But wait... That's my article ! Thank you guys for reading and sharing. I get so much great returns and kind messages. I'll keep you updated for the app !
but asking the author (who didn't even submit this link), to change his website due to your preference of not using js seems a bit priviliged. Enable js, or move on.
I've been browsing some website with js disabled and I must say, when it doesn't completely break a website (ex. website with paywalls or relying heavily on dynamic content), it feels like a much better version of the web. No flashy pop-ups, no randomly reloading content, no video ads every 2 paragraph, no banners(!).
Wouldn't say malware and js cryptominers are a big worry of mine though, unless you go on really disreputable websites.
I assume the GP comment isn't trying to suggest it's strange, just that it could be an imposter. The chain of trust could be restored going forward though, like if TFA (or anything on that domain) mentions owning this HN account, or various other scenarios with correct order of operations.
The co-working space I used to go right out of college used to have Sonos speakers. Occasionally, there'd be times when I wanted to work where the couches were but didn't want to listen to blaring pop music or something that was too rhythmic later in the day, so I started looking for ways to interrupt the audio stream going to the sonos devices. It turns out after a bit of snooping with nmap and looking at some Sonos forums that two specific ports are used to maintain sync between Sonos speakers and stream data to them. Then I just wrote a python script that would blast these ports with TCP traffic on the wifi (which the sonos speakers were also connected to) and would use the script when I wanted peace and quiet without headphones. Turns out that networking class I took in college wasn't a waste afterall.
1. - Not OP, but I believe the moment you put some music/radio on speakers for other people to listen, legally, you become a broadcaster. You can't just play anything you want, you need a license :) I recall my last workplace mentioning they're paying a few thousands a year to stream just one radio station, same 20-30 songs 24/7...
Interesting. I feel like the code could be simplified and be a lot more resistant to YouTube changes by just using yt-dlp, and selecting (or automatically extracting with ffmpeg) the audio-only AAC format YouTube serves. That would get rid of the YouTube request and MP4 parsing code.
I'm not sure it would, as the article seems to say that Sonos requires an ADTS container for the AAC audio, which YouTube doesn't offer. So the app takes an MP4 container, filters its contents to find the AAC audio blocks, then repacks them in an ADTS container.
Typically the other way around; ADTS is a way to get AAC within MPEG-TS through means of a wrapper. If you remux AAC from MPEG-TS (like e.g. a satellite feed) into MP4, it strips away the ADTS wrapper (and adds a single ASC header for the MP4 stream metadata) using the aac_adtstoasc filter.
I never really understood why you couldn't just put AAC directly into MPEG-TS without the ADTS wrapper, but MPEG-TS is pretty weird (and with super-high overhead) anyway.
Very interesting read. As a purely front end engineer, I am always fascinated by other peoples ability to reverse engineer everyday systems that I use and complain about. If I wanted to learn more about reverse engineering, do you have any recommended readings or talks?
There is tons to reverse engineer on the frontend. When you think about it, we have so much source code we can read through, some of it can hide bad engineering that lets you access something you shouldn't be able to. Like setting the price of an item via hidden form parameter, or finding an endpoint that lists every single promo code
Next time you find a website with a GraphQL API, try running the introspection query[1]. If that doesn't work, try fuzzing[2]. I've found multi-billion dollar companies who've
* Left open their GraphQL playground completely
* Enable introspection
Once you start you can dig into the API, and figure if you found anything interesting
Some companies/APIs do this on purpose as one of the benefits of graphql is the self documenting nature. If you have a well secured schema this shouldn’t be a problem. If you are doing security through absurdity by having stuff in the schema you don’t want people to discover, you are going to have a bad time.
I have something much, much worse: I've got a rabbit hole!
Here's two mirrors of a quite old website that is heavy on reverse engineering lore. While technological details may be outdated, many of the teachings certainly still apply.
Took a look to see what's up with that (I'm not familiar with javascript) but it looks like he was using a function that returned the number of years since 1900, with the "19" hardcoded. So for 1995-1999 it would've worked fine, but since 2000 it has been 19100, 19101, etc.
There is really not any way to give anyone a guide to doing what this guy does because it's not applying any special techniques to do anything. This isn't a binary reversing guide using a specific way to decode an encrypted executable, or whatever. This is quite literally just a guy who uses what he knows to figure out what is going on, and then learn more as is needed.
It will help not to put yourself into a box beforehand, like calling yourself a "purely frontend engineer." This is the kind of useless label for yourself that only serves to make you yourself think that you should stay in some arbitrary, badly specified corner of CS knowledge.
Literally just read about things, then use that knowledge to deconstruct other things. That's all that's going on.
Start by reverse engineering things in your comfort zone. You must already use a couple of libraries in your front end work. Hone your reverse engineering skills by trying to implement the same thing yourself. It's mostly about the ability to figure out how something works by observing and testing its behavior.
Man, there're so many opportunities to reverse engineer the front-end. One example is the web scraping of a SPA without using a browser. Let's say [reverse-engineering Google Maps pagination][1][2].
People on /r/webscraping are constantly asking about web scraping of JS-rendered websites. As a front-end engineer, you have the experience of front-end debugging and using the browser dev tools. People who come to web scraping from the back-end world don't have this experience and are willing to learn.
Start here. Start with the second one - 'From n00b to l33t: An Introduction to Reverse Engineering'.
"This workshop is a 1-2 hour introduction to what reverse engineering is. It assumes no knowledge of assembly and is done on paper worksheets rather than a computer setup for accessibility and to make the most efficient use of time."
It's by Maddie Stone, who's a Security Researcher at Google Project Zero.
Shameless plug: I did something similar 6 years ago and created sonos-web. Sadly I stopped working on the project, but it was indeed cool to play Youtube videos on your Sonos device (among other things).
An important reason why you can't play Youtube videos through Sonos is because the music providers are linked into the app. This means that it doesn't rely on the device to play the music. It also means that when I open up the app I can play music from my housemates Apple music account, as well as my Spotify account. But I agree, they did remove the ability push music from some apps directly to the Sonos app on Android & PC.
For me I play Youtube videos by Chromecasting them to the TV, which is connected to my Sonos playbar and the rest of the ecosystem.
Yep, the Sonos bar is the exception. But most of the products from sonos doesn't even have a audio input !
That's the why of this project.
You can only control a Sonos beam from their crappy app and what's drove me crazy.
The lack of audio input's is driving me bonkers. I have a record player and Sonos Beam. To use it, I have to plug in a mic adapter into my MacBook and connected that to the record player, then use Loopback Audio to redirect the input audio as Airplay audio to my Sonos Beam. Truly how "analog" audio was supposed to be listened to.
I've tried getting a Raspberry Pi and following some guides to turn it into an internet radio broadcaster that I can then pipe into Sonos, but the audio quality was always atrocious and the case that came with my Pi kit has a fan that is super loud.
I could get a Sonos Port for 700 AUD and do it the official way... but my record player is only like 300 AUD so it doesn't seem worth it. Here's hoping I can find a cheap used one.
Sonos needs to add an analog audio in port on more of their devices.
I just don't think Sonos speakers are built for that type of use case, they are first and foremost a wireless speaker and always have been. They were never designed to allow for devices to plug directly into the speakers, as it wouldn't then be controllable across the array of other Sonos devices, which is the point.
I agree that it wouldn't take much to do so and it would increase its accessibility, but I just don't think they have an appetite to do that.
The Sonos port device which they have had to allow you to physically connect devices has always been atrociously expensive. To think that I could buy two of their rear Sonos speakers and still have money left over be cheaper than the port is just silly.
The Port and Amp are definitely aimed at the very high end consumer who wants a whole wireless system in their house and wants to connect to non Sonos speakers.
I recently built the Murfie music service app for SONOS.
You can go to a web page served by any SONOS device and tell it a url to treat as a music service. Code up a SOAP service there and you'll be able to do anything that any other music service does.
I'd never done anything with SOAP before, so there was a bit of a learning curve, but once I got over that hurdle most of the other coding was fairly easy. Their developer portal explains basically all of the things you can do.
Getting the service approved was the hardest part.
Great article. Thanks very much for it. There's a typo in the heading "Or how to play YouTube videos on you SONOS, easy and for free." I think might want "your SONOS" instead. :)
Yes, even as a stream. The author mentions that a streaming conversion of mp4 to mp3 would be very difficult/impossible. I actually built that exact system for a simple youtube->mp3 downloader. FFMpeg can perform a streaming mp4->mp3 conversion. See here: https://github.com/matttt/youtubesampler/blob/master/main.js...
It's not impossible, but it would be way less efficient as it need complete re-encoding of the audio, as my system just re-format the container format.
In this case both mp4 and m4a (which are the same thing) use AAC. So no transcoding, but mp3 is not. So in the case of mp4 > mp3 it need a complete re-encoding of the audio.
YouTube sells YouTube music subscription, the SONOS has not been intended to play on a YouTube video. Now it does, that's the SONOS hack.
YouTube has not been designed to play YouTube videos on a SONOS outside of their YouTube Music subscription. Now it does, that's the YouTube hack.
The hacking community understands the definition of hacking to be 'modifying something to be used differently than it's intended purpose'.
The idea of 'hacking' you are referring to is a colloquialism that is shared by young teens and entertainment media. It is not a reflection of reality.
You're certainly right about the original definition of hacking, and even with that in mind, YouTube is not being modified: it was designed to deliver the MP4 stream to any client that asks. And even the Sonos device is arguably doing a thing it was designed (albeit undocumented) to do: consume an ADTS stream (i.e., if a burglar stole the Sonos, they would not possess a hacked Sonos). The middleware is what's getting hacked here.
Hacking doesn't just refer to security vulnerabilities and unauthorized access.
"A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means."
Seems reasonable by the above definition. I would say the standard way to consume audio from youtube is to play the video on youtube.com or in the app, not by writing an MP4 parser.
There was a time, not so long ago, security bugs hunters would claim they found some oddities within a sub module of some software, then disclose how it leads to escalation of privileges, 7 other severe flaws leading to remote code execution, ending with a mention that it makes half of the internet vulnerable since it's Apache or some other broadly used utility.
I just bought a Sonos soundbar and I have never had such a difficult time getting an app to pair and function with the device. It was also quite invasive requiring Location to be enabled, Microphone to be enabled, Local Devices to be accessed, just to get it to set up. It was already connected via HDMI and optical cable, as hardwired as you can get, and there were still cloud hoops to go through.
If you have purchased Sonos without reading how it works, probably the mistake is yours. First time setup requires this because Sonos uses your phone microphone to automatically measure your surrounding wall space to tune itself to best experience. In fact, this is why everyone loves Sonos as all you need is phone and everything is tuned.
Yes you’re right regarding the True Sound customization using the mic.
My difficulty is the Sonos app keeps dropping connection because my router is set DHCP and the app expects the same static IP address as the day before but I have dynamic addressing. Doesn’t occur with my other IoT.
Every day I'm frustrated by apps that I know were once highly simple and functional.
The idea that we're paying for devices and apps that are artificially limited and hobbled by others seeking more profit really has me worried about the future.
For example, Winamp ran several years as a music player, although it was not a very profitable operation, it functioned just like every other consumer music player since the 70s, with play, stop, track skipping, fast-forward, shuffle play etc...
Now music players have completely screwed up the model for a music player. They more often don't function properly unless a subscription is paid for.... They insert ads into music playlists, they often skip more than one track, they don't truly shuffle music, and they also add a ton of frustration with buffering and connectivity issues into the simple process of listening to music, even when I play my locally stored collection of music on them.
The practice of reducing features in something as simple as a music player, a device that is meant for enjoyment shows how grim the concept of a software-driven world should be. Products are rarely solving problems now, they are only introducing new and stupid problems, and not innovating further. It's a huge problem that should be addressed.
I'm tired of hobbled functionality, hack the planet. :P
Sonos built a great system then destroyed it with greed/planned obsolesence.
They shafted so many customers with the S1/S2 incompatibility, leaving so many expensive and perfectly capable 'legacy' systems unable to add new (S2) devices.
It was purely to try and force people to upgrade perfectly decent devices, and prematurely turn a whole lot of S1 devices into e-waste.
While their products are still good, I wouldn't buy one again for fear of them introducing an S3 and rendering another set of devices obsolete.
I was upset at the time, but in hindsight, and given how they've managed to continue to support both S1 and S2 product lines, I can't really say they did it wrong. Bifurcating your app to continue to provide support for 10+ year old hardware is a lot better than simply EOL'ing said hardware.
The problem is that '10 years old' in computing is fairly ancient, whereas in hi-fi, quality hardware will keep going for many decades with minimal maintenance.
Not sure why they felt the need to split the app into two rather than support the control of all devices through a single app, even if the S1 devices have a bit less functionality, or if S1 and S2 devices can't be grouped into a single zone.
And then they've prevented some new devices from running with the S1 app. My parents tried to buy an extra speaker, but it didn't work with their S1 system (whereas only a few months ago, they added a soundbar that worked fine)
It's a mess. It could have been handled a lot better. What new features do you even get with S2 that require more powerful hardware?
> What new features do you even get with S2 that require more powerful hardware?
* Airplay
* Hi-res audio formats
* Better onboarding experience (BLE based, and can take advantage of iOS APIs to share Wifi password)
* Support for DTS and Dolby Atmos
I suspect the reason for bifurcation is because the speakers form a cluster on your network. The apps don’t talk to individual speakers, the speakers elect a cluster leader and the app talks only with the leader. The leader then figures out how to get your command to the target speaker, which may be via your normal wifi, but could also be via the private Sonos Net mesh network the speakers form.
They want all the speakers to run exactly the same firmware because it’ll significantly reduce the complexity of their net code. No need to write forward or backwards compatible protocols, every speaks the same language. Side effect of this choice is that your firmware features become limited by your oldest hardware, even with feature flags, binary size could still be an issue for old devices.
So this means at some point you need either:
1. Start running two firmware versions, and some how make your net code forward/backwards compatible. Very difficult when dealing with tightly defined high entropy protocols needs for low latency comms, and super tight timing requirements.
2. Split make a set of your devices stuck on old software and incompatible with new hardware. So new and old can no longer join the same cluster. But simplify your net code.
Sonos obviously chose option 2, and I can understand why they made that choice. As for the apps, having them communicate with two different Sonos clusters, and somehow merge the UI sounds like a UI nightmare. Not unsolvable, but it wouldn’t surprise me if they tried it, and decided the experience was so crap and confusing, they were better of just making two apps.
Given what Sonos do, and rather extreme technical requirements of syncing audio to within a millisecond or two over dodgy wifi connections. I can sympathise with the difficult technical and product decisions that led to S1/S2. I personally doubt it’s an artificial limitation created for cynical profit pumping. But I can totally see it as way of reducing their software development complexity and costs, which is not an unreasonable business decision (Sonos isn’t a charity after all).
I got a cheap HIFI (I think) Samsung system from 20+ years ago (paid $100 second-hand at that time), I use it as an amplifier through aux for the last 15 years (2x15W). Beside that, still have my tiny pc speakers, even older, from around the win98 era.
Neither seem to be asking for any firmware update, seem to be working fine so far. Haven't seen any other speakers in stores so far which could beat in quality the pair of Samsungs I got, they're basically monitors..
They now make soundbars, sonoses, bluetooth speakers... it amazes me that people put up with all of this, it's truly amazing people are convinced this is better than the old, wired, boring stuff.
If you buy what I could call a standard/proper home theater receiver, it is likely to last you a lifetime. But with Sonos you are buying cutting edge features that have not been tried and tested in the long term and are likely to change.
The idea with Sonos was that they wouldn't release new hardware each year, but that the hardware would improve through software updates. For example, I have had two Play 3 speakers and the Sub since 2016. These worked great, then Sonos released TruePlay which allowed your speakers to configure themselves based on the space you were in. Its important to note that these speakers have been around since 2011 and 2013, so not a short space of time when it comes to technology.
The amazing thing with Sonos, was that anyone in the house could open up the app and play music through WiFi AND have a home theatre setup that could play from the TV. The beauty of the app is that it operates on its own, it doesn't rely on your mobile phone once you have left the house.
Sonos basically reinvented my Samsung remote. (+ the 8 meter cable I made as a 14 year old kid so I can connect it to the TV which was on the other side of the living room, cause my parents asked me if I could connect both for a house party).
I think the Sonos home theatre which consists of two rear channels, a sub and a dolby atmos playbar would give your cheap two Samsung speakers a run for their money. The beauty of it all is that don't need to plug anything in apart from power and a HDMI cable.
It's important to note that the creators of Sonos speakers were ex-JBL engineers. Not just randoms who wanted to create a smart speaker.
There's not as much lock-in with the analog formats, you want different speakers or a different head unit with the same speakers you just change shit out at the end of the wires.
All these strange products we are getting around media probably mostly has to do with licensing requirements for DRM.
I assume it's as much the industry these people are working with/coming from as it is the actual straight greed of sonos.
I solved this by just sticking with my S1 devices. Other than the horrible software, still going ok. When I eventually replace, it won't be sonos, but I've yet to see a really good option for replacing it.
On the contrary. Their S1 platform started in 2005. They continue to produce great new products with S2, yet S1 stuff continues to function, it just runs ships-in-the-night for those of us with both. Frankly, I'm amazed and impressed they retained compatibility for as long as they did. I have other electronic devices in my possession with such functional longevity, but I can count them on one hand, and none of the others try to perform anything remotely so sophisticated as a Sonos player does.
These allegations of being intentionally malicious / consumer hostile don't stand up to scrutiny, nor to comparison with known examples of planned obsolescence in consumer electrical, such as Canon inkjets or Bosch kitchen appliances.
There are literally hundreds of simple (and open-source) music players out there, including Winamp you mentioned and its offspring. What is preventing you from using those? IMO, this is the same argument like when people say "modern music sucks" without ever searching for amazing new bands outside the mainstream.
Oh I still have (32 bit) Winamp on my desktop, and it works great when I need it so far... The problem is that as Windows creeps towards 64 bit compatibility only, I'll eventually have to retire the original .exe(s) I've used, and change to something that might be a terrible experience.... Even online reviews and advice about what software to use is corrupted by brigadeers and marketers, so it's a wild west of who you can trust. I appreciate your advice, but you could just as well be a developer trying to encourage me to use your app that may have required in-app purchases (no offence).
Another tactic that developers now use is to have a fully functional app in the first-downloaded instance, but then the application slowly degrades as updates occur to encourage an up-sell. As a dev myself, I've directly seen this happen with apps I cannot specifically shame online.
I'm primarily referring to mobile apps. I have an SD card with my music library on it. The choice of apps there gets more complex... As phone makers remove SD card functionality, and headphone jacks, and limit out of the box music players, the ability to use my phone for music is also fading. I have had apps corrupt my locally saved music library as well in attempts to force me into buying streaming services perhaps, I no longer trust many services in app stores.
VLC is free and 64-bit. Not the most convenient for playing music but it plays everything. I use MAX Tray Player which is really old but still works. It's this great little program that sits in your taskbar off to the side so it doesn't take up icon or window space. I use it for internet radio and I made a skin for it to match my dark theme.
trayplayer.com
As for mobile audio I use Spotify but I have a library of mp3s on my SD card that I play with the default Samsung Music app which works just fine. No ads in that so far. If you haven't tried a modern BT 5.0 device, try giving bluetooth another chance.
All of the stuff your talking about could be solved by not upgrading to the latest X. If you want headphone jacks, etc, etc just search for a phone that has it and that lets you add music to it. If you want a 90s experience you don't HAVE to buy the latest iPhone or download the latest app.
YouTube music offered to import my personal music library (on my phone). I declined, because the last time I allowed that to happen on Google Play Music (now retired) it was covertly deleting music from my library, and carefully picking which songs to play every time I used it.
You simply can't trust free apps any more. Probably can't even trust many of the paid ones because making people buy the same thing multiple times is more profitable for opportunistic individuals.
re:FOSS music players I liked foobar2000 for music, esp. if you wanted to play lossless formats like FLAC files
re:parent comment, i feel like the streaming "free" music app/services are more iterations on radio stations rather than iterations on music players since radio has ads, pseudo random playlists, requirement to be "connected" etc.
Maybe unpopular opinion, but in comparison w/radio, I tend to think streaming actually looks pretty good.
When I moved from Windows 11 to Linux, the first thing I looked for was an audio player as simple, fast, full featured, and with small UI that won't occupy a large portion of the screen. I ended running WACUP with Wine and haven't looked back. The compact and stackable UI of Winamp is still the best after all these years, and it just works.
I think GP is confusing 'I went to the store and bought this CD, and burned it to MP3, which plays for free on Winamp' with 'Winamp was free and now I have to pay for that same experience via streaming.''
[The red one for sale at the moment doesn't make any sounds when you connect to it, the $0.79 black unit speaks ("now in bluetooth mode") when I connect to it, not great]
Bluetooth doesn't really cut it for me in a multi-person household, though If I was on my own I would be fine like that.
We have multiple people constantly playing, and multiple locations to play to. Bluetooth is good for a single speaker and single primary playing device but doesn't really solve multi-room multi-user music very well.
Music players were decoding local files and spitting out the output, now they're streaming platforms. Despite fitting the same niche of "I want to listen to music" for many people, they're not selling you the same product at all.
AFAIK the local players still exist, many still in active development, for those who want to own their data.
> They insert ads into music playlists, they often skip more than one track, they don't truly shuffle music, and they also add a ton of frustration with buffering and connectivity issues into the simple process of listening to music
Why are you comparing music players to streaming services? That's like comparing a Honda Civic to a cement mixer. You don't use both to accomplish the same job even if they both have four wheels and a gas pedal.
You are just being pedantic, while the parent comment offered a fairly useful distinction between those two types of services, even though it might not be the dictionary definition.
>Streaming services like Spotify, are music players by nature obviously...
Both a cement mixer and a honda civic are vehicles that one can drive on the road by nature. The point still stands that they shouldn't be compared directly, as they serve completely different purposes (despite them both being drivable vehicles).
I'm a bit alien to these kind of things and i cannot believe that a speaker could be limited in such a way. It's sole function is to play sound from a device and it utterly fails at that. Why do people put up with such rubbish? I get upset when i see a speaker without a jack port.
Also, the article is excellent but the title lets it down. Can i suggest it be changed to something like "reverse engineering SONOS to play YouTube". If deadf00d is still on maybe you should also rethink the title?
The author wants a speaker to pull a video off YouTube, which isn’t exactly know for be friendly to non-official clients, and play the audio. Please find me any speaker in the world that can be given a YouTube URL and will play the video audio with no other equipment involved. I’ve tried writing the URL on the speaker cone of my boring speaker, unfortunately no sound is coming out.
If the author just wanted to plug speakers into his computer and get sound, then he would have bought a non-smart speaker and amp. But clearly the author likes the ability to stream audio from the internet directly to his speakers. It’s just unfortunate that YouTube refuses to let people easily access the audio stream from their videos.
You're missing the point of Sonos entirely.
It's generally used to create zones in a house or workspace.
It's not meant to be just a bluetooth receiver, there are a zillion other products that do that just fine.
It's a WiFi connected speaker which is controlled through an app that you register music services on. This means that the audio ecosystem isn't reliant on streaming the music from your device, but from the service itself. All of the speakers are connected through the main controller app that you can use to group into rooms and setup as a home theatre.
I've had their products for the last 7 years and they've never missed a beat.
