Saturday, March 13, 2021

SSH Login to Squeezebox Radio / Touch / Controller

Sometimes you may feel the need to see what's going on behind the scenes in your Squeezebox. The menus may offer some test functionality already but for the curious that's not satisfying enough.

The Squeezebox models mentioned are based on Dropbear which is essentially a tiny Linux designed for embedded SoC (System on Chip) hardware where performance is not exceptional. So it's really lightweight but still features an actual Linux kernel that supports multi-tasking, memory management and more, basically on just about any hardware.

Linux, as most of you probably know, has great built-in support for networking. A root shell is available via SSH (Secure SHell) that you can connect to wirelessly or wired. It's not particularly user-friendly in that it's just a text-based console, nothing graphic about it. Those who are more experienced with Linux will immediately feel at home as a lot of the usual commands work, such as cd, ls, rm, top, cat, tail, and so on.

The risk of destroying anything is rather low as the file system that you are seeing in there is basically a RAM-disk and is always refreshed when the device is powered up after a cold start. You should still be careful and make backups of files you modify. Don't hold me liable if any of this goes south. Please continue only if you agree you do this at your own risk!

By the way, you won't notice any difference on the user side of your Squeezebox while the SSH port is open or being used. It will behave as always; depending on what you do in the root shell, it might be a bit slower.

So how is all of this done?

As usual, it's not just the push of a button.

First I need to disappoint all Transporter, Boom, Receiver, Classic, SliMP owners. SSH is not available on your platform. Unfortunately, no way to connect to their kernel is known. Maybe it isn't possible at all, or only via JTAG debugging which is way out of my skillset.

So we are focusing here on the three models I know support SSH: Touch, Radio, and Controller.

All of these offer an option to enable the SSH port. By default it is off so the device won't be reachable via SSH at all. This is preferable if you fear that somebody in your network might hijack your Squeezebox. Turning the port off entirely is the best and safest way to ensure nobody gets in there.

Enabling the SSH Port (22)

The option can be found in the menu here:

  • Settings (Einstellungen)
    • Advanced (Erweitert)
      • Remote Login (Remote-Anmeldung)
        • Enable SSH (SSH aktivieren)

The screen shown in the last step also reveals what you need to specify to connect and authenticate:


So another reason to keep the SSH port closed is the very weak protection of the root account. I think the password cannot be permanently changed and even if it could, it might interfere with functions the Squeezebox relies on.

Our takeaways here are:

SSH user name: root

Password: 1234

IP address: (varies depending on your network configuration)

The port is open as soon as you click the Enable SSH menu and the little bright box appears to indicate the option is now active. You can toggle it off in the same place at all times.

Okay, so far for the Squeezebox part of this.

Accessing the SSH Shell

SSH uses TCP port 22 by default. What you need is a piece of software to connect, and it needs to be able to handle secured connections. On Windows, PuTTY is one of the best tools for this purpose, and it's free to download, too. Linux has ssh built in already and does not need anything beyond that.

Linux

To set up the connection and start using it, just start a terminal of your choice and enter the following command:
ssh 192.168.74.40 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -l root
So what's all this? SSH accepts tons of parameters. Usually it is enough to specify just the target you want to connect to. However, the Squeezebox uses some very outdated key exchange and encryption algorithms that SSH won't accept by default, so it has to be told explicitly to allow them.
The first parameter is the target IP address which in the case of my demo here is 192.168.74.40 but is something else in yours. Find the one that applies in your case in the Enable SSH screen (example screenshot above).
The -oKexAlgorithms parameter adds the SHA1-based diffie-hellman-group1-sha1 key exchange to the accepted algorithms for just this one command. All these options can also be made permanent but that's not desirable for security reasons. So we are passing it on the command line here to ensure that the next SSH connection you make will rely on only the secure and up-to-date mechanisms again.
-c aes128-cbc selects one of the encryption ciphers that the Squeezebox supports. It's also known to be rather weak nowadays, so SSH has to be told explicitly to use it.
The remaining -o parameters ensure that SSH won't accidentally pick up one of your public keys (from ~/.ssh) for authentication. The Squeezebox wouldn't know how to deal with that anyway. So we force it here to ignore any personal keys you might have.
-l root tells SSH to use the user account root to connect.
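
The same options can also be confined to a single Host entry in ~/.ssh/config, so the legacy algorithms apply to the Squeezebox only and every other connection keeps the client defaults. This is an added example, not part of the original post; the alias squeezebox is a made-up name, and the address is the demo address from the command above.

```sshconfig
# ~/.ssh/config -- added example, not from the original post.
# "squeezebox" is a hypothetical alias. Replace HostName with the address
# shown on the device's Enable SSH screen.
Host squeezebox
    HostName 192.168.74.40
    # Same as -l root
    User root
    # Legacy key exchange the device needs; the "+" appends it to the
    # client's default list instead of replacing that list.
    KexAlgorithms +diffie-hellman-group1-sha1
    # Legacy cipher, same as -c aes128-cbc on the command line
    Ciphers aes128-cbc
    # Password login only; never offer personal keys from ~/.ssh
    PasswordAuthentication yes
    PreferredAuthentications keyboard-interactive,password
    PubkeyAuthentication no
    # OpenSSH 8.8 and later no longer accept ssh-rsa (RSA with SHA-1)
    # host key signatures by default. Uncomment the next line only if the
    # client reports "no matching host key type found".
    #HostKeyAlgorithms +ssh-rsa

# No "Host *" block is used here on purpose: the weakened settings must
# stay scoped to the one device that requires them.
```

With this in place, ssh squeezebox replaces the long command, and ssh -G squeezebox prints the options the client would use for that alias without connecting.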
 
SSH will immediately connect once the command has been submitted, and ask you for the password after a short period. Enter 1234 and press <Return>.
This is what you will see:
 
 
 
The announcement about the RSA fingerprint will happen only once; SSH will register the remote host (your Squeezebox) and remember you agreed to the risks of connecting to it.
 
Sorry, could not resist showing this in Cool Retro Term, it's so much more fun than the dry plain text consoles. If you're interested, here is the source:
If you like snap images, you can get it ready-to-go from here:

Windows

Windows does not offer an integrated SSH tool, and Telnet which you can install as a feature won't cut it because it does not support key exchange and encryption (as far as I know - please correct me if this is no longer true).
So you will need a terminal program installed in your system. I recommend PuTTY as it is very feature-complete, vastly adjustable, and free to download without any nagging ads built in.
I won't go into the details of installing PuTTY, you can find plenty of information on that elsewhere.
Get PuTTY from here: https://www.putty.org/
After you have installed and started it, the window will look something like this:
 
 
Enter the IP address that your Squeezebox showed you on its screen into the Host Name (or IP address) box - as shown above.
Port 22, and the SSH connection type are preselected so you are basically ready to go. Click Open near the bottom right corner:

 
 
This is the point where Linux ssh would completely refuse the connection as it's too unsafe by today's standards. PuTTY lets you decide. Click Yes to go on.
The next prompt is about the Squeezebox host key that is still unknown to PuTTY and therefore untrusted:
 
 
The red crossed-out section belongs to the RSA2 key that the Squeezebox identifies itself with. This might be individual per device but my impression is that it's the same for all of them. Anyway, to help me sleep at night, I obfuscated that portion of the screenshot.
You need to click Yes again to continue to the shell. PuTTY will register the key in its internal store and not ask you again. If you answer No, you will still connect but the key won't be registered and you will see the same prompt again next time you connect.
This is what you should see / enter:

 
Now enter root as the user name and 1234 as the password. You won't see any screen echo as you enter the password so be careful during your input. That is to make sure that nobody else can look over your shoulder and steal this secret from you *sniggle*. But that's a Linux default behavior and usually makes a lot of sense.
After submitting the credentials, you are logged in. Congratulations!

Once the Connection is Up (Linux and Windows)

The final number sign (#) in the console is the Dropbear standard prompt where you can now enter commands that directly execute inside the Squeezebox!

Terminating the Connection

Linux is very forgiving about abrupt connection termination but if you want to be graceful, you can enter the command exit to get out of the console. In Linux, you will be back in your regular terminal, exactly where you were before issuing the ssh command. PuTTY will close the window that represented your session once it has ended.

Looking around

Task Overview

Use the top command for a task manager:
Mem: 42156K used, 20220K free, 0K shrd, 7724K buff, 13604K cached
CPU:  34% usr   2% sys   0% nic  63% idle   0% io   0% irq   0% sirq
Load average: 0.25 0.40 0.21 2/39 709
  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
  579     1 root     R    29580  47%  33% /usr/bin/jive
  631   579 root     S     8712  14%   2% jive_alsa -d default -c default -b 30000 -p 2 -s 16 -f 3
  704   648 root     R     2952   5%   1% top
  554     2 root     SW<      0   0%   0% [wlan_main_servi]
  546     1 root     S     3032   5%   0% /usr/sbin/inetd
  533     1 root     S     2956   5%   0% /sbin/syslogd -S
  648   646 root     S     2952   5%   0% -sh
  581     1 root     S     2952   5%   0% /sbin/getty tty3 9600 VC vt100
    1     0 root     S     2948   5%   0% init
  535     1 root     S     2948   5%   0% /sbin/klogd
  580     1 root     S     2948   5%   0% init
  620     1 root     S     2948   5%   0% udhcpc -R -a -p /var/run/udhcpc.eth0.pid -b --syslog -i eth0 -H SqueezeboxController -s /etc/network/udhcpc_action
  646   546 root     S     2644   4%   0% dropbear -i
  277     1 root     S <   2052   3%   0% /sbin/udevd -d
  571     1 root     S     1908   3%   0% /usr/sbin/wpa_supplicant -B -Dmarvell -ieth0 -c/etc/wpa_supplicant.conf
  538     1 root     S     1828   3%   0% /usr/sbin/watchdog
  573     1 root     S     1816   3%   0% /usr/sbin/wpa_cli -B -a/etc/network/wpa_action
  163     2 root     SW<      0   0%   0% [mtdblockd]
  193     2 root     SW<      0   0%   0% [s3c24xx-spi-gpi]
The list goes on a lot longer than shown here.
This gives you a quick overview of the memory and CPU usage and what processes are responsible for their consumption, updating about every 5 seconds. The most CPU-intensive processes are listed first. You will normally see jive here which is the process responsible for making a Squeezebox out of it all. It presents the user interface, listens to user input events, updates the display, and coordinates network and audio hardware control, among others. 
Exit out of top with <Ctrl-C>, or more gracefully, just pushing the <Q> key.

System Log

To trace the system log, you can enter the following:
tail -f /var/log/messages

This will show you the last 10 lines in the messages file, and keep updating if new content is appended to the file. <Ctrl-C> terminates tail and you will be back at the prompt.

If you want to review the entire file, use:

less /var/log/messages

less allows you to browse the file line by line or page by page, or jump to the end of it with <G> for instance. There are many more capabilities in less (despite the name). However, it won't update if the file has changes. You need to re-issue the command in order to see the latest content. Less can be quit with the <Q> key.

dmesg will give you the kernel log that was written from the moment the kernel was booted far enough to have file system access. So this shows very early stages of the startup processes and might reveal valuable information if you suspect a malfunction. Usually, dmesg will just dump the entire log into your console (around 160 lines) and you have to scroll back to the top to see all of it. If you want to page through it, type in:

dmesg | less

SD Card Access

Most people don't even know it but there's actually an SD card slot hidden in the battery compartment of the Squeezebox controller!

 

The battery needs to be removed in order to access the slot. Unfortunately, modern SD cards appear unreadable, probably the firmware supports only very old versions. A Nokia 128MB MicroSD card from my collection can be read without any trouble and auto-mounts to /media/mmcblk0p1, whereas a newer 16GB SanDisk model won't mount at all:

# cd /media
# ls
mmcblk0p1
# cd mmcblk0p1/
# ls -la
drwxr-xr-x    2 root     root          512 Jan  1  1970 .
drwxr-xr-x    1 root     root            0 Jan  1  1970 ..
-rwxr-xr-x    1 root     root        60416 Sep 29  2013 HXCFE_V1_8_2_40.upd
#

Cool, eh?

So you can now copy (cp) files from and to the card as you wish.

The Touch also has an SD slot which is more well-known because it is exposed. I'm speculating here but probably it can be accessed inside SSH.

If you would like to copy and store some files, maybe exchange them with a PC or whatever, and find scp too troublesome to use, the SD card might be a comfortable way out. I will investigate further about the compatibility with SD cards in general, and add information here. For now, I think the older the card, the better the chance to make it work, at least in the Controller.

The Touch will probably support much newer cards as well as higher capacities are certainly desirable for the built-in Logitech Media Server.

Conclusion

So that's it for now. I'm curious what ideas you all might have about how to utilize the SSH interface and whether anything useful can be done with it.
Feel free to ask any questions you might have, and let's explore this a bit!
Have a good time, and stay safe!