simonkagstrom wrote:

Rooting the Philips MCI500h micro stereo

This entry describes how to get a root shell on your Philips MCI500h micro stereo in a few easy steps. Basically, all we need to do is enable SSH and then SSH into it. There are three very simple steps:
  • Set the dbg_startsshd NVRAM parameter to true

  • Reboot the MCI500h

  • Login via SSH



The Philips NVRAM daemon listens on TCP port 6481 and, conveniently, speaks HTTP, so a plain web browser works as a client. Just pointing your browser at that port gives you a list of the current NVRAM contents. What we want to do is set dbg_startsshd to true, which we can do via the web interface like this:

In your web browser, go to http://[your-mci500h-ip]:6481/dbg_startsshd?true and you should see a page that just says OK. If you reload http://[your-mci500h-ip]:6481 in your browser, you will see the new setting in the list. Note that none of this asks for a password: anyone who can reach port 6481 on your network can change NVRAM settings the same way.

Then reboot your stereo. Pressing the power button is not enough, but unplugging it does the trick, as does telnetting to port 10023 and running the # command. After the stereo has booted up, the dropbear SSH server will be running and you should be able to ssh in as root like below:
  ska@x41:~$ ssh root@192.168.1.129
  root@192.168.1.129's password: 
  Welcome to NXP Semiconductors PNX8706 Linux !!


  BusyBox v1.2.1 (2010.01.21-08:20+0000) Built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  g2 trunk 6869 Island:# ls
  blob1.bin       wl.o            wl_recovery.ko
  g2 trunk 6869 Island:# uname -a
  Linux pnx0106 2.4.27-vrs1-6869 #1 Thu Jan 21 16:16:41 CST 2010 armv5EJl unknown
The root password is root, which I managed to guess the first time :-)
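The three steps above, scripted, as an added example that is not part of the original post: it sets dbg_startsshd through the port-6481 web interface, waits for the reboot you do by hand, and then opens the SSH session. Beyond what the post states it assumes that curl and nc are installed on the client, that a successful set is answered with a body containing OK (as the post describes), and that fetching /name without a value reads a variable back (suggested by the "GET /%s SIMPLE" string, but not confirmed on the page). The transport is kept in $NVRAM_FETCH so the request/response logic can be exercised without a device.

```shell
#!/bin/sh
# Added example, not code from the original post: script the three steps
# (set dbg_startsshd, reboot, ssh in) against the NVRAM web interface on
# port 6481. Assumptions beyond the post: curl and nc exist on the client,
# the daemon answers a set request with a body containing "OK", and
# "/name" without a value reads a variable back. $NVRAM_FETCH is the
# transport, kept pluggable so the logic can be tested without a device.

NVRAM_PORT=6481
NVRAM_FETCH="${NVRAM_FETCH:-curl -fsS --max-time 5}"

# nvram_url HOST NAME [VALUE]: "/name?value" sets, "/name" alone reads
# (the read form is an assumption, see above).
nvram_url() {
    if [ -n "$3" ]; then
        printf 'http://%s:%s/%s?%s\n' "$1" "$NVRAM_PORT" "$2" "$3"
    else
        printf 'http://%s:%s/%s\n' "$1" "$NVRAM_PORT" "$2"
    fi
}

# nvram_set HOST NAME VALUE: succeed only if the daemon replied OK.
# Anything else (connection failure, other body) is reported and fails,
# so a typo in the variable name cannot pass silently.
nvram_set() {
    url=$(nvram_url "$1" "$2" "$3")
    body=$($NVRAM_FETCH "$url") || { echo "request to $url failed" >&2; return 1; }
    case "$body" in
        *OK*) return 0 ;;
        *) echo "unexpected reply for $2: $body" >&2; return 1 ;;
    esac
}

# nvram_dump HOST: the full variable list the post shows at http://host:6481/
nvram_dump() {
    $NVRAM_FETCH "http://$1:$NVRAM_PORT/"
}

# wait_for_port HOST PORT SECONDS: poll until something listens there.
wait_for_port() {
    n=0
    while ! nc -z -w 3 "$1" "$2" 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -ge "$3" ] && return 1
        sleep 1
    done
}

main() {
    host=$1
    nvram_set "$host" dbg_startsshd true || exit 1
    echo "dbg_startsshd is now true; unplug and replug the stereo, then press Enter."
    read _dummy
    wait_for_port "$host" 22 120 || { echo "no sshd on $host:22 after reboot" >&2; exit 1; }
    # The root password is root, as found in the post.
    exec ssh "root@$host"
}

# Only run the procedure when a host is given; sourcing the file just
# defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh mci500h-ssh.sh 192.168.1.129`. Because the set is verified against the OK reply rather than assumed, the script stops before asking you to reboot if the daemon did not accept the change, and it refuses to wait on port 22 in that case.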


A few words about how I found this out as well. First I downloaded the firmware image. It is a CRAMFS filesystem image, which can be unpacked as described here.

Looking around in that image, I started with /etc/ and /usr/local, where the Philips-specific stuff is located. Seeing that /etc/init.d/rcS contained these lines:
  [ "$(/usr/local/bin/nvram get dbg_startsshd)" = "true" -a -x /usr/bin/dropbear ] && \
  { echo "Starting dropbear SSH server...";
it was fairly easy to run strings on /usr/local/bin/nvramd and find these interesting strings, which give away both the client usage and the GET-style request format the daemon accepts:
  GET / SIMPLE
  GET /%s SIMPLE
  usage: nvram [get name] [set name=value] [unset name] [show]
  GET /%s?%s SIMPLE
  unset
  GET /%s? SIMPLE
  show
And after some poking, I found out how to set the NVRAM values. The password was easy to guess, thanks for that Philips :-)


So now that we've got root, what are we going to do with it? At the very least, change the root password: with SSH enabled and the NVRAM interface unauthenticated, anyone on the same network can walk in the same way.

Update: Instead of telnetting to 6481, just pass the new NVRAM variable via the web browser.