ProMark helpfully left a second's worth of delay in UBoot before starting the boot process, available on the serial port. This meant I could get a UBoot prompt and output the machine's environment variables, which show some interesting information (the output of "printenv" is shown at the end of this post). It also meant I could try to boot into a single-user prompt, which I was ultimately able to do after a bunch of experimenting and a friend's helpful suggestion to watch some master's manipulation of UBoot on YouTube. The trick for this device is to set "flashargs" as shown below to boot into /bin/sh.

    setenv flashargs 'run commonargs; set bootargs ${bootargs} root=${flashroot} rootfstype=${flashrootfstype} noinitrd init=/bin/sh'
    boot

I also changed the boot delay to 3 seconds to make it easier to interrupt the boot process (which is simply sending some character via the console serial port). "saveenv" writes the changes permanently to the flash memory (as opposed to the change I made above to flashargs, which does not persist over a power cycle).

    setenv bootdelay 3
    saveenv

The system uses busybox to provide most functions including "cat". I took a look at /etc/passwd from the single-user prompt and was disappointed. The system allows no logins, whatsoever, even though it allows a telnet connection and provides a login on the serial port. Score one for the security-conscious developers at ProMark. Here are the contents of the /etc/passwd file from the single-user prompt (all the way from setting the UBoot environment variable "flashargs" through the boot and cat of /etc/passwd):

    ipcam # setenv flashargs 'run commonargs; set bootargs ${bootargs} root=${flashroot} rootfstype=${flashrootfstype} noinitrd init=/bin/sh'
    ipcam # printenv flashargs
    flashargs=run commonargs; set bootargs ${bootargs} root=${flashroot} rootfstype=${flashrootfstype} noinitrd init=/bin/sh
    ipcam # boot
    Booting from SPI Flash...
    8192 KiB hi_sfc at 0:0 is now current device
    ## Booting kernel from Legacy Image at 81000000 ...
       Image Name:   Linux-3.0.8
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    1723048 Bytes = 1.6 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    Starting kernel ...
    Uncompressing Linux... done, booting the kernel.
    Linux version 3.0.8 (root@hiber) (gcc version 5.2.0 (Buildroot 2015.11.1) ) #4 Thu Aug 25 05:42:37 EDT 2016
    CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
    CPU: VIVT data cache, VIVT instruction cache
    Machine: hi3518
    Memory policy: ECC disabled, Data cache writeback
    AXI bus clock 200000000.
    Built 1 zonelists in Zone order, mobility grouping on. Total pages: 10160
    Kernel command line: mem=40M mmz=24M console=ttyAMA0,115200n8 mtdparts=hi_sfc:512k(uboot)ro,256k(uboot-env),256k(mfd),3m(kernel),4m(rootfs) hieth.mdioifu=1 hieth.mdioifd=1 hieth.phyaddru=0 hieth.phyaddrd=1 root=/dev/mtdblock4 rootfstype=squashfs,jffs2 noinitrd init=/bin/sh
    PID hash table entries: 256 (order: -2, 1024 bytes)
    Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
    Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
    Memory: 40MB = 40MB total
    Memory: 35852k/35852k available, 5108k reserved, 0K highmem
    Virtual kernel memory layout:
        vector  : 0xffff0000 - 0xffff1000 ( 4 kB)
        fixmap  : 0xfff00000 - 0xfffe0000 ( 896 kB)
        DMA     : 0xffc00000 - 0xffe00000 ( 2 MB)
        vmalloc : 0xc3000000 - 0xfe000000 ( 944 MB)
        lowmem  : 0xc0000000 - 0xc2800000 ( 40 MB)
        modules : 0xbf000000 - 0xc0000000 ( 16 MB)
        .init   : 0xc0008000 - 0xc0027000 ( 124 kB)
        .text   : 0xc0027000 - 0xc044b000 (4240 kB)
        .data   : 0xc044c000 - 0xc047d740 ( 198 kB)
        .bss    : 0xc047d764 - 0xc0496d70 ( 102 kB)
    SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
    NR_IRQS:128 nr_irqs:128 128
    sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
    Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
    pid_max: default: 32768 minimum: 301
    Mount-cache hash table entries: 512
    CPU: Testing write buffer coherency: ok
    devtmpfs: initialized
    NET: Registered protocol family 16
    Serial: AMBA PL011 UART driver
    uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
    console [ttyAMA0] enabled
    uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
    bio: create slab at 0
    SCSI subsystem initialized
    usbcore: registered new interface driver usbfs
    usbcore: registered new interface driver hub
    usbcore: registered new device driver usb
    cfg80211: Calling CRDA to update world regulatory domain
    Switching to clocksource timer1
    NET: Registered protocol family 2
    IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
    TCP established hash table entries: 2048 (order: 2, 16384 bytes)
    TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
    TCP: Hash tables configured (established 2048 bind 2048)
    TCP reno registered
    UDP hash table entries: 256 (order: 0, 4096 bytes)
    UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
    NET: Registered protocol family 1
    RPC: Registered named UNIX socket transport module.
    RPC: Registered udp transport module.
    RPC: Registered tcp transport module.
    RPC: Registered tcp NFSv4.1 backchannel transport module.
    squashfs: version 4.0 (2009/01/31) Phillip Lougher
    JFFS2 version 2.2. (NAND) .. 2001-2006 Red Hat, Inc.
    fuse init (API version 7.16)
    msgmni has been set to 70
    Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
    io scheduler noop registered
    io scheduler deadline registered (default)
    io scheduler cfq registered
    brd: module loaded
    Spi id table Version 1.22
    Spi(cs1) ID: 0xEF 0x40 0x17 0x00 0x00 0x00
    SPI FLASH start_up_mode is 3 Bytes
    Spi(cs1): Block:64KB Chip:8MB Name:"W25Q64FV"
    spi size: 8MB
    chip num: 1
    5 cmdlinepart partitions found on MTD device hi_sfc
    Creating 5 MTD partitions on "hi_sfc":
    0x000000000000-0x000000080000 : "uboot"
    0x000000080000-0x0000000c0000 : "uboot-env"
    0x0000000c0000-0x000000100000 : "mfd"
    0x000000100000-0x000000400000 : "kernel"
    0x000000400000-0x000000800000 : "rootfs"
    Fixed MDIO Bus: probed
    himii: probed
    RTL871X: module init start
    RTL871X: rtl8188eu v4.3.24_16705.20160509
    RTL871X: build time: Aug 25 2016 05:41:55
    usbcore: registered new interface driver rtl8188eu
    RTL871X: module init ret=0
    usbmon: debugfs is not available
    ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    hiusb-ehci hiusb-ehci.0: HIUSB EHCI
    hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
    hiusb-ehci hiusb-ehci.0: irq 15, io mem 0x100b0000
    hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
    hub 1-0:1.0: USB hub found
    hub 1-0:1.0: 1 port detected
    ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
    hiusb-ohci hiusb-ohci.0: HIUSB OHCI
    hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2
    hiusb-ohci hiusb-ohci.0: irq 16, io mem 0x100a0000
    hub 2-0:1.0: USB hub found
    hub 2-0:1.0: 1 port detected
    sp805-wdt dev:wdog: registration successful
    TCP cubic registered
    NET: Registered protocol family 10
    IPv6 over IPv4 tunneling driver
    NET: Registered protocol family 17
    registered taskstats version 1
    .VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
    devtmpfs: mounted
    Freeing init memory: 124K
    usb 1-1: new high speed USB device number 2 using hiusb-ehci
    /bin/sh: can't access tty; job control turned off
    / # bFWReady == _FALSE call reset 8051...
    RTL871X: hal_com_config_channel_plan chplan:0x08
    RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=00:0a:e2:1f:49:59
    / #
    / # cat /etc/passwd
    root:x:0:0:root:/root:/bin/sh
    daemon:x:1:1:daemon:/usr/sbin:/bin/false
    bin:x:2:2:bin:/bin:/bin/false
    sys:x:3:3:sys:/dev:/bin/false
    sync:x:4:100:sync:/bin:/bin/sync
    mail:x:8:8:mail:/var/spool/mail:/bin/false
    www-data:x:33:33:www-data:/var/www:/bin/false
    operator:x:37:37:Operator:/var:/bin/false
    nobody:x:99:99:nobody:/home:/bin/false
    dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
    / #

The system filesystem is booted into a read-only state, so modifying files during runtime is not possible. This means that we have to either modify them on the SPI flash chip (the HI3518 boots from an 8-pin SPI flash chip) or upload a modified firmware update (which, sadly, ProMark seems to have none of...). Since I don't have access to WiFi (yet?) from the single-user prompt, right now the only possibility seems to be to offload the SPI chip and then modify the data before reprogramming it (a chore...). Perhaps later, or sooner if some expert gives me some advice...
Output of UBoot "printenv":

    ipcam # printenv
    bootargs=mem=40M console=ttyAMA0,115200
    bootcmd=run autoboot
    bootdelay=1
    baudrate=115200
    ethaddr=00:00:23:34:45:66
    ipaddr=192.168.1.10
    serverip=192.168.1.2
    preboot=mw 200f000c 0; mw 20150400 10; mw 20150040 10
    rootpath=/tftpboot/hi3518/rootfs
    gatewayip=192.168.1.1
    netmask=255.255.255.0
    bootfile=hi3518/uImage
    loadaddr=0x81000000
    mdio_intf=rmii
    phyaddru=0
    phyaddrd=1
    meminfo=mem=40M
    mmzinfo=mmz=24M
    console=ttyAMA0,115200n8
    netdev=eth0
    nfsopts=hard,tcp,vers=3
    hieth=hieth.mdioifu=1 hieth.mdioifd=1 hieth.phyaddru=0 hieth.phyaddrd=1
    flashroot=/dev/mtdblock4
    flashrootfstype=squashfs,jffs2
    mtdparts=hi_sfc:512k(uboot)ro,256k(uboot-env),256k(mfd),3m(kernel),4m(rootfs)
    commonargs=setenv bootargs ${meminfo} ${mmzinfo} console=${console} mtdparts=${mtdparts} ${hieth}
    flashargs=run commonargs; set bootargs ${bootargs} root=${flashroot} rootfstype=${flashrootfstype}
    flashboot=echo Booting from SPI Flash...; run flashargs; sf probe 0 && sf read ${loadaddr} 0x100000 0x300000 && bootm
    nfsargs=run commonargs; setenv bootargs ${bootargs} root=/dev/nfs nfsroot=${serverip}:${rootpath},${nfsopts}
    addip=setenv bootargs ${bootargs} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:off
    nfsboot=run nfsargs; run addip; tftp ${loadaddr} ${bootfile} && bootm ${loadaddr}
    serialboot=echo Booting from serial (Y-MODEM)...; run commonargs; loady && bootm
    autoboot=if run flashboot; then; else run serialboot; fi
    sensor_type=gc1014
    hwmode=g
    mLwFlg=0
    wifi_channel=2
    ssid=P70-VR
    Mirror=1
    stdin=serial
    stdout=serial
    stderr=serial
    verify=n
    ver=U-Boot 2010.06 (Jul 26 2016 - 01:40:47)

    Environment size: 1587/65531 bytes
    ipcam #
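
Seen from the vendor's side, the environment above is what made the single-user boot possible. The following is an added example, not part of the original post or ProMark's firmware: a small audit that flags those settings in a saved `printenv` dump and pulls an `init=` override out of a kernel command line. The function names are hypothetical and the sample is a constructed subset of the dump above.

```python
import re
# Constructed sample: a subset of the `printenv` output shown in this post.
SAMPLE_ENV = """\
bootdelay=1
stdin=serial
verify=n
flashargs=run commonargs; set bootargs ${bootargs} root=${flashroot} rootfstype=${flashrootfstype}
nfsboot=run nfsargs; run addip; tftp ${loadaddr} ${bootfile} && bootm ${loadaddr}
serialboot=echo Booting from serial (Y-MODEM)...; run commonargs; loady && bootm
autoboot=if run flashboot; then; else run serialboot; fi
"""
# U-Boot commands that fetch a boot image from outside the on-board flash.
EXTERNAL_LOADERS = {"tftp", "tftpboot", "nfs", "loady", "loadb", "loads"}

def parse_env(text):
    """Turn `printenv` output (one name=value per line) into a dict."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"\w+", name):
            env[name] = value
    return env

def audit_env(env):
    """Return (variable, finding) pairs for settings that weaken the boot chain."""
    findings = []
    delay = env.get("bootdelay", "")
    # A positive delay waits for a key press; -1 disables autoboot entirely.
    if re.fullmatch(r"-?\d+", delay) and (int(delay) > 0 or int(delay) == -1):
        findings.append(("bootdelay", "console can get a U-Boot prompt before boot"))
    if env.get("stdin") == "serial":
        findings.append(("stdin", "U-Boot prompt takes input from the serial port"))
    if env.get("verify", "").lower() in ("n", "no"):
        findings.append(("verify", "bootm skips the image checksum"))
    for name, value in env.items():
        # Split each script into commands and compare the command words.
        words = {c.split()[0] for c in re.split(r";|&&|\|\|", value) if c.split()}
        used = sorted(words & EXTERNAL_LOADERS)
        if used:
            findings.append((name, "loads an image via " + ", ".join(used)))
    return findings

def cmdline_init_override(cmdline):
    """Return the init= value from a kernel command line, or None."""
    m = re.search(r"(?:^|\s)init=(\S+)", cmdline)
    return m.group(1) if m else None

if __name__ == "__main__":
    for var, why in audit_env(parse_env(SAMPLE_ENV)):
        print(f"{var}: {why}")
```

On a running device, `cmdline_init_override` can be fed the contents of /proc/cmdline to detect that the kernel was started with a replaced init, as in the boot log above.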