Hello everybody,

It is all about Ecran A7 259153411R from Renault Megane 3 2012.

I got the access to the Carminat UART console.

So, here is photo of connection points:
Spoiler: Uart
2emq6ia

If it doesn't work just switch rx and tx.
Baudrate: 115200

Here is boot log:
Spoiler: Bootlog
Code:
Please Login or Register to see the links


Bootloader is locked. I can't get access to the u-boot console and it's the main problem.
But there is full root access to the linux.
So I decided to play with it. From the boot log you can see that the root is mounting from the /content/rootfs.img. It is the internal 2Gb mmc drive.
And there is write access to that drive.
I tried to run external applications from sd card(/media/sdcard), but got permission denied.
After some investigation I found out that all file systems except root are mounted with noexec option and 'mount -o remount,exec' can't remove it.
But there is support for 'mount -o bind'. It allows to mount directories and files from sd card to the directories and files on the root partition. It does not allow to exec external binaries, but we can replace config files.

From the u-boot partition I got some u-boot config options:
Spoiler: u-boot options
Code:
Please Login or Register to see the links


In this config we can see that there are two boot scenarios. First use partition 5 (/content) and is default. Second is rescue and will boot kernel image from partition 1(have backup of this partition). Second will boot if first failed.

So, I decided to try dangerous thing. I did the next:
cd /content
cp zImage z1mage #backup original kernel
cp rootfs.img rootfs.1mg #backup original root partition
cp /media/sdcard/9.844/zImage ./ #replace kernel with older one. I have navcore 9.884
cp /media/sdcard/9.844/rootfs.img ./ #replace rootfs with older one.
And before the end of last command I got failed. Got read error for cp tool. It was bad idea trying copy file to the file which was mounted as a root partition.
The correct(not tested) algorithm is:
Code:
Please Login or Register to see the links
If it will be success, we can add and replace tools in the rootfs. For example tomplayer or patched ttn binary to load maps.

For now I have infinity reboot:
  1. U-boot loads zImage successfully.
  2. Kernel tries to mount rootfs.img, but it is broken.
  3. Repeat previous step ten times
  4. Reboot.


From that I understand that the kernel does not check rootfs.img checksum. It means that we can easy modify it.

To restore my device I have few variants:
1. Get access to u-boot and change kernel options to boot rootfs from rootfs.1mg.
2. Get access to the flash directly with some kind of jtag or programmer.

If you know how to break u-boot boot process and get console access, please, help.
I tried different combinations: ctrl+c; ~;`; space+1;. Nothing helps(


P.S. I am not going to stop and will order another device.