Download from the Store.
I purchased a Sony Bravia KDL-40EX525 a few months ago and noticed that there were official remote control apps for Android and iPhone from Sony but, unfortunatelly, not for WP7 (not even an unofficial one). Since I own a LG Optimus 7 I got curious about this and started to develop something similar for myself, specifically because I hate using the stock remote control to enter text.
I based my work on this blog post http://blogs.msdn.com/b/andypennell...ws-phone-7-5-mango-part-1-ssdp-discovery.aspx. Many thanks to Andy Pennell for that, his post was really helpful and a great starting point.
The app requires you to be on the same network as the TV.
If you want to try this make sure the TV is ON (give it time to initialize the services. It cannot be turned on/off with this app because it has to talk to the IRCC service that is only available when the device is ON). See the screen of your TV the first time you run the app because it requires that you register your device in order to be able to iterate.
I appreciate your feedbacks, suggestions, bug report or questions that you may have.
Tested on models:
- KDL-40EX525 (mine)
- KDL-32HX758 (thanks lordmaxey)
It should work on:
- Blu-ray Disc(TM) players: BDP-S370, S470, S570, S770, S1700, BX37, BX57, S380, S480, S580, S780, BX38, BX58, S390, S490, S590, S790, BX39, BX59, NSZ-GP9
- Blu-ray Disc(TM) Home Theater Systems: BDV-IZ1000W, HZ970W, E970W, E870, E770W, E670W, E570, E470, E370, T57, F7, F700, F500, E985W, E980W, E980, E880, E780W, E580, E380, T58, L800M, L800, L600, N990W, N890W, N790W, N590, E690, E490, E385, E390, E290, E190, NF720, NF620, EF420, EF220, T79, T39
- Streaming Player/Network Media Player: SMP-N100, SMP-N200, NSZ-GP7
- AV Receiver: STR-DN1020, STR-DN1030, STR-DA1800ES
- BRAVIA: KDL-HX92 series, HX82 series, HX72 series, NX72 series, EX72 series, EX62 series, EX52 series, EX42 series, EX32 series, CX52 series, HX85 series, HX75 series, EX65 series, EX55 series
- Sony Internet TV: NSX-24GT1, 32GT1, 40GT1, 46GT1, NSZ-GT1
- VAIO: VAIO L (SVL241)
wow, awesome!
I'll try immediately when i'm home.
lordmaxey said:
wow, awesome!
I'll try immediately when i'm home.
Click to expand...
Click to collapse
Great! if you can post your TV model it will be greatly apprecciated so we can add it to the "tested list" of models.
etrosce said:
Great! if you can post your TV model it will be greatly apprecciated so we can add it to the "tested list" of models.
Click to expand...
Click to collapse
Hi there,
i've got a Sony Bravia KDL-32HX758
I'll tell you when i've tested it looking forward!
Edit:
one word: awesome!
It works great and i absolutely LOVE it!! Great work!!! Congrats!
lordmaxey said:
Hi there,
i've got a Sony Bravia KDL-32HX758
I'll tell you when i've tested it looking forward!
Edit:
one word: awesome!
It works great and i absolutely LOVE it!! Great work!!! Congrats!
Click to expand...
Click to collapse
Thanks and enjoy :good:. I've just updated the post to list the models we know it works... Hope to see more feedback here
Hi!
I wanted to try your app, but my television (w655) didn't want to agree on that.
Are you maybe willing to share the source code of the app?
Or do you want to check why it's not working?
Thanks!
mendel129 said:
Hi!
I wanted to try your app, but my television (w655) didn't want to agree on that.
Are you maybe willing to share the source code of the app?
Or do you want to check why it's not working?
Thanks!
Click to expand...
Click to collapse
Hey there,
I've been researching a little bit about it before. It looks like Sony changed completely the way to remote control in latest models, specially W series. No documentation about that. So, the only way to try to discover how it works now, is to have a W series to try with (which I do not have)
Sorry about that.
What you can do is try to discover how the new service works by yourself, so we can expand the compatibility of the App. If you are interested, I can guide you with some clues, tools and techinches I used in the past to do so.
I may open the code, I haven't even considered it but I think it's a good idea.
etrosce said:
Hey there,
I've been researching a little bit about it before. It looks like Sony changed completely the way to remote control in latest models, specially W series. No documentation about that. So, the only way to try to discover how it works now, is to have a W series to try with (which I do not have)
Sorry about that.
What you can do is try to discover how the new service works by yourself, so we can expand the compatibility of the App. If you are interested, I can guide you with some clues, tools and techinches I used in the past to do so.
I may open the code, I haven't even considered it but I think it's a good idea.
Click to expand...
Click to collapse
I've been playing with our 2013 model a couple of days now, and it seems the controls still works (compatible with 2012) but the registration process is not necessary anymore...
Anyway, if you put the code somehwere, i'll try if it works somehow
thanks!
mendel129 said:
I've been playing with our 2013 model a couple of days now, and it seems the controls still works (compatible with 2012) but the registration process is not necessary anymore...
Anyway, if you put the code somehwere, i'll try if it works somehow
thanks!
Click to expand...
Click to collapse
Sounds good, give me a couple of days to set it up and will let you know.
In the meantime, does your device description xml look like this one? http://www.upnp-database.info/device.jsp?deviceId=662 (See Description XML tab). If so, you may want to try ScalarWebAPI service on your modes. In that xml you can get some urls that will return some valuable (or not) information that may give you some clues.
Stay tunned,
Esteban
i have Klv 32EX330
how can i to make it working with this app
life25ak said:
i have Klv 32EX330
how can i to make it working with this app
Click to expand...
Click to collapse
I'm not sure you model actually supports to be remote controlled as it isn't event listed by sony as supported (see supported models above).
Does the app find your model? (be sure both are connected to the same lan)
etrosce said:
I'm not sure you model actually supports to be remote controlled as it isn't event listed by sony as supported (see supported models above).
Does the app find your model? (be sure both are connected to the same lan)
Click to expand...
Click to collapse
no doesnt
thank you so much
life25ak said:
no doesnt
thank you so much
Click to expand...
Click to collapse
Well, I'm afraid, as I said before, it does not provides de services required for remote control support. Sorry.
etrosce said:
Sounds good, give me a couple of days to set it up and will let you know.
In the meantime, does your device description xml look like this one? http://www.upnp-database.info/device.jsp?deviceId=662 (See Description XML tab). If so, you may want to try ScalarWebAPI service on your modes. In that xml you can get some urls that will return some valuable (or not) information that may give you some clues.
Stay tunned,
Esteban
Click to expand...
Click to collapse
Hey man,
so, I gathered some information, please check following xml-files
http://mendelonline.be/sony/
Also, almost all commands from vremote (http://falcosoft.hu/softwares.html) are actually working
mendel129 said:
Hey man,
so, I gathered some information, please check following xml-files
http://mendelonline.be/sony/
Also, almost all commands from vremote (http://falcosoft.hu/softwares.html) are actually working
Click to expand...
Click to collapse
Hey, sorry for the delay on sharing the code, I changed laptop and had to re-setup my dev env. Will try to have it done for the weekend.
In the meantime...I wonder what all this urls return:
http://192.168.1.54/sony/guide
http://192.168.1.54/sony/system
....
http://192.168.1.54/sony/irCommandProxy
Basically everything under <av:X_ScalarWebAPI_ServiceList> from dmr.xml. Actually, I would try any url available in that file
We should see where getRemoteCommandList api is located (together with other relevant APIs)
In previous models it was returned as a result from http://192.168.1.54/cers/ActionList.xml. It should be somewhere else now.
Also, did you confirmed that there is no registration required now at all?
Thanks!!!
etrosce said:
Hey, sorry for the delay on sharing the code, I changed laptop and had to re-setup my dev env. Will try to have it done for the weekend.
In the meantime...I wonder what all this urls return:
http://192.168.1.54/sony/guide
http://192.168.1.54/sony/system
....
http://192.168.1.54/sony/irCommandProxy
Basically everything under <av:X_ScalarWebAPI_ServiceList> from dmr.xml. Actually, I would try any url available in that file
--edit--
ok, we've got an entire json conversation going to http://ip:80/sony/system
We should see where getRemoteCommandList api is located (together with other relevant APIs)
In previous models it was returned as a result from http://192.168.1.54/cers/ActionList.xml. It should be somewhere else now.
Also, did you confirmed that there is no registration required now at all?
Thanks!!!
Click to expand...
Click to collapse
No problem, didn't had time myself
Well, there basically 2 webservers/-services running.
One nginx on tcp:80, and something else on tcp:52323 (tcp header contains: Server=Linux/2.6 UPnP/1.0 KDL-42W655A/1.7)
actionlist is "gone", but i'm trying to capture network traffic from the official sony app to figure out the new location
--edit--
ok, so there's an entire "json conversation" going on http://ip:80/sony/system
--edit2--
bingo
--edit--
send this json command:
{"id":20,"method":"getRemoteControllerInfo","version":"1.0","params":[]}
to
http://192.168.1.61/sony/system
and this comes back as return:
{"id":20,"result":[{"bundled":true,"type":"RM-J1100"},[{"name":"PowerOff","value":"AAAAAQAAAAEAAAAvAw=="},{"name":"Input","value":"AAAAAQAAAAEAAAAlAw=="},{"name":"GGuide","value":"AAAAAQAAAAEAAAAOAw=="},{"name":"EPG","value":"AAAAAgAAAKQAAABbAw=="},{"name":"Favorites","value":"AAAAAgAAAHcAAAB2Aw=="},{"name":"Display","value":"AAAAAQAAAAEAAAA6Aw=="},{"name":"Home","value":"AAAAAQAAAAEAAABgAw=="},{"name":"Options","value":"AAAAAgAAAJcAAAA2Aw=="},{"name":"Return","value":"AAAAAgAAAJcAAAAjAw=="},{"name":"Up","value":"AAAAAQAAAAEAAAB0Aw=="},{"name":"Down","value":"AAAAAQAAAAEAAAB1Aw=="},{"name":"Right","value":"AAAAAQAAAAEAAAAzAw=="},{"name":"Left","value":"AAAAAQAAAAEAAAA0Aw=="},{"name":"Confirm","value":"AAAAAQAAAAEAAABlAw=="},{"name":"Red","value":"AAAAAgAAAJcAAAAlAw=="},{"name":"Green","value":"AAAAAgAAAJcAAAAmAw=="},{"name":"Yellow","value":"AAAAAgAAAJcAAAAnAw=="},{"name":"Blue","value":"AAAAAgAAAJcAAAAkAw=="},{"name":"Num1","value":"AAAAAQAAAAEAAAAAAw=="},{"name":"Num2","value":"AAAAAQAAAAEAAAABAw=="},{"name":"Num3","value":"AAAAAQAAAAEAAAACAw=="},{"name":"Num4","value":"AAAAAQAAAAEAAAADAw=="},{"name":"Num5","value":"AAAAAQAAAAEAAAAEAw=="},{"name":"Num6","value":"AAAAAQAAAAEAAAAFAw=="},{"name":"Num7","value":"AAAAAQAAAAEAAAAGAw=="},{"name":"Num8","value":"AAAAAQAAAAEAAAAHAw=="},{"name":"Num9","value":"AAAAAQAAAAEAAAAIAw=="},{"name":"Num0","value":"AAAAAQAAAAEAAAAJAw=="},{"name":"Num11","value":"AAAAAQAAAAEAAAAKAw=="},{"name":"Num12","value":"AAAAAQAAAAEAAAALAw=="},{"name":"VolumeUp","value":"AAAAAQAAAAEAAAASAw=="},{"name":"VolumeDown","value":"AAAAAQAAAAEAAAATAw=="},{"name":"Mute","value":"AAAAAQAAAAEAAAAUAw=="},{"name":"ChannelUp","value":"AAAAAQAAAAEAAAAQAw=="},{"name":"ChannelDown","value":"AAAAAQAAAAEAAAARAw=="},{"name":"SubTitle","value":"AAAAAgAAAJcAAAAoAw=="},{"name":"ClosedCaption","value":"AAAAAgAAAKQAAAAQAw=="},{"name":"Enter","value":"AAAAAQAAAAEAAAALAw=="},{"name":"DOT","value":"AAAAAgAAAJcAAAAdAw=="},{"name":"Analog","value":"AAAAAgAAAHcAAAANAw=="},{"name":"Teletext","value":"AAAAAQAAAAEAAAA/Aw=="},{"name":"Exit","value":"AAAAAQAAAAEAAABjAw=="},{"name":"Analog2","value":"AAAAAQAAAAEAAAA4Aw=="},{"name":"*AD","value":"AAAAAgAAABoAAAA7Aw=="},{"name":"Digital","value":"AAAAAgAAAJcAAAAyAw=="},{"name":"Analog?","value":"AAAAAgAAAJcAAAAuAw=="},{"name":"BS","value":"AAAAAgAAAJcAAAAsAw=="},{"name":"CS","value":"AAAAAgAAAJcAAAArAw=="},{"name":"BSCS","value":"AAAAAgAAAJcAAAAQAw=="},{"name":"Ddata","value":"AAAAAgAAAJcAAAAVAw=="},{"name":"PicOff","value":"AAAAAQAAAAEAAAA+Aw=="},{"name":"Tv_Radio","value":"AAAAAgAAABoAAABXAw=="},{"name":"Theater","value":"AAAAAgAAAHcAAABgAw=="},{"name":"SEN","value":"AAAAAgAAABoAAAB9Aw=="},{"name":"InternetWidgets","value":"AAAAAgAAABoAAAB6Aw=="},{"name":"InternetVideo","value":"AAAAAgAAABoAAAB5Aw=="},{"name":"Netflix","value":"AAAAAgAAABoAAAB8Aw=="},{"name":"SceneSelect","value":"AAAAAgAAABoAAAB4Aw=="},{"name":"Mode3D","value":"AAAAAgAAAHcAAABNAw=="},{"name":"iManual","value":"AAAAAgAAABoAAAB7Aw=="},{"name":"Audio","value":"AAAAAQAAAAEAAAAXAw=="},{"name":"Wide","value":"AAAAAgAAAKQAAAA9Aw=="},{"name":"Jump","value":"AAAAAQAAAAEAAAA7Aw=="},{"name":"PAP","value":"AAAAAgAAAKQAAAB3Aw=="},{"name":"MyEPG","value":"AAAAAgAAAHcAAABrAw=="},{"name":"ProgramDescription","value":"AAAAAgAAAJcAAAAWAw=="},{"name":"WriteChapter","value":"AAAAAgAAAHcAAABsAw=="},{"name":"TrackID","value":"AAAAAgAAABoAAAB+Aw=="},{"name":"TenKey","value":"AAAAAgAAAJcAAAAMAw=="},{"name":"AppliCast","value":"AAAAAgAAABoAAABvAw=="},{"name":"acTVila","value":"AAAAAgAAABoAAAByAw=="},{"name":"DeleteVideo","value":"AAAAAgAAAHcAAAAfAw=="},{"name":"PhotoFrame","value":"AAAAAgAAABoAAABVAw=="},{"name":"TvPause","value":"AAAAAgAAABoAAABnAw=="},{"name":"KeyPad","value":"AAAAAgAAABoAAAB1Aw=="},{"name":"Media","value":"AAAAAgAAAJcAAAA4Aw=="},{"name":"SyncMenu","value":"AAAAAgAAABoAAABYAw=="},{"name":"Forward","value":"AAAAAgAAAJcAAAAcAw=="},{"name":"Play","value":"AAAAAgAAAJcAAAAaAw=="},{"name":"Rewind","value":"AAAAAgAAAJcAAAAbAw=="},{"name":"Prev","value":"AAAAAgAAAJcAAAA8Aw=="},{"name":"Stop","value":"AAAAAgAAAJcAAAAYAw=="},{"name":"Next","value":"AAAAAgAAAJcAAAA9Aw=="},{"name":"Rec","value":"AAAAAgAAAJcAAAAgAw=="},{"name":"Pause","value":"AAAAAgAAAJcAAAAZAw=="},{"name":"Eject","value":"AAAAAgAAAJcAAABIAw=="},{"name":"FlashPlus","value":"AAAAAgAAAJcAAAB4Aw=="},{"name":"FlashMinus","value":"AAAAAgAAAJcAAAB5Aw=="},{"name":"TopMenu","value":"AAAAAgAAABoAAABgAw=="},{"name":"PopUpMenu","value":"AAAAAgAAABoAAABhAw=="},{"name":"RakurakuStart","value":"AAAAAgAAAHcAAABqAw=="},{"name":"OneTouchTimeRec","value":"AAAAAgAAABoAAABkAw=="},{"name":"OneTouchView","value":"AAAAAgAAABoAAABlAw=="},{"name":"OneTouchRec","value":"AAAAAgAAABoAAABiAw=="},{"name":"OneTouchStop","value":"AAAAAgAAABoAAABjAw=="}]]}
mendel129 said:
No problem, didn't had time myself
Well, there basically 2 webservers/-services running.
One nginx on tcp:80, and something else on tcp:52323 (tcp header contains: Server=Linux/2.6 UPnP/1.0 KDL-42W655A/1.7)
actionlist is "gone", but i'm trying to capture network traffic from the official sony app to figure out the new location
--edit--
ok, so there's an entire "json conversation" going on http://ip:80/sony/system
--edit2--
bingo
....
Click to expand...
Click to collapse
This is all good. It would be great if we find the url that actually returns the list of APIs. Have you tried http://ip:80/sony/system to see what it returns in the browser?
etrosce said:
This is all good. It would be great if we find the url that actually returns the list of APIs. Have you tried http://ip:80/sony/system to see what it returns in the browser?
Click to expand...
Click to collapse
just browsing to the "site" just gives an empty page...
it only reply's on json requests
all commands i've found so far are from capturing traffic from my android tablet
check here: http://mendelonline.be/sony/sony.txt
further, the "register" function exists, but it not really necesarry...
i noticed the sony tablet app registering, but i can just send commands from upnpspy directly from my pc without registering...
another thingy: wol is just basic wake on lan
I received an email from the creator of the windows app that works for our 2013 model bravia. (http://falcosoft.hu/softwares.html#sony_virtual_remote)
Hi,
I would like to share my experiences with you, maybe it can help in the
investigation of the new API structure.
1. The registered status is not required in 2011/12 Sony TV models either to
send pure IRCC SOAP messages (or use the X_SendIRCC UPnP service) .
2. The registered status is required to get meaningful response from url
based API functions (e.g sendText, getText, getRemoteCommandList etc..)
So just an idea: You should try to test these new URL based commands with a
registered status. To achieve this:
1. You should make a new registration and send these data with your browser
2. Use an existing registration e.g. Falcosoft's Sony Virtual Remote and
send the program's data with your browser.
I suggest to use Firefox with Modify Headers plugin. For option 2 here are
the required header fields:
'X-CERS-DEVICE-ID' -> 'vaio:11111111-D7A0-11DD-119C-6D990C3C4529' ;
'X-CERS-DEVICE-INFO' -> 'falco_virtual_remote' ;
Best Regards:
Zoltán Bacskó
Falcosoft
Ps: If you can ask the topic owner to authorize my xda-developers account to
send posts to this topic I would be grateful. My new xda-developers account
is 'Falcosoft'
mendel129 said:
I received an email from the creator of the windows app that works for our 2013 model bravia. (http://falcosoft.hu/softwares.html#sony_virtual_remote)
Hi,
I would like to share my experiences with you, maybe it can help in the
investigation of the new API structure.
1. The registered status is not required in 2011/12 Sony TV models either to
send pure IRCC SOAP messages (or use the X_SendIRCC UPnP service) .
2. The registered status is required to get meaningful response from url
based API functions (e.g sendText, getText, getRemoteCommandList etc..)
So just an idea: You should try to test these new URL based commands with a
registered status. To achieve this:
1. You should make a new registration and send these data with your browser
2. Use an existing registration e.g. Falcosoft's Sony Virtual Remote and
send the program's data with your browser.
I suggest to use Firefox with Modify Headers plugin. For option 2 here are
the required header fields:
'X-CERS-DEVICE-ID' -> 'vaio:11111111-D7A0-11DD-119C-6D990C3C4529' ;
'X-CERS-DEVICE-INFO' -> 'falco_virtual_remote' ;
Best Regards:
Zoltán Bacskó
Falcosoft
Ps: If you can ask the topic owner to authorize my xda-developers account to
send posts to this topic I would be grateful. My new xda-developers account
is 'Falcosoft'
Click to expand...
Click to collapse
Interesting fact that that app works for you. I think this is because that app uses some hardcoded data by default while BraviaControl completely relies on the APIs exposed by the services. It looks like some APIs where left there "hidden" for backward compatibility purposes. I think we should try something like: Cannot find the APIs?, try to force the use. In your case, it may partially (or completely, why not?) work.
Anyway, all that json conversation looks like to be the new way to comunicate with the TV, so, it will be nice to implement that sometime too.
Thanks! I have already set up the code in the cloud. Will be sending the details on how to access it soon (Sorry, I don't currently have very much time free for this project, so bear with me )
Hi All,
I've just managed to successfully intercept and change the whitelist for a flashed chromecast.
Steps:
Load custom cert onto device (replace nssdb with custom one) - nssdb I used and certs available here https://mega.co.nz/#!05wmDR4T!OMkBXwfO9D1wktt2bQpSwjNZ_Y9PB8q_Ryk3zSx4k1c
Load MITM on a linux host, route default gateway at linux host.
Route just google range towards MITM (so nothing else gets caught and just gets redirected)
iptables -t nat -A PREROUTING -p tcp -s 192.168.178.146 -m iprange --dst-range 74.125.237.0-74.125.237.255 -j REDIRECT --to-port 8080
load mitmproxy with
"mitmproxy -T --host -s chromefree.py"
chromefree.py is available https://mega.co.nz/#!doJX1YDS!TT3lolbgXta24QOpbj40PBAYRetZkH1s9cIvQBslBN8
note that chromefree.py refrences json.dat (which requires a gzip'd json file)
example json files are available here https://mega.co.nz/#!ghwAEI7D!a-HwECm4w_8XKfdaaZOLgFrVTx9B8xLMOYJchi1PAUY
(with this I redirected youtube to a local news site, so attempting to cast to youtube pulls up stuff.co.nz)
Appears to work well, here's a picture of my TV running the revision 3 app
http://i.imgur.com/nhLI0oC.jpg
While I applaud this news, this could likely be the reason why Google has been slow to throw the doors open. The big name media providers are probably really leaning on Google to make sure these kinds of hacks can't possibly take place.
While everyone knows that no system is infallible, I'm sure that Google is under pressure to make sure that the device is as airtight as it can possibly be, and then some, before permitting the SDK to be formally released to the public.
mkhopper said:
While I applaud this news, this could likely be the reason why Google has been slow to throw the doors open. The big name media providers are probably really leaning on Google to make sure these kinds of hacks can't possibly take place.
While everyone knows that no system is infallible, I'm sure that Google is under pressure to make sure that the device is as airtight as it can possibly be, and then some, before permitting the SDK to be formally released to the public.
Click to expand...
Click to collapse
Do you really think that people would be spending so much time trying to circumvent the whitelisting if the content was available from the get go. I was very optimistic at the start but losing patience now. I bought three and was ready to buy more, but will wait and see what happens. Don't want to invest more money and time into something that might not have a future. It is sad because it has the unprecedented potential for so many different uses.
Can this be dumbed down for the newbs
ramirez3805 said:
Can this be dumbed down for the newbs
Click to expand...
Click to collapse
I plan to have a service available for rooted chromecast in the next few days that allows access to non-google approved applications.
Kyonz said:
I plan to have a service available for rooted chromecast in the next few days that allows access to non-google approved applications.
Click to expand...
Click to collapse
Cant wait!!!:good:
networx2002 said:
Cant wait!!!:good:
Click to expand...
Click to collapse
You don't have to! I just released last night http://forum.xda-developers.com/showthread.php?t=2516164
Kyonz said:
Appears to work well, here's a picture of my TV running the revision 3 app
http://i.imgur.com/nhLI0oC.jpg
Click to expand...
Click to collapse
What did you use as the sender app?
so i have a question how do you load up an app for use in chromecast now that i have done this ? sorry for sounding so noobish but just wondering.
ahecht said:
What did you use as the sender app?
Click to expand...
Click to collapse
I used the demo html app sender to launch it (sorry not entirely sure on the name as I haven't started developing for chromecast yet). I'd really like to see someone try to reverse engineer the data that the receivers require and build apps out for these though.
BurnOmatic said:
so i have a question how do you load up an app for use in chromecast now that i have done this ? sorry for sounding so noobish but just wondering.
Click to expand...
Click to collapse
This really is a DEV thread in that it provided the exploit for chromecast, app launching would be through the demo dev apps - please check out Kyocast (http://forum.xda-developers.com/showthread.php?t=2516164) if you haven't and note that there are better things coming
Kyonz said:
I used the demo html app sender to launch it (sorry not entirely sure on the name as I haven't started developing for chromecast yet). I'd really like to see someone try to reverse engineer the data that the receivers require and build apps out for these though.
Click to expand...
Click to collapse
I must be dense, as I can't make heads or tails of the Chromecast API (I usually can't understand Google's documentation for the Android API either, but there are plenty of third-party resources for that). What do you use for Launch Parameters in the demo app?
Which boot loader number is vulnerable ? I can#t find the infos :/
12alex21 said:
Which boot loader number is vulnerable ? I can#t find the infos :/
Click to expand...
Click to collapse
Only build 12072 has a vulnerable bootloader. You have to boot into the stock OS and set the Chromecast up (on a Wi-Fi network which doesn't connect to the internet or else it will update automatically) to check the build number.
So I just saw the the little news about towelroot on the xda front page I'm wondering if that would work with the chromecast? Should I unplug this thing to stop updates or what?
Asadullah said:
So I just saw the the little news about towelroot on the xda front page I'm wondering if that would work with the chromecast? Should I unplug this thing to stop updates or what?
Click to expand...
Click to collapse
Sadly, I don't think it has any effect on Chromecast.
The trouble is that towelroot is an APK.
Chromecast won't let you sideload APKs due to whitelist.
Non-vulnerable Chromecast won't load unsigned code from bootloader/recovery.
Because you can't "just run an app" the way to get root on Chromecast is by flashing a pre-rooted ROM.
The only way to flash a ROM is to use FlashCast, which requires a vulnerable bootloader, because FlashCast is not signed by Google.
Non-vulnerable bootloaders will only run Google-signed code.
Thus, the existing root methods for Chromecast remain:
FlashCast on vulnerable bootloaders only
Replace the firmware/bootloader via physical chip removal and reprogramming
Once the bootloader gets (auto) updated, you can't flash anything because the bootloader will not execute FlashCast.
Another possibility would be to use a Chrome sandbox escape vulnerability and try to execute the kernel exploit this way - good luck with that :/
deeper-blue said:
Another possibility would be to use a Chrome sandbox escape vulnerability and try to execute the kernel exploit this way - good luck with that :/
Click to expand...
Click to collapse
That's an idea, but the trick is getting Chrome to execute the exploit to begin with... Essentially the Chromecast whitelist acts like parental control on a router - Chromecast can only access approved addresses unless it's been made a developer unit.
bhiga said:
That's an idea, but the trick is getting Chrome to execute the exploit to begin with... Essentially the Chromecast whitelist acts like parental control on a router - Chromecast can only access approved addresses unless it's been made a developer unit.
Click to expand...
Click to collapse
And even if you could manage to get it to run inside CCast Chrome...I'm sure the Sandbox seals it off from making any changes to the root or bootloader status.
bhiga said:
That's an idea, but the trick is getting Chrome to execute the exploit to begin with... Essentially the Chromecast whitelist acts like parental control on a router - Chromecast can only access approved addresses unless it's been made a developer unit.
Click to expand...
Click to collapse
There is one thing that comes to mind. The Netflix client on the Chromecast runs as native code out of /netflix/. I have a feeling there is some sort of vulnerability exposed there
neobear said:
There is one thing that comes to mind. The Netflix client on the Chromecast runs as native code out of /netflix/. I have a feeling there is some sort of vulnerability exposed there
Click to expand...
Click to collapse
possible... but you gotta find it, use it, then hope the big G doesn't push an update to fix it soon after.
-= this post enhanced with bonus mobile typos =-
neobear said:
There is one thing that comes to mind. The Netflix client on the Chromecast runs as native code out of /netflix/. I have a feeling there is some sort of vulnerability exposed there
Click to expand...
Click to collapse
Still have the issue being that the only way to launch it is via Netflix...
bhiga said:
possible... but you gotta find it, use it, then hope the big G doesn't push an update to fix it soon after.
-= this post enhanced with bonus mobile typos =-
Click to expand...
Click to collapse
even if they do it can be rooted therefore and updates blocked.. hence mission accomplished... like Sony's ps3.. I think sunny finally had given up now...
Sent from my Nexus 5 using Tapatalk
persianrisk said:
even if they do it can be rooted therefore and updates blocked.. hence mission accomplished... like Sony's ps3.. I think sunny finally had given up now...
Click to expand...
Click to collapse
Yes, much like the current bootloader exploit that FlashCast uses. It becomes major cat-and-mouse because Chromecast auto-updates without waiting for user intervention though.
Sony can give up more easily because a game console's success is not as heavily tied to content providers. Chromecast, on the other hand, would be sunk without any apps. Let's face, Chromecast for YouTube alone just won't cut it, even at $35.
bhiga said:
Yes, much like the current bootloader exploit that FlashCast uses. It becomes major cat-and-mouse because Chromecast auto-updates without waiting for user intervention though.
Sony can give up more easily because a game console's success is not as heavily tied to content providers. Chromecast, on the other hand, would be sunk without any apps. Let's face, Chromecast for YouTube alone just won't cut it, even at $35.
Click to expand...
Click to collapse
I understand. but Sony is equally tied to game content and also other media providers - hence when it was hacked its a bigger problem as some choose not to purchase their games whereas with rooted Chromecast you are still paying for the services even if using a proxy...
Sent from my Nexus 5 using Tapatalk
persianrisk said:
I understand. but Sony is equally tied to game content and also other media providers - hence when it was hacked its a bigger problem as some choose not to purchase three have whereas with rooted Chromecast you are still paying for the second albeit unusually through a proxy...
Click to expand...
Click to collapse
True, it does create an interesting secondary market.
Hi, I bought a Lenovo Smart Clock with the google assistant,
Here are some details from the box:
Wifi Hemp Grey 1G+8G
Lenovo Smart Clock
Model: Lenovo CD-24501F
Lenovo CD-24501F 1G+8GGRW-CA
CPU MediaTek * MT81675
Display 3.97 inch 480*800 WVGA IPS
Memory LP DDR3 1GB
WLAN 802.11 A/B/G/N/AC+BT5.0
OS Android things w/ Google Assistant
Battery No Battery
Click to expand...
Click to collapse
After setting it up and trying it for a few days I looked around online and I don't see much specifically about this device and if it can be modified or accessed in unconventional ways. can we root it? I would love to be able to cast to it youtube etc. HDMI out anyone? Has anyone else tinkered with it yet? The '1G+8G' marking on the box seems to suggest it has a 1GB of flash presuming to be for the android things OS and another 8GB of flash for apps or media or caches?
Here is details from the Google Home App:
System Firmware Version: OIMF.191015.004
Cast Firmware Verstion: 1.42.180336
Google Assistant Smart Clock application version: 6.27.8+prod.1.1.0.5961405
Language: English (Canada)
Country Code: CA
IP Address: 192.168.1.100
Click to expand...
Click to collapse
Info from the foot on the bottom (SN obfuscated):
Lenovo Smart Clock Model: Lenovo CD-24501F
Manufactured for Lenovo PC HK Limited Factory ID: LCHZ
FCC ID: O57CD24501F IC: 10407A-CD24501F Made in China
CAN ICES-3 (B)/NMB-3(B) S/N: ########-## Mfg: 2019-10-30
Click to expand...
Click to collapse
Here is NMAP of its ip address:
8008/tcp open http
8009/tcp open ajp13
8443/tcp open https-alt
9000/tcp open cslistener
10001/tcp open scp-config
Click to expand...
Click to collapse
The price was pretty low, $50CAD at best buy, I cant wait to see what people can do to hack it. Other smart displays seem to have USB/ADB/Fastboot connections, I havnt found one on this device yet.
I too would like to see some custom stuff on this cool little clock.
Yessss! It would be nice!
Open smartclock
Hi,
Does anyone know how to open this smartclock thanks.
Regards
Bob
We haven't hacked any google assistant devices yet that I know off, in fact, I dont think we even hacked android things yet. I am sure there is somebody that is trying to hack android things. Btw, youtube can be watched on the clock, by going to something like the weather page > taping weather.com > going to the menu > download app, clicking on the download on the app store logo, going to the menu, support, go to apple support youtube channel, taping the YouTube icon. It's only in 480p, I tried it, I would rather watch on my phone or tablet, also the video will stop and the clock will go back to home if you wait to long without touching the screen or wake up the google assistant. Other than that. Playback is smooth.
---------- Post added at 04:24 AM ---------- Previous post was at 04:20 AM ----------
snipes420 said:
Hi, I bought a Lenovo Smart Clock with the google assistant,
Here are some details from the box:
After setting it up and trying it for a few days I looked around online and I don't see much specifically about this device and if it can be modified or accessed in unconventional ways. can we root it? I would love to be able to cast to it youtube etc. HDMI out anyone? Has anyone else tinkered with it yet? The '1G+8G' marking on the box seems to suggest it has a 1GB of flash presuming to be for the android things OS and another 8GB of flash for apps or media or caches?
Here is details from the Google Home App:
Info from the foot on the bottom (SN obfuscated):
Here is NMAP of its ip address:
The price was pretty low, $50CAD at best buy, I cant wait to see what people can do to hack it. Other smart displays seem to have USB/ADB/Fastboot connections, I havnt found one on this device yet.
Click to expand...
Click to collapse
I plugged in an android device to the clock, and it came up with some message, I dont remember what itsaid, it was either for adb debugging or transferring files over usb. I think it was transfering files over usb. The usb port does allow data transfer. Plugging in a USB mouse will make a mouse show up and can move for example.
It probably isn't much but you can go to ip.of.smart.clock:8008/setup/eureka_info in a web browser to view the basic info of the device
Home Assistant
It could be great to have some custom home assistant displayed on smart clock screen instead of clock
Apparently it's possible to plug in a keyboard and/or mouse to it via the USB port on the back (a cursor will appear).
Just got one of these myself today. Best Buy had em for 40 bucks. Quite the awesome little thing. I'm really surprised I can't find much for it.
I'll see if maybe I can buy a second one to purposely "break" (just in case), and see if I can get anything working on it. The little screen is good quality and has great sound. Would be cool for a mini emulation station of some kind
Update: Realized mine doesn't have the usb-c port under the rubber feet like other's have stated here its supposed to. Really don't wanna tear into the carpeting around it. I have the exact same model as first post
Plugging in a usb keyboard works for typing
update 2: navigated my way to youtube and tried downloading an apk from a direct link, downloads don't work period
update 3: can not get device recognized by a pc via plugging in USB port on the back to a USB-C port on my laptop, also tried USB-A to USB-A, no results
Update 4 lol: Unlocked the bootloader, had to have device manager search online for the driver, but it found it and installed it just fine. to unlock the bootloader, simply type
Code:
fastboot flashing unlock
KaptinBoxxi said:
Update 4 lol: Unlocked the bootloader, had to have device manager search online for the driver, but it found it and installed it just fine. to unlock the bootloader, simply type
Code:
fastboot flashing unlock
Click to expand...
Click to collapse
Hello KaptinBoxxi,
How did you manage to unlock the bootloader, did you use ADB on computer via USB? or directly via a pluged in keyboard?
I'm a bit new to all of those types of hack but I'm very interested in getting into that since this device is small, cheap, good quality and could be a perfect smart display if there was any abilities to extend the frontend to better use cases.
Thanks
gussir said:
Hello KaptinBoxxi,
How did you manage to unlock the bootloader, did you use ADB on computer via USB? or directly via a pluged in keyboard?
I'm a bit new to all of those types of hack but I'm very interested in getting into that since this device is small, cheap, good quality and could be a perfect smart display if there was any abilities to extend the frontend to better use cases.
Thanks
Click to expand...
Click to collapse
Fastboot via computer. Although, if this is the first device you're picking up, I'd recommend it not be. No one's really done much with cracking/hacking Android Things (the version of Android that runs on this) as it isn't a full version of android. Its heavily stripped down. Grab an old phone that has a ton of support for modding/hacking but isn't exactly the easiest and do that. I'd recommend a Sprint variant of the HTC One M7 if you want a real challenge. I had to find my own custom method to S-OFF the device, unlock the bootloader, then ROM it and root it as no tutorials worked that were currently up and I wasn't willing to pay to unlock it. If that sounds a little too high end for now, get something like an unlock Galaxy S4 or Verizon Galaxy S5 and hope its a Toshiba model so you can unlock the bootloader
KaptinBoxxi said:
Fastboot via computer. Although, if this is the first device you're picking up, I'd recommend it not be. No one's really done much with cracking/hacking Android Things (the version of Android that runs on this) as it isn't a full version of android. Its heavily stripped down. Grab an old phone that has a ton of support for modding/hacking but isn't exactly the easiest and do that. I'd recommend a Sprint variant of the HTC One M7 if you want a real challenge. I had to find my own custom method to S-OFF the device, unlock the bootloader, then ROM it and root it as no tutorials worked that were currently up and I wasn't willing to pay to unlock it. If that sounds a little too high end for now, get something like an unlock Galaxy S4 or Verizon Galaxy S5 and hope its a Toshiba model so you can unlock the bootloader
Click to expand...
Click to collapse
Thanks a lot for your feedback, I'll start on with something easier and will definitively follow along with this thread to see how the hacking of this device is evolving. have a good day
KaptinBoxxi said:
Just got one of these myself today. Best Buy had em for 40 bucks. Quite the awesome little thing. I'm really surprised I can't find much for it.
I'll see if maybe I can buy a second one to purposely "break" (just in case), and see if I can get anything working on it. The little screen is good quality and has great sound. Would be cool for a mini emulation station of some kind
Update: Realized mine doesn't have the usb-c port under the rubber feet like other's have stated here its supposed to. Really don't wanna tear into the carpeting around it. I have the exact same model as first post
Plugging in a usb keyboard works for typing
update 2: navigated my way to youtube and tried downloading an apk from a direct link, downloads don't work period
update 3: can not get device recognized by a pc via plugging in USB port on the back to a USB-C port on my laptop, also tried USB-A to USB-A, no results
Update 4 lol: Unlocked the bootloader, had to have device manager search online for the driver, but it found it and installed it just fine. to unlock the bootloader, simply type
Code:
fastboot flashing unlock
Click to expand...
Click to collapse
Were you able to use adb?
I found a deal on this device and am debating if I should buy it. The thing is, I wanna run Spotify on it without voice commands. ;D
-gloim- said:
Were you able to use adb?
I found a deal on this device and am debating if I should buy it. The thing is, I wanna run Spotify on it without voice commands. ;D
Click to expand...
Click to collapse
You can use a Python Library called Pychromecast to remotely play media on it.
TheRookie_ said:
You can use a Python Library called Pychromecast to remotely play media on it.
Click to expand...
Click to collapse
Thank you for the recommendation. I actually meant that I want to control the music from the screen, though. : )
Installing Spotify should probably be possible if adb is working. But, I would still need to figure out some way to launch Spotify without opening the app over adb every time.
I have posted development related resources over in this thread
https://forum.xda-developers.com/co...me/lenovo-smart-clock-bootloader-avb-t4130295
Can anyone tell me how install hindi support for the Google assistant?