azzy9 Posted December 14, 2017

Hi all,

I found this site a while back while searching for airstash hacking, and found the threads on the successor sandisk 32g.

I bought 2 Canon Connect Station CS100's for really cheap. But I would like to get more out of it. I bought it thinking maybe I could get root access. If not, they would still be useful as extremely cheap 1TB 2.5" HDD's.

My Journey so far:

First, I ran a port scan. Results here: https://pastebin.com/u2KgurBx
And saw no useful ports.

I then tried a keyboard in the USB, but it would not provide any power to it. It does access a USB flash drive inserted once (flashes once) on boot, but then after does nothing. I assume it is looking for a new firmware file.

I then removed the HDD and connected it to my PC running Ubuntu.

The HDD consists of 6 partitions.
The first partition has a file list posted here: https://pastebin.com/m5Z1CRdK

The Linux kernel seems to be: Linux 2.6.35.9-32-sigma

There seems to be no SSH module that I can find and I am not sure on how to get to any terminal.

The firmware seems to be checked / updated by a script with the config in the 5th partition.
File: CMSTAPP.properties
Contains: http://gdlp01.c-wss.com/rmds/ic/connectstation/cs100/firmwareupdate/autoupdateservice_cmst10_urltable.xml
Firmware file: http://gdlp01.c-wss.com/gds/6/0400003256/01/firm_CS100_2.5.2_201705191000.frm

I am not sure where to continue from here. I would like to install SSH, but with no apparent way to communicate with the device via terminal and with my Linux skills being that of a Noob I would not know where to go now.

Any help / suggestions would be greatly appreciated.

Update: 06/02/2018

Info:
- Cs100's fdisk -l
- Cs100's dmesg

Mods:
- Enable Telnet
- Chroot Debian

External Resources:
- Use HDD in other devices (by iintoxxicated @ desidime.com)
- Basic Teardown (by zom @ boards.ie)
nimrud Posted December 23, 2017

Hi, any progress in your goal? I just bought one with the same purpose as yours... Probably the best option will be to find a serial port on the PCB or so... Do you have any info on the specs of the hardware?

Thanks in advance!

BR
azzy9 (Author) Posted January 2, 2018

Hi nimrud.

Unfortunately I have not made any more progress. What I have been attempting is to modify the ".sh" files to output variables into text files, but not got any success with that. (It is almost like they do not go into the files.)

Sorry to say I have no experience with Jtagging, or even sure if it even has the connections for it. (I have only taken the bottom off to get to the HDD at the moment.) The heatsink is covering a lot of the components on the other side of the PCB and the HDD will need to be taken out to unclip it to see what chips it has.

Thanks,
Azzy9
nimrud Posted January 3, 2018

17 hours ago, azzy9 said:
> Hi nimrud.
>
> Unfortunately I have not made any more progress. What I have been attempting is to modify the ".sh" files to output variables into text files, but not got any success with that. (It is almost like they do not go into the files.)
>
> Sorry to say I have no experience with Jtagging, or even sure if it even has the connections for it. (I have only taken the bottom off to get to the HDD at the moment.) The heatsink is covering a lot of the components on the other side of the PCB and the HDD will need to be taken out to unclip it to see what chips it has.
>
> Thanks,
> Azzy9

Hi azzy9,

well, I received my CS100 last week, but I couldn't open it yet. I'm expecting to have some spare time by the end of the month so I'll take a look into it. I originally bought it to take out and use the internal disk, but if I can use the cs100 as a NAS that would be nice.

If it is not a problem, could you upload/give me access to some files to study how it manages the updates? I found some .sh files interesting, like:

    /install_update.sh,12037
    /sbin/firmware_load.sh,2972
    /usr/local/firmware/install_firmware.sh,8452

and maybe...

    /etc/cig/device.info,718

Could you tell me how many partitions it has? Can you pass me the "fdisk -l" result?

Thanks in advance!
azzy9 (Author) Posted January 3, 2018

Hi Nimrud,

I currently do not have access to the device, will have to do when I get home tonight. But I have the files on a USB so I could look at the files.

Files are on mega:
https://mega.nz/#!wbJmiLwT!Y2GUNSUVOyCY_W0SJkpp4VTKx53LHL5lMTvryPSKkBY
https://mega.nz/#!5W4AUa7A!CdRWymXXRZgHyq2ZBrwQ0OBSQftdU79qo61TB5W5XHw
https://mega.nz/#!gWYnEDiZ!GPnQRFf7O68bLPmIMC_CSOxZxOR6tZmvJ_lZM9ggpqg
https://mega.nz/#!kPQjDDzA!zvcAhuqqz730lLp0b5eWCHxB7U9Q2IMbgoQ9tepZCH8

As for partitions there are 6:
Partition 1: Main OS
Partition 2: System Sounds ( .wav & .m4a )
Partition 3: System Update Scripts
Partition 4: Logs
Partition 5: System Config
Partition 6: Own Media

I will run the fdisk list command when I get home.

Thanks,
Azzy9
azzy9 (Author) Posted January 3, 2018

The results of the fdisk -l

    Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 4096 bytes
    I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
    Disklabel type: dos
    Disk identifier: 0x00000000

    Device     Boot    Start        End    Sectors   Size Id Type
    /dev/sda1             63    1953188    1953126 953.7M 83 Linux
    /dev/sda2        1953189    2453189     500001 244.1M 82 Linux swap / Solaris
    /dev/sda3        2453190    2703190     250001 122.1M 83 Linux
    /dev/sda4        2703191 1953525167 1950821977 930.2G  5 Extended
    /dev/sda5        2703254   10515754    7812501   3.7G 83 Linux
    /dev/sda6       10515818   18328318    7812501   3.7G 83 Linux
    /dev/sda7       18328382   33953382   15625001   7.5G 83 Linux
    /dev/sda8       33953446 1953525167 1919571722 915.3G 83 Linux

    Partition 1 does not start on physical sector boundary.
    Partition 2 does not start on physical sector boundary.
    Partition 3 does not start on physical sector boundary.
    Partition 4 does not start on physical sector boundary.
    Partition 5 does not start on physical sector boundary.
    Partition 6 does not start on physical sector boundary.
    Partition 7 does not start on physical sector boundary.
    Partition 8 does not start on physical sector boundary.
LV426 Posted January 5, 2018

I too bought 2 of these with the idea of using the 1Tb hard drive, however it seems a good unit to pair with my Canon camera, so I may just keep it as is. The option of hacking the other is inviting, especially if it can be used as a NAS.

I guess the easy thing to try is to swap out the hard drive and try a different OS.

This little box is ripe for hacking - Wifi, Ethernet, NFC, USB (which according to the manual doesn't support a hub)...

It might be worth noting that it uses 10W of power when on, 9.5W in standby and 0.5W when "off".

Also this bit is promising:

> Software under the GPL and LGPL
> The product contains software modules licensed under the GPL and LGPL. If you need to obtain the source code of the software, please contact the Canon sales company in the country / region where you purchased the product.

I assume that refers to the photo manipulation software rather than the OS though...
nimrud Posted January 5, 2018

On 3/1/2018 at 11:48 PM, azzy9 said:
> The results of the fdisk -l
>
>     Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
>     Units: sectors of 1 * 512 = 512 bytes
>     Sector size (logical/physical): 512 bytes / 4096 bytes
>     I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
>     Disklabel type: dos
>     Disk identifier: 0x00000000
>
>     Device     Boot    Start        End    Sectors   Size Id Type
>     /dev/sda1             63    1953188    1953126 953.7M 83 Linux
>     /dev/sda2        1953189    2453189     500001 244.1M 82 Linux swap / Solaris
>     /dev/sda3        2453190    2703190     250001 122.1M 83 Linux
>     /dev/sda4        2703191 1953525167 1950821977 930.2G  5 Extended
>     /dev/sda5        2703254   10515754    7812501   3.7G 83 Linux
>     /dev/sda6       10515818   18328318    7812501   3.7G 83 Linux
>     /dev/sda7       18328382   33953382   15625001   7.5G 83 Linux
>     /dev/sda8       33953446 1953525167 1919571722 915.3G 83 Linux
>
>     Partition 1 does not start on physical sector boundary.
>     Partition 2 does not start on physical sector boundary.
>     Partition 3 does not start on physical sector boundary.
>     Partition 4 does not start on physical sector boundary.
>     Partition 5 does not start on physical sector boundary.
>     Partition 6 does not start on physical sector boundary.
>     Partition 7 does not start on physical sector boundary.
>     Partition 8 does not start on physical sector boundary.

Hi,

regarding the partition table and the files you've uploaded, it makes me think of a uboot loading a kernel from one of the partitions on disk, which could give us a chance to play with it... If it has a modern uboot version and it's not cropped, maybe we can use netconsole to access it like lacie devices (http://lacie-nas.org/doku.php?id=uboot). We probably can't use clunc as it's for lacie only, but maybe netconsole is available...

It would be a nice try to examine if, at boot, it tries to get a dhcp lease (for the uboot). If that happens, it will only be available for seconds and we can try the netconsole (explained on the link I provided, in section "Retrieve the NAS IP address").

Another option I want to try is to upload a compiled telnet/ssh/modified web cgi ...

Thanks!

PS: Regarding the GPL license, you need to contact CANON to get the files, maybe it's worth a try... but I'm a bit sceptical
LV426 Posted January 11, 2018

I just thought I'd ask if there is a tear down on these? If not I'll find the time and create one...
nimrud Posted January 11, 2018

4 hours ago, LV426 said:
> I just thought I'd ask if there is a tear down on these? If not I'll find the time and create one...

My cs100 is still in its box...
dmarkey Posted January 16, 2018

Anyone hacked this thing yet? Just ordered one..
azzy9 (Author) Posted January 16, 2018

On 1/11/2018 at 12:31 AM, LV426 said:
> I just thought I'd ask if there is a tear down on these? If not I'll find the time and create one...

That would be awesome :)

6 hours ago, dmarkey said:
> Anyone hacked this thing yet? Just ordered one..

I have figured out how to get telnet working on it.

1. Connect the HDD to a linux system and mount the partitions
2. chown file "etc/rc.d/rcS" on 1st partition
3. open file "etc/rc.d/rcS"
4. find the line with content: "allow_telnet=no" and change it to "allow_telnet=yes" (was on line 200 for me)
5. save the file, then set canon station up with the Ethernet port used to connect to router
6. use application to connect to telnet on port 23 with username as "root". no password required. (I used putty on my windows laptop)

Hope this helps.
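A check for the state the steps above leave the box in, as an added example that is not part of azzy9's post or Canon's firmware: it reads a mounted copy of the first partition and reports whether `allow_telnet` is set to `yes` in `etc/rc.d/rcS` and which accounts accept an empty password. It assumes accounts live in standard `etc/passwd` / `etc/shadow` files (the thread does not say); the sample tree built by `build_sample` is constructed, not taken from the device.

```python
import re
import tempfile
from pathlib import Path

RCS = "etc/rc.d/rcS"  # path from the post, relative to the mounted 1st partition
ASSIGN = re.compile(r'\s*(?:export\s+)?allow_telnet\s*=\s*["\']?([A-Za-z]+)')
NO_LOGIN = ("nologin", "false")  # shells that cannot be used to log in


def telnet_flag(root):
    """Return (line number, value) for every live allow_telnet assignment in rcS."""
    lines = (Path(root) / RCS).read_text(errors="replace").splitlines()
    hits = []
    for n, line in enumerate(lines, 1):
        m = ASSIGN.match(line)  # anchored at line start: "# allow_telnet=..." is ignored
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def read_fields(path):
    """Split a passwd/shadow style file into lists of colon-separated fields."""
    if not path.is_file():
        return []
    text = path.read_text(errors="replace")
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]


def empty_password_accounts(root):
    """Names of accounts with a login shell and an empty password field."""
    root = Path(root)
    shadow = {f[0]: f[1] for f in read_fields(root / "etc/shadow") if len(f) > 1}
    names = []
    for f in read_fields(root / "etc/passwd"):
        if len(f) < 7:
            continue
        name, pw, shell = f[0], f[1], f[6]
        if shell.rsplit("/", 1)[-1] in NO_LOGIN:
            continue
        if pw == "x":  # password is kept in shadow; unknown if no shadow entry
            pw = shadow.get(name, "x")
        if pw == "":
            names.append(name)
    return sorted(names)


def audit(root):
    """Collect findings for one mounted root filesystem."""
    findings = []
    flags = telnet_flag(root)
    if flags and flags[-1][1] == "yes":  # the last assignment wins in a shell script
        findings.append("%s line %d: allow_telnet=yes" % (RCS, flags[-1][0]))
    for name in empty_password_accounts(root):
        findings.append("account %r can log in with an empty password" % name)
    return findings


def build_sample(root, telnet="no"):
    """Write a small constructed tree (NOT the device's real files) for a dry run."""
    root = Path(root)
    (root / "etc/rc.d").mkdir(parents=True)
    (root / RCS).write_text(
        "#!/bin/sh\n"
        "# constructed sample\n"
        "allow_telnet=%s\n"
        'if [ "$allow_telnet" = "yes" ]; then echo telnet on; fi\n' % telnet
    )
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/:/bin/false\n"
    )
    (root / "etc/shadow").write_text(
        "root::17000:0:99999:7:::\n"
        "daemon:*:17000:0:99999:7:::\n"
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, telnet="yes")
        for finding in audit(tmp):
            print(finding)
```

Point `audit()` at the mount point of the first partition to run it against a real disk; it only reads files.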
dmarkey Posted January 16, 2018

Nice! Any specs? Processor? Memory? Wonder if we could get an ordinary distro on this thing
azzy9 (Author) Posted January 16, 2018

9 minutes ago, dmarkey said:
> Nice! Any specs? Processor? Memory? Wonder if we could get an ordinary distro on this thing

This of any help?

    -bash-3.00# cat /proc/cpuinfo
    system type : Sigma Designs TangoX
    SMP8XXX Chip ID : 8673
    SMP8XXX Rev ID : 1
    System bus frequency : 398250000 Hz
    CPU frequency : 796500000 Hz
    DSP frequency : 398250000 Hz
    processor : 0
    cpu model : MIPS 74Kc V5.0 FPU V0.0
    BogoMIPS : 398.13
    wait instruction : yes
    microsecond timers : yes
    tlb_entries : 64
    extra interrupt vector : yes
    hardware watchpoint : yes, count: 4, address/irw mask: [0x0418, 0x06c8, 0x07 e8, 0x02f0]
    ASEs implemented : mips16 dsp
    shadow register sets : 1
    core : 0
    VCED exceptions : not available
    VCEI exceptions : not available

    -bash-3.00# free
                  total       used       free     shared    buffers     cached
    Mem:         176860     147812      29048          0       4520      70092
    -/+ buffers/cache:       73200     103660
    Swap:        249996          0     249996

    -bash-3.00# cat /proc/meminfo
    MemTotal: 176860 kB
    MemFree: 29048 kB
    Buffers: 4528 kB
    Cached: 70092 kB
    SwapCached: 0 kB
    Active: 24300 kB
    Inactive: 81356 kB
    Active(anon): 15380 kB
    Inactive(anon): 16192 kB
    Active(file): 8920 kB
    Inactive(file): 65164 kB
    Unevictable: 0 kB
    Mlocked: 0 kB
    HighTotal: 0 kB
    HighFree: 0 kB
    LowTotal: 176860 kB
    LowFree: 29048 kB
    SwapTotal: 249996 kB
    SwapFree: 249996 kB
    Dirty: 0 kB
    Writeback: 0 kB
    AnonPages: 31048 kB
    Mapped: 35812 kB
    Shmem: 536 kB
    Slab: 36420 kB
    SReclaimable: 1300 kB
    SUnreclaim: 35120 kB
    KernelStack: 1456 kB
    PageTables: 1172 kB
    NFS_Unstable: 0 kB
    Bounce: 0 kB
    WritebackTmp: 0 kB
    CommitLimit: 338424 kB
    Committed_AS: 875252 kB
    VmallocTotal: 1015800 kB
    VmallocUsed: 4008 kB
    VmallocChunk: 1007600 kB
dmarkey Posted January 16, 2018

It is! dmesg would be also helpful?
azzy9 (Author) Posted January 16, 2018

3 minutes ago, dmarkey said:
> It is! dmesg would be also helpful?

here you go:

    -bash-3.00# dmesg
    Linux version 2.6.35.9-32-sigma (builder@buildmachine.com) (gcc version 4.4.1 (A VSourcery G++ Lite 4.4-303-2 with Java) ) #1 PREEMPT Fri May 19 10:18:22 JST 201 7
    Configured for SMP867x, detected SMP8673 (revision ES1).
    Detected CPU/System/DSP Frequencies: 796.50/398.25/398.25MHz
    SMP86xx Enabled Devices under Linux/XENV 0x9ebfbff4 = 0x002303f8
     Ethernet IR FIP I2CM I2CS SDIO SDIO1 USB SATA SCARD
    Desired kernel memory size: 0x05c00000
    Max. DRAM0/1 size allowed: 0x0b400000/0x00000000
    Mapped 0x80000000(size 0x04000000) via remap2
    Mapped 0x84000000(size 0x01c00000) via remap3
    Final kernel memory size: 0x05c00000
    CPU revision is: 00019750 (MIPS 74Kc)
    FPU revision is: 01739700
    Determined physical RAM map:
     memory: 05c00000 @ 04000000 (usable)
    parsing kernel command line for memory options ..
    Desired kernel memory size: 0x0b400000
    Max. DRAM0/1 size allowed: 0x0b400000/0x00000000
    Mapped 0x80000000(size 0x04000000) via remap2
    Mapped 0x84000000(size 0x04000000) via remap3
    Mapped 0x88000000(size 0x03400000) via remap4
    Final kernel memory size: 0x0b400000
    User-defined physical RAM map:
     memory: 0b400000 @ 04000000 (usable)
    Wasting 524288 bytes for tracking 16384 unused pages
    Initrd not found or empty - disabling initrd
    Zone PFN ranges:
      DMA 0x00004000 -> 0x00020000
      Normal empty
      HighMem empty
    Movable zone start PFN for each node
    early_node_map[1] active PFN ranges
        0: 0x00004000 -> 0x0000f400
    On node 0 totalpages: 46080
    free_area_init_node: node 0, pgdat 8455b9a0, node_mem_map 84cc9000
      DMA zone: 360 pages used for memmap
      DMA zone: 0 pages reserved
      DMA zone: 45720 pages, LIFO batch:15
    Built 1 zonelists in Zone order, mobility grouping on. Total pages: 45720
    Kernel command line: console=ttyS0 rootdelay=10 mem=180M
    PID hash table entries: 1024 (order: 0, 4096 bytes)
    Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
    Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
    Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
    Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
    MIPS secondary cache 256kB, 4-way, linesize 32 bytes.
    Writing ErrCtl register=00000000
    Readback ErrCtl register=00000000
    Memory: 169592k/184320k available (4399k kernel code, 14728k reserved, 1093k dat a, 7268k init, 0k highmem)
    Hierarchical RCU implementation.
    RCU-based detection of stalled CPUs is disabled.
    Verbose stalled-CPUs detection is disabled.
    NR_IRQS:256
    Console: colour dummy device 80x25
    console [ttyS0] enabled
    Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
    pid_max: default: 32768 minimum: 301
    Mount-cache hash table entries: 512
    NET: Registered protocol family 16
    bio: create slab <bio-0> at 0
    SCSI subsystem initialized
    libata version 3.00 loaded.
    usbcore: registered new interface driver usbfs
    usbcore: registered new interface driver hub
    usbcore: registered new device driver usb
    cfg80211: Calling CRDA to update world regulatory domain
    Switching to clocksource TANGOX
    NET: Registered protocol family 2
    IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
    TCP established hash table entries: 8192 (order: 4, 65536 bytes)
    TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
    TCP: Hash tables configured (established 8192 bind 8192)
    TCP reno registered
    UDP hash table entries: 256 (order: 0, 4096 bytes)
    UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
    NET: Registered protocol family 1
    RPC: Registered udp transport module.
    RPC: Registered tcp transport module.
    RPC: Registered tcp NFSv4.1 backchannel transport module.
    timer0: interrupt registered.
    registering mbus interrupt routines.
    SMP86xx zxenv (254:0): driver loaded.
    squashfs: version 4.0 (2009/01/31) Phillip Lougher
    Slow work thread pool: Starting up
    Slow work thread pool: Ready
    JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
    ROMFS MTD (C) 2007 Red Hat, Inc.
    fuse init (API version 7.14)
    JFS: nTxBlock = 1324, nTxLock = 10599
    yaffs built May 19 2017 10:18:20 Installing.
    msgmni has been set to 331
    alg: No test for stdrng (krng)
    io scheduler noop registered
    io scheduler deadline registered
    io scheduler cfq registered (default)
    Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
    serial8250: ttyS0 at MMIO 0x0 (irq = 9) is a 16550A
    serial8250: ttyS1 at MMIO 0x0 (irq = 10) is a 16550A
    serial8250: ttyS2 at MMIO 0x0 (irq = 71) is a 16550A
    loop: module loaded
    Uniform Multi-Platform E-IDE driver
    SATA version 0x3139302a ID 0x0 is detected
    scsi0 : Tangox SATA 0
    ata1: SATA max UDMA/133 PHY RDY changed irq 49
    SATA version 0x0 ID 0x0 is detected
    scsi1 : Tangox SATA 0
    ata2: SATA max UDMA/133 irq 62
    [SMP_NAND] SMP8xxx NAND Driver 0.3 (multi-bits ECC: enabled)
    [SMP_NAND]: checking NAND device on CS0 ..
    ONFI flash detected
    ONFI param page 0 valid
    NAND device: Manufacturer ID: 0x01, Chip ID: 0xda (AMD NAND 256MiB 3,3V 8-bit)
    Scanning device for bad blocks
    [SMP_NAND]: detected NAND on CS0, 256MiB, erasesize 128KiB, pagesize 2048B, oobs ize 64B, oobavail 2B
    [SMP_NAND]: checking NAND device on CS1 ..
    No NAND device found.
    [SMP_NAND]: detection completed, load partition information from XENV ..
    [SMP_NAND]: load partition information for CS0 ..
    Creating 8 MTD partitions on "S34ML02G1":
    0x000000000000-0x000000400000 : "bootblocks"
    0x000000400000-0x000000e00000 : "mainkernel"
    0x000000e00000-0x000001800000 : "rescuekernel"
    0x000001800000-0x000001e00000 : "xmaterial"
    0x000001e00000-0x000002200000 : "imaterial"
    0x000002200000-0x000008200000 : "rescuerootfs"
    0x000008200000-0x000008c00000 : "diagprogram"
    0x000008c00000-0x000010000000 : "reserved"
    tangox_enet0: detected phy RTL8211E at address 0x00
    tangox_enet0: Ethernet driver for SMP8xxx internal MAC core 0: 1000Mbps Base at 0x26000
    tangox_enet0: mac address d8:49:2f:f7:9b:84
    tangox_enet1: ethernet mac_core 1 support is disabled from XENV
    usbcore: registered new interface driver asix
    usbcore: registered new interface driver cdc_ether
    usbcore: registered new interface driver net1080
    usbcore: registered new interface driver rndis_host
    usbcore: registered new interface driver cdc_subset
    usbcore: registered new interface driver zaurus
    usbcore: registered new interface driver zd1201
    ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    Initializing Tangox EHCI USB Host Controller
    TangoX USB initializing...
    tangox-ehci-hcd-0 tangox-ehci-hcd-0: TangoX USB 2.0
    tangox-ehci-hcd-0 tangox-ehci-hcd-0: new USB bus registered, assigned bus number 1
    tangox-ehci-hcd-0 tangox-ehci-hcd-0: irq 48, io mem 0xa0021500
    tangox-ehci-hcd-0 tangox-ehci-hcd-0: USB 0.0 started, EHCI 1.00
    hub 1-0:1.0: USB hub found
    hub 1-0:1.0: 1 port detected
    Initializing Tangox EHCI USB Host Controller
    TangoX USB initializing...
    tangox-ehci-hcd-1 tangox-ehci-hcd-1: TangoX USB 2.0
    tangox-ehci-hcd-1 tangox-ehci-hcd-1: new USB bus registered, assigned bus number 2
    tangox-ehci-hcd-1 tangox-ehci-hcd-1: irq 15, io mem 0xa0025500
    tangox-ehci-hcd-1 tangox-ehci-hcd-1: USB 0.0 started, EHCI 1.00
    hub 2-0:1.0: USB hub found
    hub 2-0:1.0: 1 port detected
    No OHCI in SMP8652/SMP8653/SMP8646/SMP8647/SMP867X.
    Initializing USB Mass Storage driver...
    ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
    usbcore: registered new interface driver usb-storage
    USB Mass Storage support registered.
    tangoxdog: Hardware Watchdog Timer for SMP864x/SMP865x/SMP867x/SMP868x/SMP89xx 0 .2 (def. timeout: 30 sec)
    oprofile: using mips/74K performance monitoring.
    TCP cubic registered
    NET: Registered protocol family 17
    lib80211: common routines for IEEE802.11 drivers
    lib80211_crypt: registered algorithm 'NULL'
    ata1.00: ATA-9: WDC WD10JUCT-63CYNY0, 01.01A01, max UDMA/133
    ata1.00: 1953525168 sectors, multi 0: LBA48 NCQ (depth 0/32)
    ata1.00: configured for UDMA/133
    scsi 0:0:0:0: Direct-Access ATA WDC WD10JUCT-63C 01.0 PQ: 0 ANSI: 5
    ata1: dev 0 max request 512 sectors (lba48)
    sd 0:0:0:0: [sda] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
    sd 0:0:0:0: Attached scsi generic sg0 type 0
    sd 0:0:0:0: [sda] 4096-byte physical blocks
    usb 1-1: new high speed USB device using tangox-ehci-hcd-0 and address 2
    sd 0:0:0:0: [sda] Write Protect is off
    sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
    sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
     sda: sda1 sda2 sda3 sda4 < sda5 sda6 sda7 sda8 >
    sd 0:0:0:0: [sda] Attached SCSI disk
    usb 2-1: new high speed USB device using tangox-ehci-hcd-1 and address 2
    ata2: failed to resume link (SControl 0)
    ata2: SATA link down (SStatus 0 SControl 0)
    Freeing unused kernel memory: 7268k freed
    hub 2-1:1.0: USB hub found
    hub 2-1:1.0: 4 ports detected
    usb 2-1.1: new high speed USB device using tangox-ehci-hcd-1 and address 3
    scsi2 : usb-storage 2-1.1:1.0
    usb 2-1.2: new high speed USB device using tangox-ehci-hcd-1 and address 4
    scsi3 : usb-storage 2-1.2:1.0
    EXT4-fs (sda1): INFO: recovery required on readonly filesystem
    EXT4-fs (sda1): write access will be enabled during recovery
    EXT4-fs (sda1): recovery complete
    EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
    Adding 249996k swap on /dev/sda2. Priority:-1 extents:1 across:249996k
    scsi 2:0:0:0: Direct-Access Generic- Multiple Reader 1.11 PQ: 0 ANSI: 4
    sd 2:0:0:0: Attached scsi generic sg1 type 0
    sd 2:0:0:0: [sdb] Attached SCSI removable disk
    scsi 3:0:0:0: Direct-Access Generic- Multiple Reader 1.11 PQ: 0 ANSI: 4
    sd 3:0:0:0: Attached scsi generic sg2 type 0
    tangoxdog: Started watchdog timer.
    tangoxdog: Started watchdog timer.
    sd 3:0:0:0: [sdc] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
    sd 3:0:0:0: [sdc] Write Protect is off
    sd 3:0:0:0: [sdc] Mode Sense: 23 00 00 00
    sd 3:0:0:0: [sdc] Assuming drive cache: write through
    sd 3:0:0:0: [sdc] Assuming drive cache: write through
     sdc: sdc1
    sd 3:0:0:0: [sdc] Assuming drive cache: write through
    sd 3:0:0:0: [sdc] Attached SCSI removable disk
    EXT4-fs (sda3): mounted filesystem with ordered data mode. Opts: nodelalloc,barr ier=1,data=ordered
    EXT4-fs (sda6): mounted filesystem with ordered data mode. Opts: nodelalloc,barr ier=1,data=ordered
    EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
    EXT4-fs (sda7): barriers disabled
    EXT4-fs (sda7): mounted filesystem with ordered data mode. Opts: nodelalloc,barr ier=0,data=ordered
    SMP86xx ir (125:0): driver loaded (wait_period = 100ms, buffer_size = 6)
    sdhci: Secure Digital Host Controller Interface driver
    sdhci: Copyright(c) Pierre Ossman
    SDIO0 is enabled.
    SDIO1 is enabled.
    mmc0: Invalid maximum block size, assuming 512 bytes
    mmc0: SDHCI controller on SDIO [sdhci0-tangox] using ADMA
    mmc1: Invalid maximum block size, assuming 512 bytes
    mmc1: SDHCI controller on SDIO [sdhci0-tangox] using ADMA
    NET: Registered protocol family 10
    lo: Disabled Privacy Extensions
    llad: module license 'LGPL' taints kernel.
    Disabling lock debugging due to kernel taint
    mumk_register_tasklet: (0) tasklet c054b000 status @c04c1e4c
    em8xxx [...kernel_src/krua.c: 1779] init_module: done.
    Found 1 em8xxx
    wlan: Loading MWLAN driver
    VID/PID = 1286/2040, Boot2 version = 3119
    rx_work=0 cpu_num=1
    WLAN FW is static
    fw_cap_info=0xba3, dev_cap_mask=0xffffffff
    usbcore: registered new interface driver usb8xxx
    wlan: Driver loaded successfully
    ir: Enable NEC decoder (0x00000000)
    ir: Enable RC5 decoder (0x00000000)
    ir: Enable RC6 decoder
    EXT4-fs (sda8): barriers disabled
    EXT4-fs (sda8): mounted filesystem with ordered data mode. Opts: nodelalloc,barr ier=0,data=ordered
    tangoxdog: Stopped watchdog timer.
    minor_release: too many openers (increase MAX_OPENERS)
    ADDRCONF(NETDEV_UP): mlan0: link is not ready
    tangoxdog: Started watchdog timer.
    tangoxdog: Started watchdog timer.
    wlan: SCAN COMPLETED: scanned AP count=0
    wlan: SCAN COMPLETED: scanned AP count=8
    tangox_enet0: PHY autonegotiation does not complete...
    ADDRCONF(NETDEV_UP): eth0: link is not ready
    wlan: SCAN COMPLETED: scanned AP count=7
    ADDRCONF(NETDEV_CHANGE): mlan0: link becomes ready
    mlan0: no IPv6 routers present
    wlan: EVENT: Link lost (reason 0x0)
    wlan: SCAN COMPLETED: scanned AP count=7
    wlan: SCAN COMPLETED: scanned AP count=5
    wlan: EVENT: Link lost (reason 0x0)
    wlan: SCAN COMPLETED: scanned AP count=7
    wlan: SCAN COMPLETED: scanned AP count=7
    wlan: SCAN COMPLETED: scanned AP count=6
    wlan: SCAN COMPLETED: scanned AP count=6
    eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
    ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    eth0: no IPv6 routers present
    eth0: link down
    eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
    wlan: SCAN COMPLETED: scanned AP count=4
    wlan: SCAN COMPLETED: scanned AP count=4
    wlan: SCAN COMPLETED: scanned AP count=3
dmarkey Posted January 16, 2018

    eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1

Woo gigabit ethernet. I'll hack at this when I get it friday
azzy9 (Author) Posted January 16, 2018

4 minutes ago, dmarkey said:
>     eth0: link up, 1000Mbps, full-duplex, lpa 0xCDE1
>
> Woo gigabit ethernet. I'll hack at this when I get it friday

The more people looking to hack & modify this for other uses, the better :)

some use cases I can think of for this if we progress:
- NAS
- Personal git server
- light-weight PHP server
- Low power Thin client
dmarkey Posted January 16, 2018

It also in theory has enough oomph to run kodi but the support isn't there. Defo possible to torrent on this thing.
tarod Posted January 17, 2018

This is great news. I guess that the first step would be to map the device so it can be accessible as a network drive and/or smb.

I'd like to help. Any guidelines to follow?
nimrud Posted January 17, 2018

I was writing a post about the investigation lines I'm following, but my Firefox crashed and all is gone, so long story short:

It looks like the SoC is very similar to some Dune devices, so we have here (http://wiki.yobi.be/wiki/Dune_HD) some info to try (and in some of the links, some info about compiling our own programs (http://scottjohnson.org/wiki/Dune/Hacking)).

Also I noticed that the MTD map is shown in the dmesg log; first of all it's to make a backup.

Third and last, there are some binaries in the root folder we can take a look into (using binwalk).

On the other hand it looks like the SoC is quite old, and the kernel version too, so maybe it's possible to run an old debian (maybe 5.X), but we will have some issues with some drivers... anyway, it's a possibility.

BR!
nimrud Posted January 19, 2018

Not much progress, just want to show the result of "binwalking" the dumped images of the mtd:

mtdblock0.S34ML02G1.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    264408        0x408D8         CRC32 polynomial table, little endian
    490424        0x77BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
    526552        0x808D8         CRC32 polynomial table, little endian
    752568        0xB7BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
    1048576       0x100000        romfs filesystem, version 1 size: 220048 bytes, named "YAMON_XLOAD"
    1310720       0x140000        romfs filesystem, version 1 size: 2896 bytes, named "DRMKEYS"
    4194304       0x400000        romfs filesystem, version 1 size: 5761056 bytes, named "MIPSLINUX_XLOAD"
    14680064      0xE00000        romfs filesystem, version 1 size: 5760912 bytes, named "MIPSLINUX_XLOAD"
    25165824      0x1800000       romfs filesystem, version 1 size: 449584 bytes, named "xmaterial"
    31457280      0x1E00000       romfs filesystem, version 1 size: 3975728 bytes, named "imaterial"
    35651584      0x2200000       UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock1.bootblocks.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    264408        0x408D8         CRC32 polynomial table, little endian
    490424        0x77BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
    526552        0x808D8         CRC32 polynomial table, little endian
    752568        0xB7BB8         ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
    1048576       0x100000        romfs filesystem, version 1 size: 220048 bytes, named "YAMON_XLOAD"
    1310720       0x140000        romfs filesystem, version 1 size: 2896 bytes, named "DRMKEYS"

mtdblock2.mainkernel.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             romfs filesystem, version 1 size: 5761056 bytes, named "MIPSLINUX_XLOAD"

mtdblock3.rescuekernel.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             romfs filesystem, version 1 size: 5760912 bytes, named "MIPSLINUX_XLOAD"

mtdblock4.xmaterial.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             romfs filesystem, version 1 size: 449584 bytes, named "xmaterial"

mtdblock5.imaterial.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             romfs filesystem, version 1 size: 3975728 bytes, named "imaterial"

mtdblock6.rescuerootfs.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock7.diagprogram.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

mtdblock8.reserved.binwalk

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    (empty)
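A cross-check of the binwalk hits above against the MTD map from the dmesg post, as an added example that is not part of nimrud's post: it places each whole-flash hit in its partition, checks that every romfs image fits before the partition end, and decodes the numeric fields of the "ZBOOT" hits as little-endian bytes, which shows whether they are really printable text. The two input strings are copied from this thread (CRC32 table hits left out); the function names are this example's own.

```python
import re
import struct

# MTD map as printed in the dmesg post on this page.
MTD_MAP = """\
0x000000000000-0x000000400000 : "bootblocks"
0x000000400000-0x000000e00000 : "mainkernel"
0x000000e00000-0x000001800000 : "rescuekernel"
0x000001800000-0x000001e00000 : "xmaterial"
0x000001e00000-0x000002200000 : "imaterial"
0x000002200000-0x000008200000 : "rescuerootfs"
0x000008200000-0x000008c00000 : "diagprogram"
0x000008c00000-0x000010000000 : "reserved"
"""

# binwalk hits for the whole-flash dump (mtdblock0), from the post above.
BINWALK = """\
490424 0x77BB8 ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
752568 0xB7BB8 ZBOOT firmware header, header size: 32 bytes, load address: 0x01000000, start address: 0x00000100, checksum: 0x62616E55, version: 0x7420656C, image size: 1701847151 bytes
1048576 0x100000 romfs filesystem, version 1 size: 220048 bytes, named "YAMON_XLOAD"
1310720 0x140000 romfs filesystem, version 1 size: 2896 bytes, named "DRMKEYS"
4194304 0x400000 romfs filesystem, version 1 size: 5761056 bytes, named "MIPSLINUX_XLOAD"
14680064 0xE00000 romfs filesystem, version 1 size: 5760912 bytes, named "MIPSLINUX_XLOAD"
25165824 0x1800000 romfs filesystem, version 1 size: 449584 bytes, named "xmaterial"
31457280 0x1E00000 romfs filesystem, version 1 size: 3975728 bytes, named "imaterial"
35651584 0x2200000 UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000
"""


def parse_mtd_map(text):
    """Return [(start, end, name)] from kernel 'start-end : "name"' lines."""
    pat = r'0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"'
    return [(int(a, 16), int(b, 16), n) for a, b, n in re.findall(pat, text, re.I)]


def parse_binwalk(text):
    """Return [(offset, description)]; rows whose two offset columns disagree are dropped."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+0x([0-9A-Fa-f]+)\s+(.*)", line)
        if m and int(m.group(1)) == int(m.group(2), 16):
            hits.append((int(m.group(1)), m.group(3)))
    return hits


def locate(offset, parts):
    """Map a flash offset to (partition name, offset inside that partition)."""
    for start, end, name in parts:
        if start <= offset < end:
            return name, offset - start
    return None, None


def romfs_size(desc):
    m = re.search(r"romfs filesystem, version \d+ size: (\d+) bytes", desc)
    return int(m.group(1)) if m else None


def ascii_fields(desc):
    """Pack checksum/version/image size as little-endian u32; return the bytes if all printable."""
    m = re.search(r"checksum: 0x([0-9A-Fa-f]+), version: 0x([0-9A-Fa-f]+), "
                  r"image size: (\d+) bytes", desc)
    if not m:
        return None
    raw = struct.pack("<III", int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)))
    return raw if all(0x20 <= b <= 0x7E for b in raw) else None


def review(mtd_text=MTD_MAP, binwalk_text=BINWALK):
    """One row per hit: (hex offset, partition, offset in partition, note)."""
    parts = parse_mtd_map(mtd_text)
    rows = []
    for offset, desc in parse_binwalk(binwalk_text):
        name, rel = locate(offset, parts)
        note = ""
        text, size = ascii_fields(desc), romfs_size(desc)
        if text is not None:
            note = "fields spell %r: likely a text string, not a header" % text.decode()
        elif size is not None and name is not None:
            end = next(e for _, e, n in parts if n == name)
            note = "fits" if offset + size <= end else "overruns partition"
        rows.append((hex(offset), name, rel, note))
    return rows


if __name__ == "__main__":
    for row in review():
        print("%-10s %-13s +0x%-8x %s" % row)
```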
nimrud Posted January 19, 2018

result of mtd_dumpxenv.sh:

    (0x00) 4 x.boot 00.58.00.00. 0x00005800
    (0x00) 4 z.stage1_ga 00.00.60.81. 0x81600000
    (0x00) 4 x.pll.1.pll 24.00.00.01. 0x01000024
    (0x00) 4 x.mux 01.02.00.00. 0x00000201
    (0x00) 4 x.ddr.0.density 06.00.00.00. 0x00000006
    (0x00) 4 x.ddr.1.density ff.ff.ff.ff. 0xffffffff
    (0x00) 4 x.ddr.grade 04.00.00.00. 0x00000004
    (0x00) 4 x.ddr.fmin_mhz 5e.01.00.00. 0x0000015e
    (0x00) 4 x.ddr.fmax_mhz 8f.01.00.00. 0x0000018f
    (0x00) 4 x.ddr.method 50.31.01.10. 0x10013150
    (0x00) 4 x.ddr.verbose 01.00.00.00. 0x00000001
    (0x00) 4 a.avclk_mux 00.00.40.17. 0x17400000
    (0x00) 4 a.hostclk_mux 31.01.00.00. 0x00000131
    (0x00) 4 a.pll.1.div 0f.06.00.00. 0x0000060f
    (0x00) 4 a.cd0_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd1_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd2_freq 00.d8.b8.05. 0x05b8d800
    (0x00) 4 a.cd3_freq 00.87.93.03. 0x03938700
    (0x00) 4 a.cd4_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd5_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd6_freq 00.d8.b8.05. 0x05b8d800
    (0x00) 4 a.cd7_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd8_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd9_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd10_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.cd11_freq 00.00.00.00. 0x00000000
    (0x00) 4 a.irq_rise_edge_lo 06.ca.28.ff. 0xff28ca06
    (0x00) 4 a.irq_rise_edge_hi 1f.00.10.8c. 0x8c10001f
    (0x00) 4 a.irq_fall_edge_lo 00.c0.00.00. 0x0000c000
    (0x00) 4 a.irq_fall_edge_hi 00.00.00.00. 0x00000000
    (0x00) 4 a.gpio_irq_map 00.08.0a.00. 0x000a0800
    (0x00) 4 a.pcidev1_irq_route 01.01.01.01. 0x01010101
    (0x00) 4 a.pcidev2_irq_route 01.01.01.01. 0x01010101
    (0x00) 4 a.pcidev3_irq_route 01.01.01.01. 0x01010101
    (0x00) 4 a.pcidev4_irq_route 01.01.01.01. 0x01010101
    (0x00) 4 a.gpio_dir 0c.4b.10.00. 0x00104b0c
    (0x00) 4 a.gpio_data 0c.40.10.00. 0x0010400c
    (0x00) 4 a.pb_def_timing 02.02.08.03. 0x03080202
    (0x00) 4 a.pb_cs_config 03.00.33.00. 0x00330003
    (0x00) 4 a.pb_cs_config1 00.00.00.00. 0x00000000
    (0x00) 4 a.pb_cs_ctrl 22.00.00.00. 0x00000022
    (0x00) 4 a.pb_timing0 02.02.08.03. 0x03080202
    (0x00) 4 a.pb_use_timing0 f3.03.00.00. 0x000003f3
    (0x00) 4 a.uart_used_ports 07.00.00.00. 0x00000007
    (0x00) 4 a.uart_console_port 00.00.00.00. 0x00000000
    (0x00) 4 a.baudrate 00.c2.01.00. 0x0001c200
    (0x00) 4 a.uart0_gpio_mode 6e.00.00.00. 0x0000006e
    (0x00) 4 a.uart0_gpio_dir 00.00.00.00. 0x00000000
    (0x00) 4 a.uart0_gpio_data 00.00.00.00. 0x00000000
    (0x00) 4 a.uart0_baudrate 00.c2.01.00. 0x0001c200
    (0x00) 4 a.uart1_gpio_mode 6e.00.00.00. 0x0000006e
    (0x00) 4 a.uart1_gpio_dir 00.00.00.00. 0x00000000
    (0x00) 4 a.uart1_gpio_data 00.00.00.00. 0x00000000
    (0x00) 4 a.uart1_baudrate 00.c2.01.00. 0x0001c200
    (0x00) 4 a.uart2_gpio_mode 7f.7f.00.00. 0x00007f7f
    (0x00) 4 a.uart2_gpio_dir 1d.1f.00.00. 0x00001f1d
    (0x00) 4 a.uart2_gpio_data 19.19.00.00. 0x00001919
    (0x00) 4 a.uart2_baudrate 00.c2.01.00. 0x0001c200
    (0x00) 4 a.ezb_origin 06.02.00.00. 0x00000206
    (0x00) 4 a.stage2_origin 00.00.00.00. 0x00000000
    (0x00) 4 a.scard_5v_pin 02.00.00.00. 0x00000002
    (0x00) 4 a.scard_cmd_pin 01.00.00.00. 0x00000001
    (0x00) 4 a.scard_off_pin 00.00.00.00. 0x00000000
    (0x00) 17 a.board_id 63.6d.73.74.31.5f.4d.54.44.2d.63.75.73.74.6f.6d.00. cmst1_MTD-custom
    (0x00) 97 xmb.comment 2d.2d.2d.20.72.65.76.69.65.77.20.78.6d.61.73.62.6f.6f.74.2f.63.6f.6e.66.69.67.73.2f.70.65.67.61.38.36.37.33.5f.4d.54.44.2d.63.75.73.74.6f.6d.2e.63.6f.6e.66.69.67.20.66.6f.72.20.64.65.74.61.69.6c.73.20.5b.78.6d.62.64.30.2d.65.7a.62.6f.6f.74.63.65.2d.6e.61.6e.64.5f.73.74.32.5d.20.2d.2d.2d.0a. --- review xmasboot/configs/pega8673_MTD-custom.config for details [xmbd0-ezbootce-nand_st2] ---.
    (0x00) 4 a.enable_devices f8.03.23.00. 0x002303f8
    (0x00) 15 a.eth1_mac 30.30.3a.31.36.3a.65.38.3a.30.30.2f.32.35.00. 00:16:e8:00/25
    (0x00) 4 a.cs0_rsvd_pblk 00.08.00.00. 0x00000800
    (0x00) 4 a.cs0_nand_timing1 06.0a.28.02. 0x02280a06
    (0x00) 4 a.cs0_nand_timing2 28.06.04.08. 0x08040628
    (0x00) 4 a.cs0_nand_devcfg 35.00.00.00. 0x00000035
    (0x00) 4 a.cs0_nand_cfg1 19.00.da.01. 0x01da0019
    (0x00) 4 a.cs0_nand_cfg2 bc.02.10.27. 0x271002bc
    (0x00) 4 a.cs0_nand_cfg3 40.00.5a.1a. 0x1a5a0040
    (0x00) 4 a.sata_channel_cfg 27.85.00.00. 0x00008527
    (0x00) 4 z.boot0 00.00.10.00. 0x00100000
    (0x00) 4 z.boot0_in_virtualzone 01.00.00.00. 0x00000001
    (0x00) 4 z.boot1 00.00.40.00. 0x00400000
    (0x00) 4 z.boot1_in_virtualzone 02.00.00.00. 0x00000002
    (0x00) 4 z.boot2 00.00.e0.00. 0x00e00000
    (0x00) 4 z.boot2_in_virtualzone 02.00.00.00. 0x00000002
    (0x00) 4 z.imatromfs_offset 00.00.e0.01. 0x01e00000
    (0x00) 4 z.imatromfs_in_virtualzone 02.00.00.00. 0x00000002
    (0x00) 4 z.imatromfs_size 00.00.40.00. 0x00400000
    (0x00) 4 z.imatromfs_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.xmatromfs_offset 00.00.80.01. 0x01800000
    (0x00) 4 z.xmatromfs_in_virtualzone 02.00.00.00. 0x00000002
    (0x00) 4 z.xmatromfs_size 00.00.60.00. 0x00600000
    (0x00) 4 z.xmatromfs_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.drm_keys_offset 00.00.14.00. 0x00140000
    (0x00) 4 z.drm_keys_size 00.00.02.00. 0x00020000
    (0x00) 4 z.drm_keys_in_virtualzone 01.00.00.00. 0x00000001
    (0x00) 4 z.interactive_boot_idx_sel 01.00.00.00. 0x00000001
    (0x00) 2 z.bootdev_order 00.01. ..
    (0x00) 9 y.testvar 79.61.6d.6f.6e.66.6f.6f.00. yamonfoo
    (0x00) 95 y.b0 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.30.31.30.30.30.30.30.20.30.78.61.34.61.30.30.30.30.30.20.30.78.30.34.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.34.61.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.34.61.30.30.30.38.30.3b.20.67.6f.00. nflash read -v 0x0100000 0xa4a00000 0x040000 0; dump romfs 0xa4a00000; load zbf 0xa4a00080; go
    (0x00) 94 y.b1 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.34.30.30.30.30.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0x400000 0xa7000000 0xa00000 0; dump romfs 0xa7000000; load zbf 0xa7000090; go
    (0x00) 94 y.b2 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.65.30.30.30.30.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.61.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.61.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0xe00000 0xa7000000 0xa00000 0; dump romfs 0xa7000000; load zbf 0xa7000090; go
    (0x00) 94 y.fb0 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.31.30.30.30.30.30.20.30.78.38.34.61.30.30.30.30.30.20.30.78.30.34.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.34.61.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.34.61.30.30.30.38.30.3b.20.67.6f.00. nflash read -v 0x100000 0x84a00000 0x040000 0; dump romfs 0x84a00000; load zbf 0x84a00080; go
    (0x00) 94 y.fb1 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.34.30.30.30.30.30.20.30.78.38.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0x400000 0x87000000 0xa00000 0; dump romfs 0x87000000; load zbf 0x87000090; go
    (0x00) 94 y.fb2 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.62.20.30.78.65.30.30.30.30.30.20.30.78.38.37.30.30.30.30.30.30.20.30.78.61.30.30.30.30.30.20.30.3b.20.64.75.6d.70.20.72.6f.6d.66.73.20.30.78.38.37.30.30.30.30.30.30.3b.20.6c.6f.61.64.20.7a.62.66.20.30.78.38.37.30.30.30.30.39.30.3b.20.67.6f.00. nflash read -b 0xe00000 0x87000000 0xa00000 0; dump romfs 0x87000000; load zbf 0x87000090; go
    (0x00) 91 y.commit 6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.78.63.30.30.30.30.20.24.78.65.6e.76.5f.61.64.64.72.20.30.78.32.30.30.30.30.20.30.3b.20.6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.78.65.30.30.30.30.20.24.78.65.6e.76.5f.61.64.64.72.20.30.78.32.30.30.30.30.20.30.00. nflash write -v 0xc0000 $xenv_addr 0x20000 0; nflash write -v 0xe0000 $xenv_addr 0x20000 0
    (0x00) 38 y.get_xxenv 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.00. nflash read -v 0 0xa7000000 0x20000 0
    (0x00) 11 y.xxenv_addr 30.78.61.37.30.30.38.37.34.38.00. 0xa7008748
    (0x00) 102 y.xcommit 6e.66.6c.61.73.68.20.72.65.61.64.20.2d.76.20.30.78.30.30.31.38.30.30.30.30.20.30.78.38.34.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.3b.20.67.6f.20.30.78.38.34.30.30.30.30.30.30.3b.20.6e.66.6c.61.73.68.20.77.72.69.74.65.20.2d.76.20.30.20.30.78.61.37.30.30.30.30.30.30.20.30.78.32.30.30.30.30.20.30.00. nflash read -v 0x00180000 0x84000000 0x20000 0; go 0x84000000; nflash write -v 0 0xa7000000 0x20000 0
    (0x00) 62 y.nwk 6c.6f.61.64.20.2d.62.20.74.66.74.70.3a.2f.2f.31.37.32.2e.33.30.2e.32.2e.32.31.32.2f.45.53.35.2f.76.6d.6c.69.6e.75.78.2d.6c.61.74.65.73.74.2e.62.69.6e.20.30.78.38.34.30.30.30.30.30.30.00. load -b tftp://172.30.2.212/ES5/vmlinux-latest.bin 0x84000000
    (0x00) 116 y.nwg 67.6f.20.2e.20.72.6f.6f.74.3d.2f.64.65.76.2f.6e.66.73.20.6e.66.73.72.6f.6f.74.3d.31.37.32.2e.33.30.2e.36.33.2e.31.33.3a.2f.72.6f.6f.74.73.2f.64.65.62.69.6e.73.74.2d.79.6f.75.72.6c.6f.67.69.6e.20.69.70.3d.3a.3a.3a.3a.3a.3a.64.68.63.70.20.72.64.69.6e.69.74.3d.2f.6e.6f.6e.65.20.63.6f.6e.73.6f.6c.65.3d.74.74.79.53.30.20.6d.65.6d.3d.31.33.35.4d.42.00. go . root=/dev/nfs nfsroot=172.30.63.13:/roots/debinst-yourlogin ip=::::::dhcp rdinit=/none console=ttyS0 mem=135MB
    (0x00) 4 a.cs0_pblk_part1_offset 00.00.00.00. 0x00000000
    (0x00) 4 a.cs0_pblk_part1_size 00.00.40.00. 0x00400000
    (0x00) 4 a.cs0_pblk_part2_offset 00.00.40.00. 0x00400000
    (0x00) 4 a.cs0_pblk_part2_size 00.00.a0.00. 0x00a00000
    (0x00) 4 a.cs0_pblk_part3_offset 00.00.e0.00. 0x00e00000
    (0x00) 4 a.cs0_pblk_part3_size 00.00.a0.00. 0x00a00000
    (0x00) 4 a.cs0_pblk_part4_offset 00.00.80.01. 0x01800000
    (0x00) 4 a.cs0_pblk_part4_size 00.00.60.00. 0x00600000
    (0x00) 4 a.cs0_pblk_part5_offset 00.00.e0.01. 0x01e00000
    (0x00) 4 a.cs0_pblk_part5_size 00.00.40.00. 0x00400000
    (0x00) 4 a.cs0_pblk_part6_offset 00.00.20.02. 0x02200000
    (0x00) 4 a.cs0_pblk_part6_size 00.00.00.06. 0x06000000
    (0x00) 4 a.cs0_pblk_part7_offset 00.00.20.08. 0x08200000
    (0x00) 4 a.cs0_pblk_part7_size 00.00.a0.00. 0x00a00000
    (0x00) 4 a.cs0_pblk_part8_offset 00.00.c0.08. 0x08c00000
    (0x00) 4 a.cs0_pblk_part8_size 00.00.40.07. 0x07400000
    (0x00) 4 a.cs0_pblk_parts 08.00.00.00. 0x00000008
    (0x00) 11 a.cs0_pblk_part1_name 62.6f.6f.74.62.6c.6f.63.6b.73.00. bootblocks
    (0x00) 11 a.cs0_pblk_part2_name 6d.61.69.6e.6b.65.72.6e.65.6c.00. mainkernel
    (0x00) 13 a.cs0_pblk_part3_name 72.65.73.63.75.65.6b.65.72.6e.65.6c.00. rescuekernel
    (0x00) 10 a.cs0_pblk_part4_name 78.6d.61.74.65.72.69.61.6c.00. xmaterial
    (0x00) 10 a.cs0_pblk_part5_name 69.6d.61.74.65.72.69.61.6c.00. imaterial
    (0x00) 13 a.cs0_pblk_part6_name 72.65.73.63.75.65.72.6f.6f.74.66.73.00. rescuerootfs
    (0x00) 12 a.cs0_pblk_part7_name 64.69.61.67.70.72.6f.67.72.61.6d.00. diagprogram
    (0x00) 9 a.cs0_pblk_part8_name 72.65.73.65.72.76.65.64.00. reserved
    (0x00) 36 a.linux_cmd 63.6f.6e.73.6f.6c.65.3d.74.74.79.53.30.20.72.6f.6f.74.64.65.6c.61.79.3d.31.30.20.6d.65.6d.3d.31.38.30.4d.00. console=ttyS0 rootdelay=10 mem=180M
    (0x00) 4 z.log2_xpu0_size 17.00.00.00. 0x00000017
    (0x00) 4 z.dsp0_size 00.00.50.00. 0x00500000
    (0x00) 4 z.zdata0_size 00.40.00.00. 0x00004000
    (0x00) 4 z.uzdata0_size 00.c0.00.00. 0x0000c000
    (0x00) 4 z.log2_xpu1_size 00.00.00.00. 0x00000000
    (0x00) 4 z.dsp1_size 00.00.00.00. 0x00000000
    (0x00) 4 z.zdata1_size 00.00.00.00. 0x00000000
    (0x00) 4 z.uzdata1_size 00.00.00.00. 0x00000000
    (0x00) 4 z.ruamm0_offset 00.00.40.0b. 0x0b400000
    (0x00) 4 z.ruamm1_offset 00.00.00.00. 0x00000000
    (0x00) 4 z.stage2_ga 00.00.00.80. 0x80000000
    (0x00) 4 z.xos_public_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.log2_xos_public_size 11.00.00.00. 0x00000011
    (0x00) 4 z.channel_index_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.ih_api_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.ios_mm 00.00.00.00. 0x00000000
    (0x00) 4 z.ios_size 00.00.40.00. 0x00400000
    (0x00) 4 z.splashscreen_enabled 01.00.00.00. 0x00000001
    (0x00) 4 i.sp.scaler 04.00.00.00. 0x00000004
    (0x00) 4 i.sp.digital_enable 01.00.00.00. 0x00000001
    (0x00) 4 i.sp.component_enable 01.00.00.00. 0x00000001
    (0x00) 4 i.sp.analog_enable 01.00.00.00. 0x00000001
    (0x00) 4 i.sp.digital_standard 23.00.00.00. 0x00000023
    (0x00) 4 i.sp.component_standard 65.00.00.00. 0x00000065
    (0x00) 4 i.sp.analog_standard 7b.00.00.00. 0x0000007b
    (0x00) 19 i.sp.picture 73.70.6c.61.73.68.5f.70.69.63.74.75.72.65.2e.73.64.64.00. splash_picture.sdd
    (0x00) 4 i.sp.hdmi_chip 01.00.00.00. 0x00000001
    (0x00) 4 i.sp.animation_enable 00.00.00.00. 0x00000000
    (0x00) 4 i.dac.cav.bs f4.00.00.00. 0x000000f4
    (0x00) 4 i.dac.cav.rs f4.00.00.00. 0x000000f4
    (0x00) 140 a.ps.mt3_hs 1b.20.00.01.01.03.00.00.01.04.00.00.1a.00.14.35.2b.13.65.45.21.00.01.00.1a.00.14.35.2b.13.65.45.21.00.01.00.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0b.0c.0c.0c.0c.80.80.80.80.7d.7f.7d.7f.05.05.05.05.05.05.05.05.0c.0c.0c.0c.80.80.80.80.7c.7c.7a.7a.05.05.05.05.05.05.05.05. . .............5+.eE!......5+.eE!...........................................................................}.}.................||zz........
    (0x00) 4 a.ps.pll2 00.00.00.00. 0x00000000
    (0x00) 4 a.ps.pll0 00.00.00.00. 0x00000000
    (0x00) 12 a.standby.mt3_hs 1f.80.00.01.01.00.00.00.01.04.00.00. ............
    (0x00) 4 a.standby.pll2 00.00.00.00. 0x00000000
    (0x00) 4 a.standby.pll0 00.00.00.00. 0x00000000
    (0x00) 4 a.standby.gpio_dir 80.02.00.00. 0x00000280
    (0x00) 4 a.standby.gpio_data 00.00.00.00. 0x00000000
    (0x00) 4 z.xmat_microcode 00.00.00.00. 0x00000000
    (0x00) 6 a.model_id 43.53.31.30.30.00. CS100
    (0x00) 17 a.eth_mac 44.38.3a.34.39.3a.32.46.3a.46.36.3a.46.46.3a.41.42. D8:49:2F:F6:FF:AB
    (0x00) 12 a.sn 30.36.30.30.35.31.30.31.34.32.38.30. 060051014280
    (0x00) 4 z.default_boot 01.00.00.00. 0x00000001
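An added example, not part of nimrud's posts: the `a.cs0_pblk_part*` records in the xenv dump describe the NAND partition layout, so the binwalk offsets for the whole-flash image can be checked against it. The sketch decodes each record from its raw byte column (4-byte values are little-endian), using a constructed nine-line sample taken from the dump; the function names are hypothetical.

```python
import re

# Constructed sample: nine records copied from the mtd_dumpxenv.sh output above.
XENV = """\
(0x00) 4 a.cs0_pblk_part1_offset 00.00.00.00. 0x00000000
(0x00) 4 a.cs0_pblk_part1_size 00.00.40.00. 0x00400000
(0x00) 4 a.cs0_pblk_part2_offset 00.00.40.00. 0x00400000
(0x00) 4 a.cs0_pblk_part2_size 00.00.a0.00. 0x00a00000
(0x00) 4 a.cs0_pblk_part3_offset 00.00.e0.00. 0x00e00000
(0x00) 4 a.cs0_pblk_part3_size 00.00.a0.00. 0x00a00000
(0x00) 11 a.cs0_pblk_part1_name 62.6f.6f.74.62.6c.6f.63.6b.73.00. bootblocks
(0x00) 11 a.cs0_pblk_part2_name 6d.61.69.6e.6b.65.72.6e.65.6c.00. mainkernel
(0x00) 13 a.cs0_pblk_part3_name 72.65.73.63.75.65.6b.65.72.6e.65.6c.00. rescuekernel
"""
# romfs hits binwalk reported in the whole-flash image (offset -> volume name).
BINWALK_HITS = {0x100000: "YAMON_XLOAD", 0x140000: "DRMKEYS",
                0x400000: "MIPSLINUX_XLOAD", 0xE00000: "MIPSLINUX_XLOAD"}

LINE = re.compile(r"^\(0x[0-9a-f]+\)\s+(\d+)\s+(\S+)\s+((?:[0-9a-f]{2}\.)+)")

def parse_xenv(text):
    """Decode each record from its raw byte column, not the rendered value."""
    env = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        length, key = int(m.group(1)), m.group(2)
        raw = bytes.fromhex(m.group(3).replace(".", ""))
        if len(raw) != length:
            raise ValueError(f"{key}: declared {length} bytes, got {len(raw)}")
        if length == 4:
            env[key] = int.from_bytes(raw, "little")
        else:
            env[key] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return env

def partitions(env):
    """Return [(name, start, end)] sorted by start offset."""
    parts = []
    for key in env:
        m = re.fullmatch(r"a\.cs0_pblk_part(\d+)_offset", key)
        if m:
            n, start = m.group(1), env[key]
            parts.append((env[f"a.cs0_pblk_part{n}_name"], start,
                          start + env[f"a.cs0_pblk_part{n}_size"]))
    return sorted(parts, key=lambda p: p[1])

def locate(parts, offset):
    """Name of the partition containing a flash offset, or None."""
    for name, start, end in parts:
        if start <= offset < end:
            return name
    return None

if __name__ == "__main__":
    parts = partitions(parse_xenv(XENV))
    for name, start, end in parts:
        print(f"{name:<13} 0x{start:08x}-0x{end:08x}")
    for off, label in sorted(BINWALK_HITS.items()):
        print(f"0x{off:08x} {label:<16} -> {locate(parts, off)}")
```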
nimrud Posted January 19, 2018

I have a chrooted Debian squeeze running! I found that the SoC is very similar to the WDTV, so I gave it a try... thanks to http://b-rad.cc/

This means you can install available programs through apt, but module-dependent programs will not run (but as a first step I think it's a huge one!)

More or less the steps I followed:

    cd /home
    wget http://files.wdlxtv.de/debian-squeeze.img.tgz
    mkdir /home/debian
    # unpack debian-squeeze.img into /home, next to the mount point
    tar xzvf debian-squeeze.img.tgz
    # loop-mount the image, then expose the host's proc, sys and dev inside it
    mount -o loop debian-squeeze.img /home/debian/
    mount -t proc proc /home/debian/proc
    mount -t sysfs sys /home/debian/sys
    mount -o bind /dev /home/debian/dev
    mount --bind /dev/pts /home/debian/dev/pts
    chroot /home/debian/ /bin/bash
    # from here on, inside the chroot: squeeze is archived, so skip the
    # Release-file expiry check and point apt at archive.debian.org
    echo 'Acquire::Check-Valid-Until "false";' >/etc/apt/apt.conf.d/90ignore-release-date
    echo "deb http://archive.debian.org/debian squeeze main" > /etc/apt/sources.list
    echo "deb http://archive.debian.org/debian squeeze-lts main" >> /etc/apt/sources.list
    apt-get update

... use it under your own responsibility!
acarus36 Posted January 19, 2018

Hi @nimrud! First of all, thank you very much for all your work. Hopefully we can hack this thing! I bought 2 and I wanted to know whether you have only connected the hard drive to Linux or you have connected the whole device. These Linux commands, what exactly do they do? Install Debian? Do you install the WDTV OS? What do you have to do and put exactly to prove? I do not understand too much about hacking or Linux but I am willing to try! Thanks again for your work. Greetings!
Archived
This topic is now archived and is closed to further replies.