Rooting ANY firmware level... the hard way

CloneNum3
Site Admin
Posts: 107
Joined: Wed Jan 07, 2015 10:02 am

Rooting ANY firmware level... the hard way

Postby CloneNum3 » Tue May 12, 2015 9:20 am

It would appear there is a method to root any functioning wink hub (haven't tried it on a link hub yet) but it is a bit more complicated.

The process requires:
*disassembling the hub (removing four torx screws)
*USB to TTL serial adapter (available for under $5 shipped on eBay, just needs Ground, RX, and TX wires)

Complete this process is at your own risk!

Here are the steps I took...
[*] Disassemble hub
[*] Connect serial USB to TTL adapter
[*] Set to 115200 N81
[*] Dry run to make sure your TTL adapter is working
[*] Find pin #29 on the NAND chip (1-24 is on one side, 25-48 is on the other, #29 is the 5th one in starting at 25)
[*] Use a wire or anything you have available to temporarily connect #29 to ground. I used one of the huge shields over one of the chips as a ground and the tip of a multimeter test lead to touch #29
[*] Power cycle the hub (I just hit the reset button to cycle it)
[*] Immediately connect #29 to ground if you haven't already (I'm not sure if it can be shorted before the power cycle or shortly there after, I'll need to test)
[*] The boot process should look something like this...

Code: Select all

LLC

U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)

CPU:   Freescale i.MX28 rev1.2 at 454 MHz
BOOT:  NAND, 3V3
DRAM:  64 MiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   FEC0 [PRIME]
Hit any key to stop autoboot:  0
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=3"
UBI: MTD device size:            8 MiB
UBI: number of good PEBs:        64
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             6
UBI: total number of reserved PEBs: 58
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 5/3
UBIFS: recovery needed
UBIFS: recovery deferred
UBIFS: mounted UBI device 0, volume 0, name "database"
UBIFS: mounted read-only
UBIFS: file system size:   5459968 bytes (5332 KiB, 5 MiB, 43 LEBs)
UBIFS: journal size:       1015809 bytes (992 KiB, 0 MiB, 6 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: LZO
UBIFS: reserved for root:  269835 bytes (263 KiB)
Loading file 'DO_UPDATE' to addr 0x42000000 with size 1 (0x00000001)...
Done
Total of 1 word(s) were the same

NAND read: device 0 offset 0x2b00000, size 0x400000
NAND read from offset 2b00000 failed -74
 0 bytes read: ERROR

NAND read: device 0 offset 0x300000, size 0x300000
NAND read from offset 300000 failed -74
 0 bytes read: ERROR
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Falling back to updater...

NAND read: device 0 offset 0x300000, size 0x300000
NAND read from offset 300000 failed -74
 0 bytes read: ERROR

NAND read: device 0 offset 0x2b00000, size 0x400000
NAND read from offset 2b00000 failed -74
 0 bytes read: ERROR
Wrong Image Format for bootm command
ERROR: can't get kernel image!
=>


[*]At this point, you are at a boot prompt, enter printenv to see the boot environment

Code: Select all

=> printenv
app_boot=run appboot_args && nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
app_boot_bad=run updater_args; setenv bootargs ${bootargs} badapp; nand read ${loadaddr} updater-kernel 0x00300000; bootm ${loadaddr}
appboot_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi';
baudrate=115200
bd_addr=0021CC000000
boot_app=run app_boot || run app_boot_bad
boot_getflag=mtdparts default && ubi part database && ubifsmount ubi0:database && mw 42000000 0 8 && ubifsload 42000000 DO_UPDATE 1 && run boot_logic
boot_logic=mw 42000004 30; if cmp 42000000 42000004 1; then run boot_app; else run boot_updater; fi;
boot_updater=run updater_boot || run updater_boot_bad
bootargs=noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi badupdater
bootcmd=mtdparts default; run boot_getflag || echo Falling back to updater...; run boot_updater
bootdelay=0
bootfile=uImage
ethact=FEC0
ethaddr=00:04:00:00:00:00
ethprime=FEC0
filesize=1
loadaddr=0x42000000
mtddevname=u-boot
mtddevnum=0
mtdids=nand0=gpmi-nand
mtdparts=mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel),-(app-rootfs)
partition=nand0,0
serialno=151312345XYZ6
stderr=serial
stdin=serial
stdout=serial
updater_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=2 root=ubi0:rootfs rw gpmi';
updater_boot=run updater_args && nand read ${loadaddr} updater-kernel 0x00300000 && bootm ${loadaddr}
updater_boot_bad=run appboot_args; setenv bootargs ${bootargs} badupdater; nand read ${loadaddr} app-kernel 0x00400000; bootm ${loadaddr}
ver=U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)

Environment size: 1775/16379 bytes


Run the appboot_args line appending "init=/bin/sh" to the end just after gpmi
Then boot using the app_boot line starting with "nand read"

Example:

Code: Select all

=> setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh';
=> nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

NAND read: device 0 offset 0x2b00000, size 0x400000
 4194304 bytes read: OK
## Booting kernel from Legacy Image at 42000000 ...
   Image Name:   Linux-2.6.35.3-flex-dvt
   Created:      2014-04-30   3:15:35 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1928460 Bytes = 1.8 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 2.6.35.3-flex-dvt (saurabh@localhost.localdomain) (gcc version 4.4.4 (4.4.4_09.06.2010) ) #32 PREEMPT Tue Apr 29 23:15:31 EDT 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Freescale MX28EVK board
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 64MB = 64MB total
Memory: 60784k/60784k available, 4752k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xfde00000 - 0xffe00000   (  32 MB)
    vmalloc : 0x84800000 - 0xf0000000   (1720 MB)
    lowmem  : 0x80000000 - 0x84000000   (  64 MB)
    modules : 0x7f000000 - 0x80000000   (  16 MB)
      .init : 0x80008000 - 0x80027000   ( 124 kB)
      .text : 0x80027000 - 0x803b6000   (3644 kB)
      .data : 0x803b6000 - 0x803deec0   ( 164 kB)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:288
Console: colour dummy device 80x30
console [ttyAM0] enabled
Calibrating delay loop... 226.09 BogoMIPS (lpj=1130496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
regulator: core version 0.5
NET: Registered protocol family 16
regulator: vddd: 800 <--> 1575 mV at 1500 mV fast normal
regulator: vdddbo: 800 <--> 1575 mV fast normal
regulator: vdda: 1500 <--> 2275 mV at 1800 mV fast normal
vddio = 3380000, val=10
regulator: vddio: 2880 <--> 3680 mV at 3380 mV fast normal
regulator: overall_current: fast normal
regulator: vbus5v:
regulator: mxs-duart-1: fast normal
regulator: mxs-bl-1: fast normal
regulator: mxs-i2c-1: fast normal
regulator: mmc_ssp-1: fast normal
regulator: mmc_ssp-2: fast normal
regulator: charger-1: fast normal
regulator: power-test-1: fast normal
regulator: cpufreq-1: fast normal
i.MX IRAM pool: 124 KB@0x84820000
Initializing GPMI pins
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource mxs clock source
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
Bus freq driver module loaded
mxs_cpu_init: cpufreq init finished
Slow work thread pool: Starting up
Slow work thread pool: Ready
fuse init (API version 7.14)
msgmni has been set to 118
alg: No test for stdrng (krng)
cryptodev: driver loaded.
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
mxs-duart.0: ttyAM0 at MMIO 0x80074000 (irq = 47) is a DebugUART
mxs-auart.0: ttySP0 at MMIO 0x8006a000 (irq = 112) is a mxs-auart.0
Found APPUART 3.1.0
mxs-auart.1: ttySP1 at MMIO 0x8006c000 (irq = 113) is a mxs-auart.1
Found APPUART 3.1.0
mxs-auart.2: ttySP2 at MMIO 0x8006e000 (irq = 114) is a mxs-auart.2
Found APPUART 3.1.0
mxs-auart.3: ttySP3 at MMIO 0x80070000 (irq = 115) is a mxs-auart.3
Found APPUART 3.1.0
mxs-auart.4: ttySP4 at MMIO 0x80072000 (irq = 116) is a mxs-auart.4
Found APPUART 3.1.0
loop: module loaded
i.MX GPMI NFC
NFC: Version 1, 8-chip GPMI and BCH
Boot ROM: Version 1, Single-chip boot area, block mark swapping supported
Scanning for NAND Flash chips...
NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD NAND 128MiB 3,3V 8-bit)
-----------------------------
NAND Flash Device Information
-----------------------------
Manufacturer      : AMD (0x01)
Device Code       : 0xf1
Cell Technology   : SLC
Chip Size         : 128 MiB
Pages per Block   : 64
Page Geometry     : 2048+64
ECC Strength      : 4 bits
ECC Size          : 512 B
Data Setup Time   : 10 ns
Data Hold Time    : 5 ns
Address Setup Time: 10 ns
GPMI Sample Delay : 6 ns
tREA              : Unknown
tRLOH             : Unknown
tRHOH             : Unknown
Description       : S34ML01G1
-----------------
Physical Geometry
-----------------
Chip Count             : 1
Page Data Size in Bytes: 2048 (0x800)
Page OOB Size in Bytes : 64
Block Size in Bytes    : 131072 (0x20000)
Block Size in Pages    : 64 (0x40)
Chip Size in Bytes     : 134217728 (0x8000000)
Chip Size in Pages     : 65536 (0x10000)
Chip Size in Blocks    : 1024 (0x400)
Medium Size in Bytes   : 134217728 (0x8000000)
------------
NFC Geometry
------------
ECC Algorithm          : BCH
ECC Strength           : 8
Page Size in Bytes     : 2112
Metadata Size in Bytes : 10
ECC Chunk Size in Bytes: 512
ECC Chunk Count        : 4
Payload Size in Bytes  : 2048
Auxiliary Size in Bytes: 16
Auxiliary Status Offset: 12
Block Mark Byte Offset : 1999
Block Mark Bit Offset  : 0
-----------------
Boot ROM Geometry
-----------------
Boot Area Count            : 1
Boot Area Size in Bytes    : 3145728 (0x300000)
Stride Size in Pages       : 64
Search Area Stride Exponent: 2
Scanning device for bad blocks
Bad eraseblock 730 at 0x000005b40000
Boot area protection is enabled.
Creating 6 MTD partitions on "gpmi-nfc-main":
0x000000000000-0x000000300000 : "gpmi-nfc-0-boot"
0x000000300000-0x000000700000 : "updater-kernel"
0x000000700000-0x000002300000 : "updater-rootfs"
0x000002300000-0x000002b00000 : "database"
0x000002b00000-0x000003300000 : "app-kernel"
0x000003300000-0x000008000000 : "gpmi-nfc-general-use"
cmdlinepart partition parsing not available
UBI: attaching mtd5 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd5 to ubi0
UBI: MTD device name:            "gpmi-nfc-general-use"
UBI: MTD device size:            77 MiB
UBI: number of good PEBs:        615
UBI: number of bad PEBs:         1
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             0
UBI: total number of reserved PEBs: 615
UBI: number of PEBs reserved for bad PEB handling: 6
UBI: max/mean erase counter: 3/1
UBI: image sequence number: 99799859
UBI: background thread "ubi_bgt0d" started, PID 922
 ubiblka: unknown partition table
mice: PS/2 mouse device common for all mice
MXS RTC driver v1.0 hardware v2.3.0
mxs-rtc mxs-rtc.0: rtc core: registered mxs-rtc as rtc0
mxs watchdog: initialized, heartbeat 19 sec
mxs-mmc: MXS SSP Controller MMC Interface driver
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
mxs-mmc mxs-mmc.0: mmc0: MXS SSP MMC DMAIRQ 82 ERRIRQ 96
TCP cubic registered
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
mxs-rtc mxs-rtc.0: setting system clock to 1970-01-01 00:20:01 UTC (1201)
mmc0: queuing unknown CIS tuple 0x80 (7 bytes)
mmc0: queuing unknown CIS tuple 0x80 (6 bytes)
UBIFS: recovery needed
mmc0: new high speed SDIO card at address 0001
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "rootfs"
UBIFS: file system size:   75423744 bytes (73656 KiB, 71 MiB, 594 LEBs)
UBIFS: journal size:       9023488 bytes (8812 KiB, 8 MiB, 72 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: zlib
UBIFS: reserved for root:  0 bytes (0 KiB)
VFS: Mounted root (ubifs filesystem) on device 0:11.
Freeing init memory: 124K
/bin/sh: can't access tty; job control turned off
/ #


[*] Required for ubiattach to work

Code: Select all

mount -a


[*] You should now be sitting at a root prompt, congrats, you have root!... but only temporarily, now to make it persistent through reboots.
[*] Mount the database partition by running "ubiattach -p /dev/mtd3"

Code: Select all

/ # ubiattach -p /dev/mtd3
UBI: attaching mtd3 to ubi1
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd3 to ubi1
UBI: MTD device name:            "database"
UBI: MTD device size:            8 MiB
UBI: number of good PEBs:        64
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             6
UBI: total number of reserved PEBs: 58
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 5/3
UBI: image sequence number: 0
UBI: background thread "ubi_bgt1d" started, PID 1024
 ubiblkb: unknown partition table
UBI device number 1, total 64 LEBs (8126464 bytes, 7.8 MiB), available 6 LEBs (761856 bytes, 744.0 KiB), LEB size 126976 bytes (124.0 KiB)


[*] Then mount -t "ubifs ubi1:database /database"

Code: Select all

/etc # mount -t ubifs ubi1:database /database
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "database"
UBIFS: file system size:   5459968 bytes (5332 KiB, 5 MiB, 43 LEBs)
UBIFS: journal size:       1015809 bytes (992 KiB, 0 MiB, 6 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  257887 bytes (251 KiB)
/etc #


[*] Enable SSH by running "touch /database/ENABLE_SSH"

Code: Select all

/ # touch /database/ENABLE_SSH


[*] Uncomment the serial console line in /etc/inittab

Code: Select all

# vi /etc/inittab
ttyAM0::respawn:/sbin/getty -L  ttyAM0 115200 vt100 # GENERIC_SERIAL


[*] Set a new root passwd by running "passwd" OR edit /etc/shadow and remove the password

[*] Add your SSH key to /database/authorized_keys

[*] Remove the dropbear ssh options file restricting ssh login options

Code: Select all

rm -f /tmp/rootfs/etc/default/dropbear # removes the "DROPBEAR_ARGS=-sg" arguments preventing logins


[*] Apply any other modifications you wish (see http://www.rootwink.com/viewtopic.php?f=6&t=4)

[*] reboot

Code: Select all

/ # reboot

BotoTheClown
Posts: 6
Joined: Sun Jul 05, 2015 7:58 pm

Re: Rooting ANY firmware level... the hard way

Postby BotoTheClown » Sun Jul 05, 2015 8:09 pm

Good day!

First off, many thanks for publishing your findings on Wink investigation. It's awesome!

My hub is at 1.1 (updated by the app)
I followed the instructions above yet I get a failure when executing the ubiattach command...

Code: Select all

U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)

CPU:   Freescale i.MX28 rev1.2 at 454 MHz
BOOT:  NAND, 3V3
DRAM:  64 MiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   FEC0 [PRIME]
Hit any key to stop autoboot:  0
=> setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh';
=> nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

NAND read: device 0 offset 0x2b00000, size 0x400000
 4194304 bytes read: OK
## Booting kernel from Legacy Image at 42000000 ...
   Image Name:   Linux-2.6.35.3-flex-dvt
   Created:      2014-04-30   3:15:35 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1928460 Bytes = 1.8 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Starting kernel ...

...
...
...


Code: Select all

UBIFS: recovery needed
mmc0: new high speed SDIO card at address 0001
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "rootfs"
UBIFS: file system size:   75550720 bytes (73780 KiB, 72 MiB, 595 LEBs)
UBIFS: journal size:       9023488 bytes (8812 KiB, 8 MiB, 72 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: zlib
UBIFS: reserved for root:  0 bytes (0 KiB)
VFS: Mounted root (ubifs filesystem) on device 0:11.


Code: Select all

Freeing init memory: 124K
/bin/sh: can't access tty; job control turned off
/ #
/ # ubiattach -p /dev/mtd3
ubiattach: error!: UBI is not present in the system


Is this something not supported in 1.1?

Thanks for your help!

CloneNum3
Site Admin
Posts: 107
Joined: Wed Jan 07, 2015 10:02 am

Re: Rooting ANY firmware level... the hard way

Postby CloneNum3 » Mon Jul 06, 2015 2:59 pm

What is the full output of "printenv" ?

cbnzb
Posts: 3
Joined: Mon Jul 06, 2015 9:38 am

Re: Rooting ANY firmware level... the hard way

Postby cbnzb » Mon Jul 06, 2015 5:35 pm

I just bought a hub and am getting the same error as Boto.

ChaosOfLife
Posts: 2
Joined: Mon Jul 06, 2015 8:44 am

Re: Rooting ANY firmware level... the hard way

Postby ChaosOfLife » Mon Jul 06, 2015 6:28 pm

I have recently purchased a wink to root, and have arrived at the same problem. Arriving at the root prompt and trying

Code: Select all

/ # ubiattach -p /dev/mtd3
ubiattach: error!: UBI is not present in the system

The variables are:

Code: Select all

/ # printenv
SHLVL=1
HOME=/
TERM=linux
PWD=/

ChaosOfLife
Posts: 2
Joined: Mon Jul 06, 2015 8:44 am

Re: Rooting ANY firmware level... the hard way

Postby ChaosOfLife » Mon Jul 06, 2015 6:39 pm

I have recently purchased a wink to root, and have arrived at the same problem. Arriving at the root prompt and trying

Code: Select all

/ # ubiattach -p /dev/mtd3
ubiattach: error!: UBI is not present in the system

The variables are:

Code: Select all

/ # printenv
SHLVL=1
HOME=/
TERM=linux
PWD=/

aj7
Posts: 2
Joined: Mon Jul 06, 2015 9:25 pm

Re: Rooting ANY firmware level... the hard way

Postby aj7 » Mon Jul 06, 2015 9:45 pm

Hi -- I'm encountering the same problem as above after the ubiattach command.

Code: Select all

/ # ubiattach -p /dev/mtd3
ubiattach: error!: UBI is not present in the system
/ #


Following is a dump of my environment vars -- Only bd_addr and serialno seem to be different from the post in this guide earlier.

Any help much appreciated!! :D

Code: Select all

=> printenv
app_boot=run appboot_args && nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
app_boot_bad=run updater_args; setenv bootargs ${bootargs} badapp; nand read ${loadaddr} updater-kernel 0x00300000; bootm ${loadaddr}
appboot_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi';
baudrate=115200
bd_addr=[color=#40BF00]0021CC086B98[/color]
boot_app=run app_boot || run app_boot_bad
boot_getflag=mtdparts default && ubi part database && ubifsmount ubi0:database && mw 42000000 0 8 && ubifsload 42000000 DO_UPDATE 1 && run boot_logic
boot_logic=mw 42000004 30; if cmp 42000000 42000004 1; then run boot_app; else run boot_updater; fi;
boot_updater=run updater_boot || run updater_boot_bad
bootargs=noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi badupdater
bootcmd=mtdparts default; run boot_getflag || echo Falling back to updater...; run boot_updater
bootdelay=0
bootfile=uImage
ethact=FEC0
ethaddr=00:04:00:00:00:00
ethprime=FEC0
filesize=1
loadaddr=0x42000000
mtddevname=u-boot
mtddevnum=0
mtdids=nand0=gpmi-nand
mtdparts=mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel),-(app-rootfs)
partition=nand0,0
serialno=[color=#40BF00]151800116WZD1[/color]
stderr=serial
stdin=serial
stdout=serial
updater_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=2 root=ubi0:rootfs rw gpmi';
updater_boot=run updater_args && nand read ${loadaddr} updater-kernel 0x00300000 && bootm ${loadaddr}
updater_boot_bad=run appboot_args; setenv bootargs ${bootargs} badupdater; nand read ${loadaddr} app-kernel 0x00400000; bootm ${loadaddr}
ver=U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)

Environment size: 1775/16379 bytes

BotoTheClown
Posts: 6
Joined: Sun Jul 05, 2015 7:58 pm

Re: Rooting ANY firmware level... the hard way

Postby BotoTheClown » Tue Jul 07, 2015 6:57 am

UBOOT environment looks identical to yours...

Printenv looks like this:

Code: Select all

app_boot=run appboot_args && nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
app_boot_bad=run updater_args; setenv bootargs ${bootargs} badapp; nand read ${loadaddr} updater-kernel 0x00300000; bootm ${loadaddr}
appboot_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi';
baudrate=115200
bd_addr=0021CC0892E7
boot_app=run app_boot || run app_boot_bad
boot_getflag=mtdparts default && ubi part database && ubifsmount ubi0:database && mw 42000000 0 8 && ubifsload 42000000 DO_UPDATE 1 && run boot_logic
boot_logic=mw 42000004 30; if cmp 42000000 42000004 1; then run boot_app; else run boot_updater; fi;
boot_updater=run updater_boot || run updater_boot_bad
bootargs=noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi badupdater
bootcmd=mtdparts default; run boot_getflag || echo Falling back to updater...; run boot_updater
bootdelay=1
bootfile=uImage
ethact=FEC0
ethaddr=00:04:00:00:00:00
ethprime=FEC0
loadaddr=0x42000000
mtddevname=u-boot
mtddevnum=0
mtdids=nand0=gpmi-nand
mtdparts=mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel),-(app-rootfs)
partition=nand0,0
serialno=152201058WZD1
stderr=serial
stdin=serial
stdout=serial
updater_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=2 root=ubi0:rootfs rw gpmi';
updater_boot=run updater_args && nand read ${loadaddr} updater-kernel 0x00300000 && bootm ${loadaddr}
updater_boot_bad=run appboot_args; setenv bootargs ${bootargs} badupdater; nand read ${loadaddr} app-kernel 0x00400000; bootm ${loadaddr}
ver=U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)

Environment size: 1762/16379 bytes

BotoTheClown
Posts: 6
Joined: Sun Jul 05, 2015 7:58 pm

Re: Rooting ANY firmware level... the hard way

Postby BotoTheClown » Tue Jul 07, 2015 7:14 am

I pasted the entire (normal) boot process here: http://pastebin.com/UVLREnut
And the logs from trying to follow the instructions here: http://pastebin.com/ScRtrCaP

Thanks for your help!

aj7
Posts: 2
Joined: Mon Jul 06, 2015 9:25 pm

Re: Rooting ANY firmware level... the hard way

Postby aj7 » Tue Jul 07, 2015 11:39 am

Hi - I'm having the same problem as above

I've got identical output (used diff) printenv as shown above at the beginning of this thread, with the exception of bd_addr and serialno


Return to “Upgrade to current firmware maintaining root”

Who is online

Users browsing this forum: No registered users and 1 guest