Middle Of Tech Ramblings of tech, software development, chocolate, marathons…


Sonos Hacking – The Final Post

This has been a long time in coming, without really too much good news on the hack front. I wanted to compile the information that we have so far, so that if someone is interested they can maybe take what's been learned here and do something with it. A strong caveat is that Sonos has been actively working on the firmware updates and this information is more than likely out of date.


Another caveat, messing with this stuff can ruin very expensive hardware/software. Mess around with this stuff at your own risk.


Here's what we know so far.

1.) The firmware uses CramFS.

2.) The root password is encrypted on the bridge, but is (was?) wide open on the S5.

3.) The firmware is pretty easy to get to. If you look at the http links in my previous Sonos post and view the source of some of the pages, the link to the firmware can be found in there. Just search within the source for "firmware". You are looking for a giant link in the source that includes your Sonos ID (SID). The links are dynamically created for every Sonos household. Put the link that you find in your browser and it will spit out a firmware file.

4.) There are some html files in the firmware called "dealernetsetup.htm"  which could be useful to see if the Sonos is broadcasting? Don't enable this though, it will set the SSID to some demo SSID and you won't be able to revert it. You'll need to do a hard reset it to get it back.

5.) Looks like you can also change the country of your Sonos utilizing the region.htm.

6.) Haven't been able to telnet or ssh into the S5.

7.) http://Sonos's IP address:1400/status/jffs/upgrade.log. The download link for the firmware should be in here as well.

8.) Use "binwalk" and "firmware mod kit" to unpack and analyze the cramfs. This only works on linux.


Some hack ideas for the Sonos.

1.) Making the Sonos work over standard wifi and bypass the bridge equipment. The bridge simply acts as a literal "bridge" N router. This was the main goal I had in mind, but wasn't able to make it happen. I had setup an Ubuntu machine that ran some of the scripts found in the firmware, but never was able to get this to work.

2.) Apple Airtunes integration.

3.) Creating your own speaker clients without having to purchase Sonos gear. Emulating an S5 using a small computer, etc...

Filed under: Tech Leave a comment
Comments (5) Trackbacks (0)
  1. Nice work! Surprised there isn’t more of an interest in the hacking community for Sonos.

  2. Adam – I really am as well. When I started out messing with the stuff, I was thinking I’d find a lot more.

  3. unlock.htm starts telnetd. THe correct input is a HEX representation private.key file on the device. Once telnetd is running you can well, telnet to the device. The root password is on ALL devices. We need a hardware person who can interact with the bootloader via JTAG. The bootloader will need to be unlocked to allow modified firmware to be loaded.

  4. I use 7zip to unpack the cramfs file.
    I don’t have an play5; can somebody send me the root password?
    Also, the signature is based on a md5 hash which is promising for a prefix-collision attack

  5. address also provides a lot of technical information http://192.168.1.xxx:1400/support/aggregate

Leave a comment

No trackbacks yet.