Sunday, September 28, 2014

Hacking the Bose Soundtouch, and its Linux-based OS

Did you know that the Bose SoundTouch line of home stereo systems runs on an embedded Linux system, complete with a shell? It does, and I figured out how to access said shell. Keep in mind that I take absolutely no responsibility for any damage you may do, and while if you know what you're doing I don't see how anything could go wrong, I still don't take any responsibility if you do manage to mess something up.

First of all, you're going to need a telnet client. I use PuTTY myself, but if you're on a Mac or Linux, you can just open a terminal and use the telnet command. Now figure out your device's IP address. It will tell you this when you set up your device in the Soundtouch app.

The first step is to telnet to the device on port 17000. You should see a "->" prompt. At this prompt, type "remote_services on" without quotes (you shouldn't include quotes for anything in this tutorial.) The device will respond with "remote services on". At this point you can simply close the connection, but there's also some other interesting stuff you can do here. You can type "help" to get a list of all the commands this prompt supports, or click here to see it on Pastebin.

Anyway, that command you just typed enabled remote shell access to the device. According to the aforementioned help screen, that command is "volatile", which I assume means if you restart the device you'll have to re-enter the command on port 17000 to re-enable shell access.

But from here accessing the shell is simple. Just telnet to the device again, this time on port 23, the default telnet port. You'll see the following screen:

 _______ __           __ __
|     __|  |--.-----.|  |  |--.--.--.
|__     |     |  -__||  |  _  |  |  |
|_______|__|__|_____||__|_____|___  |


Simply type "root" and press Enter. Some information will be printed, and then you'll be greeted with "root@lisa:root#". (I wonder who Lisa is?)

Enjoy your newfound freedom to hack your device!

EDIT: Upon first suspecting the existence of a shell after looking at a firmware update file in a hex editor, I contacted support to ask how to access the shell. Shortly after I figured out this method on my own. But then they emailed me back and said they weren't allowed to tell me because the information was "proprietary in nature." Good thing I'm not bound by the same contractual restrictions as their support personnel!


phillips321 said...

Nice, let's just hope they don't issue a firmware 'update' that sets the root password. Although I guess if they do that you could just diff the firmware image with the previous in order to identify where the changes are. Find the hash and either replace it with a known or crack it. (Make sure you store a copy of the vulnerable firmware as they'll likely remove it)

Mark Smith said...

As pointed out by some Hackaday commenters, aren't they bound by the GPL to present the license and source code of the GPL-based software? Are you sure it's Linux and not some other *nix? If it is indeed GPL, they don't mention it in the user manual, and you might want to pass this on to the FSF.

Flarn2006 said...

@Mark Smith, it is indeed Linux, as there are references to "linux" in filenames, like what I believe is the kernel. A quick look through the PDF manual doesn't show anything about the GPL, but there is at least one copy stored on the unit. Don't know of any accessible through officially-documented means though.

Anonymous said...

Output from 'uname -a' should settle the matter. If you are lucky, cd to /etc and see if there are any *release* files.

Anonymous said...

_______ __ __ __
| __| |--.-----.| | |--.--.--.
|__ | | -__|| | _ | | |
|_______|__|__|_____||__|_____|___ |

login: root
eth0 Link encap:Ethernet HWaddr 00:0C:8A:B3:0C:E9
inet addr: Bcast: Mask:
lo Link encap:Local Loopback
inet addr: Mask:
usb0 Link encap:Ethernet HWaddr 8A:86:27:19:D5:E8
inet addr: Bcast: Mask:
root@spotty:root# uname -a
Linux spotty 3.2.0+ #50 Wed Aug 13 19:20:17 EDT 2014 armv7l GNU/Linux

Anonymous said...

I think the latest update has shut this down - looks like the only command that works at "->" is "help" (which I have to enter twice for some odd reason - the first attempt is not recognised as valid). "remote_services on" is also invalid, so doesn't seem to be the way to enable remote access any more.

Flarn2006 said...

@Anonymous, can you please pastebin the output of the help command on the updated version?

Anonymous said...

I'm not the same Anonymous but I can confirm that my new system does not have the same remote_services command anymore. Here is a pastebin of the new help:

I don't think the other commands are changed. I'm guessing they removed the command from the help and probably just changed it to something else.

The 'sys ver' command yields "BoseApp version: epdbuild.trunk.hepdswbld05.2014-12-11T22:02:14"

Anonymous said...

Could you run 'scm list' through the port 17000 connection and post the resulting process list after turning on remote_services? If something unique shows up, it may be able to be started with 'scm restart '

Flarn2006 said...

Here's the output from "scm list":

Anonymous said...

There was no difference with 'scm list'.

I've been messing with the port 17000 terminal a lot with little success. I haven't been able to find any commands that printf bad input buffers directly, which would be helpful to poke around the memory addresses.

I have a feeling there is a potential buffer overflow. The update package doesn't seem to include this program though (none of the strings are present). Could you (or anyone!) find and upload a copy of the program(s) that run on this port?

It likely is a single program that forks itself or another client program for each connection. If the telnet shell has something like 'ps' or 'top', it should be somewhat easy to determine which program is being spawned after making several connections.

Flarn2006 said...

I just remembered something. Someone told me in an email that there's another way to access the shell. I haven't tested it myself though. Buy this cable (, you can probably find a cheaper one somewhere else) and plug it into your computer and the port on the back of the unit labeled "SERVICE". It'll appear on your computer as a serial port; use the settings 115200 8 N 1 N. Connect to it with a terminal like PuTTY and it should give you the shell prompt. If you try it, let me know if it works so I can post it here!

Anonymous said...

Try local_services on instead

Anonymous said...

You do know that cable won't actually connect to anything on a Bose Soundtouch ? The service port is a micro USB, not a 3.5mm socket ...

Unknown said...

it has active service called "BTLESerial" - is it something related to Bluetooth console probably?

Unknown said...

Been a while on this. But is it possible to hack in the ability to add more Virtually Invisible speakers to the Soundtouch 300? Based on the fact these devices are all controlled by the same apps, the Soundtouch 300 would have the same ability to entry. I'd love to be able to add 2 more Virtually Invisibles seeing how good it sounds with the pair already.

Flarn2006 said...

@Anonymous: On mine it's a 3.5mm socket. If yours is a micro USB, try connecting it to your computer with a standard micro USB cable and see what it shows up as.

Unknown said...

Has anyone had a chance to access the shell after the recent firmware updates? I remember I managed to get access back in 2016, but now there's no such command as remote_services in the shell at port 17000 anymore

jakunar said...


I got the same problem, or maybe even worse.
For me 'help' results in:

Command not found

Some commands, however, still work, e.g.: scm list, key

Anonymous said...

sys timeout inactivity off works with the latest update

Anonymous said...

note you must run it twice:

->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided
->->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided

Anonymous said...

- Connect a USB/serialTTL converter to the 3,5mm "service" plug TX=tip, RX=ring, GND=GND
- Use Putty or similar at 115200 to view the boot process when powering on the soundtouch system.
- See Uboot, kernel and busybox until login prompt.
- Login as root, no password, you get: root@lisa:~#
- root@lisa:~# touch /mnt/nv/remote_services
- root@lisa:~# /etc/init.d/sshd start

You are finished now with the serial interface and can login with ssh root@ipaddress.
This persists on power cycles.
To disable sshd you have to delete the file /mnt/nv/remote_services.

A USB-Stick is mounted automatically onto /media/sda1.
/dev/sda1 on /media/sda1 type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

So you can store your mp3s on the stick and the system will see it.

This is where I need help. Can somebody build a kind of microdlna server that we run on the system (maybe from stick), that reads the mp3-files and stream it via the net. From there we could play it with the system as a dlna client.

Bose refused to give me links to the open source used under GPL.
Some insights:
root@lisa:~# uname -a
Linux lisa 3.14.43+ #2 Fri Jun 23 20:38:40 EDT 2017 armv7l GNU/Linux

root@lisa:~# busybox
BusyBox v1.19.4 (2017-04-14 14:30:45 EDT) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.

Anonymous said...

I see all these usb parts are easily bought off ebay :) Guess what I just ordered.
I'll come back if all goes well with the instructions Anonymous gave.

Anonymous said...

I'm having a problem buying the correct parts for this to work.

The poster on Friday, September 08, 2017 2:46:00 PM

Can you give some pointers as I've bought
An OTG USB converter to get it to fit the Service port on the BOSE

I've bought 2 different cables
PL2303TA USB TTL to RS232 Converter Serial Cable
USB to COM Cable UART PL2303HX

I have bought multiple different USB To RS232TTL but still have no activity.
CP2104 USB to TTL UART 6pin
STC RS232 CH340G
Pl2303 CP2102 USB To RS232TTL CH340G
PL2303 USB To RS232 TTL Converter Adapter Module with PL2303HX
USB To RS232 TTL Auto Converter

Any help in the right direction would be great.

Thought this would be something easy to do but clearly not :(

Anonymous said...

It is really easy.
I use this converter:
Solder Tx to Tip, Rx to Ring and GND to GND on a 3,5mm plug.

Plug the 3,5mm jack into the soundsystem.
Plug the USB plug into the PC.

Samuel Checa said...

Here I leave the service manual where you can find some interesting things about the service cable among others:

Anonymous said...

# Excerpt: when the marker file exists, flag it in /tmp and start both daemons
if [ -e "$mnt/remote_services" ]; then
    touch /tmp/remote_services
    /etc/init.d/sshd start
    /etc/init.d/telnetd start
fi

Hope that helps...

Unknown said...

There is this infamous AUX delay in all SoundTouch devices which Bose acknowledges but cites as high quality audio processing as the culprit. I am not satisfied with this answer. Can someone figure out how to remove this delay because it obviously has to be software based cos all SoundTouch devices have the same delay length. And also a way to set the EQ would be nice. I paid 1000$ for the SA-5 amp and all I get is Bass Reduction and 100ms (roughly) audio from AUX input.

Mark Kaplan said...

This post worked perfectly over telnet.

Anonymous said...
note you must run it twice:

->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided
->->sys timeout inactivity off
Command not found
->sys timeout inactivity off
Inactivity timer is overrided

U-LEE said...


Can anybody please provide an update.stu file from 2014
for Soundtouch Series II ?
I would like to do some tests, after I managed to bring
some of them back to life

Would be very happy to get such a bin file !


ggibby said...

On my SA-4 all I wanted was to disable auto power off/standby.

Connecting to the micro USB Setup port with a regular 'phone cable worked for me.

PuTTY telnet to
port 17000

--> sys timeout inactivity disable

Might require entering the command twice.

No more speaker 'pop' when I activate! Damn that has always been annoying.

Source hint:

Chris said...

I could log in to spotty after putting a usb with an empty file remote_services in it, might also work with local_services. I had a look into the various files (scripts and xml) but concerning the relevant firmware (PTSServer and BoseApp) there is little information. I would like to add a fast-forward function to be implemented with the websockets but this seems impossible without having the source files to re-compile it.

lmore377 said...

Turns out this speaker probably has the same SoC as the beaglebone black. In /boot, one of the dtb files is named am335x-boneblack.dtb which is the same name the beaglebone uses and this patch was made by someone at bose and they mention the beaglebone

Also like Chris said, putting a file named remote_services on a flash drive and plugging it in enables ssh and telnet with root and no password

About the serial console, it's on the aux in port but it looks like it doesn't use a standard trs connector. In the service manual, it looks like a trrs connector with an extra ring around the sleeve and it looks like the pinout would be like this:

Tip: Left Audio
Ring: Right Audio
Ring: Ground
Sleeve: Serial RX
Extra Ring: Serial TX

I'm going to open up my speaker tomorrow to see if I can get a part number off the aux jack because the service manual has one but searching it doesn't bring any results. If anybody wants to take a look at the part number, I'm looking at the Soundtouch 20 Series I & II manual and the reference designator is J603.

I feel like with enough work this speaker can run openwrt (routers aren't the only thing it's good for!)
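
Added example, not part of the original post or comments and not Bose code: a POSIX shell function an owner can run over SSH on the device, or point at an unpacked copy of its filesystem, to see which of the remote-access switches described in this thread are in effect. The marker paths, the passwordless root login and the ports come from the thread; the function name, the output labels and the /media/sda1 location of the USB marker are assumptions.

```sh
#!/bin/sh
# Added example (not Bose code): report which remote-access switches described
# in this thread are active under ROOT. ROOT defaults to / for use on the
# device; pass a mounted or unpacked copy of the filesystem to inspect offline.
# Usage: audit_remote_access [ROOT]

# Marker files named in the comments; the USB path assumes the stick is
# mounted at /media/sda1, as one commenter reported.
MARKERS="mnt/nv/remote_services tmp/remote_services media/sda1/remote_services"

# Prints one finding per line. Returns 1 if anything was found, else 0.
audit_remote_access() {
    root=${1:-/}
    root=${root%/}
    found=0

    for m in $MARKERS; do
        if [ -e "$root/$m" ]; then
            echo "MARKER /$m"
            found=1
        fi
    done

    # An empty second field for root means login without a password. Only the
    # first readable database is checked: shadow takes precedence over passwd.
    for db in etc/shadow etc/passwd; do
        [ -r "$root/$db" ] || continue
        while IFS=: read -r user hash rest || [ -n "$user" ]; do
            if [ "$user" = root ] && [ -z "$hash" ]; then
                echo "EMPTY_PASSWORD root /$db"
                found=1
            fi
        done < "$root/$db"
        break
    done

    # Listening TCP sockets (state 0A) on the ports this thread uses:
    # 0x0016 = 22 (ssh), 0x0017 = 23 (telnet), 0x4268 = 17000 (diagnostic prompt).
    for tbl in proc/net/tcp proc/net/tcp6; do
        [ -r "$root/$tbl" ] || continue
        while read -r sl laddr raddr state rest; do
            [ "$state" = 0A ] || continue
            case ${laddr##*:} in
                0016) echo "LISTEN 22 ssh"; found=1 ;;
                0017) echo "LISTEN 23 telnet"; found=1 ;;
                4268) echo "LISTEN 17000 diagnostic"; found=1 ;;
            esac
        done < "$root/$tbl"
    done

    return $found
}
```

A MARKER line for /mnt/nv/remote_services is the one that survives power cycles; per the comments, deleting that file is what turns sshd back off.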

Anonymous said...

I managed to log in to spotty as Chris described, but since the root fs is mounted as ro I can't change files like the telemetry scripts and some other changes I'd like to try. Does someone have an idea how to change the mount options, or how to change the UBI fs in the Update.stu file?

nitegate said...

I've found this thread because my Amplifier SA-4 is stuck in an update loop. It hasn't been used for some time and the SoundTouch App wanted me to update the device.
Now the device boots up and blinks white. I can find the device in the bose app, but it says the device is updating. I can connect over Soundtouch API but I get

I'm able to connect on the 17000 port and see the "->" prompt but none of the above commands show any reaction. Not even the "help" command.
I've seen in the bose forum that somebody mentioned that a too big jump in firmware version might cause such a problem.
Does anyone by any chance have an older firmware version for the SA-4 I could try? I'm on 26.0.1.
Thanks in advance.

pcbeard said...

Logging on using ssh (enabled via empty remote_services on USB stick), I noticed there's a .profile in /home/root, which contains references to the path:


This seems to contain all the configuration for the speaker as .xml files. For example, my speaker's time zone settings are in ClockDisplay.xml.

This directory is also writable from the root account.

Dalton said...

My soundtouch 20 is bricked by an update. Stays frozen at Installing Update 0%.
I did succeed at getting it to play again with all your help, thanks fellow posters!
Note that I am a regular user, a script kiddie, so don't be too intimidated by the Bose stuff. they have just ripped off Linux 3.4 kernel.

Insights from messing with this all weekend:
The poster who mentioned putting a blank file called remote_services on a flash drive is probably a Bose engineer or a genius. My device has a usb port. Having the flash drive connected acts like a key that unlocks telnet and ssh. I connected it to Ethernet and found it on my router table. On my network, I just open command prompt and type "ssh root@" and I'm in. For telnet, you have to type "telnet 17000" for port 17000. Telnet is usually on port 23. if you connect to port 23, you get a BOSE ASCII artwork and are asked for username and password. I could not get past this. If anyone can help me crack it please comment.

OP asked "Who is Lisa?" It's a codename for the Soundtouch Adapter.
There are different settings for the larger speakers. So it loads you into an environment based on the hardware present.
Lisa - Soundtouch Adapter
Rhino - ST10
Spotty - ST20
Mojo - ST30
Taigan - ST Portable

I was able to add WIFI settings through telnet or ssh.
type "network wi-fi profiles add $SSID$ wpa_or_wpa2 $PASSWORD$"
and it connected. Leave it on wpa_or_wpa2. Unless you have no security, put "none" or if you have wep put "wep". These are the only options.

Here is how I got mine to work. I left the flash drive with the remote_services file plugged in. This isn't necessary but I want to be able to quickly ssh if it gets disconnected from power. Every time it gets unplugged, mine goes back to the update 0% screen. I plugged it into a battery backup also.
I connected via telnet (ssh won't work for this) and typed "demo mode enter"
This makes the buttons work (on update screen, only long pressing AUX for a reset works)
Since the device is on the network, you can then find it in the soundtouch app. I recommend hosting the stream using a different speaker then adding the messed up one. All of my presets synced and the speaker works normally.

It's not a perfect fix but I have restored all functionality.

Dalton said...

Service manuals

These describe using TeraTerm to connect to a serial interface and sending TAP commands that way. Lot of ways to skin a cat on this one.

There were two names left. Lovejoy and Burns. Perhaps one is the SL-4 amp? Or the SL-5?

In SSH, I was able to use the command "cd /" to go to the root folder, then "ls -a" to see what's in there. I used the cp command to copy all their precious proprietary files to the flash drive. I was also able to use WinSCP to do this. WinSCP was faster. As long as the remote_services flash drive is plugged in, you can copy info off the device easily.

Dalton said...

Lisa, Lovejoy, and Burns are all Simpsons characters. I'm guessing Lovejoy is the Bose Wave pedestal, and Burns is the SL series amps.

Dalton said...

... --- ..- -. -.. - --- ..- -.-. ....

____ ____ _____ _________
/ __ )/ __ \/ ___// _______/
/ __ / / / /\__ \/ __/
____/ /_/ / /_/ /___/ / /___

spotty login: root
eth0 Link encap:Ethernet HWaddr 00:0C:8A:8D:4F:AF
inet addr: Bcast: Mask:
lo Link encap:Local Loopback
inet addr: Mask:
usb0 Link encap:Ethernet HWaddr DA:3A:3B:8C:F5:48
inet addr: Bcast: Mask:

Sun Jul 24 18:45:59 CDT 2022

Device name: "SoundTouch 20"
Country US, Region (not set)
Module type: scm
root@spotty:~# help
GNU bash, version 3.2.51(1)-release (arm-unknown-linux-gnueabi)
These shell commands are defined internally. Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

JOB_SPEC [&] (( expression ))
. filename [arguments] :
[ arg... ] [[ expression ]]
alias [-p] [name[=value] ... ] bg [job_spec ...]
bind [-lpvsPVS] [-m keymap] [-f fi break [n]
builtin [shell-builtin [arg ...]] caller [EXPR]
case WORD in [PATTERN [| PATTERN]. cd [-L|-P] [dir]
command [-pVv] command [arg ...] compgen [-abcdefgjksuv] [-o option
complete [-abcdefgjksuv] [-pr] [-o continue [n]
declare [-afFirtx] [-p] [name[=val dirs [-clpv] [+N] [-N]
disown [-h] [-ar] [jobspec ...] echo [-neE] [arg ...]
enable [-pnds] [-a] [-f filename] eval [arg ...]
exec [-cl] [-a name] file [redirec exit [n]
export [-nf] [name[=value] ...] or false
fc [-e ename] [-nlr] [first] [last fg [job_spec]
for NAME [in WORDS ... ;] do COMMA for (( exp1; exp2; exp3 )); do COM
function NAME { COMMANDS ; } or NA getopts optstring name [arg]
hash [-lr] [-p pathname] [-dt] [na help [-s] [pattern ...]
history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif
jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si
let arg [arg ...] local name[=value] ...
logout popd [+N | -N] [-n]
printf [-v var] format [arguments] pushd [dir | +N | -N] [-n]
pwd [-LP] read [-ers] [-u fd] [-t timeout] [
readonly [-af] [name[=value] ...] return [n]
select NAME [in WORDS ... ;] do CO set [--abefhkmnptuvxBCHP] [-o opti
shift [n] shopt [-pqsu] [-o long-option] opt
source filename [arguments] suspend [-f]
test [expr] time [-p] PIPELINE
times trap [-lp] [arg signal_spec ...]
true type [-afptP] name [name ...]
typeset [-afFirtx] [-p] name[=valu ulimit [-SHacdfilmnpqstuvx] [limit
umask [-p] [-S] [mode] unalias [-a] name [name ...]
unset [-f] [-v] [name ...] until COMMANDS; do COMMANDS; done
variables - Some variable names an wait [n]
while COMMANDS; do COMMANDS; done { COMMANDS ; }

Figured it out. Telnet on Port 23 and type "root" for the user and just hit enter, no password. Now "HELP" isn't blocked. Lot more access this way.

Anonymous said...

FWIW, I was running an old firmware, and the udev script doesn't enable `remote_services` automagically.

> Version epdbuild.trunk.hepdswbld04.2015-08-19T15:31:01

So instead, I simply updated my Bose Soundtouch 10 to latest version:
> Version epdbuild.trunk.cepeswbld01.2016-08-05T12:19:13

Used a USB-OTG cable, created the file `remote_services` on usb drive formatted with an EXT2 filesystem, and it worked!