• Allowing Access to the Phone's Hardware

    The Sycorax, 6 days ago, 0 comments

    [Continued from previous log entry]

    Having Debian running on the phone was good and all, but to do anything useful with it I first had to set it up so that I could install software packages and give it access to the phone's hardware. The first step was to give Debian access to the phone's hardware devices. This can be done by using the "mknod" command, which is mainly used to create the character and block devices that populate /dev/.

                                                                          

    Accessing the Display

    I wanted to first give Debian access to the Linux Framebuffer device (/dev/fb0) which is what drives the phone's LCD display. To do that I issued the following command:

    mknod /dev/fb0 c 29 0

    I then used "ls /dev" just to make sure that fb0 was added to /dev/, which it was (pictured below).

    The next step was to test the framebuffer device in order to see if Debian can actually make use of it and display some form of graphics. I did this by issuing the following command:

    cat /dev/urandom > /dev/fb0

    The command will basically write random pixels to the phone's display as pictured below.

    To clear the display I used the command:

    cat /dev/zero > /dev/fb0

                                                                      

    Accessing User Input

    Now that Debian was able to access the framebuffer and display graphics to the screen, I then wanted to get user input working by giving it access to the phone's keypad (/dev/input/event0). So I first created the input directory at /dev/ with the command "mkdir /dev/input/". I then issued the following command to add "event0" to /dev/input/.     

    mknod /dev/input/event0 c 13 64

    As I previously did with /dev/fb0, I checked to make sure that event0 had been successfully added to /dev/input/ (pictured below).

    I then tested to make sure that input on the keypad was working properly. I did this by issuing the following command:

    cat /dev/input/event0 | hexdump

    This command will basically output a hexdump of the data received from the phone's keypad as I press down on its keys.

    *To return to the shell use Ctrl+C.
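    The hexdump above is a stream of fixed-size Linux "struct input_event" records. The following is an added example, not code from the original log, that decodes such a stream into key presses and releases; it assumes the 16-byte record layout of a 32-bit little-endian kernel, and the sample bytes and key code are constructed rather than captured from the phone.

```python
import struct
import sys

# struct input_event as laid out by a 32-bit little-endian kernel (assumed here
# for the armel phone): struct timeval {long tv_sec; long tv_usec;} followed by
# __u16 type, __u16 code, __s32 value -> 16 bytes per record.
EVENT_32 = struct.Struct("<llHHi")
# 64-bit kernels use 8-byte longs, giving 24-byte records.
EVENT_64 = struct.Struct("<qqHHi")

EV_SYN, EV_KEY = 0x00, 0x01          # event types from linux/input.h
KEY_STATES = {0: "release", 1: "press", 2: "autorepeat"}


def decode_events(raw, layout=EVENT_32):
    """Split raw bytes from /dev/input/eventN into decoded records.

    A trailing partial record (short read) is dropped rather than guessed at.
    """
    usable = len(raw) - (len(raw) % layout.size)
    events = []
    for offset in range(0, usable, layout.size):
        sec, usec, etype, code, value = layout.unpack_from(raw, offset)
        events.append({"time": sec + usec / 1e6, "type": etype,
                       "code": code, "value": value})
    return events


def key_events(events):
    """Return (key code, state) pairs for EV_KEY records only."""
    return [(e["code"], KEY_STATES.get(e["value"], "unknown"))
            for e in events if e["type"] == EV_KEY]


# Constructed sample (not captured from the phone): key code 2 is pressed and
# released, each followed by an EV_SYN marker, then 3 bytes of a cut-off record.
SAMPLE = b"".join([
    EVENT_32.pack(100, 250000, EV_KEY, 2, 1),
    EVENT_32.pack(100, 250010, EV_SYN, 0, 0),
    EVENT_32.pack(100, 400000, EV_KEY, 2, 0),
    EVENT_32.pack(100, 400010, EV_SYN, 0, 0),
]) + b"\x01\x02\x03"


if __name__ == "__main__":
    # With a path argument, decode a capture saved from the device, e.g. one
    # made with: cat /dev/input/event0 > keys.bin  (hypothetical file name)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for code, state in key_events(decode_events(data)):
        print(f"key code {code}: {state}")
```

    If the decoded types and codes look like noise, the capture probably came from a kernel with the 24-byte layout; pass EVENT_64 as the layout instead.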

    What's Next?

    Now that Debian has access to these two main hardware devices, the next thing that I wanted to do is to download and install software on the phone.

    [To be continued in next log entry...]

  • Successfully Running Debian on the Phone

    The Sycorax, 6 days ago, 0 comments

    Just a little update before I begin this log entry. This is for anyone that wants to hack their own ACN Iris 3000 but finds my log entries too detailed or confusing. I will be making a simple step-by-step tutorial for everything soon. Hopefully within the next week or two I should have something ready, so stay tuned!

    [Continued from previous log entry]

    After getting the RootFS for Debian Squeeze on the SD card, I inserted it into the ACN Iris 3000, turned it on, and logged into it through SSH (explained in my 2nd log entry). Once logged in, I could now use a set of commands to switch over to the new RootFS. 

    As mentioned in one of my previous log entries, the user AUTUIN made a blog post in 2013 on his personal site specifically for his "Phonetendo" project. In the comment section of the blog post he provides the set of commands necessary for switching over the internal RootFS to the new one. The commands that AUTUIN provided are as follows:

    killall mx27
    killall acn
    killall dropbear
    mount /proc /mnt/sd/proc -t proc
    mount /sys /mnt/sd/sys -t sysfs
    /sbin/pivot_root /mnt/sd /mnt/sd/mnt/mtd
    cd /etc/init.d
    ./ssh start
    exec /bin/bash

    The first two commands were not needed because there are no running processes called "mx27" or "acn". The third command is also not needed because it kills the phone's SSH service and would disconnect me from it. I also had to use the command "mkdir /mnt/sd/mnt/mtd" because pivot_root needs a directory in the new RootFS where it can place the old RootFS. The location that AUTUIN provided is /mnt/sd/mnt/mtd, and it was not present on the new RootFS of my SD card. After doing that, I issued the commands one by one, leaving out the first three. After issuing the commands I was greeted with a new bash shell and was able to use the ACN Iris 3000 as if it were running a complete standard version of Debian, giving it a multitude of commands and features which it did not originally have.

    Just a side note: every time the ACN Iris 3000 is turned on after being powered off, it will switch back to its internal RootFS. That means that I would have to manually switch over to the new one every time I log into it. So I decided to somewhat automate the process by adding the aforementioned commands to a script which I could then run after logging into the phone through SSH. As mentioned, the first three commands are not needed and therefore I did not add them to the script.

    This script, titled "fs-script", can be downloaded from the Files section of this project. It can then be copied from a USB drive or an SD card to the ACN Iris 3000 using the "cp" command, and executed using the command "sh ./fs-script". To execute the script properly you must be in the directory where it was copied to.

    In any case, I think it's fair to say that I have fully unlocked the potential of my ACN Iris 3000. The next step was to configure the Debian RootFS to install and run software packages, load kernel modules and drivers if needed, and to also give it access to hardware devices (e.g. /dev/fb0, /dev/input/event0, etc.).

    [To be continued in next log entry...]

  • Transferring the Root Filesystem to an SD Card

    The Sycorax, 12/31/2020 at 03:39, 0 comments

    [Continued from previous log entry]

    To get the virtual partitions within the QCOW2 image transferred to the SD card I went back to the second tutorial that I found, which I've mentioned in one of my previous log entries. That tutorial, however, did not provide the appropriate information for transferring a QCOW2 image to an SD card. It only provides a way to convert a QCOW image to a raw format image, use kpartx to mount the partitions within the image, and then use rsync to transfer the mounted partitions to a USB stick. This would work in theory, but it is very inefficient and time consuming, so I decided not to go this route. I had to find other options.

    Doing more research, I found a Stack Exchange question that was posted by a user in 2011 which has to do with transferring a QCOW2 image to a physical drive. The solution provided in the post was enough information for me to successfully do the same thing. The following command is the solution for the user's question. 

    qemu-img convert -f qcow2 -O raw my-qcow2.img /dev/sdb

    Just like in the second tutorial that I found, this solution uses the qemu-img command but with different arguments that allow for the direct transfer of QCOW2 virtual partitions and data to physical media. I altered the command arguments to include the QCOW2 image for the RootFS and the storage device where I wanted it to be transferred to. I included the -p argument in order to view the progress of the transfer. The final command is as follows:

    sudo qemu-img convert -p -f qcow2 -O raw debian_squeeze_armel_standard.qcow2 /dev/sdb 
    
    

    Before running the command I used Gparted to unformat the SD card with unallocated space just to make sure that I had a clean slate before proceeding and to avoid any potential errors. I did not test whether this was needed though. For anyone wondering, tutorials on how to unformat drives using Gparted can be easily found using Google.

    I ran the command and the transfer of the compressed QCOW2 image began. The transfer took about 30 minutes. When it was complete I saw that the SD card was mounted properly and had the entire RootFS of Debian Squeeze on it. Out of curiosity I went back into Gparted and saw that not only was the Root partition transferred but also two additional SWAP partitions, along with the respective file system formats of each partition. This was great, and meant that I could now load the SD card into an ACN Iris 3000 and switch over its internal RootFS to the new one.

    [To be continued in next log entry...]

  • A New Hope: Obtaining Debian Squeeze

    The Sycorax, 12/23/2020 at 23:49, 0 comments

    [Continued from previous log entry]

    As I continued my research, I discovered that the website which explains how to install Debian on an emulated ARM machine (the one that AUTUIN added to his Blogspot article) includes a link to an archive where I could download pre-installed QCOW2 images of Debian Squeeze and run them in QEMU. This was just what I needed and was the only feasible option that I could find for obtaining Debian with a kernel version that was as close to the ACN Iris 3000's as possible. So I decided to go along with it.

    The archive includes two versions of Debian Squeeze: the standard version and the desktop version. The standard version is just a basic command line interface, while the desktop version is a fully fledged GUI. I decided to download the standard version for performance and compatibility purposes. The files that I downloaded from the archive were the kernel image (vmlinuz-2.6.32-5-versatile), the initrd image (initrd.img-2.6.32-5-versatile), and the RootFS image (debian_squeeze_armel_standard.qcow2). I had to make sure that everything would run properly in QEMU. Thankfully enough, the page for the archive includes the commands for doing just that. The Linux command to run the aforementioned files in QEMU is as follows:

    qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append "root=/dev/sda1"

    Upon running the command, a QEMU window appeared and Debian Squeeze began to load up. Within a minute or so I was able to log in by typing "root" as the username and password. Now that I knew that Debian Squeeze could run properly in QEMU, the next step was getting the virtual partition within the QCOW2 image of the RootFS transferred to a physical SD card. At this point I was no longer working with a QCOW image but rather a QCOW2 image which is basically an updated version of the QCOW format. This didn't matter much because both types can be transferred to physical media in the same fashion. 

    However, before I did that I needed to know the exact size of the partition within the QCOW2 image so I could determine how much space the SD card should have. This is because QCOW2 images use compression and are read by QEMU in a decompressed manner. The compressed file size of a QCOW2 image does not equate to the actual size of its partitions if decompressed or transferred to physical media. In fact it is multitudes larger.

    So while I was still booted into Debian Squeeze I used the command fdisk -l to determine how big the partition within the QCOW2 image actually is, and found that it is nearly 88 times larger than its initial compressed size of 305.9 MB, equating to 26.8 GB if decompressed or transferred to physical media. Now that I knew how big the partition would be when transferred, I decided to use a 32 GB SD card. At this point I no longer had to use QEMU.
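    The size that the image occupies once written out is also recorded in the QCOW2 file header, so it can be checked against the target card before any write to the device. The following is an added example, not code from the original log: it parses the leading header fields and compares the virtual size with a card size. The sample header is constructed, with a byte count chosen to approximate the 26.8 GB figure above, and the card sizes are illustrative.

```python
import struct
import sys

QCOW2_MAGIC = 0x514649FB  # the bytes "QFI\xfb"
# Leading QCOW2 header fields, all big-endian:
# magic (u32), version (u32), backing_file_offset (u64),
# backing_file_size (u32), cluster_bits (u32), size (u64)
HEADER = struct.Struct(">IIQIIQ")  # 32 bytes


class NotQcow2(ValueError):
    """Raised when the data does not start with a usable QCOW2 header."""


def parse_qcow2_header(data):
    """Return version, cluster size and virtual disk size from header bytes."""
    if len(data) < HEADER.size:
        raise NotQcow2("file is shorter than a QCOW2 header")
    magic, version, backing_off, _backing_len, cluster_bits, size = \
        HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        raise NotQcow2("bad magic: not a QCOW2 image")
    if version not in (2, 3):
        raise NotQcow2("unsupported QCOW2 version %d" % version)
    return {
        "version": version,
        "cluster_size": 1 << cluster_bits,
        "virtual_size": size,               # bytes needed on the target device
        "has_backing_file": backing_off != 0,
    }


def fits_on(virtual_size, device_bytes):
    """True if a raw copy of the image fits on a device of device_bytes."""
    return virtual_size <= device_bytes


def check_image(path, device_bytes):
    """Read only the header of the image at path and test it against a card."""
    with open(path, "rb") as fh:
        info = parse_qcow2_header(fh.read(HEADER.size))
    info["fits"] = fits_on(info["virtual_size"], device_bytes)
    return info


# Constructed header: version 2, 64 KiB clusters, no backing file,
# virtual size of 26,800,000,000 bytes (illustrative, not read from the image).
SAMPLE_HEADER = HEADER.pack(QCOW2_MAGIC, 2, 0, 0, 16, 26_800_000_000)

if __name__ == "__main__":
    card = 32_000_000_000  # nominal 32 GB card; real capacity is a bit lower
    if len(sys.argv) > 1:
        print(check_image(sys.argv[1], card))
    else:
        info = parse_qcow2_header(SAMPLE_HEADER)
        print(info, "fits on card:", fits_on(info["virtual_size"], card))
```

    The same virtual size is reported by "qemu-img info"; comparing it with the size of the target device before running "qemu-img convert" also helps confirm that /dev/sdb really is the SD card and not another disk.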

    [To be continued in next log entry...]


  • Doing More Research

    The Sycorax, 12/17/2020 at 21:36, 0 comments

    [Continued from previous log entry]

    After gaining a root shell on the phone, I then had to find out how to get Debian Linux to run on it. So I did more research and discovered that AUTUIN has his own personal blog which is dedicated to his various electronics projects, but it has not been active since 2018. On his blog site he made a post in 2013 specifically for his "Phonetendo" project. Just like in his Blogspot article, he did not explain the step-by-step process that he took for loading the RootFS of Debian on an SD card; however, in the comment section of the post he provides the specific commands needed for switching over the internal RootFS of the ACN Iris 3000 to it. This saved me a lot of time because without the commands I probably would have had to do even more research.

    Having the commands needed for switching over the internal RootFS was great; however, I needed to first figure out how to get the RootFS of Debian on an SD card. So I went back to AUTUIN's Blogspot article. In the section titled "A Better Operating System", AUTUIN included a link which includes steps similar to the ones he used for doing that. I went to the link and it brought me to a website that explains how to install Debian Etch to a QCOW image using QEMU. This was a big step forward because, from what I understand, QCOW images are typically used by QEMU as virtual hard drives. They can be converted into various formats, including raw format, which can then be transferred to a storage device such as an SD card. However, the URLs that the website provides for the Debian Etch kernel and installer are no longer hosted and can't be downloaded. This was quite the bottleneck, so I had to find another way of getting Debian installed in this fashion.

    Doing more research, I found a blog created in September 2015 by an unknown user who successfully got Debian Linux running on the ACN Iris 3000. They provide a step-by-step tutorial for installing Debian Squeeze to a QCOW image, which as I said can then be converted into a raw format and then transferred to an SD card. Unlike the previous website, this one provides the URLs for the Debian Squeeze installer and kernel, which are still hosted and can be downloaded.

    By following this new step-by-step tutorial I was able to successfully get the Debian Squeeze Installer running in QEMU. However, it is not an offline installer. It needs a way to download all of the necessary files in order to install Debian Squeeze on the QCOW image, which, by the way, it sees as just a regular disk drive. All of the files needed to install Debian in this fashion are usually downloaded from a single server/mirror that is included in a list of many, and must be chosen by the user in the installation menu. The problem is that Debian Squeeze is much too old, and is not supported anymore. Because of this, the files that are necessary to install it are no longer hosted on any of the servers/mirrors that are listed in the installer. Therefore I was not able to install Debian in this manner.

    A newer version of Debian can be installed this way, but its RootFS will not be able to run on the ACN Iris 3000 because the phone's kernel is too old. The kernel version for Debian has to be as close to the kernel version of the ACN Iris 3000 as possible. The ACN Iris 3000 uses the kernel version 2.6.22.6. Therefore the only possible option is to use Debian Squeeze, which has a kernel version of 2.6.32.5, because anything newer uses kernel version 3.2 or above.

    [To be continued in next log entry...]


  • Gaining a Root Shell on the Device

    The Sycorax, 12/11/2020 at 20:51, 0 comments

    [Continued from previous log entry]

    While scouring through the forum thread that AUTUIN provided in his Blogspot article, I found a lot of information and resources for gaining full access to the ACN Iris 3000. The forum thread is pretty long so I'm not going to go into too much detail on it. However, by reading through the thread, it seems that at one point the ACN Iris 3000 had a pretty active but small community of people who were dedicated to tinkering around with it. Unfortunately it seems that there hasn't been much activity since 2017, with only a few posts from users since then.

    As I read through the thread I discovered that the user Joshoa was one of the main contributors of information, resources, and methods for gaining a root shell on the device. One of the methods he provides is a way to update the flash storage of the phone by using an SD card loaded with some files that he put together. I decided to use that method because it seemed to be the easiest one.

    As discussion on the thread went on, Joshoa would provide updated versions of his SD card method. All versions of it can be found at this archive: https://www.techidiots.net/notes/iris-3000/downloads. The archive also includes an in-depth PDF titled "Tinkering with Iris-3000 aka CU776" which provides a wealth of information, much more than what the forum thread provides in my opinion. So it became the main resource that I used for gaining a root shell on the phone.

    By following the steps outlined in the PDF, everything for the most part was a simple and straightforward process. I downloaded Joshoa's sd-upgrade-v-02.zip and extracted the files from it. I then formatted an SD card to FAT32 and copied the extracted files to it. After I did that I inserted the SD card into the phone, turned the phone on, and watched as the update process took place. Once the update was complete I turned off the phone, ejected the SD card, then turned the phone back on again. According to the PDF, once the phone is updated and booted up I should then be able to log in through SSH and gain a root shell to the phone.

    By using Windows PowerShell I was able to use the following command so that I could log into the phone through SSH.

    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -t root@192.168.2.110 -p 7022

    *Replace the IP Address with the one for your ACN Iris 3000.*

    After successfully logging into the device using the password "1234" I was greeted with a low level, bare bones Linux shell, lacking many of the advanced features that you would usually find in a standard Linux OS. Despite this, I was able to have a lot of control over the internals of the device.

    Now that I had full access to the phone, the next step was to do what the user AUTUIN did by getting Debian Linux running on it.

    [To be continued in next log entry...]

  • Where do we begin?

    The Sycorax, 12/11/2020 at 18:51, 0 comments

    Like I said in the description of this project, I had bought an ACN Iris 3000 for $10 at a thrift shop. I had bought it in January of 2020 because around that time I was into re-purposing consumer electronics to take full advantage of their hardware and software capabilities. Assuming that the device ran on some form of Linux, and that it could be accessed through conventional means, I decided to turn it into a full-on project. My assumption was right, and I found out that this device not only runs Linux but that it can also be accessed very easily.

    A simple Google search of "ACN iris 300 hack" led me to a Hackaday article published in November of 2012 about a project called "Phonetendo" by someone who goes by the username "AUTUIN". The Hackaday article outlines how AUTUIN was able to telnet into a root shell on the ACN Iris 3000, gaining complete access to its internal Linux operating system. The article further goes on to explain that AUTUIN was then able to load the RootFS of Debian Linux to an SD card, insert it into the SD card slot of their ACN Iris 3000, and then use the "pivot_root" command to switch over from the internal RootFS to the SD card loaded with the new one. According to the article, AUTUIN then developed a small game that can be played on the device using the new RootFS. For those who don't know, RootFS means Root Filesystem.

    The Hackaday article then led me to a Blogspot article, published by AUTUIN, which gives great detail on his project, including the information that he was able to find out about the ACN Iris 3000 regarding its hardware and software capabilities, and how he used that as a means to completely reverse engineer the device. This article was a very important resource for what I wanted to do; however, more research was needed because the article does not explain the step-by-step process that AUTUIN took for loading the RootFS of Debian Linux to an SD card, nor does it include the commands needed for switching over the internal OS of the ACN Iris 3000 to it.

    As a side note, the Blogspot site which his article is published on has not seen activity since 2014 and is not owned by AUTUIN but rather by a non-profit community organization called Free Geek Vancouver. I know this has nothing to do with my project but they're a pretty cool organization with principles based on Free and Open Source Software, Reducing Environmental Impact of E-waste, and Transparent Consensus-Based Organization. Here's a link to their website if you want to check them out: https://www.freegeekvancouver.org/

    Aside from all of that, I still needed to gain a root shell in order to access the device. Luckily AUTUIN provided a link in his Blogspot article to a forum thread which provides a wealth of information for doing just that.

    [To be continued in next log entry...]