Hacking the Noxon 90elf [UPDATE]
Today I bought a Noxon 90elf on ebay for the nice price of 60 Euros.
It's a decent WLAN/LAN Internet Radio that is able to play via UPNP or the usual streaming stuff.
It is pretty cheap compared to the Noxon iRadio which looks exactly the same but has 2 differences:
- The first 4 channels are preset to live soccer transmission stations
- There is a startup sound playing when turning on the device ("welcome to the blablabla soccer blabla")
While I haven't received the device yet, as far as I've heard, this can be quite annoying and as a person who doesn't care all that much about soccer, I intend to change that.
My first preliminary findings:
- The firmware of the 90elf and the iRadio are similar across large parts of the binary image
- The device seems to get the startup jingle from the internet:
$ strings TerraTec_NOXON_90elf_Firmware_6921.bcd | grep .mp3 | grep Start
- There are a bunch of strings dealing with the startup process
$ strings TerraTec_NOXON_90elf_Firmware_6921.bcd | grep StartUp
Enable StartUp URL -> System reset needed
/cfg/Application/StartUp
StartUpURLEnabled
Disable StartUp URL -> System reset needed
/cfg/Application/StartUp
StartUpURLEnabled
/cfg/Application/StartUp
StartUpURLEnabled
- Looking at the hex-dump, you can see that the protected presets are predefined in the firmware image:
[Presets
  Enabled 1
  NumberOfEntries 10
  [Entry0 Entry protected 0 ]
  [Entry1 Entry protected 1 ]
  [Entry2 Entry protected 1 ]
  [Entry3 Entry protected 1 ]
  [Entry4 Entry protected 1 ]
  [Entry5 Entry protected 0 ]
  [Entry6 Entry protected 0 ]
  [Entry7 Entry protected 0 ]
  [Entry8 Entry protected 0 ]
  [Entry9 Entry protected 0 ]
]
Initial thoughts:
Things to try:
- some simple firmware patching COULD do the trick.
- At least the startup sound could be blocked by disabling the URL in my router
- The firmware images are really similar, maybe cross-flashing could work. Might have to change some hardware ID in the image though
- Find a JTAG port, this could have an active debug console
-----> UPDATE 1 <------
It arrived and so far, I'm pretty happy with the device. It has a really decent sound for such a small speaker (even a built-in woofer). It also plays the MP3 files on the external harddisc which is attached to my Fritzbox. The Fritzbox acts as a UPNP Media Server in this context. (awesome!)
I wasn't able to flash a modified image.
To flash an image, you boot the box into a bootloader mode that simply connects to the WLAN and waits for an image file (TFTP? Maybe sniffing the traffic would be useful). Trying to upload a modified image file will result in an error message along the lines of "Not a valid bcd file". I'll have to check if it's some JavaScript code that does the verification or if it's transferred over to the box and checked.
What DID work though: simply block gatekeeper.my-noxon.net (217.115.128.138) in my router. Sadly, my Fritzbox hasn't got a real URL filter (or even iptables accessible), so I had to set a new Route:
Network: 217.115.128.138
Subnet: 255.255.255.255
Gateway: 127.0.0.1
This will result in timeouts when accidentally pushing "Favourites" or "90elf" in the menu, but it WILL also stop the jingle from playing. It may even interfere with saving channels.
Next steps:
- trying to find the checksum and alter it (should be a standard MD(4/5)/SHA1/… hash of the image file).
- opening up the Fritzbox using freetz and enabling specific URL redirects / blocking
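As an added example (not code from the original post): one way to test the "standard hash of the image file" guess is to check whether a header or trailer field verifies as a digest of the rest of the image. The field layouts tried, the 64-byte header window, the CRC32 and SHA-256 candidates and the sample image are assumptions; the real .bcd layout is not known from this page.

```python
import hashlib
import zlib

def _algorithms():
    """Digest functions to try; MD4/MD5/SHA1 are the post's guesses, the rest are assumptions."""
    algos = {
        "crc32-be": lambda d: zlib.crc32(d).to_bytes(4, "big"),
        "crc32-le": lambda d: zlib.crc32(d).to_bytes(4, "little"),
    }
    for name in ("md4", "md5", "sha1", "sha256"):
        try:
            hashlib.new(name)  # md4 is unavailable in some OpenSSL builds
        except ValueError:
            continue
        algos[name] = lambda d, n=name: hashlib.new(n, d).digest()
    return algos

def find_embedded_digest(image: bytes, header_window: int = 64):
    """Return (algorithm, field_offset, coverage) for every layout that verifies."""
    hits = []
    for name, digest in _algorithms().items():
        size = len(digest(b""))
        if len(image) <= size:
            continue
        # Layout 1: digest appended as a trailer over everything before it.
        if digest(image[:-size]) == image[-size:]:
            hits.append((name, len(image) - size, "bytes before field"))
        # Layouts 2 and 3: digest field at some offset inside the header.
        for off in range(min(header_window, len(image) - size)):
            field = image[off:off + size]
            if digest(image[off + size:]) == field:
                hits.append((name, off, "bytes after field"))
            zeroed = image[:off] + bytes(size) + image[off + size:]
            if digest(zeroed) == field:
                hits.append((name, off, "whole image, field zeroed"))
    return hits

def constructed_sample() -> bytes:
    """Constructed test image: 4-byte tag, SHA1 of payload, payload. NOT the real .bcd layout."""
    payload = b"StartUpURLEnabled\x00" * 32
    return b"TEST" + hashlib.sha1(payload).digest() + payload

if __name__ == "__main__":
    print(find_embedded_digest(constructed_sample()))
```

An empty result on a real image means none of these layouts applies, for example because the check is a signature, a keyed value, or a non-standard checksum. A hit only shows that the field detects corruption; an unkeyed digest does not prove where the image came from.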
-----> UPDATE 2 <------
Looked at the flashing process. The Wireshark dumps indicate that the firmware is actually transferred to the device and then checked for correctness.
Here's a port scan with the device in "normal" mode:
PORT     STATE SERVICE
80/tcp   open  http
6666/tcp open  irc
8080/tcp open  http-proxy
Port 8080 seems to be used for the child protection stuff (proxy)
In the "ready to flash, awaiting firmware" mode:
PORT   STATE SERVICE
80/tcp open  http
UPDATE 2:
There is a lot more information over at the comments of the mydealz product page and the computerbase boards with a description of how to crossflash the device to the noxon 2 firmware or simply remove the limitations of the 90elf one