![\"\"](\"http:\/\/www.computersolutions.cn\/blog\/wp-content\/uploads\/2012\/06\/Unknown.jpeg\" "\\"Unknown\\"")
<\/a><\/p>\nI don’t have one, but I took a quick look at the data provided, and it looks fairly straightforward to “hack”.<\/p>\n
It actually took me less than 30 minutes to have most of the good bits extracted from receiving the file!<\/p>\n
There are 2 files on the SD card.<\/p>\n
One is a 64 byte file called sn.bin which contains this data:<\/p>\n
This looks suspiciously like a header, but I haven’t taken a clear look.<\/p>\n The second file is called x3rodl.bin, and contains a Linux firmware in ARM format.<\/p>\n The first few hundred bytes look like this:<\/p>\n Its obviously in ARM format, as the first set of bytes are ARM no-op codes.<\/p>\n 00 00 A0 E1, which repeats 8 times. 18 28 6F 01 = 0x016f2818<\/p>\n Linux code looks something like this for identifying if its a kernel:<\/p>\n 9 * 4 = 36, which is our location, and this happens to have our magic number. The following bits of data, contain the setup for the kernel, and the boot code.<\/p>\n This continues on until the compressed kernel+ramdisk. That starts with 1F 8B 08 (gzip header bytes) over at 0x3EF2, until roughly the end of the file.<\/p>\n I extracted that part and had a quick look. Linux version is: 2.6.36-FriendlyARM<\/p>\n Boot params are: RAMDISK File System starts at 0x20000, and looks like this:<\/p>\n The bootup script for this looks like this:<\/p>\n PATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin echo st.<\/p>\n # cmdline=`cat \/proc\/cmdline`<\/p>\n ROOT=none for x in $cmdline ; do \tesac if [ ! -z $NFSROOT ] ; then else \tmount -n -t yaffs2 -o noatime -o nodiratime -o ro \/dev\/mtdblock2 \/r<\/p>\n \tif [ -e \/r\/home\/plg\/reboot ]; then fi<\/p>\n ONE_WIRE_PROC=\/proc\/driver\/one-wire-info [ -e \/r\/etc\/friendlyarm-ts-input.conf ] && . \/r\/etc\/friendlyarm-ts-input.conf #lilxc debug here # for running game The secondary loader in init looks like this:<\/p>\n #! \/bin\/sh<\/p>\n PATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin:\/usr\/local\/bin: # [ -e \/proc\/1 ] || \/bin\/mount -n -t proc none \/proc echo \/sbin\/mdev > \/proc\/sys\/kernel\/hotplug \/sbin\/hwclock -s<\/p>\n echo \" \" > \/dev\/tty1 #\/etc\/rc.d\/init.d\/netd start \/etc\/rc.d\/init.d\/mkjoy #echo \" \" > \/dev\/tty1 #\/sbin\/ifconfig lo 127.0.0.1 #\/bin\/qtopia & cd \/sdcard <\/code><\/p>\n Fairly easy to reverse!<\/p>\n Refs: Someone from the JammaForums.co.uk emailed me a copy of the firmware in their SD card from a XinYe 138 in 1. Card looks something like this: I don’t have one, but I took a quick look at the data provided, and it looks fairly straightforward to “hack”. It actually took me less than 30 minutes […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[390,282,25],"tags":[392,197,391,393],"class_list":["post-868","post","type-post","status-publish","format-standard","hentry","category-arcade-machines","category-firmware-2","category-technical-mumbo-jumbo","tag-arm","tag-firmware","tag-jamma","tag-reverse-engineering"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=868"}],"version-history":[{"count":1,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/868\/revisions"}],"predecessor-version":[{"id":872,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/868\/revisions\/872"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\n<\/a><\/p>\n
\n02 00 00 EA, then…
\n18 28 6F 01 – Which is a magic word indicating that this contains a zImage (compressed Linux kernel)<\/p>\nif (*(ulong *)(to + 9*4) != LINUX_ZIMAGE_MAGIC) {
\n printk(\"Warning: this binary is not compressed linux kernel image\/n\");
\n printk(\"zImage magic = 0x%08lx\/n\", *(ulong *)(to + 9*4));
\n } else {
\n printk(\"zImage magic = 0x%08lx\/n\", *(ulong *)(to + 9*4));
\n }
\n<\/code><\/p>\n
\nSo, we know its a kernel. Its also probably the VIVI bootloader from Samsung, as that uses that style MAGIC.<\/p>\n
\nIts about 7.7M size unpacked.<\/p>\n
\nconsole=ttySAC0,115200 root=\/dev\/ram init=\/linuxrc initrd=0x51000000,6M ramdisk_size=6144<\/p>\nlawrence$ ls -al
\ntotal 24
\ndrwxr-xr-x 13 lawrence staff 442 Jun 17 23:09 .
\ndrwxr-xr-x 4 lawrence staff 136 Jun 17 23:08 ..
\ndrwxr-xr-x 51 lawrence staff 1734 Jun 17 23:09 bin
\ndrwxr-xr-x 2 lawrence staff 68 Jun 17 23:09 dev
\ndrwxr-xr-x 11 lawrence staff 374 Jun 17 23:09 etc
\n-rwxr-xr-x 1 lawrence staff 3821 Jun 17 23:09 init
\n-rw-r--r-- 1 lawrence staff 3821 Jun 17 23:09 init~
\nlrwxrwxrwx 1 lawrence staff 11 Jun 17 23:09 linuxrc -> bin\/busybox
\ndrwxr-xr-x 2 lawrence staff 68 Jun 17 23:09 proc
\ndrwxr-xr-x 2 lawrence staff 68 Jun 17 23:09 r
\ndrwxr-xr-x 19 lawrence staff 646 Jun 17 23:09 sbin
\ndrwxr-xr-x 2 lawrence staff 68 Jun 17 23:09 sdcard
\ndrwxr-xr-x 4 lawrence staff 136 Jun 17 23:09 usr
\n<\/code><\/p>\n
\n#! \/bin\/sh<\/p>\n
\nrunlevel=S
\nprevlevel=N
\numask 022
\nexport PATH runlevel prevlevel<\/p>\n
\n#\tTrap CTRL-C &c only in this shell so we can interrupt subprocesses.
\n#
\ntrap \":\" INT QUIT TSTP
\n\/bin\/hostname FriendlyARM
\n\/bin\/mount -n -t proc proc \/proc<\/p>\n
\nROOTFLAGS=
\nROOTFSTYPE=
\nNFSROOT=
\nIP=
\nINIT=\/sbin\/init
\n#run_fs_image=\/images\/linux\/rootfs_xin1arm_sdhotplug.ext3<\/p>\n
\n\tcase $x in
\n\troot=*)
\n\t\tROOT=${x#root=}
\n\t\t;;
\n\trootfstype=*)
\n\t\tROOTFSTYPE=\"-t ${x#rootfstype=}\"
\n\t\t;;
\n\trootflags=*)
\n\t\tROOTFLAGS=\"-o ${x#rootflags=}\"
\n\t\t;;
\n\tinit=*)
\n\t\tINIT=${x#init=}
\n\t\t;;
\n\tnfsroot=*)
\n\t\tNFSROOT=${x#nfsroot=}
\n\t\t;;
\n\tip=*)
\n\t\tIP=${x#ip=}
\n\t\t;;<\/p>\n
\ndone<\/p>\n
\n\techo $NFSROOT | sed s\/:\/\\ \/g > \/dev\/x ; read sip dir < \/dev\/x\n\techo $IP | sed s\/:\/\\ \/g > \/dev\/x; read cip sip2 gip netmask hostname device autoconf < \/dev\/x\n\trm \/dev\/x\n\t#echo $sip $dir $cip $sip2 $gip $netmask $hostname $device $autoconf\n\tmount -t nfs $NFSROOT \/r -o nolock,proto=tcp\n\t#[ -e \/r\/dev\/console ] || exec \/bin\/sh\n\nelif [ ! -z $run_fs_image ] ; then\n\t#lilxc\n\t#echo $run_fs_image\n\techo sdroot.\n\n\tif [ ! -e \/dev\/mmcblk0p2 ] ; then\n\t\techo \"p2 not found.\"\n\t\treboot\n\t\tsleep 5\n\tfi\n\n\tROOTFSTYPE=\"-t ext3\"\n\tfor i in 1 2 3 4 5 ; do\n\t#\/bin\/mount -n -o sync -o noatime -o nodiratime -o ro -t vfat \/dev\/mmcblk0p1 \/sdcard && break\n\t\/bin\/mount -n -o sync -o noatime -o nodiratime -o ro -t ext3 \/dev\/mmcblk0p2 \/sdcard && break\n\techo Waiting for SD Card...\n\n\tif [ $i = 4 ] ; then\n\t\techo \" p2 failed. \"\n\t\treboot\n\t\tsleep 5\n\t\tbreak;\n\tfi\t\n\n\tsleep 1\n\tdone\n\n\t#echo ------begin----------------------------------------\n\t#sleep 1\n\t#lilxc\n\t#ls -l \/dev\n\t#sleep 1\n\t#echo -----------------------------------------------\n\t#ls -l \/sdcard\n\t#sleep 1\n\t#echo ------end------------------------------------------\n\n\t#\/sbin\/losetup \/dev\/loop0 \/sdcard\/$run_fs_image\n\t#\/bin\/mount $ROOTFSTYPE \/dev\/loop0 \/r\n\t#\/bin\/mount $ROOTFSTYPE -o noatime -o nodiratime -o ro \/dev\/mmcblk0p2 \/r > \/dev\/null 2>&1
\n\t\/bin\/mount $ROOTFSTYPE -n -o noatime -o nodiratime -o ro \/dev\/mmcblk0p3 \/r > \/dev\/null 2>&1
\n\tmount -o move \/sdcard \/r\/sdcard
\n\t#\/sbin\/losetup \/dev\/loop1 \/r\/sdcard\/swap
\n\t#\/sbin\/swapon \/dev\/loop1<\/p>\n
\n#\t\/bin\/mount -n $ROOTFLAGS $ROOTFSTYPE $ROOT \/r
\n#\techo \"Readonly mount...(lilxc)\"
\n#\tmount -n -t yaffs2 -o noatime -o nodiratime -o ro \/dev\/mtdblock2 \/r
\n#\tmount -n -t yaffs2 -o noatime -o nodiratime \/dev\/mtdblock2 \/r<\/p>\n
\n\t\tumount \/r
\n\t\tmount -n -t yaffs2 -o noatime -o nodiratime \/dev\/mtdblock2 \/r
\n\tfi<\/p>\n
\nETC_BASE=\/r\/etc
\n[ -d \/r\/system\/etc ] && ETC_BASE=\/r\/system\/etc
\n[ -e $ETC_BASE\/ts.detected ] && . $ETC_BASE\/ts.detected
\n[ -z $CHECK_1WIRE ] && CHECK_1WIRE=Y
\nif [ $CHECK_1WIRE = \"Y\" -a -e $ONE_WIRE_PROC ] ; then
\n\tif read lcd_type fw_ver tail < $ONE_WIRE_PROC ; then\n\t\tif [ x$lcd_type = \"x0\" -a x$fw_ver = \"x0\" ] ; then\n\t\t\tTS_DEV=\/dev\/touchscreen\n\t\telse\n\t\t\tTS_DEV=\/dev\/touchscreen-1wire\n\t\t\techo \"1Wire touchscreen OK\"\n\t\tfi\n\t\tif [ -e $ETC_BASE\/friendlyarm-ts-input.conf ]; then\n\t\t\tsed \"s:^\\(TSLIB_TSDEVICE=\\).*:\\1$TS_DEV:g\" $ETC_BASE\/friendlyarm-ts-input.conf > $ETC_BASE\/ts-autodetect.conf
\n\t\t\tmv $ETC_BASE\/ts-autodetect.conf $ETC_BASE\/friendlyarm-ts-input.conf -f
\n\t\t\techo \"CHECK_1WIRE=N\" > $ETC_BASE\/ts.detected
\n\t\tfi
\n\tfi
\nfi<\/p>\n
\n[ -e \/r\/system\/etc\/friendlyarm-ts-input.conf ] && . \/r\/system\/etc\/friendlyarm-ts-input.conf
\nexport TSLIB_TSDEVICE<\/p>\n
\n#\/bin\/mount -n -o sync -o noatime -o nodiratime -t vfat \/dev\/mmcblk0p1 \/sdcard
\n#cp \/sdcard\/lktcmd \/r\/tmp
\n#exec \/bin\/sh<\/p>\n
\numount \/proc
\nexec switch_root \/r $INIT <\/r\/dev\/console >\/r\/dev\/console 2>&1
\n<\/code><\/p>\n<\/p>\n
\nrunlevel=S
\nprevlevel=N
\numask 022
\nexport PATH runlevel prevlevel<\/p>\n
\n#\tTrap CTRL-C &c only in this shell so we can interrupt subprocesses.
\n#
\ntrap \":\" INT QUIT TSTP
\n\/bin\/hostname FriendlyARM<\/p>\n
\n[ -e \/sys\/class ] || \/bin\/mount -n -t sysfs none \/sys
\n[ -e \/dev\/tty ] || \/bin\/mount -t ramfs none \/dev
\n\/bin\/mount -n -t usbfs none \/proc\/bus\/usb<\/p>\n
\n\/sbin\/mdev -s
\n\/bin\/hotplug
\n# mounting file system specified in \/etc\/fstab
\nmkdir -p \/dev\/pts
\nmkdir -p \/dev\/shm
\n\/bin\/mount -n -t devpts none \/dev\/pts -o mode=0622
\n\/bin\/mount -n -t tmpfs tmpfs \/dev\/shm
\n\/bin\/mount -n -t ramfs none \/tmp
\n\/bin\/mount -n -t ramfs none \/var
\nmkdir -p \/var\/empty
\nmkdir -p \/var\/log
\nmkdir -p \/var\/lock
\nmkdir -p \/var\/run
\nmkdir -p \/var\/tmp<\/p>\n
\necho \"System starting... \" > \/dev\/tty1
\nsyslogd<\/p>\n
\n#echo \" \" > \/dev\/tty1
\n#echo \"Starting networking...\" > \/dev\/tty1
\n#sleep 1
\n#\/etc\/rc.d\/init.d\/httpd start
\n#echo \" \" > \/dev\/tty1
\n#echo \"Starting web server...\" > \/dev\/tty1
\n#sleep 1
\n#\/etc\/rc.d\/init.d\/leds start
\n#echo \" \" > \/dev\/tty1
\n#echo \"Starting leds service...\" > \/dev\/tty1
\n#echo \" \"
\n#sleep 1<\/p>\n
\n#echo \" \" > \/dev\/tty1
\n#echo \"System Starting... \" > \/dev\/tty1
\n#echo \" \" > \/dev\/tty1 <\/p>\n
\n\/etc\/rc.d\/init.d\/alsaconf start
\n#echo \"Loading sound card config...\" > \/dev\/tty1
\n#echo \" \"<\/p>\n
\n#\/etc\/init.d\/ifconfig-eth0<\/p>\n
\n#echo \" \" > \/dev\/tty1
\n#echo \"Starting Qtopia, please waiting...\" > \/dev\/tty1<\/p>\n
\n.\/run.sh
\nreboot<\/p>\n
\nhttp:\/\/www.jammaplus.co.uk\/
\nhttp:\/\/blog.csdn.net\/liangkaiming\/article\/details\/6259189<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"