  1. #1
    Junior Member
    Join Date
    Aug 2013
    Location
    Earth
    Posts
    3
    Rep Power
    0

    TomTom Carminat Live UART

    Hello everybody,

    This is all about the Ecran A7 259153411R from a Renault Megane 3 2012.

    I got access to the Carminat UART console.

    So, here is a photo of the connection points:
    Spoiler: Uart

    If it doesn't work just switch rx and tx.
    Baudrate: 115200

    Here is the boot log:
    Spoiler: Bootlog
    Code:
    Please Login or Register to see the links


    The bootloader is locked. I can't get access to the u-boot console, and that's the main problem.
    But there is full root access to Linux.
    So I decided to play with it. From the boot log you can see that the root is mounted from /content/rootfs.img. It is the internal 2Gb mmc drive.
    And there is write access to that drive.
    I tried to run external applications from the sd card (/media/sdcard), but got permission denied.
    After some investigation I found out that all file systems except root are mounted with the noexec option and 'mount -o remount,exec' can't remove it.
    But there is support for 'mount -o bind'. It allows mounting directories and files from the sd card onto directories and files on the root partition. It does not allow executing external binaries, but we can replace config files.

    From the u-boot partition I got some u-boot config options:
    Spoiler: u-boot options
    Code:
    Please Login or Register to see the links


    In this config we can see that there are two boot scenarios. The first uses partition 5 (/content) and is the default. The second is rescue and will boot the kernel image from partition 1 (have backup of this partition). The second will boot if the first fails.

    So, I decided to try a dangerous thing. I did the following:
    cd /content
    cp zImage z1mage #backup original kernel
    cp rootfs.img rootfs.1mg #backup original root partition
    cp /media/sdcard/9.844/zImage ./ #replace kernel with older one. I have navcore 9.884
    cp /media/sdcard/9.844/rootfs.img ./ #replace rootfs with older one.
    And before the last command finished, it failed. I got a read error from the cp tool. It was a bad idea to try to copy a file over the file which was mounted as the root partition.
    The correct (not tested) algorithm is:
    Code:
    Please Login or Register to see the links
    If it succeeds, we can add and replace tools in the rootfs, for example tomplayer or a patched ttn binary to load maps.

    For now I have an infinite reboot loop:
    1. U-boot loads zImage successfully.
    2. Kernel tries to mount rootfs.img, but it is broken.
    3. Repeat previous step ten times
    4. Reboot.


    From that I understand that the kernel does not check the rootfs.img checksum. It means that we can easily modify it.

    To restore my device I have a few variants:
    1. Get access to u-boot and change kernel options to boot rootfs from rootfs.1mg.
    2. Get access to the flash directly with some kind of jtag or programmer.

    If you know how to break the u-boot boot process and get console access, please help.
    I tried different combinations: ctrl+c; ~;`; space+1;. Nothing helps(


    P.S. I am not going to stop and will order another device.
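
    The first post's observation (non-root file systems are noexec, yet 'mount -o bind' can still place SD-card files over paths on the root partition) can be audited from /proc/self/mountinfo. The script below is an added example, not part of the original post; the mountinfo sample is constructed, and the device names, device numbers and /etc/app.conf are hypothetical.

```shell
#!/bin/sh
# Added example: audit a mountinfo listing for (a) bind mounts that place a
# file or subtree of one filesystem over another path, and (b) non-root
# mounts that are missing noexec.

# Constructed sample in /proc/self/mountinfo format. /content and
# /media/sdcard come from the post; everything else is hypothetical.
sample_mountinfo() {
cat <<'EOF'
15 1 7:0 / / rw,relatime - ext3 /dev/loop0 rw
22 15 179:5 / /content rw,noexec,relatime - ext3 /dev/mmcblk0p5 rw
23 15 179:9 / /media/sdcard rw,nosuid,nodev,noexec - vfat /dev/mmcblk1p1 rw
24 15 179:9 /cfg/app.conf /etc/app.conf rw,nosuid,nodev,noexec - vfat /dev/mmcblk1p1 rw
25 15 0:14 / /tmp rw,relatime shared:2 - tmpfs tmpfs rw
EOF
}

# Reads mountinfo lines on stdin and prints one finding per line.
# Fields: 4 = root of the mount inside its filesystem, 5 = mount point,
# 6 = per-mount options, then optional fields, "-", fstype, source.
audit_mounts() {
    awk '
    {
        i = 7
        while (i <= NF && $i != "-") i++      # skip optional fields
        src = $(i + 2)
        noexec = ("," $6 ",") ~ /,noexec,/
        if ($4 != "/") {
            # Only part of a filesystem is mounted here: a bind mount
            # (btrfs subvolumes and similar also show a non-"/" root).
            printf "BIND %s <- %s:%s%s\n", $5, src, $4, (noexec ? " (noexec)" : "")
        } else if ($5 != "/" && !noexec) {
            printf "EXEC %s on %s\n", $5, src
        }
    }'
}

# On a live system: audit_mounts < /proc/self/mountinfo
sample_mountinfo | audit_mounts
```

    A BIND finding that carries (noexec) is the case described in the post: nothing on the card can be executed, but a file from it is what the system reads at that path.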


  3. #2
    Junior Member
    Join Date
    Aug 2013
    Location
    Earth
    Posts
    3
    Rep Power
    0


    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody have bootloader, kernel and rootfs from 8.844 version?

  4. #3
    TomTom SModerator

    QUIN1965's Avatar
    Join Date
    May 2012
    Location
    al lado del mundo
    Age
    50
    Posts
    2,606
    Rep Power
    872


    Quote: Originally Posted by sSpeaker
    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody have bootloader, kernel and rootfs from 8.844 version?
    No boot navcore carminat 8.844,8840,8841,8842

    [Only registered and activated users can see links. ]


  5. #4
    Junior Member
    Join Date
    Apr 2015
    Location
    Amsterdam
    Age
    56
    Posts
    1
    Rep Power
    0


    Hi sSpeaker,

    I am very interested in your activities in this area!
    I think it is a nice attempt to open up a device that has been locked down by the vendor.

    Any luck so far, despite the fact that apparently, a boot loader isn't directly available?

    Quote: Originally Posted by sSpeaker
    Got direct access to the internal memory!!! Probably can change bootloader.
    Does anybody have bootloader, kernel and rootfs from 8.844 version?

 

 
