Jump to content

Canon Connect Station CS100


azzy9

Recommended Posts

Hi all,

I found this site a while back while searching for airstash hacking, and found the threads on the successor sandisk 32g.

 

I bought 2 Canon Connect Station CS100's for really cheap.
But I would like to get more out of it, I bought it thinking maybe I could get root access,
If not, they would still be useful as extremely cheap 1TB 2.5" HDD's

My Journey so far:

First, I ran a port scan.

results here:
https://pastebin.com/u2KgurBx

And saw no useful ports.
I then tried a keyboard in the USB, but would not provide any power to it.
It does access a USB flash drive inserted once (flashes once) on boot, but then after does nothing.
I assume it is looking for a new firmware file.

I then removed the HDD and connected it to my PC running Ubuntu.
The HDD consists of 6 partitions

The first partition has a file list posted here:
https://pastebin.com/m5Z1CRdK

The Linux kernel seems to be: Linux 2.6.35.9-32-sigma

There seems to be no SSH module that I can find and I am not sure on how to get to any terminal.


The firmware seems to be checked / updated by a script with the config in the 5th partition.
File: CMSTAPP.properties
Contains: http://gdlp01.c-wss.com/rmds/ic/connectstation/cs100/firmwareupdate/autoupdateservice_cmst10_urltable.xml
Firmware file: http://gdlp01.c-wss.com/gds/6/0400003256/01/firm_CS100_2.5.2_201705191000.frm

I am not sure where to continue from here.

I would like to install SSH, but with no apparent way to communicate with the device via terminal and with my Linux skills being that of a Noob I would not know where to go now.
Any help / suggestions would be greatly appreciated

 

Update: 06/02/2018

Info:

Cs100's fdisk -l

Cs100's dmesg

Mods:

Enable Telnet

Chroot Debian

External Resources:

Use HDD in other devices (by iintoxxicated @ desidime.com)

Basic Teardown (by zom @ boards.ie)

Link to comment
Share on other sites

  • 2 weeks later...
  • Replies 142
  • Created
  • Last Reply
  • 2 weeks later...

Hi nimrud.

Unfortunately I have not made any more progress.

What I have been attempting is to modify the ".sh" files to output variables into text files, but not got any success with that. (It is almost like they do not go into the files)

Sorry to say I have no experience with Jtagging , or even sure if it even has the connections for it. (I have only taken the bottom off to get to the HDD at the moment).

The heatsink is covering alot of the components on the other side of the PCB and the HDD will need to be taken out to unclip it to see what chips it has.

Thanks,

Azzy9

Link to comment
Share on other sites

17 hours ago, azzy9 said:

Hi nimrud.

Unfortunately I have not made any more progress.

What I have been attempting is to modify the ".sh" files to output variables into text files, but not got any success with that. (It is almost like they do not go into the files)

Sorry to say I have no experience with Jtagging , or even sure if it even has the connections for it. (I have only taken the bottom off to get to the HDD at the moment).

The heatsink is covering alot of the components on the other side of the PCB and the HDD will need to be taken out to unclip it to see what chips it has.

Thanks,

Azzy9

Hi azzy9,

well, I've received my CS100 last week, but I couldn't open it yet, I'm expecting to have some spare time by the end of the month so I'll take a look into it. I originally bought it to take out and use the internal disk, but if I can use the cs100 as a NAS would be nice.

If is not a problem, could you upload/give me access to some files to study how it manage the updates?

I found interesting some .sh files like :

/install_update.sh,12037

/sbin/firmware_load.sh,2972

/usr/local/firmware/install_firmware.sh,8452

and maybe...

/etc/cig/device.info,718

 

Could you tell me how many partitions it has? Can you pass me the "fdisk -l" result?

Thanks in advance!

Link to comment
Share on other sites

Hi Nimrud,

I Currently do not have access to the device, will have to do when I get home tonight. But I have the files on a USB So I could look at the files.

Files are on mega:

Link to comment
Share on other sites

The results of the fdisk -l

Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot    Start        End    Sectors   Size Id Type
/dev/sda1             63    1953188    1953126 953.7M 83 Linux
/dev/sda2        1953189    2453189     500001 244.1M 82 Linux swap / Solaris
/dev/sda3        2453190    2703190     250001 122.1M 83 Linux
/dev/sda4        2703191 1953525167 1950821977 930.2G  5 Extended
/dev/sda5        2703254   10515754    7812501   3.7G 83 Linux
/dev/sda6       10515818   18328318    7812501   3.7G 83 Linux
/dev/sda7       18328382   33953382   15625001   7.5G 83 Linux
/dev/sda8       33953446 1953525167 1919571722 915.3G 83 Linux

Partition 1 does not start on physical sector boundary.
Partition 2 does not start on physical sector boundary.
Partition 3 does not start on physical sector boundary.
Partition 4 does not start on physical sector boundary.
Partition 5 does not start on physical sector boundary.
Partition 6 does not start on physical sector boundary.
Partition 7 does not start on physical sector boundary.
Partition 8 does not start on physical sector boundary.

 

Link to comment
Share on other sites

I too bought 2 of these with the idea of using the 1Tb hard drive, however it seems a good unit to pair with my Canon camera, so I may just keep it as is. The option of hacking the other is inviting, especially if it can be used as a NAS. I guess the easy thing to try is to swap out the hard drive and try a different OS.

This little box is ripe for hacking - Wifi, Ethernet, NFC, USB (which according to the manual doesn't support a hub)...

It might be worth noting that it uses 10W of power when on, 9.5W in standby and 0.5W when "off"

Also this bit is promising: 

Software under the GPL and LGPL
The product contains soflware modules licensed under the GPL and LGPL. If you need to obtain the source code of the software, please contact the Canon sales company in the country /
region where you purchased the product.

 

I assume that refers to the photo manipulation software rather than the OS though...

Link to comment
Share on other sites

On 3/1/2018 at 11:48 PM, azzy9 said:

The results of the fdisk -l


Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot    Start        End    Sectors   Size Id Type
/dev/sda1             63    1953188    1953126 953.7M 83 Linux
/dev/sda2        1953189    2453189     500001 244.1M 82 Linux swap / Solaris
/dev/sda3        2453190    2703190     250001 122.1M 83 Linux
/dev/sda4        2703191 1953525167 1950821977 930.2G  5 Extended
/dev/sda5        2703254   10515754    7812501   3.7G 83 Linux
/dev/sda6       10515818   18328318    7812501   3.7G 83 Linux
/dev/sda7       18328382   33953382   15625001   7.5G 83 Linux
/dev/sda8       33953446 1953525167 1919571722 915.3G 83 Linux

Partition 1 does not start on physical sector boundary.
Partition 2 does not start on physical sector boundary.
Partition 3 does not start on physical sector boundary.
Partition 4 does not start on physical sector boundary.
Partition 5 does not start on physical sector boundary.
Partition 6 does not start on physical sector boundary.
Partition 7 does not start on physical sector boundary.
Partition 8 does not start on physical sector boundary.

 

Hi,

regarding the partition table and the files you've uploaded, it makes me think of a uboot loading a kernel from one of the partitions on disk, wich could give us a chance to play with it...

if it has a modern uboot version and it's not cropped maybe we can use netconsole to access like lacie devices (http://lacie-nas.org/doku.php?id=uboot), we can't probably use clunc as it's for lacie only, but maybe netconsole is available...

It would be a nice try to examine if at boot, it tries to get a dhcp lease (for the uboot), if that's happens, only will be available for seconds and we can try the netconsole (explained on the link I provided on section "Retrieve the NAS IP address")

Another option I want to try is to upload a compiled telnet/ssh/modified web cgi ...

Thanks!

PS: Regarding the GPL license, you need to contact CANON to get the files, maybe it worth a try...but I'm a bit sceptical

Link to comment
Share on other sites

On 1/11/2018 at 12:31 AM, LV426 said:

I just thought I'd ask if there is a tear down on these? If not I'll find the time and create one...

That would be awesome :)

 

6 hours ago, dmarkey said:

Anyone hacked this thing yet? Just ordered one..

 

I have figured out how to get telnet working on it.

1. Connect the HDD to a linux system and mount the partitions

2. chown file "etc/rc.d/rcS" on 1st partition

3. open file "etc/rc.d/rcS"

4. find the line with content: "allow_telnet=no" and change it to "allow_telnet=yes" (was on line 200 for me)

5. save the file, then set canon station up with the Ethernet port used to connect to router

6. use application to connect to telnet on port 23 with username as "root". no password required. (I used putty on my windows laptop)

Hope this helps.

 

 

Link to comment
Share on other sites

9 minutes ago, dmarkey said:

Nice!

 

Any specs? Processor? Memory? Wonder if we could get an ordinary distro on this thing

 

This of any help?

-bash-3.00# cat /proc/cpuinfo

system type             : Sigma Designs TangoX
SMP8XXX Chip ID         : 8673
SMP8XXX Rev ID          : 1
System bus frequency    : 398250000 Hz
CPU frequency           : 796500000 Hz
DSP frequency           : 398250000 Hz

processor               : 0
cpu model               : MIPS 74Kc V5.0  FPU V0.0
BogoMIPS                : 398.13
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0418, 0x06c8, 0x07                                                                                        e8, 0x02f0]
ASEs implemented        : mips16 dsp
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

 

-bash-3.00# free

             total       used       free     shared    buffers     cached
Mem:        176860     147812      29048          0       4520      70092
-/+ buffers/cache:      73200     103660
Swap:       249996          0     249996

 

-bash-3.00# cat /proc/meminfo

MemTotal:         176860 kB
MemFree:           29048 kB
Buffers:            4528 kB
Cached:            70092 kB
SwapCached:            0 kB
Active:            24300 kB
Inactive:          81356 kB
Active(anon):      15380 kB
Inactive(anon):    16192 kB
Active(file):       8920 kB
Inactive(file):    65164 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:             0 kB
HighFree:              0 kB
LowTotal:         176860 kB
LowFree:           29048 kB
SwapTotal:        249996 kB
SwapFree:         249996 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:         31048 kB
Mapped:            35812 kB
Shmem:               536 kB
Slab:              36420 kB
SReclaimable:       1300 kB
SUnreclaim:        35120 kB
KernelStack:        1456 kB
PageTables:         1172 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      338424 kB
Committed_AS:     875252 kB
VmallocTotal:    1015800 kB
VmallocUsed:        4008 kB
VmallocChunk:    1007600 kB

 

Link to comment
Share on other sites

3 minutes ago, dmarkey said:

It is!

dmesg would be also helpful?

here you go:

-bash-3.00# dmesg

Linux version 2.6.35.9-32-sigma (builder@buildmachine.com) (gcc version 4.4.1 (A                                                                                        VSourcery G++ Lite 4.4-303-2 with Java) ) #1 PREEMPT Fri May 19 10:18:22 JST 201                                                                                        7
Configured for SMP867x, detected SMP8673 (revision ES1).
Detected CPU/System/DSP Frequencies: 796.50/398.25/398.25MHz
SMP86xx Enabled Devices under Linux/XENV 0x9ebfbff4 = 0x002303f8
 Ethernet IR FIP I2CM I2CS SDIO SDIO1 USB SATA SCARD
Desired kernel memory size: 0x05c00000
Max. DRAM0/1 size allowed: 0x0b400000/0x00000000
 Mapped 0x80000000(size 0x04000000) via remap2
 Mapped 0x84000000(size 0x01c00000) via remap3
Final kernel memory size: 0x05c00000
CPU revision is: 00019750 (MIPS 74Kc)
FPU revision is: 01739700
Determined physical RAM map:
 memory: 05c00000 @ 04000000 (usable)
parsing kernel command line for memory options ..
Desired kernel memory size: 0x0b400000
Max. DRAM0/1 size allowed: 0x0b400000/0x00000000
 Mapped 0x80000000(size 0x04000000) via remap2
 Mapped 0x84000000(size 0x04000000) via remap3
 Mapped 0x88000000(size 0x03400000) via remap4
Final kernel memory size: 0x0b400000
User-defined physical RAM map:
 memory: 0b400000 @ 04000000 (usable)
Wasting 524288 bytes for tracking 16384 unused pages
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  DMA      0x00004000 -> 0x00020000
  Normal   empty
  HighMem  empty
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00004000 -> 0x0000f400
On node 0 totalpages: 46080
free_area_init_node: node 0, pgdat 8455b9a0, node_mem_map 84cc9000
  DMA zone: 360 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 45720 pages, LIFO batch:15
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 45720
Kernel command line: console=ttyS0 rootdelay=10 mem=180M
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 4-way, linesize 32 bytes.
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 169592k/184320k available (4399k kernel code, 14728k reserved, 1093k dat                                                                                        a, 7268k init, 0k highmem)
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:256
Console: colour dummy device 80x25
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
libata version 3.00 loaded.
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource TANGOX
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
timer0: interrupt registered.
registering mbus interrupt routines.
SMP86xx zxenv (254:0): driver loaded.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Slow work thread pool: Starting up
Slow work thread pool: Ready
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
ROMFS MTD (C) 2007 Red Hat, Inc.
fuse init (API version 7.14)
JFS: nTxBlock = 1324, nTxLock = 10599
yaffs built May 19 2017 10:18:20 Installing.
msgmni has been set to 331
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x0 (irq = 10) is a 16550A
serial8250: ttyS2 at MMIO 0x0 (irq = 71) is a 16550A
loop: module loaded
Uniform Multi-Platform E-IDE driver
SATA version 0x3139302a ID 0x0 is detected
scsi0 : Tangox SATA 0
ata1: SATA max UDMA/133 PHY RDY changed irq 49
SATA version 0x0 ID 0x0 is detected
scsi1 : Tangox SATA 0
ata2: SATA max UDMA/133 irq 62
[SMP_NAND] SMP8xxx NAND Driver 0.3 (multi-bits ECC: enabled)
[SMP_NAND]: checking NAND device on CS0 ..
ONFI flash detected
ONFI param page 0 valid
NAND device: Manufacturer ID: 0x01, Chip ID: 0xda (AMD NAND 256MiB 3,3V 8-bit)
Scanning device for bad blocks
[SMP_NAND]: detected NAND on CS0, 256MiB, erasesize 128KiB, pagesize 2048B, oobs                                                                                        ize 64B, oobavail 2B
[SMP_NAND]: checking NAND device on CS1 ..
No NAND device found.
[SMP_NAND]: detection completed, load partition information from XENV ..
[SMP_NAND]: load partition information for CS0 ..
Creating 8 MTD partitions on "S34ML02G1":
0x000000000000-0x000000400000 : "bootblocks"
0x000000400000-0x000000e00000 : "mainkernel"
0x000000e00000-0x000001800000 : "rescuekernel"
0x000001800000-0x000001e00000 : "xmaterial"
0x000001e00000-0x000002200000 : "imaterial"
0x000002200000-0x000008200000 : "rescuerootfs"
0x000008200000-0x000008c00000 : "diagprogram"
0x000008c00000-0x000010000000 : "reserved"
tangox_enet0: detected phy RTL8211E  at address 0x00
tangox_enet0: Ethernet driver for SMP8xxx internal MAC core 0: 1000Mbps Base at                                                                                         0x26000
tangox_enet0: mac address d8:49:2f:f7:9b:84
tangox_enet1: ethernet mac_core 1 support is disabled from XENV
usbcore: registered new interface driver asix
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver net1080
usbcore: registered new interface driver rndis_host
usbcore: registered new interface driver cdc_subset
usbcore: registered new interface driver zaurus
usbcore: registered new interface driver zd1201
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Initializing Tangox EHCI USB Host Controller
TangoX USB initializing...
tangox-ehci-hcd-0 tangox-ehci-hcd-0: TangoX USB 2.0
tangox-ehci-hcd-0 tangox-ehci-hcd-0: new USB bus registered, assigned bus number                                                                                         1
tangox-ehci-hcd-0 tangox-ehci-hcd-0: irq 48, io mem 0xa0021500
tangox-ehci-hcd-0 tangox-ehci-hcd-0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing Tangox EHCI USB Host Controller
TangoX USB initializing...
tangox-ehci-hcd-1 tangox-ehci-hcd-1: TangoX USB 2.0
tangox-ehci-hcd-1 tangox-ehci-hcd-1: new USB bus registered, assigned bus number                                                                                         2
tangox-ehci-hcd-1 tangox-ehci-hcd-1: irq 15, io mem 0xa0025500
tangox-ehci-hcd-1 tangox-ehci-hcd-1: USB 0.0 started, EHCI 1.00
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
No OHCI in SMP8652/SMP8653/SMP8646/SMP8647/SMP867X.
Initializing USB Mass Storage driver...
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
tangoxdog: Hardware Watchdog Timer for SMP864x/SMP865x/SMP867x/SMP868x/SMP89xx 0                                                                                        .2 (def. timeout: 30 sec)
oprofile: using mips/74K performance monitoring.
TCP cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
lib80211_crypt: registered algorithm 'NULL'
ata1.00: ATA-9: WDC WD10JUCT-63CYNY0, 01.01A01, max UDMA/133
ata1.00: 1953525168 sectors, multi 0: LBA48 NCQ (depth 0/32)
ata1.00: configured for UDMA/133
scsi 0:0:0:0: Direct-Access     ATA      WDC WD10JUCT-63C 01.0 PQ: 0 ANSI: 5
ata1: dev 0 max request 512 sectors (lba48)
sd 0:0:0:0: [sda] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
sd 0:0:0:0: Attached scsi generic sg0 type 0
sd 0:0:0:0: [sda] 4096-byte physical blocks
usb 1-1: new high speed USB device using tangox-ehci-hcd-0 and address 2
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO                                                                                         or FUA
 sda: sda1 sda2 sda3 sda4 < sda5 sda6 sda7 sda8 >
sd 0:0:0:0: [sda] Attached SCSI disk
usb 2-1: new high speed USB device using tangox-ehci-hcd-1 and address 2
ata2: failed to resume link (SControl 0)
ata2: SATA link down (SStatus 0 SControl 0)
Freeing unused kernel memory: 7268k freed
hub 2-1:1.0: USB hub found
hub 2-1:1.0: 4 ports detected
usb 2-1.1: new high speed USB device using tangox-ehci-hcd-1 and address 3
scsi2 : usb-storage 2-1.1:1.0
usb 2-1.2: new high speed USB device using tangox-ehci-hcd-1 and address 4
scsi3 : usb-storage 2-1.2:1.0
EXT4-fs (sda1): INFO: recovery required on readonly filesystem
EXT4-fs (sda1): write access will be enabled during recovery
EXT4-fs (sda1): recovery complete
EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Adding 249996k swap on /dev/sda2.  Priority:-1 extents:1 across:249996k
scsi 2:0:0:0: Direct-Access     Generic- Multiple Reader  1.11 PQ: 0 ANSI: 4
sd 2:0:0:0: Attached scsi generic sg1 type 0
sd 2:0:0:0: [sdb] Attached SCSI removable disk
scsi 3:0:0:0: Direct-Access     Generic- Multiple Reader  1.11 PQ: 0 ANSI: 4
sd 3:0:0:0: Attached scsi generic sg2 type 0
tangoxdog: Started watchdog timer.
tangoxdog: Started watchdog timer.
sd 3:0:0:0: [sdc] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
sd 3:0:0:0: [sdc] Write Protect is off
sd 3:0:0:0: [sdc] Mode Sense: 23 00 00 00
sd 3:0:0:0: [sdc] Assuming drive cache: write through
sd 3:0:0:0: [sdc] Assuming drive cache: write through
 sdc: sdc1
sd 3:0:0:0: [sdc] Assuming drive cache: write through
sd 3:0:0:0: [sdc] Attached SCSI removable disk
EXT4-fs (sda3): mounted filesystem with ordered data mode. Opts: nodelalloc,barr                                                                                        ier=1,data=ordered
EXT4-fs (sda6): mounted filesystem with ordered data mode. Opts: nodelalloc,barr                                                                                        ier=1,data=ordered
EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
EXT4-fs (sda7): barriers disabled
EXT4-fs (sda7): mounted filesystem with ordered data mode. Opts: nodelalloc,barr                                                                                        ier=0,data=ordered
SMP86xx ir (125:0): driver loaded (wait_period = 100ms, buffer_size = 6)
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
SDIO0 is enabled.
SDIO1 is enabled.
mmc0: Invalid maximum block size, assuming 512 bytes
mmc0: SDHCI controller on SDIO [sdhci0-tangox] using ADMA
mmc1: Invalid maximum block size, assuming 512 bytes
mmc1: SDHCI controller on SDIO [sdhci0-tangox] using ADMA
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
llad: module license 'LGPL' taints kernel.
Disabling lock debugging due to kernel taint
mumk_register_tasklet: (0) tasklet c054b000 status @c04c1e4c
em8xxx  [...kernel_src/krua.c:  1779] init_module: done. Found 1 em8xxx
wlan: Loading MWLAN driver
VID/PID = 1286/2040, Boot2 version = 3119
rx_work=0 cpu_num=1
WLAN FW is static
fw_cap_info=0xba3, dev_cap_mask=0xffffffff
usbcore: registered new interface driver usb8xxx
wlan: Driver loaded successfully
ir: Enable NEC decoder (0x00000000)
ir: Enable RC5 decoder (0x00000000)
ir: Enable RC6 decoder
EXT4-fs (sda8): barriers disabled
EXT4-fs (sda8): mounted filesystem with ordered data mode. Opts: nodelalloc,barr                                                                                        ier=0,data=ordered
tangoxdog: Stopped watchdog timer.
minor_release: too many openers (increase MAX_OPENERS)
ADDRCONF(NETDEV_UP): mlan0: link is not ready
tangoxdog: Started watchdog timer.
tangoxdog: Started watchdog timer.
wlan: SCAN COMPLETED: scanned AP count=0
wlan: SCAN COMPLETED: scanned AP count=8
tangox_enet0: PHY autonegotiation does not complete...
ADDRCONF(NETDEV_UP): eth0: link is not ready
wlan: SCAN COMPLETED: scanned AP count=7
ADDRCONF(NETDEV_CHANGE): mlan0: link becomes ready
mlan0: no IPv6 routers present
wlan: EVENT: Link lost (reason 0x0)
wlan: SCAN COMPLETED: scanned AP count=7
wlan: SCAN COMPLETED: scanned AP count=5
wlan: EVENT: Link lost (reason 0x0)
wlan: SCAN COMPLETED: scanned AP count=7
wlan: SCAN COMPLETED: scanned AP count=7
wlan: SCAN COMPLETED: scanned AP count=6
wlan: SCAN COMPLETED: scanned AP count=6
eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
eth0: no IPv6 routers present
eth0: link down
eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
wlan: SCAN COMPLETED: scanned AP count=4
wlan: SCAN COMPLETED: scanned AP count=4
wlan: SCAN COMPLETED: scanned AP count=3

 

Link to comment
Share on other sites

4 minutes ago, dmarkey said:

eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1 

Woo gigabit ethernet. I'll hack at this when I get it friday

The more people looking to hack & modify this for other uses, the better :)

some use cases I can think of for this if we progress:

NAS

Personal git server

light-weight PHP server

Low power Thin client

Link to comment
Share on other sites

I was writing a post about the investigation lines I'm following, but my Firefox crashed and all is gone, so long history short: It looks like the SoC is very similar to some Dune devices, so, we have here (http://wiki.yobi.be/wiki/Dune_HD) some info to try (and in some of the links, some info about compiling our own programs (http://scottjohnson.org/wiki/Dune/Hacking) ).

Also I noticed that the MTD map is showed on the dmesg log, 1st of all it's to make a backup.

Third and last, there are some binaries in the root folder we can take a look into (using binwalk)

On the other hand it looks like the SoC it's quite old, and the kernel version too, so maybe it's possible to run an old debian (maybe 5.X), but we will have some issues with some drivers...anyway, it's a possibility.

BR!

Link to comment
Share on other sites

No much progress, just want to show the result of "binwalking" the dumped images of the mtd:

mtdblock0.S34ML02G1.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
264408        0x408D8         CRC32 polynomial table, little endian
490424        0x77BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
526552        0x808D8         CRC32 polynomial table, little endian
752568        0xB7BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
1048576       0x100000        romfs filesystem, version 1 size: 220048 bytes, named "YAMON_XLOAD"
1310720       0x140000        romfs filesystem, version 1 size: 2896 bytes, named "DRMKEYS"
4194304       0x400000        romfs filesystem, version 1 size: 5761056 bytes, named "MIPSLINUX_XLOAD"
14680064      0xE00000        romfs filesystem, version 1 size: 5760912 bytes, named "MIPSLINUX_XLOAD"
25165824      0x1800000       romfs filesystem, version 1 size: 449584 bytes, named "xmaterial"
31457280      0x1E00000       romfs filesystem, version 1 size: 3975728 bytes, named "imaterial"
35651584      0x2200000       UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock1.bootblocks.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
264408        0x408D8         CRC32 polynomial table, little endian
490424        0x77BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
526552        0x808D8         CRC32 polynomial table, little endian
752568        0xB7BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
1048576       0x100000        romfs filesystem, version 1 size: 220048 bytes, named "YAMON_XLOAD"
1310720       0x140000        romfs filesystem, version 1 size: 2896 bytes, named "DRMKEYS"

mtdblock2.mainkernel.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             romfs filesystem, version 1 size: 5761056 bytes, named "MIPSLINUX_XLOAD"

mtdblock3.rescuekernel.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             romfs filesystem, version 1 size: 5760912 bytes, named "MIPSLINUX_XLOAD"

mtdblock4.xmaterial.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             romfs filesystem, version 1 size: 449584 bytes, named "xmaterial"

mtdblock5.imaterial.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             romfs filesystem, version 1 size: 3975728 bytes, named "imaterial"

mtdblock6.rescuerootfs.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock7.diagprogram.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock8.reserved.binwalk

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


(empty)

Link to comment
Share on other sites

result of mtd_dumpxenv.sh

(0x00)     4 x.boot 00.58.00.00. 0x00005800
(0x00)     4 z.stage1_ga 00.00.60.81. 0x81600000
(0x00)     4 x.pll.1.pll 24.00.00.01. 0x01000024
(0x00)     4 x.mux 01.02.00.00. 0x00000201
(0x00)     4 x.ddr.0.density 06.00.00.00. 0x00000006
(0x00)     4 x.ddr.1.density ff.ff.ff.ff. 0xffffffff
(0x00)     4 x.ddr.grade 04.00.00.00. 0x00000004
(0x00)     4 x.ddr.fmin_mhz 5e.01.00.00. 0x0000015e
(0x00)     4 x.ddr.fmax_mhz 8f.01.00.00. 0x0000018f
(0x00)     4 x.ddr.method 50.31.01.10. 0x10013150
(0x00)     4 x.ddr.verbose 01.00.00.00. 0x00000001
(0x00)     4 a.avclk_mux 00.00.40.17. 0x17400000
(0x00)     4 a.hostclk_mux 31.01.00.00. 0x00000131
(0x00)     4 a.pll.1.div 0f.06.00.00. 0x0000060f
(0x00)     4 a.cd0_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd1_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd2_freq 00.d8.b8.05. 0x05b8d800
(0x00)     4 a.cd3_freq 00.87.93.03. 0x03938700
(0x00)     4 a.cd4_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd5_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd6_freq 00.d8.b8.05. 0x05b8d800
(0x00)     4 a.cd7_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd8_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd9_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd10_freq 00.00.00.00. 0x00000000
(0x00)     4 a.cd11_freq 00.00.00.00. 0x00000000
(0x00)     4 a.irq_rise_edge_lo 06.ca.28.ff. 0xff28ca06
(0x00)     4 a.irq_rise_edge_hi 1f.00.10.8c. 0x8c10001f
(0x00)     4 a.irq_fall_edge_lo 00.c0.00.00. 0x0000c000
(0x00)     4 a.irq_fall_edge_hi 00.00.00.00. 0x00000000
(0x00)     4 a.gpio_irq_map 00.08.0a.00. 0x000a0800
(0x00)     4 a.pcidev1_irq_route 01.01.01.01. 0x01010101
(0x00)     4 a.pcidev2_irq_route 01.01.01.01. 0x01010101
(0x00)     4 a.pcidev3_irq_route 01.01.01.01. 0x01010101
(0x00)     4 a.pcidev4_irq_route 01.01.01.01. 0x01010101
(0x00)     4 a.gpio_dir 0c.4b.10.00. 0x00104b0c
(0x00)     4 a.gpio_data 0c.40.10.00. 0x0010400c
(0x00)     4 a.pb_def_timing 02.02.08.03. 0x03080202
(0x00)     4 a.pb_cs_config 03.00.33.00. 0x00330003
(0x00)     4 a.pb_cs_config1 00.00.00.00. 0x00000000
(0x00)     4 a.pb_cs_ctrl 22.00.00.00. 0x00000022
(0x00)     4 a.pb_timing0 02.02.08.03. 0x03080202
(0x00)     4 a.pb_use_timing0 f3.03.00.00. 0x000003f3
(0x00)     4 a.uart_used_ports 07.00.00.00. 0x00000007
(0x00)     4 a.uart_console_port 00.00.00.00. 0x00000000
(0x00)     4 a.baudrate 00.c2.01.00. 0x0001c200
(0x00)     4 a.uart0_gpio_mode 6e.00.00.00. 0x0000006e
(0x00)     4 a.uart0_gpio_dir 00.00.00.00. 0x00000000
(0x00)     4 a.uart0_gpio_data 00.00.00.00. 0x00000000
(0x00)     4 a.uart0_baudrate 00.c2.01.00. 0x0001c200
(0x00)     4 a.uart1_gpio_mode 6e.00.00.00. 0x0000006e
(0x00)     4 a.uart1_gpio_dir 00.00.00.00. 0x00000000
(0x00)     4 a.uart1_gpio_data 00.00.00.00. 0x00000000
(0x00)     4 a.uart1_baudrate 00.c2.01.00. 0x0001c200
(0x00)     4 a.uart2_gpio_mode 7f.7f.00.00. 0x00007f7f
(0x00)     4 a.uart2_gpio_dir 1d.1f.00.00. 0x00001f1d
(0x00)     4 a.uart2_gpio_data 19.19.00.00. 0x00001919
(0x00)     4 a.uart2_baudrate 00.c2.01.00. 0x0001c200
(0x00)     4 a.ezb_origin 06.02.00.00. 0x00000206
(0x00)     4 a.stage2_origin 00.00.00.00. 0x00000000
(0x00)     4 a.scard_5v_pin 02.00.00.00. 0x00000002
(0x00)     4 a.scard_cmd_pin 01.00.00.00. 0x00000001
(0x00)     4 a.scard_off_pin 00.00.00.00. 0x00000000
(0x00)    17 a.board_id 63.6d.73.74.31.5f.4d.54.44.2d.63.75.73.74.6f.6d.00. cmst1_MTD-custom
(0x00)    97 xmb.comment 2d.2d.2d.20.72.65.76.69.65.77.20.78.6d.61.73.62.6f.6f.74.2f.63.6f.6e.66.69.67.73.2f.70.65.67.61.38.36.37.33.5f.4d.54.44.2d.63.75.73.74.6f.6d.2e.63.6f.6e.66.69.67.20.66.6f.72.20.64.65.74.61.69.6c.73.20.5b.78.6d.62.64.30.2d.65.7a.62.6f.6f.74.63.65.2d.6e.61.6e.64.5f.73.74.32.5d.20.2d.2d.2d.0a. --- review xmasboot/configs/pega8673_MTD-custom.config for details [xmbd0-ezbootce-nand_st2] ---.
(0x00)     4 a.enable_devices f8.03.23.00. 0x002303f8
(0x00)    15 a.eth1_mac 30.30.3a.31.36.3a.65.38.3a.30.30.2f.32.35.00. 00:16:e8:00/25
(0x00)     4 a.cs0_rsvd_pblk 00.08.00.00. 0x00000800
(0x00)     4 a.cs0_nand_timing1 06.0a.28.02. 0x02280a06
(0x00)     4 a.cs0_nand_timing2 28.06.04.08. 0x08040628
(0x00)     4 a.cs0_nand_devcfg 35.00.00.00. 0x00000035
(0x00)     4 a.cs0_nand_cfg1 19.00.da.01. 0x01da0019
(0x00)     4 a.cs0_nand_cfg2 bc.02.10.27. 0x271002bc
(0x00)     4 a.cs0_nand_cfg3 40.00.5a.1a. 0x1a5a0040
(0x00)     4 a.sata_channel_cfg 27.85.00.00. 0x00008527
(0x00)     4 z.boot0 00.00.10.00. 0x00100000
(0x00)     4 z.boot0_in_virtualzone 01.00.00.00. 0x00000001
(0x00)     4 z.boot1 00.00.40.00. 0x00400000
(0x00)     4 z.boot1_in_virtualzone 02.00.00.00. 0x00000002
(0x00)     4 z.boot2 00.00.e0.00. 0x00e00000
(0x00)     4 z.boot2_in_virtualzone 02.00.00.00. 0x00000002
(0x00)     4 z.imatromfs_offset 00.00.e0.01. 0x01e00000
(0x00)     4 z.imatromfs_in_virtualzone 02.00.00.00. 0x00000002
(0x00)     4 z.imatromfs_size 00.00.40.00. 0x00400000
(0x00)     4 z.imatromfs_mm 00.00.00.00. 0x00000000
(0x00)     4 z.xmatromfs_offset 00.00.80.01. 0x01800000
(0x00)     4 z.xmatromfs_in_virtualzone 02.00.00.00. 0x00000002
(0x00)     4 z.xmatromfs_size 00.00.60.00. 0x00600000
(0x00)     4 z.xmatromfs_mm 00.00.00.00. 0x00000000
(0x00)     4 z.drm_keys_offset 00.00.14.00. 0x00140000
(0x00)     4 z.drm_keys_size 00.00.02.00. 0x00020000
(0x00)     4 z.drm_keys_in_virtualzone 01.00.00.00. 0x00000001
(0x00)     4 z.interactive_boot_idx_sel 01.00.00.00. 0x00000001
(0x00)     2 z.bootdev_order 00.01. ..
(0x00)     9 y.testvar 79.61.6d.6f.6e.66.6f.6f.00. yamonfoo
(0x00)    95 y.b0 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.30.31.30.30.30.30.30.20.30.78.61.34.61.30.30.30.30.30.20.30.78.30.34.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.34.61.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.34.61.30.30.30.38.30.3b.20.67.6f.00. nflash read -v 0x0100000 0xa4a00000 0x040000 0; dump romfs 0xa4a00000; load zbf 0xa4a00080; go
(0x00)    94 y.b1 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.34.30.30.30.30.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0x400000 0xa7000000 0xa00000 0; dump romfs 0xa7000000; load zbf 0xa7000090; go
(0x00)    94 y.b2 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.65.30.30.30.30.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0xe00000 0xa7000000 0xa00000 0; dump romfs 0xa7000000; load zbf 0xa7000090; go
(0x00)    94 y.fb0 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.31.30.30.30.30.30.20.30.78.38.34.61.30.30.30.30.30.20.30.78.30.34.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.34.61.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.34.61.30.30.30.38.30.3b.20.67.6f.00. nflash read -v 0x100000 0x84a00000 0x040000 0; dump romfs 0x84a00000; load zbf 0x84a00080; go
(0x00)    94 y.fb1 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.34.30.30.30.30.30.20.30.78.38.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0x400000 0x87000000 0xa00000 0; dump romfs 0x87000000; load zbf 0x87000090; go
(0x00)    94 y.fb2 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.65.30.30.30.30.30.20.30.78.38.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0xe00000 0x87000000 0xa00000 0; dump romfs 0x87000000; load zbf 0x87000090; go
(0x00)    91 y.commit 6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.78.63.30.30.30.30.20.24.78.65.6e.76.5f.61.64.64.72.20.30.78.32.30.30.30.30.20.30.3b.20.6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.78.65.30.30.30.30.20.24.78.65.6e.76.5f.61.64.64.72.20.30.78.32.30.30.30.30.20.30.00. nflash write -v 0xc0000 $xenv_addr 0x20000 0; nflash write -v 0xe0000 $xenv_addr 0x20000 0
(0x00)    38 y.get_xxenv 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.00. nflash read -v 0 0xa7000000 0x20000 0
(0x00)    11 y.xxenv_addr 30.78.61.37.30.30.38.37.34.38.00. 0xa7008748
(0x00)   102 y.xcommit 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.30.30.31.38.30.30.30.30.20.30.78.38.34.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.3b.20.67.6f.20.30.78.38.34.30.30.30.30.30.30.3b.20.6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.00. nflash read -v 0x00180000 0x84000000 0x20000 0; go 0x84000000; nflash write -v 0 0xa7000000 0x20000 0
(0x00)    62 y.nwk 6c.6f.61.64.20.2d.62.20.74.66.74.70.3a.2f.2f.31.37.32.2e.33.30.2e.32.2e.32.31.32.2f.45.53.35.2f.76.6d.6c.69.6e.75.78.2d.6c.61.74.65.73.74.2e.62.69.6e.20.30.78.38.34.30.30.30.30.30.30.00. load -b tftp://172.30.2.212/ES5/vmlinux-latest.bin 0x84000000
(0x00)   116 y.nwg 67.6f.20.2e.20.72.6f.6f.74.3d.2f.64.65.76.2f.6e.66.73.20.6e.66.73.72.6f.6f.74.3d.31.37.32.2e.33.30.2e.36.33.2e.31.33.3a.2f.72.6f.6f.74.73.2f.64.65.62.69.6e.73.74.2d.79.6f.75.72.6c.6f.67.69.6e.20.69.70.3d.3a.3a.3a.3a.3a.3a.64.68.63.70.20.72.64.69.6e.69.74.3d.2f.6e.6f.6e.65.20.63.6f.6e.73.6f.6c.65.3d.74.74.79.53.30.20.6d.65.6d.3d.31.33.35.4d.42.00. go . root=/dev/nfs nfsroot=172.30.63.13:/roots/debinst-yourlogin ip=::::::dhcp rdinit=/none console=ttyS0 mem=135MB
(0x00)     4 a.cs0_pblk_part1_offset 00.00.00.00. 0x00000000
(0x00)     4 a.cs0_pblk_part1_size 00.00.40.00. 0x00400000
(0x00)     4 a.cs0_pblk_part2_offset 00.00.40.00. 0x00400000
(0x00)     4 a.cs0_pblk_part2_size 00.00.a0.00. 0x00a00000
(0x00)     4 a.cs0_pblk_part3_offset 00.00.e0.00. 0x00e00000
(0x00)     4 a.cs0_pblk_part3_size 00.00.a0.00. 0x00a00000
(0x00)     4 a.cs0_pblk_part4_offset 00.00.80.01. 0x01800000
(0x00)     4 a.cs0_pblk_part4_size 00.00.60.00. 0x00600000
(0x00)     4 a.cs0_pblk_part5_offset 00.00.e0.01. 0x01e00000
(0x00)     4 a.cs0_pblk_part5_size 00.00.40.00. 0x00400000
(0x00)     4 a.cs0_pblk_part6_offset 00.00.20.02. 0x02200000
(0x00)     4 a.cs0_pblk_part6_size 00.00.00.06. 0x06000000
(0x00)     4 a.cs0_pblk_part7_offset 00.00.20.08. 0x08200000
(0x00)     4 a.cs0_pblk_part7_size 00.00.a0.00. 0x00a00000
(0x00)     4 a.cs0_pblk_part8_offset 00.00.c0.08. 0x08c00000
(0x00)     4 a.cs0_pblk_part8_size 00.00.40.07. 0x07400000
(0x00)     4 a.cs0_pblk_parts 08.00.00.00. 0x00000008
(0x00)    11 a.cs0_pblk_part1_name 62.6f.6f.74.62.6c.6f.63.6b.73.00. bootblocks
(0x00)    11 a.cs0_pblk_part2_name 6d.61.69.6e.6b.65.72.6e.65.6c.00. mainkernel
(0x00)    13 a.cs0_pblk_part3_name 72.65.73.63.75.65.6b.65.72.6e.65.6c.00. rescuekernel
(0x00)    10 a.cs0_pblk_part4_name 78.6d.61.74.65.72.69.61.6c.00. xmaterial
(0x00)    10 a.cs0_pblk_part5_name 69.6d.61.74.65.72.69.61.6c.00. imaterial
(0x00)    13 a.cs0_pblk_part6_name 72.65.73.63.75.65.72.6f.6f.74.66.73.00. rescuerootfs
(0x00)    12 a.cs0_pblk_part7_name 64.69.61.67.70.72.6f.67.72.61.6d.00. diagprogram
(0x00)     9 a.cs0_pblk_part8_name 72.65.73.65.72.76.65.64.00. reserved
(0x00)    36 a.linux_cmd 63.6f.6e.73.6f.6c.65.3d.74.74.79.53.30.20.72.6f.6f.74.64.65.6c.61.79.3d.31.30.20.6d.65.6d.3d.31.38.30.4d.00. console=ttyS0 rootdelay=10 mem=180M
(0x00)     4 z.log2_xpu0_size 17.00.00.00. 0x00000017
(0x00)     4 z.dsp0_size 00.00.50.00. 0x00500000
(0x00)     4 z.zdata0_size 00.40.00.00. 0x00004000
(0x00)     4 z.uzdata0_size 00.c0.00.00. 0x0000c000
(0x00)     4 z.log2_xpu1_size 00.00.00.00. 0x00000000
(0x00)     4 z.dsp1_size 00.00.00.00. 0x00000000
(0x00)     4 z.zdata1_size 00.00.00.00. 0x00000000
(0x00)     4 z.uzdata1_size 00.00.00.00. 0x00000000
(0x00)     4 z.ruamm0_offset 00.00.40.0b. 0x0b400000
(0x00)     4 z.ruamm1_offset 00.00.00.00. 0x00000000
(0x00)     4 z.stage2_ga 00.00.00.80. 0x80000000
(0x00)     4 z.xos_public_mm 00.00.00.00. 0x00000000
(0x00)     4 z.log2_xos_public_size 11.00.00.00. 0x00000011
(0x00)     4 z.channel_index_mm 00.00.00.00. 0x00000000
(0x00)     4 z.ih_api_mm 00.00.00.00. 0x00000000
(0x00)     4 z.ios_mm 00.00.00.00. 0x00000000
(0x00)     4 z.ios_size 00.00.40.00. 0x00400000
(0x00)     4 z.splashscreen_enabled 01.00.00.00. 0x00000001
(0x00)     4 i.sp.scaler 04.00.00.00. 0x00000004
(0x00)     4 i.sp.digital_enable 01.00.00.00. 0x00000001
(0x00)     4 i.sp.component_enable 01.00.00.00. 0x00000001
(0x00)     4 i.sp.analog_enable 01.00.00.00. 0x00000001
(0x00)     4 i.sp.digital_standard 23.00.00.00. 0x00000023
(0x00)     4 i.sp.component_standard 65.00.00.00. 0x00000065
(0x00)     4 i.sp.analog_standard 7b.00.00.00. 0x0000007b
(0x00)    19 i.sp.picture 73.70.6c.61.73.68.5f.70.69.63.74.75.72.65.2e.73.64.64.00. splash_picture.sdd
(0x00)     4 i.sp.hdmi_chip 01.00.00.00. 0x00000001
(0x00)     4 i.sp.animation_enable 00.00.00.00. 0x00000000
(0x00)     4 i.dac.cav.bs f4.00.00.00. 0x000000f4
(0x00)     4 i.dac.cav.rs f4.00.00.00. 0x000000f4
(0x00)   140 a.ps.mt3_hs 1b.20.00.01.01.03.00.00.01.04.00.00.1a.00.14.35.2b.13.65.45.21.00.01.00.1a.00.14.35.2b.13.65.45.21.00.01.00.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0c.0c.0c.0c.80.80.80.80.7d.7f.7d.7f.05.05.05.05.05.05.05.05.0c.0c.0c.0c.80.80.80.80.7c.7c.7a.7a.05.05.05.05.05.05.05.05. . .............5+.eE!......5+.eE!...........................................................................}.}.................||zz........
(0x00)     4 a.ps.pll2 00.00.00.00. 0x00000000
(0x00)     4 a.ps.pll0 00.00.00.00. 0x00000000
(0x00)    12 a.standby.mt3_hs 1f.80.00.01.01.00.00.00.01.04.00.00. ............
(0x00)     4 a.standby.pll2 00.00.00.00. 0x00000000
(0x00)     4 a.standby.pll0 00.00.00.00. 0x00000000
(0x00)     4 a.standby.gpio_dir 80.02.00.00. 0x00000280
(0x00)     4 a.standby.gpio_data 00.00.00.00. 0x00000000
(0x00)     4 z.xmat_microcode 00.00.00.00. 0x00000000
(0x00)     6 a.model_id 43.53.31.30.30.00. CS100
(0x00)    17 a.eth_mac 44.38.3a.34.39.3a.32.46.3a.46.36.3a.46.46.3a.41.42. D8:49:2F:F6:FF:AB
(0x00)    12 a.sn 30.36.30.30.35.31.30.31.34.32.38.30. 060051014280
(0x00)     4 z.default_boot 01.00.00.00. 0x00000001

 

Link to comment
Share on other sites

I have a chrooted debian squeeze running! I found that the SoC it's very similar to the WDTV, so I gave it a try... tanks to http://b-rad.cc/

This means you can install available programs trough apt, but module dependant programs will not run (but at first step I think it's a huge one!)

More or less the steps I followed:

cd /home
wget http://files.wdlxtv.de/debian-squeeze.img.tgz
mkdir /home/debian
tar xzvf debian.tar.gz -C /home/debian
mount -o loop debian-squeeze.img /home/debian/
mount -t proc proc /home/debian/proc
mount -t sysfs sys /home/debian/sys
mount -o bind /dev /home/debian/dev
mount --bind /dev/pts /home/debian/dev/pts
chroot /home/debian/ /bin/bash

echo 'Acquire::Check-Valid-Until "false";' >/etc/apt/apt.conf.d/90ignore-release-date
echo "deb http://archive.debian.org/debian squeeze main" > /etc/apt/sources.list
echo "deb http://archive.debian.org/debian squeeze-lts main" >> /etc/apt/sources.list

apt-get update
...
use it under your own responsability!

 

Link to comment
Share on other sites

Hi @nimrud!

First of all, thank you very much for all your work. Hopefully we can hack this thing!
I bought 2 and I wanted to know you have only connected the hard drive to linux or you have connected the whole device.
These Linux commands, what exactly do they do? Install debian? Do you install the WDTV OS?
What do you have to do and put exactly to prove? I do not understand too much about hacking or linux but I am willing to try!
Thanks again for your work. Greetings!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...