Software SSH Shell Activation

From Sharpfin
Jump to navigation Jump to search

Enabling Login

REMINDER: The purpose of the project is to provide alternative firmware / patches to the reciva offering. The Sharpfin Project does not condone, and will not be party to any reverse engineering activities of any reciva application, the project deals with GPL code only.

The NAND Flash in the reciva radio is partitioned into 5 areas:

dev:    size   erasesize  name
mtd0: 00004000 00004000 "NAND BootAgent"
mtd1: 000fc000 00004000 "Linux Kernel"
mtd2: 00d00000 00004000 "Root"
mtd3: 00100000 00004000 "Config"
mtd4: 00100000 00004000 "Debug"

What we need to do is obtain the Root NAND partition, unpack it and add some files, repack it and upload it back into the radio.

  • Use your favorite JTAG programmer to extract the Root partition to a file: 2ro
  • Install jffs2 software
  • Use unpack.jffs2 script to unpack the file
  • untar the following over the unpacked tree
  • Use mkfs.jffs2 to pack the file back up again
  • Use your favorite JTAG programmer to reinstall the image

You will then be able to login as 'admin' password 'admin' onto your radio.

Install jffs2 software

# cvs -d login (password: anoncvs)
# cvs -d co mtd
You may also need to install the gbootroot rpm to provide the blkmtd driver

extract the root filesystem

Use the following script to unpack the root filesystem from the file 2ro in the current directory


modprobe loop
modprobe mtdblock

losetup /dev/loop0 2ro
insmod blkmtd erasesz=256 device=/dev/loop0
mkdir /mnt/mtd2
mount -t jffs2 /dev/mtdblock0 /mnt/mtd2

/bin/rm -rf mtd2
mkdir mtd2
(cd /mnt/mtd2 ; tar cf - . ) | (cd mtd2 ; tar xvf - )

umount /mnt/mtd2
rmmod blkmtd
losetup -d /dev/loop0
rmmod loop
rmmod mtdblock
rmmod mtdcore

Unpack the dropbear tools into the tree

<< to be added >>

Use mkfs.jffs2 to pack the file back up again

<< to be added >>