Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

L09G #49

Open
mrmariosgithub opened this issue Apr 28, 2023 · 61 comments
Open

L09G #49

mrmariosgithub opened this issue Apr 28, 2023 · 61 comments
Labels
help wanted Extra attention is needed L09G research

Comments

@mrmariosgithub
Copy link

mrmariosgithub commented Apr 28, 2023
edited
Loading

Hi,

I recently got my hands on a L09G and started poking around using the informations available in issue #1 and the research folder.

I managed to connect an USB stick to the board by soldering to the test pins on the underside of the board. Running usb start recognises the connected usb stick:

axg_s420_v1_gva#usb start
(Re)start USB...
USB0:   USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found

I tried both fatinfo and fatls to confirm, that the USB stick can be accessed correcty:

axg_s420_v1_gva#fatinfo usb 0
Interface:  USB
  Device 0: Vendor: VendorCo Rev: 2.00 Prod: ProductCode
            Type: Removable Hard Disk
            Capacity: 3840.0 MB = 3.7 GB (7864320 x 512)
Filesystem: FAT32 "NO NAME    "
axg_s420_v1_gva#
axg_s420_v1_gva#
axg_s420_v1_gva#
axg_s420_v1_gva#fatls usb 0
  5570560   DSC02072.JPG
            System Volume Information/

1 file(s), 1 dir(s)

But now I have no idea how to continue. Can I dump the flash to the USB stick? Or can I flash a modified firmware from the USB stick?

KInd regards
Mario
@mrmariosgithub mrmariosgithub changed the title L05G L09G Apr 28, 2023
@mrmariosgithub
Copy link
Author

Can we somehow unpack the update file mentioned here? #1 (comment)

@duhow duhow added the L09G label Apr 28, 2023
@duhow
Copy link
Owner

duhow commented Apr 28, 2023

There is no modified firmware yet, you can use the tools provided to download the firmware file, unpack it, update the login (somehow?) and try get console access to it.

Still I don't have any idea on how to run this, so whatever you try, ensure you have a backup done of your flash memory, and ensure to be able to access the U-boot console.

@mrmariosgithub
Copy link
Author

I didn't manage to get a flash backup. I tried nand read.raw followed by md.b afterwards, but I got some strange results. I copied two flash pages (zero and one) to RAM and printed them using md.b. Then, to verfiy that successive read of flash pages work, I read only flash page one and printed it again. But the second read did not print the expected results, there was a gap of 0x40 bytes that were missing. In case someone wants to try it, here are the commands I used:

axg_s420_v1_gva#nand read.raw 0x02000000 0 0x1000
axg_s420_v1_gva#md.b 0x02000000 0x1000

axg_s420_v1_gva#nand read.raw 0x02000000 0x800 0x800
axg_s420_v1_gva#md.b 0x02000000 0x800

Maybe I am using the wrong aproach to dump the flash, then I would appreciate a hint how to do it correctly.

Anyways, I managed to unpack the update file and extract the boot.img file. I copied it to the flash drive and was able to boot from the flash drive using the following commands:

usb start
fatload usb 0 ${loadaddr} boot.img
bootm ${loadaddr}

Then I tried to boot a modified boot.img (with the boot commandline embedded into the boot.img patched) but that failed because of the signature check:

aml log : Sig Check 1423

Do you have any ideas what to try next?

@mrmariosgithub
Copy link
Author

mrmariosgithub commented Apr 30, 2023
edited
Loading

I managed to dump the flash by dumping all nand pages and writing the result to a file. This was an incredible slow process which - fully automated - took around 23 hours.

I verified the dump by comparing the binwalk with the output of mtdparts:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1157          0x485           MySQL ISAM compressed data file Version 4
16777216      0x1000000       Android bootimg, kernel size: 6453248 bytes, kernel addr: 0x1080000, ramdisk size: 3143680 bytes, ramdisk addr: 0x1000000, product name: ""
27262976      0x1A00000       Android bootimg, kernel size: 6453248 bytes, kernel addr: 0x1080000, ramdisk size: 3602432 bytes, ramdisk addr: 0x1000000, product name: ""
39845888      0x2600000       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 11356998 bytes, 1086 inodes, blocksize: 131072 bytes, created: 1970-01-01 00:00:00
56623104      0x3600000       Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 51200242 bytes, 175 inodes, blocksize: 131072 bytes, created: 1970-01-01 00:00:00
107954016     0x66F3F60       Zlib compressed data, best compression
128057344     0x7A20000       UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000

axg_s420_v1_gva#mtdparts
0x000000000000-0x000000200000 : "bootloader"
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001a00000 : "recovery"
0x000001a00000-0x000002600000 : "boot"
0x000002600000-0x000003600000 : "system"
0x000003600000-0x000007a20000 : "chrome"
0x000007a20000-0x000007e20000 : "factory"
0x000007e20000-0x000010000000 : "data"

I extracted the data partition from the dump file using dd:

dd if=dev_1.bin bs=1k skip=129152 count=132992 of=data.img

The extracted file seems to be a valid UBI image:

data.img: UBI image, version 1

As I can access an USB stick from u-boot, I should be able to update the nand with modified data.

For now I am out of ideas. Does anybody else know how to continue from here?

@mrmariosgithub
Copy link
Author

Ping @ds2k5

@duhow
Copy link
Owner

duhow commented May 1, 2023

The boot.img (kernel) shouldn't be needed to change.
Ideally you'll need to:

  • update the system partition and change the init running programs: disable google assistant, run sshd ?, update /etc/inittab to run a shell, update root password...
  • check Makefile for the commands to generate an squashfs file and ensure to match the same compression settings (compare with original with file command)
  • flash the new system partition at the specific position
  • additionally, update the uboot bootarg (kernel boot options) and run a program after kernel load, but maybe this shouldn't be required.

What I'm concerned is whether uboot or the kernel (boot.img) will verify the system squashfs partition with a certificate / signature or not... That means the whole system might be signed and may need another way of running this.

@ds2k5
Copy link

ds2k5 commented May 2, 2023
edited
Loading

@mrmariosgithu

Hi,

nice thanks for sharing
how did you the dump ?

could you access with adb ?

I am seaching for a friend that have a smd soldering station to
try to use adb for more possibilities

Got in the paste a LINK for Firmware download:

https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/l09g/mico_l09g_6c5c9_1.44.27.bin

may you can use to compare with your dump

@mrmariosgithub
Copy link
Author

Before I post my updates, let my answer your questions first:

additionally, update the uboot bootarg (kernel boot options) and run a program after kernel load, but maybe this shouldn't be required.

I did not manage to start any processes using kernel boot parameters, I tried differend commandlines to spawn a shell on the serial console but without success.

how did you the dump?

I wrote a small programm that repetitively executed the nand dump command on the u-boot shell. This way I dumped each flash page and wrote the results to a dump file. This is an increadible slow process as each flash page takes around one second to dump and there are 131072 of them. In the end it took around 23h to dump the entire flash chip that way. The binwalk results of that files are posted above. I tried nand read and nand read.raw first but the results did not match the page dump results.

could you access with adb ?

No, unfortunatelly not. As it later turned out, the ADB service is disabled and cannot be activated using kernel boot parameters. And I found no other command to enable/start ADB from u-boot, which made sense to me.

Here are my new findings:
TL;DR;
Good news: I got SSH working
Bad news: I ripped off the USB pads from the PCB
Good news: I made the USB stick work again

Long story:
I managed to solder on an micro USB socket. Unfortunatelly, my soldering iron was not beefy enough to heat through the THT holes which use used to mount the micro USB socket to the board as the holes are connected to massive ground planes. So I simply glued the socket in place. Using the fastboot command from u-boot, I got a new USB device showing up on the hub and responding to the fastboot tool provided by the Android platform-tools. I tried flashing the system.img file from the mico update file but that did not went well, the device failed to boot afterwards as it could not find the binaries on the system partition. While moving the board around on my desc, I (obviously) applied to much force to the micro USB socket and ripped it off. Unfortunatelly, the solder pads were gone, too. And the test pads on the bottom of the board - where I soldered the USB A socket to - did not work anymore. Luckily I was able to solder jumper wires to the USB ESD protection device pads and got the USB A socket working again.

Now that I got the USB stick working again, I started messing aroung with the NAND flash partitions. Turns out, that replacing the boot.img does not work because it is signed and kernel, ramdisk and second stage are encrypted. The encryption is not a problem - at least compared to the signature check. So replacing the kernel or ramdisk is a dead end (for now). However, I was able to restore the system partition using the extracted mico update file and the USB stick. Next, I tried modifying the system.img and it turned out that it's not signed so I was able to flash a modified system partition.

I noticed, that during boot the script set_usb_serialnumber.sh is executed which is part of the system.img. So I used that file as an entry point to the device started exploring by adding commands to the end of the file. Here are the most interesting results I got that way:

mount rootfs / rootfs rw 0 0 tmpfs /dev tmpfs rw,relatime,size=4096k,mode=755 0 0 devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0 proc /proc proc rw,relatime 0 0 sysfs /sys sysfs rw,relatime 0 0 tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=32768k 0 0 configfs /sys/kernel/config configfs rw,relatime 0 0 tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 /dev/block/mtdblock4 /system.ro squashfs ro,nodev,noatime 0 0 /dev/block/mtdblock5 /chrome squashfs ro,nodev,noatime 0 0 /dev/ubi6_0 /factory ubifs rw,relatime 0 0 /dev/ubi7_0 /cache ubifs rw,relatime 0 0 overlay /system overlay rw,relatime,lowerdir=/system.ro,upperdir=/cache/.system.overlay,workdir=/cache/.system.work 0 0 /dev/ubi7_0 /data ubifs rw,relatime 0 0 none /sys/kernel/debug debugfs rw,relatime 0 0 tmpfs /data/chrome/tmp tmpfs rw,relatime,size=1024k 0 0 tmpfs /data/share/chrome/metrics tmpfs rw,relatime,size=1024k 0 0 tmpfs /data/chrome/metrics tmpfs rw,relatime,size=1024k 0 0 adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
find / | grep conf /chrome/setup/http/audio/data/config.json /system.ro/bin/ifconfig /system.ro/bin/third_party/btconfig /system.ro/chrome/setup/http/audio/data/config.json /system.ro/etc/asound.conf /system.ro/etc/bluetooth/bt_did.conf /system.ro/etc/bluetooth/bt_stack.conf /system.ro/etc/bluetooth/bt_stack.conf.debug /system.ro/etc/bluetooth/rtkbt.conf /system.ro/etc/bluetooth/rtl8821cs_config /system.ro/etc/dbus-1/system.conf /system.ro/etc/dhcpcd/dhcpcd-hooks/20-dns.conf /system.ro/etc/dhcpcd/dhcpcd-hooks/95-configured /system.ro/etc/dnsmasq.conf /system.ro/etc/fonts/fonts.conf /system.ro/etc/fonts/local.conf /system.ro/etc/fw_env.config /system.ro/etc/nsswitch.conf /system.ro/etc/ota_domain_default.conf /system.ro/etc/process_monitor.conf /system.ro/etc/resolv.conf /system.ro/etc/watchdog.conf.in /system.ro/etc/wpa_supplicant.conf.in /system.ro/usr/share/alsa/alsa.conf /system.ro/usr/share/alsa/cards/AACI.conf /system.ro/usr/share/alsa/cards/ATIIXP-MODEM.conf /system.ro/usr/share/alsa/cards/ATIIXP-SPDMA.conf /system.ro/usr/share/alsa/cards/ATIIXP.conf /system.ro/usr/share/alsa/cards/AU8810.conf /system.ro/usr/share/alsa/cards/AU8820.conf /system.ro/usr/share/alsa/cards/AU8830.conf /system.ro/usr/share/alsa/cards/Audigy.conf /system.ro/usr/share/alsa/cards/Audigy2.conf /system.ro/usr/share/alsa/cards/Aureon51.conf /system.ro/usr/share/alsa/cards/Aureon71.conf /system.ro/usr/share/alsa/cards/CA0106.conf /system.ro/usr/share/alsa/cards/CMI8338-SWIEC.conf /system.ro/usr/share/alsa/cards/CMI8338.conf /system.ro/usr/share/alsa/cards/CMI8738-MC6.conf /system.ro/usr/share/alsa/cards/CMI8738-MC8.conf /system.ro/usr/share/alsa/cards/CMI8788.conf /system.ro/usr/share/alsa/cards/CS46xx.conf /system.ro/usr/share/alsa/cards/EMU10K1.conf /system.ro/usr/share/alsa/cards/EMU10K1X.conf /system.ro/usr/share/alsa/cards/ENS1370.conf /system.ro/usr/share/alsa/cards/ENS1371.conf /system.ro/usr/share/alsa/cards/ES1968.conf /system.ro/usr/share/alsa/cards/Echo_Echo3G.conf /system.ro/usr/share/alsa/cards/FM801.conf /system.ro/usr/share/alsa/cards/FWSpeakers.conf /system.ro/usr/share/alsa/cards/FireWave.conf /system.ro/usr/share/alsa/cards/GUS.conf /system.ro/usr/share/alsa/cards/HDA-Intel.conf /system.ro/usr/share/alsa/cards/ICE1712.conf /system.ro/usr/share/alsa/cards/ICE1724.conf /system.ro/usr/share/alsa/cards/ICH-MODEM.conf /system.ro/usr/share/alsa/cards/ICH.conf /system.ro/usr/share/alsa/cards/ICH4.conf /system.ro/usr/share/alsa/cards/Loopback.conf /system.ro/usr/share/alsa/cards/Maestro3.conf /system.ro/usr/share/alsa/cards/NFORCE.conf /system.ro/usr/share/alsa/cards/PC-Speaker.conf /system.ro/usr/share/alsa/cards/PMac.conf /system.ro/usr/share/alsa/cards/PMacToonie.conf /system.ro/usr/share/alsa/cards/PS3.conf /system.ro/usr/share/alsa/cards/RME9636.conf /system.ro/usr/share/alsa/cards/RME9652.conf /system.ro/usr/share/alsa/cards/SB-XFi.conf /system.ro/usr/share/alsa/cards/SI7018.conf /system.ro/usr/share/alsa/cards/TRID4DWAVENX.conf /system.ro/usr/share/alsa/cards/USB-Audio.conf /system.ro/usr/share/alsa/cards/VIA686A.conf /system.ro/usr/share/alsa/cards/VIA8233.conf /system.ro/usr/share/alsa/cards/VIA8233A.conf /system.ro/usr/share/alsa/cards/VIA8237.conf /system.ro/usr/share/alsa/cards/VX222.conf /system.ro/usr/share/alsa/cards/VXPocket.conf /system.ro/usr/share/alsa/cards/VXPocket440.conf /system.ro/usr/share/alsa/cards/YMF744.conf /system.ro/usr/share/alsa/cards/aliases.conf /system.ro/usr/share/alsa/pcm/center_lfe.conf /system.ro/usr/share/alsa/pcm/default.conf /system.ro/usr/share/alsa/pcm/dmix.conf /system.ro/usr/share/alsa/pcm/dpl.conf /system.ro/usr/share/alsa/pcm/dsnoop.conf /system.ro/usr/share/alsa/pcm/front.conf /system.ro/usr/share/alsa/pcm/hdmi.conf /system.ro/usr/share/alsa/pcm/iec958.conf /system.ro/usr/share/alsa/pcm/modem.conf /system.ro/usr/share/alsa/pcm/rear.conf /system.ro/usr/share/alsa/pcm/side.conf /system.ro/usr/share/alsa/pcm/surround21.conf /system.ro/usr/share/alsa/pcm/surround40.conf /system.ro/usr/share/alsa/pcm/surround41.conf /system.ro/usr/share/alsa/pcm/surround50.conf /system.ro/usr/share/alsa/pcm/surround51.conf /system.ro/usr/share/alsa/pcm/surround71.conf /cache/.data/misc/bluedroid/bt_config.conf /cache/.data/wifi/wpa_supplicant.conf /cache/.data/watchdog/watchdog.conf /cache/.data/chrome/SourceSwitch.conf /cache/.data/chrome/chirp/.chirp.conf /cache/.data/chrome/fontconfig /cache/.data/chrome/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7 /cache/.data/chrome/fontconfig/CACHEDIR.TAG /cache/.data/chrome/.eureka.conf /tmp/resolv.conf /system/bin/ifconfig /system/bin/third_party/btconfig /system/chrome/setup/http/audio/data/config.json /system/etc/asound.conf /system/etc/bluetooth/bt_did.conf /system/etc/bluetooth/bt_stack.conf /system/etc/bluetooth/bt_stack.conf.debug /system/etc/bluetooth/rtkbt.conf /system/etc/bluetooth/rtl8821cs_config /system/etc/dbus-1/system.conf /system/etc/dhcpcd/dhcpcd-hooks/20-dns.conf /system/etc/dhcpcd/dhcpcd-hooks/95-configured /system/etc/dnsmasq.conf /system/etc/fonts/fonts.conf /system/etc/fonts/local.conf /system/etc/fw_env.config /system/etc/nsswitch.conf /system/etc/ota_domain_default.conf /system/etc/process_monitor.conf /system/etc/resolv.conf /system/etc/watchdog.conf.in /system/etc/wpa_supplicant.conf.in /system/usr/share/alsa/alsa.conf /system/usr/share/alsa/cards/AACI.conf /system/usr/share/alsa/cards/ATIIXP-MODEM.conf /system/usr/share/alsa/cards/ATIIXP-SPDMA.conf /system/usr/share/alsa/cards/ATIIXP.conf /system/usr/share/alsa/cards/AU8810.conf /system/usr/share/alsa/cards/AU8820.conf /system/usr/share/alsa/cards/AU8830.conf /system/usr/share/alsa/cards/Audigy.conf /system/usr/share/alsa/cards/Audigy2.conf /system/usr/share/alsa/cards/Aureon51.conf /system/usr/share/alsa/cards/Aureon71.conf /system/usr/share/alsa/cards/CA0106.conf /system/usr/share/alsa/cards/CMI8338-SWIEC.conf /system/usr/share/alsa/cards/CMI8338.conf /system/usr/share/alsa/cards/CMI8738-MC6.conf /system/usr/share/alsa/cards/CMI8738-MC8.conf /system/usr/share/alsa/cards/CMI8788.conf /system/usr/share/alsa/cards/CS46xx.conf /system/usr/share/alsa/cards/EMU10K1.conf /system/usr/share/alsa/cards/EMU10K1X.conf /system/usr/share/alsa/cards/ENS1370.conf /system/usr/share/alsa/cards/ENS1371.conf /system/usr/share/alsa/cards/ES1968.conf /system/usr/share/alsa/cards/Echo_Echo3G.conf /system/usr/share/alsa/cards/FM801.conf /system/usr/share/alsa/cards/FWSpeakers.conf /system/usr/share/alsa/cards/FireWave.conf /system/usr/share/alsa/cards/GUS.conf /system/usr/share/alsa/cards/HDA-Intel.conf /system/usr/share/alsa/cards/ICE1712.conf /system/usr/share/alsa/cards/ICE1724.conf /system/usr/share/alsa/cards/ICH-MODEM.conf /system/usr/share/alsa/cards/ICH.conf /system/usr/share/alsa/cards/ICH4.conf /system/usr/share/alsa/cards/Loopback.conf /system/usr/share/alsa/cards/Maestro3.conf /system/usr/share/alsa/cards/NFORCE.conf /system/usr/share/alsa/cards/PC-Speaker.conf /system/usr/share/alsa/cards/PMac.conf /system/usr/share/alsa/cards/PMacToonie.conf /system/usr/share/alsa/cards/PS3.conf /system/usr/share/alsa/cards/RME9636.conf /system/usr/share/alsa/cards/RME9652.conf /system/usr/share/alsa/cards/SB-XFi.conf /system/usr/share/alsa/cards/SI7018.conf /system/usr/share/alsa/cards/TRID4DWAVENX.conf /system/usr/share/alsa/cards/USB-Audio.conf /system/usr/share/alsa/cards/VIA686A.conf /system/usr/share/alsa/cards/VIA8233.conf /system/usr/share/alsa/cards/VIA8233A.conf /system/usr/share/alsa/cards/VIA8237.conf /system/usr/share/alsa/cards/VX222.conf /system/usr/share/alsa/cards/VXPocket.conf /system/usr/share/alsa/cards/VXPocket440.conf /system/usr/share/alsa/cards/YMF744.conf /system/usr/share/alsa/cards/aliases.conf /system/usr/share/alsa/pcm/center_lfe.conf /system/usr/share/alsa/pcm/default.conf /system/usr/share/alsa/pcm/dmix.conf /system/usr/share/alsa/pcm/dpl.conf /system/usr/share/alsa/pcm/dsnoop.conf /system/usr/share/alsa/pcm/front.conf /system/usr/share/alsa/pcm/hdmi.conf /system/usr/share/alsa/pcm/iec958.conf /system/usr/share/alsa/pcm/modem.conf /system/usr/share/alsa/pcm/rear.conf /system/usr/share/alsa/pcm/side.conf /system/usr/share/alsa/pcm/surround21.conf /system/usr/share/alsa/pcm/surround40.conf /system/usr/share/alsa/pcm/surround41.conf /system/usr/share/alsa/pcm/surround50.conf /system/usr/share/alsa/pcm/surround51.conf /system/usr/share/alsa/pcm/surround71.conf /sys/kernel/config /sys/kernel/config/usb_gadget /sys/kernel/config/usb_gadget/amlogic /sys/kernel/config/usb_gadget/amlogic/os_desc /sys/kernel/config/usb_gadget/amlogic/os_desc/qw_sign /sys/kernel/config/usb_gadget/amlogic/os_desc/b_vendor_code /sys/kernel/config/usb_gadget/amlogic/os_desc/use /sys/kernel/config/usb_gadget/amlogic/strings /sys/kernel/config/usb_gadget/amlogic/strings/0x409 /sys/kernel/config/usb_gadget/amlogic/strings/0x409/serialnumber /sys/kernel/config/usb_gadget/amlogic/strings/0x409/product /sys/kernel/config/usb_gadget/amlogic/strings/0x409/manufacturer /sys/kernel/config/usb_gadget/amlogic/configs /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1 /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/ffs.adb /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409 /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409/configuration /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/bmAttributes /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/MaxPower /sys/kernel/config/usb_gadget/amlogic/functions /sys/kernel/config/usb_gadget/amlogic/functions/ffs.adb /sys/kernel/config/usb_gadget/amlogic/UDC /sys/kernel/config/usb_gadget/amlogic/bcdUSB /sys/kernel/config/usb_gadget/amlogic/bcdDevice /sys/kernel/config/usb_gadget/amlogic/idProduct /sys/kernel/config/usb_gadget/amlogic/idVendor /sys/kernel/config/usb_gadget/amlogic/bMaxPacketSize0 /sys/kernel/config/usb_gadget/amlogic/bDeviceProtocol /sys/kernel/config/usb_gadget/amlogic/bDeviceSubClass /sys/kernel/config/usb_gadget/amlogic/bDeviceClass /sys/kernel/slab/configfs_dir_cache /sys/kernel/debug/tracing/events/mac80211/drv_config /sys/kernel/debug/tracing/events/mac80211/drv_config/format /sys/kernel/debug/tracing/events/mac80211/drv_config/trigger /sys/kernel/debug/tracing/events/mac80211/drv_config/filter /sys/kernel/debug/tracing/events/mac80211/drv_config/id /sys/kernel/debug/tracing/events/mac80211/drv_config/enable /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter/format /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter/trigger /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter/filter /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter/id /sys/kernel/debug/tracing/events/mac80211/drv_configure_filter/enable /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter/format /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter/trigger /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter/filter /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter/id /sys/kernel/debug/tracing/events/mac80211/drv_config_iface_filter/enable /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx/format /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx/trigger /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx/filter /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx/id /sys/kernel/debug/tracing/events/mac80211/drv_conf_tx/enable /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete/format /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete/trigger /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete/filter /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete/id /sys/kernel/debug/tracing/events/mac80211/drv_reconfig_complete/enable /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf/format /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf/trigger /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf/filter /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf/id /sys/kernel/debug/tracing/events/mac80211/drv_nan_change_conf/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config/format /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config/id /sys/kernel/debug/tracing/events/cfg80211/rdev_get_mesh_config/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config/format /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config/id /sys/kernel/debug/tracing/events/cfg80211/rdev_return_int_mesh_config/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config/format /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config/id /sys/kernel/debug/tracing/events/cfg80211/rdev_update_mesh_config/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config/format /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config/id /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_rssi_config/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config/format /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config/id /sys/kernel/debug/tracing/events/cfg80211/rdev_set_cqm_txe_config/enable /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf/format /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf/trigger /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf/filter /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf/id /sys/kernel/debug/tracing/events/cfg80211/rdev_nan_change_conf/enable /sys/kernel/debug/tracing/events/sched/sched_tune_config /sys/kernel/debug/tracing/events/sched/sched_tune_config/format /sys/kernel/debug/tracing/events/sched/sched_tune_config/trigger /sys/kernel/debug/tracing/events/sched/sched_tune_config/filter /sys/kernel/debug/tracing/events/sched/sched_tune_config/id /sys/kernel/debug/tracing/events/sched/sched_tune_config/enable /sys/kernel/debug/pinctrl/pinctrl@ff634480/pinconf-config /sys/kernel/debug/pinctrl/pinctrl@ff634480/pinconf-groups /sys/kernel/debug/pinctrl/pinctrl@ff634480/pinconf-pins /sys/kernel/debug/pinctrl/pinctrl@ff800014/pinconf-config /sys/kernel/debug/pinctrl/pinctrl@ff800014/pinconf-groups /sys/kernel/debug/pinctrl/pinctrl@ff800014/pinconf-pins /sys/firmware/devicetree/base/wifi_pwm_conf /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel2_conf /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel2_conf/times /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel2_conf/duty-cycle /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel2_conf/pwms /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel2_conf/name /sys/firmware/devicetree/base/wifi_pwm_conf/phandle /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel1_conf /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel1_conf/times /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel1_conf/duty-cycle /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel1_conf/pwms /sys/firmware/devicetree/base/wifi_pwm_conf/pwm_channel1_conf/name /sys/firmware/devicetree/base/wifi_pwm_conf/name /sys/firmware/devicetree/base/wifi/pwm_config /sys/firmware/devicetree/base/__symbols__/emmc_conf_pull_up /sys/firmware/devicetree/base/__symbols__/wifi_pwm_conf /sys/firmware/devicetree/base/__symbols__/emmc_conf_pull_done /sys/firmware/devicetree/base/dwc2_a/port-config /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux/groups /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux/function /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux/input-enable /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux/bias-pull-up /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/mux/name /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/phandle /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_up/name /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux/groups /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux/function /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux/bias-pull-down /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux/input-enable /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/mux/name /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/phandle /sys/firmware/devicetree/base/pinctrl@ff634480/emmc_conf_pull_done/name /sys/module/8821cs/parameters/rtw_tx_aclt_conf_default /sys/module/8821cs/parameters/rtw_tx_aclt_conf_ap_m2u /sys/module/configfs /sys/module/configfs/version /sys/module/configfs/uevent /sys/module/ipv6/parameters/autoconf /data/misc/bluedroid/bt_config.conf /data/wifi/wpa_supplicant.conf /data/watchdog/watchdog.conf /data/chrome/SourceSwitch.conf /data/chrome/chirp/.chirp.conf /data/chrome/fontconfig /data/chrome/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7 /data/chrome/fontconfig/CACHEDIR.TAG /data/chrome/.eureka.conf
find / | grep init /sys/kernel/debug/tracing/events/fence/fence_init /sys/kernel/debug/tracing/events/fence/fence_init/format /sys/kernel/debug/tracing/events/fence/fence_init/trigger /sys/kernel/debug/tracing/events/fence/fence_init/filter /sys/kernel/debug/tracing/events/fence/fence_init/id /sys/kernel/debug/tracing/events/fence/fence_init/enable /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter/format /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter/trigger /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter/filter /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter/id /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter/enable /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath/format /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath/trigger /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath/filter /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath/id /sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_fastpath/enable /sys/kernel/debug/tracing/events/timer/timer_init /sys/kernel/debug/tracing/events/timer/timer_init/format /sys/kernel/debug/tracing/events/timer/timer_init/trigger /sys/kernel/debug/tracing/events/timer/timer_init/filter /sys/kernel/debug/tracing/events/timer/timer_init/id /sys/kernel/debug/tracing/events/timer/timer_init/enable /sys/kernel/debug/tracing/events/timer/hrtimer_init /sys/kernel/debug/tracing/events/timer/hrtimer_init/format /sys/kernel/debug/tracing/events/timer/hrtimer_init/trigger /sys/kernel/debug/tracing/events/timer/hrtimer_init/filter /sys/kernel/debug/tracing/events/timer/hrtimer_init/id /sys/kernel/debug/tracing/events/timer/hrtimer_init/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_fanotify_init/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init/id /sys/kernel/debug/tracing/events/syscalls/sys_exit_fanotify_init/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1 /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1 /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1/id /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module/id /sys/kernel/debug/tracing/events/syscalls/sys_exit_init_module/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_finit_module/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module/id /sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setaffinity/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity/id /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity/enable /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity/format /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity/trigger /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity/filter /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity/id /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getaffinity/enable /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity/format /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity/trigger /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity/filter /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity/enable /sys/devices/platform/mtd/mtd6/mtdblock6/queue/rq_affinity /sys/devices/platform/mtd/mtd4/mtdblock4/queue/rq_affinity /sys/devices/platform/mtd/mtd2/mtdblock2/queue/rq_affinity /sys/devices/platform/mtd/mtd0/mtdblock0/queue/rq_affinity /sys/devices/platform/mtd/mtd7/mtdblock7/queue/rq_affinity /sys/devices/platform/mtd/mtd5/mtdblock5/queue/rq_affinity /sys/devices/platform/mtd/mtd3/mtdblock3/queue/rq_affinity /sys/devices/platform/mtd/mtd1/mtdblock1/queue/rq_affinity /sys/devices/virtual/block/loop1/queue/rq_affinity /sys/devices/virtual/block/loop6/queue/rq_affinity /sys/devices/virtual/block/loop4/queue/rq_affinity /sys/devices/virtual/block/loop2/queue/rq_affinity /sys/devices/virtual/block/loop0/queue/rq_affinity /sys/devices/virtual/block/loop7/queue/rq_affinity /sys/devices/virtual/block/zram0/initstate /sys/devices/virtual/block/zram0/queue/rq_affinity /sys/devices/virtual/block/loop5/queue/rq_affinity /sys/devices/virtual/block/loop3/queue/rq_affinity /sys/firmware/devicetree/base/chosen/linux,initrd-start /sys/firmware/devicetree/base/chosen/linux,initrd-end /sys/firmware/devicetree/base/rtc/init_date /sys/fs/ext4/features/lazy_itable_init /sys/module/kernel/parameters/initcall_debug /sys/module/8821cs/initsize /sys/module/8821cs/initstate /sys/module/8821cs/sections/.init.text /sys/module/8821cs/parameters/rtw_initmac /sys/module/miso/initsize /sys/module/miso/initstate /sys/module/miso/sections/.init.text /sys/module/mico_proc_l09g/initsize /sys/module/mico_proc_l09g/initstate /sys/module/mico_proc_l09g/sections/.init.text /sys/module/usbcore/parameters/initial_descriptor_timeout /sys/module/tcp_cubic/parameters/initial_ssthresh /sbin/init_properties /sbin/init /init.rc /init
cat /init.rc on early-init start ueventd 
mount tmpfs tmpfs /tmp nodev noexec nosuid size=32m

# we already have /dev mounted
mount tmpfs tmpfs /dev remount size=4m
mount configfs configfs /sys/kernel/config
# set core dump size limit to unlimited
# core dump will be generated in /data/coredump/
# if the directory exists and writable
#setrlimit 4  -1 -1
#write /proc/sys/kernel/core_pattern "|/bin/sh /sbin/coredump.sh /data/coredump %e %p %h %s %t"

# force VM to keep 4096KB of free bytes
# default value is 2102(KB)
write /proc/sys/vm/min_free_kbytes "4096"

on init
# setup the global environment
export PATH /bin:/usr/bin:/sbin:/xbin
export LD_LIBRARY_PATH /system/vendor/lib:/system/lib:/usr/lib:/lib
export SECURE_USER_BUILD 0

# create mount point
mkdir /cache 0700 root chrome
mkdir /data 0755 root root
mkdir /factory 0755 root chrome
mkdir /system.ro 0755 root root
mkdir /chrome 0755 chrome chrome

chmod 666 /var/lock/fw_printenv.lock

mkdir /dev/shm
mount tmpfs tmpfs /dev/shm size=64m nodev noexec nosuid

symlink /dev/snd/timer /dev/timer

chmod 777 /dev/uinput
# set interface name
setprop wifi.interface wlan0
setprop ap.interface uap0
setprop persist.chrome.tos_accepted true
setprop persist.chrome.opt_in.stats 1

#The following definitions enable audioplayer for dobly
export media_arm_audio_decoder dts,ac3,eac3,mp3,aac,pcm
export media_audio_use_hardabuf 0

# The following definitions enable model-based provisioning using software
# based keys. This exercises the full key generation flow, but is not
# secure and SHALL NOT be used in production devices.
export CAST_MODEL_CHAIN_SW /factory/model.crt
export CAST_MODEL_PRIVKEY_SW /factory/model.key.bin
export CAST_CLIENT_CERT /factory/client.crt
export CAST_CLIENT_PRIVKEY /factory/client.key.bin

on fs
#mount squashfs /dev/mapper/system /system.ro ro nodev noatime
mount squashfs /dev/block/mtdblock4 /system.ro ro nodev noatime
mount squashfs /dev/block/mtdblock5 /chrome ro nodev noatime
# mount system&factory&data partitions
exec /sbin/busybox sh /sbin/mount_partitions.sh

# Note mounting /system needs to be the first thing. Some other commands
# might depend on /system binaries.
    mkdir /cache/.system.work 0755 root chrome
mkdir /cache/.system.overlay 0755 root chrome
mount overlay overlay /system lowerdir=/system.ro,upperdir=/cache/.system.overlay,workdir=/cache/.system.work

    symlink /system/lib/firmware /lib/firmware

# failure safe to re-generate cache if above steps fails
exec /bin/sh /sbin/check_and_mount_ubifs.sh 7 cache /cache 20

# Set the group of cache mount point to chrome
# so update_engine can create files freely, but set
# the sticky bit so that it can't mess with any
# files it doesn't own.
chown root chrome /cache
chmod 1775 /cache

# Mount /data inside of /cache so that we can share a single
# partition.  This allows us to spread wear across the
# flash better and allows for more flexibility.
mkdir /cache/.data 0755 root root

exec /bin/mount -o bind /cache/.data /data

# Mount debugfs
mount debugfs none /sys/kernel/debug
chown root chrome /sys/kernel/debug
chmod 0750 /sys/kernel/debug

# create directory for share
mkdir /data/share 0755 root root
mkdir /data/share/sntpd 0775 sntpd sntpd

# create directory for cast receiver package
mkdir /data/chrome 0770 chrome chrome
mkdir /data/share/chrome 0775 root chrome

mkdir /data/chrome/tmp 0770 chrome chrome
mount tmpfs tmpfs /data/chrome/tmp size=1m
chown chrome chrome /data/chrome/tmp
chmod 0770 /data/chrome/tmp

# create directory for external metrics
# Move it to /data/metrics.
mkdir /data/share/chrome/metrics 0730 metrics metrics
mount tmpfs tmpfs /data/share/chrome/metrics size=1m
chown metrics metrics /data/share/chrome/metrics
chmod 0730 /data/share/chrome/metrics

# create directory for cast_receiver metrics
mkdir /data/chrome/metrics 0700 chrome chrome
mount tmpfs tmpfs /data/chrome/metrics size=1m
chown chrome chrome /data/chrome/metrics
chmod 0700 /data/chrome/metrics

# create directory for crash_manager
mkdir /data/chrome/minidumps 0770 chrome chrome

# create directory for non-essential artifacts
mkdir /data/chrome/tmp 0770 chrome chrome

# create directory for update_engine
mkdir /data/chrome/update 0770 chrome chrome

# create directory for cast ota update
mkdir /data/chrome/cache 0770 chrome chrome

# create directory for wpa_supplicant
mkdir /data/wifi 0770 wifi wifi
mkdir /dev/socket/wifi 0770 wifi wifi

exec /bin/sudo -u wifi /bin/sh /setup/wpa_supplicant_setup.sh

# create directory for widevine
mkdir /data/widevine 0750 chrome chrome

exec /bin/sh /sbin/collectd_setup.sh

exec /bin/sh /sbin/bluetooth_setup.sh

exec /bin/sudo -u chrome /bin/sh /setup/mute_setup.sh

#Generate Bluetooth Mac Address
exec /sbin/busybox sh /setup/BT_mac_setup.sh

# create directory for tee secure storage
symlink /factory /tee

# Create the directory used to hold client auth device credentials
mkdir /data/castauth 0770 chrome chrome

mkdir /var/ 0666 root chrome
mkdir /var/lock/ 0666 root chrome
exec /bin/touch  /var/lock/fw_printenv.lock

#adbd
mkdir /sys/kernel/config/usb_gadget/amlogic
write /sys/kernel/config/usb_gadget/amlogic/idVendor "0x18D1"
write /sys/kernel/config/usb_gadget/amlogic/idProduct "0x4e26"
mkdir /sys/kernel/config/usb_gadget/amlogic/strings/0x409
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/serialnumber "0123456789ABCDEF"
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/manufacturer "Xiaomi"
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/product "L09G"
mkdir /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1
mkdir /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409
write /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409/configuration "adb"
mkdir /sys/kernel/config/usb_gadget/amlogic/functions/ffs.adb
mkdir /dev/usb-ffs
mkdir /dev/usb-ffs/adb
mount functionfs adb /dev/usb-ffs/adb
symlink /sys/kernel/config/usb_gadget/amlogic/functions/ffs.adb /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/ffs.adb

on post-fs
# once everything is setup, no need to modify /
mount rootfs rootfs / ro remount

# network-related
exec /bin/ifconfig lo up
# exec /bin/alsactl restore -f /etc/asound.state
write /etc/hosts "127.0.0.1 localhost"
chmod 0644 /etc/hosts
write /proc/sys/kernel/hostname Chromecast
mkdir /data/property 0777 root root

# use IPv6 privacy addresses
write /proc/sys/net/ipv6/conf/default/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/eth0/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/wlan0/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/wlan1/use_tempaddr "2"

# set tcp socket buffer size
# only max value differs from kernel default
write /proc/sys/net/ipv4/tcp_rmem "4096 87380 2097152"
write /proc/sys/net/ipv4/tcp_wmem "4096 16384 2097152"
write /proc/sys/net/core/rmem_max "1220608"
write /proc/sys/net/core/wmem_max "1220608"

# Enable ICMP echo for broadcast/multicast address
write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts "0"

# logd: Increase datagram socket's qlen
write /proc/sys/net/unix/max_dgram_qlen 600

# sntpd
mkdir /data/sntpd 0700 sntpd sntpd

# Make kmsg readable/writeable to logd
chown root logd /dev/kmsg
chown root logd /proc/kmsg
chmod 0440 /proc/kmsg
chmod 0620 /dev/kmsg

# dhcpcd creates resolv.conf with wrong umask
# fill in Google DNS server in case router is not
# able to configure nameserver.
write /etc/resolv.conf "nameserver 8.8.8.8"
chmod 0644 /etc/resolv.conf
chown dhcp dhcp /etc/resolv.conf

# set defalt timezone to US pacific
symlink /usr/share/zoneinfo/America/Los_Angeles /data/share/chrome/localtime

chmod 0644 /etc/current_firmware_version.json

on boot
exec /sbin/busybox sh /setup/wifi_mac_setup.sh
exec /bin/sh /sbin/set_prompt_language.sh
exec /bin/sh /sbin/mute_check_bootup.sh

# Enable heap randomization before services start
write  /proc/sys/kernel/randomize_va_space "2"

start logd

# run the client auth indiv for model-based method
exec /chrome/client_auth_indiv --action=ensure --logtofile

start mute_service

# Play a dummy file to initialize the ALSA plugins.
exec /bin/aplay -Dvolume /usr/share/empty.wav

#start cast_control_server

exec /bin/sh /usr/bin/insert_modules.sh
#chown root chrome /dev/tee0
#chmod 0660 /dev/tee0
#start tee-supplicant

# dump device msg to logcat
#start dump_msg

exec /bin/sh -c "mount -w -o remount /dev/block/rootfs /"

#setup Bluetooth Mac Address,if don`t set BT mac, bt will fail
exec /bin/logwrapper /bin/set_macaddr

exec /system/bin/ifconfig wlan0 up
exec /system/bin/iw wlan0 interface add uap0 type managed

start wpa_supplicant

exec /sbin/populate_sn.sh
exec /bin/sh -c "echo Serial Number: $(cat /factory/serial.txt) > /dev/ttyS0"

# network_service.sh starts dhcp and net_mgr if necessary.
exec /bin/sh /sbin/network_service.sh

# update bootid and urandom
exec /bin/sh /sbin/update_bootid_and_urandom.sh

# setup certs for platform-managed method
# exec /bin/sh /sbin/certs_setup.sh

start cast_auth_check

start cast_installer

start servicemanager

start bluetoothtbd

chmod 666 /sys/devices/platform/soc/ff800000.aobus/ff805000.i2c/i2c-1/1-003b/led_rgb

# for adb
exec /usr/bin/set_usb_serialnumber.sh
# thermal_governor manages digital volume gain from amplifier
# start thermal_governor

chown root chrome /chrome/chrome-sandbox
chmod 04755 /chrome/chrome-sandbox
chown root chrome system/bin/dumpstate
chmod 04750 system/bin/dumpstate

# for ota, need change to /chrome/cache
mkdir /chrome/cache
chown chrome chrome /chrome/cache

#cast_receiver is start on cast_installer.sh

start sntpd

chown root chrome /dev/input/event0
chown root chrome /dev/input/event1
chown root chrome /dev/input/event2
chown root chrome /dev/input/event3

chown root panel /dev/i2c-1
chmod 0660 /dev/i2c-1

start input_service

start console

start adbd
exec /bin/sleep 1
write /sys/kernel/config/usb_gadget/amlogic/UDC "ff400000.dwc2_a"

start sshd

exec /bin/sh /sbin/watchdog_setup.sh
start watchdog
#start iperf
#start iperf_udp

#exec /sbin/busybox sh /usr/bin/MSTC_DownTouchFW
#enable welcome message and Muted microphone warning message
#Create a file to signal that assistant should play a bootup done tone
#signalling that end of bootup should not be quiet
start force_bootup

    exec /bin/sh -c "echo 0 > /proc/sys/kernel/printk"
start boot_complete

# Disallow raw tracepoint access for unpriv
write /proc/sys/kernel/perf_event_paranoid "0"

start mountd

# oneshot service to uploader dumpstate after factory data reset
# start dumpstate

start collectd

start process_monitor

start fdr_notify

start ota_service

# start ota external control
    #start external_control

    #start audio_source

start panel_service
## Daemon processes to be run by init.
# Service class names:
#   onboot - services that should be started only once, on boot
#   services - services which may be restarted
#   <default> - oneshot services which are started explicitly (dhcpd, etc)
#
# These class names are used by the debug script /sbin/android, to allow core
# services to be bounced.

service ueventd /sbin/ueventd
class onboot
critical

service console /sbin/busybox sh
console
user root

service sntpd /bin/sntpd
user root

service dhcpcd /bin/dhcpcd eth0 wlan0 -B --noarp -hXiaomi
class service
user root

service wpa_supplicant /bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/wifi/wpa_supplicant.conf
socket wpa_wlan0 dgram 660 wifi wifi
class service

service adbd /sbin/adbd
disabled

service boot_complete /bin/sh /sbin/boot_complete.sh
class service
oneshot
disabled

# sshd executable will be removed from the system image for secure
# builds (e.g. user builds) during the signing process.

service sshd /usr/bin/sshd -G -r /etc/rsa_host_key -F
disabled

#service cast_receiver /bin/logwrapper /system/usr/bin/start_cast_shell.sh \
#    capabilities SYS_NICE SYS_RESOURCE
#    user chrome
#    group chrome graphics wifi net_mgr watchdog log panel metrics mdns audio inet root net_bt_stack led
#    oneshot

service cast_receiver /bin/logwrapper /chrome/cast_cli start cast async
--accept-resource-provider=false
--alsa-volume-device-name="default"
--alsa-amp-device-name="default"
--alsa-amp-element-name="SPK unmute"
--audio-output-channels=2
--enable-multizone=true
--audio-input-mic-sensitivity=-26
--alsa-fixed-output-sample-rate=48000
--alsa-output-start-threshold=4096
--alsa-output-buffer-size=4096
--alsa-output-period-size=256
--default-eureka-name-prefix="Mi Smart Speaker"
--max-output-volume-dba1m=80
--setup-ssid-suffix=n115
--user-eq-max-bands=2
--ui-volume-control-levels=10
--voice-control-volume-up-down-percentage=5
--enable-multichannel=true
--ota-directory=/data/chrome/cache/
--voice-call-aec-gain-fixed=53:0:49:4:42:11:35:18:31:22:28:25:28:25:28:25:28:25:28:25:28:25
--voice-call-aec-delay-params=180:228
capabilities SYS_NICE SYS_RESOURCE
user chrome
group chrome graphics wifi net_mgr watchdog log panel metrics mdns audio inet root net_bt_stack led
oneshot

service cast_installer /bin/logwrapper /bin/sh /sbin/cast_installer.sh
user root
class service
disabled
oneshot

service input_service /bin/logwrapper /bin/input_service 0
user chrome
group chrome panel input
class service

service force_bootup /bin/logwrapper /bin/sh /sbin/force_bootup_sequence.sh
user root
class service
disabled
oneshot

#service cast_control_server /bin/logwrapper /bin/cast_control_server 8002
#    user root
#    group chrome system
#    class service
#    disabled

service net_mgr /bin/net_mgr
socket net_mgr seqpacket 0660 root net_mgr
class service

service dnsmasq /bin/dnsmasq
class service
disabled

on property:dnsmasq.enable=1
start dnsmasq

on property:dnsmasq.enable=0
stop dnsmasq

service watchdog /bin/watchdog -F
socket watchdog seqpacket 0660 root watchdog
class service
oneshot
disabled

#service iperf /bin/logwrapper /bin/iperf -s -p 8200 -i 2 -w 128K
#   oneshot

#service iperf_udp /bin/logwrapper /bin/iperf -s -p 8201 -i 2 -u
#   oneshot

service logd /system/bin/logd
class service
socket logd stream 666 logd logd
socket logdr seqpacket 666 logd logd
socket logdw dgram 222 logd logd
capabilities SYSLOG AUDIT_CONTROL SETGID SETUID
user logd
group logd system package_info readproc

on property:logd.logpersistd.enable=true
# all exec/services are called with umask(077), so no gain beyond 0700
mkdir /data/misc/logd 0700 logd log
start logcatd

on property:logd.logpersistd.enable=false
stop logcatd

service logcatd /system/bin/logcatd -b system,main -v threadtime -v printable -f /data/misc/logd/logcat -r 1024 -n 5
class late_start
user logd # write to /data/misc/logd
group log # read from log daemon

service mountd /sbin/mount_usb_drive.sh
oneshot

#service tee-supplicant /bin/tee-supplicant
#    class service

on property:hostapd.enable=1
start hostapd

on property:hostapd.enable=0
stop hostapd

service dump_msg /bin/dump_msg
class service

service panel_service /bin/logwrapper /bin/panel_service
user root
group panel watchdog chrome
socket panel seqpacket 0660 root panel
class service

service servicemanager /system/bin/servicemanager
capabilities SYS_NICE
user system
group system
critical
oneshot

service fdr_notify /bin/logwrapper /bin/fdr_notify
group chrome panel input
class service

service ota_service /bin/logwrapper /bin/mi_ota_service
class service

#service external_control /bin/logwrapper /bin/external_control
#    user chrome
#    group chrome
#    class service

# NET_ADMIN capability is required by rfkill (see kernel/net/rfkill/core.c)

service bluetoothtbd /system/bin/bluetoothtbd --enable-on-start=true
capabilities SYS_NICE NET_ADMIN
user bluetooth
group chrome net_bt_stack input
socket bluetooth_a2dp seqpacket 0660 net_bt_stack net_bt_stack
class service

#service autostartscript /bin/sh -c "sleep 20; sh /data/autostart.sh"
#    user root
#    oneshot

# Start autostartscript only for builds without a release track.

on property:ro.product.release.track=
start autostartscript

service collectd /bin/collectd -f
user root
class service
disabled

service process_monitor /bin/process_monitor
class service

#service thermal_governor /bin/logwrapper /bin/thermal_governor
#    class service

#service audio_source /bin/logwrapper /bin/audio_source
#   group chrome
#   class service

service mute_service /bin/mute_service
user chrome
group audio panel input
class service

on property:persist.chrome.reboot=true
setprop persist.chrome.reboot false
exec system/bin/reboot

service cast_auth_check /bin/cast_auth_check
user root
oneshot

In the init.rc file, the SSH service is disabled, as well as ADB. But I grabbed the ssh service commandline from there and pasted it to the end of the set_usb_serialnumber.sh file: /usr/bin/sshd -G -r /etc/rsa_host_key

Please note that I removed the -F parameter, this way sshd forks and is no longer a sub process of the shell script.

As I disassembled my speaker before setting it up, it still creates its own hotspot when powered on. So I connected my laptop to the hotspot and was able to login via ssh with the root user and no password.

The question now is what to do next?

Here are some ideas:

  1. Try modifying init.rc
    As the rootfs is mounted RW, I could try updating the init.rc file to enable the SSH service by default. But I doubt this will work as I am not sure if changes on the file will be written to then flash.
  2. Block the speaker from phoning home
    Most likely by blocking a bunch of hosts in the hosts files. Persistance would not be needed for that as we could write that file on each boot.
  3. Connecting the device to my home wifi and configuring it
    I currently have no idea how to do that
  4. Disable unwanted services
    E.g. the updater. If changes on init.rc are persistant, this could be done there
  5. Install additional services and run them at boot
    Should be no problem as we can modify the system partition now.

@duhow
Copy link
Owner

duhow commented May 3, 2023

That's great news!! I'll need to gain some more trust to solder the USB header then...
What I'd suggest is:

Using 1.44.27 firmware version as system base image, create patches for the l09g model:

  • remove OTA run
  • remove chrome run (Google Assistant)
  • add ssh with persistence key in /data
  • allow console shell with root (/etc/inittab, or other?)

You could then create 2 images based from the same system, one more "light" (less size) to boot, and other with all programs (MPD, snapcast) to be flashed at chrome partition (large).
Maybe remount everything from / to the chrome partition.

@duhow
Copy link
Owner

duhow commented May 3, 2023

I understand that "keeping Google services" may be desired, but my main objective with this project is to fully replace all the propietary software with open source alternatives, and having Home Assistant project that is promoting Assistant and Voice, I'm very confident we can come up with something for it.
Also, we're here to experiment :D

@mrmariosgithub
Copy link
Author

I'll need to gain some more trust to solder the USB header then

Thats pretty easy, there are labeled test points on the bottom side of the PCB if you don't want to solder to the micro USB contacts. You need to solder to the bottom side anyways as you need to grab the USB supply voltage from there as the voltage pin from the micro USB socket cannot be used. Once the USB A socket is glued to the board you are good to go.

add ssh with persistence key in /data

There is no need for that, there is already a ssh key present.

remove OTA run
remove chrome run (Google Assistant)
allow console shell with root (/etc/inittab, or other?)

There is no inittab in the filesystem. The file in question is the init.rc file where changes are not presistant. Regarding the shell, there has to be a command which stops the local shell, maybe we can use that to reenable the shell.

You could then create 2 images based from the same system, one more "light" (less size) to boot, and other with all programs (MPD, snapcast) to be flashed at chrome partition (large).

I havn't looked at the chrome partition yet, but using that for the new partitions sounds like a good idea to me.

I understand that "keeping Google services" may be desired

Nope, I also plan to remove all google services as well. The question here is: How do you configure your device afterwards? E.g. how do I configure the wifi interface?

@duhow
Copy link
Owner

duhow commented May 3, 2023

Configuring wifi "afterwards" requires some software / script to allow doing so. That's still pending to do.
What I'm using now is the script wifi_connect I wrote, but this is meant for mico images, not this Google one, so maybe it won't fully work for this case.
Still, you should be able to follow similar commands to configure wpa_supplicant.

@duhow duhow mentioned this issue May 3, 2023
Closed
@mrmariosgithub
Copy link
Author

I'll need to gain some more trust to solder the USB header then...

I am currently working on a small program to flash the system partition using only the serial interface thus making the USB port obsolete. Once SSH is enabled flashing can be done wirelessly.

I initially tried to use a bash script but that was horribly slow (I estimated around 36 hours for the 9MB system partition).

Using my c program I was able to write the system partition in around 90 minutes but it turned out that I was writing data to fast and crashing the u-boot that way. I hope that I can fix the bug by combining the write and the verification process. I hope this way u-boot has enough time to process thw commands.

I‘ll keep you updated on my progress.

@mrmariosgithub
Copy link
Author

I finally managed to finialize and test the serial flash program. As stated before, I had to implement is in c because the shell script was terribly slow. I also created a small script to generate a modified system.img file with SSH enabled. I uploaded all my code to a dedicated repo: https://github.com/mrmariosgithub/l09g

Flashing the system partion takes about 6h to complete. To further speedup the process in the future we can generate a heavily stripped down system image.

@mrmariosgithub
Copy link
Author

The following idea just came to my mind: Why not create a minimal system.img that contains all required binaries like the ssh server, busybox etc. (and all symlinks to busybox) that can be used to initially flash the L09G using the serial port. But, here comes the twist: besides starting the ssh server, the modified system image also checks for a custom script on the chrome partition. If the script exists, it executes that script.

That said script is our loader to start all required programs, kill google and xiaomi programs and patches things where needed. As discussed before, we want to flash the chrome partition with our programs anyways. By using this loader-on-the-chrome-partition approach, we only need to flash the system partition once and everything else can we done using ssh.

What do you think about that? If you agree, we should start with the minimal system image first before starting to work on the chrome partition. I think developing the system image should not take that long.

@duhow
Copy link
Owner

duhow commented May 10, 2023

@mrmariosgithub I had to reimplement the same code in Python, I was facing some "line unmatch issues" (guessing due to the speed of serial processing), but got the same SSH working! 💪🏻 (root no password, lol)
I'll spend some time investigating this and see what we can do...

@mrmariosgithub
Copy link
Author

Very nice, good to hear that! Feel free to ping me if you want to discuss or test something :-)

@duhow duhow added help wanted Extra attention is needed research labels May 26, 2023
@mrmariosgithub
Copy link
Author

Hi, did you made any progress with the L09G?

@ds2k5
Copy link

ds2k5 commented May 27, 2023

Very nice, good to hear that! Feel free to ping me if you want to discuss or test something :-)

sorry not now ...... still waiting for a fried he will buy soldering station

hope end of june he have an can bring me the micro usb port on

@mrmariosgithub
Copy link
Author

@duhow Can't we use this to dump the bootrom and OPT keys to flash a modified bootloader that does not check the signatures anymore?

The article is based on the sonos one gen2 which uses the same processor as the L09G but has more DRAM, so we might need to adjust some adresses. But as we have access to u-boot, we should be able to dump the FIP and BL3X from there. And as we have root access, we could use the kernel module as well.

@duhow
Copy link
Owner

duhow commented Jun 4, 2023

@mrmariosgithub as the speaker components contain propietary modules for wifi, sound, LEDs and so, I don't know if replacing the kernel / bootloader may remove this functionality.
I'm still on hold for the L09G due to work, but I plan to dedicate some time this summer.
My main focus for this project is to "patch base system to add new applications", but of course feel free to test anything that can improve functions or upgrade components version.

@duhow
Copy link
Owner

duhow commented Jun 19, 2023

File /init.rc contains all the command run execution , but I cannot find where this file is located at.

What I've been playing so far is to execute packages built for LX06 successfully - though Speaker (ALSA) needs some investigation work (can't get sound atm).

Also I couldn't find any A/B system partition, which may make this a little bit more complex than expected...

@mrmariosgithub
Copy link
Author

File /init.rc contains all the command run execution , but I cannot find where this file is located at.

The init.rc file is part of the initramfs which is part of the bootloader. That’s why I wanted to have the possibility, to resign the bootloader or patch the signature verification.

What I've been playing so far is to execute packages built for LX06 successfully - though Speaker (ALSA) needs some investigation work (can't get sound atm).

Great!!

Also I couldn't find any A/B system partition, which may make this a little bit more complex than expected...

There is no A/B partition, there is just the system partition.

@ds2k5
Copy link

ds2k5 commented Jun 26, 2023
edited
Loading

@mrmariosgithub

Hi,
had luck my friend could soldering the micoUSB-Port to the PCB.

Now I need helping hand to check if the port is working....

Tryed with "adb" but "no devices"
so How can I check in the bootloader or somthing else if the USB-Port is working ?

axg_s420_v1_gva#start usb
Unknown command 'start' - try 'help'
axg_s420_v1_gva#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found

@duhow
Copy link
Owner

duhow commented Jun 26, 2023

@ds2k5 adb might not be right available while the speaker is running in normal mode, but still you may be able to access it in u-boot - also fastboot may be available, so you can dump and flash content from USB directly.
Last, LX06 can be flashed with amlogic-flash-tool, so you can give it a try as well: https://github.com/duhow/xiaoai-patch/blob/master/research/lx06/install.md

@ds2k5
Copy link

ds2k5 commented Dec 27, 2023

sorry no from my side could not fix the usb-port welding

@psolyca
Copy link

psolyca commented Jan 8, 2024

Following this ^^ thanks guys for all this information.
I'm really interested. Already hacked some other devices ^^
It's just not my priority yet.

@duhow
Copy link
Owner

duhow commented Jan 8, 2024

Ideally we should reflash a new entire rootfs image, uboot and so, but I'm not risking to brick another speaker... Meanwhile we do have access to part of the system via ssh, so any findings are welcome :)

@G33KatWork
Copy link

G33KatWork commented Jan 10, 2024
edited
Loading

I know this might be naive, because they just might give a flying fuck about the GPL, but did anybody ever request the GPL sources for this thing from Xiaomi? We should at least get u-boot and the kernel which is everything we need.

edit: Sent an email to the German Xiaomi support. I can't wait to get ignored by them!

@psolyca
Copy link

psolyca commented Jan 10, 2024

You can try but I already know the answer.
I have done it for a project and people I know for others projects and it is really really hard to get them. If there are some proprietaries drivers it's impossible.

@cosash
Copy link

cosash commented Jan 10, 2024
edited
Loading

@mrmariosgithub Would you share your "small programm that repetitively executed the nand dump command on the u-boot shell"? I have serial access but no usb stick soldered (my solder skills are really bad...), and I want a backup before I flash your modified system.img with ssh enabled. By the way: Thank you for your efforts on the L09G!

@cosash
Copy link

cosash commented Jan 10, 2024

@duhow Can't we use this to dump the bootrom and OPT keys to flash a modified bootloader that does not check the signatures anymore?

The article is based on the sonos one gen2 which uses the same processor as the L09G but has more DRAM, so we might need to adjust some adresses. But as we have access to u-boot, we should be able to dump the FIP and BL3X from there. And as we have root access, we could use the kernel module as well.

@G33KatWork Nice to see you here. Did you notice the linked article? I bet you are able to apply this..Or you know some hacker friend who is 😉

@mrmariosgithub
Copy link
Author

@mrmariosgithub Would you share your "small programm that repetitively executed the nand dump command on the u-boot shell"?

The nand dump command dumps flash pages, you cannot (directly) use the dump to restore the partition. However, the system partition is part of the update file and you can simply extract the update and use the system partition image from there to reflash in case something went wrong.

@G33KatWork Nice to see you here. Did you notice the linked article? I bet you are able to apply this..Or you know some hacker friend who is 😉

I tried to go that path but with no success. But I am no hacker, so someone else might succeed there.

There is an other approach to use a custom kernel module to dump the secure keys from within the booted OS. I managed to compile and load the module, but I did not manage to make it work as described.

However, there seems to be a way to patch/disable the u-boot signature verification. I first heard about that in a talk of Dennis Giese on how they hacked vacuum robots. The way it works is the following: u-boot is loaded to RAM and is executed from there. As the addresses of u-boot in RAM is fixed, the address of the signature verification routine is fixed as well. By patching a few bytes in RAM the verification can be disabled and u-boot no longer refuses to boot unsigned kernel images. Once the patch (both the bytes to patch and the address to patch) we can add the patch to one of the commands executed by u-boot at bootup and the signature validation is permanently turned off.

@psolyca
Copy link

psolyca commented Jan 10, 2024

I will give it a try also. Same process than tegra hack (Switch)

@G33KatWork
Copy link

@G33KatWork Nice to see you here. Did you notice the linked article? I bet you are able to apply this..Or you know some hacker friend who is 😉

Oh shit, I have a reputation now and people know me? 😳
Yes, I know blasty personally. I need to get an L09G first. The black ones seem to be particularly rare right now and the white ones are now 60€ compared to November when they were still 40€ according to price search engines.
I'd like to scatter them around the house and use snapcast on them to realize a multi-room audio system.

However, there seems to be a way to patch/disable the u-boot signature verification. I first heard about that in a talk of Dennis Giese on how they hacked vacuum robots. The way it works is the following: u-boot is loaded to RAM and is executed from there. As the addresses of u-boot in RAM is fixed, the address of the signature verification routine is fixed as well. By patching a few bytes in RAM the verification can be disabled and u-boot no longer refuses to boot unsigned kernel images. Once the patch (both the bytes to patch and the address to patch) we can add the patch to one of the commands executed by u-boot at bootup and the signature validation is permanently turned off.

Yes. When you have a u-boot shell, u-boot is executing from RAM and not in-place from non-volatile flash and you can use memory write commands from the shell, it's game over. Just find the RSA signature check function and patch it to return true all the time. That's it. You have to do that on every boot, but if the environment is writable, the memory write command containing the patch can just be executed as part of the bootcmd.

@psolyca
Copy link

psolyca commented Jan 10, 2024

Ok, just made the link with @G33KatWork... I'm please to meet you ^^
I watch many times your CCC video for glitching the Switch to apply this to an old Tegra T20 but did not have all the hardware to do it. This SOC is the only one we can not get the key ^^ and Fusee Gelee does not work on it.
So more skill than me on this ^^

@duhow
Copy link
Owner

duhow commented Jan 15, 2024
edited
Loading

I'm thinking of an experimental flash that can go well or too bad, so bear with me for the results...

In short, planning to flash an old L09A all image to L09G.
https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/l09a/mico_all_d632e_1.54.0.bin

Steps involved:

  • have ssh to L09G and utils
  • flash bootloader and tpl (u-boot)
  • flash meson.dtb
  • flash boot0 kernel
  • flash custom system0 image to have access
  • edit u-boot env settings to match L09A and boot kernel

Problem is that mtd partition schema differs, so I'm planning to flash directly by skipping bytes.
Also L09G has 2x flash size.

part	size		name_google	size		name_xiaomi
mtd0:	00200000	bootloader	00200000	bootloader
mtd1:	00800000	tpl		00800000	tpl
mtd2:	00a00000	recovery	00600000	boot0
mtd3:	00c00000	boot		00600000	boot1
mtd4:	01000000	system		02800000	system0
mtd5:	04420000	chrome		02800000	system1
mtd6:	00400000	factory		01400000	data
mtd7:	081e0000	data

@duhow
Copy link
Owner

duhow commented Jan 15, 2024

Bad news.
I am stuck in a booloop from u-boot.

AXG:BL1:d1dbf2:a4926f;FEAT:F0DC31BC:2000;POC:F;EMMC:800;NAND:0;READ:0;CHK:1F;READ:0;CHK:1F;READ:0;CHK:1F;READ:0;CHK:1F;READ:0;CHK:1F;READ:83;READ:0;CHK:1F;READ:0;CHK:1F;SD:800;USB:8;

@jingyibo123

This comment was marked as off-topic.

Sign in to view
@duhow

This comment was marked as off-topic.

Sign in to view
@phste
Copy link

phste commented Jan 25, 2024

At the moment I'm trying to patch the signature verification. Loading of the kernel overrides the init bootarg, with the value in boot.img. I can preload the image with imgread kernel boot 1080000 and then modify the init arg in memory and then boot with bootm 1080000. This change then triggers the signature check, but is only temporary and lost after a reboot. U-Boot is loaded into memory by relocation to 0x1fec3000, therefore I dumped a lot of memory from there and searched in the code for the signature check. At the moment I'm able to ignore the check for the boot if I call mw.l 1fec8e40 d503201f before bootm. Unfortunately, this somehow bricks the decompression of the kernel image. I then get this log

aml log : R-2048 check fail with ERR = 1376

aml log : Sig Check 1376
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
Kernel command line: rootfstype=ramfs init=/bin/sh console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
      Amlogic Multi-DTB tool
      Single DTB detected
   Loading Kernel Image(COMP_NONE) ... OK
   kernel loaded at 0x01080000, end = 0x016a7800
Bad Linux ARM64 Image magic!(Maybe unsupported zip mode.)

If anybody has some ideas. Fixing the signature check would definitely allow us to modify the images as we please.

@duhow
Copy link
Owner

duhow commented Jan 25, 2024

I can preload the image with imgread kernel boot 1080000 and then modify the init arg in memory and then boot with bootm 1080000.

If so, you can write a new env run command and use it by default as persistent, right?

@phste
Copy link

phste commented Jan 25, 2024
edited
Loading

If so, you can write a new env run command and use it by default as persistent, right?

I was able to modify env variables at least in memory, I did not try saveenv yet. As I'm worried that it won't boot after that anymore.

@duhow
Copy link
Owner

duhow commented Jan 25, 2024

As long as you can return back to uboot, saveenv does not imply any risks.
Make sure to have a backup just in case, but if you're not deleting any entry should be fine :)

@phste
Copy link

phste commented Jan 26, 2024

@mrmariosgithub I believe I managed to patch the signature check in memory. I tried to modify party of the boot partition but this does not work as it is encrypted. Maybe my work can help you modify the initrc as you were thinking about.

The encryption is not a problem - at least compared to the signature check.

Also I was wondering why the encryption is a smaller problem than the signature check?

@mrmariosgithub
Copy link
Author

I believe I managed to patch the signature check in memory.

That’s great news, good job!

The encryption is not a problem - at least compared to the signature check.

Also I was wondering why the encryption is a smaller problem than the signature check?

Once the signature check is gone we can flash and boot our own kernel/system.

@mrmariosgithub
Copy link
Author

@phste Is the command mw.l 1fec8e40 d503201f still correct to disable the signature verification?

@phste
Copy link

phste commented Feb 1, 2024

@mrmariosgithub Yes. I can check later this evening. It disables that U-Boot checks the signature before trying to boot, but one problem is the method which I patched is doing a systemcall to the secure call monitor. A bit deeper into the bootloader a stage below U-Boot, its BL31. What I could not verify is whether it would boot an unencrypted boot.img. As the system call is causing the encryption as far as I could see.

@FloMaetschke
Copy link

Hi guys,
I also received an L09G today. I actually thought I had ordered an L09A, but that wasn't the case.

Unfortunately, I don't have much experience in device hacking. But I have already hacked a few devices following the instructions, connected TTL-to-serial, used uboot etc. My last project was a Kubernetes cluster running on several Android TV boxes.

So I'm not completely inexperienced, technically I could also understand what has been achieved so far and what you still have planned.

I am happy to offer my help if you want to check things again, e.g. run a tool for patching to see if a script runs as desired, etc. I still have the Smartspeaker here in its original packaging and will do my best to avoid setting it up.

My goal is also to get rid of the Google Assistant and use the whole thing as a Home Assistant Speaker/ MultiRoom Audio at some point.

Thank you for the good work you have already done.

@FloMaetschke
Copy link

@mrmariosgithub Yes. I can check later this evening. It disables that U-Boot checks the signature before trying to boot, but one problem is the method which I patched is doing a systemcall to the secure call monitor. A bit deeper into the bootloader a stage below U-Boot, its BL31. What I could not verify is whether it would boot an unencrypted boot.img. As the system call is causing the encryption as far as I could see.

Have you found a solution to this?

@noah-be
Copy link

noah-be commented Mar 22, 2024

I have 3 L09G. If I can be any help let me know. I would love to use these speaker like my roborock with valetudo. I would donate if someone could make this happen.

@mrmariosgithub
Copy link
Author

I've got some spare minutes a few days ago and revisisted this issue.

I downloaded the firmware 1.44.21 for the L09G and extracted the boot.img. Then I cloned into https://github.com/CyanogenMod/android_system_core.git and unpacked the boot.img:

$ python3 android_system_core/mkbootimg/unpackbootimg -i boot.img -o tmp
Android magic found at: 0
BOARD_KERNEL_CMDLINE rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000
BOARD_KERNEL_BASE 01080000
BOARD_RAMDISK_OFFSET 01000000
BOARD_SECOND_OFFSET 00f00000
BOARD_TAGS_OFFSET 00000100
BOARD_PAGE_SIZE 2048
BOARD_SECOND_SIZE 47104
BOARD_DT_SIZE 0

I immediatelly repacked it to get an unsigned boot image:

python3 android_system_core/mkbootimg/mkbootimg \
--base "0x$(cat tmp/boot.img-base)" \
--cmdline "$(cat tmp/boot.img-cmdline)" \
--kernel tmp/boot.img-zImage \
--kernel_offset "0x$(cat tmp/boot.img-kernel_offset)" \
--ramdisk tmp/boot.img-ramdisk.gz \
--ramdisk_offset "0x$(cat tmp/boot.img-ramdisk_offset)" \
--second tmp/boot.img-second \
--second_offset "0x$(cat tmp/boot.img-second_offset)" \
--output ./new-boot.img

Now I have "the same" boot image twice:

$ file boot.img new-boot.img
boot.img:     Android bootimg, kernel (0x1080000), ramdisk (0x1000000), second stage (0xf00000), page size: 2048, cmdline (rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000)
new-boot.img: Android bootimg, kernel (0x1080000), ramdisk (0x1000000), second stage (0xf00000), page size: 2048, cmdline (rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000)
$
$ ls -la --time-style=+"" boot.img new-boot.img
-rw-rw-r-- 1 mario mario 9148928  boot.img
-rw-rw-r-- 1 mario mario 9148416  new-boot.img

I copied both files to an USB drive and tried loading them with signature check on and patched. The stock boot.img worked in both cases.

Loading the new-boot.img with signature check on obviously makes the check fail:

axg_s420_v1_gva#usb start
(Re)start USB...
USB0:   USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
axg_s420_v1_gva#fatload usb 0 ${loadaddr} new-boot.img
9148416 bytes read in 421 ms (20.7 MiB/s)
axg_s420_v1_gva#bootm ${loadaddr}

aml log : Sig Check 1423
axg_s420_v1_gva#

Patching the signature check leads to the error described above:

axg_s420_v1_gva#mw.l 1fec8e40 d503201f
axg_s420_v1_gva#usb start
(Re)start USB...
USB0:   USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
axg_s420_v1_gva#fatload usb 0 ${loadaddr} new-boot.img
9148416 bytes read in 421 ms (20.7 MiB/s)
axg_s420_v1_gva#bootm ${loadaddr}

aml log : Sig Check 1423
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
Kernel command line: rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
      Amlogic Multi-DTB tool
      Single DTB detected
Host not halted after 16000 microseconds.
   Loading Kernel Image(COMP_NONE) ... OK
   kernel loaded at 0x01080000, end = 0x016a6000
Bad Linux ARM64 Image magic!(Maybe unsupported zip mode.)
axg_s420_v1_gva#

There are two possiblities that can cause the issue:

  1. The signature patch is not working as intended
  2. The repacked new-boot.img is corrupted

If someone comes up with an idea what to test next (new patch or fixed repacking) I can easily try that.

@mrmariosgithub
Copy link
Author

I was able to compile and "boot" a custom kernel on the L09G 😀

Unfortunately the kernel gets stuck at a kernel panic. If someone can help me to get past that issue and drop into a busybox initramfs shell that would be awesome!

(You need both UART and USB soldered to the board for this)

Here is what I did:

Download and extract the kernel

The L09G uses a 4.9.113 kernel with custom/proprietary code. I decided to go for the 5.19.9 kernel as it is more recent and I thougt it could be better suited. I downloaded the kernel sources from here: https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.19.9.tar.xz

Create default config

make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- mrproper
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- defconfig

Tweak config

make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- menuconfig

Main menu -> Virtualization ==> disable
Main menu -> Platform selection ==> disable all and enable "Amlogic Platforms"
Main menu -> Boot options -> UEFI runtime support ==> disable

Create and configure internal initramfs

See https://trac.gateworks.com/wiki/linux/initramfs

Compile kernel and generate boot image

make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- Image -j8
mkimage -A arm64 -O linux -T kernel -C none -a 0x1080000 -e 0x1080000 -n l09g-custom -d arch/arm64/boot/Image ../uImage

Load and boot the kernel on the L09G

axg_s420_v1_gva#mw.l 1fec8e40 d503201f
axg_s420_v1_gva#usb start
(Re)start USB...
USB0:   USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
axg_s420_v1_gva#fatload usb 0 ${loadaddr} uImage
22464584 bytes read in 1006 ms (21.3 MiB/s)
axg_s420_v1_gva#setenv bootargs "keep_bootcon loglevel=15 debug noinitrd console=ttyS0,115200 no_console_suspend earlycon=meson,0xff803000"
axg_s420_v1_gva#bootm ${loadaddr}

Boot log

aml log : Sig Check 1423
avb2: 0
save_power_post ...
avb2: 0
## Booting kernel from Legacy Image at 01080000 ...
   Image Name:   l09g-custom
   Image Type:   AArch64 Linux Kernel Image (uncompressed)
   Data Size:    22464520 Bytes = 21.4 MiB
   Load Address: 01080000
   Entry Point:  01080000
   Verifying Checksum ... OK
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
      Amlogic Multi-DTB tool
      Single DTB detected
Host not halted after 16000 microseconds.
   Loading Kernel Image(COMP_NONE) ... OK
   kernel loaded at 0x01080000, end = 0x025ec808
   Loading Device Tree to 000000001dea3000, end 000000001deb11af ... OK
fdt_fixup_memory_banks, reg:0000000000000000

Starting kernel ...

uboot time: 78618866 us
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.19.9 (mario@luigi) (aarch64-linux-gnu-gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #2 SMP PREEMPT Fri May 3 06:23:57 UTC 2024
[    0.000000] Machine model: Amlogic
[    0.000000] printk: debug: skip boot console de-registration.
[    0.000000] earlycon: meson0 at MMIO 0x00000000ff803000 (options '')
[    0.000000] printk: bootconsole [meson0] enabled
[    0.000000] [Firmware Bug]: Kernel image misaligned at boot, please fix your bootloader!
[    0.000000] Reserved memory: created CMA memory pool at 0x0000000005000000, size 4 MiB
[    0.000000] OF: reserved mem: initialized node linux,secmon, compatible id shared-dma-pool
[    0.000000] NUMA: No NUMA configuration found
[    0.000000] NUMA: Faking a node at [mem 0x0000000000000000-0x000000001fffffff]
[    0.000000] NUMA: NODE_DATA [mem 0x1febeb40-0x1fec0fff]
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000000000000-0x000000001fffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000001fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000001fffffff]
[    0.000000] cma: Reserved 32 MiB at 0x000000001be00000
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] psci: SMC Calling Convention v1.1
[    0.000000] percpu: Embedded 19 pages/cpu s38760 r8192 d30872 u77824
[    0.000000] pcpu-alloc: s38760 r8192 d30872 u77824 alloc=19*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: kernel page table isolation forced ON by KASLR
[    0.000000] CPU features: detected: Kernel page table isolation (KPTI)
[    0.000000] CPU features: detected: ARM erratum 845719
[    0.000000] Fallback order for Node 0: 0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 129024
[    0.000000] Policy zone: DMA
[    0.000000] Kernel command line: keep_bootcon loglevel=15 debug noinitrd console=ttyS0,115200 no_console_suspend earlycon=meson,0xff803000 reboot_mode=normal
[    0.000000]
[    0.000000] Unknown kernel command line parameters "reboot_mode=normal", will be passed to user space.
[    0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 453340K/524288K available (12544K kernel code, 1394K rwdata, 4700K rodata, 3136K init, 478K bss, 34084K reserved, 36864K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Preemptible hierarchical RCU implementation.
[    0.000000] rcu:     RCU event tracing is enabled.
[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000]  Trampoline variant of Tasks RCU enabled.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GIC: GICv2 detected, but range too small and irqchip.gicv2_force_probe not set
[    0.000000] Root IRQ handler: gic_handle_irq
[    0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[    0.000000] arch_timer: cp15 timer(s) running at 24.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns
[    0.000001] sched_clock: 56 bits at 24MHz, resolution 41ns, wraps every 4398046511097ns
[    0.008424] Console: colour dummy device 80x25
[    0.012598] Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=96000)
[    0.022842] pid_max: default: 32768 minimum: 301
[    0.027533] LSM: Security Framework initializing
[    0.032244] Mount-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.039468] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.048782] cblist_init_generic: Setting adjustable number of callback queues.
[    0.054570] cblist_init_generic: Setting shift to 2 and lim to 1.
[    0.060706] cblist_init_generic: Setting shift to 2 and lim to 1.
[    0.066913] rcu: Hierarchical SRCU implementation.
[    0.071584] rcu:     Max phase no-delay instances is 1000.
[    0.078320] smp: Bringing up secondary CPUs ...
[    0.082023] Detected VIPT I-cache on CPU1
[    0.082105] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.082782] Detected VIPT I-cache on CPU2
[    0.082848] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.083479] Detected VIPT I-cache on CPU3
[    0.083540] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.083632] smp: Brought up 1 node, 4 CPUs
[    0.117268] SMP: Total of 4 processors activated.
[    0.121980] CPU features: detected: 32-bit EL0 Support
[    0.127158] CPU features: detected: CRC32 instructions
[    0.132657] CPU: All CPU(s) started at EL2
[    0.136441] alternatives: patching kernel code
[    0.142045] devtmpfs: initialized
[    0.150707] KASLR disabled due to lack of seed
[    0.150926] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.159362] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.167407] pinctrl core: initialized pinctrl subsystem
[    0.172611] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.178713] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[    0.184687] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.192394] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.200362] audit: initializing netlink subsys (disabled)
[    0.205938] audit: type=2000 audit(0.136:1): state=initialized audit_enabled=0 res=1
[    0.206472] thermal_sys: Registered thermal governor 'step_wise'
[    0.213497] thermal_sys: Registered thermal governor 'power_allocator'
[    0.219923] cpuidle: using governor menu
[    0.230203] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.236961] ASID allocator initialised with 32768 entries
[    0.242275] HugeTLB: can optimize 4095 vmemmap pages for hugepages-1048576kB
[    0.249361] HugeTLB: can optimize 127 vmemmap pages for hugepages-32768kB
[    0.256184] HugeTLB: can optimize 7 vmemmap pages for hugepages-2048kB
[    0.262746] HugeTLB: can optimize 0 vmemmap pages for hugepages-64kB
[    0.269976] Serial: AMBA PL011 UART driver
[    0.291920] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.293001] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.299768] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.306490] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.315162] iommu: Default domain type: Translated
[    0.318142] iommu: DMA domain TLB invalidation policy: strict mode
[    0.324781] SCSI subsystem initialized
[    0.328377] libata version 3.00 loaded.
[    0.332278] usbcore: registered new interface driver usbfs
[    0.337582] usbcore: registered new interface driver hub
[    0.342910] usbcore: registered new device driver usb
[    0.348360] pps_core: LinuxPPS API ver. 1 registered
[    0.352945] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <[email protected]>
[    0.362141] PTP clock support registered
[    0.366188] EDAC MC: Ver: 3.0.0
[    0.370188] FPGA manager framework
[    0.372717] Advanced Linux Sound Architecture Driver Initialized.
[    0.379575] vgaarb: loaded
[    0.381916] clocksource: Switched to clocksource arch_sys_counter
[    0.387878] VFS: Disk quotas dquot_6.6.0
[    0.391587] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.404455] NET: Registered PF_INET protocol family
[    0.404648] IP idents hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.411706] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.419442] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[    0.427164] TCP established hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.434991] TCP bind hash table entries: 4096 (order: 4, 65536 bytes, linear)
[    0.442174] TCP: Hash tables configured (established 4096 bind 4096)
[    0.448614] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.455079] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.462231] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    0.468211] RPC: Registered named UNIX socket transport module.
[    0.473736] RPC: Registered udp transport module.
[    0.478456] RPC: Registered tcp transport module.
[    0.483151] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.489635] PCI: CLS 0 bytes, default 64
[    0.502348] armv8-pmu ff634680.arm_pmu: hw perfevents: no interrupt-affinity property, guessing.
[    0.510063] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.515119] Initialise system trusted keyrings
[    0.518205] workingset: timestamp_bits=42 max_order=17 bucket_order=0
[    0.530240] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.531112] NFS: Registering the id_resolver key type
[    0.535596] Key type id_resolver registered
[    0.539732] Key type id_legacy registered
[    0.543832] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.550493] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.558156] 9p: Installing v9fs 9p2000 file system support
[    0.599098] Key type asymmetric registered
[    0.599123] Asymmetric key parser 'x509' registered
[    0.602501] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)
[    0.609889] io scheduler mq-deadline registered
[    0.614436] io scheduler kyber registered
[    0.619627] irq_meson_gpio: 100 to 8 gpio interrupt mux initialized
[    0.630792] axg-clkc ff63c000.clock-controller: failed to get HHI regmap
[    0.631881] axg-clkc: probe of ff63c000.clock-controller failed with error -22
[    0.644428] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.647953] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.657238] loop: module loaded
[    0.658093] megasas: 07.719.03.00-rc1
[    0.661993] tun: Universal TUN/TAP device driver, 1.6
[    0.664179] thunder_xcv, ver 1.0
[    0.666801] thunder_bgx, ver 1.0
[    0.670004] nicpf, ver 1.0
[    0.673051] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    0.679942] hns3: Copyright (c) 2017 Huawei Corporation.
[    0.685361] hclge is initializing
[    0.688628] e1000: Intel(R) PRO/1000 Network Driver
[    0.693501] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    0.699322] e1000e: Intel(R) PRO/1000 Network Driver
[    0.704262] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    0.710248] igb: Intel(R) Gigabit Ethernet Network Driver
[    0.715639] igb: Copyright (c) 2007-2014 Intel Corporation.
[    0.721271] igbvf: Intel(R) Gigabit Virtual Function Network Driver
[    0.727537] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    0.733676] sky2: driver version 1.30
[    0.737641] VFIO - User Level meta-driver version: 0.3
[    0.743918] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    0.748924] ehci-pci: EHCI PCI platform driver
[    0.753400] ehci-platform: EHCI generic platform driver
[    0.758776] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    0.764850] ohci-pci: OHCI PCI platform driver
[    0.769312] ohci-platform: OHCI generic platform driver
[    0.774959] usbcore: registered new interface driver usb-storage
[    0.782056] i2c_dev: i2c /dev entries driver
[    0.787027] sdhci: Secure Digital Host Controller Interface driver
[    0.791104] sdhci: Copyright(c) Pierre Ossman
[    0.795799] Synopsys Designware Multimedia Card Interface Driver
[    0.801974] sdhci-pltfm: SDHCI platform and OF driver helper
[    0.807896] ledtrig-cpu: registered to indicate activity on CPUs
[    0.814084] usbcore: registered new interface driver usbhid
[    0.818810] usbhid: USB HID core driver
[    0.825294] NET: Registered PF_PACKET protocol family
[    0.827940] 9pnet: Installing 9P2000 support
[    0.832115] Key type dns_resolver registered
[    0.836774] registered taskstats version 1
[    0.840443] Loading compiled-in X.509 certificates
[    0.851942] ALSA device list:
[    0.851984]   No soundcards found.
[    0.852737] Warning: unable to open an initial console.
[    0.859170] Freeing unused kernel memory: 3136K
[    0.874094] Run /init as init process
[    0.874135]   with arguments:
[    0.875091]     /init
[    0.877366]   with environment:
[    0.880535]     HOME=/
[    0.882885]     TERM=linux
[    0.885591]     reboot_mode=normal
[    0.899799] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
[    0.901855] CPU: 3 PID: 1 Comm: init Not tainted 5.19.9 #2
[    0.907362] Hardware name: Amlogic (DT)
[    0.911214] Call trace:
[    0.913662]  dump_backtrace.part.0+0xc8/0xd4
[    0.917949]  show_stack+0x18/0x5c
[    0.921274]  dump_stack_lvl+0x68/0x84
[    0.924949]  dump_stack+0x18/0x34
[    0.928274]  panic+0x16c/0x32c
[    0.931336]  do_exit+0x8c4/0x8cc
[    0.934574]  do_group_exit+0x34/0xa0
[    0.938161]  __arm64_sys_exit_group+0x18/0x20
[    0.942536]  invoke_syscall+0x48/0x114
[    0.946299]  el0_svc_common.constprop.0+0x44/0xfc
[    0.951024]  do_el0_svc+0x30/0xc0
[    0.954349]  el0_svc+0x34/0xb0
[    0.957411]  el0t_64_sync_handler+0xbc/0x140
[    0.961699]  el0t_64_sync+0x18c/0x190
[    0.965379] SMP: stopping secondary CPUs
[    0.969319] Kernel Offset: 0x80000 from 0xffff800008000000
[    0.974824] PHYS_OFFSET: 0x0
[    0.977711] CPU features: 0x0000,00120010,00001082
[    0.982524] Memory Limit: none
[    0.985593] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000 ]---

@phste
Copy link

phste commented May 3, 2024

@mrmariosgithub Unfortunately, I was unable to devote a lot of time to it the last few weeks. But its amazing that you are able to get a kernel to start booting up with the signature patch! What I was suspecting is that the kernel image is somehow encrypted, and by skipping the signature check (as my code is doing), the decryption is hindered. One aspect I'm not sure about is whether the kernel has some binary blobs in it for the audio processing and whether a 100% custom kernel destroys the audio recording quality. But that's a thing for testing. What also could be possible to replace the uboot with a custom compiled uboot that does not check for signature... I'll be checking out your kernel build, hopefully today or the next few days, to see whether I can somehow help.

@FloMaetschke
Copy link

Heya, any progress on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed L09G research
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests