Here are some of my preliminary findings. This may be old news to most of you, but I really can't find a central location with pertinent information.
Tizen is an open source operating system based on Linux which runs on modern Samsung TVs among other devices. It is primarily developed by Samsung. This claim leads me to believe it is entirely developed by Samsung. It is open source. You can find the source here https://review.tizen.org/git/?p=sdk/tar ... eads/tizen
This is likely an attack vector for most modern Samsung TVs. As shown by researchers at f-secure, Tizen exposes SDB (Samsung Debug?), UPnP, a web server, and a few other services to the network (https://labs.f-secure.com/blog/samsung- ... -smart-tv/). My goal is to root my TV locally which would open up a few other vectors. USB updates, supported USB devices, HDMI CEC. Not to mention network traffic that can be victim to MITM. Maybe an update request occurs over HTTP rather than HTTPS? My TV has an option for a tech support agent to connect and do who knows what.
The attack surface is plentiful, but we're probably not going to see memory corruption bugs exploited unless we can gain a shell, or emulate the target. Research is also somewhat dependent on dumping the file system. As mentioned earlier, Tizen is open source and that gives us a serious leg up.
If you want to develop apps for the TV, you can download Tizen Studio. Unfortunately there is no native development available for this platform (TV) so you're stuck using JS and HTML. I'm not hopeful about gaining much information this way.
Tizen Studio includes an Emulator for the TV platform. At least on Linux, it's got a qcow2 image which probably contains a lot of good binaries to look at. They're probably in the open source repo too.
Here I'm talking about the motherboard, the one with an x86 processor (depending on version I'm sure) and all the AV inputs.
Here, I personally found a couple SPI chips. I was able to dump them. Unfortunately, I have no clue what it is that I dumped. Doesn't look like BIOS or UEFI. I was hoping I might have some leverage over the Linux kernel command line here, find a key, etc. These dumps aren't useless to me, I just don't know what they are.
EMMC. This one is interesting. Judging by other projects I've looked at, the kernel, OS, filesystems are not encrypted or verified on flash. Write to the flash and you've got root. Conversely, get root and your modifications are permanent... this could take a little effort though. I've had some luck in the past reading onboard EMMC with only 4 wires rigged up to an SD card reader. There are at least a few papers put out by security researchers talking about this. When I've done this in the past, I've had to use a sacrificial board where the EMMC was removed by a painters hot air gun. Once off, the pinout can be determined, alternate points traced, and a live board can be read. I don't have the tools to do it the right way at this time. I've got a logic analyzer but that doesn't help when I forgot to buy a power supply . The boards pop up cheap enough. I may go this route.
The f-secure guys found some debug connections. It didn't lead anywhere. I'm willing to bet there's more to find.
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on http://ctrlv.it/ Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!
DO NOT EVER INSTALL FIRMWARE UPGRADE !!!!