TVs

postmarketOS does not currently supports any TVs. Some targets in the future could include WebOS and Tizen based systems (among others and older ones), which are already based on Linux. Android-based TVs (including Fire OS) already have pages.

Samsung
Samsung has used Tizen in their modern TVs. 2008-2014 models used the Orsay (possible codename, unknown source) or otherwise known as the (retroactively renamed) "Samsung Legacy Platform", see here.

Getting access via debug port (recommended method for root and most likely installation vector)
See https://wiki.samygo.tv/index.php?title=Ex-Link_Cable_for_C/D/E_Series_and_BD_players for Internet@TV and 2011 or 2012 Smart TV Models or https://wiki.samygo.tv/index.php?title=Ex-Link_Cable_for_J/K/M/Q/N/QN_Series for all Tizen based models

Extracting
1. Setup a Python 2.7 environment with pycryptodomex (most recommended), pycryptodome, or pycrypt/pycrypto (what the script is made for, but outdated and vulnerable) 2. Download samygo_patcher.py from https://github.com/george-hopkins/samygo-patcher/blob/master/samygo_patcher.py and aquire the firmware image of your television if you haven’t already (only up to E-Series (2012) is supported. Either extract the .EXE file using 7zip, or running it on Windows or Wine. 3. Run samygo_patcher.py in python 2, and tell it to decrypt_all and point to the folder beginning usually with T-. If you have renamed or moved the image folder or point to the image folder, you will get an error. 4. The decrypted image files can be extracted with 7zip or even better, mounted as a drive, except the file “Image” as it’s a binary file.
 * exe.img contains the Orsay operating system and its resources
 * rootfs.img contains most of the Linux kernel and it’s resources.
 * Image is an unextractable binary file, most likely uboot
 * emanual.img most likely contains the manual information for the television model.

Modifying firmwares
1. Follow the tutorial to extract the firmware, but mount the images in step 4 with write permission. 2. Modify the firmware however you would like 3. Run SamyGO patcher, but this time tell it to encrypt and point to the file you would like to encrypt, or say encrypt_all and point towards the folder. 4. Move or delete the decrypted files and install them on your TV (or TV motherboard, for you salvagers out there)

Method 1
This method works on almost all current (2010 onwards) Samsung LCD sets, including HD and UHD versions. Put the TV into standby mode. On the remote, press {Info} {Menu} {Mute} {Power} in sequence. If successful the TV will turn on and the service menu will now display.

Method 2
Put the TV into standby mode. On the remote, press {Mute} followed by {1},{8}, {2}, {Power} in sequence. If successful the service menu will now display.

Method 3
With the TV in standby, press the {DISPLAY} {P.STD} {MUTE} {POWER} on the remote.

Method 4
With the TV in standby, press the {SLEEP} {P.STD} {MUTE} {POWER} on the remote.

Method 5
With the TV in standby, press the {DISPLAY} {MENU} {MUTE} {POWER} on the remote.

Method 6
With the TV in standby. On the remote, press {MUTE} followed by {1} {1} {9} {ENTER} in sequence.

Tizen
Root tool published in late November of 2021: https://github.com/synacktiv/samsung-q60t-exploit/tree/main

Orsay/Samsung Legacy Platform
The user SkyBladeCloud has used the Ubuntu userspace on the 46ES8000, so it seems that the legacy platform is also Linux based. See here. The original TV operating system runs in an X-window server opened when the Smart Hub button on the remote is pressed, and may be available in pmOS as an application like Waydroid.

See also the SamyGo project and this LWN article about it.

Additionally, there is a vulnerability with hbbTV allowing root: https://youtu.be/bOJ_8QHX6OA

On Orsay, a Debian Chroot environment has been developed, specifically for the H-series/2014 models.

LG
LG used Netcast in their 2010-2014 models and WebOS (which uses OpenEmbedded) since then. 2014 is a tricky year, as both new models running webOS and NetCast were being sold at the same time that year. In 2012-2013 LG sold Google TV units, which are essentially Android-based along with a ChromeOS binary. LG also sold TVs running Roku OS at one point.

LG is publishing open source code on https://opensource.lge.com

According to an OpenLGTV developer, there are no TVs with mainline support, because there are a lot of hardware customizations. Booting a custom kernel requires hacking the bootloader which is normally verifying signatures.

webOS
webOS-based televisions can be rooted via visiting https://rootmy.tv/ and sliding the slider (just like JailbreakMe back in the old iPhone days), and will install the webOS Homebrew Channel (just like in the Wii days).

NetCast
See http://web.archive.org/web/20161119160745/http://openlgtv.org.ru/wiki/index.php/Wiki_index

Google TV/Android
LG has made two models based on Android, the 55G2 and the 47G2. Root can be achieved via Cydia Inpactor. https://forum.xda-developers.com/t/q-lg-google-tv-can-it-be-rooted.2811945/

Recovery Menus
According to a YouTube video there is way to access the recovery menu on the LG TV' that has Google TV (Android OS) on it.

Tested Hardware

 * LG 55" Class Cinema 3D LED Google TV - 55GA7900

Procedure
Shut down the TV and disconnect it from power.
 * Connect the TV to power but don't turn it on.
 * Press the "settings symbol" button first and while holding it press the "channel down" button.
 * Release the "settings symbol" button and then release the "channel down" button.

The TV will turn on and will show the Android Recover Menu. Use the volume keys to navigate the options and press the "Wheel-button" to select the options.

Source

 * Programmer Finds Way To Liberate Ransomware-Ridden Smart TV, Thanks To LG
 * YouTube Video

Roku OS
See Roku section

Philips
Philips used NetTV on older models and Android TV on newer TVs.

NetTV
https://fredericb.info/2014/11/exploitation-of-philips-smart-tv.html

The serial port, which is a generic 3.5mm port just like Samsung's is exploitable, and gives a shell, and is vulnerable to CVE-2012-5958.  Linux version 2.6.28.9-oslinuxR7.5 (root@lxdevenv) (gcc version 4.2.4) #1 Thu Jun 16 23:27:36 CEST 2011 console [early0] enabled CPU revision is: 00019651 (MIPS 24Kc) FPU revision is: 01739300 282 MB SDRAM allocated to Linux on MIPS 512 MB total SDRAM size Endianess : LITTLE [...]

Android TV
The Android TV models can be rooted, except when dm-verify is enabled: https://forum.xda-developers.com/t/guide-how-to-root-2015-philips-android-tv.3323912/

Possibility for booting into other kernels using kexec.

Sony
Sony Bravia TVs run a Linux-based proprietary operating system, however newer ones run Android TV.

Linux-based
Old exploit which has been patched by aa0206pf update: https://github.com/CFSworks/nimue

Android TV
CVE-2019-2215 is a temporary root vulnerability: https://github.com/LIznzn/CVE-2019-2215

Roku
RootMyRoku, a root exploit which has since been patched: https://github.com/llamasoft/RootMyRoku In theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.

Exploitee.rs, known as GTVHacker back then has published a guide earlier in the Roku 3 days: https://exploitee.rs/index.php/Exploiting_Roku, as of version 3063 this bug no longer works. We released this attack on a Saturday during the US New Year holiday weekend and it was patched the following day by an OTA update. The bug was introduced into Roku code two months prior to our finding it meaning that affected versions in the wild are scarce.

The Roku HD1000 has been hacked to install VLC media player: https://www.jpsaman.org/node/3

The Roku XT has been rooted in 2021 and covers a 6-part long documentation about the roku including internels and serial ports: https://tdot.fish/tag/roku/

Grundig
See https://www.techspot.com/news/68958-how-hacked-smart-tv-bed-command-injection.html

Opera TV
See https://github.com/ninakali/chip_scavenger/blob/main/src/scavenge/008_tv/index.md

Jadoo3
See "Syabas"

Jadoo4+
JadooTV models have renamed "su" binaries in /system/xbin/. All models of JadooTV past Jadoo4 including the Jadoo4 series run Android, dual core Jadoo4 models running 4.2.2 "Jelly Bean", Jadoo4 quad core models running Android 4.4.2 "KitKat", the Jadoo5 running Android 6.1.1 "Marshmallow", and the Jadoo7 running Android 9.0 "Pie". JadooTV boxes do NOT get official patches from AOSP due to them being based right off of AOSP.
 * 1) In the Jadoo4 series, it is named "su-j4" and another one called "sud"
 * 2) In the Jadoo5 series, it is named "su-j5"
 * 3) In the Jadoo7, it is named "su-j7". The Jadoo7 also has port 5554 on ADB open and can be used with ADB root to root it.

Syabas
See https://www.linuxquestions.org/questions/linux-embedded-and-single-board-computer-78/replacing-the-os-on-jadoo-3-syabas-popbox-v8-rev-1-1-a-4175673847/ for info on how to root

Toshiba
See https://shkspr.mobi/blog/2018/11/telnet-control-of-toshiba-smart-tvs/ for Tohiba Places.

Foxxum
See https://github.com/prototux/TCL-TV-reverse-engineering for reverse engineering of the Foxxum operating system on a TCL Smart TV

The app store, along with most of its apps can be almost completely be accessed in a normal web browser: http://6263467844-3673116133.am-live.fxmconnect.com/ and almost all app data is stored in cookies, so transfering from Foxxum to pmOS in the future will be simpler than with Android and the Waydroid program.

Other
https://exploitee.rs/index.php/ - contains information about many devices root, including all known GoogleTV (2012) units.

ONN TV
While booting into recovery for any reason, U-Boot will look for USB mass storage devices on the OTG port and, if it finds one, exec a script from its root called aml_autoscript if it finds one and then boot an image called recovery.img if it finds one. There are two implementations of fastboot on this device: one is in U-Boot and is a traditional bootloader fastboot, which can write basic flash partitions like,  , and. The other is in the recovery and is Android's fastbootd, which additionally knows how to write to Android dynamic partitions like  and.

To enter the bootloader fastboot, you can run  while booted into Android. Alternatively, you can enter it directly from power off by connecting the device to a computer over USB while holding the side button and waiting for a USB device with VID:PID  to show up. This device is the bootloader's implementation of Amlogic's proprietary USB download protocol, and you can use it to enter fastboot: first, download or clone pyamlboot, which implements the Amlogic protocol. Then, run  (don't worry if it prints an error), and the device should re-enumerate with USB VID:PID , which signifies fastboot mode.

To enter fastbootd, you can run  while booted into Android. There's also likely a command to boot into this mode from Amlogic download mode, since that mode lets you send arbitrary commands to U-Boot, but my device is not currently in a working enough state for me to find and test that command.

It's been reported that patching  with Magisk, following Magisk's standard instructions for that, and reflashing it to the   partition using fastboot is sufficient to root the device with no loss of functionality.

Set top boxes using an Amlogic SoC
Some Amlogic-based set top boxes are able to boot postmarketOS. See this page for more info.

Documentation
Some software and documentation is available in the repos of OpenLGTV here.

EPK Naming (previous convention)
Example:

EPK Naming (new convention)
Example:

Platform table
There is some platform/codename relation.

Samsung

 * SamyGO - a wiki about modding Samsung TV's

LG

 * OpenLGTV Discord (Note that postmarketOS doesn't recommend proprietary platforms like Discord.)
 * openLGTV wiki

All

 * https://exploitee.rs/ - Various IoT and some tvs
 * https://github.com/ReFirmLabs/binwalk - Firmware extraction and reverse engineering
 * https://discord.gg/wN9Nmh9pWT - Smart TV Archival discord, also assists in rooting