Recently I ran into some issues with my Elgato Netstream – a nice TV tuner that runs over the network. I wanted to obtain a raw video stream – this feature is normally available on the web interface, but strangely, the button to download an M3U – a playlist file, compatible with VLC – is now dead. It was working before.

I contacted Elgato on their Twitter, and they promptly replied with a new firmware image and a proposal to reset the unit. Unfortunately, the new firmware did not fix the issue. Still, amazing support :-).

A quick look on the Internets indicates that the device is possibly running Linux, and that this m3u is generated by accessing http://netstream.local/status/m3u. It returns a blank page for me. Strangely, the direct stream links work great.

So time to investigate by myself.

I recovered the last firmware update, and performed a bit of binwalk analysis:

binwalk --dd=jffs2:jffs2 eyetv-netstream-1.1.4-409.update

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------
2048          0x800         JFFS2 filesystem, little endian

Looks like this is a jffs2 image. We obtain 800.jffs2, a dump of the JFFS2 portion. Let’s mount it on a Linux VM:

mknod /dev/mtdblock0 b 31 0 # create the device (missing on my ubuntu 12.10)
modprobe mtd
modprobe jffs2
modprobe mtdram
modprobe mtdchar
modprobe mtdblock
dd if=800.jffs2 of=/dev/mtd0
mount -t jffs2 /dev/mtdblock0 /tmp/toto

And that’s it. Let’s try to take a look at the interesting bits:

bin etc lib persistent resources sys var
boot flash linuxrc persistent_active root tmp version
dev home mnt proc sbin usr www

Obviously, there is some interesting stuff, but let’s look at /etc/shadow. Two accounts are active: root and service. And obviously the password on these two accounts is the same. Let’s try "service" as a password on the real unit before any bruteforce.

ssh root@netstream.local
root@netstream:~

Great. A quick look confirms that this is an ARM-based device (ARM926EJ-S). I measured a steady 6W of power consumption. Not bad with two tuners, a network interface and an ARM processor.
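
The shared root/service credential found in /etc/shadow above is something a firmware review can flag before a unit is deployed. The following is an added example, not code from the original post or from Elgato: it lists which accounts in an unpacked image's shadow file can log in and which of them carry an identical password field. The sample entries and hashes are constructed placeholders, and `classify` and `audit_shadow` are names chosen here.

```python
from collections import defaultdict

# Constructed shadow(5) sample; hashes are made-up placeholders, not the firmware's.
SAMPLE_SHADOW = """\
root:$1$CONSTRUC$0123456789abcdefghijkl:10933:0:99999:7:::
service:$1$CONSTRUC$0123456789abcdefghijkl:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
ftp:!$1$OTHERSAL$zyxwvutsrqponmlkjihgfe:10933:0:99999:7:::
guest::10933:0:99999:7:::
"""

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}


def classify(field):
    """Return (state, scheme) for the password field of one shadow entry."""
    if field == "":
        return "empty", None            # login without any password
    if field[0] in "!*":
        return "locked", None           # password login disabled
    if field.startswith("$"):
        ident = field.split("$")[1]
        return "active", SCHEMES.get(ident, "unknown($%s$)" % ident)
    if len(field) == 13:
        return "active", "descrypt"     # traditional 13-character DES crypt
    return "active", "unknown"


def audit_shadow(text):
    """Report every account's state and the groups sharing one hash field."""
    accounts, by_hash = {}, defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        accounts[user] = classify(field)
        if accounts[user][0] == "active":
            by_hash[field].append(user)
    shared = sorted(sorted(u) for u in by_hash.values() if len(u) > 1)
    return accounts, shared

if __name__ == "__main__":
    accounts, shared = audit_shadow(SAMPLE_SHADOW)
    for user, (state, scheme) in accounts.items():
        print("%-8s %-7s %s" % (user, state, scheme or "-"))
    print("identical hash fields:", shared)
```

Identical fields only reveal copied entries: two accounts that share a password but were hashed with different salts will not match, so an empty result does not prove the passwords differ.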

Let’s now try to understand this m3u problem.

The web pages are served by lighttpd, with the following working URLs:

  1. /status -> redirect the stream to "TomaStatus"
  2. /stream -> redirect the stream to "TomaStreamer"
  3. /control -> redirect the query to "TomaControl"
  4. bonus: /server-status and /server-config are active.

Toma* are home-made binaries. A quick strings on the binary:

$ strings TomaStatus | grep -i m3u
m3u?Key=
%s%s%s.m3u
DoM3U

Looks like the URL that calls the m3u file – http://netstream/status/m3u – has evolved to http://netstream/status/m3u?Key=%s%s%s.m3u, so I’m not crazy :-).

Obviously the firmware has a bad state in its memory – the box keeps the channel settings from one session to another – and it is corrupting the web interface. Finally following the advice of the Elgato people, I reset the unit, and after a reconfiguration, the unit is working both on the web interface and with all clients (mobile or EyeTV). Yeah!

Bonus: while I was reconfiguring the tuner, I looked at the traffic. EyeTV and the Netstream app on mobile devices use a JSON-based interface. Example of a request:

POST /control HTTP/1.1
Content-Length: 57
Host: EyeTV

{"id":0,"method":"Toma.GetDeviceInformation","params":[]}

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 766
Date: Tue, 12 Mar 2013 22:06:47 GMT
Server: lighttpd/1.4.22

{ "MACAddress": [ ], "SoftwareVersion":, "SoftwareVersionText": "1.1.4 build 419", "HardwareVersion":, "HardwareVersionText": "1.0.2", "APIVersion":, "APIVersionText": "1.1.0", "SerialNumber": "", "ProductName": "EyeTV Netstream DTT", "DeviceName": "netstream", "DeviceBonjourName": "foobar", "PIN": "", "USBInitializedStatus": 0, "NetworkInformation": { "NetworkConfiguration": "DHCP", "NetworkMask": "255.255.255.0", "IPAddress": "", "GatewayAddress": "", "Nameserver1Address": "", "Nameserver2Address": "" }, "NumberOfTuners": 2, "IsSuspended": 0, "SpeedTestPort": 10000, "SelectedCountry": "GBR", "AvailableCountries": [ "GBR" ], "error": null, "id": 0 }

Note that UPnP is apparently enabled, but I did not manage to make it run through Skifta.

Last word: this device is really well built. It has a good amount of engineering inside – and it is nearly flawless in its execution. Yes, you need a computer with OSX or Windows to configure it – but after that it is usable with any VLC and can be remote controlled via simple web calls. Great for home projects!

UPDATE (31/08): Bernard Pottier just informed me that Elgato has a web page with all the sources. Thanks Bernard!
