xiaoai-patch
L09G
Hi,
I recently got my hands on an L09G and started poking around using the information available in issue #1 and the research folder.
I managed to connect a USB stick to the board by soldering to the test pins on the underside of the board. Running usb start recognises the connected USB stick:
axg_s420_v1_gva#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
I tried both fatinfo and fatls to confirm that the USB stick can be accessed correctly:
axg_s420_v1_gva#fatinfo usb 0
Interface: USB
Device 0: Vendor: VendorCo Rev: 2.00 Prod: ProductCode
Type: Removable Hard Disk
Capacity: 3840.0 MB = 3.7 GB (7864320 x 512)
Filesystem: FAT32 "NO NAME "
axg_s420_v1_gva#
axg_s420_v1_gva#
axg_s420_v1_gva#
axg_s420_v1_gva#fatls usb 0
5570560 DSC02072.JPG
System Volume Information/
1 file(s), 1 dir(s)
But now I have no idea how to continue. Can I dump the flash to the USB stick? Or can I flash a modified firmware from the USB stick?
Kind regards, Mario
Can we somehow unpack the update file mentioned here? https://github.com/duhow/xiaoai-patch/issues/1#issuecomment-1371028610
There is no modified firmware yet, you can use the tools provided to download the firmware file, unpack it, update the login (somehow?) and try to get console access to it.
Still I don't have any idea on how to run this, so whatever you try, ensure you have a backup done of your flash memory, and ensure to be able to access the U-boot console.
I didn't manage to get a flash backup. I tried nand read.raw followed by md.b afterwards, but I got some strange results. I copied two flash pages (zero and one) to RAM and printed them using md.b. Then, to verify that successive reads of flash pages work, I read only flash page one and printed it again. But the second read did not print the expected results, there was a gap of 0x40 bytes that were missing. In case someone wants to try it, here are the commands I used:
axg_s420_v1_gva#nand read.raw 0x02000000 0 0x1000
axg_s420_v1_gva#md.b 0x02000000 0x1000
axg_s420_v1_gva#nand read.raw 0x02000000 0x800 0x800
axg_s420_v1_gva#md.b 0x02000000 0x800
Maybe I am using the wrong approach to dump the flash, then I would appreciate a hint how to do it correctly.
Anyways, I managed to unpack the update file and extract the boot.img file. I copied it to the flash drive and was able to boot from the flash drive using the following commands:
usb start
fatload usb 0 ${loadaddr} boot.img
bootm ${loadaddr}
Then I tried to boot a modified boot.img (with the boot commandline embedded into the boot.img patched) but that failed because of the signature check:
aml log : Sig Check 1423
Do you have any ideas what to try next?
I managed to dump the flash by dumping all nand pages and writing the result to a file. This was an incredibly slow process which - fully automated - took around 23 hours.
I verified the dump by comparing the binwalk output with the output of mtdparts:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1157 0x485 MySQL ISAM compressed data file Version 4
16777216 0x1000000 Android bootimg, kernel size: 6453248 bytes, kernel addr: 0x1080000, ramdisk size: 3143680 bytes, ramdisk addr: 0x1000000, product name: ""
27262976 0x1A00000 Android bootimg, kernel size: 6453248 bytes, kernel addr: 0x1080000, ramdisk size: 3602432 bytes, ramdisk addr: 0x1000000, product name: ""
39845888 0x2600000 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 11356998 bytes, 1086 inodes, blocksize: 131072 bytes, created: 1970-01-01 00:00:00
56623104 0x3600000 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 51200242 bytes, 175 inodes, blocksize: 131072 bytes, created: 1970-01-01 00:00:00
107954016 0x66F3F60 Zlib compressed data, best compression
128057344 0x7A20000 UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000
axg_s420_v1_gva#mtdparts
0x000000000000-0x000000200000 : "bootloader"
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001a00000 : "recovery"
0x000001a00000-0x000002600000 : "boot"
0x000002600000-0x000003600000 : "system"
0x000003600000-0x000007a20000 : "chrome"
0x000007a20000-0x000007e20000 : "factory"
0x000007e20000-0x000010000000 : "data"
I extracted the data partition from the dump file using dd:
dd if=dev_1.bin bs=1k skip=129152 count=132992 of=data.img
The extracted file seems to be a valid UBI image:
data.img: UBI image, version 1
As I can access a USB stick from u-boot, I should be able to update the nand with modified data.
For now I am out of ideas. Does anybody else know how to continue from here?
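The offset arithmetic behind the dd command and the binwalk/mtdparts comparison in the post above can be automated. The following is an added example, not part of the original thread or of the xiaoai-patch project: it parses the mtdparts table quoted above, derives dd parameters for any partition, and maps each binwalk hit to the partition it falls in. The function names and the `dev_1.bin`-style carve helper are assumptions made for illustration.

```python
"""Carve partitions out of a raw NAND dump using U-Boot `mtdparts` output."""
import re

# Partition table as printed by `mtdparts` in the post above.
MTDPARTS = '''\
0x000000000000-0x000000200000 : "bootloader"
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001a00000 : "recovery"
0x000001a00000-0x000002600000 : "boot"
0x000002600000-0x000003600000 : "system"
0x000003600000-0x000007a20000 : "chrome"
0x000007a20000-0x000007e20000 : "factory"
0x000007e20000-0x000010000000 : "data"
'''

# (offset, description) pairs copied from the binwalk listing in the post above.
BINWALK_HITS = [
    (0x485, "MySQL ISAM compressed data file"),
    (0x1000000, "Android bootimg"),
    (0x1A00000, "Android bootimg"),
    (0x2600000, "Squashfs filesystem"),
    (0x3600000, "Squashfs filesystem"),
    (0x66F3F60, "Zlib compressed data"),
    (0x7A20000, "UBI erase count header"),
]

_LINE = re.compile(r'^\s*0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"\s*$')


def parse_mtdparts(text):
    """Return [(name, start, end)] sorted by start; reject bad or overlapping ranges."""
    parts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip prompts and blank lines from the serial capture
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end <= start:
            raise ValueError(f"empty or inverted range for {m.group(3)!r}")
        parts.append((m.group(3), start, end))
    parts.sort(key=lambda p: p[1])
    for (n1, _, e1), (n2, s2, _) in zip(parts, parts[1:]):
        if s2 < e1:
            raise ValueError(f"partitions {n1!r} and {n2!r} overlap")
    return parts


def dd_args(parts, name, bs=1024):
    """dd skip/count (in units of bs) that select partition `name` from the dump."""
    for pname, start, end in parts:
        if pname == name:
            if start % bs or (end - start) % bs:
                raise ValueError(f"{name!r} is not aligned to bs={bs}")
            return {"bs": bs, "skip": start // bs, "count": (end - start) // bs}
    raise KeyError(name)


def locate(parts, offset):
    """Map a dump offset to (partition name, offset inside it); (None, None) in a gap."""
    for name, start, end in parts:
        if start <= offset < end:
            return name, offset - start
    return None, None


def aligned_starts(parts, hits):
    """Names of partitions that have a binwalk signature exactly at their first byte."""
    return [name for name, rel in (locate(parts, off) for off, _ in hits) if rel == 0]


def fits(parts, name, image_size):
    """True if an image of image_size bytes fits into partition `name`."""
    args = dd_args(parts, name, bs=1)
    return image_size <= args["count"]


def carve(dump_path, parts, name, out_path, chunk=1 << 20):
    """Copy one partition out of the dump; same result as the dd command above."""
    args = dd_args(parts, name, bs=1)
    remaining = args["count"]
    with open(dump_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(args["skip"])
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:
                raise EOFError(f"dump ends inside partition {name!r}")
            dst.write(buf)
            remaining -= len(buf)
    return args["count"]


if __name__ == "__main__":
    table = parse_mtdparts(MTDPARTS)
    a = dd_args(table, "data")
    print(f"dd if=dev_1.bin bs=1k skip={a['skip']} count={a['count']} of=data.img")
    for off, desc in BINWALK_HITS:
        name, rel = locate(table, off)
        where = f"{name}+{rel:#x}" if name else "outside any partition"
        print(f"{off:#011x}  {where:<24} {desc}")
```

Signatures that land exactly on a partition start (relative offset 0) are the ones that confirm the dump is laid out as mtdparts says; hits in the middle of a partition, such as the one at 0x485, are ordinary binwalk noise.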
Ping @ds2k5
The boot.img (kernel) shouldn't need to be changed.
Ideally you'll need to:
- update the system partition and change the init running programs: disable google assistant, run sshd ?, update /etc/inittab to run a shell, update root password...
- check Makefile for the commands to generate a squashfs file and ensure to match the same compression settings (compare with original with file command)
- flash the new system partition at the specific position
- additionally, update the uboot bootarg (kernel boot options) and run a program after kernel load, but maybe this shouldn't be required.
What I'm concerned about is whether uboot or the kernel (boot.img) will verify the system squashfs partition with a certificate / signature or not... That means the whole system might be signed and may need another way of running this.
@mrmariosgithu
Hi,
Nice, thanks for sharing. How did you do the dump?
Could you access with adb?
I am searching for a friend who has an SMD soldering station to try to use adb for more possibilities.
Got in the past a link for firmware download:
https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/l09g/mico_l09g_6c5c9_1.44.27.bin
Maybe you can use it to compare with your dump.
Before I post my updates, let me answer your questions first:
additionally, update the uboot bootarg (kernel boot options) and run a program after kernel load, but maybe this shouldn't be required.
I did not manage to start any processes using kernel boot parameters, I tried different command lines to spawn a shell on the serial console but without success.
How did you do the dump?
I wrote a small program that repetitively executed the nand dump command on the u-boot shell. This way I dumped each flash page and wrote the results to a dump file. This is an incredibly slow process as each flash page takes around one second to dump and there are 131072 of them. In the end it took around 23h to dump the entire flash chip that way. The binwalk results of that file are posted above. I tried nand read and nand read.raw first but the results did not match the page dump results.
could you access with adb ?
No, unfortunately not. As it later turned out, the ADB service is disabled and cannot be activated using kernel boot parameters. And I found no other command to enable/start ADB from u-boot, which made sense to me.
Here are my new findings:
TL;DR:
Good news: I got SSH working
Bad news: I ripped off the USB pads from the PCB
Good news: I made the USB stick work again
Long story:
I managed to solder on a micro USB socket. Unfortunately, my soldering iron was not beefy enough to heat through the THT holes which are used to mount the micro USB socket to the board, as the holes are connected to massive ground planes. So I simply glued the socket in place. Using the fastboot command from u-boot, I got a new USB device showing up on the hub and responding to the fastboot tool provided by the Android platform-tools. I tried flashing the system.img file from the mico update file but that did not go well, the device failed to boot afterwards as it could not find the binaries on the system partition. While moving the board around on my desk, I (obviously) applied too much force to the micro USB socket and ripped it off. Unfortunately, the solder pads were gone, too. And the test pads on the bottom of the board - where I soldered the USB A socket to - did not work anymore. Luckily I was able to solder jumper wires to the USB ESD protection device pads and got the USB A socket working again.
Now that I got the USB stick working again, I started messing around with the NAND flash partitions. Turns out that replacing the boot.img does not work because it is signed and kernel, ramdisk and second stage are encrypted. The encryption is not a problem - at least compared to the signature check. So replacing the kernel or ramdisk is a dead end (for now). However, I was able to restore the system partition using the extracted mico update file and the USB stick. Next, I tried modifying the system.img and it turned out that it's not signed so I was able to flash a modified system partition.
I noticed that during boot the script set_usb_serialnumber.sh is executed, which is part of the system.img. So I used that file as an entry point to the device and started exploring by adding commands to the end of the file. Here are the most interesting results I got that way:
mount
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,relatime,size=4096k,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=32768k 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/block/mtdblock4 /system.ro squashfs ro,nodev,noatime 0 0
/dev/block/mtdblock5 /chrome squashfs ro,nodev,noatime 0 0
/dev/ubi6_0 /factory ubifs rw,relatime 0 0
/dev/ubi7_0 /cache ubifs rw,relatime 0 0
overlay /system overlay rw,relatime,lowerdir=/system.ro,upperdir=/cache/.system.overlay,workdir=/cache/.system.work 0 0
/dev/ubi7_0 /data ubifs rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
tmpfs /data/chrome/tmp tmpfs rw,relatime,size=1024k 0 0
tmpfs /data/share/chrome/metrics tmpfs rw,relatime,size=1024k 0 0
tmpfs /data/chrome/metrics tmpfs rw,relatime,size=1024k 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
find / | grep conf
/sys/devices/virtual/block/zram0/initstate /sys/devices/virtual/block/zram0/queue/rq_affinity /sys/devices/virtual/block/loop5/queue/rq_affinity /sys/devices/virtual/block/loop3/queue/rq_affinity /sys/firmware/devicetree/base/chosen/linux,initrd-start /sys/firmware/devicetree/base/chosen/linux,initrd-end /sys/firmware/devicetree/base/rtc/init_date /sys/fs/ext4/features/lazy_itable_init /sys/module/kernel/parameters/initcall_debug /sys/module/8821cs/initsize /sys/module/8821cs/initstate /sys/module/8821cs/sections/.init.text /sys/module/8821cs/parameters/rtw_initmac /sys/module/miso/initsize /sys/module/miso/initstate /sys/module/miso/sections/.init.text /sys/module/mico_proc_l09g/initsize /sys/module/mico_proc_l09g/initstate /sys/module/mico_proc_l09g/sections/.init.text /sys/module/usbcore/parameters/initial_descriptor_timeout /sys/module/tcp_cubic/parameters/initial_ssthresh /sbin/init_properties /sbin/init /init.rc /initcat /init.rc
on early-init
start ueventd
mount tmpfs tmpfs /tmp nodev noexec nosuid size=32m
# we already have /dev mounted
mount tmpfs tmpfs /dev remount size=4m
mount configfs configfs /sys/kernel/config
# set core dump size limit to unlimited
# core dump will be generated in /data/coredump/
# if the directory exists and writable
#setrlimit 4 -1 -1
#write /proc/sys/kernel/core_pattern "|/bin/sh /sbin/coredump.sh /data/coredump %e %p %h %s %t"
# force VM to keep 4096KB of free bytes
# default value is 2102(KB)
write /proc/sys/vm/min_free_kbytes "4096"
on init
# setup the global environment
export PATH /bin:/usr/bin:/sbin:/xbin
export LD_LIBRARY_PATH /system/vendor/lib:/system/lib:/usr/lib:/lib
export SECURE_USER_BUILD 0
# create mount point
mkdir /cache 0700 root chrome
mkdir /data 0755 root root
mkdir /factory 0755 root chrome
mkdir /system.ro 0755 root root
mkdir /chrome 0755 chrome chrome
chmod 666 /var/lock/fw_printenv.lock
mkdir /dev/shm
mount tmpfs tmpfs /dev/shm size=64m nodev noexec nosuid
symlink /dev/snd/timer /dev/timer
chmod 777 /dev/uinput
# set interface name
setprop wifi.interface wlan0
setprop ap.interface uap0
setprop persist.chrome.tos_accepted true
setprop persist.chrome.opt_in.stats 1
#The following definitions enable audioplayer for dobly
export media_arm_audio_decoder dts,ac3,eac3,mp3,aac,pcm
export media_audio_use_hardabuf 0
# The following definitions enable model-based provisioning using software
# based keys. This exercises the full key generation flow, but is not
# secure and SHALL NOT be used in production devices.
export CAST_MODEL_CHAIN_SW /factory/model.crt
export CAST_MODEL_PRIVKEY_SW /factory/model.key.bin
export CAST_CLIENT_CERT /factory/client.crt
export CAST_CLIENT_PRIVKEY /factory/client.key.bin
on fs
#mount squashfs /dev/mapper/system /system.ro ro nodev noatime
mount squashfs /dev/block/mtdblock4 /system.ro ro nodev noatime
mount squashfs /dev/block/mtdblock5 /chrome ro nodev noatime
# mount system&factory&data partitions
exec /sbin/busybox sh /sbin/mount_partitions.sh
# Note mounting /system needs to be the first thing. Some other commands
# might depend on /system binaries.
mkdir /cache/.system.work 0755 root chrome
mkdir /cache/.system.overlay 0755 root chrome
mount overlay overlay /system lowerdir=/system.ro,upperdir=/cache/.system.overlay,workdir=/cache/.system.work
symlink /system/lib/firmware /lib/firmware
# failure safe to re-generate cache if above steps fails
exec /bin/sh /sbin/check_and_mount_ubifs.sh 7 cache /cache 20
# Set the group of cache mount point to chrome
# so update_engine can create files freely, but set
# the sticky bit so that it can't mess with any
# files it doesn't own.
chown root chrome /cache
chmod 1775 /cache
# Mount /data inside of /cache so that we can share a single
# partition. This allows us to spread wear across the
# flash better and allows for more flexibility.
mkdir /cache/.data 0755 root root
exec /bin/mount -o bind /cache/.data /data
# Mount debugfs
mount debugfs none /sys/kernel/debug
chown root chrome /sys/kernel/debug
chmod 0750 /sys/kernel/debug
# create directory for share
mkdir /data/share 0755 root root
mkdir /data/share/sntpd 0775 sntpd sntpd
# create directory for cast receiver package
mkdir /data/chrome 0770 chrome chrome
mkdir /data/share/chrome 0775 root chrome
mkdir /data/chrome/tmp 0770 chrome chrome
mount tmpfs tmpfs /data/chrome/tmp size=1m
chown chrome chrome /data/chrome/tmp
chmod 0770 /data/chrome/tmp
# create directory for external metrics
# Move it to /data/metrics.
mkdir /data/share/chrome/metrics 0730 metrics metrics
mount tmpfs tmpfs /data/share/chrome/metrics size=1m
chown metrics metrics /data/share/chrome/metrics
chmod 0730 /data/share/chrome/metrics
# create directory for cast_receiver metrics
mkdir /data/chrome/metrics 0700 chrome chrome
mount tmpfs tmpfs /data/chrome/metrics size=1m
chown chrome chrome /data/chrome/metrics
chmod 0700 /data/chrome/metrics
# create directory for crash_manager
mkdir /data/chrome/minidumps 0770 chrome chrome
# create directory for non-essential artifacts
mkdir /data/chrome/tmp 0770 chrome chrome
# create directory for update_engine
mkdir /data/chrome/update 0770 chrome chrome
# create directory for cast ota update
mkdir /data/chrome/cache 0770 chrome chrome
# create directory for wpa_supplicant
mkdir /data/wifi 0770 wifi wifi
mkdir /dev/socket/wifi 0770 wifi wifi
exec /bin/sudo -u wifi /bin/sh /setup/wpa_supplicant_setup.sh
# create directory for widevine
mkdir /data/widevine 0750 chrome chrome
exec /bin/sh /sbin/collectd_setup.sh
exec /bin/sh /sbin/bluetooth_setup.sh
exec /bin/sudo -u chrome /bin/sh /setup/mute_setup.sh
#Generate Bluetooth Mac Address
exec /sbin/busybox sh /setup/BT_mac_setup.sh
# create directory for tee secure storage
symlink /factory /tee
# Create the directory used to hold client auth device credentials
mkdir /data/castauth 0770 chrome chrome
mkdir /var/ 0666 root chrome
mkdir /var/lock/ 0666 root chrome
exec /bin/touch /var/lock/fw_printenv.lock
#adbd
mkdir /sys/kernel/config/usb_gadget/amlogic
write /sys/kernel/config/usb_gadget/amlogic/idVendor "0x18D1"
write /sys/kernel/config/usb_gadget/amlogic/idProduct "0x4e26"
mkdir /sys/kernel/config/usb_gadget/amlogic/strings/0x409
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/serialnumber "0123456789ABCDEF"
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/manufacturer "Xiaomi"
write /sys/kernel/config/usb_gadget/amlogic/strings/0x409/product "L09G"
mkdir /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1
mkdir /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409
write /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/strings/0x409/configuration "adb"
mkdir /sys/kernel/config/usb_gadget/amlogic/functions/ffs.adb
mkdir /dev/usb-ffs
mkdir /dev/usb-ffs/adb
mount functionfs adb /dev/usb-ffs/adb
symlink /sys/kernel/config/usb_gadget/amlogic/functions/ffs.adb /sys/kernel/config/usb_gadget/amlogic/configs/amlogic.1/ffs.adb
on post-fs
# once everything is setup, no need to modify /
mount rootfs rootfs / ro remount
# network-related
exec /bin/ifconfig lo up
# exec /bin/alsactl restore -f /etc/asound.state
write /etc/hosts "127.0.0.1 localhost"
chmod 0644 /etc/hosts
write /proc/sys/kernel/hostname Chromecast
mkdir /data/property 0777 root root
# use IPv6 privacy addresses
write /proc/sys/net/ipv6/conf/default/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/eth0/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/wlan0/use_tempaddr "2"
write /proc/sys/net/ipv6/conf/wlan1/use_tempaddr "2"
# set tcp socket buffer size
# only max value differs from kernel default
write /proc/sys/net/ipv4/tcp_rmem "4096 87380 2097152"
write /proc/sys/net/ipv4/tcp_wmem "4096 16384 2097152"
write /proc/sys/net/core/rmem_max "1220608"
write /proc/sys/net/core/wmem_max "1220608"
# Enable ICMP echo for broadcast/multicast address
write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts "0"
# logd: Increase datagram socket's qlen
write /proc/sys/net/unix/max_dgram_qlen 600
# sntpd
mkdir /data/sntpd 0700 sntpd sntpd
# Make kmsg readable/writeable to logd
chown root logd /dev/kmsg
chown root logd /proc/kmsg
chmod 0440 /proc/kmsg
chmod 0620 /dev/kmsg
# dhcpcd creates resolv.conf with wrong umask
# fill in Google DNS server in case router is not
# able to configure nameserver.
write /etc/resolv.conf "nameserver 8.8.8.8"
chmod 0644 /etc/resolv.conf
chown dhcp dhcp /etc/resolv.conf
# set defalt timezone to US pacific
symlink /usr/share/zoneinfo/America/Los_Angeles /data/share/chrome/localtime
chmod 0644 /etc/current_firmware_version.json
on boot
exec /sbin/busybox sh /setup/wifi_mac_setup.sh
exec /bin/sh /sbin/set_prompt_language.sh
exec /bin/sh /sbin/mute_check_bootup.sh
# Enable heap randomization before services start
write /proc/sys/kernel/randomize_va_space "2"
start logd
# run the client auth indiv for model-based method
exec /chrome/client_auth_indiv --action=ensure --logtofile
start mute_service
# Play a dummy file to initialize the ALSA plugins.
exec /bin/aplay -Dvolume /usr/share/empty.wav
#start cast_control_server
exec /bin/sh /usr/bin/insert_modules.sh
#chown root chrome /dev/tee0
#chmod 0660 /dev/tee0
#start tee-supplicant
# dump device msg to logcat
#start dump_msg
exec /bin/sh -c "mount -w -o remount /dev/block/rootfs /"
#setup Bluetooth Mac Address,if don`t set BT mac, bt will fail
exec /bin/logwrapper /bin/set_macaddr
exec /system/bin/ifconfig wlan0 up
exec /system/bin/iw wlan0 interface add uap0 type managed
start wpa_supplicant
exec /sbin/populate_sn.sh
exec /bin/sh -c "echo Serial Number: $(cat /factory/serial.txt) > /dev/ttyS0"
# network_service.sh starts dhcp and net_mgr if necessary.
exec /bin/sh /sbin/network_service.sh
# update bootid and urandom
exec /bin/sh /sbin/update_bootid_and_urandom.sh
# setup certs for platform-managed method
# exec /bin/sh /sbin/certs_setup.sh
start cast_auth_check
start cast_installer
start servicemanager
start bluetoothtbd
chmod 666 /sys/devices/platform/soc/ff800000.aobus/ff805000.i2c/i2c-1/1-003b/led_rgb
# for adb
exec /usr/bin/set_usb_serialnumber.sh
# thermal_governor manages digital volume gain from amplifier
# start thermal_governor
chown root chrome /chrome/chrome-sandbox
chmod 04755 /chrome/chrome-sandbox
chown root chrome system/bin/dumpstate
chmod 04750 system/bin/dumpstate
# for ota, need change to /chrome/cache
mkdir /chrome/cache
chown chrome chrome /chrome/cache
#cast_receiver is start on cast_installer.sh
start sntpd
chown root chrome /dev/input/event0
chown root chrome /dev/input/event1
chown root chrome /dev/input/event2
chown root chrome /dev/input/event3
chown root panel /dev/i2c-1
chmod 0660 /dev/i2c-1
start input_service
start console
start adbd
exec /bin/sleep 1
write /sys/kernel/config/usb_gadget/amlogic/UDC "ff400000.dwc2_a"
start sshd
exec /bin/sh /sbin/watchdog_setup.sh
start watchdog
#start iperf
#start iperf_udp
#exec /sbin/busybox sh /usr/bin/MSTC_DownTouchFW
#enable welcome message and Muted microphone warning message
#Create a file to signal that assistant should play a bootup done tone
#signalling that end of bootup should not be quiet
start force_bootup
exec /bin/sh -c "echo 0 > /proc/sys/kernel/printk"
start boot_complete
# Disallow raw tracepoint access for unpriv
write /proc/sys/kernel/perf_event_paranoid "0"
start mountd
# oneshot service to uploader dumpstate after factory data reset
# start dumpstate
start collectd
start process_monitor
start fdr_notify
start ota_service
# start ota external control
#start external_control
#start audio_source
start panel_service
## Daemon processes to be run by init.
# Service class names:
# onboot - services that should be started only once, on boot
# services - services which may be restarted
# <default> - oneshot services which are started explicitly (dhcpd, etc)
#
# These class names are used by the debug script /sbin/android, to allow core
# services to be bounced.
service ueventd /sbin/ueventd
class onboot
critical
service console /sbin/busybox sh
console
user root
service sntpd /bin/sntpd
user root
service dhcpcd /bin/dhcpcd eth0 wlan0 -B --noarp -hXiaomi
class service
user root
service wpa_supplicant /bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/wifi/wpa_supplicant.conf
socket wpa_wlan0 dgram 660 wifi wifi
class service
service adbd /sbin/adbd
disabled
service boot_complete /bin/sh /sbin/boot_complete.sh
class service
oneshot
disabled
# sshd executable will be removed from the system image for secure
# builds (e.g. user builds) during the signing process.
service sshd /usr/bin/sshd -G -r /etc/rsa_host_key -F
disabled
#service cast_receiver /bin/logwrapper /system/usr/bin/start_cast_shell.sh \
# capabilities SYS_NICE SYS_RESOURCE
# user chrome
# group chrome graphics wifi net_mgr watchdog log panel metrics mdns audio inet root net_bt_stack led
# oneshot
service cast_receiver /bin/logwrapper /chrome/cast_cli start cast async
--accept-resource-provider=false
--alsa-volume-device-name="default"
--alsa-amp-device-name="default"
--alsa-amp-element-name="SPK unmute"
--audio-output-channels=2
--enable-multizone=true
--audio-input-mic-sensitivity=-26
--alsa-fixed-output-sample-rate=48000
--alsa-output-start-threshold=4096
--alsa-output-buffer-size=4096
--alsa-output-period-size=256
--default-eureka-name-prefix="Mi Smart Speaker"
--max-output-volume-dba1m=80
--setup-ssid-suffix=n115
--user-eq-max-bands=2
--ui-volume-control-levels=10
--voice-control-volume-up-down-percentage=5
--enable-multichannel=true
--ota-directory=/data/chrome/cache/
--voice-call-aec-gain-fixed=53:0:49:4:42:11:35:18:31:22:28:25:28:25:28:25:28:25:28:25:28:25
--voice-call-aec-delay-params=180:228
capabilities SYS_NICE SYS_RESOURCE
user chrome
group chrome graphics wifi net_mgr watchdog log panel metrics mdns audio inet root net_bt_stack led
oneshot
service cast_installer /bin/logwrapper /bin/sh /sbin/cast_installer.sh
user root
class service
disabled
oneshot
service input_service /bin/logwrapper /bin/input_service 0
user chrome
group chrome panel input
class service
service force_bootup /bin/logwrapper /bin/sh /sbin/force_bootup_sequence.sh
user root
class service
disabled
oneshot
#service cast_control_server /bin/logwrapper /bin/cast_control_server 8002
# user root
# group chrome system
# class service
# disabled
service net_mgr /bin/net_mgr
socket net_mgr seqpacket 0660 root net_mgr
class service
service dnsmasq /bin/dnsmasq
class service
disabled
on property:dnsmasq.enable=1
start dnsmasq
on property:dnsmasq.enable=0
stop dnsmasq
service watchdog /bin/watchdog -F
socket watchdog seqpacket 0660 root watchdog
class service
oneshot
disabled
#service iperf /bin/logwrapper /bin/iperf -s -p 8200 -i 2 -w 128K
# oneshot
#service iperf_udp /bin/logwrapper /bin/iperf -s -p 8201 -i 2 -u
# oneshot
service logd /system/bin/logd
class service
socket logd stream 666 logd logd
socket logdr seqpacket 666 logd logd
socket logdw dgram 222 logd logd
capabilities SYSLOG AUDIT_CONTROL SETGID SETUID
user logd
group logd system package_info readproc
on property:logd.logpersistd.enable=true
# all exec/services are called with umask(077), so no gain beyond 0700
mkdir /data/misc/logd 0700 logd log
start logcatd
on property:logd.logpersistd.enable=false
stop logcatd
service logcatd /system/bin/logcatd -b system,main -v threadtime -v printable -f /data/misc/logd/logcat -r 1024 -n 5
class late_start
user logd # write to /data/misc/logd
group log # read from log daemon
service mountd /sbin/mount_usb_drive.sh
oneshot
#service tee-supplicant /bin/tee-supplicant
# class service
on property:hostapd.enable=1
start hostapd
on property:hostapd.enable=0
stop hostapd
service dump_msg /bin/dump_msg
class service
service panel_service /bin/logwrapper /bin/panel_service
user root
group panel watchdog chrome
socket panel seqpacket 0660 root panel
class service
service servicemanager /system/bin/servicemanager
capabilities SYS_NICE
user system
group system
critical
oneshot
service fdr_notify /bin/logwrapper /bin/fdr_notify
group chrome panel input
class service
service ota_service /bin/logwrapper /bin/mi_ota_service
class service
#service external_control /bin/logwrapper /bin/external_control
# user chrome
# group chrome
# class service
# NET_ADMIN capability is required by rfkill (see kernel/net/rfkill/core.c)
service bluetoothtbd /system/bin/bluetoothtbd --enable-on-start=true
capabilities SYS_NICE NET_ADMIN
user bluetooth
group chrome net_bt_stack input
socket bluetooth_a2dp seqpacket 0660 net_bt_stack net_bt_stack
class service
#service autostartscript /bin/sh -c "sleep 20; sh /data/autostart.sh"
# user root
# oneshot
# Start autostartscript only for builds without a release track.
on property:ro.product.release.track=
start autostartscript
service collectd /bin/collectd -f
user root
class service
disabled
service process_monitor /bin/process_monitor
class service
#service thermal_governor /bin/logwrapper /bin/thermal_governor
# class service
#service audio_source /bin/logwrapper /bin/audio_source
# group chrome
# class service
service mute_service /bin/mute_service
user chrome
group audio panel input
class service
on property:persist.chrome.reboot=true
setprop persist.chrome.reboot false
exec system/bin/reboot
service cast_auth_check /bin/cast_auth_check
user root
oneshot
In the init.rc file, the SSH service is disabled, as well as ADB. But I grabbed the ssh service commandline from there and pasted it to the end of the set_usb_serialnumber.sh file: /usr/bin/sshd -G -r /etc/rsa_host_key
Please note that I removed the -F parameter, this way sshd forks and is no longer a sub process of the shell script.
As I disassembled my speaker before setting it up, it still creates its own hotspot when powered on. So I connected my laptop to the hotspot and was able to login via ssh with the root user and no password.
The question now is what to do next?
Here are some ideas:
- Try modifying init.rc
  As the rootfs is mounted RW, I could try updating the init.rc file to enable the SSH service by default. But I doubt this will work as I am not sure if changes on the file will be written to the flash.
- Block the speaker from phoning home
  Most likely by blocking a bunch of hosts in the hosts file. Persistence would not be needed for that as we could write that file on each boot.
- Connecting the device to my home wifi and configuring it
  I currently have no idea how to do that
- Disable unwanted services
  E.g. the updater. If changes on init.rc are persistent, this could be done there
- Install additional services and run them at boot
  Should be no problem as we can modify the system partition now.
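A hardening review of the init.rc posted above can be automated. The following is an added example, not code from the thread or from the xiaoai-patch project: a small Python auditor for Android-style init scripts, run over a constructed excerpt whose lines are taken from that dump. The rule names and the `Finding` type are this example's own.

```python
import re
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "lineno rule detail")

# Constructed excerpt: individual lines are taken from the init.rc dump above,
# re-indented and trimmed so the example stays short.
SAMPLE_INIT_RC = """\
on init
    chmod 666 /var/lock/fw_printenv.lock
    chmod 777 /dev/uinput
    export CAST_MODEL_PRIVKEY_SW /factory/model.key.bin

on post-fs
    mount rootfs rootfs / ro remount
    mkdir /data/property 0777 root root

on boot
    exec /bin/sh -c "mount -w -o remount /dev/block/rootfs /"
    chmod 04755 /chrome/chrome-sandbox
    start adbd
    start sshd

service adbd /sbin/adbd
    disabled

service sshd /usr/bin/sshd -G -r /etc/rsa_host_key -F
    disabled

service logd /system/bin/logd
    socket logd stream 666 logd logd
    user logd

service mute_service /bin/mute_service
    user chrome
"""


def parse_init_rc(text):
    """Split Android-style init.rc text into `on` and `service` sections."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:              # unbalanced quote: plain whitespace split
            tokens = line.split()
        if tokens[0] in ("on", "service") and len(tokens) > 1:
            current = {"kind": tokens[0], "name": tokens[1],
                       "lineno": lineno, "body": []}
            sections.append(current)
        elif current is not None:
            current["body"].append((lineno, tokens))
    return sections


def _mode(token):
    """Return the octal permission value of a token such as 0777, or None."""
    return int(token, 8) if re.fullmatch(r"[0-7]{3,5}", token) else None


def audit(text):
    """Return Finding tuples for the risky settings this example knows about."""
    sections = parse_init_rc(text)
    # `disabled` only keeps a service out of class starts; `start NAME` still runs it.
    disabled = {s["name"] for s in sections if s["kind"] == "service"
                and any(t[0] == "disabled" for _, t in s["body"])}
    out = []
    for sec in sections:
        if sec["kind"] == "service":
            opts = {t[0]: t for _, t in sec["body"]}
            # Android init runs a service as root unless a `user` option is given.
            if opts.get("user", ["user", "root"])[1:2] == ["root"]:
                out.append(Finding(sec["lineno"], "runs-as-root", sec["name"]))
        for lineno, t in sec["body"]:
            cmd, mode, target = t[0], None, None
            if cmd == "chmod" and len(t) >= 3:
                mode, target = _mode(t[1]), t[2]
            elif cmd == "mkdir" and len(t) >= 3:
                mode, target = _mode(t[2]), t[1]
            elif cmd == "socket" and len(t) >= 4:
                mode, target = _mode(t[3]), "socket " + t[1]
            if mode is not None and mode & 0o002:
                out.append(Finding(lineno, "world-writable", f"{target} {mode:04o}"))
            if cmd == "chmod" and mode is not None and mode & 0o6000:
                out.append(Finding(lineno, "setuid-setgid", f"{target} {mode:04o}"))
            if cmd == "export" and len(t) >= 2 and "PRIVKEY" in t[1]:
                out.append(Finding(lineno, "software-key", t[1]))
            joined = " ".join(t[1:])
            if cmd in ("mount", "exec") and "remount" in joined and \
                    re.search(r"(?:^|\s)-w(?:\s|$)|\brw\b", joined):
                out.append(Finding(lineno, "rw-remount", joined))
            if cmd == "start" and len(t) >= 2 and t[1] in disabled:
                out.append(Finding(lineno, "disabled-but-started", t[1]))
    return out
```

Calling `audit()` on the full init.rc text gives a line-numbered list to work through when building a patched image.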
That's great news!! I'll need to gain some more trust to solder the USB header then... What I'd suggest is:
Using 1.44.27 firmware version as system base image, create patches for the l09g model:
- remove OTA run
- remove chrome run (Google Assistant)
- add ssh with persistence key in /data
- allow console shell with root (/etc/inittab, or other?)
You could then create 2 images based from the same system, one more "light" (less size) to boot, and other with all programs (MPD, snapcast) to be flashed at chrome partition (large).
Maybe remount everything from / to the chrome partition.
I understand that "keeping Google services" may be desired, but my main objective with this project is to fully replace all the proprietary software with open source alternatives, and having Home Assistant project that is promoting Assistant and Voice, I'm very confident we can come up with something for it. Also, we're here to experiment :D
I'll need to gain some more trust to solder the USB header then
That's pretty easy, there are labeled test points on the bottom side of the PCB if you don't want to solder to the micro USB contacts. You need to solder to the bottom side anyways as you need to grab the USB supply voltage from there as the voltage pin from the micro USB socket cannot be used. Once the USB A socket is glued to the board you are good to go.
add ssh with persistence key in /data
There is no need for that, there is already a ssh key present.
remove OTA run remove chrome run (Google Assistant) allow console shell with root (/etc/inittab, or other?)
There is no inittab in the filesystem. The file in question is the init.rc file where changes are not persistent. Regarding the shell, there has to be a command which stops the local shell, maybe we can use that to reenable the shell.
You could then create 2 images based from the same system, one more "light" (less size) to boot, and other with all programs (MPD, snapcast) to be flashed at chrome partition (large).
I haven't looked at the chrome partition yet, but using that for the new partitions sounds like a good idea to me.
I understand that "keeping Google services" may be desired
Nope, I also plan to remove all google services as well. The question here is: How do you configure your device afterwards? E.g. how do I configure the wifi interface?
Configuring wifi "afterwards" requires some software / script to allow doing so. That's still pending to do.
What I'm using now is the script wifi_connect I wrote, but this is meant for mico images, not this Google one, so maybe it won't fully work for this case.
Still, you should be able to follow similar commands to configure wpa_supplicant.
I'll need to gain some more trust to solder the USB header then...
I am currently working on a small program to flash the system partition using only the serial interface thus making the USB port obsolete. Once SSH is enabled flashing can be done wirelessly.
I initially tried to use a bash script but that was horribly slow (I estimated around 36 hours for the 9MB system partition).
Using my C program I was able to write the system partition in around 90 minutes but it turned out that I was writing data too fast and crashing the u-boot that way. I hope that I can fix the bug by combining the write and the verification process. I hope this way u-boot has enough time to process the commands.
I'll keep you updated on my progress.
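The verify half of the write-and-verify loop mentioned above can be sketched as follows. This is an added example, not the author's C program or any code from the thread: it parses `md.b` output captured from the serial console and reports which 16-byte rows are missing or differ from the image. It assumes U-Boot's usual `md.b` row layout; the address, the image bytes and the damaged capture are constructed.

```python
import re

PROMPT = "axg_s420_v1_gva#"      # U-Boot prompt as it appears in this thread
BASE = 0x01000000                # constructed RAM address for the sample
EXPECTED = bytes(range(0xA0))    # constructed 160-byte "image"

# One md.b row: 8-digit hex address, colon, 1..16 hex bytes, then the ASCII column.
MD_ROW = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s{2,}.*)?$")


def format_md(base, data, width=16):
    """Render bytes in md.b row layout (only used to build the sample capture)."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = "".join(f" {b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{base + off:08x}:{hexpart}    {text}")
    return rows


def parse_md_capture(capture, base, length):
    """Rebuild memory from captured md.b output.

    Returns (data, have, rejected): have[i] is True only for bytes supplied by
    a well-formed row; rejected holds lines that were neither prompt nor row.
    """
    data, have, rejected = bytearray(length), [False] * length, []
    for line in capture.splitlines():
        line = line.rstrip()
        if not line or line.startswith(PROMPT):
            continue
        m = MD_ROW.match(line)
        if not m:
            rejected.append(line)    # characters lost or rows merged on the wire
            continue
        addr = int(m.group(1), 16)
        for i, b in enumerate(bytes.fromhex(m.group(2).replace(" ", ""))):
            off = addr - base + i
            if 0 <= off < length:
                data[off], have[off] = b, True
    return data, have, rejected


def rows_to_retry(capture, expected, base, width=16):
    """Return [(address, size, reason)] for rows that are missing or differ."""
    data, have, _ = parse_md_capture(capture, base, len(expected))
    bad = []
    for off in range(0, len(expected), width):
        end = min(off + width, len(expected))
        if not all(have[off:end]):
            reason = "missing"
        elif data[off:end] != expected[off:end]:
            reason = "mismatch"
        else:
            continue
        if bad and bad[-1][2] == reason and bad[-1][0] + bad[-1][1] == base + off:
            bad[-1] = (bad[-1][0], bad[-1][1] + end - off, reason)  # extend the run
        else:
            bad.append((base + off, end - off, reason))
    return bad


def damaged_capture():
    """Constructed serial log: four rows lost, two rows merged, one byte wrong."""
    rows = format_md(BASE, EXPECTED)
    rows[8] = rows[8].replace(" 85", " 05", 1)     # one corrupted byte
    merged = rows[6][:24] + rows[7]                # newline and characters dropped
    kept = rows[0:2] + [merged] + rows[8:10]       # rows 2..5 never arrived
    return "\n".join([PROMPT + "md.b 1000000 a0"] + kept + [PROMPT])
```

Treating unreadable rows as "missing" rather than guessing at their content means a garbled serial line triggers a re-read instead of a silent false match.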
I finally managed to finalize and test the serial flash program. As stated before, I had to implement it in C because the shell script was terribly slow. I also created a small script to generate a modified system.img file with SSH enabled. I uploaded all my code to a dedicated repo: https://github.com/mrmariosgithub/l09g
Flashing the system partition takes about 6h to complete. To further speed up the process in the future we can generate a heavily stripped down system image.
The following idea just came to my mind: Why not create a minimal system.img that contains all required binaries like the ssh server, busybox etc. (and all symlinks to busybox) that can be used to initially flash the L09G using the serial port. But, here comes the twist: besides starting the ssh server, the modified system image also checks for a custom script on the chrome partition. If the script exists, it executes that script.
That said script is our loader to start all required programs, kill google and xiaomi programs and patches things where needed. As discussed before, we want to flash the chrome partition with our programs anyways. By using this loader-on-the-chrome-partition approach, we only need to flash the system partition once and everything else can be done using ssh.
What do you think about that? If you agree, we should start with the minimal system image first before starting to work on the chrome partition. I think developing the system image should not take that long.
@mrmariosgithub I had to reimplement the same code in Python, I was facing some "line unmatch issues" (guessing due to the speed of serial processing), but got the same SSH working! 💪🏻 (root no password, lol)
I'll spend some time investigating this and see what we can do...
Very nice, good to hear that! Feel free to ping me if you want to discuss or test something :-)
Hi, did you make any progress with the L09G?
Very nice, good to hear that! Feel free to ping me if you want to discuss or test something :-)
sorry not now ...... still waiting for a friend, he will buy a soldering station
hope end of June he has it and can bring me the micro USB port on
@duhow Can't we use this to dump the bootrom and OPT keys to flash a modified bootloader that does not check the signatures anymore?
The article is based on the sonos one gen2 which uses the same processor as the L09G but has more DRAM, so we might need to adjust some addresses. But as we have access to u-boot, we should be able to dump the FIP and BL3X from there. And as we have root access, we could use the kernel module as well.
@mrmariosgithub as the speaker components contain proprietary modules for wifi, sound, LEDs and so, I don't know if replacing the kernel / bootloader may remove this functionality. I'm still on hold for the L09G due to work, but I plan to dedicate some time this summer. My main focus for this project is to "patch base system to add new applications", but of course feel free to test anything that can improve functions or upgrade components version.
File /init.rc contains all the command run execution, but I cannot find where this file is located at.
What I've been playing so far is to execute packages built for LX06 successfully - though Speaker (ALSA) needs some investigation work (can't get sound atm).
Also I couldn't find any A/B system partition, which may make this a little bit more complex than expected...
File /init.rc contains all the command run execution, but I cannot find where this file is located at.
The init.rc file is part of the initramfs which is part of the bootloader. That’s why I wanted to have the possibility, to resign the bootloader or patch the signature verification.
What I've been playing so far is to execute packages built for LX06 successfully - though Speaker (ALSA) needs some investigation work (can't get sound atm).
Great!!
Also I couldn't find any A/B system partition, which may make this a little bit more complex than expected...
There is no A/B partition, there is just the system partition.
@mrmariosgithub
Hi, had luck, my friend could solder the micro USB port to the PCB.
Now I need a helping hand to check if the port is working....
Tried with "adb" but "no devices", so how can I check in the bootloader or something else if the USB port is working?
axg_s420_v1_gva#start usb
Unknown command 'start' - try 'help'
axg_s420_v1_gva#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
@ds2k5 adb might not be right available while the speaker is running in normal mode, but still you may be able to access it in u-boot - also fastboot may be available, so you can dump and flash content from USB directly.
Last, LX06 can be flashed with amlogic-flash-tool, so you can give it a try as well: https://github.com/duhow/xiaoai-patch/blob/master/research/lx06/install.md
hi @duhow,
thanks......
I tore off the micro-USB Port..... damned
Hope got help for repair....
Using the usb start command from uboot enables you to use USB mass storage device to load stuff from there. You can use the fastboot command from u-boot, if your solder connections are good you should see a new USB device on your PC and you should be able to connect to uboot using the fastboot windows tool.
Unfortunately, you cannot dump the NAND flash using fastboot as u-boot misses some functions required to dump the flash. But you can flash the NAND flash using fastboot, which is a lot better than having to use an USB mass storage device.
If you ripped off the micro USB pads from the PCB, there is still hope. Next to the micro USB pads there are not populated ESD protection devices. You can use those pads to solder on jumper wires which you can then solder to an USB socket. The marked pads are labeled on the silk screen on the bottom of the PCB, so you know which pad is which. When connecting the USB socket you basically do not need the +5V connection from the socket.
I ripped off my micro USB pads too, so I am using an USB A socket now with jumper wires and a lot of hot glue to keep it in place.
@mrmariosgithub Thank you!
Any updates on this?
from my side - sorry no.... need to check after my friend's holiday