Xiaomi console access

Some more interesting Ambarella info:
https://www.defcon.org/images/defco...N-21-Manning-Lanier-GoPro-or-GTFO-Updated.pdf

Maybe it's not useful for me to post links to every bit of Ambarella info I find in here. I'm just hoping that somewhere in all this info is the key to find a way to interactively run the kind of commands that would normally live in autoexec.ash, and to try the manual exposure commands that were listed in an extract from the firmware.
 
Zach, there IS a serial console and I will investigate where it is going, whether Amba RTOS or (hopefully) busybox.
 
SOLVED: in short you need to create a file named "enable_info_display.script" in the root directory of the SD card.
Is this no longer working with V1.2.0? Telnet reports: unable to connect with remote host; connection refused.
 
It does - verified & used.
 
@Andy_S Thanks for your reassurance. Silly me, I created a folder; not a file.
 
Happens :)

When in doubt, C4
 
My Yi arrived and I'm in via telnet. Poked around a bit to see if I could find ambsh.
 
telnet != serial console. But I managed to do what I needed without it, so I don't know what it is. Telnet is of course running in busybox.
 

ambsh is accessible if you take apart the camera, solder on some wires to the TX/RX pins on the PCB, and then boot it up. I have verified that this works. FYI, the console gives access to Ambarella's RTOS, but using their ipc tool you should theoretically be able to exec commands on Linux just like many do with autoexec.sh.

Any luck on tweaking wifi.conf or running shell scripts to switch to STA mode for wifi?
 
Go the old text file........... Who'd have thought :D

I get great pleasure out of converting something that's readable ;)
 
I output it to a file.

help > output.txt

I am not getting anything in the file. I tried as above and also creating the file first and putting the full path. Is there more to it?

sleep 9
#
lu_util exec 'if [ ! -f /tmp/fuse_d/out.txt ]; then touch /tmp/fuse_d/out.txt; fi'

sleep 2
help > /tmp/fuse_d/out.txt
 
In autoexec.ash, you can't use /tmp/fuse_d.
Try:
Code:
help > d:/out.txt
because:
Code:
d: == /tmp/fuse_d
a: == /tmp/fuse_a
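
The path mapping above, as an added example that is not part of the original posts: a small Python check that flags autoexec.ash lines using Linux mount paths where the RTOS shell expects drive letters, and suggests the corrected line. It assumes that lines starting with `lu_util exec` are passed to the Linux side, where `/tmp/fuse_*` paths are valid; the function names are hypothetical.

```python
import re

# Mapping taken from the post above: Linux mount point -> RTOS drive letter.
DRIVES = {"/tmp/fuse_d": "d:", "/tmp/fuse_a": "a:"}
# Match the mount point only as a whole path component.
LINUX_PATH = re.compile(r"/tmp/fuse_[ad](?=/|\s|$)")


def to_rtos_path(text):
    """Rewrite Linux-side mount paths to the RTOS drive-letter form."""
    return LINUX_PATH.sub(lambda m: DRIVES[m.group(0)], text)


def lint_autoexec(script):
    """Return (line_no, original, suggestion) for RTOS-side lines with Linux paths.

    Assumption: `lu_util exec '...'` hands its argument to Linux, so those
    lines keep their /tmp/fuse_* paths and are skipped.
    """
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if stripped.startswith("lu_util exec"):
            continue  # runs on the Linux side (assumption, see above)
        if LINUX_PATH.search(stripped):
            findings.append((no, stripped, to_rtos_path(stripped)))
    return findings


# The script posted earlier in the thread, used here as sample input.
SAMPLE = """sleep 9
#
lu_util exec 'if [ ! -f /tmp/fuse_d/out.txt ]; then touch /tmp/fuse_d/out.txt; fi'

sleep 2
help > /tmp/fuse_d/out.txt
"""

if __name__ == "__main__":
    for no, orig, fix in lint_autoexec(SAMPLE):
        print(f"line {no}: {orig!r} -> {fix!r}")
```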
 
Does anyone know how to connect directly to the ambsh serial console on the camera's PCB?
 
I know this is an old thread, but does anyone still have a copy of that github repo?
 