Logitech Revue Technical

From Exploitee.rs
Revision as of 16:20, 3 January 2011 by CJ (talk | contribs) (Update Procedure)

Update Procedure

Place new update labelled "update.zip" on a USB drive, with a single partition (ie, 1st partition on a USB disk, so say "/dev/sdc1")

Insert into Revue in the Right most USB port (if looking at the back, closest to the power jack)

Boot into recovery mode:

  1. Plug in the box, once the fan goes low, hold the sync button. Box should reboot, keep the sync button held until image on screen.
  2. Once you see the Arrow on your screen, using your keyboard press Alt+L - usually once or twice until Formatting DATA: shows on the screen, and does not go away
  3. You can then update the box, with a newer update. Downgrading fails however due to a date check.

Firmware Links

Kernel Revisions

  • Initial kernel observed on the Revue (?): 2.6.23.18-gc0a9a5fb ([email protected]) (gcc version 4.1.2) #3 PREEMPT Sat Jul 31 15:32:56 PDT 2010
  • 439c26f6af05.mp-signed-ota_update-b39389: 2.6.23.18-g5fd8f46f ([email protected]) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • 52057d168e2b.mp-signed-ota_update-b39953: 2.6.23.18-g5fd8f46f ([email protected]) #249 PREEMPT Tue Oct 5 09:55:20 BST 2010
  • c9914396d183.mp-signed-ota_update-b42449: 2.6.23.18-g5bba1a13 ([email protected]) #24 PREEMPT Fri Nov 19 11:13:31 PST 2010

Flash Layout

via: http://googletv.pastebin.com/233dZqZx


Creating 13 MTD partitions on "intel_ce_nand":

  • 0x00000000-0x00200000 : "mbr"
  • 0x00200000-0x00a00000 : "cefdk"
  • 0x00a00000-0x00c00000 : "redboot"
  • 0x00c00000-0x00e00000 : "cefdk-config"
  • 0x01000000-0x01800000 : "splash"
  • 0x01800000-0x01900000 : "fts"
  • 0x01900000-0x02d00000 : "recovery"
  • 0x02d00000-0x03200000 : "kernel"
  • 0x03200000-0x07200000 : "boot"
  • 0x07200000-0x1f200000 : "system"
  • 0x1f200000-0x3fa00000 : "data"
  • 0x3fa00000-0x3ff00000 : "keystore"
  • 0x3ff00000-0x40000000 : "bbt"

mbr - Master Boot Record

cefdk - Boot loader, may or may not have a shell

redboot - ?

cefdk-config - ?

Splash - Splash image, can be seen here ( http://img413.imageshack.us/img413/3144/splashc.png )

fts - Flash transactional key/value storage

Recovery - Full image, including kernel and small ramdisk (in squashfs format), boots to recovery menu

Kernel - The kernel image

Boot - Root partition, goes in hand with the kernel image, also in squashfs format

system - YAFFS

data - YAFFS

keystore - YAFFS

bbt - Bad block table

Serial Output

The logitech revue board contains a UART1 port on the front of the board which before receiving the boxes initial updates is active. In order to communicate with UART port you will need a USB to TTL adapter (or board that does a similar conversion).

The pins operate at 3.3v and the port at 9600 baud with the following pinout:

UART Pinout

Serial output

via: http://googletv.pastebin.com/233dZqZx Pasted Locally

PIC Access

  • There is a standard PIC access port to the right of the UART1 port. It can be accessed via a standard PIC Kit Debug board (Tested with version 2). The port has read/write access but the code is pulled from the chip as .hex file and is unreadable thus far.
  • The pinout starting from the left (pin with white square around it) corresponds to pin 1 or Vpp.The remaining pins follow the same layout. PIC Pinout

PIC Hex Dump Local PIC Hex Dump

Updates

The updates contain a subset of update files, a boot.img and a recovery.img

boot.img

The thread at xda-developer has the process to extract from the .img files (thx bftb0):

"the "boot.img" file is in (little-endian) "squashfs" format and unpacks just fine using "unsquashfs" from the (Ubuntu 8.0.04 LTS) squashfs-tools package."

recovery.img

system/boot/recovery.img is a standard Android boot image with some extra garbage (0x580 bytes) at the front. Remove it like so:

 dd if=system/boot/recovery.img bs=1408 skip=1 > recovery-ungarbaged.img

Unpack that like a normal Android boot image. Something like this Perl script works well.

The kernel (system/boot/kernel) is also a boot image with the same extra garbage at the front.

Odex files

The .odex files can be extracted by using the following guide Deodex Instructions

Open Ports

List nmap ports

Normal Mode, hooked to a Dish Network DVR (622) via WiFi:

  • Nmap scan report for LogitechRevue (192.168.1.142)
  • Host is up (0.060s latency).
  • Not shown: 65528 closed ports
  • PORT STATE SERVICE
  • 53/tcp open domain
  • 1100/tcp open unknown
  • 5222/tcp open unknown -- Extensible Messaging and Presence Protocol (XMPP) Service (http://xmpp.org/)
  • 5223/tcp open unknown -- SSL port for XMPP
  • 9551/tcp open unknown -- AnyMote Pairing Service through IpRemoteControlService -- SSL handshake requests cert and logs show errors from AnyMote
  • 9552/tcp open unknown -- AnyMote Connection Port
  • 35832/tcp open unknown

Available Pinouts

  • UART1 --> UART Pinout
  • J3 --> PIC Chip Access (Pin 1 = VPP/MCLR, Pin 2 = VDD, Pin 3 = VSS, Pin 4 = ICSPDAT/PGD, Pin 5 = ICSPCLK/PGC, Pin 6 = Auxiliary)
  • SW1 --> Push Button Switch (Use is unknown)
  • J20 --> I2C (Top left - GND Top right - ? Bottom left - SDA Bottom right - SCL)
  • J69 --> USB Pinout
  • SATA1 --> SATA Pinout (Pin 1 = GND, Pin 2 = TXP / A+ , Pin 3 = TXN / A-, Pin 4 = GND , Pin 5 = RXN / B-, Pin 6 = RXP / B+ , Pin 7 = GND)
  • J24 --> Unknown (Pin 1 = 3.3, Pin 2 = ?, Pin 3 = ?, Pin 4 = GND)
  • J13 --> Unknown (Power for SATA?) - (Pin 1 = ?, Pin 2 = GND, Pin 3 = GND, Pin 4 = 5v)
  • XDP1 --> Intel XDP Debug Adapter Information on XDP Debugging Page 23 Pinout

Volume Management Configuration

Similar to other android based products, external storage can be attached and the device will attempt to mount it to /sdcard as per the following vold.conf:

volume_sdcard {
    # NOTE: This path is overbroad and will capture any device on the
    # tatung3/tatung4 external PCI bus.  This needs to be fixed, in conjunction
    # with vold changes to handle logical device names (DEVPATH names are not
    # static, unfortunately.)
    media_path     /devices/pci0000:00/0000:00:01.0/0000:01:0d.1/usb2/
    media_type     scsi
    mount_point    /sdcard
    read_only      true
}

Note the interesting comment about the media_path as well as the read_only=true attribute.