project:kernellab:start

Differences

This shows you the differences between two versions of the page.

project:kernellab:start [2019/08/21 16:42] – [Challanges] ctxz
project:kernellab:start [2020/02/29 17:33] – old revision restored (2019/10/23 20:52) maxfx
Line 1: Line 1:
  
-{{template>:project:infobox | name=KernelLAB | image=freebsd.jpg?200| sw=BSD| hw=BSD| founder= [[user:maxfx]]| interested=[[user:ruza]]\\ [[user:malanius]]\\ [[user:rainbof]]\\ [[user:ray]]\\ [[user:foonix]] \\ [[user:ctxz]] \\ [[user:corgi]] status=active }}+{{template>:project:infobox | name=KernelLAB | image=freebsd.jpg?200| sw=BSD| hw=BSD| status=suspend| founder= [[user:maxfx]]| interested=[[user:ctxz]]\\ [[user:ruza]]\\ [[user:malanius]]\\ [[user:rainbof]]\\ [[user:ray]]\\ [[user:corgi]\\ [[user:foonix]] }}
  
 ~~META: ~~META:
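Review bot: the new infobox line contains a malformed link, `[[user:corgi]\\`, which has one closing bracket where every other entry has two, so it will not be parsed as a user link. Change it to `[[user:corgi]]\\`. Moving `status=` ahead of `founder=` with its own `|` separator does repair the old line, where `status=active` followed `[[user:corgi]]` with no `|` in between.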
Line 7: Line 7:
 ~~ ~~
 ======= The KernelLAB ======= ======= The KernelLAB =======
- 
-===== Goals and ideas of this project ===== 
  
 * **A Lab for everyone to participate in** * **A Lab for everyone to participate in**
Line 52: Line 50:
 ==== How we hacked the device ==== ==== How we hacked the device ====
 {{ :project:kernellab:img_20190815_221602.jpg?400|}} {{ :project:kernellab:img_20190815_221602.jpg?400|}}
 +
 After countless odd attempts to enter the UEFI menu (such as attaching an external keyboard and pressing a bunch of F- keys), we believed that we had to replace the Android bootloader ([[https://firmware.intel.com/blog/linux-efi-boot-stub | Intel Boot Stub]]) with a standard UEFI Linux bootloader, such as Grub, or a universal bootloader, such as U-Boot. This would be a very difficult and risky process, since tampering with the bootloader can easily result in a hard-brick. At around this point we also popped open the device and searched for a UART header, which we found, yet never ended up being able to obtain data from. After some research we have quickly realised that the "easiest" way to port U-Boot onto an android device is to flash it as a boot image, so that it is chainloaded by the android bootloader. For this to be possible, we also had to root the device in order to obtain valuable information. Fast forwards and we found a somewhat working version of TWRP which booted on our device, but refused to expose the ADB shell and failed to mount certain partitions. After countless odd attempts to enter the UEFI menu (such as attaching an external keyboard and pressing a bunch of F- keys), we believed that we had to replace the Android bootloader ([[https://firmware.intel.com/blog/linux-efi-boot-stub | Intel Boot Stub]]) with a standard UEFI Linux bootloader, such as Grub, or a universal bootloader, such as U-Boot. This would be a very difficult and risky process, since tampering with the bootloader can easily result in a hard-brick. At around this point we also popped open the device and searched for a UART header, which we found, yet never ended up being able to obtain data from. After some research we have quickly realised that the "easiest" way to port U-Boot onto an android device is to flash it as a boot image, so that it is chainloaded by the android bootloader. For this to be possible, we also had to root the device in order to obtain valuable information. 
Fast forwards and we found a somewhat working version of TWRP which booted on our device, but refused to expose the ADB shell and failed to mount certain partitions.
  
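Review bot: the break inserted before "Fast forwards and we found ..." is a single newline, which DokuWiki joins into the preceding paragraph, so the split has no effect on the rendered page; put an empty line between the two if a new paragraph is intended. While the paragraph is being touched, "Fast forwards" should read "Fast forward", and "android" should be capitalised to match "Android bootloader" earlier in the same paragraph. The TWRP build mentioned here should also be identified by version or source, since a later step asks readers to flash it.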
Line 91: Line 90:
  
 We accidentally discovered that you can boot into the hidden UEFI settings by attempting to boot into a boot- or recovery image in the DnX fastboot mode. We accidentally discovered that you can boot into the hidden UEFI settings by attempting to boot into a boot- or recovery image in the DnX fastboot mode.
 +
 +{{ :project:kernellab:img-20190720-wa000000000.jpeg?400|}}
  
 ==== Steps to enter the UEFI settings on your MEDION P10356 ==== ==== Steps to enter the UEFI settings on your MEDION P10356 ====
  
   - Reboot into fastboot mode   - Reboot into fastboot mode
-  - Flash the following TWRP image: <INSERT LINK HERE>+  - Flash the following TWRP image: https://drive.google.com/open?id=1-GK9W-l42V035VrPbPEhUm4ypoYzC8Bw
   - Boot into TWRP   - Boot into TWRP
   - Reboot into fastboot mode once again, this time the tablet will boot into Intel DNX fastbot mode   - Reboot into fastboot mode once again, this time the tablet will boot into Intel DNX fastbot mode
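Review bot: step 2 now sends readers to a Google Drive share for a recovery image they are told to flash, and the line gives no checksum, version or origin for that file. State which TWRP build it is and where it came from, publish a SHA-256 next to the link, and preferably attach the image to the wiki so that the file cannot change independently of the page history. In the unchanged step that follows, "fastbot" is a typo, and "DNX" does not match the "DnX" spelling used in the paragraph above the steps.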
Line 104: Line 105:
 ==== Restoring the UEFI Firmware ==== ==== Restoring the UEFI Firmware ====
 {{ :project:kernellab:img_20190815_221322_1.jpg?400|}} {{ :project:kernellab:img_20190815_221322_1.jpg?400|}}
-While we attempted to install FreeBSD, OpenBSD, Linux onto the tablet we had accidentally disabled the internal graphics card within the UEFI settings (this comes from the fact that users should not even be able to access the UEFI settings). Unfortunately, after that we were no longer able to change UEFI settings back, as the display was now simply blank. Out of desperate hope, we dumped the UEFI ROM from SPI chip, and attempted to re-enable the internal GPU by altering the UEFI binary. Thankfully, this was not necessary, as we found a stock UEFI binary in the MEDION P10356 recovery package that can be obtained from here <INSERT LINK HERE> (<INSERT BINARY NAME HERE>). After flashing the UEFI binary from the recovery package via SPI, the display worked again. 
  
-===== Welcome to router - 10% =====+While we attempted to install FreeBSD, OpenBSD and Linux onto the tablet we had accidentally disabled the internal graphics card within the UEFI settings (this comes from the fact that users should not even be able to access the UEFI settings). Unfortunately, after that we were no longer able to change UEFI settings back, as the display was now simply blank. Out of desperate hope, we dumped the UEFI ROM from SPI chip, and attempted to re-enable the internal GPU by altering the UEFI binary. Thankfully, this was not necessary after we found a stock UEFI binary in the MEDION P10356 recovery package that can be obtained from [[https://www.medion.com/de/servicebackend/_lightbox/software_details.php?did=16956 | here]] (look for ifwi.bin). After flashing the UEFI binary from the recovery package via SPI using a RPi, the UEFI settings were reset and the display worked again. 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 +===== Project - Welcome to router - 10% =====
  
 ==== Goals and ideas of this project ==== ==== Goals and ideas of this project ====
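Review bot: the rewritten paragraph tells readers to take `ifwi.bin` from the vendor recovery package and write it over SPI, but it gives no checksum or package version for that file, and it does not say to keep the ROM dump taken earlier as a rollback copy or to read the chip back and compare it after writing. Add those, and name the flashing tool used with the RPi so the step can be repeated. The nine empty lines added before the heading look like leftover spacing and can be dropped.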
Line 112: Line 122:
  
  * I am preparing talk to taklnight  * I am preparing talk to taklnight
 +