What’s That AccessUSB Menu In My LG SmartTV?

Mockup of an LG SmartTV, showing the webOS logo, saying "debug status: DEBUG, SIGN Key: PRODKEY, Access USB Status: 0/100(C)", and showing a console prompt on the bottom.

One boring evening, [XenRE] was looking through service menus on their LG Smart TV (Russian, Google Translate), such menus accessible through use of undocumented IR remote codes. In other words, a fairly regular evening. They noticed an “Access USB Status” entry and thought the “Access USB” part looked peculiar. A few service manuals hinted that there’s a service mode you could access with an adapter made out of two back-to-back PL2303 USB-UART adapters – a few female-female jumper wires later, serial prompt greeted our hacker, and entering ‘debug’ into the prompt responded with some text, among it, “Access USB is NOT opened!!!”.

[XenRE] found the WebOS firmware for the TV online, encrypted and compressed into a proprietary LG .epk format, but liberated with an open-source tool. A few modules referred to AccessUSB there, and one detour into investigating and explaining WebOS USB vendor lock-in implementation later, they programmed an STM32 with the same VID and PID as the mythical AccessUSB device found in relevant WebOS modules decompiled with IDA. By this point, AccessUSB could safely be assumed to be a service mode dongle. The TV didn’t quite start beeping in a different pattern as we’d expect in a sci-fi movie, but it did notify about a “new USB device” – and started asking for a 6-symbol service menu password instead of a 4-symbol one.

Another firmware module was loaded into IDA, this time, the module responsible for AccessUSB verification. Some password rate limiting, but also time- and number-of-uses limitations were found – apparently, implemented so that LG can limit AccessUSB use by service centers, since, you see, even repairability has to have means-testing. In the same vein, it was found that the AccessUSB dongle requires RSA2048 and RSA4096-certificate-based authentication – thus, the TV was reflashed with a different RSA2048 key, and hacking continued. In the end, the AccessUSB option in the service menus got successfully unlocked. What happened?

A whole lot of previously greyed-out options in the InStart and EzAdjust service menus became changeable. From the factory, your TV might have options accessible but locked or hidden, just like your laptop’s BIOS. Such options might be region lock toggles that limit content playback depending on volatile and senseless media sharing agreements, or the “DVR” ability that might be disabled to comply with a bullet point in a media conglomerate contract. Oh, and it gives you a root shell on the TV. [XenRE] left a lot of things untold and code un-shared, sadly, but the description of this journey is valuable enough on its own; and comments (Google Translate) under that post even have an ex-service technician reminisce about the good old times.

Smart TVs areYet Another Linux Computer You Own But Cannot Program, universally a net negative when it comes to repairability, eco-friendliness, and growth of new generations of hackers and engineers. It is not fair that such possibilities are locked behind a cryptography-enforced engineering mode. Not that it limits anyone except consumers – we’ve even seen leaked CIA exploits to turn your Smart TV into a remote microphone. One could design all the beautiful custom Raspberry Pi sticks to make our TVs all that much “smarter”, but maybe the solution is taking a hammer to it instead. The “USB-UART adapter and IDA” hammer, to be clear.

21 thoughts on “What’s That AccessUSB Menu In My LG SmartTV?

  1. “From the factory, your TV might have options accessible but locked or hidden, just like your laptop’s BIOS. Such options might be region lock toggles that limit content playback depending on volatile and senseless media sharing agreements, or the “DVR” ability that might be disabled to comply with a bullet point in a media conglomerate contract.”

    Wow, you think there’s a secret DVR function in your smart TV?

    1. For LG, it’s not a secret. There is a big red “record” button right next to the “watch” button in the TV guide.
      The thing is they disable the button only for certain shows or channels, based on where you live. Unlocking it would result in all channels/shows letting you record, instead of just some of them.

      I suppose the DVR might be disabled over all channels for some very unlucky locations. Perhaps you’re in one of those places, and that’s why you aren’t aware it exists?

    2. Yes, a similar functionality also exists in (semi-)professional printers & scanners.
      In some circumstances there are legal requirements to be able to audit everything that was printed/scanned.

      Even beamers are starting to get such functionality were they store “printscreens” at regular intervals.

  2. “ adapter made out of two back-to-back PL2303 USB-UART”

    Does anyone sell these as a finished product? Oh boy I have a lot of USB ports that I’d like to try this on.

    I sat next to a like minded fellow on a plane once and we listed through all the IO we could use to talk to the infotainment display in the seat back…this combo did not come up in that chat :)

    *disclaimer – don’t hack things you’re flying in. Probably bad for health.

    1. Sounds like what we used to call a null-modem cable, except that this has PL2303 USB-serial ICs at each end.

      That being the case, you can buy PL2303 USB-serial cables pretty much anywhere (Jaycar and RS are both places that I have bought PL2303 serial cables from) and a null modem cable shouldn’t be hard to locate or fabricate.

    2. The infotainment system is usually completely separate from any of the avionics or flight control systems. I’m sure the airline still wouldn’t like it though.

    3. I bought a serial device which happens to have the same VID PID as the LG manual for my LG TV states is needed.
      But even after plugging that in and waiting for the text to appear on boot I get nothing at all.
      The hope was being able to control it better than the crappy CEC implementation which I find on many brand of TV’s allows you to turn it on with an RPI but never off !!

      1. It is, because it’s none of their business. There are still countries where people go to jail because of reading the wrong books, watching the wrong TV channels, using the wrong apps, listening to the wrong radio stations.
        Therefore, nobody should be able to record this. Doing so, is complicity to morderous regimes. Only no data is safe data.

    1. I like my TV’s big and dumb. My tv just works as a big monitor for my computer. 99.9% of the time it’s displaying an HDMI signal. Why bother using Netflix in some horrible tv app that requires a horrible tv remote for the input? Pfft.. people.

  3. Couple of comments:
    WebOS is the latest version of PalmOS. LG uses this to drive the built-in Digital Signage capacity on their commercial and some of their consumer displays.
    The USB to RS232C adapter is very generic and the controls commands are well documented in the service manual.

  4. I got a very good deal on a 4K smart TV, Android with Blaupunkt branding, that turned out to have a lot of chatter between it and ratings/advertising agencies etc. so I gave it a factory reset and blocked it at my firewall then turned it into a HDMI monitor for a seperate Linux box. Even with that blank set up it regularly tries to break out of our LAN and phone home. But hey I won in the end as the price was so good it had to have been subsidised by those seeking to spy on consumers. :-)

  5. Makes you wonder how many manufacturers are selling consumers the exact same hardware, and then turning the features on and off via software. I just saw how Audi is doing that in their cars. “Yes your car has an A/C built in, but you didn’t pay for that feature, so you can’t use it”

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.