Hacking the Marantz M-CR603

By Cèbe, . Permalink Hardware

To adapt when looked more closely: shamelessly stolen from Source: Hacking the Marantz MCR-610 for the time being.

Information gathered through the Owner's Manual

There is some open source software in use, namely:

  • Boost: Set of C++ libraries
  • Expat: XML Parser Toolkit
  • FastDelegate: "Member Function Pointers and the Fastest Possible C++ Delegates"
  • libogg
  • libvorbis
  • Tremolo: "Tremolo is an ARM optimised version of the Tremor lib from xiph.org"
  • Tremor
  • zlib
  • cURL: "command line tool for transferring data with URL syntax"
  • c-ares: "C library for asynchronous DNS requests"

Marantz offers to provide sources through costumer service, we should check whether this includes any additional sources/details than the libraries named above!

Information from disassembly of the case

  • It uses a CX870-3B-D60 module. The company now belongs to Microchip and the features of the processor are documented here. It is basically a triple-core processor with a 240MHz ARM926EJ ARM core, an "Audio Engine" and a security processor for DRM.
  • There is a separate printed circuit board labeled "DEBUG" with space for a connector named "UPDATE" (this might be JTAG). There also is a connector populated which can be connected from outside of the case. It is labeled "MP" and seems to provide a serial console: GND +3.3V TX RX
    • The signals of the serial port seem to be like given in the following picture (9600 bps, 8-N-1)
    • Please note that I am not sure about the RX port, it seems to be an input, but it does not really react do data sent there.

Information from the webserver

GET / HTTP/1.0
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Sat Jan  1 00:00:00 2000
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://host/index.asp
  • So GoAhead is used: http://embedthis.com/products/goahead/index.html

Portscan

Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-15 13:27 CET
Nmap scan report for 192.168.2.53
Host is up (0.00041s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE        VERSION
23/tcp   open  telnet?
80/tcp   open  http           GoAhead-Webs embedded httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
443/tcp  open  ssl/https?
1024/tcp open  rtsp           Apple AirTunes rtspd 141.9 (Apple TV)
| rtsp-methods: 
|_  ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, TEARDOWN, OPTIONS, GET_PARAMETER, SET_PARAMETER, POST, GET
5000/tcp open  upnp?
5001/tcp open  commplex-link?
6666/tcp open  tcpwrapped
|_irc-info: Unable to open connection
8080/tcp open  http-proxy?
|_http-open-proxy: Proxy might be redirecting requests
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5001-TCP:V=6.00%I=7%D=3/15%Time=53244745%P=i686-pc-linux-gnu%r(NULL
SF:,1,">")%r(WMSRequest,1,">");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=6.00%I=7%D=3/15%Time=53244745%P=i686-pc-linux-gnu%r(GetR
SF:equest,145,"HTTP/1\.1\x20200\x20OK\r\nCONTENT-TYPE:\x20text/html\r\nCON
SF:TENT-LENGTH:\x20260\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD
SF:\x20HTML\x204\.01\x20Frameset//EN\"\x20\"http://www\.w3\.org/TR/html4/f
SF:rameset\.dtd\">\r\n<html>\r\n<head>\r\n<meta\x20http-equiv=\"Content-Ty
SF:pe\"\x20content=\"text/html;\x20charset=iso-8859-1\">\r\n</head>\r\n\r\
SF:n<body>\r\n\r\n<H1>PRESENTATION\x20PAGE</H1>\r\n</body>\r\n</html>\r\n"
SF:)%r(FourOhFourRequest,1A,"HTTP/1\.1\x20404\x20Not\x20Found\r\n\r\n");
MAC Address: XX:XX:XX:XX:XX:XX (Marantz Brand Company)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.00%E=4%D=3/15%OT=23%CT=1%CU=31672%PV=Y%DS=1%DC=D%G=Y%M=000678%T
OS:M=532447B9%P=i686-pc-linux-gnu)SEQ(SP=11%GCD=FA7F%ISR=9C%TI=I%CI=I%II=I%
OS:SS=S%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFF
OS:F%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=81%W=FFFF%O=M5B
OS:4%CC=N%Q=)T1(R=Y%DF=N%T=81%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%T=81
OS:%W=FFFF%S=O%A=O%F=A%O=%RD=0%Q=)T4(R=Y%DF=N%T=81%W=FFFF%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=81%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=81%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=81%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=81%CD=S)
Network Distance: 1 hop
Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x
TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.2.53
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.78 seconds

Serial Port

The externally accessible serial port outputs some data when changing input sources or channels. Sometimes some of the display content is output and sometimes it just seems to print the device name.

Firmware Upgrade Process

  • The device connects to https://pfw.marantz.info/ for firmware updates
  • On a first attempt the device could not be fooled by sslsniff to break SSL encryption

Page top