 hacker:: [[turmio]]

= Hacking Yamaha RX-V475 =

 * http://usa.yamaha.com/products/audio-visual/av-receivers-amps/rx/rx-v475_black_u/

== nmap ==

{{{
$ sudo nmap -sT -p 1-65535 -v -A 192.168.2.33
Initiating OS detection (try #1) against 192.168.2.33
NSE: Script scanning 192.168.2.33.
Initiating NSE at 15:28
Completed NSE at 15:29, 30.12s elapsed
Nmap scan report for 192.168.2.33
Host is up (0.00051s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  tcpwrapped
|_http-favicon: Unknown favicon MD5: 731538E62E7F79E7418995F493609777
|_http-title: Site doesn't have a title (text/html).
1024/tcp  open  rtsp        Apple AirTunes rtspd 141.9 (Apple TV)
| rtsp-methods:
|_  ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET
1900/tcp  open  tcpwrapped
8080/tcp  open  http-proxy?
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html).
10200/tcp open  unknown
50000/tcp open  ibm-db2?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8080-TCP:V=6.40%I=7%D=12/3%Time=529DDBF2%P=x86_64-apple-darwin13.0.
SF:0%r(GetRequest,145,"HTTP/1\.1\x20200\x20OK\r\nCONTENT-TYPE:\x20text/htm
SF:l\r\nCONTENT-LENGTH:\x20260\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n

PRESENTATION\x20PAGE

\r\n\r\n\r\n")%r(FourOhFourRequest,1A,"HTTP/1\.1\x20404\x20Not\x20Found\r\n\
SF:r\n");
MAC Address: 00:A0:DE:A1:A4:84 (Yamaha)
Device type: media device
Running: Denon embedded OS
CPE: cpe:/h:denon:avr-2113
OS details: Denon AVR-2113 audio receiver
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=17 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x
}}}

== Chips ==

 * Zentel a3v56s30ftp-G6 256Mb DRAM 166 MHz [[http://webcache.googleusercontent.com/search?q=cache:lswB2i3VI4wJ:61.222.70.43/upload/product/datasheet_18_2013-02-22_10-58-32.1+&cd=1&hl=en&ct=clnk&client=safari|Link]]
 * HanRun hr903125C Ethernet (cannot find with Google)
 * SMSC 8700c http://pdf1.alldatasheet.com/datasheet-pdf/view/170571/SMSC/LAN8700.html
 * Spansion S29GL256S90TFi02 256Mb flash
 * Silicon Image s 19573CTUC NFW308D 1305 AH01PD2
 * Cinema DSP TMS320070YE101BRFP
 * SMSC DM850A (AirPlay)
 * Some logic chip: probably r5f3650enfb (hard to see)
 * PCM9211 (Digital audio) http://www.ti.com/product/pcm9211

{{{
curl -v 10.0.2.52 > /dev/null
* Rebuilt URL to: 10.0.2.52/
* Hostname was NOT found in DNS cache
*   Trying 10.0.2.52...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.2.52 (10.0.2.52) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: 10.0.2.52
> Accept: */*
>
< HTTP/1.1 200 OK
* Server AV_Receiver/3.1 (RX-V475) is not blacklisted
< Server: AV_Receiver/3.1 (RX-V475)
< Content-Encoding: gzip
< Content-Type: text/html
< Content-Length: 15819
< Content-Language: en
<
{ [data not shown]
100 15819  100 15819    0     0  87857      0 --:--:--
}}}

{{{
curl -v 10.0.2.52:8080
* Rebuilt URL to: 10.0.2.52:8080/
* Hostname was NOT found in DNS cache
*   Trying 10.0.2.52...
* Connected to 10.0.2.52 (10.0.2.52) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: 10.0.2.52:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< CONTENT-TYPE: text/html
< CONTENT-LENGTH: 260
<

PRESENTATION PAGE

}}}

 description:: Yamaha RX-v475 reverse engineering
 started:: 2013-12-03

----
CategoryProjekti