openlgtv / epk2extract

Extraction tool for LG, Hisense, Sharp, Philips/TPV, Thompson and similar TVs/Embedded Devices
GNU General Public License v2.0

dvr Keyfile extraction from LG TV #4

Open kukulo2011 opened 8 years ago

kukulo2011 commented 8 years ago

I extracted dvr_std_mtk.bin from the epk firmware and renamed it to dvr to use with epk2extract. The unwrapped key is still reported 00 00 00 00 00... Are there some requirements for the keys that arbitrary keys cannot be used?

smx-smx commented 8 years ago

The dvr key is unique for each TV, you have to extract /mnt/lg/cmn_data/dvr (if I recall correctly) from the running device.

kukulo2011 commented 8 years ago

I do not have shell access, however I am able to modify extracted firmware inserting a cp command in rsc script to copy it to usb. Is it safe?

kukulo2011 commented 8 years ago

rcs script

smx-smx commented 8 years ago

No, it's not. You will not be able to use a modified firmware, nor to create an EPK out of it due to the signature.

kukulo2011 commented 8 years ago

Is there any solution to get shell access for the LM series smart TV? I tried to get the debug menu in power only mode, but it says Need access USB authentication. After exiting power only mode the TV does not respond to the normal RS232 commands. Shall I assume the TV is in debug mode? The Instart menu still shows Release debug status.

klode82 commented 6 years ago

Do you know how to access the internal memory of an LG Smart TV? I have a 60LB650V-NZ TV, with webOS 1.4.0.

fteplitsky commented 5 years ago

I have an LG 65UH651Y TV. I have access to the OS file system. How can I find the dvr key? What is the file name? Help Pls...

kukulo2011 commented 5 years ago

It is in the path /mnt/lg/cmn_data/dvr. If you can copy it to a mounted usb or do a hex dump in the command line as here: https://stackoverflow.com/questions/2614764/how-to-create-a-hex-dump-of-file-containing-only-the-hex-characters-without-spac

The file is 24 bytes long as I remember.

klode82 commented 5 years ago

@fteplitsky how do you have access to the smart TV? Please PM me with your experience, or write here. It would be much appreciated. I'm trying with my LG without success...

fteplitsky commented 5 years ago

klode82

  1. install http://webostv.developer.lge.com/sdk/
  2. use ssh

fteplitsky commented 5 years ago

Hi, I ran ls /mnt/lg #got ciplus flash model res tvservice. There is no cmn_data. Do U have any other suggestion???

kukulo2011 commented 5 years ago

They probably moved it in the webOS devices. Run epk2extract on the downloaded firmware update, then use a good ARM disassembler (Hopper is quite good) or run a Linux string extraction on the binary executables you extracted with epk2extract. Look for a path and file name dvr.

smx-smx commented 5 years ago

The key is stored in a crypted partition often referred to as "sedata" (secure data). This partition is guarded by the TEE firmware (tzfw), which has its own master key to decrypt the partition data. The easiest way to get the keys (including the epk keys that we make available on the repository), is by either intercepting the calls (gdb), linking against LG HAL libraries and writing your own code, or instrumenting RELEASE/tvservice.

fteplitsky commented 5 years ago

After sudo fakeroot ./epk2extrac file.epk ........ ........ [src/epk.c:245] ERROR: Cannot decrypt EPK content (proper AES key is missing). Where can I find it? Thanks in advance

smx-smx commented 5 years ago

We dump AES keys from running devices with shell access

fteplitsky commented 5 years ago

How???

SilRo991 commented 3 years ago

Hey @smx-smx, how do you do this? Do we need root access or is the prisoner enough? Can you give us more information or is there a walkthrough?

MatteoGheza commented 3 years ago

> Hey @smx-smx, how do you do this? Do we need root access or is the prisoner enough? Can you give us more information or is there a walkthrough?

Try rootmy.tv for getting shell access. You'll need to uninstall DevMode app.

mikematijevic commented 11 months ago

Is there a step by step guide to convert lg TV recordings and get them playable on PC? Being a newbie I am unable to extract files. Thanks

mikematijevic commented 11 months ago

> We dump AES keys from running devices with shell access

Hi, could you please provide a step-by-step guide in order to perform this process? I have a 2014 LG Smart TV and I would love to convert/open contents recorded via time machine on an external HD. PS: I'm from Italy too. Let me know. Regards

Vince

Zibri commented 8 months ago

very easy to do, 5 lines of python executed on the same tv. not sure if it's good to post it here. lg is reading us.

moykky commented 5 months ago

So, long story short: Every time I run GetMeIn script, TV leaves telnet port open but does not accept "alpine" password. SSH port was visible if I did NOT run:

mkdir -p /media/cryptofs/root/etc
mkdir -p /media/cryptofs/root/lib

uname -a <Linux LGwebOSTV 3.16.0-p.3.badlands.m14tv.1 #1 SMP PREEMPT Mon Apr 4 08:25:15 UTC 2022 armv7l GNU/Linux

cat /var/run/nyx/os_info.json <{ "core_os_kernel_version": "3.16.0-p.3.badlands.m14tv.1", "core_os_name": "Rockhopper", "core_os_release": "2.2.3-178", "core_os_release_codename": "beehive-biscayne", "encryption_key_type": "prodkey", "webos_api_version": "4.1.0", "webos_build_id": "178", "webos_imagename": "starfish-dvb-secured", "webos_manufacturing_version": "04.06.75", "webos_name": "webOS TV", "webos_prerelease": "", "webos_release": "2.2.3", "webos_release_codename": "beehive-biscayne" }

Another LG TV roots just fine (more recent model); the only difficulties are that the ca-certificates are too old and running a recent Kodi seems impossible. I have pulled a PEM certificate from the TV.

Whole point of this is to decrypt dvr files from hockey Olympics 2022.

kukulo2011 commented 5 months ago

get root and run this command: cat /mnt/lg/cmn_data/dvr

throwaway96 commented 5 months ago

@moykky

Do not use GetMeIn. It is generally broken and unsafe. The hardcoded commands it runs are very fragile and lack any kind of error handling. At least one person has had their TV broken to the point that they would probably have to enable DEBUG to recover. Bind mounting over /etc at boot is not the safest idea in general, let alone without any failsafe mechanism or even error handling.

There is a modified version named getmenow that has had those commands stripped and just launches a telnet server with a root shell instead. (An open source replacement would be a much better solution. Patching credential structures isn't that hard.)

Once you have a root shell, you just need to make devmode_enabled a directory and install/elevate Homebrew Channel (see the crashd guide for an example). Since you're on webOS 2, which doesn't check the signature of start-devmode.sh, you can copy Homebrew Channel's jumpstart.sh over it (or extra_conf.sh like RootMyTV v2) for autostart functionality.

You can update the CA certificate store by having an init script add new certs. There's an example here, although you can use OverlayFS instead of bind mounts on webOS 2. Note that there are multiple cert stores, and which one is used will vary by application.

The PVR key is not in PEM format.

@kukulo2011

I'm pretty sure /mnt/lg/cmn_data/dvr is not present on webOS.

moykky commented 5 months ago

Thank you! I'll look into these. I can confirm there is no /mnt/lg/cmn_data/dvr on my devices. I've made at least 10 factory resets after the GetMeIn script..

EDIT: TV is now rooted with getmenow and everything is good, but where can I find the dvr/pvr encryption key? And I want to add, recordings were made from a public, freely available (ad-sponsored) channel, so no actual piracy going on here. This will come to just my own use/archives.