Hacking the 2.0 Hub.

31 posts in this topic

On 1/27/2019 at 12:12 AM, kruftindustries said:

Looks like the reset pin is between the AM3352 and the UART header, circled in your original image. I wasn't able to get it to boot via UART though

8A3zSKw.jpg

20190126_233050.jpg

Is there any way you can pull off the JW999 and take a photo?

I would like to see if there is a way to read this chip on board without removing it.


I also found something interesting from QMotion. Their new Qzhub is a jilia hub and their user guide provides the following information:

Follow these instructions to update the firmware.

1. Download the firmware and copy it to a USB flash drive formatted to FAT32 (recommended 4 GB size).

2. Create a folder named “jiliaupdate” in the root drive of the USB.

3. Place the downloaded firmware in the jiliaupdate folder (will be a .bin file).

4. Power off the hub and insert the USB drive into one of the USB ports.

5. Power up the hub and allow 10 minutes for the hub to update the firmware.

6. Remove USB device.

 

QMotionQzHub-User_Guide-Updated.pdf


I was investigating using a USB SD card reader and the 6 vias next to the eMMC to read out the memory. I haven't got the multimeter after the MMC pins under the BGA yet though; some other things came up.

Considering @thegillion's experience of debug output while connecting a USB thumbdrive, the same update detect script is probably running on the Iris hub also.

On 2/16/2019 at 11:15 AM, clarkabrank said:

I also found something interesting from QMotion. Their new Qzhub is a jilia hub and their user guide provides the following information:

Follow these instructions to update the firmware.

1. Download the firmware and copy it to a USB flash drive formatted to FAT32 (recommended 4 GB size).

2. Create a folder named “jiliaupdate” in the root drive of the USB.

3. Place the downloaded firmware in the jiliaupdate folder (will be a .bin file).

4. Power off the hub and insert the USB drive into one of the USB ports.

5. Power up the hub and allow 10 minutes for the hub to update the firmware.

6. Remove USB device.

 

QMotionQzHub-User_Guide-Updated.pdf

Here is what happened when I did the steps.

Poky (Yocto Project Reference Distro) 2.1.2 LWP-1002 /dev/ttyO0

LWP-1002 login: 8
U-Boot SPL 2013.10 (Jul 27 2015 - 13:27:27)
reading args
spl: error reading image args, err - -1
reading u-boot.img
reading u-boot.img
omap-sham 53100000.sham: initialization failed.
omap_voltage_late_init: Voltage driver support not added
INIT: version 2.88 booting
Starting udev
sh: 19700101000004: unknown operand
Setting up needed gpios...
Done with gpio setup
Setup buzzer pwm
Done with pwm setup
mfg: clean, 23/4096 files, 678/16368 blocks
Manufacturing partition is clean
phy[lan8710]: Disabling Auto-MDIX support
libphy: PHY 4a101000.mdio:01 not found
net eth0: phy 4a101000.mdio:01 not found on slave 1
Flash size:  1920991232
data: clean, 219/88176 files, 37652/352252 blocks
Data partition is clean
Current Timestamp:
kernel.panic = 3
kernel.panic_on_oops = 1
Starting ifplugd:  eth0
Setting up 4G dongle support...
Setting up Hub Agent...
INIT: Entering runlevel: 5
Configuring network interfaces... done.
Initializing Dropbear SSH server: dropbear.
Starting syslogd/klogd: done
Starting crond: OK

Poky (Yocto Project Reference Distro) 2.1.2 LWP-1002 /dev/ttyO0

LWP-1002 login: irisagentd[636]: No agent debug configuration is present.
irisagentd[636]: Starting hub agent...

 

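The console capture in the post above can be turned into an inventory for a device security review. This is an added example, not part of the original thread; the names `RULES`, `inventory` and `access_paths` are hypothetical, and the sample input is a set of lines excerpted from that capture.

```python
import re
from collections import defaultdict

# Lines excerpted from the console capture posted above.
SAMPLE_LOG = """\
LWP-1002 login: 8
U-Boot SPL 2013.10 (Jul 27 2015 - 13:27:27)
spl: error reading image args, err - -1
omap-sham 53100000.sham: initialization failed.
kernel.panic = 3
kernel.panic_on_oops = 1
Initializing Dropbear SSH server: dropbear.
Poky (Yocto Project Reference Distro) 2.1.2 LWP-1002 /dev/ttyO0
LWP-1002 login: irisagentd[636]: No agent debug configuration is present.
irisagentd[636]: Starting hub agent...
"""

# Hypothetical rule set. search() is used because serial output interleaves:
# a daemon message can share a line with the getty login prompt.
RULES = [
    ("bootloader", re.compile(r"U-Boot SPL (\S+) \((\w+ \d+ \d{4})")),
    ("distro", re.compile(r"Poky \(Yocto Project Reference Distro\) (\S+) (\S+) (/dev/\S+)")),
    ("console_login", re.compile(r"^(\S+) login:")),
    ("ssh_server", re.compile(r"Initializing (\w+) SSH server")),
    ("sysctl", re.compile(r"^(kernel\.\w+) = (\S+)")),
    ("daemon", re.compile(r"\b(\w+)\[(\d+)\]: ")),
    ("init_error", re.compile(r"(.*(?:initialization failed|error reading).*)")),
]

def inventory(log_text):
    """Return {category: [captured groups, ...]}, duplicates dropped."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        for category, pattern in RULES:
            m = pattern.search(line.strip())
            if m and m.groups() not in found[category]:
                found[category].append(m.groups())
    return dict(found)

def access_paths(inv):
    """List the login surfaces the log reveals, for a review checklist."""
    paths = [f"serial getty on {tty} ({host})" for _, host, tty in inv.get("distro", [])]
    paths += [f"{name} SSH server started at boot" for (name,) in inv.get("ssh_server", [])]
    return paths

if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for category, hits in inv.items():
        print(category, hits)
    print(access_paths(inv))
```

The banner line is the stock Poky `/etc/issue` format, so the second and third captured fields are the hostname and the terminal the getty is attached to.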

922f7c0f793d88e18738d09e69b825da.jpg

Here’s a good internal pic. Some things I’ve noted:

S2 looks like a SMT bank for four switches.

J6 is likely the serial header.

J5 looks almost like an ICSP header, but smaller.

There’s a dozen test points around the board.




The hub keys have been posted, and it’s pretty easy to get root on the hub and update it - on the software side we should be able to do a lot - I don’t think there’s any platform level code signing in place.
