Difference between revisions of "Logitech Revue Technical"

From Exploitee.rs
(Open Ports)
Line 119: Line 119:
 
*53/tcp    open  domain
 
*53/tcp    open  domain
 
*1100/tcp  open  unknown
 
*1100/tcp  open  unknown
*5222/tcp  open  unknown -- Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)
+
*5222/tcp  open  unknown -- [http://xmpp.org/ Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)]
*5223/tcp  open  unknown -- SSL port for XMPP
+
*5223/tcp  open  unknown -- SSL port for [http://xmpp.org/ XMPP]
*9551/tcp  open  unknown -- AnyMote Pairing Service? -- SSL handshake requests cert and logs show errors from AnyMote
+
*9551/tcp  open  unknown -- [[AnyMote]] Pairing Service? -- SSL handshake requests cert and logs show errors from [[AnyMote]]
*9552/tcp  open  unknown -- AnyMote Connection Port
+
*9552/tcp  open  unknown -- [[AnyMote]] Connection Port
 
*35832/tcp open  unknown
 
*35832/tcp open  unknown
  

Revision as of 22:03, 30 December 2010

Update Procedure

Place new update labeled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")

Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)

Boot into recovery mode: (confirm?)

  1. Hold the Sync button while plugging in the Revue, keep it held, at the same time hold Menu+L on the keyboard.
  2. Box will reboot, continue to hold Sync button, then hold Alt+L (or mash, your choice), and it should then enter recovery mode.
  3. You can then update the box, with a newer update. Downgrading fails however due to a date check.

Firmware Links

http://android.clients.google.com/packages/ota/logitech_ka/439c26f6af05.mp-signed-ota_update-b39389.zip

http://android.clients.google.com/packages/ota/logitech_ka/52057d168e2b.mp-signed-ota_update-b39953.zip

http://android.clients.google.com/packages/ota/logitech_ka/c9914396d183.mp-signed-ota_update-b42449.zip

(Add update history?)

Flash Layout

via: http://googletv.pastebin.com/233dZqZx


Creating 13 MTD partitions on "intel_ce_nand":

  • 0x00000000-0x00200000 : "mbr"
  • 0x00200000-0x00a00000 : "cefdk"
  • 0x00a00000-0x00c00000 : "redboot"
  • 0x00c00000-0x00e00000 : "cefdk-config"
  • 0x01000000-0x01800000 : "splash"
  • 0x01800000-0x01900000 : "fts"
  • 0x01900000-0x02d00000 : "recovery"
  • 0x02d00000-0x03200000 : "kernel"
  • 0x03200000-0x07200000 : "boot"
  • 0x07200000-0x1f200000 : "system"
  • 0x1f200000-0x3fa00000 : "data"
  • 0x3fa00000-0x3ff00000 : "keystore"
  • 0x3ff00000-0x40000000 : "bbt"

mbr - Master Boot Record

cefdk - Boot loader, may or may not have a shell

redboot - ?

cefdk-config - ?

Splash - Splash image, can be seen here ( http://img413.imageshack.us/img413/3144/splashc.png )

fts - Flash transactional key/value storage

Recovery - Full image, including kernel and small ramdisk (in squashfs format), boots to recovery menu

Kernel - The kernel image

Boot - Root partition, goes in hand with the kernel image, also in squashfs format

system - YAFFS

data - YAFFS

keystore - ?

bbt - Bad block table

Serial Output

The logitech revue board contains a UART1 port on the front of the board which before receiving the boxes initial updates is active. In order to communicate with UART port you will need a USB to TTL adapter (or board that does a similar conversion).

The pins operate at 3.3v and the port at 9600 baud with the following pinout:

UART Pinout

Serial output

via: http://googletv.pastebin.com/233dZqZx Pasted Locally

PIC Access

  • There is a standard PIC access port to the right of the UART1 port. It can be accessed via a standard PIC Kit Debug board (Tested with version 2). The port has read/write access but the code is pulled from the chip as .hex file and is unreadable thus far.
  • The pinout starting from the left (pin with white square around it) corresponds to pin 1 or Vpp.The remaining pins follow the same layout. PIC Pinout

PIC Hex Dump Local PIC Hex Dump

Updates

The updates contain a subset of update files, a boot.img and a recovery.img

boot.img

The thread at xda-developer has the process to extract from the .img files (thx bftb0):

"the "boot.img" file is in (little-endian) "squashfs" format and unpacks just fine using "unsquashfs" from the (Ubuntu 8.0.04 LTS) squashfs-tools package."

recovery.img

system/boot/recovery.img is a standard Android boot image with some extra garbage (0x580 bytes) at the front. Remove it like so:

 dd if=system/boot/recovery.img bs=1408 skip=1 > recovery-ungarbaged.img

Unpack that like a normal Android boot image. Something like this Perl script works well.

The kernel (system/boot/kernel) is also a boot image with the same extra garbage at the front.

Odex files

The .odex files can be extracted by using the following guide Deodex Instructions

Open Ports

List nmap ports

Normal Mode, hooked to a Dish Network DVR (622) via WiFi:

Available Pinouts

  • UART1 --> UART Pinout
  • J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
  • SW1 --> Push Button Switch (Use is unknown)
  • J20 --> I2C (Top left - GND Top right - ? Bottom left - SDA Bottom right - SCL)
  • J69 --> USB Pinout
  • SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
  • J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
  • J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
  • XDP1 --> Intel XDP Debug Adapter Information on XDP Debugging Page 23 Pinout