R Series Vulnerability Research

General forum talking area for R/QR series TVs.
Post Reply

Posts: 2
Joined: Fri Feb 12, 2021 3:09 am

R Series Vulnerability Research

Post by xxkryptos »

I picked up a un65ru7100fxza Samsung TV earlier this year. I've recently taken an interest in rooting it. I'm hoping to crowdsource some information and possibly find others who want to work towards this goal.

Here are some of my preliminary findings. This may be old news to most of you, but I really can't find a central location with pertinent information.

Tizen OS
Tizen is an open source operating system based on Linux which runs on modern Samsung TVs among other devices. It is primarily developed by Samsung. This claim leads me to believe it is entirely developed by Samsung. It is open source. You can find the source here https://review.tizen.org/git/?p=sdk/tar ... eads/tizen

This is likely an attack vector for most modern Samsung TVs. As shown by researchers at f-secure, Tizen exposes SDB (Samsung Debug?), UPnP, a web server, and a few other services to the network (https://labs.f-secure.com/blog/samsung- ... -smart-tv/). My goal is to root my TV locally which would open up a few other vectors. USB updates, supported USB devices, HDMI CEC. Not to mention network traffic that can be victim to MITM. Maybe an update request occurs over HTTP rather than HTTPS? My TV has an option for a tech support agent to connect and do who knows what.

The attack surface is plentiful, but we're probably not going to see memory corruption bugs exploited unless we can gain a shell, or emulate the target. Research is also somewhat dependent on dumping the file system. As mentioned earlier, Tizen is open source and that gives us a serious leg up.

If you want to develop apps for the TV, you can download Tizen Studio. Unfortunately there is no native development available for this platform (TV) so you're stuck using JS and HTML. I'm not hopeful about gaining much information this way.

Tizen Studio includes an Emulator for the TV platform. At least on Linux, it's got a qcow2 image which probably contains a lot of good binaries to look at. They're probably in the open source repo too.

Here I'm talking about the motherboard, the one with an x86 processor (depending on version I'm sure) and all the AV inputs.

Here, I personally found a couple SPI chips. I was able to dump them. Unfortunately, I have no clue what it is that I dumped. Doesn't look like BIOS or UEFI. I was hoping I might have some leverage over the Linux kernel command line here, find a key, etc. These dumps aren't useless to me, I just don't know what they are.

EMMC. This one is interesting. Judging by other projects I've looked at, the kernel, OS, filesystems are not encrypted or verified on flash. Write to the flash and you've got root. Conversely, get root and your modifications are permanent... this could take a little effort though. I've had some luck in the past reading onboard EMMC with only 4 wires rigged up to an SD card reader. There are at least a few papers put out by security researchers talking about this. When I've done this in the past, I've had to use a sacrificial board where the EMMC was removed by a painters hot air gun. Once off, the pinout can be determined, alternate points traced, and a live board can be read. I don't have the tools to do it the right way at this time. I've got a logic analyzer but that doesn't help when I forgot to buy a power supply :lol:. The boards pop up cheap enough. I may go this route.

The f-secure guys found some debug connections. It didn't lead anywhere. I'm willing to bet there's more to find.

Official SamyGO Developer
Posts: 6041
Joined: Wed May 04, 2011 5:10 pm

Re: R Series Vulnerability Research

Post by sectroyer »

You can PM for more info :)
I do NOT support "latest fw" at ALL. If you have one you should block updates on router and wait for it to STOP being "latest":)
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on http://ctrlv.it/ Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!

Posts: 1
Joined: Tue Jun 01, 2021 8:18 pm

Re: R Series Vulnerability Research

Post by InStars »

Is Tizen OS using webkit for it's internet browser?
Maybe we can use that as an entry point for an exploit like it is used in Playstation consoles. Many older versions of webkit are vulnerable.

User avatar
SamyGO Project Donor
Posts: 226
Joined: Tue Apr 19, 2016 2:10 pm

Re: R Series Vulnerability Research

Post by Murdock »

If you look closely, almost all the previous Tizen exploits worked based on this.
Therefore, you should not update your software to the latest versions because these vulnerabilities will be patched first.

Post Reply

Return to “[R/QR] General”