Getting Root On A Sony TV

The Sony Bravia series of HDTVs are a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.

The exploit itself is a regular buffer overflow initialized by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive and all the Debian programs run correctly.

If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least running XBMC or another media server on a TV is now possible.

If anyone would like to start porting XBMC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one, post a link in the comments.

138 thoughts on “Getting Root On A Sony TV”

  1. KDL-40EX40B

    Is there any way to modify the video decoder to read other file formats? I am using the PIVOS AIOS box to stream video since the DLNA is limited to about three video formats. Most of my video is .avi, .mkv, and .mp4. I also have a few .vob.

  2. I have a KDL 40HX805

    when I execute

    telnet 192.168.2.24 52323
    i get this

    Connected to 192.168.2.24.
    Escape character is ‘^]’.

    When I do nothing, after a few seconds the connection will be closed by the TV.

    when I type any key (i.e. space) I get this

    HTTP/1.1 400 Bad Request
    Connection: close
    Date: Sat, 05 Jan 2013 11:00:08 GMT
    Server: Linux/2.6 UPnP/1.0 KDL-40HX805/1.7
    X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-40HX805″; mv=”1.7″;
    X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-40HX805″;

    Maybe this gives some ideas for you …

  3. Is there a way to get Simulview working, or at least getting the IR transmitter to send left/left and right/right codes to the Sony glasses? Getting tired of waiting for Sony to do the update, especially when it’s all over the web of others using HDMI detective and such to use Simulview… one kid was able to get a Sony tablet to mimic the IR codes as well. It is really coming to be evident that Sony is limiting Simulview use by restricting authorized EDID codes from the Bravia TVs.

    http://community.sony.com/t5/Television-Picture-Sound/SimulView-Updates-For-Bravia-Question-Query/m-p/45511

  5. Hey… I’m not a techno geek but really into it for some devices. My Sony KLV-32BX300 runs only .mpg video files. If anyone has any idea how to install additional format codecs into it, please do help. Please. (abuzerali@hotmail.com).

  6. I have a BRAVIA KDL-46NX720
    when I execute

    telnet 192.168.2.5 52323
    i get this

    Connected to 192.168.2.5.
    Escape character is ‘^]’.

    When I do nothing, after a few seconds the connection will be closed by the TV.

    when I type any key following output appears

    HTTP/1.1 400 Bad Request
    Connection: close
    Date: Sat, 10 Aug 2013 04:32:18 GMT
    Server: Linux/2.6 UPnP/1.0 KDL-46NX720/1.7
    X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-46NX720″; mv=”1.7″;
    X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-46NX720″;
    Connection to host lost.

  7. Hypothesis – Highly suspect any Cable Box-DVR when connected to a smart TV can and currently is being used as a gateway to access files on a connected USB Drive or similar connected device thru a cable network. IE big brother.. Now to prove it!

    1. There is already confirmation via Facebook partners IT that have a patent for a Wi-Fi based Lidar type system to generate 3D models of residential homes and people inside for elderly people’s safety and suspicious activity.

  8. angelomert are these the keys that you’re on about?

    develop.key

    E : 03
    KEYID : 0
    HASHTYPE : SHA1

    PRODUCTION.KEY

    E : 03
    KEYID : 0.0
    HASHTYPE : SHA1

    # Cryptocore 3.x key rights:
    # KEYRIGHTS : SIGN_IRAM

    If they are the right ones I’ll upload them if of any help to anyone.

  9. Hi all! Thanks a lot for all this!
    I want to log onto my bravia KDL-40W605B, using wifi and a computer running Ubuntu.
    How can I?
    One interesting thing: when I had set up my wifi internet connection with the bravia, I created an allow exception on my access point wifi allowed device list, using the MAC address I found on my bravia using its own properties.
    Guess what? The MAC address provided with the tv, inside the tv, wasn’t correct!
    I had to deactivate wifi protections on the access point, so every device could access it, I found out the correct MAC address of the tv wifi card using Fing from my android smartphone and then wrote it down correctly and restored the allowed devices!

  10. Hi all! I have a Bravia KDL-40W605B.
    I couldn’t connect to my access point wifi, because the MAC address
    I read inside the tv Settings was INCORRECT!!!
    I had to allow every device to access my wifi, let the tv connect to
    it and then find out my tv correct MAC address using Fing from my android smartphone!
    I would love to run nimue.py on my tv, but how? Up to now I’m only at this point:

    ale@beast:~$ sudo nmap -sP 192.168.0.0/24
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-07 16:36 CET
    […]
    Nmap scan report for 192.168.0.8
    Host is up (0.050s latency).
    MAC Address: 38:B1:DB:6E:9B:DD (Unknown)
    […]
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.36 seconds
    ale@beast:~$

    ale@beast:~$ nmap 192.168.0.8 -p0-60000
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-07 16:45 CET
    Nmap scan report for 192.168.0.8
    Host is up (0.044s latency).
    Not shown: 59995 closed ports
    PORT STATE SERVICE
    80/tcp open http
    20031/tcp filtered unknown
    41824/tcp open unknown
    42824/tcp open unknown
    52323/tcp open unknown
    54400/tcp open unknown

    Nmap done: 1 IP address (1 host up) scanned in 25.96 seconds
    ale@beast:~$

    What can I do?

  11. I have a Sony KDL-22EX420 TV and I downloaded the source code too. Please let me know how to compile that source code, i.e. how to make the .bin file (firmware PKG4.027GAA). I want to port VLC player to my TV.

  12. Any news, then?
    I’m still trying to figure out how to log into my tv using telnet.
    My own goal would be to install just a browser that plays flash content and a media player.
    Please help, as I’m completely stuck and still did nothing more than a portscan in my own private house network. You can mail me.

    1. Thank you for this useful information. I have a KDL-32W653 with PKG4.491EUB firmware on-board. I wasn’t able to do anything special but standard features because of all restrictions. Little OTs: It is also a real pity the Opera browser works only on HTML5, not including the Flash Player plugin. I was only able to access its DB of video recordings via SQLite on my iMac. Video recordings on external HDD are in encrypted M2TS AVCHD file format. Has any of you decrypted it or know how to do it?

  13. Hi, I recently got a KDL-32W700B. I am interested in modding/updating the OS. Trying to figure out if it is possible to install Android or WebOS on this tv.

    I ran nmap with the following output.

    $ nmap 192.168.2.14 -p0-60000

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-15 13:23 BDT
    Strange error from connect (49):Can’t assign requested address
    Nmap scan report for 192.168.2.14
    Host is up (0.046s latency).
    Not shown: 57047 closed ports, 2949 filtered ports
    PORT STATE SERVICE
    80/tcp open http
    39835/tcp open unknown
    41824/tcp open unknown
    52323/tcp open unknown
    54400/tcp open unknown

    Nmap done: 1 IP address (1 host up) scanned in 150.51 seconds

    If anyone is interested in running other tests just let me know. I will help.

    Thanks in advance

  14. Hi, I’m also interested in this; this is what I found:
    -The web browser is Opera; file:// is blocked and also opera:, but not opera:about, so you can find out the Opera version, the type of system (Linux MIPS) and some info about directories (preferences, Opera directory, etc.)
    -The “registered” USB flash drive can be read by Linux; the Sony Bravia formats it into 3 partitions:
    -two contain: 0001.db (SQLite database of rec, editable at 100%), 0001.enc (I do not know what it’s for),
    0001.sdt (empty file), VER.enc (I do not know what it’s for) and VERSION (simply contains 1.00)
    -the third contains a folder called “stream” which contains the encrypted rec.
    The first rec is called 01000000.00,
    the second 01000001.00 and so on.
    If a record is very long it’s divided into parts:
    0100000N.00
    0100000N.01
    etc.

    I have two TVs that have Opera 11.60 and one that has 11.00. I’ve tried some exploits found on exploit-db but they didn’t work :(

    If someone has some idea, a TV with a very old Opera version, or of course a TV on which the exploits of Sam still work, please reply to me; I will receive a notification.

  15. Hi All!
    I have a Sony Bravia KDL-40EX650. The 12345 port is closed, but Sony says on their website that there’s the possibility to update the firmware from a USB drive. So, I found the source code of the firmware on Sony’s website and I want to translate it to the necessary .bin firmware file. My question is, how can I do this? If it’s possible, then we can modify the source code, then update through USB and that’s it.

    I really want external subtitles through DLNA!

  16. Hi Rapid,
    Let me explain the whole picture to you:

    The source code Sony releases on its web site is just the source code of the Linux kernel. Imagine it like a blueprint of a car’s engine. Even if you build the engine (“translate” source code to bin, in your words) you don’t have a car!

    You will need the drivers to interact with the TV tuner etc., you will need the user interface (UI) applications, etc.

    Then, responding to your question: to “translate” source code to .bin you will need a toolchain (with the GCC compiler), but more than that you will need to learn how to develop a Linux Embedded System. It takes time, you will need to dedicate your time to doing it, and the learning curve is steep, especially for people who are not programmers yet.

    You can find some material about Linux embedded systems here: http://free-electrons.com/docs/

    Now the really bad news: even if you build the .bin you cannot put it on a USB stick and get the TV to update its original firmware with your firmware. Sony (and all other companies) puts some protections in place to prevent someone from just replacing the original firmware, for security reasons. You need to sign your .bin firmware with the Sony certificate; because their certificate is their secret, you cannot sign your firmware. The other option is if someone finds a fault in the Sony bootloader and discovers a way to bypass the signature process, but that hasn’t happened yet.

  17. Guys, I need help. I accidentally flashed the wrong firmware, 1.539 from INDIA, but the latest firmware for my country M’SIA is 1.139.

    FYI, Sony won’t allow a downgrade if it detects the current firmware version is higher, so I would like to edit the firmware on 1.139 & change it to a newer version like e.g. 1.6 (something like that to trick Sony from detecting the actual version).

    My 4 HDMI ports are not working due to the wrong firmware version. Thanks.

    Regards,
    Ken

  18. I have a Sony kdl-42-w900. It is not 3D, and it does not have wifi (hence, it is not a smart TV). Please, someone tell me how I can upgrade its software. I want to customize it, change its theme and change the background image of the menu. I am becoming bored of it. Can anyone help?

  19. Hello is it possible to root the Sony Bravia directly by connecting an Android smartphone and then run the script? Or can I use smartphone wifi tethering? I don’t have the network adapter at the moment. Thanks.

  20. So, I was experimenting with trying to look for vulnerabilities for my KDL-32EX650 running firmware PKG2.12EUA-0002 (which was updated Over-The-Air a while ago, previous firmwares used to support 3D but it was removed in this one as far as I recall) and have come to two possible back doors that might give us an opening:

    1) When a USB wireless mouse + keyboard combo is connected, the mouse can be used in the browser, however, when trying to press any key on the keyboard, the TV says that the device is not supported.

    2) The RSS widget can fetch RSS data from any provided URL. Maybe this can be used to download and execute code? I tried making my own RSS link with http://fetchrss.com/ containing a download – I could see the text for the download but was not able to click on the link.

    I tried to access port 12345 on the TV IP address but it was closed. I get the message “not found” when accessing the IP address of the TV.

    Hope this information can help out someone.

  21. Hi, thanks for this amazing script. Could you please give me a download link for the busybox? I searched the whole web for this file nimue-0.1.tar.bz2 but couldn’t find it either on github or anywhere else. Thank you!

    I can connect to the TV through ethernet cable. Here is the output:

    telnet 169.254.78.252 52323
    Trying 169.254.78.252…
    Connected to 169.254.78.252.
    Escape character is ‘^]’.
    id
    HTTP/1.1 400 Bad Request
    Connection: close
    Date: Thu, 01 Jan 1970 00:06:29 GMT
    Server: RTOS/1.0 UPnP/1.0 KDL-40W5500 /1.7
    X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-40W5500 “; mv=”1.7”;
    X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-40W5500 “;

    Connection closed by foreign host.

    It looks like only port 52323 is open on my Sony BRAVIA KDL-40W5500
    Scanning all ports with nmap crashes the TV…
    nmap -p 0-65535 169.254.78.252

    That’s a weird IP address right? I was expecting an IP address like 192.168.1.1 or something.
    This is the IP that’s shown in the “Network Settings” on the TV.
    To get the TV’s IP to show up you might have to click on “Network Diagnostics”

    I think I’m only missing the busybox and then I might have to replace the port in the script to 52323 and then I should be ready to launch the exploit.

    Thank you for the great work!

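Several commenters pasted what port 52323 sends back: an HTTP 400 reply whose headers identify a UPnP server, not a shell prompt. The Python below is an added example (not part of the original post, the comments, or [Sam]’s script) that parses such a reply into fields for a home-network inventory; the sample response is constructed from the header layout shown in the comments, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the header layout pasted in the comments
# (straight quotes substituted for the typographic ones the blog rendered).
SAMPLE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Connection: close\r\n"
    "Date: Sat, 05 Jan 2013 11:00:08 GMT\r\n"
    "Server: Linux/2.6 UPnP/1.0 KDL-40HX805/1.7\r\n"
    'X-AV-Server-Info: av=5.0; cn="Sony Corporation"; '
    'mn="BRAVIA KDL-40HX805"; mv="1.7";\r\n'
    'X-AV-Physical-Unit-Info: pa="BRAVIA KDL-40HX805";\r\n'
    "\r\n"
)

# One key=value pair; the value is either "quoted" or bare up to the next ';'.
_PAIR = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^;]*))\s*(?:;|$)')

def parse_av_info(value):
    """Split an X-AV-*-Info value (key=value; key="quoted value";) into a dict."""
    # Normalise the curly/prime quotes that copy-pasting from a web page leaves.
    value = value.translate({0x201C: '"', 0x201D: '"', 0x2033: '"'})
    out = {}
    for m in _PAIR.finditer(value):
        key, quoted, bare = m.groups()
        out[key] = (quoted if quoted is not None else bare).strip()
    return out

def describe_response(raw):
    """Classify a reply captured from the TV and pull out inventory fields."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = head[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or not status[1].isdigit():
        return {"is_http": False}  # e.g. a login prompt or raw shell output
    headers = {}
    for line in head[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    # UPnP servers send Server as "OS/version UPnP/version product/version".
    tokens = headers.get("server", "").split()
    products = dict(t.split("/", 1) for t in tokens if "/" in t)
    info = parse_av_info(headers.get("x-av-server-info", ""))
    return {"is_http": True, "status": int(status[1]),
            "upnp": "UPnP" in products, "os": next(iter(products), None),
            "model": info.get("mn"), "vendor": info.get("cn")}
```

`describe_response(SAMPLE)` reports an HTTP 400 from a UPnP server with model `BRAVIA KDL-40HX805`; a reply that is not HTTP at all comes back as `{"is_http": False}`.
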