Logitech Revue Technical

From Exploitee.rs
Jump to navigationJump to search

Update Procedure

Place new update labelled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")

Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)

Boot into recovery mode:

  1. Plug in the box, once the fan goes low, hold the sync button. Box should reboot, keep the sync button held until image on screen.
  2. Once you see the Arrow on your screen, using your keyboard press Alt+L - usually once or twice until Formatting DATA: shows on the screen, and does not go away (Note: The key combination has changed for updates after b42732)
  3. You can then update the box, with a newer update. Downgrading fails however due to a date check.

Firmware Links

Kernel Revisions

For details of the Revue kernel, refer to Logitech Revue Kernel

  • Initial kernel observed on the Revue (?): 2.6.23.18-gc0a9a5fb (richard@sayan) (gcc version 4.1.2) #3 PREEMPT Sat Jul 31 15:32:56 PDT 2010
  • 439c26f6af05.mp-signed-ota_update-b39389: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • 52057d168e2b.mp-signed-ota_update-b39953: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • c9914396d183.mp-signed-ota_update-b42449: 2.6.23.18-g5bba1a13 (sameer@sayan) #24 PREEMPT Fri Nov 19 11:13:31 PST 2010

SDK/Toolchain Support

The Intel SDK Toolchain is available as part of Google's GPL release for the Google TV. The toolchain is required to compile code to run on the Linux operating system of the Logitech Revue. (Sony devices as well as other future devices are most likely also compatible with this toolchain but since we don't have these products to root we don't know yet.)

We have not yet documented a complete list of required dependencies but here are a few packages which might come in handy:

  • texinfo (we encountered some issues with certain supposedly supported versions of makeinfo but updating texinfo resolved this on most systems)
  • flex
  • bison
  • awk
  • patch
  • gcc et al
  • build-essential (Ubuntu)

To simplify the toolchain setup, craigdroid created this script which simplifies the process of configuring a build system. After preparing the toolchain you will want to run the following commands (which are demo'd in the script) to establish your environment:

export CROSS_COMPILE=i686-linux-cm-
export LD_LIBRARY_PATH=~/googletv/sdk/i686-linux-elf/lib
export PATH=$PATH:~/googletv/sdk/i686-linux-elf/bin/

NDK Support

Although at present Google has not released a proper NDK for the platform, the Exploitee.rs team have combined the Intel SDK Toolchain from the Google TV Mirrored Source site with the work of the Android x86 project to provide unofficial support in the interim.

The entire process of setting up unofficial NDK support has been simplified into an easy to use script by craigdroid. The script has been tested on a few of our systems running CentOS 5.4 32-bit, as well as 32-bit and 64-bit editions of Ubuntu.

Since this is building the Intel toolchain automatically all of the caveats regarding the Intel SDK Toolchain apply here as well.

To automatically download, build and configure NDK support first save yourself some time and check the dependencies list in the SDK/Toolchain Support section and then from any users shell:

wget http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip && unzip gtvhacker-NDK-installer.zip && ./gtvhacker-NDK-installer.sh

Update This script no longer works as is please edit the line

wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://googletv-mirrored-source.googlecode.com/hg/intel-sdk/intel-sdk-toolchain.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93

to

wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://v1.googletv-mirrored-source.googlecode.com/hg-history/v1/intel-sdk/intel-sdk-toolchain.tar.bz2

This will install the NDK to ~/googletv/ndk/ for the current user. Some guidance on how to use the NDK is provided upon completion of successful script execution.

Flash Hard Drive

The Revue has an internal hard drive stored on an sdram chip (flash memory). It contains the complete file system for the Revue as well as the user data (if their is not external storage provided). More information about the layout of this file system can be found File System Details.

Serial Output

The logitech revue board contains a UART1 port on the front of the board which before receiving the boxes initial updates is active. In order to communicate with UART port you will need a USB to TTL adapter (or board that does a similar conversion).

The pins operate at 3.3v and the port at 9600 baud with the following pinout:

UART Pinout

Serial output

via: http://googletv.pastebin.com/233dZqZx Pasted Locally

PIC Access

  • There is a standard PIC access port to the right of the UART1 port. It can be accessed via a standard PIC Kit Debug board (Tested with version 2). The port has read/write access but the code is pulled from the chip as .hex file and is unreadable thus far.
  • The pinout starting from the left (pin with white square around it) corresponds to pin 1 or Vpp.The remaining pins follow the same layout. PIC Pinout

PIC Hex Dump Local PIC Hex Dump

PIC Disassembly

Updates

The updates contain a full set of system files (changed and unchanged), including a boot.img and a recovery.img

boot.img

The thread at xda-developer has the process to extract from the .img files (thx bftb0):

"the "boot.img" file is in (little-endian) "squashfs" format and unpacks just fine using "unsquashfs" from the (Ubuntu 8.0.04 LTS) squashfs-tools package."

recovery.img

system/boot/recovery.img is a standard Android boot image with some extra garbage (0x580 bytes) at the front. Remove it like so:

 dd if=system/boot/recovery.img bs=1408 skip=1 > recovery-ungarbaged.img

Unpack that like a normal Android boot image. Something like this Perl script works well.

The kernel (system/boot/kernel) is also a boot image with the same extra garbage at the front.

Odex files

The .odex files can be extracted by using the following guide Deodex Instructions

Open Ports

List nmap ports

Normal Mode, hooked to a Dish Network DVR (622) via WiFi:

  • Nmap scan report for LogitechRevue (192.168.1.142)
  • Host is up (0.060s latency).
  • Not shown: 65528 closed ports
  • PORT STATE SERVICE
  • 53/tcp open domain
  • 1100/tcp open unknown
  • 5222/tcp open unknown -- Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)
  • 5223/tcp open unknown -- SSL port for XMPP
  • 9551/tcp open unknown -- AnyMote Pairing Service through IpRemoteControlService -- SSL handshake requests cert and logs show errors from AnyMote
  • 9552/tcp open unknown -- AnyMote Connection Port
  • 35832/tcp open unknown

Also of course, with root - port 5555, for ADB!

Available Pinouts

  • UART1 --> Console (Bottom left = +3v3, Bottom right = interface TX, Top left = interface RX, Top right = GND) UART Pinout
  • J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
  • J4 --> Fan (Pin 1 = GND, Pin 2 = VCC +5v, Pins 3-4 = Sense/Control)
  • J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
  • J20 --> I2C (Top left = GND, Top right = ?, Bottom left = SDA, Bottom right = SCL), I2C lines are also on XDP1 reachable, lines are without pullups and no activity is visible
  • J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
  • J66 --> (Pin1 = +3V3, Pin2 = IR-reciever to PIC PIN41, Pin3 = GND, Pin4 = D7 LED(green) to PIC PIN2, Pin6 = GND, Pin7 = D8 LED(green) to PIC PIN38, Pin8 = GND, Pin9 = IR-leds to PIC PIN37, Pin10 = 12V) Numbered from bottom left
  • J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board. IMG
  • J68 --> USB (Pin 1 = VCC +5v, Pin 4 = GND, Pin 5 = NC) to WiFi module
  • J69 --> USB Pinout like J67
  • SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
  • SW1 --> Unknown Push Button Switch (Facing button, left = GND, right = ?)
  • SW2 --> Sync Push Button Switch (Facing button, left = GND, right = GPIO somewhere?)
  • XDP1 --> Intel XDP Debug Adapter Information on XDP Debugging Page 23 Pinout
  • Samsung K9F8G08U0M Alternative Pin-out

Volume Management Configuration

Similar to other android based products, external storage can be attached and the device will attempt to mount it to /sdcard as per the following vold.conf:

volume_sdcard {
    # NOTE: This path is overbroad and will capture any device on the
    # tatung3/tatung4 external PCI bus.  This needs to be fixed, in conjunction
    # with vold changes to handle logical device names (DEVPATH names are not
    # static, unfortunately.)
    media_path     /devices/pci0000:00/0000:00:01.0/0000:01:0d.1/usb2/
    media_type     scsi
    mount_point    /sdcard
    read_only      true
}

Note the interesting comment about the media_path as well as the read_only=true attribute.

I2C Busses

HDMI out

traffic observed

XDP & J20

No pull-up is present so no members can assert traffic.

IDT 6V49061 (another programmable multi-output clock?)

Pin 43 = CLK, Pin 42 = SDA

Found devices at: 0xD4(0x6A W) 0xD5(0x6A R)

Brief register description in /etc/platform_config/ce4100/platform_config.hcfg line 73

IDT ICS9LPRS525AGLF (CK505) & Silicon Image Sil9135 TI I2C Datasheet

Found devices at: 0x60(0x30 W) 0x61(0x30 R) 0x68(0x34 W) 0x69(0x34 R) 0xD2(0x69 W) 0xD3(0x69 R)

0x30 - The following 256 byte read comes from 0x61 after writing a single data byte (0x00) to 0x60. The Bus Pirate command is [0x60,0x00[0x61,r:256] with output reformatted here:

0000000: 0100 3591 0400 0000 0480 3400 0000 0000  ..5.......4.....
0000010: 0000 0000 0000 0000 0000 b4d3 f514 c4ff  ................
0000020: ffff ffff ffff ffbf 7fff ffff ffff 8000  ................
0000030: 0000 0000 0000 0001 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: e001 230a 0100 0001 0000 0000 0000 0000  ..#.............
0000060: 0000 03e4 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0006 0000 0100 0000  ................
0000080: 0020 083a 5a3a 3a3a 9a36 0001 0400 0000  . .:Z:::.6......
0000090: 0000 0000 00da 0002 0aba dafa 0060 0000  .............`..
00000a0: 0022 0755 0000 0000 0000 0000 0000 0000  .".U............
00000b0: 0000 0000 0000 0000 0000 0000 0101 01ff  ................
00000c0: ff01 0001 0001 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 1000 0000 0000 0000 0001  ................
00000e0: 2345 6789 abcd effe dcba 9876 5432 10f0  #Eg........vT2..
00000f0: e1d2 c300 0000 0000 0001 0000 0000 0000  ................

0x34 - The following 256 byte read comes from 0x69 after writing a single data byte (0x00) to 0x68. The Bus Pirate command is [0x68,0x00[0x69,r:256] with output reformatted here:

0000000: 0000 5200 0000 000c 0000 0000 683c 0100  ..R.........h<..
0000010: 3000 060f 0000 0011 0c00 001c 3005 0005  0...........0...
0000020: 0715 17ff 7f00 4001 e418 0000 0002 0200  ......@.........
0000030: 010b 0000 0006 0000 0c00 0002 0101 c7ed  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0083  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0085  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0004  ................

0x69 (CK505) initialization on boot looks something like:

[0xD2+0x02+][0xD3+0x1A+][0xD2+0x02+0x05][0xD2+0x00+0x01+]

Later in boot, some jumbled traffic is observed, but the target seen here does not ACK scans or explicit requests matching the sniffed traffic.

[0xA0+0x00-0xA1+0x00-0xFD-0xFB-0xF7-0xEF-0xDF-0x80+0x35-[0x5A+0xA4+0x00+0x00+0x00+0x00+0x00+0x85+0x00-[0x03+]

Microchip PIC24FJ64GA004

No traffic recognizable via Bus Pirate