In previous posts, we saw how we could identify a serial console on a DVR, connect and interact with it, and – if full shell access was enabled – recover the firmware using a USB stick.

But what happens if we can’t get a full shell on the device? What happens if the kernel doesn’t have a serial console enabled?

We can use the U-boot console to dump the data out over serial, and rebuild it into a binary file!

Getting to the U-boot console

You want to connect up a serial adapter, start your terminal emulator (minicom) and watch the screen as the device boots.

It’s highly likely you will see a message:

Hit any key to stop autoboot:

There will normally also be a countdown timer for a few seconds. This is U-boot prompting to see if you want to go into the U-boot console. The “hisilicon” prompt is because this is a Hisilicon SoC using their version of U-boot.

In a later post we will look at ways of getting into the U-boot even when there is no obvious key sequence, by glitching one of the SPI flash signals.

Type help to see what commands are supported. The number of commands supported varies from device to device, but most low-cost DVRs will have a fairly comprehensive list.

Unfortunately (for us), U-boot is mostly concerned with copying data onto the SPI flash, whereas we want to copy data from the SPI flash. The USB commands are not of help.

Frequently a protocol called TFTP is supported – Trivial File Transfer Protocol. On most DVRs this allows data to be uploaded and downloaded. Other embedded devices vary; it’s common to find that U-boot only allows data to be downloaded to the device.

There is also a command md – memory display, which we can use to read the memory on the device out over serial.

TFTP is Trivial FTP, a very simple file transfer protocol that U-boot often integrates. We can use this to copy data off the device.

In Ubuntu 18.04 and 20.04, the package tftpd-hpa sets up a TFTP server:

sudo apt install tftpd-hpa

Files that are received by it will be stored by default in /srv/tftp.

U-boot stores settings in something called “environment variables”. You are looking for ipaddr (the DVR’s IP) and serverip (the IP of the TFTP server). These will generally have default values.

You can either change the IP of the machine hosting the server, or you can modify the environment variables. To change both, run:

setenv ipaddr 10.42.0.2
setenv serverip 10.42.0.1

Copy the flash to RAM
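The md route mentioned earlier leaves you with a hex dump in the terminal log that has to be turned back into bytes. As an added example (not code from the original post), this Python function parses a saved capture of md output and stops if an address is skipped, which is how dropped serial data shows up. The output layout, the md.b/md.w/md.l forms, little-endian word order and the sample capture are assumptions.

```python
import re

# One line of U-boot "md" output: 8-digit address, colon, then hex values
# each preceded by one space; the ASCII column follows a wider gap.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2,8})+)")


def rebuild_from_md(capture, byteorder="little"):
    """Turn captured md.b/md.w/md.l output into (base_address, bytes).

    byteorder only matters for md.w/md.l, where each value is printed as an
    integer; "little" is an assumption that fits typical ARM SoCs.
    """
    base = expected = None
    image = bytearray()
    for lineno, raw in enumerate(capture.splitlines(), 1):
        m = MD_LINE.match(raw.strip())
        if not m:
            continue  # prompts, echoed commands, blank lines
        addr = int(m.group(1), 16)
        tokens = m.group(2).split()
        widths = {len(t) for t in tokens}
        if len(widths) != 1 or widths.pop() not in (2, 4, 8):
            raise ValueError(f"line {lineno}: mixed or odd value widths")
        if base is None:
            base = expected = addr
        if addr != expected:
            # A dropped or mangled serial line would shift every later byte,
            # so stop rather than produce a misaligned image.
            raise ValueError(f"line {lineno}: want {expected:08x}, got {addr:08x}")
        for t in tokens:
            image += int(t, 16).to_bytes(len(t) // 2, byteorder)
        expected = base + len(image)
    if base is None:
        raise ValueError("no md output found in capture")
    return base, bytes(image)


# Constructed sample capture (not from a real device).
SAMPLE = (
    "hisilicon # md.b 82000000 14\r\n"
    "82000000: 27 05 19 56 68 69 33 35 31 38 00 ff ff ff ff ff    '..Vhi3518......\r\n"
    "82000010: de ad be ef    ....\r\n"
    "hisilicon # \r\n"
)

if __name__ == "__main__":
    base, data = rebuild_from_md(SAMPLE)
    print(f"rebuilt {len(data)} bytes starting at 0x{base:08x}")
```

Writing the returned bytes to a file opened in binary mode gives the rebuilt image; a ValueError names the capture line where the log lost data, so only that range needs to be dumped again.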