UPDATE: The password for the service is: gemstar. You can find out lots more info from http://hackaday.com/2012/06/20/getting-root-on-a-sony-tv/. There is also nimue on GitHub, which is the exploit that is linked to from the Hackaday article.

So I own a Sony Bravia KDL-46W5100. I was bored this weekend and decided to take a look at its network footprint. I did a bit of googling and came up kind of blank. Doing a quick port scan, I found that ports 9784 and 12345 are open. 9784 is tcpwrapped and disconnects me as soon as I connect. I suspect that if I set my machine to a particular IP I would be able to connect to it there in some fashion. However, port 12345 is far more interesting. Nmap reported it back as echo, which struck me as a little odd. Sure enough, though, when I connect to it, I am not greeted with a banner and anything I type gets echoed back to me. However, after the echo I am greeted with the following prompt:

    6d.22:34:26:PASSWORD]

For example:

    $ nc 12345
    asdf
    asdf
    6d.23:13:21:PASSWORD]

Anything I type gets echoed back, and I again get the same prompt. However, if I enter in a single \ I get the following:

    6d.23:13:21:PASSWORD] \

    flushrstinfo - flush system reset information
    debug - show subcommands
    zmodemmode - Change File Mode of zmodem
    rz - Rx file from ZModem
    sz - Tx file through ZModem
    cd - Go to directory
    ls - List file
    rm - Remove file
    cp - Copy file or directory
    pwd - current directory
    diag - dump the diagnostics information
    reset - perform a reset
    commitdata - commit data
    demo - Load demo data
    settime - Force time
    idd - Internet data delivery download on current channel
    dl - scheduled download info
    dretest - data reception engine tests
    searchNext - host search next channel
    happ - Host App APIs
    htime - Host Date/Time APIs
    hsetup - Host Setup APIs
    hui - Host UI APIs
    hchlist - Host Channel List APIs
    run - execute commands from script file
    sleep - delay for specified seconds
    fsopen - Open file
    fsread - Read file
    fswrite - Write file
    fsclose - Close file
    fdp - file content dump
    prog - get listing
    nprog - get next show
    cat - get all category codes
    catprog - search program by cat code
    actprog - search program by actor ID
    seriesprog - search program by series ID
    schev - schedule event
    job - job related function
    device - device related function
    loadimg - load image
    gc - Garbage Collection Testing
    channel - Channel tuning and editing
    commit - Commit data to the DB
    qatest - QA test specific command
    clearresetinfo - Clear Reset Info command
    cleareventlog - Clear Event Log command
    configtimeout - Configure the Console Timeout
    csstatus - set the Click Stream Enable/Disable status
    cspack - pack/unpack the Click Stream File
    cps - cps related functions
    dbtest - for DB test
    memtool - memory measurement tools
    zip - zip/unzip a file
    ad - begin/end house keeping mode
    dbdebug - Turn on/off DB debuging messages
    mins2time - Convert integer minutes to human-readable date/time
    secs2time - Convert integer seconds to human-readable date/time
    grfxlog - Turn on/off graphics logging
    6d.22:54:30:PASSWORD]

Which to me looks like a help menu. I cannot execute any of the listed commands: if I type them, I only get the command echoed back at me, and that stupid password prompt. All googling attempts to figure out the password have failed.

Other things of note: I can enter in as many \ in a row as I want, and I get the same display; however, if I end the \'s with two non-\ characters, I get that echoed back to me. If I press and send an esc, I can reset everything back to its start, meaning no password prompt is displayed.

I will work on this some more when I get the time. I think I found my new project.
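
Nmap labelled port 12345 as echo, but the session above shows a password-gated debug console whose help menu is readable before any login. The following is an added example, not code from the original post: a Python fingerprint for inventory or scan captures that tells the two apart and flags file-handling commands visible in the help output. The function name, the choice of "file-handling" commands and the sample captures are assumptions made for the illustration.

```python
import re

# Prompt as printed on the page, e.g. "6d.22:34:26:PASSWORD]". What the
# four numeric fields mean is not stated there; they are kept as raw ints.
PROMPT_RE = re.compile(rb"(\d+)d\.(\d{2}):(\d{2}):(\d{2}):PASSWORD\]")
# Help-menu entries have the shape "name - description", one per line.
HELP_RE = re.compile(rb"^[ \t]*(\w+)[ \t]+-[ \t]+(.+?)[ \t\r]*$", re.M)
# Commands from the page's listing that transfer, write or run files
# (this grouping is an assumption of the example).
FILE_CMDS = {"rz", "sz", "rm", "cp", "fswrite", "run", "zip"}


def classify(sent: bytes, received: bytes) -> dict:
    """Classify one captured exchange (bytes sent, bytes received)."""
    prompt = PROMPT_RE.search(received)
    cmds = [m.group(1).decode("ascii") for m in HELP_RE.finditer(received)]
    if prompt:
        kind = "debug-console"      # echo followed by the password prompt
    elif sent.strip() and received.strip() == sent.strip():
        kind = "echo"               # RFC 862 behaviour: bytes back, nothing else
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "prompt_fields": tuple(int(g) for g in prompt.groups()) if prompt else None,
        "help_exposed": bool(prompt and cmds),
        "file_cmds": sorted(set(cmds) & FILE_CMDS),
    }


# Constructed captures, modelled on the session quoted in the post.
SAMPLES = {
    "tv-typed-asdf": (b"asdf\n", b"asdf\r\n6d.23:13:21:PASSWORD]"),
    "tv-typed-backslash": (
        b"\\\n",
        b"\\\r\nrz - Rx file from ZModem\r\nls - List file\r\n"
        b"fswrite - Write file\r\n6d.22:54:30:PASSWORD]",
    ),
    "real-echo": (b"asdf\n", b"asdf\n"),
}

if __name__ == "__main__":
    for name, (sent, received) in SAMPLES.items():
        print(name, classify(sent, received))
```

A host classified as debug-console with help_exposed set is worth blocking at the network edge or isolating on its own VLAN, since the menu is disclosed without authentication.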