Getting root on a Sony TV (hackaday.com)
92 points by Garbage on June 21, 2012 | hide | past | favorite | 27 comments



There is a similar project for LG TVs that doesn't require a bof, however messing with these TVs puts you deep inside BrickVille territory with no money for the cab ride home (no simple firmware recovery).

If you like the sound of tinkering with this stuff, buy a $70 Allwinner A10 stick and play with that. Consider it very cheap insurance for the $1000 TV you're plugging it into (this is perhaps especially relevant to any household with mid-teenage geeks running around). It's also worth noting that the boards in these TVs tend to have very little RAM, and run slow, low power processors (MIPS architecture for LG IIRC). Most of the interesting stuff is done in hardware.

Finally, for LG TVs with the USB port labelled "service port", do not touch. The port is missing protective circuitry and there are many documented cases of the TV's internals being fried by connecting active devices.


I worked for one of the big TV Makers and you're absolutely right. Brickville headed your way. Hell, we "bricked" some in the lab.

As for the processor, almost all of these high end TVs are MIPS procs, though I know for a fact some of the newer ones (last year or so) are now ARM. However, even the ARM systems are terribly slow. All of the magic of video decoding / encoding is handled in HW and the proc + SW is just barely able to show you a menu and maintain a list of channels / frequencies in the background.

Frankly, I don't imagine that most TV processors are running fast enough to get excited about. I think they were in the 400 MHz / 128 MB of RAM.


(OT, but I'm worried now:) Would using the "service port" on an LG TV purely as a powered USB port be a bad thing? (I've been using mine to power my speakers.)


At a loss to find a single web page now that you ask. The stuff I read was explicit about avoiding the TV's USB port unless it was specifically labelled a USB port. The last time I saw this was a post on Reddit from someone who'd killed their flatmate's TV via plugging stuff into the USB port, again an LG TV.

Apologies for the total lack of references.


If we're thinking about the same thread on reddit, that would be it:

http://www.reddit.com/r/AskReddit/comments/m16fd/i_kind_of_b...

Note that it was Vizio, not LG.



I've been playing with my Samsung HT-C5500 blu-ray player and 7.1 sound system that also runs Linux in my spare time (not that I've had a lot of spare time). The firmware is XOR-ciphered, but once you get past that it's similar to a FAT filesystem, but is in fact modified so you can't write to it and reassemble the firmware easily (I have an action to set up a VM with the ported RFS filesystem[1]).

My goal is to get a decent shell on that, then when I replace my TV later this year, root that and do some testing on HEC (HDMI Ethernet Channel) from inside an OS. There was some interesting research presented by Andy Davis of NGS at BHEU 12 earlier this year[2].

The scope for backdooring smart TVs is immense. These things are being used for video conferencing in businesses, as well as in homes, and people aren't checking them out to make sure they're not being used to get access to networks, or to bug rooms. Hopefully I'll have something ready in time for BSides London[3] next year.

[1] - http://wiki.samygo.tv/index.php5/RFS_file_system_support_for...

[2] - http://www.youtube.com/watch?v=3TuCrd8Kvus

[3] - http://www.securitybsides.org.uk/


Anyone who's tried this know if it's possible to extract the keys for the device's CI+ certificate? If so it's a bit of a loophole in the DRM...

(Ref: http://en.wikipedia.org/wiki/CI+ )


Interesting that it relies on a default password: "gemstar"

I knew I'd heard that name before associated with TVs, and it turns out they are a licensor of "interactive program guide technology to multichannel operators, such as cable and satellite television providers, and consumer electronics manufacturers." Maybe it was their code which is responsible?

Apparently they were bought by Macrovision, a name which I'm sure brings back as many happy memories of Chinese-made "video stabiliser devices" for many of you as it does for me.

EDIT: this speculation is backed by line 208 of the sploit:

    raise ExploitException('Guide did not accept password!')


Interesting that these Sony TVs run Linux. The Panasonic Viera line runs a version of FreeBSD.

I wonder if it's possible to run programs such as XBMC on these embedded systems and make it output the picture to the TV screen. I mean it's one thing to run some command line binaries, another thing to actually share the screen with the other software on the TV, like its menus.

Maybe connecting an HDMI cable from a port on the TV back to itself, on another port would work?


Probably not, most of these devices are old school embedded systems, doing most of the decoding via HW with slow processors, so many fancy things like XBMC are very out of the scope.

Probably in the next couple years, doing NNTP, BitTorrent, XBMC inside our TV could be a reality; now, not so much.


Wee bit OT...

I might be weird in this regard, but I've got a Samsung SMART TV, and well, the interface reminds me so much of what the Internet used to be like in the late 90s, early 2000s... I've been waiting for the day someone comes and changes it all.

Perhaps it'll be a hacker, hacking their TV, putting on their own firmware. That's the best kind of success.


All I want on my SMART TV is to set local channel numbers in my personal favorites. Currently setting a channel number changes it in all favorite lists.

Huge step back from my 10 year old sat receiver.


Mildly OT, but that script is a great example to show how beautiful Python code can be - so clean!

Link: https://github.com/CFSworks/nimue/blob/master/nimue.py


My 26ex320 got a software update last night. I reckon that it's a fix for this exploit.

The annoying thing is that this update pops up and yet we can't get 4od in the UK still and Sony just don't seem to care about the users.


Cool! But does anyone have a BusyBox binary to use? I'm having trouble compiling BusyBox on Lion.

    ...coreutils/Config.in:7: missing end statement for this entry
    archival/Config.in:7: missing end statement for this entry
    Config.in:12: missing end statement for this entry
    make[1]: * [config] Error 1
    make: * [config] Error 2
    ...


Have you thought about installing VirtualBox and then compiling it on a proper Linux VM? That might be the easiest way to go...


This is the best 'feature' to come along for quite some time. Reading through the comments turned up the "Samygo Project" aimed towards rooting Samsung televisions. I can't be the only one who's longed to have a dumb terminal with a big screen and lots of fancy inputs.


First open source routers running Linux. Next disruptive innovation: Open Source Linux TVs?


There's this:

http://www.ubuntu.com/devices/tv

And of course Google TV, but I don't think it will be open sourced until it moves to ICS (probably after this I/O).


Sony's been running Linux on TVs for a decade, at least. They provide GPLed code here: https://products.sel.sony.com/opensource/


I'd be really interested in reading a comment-annotated version of the nimue script.


The code is really easy to read. I think it is better to have such clear code than to have long (and stupid) texts.


It is indeed very nice and clear, but it would be very interesting to have a line by line walkthrough for non-hackers who don't know what any of it is doing.

Also these days there are probably even lots of professional programmers who haven't heard of zmodem and the like.


Anyone know what kind of hardware a Bravia has under the hood?


This is awesome. I'm going to try it later today :)


I think it's good that we are able to get root access to the devices now. It's a positive development that we can control these devices. It could get really popular if exploiting the TV gets easier for everybody and they could build an active homebrew community around it.



