There is a vulnerability/backdoor in webOS 5+ that allows you to easily run arbitrary commands as root during the boot process. The easiest way to exploit it simply involves putting a file on a USB drive and having it connected to your TV while it boots. There are two other methods that are more complex and require additional exploits.
See dejavuln-autoroot for a simpler exploit that works on webOS 3.5+ TVs (i.e., models from 2017 and later). It is unpatched as of 2024-04-21 and does not require Developer Mode or even a network connection—just a USB drive.
Otherwise:
- If you have a webOS 5–8 TV with old enough firmware, WTA (which does not require Dev Mode) will still work.
- If you have a webOS 4.x TV, you can also try CVE-2023-6319, which is unpatched on the latest (final?) firmware for webOS 4.0 (2018) models.
- While there will eventually be fully software-based exploits released for older models, they can currently be rooted via NVM.
# 16 TB drive with ext4 file system optimized for max available space:
# --------------------------------------------------------------------
$ sudo mkfs.ext4 -m 0 -T largefile4 /dev/sdX
/dev/sdX: 8 bytes were erased at offset 0x00000200 (gpt): 45 46 49 20 50 41 52 54
/dev/sdX: 8 bytes were erased at offset 0xe8d7dfffe00 (gpt): 45 46 49 20 50 41 52 54
/dev/sdX: 2 bytes were erased at offset 0x000001fe (PMBR): 55 aa
/dev/sdX: calling ioctl to re-read partition table: Success
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 3906461696 4k blocks and 3814912 inodes
Filesystem UUID: 3ea950c5-ae13-4755-a6b8-6f317f6f8dea
This gist will no longer be updated as the changelog will be on the official website.
- Sublime Text/Merge Official Discord chat server: https://discord.gg/D43Pecu
- Sublime Text/Merge Chinese Telegram discussion group: https://t.me/sublime_tw
Converted via https://domchristie.github.io/turndown
If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint as follows:
$ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
If you created a key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate the fingerprint as follows:
$ openssl rsa -in path_to_private_key -pubout -outform DER | openssl md5 -c