Reverse Engineering Asked by Blaine O on December 6, 2020
I have been trying to work out if it's possible to reverse engineer the firmware for the Aether Cone. This is a good sound quality Wi-Fi and Bluetooth speaker, but with Aether going bust, there is no support, only a final firmware that enabled Spotify.
What Information I currently know:
CPU MCIMX6L3DVN10AB Arm Cortex A9:
https://www.nxp.com/part/MCIMX6L3DVN10AB
Storage 4G Sandisk:
https://d3nevzfk7ii3be.cloudfront.net/igi/NYUMNKWYff1QtBte.huge
Board images:
https://www.ifixit.com/Guide/Aether+Cone+Speaker+Disassembly/102058
Firmware: This can be got from the GitHub page as a .morse file.
https://github.com/AetherThings/AetherCone/wiki
Investigation:
I have tried using binwalk to examine and extract the files but I have had limited success.
$ binwalk FRM000104.03.01.0013.morse
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
27842795 0x1A8D8EB StuffIt Deluxe Segment (data): f
30729686 0x1D4E5D6 MySQL MISAM compressed data file Version 7
57321984 0x36AAA00 POSIX tar archive, owner user name: "ader.img"
I have extracted the firmware to give this:
ls -larth _FRM000104.03.01.0013.morse-0.extracted/
total 29M
-rw-rw-r-- 1 500 501 27 Oct 2 2015 version.txt
-rw-rw-r-- 1 500 501 256 Oct 2 2015 signature.sha256
-rwxr-xr-x 1 500 501 12 Oct 2 2015 pre-inst.sh
-rwxr-xr-x 1 500 501 184 Oct 2 2015 post-inst.sh
-r--r----- 1 500 501 1.9K Oct 2 2015 cert.pem
-rw-rw-r-- 1 500 501 31 Oct 2 2015 bootloader.ver
-rw-rw-r-- 1 500 501 221K Oct 2 2015 bootloader.img
-rw-r--r-- 1 root root 29M Sep 8 08:06 1A8D8EB.sit
-rw-r--r-- 1 root root 231K Sep 8 08:07 36AAA00.tar
If I try and read these, there is nonsense. So I tried using strings, but I cannot get anything useful out of this:
# strings version.txt
# strings post-inst.sh
^ Gj
p8-wR
# strings pre-inst.sh
# strings signature.sha256
=DHri,
Z@pH
A9!J8a
# strings cert.pem
W69)
fPq2
:)M7
vj%<u
)s|5
];DE
OEFvD(
C"s6m
-T}1
Jjw-
FkY'
(Z4G
bf<`
]*$+
?j[
CVBG
p%XMi
|[q:
1nQ^
NAf&
' f&K
pt[679
# strings bootloader.ver
I would appreciate some assistance as I have definitely run out of ideas and talent now. My main aim would be to either get the root password, as SSH is open on the device, or be able to edit the firmware file to allow root so that I can update packages and hopefully keep this thing alive. People have had issues with the Spotify Connect plugin not working with more recent Spotify versions.
As my previous answer was deleted (I'm guessing because it was not an answer per se), I've got more of an answer for you.
The firmware does nothing to stop you from using UART to interact with it except require a login. Root login is enabled for such an endeavor and you already have the password in the buildroot.config file. From there you'll need to dig into the location of sshd_config, as I'm not sure it's in a standard place. Add a line in the Authentication section of the file that says "PermitRootLogin yes". Restart the SSH server with "service sshd restart".
The firmware has an interesting security feature, as it's using MetFS to encrypt the data. The password for this is also available on the device in the sysupdate script if you want to tinker with a firmware update to enable SSH or, when AirPlay 2 is available, go multi-room with a few of these speakers.
Answered by Fidget on December 6, 2020
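An added example, not part of the question or of either answer: one way to check whether extracted files such as version.txt or cert.pem are ciphertext (consistent with the encryption described above) rather than a damaged extraction, which would explain why strings prints nothing useful. The sample bytes are constructed stand-ins sized like the files in the listing, and the 0.95, 7.9 and 4096 thresholds are assumptions.

```python
import hashlib
import math
from collections import Counter

# Markers an unencrypted file of each type would start with.
EXPECTED_PREFIX = {".pem": b"-----BEGIN", ".sh": b"#!"}
TEXT_SUFFIXES = (".txt", ".ver", ".sh", ".pem")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return ok / len(data) if data else 1.0

def classify(name: str, data: bytes) -> str:
    suffix = name[name.rfind("."):] if "." in name else ""
    marker = EXPECTED_PREFIX.get(suffix)
    if marker and data.startswith(marker):
        return "plaintext"
    if suffix in TEXT_SUFFIXES:
        # Entropy is capped at log2(len), so a 12- or 27-byte file can never
        # look random; judge short text files by printability instead.
        return "plaintext" if printable_ratio(data) > 0.95 else "ciphertext-like"
    if len(data) >= 4096 and shannon_entropy(data) > 7.9:
        return "ciphertext-like"  # encrypted or compressed; entropy can't tell
    return "inconclusive"

def fake_ciphertext(size: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted bytes (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]

# Constructed samples sized like the files in the listing above.
SAMPLES = {
    "version.txt": fake_ciphertext(27, b"v"),
    "pre-inst.sh": fake_ciphertext(12, b"p"),
    "cert.pem": fake_ciphertext(1900, b"c"),
    "bootloader.img": fake_ciphertext(221 * 1024, b"b"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {len(data):7} {shannon_entropy(data):5.2f} {classify(name, data)}")
```

To run it against a real extraction, replace SAMPLES with the bytes read from each extracted file.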
My findings on the OpenWrt forum: https://forum.openwrt.org/t/aether-cone-good-device-for-hacking/73890 Also, a link to the update script, which can be helpful to see how to decode the firmware from GitHub: https://pastebin.com/SXASpfnX
Answered by Daniel Kukula on December 6, 2020