dvr Keyfile extraction from LG TV #4

Open
kukulo2011 opened this issue Jul 10, 2016 · 25 comments

Comments

@kukulo2011

kukulo2011 commented Jul 10, 2016

I extracted dvr_std_mtk.bin from the epk firmware and renamed it to dvr to use with epk2extract. The unwrapped key is still reported 00 00 00 00 00... Are there some requirements for the keys that arbitrary keys cannot be used?

@smx-smx
Member

smx-smx commented Aug 23, 2016

The dvr key is unique for each TV; you have to extract /mnt/lg/cmn_data/dvr (if I recall correctly) from the running device.

@kukulo2011
Author

I do not have shell access, however I am able to modify extracted firmware inserting a cp command in rsc script to copy it to usb. Is it safe?

@kukulo2011
Author

rcs script

@smx-smx
Member

smx-smx commented Aug 24, 2016

No, it's not. You will not be able to use a modified firmware, nor to create an EPK out of it due to the signature.

@kukulo2011
Author

Is there any solution to get shell access for the LM series smart TV? I tried to get the debug menu in power only mode, but it says Need access USB authentication. After exiting power only mode the TV does not respond to the normal RS232 commands. Shall I assume the TV is in debug mode? The Instart menu still shows Release debug status.

@klode82

klode82 commented Mar 18, 2018

Do you know how to access the internal memory of an LG Smart TV? I have a 60LB650V-NZ TV, with webOS 1.4.0.

@fteplitsky

I have an LG 65UH651Y TV. I have access to the OS file system. How can I find the dvr key? What is the file name?
Help pls...

@kukulo2011
Author

It is in the path /mnt/lg/cmn_data/dvr. If you can copy it to a mounted USB or do a hex dump in the command line as here: https://stackoverflow.com/questions/2614764/how-to-create-a-hex-dump-of-file-containing-only-the-hex-characters-without-spac

The file is 24 bytes long as I remember.

@klode82

klode82 commented Nov 29, 2018

@fteplitsky how do you have access to the smart TV? Please PM me with your experience, or write here. It would be more appreciated. I'm trying with my LG without success...

@fteplitsky

klode82

  1. install http://webostv.developer.lge.com/sdk/
  2. use ssh

@fteplitsky

Hi
I ran
ls /mnt/lg #got
ciplus flash model res tvservice
there is no cmn_data
Do U have any other suggestion???

@kukulo2011
Author

kukulo2011 commented Nov 29, 2018

They probably moved it in the webOS devices. Run epk2extract on the downloaded firmware update, then use a good ARM disassembler (Hopper is quite good) or run a Linux string extraction on the binary executables you extracted with epk2extract. Look for a path and file name dvr.

@smx-smx
Member

smx-smx commented Nov 30, 2018

The key is stored in a crypted partition often referred to as "sedata" (secure data). This partition is guarded by the TEE firmware (tzfw), which has its own master key to decrypt the partition data. The easiest way to get the keys (including the epk keys that we make available on the repository), is by either intercepting the calls (gdb), linking against LG HAL libraries and writing your own code, or instrumenting RELEASE/tvservice.

@fteplitsky

After
sudo fakeroot ./epk2extract file.epk
........
........
[src/epk.c:245] ERROR: Cannot decrypt EPK content (proper AES key is missing).
Where can I find it?
Thanks in advance

@smx-smx
Member

smx-smx commented Dec 1, 2018

We dump AES keys from running devices with shell access

@fteplitsky

How???

@SilRo991

Hey @smx-smx, how do you do this?
Do we need root access or is the prisoner enough?
Can you give us more information or is there a walkthrough?

@MatteoGheza

MatteoGheza commented Jun 21, 2021

> Hey @smx-smx, how do you do this?
> Do we need root access or is the prisoner enough?
> Can you give us more information or is there a walkthrough?

Try rootmy.tv for getting shell access. You'll need to uninstall DevMode app.

@mikematijevic

Is there a step-by-step guide to convert LG TV recordings and get them playable on PC? Being a newbie, I am unable to extract files.
Thanks

@mikematijevic

> We dump AES keys from running devices with shell access

Hi,
could you please provide a step-by-step guide in order to perform this process?
I have a 2014 LG Smart TV and I would love to convert/open contents recorded via time machine on external HD.
PS: I'm from Italy too.
Let me know
Regards

Vince

@Zibri

Zibri commented Dec 20, 2023

very easy to do, 5 lines of python executed on the same tv.
not sure if it's good to post it here. lg is reading us.

@moykky

moykky commented Mar 19, 2024

So, long story short:
Every time I run the GetMeIn script, the TV leaves the telnet port open but does not accept the "alpine" password.
The SSH port was visible if I did NOT run:
mkdir -p /media/cryptofs/root/etc
mkdir -p /media/cryptofs/root/lib

uname -a
<Linux LGwebOSTV 3.16.0-p.3.badlands.m14tv.1 #1 SMP PREEMPT Mon Apr 4 08:25:15 UTC 2022 armv7l GNU/Linux

cat /var/run/nyx/os_info.json
<{
"core_os_kernel_version": "3.16.0-p.3.badlands.m14tv.1",
"core_os_name": "Rockhopper",
"core_os_release": "2.2.3-178",
"core_os_release_codename": "beehive-biscayne",
"encryption_key_type": "prodkey",
"webos_api_version": "4.1.0",
"webos_build_id": "178",
"webos_imagename": "starfish-dvb-secured",
"webos_manufacturing_version": "04.06.75",
"webos_name": "webOS TV",
"webos_prerelease": "",
"webos_release": "2.2.3",
"webos_release_codename": "beehive-biscayne"
}

Another LG tv roots just fine (more recent model), just difficulties with ca-certificates are too old and running recent Kodi seems impossible.
I have pulled pem certificate from tv.

Whole point of this is to decrypt dvr files from hockey Olympics 2022.

@kukulo2011
Author

kukulo2011 commented Mar 19, 2024

get root and run this command:
cat /mnt/lg/cmn_data/dvr

@throwaway96
Contributor

@moykky

Do not use GetMeIn. It is generally broken and unsafe. The hardcoded commands it runs are very fragile and lack any kind of error handling. At least one person has had their TV broken to the point that they would probably have to enable DEBUG to recover. Bind mounting over /etc at boot is not the safest idea in general, let alone without any failsafe mechanism or even error handling.

There is a modified version named getmenow that has had those commands stripped and just launches a telnet server with a root shell instead. (An open source replacement would be a much better solution. Patching credential structures isn't that hard.)

Once you have a root shell, you just need to make devmode_enabled a directory and install/elevate Homebrew Channel (see the crashd guide for an example). Since you're on webOS 2, which doesn't check the signature of start-devmode.sh, you can copy Homebrew Channel's jumpstart.sh over it (or extra_conf.sh like RootMyTV v2) for autostart functionality.

You can update the CA certificate store by having an init script add new certs. There's an example here, although you can use OverlayFS instead of bind mounts on webOS 2. Note that there are multiple cert stores, and which one is used will vary by application.

The PVR key is not in PEM format.

@kukulo2011

I'm pretty sure /mnt/lg/cmn_data/dvr is not present on webOS.

@moykky

moykky commented Mar 19, 2024

Thank you! I'll look into these. I can confirm there is no /mnt/lg/cmn_data/dvr on my devices.
I've made at least 10 factory resets after GetMeIn-script..

EDIT: TV is now rooted with getmenow and everything is good, but where can I find the dvr/pvr encryption key?
And I want to add, recordings were made from public, freely available (ad-sponsored) channel, so no actual piracy going on here. This will come to just my own use/archives.
