Exploit for DangXPloit

Name: Exploit for DangXPloit
Rating: 5 (147 reviews)
2026-04-23 | CVSS 5.9
## https://sploitus.com/exploit?id=62EC2FEC-0D00-5D8D-9A33-D2A7D13D1055
# webOS 6.5.3 Root Exploit Chain (0-day)

**Target:** LG Smart TVs running webOS 6.x on MStar LM21U SoC (e.g. LG 55NANO886PB)

**Discovered:** April 2026

**Tested on:** LG 55NANO886PB, Firmware 03.53.45, Kernel 4.4.84-899.19.koli.1

## What This Does

Achieves **full persistent root (uid=0) shell access** on LG webOS 6.x TVs where all known public exploits are patched. Root survives reboots automatically — no manual intervention needed after initial setup.

The exploit chain uses two vulnerabilities:

1. **LS2 Permission Wildcard Escalation** — A sloppy wildcard in Luna Service 2 client permissions grants ALL access to any app matching `dangbei.adapter.plugin*`
2. **Dynamic Service Registration for Root Execution** — The `addOneManifest` Luna API allows registering arbitrary services that execute as root

## Prerequisites

- LG TV with webOS 6.x (tested on 6.5.3)
- Developer Mode enabled on the TV
- Homebrew Channel (HBC) installed
- SSH access as `prisoner` (comes with dev mode)
- Python 2 available on the TV (comes with webOS)

## Quick Start

### Step 1: Install the privileged app

Build and install the `dangbei.adapter.pluginx` IPK:

```bash
# From your PC with ares CLI configured:
cd pluginx-app
ares-package .
ares-install dangbei.adapter.pluginx_1.0.0_all.ipk
```

Or manually upload `pluginx-app/` contents to the TV and install via `dev/install`.

### Step 2: Launch PluginX once

Open **PluginX** from the TV's app launcher. This is only needed for the first-time exploit. After persistence is set up, PluginX is launched automatically on every boot.

### Step 3: Deploy files to TV

```bash
# SSH as prisoner
ssh -p 9922 -i  prisoner@

# Create directories
mkdir -p /media/developer/temp/rootkeep

# Copy service files
scp -P 9922 service-files/* prisoner@:/media/developer/temp/rootkeep/

# Copy exploit script
scp -P 9922 scripts/exploit_root.py prisoner@:/media/developer/temp/
```

### Step 4: Run the exploit

```bash
# On the TV via prisoner SSH:
cd /media/developer/temp
python exploit_root.py
```

### Step 5: Connect as root and set up persistence

```bash
# Connect as root
ssh -p 2222 -i  -o HostKeyAlgorithms=+ssh-rsa root@

# Install auto-root persistence (one-time setup)
sh /path/to/setup_persistence.sh
```

### Step 6: Reboot and verify

```bash
# Reboot the TV
reboot

# After ~90 seconds, root SSH is automatically available
# (the TV IP may change after reboot — scan your subnet if needed)
ssh -p 2222 -i  -o HostKeyAlgorithms=+ssh-rsa root@
```

## How Persistence Works

After initial setup, root access is **fully automatic** on every boot:

```
TV powers on
  -> HBC service auto-starts (registered activity)
  -> jumpstart.sh runs startup.sh (no jail, full system access)
  -> 00-autoroot.sh:
       1. Waits for DevTools to be ready (~30-60s)
       2. Launches PluginX via luna-send (automatic, no user action)
       3. Connects to PluginX via DevTools WebSocket
       4. Injects addOneManifest exploit via PalmServiceBridge
       5. Calls root service -> starts dropbear SSH on port 2222
       6. Loads USB ethernet kernel modules
  -> Root SSH available on port 2222
```

No manual app launching, no SSH commands — just turn on the TV and wait ~90 seconds.

## File Structure

```
lg-webos-root/
  README.md                    # This file
  EXPLOIT_DETAILS.md           # Full technical writeup
  .gitignore
  pluginx-app/                 # The privileged app (dangbei.adapter.pluginx)
    appinfo.json               #   Matches wildcard -> ALL Luna permissions
    index.html                 #   Minimal web app with PalmServiceBridge
  service-files/               # Luna service files for root execution
    manifest.json              #   Service manifest (addOneManifest target)
    svc.service                #   Service definition (ini format)
    role.json                  #   Role with trustLevel: oem
    api.json                   #   API permission groups
    perm.json                  #   Client permissions (allow all callers)
    run.sh                     #   Root payload (starts SSH + telnet)
  scripts/
    exploit_root.py            #   Main exploit (Python 2, runs on TV)
    setup_persistence.sh       #   One-time setup for auto-root on boot
    load_modules.sh            #   Manual USB ethernet module loading
  persistence/
    startup.sh                 #   HBC startup orchestrator
    00-autoroot.sh             #   Auto-root on boot (launches pluginx + exploit)
    01-root-ssh.sh             #   Starts root SSH on port 2222
    02-usb-ethernet.sh         #   Loads USB ethernet kernel modules
  kernel-modules/
    README.md                  #   How to cross-compile kernel modules
```

## USB Gigabit Ethernet

This exploit was originally developed to load USB Ethernet kernel modules for Gigabit streaming via Moonlight/Aurora. Supported adapters:

| Adapter | Chip | VID:PID | Driver |
|---------|------|---------|--------|
| TP-Link UE306 | AX88179 | 0B95:1790 | ax88179_178a.ko |
| UGREEN USB3 GbE | AX88179 | 0B95:1790 | ax88179_178a.ko |
| TP-Link UE300 | RTL8153 | 0BDA:8153 | r8152.ko |

See [kernel-modules/README.md](kernel-modules/README.md) for compilation instructions.

**Important:** Kernel modules MUST be compiled with LG's GPL kernel source (from opensource.lge.com), not vanilla kernel.org. Modules compiled against upstream headers will segfault due to LG's internal struct modifications.

## Disclaimer

This tool is for **educational and personal use only** on devices you own. The authors are not responsible for any misuse or damage. Rooting your TV may void your warranty.

## Credits

- Root exploit chain discovery and implementation
- LG kernel source obtained via GPL compliance ([opensource.lge.com](https://opensource.lge.com))
- Built on top of the excellent work by the [webOS Homebrew community](https://www.webosbrew.org/)