This is a rough sketch about hacking the HMT350 Internet radio. It might or might not work. It also might or might not work for the Xenta KMP510, Disgo TV Go, Corbell Cayenne Funbox, or Arnova. Further, the operating system mentions configurations like "Foxmann", "Inprice", "Ion", "Kjell", "Linepro", "Otek", and "Pearl".
Warnings
First, a number of warnings:
It might be illegal in your country. I live in a jurisdiction where reverse engineering is legal. I worked with equipment I fully own and that is my property. I only sniffed network traffic on my home network, which I fully own and is my property; it was my own network traffic, and the network was not shared with others at that time.
This can kill your Internet radio. I killed one in the process.
You can kill your PC. I didn't.
You can kill your network. I didn't.
This requires some clue. If you are the hackaday or instructable type of fanboy, busy scratching your private parts and shouting "awesome" when you see a blinking LED, doing weed, or thinking the Arduino is god's gift to embedded programming, you probably don't have the required clue.
I don't plan to write more than what is written here. If you don't get it or need hand-holding, see the previous warning. Let me repeat that: I don't plan to write more than what is written here.
This is not a description. It is a collection of hints, with errors and omissions. It was written in a hurry. Use at your own risk.
About the HMT350
In my opinion the HMT350 is a mediocre Internet radio. It looks fucking ugly. Its radio-station lists and "TV"-station lists are badly administered. I don't need that many Chinese propaganda stations, while there are barely any stations in my native language that I find useful. SHOUTcast didn't work at all. I can't recommend it as an Internet radio. And I don't recommend buying one just to hack it. But if you have one sitting idle, can afford to lose it, and if you have a clue ...
Because of the stupid station list I went out to figure out where that thing gets its radio station list from - and I found something different:
The HMT350 runs an embedded Linux.
Looking at my HMT350, the user manual and the packaging that came with it, I could not find the complete source code included as required by the GPL, or a written offer of how to get it, or a copy of the GPL stating my rights. I am sure the supplier/distributor/vendor/retailer just forgot to provide a copy of the GPL and the source code ... Yeah, sure ...
[Note: Some fragments of the code can be found on the processor manufacturer's web site. In my layman's view (I am not a lawyer) this might not be sufficient, but hey, I am sure everything is fine with the copyright. Yeah, sure ...]
There are a few preparations to be done to make it possible to hack the HMT350.
* Getting the internal flash disk configured. Some models or some series might have that already configured. If not, set it up as described later. That is needed to do a firmware update from the flash disk instead of via the Internet.
* Figure out the download site. It was my original intention to find the station list download site. In the end I found the firmware update site, too. We will need this firmware update in the process.
Experienced people probably already know where this is heading. We will prepare a special firmware update and deploy it to hack into the HMT350.
Setting up the internal flash disk
Instead of using the USB socket for the power supply, plug the HMT350 into the USB bus of your PC. I recommend you use a self-powered USB hub to make sure the HMT350 gets enough power.
lsusb should show something like
Netchip Technology, Inc. Linux-USB File Storage Gadget
This is a first hint that the thing is running Linux.
By the way, a port scan of my HMT350 reveals that the telnet and the sunrpc ports are open. Telnetting to the HMT350 gives a second clue that the thing is running Linux. The password is unknown, but that is what we will fix with our firmware hack. How dare the vendor/manufacturer run an open telnet port on that thing with an unknown password.
Back to the USB ...
Check if the Linux-USB File Storage Gadget already has a file system on it. Mine didn't. It just had some random junk on it, including something that looked like fragments of a Windows program. If you don't have a file system, figure out the device and format it. If you care, create a backup of the junk before formatting.
dd if=/dev/sd... of=hmt350-storage.img
mkdosfs -I -F 32 /dev/sd...
Just for fun, copy an image or a media file to the new disk, unmount it, unplug the HMT350 from USB, power it via the power supply, go to the Local Play menu, select the internal disk, and then the file.
We will need that internal disk to initiate a firmware update from the disk, as opposed to one from the Internet. For that we need a special firmware update, and for that we rework an existing firmware update, which we first need to get from the HMT350's firmware download site.
Figuring out the download site
Do a firmware update over the Internet. While doing so, record the IP address / domain name where the thing goes to.
If you can get a packet sniffer between your AP and your Internet modem use it to sniff the complete conversation to figure out where the new firmware finally comes from.
If you can't, just record the IP address, e.g. from your router's NAT table. Then reconfigure your home network so you can give your own PC that IP address, and you can packet-sniff on your own PC. Either set up a web server or a dummy receiver (netcat -l) to see the requests from the radio.
I found that my radio initiates a firmware update via the following GET request to 202.155.201.93:8080:
GET /iRadio168/update.jsp?model=KMP510.0%20hmt350&type=RM001&fw=V1.8 HTTP/1.1
Host:www.iradio168.com:8080
User-Agent:MPlayer/1.0rc2-4.1.2
The response is not the firmware, but some XML code with the firmware location. In my case:
<xml version="1.0" encoding="UTF-8"?>
<Result>
<Value>2</Value>
<Url>http://www.iradio168.com:8080/iRadio168_All/xoro/update-firmware.bin</Url>
<MD5>bbb3833cbbf3eb8a8203d8b6960</MD5>
</Result>
Get the firmware update and unpack it
Download the firmware update from the location you just found. In my case it was
http://www.iradio168.com:8080/iRadio168_All/xoro/update-firmware.bin
Unpack the file
mkdir fw
cd fw
tar xvfz ../update-firmware.bin
mkdir root
cd root
tar xvfz ../update-files.tar.gz
Update the password file
Let's see if we have hit the jackpot:
cd etc
cat passwd
The output should be something like
root:<passwd checksum>:0:0:root:/:/bin/sh
BINGO! We struck gold. The password file, with the password that is all that stands between us and being able to enjoy the GPLed Linux on our HMT350.
I didn't bother to crack the password. I simply replaced it. My device, my network, my rights under the GPL, my password. You get the idea.
Generate a password checksum for your own password:
mkpasswd -m md5
Replace the original checksum in the passwd file with the one you just generated for your own password.
Create your own update firmware
Repack the whole firmware update with the updated passwd file. The unpacked root directory must not end up inside the new update-firmware.bin (the original bundle did not contain it), so exclude it when packing the outer archive:
cd ..
rm ../update-files.tar.gz
tar cvfz ../update-files.tar.gz .
cd ..
mv ../update-firmware.bin ../update-firmware.bin.original
tar cvfz ../update-firmware.bin --exclude=./root .
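As an added example (not code from this writeup, and not the vendor's), here is the unpack / edit passwd / repack procedure above as one shell script, run against a constructed sample bundle so it works offline. It assumes the bundle layout described above: update-firmware.bin is a gzipped tar containing update-files.tar.gz, which holds the root tree with etc/passwd at its top level. The sample passwd lines, the placeholder hash standing in for the mkpasswd output, and the helper names are all mine. It keeps the unpacked tree in its own directory so that it cannot end up inside the rebuilt bundle, and reads the hash back out of the result to check that the edit actually took before anything goes near the radio.

```shell
#!/bin/sh
# Added example, not code from the original writeup: rebuild an
# update-firmware.bin with the root password hash replaced, run against a
# constructed sample bundle so it works offline. Assumed layout:
# update-firmware.bin (tar.gz) -> update-files.tar.gz (tar.gz) -> root tree
# with etc/passwd at its top level.
set -eu

# Build a stand-in for the downloaded bundle (constructed sample, not real
# vendor firmware). $1 = absolute output path.
make_sample_bundle() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/etc" "$work/bundle"
    # Two constructed passwd lines in the shape the writeup shows; the hash is a dummy.
    printf 'root:$1$dummysalt$dummyhash000000000000:0:0:root:/:/bin/sh\n' > "$work/tree/etc/passwd"
    printf 'nobody:x:99:99:nobody:/:/bin/false\n' >> "$work/tree/etc/passwd"
    ( cd "$work/tree" && tar -czf "$work/bundle/update-files.tar.gz" . )
    ( cd "$work/bundle" && tar -czf "$1" . )
    rm -rf "$work"
}

# Replace only the hash field of the root line; every other line is left alone,
# so the other accounts and the seven-field layout survive untouched.
# $1 = passwd file, $2 = new crypt(3) hash (e.g. the line mkpasswd -m md5 prints).
set_root_hash() {
    awk -v h="$2" 'BEGIN { FS = OFS = ":" } $1 == "root" { $2 = h } { print }' \
        "$1" > "$1.new"
    mv "$1.new" "$1"
}

# Unpack the bundle, patch passwd, repack. The unpacked tree lives in its own
# directory, so it cannot end up inside the rebuilt outer bundle by accident.
# $1 = original bundle, $2 = new root hash, $3 = absolute output path.
rework_firmware() {
    fw=$(mktemp -d)
    tree=$(mktemp -d)
    tar -xzf "$1" -C "$fw"
    tar -xzf "$fw/update-files.tar.gz" -C "$tree"
    set_root_hash "$tree/etc/passwd" "$2"
    rm "$fw/update-files.tar.gz"
    ( cd "$tree" && tar -czf "$fw/update-files.tar.gz" . )
    ( cd "$fw" && tar -czf "$3" . )
    rm -rf "$fw" "$tree"
}

# Read the root hash back out of a bundle, to confirm the rework took.
# $1 = bundle; prints the hash field of the root line.
root_hash_in_bundle() {
    d=$(mktemp -d)
    tar -xzf "$1" -C "$d"
    tar -xzf "$d/update-files.tar.gz" -C "$d"
    awk -F: '$1 == "root" { print $2 }' "$d/etc/passwd"
    rm -rf "$d"
}

# Count members of the outer bundle matching a pattern, e.g. to check that the
# unpacked tree did not leak into it. $1 = bundle, $2 = grep pattern.
count_members() {
    tar -tzf "$1" | grep -c -- "$2" || true
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp -d)
make_sample_bundle "$demo/update-firmware.bin"
# Placeholder hash; in practice use the string mkpasswd -m md5 prints for your password.
new_hash='$1$examplesalt$examplehash0000000000000'
rework_firmware "$demo/update-firmware.bin" "$new_hash" "$demo/update-firmware.new.bin"
echo "root hash before: $(root_hash_in_bundle "$demo/update-firmware.bin")"
echo "root hash after:  $(root_hash_in_bundle "$demo/update-firmware.new.bin")"
echo "passwd files in the outer bundle: $(count_members "$demo/update-firmware.new.bin" 'etc/passwd')"
rm -rf "$demo"
```

Run it with sh. For the real thing, swap the placeholder hash for the line mkpasswd -m md5 prints and point rework_firmware at the downloaded bundle and an output path of your choice. The read-back check is the part worth keeping: the radio's updater takes whatever it finds on the flash drive, so a botched passwd edit only shows up when telnet refuses the login, or not at all if the update kills the device.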
Update the Radio
Plug the radio in via USB. Mount the radio's flash drive. Copy the just generated update-firmware.bin to the top-level directory of the flash drive. Unmount the radio's flash drive.
Now it gets exciting. Power the radio via the power supply. Go to the Settings menu. Select firmware update, select the internal flash drive as source, and perform the update.
If the HMT350 is still alive after the update, telnet into it and have fun with your Linux.
Random Details
Unfortunately the radio application is a proprietary monolithic application (but it calls free software). So it will require some work to replace that application with something that uses reasonable station lists. There is also a bunch of proprietary device drivers, tainting the kernel.
The thing uses busybox for most of the typical userland programs, which is typical for an embedded Linux. The CPU is a Chinese Ingenic JZ4755 (two cores, one for media processing and one for the normal Linux; MIPS instruction set, and I have no idea if they licensed the MIPS core or "reinvented" it). The display is a framebuffer device (you didn't expect X11, did you?). The FM radio is a RDK580E. The WLAN chip is an Atheros AR6102G.
The flash is divided into ten sections, some permanently mounted under /mnt; the others can be mounted there. You will find things like the favorites list and the WLAN configuration on those flash drives. Number 9, by the way, is the flash drive you just formatted.
The mystery connections
During network sniffing I saw that the HMT350 attempted to connect to 192.168.1.222:6888. Now, 192.168.1.222 is an IP address in a private network, but not my private network. 6888 is a port commonly used by some fucking file sharing software. I have no idea what on earth the HMT350 is trying to do.
I also have no idea why they run the Sun RPC portmapper. There is some hint of an attempt to mount network drives via NFS (which AFAIK requires the portmapper). But what on earth do they want to do with those drives?
As far as I could see, the thing contains complete PPPoE software, which one would need to talk to some DSL modems. I have no idea why they have it, because that isn't needed when you have an AP. And an AP you have, because the only network interface is via WLAN.
There is a web server binary on the HMT350, but the web server is not started and there is no content. The UPnP software is proprietary and sets up its own separate webserver.
There is a proprietary touchscreen library on that thing. The HMT350 doesn't have a touchscreen. Maybe other radios have.