Forum: Device: SkyTC - KMP510 (Envivo Otek Xenta Arnova)
Topic: tutorial: remove root password while upgrading fw on xoro hmt350
Last replied to: July 28, 2011, 11:39 am
Posted by jandy123 Message # 1     Posted at July 28, 2011, 8:43 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 14 posts
Registration date: July 28, 2011
Status: Offline

This is a follow-up of http://www.eevblog.com/forum/index.php?topic=2232.0 about hacking the HMT 350 internet radio. The "old" method described above does not seem to work with newer firmware/hw. versions. Trying the steps in the tutorial above invariably delivered "file error". So it became obvious to me that another protection layer has been deployed for newer fw/hw versions. This tutorial will help you gain root access and perform a fw. upgrade to version 1.8.9.

If you stick to the steps below, the chances of damaging your device are very small. However, I am not responsible if something goes wrong...

Ok, my HMT 350 came with fw. 1.8.3, model: KMP510.0  HMT 350, type RM002.
Trying to update using the old method above, I was invariably getting a "file error" message. This is because an additional checksum is now used to check the fw. file update-firmware.bin.

Requirements:
- linux box
- wireless router

Steps:

1. If you want to perform a fw. update, you'll have to get the fw. appropriate for your device. You can do this as follows. On your linux box, open firefox and type:

http://www.ilookee.tv:8080/iRadio168/update.jsp?model=KMP510.0%20hmt350&type=RM002&fw=V1.8

with the correct model and type (the strings above apply to my device). Save the file update.jsp on your linux box. In my case the content of the above file is:

<?xml version="1.0" encoding="UTF-8"?>
<Result>
  <Value>2</Value>
  <Url>http://www.iradio168.com:8080/update/xoro512/update-firmware.bin</Url>
  <MD5>c69b56bffd997d36283a0a893424bdcf</MD5>
</Result>

Get the file above using wget:

wget http://www.iradio168.com:8080/update/xoro512/update-firmware.bin

This means that I can now upgrade my device to the latest fw.

2. Extract fw. content and modify it.

tar xvfz update-firmware.bin

Extract actual update:

tar xvfz update-files.tar.gz

Modify /etc/passwd as follows:  root::0:0:root:/:/bin/sh
This essentially opens-up telnet.

3. Build updated fw. Please see steps in http://www.eevblog.com/forum/index.php?topic=2232.0

After this, you should have the updated update-files.tar.gz.

4. Recompute md5 checksums for update-files.tar.gz. Type:

md5sum update-files.tar.gz

Overwrite the checksum string in update-files.tar.gz.md5 with the resulting checksum.

5. Refer to http://www.eevblog.com/forum/index.php?topic=2232.0 to make the modified update-firmware.bin (basically tar cvfz ../update-firmware.bin . ).

6. Calculate checksum of the whole fw. update file:

md5sum update-firmware.bin

7. At this step you could try to update your fw. with the new patched one by performing a local update. If you get a HW related error, then the firmware is not compatible with your device. DO NOT PROCEED ANY FURTHER. If you get a "File Error" message and the upgrade procedure ends, follow the steps below.

8. Now we have to update the fw. via the online method, but force the device to download your patched fw, and not the original one from:

http://www.iradio168.com:8080/update/xoro512/update-firmware.bin

Basically you'll need to reconfigure your local network such that your linux box gets assigned ip address 58.64.154.189 (corresponding to www.iradio168.com).

After you've made sure your linux box has IP 58.64.154.189, you should run an http server to deliver the modified update-firmware.bin to your device.

I used thttpd which can be installed on ubuntu: apt-get install thttpd. By default the www directory is /var/www. Create directory /var/www/iRadio168 . Copy in this directory the patched firmware and create in the same directory a file update.jsp with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<Result>
  <Value>2</Value>
  <Url>http://www.ilookee.tv:8080/iRadio168/update-firmware.bin</Url>
  <MD5>xxx</MD5>
</Result>

Replace the xxx (MD5 string) with the one you calculated in step 6. The content of /var/www/iRadio168 should now be:
 update-firmware.bin
 update.jsp
 
9. Start thttpd with: sudo thttpd -D -P 8080 -C /etc/thttpd/thttpd.conf

10. Go to the device, and perform fw. update via online. If step 8 was performed correctly, the device should now update its fw. with your patched one.

11. Reconfigure your local network as it was, and verify that telnet works (with empty root password).


This should work fine for people with Xoro HMT 350. People with Arnova devices may not be able to obtain a fw. from http://www.iradio168.com. Since I am not sure what the differences between the actual hw. are, I do not advise flashing the Xoro fw. Instead you should try to create update-files.tar.gz which only contains /etc/passwd and try to update the update-script accordingly, i.e.:

hardware_version=KMP510.0 hmt350
software_version=V1.8sp
type_version=RM002
md5_check=update-script
md5_check=update-files.tar.gz
command_execute=umount /etc
/etc/passwd

Of course, the hw. version and type version should match your device. If you try this, please make sure you recompute the checksums of both update-files.tar.gz and update-script itself, as they both have to be verified (i.e. do not remove the lines

md5_check=update-script
md5_check=update-files.tar.gz

from the update-script, but instead make sure they match).

That's it. Let me know if it works for you.

If you manage to get in and find interesting things, please post your findings.

andy
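
Steps 4 to 8 above are accepted because an MD5 comparison detects a corrupted download but does not authenticate the image; the sketch below contrasts it with a keyed check that fails closed. It is an added example, not part of the original post or the device's code: the device-side comparison is assumed from the thread, the `<Tag>` element, key, URL and firmware bytes are constructed, and HMAC-SHA256 stands in for a vendor signature (a real device would hold only a public verification key).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins: not real firmware and not a real vendor key.
VENDOR_KEY = b"constructed-demo-key"
ORIGINAL_FW = b"constructed firmware image v1"
REPACKED_FW = b"constructed firmware image v1, repacked"


def build_manifest(fw, key=None):
    """Build an update.jsp-style manifest; <Tag> is a hypothetical extra field."""
    root = ET.Element("Result")
    ET.SubElement(root, "Url").text = "http://update.example/update-firmware.bin"
    ET.SubElement(root, "MD5").text = hashlib.md5(fw).hexdigest()
    if key is not None:
        ET.SubElement(root, "Tag").text = hmac.new(key, fw, hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")


def md5_accepts(manifest, fw):
    """Assumed device behaviour: compare the download's MD5 with <MD5>."""
    expected = ET.fromstring(manifest).findtext("MD5", "").strip().lower()
    return hmac.compare_digest(expected, hashlib.md5(fw).hexdigest())


def keyed_accepts(manifest, fw, key):
    """Hardened check: reject unless <Tag> verifies under the vendor key."""
    tag = ET.fromstring(manifest).findtext("Tag")
    if tag is None:
        return False  # a missing tag must fail closed, not fall back to MD5
    good = hmac.new(key, fw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.strip().lower(), good)


def compare_checks():
    vendor = build_manifest(ORIGINAL_FW, VENDOR_KEY)
    # Anyone who repacks the image can recompute MD5 but not the keyed tag.
    repacked = build_manifest(REPACKED_FW)
    return {
        "md5_vendor": md5_accepts(vendor, ORIGINAL_FW),
        "md5_repacked": md5_accepts(repacked, REPACKED_FW),
        "keyed_vendor": keyed_accepts(vendor, ORIGINAL_FW, VENDOR_KEY),
        "keyed_repacked": keyed_accepts(repacked, REPACKED_FW, VENDOR_KEY),
    }


if __name__ == "__main__":
    print(compare_checks())
```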



 
Posted by penbex Message # 2     Posted at July 28, 2011, 10:35 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 2260 posts
Registration date: May 21, 2009
Status: Offline

Hi,

Thanks for your info. Let me add a few notes to it. 

To start with, the modification is an added md5 checksum which was introduced after firmware 1.7.
This was probably added so that it is less likely to brick the box when the firmware was not correctly transmitted.
I only found one firmware 1.7 image that made this clear.

Requirements:
You can use Cygwin so you don't really need a linux box. (Of course the http daemon story also changes but you don't need that either)

Step 1: You need a firmware version to modify. So you try to download it from the SkyTC (manufacturer) website in the same way your box would grab a firmware update.
This indeed works for the HMT350. However, for most of our boxes (Envivo, Arnova, Pearl, Xenta etc) the manufacturer is not providing any update files at all.
So there is nothing to download from their site.

Step 3: Perhaps add the building instructions in your post in case eevblog is offline/not available for whatever reason.

Step 9: Why not load the update from the internal memory? Connect the box to a PC, load the firmware image onto the found "flash drive" and load it from "internal memory".
When you already have a firmware version 1.8.6 or higher you can also load a new firmware from the SD card.

Note that all modified firmwares that you can download from this server have the root password removed, so you have access through telnet.

Btw, modified firmware for the HMT350-RM002, Arno and Wiwa will be posted asap.
Completely new firmware with lots of added features is in development and should be available in a few weeks.
My box is already booting up with a new menu and I think it looks so much nicer

BR,
William

 
Posted by jandy123 Message # 3     Posted at July 28, 2011, 10:48 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 14 posts
Registration date: July 28, 2011
Status: Offline

Hi William,

Step 9, as you propose it, never worked for me. I get the same file error if I try to update from internal memory, even if I also create update-firmware.bin.md5 with the appropriate content.

Could you let us know how to get rid of the cumbersome IP faking steps?

andy
 
Posted by penbex Message # 4     Posted at July 28, 2011, 10:56 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 2260 posts
Registration date: May 21, 2009
Status: Offline

From the Penbex radios we know that they have similar problems with the update process. (you also need to load a firmware image to the device which is connected as a flash drive to a pc.)
The problem seems to happen with both linux and windows pc's.

We never got the Linux pc's working correctly with the Penbex radios. However, the Windows pc's are fine when you connect, copy firmware to the flash drive and then use "Eject" from "MyComputer". Not using Eject will not finalize the written file and using the eject on the taskbar also sometimes gives problems.

We recently gained access to a Wiwa box (thanks Pjotr ) and had the same problem. The update file was not accepted until Eject was used from the "My Computer" screen.
See if that works for you too..

~W.

 

 

 

 
Posted by jandy123 Message # 5     Posted at July 28, 2011, 11:01 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 14 posts
Registration date: July 28, 2011
Status: Offline

Hi William,

Well, I'm not going to try, now that I have a working system...

However, I'm looking forward to your new fw.

Could you let us know what to expect?




 
Posted by penbex Message # 6     Posted at July 28, 2011, 11:29 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 2260 posts
Registration date: May 21, 2009
Status: Offline

So far the released firmwares are just patches so that you can use this server and with that you have the ability to manage and add your own stations. You can even add private stations pointing to a local IP address so you can stream from a home PC to the device.
With the original firmware you have to rely on SkyTC and they don't seem to make changes more than twice a year.
For the earlier mentioned brands there were no such patched firmwares yet, I will post these in a day or so.


For the completely new firmware things are different.
The main application is written from scratch and this allows me to make anything I want.
The menu will be a bit nicer (ok, that's just taste), better support for streams, weather info, rss feeds for news etc. The alarm clock will actually work, support for multiple access points, brightness control, samba support, etc. etc.
There is a thread with a wishlist to which a lot of people here contributed. This list is based on the current firmwares and shows what is broken and what people think is missing.
The things listed in that thread will be included.

Of course it will take a bit of time to make and I am sure there will be bugs in the releases..
but at least we have the forum here for feedback so we can fix any bugs that might be there.
Also the aim is to have one version for all devices.

 

 


 

 

 
Posted by jandy123 Message # 7     Posted at July 28, 2011, 11:39 am,     subject: tutorial: remove root password while upgrading fw on xoro hmt350  
Messages: 14 posts
Registration date: July 28, 2011
Status: Offline


Can't wait for your firmware!

Until it comes, I realized that I can already use this site's database, without modifying /usr/jz-project/jz-media-app by just creating a file called main_server_xml in /mnt/mtdblock7/ with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<Items>
  <Item>
    <ItemName>ListenLive</ItemName>
    <ItemIP>http://www.listenlive.nl</ItemIP>
    <ItemUrl>http://www.listenlive.nl/Genreinfo.xml</ItemUrl>
    <ItemMD5>c446892311c11fd055f1e667e506139c</ItemMD5>
  </Item>
</Items>

andy


(Last Edited by jandy123 on July 28, 2011, 1:06 pm)