Author Topic: Hacking the HMT350 Internet Radio  (Read 15702 times)


Offline Bored@WorkTopic starter

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Hacking the HMT350 Internet Radio
« on: January 15, 2011, 10:59:12 am »
This is a rough sketch about hacking the HMT350 Internet radio. It might or might not work. It also might or might not work for the Xenta KMP510, Disgo TV Go, Corbell Cayenne Funbox, or Arnova. Further, the operating system mentions configurations like "Foxmann", "Inprice", "Ion", "Kjell", "Linepro", "Otek", and "Pearl".

Warnings

First, a number of warnings:

It might be illegal in your country. I live in a jurisdiction where reverse engineering is legal. I worked with equipment I fully own and which is my property. I only sniffed network traffic in my home network, which I fully own and which is my property; it was my network traffic, and the network was not shared by others at that time.

This can kill your Internet radio. I killed one in the process.

You can kill your PC. I didn't.

You can kill your network. I didn't.

This requires some clue. If you are the hackaday or instructable type of fanboy, busy scratching your private parts and shouting "awesome" when you see a blinking LED, doing weed, or thinking the Arduino is god's gift to embedded programming, you probably don't have the required clue.

I don't plan to write more than what is written here. If you don't get it or need hand-holding, see the previous warning. Let me repeat that: I don't plan to write more than what is written here.

This is not a description. It is a collection of hints, with errors and omissions. It was written in a hurry. Use at your own risk.

About the HMT350

In my opinion the HMT350 is a mediocre Internet radio. It looks fucking ugly. Its radio-station lists and "TV"-station lists are badly administered. I don't need that many Chinese propaganda stations, while there are barely any stations in my native language I find useful. SHOUTcast didn't work at all. I can't recommend it as an Internet radio. And I don't recommend buying one just to hack it. But if you have one sitting idle, can afford to lose it, and if you have a clue ...

Because of the stupid station list I went out to figure out where that thing gets its radio station list from - and I found something different:

The HMT350 runs an embedded Linux.

Looking at my HMT350, the user manual and packaging that came with it I could not find the complete source code included as required by the GPL, or a written offer how to get it, or a copy of the GPL stating my rights. I am sure the supplier/distributor/vendor/retailer just forgot to provide a copy of the GPL and source code ... Yeah, sure ...

[Note: Some fragments of the code can be found on the processor manufacturer's web site. In my layman view (I am not a lawyer) this might not be sufficient, but hey, I am sure everything is fine with the copyright, Yeah, sure ...]

There are a few preparations to be done to make it possible to hack the HMT350.

* Getting the internal flash disk configured. Some models or some series might have that already configured. If not, set it up as described later. That is needed to do a firmware update from the flash disk instead of via the Internet.

* Figure out the download site. It was my original intention to find the station list download site. In the end I found the firmware update site, too. We will need this firmware update in the process.

Experienced people probably already know where this is heading. We will prepare a special firmware update and deploy it to hack into the HMT350.

Setting up the internal flash disk

Instead of using the USB socket for the power supply, plug the HMT350 into the USB bus of your PC. I recommend you use a self-powered USB hub to make sure the HMT350 gets enough power.

lsusb should show something like

   Netchip Technology, Inc. Linux-USB File Storage Gadget

This is a first hint that the thing is running Linux.

By the way, a port scan of my HMT350 reveals that the telnet and the sunrpc ports are open. Telnetting to the HMT350 gives a second clue that the thing is running Linux. The password is unknown, but that is what we will fix with our firmware hack. How dare the vendor/manufacturer run an open telnet port on that thing with an unknown password.

Back to the USB ...

Check if the Linux-USB File Storage Gadget already has a file system on it. Mine didn't. It just had some random junk on it, including something that looked like fragments of a Windows program. If you don't have a file system, figure out the device and format it. If you care, create a backup of the junk before formatting.

Code:
   dd if=/dev/sd... of=hmt350-storage.img
   mkdosfs -I -F 32 /dev/sd...

Just for fun, copy an image or a media file to the new disk, unmount it, unplug the HMT350 from USB, power it via the power supply, go to the Local Play menu, select the internal disk, and then the file.

We will need that internal disk to initiate a firmware update from the disk, as opposed to one from the Internet. For that we need a special firmware update, and for that we rework an existing firmware update, which we first need to get from the HMT350's firmware download site.

Figuring out the download site

Do a firmware update over the Internet. While doing so, record the IP address / domain name the thing goes to.

If you can get a packet sniffer between your AP and your Internet modem use it to sniff the complete conversation to figure out where the new firmware finally comes from.

If you can't, just record the IP address, e.g. from your router's NAT table. Then reconfigure your home network so you can give your own PC that IP address and packet-sniff on your own PC. Either set up a web server or a dummy receiver (netcat -l) to see the requests from the radio.

I found my radio initiates a firmware update via the following GET request to 202.155.201.93:8080

Code:
   GET /iRadio168/update.jsp?model=KMP510.0%20hmt350&type=RM001&fw=V1.8 HTTP/1.1
   Host:www.iradio168.com:8080
   User-Agent:MPlayer/1.0rc2-4.1.2

The response is not the firmware, but some XML code with the firmware location. In my case:

Code:
   <xml version="1.0" encoding="UTF-8"?>
   <Result>
     <Value>2</Value>
     <Url>http://www.iradio168.com:8080/iRadio168_All/xoro/update-firmware.bin</Url>
     <MD5>bbb3833cbbf3eb8a8203d8b6960</MD5>
   </Result>

Get the firmware update and unpack it

Download the firmware update from the location you just found. In my case it was

Code:
   http://www.iradio168.com:8080/iRadio168_All/xoro/update-firmware.bin

Unpack the file:

Code:
   mkdir fw
   cd fw
   tar xvfz ../update-firmware.bin
   mkdir root
   cd root
   tar xvfz ../update-files.tar.gz

Update the password file

Let's see if we have hit the jackpot:

Code:
   cd etc
   cat passwd

The output should be something like

Code:
   root:<passwd checksum>:0:0:root:/:/bin/sh

BINGO! We struck gold. The password file, with the password, which is between us and being able to enjoy the GPLed Linux on our HMT350.

I didn't bother to crack the password. I simply replaced it. My device, my network, my rights under the GPL, my password. You get the idea.

Generate a password checksum for your own password:

Code:
   # the original post had a typo here ("mf5"); the method is md5
   mkpasswd -m md5

Replace the original checksum in the passwd file with the one you just generated for your own password.

Create your own update firmware

Repack the whole firmware update with the updated passwd file:

Code:
   cd ..
   rm ../update-files.tar.gz
   tar cvfz ../update-files.tar.gz .
   cd ..
   mv ../update-firmware.bin ../update-firmware.bin.original
   # exclude the unpacked root/ tree (GNU tar), otherwise it ends up inside
   # the new bundle next to the repacked update-files.tar.gz
   tar cvfz ../update-firmware.bin --exclude=./root .

Update the Radio

Plug the radio in via USB. Mount the radio's flash drive. Copy the just generated update-firmware.bin to the top level directory of the flash drive. Unmount the radio's flash drive.

Now it gets exciting. Power the radio via the power supply. Go to the Settings menu. Select firmware update, select the internal flash drive as source, and perform the update.

If the HMT350 is still alive after the update, telnet into it and have fun with your Linux.

Random Details

Unfortunately the radio application is a proprietary monolithic application (but calls free software). So it will require some work replacing that application with something that uses reasonable station lists. There is also a bunch of proprietary device drivers, tainting the kernel.

The thing uses busybox for most of the typical userland programs, which is typical for an embedded Linux. The CPU is a Chinese Ingenic JC4755 (two cores, one for media processing, one for the normal Linux, MIPS instruction set. I have no idea if they licensed the MIPS core or "reinvented" it). The display is a framebuffer device (you didn't expect X11, did you?  :)). The FM radio is a RDK580E. The WLAN chip is an Atheros AR6102G.

The flash is divided into ten sections, some permanently mounted under /mnt, the others can be mounted there. You will find things like the favorite list and the wlan configuration on the flash drives. Nbr. 9, by the way, is the flash drive you just formatted.

The mystery connections

During network sniffing I saw that the HMT350 attempted to connect to 192.168.1.222:6888. Now, 192.168.1.222 is an IP address in a private network, but not my private network. 6888 is a port commonly used by some fucking file sharing software. I have no idea what on earth the HMT350 is trying to do.

I have also no idea why they run the Sun rpc portmapper. There is some hint about an attempt to mount network drives via NFS (which AFAIK requires the portmapper). But what on earth do they want to do with those drives?

As far as I could see, the thing contains complete PPPoE software which one would need to talk to some DSL modems. I have no idea why they have it, because that isn't needed when you have an AP. And an AP you have, because the only network interface is via WLAN.

There is a web server binary on the HMT350, but the web server is not started and there is no content. The UPnP software is proprietary and sets up its own separate webserver.

There is a proprietary touchscreen library on that thing. The HMT350 doesn't have a touchscreen. Maybe other radios have.
« Last Edit: January 15, 2011, 11:27:07 am by BoredAtWork »
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
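The unpack / edit passwd / repack steps from the post, as an added example in Python (this is not the poster's code and not anything shipped with the radio). It assumes only the bundle layout the tar commands above imply: update-firmware.bin is a gzipped tar holding update-files.tar.gz, which holds the root filesystem with etc/passwd; every other member of either tarball is copied through unchanged. NEW_HASH is a constructed stand-in for what mkpasswd would print, and the bundle the script builds for itself is constructed. It also computes the MD5 of the rebuilt bundle because the update.jsp reply advertises one; the post does not say where, if anywhere, the radio checks it. That is the security-relevant point the script makes concrete: a bundle fetched over plain HTTP and described only by an MD5 can be rebuilt by whoever answers for the update host, which is why update bundles should be signed and the signature verified on the device before flashing.

```python
# Added example (not the forum author's code): repack an HMT350-style firmware
# bundle in Python rather than by hand with tar.  Assumed layout, which is what
# the post's unpack steps imply and nothing more: a gzipped tar holding
# update-files.tar.gz, which holds the root filesystem with etc/passwd.
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed md5-crypt-shaped stand-in for "mkpasswd -m md5" output; not a real hash.
NEW_HASH = "$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv"

def md5_of(path):
    # Hex MD5 of a file: the only integrity value the update.jsp reply carries.
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def _member(tar, suffix):
    # First regular file whose name ends with suffix ('tar cvfz .' stores './etc/passwd').
    for m in tar.getmembers():
        if m.isfile() and m.name.endswith(suffix):
            return m
    raise FileNotFoundError(suffix)

def _copy_tar(src_bytes, rewrite):
    # Copy a gzipped tar member by member; rewrite(name, data) may return new
    # contents for a regular file, everything else (dirs, links, modes) is kept.
    buf = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=buf, mode="w:gz") as dst:
        for m in src.getmembers():
            data = src.extractfile(m).read() if m.isfile() else None
            if data is not None:
                data = rewrite(m.name, data)
                m.size = len(data)
            dst.addfile(m, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()

def _rewrite_passwd(data, new_hash):
    # Replace only the hash field of the root line; all other lines stay verbatim.
    out = []
    for line in data.decode().splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            fields[1] = new_hash
        out.append(":".join(fields))
    return ("\n".join(out) + "\n").encode()

def inner_file(bundle_path, suffix):
    """Bytes of one file from the root filesystem nested inside the bundle."""
    with tarfile.open(bundle_path, "r:gz") as outer:
        inner = outer.extractfile(_member(outer, "update-files.tar.gz")).read()
    with tarfile.open(fileobj=io.BytesIO(inner), mode="r:gz") as fs:
        return fs.extractfile(_member(fs, suffix)).read()

def root_hash(bundle_path):
    """The root password hash recorded in the bundle's etc/passwd."""
    for line in inner_file(bundle_path, "etc/passwd").decode().splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            return fields[1]
    raise ValueError("no root entry in etc/passwd")

def set_root_hash(bundle_in, bundle_out, new_hash):
    """Write a copy of the bundle giving root new_hash; return the copy's MD5."""
    def inner(name, data):
        return _rewrite_passwd(data, new_hash) if name.endswith("etc/passwd") else data
    def outer(name, data):
        return _copy_tar(data, inner) if name.endswith("update-files.tar.gz") else data
    with open(bundle_in, "rb") as f:
        rebuilt = _copy_tar(f.read(), outer)
    with open(bundle_out, "wb") as f:
        f.write(rebuilt)
    return md5_of(bundle_out)

def make_sample_bundle(workdir, passwd_text):
    """Constructed stand-in for update-firmware.bin with the assumed layout."""
    def add(tar, name, data):
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as t:
        add(t, "./etc/passwd", passwd_text.encode())
        add(t, "./etc/hostname", b"hmt350\n")
    path = os.path.join(workdir, "update-firmware.bin")
    with tarfile.open(path, "w:gz") as t:
        add(t, "./update-files.tar.gz", inner.getvalue())
    return path

def demo():
    # Whole flow on the constructed bundle; reports what changed and what did not.
    workdir = tempfile.mkdtemp()
    old = "root:$1$oldsaltx$OldHashAsShippedOnTheDevice:0:0:root:/:/bin/sh\n"
    original = make_sample_bundle(workdir, old)
    patched = os.path.join(workdir, "update-firmware.patched.bin")
    new_md5 = set_root_hash(original, patched, NEW_HASH)
    return {"old_hash": root_hash(original), "new_hash": root_hash(patched),
            "hostname_kept": inner_file(patched, "etc/hostname") == b"hmt350\n",
            "md5_changed": new_md5 != md5_of(original)}

if __name__ == "__main__":
    print(demo())
```

To use it on a real bundle, call set_root_hash("update-firmware.bin", "update-firmware.new.bin", hash_from_mkpasswd); root_hash() on the result lets you confirm the edit before copying the file to the radio's flash drive.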
 

Offline Polossatik

  • Frequent Contributor
  • **
  • Posts: 295
  • Country: be
Re: Hacking the HMT350 Internet Radio
« Reply #1 on: January 15, 2011, 12:29:40 pm »
wow, that is one ugly "radio"...
I hope you got it free or won it in a raffle :)

I think the Ingenic JC4755 should be Ingenic JZ4755 , family of the cpu used in the dingo http://www.dingux.com/
Real Circuit design time in minutes= (2 + Nscopes) Testim + (40 +120 Kbrewski) Nfriends

Testim = estimated time in minutes Nscopes= number of oscilloscopes present Kbrewski = linear approx of the nonlinear beer effect Nfriends = number of circuit design friends present
 

Offline eva.luation

  • Newbie
  • Posts: 1
Re: Hacking the HMT350 Internet Radio
« Reply #2 on: January 28, 2011, 06:53:13 pm »
Hi,

I recently bought an "Archos Arnova Web Radio & TV" and, searching for tips & tricks about the device, I found your article here.
And I was very angry when I found out that (at this time) even Archos itself did not mention the thing on their own website. Now it is mentioned, but there are no downloads and no firmware update available.
Thus I decided to send the thing back to the seller.

But what is this: telnet-port is open and root-user has no password?!?!

Since then I have tried to optimize things in the Linux background in order to overcome the suboptimal handling of the user interface.
While tracing the Internet communication I found out that iradio168.com seems to be the central server providing the structures of Internet TV, Internet radio and podcasts.
But the content isn't well structured and the SHOUTcast function doesn't work at all.

Thinking about a solution I created the following idea:
What about starting httpd on the device and redirecting iradio168.com to localhost? Then I just have to implement a CGI which provides the needed Internet TV/radio/podcast structures and that's it.

Finally I managed to do this using httpd and a shell script which was mapped to the jsp extension (which is used by Arnova to communicate with iradio168.com). Now I can create my own structures, which are calculated on the device itself.

There is only one thing open and perhaps someone can give me a hint?

How can I automatically start a startup script which sets up /etc/hosts and the www root and starts httpd? Unfortunately after a reboot all my changes are overwritten by the factory default Linux.
The "rom"-linux seems to be stored in the MTD-devices but I can only mount mtd7-9.

So how can I safely make some minor changes to the flashed Linux in order to start a script from the internal memory? Any suggestions?

Greetings
 Eva Luation :-)
 

Offline voyager

  • Newbie
  • Posts: 1
Re: Hacking the HMT350 Internet Radio
« Reply #3 on: March 08, 2011, 09:42:38 am »
I got a similar device under the Envivio brand name. Unfortunately it has a big problem loading station lists.
It gets a time out and then hangs the device.

I found some firmware for the Mediabox 135 which is similar to the HMT350.
When I try to load that in my device it gives an "incorrect hardware" error.
I modified the “update-script” file to reflect the correct hardware and changed the MD5 as well.
Now it gives “file error” thus I must have missed something that should be changed as well.
Do you guys know where I can find firmware files for any other models?
« Last Edit: March 08, 2011, 10:18:33 am by voyager »
 