|Home Recent Work Science Fair About Me Contact Me Software|
Telnet Daemon, as well as all the other BusyBox utilities (even if they are not listed by name), is already installed on Sony players. You just need to get "telnetd" to run, then you will be able to access your player's bash shell remotely from any computer.
Method 1: Browser Library Preload
This is the safest method, because it involves no firmware modifications. The only drawback is that you will need to re-run the script (by re-launching the browser) each time you boot the player to re-enable Telnet access.
Also, some players, including the BDP-S480, do not support this method. Now that it is known publicly, it is a safe assumption that future firmware versions may also have this disabled.
Follow the instructions here to try this out. Telnet support is given as the example usage.
Download the code samples, including compiled for ARMv6 (some BDP players are ARMv6).
Method 2: Firmware Modification
If Method 1 doesn't work, apart from finding some other Linux or bdpprog vulnerability (I'm sure it's possible), the only way in seems to be through firmware update. Note though that the BDP-S470 appears to use firmware which is mostly encrypted, making this method most likely useless. Also some Panasonic firmware is RSA signed, also making modifications difficult or impossible.
When modifying firmware, I like to make my changes as small as possible, at least at first, to avoid possible problems. Before I knew that Method 1 was possible, I actually added a single line to /usr/local/bin/browser.sh (and somehow missed the LD_PRELOAD!):
If you looked at Method 1, you'll notice that this is exactly the same script I got libSegFault.so to run as it loads. Just two different methods to run the same script. The advantage of this is that the script is on the USB drive, so if you wrote something to that script that causes a crash, all you have to do is reboot, remove the USB drive, fix the script, and it should be back to normal. No firmware flashing necessary. The contents of script.sh on your USB key can be very simple as well:
This is enough to set the username/password combo to root:admin, and start the Telnet Daemon.
If you want it to run when the player boots, this is possible but a little more difficult. In the S390 at least, the initrd (init ramdisk) partition appears to be encrypted, making it difficult to make changes to the files that run as the player boots. Here is one way it is possible.
Since I brought up the fact that you can use any busybox utility even if it's not there by name, I'll quickly explain: busybox lets you create symlinks or hardlinks to utilities, which link to the main busybox executable. It then runs the utility by the name of the symlink. You can copy telnetd (or any other utility) to "/tmp/busybox" for example. Then it will be possible to run "/tmp/busybox <the name of the utility>". For example, you can then use "/tmp/busybox wget http://malcolmstagg.com/bdp/telnet.html" to download this webpage. Or you can make your own symlinks for the undefined utilities (e.g. cp -s telnetd /tmp/wget).
For method 1 look here.
For method 2 you will need to:
Downgrading has been successfully tested. That's all I can confirm. Modifying firmware is risky, may violate EULA agreements, and can potentially brick your Blu-Ray player. Be careful what you run/change even when connecting to your player remotely. You can brick your player using Telnet. Please try this at your own risk!
Copyright © 2013-2014 Malcolm Stagg