naf
join:2017-12-12

4 edits

12 recommendations

naf

Member

Obihai OBi20x/30x + OBi1000 + OBi50x + OBi2000 firmware mods

So I want to add the ability to configure these devices for GV using oauth without obitalk, similar to the changes for the obi100 (and add an ssh server, for grins).

I think I have the MD5s in the firmware file worked out (it's the same "Goodbye! Reboot Now" garbage as the 100), and I see where the oauth refresh token code is, so it should be pretty straightforward unless there is code signing that I missed.

The only hiccup is... I don't actually have an OBi20x :-(

Anyone have one of these devices that wants to be a guinea pig? You should definitely have a way to SPI the flash back *when* I brick the thing the first couple tries...

[or if someone has one sitting in the closet, you could just send it to me. I'll name the fw after you]

EDIT: speaking of flash, it's supposed to have a w25x128 on board, but is it the SOIC package or some BGA madness?

QUICK SUMMARY:
Custom firmware made for all obi devices, thanks to the help of generous hardware donations and bold testers.
See obifirmware.com to download latest.
thUzu7AkU
Premium Member
join:2014-05-05
Beverly Hills, CA

2 edits

thUzu7AkU

Premium Member

Re: Obihai OBi200/202 firmware mod

said by naf:

[or if someone has one sitting in the closet, you could just send it to me. I'll name the fw after you]

PM sent.
divx_2
join:2005-07-01

divx_2 to naf

Member

to naf
I can help testing the modded FW.
naf
join:2017-12-12

naf

Member

said by divx_2:

I can help testing the modded FW.

ok great.

did I also get the impression from the other thread that you had changes to obiapp? it should be a lot easier since we can run a debugger on the box »randywestergren.com/reve ··· -part-3/
OBi1FW
join:2017-12-27
Vienna, VA

OBi1FW

Member

I'd be very curious to know if it's possible to mod the firmware so that Google Voice will run on a 300/302.
naf
join:2017-12-12

2 edits

naf to divx_2

Member

to divx_2
said by divx_2:

said by naf:

And here's the hint: if you look in /obi/obiapp at the token refresh sub at 0xD9760, the obitalk refresh token is in [R7,#0x3C]. The AuthPassword should be in [R7,#0x38]. Just use that instead of all that sprintf concatenated crap.

Thanks. If I understand it correctly, after the patch it'll either use obi's access_token, or a self-generated refresh_token. It won't be able to refresh obi's token, unless I find a space to check the length of AuthPassword and refresh token conditionally.

Ya, moving the function to make more space is a little harder on this ARM code cause all the offsets are relative to the PC. Looks like maybe a dozen to change, between the function calls and the constants...

... and then there's the ELF wrapping...hmmm... maybe it should be easier to just overwrite it in place (hard to do it conditionally then)
naf

naf

Member

said by naf:

speaking of flash, it's supposed to have a w25x128 on board, but is it the SOIC package or some BGA madness?

Turns out to be a w25q128bvieg, a WSON package, whatever the fuck that is.

UHF
All static, all day, Forever
MVM
join:2002-05-24

UHF

MVM

said by naf:

a WSON package, whatever the fuck that is

That was a new one for me too. Looks like a bitch to solder them.
naf
join:2017-12-12

naf

Member

ya, but pin spacing is still 0.05", so it might still work if anyone had one of them fancy SOIC clips

on the other hand, u-boot over serial should help, if I could figure out how to use sf or md successfully...
naf

2 recommendations

naf

Member

fuck it. I'll just be confident and web-gui flash the thing without a backup:
divx_2
join:2005-07-01

1 edit

1 recommendation

divx_2

Member

As I remember there was a way to boot it into a recovery mode with its own kernel and rootfs. You should be able to flash any FW version in that mode. In FW 4330 there was a /obi/recovery utility that activated recovery mode after device reboot. Here is the code that it was executing:
  puts("Prepare to enter recovery mode: ");
  FLASHSPI_clear(0xC00000, 0x10000);
  puts("This unit will enter recovery mode after power cylce"); 
 
naf
join:2017-12-12

1 edit

naf

Member

ya, I'm just worried that I'll fuck up the recovery ones too

apparently the recovery is the partition that I originally overwrote, cause it only has uclibc. when I booted and didn't see my changes I had to switch to the other squashfs that had a rootfs, and it apparently has real glibc so now I have to rebuild all the tools I was going to sneak on...

ETA: I did at least turn telnetd on
naf

2 edits

1 recommendation

naf

Member

shouldn't I be able to back up this thing from userspace? anyone understand the /dev/mtd* stuff?

I have dev devices: mtd[0-8], mtd[0-8]ro, mtdblock[0-8], mtdchar[0-7]...

# cat /proc/mtd
dev: size erasesize name
mtd0: 00800000 00001000 "mtd-ram fs ro"
mtd1: 00800000 00001000 "mtd-ram"
mtd2: 00050000 00010000 "u-boot"
mtd3: 00280000 00010000 "kernel"
mtd4: 000c0000 00010000 "scratch"
mtd5: 006c0000 00010000 "rootfs"
mtd6: 01000000 00010000 "flash0"
mtd7: 00240000 00010000 "obi app"
mtd8: 00100000 00010000 "bluetooth"

I just wanna dump the whole goddamn thing
divx_2
join:2005-07-01

1 recommendation

divx_2

Member

If you have mtd_utils cross compiled for the platform then you should be able to dump mtd6 which is mapped to the whole flash.
naf
join:2017-12-12

naf

Member

oh, ha. totally missed mtd6. poor reading comprehension I guess.

can't I just cat /dev/mtd6 > somefile.bin ?
divx_2
join:2005-07-01

divx_2

Member

I'm not sure about mtd6, but it should work with mtdchar6.
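A userspace backup along the lines discussed above, as an added example (not code from the thread or from the OBi firmware): it reads each partition through the character device with dd and rejects any dump whose length differs from what /proc/mtd reports, which is the short read a plain `cat` would silently accept. Assumed: busybox sh/awk/dd/md5sum on the box, DEVPREFIX being the character device prefix ("/dev/mtd" or "/dev/mtdchar", whichever the box uses), and an output directory with room for the 16 MiB flash0 dump (the scratch partition is only 0xc0000 bytes).

```shell
#!/bin/sh
# Added example, not code from the thread: dump every partition in /proc/mtd
# from userspace with dd (one erase block per read, fixed count) and refuse to
# trust a dump whose size differs from what /proc/mtd reports, which is the
# failure `cat` would hide. Assumes busybox sh/awk/dd/md5sum on the box and
# that DEVPREFIX names the character device ("/dev/mtd" or "/dev/mtdchar").

# mtd_field LIST DEV FIELD: print field 2 (size) or 3 (erasesize) of DEV
# (e.g. mtd6) from a /proc/mtd-style listing LIST, converted to decimal bytes.
mtd_field() {
    hex=$(awk -v dev="$2:" -v f="$3" '$1 == dev { print $f }' "$1")
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# check_dump FILE SIZE: succeed only if FILE is exactly SIZE bytes long.
check_dump() {
    [ "$(wc -c < "$1")" -eq "$2" ]
}

# dump_mtd LIST DEVPREFIX N OUTDIR: copy DEVPREFIX+N to OUTDIR/mtdN.bin and
# verify its length. A short read (bad block, wrong device node) fails here.
dump_mtd() {
    size=$(mtd_field "$1" "mtd$3" 2) || return 1
    erase=$(mtd_field "$1" "mtd$3" 3) || return 1
    dd if="$2$3" of="$4/mtd$3.bin" bs="$erase" count=$((size / erase)) || return 1
    check_dump "$4/mtd$3.bin" "$size"
}

# backup_all LIST DEVPREFIX OUTDIR: dump each partition whose name is not
# "mtd-ram" (those two look RAM-backed, not the SPI chip) and write checksums,
# so a later re-dump or a restore can be compared against this baseline.
backup_all() {
    for n in $(awk '/^mtd[0-9]+:/ && $4 !~ /mtd-ram/ { sub(/^mtd/, "", $1); sub(/:$/, "", $1); print $1 }' "$1"); do
        dump_mtd "$1" "$2" "$n" "$3" || { echo "mtd$n: short or failed dump" >&2; return 1; }
    done
    (cd "$3" && md5sum mtd*.bin > MD5SUMS)
}

# Typical use on the box (mtd6 "flash0" is the whole 16 MiB w25q128):
#   backup_all /proc/mtd /dev/mtd /path/with/room
```

The sum of mtd2..mtd8 in the listing above is larger than the 0x01000000 of flash0, so mtd6 overlaps the others; keep the flash0 dump as the master copy and the per-partition files for diffing after a flash.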
naf
join:2017-12-12

naf

Member

# /lib/libc.so.6
GNU C Library stable release version 2.5, by Roland McGrath et al.
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.2.1.
Compiled on a Linux >>2.6.20-16-generic<< system on 2007-09-27.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        GNU libio by Per Bothner
        NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
        Native POSIX Threads Library by Ulrich Drepper et al
        Support for some architectures added on, not maintained in glibc core.
        BIND-8.2.3-T5B
Thread-local storage support included.
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.
 

anybody got an easy way to build an arm toolchain with glibc 2.5? crosstool-ng-1.23.0 in obsolete mode only goes back to 2.12.1 :-(
divx_2
join:2005-07-01

divx_2

Member

As I remember I built gcc 4.9.1 with libc-2.18 for this platform. I was able to rebuild mtd-tools and run.

Not sure if I ran it in chroot though. It was about 3 years ago. I should still have this toolchain somewhere.
naf
join:2017-12-12

3 recommendations

naf

Member

quick update: I got a cross-compiling toolchain set up for the old-as-fuck glibc/kernel, and I got dropbear compiled and running on the box... just gotta figure out how to set a root password and package up a fw with it...
naf

1 edit

1 recommendation

naf

Member

here's a problem: I don't really want to leave dropbear open to the outside world with a hardcoded root password. and I can't change the password from whatever I initially flash because it's mounted read-only.

ideas?
limit to LAN side (assuming someone out there is smart enough with iptables to do this)?
some /etc over-mount foolishness?
something obvious and easier that I'm missing?
fuck anyone who doesn't firewall their obi in the first place?
divx_2
join:2005-07-01

2 recommendations

divx_2

Member

You can do over-mount for a single file:
 mount --bind /else/where/passwd /etc/passwd 
 
naf
join:2017-12-12

naf

Member

said by divx_2:

You can do over-mount for a single file:

 mount --bind /else/where/passwd /etc/passwd 
 

nice. I guess it'd be nice to have a 'passwd'-like script to encrypt a password and shove the passwd in for root in the /else/where/passwd overlay.

ETA: at least then there would be a chance in hell that anyone might actually change it...
naf

naf

Member

said by naf:

nice. I guess it'd be nice to have a 'passwd'-like script to encrypt a password and shove the passwd in for root in the /else/where/passwd overlay.

and by script I mean I'll just compile busybox's passwd after changing the file location...
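One way to put divx_2's single-file bind mount together with the "limit to LAN side" idea from the post above, as an added example (not code from the thread or from naf's firmware): the root hash is written to a copy of passwd on writable storage, that copy is bind-mounted over the read-only /etc/passwd, and iptables only accepts TCP/22 from the LAN interface. Assumed: /scratch is writable (the "scratch" mtd in the listing), the hash lives in field 2 of passwd with no shadow file, and LAN_IF is the LAN-side interface name, which the thread never gives.

```shell
#!/bin/sh
# Added example, not code from the thread or from naf's firmware: keep root's
# hash off the read-only squashfs by writing a private copy of /etc/passwd on
# writable storage and bind-mounting it over /etc/passwd, then only let the
# LAN side reach dropbear. Assumptions: /scratch is writable (the "scratch"
# mtd in naf's listing), the hash lives in field 2 of passwd (no shadow file),
# and LAN_IF is the LAN-side interface name, which the thread never gives.

OVERLAY_DIR="${OVERLAY_DIR:-/scratch/etc}"

# set_root_hash SRC DST HASH: write SRC to DST with root's password field
# replaced by HASH. Fails (returns 1) if SRC has no root entry.
# Generate HASH on the build host, e.g. `openssl passwd -1`; the glibc 2.5
# crypt() on this box understands DES and MD5 ($1$) hashes, not $5$/$6$.
set_root_hash() {
    src="$1"; dst="$2"; hash="$3"
    grep -q '^root:' "$src" || return 1
    awk -F: -v h="$hash" 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }' \
        "$src" > "$dst" || return 1
    chmod 644 "$dst"   # passwd must stay world-readable for name lookups
}

# apply_overlay HASH: build the overlay file from the stock passwd and mount it
# over /etc/passwd (a bind mount of a single file, as divx_2 showed).
apply_overlay() {
    mkdir -p "$OVERLAY_DIR" || return 1
    set_root_hash /etc/passwd "$OVERLAY_DIR/passwd" "$1" || return 1
    mount --bind "$OVERLAY_DIR/passwd" /etc/passwd
}

# lan_only_ssh IFACE: accept TCP/22 arriving on IFACE, drop it from anywhere
# else. DROP is inserted first so the ACCEPT lands above it at position 1.
lan_only_ssh() {
    iptables -I INPUT 1 -p tcp --dport 22 -j DROP &&
    iptables -I INPUT 1 -p tcp --dport 22 -i "$1" -j ACCEPT
}

# Only touch the system when asked for explicitly (e.g. from rc.custom), so the
# functions above can be sourced or tested without changing anything.
if [ "$APPLY_HARDENING" = 1 ]; then
    apply_overlay "$ROOT_HASH" && lan_only_ssh "${LAN_IF:-eth1}" && dropbear
fi
```

The bind mount has to be redone on every boot, before dropbear starts, so it belongs in whatever startup script the firmware runs from writable storage.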
naf

3 recommendations

naf

Member

bsdiff for OBi202-3-2-1-5757EX.fw

modifications:
1) add dropbear ssh server. default root passwd = "obi". (hint: login and change it asap)

jsolo1
Premium Member
join:2001-07-01
PRIL

jsolo1

Premium Member

Nice. Does that mean we can now change oauth2 credentials directly through ssh?
naf
join:2017-12-12

naf

Member

said by jsolo1:

Nice. Does that mean we can now change oauth2 credentials directly through ssh?

Not yet.

Since I don't see any tools that can increase the size of ELF sections (anyone?), I probably just gotta find some unused/unimportant space to stick some strings. That might make room to do an AuthPassword switch and still have the obitalk client/secret as a fallback all within the same amount of code space.
azrobert
join:2015-02-07
Fountain Hills, AZ

1 recommendation

azrobert

Member

said by divx_2:

BTW, by modding this structure you can easily enable 2nd phone port on obi200 that is connected to the 2nd pair of conductors of rj11.

Any chance for this?
thUzu7AkU
Premium Member
join:2014-05-05
Beverly Hills, CA

1 recommendation

thUzu7AkU to naf

Premium Member

to naf
@naf Thanks for all your hard work!
naf
join:2017-12-12

3 recommendations

naf

Member

bsdiff for OBi202-3-2-1-5757EX.fw

modifications:
1) add dropbear ssh server. default root passwd = "obi". [now started by custom startup script in /scratch/etc/rc.custom, change as you please]
2) patch obiapp to use oauth token request override, for provisioning GV without obitalk. Uses same AuthPassword format and provisioning xml as the obi1xx-naf7, like »obi1.s3-website.us-east- ··· /OAuth2/
OBi1FW
join:2017-12-27
Vienna, VA

2 edits

2 recommendations

OBi1FW

Member

Great.

I made the firmware file, but I don't have an OBI2 to test with. I'd like someone to test it please before I put it on the website, or maybe confirm the checksum is right.

»obi1.s3-website.us-east- ··· est.html

I also updated »obi1.s3-website.us-east- ··· TALK.xml which should be ok with all devices.