
named pipes, read nand on hub

Have a question about device internals, memory layout, reverse engineering, etc.? This is the place for anything so technical that it would cause a n00b's head to 'splode.

named pipes, read nand on hub   

Postby KAD » Wed Oct 22, 2014 9:13 am

ok, well I thought I might attempt to create a firmware for the hub
why? well, it keeps me entertained, lol

and maybe this is beyond me, or maybe I just need a little direction

the premise for running firmware on the hub is basically the same: we need to set the device to homebrew mode

some of the things I already worked out
there's no upload function on hub's webend, but I've already got a working package that can start telnet

so regarding setting homebrew mode, there's about 10 scripts and binaries actually required to do this on SMP
they are all interconnected, and call each other depending on if you are trying to read or write, etc ...
Most of these scripts do not exist on the hub
but the core script does, the script that actually writes to nand the value "sisi" enabling homebrew
that script exists and is identical to the one used on the SMP and on the new gen4 device

adding the extra scripts to the homebrew package is of course not a problem
except that there are some differences, which cause the supporting scripts to fail

specifically SMP and Gen4 read data from nand via a named pipe /dev/mtd0
this named pipe does not exist on the hub

I've tried searching for info on named pipes in google, which gives me a lot of entries of how to create named pipes, and basics on what they are used for
but what I'm interested in

if a named pipe already exists, and you don't know which 2 processes it connects (the script or shell that calls the pipe is obviously one side), how do we find out what is on the other side of the connection?

once reads are working, I suspect writes might be a bit more straightforward; writes are done on /dev/mtdblock0 (also a named pipe), but it does exist on all 3 devices

or maybe you have a better idea on how to read nand on the hub
If you like my work please consider a Donation. Donate
Please read the appropriate documentation before posting questions! READ ME FAQ WIKI
PM's are for private matters. Post support questions to the appropriate forum, or they will be ignored.
KAD
Global Moderator
 
Posts: 5103
Joined: Mon Apr 12, 2010 4:59 pm
Location: Seattle, WA USA

Re: named pipes, read nand on hub   

Postby mad_ady » Thu Oct 23, 2014 5:53 am

So, you want to find out what /dev/mtd0 connects to? You can use lsof to see which open files are in use at any point in time, but you would need to issue the command when the processes that do the work are attached to the pipe. Otherwise you can try to use inotify (not sure if it works in /dev though) and catch OPEN and CLOSE commands on the file.

Also, what is your goal? Putting the device in sisi mode? Or more than this?
mad_ady
Developer
 
Posts: 4553
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: named pipes, read nand on hub   

Postby KAD » Thu Oct 23, 2014 7:11 am

yeah that's pretty much the goal

just put the thing in sisi mode

I had hoped that I could confirm working reads before attempting to write

but at least the writing part, as I said should be much more straight forward because the correct pipe does exist
but without being able to read what the value is, we're sort of blind, we'd have no way to check what mode is currently being used

well, except of course that in sisi mode runsit.sh will get executed at boot time, so we can see the effects of whatever we put in that script

Re: named pipes, read nand on hub   

Postby mad_ady » Thu Oct 23, 2014 10:19 pm

Here's an additional idea. If you know what process does the reading, but you don't know from where (what file, what offset), you can try to use strace to see what system calls it makes. There are two ways of doing it:
1. The easy way - when you can call the program by hand with the correct parameters, just put strace in front of it (you might need to compile it/have a busybox ready). You should see the data and files used.
2. The hard way - when you know the program but can't call it directly. In this case you can replace the program with a simple bash wrapper that calls the original program through strace and writes the output to a file.

Play with strace to get comfortable with it.

Re: named pipes, read nand on hub   

Postby mad_ady » Thu Oct 23, 2014 11:01 pm

Oh, one more idea. Make a dd copy of the /dev device you assume you'll be writing sisi to. Then write sisi to it (with the tools you say should already work). Then make a copy with dd again. Dump both copies to hex (with od for instance or hexdump) and run a diff. You should get the offset and the changes made...
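The before/after comparison mad_ady describes, as an added shell example that is not from the thread: instead of od plus diff it uses cmp -l, which reports every differing byte, and prints the offsets in hex. The two images are constructed stand-ins for dd snapshots of the block, and the "okok"/"sisi" field at offset 6 is an assumed layout, not the real xenv format.

```shell
# Added example, not from the thread: the dd/od/diff procedure done per byte
# with cmp -l. The two images are constructed stand-ins for before/after
# snapshots of the xenv block; on the device they would come from
# "dd if=/dev/mtdblock0 of=..." taken before and after the setxenv write.
# "okok"/"sisi" at offset 6 is a made-up layout for the demonstration.
BEFORE_IMG=$(mktemp)
AFTER_IMG=$(mktemp)
printf 'HEADERokokTAIL' > "$BEFORE_IMG"
printf 'HEADERsisiTAIL' > "$AFTER_IMG"

# List every byte that differs between two equal-sized images as
# "offset: old -> new", zero-based hex offset and hex byte values.
# cmp -l prints 1-based offsets and octal bytes; printf's %x accepts the
# octal form once a leading 0 is prepended.
changed_bytes() {
    cmp -l "$1" "$2" | while read -r off old new; do
        printf '%08x: %02x -> %02x\n' "$((off - 1))" "0$old" "0$new"
    done
}

# Number of differing bytes: a quick sanity check that the write tool changed
# only the field it was asked to change and nothing else in the block.
changed_count() {
    changed_bytes "$1" "$2" | wc -l | tr -d ' '
}
```

With the constructed images, changed_bytes reports offsets 6 to 9 changing from 6f 6b 6f 6b to 73 69 73 69, and changed_count reports 4.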

Re: named pipes, read nand on hub   

Postby KAD » Sat Oct 25, 2014 12:55 pm

after a weekend without kids and family, I think I have a solution

instead of attempting to get the SMP tools working on hub
I spent some time figuring out how to use the 1 script that does exist on all devices as a standalone tool that runs on mtdblock0

homebrew kit for hub will have to be quite a bit different
we write sisi or okok

but if we read, we'll be reading hex values

more testing is needed, but it seems to work ok

Re: named pipes, read nand on hub   

Postby KAD » Sun Oct 26, 2014 12:30 pm

ok, I think I've got this all working, but I do get a concerning error from php

here's the php code
# cat ./home.php
<?php

print 'WDLXTV WD TV Homebrew Kit v4 -- Modified by kad' . PHP_EOL;
print 'Enabling...' . PHP_EOL;
// Remove any stale read-back value from a previous run.
shell_exec("rm /tmp/firmware_sign");

// Write the "sisi" flag into the xenv block, via sudo where it is available.
if (file_exists("/usr/bin/sudo"))
        shell_exec("sudo su - -c \"setxenv 0 l.alpha.fw_sign sisi\"");
else
        shell_exec("setxenv 0 l.alpha.fw_sign sisi");

// Read the flag back: the stored value is the 4th field of setxenv's last output line.
if (file_exists("/usr/bin/sudo"))
        shell_exec("sudo su - -c \"setxenv 0 l.alpha.fw_sign | tail -n1 | cut -d ' ' -f 4 > /tmp/firmware_sign\"");
else
        shell_exec("setxenv 0 l.alpha.fw_sign | tail -n1 | cut -d ' ' -f 4 > /tmp/firmware_sign");

// 0x69736973 is the 4 bytes of "sisi" read as a little-endian 32-bit integer.
$x = shell_exec("cat /tmp/firmware_sign");
if (trim($x) == "0x69736973")
  print 'Success, homebrew enabled--place homebrew files on USB and reboot.' . PHP_EOL;
else
  print 'WTF? (Note: this command might not work from within wdlxtv)' . PHP_EOL;

die();

?>


the line causing the error is
shell_exec("sudo su - -c \"setxenv 0 l.alpha.fw_sign sisi\"");
else
        shell_exec("setxenv 0 l.alpha.fw_sign sisi");

regardless of sudo or not, running from php produces this output
# /usr/bin/php ./home.php
WDLXTV WD TV Homebrew Kit v4 -- Modified by kad
Enabling...
1+0 records in
1+0 records out
131072 bytes (128.0KB) copied, 0.027987 seconds, 4.5MB/s
16+0 records in
16+0 records out
16384 bytes (16.0KB) copied, 0.000508 seconds, 30.8MB/s
112+0 records in
112+0 records out
114688 bytes (112.0KB) copied, 0.002081 seconds, 52.6MB/s
cat: write error: Broken pipe
16+0 records in
16+0 records out
16384 bytes (16.0KB) copied, 0.001946 seconds, 8.0MB/s
1+0 records in
1+0 records out
131072 bytes (128.0KB) copied, 0.041317 seconds, 3.0MB/s
1+0 records in
1+0 records out
131072 bytes (128.0KB) copied, 0.033932 seconds, 3.7MB/s
16+0 records in
16+0 records out
16384 bytes (16.0KB) copied, 0.000495 seconds, 31.6MB/s
112+0 records in
112+0 records out
114688 bytes (112.0KB) copied, 0.003133 seconds, 34.9MB/s
Success, homebrew enabled--place homebrew files on USB and reboot.


the part I'm concerned about
cat: write error: Broken pipe

this pipe is located not in the php but inside the script setxenv
running setxenv from cmd line does not produce any errors

but this here's the line of code
cat $XENV2_TMP_FILE /dev/zero | dd of=$PHY_BLOCK_FILE bs=1K count=$XENV2_BLK_SIZE

for obvious reasons, it's concerning to see an error message when this gets piped to dd, which writes the output of cat back to nand

ironically everything actually seems to function, I have no bricked devices, and sisi or okok, whichever I specify, is correctly written, I can't find any adverse effects
just looking for some input; I don't like the idea that we might cat the wrong or incomplete content to dd
I found this https://bugs.php.net/bug.php?id=51160
which claims it's a php bug, but then somebody from the dev team at php, marks it as bogus, stating it's not a problem with php

Re: named pipes, read nand on hub   

Postby mad_ady » Mon Oct 27, 2014 12:20 am

To better understand what's going on, if setxenv is a shell script you can call it in debug mode and get all the internal commands printed. You can find out if you're missing some environment variables or something else...

shell_exec("sudo su - -c \" sh -x setxenv 0 l.alpha.fw_sign sisi 2>&1\"");

Re: named pipes, read nand on hub   

Postby KAD » Tue Oct 28, 2014 10:48 pm

well, can't call sh -x setxenv because setxenv is a symlink, and no, the way the actual script is written we can't call it directly, or it will not function as it should

I can add the redirect, which will get rid of the error message, but it still makes me wonder what is actually causing the error
as the redirect only hides the output and does not actually solve the issue

which is maybe a non-issue, since the script appears to function correctly regardless of output

Re: named pipes, read nand on hub   

Postby mad_ady » Tue Oct 28, 2014 11:07 pm

Well, based on the command pasted
cat $XENV2_TMP_FILE /dev/zero | dd of=$PHY_BLOCK_FILE bs=1K count=$XENV2_BLK_SIZE


and the message "Broken pipe", I'd say something breaks the pipe :D

The pipe can break in two ways - the cat command runs out of output (impossible since /dev/zero is quite long), or the destination process terminates - and it would after $XENV2_BLK_SIZE kBytes. Now I don't know what $XENV2_TMP_FILE is at runtime, but I doubt it would change execution much. I'm puzzled that you don't get the error every time you run the command...

I can't seem to reproduce the issue by hand though, so what I've written above has to be completely untrue :)) ...
adrianp@frost:~/temp$ cat /dev/zero | dd of=zero bs=1K count=50
50+0 records in
50+0 records out
51200 bytes (51 kB) copied, 0.000436097 s, 117 MB/s
adrianp@frost:~/temp$ VAR=fake
adrianp@frost:~/temp$ cat $VAR /dev/zero | dd of=zero bs=1K count=50
cat: fake: No such file or directory
50+0 records in
50+0 records out
51200 bytes (51 kB) copied, 0.000418917 s, 122 MB/s
adrianp@frost:~/temp$ touch empty
adrianp@frost:~/temp$ VAR=empty
adrianp@frost:~/temp$ cat $VAR /dev/zero | dd of=zero bs=1K count=50
50+0 records in
50+0 records out
51200 bytes (51 kB) copied, 0.00227198 s, 22.5 MB/s


Running sh -x should work across symlinks without issues. Or you could add #!/bin/sh -x in the shebang in /bin/setxenv.sh. Also, you could add several echos to see the environment variables at runtime.
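The pipe breaking that mad_ady describes, and the "cat: write error: Broken pipe" that KAD sees only when setxenv runs under php, reproduced and fixed in an added shell example (not code from the thread or from setxenv). The difference between the two runs is the SIGPIPE disposition: php-cli sets SIGPIPE to SIG_IGN, that disposition is inherited by the commands shell_exec starts, and so cat gets EPIPE from write() and reports it instead of being killed silently. $XENV2_TMP_FILE, $PHY_BLOCK_FILE and $XENV2_BLK_SIZE are replaced by constructed temp files and a made-up size.

```shell
# Added example, not from the thread: reproduce and fix the "cat: write error:
# Broken pipe" from setxenv's "cat $XENV2_TMP_FILE /dev/zero | dd ... count=N".
# All paths are constructed stand-ins for the real variables; nothing here
# touches flash.
BLK_SIZE_K=50                   # stand-in for $XENV2_BLK_SIZE (in KiB)
XENV_TMP=$(mktemp)              # stand-in for $XENV2_TMP_FILE
PHY_BLOCK=$(mktemp)             # stand-in for $PHY_BLOCK_FILE
printf 'sisi' > "$XENV_TMP"     # constructed 4-byte payload

# Run the original pipeline and count "Broken pipe" messages on stderr.
# dd exits after N reads while cat is still pumping /dev/zero into the pipe.
# With SIGPIPE at its default the kernel kills cat silently; when the parent
# ignores SIGPIPE (php-cli does, and SIG_IGN survives exec into children)
# cat's write() fails with EPIPE and cat reports it. $1 = "ignore" emulates PHP.
broken_pipe_messages() {
    (
        if [ "$1" = ignore ]; then trap '' PIPE; fi
        cat "$XENV_TMP" /dev/zero | dd of="$PHY_BLOCK" bs=1K count="$BLK_SIZE_K" 2>/dev/null
    ) 2>&1 | grep -c 'Broken pipe' || true
}

# Fixed pipeline: pad to exactly N KiB with head -c reading /dev/zero directly,
# so the producer stops on its own and dd just copies to EOF. Dropping count=
# also removes a second hazard: on a pipe dd can get short reads, and count=
# counts reads rather than full blocks, so it may stop before N KiB.
# Prints the number of bytes written to the stand-in block file.
write_exact_block() {
    payload_len=$(wc -c < "$XENV_TMP" | tr -d ' ')
    {
        cat "$XENV_TMP"
        head -c $(( BLK_SIZE_K * 1024 - payload_len )) /dev/zero
    } | dd of="$PHY_BLOCK" bs=1K 2>/dev/null
    wc -c < "$PHY_BLOCK" | tr -d ' '
}

# The fixed pipeline with SIGPIPE ignored, as under PHP: still no message.
fixed_pipeline_messages() {
    ( trap '' PIPE; write_exact_block > /dev/null ) 2>&1 | grep -c 'Broken pipe' || true
}

# First 4 bytes of the written block, to confirm the payload landed at offset 0.
block_prefix() {
    head -c 4 "$PHY_BLOCK"
}
```

In a plain shell broken_pipe_messages prints 0 and with SIGPIPE ignored it prints 1, while write_exact_block writes exactly 51200 bytes starting with "sisi" and stays silent either way.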
