04-22-2025, 05:10 PM
(This post was last modified: 04-22-2025, 05:17 PM by soxrok2212.)
(04-08-2025, 05:44 PM)FiosFiend Wrote:
From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?
Code:
## Loading kernel from FIT Image at 02000000 ...
Using 'conf_lx_VERIZON-G3100' configuration
Verifying Hash Integrity ... OK
Trying 'kernel' kernel subimage
Description: 4.19 kernel
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x0228c800
Data Size: 3461392 Bytes = 3.3 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00100000
Entry Point: 0x00100000
Hash algo: sha256
Hash value: 77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
Verifying Hash Integrity ... sha256+ OK
This is a Flattened Image Tree (FIT) image. It uses the same structure as a standard device tree, but it is used to pack together a kernel, device tree, rootfs and device config into a single image. The integrity check you are referring to is not something that can be cracked/brute-forced. It is a sum across the component (kernel, rootfs, etc.) to ensure nothing was modified or corrupted.
I do have a NAND dump of both a g1100 and a g3100, but I don't think I have the physical devices any more.
HOWEVER, I will tell you that it is possible to glitch the bootloader into giving you a shell; you have to short the data-out pin on the flash chip to ground when it loads the bootloader environment from flash, and the short has to be very brief. The trick here is that they left the fallback config built into U-Boot. I can't remember exactly what it was that let me in, maybe it was a bootdelay counter, but it is possible.
Be aware that you can damage the flash and/or its contents doing this, but you may be able to get a root shell.
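Added example (not part of the original post, and not U-Boot's own code): a minimal Python walk of a FIT blob that recomputes each image's digest and compares it with the stored hash node, which is the check the "Verifying Hash Integrity ... sha256+ OK" line reports. `build_sample_fit` and its one-image layout are constructed for illustration; the code assumes image data is embedded in the `data` property and that the algorithm is one `hashlib` supports.

```python
import hashlib
import struct

def fit_hash_report(blob):
    """Walk a FIT (FDT-format) blob; return {image_node: (algo, digest_matches)}."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != 0xD00DFEED:
        raise ValueError("not an FDT/FIT blob")
    props, path, pos = {}, [], off_struct
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == 1:                                   # FDT_BEGIN_NODE: NUL-terminated name
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3                       # skip NUL, align to 4 bytes
        elif tok == 2:                                 # FDT_END_NODE
            path.pop()
        elif tok == 3:                                 # FDT_PROP: length, name offset, value
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            name = blob[off_strings + nameoff:].split(b"\0", 1)[0].decode()
            props["/".join(path), name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif tok == 9:                                 # FDT_END
            break
        elif tok != 4:                                 # anything but FDT_NOP is malformed
            raise ValueError("bad FDT token")
    report = {}
    for (node, name), value in props.items():
        parent, _, leaf = node.rpartition("/")
        if name == "value" and leaf.startswith("hash"):
            algo = props[node, "algo"].rstrip(b"\0").decode()
            report[parent] = (algo, hashlib.new(algo, props[parent, "data"]).digest() == value)
    return report

def build_sample_fit(data, digest):
    """Constructed minimal FIT: /images/kernel with embedded data and one hash node."""
    def pad(b):
        return b + b"\0" * (-len(b) % 4)
    def prop(nameoff, v):
        return struct.pack(">3I", 3, len(v), nameoff) + pad(v)
    def node(n, body):
        return struct.pack(">I", 1) + pad(n + b"\0") + body + struct.pack(">I", 2)
    hash_node = node(b"hash-1", prop(5, b"sha256\0") + prop(10, digest))
    kernel = node(b"kernel", prop(0, data) + hash_node)
    tree = node(b"", node(b"images", kernel)) + struct.pack(">I", 9)
    strings = b"data\0algo\0value\0"
    header = struct.pack(">10I", 0xD00DFEED, 56 + len(tree) + len(strings), 56,
                         56 + len(tree), 40, 17, 16, 0, len(strings), len(tree))
    return header + b"\0" * 16 + tree + strings
```

Run against an intact blob, the report shows the digest matching; a single changed byte in the image data turns the result to a mismatch, which is the corruption/modification detection described above.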