OothecaPickle

NOTES: I AM NOT RESPONSIBLE FOR ANY DAMAGE DONE TO YOUR CONSOLE! PLEASE MAKE A NAND BACKUP AND HAVE AN EXTERNAL PROGRAMMER IN THE EVENT OF A BRICKED CONSOLE

PLEASE DO NOT SELL DOWNGRADED CONSOLES!

Please do not use this guide for any malicious or scammy behavior. I only want this guide to be used for personal projects/nostalgia.

THIS WILL NOT RE-ENABLE ANY PATCHED EXPLOITS LIKE THE JTAG EXPLOIT. THERE IS NO WAY TO DOWNGRADE CB TO RE-ENABLE THESE.

Thanks to everyone that made this possible:

grimdoomer: For the Bad Update exploit

InvoxiPlayGames: For the FreeMyXe project

9eSIM 產品 (在售、測試) 詳情

Manufacturer: Kigen

Products v2/v2.x non-STK

Products v3/v3.x with-STK

目前在售SKU：v2s、v3

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Update: I've disabled comments as of 2025-01-26 to avoid everyone having notifications for something a year on if someone wants to suggest a correction. Folks are free to email to suggest corrections still, of course.

Background

WTA backdoor/vulnerability

Overview

There is a vulnerability/backdoor in webOS 5+ that allows you to easily run arbitrary commands as root during the boot process. The easiest way to exploit it simply involves putting a file on a USB drive and having it connected to your TV while it boots. There are two other methods that are more complex and require additional exploits.

Remove Apple MDM

Note: Apple will store Wifi passwords on the T2 chip. SSD cleaning won't make it forget the password. You have to turn the network off, or change the password on the router.

Different Paths

Start from Path 1. If you get any messages about the MDM on the first usage, start all over from the Path 2.

Path 1

Get into recovery mode (Cmd + r) during start up.

News

EOL (2024-07-21)

I'm not going to be maintaining this document anymore. I'm leaving it as-is since much of the FAQ section is still accurate and has yet to be incorporated into other resources.

Use CanI.RootMy.TV to find an exploit for your TV.

New exploit for webOS 3.5+: DejaVuln (2024-04-21)

Warnings

What you do with this information is your own responsibility. If you brick your TV trying this, it's not my fault. You should probably have some electronics experience if you want to attempt this.

This is going to involve opening your TV and attaching wires to the pins of an integrated circuit. If you're not comfortable with that, this is not for you.

This document is a work in progress.

debugstatus

LG TVs since at least the era of NetCast and "Global Platform" (webOS predecessors) have had the notion of a debug level, generally called "debugstatus". There are three modes: DEBUG, EVENT, and RELEASE. TVs normally operate in RELEASE mode. DEBUG mode enables a variety of logging and other debugging features in webOS, including access to the bootloader console and debug menus via serial. EVENT is similar to DEBUG, although it may not enable as much logging and has other relatively minor differences.

	export PATH=/data/data/com.termux/files/usr/bin:$PATH
	sshd \
	-D -dd \
	-p 2222 -e

	iPhone:~ root# nvram bootdelay=10
	iPhone:~ root# nvram -p
	auto-boot true
	bootdelay 10
	backlight-level 1507
	restore-step-monitor {0x11010207:"wifexited"}
	restore-step-warnings {0x11060100:{0:"NVRAM access is not currently available"}}
	debug-uarts 3
	boot-args serial=3
	boot-command fsboot