TransWikia.com

Reverse Engineering Firmware Aether Cone

Reverse Engineering Asked by Blaine O on December 6, 2020

I have been trying to work out if it's possible to reverse engineer the firmware for the Aether Cone. This is a good sound quality Wi-Fi and Bluetooth speaker, but with Aether going bust, there is no support, only a final firmware that enabled Spotify.

What Information I currently know:

Investigation:
I have tried using binwalk to examine and extract the files but I have had limited success.

$ binwalk FRM000104.03.01.0013.morse

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
27842795      0x1A8D8EB       StuffIt Deluxe Segment (data): f
30729686      0x1D4E5D6       MySQL MISAM compressed data file Version 7
57321984      0x36AAA00       POSIX tar archive, owner user name: "ader.img"

I have extracted the firmware to give this:

ls -larth _FRM000104.03.01.0013.morse-0.extracted/
total 29M
-rw-rw-r--  1    500   501   27 Oct  2  2015 version.txt
-rw-rw-r--  1    500   501  256 Oct  2  2015 signature.sha256
-rwxr-xr-x  1    500   501   12 Oct  2  2015 pre-inst.sh
-rwxr-xr-x  1    500   501  184 Oct  2  2015 post-inst.sh
-r--r-----  1    500   501 1.9K Oct  2  2015 cert.pem
-rw-rw-r--  1    500   501   31 Oct  2  2015 bootloader.ver
-rw-rw-r--  1    500   501 221K Oct  2  2015 bootloader.img
-rw-r--r--  1    root  root 29M Sep  8 08:06 1A8D8EB.sit
-rw-r--r--  1    root  root 231K Sep 8 08:07 36AAA00.tar

If I try and read these, there is nonsense. So I tried using strings, but I cannot get anything useful out of this:

# strings version.txt
# strings post-inst.sh
    ^       Gj
    p8-wR
# strings pre-inst.sh
# strings signature.sha256
=DHri,
Z@pH
A9!J8a
# strings cert.pem
W69)
fPq2
:)M7
vj%<u
)s|5
];DE
OEFvD(
C"s6m
-T}1
Jjw-
FkY'
(Z4G
bf<`
]*$+
?j[
CVBG
p%XMi
|[q:
1nQ^
NAf&
' f&K
pt[679
# strings bootloader.ver

I would appreciate some assistance, as I have definitely run out of ideas and talent now. My main aim would be to either get the root password, as SSH is open on the device, or be able to edit the firmware file to allow root so that I can update packages and hopefully keep this thing alive; people have had issues with the Spotify Connect plugin not working with more recent Spotify versions.

2 Answers

As my previous answer was deleted (I'm guessing because it was not an answer per se), I've got more of an answer for you.

The firmware does nothing to stop you from using UART to interact with it except require a login. Root login is enabled for such an endeavor, and you already have the password in the buildroot.config file. From there you'll need to dig into the location of sshd_config, as I'm not sure it's in a standard place. Add a line in the Authentication section of the file that says "PermitRootLogin yes". Restart the SSH server with "service sshd restart".

The firmware has an interesting security feature, as it's using MetFS to encrypt the data. The password for this is also available on the device in the sysupdate script, if you want to tinker with a firmware update to enable SSH or, when AirPlay 2 is available, go multi-room with a few of these speakers.

Answered by Fidget on December 6, 2020
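A quick way to confirm from the extracted files themselves that they are encrypted rather than mis-extracted, as the answer above states. This is an added example, not code from either post or from the device's update script; the file names come from the listing in the question, while the thresholds and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# What each file from the question's listing would start with if stored in the clear.
EXPECTED_PREFIX = {"cert.pem": b"-----BEGIN", "pre-inst.sh": b"#!", "post-inst.sh": b"#!"}
TEXT_FILES = {"version.txt", "bootloader.ver"}

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled by the maximum possible for this length.

    A 12-byte file cannot exceed log2(12) = 3.58 bits/byte, so an unscaled
    threshold would misread tiny encrypted files as low-entropy text.
    """
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def triage(name: str, data: bytes) -> str:
    """Classify one extracted file; the thresholds are assumptions, not tuned values."""
    prefix = EXPECTED_PREFIX.get(name)
    if prefix is not None:
        return "plaintext" if data.startswith(prefix) else "not-plaintext"
    if name in TEXT_FILES:
        return "plaintext" if printable_ratio(data) > 0.95 else "not-plaintext"
    return "high-entropy" if normalized_entropy(data) > 0.9 else "structured"

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: chained SHA-256 output."""
    out, block = b"", b"constructed-sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

if __name__ == "__main__":
    samples = {  # constructed inputs, sized like the files in the listing
        "version.txt": pseudo_random(27),
        "cert.pem": pseudo_random(1900),
        "bootloader.img": pseudo_random(4096),
    }
    for name, data in samples.items():
        print(f"{name:16} {triage(name, data):14} H={normalized_entropy(data):.2f}")
```

High entropy alone does not separate compression from encryption; the prefix and printable-text checks are what show that files expected to be plain text (a PEM certificate, shell scripts, a version string) are not.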

My findings on the OpenWrt forum: https://forum.openwrt.org/t/aether-cone-good-device-for-hacking/73890 Also a link to the update script, which can be helpful to see how to decode the firmware, from GitHub: https://pastebin.com/SXASpfnX

Answered by Daniel Kukula on December 6, 2020
