The LEIGHTRONIX TCD/IP

by slick0

Ever watch the movie Hackers?

If you have, I'm sure you've seen "Crash Override" control a videotape loading machine to control what's being broadcast and thought: "Just like everything else in the movie, it probably can't happen that easily."

Well, I'm not sure about back when the movie was produced, but it sure is possible now.  As usual, you are the only one responsible for what you do with this information.  If you somehow air porn on a public access channel, get caught and fined by the FCC, that's on you.

The company known as LEIGHTRONIX Control Products (www.leightronix.com) makes quite a bit of equipment used for scheduling and running programming for television networks nationwide.  The piece of their equipment I am writing about is the TCD/IP Network Managed Video System Controller.  No, that is not a typo, and yes, that is what they named it.

The TCD/IP can control:

  • 64 PRO-BUS tape decks, DVD players, etc.
  • 16 PLUS-BUS decks, tape loading machines, DVD players, DVD changers, video servers, etc.
  • An audio/video switcher with up to 250 inputs by 250 outputs.
  • Scheduling for all of these.

A client computer can connect to the TCD/IP several ways: RS-232 serial (safest), crossover Cat 5 (also safe), or over a LAN (you decide, but it's what LEIGHTRONIX recommends).

With the friendly software they provide, LEIGHTRONIX makes it easy for a user to log on to the TCD/IP, control anything interfaced to it, remotely reboot it, create schedules, encode video from one deck to a server, change the time and date, change the IP, change the netmask, and change the subnet.  All that kind of stuff.

The TCD/IP has a default administrator name and password:

User Name: admin
Password: (Default: The last six digits of the TCD/IP's serial number)

If guessing a login isn't easy enough, by default the TCD/IP also allows a guest account with full superuser privileges.  This can all be changed, of course, but probably isn't.

At this point you may be thinking, "That's good and all, but what can I do without their software?"

Well, a port scan reveals that 21, 23, and 80 are open.

A user, as well as the guest account, can log in through a web interface and do their work from any computer on the network that doesn't have the software.  You can also connect to its FTP and Telnet ports, which are usually used only by the software.

FTP is used by the software for upgrades to the TCD/IP or interfaces connected to it, schedule uploads/downloads, etc.

The Telnet port is how the client software communicates with it.  Many commands, including deck control, can be run from here, even as a guest user with all rights disabled!  Quite a big hole if you ask me.  This hole seems to be only possible through the Telnet port.

Once you Telnet to the TCD/IP, it greets you with a prompt: TCD/IP>

With default settings you don't have to do another thing for full access.  A Telnet connection is treated as a guest login.

Entering ? or help will display a list of commands you can run from the prompt.  That's a very nice thing, but it's not a complete list.

I used Ethereal to sniff many of the unlisted commands that the client software was sending to the TCD/IP, learning much about how the software works.

TCD/IP Commands Discovered by Packet Sniffing

Some of these output usage help when entered without options, some I have typed a description for, and others are more or less self-explanatory.

However, a few had me stumped...

  • PROMPTOFF  - Removes prompt from Telnet session.
  • PROMPTON  - Returns prompt to Telnet session.
  • GETFEATS  - Shows hex representation of features?
  • PLAYTILCONFLICTACTION  - Returns on or off?
  • PLUSBUSINFO  - Gets PLUS-BUS info.
  • PLUSBUSSTAT
  • PLUSBUS   - There's a lot that can be done with this.  Read on for a section about it.
  • GPISTAT  - GPI status.
  • GETTABCONFIG   - Get tab configuration for schedule.
  • SETTABCONFIG  - <tab# (1-8)> <option val> <name> <out1 alias> <out2 alias (opt)> <out3 alias (opt)> <out4 alias (opt)>
  • GETSWALIAS
  • SETSWALIAS  - <I/O> <Input or Output# (0-250)> <Alias, or no arg to clear>
  • GETPL232MSGS
  • GETSWDEV
  • SETSWDEV  - <I/O> <Input or Output# (0-250)> <Alias, or no arg to clear>
  • GETMACROS
  • GETSWSTAT  
  • VERSION  
  • GETACTLIST   - Gets a list of accounts.
  • ADDACCOUNT   - Adds an account.
  • REMOVEACCOUNT   - Removes an account.
  • XPASS   - Submit a password hash to the TCD/IP.

Commands Revealed by Help

  • USER <user account name>  - Enter account login name.
  • PASS <password>   - Enter account password.
  • LOGOFF   - Logoff and clear session to guest rights.
  • XSTAT   - Detailed status message.
  • TIME   - Get/set the time HH:MM:SS.
  • DATE   - Get/set the date MM/DD/YYYY.
  • LOADSCH <path+filename>   - Load and execute the specified schedule file.
  • STOPSCH   - Stop the schedule engine.
  • DOKEY <nn>   - Send a "key" command to the script engine.
  • STOPSCR   - Stop the script engine.
  • GETSITEINFO   - Get the current site info settings.
  • SETSITEINFO <site name>|<site location>|<time zone string>|<time zone bias>   - Set the current site info.
  • SETIPADDR <nnn.nnn.nnn.nnn>   - Set the IP address.
  • SETSUBNET <nnn.nnn.nnn.nnn>   - Set the subnet mask.
  • SETGATEWAY <nnn.nnn.nnn.nnn>   - Set the gateway address.
  • GETIPADDR   - Get the current IP address.
  • GETGATEWAY   - Get the current gateway.
  • GETSUBNET   - Get the current subnet mask.
  • SETDST <on/off>   - Turn daylight savings on or off.
  • GETDST   - Get the current daylight savings setting.
  • GETDISKFREE   - Get free disk space.
  • XREMOTEREBOOT   - Reboot the unit.
  • GETSWINFO   - Get the current switcher settings.
  • XGETTIME  - Get the time and date.
  • XSETTIME HH:MM:SS MM/DD/YYYY  - Set the time and date.
  • XRENAME <orig path/file> <new path/file>  - Rename a file.
  • XREMOVE <filename>  - Delete a file.
  • XGETDIR <directory/searchparams>  - Get the directory of the specified path.
  • XFORCEDECK <deck #> <function>  - Execute a PRO-BUS deck function.
  • XFORCESW <input> <out1> <out2> (optional) <out3> (optional)  - Execute a switch.

Commands Found by Playing

  • XGETFILE  - Transfer a file from the TCD/IP to machine connected.
  • XPUTFILE  - Transfer a file from connected machine to the TCD/IP.

The software submits the user's password as a hash over the line, but so can you!

Imagine sniffing their packet information and getting a hold of a user's password hash.  You wouldn't need to crack the hash or even know what type of hash it is.

Just run USER with the user's name as the command option and then run XPASS with the password hash for that user.  That user's access, that easy!

Everything I got from sniffing was sent over the line in plain text.  Now to go into detail on the PLUSBUS command.

The Possibilities of the PLUSBUS Command

As previously mentioned, the PLUSBUS command can be sent over a connection to the Telnet port no matter what the user privileges are.  You can even be a guest with absolutely no rights!

Here is a list of commands for the many different devices it can control.

For a Leitch VR440/VR420:

  • PLUSBUS <device name> CUECHAN <channel:HH:MM:SS:FF>
  • PLUSBUS <device name> DELTRBYNAME <name>
  • PLUSBUS <device name> LOADCHAN <channel:name>
  • PLUSBUS <device name> PAUSECHAN <channel>
  • PLUSBUS <device name> PLAYCHAN <channel>
  • PLUSBUS <device name> PLAYNEXTCH <channel:name>
  • PLUSBUS <device name> PLAYTILCH <channel:HH:MM:SS:FF>
  • PLUSBUS <device name> PLAYTILEND <channel>
  • PLUSBUS <device name> RECCHAN <channel>
  • PLUSBUS <device name> RECFILECH <channel:name>
  • PLUSBUS <device name> REWCHAN <channel>
  • PLUSBUS <device name> STOPCHAN <channel>

For a Leightronix TCD R/P:

  • PLUSBUS <device name> AUTOPLAY <name:timecode:duration:out>
  • PLUSBUS <device name> DELTRBYNAME <name>
  • PLUSBUS <device name> LIVE
  • PLUSBUS <device name> PLAYTILEND
  • PLUSBUS <device name> PLAYTRBYNAME <name>
  • PLUSBUS <device name> RECSTOP
  • PLUSBUS <device name> RECTRBYNAME <name>
  • PLUSBUS <device name> RESETENCODER

For a generic RS-232 controlled device:

  • PLUSBUS <device name> SENDPRESET <preset #>
  • PLUSBUS <device name> SENDSTR <text string>
  • PLUSBUS <device name> SERCONFIG <baud,parity,data,stop>

For a Visual Circuits DVP, POP, Firefly:

  • PLUSBUS <device name> LOADCHAN <card:channel:path\file>
  • PLUSBUS <device name> LOADINITCHAN <card:channel:path\file>
  • PLUSBUS <device name> PLAYCHAN <card:channel>
  • PLUSBUS <device name> PLAYTILEND <card:channel>
  • PLUSBUS <device name> STOPCHAN <card:channel>

For a Doremi Labs V1 or Fast Forward Video Omega:

  • PLUSBUS <device name> CUE <HH:MM:SS:FF>
  • PLUSBUS <device name> CUETRBYNAME <name>
  • PLUSBUS <device name> DELTRBYNAME <name>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYNEXT <name>
  • PLUSBUS <device name> PLAYTIL <HH:MM:SS:FF>
  • PLUSBUS <device name> PLAYTILEND
  • PLUSBUS <device name> RECORD
  • PLUSBUS <device name> RECFILE <name>
  • PLUSBUS <device name> REWIND
  • PLUSBUS <device name> STOP

For a LEIGHTRONIX MVP-2000:

  • PLUSBUS <device name> CUETRBYNAME <name>
  • PLUSBUS <device name> DELTRBYNAME <name>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYNEXT <name>
  • PLUSBUS <device name> PLAYTILEND
  • PLUSBUS <device name> PLAYTRBYNAME <name>
  • PLUSBUS <device name> STOP

For an Alcorn McBride DVM2:

  • PLUSBUS <device name> LOADFILE <file>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTILEND
  • PLUSBUS <device name> STOP

For a Sony RS422 Protocol Deck:

  • PLUSBUS <device name> CUE <HH:MM:SS:FF>
  • PLUSBUS <device name> FFW
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTIL <HH:MM:SS:FF>
  • PLUSBUS <device name> RECORD
  • PLUSBUS <device name> REWIND
  • PLUSBUS <device name> STOP

For a Panasonic RS-232 Deck:

  • PLUSBUS <device name> CUE <HH:MM:SS:FF>
  • PLUSBUS <device name> FFW
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTIL <HH:MM:SS:FF>
  • PLUSBUS <device name> RECORD
  • PLUSBUS <device name> REWIND
  • PLUSBUS <device name> STOP

For a Panasonic MicroCart:

  • PLUSBUS <device name> CUE <HH:MM:SS:FF>
  • PLUSBUS <device name> EJECT
  • PLUSBUS <device name> FFW
  • PLUSBUS <device name> LOAD <tape #>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTIL <HH:MM:SS:FF>
  • PLUSBUS <device name> RECORD
  • PLUSBUS <device name> REWIND
  • PLUSBUS <device name> STOP

For a Pioneer or Tascam DVD:

  • PLUSBUS <device name> CUECHAP <title:chapter>
  • PLUSBUS <device name> CUETIME <title:MMM:SS>  (Pioneer Only)
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTILCHAP <title:chapter>
  • PLUSBUS <device name> PLAYTILTIME <title:MMM:SS>
  • PLUSBUS <device name> POWEROFF  (Tascam Only)
  • PLUSBUS <device name> STOP

For a Pioneer DV-F07 or Sony DVP-CX777ES:

  • PLUSBUS <device name> CUECHAP <title:chapter>
  • PLUSBUS <device name> CUETIME <title:MMM:SS>  (Pioneer Only)
  • PLUSBUS <device name> LOAD <disc #>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTILCHAP <title:chapter>
  • PLUSBUS <device name> PLAYTILTIME <title:MMM:SS>  (Pioneer Only)
  • PLUSBUS <device name> STOP

For a COMO MPEG-2 @Disk player:

  • PLUSBUS <device name> CUE <HH:MM:SS:FF>
  • PLUSBUS <device name> CUETRACK <track #>
  • PLUSBUS <device name> CUETRBYNAME <name>
  • PLUSBUS <device name> DELTRBYNAME <name>
  • PLUSBUS <device name> PAUSE
  • PLUSBUS <device name> PLAY
  • PLUSBUS <device name> PLAYTIL <HH:MM:SS:FF>
  • PLUSBUS <device name> PLAYTILEND
  • PLUSBUS <device name> PLAYTILTRACK <track #>
  • PLUSBUS <device name> PLAYTRACK <track #>
  • PLUSBUS <device name> PLAYTRBYNAME <name>
  • PLUSBUS <device name> RECORD
  • PLUSBUS <device name> RECTRBYNAME <name>
  • PLUSBUS <device name> STOP

These are all the commands you will need to know to get control of anything in a tape deck, DVD player, video server, etc.
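Because everything crosses the wire in plain text, a defender watching the controller's Telnet port can turn the two weaknesses described above (state-changing commands accepted from guest sessions, and XPASS accepting a captured hash) into alerts. The following is an added example, not part of the original article or of LEIGHTRONIX software; the event tuples, session IDs, the device name deck1 and the rule names are assumptions, and it treats USER followed by PASS or XPASS as a login without checking the device's reply.

```python
from collections import defaultdict

# Commands from the article's lists that change device or playout state.
STATE_CHANGING = {
    "PLUSBUS", "XFORCEDECK", "XFORCESW", "XREMOTEREBOOT", "LOADSCH", "STOPSCH",
    "STOPSCR", "DOKEY", "SETIPADDR", "SETSUBNET", "SETGATEWAY", "XSETTIME",
    "XRENAME", "XREMOVE", "XPUTFILE", "ADDACCOUNT", "REMOVEACCOUNT",
    "SETSWALIAS", "SETSWDEV", "SETTABCONFIG", "SETSITEINFO", "SETDST",
}

def audit(events):
    """events: iterable of (session_id, src_ip, client_line) in capture order.
    Returns a list of (rule, session_id, src_ip, detail) findings."""
    pending_user = {}                # session -> name sent with USER, awaiting a password
    authed = set()                   # sessions that sent USER then PASS/XPASS
    hash_sources = defaultdict(set)  # (user, hash) -> source IPs that presented it
    findings = []
    for sid, src, line in events:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "USER":
            pending_user[sid] = arg
        elif cmd in ("PASS", "XPASS") and sid in pending_user:
            user = pending_user.pop(sid)
            authed.add(sid)          # assumption: device reply is not inspected
            if cmd == "XPASS":
                seen = hash_sources[(user, arg)]
                if seen and src not in seen:   # same hash, different host: possible replay
                    findings.append(("xpass-new-source", sid, src, user))
                seen.add(src)
        elif cmd == "LOGOFF":
            authed.discard(sid)      # LOGOFF returns the session to guest rights
        elif cmd in STATE_CHANGING and sid not in authed:
            findings.append(("guest-state-change", sid, src, cmd))
    return findings

# Constructed events (RFC 5737 addresses, placeholder hash, hypothetical device "deck1").
SAMPLE = [
    ("s1", "192.0.2.10", "USER operator"),
    ("s1", "192.0.2.10", "XPASS <hash-placeholder>"),
    ("s1", "192.0.2.10", "PLUSBUS deck1 PLAY"),
    ("s2", "192.0.2.77", "GETIPADDR"), ("s2", "192.0.2.77", "PLUSBUS deck1 STOP"),
    ("s3", "192.0.2.77", "USER operator"),
    ("s3", "192.0.2.77", "XPASS <hash-placeholder>"),
    ("s3", "192.0.2.77", "XREMOTEREBOOT"),
]
print(audit(SAMPLE))
```

The findings deliberately carry the account name rather than the hash, so the alert stream does not itself become a source of reusable credentials.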

I would go into detail on each and every PLUSBUS command and what it does, but where's the fun in that for you?  If you find one to play with, have fun.

Standard disclaimer shit: Don't delete anything, disrupt scheduling, rape, pillage, etc.

Shoutouts to all from NYC2600, bucket, and Omniscan!  This notice of the TCD/IP's insecurity was brought to you by the letter "Y."
