
> I did some protocol reversing

This would make for an interesting blog post.

Could you recommend resources to learn to do the same?



I actually forgot that I did in fact write about this! https://medium.com/@stephencwan/hacking-airplay-into-sonos-9...

A bit light on the technical details perhaps, but I recall getting stuck on getting the right airplay parameters, learning how byte endianness works... happy to try to answer any other questions as best I can remember.

EDIT: Sorry, I realized that I didn't actually answer the other question. I first got interested in reversing from console hacking, specifically this talk about wii hacking: https://youtu.be/0rjaiNIc4W8 (including marcan of asahi linux fame!). Their group also had more writing at: https://fail0verflow.com/blog/. Also interesting to read about mgba emulator development: https://mgba.io/tag/debugging/, v8 internals: https://mrale.ph, react internals: https://overreacted.io/

Consuming a lot of literature on how different systems work helped me develop intuitions around how you might take something apart. Then it's a matter of trying things and banging your head against the wall a lot, e.g. at some point I was interested in how compilers worked so I tried hacking typescript syntax support into babel (circa 2017 maybe) - I got pretty far, and got a much better sense of how compilers work.


Step 1 — study popular protocols to understand how client/server interactions typically work.

Step 2 — deploy the network appliance in question to your LAN and intercept its packets with wireshark.

Step 3 — begin inference of protocol from observed behavior and test hypothesis by sending hand-crafted payloads to the server in question.

Step 4 — rinse and repeat until assumptions are proven to be correct with a high degree of reliability.

A good way to ensure you’ve captured the major parts of the protocol is to record about 72 hours of traffic and then replay it through a proxy that directs traffic to your newly created service.

If you can interpret the vast majority of the messages without error, you’re getting close to a reliable implementation.

Step 5 — use this strategy to develop a deep understanding of both protocols in question.

Step 6 — write an “adapter” that can translate protocol A to protocol B and vice versa.

Step 7 — implement the adapter towards whatever use case you have in mind.
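As an added example (not the commenter's code, and not taken from airsonos or nodetunes), a small Python harness for Steps 3 and 4: a parser that encodes one hypothesis about a wire format, replayed over a capture to measure how much of the traffic it explains and which field values it did not predict. The hypothesis used here is the RFC 3550 RTP header, which AirPlay's RAOP audio stream is carried in; the "capture" is constructed inline, and the payload-type values (0x60 audio, 0x56 control) are assumptions for the demo, not something the thread states.

```python
import struct
from collections import namedtuple

RTP_HEADER = struct.Struct("!BBHII")  # "!" = network (big-endian) byte order, per RFC 3550
RtpHeader = namedtuple("RtpHeader", "marker payload_type seq timestamp ssrc")


class ParseError(ValueError):
    """The packet does not fit the hypothesised header layout."""


def parse_rtp_header(pkt: bytes) -> RtpHeader:
    """Decode the fixed 12-byte RTP header, rejecting anything that contradicts RFC 3550."""
    if len(pkt) < RTP_HEADER.size:
        raise ParseError(f"short packet ({len(pkt)} bytes)")
    flags, m_pt, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if flags >> 6 != 2:  # top two bits carry the RTP version, which must be 2
        raise ParseError(f"bad RTP version {flags >> 6}")
    return RtpHeader(bool(m_pt & 0x80), m_pt & 0x7F, seq, ts, ssrc)


def check_capture(packets, expected_types):
    """Replay a capture through the parser and report how much of it the hypothesis explains."""
    parsed, failed, unexpected = 0, 0, set()
    for pkt in packets:
        try:
            hdr = parse_rtp_header(pkt)
        except ParseError:
            failed += 1
            continue
        parsed += 1
        if hdr.payload_type not in expected_types:
            unexpected.add(hdr.payload_type)  # a value the hypothesis did not predict: go look
    return {"parsed": parsed, "failed": failed, "unexpected_types": sorted(unexpected)}


def misread_seq_little_endian(pkt: bytes) -> int:
    """The classic endianness mistake: decode the big-endian sequence number as little-endian."""
    return struct.unpack("<H", pkt[2:4])[0]


def make_packet(pt, seq, ts, ssrc=0xDEADBEEF, marker=False, version=2):
    """Build a constructed RTP packet: 12-byte header plus 4 dummy payload bytes."""
    return RTP_HEADER.pack(version << 6, (0x80 if marker else 0) | pt, seq, ts, ssrc) + b"\0" * 4


# Constructed "capture" (not real traffic): five audio-like packets with the assumed RAOP
# audio payload type 0x60, one control-like packet (0x56), one truncated packet and one
# with an impossible RTP version.
CAPTURE = [make_packet(0x60, 100 + i, 352 * i, marker=(i == 0)) for i in range(5)]
CAPTURE += [make_packet(0x56, 7, 0), b"\x80\x60", make_packet(0x60, 105, 1760, version=1)]

if __name__ == "__main__":
    print(check_capture(CAPTURE, {0x60}))          # {'parsed': 6, 'failed': 2, 'unexpected_types': [86]}
    print(misread_seq_little_endian(CAPTURE[0]))  # 25600 instead of the real 100
```

In practice the packet list comes from a pcap (e.g. exported from Wireshark) rather than being constructed, and the unexplained packets and unexpected field values are the ones worth probing next.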


> Step 3 — begin inference of protocol from observed behavior and test hypothesis by sending hand-crafted payloads to the server in question.

Curious about common tactics people use for avoiding the ban-hammer from the company at this stage. Surely they can tell the difference between normal operations and this kind of hand-crafted probing?


The repository https://github.com/stephen/airsonos has the code and is surprisingly accessible.


The meat for the airplay side is here: https://github.com/stephen/nodetunes

Please excuse the code quality... I think I was still learning how to write js at the time.
