Cocktail Audio X10 Root Password

The Cocktail Audio X10 is a small Linux-based media server. You can use telnet to log in to it as root as long as you know the root password.

Once it was easy...

I discovered very early on that the web-based user interface's update routine performs a root login and the credentials are hard-coded in the update script. By looking in the right file, you can get the root password.

Assuming the X10 is accessible on the network by the hostname x10, the first step is to access the web user interface update files:

$ sudo mount -t cifs //x10/LocalStorages /mnt
$ cd /mnt/hdd1/.http/htdocs/ca_webgui_update

The root password is then located in update.php:

fputs($fp,"aktdlTsmsrj\r");

So, the root password is aktdlTsmsrj.

It's now a little harder

Originally, that was the full story, but the PHP source files are now protected with SourceGuardian. This is despite it being released with a GPLv3 license. However, the root password hasn't changed. All you need is to decode update.php, and there are a number of services that claim to be able to do this for a fee.

So look in older firmware

The alternative is to download an old firmware and take a peek inside. I used R1663 from August 30th 2012. Here's what I did.

The firmware pkg file is a romfs image. The kernel needs to have support for romfs built in for mounting to work. This wasn't the case on my Arch Linux system:

$ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt
mount: unknown filesystem type 'romfs'

The kernel of the SystemRescueCD 4.3.0 has this support, so I used that to peek inside the firmware package.

Boot up the SystemRescueCD, enable its network and then download the firmware file

$ wget http://www.cocktailaudio.co.uk/firmware/X1-CA-1.3.0.r1663.pkg

Now mount it

$ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt

The mounted filesystem looks like this

$ ls -l /mnt
total 0
drwxr-xr-x 1 root root        32 Jan  1  1970 bin
-rw-r--r-- 1 root root    131072 Jan  1  1970 nblock1
-rw-r--r-- 1 root root    196608 Jan  1  1970 nblock2
-rw-r--r-- 1 root root   7001088 Jan  1  1970 nblock3
-rw-r--r-- 1 root root   3894272 Jan  1  1970 nblock4
-rw-r--r-- 1 root root    147456 Jan  1  1970 nblock5
-rw-r--r-- 1 root root   2097152 Jan  1  1970 nblock6
-rw-r--r-- 1 root root   7394304 Jan  1  1970 nblock7
-rw-r--r-- 1 root root 129970176 Jan  1  1970 nblock8
-rw-r--r-- 1 root root        17 Jan  1  1970 version

The nblock files mostly appear to be filesystem images

$ file /mnt/nblock*
/mnt/nblock1: data
/mnt/nblock2: romfs filesystem, version 1 195936 bytes, named YAMON_XLOAD.
/mnt/nblock3: romfs filesystem, version 1 7000160 bytes, named MIPSLINUX_XLOAD.
/mnt/nblock4: romfs filesystem, version 1 3893664 bytes, named imaterial.
/mnt/nblock5: romfs filesystem, version 1 146480 bytes, named xmaterial.
/mnt/nblock6: data
/mnt/nblock7: romfs filesystem, version 1 7394176 bytes, named MIPSLINUX_XLOAD.
/mnt/nblock8: Linux rev 1.0 ext3 filesystem data, UUID=f9b12f50-8740-49b8-a3d9-a938c8e2b266, volume name "appDisk" 

The nblock8 one drew my attention due to it being the largest as well as an ext3 filesystem. I mounted that:

$ mount -o loop /mnt/nblock8 /mnt

It's a root filesystem image

$ ls /mnt
bin    dev  home  lib      lost+found  opt   root  sys     tmp  var
cdrom  etc  init  linuxrc  mnt         proc  sbin  tango3  usr

A quick rummage located the web gui in a zip file

$ ls /mnt/tango3/http.zip

Unzip that and we have a .http subdirectory containing the installer we're after, .http/htdocs/ca_webgui_update/update.php, with the root password inside:

$ grep fputs .http/htdocs/ca_webgui_update/update.php
            fputs($fp,"root\r");
            fputs($fp,"aktdlTsmsrj\r");
            fputs($fp,"cd /mnt/hdd1/.http/htdocs/ \r");
            fputs($fp,"sh /mnt/hdd1/.http/htdocs/update.sh");
            fputs($fp,"  \r");
            fputs($fp,"exit\r");

And there you have it, the root password is aktdlTsmsrj.
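
The login sequence above is the pattern a pre-release firmware review should catch: a login name and a literal password written to a socket one after the other. The following is an added example, not code from the original page or from the vendor; it flags such pairs in PHP source and redacts the secret in its report. The function name and the set of login names are assumptions.

```python
import re

# Sample input: the fputs() lines from the grep output above.
SAMPLE = r'''            fputs($fp,"root\r");
            fputs($fp,"aktdlTsmsrj\r");
            fputs($fp,"cd /mnt/hdd1/.http/htdocs/ \r");
            fputs($fp,"sh /mnt/hdd1/.http/htdocs/update.sh");
            fputs($fp,"  \r");
            fputs($fp,"exit\r");
'''

# fputs($handle, "literal") with the string literal captured.
FPUTS_RE = re.compile(r'fputs\(\s*\$\w+\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)')
# Assumption: account names that make a following literal worth flagging.
LOGIN_NAMES = {"root", "admin"}


def find_scripted_logins(php_source):
    """Return (line_no, user, redacted_secret) for literal login pairs."""
    writes = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for match in FPUTS_RE.finditer(line):
            # Drop the trailing \r / \n escapes that "press Enter".
            text = re.sub(r'(?:\\r|\\n)+$', '', match.group(1)).strip()
            writes.append((line_no, text))
    findings = []
    for (_, user), (line_no, secret) in zip(writes, writes[1:]):
        # A login name followed by a single token with no spaces looks like
        # a user name and password being typed at a login prompt.
        if user in LOGIN_NAMES and secret and " " not in secret:
            redacted = secret[:2] + "*" * (len(secret) - 2)
            findings.append((line_no, user, redacted))
    return findings


if __name__ == "__main__":
    for line_no, user, redacted in find_scripted_logins(SAMPLE):
        print(f"line {line_no}: literal password for {user!r}: {redacted}")
```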

A second root login

Now, in case a future firmware changes the root password, add a second root login. Telnet onto the X10 and then edit /etc/passwd to duplicate the root entry for a new root2 account (or whatever you want to call it) so you have

root:x:0:0:root:/root:/bin/sh
root2:x:0:0:root:/root:/bin/sh

Do similarly with /etc/shadow so it's like this

root:$1$y5KdarWv$HWob.VDNkYeI05MWmU.k71:10933:0:99999:7:::
root2:$1$y5KdarWv$HWob.VDNkYeI05MWmU.k71:10933:0:99999:7:::

(unfortunately there is no useradd, which would have made it possible to just do useradd -o -u 0 root2)

Now, change the password for root2:

$ passwd root2

It's probably wise to open a second telnet session and make sure that you can log in with both root and root2 before closing your current session.
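
A duplicated root entry like this is also what an account audit on such a device should surface. The following is an added example, not part of the original page; it reports extra UID 0 accounts, md5crypt hashes and hashes shared between accounts, using the entries shown above as sample input. The function names are assumptions.

```python
# Sample input: the passwd and shadow entries shown above.
PASSWD = """root:x:0:0:root:/root:/bin/sh
root2:x:0:0:root:/root:/bin/sh
"""
SHADOW = """root:$1$y5KdarWv$HWob.VDNkYeI05MWmU.k71:10933:0:99999:7:::
root2:$1$y5KdarWv$HWob.VDNkYeI05MWmU.k71:10933:0:99999:7:::
"""


def fields(text):
    """Split passwd/shadow style text into per-line field lists."""
    return [ln.split(":") for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def audit_uid0(passwd_text, shadow_text):
    """Return findings about UID 0 accounts and their password hashes."""
    uid0 = [f[0] for f in fields(passwd_text) if len(f) > 2 and f[2] == "0"]
    hashes = {f[0]: f[1] for f in fields(shadow_text) if len(f) > 1}
    findings, by_hash = [], {}
    for name in uid0:
        if name != "root":
            findings.append(f"extra UID 0 account: {name}")
        pw_hash = hashes.get(name, "")
        if pw_hash.startswith("$1$"):
            findings.append(f"{name}: obsolete md5crypt ($1$) hash")
        if pw_hash.startswith("$"):
            by_hash.setdefault(pw_hash, []).append(name)
    for names in by_hash.values():
        # Same salt and same digest means the same password.
        if len(names) > 1:
            findings.append("shared password hash: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in audit_uid0(PASSWD, SHADOW):
        print(finding)
```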

Summary

Boot SystemRescueCD 4.3.0 (or later) on a PC with a network connection and then:

$ net-setup eth0  # to initialise the network
$ wget http://www.cocktailaudio.co.uk/firmware/X1-CA-1.3.0.r1663.pkg
$ mount -t romfs X1-CA-1.3.0.r1663.pkg /mnt
$ mount -o loop /mnt/nblock8 /mnt
$ unzip /mnt/tango3/http.zip
$ grep fputs .http/htdocs/ca_webgui_update/update.php

QED