hacker:: [[turmio]]

= Onkyo TX-NR509 =

This is the page for my notes on hacking the Onkyo TX-NR509. Everything is dumped here mainly for my own use. Watch http://www.happyhacking.org/ for a more formal write-up.

 * My goals are to:
  * Get access to a shell (done)
  * Find hidden features (some)
  * Learn how it works :) (pretty much)
 * If you find something interesting please contact me by e-mail: mikko.kenttala(ä)gmail.com or via IRC: Turmio@IRCnet

== Links ==

 * Model: http://www.eu.onkyo.com/en/products/tx-nr509-35637.html
 * Software inside: http://www.eu.onkyo.com/downloads/1/2/0/2/0/21966034_49cbbea4e5.pdf
 * Current firmware: http://www.eu.onkyo.com/en/articles/firmware-update-tx-nr509-15-12-2011-53085.html
 * Customer service: http://www.eu.onkyo.com/en/products/tx-nr509-35637.html?tab=Support
 * Service manual: [[attachment:onkyo_tx-nr509_[ET].pdf]]
 * Might be useful: [[attachment:onkyo_repair-tips_[ET].pdf]]
 * There might be something useful in here too: [[attachment:onkyo_tx-nr1000-service_tips-av-receiver_[ET].pdf]]
 * Decrypting firmware: http://divideoverflow.com/2014/04/decrypting-onkyo-firmware-files/

== Services ==

Full TCP port scan of the receiver. Three ports answer: the web server on 80, the UPnP/DLNA server on 8888 and the serial-over-TCP port on 60128 (see the sections below).

{{{
$ nmap -A -sT -p 1-65535 10.0.2.137

Starting Nmap 5.21 ( http://nmap.org ) at 2011-09-06 18:08 EEST
Strange error from connect (65):No route to host
Nmap scan report for 10.0.2.137
Host is up (0.015s latency).
Not shown: 59802 filtered ports, 5731 closed ports
PORT      STATE SERVICE         VERSION
80/tcp    open  http?
8888/tcp  open  sun-answerbook?
60128/tcp open  unknown

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
}}}

== Web-server ==

=== Basic information ===

 * No authentication
 * http://10.0.2.137/info.cgi [[attachment:info.png]]
 * http://10.0.2.137/station.cgi [[attachment:station.png]]
 * http://10.0.2.137/network.cgi [[attachment:network.png]]
 * http://10.0.2.137/customer_setting/customer_setting.cgi [[attachment:customer.png]]

=== Skipfish findings ===

 * Skipfish found a "secret" page:
  http://10.0.2.137/config.cgi [[attachment:configpage.png]]
 * Surfing to http://10.0.2.137/station.cgi?page=2147483647 causes this: [[attachment:strange.png]] (the page number should be 0 or 1 for it to work; 2147483647 is the largest signed 32-bit integer).
 * http://10.0.2.137/station.cgi?page=294967999 <-- resulted in an empty answer (HTTP 200 with no body):
{{{
$ curl -v "http://10.0.2.137/station.cgi?page=294967999"
* About to connect() to 10.0.2.137 port 80 (#0)
*   Trying 10.0.2.137... connected
* Connected to 10.0.2.137 (10.0.2.137) port 80 (#0)
> GET /station.cgi?page=294967999 HTTP/1.1
> User-Agent: curl/7.21.2 (x86_64-unknown-openbsd4.9) libcurl/7.21.2 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.19
> Host: 10.0.2.137
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-type: text/html
<
* Closing connection #0
}}}
 * Buggy web page in HTML: [[/stationHTML]]

== Serial port socket ==

 * Some kind of hack to forward the old serial port to a socket (port 60128/tcp in the scan above).
 * Wrote a simple test code one night: [[attachment:tOnkyo.py]] (You don't want to use it ;) )
 * You can find the codes for the receiver's serial port on the internet: [[attachment:onkyo.xls]]

== Serial port and JTAG ==

 * It seems that there is a serial port and JTAG inside. {{attachment:jtag-rs232.png}}

=== NET/USB section (this seems to be valid) ===

{{attachment:uart-rs232-net.png}}

 * Ugly hack to get a shell: [[attachment:IMG_2403.JPG]] and [[attachment:IMG_2405.JPG]]
 * You need to have an account to get to the shell
 * login: ''root'' password: ''morimori'' (john the ripper did the trick)
 * [[/BootEnvironment]]
 * [[/Boot-message]]
 * [[/psOutput]]
 * [[/CommandsAvailable]]
 * [[/InfosInside]]

== USB-interface ==

 * You can play mp3s etc. from USB

== UPnP support ==

The receiver announces itself over SSDP multicast. Note the SERVER header: it names the kernel (Linux 2.6.33-rc4) and the UPnP stack (Mediabolic 1.8.225) to anyone listening on the LAN.

{{{
$ sudo tcpdump -i en1 -s 65535 -A host 10.0.2.137
18:34:30.134432 IP 10.0.2.137.ssdp > 239.255.255.250.ssdp: UDP, length 345
E..u..@...z.
........l.l.a.dNOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1801
LOCATION: http://10.0.2.137:8888/upnp_descriptor_0
NT: urn:schemas-upnp-org:service:AVTransport:1
NTS: ssdp:alive
SERVER: Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
USN: uuid:65b0dc02-c3dc-02b9-14d5-0209c3b9ca73::urn:schemas-upnp-org:service:AVTransport:1
}}}

Server header of the description server on port 8888:

{{{
< HTTP/1.1 200 OK
< Content-type: text/xml; charset=utf-8
< Content-length: 3297
< Server: MediabolicMWEB/1.8.225
< Connection: keep-alive
<
* Connection #0 to host 10.0.2.137 left intact
* Closing connection #0
}}}

The device description (lynx strips the XML tags, so the element text runs together; the line breaks are lynx's own wrapping):

{{{
$ lynx --dump "http://10.0.2.137:8888/upnp_descriptor_0"
10urn:schemas-upnp-org:device:MediaRenderer:1TX-NR509 test AAAONKYOhttp://www.onkyo.comAV ReceiverTX-NR509TX-NR509http://www.onkyo.comuuid:65b0dc02-c3dc-02b9-14d
5-0209c3b9ca73urn:schemas-upnp-org:service:RenderingControl:1urn:upnp-o
rg:serviceId:RenderingControl/upnp_control_0/upnp_event_0/scpd/Renderin
gControl_1urn:schemas-upnp-org:service:ConnectionManager:1urn:upnp-org:
serviceId:ConnectionManager/upnp_control_1/upnp_event_1/scpd/Connection
Manager_1urn:schemas-upnp-org:service:AVTransport:1urn:upnp-org:service
Id:AVTransport/upnp_control_2/upnp_event_2/scpd/AVTransport_1http://10.
0.2.137/VEN_1666&DEV_1100&REV_01 VEN_0033&DEV_000C&REV_01DMR-1.50Multimedia.DMRMS_DigitalMediaDeviceClas
s_DMR_V001image/jpeg12012024http://10.0.2.137/icon/onkyo_low_120.jpgima
ge/jpeg484824http://10.0.2.137/icon/onkyo_low_048.jpgimage/jpeg323224ht
tp://10.0.2.137/icon/onkyo_low_032.jpgimage/png12012024http://10.0.2.13
7/icon/onkyo_low_120.pngimage/png484824http://10.0.2.137/icon/onkyo_low
_048.pngimage/png323224http://10.0.2.137/icon/onkyo_low_032.pngMediaDev
ices01
}}}

=== AMP fetches data from the server ===

The receiver repeatedly fetches the UPnP device description of a media server on the LAN (port 2869 with upnphost/udhisapi.dll is the Windows UPnP Device Host):

{{{
GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50

14:25:09.292366 IP 10.0.2.137.43029 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932421 ecr 11972172], length 172
E.....@.@... ... ......5jV..."B....h.g..... ...E...LGET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50

14:25:12.721323 IP 10.0.2.137.43030 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932764 ecr 11972515], length 172
@.@..p ... ......5n.T}.......h....... ........GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50
}}}

== Firmware update over network ==

[[/UpdateFromConsole]]

The receiver resolves avrupd.onkyo.com and then POSTs its MAC address and the wanted firmware filename over plain HTTP; nothing else identifies or authenticates the client in the request:

{{{
10.0.2.137:50127 -> 10.0.0.1:53
.............avrupd.onkyo.com.....
#
U 10.0.0.1:53 -> 10.0.2.137:50127
.............avrupd.onkyo.com.....¿.......Q....updsrv¿.¿.......Q...“..L¿... ....5Ï...ns1.onkyo.co.jp.¿.......5Ï...ns1.omp.ne¿`¿S......5Ï..“«™N¿p......5 Ï..“.."
####
T 10.0.2.137:51273 -> 210.134.145.76:80 [AP]
POST /release/cgi/download.cgi HTTP/1.1..Host: avrupd.onkyo.com..Accept: */*..User-Agent: AVR/1.0..Content-Type: application/x-www-form-urlencoded..Content-Length: 69....hwaddr=00:09:b0:c1:d5:c3&filename=AVR0007/ONKAVR0007_00NA00EA00NA.of1
#
T 210.134.145.76:80 -> 10.0.2.137:51273 [AP]
HTTP/1.1 200 OK..Server: Apache..Status: 200 OK..Date: Sun, 04 Sep 2011 20:09:21 GMT..Content-length: 256..Content-Type: application/octet-stream.....BÀW/¡∂.zË;∏∆¸ Ã≠i.I.?2..Æ~,≤¸aœsË.|O..v.J.sN©.P.U∆¬B>….ÔF.ÚË....F...>
}}}

description:: Getting a shell from Onkyo's AVR with network capabilities
started:: 2011-09-06
----
CategoryProjekti
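== Added example: boundary-value probe for station.cgi ==

The Skipfish findings above were made by hand (page=2147483647 breaks the page, page=294967999 gives a 200 with an empty body). The script below is an added example, my own code and not from this page, that turns that into a systematic sweep of integer edge values against any CGI parameter. The classification labels and the "half of baseline length" threshold are my own choices, not behaviour the receiver is known to have; `fetch` is injectable so the logic can be exercised without the receiver on the network.

```python
"""Boundary-value probe for integer CGI parameters such as station.cgi?page=N.

Added example, not code from the page. Sweeps classic 32/64-bit edge values
into one query parameter and labels each response relative to a known-good
baseline (page=0), so that an empty 200 or a wildly different page size stands
out the way the manual pokes above did.
"""
import time
import urllib.error
import urllib.request

# Classic 8/16/32/64-bit edges plus a negative value. 2147483647 is INT_MAX.
BOUNDARY_VALUES = [
    0, 1, 2, -1,
    127, 128, 255, 256,
    32767, 32768, 65535, 65536,
    2147483647, 2147483648, 4294967295, 4294967296,
    9223372036854775807, 9223372036854775808, 18446744073709551615,
]


def http_fetch(url: str, timeout: float = 5.0):
    """Return (status, body_bytes). HTTP error statuses are data here, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(status: int, body: bytes, baseline_len: int) -> str:
    """Label a response relative to the known-good baseline (thresholds are my own assumption)."""
    if status >= 500:
        return "server-error"
    if status != 200:
        return "http-%d" % status
    if not body.strip():
        return "empty-200"          # what page=294967999 produced on this receiver
    if b"<html" not in body.lower():
        return "non-html"
    if abs(len(body) - baseline_len) > baseline_len // 2:
        return "size-anomaly"
    return "ok"


def probe(base_url: str, param: str, values=BOUNDARY_VALUES, fetch=http_fetch) -> list:
    """Sweep `values` into `param`; return [(value, status, length, seconds, label)]."""
    _status, body = fetch("%s?%s=0" % (base_url, param))
    baseline_len = len(body)
    results = []
    for v in values:
        t0 = time.monotonic()
        status, body = fetch("%s?%s=%d" % (base_url, param, v))
        dt = time.monotonic() - t0
        results.append((v, status, len(body), round(dt, 3), classify(status, body, baseline_len)))
    return results


def anomalies(results: list) -> list:
    """Only the rows worth a second look."""
    return [r for r in results if r[-1] != "ok"]


if __name__ == "__main__":
    for row in probe("http://10.0.2.137/station.cgi", "page"):
        print("%-22d %3d %6d %6.3fs %s" % row)
```

Run it against the receiver's address; the timing column is there because a slow response on one edge value is as interesting as a crash. Keep the value list small when pointing it at real embedded hardware, since a CGI that falls over may take the whole box with it.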
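== Added example: framing for the serial-over-TCP port (60128) ==

The "Serial port socket" section above only says that the old serial command set is forwarded to port 60128. This is an added example, my own code and not the page's tOnkyo.py: it assumes the port speaks Onkyo's eISCP framing (an `ISCP` magic, 16-byte header with big-endian header and data sizes, version byte 0x01, then `!1<command>\r`), which the page does not state, and it uses the command name PWRQSTN from the serial command set (onkyo.xls) rather than anything shown on this page. The parser treats the peer's length field as untrusted and caps it, so a hostile or buggy device cannot make the client allocate or wait for gigabytes.

```python
"""eISCP framing for Onkyo's TCP port 60128 (added example, not the page's own code).

Assumed frame layout (not stated on the page):

    'ISCP' | header_size u32 BE (16) | data_size u32 BE | version 0x01 | 3 reserved bytes | data

data is '!' + unit ('1' = receiver) + command + '\r'. Replies use the same
framing and end their data with 0x1a 0x0d 0x0a.
"""
import socket
import struct

MAGIC = b"ISCP"
HEADER_SIZE = 16
VERSION = 1
MAX_DATA = 1024        # sanity cap: a peer-supplied length must never size our buffers

HEADER = struct.Struct(">4sIIB3s")   # 4 + 4 + 4 + 1 + 3 = 16 bytes


def build_frame(command: str, unit: str = "1") -> bytes:
    """Wrap a raw ISCP command such as 'PWRQSTN' in an eISCP frame."""
    data = ("!" + unit + command + "\r").encode("ascii")
    return HEADER.pack(MAGIC, HEADER_SIZE, len(data), VERSION, b"\x00" * 3) + data


def parse_frame(buf: bytes):
    """Parse one frame from the start of buf.

    Returns (command, remaining_bytes), or (None, buf) if buf does not yet hold
    a whole frame. Raises ValueError on a malformed header, which is exactly what
    an oversized or garbage length field from a fuzzer or a hostile peer trips.
    """
    if len(buf) < HEADER_SIZE:
        return None, buf
    magic, hsize, dsize, version, _reserved = HEADER.unpack_from(buf)
    if magic != MAGIC or hsize != HEADER_SIZE or version != VERSION:
        raise ValueError("bad eISCP header: %r" % buf[:HEADER_SIZE])
    if dsize > MAX_DATA:
        raise ValueError("data_size %d exceeds cap %d" % (dsize, MAX_DATA))
    end = hsize + dsize
    if len(buf) < end:
        return None, buf
    data = buf[hsize:end]
    if not data.startswith(b"!"):
        raise ValueError("data does not start with '!': %r" % data)
    # drop '!' + one unit character, then the EOF/CR/LF trailer the receiver appends
    command = data[2:].rstrip(b"\x1a\r\n").decode("ascii", "replace")
    return command, buf[end:]


def query(host: str, command: str, port: int = 60128, timeout: float = 3.0) -> list:
    """Send one command and collect every complete reply frame until the socket goes quiet."""
    replies, buf = [], b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_frame(command))
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while True:                      # a chunk may carry several frames
                    cmd, buf = parse_frame(buf)
                    if cmd is None:
                        break
                    replies.append(cmd)
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.2.137"
    for reply in query(host, "PWRQSTN"):
        print(reply)
```

There is no authentication on the port, so anything that can reach 60128/tcp can drive the receiver with the same command set the front panel uses; the length cap and header checks are the part worth keeping if you turn this into a fuzzer, because the client side is just as easy to get wrong as the device side.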
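== Added example: parsing the SSDP announcement ==

The UPnP section above shows the receiver's SSDP NOTIFY and the description URL it points at. The following is an added example, my own code and not from this page: it parses that NOTIFY (embedded below, copied from the capture above) into fields, pulls out what an inventory of the LAN cares about (device UUID, description URL, the SERVER banner that gives away kernel and UPnP stack versions), and builds the standard SSDP M-SEARCH request so the receiver can be found on demand instead of waiting for its next announcement. The M-SEARCH format is the usual SSDP one; the page itself does not show it.

```python
"""SSDP NOTIFY parsing and M-SEARCH discovery (added example, not the page's own code)."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

# Copied from the tcpdump capture on this page (SSDP headers only, hex dump dropped).
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1801\r\n"
    b"LOCATION: http://10.0.2.137:8888/upnp_descriptor_0\r\n"
    b"NT: urn:schemas-upnp-org:service:AVTransport:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225\r\n"
    b"USN: uuid:65b0dc02-c3dc-02b9-14d5-0209c3b9ca73::urn:schemas-upnp-org:service:AVTransport:1\r\n"
    b"\r\n"
)


def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP datagram into {'_start': request/status line, HEADER: value, ...}.

    Header names are upper-cased because devices are inconsistent about case.
    Lines without a colon are skipped rather than raising: a listener on
    1900/udp sees junk from every chatty box on the LAN.
    """
    text = datagram.decode("latin-1")        # never fails, keeps odd bytes intact
    lines = text.split("\r\n")
    fields = {"_start": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().upper()] = value.strip()
    return fields


def summarize(fields: dict) -> dict:
    """Reduce a parsed announcement to device id, type, description URL and stack banner."""
    usn = fields.get("USN", "")
    uuid, _, nt = usn.partition("::")        # USN is 'uuid:<id>::<device-or-service-type>'
    return {
        "uuid": uuid.replace("uuid:", "", 1),
        "type": nt or fields.get("NT", fields.get("ST", "")),
        "location": fields.get("LOCATION", ""),
        "server": fields.get("SERVER", ""),
        "alive": fields.get("NTS", "") == "ssdp:alive",
    }


def msearch(target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build a standard SSDP M-SEARCH request for the given search target."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: %s:%d\r\n"
        "MAN: \"ssdp:discover\"\r\n"
        "MX: %d\r\n"
        "ST: %s\r\n\r\n" % (SSDP_ADDR[0], SSDP_ADDR[1], mx, target)
    ).encode("ascii")


def discover(timeout: float = 3.0) -> list:
    """Multicast an M-SEARCH and return (ip, summary) for every device that answers."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = s.recvfrom(65535)
                found.append((addr[0], summarize(parse_ssdp(data))))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    print(summarize(parse_ssdp(SAMPLE_NOTIFY)))
    for ip, info in discover():
        print(ip, info)
```

The M-SEARCH responses use the same header layout as NOTIFY (with `ST` in place of `NT` and a status line instead of a request line), which is why one parser serves both. The description URL it yields is the one dumped with lynx above.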