Pioneer: Difference between revisions

From Lundman Wiki
No edit summary
 
No edit summary
 
Line 1: Line 1:
<google uid="C01">Unix</google>
== Pioneer ==
[[FXP.One]] - FXP.One project, engine daemon, clients, protocol API etc.


[[UFxp]] - Ultimate++ GUI client for the FXP.One engine
My old amp (home cinema audio system) died, so this gave me a chance to buy a new set.


[[LiON]] Lundman's Input Output Library.
I bought the Pioneer MCS-434 - mainly as it was in the rough price bracket I was willing to
pay for. (Ie, not too much).


[[L4IP]] Software load-balancer, health-check daemon for IP Filter.
I don't care that it has a bluray player in it (but had no models without in the store) but
that it could do UPNP Media devices was a nice surprise.


[[LundFTPD]] The famous single process FTP daemon.
I found it working rather well with llink. Some minor troubles.


[[SSL-lbnc]] FTP bnc/relay program with SSL.
* trickplay, ie, fast-forward and chapter skip did not work. llink was not sending the full DLNA flags required.
* ObjID has a maximum length of 64 chars. Even though the spec has no limit, clearly the Pioneer does. Use shorter paths.
* Refreshing (adding, or removing contents from a directory) does not work right.  


[[llink]] Media Streamer for Media Players. SSDP/UPNP/HTTP
The last issue is the only one I was unable to fix. The Pioneer subscribes to events in UPNP to be notified when
ContainerID has been updated. llink informs it of that, and the Pioneer re-issues a listing, as you would expect.


[[rbl-add-ip]] Perl program to modify BDBHPT driver for DLZ+named.
But what it asks for in the listing is only 1 item. Ie, '''StartingIndex=1, RequestedCount=1'''. And no sorting.
After that, it just stops. It is confusing as to what it expects to get here. I have sent a whole new record,
as well as updated timestamps etc. But it also fails to refresh against Windows Media Center, so I think it
is just plain broken.  


[[DLZUtil]] Perl script to run a generic DLZ BDBHPT (not customised for RBL)
I have attempted to contact Pioneer, and the developer of '''IPI/1.0 UPnP/1.0 DLNADOC/1.50''' but I have had no replies.


[[TeraStation]] My own programs and hacks for the Buffalo TeraStation RAID NAS.
So, attempting to gain access myself.


[[LimHD200i]] My attempts to improve things on Tomacros HD player.


[[NetworkedMediaTank]] My attempts to improve things on Syabas' Networked Media Tank (popcornhour etc)
=== Firmware ===


[[Dune HD Center]] My attempts to improve things on HDI's media player, Dune HD Center / Dune BD Prime
The first file of the firmware is quite straight forward:


[[librarchy]] Interposing libc calls to add direct streaming from RAR archives.
# binwalk MCS838_V00.38.bin
 
[[ZFS_RAID|ZFS RAID]] Home build ZFS RAID running Open Solaris.
DECIMAL        HEX            DESCRIPTION
 
-------------------------------------------------------------------------------------------------------
[[Random]] Useful trivia
66580          0x10414        Mediatek bootloader
 
119052          0x1D10C        Mediatek bootloader
[[mediainfo-rar]] Wrote a little front-end to MediaInfo to handle content in RAR archives, and ISO files
425000          0x67C28        U-Boot boot loader reference{
 
521792          0x7F640        uImage header, header size: 64 bytes, header CRC: 0xAC601819, created: Mon Oct  7 01:20:36 2013, image size: 1815444 bytes, Data Address: 0x3A00000, Entry Point: 0x3A00000, data CRC: 0xAD70A84B, OS: Linux,  CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
[[android]] Section for Android apps and games
539189          0x83A35        gzip compressed data, maximum compression, from Unix, last modified: Mon Oct  7 01:17:17 2013{file-epoch:1381076237}
 
[[libdvdread.plus]] libdvdread plus version, with UDF2.50, bluray and RAR support.
4265104        0x411490        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 65376434 bytes, {file-size:65376434} 1189 inodes, blocksize: 65536 bytes, created: Mon Oct  7 01:46:24 2013 {
 
69772432        0x428A490      PNG image, 1920 x 1080, 8-bit/color RGB, non-interlaced
[[MeLe A2000]] All Winner A10 device
69810320        0x4293890      PNG image, 720 x 480, 8-bit/color RGB, non-interlaced
 
69834368        0x4299680      U-Boot boot loader reference{
[[Hikari TV]] ひかりTV
 
[[Tsutaya TV]]


[[Pioneer]]
Unpacking the squashfs, the bulk of the GUI code appears to be in;


-rwxr-xr-x  1 lundman  admin  20197340 Oct  7 01:45 usr/local/bin/bdpprog


[[Game_PC|Gamer PC]] Built a mini-itx game PC
and it would appear that it has some sort of secret code, based on;


[[Tokyo_Trips|Tokyo]] Places to go in and around Tokyo.
g_onekey_secret_input
g_onekey_load_secret_input
g_onekey_sysinfo_secret_input
open_telnet
telnetd invoked ok
telnetd invoked failed


[[Amiga!_DS_Users]] For sharing Friend Codes.
But IDA has not revealed anything that works. My best guess was


[[Personal]] Area for personal stuff, not interesting to anyone.
g_onekey_load_secret_input DCD 0x20103


[[TWoTH]] The Way of the Hubba. Last game I worked on for the Amiga 1200.  ~1994
Ie, 0 2 1 3, at the place where it prints the mcu and dsp versions. But that alone does not appear to work. Also checks for 0x03010200


<paypal></paypal>
I could roll my own firmware file, with telnetd running, and figure out whatever checksums they might have, but not that much time.


[[Donations]] '''Hall of Fame. Seriously appreciated gifts from kind people. Feel free to click on some of the ads too.'''
Preferably, Pioneer fixes the last issue and I don't have to do any of this :)

Latest revision as of 08:23, 6 February 2014

Pioneer

My old amp (home cinema audio system) died, so this gave me a chance to buy a new set.

I bought the Pioneer MCS-434 - mainly as it was in the rough price bracket I was willing to pay for. (Ie, not too much).

I don't care that it has a bluray player in it (but had no models without in the store) but that it could do UPNP Media devices was a nice surprise.

I found it working rather well with llink. Some minor troubles.

  • trickplay, ie, fast-forward and chapter skip did not work. llink was not sending the full DLNA flags required.
  • ObjID has a maximum length of 64 chars. Even though the spec has no limit, clearly the Pioneer does. Use shorter paths.
  • Refreshing (adding, or removing contents from a directory) does not work right.

The last issue is the only one I was unable to fix. The Pioneer subscribes to events in UPNP to be notified when ContainerID has been updated. llink informs it of that, and the Pioneer re-issues a listing, as you would expect.

But what it asks for in the listing is only 1 item. Ie, StartingIndex=1, RequestedCount=1. And no sorting. After that, it just stops. It is confusing as to what it expects to get here. I have sent a whole new record, as well as updated timestamps etc. But it also fails to refresh against Windows Media Center, so I think it is just plain broken.

I have attempted to contact Pioneer, and the developer of IPI/1.0 UPnP/1.0 DLNADOC/1.50 but I have had no replies.

So, attempting to gain access myself.


Firmware

The first file of the firmware is quite straight forward: 

# binwalk MCS838_V00.38.bin 

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
66580           0x10414         Mediatek bootloader
119052          0x1D10C         Mediatek bootloader
425000          0x67C28         U-Boot boot loader reference{
521792          0x7F640         uImage header, header size: 64 bytes, header CRC: 0xAC601819, created: Mon Oct  7 01:20:36 2013, image size: 1815444 bytes, Data Address: 0x3A00000, Entry Point: 0x3A00000, data CRC: 0xAD70A84B, OS: Linux,  CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
539189          0x83A35         gzip compressed data, maximum compression, from Unix, last modified: Mon Oct  7 01:17:17 2013{file-epoch:1381076237}

4265104         0x411490        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 65376434 bytes, {file-size:65376434} 1189 inodes, blocksize: 65536 bytes, created: Mon Oct  7 01:46:24 2013 {
69772432        0x428A490       PNG image, 1920 x 1080, 8-bit/color RGB, non-interlaced
69810320        0x4293890       PNG image, 720 x 480, 8-bit/color RGB, non-interlaced
69834368        0x4299680       U-Boot boot loader reference{

Unpacking the squashfs, the bulk of the GUI code appears to be in; 

-rwxr-xr-x  1 lundman  admin  20197340 Oct  7 01:45 usr/local/bin/bdpprog

and it would appear that it has some sort of secret code, based on; 

g_onekey_secret_input
g_onekey_load_secret_input
g_onekey_sysinfo_secret_input
open_telnet
telnetd invoked ok
telnetd invoked failed

But IDA has not revealed anything that works. My best guess was 

g_onekey_load_secret_input DCD 0x20103

Ie, 0 2 1 3, at the place where it prints the mcu and dsp versions. But that alone does not appear to work. Also checks for 0x03010200

I could roll my own firmware file, with telnetd running, and figure out whatever checksums they might have, but not that much time.

Preferably, Pioneer fixes the last issue and I don't have to do any of this :)

Retrieved from "http://lundman.net/wiki/index.php?title=Pioneer&oldid=4519"