Lg Tv There Is a Temporary Problem With the Network. Please Try Again. (6003)

You are using an out of date browser. It may non brandish this or other websites correctly.
You should upgrade or use an alternative browser.

• #1

RootMyTV is a user-friendly exploit for rooting/jailbreaking LG webOS smart TVs.

Website: RootMy.TV
GitHub: https://github.com/RootMyTV/RootMyTV.github.io

For further details, and a full writeup, please check out the GitHub repo.

TL;DR; If you want root on any* electric current WebOS LG TV, do not install updates for the fourth dimension being, and wait patiently. If you're a developer or researcher, read the latest update beneath.

*The exploit requires "ThinQ" support, which seems to only be available on TVs running WebOS 4.0+. I will update this when we know more well-nigh which versions support information technology.

RootMy.Television set is an 0-click (kinda) spider web-to-root exploit for WebOS.

Website (placeholder): RootMy.Telly
GitHub (placeholder): github.com/DavidBuchanan314/RootMyTV

Later on this bug in Download Director was published (which, on its own, allows rooting the WebOS emulator), I was motivated to find new bugs which can be combined with it, to get root on actual TVs.

Given the relatively severe impact of this exploit concatenation, its publication will have to wait at least until LG makes official patches bachelor for the Download Manager bug. After that, I volition be publishing the exploit, along with a full writeup.

During my research, I received invaluable advice and information from members of the openlgtv Discord server - I definitely couldn't have done this without them. Please bring together us, if you would like to aid with testing the exploit etc. in the hopefully-about future: https://discord.gg/9sqAgHVRhP

Update 2021/02/15:
LG claims to have fixed the Download Managing director issues, simply they haven't actually. To motivate LG to actually patch the bug, I will be disclosing my exploit chain to them under a 30-mean solar day public disclosure deadline - after which, I will be publishing the exploit here. Assuming I send my disclosure to LG email tonight, that sets the RootMyTV "release date" at 2021/03/19.

Update 2021/03/18:
The release date is now 2021/03/21 - I have a few things I need to end upwardly...

Update 2021/03/23:
Sorry for the delays...
I am attaching a blank-bones vulnerability report and PoC for the exploit, which is enough to get you root. This "pre-release" is intended for developers and researchers. If yous're not a developer or researcher, please exist wait for the "total" release, which will hopefully go far in the coming weeks. The final release will be more user friendly, and include a "Homebrew Channel". If y'all would like to contribute to evolution of the Homebrew ecosystem, delight visit u.s.a. on Discord.

Some notes/disclaimers almost the exploit: (READ Showtime!!!)

- This will void your warranty, don't blame me if annihilation goes incorrect etc. etc.

- Amazon's "google play store" link, described in the writeup, is currently cleaved. As a workaround, you lot tin search for "google search" on Amazon, Click the pinnacle result, Click "developer info", then click the link to Google'south privacy policy. From in that location, yous tin can click the menu icon in the acme-correct and continue with the rest of the instructions.

- Something I forgot to mention in the written report - you must update the value of the "HOST_PREFIX" variable in index.html, to point to your local webserver.

- If you were previously using Developer Mode, then overwriting `get-go-devmode.sh` will have cleaved devmode features like `ares-install`, and the jailed sshd. You can fix this past putting the old `beginning-devmode.sh` back once more, with some edits.

- For some TVs that don't have the ThinQ login page, you can access an equivalent folio via "Account Direction" in the settings. This doesn't work on my Boob tube (the amazon link opens in the web browser), but apparently information technology works on some models/versions.

- The current version of the exploit volition give you a root telnet server, accessible on the default port (23), without authentication.

Attachments

Terminal edited: January 15, 2022

• #2

Howdy, my device OLED65CX6LA wait your Hack ..

• #three

This is exciting! I knew in my gut that I should avoid the update I saw pop up a few days agone. Can't wait to run into what this all entails. Delight give us an update when you tin can! :]

• #4

neat chore, thanks for this, can't await for the final release

• #v

Cheers once more for the efforts! I can confirm that worked like charm, I accept tested on LGC9 05.00.03, very smooth, haven't seen any errors.

• #6

For me worked
OLED65CX6LA in italian republic
soft ver. 03.21.xvi
cheers

Connected to lgwebostv.fritz.box.
Escape character is '^]'.

webOS Goggle box 5.2.0 LGwebOSTV

/ # ls
bin etc lib mnt proc share usr
boot home linuxrc opt run sys var
dev lg media overlay sbin tmp world wide web
/ #

is possible to use oscam now?

Final edited: Mar 23, 2021

• #7

lg 55uk6470plc
software version 5.30.10
WebOS version four.three.0-9703

Confirmed working!

• #8

Is information technology possible to install Web OS FW of a LG Commercial Signage Display on to a matching Consumer Retail model? How?

• #9

I am the same model as your TV. However, every bit yous mentioned, I searched for google search on Amazon and went in, and after that, I proceeded the same, but rooting did non work. Are there any other points where I tin can rooting?

• #10

Using com.webos.app.iot-thirdparty-login in webOS 4.9.one-53409 for this exploit doesn't seem to piece of work anymore, because the app now seems to open all links in the spider web browser app instead of its own case. No matter which link I tested, they all open the external web browser.

Update:
The underlying issue even so exists though and I managed to use a slightly different method but the same privilege escalation method to go in anyways.

                              Continued to XXXXXXXXXX. Escape graphic symbol is '^]'.  webOS Tv four.9.ane LGwebOSTV  / # uname -a Linux LGwebOSTV 4.4.84-169.gld4tv.iv #1 SMP PREEMPT Fri Mar 12 02:53:12 EST 2022 aarch64 GNU/Linux / # whoami root                            

• #11

Using com.webos.app.iot-thirdparty-login in webOS 4.ix.i-53409 for this exploit doesn't seem to piece of work anymore, because the app at present seems to open all links in the spider web browser app instead of its ain instance. No matter which link I tested, they all open the external web browser.

Update:
The underlying consequence still exists though and I managed to use a slightly different method but the same privilege escalation method to go far anyways.

Perhaps yous might share the approach you institute so others don't struggle helplessly?

I had the same problem. After getting to the Amazon log in page, all links mentioned above opened in the web browser instead of within the ThinQ app. Eventually I tried inbound non real credentials into the Amazon login form, then after being prompted to enter a captcha, I once more entered invalid credentials a second time. When shown the login form a third fourth dimension I clicked the bottom link (can't recall what it was - perchance privacy or forgot password or similar) and this time the link opened within the ThinkQ app rather than an external browser, and I could and then follow the rest of the exploit successfully.

• #12

Does rooting WebOS remove the DRM? Could someone check if Netflix is still working?
And if the DRM will exist removed, is information technology possible to restore it by resetting it by information technology's manufactory defaults or a software update?
@retr0id crawly work! Have been waiting on this for a long fourth dimension

• #13

Does rooting WebOS remove the DRM? Could someone check if Netflix is however working?
And if the DRM will be removed, is it possible to restore it by resetting it by it's manufacturing plant defaults or a software update?
@retr0id crawly work! Have been waiting on this for a long time

Currently root exploit in the kickoff post only exposes root unjailed telnet session and disables some telemetry. It does not bear on any existing apps, unless content providers add together explicit root detection. (which in of itself would require jail escape exploit on their part) Netflix seems to work fine so far on 2018-era webOS 3.viii LG TV.

• #fourteen

Perhaps yous might share the arroyo you constitute and then others don't struggle helplessly?

If in that location actually is a "0-click" exploit as promised, these steps become unnecessary.

Until then, anyone who knows the ropes should have no trouble finding the way I mentioned. At to the lowest degree when y'all have a closer look at the source code of com.webos.app.iot-thirdparty-login. And if you lot have problems with this, you lot should probably go out this method alone anyhow.

That's why I won't post any more details almost it - at least for at present.

• #15

If there really is a "0-click" exploit every bit promised, these steps go unnecessary.

Until then, anyone who knows the ropes should have no problem finding the way I mentioned. At to the lowest degree when y'all take a closer look at the source code of com.webos.app.iot-thirdparty-login. And if you have bug with this, you lot should probably leave this method lone anyway.

That'due south why I won't post whatsoever more details about information technology - at least for at present.

What gibberish.

I provided a mode forward to others in my response. I followed it and it worked, so I shared information technology.

You simply turned up with no useful information, but to say "hey your instructions no longer work. I found a way circular it. Not going to share". It would seem you're posting on entirely the wrong forum.

• #sixteen

Yous but turned up with no useful data, just to say "hey your instructions no longer work. I establish a mode round information technology. Not going to share"

That's non truthful at all. The info I shared is that the vulnerability is nevertheless present in the latest firmware v05.00.xxx of the 2022 models and that it'due south yet possible to use the exploit.
I also said that I exercise non share the details "for at present", depending on the "0-click" exploit condition.

It would seem you lot're posting on entirely the wrong forum.

The official subtitle of this forum is:

Technical discussion of WebOS evolution and hacking. No noobs please.

So if anyone is wrong here, it's you.
This forum is not for users who demand step-by-step instructions.

• #17

If someone tin employ this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and mayhap fifty-fifty older models) that would be amazing. LG removed the feature terminal minute despite it showing upward in C9 reviews samples, but information technology did make it into the CX as OLED motion depression and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs just they never did.

• #18

has anyone tested a LG 65SK8500LLA? Dont want to brick my ane

• #nineteen

If someone can use this to make a custom firmware that adds dorsum in the 120hz black frame insertion to the LG C9 (and perchance even older models) that would be amazing. LG removed the feature last infinitesimal despite it showing upwards in C9 reviews samples, but it did make it into the CX equally OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could exist added into older OLED TVs only they never did.

If I am not incorrect the OS does verification , then trying to modify something will trigger it to not boot....
Equally of now.

• #20

If someone can utilize this to make a custom firmware that adds back in the 120hz black frame insertion to the LG C9 (and maybe fifty-fifty older models) that would be amazing. LG removed the feature last infinitesimal despite information technology showing up in C9 reviews samples, but it did make it into the CX equally OLED motion low and mid. I remember in some old interviews hearing that the feature is all algorithm based and could be added into older OLED TVs but they never did.

Yous're in luck. Just this week a user at AVSForum reported that you could enable Movement Pro on the C9/E9 with a simple command on the tv. The but disadvantage was that you need to execute this command with root privileges. Now that is where this thread comes in.
I've managed to get root access to my C9 and have executed the command and it works! Motility Pro depression, medium and loftier is available and works at 120Hz.

This is the command that yous need to execute:

                              luna-send -n 1 -f "luna://com.webos.service.config/setConfigs" '{ "configs": { "tv.model.motionProMode": "OLED Movement Pro" } }'                            

Similar threads

harrisdrowed.blogspot.com

Source: https://forum.xda-developers.com/t/rootmy-tv-v2-0-released.4232223/

Share this post