MalcolmStagg.com

project bdp

Overview

The Telnet daemon, like all the other BusyBox utilities (even those not listed by name), is already installed on Sony players. You just need to get "telnetd" to run; then you will be able to access your player's bash shell remotely from any computer.

Method 1: Browser Library Preload

This is the safest method, because it involves no firmware modifications. The only drawback is that you will need to re-run the script (by re-launching the browser) each time you boot the player to re-enable Telnet access.

Also, some players, including the BDP-S480, do not support this method. Now that it is known publicly, it is a safe assumption that future firmware versions may also have this disabled.

Follow the instructions here to try this out. Telnet support is given as the example usage.

Download the code samples, including binaries compiled for ARMv6 (some BDP players are ARMv6).

Method 2: Firmware Modification

If Method 1 doesn't work, apart from finding some other Linux or bdpprog vulnerability (I'm sure it's possible), the only way in seems to be through a firmware update. Note, though, that the BDP-S470 appears to use firmware which is mostly encrypted, making this method most likely useless. Some Panasonic firmware is also RSA signed, which makes modifications difficult or impossible.

When modifying firmware, I like to make my changes as small as possible, at least at first, to avoid possible problems. Before I knew that Method 1 was possible, I actually added a single line to /usr/local/bin/browser.sh (and somehow missed the LD_PRELOAD!):

/mnt/sda1/script.sh
	

If you looked at Method 1, you'll notice that this is exactly the same script I got libSegFault.so to run as it loads. Just two different methods to run the same script. The advantage of this is that the script is on the USB drive, so if you wrote something to that script that causes a crash, all you have to do is reboot, remove the USB drive, fix the script, and it should be back to normal. No firmware flashing necessary. The contents of script.sh on your USB key can be very simple as well:

#!/bin/sh
echo root:admin | chpasswd
telnetd
	

This is enough to set the username/password combo to root:admin, and start the Telnet Daemon.

If you want it to run when the player boots, this is possible but a little more difficult. In the S390 at least, the initrd (init ramdisk) partition appears to be encrypted, making it difficult to make changes to the files that run as the player boots. Here is one way it is possible.

Notes

Since I brought up the fact that you can use any BusyBox utility even if it's not there by name, I'll quickly explain: BusyBox lets you create symlinks or hardlinks to utilities, which all link to the main busybox executable. It then runs whichever utility matches the name it was invoked under. Because every utility is just a link to that same executable, you can copy telnetd (or any other utility) to "/tmp/busybox", for example. Then it will be possible to run "/tmp/busybox <the name of the utility>". For example, you can then use "/tmp/busybox wget http://malcolmstagg.com/bdp/telnet.html" to download this webpage. Or you can make your own symlinks for the undefined utilities (e.g. cp -s telnetd /tmp/wget).
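
The same point from an auditing angle, as an added example that is not part of the original page: an applet with no link on disk is still compiled into the binary, so a device review should compare the applet list against the links that exist. The function name, file names and the demo directory are constructed for illustration; on a real system the list would come from `busybox --list`, assuming the build supports that option.

```shell
#!/bin/sh
# unlinked_applets APPLET_LIST DIR...
#   APPLET_LIST  file with one applet name per line, e.g. produced by
#                `busybox --list > applets.txt` (assumes --list is enabled)
#   DIR...       directories that normally hold the applet links
# Prints every applet that is compiled in but has no entry in any DIR.
# Such applets stay reachable as "busybox <applet>" or through a new link.
unlinked_applets() {
    list=$1
    shift
    while IFS= read -r applet || [ -n "$applet" ]; do
        [ -n "$applet" ] || continue
        found=0
        for dir in "$@"; do
            # -e follows links; -L also counts a dangling link as present
            if [ -e "$dir/$applet" ] || [ -L "$dir/$applet" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$applet"
    done < "$list"
}

# Constructed fixture: a fake bin directory where only sh and ls are linked,
# and an applet list that also contains telnetd and wget.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    : > "$tmp/bin/busybox"
    ln -s busybox "$tmp/bin/sh"
    ln -s busybox "$tmp/bin/ls"
    printf '%s\n' ls sh telnetd wget > "$tmp/applets.txt"
    unlinked_applets "$tmp/applets.txt" "$tmp/bin"
    rm -rf "$tmp"
}

demo
```

Anything this reports can only be taken off the device by rebuilding BusyBox without that applet; deleting a link changes nothing in the binary.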

Conclusion

For method 1 look here.

For method 2 you will need to:

  1. Extract the firmware files
  2. Modify the files (e.g. /usr/local/bin/browser.sh)
  3. Modify date & version to make the player think it is newer
  4. Re-generate the firmware files
  5. Burn to a CD and update your player

DISCLAIMER

Downgrading has been successfully tested. That's all I can confirm. Modifying firmware is risky, may violate EULA agreements, and can potentially brick your Blu-Ray player. Be careful what you run/change even when connecting to your player remotely. You can brick your player using Telnet. Please try this at your own risk!

Copyright © 2013-2014 Malcolm Stagg