Finding A Shell In A Bose SoundTouch

Bose, every salesperson’s favorite stereo manufacturer, has a line of Wi-Fi connected systems available. It’s an impressively innovative product, able to connect to Internet radio, Pandora, and music libraries stored elsewhere on the network. A really great idea, and since this connects to a bunch of web services, you just know there’s a Linux shell in there somewhere. [Sara] found it.

The SoundTouch is actually rather easy to get into. The only real work to be done is connecting to port 17000, turning remote services on, and then connecting with telnet. The username is root.

The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry. [Sara] put a listing of the ‘help’ command up on pastebin, and it looks like there are commands for toggling GPIOs, futzing around with Pandora, and references to a Bluetooth module.

Interestingly, when [Sara] first suspected there could be Linux inside this box, she contacted Bose support for any information. She figured out how to get in on her own, before Bose emailed her back saying the information is proprietary in nature.

49 thoughts on “Finding A Shell In A Bose SoundTouch

    1. I use a $40 chinese android tablet with some spare computer speakers to play music from samba shares as well as act as an alarm clock. Sure, the sound output is not quite up to Bose quality, but it’s also a fraction of the price.

  1. proprietary using linux? if it truely is linux something should be published by bose I know not all but something..

    now in reality do i expect bose to publish anything at all…..no. but they should

    1. You can (and many do) implement something that is largely proprietary on top of Linux, after all it’s a fairly rare product where the innovation is actually at the OS level; but if Bose Legal thinks that just saying “It’s a black box, go away!” constitutes GPL 2 compliance… They might need to work on that.

      1. but if you hand out GPLed code produced binaries, you are required to give a reference where to find the sources, even if you did not change it. At least to my understanding.
        So not giving away the info about which kernel version and so on might be forbidden by the license.

        1. Being forbidden by the license doesn’t mean much if they can afford bigger legal fees than anyone who gives a shit. Not right, not fair, but I’m not sure there’s a good answer.

          1. This is the exact reason the FSF encourages people who license under the GPL to assign copyright to the FSF: so when a project encounters a GPL copyright violation and the violator is unreasonable and behaves with bad-faith, they can take an GPL violator to court in order to enforce compliance with the copyright.

    2. Nothing is required if you don’t produce any derivative code. If the code you’re building off of is already available, without modifications, from another vendor in source form, then you’re in the clear to go 100% binary. The code you run on the machine does not have to be open source.

  2. The article forgot to say that the username is ‘root’ and the password is .. wait, there is NO PASSWORD!

    Right, a completely unsecured root shell on an internet connected device that is being sold to general public. Even better, one can get the root shell remotely!

    I was going to write whether this thing is secure against exploits like the recent Shellshock bug, but no need, it comes with a free backdoor already!

    Why are hardware companies shelling out millions for nice looking product design but then outsource firmware writing to the lowest bidder producing atrocious crap in the process? I am really wondering whether we should start treating all these “smart” devices or “Internet-of-things” gizmos as “hacked by default” because of the universal incompetence of the manufacturers. Soon my fridge is going to attempt to steal my washing machine credentials so that my bank account could be hacked :(

    1. Have you confirmed that the device actually allows connections from non-local IP addresses?

      Thankfully most home users are behind a NAT by default so accessing this thing remotely wouldn’t be possible.

    2. So what is it you’re afraid of happening? Not a snipe; I’m seriously asking. I’d assume they stripped down the install enough that it’d be non trivial to get the speaker to DO anything other than play unwanted audio.

    3. Because unlike you or I, most consumers could care less about security, in fact most relish in the fact that they can use their internet radio **anywhere**, or do their banking at the !!AIRPORT!!. or have their refrigerator send shopping lists to whole foods or whatever.

      Why would any company invest in technology that user doesn’t know exists or cares if it does. It’s not going to boost sales or even limit sales. For most, it just doesn’t matter.

      Is this a problem? Yes, but these are the times we live in.

    4. There’s a relatively high barrier to entry for hardware, but any stupid asshole can call themselves a programmer, and the suits in charge of the project aren’t equipped to tell the difference. If it were possible (and it is possible for some products) for stupid assholes to make atrocious crap hardware without the suits or most consumers noticing, they would.

  3. Another asshole big player, that is taking the communities work without giving anything back, not even credit.
    And even worse, they are too dumb to implement the faintest hint of security.

    Don’t touch them with a ten foot pole.

    1. I have a Soundtouch speaker, but I don’t have the original packaging or paperwork anymore, but out of curiosity I went scouring though the Soundtouch Android app I use for it and buried in the settings there is a link to licence documents which do mention GPL and several other licences they use.

  4. “The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry.”

    More random bits of unsubstantiated nonsense from Brian Benchoff. It’s highly unlikely they would open a telnet session from the iOS app and muck around with parsing ASCII strings. Any competent designer would use something off the shelf — like SOAP or REST.

    1. While I agree that Brian barely makes any sense at the best of times I don’t see why it’s impossible the iOS uses the “telnet” port. It’s just a socket with text being sent back and forth..

      >muck around with parsing ASCII strings.
      >like SOAP or REST

      Both of which would involve parsing “ASCII strings”.
      There’s no reason that the “telnet” port couldn’t go into some lower level less human friendly protocol. Why would you bother with SOAP when you could do all you need with a simple field and delimiter protocol?

      1. Because the iOS libraries for parsing http queries are well established and trivial to use.

        Why get into lower level networking when you can send an http request with half a dozen lines of code at most?

  5. Looks like they’ve closed it down in the latest release – the only command at the port 17000 “->” prompt not reported as invalid is “help”. This includes “remote_service on” so it’s not clear how to enable remote access any more either.

      1. It was never officially open, so No. Also there’s a full developers API available from the Bose site that details hoe to drive these programatically using XML over HTTP.

  6. Just got one myself. Port 17000 is still open over telnet.
    I also discoved that there is a websocket on port 8090 that returns XML.
    If you run webserver stats on the box and you’ll see something like this :
    -> webserver stats
    ========================
    mostRecentMSTimeInCURLSend = 127ms
    mostRecentURLSent:
    ‘http://localhost:8090/volume’

    maxMSTimeInCURLSendSoFar = 1039ms
    URLForMaxTime:
    ‘http://localhost:8090/swUpdateCheck’
    ========================
    WebSockets Total:
    TotalIncomingMessagesOverWebsocket = 53
    TotalOutgoingMessagesOverWebsocket = 65
    RequestsToBoseAppCount = 53
    ResponsesFromBoseAppCount = 53
    NumberOfOutstandingRequests = 0
    NotificationsSentOverWebSocket = 108
    NumberOfCURLErrorsReported = 0
    LastNotificationSent =
    MaxAllowedRequests = 50
    NumberOfOverflowErrors = 0
    WebAdapterFreePoolListCurrSize = 50

  7. Hello, I have been reading a little about soundtouch, because I live outside US and the BOSE server recognizes my location blocking the iHeart Radio app (the one why I bought this) This happens even downloading the iOS app from US ITunes account. I tried to use this account, because the iOS iHeartRadio app downloads and works perfectly outside US if you downloaded it with a registered US iTunes store account.
    So, I would like to know If there is any chance to modify this and avoid the BOSE server to find out where am I…I already denied location use by the Bose app and it did not work.

    I hope someone can solve this issue.

    Obs: I know that using the iHeart app with AirPlay works…but the idea is to be free of my phone/iPad to listen to the radio.

    Thank you and have a Fantastic 2016

  8. All said, is it possible to mod these knowing all this info? All the GPL violations aside, still a clearly hackable device :D I have the Soundtouch 300, I would love to be able to add a second pair of Virtually Invisibles to the setup. Bose has stated it only supports a single pair. But if the OS is controlling the hardware, then it should be trivial to unlock that if its handled by the OS.

  9. Hi,

    – Connect a USB/serialTTL converter to the 3,5mm “service” plug TX=tip, RX=ring, GND=GND
    – Use Putty or similar at 115200 to view the boot process when powering on the soundtouch system-
    – See Uboot, kernel and busybox until login prompt.
    – Login as root, no password, you get: root@lisa:~#
    – root@lisa:~# touch /mnt/nv/remote_services
    – root@lisa:~# /etc/init.d/sshd start

    You are finished now with the serial interface and can login with
    ssh root@ipaddress.
    This persists on power cycles.
    To disable sshd you have to delete the file /mnt/nv/remote_services.

    A USB-Stick is mounted automatically onto /media/sda1.
    /dev/sda1 on /media/sda1 type vfat
    (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

    So you can store your mp3s on the stick and the system will see it.

    This is where I need help. Can somebody build a kind of microdlna
    server that we run on the system (maybe from stick), that reads the
    mp3-files and stream it via the net. From there we could play it
    with the system as a dlna client.

    Bose refused to give me links to the open source used under GPL.
    Some insights:
    root@lisa:~# uname -a
    Linux lisa 3.14.43+ #2 Fri Jun 23 20:38:40 EDT 2017 armv7l GNU/Linux

    root@lisa:~# busybox
    BusyBox v1.19.4 (2017-04-14 14:30:45 EDT) multi-call binary.
    Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
    and others. Licensed under GPLv2.

  10. I have a Bose SoundTouch 30 and the procedure to connect is a bit different than the ones stated above.

    1. You need to use the aux plug with a 3.5 mm jack to connect to the speaker. You need to use 4-pole connector and use the 3rd and 4th pole (second ring and sleeve). This will give you the possibility of receiving the boot output, to send data (commands) you will need to somehow connect to the pin on the outside of the connector (search for Bose SoundTouch 30 service manual and you will find a schematic). Furthermore, you need to use a USB/serialTTL, baudrate 115200.

    2. If you follow the step above you seem to be already authenticated as root (the drive is mounted as read-only but you can remount it).

    3. If you want to issue TAP commands, you will have to connect locally to port 17000 (telnet 127.0.0.1 17000). Unfortunately, the only commands that seem to work are: ‘async_responses on’ and ‘local_services on’, the rest don’t work, even if you type them several times.

    How I discovered all this?
    I bought the speaker from Facebook Marketplaces, and big surprise, it is not working. Meaning that it does not boot all the way, it stops at around 80% on the small display, the only button that seems to work is AUX (if I keep it pressed long enough it will cause a reboot), trying to update the firmware fails (all these methods fail: USB stick, micro-USB stick, micro-usb connected to computer). After using the procedures described above I managed to get a command line working. The interesting part is that the operating system does not detect the USB, wifi or ethernet – maybe a board is dead? However, the speaker connects to the wifi and if I plug a cable it also connects – but I cannot see the devices (ifconfig, ip link they only list the loopback connection). If I manually run the BoseApp I get a segmentation fault.

    Don’t expect anyone to be able to help, but I want to contribute with the steps I used to get the command line.

    1. I can’t figure out how to edit or delete posts, so apologies for the clutter.

      Connecting to the micro USB Setup port with a regular ‘phone cable worked for me.

      PuTTY telnet to
      203.0.113.1
      port 17000

      –> sys timeout inactivity disable

      Might require entering the command twice.

      The speakers still ‘pop’ when I activate after an extended period, indicating that the amp powered off. Dammit.

      Source hint:
      https://www.bose.com/en_us/support/article/updating-soundtouch-sa4.html

      BoseApp version: 24.0.7.46067.3722005 epdbuild.trunk.hepdswbld05.2020-01-29T17:25:57

      I recall seeing another command related to auto power off but I can’t find it now.
      This help list dump is sort of useful but outdated, I think, as some of the commands are not recognized:

      https://pastebin.com/EwPKS26G

      ‘?’ and ‘help’ are not recognized commands on my SA-4.

Leave a Reply to Blue Footed BoobyCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.