My dream is to load custom firmware on these and ditch the Crestron OS entirely
It's likely because there's a backend change for Teams Panel, and they have to wait until Microsoft certifies v3 firmware to be available in the Teams Admin Console, so they can't have a bunch of panels running Teams Panel auto-updating before the firmware is certified.
Just re-read the release notes and it's likely because early firmwares were Android 8, and you need to update to Android 10 firmwares before updating to Android 12. I assume jumping from 8 to 12 would likely brick the panel or cause issues, so they're keeping it an opt-in rather than opt-out.
Also you seem to have found the answer already, but the OLH you linked refers to the Light bar on the XX70 panel.
And my ticket about the source code was just closed without any response after a few days with no change made.
Well, new update: I managed to borrow a 770 running 3.x, and the wireless debugging option is indeed there. It's a real pain in the neck to access given it only works on Wi-Fi - apparently Ethernet doesn't count here. The usual `adb pair` and `adb connect` will work though.
From this ADB connection, I can run `adb shell`, but I cannot run `adb root`:
```
➜ adb root
adbd cannot run as root in production builds
➜ adb shell
error: failed to create pty master: Permission denied
%
➜ adb shell /bin/bash
whoami # note, no PTY, so no prompt.
shell
```
I also can't touch most of the files in `/vendor/bin`, so I guess they did their homework and actually locked things down in firmware 3.x. Not bad, Crestron!
I haven't torn apart my 770 (and can't tear apart my borrowed one) to try UART yet, and I actually have no idea where the UART traces are.
Next steps are going to be to see if UART gives us root, or whether ADB trickery can get us a root shell. Although, I'm not sure what we'd really need a root shell for anymore…
UPDATE: Android is reporting that the bootloader is unlocked! Not sure why or how, but hey, I'll take it.
UPDATE 2: Some board shots of the 770. Now to try to find UART.
UPDATE 3: I've probed every contact on the bottom side of the board and couldn't find a UART. This isn't really my skillset, but it seems odd. There should be one per `boot.img`:
```
console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0
```
Ooh! Cool to see progress on serial access on the 770.
I suspect the circled pins might be UART. I'm not super experienced with hardware level debugging, but in my experience with networking equipment, UART headers are often laid out in a straight line like in your photo. I'm not certain if Crestron follows the same layout but it's certainly a possibility. Any chance you might be able to provide a close up of the chip adjacent to those pins? I'll crack open one of my 770s and see if I can get serial access with those pins.
I thought it was too, but no luck when I tried it.
Now, it's very possible that my puny 24MHz logic analyzer and assumption about 115200 baud are incorrect, but I did try every pad and none of them gave me what looked like a sane UART stream.
The chip next to it (and the same one below) only has the markings `64 6` on it. I've reassembled my 770 in the meantime to poke at its software, so I can't easily grab photos at the moment. I'll do so again once I have it open again - alongside photos under the copper shield - I just need to wait for a cheap Amazon rework station to show up and replace my broken cheap Amazon rework station.
I've been digging through the firmware files for the xx60 unit and discovered that it includes a built in file explorer and the Miracast app preinstalled. It looks like the device is running a modified DroidLogic Android build. Plugging in a USB drive with APKs was easy, but sideloading apps is disabled by default on this 760. Has anyone found the Settings app? I was able to easily launch it on the 770 unit but this 760 is not being so nice…
Miracast: APPMODE com.droidlogic.miracast
File Browser: APPMODE com.droidlogic.FileBrower
`com.android.settings` was a bust on my 1060, but other apps do work - assuming you have any other apps. I managed to get it to launch `com.android.development`, but it would really depend on what apps you have.
I suspect if you get ADB (run `adbd` from the serial console), you'd be able to do an `adb install` and launch something else though.
Is the web performance any better in the newer firmware? I notice with bigger dashboards there is slight lag when changing pages and opening menus. I might consider updating one of my panels if there is actually a benefit in daily use.
There are some mosaic quality pictures of under the shield in the FCC listing internal photos
I ordered a few so I'll poke around whenever they arrive in a week
Haven't really tested performance, but I have noticed that the adaptive brightness is significantly better. The approach-to-wake thing also is nice, but might be a bit gimmick-y depending on use case. The screen is also just higher resolution.
I don't have a 1070 installed outside of the bench, so I can't really say how good the performance is in real life conditions. It does seem faster, though really aggressive charts and all still take a while to load.
Shame though, I was hoping to avoid eBay competition for new tablets.
Much appreciated, this isn't my strong suit. Worst case, anyone looking to hack their devices can just stay on 2.x without too much pain I'd think.
It's also absolutely possible that these devices just don't have UART on them. It would be surprising, but not impossible. It'd be much more fun to find a proper exploit then.
I can't find any x60 series at the moment since I moved recently, but a friend has a dead SD unit. Can someone please send me an image of a x60 series internal SD card?
What format are you folks streaming video to these units? Have a TSW-760 and get nothing but green screens with the formats I try. webrtc, mse, hls, mp4, etc. FW 3.002.1061
Are you using the custom:webrtc card or picture glance?
UPDATE: I think it has to do with http camera streams vs. https camera streams. https seems to work, but not http. I don't get why though.
Alright while poking around on the xx70 board I didn't see anything that looked like the 3v3 UARTs that the previous versions of these had. I looked in the dtb file in the `boot.img` and saw the SOC in these is a `MSM8953 + PMI8950 QRD SKU3` (a Snapdragon 625). The datasheet for these says the UART is a 1.8V logic level, so in the interest of not blowing it up I will now be ordering yet another FT232H since all my debuggers only do 3v3.
Also, since the xx70 seems to use the built in android updater I wonder if we can use the unlocked firmware version to run that update command with a modified update package, maybe even a stock Android since this uses a Snapdragon SOC that was used in many phones.
I wonder if there's an onboard USB interface, perhaps? The USB stack on this device should be pretty straightforward since it recognizes USB flash drives and all. I did the lazy thing and tried using an A-to-A cable but didn't get anything - although I suppose that doesn't mean too much (or I did something wrong).
Given we at least have remote ADB through `APPMODE com.android.settings` (or via downgrade on firmwares < 3.0), we do at least have the ability to install and set any app on the xx70. Bodes well, though it's not full root. This is probably enough for almost all use cases, save for the "convert TSS to TSW" which will still need some privilege escalation somehow.
I did manage to discover an exploit where you can pass a setuid binary into userspace and actually execute it, but Android's built-in protections mean the typical way(s) of calling `su` don't really want to work it seems. Of course, Crestron services still run as root (!), so in theory a vulnerability in Crestron's code could let us escape. Shame they seem to do things mostly well nowadays.
Well it's not https or http that is the cause.
It's a couple things:
- Camera bitrate. Haven't quite figured out the settings, but while using picture-glance card it'll start then go green after 20s or so. The green has to do with variable bitrate I think.
- picture-glance vs. webrtc-camera card. Nothing webrtc-camera card works. Get weird option error. picture-glance works "somewhat", but not perfect. It is of course delayed as I don't run go2rtc via HA, but rather outside of HA.
This thing is kinda fun, but I'm likely to pass it on to the next person eventually as I don't see it meeting "all" my needs.
Are you able to try sideloading the HA APK on v3 over ADB and then setting the APPMODE to the HA app? I'd upgrade one of mine and try it but the v3 firmware continues to be elusive…
It does work, but it also needs to be hacked into place. `adb install` works basically as you'd expect, but you will then need to use `monkey` to launch Home Assistant once via `adb shell`:
```
TSW-x70bench:/ $ monkey --pct-syskeys 0 -p io.homeassistant.companion.android 1
```
Then:
```
TSW-770>APPMODE io.homeassistant.companion.android
Application mode is now enabled.
Please reboot to take in effect.
```
Note that if you don't launch the app organically, you get the cryptic error of `Failed to enable application mode`.
And sure enough, it launches. I've also gotten various terminal emulators and other random APKs to work just fine.
This is sweet, we might not even have to break into these, if we can just get our hands on the firmware!
Alright here is the xx70 UART
115200 baud
1v8 - IMPORTANT
and once again…
```
Crestron Touchpanel:/ $ whoami
shell
Crestron Touchpanel:/ $ su
Crestron Touchpanel:/ # whoami
root
```
wonderful.
`start adbd` works like previous, and I was able to `adb install` the HA app. Since this is real Android it seems that I am unable to remount `/` to edit system files and such, unfortunate.
Annoying that they put all the test pads on the wrong side of the board
Realistically the `2.004.1026` vuln will be way easier to use instead of tearing the thing open (unless newer v2 firmware is better in some way?), but at least we know root over UART is there.
Beautiful find! I swear I probed those pins, but I guess my logic analyzer wasn't sensitive enough to pick up 1V8. Ah well.
I am very curious to see `su` in the PATH, since I don't remember seeing that in the firmware files. Given we (should) have uBoot access though, that would still be good enough.
And yes, a downgrade to 2.004 would be a good idea for most cases (hint: they never deleted the files from the public firmware server), at least as long as we can actually do that. I don't think it's too bad to up/downgrade as required for a shell, though it would be cool to be able to toggle things without going through far too many steps.
I did independently confirm a second security vulnerability in 3.x (and possibly earlier versions) that allows root access without opening things up. I've reported this to Crestron since this does affect active hardware, but between that and the UART find, I suspect we'll be in good shape for as long as this hardware is still kicking. I'll try to convince my friend to let me pop open the 3.x 770 I have to play with the UART and confirm.
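The build and boot settings that come up in this thread (adbd refusing root on a production build, a bootloader that reports unlocked, a serial console named on the kernel command line) can be audited from saved `getprop` output and the boot image's command line. This is an added example, not code from any poster or from Crestron. The property names are standard Android ones whose presence on these panels is assumed, and the sample values are constructed.

```python
import re

# Constructed sample inputs (not captured from a real panel).
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
"""
# Kernel command line as quoted in the thread from boot.img.
SAMPLE_CMDLINE = "console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0"


def parse_getprop(text):
    """Parse `adb shell getprop` lines of the form `[key]: [value]`."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))


def parse_cmdline(cmdline):
    """Split a kernel command line into a {key: value} dict."""
    args = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        args[key] = value
    return args


def audit(getprop_text, cmdline):
    """Return a list of hardening findings for one device snapshot."""
    props = parse_getprop(getprop_text)
    args = parse_cmdline(cmdline)
    findings = []
    if props.get("ro.build.type") != "user" or props.get("ro.debuggable") == "1":
        findings.append("debuggable build: adbd may be allowed to run as root")
    if props.get("ro.adb.secure") != "1":
        findings.append("adb does not require host key authorization")
    unlocked = props.get("ro.boot.flash.locked") == "0"
    if unlocked or props.get("ro.boot.verifiedbootstate") == "orange":
        findings.append("bootloader reports unlocked")
    if "console" in args:
        dev, _, settings = args["console"].partition(",")
        findings.append(f"kernel serial console enabled on {dev} ({settings or 'default'})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, SAMPLE_CMDLINE):
        print("FINDING:", finding)
```
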