For a while now I've wanted a standalone internet radio; something that only required power and had wifi and would then stream audio from my desktop machine. A bit like the Slim Squeezebox but without the need to plug it into a HiFi setup. I'd found the range of devices based on the Reciva Barracuda module, but they all seemed a bit too expensive to impulse buy. Currys are now doing the Logik IR100, which uses this module, for £49.99, at which point I decided it was worth a look.

I'd already done some investigation about the module. It runs Linux, Reciva do the Right Thing and make their code available, and it can have its firmware upgraded. There used to be a wiki of info, but it's disappeared recently. Richard Kalton has a blog of his progress - he's got a shell, but doesn't seem to have found any serial console pinouts and seems to have gained the info required to get a shell (which he doesn't disclose) from reading the flash off the board itself. 'bill888' also has a general Logik IR100 page.

The radio itself seems quite consumer friendly. You plug it in, press the on button and tell it to search for networks. It then shows a list of ESSIDs which you can select from. It'll let you enter a WEP/WPA key if necessary, but I setup an unencrypted wireless network for testing. It then downloads a station list and you can chose what you want to listen to. Seems to do exactly what it says on the box.

It doesn't support Oggs though. And all my music is Ogged. So I want in. As a first approach I'm trying not to take it apart - it doesn't seem like anyone's got serial access, or confirmed JTAG as working, so there doesn't seem to be anything to be gained by opening it up yet. So I decided to watch network traffic, in particular what it does when you ask it to check for new firmware.

The initial request is for:

http://copper.reciva.com/cgi-bin/service-pack.pl?serial=<serialno>;sp=<current service pack>&hw=<hardware id>&sv=<serial firmware>&check=1

This then sends a redirect to:

reciva://copper.reciva.com:6000/service-pack/sp-wrap-cache/sp.255-c-158.tar

Now reciva:// is an encrypted custom protocol it seems, that passes the serial number to the server, which then returns a challenge, which the device then hashes up and generates a session key, passes back to the server and asks for the file. You can see this in lib/rtp.c from the curl tarball on the Reciva GPL site. Unfortunately there are bits missing - several files (rtp_encrypt.h, rtp_encrypt.c, sernum.c) and it appears to want to talk to some sort of sernum daemon. As such I haven't been able to get a copy of the firmware upgrade tarball. :(

However, if I could get one and have a look to see the format (is it a full file system image, or just changed files? Is it relative or absolute paths?) then I think it should be possible to build a new firmware image, hijack the connections to copper.reciva.com on my local network, and redirect to a http:// URL rather than a reciva:// URL, thus avoiding having to do the encryption stuff. Assuming, of course, that the upgrade isn't itself signed or encrypted. More prodding required...