How can I read my device's flash memory without a programmer or UART access? #11
Comments
Adding to the list, I believe my device (Tuya Mini 7C derivative) loads to 0x81808000.
{
"WiFi MAC": "7c:a7:b0:db:de:7f",
"authkey": "---",
"deviceid": "---",
"devname": "Smart Home Camera",
"firmwareversion": "ppstrong-a2-tuya2_teco-2.7.4.20191111",
"hardwareversion": "M7C_AK_V10_1245",
"identity": "MR2003120400934967",
"model": "Mini 7C",
"pid": "aaa",
"serialno": "---",
"softwareversion": "2.7.4"
} |
@thomasloven maybe you want to post your fw bin file somewhere I can get it (or email me a link) so I can take a look. Sometimes binwalk doesn’t give good results but maybe a slight change in the file can make a difference, I would expect at least the bootloader to be unencrypted? So someone with enough time could find the function that decrypts/loads it into memory? I mean I doubt they have anything hardware side doing the decryption. |
Sorry, I missed this message and posted the bin in #13 (comment). |
I just got a Mini 7C camera from walmart for $25 to play with it -- so you can expect a way to patch it soon. |
@guino I have a Mini 7C too. output of /devices/deviceinfo:
I could not get a proper flash.bin. It is the correct size, but nothing is listed when I check it with binwalk. I tried a few times with address 42000000, 81000000, and 81808000. The result is always the same. Please let me know what you find. I have no UART or programmer but I am happy to help in any way I can. I had no success with #13 either. Output of /proc/cmdline:
|
Bad news, while trying to get the flash chip out I pulled a track and damaged the board. I no longer have a mini 7c ($25 down the drain). |
@guino That ppsMmcTool.txt did not work either. @thomasloven mentioned he "soldered into a UART . . . ran the same commands with some tweaks" and then tried to translate them back to ppsMmcTool.txt format. So is the translation not correct, or are we thinking the ppsMmcTool.txt method just won't work for the Mini 7C? |
I'm quite certain the ppsMmcTool method should work for the Mini 7C too. I can try some things to see if I can get this to actually work, though I already fried one sd card, so I'll be moving forward slowly and carefully... |
@thomasloven with UART access here's what I'd do: |
So I did more testing with my Mini 7C. I am getting the same output from binwalk regardless of what ppsMmcTool.txt I use. I can tell something is happening, because the LED begins flashing between red and blue for a few seconds after booting the camera with reset button pressed for 5 seconds. And this only happens when ppsMmcTool.txt is present, so I know my camera sees that file and it is trying to do something with it. But I can tell nothing is written to the 16 MiB unallocated portion of the SD card which we are dumping using dd. I confirmed with md5sum, the .bin dump of my freshly formatted SD card and the flash.bin from my flash dump attempts are the same. Here is the output I am getting from binwalk:
|
@swisslegacy I was hoping to iron out the correct commands for ppsMmcTool.txt when I got a mini 7C but since my board got damaged I no longer have that option. Chances are some command needs a tweak/different parameter, but without UART access (to see output/errors) that's not easy to figure out. I tested the commands in the 1st post on 2.9.6 version and expect anyone with 2.9.x bootloader to be able to use it, but for 2.7.x bootloader (older) we need someone to play with it and iron out the commands like I wanted to do. |
@guino I see. I am very new to this but willing to learn. Can you explain how to get UART access so I may try to assist as well? Additionally, FWIW, I think there was something wrong with the SD card I was using earlier. I tested all the ppsMmcTool.txt I used earlier with a new SD card, and my binwalk output is different now, but it still remained the same after every ppsMmcTool.txt I tried though.
|
For UART access you need a serial-ttl level adapter for 3.3v. There are some USB and some serial too, then basically you solder some wires to the board and have a way to view and send commands to the bootloader which include functions that read and write the flash chip. If you don’t have the adapter or soldering skills it may not be for you. I didn’t want to play with the commands without a flash image taken by programmer and damaged the board when disconnecting the pin to read the flash - and I am fairly experienced with the soldering iron. Still, soldering the UART wires is a piece of cake compared to removing surface mount chips/pins without the proper tools. |
Interesting! Well, I'm not sure where exactly to start with that, but I have an extra camera and I'm willing to try if you can guide me. |
The points marked 2 and 3 at the top right in the second picture are 3.3V RX and TX at 115200 baud. |
From what I remember testing point 4 was ground and 2/3 are RX/TX (3.3v) as @thomasloven said. Using the screw hole for ground is very smart as it can be difficult to solder point 4 and these boards seem very fragile. |
I got a working mini 7c again and from what I can tell the issue is that the ppsMmcTool.txt isn't being loaded by the bootloader correctly. It looks like it tries and fails likely because of something not yet initialized by the bootloader. That said it seems you can read the flash using the UART (still testing). I'm trying to see if there's anything we can do to make it read the chip correctly (gonna try different SD card). |
Looks like a different SD card did the trick to read ppsMmcTool.txt but it is not parsing the file the same way as newer boot loaders. I'm trying to find the boot loader load address so I can review it in ghidra, maybe @thomasloven could share it since he's already been looking at it. |
Ok, to read the flash on mini 7C (2.7.x) this works:
I am still looking to see if we can pass in boot parameters to this device but worst case scenario I'll make an app.img file that can be loaded from SD card using similar steps (reset button + ppsMmcTool.txt). |
Ok, I got root access with a variation of #13 working on mini 7c (no programmer, no UART, no soldering required), but I think I'm going to make a new github project for this older boot loader because the busybox version we have been using on this project doesn't work on this board (I'll have to look for an older busybox that works on it). So right now I have root access using the built-in telnetd (which is present on this one but not present on the newer boards). Spent a lot of hours on this today so I'm calling it for the night. I'll publish the files/steps on the new project (hopefully along with a working busybox version) soon. |
Found your new repo. Works like a charm! |
I just purchased a new iteration of the LCS action doorbell camera (bell5c, anyka chipset). I have not 'enrolled' it (e.g. connected it to the internet/wifi network) as I have no intent on using the standard software. I will eventually run an isolated hotspot for the device to connect to, to enable all of our hackery and get root; however as a first step, I wanted to dump the flash. I do have UART access mind you :) Using U-Boot on the device (U-Boot 2013.10.0-AK_V3.0.07 (Jan 22 2021 - 14:16:01)) I tried many variations, however, it seems like they have removed the Here is my ppcmmctool.txt content:
which works fine, except of course the mmc write error
Interestingly enough; my 2GB disk gets misidentified as 3.7 ... however, the result is the same with a 16G card
Someone must have been looking over the interwebz, found this useful trick, and decided to disable it. Or, all evilness aside, they just wanted to shrink the bootloader more.
pcbMenu was interesting, as you could configure various boards that this bootloader supports. Anyway, I'll try to see what I can do to pull the flash; worst case, I'll just print all the data, and convert it after reading it from the serial port. Probably start small with just the bootloader, and see if I can get the password string. Should be compiled into the binary, so not too hard to find, and we do have u-boot source which should offer this as a standard feature (could be they created their own password feature of course ...) 'uartdown' might be interesting, as they may have used this to provision these boards in the factory maybe ... then again, the direction is wrong of course :( and no x/y/z modem options enabled of course. I could get into Linux, and dump it much easier from there; and I'll do that eventually I suppose. edit: Hah, so, I didn't even realize, but if we look closely:
we can see that while there's no size limit on loading the file, (184 is the size of the txt) the buffer actually gets cut off. So I'll use the 'env' trick from the mini7c next :) edit:
I should have paid closer attention once more; this failed due to this u-boot loading the env at a different offset. With this small change (maybe I did it? :p) it actually worked to dump the spi flash :) now to analyzing the dump, to check if I have it all. |
@oliv3r write me an email (my address is on my github profile) and I can give you some help for UART access. I have seen many cases where they modify the command and don’t bother modifying the help information, so chances are the mmc write command is there just not in that format listed in the help. |
I did, from 2 addresses, the one it bounced with MS blocking me, from my other address, it seemed to have worked; but maybe it ended up in your spam. I will e-mail from my gmail; 3 times is a charm @guino :) |
@oliv3r I sent you an email reply, let me know if you didn't get it. |
This is how to read/dump your device's flash memory without a programmer or UART/serial access.
Requirements
WARNING This WILL erase everything you have on the SD card so copy what you want from it before you start and if you're unsure of something ask for help because if you do something wrong in the steps below you could potentially erase the wrong disk (i.e. your entire computer).
Process
This process has been tested with 2.9.x firmware only -- likely won't work with 2.7.x as it would require different commands to work with older boot loader.
sudo su
lsblk
the device will usually show up as mmcblkX or sdX depending on the type of adapter but it should be easy to identify by the size of the device.
fdisk /dev/<device>
(where <device> is mmcblkX or sdX from the previous step, such as fdisk /dev/sdb), then: type o and press enter, type n and press enter, type p and press enter, press enter (for default partition 1), type 32769 for first sector and press enter, press enter (for default last sector), type w and press enter.
fdisk -l /dev/<device>
(where <device> is the same as from step 4). The last line of the output should show /dev/mmcblkXp1 or /dev/sdX1 and under 'Start' it should say 32769, confirming the previous operation.
mkfs.vfat /dev/<partition>
(where <partition> is the value listed on the last line from step 5 above, i.e. /dev/mmcblk0p1 or /dev/sdb1).
dd if=/dev/<device> of=flash.bin skip=1 bs=512 count=32768
(where <device> is the same as from step 4 above, like /dev/mmcblk0 or /dev/sdb).
The flash.bin file created in step 13 should be a full dump of your device's flash memory. Please note that the process above will create a 16Mb file but your flash may be smaller than that; in fact most devices I have seen have 8Mb of flash (I have only seen a few that have 16Mb).
Confirmation
To confirm that the process worked, you should run 'binwalk' on the flash.bin file, and it should detect some recognizable components such as u-boot, uImage and cramfs/jffs filesystems, here's a sample section from mine:
If your binwalk output has similar parts (uboot, uImage/kernel and cramfs/jffs2 filesystems), then that is your confirmation that the process worked and you should have a full dump of your device's flash memory in flash.bin. You can then execute
binwalk -M -e flash.bin
to 'extract' all known parts from the flash.bin file (for review/patch/etc). If your binwalk output is empty or does not look like the above, chances are the process did not work on your device (i.e. device doesn't support ppsMmcTool.txt), in which case your only options are to use a programmer (or UART) to review/make any changes to the device.
NOTICE: One device I saw used address 81000000 instead of 42000000 to load data, there's no way to know for sure the address your device will load the data unless you have UART access, so I recommend trying 42000000 first (default value in ppsMmcTool.txt), if that doesn't get you valid results it doesn't hurt to try modifying all 42000000 values in ppsMmcTool.txt to 81000000 and trying again.
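A quick self-check for the flash.bin produced by the steps above, added here as an example and not part of the original post or project: it flags the empty-dump case seen earlier in this thread (a dump identical to a blank card, all 0xFF or all 0x00) and scans for the u-boot banner, uImage header (reporting its load address and size) and cramfs magic that binwalk would report. The sample dump it ships with is constructed, not a real device image.

```python
import struct

UIMAGE_MAGIC = b"\x27\x05\x19\x56"  # uImage header magic, big-endian 0x27051956
CRAMFS_MAGIC = b"\x45\x3d\xcd\x28"  # cramfs superblock magic 0x28cd3d45, little-endian
UBOOT_STRING = b"U-Boot "           # version banner compiled into the bootloader

def is_blank(data: bytes) -> bool:
    """All-0xFF or all-0x00: the bootloader never wrote anything to the SD region
    (the 'md5sum of flash.bin equals a fresh card' case reported in this thread)."""
    return data.count(b"\xff") == len(data) or data.count(b"\x00") == len(data)

def find_components(data: bytes) -> list:
    """Sorted (offset, description) for the parts binwalk is expected to report."""
    hits = []
    for magic, name in ((UBOOT_STRING, "u-boot version string"),
                        (CRAMFS_MAGIC, "cramfs filesystem")):
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    pos = data.find(UIMAGE_MAGIC)
    while pos != -1:
        if pos + 64 <= len(data):
            # 64-byte header: magic,hcrc,time,size,load,ep,dcrc,os,arch,type,comp,name[32]
            f = struct.unpack_from(">7I4B32s", data, pos)
            name = f[11].split(b"\0", 1)[0].decode("ascii", "replace")
            hits.append((pos, f"uImage '{name}' size=0x{f[3]:x} load=0x{f[4]:08x}"))
        pos = data.find(UIMAGE_MAGIC, pos + 1)
    return sorted(hits)

def verify_dump(data: bytes) -> dict:
    blank = is_blank(data)
    return {"size": len(data), "blank": blank,
            "components": [] if blank else find_components(data)}

def sample_dump() -> bytes:
    """Constructed 1 MiB stand-in for flash.bin (not a real dump): 0xFF fill with a
    u-boot banner, a uImage header and a cramfs magic at made-up offsets."""
    buf = bytearray(b"\xff" * (1 << 20))
    ver = b"U-Boot 2013.10 (constructed)"
    buf[0x100:0x100 + len(ver)] = ver
    hdr = struct.pack(">7I4B32s", 0x27051956, 0, 0, 0x1A0000, 0x80008000,
                      0x80008000, 0, 5, 2, 2, 1, b"Linux-3.4.35")
    buf[0x40000:0x40000 + 64] = hdr
    buf[0x80000:0x80004] = CRAMFS_MAGIC
    return bytes(buf)

if __name__ == "__main__":
    import sys
    print(verify_dump(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_dump()))
```

Run it as `python3 check_dump.py flash.bin`; an empty components list with blank=True means the bootloader never wrote the SD region, which is the symptom to look at before changing load addresses.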