Difference between revisions of "Logitech Revue Technical"

From Exploitee.rs
Jump to navigationJump to search
 
(57 intermediate revisions by 11 users not shown)
Line 1: Line 1:
== Specs ==
{{Revue toc Inline}}
*Intel Atom CE4150 1.2 GHz processor, with a 400 MHz GPU 
*Gigabyte GA-SBKAN2 motherboard
*Samsung K9F8G08U0M 1 GB NAND Flash (Single Level Cell) [http://www.samsung.com/global/system/business/semiconductor/product/2007/6/11/NANDFlash/SLC_LargeBlock/8Gbit/K9F8G08U0M/ds_k9f8g08x0m_rev10.pdf Datasheet] [http://zenosec.com/gtv/revue/ds_k9f8g08x0m_rev10.pdf Mirror]
*Hynix H27UBG8T2ATR 4 GB NAND Flash (Multiple Level Cell)
*Silicon Image Sil9135 HDMI 1.3 Receiver [http://dl.dropbox.com/u/217678/Silicon%20Image%20Sil9135%20Info.pdf  Chip Information] [http://focus.tij.co.jp/jp/lit/an/spraav4/spraav4.pdf Datasheet from TI]
*Nanya NT5CB128M8CN-CG 1 GB DDR3 SDRAM (1 Gb X 8) [http://dl.dropbox.com/u/217678/NTC-DDR3-1G-C-V58B-12-12-5.pdf Datasheet]
*Realtek Semiconductor RTL8201N 10/100M PHYceiver [http://realtek.info/pdf/RTL8201N_1-1.pdf Datasheet]
*Microchip PIC24FJ64GA004-I/PT 16-bit microcontroller [http://ww1.microchip.com/downloads/en/DeviceDoc/39881c.pdf Datasheet]
*Phison S2251-50 USB to Flash Controller (Datasheet not available to end users according to manufacture)
*IDT ICS9LPRS525AGLF Clock for CPU [http://dl.dropbox.com/u/217678/9LPRS525.pdf Datasheet]
 
The Logitech Revue was recently torndown and its [http://www.ifixit.com/Teardown/Logitech-Revue-Teardown/3788/1 inners revealed].
Direct link to the higher resolution picture of the [http://guide-images.ifixit.net/igi/5jWUcNNOrDvXZqEy.huge motherboard].
 
SemiAccurate has a populated board similar to the one in the Revue: http://www.semiaccurate.com/2010/06/04/gigabyte-has-google-tv-ready-motherboard/
 
== Usage ==
Samsung K9F8G08U0M 1 GB NAND Flash
*Used for storage of bootloader, kernel, boot flash graphics, Linux OS etc..
 
Hynix H27UBG8T2ATR 4 GB NAND Flash (Long Term Storage)
*Used for persistent storage, device is /dev/sda - possible to override with an external USB drive
 
Microchip PIC24FJ64GA004-I/PT 16-bit microcontroller
*Used to handle IR input/output for remotes/IR blasters and possible interface with wireless keyboard
*System reboot/powerdown
*Possibly HDMI CEC
 
Silicon Image Sil9135 HDMI 1.3 Receiver
*Used to process video to and from HDMI ports as well as audio over HDMI and SPDIF
*Supports DTS even though the Revue does not (An update can probably enable this feature)
 
IDT ICS9LPRS525AGLF Clock for CPU
*Provides a clock for the Intel Atom CPU


== Update Procedure ==
== Update Procedure ==


Place new update labeled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")  
Place new update labelled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")  


Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)
Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)


Boot into recovery mode: (confirm?)
Boot into recovery mode:


#Hold the Sync button while plugging in the Revue, keep it held, at the same time hold Menu+L on the keyboard.
#Plug in the box, once the fan goes low, hold the sync button. Box should reboot, keep the sync button held until image on screen.
#Box will reboot, continue to hold Sync button, then hold Alt+L (or mash, your choice), and it should then enter recovery mode.
#Once you see the Arrow on your screen, using your keyboard press Alt+L - usually once or twice until Formatting DATA: shows on the screen, and does not go away ('''Note: The key combination has changed for updates after b42732''')
#You can then update the box, with a newer update. Downgrading fails however due to a date check.
#You can then update the box, with a newer update. Downgrading fails however due to a date check.


== Firmware Links ==
== Firmware Links ==


http://android.clients.google.com/packages/ota/logitech_ka/439c26f6af05.mp-signed-ota_update-b39389.zip
*http://android.clients.google.com/packages/ota/logitech_ka/439c26f6af05.mp-signed-ota_update-b39389.zip
*http://android.clients.google.com/packages/ota/logitech_ka/52057d168e2b.mp-signed-ota_update-b39953.zip
*http://android.clients.google.com/packages/ota/logitech_ka/c9914396d183.mp-signed-ota_update-b42449.zip
*http://android.clients.google.com/packages/ota/logitech_ka/9504d579bade.mp-signed-ota_update-b42732.zip
*http://android.clients.google.com/packages/ota/logitech_ka/d0d70a7753a8.mp-signed-ota_update-b47773.zip
*http://android.clients.google.com/packages/ota/logitech_ka/4d9b9425b17f.mp-signed-ota_update-b49116.zip
*http://android.clients.google.com/packages/ota/logitech_ka/f008beb34df8.mp-signed-ota_update-b51795.zip
*http://android.clients.google.com/packages/ota/logitech_ka/0454e41c9583.mp-signed-ota_update-b65871_relapks.zip
 
== Kernel Revisions ==
For details of the Revue kernel, refer to [[Logitech Revue Kernel]]


http://android.clients.google.com/packages/ota/logitech_ka/52057d168e2b.mp-signed-ota_update-b39953.zip
*Initial kernel observed on the Revue (?): 2.6.23.18-gc0a9a5fb (richard@sayan) (gcc version 4.1.2) #3 PREEMPT Sat Jul 31 15:32:56 PDT 2010
*439c26f6af05.mp-signed-ota_update-b39389: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
*52057d168e2b.mp-signed-ota_update-b39953: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
*c9914396d183.mp-signed-ota_update-b42449: 2.6.23.18-g5bba1a13 (sameer@sayan) #24 PREEMPT Fri Nov 19 11:13:31 PST 2010


http://android.clients.google.com/packages/ota/logitech_ka/c9914396d183.mp-signed-ota_update-b42449.zip
== SDK/Toolchain Support ==


(Add update history?)
The [http://googletv-mirrored-source.googlecode.com/hg/intel-sdk/intel-sdk-toolchain.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 Intel SDK Toolchain] is available as part of Google's GPL release for the Google TV.  The toolchain is required to compile code to run on the Linux operating system of the Logitech Revue. (Sony devices as well as other future devices are most likely also compatible with this toolchain but since we don't have these products to root we don't know yet.)


== Flash Layout ==
We have not yet documented a complete list of required dependencies but here are a few packages which might come in handy:
*texinfo (we encountered some issues with certain supposedly supported versions of makeinfo but updating texinfo resolved this on most systems)
*flex
*bison
*awk
*patch
*gcc et al
*build-essential (Ubuntu)


via: http://googletv.pastebin.com/233dZqZx
To simplify the toolchain setup, craigdroid created [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip this script] which simplifies the process of configuring a build system.  After preparing the toolchain you will want to run the following commands (which are demo'd in the script) to establish your environment:
<pre>
export CROSS_COMPILE=i686-linux-cm-
export LD_LIBRARY_PATH=~/googletv/sdk/i686-linux-elf/lib
export PATH=$PATH:~/googletv/sdk/i686-linux-elf/bin/
</pre>


== NDK Support ==


Creating 13 MTD partitions on "intel_ce_nand":
Although at present Google has not released a proper NDK for the platform, the Exploitee.rs team have combined the Intel SDK Toolchain from the [http://code.google.com/p/googletv-mirrored-source/ Google TV Mirrored Source site] with the work of the [http://www.android-x86.org/ Android x86] project to provide unofficial support in the interim.
*0x00000000-0x00200000 : "mbr"
*0x00200000-0x00a00000 : "cefdk"
*0x00a00000-0x00c00000 : "redboot"
*0x00c00000-0x00e00000 : "cefdk-config"
*0x01000000-0x01800000 : "splash"
*0x01800000-0x01900000 : "fts"
*0x01900000-0x02d00000 : "recovery"
*0x02d00000-0x03200000 : "kernel"
*0x03200000-0x07200000 : "boot"
*0x07200000-0x1f200000 : "system"
*0x1f200000-0x3fa00000 : "data"
*0x3fa00000-0x3ff00000 : "keystore"
*0x3ff00000-0x40000000 : "bbt"


mbr - Master Boot Record
The entire process of setting up unofficial NDK support has been simplified into an [http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip easy to use script] by craigdroid.  The script has been tested on a few of our systems running CentOS 5.4 32-bit, as well as 32-bit and 64-bit editions of Ubuntu. 


cefdk - Boot loader, may or may not have a shell
Since this is building the Intel toolchain automatically all of the caveats regarding the Intel SDK Toolchain apply here as well.


Splash - Splash image, can be seen here ( http://img413.imageshack.us/img413/3144/splashc.png )
To automatically download, build and configure NDK support first save yourself some time and check the dependencies list in the SDK/Toolchain Support section and then from any users shell:
<pre>
wget http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip && unzip gtvhacker-NDK-installer.zip && ./gtvhacker-NDK-installer.sh
</pre>


Recovery - Full image, including kernel and small ramdisk (in squashfs format), boots to recovery menu
'''Update''' This script no longer works as is please edit the line


Kernel - The kernel image
wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://googletv-mirrored-source.googlecode.com/hg/intel-sdk/intel-sdk-toolchain.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93


Boot - Root partition, goes in hand with the kernel image, also in squashfs format
to


fts - Flash transactional key/value storage
wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://v1.googletv-mirrored-source.googlecode.com/hg-history/v1/intel-sdk/intel-sdk-toolchain.tar.bz2


bbt - Bad block table
This will install the NDK to ~/googletv/ndk/ for the current user.  Some guidance on how to use the NDK is provided upon completion of successful script execution.


system - yaffs
== Flash Hard Drive ==


data - yaffs
The Revue has an internal hard drive stored on an sdram chip (flash memory).  It contains the complete file system for the Revue as well as the user data (if their is not external storage provided).  More information about the layout of this file system can be found [[ GTV_FileSystem | File System Details.]]


== Serial Output ==
== Serial Output ==
Line 116: Line 98:


[http://googletv.pastebin.com/PBWRCAqB PIC Hex Dump] [[Local PIC Hex Dump]]
[http://googletv.pastebin.com/PBWRCAqB PIC Hex Dump] [[Local PIC Hex Dump]]
[http://dl.dropbox.com/u/217678/Bootloader%20from%20PIC.TXT PIC Disassembly]


== Updates ==
== Updates ==
The updates contain a subset of update files, a boot.img and a recovery.img
The updates contain a full set of system files (changed and unchanged), including a boot.img and a recovery.img


'''boot.img'''
'''boot.img'''
Line 137: Line 121:


The .odex files can be extracted by using the following guide [http://code.google.com/p/smali/wiki/DeodexInstructions Deodex Instructions]
The .odex files can be extracted by using the following guide [http://code.google.com/p/smali/wiki/DeodexInstructions Deodex Instructions]
== Open Ports ==
List nmap ports
Normal Mode, hooked to a Dish Network DVR (622) via WiFi:
*Nmap scan report for LogitechRevue (192.168.1.142)
*Host is up (0.060s latency).
*Not shown: 65528 closed ports
*PORT      STATE SERVICE
*53/tcp    open  domain
*1100/tcp  open  unknown
*5222/tcp  open  unknown -- [http://xmpp.org/ Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)]
*5223/tcp  open  unknown -- SSL port for [http://xmpp.org/ XMPP]
*9551/tcp  open  unknown -- [[AnyMote]] Pairing Service through IpRemoteControlService -- SSL handshake requests cert and logs show errors from [[AnyMote]]
*9552/tcp  open  unknown -- [[AnyMote]] Connection Port
*35832/tcp open  unknown
Also of course, with root - port 5555, for ADB!


== Available Pinouts ==
== Available Pinouts ==
*UART1 --> [http://i.imgur.com/xJHay.jpg UART Pinout]
*UART1 --> Console (Bottom left = +3v3, Bottom right = interface TX, Top left = interface RX, Top right = GND) [http://i.imgur.com/xJHay.jpg UART Pinout]
*J3 --> PIC Chip Access
*J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
*SW1 --> Push Button Switch (Use is unknown)
*J4 --> Fan (Pin 1 = GND, Pin 2 = VCC +5v, Pins 3-4 = Sense/Control)
*J20 --> I2C (Top left - GND Top right - ? Bottom left - SDA Bottom right - SCL)
*J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
*J69 --> USB Pinout
*J20 --> I2C (Top left = GND, Top right = ?, Bottom left = SDA, Bottom right = SCL), I2C lines are also on XDP1 reachable, lines are without pullups and no activity is visible
*J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
*J66 --> (Pin1 = +3V3, Pin2 = IR-reciever to PIC PIN41, Pin3 = GND, Pin4 = D7 LED(green) to PIC PIN2, Pin6 = GND, Pin7 = D8 LED(green) to PIC PIN38, Pin8 = GND, Pin9 = IR-leds to PIC PIN37, Pin10 = 12V) Numbered from bottom left
*J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board. [http://www.chrispix.com/googleTV.jpg IMG]
*J68 --> USB (Pin 1 = VCC +5v, Pin 4 = GND, Pin 5 = NC) to WiFi module
*J69 --> USB Pinout like J67
*SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
*SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
*J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
*SW1 --> Unknown Push Button Switch (Facing button, left = GND, right = ?)
*J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
*SW2 --> Sync Push Button Switch (Facing button, left = GND, right = GPIO somewhere?)
*XDP1 --> Intel XDP Debug Adapter [http://software.intel.com/sites/products/documentation/hpc/atom/application/device_driver_debugging.pdf Information on XDP Debugging] [ftp://download.intel.com/design/Pentium4/guides/31337301.pdf Page 23 Pinout]
*XDP1 --> Intel XDP Debug Adapter [http://software.intel.com/sites/products/documentation/hpc/atom/application/device_driver_debugging.pdf Information on XDP Debugging] [ftp://download.intel.com/design/Pentium4/guides/31337301.pdf Page 23 Pinout]
*Samsung K9F8G08U0M Alternative [http://Exploitee.rs/index.php/File:Revue-NAND-Alt.jpg Pin-out]
== Volume Management Configuration ==
Similar to other android based products, external storage can be attached and the device will attempt to mount it to /sdcard as per the following vold.conf:
<pre>
volume_sdcard {
    # NOTE: This path is overbroad and will capture any device on the
    # tatung3/tatung4 external PCI bus.  This needs to be fixed, in conjunction
    # with vold changes to handle logical device names (DEVPATH names are not
    # static, unfortunately.)
    media_path    /devices/pci0000:00/0000:00:01.0/0000:01:0d.1/usb2/
    media_type    scsi
    mount_point    /sdcard
    read_only      true
}
</pre>
Note the interesting comment about the media_path as well as the read_only=true attribute.
== I2C Busses ==
=== HDMI out ===
traffic observed
=== XDP & J20 ===
No pull-up is present so no members can assert traffic.
=== IDT 6V49061 (another programmable multi-output clock?) ===
Pin 43 = CLK, Pin 42 = SDA
Found devices at:
0xD4(0x6A W) 0xD5(0x6A R)
Brief register description in /etc/platform_config/ce4100/platform_config.hcfg line 73
=== IDT ICS9LPRS525AGLF (CK505) & Silicon Image Sil9135 [http://www.ti.com/general/docs/lit/getliterature.tsp?baseLiteratureNumber=SPRUER0&track=no TI I2C Datasheet] ===
Found devices at:
0x60(0x30 W) 0x61(0x30 R) 0x68(0x34 W) 0x69(0x34 R) 0xD2(0x69 W) 0xD3(0x69 R)
0x30 - The following 256 byte read comes from 0x61 after writing a single data byte (0x00) to 0x60.  The Bus Pirate command is [0x60,0x00[0x61,r:256] with output reformatted here:
<pre>
0000000: 0100 3591 0400 0000 0480 3400 0000 0000  ..5.......4.....
0000010: 0000 0000 0000 0000 0000 b4d3 f514 c4ff  ................
0000020: ffff ffff ffff ffbf 7fff ffff ffff 8000  ................
0000030: 0000 0000 0000 0001 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: e001 230a 0100 0001 0000 0000 0000 0000  ..#.............
0000060: 0000 03e4 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0006 0000 0100 0000  ................
0000080: 0020 083a 5a3a 3a3a 9a36 0001 0400 0000  . .:Z:::.6......
0000090: 0000 0000 00da 0002 0aba dafa 0060 0000  .............`..
00000a0: 0022 0755 0000 0000 0000 0000 0000 0000  .".U............
00000b0: 0000 0000 0000 0000 0000 0000 0101 01ff  ................
00000c0: ff01 0001 0001 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 1000 0000 0000 0000 0001  ................
00000e0: 2345 6789 abcd effe dcba 9876 5432 10f0  #Eg........vT2..
00000f0: e1d2 c300 0000 0000 0001 0000 0000 0000  ................
</pre>
0x34 - The following 256 byte read comes from 0x69 after writing a single data byte (0x00) to 0x68.  The Bus Pirate command is [0x68,0x00[0x69,r:256] with output reformatted here:
<pre>
0000000: 0000 5200 0000 000c 0000 0000 683c 0100  ..R.........h<..
0000010: 3000 060f 0000 0011 0c00 001c 3005 0005  0...........0...
0000020: 0715 17ff 7f00 4001 e418 0000 0002 0200  ......@.........
0000030: 010b 0000 0006 0000 0c00 0002 0101 c7ed  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0083  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0085  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0004  ................
</pre>
0x69 (CK505) initialization on boot looks something like:
<pre>
[0xD2+0x02+][0xD3+0x1A+][0xD2+0x02+0x05][0xD2+0x00+0x01+]
</pre>
Later in boot, some jumbled traffic is observed, but the target seen here does not ACK scans or explicit requests matching the sniffed traffic.
<pre>
[0xA0+0x00-0xA1+0x00-0xFD-0xFB-0xF7-0xEF-0xDF-0x80+0x35-[0x5A+0xA4+0x00+0x00+0x00+0x00+0x00+0x85+0x00-[0x03+]
</pre>
=== Microchip PIC24FJ64GA004 ===
No traffic recognizable via Bus Pirate
[[Category:Logitech Revue]]
[[Category:Logitech Revue|Technical]]

Latest revision as of 10:48, 31 December 2014

Update Procedure

Place new update labelled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")

Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)

Boot into recovery mode:

  1. Plug in the box, once the fan goes low, hold the sync button. Box should reboot, keep the sync button held until image on screen.
  2. Once you see the Arrow on your screen, using your keyboard press Alt+L - usually once or twice until Formatting DATA: shows on the screen, and does not go away (Note: The key combination has changed for updates after b42732)
  3. You can then update the box, with a newer update. Downgrading fails however due to a date check.

Firmware Links

Kernel Revisions

For details of the Revue kernel, refer to Logitech Revue Kernel

  • Initial kernel observed on the Revue (?): 2.6.23.18-gc0a9a5fb (richard@sayan) (gcc version 4.1.2) #3 PREEMPT Sat Jul 31 15:32:56 PDT 2010
  • 439c26f6af05.mp-signed-ota_update-b39389: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • 52057d168e2b.mp-signed-ota_update-b39953: 2.6.23.18-g5fd8f46f (richard@mtdoom) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • c9914396d183.mp-signed-ota_update-b42449: 2.6.23.18-g5bba1a13 (sameer@sayan) #24 PREEMPT Fri Nov 19 11:13:31 PST 2010

SDK/Toolchain Support

The Intel SDK Toolchain is available as part of Google's GPL release for the Google TV. The toolchain is required to compile code to run on the Linux operating system of the Logitech Revue. (Sony devices as well as other future devices are most likely also compatible with this toolchain but since we don't have these products to root we don't know yet.)

We have not yet documented a complete list of required dependencies but here are a few packages which might come in handy:

  • texinfo (we encountered some issues with certain supposedly supported versions of makeinfo but updating texinfo resolved this on most systems)
  • flex
  • bison
  • awk
  • patch
  • gcc et al
  • build-essential (Ubuntu)

To simplify the toolchain setup, craigdroid created this script which simplifies the process of configuring a build system. After preparing the toolchain you will want to run the following commands (which are demo'd in the script) to establish your environment:

export CROSS_COMPILE=i686-linux-cm-
export LD_LIBRARY_PATH=~/googletv/sdk/i686-linux-elf/lib
export PATH=$PATH:~/googletv/sdk/i686-linux-elf/bin/

NDK Support

Although at present Google has not released a proper NDK for the platform, the Exploitee.rs team have combined the Intel SDK Toolchain from the Google TV Mirrored Source site with the work of the Android x86 project to provide unofficial support in the interim.

The entire process of setting up unofficial NDK support has been simplified into an easy to use script by craigdroid. The script has been tested on a few of our systems running CentOS 5.4 32-bit, as well as 32-bit and 64-bit editions of Ubuntu.

Since this is building the Intel toolchain automatically all of the caveats regarding the Intel SDK Toolchain apply here as well.

To automatically download, build and configure NDK support first save yourself some time and check the dependencies list in the SDK/Toolchain Support section and then from any users shell:

wget http://dl.dropbox.com/u/1886948/gtvhacker-NDK-installer.zip && unzip gtvhacker-NDK-installer.zip && ./gtvhacker-NDK-installer.sh

Update This script no longer works as is please edit the line

wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://googletv-mirrored-source.googlecode.com/hg/intel-sdk/intel-sdk-toolchain.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93

to

wget -O ~/googletv/sdk/intel-sdk-toolchain.tar.bz2 http://v1.googletv-mirrored-source.googlecode.com/hg-history/v1/intel-sdk/intel-sdk-toolchain.tar.bz2

This will install the NDK to ~/googletv/ndk/ for the current user. Some guidance on how to use the NDK is provided upon completion of successful script execution.

Flash Hard Drive

The Revue has an internal hard drive stored on an sdram chip (flash memory). It contains the complete file system for the Revue as well as the user data (if their is not external storage provided). More information about the layout of this file system can be found File System Details.

Serial Output

The logitech revue board contains a UART1 port on the front of the board which before receiving the boxes initial updates is active. In order to communicate with UART port you will need a USB to TTL adapter (or board that does a similar conversion).

The pins operate at 3.3v and the port at 9600 baud with the following pinout:

UART Pinout

Serial output

via: http://googletv.pastebin.com/233dZqZx Pasted Locally

PIC Access

  • There is a standard PIC access port to the right of the UART1 port. It can be accessed via a standard PIC Kit Debug board (Tested with version 2). The port has read/write access but the code is pulled from the chip as .hex file and is unreadable thus far.
  • The pinout starting from the left (pin with white square around it) corresponds to pin 1 or Vpp.The remaining pins follow the same layout. PIC Pinout

PIC Hex Dump Local PIC Hex Dump

PIC Disassembly

Updates

The updates contain a full set of system files (changed and unchanged), including a boot.img and a recovery.img

boot.img

The thread at xda-developer has the process to extract from the .img files (thx bftb0):

"the "boot.img" file is in (little-endian) "squashfs" format and unpacks just fine using "unsquashfs" from the (Ubuntu 8.0.04 LTS) squashfs-tools package."

recovery.img

system/boot/recovery.img is a standard Android boot image with some extra garbage (0x580 bytes) at the front. Remove it like so:

 dd if=system/boot/recovery.img bs=1408 skip=1 > recovery-ungarbaged.img

Unpack that like a normal Android boot image. Something like this Perl script works well.

The kernel (system/boot/kernel) is also a boot image with the same extra garbage at the front.

Odex files

The .odex files can be extracted by using the following guide Deodex Instructions

Open Ports

List nmap ports

Normal Mode, hooked to a Dish Network DVR (622) via WiFi:

  • Nmap scan report for LogitechRevue (192.168.1.142)
  • Host is up (0.060s latency).
  • Not shown: 65528 closed ports
  • PORT STATE SERVICE
  • 53/tcp open domain
  • 1100/tcp open unknown
  • 5222/tcp open unknown -- Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)
  • 5223/tcp open unknown -- SSL port for XMPP
  • 9551/tcp open unknown -- AnyMote Pairing Service through IpRemoteControlService -- SSL handshake requests cert and logs show errors from AnyMote
  • 9552/tcp open unknown -- AnyMote Connection Port
  • 35832/tcp open unknown

Also of course, with root - port 5555, for ADB!

Available Pinouts

  • UART1 --> Console (Bottom left = +3v3, Bottom right = interface TX, Top left = interface RX, Top right = GND) UART Pinout
  • J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
  • J4 --> Fan (Pin 1 = GND, Pin 2 = VCC +5v, Pins 3-4 = Sense/Control)
  • J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
  • J20 --> I2C (Top left = GND, Top right = ?, Bottom left = SDA, Bottom right = SCL), I2C lines are also on XDP1 reachable, lines are without pullups and no activity is visible
  • J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
  • J66 --> (Pin1 = +3V3, Pin2 = IR-reciever to PIC PIN41, Pin3 = GND, Pin4 = D7 LED(green) to PIC PIN2, Pin6 = GND, Pin7 = D8 LED(green) to PIC PIN38, Pin8 = GND, Pin9 = IR-leds to PIC PIN37, Pin10 = 12V) Numbered from bottom left
  • J67 --> USB (Pin 1 = GND, Pin 2 = D-, Pin 3 = D+, Pin 4 = FREE, Pin 5 = VCC +5V) used for RF daughter board. IMG
  • J68 --> USB (Pin 1 = VCC +5v, Pin 4 = GND, Pin 5 = NC) to WiFi module
  • J69 --> USB Pinout like J67
  • SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
  • SW1 --> Unknown Push Button Switch (Facing button, left = GND, right = ?)
  • SW2 --> Sync Push Button Switch (Facing button, left = GND, right = GPIO somewhere?)
  • XDP1 --> Intel XDP Debug Adapter Information on XDP Debugging Page 23 Pinout
  • Samsung K9F8G08U0M Alternative Pin-out

Volume Management Configuration

Similar to other android based products, external storage can be attached and the device will attempt to mount it to /sdcard as per the following vold.conf:

volume_sdcard {
    # NOTE: This path is overbroad and will capture any device on the
    # tatung3/tatung4 external PCI bus.  This needs to be fixed, in conjunction
    # with vold changes to handle logical device names (DEVPATH names are not
    # static, unfortunately.)
    media_path     /devices/pci0000:00/0000:00:01.0/0000:01:0d.1/usb2/
    media_type     scsi
    mount_point    /sdcard
    read_only      true
}

Note the interesting comment about the media_path as well as the read_only=true attribute.

I2C Busses

HDMI out

traffic observed

XDP & J20

No pull-up is present so no members can assert traffic.

IDT 6V49061 (another programmable multi-output clock?)

Pin 43 = CLK, Pin 42 = SDA

Found devices at: 0xD4(0x6A W) 0xD5(0x6A R)

Brief register description in /etc/platform_config/ce4100/platform_config.hcfg line 73

IDT ICS9LPRS525AGLF (CK505) & Silicon Image Sil9135 TI I2C Datasheet

Found devices at: 0x60(0x30 W) 0x61(0x30 R) 0x68(0x34 W) 0x69(0x34 R) 0xD2(0x69 W) 0xD3(0x69 R)

0x30 - The following 256 byte read comes from 0x61 after writing a single data byte (0x00) to 0x60. The Bus Pirate command is [0x60,0x00[0x61,r:256] with output reformatted here:

0000000: 0100 3591 0400 0000 0480 3400 0000 0000  ..5.......4.....
0000010: 0000 0000 0000 0000 0000 b4d3 f514 c4ff  ................
0000020: ffff ffff ffff ffbf 7fff ffff ffff 8000  ................
0000030: 0000 0000 0000 0001 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: e001 230a 0100 0001 0000 0000 0000 0000  ..#.............
0000060: 0000 03e4 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0006 0000 0100 0000  ................
0000080: 0020 083a 5a3a 3a3a 9a36 0001 0400 0000  . .:Z:::.6......
0000090: 0000 0000 00da 0002 0aba dafa 0060 0000  .............`..
00000a0: 0022 0755 0000 0000 0000 0000 0000 0000  .".U............
00000b0: 0000 0000 0000 0000 0000 0000 0101 01ff  ................
00000c0: ff01 0001 0001 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 1000 0000 0000 0000 0001  ................
00000e0: 2345 6789 abcd effe dcba 9876 5432 10f0  #Eg........vT2..
00000f0: e1d2 c300 0000 0000 0001 0000 0000 0000  ................

0x34 - The following 256 byte read comes from 0x69 after writing a single data byte (0x00) to 0x68. The Bus Pirate command is [0x68,0x00[0x69,r:256] with output reformatted here:

0000000: 0000 5200 0000 000c 0000 0000 683c 0100  ..R.........h<..
0000010: 3000 060f 0000 0011 0c00 001c 3005 0005  0...........0...
0000020: 0715 17ff 7f00 4001 e418 0000 0002 0200  ......@.........
0000030: 010b 0000 0006 0000 0c00 0002 0101 c7ed  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0083  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0085  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0004  ................

0x69 (CK505) initialization on boot looks something like:

[0xD2+0x02+][0xD3+0x1A+][0xD2+0x02+0x05][0xD2+0x00+0x01+]

Later in boot, some jumbled traffic is observed, but the target seen here does not ACK scans or explicit requests matching the sniffed traffic.

[0xA0+0x00-0xA1+0x00-0xFD-0xFB-0xF7-0xEF-0xDF-0x80+0x35-[0x5A+0xA4+0x00+0x00+0x00+0x00+0x00+0x85+0x00-[0x03+]

Microchip PIC24FJ64GA004

No traffic recognizable via Bus Pirate