I am happy to report that my Onkyo TX-NR626 is now properly owned ;-)

Custom firmware was packed, encrypted, flashed with crossed fingers and works perfectly!

I didn't expect that much could go wrong and the device can be bricked - I am only touching .of3 firmware file (original name da83x_rootfs_opt.img) which is Squashfs filesystem image. The file is saved into /tmp/squashfs and then mounted read-only as /opt. If I messed something there the worst would have been a failure to start Onkyo`s opt-ware but the OS should have booted fine and allowed USB re-flashing (not even mentioning recovery flashing options!).

Packing firmware with shell access

I was looking to enable telnetd and strings in the binary suggested it was present as busybox module. There was several auto-starting .sh files in the filesystem and I opted to change /opt/onkyo/avr/etc/thttpd_alive script adding "/bin/busybox telnetd &" to execute on startup.

Alas, after flashing firmware, the telnet port wasn't answering.

I thought that I could be invoking command incorrectly and played with different variations of busybox calling, different ports & parameters, flashing firmware again and again but without any luck.

Then I decided to write reverse-shell program which would connect to my listening port and spawn /bin/sh. Packed it as .cgi to /www folder, reflashed, invoked it via URL. It did connect back but immediately dropped the connection...hmm.

This started to get annoying. I compiled a simple telnetd daemon (utelnetd), included it into /opt/onkyo/avr/bin, called it from the above mentioned script and also quickly coded a simple network daemon which would listen for incoming connections and pipe received commands to /bin/sh. I made it chown root:root, setuid and packed it as a .cgi script.

So two ways to get access.. one of them must be good!

Reboot... trying to connect to utelnetd on port 23... damn, "Connection closed by foreign host.".

OK, let's try our daemon then.. calling http://192.168.0.20/shellserv.cgi and ... voilà!

# telnet 192.168.0.20 9999
Trying 192.168.0.20...
Connected to 192.168.0.20.
Escape character is '^]'.
pwd
/opt/onkyo/avr/www

whoami
root

uname -a
Linux TX-NR626 2.6.33-rc4 #1 PREEMPT Fri Mar 1 22:06:02 JST 2013 armv5tejl unknown

^]
telnet> quit
Connection closed.

Be my guest

It's nice to be in and have powers to control your hardware :)

First of all I checked what prevented telnetd from starting.. It appears busybox doesn't have telnet module (applet) compiled in (even though there were strings in the binary with telnetd help page.. hm). Then, utelnetd didn't work and was throwing 'All network ports in use!' errors on the console. After investigating I found that pseduo-tty devices under /dev are missing and kernel is compiled without devpts support. So connecting to pseduo-terminal is out of luck (no telnet/ssh) without further altering firmware files.

And I don't think I would be spending any more time on that. Having root access via socket to /bin/sh is enough for me for now.

What's next?

I'll give Spotify & Onkyo a month or two to release "Spotify Connect". It was already announced to be coming on newer Onkyo models. I do hope existing customers will not be neglected. After all, it's only a matter of adding extra software to the existing setup. Onkyo - I know there is slightly more than 5MB left unused on that /opt partition ;-)

But if they don't - we'll take matters into our own hands:)