Sony’s Bravia HDTVs are great pieces of kit: nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact that these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.
The exploit itself is a regular buffer overflow triggered by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive, and all the Debian programs run correctly.
If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least running XBMC or another media server on a TV is now possible.
If anyone would like to start porting XBMC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one, post a link in the comments.
Any more news on this? Where can I track the process of developing additional features for Bravia TVs?
How to use a tv kdl-32ex340??
I do not know which firmware it uses
Is there still work going on with this? Where can I track developments?
How do I run the script on the TV?
Can anyone post the step-by-step procedure!
KDL-40EX40B
Is there any way to modify the video decoder to read other file formats? I am using the PIVOS AIOS box to stream video since the DLNA is limited to about three video formats. Most of my video is .avi, .mkv, and .mp4. I also have a few .vob.
Could someone add support for IPTV in Sony BRAVIA KDL-32W5500 with this hack?
Any progress here or did it just stop working? Would love to jailbreak my Sony…
I have a KDL 40HX805
when I execute
telnet 192.168.2.24 52323
I get this
Connected to 192.168.2.24.
Escape character is ‘^]’.
When I do nothing, after a few seconds the connection will be closed by the TV.
When I type any key (i.e. space) I get this
HTTP/1.1 400 Bad Request
Connection: close
Date: Sat, 05 Jan 2013 11:00:08 GMT
Server: Linux/2.6 UPnP/1.0 KDL-40HX805/1.7
X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-40HX805″; mv=”1.7″;
X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-40HX805″;
Maybe this gives you some ideas …
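Added example, not part of the original comment or of [Sam]’s script: the reply quoted above shows that port 52323 answers as an HTTP/UPnP service rather than a shell. The Python code below parses such a pasted reply into fields for a device inventory; the function names are hypothetical and the sample is reconstructed from the comment, including the typographic quotes the blog substituted.

```python
import re

QUOTES = '"\u201c\u201d\u2033'  # ASCII quote plus typographic ones seen in pasted output

# Constructed sample: the reply quoted in the comment above, rebuilt as one string.
SAMPLE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Connection: close\r\n"
    "Date: Sat, 05 Jan 2013 11:00:08 GMT\r\n"
    "Server: Linux/2.6 UPnP/1.0 KDL-40HX805/1.7\r\n"
    "X-AV-Server-Info: av=5.0; cn=\u201dSony Corporation\u201d; "
    "mn=\u201dBRAVIA KDL-40HX805\u2033; mv=\u201d1.7\u2033;\r\n"
    "X-AV-Physical-Unit-Info: pa=\u201dBRAVIA KDL-40HX805\u2033;\r\n\r\n"
)

def parse_head(raw):
    """Return (status_line, headers) from a pasted HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    headers, last = {}, None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name):
            last = name.lower()
            headers[last] = value.strip()
        elif last:
            # No header name: treat as the terminal-wrapped tail of the previous line.
            headers[last] += line.strip()
    return (lines[0].strip() if lines else ""), headers

def parse_params(value):
    """Split a 'k=v; k="v";' parameter list into a dict, dropping quote marks."""
    params = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip(QUOTES).strip()
    return params

def identify(raw):
    """Summarise what the service on the port says about itself."""
    status, headers = parse_head(raw)
    server = headers.get("server", "")
    result = {
        "speaks_http": status.startswith("HTTP/"),
        "upnp": "UPnP/" in server,
        "platform": server.split()[0] if server else "",
    }
    result.update(parse_params(headers.get("x-av-server-info", "")))
    return result

if __name__ == "__main__":
    print(identify(SAMPLE))
```

The `cn`, `mn` and `mv` keys are returned under the names the TV uses, since the page does not define them.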
Is there a way to get Simulview working, or at least getting the IR transmitter to send left/left and right/right codes to the Sony glasses? Getting tired of waiting for Sony to do the update, especially when it’s all over the web of others using HDMI detective and such to use Simulview… one kid was able to get a Sony tablet to mimic the IR codes as well. It is really coming to be evident that Sony is limiting Simulview use by restricting authorized EDID codes from the Bravia TVs.
http://community.sony.com/t5/Television-Picture-Sound/SimulView-Updates-For-Bravia-Question-Query/m-p/45511
This is finally something that may lead me to scripting my own JB and HB’s… I’ve been playing by their rules for a bit now and am done with the way they treat their existing consumer base!!!
Could someone make something useful based on this exploit? For example ability to watch IPTV channels without additional hardware.
Hey… I’m not a techno geek but really into it for some devices. My Sony KLV-32BX300 runs only .mpg video files. If anyone has any idea how to install additional format codecs into it, please do help. Please. (abuzerali@hotmail.com).
Linux source code
http://www.sony.net/Products/Linux/TV/KDL-40NX700.html
Do you still have your rooted sony? what about reading out the keys used to encrypt firmware updates?
Looking for firmware upgrade for Sony Bravia KDL40X3100 that will enable EPG, any ideas???
I have a BRAVIA KDL-46NX720
when I execute
telnet 192.168.2.5 52323
I get this
Connected to 192.168.2.5.
Escape character is ‘^]’.
When I do nothing, after a few seconds the connection will be closed by the TV.
When I type any key the following output appears
HTTP/1.1 400 Bad Request
Connection: close
Date: Sat, 10 Aug 2013 04:32:18 GMT
Server: Linux/2.6 UPnP/1.0 KDL-46NX720/1.7
X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-46NX720″; mv=”1.7″;
X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-46NX720″;
Connection to host lost.
Hypothesis – Highly suspect any Cable Box-DVR when connected to a smart TV can and currently is being used as a gateway to access files on a connected USB Drive or similar connected device thru a cable network. IE big brother.. Now to prove it!
There is already confirmation via Facebook partners IT that have a patent for a Wi-Fi based Lidar type system to generate 3D models of residential homes and people inside for elderly people’s safety and suspicious activity.
My Sony KDL-32EX340 won’t even start the update. I only get a message on the screen that says that it can’t read the USB. This TV set doesn’t have any other port =( What can I do?
Unfortunately, it did not work with Sony Bravia model KDL-40EX500
sw PKG4.117EUL-0108. Sony locked all open ports.
Can someone help me with a Sony Bravia KDL-26EX30R, Japan made? The hard disk was accidentally formatted and now it just displays only Sony, nothing works. Please help. Thank you so much
angelomert, are these the keys that you’re on about?
develop.key
E : 03
KEYID : 0
HASHTYPE : SHA1
PRODUCTION.KEY
E : 03
KEYID : 0.0
HASHTYPE : SHA1
# Cryptocore 3.x key rights:
# KEYRIGHTS : SIGN_IRAM
If they are the right ones I’ll upload, if of any help to anyone
Hi all! Thanks a lot for all this!
I want to log onto my bravia KDL-40W605B, using wifi and a computer running Ubuntu.
How can I?
One interesting thing: when I had set up my wifi internet connection with the bravia, I created an allow exception on my access point wifi allowed device list, using the MAC address I found on my bravia using its own properties.
Guess what? The MAC address provided with the tv, inside the tv, wasn’t correct!
I had to deactivate wifi protections on the access point, so every device could access it, I found out the correct MAC address of the tv wifi card using Fing from my android smartphone and then wrote it down correctly and restored the allowed devices!
Hi all! I have a Bravia KDL-40W605B.
I couldn’t connect to my access point wifi, because the MAC address
I read inside the tv Settings was INCORRECT!!!
I had to allow every device to access my wifi, let the tv connect to
it and then find out my tv correct MAC address using Fing from my android smartphone!
I would love to run nimue.py on my tv, but how? Up to now I’m only at this point:
ale@beast:~$ sudo nmap -sP 192.168.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-07 16:36 CET
[…]
Nmap scan report for 192.168.0.8
Host is up (0.050s latency).
MAC Address: 38:B1:DB:6E:9B:DD (Unknown)
[…]
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.36 seconds
ale@beast:~$
ale@beast:~$ nmap 192.168.0.8 -p0-60000
Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-07 16:45 CET
Nmap scan report for 192.168.0.8
Host is up (0.044s latency).
Not shown: 59995 closed ports
PORT STATE SERVICE
80/tcp open http
20031/tcp filtered unknown
41824/tcp open unknown
42824/tcp open unknown
52323/tcp open unknown
54400/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 25.96 seconds
ale@beast:~$
What can I do?
I have a Sony KDL-22EX420 TV and I downloaded the source code too. Please let me know how to compile that source code, i.e. how to make a .bin file (firmware PKG4.027GAA). I want to port VLC player to my TV
Any news, then?
I’m still trying to figure out how to log into my tv using telnet.
My own goal would be to install just a browser that plays flash content and a media player.
Please help, as I’m completely stuck and still did nothing more than a portscan in my own private house network. You can mail me.
Thank you for this useful information. I have a KDL-32W653 with PKG4.491EUB firmware on-board. I wasn’t able to do anything special but standard features because of all the restrictions. Little OTs: It is also a real pity the Opera browser works only on HTML5, not including the Flash Player plugin. I was only able to access its DB of video recordings via SQLite on my iMac. Video recordings on external HDD are in encrypted M2TS AVCHD file format. Has any of you decrypted it, or does anyone know how to do it?
Hey, if bravia is linux based, is it possible to install android OS onto it?
Hi, I recently got a KDL-32W700B. I am interested in modding/updating the OS. Trying to figure out if it is possible to install Android or WebOS on this tv.
I ran nmap with the following output.
$ nmap 192.168.2.14 -p0-60000
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-15 13:23 BDT
Strange error from connect (49):Can’t assign requested address
Nmap scan report for 192.168.2.14
Host is up (0.046s latency).
Not shown: 57047 closed ports, 2949 filtered ports
PORT STATE SERVICE
80/tcp open http
39835/tcp open unknown
41824/tcp open unknown
52323/tcp open unknown
54400/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 150.51 seconds
If anyone is interested in running other tests just let me know. I will help.
Thanks in advance
Hi, I’m also interested in this. This is what I found:
-The web browser is Opera; file:// is blocked and also opera:, but not opera:about, so you can know the Opera version, the type of system (Linux MIPS) and some info about directories (preferences, Opera directory, etc.)
-The “registered” USB flash drive can be read by Linux; the Sony Bravia formats it in 3 partitions:
-two contain: 0001.db (SQLite database of rec, editable at 100%), 0001.enc (I do not know what it’s for),
0001.sdt (empty file), VER.enc (I do not know what it’s for) and VERSION (simply contains 1.00)
-the third contains a folder called “stream” which contains the encrypted rec.
The first rec is called 01000000.00,
the second 01000001.00 and so on.
If a record is very long it’s divided in parts:
0100000N.00
0100000N.01
etc.
I have two TVs that have Opera 11.60 and one that has 11.00; I’ve tried some exploits found on exploit-db but they didn’t work :(
If someone has some idea, a TV with a very old Opera version, or of course a TV on which Sam’s exploits still work, please reply to me; I will receive a notification.
Oops, I forgot to click “Notify me of new comments via email”, now I’ve clicked :D
Hi All!
I have a Sony Bravia KDL-40EX650. The 12345 port is closed, but Sony says on their website that there’s the possibility to update the firmware from a USB drive. So, I found the source code of the firmware on Sony’s website and I want to translate it to the necessary .bin firmware file. My question is, how can I do this? If it’s possible, then we can modify the source code, then update through USB and that’s it.
I really want external subtitles through DLNA!
Hi Rapid,
Let me explain the whole picture to you:
The source code Sony releases on its web site is just the source code of the Linux kernel. Imagine it like a blueprint of a car’s engine. Even if you build the engine (“translate” source code to bin in your words) you don’t have a car!
You will need the drivers to interact with the TV tuner etc., you will need the user interface (UI) applications, etc.
Then, responding to your question: to “translate” source code to .bin you will need a toolchain (with the GCC compiler), but more than that you will need to learn how to develop a Linux embedded system. It takes time, you will need to dedicate your time to doing it, and the learning curve is steep, especially for people who are not programmers yet.
You can find some material about Linux embedded systems here: http://free-electrons.com/docs/
Now the really bad news: even if you build the .bin, you cannot put it on a USB stick and get the TV to update its original firmware with your firmware. Sony (and all other companies) puts some protections in place to prevent someone from just replacing the original firmware, for security reasons. You need to sign your .bin firmware with the Sony certificate; because their certificate is their secret, you cannot sign your firmware. The other option is if someone finds a fault in the Sony bootloader and discovers a way to bypass the signature process, but that hasn’t happened yet.
I have a Sony Kdl-32hx759
Guys, I need help. I accidentally flashed the wrong firmware, 1.539 from INDIA, but the latest firmware for my country M’SIA is 1.139.
FYI, Sony won’t allow a downgrade if it detects the current firmware version is higher, so I would like to edit the firmware on 1.139 & change it to a newer version like e.g. 1.6 (something like that to trick Sony from detecting the actual version).
My 4 HDMI port is not working due to the wrong firmware version. Thanks.
Regards,
Ken
Does that Sony Bravia root exploit support the model KDL-S5100?
I have a Sony kdl-42-w900. It is not 3D, and it does not have wifi (hence, it is not a smart TV). Please, someone tell me how I can upgrade its software; I want to customize it, change its theme and change the background image of the menu. I am becoming bored of it. Can anyone help?
Hello is it possible to root the Sony Bravia directly by connecting an Android smartphone and then run the script? Or can I use smartphone wifi tethering? I don’t have the network adapter at the moment. Thanks.
Any news, folks?
I’d just like to have my Bravia start up on a particular web address, i.e. a user-defined home page
Hi John,
Just checking – did you ever find a way to do this?
Omg …..Help please…is there a way to downgrade update )-:
Are we still looking to upgrade to a new TV rather than to find a way to install Android on older versions of Bravia?
2019… I installed Kodi from the Play Store. But I need to root the tv because I can not use the USB drive the way I want, or the way I need.
Hi
I have a Bravia KDL 46z4100, and I’d like to get to root so I can dump some files
But idk how to compile the stuff ;p
Can someone help me, please?
Any news, then ?
I have sony KDL 40NX700
So, I was experimenting with trying to look for vulnerabilities for my KDL-32EX650 running firmware PKG2.12EUA-0002 (which was updated Over-The-Air a while ago, previous firmwares used to support 3D but it was removed in this one as far as I recall) and have come to two possible back doors that might give us an opening:
1) When a USB wireless mouse + keyboard combo is connected, the mouse can be used in the browser, however, when trying to press any key on the keyboard, the TV says that the device is not supported.
2) The RSS widget can fetch RSS data from any provided URL. Maybe this can be used to download and execute code? I tried making my own RSS link with http://fetchrss.com/ containing a download – I could see the text for the download but was not able to click on the link.
I tried to access port 12345 on the TV IP address but it was closed. I get the message “not found” when accessing the IP address of the TV.
Hope this information can help out someone.
Hi, thanks for this amazing script. Could you please give me a download link for the busybox? I searched the whole web for this file nimue-0.1.tar.bz2 but could find it neither on GitHub nor anywhere else. Thank you!
I can connect to the TV through ethernet cable. Here is the output:
telnet 169.254.78.252 52323
Trying 169.254.78.252…
Connected to 169.254.78.252.
Escape character is ‘^]’.
id
HTTP/1.1 400 Bad Request
Connection: close
Date: Thu, 01 Jan 1970 00:06:29 GMT
Server: RTOS/1.0 UPnP/1.0 KDL-40W5500 /1.7
X-AV-Server-Info: av=5.0; cn=”Sony Corporation”; mn=”BRAVIA KDL-40W5500 “; mv=”1.7”;
X-AV-Physical-Unit-Info: pa=”BRAVIA KDL-40W5500 “;
Connection closed by foreign host.
It looks like only port 52323 is open on my Sony BRAVIA KDL-40W5500
Scanning all ports with nmap crashes the TV…
nmap -p 0-65535 169.254.78.252
That’s a weird IP address right? I was expecting an IP address like 192.168.1.1 or something.
This is the IP that’s shown in the “Network Settings” on the TV.
To get the TV’s IP to show up you might have to click on “Network Diagnostics”
I think I’m only missing the busybox and then I might have to replace the port in the script to 52323 and then I should be ready to launch the exploit.
Thank you for the great work!