红米小爱Play hack
视频 BV12T4y1E7nq
因为没找到什么入口,于是打算拆机接ttl串口
要无损拆开,需要准备金属撬棒,大塑料撬棒,锤子
先找一个角,用金属撬棒向外顶着,再用锤子敲开一点缝(因为4个角缝最小)
然后把塑料撬棒塞进去撬一圈即可拆开
准备一个ttl小板,三根弯排针
pcb上有小字写着线的连接顺序,tx,rx要与小板的交叉着接(主板tx接小板rx,主板rx接小板tx)
插电,开机,开机完会看到控制台输出了sn_code: ,把冒号后面的内容复制下来,按下面这样拼起来:
sn码A20EDC68-62E5-70C6-76E8-75879721B8EC
对拼到这里为止的整串字符算一个32位小写md5,前14位就是root的密码(也就是说这个密码是由sn码推导出来的,并不是随机生成的)
开启ssh(注意:dropbear这样启动后默认允许root用密码登录,而这个密码可以由sn码推导出来,所以只建议在自己可信的局域网内开启):
dropbearkey -t rsa -f /data/dropbear_rsa_host_key
dropbear -r /data/dropbear_rsa_host_key
由于/是只读的,所以没法通过修改开机启动项来自动打开ssh,可以在机内加装一个单片机,开机后延时通过串口(serial)执行上面的命令
播放音频:
mphelper tone 文件或链接
具体可以 cat /usr/bin/mphelper来了解提供的控制api
系统信息:
U-Boot 2018.05 (Dec 11 2019 - 02:53:20 +0000) Allwinner Technology, Build: jenkins-Mico_l07a_ota_publish-63
CPU: Allwinner Family
Model: sun8iw18
I2C: ready
DRAM: 64 MiB
Relocation Offset is: 00f48000
secure enable bit: 1
CPU=1008 MHz,PLL6=600 Mhz,AHB=200 Mhz, APB1=100Mhz MBus=264Mhz
Linux version 4.9.118 (jenkins@88969dbf45be) (gcc version 6.4.1 (OpenWrt/Linaro GCC 6.4-2017.11 2017-11) ) #1 SMP Wed Mar 25 02:19:05 UTC 2020
root@mico:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 23296 23296 0 100% /
devtmpfs 512 0 512 0% /dev
tmpfs 29240 204 29036 1% /tmp
tmpfs 512 0 512 0% /dev
/dev/by-name/UDISK 24981 3604 19497 16% /data
/dev/by-name/UDISK 24981 3604 19497 16% /etc/shadow
root@mico:~# free
total used free shared buffers cached
Mem: 58484 56312 2172 272 6532 16968
-/+ buffers/cache: 32812 25672
Swap: 0 0 0
root@mico:~# ps
PID USER VSZ STAT COMMAND
1 root 1324 S /sbin/procd
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [kworker/0:0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u4:0]
7 root 0 SW [rcu_sched]
8 root 0 SW [rcu_bh]
9 root 0 SW [migration/0]
10 root 0 SW< [lru-add-drain]
11 root 0 SW [cpuhp/0]
12 root 0 SW [cpuhp/1]
13 root 0 SW [migration/1]
14 root 0 SW [ksoftirqd/1]
15 root 0 SW [kworker/1:0]
16 root 0 SW< [kworker/1:0H]
17 root 0 SW [kdevtmpfs]
18 root 0 SW [kworker/u4:1]
205 root 0 SW [kworker/u4:2]
228 root 0 SW [oom_reaper]
229 root 0 SW< [writeback]
230 root 0 SW< [crypto]
232 root 0 SW< [bioset]
234 root 0 SW< [kblockd]
273 root 0 SW [kworker/1:1]
275 root 0 SW< [cfg80211]
304 root 0 SW [kworker/0:1]
320 root 0 SW [kswapd0]
321 root 0 SW< [vmstat]
452 root 0 SW< [bioset]
453 root 0 SW [nand]
454 root 0 SW [nftld]
466 root 0 SW [nand_rcd]
483 root 0 SW< [btfwwork]
484 root 0 SW [cfinteractive]
485 root 0 SW [autohotplug]
486 root 0 SW [irq/165-sunxi-m]
648 root 0 SW< [ipv6_addrconf]
666 root 0 SW< [kworker/0:1H]
667 root 0 SW< [kworker/1:1H]
858 root 972 S /sbin/ubusd
866 root 1040 S -ash
1250 root 0 SW< [krfcommd]
1331 root 1324 S /usr/sbin/dbus-daemon --system
1383 root 1412 S /sbin/netifd
1402 root 0 SW [jbd2/nand0p9-8]
1403 root 0 SW< [ext4-rsv-conver]
1410 root 2600 S< /usr/bin/quickplayer
1419 root 1040 S< /bin/ledserver
1461 root 1040 S /usr/sbin/crond -f -c /etc/crontabs -l 5
1479 root 4296 S {syslog-ng} supervising syslog-ng
1480 root 4348 S /usr/sbin/syslog-ng
1581 root 6440 S /usr/bin/xiaomi_dns_server
1630 root 0 SW [ksdioirqd/mmc0]
1641 root 0 SW [RTW_XMIT_THREAD]
1642 root 0 SW [RTW_CMD_THREAD]
1643 root 0 SW [RTWHALXT]
1655 root 1700 S /usr/sbin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/w
1678 root 1040 S udhcpc -f -S -s /bin/simple_dhcp.sh -R -t 0 -i wlan0
1699 root 704 S odhcp6c -s /lib/netifd/odhcp6c-script.sh -P0 -e -v w
1702 root 1048 S {wireless_point.} /bin/sh /usr/bin/wireless_point.sh
2578 root 824 S rtk_hciattach -n -s 115200 ttyS1 rtk_h4
2628 nobody 872 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k -x /va
2651 root 9936 S /usr/bin/upnp-disc
2667 root 1340 S /usr/bin/alarmd
2687 root 7820 S /usr/bin/mico_aivs_lab
2700 root 0 SW< [kworker/u5:0]
2701 root 0 SW< [hci0]
2702 root 0 SW< [hci0]
2705 root 0 SW< [kworker/u5:1]
2706 root 0 SW< [kworker/u5:2]
2729 root 3420 S /usr/bin/bluetoothd -n
2776 root 10040 S /usr/bin/mediaplayer
2790 root 736 S /usr/sbin/wpa_cli -a/bin/wpa_action.sh
2791 root 8004 S /usr/bin/messagingagent --handler_threads 8
2809 root 1300 S /usr/bin/mico-helper
2823 root 1024 S /bin/wifitool
2899 root 5208 S /usr/bin/statpoints_daemon
2999 root 1032 S /usr/bin/miio_client -L /dev/null
3000 root 1092 S {miio_client_hel} /bin/sh /usr/bin/miio_client_helpe
3315 root 5248 S /usr/bin/bluealsa -i hci0 -p a2dp-sink
3316 root 5760 S /usr/bin/bluealsa-aplay 00:00:00:00:00:00 -vv -i hci
3317 root 5964 S /usr/bin/bluez_mibt_classical
3318 root 2628 S /usr/bin/bluez_mibt_ble
3385 root 564 S /usr/bin/miio_recv_line
3428 root 1236 S /usr/bin/miio_service
3449 mosquitt 844 S mosquitto -c /etc/mosquitto/mosquitto.conf
3482 root 18604 S< /usr/bin/mipns-horizon -c /usr/share/mipns/ -r opus3
3490 root 960 S /bin/touchpad
3668 root 5832 S /usr/bin/mibrain_service
3678 root 1400 S /usr/bin/mico_ai_crontab
3689 root 780 S /usr/bin/nano_httpd
3702 root 3316 S /usr/bin/pns_ubus_helper
3721 root 3204 S /usr/bin/mibt_mesh_proxy
4028 root 1040 S sleep 10s
4030 root 1040 R ps
root@mico:/data# ls /etc/init.d/
adbd dnsmasq mico_ai_crontab silentboot
alarm done mico_aivs_lab start_sound
alsa dropbear mico_helper statpoints_daemon
bluetooth fstab miio sysctl
bluetoothd gpio_switch mitv-disc sysfixtime
boot led mosquitto syslog-ng
boot_check logrotate nano_httpd system
check_mac mediaplayer network touchpad
coredump messagingagent odhcp6c umount
cron mibrain_service pns wifitool
dbus mibt_mesh pns_ubus_helper wireless
dhcpc mibt_mesh_proxy quickplayer xiaomi_dns_server
root@mico:/data# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
#playback#
amixer -D hw:audiocodec cset name='External Speaker Switch' 1
amixer -D hw:audiocodec cset name='digital volume' 63
amixer -D hw:audiocodec cset name='LINEOUT volume' 23
amixer -D hw:audiocodec cset name='Right LINEOUT Mux' 1
#capture#
amixer -D hw:audiocodec cset name='Left Input Mixer MIC1 Boost Switch' 1
amixer -D hw:audiocodec cset name='Right Input Mixer MIC2 Boost Switch' 1
amixer -D hw:audiocodec cset name='Xadc Input Mixer MIC3 Boost Switch' 1
amixer -D hw:audiocodec cset name='MIC1 gain volume' 2
amixer -D hw:audiocodec cset name='MIC2 gain volume' 2
amixer -D hw:audiocodec cset name='MIC3 gain volume' 0
exit 0
root@mico:/data#
大神,这个文件系统只读有解决的办法么?
没办法。不过既然是spiflash,那肯定可以用编程器读出来,改了再写回去。另外它有一个分区是可以读写的,实际上可以用一个单片机通过串口执行命令,来实现开机启动和运行软件什么的。听说最新的开发板密码已经变了,但是我没有收到ota