The Cocktail Audio X10 is a small Linux-based media server. You can use
telnet to log in to it as
root as long as you know the root password.
Once it was easy...
I discovered very early on that the web-based user interface's update routine performs a root login and the credentials are hard-coded in the update script. By looking in the right file, you can get the root password.
Assuming the X10 is accessible on the network by the hostname
x10, the first step is to access the web user interface update files:
$ sudo mount -t cifs //x10/LocalStorages /mnt $ cd /mnt/hdd1/.http/htdocs/ca_webgui_update
The root password is then located in
So, the root password is
It's now a little harder
Originally, that was the full story but the PHP source files are now protected with Source Guardian. This is despite it being released with a GPLv3 license. However, the root password hasn't changed. All you need is to decode
update.php and there are a number of services that claim to be able to do this for a fee
So look in older firmware
The alternative is to download an old firmware and take a peek inside. I used R1663 from August 30th 2012. Here's what I did.
pkg file is a romfs image. The kernel needs to have support for romfs built in for mounting to work. This wasn't the case on my Arch Linux system:
$ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt mount: unknown filesystem type 'romfs'
The kernel of the SystemRescueCD 4.3.0 has this support, so I used that to peek inside the firmware package.
Boot up the SystemRescueCD, enable its network and then download the firmware file
$ wget http://www.cocktailaudio.co.uk/firmware/X1-CA-1.3.0.r1663.pkg
Now mount it
$ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt
The mounted filesystem looks like this
$ ls /mnt total 0 drwxr-xr-x 1 root root 32 Jan 1 1970 bin -rw-r--r-- 1 root root 131072 Jan 1 1970 nblock1 -rw-r--r-- 1 root root 196608 Jan 1 1970 nblock2 -rw-r--r-- 1 root root 7001088 Jan 1 1970 nblock3 -rw-r--r-- 1 root root 3894272 Jan 1 1970 nblock4 -rw-r--r-- 1 root root 147456 Jan 1 1970 nblock5 -rw-r--r-- 1 root root 2097152 Jan 1 1970 nblock6 -rw-r--r-- 1 root root 7394304 Jan 1 1970 nblock7 -rw-r--r-- 1 root root 129970176 Jan 1 1970 nblock8 -rw-r--r-- 1 root root 17 Jan 1 1970 version
nblock files mostly appear to be filesystem images
$ file /mnt/nblock* /mnt/nblock1: data /mnt/nblock2: romfs filesystem, version 1 195936 bytes, named YAMON_XLOAD. /mnt/nblock3: romfs filesystem, version 1 7000160 bytes, named MIPSLINUX_XLOAD. /mnt/nblock4: romfs filesystem, version 1 3893664 bytes, named imaterial. /mnt/nblock5: romfs filesystem, version 1 146480 bytes, named xmaterial. /mnt/nblock6: data /mnt/nblock7: romfs filesystem, version 1 7394176 bytes, named MIPSLINUX_XLOAD. /mnt/nblock8: Linux rev 1.0 ext3 filesystem data, UUID=f9b12f50-8740-49b8-a3d9-a938c8e2b266, volume name "appDisk"
nblock8 one drew my attention due to it being the largest as well as an
ext3 filesytem. I mounted that:
$ mount -o loop /mnt/nblock8 /mnt
It's a root filesystem image
$ ls /mnt bin dev home lib lost+found opt root sys tmp var cdrom etc init linuxrc mnt proc sbin tango3 usr
A quick rummage located the web gui in a zip file
$ ls /mnt/tango3/http.zip
Unzip that and we have a
.http subdirectory containing the installer we're after
.http/htdocs/ca_webgui_update/update.php with the root password inside:
$ grep fputs .http/htdocs/ca_webgui_update/update.php fputs($fp,"root\r"); fputs($fp,"aktdlTsmsrj\r"); fputs($fp,"cd /mnt/hdd1/.http/htdocs/ \r"); fputs($fp,"sh /mnt/hdd1/.http/htdocs/update.sh"); fputs($fp," \r"); fputs($fp,"exit\r");
And there you have it, the root password is
A second root login
Now, in case a future firmware changes the root password, add a second root login. Telnet onto the X10 and then edit
/etc/passwd to duplicate the
root entry for a new
root2 account (or whatever you want to call it) so you have
Do similarly with
/etc/shadow so it's like this
(unfortunately there is no
useradd which would have made it possible to just to
useradd -o -u 0 root2)
Now, change the password for root2:
$ passwd root2
It's probably wise to open a second telnet session and make sure that you can log in with both
root2 before closing your current session.
Boot SystemRescueCD 4.3.0 (or later) on a PC with a network connection and then:
$ net-setup eth0 # to initialise the network $ wget http://www.cocktailaudio.co.uk/firmware/X1-CA-1.3.0.r1663.pkg $ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt $ mount -o loop /mnt/nblock8 /mnt $ unzip /mnt/tango3/http.zip $ grep fputs .http/htdocs/ca_webgui_update/update.php