Close

Day1: exploring ...

A project log for Tsukuyomi

Hacking Lunii

dan kszdan ksz 09/23/2019 at 15:483 Comments

I started the project by just exploring the Lunii box physically and connect it to a Linux workstation. so I noticed the following:

1. When the box usb is plugged into a linux system, lsusb and dmesg gives :

$ lsusb
...
Bus 001 Device 016: ID 0c45:6820 Microdia
...

And a media storage is also appearing:

$ dmesg | tail -30

$ dmesg | tail -30
...
667105.143680] usb 1-2: new high-speed USB device number 17 using xhci_hcd
[667105.616668] usb 1-2: New USB device found, idVendor=0c45, idProduct=6820
[667105.616671] usb 1-2: New USB device strings: Mfr=0, Product=1, SerialNumber=1
[667105.616674] usb 1-2: Product: USB2.0 DSP
[667105.616676] usb 1-2: SerialNumber: USB2.0 DSP
[667105.618045] usb-storage 1-2:1.0: USB Mass Storage device detected
[667105.618551] scsi host4: usb-storage 1-2:1.0
[667106.628045] scsi 4:0:0:0: Direct-Access     SONiX    SNC7001A USBDisk 0.01 PQ: 0 ANSI: 0 CCS
[667106.628239] sd 4:0:0:0: Attached scsi generic sg3 type 0
[667106.628770] sd 4:0:0:0: [sdd] 20480 512-byte logical blocks: (10.5 MB/10.0 MiB)
[667106.629015] sd 4:0:0:0: [sdd] Write Protect is off
[667106.629016] sd 4:0:0:0: [sdd] Mode Sense: 03 00 00 00
[667106.629268] sd 4:0:0:0: [sdd] No Caching mode page found
[667106.629270] sd 4:0:0:0: [sdd] Assuming drive cache: write through
[667106.634987]  sdd:
[667106.636788] sd 4:0:0:0: [sdd] Attached SCSI removable disk

2. After unboxing Lunii, the chipset/SoC appears to be an obscure Chinese chip called Sonix. But unfortunately the exact part number cannot be read. It was maybe intentionally obfuscated.



Thanks to dmesg (see above) we know that the SoC is a Sonix SNC7001A. And a datasheet can be found here: here

3. In the PCB we can identify an SDCard (surrounded in red in picture below). But it seems to be soldered to the PCB, because it's not eject-able.

We can also identify a 10pts connector (surrounded in green in picture below) that I hope it can handle signals to UART and SWD.


====
Next Steps

  1. Extract the SDCARD and analyze its content
  2. Hook a digital analyzer on the 10pts connector to probe UART.
  3. Read the datasheet.

Discussions

Bousselham Anas wrote 10/03/2019 at 07:42 point

Thanks for this hack, excited for the next steps ;)

  Are you sure? yes | no

dan ksz wrote 09/25/2019 at 17:07 point

@Ken Yap thanks, I was not aware of the follow option (-w)

  Are you sure? yes | no

Ken Yap wrote 09/24/2019 at 12:56 point

Tip: You can follow the kernel log entries with:

dmesg -T -w

You don't even have to keep running dmesg and tail, the output will follow appends.

  Are you sure? yes | no