Search This Blog

To adblock users

Hello! If you see this, you are most likely using an ad blocker. (Or maybe you have JavaScript disabled. Or maybe my web server is down.) I have no problem with ad blockers; in fact I use one myself. If a site tries to deny me access unless I disable it, I just find a way to circumvent that. But if a site politely asks me to do so, but still allows access to the site, I disable it for the site. I am asking you to please do the same for this site. I can't make you, but I would appreciate it. Thank you! :-)

Sunday, September 28, 2014

Hacking the Bose Soundtouch, and its Linux-based OS

Did you know that the Bose SoundTouch line of home stereo systems runs on an embedded Linux system, complete with a shell? It does, and I figured out how to access said shell. Keep in mind that I take absolutely no responsibility for any damage you may do, and while if you know what you're doing I don't see how anything could go wrong, I still don't take any responsibility if you do manage to mess something up.

First of all, you're going to need a telnet client. I use PuTTY myself, but if you're on a Mac or Linux, you can just open a terminal and use the telnet command. Now figure out your device's IP address. It will tell you this when you set up your device in the Soundtouch app.

The first step is to telnet to the device on port 17000. You should see a "->" prompt. At this prompt, type "remote_services on" without quotes (you shouldn't include quotes for anything in this tutorial.) The device will respond with "remote services on". At this point you can simply close the connection, but there's also some other interesting stuff you can do here. You can type "help" to get a list of all the commands this prompt supports, or click here to see it on Pastebin.

Anyway, that command you just typed enabled remote shell access to the device. According to the aforementioned help screen, that command is "volatile", which I assume means if you restart the device you'll have to re-enter the command on port 17000 to re-enable shell access.

But from here accessing the shell is simple. Just telnet to the device again, this time on port 23, the default telnet port. You'll see the following screen:

 _______ __           __ __
|     __|  |--.-----.|  |  |--.--.--.
|__     |     |  -__||  |  _  |  |  |
|_______|__|__|_____||__|_____|___  |


Simply type "root" and press Enter. Some information will be printed, and then you'll be greeted with "root@lisa:root#". (I wonder who Lisa is?)

Enjoy your newfound freedom to hack your device!

EDIT: Upon first suspecting the existence of a shell after looking at a firmware update file in a hex editor, I contacted support to ask how to access the shell. Shortly after I figured out this method on my own. But then they emailed me back and said they weren't allowed to tell me because the information was "proprietary in nature." Good thing I'm not bound by the same contractual restrictions as their support personnel!

Tuesday, September 16, 2014

I haven't died!

I just noticed I haven't posted to this blog in over a year! (Until now, that is.) That's never happened before. I think that's mainly because I've been posting things in other places, like on Twitter, and on my website (which, unlike this blog, is on my server! .....nobody remembers what I'm referring to, do they.....)