The Sony Bravia series of HDTVs is a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact that these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.
The exploit itself is a regular buffer overflow triggered by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive, and all the Debian programs run correctly.
If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least now running XMBC or another media server on a TV is possible.
If anyone would like to start porting XMBC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one, post a link in the comments.
This is where Chromium would be great!
I love that you can now root TVs as well!
omg this. That is an amazing idea.
This this would be a nice this! omg! this!
How can it be done? I would love to know. I’m so disappointed with the “smart” part of the tv
Just the ability to add new codecs so it can play .mkv files off the network would be great.
the player should be based on mplayer i think.
Plex and Chromecast for MKV’s over network. Rock solid
FAILURE: No connection could be made because the target machine actively refused it
:(
I had heard about 12345 being open on some older models but my 2010 model EX403 apparently isn’t up for it.
And I would so have loved to work out how to add new codecs :P
Portscan?
PORT STATE SERVICE
9784/tcp open unknown
52323/tcp open unknown
MAC Address: 78:84:3C:50:B2:09 (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22
Those ports are used for network remote control (smartphone app kinda thing) and for renderer function. Nothing too fun unfortunately.
Has inspired me to download firmware and try to decode it tho, and perhaps work out if there are firewall rules i can work my way around.
Hey mark, I hope you are doing well after 13 years lol!
How did it go? Were you able to decode the fw?
I have a 2009 model and it asks for a password, interesting.
then the sploit should work. the password is gemstar
…hopefully
try gemstar
braviadventures, gemstar worked fine on my TV. Now I just need time to try this out. My wife watches the TV and I seldom get near it. ;-)
Freaking awesome.
Well, there’s the samygo project that aims at modding Samsung TVs…good to see some work on Sony sets now too
what kind of hardware does the bravia tv have?
panasonic runs linux to my understanding and the model i have has SD card port for upgrading no usb though. Any info on that?
I rooted my Samsung TV and found out it runs android…JK.
Anyone hack a samsung yet?
like hellohere said
“Samygo project”
Hmm, my Bravia has an ethernet port. Wonder if I still need the usb dongle?
Well I’d better sit down and build busy box for the mips.
Sammy go anyone. samsung tv’s are hacked as well.
I popped open my LG TV a while back to repair some blown caps in the PSU, I found a TTL level serial port and investigated. It too runs a MIPS chip and boots Linux. I fired off an email to LG and they actually sent me the source code. Never went anywhere with it but it was interesting to see Linux in such an unexpected place.
Which lg tv? I have a px990 I’d love to add dts support to but the firmware is nicely compressed and protected :-(
sigh… I couldn’t get root in a brothel…
Probly find a busy box tho.
classic
Hey, I know that guy! I KNOW A FAMOUS PERSON.
I would pay money to get XBMC running on my Sony Bravia!
well when it runs on debian it would be as root: sudo apt-get install xbmc
what kind of distro is bravia anyway?
Some of them run linux while the WxxxA series run Android (Interesting)
There doesn’t seem to be all that much documentation included in the git, so how does one go about running this on /any/ bravia tv?
If anyone is interested, I did a teardown of a sony bravia a while ago, and I still have the components, so if I can help in any way by taking more detailed pictures (D5100 now), or sending actual boards, feel free to contact me! I would be happy to help! :)
http://hak8or.com/projects/
http://dangerousprototypes.com/forum/viewtopic.php?f=2&t=3397
This telnets to port 12345 on the TV to run a few commands. The port is open on my Bravia KDL52W5150 (a couple years old). I discovered port 12345 with wireshark a few years ago, but couldn’t find any documentation on the password. Interestingly enough, I still can’t find any info on the password on the Internet, but it’s in the python script: “gemstar”.
I can verify that this isn’t working on a KDL52W5150. It’s able to log into the tv, but fails on the cp command.
0d.00:07:27> cp lost+found test
cp lost+found test
Error 803
0d.00:07:31>
Weird, I’ve been messing with the CLI for a bit and I’m magically able to copy folders now. I did run the command “reset exception”, which I believe emulates an exception and causes the TV to reboot. I’m not sure if that has anything to do with why I’m able to copy folders now. Also, keep in mind that I have no idea what any of these commands actually do, so try them at your own risk. I think I’m at the point where I need to cross-compile busybox for mipsel. The pre-compiled version on busybox’s website does not work, see the output below when using that version.
~/Desktop/bravia/CFSworks-nimue-7f74653$ ./nimue.py 192.168.1.77
Preparing… OK
Connecting… OK
Logging in… OK
Creating exploit directory… OK
Creating padding directory… OK
Switching zmodem mode… OK
Injecting stage1… OK
Injecting stage2 and overflowing buffer… OK
Giving stage2 a moment to set up… OK
Connecting to stage2’s port… OK
Uploading busybox… OK
Giving busybox a moment to start… OK
Connecting to busybox… OK
Setting up Telnet server… Traceback (most recent call last):
  File "./nimue.py", line 312, in <module>
    nimue.run()
  File "./nimue.py", line 148, in run
    self.do_step('Setting up Telnet server', self.setup_telnet)
  File "./nimue.py", line 127, in do_step
    func(*args, **kwargs)
  File "./nimue.py", line 244, in setup_telnet
    d = self.sock.recv(1024)
socket.error: [Errno 104] Connection reset by peer
Hi!
That can happen if you compile busybox without the “FEATURE_PREFER_APPLETS” configuration item set. I would suggest either building from my config file in the repository (busybox/config) or using the precompiled version in nimue-0.1.tar.bz2
The awesome thing is, if you’ve made it this far, the exploit is already working for you. What is your TV and firmware version so I can record this in the docs?
Works on my 2009 52W5150 ! I didn’t need the USB dongle.
I didn’t notice the download in github, thanks for pointing that out. With your busybox, the script works as expected and I have root on the TV. Thanks for all of your work on this.
TV Model: KDL52W5150
Software Version: aa0194pn
We can handle the hosting of the bravia root project, at hackzwiki.com.
we have had a forum setup specifically for this for 2 months…
http://www.hackzwiki.com/forum/index.php?board=140.0
Domain is dead.
Neat! I wonder what kind of resources would be available. It would be pretty cool to run Hulu or Youtube directly on the TV itself, pulling straight from wifi!
This is a great first step! Keep on with it!
Neat, but it’s probably cheaper to jailbreak an appletv and hook it up to a cheap hdtv. Are the sound and graphics chip already recognized? It might be possible to create a custom kernel, boot and flash (or brick) the tv with it so mplayer can play directly on the tv itself.
Is this confirmed to be working with USB-Ethernet only?
I have a W5500, port 12345 seems to be closed with built in ethernet.
Might chances be better with USB?
I’m wondering the same. My KDL-32EX600 only has ports 9784 and 52323 open.
Be a shame as the sony USB-wifi dongles are expensive.
My KDL-46V5500 does not have port 12345 open either :(
I think a list of confirmed working bravia models would help.
Anyone found the filesystem location of the channel list?
Regrettably, last week I just got a new LG 32LK450 LCD instead of a Sony Bravia.
It has a male DB9 serial input in the back but no instructions on how to use it. Also, it’s possible to download the open source code from http://opensource.lge.com.
I would appreciate it if anybody could share some tips on how to connect and/or how to deal with the code.
Best regards, Pescadito
I have Sony Bravia BX35 Series HDTV…
is this possible to root and get a shell???
and does this void out guarantee???
My Sony “KDL-40EX500” reboots/crashes when I do
nmap -p 1-65535 192.168.0.x (tv IP)
Wondered if there was a way get root on it, the user manual/license thingy says it uses a lot of different open source SW. Also think I’ll disable SW updates on my TV for now, just in case they fix it and roll out a firmware update.
The same happens with me on my KDL37EX503.
Scanning the open port (52323) with nmap doesn’t do anything. After some random testing I’ve found that probing ranges 1-46000 doesn’t crash it, but 1-46001 does.
Interestingly changing the range to 2-46002 doesn’t cause crashes, but probing port 46001 doesn’t do anything special.
I think it’s probably a buffer overflow in the TCP stack, but that doesn’t explain why ranges of the same size but different start and end points don’t trigger it.
Hopefully the internet connected Sanyo tv’s will be next. (Although since there aren’t many out there, I won’t expect it.) Currently they only have netflix, vudu, pandora and then some other mostly useless stuff…
And they don’t update it. It hasn’t changed content since I got it.
After what happened to geohot, aren’t you afraid Sony will retaliate? lol
I don’t buy Sony anymore, just because of what they did to this kid.
Similar thinking here. I’ll also add that Sony has pretty much abandoned their product with lousy support. So far there’s been very little use of the ethernet port on the TV I bought. Sony has no dev kit to work with. The previous version was Japanese only and abandoned a short time after it was released. The TV can see my dlna server but it’s so limited in what it can view (need the exact audio & video codecs in the correct format). Too bad they failed to understand that by doing something like an Android phone they would have had a fun and useful product.
Do you have to have the TV connected to a router for dhcp, or is there a static subnet that you can configure for access to the TV?
Just set the TV up with a static address and you can hook up back to back (with a cross over cable) to your Linux PC or through a hub.
Hi Neil,
The Linux PC is a must?
Can the Windows PC use the telnet client to connect to the Sony Bravia through USB network adapter?
Sorry for the noob question, I am a complete noob with Telnet
telnet is telnet. on linux or windows or mac. that should work. but what will you do if you get inside the system and you dont know linux?
Some instructions would be useful for the less experienced people.
I have a European KDL-32V5500 from 2009 with the latest (withdrawn) firmware: 1.750EA. If I understand it right, when I boot the TV with a USB drive, it should execute nimue.py from the root (so has a Python interpreter and looking for this magic file) which should inject the required payloads, start the busybox/busybox binary and look for Telnet access?
Tried it with a few modifications (busybox binary in the root), but nothing happened. Tried to Telnet into the TV (have a wired connection through a router, not really useful but I can transcode stuff from PS3 Media Server, so probably there are no firewalled ports and I assume this connection isn’t worse than a wireless one with a USB adapter) with PuTTY and Windows Telnet on port 23 and port 12345, but there was no answer or prompt for the password.
I’m stuck. :(
You’re supposed to run this from your machine, it connects to the TV via the network, sends the payload, and runs it.
If port 12345 isn’t open it won’t work. Have you made sure PuTTY is set to use the telnet protocol rather than SSH when you try port 12345?
Got it after reading the second time, unfortunately jumped on it too quickly, thought that it’s a plug and play solution, and there was no way to cancel my stupid comment. :(
The port was correct, the setup wasn’t, either the vulnerability was removed from the EU firmwares or is only exploitable the described way with a USB network adapter. (And the Python script exited with an error under the latest Windows install, so I wasn’t able to run it. Anyway since port 12345 isn’t open for me, I guess it would be useless on my setup.)
I hope things will lead somewhere, and a more useful custom firmware will pop out one day. Sony really abandoned the 2009 EU models right after the release.
There are other resources for LG open sources
– http://www.lg-hack.info/
– http://plexapp.com/press_LG.php
– http://douglas.sourceforge.net (LGTV embedded OS)
Linux source code used by Sony found here:
http://www.sony.net/Products/Linux/TV/category03.html
Better start here ;-)
http://www.sony.net/Products/Linux/common/search.html
Do these Sony TVs support OpenGL ES or other GPU 3D hardware accelerated rendering that XBMC requires?
By the way, it is XBMC, not XMBC. As in formerly XBox Media Center, not XMedia Box Center ;P
Bravia KDL-40EX725 not working :((
even port 12345 not open
I’ve tried to telnet with ports from 1 to 65535
I’ve made bash loop for this and telnet was successful only on open ports but these ports were 80 2 ports of upnp and 1 port 52323/tcp I don’t know what this is ….
open ports on my TV (LAN and WiFi)
PORT STATE SERVICE
80/tcp open http
8963/tcp open unknown
9784/tcp open unknown
52323/tcp open unknown
It looks like 52323 is used for remote controlling: http://forum.xda-developers.com/showthread.php?t=2091564&page=2
I did notice that my KDL-46s4100 wouldn’t finish booting when I left my nook on the “service only” port after charging a while ago. Grabbing usb-ethernet now.
Did anyone try this with KDL HX805 series?
I have an 46HX805 and will try on the weekend.
Ok i tried with my KDL-46HX805
There are 2 open ports i could find:
Host is up (0.0060s latency).
Not shown: 64999 closed ports
PORT STATE SERVICE
9784/tcp open unknown
52323/tcp open unknown
I tried both with the following results:
Port 9784
python Sony.py 192.168.1.33
Preparing… OK
Connecting… OK
Logging in… FAILURE: Guide did not accept password!
and Port 52323
python Sony.py 192.168.1.33
Preparing… OK
Connecting… FAILURE: Connection refused
I tried over my 100 Mbit network going over a
switch. Would that work or do i need to go via the USB/ network adaptor (or direct cable??)?
Also what does “Guide did not accept password!” tell me?
I have 46HX800, would be interested to follow you…
I have the same one. Has there been any news since? Can’t seem to find any recent postings.
I’m working with KDL-32EX700. Port 12345 is open, I can login with gemstar. Initial run of nimue hits error with cp command.
If I login via telnet and create lost+found by cd’ing into /, exec’ing ‘cp RW junk’, then cd RW, ‘cp junk lost+found’, then I can run the script and get a little further.
Now, it gets to ‘Connecting to stage2’s port…’
I get “Connection refused”, and then the TV reboots. I suspect the buffer overflow is either crashing the TV directly, or that some code that is running after a successful overflow causes the crash.
Still poking around, but appreciate any suggestions…
I have KDL55EX720.
Ports open are
80 (DLNA presentation I think)
8963 (UPnP)
9784 (UPnP)
52323 (Unknown)
Using putty to telnet into 52323 causes a remote disconnect.
Could somebody please post a way to compile a suitable busybox for use with this exploit? TIA
Check the Downloads link on the nimue github page for a .tgz containing a ready-made busybox. If this doesn’t meet your needs, you must set up a cross-compilation environment for mips and build your own.
Sony Bravia
KDL-32EX403
sw: PKG4.110EUL-0108
Connected via ethernet (no USB dongle).
Nmap – Not shown: 65533 closed ports
PORT STATE SERVICE
9784/tcp open unknown
52323/tcp open unknown
trying 9784
Preparing… OK
Connecting… OK
Logging in… FAILURE: Guide did not accept password!
trying 52323 –
./nimue.py 192.168.1.xxx
Preparing… OK
Connecting… OK
Logging in… FAILURE: TV unexpectedly closed connection
any more news on this project, has a forum/webpage been created yet? where we can track the process?
srt subtitles on sony would be soooo nice.
Unfortunately port 12345 is not open in 40NX715:
# nmap -sT -p 1-65000 192.168.1.120
Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for braviaxxx.lan (192.168.1.120)
Host is up (0.020s latency).
Not shown: 64999 closed ports
PORT STATE SERVICE
9784/tcp open unknown
52323/tcp open unknown
MAC Address: xx:xx:xx:xx:xx:xx (Mitumi Electric CO.)
Nmap done: 1 IP address (1 host up) scanned in 37.91 seconds
Need to find out an alternative.
Doesn’t work on my KDL-32EX709 with PKG4.110EUL-0108
Nmap shows 9784 and 52323. Same result as “mon” on June 28, 2012 at 9:17 am.
Why isn’t there more information about this exploit? I think it’s a really big thing!
I forgot to mention, that I was using the integrated Ethernet port. My USB dongle wasn’t recognized. (0fe6:8101 Kontron)
Sony have probably closed any backdoors, as linux is getting more known and they get smarter. Linksys as interface with any tv is better and the interfaces are getting cheap as miniX for $70, with all the programmability and software linux can supply with full internet connectivity.
3 things why you want to run it native on the TV
1. Same remote for all functions.
2. Same interface for TV and media player
3. No Cables for external device such as HDMI & power
all in all higher WAF factor with integrated linux xmbc
I have a feeling sony closed port 12345 in a recent firmware update. It was definitely open on my TV not too long ago and now it’s suddenly refusing all connections on that port.. bummer =\
Does anyone know how to downgrade the firmware on a Sony Bravia KDL-46z5100?
I didn’t have enough time to block the TV’s internet access after it said that there was a mandatory update.
The new firmware is version aa0206pf, which rejects connections on port 12345. The previous aa0195fn firmware worked.
On another note, there have been reports that the KDL-46v5100, a very similar model, can be downgraded.
Thanks in advance!
with this hack can i fix the ‘This TV only support JPEG YCbCr 422/420 formats, JPEG YCbCr 444 is not supported’ issue? whole story@http://www.sony-asia.com/support/faq/445536# thx
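Most of the scans posted in this thread answer one question: is TCP 12345, the password-protected service port the script logs in to, reachable on a given set? The Python below is an added example (not part of the original post, the comments, or the nimue project) that reads nmap's normal output and reports that port's state per host, so an owner can see which sets on their own network still expose it and which have it closed or filtered; the sample scan and its addresses are constructed.

```python
import re

# Per the comments on this page, TCP 12345 is the service port the script logs in to.
# nmap's SERVICE column is only a guess from the port number, so key on the number.
SERVICE_SHELL_PORT = 12345

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+\S+")

# Constructed sample in nmap's normal output format (documentation addresses).
SAMPLE = """\
Nmap scan report for tv-livingroom.lan (192.0.2.10)
Not shown: 64997 closed ports
PORT      STATE SERVICE
9784/tcp  open  unknown
12345/tcp open  netbus
52323/tcp open  unknown

Nmap scan report for 192.0.2.11
Not shown: 64998 closed ports
PORT      STATE SERVICE
9784/tcp  open  unknown
52323/tcp open  unknown

Nmap scan report for 192.0.2.12
Not shown: 64997 closed ports
PORT      STATE    SERVICE
9784/tcp  open     unknown
12345/tcp filtered netbus
52323/tcp open     unknown
"""

def parse_nmap(text):
    """Map each scanned host to {tcp_port: state} from nmap normal output."""
    hosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        host = HOST_RE.match(line)
        if host:
            current = hosts.setdefault(host.group(1), {})
            continue
        port = PORT_RE.match(line)
        if port and current is not None:  # ignore port rows with no host header
            current[int(port.group(1))] = port.group(2)
    return hosts

def audit(text):
    """Return {host: state of 12345/tcp}; 'not-listed' means nmap did not print
    the port (collapsed into 'Not shown: N closed ports', or never scanned)."""
    return {ip: ports.get(SERVICE_SHELL_PORT, "not-listed")
            for ip, ports in parse_nmap(text).items()}

def exposed(text):
    """Hosts whose service port accepted a connection during the scan."""
    return sorted(ip for ip, state in audit(text).items() if state == "open")
```

A host reported as "not-listed" only counts as closed if the scan range actually included port 12345, so check the `-p` range of the scan before relying on it.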