Question from deti:
As announced some time ago, I was eager to gain access to the Linux operating system of the AG-HPX301E. That this is possible in principle became clear relatively quickly, as the firmware update file is in TGZ format. After unpacking, it reveals a lot of shell scripts and CROMFS or CRAMFS images that can easily be mounted and inspected on Linux. This format seems to be identical for all HVX2* and *-HPX cameras. Some time ago, some findings on this were already published at http://deadhacker.com/2009/07/26/targeting-the-panasonic-hvx200-hd-camera/. What the earlier "hackers" did not achieve was logging in to the Linux system and executing programs.
Following the findings mentioned above, I first succeeded in mounting and examining the updater file (vupfs.bin). For this, only the 0x420 bytes at the start of the image file, up to the beginning of the GZIP header, had to be skipped:
dd if=vupfs.bin skip=1056 bs=1 of=vupfs.img.gz
gunzip vupfs.img.gz
sudo mount -o loop vupfs.img /mnt
The updater "/etc/init.d/vupsys" essentially starts the update script "vup2.sh" of the update package. This script in turn reveals which subsystems the camera is made up of and how they are addressed under Linux:
- In principle, there is a Linux system that provides the menu functions during operation and enables the thumbnail mode.
- In addition, there is a system controller (SYSCON) that implements the actual camera functions; for this there is a separate update script "syscon_vup.sh".
- Then there is also an FPGA, which apparently houses the DVCPRO and AVC-Intra codecs and various DMA functions for direct P2 access. This FPGA is updated by a further update script "vup.sh".
- Finally, there are several boot loaders to start the Linux kernel either from flash or via the network.
So where do we find our vulnerability to access the Linux system?
- There is a serial console, whose connections would only have to be found somewhere. Unscrewing the device and measuring would be one solution here. But this is invasive and time-consuming.
- You could connect a network adapter or an RS232-USB adapter. For this, one would really just have to take the custom MontaVista Linux kernel, version 2.4.20_mvl31 (ms7751r), and compile the appropriate modules. Only now the question arises of how to load these modules.
One possible solution would be to access the camera by building a pseudo-update package. Unfortunately, the camera is no longer usable in this mode, because the update mode causes a complete reboot.
If we now investigate the executables in the root filesystem, we find "/home/apli/sg"; this process seems to provide all the important menu functions of the camera. Disassembling it a bit, we find the call of a script "/home/apli/ext_prgrm.sh", which in turn runs an arbitrary shell script (with the extension .sh) from the SD card, provided that it lies in the directory "PRIVATE/MEIGROUP/PAVCN/SBG/P2SD/MNTNC". That would have been the main prize, but unfortunately a trick to call this magic script "ext_prgrm.sh" is still missing. Disassembling further, one finds in the application "/home/apli/pa" code that apparently looks for a file "PASSWD" in the above-mentioned directory on the SD card.
If you put an empty PASSWD file under "PRIVATE/MEIGROUP/PAVCN/SBG/P2SD/MNTNC", an item "SERVICE" appears in the thumbnail menu, and under it the item "EXTERNAL". If one now selects this item and confirms, an arbitrary shell script from the SD card is executed (see attached picture). With this, loading device drivers and starting arbitrary programs is no longer a problem. So let's take a look at what is running on the camera:
The Processor:
cpu family: SH-4
cache size: 8K-byte/16K-byte
bogomips: 197.83
Machine: 7751 Solution Engine
CPU clock: 198.00MHz
Bus clock: 99.00MHz
Peripheral module clock: 49.50MHz
The memory:
total: used: free: shared: buffers: cached:
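The dd step in the post above hard-codes the 0x420-byte skip. As an added example (not part of deti's post), this Python sketch locates that offset in an arbitrary image by checking that a complete gzip stream really starts there, instead of trusting the first occurrence of the magic bytes. The function names and the sample image are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)


def find_gzip_members(blob, min_output=1):
    """Yield (offset, decompressed_bytes) for each offset where a complete,
    CRC-verified gzip stream starts, not merely where the magic appears."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # 31 = expect gzip header and trailer
        try:
            out = d.decompress(blob[pos:])
            # eof is set only once the trailer (CRC32 + length) has checked out
            if d.eof and len(out) >= min_output:
                yield pos, out
        except zlib.error:
            pass  # magic bytes occurred by chance inside unrelated data
        pos = blob.find(GZIP_MAGIC, pos + 1)


def build_sample_image():
    """Constructed stand-in for vupfs.bin: 0x420 header bytes, then gzip data.
    A decoy magic is planted in the header to exercise the validation."""
    header = bytearray(0x420)
    header[0x10:0x13] = GZIP_MAGIC
    payload = gzip.compress(b"constructed filesystem image " * 64)
    return bytes(header) + payload


if __name__ == "__main__":
    image = build_sample_image()
    for offset, data in find_gzip_members(image):
        # The offset is the value to pass to dd as skip= (with bs=1)
        print(f"gzip stream at {offset} (0x{offset:x}), {len(data)} bytes")
```

Any bytes following the gzip stream are ignored, so a vendor trailer appended to the image does not prevent detection.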
Reply from rudi:
Wow, the SH-4 isn't even ARM, and you can disassemble it (or understand SH-4 assembler) :o
Then you can certainly also quickly port a Dreamcast emulator to the HPX301 ;) (that was also SH-4, I believe)
So true. Hats off, Deti