@kfix
Created April 29, 2014 20:47
wexler flex ereader rooting
http://irclog.whitequark.org/linux-rockchip/
need dumps of
--
dmesg
cat /proc/modules
cat /proc/filesystems
#loop, cramfs, ext2, ext3, vfat
cat /proc/mounts
cat /proc/cmdline
ip addr
ip link
ps auwwx
uname -a
printenv
/proc/config.gz
/var/log/syslog
find /
user land vectors
--
./keytest #dumps /dev/events to stdout
./hgtest #seems to test pixmap rendering to eink
./logo-test #seems to print embedded xpm
./ebook #the gui and monolithic book reader
has some crude update-from-FAT hook
is responsible for managing the ebook partition mount/umount and g_file gadget
./update
links libext3, opens the raw flash and tweaks boot parameters; can alter the recovery partition args ("misc.img") -- danger, Will Robinson!
/sbin/busybox 1.13.4 (circa 2008)
/linuxrc and /sbin/init link to this. `busybox rcS` is PID1
telnetd
mdev
http://www.cvedetails.com/vulnerability-list/vendor_id-4282/product_id-7452/version_id-129281/Busybox-Busybox-1.13.4.html
iptunnel
cc,gcc,G++
chroot, env
sulogin, getty
tar,ar,zcat,gzip,gunzip,vi,sed
flash_eraseall
recovery.img user-land vectors
---
misc.img ->
http://www.freaktab.com/showthread.php?287-RockChip-ROM-Building-Tips-and-Tricks-by-Finless&p=4138&viewfull=1#post4138)
http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984500;
recovery/bin/recovery
libext3
recovery/app/update
kernel vectors
--
Linux version 2.6.25 (root@chf-virtual-machine) (gcc version 4.4.0 (GCC) ) #1198 Thu Sep 6 14:44:00 CST 2012
rockchip version 1.2.7 (ruiguan) #with debug infomation,add change arm frequency when enter 1level sleep.
mem=64M console=ttyS0,115200 initrd=0x21100000,17000000 root=/dev/ram0 rw
http://www.cvedetails.com/version/123232/Linux-Linux-Kernel-2.6.25.html
--
usb hid input
usbserial generic (ttyACM0)
usbserial.product
usbserial.vendor
gadgetfs
usbfs
libertas SDIO wifi
use rockchip pin mux to redefine the SDIO pins to GPIO bit bangers! or SDIO uart to drive an old SDIO UART console or GPS card..
~/src/archos/Archos7HT_GPL/kernel/drivers/net/wireless/libertas/wifi_power.c
./install-wifi | ./uninstall-wifi
unknown if all the .ko's were built against the installed kernel, and finding the SPI/SDIO mux pins on the board would be a feat
http://docs.blackfin.uclinux.org/doku.php?id=linux-kernel:drivers:wifi_over_sdio
http://www.ebay.com/itm/280635020362 http://andahammer.com/sdwifi/
gpio
~/src/archos/Archos7HT_GPL/kernel/arch/arm/mach-rockchip/gpio.c
grep -rn rockchip_mux ~/src/archos/Archos7HT_GPL/kernel/
http://lxr.free-electrons.com/source/drivers/pinctrl/pinctrl-rockchip.c
android configfs
android binder
android ram console: http://www.elinux.org/Android_Kernel_Features#RAM_CONSOLE : /proc/last_kmsg
pppol2tp
NFS + boot mode ip-config
dwc_otg 2.7
dwc_otg_force_device,already in A_HOST mode,everest
dwc_otg_force_device,already in B_PERIPHERAL,everest
dwc_otg_force_host,already in A_HOST mode,everest
debuglevel
force_usb_mode
rbd
/dev/ram0.... use that as the backing file for the g_file_storage module to create a RAM-based backchannel FS
rockchip_serial
which test point is the uart? seems to support both
kernel blackboxes
--
rk-eink DSP driver
#loads/chksums waveform to DSP co-processor in RK2808A
#inits TI TPS65180 panel power & temp chip and calibration EEPROMs
#takes gfx input from /dev/fb0 and ioctls for forced updates
#strings flex_update_1.0.5/rockdev/Image/kernel.img | grep -i dsp
# https://code.google.com/p/k1099/source/browse/trunk/rk2808/Linux/drivers/rk28_dsp/rk28dsp.c?r=94
# can't find any of the eink-specific dsp code in the Archos kernel source :-(
#cannot find the datasheet for it either, "RK28xx DSP sub-system.pdf"
Chinese kernel hacking/build guide (baidu wenku): http://wenku.baidu.com/view/aab317f74693daef5ef73d18.html
http://roverbooksteel.narod.ru/develop/kernel/index.html
http://androtab.info/clockworkmod/rockchip/
http://www.freaktab.com/showthread.php?6569-Rockchip-Secrets-Exposed
bootrom vectors
----
https://gist.github.com/sarg/5028505
exploit attempt ideas
------
make a FAT-hook
run from an mdev script when the mmc/storage device re-appears after the USB host unmounts it
check for a /hook directory on the FAT partition, and verify that its timestamp is newer than the last boot and falls in the same month/year as the device clock
if the time checks out, run the scripts inside the hook directory in alphabetical order
make this safer by exporting a ramdisk as a secondary LUN with g_file_storage, and store and run the hooks from the ramdisk
if your hooks are bad and crash the thing, you can power-cycle back to working order
let the hooks dump to a txt file on the user partition
read your new exploit.txt book :-)
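The hook runner sketched above, written out as an added example (this is not code from the gist or from the Wexler firmware). It assumes a layout that is purely hypothetical: the FAT user partition is mounted at the first argument, a file touched once from rcS (second argument) records the last boot, and a tmpfs directory (third argument) is the RAM staging area the hooks are copied to before they run. It sticks to POSIX sh so it has a chance of running under the busybox 1.13-era ash on the device.

```sh
#!/bin/sh
# Added example of the "FAT-hook" idea: not code from the gist or the firmware.
# Assumed (hypothetical) layout:
#   $1  mount point of the FAT user partition that the PC sees over USB
#   $2  a file whose mtime marks the last boot (e.g. touched from rcS)
#   $3  a RAM-backed staging dir (tmpfs) that hooks are copied to before running
# Hooks are $1/hook/*.sh, run in alphabetical order; their output is appended
# to $1/exploit.txt, which shows up as a "book" on the user partition.

run_fat_hooks() {
    mnt=$1; boot_stamp=$2; stage=$3
    hookdir="$mnt/hook"
    out="$mnt/exploit.txt"

    # no hook dir on the partition -> nothing to do
    [ -d "$hookdir" ] || return 1

    # The hook dir must have been modified after the last boot, i.e. while the
    # partition was exported to the PC; otherwise a stale hook would re-run on
    # every re-mount.
    [ "$hookdir" -nt "$boot_stamp" ] || return 2

    # The RTC on a device like this is easy to get wrong, so also require the
    # hook dir's mtime to fall in the same month/year as the device clock.
    # (date -r FILE prints FILE's mtime; busybox and GNU date both support it.)
    [ "$(date -r "$hookdir" +%Y%m)" = "$(date +%Y%m)" ] || return 3

    # Copy the hooks into RAM first: a hook that hangs or crashes then cannot
    # keep the FAT mount busy, and a power-cycle returns the device to stock.
    mkdir -p "$stage" || return 4
    rm -f "$stage"/*.sh
    cp "$hookdir"/*.sh "$stage"/ 2>/dev/null || return 5

    # Glob expansion is sorted, which gives the alphabetical order wanted above.
    for h in "$stage"/*.sh; do
        [ -f "$h" ] || continue
        sh "$h" >>"$out" 2>&1 || echo "hook $h exited $?" >>"$out"
    done
    return 0
}

# Trigger: an mdev.conf entry (assumed, adjust the regex to whichever block
# device re-appears on your firmware) that runs a wrapper after node creation:
#   mmcblk[0-9]p[0-9]  0:0 660  @/etc/fat-hook.sh
# where /etc/fat-hook.sh mounts the partition and then calls, for instance:
#   run_fat_hooks /mnt/dos /tmp/last_boot /tmp/hookstage
```

The three time/space checks are ordered cheapest first and each failure has its own return code, so the wrapper can log why a hook set was refused without ever executing it. Hooks are run with plain `sh` rather than relying on the exec bit, because FAT has no permission bits to preserve.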
add more gadget drvs
Archos7HT_GPL/kernel/drivers/usb/gadget/f_adb.c CONFIG_USB_ANDROID=m
/flex_update_1.0.5/rockdev/Image/boot/sbin/adbd : statically linked! no bionic worries
mass storage mode
Jan 23 01:07:38 pogoplug kernel: [1772158.245313] usb 1-1: new high-speed USB device number 6 using orion-ehci
Jan 23 01:07:38 pogoplug kernel: [1772158.845283] usb 1-1: device not accepting address 6, error -71
Jan 23 01:07:56 pogoplug kernel: [1772176.685311] usb 1-1: new high-speed USB device number 8 using orion-ehci
Jan 23 01:07:56 pogoplug kernel: [1772176.836258] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5
Jan 23 01:07:56 pogoplug kernel: [1772176.843133] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 23 01:07:56 pogoplug kernel: [1772176.851666] usb 1-1: Product: File-backed Storage Gadget
Jan 23 01:07:56 pogoplug kernel: [1772176.858142] usb 1-1: Manufacturer: Linux 2.6.25 with dwc_otg_pcd
Jan 23 01:07:56 pogoplug kernel: [1772176.864387] usb 1-1: SerialNumber: 372041756775
Jan 23 01:07:57 pogoplug kernel: [1772176.876258] usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 23 01:07:57 pogoplug kernel: [1772176.888511] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000
Jan 23 01:07:57 pogoplug kernel: [1772176.897098] scsi4 : usb-storage 1-1:1.0
Jan 23 01:07:58 pogoplug kernel: [1772177.896277] scsi 4:0:0:0: Direct-Access ebook reader 0322 PQ: 0 ANSI: 0
Jan 23 01:07:58 pogoplug kernel: [1772177.911479] sd 4:0:0:0: Attached scsi generic sg1 type 0
Jan 23 01:07:58 pogoplug kernel: [1772177.927190] sd 4:0:0:0: [sdb] 15785984 512-byte logical blocks: (8.08 GB/7.52 GiB)
Jan 23 01:07:58 pogoplug kernel: [1772177.943591] sd 4:0:0:0: [sdb] Write Protect is off
Jan 23 01:07:58 pogoplug kernel: [1772177.955388] sd 4:0:0:0: [sdb] Mode Sense: 0f 00 00 00
Jan 23 01:07:58 pogoplug kernel: [1772177.955949] sd 4:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Jan 23 01:07:58 pogoplug kernel: [1772177.980118] sdb:
Jan 23 01:07:58 pogoplug kernel: [1772177.989051] sd 4:0:0:0: [sdb] Attached SCSI removable disk
bootloader mode:
power off, hold D-PAD center for 5 secs and, while still holding it, connect USB -- http://irclog.whitequark.org/linux-rockchip/2013-12-26#5984559;
Jan 23 01:11:38 pogoplug kernel: [1772398.415328] usb 1-1: new high-speed USB device number 9 using orion-ehci
Jan 23 01:11:38 pogoplug kernel: [1772398.565882] usb 1-1: unable to get BOS descriptor
Jan 23 01:11:38 pogoplug kernel: [1772398.571134] usb 1-1: New USB device found, idVendor=071b, idProduct=3228
Jan 23 01:11:38 pogoplug kernel: [1772398.581542] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
https://github.com/crewrktablets/rkflashtools/blob/master/rkflashtool.c
added my VID and PID (071b:3228) to it
root@pogoplug:~/src/wexler_hacks# ./rkflashtool p
rkflashtool: info: rkflashtool v3.3
rkflashtool: info: Detected RK2808...
rkflashtool: info: interface claimed
rkflashtool: info: reading parameters at offset 0x00000000
rkflashtool: info: rkcrc: 0x4d524150
rkflashtool: info: size: 0x000001e0
FW_VERSION: 1.0.1
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 1616
CHECK_MASK: 0x80
KERNEL_IMG: 0x60008000
COMBINATION_KEY: F,0,1
CMDLINE: noinitrd console=ttyS0,115200n8n init=/init root=/dev/mtdblock4 mem=64M@0x60000000 mtdparts=rk28xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),0x00004000@0x0000A000(recovery),0x0001E000@0x0000E000(system),0x00006000@0x0002C000(backup),0x0002E000@0x00032000(cache),-@0x00060000(userdata)
rkflashtool r 0x0000E000 0x0001E000 > system.img
mount -o loop -t cramfs system.img /mnt/wexler
# cramfs is read-only: to change anything, unpack it, edit, and rebuild the image with mkcramfs before writing it back
umount /mnt/wexler
rkflashtool w 0x0000E000 0x0001E000 < system.img   # w takes the image on stdin
http://wiki.radxa.com/Rock/flash_the_image
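Before writing anything back it is worth dumping every partition, not just system. The following is an added example (not from the gist or from rkflashtool) that parses the CMDLINE mtdparts= string printed by `rkflashtool p` above into one `rkflashtool r` backup command per partition. It assumes that rkflashtool's offset and size arguments are in 512-byte sectors and that the Rockchip mtdparts string uses the same unit (which makes the 0x1E000-sector system partition 60 MiB); the last partition's `-` size means "to the end of flash" and is deliberately left uncomputed because the parameter block alone does not give the NAND size.

```sh
#!/bin/sh
# Added example, not from the gist or rkflashtool: turn the mtdparts= string
# read back with `rkflashtool p` into per-partition dump commands.
# Assumption: rkflashtool offsets/sizes and the mtdparts values are both in
# 512-byte sectors. The '-' size (userdata) is open-ended and is only reported.

# Copied from the CMDLINE that `rkflashtool p` printed for this device.
MTDPARTS='rk28xxnand:0x00002000@0x00002000(misc),0x00004000@0x00004000(kernel),0x00002000@0x00008000(boot),0x00004000@0x0000A000(recovery),0x0001E000@0x0000E000(system),0x00006000@0x0002C000(backup),0x0002E000@0x00032000(cache),-@0x00060000(userdata)'

# parse_mtdparts SPEC -> one "NAME OFFSET SIZE" line per partition (hex sectors)
parse_mtdparts() {
    list=${1#*:}              # drop the "rk28xxnand:" mtd device prefix
    IFS=','
    set -- $list              # one positional parameter per "SIZE@OFFSET(NAME)"
    unset IFS
    for p in "$@"; do
        size=${p%%@*}         # "0x0001E000" or "-"
        rest=${p#*@}          # "0x0000E000(system)"
        off=${rest%%(*}
        name=${rest#*(}; name=${name%)}
        printf '%s %s %s\n' "$name" "$off" "$size"
    done
}

# part_bytes SIZE -> byte count for a fixed-size partition (512-byte sectors)
part_bytes() {
    [ "$1" = "-" ] && return 1
    echo $(( $1 * 512 ))
}

# part_of SPEC NAME -> "OFFSET SIZE", i.e. exactly what rkflashtool r/w want
part_of() {
    parse_mtdparts "$1" | awk -v n="$2" '$1 == n { print $2, $3 }'
}

# dump_cmds SPEC -> rkflashtool read commands for every fixed-size partition
dump_cmds() {
    parse_mtdparts "$1" | while read -r name off size; do
        if [ "$size" = "-" ]; then
            echo "# $name at $off runs to end of flash; size it from the total NAND size before dumping"
        else
            echo "rkflashtool r $off $size > $name.img   # $(part_bytes "$size") bytes"
        fi
    done
}

dump_cmds "$MTDPARTS"
```

Read each partition twice and `cmp` the two dumps before trusting them as a backup; a flaky USB link to the bootrom shows up as differing reads long before it shows up as a bricked write.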
or just pull/clip the flash chip and bitbang it with my Bus Blaster
http://spritesmods.com/?art=ftdinand&page=2
http://hackingbtbusinesshub.wordpress.com/2012/10/25/reprogramming-the-2wire-nand-flash-ic/
http://www.raspberrypi.org/forums/viewtopic.php?f=44&t=16775 #xbox 360 clip
@PASAf

PASAf commented Oct 23, 2014

Here you go, requested dumps: dumps.tar

/proc/config.gz
/var/log/syslog

Are not present in the system.

cat /proc/modules

Is empty.

Got it via adding

/bin/mount -t vfat -o codepage=936,iocharset=utf8 /dev/mtdblock7 /mnt/dos
/bin/cp /mnt/dos/autorun.sh /tmp/autorun.sh
/bin/chmod 755 /tmp/autorun.sh
/tmp/autorun.sh

to /etc/init.d/dcS.iped
Hope it helps.
Cheers.

@PASAf

PASAf commented Oct 25, 2014

/dev/mtdblock7 is inner memory (that mounts as USB Storage Device in PC).
You need to put autorun.sh (or whatever name you wish) to root of connected storage, then just reboot.

You could also try adding some script to /poweroff, but I have had no luck with that yet (mount does not work there for some reason).

Perhaps, if you have a toolchain built with ARM926EJ-S support and linked with the dynamic uClibc loader, you could try building dropbear for it.

@tahmush

tahmush commented Jan 1, 2017

I purchased a Wexler Flex One a couple of weeks ago. I tried to read PDFs on this device but it was not good, as the screen is small. There is no reflow option in this model. Is it possible to install KOReader on this device so that I can read PDFs easily? Please help me in this regard.

@kfix (author)

kfix commented Jul 31, 2022

KOReader would be nice!

but I think that uses directfb and this OS uses /dev/rk28-dsp. haven't rooted it yet so am not really sure; this was all gleaned just by picking apart a firmware dump.

the 1st commenter seems to have made a bunch of mods to the Wexler OEM firmware and published how to use rkflashtool to update it, here:
https://www.savagemessiahzine.com/forum/index.php?showtopic=610167

mine is still in pieces from my 1st teardown and the 3.7v lipo battery is now a magic pillow....

still would like to find the serial port on it; supposedly test points 2 & 3 are RX & TX for UART0, and rkflashtool says it'll be 115k baud. but no labels on its 30+ testpoints!

@kfix (author)

kfix commented Jul 31, 2022

I'd only bother because while there have been a few hackable eink devices released (inkplate), none have flexible screens like this weird old one-off Wexler.
