[ { "path": "README.md", "content": "# \"NotABug\" - [superbird-bulkcmd](https://github.com/frederic/superbird-bulkcmd)\n\n[Spotify Car Thing](https://carthing.spotify.com/) (superbird) resources to access U-Boot shell over USB. Not a bug, it is a [\"feature\"](https://miro.medium.com/max/1200/1*KDfUqn6c66axcbsTPPWSpQ.jpeg).\n\n![Hacked Car Thing](https://i.imgur.com/VRjOR5v.jpg)\n\n*Note: this method has been tested on the factory firmware (device never used/updated : App Version 0.24.107 - OS Version 6.3.29), but should work on all firmware versions released as of this article's writing.*\n\n# Disclaimer\nYou are solely responsible for any damage caused to your hardware/software/keys/DRM licences/warranty/data/cat/etc...\n\n# Requirements\n- A Car Thing (superbird) without USB password\n- Either a USB A to C, or a C to C cable\n- A PC running some flavor of 64-bit GNU Linux\n- `libusb-dev` installed\n\n# FAQ\nDoes this process void my warranty on this device?\n- Probably, assume so.\n\nCan I OTA afterwards?\n- If you don't perform any persistent change, probably yes.\n- But if you disable dm-verity and modify on-device partitions, OTA updates will fail, though given this device is EOL, we don't expect further OTA updates.\n\nCan I still use stock features ?\n- Yes! Perfectly normal and usable, this just enables root access and ADB.\n\nCan I go back to stock after installing custom OS's or messing up the stock image?\n- Theoretically, if you have a good eMMC dump, the U-Boot shell should allow you to restore the partitions. **But this has not been tested thoroughly!**\n\n# Files\n- /bin/: prebuilt set of required tools\n - [update](https://github.com/khadas/utils/blob/master/aml-flash-tool/tools/linux-x86/update): Client for the USB Burning protocol implemented in Amlogic bootloaders\n- /images/: prebuilt images to upload via USB\n - [superbird.bl2.encrypted.bin](images/superbird.bl2.encrypted.bin) : dump of hardware partition *boot0* (mmcblk0boot0)\n - [superbird.bootloader.img](images/superbird.bootloader.img) : dump of user partition *bootloader* (mmcblk0p01)\n - [superbird.initrd-base.cpio](images/superbird.initrd-base.cpio) : created by provided script [extract-cpio.sh](scripts/extract-cpio.sh)\n - [superbird.initrd.img](images/superbird.initrd.img) : created by provided script [pack-initrd.sh](scripts/pack-initrd.sh)\n - [superbird.kernel.img](images/superbird.kernel.img) : zImage extracted from user partition *boot_a* (mmcblk0p12) + weird AML modifications reverted\n- /initrd/: files to customize the initrd image\n- /scripts/: scripts used to simplify interactions with the devices\n\n# Guide : U-Boot shell over USB (*USB burning mode*)\n1. Unplug the Car Thing from everything\n2. Clone/Download this repo locally, and change your shell's directory to it & ensure you `libusb-dev` installed\n3. Hold buttons 1 & 4 on the case, and plug the Car Thing into your PC via USB\n\nThe host should see a new USB device connection in `dmesg` like this one:\n```text\nusb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.20\nusb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0\nusb 1-1: Product: GX-CHIP\nusb 1-1: Manufacturer: Amlogic\n```\n4. Release the button once this device has been detected by host computer.\n5. Execute script [scripts/burn-mode.sh](scripts/burn-mode.sh) to boot U-Boot in *USB burning mode*.\nA new USB device appears on host side :\n```\nusb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.07\nusb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0\n```\n6. Execute the following commands to enable U-Boot shell at every boot.\n\n**WARNING: This step modifies the *env* partition. Changes are persistent, so it shall be executed only once.**\n```shell\n./bin/update bulkcmd 'amlmmc env'\n./bin/update bulkcmd 'setenv storeargs ${storeargs} run update\\;'\n./bin/update bulkcmd 'env save'\n```\n7. Reboot the device by unplugging and re-plugging the USB connection.\n\nAfter this modification, the device always boots in *USB burning mode* (U-Boot shell over USB) when connected to USB host : you can execute U-Boot commands using the [update](bin/update) tool, but you can't see any output (unless you open the device to connect the UART interface).\n\n*Note: if not connected to USB host, the device continues default boot sequence.*\n\n## Boot kernel from USB to enable ADB access\nOnce the device in *USB burning mode*, the script [scripts/upload-kernel.sh](scripts/upload-kernel.sh) can upload a Linux kernel image and boot it.\nThe init-ramdisk includes an *initd* script that starts the ADB server.\nSystem partition is not modified, so this is not persistent.\n\nThe ADB interface appears as a new USB device on the host:\n```\nusb 1-2: new high-speed USB device number 18 using xhci_hcd\nusb 1-2: New USB device found, idVendor=18d1, idProduct=4e40, bcdDevice= 2.23\nusb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3\nusb 1-2: Product: Superbird\nusb 1-2: Manufacturer: Spotify\nusb 1-2: SerialNumber: 123456\n```\n\n*Note: There is a script that is intended to be run from a UART shell included in scripts that will enable persistent ADB, but is not reccomended, as it will remove the abillity to OTA update. You can find that script [here](scripts/enable-adb.sh.client).*\n\n# Explanation\nWhen the Car Thing launched, it largely flew under most people's radar, and comically it wasn't until Spotify _deeply_ discounted it in late 2022, to $29.99 that it caught our eyes.\n\nThis device was designed to be a simple music selection device that mounts to your car dashboard or air-vents. It is unfortunately very underpowered, with a lower-end Amlogic chip, the S905D2, paired with 500 _MB_ of RAM - ouch.\n\nWhen the device was discounted, I (Nolen) picked up a few units for security research, and messaged Fred shortly after starting to ask about collaborating on it - and comically he had independently already started.\n\nTo start, U-boot and Linux kernel source code for this device is [public](https://github.com/spsgsb/) but advertised nowhere by Spotify.\n\nWe discovered shortly into research, that holding buttons 1 & 4 on boot put the deivce into Amlogic's USB mode, where you can upload BL2 images! Sweet.\n\nWe were able to upload a signed BL2, and then from there, upload a signed BL33, which kicked us into Amlogic's Burn Mode.\n\nFrom here we were able to execute U-Boot shell commands via Amlogic's `update` command, and the `bulkcmd` feature it houses.\n\nAt this point, it became clear UART would aid our efforts, and with some simple voltage sniffing and an educated guess, we discerned the UART has the following pin-out:\n![Car Thing UART Pin-out](https://i.imgur.com/LpP9VgB.jpg)\n\nFor our development case, we wanted more persistent access to the UART pins, so we removed the sticker on the rear of the device, dissasembled, removed the rear heat-shield, and then filed out part of the case, as shown below\n![Car Thing UART Setup](https://i.imgur.com/vpUnuvx.jpg)\n\nOnce we had UART console, we continued about, and crafted a method to enable a root shell over UART:\n```\nsudo update bulkcmd 'amlmmc env'\nsudo update bulkcmd 'setenv initargs init=/sbin/pre-init'\nsudo update bulkcmd 'setenv initargs ${initargs} ramoops.pstore_en=1'\nsudo update bulkcmd 'setenv initargs ${initargs} ramoops.record_size=0x8000'\nsudo update bulkcmd 'setenv initargs ${initargs} ramoops.console_size=0x4000'\nsudo update bulkcmd 'setenv initargs ${initargs} rootfstype=ext4'\nsudo update bulkcmd 'setenv initargs ${initargs} console=ttyS0,115200n8'\nsudo update bulkcmd 'setenv initargs ${initargs} no_console_suspend'\nsudo update bulkcmd 'setenv initargs ${initargs} earlycon=aml-uart,0xff803000'\nsudo update bulkcmd 'setenv storeargs ${storeargs} setenv avb2 0\\;'\nsudo update bulkcmd 'setenv initargs ${initargs} ro root=/dev/mmcblk0p15'\nsudo update bulkcmd 'env save'\n```\n\nThis gave us a local root shell, but still required UART - we took note that the device happened to have `adbd` locally installed, but not running.\n\nWe realized it wasn't as simple as _just_ starting the daemon, we had to [disable](scripts/disable-avb2.sh) [Android Verified Boot](https://source.android.com/docs/security/features/verifiedboot), and configure the device's USB connection in an `init.d` script, as shown in [scripts/enable-adb.sh.client](scripts/enable-adb.sh.client).\n\nAt this point we had full u-boot access, as well as persistent ADB (root) access, we initially wanted to try to bring-up Android Automotive on the device, but 500 MB of RAM made Android near-impossible to port.\n\nWe also tried to get other GUI applications _cough_ maybe doom _cough_ running, but this device utilizes a QT feature called [EGLFS](https://doc.qt.io/qt-6/embedded-linux.html), which doesn't have a window management system like X11 or Wayland, so it is hard to get additional applications running on the device, but hey, maybe someone in the community can get it working using the access we're providing!\n\nWe ended up settling on using a modified init-ramdisk loaded via USB to simplify attaining root-access for the end-user. Hope you enjoy!\n\n# Additional Scripts (for advanced use-cases)\n\n## To Be Executed from U-Boot shell\n- [scripts/dump.sh](scripts/dump.sh) : Dump eMMC over USB\n- [scripts/uart-shell.sh](scripts/uart-shell.sh) : Modify *env* partition to enable Linux root shell over UART\n(**note: Access to UART port requires to open the device**) - see the \"Utilizing UART\" section below for more information on that.\n- [scripts/disable-avb2.sh](scripts/disable-avb2.sh) : Modify *env* partition to disable `AVB2` & `dm-verity`\n- [scripts/uboot-continue.sh](scripts/uboot-continue.sh) : Exit U-Boot *USB Burning mode* and continue default boot sequence\n- [scripts/hacked-bootlogo.sh](scripts/hacked-bootlogo.sh) : Modify the device's bootlogo to the one shown in the header of this writeup.\n\n## Init-Ramdisk Customizations\n- [scripts/extract-cpio.sh](scripts/extract-cpio.sh) : Extract files from system partition dump to create initrd image\n- [scripts/pack-initrd.sh](scripts/pack-initrd.sh) : Pack custom initrd image\n\n## To Be Executed from an ADB (root) Shell on Device\n- [scripts/enable-adb.sh.client](scripts/enable-adb.sh.client) : Modify the local file-system to start the ADB daemon on each boot. This will remove the abillity to OTA update the device, and there are no factory images yet - *MAKE SURE YOU USE THE DUMP SCRIPT ABOVE BEFORE UTILIZING THIS.* To use, open the script, and copy paste each command into an existing ADB (root) shell, or push to the device (renaming to `.sh`), and execute it.\n\n# Known Dangerous Actions\n- Many developers may (as we did) think that the easiest path to running custom code on this device would be to use the provided burn-mode access to run `update bulkcmd fastboot` and then `fastboot flashing unlock` the device. *BE WARNED*, this bricked every device we tried it on. You will end up with a blank, black screen on boot, and we have yet to discern how to recover from this. This will be updated if this type of bricked device is recoverable.\n\n# Disclosure Notes\n- October 20, 2022 - Intitial notice sent to Spotify\n- October 21, 2022 - Spotify responded on HackerOne stating that the product is unsupported, and end-of-life, and therefore no bugs would be accepted pertaining to the product\n\n*Note: This writeup doesn't technically warrant disclosure, as it doesn't leverage any specific vulnerabillities, but instead chains together what we suspect to be unintentional access venues to gain root-access.*\n\n# Credits\n- Frédéric Basse (frederic) & Nolen Johnson (npjohnson): The \"exploit\", writeup, debugging/developing/theorizing the methodologies used.\n- Sean Hoyt (deadman): The awesome hacked-logo image.\n\n# Relevant Device Source Code\n- U-Boot: [superbird-uboot](https://github.com/spsgsb/uboot/tree/buildroot-openlinux-201904-g12a)\n- GNU/Linux: [superbird-linux](https://github.com/spsgsb/kernel-common)\n" }, { "path": "initrd/S49usbgadget", "content": "mkdir -p /dev/usb-ffs\nmkdir -p /dev/usb-ffs/adb\nmount -t configfs none /sys/kernel/config/\nmkdir -p /sys/kernel/config/usb_gadget/g1\necho 0x18d1 > /sys/kernel/config/usb_gadget/g1/idVendor\necho 0x4e40 > /sys/kernel/config/usb_gadget/g1/idProduct\necho 0x0223 > /sys/kernel/config/usb_gadget/g1/bcdDevice\necho 0x0200 > /sys/kernel/config/usb_gadget/g1/bcdUSB\nmkdir -p /sys/kernel/config/usb_gadget/g1/strings/0x409\necho 123456 > /sys/kernel/config/usb_gadget/g1/strings/0x409/serialnumber\necho Spotify > /sys/kernel/config/usb_gadget/g1/strings/0x409/manufacturer\necho Superbird > /sys/kernel/config/usb_gadget/g1/strings/0x409/product\nmkdir -p /sys/kernel/config/usb_gadget/g1/functions/ffs.adb\nmkdir -p /sys/kernel/config/usb_gadget/g1/configs/b.1\nmkdir -p /sys/kernel/config/usb_gadget/g1/configs/b.1/strings/0x409\necho 500 > /sys/kernel/config/usb_gadget/g1/configs/b.1/MaxPower\nmount -t functionfs adb /dev/usb-ffs/adb\nln -s /sys/kernel/config/usb_gadget/g1/configs/b.1 /sys/kernel/config/usb_gadget/g1/os_desc/b.1\necho adb > /sys/kernel/config/usb_gadget/g1/configs/b.1/strings/0x409/configuration\nln -s /sys/kernel/config/usb_gadget/g1/functions/ffs.adb /sys/kernel/config/usb_gadget/g1/configs/b.1/f1\n/usr/bin/adbd &\nsleep 5s\necho ff400000.dwc2_a > /sys/kernel/config/usb_gadget/g1/UDC\n" }, { "path": "initrd/init", "content": "#!/bin/sh\n#Mount things needed by this script\n/bin/mount -t sysfs sysfs /sys\n/bin/mount -t devtmpfs devtmpfs /dev\n/bin/mount -t proc proc /proc\necho Beginning init from initrd\n#Create device nodes\nmdev -s\n\n#Function for parsing command line options with \"=\" in them\n# get_opt(\"init=/sbin/init\") will return \"/sbin/init\"\nget_opt() {\n echo \"$@\" | cut -d \"=\" -f 2\n}\n\n#Defaults\nslot_suffix=\"_a\"\ninit=\"/sbin/pre-init\"\nroot=\"/dev/system\"\nrootfstype=\nkernel_version=\n#Process command line options\nfor i in $(cat /proc/cmdline); do\n case $i in\n root\\=*)\n root=$(get_opt $i)\n ;;\n rootfstype\\=*)\n rootfstype=$(get_opt $i)\n ;;\n init\\=*)\n init=$(get_opt $i)\n ;;\n androidboot.slot_suffix\\=*)\n slot_suffix=$(get_opt $i)\n ;;\n kernel_version\\=*)\n kernel_version=$(get_opt $i)\n ;;\n esac\ndone\n\n#Mount the root device\nroot_ab=${root}${slot_suffix}\n#Waiting for device to become ready\nTimedOut=10000 #10*1000 milisecond\nWaitedTime=0\nwhile [ \"$WaitedTime\" -lt \"$TimedOut\" ]\ndo\n if [ -b \"${root}\" ]; then\n echo \"${root} is ready now.\"\n break\n elif [ -b \"${root_ab}\" ]; then\n echo \"${root_ab} is ready now.\"\n root=${root_ab}\n break\n fi\n sleep 0.1\n WaitedTime=$((WaitedTime+100))\n echo \"${root} is not ready. Waited for ${WaitedTime} milisecond\"\ndone\n\nif [ \"${rootfstype}\" != \"\" ]; then\n mount -t ${rootfstype} -o ro \"${root}\" /mnt\nelse\n mount -o ro \"${root}\" /mnt\nfi\n\n#Check if $init exists and is executable\nif [[ -x \"/mnt/${init}\" ]] ; then\n #Unmount all other mounts so that the ram used by\n #the initramfs can be cleared after switch_root\n umount /sys /proc /dev\n\n #Overlay ADB script in initd scripts\n mount --bind /S49usbgadget /mnt/etc/init.d/S49usbgadget\n\n #Switch to the new root and execute init\n /bin/mount -t devtmpfs devtmpfs /mnt/dev\n exec 0/mnt/dev/console\n exec 2>/mnt/dev/console\n exec switch_root -c /dev/console /mnt \"${init}\"\nfi\n\n#This will only be run if the exec above failed\necho \"Failed to switch root, dropping to a shell\"\nexec /sbin/init \"$@\"\n" }, { "path": "scripts/burn-mode.sh", "content": "#!/bin/sh\n# Boot U-Boot in 'USB Burning' mode\nDIR=$(dirname $(realpath $0))\nUPDTOOL=$DIR/../bin/update\n\n$UPDTOOL write $DIR/../images/superbird.bl2.encrypted.bin 0xfffa0000\n$UPDTOOL run 0xfffa0000\n$UPDTOOL bl2_boot $DIR/../images/superbird.bootloader.img\n" }, { "path": "scripts/disable-avb2.sh", "content": "#!/bin/sh\n# Disable AVB2 & dm-verity\n# Define system_b (/dev/mmcblk0p15) as root partition (change to /dev/mmcblk0p14 for system_a).\n# WARNING : This disables A/B boot mechanism.\n\nDIR=$(dirname $(realpath $0))\nUPDTOOL=$DIR/../bin/update\n\n$UPDTOOL bulkcmd 'amlmmc env'\n$UPDTOOL bulkcmd 'setenv storeargs ${storeargs} setenv avb2 0\\;'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} ro root=/dev/mmcblk0p15'\n$UPDTOOL bulkcmd 'env save'" }, { "path": "scripts/dump.sh", "content": "#!/bin/bash\nDIR=$(dirname \"$(realpath \"$0\")\")\nUPDTOOL=$DIR/../bin/update\n\nOUTPATH=\"$DIR/../dump\"\nmkdir -p \"$OUTPATH\"\n\n$UPDTOOL bulkcmd \"amlmmc part 1\"\n$UPDTOOL mread store bootloader normal 0x400000 \"$OUTPATH/bootloader.dump\"\n$UPDTOOL mread store env normal 0x800000 \"$OUTPATH/env.dump\"\n$UPDTOOL mread store fip_a normal 0x400000 \"$OUTPATH/fip_a.dump\"\n$UPDTOOL mread store fip_b normal 0x400000 \"$OUTPATH/fip_b.dump\"\n$UPDTOOL mread store logo normal 0x800000 \"$OUTPATH/logo.dump\"\n$UPDTOOL mread store dtbo_a normal 0x400000 \"$OUTPATH/dtbo_a.dump\"\n$UPDTOOL mread store dtbo_b normal 0x400000 \"$OUTPATH/dtbo_b.dump\"\n$UPDTOOL mread store vbmeta_a normal 0x100000 \"$OUTPATH/vbmeta_a.dump\"\n$UPDTOOL mread store vbmeta_b normal 0x100000 \"$OUTPATH/vbmeta_b.dump\"\n$UPDTOOL mread store boot_a normal 0x1000000 \"$OUTPATH/boot_a.dump\"\n$UPDTOOL mread store boot_b normal 0x1000000 \"$OUTPATH/boot_b.dump\"\n$UPDTOOL mread store misc normal 0x800000 \"$OUTPATH/misc.dump\"\n$UPDTOOL mread store settings normal 0x10000000 \"$OUTPATH/settings.dump\"\n$UPDTOOL mread store system_a normal 0x2040B000 \"$OUTPATH/system_a.dump\"\n$UPDTOOL mread store system_b normal 0x2040B000 \"$OUTPATH/system_b.dump\"\n$UPDTOOL mread store data normal 0x889EA000 \"$OUTPATH/data.dump\" # if this command fails, try 0x859EA000 instead. Thanks bishopdynamics (issue #2 @ GitHub)\n" }, { "path": "scripts/enable-adb.sh.client", "content": "# Note, you must run disable-avb2.sh first!\nmount -o remount,rw /\necho \"mkdir -p /dev/usb-ffs\">/etc/init.d/S49usbgadget\necho \"mkdir -p /dev/usb-ffs/adb\">>/etc/init.d/S49usbgadget\necho \"mount -t configfs none /sys/kernel/config/\">>/etc/init.d/S49usbgadget\necho \"mkdir -p /sys/kernel/config/usb_gadget/g1\">>/etc/init.d/S49usbgadget\necho \"echo 0x18d1 > /sys/kernel/config/usb_gadget/g1/idVendor\">>/etc/init.d/S49usbgadget\necho \"echo 0x4e40 > /sys/kernel/config/usb_gadget/g1/idProduct\">>/etc/init.d/S49usbgadget\necho \"echo 0x0223 > /sys/kernel/config/usb_gadget/g1/bcdDevice\">>/etc/init.d/S49usbgadget\necho \"echo 0x0200 > /sys/kernel/config/usb_gadget/g1/bcdUSB\">>/etc/init.d/S49usbgadget\necho \"mkdir -p /sys/kernel/config/usb_gadget/g1/strings/0x409\">>/etc/init.d/S49usbgadget\necho \"echo 123456 > /sys/kernel/config/usb_gadget/g1/strings/0x409/serialnumber\">>/etc/init.d/S49usbgadget\necho \"echo Spotify > /sys/kernel/config/usb_gadget/g1/strings/0x409/manufacturer\">>/etc/init.d/S49usbgadget\necho \"echo Superbird > /sys/kernel/config/usb_gadget/g1/strings/0x409/product\">>/etc/init.d/S49usbgadget\necho \"mkdir -p /sys/kernel/config/usb_gadget/g1/functions/ffs.adb\">>/etc/init.d/S49usbgadget\necho \"mkdir -p /sys/kernel/config/usb_gadget/g1/configs/b.1\">>/etc/init.d/S49usbgadget\necho \"mkdir -p /sys/kernel/config/usb_gadget/g1/configs/b.1/strings/0x409\">>/etc/init.d/S49usbgadget\necho \"echo 500 > /sys/kernel/config/usb_gadget/g1/configs/b.1/MaxPower\">>/etc/init.d/S49usbgadget\necho \"mount -t functionfs adb /dev/usb-ffs/adb\">>/etc/init.d/S49usbgadget\necho \"ln -s /sys/kernel/config/usb_gadget/g1/configs/b.1 /sys/kernel/config/usb_gadget/g1/os_desc/b.1\">>/etc/init.d/S49usbgadget\necho \"echo adb > /sys/kernel/config/usb_gadget/g1/configs/b.1/strings/0x409/configuration\">>/etc/init.d/S49usbgadget\necho \"ln -s /sys/kernel/config/usb_gadget/g1/functions/ffs.adb /sys/kernel/config/usb_gadget/g1/configs/b.1/f1\">>/etc/init.d/S49usbgadget\necho \"/usr/bin/adbd &\">>/etc/init.d/S49usbgadget\necho \"sleep 5s\">>/etc/init.d/S49usbgadget\necho \"echo ff400000.dwc2_a > /sys/kernel/config/usb_gadget/g1/UDC\">>/etc/init.d/S49usbgadget\n" }, { "path": "scripts/env.txt", "content": "bootargs=rdinit=/init init=/sbin/pre-init ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 rootfstype=ext4 console=ttyS0,115200n8 no_console_suspend earlycon=aml-uart,0xff803000 root=/dev/system ro rootwait reboot_mode_android=normal logo=osd0,loaded,0x1f800000 fb_width=480 fb_height=800 vout=panel,enable panel_type=lcd_8 frac_rate_policy=1 osd_reverse=0 video_reverse=0 irq_check_en=0 androidboot.selinux=enforcing androidboot.firstboot=0 jtag=disable uboot_version=v1.0-57-gec3ec936c2 androidboot.hardware=amlogic androidboot.slot_suffix=_a" }, { "path": "scripts/extract-cpio.sh", "content": "#!/bin/sh\n# Extract base files from /system partition required to build an initramdisk.\n\nDIR=$(dirname $(realpath $0))\nSYSTEM_DIR=\nCPIO_BASE_FILE=$DIR/../images/superbird.initrd-base.cpio\n\nif [ -z \"$SYSTEM_DIR\" ] || [ ! -d \"$SYSTEM_DIR\" ]\nthen\necho 'Error: Set SYSTEM_DIR variable to path of mounted /system partition from the device.'\nexit 1\nelse\ncd $SYSTEM_DIR && cat $DIR/initrd.list | cpio --quiet -o -H newc > $CPIO_BASE_FILE\nfi" }, { "path": "scripts/hacked-bootlogo.sh", "content": "#!/bin/bash\nDIR=$(dirname \"$(realpath \"$0\")\")\nUPDTOOL=$DIR/../bin/update\n\n$UPDTOOL bulkcmd \"amlmmc part 1\"\n$UPDTOOL partition logo $DIR/../images/hacked_logo.img\n" }, { "path": "scripts/initrd.list", "content": ".\n./var\n./var/lib\n./var/lib/alsa\n./var/lib/misc\n./var/spool\n./var/cache\n./var/log\n./var/lock\n./var/run\n./var/tmp\n./var/www\n./lib\n./lib/arm-none-linux-gnueabihf\n./lib/ld-2.30.so\n./lib/ld-linux-armhf.so.3\n./lib/libatomic.so.1\n./lib/libatomic.so.1.2.0\n./lib/libblkid.so.1\n./lib/libblkid.so.1.1.0\n./lib/libc-2.30.so\n./lib/libcrypt-2.30.so\n./lib/libcrypt.so.1\n./lib/libc.so.6\n./lib/libdl-2.30.so\n./lib/libdl.so.2\n./lib/libfdisk.so.1\n./lib/libfdisk.so.1.1.0\n./lib/libgcc_s.so.1\n./lib/libm-2.30.so\n./lib/libmount.so.1\n./lib/libmount.so.1.1.0\n./lib/libm.so.6\n./lib/libnsl-2.30.so\n./lib/libnsl.so.1\n./lib/libnss_dns-2.30.so\n./lib/libnss_dns.so.2\n./lib/libnss_files-2.30.so\n./lib/libnss_files.so.2\n./lib/libpam.so.0\n./lib/libpam.so.0.84.2\n./lib/libpam_misc.so.0\n./lib/libpam_misc.so.0.82.1\n./lib/libpthread-2.30.so\n./lib/libpthread.so.0\n./lib/libresolv-2.30.so\n./lib/libresolv.so.2\n./lib/librt-2.30.so\n./lib/librt.so.1\n./lib/libsmartcols.so.1\n./lib/libsmartcols.so.1.1.0\n./lib/libutil-2.30.so\n./lib/libutil.so.1\n./lib/libuuid.so.1\n./lib/libuuid.so.1.3.0\n./mnt\n./bin\n./bin/mv\n./bin/egrep\n./bin/uname\n./bin/dnsdomainname\n./bin/login\n./bin/linux32\n./bin/gunzip\n./bin/vi\n./bin/sh\n./bin/gzip\n./bin/stty\n./bin/sleep\n./bin/mktemp\n./bin/df\n./bin/chgrp\n./bin/sync\n./bin/mt\n./bin/echo\n./bin/chown\n./bin/pipe_progress\n./bin/cat\n./bin/fgrep\n./bin/hostname\n./bin/dd\n./bin/linux64\n./bin/more\n./bin/mknod\n./bin/getopt\n./bin/zcat\n./bin/setarch\n./bin/printenv\n./bin/rmdir\n./bin/mountpoint\n./bin/setserial\n./bin/pidof\n./bin/sed\n./bin/tar\n./bin/date\n./bin/kill\n./bin/netstat\n./bin/run-parts\n./bin/true\n./bin/busybox\n./bin/rm\n./bin/ls\n./bin/grep\n./bin/pwd\n./bin/fdflush\n./bin/mkdir\n./bin/chmod\n./bin/ash\n./bin/false\n./bin/mount\n./bin/ping\n./bin/usleep\n./bin/umount\n./bin/cp\n./bin/su\n./bin/ln\n./bin/dmesg\n./bin/nice\n./bin/dumpkmap\n./bin/touch\n./bin/ps\n./bin/cpio\n./bin/watch\n./etc\n./etc/resolv.conf\n./etc/issue\n./etc/mke2fs.conf\n./etc/shadow\n./etc/hostname\n./etc/passwd\n./etc/profile\n./etc/group\n./etc/services\n./etc/network\n./etc/network/if-post-down.d\n./etc/network/if-up.d\n./etc/network/if-pre-up.d\n./etc/network/interfaces\n./etc/network/if-down.d\n./etc/ssl\n./etc/mtab\n./etc/hosts\n./etc/os-release\n./etc/init.d\n./etc/init.d/rcK\n./etc/init.d/rcS\n./etc/fstab\n./etc/inittab\n./etc/protocols\n./linuxrc\n./opt\n./root\n./sys\n./usr\n./usr/lib\n./usr/lib/arm-none-linux-gnueabihf\n./usr/lib/libglib-2.0.so.0\n./usr/lib/libe2p.so.2\n./usr/lib/libext2fs.so\n./usr/lib/libext2fs.so.2\n./usr/lib/libglib-2.0.so\n./usr/lib/libcom_err.so.2\n./usr/lib/libcom_err.so\n./usr/lib/libblkid.so\n./usr/lib/libcom_err.so.2.1\n./usr/lib/libe2p.so.2.3\n./usr/lib/libe2p.so\n./usr/lib/libext2fs.so.2.4\n./usr/lib/libuuid.so\n./usr/bin\n./usr/bin/xzcat\n./usr/bin/[[\n./usr/bin/xz\n./usr/bin/ipcs\n./usr/bin/lsof\n./usr/bin/install\n./usr/bin/top\n./usr/bin/setkeycodes\n./usr/bin/uuencode\n./usr/bin/sha512sum\n./usr/bin/lzcat\n./usr/bin/tee\n./usr/bin/uudecode\n./usr/bin/[\n./usr/bin/find\n./usr/bin/bzcat\n./usr/bin/vlock\n./usr/bin/id\n./bin/chattr\n./bin/lsattr\n./usr/bin/last\n./usr/bin/test\n./usr/bin/crontab\n./usr/bin/cksum\n./usr/bin/dos2unix\n./usr/bin/dc\n./usr/bin/reset\n./usr/bin/du\n./usr/bin/head\n./usr/bin/sha3sum\n./usr/bin/ipcrm\n./usr/bin/deallocvt\n./usr/bin/passwd\n./usr/bin/killall\n./usr/bin/fold\n./usr/bin/uniq\n./usr/bin/sha256sum\n./usr/bin/xargs\n./usr/bin/chrt\n./usr/bin/env\n./usr/bin/eject\n./usr/bin/dirname\n./usr/bin/free\n./usr/bin/readlink\n./usr/bin/chvt\n./usr/bin/lspci\n./usr/bin/expr\n./usr/bin/md5sum\n./usr/bin/mkfifo\n./usr/bin/less\n./usr/bin/yes\n./usr/bin/printf\n./usr/bin/sort\n./usr/bin/fuser\n./usr/bin/nohup\n./usr/bin/basename\n./usr/bin/hexdump\n./usr/bin/who\n./usr/bin/setsid\n./usr/bin/wc\n./usr/bin/bunzip2\n./usr/bin/cmp\n./usr/bin/awk\n./usr/bin/mesg\n./usr/bin/unlzma\n./usr/bin/clear\n./usr/bin/pango-view\n./usr/bin/microcom\n./usr/bin/unix2dos\n./usr/bin/seq\n./usr/bin/logname\n./usr/bin/whoami\n./usr/bin/uptime\n./usr/bin/ar\n./usr/bin/lzma\n./usr/bin/realpath\n./usr/bin/logger\n./usr/bin/unxz\n./usr/bin/diff\n./usr/bin/openvt\n./usr/bin/sha1sum\n./usr/bin/tail\n./usr/bin/which\n./usr/bin/hostid\n./usr/bin/resize\n./usr/bin/cut\n./usr/bin/patch\n./usr/bin/unzip\n./usr/bin/strings\n./usr/bin/renice\n./usr/bin/od\n./usr/bin/tty\n./usr/bin/time\n./usr/bin/lsusb\n./usr/bin/tr\n./usr/libexec\n./usr/lib32\n./usr/sbin\n./sbin/filefrag\n./sbin/e2label\n./sbin/mke2fs\n./sbin/mkfs.ext2\n./usr/sbin/delgroup\n./usr/sbin/fbset\n./usr/sbin/deluser\n./usr/sbin/rdate\n./usr/sbin/killall5\n./usr/sbin/addgroup\n./sbin/fsck.ext4\n./usr/sbin/loadfont\n./sbin/e2freefrag\n./usr/sbin/chroot\n./sbin/mklost+found\n./sbin/fsck\n./sbin/mkfs.ext4\n./usr/sbin/fdformat\n./sbin/e2fsck\n./sbin/e2undo\n./sbin/badblocks\n./usr/sbin/adduser\n./sbin/tune2fs\n./sbin/dumpe2fs\n./sbin/logsave\n./usr/sbin/readprofile\n./usr/sbin/arping\n./sbin/fsck.ext3\n./sbin/mkfs.ext3\n./usr/sbin/setlogcons\n./sbin/fsck.ext2\n./usr/sbin/crond\n./lib32\n./proc\n./dev\n./dev/pts\n./dev/log\n./sbin\n./sbin/lsmod\n./sbin/route\n./sbin/ipaddr\n./sbin/halt\n./sbin/getty\n./sbin/swapoff\n./sbin/poweroff\n./sbin/hdparm\n./sbin/init\n./sbin/blkid\n./sbin/iproute\n./sbin/modprobe\n./sbin/loadkmap\n./sbin/watchdog\n./sbin/losetup\n./sbin/syslogd\n./sbin/reboot\n./sbin/iptunnel\n./sbin/vconfig\n./sbin/runlevel\n./sbin/sulogin\n./sbin/rmmod\n./sbin/ifdown\n./sbin/ifconfig\n./sbin/makedevs\n./sbin/mkswap\n./sbin/swapon\n./sbin/start-stop-daemon\n./sbin/ifup\n./sbin/setconsole\n./sbin/sysctl\n./sbin/iplink\n./sbin/ip\n./sbin/devmem\n./sbin/pivot_root\n./sbin/nameif\n./sbin/iprule\n./sbin/insmod\n./sbin/klogd\n./sbin/freeramdisk\n./sbin/hwclock\n./sbin/switch_root\n./sbin/mdev\n./run\n./media\n./tmp\n" }, { "path": "scripts/pack-initrd.sh", "content": "#!/bin/sh\n# Pack the initrd image using base CPIO archive plus additional files from initrd/ directory\n# mkimage tool is available in Debian package u-boot-tools\nDIR=$(dirname $(realpath $0))\nINITRD_DIR=$DIR/../initrd\nCPIO_BASE_FILE=$DIR/../images/superbird.initrd-base.cpio\nCPIO_FILE=$DIR/../images/superbird.initrd.cpio\nINITRD_FILE=$DIR/../images/superbird.initrd.img\n\nif [ ! -f \"$CPIO_BASE_FILE\" ]\nthen\necho \"Error: File $CPIO_BASE_FILE must be extracted first using extract-cpio.sh script !\"\nexit 1\nfi\n\nmkdir -p $INITRD_DIR/dev\nsudo mknod -m 0622 $INITRD_DIR/dev/console c 5 1\n\ncp $CPIO_BASE_FILE $CPIO_FILE\ncd $INITRD_DIR && find . | cpio -o -H newc --append -F $CPIO_FILE\ncd -\ngzip $CPIO_FILE\nmkimage -n uInitrd -A arm64 -O linux -T ramdisk -C gzip -d $CPIO_FILE.gz $INITRD_FILE" }, { "path": "scripts/uart-shell.sh", "content": "#!/bin/bash\nDIR=$(dirname $(realpath $0))\nUPDTOOL=$DIR/../bin/update\n\n$UPDTOOL bulkcmd 'amlmmc env'\n$UPDTOOL bulkcmd 'setenv initargs init=/sbin/pre-init'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} ramoops.pstore_en=1'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} ramoops.record_size=0x8000'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} ramoops.console_size=0x4000'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} rootfstype=ext4'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} console=ttyS0,115200n8'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} no_console_suspend'\n$UPDTOOL bulkcmd 'setenv initargs ${initargs} earlycon=aml-uart,0xff803000'\n$UPDTOOL bulkcmd 'env save'\n" }, { "path": "scripts/uboot-continue.sh", "content": "#!/bin/sh\n# Exit U-Boot 'USB Burning' mode and continue default boot\nDIR=$(dirname $(realpath $0))\nUPDTOOL=$DIR/../bin/update\n\n$UPDTOOL bulkcmd 'mw.b 0x17f89754 1'\n" }, { "path": "scripts/upload-kernel.sh", "content": "#!/bin/sh\n# Upload & boot kernel/ramdisk when U-Boot is in 'USB Burning' mode\nDIR=$(dirname $(realpath $0))\nUPDTOOL=$DIR/../bin/update\nKERNEL=$DIR/../images/superbird.kernel.img\nKERNEL_ADDR=0x01080000\nINITRD=$DIR/../images/superbird.initrd.img\nINITRD_ADDR=0x13000000\nENV=$DIR/env.txt\nENV_ADDR=0x13000000\nENV_SIZE=`printf \"0x%x\" $(stat -c %s $ENV)`\n\n$UPDTOOL bulkcmd \"amlmmc env\"\n$UPDTOOL write $ENV $ENV_ADDR\n$UPDTOOL bulkcmd \"env import -t $ENV_ADDR $ENV_SIZE\"\n$UPDTOOL write $KERNEL $KERNEL_ADDR\n$UPDTOOL write $INITRD $INITRD_ADDR\necho 'Booting...'\n$UPDTOOL bulkcmd \"booti $KERNEL_ADDR $INITRD_ADDR\"\n" } ]