Closed Nold360 closed 2 years ago
How did you get the original firmware? I am currently playing with a Victure PC420, have not gotten a root shell yet... but I have access to uboot... any tips how to get the original root fs?
Huh, been scouring the internet for Victure PC220 root access info or any way to dump firmware (back is called IPC_flash_up.bin) running on an Ingenic T20 Xburst.
No matter how I play with Uboot it will either reboot after 3 seconds or close console early.....
Keep me informed if you have better luck please.
Hey, sorry, this was quite a while ago.. but IIRC there are commands in uboot which allow reading flash & also accessing the sd-card, or at least writing data to it.. basically the opposite of this command:
fatload mmc 0:1 0x80600000 rootfsmod.bin
0x80600000 should be the address of the root partition, mmc 0:1 the sd-card[-partition!?] and rootfsmod.bin the name of the file on the sd-card.
What I did to get the "original" firmware was basically dump all these partitions.
Sorry to bother you again. After reading my logs last night in my sleep-deprived state I copied the line "fatload mmc 0:1 0x80600000 rootfsmod.bin" to PuTTY and ran it; this has now produced
[ 1.893865] SQUASHFS error: unable to read id index table
I'm assuming that I did this before I dumped flash to console overnight, so that's probably missing the "id index for SQUASHFS".
So as this is only my 2nd attempt at reverse engineering anything, I'm guessing I've bricked the cam unless I can recreate the ID INDEX or obtain an original copy of firmware??? (The Victure line looks very similar to YI cameras (shape and components), maybe worth flashing with that??)
Any suggestions please (the camera was a find, cost me nothing, it's just a learning experience). Thanks
[ 1.893865] SQUASHFS error: unable to read id index table
According to this, the error means that the end of the filesystem has been truncated, so the rootfsmod.bin doesn't seem to be a valid squashfs.
Hi @Nold360, thanks for still answering! If I got this correctly then fatload mmc 0:1 0x80600000 rootfsmod.bin will try to load a file called rootfsmod.bin from the sd card...
But I am trying to do the opposite... now the fatload function seems to be not what I should use for that... I could try to have uboot print out the memory contents via serial (using md) and then store them to a file, but I feel there must be a better way to tell uboot to dump it to a file on the sd card... I am just unsure what command to use...
isvp_t20# help
? - alias for 'help'
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
boota - boot android system
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
chpart - change active partition
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
echo - echo args to console
env - environment handling commands
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
gettime - get timer val elapsed,
go - start application at address 'addr'
help - print command description/usage
jzsoc - jz soc info
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
sleep - delay execution for some time
source - run script from memory
tftpboot- boot image via network using TFTP protocol
version - print monitor, compiler and linker version
isvp_t20#
@s00500 Hi, I've not quite got it figured out, but from https://cybergibbons.com/hardware-hacking/recovering-firmware-through-u-boot/
we need to read flash into RAM:
sf probe 0 (initialise flash)
DEMO VALUES ONLY !! YOUR PARTITIONS WILL BE DIFFERENT, CHECK YOUR LOGS
sf read 0x82000000 0x0 0x1000000 (read a partition into memory)
Then we can either use the rest of the above tutorial to dump memory to console, save the log, edit it and use the python program to rebuild the bin (I assume we can recover partitions from this)
OR
the mmc write command can be used to dump to SD card, which is quicker, but the data is written raw to the SD card and I haven't figured out how to parse it back together and am not 100% sure if it's the targeted portion of memory.
Best of luck.
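The serial route discussed above (display memory on the console, save the log, rebuild the binary) stands or falls on the capture being complete. The following is an added example, not code from this thread or from the linked blog post: it rebuilds bytes from a saved log and reports address gaps. It assumes the log was produced with byte-wise display (`md.b`); the sample log is constructed.

```python
import re

# One line of U-Boot "md.b" output: 8-digit address, up to 16 hex bytes, ASCII column.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s|$)")

def rebuild_from_md_log(lines, fill=0xFF):
    """Turn captured md.b lines into bytes; return (image, gaps).

    gaps holds (expected_address, address_seen) for every place where the
    serial capture skipped data; those ranges are filled with `fill`.
    """
    image = bytearray()
    gaps = []
    expected = None
    for raw in lines:
        m = MD_LINE.match(raw.strip())
        if not m:
            continue  # prompt, command echo, boot messages
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if expected is None:
            expected = addr  # first dumped address becomes offset 0
        if addr < expected:
            raise ValueError(f"address went backwards at {addr:#010x}")
        if addr > expected:
            gaps.append((expected, addr))
            image.extend(bytes([fill]) * (addr - expected))
        image.extend(data)
        expected = addr + len(data)
    return bytes(image), gaps

# Constructed sample capture; the line for 0x82000010 is deliberately missing.
SAMPLE_LOG = """\
isvp_t20# md.b 0x82000000 0x30
82000000: 68 73 71 73 0a 00 00 00 00 00 00 00 00 00 02 00    hsqs............
82000020: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f    ................
isvp_t20#
"""

if __name__ == "__main__":
    image, gaps = rebuild_from_md_log(SAMPLE_LOG.splitlines())
    print(len(image), "bytes rebuilt")
    for want, got in gaps:
        print(f"missing {got - want} bytes at {want:#010x}: dump that range again")
```

Any reported gap means the rebuilt image must not be flashed; re-dump the missing range first.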
@benjjyman Hihi, I found the exact same blogpost earlier. I think I will just try to dump the memory via serial, this seems easiest after all, let's see where I will get...
Hey all, I managed to successfully get a shell today. Used the blogpost to dump the firmware, found something that looked like a squashfs in it (both of them actually), unpacked one, activated the telnet in the init script and then put it on the sd card and flashed it back with the same offsets as in the original post here. Now I can get in via telnet =D
I actually did not add 0 padding to the squashfs... and I just got much further than I expected, so if any of you has some inspiration what to test / experiment next please let me know.
I think the next things I wanna figure out are if I can get some self-compiled binary to run on it and see if I can find the original streamer software... again, pointers are welcome =D
Description
I'm currently working on a Victure PC330. I couldn't get a serial root shell but I was able to dump the flash by writing it to the SD-card.
Also I was able to create a modified rootfs.img with telnetd running & flash it back using the same method.
Extract the rootfs.bin using unsquashfs
Modify /etc/init.d/rcS [uncomment #telnetd]
Repack with
mksquashfs squashfs-root roothack.bin -b 131072 -comp xz -Xdict-size 100%
Add padding
dd if=/dev/zero of=zeros.img bs=323584 count=1 && cat roothack.bin zeros.img > rootfsmod.bin
Copy rootfsmod.bin to SD-Card, connect UART to camera & boot it up.
Flash modified image:
The bootloader is also looking for a file named update.img - sadly I have no idea how that update file needs to be structured.
I will do some more work soon & update this issue.
Hardware
SOC: T20L
RAM: 64MB?
Flash: 8Mb
Wifi Chip: Realtek 8188FTV
Data
DHCP Hostname: IPC365
uBoot
Linux
dmesg:
Some RAM seems to be reserved?! swap = zram
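Two points from this thread meet in one check: the padding step in the description, and the "unable to read id index table" error that was attributed to a truncated image. The following is an added example, not code from the issue author: it validates the squashfs superblock against the file length before zero-padding to a partition size. The partition size is a caller-supplied assumption (the page does not state it) and the sample image is constructed.

```python
import struct

SUPERBLOCK = struct.Struct("<5I6H8Q")  # squashfs 4.x superblock, 96 bytes
MAGIC = 0x73717368                     # b"hsqs" read as a little-endian u32

def check_squashfs(image):
    """Return bytes_used if the image holds a complete squashfs, else raise."""
    if len(image) < SUPERBLOCK.size:
        raise ValueError("too short for a squashfs superblock")
    f = SUPERBLOCK.unpack_from(image)
    magic, major, bytes_used, id_table_start = f[0], f[9], f[12], f[13]
    if magic != MAGIC or major != 4:
        raise ValueError("not a little-endian squashfs 4.x image")
    if id_table_start >= bytes_used:
        raise ValueError("id table lies outside the filesystem")
    if len(image) < bytes_used:
        raise ValueError(
            f"truncated: superblock says {bytes_used} bytes, file has {len(image)}")
    return bytes_used

def pad_to_partition(image, partition_size):
    """Zero-pad a verified image to partition_size (an assumed, device-specific value)."""
    check_squashfs(image)
    if len(image) > partition_size:
        raise ValueError("image is larger than the target partition")
    return image + b"\x00" * (partition_size - len(image))

def make_sample():
    """Constructed 4096-byte image: a plausible superblock followed by zeros."""
    none = 0xFFFFFFFFFFFFFFFF  # "table not present" marker
    sb = SUPERBLOCK.pack(MAGIC, 1, 0, 131072, 0,   # magic, inodes, time, block size, fragments
                         4, 17, 0, 1, 4, 0,        # xz, block_log, flags, ids, version 4.0
                         0, 4096, 4088, none, 96, 200, 300, none)
    return sb + b"\x00" * (4096 - len(sb))

if __name__ == "__main__":
    good = make_sample()
    print("padded length:", len(pad_to_partition(good, 8192)))  # 8192 is hypothetical
    try:
        check_squashfs(good[:3000])  # simulate a cut-off file
    except ValueError as err:
        print("rejected:", err)
```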