http://irclog.whitequark.org/linux-rockchip/

need dumps of
--
dmesg
cat /proc/modules
cat /proc/filesystems
#loop, cramfs, ext2, ext3, vfat
cat /proc/mounts
cat /proc/cmdline
ip addr
ip link
ps auwwx
uname -a
printenv
/proc/config.gz
/var/log/syslog
find /

user land vectors
--
. /keytest #dumps /dev/events to stdout
. /hgtest #seems to test pixmap rendering to eink
. /logo-test #seems to print embedded xpm
. /ebook #the gui and monolithic book reader
has some crude update-from-FAT hook
is responsible for managing the ebook partition mount/umount and g_file gadget
. /update
libext3, opens raw flash and tweaks boot-parameters, can alter recovery partition args ("misc.img") --danger will robinson!
/sbin/busybox 1.13.4 (circa 2008)
/linuxrc and /sbin/init link to this. `busybox rcS` is PID1
telnetd
mdev
http://www.cvedetails.com/vulnerability-list/vendor_id-4282/product_id-7452/version_id-129281/Busybox-Busybox-1.13.4.html
iptunnel
cc,gcc,G++
chroot, env
sulogin, getty
tar,ar,zcat,gzip,gunzip,vi,sed
flash_eraseall

recovery.img user-land vectors
---
misc.img ->
http://www.freaktab.com/showthread.php?287-RockChip-ROM-Building-Tips-and-Tricks-by-Finless&p=4138&viewfull=1#post4138
http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984500;
recovery/bin/recovery
libext3
recovery/app/update

kernel vectors
--
Linux version 2.6.25 (root@chf-virtual-machine) (gcc version 4.4.0 (GCC) ) #1198 Thu Sep 6 14:44:00 CST 2012
rockchip version 1.2.7 (ruiguan) #with debug infomation,add change arm frequency when enter 1level sleep.
mem=64M console=ttyS0,115200 initrd=0x21100000,17000000 root=/dev/ram0 rw
http://www.cvedetails.com/version/123232/Linux-Linux-Kernel-2.6.25.html
--
usb hid input
usbserial generic (ttyACM0)
usbserial.product
usbserial.vendor
gadgetfs
usbfs
libertas SDIO wifi
use rockchip pin mux to redefine the SDIO pins to GPIO bit bangers! or SDIO uart to drive an old SDIO UART console or GPS card..
~/src/archos/Archos7HT_GPL/kernel//drivers/net/wireless/libertas/wifi_power.c
. /install-wifi | uninstall-wifi
unknown if all the .ko's were built against the installed kernel, and finding the SPI/SDIO mux pins on the board would be a feat
http://docs.blackfin.uclinux.org/doku.php?id=linux-kernel:drivers:wifi_over_sdio
http://www.ebay.com/itm/280635020362 http://andahammer.com/sdwifi/
gpio
~/src/archos/Archos7HT_GPL/kernel//arch/arm/mach-rockchip/gpio.c
grep -rn rockchip_mux ~/src/archos/Archos7HT_GPL/kernel/
http://lxr.free-electrons.com/source/drivers/pinctrl/pinctrl-rockchip.c
android configfs
android binder
android ram console: http://www.elinux.org/Android_Kernel_Features#RAM_CONSOLE : /proc/last_kmsg
pppol2tp
NFS + boot mode ip-config
dwc_otg 2.7
dwc_otg_force_device,already in A_HOST mode,everest
dwc_otg_force_device,already in B_PERIPHERAL,everest
dwc_otg_force_host,already in A_HOST mode,everest
debuglevel
force_usb_mode
rbd
/dev/ram0.... use that with the g_file_gadget module to create a ram-based backchannel FS
rockchip_serial
which test point is the uart? seems to support both

kernel blackboxes
--
rk-eink DSP driver
#loads/chksums waveform to DSP co-processor in RK2808A
#inits TI TPS65180 panel power & temp chip and calibration EEPROMs
#takes gfx input from /dev/fb0 and ioctls for forced updates
#strings flex_update_1.0.5/rockdev/Image/kernel.img | grep -i dsp
# https://code.google.com/p/k1099/source/browse/trunk/rk2808/Linux/drivers/rk28_dsp/rk28dsp.c?r=94
# can't find any of the eink-specific dsp code in the Archos kernel source :-(
#cannot find the datasheet for it either, "RK28xx DSP sub-system.pdf"
china kernel hacker build guide http://wenku.baidu.com/view/aab317f74693daef5ef73d18.html
http://roverbooksteel.narod.ru/develop/kernel/index.html
http://androtab.info/clockworkmod/rockchip/
http://www.freaktab.com/showthread.php?6569-Rockchip-Secrets-Exposed

bootrom vectors
----
https://gist.github.com/sarg/5028505

exploit attempt ideas
------
make a FAT-hook
run by script from mdev on mmc device re-appearance after USB host unmount
checks for /hook directory, verifies timestamp is newer than last boot and in same month/year as the clock
if time checks out, runs scripts within the hook in alpha order
make this safer by exporting a ramdisk as a secondary lun with g_file_storage. store and run the hooks from the ramdisk
if your hooks are bad and crash the thing, you can power-cycle back to working order
let the hooks dump to a txt file on the user partition
read your new exploit.txt book :-)
add more gadget drvs
Archos7HT_GPL/kernel/drivers/usb/gadget/f_adb.c CONFIG_USB_ANDROID=m
/flex_update_1.0.5/rockdev/Image/boot/sbin/adbd : statically linked! no bionic worries

mass storage mode
Jan 23 01:07:38 pogoplug kernel: [1772158.245313] usb 1-1: new high-speed USB device number 6 using orion-ehci
Jan 23 01:07:38 pogoplug kernel: [1772158.845283] usb 1-1: device not accepting address 6, error -71
Jan 23 01:07:56 pogoplug kernel: [1772176.685311] usb 1-1: new high-speed USB device number 8 using orion-ehci
Jan 23 01:07:56 pogoplug kernel: [1772176.836258] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5
Jan 23 01:07:56 pogoplug kernel: [1772176.843133] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 23 01:07:56 pogoplug kernel: [1772176.851666] usb 1-1: Product: File-backed Storage Gadget
Jan 23 01:07:56 pogoplug kernel: [1772176.858142] usb 1-1: Manufacturer: Linux 2.6.25 with dwc_otg_pcd
Jan 23 01:07:56 pogoplug kernel: [1772176.864387] usb 1-1: SerialNumber: 372041756775
Jan 23 01:07:57 pogoplug kernel: [1772176.876258] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 23 01:07:57 pogoplug kernel: [1772176.888511] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000
Jan 23 01:07:57 pogoplug kernel: [1772176.897098] scsi4 : usb-storage 1-1:1.0
Jan 23 01:07:58 pogoplug kernel: [1772177.896277] scsi 4:0:0:0: Direct-Access ebook reader 0322 PQ: 0 ANSI: 0
Jan 23 01:07:58 pogoplug kernel: [1772177.911479] sd 4:0:0:0: Attached scsi generic sg1 type 0
Jan 23 01:07:58 pogoplug kernel: [1772177.927190] sd 4:0:0:0: [sdb] 15785984 512-byte logical blocks: (8.08 GB/7.52 GiB)
Jan 23 01:07:58 pogoplug kernel: [1772177.943591] sd 4:0:0:0: [sdb] Write Protect is off
Jan 23 01:07:58 pogoplug kernel: [1772177.955388] sd 4:0:0:0: [sdb] Mode Sense: 0f 00 00 00
Jan 23 01:07:58 pogoplug kernel: [1772177.955949] sd 4:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Jan 23 01:07:58 pogoplug kernel: [1772177.980118] sdb:
Jan 23 01:07:58 pogoplug kernel: [1772177.989051] sd 4:0:0:0: [sdb] Attached SCSI removable disk

bootloader mode:
power off. hold D-PAD:center for 5 secs and, while still holding, connect usb -- http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984559;
Jan 23 01:11:38 pogoplug kernel: [1772398.415328] usb 1-1: new high-speed USB device number 9 using orion-ehci
Jan 23 01:11:38 pogoplug kernel: [1772398.565882] usb 1-1: unable to get BOS descriptor
Jan 23 01:11:38 pogoplug kernel: [1772398.571134] usb 1-1: New USB device found, idVendor=071b, idProduct=3228
Jan 23 01:11:38 pogoplug kernel: [1772398.581542] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
https://github.com/crewrktablets/rkflashtools/blob/master/rkflashtool.c
added my vid and pid
root@pogoplug:~/src/wexler_hacks# ./rkflashtool p
rkflashtool: info: rkflashtool v3.3
rkflashtool: info: Detected RK2808...
rkflashtool: info: interface claimed
rkflashtool: info: reading parameters at offset 0x00000000
rkflashtool: info: rkcrc: 0x4d524150
rkflashtool: info: size: 0x000001e0
FW_VERSION: 1.0.1
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 1616
CHECK_MASK: 0x80
KERNEL_IMG: 0x60008000
COMBINATION_KEY: F,0,1
CMDLINE: noinitrd console=ttyS0,115200n8n init=/init root=/dev/mtdblock4 mem=64M@0x60000000 mtdparts=rk28xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),0x00004000@0x0000A000(recovery),0x0001E000@0x0000E000(system),0x00006000@0x0002C000(backup),0x0002E000@0x00032000(cache),-@0x00060000(userdata)
rkflashtool r 0x0000E000 0x0001E000 > system.img
mount -o loop -t cramfs system.img /mnt/wexler
umount /mnt/wexler
rkflashtool w 0x0000E000 0x0001E000 < system.img #write takes the image on stdin; a ">" here would truncate system.img
http://wiki.radxa.com/Rock/flash_the_image
or just pull/clip the flash chip and bitbang it with my Bus Blaster
http://spritesmods.com/?art=ftdinand&page=2
http://hackingbtbusinesshub.wordpress.com/2012/10/25/reprogramming-the-2wire-nand-flash-ic/
http://www.raspberrypi.org/forums/viewtopic.php?f=44&t=16775 #xbox 360 clip
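
Before reading or writing a partition, the mtdparts table from the CMDLINE above can be checked. This is an added example (not from the original notes or from rkflashtool) that parses the table, flags overlaps or gaps, and builds the rkflashtool command for a named partition. It assumes offsets and sizes are in the 512-byte sectors rkflashtool takes; the function names are hypothetical.

```python
import re

# mtdparts portion of the CMDLINE printed by `rkflashtool p` above
CMDLINE = ("mtdparts=rk28xxnand:0x00002000@0x00002000(misc),"
           "0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),"
           "0x00004000@0x0000A000(recovery),0x0001E000@0x0000E000(system),"
           "0x00006000@0x0002C000(backup),0x0002E000@0x00032000(cache),"
           "-@0x00060000(userdata)")

def parse_mtdparts(cmdline):
    """Return [(name, offset, size_or_None)] in 512-byte sectors, sorted by offset."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in command line")
    parts = []
    for entry in m.group(1).split(","):
        pm = re.fullmatch(r"(-|0x[0-9A-Fa-f]+)@(0x[0-9A-Fa-f]+)\((\w+)\)", entry)
        if not pm:
            raise ValueError("bad partition entry: %r" % entry)
        size = None if pm.group(1) == "-" else int(pm.group(1), 16)
        parts.append((pm.group(3), int(pm.group(2), 16), size))
    return sorted(parts, key=lambda p: p[1])

def check_layout(parts):
    """Report overlaps and unclaimed gaps between consecutive partitions."""
    problems = []
    for (n1, off1, sz1), (n2, off2, _) in zip(parts, parts[1:]):
        if sz1 is None:
            problems.append("%s is open-ended but not last" % n1)
        elif off1 + sz1 > off2:
            problems.append("%s overlaps %s" % (n1, n2))
        elif off1 + sz1 < off2:
            problems.append("gap of 0x%X sectors after %s" % (off2 - off1 - sz1, n1))
    return problems

def rkflashtool_args(parts, name, mode="r"):
    """Build the rkflashtool command for one named, fixed-size partition."""
    for pname, off, size in parts:
        if pname == name:
            if size is None:
                raise ValueError("%s has no fixed size ('-' = rest of flash)" % name)
            redirect = ">" if mode == "r" else "<"  # read dumps to stdout, write reads stdin
            return "rkflashtool %s 0x%08X 0x%08X %s %s.img" % (mode, off, size, redirect, name)
    raise KeyError(name)

if __name__ == "__main__":
    table = parse_mtdparts(CMDLINE)
    print(check_layout(table) or "layout contiguous")
    print(rkflashtool_args(table, "system"))
```
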
/dev/mtdblock7 is inner memory (that mounts as USB Storage Device in PC).
You need to put autorun.sh (or whatever name you wish) to root of connected storage, then just reboot.
You could also try adding some script to /poweroff but I have no luck with that yet (mount does not work there for some reason).
Perhaps, if you have a toolchain built with ARM926EJ-S support and linked with dynamic uClibc loader, you could try building dropbear for it.
I purchased Wexler Flex One a couple of weeks ago. I tried to read PDF on this device but it was not good as the screen is small. There is no reflow option in this model. Is it possible to install KOReader on this device so that I can read PDF easily? Please help me in this regard.
KOreader would be nice! but I think that uses directfb and this OS uses /dev/rk28-dsp. haven't rooted it yet so am not really sure, this was all gleaned just by picking apart a firmware dump.
the 1st commenter seems to have made a bunch of mods to the Wexler OEM firmware and published how to use rkflashtool to update it, here:
https://www.savagemessiahzine.com/forum/index.php?showtopic=610167
mine is still in pieces from my 1st teardown and the 3.7v lipo battery is now a magic pillow....
still would like to find the serial port on it, supposedly test points 2 & 3 are RX & TX for UART0. and rkflashtool says they'll be a 115kbaud. but no labels on its 30+ testpoints!
i'd only bother because while there have been a few hackable eink devices released (inkplate), none have flexible screens like this weird old one-off wexler.
Here you go requested dumps: dumps.tar
Are not present in the system.
Is empty.
Got it via adding
to
/etc/init.d/dcS.iped
Hope it helps.
Cheers.