Modifying the Xiaoai Speaker Pro to start SSH automatically at boot

Log in to the system over the TTL serial console, then start SSH
mico login: root
Password:


BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
root@mico:~# dropbearkey -t rsa -f /data/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtEcuiRqr+8GcaQVWUYbnw6AresOdhQ6bdig0FvLPn                             
blvMEeBcKWZDO/kMjGcpNGn719zB8P92wr41LqHM+IP20a9IAbAv03ex+vEVAgz3dpRAlQ7R5ciHg89b                             
6J0pYOgwP3H5Q3t0YWrEOykmUHFQXpx7d/qQLTPIoj4gZVdrXu408Qw3i3f3RkLATbY+41oxnw6yhKDR                             
77ZIMwN/8czxftVXPotMA4VOWFMVlgrvT7HpyZcwhArfnlKYZdCdozmk3nw/zpWxePhiHK/Qodcwh64M                             
FxrSCEoVlfRAvxOq86O2PztbQ5003DBfuwGVv4tu2ZnvXxTz+3WUDFw3j7Ef root@mico
Fingerprint: md5 38:2b:0e:0b:f2:be:b9:39:e0:02:4d:31:5e:af:c9:5a
root@mico:~# dropbear -r /data/dropbear_rsa_host_key
root@mico:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:90551 (88.4 KiB)  TX bytes:90551 (88.4 KiB)

wlan0     Link encap:Ethernet  HWaddr EC:41:18:6D:1C:03
          inet addr:192.168.1.145  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ee41:18ff:fe6d:1c03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222324 (217.1 KiB)  TX bytes:106862 (104.3 KiB)
 
 
 
The writable /data partition does not have enough free space, so part of RAM has to be mounted as working space
root@mico:/data# mkdir backup
root@mico:/data# mount -t tmpfs -o size=50m tmpfs /data/backup/
root@mico:/data# cd /data/backup
root@mico:/data/backup# dd if=/dev/mtdblock4 of=/data/backup/m4.img
81920+0 records in
81920+0 records out
 
 
 
Copy the file back with WinSCP. For some reason I could not connect to the Xiaoai speaker with WinSCP, so I ended up using SCP to send it to another Linux host
root@mico:/data/backup# scp m4.img snowwolf725@192.168.1.5:m4.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
snowwolf725@192.168.1.5's password:
m4.img                                                                                                                       100%   40MB 650.2KB/s   01:03
 
 
 
On the Linux host, check the image's filesystem information; it will be needed later
snowwolf725@Chin:~$ unsquashfs -s m4.img
Found a valid SQUASHFS 4:0 superblock on m4.img.
Creation or last append time Mon Oct 14 11:17:13 2019
Filesystem size 31654.99 Kbytes (30.91 Mbytes)
Compression xz
xz: error reading stored compressor options from filesystem!
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always-use-fragments option is not specified
Xattrs are not stored
Duplicates are removed
Number of fragments 127
Number of inodes 1798
Number of ids 1
 
 
 
Unpack the image
root@Chin:~# unsquashfs -dest tochang m4.img
Parallel unsquashfs: Using 8 processors
1699 inodes (2067 blocks) to write

[============================================================================================================================================/] 2067/2067 100%

created 1124 files
created 99 directories
created 574 symlinks
created 1 devices
created 0 fifos
 
 
 
Edit /etc/rc.local to add /data/init.sh
root@Chin:~# cd tochang/etc/
root@Chin:~/tochang/etc# vi rc.local
 
 
 
/etc/rc.local after the change:
root@Chin:~/tochang/etc# cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/data/init.sh
exit 0
 
 
 
Disable automatic upgrades
root@Chin:~/tochang/etc# cd crontabs/
root@Chin:~/tochang/etc/crontabs# vi root
root@Chin:~/tochang/etc/crontabs# cat root
*/5 * * * * /usr/sbin/easy_logcut size
* * * * * /usr/sbin/network_probe.sh
32 4 * * * /usr/sbin/pns refresh
*/10 * * * * /usr/bin/check_mediaplayer_status
#* 3 * * * /bin/ota slient  # check ota
 
 
 
Repack the img. Set the parameters according to the information checked earlier; yours may differ from mine
root@Chin:~/tochang/etc/crontabs# cd
root@Chin:~# mksquashfs tochang m4_crack.img -b 131072 -comp xz -no-xattrs
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on m4_crack.img, block size 131072.
[============================================================================================================================================|] 1492/1492 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, no xattrs
        duplicates are removed
Filesystem size 32675.51 Kbytes (31.91 Mbytes)
        48.51% of uncompressed filesystem size (67353.17 Kbytes)
Inode table size 16562 bytes (16.17 Kbytes)
        25.16% of uncompressed inode table size (65831 bytes)
Directory table size 18414 bytes (17.98 Kbytes)
        45.32% of uncompressed directory table size (40632 bytes)
Number of duplicate files found 46
Number of inodes 1798
Number of files 1124
Number of fragments 127
Number of symbolic links  574
Number of device nodes 1
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 99
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)
 
 
On the Xiaoai speaker, delete m4.img and copy the modified m4_crack.img back
root@mico:/data/backup# rm m4.img
root@mico:/data/backup# scp snowwolf725@192.168.1.5:m4_crack.img m4_crack.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
snowwolf725@192.168.1.5's password:
m4_crack.img                                                                                                                 100%   32MB 573.3KB/s   00:57
 
 
 
Then write the modified img back to the partition and set mtdblock4 as the boot partition
root@mico:/data/backup# dd if=m4_crack.img of=/dev/mtdblock4
65352+0 records in
65352+0 records out
root@mico:/data/backup# /usr/bin/fw_env -s boot_part boot0
[ubootenv] update_bootenv_varible name [boot_part]: value [boot0]
[ubootenv] Save ubootenv to /dev/nand_env succeed!
 
 
 
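Also remember to put the command that starts SSH into /data/init.sh, and finally reboot the speaker to verify that the modification worked.
If it worked, the speaker starts SSH by default after boot, and there is no need to connect over TTL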
root@mico:/data/backup# vi /data/init.sh
root@mico:/data/backup# cat /data/init.sh
dropbear -r /data/dropbear_rsa_host_key
root@mico:/data# chmod a+x init.sh
root@mico:/data/backup# reboot
 
 
 
To switch the boot partition: if the current one is mtdblock4,
run /usr/bin/fw_env -s boot_part boot1 and then reboot to boot from mtdblock5;
if the current one is mtdblock5, run /usr/bin/fw_env -s boot_part boot0 and then reboot to boot from mtdblock4