Ask HN: Tips for hacking a TV?
I've got a spare television lying around (specifically, a Samsung UN24H4500), and I thought it'd be fun to take a crack at seeing what I can do with it. The only hitch is that I've never really done any hardware hacking before, so I don't really know where to start!
Any tips and pointers would be much appreciated, in terms of common ways to search for and exploit vulnerabilities, or the exploitation of other televisions. Alternatively, if this is an absolute fool's errand, and the whole thing is locked down tighter than Fort Knox, a firm warning that this is not a good thing to dick around with over a weekend would also be appreciated. Hacking TVs was a favourite pasttime of mine. There's nothing quite like flashing a TV with AOSP such that it thinks it's 55" smartphone. Lock screen and all. See if you can find a service manual for your TV. You'll want to get UART as soon as possible. Just remember crashes are for chumps: https://gist.github.com/Benjamin-Dobell/bb13f6169aaa48625453... PS. I think that may be my favourite piece of code I've ever written. Mostly because it's completely absurd but worked just fine. I have a Samsung smart tv which I’ve never accepted t&c and never connected to wifi. I’d love to make it dumb or at least get rid of the nags to accept t&c or connect when someone accidentally hits the wrong button on the remote. Anything out there to do that? I want that, so bad. Mine brings up the sign in screen every time you turn it on. I also want the ability to just change channels when you hit the channel button. My TV brings up a mini-guide when you hit the channel button, so that the down button goes up in station number and vice versa. Then once you select a channel, because it's not connected to the web, it blinks on and off for 5 seconds or so while it's trying to find program information from the internet connection it does not have. It's absolutely asinine. I miss the days when TV's were just screens to show whatever input I have connected to them. There are often hidden menus for “Hotel mode” that allow you to config which channel / input to default to on power up. No need to hack them. Same. I'd be happy to turn it on and not have a menu over half the screen every time. In a world where Raspberry Pi exists you’d think we’d be able to make such a TV happen. SamyGO used to be the go-to place for Samsung OS hacking, not sure how active they still are though: https://www.samygo.tv/ First step would be to contact Samsung and ask for the Linux kernel and other open source code for your TV. Without it you won't be able to replace the original OS properly. Also mention to them that they have to allow you to update Linux on the TV or they have to stop using Linux on their TVs. And they will provide it as required per law. Note that the law does not require them to provide that in a form that would be usable for anything practical without doing moderate to heavy amount of reverse engineering (e.g. here's the source, here's the toolchain that was released in approximately same period of time, go figure out if this can even be built without recreating part of their internal build system, missing configs, etc). See the blog post, the GPLv2 goes further than what you suggest. So if my Toyota head unit has FOSS they can provide that source code to me if I ask? For the parts covered under GPL, yes, which includes the kernel (if it uses Linux). If they're covered under a more permissive license (e.g. Apache, MIT) you're out of luck as these don't require redistribution of derivative work source code, only attribution. And how many times has this worked? Many times. OpenWRT is the most prominent example. Apart from SFC, in Germany, Harald Welte at gpl-violations.org was enforcing the GPL too for several years. Good luck. I learned an enormous amount about hardware design from a Philips plasma display I got for free some 20 years ago as it wouldn’t show an image for more than a few seconds and multiple repair people had said “buy a new one” to the business that gave it to me. £10,000 piece of kit, working. Philips were actually enormously helpful. I just called them up (well, after going to a TV repair shop, picking the guy’s brains, and getting the number from him), got through to their technical service dept, got them to send me the full service engineer manual, schematics and all, and they were happy for me to quiz them on likely root causes - like, the guy I spoke to a few times seemed genuinely excited that someone was actually trying to repair a TV, and correctly pointed me in the direction of a group of oscillators, one of which had a blown cap. Fixed the thing. Lived on the wall of our office for a decade until it fell off one day. On me. There’s karma. I guess it's the kind of excitement one gets when someone else actively reads the documentation you painstakingly put together. Must’ve been really nice for those cold days. Plasmas are great on someone else’s power connection. We had a great one that almost fully negated the need for a heater in the winter. Blackest blacks! Still miss it, but probably miss the $5k I shelled out for it. My 50" 2007 Pioneer Kuro Elite ($5,000 in 2007) still has the best picture I've ever seen. Almost 3D. No repairs/service ever. Not an answer but a follow-up question: is there open firmware for TVs like Openwrt for routers? I have never heard of such a project, but it sounds like it would be useful. There is this: Not open source OS, just a homebrew store. Not quite the same thing. Another one for LG TVs https://openlgtv.github.io/ That project has fallen victim to people losing interest. A section for 2011 model year TVs has WIP tags for the last 9 years. This might as well have a perpetual under construction shovelling man GIF. After I install it, then what? Perhaps Google TV(there is both an OS and a service by that name, the OS was once called Android TV)? Yes. I’d love this. The software on tvs is awful. Plus many new tvs have ads baked in. An open source OS would be a dream. Software on TV (and worst, set top boxes) is awful is due to the fact that it is an under power CPU and limited memory. The app you saw is either web app in Webkit Embedded or similar embedded, Android app (Android TV) or Roku brightscript app. Most of these TVs run Linux. This lawsuit by Software Freedom Conservancy is aiming for eventual creation of an OpenWRT-for-TVs project (similar to how an earlier lawsuit created OpenWRT). https://sfconservancy.org/copyleft-compliance/vizio.html
https://sfconservancy.org/copyleft-compliance/firmware-liber... TBH though, we don't need another distro specific to certain hardware types, instead we need standard distros like Fedora and Debian to support TV hardware and use-cases. Whatever you do, don’t touch the capacitors, especially if it’s an old TV, even if it’s unplugged. Could kill you. Old TV caps pack a serious punch (even when unplugged) The UN24H4500 is an LED monitor. The big risk in old TVs was the enormous voltages in the CRTs (which acted as a capacitor and stored energy even when off, and even pick up energy from background sources) Aren't a lot of old TVs 'live chassis' as well as using very high voltages? For faster startup, yes. I think that's no longer true for modern flatscreen TVs. Older CRT TVs had caps charged to a dangerously high voltage, but all the caps on an LED/LCD TV should be a low enough voltage to be touch safe. Mains will still kill you, even if its not 3.3kv or what was needed to run a CRT. Its always best to work out where the mains PSU is, and either cover/isolate it so that you don't touch it by accident. Even if turned off, there is a non-insigificant risk that there is either mains power lying around or some other large charge/current ready to bite. THe back of the inlet is also tends to be a hazard, so be really careful around there too. Can't echo this enough. If you're working on anything that has been connected to residential mains... use a multimeter. They're cheap! Check the power supply for residual voltage from PSU caps. Discharge them safely before working on the equipment! How do you discharge them safely? The correct answer is "bleeder resistor." The other answer is "pliers." (Make a connection across the terminals that have a voltage difference) If the maximum voltage is within range, a neon line tester with the button grounded should work well. When the light goes out, the remaining voltage is below the sustain voltage of the neon lamp. That kind of tester is usually built into a screwdriver and often comes free with some electrical items. They are maybe $2 otherwise. Except for the switching power supply, where you have capacitors charged at (rectified) mains voltage so around 155 or 325 volts depending on where you are. They should discharge relatively quickly, but they might be dangerous for a few minutes. Touch safe, how about lick safe? That’s what flyback transformers were for. If you licked them, you’d fly back. Some older flat panels use “cold-cathode fluorescent display backlights” and they’re driven by a high-voltage inverter, I believe - so it’s still a good idea to be wary. That may have been true a long time ago in the age of CRT (picture tube) televisions but anything with a flat screen contains a bog-standard switching power supply with a bunch of 450V-or-so capacitors which will give you a nasty bite but not much more than that. In CRT sets it typically [1] wasn't the discrete capacitors which posed a problem but the CRT itself which was used as a smoothing capacitor for the HT power supply. The in- and outside of the back of the tube were (are) covered with a conducting paint (e.g. 'Aquadag' [2], a colloidal graphite coating) with the inside connected to the HT power supply and the outside connected to ground. That 'internal capacitor' can keep its charge for a long time. As to whether it 'can kill you' that seems to depend on a lot of factors ranging from the discharge path, physical condition of the subject and more. There are many reports on people getting zapped who describe it as 'a nasty jolt' but survivor bias means this is not what you should go by - just avoid getting zapped by discharging the tube. [1] there are exceptions, e.g. older vacuum tube sets which used a mains-driven EHT circuit with discrete capacitors TVs that old didn't need to be hacked. Thank you very much! I will keep that in mind. Ya, i can relate. Me too. I was about 8 when I took my TV apart and brushed my arm against that capacitor. Packed a wallop, and kept my arm in a ridged state for a bit. you could try spamming/brute-forcing the IR spectrum with a IR diode in the hope of finding a debug access: https://hackaday.com/tag/smart-tv-hacks/ Oh hey, now there's an interesting thought! Thank you! I read Vizio TVs run Linux/systemd, after this lawsuit concludes, you should be able to get the source code and reinstall Linux at least. This is probably obvious, but so important that I feel it's worth saying: do not connect it to the internet! The last thing you want right now is up-to-date software, and chances are very good that if it goes online it will update its software and install all the latest security patches. You will need to connect it to a network in order to scan it for vulnerabilities, but make that a network that has no internet access. I would start by doing some searching on the exact make and model, especially searching through the CVE database to see what may be out there. There. If your TV has been connected to the internet, it may have had its software updated to patch any cves, but if it has not been connected, then there's a good chance it is still vulnerable and you can exploit them to get root or further access. You can also throw scans at it. I would start with nmap and scan all the ports, also do service recognition to try and figure out what exact service is running on the other side of the port. For something like a TV, I would not expect a high success rate with identifying, but it's easy to run. What you can identify, the most important part is typically the version number. You can take that version number and compare it with CVEs with a lot more precision to see if there are vulnerabilities. You can also try any number of scanners on it, such as nessus or openvas. There are tons of scanners out there so it's definitely worth doing some searches. I would suggest looking at the Kali Linux list of scanning tools, and either running Kali on a machine you have laying around, or use it with docker. If one of these scanners actually crashes the TV, that is ironically a great sign for your purposes. If the TV has been connected to the internet, and you aren't able to find any vulnerabilities, it might be worth keeping it off the internet for a while to give some time for new vulnerabilities to pop up. That does require a long-term commitment to this project, but it's not like you can't use the TV. I don't connect mine to the internet ever anyway, because I don't want it spying on me and I hate its ads and crappy built-in software. I just use it with a Chromecast with Google TV and good old HDMI. Depending on what you want to do, it's also worth going thoroughly through the menu and looking for any sort of developer or debug options. Sometimes these menus are very hidden, requiring on occasion weird keyboard incantations in order to even appear as options, but once you get these enabled you can connect using tools like ADB or SSH, and get a shell on the machine. All in all, good luck! It sounds like a very fun project. It's a shame we don't live near each other because this sounds like a fun weekend project :-) That's probably rare but I had a no name TV which just let me just enable adb over network with full root access. IIRC I had to install an app that can launch arbitrary activities so I could access the buildin Android settings menu instead of the crippled TV settings UI. Thank you so much for writing all this up! It'll take me a bit to get to it, but if you'd like I'll keep you posted on if I have any luck! Prior work for LG televisions: https://github.com/RootMyTV/RootMyTV.github.io Oh hey great! This might be really helpful. I've actually also got an LG TV upstairs, I'll have a peek at this, could be very helpful! Rootmytv is Not working anymore if you are above a specific webos version.
You can also try fiddling around with a USB to USB device and ADB shell. Per https://stackoverflow.com/questions/57528450/adb-connection-... newer Samsungs (after 2015 per https://news.samsung.com/us/six-advantages-of-tizen-os-on-sa...) run Tizen https://www.tizen.org/ It's fun reading all that posts about dangerous caps, dangerous flyback transformers...
Those fears, and your findings I can read - were/are something normal in my world. I was paid to do that. But faked technology advance, ruined service techicians job. And now mices take over... So you have it. Deal with it. And be afraid - be very afraid :) A decade ago my LG plasma TV had a serial port for using it as digital signage (I think). If I spammed the serial port during boot I could interrupt U-Boot but they had disabled echoing out. I never figured out if I could do something useful or not. Serial ports on tv are usually for screen control, as in turn on/off, change input, set volume... Like what you can do with the OSD and the remote Anyone know if there's anything for non-android Sony and Panasonic tv's? Get an axe. Try xda forum. I shit a brick when you said TV and thought you were talking about old CRTs. If you're going to hack on an OLD TV or microwave, please don't unless you know what you're doing. If you're still going to continue, at least unplug it for over 24+ hours before cracking it open. Those capacitors may still be charged and will not tickle. Microwaves are easy, the schematics are online and usually there is more than enough room to see something dangerous before touching it. An unshielded microwave won’t kill you but will destroy the WiFi noise floor in your dwelling. If your microwave doesn’t turn on, it’s likely due to a $0.25 switch that has failed (use the stop or off button folks, the emergency stop on the door switch takes the full brunt of the magnetron)
https://www.denso.com/global/en/opensource/ivi/toyota/