On 2 Feb 2012 at 17:31, alan.b.pearce@stfc.ac.uk wrote:

> > > I want to get access to the file system on this device, and the only way seems to
> > > be to break the root password, and the only way I can see to do that is to remove
> > > the NAND chip, read its contents, and see if I can find the password file, and work
> > > from there in dumping it to pass it through a cracker. However having followed this
> > > discussion I am wondering if there may possibly be another way of getting into it
> > > with removing the chip.
> >
> > Hardware-wise, it would be JTAG, so if you can find the JTAG header and hook up an
> > adapter, you should be able to read the raw data. Of course, this is probably
> > compressed, but if you have the image, you should be able to mount the image file on
> > a Linux host.
> >
> > Is there any way to interrupt the bootloader and modify the kernel command line? You
> > might be able to boot it in single user mode:
> > http://www.debuntu.org/recover-root-password-single-user-mode-and-grub
>
> OK, those are both methods I hadn't considered. I'll have to open the box and have a look for the JTAG connector - or maybe just look up the chip datasheet to see if it has JTAG ... sounds like tonight's homework ...
>
> I am guessing that the file system on the "hard disk" is yffs or one of its variants. If one was to copy the NAND contents onto a USB stick (doing any error correction along the way - that doesn't faze me) could it be plugged straight into a Linux system and be recognised? I'm thinking in terms of taking each NAND block in turn as a logical block, and copying it to the same logical block on a USB stick.
>
> The only way to hook up a terminal is using Ethernet, as the screen on the device only shows a 'booting' message and no Linux prompts. Would it be possible to interrupt the boot process this way? My suspicion is that this wouldn't be active until it was already up and running in multi-user mode.
>
> I suspect the file system on the NAND device is loaded into RAM for eventual execution (possibly undergoing decompression on the way) so I guess if I let it boot up, then maybe that could be probed for the password file.
>
> Maybe this is what the OP wants to do, which is why he is asking about memory addresses? Maybe the OP and I are wanting to do the same thing?

I have a similar device. But mine has, besides flash and SDRAM, a BIOS. The BIOS is in EPROM.

My device does not start if the SDRAM (any of the 4 modules) is faulty but does not need any flash to "start". By "start", I mean that the LCD panel shows some text even though the device does not boot up yet and was stopped with an error (e.g. because of faulty flash).

I use JTAG to read data, but to be able to read proper data I must know the address range for SDRAM.

My flash is (probably) an SPI device.

L.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
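As an added illustration (not code from anyone in the thread): a raw NAND read of the kind the JTAG route yields carries each page's spare (OOB) area alongside the data, so copying "each NAND block to the same logical block" verbatim does not give a mountable image; the spare bytes have to be split off first, and the spare area is also where erased pages and factory bad-block markers show up. The page, spare and block sizes below, and the sample dump, are constructed assumptions; a real chip's datasheet gives the actual geometry.

```python
# Added illustration, not code from the thread. Splits a raw NAND dump into
# its main-area image and per-page spare (OOB) data so the main area can be
# treated as a flat file-system image. Geometry values are assumptions; a
# real chip's datasheet gives the page, spare and erase-block sizes.

PAGE_SIZE = 2048          # main-area bytes per page (assumed)
OOB_SIZE = 64             # spare-area bytes per page (assumed)
PAGES_PER_BLOCK = 64      # erase-block size in pages (assumed)


def strip_oob(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE,
              pages_per_block=PAGES_PER_BLOCK):
    """Return (main_image, erased_pages, bad_blocks).

    main_image   - concatenated main areas, ready for a file-system tool
    erased_pages - count of pages whose main and spare areas are all 0xFF
    bad_blocks   - blocks whose first page has a non-0xFF first OOB byte,
                   a common but chip-specific bad-block marker convention
    """
    raw_page = page_size + oob_size
    if len(raw) == 0 or len(raw) % raw_page:
        raise ValueError(f"dump length {len(raw)} is not a multiple of "
                         f"{raw_page}; the page/OOB geometry is probably wrong")
    blank = b"\xff" * raw_page
    main, erased, bad = bytearray(), 0, []
    for page_no, off in enumerate(range(0, len(raw), raw_page)):
        chunk = raw[off:off + raw_page]
        if chunk == blank:
            erased += 1
        if page_no % pages_per_block == 0 and chunk[page_size] != 0xFF:
            bad.append(page_no // pages_per_block)
        main += chunk[:page_size]
    return bytes(main), erased, bad


def build_sample_dump(pages, bad_block=None, page_size=PAGE_SIZE,
                      oob_size=OOB_SIZE, pages_per_block=PAGES_PER_BLOCK):
    """Constructed test data: page i holds byte i, the last page is erased,
    and every OOB starts with 0xFF except the first page of `bad_block`."""
    out = bytearray()
    for i in range(pages):
        if i == pages - 1:
            out += b"\xff" * (page_size + oob_size)
            continue
        marker = b"\x00" if (bad_block is not None and
                             i == bad_block * pages_per_block) else b"\xff"
        out += bytes([i % 256]) * page_size + marker + b"\xaa" * (oob_size - 1)
    return bytes(out)
```

The length check is the first thing to look at when a dump "almost" mounts: a wrong page or spare size shifts every page by a few bytes and the file system will not be recognised.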