hacker:: [[turmio]]
= Hacking Yamaha RX-V475 =
* http://usa.yamaha.com/products/audio-visual/av-receivers-amps/rx/rx-v475_black_u/
== nmap ==
{{{
$ sudo nmap -sT -p 1-65535 -v -A 192.168.2.33
Initiating OS detection (try #1) against 192.168.2.33
NSE: Script scanning 192.168.2.33.
Initiating NSE at 15:28
Completed NSE at 15:29, 30.12s elapsed
Nmap scan report for 192.168.2.33
Host is up (0.00051s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
|_http-favicon: Unknown favicon MD5: 731538E62E7F79E7418995F493609777
|_http-title: Site doesn't have a title (text/html).
1024/tcp open rtsp Apple AirTunes rtspd 141.9 (Apple TV)
| rtsp-methods:
|_ ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET
1900/tcp open tcpwrapped
8080/tcp open http-proxy?
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html).
10200/tcp open unknown
50000/tcp open ibm-db2?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8080-TCP:V=6.40%I=7%D=12/3%Time=529DDBF2%P=x86_64-apple-darwin13.0.
SF:0%r(GetRequest,145,"HTTP/1\.1\x20200\x20OK\r\nCONTENT-TYPE:\x20text/htm
SF:l\r\nCONTENT-LENGTH:\x20260\r\n\r\n\r\n\r\n
\r\n\r\n\r\n\r\n\r\n\r\nPRESENTATION\x20PAGE
\r\n\r\n\r\n")%r(FourOhFourRequest,1A,"HTTP/1\.1\x20404\x20Not\x20Found\r\n\
SF:r\n");
MAC Address: 00:A0:DE:A1:A4:84 (Yamaha)
Device type: media device
Running: Denon embedded
OS CPE: cpe:/h:denon:avr-2113
OS details: Denon AVR-2113 audio receiver
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=17 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x
}}}
##content goes here
== Chips ==
* Zentel a3v56s30ftp-G6 256Mb DRAM 166Mhz [[http://webcache.googleusercontent.com/search?q=cache:lswB2i3VI4wJ:61.222.70.43/upload/product/datasheet_18_2013-02-22_10-58-32.1+&cd=1&hl=en&ct=clnk&client=safari|Link]]
* HanRun hr903125C Ethernet (Can not find with google)
* smsc 8700c http://pdf1.alldatasheet.com/datasheet-pdf/view/170571/SMSC/LAN8700.html
* Spansion S29GL256S90TFi02 256Mb flash
* silicon image s 19573CTUC NFW308D 1305 AH01PD2
* Cinema DSP TMS320070YE101BRFP
* SMSC DM850A (AirPlay)
* Some Logig chip: probably r5f3650enfb (hard to see)
* PCM9211 (Digital audio) http://www.ti.com/product/pcm9211
{{{
curl -v 10.0.2.52 > /dev/null
* Rebuilt URL to: 10.0.2.52/
* Hostname was NOT found in DNS cache
* Trying 10.0.2.52...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 10.0.2.52 (10.0.2.52) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: 10.0.2.52
> Accept: */*
>
< HTTP/1.1 200 OK
* Server AV_Receiver/3.1 (RX-V475) is not blacklisted
< Server: AV_Receiver/3.1 (RX-V475)
< Content-Encoding: gzip
< Content-Type: text/html
< Content-Length: 15819
< Content-Language: en
<
{ [data not shown]
100 15819 100 15819 0 0 87857 0 --:--:--
}}}
{{{
curl -v 10.0.2.52:8080
* Rebuilt URL to: 10.0.2.52:8080/
* Hostname was NOT found in DNS cache
* Trying 10.0.2.52...
* Connected to 10.0.2.52 (10.0.2.52) port 8080 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: 10.0.2.52:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< CONTENT-TYPE: text/html
< CONTENT-LENGTH: 260
<
PRESENTATION PAGE
}}}
description:: Yamaha RX-v475 reverse engineering
started:: 2013-12-03
----
CategoryProjekti