Pioneer

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Pioneer

My old amp (home cinema audio system) died, so this gave me a chance to buy a new set.

I bought the Pioneer MCS-434 - mainly as it was in the rough price bracket I was willing to pay for. (Ie, not too much).

I don't care that it has a bluray player in it (but had no models without in the store) but that it could do UPNP Media devices was a nice surprise.

I found it working rather well with llink. Some minor troubles.

trickplay, ie, fast-forward and chapter skip did not work. llink was not sending the full DLNA flags required.
ObjID has a maximum length of 64 chars. Even though the spec has no limit, clearly the Pioneer does. Use shorter paths.
Refreshing (adding, or removing contents from a directory) does not work right.

The last issue is the only one I was unable to fix. The Pioneer subscribes to events in UPNP to be notified when ContainerID has been updated. llink informs it of that, and the Pioneer re-issues a listing, as you would expect.

But what it asks for in the listing is only 1 item. Ie, StartingIndex=1, RequestedCount=1. And no sorting. After that, it just stops. It is confusing as to what it expects to get here. I have sent a whole new record, as well as updated timestamps etc. But it also fails to refresh against Windows Media Center, so I think it is just plain broken.

I have attempted to contact Pioneer, and the developer of IPI/1.0 UPnP/1.0 DLNADOC/1.50 but I have had no replies.

So, attempting to gain access myself.

Firmware

The first file of the firmware is quite straight forward:

# binwalk MCS838_V00.38.bin 

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
66580           0x10414         Mediatek bootloader
119052          0x1D10C         Mediatek bootloader
425000          0x67C28         U-Boot boot loader reference{
521792          0x7F640         uImage header, header size: 64 bytes, header CRC: 0xAC601819, created: Mon Oct  7 01:20:36 2013, image size: 1815444 bytes, Data Address: 0x3A00000, Entry Point: 0x3A00000, data CRC: 0xAD70A84B, OS: Linux,  CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
539189          0x83A35         gzip compressed data, maximum compression, from Unix, last modified: Mon Oct  7 01:17:17 2013{file-epoch:1381076237}

4265104         0x411490        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 65376434 bytes, {file-size:65376434} 1189 inodes, blocksize: 65536 bytes, created: Mon Oct  7 01:46:24 2013 {
69772432        0x428A490       PNG image, 1920 x 1080, 8-bit/color RGB, non-interlaced
69810320        0x4293890       PNG image, 720 x 480, 8-bit/color RGB, non-interlaced
69834368        0x4299680       U-Boot boot loader reference{

Unpacking the squashfs, the bulk of the GUI code appears to be in;

-rwxr-xr-x  1 lundman  admin  20197340 Oct  7 01:45 usr/local/bin/bdpprog

and it would appear that it has some sort of secret code, based on;

g_onekey_secret_input
g_onekey_load_secret_input
g_onekey_sysinfo_secret_input
open_telnet
telnetd invoked ok
telnetd invoked failed

But IDA has not revealed anything that works. My best guess was

g_onekey_load_secret_input DCD 0x20103

Ie, 0 2 1 3, at the place where it prints the mcu and dsp versions. But that alone does not appear to work. Also checks for 0x03010200

I could roll my own firmware file, with telnetd running, and figure out whatever checksums they might have, but not that much time.

Preferably, Pioneer fixes the last issue and I don't have to do any of this :)