Recovery Console

The RecoveryConsole application is launched when booting into Recovery Mode and is used to restore the box to factory settings or to flash a new boxee.iso update image.

Tricking RecoveryConsole to flash a modified boxee.iso

Once you've obtained root, it's quite easy to trick the RecoveryConsole into flashing a modified boxee.iso signed with your own keys; it will, however, fail to boot due to Stage4Verifier. It might be possible to overwrite the NAND bootloader, but it's not something I've dared to try, as if it fails I know of no way to unbrick the box.

In short you first extract and mount the recovery_ramdisk:

dd if=/dev/spectra bs=1 skip=$((0x01200180)) | zcat > /mnt/your_sdcard_or_whatever/recovery_ramdisk
mkdir /mnt/recovery
mount /mnt/your_sdcard_or_whatever/recovery_ramdisk /mnt/recovery

The RecoveryConsole app is in "/mnt/recovery/opt/boxee/RecoveryConsole", if I recall correctly; however, to run it I need to run the init scripts in reverse order first and then run the recovery ramdisk's init scripts. This is probably due to different versions of the kernel modules and/or drivers in the booted ramdisk vs. the recovery ramdisk.

To run the init scripts in reverse order, shut down Boxee and rmmod the kernel modules:

/etc/rc3.d/V60graphics stop
/etc/rc3.d/V32sec stop
/etc/rc3.d/U99boxee stop
killall run_boxee.sh
killall Boxee
/etc/rc3.d/U98nmbd stop
/etc/rc3.d/U97smbd stop
/etc/rc3.d/U96pppd stop
/etc/rc3.d/U95thttpd stop
/etc/rc3.d/U95compcache stop
/etc/rc3.d/U94cifs stop
/etc/rc3.d/U94boxeehal stop
killall BoxeeHal
/etc/rc3.d/U93winbindd stop
/etc/rc3.d/U93urandom stop
/etc/rc3.d/U92systemd stop
#/etc/rc3.d/U92sd_card stop
/etc/rc3.d/U91oem stop
/etc/rc3.d/U91boxee_ota stop
/etc/rc3.d/U90boxee_v4l stop
/etc/rc3.d/U89dj_mount stop
/etc/rc3.d/U82afpfsd stop
/etc/rc3.d/U81avahi stop
/etc/rc3.d/U80dbus stop
/etc/rc3.d/U69boxee_vid stop
/etc/rc3.d/U58alsa_shim stop
/etc/rc3.d/U56alsa stop
/etc/rc3.d/U30smd stop
/etc/rc3.d/T52edl stop
/etc/rc3.d/T40hdmi stop
/etc/rc3.d/T28display stop
/etc/rc3.d/S26intel_ce_pm stop
/etc/rc3.d/S24clock_control stop
/etc/rc3.d/S22idl stop
/etc/rc3.d/S20sven stop
/etc/rc3.d/S18system_utils stop
/etc/rc3.d/S16platform_config stop
#/etc/rc3.d/S16boxee_wifi stop
/etc/rc3.d/S14pal stop
/etc/rc3.d/S13lircd stop
/etc/rc3.d/S12osal stop
/etc/rc3.d/S10devtools stop
/etc/rc3.d/S08kernel stop
#/etc/rc3.d/S04network stop
/etc/rc3.d/S02system_setup stop
/etc/rc3.d/44smd_avcap_shim stop
/etc/rc3.d/42avcap_core stop
/etc/rc3.d/36nandflash stop
/etc/rc3.d/34flashtool stop
sleep 2
rmmod pvrsrvkm
rmmod gdl_mm
rmmod intel_ce_pm
rmmod sec_kernel
rmmod clock_control
rmmod lirc_mceusb
rmmod lirc_dev
rmmod sven_linux
rmmod platform_config
rmmod idl_gpio
rmmod idl_i2c
rmmod pal_linux
rmmod osal_linux

You might want to check "ps" and "lsmod" here to make sure as little as possible is running.

Then to run the recovery console's scripts:

chroot /mnt/recovery
/etc/rc3.d/34flashtool start
/etc/rc3.d/S02system_setup start
/etc/rc3.d/S08kernel start
/etc/rc3.d/S10devtools start
/etc/rc3.d/S12osal start
/etc/rc3.d/S14pal start
/etc/rc3.d/S16platform_config start
/etc/rc3.d/S18system_utils start
/etc/rc3.d/S20sven start
/etc/rc3.d/S22idl start
/etc/rc3.d/S24clock_control start
/etc/rc3.d/S26intel_ce_pm start
/etc/rc3.d/S36nandflash start
/etc/rc3.d/T28display start
/etc/rc3.d/T40hdmi start
/etc/rc3.d/T52edl start
/etc/rc3.d/U30smd start
/etc/rc3.d/U56alsa start
/etc/rc3.d/U58alsa_shim start
/etc/rc3.d/U91oem start
/etc/rc3.d/U92sd_card start
/etc/rc3.d/U92systemd start
/etc/rc3.d/U99boxee_recovery start
/etc/rc3.d/V32sec start
/etc/rc3.d/V60graphics start

The recovery console should now be displaying.

Now here's the trick:

mount -o bind /tmp/mnt/your_sdcard_or_whatever/publickey.pem  /opt/boxee/publickey.pem

In other words, we replace the real publickey.pem that the recovery console uses to verify the integrity of the files in boxee.iso with our own. This works because the recovery console loads its trust anchor from that path on the filesystem at run time rather than pinning it, so a bind mount over the path is enough to make it accept signatures made with our key.

This publickey.pem is created as:

openssl genrsa -out privatekey.pem 1024
openssl rsa -in privatekey.pem -pubout -out publickey.pem

You'll need to create a new .sign file for each file in boxee.iso via "openssl dgst -sha256 -sign privatekey.pem -out signatures/filename.sign filename", keeping the same signatures/ directory layout. Put your hacked boxee.iso in the root of your SD card or USB drive.
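As an added example (not code from the page or from the Boxee firmware), here is a verifier in the shape of the "Verifying file ... signature ...: OK" loop shown in the output below, with the one check that would defeat the bind-mount trick: the public key's SHA-256 fingerprint is compared against a pinned value before the key is trusted. The pinned fingerprint is passed as a parameter here purely for the demo; a real verifier would hardcode it in read-only storage. All file names and the "vendor"/"substituted" key names are constructed for the demo.

```shell
#!/bin/sh
# Added example: signature verification over an ISO directory with a pinned key.
# Uses the page's own openssl commands for signing; the pin check is the addition.

# verify_iso_dir DIR PUBKEY PINNED_FP: returns 0 only if PUBKEY's SHA-256
# fingerprint equals PINNED_FP and every file in DIR has a valid DIR/signatures/<name>.sign.
verify_iso_dir() {
    dir=$1; pubkey=$2; pinned=$3
    actual=$(openssl dgst -sha256 "$pubkey" | awk '{print $NF}')
    if [ "$actual" != "$pinned" ]; then
        echo "public key fingerprint $actual does not match pinned value: refusing" >&2
        return 1
    fi
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sig="$dir/signatures/$(basename "$f").sign"
        if [ -f "$sig" ] && openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$f" >/dev/null 2>&1; then
            echo "Verifying file $f signature $sig: OK"
        else
            echo "Verifying file $f signature $sig: FAILED"; status=1
        fi
    done
    return $status
}

# make_demo_iso WORKDIR: constructed stand-in for the ISO contents, signed with a
# "vendor" key; also creates an unrelated "substituted" key. Prints the vendor fingerprint.
make_demo_iso() {
    w=$1
    mkdir -p "$w/iso/signatures"
    printf 'constructed kernel image\n' > "$w/iso/kernel.1"
    printf 'echo preflight\n' > "$w/iso/preflight.sh"
    for k in vendor substituted; do
        openssl genrsa -out "$w/${k}_priv.pem" 2048 2>/dev/null
        openssl rsa -in "$w/${k}_priv.pem" -pubout -out "$w/${k}_pub.pem" 2>/dev/null
    done
    for f in "$w"/iso/*; do
        [ -f "$f" ] || continue
        openssl dgst -sha256 -sign "$w/vendor_priv.pem" -out "$w/iso/signatures/$(basename "$f").sign" "$f"
    done
    openssl dgst -sha256 "$w/vendor_pub.pem" | awk '{print $NF}'
}

# Demo: the vendor key is accepted; the substituted key is rejected by the pin.
W=$(mktemp -d)
FP=$(make_demo_iso "$W")
verify_iso_dir "$W/iso" "$W/vendor_pub.pem" "$FP" && echo "vendor key: accepted"
verify_iso_dir "$W/iso" "$W/substituted_pub.pem" "$FP" || echo "substituted key: rejected"
```

The demo generates 2048-bit keys; the 1024-bit RSA used on the page is below current minimum key-size recommendations. Without the pin, the verifier above accepts any key at the publickey.pem path, which is exactly what the bind mount exploits.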

Once you select Upgrade from USB storage in the recovery console the output in your telnet window should be something like:

 Checking signatures
 Verifying file /tmp/upgrade_iso//dlink_bootup.bmp signature /tmp/upgrade_iso//signatures/dlink_bootup.bmp.sign: OK
 Verifying file /tmp/upgrade_iso//kernel.1 signature /tmp/upgrade_iso//signatures/kernel.1.sign: OK
 Verifying file /tmp/upgrade_iso//kernel.2 signature /tmp/upgrade_iso//signatures/kernel.2.sign: OK
 Verifying file /tmp/upgrade_iso//libhid.so signature /tmp/upgrade_iso//signatures/libhid.so.sign: OK
 Verifying file /tmp/upgrade_iso//libhid.so.0 signature /tmp/upgrade_iso//signatures/libhid.so.0.sign: OK
 Verifying file /tmp/upgrade_iso//libhid.so.0.0.0 signature /tmp/upgrade_iso//signatures/libhid.so.0.0.0.sign: OK
 Verifying file /tmp/upgrade_iso//manifest.xml signature /tmp/upgrade_iso//signatures/manifest.xml.sign: OK
#  Verifying file /tmp/upgrade_iso//normal.img signature /tmp/upgrade_iso//signatures/normal.img.sign: OK
 Verifying file /tmp/upgrade_iso//nrf6901_110208_00_15.hex signature /tmp/upgrade_iso//signatures/nrf6901_110208_00_15.hex.sign: OK
 Verifying file /tmp/upgrade_iso//postinstall.sh signature /tmp/upgrade_iso//signatures/postinstall.sh.sign: OK
 Verifying file /tmp/upgrade_iso//preflight.sh signature /tmp/upgrade_iso//signatures/preflight.sh.sign: OK
 Verifying file /tmp/upgrade_iso//rf_update.sh signature /tmp/upgrade_iso//signatures/rf_update.sh.sign: OK
 Verifying file /tmp/upgrade_iso//run-time.sig signature /tmp/upgrade_iso//signatures/run-time.sig.sign: OK
 Verifying file /tmp/upgrade_iso//testhid signature /tmp/upgrade_iso//signatures/testhid.sign: OK
 Verifying file /tmp/upgrade_iso//usbfwupgrade signature /tmp/upgrade_iso//signatures/usbfwupgrade.sign: OK
 /tmp/upgrade_iso/preflight.sh
 /opt/local/bin/upgrade_flag r 1
 Succeded
 Programming /tmp/upgrade_iso//normal.img to /dev/Glob_Spectraa1:  SUCCESS
 Programming /tmp/upgrade_iso//../kernel.img to /dev/spectra:  SUCCESS
 Programming /tmp/upgrade_iso//dlink_bootup.bmp to /dev/spectra:  SUCCESS
 Programming /tmp/upgrade_iso//run-time.sig to /dev/spectra:  SUCCESS
 /tmp/upgrade_iso/postinstall.sh
 umount /tmp/upgrade_iso/
 mountpoint /tmp/upgrade_iso/
 rm -rf /tmp/upgrade_iso/
 /opt/local/bin/upgrade_flag r 0
 /opt/local/bin/upgrade_flag u 0
 Sync
 Succeded
Connection closed by foreign host.

Sometimes the "Programming xxx to xxx" step fails, but it succeeded once I selected Upgrade from USB again.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License