Getting root on a TV dongle

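I got hold of an AllShare Cast device (Samsung's Chromecast-like device), like this one:

[Image]

Not knowing what to do with it, I thought: "Wait, there must be Linux in there... and if there is Linux, there is a SoC... and if there is a SoC, there is a UART interface through which you can get a shell and root on that Linux!"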


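First, we need:

  • The device itself, obviously.
  • A screwdriver
  • A USB-to-UART adapter (3.3 V; never RS-232, that will only fry the device!)
  • Test leads to hold against the contacts on the board.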

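Let's start taking the device apart. First remove the rubber "sole" from the bottom of the case; under it are three screws (marked in red):

[Image: screws]

With the screws out, pry off the top cover (it is held on by latches) with a flat-head screwdriver.

Under the cover you will see:

[Image: dongle board]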

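Now you can carefully pull the board out and connect the adapter to it. The wiring is shown in the figure below; the signal names are given relative to the pins on the adapter.

[Image: UART wiring on the board]

Note: the adapter and the dongle must be connected to the same computer; otherwise, connect the shell of any connector on the device board to the adapter's GND pin.

UPD: the port speed is 115200 baud.

Open a terminal on the computer and, while holding down Enter in the terminal window, connect power to the dongle. If nothing went wrong, the bootloader should happily greet us: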

Troubleshooting:

  1. UART
  2. TX RX


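U-Boot 2011.06-svn10711 (Jun 12 2012 - 21:21:34)

I2C:   ready
DRAM:  256 MiB
SF: Unsupported manufacturer c8
SPI speed is [R:23MHz / W:47MHz] flash size: 64KB
NAND:  256 MiB
MMC:
Initializing secure environment
Bad block table found at page 131008, version 0x01
Bad block table found at page 130944, version 0x01
In:    serial
Out:   serial
Err:   serial
MAC:  00:1a:cc:00:00:01
Hit any key to stop autoboot:  0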
CNCl800L> 


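Good, now our task is to boot the kernel and get a shell. That cannot be done just like that, because the whole kernel and the initrd are encrypted and signed.

To get a root shell, enter the following commands into the bootloader (the comments should not be typed):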

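nand read 06020000 2400000 2000000 # read the kernel from NAND into RAM; wait for it to finish
cryptotest 06020000 08080000 2000000 # run cryptotest over it; bootm below uses the output at 08080000
nand read 8000000 5801000 20000 # read the initrd
cryptotest 8000000 bfff000 20000 # run cryptotest over the initrd as well
setenv bootargs ${bootargs} rdinit=/bin/sh # use /bin/sh as init
bootm 08080000 # boot the kernel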

Booting then continues, after which we will see the following:

CNCl800L> nand read 06020000 2400000 2000000 && cryptotest 06020000 08080000 2000000 && nand read 8000000 5801000 20000 && cryptotest 8000000 bfff000 20000 && setenv bootargs ${bootargs} rdinit=/bin/sh && bootm 08080000

NAND read: device 0 offset 0x2400000, size 0x2000000
 33554432 bytes read: OK
length 33554432: 511 whole chunks with 65536 remainder
done!

NAND read: device 0 offset 0x5801000, size 0x20000
 131072 bytes read: OK
length 131072: 1 whole chunks with 65536 remainder
done!
## Booting kernel from Legacy Image at 08080000 ...
   Image Name:   12448_samsung_H
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    30727842 Bytes = 29.3 MiB
   Load Address: 08080040
   Entry Point:  08080040
   XIP Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux............................................................................................................................................... done, booting the kernel.
Linux version 2.6.32.45-SDK-0.7 (builder@qabuild2) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 PREEMPT Sun Nov 25 10:56:43 PST 2012
CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387f
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Machine: Celestial CNC1800L
Ignoring unrecognised tag 0x00000000
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 28448
Kernel command line: console=ttyS0,115200 rdinit=/bin/sh ethaddr=00:1A:CC:00:00:01
CSM ETH Readed MAC:00:1a:cc:00:00:01
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 112MB = 112MB total
Memory: 80980KB available (4160K code, 382K data, 120K init, 0K highmem)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:73
Clock event Set mode Periodic
Console: colour dummy device 80x30
Calibrating delay loop... 539.03 BogoMIPS (lpj=2695168)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
devtmpfs: initialized
NET: Registered protocol family 16
CNC GPIO at 0xf8260000, 64 lines
disp_base 0xfc900000, tve0_base 0xf8168000, tve1_base 0xf8160000
CNC1800L Display System Version : 0.1
cnc1800l_df: CNC Display feeder driver was initialized, at address@[phyical addr = b1800000, size = 1000] 
cnc1800l_df: CNC TVE0 driver was initialized, at address@[phyical addr = 80168000, size = 1000] 
cnc1800l_df: CNC TVE1 driver was initialized, at address@[phyical addr = 80160000, size = 1000] 
There is 112M for user!
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
HERE cnc18xx_i2c_probe 
Bluetooth: Core ver 2.15
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Switching to clocksource cs_clocksource
Slow work thread pool: Starting up
Slow work thread pool: Ready
FS-Cache: Loaded
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
Clock event Set mode oneshot
Freeing initrd memory: 27860K
CNC18XX PINMUX at 0xb2110000, 16 lines
CNC1800L_CLOCK init at b2100000
NTFS driver 2.1.29 [Flags: R/O].
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
fuse init (API version 7.13)
msgmni has been set to 212
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
fb0: CNC frame buffer @[0xc000000, 0xc8000000] size 0x4000000
fb1: CNC frame buffer @[0xc000000, 0xc8000000] size 0x4000000
fb2: CNC frame buffer @[0xc800000, 0xcd000000] size 0x3800000
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x801f1000 (irq = 12) is a 16550A
console [ttyS0] enabled
serial8250.1: ttyS1 at MMIO 0x801f2000 (irq = 13) is a 16550A
brd: module loaded
loop: module loaded
Creating 3 MTD partitions on "s25f":
0x000000000000-0x00000000c000 : "spi_cavm_miniloader"
0x00000000c000-0x00000000e000 : "spi_cavm_bootloader_env1"
0x00000000e000-0x000000010000 : "spi_cavm_bootloader_env2"
Enable HW ECC for CNC18xx!
NAND device: Manufacturer ID: 0xec, Chip ID: 0xda (Samsung NAND 256MiB 3,3V 8-bit)
Creating 19 MTD partitions on "cnc_nand.0":
0x000000000000-0x000000020000 : "cavm_miniloader"
0x000000020000-0x0000000a0000 : "cavm_uboot1"
0x0000000a0000-0x000000120000 : "cavm_uboot2"
0x000000120000-0x000000140000 : "cavm_nvram_factory"
0x000000140000-0x000000160000 : "cavm_nvram1"
0x000000160000-0x000000180000 : "cavm_nvram1b"
0x000000180000-0x0000001a0000 : "cavm_nvram2"
0x0000001a0000-0x0000001c0000 : "cavm_nvram2b"
0x0000001c0000-0x0000003c0000 : "cavm_splash"
0x0000003c0000-0x0000003e0000 : "cavm_all_img1_info"
0x0000003e0000-0x000000400000 : "cavm_blob_info"
0x000000400000-0x000002400000 : "cavm_netHD_Image1"
0x000002400000-0x000004400000 : "cavm_netHD_Image2"
0x000004400000-0x000005780000 : "cavm_free1"
0x000005780000-0x0000057c0000 : "cavm_uboot2_img_info"
0x0000057c0000-0x000005800000 : "cavm_netHD_img2_info"
0x000005800000-0x000005c00000 : "cavm_blob"
0x000005c00000-0x000007c00000 : "cavm_ffs"
0x000007c00000-0x000008000000 : "customer_area"
Celestial MAC eth0: 0xb1400000 IRQ 24 MAC:00:1a:cc:00:00:01
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver rndis_host
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
cnc18xx-ehci cnc18xx-ehci: CNC18XX EHCI
cnc18xx-ehci cnc18xx-ehci: new USB bus registered, assigned bus number 1
cnc18xx-ehci cnc18xx-ehci: irq 22, io mem 0x80200000
cnc18xx-ehci cnc18xx-ehci: USB 0.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: CNC18XX EHCI
usb usb1: Manufacturer: Linux 2.6.32.45-SDK-0.7 ehci_hcd
usb usb1: SerialNumber: cnc18xx
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
cnc18xx-ohci cnc18xx-ohci: CNC18XX OHCI
cnc18xx-ohci cnc18xx-ohci: new USB bus registered, assigned bus number 2
cnc18xx-ohci cnc18xx-ohci: irq 27, io mem 0x80210000
usb usb2: New USB device found, idVendor=1d6b, idProduct=0001
usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb2: Product: CNC18XX OHCI
usb usb2: Manufacturer: Linux 2.6.32.45-SDK-0.7 ohci_hcd
usb usb2: SerialNumber: cnc18xx-ohci
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
usbcore: registered new interface driver cdc_wdm
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver sisusb
mice: PS/2 mouse device common for all mice
Linux video capture interface: v2.00
gspca: main v2.7.0 registered
usbcore: registered new interface driver zc3xx
zc3xx: registered
usbcore: registered new interface driver uvcvideo
USB Video Class driver (v0.1.0)
Bluetooth: Generic Bluetooth SDIO driver ver 0.1
cpuidle: using governor ladder
cpuidle: using governor menu
mshci: Mobile Storage Host Controller Interface driver
mshci: Copyright(c) Pierre Ossman
mmc0: Version ID 0x5342230a.
mmc0: FIFO WMARK FOR RX 0x20 WX 0x1.
mmc0: MSHCI controller on cavium-mshci [cnc1800l-mshci.0] using IDMA
usbcore: registered new interface driver usbhid
usbhid: v2.6:USB HID core driver
Celestial Smart Card interface initialized!
CNC18XX Watchdog Timer: timer margin 40 sec
CNC1800L Video System Version : 0.1
CNC1800 Audio System Version : 0.2
cnc1800_audio: CNC Audio driver was initialized, at address@[phyical addr = b1200000, size = 100000] 
cnc1800_audio: CNC Audio stuff at address@[phyical addr = 070f1000, size = 300000] 
CS BLIT Initialed
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
NET: Registered protocol family 15
VFP support v0.3: implementor 41 architecture 1 part 20 variant b rev 5
Freeing init memory: 120K
/bin/sh: can't access tty; job control turned off
# mmc0: new high speed SDIO card at address 0001


Now press Enter and enjoy.
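The boot log above can be read mechanically. The following is an added example, not part of the original post: it parses the kernel's MTD partition lines to show which NAND partitions the two `nand read` commands touch, and flags a kernel command line whose `init=`/`rdinit=` points at a shell. The sample text is constructed from lines of the log on this page; the function names and the list of shell paths are assumptions of the example.

```python
import re

# Constructed sample: a subset of lines copied from the boot log on this page.
BOOT_LOG = """\
Kernel command line: console=ttyS0,115200 rdinit=/bin/sh ethaddr=00:1A:CC:00:00:01
Creating 19 MTD partitions on "cnc_nand.0":
0x000000400000-0x000002400000 : "cavm_netHD_Image1"
0x000002400000-0x000004400000 : "cavm_netHD_Image2"
0x000005780000-0x0000057c0000 : "cavm_uboot2_img_info"
0x0000057c0000-0x000005800000 : "cavm_netHD_img2_info"
0x000005800000-0x000005c00000 : "cavm_blob"
0x000005c00000-0x000007c00000 : "cavm_ffs"
"""

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"$', re.M)
CMDLINE_RE = re.compile(r'^Kernel command line: (.*)$', re.M)
# Assumed list of interpreters that should never be PID 1 on a production boot.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash", "/bin/busybox"}

def parse_partitions(log):
    """Return [(start, end, name)] from the kernel's MTD partition lines."""
    return [(int(s, 16), int(e, 16), n) for s, e, n in PART_RE.findall(log)]

def locate(parts, offset, size):
    """Names of all partitions overlapped by a read of `size` bytes at `offset`."""
    return [n for s, e, n in parts if offset < e and offset + size > s]

def init_overrides(log):
    """init=/rdinit= arguments on the kernel command line that name a shell."""
    m = CMDLINE_RE.search(log)
    if not m:
        return []
    hits = []
    for arg in m.group(1).split():
        key, _, val = arg.partition("=")
        if key in ("init", "rdinit") and val in SHELLS:
            hits.append(arg)
    return hits

if __name__ == "__main__":
    parts = parse_partitions(BOOT_LOG)
    # Offsets and sizes of the two "nand read" commands used on this page.
    print(locate(parts, 0x2400000, 0x2000000))
    print(locate(parts, 0x5801000, 0x20000))
    print(init_overrides(BOOT_LOG))
```

Run over a device's captured serial console, the same check shows whether a unit was booted with a shell in place of its normal init.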

References:
A post on the subject (the method comes from there, but a lot of things were corrected)

Thanks:
The #expliteers IRC channel on freenode

Source: https://habr.com/ru/post/zh-CN388049/

