So good news there is a micro USB port and boot mode jumpers to be able to get the hub into SDP mode.
[4215213.643950] usb 3-4.4.2: new high-speed USB device number 8 using ehci-pci [4215213.753446] usb 3-4.4.2: New USB device found, idVendor=15a2, idProduct=007d, bcdDevice= 0.01 [4215213.753448] usb 3-4.4.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [4215213.753450] usb 3-4.4.2: Product: SP Blank 6UL [4215213.753451] usb 3-4.4.2: Manufacturer: Freescale SemiConductor Inc [4215213.906618] hidraw: raw HID events driver (C) Jiri Kosina [4215213.924124] usbcore: registered new interface driver usbhid [4215213.924126] usbhid: USB HID core driver [4215213.986475] hid-generic 0003:15A2:007D.0001: hiddev0,hidraw0: USB HID v1.10 Device [Freescale SemiConductor Inc SP Blank 6UL ] on usb-0000:00:16.2-4.4.2/input0
For this you’ll need a couple of parts
J8 is the micro USB plug https://www.digikey.ca/en/products/detail/molex/1051330011/4356675
R703 and R704 are 10K 0402 resistors
With all of those populated the board will power from the micro USB slot. To put it into SDP mode short R709 while applying power.
Thanks for this. I’ll be trying to replicate this, hopefully will be able to use snagboot or uuu to interact with the chip, and pull a copy of the flash off. Can you tell me how you were able to figure out which resistors to bridge to choose the SDP boot?
I’ve been reviewing the latest firmware of the V1 Hub, and concluded that it appears to be fairly similar to the V2 (the localcontrol app is even common to the Relay). If so, and it is possible to write to the /database partition somehow, it should be possible to get code exec by injecting into the flash_get function call in platform.sh, where it does:
eval “$1=`cat /database/$2`”
i.e. have the file contain “a;$(reboot)”, for example.
Obviously, having to solder a micro-USB connector onto the board makes this inccessible to the majority of users, but once code exec is obtained, it should be possible to explore the firmware further to find other openings.
My experience with IMX6/7/8 led my to believe there would be boot mode jumpers on the board. Finding unpopulated jumpers next to a micro USB header all but confirmed that.
Makes sense! And the FCCID.IO pictures were a dead giveaway in that case! The other thing is that the D+ and D- lines are brought out to reasonably sized test pads, so using pogo pins would also be an option, if I can find a way to write to the /database partition.
So, I was able to get into SDP mode by adding the mentioned 10k resistors and booting with R709 bridged. Unfortunately, it appears to be protected by the HAB settings.
“`
parse .//mx6_usb_work.conf
Trying to open device vid=0x15a2 pid=0x007d
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename /home/rogan/spl-imx6-mmc.bin
load_size 0 bytes
load_addr 0x00000000
dcd 1
clear_dcd 0
plug 1
jump_mode 3
jump_addr 0x00000000
== end work item
No DCD table
loading binary file(/home/rogan/spl-imx6-mmc.bin) to 00907400, skip=0, fsize=cc00 type=aa
<<>>
succeeded (security 0x12343412, status 0x88888888)
jumping to 0x00907400
failed (security 0x12343412, status 0x33220a00)
“`
I tried booting a custom u-boot over SDP and it didn’t work. I assumed it was the HAB. Thanks for confirming it.
I just confirmed that you can access SDP via UART, and have no need to do the finicky soldering of 0402 resistors and microUSB connectors. Just ground one of the NAND pins while applying 12V power, boot ROM will fail to recognise the flash, or at least, will fail to verify U-Boot, and you can now use SDP over UART.