au Qua Station - Part 3 - Getting a connection

In our previous installment, we discussed how the stock software is relatively useless at this point (and seemingly useless to begin with).  

Of the machines I ordered, one had been "activated" and never reset, so I was actually able to connect to it after hacking Windows in a VM to enable SMBv1 compatibility - but that is not really all that useful to me.  

By the way, most of the machines I received were unused and unopened - not bad for less than $20 USD.  

Comparable boards using the same chipset, such as the Banana Pi, go for over $100 on Amazon Japan.  This one includes a NAS grade 1TB HDD, which by itself is worth more than the $20.

Some people apparently know that and buy up the QuaStations, rip out the HDDs, and then re-sell them without HDDs for more like $5.  That is no problem for me because I had a bunch of 1TB HDDs lying around anyway.  
As you can see, it is easy enough to insert an SSD into the drive carrier and it works fine.  
Now, onto the real star of the show:  Since this machine has no HDMI out jack, the connection to the console is via TTL serial.  That means that unless your computer has a compatible port already (unlikely), you need to buy an adaptor.  Luckily, USB to serial adaptors are dirt cheap.  They can be found on Amazon, such as this one.  I got a 3 pack for around $5 US.  

I didn't see any with USB C, but that issue was easy enough to solve with an adaptor.  
Although the Qua station has four pins, you only actually need to connect 3 of the wires.  

At least for the model linked above, the wires will go in the same order on the adaptor and the Qua Station from left to right if you turn the unit so that the LED faces up and arrange the Qua Station so that the side with the power jack faces you.  (i.e. Orange, Red, Brown in this case).  


I used Minicom on OS X, but if you are on OS X, ZOC (Zap-O-Com) or iTerm would also work fine.  For Linux, Minicom is my choice, and if you are stuck with Windows, Tera Term is satisfactory.  (Although for Windows, I would just use WSL with Ubuntu and Minicom...)

I didn't need to install any driver, but you will need to figure out what port the USB adaptor is showing up as and set that up in your program.    

In Linux or OS X, you can use dmesg, and in Windows you can use the device manager.  (Actually in OS X, it is probably easiest just to do "ls /dev/cu.*", and then look for the device you don't recognize.)  


You need to set your serial port settings to 115200 baud, no parity (N), 1 stop bit.
If you are using Minicom, you can use "minicom -s" to enter the setup screen.


The example above is from OS X; on Linux, the serial converter will typically show up as /dev/ttyUSB0.

Note that on Windows, the COM port may change depending on which USB port you plug the adaptor into and which way the wind is blowing.  

Once this is set up properly, plug in the power, and lots of stuff will scroll by.  Actually here is the dump:

C1:80000000
C2
?
C3hswitch frequency to 0x00000046
frequency divider is 0x00000080
switch frequency to 0x00000046
frequency divider is 0x00000004
switch to SDR 8 bit
switch bus width to 0x00000008 bits success

hwsetting size: 000005E0
C4
5-5
Goto FSBL: 0x10100000
<=============================================>
fsbl_main: sys_secure_type = 0x0000BEEE
fsbl_main: sys_boot_type = 0x00000002
fsbl_main: sys_boot_enc = 0x00000000
fsbl_main: sys_bisr_done = 0x00000000
sys_hwsetting_size:00000600
sys_bootcode_size:000B31C0
sys_secure_fsbl_size:00010B80
sys_secure_os_size:00067B00
sys_bl31_size:00005040
sys_rsa_key_fw_size:00000000
sys_rsa_key_tee_size:00000000
sys_rescue_size:00000000

HwSetting:
hwsetting_blk_no:00000100
hwsetting_total_size:00000680
hwsetting_blk_count:00000004

Bootcode:
bootcode_blk_no:00000104
bootcode_total_size:000B31E0
bootcode_blk_count:00000599

FSBL:
secure_fsbl_blk_no:0000069D
secure_fsbl_total_size:00010BA0
secure_fsbl_blk_count:00000086

TEE OS:
secure_os_blk_no:00000723
secure_os_total_size:00067B20
secure_os_blk_count:0000033E

BL31:
bl31_blk_no:00000A61
bl31_total_size:00005060
bl31_blk_count:00000029

RSA Key Fw:
rsa_key_fw_blk_no:00000A8A
rsa_key_fw_total_size:00000000
rsa_key_fw_blk_count:00000000

RSA Key TEE:
rsa_key_tee_blk_no:00000A8A
rsa_key_tee_total_size:00000000
rsa_key_tee_blk_count:00000000

Rescue:
rescue_blk_no:00000A8A
rescue_total_size:00000000
rescue_blk_count:00000000
********** FW_TYPE_GOLD_TEE **********
fwInfo->fwType: 00000023
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 10200000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 000E4600
fwInfo->dataSize: 00067B20
body_size:00067B00
flash_unit_no:00000723
flash_unit_count:0000033E
real_size:00067AEC
sha256 Fw 
********** FW_TYPE_GOLD_BL31 **********
fwInfo->fwType: 00000028
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 10120000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 0014C200
fwInfo->dataSize: 00005060
body_size:00005040
flash_unit_no:00000A61
flash_unit_count:00000029
real_size:00005018
sha256 Fw 
********** FW_TYPE_BOOTCODE **********
fwInfo->fwType: 00000001
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 00020000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 00020800
fwInfo->dataSize: 000B31E0
body_size:000B31C0
flash_unit_no:00000104
flash_unit_count:00000599
real_size:000B3180
sha256 Fw 
j bootcode jump address:00020000
64b


SHG0001W-D111.1.2.162

CPU  : Cortex-A53 quad core - AARCH32
Board: Realtek QA Board
DRAM:  0 Bytes
Watchdog: Disabled
Cache: Enabled
Non-Cache Region: 1 MB@0x07900000
MMC:   RTD1295 eMMC: 0
mmc->version=0x00010000
version=0x00000004
[LY] cardtype=57, mmc->card_caps=0f
[LY] freq = 00464388, clk diver = 00000080
[LY] speed up emmc at HS-200 
[LY] HS-200 bus width=2
[LY] mmc->boot_caps = 20b
TEMP TX_WINDOW=0x7fffffff, TX_best=0xf 
RX_WINDOW=0xffffc03f, RX_best=0x19 
TX1_WINDOW=0x3fffff80, TX_best=0x12 
[LY] hs200 : 0
[HC] WPG_SIZE = 8388608
Device: RTD1295 eMMC
Manufacturer ID: 15
OEM: 100
Name: 8GME4
Tran Speed: 5f5e100
Rd Block Len: 512
MMC version 4.0
High Capacity: No
Capacity: 7.3 GiB
Bus Width: 8-bit
Speed: HS200
Factory: MMC
Factory: pp:1, seq#:0x59, size:0x21e00
------------can't find tmp/factory/000BootParam.h
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
dev->name=r8168#0
Hit Esc or Tab key to enter console mode or rescue linux:  2 
------------can't find tmp/factory/recovery
WPS button => 1 
reset button => 1 
Current AdbStatus=off
Current Power status 1 =on
Current Power status 2 =on
======== Checking into android recovery ====
 0 
@sz0:   exit

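The dump above lists where each boot stage lives in the eMMC: a block number, a total size and a block count per region, with fwInfo->flashUnitSize giving 0x200 bytes per block. The following Python script is an added example, not code from the original post or from the board's vendor. It parses those region blocks out of a saved console log, converts the block numbers to byte offsets (which match the fwInfo->flashOffset values printed later in the dump), and checks that the regions sit back to back and that each block count actually covers its total_size. Region names, field names and values are taken from the dump; SAMPLE_LOG is a constructed excerpt of it. The script also lists regions whose size is zero, which in this dump are the RSA key and rescue regions; it only reports that and does not infer what the loader does with them.

```python
# Added example, not code from the original post or from the board's vendor:
# parse the flash layout blocks that the Qua Station boot log prints and
# sanity-check them. Region names, field names and values come from the dump.
import re
import sys

UNIT = 0x200  # bytes per flash block, from fwInfo->flashUnitSize in the dump

# Constructed excerpt of the boot log above (the region blocks only).
SAMPLE_LOG = """\
HwSetting:
hwsetting_blk_no:00000100
hwsetting_total_size:00000680
hwsetting_blk_count:00000004
Bootcode:
bootcode_blk_no:00000104
bootcode_total_size:000B31E0
bootcode_blk_count:00000599
FSBL:
secure_fsbl_blk_no:0000069D
secure_fsbl_total_size:00010BA0
secure_fsbl_blk_count:00000086
TEE OS:
secure_os_blk_no:00000723
secure_os_total_size:00067B20
secure_os_blk_count:0000033E
BL31:
bl31_blk_no:00000A61
bl31_total_size:00005060
bl31_blk_count:00000029
RSA Key Fw:
rsa_key_fw_blk_no:00000A8A
rsa_key_fw_total_size:00000000
rsa_key_fw_blk_count:00000000
RSA Key TEE:
rsa_key_tee_blk_no:00000A8A
rsa_key_tee_total_size:00000000
rsa_key_tee_blk_count:00000000
Rescue:
rescue_blk_no:00000A8A
rescue_total_size:00000000
rescue_blk_count:00000000
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9 ]+):$")  # e.g. "TEE OS:"
FIELD_RE = re.compile(r"^\w+_(blk_no|total_size|blk_count):([0-9A-Fa-f]{8})$")


def parse_layout(log):
    """Return the regions in log order as dicts: name, blk_no, total_size, blk_count.

    Lines that are not part of a region block (the rest of the console dump) are ignored.
    """
    regions, cur = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := HEADER_RE.match(line):
            cur = {"name": m.group(1)}
            regions.append(cur)
        elif (m := FIELD_RE.match(line)) and cur is not None:
            cur[m.group(1)] = int(m.group(2), 16)
    return [r for r in regions if len(r) == 4]


def flash_offset(region, unit=UNIT):
    """Byte offset of a region; matches the fwInfo->flashOffset values printed later in the dump."""
    return region["blk_no"] * unit


def empty_regions(regions):
    """Names of regions whose total_size is zero (nothing is stored there in this image)."""
    return [r["name"] for r in regions if r["total_size"] == 0]


def layout_problems(regions, unit=UNIT):
    """Findings that would point at a corrupt or edited layout table; empty list means consistent."""
    problems, expect = [], None
    for r in regions:
        if r["blk_count"] * unit < r["total_size"]:
            problems.append(f"{r['name']}: {r['blk_count']} blocks do not cover {r['total_size']} bytes")
        if expect is not None and r["blk_no"] != expect:
            problems.append(f"{r['name']}: starts at block 0x{r['blk_no']:X}, expected 0x{expect:X}")
        expect = r["blk_no"] + r["blk_count"]
    return problems


if __name__ == "__main__":
    # Feed a captured console log on stdin, or run with no input to use the excerpt.
    regs = parse_layout(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    for r in regs:
        print(f"{r['name']:<12} offset=0x{flash_offset(r):08X} size=0x{r['total_size']:06X} blocks={r['blk_count']}")
    print("empty regions:", ", ".join(empty_regions(regs)) or "none")
    print("problems:", "; ".join(layout_problems(regs)) or "none")
```

Because the parser ignores every line that is not a region header or a blk_no/total_size/blk_count field, you can pipe the whole captured console log into it rather than cutting out the layout section by hand; keeping such a layout snapshot from a known-good boot gives you something to diff against after experimenting with the eMMC.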

Eventually, it will stop, and if enter is pressed, it will drop to a prompt like this:

kylin#

This is a root prompt for Android Linux.

Some standard Linux commands, like dd, df, and mount are there, while others are not.
Android is not your standard Linux distribution, so files are not where you would expect them to be if you know Linux.  e.g. /etc/fstab isn't present, but there is another similar file.
Also, the standard commands are just based on BusyBox, so the typical options may not work.  e.g. df works, but df -h does not.

The "mount" command doesn't help you much since basically everything is mounted via FUSE.
The /dev folder is not what you would expect, so trying to mount a drive manually is not easy, and the system automatically mounts USB drives - but only if they are FAT formatted.

Still, you can play around here, and even exfiltrate files you think might be useful.  Have a look in the /vendor directory, for example.  

Note that pressing buttons causes status messages to display on the console.  

The root filesystem is mounted read-only, but if you know how, you can actually remount it as read-write (I looked in init.rc for hints).

Some people have even run Debian and Arch by using chroot from here with this stock Android kernel.  

Once you have entertained yourself enough, you may want to know how to get into the bootloader.  Hold down the ESC key on your computer and press the power button for around 5 seconds.  If you wait for about 20 seconds (keep holding ESC!), then the system will shut down, reboot, and stop.

A prompt like the following should be displayed:


U-Boot Prompt

Realtek>

If you see this, you are at the u-boot prompt.  If you see the kylin# prompt, you missed it, so you have to remove and reinsert the power plug and try again.  

The point where you can enter u-boot is where it displays:
======== Checking into android recovery ====
 0 
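The window described above is easy to miss by hand. The following Python script is an added example, not code from the original post: it opens the USB adaptor with pyserial (assumed installed: pip install pyserial) at 115200 baud, no parity, 1 stop bit as given earlier (8 data bits, pyserial's default), appends everything it reads to a log file, and from the moment the "Hit Esc or Tab key to enter console mode" line goes by it sends ESC on every chunk it reads until either the Realtek> or the kylin# prompt appears, which is the scripted equivalent of "keep holding ESC". The prompt strings and the /dev/cu.* and /dev/ttyUSB* device names come from the post; the /dev/cu.usb* glob, the 0.5 second read timeout and the log file name are assumptions. The decision logic is kept apart from the serial I/O (watch() takes any iterable of strings) so it can be exercised on a saved log without the board attached.

```python
# Added example, not code from the original post: a console watcher that logs the
# boot output and presses ESC at the right moment to land on the Realtek> prompt.
# Assumes pyserial is installed (pip install pyserial). Prompt strings and device
# name patterns come from the post; the timeout and log file name are assumptions.
import glob
import sys

BAUD = 115200
UBOOT_PROMPT = "Realtek>"
ANDROID_PROMPT = "kylin#"
ENTRY_MARKER = "Hit Esc or Tab key to enter console mode"
ESC = b"\x1b"


def candidate_ports():
    """Likely USB-serial nodes: /dev/cu.usb* on OS X (assumed glob), /dev/ttyUSB* on Linux."""
    return sorted(glob.glob("/dev/cu.usb*") + glob.glob("/dev/ttyUSB*"))


def classify(chunk):
    """Map one chunk of console output to 'entry', 'uboot', 'android' or None."""
    text = chunk.strip()
    if ENTRY_MARKER in text:
        return "entry"
    if text.startswith(UBOOT_PROMPT):
        return "uboot"
    if text.startswith(ANDROID_PROMPT):
        return "android"
    return None


def watch(chunks, send):
    """Return which prompt was reached ('uboot' or 'android'), or None if the input ended.

    Once the entry marker has gone by, send(ESC) is called for every chunk read
    (including empty read timeouts) until a prompt shows up, i.e. ESC is "held down".
    """
    armed = False
    for chunk in chunks:
        event = classify(chunk)
        if event == "entry":
            armed = True
        elif event in ("uboot", "android"):
            return event
        if armed:
            send(ESC)
    return None


def run(port, logfile="quastation-console.log"):
    import serial  # pyserial; imported here so the helpers above import without it

    with serial.Serial(port, BAUD, bytesize=8, parity="N", stopbits=1, timeout=0.5) as ser, \
            open(logfile, "a", encoding="utf-8") as log:

        def chunks():
            while True:  # readline() returns b"" on timeout, which keeps ESC flowing
                data = ser.readline().decode("utf-8", "replace")
                if data:
                    log.write(data)
                    sys.stdout.write(data)
                    sys.stdout.flush()
                yield data

        reached = watch(chunks(), ser.write)
        note = " (missed the window; remove and reinsert the power plug and retry)" if reached == "android" else ""
        print(f"\n[watcher] reached the {reached} prompt{note}")


if __name__ == "__main__":
    port = sys.argv[1] if len(sys.argv) > 1 else next(iter(candidate_ports()), None)
    if port is None:
        sys.exit("no USB serial device found; pass the device path as an argument")
    run(port)
```

Start the script first, then plug in the power; it exits as soon as one of the two prompts appears, and you can then attach Minicom to the same device to type at the Realtek> prompt. The log file doubles as the kind of capture the layout checker above can be fed later.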

In order to make this process easier for future boots, you can set up a delay using:

env set bootdelay 5

env save

From the next boot, u-boot will count down before continuing the boot process.  If ESC is pressed, it will drop to the Realtek> prompt.  Note that the boot loader is a two stage loader, so whatever delay you put in here will happen twice.  For me, two seconds is more than enough to be able to hit the escape key in time.  

From here you can do things like boot from USB or eMMC.

Luckily, someone figured out that there is a set top box with the same chipset made by a company called Zidoo (The Zidoo X9S - which, interestingly, costs around $250!), and they have a Linux rescue image available here or here which we can use.  

There is a post here by a blogger explaining in detail how to use this, but basically:
1. On a computer, download and extract the file, it will look like this:

2. Create a FAT32 formatted USB and put all of the files into it.
3. Stick the USB disk into one of the USB ports of the Qua Station and boot it up to the Realtek> prompt.
4. Type "goru".
Note: If you have played around with the environment variables (such as bootargs) in the Qua Station you are using before, then this may not work smoothly, as the rescue kernel will read those and try to follow them.  

If all goes well, you will be sitting at a Linux prompt in a few seconds.  This rescue environment is based on OpenWrt, but it is still much more "normal" than an Android environment, and can be used for various things, including burning a new kernel into the eMMC (more about that in a blog entry by U-Haru here).  


Looking at the u-boot and dmesg output, one interesting thing is that there are "phantom devices" for audio, video, ethernet and other features that are part of the chipset but a physical port hasn't been added to the board.  This means that (for example) even though video is not displayed, there is actually a frame buffer.  

This rescue environment only boots up with 500MB of RAM, but that can be changed by altering which DTB is used.
/sys/class/net # cat /proc/meminfo 
MemTotal:         582152 kB
MemFree:          523412 kB
MemAvailable:     525452 kB

One can even set up a root filesystem on an SD card or HDD and pass it to this kernel to run Ubuntu 16, etc. (Both this kernel and the au kernel are based on 4.1.17).  Since this kernel is designed for rescue use, it may not have every feature you want.

It does, however, have support for two gigabit ethernet dongles I tried:
[  933.256835] cdc_ether 1-1:2.0 eth1: register 'cdc_ether' at usb-xhci-hcd.4.auto-1, CDC Ethernet Device, 28:ee:52:15:e0:eb
[ 1013.085061] ax88179_178a 2-1:1.0 eth1: register 'ax88179_178a' at usb-xhci-hcd.4.auto-1, ASIX AX88179 USB 3.0 Gigabit Ethernet, 50:c40

Once you're done playing here, you'll probably want to know how to set up things to boot automatically so that you don't need to keep a serial console connected forever.  
