I’ve tried looking everywhere for an alternative to the horrible app Harman Kardon made for the AVR Series Receivers. They refused to disclose how it works. Screw them.

So naturally I tried all the good script kiddie stuff like nmap. Right away I found an open web server on ports 80 and 8080. Port 8080 turned out to be useless and was just part of the DLNA functionality, and port 80 refused all connections. Next I wiresharked the stereo. It turned out to be a very noisy affair, but alas I found some HTTP POSTs to port 10025, in XML format. It looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<harman>
  <avr>
    <common>
      <control>
        <name>volume-up</name>
        <zone>Main Zone</zone>
        <para />
      </control>
    </common>
  </avr>
</harman>

This can be sent using wget, although you won’t get a response, so you’ll need to kill wget yourself after sending.

wget --quiet \
 --method POST \
 --header 'content-type: application/xml' \
 --header 'cache-control: no-cache' \
 --body-data '<?xml version="1.0" encoding="UTF-8"?>\n<harman>\n <avr>\n <common>\n <control>\n <name>volume-up</name>\n <zone>Main Zone</zone>\n <para />\n </control>\n </common>\n </avr>\n</harman>' \
 --output-document \
 - http://192.168.1.177:10025/

I cannot yet find a detailed list of commands, but the great thing is that it takes a string, not some complicated or obfuscated code.
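The same request from Python, as an added example that is not code from the original post: it builds the XML with a proper serializer so the command name is escaped, and uses a socket timeout so the missing response does not leave the client hanging the way wget does. The function names and the 2-second timeout are assumptions; the port, path, headers and XML layout are the ones shown above.

```python
import socket
import xml.etree.ElementTree as ET

AVR_PORT = 10025  # port seen in the capture described in the post


def build_body(name, zone="Main Zone"):
    """Return the <harman> command document as UTF-8 bytes.

    ElementTree escapes <, > and & in the text, so an arbitrary
    command string cannot break the document structure.
    """
    root = ET.Element("harman")
    common = ET.SubElement(ET.SubElement(root, "avr"), "common")
    control = ET.SubElement(common, "control")
    ET.SubElement(control, "name").text = name
    ET.SubElement(control, "zone").text = zone
    ET.SubElement(control, "para")  # empty, serialized as <para />
    declaration = b'<?xml version="1.0" encoding="UTF-8"?>\n'
    return declaration + ET.tostring(root, encoding="utf-8")


def build_request(host, body, port=AVR_PORT):
    """Wrap the body in a minimal HTTP POST with an exact Content-Length."""
    head = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


def send_command(host, name, zone="Main Zone", port=AVR_PORT, timeout=2.0):
    """Send one command; return any reply bytes, or b"" if none arrives.

    The post reports that the receiver never answers, so a read timeout
    is treated as the normal outcome rather than as an error.
    """
    request = build_request(host, build_body(name, zone), port)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""

# Usage, with the address from the wget command above:
#   send_command("192.168.1.177", "volume-up")
```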

Later on I’ll create a Wireshark filter for this XML, and mash buttons inside the app to collect some valid names of instructions.
