-
Notifications
You must be signed in to change notification settings - Fork 0
Firmware
In /system/etc, I found two scripts: init.thalmic.bnep_up.sh and init.thalmic.bnep_down.sh. Additionally there is the following entry in the boot image init.target.rc:
service bnep_up /system/bin/sh /system/etc/init.thalmic.bnep_up.sh
class late_start
user root
group root
oneshot
disabled
service bnep_down /system/bin/sh /system/etc/init.thalmic.bnep_down.sh
class late_start
user root
group root
oneshot
disabled
on property:sys.bluetooth.bnep.enabled=true
start bnep_up
on property:sys.bluetooth.bnep.enabled=false
start bnep_down
So perhaps finding a way to setprop sys.bluetooth.bnep.enable will enable some networking.
There is /system/etc/init.thalmic.ssh.sh which appears to enable an ssh server - and there are a number of public keys in /system/etc/ssh which some of the usernames i can trace back to actual embedded engineers - so I assume this method is definitely used for debugging.
I'm assuming if I can a) enable some form of networking, either through usb or bluetooth pan b) run the ssh init script (assuming it isn't already run), then this may come in handy.
The allowed users in sshd_config are "shell" and "root"
I think this is probably the most straightforward way - I'm just afraid to try it on the offchance it bricks my device. I also am not sure if the boot image is signed in any way to make sure it hasn't been modified.
As far as I can tell, there are certificates in several places that could possibly be overwritten:
- system's root certificates are in /system/etc/ssl/certs/cacert.pem
- /system/etc/security/otacerts.zip appears to have ota update signing certificate
- /system/etc/security/mac_permissions.xml has some sort of signature file, but not sure what this is used for
Given that I can write anything on the filesystem, maybe we can overwrite one of these?
https://github.com/bkerler/edl
connector/backup_partitions.sh
-
Once you have individual partition images, they can be mounted and explored with:
mount -o ro imagefile destfolder # destfolder must already exist -
Some images (such as boot.img) require further processing
- boot.img
This contains a ramdisk which has to be extracted
The following are a subset of default.prop found in the boot image related to usb and adb debugging:
ro.secure=1
security.perf_harden=1
ro.adb.secure=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
...
persist.sys.usb.config=none
- system.img - mounted as /system
-
- /system/etc
-
- /system/etc/
-
-
- /system/etc/init.blackcoral.
-
- alexa_app
- alexa_service
- calendar_service
- contact_service
- daily_briefing
- demo_notes
- demo_tasks
- explore_app
- feature_manager
- flynss_app
- health_app
- herald
- jukebox_app
- music_id_app
- notes_app
- notification_app
- phoropter
- quest_app
- showcase
- sky_captain
- social_app
- sportscaster
- tasks_app
- telepath_lens
- telepath_service
- teleprompter
- unicorn
- weather_service