Rooting your M6+/M4+

helg (Member; joined Feb 9, 2018; 99 messages, 57 reaction score; Germany; dash cams: M4+, miniONE, Mola N3, mini5, X5 Pro)
M6+ is a dream Linux microcomputer using a Hisilicon Hi3516 (ARMv7 core) CPU equipped with 32MB SPI flash and 256MB SDRAM (only 96MB are usable for user applications, the rest is reserved for the AV codec buffers) and employing the u-blox 7 GPS receiver, which generates 10 Hz NMEA output. I did not like the idea of running it with spyware cloud apps and unknown communication protocols and decided to take over control. You know that the M6+ is running a telnet server app on port 1123. Logging in with username 'ddpai' and password 'ddpai.com' lets you access the engineering menu! Be careful with the commands there. I have just used 'devm cmd /usr/sbin/telnetd' to start the "real" telnetd from BusyBox, running on port 23. Then one can log in as user 'root' with an empty password and obtain full interactive control of the device, as you normally do with Linux boxes!
 
Wow, great info!

Anyway, I am trying to install a lightweight ARMv7 SSH server (dropbear), but it seems that /etc/ and /usr/ are mounted read-only. Any idea how to mount them read-write?
 
it seems that /etc/ and /usr/ are mounted read-only. Any idea how to mount them read-write?
WARNING: you should really know what you are doing when modifying the built-in filesystems!
Reflashing the SPI flash (WSON-8 form factor) with external tools will be a major PITA,
and we don't yet know whether TP2 and TP3 near the CPU are the RX/TX pair for the UART0 console port.
BTW, the rootfs is already corrupt as delivered by DDPAI ;)
Code:
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c97e8: 0x0044 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c97ec: 0xd300 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c97f0: 0x0206 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c97f4: 0x0001 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c97f8: 0x81a4 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c9824: 0x041b instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c9828: 0x0005 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c9830: 0x7400 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x003c9834: 0x0002 instead
jffs2: Further such events for this erase block will not be printed
So after I remounted it read-write and modified /etc/passwd, it became even more corrupted:
Code:
jffs2: jffs2_scan_eraseblock(): Node at 0x003c97e4 {0x1985, 0xc002, 0x00000044) has invalid CRC 0x88c4d300 (calculated 0x98f7fb1d)
What you can do with relatively small potential harm is to add the dropbear call to /app/script/recover.sh
after '/app/bin/VYUpdate &' (this is the main dashcam app, which starts VYCam).
I have tested it with 'date > /mnt/sd/foobaz' and it worked after a reboot.
'/app/bin/sample_audio' is what produces the annoying 'hello ddpai' at startup.
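As an added example (not from this thread and not DDPAI or kernel code), here is a small Python scanner that performs the same two header checks the kernel's jffs2_scan_eraseblock() runs when it printed the messages quoted above: the 0x1985 magic test, word by word, and the CRC-32 over the first 8 bytes of the 12-byte node header. The header layout, the node type values and the CRC convention (seed 0, no final inversion) are those of the JFFS2 on-flash format; the image bytes, the node payloads and the corruption are constructed in the script. Data and inode CRCs inside node bodies are not checked here, and the message wording follows the log lines above.

```python
import struct
import zlib

# JFFS2 node header (struct jffs2_unknown_node), little-endian on this ARM target:
#   u16 magic (0x1985), u16 nodetype, u32 totlen, u32 hdr_crc over the first 8 bytes
JFFS2_MAGIC = 0x1985
JFFS2_NODETYPE_DIRENT = 0xE001
JFFS2_NODETYPE_INODE = 0xE002
HDR_LEN = 12
EMPTY_WORD = b"\xff\xff\xff\xff"   # erased NOR flash reads back as all ones


def jffs2_crc32(data: bytes) -> int:
    """CRC-32 as JFFS2 computes it: seed 0, no final inversion.
    zlib.crc32 inverts the seed on entry and the result on exit,
    so both inversions are undone here."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def build_node(nodetype: int, payload: bytes) -> bytes:
    """Constructed node with a valid header CRC, padded to 4 bytes with 0xFF."""
    head = struct.pack("<HHI", JFFS2_MAGIC, nodetype, HDR_LEN + len(payload))
    node = head + struct.pack("<I", jffs2_crc32(head)) + payload
    return node + b"\xff" * (-len(node) % 4)


def scan_eraseblock(block: bytes, base: int = 0, max_noise: int = 10):
    """Return (nodes, messages): nodes as (offset, nodetype, totlen) for headers
    passing both checks, messages in the kernel's wording. Like the kernel, a
    bad word is skipped 4 bytes at a time, so one corrupt header produces a run
    of 'Magic bitmask ... not found' lines until the next intact node."""
    nodes, messages, noise, ofs = [], [], 0, 0
    while ofs + HDR_LEN <= len(block):
        if block[ofs:ofs + 4] == EMPTY_WORD:
            ofs += 4                      # erased space between/after nodes
            continue
        magic, nodetype, totlen, hdr_crc = struct.unpack_from("<HHII", block, ofs)
        if magic != JFFS2_MAGIC:
            noise += 1
            if noise <= max_noise:
                messages.append(f"Magic bitmask 0x1985 not found at 0x{base + ofs:08x}: "
                                f"0x{magic:04x} instead")
            elif noise == max_noise + 1:
                messages.append("Further such events for this erase block will not be printed")
            ofs += 4
            continue
        calc = jffs2_crc32(block[ofs:ofs + 8])
        if calc != hdr_crc:
            messages.append(f"Node at 0x{base + ofs:08x} {{0x{magic:04x}, 0x{nodetype:04x}, "
                            f"0x{totlen:08x}) has invalid CRC 0x{hdr_crc:08x} (calculated 0x{calc:08x})")
            ofs += 4
            continue
        if totlen < HDR_LEN or ofs + totlen > len(block):
            messages.append(f"Node at 0x{base + ofs:08x} has bogus totlen 0x{totlen:08x}")
            ofs += 4
            continue
        nodes.append((base + ofs, nodetype, totlen))
        ofs += (totlen + 3) & ~3          # next node starts at the padded length
    return nodes, messages


def make_image() -> bytes:
    """Constructed two-node image followed by erased space (not a real M6+ dump)."""
    return (build_node(JFFS2_NODETYPE_DIRENT, b"passwd")
            + build_node(JFFS2_NODETYPE_INODE, b"root::0:0:root:/:/bin/sh\n")
            + b"\xff" * 32)


def corrupt_header(image: bytes, node_ofs: int) -> bytes:
    """Flip one bit in a node's totlen field; the stored hdr_crc is now stale."""
    img = bytearray(image)
    img[node_ofs + 4] ^= 0x01
    return bytes(img)


if __name__ == "__main__":
    good = make_image()
    print(scan_eraseblock(good))
    # Report the corrupted image with a flash offset like the one in the log above
    for m in scan_eraseblock(corrupt_header(good, 0), base=0x003C97E4)[1]:
        print("jffs2: jffs2_scan_eraseblock():", m)
```

Running it shows why a single damaged header yields a burst of "not found" lines: after the CRC failure the scanner can no longer trust totlen, so it resynchronises one 32-bit word at a time and reports every non-magic word until it reaches the next valid node.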
 
Wow, you seem to have spent quite some time on this device! :love:

Big (y) up!

In dmesg from the boot, while it loads modules, it loads modules for the Hi3516A; I got the block diagram:

[screenshot: block diagram]

UART0 as "debug"

[screenshot: UART0 marked as "debug"]


Accordingly, it "may" (certainly) not be exactly that...


BTW, I already saw the corruption; that's why I, more or less :sneaky:, stopped investigating.


Did you do something interesting with the telnet menu (their engineering menu)?
 
Did you do something interesting with the telnet menu (their engineering menu)?
The source code for u-boot and the Linux kernel for the hi3516 (hi35xx-buildroot) is available on GitHub: https://github.com/hi35xx
Unfortunately, booting from SD card in u-boot is currently
supported only for the hi3518 (ARMv5, on cheap cameras) and
hi3535 devices.
I am trying to collect information about GPIO/IRQ usage; it is a bit contradictory
depending on the data source (kernel module vs. VYCam) and needs some more work:
Code:
GPIO0_5 INP          gps test
GPIO0_6 INP REdge    ?             IRQ79 button int? NB
GPIO0_7 OUT          audio power?

GPIO5_0              reset btn
GPIO5_1 INP FEdge    USB on        IRQ84 USB Power
GPIO5_2 OUT          btn do match
GPIO5_3 OUT          ? green led ?
GPIO5_6 OUT          =1 blue gps led off
GPIO5_7 OUT          =1 red power led on

GPIO9_0 INP REdge    ?             IRQ87 GSensor G_Sensor
GPIO9_7              ACC mon       IRQ87 LTE RI?
The console uses UART0, UART1 is unused (reserved for PTZ), and the GPS is connected to UART2 at 115200 bps,
but it is used in a very tricky way without the kernel UART driver: by direct DMA into a RAM buffer referenced by its physical address, accessible in /proc/udma (!)
The camera is controlled over I2C0 and the GSensor uses I2C1.
The SD card is on SDIO0, and Wifi on SDIO1.
RTC and temperature are read out over SPI0, this needs more research.
VYCam also maintains the watchdog WDT0, so you can't just kill it without a HW reboot in 10 sec :)
I have the impression that the Chinese programmers, with little Linux knowledge, ported VYCam as an RTOS-style app.
Another possible (simple) project is to switch the video codec from H.264 to H.265.
 
M6+ is a dream Linux microcomputer using Hisilicon Hi3516 (armv7 core) CPU equipped with 32MB SPI flash and 256MB SDRAM (only 96MB are usable for the user applications, the rest is reserved for the AV codec buffers) and employing the u-blox7 GPS receiver, which generates the 10 Hz NMEA output. I did not like the idea of running it with spyware cloud apps and unknown communication protocols and decided to take over the control. You know that M6+ is running a telnet server app at port 1123. Logging in with username 'ddpai' and password 'ddpai.com' lets you access the engineering menu! Be careful with the commands there. I have just used the 'devm cmd /usr/sbin/telnetd' to start the "real" telnetd from busybox, running at port 23. Then one can log in as user 'root' with an empty password and obtain full interactive control of the device, as you normally do with Linux boxes!

Hi, I was wondering how you were able to determine the username and password for the telnet client listening on 1123. Those credentials don't work on the 3.3.12 version of the firmware I'm using. I would like to know how you figured it out. Thank you!
 
OK, the way I got into my M6 was to poach the update.sh script from a firmware update, put a Linux command into it to start telnetd, and then put it on my SD card. When the camera booted, telnetd was started by the update.sh script and then I could log in as root, with no password.
 
OK, the way I got into my M6 was to poach the update.sh script from a firmware update, put a Linux command into it to start telnetd, and then put it on my SD card. When the camera booted, telnetd was started by the update.sh script and then I could log in as root, with no password.
Can you please explain the details of the login process?
Using telnet? Then you should know the IP address and port, I think??
 