duhow / xiaoai-patch

Patching for XiaoAi Speakers, add custom binaries and open source software. Tested on LX06, LX01, LX05, L09A
GNU General Public License v3.0

Hack into my new LX06 #20

Closed danielk117 closed 2 years ago

danielk117 commented 2 years ago

Hi @duhow,

just received my LX06 and disassembled it. According to https://github.com/Jian-Xian/CVE-POC/blob/master/picture/CVE-2020-10263_1.jpg, the following three contacts are needed.

Tx, Rx, GND (from left to right)?

duhow commented 2 years ago

Contacts should be as in this pic: https://github.com/duhow/xiaoai-patch/blob/master/research/lx06/board.jpg

danielk117 commented 2 years ago

Ok, serial connection is working.

AXG:BL1:d1dbf2:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 23660

BL2 Built : 15:46:00, Sep 29 2019. axg g8667414 - sentao.gao@droid08-bj

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 5
CPU clk: 1200MHz
DDR low power enabled
DDR DQS-calibration enabled
DDR scramble enabled
DDR3 chl: Rank0 16bit @ 792MHz - PASS
Rank0: 128MB(auto)-2T-11
DataBus test pass!
AddrBus test pass!
NAND init
chk page: 00000500
chk page: 00000540
chk page: 00000580
chk page: 000005c0
bbt blk:00000014
bbt page:00000000
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):87b5e26
NOTICE:  BL31: Built : 11:33:44, Apr 10 2020
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x43
68 77 5 fa 69 a2 2b b5 a1 c0 8a 51 bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014497 Inits done]
secure task start!
high task start!
low task start!
ERROR:   Error initializing runtime service opteed_fast

U-Boot 2015.01 (Jun 28 2021 - 02:53:53), Build: jenkins-Mico_lx06_ota_publish-251

DRAM:  128 MiB
Relocation Offset is: 06f17000
register usb cfg[0][1] = 0000000007f89648
NAND:  nand id: 0xec 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: ec f1 0 95 42 c6
NAND device: Manufacturer ID: 0xec, Chip ID: 0xec (Samsung M Generation NAND 1Gib FS33ND01GS108TFI0)
oob avail size 6
Creating 1 MTD partitions on "M Generation NAND 1Gib FS33ND01GS108TFI0":
0x000000000000-0x000000200000 : "bootloader"
M Generation NAND 1Gib FS33ND01GS108TFI0 initialized ok
nand id: 0xec 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: ec f1 0 95 42 c6
NAND device: Manufacturer ID: 0xec, Chip ID: 0xec (Samsung M Generation NAND 1Gib FS33ND01GS108TFI0)
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=25, ec=6, phy_page_addr=0, timestamp=14
nenv free list:
blockN=24, ec=6, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 330000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
 NAND bbt detect factory Bad block at 4060000
aml_nand_add_partition:1794 factory bad addr=203
 NAND bbt detect factory Bad block at 7fe0000
Creating 6 MTD partitions on "M Generation NAND 1Gib FS33ND01GS108TFI0":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004420000 : "system0"
 NAND bbt detect factory Bad block at 4060000
0x000004420000-0x000006c20000 : "system1"
0x000006c20000-0x000008000000 : "data"
 NAND bbt detect factory Bad block at 7fe0000
M Generation NAND 1Gib FS33ND01GS108TFI0 initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 330000
In:    serial
Out:   serial
Err:   serial
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
release_free_node 61: bitmap=1fffff
release_free_node 74: bitmap=1ffff7
aml_nand_save_rsv_info:716,save info to 300000
aml_nand_write_rsv:520,write info to 300000
[burnup]Rd:Up sz 0x401800 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =70343f0
copy done
load dtb from 0x1000000 ......
      Amlogic multi-dtb tool
      Cannot find legal dtb!
ERROR: image is not a fdt - must RESET the board to recover.
load dtb from 0x75243f0 ......
      Amlogic multi-dtb tool
      Multi dtb detected
      Multi dtb tool version: v2 .
      Support 2 dtbs.
        aml_dt soc: xiaomi platform: lx06 variant: v02
        dtb 0 soc: xiaomi   plat: lx06   vari: v01
        dtb 1 soc: xiaomi   plat: lx06   vari: v02
      Find match dtb: 1
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
   Uncompressing Kernel Image ... OK
   kernel loaded at 0x01080000, end = 0x0185c808
   Loading Ramdisk to 06ea1000, end 07004502 ... OK
   Loading Device Tree to 0000000006e95000, end 0000000006ea0036 ... OK

Starting kernel ...

uboot time: 1598591 us
domain-0 init dvfs: 4
[    0.292812@2] ff803000.serial: clock gate not found
[    0.300089@2] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[    0.345172@2] nand: Could not find valid JEDEC parameter page; aborting
[    0.350910@2] nand: Could not find valid JEDEC parameter page; aborting
[    1.194935@2] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20054
LX06
curr_boot is boot0
Booting from boot0
/dev/mtdblock4 is ready now.
[    2.762352@3] meson-pinctrl pinctrl@ff634480: function 'gpioa_20' not supported
[    2.764018@3] meson-pinctrl pinctrl@ff634480: invalid function gpioa_20 in map table
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
micocfg[1121]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1121]: cfg get: success: /data/etc/device.info k:board_id v:5
micocfg[1126]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1126]: cfg get: success: /usr/share/mico/system.cfg k:buildts v:1624847511
micocfg[1128]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1128]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1129]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1129]: bt_enable_set  argv[1] 1
micocfg[1129]: cfg update success: /data/bt/bluetooth.cfg k:enable v:1
micocfg[1129]: cfg set string free tmp
micocfg[1130]: cfg get: success: /usr/share/mico/system.cfg k:model v:LX06
micocfg[1130]: No 'super_admin' setting in configuration file '/data/etc/messaging.cfg'
micocfg[1130]: funtion uid result empty
ledserver[1177]: Build Time: Jun 28 2021 03:01:59
ledserver[1177]: starting
ledserver[1177]: pipe try (fw_env -g board_id)
ledserver[1177]: info pipe (fw_env -g board_id) exited, exit code: 0 buf:5.
ledserver[1177]: pipe (fw_env -g board_id) exited, exit code: 0 buf:5.
ledserver[1177]: current model lx06.

ledserver[1177]: LEDSBAK EXISITS

ledserver[1177]: cfg get: success: /data/etc/nightmode.cfg k:total v:night
ledserver[1177]: cfg get: success: /data/etc/nightmode.cfg k:light v:night
ledserver[1177]: cfg get: success: /data/etc/nightmode.cfg k:volume v:night
ledserver[1177]: cfg get: success: /data/etc/nightmode.cfg k:start v:22:00
ledserver[1177]: cfg get: success: /data/etc/nightmode.cfg k:stop v:06:00
crond[1202]: crond (busybox 1.27.2) started, log level 5

[   11.126762@2] pdm_dclk is : 0
[   11.629547@2] wlan: Loading MWLAN driver
[   11.630156@0] vendor=0x02DF device=0x9149 class=0 function=1
[   11.633659@0] Attach moal handle ops, card interface type: 0x105
[   11.639460@0] No module param cfg file specified
[   11.644179@0] SDIO: max_segs=1024 max_seg_size=131072
[   11.649035@0] rx_work=1 cpu_num=4
[   11.653761@1] Request firmware: nxp/sduart8987_combo.bin
[   12.620249@0] invalid toddr src
[   13.285721@1] WLAN FW is active
[   13.285766@1] on_time is 13284249379
[   13.286787@1] Download txpwrlimit_cfg=nxp/txpwrlimit_cfg_8987.bin
[   13.452469@1] wlan: version = SD8987----16.92.10.p170-MXM4X16258-GPL-(FP92)
[   13.454752@2] wlan: Driver loaded successfully
[   13.752292@0] wlan: Starting AP
[   13.753717@0] fw doesn't support 11ax
[   13.764983@0] wlan: AP started
[   13.767998@0] Set AC=3, txop=47 cwmin=3, cwmax=7 aifs=1
[   13.770465@3] Set AC=2, txop=94 cwmin=7, cwmax=15 aifs=1
[   13.775309@1] Set AC=0, txop=0 cwmin=15, cwmax=63 aifs=3
[   13.780862@0] Set AC=1, txop=0 cwmin=15, cwmax=1023 aifs=7
[   13.932336@0] HCI UART driver ver 2.2-M2614100[   13.932420@3] HCI H4 protocol initialized
[   16.409959@3] ps_init_work...
[   16.409988@3] ps_init_timer...
[   16.411017@0] ps_init...
[   20.478884@0] ps_init_work...
[   20.478915@0] ps_init_timer...
[   20.479800@3] ps_init...
[   22.269431@3] ps_init...
LX06 login: root
magic[release]: 23948/*********EFC06027
password:

How to get the root password? The mi_passwd.html seems not to work...

duhow commented 2 years ago

Looks like this speaker has a new firmware version, IIRC this magic string appear starting in 1.74.1 version. Try to run U-boot by pressing any key in serial port, gather as much information as possible (maybe dump NAND via rx?). You can also try to change env data to have Linux kernel boot directly /bin/sh or something like that. Try to downgrade to this firmware update: https://bigota.miwifi.com/xiaoqiang/rom/lx06/mico_firmware_8b63c_1.58.13.bin (and block internet whenever possible to avoid OTA)

duhow commented 2 years ago

Check more information in Hassbian forums: https://bbs.hassbian.com/thread-8754-12-1.html

danielk117 commented 2 years ago

and block internet whenever possible to avoid OTA

Yes. I didn't setup the speaker, so it isn't able to connect to the internet for now.

I will try to get into uboot tomorrow. A dump of the NAND is a good idea.

Any idea how to downgrade the speaker? I only found the following method: http://javabin.cn/2021/xiaoai_fm.html

EDIT:

Hit Enter or space or Ctrl+C key to stop autoboot -- :  0

bootdelay is 0, can't stop autoboot. None of the keys was working...

danielk117 commented 2 years ago

I'm still not able to get into uboot... at least not the "normal" way 😉

I looked into my previous posted log and googled some of the commands.

"amlogic" and "InUsbBurn" seem interesting to me.

So I connected a cable to the microUSB port on that board, installed the driver and played around with the update utility. Running update.exe identify while starting the device:

> update.exe identify
AmlUsbIdentifyHost
This firmware version is 0-7-0-16-0-0-0-0

So I tried...

> update.exe bulkcmd "printenv"
AmlUsbBulkCmd[printenv]

While the serial connection shows me the output!!!

BULKcmd[printenv]
baudrate=115200
board_id=5
boot_failcnt=1
boot_failed=if itest ${boot_failcnt} == 1; then setenv boot_failcnt 2; setenv boot_part boot1; else if itest ${boot_failcnt} == 2; then setenv boot_failcnt 1; setenv boot_part boot0; else run set_boot_flag;fi;fi;
boot_part=boot0
bootargs=rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000 jtag=apao reboot_mode=cold_boot uboot=U-Boot 2015.01 (Jun 28 2021 - 02:53:53)
bootcmd=run storeboot
bootdelay=0
dtb_mem_addr=0x1000000
factory_detect=echo no need detect now.
fdt_high=0x20000000
firstboot=1
identifyWaitTime=1000
initargs=rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000
jtag=apao
loadaddr=1080000
preboot=run storeargs;if test ${reboot_mode} = cold_boot; then run try_auto_burn; fi;
product_model=lx06
reboot_mode=cold_boot
rpmb_state=0
set_boot_flag=if test ${boot_part} = boot0; then setenv boot_failcnt 1; else setenv boot_failcnt 2; fi;
silent_boot=0
stderr=serial
stdin=serial
stdout=serial
storeargs=setenv bootargs ${initargs} jtag=${jtag}; setenv bootargs ${bootargs} reboot_mode=${reboot_mode} uboot=${version};
storeboot=if test ${reboot_mode} = cold_boot; then run set_boot_flag; else run boot_failed; fi; saveenv; if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi; reset;
try_auto_burn=update 500 1000;
ubootenv_version=1
upgrade_step=2
version=U-Boot 2015.01 (Jun 28 2021 - 02:53:53)

Environment size: 1536/65532 bytes
[MSG]ret = 0
[info]success

Because some of these things are new to me, I play very cautiously. But I think I could dump AND flash everything with the update tool (or at least restore access to uboot)... or what do you think? 😆
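
The storeboot, set_boot_flag and boot_failed variables in the dump above implement a two-slot (boot0/boot1) failover. The following is an added illustration, not code from xiaoai-patch or from the speaker's U-Boot: a Python model of exactly those three scripts, run across several resets. It assumes that after a failed bootm the trailing `reset` brings U-Boot back with a reboot_mode other than cold_boot (the dump does not show which value that is).

```python
# Added illustration: a Python model of the A/B boot selection scripts from
# the printenv dump (storeboot, set_boot_flag, boot_failed). Not code from
# xiaoai-patch or the speaker's U-Boot. Assumption: after a failed bootm the
# 'reset' command returns with a reboot_mode other than cold_boot (the dump
# does not show which value that is).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Env:
    """The U-Boot variables the boot scripts read and write."""
    boot_part: str = "boot0"
    boot_failcnt: int = 1
    reboot_mode: str = "cold_boot"
    saved: list = field(default_factory=list)   # snapshots taken by saveenv


def set_boot_flag(env: Env) -> None:
    # set_boot_flag=if test ${boot_part} = boot0; then setenv boot_failcnt 1;
    #               else setenv boot_failcnt 2; fi;
    env.boot_failcnt = 1 if env.boot_part == "boot0" else 2


def boot_failed(env: Env) -> None:
    # boot_failed=if itest ${boot_failcnt} == 1; then setenv boot_failcnt 2;
    #             setenv boot_part boot1; else if itest ${boot_failcnt} == 2;
    #             then setenv boot_failcnt 1; setenv boot_part boot0;
    #             else run set_boot_flag; fi; fi;
    if env.boot_failcnt == 1:
        env.boot_failcnt, env.boot_part = 2, "boot1"
    elif env.boot_failcnt == 2:
        env.boot_failcnt, env.boot_part = 1, "boot0"
    else:
        set_boot_flag(env)


def storeboot(env: Env, kernel_boots) -> Optional[str]:
    # storeboot=if test ${reboot_mode} = cold_boot; then run set_boot_flag;
    #           else run boot_failed; fi; saveenv;
    #           if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;
    #           reset;
    if env.reboot_mode == "cold_boot":
        set_boot_flag(env)
    else:
        boot_failed(env)
    env.saved.append((env.boot_part, env.boot_failcnt))   # saveenv
    if kernel_boots(env.boot_part):                        # imgread + bootm
        return env.boot_part                               # kernel took over
    return None                                            # bootm failed -> reset


def boot_until_success(env: Env, valid_parts, max_attempts: int = 4) -> list:
    """Re-run storeboot across resets, as the speaker would, until a kernel
    boots or max_attempts is used up. Returns the partitions tried in order;
    the last entry is the one that booted unless every attempt failed."""
    tried = []
    for _ in range(max_attempts):
        booted = storeboot(env, lambda part: part in valid_parts)
        tried.append(env.boot_part)
        if booted is not None:
            return tried
        env.reboot_mode = "reset"   # assumption: not cold_boot after 'reset'
    return tried


if __name__ == "__main__":
    # Fresh speaker: boot1 empty (as in the thread), boot0 valid -> boots boot0.
    print(boot_until_success(Env(), {"boot0"}))
    # boot_part switched to boot1 by hand but the boot1 image is invalid
    # -> falls back to boot0 on the next reset.
    print(boot_until_success(Env(boot_part="boot1"), {"boot0"}))
    # Both slots unbootable -> alternates boot0/boot1 and never settles.
    print(boot_until_success(Env(), set()))
```

The third case shows why a known-good image in the other slot (or a backup of every partition) matters before flashing: there is no third fallback.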

duhow commented 2 years ago

Interesting... You may try increasing the bootdelay? Should be something like:

printenv bootdelay
setenv bootdelay 3
saveenv

danielk117 commented 2 years ago

BULKcmd[printenv bootdelay]
bootdelay=0
[MSG]ret = 0
[info]success
BULKcmd[setenv bootdelay 3]
[MSG]ret = 0
[info]success
BULKcmd[saveenv]
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 330000
aml_nand_write_rsv:520,write info to 330000
[MSG]ret = 0
[info]success

Restarted the device and again no real countdown. Can't interrupt uboot...

Hit Enter or space or Ctrl+C key to stop autoboot -- :  0

But I realized there is a really, really small delay after this line. So I tried again and was able to stop it! I set bootdelay to 30 now. Now I had enough time to stop autoboot. It is counting really fast, so in my case 30 are not 30 seconds, it's only around 3 seconds... I think that's the reason why I can't access uboot with bootdelay=0.

So, trying to understand the google-translated version of http://javabin.cn/2021/xiaoai_fm.html 😆

What do you think, should I flash an old untouched image (like the 1.58.13 you posted) or a touched image (https://bbs.hassbian.com/forum.php?mod=redirect&goto=findpost&ptid=8754&pid=368909 1.70.4)? The old one for getting root should be fine, because I want to build my own patched firmware using your scripts, right? 😉

duhow commented 2 years ago

I'm running my software in the old firmware, then I just keep patching it. Ensure to backup all content (dump MTD) before writing! Also you may want to flash system1 (second partition), extract kernel from update file or just clone the same boot0 to boot1. Then just change uboot env "boot_part".

danielk117 commented 2 years ago

So, I created dumps from all partitions. Can I flash the .bin directly or do I need a .img?

Edit: My boot1 and system1 were empty (I think because my speaker is new and I didn't set it up). So I read the content from boot0 and wrote it to boot1, and flashed the bin (and later the img) to system1. All dumping/flashing was done with the amlogic update tool.

Booting with the bin didn't work, but the img was successful. I will try to make a squashfs of the bin using binwalk later. I don't know what they have done with this image (https://bbs.hassbian.com/forum.php?mod=redirect&goto=findpost&ptid=8754&pid=368909 1.70.4), but it does not allow me to login as root. When pressing enter and typing root...

LX06 login: root
Login incorrect

I'm not asked for any password. I think they just block OTA and activated SSH. So I might set up wifi and see if SSH is running... Or the problem is the boot1 partition. Do you have a dump of an „older“ boot partition?

duhow commented 2 years ago

bin file is the zip of the updates, cannot be flashed directly. Use https://github.com/NyaMisty/mkxqimage_rev to extract content root.squashfs and boot.img.

mkxq -r -x mico_firmware_8b63c_1.58.13.bin

You should be able to flash those files. Check /bin/boardupgrade.sh file to get more details.

If boot is wrong or invalid, the speaker should attempt to boot the previous partition.

Password may be stored permanently in /dev/mtd6 mounted as /data/console/shadow. You can format that partition with ubimkvol or update the file directly, check /etc/init.d/boot script.

danielk117 commented 2 years ago

Used binwalk before you answered and flashed it. I was able to boot. But...

mico login: root
Password:
Login incorrect

Created a password using the mi_speaker_pwd.html file, but v1 or v2 aren't working...

Is /dev/mtd6 the data partition? ubimkvol isn't available in uboot. But I can erase using nand erase.

Erasing the data partition is no problem?

EDIT:

I tried mkxq and created a root.squashfs and boot.img successfully. I flashed it but wasn't able to boot... So I restored my boot0 backup to boot1. Boot is working and I'm able to login as root... I'M IN!!!! Firmware 1.58.13 and the generated password v1 was working...

mico login: root
Password:

BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
root@mico:~# ls -lah /
drwxr-xr-x   16 root     root         224 Nov 13 14:27 .
drwxr-xr-x   16 root     root         224 Nov 13 14:27 ..
drwxr-xr-x    2 root     root        1.4K Nov 13 14:27 bin
drwxr-xr-x   23 root     root        1.8K Nov 13 14:49 data
drwxr-xr-x    7 root     root        2.8K Nov 13 14:49 dev
drwxrwxr-x   25 root     root        1.1K Nov 13 14:27 etc
-rwxrwxr-x    1 root     root        3.0K Nov 13 14:27 init
drwxrwxr-x   10 root     root        1.0K Nov 13 14:27 lib
drwxr-xr-x    2 root     root           3 Nov 13 14:27 mnt
drwxr-xr-x    2 root     root           3 Nov 13 14:27 overlay
dr-xr-xr-x  126 root     root           0 Jan  1  1970 proc
drwxrwxr-x    2 root     root          27 Nov 13 14:27 rom
drwxr-xr-x    2 root     root           3 Nov 13 14:27 root
drwxr-xr-x    2 root     root         640 Nov 13 14:27 sbin
dr-xr-xr-x   15 root     root           0 Jan  1  2015 sys
drwxrwxrwt   23 root     root         800 Nov 13 14:50 tmp
drwxr-xr-x    7 root     root         101 Nov 13 14:27 usr
lrwxrwxrwx    1 root     root           4 Nov 13 14:27 var -> /tmp

duhow commented 2 years ago

Yay! Congrats! By the way, if you can share the latest squash firmware it will be appreciated, I can try to analyze some content there to see how it works.

danielk117 commented 2 years ago

Yes, i will share the latest firmware.

When starting the device with the latest firmware it is creating an access point. The older firmware should do this as well, right? It doesn't...

I tried to configure it using uci, running /etc/init.d/wireless start, wpa_supplicant or hostapd -d /etc/wifi/hostapd.conf, without success.

root@mico:~# ifconfig wlan0 up
ifconfig: SIOCGIFFLAGS: No such device

Your photo shows a wifi chip from "Marvell". Mine is from "NXP", because they bought them. Both chips have a similar model number, but my config files on data contain this, for example.

root@mico:~# cat /data/etc/device.info
...
board_id = "5";
board_name = "lx06_nxp8987";
wifi_chip = "nxp8987";

So I think the 1.58.13 might be too old for running on the latest speaker... So I built a 1.66.8 and flashed it. I was able to get root without entering any password...

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.66.8
------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@LX06:~#

Same for 1.70.4: Login as root with no password, but no wlan0 and AP... So I repeated the process for 1.74.1 and got the magic password back...

Next try: following these instructions to patch the latest firmware. Own password for root and enabled SSH. And it's working! wlan0 with AP and working SSH.

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.74.1
------------------------------------------------
root@LX06:/# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:359 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:23543 (22.9 KiB)  TX bytes:23543 (22.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 5C:02:14:1A:2A:EB
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::5e02:14ff:fe1a:2aeb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:13 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

danielk117 commented 2 years ago

By the way, if you can share the latest squash firmware it will be appreciated, I can try to analyze some content there to see how it works.

Here is my mtd4. It seems to be a "1.74.10".

I've built the docker image (had some errors with the latest wget2, so I set the version to 1.99.2) and patched the 1.74.10. It's running on my speaker now. What I have noticed until now:

duhow commented 2 years ago

For SSL, check it isn't 2021 (date). ntpd -q -p pool.ntp.org. Still need to fix this for LX06. Regarding bluetooth, you should connect to bluetoothctl and ensure it is visible and discoverable. Didn't mess with it too much, but I remember having some headaches when trying to play audio... -.-

I'll try to check this firmware to see what changes. As you shared this is 1.74.10 28 Jun 2021 10:31:51 +0800. The Git tag in there does not change for any firmware, so I'm skipping it. uci -c /usr/share/mico show

mico_firmware_9c712_1.74.10.bin - fe6edc680d58620019c9afe4fd79c712

duhow commented 2 years ago

As you now already have access to the speaker, I'll close this issue. If you face any other errors or want to improve some building stuff, feel free to open new issues or contribute back! :D

danielk117 commented 2 years ago

For SSL, check it isn't 2021 (date). ntpd -q -p pool.ntp.org. Still need to fix this for LX06.

Good idea, but it didn't solve it. As said before, I've changed the build for wget2 from latest to 1.99.2 (because of a build error). Might be a reason for the error. Should I open a new issue for this?

root@LX06-9341:/tmp# date
Sun Jan 16 22:17:41 +01 2022
root@LX06-9341:/tmp# wget https://www.dreamweaver.at/music-free/dreamweaver_-_Inspiring-Guitar-Song_01.mp3
Unknown configuration key 22 (maybe this config value should be of another type?)
Unknown configuration key 21 (maybe this config value should be of another type?)
Could not complete TLS handshake: certificate verify failed
Failed to connect: Certificate error
Failed to open tmpfile '/root/.local/share/wget/.wget-ocsp_hostsAMiolM' (2)
Failed to write to OCSP hosts to '/root/.local/share/wget/.wget-ocsp_hosts'
Failed to open tmpfile '/root/.local/share/wget/.wget-ocspGOxKvo' (2)
Failed to write to OCSP fingerprints to '/root/.local/share/wget/.wget-ocsp'

duhow commented 2 years ago

Yep, please open a new issue. Also curl should work?

danielk117 commented 2 years ago

curl is working. I will create a new issue.

BTW, thanks for your help 😃 I will write a short instruction on how to hack the lx06 with the amlogic update tool. I think there is no need to solder TX/RX/GND.

danielk117 commented 2 years ago

Any idea where to place my instruction? I could contribute it in a markdown file to your research directory...

duhow commented 2 years ago

Sure, do a PR in a file research/lx06/install.md or similar. Thanks!

Hcy1142 commented 12 months ago

I can't find the http://openlinux.amlogic.com:8000/download/A113/Tool/flash-tool-v4.7/flash-tool/tools/windows/update.exe tool, can you share this with me?

duhow commented 12 months ago

https://github.com/osmc/aml-flash-tool

jingyibo123 commented 9 months ago

I think some recent patch on LX06 also blocked access with the Amlogic tool via USB.

Does anyone have any idea on how to bypass that?

duhow commented 9 months ago

@jingyibo123 please open a new issue 🙏🏻