Getting root on a Sony TV

The Sony Bravia series of HDTVs are a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.

The exploit itself is a regular buffer overflow initiated by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive, and all the Debian programs run correctly.

If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least now running XMBC or another media server on a TV is possible.

If anyone would like to start porting XMBC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one post a link in the comments.

Comments

  1. cknopp says:

    This is where Chromium would be great!

    I love that you can now root TVs as well!

  2. Black_Like_a_cat says:

    Just the ability to add new codecs so it can play .mkv files off the network would be great.

  3. Mark says:

    FAILURE: No connection could be made because the target machine actively refused it

    :(

    I had heard about 12345 being open on some older models but my 2010 model EX403 apparently isn’t up for it.

  4. J says:

    Freaking awesome.

  5. hellothere says:

    Well, there’s the samygo project that aims at modding Samsung TVs…good to see some work on Sony sets now too

  6. GinPB says:

    What kind of hardware does the Bravia TV have?

  7. nicholas says:

    Panasonic runs Linux, to my understanding, and the model I have has an SD card port for upgrading, no USB though. Any info on that?

  8. Golddigger says:

    I rooted my Samsung TV and found out it runs android…JK.

    Anyone hack a samsung yet?

  9. Neil Cherry says:

    Hmm, my Bravia has an ethernet port. Wonder if I still need the usb dongle?

    Well I’d better sit down and build busy box for the mips.

  10. johnny says:

    Sammy go anyone. samsung tv’s are hacked as well.

  11. BadHaddy says:

    I popped open my LG TV a while back to repair some blown caps in the PSU, I found a TTL level serial port and investigated. It too runs a MIPS chip and boots Linux. I fired off an email to LG and they actually sent me the source code. Never went anywhere with it but it was interesting to see Linux in such an unexpected place.

  12. garym53 says:

    sigh… I couldn’t get root in a brothel…

  13. Seth says:

    Hey, I know that guy! I KNOW A FAMOUS PERSON.

  14. Ned says:

    I would pay money to get XBMC running on my Sony Bravia!

  15. Lucas says:

    There doesn’t seem to be all that much documentation included in the git, so how does one go about running this on /any/ bravia tv?

  16. hak8or says:

    If anyone is interested, I did a teardown of a sony bravia a while ago, and I still have the components, so if I can help in any way by taking more detailed pictures (D5100 now), or sending actual boards, feel free to contact me! I would be happy to help! :)

    http://hak8or.com/projects/

    http://dangerousprototypes.com/forum/viewtopic.php?f=2&t=3397

  17. Mike says:

    This telnets to port 12345 on the TV to run a few commands. The port is open on my Bravia KDL52W5150 (a couple years old). I discovered port 12345 with wireshark a few years ago, but couldn’t find any documentation on the password. Interestingly enough, I still can’t find any info on the password on the Internet, but it’s in the python script: “gemstar”.

    I can verify that this isn’t working on a KDL52W5150. It’s able to log into the tv, but fails on the cp command.

    0d.00:07:27> cp lost+found test
    cp lost+found test
    Error 803
    0d.00:07:31>

    • Mike says:

      Weird, I’ve been messing with the CLI for a bit and I’m magically able to copy folders now. I did run the command “reset exception”, which I believe emulates an exception and causes the TV to reboot. I’m not sure if that has anything to do with why I’m able to copy folders now. Also, keep in mind that I have no idea what any of these commands actually do, so try them at your own risk. I think I’m at the point where I need to cross-compile busybox for mipsel. The pre-compiled version on busybox’s website does not work, see the output below when using that version.

      ~/Desktop/bravia/CFSworks-nimue-7f74653$/nimue.py 192.168.1.77
      Preparing… OK
      Connecting… OK
      Logging in… OK
      Creating exploit directory… OK
      Creating padding directory… OK
      Switching zmodem mode… OK
      Injecting stage1… OK
      Injecting stage2 and overflowing buffer… OK
      Giving stage2 a moment to set up… OK
      Connecting to stage2’s port… OK
      Uploading busybox… OK
      Giving busybox a moment to start… OK
      Connecting to busybox… OK
      Setting up Telnet server… Traceback (most recent call last):
      File "./nimue.py", line 312, in <module>
      nimue.run()
      File "./nimue.py", line 148, in run
      self.do_step('Setting up Telnet server', self.setup_telnet)
      File "./nimue.py", line 127, in do_step
      func(*args, **kwargs)
      File "./nimue.py", line 244, in setup_telnet
      d = self.sock.recv(1024)
      socket.error: [Errno 104] Connection reset by peer

      • CFSworks says:

        Hi!

        That can happen if you compile busybox without the “FEATURE_PREFER_APPLETS” configuration item set. I would suggest either building from my config file in the repository (busybox/config) or using the precompiled version in nimue-0.1.tar.bz2

        The awesome thing is, if you’ve made it this far, the exploit is already working for you. What is your TV and firmware version so I can record this in the docs?

      • Neil Cherry says:

        Works on my 2009 52W5150 ! I didn’t need the USB dongle.

      • Mike says:

        I didn’t notice the download in github, thanks for pointing that out. With your busybox, the script works as expected and I have root on the TV. Thanks for all of your work on this.

        TV Model: KDL52W5150
        Software Version: aa0194pn

  18. Phillip says:

    We can handle the hosting of the bravia root project, at hackzwiki.com.
    we have had a forum setup specifically for this for 2 months…

    http://www.hackzwiki.com/forum/index.php?board=140.0

  19. Huluer says:

    Neat! I wonder what kind of resources would be available. It would be pretty cool to run Hulu or Youtube directly on the TV itself, pulling straight from wifi!

  20. Steve Z says:

    This is a great first step! Keep on with it!

  21. fsiefken says:

    Neat, but it’s probably cheaper to jailbreak an appletv and hook it up to a cheap hdtv. Are the sound and graphics chip already recognized? It might be possible to create a custom kernel, boot and flash (or brick) the tv with it so mplayer can play directly on the tv itself.

  22. Philipp says:

    Is this confirmed to be working with USB-Ethernet only?
    I have a W5500, port 12345 seems to be closed with built in ethernet.
    Might chances be better with USB?

  23. w00dst0ck says:

    I think a list of confirmed working bravia models would help.

    Anyone found the filesystem location of the channel list?

  24. sergioambort says:

    Regrettably, last week I just got a new LG 32LK450 LCD instead of a Sony Bravia.

    It has a male DB9 serial input in the back but no instructions on how to use it. Also, it’s possible to download the open source code from http://opensource.lge.com.

    I would appreciate it if anybody can share some tips on how to connect and/or how to deal with the code.

    Best regards, Pescadito

  25. vs4vijay says:

    I have Sony Bravia BX35 Series HDTV…
    is this possible to root and get a shell???

    and does this void out guarantee???

  26. mclemme says:

    My Sony “KDL-40EX500” reboots/crashes when I do

    nmap -p 1-65535 192.168.0.x (tv IP)

    Wondered if there was a way get root on it, the user manual/license thingy says it uses a lot of different open source SW. Also think I’ll disable SW updates on my TV for now, just in case they fix it and roll out a firmware update.

    • mathewjhall says:

      The same happens with me on my KDL37EX503.

      Scanning the open port (52323) with nmap doesn’t do anything. After some random testing I’ve found that probing ranges 1-46000 doesn’t crash it, but 1-46001 does.

      Interestingly changing the range to 2-46002 doesn’t cause crashes, but probing port 46001 doesn’t do anything special.

      I think it’s probably a buffer overflow in the TCP stack, but that doesn’t explain why ranges of the same size but different start and end points don’t trigger it.

  27. Ryan says:

    Hopefully the internet connected Sanyo TVs will be next. (Although since there aren’t many out there, I won’t expect it.) Currently they only have netflix, vudu, pandora and then some other mostly useless stuff…

    And they don’t update it. It hasn’t changed content since I got it.

  28. Philippe says:

    After what happened to geohot, aren’t you afraid Sony will retaliate? lol

    I don’t buy Sony anymore, just because of what they did to this kid.

    • Neil Cherry says:

      Similar thinking here. I’ll also add that Sony has pretty much abandoned their product with lousy support. So far there’s been very little use of the ethernet port on the TV I bought. Sony has no dev kit to work with. The previous version was Japanese only and abandoned a short time after it was released. The TV can see my dlna server but it’s so limited in what it can view (need the exact audio & video codecs in the correct format). Too bad they failed to understand that by doing something like an Android phone they would have had a fun and useful product.

  29. beegee says:

    Do you have to have the TV connected to a router for DHCP, or is there a static subnet that you can configure for access to the TV?

  30. Average Joe says:

    Some instructions would be useful for the less experienced people.

    I have a European KDL-32V5500 from 2009 with the latest (withdrawn) firmware: 1.750EA. If I understand it right, when I boot the TV with a USB drive, it should execute nimue.py from the root (so has a Python interpreter and looking for this magic file) which should inject the required payloads, start the busybox/busybox binary and look for Telnet access?

    Tried it with a few modifications (busybox binary in the root), but nothing happened. Tried to Telnet into the TV (have a wired connection through a router, not really useful but I can transcode stuff from PS3 Media Server, so probably there are no firewalled ports and I assume this connection isn’t worse than a wireless one with a USB adapter) with PuTTY and Windows Telnet on port 23 and port 12345, but there was no answer or prompt for the password.

    I’m stuck. :(

    • mathewjhall says:

      You’re supposed to run this from your machine, it connects to the TV via the network, sends the payload, and runs it.

      If port 12345 isn’t open it won’t work. Have you made sure PuTTY is set to use the telnet protocol rather than SSH when you try port 12345?

      • Average Joe says:

        Got it after reading the second time, unfortunately jumped on it too quickly, thought that it’s a plug and play solution, and there was no way to cancel my stupid comment. :(

        The port was correct, the setup wasn’t, either the vulnerability was removed from the EU firmwares or is only exploitable the described way with a USB network adapter. (And the Python script exited with an error under the latest Windows install, so I wasn’t able to run it. Anyway since port 12345 isn’t open for me, I guess it would be useless on my setup.)

        I hope things will lead somewhere, and a more useful custom firmware will pop out one day. Sony really abandoned the 2009 EU models right after the release.

  31. sergioambort says:

    There are other resources for LG open sources
    http://www.lg-hack.info/
    http://plexapp.com/press_LG.php
    http://douglas.sourceforge.net (LGTV embedded OS)

  32. SilentBob says:

    Linux source code used by Sony found here:

    http://www.sony.net/Products/Linux/TV/category03.html

  33. Harley says:

    Do these Sony TVs support OpenGL ES or other GPU 3D hardware accelerated rendering that XBMC requires?

    By the way, it is XBMC, not XMBC. As in formerly XBox Media Center, not XMedia Box Center ;P

  34. H_C_K says:

    Bravia KDL-40EX725 not working :((

    even port 12345 not open

    I’ve tried to telnet with ports from 1 to 65535
    I’ve made a bash loop for this and telnet was successful only on open ports, but these ports were 80, 2 ports of upnp and 1 port 52323/tcp, I don’t know what this is ….

    open ports on my TV (LAN and WiFi)
    PORT STATE SERVICE
    80/tcp open http
    8963/tcp open unknown
    9784/tcp open unknown
    52323/tcp open unknown

  35. stephengeorgewest says:

    I did notice that my KDL-46s4100 wouldn’t finish booting when I left my nook on the “service only” port after charging a while ago. Grabbing usb-ethernet now.

  36. mon says:

    Did anyone try this with KDL HX805 series?
    I have an 46HX805 and will try on the weekend.

  37. mon says:

    Ok i tried with my KDL-46HX805
    There are 2 open ports i could find:

    Host is up (0.0060s latency).
    Not shown: 64999 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown

    I tried both with the following results:

    Port 9784
    python Sony.py 192.168.1.33
    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: Guide did not accept password!

    and Port 52323

    python Sony.py 192.168.1.33
    Preparing… OK
    Connecting… FAILURE: Connection refused

    I tried over my 100 Mbit network going over a
    switch. Would that work or do i need to go via the USB/ network adaptor (or direct cable??)?

    Also what does “Guide did not accept password!” tell me?

  38. kodemunky says:

    I’m working with KDL-32EX700. Port 12345 is open, I can login with gemstar. Initial run of nimue hits error with cp command.

    If I login via telnet and create lost+found by cd’ing into /, exec’ing ‘cp RW junk’, then cd RW, ‘cp junk lost+found’, then I can run the script and get a little further.

    Now, it gets to ‘Connecting to stage2’s port…’

    I get “Connection refused’, and then the TV reboots. I suspect the buffer overflow is either crashing the TV directly, or that some code that is running after a successful overflow causes the crash.

    Still poking around, but appreciate any suggestions…

  39. eckyecky says:

    I have KDL55EX720.

    Ports open are
    80 (DLNA presentation I think)
    8963 (UPnP)
    9784 (UPnP)
    52323 (Unknown)

    Using putty to telnet into 52323 causes a remote disconnect.

  40. robotb says:

    Could somebody please post a way to compile a suitable busybox for use with this exploit? TIA

  41. kodemunky says:

    Check the Downloads link on the nimue github page for a .tgz containing a ready-made busybox. If this doesn’t meet your needs, you must set up a cross-compilation environment for mips and build your own.

  42. robotb says:

    Sony Bravia
    KDL-32EX403
    sw: PKG4.110EUL-0108

    Connected via ethernet (no USB dongle).

    Nmap – Not shown: 65533 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown

    trying 9784

    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: Guide did not accept password!

    trying 52323 –

    ./nimue.py 192.168.1.xxx
    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: TV unexpectedly closed connection

  43. henrik says:

    any more news on this project, has a forum/webpage been created yet? where we can track the process?

  44. henrik says:

    srt subtitles on sony would be soooo nice.

  45. acassis says:

    Unfortunately port 12345 is not open in 40NX715:

    # nmap -sT -p 1-65000 192.168.1.120

    Starting Nmap 5.21 ( http://nmap.org )
    Nmap scan report for braviaxxx.lan (192.168.1.120)
    Host is up (0.020s latency).
    Not shown: 64999 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown
    MAC Address: xx:xx:xx:xx:xx:xx (Mitumi Electric CO.)

    Nmap done: 1 IP address (1 host up) scanned in 37.91 seconds

    Need to find out an alternative.

  46. Juun says:

    Doesn’t work on my KDL-32EX709 with PKG4.110EUL-0108

    Nmap shows 9784 and 52323. Same result as “mon” on June 28, 2012 at 9:17 am.

    Why isn’t there more information about this exploit? I think it’s a really big thing!

  47. Steve S says:

    Sony have probably closed any backdoors, as linux is getting more known and they get smarter. Linksys as interface with any tv is better and the interfaces are getting cheap as miniX for $70, with all the programmability and software linux can supply with full internet connectivity.

    • henrik tranaes says:

      3 things why you want to run it native on the TV
      1. Same remote for all functions.
      2. Same interface for TV and media player
      3. No Cables for external device such as HDMI & power
      all in all higher WAF factor with integrated linux xmbc

  48. Zelenka says:

    I have a feeling sony closed port 12345 in a recent firmware update. It was definitely open on my TV not too long ago and now it’s suddenly refusing all connections on that port.. bummer =\

  49. chenxiaolong says:

    Does anyone know how to downgrade the firmware on a Sony Bravia KDL-46z5100?

    I didn’t have enough time to block the TV’s internet access after it said that there was a mandatory update.

    The new firmware is version aa0206pf, which rejects connections on port 12345. The previous aa0195fn firmware worked.

    On another note, there have been reports that the KDL-46v5100, a very similar model, can be downgraded.

    Thanks in advance!

  50. e3k says:

    with this hack can i fix the ‘This TV only support JPEG YCbCr 422/420 formats, JPEG YCbCr 444 is not supported’ issue? whole story@http://www.sony-asia.com/support/faq/445536# thx
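
An added example, not part of the original post, the comments, or the nimue project: the thread reports that the service the script logs into listens on TCP 12345 and that later firmware refuses connections on it, so this audit reads nmap normal-format output (the format pasted in the comments) and flags any scanned host where that port is still open. The sample scan text and its addresses are constructed, and treating 12345 as the port to watch is an assumption taken from the comments, not from vendor documentation.

```python
import re

# Port of the login service described in the comments (assumption from the thread).
LEGACY_PORT = 12345

# Constructed sample in nmap's normal output format; hosts and addresses are made up.
SAMPLE_SCAN = """\
Nmap scan report for tv-livingroom.lan (192.168.1.50)
Host is up (0.0060s latency).
Not shown: 64997 closed ports
PORT      STATE SERVICE
9784/tcp  open  unknown
12345/tcp open  unknown
52323/tcp open  unknown

Nmap scan report for 192.168.1.51
Host is up (0.020s latency).
PORT      STATE  SERVICE
80/tcp    open   http
12345/tcp closed unknown
52323/tcp open   unknown
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {host: {tcp_port: state}} parsed from nmap normal output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP address when nmap prints "name (ip)".
            current = hosts.setdefault(m.group(2) or m.group(3), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "tcp":
            current[int(m.group(1))] = m.group(3)
    return hosts


def audit(text, port=LEGACY_PORT):
    """Map each scanned host to EXPOSED, CHECK or OK for the given port.

    nmap folds closed ports into the "Not shown" summary, so a missing
    entry counts as OK only if the scan range actually covered the port.
    """
    findings = {}
    for host, ports in parse_nmap(text).items():
        state = ports.get(port, "not-listed")
        if state == "open":
            findings[host] = "EXPOSED"   # service reachable: update or isolate the TV
        elif "filtered" in state:
            findings[host] = "CHECK"     # a firewall hid the answer; verify locally
        else:
            findings[host] = "OK"
    return findings


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_SCAN).items():
        print(f"{host}: {verdict}")
```
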
