I am glad you are looking into all of this. Perhaps you'll find something new.

Since the earliest firmware, Seagate has been encrypting their video firmware, audio firmware and the kernel.

With the latest firmware Seagate encrypted their Resource directory and the root filesystem.

They also changed the rescue kernel, and perhaps settings and/or portions of the Realtek Rom Monitor (a significantly cut down, modified YAMON Rom Monitor). That's what's happening with the bootloader.tar section.

What this means is that from here on out, there's three principle hopes for getting into firmware 1.55 flashed fat+:

1. Some breakthrough on the serial cable connection. As of now, the serial console remains locked to input, meaning that while you can "watch" the serial console, you cannot enter any commands there.
2. Someone reverses the stock password from the /etc/passwd file: $1$CYIUjf8S$qmFTebTkQEEyoRreGEq4S . Here's the entire line for good measure: root:$1$CYIUjf8S$qmFTebTkQEEyoRreGEq4S/:0:0:root::/bin/sh .
3. Someone tricks fw 1.55 into accepting a new firmware update- by altering the configuration.xml file, swapping out the install_a, etc., AND/OR utilizing some liveupdate url based workaround to accomplish the same.

The most hopeful one is the last, based on the fact that two people mentioned downgrading from fw 1.55 by way the liveupdate url- one was a brand new person who seemed otherwise rather competent, but as he/she was new and never returned, there's some question about which firmware was actually downgraded from... who can say what the precise details were there. The other came a member who'd shown that he knew he was way around the fat+ and other devices. Presumably he knew what he was talking about when he said he downgraded from fw 1.55, but as he firmly stated he wouldn't share details on it, that is apparently that.

Anyway, hope you have some luck. Oh, you might try your luck at some other forums, other eyes on the problems you know.

-wig_out

I apologize for editing my post this morning before I noticed that you replied. I changed the direction of it completely away from modding 1.55 to backflashing from it to 1.45.

Been working with the unyaffs application and opening up the img files in Playdude's last mod release.

I'm trying to find the ".sh" (shell script) file that executes the flash.

Does anyone know where this file is located or how the flashing mechanism works as a command?

I suspect that it executes from the installed firmware on the device unless the cold method is executed, then it executes off the image file on the USB.

But in order to backflash I have to find the script file on the flash drive to change the command line to force it, otherwise by default it will detect and

not override the newer version on the device.

When I extracted the "yaffs2_1.img" file, I found a boot.img file located in /usr/local/firmware that I suspect contains the shell script I'm looking for.

Just looking to see if I can open that file.

Thanks,

Steve

You could find a lot of good background info over on: minimodding.com

Generally speaking, loader_a is the executable that starts the install process. It then hands things off to install_a from the firmware file, install.img which does most of the installation.

As for scripts, the configuration.xml file from the install.img hands off a lot of vital information to install_a-- however they are related to one another. Some changes to the configuration.xml will be rejected by the install_a, even though such changes may have worked with a previous firmware. In some cases, people have had success swapping out older install_a's, from previous firmwares, to accomplish their mods.

When you use the "cold boot" you're triggering the "rescue" kernel. That's a second, minimal kernel just to save your device when things go wrong. loader_a is running like a watchdog application when you boot up the rescue kernel, whenever you plug in a usb drive it will search its root directory for an install.img and get started with installing the firmware.

The latest firmware, 1.55, replaced the rescue kernel by way of the bootloader.tar. So, previously observed behaviour there may no longer be true.

I guess that's all I got.

Good luck,

wig_out

OK, thanks. So where is this "loader_a" application in all this?

Is there still a script involved where a flashing command line is executed (that could be easily edited) or is the command built into the binary?

Still seems like that stuff could be bypassed somehow and just go straight for some kind of boot.sh that handles flashing.

/usr/sbin/loader_a

There's no simple script that I am aware of. It's all compiled as near as I can tell.

-wig_out

In the latest (1.45) modded INSTALL.IMG file, this is the path to the file I'm asking about...

(INSTALL.IMG opened with 7zip)

package2/yaffs2_1.img ...

...then, upon un-YAFFS'ing the above-mentioned IMG file, look in:

/usr/local/firmware/boot.img (160kB in size)

I would just like to know what format that BOOT.IMG file is in.

TrID (http://mark0.net/soft-trid-e.html) seems to think it's Macbinary. I don't know of any better utility to identify what the compression format of a file is.

Nothing I've tried to use so far can touch it.

It seems there could be something in there that would be useful to boot the FAT+, maybe more.

---

wig_out wrote:

/usr/sbin/loader_a

 

There's no simple script that I am aware of. It's all compiled as near as I can tell.

 

-wig_out

---

OK, thanks wig

I've always wondered what that was. An examination of the strings of that file aren't terribly revealing to me. It seems like it's something to do with wireless network connections..... I don't think it's the answer. Of course I haven't found the answer yet so I wouldn't know it when I found it I suppose.

If you want to go done this road, you might examine the gpl source code released by Seagate and other manufacturers utilizing the rtd1073dd, or realtek 1073dd SoC.

Understand that all such gpl releases have been incomplete and often quite of date, however.....

-wigout