. Wait for the TV to display that it has detected the flash drive, press on “No” or “Cancel” to hide the notification:
Now, get hold of your service remote control. I’m using a Flipper Zero:
Press the IN START button of the remote control – a PIN input field should appear:
Now using your normal remote control, try these combinations – one of them should work:
0413
0000
7777
8743
8878
8741
The service menu should appear:
It contains a lot of useful information, the e.g. UTT value in the lower left corner – this is the screen-on-time (panel backlight active) for the TV, in the example above it’s 2066 hours.
Warning: Do not use the IN STOP button of your service remote.
It will factory reset the TV without any confirmation!Also, always take pictures of the screen before changing any values so you have a “backup” in case something goes wrong.
Running the payload
Using the arrow keys of your normal remote, press down as often as needed to select “8. Test Option”.
Find an option that says Chariot Endpoint on the right screen, use the right arrow button to navigate to it, press OK. It should say Success.
If everything was correct, your TV should now be listening on port 12346 for incoming connections, use nc (don’t use telnet as it might look weird) to connect:
nc <tv-ip-address> 12346
You should now have a root shell!
Comfortably downloading files via built-in webserver
You can instruct the built-in lighttpd web server to enable directory listing, thus, by creating a symlink to /, be able to view/download almost any files that are available in the device’s file system:
# Make a copy of the lighttpd config file in user-writeable space
cp /usr/local/bin/lighttpd.conf /mnt/user/lighttpd.exploit.conf
# Extend the config file with directory listing enabled
echo "server.dir-listing = \"enable\"" >> /mnt/user/lighttpd.exploit.conf
# Kill the web service
killall lighttpd
# Generate symlink to allow viewing files via webserver
ln -s / /tmp/www/root
# Start the webserver with the user-created config file
/usr/local/bin/lighttpd -f /mnt/user/lighttpd.exploit.conf
Result
Go to http://<device-ip>:8060
to access the created symlink:
lighttpd sends every Content-Type as octet-stream which leads to text files getting downloaded, as a quick workaround you can use a plugin like Open in Browser (Firefox) which lets you display the files as you would normally.
No comments yet.