Things on Unix, bytes, and SF.
Sharp sells some TVs with the “Aquos” brand that have some neat embedded media features. One of the advertised features is a “web browser” — only it’s locked down to only display approved widgets. Ugh.
I found a way to liberate it from its walled garden by hijacking its requests to the server that serves the widgets and serving back other things. Since it lets you add bookmarks for URLs (but wont let you edit the URL content), it’s possible to bookmark something like Google and just search for the URL or sites you want to browse to.
Here’s how I convinced it to bookmark “http://google.com”.
Step one in this cunning plan is to re-direct HTTP requests from the television to go to my laptop. In order to support it still reaching the internet, I enabled IP routing on my linux machine with
sysctl -w net.ipv4.conf.all.forwarding=1
and then masqueraded all IP traffic going out with
iptables -t nat -A POSTROUTING -o [OUTGOING INTERFACE] -j MASQUERADE"
Then, I started up arpspoof with
arpspoof -i [INTERFACE] -t [TV IP] [GATEWAY]
to fake out the TV into routing traffic through my laptop instead of its normal default gateway.
I then added an iptables rule to redirect DNS traffic to my computer with
iptables -t nat -A PREROUTING -d [REAL DNS SERVER IP] -p udp --dport 53 -j DNAT --to-destination [MY IP]
iptables -t nat -A PREROUTING -d [MY IP] -p udp --dport 53 -j REDIRECT --to-ports 5353"
I then started dnsmasq as an easy-to-start DNS server that could be used to send fake responses to DNS requests so that connections to “www.aquos.net” could be resolved to my IP.
I invoked it with:
dnsmasq --listen-address=[MY IP] --address=/www.aquos.net/[MY IP] --no-daemon --log-queries --port=5353"
Next, I created a temporary directory and started a simple HTTP server to serve it:
mkdir -p ~/tmp/foo && \ cd ~/tmp/foo && \ python -mSimpleHTTPServer
I then created a simple HTML file in there that had a single anchor tag pointing to “http://google.com”
As the TV access their site with HTTPS, I had to create a fake certificate:
openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt openssl rsa -in server.key -out server.key.insecure mv server.key server.key.secure mv server.key.insecure server.key
And started up stunnel:
stunnel -p server.pem -d [MY IP]:4343 -r 127.0.0.1:8000 -f -P ''
I needed some iptables rules to redirect TCP/80 and TCP/443 to my servers started on un-privileged ports. So I:
iptables -t nat -A PREROUTING -d [MY IP] -p tcp --dport 80 -j REDIRECT --to-ports 8000 iptables -t nat -A PREROUTING -d [MY IP] -p tcp --dport 443 -j REDIRECT --to-ports 4343
Then, I fired up the browser and was immediately presented with a file index of my directory! Hurrah! I clicked on the link to Google, bookmarked the page, and then used the TV browser in the manner that Vint intended.