Search This Blog

To adblock users

Hello! If you see this, you are most likely using an ad blocker. (Or maybe you have JavaScript disabled. Or maybe my web server is down.) I have no problem with ad blockers; in fact I use one myself. If a site tries to deny me access unless I disable it, I just find a way to circumvent that. But if a site politely asks me to do so, but still allows access to the site, I disable it for the site. I am asking you to please do the same for this site. I can't make you, but I would appreciate it. Thank you! :-)

Sunday, September 28, 2014

Hacking the Bose Soundtouch, and its Linux-based OS

Did you know that the Bose SoundTouch line of home stereo systems runs on an embedded Linux system, complete with a shell? It does, and I figured out how to access said shell. Keep in mind that I take absolutely no responsibility for any damage you may do, and while if you know what you're doing I don't see how anything could go wrong, I still don't take any responsibility if you do manage to mess something up.

First of all, you're going to need a telnet client. I use PuTTY myself, but if you're on a Mac or Linux, you can just open a terminal and use the telnet command. Now figure out your device's IP address. It will tell you this when you set up your device in the Soundtouch app.

The first step is to telnet to the device on port 17000. You should see a "->" prompt. At this prompt, type "remote_services on" without quotes (you shouldn't include quotes for anything in this tutorial.) The device will respond with "remote services on". At this point you can simply close the connection, but there's also some other interesting stuff you can do here. You can type "help" to get a list of all the commands this prompt supports, or click here to see it on Pastebin.

Anyway, that command you just typed enabled remote shell access to the device. According to the aforementioned help screen, that command is "volatile", which I assume means if you restart the device you'll have to re-enter the command on port 17000 to re-enable shell access.

But from here accessing the shell is simple. Just telnet to the device again, this time on port 23, the default telnet port. You'll see the following screen:

 _______ __           __ __
|     __|  |--.-----.|  |  |--.--.--.
|__     |     |  -__||  |  _  |  |  |
|_______|__|__|_____||__|_____|___  |
                              |_____|


login:


Simply type "root" and press Enter. Some information will be printed, and then you'll be greeted with "root@lisa:root#". (I wonder who Lisa is?)

Enjoy your newfound freedom to hack your device!

EDIT: Upon first suspecting the existence of a shell after looking at a firmware update file in a hex editor, I contacted support to ask how to access the shell. Shortly after I figured out this method on my own. But then they emailed me back and said they weren't allowed to tell me because the information was "proprietary in nature." Good thing I'm not bound by the same contractual restrictions as their support personnel!

60 comments:

phillips321 said...

Nice, lets just hope they don't issue a firmware 'update' that sets the root password. Although i guess if they do that you could just diff the firmware image with the previous in order to identify where the changes are. Find the hash and either replace it with a known or crack it. (Make sure you store a copy of the vulnerable firmware as they'll likely remove it)

Mark Smith said...

As pointed out by some Hackaday commenters, aren't they bound by the GPL to present the license and source code of the GPL-based software? Are you sure it's Linux and not some other *nix? If it is indeed GPL, they don't mention it in the user manual, and you might want to pass this on to the FSF.

Flarn2006 said...

@Mark Smith, it is indeed Linux, as there are references to "linux" in filenames, like what I believe is the kernel. A quick look through the PDF manual doesn't show anything about the GPL, but there is at least one copy stored on the unit. Don't know of any accessible through officially-documented means though.

Anonymous said...

Output from 'uname -a' should settle the matter. If you are lucky, cd to /etc and see if there are any *release* files.

Anonymous said...

_______ __ __ __
| __| |--.-----.| | |--.--.--.
|__ | | -__|| | _ | | |
|_______|__|__|_____||__|_____|___ |
|_____|


login: root
eth0 Link encap:Ethernet HWaddr 00:0C:8A:B3:0C:E9
inet addr:192.168.0.131 Bcast:0.0.0.0 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
usb0 Link encap:Ethernet HWaddr 8A:86:27:19:D5:E8
inet addr:203.0.113.1 Bcast:0.0.0.0 Mask:255.255.255.252
root@spotty:root# uname -a
Linux spotty 3.2.0+ #50 Wed Aug 13 19:20:17 EDT 2014 armv7l GNU/Linux
root@spotty:root#

Anonymous said...

I think the latest update has shut this down - looks like the only command that works at "->" is "help" (which I have to enter twice for some odd reason - the first attempt is not recognised as valid). "remote_services on" is also invalid, so doesn't seem to be the way to enable remote access any more.

Flarn2006 said...

@Anonymous, can you please pastebin the output of the help command on the updated version?

Anonymous said...

I'm not the same Anonymous but I can confirm that my new system does not have the same remote_services command anymore. Here is a pastebin of the new help:

http://pastebin.com/EwPKS26G

I don't think the other commands are changed. I'm guessing they removed the command from the help and probably just changed it to something else.

The 'sys ver' command yields "BoseApp version: 7.2.21.18505.1022282 epdbuild.trunk.hepdswbld05.2014-12-11T22:02:14"

Anonymous said...

Could you run 'scm list' through the port 17000 connection and post the resulting process list after turning on remote_services? If something unique shows up, it may be able to be started with 'scm restart '

Flarn2006 said...

Here's the output from "scm list":

http://pastebin.com/zRhdn0Tf

Anonymous said...

There was no difference with 'scm list'.

I've been messing with the port 17000 terminal a lot with little success. I haven't been able to find any commands that printf bad input buffers directly, which would be helpful to poke around the memory addressses.

I have a feeling there is a potential buffer overflow. The update package doesn't seem to include this program though (none of the strings are present). Could you (or anyone!) find and upload a copy of the program(s) that run on this port?

It likely is a single program that forks itself or another client program for each connection. If the telnet shell has something like 'ps' or 'top', it should be somewhat easy to determine which program is being spawned after making several connections.

Flarn2006 said...

I just remembered something. Someone told me in an email that there's another way to access the shell. I haven't tested it myself though. Buy this cable (http://bit.ly/1ykuC1e, you can probably find a cheaper one somewhere else) and plug it into your computer and the port on the back of the unit labeled "SERVICE". It'll appear on your computer as a serial port; use the settings 115200 8 N 1 N. Connect to it with a terminal like PuTTY and it should give you the shell prompt. If you try it, let me know if it works so I can post it here!

Bose Soundtouch said...

Did you know that the Bose SoundTouch line of home stereo systems runs on an embedded Linux system, complete with a shell? It does, and I ... bosesoundtouch.blogspot.de

Anonymous said...

Try local_services on instead

Anonymous said...

You do know that cable won't actually connect to anything on a Bose Soundtouch ? The service port is a micro USB, not a 3.5mm socket ...

Unknown said...

it has active service called "BTLESerial" - is it something related to Bluetooth console probably?

Unknown said...

Been a while on this. But is it possible to hack in the ability to add more Virtually Invisible speakers to the Soundtouch 300? Based on the fact these devices are all controlled by the same apps, the Soundtouch 300 would have the same ability to entry. I'd love to be able to add 2 more Virtually Invisibles seeing how good it sounds with the pair already.

Flarn2006 said...

@Anonymous: On mine it's a 3.5mm socket. If yours is a micro USB, try connecting it to your computer with a standard micro USB cable and see what it shows up as.

lmore377 said...
This comment has been removed by the author.
Unknown said...

Has anyone had a chance to access the shell after the recent firmware updates? I remember I managed to get access back in 2016, but now there's no such command as remote_services in the shell at port 17000 anymore

jakunar said...

Hi,

I got the same problem, or maybe even worse.
For me 'help' results in:

->help
Command not found

some command however still work, e.g.: scm list, key

Anonymous said...

sys timeout inactivity off works with the latest update

Anonymous said...

note you must run it twice:

->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided
->OK
->->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided

Anonymous said...

- Connect a USB/serialTTL converter to the 3,5mm "service" plug TX=tip, RX=ring, GND=GND
- Use Putty or similar at 115200 to view the boot process when powering on the soundtouch system-
- See Uboot, kernel and busybox until login prompt.
- Login as root, no password, you get: root@lisa:~#
- root@lisa:~# touch /mnt/nv/remote_services
- root@lisa:~# /etc/init.d/sshd start

You are finished now with the serial interface and can login with ssh root@ipaddress.
This persists on power cycles.
To disable sshd you have to delete the file /mnt/nv/remote_services.

A USB-Stick is mounted automatically onto /media/sda1.
/dev/sda1 on /media/sda1 type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

So you can store your mp3s on the stick and the system will see it.

This is where I need help. Can somebody build a kind of microdlna server that we run on the system (maybe from stick), that reads the mp3-files and stream it via the net. From there we could play it with the system as a dlna client.

Bose refused to give me links to the open source used under GPL.
Some insights:
root@lisa:~# uname -a
Linux lisa 3.14.43+ #2 Fri Jun 23 20:38:40 EDT 2017 armv7l GNU/Linux

root@lisa:~# busybox
BusyBox v1.19.4 (2017-04-14 14:30:45 EDT) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.

Anonymous said...

I see all these usb parts are easily bought off ebay :) Guess what I just ordered.
Ill come back If all goes well with the Instructions Anonymous gave.

Anonymous said...

Im having a problem buying the correct parts for this to work.

The poster on Friday, September 08, 2017 2:46:00 PM

Can you give some pointers as i've bought
An OTG USB converter to get it to fit the Service port on the BOSE

Iv'e bought 2 different cables
PL2303TA USB TTL to RS232 Converter Serial Cable
USB to COM Cable UART PL2303HX

I have bought multiple different USB To RS232TTL but still have no activity.
CP2104 USB to TTL UART 6pin
STC RS232 CH340G
Pl2303 CP2102 USB To RS232TTL CH340G
PL2303 USB To RS232 TTL Converter Adapter Module with PL2303HX
USB To RS232 TTL Auto Converter

Any help In the right direction would be great.

Thought this would be something easy to do but clearly not :(

Anonymous said...

It is really easy.
I use this converter:
https://shop.in-circuit.de/product_info.php?cPath=38&products_id=78
Solder Tx to Tip, Rx to Ring and GND to GND on a 3,5mm plug.

Plug the 3,5mm jack into the soundsystem.
Plug the USB plug into the PC.

Samuel Checa said...

Hi.
Here I leave the service manual where you can find some interesting things about the service cable among others:
http://manualzz.com/doc/9792383/soundtouch-20-series-iii-service-manual

Anonymous said...

if [ -e "$mnt/remote_services" ]; then
touch /tmp/remote_services
/etc/init.d/sshd start
/etc/init.d/telnetd start
fi


Hope that helps...

Unknown said...

There is this infamous AUX delay in all SoundTouch devices which Bose acknowledges but cites as high quality audio processing as the culprit. I am not satisfied with this answer. Can someone figure out how to remove this delay because it obviously has to be software based cos all SoundTouch devices have the same delay length. And also a way to set the EQ would be nice. I paid 1000$ for the SA-5 amp and all I get is Bass Reduction and 100ms (roughly) audio from AUX input.

Mark Kaplan said...

This post worked perfectly over telnet.

Anonymous said...
note you must run it twice:

->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided
->OK
->->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided

U-LEE said...

Hi,

can anybody please provide am update.stu file from 2014
for Soundtouch Series II ?
I would like to do some tests, after i managed to bring
back some of them back to life

Would be very happy to get such a bin file !

Thanks

ggibby said...

On my SA-4 all I wanted was to disable auto power off/standby.

Connecting to the micro USB Setup port with a regular 'phone cable worked for me.

PuTTY telnet to
203.0.113.1
port 17000

--> sys timeout inactivity disable

Might require entering the command twice.

No more speaker 'pop' when I activate! Damn that has always been annoying.

Source hint:
https://www.bose.com/en_us/support/article/updating-soundtouch-sa4.html

Chris said...

I could log in into spotty after putting a usb with an empty file remote_services in it, might also work with local_services. I had a look into the various files (scripts and xml) put concerning the relevant firmware (PTSServer and BoseApp) there is little information. I would like to add a fast-forward function to be implemented with the websockets but this seems impossible without having the source files to re-compile it.

lmore377 said...

Turns out this speaker probably has the same SoC as the beaglebone black. In /boot, one of the dtb files is named am335x-boneblack.dtb which is the same name the beaglebone uses and this patch was made by someone at bose and they mention the beaglebone https://patchwork.ozlabs.org/project/uboot/patch/1340703483-27276-2-git-send-email-harman_sohanpal@ti.com/

Also like Chris said, putting a file named remote_services on a flash drive and plugging it in enables ssh and telnet with root and no password

About the serial console, it's on the aux in port but it looks like it doesn't use a standard trs connector. In the service manual, it looks like a trrs connector with an extra ring around the sleeve and it looks like the pinout would be like this:

Tip: Left Audio
Ring: Right Audio
Ring: Ground
Sleeve: Serial RX
Extra Ring: Serial TX

I'm going to open up my speaker tomorrow to see if I can get a part number off the aux jack because the service manual has one but searching it doesn't bring any results. If anybody wants to take a look at the part number, I'm looking at the Soundtouch 20 Series I & II manual and the reference designator is J603.

I feel like with enough work this speaker can run openwrt (routers aren't the only thing it's good for!)

Anonymous said...

I managed to log in to spotty as Chris described, but since the root fs is mounted as ro I can't change files like the telemetry scripts and some other changes I'd like to try. Some has an idea how to change the mount options, or how to change the UBI fs in the Update.stu file?

nitegate said...

Hi.
I've found this thread because my Amplifier SA-4 is stuck in an update loop. It hasn't been used for some time and the SoundTouch App wanted me to update the device.
Now the device boots up and blinks white. I can find the device in the bose app, but it says the device is updating. I can connect over Soundtouch API but I get






I'm able to connect on the 17000 port and see the "->" prompt but none of the above commands show any reaction. Not even the "help" command.
I've seen in the bose forum that somebody mentioned that a too big jump in firmware version might cause such a problem.
Does any one by any chance has an older firmware version for the SA-4 I could try? I'm on 26.0.1.
Thanks in advance.

pcbeard said...

Logging on using ssh (enabled via empty remote_services on USB stick), I noticed there's a .profile in /home/root, which contains references to the path:

/mnt/nv/BoseApp-Persistence/1/

This seems to contain all the configuration for the speaker as .xml files. For example, my speaker's time zone settings are in ClockDisplay.xml.

This directory is also writable from the root account.

kagapaetzold said...

Harrah's Cherokee Casino Resort - MapYRO
Find 논산 출장샵 Harrah's Cherokee Casino 보령 출장샵 Resort (North 부천 출장마사지 Carolina) 전라남도 출장마사지 location in North 제주도 출장샵 Carolina, revenue, industry and

Dalton said...

My soundtouch 20 is bricked by an update. Stays frozen at Installing Update 0%.
I did succeed at getting it to play again with all your help, thanks fellow posters!
Note that I am a regular user, a script kiddie, so don't be too intimidated by the Bose stuff. they have just ripped off Linux 3.4 kernel.

Insights from messing with this all weekend:
The poster who mentioned putting a blank file called remote_services on a flash drive is probably a Bose engineer or a genius. My device has a usb port. Having the flash drive connected acts like a key that unlocks telnet and ssh. I connected it to Ethernet and found it on my router table. On my network, I just open command prompt and type "ssh root@10.0.0.35" and I'm in. For telnet, you have to type "telnet 10.0.0.35 17000" for port 17000. Telnet is usually on port 23. if you connect to port 23, you get a BOSE ASCII artwork and are asked for username and password. I could not get past this. If anyone can help me crack it please comment.

OP asked "Who is Lisa?" its a codename for the Soundtouch Adapter.
There are different settings for the larger speakers. So it loads you into an environment based on the hardware present.
Lisa - Soundtouch Adapter
Rhino - ST10
Spotty - ST20
Mojo - ST30
Taigan - ST Portable

I was able to add WIFI settings through telnet or ssh.
type "network wi-fi profiles add $SSID$ wpa_or_wpa2 $PASSWORD$"
and it connected. Leave it on wpa_or_wpa2. Unless you have no security, put "none" or if you have wep put "wep". Thise are the only options.

Here is how I got mine to work. I left the flash drive with the remote_services file plugged in. This isn't necessary but I want to be able to quickly ssh if it gets disconnected from power. Every time it gets unplugged, mine goes back to the update 0% screen. I plugged it into a battery backup also.
I connected via telnet (ssh wont work for this) and typed "demo mode enter"
This makes the buttons work (on update screen, only long pressing AUX for a reset works)
Since the device is on the network, you can then find it int he soundtouch app. I recommend hosting the stream using a different spekaer then adding the messed up one. All of my presets synced and the speaker works normally.

its not a perfect fix but I have restored all functionality.

Dalton said...

Service manuals
ST20
https://manualzz.com/download/6441622
ST10
https://images-eu.ssl-images-amazon.com/images/I/D1WMdRovblS.pdf
ST30
https://elektrotanya.com/bose_soundtouch_30_series_i_ii.pdf/download.html

These describe using TeraTerm to connect to a serial interface and sending TAP commands that way. Lot of ways to skin a cat on this one.

There were two names left. Lovejoy and Burns. Perhaps one is the SL-4 amp? Or the SL-5?

In SSH, I was able to use the command "cd /" to go to the root folder, then "ls -a" to see whats in there. I used the cp command to copy all their precious proprietary files to the flash drive. I was also able to use WinSCP to do this. WinSCP was faster. As long as the remote_services flash drive is plugged in, you can copy info off the devise easily.

Dalton said...

Lisa, Lovejoy, and Burns are all Simpsons characters. I'm guessing Lovejoy is the Bose Wave pedestal, and Burns is the SL series amps.

Dalton said...


... --- ..- -. -.. - --- ..- -.-. ....

____ ____ _____ _________
/ __ )/ __ \/ ___// _______/
/ __ / / / /\__ \/ __/
____/ /_/ / /_/ /___/ / /___
/_________/\____//____/_____/


spotty login: root
eth0 Link encap:Ethernet HWaddr 00:0C:8A:8D:4F:AF
inet addr:10.0.0.35 Bcast:0.0.0.0 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
usb0 Link encap:Ethernet HWaddr DA:3A:3B:8C:F5:48
inet addr:203.0.113.1 Bcast:0.0.0.0 Mask:255.255.255.252

Sun Jul 24 18:45:59 CDT 2022

Device name: "SoundTouch 20"
Country US, Region (not set)
Module type: scm
root@spotty:~# help
GNU bash, version 3.2.51(1)-release (arm-unknown-linux-gnueabi)
These shell commands are defined internally. Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

JOB_SPEC [&] (( expression ))
. filename [arguments] :
[ arg... ] [[ expression ]]
alias [-p] [name[=value] ... ] bg [job_spec ...]
bind [-lpvsPVS] [-m keymap] [-f fi break [n]
builtin [shell-builtin [arg ...]] caller [EXPR]
case WORD in [PATTERN [| PATTERN]. cd [-L|-P] [dir]
command [-pVv] command [arg ...] compgen [-abcdefgjksuv] [-o option
complete [-abcdefgjksuv] [-pr] [-o continue [n]
declare [-afFirtx] [-p] [name[=val dirs [-clpv] [+N] [-N]
disown [-h] [-ar] [jobspec ...] echo [-neE] [arg ...]
enable [-pnds] [-a] [-f filename] eval [arg ...]
exec [-cl] [-a name] file [redirec exit [n]
export [-nf] [name[=value] ...] or false
fc [-e ename] [-nlr] [first] [last fg [job_spec]
for NAME [in WORDS ... ;] do COMMA for (( exp1; exp2; exp3 )); do COM
function NAME { COMMANDS ; } or NA getopts optstring name [arg]
hash [-lr] [-p pathname] [-dt] [na help [-s] [pattern ...]
history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif
jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si
let arg [arg ...] local name[=value] ...
logout popd [+N | -N] [-n]
printf [-v var] format [arguments] pushd [dir | +N | -N] [-n]
pwd [-LP] read [-ers] [-u fd] [-t timeout] [
readonly [-af] [name[=value] ...] return [n]
select NAME [in WORDS ... ;] do CO set [--abefhkmnptuvxBCHP] [-o opti
shift [n] shopt [-pqsu] [-o long-option] opt
source filename [arguments] suspend [-f]
test [expr] time [-p] PIPELINE
times trap [-lp] [arg signal_spec ...]
true type [-afptP] name [name ...]
typeset [-afFirtx] [-p] name[=valu ulimit [-SHacdfilmnpqstuvx] [limit
umask [-p] [-S] [mode] unalias [-a] name [name ...]
unset [-f] [-v] [name ...] until COMMANDS; do COMMANDS; done
variables - Some variable names an wait [n]
while COMMANDS; do COMMANDS; done { COMMANDS ; }
root@spotty:~#


Figured it out. Telnet on Port 23 and type "root" for the user and just hit enter, no password. Now "HELP" isn't blocked. Lot more access this way.

Anonymous said...

FWIW, i was running an old firmware, and the udev script doesn't enable `remote_services` automagically.

> Version 9.0.41.23338.1383271 epdbuild.trunk.hepdswbld04.2015-08-19T15:31:01

So instead, I simply updated my Bose Soundtouch 10 to latest version:
> Version 13.0.9.29919.1889959 epdbuild.trunk.cepeswbld01.2016-08-05T12:19:13

Used a USB-OTG cable, created the file `remote_services` on usb drive formatted with an EXT2 filesystem, and it worked!

Mark Ethan said...

I resume this pretty old thread, I've recently bought for a penny a Soundtouch 30 first generation stuck in "installing update 0%" state. Tanks to Dalton and others, I gained access to Telnet and SSH as root and managed to make it work at 100% functionality, but when plugged off it reverts to "installing update 0%" state.
In /opt/Bose/, together with configuration xml files, I found the files "SoftwareUpdate" and "SoftwareUpdateInstaller", I think they're the scripts invoked during boot to search and install the updates.
So, to unlock the update problem with my Soundtouch 30, I was thinking to rename them and, alternatively, do nothing else, or create two empty files with the same name or two basic scripts that make something neutral. My fear is to interrupt the boot process doing so, ending up locked out fron the system if the network drivers and the remote_services files are not started/mounted, without the possibility of restoring the original files (and make the speaker work, even with the known problem).
Anyone has tried to do something similiar? Or is it completely nonsense, in your opinion? Thanks to all

Calire said...

Hi, I have a first or second generation Soundtouch 20 WiFi, and I can't seem to be able to update it, it gets stuck at 0% as some have mentioned.
I've read the blog carefully and I managed to connect through telnet on port 17000, but most of the commands mentioned don't work and I can't connect to port 23. Version is 26.0.1.
I would like to know how to update my Soundtouch to the latest version and get it working again, and I would be extremely grateful if anyone could help me. Thanks in advance.

Mark Ethan said...

@ Calire: if you can connect through telnet to port 17000 (i guess you have attached a FAT32 formatted usb drive with an empty "remote_services" file before turning on the system) try the command "demo enter" (not "demo mode enter" as suggested above, that doesn't work with my Soundtouch). That should unlock the system and make it configurable and usable, until it's plugged to the electric socket. I also give "sys timeout inactivity disable" and disable system standby in the Suoundtouch App. It often requires the commands to be sent at least twice before accepting them.
You'll need an ethernet connection, al least the first time, but you can set up a wifi connection then.
Once unplugged, you have to redo the procedure (or use an UPS to prevent).
If you desire to have your usb drive back for more interesting things than leaving it plugged to the Soundtouch, once logged as root through ssh, as suggested by an Anonymous before, give: "touch /mnt/nv/remote_services" (and "/etc/init.d/sshd start", if needed), then you'll no longer need usb dreive plugged in to access telnet and ssh as root (and persists through power cycles). Hope this helps, good luck.

Calire said...

Hello Mark, thank you very much for your help. I followed the steps you indicated and let me configure the speaker in the app soundtouch but not completely because when you want to install the update gives me an error "1029" and then an error "1046". The latter seems to indicate that the remote server is not working or it can't be reached. The app lets me play music through AUX, at least that's something.
Just to confirm, when I enter through Telnet "demo enter" at least twice what happens is that the WIFI icon lights up in white on the speaker but the update bar is still at 0%, is that also what happened to you or would have to jump another type of "screen"?
Thank you very much for your help

Mark Ethan said...

@ Calire: yes, mine too. And no way to install the update, unfortunately, neither with the command "swupdate abort". But I was successful in (temporarily) unlocking all the functions, at least until the system is plugged to the socket. Try to connect it to your router with an ethernet cable and access it throug your web browser at the ip assigned by the router itself (find it on the router's connected devices page or use an app on your phone, like Fing, to find its ip), you'll find a webpage to configure the wifi access and modify the device name, if you wish (and update, too, but impossible even in this way, for mine). The wifi configuration should persist on power cycles, even if can be necessary connect the ethernet cable the first time it's re-plugged to the socket to make the wifi power on (don't ask me why).
Once online, use the Soudtouch app to connect and try saving some presets on the buttons and check if they work. If not, try the same but connecting with the usb-A to micro-usb cable.
I suggest to disable the system standby option from Soundtouch app, too.
If nothing works and/or you prefer restarting from scratch, through telnet give the command "sys factorydefault" to reset its configuration. And no, neither this command does resolve the damn update issue (on mine).
If you're lucky and have a responding system back, write down a working reconfiguration routine to keep in touch for future use (and consider connecting the system to an UPS).
Good luck again and let me know if you'll ever find a definitive solution to our common problem.

Calire said...

Thanks again Mark. I don't know exactly if you got to the point I'm going to make, but it might be useful to others as well. Once you have done the process we have been discussing: "Through Telnet run the commands "demo enter" and "sys timeout inactivity disable" both at least twice you get the soundtouch app to recognise the device and you can configure it to a certain extent, but the "update" screen is not removed. Once you have reached this point and without disconnecting the speaker from the mains, if you press the "off/on" button on the bose speaker and then press it again, the system starts up "normally" and lets you use more functions of the app such as streaming radio. Unfortunately it does not let you update the system and once disconnected it returns to the update screen.

I have also tried to access through SSH using Putty to be able to use my usb for other things, but it doesn't let me access, I don't know if I'm doing something wrong, it says "Connection refused". I use the IP and port "115200". I don't know if you could explain me how you connected. Thank you very much in advance.

Mark Ethan said...

Hi Calire, understood, I'm in the same situation then, and I'm using it as is.
About ssh, I connect to the device ip using a cmd prompt on Win10 with "ssh root@xxx.xxx.xxx.xxx", nothing special.
I haven't further suggestions than checking your AV/firewall, at the moment.

lmore377 said...

@Claire and @Mark Have you guys tried updating with a USB drive? This method shouldn't fail as it should completely replace the OS. You just need to copy a file to a flash drive, hold some buttons while plugging it in and it just starts the update.

SoundTouch 20: https://support.bose.com/s/display-articles?language=en_US&productId=01t8c00000OydOPAAZ&articleId=ka08c000001brR2AAI

SoundTouch 30: https://support.bose.com/s/display-articles?language=en_US&productId=01t8c00000OydOSAAZ&articleId=ka08c000001brR2AAI

Just go to the "Updating the system using a USB drive" section.

Mark Ethan said...

@lmore: thanks for the suggestion, but tried many times with no success. I used a usb drive with activity led, to be sure it was read during the operation, and it was, but nope.
I precise that my Soundtouch seems to already have the latest firmware available installed (probabily it processed the update until a certain point, before bricking), so this could be a problem, too, as it doesn't find a different version in the Update.stu file. Maybe modifying the latter could be a path to try, but it's beyond my skills.

Calire said...

Hi Imore, thanks for the suggestion but I have the same problem as Mark said. I even tried formatting the speaker with the command "sys factorydefault" and then downloading an earlier version than the current one, version 26.0.1 which you can find on reddit, but there is no way to get the installation past 0% either via usb or the other ways.

Calire said...

Ok, thank you.

David said...

Has anyone managed to get into, for example, the Bose Wireless Adapter Link? Also it has a micro-usb (setup) port. I have a feeling I would need their special adapter that requires an audio-out connection.

Anonymous said...

I got the bricked ST20-II from my brother and got it working again.

@Flarn2006 - first of all thanks to you for having the possibility to access via ssh. That's essential.

I did investigation in the filesystem. At start the ST calls a script 'SoundTouch'. That calls 'sheperd' which itself is then starting all necessary deamons (=programs/services: WebServer, BoseApp, NetManager, ...) and also the problematic 'SoftwareUpdate' service. That 'SoundTouch' has parameters:

root@spotty:~# /etc/init.d/SoundTouch --help
usage: /etc/init.d/SoundTouch start [args...]
or: /etc/init.d/SoundTouch stop
or: /etc/init.d/SoundTouch restart
or: /etc/init.d/SoundTouch status
or: /etc/init.d/SoundTouch stop-noncore
or: /etc/init.d/SoundTouch start-noncore

I tried 'restart':

root@spotty:/# /etc/init.d/SoundTouch restart

Voila! The display unit is working again.

In the ssh output one can see the problem:

...
shepherdd: SoftwareUpdate is gone - Segmentation fault

So there seems to be a programming issue in the SoftwareUpdate binary (program) which let it crash. That blocks the display unit at start.

The 'restart' isn't a final solution because power off and problem exists again. So idea was to not more let start 'sheperd' the 'SoftwareUpdate' program. What it starts it gets from a config file (output shortened):

root@spotty:~# cat /opt/Bose/etc/Shepherd-spotty.xml


...

-c/opt/Bose/etc/BoseApp-spotty.xml

...

...


Next problem. That file is located in a read only filesystem (as usually in such devices). So it can't be modified. Fortunately I found a line of code in 'SoundTouch' where the programmer built in a back door for testing. It looks for the existence of the folder '/mnt/nv/shepherd' and takes the config from there when it exists. That folder is writable. So:

root@spotty:~# mkdir /mnt/nv/shepherd
root@spotty:~# cp -a /opt/Bose/etc/Shepherd-spotty.xml /mnt/nv/shepherd
root@spotty:~# cp -a /opt/Bose/etc/Shepherd-noncore.xml /mnt/nv/shepherd

Now one can do the commenting. The existing command line editors 'vi' and 'ed' are for linux freaks and really difficult to control. I did that with the functionality embedded in my preferred (ssh) tool 'MobaXTerm'
(https://mobaxterm.mobatek.net/download-home-edition.html)
There one can navigate on the left window column and double click the file for editing. In XML commenting a block is done in that way:



Next problem. After removing power cord and reconnecting - old situation. The comments did not more exist. Reason is that also this part has to be written back (in a complicated way) to a flash memory which does not have a filesystem. After further investigation I read that some embedded linux systems does that rewriting of changes delayed at shutdown automatically. So giving that a chance:

root@spotty:~# reboot

and keeping fingers crossed. It was successful...
Addi-DD-GER

Anonymous said...

There are issues with special characters when posting. It corrupted the output of the XML file as well as the essential text how to comment out the 'SoftwareUpdate' in that file. :(
It's done by "" below the 2nd line "recovery="ignore"/>". Hope this post will not be corrupted when publishing.
Addi-DD-GER

Anonymous said...

Again corruption occurred. Half of the sentence and special chars are gone :( :( :( :(
Next try. I did spaces in between each char.
< ! - -
< d a e m o n n a m e = " S o f t w a r e U p d a t e "
r e c o v e r y = " i g n o r e " / >
- - >
Addi-DD-GER

Remy S. said...

Recently I've been trying to fix a Wave SoundTouch Pedestal that's been bricked since i got it :(. the display only shows "installing 0" and occasionally "installing 50". It's an scm lisa unit and i've successfully installed multiple different firmware files, even got the app working with the newer wave soundtouch iv firmware (but alas no audio, plus the sw didn't detect wlan0). if you know enough about your device to choose the right firmware, there's a pretty comprehensive list of them on archive.org (https://archive.org/details/bose-soundtouch-software-and-firmware).

I don't know if you can downgrade every partition of the device successfully, but the bose app version does in fact downgrade with each firmware i've installed.

Idk if this is at all helpful info to anyone but i've been trying non-stop to get this to work :/

p.s. when i connect to the 3.5mm service port on my unit, i don't get access to the linux environment beyond seeing the extended boot process, it only gives me the same prompt as the telnet login :(