G0 baremetal app for a limited u-boot ver

Managed to get a sec.bin to load, however I am unable to figure out how to get the kernel to load with sec.bin/ptsd also loaded. After loading sec.bin, bootcmd=bootm gives an error.

bootcmd=loadk works on the original boot up sequence. However, loadk is not available after loading sec.bin.


PTSD# printenv
bootargs=console=ttyAMA0,115200
bootdelay=1
baudrate=115200
ethaddr=a4:14:37:de:55:55
ipaddr=192.0.0.64
serverip=192.0.0.128
netmask=255.255.255.0
bootfile="uImage"
bootcmd=bootm
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Apr 19 2017 - 17:20:48)
OpenRD_base

Environment size: 289/524284 bytes
PTSD#

NAND: Check nand flash controller v610. found
Special NAND id table Version 1.36
Nand ID: 0x98 0xF1 0x80 0x15 0xF2 0x16 0x08 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
128 MiB
In: serial
Out: serial
Err: serial
Net: No ethernet found.
Hit any key to stop autoboot: 0
Wrong Image Format for bootm command
ERROR: can't get kernel image!

PTSD# help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootss - boot from snapshot image
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
md5sum - compute MD5 message digest
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftp - tftp - download or upload image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version
ydump - YAFFS device struct
yls - yaffs ls
ymkdir - YAFFS mkdir
ymount - mount yaffs
ymv - YAFFS mv
yrd - read file from yaffs
yrdm - read file to memory from yaffs
yrm - YAFFS rm
yrmdir - YAFFS rmdir
yumount - unmount yaffs
ywr - write file to yaffs
ywrm - write file from memory to yaffs
PTSD#
 
I am unable to figure out how to get kernel to load with sec.bin/ptsd also loaded.
You've seen the same problem as others when trying this alternate bootloader on these cameras -
Code:
Net: No ethernet found.
It's not built to find the ethernet interface.
So unfortunately there isn't much you can do with it.
 
I have other sec.bin's with ethernet, however they will not load uImage using bootcmd=bootm. None of them will load the kernel.

All say the image is
Wrong Image Format for bootm command
ERROR: can't get kernel image!



 
The cam I am playing with has an sdcard. I am assuming if the kernel is loaded I will have access to it, and can transfer files in and out without ethernet (if I am unable to get ethernet working). Also loady (ymodem) does function in this sec.bin.

How do I run the current kernel with sec.bin loaded? Or how do I load a new image using ymodem without corrupting the current one on the cam?
 
Dummy uImage from another digicap.dav (unsure if it's crashing)


In: serial
Out: serial
Err: serial
Net: No ethernet found.
Hit any key to stop autoboot: 0
Wrong Image Format for bootm command
ERROR: can't get kernel image!
PTSD# loady 0x80007fc0
## Ready for binary (ymodem) download to 0x80007FC0 at 115200 bps...
CCCCCxyzModem - CRC mode, 1(SOH)/3945(STX)/0(CAN) packets, 7 retries
## Total Size = 0x003da090 = 4038800 Bytes
PTSD# go 0x80008000
## Starting application at 0x80008000 ...
Uncompressing Linux... done, booting the kernel.
 
@alastairstevenson

Now have uImage loading with sec.bin and no ETH. But what is zhimakaimen password?????



# zhimakaimen
AwAAAAAAAAAAAFa0rAM=
Password:
Incorrect Password. 4 Times Left
# 123456789abc
'123456789abc' Not Supported, Try 'help'
# zhimakaimen
AwAAAAAAAAAAAFa0rAM=
Password:
Incorrect Password. 3 Times Left
# zhimakaimen
AwAAAAAAAAAAAFa0rAM=
Password:
Incorrect Password. 2 Times Left
#
 
That's the same challenge/response authorisation as used in psh.
Presumably it's psh that's running from the uImage you've booted.
I don't have any ways to get through that.

For that uImage have you tried inhibiting psh with the bootargs parameters of
single init=/bin/sh debug
 
Is the password stored on original digicap.dav?
My understanding is that it's an RSA signed challenge/response dialogue, no stored password, but I'm not totally sure.
But I have to admit it's not code that I have studied in depth.
I've found it easier just to bypass psh rather than attack it.

now have uImage loading with sec.bin
What did you do that was different to get that to work?
Is there an older uImage that does not have psh?
 

Dumb stuff that would be simple if I knew what I was doing lol.

Loaded uImage into correct mem location and executed at correct mem location. Was using "loady", now using tftp.

go.
loady 0x80007fc0 (uImage y modem transfer) or tftp 0x80007fc0 uImage

then
setenv bootcmd bootm 0x80007fc0
setenv bootfile
setenv mdio_intf mii
setenv bootdelay 6
saveenv

then
go 0x82000000 (execute sec.bin previously loaded with go.)

I was hoping it was going to still leave me in the bare metal shell.

Where can I get old versions of G0 firmware? (5.3.3 or 5.3.8 would be handy)

I am using 5.4.24.170303 and another 5.4.?? version. I am unable to decrypt 5.5's.
 
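Added example, not code from any poster in this thread or from the firmware: a host-side check of the legacy uImage header, showing why a file staged at 0x80007fc0 has its payload at 0x80008000 (the header is 64 bytes) and what makes an image fail validation. The function names and the sample image are constructed for illustration; the addresses are the ones used in the posts above.

```python
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, big-endian fields.
UIMAGE_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER = struct.Struct(">7I4B32s")


def build_uimage(payload, load, entry, name=b"constructed-sample"):
    """Wrap `payload` in a legacy uImage header (constructed sample data)."""
    # os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (none)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


def inspect_uimage(blob, stage_addr):
    """Validate a legacy uImage and report where its payload lands in RAM."""
    if len(blob) < HEADER.size:
        return {"ok": False, "reason": "shorter than 64-byte header"}
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        return {"ok": False, "reason": "bad magic 0x%08x" % magic}
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return {"ok": False, "reason": "header CRC mismatch"}
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) != size:
        return {"ok": False, "reason": "truncated payload"}
    if zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        return {"ok": False, "reason": "data CRC mismatch"}
    payload_addr = stage_addr + HEADER.size
    return {"ok": True, "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "load": load, "entry": entry, "payload_addr": payload_addr,
            "in_place": payload_addr == load}


if __name__ == "__main__":
    img = build_uimage(b"\x00" * 64, 0x80008000, 0x80008000)  # filler payload
    for addr in (0x80007FC0, 0x80008000):
        print(hex(addr), inspect_uimage(img, addr))
    print(inspect_uimage(b"\0" * 64, 0x80007FC0))
```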
I can share 5.3.1 or 5.3.3 or 5.3.8 with you, but in the China version. I don't have the English version for these version numbers.
 
OK. If you found a solution please describe it, because I also have a G0 2035 with 5.5.x CN written to it and cannot go back to multilanguage.
 
I am unable to get the OP's sec.bin to work.
However, the ones attached may be of use to someone.

sec_hisicon has tftp plus other commands

tftp 0x80007fc0 uImage
bootm 0x80007fc0 (will load and execute a uImage uncompressed from digicap.dav)
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootss - boot from snapshot image
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
tftp - tftp - download or upload image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version

sec_yaffs_noETH.bin (no ethernet)
Looks like an OLD yaffs direct implementation.
loady 0x80007fc0 can be used to load a uImage.

Active partition, mtdparts and nand will need to be set.
I was unable to get ymount to work (it's an old yaffs direct binary and there is no "ydevconfig").
Memory copy works; can load kernel from nand and execute.

PTSD# help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootss - boot from snapshot image
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
md5sum - compute MD5 message digest
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftp - tftp - download or upload image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version
ydump - YAFFS device struct
yls - yaffs ls
ymkdir - YAFFS mkdir
ymount - mount yaffs
ymv - YAFFS mv
yrd - read file from yaffs
yrdm - read file to memory from yaffs
yrm - YAFFS rm
yrmdir - YAFFS rmdir
yumount - unmount yaffs
ywr - write file to yaffs
ywrm - write file from memory to yaffs
 

If the uImage from IPC_G0_CN_STD_5.4.24_170303 is extracted, loaded and executed with tftp/sec.bin, then you can gain root access on most/many G0 cams up to firmware IPC_G0_CN_STD_5.5.53_180716.

IPC_G0_CN_STD_5.4.24_170303 uImage does not throw you into PSH. (also 5.4.41_170710)
 