天猫精灵X1破解

拿到了一个天猫精灵,板子上有USB调试接口,通过焊接拉了一条线出来。

直接serial 串口链接进去,发现有adbd服务,但是没有服务的文件,手动导入一个adbd到/data/usr/bin/目录下,重启天猫精灵,提示输入账号密码。

直接root,密码为空,拿到shell。 是个root权限。

subway ~/Desktop/ccc$ adb shell
sh-3.2#
sh-3.2#
sh-3.2#
sh-3.2# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:470 errors:0 dropped:0 overruns:0 frame:0
TX packets:470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:41235 (40.2 KiB) TX bytes:41235 (40.2 KiB)

wlan0 Link encap:Ethernet HWaddr 18:BC:5A:17:5B:A8
inet addr:10.88.15.192 Bcast:10.88.15.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10374 errors:0 dropped:0 overruns:0 frame:0
TX packets:1663 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1642807 (1.5 MiB) TX bytes:106668 (104.1 KiB)

看看mtd信息,Nandflash

sh-3.2# cat /proc/mtd
Nand part number is “MX30LF2G18AC 2G 3.3V 8-bit”
dev: size erasesize name
mtd0: 00080000 00020000 “UBOOT”
mtd1: 00400000 00020000 “NVRAM”
mtd2: 00c00000 00020000 “BOOTIMG1”
mtd3: 00c00000 00020000 “BOOTIMG2”
mtd4: 00080000 00020000 “SEC_RO”
mtd5: 00080000 00020000 “MISC”
mtd6: 00200000 00020000 “TEE1”
mtd7: 00200000 00020000 “TEE2”
mtd8: 03300000 00020000 “ROOTFS1”
mtd9: 03300000 00020000 “ROOTFS2”
mtd10: 07700000 00020000 “USRDATA”

 

mtdinfo信息

sh-3.2# mtd
mtd_debug mtdinfo mtdpart
sh-3.2# mtdinfo
Count of MTD devices: 11
Present MTD devices: mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10
Sysfs interface supported: yes

sh-3.2# clear
sh-3.2# mtdinfo /dev/mtd0
mtd0
Name: UBOOT
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 4 (524288 bytes, 512.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:0
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd1
mtd1
Name: NVRAM
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 32 (4194304 bytes, 4.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:2
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd2
mtd2
Name: BOOTIMG1
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 96 (12582912 bytes, 12.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:4
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd3
mtd3
Name: BOOTIMG2
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 96 (12582912 bytes, 12.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:6
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd4
mtd4
Name: SEC_RO
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 4 (524288 bytes, 512.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:8
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd5
mtd5
Name: MISC
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 4 (524288 bytes, 512.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:10
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd6
mtd6
Name: TEE1
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 16 (2097152 bytes, 2.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:12
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd7
mtd7
Name: TEE2
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 16 (2097152 bytes, 2.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:14
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd8
mtd8
Name: ROOTFS1
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 408 (53477376 bytes, 51.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:16
Bad blocks are allowed: true
Device is writable: true

sh-3.2# mtdinfo /dev/mtd9
mtd9
Name: ROOTFS2
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 408 (53477376 bytes, 51.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:18
Bad blocks are allowed: true
Device is writable: false

sh-3.2# mtdinfo /dev/mtd10
mtd10
Name: USRDATA
Type: nand
Eraseblock size: 131072 bytes, 128.0 KiB
Amount of eraseblocks: 952 (124780544 bytes, 119.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size: 2048 bytes
OOB size: 64 bytes
Character device major/minor: 90:20
Bad blocks are allowed: true
Device is writable: true

 

Leave a Reply