Hey! So I recently found a Klipad that had been waiting somewhere in my house. It is a cheap, tiny tablet, and I wanted to tinker with it a bit: root it, or even install GNU/Linux on it. As it runs Android 8.1.0 and hasn't received any security patches since something like September 2019, exploit-db.com gave me some ideas of root exploits. However, that would not be the simplest way to install GNU/Linux, if it is even possible without breaking everything.
I went into the recovery mode (using `adb reboot recovery` from my PC), hoping it would not require a signature when flashing updates, but it did. Signatures are how the device verifies that the updates it receives come from its manufacturer, so I could not craft DIY updates to do whatever I wanted.
While trying some other random things, I executed `adb reboot bootloader`, which usually reboots the phone into a third mode, distinct from normal Android and from the recovery. I expected some kind of fastboot or Odin mode, which are the other usual ways to send updates to a phone, and maybe the ability to unlock the tablet and upload my own updates.
However, all I saw was a black screen. As it was supposed to be some kind of reboot and not a shutdown, I wired it to my Linux PC and ran `lsusb` to see if I could talk to it:
```
$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
[...]
Bus 001 Device 018: ID 2207:310d Fuzhou Rockchip Electronics Company RK3126 in Mask ROM mode
[...]
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
```
ROM stands for Read-Only Memory, the memory of a device, but it is usually writable anyway, so the word is often used to refer to the Android software which runs on the device. "Stock ROM" refers to the official software created by the manufacturer of the device, while "custom ROM" refers to a ROM created by anyone else. LineageOS and GrapheneOS are examples of custom ROMs for Android phones.
So the device is in Mask ROM mode; may I upload my own custom ROM?
After copy-pasting the name of the device into Qwant, I landed on a wiki by kobol.io. Scroll, scroll, scroll… and it mentions some commands starting with
Let's search for rkdevelop on the AUR (Arch User Repository, a land of software)!
```
$ yay -Ss rkdevelop
aur/rkdeveloptool 66-1 (+2 0.01)
    Development tool for Rockchip SOC
```
So, I can simply install it with `yay -S rkdeveloptool`. Let's see what it can do.
```
$ sudo rkdeveloptool
---------------------Tool Usage ---------------------
Help: -h or --help
Version: -v or --version
ListDevice: ld
DownloadBoot: db <Loader>
UpgradeLoader: ul <Loader>
ReadLBA: rl <BeginSec> <SectorLen> <File>
WriteLBA: wl <BeginSec> <File>
WriteLBA: wlx <PartitionName> <File>
WriteGPT: gpt <gpt partition table>
WriteParameter: prm <parameter>
PrintPartition: ppt
EraseFlash: ef
TestDevice: td
ResetDevice: rd [subcode]
ReadFlashID: rid
ReadFlashInfo: rfi
ReadChipInfo: rci
ReadCapability: rcb
PackBootLoader: pack
UnpackBootLoader: unpack <boot loader>
TagSPL: tagspl <tag> <U-Boot SPL>
-------------------------------------------------------
$ sudo rkdeveloptool ld
DevNo=1 Vid=0x2207,Pid=0x310d,LocationID=103 Loader
```
Cool, this tool recognizes my tablet.
Wait… what are these `ReadLBA` things?
```
$ sudo rkdeveloptool rfi
Flash Info:
    Manufacturer: MICRON, value=04
    Flash Size: 16384 MB
    Flash Size: 33554432 Sectors
    Block Size: 8192 KB
    Page Size: 16 KB
    ECC Bits: 60
    Access Time: 32
    Flash CS: Flash<0>
```
Hmmmm… 33554432 sectors (~= 16 GiB)… didn't `ReadLBA` need some sector numbers?
```
ReadLBA: rl <BeginSec> <SectorLen> <File>
```
`ReadLBA` then!
```
$ time sudo rkdeveloptool rl 0 33554432 image.img
Read LBA to file (100%)
sudo rkdeveloptool rl 0 33554432 image.img  8,95s user 18,99s system 3% cpu 14:40,88 total
```
So, approximately 15 minutes to dump 16 GiB, and this is a 16 GiB tablet. Is it that simple to dump user data?
```
$ fdisk -l image.img
Disk image.img: 16 GiB, 17179869184 bytes, 33554432 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
```
This doesn't look like a normal hard disk or USB drive… there should be some partitions like "system", "userdata" or "boot", but fdisk shows none.

Let's look at it manually!
```
$ dd if=image.img count=2 2>/dev/null | cat
PARM?FIRMWARE_VER:7.1
MACHINE_MODEL:RK3126c
MACHINE_ID:007
MANUFACTURER:rk3126c
MAGIC: 0x5041524B
ATAG: 0x00200800
MACHINE: 3126c
CHECK_MASK: 0x80
PWR_HLD: 0,0,A,0,1
CMDLINE: console=ttyFIQ0 androidboot.baseband=N/A androidboot.veritymode=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(trust),0x00002000@0x00006000(misc),0x00008000@0x00008000(resource),0x00010000@0x00010000(kernel),0x00010000@0x00020000(boot),0x00020000@0x00030000(recovery),0x00038000@0x00050000(backup),0x00002000@0x00088000(security),0x00100000@0x0008a000(cache),0x00280000@0x0018a000(system),0x00008000@0x0040a000(metadata),0x00038000@0x00412000(vendor),0x00008000@0x0044a000(oem),0x00000400@0x00452000(frp),-@0x00452400(userdata)
�XX
```
I don’t really know what kind of magic (header)
However, CMDLINE looks like Linux kernel parameters!
Also, I actually see some
After some digging in the Rockchip Linux kernel, I could understand this
So, let’s say I want to dump
It is from sector 0x00020000 to sector 0x00020000 + 0x00010000.
Now, I want to dump my
It starts at sector 0x00452400 and, as its length is given as a dash (`-`), it runs until the end of the flash.
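The sector arithmetic above (size@offset entries, in 512-byte sectors, with `-` meaning "up to the end of the flash") is easy to get wrong by hand, so here is an added example, not code from the original post or from Rockchip, that parses the parameter block shown earlier and turns the `mtdparts` string into a partition table with byte offsets ready for `dd` or `mount`. The sample bytes are constructed from the `dd` output in the post; the header layout (a 4-byte `PARM` magic followed by a 4-byte little-endian text length) is an assumption, and the constructed sample follows it. The layout check goes a little beyond the post: it also reports overlaps, gaps and partitions running past the end of the flash.

```python
"""Parse a Rockchip PARM parameter block and its mtdparts partition layout."""
import re
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
FLASH_SECTORS = 33554432  # from `rkdeveloptool rfi`: 16 GiB of 512-byte sectors

MTDPARTS = (
    "mtdparts=rk29xxnand:"
    "0x00002000@0x00002000(uboot),0x00002000@0x00004000(trust),"
    "0x00002000@0x00006000(misc),0x00008000@0x00008000(resource),"
    "0x00010000@0x00010000(kernel),0x00010000@0x00020000(boot),"
    "0x00020000@0x00030000(recovery),0x00038000@0x00050000(backup),"
    "0x00002000@0x00088000(security),0x00100000@0x0008a000(cache),"
    "0x00280000@0x0018a000(system),0x00008000@0x0040a000(metadata),"
    "0x00038000@0x00412000(vendor),0x00008000@0x0044a000(oem),"
    "0x00000400@0x00452000(frp),-@0x00452400(userdata)"
)

# Constructed sample of the first sectors of the dump (text copied from the post).
PARM_TEXT = (
    "FIRMWARE_VER:7.1\nMACHINE_MODEL:RK3126c\nMACHINE_ID:007\nMANUFACTURER:rk3126c\n"
    "MAGIC: 0x5041524B\nATAG: 0x00200800\nMACHINE: 3126c\nCHECK_MASK: 0x80\n"
    "PWR_HLD: 0,0,A,0,1\nCMDLINE: console=ttyFIQ0 androidboot.baseband=N/A "
    "androidboot.veritymode=enforcing androidboot.hardware=rk30board "
    "androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 " + MTDPARTS + "\n"
)
# Assumed header: 4-byte magic, 4-byte little-endian length, then the text.
SAMPLE_BLOB = b"PARM" + len(PARM_TEXT).to_bytes(4, "little") + PARM_TEXT.encode() + b"\x00" * 64


@dataclass
class Partition:
    name: str
    start_sector: int
    size_sectors: int

    @property
    def end_sector(self) -> int:
        return self.start_sector + self.size_sectors

    @property
    def start_byte(self) -> int:
        return self.start_sector * SECTOR_SIZE


def parse_parameter_block(blob: bytes) -> Dict[str, str]:
    """Return the KEY: value lines of a PARM block as a dict (header layout assumed)."""
    if blob[:4] != b"PARM":
        raise ValueError("missing PARM magic")
    length = int.from_bytes(blob[4:8], "little")
    text = blob[8:8 + length].decode("ascii", errors="replace")
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # CMDLINE itself contains ':' later on
        if sep:
            params[key.strip()] = value.strip()
    return params


_PART_RE = re.compile(r"(-|0x[0-9a-fA-F]+)@(0x[0-9a-fA-F]+)\((\w+)\)")


def parse_mtdparts(cmdline: str, flash_sectors: int = FLASH_SECTORS) -> List[Partition]:
    """Extract size@offset(name) entries; on this Rockchip both numbers are sectors."""
    m = re.search(r"mtdparts=\w+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in cmdline")
    parts = []
    for size, offset, name in _PART_RE.findall(m.group(1)):
        start = int(offset, 16)
        # '-' means "everything up to the end", which needs the total from `rfi`
        length = flash_sectors - start if size == "-" else int(size, 16)
        parts.append(Partition(name, start, length))
    return parts


def layout_problems(parts: List[Partition], flash_sectors: int = FLASH_SECTORS) -> List[str]:
    """Sanity-check the table: overlaps, gaps and partitions past the end of flash."""
    problems = []
    ordered = sorted(parts, key=lambda p: p.start_sector)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start_sector < prev.end_sector:
            problems.append(f"{prev.name} overlaps {cur.name}")
        elif cur.start_sector > prev.end_sector:
            problems.append(f"gap of {cur.start_sector - prev.end_sector} sectors before {cur.name}")
    if ordered and ordered[-1].end_sector > flash_sectors:
        problems.append(f"{ordered[-1].name} runs past the end of flash")
    return problems


def partition_table(blob: bytes = SAMPLE_BLOB) -> Dict[str, Partition]:
    """PARM bytes -> {name: Partition}, the lookup needed before dd/mount."""
    params = parse_parameter_block(blob)
    return {p.name: p for p in parse_mtdparts(params["CMDLINE"])}


def mount_command(part: Partition, image: str = "image.img", fstype: str = "f2fs") -> str:
    """The read-only loop mount used in the post, with the byte offset filled in."""
    return f"sudo mount -r -t {fstype} -o loop,offset={part.start_byte} {image} /mnt/"


if __name__ == "__main__":
    table = partition_table()
    for p in table.values():
        print(f"{p.name:10s} start={p.start_sector:#010x} sectors={p.size_sectors:#010x}")
    print(mount_command(table["userdata"]))
    print("layout problems:", layout_problems(list(table.values())) or "none")
```

Run it against a real dump by replacing `SAMPLE_BLOB` with the first KiB of `image.img`; the `userdata` entry then gives exactly the `offset=` value used in the mount command further down.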
As I am on Linux, it is rather simple to mount it like a normal drive.
```
$ dd if=image.img skip=$((0x00452400)) | file -
/dev/stdin: F2FS filesystem, UUID=adcf4214-0553-4465-944c-bce0017cce5c, volume name ""
$ sudo mount -r -t f2fs -o loop,offset=$((0x00452400 * 512)) image.img /mnt/
$ ls /mnt
adb anr app app-asec app-ephemeral app-lib app-private backup bootchart cache camera cifsmanager dalvik-cache data drm gps local logs lost+found media [...]
```
I had created a file `hello.txt` from Termux on this tablet, so let's read it:
```
$ sudo cat /mnt/data/com.termux/files/home/hello.txt
Hello, World !
```
This way, anyone with physical access could dump my data.
This tablet is capable of user data encryption. However, using `rkdeveloptool`, anyone could modify a system binary so that it saves your password to a file. Moreover, if you use a pattern lock, it can easily be cracked, using aplc for example.
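If you own a similar device, the first thing to check on a dump is whether userdata is actually encrypted before anything is mounted. Below is an added example, not from the original post, that carves the first 64 KiB of a partition out of a full-flash image and applies two checks: a filesystem signature (the F2FS superblock magic at byte 1024, or the ext4 magic at byte 1080) and the byte entropy of the sample. The two partition samples at the bottom are constructed so the script runs without a device.

```python
"""Tell a plaintext userdata partition from an encrypted one in a flash dump."""
import hashlib
import math
import struct
from collections import Counter

F2FS_MAGIC = 0xF2F52010  # little-endian u32 at byte 1024 of the partition
EXT4_MAGIC = 0xEF53      # little-endian u16 at byte 1080 (superblock offset 1024 + 56)
SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY = 7.5       # bits per byte; random or well-encrypted data sits near 7.99


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for a constant buffer, 8 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filesystem_signature(head: bytes):
    """Return 'f2fs', 'ext4' or None depending on the superblock magic found."""
    if len(head) >= 1028 and struct.unpack_from("<I", head, 1024)[0] == F2FS_MAGIC:
        return "f2fs"
    if len(head) >= 1082 and struct.unpack_from("<H", head, 1080)[0] == EXT4_MAGIC:
        return "ext4"
    return None


def classify_partition(head: bytes) -> dict:
    """Combine the signature and entropy checks into a verdict for the partition."""
    sig = filesystem_signature(head)
    ent = shannon_entropy(head)
    if sig:
        verdict = f"{sig} superblock visible: not full-disk encrypted"
    elif ent >= HIGH_ENTROPY:
        verdict = "no filesystem signature, high entropy: likely encrypted"
    else:
        verdict = "no filesystem signature, low entropy: blank or unknown format"
    return {"filesystem": sig, "entropy": round(ent, 2), "verdict": verdict}


def read_partition_head(image_path: str, start_sector: int,
                        sector_size: int = 512, length: int = SAMPLE_BYTES) -> bytes:
    """Read the first `length` bytes of the partition starting at `start_sector`."""
    with open(image_path, "rb") as f:
        f.seek(start_sector * sector_size)
        return f.read(length)


def constructed_plaintext_f2fs() -> bytes:
    """Constructed sample: zero-filled partition with an F2FS magic and a text file."""
    buf = bytearray(SAMPLE_BYTES)
    struct.pack_into("<I", buf, 1024, F2FS_MAGIC)
    msg = b"Hello, World !\n"
    buf[4096:4096 + len(msg)] = msg
    return bytes(buf)


def constructed_encrypted() -> bytes:
    """Constructed sample: a deterministic hash stream standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < SAMPLE_BYTES:
        out += hashlib.sha256(b"constructed" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:SAMPLE_BYTES])


if __name__ == "__main__":
    print("plaintext sample:", classify_partition(constructed_plaintext_f2fs()))
    print("encrypted sample:", classify_partition(constructed_encrypted()))
    # On the real dump from the post (userdata starts at sector 0x00452400):
    # print(classify_partition(read_partition_head("image.img", 0x00452400)))
```

One caveat a practitioner should keep in mind: Android 8 devices may use file-based encryption rather than full-disk encryption, in which case the F2FS superblock and directory tree stay visible while file contents are encrypted. A visible superblock therefore only rules out full-disk encryption; the decisive test is the one the post did, reading a known file such as `hello.txt` back in clear.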
I think I'm going to shred all the data I can on this tablet and, if you've got a similar one, you should too.
The next step will be to get GNU/Linux running on this tablet! It seems the Pinebook Pro has a similar processor and boot process, so I might use its postmarketOS wiki page as a starting point.