Using noxon iRadio favorites offline

My kitchen radio, a noxon iRadio, happily plays music from my UPnP server. This is what I bought it for. Unfortunately for me, it is also able to store favorites online, list thousands of online radio stations and play them.

So far so good. Two problems:

While these items are no problems in themselves, the combination of them and the fact that I am offline at home is a problem. When you open one of those 5 menu entries or the favorites, the radio hangs. This is because it can't reach any of the servers it wants to connect to. A mail to support got me in contact with one of the developers, and he told me that setting the timeout down to a few seconds - so that it would be usable for me - is not possible, and never will be. Not to speak of deactivating the whole online crap.

Help yourself

So with no help to expect from the producer (Ha! When do you ever get that?) I had to find a solution myself. By installing tcpdump on my home server (which also acts as gateway) and running

tcpdump -i ppp0 -s 1500 -w noxon.tcpdump
  

while clicking around the menu, I got some data that helped me to identify the problem. The file can be opened with Wireshark.

This lit up my mind: The radio sends 6 DNS requests and waits for the domains (radio567.vtuner.com, radio5672.vtuner.com and gatekeeper.my-noxon.net) to be resolved. This is what hangs the radio - when I'm offline, no DNS requests can be answered apart from the names of my own machines.

So some entries in the gateway's /etc/hosts file made the radio react even when I am offline: They simply redirect the host names to some non-existent IP address. Favorites, here we come!
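As an added example (not part of the original post): a small Python parser that pulls the queried host names out of DNS query payloads like those in the capture and formats matching /etc/hosts lines. The sample payloads are constructed, and the function names and the sink address 192.0.2.1 are assumptions.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query payload (used only to construct the sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_query_names(payload):
    """Return [(name, qtype), ...] for the questions in one DNS query payload."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:          # QR bit set: a response, not a query
        return []
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated QNAME")
            length = payload[pos]
            pos += 1
            if length == 0:     # root label ends the name
                break
            if length & 0xC0 or pos + length > len(payload):
                raise ValueError("bad label length")
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels).lower(), qtype))
    return questions

def hosts_entries(payloads, sink_ip):
    """Deduplicate queried names and format them as /etc/hosts lines."""
    names = []
    for payload in payloads:
        for name, _qtype in parse_query_names(payload):
            if name not in names:
                names.append(name)
    return ["%s\t%s" % (sink_ip, name) for name in names]

# Constructed sample: the three names from the capture, each asked twice
# (the 2x split is an assumption; the page only says six requests were sent).
NAMES = ("radio567.vtuner.com", "radio5672.vtuner.com", "gatekeeper.my-noxon.net")
SAMPLE = [build_query(n, txid=i) for i, n in enumerate(NAMES * 2)]
SINK_IP = "192.0.2.1"  # assumption: unused address from the TEST-NET-1 range

if __name__ == "__main__":
    print("\n".join(hosts_entries(SAMPLE, SINK_IP)))
```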

More discoveries

Inspecting the network communication dump file further told me how the radio's menu system works. The main menu entries just call some hard-coded URLs, which respond with an XML file that tells the radio what to display.

On all requests, the radio transmits its own MAC address, language and firmware version number. The MAC address authenticates you when retrieving your favorites. This means by providing a different MAC, you could retrieve someone else's favs.

To prevent that simple attack on your privacy, the radio retrieves an encryption token which is later used to encrypt the MAC address. The only problem seems to be that this token does not change for at least a day. So as soon as you capture someone's radio network traffic, you have full access to their favorites as long as the token does not change.

What also bothers me a bit is that both servers (vtuner and my-noxon gatekeeper) return the same encryption token, although they are different boxes and they use different scripting languages (ASP and PHP). This could be a sign that this token is hard-coded. In that case, the only thing that prevents one from retrieving everyone's favorites (and other my-noxon services that one could even have paid for) is that the encryption method is secret.

Seems a bit like security by obscurity. Here are some encryption examples. The token is used to get the encrypted MAC address:

Real MAC:  00:16:E3:EA:52:B9

Encryption examples:

token:     0000000000000000
mac:       3B834F07044E1DA94792258E5E777FE9

token:     0000000000000001
mac:       E696881E02E16DBB6CD734CDE5413387

token:     1111111111111111
mac:       5F7B1751BB0AAB22F90A72B0997718EE

token:     a6703ded78821be5
mac:       B2FB31BE594C9FD322408AB8CC8F7679
  

XML Menu structure

The XML data coming back from the sites is a ListOfItems that either tells the radio to display a message, or lists some directories and radio station streams.



 
  Display
  -- Empty List --
 


or



 
  Previous
  http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/loginXML.asp?gofile=
  http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/loginXML.asp?gofile=
 
 
  Dir
  Afrika
  http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Africa
  http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Africa
 
 
  Dir
  Asien
  http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Asia
  http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Asia
 
 ...


The lists can be made non-cacheable (Why should we respect HTTP headers?) by providing a <NoCache>Yes</NoCache> directly after the opening ListOfItems tag.

Knowing this format, one could make the menu entries actually useful by creating a noxonXml-to-MediaTomb gateway with Services_MediaTomb :)

Written by Christian Weiske.

Comments? Please send an e-mail.