Onkyo TX-NR656 hacking - firmware decoding


Since writing my earlier post about TX-NR656 hacking, Onkyo has fixed the most blatant issue: an open ssh port with a known password.

So recent receivers can no longer be trivially accessed, as ssh is no longer available.
The password has also been changed.

Still, the Onkyo receivers are very leaky... e.g. this URL will show you your configured wifi passwords:

http://[your receiverip]:8080/..%2f..%2f..%2f..%2f..%2f..%2fmedia/settings/settings/network/profile

While the web interface is still leaky, I wanted an easy way to explore the file system.
For this I needed simple access to the file system itself.

This can be done by taking a firmware image and mounting the file system it contains.
The firmware can be downloaded from the Onkyo website. That file, however, cannot be read directly: it is encrypted.


Decrypt the firmware 

Compile https://gist.github.com/marcelrv/4edcad9b63b34e1c30ac5758cc88ba9c

Note: this is a fixed version of the original posted at http://divideoverflow.com/2014/04/decrypting-onkyo-firmware-files (all credits to vZ@divideoverflow.com for writing it).

After it is compiled, unzip the firmware and simply execute `./onkyo-dec` in the firmware folder.

It creates an `extracted` folder with the output files.

Get the decoded content and see what's there

```
$ file *
of0:                                 empty
of1.ONKAVR001F_E70000EAEAEOEO.hdr:   data
of2.ONKAVR001F_E70000EAEAEOEO.EA107: data
of2.ONKAVR001F_E70000EAEAEOEO.EA109: data
of2.ONKAVR001F_E70000EAEAEOEO.hdr:   data
of3.AM335XEO_010203040506.03296:     data
of3.AM335XEO_010203040506.04296:     u-boot legacy uImage, Linux-3.19.0, Linux/ARM, OS Kernel Image (Not compressed), 4625424 bytes, Tue Feb 12 03:24:24 2019, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x01BD6550, Data CRC: 0x8D747944
of3.AM335XEO_010203040506.05296:     Linux Compressed ROM File System data, little endian size 61440 version #2 sorted_dirs CRC 0x61c58604, edition 0, 58 blocks, 8 files
of3.AM335XEO_010203040506.07296:     UBI image, version 1
of3.AM335XEO_010203040506.hdr:       data
of3.ONKAVR001F_E70000EAEAEOEO.hdr:   data
of4.ONKAVR001F_E70000EAEAEOEO.EO211: data
of4.ONKAVR001F_E70000EAEAEOEO.hdr:   data
```


The root file system seems to be in of3.AM335XEO_010203040506.07296, the UBI image. blkid confirms this:

```
$ blkid of3.AM335XEO_010203040506.07296
of3.AM335XEO_010203040506.07296: UUID="152348150" TYPE="ubi"
```


Now we need to mount this.

First look at the raw structure to confirm it is UBI and that the VID header offset is indeed 2048: the erase-counter header (`UBI#`) sits at offset 0, the volume-ID header (`UBI!`) at 0x800 = 2048, and the volume table with the `rootfs` name at 0x1000.

```
$ hexdump of3.AM335XEO_010203040506.07296 -C | head -n 30
00000000  55 42 49 23 01 00 00 00  00 00 00 00 00 00 00 00  |UBI#............|
00000010  00 00 08 00 00 00 10 00  09 14 a5 f6 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 5b 78 84 d4  |............[x..|
00000040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000800  55 42 49 21 01 01 00 05  7f ff ef ff 00 00 00 00  |UBI!............|
00000810  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000830  00 00 00 00 00 00 00 00  00 00 00 00 b8 25 64 a8  |.............%d.|
00000840  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00001000  00 00 03 95 00 00 00 01  00 00 00 00 01 00 00 06  |................|
00001010  72 6f 6f 74 66 73 00 00  00 00 00 00 00 00 00 00  |rootfs..........|
00001020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001090  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000010a0  00 00 00 00 00 00 00 00  69 d9 4a a6 00 00 00 00  |........i.J.....|
000010b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
```
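Rather than reading the 2048 off the hexdump by eye, the UBI headers can be parsed directly. The script below is an added example written for this page (it is not code from the post, from Onkyo, or from mtd-utils): it decodes the erase-counter header, the volume-ID header and the volume table following the kernel's `struct ubi_ec_hdr`, `ubi_vid_hdr` and `ubi_vtbl_record` layouts, and reports the values the mount steps need: the `-O` offset for ubiformat/ubiattach, the PEB size for the NAND simulator, and the volume name that ends up as `/dev/ubi0_0`. Its sample input is constructed from the bytes in the hexdump above (only the first volume-table record is reproduced); the 128 KiB PEB size of that sample is an assumption taken from the ubiformat output further down.

```python
"""Parse on-flash UBI structures (EC header, VID header, volume table).

Added example for this page, not code from the post. Field layouts follow
the Linux kernel's struct ubi_ec_hdr, ubi_vid_hdr and ubi_vtbl_record,
which are all big-endian.
"""
import struct
import zlib

EC_HDR_FMT = ">4sB3xQIII32xI"           # 64 B: magic, version, ec, vid_hdr_offset, data_offset, image_seq, crc
VID_HDR_FMT = ">4sBBBBII4xIIII4xQ12xI"  # 64 B: magic, version, vol_type, copy_flag, compat, vol_id, lnum, ...
VTBL_REC_FMT = ">IIIBBH128sB23xI"       # 172 B: reserved_pebs, alignment, data_pad, vol_type, upd_marker, name_len, name, flags, crc
UBI_LAYOUT_VOLUME_ID = 0x7FFFEFFF       # internal volume that stores the volume table
SAMPLE_PEB_SIZE = 128 * 1024            # assumption for the constructed sample only


def ubi_crc32(buf: bytes) -> int:
    """UBI's CRC32: seed 0xFFFFFFFF, no final inversion (kernel crc32_le)."""
    return zlib.crc32(buf) ^ 0xFFFFFFFF


def parse_ec_header(img: bytes, off: int = 0) -> dict:
    """Erase-counter header ('UBI#') found at the start of every physical eraseblock."""
    magic, version, ec, vid_off, data_off, image_seq, crc = struct.unpack_from(EC_HDR_FMT, img, off)
    if magic != b"UBI#":
        raise ValueError("no EC header at 0x%x" % off)
    return {"version": version, "erase_count": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": image_seq,
            "crc_ok": crc == ubi_crc32(bytes(img[off:off + 60]))}


def parse_vid_header(img: bytes, off: int) -> dict:
    """Volume-ID header ('UBI!'): which volume and logical eraseblock this PEB holds."""
    (magic, version, vol_type, copy_flag, compat, vol_id, lnum, data_size,
     used_ebs, data_pad, data_crc, sqnum, crc) = struct.unpack_from(VID_HDR_FMT, img, off)
    if magic != b"UBI!":
        raise ValueError("no VID header at 0x%x" % off)
    return {"version": version, "vol_type": "dynamic" if vol_type == 1 else "static",
            "copy_flag": copy_flag, "compat": compat, "vol_id": vol_id, "lnum": lnum,
            "data_size": data_size, "used_ebs": used_ebs, "data_pad": data_pad,
            "data_crc": data_crc, "sqnum": sqnum,
            "is_layout_volume": vol_id == UBI_LAYOUT_VOLUME_ID,
            "crc_ok": crc == ubi_crc32(bytes(img[off:off + 60]))}


def parse_vtbl_records(img: bytes, off: int) -> list:
    """Volume table inside the layout volume; stops at the first unused record."""
    vols = []
    rec_size = struct.calcsize(VTBL_REC_FMT)
    for vol_id in range(128):  # UBI_MAX_VOLUMES
        start = off + vol_id * rec_size
        (reserved, align, data_pad, vol_type, upd_marker,
         name_len, name, flags, crc) = struct.unpack_from(VTBL_REC_FMT, img, start)
        if reserved == 0:  # unused record: no PEBs reserved
            break
        vols.append({"vol_id": vol_id, "reserved_pebs": reserved, "alignment": align,
                     "data_pad": data_pad, "upd_marker": upd_marker,
                     "vol_type": "dynamic" if vol_type == 1 else "static",
                     "name": name[:name_len].decode("ascii"),
                     "autoresize": bool(flags & 1),  # UBI_VTBL_AUTORESIZE_FLG
                     "crc_ok": crc == ubi_crc32(bytes(img[start:start + rec_size - 4]))})
    return vols


def find_peb_size(img: bytes, step: int) -> int:
    """PEB size = distance to the next 'UBI#' magic, scanning one page at a time."""
    for off in range(step, len(img) - 4, step):
        if img[off:off + 4] == b"UBI#":
            return off
    raise ValueError("image contains only one PEB")


def describe_image(img: bytes) -> dict:
    """Collect the values the mount steps in the post need from the raw image."""
    ec = parse_ec_header(img, 0)
    vid = parse_vid_header(img, ec["vid_hdr_offset"])
    vols = parse_vtbl_records(img, ec["data_offset"]) if vid["is_layout_volume"] else []
    return {"ubiattach_O": ec["vid_hdr_offset"],                   # the -O value
            "min_io_size": ec["data_offset"] - ec["vid_hdr_offset"],  # usual layout: VID header fills one page
            "peb_size": find_peb_size(img, ec["vid_hdr_offset"]),
            "blkid_uuid": str(ec["image_seq"]),                    # blkid prints image_seq in decimal as UUID
            "volumes": vols, "ec": ec, "vid": vid}


def build_sample_image() -> bytes:
    """Constructed sample: PEB 0 reproduces the hexdump bytes from the post (EC header,
    layout-volume VID header, first volume-table record, zero-filled rest of the table),
    followed by an identical PEB so the PEB size can be measured. Everything else is 0xff."""
    ec = (bytes.fromhex("55424923" "01" "000000" "0000000000000000" "00000800" "00001000" "0914a5f6")
          + bytes(32) + bytes.fromhex("5b7884d4"))
    vid = (bytes.fromhex("55424921" "01010005" "7fffefff" "00000000")
           + bytes(44) + bytes.fromhex("b82564a8"))
    rec = (bytes.fromhex("00000395" "00000001" "00000000" "01" "00" "0006")
           + b"rootfs".ljust(128, b"\0") + b"\x01" + bytes(23) + bytes.fromhex("69d94aa6"))
    peb = bytearray(b"\xff" * SAMPLE_PEB_SIZE)
    peb[0:64] = ec
    peb[0x800:0x840] = vid
    peb[0x1000:0x1000 + 128 * 172] = bytes(128 * 172)
    peb[0x1000:0x1000 + len(rec)] = rec
    return bytes(peb) * 2


if __name__ == "__main__":
    info = describe_image(build_sample_image())
    print("-O %d, PEB %d bytes, min I/O %d bytes, blkid UUID %s, EC crc ok: %s"
          % (info["ubiattach_O"], info["peb_size"], info["min_io_size"],
             info["blkid_uuid"], info["ec"]["crc_ok"]))
    for v in info["volumes"]:
        print("volume %d: %s (%s, %d PEBs reserved, autoresize=%s, crc ok: %s)"
              % (v["vol_id"], v["name"], v["vol_type"], v["reserved_pebs"], v["autoresize"], v["crc_ok"]))
```

Run against a real image, the `describe_image` result gives the `-O` value for ubiformat and ubiattach and the PEB size to ask nandsim for, and the `blkid_uuid` field is the same decimal image sequence number that blkid printed above. The `crc_ok` flags are a cheap way to notice a truncated or mis-decrypted image before any mount attempt.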

 

Mount the file. First load the NAND simulator with ID bytes that give a 128 MiB NAND with 2048-byte pages and 128 KiB eraseblocks (the geometry ubiformat reports below), then write the image into it using the VID header offset of 2048 found above:

```
$ modprobe nandsim first_id_byte=0x01 second_id_byte=0xf1 third_id_byte=0x80 fourth_id_byte=0x1d
$ ubiformat -O 2048 -f of3.AM335XEO_010203040506.07296 /dev/mtd0
ubiformat: mtd0 (nand), size 134217728 bytes (128.0 MiB), 1024 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 1023 -- 100 % complete
ubiformat: 1024 eraseblocks are supposedly empty
ubiformat: flashing eraseblock 715 -- 100 % complete
ubiformat: formatting eraseblock 1023 -- 100 % complete
```


Then load the UBI layer and attach the MTD device the image was written to (`-p` takes the MTD node, /dev/mtd0; the result is /dev/ubi0):

```
$ modprobe ubi
$ ubiattach -O 2048 -p /dev/mtd0
UBI device number 0, total 1024 LEBs (130023424 bytes, 124.0 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
$ ubinfo /dev/ubi0
ubi0
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     1024 (130023424 bytes, 124.0 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     1
Minimum input/output unit size:          2048 bytes
Character device major/minor:            247:0
Present volumes:                         0
```

 

```
$ mkdir onkyofs
$ mount -t ubifs /dev/ubi0_0 ./onkyofs
```


Now you can browse the file system from ./onkyofs.

To also mount the usr folder, which is otherwise missing:

```
$ mount ./onkyofs/home/root/usr.img ./onkyofs/usr
```

There is also the system.img, which contains the chromecast details. I don't know exactly where this is normally mounted:

```
$ mkdir systemimg
$ mount ./onkyofs/home/root/system.img ./systemimg
```



