This post relates to the ONKYO TX-NR626. However, firmwares for other models seem to use a similar encryption algorithm and should be well supported by the tool (yes, I've tested it on some).
I bought this model of Onkyo receiver mostly for its network capabilities, especially for Spotify support. Alas, the interface for controlling the receiver remotely (the one running on port 60128) is pretty cumbersome and leaves much to be desired. Network functions are painfully slow for my taste, and it's not possible to use all Spotify features (even though the libspotify.so developer library, which Onkyo embeds, exposes more functionality). Besides that, having a network device running Linux with no shell access to it makes me experience extreme consumer outrage :-) All that resulted in this quest to root the box and possibly build custom modded firmware.
# Scouting the Internet
Unusually, I wasn't able to find much information on "hacking Onkyo" online.
I contacted the author with some questions and, surprisingly, he told me someone else had recently been in touch with him with the news that he had succeeded in decrypting the firmware after using the author's notes on obtaining serial shell access. Apparently, all the interesting stuff was happening in libupdater.so, including on-device decryption. The site author put me in touch with that person, and rather than begging him to reveal the algorithm I only asked for a little gift in the form of the libupdater.so library... spending a few days in IDA felt like a pleasant pastime to have :)
It's tricky to do static analysis without being able to execute the code, and I hadn't had much experience with ARM assembly before. Still, it's always nice to practise old skills and recall my younger days of reverse-engineering mayhem on x86 :)
Fortunately, Onkyo uses a very simple encryption algorithm, and helping myself with an ARM simulator to run chunks of assembly code for faster learning made figuring out Onkyo's encryption easier.
Without further ado, I present a tool to decrypt and extract streams from firmware .of files.
Run the decryptor and it will search the current directory (or the path given as an argument) for all ".of" files and decrypt/extract them under ./extracted. You should get an output directory of files similar to this:
```
$:/tmp/onkyo/ONKAVR0014_00EAEAEAEA00EA_110/extracted/$ file *
of0: ASCII text
of3.DA83XEA_010203040506.05111: Squashfs filesystem, little endian, version 4.0, 10806249 bytes, 412 inodes, blocksize: 131072 bytes, created: Tue Nov 12 07:33:54 2013
of4.DA83XEA_010203040506.06111: gzip compressed data, from Unix, last modified: Tue Nov 12 07:33:48 2013
of4.DA83XEA_010203040506.07111: Squashfs filesystem, little endian, version 4.0, 4357176 bytes, 22 inodes, blocksize: 131072 bytes, created: Tue Nov 12 07:33:49 2013
of4.ONKAVR0014_00EAEAEAEA00EA.EA108: 8086 relocatable (Microsoft)
```
It's then trivial to unpack the Squashfs images and study what goodies are there.
- .of2 dumps contain the compressed kernel, the Linux runtime and the Marvell chip (apparently used for video processing/upscaling) binaries.
- .of3 is /opt filled with Onkyo stuff <-- most interesting.
- .of4.03111 is the DA8xx media processor binary (MAGICWORD 0x15223759, which reads as Y7" in ASCII), of4.06111 is a gzipped /etc/ and several other dirs, of4.07111 is the Linux system utilities, and of4.EA108 is the Onkyo bootloader and ISCP brains.
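To triage the extracted streams without relying on `file`, here is an added Python helper (not part of the original tool) that identifies each stream by its magic bytes and pulls the same fields `file` reports from the Squashfs 4.0 superblock and the gzip header. It assumes the DA8xx MAGICWORD 0x15223759 is stored little-endian, which is what makes it read as Y7" in ASCII; the magic table and sample inputs are constructed for this example.

```python
import os
import struct
import time

# Magic values for the stream types the extractor produces (constructed table;
# assumption: the DA8xx MAGICWORD 0x15223759 is stored little-endian, which
# is why it reads as 'Y7"' in ASCII).
SQUASHFS_MAGIC = b"hsqs"                      # little-endian Squashfs
GZIP_MAGIC = b"\x1f\x8b"
DA8XX_MAGIC = struct.pack("<I", 0x15223759)
SQUASHFS_SB = "<4sIIIIHHHHHHQQ"               # Squashfs 4.0 superblock prefix

def utc(ts):
    """Render a Unix timestamp as a UTC string (file(1) prints local time)."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))

def classify(data):
    """Return a dict describing one extracted stream from its leading bytes."""
    if data.startswith(SQUASHFS_MAGIC) and len(data) >= struct.calcsize(SQUASHFS_SB):
        # superblock: magic, inodes, mkfs_time, block_size, fragments, compression,
        # block_log, flags, no_ids, major, minor, root_inode, bytes_used
        (_, inodes, mkfs_time, block_size, _frags, _comp, _log, _flags,
         _ids, major, minor, _root, bytes_used) = struct.unpack_from(SQUASHFS_SB, data)
        return {"type": "squashfs", "version": f"{major}.{minor}", "bytes": bytes_used,
                "inodes": inodes, "blocksize": block_size, "created": utc(mkfs_time)}
    if data.startswith(GZIP_MAGIC) and len(data) >= 10:
        # RFC 1952 header: ID1 ID2 CM FLG MTIME(4, little-endian) XFL OS
        mtime = struct.unpack_from("<I", data, 4)[0]
        return {"type": "gzip", "modified": utc(mtime)}
    if data.startswith(DA8XX_MAGIC):
        return {"type": "da8xx", "magic": "0x15223759"}
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return {"type": "ascii"}
    return {"type": "unknown"}

def classify_dir(path, head=64):
    """Classify every regular file under `path` (e.g. the ./extracted directory)."""
    out = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out[name] = classify(fh.read(head))
    return out

if __name__ == "__main__":
    import sys
    for name, info in classify_dir(sys.argv[1] if len(sys.argv) > 1 else "extracted").items():
        print(f"{name}: {info}")
```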
My next step will be enabling shell access and packing it into a custom firmware. After that, hopefully, expanding the Spotify and remote-control capabilities! :)
Happy reversing and do get in touch with your developments!
## Updated to version 2 on 19/04/2014
# Source code below: