├── .gitignore ├── .gitmodules ├── .vscode └── settings.json ├── README.md └── devices ├── S18-One ├── BOM.md ├── CONSOLE.md ├── EEPROM.md ├── EFUSES.md ├── JTAGSWD.md ├── KERNEL.md ├── MDP.md ├── README.md ├── TEARDOWN.md ├── UBOOT.md ├── datasheets │ └── .gitignore ├── dumps │ ├── .gitignore │ ├── j3-console-boot.txt │ ├── j3-linux-boot.txt │ └── sonos-tupelo-v1.dts ├── images │ ├── photographs │ │ ├── .gitignore │ │ ├── logicboard-001.jpg │ │ ├── logicboard-002.jpg │ │ ├── logicboard-003.jpg │ │ ├── ports-uart.jpg │ │ ├── radio-i2c-001.jpg │ │ ├── teardown-001.jpg │ │ ├── teardown-002.jpg │ │ ├── teardown-003.jpg │ │ ├── teardown-004.jpg │ │ ├── teardown-005.jpg │ │ ├── teardown-006.jpg │ │ ├── teardown-007.jpg │ │ ├── teardown-008.jpg │ │ ├── teardown-009.jpg │ │ ├── teardown-010.jpg │ │ └── teardown-011.jpg │ └── s18-one.png ├── scripts │ ├── arm-trusted-calculator.py │ ├── dump-from-mmc.py │ ├── dump-kernel-from-itb.py │ ├── dump-mdp.py │ ├── dump-sox-header.py │ ├── ezpwn.sh │ ├── gzip-to-its.py │ ├── i2c-thief.py │ ├── string-code-from-relocations.py │ └── write-what-where.py └── sources │ ├── .gitiginore │ └── README.md └── ZP120 ├── BOM.md ├── CONSOLE.md ├── README.md ├── TEARDOWN.md ├── UBOOT.md ├── dumps ├── j15005-console-boot.txt ├── j15005-console-os-boot.txt └── j15005-recoverme.txt ├── images ├── photographs │ ├── logicboard-001.jpg │ ├── logicboard-002.jpg │ ├── logicboard-003.jpg │ ├── logicboard-004.jpg │ ├── logicboard-005.jpg │ ├── ports-uart.jpg │ ├── teardown-001.jpg │ ├── teardown-002.jpg │ ├── teardown-003.jpg │ ├── teardown-004.jpg │ ├── teardown-005.jpg │ ├── teardown-006.jpg │ └── teardown-007.jpg └── zp120.png └── scripts └── boot-brute.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | 131 | # Mac OS files. 132 | .DS_Store 133 | 134 | NOTES.md -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "devices/S18-One/sources/u-boot-amlogic"] 2 | path = devices/S18-One/sources/u-boot-amlogic 3 | url = https://gitlab.denx.de/u-boot/custodians/u-boot-amlogic 4 | branch = master 5 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "*.s": "c", 4 | "locale": "c" 5 | } 6 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sonor 2 | 3 | A collaborative effort to liberate Sonos devices from their cloudy masters. 4 | 5 | The primary objective of this project is to determine whether it is possible 6 | to recover Sonos devices which have been placed into so-called 'recycling 7 | mode'. If this is not possible due to server side blacklisting of devices 8 | then this project will instead focus effort of whether 'recycled' hardware 9 | can be repurposed - ideally via software modification. 10 | 11 | ## Devices 12 | 13 | Support / validation against the following devices is currently being worked 14 | on: 15 | 16 | 1. [Sonos One (Generation 2) [S18]](devices/S18-One/README.md) 17 | 2. [Sonos ZP120](devices/ZP120/README.md) 18 | 19 | ## Collaboration 20 | 21 | Please feel free to open issues and pull requests with information collected 22 | during analysis of Sonos devices. Information will be merged into the 23 | respective trees with all credit provided for contributions. 24 | 25 | In order to add a new device, please open a pull request with a tree set-out 26 | in the same manner as `devices/S18-One/`. 27 | 28 | -------------------------------------------------------------------------------- /devices/S18-One/BOM.md: -------------------------------------------------------------------------------- 1 | ## Bill Of Materials (BOM) 2 | 3 | 1. [Overview](#overview) 4 | 1. [Flattened DeviceTree (FDT)](#flattened-devicetree-fdt) 5 | 1. [Data Sheets](#data-sheets) 6 | 7 | ### Overview 8 | 9 | The following list details the major components on the logic board of a Sonos 10 | One (Generation 2) [S18]. 11 | 12 | |Package|Manufacturer|Part Number|Description|Silk Screen|Board| 13 | |-|-|-|-|-|-| 14 | |LFBGA|Amlogic|A113D|A113D SoC (ARM Cortex-A53)|Ui|Logic Board| 15 | |FBGA|Kingston|EMMC04G-M627|4GB eMMC Flash Memory|U4|Logic Board| 16 | |TFBGA|Nanya|NT5CC512M8EQ|DDR3(L) 4Gb SDRAM (512MB)|U74|Logic Board| 17 | |TFBGA|Nanya|NT5CC512M8EQ|DDR3(L) 4Gb SDRAM (512MB)|U75|Logic Board| 18 | |VQFN|TI|DP83822I|10/100Mbps Ethernet PHY|U17|Logic Board| 19 | |QFN|Cypress|CY8C4245LQI|PSoC 4200 (ARM Cortex-M0)|U1|Microphone Board| 20 | |TFBGA|Mediatek|MT7615N|"Router-on-a-chip" 5-port 10/100/1000 PHY, 1 RGMII|U10|Radio Board| 21 | |DFN8|ST|M24C64|64-Kbit EEPROM (i2c)|U13|Radio Board| 22 | 23 | ### Flattened DeviceTree (FDT) 24 | 25 | The FDT was successfully extracted over the `i2c` bus and converted back to 26 | DTS format - using the `dtc` utility. This tree contains information about 27 | components, their addressing, and other parameters which may be of 28 | assistance. 29 | 30 | * [Sonos-Tupelo-v1.dts](./dumps/sonos-tupelo-v1.dts) 31 | 32 | ### Data Sheets 33 | 34 | * [Amlogic A113D](https:///) 35 | * [Nanya NT5CC512M8EQ](https://www.nanya.com/Files/667?Filename=4Gb_DDR3_E_Die_component_Datasheet.PDF&ProductId=4,245) 36 | * [Kingston NT5CC512M8EQ](https:///) 37 | * [Cypress CY8C4245LQI](https://www.cypress.com/file/138656/download) 38 | * [TI DP83822I](http://www.ti.com/lit/ds/symlink/dp83822i.pdf) 39 | * [Mediatek MT7615N](https:///) 40 | * [ST M24C64](https://www.st.com/resource/en/datasheet/m24c64-r.pdf) 41 | -------------------------------------------------------------------------------- /devices/S18-One/CONSOLE.md: -------------------------------------------------------------------------------- 1 | ## Console 2 | 3 | 1. [Overview](#overview) 4 | 1. [Pinout](#pinout) 5 | 1. [Boot Console](#boot-console) 6 | 7 | ### Overview 8 | 9 | An unpopulated connector which provides a serial console can be found at the 10 | base of the logic board PCB labelled as `J3` on the Sonos One (Generation 2) 11 | [S18]. 12 | 13 | The console baud is `115200` (`8N1`). 14 | 15 | ### Pinout 16 | 17 | The pinout for `J3` is as follows: 18 | 19 | ![UART / Console Pinout](./images/photographs/ports-uart.jpg?raw=true) 20 | 21 | ### Boot Console 22 | 23 | The boot-time output from the unit can be found in the following text dump: 24 | 25 | * [J3-Console-Boot.txt](./dumps/j3-console-boot.txt) 26 | -------------------------------------------------------------------------------- /devices/S18-One/EEPROM.md: -------------------------------------------------------------------------------- 1 | ## EEPROM 2 | 3 | 1. [Overview](#overview) 4 | 1. [Reading](#reading) 5 | 6 | ### Overview 7 | 8 | An ST M24C64 EEPROM (i2c) appears to be present on the 'radio board' of a 9 | Sonos One (Generation 2) [S18]. The purpose of this EEPROM is not currently 10 | completely clear, but it may be used to store configuration data for the 11 | unit - perhaps related to WiFi radio configuration? 12 | 13 | ### Reading 14 | 15 | As U-Boot on the unit supports reading memory via i2c, it is possible to read 16 | data from this EEPROM through the bootloader. This said, read operation do 17 | seem to be temperamental when executed via U-Boot. 18 | 19 | The EEPROM appears to be addressed on the i2c bus as `0x55`: 20 | 21 | ``` 22 | Sonos Tupelo > i2c md 0x55 0x00.2 10 23 | 0000: 53 4f 4e 4f 53 2e 30 31 00 00 00 00 00 00 07 24 SONOS.01.......$ 24 | ``` 25 | 26 | In order to get better access to the EEPROM, the clock and data pins for the 27 | i2c bus the EEPROM is connected to is exposed via `TP18` (`SCK`) and `TP20` 28 | (`SDA`) on the radio board. 29 | 30 | ![i2c Radio EEPROM](./images/photographs/radio-i2c-001.jpg?raw=true) 31 | -------------------------------------------------------------------------------- /devices/S18-One/EFUSES.md: -------------------------------------------------------------------------------- 1 | ## eFuses 2 | 3 | 1. [Overview](#overview) 4 | 1. [Retail State](#retail-state) 5 | 1. [Fuses](#fuses) 6 | 7 | ### Overview 8 | 9 | TBD. 10 | 11 | ### Fuses 12 | 13 | The following has been extracted from the efuse driver from the Sonos GPL 14 | sources: 15 | 16 | |Index|Name|Expected Length (Bytes)| 17 | |-|-|-| 18 | |0|`ENABLE_SECURE_BOOT`|1| 19 | |1|`ENABLE_ENCRYPTION`|1| 20 | |2|`REVOKE_KPUB_0`|1| 21 | |3|`REVOKE_KPUB_1`|1| 22 | |4|`REVOKE_KPUB_2`|1| 23 | |5|`REVOKE_KPUB_3`|1| 24 | |6|`ENABLE_ANTIROLLBACK`|1| 25 | |7|`ENABLE_JTAG_PASSWORD`|1| 26 | |8|`ENABLE_SCAN_PASSWORD`|1| 27 | |9|`DISABLE_JTAG`|1| 28 | |10|`DISABLE_SCAN`|1| 29 | |11|`ENABLE_USB_BOOT_PASSWORD`|1| 30 | |12|`DISABLE_USB_BOOT`|1| 31 | |257|`SBOOT_KPUB_SHA`|32| 32 | |259|`JTAG_PASSWD_SHA_SALT`|32| 33 | |260|`SCAN_PASSWD_SHA_SALT`|32| 34 | |263|`SBOOT_AES256_SHA2`|32| 35 | |512|`GP_REE`|16| 36 | 37 | ### Retail State 38 | 39 | The fuses appear to be in the following state on a retail unit: 40 | 41 | ``` 42 | fuse_read(ENABLE_SECURE_BOOT): 01 43 | fuse_read(ENABLE_ENCRYPTION): 01 44 | fuse_read(REVOKE_KPUB_0): 01 45 | fuse_read(REVOKE_KPUB_1): 00 46 | fuse_read(REVOKE_KPUB_2): 00 47 | fuse_read(REVOKE_KPUB_3): 00 48 | fuse_read(ENABLE_ANTIROLLBACK): 00 49 | fuse_read(ENABLE_JTAG_PASSWORD): 00 50 | fuse_read(ENABLE_SCAN_PASSWORD): 00 51 | fuse_read(DISABLE_JTAG): 01 52 | fuse_read(DISABLE_SCAN): 01 53 | fuse_read(ENABLE_USB_BOOT_PASSWORD): 00 54 | fuse_read(DISABLE_USB_BOOT): 01 55 | fuse_read(SBOOT_KPUB_SHA): 56 | 96014ed3460b0a136dc0d9fafb05c92e6cc05edf9c7c83be1620c27062c939c3 57 | fuse_read(JTAG_PASSWD_SHA_SALT): 58 | 919b8668592db9fdc80e971cba307f04789ccf5e1db0198d3c0efbee5efa3c0d 59 | fuse_read(SCAN_PASSWD_SHA_SALT): 60 | 4659e01b96105535097eb51f26b55f4f9536b2f26ab3c0234c59d545ecfb7102 61 | fuse_read(SBOOT_AES256_RAW): skipped (write-only) 62 | fuse_read(SBOOT_AES256_SHA2): 63 | dbb823015c2972f7e632bdd03fbc13e4c330a2e53fe40030c7803f0ba72eb0c7 64 | fuse_read(GP_REE): ffffffffffffffff0000000000000000 65 | fuse_read(CPUID): REMOVED_FROM_OUTPUT_BY_AUTHOR__ 66 | ``` 67 | -------------------------------------------------------------------------------- /devices/S18-One/JTAGSWD.md: -------------------------------------------------------------------------------- 1 | ## JTAG / SWD 2 | 3 | 1. [Overview](#overview) 4 | 5 | ### Overview 6 | 7 | Enablement of JTAG is very likely not possible on a retail Sonos One 8 | (Generation 2) [S18] - at least for the A113D SoC. This is based on the 9 | use of OTP fuses to set a `DISABLE_JTAG` flag. 10 | 11 | Though it's unknown how JTAG is disabled when this flag is set at this stage, 12 | the value of the fuse itself cannot be modified (decremented) once set: 13 | 14 | ``` 15 | Sonos Tupelo > socfuse read DISABLE_JTAG 16 | fuse_read(DISABLE_JTAG): 01 17 | Sonos Tupelo > socfuse write DISABLE_JTAG 00 18 | fuse_write(DISABLE_JTAG) succeeded 19 | Sonos Tupelo > socfuse read DISABLE_JTAG 20 | fuse_read(DISABLE_JTAG): 01 21 | ``` 22 | -------------------------------------------------------------------------------- /devices/S18-One/KERNEL.md: -------------------------------------------------------------------------------- 1 | ## Kernel 2 | 3 | 1. [Overview](#overview) 4 | 1. [Obtaining the 'Sox' Image](#obtaining-the-kernel) 5 | 1. [Carving the Kernel](#carving-the-kernel) 6 | 1. [Dumping `initramfs`](#dumping-initramfs) 7 | 8 | ### Overview 9 | 10 | The Sonos One (Generation 2) [S18] boot image appears to be encapsulated on 11 | disk in an unknown, potentially propriatary, format. This can be identified 12 | by the file magic of `0x21 0x78 0x6f 0x53`. As this value becomes `Sox!` if 13 | the byte order is flipped this image format is referred to as 'Sox' in this 14 | document. 15 | 16 | ### Obtaining the 'Sox' Image 17 | 18 | Firstly, the contents of the `kern0` parition of the unit will need to be 19 | dumped. This can be done by using the provided script in 20 | [`scripts/dump-from-mmc.py`](scripts/dump-from-mmc.py) which allows for 21 | arbitrary data to be dumped from the MMC over the serial console. 22 | 23 | Please be aware that this is a slow process, and takes just over two hours to 24 | dump a kernel image. 25 | 26 | ```bash 27 | # List all partitions on the MMC, and their start and end blocks. 28 | python3 dump-from-mmc.py 29 | 30 | # Dump the contents of kern0 to 'kernel.bin' 31 | python3 dump-from-mmc.py kernel.bin 0x00004000 0x0000bfff 32 | ``` 33 | 34 | Once the contents of the `kern0` parition is dumped, the FIT image and kernel 35 | must first be 'carved' from the 'Sox' image. 36 | 37 | ### Carving the Kernel 38 | 39 | Although the 'Sox' image format appears to be custom the layout does not 40 | appear complicated. A Python snippet to parse and dump the known / required 41 | fields from this header can be found in 42 | [`scripts/dumps-sox-header.py`](./scripts/dump-sox-header.py). 43 | 44 | One caveat to the above is that the 'kernel offset' output by this script 45 | is not the beginning of the FIT image. Instead it is the location of a 46 | 364-Byte signature which the `sonosboot` U-Boot command appears to use to 47 | validate the authenticity of the FIT image. This can simply be discarded as 48 | the `sonosboot` command will not be used when loading modified FIT images 49 | over TFTP. As a result, the 'real' location of the start of the FIT image 50 | should be `k_offset + 364`. 51 | 52 | 1. Run `dump-sox-header.py` to parse the required information from the 53 | Sox image. 54 | ```bash 55 | $ python3 ../scripts/dump-sox-header.py ./kern0.bin 56 | SoxHeader( 57 | magic=1399814177, 58 | version=1, 59 | bootgen=0, 60 | kernel_offset=64, 61 | kernel_checksum=1981269588, 62 | kernel_length=6936732 63 | ) 64 | ``` 65 | 2. Carve the FIT from the Sox image using `dd`: 66 | ```bash 67 | $ dd if=kern0.bin of=kern0.itb bs=1 skip=$((64 + 364)) count=6936732 68 | ``` 69 | 3. Ensure that the first eight bytes of the extracted image are `d00dfeed` 70 | ```bash 71 | $ xxd kern0.itb | head -n 1 72 | 00000000: d00d feed 0069 d730 0000 0038 0069 d354 .....i.0...8.i.T 73 | ``` 74 | 4. (Optiona) Convert the extracted `itb` (Image Tree Binary) file into an 75 | Image Tree Source (`its`) file for easier viewing. This can be done using 76 | the `dtc` tool: 77 | ```bash 78 | dtc -I dtb -O dts -o kern0.its kern0.itb 79 | ``` 80 | 5. Finally, the Kernel image can be extracted from `/images/kernel@1` using 81 | the `dump-kernel-from-itb.py` script: 82 | ```bash 83 | # Dump the kernel gzip. 84 | $ python3 ../scripts/dump-kernel-from-itb.py kern0.itb kern0.gz 85 | [-] Attempting to load ITB from /home/darkarnium/Desktop/Scratch/Sonos/dump/kern0.itb 86 | [-] Looking for kernel@1 image in ITB 87 | [-] Attempting to write kernel to /home/darkarnium/Desktop/Scratch/Sonos/dump/kern0.gz 88 | [+] Write complete, have fun! :) 89 | 90 | # Spot check. 91 | $ file kern0.gz 92 | kern0.gz: gzip compressed data, was "Image", last modified: Mon Nov 12 23:29:26 2018, from Unix 93 | ``` 94 | 95 | ### Dumping `initramfs` 96 | 97 | The following are 'scratch' notes for how to modify the initramfs and repack 98 | both the Kernel and ITB / FIT for booting. 99 | 100 | ```bash 101 | # Gunzip the Kernel. 102 | $ gunzip kern0.gz 103 | 104 | # Dump the initramfs from Kernel 105 | $ dd if=kern0 of=initramfs.gz bs=1 skip=9800328 count=1900200 106 | 107 | # Back it up. 108 | $ cp kern0 kern0.original 109 | $ cp initramfs.gz initramfs.original.gz 110 | 111 | # Initial size. 112 | $ ls -la initramfs.gz 113 | -rw-rw-r-- 1 darkarnium darkarnium 1900200 Jan 11 18:38 initramfs.gz 114 | 115 | # Ensure no trailing garbage. 116 | $ gunzip -v initramfs.gz 117 | 118 | # Extract CPIO. 119 | $ mkdir -p rootfs/ 120 | $ cp initramfs rootfs/ 121 | $ cd rootfs 122 | $ cat initramfs | sudo cpio -idmv 123 | $ rm initramfs 124 | 125 | # Patch /init 126 | 127 | # Create cpio. 128 | $ find . -print0 | sudo cpio --null --create --verbose --format=newc > initramfs 129 | 130 | # Gzip it. 131 | $ gzip initramfs 132 | 133 | # Check size, and add pad file to CPIO until same size. 134 | $ ls -la initramfs.gz 135 | -rw-r--r-- 1 darkarnium darkarnium 1899459 Jan 11 18:45 initramfs.gz 136 | 137 | # Recheck size, and ensure it matches now. 138 | $ ls -la initramfs.gz 139 | -rw-r--r-- 1 darkarnium darkarnium 1900200 Jan 11 18:51 initramfs.gz 140 | 141 | # Patch it in using dd. 142 | $ dd conv=notrunc if=initramfs.gz of=kern0 bs=1 seek=9800328 143 | 144 | # Ensure the patched file is the same size. 145 | $ ls -la kern0 kern0.original 146 | -rw-rw-r-- 1 darkarnium darkarnium 12361736 Jan 11 18:54 kern0 147 | -rw-rw-r-- 1 darkarnium darkarnium 12361736 Jan 11 18:52 kern0.original 148 | 149 | # Gzip the kernel. 150 | $ gzip --best kern0 151 | 152 | # Convert into ITS compatible format. 153 | $ python3 ../scripts/gzip-to-its.py kern0.gz data-fragment.its 154 | ``` -------------------------------------------------------------------------------- /devices/S18-One/MDP.md: -------------------------------------------------------------------------------- 1 | ## MDP (Manufacturer Device Page) 2 | 3 | 1. [Overview](#overview) 4 | 1. [Structure](#structure) 5 | 1. [U-Boot](#u-boot) 6 | 1. [Modify `mdp_authorized_flags`](#modify-mdp_authorized_flags) 7 | 1. [References](#references) 8 | 9 | ### Overview 10 | 11 | The Sonos One (Generation 2) [S18] appears to have a section of flash for 12 | storage of unit specific configuration, known as the 'Manufacturer Device 13 | Page' or MDP. 14 | 15 | ### Structure 16 | 17 | This section appears to be `0x5200` bytes long and is defined as the 18 | following structures - per the `mdp.h` from the Sonos GPL packages. 19 | 20 | ```c 21 | #define MDP_MAGIC 0xce10e47d 22 | #define MDP_MAGIC2 0xca989b4a 23 | #define MDP_MAGIC2_ENC 0xfa87b921 24 | #define MDP_MAGIC3 0xcba979f0 25 | ``` 26 | 27 | ```c 28 | struct smdp { 29 | struct manufacturing_data_page mdp; 30 | struct manufacturing_data_page2 mdp2; 31 | struct manufacturing_data_page3 mdp3; 32 | }; 33 | ``` 34 | 35 | ```c 36 | #define MDP_PIN_LENGTH 8 37 | #define MDP_SERIES_ID_LENGTH 4 38 | 39 | struct manufacturing_data_page { 40 | uint32_t mdp_magic; 41 | uint32_t mdp_vendor; 42 | uint32_t mdp_model; 43 | uint32_t mdp_submodel; 44 | uint32_t mdp_revision; 45 | uint8_t mdp_serial[8]; 46 | uint32_t mdp_region; 47 | uint32_t mdp_reserved; 48 | char mdp_copyright_statement[64]; 49 | uint32_t mdp_flags; 50 | uint32_t mdp_hwfeatures; 51 | uint8_t mdp_ch11spurimmunitylevel; 52 | uint8_t mdp_reserved2[3]; 53 | uint32_t mdp_version; 54 | uint32_t mdp2_version; 55 | uint32_t mdp3_version; 56 | uint32_t mdp_pages_present; 57 | uint32_t mdp_authorized_flags; 58 | uint32_t mdp_unused; 59 | uint32_t mdp_fusevalue; 60 | uint32_t mdp_sw_features; 61 | char mdp_pin[MDP_PIN_LENGTH]; 62 | char mdp_series_id[MDP_SERIES_ID_LENGTH]; 63 | uint8_t mdp_reserved3[100]; 64 | union { 65 | uint8_t u_reserved[256]; 66 | struct { 67 | int32_t mdp_zp_dcofs[4]; 68 | } zp; 69 | } u; 70 | }; 71 | ``` 72 | 73 | ```c 74 | struct manufacturing_data_page2 { 75 | uint32_t mdp2_magic; 76 | uint32_t mdp2_keylen; 77 | union { 78 | uint8_t mdp2_key[4088]; 79 | struct { 80 | uint8_t old_rsa_private[708]; 81 | uint8_t old_rsa_sig[128]; 82 | uint8_t old_fsn_sig[128]; 83 | uint8_t old_unit_sig[128]; 84 | uint32_t old_variant; 85 | 86 | uint8_t old_reserved[4088 - (708 + (128 * 3) + 4)]; 87 | } ; 88 | struct { 89 | uint8_t prod_rsa_private[1024]; 90 | uint8_t prod_unit_sig[128]; 91 | uint32_t prod_cert_flags; 92 | 93 | uint8_t dev_rsa_private[1024]; 94 | uint8_t dev_unit_sig[128]; 95 | uint32_t dev_cert_flags; 96 | 97 | uint8_t prod_rsa_sig[128]; 98 | uint8_t dev_rsa_sig[128]; 99 | 100 | uint32_t variant; 101 | 102 | 103 | uint8_t dev_reserved[4088 - ((1024 * 2) + (128 * 4) + (4 * 3))]; 104 | } ; 105 | } mdp2_sigdata; 106 | }; 107 | ``` 108 | 109 | ```c 110 | struct manufacturing_data_page3 { 111 | uint32_t mdp3_magic; 112 | uint32_t mdp3_version; 113 | uint8_t mdp3_reserved[376]; 114 | 115 | uint8_t mdp3_auth_sig[512]; 116 | uint8_t mdp3_cpuid_sig[512]; 117 | 118 | uint8_t mdp3_fskey1[256]; 119 | uint8_t mdp3_fskey2[256]; 120 | uint8_t mdp3_model_private_key[2048]; 121 | 122 | uint8_t mdp3_prod_unit_rsa_key[2048]; 123 | uint8_t mdp3_prod_unit_rsa_cert[2048]; 124 | uint8_t mdp3_dev_unit_rsa_key[2048]; 125 | uint8_t mdp3_dev_unit_rsa_cert[2048]; 126 | 127 | uint8_t mdp3_reserved2[4096 + 128]; 128 | }; 129 | ``` 130 | 131 | ### Dump 132 | 133 | ``` 134 | mmc read 0x300000 0x3200 0x29 135 | md 0x300000 0x1480 136 | ``` 137 | 138 | ### U-Boot 139 | 140 | Methods exist in U-Boot to read from and write to the MDP. These are as 141 | follows: 142 | 143 | * `0x1004DA0` - `sonos_mdp_read(...)` 144 | * `0x1004DB4` - `sonos_mdp_write(...)` 145 | 146 | #### Modify `mdp_authorized_flags` 147 | 148 | Patch the address of the `printf` operation in the `do_mdp` command to print 149 | `mdp3_version` in place of `mdp_sw_features` when the `mdp` command is run 150 | without arguments. This should be done to ensure offsets are calculated 151 | correctly as a bad write to the MDP would be extremely problematic, and may 152 | not be recoverable. 153 | 154 | If successful the value of `MDP sw_features` should read `2` rather than `0`. 155 | This is due to the `mdp3_version` member from the `manufacturing_data_page` 156 | being read, rather than `mdp_sw_features` - as the patch changes the offset 157 | from `0x220` to `0x200`. 158 | 159 | ```shell 160 | # 161 | # Original - mdp_sw_features 162 | # 163 | # 0x10051F0 - LDR W1, [X29, #220] - (A1 DF 40 B9) 164 | # 1 0 1 1 1 0 0 1 0 1 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 0 0 1 165 | # \_____________________/\________/\________/ 166 | # IMM12 Rn Rt 167 | # 168 | $ python3 i2c-thief.py 0x10051F0 0x10051F4 169 | 170 | # 171 | # Patch to mdp3_version 172 | # 173 | # 0x10051F0 - LDR W1, [X29, #200] - (A1 CB 40 B9) 174 | # 1 0 1 1 1 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 1 0 1 1 1 0 1 0 0 0 0 1 175 | # \_____________________/\________/\________/ 176 | # IMM12 Rn Rt 177 | # 178 | $ python3 i2c-thief.py 0x10051F0 0x10051F4 179 | $ python3 write-what-where.py 0x10051F1 0xCB 180 | 181 | # 182 | # Confirm the `mdp` command now returns `mdp3_version` in place of 183 | # `sw_features` 184 | # 185 | $ stty -F /dev/ttyUSB0 min 100 time 2 186 | $ echo 'mdp' > /dev/ttyUSB0 && cat /dev/ttyUSB0 187 | MDP is initialized, diags are disabled 188 | MDP model is 26 189 | MDP MDP_FLAG_HAS_VERSION yes 190 | MDP mdp_version 4 191 | MDP mdp2_version 5 192 | MDP mdp3_version 2 193 | MDP mdp_pages_present 7 194 | MDP auth_flags 0 195 | MDP sw_features 2 196 | Sonos Tupelo > ^C 197 | ``` 198 | 199 | Next, reboot the unit before attempting to patch. A reboot must be performed 200 | before patching to ensure everything is clean. Failure to do so may cause 201 | irreparable damage to the MDP. 202 | 203 | After a reboot use the `mdp sw_features` command to set `mdp_sw_features` to 204 | the same value as will be set later in `mdp_authorized_flags`: 205 | 206 | ```shell 207 | # 208 | # MDP_AUTH_FLAG_KERNEL_PRINTK_ENABLE = 0x00000001 209 | # MDP_AUTH_FLAG_CONSOLE_ENABLE = 0x00000002 210 | # MDP_AUTH_FLAG_TELNET_ENABLE = 0x00000008 211 | # MDP_AUTH_FLAG_EXEC_ENABLE = 0x00000010 212 | # MDP_AUTH_FLAG_UBOOT_UNLOCK_ENABLE = 0x00000020 213 | # 214 | # print( 215 | # '{0:08x}'.format( 216 | # MDP_AUTH_FLAG_KERNEL_PRINTK_ENABLE | 217 | # MDP_AUTH_FLAG_CONSOLE_ENABLE | 218 | # MDP_AUTH_FLAG_TELNET_ENABLE | 219 | # MDP_AUTH_FLAG_EXEC_ENABLE | 220 | # MDP_AUTH_FLAG_UBOOT_UNLOCK_ENABLE 221 | # ) 222 | # ) 223 | # 224 | mdp sw_features 0000003b 225 | ``` 226 | 227 | Patch the `do_mdp` command so that the `sw_features` subcommand writes the 228 | specified value to the address of `mdp_authorized_flags`, rather than to 229 | `mdp_sw_features`. This provides an easy way of writing to 230 | `mdp_authorized_flags` which is not possible using the `mdp` command without 231 | modification. 232 | 233 | ```shell 234 | # 235 | # Original - mdp_sw_features 236 | # 237 | # 0x1005024 - STR W0, [X29, #220] - (A0 DF 00 B9) 238 | # 1 0 1 1 1 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 0 0 0 239 | # \_____________________/\________/\________/ 240 | # IMM12 Rn Rt 241 | $ python3 i2c-thief.py 0x1005024 0x1005028 242 | 243 | # 244 | # Patch to mdp_authorized_flags 245 | # 246 | # 0x1005024 - STR W0, [X29, #208] - (A0 D3 00 B9) 247 | # 1 0 1 1 1 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 0 0 0 248 | # \_____________________/\________/\________/ 249 | # IMM12 Rn Rt 250 | # 251 | $ python3 i2c-thief.py 0x1005024 0x1005028 252 | $ python3 write-what-where.py 0x1005025 0xD3 253 | ``` 254 | 255 | Use the now modified `mdp sw_features` command to write the following flags 256 | to `mdp_authorized_flags`. This should be done via a terminal emulator if 257 | performed interactively, as a `Really modify MDP info ` prompt must be 258 | answered before writes will occur: 259 | 260 | ```shell 261 | # 262 | # MDP_AUTH_FLAG_KERNEL_PRINTK_ENABLE = 0x00000001 263 | # MDP_AUTH_FLAG_CONSOLE_ENABLE = 0x00000002 264 | # MDP_AUTH_FLAG_TELNET_ENABLE = 0x00000008 265 | # MDP_AUTH_FLAG_EXEC_ENABLE = 0x00000010 266 | # MDP_AUTH_FLAG_UBOOT_UNLOCK_ENABLE = 0x00000020 267 | # 268 | # print( 269 | # '{0:08x}'.format( 270 | # MDP_AUTH_FLAG_KERNEL_PRINTK_ENABLE | 271 | # MDP_AUTH_FLAG_CONSOLE_ENABLE | 272 | # MDP_AUTH_FLAG_TELNET_ENABLE | 273 | # MDP_AUTH_FLAG_EXEC_ENABLE | 274 | # MDP_AUTH_FLAG_UBOOT_UNLOCK_ENABLE 275 | # ) 276 | # ) 277 | # 278 | mdp sw_features 0000003b 279 | ``` 280 | 281 | Use the `mdp` command to confirm that the new `mdp_authorized_flags` value 282 | has been written, and reboot. 283 | 284 | ```shell 285 | $ stty -F /dev/ttyUSB0 min 100 time 2 286 | $ echo 'mdp' > /dev/ttyUSB0 && cat /dev/ttyUSB0 287 | MDP is initialized, diags are disabled 288 | MDP model is 26 289 | MDP MDP_FLAG_HAS_VERSION yes 290 | MDP mdp_version 4 291 | MDP mdp2_version 5 292 | MDP mdp3_version 2 293 | MDP mdp_pages_present 7 294 | MDP auth_flags 3b 295 | MDP sw_features 3b 296 | Sonos Tupelo > ^C 297 | ``` 298 | 299 | ### References 300 | 301 | * [Sonos GPL 10.6](http://www.sonos.com/documents/gpl/10.6/gpl.html) 302 | -------------------------------------------------------------------------------- /devices/S18-One/README.md: -------------------------------------------------------------------------------- 1 | ## Sonos One (Generation 2) [S18] 2 | 3 | ![S18](images/s18-one.png?raw=true) 4 | 5 | ### Overview 6 | 7 | Sonos One (Generation 2) [S18] Smart Speaker with Voice Control 8 | 9 | * **FCC ID** - [SBVRM016](https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=bLGpZcw1Jbl9WfAEwj9jpw%3D%3D&fcc_id=SBVRM016) 10 | 11 | ### Summary 12 | 13 | Sonos One (Generation 2) [S18] is powered by an Amlogic A113D SoC (ARM 14 | Cortex-A53). Though Amlogic have a Linux distrubution called 15 | [OpenLinux](http://openlinux.amlogic.com/) the data sheet for the A113D 16 | SoC itself appears to be restricted. 17 | 18 | ### Detail 19 | 20 | The following pages contain more information about the respective components 21 | / areas of this device. 22 | 23 | 1. [Tear Down](./TEARDOWN.md) 24 | 1. [Bill Of Materials](./BOM.md) 25 | 1. [Serial Console](./CONSOLE.md) 26 | 1. [U-Boot](./UBOOT.md) 27 | 1. [MDP](./MDP.md) 28 | 1. [eFuses](./EFUSES.md) 29 | 1. [EEPROM](./EEPROM.md) 30 | 1. [JTAG / SWD](./JTAGSWD.md) 31 | 1. [Kernel](./KERNEL.md) 32 | 1. [GPL / Sources](./sources/README.md) 33 | 34 | ### References 35 | 36 | * [Amlogic OpenLinux](http://openlinux.amlogic.com/) 37 | * [Linux Kernel A113D Support](https://patchwork.kernel.org/patch/10006105/) 38 | -------------------------------------------------------------------------------- /devices/S18-One/TEARDOWN.md: -------------------------------------------------------------------------------- 1 | ## Teardown 2 | 3 | 1. [Overview](#overview) 4 | 1. [Tools](#tools) 5 | 1. [Process](#process) 6 | 1. [References](#references) 7 | 8 | ### Overview 9 | 10 | The following guide details the tear down of a Sonos One (Generation 2) [S18] 11 | in order to access the logic board. 12 | 13 | ### Tools 14 | 15 | * T8 Torx Screwdriver 16 | * T10 Torx Screwdriver 17 | * Plastic Spudger 18 | 19 | ### Process 20 | 21 | 1. Using a plastic spudger, remove the rubber feet from the base of the unit. 22 | 23 | ![teardown-002.jpg](./images/photographs/teardown-002.jpg?raw=true) 24 | 25 | 2. Remove the four bottom screws using a T10 Torx. 26 | 27 | ![teardown-003.jpg](./images/photographs/teardown-003.jpg?raw=true) 28 | 29 | 3. Gently pull the base away from the unit, using a plastic spudger if needed. 30 | 31 | ![teardown-004.jpg](./images/photographs/teardown-004.jpg?raw=true) 32 | 33 | 4. Remove the ground strap screw using a T10 Torx. 34 | 35 | ![teardown-005.jpg](./images/photographs/teardown-005.jpg?raw=true) 36 | 37 | 5. Slide the grill cover off of the unit. 38 | 39 | ![teardown-007.jpg](./images/photographs/teardown-007.jpg?raw=true) 40 | 41 | 6. Turn the device onto its front, and remove the four visible T8 Torx 42 | screws. In addition to this, gently cut the plastic film covering the 43 | four additional screws near the top of the unit. 44 | 45 | ![teardown-008.jpg](./images/photographs/teardown-008.jpg?raw=true) 46 | 47 | 7. Remove the top of the unit. The flex cable will need to be carefully 48 | disconnected from its associated connector on the top part of the unit 49 | before the top can be separated from the rest of the unit. An additional 50 | two T8 torx screws can then be accessed and removed. 51 | 52 | ![teardown-009.jpg](./images/photographs/teardown-009.jpg?raw=true) 53 | 54 | 8. Using a plastic spudger, gently remove the back panel from the unit. 55 | When separated, disconnect the speaker, antenna, and power connectors in 56 | order to separate the logic board arrangement from the rest of the unit. 57 | 58 | ![teardown-010.jpg](./images/photographs/teardown-010.jpg?raw=true) 59 | 60 | 9. Finally, remove the six remaining T10 Torx screws, and gently separate 61 | the logic board from the heatsink / back panel. 62 | 63 | ![teardown-011.jpg](./images/photographs/teardown-011.jpg?raw=true) 64 | -------------------------------------------------------------------------------- /devices/S18-One/UBOOT.md: -------------------------------------------------------------------------------- 1 | ## U-Boot 2 | 3 | 1. [Overview](#overview) 4 | 1. [Options / Commands](#options--commands) 5 | 1. [Locked](#locked) 6 | 1. [Unlocked](#unlocked) 7 | 1. [Memory Read-Out](#memory-read-out) 8 | 1. [Write-What-Where](#write-what-where) 9 | 1. [Via `write-what-where.py`](#via-write-what-wherepy) 10 | 1. [Manually](#manually) 11 | 1. [Enable Privileged Commands](#enable-privileged-commands) 12 | 13 | ### Overview 14 | 15 | Based on the Sonos employee email in the U-Boot version string it is likely 16 | that this version of U-Boot is customised for Sonos. It likely also contains 17 | Amlogic provided U-Boot patches for the A113 SoC. 18 | 19 | Unfortunately, it appears that `tftp`, `base`, and other commands which may 20 | assist in either dumping or loading data from U-Boot have been removed. 21 | 22 | Although the full scope of the differences between vanilla U-Boot and the 23 | Sonos `U-Boot 2016.11-A113-Strict-Rev0.14` version used by this unit are 24 | currently unknown, the 'vanilla' U-Boot sources for `2016.11` can be found 25 | at the following URL: 26 | 27 | * [U-Boot 2016.11](https://github.com/u-boot/u-boot/tree/29e0cfb4f77f7aa369136302cee14a91e22dca71) 28 | 29 | ### Options / Commands 30 | 31 | A brief summary of the commands available at the U-Boot prompt can be found 32 | in the following sections: 33 | 34 | #### Locked 35 | 36 | When a unit is 'locked' U-Boot is restricted to the following: 37 | 38 | ``` 39 | Sonos Tupelo > help 40 | boot - boot default, i.e., run 'bootcmd' 41 | ddp - ddputil - Diagnostic Data Page utility 42 | ddr - DDR memory Bank-Row-Col Access Test 43 | diag - perform board diagnostics 44 | help - print command description/usage 45 | i2c - I2C sub-system 46 | memtest - memtest Memory sub-system 47 | ping - send ICMP ECHO_REQUEST to network host 48 | printenv- print environment variables 49 | reset - Perform RESET of the CPU 50 | run - run commands in an environment variable 51 | saveenv - save environment variables to persistent storage 52 | setenv - set environment variables 53 | sleep - delay execution for some time 54 | sonosboot- Boot the freshest section (or optionally the least fresh) 55 | unlock - device unlock 56 | update - Upgrade U-boot image on flash 57 | usb - USB sub-system 58 | version - print monitor, compiler and linker version 59 | ``` 60 | 61 | #### Unlocked 62 | 63 | When a unit is 'unlocked' U-Boot provides the following: 64 | 65 | ``` 66 | Sonos Tupelo > help 67 | ? - alias for 'help' 68 | aml_gpio- Amlogic A113 GPIO dump 69 | audio - audio sub-system 70 | base - print or set address offset 71 | bdinfo - print Board Info structure 72 | boot - boot default, i.e., run 'bootcmd' 73 | bootd - boot default, i.e., run 'bootcmd' 74 | bootgen - displays the bootgen stored in a Sonos section 75 | booti - boot arm64 Linux Image image from memory 76 | bootp - boot image via network using BOOTP/TFTP protocol 77 | bootz - boot Linux zImage image from memory 78 | burnfuse- check and burn all security-related OTP fuses 79 | ccg3 - CCG3 sub-system 80 | cmp - memory compare 81 | coninfo - print console devices and information 82 | cp - memory copy 83 | crc32 - checksum calculation 84 | dcache - enable or disable data cache 85 | ddp - ddputil - Diagnostic Data Page utility 86 | ddr - DDR memory Bank-Row-Col Access Test 87 | dhcp - boot image via network using DHCP/TFTP protocol 88 | diag - perform board diagnostics 89 | dm - Driver model low level access 90 | echo - echo args to console 91 | editenv - edit environment variable 92 | env - environment handling commands 93 | erase - erase FLASH memory 94 | exit - exit script 95 | false - do nothing, unsuccessfully 96 | fdt - flattened device tree utility commands 97 | flinfo - print FLASH memory information 98 | go - start application at address 'addr' 99 | gpio - query and control gpio pins 100 | gpt - GUID Partition Table 101 | help - print command description/usage 102 | i2c - I2C sub-system 103 | icache - enable or disable instruction cache 104 | iminfo - print header information for application image 105 | imxtract- extract a part of a multi-image 106 | itest - return true/false on integer compare 107 | led_test- Test app for testing U-boot LED patterns 108 | loadb - load binary file over serial line (kermit mode) 109 | loads - load S-Record file over serial line 110 | loadx - load binary file over serial line (xmodem mode) 111 | loady - load binary file over serial line (ymodem mode) 112 | loop - infinite loop on address range 113 | md - memory display 114 | mdio - MDIO utility commands 115 | mdp - Display MDP or initialize the MDP and turn autodiag on 116 | really (UNSAFE) command on a secure unit 117 | memtest - memtest Memory sub-system 118 | mii - MII utility commands 119 | mm - memory modify (auto-incrementing address) 120 | mmc - MMC sub system 121 | mmcinfo - display MMC info 122 | mw - memory write (fill) 123 | nm - memory modify (constant address) 124 | pci - list and access PCI Configuration Space 125 | ping - send ICMP ECHO_REQUEST to network host 126 | printenv- print environment variables 127 | protect - enable or disable FLASH write protection 128 | rarpboot- boot image via network using RARP/TFTP protocol 129 | reset - Perform RESET of the CPU 130 | run - run commands in an environment variable 131 | saveenv - save environment variables to persistent storage 132 | setenv - set environment variables 133 | setexpr - set environment variable as the result of eval expression 134 | showvar - print local hushshell variables 135 | sleep - delay execution for some time 136 | smi - smi - isues read/write command on smi for switch registers 137 | socfuse - read and write SoC-specific OTP fuses 138 | sonosboot- Boot the freshest section (or optionally the least fresh) 139 | source - run script from memory 140 | temp - DIAG: display CPU/PA board temperature 141 | test - minimal test like /bin/sh 142 | tftpboot- boot image via network using TFTP protocol 143 | true - do nothing, successfully 144 | unlock - device unlock 145 | update - Upgrade U-boot image on flash 146 | upgrade - Upgrade a section/kernel/rootfs 147 | usb - USB sub-system 148 | version - print monitor, compiler and linker version 149 | ``` 150 | 151 | ### Memory Read-Out 152 | 153 | Arbitrary memory read-out has been achived by abusing the `i2c` commands 154 | present in the version of U-Boot as shipped with the unit. Though the use of 155 | Python, and the [serial console](./CONSOLE.md) it is possible to read and 156 | write to memory 1-byte at a time. 157 | 158 | The following script (`i2c-thief.py`) provides a working example of how this 159 | can be achieved. 160 | 161 | * [i2c-thief.py](./scripts/i2c-thief.py) 162 | 163 | ### Write-What-Where 164 | 165 | A write-what-where primitive is possible by using the i2c bus, and a writable 166 | register on a device already present - such as the PWM register of the LP5562 167 | LED controller. This process effectively abuses the i2c bus and the LP5562 LED 168 | controller (which controls the lights on the top of the unit) in order to 169 | provide a 'staging area' for bytes to allow for run-time patching of U-Boot. 170 | 171 | #### Via `write-what-where.py` 172 | 173 | This example allows for overwriting arbitrary memory with the provided 174 | values: 175 | 176 | ``` 177 | $ python3 write-what-where.py 178 | Usage: write-what-where.py
179 | ``` 180 | 181 | * [write-what-where.py](./scripts/write-what-where.py) 182 | 183 | #### Manually 184 | 185 | The crux of this example is to flip the `op` bit to convert instruction 186 | `CBZ` (`0x34`) to `CBNZ` (`0x35`) in the `sonosboot` U-Boot command. This 187 | will cause the `enable_console=1` argument to be added to the Linux Kernel 188 | boot arguments (`init`). 189 | 190 | 0. Trigger an Abort by attempting to read from trustzone addresses to leak 191 | the address of the `i2c_write` function via the `ELR`. Calculate the base 192 | address by subtracting the known offset of this address from the address in 193 | the `ELR` register. In the case of this version of U-Boot on this platform 194 | this offset is `0x2C494`, and thus base address is `0x3FF21000`. 195 | ``` 196 | i2c write 0x82000030 0x51 0x00 0x1 197 | ``` 198 | 199 | 1. Read initial opcode bits from instruction at `0x1005830` to LED controller 200 | (`LP5562`) PWM register. 201 | ``` 202 | i2c write 0x3ff26833 0x30 0x70 0x1 203 | ``` 204 | 205 | 2. Get the initial instruction value from the LP5562 PWM register to ensure 206 | it is an `CBZ` (`0x34`) instruction as expected. 207 | ``` 208 | i2c md 0x30 0x70 0x1 209 | ``` 210 | 211 | 3. Flip the `op` bit in the instruction to patch to `CBNZ` (`0x35`), and write 212 | to the LP5562 PWM register. This is required as only values that already exist 213 | somewhere on the i2c bus can be written into memory, so this register is used 214 | as a 'spool'. 215 | ``` 216 | i2c mw 0x30 0x70 0x35 217 | i2c md 0x30 0x70 0x1 218 | ``` 219 | 220 | 4. Read the new instruction from the i2c bus into memory over the top of the 221 | old `CBZ` instruction. 222 | ``` 223 | i2c read 0x30 0x70 0x1 0x3ff26833 224 | ``` 225 | 226 | 5. Confirm the write by reading back to the PWM register to confirm the write 227 | was successful. 228 | ``` 229 | i2c write 0x3ff26833 0x30 0x70 0x1 230 | i2c md 0x30 0x70 0x1 231 | ``` 232 | 233 | 6. Boot the device. 234 | ``` 235 | sonosboot 236 | ``` 237 | 238 | 7. Observe the new console output, though no shell due to additional checks 239 | implemented by Sonos in `secure_console.sh`. 240 | 241 | 8. Be sad :( 242 | 243 | ### Enable Privileged Commands 244 | 245 | The version of U-Boot which ships with the Sonos One (Generation 2) [S18] 246 | appears to contain a number of 'privileged' commands which are only enabled 247 | on a unit marked as being 'unlocked'. 248 | 249 | It's possible to patch the check used by U-Boot to determine whether the 250 | device is 'unlocked' by patching a `CBNZ` and `MOV` operation to force the 251 | procedure to return `0x1` rather than `0x0`. The procedure itself is at 252 | `0x100CCEC` and has been labelled as the author as `is_device_locked` based 253 | on its operation. 254 | 255 | 1. Try MDP (privileged) command, to confirm it is not accessible. 256 | ```shell 257 | stty -F /dev/ttyUSB0 min 100 time 2 258 | echo 'mdp' > /dev/ttyUSB0 && cat /dev/ttyUSB0 259 | 260 | ``` 261 | 2. Patch `CBNZ` to `CBZ` in `is_device_locked`. 262 | 263 | ```shell 264 | python3 i2c-thief.py 0x100CD14 0x100CD18 265 | python3 write-what-where.py 0x100CD17 0x34 266 | ``` 267 | 268 | 3. Patch `MOV W0, #0` to `MOV W0, #1` in `is_device_locked`. 269 | ```shell 270 | python3 i2c-thief.py 0x100CDAC 0x100CDB0 271 | python3 write-what-where.py 0x100CDAC 0x20 272 | ``` 273 | 274 | 4. Try MDP command again. 275 | ```shell 276 | stty -F /dev/ttyUSB0 min 100 time 2 277 | echo 'mdp' > /dev/ttyUSB0 && cat /dev/ttyUSB0 278 | ``` 279 | 280 | 5. Be happy :) 281 | -------------------------------------------------------------------------------- /devices/S18-One/datasheets/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/datasheets/.gitignore -------------------------------------------------------------------------------- /devices/S18-One/dumps/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/dumps/.gitignore -------------------------------------------------------------------------------- /devices/S18-One/dumps/j3-console-boot.txt: -------------------------------------------------------------------------------- 1 | AXG:BL1:d1dbf2:a4926f;FEAT:F0D4219C:3000;POC:F;EMMC:0;READ:0;0.0;0.0;CHK:0; 2 | sdio debug board detected 3 | TE: 201193 4 | 5 | BL2 Built : 17:22:55, Oct 4 2018. axg g - secbuild@LIN-200 6 | 7 | set vcck to 1100 mv 8 | set vddee to 950 mv 9 | Board ID = 8 10 | CPU clk: 1200MHz 11 | DDR3 chl: Rank0 16bit @ 912MHz 12 | bist_test rank: 0 1b 04 32 24 0c 3c 1e 07 35 26 0e 3e 00 00 00 00 00 00 00 00 00 00 00 00 772 - PASS 13 | Rank0: 1024MB(auto)-2T-13 14 | AddrBus test pass! 15 | -s 16 | my cpuid 25:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE: 17 | whitelist check completed 18 | Load FIP HDR from eMMC, src: 0x0000c200, des: 0x01700000, size: 0x00004000 19 | emmc load img ok 20 | Load BL3x from eMMC, src: 0x00010200, des: 0x01704000, size: 0x000b4000 21 | emmc load img ok 22 | NOTICE: BL31: v1.3(release):ee6c709 23 | NOTICE: BL31: Built : 12:35:15, May 1 2018 24 | NOTICE: BL31: AXG secure boot! 25 | [Image: axg_v1.1.3255-86bca5b-dirty 2018-08-09 12:22:25 alex.deng@droid13-sz] 26 | OPS=0x23 27 | 22 51 40 f6 be 6 e8 60 af 8e 42 bc bl30:axg ver: 9 mode: 0 28 | bl30:axg thermal0 29 | [0.017586 Inits done] 30 | secure task start! 31 | high task start! 32 | low task start! 33 | ��ROR: tnitializing runtime service opteed_fast 34 | 35 | U-Boot 2016.11-A113-Strict-Rev0.14 (Oct 04 2018 - 17:21:58 -0400), Build: jenkins-mainline-uboot-ondemand-87 36 | 37 | SoC: Amlogic A113 38 | Board: Sonos Tupelo Revision 0x01 39 | I2C: ready 40 | DRAM: 1 GiB 41 | MMC: SDIO Port C: 0 42 | *** Warning - bad CRC, using default environment 43 | 44 | PCI: 45 | 00:00.0 - 16c3:abcd - Bridge device 46 | 01:00.0 - 14c3:7615 - Build before PCI Rev2.0 47 | In: serial 48 | Out: serial 49 | Err: serial 50 | Net: dwmac.ff3f0000 51 | checking cpuid whitelist (my cpuid is 25:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE)... 52 | whitelist check completed 53 | Hit any key to stop autoboot: 0 54 | burn_at_boot: DISABLE_JTAG fuse already set 55 | pending_unlock: no pending DevUnlock 56 | Image header on sect 0 57 | Magic: 536f7821 58 | Version 1 59 | Bootgen 0 60 | Kernel Offset 40 61 | Kernel Checksum 7617c654 62 | Kernel Length 69d89c 63 | Rootfs Offset 0 64 | Rootfs Checksum 0 65 | Rootfs Length 0 66 | Rootfs Format 2 67 | Image header on sect 1 68 | Magic: 536f7821 69 | Version 40 70 | Kernel Checksum 7617c654 71 | Kernel Length 69d89c 72 | Rootfs Offset 0 73 | Rootfs Checksum 0 74 | Rootfs Length 0 75 | Rootfs Format 2 76 | Both headers OK,Length 0 77 | Rootfs Format 2 78 | Both headers OK, bootgens 0 2 79 | uboot: section-1 selected 80 | boot_state 0 81 | 364 byte kernel signature verified successfully 82 | disable_usb: DISABLE_USB_BOOT fuse already set 83 | srk_fuses: not revoking any more SRK keys (0x1) 84 | srk_fuses: locking SRK revocation fuses 85 | Start the watchdog timer before starting the kernel... 86 | ## Loading kernel from FIT Image at 00100040 ... 87 | Using 'conf@18' configuration 88 | Trying 'kernel@1' kernel subimage 89 | Description: Sonos Linux kernel for A113 90 | Type: Kernel Image 91 | Compression: gzip compressed 92 | Data Start: 0x00100128 93 | Data Size: 6735332 Bytes = 6.4 MiB 94 | Architecture: AArch64 95 | OS: Linux 96 | Load Address: 0x01080000 97 | Entry Point: 0x01080000 98 | Hash algo: crc32 99 | Hash value: 1fe7e1a4 100 | Verifying Hash Integrity ... crc32+ OK 101 | ## Loading fdt from FIT Image at 00100040 ... 102 | Using 'conf@18' configuration 103 | Trying 'fdt@18' fdt subimage 104 | Description: Flattened Device Tree Sonos Tupelo V1 105 | Type: Flat Device Tree 106 | Compression: uncompressed 107 | Data Start: 0x00795148 108 | Data Size: 32561 Bytes = 31.8 KiB 109 | Architecture: AArch64 110 | Hash algo: crc32 111 | Hash value: 7a0d253a 112 | Verifying Hash Integrity ... crc32+ OK 113 | Booting using the fdt blob at 0x795148 114 | Uncompressing Kernel Image ... OK 115 | Loading Device Tree to 000000003f3f2000, end 000000003f3fcf30 ... OK 116 | 117 | Starting kernel ... 118 | 119 | domain-0 init dvfs: 4 120 | -------------------------------------------------------------------------------- /devices/S18-One/dumps/j3-linux-boot.txt: -------------------------------------------------------------------------------- 1 | Sonos Tupelo > sonosboot 2 | burn_at_boot: DISABLE_JTAG fuse already set 3 | pending_unlock: no pending DevUnlock 4 | Image header on sect 0 5 | Magic: 536f7821 6 | Version 1 7 | Bootgen 0 8 | Kernel Offset 40 9 | Kernel Checksum 7617c654 10 | Kernel Length 69d89c 11 | Rootfs Offset 0 12 | Rootfs Checksum 0 13 | Rootfs Length 0 14 | Rootfs Format 2 15 | Image header on sect 1 16 | Magic: 536f7821 17 | Version 1 18 | Bootgen 2 19 | Kernel Offset 40 20 | Kernel Checksum 7617c654 21 | Kernel Length 69d89c 22 | Rootfs Offset 0 23 | Rootfs Checksum 0 24 | Rootfs Length 0 25 | Rootfs Format 2 26 | Both headers OK, bootgens 0 2 27 | uboot: section-1 selected 28 | boot_state 0 29 | 364 byte kernel signature verified successfully 30 | disable_usb: DISABLE_USB_BOOT fuse already set 31 | srk_fuses: not revoking any more SRK keys (0x1) 32 | srk_fuses: locking SRK revocation fuses 33 | Start the watchdog timer before starting the kernel... 34 | ## Loading kernel from FIT Image at 00100040 ... 35 | Using 'conf@18' configuration 36 | Trying 'kernel@1' kernel subimage 37 | Description: Sonos Linux kernel for A113 38 | Type: Kernel Image 39 | Compression: gzip compressed 40 | Data Start: 0x00100128 41 | Data Size: 6735332 Bytes = 6.4 MiB 42 | Architecture: AArch64 43 | OS: Linux 44 | Load Address: 0x01080000 45 | Entry Point: 0x01080000 46 | Hash algo: crc32 47 | Hash value: 1fe7e1a4 48 | Verifying Hash Integrity ... crc32+ OK 49 | ## Loading fdt from FIT Image at 00100040 ... 50 | Using 'conf@18' configuration 51 | Trying 'fdt@18' fdt subimage 52 | Description: Flattened Device Tree Sonos Tupelo V1 53 | Type: Flat Device Tree 54 | Compression: uncompressed 55 | Data Start: 0x00795148 56 | Data Size: 32561 Bytes = 31.8 KiB 57 | Architecture: AArch64 58 | Hash algo: crc32 59 | Hash value: 7a0d253a 60 | Verifying Hash Integrity ... crc32+ OK 61 | Booting using the fdt blob at 0x795148 62 | Uncompressing Kernel Image ... OK 63 | Loading Device Tree to 000000003f3f2000, end 000000003f3fcf30 ... OK 64 | 65 | Starting kernel ... 66 | 67 | [ 0.000000@0] PID hash table entries: 4096 (order: 3, 32768 bytes) 68 | [ 0.000000@0] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes) 69 | [ 0.000000@0] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes) 70 | [ 0.000000@0] Memory: 994508K/1047552K available (7102K kernel code, 488K rwdata, 2192K rodata, 2240K init, 902K bss, 32564K reserved, 20480K cma-reserved) 71 | [ 0.000000@0] Virtual kernel memory layout: 72 | [ 0.000000@0] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB) 73 | [ 0.000000@0] vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000 ( 250 GB) 74 | [ 0.000000@0] .text : 0xffffff8009080000 - 0xffffff8009770000 ( 7104 KB) 75 | [ 0.000000@0] .rodata : 0xffffff8009770000 - 0xffffff80099a0000 ( 2240 KB) 76 | [ 0.000000@0] .init : 0xffffff80099a0000 - 0xffffff8009bd0000 ( 2240 KB) 77 | [ 0.000000@0] .data : 0xffffff8009bd0000 - 0xffffff8009c4a008 ( 489 KB) 78 | [ 0.000000@0] .bss : 0xffffff8009c4a008 - 0xffffff8009d2bb84 ( 903 KB) 79 | [ 0.000000@0] fixed : 0xffffffbefe7fd000 - 0xffffffbefec00000 ( 4108 KB) 80 | [ 0.000000@0] PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000 ( 16 MB) 81 | [ 0.000000@0] vmemmap : 0xffffffbf00000000 - 0xffffffc000000000 ( 4 GB maximum) 82 | [ 0.000000@0] 0xffffffbf00004000 - 0xffffffbf01000000 ( 15 MB actual) 83 | [ 0.000000@0] memory : 0xffffffc000100000 - 0xffffffc040000000 ( 1023 MB) 84 | [ 0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 85 | [ 0.000000@0] Preemptible hierarchical RCU implementation. 86 | [ 0.000000@0] Build-time adjustment of leaf fanout to 64. 87 | [ 0.000000@0] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=4. 88 | [ 0.000000@0] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=4 89 | [ 0.000000@0] NR_IRQS:64 nr_irqs:64 0 90 | [ 0.000000@0] axg_aoclkc_init: register ao clk ok![ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk 91 | [ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk 92 | [ 0.000000@0] axg_amlogic_init_media: register meson media clk 93 | [ 0.000000@0] axg_amlogic_init_misc: register amlogic axg misc clks 94 | [ 0.000000@0] axg_amlogic_init_misc: register amlogic sdemmc clk 95 | [ 0.000000@0] axg_clkc_init initialization complete 96 | [ 0.000000@0] arm_arch_timer: Architected cp15 timer(s) running at 24.00MHz (phys). 97 | [ 0.000000@0] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns 98 | [ 0.000004@0] sched_clock: 56 bits at 24MHz, resolution 41ns, wraps every 4398046511097ns 99 | [ 0.008249@0] meson_bc_timer: mclk->mux_reg =ffffff8008008190,mclk->reg =ffffff800800a194 100 | [ 0.016765@0] Console: colour dummy device 80x25 101 | [ 0.021106@0] Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=96000) 102 | [ 0.031586@0] pid_max: default: 32768 minimum: 301 103 | [ 0.036457@0] Security Framework initialized 104 | [ 0.040695@0] SELinux: Initializing. 105 | [ 0.044429@0] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes) 106 | [ 0.051283@0] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes) 107 | [ 0.059450@0] sched-energy: CPU device node has no sched-energy-costs 108 | [ 0.065140@0] Invalid sched_group_energy for CPU0 109 | [ 0.069832@0] CPU0: update cpu_capacity 1024 110 | [ 0.074130@0] ASID allocator initialised with 65536 entries 111 | [ 0.112281@0] Meson chip version = RevB (25:B - 23:0) 112 | [ 0.148046@1] Detected VIPT I-cache on CPU1 113 | [ 0.148099@1] Invalid sched_group_energy for CPU1 114 | [ 0.148102@1] CPU1: update cpu_capacity 1024 115 | [ 0.148105@1] CPU1: Booted secondary processor [410fd034] 116 | [ 0.176076@2] Detected VIPT I-cache on CPU2 117 | [ 0.176112@2] Invalid sched_group_energy for CPU2 118 | [ 0.176115@2] CPU2: update cpu_capacity 1024 119 | [ 0.176118@2] CPU2: Booted secondary processor [410fd034] 120 | [ 0.204130@3] Detected VIPT I-cache on CPU3 121 | [ 0.204162@3] Invalid sched_group_energy for CPU3 122 | [ 0.204165@3] CPU3: update cpu_capacity 1024 123 | [ 0.204167@3] CPU3: Booted secondary processor [410fd034] 124 | [ 0.204237@0] Brought up 4 CPUs 125 | [ 0.257627@0] SMP: Total of 4 processors activated. 126 | [ 0.262534@0] CPU features: detected feature: 32-bit EL0 Support 127 | [ 0.268610@0] CPU: All CPU(s) started at EL2 128 | [ 0.272876@0] alternatives: patching kernel code 129 | [ 0.277615@0] Invalid sched_group_energy for CPU3 130 | [ 0.282224@0] Invalid sched_group_energy for Cluster3 131 | [ 0.287295@0] Invalid sched_group_energy for CPU2 132 | [ 0.292020@0] Invalid sched_group_energy for Cluster2 133 | [ 0.297095@0] Invalid sched_group_energy for CPU1 134 | [ 0.301820@0] Invalid sched_group_energy for Cluster1 135 | [ 0.306894@0] Invalid sched_group_energy for CPU0 136 | [ 0.311620@0] Invalid sched_group_energy for Cluster0 137 | [ 0.317342@0] devtmpfs: initialized 138 | [ 0.328243@0] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns 139 | [ 0.332591@0] futex hash table entries: 1024 (order: 5, 131072 bytes) 140 | [ 0.339638@0] pinctrl core: initialized pinctrl subsystem 141 | [ 0.345613@0] NET: Registered protocol family 16 142 | [ 0.365175@0] cpuidle: using governor menu 143 | [ 0.365518@0] vdso: 2 pages (1 code @ ffffff8009777000, 1 data @ ffffff8009bd4000) 144 | [ 0.371274@0] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers. 145 | [ 0.379264@0] DMA: preallocated 256 KiB pool for atomic allocations 146 | [ 0.385058@0] pstore: using zlib compression 147 | [ 0.389314@0] console [pstore-1] enabled 148 | [ 0.393007@0] pstore: Registered ramoops as persistent store backend 149 | [ 0.399173@0] ramoops: attached 0x100000@0x7400000, ecc: 0/0 150 | domain-0 init dvfs: 4 151 | [ 0.413081@0] aml_iomap: amlogic iomap probe done 152 | [ 0.425346@0] aml_snd_reg_map[0], reg:ff632000, size:20 153 | [ 0.425397@0] aml_snd_reg_map[1], reg:ff642000, size:2000 154 | [ 0.430380@0] aml snd iomap probe done 155 | [ 0.475760@1] vgaarb: loaded 156 | [ 0.476127@1] usbcore: registered new interface driver usbfs 157 | [ 0.478900@1] usbcore: registered new interface driver hub 158 | [ 0.484306@1] usbcore: registered new device driver usb 159 | [ 0.489794@1] pps_core: LinuxPPS API ver. 1 registered 160 | [ 0.494631@1] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti 161 | [ 0.504021@1] PTP clock support registered 162 | [ 0.508762@1] spicc ffd13000.spicc_a: dma_en=0 163 | [ 0.512599@1] spicc ffd13000.spicc_a: irq = 0x86 164 | [ 0.517181@1] spicc ffd13000.spicc_a: delay_control=21 165 | [ 0.522346@1] spicc ffd13000.spicc_a: enhance=1 166 | [ 0.526933@1] spicc ffd13000.spicc_a: get reset failed 167 | [ 0.532116@1] spicc ffd13000.spicc_a: enhance_dlyctl=0x0 168 | [ 0.537628@1] spicc ffd13000.spicc_a: master is unqueued, this is deprecated 169 | [ 0.544698@1] spicc ffd13000.spicc_a: cs_num=1 170 | [ 0.549254@1] amlogic-pcie f9800000.pcieA: amlogic_pcie_probe! 171 | [ 0.554890@1] amlogic-pcie f9800000.pcieA: GPIO pad: reset low 172 | [ 0.580999@1] OF: PCI: host bridge /pcieA@f9800000 ranges: 173 | [ 0.581039@1] OF: PCI: MEM 0xf9c00000..0xf9efffff -> 0x00000000 174 | [ 0.588044@1] amlogic-pcie f9800000.pcieA: Set the RC Bus Master, Memory Space and I/O Space enables. 175 | [ 0.596252@1] amlogic-pcie f9800000.pcieA: normal gpio 176 | [ 0.712881@1] amlogic-pcie f9800000.pcieA: link up 177 | [ 0.713085@1] amlogic-pcie f9800000.pcieA: PCI host bridge to bus 0000:00 178 | [ 0.718870@1] pci_bus 0000:00: root bus resource [bus 00-ff] 179 | [ 0.724553@1] pci_bus 0000:00: root bus resource [mem 0xf9c00000-0xf9efffff] (bus address [0x00000000-0x002fffff]) 180 | [ 0.734980@1] amlogic-pcie f9800000.pcieA: the device class is not reported correctly from the register 181 | [ 0.745223@1] pci 0000:01:00.0: can't set Max Payload Size to 256; if necessary, use "pci=pcie_bus_safe" and report a bug 182 | [ 0.755924@1] pci 0000:00:00.0: BAR 8: assigned [mem 0xf9c00000-0xf9cfffff] 183 | [ 0.762453@1] pci 0000:00:00.0: BAR 6: assigned [mem 0xf9d00000-0xf9d0ffff pref] 184 | [ 0.769878@1] pci 0000:01:00.0: BAR 0: assigned [mem 0xf9c00000-0xf9cfffff 64bit] 185 | [ 0.777446@1] pci 0000:00:00.0: PCI bridge to [bus 01] 186 | [ 0.782561@1] pci 0000:00:00.0: bridge window [mem 0xf9c00000-0xf9cfffff] 187 | [ 0.789723@1] Advanced Linux Sound Architecture Driver Initialized. 188 | [ 0.796412@1] Bluetooth: Core ver 2.22 189 | [ 0.799671@1] NET: Registered protocol family 31 190 | [ 0.804278@1] Bluetooth: HCI device and connection manager initialized 191 | [ 0.810833@1] Bluetooth: HCI socket layer initialized 192 | [ 0.815903@1] Bluetooth: L2CAP socket layer initialized 193 | [ 0.821181@1] Bluetooth: SCO socket layer initialized 194 | [ 0.826238@1] NetLabel: Initializing 195 | [ 0.829799@1] NetLabel: domain hash size = 128 196 | [ 0.834355@1] NetLabel: protocols = UNLABELED CIPSOv4 197 | [ 0.839580@1] NetLabel: unlabeled traffic allowed by default 198 | [ 0.845728@1] clocksource: Switched to clocksource arch_sys_counter 199 | [ 0.851730@1] VFS: Disk quotas dquot_6.6.0 200 | [ 0.855770@1] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) 201 | [ 0.872130@3] jtag: module init 202 | [ 0.872482@3] NET: Registered protocol family 2 203 | [ 0.874787@3] TCP established hash table entries: 8192 (order: 4, 65536 bytes) 204 | [ 0.881516@3] TCP bind hash table entries: 8192 (order: 5, 131072 bytes) 205 | [ 0.888300@3] TCP: Hash tables configured (established 8192 bind 8192) 206 | [ 0.894851@3] UDP hash table entries: 512 (order: 2, 16384 bytes) 207 | [ 0.900890@3] UDP-Lite hash table entries: 512 (order: 2, 16384 bytes) 208 | [ 0.907636@3] NET: Registered protocol family 1 209 | [ 0.912360@3] RPC: Registered named UNIX socket transport module. 210 | [ 0.918105@3] RPC: Registered udp transport module. 211 | [ 0.922999@3] RPC: Registered tcp transport module. 212 | [ 0.927894@3] RPC: Registered tcp NFSv4.1 backchannel transport module. 213 | [ 1.004177@3] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available 214 | [ 1.009274@3] audit: initializing netlink subsys (disabled) 215 | [ 1.012168@3] audit: type=2000 audit(0.924:1): initialized 216 | [ 1.018310@3] workingset: timestamp_bits=62 max_order=18 bucket_order=0 217 | [ 1.032926@3] proc_dmverity_init 218 | [ 1.034289@3] squashfs: version 4.0 (2009/01/31) Phillip Lougher 219 | [ 1.038767@3] fuse init (API version 7.26) 220 | [ 1.044562@3] NET: Registered protocol family 38 221 | [ 1.045297@3] Key type asymmetric registered 222 | [ 1.049862@3] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 247) 223 | [ 1.057219@3] io scheduler noop registered 224 | [ 1.061311@3] io scheduler deadline registered (default) 225 | [ 1.066841@3] io scheduler cfq registered 226 | [ 1.079215@3] Unable to detect cache hierarchy from DT for CPU 0 227 | [ 1.085764@3] loop: module loaded 228 | [ 1.086064@3] libphy: Fixed MDIO Bus: probed 229 | [ 1.088819@3] meson6-dwmac ff3f0000.ethernet: no reset control found 230 | [ 1.094141@3] stmmac - user ID: 0x11, Synopsys ID: 0x37 231 | [ 1.099364@3] Ring mode enabled 232 | [ 1.102601@3] DMA HW capability register supported[ 1.107327@3] Normal descriptors 233 | [ 1.110650@3] RX Checksum Offload Engine supported 234 | [ 1.115546@3] COE Type 2 235 | [ 1.118174@3] TX Checksum insertion supported 236 | [ 1.122633@3] Wake-Up On Lan supported 237 | [ 1.126551@3] Enable RX Mitigation via HW Watchdog Timer 238 | [ 1.134895@3] libphy: stmmac: probed 239 | [ 1.135495@3] eth%d: PHY ID 2000a240 at 1 IRQ POLL (stmmac-0:01) active 240 | [ 1.143188@3] usbcore: registered new interface driver r8152 241 | [ 1.147942@3] usbcore: registered new interface driver asix 242 | [ 1.153512@3] usbcore: registered new interface driver ax88179_178a 243 | [ 1.159797@3] usbcore: registered new interface driver cdc_ether 244 | [ 1.165839@3] usbcore: registered new interface driver net1080 245 | [ 1.171696@3] usbcore: registered new interface driver cdc_subset 246 | [ 1.177817@3] usbcore: registered new interface driver zaurus 247 | [ 1.183622@3] usbcore: registered new interface driver cdc_ncm 248 | [ 1.190038@3] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver 249 | [ 1.196154@3] ehci-pci: EHCI PCI platform driver 250 | [ 1.200861@3] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver 251 | [ 1.207200@3] ohci-pci: OHCI PCI platform driver 252 | [ 1.212270@3] usbcore: registered new interface driver cdc_acm 253 | [ 1.217682@3] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters 254 | [ 1.226011@3] usbcore: registered new interface driver usbserial 255 | [ 1.232018@3] usbcore: registered new interface driver usbtest 256 | [ 1.237857@3] usbcore: registered new interface driver usb_ehset_test 257 | [ 1.244388@3] i2c /dev entries driver 258 | [ 1.248423@3] device-mapper: ioctl: 4.35.0-ioctl (2016-06-23) initialised: dm-devel@redhat.com 259 | [ 1.256753@3] Bluetooth: HCI UART driver ver 2.3 260 | [ 1.261246@3] Bluetooth: HCI UART protocol H4 registered 261 | [ 1.266573@3] Bluetooth: HCI UART protocol BCSP registered 262 | [ 1.273056@3] cpu cpu0: bL_cpufreq_init: CPU 0 initialized 263 | [ 1.277694@3] arm_big_little: bL_cpufreq_register: Registered platform driver: scpi 264 | [ 1.286900@3] usbcore: registered new interface driver usbhid 265 | [ 1.291097@3] usbhid: USB HID core driver 266 | [ 1.295890@0] ff803000.serial: clock gate not found 267 | [ 1.300079@0] meson_uart ff803000.serial: ==uart0 reg addr = ffffff800830d000 268 | [ 1.307275@0] ff803000.serial: ttyS0 at MMIO 0xff803000 (irq = 129, base_baud = 1500000) is a meson_uart 269 | [ 1.322302@0] meson_uart ff803000.serial: ttyS0 use xtal(8M) 24000000 change 0 to 115200 270 | [ 1.324896@0] console [ttyS0] enabled 271 | [ 1.324896@0] console [ttyS0] enabled 272 | [ 1.332176@0] bootconsole [aml_uart0] disabled 273 | [ 1.332176@0] bootconsole [aml_uart0] disabled 274 | [ 1.341290@0] ff804000.serial: clock gate not found 275 | [ 1.345791@0] meson_uart ff804000.serial: ==uart1 reg addr = ffffff8008321000 276 | [ 1.352854@0] ff804000.serial: ttyS1 at MMIO 0xff804000 (irq = 130, base_baud = 1500000) is a meson_uart 277 | [ 1.362841@0] secmon secmon: assigned reserved memory node linux,secmon 278 | [ 1.369195@0] secmon: share in base: 0xffffffc0050fe000, share out base: 0xffffffc0050ff000 279 | [ 1.377046@0] secmon: phy_in_base: 0x50fe000, phy_out_base: 0x50ff000 280 | [ 1.388101@2] clkmsr: msr_clk_reg0=ffffff800834a004,msr_clk_reg2=ffffff800834c00c 281 | [ 1.390982@2] clkmsr: clkmsr: driver init 282 | [ 1.395348@2] aml_aes_dma ff63e000.aml_aes: Aml AES_dma 283 | [ 1.400597@2] aml_tdes_dma ff63e000.aml_tdes: Aml TDES_dma 284 | [ 1.406164@2] aml_sha_dma ff63e000.aml_sha: Aml SHA1/SHA224/SHA256 dma 285 | [ 1.412532@2] efuse efuse: probe OK! 286 | [ 1.416535@2] meson-mmc: mmc driver version: 3.02, 2017-05-15: New Emmc Host Controller 287 | [ 1.461755@2] meson-mmc: meson_mmc_probe() : success! 288 | [ 1.466312@1] aml_vrtc rtc: rtc core: registered aml_vrtc as rtc0 289 | [ 1.467715@1] aml_unifykeys_init done! 290 | [ 1.471122@1] storage: storage in base: 0xffffffc005000000 291 | [ 1.476407@1] storage: storage out base: 0xffffffc005040000 292 | [ 1.481920@1] storage: storage block base: 0xffffffc005080000 293 | [ 1.487610@1] storage: probe done! 294 | [ 1.491179@1] audio_dsp: [dsp]register dsp to char divece(257) 295 | [ 1.502553@1] asoc debug: aml_audio_controller_probe-115 296 | [ 1.502951@1] aml-audio-clocks ff642000.audio_clocks: aml_audio_clocks_probe register audio gate clks 297 | [ 1.512368@1] meson-pinctrl pinctrl@ff634480: function 'gen_clk' not supported 298 | [ 1.518569@1] meson-pinctrl pinctrl@ff634480: invalid function gen_clk in map table 299 | [ 1.526207@1] id = 0 300 | [ 1.528484@1] meson-pinctrl pinctrl@ff634480: function 'gen_clk' not supported 301 | [ 1.535456@1] meson-pinctrl pinctrl@ff634480: invalid function gen_clk in map table 302 | [ 1.543102@1] aml_tdm_platform_probe, try register soc platform 303 | [ 1.550054@1] aml_pdm_platform_probe pdm filter mode from dts:1 304 | [ 1.551544@2] meson-aml-mmc ffe07000.emmc: divider requested rate 52000000 != actual rate 49999952: ret=0 305 | [ 1.551621@2] meson-aml-mmc ffe07000.emmc: divider requested rate 52000000 != actual rate 49999952: ret=0 306 | [ 1.553165@2] meson-aml-mmc ffe07000.emmc: divider requested rate 52000000 != actual rate 49999952: ret=0 307 | [ 1.553169@2] meson-mmc: emmc: try set sd/emmc to DDR mode 308 | [ 1.553710@2] emmc: new DDR MMC card at address 0001 309 | [ 1.554457@2] emmc: clock 49999952, 8-bit-bus-width 310 | [ 1.554457@2] 311 | [ 1.554458@2] mmcblk0: emmc:0001 M62704 3.56 GiB 312 | [ 1.554666@2] mmcblk0boot0: emmc:0001 M62704 partition 1 2.00 MiB 313 | [ 1.558881@2] mmcblk0boot1: emmc:0001 M62704 partition 2 2.00 MiB 314 | [ 1.563116@2] mmcblk0rpmb: emmc:0001 M62704 partition 3 512 KiB 315 | [ 1.567160@2] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 316 | [ 1.627847@1] aml_pdm_platform_probe, register soc platform 317 | [ 1.634187@1] NET: Registered protocol family 10 318 | [ 1.639143@1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver 319 | [ 1.644607@1] NET: Registered protocol family 17 320 | [ 1.648680@1] Bluetooth: RFCOMM TTY layer initialized 321 | [ 1.653542@1] Bluetooth: RFCOMM socket layer initialized 322 | [ 1.658831@1] Bluetooth: RFCOMM ver 1.11 323 | [ 1.662678@1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3 324 | [ 1.668097@1] Bluetooth: BNEP filters: protocol multicast 325 | [ 1.673450@1] Bluetooth: BNEP socket layer initialized 326 | [ 1.678532@1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2 327 | [ 1.684579@1] Bluetooth: HIDP socket layer initialized 328 | [ 1.689681@1] Key type dns_resolver registered 329 | [ 1.695002@1] registered taskstats version 1 330 | [ 1.699407@1] Key type encrypted registered 331 | [ 1.710804@1] aml_pdm_probe 332 | [ 1.710852@1] aml_pdm_dai_probe 333 | [ 1.711092@1] asoc aml_dai_set_tdm_fmt, 0x4211, ffffffc03c950418, id(0), clksel(0) 334 | [ 1.718657@1] pad clk ctl value:3 335 | [ 1.721882@1] sclk_ph0 (pad) clk ctl set:1 336 | [ 1.725930@1] master_mode(1), binv(0), finv(1) out_skew(1), in_skew(3) 337 | [ 1.732717@1] asoc-aml-card meson_sound: sonos-soundcard <-> TDM-A mapping ok 338 | [ 1.739625@1] aml_pdm_pcm_new dai->name: ff642000.audiobus:pdm dai->id: 0 339 | [ 1.746288@1] asoc-aml-card meson_sound: sonos-soundcard <-> ff642000.audiobus:pdm mapping ok 340 | [ 1.755864@1] snd_card_add_kcontrols card:ffffffc03c8e2818 341 | [ 1.761265@3] aml_vrtc rtc: setting system clock to 2015-01-01 00:36:21 UTC (1) 342 | [ 1.768329@3] cpucore_cooling_register, max_cpu_core_num:4 343 | [ 1.780614@3] gxbb_pm: enter meson_pm_probe! 344 | [ 1.780711@3] gxbb_pm: meson_pm_probe done 345 | [ 1.783v[ 1.789850@3] meson_uart ff803000.serial: ttyS0 use xtal(8M) 24000000 change 115200 to 115200 346 | [ 1.793821@3] Freeing unused kernel memory: 2240K 347 | [ 1.797474@3] checking cpuid whitelist (my cpuid is 25:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE:CO:FF:EE)... 348 | [ 1.806693@3] whitelist check completed 349 | initramfs: opening rootfs LUKS volume on /dev/mmcblk0p8 350 | initramfs: setting up rootfs dm-verity on /dev/mapper/luks_root 351 | initramfs: switching to rootfs 352 | [ 1.969357@1] allow_mount_exec set to 0 353 | [ 2.092777@3] meson_uart ff803000.serial: ttyS0 use xtal(8M) 24000000 change 115200 to 115200 354 | init started: BusyBox v1.24.2 (2018-11-12 18:20:59 EST) 355 | starting pid 1067, tty '': '/etc/Configure' 356 | [ 2.160271@3] allow_mount_dev set to 0 357 | [ 2.185618@2] random: crng init done 358 | [ 2.275885@1] /jffs LUKS volume detected on /dev/nandjffs 359 | [ 2.299016@1] opening /jffs LUKS volume on /dev/nandjffs 360 | [ 2.413412@2] checking /jffs file system on /dev/mapper/luks_jffs 361 | [ 2.442097@3] e2fsck 1.44.1 (24-Mar-2018) 362 | [ 2.450884@3] /dev/mapper/luks_jffs: recovering journal 363 | [ 2.556973@3] Pass 1: Checking 364 | [ 2.557015@3] inodes, 365 | [ 2.557047@3] block 366 | [ 2.558815@3] s, and sizes 367 | [ 2.607183@2] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null) 368 | [ 2.612858@1] Configure: 12 output lines suppressed due to ratelimiting 369 | Initializing random number generator... 370 | Loading default i2c-eeprom.ko 371 | [ 2.626627@0] i2c_eeprom: loading out-of-tree module taints kernel. 372 | [ 2.628816@0] chip size: 0x10000, page size: 0x20, addr len: 2. 373 | [ 2.634068@0] i2c eeprom probe m24c64, addr 0x55. 374 | [ 2.793442@3] register mt_drv 375 | [ 2.793625@3] mt_drv 0000:01:00.0: enabling device (0000 -> 0002) 376 | [ 2.797005@3] MSI resource request success!! 377 | [ 2.802582@3] 378 | [ 2.802582@3] 379 | [ 2.802582@3] === pAd = ffffff800a175000, size = 3261472 === 380 | [ 2.802582@3] 381 | [ 2.812420@3] <-- RTMPAllocAdapterBlock, Status=0 382 | [ 2.816289@3] pAd->PciHif.CSRBaseAddress =0xffffff8008f00000, csr_addr=0xffffff8008f00000! 383 | [ 2.824458@3] RTMPInitPCIeDevice():device_id=0x7615 384 | [ 3.129595@3] mt_pci_chip_cfg(): HWVer=0x8a10, FWVer=0x8a10, pAd->ChipID=0x7615 385 | [ 3.131260@3] mt_pci_chip_cfg(): HIF_SYS_REV=0x76150001 386 | [ 3.136434@3] RTMPInitPCIeDevice():is_msi = 1 387 | [ 3.140752@3] RtmpChipOpsHook(493): Not support for HIF_MT yet! MACVersion=0x0 388 | [ 3.147906@3] mt7615_init()--> 389 | [ 3.150925@3] Use the default ePAeLNA bin image! 390 | [ 3.155494@3] Use the default /etc_ro/wlan/MT7615E_EEPROM1.bin bin image! 391 | [ 3.162225@3] <--mt7615_init() 392 | [ 3.165233@3] ChipOpsMCUHook 393 | [ 3.175524@3] <-- RTMPAllocTxRxRingMemory, Status=0 394 | [ 3.175559@3] SONOS: ignoring RT2860APCard.dat in favor of hard-coded configuration and calibration file locations 395 | [ 3.185100@3] SONOS: MTK dev ra0 created on PCI bus #1 396 | [ 3.190789@3] pci probe count=1 397 | [ 3.193235@3] rtmp_fwdl_prepare(): FW DL in probe stage 398 | [ 3.200471@3] Hif Init Done! 399 | [ 3.325171@0] MCU Init Done! 400 | [ 3.325215@0] RtmpChipOpsEepromHook::forceMode: 4 , infType: 5 401 | [ 3.328416@0] i2c_eeprom_bin_read: cout: 632, offset: 0[ 3.333635@0] i2c bus read failed. 402 | [ 3.336604@0] rtmp_load_wifical: Get WiFi-CAL header failed! 403 | [ 3.342388@0] Can't find bin file, Load EEPROM Buffer from efuse. 404 | [ 3.360155@0] Can't find bin file, Create one from efuse. 405 | [ 3.360181@0] rtmp_ee_write_to_bin::FileName=/tmp/wifi-binfile.ra0 406 | [ 3.366221@0] ra0 - overwriting DPD bits 407 | [ 3.370030@0] MtCmdSetRlmPorCal: (ret = 0) 408 | Using MDP serial number ACOFFEECOFFEE 409 | Current wifi address: 00:00:00:00:00:00 410 | br0=78:28:AA:CO:FF:EE 411 | eth0=78:28:AA:CO:FF:EE 412 | [ 3.428157@0] meson_pinctrl: gpio virq[122] connect to GIC hwirq[96] 413 | [ 3.429041@0] ti83822_config_init: intentionally disabling EEE [0x018b -> 0x180] *** 414 | [ 3.436967@0] ti83822_config_init: digital restart - writing 0x4000 to register 0x1f 415 | [ 3.444443@0] meson_pinctrl: gpio virq[122] connect to GIC hwirq[97] 416 | [ 3.451071@0] ti83822_announce_linkup: announcing link status change 417 | [ 3.457212@2] ti83822_announce_linkup: announcing link status change 418 | [ 3.457529@0] ti83822_announce_linkup: announcing link status change 419 | [ 3.480976@2] meson6-dwmac ff3f0000.ethernet eth0: fail to init PTP. 420 | [ 3.482125@2] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready 421 | Loading default blackbox.ko 422 | [ 3.499640@3] Sonos Blackbox kernel trace module, buffer size 131072 423 | Loading default utils.ko 424 | Loading default sonos_device.ko 425 | Loading default event_queue.ko 426 | [ 3.510854@3] event_queue: module license 'Proprietary' taints kernel. 427 | [ 3.514776@3] Disabling lock debugging due to kernel taint 428 | Loading default 429 | [ 3.524098@3] Registered chk driver 430 | chk.ko 431 | Loading default apple_auth.ko 432 | Loading default lla.ko 433 | Loading default micctl.ko 434 | Loading default sensors.ko 435 | [ 3.650487@1] meson_pinctrl: gpio virq[87] connect to GIC hwirq[98] 436 | Loading default lp5562_led.ko 437 | [ 3.673783@1] meson_pinctrl: gpio virq[87] connect to GIC hwirq[98] 438 | [ 3.697758@1] meson_pinctrl: gpio virq[87] connect to GIC hwirq[98] 439 | Loading default ampctl.ko 440 | [ 3.708915@3] meson_pinctrl: gpio virq[89] connect to GIC hwirq[99] 441 | Loading default caamkeys.ko 442 | [ 3.714270@0] caamkeys_init: module inserted for major 124 443 | Loading default psoc_33.ko 444 | Loading default sdd.ko 445 | [ 5.037222@0] ti83822: port up, speed 100, full duplex 446 | [ 5.037272@0] ti83822_announce_linkup: announcing link status change 447 | [ 5.043216@0] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready 448 | [ 5.049638@0] meson6-dwmac ff3f0000.ethernet eth0: Link is Up - 100Mbps/Full - flow control off 449 | [ 6.015985@1] meson_pinctrl: gpio virq[20] connect to GIC hwirq[232] 450 | mv: can't rename '/jffs/upgrade_mgr.txt': No such file or directory 451 | mv: can't rename '/jffs/upgrade_mgr_report.json': No such file or directory 452 | mv: can't rename '/jffs/upgrade_mgr.log': No such file or directory 453 | [ 6.107676@1] ath: SKB CB Linux 48 ATH 48 TX 48 RX 20 454 | [ 6.107717@1] ath: testpoints available 455 | [ 6.110938@1] ath_attach: ffffff8001cf7698 40 rxbufs, 200 txbufs 456 | [ 6.116855@1] wifi: interface 0: mdp region 0x2 maps to MTK region code, 2G: 1, 5G: 9 457 | [ 6.125675@1] ra0: SONOS: Locked unit, checking config in /wifi 458 | [ 6.133779@3] [SKUenable] BAND0: 1 459 | [ 6.133928@3] CalCacheApply = 1 460 | [ 6.138443@3] ra0: SONOS: Read in config file: /wifi/config.ra0 461 | [ 6.143125@3] FW DL in probe, bypass Hif and MCU Init! 462 | [ 6.148084@3] RTMP_COM_IoctlHandle: Wait FW complete the calibration cmd 463 | [ 9.505209@3] i2c_eeprom_bin_read: cout: 632, offset: 0 464 | [ 9.505747@3] i2c bus read failed. 465 | [ 9.507993@3] rtmp_load_wifical: Get WiFi-CAL header failed! 466 | [ 9.513814@3] Can't find bin file, Load EEPROM Buffer from efuse. 467 | [ 9.531593@3] Can't find bin file, Create one from efuse. 468 | [ 9.531620@3] rtmp_ee_write_to_bin::FileName=/tmp/wifi-binfile.ra0 469 | [ 9.537541@3] ra0 - overwriting DPD bits 470 | [ 9.543407@3] MtCmdTxPowerSKUCtrl: fgTxPowerSKUEn: 1, BandIdx: 0 471 | [ 10.816493@0] ath: EDMA fastabort disabled 472 | [ 10.817238@0] ath0: mt7615 shim attached to ra0 473 | Using MDP serial number ACOFFEECOFFEE 474 | Current wifi address: 00:00:00:00:00:00 475 | [ 10.830239@1] ath0: set MAC address to 78:28:BB:CO:FF:EE 476 | br0=78:28:AA:CO:FF:EE 477 | eth0=78:28:AA:CO:FF:EE 478 | SIOCGIFHWADDR: Device or resource busy 479 | ath0=78:28:BB:CO:FF:EE 480 | Starting Bluetooth Services 481 | [ 10.908219@0] meson_uart ff804000.serial: ttyS1 use xtal(8M) 24000000 change 0 to 9600 482 | [ 10.910652@0] meson_uart ff804000.serial: ttyS1 use xtal(8M) 24000000 change 9600 to 115200 483 | [ 10.932321@1] allow_insmod set to 0 484 | Saving random seed... 485 | Configure script complete. 486 | [ 11.042951@0] sat: enable=0 487 | [ 11.074007@3] ath0: set MAC address to 78:28:BB:CO:FF:EE 488 | [ 11.082399@0] br0: port 1(eth0) entering blocking state 489 | [ 11.082441@0] br0: port 1(eth0) entering disabled state 490 | [ 11.087505@0] device eth0 entered promiscuous mode 491 | [ 11.118101@0] ath0: set SonosNet SSID to "" 492 | [ 11.118146@0] block ns probes 1 493 | [ 11.121787@2] ath_ioctl_set_channel: frequency 2412 (1) 494 | [ 11.134888@0] br0: port 1(eth0) entering blocking state 495 | [ 11.134928@0] br0: port 1(eth0) entering listening state 496 | [ 11.142425@3] ath0: ath_init 497 | [ 11.142770@0] SONOS station module v1.0 498 | [ 11.146499@0] ath0: bridge addr=78:28:AA:CO:FF:EE 499 | 500 | Please press Enter to activate this console. 501 | starting pid 1339, tty '/dev/ttyS0': '/usr/sbin/secure_console.sh' 502 | Console usage not enabled 503 | process '/usr/sbin/secure_console.sh' (pid 1339) exited. Scheduling for restart. 504 | 505 | Please press Enter to activate this console. 506 | -------------------------------------------------------------------------------- /devices/S18-One/dumps/sonos-tupelo-v1.dts: -------------------------------------------------------------------------------- 1 | /dts-v1/; 2 | 3 | / { 4 | model = "Sonos-Tupelo V1"; 5 | amlogic-dt-id = "axg_a113d_skt_v1"; 6 | compatible = "amlogic, axg"; 7 | interrupt-parent = <0x1>; 8 | #address-cells = <0x2>; 9 | #size-cells = <0x2>; 10 | sonos-product-id = <0x1>; 11 | 12 | cpus { 13 | #address-cells = <0x2>; 14 | #size-cells = <0x0>; 15 | 16 | cpu-map { 17 | 18 | cluster0 { 19 | 20 | core0 { 21 | cpu = <0x2>; 22 | }; 23 | 24 | core1 { 25 | cpu = <0x3>; 26 | }; 27 | 28 | core2 { 29 | cpu = <0x4>; 30 | }; 31 | 32 | core3 { 33 | cpu = <0x5>; 34 | }; 35 | }; 36 | }; 37 | 38 | cpu@0 { 39 | device_type = "cpu"; 40 | compatible = "arm,cortex-a53", "arm,armv8"; 41 | reg = <0x0 0x0>; 42 | enable-method = "psci"; 43 | clocks = <0x6 0x0>; 44 | clock-names = "cpu-cluster.0"; 45 | cpu-idle-states = <0x7>; 46 | linux,phandle = <0x2>; 47 | phandle = <0x2>; 48 | }; 49 | 50 | cpu@1 { 51 | device_type = "cpu"; 52 | compatible = "arm,cortex-a53", "arm,armv8"; 53 | reg = <0x0 0x1>; 54 | enable-method = "psci"; 55 | clocks = <0x6 0x0>; 56 | clock-names = "cpu-cluster.0"; 57 | cpu-idle-states = <0x7>; 58 | linux,phandle = <0x3>; 59 | phandle = <0x3>; 60 | }; 61 | 62 | cpu@2 { 63 | device_type = "cpu"; 64 | compatible = "arm,cortex-a53", "arm,armv8"; 65 | reg = <0x0 0x2>; 66 | enable-method = "psci"; 67 | clocks = <0x6 0x0>; 68 | clock-names = "cpu-cluster.0"; 69 | cpu-idle-states = <0x7>; 70 | linux,phandle = <0x4>; 71 | phandle = <0x4>; 72 | }; 73 | 74 | cpu@3 { 75 | device_type = "cpu"; 76 | compatible = "arm,cortex-a53", "arm,armv8"; 77 | reg = <0x0 0x3>; 78 | enable-method = "psci"; 79 | clocks = <0x6 0x0>; 80 | clock-names = "cpu-cluster.0"; 81 | cpu-idle-states = <0x7>; 82 | linux,phandle = <0x5>; 83 | phandle = <0x5>; 84 | }; 85 | 86 | idle-states { 87 | entry-method = "arm,psci-0.2"; 88 | 89 | cpu-sleep-0 { 90 | compatible = "arm,idle-state"; 91 | arm,psci-suspend-param = <0x10000>; 92 | local-timer-stop; 93 | entry-latency-us = <0x1388>; 94 | exit-latency-us = <0x1388>; 95 | min-residency-us = <0x3a98>; 96 | linux,phandle = <0x7>; 97 | phandle = <0x7>; 98 | }; 99 | }; 100 | }; 101 | 102 | timer { 103 | compatible = "arm,armv8-timer"; 104 | interrupts = <0x1 0xd 0xff08 0x1 0xe 0xff08 0x1 0xb 0xff08 0x1 0xa 0xff08>; 105 | }; 106 | 107 | timer_bc { 108 | compatible = "arm, meson-bc-timer"; 109 | reg = <0x0 0xffd0f190 0x0 0x4 0x0 0xffd0f194 0x0 0x4>; 110 | timer_name = "Meson TimerF"; 111 | clockevent-rating = <0x12c>; 112 | clockevent-shift = <0x14>; 113 | clockevent-features = <0x23>; 114 | interrupts = <0x0 0x3c 0x1>; 115 | bit_enable = <0x10>; 116 | bit_mode = <0xc>; 117 | bit_resolution = <0x0>; 118 | }; 119 | 120 | arm_pmu { 121 | compatible = "arm,armv8-pmuv3"; 122 | interrupts = <0x0 0x89 0x4 0x0 0x8a 0x4 0x0 0x99 0x4 0x0 0x9a 0x4>; 123 | }; 124 | 125 | interrupt-controller@2c001000 { 126 | compatible = "arm,cortex-a15-gic", "arm,cortex-a9-gic"; 127 | #interrupt-cells = <0x3>; 128 | #address-cells = <0x0>; 129 | interrupt-controller; 130 | reg = <0x0 0xffc01000 0x0 0x1000 0x0 0xffc02000 0x0 0x100>; 131 | interrupts = <0x1 0x9 0xf04>; 132 | linux,phandle = <0x1>; 133 | phandle = <0x1>; 134 | }; 135 | 136 | psci { 137 | compatible = "arm,psci-0.2"; 138 | method = "smc"; 139 | }; 140 | 141 | pm { 142 | compatible = "amlogic, pm"; 143 | device_name = "aml_pm"; 144 | status = "okay"; 145 | reg = <0x0 0xff80023c 0x0 0x4>; 146 | }; 147 | 148 | secmon { 149 | compatible = "amlogic, secmon"; 150 | memory-region = <0x8>; 151 | in_base_func = <0x82000020>; 152 | out_base_func = <0x82000021>; 153 | reserve_mem_size = <0x300000>; 154 | }; 155 | 156 | securitykey { 157 | compatible = "aml, securitykey"; 158 | storage_query = <0x82000060>; 159 | storage_read = <0x82000061>; 160 | storage_write = <0x82000062>; 161 | storage_tell = <0x82000063>; 162 | storage_verify = <0x82000064>; 163 | storage_status = <0x82000065>; 164 | storage_list = <0x82000067>; 165 | storage_remove = <0x82000068>; 166 | storage_in_func = <0x82000023>; 167 | storage_out_func = <0x82000024>; 168 | storage_block_func = <0x82000025>; 169 | storage_size_func = <0x82000027>; 170 | storage_set_enctype = <0x8200006a>; 171 | storage_get_enctype = <0x8200006b>; 172 | storage_version = <0x8200006c>; 173 | }; 174 | 175 | rng { 176 | compatible = "amlogic,meson-rng"; 177 | status = "okay"; 178 | #add-cells = <0x2>; 179 | #size-cells = <0x2>; 180 | reg = <0x0 0xff634018 0x0 0x4>; 181 | }; 182 | 183 | mhu@c883c400 { 184 | compatible = "amlogic, meson_mhu"; 185 | reg = <0x0 0xff63c400 0x0 0x4c 0x0 0xfffd3000 0x0 0x800>; 186 | interrupts = <0x0 0xd1 0x1 0x0 0xd2 0x1>; 187 | #mbox-cells = <0x1>; 188 | mbox-names = "cpu_to_scp_low", "cpu_to_scp_high"; 189 | mboxes = <0x9 0x0 0x9 0x1>; 190 | linux,phandle = <0x9>; 191 | phandle = <0x9>; 192 | }; 193 | 194 | scpi_clocks { 195 | compatible = "arm, scpi-clks"; 196 | 197 | scpi_clocks@0 { 198 | compatible = "arm, scpi-clk-indexed"; 199 | #clock-cells = <0x1>; 200 | clock-indices = <0x0>; 201 | clock-output-names = "vcpu"; 202 | linux,phandle = <0x6>; 203 | phandle = <0x6>; 204 | }; 205 | }; 206 | 207 | cpu_iomap { 208 | compatible = "amlogic, iomap"; 209 | #address-cells = <0x2>; 210 | #size-cells = <0x2>; 211 | ranges; 212 | 213 | io_cbus_base { 214 | reg = <0x0 0xffd00000 0x0 0x100000>; 215 | }; 216 | 217 | io_apb_base { 218 | reg = <0x0 0xffe00000 0x0 0x100000>; 219 | }; 220 | 221 | io_aobus_base { 222 | reg = <0x0 0xff800000 0x0 0x100000>; 223 | }; 224 | 225 | io_vapb_base { 226 | reg = <0x0 0xff900000 0x0 0x50000>; 227 | }; 228 | 229 | io_hiu_base { 230 | reg = <0x0 0xff63c000 0x0 0x10000>; 231 | }; 232 | }; 233 | 234 | xtal-clk { 235 | compatible = "fixed-clock"; 236 | clock-frequency = <0x16e3600>; 237 | clock-output-names = "xtal"; 238 | #clock-cells = <0x0>; 239 | linux,phandle = <0xa>; 240 | phandle = <0xa>; 241 | }; 242 | 243 | rtc { 244 | compatible = "amlogic, aml_vrtc"; 245 | alarm_reg_addr = <0xff8000a8>; 246 | timer_e_addr = <0xffd0f188>; 247 | init_date = "2015/01/01"; 248 | status = "okay"; 249 | }; 250 | 251 | cpu_info { 252 | compatible = "amlogic, cpuinfo"; 253 | status = "okay"; 254 | cpuinfo_cmd = <0x82000044>; 255 | }; 256 | 257 | aml_reboot { 258 | compatible = "aml, reboot"; 259 | sys_reset = <0x84000009>; 260 | sys_poweroff = <0x84000008>; 261 | }; 262 | 263 | watchdog@0xffd0f0d0 { 264 | compatible = "amlogic, meson-wdt"; 265 | status = "disabled"; 266 | default_timeout = <0xa>; 267 | reset_watchdog_method = <0x1>; 268 | reset_watchdog_time = <0x2>; 269 | shutdown_timeout = <0xa>; 270 | firmware_timeout = <0x6>; 271 | suspend_timeout = <0x6>; 272 | reg = <0x0 0xffd0f0d0 0x0 0x10>; 273 | clock-names = "xtal"; 274 | clocks = <0xa>; 275 | }; 276 | 277 | pinctrl@ff800014 { 278 | compatible = "amlogic,meson-axg-aobus-pinctrl"; 279 | #address-cells = <0x2>; 280 | #size-cells = <0x2>; 281 | ranges; 282 | 283 | ao-bank@ff800014 { 284 | reg = <0x0 0xff800014 0x0 0x8 0x0 0xff80002c 0x0 0x4 0x0 0xff800024 0x0 0x8 0x0 0xff800084 0x0 0x4>; 285 | interrupts = <0x0 0xc8 0x1 0x0 0xc9 0x1>; 286 | reg-names = "mux", "pull", "gpio", "irq"; 287 | gpio-controller; 288 | #gpio-cells = <0x2>; 289 | interrupt-controller; 290 | #interrupt-cells = <0x2>; 291 | linux,phandle = <0x11>; 292 | phandle = <0x11>; 293 | }; 294 | 295 | remote_pin { 296 | linux,phandle = <0x19>; 297 | phandle = <0x19>; 298 | 299 | mux { 300 | pins = "GPIOAO_6"; 301 | function = "ir_in"; 302 | }; 303 | }; 304 | 305 | irblaster_pin { 306 | 307 | mux { 308 | pins = "GPIOAO_7"; 309 | function = "ir_out"; 310 | }; 311 | }; 312 | 313 | ao_uart { 314 | linux,phandle = <0x12>; 315 | phandle = <0x12>; 316 | 317 | mux { 318 | pins = "GPIOAO_0", "GPIOAO_1"; 319 | function = "uart_ao_a"; 320 | }; 321 | }; 322 | 323 | ao_b_1_uart { 324 | 325 | mux { 326 | pins = "GPIOAO_4", "GPIOAO_5"; 327 | function = "uart_ao_b"; 328 | }; 329 | }; 330 | 331 | ao_i2c { 332 | 333 | mux { 334 | pins = "GPIOAO_4", "GPIOAO_5"; 335 | function = "i2c_ao"; 336 | }; 337 | }; 338 | 339 | ao_i2c_pin1 { 340 | 341 | mux { 342 | pins = "GPIOAO_8", "GPIOAO_9"; 343 | function = "i2c_ao"; 344 | }; 345 | }; 346 | 347 | ao_i2c_pin2 { 348 | linux,phandle = <0xf>; 349 | phandle = <0xf>; 350 | 351 | mux { 352 | pins = "GPIOAO_10", "GPIOAO_11"; 353 | function = "i2c_ao"; 354 | }; 355 | }; 356 | 357 | s_i2c { 358 | linux,phandle = <0x1e>; 359 | phandle = <0x1e>; 360 | 361 | mux { 362 | pins = "GPIOAO_10", "GPIOAO_11"; 363 | function = "i2c_slave_ao"; 364 | }; 365 | }; 366 | }; 367 | 368 | pinctrl@ff634480 { 369 | compatible = "amlogic,meson-axg-periphs-pinctrl"; 370 | #address-cells = <0x2>; 371 | #size-cells = <0x2>; 372 | ranges; 373 | 374 | banks@ff634480 { 375 | reg = <0x0 0xff634480 0x0 0x40 0x0 0xff6344e8 0x0 0x14 0x0 0xff634520 0x0 0x14 0x0 0xff634430 0x0 0x3c 0x0 0xffd0f080 0x0 0x10>; 376 | interrupts = <0x0 0x40 0x1 0x0 0x41 0x1 0x0 0x42 0x1 0x0 0x43 0x1 0x0 0x44 0x1 0x0 0x45 0x1 0x0 0x46 0x1 0x0 0x47 0x1>; 377 | reg-names = "mux", "pull", "pull-enable", "gpio", "irq"; 378 | gpio-controller; 379 | #gpio-cells = <0x2>; 380 | interrupt-controller; 381 | #interrupt-cells = <0x2>; 382 | linux,phandle = <0xd>; 383 | phandle = <0xd>; 384 | }; 385 | 386 | external_eth_pins { 387 | linux,phandle = <0x24>; 388 | phandle = <0x24>; 389 | 390 | mux { 391 | groups = "GPIOY_0", "GPIOY_1", "GPIOY_2", "GPIOY_3", "GPIOY_4", "GPIOY_5", "GPIOY_6", "GPIOY_7", "GPIOY_8", "GPIOY_9", "GPIOY_10", "GPIOY_11", "GPIOY_12", "GPIOY_13"; 392 | function = "eth"; 393 | }; 394 | }; 395 | 396 | ao_b_uart { 397 | linux,phandle = <0x10>; 398 | phandle = <0x10>; 399 | 400 | mux { 401 | pins = "GPIOZ_8", "GPIOZ_9", "GPIOZ_6", "GPIOZ_7"; 402 | function = "uart_ao_b"; 403 | }; 404 | }; 405 | 406 | a_uart { 407 | linux,phandle = <0x29>; 408 | phandle = <0x29>; 409 | 410 | mux { 411 | pins = "GPIOX_8", "GPIOX_9", "GPIOX_10", "GPIOX_11"; 412 | function = "uart_a"; 413 | }; 414 | }; 415 | 416 | b_uart { 417 | linux,phandle = <0x2a>; 418 | phandle = <0x2a>; 419 | 420 | mux { 421 | pins = "GPIOZ_0", "GPIOZ_1", "GPIOZ_2", "GPIOZ_3"; 422 | function = "uart_b"; 423 | }; 424 | }; 425 | 426 | ao_b_gpio { 427 | 428 | mux { 429 | pins = "GPIOZ_6", "GPIOZ_7"; 430 | function = "gpio"; 431 | }; 432 | }; 433 | 434 | a_i2c { 435 | 436 | mux { 437 | pins = "GPIOZ_6", "GPIOZ_7"; 438 | function = "i2c_a"; 439 | }; 440 | }; 441 | 442 | b_i2c { 443 | 444 | mux { 445 | pins = "GPIOZ_8", "GPIOZ_9"; 446 | function = "i2c_b"; 447 | }; 448 | }; 449 | 450 | b_i2c_pin1 { 451 | linux,phandle = <0xc>; 452 | phandle = <0xc>; 453 | 454 | mux { 455 | pins = "GPIOX_16", "GPIOX_17"; 456 | function = "i2c_b"; 457 | }; 458 | }; 459 | 460 | c_i2c { 461 | 462 | mux { 463 | pins = "GPIOX_18", "GPIOX_19"; 464 | function = "i2c_c"; 465 | }; 466 | }; 467 | 468 | c_i2c_pin1 { 469 | 470 | mux { 471 | pins = "GPIOA_17", "GPIOA_18"; 472 | function = "i2c_c"; 473 | }; 474 | }; 475 | 476 | d_i2c { 477 | 478 | mux { 479 | pins = "GPIOA_6", "GPIOA_7"; 480 | function = "i2c_d"; 481 | }; 482 | }; 483 | 484 | d_i2c_pin1 { 485 | 486 | mux { 487 | pins = "GPIOA_12", "GPIOA_13"; 488 | function = "i2c_d"; 489 | }; 490 | }; 491 | 492 | d_i2c_pin2 { 493 | linux,phandle = <0xe>; 494 | phandle = <0xe>; 495 | 496 | mux { 497 | pins = "GPIOA_19", "GPIOA_20"; 498 | function = "i2c_d"; 499 | }; 500 | }; 501 | 502 | spicc_a_pins { 503 | linux,phandle = <0x17>; 504 | phandle = <0x17>; 505 | 506 | mux { 507 | pins = "GPIOZ_0", "GPIOZ_1", "GPIOZ_2", "GPIOZ_3"; 508 | function = "spi_a"; 509 | }; 510 | }; 511 | 512 | spicc_b_pins_A { 513 | 514 | mux { 515 | pins = "GPIOA_2", "GPIOA_3", "GPIOA_4", "GPIOA_5"; 516 | function = "spi_b"; 517 | }; 518 | }; 519 | 520 | spicc_b_pins_X { 521 | linux,phandle = <0x18>; 522 | phandle = <0x18>; 523 | 524 | mux { 525 | pins = "GPIOX_16", "GPIOX_17", "GPIOX_18", "GPIOX_19"; 526 | function = "spi_b"; 527 | }; 528 | }; 529 | 530 | nand_pulldown { 531 | 532 | mux { 533 | pins = "BOOT_0", "BOOT_1", "BOOT_2", "BOOT_3", "BOOT_4", "BOOT_5", "BOOT_6", "BOOT_7", "BOOT_13"; 534 | function = "nandflash"; 535 | bias-pull-down; 536 | }; 537 | }; 538 | 539 | nand_pullup { 540 | 541 | mux { 542 | pins = "BOOT_8"; 543 | function = "nandflash"; 544 | bias-pull-up; 545 | }; 546 | }; 547 | 548 | all_nand_pins { 549 | linux,phandle = <0x1f>; 550 | phandle = <0x1f>; 551 | 552 | mux { 553 | pins = "BOOT_0", "BOOT_1", "BOOT_2", "BOOT_3", "BOOT_4", "BOOT_5", "BOOT_6", "BOOT_7", "BOOT_8", "BOOT_9", "BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13"; 554 | function = "nandflash"; 555 | input-enable; 556 | }; 557 | }; 558 | 559 | nand_cs { 560 | linux,phandle = <0x20>; 561 | phandle = <0x20>; 562 | 563 | mux { 564 | pins = "BOOT_8"; 565 | function = "nandflash"; 566 | }; 567 | }; 568 | 569 | emmc_clk_cmd_pins { 570 | linux,phandle = <0x2f>; 571 | phandle = <0x2f>; 572 | 573 | mux { 574 | pins = "BOOT_8", "BOOT_10"; 575 | function = "emmc"; 576 | input-enable; 577 | bias-pull-up; 578 | }; 579 | }; 580 | 581 | emmc_conf_pull_up { 582 | linux,phandle = <0x30>; 583 | phandle = <0x30>; 584 | 585 | mux { 586 | pins = "BOOT_0", "BOOT_1", "BOOT_2", "BOOT_3", "BOOT_4", "BOOT_5", "BOOT_6", "BOOT_7", "BOOT_8", "BOOT_10"; 587 | function = "emmc"; 588 | input-enable; 589 | bias-pull-up; 590 | }; 591 | }; 592 | 593 | emmc_conf_pull_done { 594 | linux,phandle = <0x31>; 595 | phandle = <0x31>; 596 | 597 | mux { 598 | groups = "BOOT_13"; 599 | function = "emmc"; 600 | input-enable; 601 | bias-pull-down; 602 | }; 603 | }; 604 | 605 | sdio_clk_cmd_pins { 606 | 607 | mux { 608 | groups = "GPIOX_4", "GPIOX_5"; 609 | function = "sdio"; 610 | input-enable; 611 | bias-pull-up; 612 | }; 613 | }; 614 | 615 | sdio_all_pins { 616 | 617 | mux { 618 | groups = "GPIOX_0", "GPIOX_1", "GPIOX_2", "GPIOX_3", "GPIOX_4", "GPIOX_5"; 619 | function = "sdio"; 620 | input-enable; 621 | bias-pull-up; 622 | }; 623 | }; 624 | 625 | wifi_32k_pins { 626 | 627 | mux { 628 | groups = "GPIOX_20"; 629 | function = "pwm_a"; 630 | }; 631 | }; 632 | 633 | tdma_mclk { 634 | linux,phandle = <0x14>; 635 | phandle = <0x14>; 636 | 637 | mux { 638 | pins = "GPIOAO_13"; 639 | function = "gen_clk"; 640 | }; 641 | }; 642 | 643 | tdmout_a { 644 | linux,phandle = <0x15>; 645 | phandle = <0x15>; 646 | 647 | mux { 648 | pins = "GPIOX_12", "GPIOX_13", "GPIOX_14"; 649 | function = "tdma_out"; 650 | }; 651 | }; 652 | 653 | tdmin_a { 654 | 655 | mux { 656 | function = "tdma_in"; 657 | }; 658 | }; 659 | 660 | tdmb_mclk { 661 | 662 | mux { 663 | pins = "GPIOA_1"; 664 | function = "mclk"; 665 | }; 666 | }; 667 | 668 | tdmout_b { 669 | 670 | mux { 671 | pins = "GPIOA_8", "GPIOA_9", "GPIOA_10"; 672 | function = "tdmb_out"; 673 | }; 674 | }; 675 | 676 | tdmin_b { 677 | 678 | mux { 679 | pins = "GPIOA_11", "GPIOA_12", "GPIOA_13"; 680 | function = "tdmb_in"; 681 | }; 682 | }; 683 | 684 | tdmc_mclk { 685 | 686 | mux { 687 | pins = "GPIOA_0"; 688 | function = "mclk"; 689 | }; 690 | }; 691 | 692 | tdmout_c { 693 | 694 | mux { 695 | pins = "GPIOA_2", "GPIOA_3", "GPIOA_4", "GPIOA_6", "GPIOA_7"; 696 | function = "tdmc_out"; 697 | }; 698 | }; 699 | 700 | tdmin_c { 701 | 702 | mux { 703 | pins = "GPIOA_5"; 704 | function = "tdmc_in"; 705 | }; 706 | }; 707 | 708 | spidfout { 709 | 710 | mux { 711 | pins = "GPIOA_20"; 712 | function = "spdif_out"; 713 | }; 714 | }; 715 | 716 | spidfin { 717 | 718 | mux { 719 | pins = "GPIOA_19"; 720 | function = "spdif_in"; 721 | }; 722 | }; 723 | 724 | pdmin { 725 | linux,phandle = <0x16>; 726 | phandle = <0x16>; 727 | 728 | mux { 729 | pins = "GPIOA_14", "GPIOA_15", "GPIOA_16", "GPIOA_17", "GPIOA_18"; 730 | function = "pdm"; 731 | }; 732 | }; 733 | }; 734 | 735 | soc { 736 | compatible = "simple-bus"; 737 | #address-cells = <0x2>; 738 | #size-cells = <0x2>; 739 | ranges; 740 | 741 | cbus@ffd00000 { 742 | compatible = "simple-bus"; 743 | reg = <0x0 0xffd00000 0x0 0x25000>; 744 | #address-cells = <0x2>; 745 | #size-cells = <0x2>; 746 | ranges = <0x0 0x0 0x0 0xffd00000 0x0 0x25000>; 747 | 748 | meson_clk_msr { 749 | compatible = "amlogic, gxl_measure"; 750 | reg = <0x0 0x18004 0x0 0x4 0x0 0x1800c 0x0 0x4>; 751 | }; 752 | 753 | i2c@1f000 { 754 | compatible = "amlogic,meson-axg-i2c"; 755 | status = "disabled"; 756 | reg = <0x0 0x1f000 0x0 0x20>; 757 | interrupts = <0x0 0x15 0x1 0x0 0x2f 0x1>; 758 | #address-cells = <0x1>; 759 | #size-cells = <0x0>; 760 | clocks = <0xb 0x27>; 761 | clock-names = "clk_i2c"; 762 | clock-frequency = <0x186a0>; 763 | }; 764 | 765 | i2c@1e000 { 766 | compatible = "amlogic,meson-axg-i2c"; 767 | status = "okay"; 768 | reg = <0x0 0x1e000 0x0 0x20>; 769 | interrupts = <0x0 0xd6 0x1 0x0 0x30 0x1>; 770 | #address-cells = <0x1>; 771 | #size-cells = <0x0>; 772 | clocks = <0xb 0x27>; 773 | clock-names = "clk_i2c"; 774 | clock-frequency = <0x186a0>; 775 | pinctrl-names = "default"; 776 | pinctrl-0 = <0xc>; 777 | 778 | apple_auth@0 { 779 | compatible = "Sonos,apple_auth"; 780 | reg = <0x11>; 781 | reset-gpio = <0xd 0x37 0x0>; 782 | }; 783 | }; 784 | 785 | i2c@1d000 { 786 | compatible = "amlogic,meson-axg-i2c"; 787 | status = "disabled"; 788 | reg = <0x0 0x1d000 0x0 0x20>; 789 | interrupts = <0x0 0xd7 0x1 0x0 0x31 0x1>; 790 | #address-cells = <0x1>; 791 | #size-cells = <0x0>; 792 | clocks = <0xb 0x27>; 793 | clock-names = "clk_i2c"; 794 | clock-frequency = <0x186a0>; 795 | }; 796 | 797 | i2c@1c000 { 798 | compatible = "amlogic,meson-axg-i2c"; 799 | status = "okay"; 800 | reg = <0x0 0x1c000 0x0 0x20>; 801 | interrupts = <0x0 0x27 0x1 0x0 0x32 0x1>; 802 | #address-cells = <0x1>; 803 | #size-cells = <0x0>; 804 | clocks = <0xb 0x27>; 805 | clock-names = "clk_i2c"; 806 | clock-frequency = <0x186a0>; 807 | pinctrl-names = "default"; 808 | pinctrl-0 = <0xe>; 809 | 810 | pcm1684_0@0x4a { 811 | compatible = "ti,pcm1864"; 812 | #sound-dai-cells = <0x0>; 813 | reg = <0x4a>; 814 | status = "okay"; 815 | }; 816 | 817 | pcm1684_1@0x4b { 818 | compatible = "ti,pcm1864"; 819 | #sound-dai-cells = <0x0>; 820 | reg = <0x4b>; 821 | status = "okay"; 822 | }; 823 | }; 824 | }; 825 | 826 | aobus@ff800000 { 827 | compatible = "simple-bus"; 828 | reg = <0x0 0xff800000 0x0 0xa000>; 829 | #address-cells = <0x2>; 830 | #size-cells = <0x2>; 831 | ranges = <0x0 0x0 0x0 0xff800000 0x0 0xa000>; 832 | 833 | cpu_version { 834 | reg = <0x0 0x220 0x0 0x4>; 835 | }; 836 | 837 | clock-controller@0 { 838 | compatible = "amlogic,axg-aoclkc"; 839 | #clock-cells = <0x1>; 840 | reg = <0x0 0x0 0x0 0x320>; 841 | }; 842 | 843 | i2c@5000 { 844 | compatible = "amlogic,meson-axg-i2c"; 845 | status = "okay"; 846 | reg = <0x0 0x5000 0x0 0x20>; 847 | interrupts = <0x0 0xc3 0x1>; 848 | #address-cells = <0x1>; 849 | #size-cells = <0x0>; 850 | clocks = <0xb 0x27>; 851 | clock-names = "clk_i2c"; 852 | clock-frequency = <0x186a0>; 853 | pinctrl-names = "default"; 854 | pinctrl-0 = <0xf>; 855 | 856 | lp5562@0 { 857 | compatible = "ti,lp5562"; 858 | reg = <0x30>; 859 | }; 860 | 861 | s5851@0 { 862 | compatible = "seiko,s5851"; 863 | reg = <0x48>; 864 | device_type = "CPU"; 865 | }; 866 | 867 | s5851@1 { 868 | compatible = "seiko,s5851"; 869 | reg = <0x49>; 870 | device_type = "AMP"; 871 | }; 872 | 873 | sge@0 { 874 | compatible = "Sonos,sge-psoc4"; 875 | pinctrl-names = "mode-uart-hiz", "mode-flow-ctrl"; 876 | pinctrl-0; 877 | pinctrl-1 = <0x10>; 878 | reg = <0x40>; 879 | gpio-addr = <0xff634400 0x130 0x58 0x0 0x5c 0x58 0x0 0x5c>; 880 | gpio-params = "base-addr", "len", "io-set", "io-clr", "io-din", "scl-set", "scl-clr", "scl-din"; 881 | scl-bitmask = <0x80>; 882 | io-bitmask = <0x40>; 883 | xres-gpio = <0xd 0x38 0x0>; 884 | io-gpio = <0xd 0x6 0x0>; 885 | scl-gpio = <0xd 0x7 0x0>; 886 | irq-gpio = <0x11 0x5 0x0>; 887 | zonea = "vol1"; 888 | zoneb = "pp"; 889 | zonec = "vol2"; 890 | zonem = "mic"; 891 | finger-threshold = <0x21>; 892 | noise-threshold = <0xc>; 893 | hysteresis = <0x4>; 894 | share-swd-uart = <0x1>; 895 | psoc-rtc = <0x0>; 896 | status = "okay"; 897 | }; 898 | 899 | m24c64@55 { 900 | compatible = "st,m24c64"; 901 | reg = <0x55>; 902 | dev-id = <0x2>; 903 | chip-size = <0x10000>; 904 | page-size = <0x20>; 905 | addr-len = <0x2>; 906 | status = "okay"; 907 | write-protect = <0xd 0x30 0x1>; 908 | }; 909 | }; 910 | 911 | serial@3000 { 912 | compatible = "amlogic, meson-uart"; 913 | reg = <0x0 0x3000 0x0 0x18>; 914 | interrupts = <0x0 0xc1 0x1>; 915 | status = "okay"; 916 | clocks = <0xa>; 917 | clock-names = "clk_uart"; 918 | xtal_tick_en = <0x1>; 919 | fifosize = <0x40>; 920 | pinctrl-names = "default"; 921 | pinctrl-0 = <0x12>; 922 | support-sysrq = <0x0>; 923 | }; 924 | 925 | serial@4000 { 926 | compatible = "amlogic, meson-uart"; 927 | reg = <0x0 0x4000 0x0 0x18>; 928 | interrupts = <0x0 0xc5 0x1>; 929 | status = "okay"; 930 | clocks = <0xa>; 931 | clock-names = "clk_uart"; 932 | fifosize = <0x40>; 933 | pinctrl-names = "default"; 934 | pinctrl-0; 935 | }; 936 | }; 937 | 938 | periphs@ff634400 { 939 | compatible = "simple-bus"; 940 | reg = <0x0 0xff634400 0x0 0x1c00>; 941 | #address-cells = <0x2>; 942 | #size-cells = <0x2>; 943 | ranges = <0x0 0x0 0x0 0xff634400 0x0 0x1c00>; 944 | }; 945 | 946 | hiubus@ff63c000 { 947 | compatible = "simple-bus"; 948 | reg = <0x0 0xff63c000 0x0 0x10000>; 949 | #address-cells = <0x2>; 950 | #size-cells = <0x2>; 951 | ranges = <0x0 0x0 0x0 0xff63c000 0x0 0x10000>; 952 | 953 | clock-controller@0 { 954 | compatible = "amlogic,axg-clkc"; 955 | #clock-cells = <0x1>; 956 | reg = <0x0 0x0 0x0 0x320>; 957 | linux,phandle = <0xb>; 958 | phandle = <0xb>; 959 | }; 960 | }; 961 | 962 | audiobus@0xff642000 { 963 | compatible = "amlogic, audio-controller", "simple-bus"; 964 | reg = <0x0 0xff642000 0x0 0x2000>; 965 | #address-cells = <0x2>; 966 | #size-cells = <0x2>; 967 | ranges = <0x0 0x0 0x0 0xff642000 0x0 0x2000>; 968 | 969 | audio_clocks { 970 | compatible = "amlogic, audio_clocks"; 971 | #clock-cells = <0x1>; 972 | reg = <0x0 0x0 0x0 0xb0>; 973 | linux,phandle = <0x13>; 974 | phandle = <0x13>; 975 | }; 976 | 977 | tdma { 978 | compatible = "amlogic, snd-tdma"; 979 | #sound-dai-cells = <0x0>; 980 | dai-tdm-lane-slot-mask-in = <0x1 0x1 0x1 0x1>; 981 | dai-tdm-clk-sel = <0x0>; 982 | tdm_from_ddr = <0x0>; 983 | tdm_to_ddr = <0x0>; 984 | clocks = <0xb 0xc 0x13 0x6 0x13 0x14>; 985 | clock-names = "mpll0", "gate", "mclk"; 986 | interrupts = <0x0 0x54 0x1 0x0 0x58 0x1>; 987 | interrupt-names = "tdmin", "tdmout"; 988 | pinctrl-names = "tdm_pins"; 989 | pinctrl-0 = <0x14 0x15>; 990 | linux,phandle = <0x2b>; 991 | phandle = <0x2b>; 992 | }; 993 | 994 | pdm { 995 | compatible = "amlogic, snd-pdm"; 996 | #sound-dai-cells = <0x0>; 997 | to_ddr = <0x2>; 998 | clocks = <0x13 0x1 0xb 0xf 0x13 0x1c 0x13 0x1d>; 999 | clock-names = "gate", "pll_clk", "pdm_dclk", "pdm_sysclk"; 1000 | interrupts = <0x0 0x56 0x1>; 1001 | interrupt-names = "pdmin_irq"; 1002 | pinctrl-names = "pdm_pins"; 1003 | pinctrl-0 = <0x16>; 1004 | filter_mode = <0x1>; 1005 | status = "okay"; 1006 | linux,phandle = <0x2d>; 1007 | phandle = <0x2d>; 1008 | }; 1009 | }; 1010 | }; 1011 | 1012 | pwm@ffd1b000 { 1013 | compatible = "amlogic,axg-ee-pwm"; 1014 | reg = <0x0 0xffd1b000 0x0 0x20>; 1015 | #pwm-cells = <0x3>; 1016 | clocks = <0xa 0xa 0xa 0xa>; 1017 | clock-names = "clkin0", "clkin1", "clkin2", "clkin3"; 1018 | status = "disabled"; 1019 | }; 1020 | 1021 | pwm@ffd1a000 { 1022 | compatible = "amlogic,axg-ee-pwm"; 1023 | reg = <0x0 0xffd1a000 0x0 0x20>; 1024 | #pwm-cells = <0x3>; 1025 | clocks = <0xa 0xa 0xa 0xa>; 1026 | clock-names = "clkin0", "clkin1", "clkin2", "clkin3"; 1027 | status = "disabled"; 1028 | }; 1029 | 1030 | pwm@ff807000 { 1031 | compatible = "amlogic,axg-ao-pwm"; 1032 | reg = <0x0 0xff807000 0x0 0x20>; 1033 | #pwm-cells = <0x3>; 1034 | clocks = <0xa 0xa 0xa 0xa>; 1035 | clock-names = "clkin0", "clkin1", "clkin2", "clkin3"; 1036 | status = "disabled"; 1037 | }; 1038 | 1039 | pwm@ff802000 { 1040 | compatible = "amlogic,axg-ao-pwm"; 1041 | reg = <0x0 0xff802000 0x0 0x20>; 1042 | #pwm-cells = <0x3>; 1043 | clocks = <0xa 0xa 0xa 0xa>; 1044 | clock-names = "clkin0", "clkin1", "clkin2", "clkin3"; 1045 | status = "disabled"; 1046 | }; 1047 | 1048 | spicc_a { 1049 | compatible = "amlogic, spicc"; 1050 | status = "okay"; 1051 | reg = <0x0 0xffd13000 0x0 0x3c>; 1052 | clocks = <0xb 0x26 0xb 0x76>; 1053 | clock-names = "spicc_clk", "cts_spicc_hclk"; 1054 | interrupts = <0x0 0x51 0x1>; 1055 | device_id = <0x0>; 1056 | enhance = <0x1>; 1057 | pinctrl-names = "default"; 1058 | pinctrl-0 = <0x17>; 1059 | dma_tx_threshold = <0x3>; 1060 | dma_rx_threshold = <0x3>; 1061 | dma_num_per_read_burst = <0x3>; 1062 | dma_num_per_write_burst = <0x3>; 1063 | ssctl = <0x0>; 1064 | num_chipselect = <0x1>; 1065 | dma_en = <0x0>; 1066 | delay_control = <0x15>; 1067 | cs_delay = <0xa>; 1068 | enhance_dlyctl = <0x0>; 1069 | }; 1070 | 1071 | spicc_b { 1072 | compatible = "amlogic, spicc"; 1073 | status = "disabled"; 1074 | reg = <0x0 0xffd15000 0x0 0x3c>; 1075 | clocks = <0xb 0x2b 0xb 0x76>; 1076 | clock-names = "spicc_clk", "cts_spicc_hclk"; 1077 | interrupts = <0x0 0x52 0x1>; 1078 | device_id = <0x1>; 1079 | enhance = <0x1>; 1080 | pinctrl-names = "default"; 1081 | pinctrl-0 = <0x18>; 1082 | dma_tx_threshold = <0x3>; 1083 | dma_rx_threshold = <0x3>; 1084 | dma_num_per_read_burst = <0x3>; 1085 | dma_num_per_write_burst = <0x3>; 1086 | ssctl = <0x0>; 1087 | num_chipselect = <0x1>; 1088 | dma_en = <0x0>; 1089 | delay_control = <0x15>; 1090 | cs_delay = <0xa>; 1091 | enhance_dlyctl = <0x0>; 1092 | }; 1093 | 1094 | rc@0xff808040 { 1095 | compatible = "amlogic, aml_remote"; 1096 | dev_name = "meson-remote"; 1097 | reg = <0x0 0xff808040 0x0 0x44 0x0 0xff808000 0x0 0x20>; 1098 | status = "okay"; 1099 | protocol = <0x1>; 1100 | interrupts = <0x0 0xc4 0x1>; 1101 | pinctrl-names = "default"; 1102 | pinctrl-0 = <0x19>; 1103 | map = <0x1a>; 1104 | max_frame_time = <0xc8>; 1105 | }; 1106 | 1107 | custom_maps { 1108 | mapnum = <0x3>; 1109 | map0 = <0x1b>; 1110 | map1 = <0x1c>; 1111 | map2 = <0x1d>; 1112 | linux,phandle = <0x1a>; 1113 | phandle = <0x1a>; 1114 | 1115 | map_0 { 1116 | mapname = "amlogic-remote-1"; 1117 | customcode = <0xfb04>; 1118 | release_delay = <0x50>; 1119 | size = <0x32>; 1120 | keymap = <0x47000b 0x130002 0x100003 0x110004 0xf0005 0xc0006 0xd0007 0xb0008 0x80009 0x9000a 0x5c0061 0x51003d 0x50003e 0x40003f 0x4d0040 0x430041 0x170042 0x43 0x10044 0x160057 0x49000e 0x60082 0x140083 0x440067 0x1d006c 0x1c0069 0x48006a 0x53007d 0x450068 0x19006d 0x520077 0x5007a 0x59007b 0x1b0078 0x40079 0x1a0074 0xa000f 0xe0071 0x1f0066 0x1e0084 0x70085 0x120086 0x540087 0x20088 0x4f001e 0x420030 0x5d002e 0x4c0020 0x580089 0x55008c>; 1121 | linux,phandle = <0x1b>; 1122 | phandle = <0x1b>; 1123 | }; 1124 | 1125 | map_1 { 1126 | mapname = "amlogic-remote-2"; 1127 | customcode = <0xfe01>; 1128 | release_delay = <0x50>; 1129 | size = <0x35>; 1130 | keymap = <0x10002 0x20003 0x30004 0x40005 0x50006 0x60007 0x70008 0x80009 0x9000a 0xa000b 0x1f01d2 0x15008b 0x16000f 0xc0192 0xd0193 0xe0073 0xf0072 0x110066 0x1c006a 0x1b0069 0x190067 0x1a006c 0x1d001c 0x170071 0x4900db 0x43009e 0x1201d5 0x1401d6 0x1801d7 0x590166 0x5a00a6 0x100074 0x4200a5 0x4400a3 0x1e00a8 0x4b00d0 0x5800a4 0x460082 0x400083 0x380046 0x5701d0 0x5b01d1 0x54018e 0x4c018f 0x4e0190 0x550191 0x5300ed 0x5200ee 0x3900d4 0x4100d5 0xb00d6 0xd8 0x1300d9>; 1131 | linux,phandle = <0x1c>; 1132 | phandle = <0x1c>; 1133 | }; 1134 | 1135 | map_2 { 1136 | mapname = "amlogic-remote-3"; 1137 | customcode = <0xbd02>; 1138 | release_delay = <0x50>; 1139 | size = <0x11>; 1140 | keymap = <0xca0067 0xd2006c 0x990069 0xc1006a 0xce0061 0x450074 0xc50085 0x800071 0xd0000f 0xd6007d 0x950066 0xdd0068 0x8c006d 0x890083 0x9c0082 0x9a0078 0xcd0079>; 1141 | linux,phandle = <0x1d>; 1142 | phandle = <0x1d>; 1143 | }; 1144 | }; 1145 | 1146 | i2c_slave@ff806000 { 1147 | compatible = "amlogic, meson-i2c-slave"; 1148 | status = "disabled"; 1149 | reg = <0x0 0xff806000 0x0 0x20>; 1150 | interrupts = <0x0 0xc2 0x1>; 1151 | pinctrl-names = "default"; 1152 | pinctrl-0 = <0x1e>; 1153 | }; 1154 | 1155 | aml_aes { 1156 | compatible = "amlogic,aes_dma"; 1157 | dev_name = "aml_aes_dma"; 1158 | status = "okay"; 1159 | interrupts = <0x0 0xb4 0x1 0x0 0xb5 0x1>; 1160 | reg = <0x0 0xff63e000 0x0 0x48>; 1161 | }; 1162 | 1163 | aml_tdes { 1164 | compatible = "amlogic,des_dma,tdes_dma"; 1165 | dev_name = "aml_tdes_dma"; 1166 | status = "okay"; 1167 | interrupts = <0x0 0xb4 0x1 0x0 0xb5 0x1>; 1168 | reg = <0x0 0xff63e000 0x0 0x48>; 1169 | }; 1170 | 1171 | aml_sha { 1172 | compatible = "amlogic,sha_dma"; 1173 | dev_name = "aml_sha_dma"; 1174 | status = "okay"; 1175 | interrupts = <0x0 0xb4 0x1 0x0 0xb5 0x1>; 1176 | reg = <0x0 0xff63e000 0x0 0x48>; 1177 | }; 1178 | 1179 | saradc { 1180 | compatible = "amlogic,meson-axg-saradc"; 1181 | status = "okay"; 1182 | #io-channel-cells = <0x1>; 1183 | clocks = <0xa 0xb 0x7a>; 1184 | clock-names = "xtal", "saradc_clk"; 1185 | interrupts = <0x0 0x49 0x1>; 1186 | reg = <0x0 0xff809000 0x0 0x38>; 1187 | linux,phandle = <0x32>; 1188 | phandle = <0x32>; 1189 | }; 1190 | 1191 | efuse { 1192 | compatible = "amlogic, efuse"; 1193 | read_cmd = <0x82000030>; 1194 | write_cmd = <0x82000031>; 1195 | read_obj_cmd = <0x82000036>; 1196 | write_obj_cmd = <0x82000037>; 1197 | get_max_cmd = <0x82000033>; 1198 | clocks = <0xb 0x3d>; 1199 | clock-names = "efuse_clk"; 1200 | status = "okay"; 1201 | }; 1202 | 1203 | sonos-rollback@ff800000 { 1204 | compatible = "sonos,sonos-rollback", "syscon"; 1205 | reg = <0x0 0xff800000 0x0 0x4>; 1206 | offset = <0x0>; 1207 | shift = <0x0>; 1208 | }; 1209 | 1210 | sonos-platform { 1211 | 1212 | sonos-ampctl { 1213 | status = "okay"; 1214 | 1215 | sonos-ampfaults { 1216 | num-faults = <0x1>; 1217 | status = "okay"; 1218 | 1219 | ampfault@0 { 1220 | fault-flags = <0x2>; 1221 | fault-label = "Amp fault"; 1222 | fault-gpio = <0xd 0x33 0x1>; 1223 | }; 1224 | }; 1225 | 1226 | sonos-ampctl-signals { 1227 | num-ctl-signals = <0x3>; 1228 | 1229 | sonos-ampsignal@0 { 1230 | sig-label = "DACRESET"; 1231 | signal-index = <0x0>; 1232 | on-event = <0xc>; 1233 | off-event = <0xd>; 1234 | config = <0x1>; 1235 | on-time = <0x4>; 1236 | off-time = <0x4>; 1237 | supports-off = <0x1>; 1238 | active-low = <0x1>; 1239 | sig-gpio = <0xd 0x35 0x1>; 1240 | }; 1241 | 1242 | sonos-ampsignal@1 { 1243 | sig-label = "POWER"; 1244 | signal-index = <0x1>; 1245 | on-req = <0x0>; 1246 | off-req = <0x1>; 1247 | on-event = <0x2>; 1248 | off-event = <0x3>; 1249 | on-time = <0xf>; 1250 | off-time = <0x0>; 1251 | supports-off = <0x1>; 1252 | sig-gpio = <0xd 0x34 0x1>; 1253 | }; 1254 | 1255 | sonos-ampsignal@2 { 1256 | sig-label = "MUTE"; 1257 | signal-index = <0x2>; 1258 | config = <0x1>; 1259 | on-req = <0x4>; 1260 | off-req = <0x5>; 1261 | on-event = <0x6>; 1262 | off-event = <0x7>; 1263 | on-time = <0x4>; 1264 | off-time = <0x1>; 1265 | supports-off = <0x1>; 1266 | sig-gpio = <0xd 0x3e 0x1>; 1267 | }; 1268 | 1269 | sonos-ampsignal@3 { 1270 | sig-label = "HIPOWER"; 1271 | signal-index = <0x3>; 1272 | on-req = <0x8>; 1273 | off-req = <0x9>; 1274 | on-event = <0xa>; 1275 | off-event = <0xb>; 1276 | }; 1277 | }; 1278 | }; 1279 | 1280 | misc-gpio { 1281 | connect-button = <0xd 0x31 0x1>; 1282 | }; 1283 | 1284 | gpio-outs { 1285 | }; 1286 | 1287 | sonos-gpio-micctl { 1288 | micctl-gpio = <0xd 0x44 0x1>; 1289 | }; 1290 | 1291 | simulated-buttons { 1292 | 1293 | join { 1294 | event-sources = <0x3>; 1295 | }; 1296 | }; 1297 | 1298 | thermal-mgmt { 1299 | 1300 | AMP { 1301 | fault-temperature = <0x64>; 1302 | warn-temperature = <0x5f>; 1303 | }; 1304 | 1305 | CPU { 1306 | fault-temperature = <0x5f>; 1307 | warn-temperature = <0x5b>; 1308 | }; 1309 | }; 1310 | }; 1311 | 1312 | sonos-lla { 1313 | compatible = "sonos,alsa-lla"; 1314 | status = "okay"; 1315 | }; 1316 | 1317 | hrtimer-a113 { 1318 | compatible = "sonos,hrtimer-a113"; 1319 | status = "okay"; 1320 | }; 1321 | 1322 | aliases { 1323 | serial0 = "/soc/aobus@ff800000/serial@3000"; 1324 | serial1 = "/soc/aobus@ff800000/serial@4000"; 1325 | serial2 = "/serial@ffd23000"; 1326 | serial3 = "/serial@ffd24000"; 1327 | }; 1328 | 1329 | memory@00000000 { 1330 | device_type = "memory"; 1331 | linux,usable-memory = <0x0 0x100000 0x0 0x3ff00000>; 1332 | }; 1333 | 1334 | reserved-memory { 1335 | #address-cells = <0x2>; 1336 | #size-cells = <0x2>; 1337 | ranges; 1338 | 1339 | ramoops@0x07400000 { 1340 | compatible = "ramoops"; 1341 | reg = <0x0 0x7400000 0x0 0x100000>; 1342 | record-size = <0x8000>; 1343 | console-size = <0x10000>; 1344 | ftrace-size = <0x2000>; 1345 | pmsg-size = <0x4000>; 1346 | }; 1347 | 1348 | linux,secmon { 1349 | compatible = "shared-dma-pool"; 1350 | reusable; 1351 | size = <0x0 0x400000>; 1352 | alignment = <0x0 0x400000>; 1353 | alloc-ranges = <0x0 0x5000000 0x0 0x400000>; 1354 | linux,phandle = <0x8>; 1355 | phandle = <0x8>; 1356 | }; 1357 | 1358 | linux,secos { 1359 | status = "disable"; 1360 | compatible = "amlogic, aml_secos_memory"; 1361 | reg = <0x0 0x5300000 0x0 0x2000000>; 1362 | no-map; 1363 | }; 1364 | }; 1365 | 1366 | mtd_nand { 1367 | compatible = "amlogic, aml_mtd_nand"; 1368 | dev_name = "mtdnand"; 1369 | status = "disable"; 1370 | reg = <0x0 0xffe07800 0x0 0x200>; 1371 | interrupts = <0x0 0x22 0x1>; 1372 | pinctrl-names = "nand_rb_mod", "nand_norb_mod", "nand_cs_only"; 1373 | pinctrl-0 = <0x1f>; 1374 | pinctrl-1 = <0x1f>; 1375 | pinctrl-2 = <0x20>; 1376 | device_id = <0x0>; 1377 | bl_mode = <0x1>; 1378 | fip_copies = <0x4>; 1379 | fip_size = <0x200000>; 1380 | nand_clk_ctrl = <0xffe07000>; 1381 | plat-names = "bootloader", "nandnormal"; 1382 | plat-num = <0x2>; 1383 | plat-part-0 = <0x21>; 1384 | plat-part-1 = <0x22>; 1385 | 1386 | bootloader { 1387 | enable_pad = "ce0"; 1388 | busy_pad = "rb0"; 1389 | timming_mode = "mode5"; 1390 | bch_mode = "bch8_1k"; 1391 | t_rea = <0x14>; 1392 | t_rhoh = <0xf>; 1393 | chip_num = <0x1>; 1394 | part_num = <0x0>; 1395 | rb_detect = <0x1>; 1396 | linux,phandle = <0x21>; 1397 | phandle = <0x21>; 1398 | }; 1399 | 1400 | nandnormal { 1401 | enable_pad = "ce0"; 1402 | busy_pad = "rb0"; 1403 | timming_mode = "mode5"; 1404 | bch_mode = "bch8_1k"; 1405 | plane_mode = "twoplane"; 1406 | t_rea = <0x14>; 1407 | t_rhoh = <0xf>; 1408 | chip_num = <0x2>; 1409 | part_num = <0x3>; 1410 | partition = <0x23>; 1411 | rb_detect = <0x1>; 1412 | linux,phandle = <0x22>; 1413 | phandle = <0x22>; 1414 | }; 1415 | 1416 | nand_partition { 1417 | linux,phandle = <0x23>; 1418 | phandle = <0x23>; 1419 | 1420 | tpl { 1421 | offset = <0x0 0x0>; 1422 | size = <0x0 0x0>; 1423 | }; 1424 | 1425 | logo { 1426 | offset = <0x0 0x0>; 1427 | size = <0x0 0x200000>; 1428 | }; 1429 | 1430 | recovery { 1431 | offset = <0x0 0x0>; 1432 | size = <0x0 0x1000000>; 1433 | }; 1434 | 1435 | boot { 1436 | offset = <0x0 0x0>; 1437 | size = <0x0 0xc00000>; 1438 | }; 1439 | 1440 | system { 1441 | offset = <0x0 0x0>; 1442 | size = <0x0 0xdc40000>; 1443 | }; 1444 | 1445 | data { 1446 | offset = <0xffffffff 0xffffffff>; 1447 | size = <0x0 0x0>; 1448 | }; 1449 | }; 1450 | }; 1451 | 1452 | ethernet@0xff3f0000 { 1453 | compatible = "amlogic, gxbb-eth-dwmac"; 1454 | status = "okay"; 1455 | reg = <0x0 0xff3f0000 0x0 0x10000 0x0 0xff634540 0x0 0x8>; 1456 | interrupts = <0x0 0x8 0x1>; 1457 | pinctrl-names = "external_eth_pins"; 1458 | pinctrl-0 = <0x24>; 1459 | mc_val_internal_phy = <0x1800>; 1460 | mc_val_external_phy = <0x1404>; 1461 | interrupt-names = "macirq"; 1462 | clocks = <0xb 0x35>; 1463 | clock-names = "ethclk81"; 1464 | internal_phy = <0x0>; 1465 | 1466 | phy0 { 1467 | compatible = "Sonos,ti83822_phy"; 1468 | interrupts = <0xd 0x54 0x0>; 1469 | }; 1470 | }; 1471 | 1472 | aml-sensor@0 { 1473 | compatible = "amlogic, aml-thermal"; 1474 | device_name = "thermal"; 1475 | #thermal-sensor-cells = <0x1>; 1476 | linux,phandle = <0x25>; 1477 | phandle = <0x25>; 1478 | 1479 | cooling_devices { 1480 | 1481 | cpufreq_cool_cluster0 { 1482 | min_state = <0xf4240>; 1483 | dyn_coeff = <0x8c>; 1484 | cluster_id = <0x0>; 1485 | node_name = "cpufreq_cool0"; 1486 | device_type = "cpufreq"; 1487 | }; 1488 | 1489 | cpucore_cool_cluster0 { 1490 | min_state = <0x1>; 1491 | dyn_coeff = <0x0>; 1492 | cluster_id = <0x0>; 1493 | node_name = "cpucore_cool0"; 1494 | device_type = "cpucore"; 1495 | }; 1496 | }; 1497 | 1498 | cpufreq_cool0 { 1499 | #cooling-cells = <0x2>; 1500 | linux,phandle = <0x27>; 1501 | phandle = <0x27>; 1502 | }; 1503 | 1504 | cpucore_cool0 { 1505 | #cooling-cells = <0x2>; 1506 | linux,phandle = <0x28>; 1507 | phandle = <0x28>; 1508 | }; 1509 | }; 1510 | 1511 | thermal-zones { 1512 | 1513 | soc_thermal { 1514 | polling-delay = <0x3e8>; 1515 | polling-delay-passive = <0x64>; 1516 | sustainable-power = <0x41a>; 1517 | thermal-sensors = <0x25 0x3>; 1518 | 1519 | trips { 1520 | 1521 | trip-point@0 { 1522 | temperature = <0x11170>; 1523 | hysteresis = <0x3e8>; 1524 | type = "passive"; 1525 | }; 1526 | 1527 | trip-point@1 { 1528 | temperature = <0x13880>; 1529 | hysteresis = <0x3e8>; 1530 | type = "passive"; 1531 | linux,phandle = <0x26>; 1532 | phandle = <0x26>; 1533 | }; 1534 | 1535 | trip-point@2 { 1536 | temperature = <0x19a28>; 1537 | hysteresis = <0x1388>; 1538 | type = "hot"; 1539 | }; 1540 | 1541 | trip-point@3 { 1542 | temperature = <0x3f7a0>; 1543 | hysteresis = <0x3e8>; 1544 | type = "critical"; 1545 | }; 1546 | }; 1547 | 1548 | cooling-maps { 1549 | 1550 | cpufreq_cooling_map { 1551 | trip = <0x26>; 1552 | cooling-device = <0x27 0x0 0x4>; 1553 | contribution = <0x400>; 1554 | }; 1555 | 1556 | cpucore_cooling_map { 1557 | trip = <0x26>; 1558 | cooling-device = <0x28 0x0 0x3>; 1559 | contribution = <0x400>; 1560 | }; 1561 | }; 1562 | }; 1563 | }; 1564 | 1565 | usb2phy@ffe09000 { 1566 | compatible = "amlogic, amlogic-new-usb2"; 1567 | status = "disabled"; 1568 | portnum = <0x4>; 1569 | reg = <0x0 0xffe09000 0x0 0x80>; 1570 | }; 1571 | 1572 | usb3phy@ffe09080 { 1573 | compatible = "amlogic, amlogic-new-usb3"; 1574 | status = "disabled"; 1575 | portnum = <0x0>; 1576 | reg = <0x0 0xffe09080 0x0 0x20>; 1577 | interrupts = <0x0 0x10 0x4>; 1578 | otg = <0x1>; 1579 | gpio-vbus-power = "GPIOAO_5"; 1580 | gpios = <0x11 0x5 0x0>; 1581 | }; 1582 | 1583 | dwc2_a { 1584 | compatible = "amlogic, dwc2"; 1585 | device_name = "dwc2_a"; 1586 | reg = <0x0 0xff400000 0x0 0x40000>; 1587 | status = "disabled"; 1588 | interrupts = <0x0 0x1f 0x4>; 1589 | pl-periph-id = <0x0>; 1590 | clock-src = "usb0"; 1591 | port-id = <0x0>; 1592 | port-type = <0x2>; 1593 | port-speed = <0x0>; 1594 | port-config = <0x0>; 1595 | port-dma = <0x0>; 1596 | port-id-mode = <0x0>; 1597 | usb-fifo = <0x2d8>; 1598 | cpu-type = "gxl"; 1599 | controller-type = <0x3>; 1600 | phy-reg = <0xffe09000>; 1601 | phy-reg-size = <0xa0>; 1602 | clocks = <0xb 0x3b 0xb 0x41 0xb 0x39>; 1603 | clock-names = "usb_general", "usb1", "usb1_to_ddr"; 1604 | }; 1605 | 1606 | pcieA@f9800000 { 1607 | compatible = "amlogic, amlogic-pcie", "snps,dw-pcie"; 1608 | reg = <0x0 0xf9800000 0x0 0x400000 0x0 0xff646000 0x0 0x2000 0x0 0xf9f00000 0x0 0x100000 0x0 0xff644000 0x0 0x2000 0x0 0xffd01080 0x0 0x10>; 1609 | reg-names = "elbi", "cfg", "config", "phy", "reset"; 1610 | reset-gpio = <0xd 0x43 0x0>; 1611 | interrupts = <0x0 0xb1 0x0 0x0 0xb3 0x0>; 1612 | #interrupt-cells = <0x1>; 1613 | bus-range = <0x0 0xff>; 1614 | #address-cells = <0x3>; 1615 | #size-cells = <0x2>; 1616 | device_type = "pci"; 1617 | ranges = <0x82000000 0x0 0x0 0x0 0xf9c00000 0x0 0x300000>; 1618 | num-lanes = <0x1>; 1619 | pcie-num = <0x1>; 1620 | speed-mod = <0x1>; 1621 | clocks = <0xb 0x3b 0xb 0x18 0xb 0x1e 0xb 0x1f 0xb 0x2c 0xb 0x1c>; 1622 | clock-names = "pcie_general", "pcie_refpll", "pcie_mipi_enable_gate", "pcie_mipi_bandgap_gate", "pcie", "port"; 1623 | gpio-type = <0x2>; 1624 | status = "okay"; 1625 | }; 1626 | 1627 | pcieB@fa000000 { 1628 | compatible = "amlogic, amlogic-pcie", "snps,dw-pcie"; 1629 | reg = <0x0 0xfa000000 0x0 0x400000 0x0 0xff648000 0x0 0x2000 0x0 0xfa400000 0x0 0x100000 0x0 0xff644000 0x0 0x2000 0x0 0xffd01080 0x0 0x10>; 1630 | reg-names = "elbi", "cfg", "config", "phy", "reset"; 1631 | reset-gpio = <0xd 0x42 0x0>; 1632 | interrupts = <0x0 0xa7 0x0 0x0 0xa9 0x0>; 1633 | #interrupt-cells = <0x1>; 1634 | bus-range = <0x0 0xff>; 1635 | #address-cells = <0x3>; 1636 | #size-cells = <0x2>; 1637 | device_type = "pci"; 1638 | ranges = <0x81000000 0x0 0x0 0x0 0xfa500000 0x0 0x10000 0x82000000 0x0 0xfa510000 0x0 0xfa510000 0x0 0x2f0000>; 1639 | num-lanes = <0x1>; 1640 | pcie-num = <0x2>; 1641 | speed-mod = <0x1>; 1642 | clocks = <0xb 0x3b 0xb 0x18 0xb 0x1e 0xb 0x1f 0xb 0x2d 0xb 0x1d>; 1643 | clock-names = "pcie_general", "pcie_refpll", "pcie_mipi_enable_gate", "pcie_mipi_bandgap_gate", "pcie", "port"; 1644 | gpio-type = <0x0>; 1645 | status = "disable"; 1646 | }; 1647 | 1648 | serial@ffd24000 { 1649 | compatible = "amlogic, meson-uart"; 1650 | reg = <0x0 0xffd24000 0x0 0x18>; 1651 | interrupts = <0x0 0x1a 0x1>; 1652 | status = "disable"; 1653 | clocks = <0xa 0xb 0x29>; 1654 | clock-names = "clk_uart", "clk_gate"; 1655 | fifosize = <0x80>; 1656 | pinctrl-names = "default"; 1657 | pinctrl-0 = <0x29>; 1658 | }; 1659 | 1660 | serial@ffd23000 { 1661 | compatible = "amlogic, meson-uart"; 1662 | reg = <0x0 0xffd23000 0x0 0x18>; 1663 | interrupts = <0x0 0x4b 0x1>; 1664 | status = "disable"; 1665 | clocks = <0xa 0xb 0x36>; 1666 | clock-names = "clk_uart", "clk_gate"; 1667 | fifosize = <0x40>; 1668 | pinctrl-names = "default"; 1669 | pinctrl-0 = <0x2a>; 1670 | }; 1671 | 1672 | aml_snd_iomap { 1673 | compatible = "amlogic, snd_iomap"; 1674 | status = "okay"; 1675 | #address-cells = <0x2>; 1676 | #size-cells = <0x2>; 1677 | ranges; 1678 | 1679 | pdm_bus { 1680 | reg = <0x0 0xff632000 0x0 0x20>; 1681 | }; 1682 | 1683 | audiobus_base { 1684 | reg = <0x0 0xff642000 0x0 0x2000>; 1685 | }; 1686 | }; 1687 | 1688 | dummy { 1689 | #sound-dai-cells = <0x0>; 1690 | compatible = "amlogic, aml_dummy_codec"; 1691 | status = "okay"; 1692 | }; 1693 | 1694 | dac_dummy_codec { 1695 | #sound-dai-cells = <0x0>; 1696 | compatible = "Sonos,dummy-codec"; 1697 | stream-name = "Sonos DAC playback stream"; 1698 | rate = <0xac44>; 1699 | format = "S32_LE"; 1700 | channels = <0x2>; 1701 | status = "okay"; 1702 | linux,phandle = <0x2c>; 1703 | phandle = <0x2c>; 1704 | }; 1705 | 1706 | pdm_dummy_codec { 1707 | #sound-dai-cells = <0x0>; 1708 | compatible = "Sonos,dummy-codec"; 1709 | stream-name = "Sonos PDM mic capture stream"; 1710 | rate = <0x3e80>; 1711 | format = "S32_LE"; 1712 | channels = <0x8>; 1713 | capture; 1714 | status = "okay"; 1715 | linux,phandle = <0x2e>; 1716 | phandle = <0x2e>; 1717 | }; 1718 | 1719 | meson_sound { 1720 | compatible = "amlogic, sound-card"; 1721 | aml-audio-card,name = "AML-AXGSOUND"; 1722 | aml-audio-card,mclk-fs = <0x100>; 1723 | 1724 | aml-audio-card,dai-link@0 { 1725 | format = "i2s"; 1726 | mclk-fs = <0x100>; 1727 | continuous-clock; 1728 | frame-inversion; 1729 | bitclock-master = <0x2b>; 1730 | frame-master = <0x2b>; 1731 | 1732 | cpu { 1733 | sound-dai = <0x2b>; 1734 | dai-tdm-slot-tx-mask = <0x1 0x1>; 1735 | dai-tdm-slot-rx-mask = <0x1 0x1>; 1736 | dai-tdm-slot-num = <0x2>; 1737 | dai-tdm-slot-width = <0x20>; 1738 | }; 1739 | 1740 | codec { 1741 | prefix-names = "Sonos i2s out"; 1742 | sound-dai = <0x2c>; 1743 | }; 1744 | }; 1745 | 1746 | aml-audio-card,dai-link@3 { 1747 | mclk-fs = <0x100>; 1748 | 1749 | cpu { 1750 | sound-dai = <0x2d>; 1751 | }; 1752 | 1753 | codec { 1754 | prefix-names = "Sonos PDM in"; 1755 | sound-dai = <0x2e>; 1756 | }; 1757 | }; 1758 | }; 1759 | 1760 | emmc@ffe07000 { 1761 | status = "okay"; 1762 | compatible = "amlogic, meson-mmc-axg"; 1763 | reg = <0x0 0xffe07000 0x0 0x2000>; 1764 | interrupts = <0x0 0xda 0x1>; 1765 | pinctrl-names = "emmc_clk_cmd_pins", "emmc_all_pins"; 1766 | pinctrl-0 = <0x2f>; 1767 | pinctrl-1 = <0x30 0x31>; 1768 | clocks = <0xb 0x31 0xb 0x53 0xb 0x2 0xb 0x5 0xa>; 1769 | clock-names = "core", "clkin0", "clkin1", "clkin2", "xtal"; 1770 | bus-width = <0x8>; 1771 | cap-sd-highspeed; 1772 | cap-mmc-highspeed; 1773 | mmc-ddr-1_8v; 1774 | mmc-hs200-1_8v; 1775 | max-frequency = <0xbebc200>; 1776 | non-removable; 1777 | disable-wp; 1778 | 1779 | emmc { 1780 | status = "disable"; 1781 | pinname = "emmc"; 1782 | ocr_avail = <0x200080>; 1783 | caps = "MMC_CAP_8_BIT_DATA", "MMC_CAP_MMC_HIGHSPEED", "MMC_CAP_SD_HIGHSPEED", "MMC_CAP_NONREMOVABLE", "MMC_CAP_1_8V_DDR", "MMC_CAP_HW_RESET", "MMC_CAP_ERASE", "MMC_CAP_CMD23"; 1784 | f_min = <0x61a80>; 1785 | f_max = <0xbebc200>; 1786 | max_req_size = <0x20000>; 1787 | gpio_dat3 = <0xd 0xe 0x0>; 1788 | tx_delay = <0x8>; 1789 | hw_reset = <0xd 0x14 0x0>; 1790 | card_type = <0x1>; 1791 | }; 1792 | }; 1793 | 1794 | adc_keypad { 1795 | compatible = "amlogic, adc_keypad"; 1796 | status = "okay"; 1797 | key_name = "power", "vol-", "vol+", "wifi", "<<", ">>"; 1798 | key_num = <0x6>; 1799 | io-channels = <0x32 0x0>; 1800 | io-channel-names = "key-chan-0"; 1801 | key_chan = <0x0 0x0 0x0 0x0 0x0 0x0>; 1802 | key_code = <0x74 0x72 0x73 0x8b 0x69 0x6a>; 1803 | key_val = <0x0 0x8f 0x10a 0x185 0x200 0x27b>; 1804 | key_tolerance = <0x28 0x28 0x28 0x28 0x28 0x28>; 1805 | }; 1806 | }; -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/.gitignore -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/logicboard-001.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/logicboard-001.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/logicboard-002.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/logicboard-002.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/logicboard-003.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/logicboard-003.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/ports-uart.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/ports-uart.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/radio-i2c-001.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/radio-i2c-001.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-001.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-001.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-002.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-002.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-003.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-003.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-004.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-004.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-005.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-005.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-006.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-006.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-007.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-007.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-008.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-008.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-009.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-009.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-010.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-010.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/photographs/teardown-011.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/photographs/teardown-011.jpg -------------------------------------------------------------------------------- /devices/S18-One/images/s18-one.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/S18-One/images/s18-one.png -------------------------------------------------------------------------------- /devices/S18-One/scripts/arm-trusted-calculator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 -i 2 | ''' 3 | https://github.com/u-boot/u-boot/blob/master/arch/arm/include/asm/arch-meson/ 4 | ''' 5 | 6 | def AXG_AO_ADDR(off): 7 | return ((AXG_AOBUS_BASE) + ((off) << 2)) 8 | 9 | 10 | SZ_1K=0x00000400 11 | 12 | AXG_AOBUS_BASE=0xff800000 13 | 14 | AXG_AO_BOOT_DEVICE=0xF 15 | AXG_AO_MEM_SIZE_MASK=0xFFFF0000 16 | AXG_AO_MEM_SIZE_SHIFT=16 17 | AXG_AO_BL31_RSVMEM_SIZE_MASK=0xFFFF0000 18 | AXG_AO_BL31_RSVMEM_SIZE_SHIFT=16 19 | AXG_AO_BL32_RSVMEM_SIZE_MASK=0xFFFF 20 | 21 | AXG_AO_SEC_GP_CFG0=AXG_AO_ADDR(0x90) 22 | AXG_AO_SEC_GP_CFG3=AXG_AO_ADDR(0x93) 23 | AXG_AO_SEC_GP_CFG4=AXG_AO_ADDR(0x94) 24 | AXG_AO_SEC_GP_CFG5=AXG_AO_ADDR(0x95) 25 | 26 | 27 | print('[-] 0x{0:0x}'.format(AXG_AO_SEC_GP_CFG0)) 28 | 29 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/dump-from-mmc.py: -------------------------------------------------------------------------------- 1 | ''' 2 | This script will attempt to dump the data from the given partition - defined by 3 | first LBA and last LBA - from a Sonos One (Generation 2) [S18]. In the event 4 | that no LBA range is provided, the GPT partition list will be dumped to the 5 | terminal instead. 6 | 7 | This will automatically hot patch U-Boot in order to enable the 'privileged' 8 | command set, which is usually restricted to device which have been 'unlocked'. 9 | After this has been done, the relevant data will be read from MMC 0 using the 10 | built in U-Boot `mmc read` and `md` commands. 11 | 12 | Oh, by the way: This code is awful, it's PoC grade at best :) 13 | 14 | Author: Peter Adkins (@Darkarnium) 15 | ''' 16 | 17 | import re 18 | import sys 19 | import struct 20 | import serial 21 | import pathlib 22 | import datetime 23 | 24 | PROMPT = 'sonos tupelo >' 25 | 26 | 27 | def unit_to_uboot(): 28 | ''' 29 | Attempt to use a serial console to bring the Unit into a clean U-Boot 30 | prompt at power on, or reset and re-enter U-Boot if already at a U-Boot 31 | prompt. 32 | ''' 33 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=10) as interface: 34 | # First up, reset the unit to get into a clean state. 35 | print('[+] Attempting to issue reset command to U-Boot') 36 | interface.write(b'reset\n') 37 | 38 | # Drop back into U-Boot. 39 | print('[-] Waiting for U-Boot boot interrupt prompt') 40 | buffer = bytes() 41 | while True: 42 | buffer += interface.readline() 43 | 44 | try: 45 | line = str(buffer, 'utf-8') 46 | except UnicodeDecodeError as err: 47 | buffer = bytes() 48 | continue 49 | 50 | # The whitelist check is just prior to the U-Boot interupt prompt. 51 | # When this line is encountered start reading N bytes rather than 52 | # until EoL - as the count down does not print an \n character 53 | # until AFTER the timeout. 54 | if line.lower().startswith('whitelist check completed'): 55 | # Check whether the 'Hit any key' prompt follows. 56 | try: 57 | peek = interface.read(12) 58 | if str(peek, 'utf-8').lower().startswith('hit any key'): 59 | print('[+] Writing U-Boot interrupt to console') 60 | interface.write(b'A') 61 | buffer = bytes() 62 | continue 63 | else: 64 | buffer += peek 65 | except: 66 | # No point in tracking the read bytes if they'll just be 67 | # discarded at the top of the next iteration. 68 | pass 69 | 70 | # Drop out of the loop when we see the U-Boot prompt 71 | if line.lower().startswith(PROMPT): 72 | print('[-] Unit is now at U-Boot prompt') 73 | buffer = bytes() 74 | break 75 | 76 | # Dump the buffer contents if no matches. 77 | buffer = bytes() 78 | 79 | 80 | def write_to_memory(value, addr, device=0x30, register=0x70): 81 | ''' 82 | Attempt to write the given value (byte) into memory at the given address. 83 | 84 | Args: 85 | value (int): The value to write. 86 | addr (int): The address in memory to write to. 87 | device (int): The address of the device on the i2c bus to read from 88 | register (int): The address of the register to use as a buffer 89 | 90 | Return: 91 | Whether the read operation was successful (bool). 92 | ''' 93 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=5) as interface: 94 | command = 'i2c mw 0x{0:0x} 0x{1:0x} 0x{2:0x}\n'.format( 95 | device, 96 | register, 97 | value 98 | ) 99 | interface.write(bytes(command, 'utf-8')) 100 | 101 | # Loop back is enabled, so throw away the first line. 102 | interface.readline() 103 | status = str(interface.read(len(PROMPT)), 'utf-8') 104 | 105 | # Abort if the write failed. 106 | if not status.lower().startswith(PROMPT): 107 | print('[!] Write failed: {0}'.format(status)) 108 | return False 109 | 110 | # Attempt to read from the register into memory. 111 | command = 'i2c read 0x{0:0x} 0x{1:0x} 0x01 0x{2:0x}\n'.format( 112 | device, 113 | register, 114 | addr 115 | ) 116 | interface.write(bytes(command, 'utf-8')) 117 | 118 | # Loop back is enabled, so throw away the first line. 119 | interface.readline() 120 | status = str(interface.read(len(PROMPT)), 'utf-8') 121 | 122 | # Abort if the write failed. 123 | if not status.lower().startswith(PROMPT): 124 | print('[!] Write failed: {0}'.format(status)) 125 | return False 126 | 127 | return True 128 | 129 | 130 | def read_from_mmc(addr=0x300000, start=0x3200, end=0x3201): 131 | ''' 132 | Attempts to read data from the MMC into memory, and then out of memory to 133 | the terminal. 134 | 135 | Args: 136 | addr (int): The address to read to in memory. 137 | start (int): The block to start reading from (LBA). 138 | end (int): The block to stop reading at (LBA). 139 | 140 | Return: 141 | Data from MMC. 142 | ''' 143 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=1) as interface: 144 | command = 'mmc read 0x{0:0x} 0x{1:0x} 0x{2:0x}\n'.format( 145 | addr, 146 | start, 147 | (end - start), # Size in blocks. 148 | ) 149 | interface.write(bytes(command, 'utf-8')) 150 | 151 | # Loop back is enabled, so throw away the first line. 152 | interface.readline() 153 | 154 | # The next line is a blank new line. 155 | interface.readline() 156 | status = str(interface.readline(), 'utf-8').strip() 157 | 158 | # Abort if the write failed. 159 | if not re.match('^MMC.*OK$', status): 160 | print('[!] Read failed: {0}'.format(status)) 161 | return False 162 | 163 | # Read from memory. 164 | command = 'md.b 0x{0:0x} 0x{1:0x}\n'.format( 165 | addr, 166 | (end - start) * 512, # Blocks are 512-bytes. 167 | ) 168 | interface.write(bytes(command, 'utf-8')) 169 | 170 | # Loop back is enabled, so throw away the first line. 171 | interface.readline() 172 | 173 | # Keep reading until all bytes have been read. 174 | kernel = bytearray() 175 | buffer = str(interface.readline(), 'utf-8') 176 | while re.match('^[0-9A-Za-z]{8}:', buffer): 177 | for byte in buffer.split(' ')[1:17]: 178 | kernel.append(int(byte, 16)) 179 | 180 | # Read more. 181 | buffer = str(interface.readline(), 'utf-8') 182 | 183 | if len(kernel) > 0: 184 | return kernel 185 | else: 186 | return None 187 | 188 | 189 | def unlock_uboot(): 190 | ''' 191 | Attempt to 'unlock' U-Boot by patching the return value from the procedure 192 | responsible for validating whether the device is marked as unlocked. This 193 | will only 'unlock' U-Boot, as there are additional checks in Linux. 194 | 195 | Return: 196 | Whether the unlock operation was successful. 197 | ''' 198 | # Patch `CBNZ` to `CBZ`. 199 | addr = base + (0x100CD17 - 0x01000000) 200 | print('[+] Patching CBNZ to CBZ at 0x{0:0x}'.format(addr)) 201 | if not write_to_memory(0x34, addr): 202 | return False 203 | 204 | # Patch `MOV W0, #0` to `MOV W0, #1`. 205 | addr = base + (0x100CDAC - 0x01000000) 206 | print('[+] Patching MOV at 0x{0:0x}'.format(addr)) 207 | if not write_to_memory(0x20, addr): 208 | return False 209 | 210 | return True 211 | 212 | 213 | def cli_usage(): 214 | ''' 215 | Prints the command line usage to the terminal. 216 | ''' 217 | print('Usage: dump-from-mmc.py [ ]') 218 | 219 | 220 | if __name__ == '__main__': 221 | if len(sys.argv) > 4: 222 | cli_usage() 223 | sys.exit(-1) 224 | if len(sys.argv) > 1 and len(sys.argv) < 4: 225 | cli_usage() 226 | print( 227 | 'Output file, LBA start, and LBA end must be provided! ' + 228 | 'One cannot be specified without the others' 229 | ) 230 | sys.exit(-1) 231 | 232 | # Addresses for locating the unlock procedures in memory. 233 | load = 0x01000000 234 | base = 0x3ff21000 235 | 236 | # Resolve the path for the output file. 237 | if len(sys.argv) > 1 and sys.argv[1]: 238 | output = pathlib.Path(sys.argv[1]).expanduser().resolve() 239 | else: 240 | output = None 241 | 242 | try: 243 | lba_start = int(sys.argv[2], 16) if len(sys.argv) > 2 else None 244 | lba_end = int(sys.argv[3], 16) if len(sys.argv) > 3 else None 245 | except ValueError as err: 246 | print( 247 | '[!] Cannot cast input LBA ranges to int from hex: {0}'.format(err) 248 | ) 249 | 250 | # Reset to a clean state first. 251 | start_time = datetime.datetime.utcnow() 252 | unit_to_uboot() 253 | 254 | # 'Unlock' U-boot. 255 | if not unlock_uboot(): 256 | print('[!] Failed to unlock U-Boot, cannot continue') 257 | sys.exit(-2) 258 | 259 | # If no range was provided, dump the GPT patition list instead. 260 | if not lba_start: 261 | data = read_from_mmc(start=0x3002, end=0x3035) 262 | if not data: 263 | print('[!] Failed to dump data from MMC, cannot continue') 264 | sys.exit(-3) 265 | 266 | part_s = 0x0 267 | part_c = part_s 268 | part_sz = 0x80 269 | while part_c < len(data): 270 | (part_lba_s, part_lba_e, part_name) = struct.unpack( 271 | '<32xQQ8x72s', 272 | data[part_s:part_s+part_sz] 273 | ) 274 | part_s += part_sz 275 | 276 | # Skip empty. 277 | if part_lba_s == 0: 278 | break 279 | 280 | # Fix up name / NULLs. 281 | part_name = part_name.replace(b'\x00', b'') 282 | print( 283 | '[+] LBA 0x{1:08x} to 0x{2:08x} is name "{0}"'.format( 284 | str(part_name, 'utf-8'), 285 | part_lba_s, 286 | part_lba_e, 287 | ) 288 | ) 289 | else: 290 | # Attempt to read the data from MMC. 291 | data = read_from_mmc(start=lba_start, end=lba_end) 292 | if not data: 293 | print('[!] Failed to dump data from MMC, cannot continue') 294 | sys.exit(-3) 295 | 296 | print('[+] Got data, writing to file at {0}'.format(output)) 297 | try: 298 | with open(output, 'wb') as fout: 299 | fout.write(data) 300 | except IOError as err: 301 | print('[!] Could not write to file: {0}'.format(err)) 302 | sys.exit(-4) 303 | 304 | end_time = datetime.datetime.utcnow() 305 | print('[-] Complete in {0}\n'.format(end_time - start_time)) 306 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/dump-kernel-from-itb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | ''' 3 | A quick and dirty script to dump a Kernel image from an input ITB (Image Tree 4 | Binary) file. This is intended for use with data dumped from a Sonos One 5 | (Generation 2) [S18]. 6 | 7 | Oh, by the way: This code is awful, it's PoC grade at best :) 8 | 9 | Author: Peter Adkins (@Darkarnium) 10 | ''' 11 | 12 | import sys 13 | import struct 14 | import pathlib 15 | import collections 16 | 17 | from pyfdt.pyfdt import FdtBlobParse 18 | 19 | 20 | if __name__ == '__main__': 21 | if len(sys.argv) != 3: 22 | print('Usage: dump-kernel-from-itb.py ') 23 | sys.exit(-1) 24 | 25 | in_path = pathlib.Path(sys.argv[1]).expanduser().resolve() 26 | out_path = pathlib.Path(sys.argv[2]).expanduser().resolve() 27 | 28 | # Load the ITB. 29 | print('[-] Attempting to load ITB from {0}'.format(in_path)) 30 | with open(in_path, 'rb') as fin: 31 | itb = FdtBlobParse(fin).to_fdt() 32 | 33 | # Locate the Kernel, and process it. 34 | print('[-] Looking for kernel@1 image in ITB') 35 | kernel = itb.resolve_path(path='/images/kernel@1') 36 | kernel_image = None 37 | kernel_description = None 38 | kernel_compression = None 39 | kernel_checksum_type = None 40 | kernel_checksum_value = None 41 | 42 | for node in kernel: 43 | # Find the checksum, and type. 44 | if node.name == 'hash@1': 45 | for entry in node: 46 | if entry.name == 'value': 47 | kernel_checksum_value = entry.words[0] 48 | if entry.name == 'algo': 49 | kernel_checksum_type = entry.strings[0] 50 | 51 | # Find the description. 52 | if node.name == 'description': 53 | kernel_description = node.strings[0] 54 | 55 | # Find the compression type. 56 | if node.name == 'compression': 57 | kernel_compression = node.strings[0] 58 | 59 | # Find the data entry. 60 | if node.name == 'data': 61 | kernel_image = node.words 62 | 63 | if not kernel_image: 64 | print('[!] Could not find kernel image in ITB! Cannot continue') 65 | sys.exit(-1) 66 | 67 | print('[-] Attempting to write kernel to {0}'.format(out_path)) 68 | try: 69 | with open(out_path, 'wb') as fout: 70 | for byte in kernel_image: 71 | fout.write(struct.pack(">I", byte)) 72 | except Exception as err: 73 | print('[!] Failed to extract kernel: {0}'.format(err)) 74 | sys.exit(-2) 75 | 76 | print('[+] Write complete, have fun! :)') 77 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/dump-mdp.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Provides a mechanism to process the MDP from a device and output a human 3 | readable view of the data contained within. This script will attempt to find 4 | the MDP inside of the provided image, so a full NAND dump can be provided. 5 | ''' 6 | 7 | import sys 8 | import json 9 | import pathlib 10 | import struct 11 | import logging 12 | import argparse 13 | import collections 14 | 15 | # The MDP is quite large, so let's wrangle it with a namedtuple. 16 | ManufacturerDataPage = collections.namedtuple( 17 | 'ManufacturerDataPage', 18 | [ 19 | 'mdp_magic', 20 | 'mdp_vendor', 21 | 'mdp_model', 22 | 'mdp_submodel', 23 | 'mdp_revision', 24 | 'mdp_serial', 25 | 'mdp_region', 26 | 'mdp_reserved', 27 | 'mdp_copyright_statement', 28 | 'mdp_flags', 29 | 'mdp_hwfeatures', 30 | 'mdp_ch11spurimmunitylevel', 31 | 'mdp_reserved2', 32 | 'mdp_version', 33 | 'mdp2_version', 34 | 'mdp3_version', 35 | 'mdp_pages_present', 36 | 'mdp_authorized_flags', 37 | 'mdp_unused', 38 | 'mdp_fusevalue', 39 | 'mdp_sw_features', 40 | 'mdp_pin', 41 | 'mdp_series_id', 42 | 'mdp_reserved3', 43 | 'u_reserved', 44 | ] 45 | ) 46 | 47 | # MDP can be detected using the following magic. 48 | MDP_BE_MAGIC = struct.pack('>I', 0xce10e47d) 49 | MDP_LE_MAGIC = struct.pack('') 33 | sys.exit(-1) 34 | 35 | filepath = pathlib.Path(sys.argv[1]).expanduser().resolve() 36 | with open(filepath, 'rb') as fin: 37 | sox_hdr = SoxHeader._make( 38 | struct.unpack(" /dev/ttyUSB0 26 | sleep 1 27 | 28 | # Boot from network. 29 | echo -en 'setenv autostart yes\n' > /dev/ttyUSB0 30 | sleep 1 31 | echo -en 'setenv bootargs console=ttyS0,115200n1 gpt root=/dev/mmcblk0p8 rw no_console_suspend earlycon=aml_uart,0xff803000 bootsect=1 bootgen=2 mdpaddr=0000000000000268 enable_console=1 enable_printk=1\n' > /dev/ttyUSB0 32 | sleep 1 33 | echo -en 'dhcp 0x100040 bootme.img\n' > /dev/ttyUSB0 34 | sleep 1 35 | 36 | # Start monitoring. 37 | cat /dev/ttyUSB0 38 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/gzip-to-its.py: -------------------------------------------------------------------------------- 1 | ''' 2 | A quick helper to take an input kernel gzip and output an ITS (Image Tree 3 | Source) data line for its contents. 4 | 5 | Author: Peter Adkins (@Darkarnium) 6 | 7 | ''' 8 | 9 | import sys 10 | import struct 11 | import pathlib 12 | import collections 13 | 14 | 15 | if __name__ == '__main__': 16 | if len(sys.argv) != 3: 17 | print('Usage: gzip-to-its.py ') 18 | sys.exit(-1) 19 | 20 | in_path = pathlib.Path(sys.argv[1]).expanduser().resolve() 21 | out_path = pathlib.Path(sys.argv[2]).expanduser().resolve() 22 | 23 | # Load the ITB. 24 | print('[-] Attempting to load Gzip from {0}'.format(in_path)) 25 | with open(in_path, 'rb') as fin: 26 | kernel = fin.read() 27 | 28 | # Iterate over in 4-byte chunks. 29 | c_addr = 0 30 | kernel_data = '' 31 | while c_addr <= len(kernel): 32 | # Add header and trailer. 33 | if c_addr == 0: 34 | kernel_data += 'data = <' 35 | 36 | if c_addr >= len(kernel): 37 | kernel_data += '>;\n' 38 | break 39 | 40 | increment = 4 41 | token = '>I' 42 | sz = len(kernel) - c_addr 43 | if sz < 4: 44 | if sz == 1: 45 | increment = 1 46 | token = 'B' 47 | elif sz == 2: 48 | increment = 2 49 | token = '>H' 50 | else: 51 | increment = 3 52 | token = '>3B' 53 | 54 | # Add encoded, byte-swapped bytes as string. 55 | kernel_data += '0x{0:0x} '.format( 56 | struct.unpack(token, kernel[c_addr:c_addr + increment])[0] 57 | ) 58 | c_addr += increment 59 | 60 | with open(out_path, 'w') as fout: 61 | fout.write(kernel_data) 62 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/i2c-thief.py: -------------------------------------------------------------------------------- 1 | ''' 2 | i2c-thief utilises the U-Boot console and an i2c bus to read data from 3 | arbitrary memory locations on devices where U-Boot has been stripped of 'all' 4 | useful memory read primitives. 5 | 6 | This script was developed for performing read-out of data via U-Boot for Sonos 7 | One (Generation 2) [S18] devices. 8 | 9 | ### NOTE ### 10 | 11 | The address on the i2c bus to write to must be that of a device present on the 12 | bus or writes will fail. Interestingly, writes to the M24C64 EEPROM on the 13 | Sonos One (Generation 2) [S18] do not error, but data does not appear to ever 14 | be properly written to the EEPROM - nor are any NACKs observed on the bus. As 15 | a result of this quirk, the `i2c write` command can be abused to read memory 16 | 255-bytes at a time. 17 | 18 | Data is read directly off the i2c bus using a logic analyser attached to i2c 19 | SDA and SCK test points on the 'radio board' of the unit. 20 | 21 | Please be advised that this is *NOT* a quick process. 22 | 23 | Author: Peter Adkins (@Darkarnium) 24 | ''' 25 | 26 | import sys 27 | import serial 28 | import datetime 29 | 30 | PROMPT = 'sonos tupelo >' 31 | 32 | 33 | def unit_to_uboot(): 34 | ''' 35 | Attempt to use a serial console to bring the Unit into a clean U-Boot 36 | prompt at power on, or reset and re-enter U-Boot if already at a U-Boot 37 | prompt. 38 | ''' 39 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=10) as interface: 40 | # First up, reset the unit to get into a clean state. 41 | print('[+] Attempting to issue reset command to U-Boot') 42 | interface.write(b'reset\n') 43 | 44 | # Drop back into U-Boot. 45 | print('[-] Waiting for U-Boot boot interrupt prompt') 46 | buffer = bytes() 47 | while True: 48 | buffer += interface.readline() 49 | 50 | try: 51 | line = str(buffer, 'utf-8') 52 | except UnicodeDecodeError as err: 53 | buffer = bytes() 54 | continue 55 | 56 | # The whitelist check is just prior to the U-Boot interupt prompt. 57 | # When this line is encountered start reading N bytes rather than 58 | # until EoL - as the count down does not print an \n character 59 | # until AFTER the timeout. 60 | if line.lower().startswith('whitelist check completed'): 61 | # Check whether the 'Hit any key' prompt follows. 62 | try: 63 | peek = interface.read(12) 64 | if str(peek, 'utf-8').lower().startswith('hit any key'): 65 | print('[+] Writing U-Boot interrupt to console') 66 | interface.write(b'A') 67 | buffer = bytes() 68 | continue 69 | else: 70 | buffer += peek 71 | except: 72 | # No point in tracking the read bytes if they'll just be 73 | # discarded at the top of the next iteration. 74 | pass 75 | 76 | # Drop out of the loop when we see the U-Boot prompt 77 | if line.lower().startswith(PROMPT): 78 | print('[-] Unit is now at U-Boot prompt') 79 | buffer = bytes() 80 | break 81 | 82 | # Dump the buffer contents if no matches. 83 | buffer = bytes() 84 | 85 | 86 | def read_from_i2c(device=0x30, register=0x70, length=0x1): 87 | ''' 88 | Attempt to read a byte from the register on the specified i2c device. 89 | 90 | Args: 91 | device (int): The address of the device on the i2c bus to read from 92 | register (int): The address of the register on the i2c device to read 93 | 94 | Return: 95 | The byte read from the device - as an int. 96 | ''' 97 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=5) as interface: 98 | command = 'i2c md 0x{0:0x} 0x{1:0x} 0x{2:0x}\n'.format( 99 | device, 100 | register, 101 | length, 102 | ) 103 | interface.write(bytes(command, 'utf-8')) 104 | 105 | # Loop back is enabled, so throw away the first line. 106 | interface.readline() 107 | result = str(interface.read(len(PROMPT)), 'utf-8') 108 | 109 | # Split the value and cast to an integer. 110 | return int(result.split(' ')[1], 16) 111 | 112 | 113 | def write_memory_to_i2c(addr, device=0x30, register=0x70, length=0x1): 114 | ''' 115 | Attempt to read addr from unit memory and write it to the target i2c 116 | device. This assumes that the i2c commands are available in U-Boot, 117 | however memory read commands are not required as the i2c write command 118 | handles this. 119 | 120 | Args: 121 | addr (int): The address in memory to read from 122 | device (int): The address of the device on the i2c bus to write to 123 | register (int): The address of the register on the i2c device to write 124 | length (int): The number of bytes to read from addr 125 | 126 | Return: 127 | Whether the write operation was successful (bool). 128 | ''' 129 | print( 130 | '[+] Writing {0} bytes from 0x{1:0x} to 0x{2:0x} at 0x{3:0x}'.format( 131 | length, 132 | addr, 133 | device, 134 | register 135 | ) 136 | ) 137 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=5) as interface: 138 | command = 'i2c write 0x{0:0x} 0x{1:0x} 0x{2:0x} 0x{3:0x}\n'.format( 139 | addr, 140 | device, 141 | register, 142 | length 143 | ) 144 | interface.write(bytes(command, 'utf-8')) 145 | 146 | # Loop back is enabled, so throw away the first line. 147 | interface.readline() 148 | status = str(interface.read(len(PROMPT)), 'utf-8') 149 | 150 | # Check whether the write was successful. 151 | if status.lower().startswith(PROMPT): 152 | return True 153 | else: 154 | print('[!] Write failed: {0}'.format(status)) 155 | return False 156 | 157 | 158 | if __name__ == '__main__': 159 | if len(sys.argv) < 2: 160 | print('Usage: i2c-thief.py ') 161 | sys.exit(-1) 162 | 163 | # Attempt to dump memory. 164 | load = 0x01000000 165 | base = 0x3ff21000 166 | s_addr = int(sys.argv[1], 16) 167 | e_addr = int(sys.argv[2], 16) 168 | result = [] 169 | 170 | # Fix the base addresses, if required. 171 | if s_addr < base: 172 | print('[-] Fixing base address for 0x{0:0x}'.format(s_addr)) 173 | s_addr = base + (s_addr - load) 174 | 175 | if e_addr < base: 176 | print('[-] Fixing base address for 0x{0:0x}'.format(e_addr)) 177 | e_addr = base + (e_addr - load) 178 | 179 | print('[-] Dumping 0x{0:0x} to 0x{1:0x}'.format(s_addr, e_addr)) 180 | start_time = datetime.datetime.utcnow() 181 | 182 | c_addr = s_addr 183 | # unit_to_uboot() 184 | while c_addr < e_addr: 185 | write_memory_to_i2c(c_addr) 186 | result.append(read_from_i2c()) 187 | c_addr += 0x1 188 | 189 | end_time = datetime.datetime.utcnow() 190 | print('[-] Complete in {0}\n'.format(end_time - start_time)) 191 | print(', '.join(['0x{0:0x}'.format(value) for value in result])) 192 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/string-code-from-relocations.py: -------------------------------------------------------------------------------- 1 | ''' 2 | This is quick and dirty script to help clean-up relocation entries quickly. It 3 | is quite terrible and will likely not work properly in different versions, and 4 | certainly not different platforms. 5 | 6 | This is included for an example of what was done, rather than for any other 7 | reason. 8 | 9 | Author: Peter Adkins (@Darkarnium) 10 | ''' 11 | 12 | import re 13 | import idautils 14 | 15 | s_addr = 0x1071A70 16 | e_addr = 0x107B658 17 | c_addr = s_addr 18 | 19 | # Used to cache addresses of strings known to IDA (as int). 20 | string_addrs = {} 21 | 22 | 23 | def has_string_entry(addr): 24 | ''' 25 | Check whether the provided address is being tracked by IDA as a string. In 26 | order to attempt to speed up subsequent lookups, string addresses will be 27 | cached into a dictionary on first use. 28 | 29 | Data returned will be a dictionary of strings, keyed by the address of the 30 | string with the length as the value. 31 | 32 | Args: 33 | addr (int): The address to check. 34 | 35 | Returns: 36 | A dictionary of string lengths keyed by their address. 37 | ''' 38 | if len(string_addrs) == 0: 39 | for s in idautils.Strings(): 40 | string_addrs[s.ea] = s.length 41 | 42 | try: 43 | return string_addrs[addr] 44 | except KeyError: 45 | return None 46 | 47 | 48 | # Fix relocation table to be qwords, if required. 49 | # while c_addr < e_addr: 50 | # create_qword(c_addr) 51 | # c_addr += 0x8 52 | 53 | # Get the get src address from each relocation entry and mark it as a qword. 54 | # c_addr = s_addr 55 | # while c_addr < e_addr: 56 | # src = Qword(c_addr) 57 | # create_qword(src) 58 | # c_addr += 0x18 59 | 60 | # Mark code sections and strings appropriately, based on whether IDA knows the 61 | # address as a string. 62 | c_addr = s_addr 63 | while c_addr < e_addr: 64 | candidate = Qword(c_addr+0x10) 65 | c_addr += 0x18 66 | 67 | # If it looks like a string, mark as a string literal. 68 | if has_string_entry(candidate): 69 | if not create_strlit(candidate, candidate + string_addrs[candidate]): 70 | print('[!] Failed to mark 0x{0:0x} as string'.format(candidate)) 71 | continue 72 | 73 | # Attempt to mark as a procedure, and wait for AA. 74 | ida_auto.auto_make_proc(candidate) 75 | ida_auto.auto_wait() 76 | 77 | if not isCode(GetFlags(candidate)): 78 | print('[!] Failed to mark 0x{0:0x} as code'.format(candidate)) 79 | 80 | continue 81 | -------------------------------------------------------------------------------- /devices/S18-One/scripts/write-what-where.py: -------------------------------------------------------------------------------- 1 | ''' 2 | This write-what-where script allows for writing to arbitrary memory locations 3 | on a Sonos One (Generation 2) [S18] device, though it may be compatible with 4 | others. 5 | 6 | ### NOTE ### 7 | 8 | Addresses will be automatically shifted to the `relocaddr` if provided with a 9 | memory address which is less than the defined `relocaddr`. This allows for 10 | translation between the addresses from a disassembler and as loaded in memory 11 | on the unit just to speed things up. However, this may differ from product to 12 | product, so may need adjustment. 13 | 14 | Author: Peter Adkins (@Darkarnium) 15 | ''' 16 | 17 | import sys 18 | import serial 19 | import datetime 20 | 21 | PROMPT = 'sonos tupelo >' 22 | 23 | 24 | def unit_to_uboot(): 25 | ''' 26 | Attempt to use a serial console to bring the Unit into a clean U-Boot 27 | prompt at power on, or reset and re-enter U-Boot if already at a U-Boot 28 | prompt. 29 | ''' 30 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=10) as interface: 31 | # First up, reset the unit to get into a clean state. 32 | print('[+] Attempting to issue reset command to U-Boot') 33 | interface.write(b'reset\n') 34 | 35 | # Drop back into U-Boot. 36 | print('[-] Waiting for U-Boot boot interrupt prompt') 37 | buffer = bytes() 38 | while True: 39 | buffer += interface.readline() 40 | 41 | try: 42 | line = str(buffer, 'utf-8') 43 | except UnicodeDecodeError as err: 44 | buffer = bytes() 45 | continue 46 | 47 | # The whitelist check is just prior to the U-Boot interupt prompt. 48 | # When this line is encountered start reading N bytes rather than 49 | # until EoL - as the count down does not print an \n character 50 | # until AFTER the timeout. 51 | if line.lower().startswith('whitelist check completed'): 52 | # Check whether the 'Hit any key' prompt follows. 53 | try: 54 | peek = interface.read(12) 55 | if str(peek, 'utf-8').lower().startswith('hit any key'): 56 | print('[+] Writing U-Boot interrupt to console') 57 | interface.write(b'A') 58 | buffer = bytes() 59 | continue 60 | else: 61 | buffer += peek 62 | except: 63 | # No point in tracking the read bytes if they'll just be 64 | # discarded at the top of the next iteration. 65 | pass 66 | 67 | # Drop out of the loop when we see the U-Boot prompt 68 | if line.lower().startswith(PROMPT): 69 | print('[-] Unit is now at U-Boot prompt') 70 | buffer = bytes() 71 | break 72 | 73 | # Dump the buffer contents if no matches. 74 | buffer = bytes() 75 | 76 | 77 | def write_to_memory(value, addr, device=0x30, register=0x70): 78 | ''' 79 | Attempt to write the given value (byte) into memory at the given address. 80 | 81 | Args: 82 | value (int): The value to write. 83 | addr (int): The address in memory to write to. 84 | device (int): The address of the device on the i2c bus to read from 85 | register (int): The address of the register to use as a buffer 86 | 87 | Return: 88 | Whether the read operation was successful (bool). 89 | ''' 90 | with serial.Serial('/dev/ttyUSB0', 115200, timeout=5) as interface: 91 | command = 'i2c mw 0x{0:0x} 0x{1:0x} 0x{2:0x}\n'.format( 92 | device, 93 | register, 94 | value 95 | ) 96 | interface.write(bytes(command, 'utf-8')) 97 | 98 | # Loop back is enabled, so throw away the first line. 99 | interface.readline() 100 | status = str(interface.read(len(PROMPT)), 'utf-8') 101 | 102 | # Abort if the write failed. 103 | if not status.lower().startswith(PROMPT): 104 | print('[!] Write failed: {0}'.format(status)) 105 | return False 106 | 107 | # Attempt to read from the register into memory. 108 | command = 'i2c read 0x{0:0x} 0x{1:0x} 0x01 0x{2:0x}\n'.format( 109 | device, 110 | register, 111 | addr 112 | ) 113 | interface.write(bytes(command, 'utf-8')) 114 | 115 | # Loop back is enabled, so throw away the first line. 116 | interface.readline() 117 | status = str(interface.read(len(PROMPT)), 'utf-8') 118 | 119 | # Abort if the write failed. 120 | if not status.lower().startswith(PROMPT): 121 | print('[!] Write failed: {0}'.format(status)) 122 | return False 123 | 124 | return True 125 | 126 | 127 | if __name__ == '__main__': 128 | if len(sys.argv) < 2: 129 | print('Usage: write-what-where.py
') 130 | sys.exit(-1) 131 | 132 | # Attempt to dump memory. 133 | load = 0x01000000 134 | base = 0x3ff21000 135 | addr = int(sys.argv[1], 16) 136 | byte = int(sys.argv[2], 16) 137 | 138 | # Fix the base addresses, if required. 139 | if addr < base: 140 | print('[-] Fixing base address for 0x{0:0x}'.format(addr)) 141 | addr = base + (addr - load) 142 | 143 | # Reset to a clean state first. 144 | unit_to_uboot() 145 | print('[+] Patching 0x{0:0x} with byte 0x{0:0x}'.format(addr, byte)) 146 | write_to_memory(byte, addr) 147 | -------------------------------------------------------------------------------- /devices/S18-One/sources/.gitiginore: -------------------------------------------------------------------------------- 1 | .repo/ 2 | u-boot-amlogic/ 3 | -------------------------------------------------------------------------------- /devices/S18-One/sources/README.md: -------------------------------------------------------------------------------- 1 | ## Sources 2 | 3 | 1. [Usage](#usage) 4 | 1. [U-Boot](#u-boot) 5 | 6 | Unfortunately, it appears that the build root referenced in the public Amlogic 7 | documentation is no longer accessible via the published URL. In addition to 8 | this, access to an alternate Git source requires an account: 9 | 10 | * [Amlogic_A311D_Buildroot_Preview_Release_Notes_V20180706.pdf](http://openlinux.amlogic.com:8000/download/doc/Amlogic_A311D_Buildroot_Preview_Release_Notes_V20180706.pdf) 11 | 12 | However, a few relevant resources appear to be mirrored in a number of 13 | locations which have been submoduled into this directory. These have not 14 | been mirrored in this repository as they may be liable for take-down requests 15 | due to the potential for them to include 'propriatary code'. 16 | 17 | ### Usage 18 | 19 | Perform a recursive clone of the submodules in the root of this repository in 20 | order to clone these: 21 | 22 | ``` 23 | cd ../../../ 24 | git submodule update --init 25 | ``` 26 | 27 | ### U-Boot 28 | 29 | Though far from identical to the Sonos unit, the submoduled U-Boot sources 30 | contain support for an Amlogic S400 development board. This board appears to 31 | use the same SoC, and may serve as a reference point for how the Sonos U-Boot 32 | image _may_ have been constructed - given that this is proprietary. 33 | 34 | * [Amlogic S400 README](./u-boot-amlogic/board/amlogic/s400/README) 35 | -------------------------------------------------------------------------------- /devices/ZP120/BOM.md: -------------------------------------------------------------------------------- 1 | ## Bill Of Materials (BOM) 2 | 3 | 1. [Overview](#overview) 4 | 5 | ### Overview 6 | 7 | The following list details the major components on the logic board of a Sonos 8 | ZP120. 9 | 10 | |Package|Manufacturer|Part Number|Description|Silk Screen|Board| 11 | |-|-|-|-|-|-| 12 | |PBGA|Freescale|MPC8247VRPIEA|MPC8247 SoC (Power Architecture)|I15000|Logic Board| 13 | |TSOP|ISSI|IS42S16800D-7TL|128-MBIT SYNCHRONOUS DRAM (16MB)|U15012|Logic Board| 14 | |TSOP|ISSI|IS42S16800D-7TL|128-MBIT SYNCHRONOUS DRAM (16MB)|U15011|Logic Board| 15 | |TSOP|ST|NAND256W3A2?|NAND Flash (32MB)|U1500?|Logic Board| 16 | 17 | ### Data Sheets 18 | 19 | * [Freescale MPC8272](https://www.nxp.com/docs/en/data-sheet/MPC8272EC.pdf) 20 | * [ISSI IS42S16800D](https://www.mouser.co.uk/datasheet/2/198/42s81600d-1169584.pdf) 21 | -------------------------------------------------------------------------------- /devices/ZP120/CONSOLE.md: -------------------------------------------------------------------------------- 1 | ## Console 2 | 3 | 1. [Overview](#overview) 4 | 1. [Pinout](#pinout) 5 | 1. [Boot Console](#boot-console) 6 | 7 | ### Overview 8 | 9 | An unpopulated connector which provides a serial console can be found under the 10 | CPU shield can just below the MiniPCI connector on the Sonos ZP120 logic board. 11 | This is labelled `J15005` 12 | 13 | The console baud is `38400` (`8N1`). 14 | 15 | ### Pinout 16 | 17 | The pinout for `J15005` is as follows: 18 | 19 | ![UART / Console Pinout](./images/photographs/ports-uart.jpg?raw=true) 20 | 21 | ### Boot Console 22 | 23 | The boot-time output from the unit can be found in the following text dump: 24 | 25 | * [J15005-Console-Boot.txt](./dumps/j15005-console-boot.txt) 26 | -------------------------------------------------------------------------------- /devices/ZP120/README.md: -------------------------------------------------------------------------------- 1 | ## Sonos ZP120 2 | 3 | ![ZP120](images/zp120.png?raw=true) 4 | 5 | ### Thanks 6 | 7 | A massive thank you to [Andre Protas](https://twitter.com/cveiche) for donating 8 | a ZP120 for research purposes! 9 | 10 | ### Overview 11 | 12 | > The SONOS CONNECT:AMP (formerly ZonePlayer 120) includes a built-in 13 | > state-of-the-art digital amplifier that can power large or small speakers, 14 | > allowing you to enjoy superior audio quality in every room. 15 | 16 | * **FCC ID** - [SBVRM001](https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=14YvdloOg8%2F%2FTvOufUmeOg%3D%3D&fcc_id=SBVRM001) 17 | 18 | ### Summary 19 | 20 | Sonos ZP120 is powered by a Freescale MPC8247 SoC (Power ISA). 21 | 22 | ### Detail 23 | 24 | The following pages contain more information about the respective components 25 | / areas of this device. 26 | 27 | 1. [Tear Down](./TEARDOWN.md) 28 | 1. [Bill Of Materials](./BOM.md) 29 | 1. [Serial Console](./CONSOLE.md) 30 | 1. [U-Boot](./UBOOT.md) 31 | 32 | ### References 33 | 34 | -------------------------------------------------------------------------------- /devices/ZP120/TEARDOWN.md: -------------------------------------------------------------------------------- 1 | ## Teardown 2 | 3 | 1. [Overview](#overview) 4 | 1. [Tools](#tools) 5 | 1. [Process](#process) 6 | 1. [References](#references) 7 | 8 | ### Overview 9 | 10 | The following guide details the tear down of a Sonos ZP120 in order to access 11 | the logic board. 12 | 13 | ### Tools 14 | 15 | * Phillips #1 Screwdriver 16 | * Phillips #2 Screwdriver 17 | * Plastic Spudger 18 | 19 | ### Process 20 | 21 | 1. Using a plastic spudger, remove the rubber feet from the base of the unit. 22 | 23 | ![teardown-001.jpg](./images/photographs/teardown-001.jpg?raw=true) 24 | 25 | 2. Remove the four bottom screws using a #2 Phillips. 26 | 27 | ![teardown-002.jpg](./images/photographs/teardown-002.jpg?raw=true) 28 | 29 | 3. Gently pull the base away from the unit, to reveal the bottom shield. 30 | 31 | 4. Remove the six main screws with a #2 and #1 Phillips. 32 | 33 | ![teardown-003.jpg](./images/photographs/teardown-003.jpg?raw=true) 34 | 35 | 5. If the entire shield is to be removed, ensure that the six antenns PCB screws are also removed. 36 | 37 | ![teardown-004.jpg](./images/photographs/teardown-004.jpg?raw=true) 38 | 39 | 6. Once the shield has been removed, flip the unit over and remove the top "grill" 40 | using a plastic spudger. 41 | 42 | 7. Once again remove the six main screws with a #2 and #1 Phillips. 43 | 44 | ![teardown-005.jpg](./images/photographs/teardown-005.jpg?raw=true) 45 | 46 | 8. To remove the logic board, unplug the MiniPCI antenna card, carefully 47 | disconnect the ribbon cable and remove the three main screws using a #1 48 | Phillips. 49 | 50 | **NOTE** There are TWO screws between the RCA connectors on the rear of the 51 | unit. These are **BEHIND** the blue back-covering, which must be punctured or 52 | removed in order to remove these screws. 53 | 54 | ![teardown-006.jpg](./images/photographs/teardown-006.jpg?raw=true) 55 | 56 | 9. Carefully un-mate the logic board as there is a 32-pin board to board 57 | connector on the underside. 58 | 59 | ![teardown-007.jpg](./images/photographs/teardown-007.jpg?raw=true) 60 | 61 | -------------------------------------------------------------------------------- /devices/ZP120/UBOOT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/UBOOT.md -------------------------------------------------------------------------------- /devices/ZP120/dumps/j15005-console-boot.txt: -------------------------------------------------------------------------------- 1 | U-Boot 1.1.1(1-16-3-0.9), Build: 0.9 2 | 3 | MPC8272 Reset Status: External Soft, External Hard 4 | 5 | MPC8272 Clock Configuration 6 | - Bus-to-Core Mult 3x, VCO Div 4, 60x Bus Freq 16-50 , Core Freq 50-150 7 | - dfbrg 1, corecnf 0x10, busdf 3, cpmdf 1, plldf 0, pllmf 3 8 | - vco_out 400000000, scc_clk 100000000, brg_clk 25000000 9 | - cpu_clk 300000000, cpm_clk 200000000, bus_clk 100000000 10 | - pci_clk 33333333 11 | 12 | CPU: MPC8272 (HiP7 Rev 14, Mask unknown [immr=0x0d10,k=0x00e1]) at 300 MHz 13 | Board: Sonos Wembley 14 | DRAM: 32 MB 15 | DRAM test 16 | Test complete - 0 errors, error pattern 00000000 17 | Using default environment 18 | 19 | In: serial 20 | Out: serial 21 | Err: serial 22 | Net: FCC2 ETHERNET 23 | Hit any key to stop autoboot: 0 24 | => -------------------------------------------------------------------------------- /devices/ZP120/dumps/j15005-console-os-boot.txt: -------------------------------------------------------------------------------- 1 | U-Boot 1.1.1(1-16-3-0.9), Build: 0.9 2 | 3 | MPC8272 Reset Status: External Soft, External Hard 4 | 5 | MPC8272 Clock Configuration 6 | - Bus-to-Core Mult 3x, VCO Div 4, 60x Bus Freq 16-50 , Core Freq 50-150 7 | - dfbrg 1, corecnf 0x10, busdf 3, cpmdf 1, plldf 0, pllmf 3 8 | - vco_out 400000000, scc_clk 100000000, brg_clk 25000000 9 | - cpu_clk 300000000, cpm_clk 200000000, bus_clk 100000000 10 | - pci_clk 33333333 11 | 12 | CPU: MPC8272 (HiP7 Rev 14, Mask unknown [immr=0x0d10,k=0x00e1]) at 300 MHz 13 | Board: Sonos Wembley 14 | DRAM: 32 MB 15 | DRAM test 16 | Test complete - 0 errors, error pattern 00000000 17 | Using default environment 18 | 19 | In: serial 20 | Out: serial 21 | Err: serial 22 | Net: FCC2 ETHERNET 23 | Hit any key to stop autoboot: 0 24 | NAND ID is 20:75 25 | 32M NAND flash (ST NAND256W3A) 26 | S0 provisionally good, KP=1, G39 27 | S1 provisionally good, KP=4, G40 28 | Boot from partition 4 29 | ## Starting application at 0x00400000 ..�TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT.............................. 30 | -------------------------------------------------------------------------------- /devices/ZP120/dumps/j15005-recoverme.txt: -------------------------------------------------------------------------------- 1 | U-Boot 1.1.1(1-16-3-0.9), Build: 0.9 2 | 3 | MPC8272 Reset Status: External Soft, External Hard 4 | 5 | MPC8272 Clock Configuration 6 | - Bus-to-Core Mult 3x, VCO Div 4, 60x Bus Freq 16-50 , Core Freq 50-150 7 | - dfbrg 1, corecnf 0x10, busdf 3, cpmdf 1, plldf 0, pllmf 3 8 | - vco_out 400000000, scc_clk 100000000, brg_clk 25000000 9 | - cpu_clk 300000000, cpm_clk 200000000, bus_clk 100000000 10 | - pci_clk 33333333 11 | 12 | CPU: MPC8272 (HiP7 Rev 14, Mask unknown [immr=0x0d10,k=0x00e1]) at 300 MHz 13 | Board: Sonos Wembley 14 | DRAM: 32 MB 15 | DRAM test 16 | Test complete - 0 errors, error pattern 00000000 17 | Using default environment 18 | 19 | In: serial 20 | Out: serial 21 | Err: serial 22 | Net: FCC2 ETHERNET 23 | Hit any key to stop autoboot: 0 24 | => _recoverme 25 | NAND ID is 20:75 26 | 32M NAND flash (ST NAND256W3A) 27 | No partition table 28 | MDP2 is not blank 29 | My cert filename is 000e58314978.cert 30 | Using FCC2 ETHERNET device 31 | TFTP from server 169.254.2.2; our IP address is 169.254.1.1 32 | Filename '000e58314978.cert'. 33 | Load address: 0x400000 34 | Loading: T T T T T T T T T T -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/logicboard-001.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/logicboard-001.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/logicboard-002.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/logicboard-002.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/logicboard-003.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/logicboard-003.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/logicboard-004.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/logicboard-004.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/logicboard-005.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/logicboard-005.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/ports-uart.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/ports-uart.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-001.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-001.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-002.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-002.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-003.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-003.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-004.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-004.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-005.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-005.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-006.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-006.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/photographs/teardown-007.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/photographs/teardown-007.jpg -------------------------------------------------------------------------------- /devices/ZP120/images/zp120.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkarnium/sonor/d2715819b84b6f486b04b01c753aff341651ebbd/devices/ZP120/images/zp120.png -------------------------------------------------------------------------------- /devices/ZP120/scripts/boot-brute.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import serial 3 | import datetime 4 | import logging 5 | import argparse 6 | import string 7 | import time 8 | 9 | PROMPT = '=> ' 10 | SERIAL_DEVICE = '/dev/ttyUSB0' 11 | SERIAL_BAUD = 38400 12 | 13 | # A list of commands to NOT execute. 14 | NOEXECUTE = [ 15 | 'nandboot', 16 | '_recoverme', 17 | ] 18 | 19 | 20 | def console_from_powerup(): 21 | ''' 22 | Attempts to drop the unit into U-Boot console at power-up. 23 | ''' 24 | buffer = bytes() 25 | with serial.Serial(SERIAL_DEVICE, SERIAL_BAUD, timeout=10) as interface: 26 | # Wait until a prompt. 27 | while True: 28 | buffer += interface.readline() 29 | 30 | try: 31 | line = str(buffer, 'utf-8') 32 | except UnicodeDecodeError: 33 | buffer = bytes() 34 | continue 35 | 36 | # Start writing interrupt sequences as early as the 'using default' 37 | # line. Due to the boot timeout being zero there's a very small 38 | # window to interrupt the boot process, so we have to start early. 39 | if line.lower().startswith('using default'): 40 | interface.write(b'\r\n' * 10) 41 | buffer = bytes() 42 | continue 43 | 44 | # Drop out of the loop when we see the U-Boot prompt 45 | if line.lower().startswith(PROMPT): 46 | buffer = bytes() 47 | break 48 | 49 | # Dump the buffer contents if no matches. 50 | buffer = bytes() 51 | 52 | 53 | def brute_force_command(start_char, alphabet): 54 | ''' 55 | Attempts to brute force a command over serial. 56 | 57 | Args: 58 | start_char (str): The character to start from. 59 | alphabet (list): The alphabet to use when searching. 60 | 61 | Returns: 62 | str: The enumerated command 63 | ''' 64 | ptr = 0 65 | command = start_char 66 | with serial.Serial(SERIAL_DEVICE, SERIAL_BAUD, timeout=10) as interface: 67 | while True: 68 | # Start again, or finish, when we've exhausted a suitable search 69 | # space. 70 | if len(command) > 10: 71 | return command 72 | 73 | # Return with any detected commands once we've exhausted our 74 | # alphabet 75 | if ptr >= len(alphabet): 76 | if len(command) > 1: 77 | return command 78 | else: 79 | return None 80 | 81 | # Build the new command and check whether it's blank, or on the 82 | # NOEXECUTE list before sending to the device. 83 | outgoing = '{0}{1}\n'.format(command, alphabet[ptr]) 84 | if not outgoing.strip(): 85 | ptr += 1 86 | 87 | if outgoing.strip() in NOEXECUTE: 88 | return outgoing.strip() 89 | 90 | # Push the command, and discard loopback. 91 | interface.write(bytes(outgoing, 'utf-8')) 92 | interface.readline() 93 | 94 | # Read until prompt, and then check whether the result was as 95 | # expected 96 | buffer = bytes() 97 | while True: 98 | peek = interface.read(1) 99 | buffer += peek 100 | 101 | # Break out of the loop if the prompt is detected. 102 | if len(buffer) >= len(PROMPT): 103 | if str(buffer[-len(PROMPT):], 'utf-8') == PROMPT: 104 | break 105 | 106 | try: 107 | line = str(buffer, 'utf-8') 108 | except UnicodeDecodeError: 109 | continue 110 | 111 | if line.lower().startswith('unknown'): 112 | ptr += 1 113 | else: 114 | command += alphabet[ptr] 115 | ptr = 0 116 | 117 | 118 | def main(args): 119 | ''' 120 | Args: 121 | args (...): A set of arguments parsed by the Python argparse module. 122 | ''' 123 | logging.basicConfig( 124 | level=logging.INFO, 125 | format='%(asctime)s - %(process)d - [%(levelname)s] %(message)s', 126 | ) 127 | logger = logging.getLogger(__name__) 128 | 129 | # Start by attempting to drop the device into console. 130 | logger.info('Waiting for U-Boot messages, please power on device now') 131 | console_from_powerup() 132 | logger.info('Device at U-Boot console, starting brute force') 133 | 134 | # Kick off the brute force. 135 | candidates = [] 136 | candidates.extend(list(string.ascii_letters)) 137 | candidates.extend(list(string.digits)) 138 | candidates.append('_') 139 | candidates.append(' ') 140 | 141 | for candidate in candidates: 142 | command = brute_force_command(candidate, candidates) 143 | if command: 144 | logger.info('Found command {0}'.format(command)) 145 | 146 | 147 | if __name__ == '__main__': 148 | parser = argparse.ArgumentParser( 149 | description="Attempts to brute force U-Boot commands" 150 | ) 151 | main(parser.parse_args()) 152 | --------------------------------------------------------------------------------