http://irclog.whitequark.org/linux-rockchip/
need dumps of
--
dmesg
cat /proc/modules
cat /proc/filesystems
#loop, cramfs, ext2, ext3, vfat
cat /proc/mounts
cat /proc/cmdline
ip addr
ip link
ps auwwx
uname -a
printenv
/proc/config.gz
/var/log/syslog
find /
user-land vectors
--
./keytest #dumps /dev/events to stdout
./hgtest #seems to test pixmap rendering to eink
./logo-test #seems to print embedded xpm
./ebook #the gui and monolithic book reader
  has some crude update-from-FAT hook
  is responsible for managing the ebook partition mount/umount and g_file gadget
./update
  libext3, opens raw flash and tweaks boot-parameters, can alter recovery partition args ("misc.img") -- danger, Will Robinson!
/sbin/busybox 1.13.4 (circa 2008)
  /linuxrc and /sbin/init link to this. `busybox rcS` is PID1
telnetd
mdev
http://www.cvedetails.com/vulnerability-list/vendor_id-4282/product_id-7452/version_id-129281/Busybox-Busybox-1.13.4.html
iptunnel
cc,gcc,G++
chroot, env
sulogin, getty
tar,ar,zcat,gzip,gunzip,vi,sed
flash_eraseall
recovery.img user-land vectors
---
misc.img ->
http://www.freaktab.com/showthread.php?287-RockChip-ROM-Building-Tips-and-Tricks-by-Finless&p=4138&viewfull=1#post4138
http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984500
recovery/bin/recovery
libext3
recovery/app/update
kernel vectors
--
Linux version 2.6.25 (root@chf-virtual-machine) (gcc version 4.4.0 (GCC) ) #1198 Thu Sep 6 14:44:00 CST 2012
rockchip version 1.2.7 (ruiguan) #with debug infomation,add change arm frequency when enter 1level sleep.
mem=64M console=ttyS0,115200 initrd=0x21100000,17000000 root=/dev/ram0 rw
http://www.cvedetails.com/version/123232/Linux-Linux-Kernel-2.6.25.html
--
usb hid input
usbserial generic (ttyACM0)
usbserial.product
usbserial.vendor
gadgetfs
usbfs
libertas SDIO wifi
use rockchip pin mux to redefine the SDIO pins as GPIO bit-bangers! or SDIO UART to drive an old SDIO UART console or GPS card..
~/src/archos/Archos7HT_GPL/kernel//drivers/net/wireless/libertas/wifi_power.c
./install-wifi | uninstall-wifi
unknown if all the .ko's were built against the installed kernel, and finding the SPI/SDIO mux pins on the board would be a feat
http://docs.blackfin.uclinux.org/doku.php?id=linux-kernel:drivers:wifi_over_sdio
http://www.ebay.com/itm/280635020362 http://andahammer.com/sdwifi/
gpio
~/src/archos/Archos7HT_GPL/kernel//arch/arm/mach-rockchip/gpio.c
grep -rn rockchip_mux ~/src/archos/Archos7HT_GPL/kernel/
http://lxr.free-electrons.com/source/drivers/pinctrl/pinctrl-rockchip.c
android configfs
android binder
android ram console: http://www.elinux.org/Android_Kernel_Features#RAM_CONSOLE : /proc/last_kmsg
pppol2tp
NFS + boot mode ip-config
dwc_otg 2.7
dwc_otg_force_device,already in A_HOST mode,everest
dwc_otg_force_device,already in B_PERIPHERAL,everest
dwc_otg_force_host,already in A_HOST mode,everest
debuglevel
force_usb_mode
rbd
/dev/ram0... use that with the g_file_gadget module to create a ram-based backchannel FS
rockchip_serial
which test point is the uart? seems to support both
kernel blackboxes
--
rk-eink DSP driver
#loads/chksums waveform to DSP co-processor in RK2808A
#inits TI TPS65180 panel power & temp chip and calibration EEPROMs
#takes gfx input from /dev/fb0 and ioctls for forced updates
#strings flex_update_1.0.5/rockdev/Image/kernel.img | grep -i dsp
# https://code.google.com/p/k1099/source/browse/trunk/rk2808/Linux/drivers/rk28_dsp/rk28dsp.c?r=94
# can't find any of the eink-specific dsp code in the Archos kernel source :-(
#cannot find the datasheet for it either, "RK28xx DSP sub-system.pdf"
china kernel hacker build guide http://wenku.baidu.com/view/aab317f74693daef5ef73d18.html
http://roverbooksteel.narod.ru/develop/kernel/index.html
http://androtab.info/clockworkmod/rockchip/
http://www.freaktab.com/showthread.php?6569-Rockchip-Secrets-Exposed
bootrom vectors
----
https://gist.github.com/sarg/5028505
exploit attempt ideas
------
make a FAT-hook
  run by script from mdev on mmc device re-appearance after USB host unmount
  checks for /hook directory, verifies timestamp is newer than last boot and in same month/year as the clock
  if time checks out, runs scripts within the hook in alpha order
  make this safer by exporting a ramdisk as a secondary LUN with g_file_storage. store and run the hooks from the ramdisk
  if your hooks are bad and crash the thing, you can power-cycle back to working order
  let the hooks dump to a txt file on the user partition
  read your new exploit.txt book :-)
add more gadget drvs
  Archos7HT_GPL/kernel/drivers/usb/gadget/f_adb.c CONFIG_USB_ANDROID=m
  /flex_update_1.0.5/rockdev/Image/boot/sbin/adbd : statically linked! no bionic worries
mass storage mode
Jan 23 01:07:38 pogoplug kernel: [1772158.245313] usb 1-1: new high-speed USB device number 6 using orion-ehci
Jan 23 01:07:38 pogoplug kernel: [1772158.845283] usb 1-1: device not accepting address 6, error -71
Jan 23 01:07:56 pogoplug kernel: [1772176.685311] usb 1-1: new high-speed USB device number 8 using orion-ehci
Jan 23 01:07:56 pogoplug kernel: [1772176.836258] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5
Jan 23 01:07:56 pogoplug kernel: [1772176.843133] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 23 01:07:56 pogoplug kernel: [1772176.851666] usb 1-1: Product: File-backed Storage Gadget
Jan 23 01:07:56 pogoplug kernel: [1772176.858142] usb 1-1: Manufacturer: Linux 2.6.25 with dwc_otg_pcd
Jan 23 01:07:56 pogoplug kernel: [1772176.864387] usb 1-1: SerialNumber: 372041756775
Jan 23 01:07:57 pogoplug kernel: [1772176.876258] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 23 01:07:57 pogoplug kernel: [1772176.888511] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000
Jan 23 01:07:57 pogoplug kernel: [1772176.897098] scsi4 : usb-storage 1-1:1.0
Jan 23 01:07:58 pogoplug kernel: [1772177.896277] scsi 4:0:0:0: Direct-Access ebook reader 0322 PQ: 0 ANSI: 0
Jan 23 01:07:58 pogoplug kernel: [1772177.911479] sd 4:0:0:0: Attached scsi generic sg1 type 0
Jan 23 01:07:58 pogoplug kernel: [1772177.927190] sd 4:0:0:0: [sdb] 15785984 512-byte logical blocks: (8.08 GB/7.52 GiB)
Jan 23 01:07:58 pogoplug kernel: [1772177.943591] sd 4:0:0:0: [sdb] Write Protect is off
Jan 23 01:07:58 pogoplug kernel: [1772177.955388] sd 4:0:0:0: [sdb] Mode Sense: 0f 00 00 00
Jan 23 01:07:58 pogoplug kernel: [1772177.955949] sd 4:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Jan 23 01:07:58 pogoplug kernel: [1772177.980118] sdb:
Jan 23 01:07:58 pogoplug kernel: [1772177.989051] sd 4:0:0:0: [sdb] Attached SCSI removable disk
bootloader mode:
power off, hold D-PAD centre for 5 secs and, while still holding it, connect USB -- http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984559
Jan 23 01:11:38 pogoplug kernel: [1772398.415328] usb 1-1: new high-speed USB device number 9 using orion-ehci
Jan 23 01:11:38 pogoplug kernel: [1772398.565882] usb 1-1: unable to get BOS descriptor
Jan 23 01:11:38 pogoplug kernel: [1772398.571134] usb 1-1: New USB device found, idVendor=071b, idProduct=3228
Jan 23 01:11:38 pogoplug kernel: [1772398.581542] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
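The two dmesg excerpts above are the host-side evidence of which mode the reader is in: 0525:a4a5 with a "File-backed Storage Gadget" product string when the normal firmware is up, 071b:3228 with no strings at all when it is held in bootloader mode. The script below is an added example (not code from the gist and not from rkflashtool) that groups the multi-line enumeration messages by port and device number and classifies each attempt from a small table built from those two excerpts; the sample log is constructed from the lines above, condensed.

```python
"""Correlate the multi-line USB enumeration messages a Linux host writes to its
kernel log and tell which mode the attached Rockchip reader came up in.

Added example for these notes, not code from the gist. The sample log is
constructed from the dmesg excerpts above, condensed; the vid:pid -> mode table
is taken from the same excerpts (0525:a4a5 = file-backed storage gadget,
071b:3228 = the reader held in bootloader mode).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three enumeration attempts seen in the notes.
SAMPLE_LOG = """\
Jan 23 01:07:38 pogoplug kernel: [1772158.245313] usb 1-1: new high-speed USB device number 6 using orion-ehci
Jan 23 01:07:38 pogoplug kernel: [1772158.845283] usb 1-1: device not accepting address 6, error -71
Jan 23 01:07:56 pogoplug kernel: [1772176.685311] usb 1-1: new high-speed USB device number 8 using orion-ehci
Jan 23 01:07:56 pogoplug kernel: [1772176.836258] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5
Jan 23 01:07:56 pogoplug kernel: [1772176.851666] usb 1-1: Product: File-backed Storage Gadget
Jan 23 01:07:57 pogoplug kernel: [1772176.876258] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 23 01:11:38 pogoplug kernel: [1772398.415328] usb 1-1: new high-speed USB device number 9 using orion-ehci
Jan 23 01:11:38 pogoplug kernel: [1772398.565882] usb 1-1: unable to get BOS descriptor
Jan 23 01:11:38 pogoplug kernel: [1772398.571134] usb 1-1: New USB device found, idVendor=071b, idProduct=3228
"""

# (idVendor, idProduct) -> mode, as observed in the notes above.
KNOWN_MODES: Dict[Tuple[str, str], str] = {
    ("0525", "a4a5"): "mass storage mode (Linux file-backed storage gadget)",
    ("071b", "3228"): "bootloader mode (RK28xx, what rkflashtool talks to)",
}

USB_LINE = re.compile(r"\busb (?P<port>[\d.-]+): (?P<msg>.*)$")
NEW_DEVICE = re.compile(r"new .*USB device number (?P<num>\d+)")
DEVICE_FOUND = re.compile(r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
NOT_ACCEPTING = re.compile(r"device not accepting address \d+, error (?P<err>-?\d+)")
PRODUCT = re.compile(r"Product: (?P<name>.+)")


def parse_usb_events(log: str) -> List[dict]:
    """Group log lines into one record per enumeration attempt (port + device number)."""
    events: List[dict] = []
    current: Optional[dict] = None
    for line in log.splitlines():
        m = USB_LINE.search(line)
        if not m:
            continue  # usb-storage, scsi and sd lines are not part of enumeration
        port, msg = m.group("port"), m.group("msg")
        nd = NEW_DEVICE.search(msg)
        if nd:
            current = {"port": port, "devnum": int(nd.group("num")),
                       "vid": None, "pid": None, "product": None, "error": None}
            events.append(current)
            continue
        if current is None or current["port"] != port:
            continue  # stray message with no enumeration in progress on that port
        if (f := DEVICE_FOUND.fullmatch(msg)):
            current["vid"], current["pid"] = f.group("vid"), f.group("pid")
        elif (n := NOT_ACCEPTING.fullmatch(msg)):
            current["error"] = int(n.group("err"))
        elif (p := PRODUCT.fullmatch(msg)):
            current["product"] = p.group("name")
    return events


def classify(event: dict) -> str:
    """Human-readable verdict for one enumeration attempt."""
    if event["error"] is not None:
        return f"enumeration failed (error {event['error']})"
    if event["vid"] is None:
        return "no device descriptor read"
    return KNOWN_MODES.get((event["vid"], event["pid"]),
                           f"unknown device {event['vid']}:{event['pid']}")


def summarize(log: str) -> List[str]:
    """One line per enumeration attempt, in log order."""
    return [f"usb {e['port']} #{e['devnum']}: {classify(e)}" for e in parse_usb_events(log)]


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LOG):
        print(verdict)
```

Feeding it the host's real kernel log (dmesg or /var/log/syslog) gives a quick inventory of what has been enumerating on a port; the first attempt in the sample (device number 6, error -71) is reported as a failed enumeration rather than silently dropped, which is the case a plain vid:pid grep would miss.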
https://github.com/crewrktablets/rkflashtools/blob/master/rkflashtool.c
added my vid and pid
root@pogoplug:~/src/wexler_hacks# ./rkflashtool p
rkflashtool: info: rkflashtool v3.3
rkflashtool: info: Detected RK2808...
rkflashtool: info: interface claimed
rkflashtool: info: reading parameters at offset 0x00000000
rkflashtool: info: rkcrc: 0x4d524150
rkflashtool: info: size: 0x000001e0
FW_VERSION: 1.0.1
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 1616
CHECK_MASK: 0x80
KERNEL_IMG: 0x60008000
COMBINATION_KEY: F,0,1
CMDLINE: noinitrd console=ttyS0,115200n8n init=/init root=/dev/mtdblock4 mem=64M@0x60000000 mtdparts=rk28xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),0x00004000@0x0000A000(recovery),0x0001E000@0x0000E000(system),0x00006000@0x0002C000(backup),0x0002E000@0x00032000(cache),-@0x00060000(userdata)
rkflashtool r 0x0000E000 0x0001E000 > system.img #dump the system partition: offset and size as given in mtdparts above
mount -o loop -t cramfs system.img /mnt/wexler
umount /mnt/wexler
rkflashtool w 0x0000E000 0x0001E000 < system.img #write it back; w reads the image from stdin, so redirect in, not out
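The offset/size pair in the rkflashtool commands above comes straight out of the mtdparts= argument in the parameter block, and root=/dev/mtdblock4 on the same line names a partition by its position in that list. As an added example (not code from the gist or from rkflashtool), here is a parser for that command line that rebuilds the partition table, derives the rkflashtool read command for each partition, resolves root= against the table, and checks an image against the partition size before a write. Two assumptions, both marked in the code: the size@offset values and rkflashtool's arguments are counted in 512-byte sectors, and /dev/mtdblockN numbers partitions in mtdparts order.

```python
"""Parse the mtdparts= argument from the reader's kernel command line into a
partition table and derive the sector ranges rkflashtool reads and writes.

Added example for these notes, not part of the gist or of rkflashtool. CMDLINE
is the line rkflashtool printed from the parameter block above. Assumptions:
the size@offset values and rkflashtool's offset/size arguments are both counted
in 512-byte sectors, and /dev/mtdblockN numbers partitions in mtdparts order.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR_BYTES = 512  # assumed unit of every offset and size below

CMDLINE = (
    "noinitrd console=ttyS0,115200n8n init=/init root=/dev/mtdblock4 "
    "mem=64M@0x60000000 mtdparts=rk28xxnand:"
    "0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),"
    "0x00002000@0x00008000(boot),0x00004000@0x0000A000(recovery),"
    "0x0001E000@0x0000E000(system),0x00006000@0x0002C000(backup),"
    "0x0002E000@0x00032000(cache),-@0x00060000(userdata)"
)

# one mtdparts entry: <size>[@<offset>](<name>), size '-' means "the rest"
PART_RE = re.compile(
    r"^(?P<size>0x[0-9a-fA-F]+|-)(?:@(?P<off>0x[0-9a-fA-F]+))?\((?P<name>[^)]+)\)$"
)


@dataclass
class Partition:
    index: int            # position in the list; assumed to equal /dev/mtdblock<index>
    name: str
    offset: int           # first sector
    size: Optional[int]   # sectors; None for '-' (whatever flash is left)

    def end(self) -> Optional[int]:
        return None if self.size is None else self.offset + self.size

    def size_bytes(self) -> Optional[int]:
        return None if self.size is None else self.size * SECTOR_BYTES

    def rkflashtool_read_cmd(self) -> str:
        """The 'rkflashtool r <offset> <size>' invocation that dumps this partition."""
        if self.size is None:
            raise ValueError(f"{self.name} is open-ended; pass the size explicitly")
        return f"rkflashtool r 0x{self.offset:08X} 0x{self.size:08X}"


def parse_mtdparts(cmdline: str) -> Tuple[str, List[Partition]]:
    """Return (mtd device name, partitions in declaration order)."""
    m = re.search(r"\bmtdparts=(?P<dev>[^:\s]+):(?P<spec>\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument in command line")
    parts: List[Partition] = []
    cursor: Optional[int] = 0  # next free sector, for entries written without @offset
    for idx, item in enumerate(m.group("spec").split(",")):
        pm = PART_RE.match(item)
        if not pm:
            raise ValueError(f"malformed mtdparts entry {item!r}")
        if pm.group("off"):
            offset = int(pm.group("off"), 16)
        elif cursor is None:
            raise ValueError(f"{item!r} has no offset but follows an open-ended partition")
        else:
            offset = cursor
        size = None if pm.group("size") == "-" else int(pm.group("size"), 16)
        parts.append(Partition(idx, pm.group("name"), offset, size))
        cursor = None if size is None else offset + size
    return m.group("dev"), parts


def layout_problems(parts: List[Partition]) -> List[str]:
    """Overlapping partitions, or an open-ended one that is not last."""
    problems: List[str] = []
    ordered = sorted(parts, key=lambda p: p.offset)
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.end() is None:
            problems.append(f"{prev.name} is open-ended but {nxt.name} follows it")
        elif nxt.offset < prev.end():
            problems.append(f"{prev.name} (ends 0x{prev.end():X}) overlaps "
                            f"{nxt.name} (starts 0x{nxt.offset:X})")
    return problems


def root_partition(cmdline: str, parts: List[Partition]) -> Partition:
    """Resolve root=/dev/mtdblockN against the table (N = mtdparts position, assumed)."""
    m = re.search(r"\broot=/dev/mtdblock(?P<n>\d+)", cmdline)
    if not m:
        raise ValueError("root= is not an mtdblock device")
    return parts[int(m.group("n"))]


def image_fits(part: Partition, image_bytes: int) -> bool:
    """Before an 'rkflashtool w', check the image is no larger than the partition."""
    limit = part.size_bytes()
    return limit is None or image_bytes <= limit


if __name__ == "__main__":
    dev, table = parse_mtdparts(CMDLINE)
    print(f"{dev}: {len(table)} partitions, root is {root_partition(CMDLINE, table).name}")
    for p in table:
        size = "rest" if p.size is None else f"0x{p.size:08X}"
        print(f"  mtdblock{p.index} {p.name:<9} @0x{p.offset:08X} size {size}")
    print(layout_problems(table) or "no overlaps")
```

On the command line above it resolves root=/dev/mtdblock4 to the system partition and reproduces the `0x0000E000 0x0001E000` pair used in the rkflashtool r command, which is the check worth making before any rkflashtool w: a wrong pair or an oversized image on a raw-flash write lands on whatever partition sits next.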
http://wiki.radxa.com/Rock/flash_the_image
or just pull/clip the flash chip and bitbang it with my Bus Blaster
http://spritesmods.com/?art=ftdinand&page=2
http://hackingbtbusinesshub.wordpress.com/2012/10/25/reprogramming-the-2wire-nand-flash-ic/
http://www.raspberrypi.org/forums/viewtopic.php?f=44&t=16775 #xbox 360 clip