A couple months ago I bought a set of LG 49WL95C-W monitors, and of course after unboxing, the next logical thing to do is to start reverse engineering.
After finding out that LG's OnScreen utility (for macOS or Windows) can update the firmware, I opened up Activity Monitor to check what files were open.
I could have opened up Cache.db in a SQLite viewer, but strings works to get what I want to know: the firmware URL.
https://lmu.lge.com/ExternalService/onscreencontrol/fw/49WL900G/MODEL_49WL900G_SV3.02_PV1.0.5_NV2.18_20190422.zip
After downloading this file and trying to extract it, it turns out there's a password, which was trivial to spot in the binary.
Using "49WL900G!LGdasusodkug!@#" as the password worked as expected, and now I have the following firmware files!
img=images/Scaler/WL95C_MSTAR_MST9W00V4_V3.2.2_RscV1.0_0xA2A1_rev3136_190415.bin
area=
ver=3.02
res=1.00
img=images/PD/20181002_49WL95C_FW1_12_08_V1_0_5_GUI4_01_Low.bin:
ver=1.0.5
img=images/NXP/LPC11U68_NXP_V218__rev595_181002.bin
The last file matches up with what I found listed on LG's open source website, which lists FreeRTOS as running on a NXP LPC11U68 (Cortex-M0+). http://opensource.lge.com/osSch/list?types=ALL&search=49WL95C
Time to look at the firmware in more detail in a later blog post!
how was that password obvious, from the big list?
ReplyDeleteThe password has the same model number as the file name in it (49WL900G).
Deleteahh, that makes sense
ReplyDelete