From 34b9f14be7f56660ecc11747162ebedabd9cb3b1 Mon Sep 17 00:00:00 2001 From: Jan Wachsmuth Date: Sun, 31 Dec 2023 00:19:37 +0100 Subject: [PATCH] - --- Hardware.md | 140 +++++++++++++++++ TELNETD.md | 7 +- boot-process.md | 394 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 540 insertions(+), 1 deletion(-) create mode 100644 Hardware.md create mode 100644 boot-process.md diff --git a/Hardware.md b/Hardware.md new file mode 100644 index 0000000..08e72b2 --- /dev/null +++ b/Hardware.md 
@@ -0,0 +1,140 @@ +# Hardware +The specs for the Linkplay A31 module are as follows +``` +# cat /proc/cpuinfo +system type : MT7628 +processor : 0 +cpu model : MIPS 24Kc V5.5 +BogoMIPS : 386.04 +wait instruction : yes +microsecond timers : yes +tlb_entries : 32 +extra interrupt vector : yes +hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb] +ASEs implemented : mips16 dsp +shadow register sets : 1 +core : 0 +VCED exceptions : not available +VCEI exceptions : not available +``` + +Here are some useful links go get more information about the hardware: +https://openwrt.org/docs/techref/hardware/soc/soc.mediatek +https://openwrt.org/docs/techref/instructionset/mipsel_24kc + +There is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need: +https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ +and +https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/ + +The binaries are included in packages, so you have to find out which packages includes a specific binary. A list of packages can be found here: https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/Packages + +Here's an example how to download a package and get the binaries from it for a SSH server (dropbear): + +``` +cd ~/Downloads +curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/dropbear_2015.67-1_ramips_24kec.ipk' -o dropbear_2015.67-1_ramips_24kec.ipk +mkdir dropbear_2015.67-1_ramips_24kec +cd dropbear_2015.67-1_ramips_24kec +tar zxpvf ../dropbear_2015.67-1_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz +# copy dropbear binary to a subdirectory on your webserver +cp usr/sbin/dropbear /Library/WebServer/Documents/a31/ +# you may open finder to search for additional information in the package +open . 
+``` +In the next step you can you can download and install dropbear on the Up2Stream device (telnetd already installed): +``` +cd /tmp +mkdir /tmp/bin +wget -O /tmp/bin/dropbear -T 5 'http://10.1.1.22/a31/dropbear' +chmod 777 /tmp/bin/dropbear +# create links for additional commands +ln -s /tmp/bin/dropbear /tmp/bin/dropbearkey +ln -s /tmp/bin/dropbear /tmp/bin/scp +ln -s /tmp/bin/dropbear /tmp/bin/dbclient +# not sure if PATH needs to be set (can't remember anymore) +# export PATH=$PATH:/tmp/bin +# generate SSH keys (only once - you may save and reuse your keys later) +dropbearkey -t rsa -f /tmp/rsa_host_key +# save public key to file (may also be used to show key) +dropbearkey -y -f rsa_host_key | grep ^ssh-rsa > key_public +# example how to use scp with dbclient (ssh client from dropbear) to copy +# key to a remote Linux system +scp -S /tmp/bin/dbclient /tmp/rsa_host_key pi@10.1.1.45:rsa_host_key +# later on you may reuse your saved keys to avoid key mismatches +# wget -O /tmp/rsa_host_key -T 5 'http://10.1.1.22/a31/rsa_host_key' +chmod 666 /tmp/rsa_host_key +dropbear -r /tmp/rsa_host_key +``` +Log in with ssh from remote by using username admin, password admin + +I tried to install a sftp server on my Up2Stream device to be able to add the file system via sshfs from my MacBook, but it's not working so far. Here are the commands that I've used: +``` +cd ~/Downloads +curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/packages/openssh-sftp-server_7.1p2-1_ramips_24kec.ipk' -o openssh-sftp-server_7.1p2-1_ramips_24kec.ipk +mkdir openssh-sftp-server_7.1p2-1_ramips_24kec +cd openssh-sftp-server_7.1p2-1_ramips_24kec +tar zxpvf ../openssh-sftp-server_7.1p2-1_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz +# copy sftp server binary to a subdirectory on your webserver +cp usr/lib/sftp-server /Library/WebServer/Documents/a31/ +# you may open finder to search for additional information in the package +open . 
+``` +and on the Up2Stream device: +``` +wget -O /tmp/bin/sftp-server -T 5 'http://10.1.1.22/a31/sftp-server' +chmod 777 /tmp/bin/sftp-server +``` + +Goal was to mount the Up2Stream device on my MacBook with sshfs: +``` +sshfs -C -o volname=up2stream -p 22 -o allow_other -o sftp_server=/tmp/bin/sftp-server admin@10.1.1.52:/ ~/Volumes/up2stream +``` + +-> segmentation fault for sftp server! + +tried older version from Barrier Breaker, but got the same error. +https://archive.openwrt.org/barrier_breaker/14.07/ramips/mt7620n/packages/packages/ + +there are also packages for newer version available: +https://downloads.openwrt.org/releases/18.06.8/targets/ramips/mt76x8/ + +Some useful utilites that I've tried, e.g. readelf, file and strings: +``` +# download binutils_2.24-3_ramips_24kec.ipk +mkdir binutils_2.24-3_ramips_24kec +cd binutils_2.24-3_ramips_24kec +tar zxpvf ../binutils_2.24-3_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz + +# on Up2Stream device: +wget -O /tmp/readelf -T 5 'http://10.1.1.22/a31/readelf';/bin/chmod 777 /tmp/readelf + +# download libbfd_2.24-3_ramips_24kec.ipk +mkdir libbfd_2.24-3_ramips_24kec +cd libbfd_2.24-3_ramips_24kec +tar zxpvf ../libbfd_2.24-3_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz + +# on Up2Stream device: +wget -O /tmp/libbfd-2.24.so -T 5 'http://10.1.1.22/a31/libbfd-2.24.so';/bin/chmod 777 /tmp/libbfd-2.24.so + +# download file_5.25-1_ramips_24kec.ipk +mkdir file_5.25-1_ramips_24kec +cd file_5.25-1_ramips_24kec +tar zxpvf ../file_5.25-1_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz + +# on Up2Stream device: +wget -O /tmp/file -T 5 'http://10.1.1.22/a31/file';/bin/chmod 777 /tmp/file + +# on Up2Stream device: +wget -O /tmp/strings -T 5 'http://10.1.1.22/a31/strings';/bin/chmod 777 /tmp/strings +``` \ No newline at end of file diff --git a/TELNETD.md b/TELNETD.md index d05b551..104394d 100644 --- a/TELNETD.md +++ b/TELNETD.md 
@@ -13,7 +13,12 @@ wget -O /tmp/busybox -T 5 http://10.1.1.22/a31/busybox -q; /bin/chmod 777 /tmp/busybox; /tmp/busybox telnetd -l/bin/ash ``` -The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. Fortunately +The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. A version of busybox is provided here: + +There is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need: +https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ + +The binaries are included in packages ``` diff --git a/boot-process.md b/boot-process.md new file mode 100644 index 0000000..909ef3e --- /dev/null +++ b/boot-process.md 
@@ -0,0 +1,394 @@ +# Reverse Engineering of boot process +Connect Pins from A31 module board to USB-to-Serial Board (FT232R) - Pin 24 RX, 25 TX, 28 GND + +Output with 57600 (after boot up) +``` +AXX+MUT+001 +AXX+BOT+DON +AXX+BOT+UP0 +AXX+MUT+000 +AXX+MIC+000 +AXX+MCU+RDY +AXX+GET+RTC +AXX+VOL+GET +AXX+CHN+GET +AXX+MCU+VER +AXX+PLM+GET +AXX+ETH+001 +AXX+WWW+001 +AXX+STA+002 +AXX+STA+001 +AXX+WWW+001 +AXX+WWW+001 +AXX+SET+RTC20201227223359& +AXX+SET+WEK0& +AXX+NXT+ALS-1& +``` +--> This is the communication between the WiFi module and the MCU + +## Installing tools +Guide to Mediatek development board LinkIt Smart 7688 that has the same SoC: +https://docs.labs.mediatek.com/resource/linkit-smart-7688/en/tutorials/firmware-and-bootloader/bootloader-and-kernel-console + +The Bootloader console and Linux kernel console are configured to serial port UART2 (P8/UART_TXD2 and P9/UART_RXD2) at a baud rate of 57600. + +--> This is specific for the Mediatek development board, but not the Linkplay A31 module! + +Tools were also available from https://docs.labs.mediatek.com/resource/linkit-smart-7688/en/downloads + +> **Note:** +> The links listed above seem not to work anymore and are redirected to a Chinese web site. + +I was able to download a firmware image (lks7688.img) version 0.9.4 and extract a binary of "**_busybox_**" with **_binwalk_**. You may download the binary from here or use a similar version from the Open WRT archive, see below. + +> **Note:** +> The busybox tool from the A31 module is a reduced version that does not contain many tools, not even a telnetd anymore! 
+ + +Binary files are available from Open WRT archive, (Chaos Calmer) v15.05 and v15.05.1: +https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ +and +https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/ + + +Example to download the tools from the OpenWRT version Chaos Calmer: +----------------------------------------------- +uboot-envtools_2014.10-2_ramips_24kec.ipk + +mkdir uboot-envtools_2014.10-2_ramips_24kec +cd uboot-envtools_2014.10-2_ramips_24kec +tar zxpvf ../uboot-envtools_2014.10-2_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz + +wget -O /tmp/fw_printenv -T 5 'http://10.1.1.22/a31/fw_printenv';/bin/chmod 777 /tmp/fw_printenv +ln -s /tmp/fw_printenv /tmp/fw_setenv + +curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/dmesg_2.25.2-4_ramips_24kec.ipk' -o dmesg_2.25.2-4_ramips_24kec.ipk +mkdir dmesg_2.25.2-4_ramips_24kec +cd dmesg_2.25.2-4_ramips_24kec +tar zxpvf ../dmesg_2.25.2-4_ramips_24kec.ipk +tar zxpvf control.tar.gz +tar zxpvf data.tar.gz +open . +# copy ./usr/sbin/dmesg to your webserver, e.g. /Library/WebServer/Documents/a31 +on Up2Stream device: +wget -O /tmp/dmesg -T 5 'http://10.1.1.22/a31/dmesg';/bin/chmod 777 /tmp/dmesg + +cat /proc/version +Linux version 2.6.36+ (linkplay@linkplay-build-2) (gcc version 4.6.4 (Buildroot 2013.11) ) #1 Thu Feb 20 11:45:09 CST 2020 + +# cat /proc/mtd +dev: size erasesize name +mtd0: 01000000 00010000 "ALL" +mtd1: 00030000 00010000 "Bootloader" +mtd2: 00010000 00010000 "Config" +mtd3: 00010000 00010000 "Factory" +mtd4: 00200000 00010000 "bkKernel" +mtd5: 001df508 00010000 "Kernel" +mtd6: 00950af8 00010000 "RootFS" +mtd7: 00b30000 00010000 "Kernel_RootFS" +mtd8: 00080000 00010000 "user" +mtd9: 00200000 00010000 "user2" +# + +# dmesg +[ 0.000000] Linux version 2.6.36+ (linkplay@linkplay-build-2) (gcc version 4.6.4 (Buildroot 2013.11) ) #1 Thu Feb 20 11:45:09 CST 2020 +... 
+[ 0.000000] Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock6 +... +[ 0.444000] flash manufacture id: ef, device id 40 18 +[ 0.456000] W25Q128BV(ef 40180000) (16384 Kbytes) +[ 0.464000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0 +[ 0.484000] user1 00d80000 - 00e00000 size 00080000 +[ 0.492000] user2 00e00000 - 01000000 size 00200000 +[ 0.504000] Creating 10 MTD partitions on "raspi": +[ 0.512000] 0x000000000000-0x000001000000 : "ALL" +[ 0.524000] 0x000000000000-0x000000030000 : "Bootloader" +[ 0.532000] ===========check_rootfs offset=42f4c8 i=64, ret=0 ============== +[ 0.548000] name:Wiimu Rootfs +[ 0.552000] ih_time:0x9e024e5e +[ 0.560000] ih_magic:0x56190527 +[ 0.564000] ih_hcrc:0xb7e4affc +[ 0.572000] ih_size:6569984 Bytes +[ 0.580000] ih_dcrc:0x509122d0 +[ 0.584000] os=6, arch=5, type=7, comp=1 +[ 0.592000] ih_ksz:0x00000000 + + +[ 0.604000] 0x000000030000-0x000000040000 : "Config" +[ 0.616000] 0x000000040000-0x000000050000 : "Factory" +[ 0.624000] 0x000000050000-0x000000250000 : "bkKernel" +[ 0.636000] 0x000000250000-0x00000042f508 : "Kernel" +[ 0.648000] mtd: partition "Kernel" doesn't end on an erase block -- force read-only +[ 0.664000] 0x00000042f508-0x000000d80000 : "RootFS" +[ 0.672000] mtd: partition "RootFS" doesn't start on an erase block boundary -- force read-only +[ 0.692000] 0x000000250000-0x000000d80000 : "Kernel_RootFS" +[ 0.700000] 0x000000d80000-0x000000e00000 : "user" +[ 0.712000] 0x000000e00000-0x000001000000 : "user2" +... + +install dd from busybox and scp from dropbear package, then + +dd if=/dev/mtd1 of=/tmp/mtd1.cp bs=512 count=128000 skip=0 +scp -v -S /tmp/bin/dbclient /tmp/mtd1.cp pi@10.1.1.40:mtd1.cp +rm /tmp/mtd1.cp + +--> size 0x30000 = 196608 bytes. The command above tries to copy more data, so the whole mtd1 partition is copied. 
+ +mtd1: 00030000 00010000 "Bootloader" - no environment variables +mtd2: 00010000 00010000 "Config" - from 0x2000 to 0x6000 +mtd3: 00010000 00010000 "Factory" +mtd4: 00200000 00010000 "bkKernel" +mtd5: 001df508 00010000 "Kernel" +mtd6: 00950af8 00010000 "RootFS" +mtd7: 00b30000 00010000 "Kernel_RootFS" +mtd8: 00080000 00010000 "user" +mtd9: 00200000 00010000 "user2" + +mkdir /var/lock + +create file /etc/fw_env.config +with +# MTD device name Device offset Env. size Flash sector size +/dev/mtd2 0x02000 0x4000 0x4000 + +before setting the correct values: +/tmp/fw_printenv +Warning: Bad CRC, using default environment +bootcmd=bootp; setenv bootargs root=/dev/nfs nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}::off; bootm +bootdelay=5 +baudrate=115200 + +with settings from above: +# fw_printenv +WebInit=1 +HostName=wiimu +OperationMode=3 +Platform=MT7628 +wanConnectionMode=DHCP +wan_ipaddr=192.168.1.1 +wan_netmask=255.255.255.0 +wan_gateway=192.168.1.254 +wan_primary_dns=168.95.1.1 +wan_secondary_dns=8.8.8.8 +wan_l2tp_server=l2tp_server +wan_l2tp_mode=0 +wan_l2tp_ip=192.168.1.1 +wan_l2tp_netmask=255.255.255.0 +wan_l2tp_gateway=192.168.1.254 +wan_pptp_server=pptp_server +wan_pptp_mode=0 +wan_pptp_ip=192.168.1.1 +wan_pptp_netmask=255.255.255.0 +wan_pptp_gateway=192.168.1.254 +lan_ipaddr=10.10.10.254 +lan_netmask=255.255.255.0 +dhcpEnabled=1 +dhcpStart=10.10.10.100 +dhcpEnd=10.10.10.200 +dhcpMask=255.255.255.0 +dhcpPriDns=168.95.1.1 +dhcpSecDns=8.8.8.8 +dhcpGateway=10.10.10.254 +dhcpLease=86400 +stpEnabled=0 +lltdEnabled=0 +igmpEnabled=0 +natEnabled=1 +IPPortFilterEnable=0 +PortForwardEnable=0 +MacFilterEnable=0 +DefaultFirewallPolicy=1 +DMZEnable=0 +CountryRegion=1 +CountryRegionABand=7 +CountryCode=DE +BssidNum=1 +SSID1=SoundSystem_305D +WirelessMode=9 +TxRate=0 +Channel=11 +BasicRate=15 +BeaconPeriod=100 +DtimPeriod=1 +TxPower=100 +DisableOLBC=0 +BGProtection=0 +TxPreamble=0 +RTSThreshold=2347 +FragThreshold=2346 
+TxBurst=1 +PktAggregate=1 +TurboRate=0 +WmmCapable=1 +APAifsn=3;7;1;1 +APCwmin=4;4;3;2 +APCwmax=6;10;4;3 +APTxop=0;0;94;47 +APACM=0;0;0;0 +BSSAifsn=3;7;2;2 +BSSCwmin=4;4;3;2 +BSSCwmax=10;10;4;3 +BSSTxop=0;0;94;47 +BSSACM=0;0;0;0 +AckPolicy=0;0;0;0 +APSDCapable=0 +DLSCapable=0 +NoForwarding=0 +NoForwardingBTNBSSID=0 +HideSSID=0 +ShortSlot=1 +AutoChannelSelect=0 +SecurityMode=0 +VLANEnable=0 +VLANID=0 +VLANPriority=0 +WscConfMode=0 +WscConfStatus=2 +WscAKMP=1 +WscConfigured=0 +WscModeOption=0 +WscActionIndex=9 +WscRegResult=1 +WscUseUPnP=1 +WscUseUFD=0 +WscSSID=RalinkInitialAP +WscKeyMGMT=WPA-EAP +WscConfigMethod=138 +WscAuthType=1 +WscEncrypType=1 +WscNewKey=scaptest +IEEE8021X=0 +IEEE80211H=0 +CSPeriod=6 +PreAuth=0 +AuthMode=WPAPSKWPA2PSK +EncrypType=AES +RekeyInterval=3600 +RekeyMethod=DISABLE +PMKCachePeriod=10 +WPAPSK1=Plattfisch +DefaultKeyID=1 +Key1Type=0 +Key2Type=0 +Key3Type=0 +Key4Type=0 +HSCounter=0 +HT_HTC=1 +HT_RDG=0 +HT_LinkAdapt=0 +HT_OpMode=0 +HT_MpduDensity=5 +HT_EXTCHA=1 +HT_BW=0 +HT_AutoBA=1 +HT_BADecline=0 +HT_AMSDU=0 +HT_BAWinSize=64 +HT_GI=1 +HT_STBC=1 +HT_MCS=33 +HT_PROTECT=1 +HT_MIMOPS=3 +HT_40MHZ_INTOLERANT=0 +HT_TxStream=1 +HT_RxStream=1 +HT_DisallowTKIP=1 +HT_BSSCoexistence=0 +NintendoCapable=0 +AccessPolicy0=0 +AccessPolicy1=0 +AccessPolicy2=0 +AccessPolicy3=0 +WdsEnable=0 +WdsEncrypType=NONE +WirelessEvent=0 +RADIUS_Port=1812 +RADIUS_Acct_Port=1813 +session_timeout_interval=0 +idle_timeout_interval=0 +RadioOn=1 +Login=admin +Password=admin +WAN_MAC_ADDR=0:22:6C:14:30:60 + +CAP_STREAMS=fffffbfe +CAP_PLM=6 +Private_PrjName=RP0011_WB60_S +wiimuLanguage=en_us +LangInit=1 +PresetNumber=10 +CAP_CAP1=305200 +CAP_CAP2=28490a00 +ALI_PRJ_ID=RAKOIT_MA1 +MaxPromptVolume=50 +upnp_manufacture=RAKOIT +upnp_manufacture_url=https://www.rakoit.com/ +upnp_model_name=Up2Stream AMP +upnp_model_url=https://www.rakoit.com/ +upnp_model_description=RAKOIT Wi-Fi Sound System +SPOTIFY_TYPE=1 +SPOTIFY_NAME=RP0011_WB60_S +SPOTIFY_BRAND=RAKOIT 
+SPOTIFY_NAME_DISPLAY=SoundSystem +SPOTIFY_BRAND_DISPLAY=RAKOIT +SPOTIFY_PRODUCT_ID=0 +CAP_MPTV=0 +CAP_ALINK=0 +SSID_CONFIRM=1 +FIRST_BOOTUP=0 +mvProductId=RP0011_WB60_S +mvHardwareVersion=WiiMu-A31 +mv_uuid=FF31F09E2BE2384A4E6CF9BB +upnp_uuid=uuid:FF31F09E-2BE2-384A-4E6C-F9BBFF31F09E +rootfs_checked=1 +TIME_ZONE=1.0 +GroupName=Lab +DeviceName=Lab +part_ver_kernel=8827 +silenceOTA=1 +SoftEQ=1 +EQ_Bass=2 +EQ_Treble=1 +Prompt=1 +AudioCH=0 +NTPValid=1 +DefaultPassword=1 +SSID_HIDE=2 +TZ=CET-1CEST,M3.5.0,M10.5.0/3 +WpsApCliSsid= +WpsApCliWPAPSK=4B61726C4172736368 +WpsApCliAuthMode=WPA2PSK +WpsApCliEncrypType=AES +WpsApCliChannel=6 +ApCliEnable=1 +ApCliSsid=4D656C626F75726E65 +ApCliWPAPSK=5265645365613230303521 +ApCliAuthMode=WPA2PSK +ApCliEncrypType=AES +ApCliChannel=6 + +# show contents of NVRAM +ralink_init show 2860 + +--> similar output + +code snippet from a script: +srv=`nvram_get 2860 NTPServerIP` +sync=`nvram_get 2860 NTPSync` +tz=`nvram_get 2860 TZ` +nvram_set 2860 TZ + + +nvram_set 2860 RadioOn 0 +nvram_set 2860 ApCliEnable 0 + +--> blinking LED, but apcli0 and ra0 still enabled after reboot + +nvram_set 2860 TxPower 0 or 1 + +--> no effect + + The environment is usually at the end of the uboot partition. +
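Review bot: In the Hardware.md hunk the dropbear setup leaves the SSH host key and the server binary world-writable (`chmod 777 /tmp/bin/dropbear`, `chmod 666 /tmp/rsa_host_key`) and then tells the reader to log in as admin/admin; a private host key should be `chmod 600`, the binaries `chmod 755`, and the text should say to change the default password before dropbear is reachable on the network. The `.ipk` files are also fetched from the archive and re-served over plain HTTP from 10.1.1.22 with no integrity check; the `Packages` index linked in the same hunk lists a checksum per package, so a `sha256sum` comparison right after the `curl` line would catch a tampered or truncated download. Minor doc fixes in the same hunk: "go get" should be "to get", "you can you can" is doubled, "which packages includes" / "a SSH server" / "utilites" need correcting, and the file is committed without a trailing newline ("\ No newline at end of file").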
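Review bot: In the TELNETD.md hunk the new paragraph ends mid-thought: "A version of busybox is provided here:" is followed by a blank line instead of a link, and "+The binaries are included in packages" stops without finishing the sentence (the complete explanation of unpacking the .ipk to reach the binary is in the Hardware.md hunk of this same patch). Either finish the sentence and give the direct busybox package URL, or replace both added lines with a reference to Hardware.md so the two files do not drift; the chaos_calmer archive URL is already duplicated between them.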
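Review bot: The boot-process.md hunk commits the full `fw_printenv` dump with live credentials and device identifiers: `WPAPSK1=Plattfisch`, `ApCliWPAPSK=5265645365613230303521` and `WpsApCliWPAPSK` (hex-encoded passphrases), `WscNewKey=scaptest`, `Password=admin`, plus `WAN_MAC_ADDR`, `mv_uuid`/`upnp_uuid` and the SSID. Redact these (for example `WPAPSK1=<redacted>`) before merging, since they stay in git history once pushed, and rotate the Wi-Fi passphrase if this repository is public. Two further points: the closing line "The environment is usually at the end of the uboot partition." contradicts the finding a few lines earlier that mtd1 "Bootloader" holds no environment and that it was found in mtd2 "Config" at offset 0x2000 (the `/dev/mtd2 0x02000 0x4000 0x4000` line of `/etc/fw_env.config`), so reword it as the general assumption that did not hold here; and `nvram_set 2860 TZ` is shown without a value, so either add the intended value or label it as the form of the command. Formatting: the "Example to download the tools..." section uses a `-----` underline and an unfenced command block while the rest of the file uses ``` fences; fencing that block keeps the commands copyable and stops the `#`-prefixed shell comments from rendering as headings.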