Another interesting fact is that pulling the ChipSelect pin on the NAND flash high during boot causes the boot loader to loop. This is interesting as U-Boot appears to be held on the flash, meaning there could be a vector into dumping the ROM, modifying it and flashing it back, or reversing out any U-Boot passwords etc.
I’ve ordered a few more bits to try and remove the NAND Flash from the board without killing anything and getting a dump of the contents. I’m going to try and fit a socket to the board as well so I can quickly swap in storage chips to hopefully speed up debugging.
Well, reading the flash was a bit fussy, but after some hot air and a ZIF socket here’s a dump of the firmware for those interested: 50.5 MB file on MEGA
I’ve got more flash chips on the way, so hopefully it’s time to crack this image open and start investigating. Next stop, binwalk!
Update 20250605:
Minor update: I’ve obtained two more remotes. I’ve managed to dump the flash from these in-board by using a better quality probe and some precautions around introducing errant noise.
I’m still poking around in firmware when I have time. I’ll probably move further discussion to the thread linked above to address the common elements around figuring out how the passwords are generated etc. Getting to a stage where some sort of shell is available to anyone without having to have specialized tools is probably the first thing to address.
You guys are awesome. Great to see progress on this one! I gave up much earlier in the process unfortunately, but will follow this thread for new updates. All the best.
Just as a “Keep alive” for anyone interested I haven’t forgotten this, it’s just that my hardware is mostly out of commission due to some construction work. Once I get that out of the way I’ll get back to this.
Unfortunately nothing substantial. I’ve had a go at the dumped ROM with Binwalk and Binwalk V3, and getting the squashfs to extract nicely wasn’t happening. I haven’t had much time to look at it since my last attempts. If anyone reading wants to have a crack at this, one of the dumps is linked above. I still have this on my to-do list, but my focus has had to be elsewhere for the minute.
Update 20251103: following the above, I had another quick look at this and I made an obvious error and did not account for OOB; the following script takes care of that:

    import sys

    if len(sys.argv) != 3:
        print("Usage: python strip_oob.py input.bin output.bin")
        sys.exit(1)

    input_file = sys.argv[1]
    output_file = sys.argv[2]

    # Raw NAND dumps interleave each data page with its spare (OOB) area;
    # these are the geometry values for this chip.
    page_size = 2048
    oob_size = 128

    with open(input_file, 'rb') as f_in, open(output_file, 'wb') as f_out:
        while True:
            page = f_in.read(page_size)
            if not page:
                break
            f_out.write(page)        # keep the data page
            f_in.seek(oob_size, 1)   # skip the OOB bytes that follow it
This now makes binwalk happy. I’ve also created the following script to unpack the MTDs as per the live running file system:
These can now be directly manipulated as there is a mix of formats involved.
I’ve also managed to find an SDK for the SoC, AnyCloud37E_SDK_V1.08, which includes the various tools for burning system images and building the firmware. It looks like the boot loader could be manipulated too, although I’ve not tried anything extensive. I still need to solder a ZIF socket to my original remote before I try anything drastic. My thinking is a replacement modified operating system is possible.
The initial challenge of getting the masses ‘root’ on the device still remains the first objective. There are several approaches, but as with all things, I need more time in my day. As ever, any help welcome.
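As an added example (not the script from the post above), here is a variant of the OOB stripper that first checks the dump length against the assumed page/OOB geometry, so a wrong guess fails loudly instead of quietly producing a misaligned image that binwalk rejects. The 2048/128 geometry is the one from the post; the other candidate pairs and the script name are assumptions for illustration.

```python
import sys

# Candidate NAND geometries as (page_size, oob_size). 2048/128 is the pair
# used in the thread; the others are assumed common values for illustration.
CANDIDATE_GEOMETRIES = [(2048, 64), (2048, 128), (4096, 224), (4096, 256)]


def strip_oob(raw: bytes, page_size: int = 2048, oob_size: int = 128) -> bytes:
    """Return the data pages of a raw NAND dump with the OOB/spare bytes removed."""
    stride = page_size + oob_size
    if len(raw) % stride:
        # A raw dump must be a whole number of (page + OOB) records; anything
        # else means the geometry is wrong or the dump is truncated.
        raise ValueError(
            f"dump length {len(raw)} is not a multiple of {stride} "
            f"(page {page_size} + OOB {oob_size}); check geometry or dump"
        )
    out = bytearray()
    for off in range(0, len(raw), stride):
        out += raw[off:off + page_size]  # keep the data page, drop the spare area
    return bytes(out)


def guess_geometries(raw_len: int) -> list:
    """List candidate (page, oob) pairs whose record size divides the dump length."""
    return [(p, o) for p, o in CANDIDATE_GEOMETRIES if raw_len % (p + o) == 0]


def main(argv):
    if len(argv) != 3:
        print("Usage: python strip_oob_checked.py input.bin output.bin")
        return 1
    with open(argv[1], "rb") as f:
        raw = f.read()
    print("geometries consistent with dump size:", guess_geometries(len(raw)))
    with open(argv[2], "wb") as f:
        f.write(strip_oob(raw))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If more than one geometry divides the dump size, the list only narrows the choice; the data page at offset 0 still needs to be eyeballed (or run through binwalk) to confirm.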