Saturday, September 29, 2012

hacking my Pioneer VSX-53 receiver, part I

Well, not hacking.  Just exploring the Pioneer VSX-53.

I added the IP of the receiver to my hosts file as the hostname "vsx" for ease of use.

Nmap with the device in standby:
Nmap scan report for vsx (192.168.1.xx)
Host is up (0.032s latency).
rDNS record for 192.168.1.xx: pioneer
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
23/tcp    open  telnet?
80/tcp    open  http        GoAhead-Webs embedded httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
443/tcp   open  ssl/https?
1024/tcp  open  rtsp        Apple AirTunes rtspd 103.2
| rtsp-methods: 
|_  ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET
1900/tcp  open  tcpwrapped
8080/tcp  open  http-proxy?
|_http-open-proxy: Proxy might be redirecting requests
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
Device type: media device
Running: Bowers & Wilkins embedded, Denon embedded, Marantz embedded
OS details: Audio receiver: Bowers & Wilkins Zeppelin Air, Denon AVR-1912, or Marantz NR1602
Network Distance: 1 hop


Port 80

Port 8080
Port 443
From Firefox (my guess is that Pioneer licenses some tech from Denon):
vsx uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for avr.denon.jp\00
The certificate expired on 2/12/99 7:00 PM. The current time is 9/29/12 11:41 AM.



Port 443 will lead you to the same index file (Download MCACC data).  Interesting that the extension on the default home page is .asp.

HTTP Server response headers
mac:pioneer newuser$ wget --server-response http://vsx/index.asp
--2012-09-30 11:15:03--  http://vsx/index.asp
Resolving vsx... 192.168.1.xx
Connecting to vsx|192.168.1.xx|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Date: Sat Jan  1 00:00:00 2000
  Server: GoAhead-Webs
  Pragma: no-cache
  Cache-Control: no-cache
  Content-type: text/html
Length: unspecified [text/html]


Telnet Port 23
Start the unit by typing "PO" once connected
mac:log newuser$ telnet vsx 23
Trying 192.168.1.xx...
Connected to pioneer.
Escape character is '^]'.
PO
PWR0
LM0701
LM0701
FL0220202020482E4D2E472E20202020
FN26
VTA111111111111111111000000000000
VTA100000111111111110000000000000
GBH08
GCH0010000""
GDH000010000100001
GEH01000"STARTING H.M.G."
GEH02000"Please wait..."
GEH03000""
GEH04000""
GEH05000""
GEH06000""
GEH07000""
GEH08000""
FL02202050434D204449524543542020
FL025354415254494E4720482E4D2E47
GBH08
GCH0110000"Top Menu"
GDH000010000800008
GEH01101"Internet Radio"
GEH02001"Rhapsody"
GEH03001"Sirius"
GEH04001"Pandora"
GEH05001"EyeConnect (MACLTSFRASE)"
GEH06001"Favorites"
GEH07001"Recently Played"
GEH08001"Setup"
FL0392496E7465726E65742052616469
GBH08
GCH0100000"Top Menu"
GDH000010000800008
GEH01101"Internet Radio"
GEH02001"Rhapsody"
GEH03001"Sirius"
GEH04001"Pandora"
GEH05001"EyeConnect (MACLTSFRASE)"
GEH06001"Favorites"
GEH07001"Recently Played"
GEH08001"Setup"
FL03926E7465726E657420526164696F
FL03927465726E657420526164696F20

You can use other commands like "VU" or "VD" for Volume Up (VU) or Volume Down (VD).  The referenced website and PDF show you more.
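As an added example (not from this post and not Pioneer's own code), here is a small Python parser for the response lines the receiver sends back over telnet. It assumes, from reading the captured lines, that an FL line is two hex flag digits followed by 14 front-panel display bytes in hex, and that a GEH line is a two-digit row, three attribute digits and a quoted string; the 0x92 byte seen in the capture is assumed to be a custom panel glyph.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the telnet session captured above.
SAMPLE_LINES = [
    "PWR0",
    "FL0220202020482E4D2E472E20202020",
    "FL02202050434D204449524543542020",
    "FL0392496E7465726E65742052616469",
    'GEH01101"Internet Radio"',
    'GEH08001"Setup"',
]

@dataclass
class Display:
    flags: int   # the two hex digits after "FL"; meaning unknown, kept raw
    text: str    # the 14-character front-panel text

@dataclass
class MenuEntry:
    row: int     # 1..8, the on-screen row of the menu
    attrs: str   # three digits after the row; meaning unknown, kept raw
    text: str

GEH_RE = re.compile(r'^GEH(\d{2})(\d{3})"(.*)"$')

def decode_fl(line: str) -> Display:
    # Assumed layout, read off the captured lines: "FL" + 2 hex flag chars
    # + 14 display bytes as 28 hex chars (482E4D2E472E -> "H.M.G.").
    if not line.startswith("FL") or len(line) != 32:
        raise ValueError(f"not an FL line: {line!r}")
    raw = bytes.fromhex(line[4:])
    # Bytes outside printable ASCII (0x92 in the capture) are assumed to be
    # custom panel glyphs; render them as '?' instead of guessing.
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)
    return Display(int(line[2:4], 16), text)

def decode_geh(line: str) -> MenuEntry:
    m = GEH_RE.match(line)
    if m is None:
        raise ValueError(f"not a GEH line: {line!r}")
    return MenuEntry(int(m.group(1)), m.group(2), m.group(3))

def parse(line: str):
    """Decode one line; other codes (PWR, LM, FN, VTA, GBH, GCH, GDH) give None."""
    if line.startswith("FL"):
        return decode_fl(line)
    if line.startswith("GEH"):
        return decode_geh(line)
    return None
```

Feeding the session log through `parse` line by line turns the scrolling FL hex into readable text and the GEH lines into menu rows, which is handy when comparing what the unit shows on its panel with what it says on the wire.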

The command prompt updates when I connect to an Internet radio station via iTunes:

GBH08
GCH0611010""
GDH000010000100001
GEH01020""
GEH02023"0:00"
GEH03021""
GEH04022""
GEH05000""
GEH06000""
GEH07000""
GEH08000""
GBH08
GCH0601010""
GDH000010000100001
GEH01020"AirPlay"
GEH02023"0:00"
GEH03021"Sucessfully connected to network"
GEH04022""
GEH05000""
GEH06000""
GEH07000""
GEH08000""
GBH08
GCH0201010""
GDH000010000100001
GEH01020"AirPlay"
GEH02023"0:00"
GEH03021"Sucessfully connected to network"
GEH04022""
GEH05000""
GEH06000""
GEH07000""
GEH08000""
GBH08
GCH0201010""
GDH000010000100001
GEH01020"wshu-baroque"
GEH02023"0:00"
GEH03021""
GEH04022""
GEH05000""
GEH06000""
GEH07000""
GEH08000""


Interesting.

Next, I want to put a sniffer on the wire to tell me how much bandwidth the Pio uses.  Eventually, it would be great to overwrite the firmware and install a Linux server to show visualizations through Project-M while audio is running through the box instead of the lame, static Pioneer song title display.

Reference
http://blog.raymondjulin.com/2012/07/15/remote-control-your-pioneer-vsx-receiver-over-telnet/

Feel free to drop me a line or ask me a question.