Fully automated rooting script

Posted: Fri Mar 09, 2018 4:19 pm
by martenjacobs
Hi everyone,

Over the last few days I've been busy working on a Python application that will automate the rooting process of Toon from a Raspberry Pi.
It supports rooting using just the serial port on Toons with U-Boot versions with a known password, and will use JTAG on any other Toon.

If you want to check it out, it's on GitHub.

Cheers,
Marten

Re: Fully automated rooting script

Posted: Fri Mar 09, 2018 5:07 pm
by michel30
that is beautiful :)
Especially for new users :)

Re: Fully automated rooting script

Posted: Sat Mar 10, 2018 12:04 pm
by Toonz
That would be nice.....

Re: Fully automated rooting script

Posted: Sat Mar 10, 2018 10:13 pm
by martenjacobs
I’ve tried the script on the one Toon I have on my workbench at the moment and that works very well. I’d like some feedback if anyone has tried it out.

Re: Fully automated rooting script

Posted: Sun Mar 11, 2018 3:01 pm
by TheHogNL
I'm about to get a 2nd Toon myself for testing purposes. I'll use your script when I have the Toon. Hopefully somewhere this week.

Re: Fully automated rooting script

Posted: Thu Mar 15, 2018 3:53 pm
by Fietspomp
Used your script for a second-hand Toon, works perfectly!
Toon was firmware version 3.7.8 I believe (updated immediately after rooting :-) ).
Toon has U-Boot version 2010.09-R10

Only thing was I couldn't enter via SSH after finishing script, no idea why (What password does your script set)?
So I entered serial console, used "passwd", checked if everything was ok and rebooted, this worked.

Re: Fully automated rooting script

Posted: Fri Mar 16, 2018 11:58 am
by Fietspomp
Just rooted another Toon with it, had uboot R8, password worked.
Script works as it should, only thing I do extra is add latest busybox to payload and use flag to skip removal of payload, enter serial console and install latest busybox.
After this I change passwd and that's it.

Re: Fully automated rooting script

Posted: Sat Mar 17, 2018 8:13 pm
by martenjacobs
Hi Fietspomp,

I didn't add a package with a different version of busybox to the package because I feel it's more of a risk if it fails than the current process (possibly bricking the Toon), I may add it in the future as an option. I'm open to a pull request :D

The script does not set the password for the root user, but simply uses or creates a public key pair that you'll be able to use with your SSH client. If you're unfamiliar with public key authentication through SSH, you may want to read this.

The private key is written to the file name supplied with the --output-ssh-key flag (defaults to id_rsa in the current directory) and the public key is saved next to it with a .pub suffix. The public key is also added to the payload and is put in /root/.ssh/authorized_keys so it's accepted as an access key for the root user. On most unices, you can then connect to the Toon using

Code:

ssh -i id_rsa root@<TOON IP ADDRESS>

If you saved the private key without encryption (the default) you can then connect without a password.
I haven't been able to convert the key created by the script to a ppk file yet (the format which is used by PuTTY). I recommend that, until a better way comes along, PuTTY users create a public key pair with PuTTYGen, save the public key to a file, and use the --ssh-public-key flag to transfer this file to the Toon.

Please let me know if you have any questions!

Cheers,
Marten

Re: Fully automated rooting script

Posted: Mon Mar 19, 2018 11:06 am
by Fietspomp
I tried logging in using SSH but I couldn't convert the key using PuttyGen, so I just used the busybox passwd option :)

Thanks for the great work, I'm not sure if the newer version of busybox is mandatory so indeed why not leave it out.

Re: Fully automated rooting script

Posted: Mon Mar 19, 2018 11:16 am
by marcelr
Fietspomp wrote: I'm not sure if the newer version of busybox is mandatory so indeed why not leave it out.

The standard busybox blocks serial access. The later version of busybox (1.27.2-r4), retains all features of busybox 1.18.3 and 1.27.2 combined.

Re: Fully automated rooting script

Posted: Wed Mar 21, 2018 8:58 pm
by Martin101010
Marten,

I'm trying to use your script, but got stuck on the dependencies. I get:

Code:

cc -Wall  -I. -g -O2 -fno-unwind-tables -fno-asynchronous-unwind-tables  -rdynamic  -o jimsh jimsh.o initjimsh.o libjim.a -ldl
jimsh.o: file not recognized: File truncated
collect2: error: ld returned 1 exit status
Makefile:52: recipe for target 'jimsh' failed
make[2]: *** [jimsh] Error 1
make[2]: Leaving directory '/home/pi/openocd/jimtcl'
Makefile:3782: recipe for target 'install-recursive' failed
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory '/home/pi/openocd'
Makefile:4081: recipe for target 'install' failed
make: *** [install] Error 2
pi@raspberrypi3:~/openocd $

What is it that I'm missing?

Update: removed the dir and did it again. No errors anymore :-)

Re: Fully automated rooting script

Posted: Wed Mar 21, 2018 9:04 pm
by martenjacobs
Martin101010 wrote: Marten,

I'm trying to use your script, but got stuck on the dependencies. I get:

(...)

What is it that I'm missing?

Hi Martin,

Which OS are you using? I tested the instructions on a clean raspbian stretch light install.

Marten

Re: Fully automated rooting script

Posted: Wed Mar 21, 2018 9:06 pm
by martenjacobs
marcelr wrote:
Fietspomp wrote: I'm not sure if the newer version of busybox is mandatory so indeed why not leave it out.
The standard busybox blocks serial access. The later version of busybox (1.27.2-r4), retains all features of busybox 1.18.3 and 1.27.2 combined.

I think most users don't need serial access after enabling SSH access.

Re: Fully automated rooting script

Posted: Wed Mar 21, 2018 9:36 pm
by marcelr
Hi @martenjacobs,

Just had a quick peek at your scripts. I would strongly suggest to add the latest busybox (1.27.2-r4) and its two modules to the initial install. If for whatever reason the installation of dropbear fails, you're quite lost. Furthermore, one wrong update and the ssh access is cut off. The serial port can then serve as a last resort to access a toon. Furthermore, there's no harm done in adding busybox, it's fully compatible with quby's version (it only has a few extra features added to it). Then of course, you will also need to patch /etc/inittab to add the getty.

Anyway, nice job.

Re: Fully automated rooting script

Posted: Wed Mar 21, 2018 11:11 pm
by martenjacobs
marcelr wrote: Hi @martenjacobs,

Just had a quick peek at your scripts. I would strongly suggest to add the latest busybox (1.27.2-r4) and its two modules to the initial install. If for whatever reason the installation of dropbear fails, you're quite lost. Furthermore, one wrong update and the ssh access is cut off. The serial port can then serve as a last resort to access a toon. Furthermore, there's no harm done in adding busybox, it's fully compatible with quby's version (it only has a few extra features added to it). Then of course, you will also need to patch /etc/inittab to add the getty.

Anyway, nice job.

Hi Marcel,

I think upgrading busybox could be added as an option. The reason I'm reluctant to do it by default is that busybox is quite an important part of the OS, and if the install borks for some reason (could be power loss, or maybe a newer firmware version breaks something, I don't know) it could brick the Toon. From what I've read, this has already happened to a number of users. The current process is designed to change as little as possible but only give the user SSH access and let them take it from there. If dropbear installation fails, you could simply use the script with the '--boot-only' or '--dont-reboot-after' flag to boot into the serial console and take it from there with minicom.

FWIW, my Toon is running the latest firmware with stock busybox. I rooted it with my script and haven't had any cause to upgrade busybox.

However, I should add that I made a cable that connects RPi's serial and JTAG to the Toon in one go (see attached picture). I can see why for most users it would be easier to be able to 'rescue' the Toon without having to connect JTAG as well.

Regards,
Marten