Things on Unix, bytes, and SF.
Sharp sells some TVs with the “Aquos” brand that have some neat embedded media features. One of the advertised features is a “web browser” — only it’s locked down to only display approved widgets. Ugh.
I found a way to liberate it from its walled garden by hijacking its requests to the server that serves the widgets and serving back other things. Since it lets you add bookmarks for URLs (but won't let you edit the URL content), it's possible to bookmark something like Google and just search for the URL or sites you want to browse to.
Here’s how I convinced it to bookmark “http://google.com”.
Step one in this cunning plan is to redirect HTTP requests from the television to my laptop. So that the TV could still reach the internet, I enabled IP routing on my Linux machine with
sysctl -w net.ipv4.conf.all.forwarding=1
and then masqueraded all IP traffic going out with
iptables -t nat -A POSTROUTING -o [OUTGOING INTERFACE] -j MASQUERADE
Then, I started up arpspoof with
arpspoof -i [INTERFACE] -t [TV IP] [GATEWAY]
to fake out the TV into routing traffic through my laptop instead of its normal default gateway.
I then added an iptables rule to redirect DNS traffic to my computer with
iptables -t nat -A PREROUTING -d [REAL DNS SERVER IP] -p udp --dport 53 -j DNAT --to-destination [MY IP]
and
iptables -t nat -A PREROUTING -d [MY IP] -p udp --dport 53 -j REDIRECT --to-ports 5353
I then started dnsmasq as an easy-to-start DNS server that could be used to send fake responses to DNS requests so that connections to “www.aquos.net” could be resolved to my IP.
I invoked it with:
dnsmasq --listen-address=[MY IP] --address=/www.aquos.net/[MY IP] --no-daemon --log-queries --port=5353
Next, I created a temporary directory and started a simple HTTP server to serve it:
mkdir -p ~/tmp/foo && \
cd ~/tmp/foo && \
python -mSimpleHTTPServer
I then created a simple HTML file in there that had a single anchor tag pointing to “http://google.com”.
As the TV accesses their site over HTTPS, I had to create a fake certificate:
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
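And started up stunnel, whose -p option takes a single PEM file (server.pem here) containing both the key and the certificate: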
stunnel -p server.pem -d [MY IP]:4343 -r 127.0.0.1:8000 -f -P ''
I needed some iptables rules to redirect TCP/80 and TCP/443 to my servers started on unprivileged ports. So I added:
iptables -t nat -A PREROUTING -d [MY IP] -p tcp --dport 80 -j REDIRECT --to-ports 8000
iptables -t nat -A PREROUTING -d [MY IP] -p tcp --dport 443 -j REDIRECT --to-ports 4343
Then, I fired up the browser and was immediately presented with a file index of my directory! Hurrah! I clicked on the link to Google, bookmarked the page, and then used the TV browser in the manner that Vint intended.
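The whole redirection above rests on the TV accepting a forged ARP binding for its gateway. As an added example (not part of the original post), this shell function flags that condition from `tcpdump -n arp` output collected on a sensor that sees the LAN's ARP replies, reporting any IP address announced with more than one MAC. The function name and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n arp` output (all addresses are made up).
# 192.168.1.1 plays the gateway; a second host later claims its address.
SAMPLE_ARP='10:15:01.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:15:01.100400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:15:03.200000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:15:05.200000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:15:06.000000 ARP, Reply 192.168.1.50 is-at 02:00:00:00:00:50, length 28'

# find_ip_conflicts (hypothetical helper): read tcpdump ARP lines on stdin
# and print "IP MAC1,MAC2,..." for every IP announced with more than one
# distinct MAC, in order of first appearance. Requests and other lines
# without an "is-at" field are ignored.
find_ip_conflicts() {
    awk '
        {
            for (i = 2; i < NF; i++) {
                if ($i != "is-at") continue
                ip = $(i - 1)
                mac = tolower($(i + 1))
                sub(/,$/, "", mac)            # drop the trailing comma
                if ((ip, mac) in seen) continue
                seen[ip, mac] = 1
                if (ip in macs) macs[ip] = macs[ip] "," mac
                else            macs[ip] = mac
                count[ip]++
            }
        }
        END {
            for (ip in count)
                if (count[ip] > 1) print ip, macs[ip]
        }
    ' | sort
}

# Live use on a sensor (assumption: interface name eth0):
#   tcpdump -l -n -i eth0 arp | find_ip_conflicts
printf '%s\n' "$SAMPLE_ARP" | find_ip_conflicts
```

A legitimate gateway replacement or failover also changes the binding, so a hit is a prompt to check which device owns the new MAC.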