Random car thing findings

[lmore377]

I'll just be logging random stuff I figure out here lol

Older firmware versions seem to use a very stripped down chromium thing for it's UI but newer versions (not sure when they made the switch) use a much more fully featured copy of chromium that has a new tab page and everything. Easiest way to access it is to edit /etc/supervisord.conf and remove the kiosk and webapp flags from the chrome command.

If you dump the fw from a brand new car thing you can essentially treat that dump like a factory image. A bit more info and a script to flash it are here: https://github.com/frederic/superbird-bulkcmd/issues/12

[lmore377]

Extra little tidbit, I tried to use the swu file linked in the readme but just got an error. I just pushed it over adb

Edit: it likely failed because avb was disabled

/tmp # swupdate-client 5.2.6.swu
swupdate_async_start returns 1
Now getting status
Status: 1 message: Software Update started !
Status: 2 message:
Status: 2 message: Installation in progress
Status: 2 message: [readfront] : Entering readfront handler
Status: 4 message: ERROR : HASH mismatch : aa146ea1454021a6224b7436fd78361aa37cd1c2658b64cf004513af12f26854 <--> 3bd60fa4876f1124e11be472c876336174ebb34c53e9b156da8c9ee888343b8d
Status: 4 message: ERROR : readfront verification failed, status=-14
Status: 4 message: ERROR : execute preinstall scripts failed
Status: 4 message: Installation failed !
Status: 0 message: Waiting for requests...
Swupdate *failed* !

[lmore377]

It seems like spotify actually tries pretty hard to update car thing. Reset it and almost immediately after pairing it to my phone it started downloading the update (figured this out by watching /var/log/superbird.info while connecting) but it fails when avb is disabled. OTAs are stored in /var/cache/ota while downloading and I managed to get the file for the latest version (8.1.6 as of Oct 29). It takes about 6 minutes total for the OTA to download. I'll double check tomorrow but I think the download process can be interrupted and it'll resume where it left off next time bluetooth connects.

[lmore377]

Managed to get an OTA flashed manually. You just need to use the upload-kernel.sh script to boot with adb without disabling avb, push the update over adb then run swupdate-client. Log: log.txt

[sgreenlay]

Can you share the changes you made to the upload-kernel.sh script to boot with adb without disabling avb?

[lmore377]

I didn't make any changes. Disabling AVB is only necessary if you want to permanently enable ADB like with the uart script. Since upload-kernel.sh uploads a modified kernel and boots it from ram it pretty much completely bypasses the AVB verification step. I was planning on modifying the kernel/initramfs of the latest version of the firmware because the one in the other repository is from the factory firmware and doesn't work well with car things that have been updated

[sgreenlay]

Do you have to do anything to get the update to persist across reboots? I booted using upload-kernel.sh, copied over superbird-os_8.1.6-release_c47e1676f88ebf61796f940713d0423f.swu using adb, ran swupdate-client and got the same output that you shared. After rebooting I'm back to the factory OS Version + Model Number.

[lmore377]

Nope it updated perfectly fine for me. Try doing this to manually switch the active boot slot. I'm thinking it didn't automatically switch for whatever reason https://github.com/err4o4/spotify-car-thing-reverse-engineering/issues/5

[sgreenlay]

Got it. Had to change my env.txt from androidboot.slot_suffix=_a to androidboot.slot_suffix=_b.

[lmore377]

We should figure out if there's a way to pull the active boot slot from u-boot instead of having it hardcoded like that. It'll be one less thing to worry about when messing with this stuff

[lmore377]

Managed to find a fw_printenv/fw_setenv that runs on the device and also figured out the config needed for it. Just push all these files to /tmp over adb (remove the .txt extensions. little workaround to upload any file to github issues) and run the utilities with -c env.config fw_setenv.txt fw_printenv.txt env.config.txt

This should make it way easier to edit uboot variables. The two binaries were extracted from an older u-boot-tools debian package. I'll link it later when I'm back at my computer

[null-dev]

Managed to find a fw_printenv/fw_setenv that runs on the device and also figured out the config needed for it. Just push all these files to /tmp over adb (remove the .txt extensions. little workaround to upload any file to github issues) and run the utilities with -c env.config fw_setenv.txt fw_printenv.txt env.config.txt

This should make it way easier to edit uboot variables. The two binaries were extracted from an older u-boot-tools debian package. I'll link it later when I'm back at my computer

Can't you just use the uenv command?

[lmore377]

.....I didn't know that was a command lmao

[lmore377]

I came up with a better command for step 6 in the superbird-bulkcmd repo

./bin/update bulkcmd 'amlmmc env'
./bin/update bulkcmd 'setenv storeargs ${storeargs} if gpio input GPIOA_3\;'
./bin/update bulkcmd 'setenv storeargs ${storeargs} then run update\; fi\;'
./bin/update bulkcmd 'env save'

This will only put the car thing into usb burning mode when you hold down preset button 4 while plugging in usb. For some reason when trying to set this with only one setenv command the update utility just randomly drops a letter from the command, making it fail and causing the thing to not boot at all:

superbird-bulkcmd# ./bin/update bulkcmd 'setenv storeargs ${storeargs} if gpio input GPIOA_3\; then run update\; fi\;'
AmlUsbBulkCmd[setenv storeargs ${storeargs} if gpio input GPIOA_3\; then run updte\; fi\;]
[AmlUsbRom]Inf:bulkInReply success

[lmore377]

If you pull /usr/share/qt-superbird-app/webapp/, run adb forward tcp:8890 tcp:8890 and open index.html in chrome or firefox you can interact with the car thing ui on your computer and it'll actually send commands to your phone. Keys are: 1,2,3,4: Presets M: Settings/Power Menu Esc: Back Left/Right: Scroll Wheel Left/Right

I feel like qt-superbird-app could possibly run on a raspberry pi and/or other arm devices. It doesn't seem to have any special dependencies and bluetooth seems to just be standard bluez. No practical reason for this it's just for fun tbh

[lmore377]

So I managed to get it running a bit. I can connect the gui to it and it can pair to my phone but immediately after getting song info it just crashes with no obvious reason

Edit: Giving up on this for now. I don't want to waste that much time on it

[lmore377]

Managed to get it working as a second display for windows in probably the worst and least performant way possible lmao. Essentially I setup a socks5 proxy, forwarded it over ADB then ran the spacedesk html5 viewer in chrome. Tried going directly to YouTube but that just straight up said unsupported

[aarondj122]

Great work! did you remove the cover for the wheel button?

[lmore377]

Yeah it's because chrome complains when you run it with --no-sandbox (which is required bc root) and I couldn't reach the little x to close the warning without taking it off. It comes off really easy just pull it off the edge that sticks out a bit then carefully pull forward

[nervous-inhuman]

/usr/share/qt-superbird-app/webapp/

@lmore377 Just got my Car Thing today, and I'm exploring the device, so excuse me if I missed something obvious.

Seems like webapp is not in that path for me

/usr/share/qt-superbird-app # ls -al
total 4104
drwxr-xr-x    2 root     root          4096 May  4  2020 .
drwxr-xr-x   28 root     root          4096 May  4  2020 ..
-rw-r--r--    1 root     root        408956 May  4  2020 libyobe.so
-rw-r--r--    1 root     root        611959 May  4  2020 musiccmds_voice_hub_vad_en-US_v3.0_permanent.snsr
-rw-r--r--    1 root     root       1196880 May  4  2020 sensory-thf-enUS-heyspotify_delivery19lbu_db0a81403.snsr
-rw-r--r--    1 root     root        559728 May  4  2020 sensory-thf-enUS-heyspotify_delivery21ftu_hpf500_a29a58b6e_am.snsr
-rw-r--r--    1 root     root        560683 May  4  2020 sensory-thf-enUS-heyspotify_delivery22ftu_hpf750_6273e4262_am.snsr
-rw-r--r--    1 root     root        354248 May  4  2020 voice_hub_3p_voice_assistants_v2.0.snsr
-rw-r--r--    1 root     root        488368 May  4  2020 vui_4micLinear_CarThing_AmbiNL_v6_0.awb

[lmore377]

You need to update your firmware. Earlier versions don't have the web app as a separate folder

Edit: give me a bit I'm just going to upload a dump with the updated firmware

[nervous-inhuman]

You need to update your firmware. Earlier versions don't have the web app as a separate folder

Edit: give me a bit I'm just going to upload a dump with the updated firmware

I do have it, it seems to have downloaded it on it's own. But it seems to have a problem with flashing it.

For the record, this is with the "adb kernel" booted, haven't done anything to the partitions yet.

/var/cache/ota # swupdate-client superbird-os_8.1.6-release_c47e1676f88ebf6
1796f940713d0423f.swu
swupdate_async_start returns 1
Now getting status
Status: 1 message: Software Update started !
Status: 2 message:
Status: 2 message: Installation in progress
Status: 4 message: ERROR : execute preinstall scripts failed
Status: 4 message: Installation failed !
Status: 0 message: Waiting for requests...
Swupdate *failed* !

[lmore377]

swupdate is really picky about whether or not it'll allow an update so it could be a number of different things keeping you from updating. I'm just double checking the dump and I'm about to upload it. It'll be ready in ~15mins

[lmore377]

@nervous-inhuman Sorry that took so long my internet was slower than usual. I put it here https://github.com/err4o4/spotify-car-thing-reverse-engineering/issues/22

[mogorman]

the chromium out of the box doesnt seem to be able to handle ssl correctly. I was able to work around it for my needs by adding --ignore-urlfetcher-cert-requests --ignore-certificate-errors flags to the chromium command. I couldn't get it to play html5 video or audio.