Closed MathisLec closed 1 year ago
When you boot the device with the reset button pressed we activate a specific boot function that reads the ppsMmcTool.txt file from the SD card. We make that file with instructions for what the bootloader should do — in our case we request a firmware upgrade but we don’t actually do it, we just use the commands executed by the device (in the file we provide) to update boot settings on the device.
Our custom boot settings are picked up by one of the device’s boot scripts causing it to execute our initrun.sh file which starts custom.sh and our processes.
Which boot settings and what scripts are available vary by device; once we get a script to execute from the SD card it’s mostly the same for every device.
Figuring out the boot settings (or anything we can use to execute our script from the SD card) is usually the hardest part. For most devices it takes getting a firmware dump and reviewing it to see how it interacts with any files in the SD card OR how it may process some boot settings. Most devices have some sort of ‘development’ setting used by the manufacturer for testing changes before making a final firmware - if they leave some of that behind in the final firmware it’s usually something we can try to exploit.
I usually try to post information on steps I take to root the devices, but it sometimes can take a lot of hours looking at code in Ghidra to find anything we can use. Rooting a device with a hardware programmer is usually simple but requires having the tools, opening the device and many times requires removing the flash chip from the board and soldering it back. Coming up with a process to root the device without opening it is usually much more involved.
Thank you for these clarifications. Can I dump the firmware in a different way once I have rooted the camera?
I am not sure I have ever tried, but I would expect this to work in telnet (the command is a single line):
cat /dev/mtdblock0 /dev/mtdblock1 /dev/mtdblock2 /dev/mtdblock3 /dev/mtdblock4 /dev/mtdblock5 /dev/mtdblock6 > /mnt/mmc01/flash.bin
It will take a minute or two and display the prompt again, but you should have a flash.bin file in the root of the SD card.
Worked for me:
$ binwalk flash.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
113992 0x1BD48 CRC32 polynomial table, little endian
458752 0x70000 uImage header, header size: 64 bytes, header CRC: 0xF37D6C05, created: 2021-01-22 06:15:30, image size: 2798888 bytes, Data Address: 0x81C08000, Entry Point: 0x81C08040, data CRC: 0xD9857B6F, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
458816 0x70040 Linux kernel ARM boot executable zImage (little-endian)
472671 0x7365F xz compressed data
472892 0x7373C xz compressed data
3604480 0x370000 CramFS filesystem, little endian, size: 2473984, version 2, sorted_dirs, CRC 0x30691753, edition 1, 605 blocks, 3 files
thanks a lot!
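A consistency check for a dump made this way, added here as an example (it is not code from anyone in this thread): it parses the legacy uImage header that binwalk reports at 0x70000 and recomputes the header and data CRC32 values, so a truncated or misordered `cat` of the mtdblock devices shows up before any analysis starts. The function names and the constructed test image are assumptions of this example.

```python
"""Added example: validate a legacy uImage header inside a raw flash dump."""
import struct
import sys
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian u32, 4 u8, 32-byte name = 64 bytes.
HEADER = struct.Struct(">7I4B32s")


def build_uimage(payload, name=b"constructed-kernel"):
    """Build a constructed uImage (test input only, not real firmware)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x81C08000, 0x81C08040,
              zlib.crc32(payload), 5, 2, 2, 0, name]  # Linux, ARM, kernel, uncompressed
    # The header CRC is computed over the header with its own CRC field zeroed.
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload


def check_uimage(dump, offset):
    """Return a dict describing the uImage at `offset` and whether its CRCs match."""
    raw = dump[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        return {"ok": False, "reason": "header truncated"}
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        return {"ok": False, "reason": "no uImage magic at offset"}
    # Recompute the header CRC with bytes 4..7 (the stored CRC) set to zero.
    header_ok = zlib.crc32(raw[:4] + b"\x00" * 4 + raw[8:]) == hcrc
    start = offset + HEADER.size
    data = dump[start:start + size]
    if len(data) < size:
        return {"ok": False, "reason": "image data truncated", "header_ok": header_ok}
    data_ok = zlib.crc32(data) == dcrc
    return {
        "ok": header_ok and data_ok,
        "reason": "ok" if header_ok and data_ok else "CRC mismatch",
        "header_ok": header_ok,
        "data_ok": data_ok,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "size": size,
        "load": load,
        "entry": entry,
    }


if __name__ == "__main__":
    # Usage: python check_uimage.py flash.bin [offset]; 0x70000 is the offset
    # binwalk printed for this dump.
    path = sys.argv[1] if len(sys.argv) > 1 else "flash.bin"
    off = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0x70000
    with open(path, "rb") as fh:
        print(check_uimage(fh.read(), off))
```

A CRC mismatch on a dump that binwalk otherwise parses usually means the partitions were concatenated in the wrong order or the copy was cut short, and the dump should be taken again.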
Hi, I succeeded in rooting the camera, big thanks for that. But there is something that I don't understand and I wanted an answer in order to make my school project's presentation interesting. I understood that the custom initrun.sh on the sdcard is certainly loaded in the camera memory (or the device boots from the sdcard?), then runs custom.sh, then launches the telnet server, httpd server ... But I am not able to understand what is specifically done when we boot the camera while pressing the reset button: is it turned into another mode that boots from the sdcard or something? Is it mentioned in the flash dump? Sorry if my English sucks :/
Thanks in advance.