Tmphack
Hacking the HDX-1000 media player.
Firmware analysis
The HDX-1000 minidevice player seems to communicate on port 1441.
The bytes captured are:
host <<=>> minidevice Run 1
======================
>> port 1441 Syn?
<< Syn!
>> 04 "0900" 05 # 04 = new request ? The response seems to be, 01 stuff, 02 stuff, 03 stuff, 04 end
<< 01 "0001" 02 "09000021800000000080000000 " 03 09 # This says "8" and there are 8 records
# possibly read as 09 00002 18 00" as the 18 might be the 17 digits after
>> 10 30 # something
<< 04 # 04 = ok?
>> 04 "0700" 05 # new request ?
<< "0700" 04 # empty?
>> 04 "0600" 05 # ?
<< 01 "0001" 02 "longstringofdata" 03 0d # lots of data
>> 10 30 # something? (clear?)
<< 04 # ok
>> 04 "1901" 05 # request for 1901?
<< 10 30
>> 01 "0002" 02 "1911 " 03 0b # spaces, normal 01,02,03 reply, but what is it
<< 10 31 # 10 31 now
>> 04 # ok
>> 04 "0600" 05 # again, give me 0600 again?
<< "0600" 04 # now it's empty
>> Fin
<< Fin
The long string of data appears to contain:
01 30 3030 31 "0001"
02 # Start of record, total of 8 records this time
3331 "31"
3230 3038 3130 3033 3038 3436 "200810030846" # known
3030 3031 "0001"
3030 3030 3030 3132 3232 "0000001222" # known
3030 3031 "0001"
# Start of next record
3331 "31"
... etc ..
3030 3031 "0001" # end
03 0d
Later on, around noon:
01 "0001" 02
"31" "200810031243" "0003" "0000001148" "8901"
"31" # etc
# Followed by 8 other "0003" and "8901". We have one:
"31" "200810031323" "0004" "0000001139" "0001"
host <<=>> minidevice Run 2
======================
>> 04 "0900" 05
<< 01 "0001" 02 "09000021800000000240000000 " 03 07 # This says 24 and there are 24 records
>> 10 30
<< 04
>> 04 "0700" 05
<< "0700" 04
>> 04 "0600" 05
<< 01 "0001"
<< 02 "longstringdata" 03 0e # 8 records
>> 10 30
<< 01 "0001"
<< 02 "more long data" 03 0e # 8 records
>> 10 30
<< 01 "0001"
<< 02 "more long data" 03 04 # 8 records
>> 10 30
<< 04
>> 04 "1901" 05
<< 10 30
>> 01 "0002" 02 "1911 " 03 0b
<< 10 31
>> 04
>> 04 "0600" 05
<< "0600" 04
>> Fin
<< Fin
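The framing and record layout seen in both runs, as an added example that is not part of the original notes: a parser for 01 <header> 02 <payload> 03 xx frames that cuts the payload into 32-digit records. The bytes 01/02/03 are the ASCII control codes SOH/STX/ETX; the field names, the strict validation and the sample frame (built from record values quoted above, with an arbitrary trailer byte) are assumptions of this example.

```python
from datetime import datetime

SOH, STX, ETX = 0x01, 0x02, 0x03  # ASCII names of the 01 / 02 / 03 bytes in the capture
# Field names are assumptions of this example; the page only shows the digit groups.
FIELDS = (("kind", 2), ("timestamp", 12), ("field_a", 4), ("field_b", 10), ("field_c", 4))
RECORD_LEN = sum(width for _, width in FIELDS)  # 32 ASCII digits per record


def split_frame(frame: bytes):
    """Split 01 <header> 02 <payload> 03 <trailer byte> into (header, payload, trailer)."""
    if len(frame) < 4 or frame[0] != SOH or frame[-2] != ETX:
        raise ValueError("not a 01 ... 02 ... 03 xx frame")
    stx = frame.find(bytes([STX]), 1, len(frame) - 2)
    if stx < 0:
        raise ValueError("missing 02 separator")
    # Untrusted device data: decode strictly so non-ASCII bytes raise instead of passing through.
    header = frame[1:stx].decode("ascii")
    payload = frame[stx + 1:-2].decode("ascii")
    return header, payload, frame[-1]  # meaning of the trailer byte is not established on the page


def parse_records(payload: str):
    """Cut a payload of back-to-back fixed-width records into dicts."""
    if len(payload) % RECORD_LEN or not payload.isdigit():
        raise ValueError("payload is not a whole number of 32-digit records")
    records = []
    for off in range(0, len(payload), RECORD_LEN):
        rec, pos = {}, off
        for name, width in FIELDS:
            rec[name] = payload[pos:pos + width]
            pos += width
        # strptime rejects impossible dates, which catches misaligned records early.
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y%m%d%H%M")
        records.append(rec)
    return records


# Constructed sample: two records quoted on the page, wrapped in the observed framing.
SAMPLE = (b"\x01" b"0001" b"\x02"
          b"31" b"200810031243" b"0003" b"0000001148" b"8901"
          b"31" b"200810031323" b"0004" b"0000001139" b"0001"
          b"\x03\x0d")  # trailer byte chosen arbitrarily, not computed

if __name__ == "__main__":
    header, payload, trailer = split_frame(SAMPLE)
    print(header, hex(trailer))
    for record in parse_records(payload):
        print(record)
```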