红米小爱Play hack

视频 BV12T4y1E7nq

因为没找到别的入口,于是打算拆开机器接 TTL 串口

要无损拆开,需要准备金属撬棒,大塑料撬棒,锤子

先找一个角,用金属撬棒向外顶着,再用锤子轻敲,敲开一点缝(因为 4 个角的缝最小)

然后把塑料撬棒塞进去沿边撬一圈即可拆开

准备一个ttl小板,三根弯排针

PCB 上有小字标着各线的连接顺序,TX、RX 要与小板交叉接(板子的 TX 接小板的 RX,RX 接 TX)

插电开机,启动完成后会在控制台看到一行 sn_code: ,把冒号后面的内容复制下来,按下面的格式拼起来

sn码A20EDC68-62E5-70C6-76E8-75879721B8EC

到这里算一个32位小写md5,前14位就是root的密码

开启ssh:

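# Generate the dropbear host key only once: /data survives reboots (/ is
# read-only), and regenerating the key changes the host fingerprint that
# clients have already accepted.
[ -f /data/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /data/dropbear_rsa_host_key
# Start dropbear with that key. Default settings accept the root password,
# which on this device is derived from the SN printed on the serial console;
# once an authorized_keys file is in place, prefer key-only logins
# (dropbear -s) so that password alone is no longer enough.
dropbear -r /data/dropbear_rsa_host_key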

由于 / 是只读的,没法修改开机启动项来自动打开 ssh;可以在机内加一个单片机,开机后延时通过串口执行命令

播放音频:

mphelper tone <本地文件或链接>

具体可以 cat /usr/bin/mphelper 来查看它提供的控制 API

系统信息:

U-Boot 2018.05 (Dec 11 2019 - 02:53:20 +0000) Allwinner Technology, Build: jenkins-Mico_l07a_ota_publish-63
CPU: Allwinner Family
Model: sun8iw18
I2C: ready
DRAM: 64 MiB
Relocation Offset is: 00f48000
secure enable bit: 1
CPU=1008 MHz,PLL6=600 Mhz,AHB=200 Mhz, APB1=100Mhz MBus=264Mhz
Linux version 4.9.118 ([email protected]) (gcc version 6.4.1 (OpenWrt/Linaro GCC 6.4-2017.11 2017-11) ) #1 SMP Wed Mar 25 02:19:05 UTC 2020
[email protected]:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 23296 23296 0 100% /
devtmpfs 512 0 512 0% /dev
tmpfs 29240 204 29036 1% /tmp
tmpfs 512 0 512 0% /dev
/dev/by-name/UDISK 24981 3604 19497 16% /data
/dev/by-name/UDISK 24981 3604 19497 16% /etc/shadow
[email protected]:~# free
total used free shared buffers cached
Mem: 58484 56312 2172 272 6532 16968
-/+ buffers/cache: 32812 25672
Swap: 0 0 0
[email protected]:~# ps
PID USER VSZ STAT COMMAND
1 root 1324 S /sbin/procd
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [kworker/0:0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u4:0]
7 root 0 SW [rcu_sched]
8 root 0 SW [rcu_bh]
9 root 0 SW [migration/0]
10 root 0 SW< [lru-add-drain]
11 root 0 SW [cpuhp/0]
12 root 0 SW [cpuhp/1]
13 root 0 SW [migration/1]
14 root 0 SW [ksoftirqd/1]
15 root 0 SW [kworker/1:0]
16 root 0 SW< [kworker/1:0H]
17 root 0 SW [kdevtmpfs]
18 root 0 SW [kworker/u4:1]
205 root 0 SW [kworker/u4:2]
228 root 0 SW [oom_reaper]
229 root 0 SW< [writeback]
230 root 0 SW< [crypto]
232 root 0 SW< [bioset]
234 root 0 SW< [kblockd]
273 root 0 SW [kworker/1:1]
275 root 0 SW< [cfg80211]
304 root 0 SW [kworker/0:1]
320 root 0 SW [kswapd0]
321 root 0 SW< [vmstat]
452 root 0 SW< [bioset]
453 root 0 SW [nand]
454 root 0 SW [nftld]
466 root 0 SW [nand_rcd]
483 root 0 SW< [btfwwork]
484 root 0 SW [cfinteractive]
485 root 0 SW [autohotplug]
486 root 0 SW [irq/165-sunxi-m]
648 root 0 SW< [ipv6_addrconf]
666 root 0 SW< [kworker/0:1H]
667 root 0 SW< [kworker/1:1H]
858 root 972 S /sbin/ubusd
866 root 1040 S -ash
1250 root 0 SW< [krfcommd]
1331 root 1324 S /usr/sbin/dbus-daemon --system
1383 root 1412 S /sbin/netifd
1402 root 0 SW [jbd2/nand0p9-8]
1403 root 0 SW< [ext4-rsv-conver]
1410 root 2600 S< /usr/bin/quickplayer
1419 root 1040 S< /bin/ledserver
1461 root 1040 S /usr/sbin/crond -f -c /etc/crontabs -l 5
1479 root 4296 S {syslog-ng} supervising syslog-ng
1480 root 4348 S /usr/sbin/syslog-ng
1581 root 6440 S /usr/bin/xiaomi_dns_server
1630 root 0 SW [ksdioirqd/mmc0]
1641 root 0 SW [RTW_XMIT_THREAD]
1642 root 0 SW [RTW_CMD_THREAD]
1643 root 0 SW [RTWHALXT]
1655 root 1700 S /usr/sbin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/w
1678 root 1040 S udhcpc -f -S -s /bin/simple_dhcp.sh -R -t 0 -i wlan0
1699 root 704 S odhcp6c -s /lib/netifd/odhcp6c-script.sh -P0 -e -v w
1702 root 1048 S {wireless_point.} /bin/sh /usr/bin/wireless_point.sh
2578 root 824 S rtk_hciattach -n -s 115200 ttyS1 rtk_h4
2628 nobody 872 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k -x /va
2651 root 9936 S /usr/bin/upnp-disc
2667 root 1340 S /usr/bin/alarmd
2687 root 7820 S /usr/bin/mico_aivs_lab
2700 root 0 SW< [kworker/u5:0]
2701 root 0 SW< [hci0]
2702 root 0 SW< [hci0]
2705 root 0 SW< [kworker/u5:1]
2706 root 0 SW< [kworker/u5:2]
2729 root 3420 S /usr/bin/bluetoothd -n
2776 root 10040 S /usr/bin/mediaplayer
2790 root 736 S /usr/sbin/wpa_cli -a/bin/wpa_action.sh
2791 root 8004 S /usr/bin/messagingagent --handler_threads 8
2809 root 1300 S /usr/bin/mico-helper
2823 root 1024 S /bin/wifitool
2899 root 5208 S /usr/bin/statpoints_daemon
2999 root 1032 S /usr/bin/miio_client -L /dev/null
3000 root 1092 S {miio_client_hel} /bin/sh /usr/bin/miio_client_helpe
3315 root 5248 S /usr/bin/bluealsa -i hci0 -p a2dp-sink
3316 root 5760 S /usr/bin/bluealsa-aplay 00:00:00:00:00:00 -vv -i hci
3317 root 5964 S /usr/bin/bluez_mibt_classical
3318 root 2628 S /usr/bin/bluez_mibt_ble
3385 root 564 S /usr/bin/miio_recv_line
3428 root 1236 S /usr/bin/miio_service
3449 mosquitt 844 S mosquitto -c /etc/mosquitto/mosquitto.conf
3482 root 18604 S< /usr/bin/mipns-horizon -c /usr/share/mipns/ -r opus3
3490 root 960 S /bin/touchpad
3668 root 5832 S /usr/bin/mibrain_service
3678 root 1400 S /usr/bin/mico_ai_crontab
3689 root 780 S /usr/bin/nano_httpd
3702 root 3316 S /usr/bin/pns_ubus_helper
3721 root 3204 S /usr/bin/mibt_mesh_proxy
4028 root 1040 S sleep 10s
4030 root 1040 R ps
[email protected]:/data# ls /etc/init.d/
adbd dnsmasq mico_ai_crontab silentboot
alarm done mico_aivs_lab start_sound
alsa dropbear mico_helper statpoints_daemon
bluetooth fstab miio sysctl
bluetoothd gpio_switch mitv-disc sysfixtime
boot led mosquitto syslog-ng
boot_check logrotate nano_httpd system
check_mac mediaplayer network touchpad
coredump messagingagent odhcp6c umount
cron mibrain_service pns wifitool
dbus mibt_mesh pns_ubus_helper wireless
dhcpc mibt_mesh_proxy quickplayer xiaomi_dns_server
[email protected]:/data# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# Apply one ALSA mixer control on the on-board codec (card hw:audiocodec).
#   $1 - control name
#   $2 - value to set
# Kept POSIX-sh compatible (this file is run by the system shell, which the
# process list shows as ash); amixer's exit status is not checked, matching
# the original file.
set_codec_ctl() {
  amixer -D hw:audiocodec cset name="$1" "$2"
}

# --- playback path ---
set_codec_ctl 'External Speaker Switch' 1
set_codec_ctl 'digital volume' 63
set_codec_ctl 'LINEOUT volume' 23
set_codec_ctl 'Right LINEOUT Mux' 1

# --- capture path (MIC1-MIC3 inputs) ---
set_codec_ctl 'Left Input Mixer MIC1 Boost Switch' 1
set_codec_ctl 'Right Input Mixer MIC2 Boost Switch' 1
set_codec_ctl 'Xadc Input Mixer MIC3 Boost Switch' 1
set_codec_ctl 'MIC1 gain volume' 2
set_codec_ctl 'MIC2 gain volume' 2
set_codec_ctl 'MIC3 gain volume' 0

exit 0
[email protected]:/data#
