Difference between revisions of "Logitech Revue Technical"

From Exploitee.rs
Line 179: Line 179:
*J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
*J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
*J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
*J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
*J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board.
*J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board. IMG: [http://www.chrispix.com/googleTV.jpg]
*XDP1 --> Intel XDP Debug Adapter [http://software.intel.com/sites/products/documentation/hpc/atom/application/device_driver_debugging.pdf Information on XDP Debugging] [ftp://download.intel.com/design/Pentium4/guides/31337301.pdf Page 23 Pinout]
*XDP1 --> Intel XDP Debug Adapter [http://software.intel.com/sites/products/documentation/hpc/atom/application/device_driver_debugging.pdf Information on XDP Debugging] [ftp://download.intel.com/design/Pentium4/guides/31337301.pdf Page 23 Pinout]
[[Category:Logitech Revue]]
[[Category:Logitech Revue]]
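Review bot: the image reference appended to the J67 line is a bare bracketed external URL with no link text, so it renders only as a numbered "[1]" and the reader cannot tell what the photo shows. Give the link a label (for example what part of the board or daughter board is pictured), and consider uploading the image to the wiki so the pinout entry does not depend on a third-party host staying up.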

Revision as of 03:49, 10 January 2011

Update Procedure

Place the new update, labelled "update.zip", on a USB drive with a single partition (i.e., the first partition on the USB disk, for example "/dev/sdc1").

Insert it into the Revue's rightmost USB port (if looking at the back, the one closest to the power jack).

Boot into recovery mode:

  1. Plug in the box. Once the fan goes low, hold the sync button. The box should reboot; keep the sync button held until an image appears on screen.
  2. Once you see the arrow on your screen, press Alt+L on your keyboard, usually once or twice, until "Formatting DATA:" shows on the screen and does not go away.
  3. You can then update the box with a newer update. Downgrading fails, however, due to a date check.

Firmware Links

Kernel Revisions

  • Initial kernel observed on the Revue (?): 2.6.23.18-gc0a9a5fb (richard@sayan) (gcc version 4.1.2) #3 PREEMPT Sat Jul 31 15:32:56 PDT 2010
  • 439c26f6af05.mp-signed-ota_update-b39389: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • 52057d168e2b.mp-signed-ota_update-b39953: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • c9914396d183.mp-signed-ota_update-b42449: 2.6.23.18-g5bba1a13 (sameer@sayan) #24 PREEMPT Fri Nov 19 11:13:31 PST 2010

SDK/Toolchain Support

The Intel SDK Toolchain is available as part of Google's GPL release for the Google TV. The toolchain is required to compile code to run on the Linux operating system of the Logitech Revue. (Sony devices, as well as other future devices, are most likely also compatible with this toolchain, but since we don't have these products to root, we don't know yet.)

We have not yet documented a complete list of required dependencies but here are a few packages which might come in handy:

  • texinfo (we encountered some issues with certain supposedly supported versions of makeinfo but updating texinfo resolved this on most systems)
  • flex
  • bison
  • awk
  • patch
  • gcc et al
  • build-essential (Ubuntu)

To simplify the toolchain setup, craigdroid created this script, which automates the process of configuring a build system. After preparing the toolchain, run the following commands (which are demonstrated in the script) to establish your environment:

export CROSS_COMPILE=i686-linux-cm-
export LD_LIBRARY_PATH=~/googletv/sdk/i686-linux-elf/lib
export PATH=$PATH:~/googletv/sdk/i686-linux-elf/bin/

NDK Support

Although at present Google has not released a proper NDK for the platform, the gtvhacker team have combined the Intel SDK Toolchain from the Google TV Mirrored Source site with the work of the Android x86 project to provide unofficial support in the interim.

The entire process of setting up unofficial NDK support has been simplified into an easy-to-use script by craigdroid. The script has been tested on a few of our systems running CentOS 5.4 32-bit, as well as 32-bit and 64-bit editions of Ubuntu.

Since this builds the Intel toolchain automatically, all of the caveats regarding the Intel SDK Toolchain apply here as well.

To automatically download, build and configure NDK support, first save yourself some time and check the dependencies list in the SDK/Toolchain Support section, then run the following from any user's shell:

wget http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip && unzip gtvhacker-NDK-installer.zip && ./gtvhacker-NDK-installer.sh

This will install the NDK to ~/googletv/ndk/ for the current user. Some guidance on how to use the NDK is provided upon completion of successful script execution.

Flash Layout

via: http://googletv.pastebin.com/233dZqZx

(What's an MTD partition?)

Creating 13 MTD partitions on "intel_ce_nand":

  • 0x00000000-0x00200000 : "mbr"
  • 0x00200000-0x00a00000 : "cefdk"
  • 0x00a00000-0x00c00000 : "redboot"
  • 0x00c00000-0x00e00000 : "cefdk-config"
  • 0x01000000-0x01800000 : "splash"
  • 0x01800000-0x01900000 : "fts"
  • 0x01900000-0x02d00000 : "recovery"
  • 0x02d00000-0x03200000 : "kernel"
  • 0x03200000-0x07200000 : "boot"
  • 0x07200000-0x1f200000 : "system"
  • 0x1f200000-0x3fa00000 : "data"
  • 0x3fa00000-0x3ff00000 : "keystore"
  • 0x3ff00000-0x40000000 : "bbt"

mbr - Mostly blank, repeats "01c0000 b00b dead 000f a901 0000 0000 0000 0000"

cefdk - Boot loader? It's binary data. Wouldn't say it's encrypted, but there are no strings.

redboot - All FF's

cefdk-config - Holds Box SN, repeats (like MBR)

splash - Says it's a BMP, but doesn't totally look like one (on a quick look)

fts - Repeats this data, mostly: "F*TS..e.L.......bootloader.command=boot-recovery.bootloader.recovery=recovery.--wipe_data."

Recovery - Full image, including kernel and small ramdisk (in squashfs format), boots to recovery menu

Kernel - The kernel image

Boot - Root partition, goes in hand with the kernel image, also in squashfs format

system - /system partition. Holds most of the crucial system files. It's YAFFS

data - YAFFS

keystore - Don't delete this. Has keys for communication with Google & Logitech. YAFFS

bbt - Bad block table
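The partition list above can be checked mechanically. The following is an added example (not code from the wiki or the pastebin) that parses those lines, reports each partition's size, and flags any flash range that no partition claims. The helper name `dd_args` is hypothetical; it assumes a raw dump with the same linear addressing as the kernel log, with no spare/OOB bytes interleaved.

```python
import re

# Partition lines copied from the Flash Layout list on this page.
MTD_LOG = '''
0x00000000-0x00200000 : "mbr"
0x00200000-0x00a00000 : "cefdk"
0x00a00000-0x00c00000 : "redboot"
0x00c00000-0x00e00000 : "cefdk-config"
0x01000000-0x01800000 : "splash"
0x01800000-0x01900000 : "fts"
0x01900000-0x02d00000 : "recovery"
0x02d00000-0x03200000 : "kernel"
0x03200000-0x07200000 : "boot"
0x07200000-0x1f200000 : "system"
0x1f200000-0x3fa00000 : "data"
0x3fa00000-0x3ff00000 : "keystore"
0x3ff00000-0x40000000 : "bbt"
'''
LINE_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"', re.I)
MIB = 1 << 20

def parse_layout(text):
    """Return [(name, start, end)] sorted by start; end is exclusive."""
    parts = [(m[3], int(m[1], 16), int(m[2], 16)) for m in LINE_RE.finditer(text)]
    return sorted(parts, key=lambda p: p[1])

def audit(parts):
    """Return (gaps, overlaps) as lists of (start, end) byte ranges."""
    gaps, overlaps, cursor = [], [], 0
    for _name, start, end in parts:
        if start > cursor:
            gaps.append((cursor, start))      # flash no partition claims
        elif start < cursor:
            overlaps.append((start, min(cursor, end)))
        cursor = max(cursor, end)
    return gaps, overlaps

def dd_args(parts, name, block=MIB):
    """skip/count (in `block`-byte units) to carve `name` from a full dump."""
    start, end = next((s, e) for n, s, e in parts if n == name)
    if start % block or end % block:
        raise ValueError("partition is not aligned to the block size")
    return {"bs": block, "skip": start // block, "count": (end - start) // block}

if __name__ == "__main__":
    layout = parse_layout(MTD_LOG)
    for name, start, end in layout:
        print(f"{name:13s} {start:#010x} {(end - start) // MIB:4d} MiB")
    print("gaps:", [(hex(a), hex(b)) for a, b in audit(layout)[0]])
```

Run against the list above, it reports one unclaimed 2 MiB range between "cefdk-config" and "splash"; the page does not say what, if anything, lives there.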

Serial Output

The Logitech Revue board has a UART1 port on the front of the board, which is active before the box receives its initial updates. To communicate with the UART port you will need a USB-to-TTL adapter (or a board that does a similar conversion).

The pins operate at 3.3v and the port at 9600 baud with the following pinout:

UART Pinout

Serial output

via: http://googletv.pastebin.com/233dZqZx Pasted Locally

PIC Access

  • There is a standard PIC access port to the right of the UART1 port. It can be accessed via a standard PIC Kit Debug board (tested with version 2). The port has read/write access, but the code is pulled from the chip as a .hex file and is unreadable thus far.
  • The pinout starts from the left: the pin with a white square around it corresponds to pin 1, or Vpp. The remaining pins follow the same layout. PIC Pinout

PIC Hex Dump Local PIC Hex Dump

PIC Disassembly

Updates

The updates contain a full set of system files (changed and unchanged), including a boot.img and a recovery.img

boot.img

The thread at xda-developer has the process to extract from the .img files (thx bftb0):

"the "boot.img" file is in (little-endian) "squashfs" format and unpacks just fine using "unsquashfs" from the (Ubuntu 8.0.04 LTS) squashfs-tools package."

recovery.img

system/boot/recovery.img is a standard Android boot image with some extra garbage (0x580 bytes) at the front. Remove it like so:

 dd if=system/boot/recovery.img bs=1408 skip=1 > recovery-ungarbaged.img

Unpack that like a normal Android boot image. Something like this Perl script works well.

The kernel (system/boot/kernel) is also a boot image with the same extra garbage at the front.
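Before skipping a fixed 0x580 bytes, it is worth confirming that a boot image header really begins at that offset, since a different update could change the prefix length. The following is an added example (not the Perl script referenced above) that checks for the `ANDROID!` magic, strips the prefix, and locates the kernel and ramdisk. It assumes the classic Android boot image header layout, and `make_sample` builds a constructed stand-in image rather than real firmware.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
PREFIX_LEN = 0x580  # 1408 bytes: the amount the dd command on this page skips

def strip_prefix(blob, prefix_len=PREFIX_LEN):
    """Drop the leading bytes only if a boot image header really follows them."""
    if blob[prefix_len:prefix_len + len(BOOT_MAGIC)] != BOOT_MAGIC:
        hit = blob.find(BOOT_MAGIC)
        where = "not found" if hit < 0 else f"found at {hit:#x}"
        raise ValueError(f"no boot magic at {prefix_len:#x} (magic {where})")
    return blob[prefix_len:]

def parse_header(img):
    """Return page size plus (offset, size) of kernel and ramdisk."""
    magic, k_size, _ka, r_size, _ra, _ss, _sa, _tags, page = struct.unpack_from(
        "<8s8I", img, 0)
    if magic != BOOT_MAGIC or page == 0:
        raise ValueError("not an Android boot image header")
    k_off = page                                  # header occupies one page
    r_off = k_off + -(-k_size // page) * page     # kernel padded to whole pages
    if r_off + r_size > len(img):
        raise ValueError("image is truncated")
    return {"page_size": page, "kernel": (k_off, k_size), "ramdisk": (r_off, r_size)}

def extract(img):
    """Slice the kernel and ramdisk payloads out of a stripped image."""
    hdr = parse_header(img)
    return {n: img[hdr[n][0]:hdr[n][0] + hdr[n][1]] for n in ("kernel", "ramdisk")}

def make_sample(page=2048):
    """Constructed stand-in for recovery.img: 0x580 filler bytes + boot image."""
    kernel, ramdisk = b"K" * 3000, b"R" * 100
    pad = lambda b: b + b"\0" * (-len(b) % page)
    hdr = struct.pack("<8s8I", BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    return b"\xff" * PREFIX_LEN + pad(hdr) + pad(kernel) + pad(ramdisk)

if __name__ == "__main__":
    img = strip_prefix(make_sample())
    print(parse_header(img))
    print({k: len(v) for k, v in extract(img).items()})
```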

Odex files

The .odex files can be extracted by using the following guide: Deodex Instructions

Open Ports

List nmap ports

Normal Mode, hooked to a Dish Network DVR (622) via WiFi:

  • Nmap scan report for LogitechRevue (192.168.1.142)
  • Host is up (0.060s latency).
  • Not shown: 65528 closed ports
  • PORT STATE SERVICE
  • 53/tcp open domain
  • 1100/tcp open unknown
  • 5222/tcp open unknown -- Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)
  • 5223/tcp open unknown -- SSL port for XMPP
  • 9551/tcp open unknown -- AnyMote Pairing Service through IpRemoteControlService -- SSL handshake requests cert and logs show errors from AnyMote
  • 9552/tcp open unknown -- AnyMote Connection Port
  • 35832/tcp open unknown

Also of course, with root - port 5555, for ADB!

Available Pinouts

  • UART1 --> UART Pinout
  • J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
  • SW1 --> Push Button Switch (Use is unknown)
  • J20 --> I2C (Top left - GND Top right - ? Bottom left - SDA Bottom right - SCL)
  • J69 --> USB Pinout
  • SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
  • J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
  • J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
  • J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board. IMG: [1]
  • XDP1 --> Intel XDP Debug Adapter Information on XDP Debugging Page 23 Pinout

Volume Management Configuration

Similar to other Android-based products, external storage can be attached, and the device will attempt to mount it to /sdcard as per the following vold.conf:

volume_sdcard {
    # NOTE: This path is overbroad and will capture any device on the
    # tatung3/tatung4 external PCI bus.  This needs to be fixed, in conjunction
    # with vold changes to handle logical device names (DEVPATH names are not
    # static, unfortunately.)
    media_path     /devices/pci0000:00/0000:00:01.0/0000:01:0d.1/usb2/
    media_type     scsi
    mount_point    /sdcard
    read_only      true
}

Note the interesting comment about the media_path as well as the read_only=true attribute.