Middle Of Tech Ramblings of tech, software development, chocolate, marathons…


Sonos Hacking – Hidden Sonos Http Pages

A while back I posted how to get the Sonos Controller up and running in Ubuntu. (It actually installs rather nicely on Wine.) However, I wiped my Ubuntu install on my netbook and switched to a nightly build of Chromium OS, so I lost my Sonos controller from my netbook. This has prompted me to see if I can somehow roll my own Sonos Controller on Chromium OS. From the research I've done so far (pretty limited) it seems that Sonos uses UPnP for its interaction and music control. I was hoping for a more REST style HTTP type API, but not so much. I have found several hidden HTTP pages that seem to be served on port 1400, though, that seem interesting. I'll post more once I delve into the dragons of UPnP and Sonos.

  • http://192.168.1.XXX:1400/reboot - Reboots the Sonos
  • http://192.168.1.XXX:1400/advconfg.htm - Not quite sure what this is doing, it has an enable/disable list box and the ability to submit the selection.
  • http://192.168.1.XXX:1400/support/review - Lists a brief summary of the connected devices on your Sonos network.
  • http://192.168.1.XXX:1400/status - Has several links that provide status information regarding the Sonos. There are ~30ish links on this page. Some of the more interesting ones are "dmesg", "mount", and "upnp"
  • http://192.168.1.XXX:1400/unlock.htm - Not sure what this one does, but seems like it could be potentially interesting. All that the page provides is a text box and a "submit" button.


Filed under: Tech
Comments (63) Trackbacks (0)
  1. Hey,
    I got the UPD file too. I opened it in a text editor and it comes up with part of an sh script and then a bunch of gibberish. I’m assuming the upd combines a shell script and the update bit. I’m going to try to see if I can dump it somehow.

  2. Yes, the upd file has got a format. Try to find the magic 4 bytes. Each part is a 16 byte header containing a magic, type, length and a data part. Start with the script part. Heads up: Models 13&14 are encrypted :(

  3. Finally I got the .upd extracted. First I booted into Kali Linux and used binwalk to extract the first bit of the file. Then I used the firmware-mod-kit and the uncramfs tool to extract the final part. I’m not sure if this is the updated file system or a temp upgrade system acting as an intermediate when the new data gets written to the NAND flash. If anybody wants the dumped FS, I will be willing to put it up. -jm

  4. Hi Jack,

    I’d be interested in the dumped FS. Let me know if you’re able to share.

  5. As I’m assuming you have a Sonos, I’d be willing to. However, some information:

    – the OS contains many binaries which I can’t decompile
    – it’s an intermediary OS which runs an “upgrade” command to pull new data from the sonos servers.
    – it’s compiled for ARM (possibly?) but definitely NOT x86.

  6. Just as a hint – it's compiled for sh4 architecture. Binaries run fine, for example, in a sh4 port of Debian, running in qemu.

    If you have a look at the first comments-page of this page, you'll find a lot of useful information from 3 years ago.

    Nice to see someone else working on it after some years of not hearing something.

  7. Which one is sh4 – all of them, or just an old PLAY:5, new PLAY:5, etc?
    PS- I really wish there was a Linux program decompiler. Unless I’m missing something, that would be a really good tool for a project like this.

  8. I know these architectures and their model numbers:
    – ppc = 1.8, 1.9, 1.16, 1.17
    – mipsb = 1.5, 1.7, 1.12
    – arm = 1.6
    – sh4 = 1.1, 1.2
    I know an old play5 has model 1.16. I haven’t got a model play5v2 so I cannot find out.

  9. I just checked online; the play5v2 has modelnumber 1.13. Both modelnumber 13&14 are encrypted. Model14 is the new playbase/playbar_v2…

  10. Just found a new codename in the bin/upgrade(.elf) binary:


  11. Oooh, that’s new. I still need some sort of UNIX decompiler/disassembler.

    Also shameless plug: if you want to do some Sonos hacking, I have a Discord for that.


  12. I joined Discord. Everyone else can join as well, I expect? It's indeed easier to discuss some details there.
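The part layout described in comment 2 (a 16-byte header carrying a magic, a type and a length, followed by the data), sketched as a parser. This is an added example, not code from the post or from any commenter. The `MAGC` magic is a placeholder because the real four bytes are not given on this page, and the field widths, little-endian byte order, data-only length and the sample's type values are assumptions.

```python
import struct
from typing import Iterator, NamedTuple

HEADER_LEN = 16          # per the comment thread: each part has a 16-byte header
MAGIC = b"MAGC"          # placeholder; the real 4 magic bytes are not given on the page
# Assumed layout (not confirmed by the page): magic[4] | type u32 | length u32 |
# 4 unused bytes, little-endian, with length counting the data bytes only.
HEADER = struct.Struct("<4sII4x")


class Part(NamedTuple):
    offset: int   # file offset of the part header
    type: int     # raw type field
    data: bytes   # payload following the header


def iter_parts(blob: bytes, magic: bytes = MAGIC) -> Iterator[Part]:
    """Yield each part, scanning forward to the next magic after every payload."""
    pos = blob.find(magic)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            raise ValueError(f"truncated header at {pos:#x}")
        _, ptype, length = HEADER.unpack_from(blob, pos)
        end = pos + HEADER_LEN + length
        if end > len(blob):
            # A bad length usually means a wrong layout guess or a cut-off download.
            raise ValueError(f"part at {pos:#x} claims {length} bytes past end of file")
        yield Part(pos, ptype, blob[pos + HEADER_LEN:end])
        pos = blob.find(magic, end)


def build_sample() -> bytes:
    """Constructed sample image (made-up type values 1 and 2): script, then binary."""
    script = b"#!/bin/sh\necho upgrade\n"
    payload = bytes(range(32))
    return (HEADER.pack(MAGIC, 1, len(script)) + script
            + HEADER.pack(MAGIC, 2, len(payload)) + payload)


if __name__ == "__main__":
    for part in iter_parts(build_sample()):
        kind = "script" if part.data.startswith(b"#!") else "binary"
        print(f"{part.offset:#06x} type={part.type} len={len(part.data)} {kind}")
```

A length that runs past the end of the file is reported as an error instead of being silently clipped, which is the quickest signal that the guessed field layout or byte order does not match a real image.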
