4 edits
12 recommendations |
naf
Member
2018-Jan-16 8:53 pm
Obihai OBi20x/30x + OBi1000 + OBi50x + OBi2000 firmware mods
So I want to add the ability to configure these devices for GV using oauth without obitalk, similar to the changes for the obi100 (and add an ssh server, for grins). I think I have the MD5s in the firmware file worked out (it's the same "Goodbye! Reboot Now" garbage as the 100), and I see where the oauth refresh token code is, so it should be pretty straightforward unless there is code signing that I missed.
The only hiccup is... I don't actually have an OBi20x :-( Anyone have one of these devices that wants to be a guinea pig? You should definitely have a way to SPI the flash back *when* I brick the thing the first couple tries...
[or if someone has one sitting in the closet, you could just send it to me. I'll name the fw after you ]
EDIT: speaking of flash, it's supposed to have a w25x128 on board, but is it the SOIC package or some BGA madness?
QUICK SUMMARY: Custom firmware made for all obi devices, thanks to the help of generous hardware donations and bold testers. See obifirmware.com to download latest.
|
|
thUzu7AkU Premium Member join:2014-05-05 Beverly Hills, CA 2 edits |
Re: Obihai OBi200/202 firmware mods
said by naf: [or if someone has one sitting in the closet, you could just send it to me. I'll name the fw after you ]
PM sent. |
|
|
to naf
I can help testing the modded FW. |
|
|
naf
Member
2018-Jan-18 5:11 am
said by divx_2: I can help testing the modded FW.
ok great. did i also get the impression from the other thread that you also had changes to obiapp? it should be a lot easier since we can run a debugger on the box » randywestergren.com/reve ··· -part-3/ |
|
OBi1FW join:2017-12-27 Vienna, VA |
OBi1FW
Member
2018-Jan-18 10:43 am
I'd be very curious to know if it's possible to mod the firmware so that Google Voice will run on a 300/302. |
|
|
2 edits |
to divx_2
said by divx_2:
said by naf: And here's the hint: if you look in /obi/obiapp at the token refresh sub at 0xD9760, the obitalk refresh token is in [R7,#0x3C]. The AuthPassword should be in [R7,#0x38]. Just use that instead of all that sprintf concatenated crap.
Thanks. If I understand it correctly, after the patch it'll either use obi's access_token, or self generated refresh_token. It won't be able to refresh obi's token, unless I find a space to check the length of AuthPassword and refresh token conditionally.
Ya, moving the function to make more space is a little harder on this ARM code cause all the offsets are relative to the PC. Looks like maybe a dozen to change, between the function calls and the constants... ... and then there's the ELF wrapping...hmmm... maybe it should be easier to just overwrite it in place (hard to do it conditionally then) |
|
naf |
naf
Member
2018-Jan-19 12:56 pm
said by naf: speaking of flash, it's supposed to have a w25x128 on board, but is it the SOIC package or some BGA madness?
Turns out to be a w25q128bvieg, a WSON package, whatever the fuck that is. |
|
UHFAll static, all day, Forever MVM join:2002-05-24 |
UHF
MVM
2018-Jan-19 3:18 pm
said by naf: a WSON package, whatever the fuck that is
That was a new one for me too. Looks like a bitch to solder them. |
|
|
naf
Member
2018-Jan-19 3:35 pm
ya, but pin spacing is still 0.05", so it might still work if anyone had one of them fancy SOIC clips
on the other hand, u-boot over serial should help, if i could figure out how to use sf or md successfully... |
|
naf
2 recommendations |
naf
Member
2018-Jan-19 6:06 pm
fuck it. ill just be confident and web-gui flash the thing without a backup: |
|
1 edit
1 recommendation |
divx_2
Member
2018-Jan-19 6:23 pm
As I remember there was a way to boot it into a recovery mode with its own kernel and rootfs. You should be able to flash any FW version in that mode. In FW 4330 there was a /obi/recovery utility that activated recovery mode after device reboot. Here is the code that it was executing:
puts("Prepare to enter recovery mode: ");
FLASHSPI_clear(0xC00000, 0x10000);
puts("This unit will enter recovery mode after power cylce");
|
|
1 edit |
naf
Member
2018-Jan-19 7:01 pm
ya, im just worried that ill fuck up the recovery ones too
apparently the recovery is the partition that i originally overwrote, cause it only has uclibc. when i booted and didnt see my changes i had to switch to the other squashfs that had a rootfs, and it apparently has real glibc so now i have to rebuild all the tools i was going to sneak on...
ETA: i did at least turn telnetd on |
|
naf 2 edits
1 recommendation |
naf
Member
2018-Jan-19 7:34 pm
shouldnt i be able to backup this thing from userspace? anyone understand the /dev/mtd* stuff?
i have dev devices: mtd[0-8], mtd[0-8]ro, mtdblock[0-8], mtdchar[0-7]...
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00800000 00001000 "mtd-ram fs ro"
mtd1: 00800000 00001000 "mtd-ram"
mtd2: 00050000 00010000 "u-boot"
mtd3: 00280000 00010000 "kernel"
mtd4: 000c0000 00010000 "scratch"
mtd5: 006c0000 00010000 "rootfs"
mtd6: 01000000 00010000 "flash0"
mtd7: 00240000 00010000 "obi app"
mtd8: 00100000 00010000 "bluetooth"
i just wanna dump the whole goddamn thing |
|
1 recommendation |
divx_2
Member
2018-Jan-19 8:04 pm
If you have mtd_utils cross compiled for the platform then you should be able to dump mtd6 which is mapped to the whole flash. |
|
|
naf
Member
2018-Jan-19 8:18 pm
oh, ha. totally missed mtd6. poor reading comprehension i guess.
cant i just cat /dev/mtd6 > somefile.bin ? |
|
|
divx_2
Member
2018-Jan-19 8:32 pm
i'm not sure about mtd6, but it should work with mtdchar6. |
|
|
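The backup discussed in the posts above, as an added example that is not code from any poster: it parses the /proc/mtd listing naf posted to find the partition that spans the whole flash, then copies it through the read-only node and checks the image length. The output path, the optional device-directory argument, and the presence of `dd`, `wc` and `md5sum` on the box are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_PROC_MTD is the /proc/mtd listing quoted in the thread.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00800000 00001000 "mtd-ram fs ro"
mtd1: 00800000 00001000 "mtd-ram"
mtd2: 00050000 00010000 "u-boot"
mtd3: 00280000 00010000 "kernel"
mtd4: 000c0000 00010000 "scratch"
mtd5: 006c0000 00010000 "rootfs"
mtd6: 01000000 00010000 "flash0"
mtd7: 00240000 00010000 "obi app"
mtd8: 00100000 00010000 "bluetooth"'

# Print "<dev> <size-in-bytes> <name>" for the largest partition in a listing.
# Sizes are hex; names may contain spaces, so the name is the rest of the line.
largest_mtd() {
    best_dev='' best_size=0 best_name=''
    while read -r dev size erase name; do
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac   # skip the header row
        bytes=$((0x$size))
        if [ "$bytes" -gt "$best_size" ]; then
            best_dev=${dev%:} best_size=$bytes best_name=$name
        fi
    done <<EOF
$1
EOF
    [ -n "$best_dev" ] && printf '%s %s %s\n' "$best_dev" "$best_size" "$best_name"
}

# Copy a partition through its read-only node (mtdNro, as listed in the thread)
# and fail unless the image is exactly as long as /proc/mtd says it should be.
# usage: backup_mtd <dev> <expected-bytes> <outfile> [devdir]
backup_mtd() {
    src=${4:-/dev}/${1}ro
    dd if="$src" of="$3" bs=65536 2>/dev/null || return 1
    got=$(wc -c < "$3" | tr -d ' ')
    [ "$got" -eq "$2" ] || { echo "short read: $got of $2 bytes" >&2; return 1; }
    md5sum "$3"      # record the hash before flashing anything
}

# On the device (outfile must sit somewhere with 16 MiB free):
#   set -- $(largest_mtd "$(cat /proc/mtd)"); backup_mtd "$1" "$2" /path/to/flash0.bin
largest_mtd "$SAMPLE_PROC_MTD"
```

The 16777216 bytes reported for flash0 match the 128 Mbit capacity of the w25q128 part named earlier in the thread.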
naf
Member
2018-Jan-19 8:49 pm
# /lib/libc.so.6
GNU C Library stable release version 2.5, by Roland McGrath et al.
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.2.1.
Compiled on a Linux >>2.6.20-16-generic<< system on 2007-09-27.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
GNU libio by Per Bothner
NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
Native POSIX Threads Library by Ulrich Drepper et al
Support for some architectures added on, not maintained in glibc core.
BIND-8.2.3-T5B
Thread-local storage support included.
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.
anybody got an easy way to build an arm toolchain with glibc 2.5? crosstool-ng-1.23.0 in obsolete mode only goes back to 2.12.1 :-( |
|
|
divx_2
Member
2018-Jan-19 11:11 pm
As I remember I built gcc 4.9.1 with libc-2.18 for this platform. I was able to rebuild mtd-tools and run.
Not sure if I run in chroot though. It was about 3 years ago. Still should have this toolchain somewhere. |
|
3 recommendations |
naf
Member
2018-Jan-21 6:56 pm
quick update: i got a crosscompiling toolchain setup for the old-as-fuck glibc/kernel, and i got dropbear compiled and running on the box... just gotta figure out how to set a root password and package up a fw with it... |
|
naf 1 edit
1 recommendation |
naf
Member
2018-Jan-21 9:27 pm
heres a problem: i dont really want to leave dropbear open to the outside world with a hardcoded root password. and i cant change the password from whatever i initially flash because its mounted readonly.
ideas? limit to LAN side (assuming someone out there is smart enough with iptables to do this)? some /etc over-mount foolishness? something obvious and easier that im missing? fuck anyone who doesn't firewall their obi in the first place? |
|
2 recommendations |
divx_2
Member
2018-Jan-21 9:57 pm
You can do over-mount for a single file:
mount --bind /else/where/passwd /etc/passwd
|
|
|
naf
Member
2018-Jan-21 10:24 pm
said by divx_2: You can do over-mount for a single file:
mount --bind /else/where/passwd /etc/passwd
nice. i guess itd be nice to have a 'passwd'-like script to encrypt a password and shove the passwd in for root in the /else/where/passwd overlay. ETA: at least then there would be a chance in hell that anyone might actually change it... |
|
naf |
naf
Member
2018-Jan-21 10:51 pm
said by naf: nice. i guess itd be nice to have a 'passwd'-like script to encrypt a password and shove the passwd in for root in the /else/where/passwd overlay.
and by script i mean ill just compile busybox's passwd after changing the file location... |
|
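The startup logic this exchange arrives at, as an added example that is not naf's firmware script: keep a writable passwd copy, bind it over the read-only file, and have dropbear listen on the LAN address only. The overlay path, the LAN address argument, the `RUN` dry-run switch, and the availability of `cmp` and `grep` on the box are assumptions. It also assumes the password hash lives in /etc/passwd, as the bind-mount suggestion implies.

```shell
#!/bin/sh
# Added example, not the firmware's own rc script. All paths below are assumed.
OVERLAY=${OVERLAY:-/scratch/etc/passwd}    # writable copy (assumed location)
ETC_PASSWD=${ETC_PASSWD:-/etc/passwd}      # file on the read-only rootfs
MOUNTS=${MOUNTS:-/proc/mounts}
RUN=${RUN:-}                               # RUN=echo prints the plan instead of running it

# Seed the writable copy once. Never overwrite it: that would silently
# reset a password the owner has already changed.
seed_overlay() {
    [ -s "$OVERLAY" ] && return 0
    $RUN mkdir -p "$(dirname "$OVERLAY")" && $RUN cp -p "$ETC_PASSWD" "$OVERLAY"
}

# True while the overlay is byte-identical to the shipped file, i.e. the
# default password is still in place. Call before bind_overlay, while
# $ETC_PASSWD still shows the read-only original.
still_default() { cmp -s "$OVERLAY" "$ETC_PASSWD"; }

# Bind the writable copy over the read-only file unless already mounted.
bind_overlay() {
    if grep -qF " $ETC_PASSWD " "$MOUNTS" 2>/dev/null; then return 0; fi
    $RUN mount --bind "$OVERLAY" "$ETC_PASSWD"
}

# Start dropbear on one IPv4 address only (-p [address:]port), so the SSH
# port is never bound on the WAN side. Refuses empty or wildcard addresses.
start_ssh() {    # usage: start_ssh <lan-ip>
    case $1 in
        ''|0.0.0.0|*[!0-9.]*) echo "refusing to listen on '$1'" >&2; return 1 ;;
    esac
    $RUN dropbear -p "$1:22"
}

# Boot-time order (192.168.10.1 is a placeholder LAN address):
#   seed_overlay
#   still_default && echo "root password is still the shipped default" >&2
#   bind_overlay && start_ssh 192.168.10.1
```

Changing the password then only has to write to the overlay file, which is what a `passwd` built to use that path would do.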
naf
3 recommendations |
naf
Member
2018-Jan-22 11:12 am
bsdiff for OBi202-3-2-1-5757EX.fw modifications: 1) add dropbear ssh server. default root passwd = "obi". (hint: login and change it asap) |
|
jsolo1 Premium Member join:2001-07-01 PRIL |
jsolo1
Premium Member
2018-Jan-22 12:29 pm
Nice. Does that mean we can now change oauth2 credentials directly through ssh? |
|
|
naf
Member
2018-Jan-22 1:45 pm
said by jsolo1: Nice. Does that mean we can now change oauth2 credentials directly through ssh?
Not yet. Since I don't see any tools that can increase the size of ELF sections (anyone?), I probably just gotta find some unused/unimportant space to stick some strings. That might make room to do an AuthPassword switch and still have the obitalk client/secret as a fallback all within the same amount of code space. |
|
azrobert join:2015-02-07 Fountain Hills, AZ
1 recommendation |
said by divx_2: BTW, by modding this structure you can easily enable 2nd phone port on obi200 that is connected to the 2nd pair of conductors of rj11.
Any chance for this? |
|
thUzu7AkU Premium Member join:2014-05-05 Beverly Hills, CA
1 recommendation |
to naf
@naf Thanks for all your hard work! |
|
3 recommendations |
naf
Member
2018-Jan-23 9:51 am
bsdiff for OBi202-3-2-1-5757EX.fw modifications:
1) add dropbear ssh server. default root passwd = "obi". [now started by custom startup script in /scratch/etc/rc.custom, change as you please]
2) patch obiapp to use oauth token request override, for provisioning GV without obitalk. Uses same AuthPassword format and provisioning xml as the obi1xx-naf7, like » obi1.s3-website.us-east- ··· /OAuth2/ |
|
OBi1FW join:2017-12-27 Vienna, VA 2 edits
2 recommendations |
OBi1FW
Member
2018-Jan-23 11:09 pm
Great. I made the firmware file, but I don't have an OBI2 to test with. Like someone to test it please before I put it on the website, or maybe confirm the checksum is right. » obi1.s3-website.us-east- ··· est.html
I also updated » obi1.s3-website.us-east- ··· TALK.xml which should be ok with all devices. |
|