Getting Root On A Sony TV

The Sony Bravia series of HDTVs are a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.

The exploit itself is a regular buffer overflow triggered by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port and provides complete root access. [Sam] was able to get a Debian install running off a USB drive, and all the Debian programs run correctly.

If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least running XBMC or another media server on the TV is now possible.

If anyone would like to start porting XBMC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one, post a link in the comments.
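Most of the discussion below is about which sets still expose the port-12345 debug console (the one the script logs into with a fixed password) versus only the UPnP/renderer ports. As an added example that is not part of the original post or of [Sam]’s nimue script, here is a small inventory check that parses an nmap port table like the ones posted in the comments and rates what is exposed; the port descriptions and severities are this editor’s reading of the thread, and the two scan reports are constructed samples.

```python
import re

# Ports reported on Bravia sets in the comment thread, as this editor reads it.
# 12345 is the undocumented console with a fixed password that the root exploit
# drives, so any LAN peer reaching it can root the set; 52323 is the port that
# several posters say drops connections or reboots the TV when probed.
KNOWN_PORTS = {
    80: ("http / DLNA presentation", "info"),
    8963: ("UPnP", "info"),
    9784: ("UPnP / phone-remote control", "info"),
    12345: ("undocumented debug console, fixed password", "high"),
    52323: ("renderer service; reported to disconnect or reboot the set", "medium"),
}
SEVERITY_ORDER = {"none": 0, "info": 1, "review": 2, "medium": 3, "high": 4}

# One row of nmap's plain-text table: "9784/tcp open unknown"
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)


def parse_nmap_ports(report):
    """Return {port: state} from nmap's 'PORT STATE SERVICE' table text."""
    return {int(port): state for port, _proto, state, _svc in PORT_LINE.findall(report)}


def assess(ports):
    """List (port, severity, description) for every open port, lowest port first."""
    findings = []
    for port, state in sorted(ports.items()):
        if state != "open":
            continue
        desc, sev = KNOWN_PORTS.get(port, ("not seen in the thread; look into it", "review"))
        findings.append((port, sev, desc))
    return findings


def highest_severity(findings):
    """Worst severity present, or 'none' when nothing is open."""
    return max((sev for _p, sev, _d in findings), key=SEVERITY_ORDER.get, default="none")


# Constructed sample reports modelled on the scans posted in the comments.
OLD_FIRMWARE_SCAN = "PORT STATE SERVICE\n9784/tcp open unknown\n12345/tcp open unknown\n52323/tcp open unknown\n"
NEW_FIRMWARE_SCAN = "PORT STATE SERVICE\n80/tcp open http\n9784/tcp open unknown\n52323/tcp open unknown\n"

if __name__ == "__main__":
    for name, report in (("old firmware", OLD_FIRMWARE_SCAN), ("new firmware", NEW_FIRMWARE_SCAN)):
        found = assess(parse_nmap_ports(report))
        print(name, highest_severity(found), found)
```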

138 thoughts on “Getting Root On A Sony TV”

  1. FAILURE: No connection could be made because the target machine actively refused it

    :(

    I had heard about 12345 being open on some older models but my 2010 model EX403 apparently isn’t up for it.

      1. PORT STATE SERVICE
        9784/tcp open unknown
        52323/tcp open unknown
        MAC Address: 78:84:3C:50:B2:09 (Unknown)
        Device type: general purpose
        Running: Linux 2.6.X
        OS details: Linux 2.6.22

        Those ports are used for network remote control (smartphone app kinda thing) and for renderer function. Nothing too fun unfortunately.

        Has inspired me to download firmware and try to decode it tho, and perhaps work out if there are firewall rules I can work my way around.

  2. I popped open my LG TV a while back to repair some blown caps in the PSU, I found a TTL level serial port and investigated. It too runs a MIPS chip and boots Linux. I fired off an email to LG and they actually sent me the source code. Never went anywhere with it but it was interesting to see Linux in such an unexpected place.

  3. This telnets to port 12345 on the TV to run a few commands. The port is open on my Bravia KDL52W5150 (a couple years old). I discovered port 12345 with wireshark a few years ago, but couldn’t find any documentation on the password. Interestingly enough, I still can’t find any info on the password on the Internet, but it’s in the python script: “gemstar”.

    I can verify that this isn’t working on a KDL52W5150. It’s able to log into the TV, but fails on the cp command.

    0d.00:07:27> cp lost+found test
    cp lost+found test
    Error 803
    0d.00:07:31>

    1. Weird, I’ve been messing with the CLI for a bit and I’m magically able to copy folders now. I did run the command “reset exception”, which I believe emulates an exception and causes the TV to reboot. I’m not sure if that has anything to do with why I’m able to copy folders now. Also, keep in mind that I have no idea what any of these commands actually do, so try them at your own risk. I think I’m at the point where I need to cross-compile busybox for mipsel. The pre-compiled version on busybox’s website does not work, see the output below when using that version.

      ~/Desktop/bravia/CFSworks-nimue-7f74653$ ./nimue.py 192.168.1.77
      Preparing… OK
      Connecting… OK
      Logging in… OK
      Creating exploit directory… OK
      Creating padding directory… OK
      Switching zmodem mode… OK
      Injecting stage1… OK
      Injecting stage2 and overflowing buffer… OK
      Giving stage2 a moment to set up… OK
      Connecting to stage2’s port… OK
      Uploading busybox… OK
      Giving busybox a moment to start… OK
      Connecting to busybox… OK
      Setting up Telnet server… Traceback (most recent call last):
        File "./nimue.py", line 312, in <module>
          nimue.run()
        File "./nimue.py", line 148, in run
          self.do_step('Setting up Telnet server', self.setup_telnet)
        File "./nimue.py", line 127, in do_step
          func(*args, **kwargs)
        File "./nimue.py", line 244, in setup_telnet
          d = self.sock.recv(1024)
      socket.error: [Errno 104] Connection reset by peer

      1. Hi!

        That can happen if you compile busybox without the “FEATURE_PREFER_APPLETS” configuration item set. I would suggest either building from my config file in the repository (busybox/config) or using the precompiled version in nimue-0.1.tar.bz2.

        The awesome thing is, if you’ve made it this far, the exploit is already working for you. What is your TV and firmware version so I can record this in the docs?

      2. I didn’t notice the download in github, thanks for pointing that out. With your busybox, the script works as expected and I have root on the TV. Thanks for all of your work on this.

        TV Model: KDL52W5150
        Software Version: aa0194pn

  4. Neat, but it’s probably cheaper to jailbreak an appletv and hook it up to a cheap hdtv. Are the sound and graphics chips already recognized? It might be possible to create a custom kernel, boot and flash (or brick) the tv with it so mplayer can play directly on the tv itself.

  5. Regrettably, last week I just got a new LG 32LK450 LCD instead of a Sony Bravia.

    It has a male DB9 serial input on the back but no instructions on how to use it. Also it’s possible to download the open source code from http://opensource.lge.com.

    I will appreciate it if anybody can share some tips on how to connect and/or how to deal with the code.

    Best regards, Pescadito

  6. My Sony “KDL-40EX500” reboots/crashes when I do

    nmap -p 1-65535 192.168.0.x (tv IP)

    Wondered if there was a way to get root on it; the user manual/license thingy says it uses a lot of different open source SW. Also think I’ll disable SW updates on my TV for now, just in case they fix it and roll out a firmware update.

    1. The same happens with me on my KDL37EX503.

      Scanning the open port (52323) with nmap doesn’t do anything. After some random testing I’ve found that probing ranges 1-46000 doesn’t crash it, but 1-46001 does.

      Interestingly changing the range to 2-46002 doesn’t cause crashes, but probing port 46001 doesn’t do anything special.

      I think it’s probably a buffer overflow in the TCP stack, but that doesn’t explain why ranges of the same size but different start and end points don’t trigger it.

  7. Hopefully the internet connected Sanyo TVs will be next. (Although since there aren’t many out there, I won’t expect it.) Currently they only have netflix, vudu, pandora and then some other mostly useless stuff…

    And they don’t update it. It hasn’t changed content since I got it.

    1. Similar thinking here. I’ll also add that Sony has pretty much abandoned their product with lousy support. So far there’s been very little use of the ethernet port on the TV I bought. Sony has no dev kit to work with. The previous version was Japanese only and abandoned a short time after it was released. The TV can see my dlna server but it’s so limited in what it can view (need the exact audio & video codecs in the correct format). Too bad they failed to understand that by doing something like an Android phone they would have had a fun and useful product.

      1. Hi Neil,

        Is a Linux PC a must?
        Can a Windows PC use the telnet client to connect to the Sony Bravia through the USB network adapter?
        Sorry for the noob question, I am a complete noob with Telnet.

  8. Some instructions would be useful for the less experienced people.

    I have a European KDL-32V5500 from 2009 with the latest (withdrawn) firmware: 1.750EA. If I understand it right, when I boot the TV with a USB drive, it should execute nimue.py from the root (so it has a Python interpreter and looks for this magic file), which should inject the required payloads, start the busybox/busybox binary and look for Telnet access?

    Tried it with a few modifications (busybox binary in the root), but nothing happened. Tried to Telnet into the TV (have a wired connection through a router, not really useful but I can transcode stuff from PS3 Media Server, so probably there are no firewalled ports and I assume this connection isn’t worse than a wireless one with a USB adapter) with PuTTY and Windows Telnet on port 23 and port 12345, but there was no answer or prompt for the password.

    I’m stuck. :(

    1. You’re supposed to run this from your machine, it connects to the TV via the network, sends the payload, and runs it.

      If port 12345 isn’t open it won’t work. Have you made sure PuTTY is set to use the telnet protocol rather than SSH when you try port 12345?

      1. Got it after reading the second time, unfortunately jumped on it too quickly, thought that it’s a plug and play solution, and there was no way to cancel my stupid comment. :(

        The port was correct, the setup wasn’t, either the vulnerability was removed from the EU firmwares or is only exploitable the described way with a USB network adapter. (And the Python script exited with an error under the latest Windows install, so I wasn’t able to run it. Anyway since port 12345 isn’t open for me, I guess it would be useless on my setup.)

        I hope things will lead somewhere, and a more useful custom firmware will pop out one day. Sony really abandoned the 2009 EU models right after the release.

  9. Do these Sony TVs support OpenGL ES or other GPU 3D hardware accelerated rendering that XBMC requires?

    By the way, it is XBMC, not XMBC. As in formerly XBox Media Center, not XMedia Box Center ;P

  10. Bravia KDL-40EX725 not working :((

    even port 12345 not open

    I’ve tried to telnet to ports from 1 to 65535.
    I made a bash loop for this and telnet was successful only on open ports, but these ports were 80, 2 ports of upnp and 1 port, 52323/tcp, which I don’t know what this is ….

    open ports on my TV (LAN and WiFi)
    PORT STATE SERVICE
    80/tcp open http
    8963/tcp open unknown
    9784/tcp open unknown
    52323/tcp open unknown

  11. I did notice that my KDL-46s4100 wouldn’t finish booting when I left my nook on the “service only” port after charging a while ago. Grabbing usb-ethernet now.

  12. OK, I tried with my KDL-46HX805.
    There are 2 open ports I could find:

    Host is up (0.0060s latency).
    Not shown: 64999 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown

    I tried both with the following results:

    Port 9784
    python Sony.py 192.168.1.33
    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: Guide did not accept password!

    and Port 52323

    python Sony.py 192.168.1.33
    Preparing… OK
    Connecting… FAILURE: Connection refused

    I tried over my 100 Mbit network going over a
    switch. Would that work or do I need to go via the USB/network adaptor (or direct cable??)?

    Also what does “Guide did not accept password!” tell me?

  13. I’m working with KDL-32EX700. Port 12345 is open, I can login with gemstar. Initial run of nimue hits error with cp command.

    If I login via telnet and create lost+found by cd’ing into /, exec’ing ‘cp RW junk’, then cd RW, ‘cp junk lost+found’, then I can run the script and get a little further.

    Now, it gets to ‘Connecting to stage2’s port…’

    I get “Connection refused”, and then the TV reboots. I suspect the buffer overflow is either crashing the TV directly, or that some code that is running after a successful overflow causes the crash.

    Still poking around, but appreciate any suggestions…

  14. I have KDL55EX720.

    Ports open are
    80 (DLNA presentation I think)
    8963 (UPnP)
    9784 (UPnP)
    52323 (Unknown)

    Using putty to telnet into 52323 causes a remote disconnect.

  15. Check the Downloads link on the nimue github page for a .tgz containing a ready-made busybox. If this doesn’t meet your needs, you must set up a cross-compilation environment for mips and build your own.

  16. Sony Bravia
    KDL-32EX403
    sw: PKG4.110EUL-0108

    Connected via ethernet (no USB dongle).

    Nmap – Not shown: 65533 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown

    trying 9784

    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: Guide did not accept password!

    trying 52323 –

    ./nimue.py 192.168.1.xxx
    Preparing… OK
    Connecting… OK
    Logging in… FAILURE: TV unexpectedly closed connection

  17. Unfortunately port 12345 is not open in 40NX715:

    # nmap -sT -p 1-65000 192.168.1.120

    Starting Nmap 5.21 ( http://nmap.org )
    Nmap scan report for braviaxxx.lan (192.168.1.120)
    Host is up (0.020s latency).
    Not shown: 64999 closed ports
    PORT STATE SERVICE
    9784/tcp open unknown
    52323/tcp open unknown
    MAC Address: xx:xx:xx:xx:xx:xx (Mitumi Electric CO.)

    Nmap done: 1 IP address (1 host up) scanned in 37.91 seconds

    Need to find out an alternative.

  18. Doesn’t work on my KDL-32EX709 with PKG4.110EUL-0108

    Nmap shows 9784 and 52323. Same result as “mon” on June 28, 2012 at 9:17 am.

    Why isn’t there more information about this exploit? I think it’s a really big thing!

  19. Sony have probably closed any backdoors, as Linux is getting more known and they get smarter. Linksys as an interface with any TV is better and the interfaces are getting cheap, as miniX for $70, with all the programmability and software Linux can supply, with full internet connectivity.

    1. 3 reasons why you want to run it natively on the TV:
      1. Same remote for all functions.
      2. Same interface for TV and media player.
      3. No cables for an external device such as HDMI & power.
      All in all, a higher WAF factor with integrated Linux XBMC.

  20. I have a feeling Sony closed port 12345 in a recent firmware update. It was definitely open on my TV not too long ago and now it’s suddenly refusing all connections on that port.. bummer =\

  21. Does anyone know how to downgrade the firmware on a Sony Bravia KDL-46z5100?

    I didn’t have enough time to block the TV’s internet access after it said that there was a mandatory update.

    The new firmware is version aa0206pf, which rejects connections on port 12345. The previous aa0195fn firmware worked.

    On another note, there have been reports that the KDL-46v5100, a very similar model, can be downgraded.

    Thanks in advance!

  22. With this hack can I fix the ‘This TV only support JPEG YCbCr 422/420 formats, JPEG YCbCr 444 is not supported’ issue? Whole story at http://www.sony-asia.com/support/faq/445536# thx
