Welcome! Log In Create A New Profile

Advanced

Sony NSZ-GS7 - serial connection ?

Posted by dietgert 
Sony NSZ-GS7 - serial connection ?
October 20, 2021 03:09AM
Hello,

yesterday i opened an older sony-box.
The box is pretty useless with the ancient Android 3 now.
There is no convenient way to install another os however (secured bootloader).
Because of the ancient android - os there
are some usable security-holes though...

But my question here is: is CN2000 a connector to a serial console ?
If so, what kind/type of connector is this ?
Direct soldering would be a challenge for me because of the small pitch ...
And i see little to no information available for this box ...

BR
dietgert
Attachments:
open | download - IMG_20211019_201241.jpg (356.1 KB)
open | download - IMG_20211019_201338.jpg (477.5 KB)
Re: Sony NSZ-GS7 - serial connection ?
October 20, 2021 05:49PM
dietgert,

> There is no convenient way to install another os
> however (secured bootloader).

Then it will be a challenge to get it to run Debian.

> But my question here is: is CN2000 a connector to
> a serial console ?
> If so, what kind/type of connector is this ?
> Direct soldering would be a challenge for me
> because of the small pitch ...

It is hard to tell because of the scale relative to other components are not really obvious.

IIRC, there are 2 common types of JST headers: full size one (2.54 mm), and micro-JST (1 mm). You can buy a female JST or miro-JST header with wires already attched, and use them to test this port to see if they are serial port. No soldering needed.

Use the 1mm and 2.54 mm as a reference, and measure that header to see which one you should buy. On eBay these parts are really cheap.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Sony NSZ-GS7 - serial connection ?
October 20, 2021 11:49PM
There is a page for this device at https://www.exploitee.rs/index.php/Sony_NSZ-GS7_(Streamer). I did not see any details about serial access, but you should be able to gain root via the same hack as other GoogleTV devices.

Ray
Re: Sony NSZ-GS7 - serial connection ?
November 12, 2021 08:34AM
bodhi Wrote:
-------------------------------------------------------
> dietgert,

....

> Use the 1mm and 2.54 mm as a reference, and
> measure that header to see which one you should
> buy. On eBay these parts are really cheap.

Thank You, bodhi!
Used the 1mm micro-JST pitch version (there are 1,25mm types available too).

CN2000 IS the serial console connector.

right: GND
left: probably + 3.3V
next to left pin: Tx
next to GND: probably Rx (i could not interrupt anything here).

... and of course a first look at the boot process:

���sys_init start. boot_strap=0x00000940 (source=eMMC), boot_state=0x0
CID_SerialNum=11840038  RCA=11840038.
pSDMMCP->EraseSize = 0x80000.
eMMC init ok.
Load images from boot partition 1.
get_custom_key ok.
MV_DRMLIB_Load_Customer_Key OK.
bootloader image verified, start...

Beetle A0 [Aug  7 2013 16:06:19]
uiBoot = 0
Pinmux configuration:

GSM 0xf7fcd040 0x0000c400;
GSOC 0xf7ea0000 0x02820044;
GSOC1 0xf7ea0004 0xb8493480;

leakage info 1120.
set voltage to 1025.
set vcore to 1025
vout_percentage 9c, set Vout to 1025mV
GpioOneWireVoltCtrl, data = 0x2a539
0xf7ea0014: 8d48a005 0108312a 00100000 08000000 
0xf7ea0028: 8d48a005 03c80c02 001c0400 00a71f40 
0xf7ea003c: 9948b005 0108312d 00100000 00000000 
Clock configuration:
 VCO_B		frequency 1620
 AVPLLB[4]	frequency 690
 AVPLLB[5]	frequency 850
 AVPLLB[6]	frequency 690
 AVPLLB[7]	frequency 490
 cpuPll		frequency 1200
 memPll		frequency 1600
 sysPll		frequency 800
 dClk		frequency 400
 cpuClk		frequency 1200
 sysClk		frequency 400
 drmClk		frequency 400
 cfgClk		frequency 100
 gfxClk		frequency 400
 zspClk		frequency 490
 perifClk	frequency 200
 pCubeClk	frequency 850
 vScopeClk	frequency 850
 nfcEccClk	frequency 100
 vppSysClk	frequency 400
 appClk		frequency 800
 gfx3DCoreClk	frequency 690
 gfx3DSysClk	frequency 490
 arcRefClk	frequency 400
 vipClk		frequency 400
 sdioXinClk	frequency 100
 sdio1XinClk	frequency 100
 gfx3DExtraClk	frequency 490
 gc360Clk	frequency 400
Manufacture ID:21
Product name:M8G2F
CID_SerialNum=11840038  RCA=11840038.
pSDMMCP->EraseSize = 0x80000.
EMMC: Load version table from boot partition 1.
[00,sd00] bootloader: part1(start=0, blks=1, version=201308071606), part2(start=0, blks=1, version=000000000000)
[01,sd01] bootimgs: part1(start=2, blks=48, version=201308071606), part2(start=50, blks=50, version=000000000000)
[02,sd03] u-boot.env: part1(start=120, blks=4, version=201308071606), part2(start=120, blks=4, version=000000000000)
[03,sd05] factory_setting: part1(start=126, blks=62, version=201308071606), part2(start=126, blks=62, version=000000000000)
[04,sd06] flashless: part1(start=190, blks=30, version=201308071606), part2(start=190, blks=30, version=000000000000)
[05,sd07] kernel: part1(start=222, blks=38, version=201308071606), part2(start=222, blks=38, version=000000000000)
[06,sd08] fts: part1(start=262, blks=22, version=201308071606), part2(start=262, blks=22, version=000000000000)
[07,sd09] boot: part1(start=286, blks=238, version=201308071606), part2(start=286, blks=238, version=000000000000)
[08,sd10] recovery: part1(start=526, blks=638, version=201308071606), part2(start=526, blks=638, version=000000000000)
[09,sd11] system: part1(start=1166, blks=2046, version=201308071606), part2(start=1166, blks=2046, version=000000000000)
[10,sd12] cache: part1(start=3214, blks=1022, version=201308071606), part2(start=3214, blks=1022, version=000000000000)
[11,sd13] chrome: part1(start=4238, blks=2046, version=201308071606), part2(start=4238, blks=2046, version=000000000000)
[12,sd14] userdata: part1(start=6286, blks=8466, version=201308071606), part2(start=6286, blks=8466, version=000000000000)
######## value: 0x35
flash_ts_init() start.
fts: v565 loaded from 0x008d0000
flash_ts_init() success.
get macaddr from fts: 54:53:ed:d9:5f:e9
macaddr=54:53:ed:d9:5f:e9
WOL MAC address: 54:53:ed:d9:5f:e9
######## value: 0x35
Not warm up.
######## value: 0x35
start to kick off SM CPU: start 0x006863ec, size 41612
SM CPU is kicked off.
######## value: 0x37
fts: crashcounter.android: L0E
_fOtNs :N ObWo o              D
loader.command: t
SM starts,enters warmup state!
Kernel image decrypt start now
Kernel image decrypt finished 
verify Kernel image passed.
OTP Temperature: 99 celsius degree
BOOT: CPU - B0
get macaddr from fts: 54:53:ed:d9:5f:e9
macaddr=54:53:ed:d9:5f:e9
WOL MAC address: 54:53:ed:d9:5f:e9
Image3 bootargs: androidboot.console=ttyS0 console=ttyS0,115200 init=/init macaddr=54:53:ed:d9:5f:e9 emmc_ts.dev_id=8 emmc_ts.size=11534336 emmc_ts.erasesize=524288 emmc_ts.writesize=512
mkbootimg bootargs: androidboot.hardware=berlin root=/dev/mmcblk0p9 rootfstype=ext4 inithash=b1631ff48a4543703524559bc1c2e062128d0e92 rootwait
Generated bootargs: androidboot.hardware=berlin root=/dev/mmcblk0p9 rootfstype=ext4 inithash=b1631ff48a4543703524559bc1c2e062128d0e92 rootwait androidboot.console=ttyS0 console=ttyS0,115200 init=/init macaddr=54:53:ed:d9:5f:e9 emmc_ts.dev_id=8 emmc_ts.size=11534336 emmc_ts.erasesize=524288 emmc_ts.writesize=512
Send bootmode=0 to SM.
R
se
oPnRdOiCnEgS St_oP OSWME.R._.M
GW aGrOmT  uBpO.O             S
MBOoDoEt= 0nxo0r T
al GTV image    m
[Flash Write]page=0x000045ea, buf=0x006a0c8c, size=8192
MM4_WriteBlocks, write 0x10 blocks to 0x45ea0
 [Flash Write]page=0x000045eb, buf=0x006a2c8c, size=8192
MM4_WriteBlocks, write 0x10 blocks to 0x45eb0
 fts: record v566 commited @ 0x008d4000
Uncompressing Linux... done, booting the kernel.
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 2.6.35.14 (root@BTV3G-Slave34) (gcc version 4.4.5 20100614 (prerelease) (FSF GNU GCC branch-4.4.5. Marvell GCC 2010q4-113) ) #2 SMP PREEMPT Wed Aug 7 16:07:40 JST 2013
[    0.000000] CPU: ARMv7 Processor [562f5841] revision 1 (ARMv7), cr=10c53c7f
[    0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
[    0.000000] Machine: MV88DE3100
[    0.000000] Memory policy: ECC disabled, Data cache writealloc
[    0.000000] PERCPU: Embedded 7 pages/cpu @80aae000 s6592 r8192 d13888 u65536
[    0.000000] pcpu-alloc: s6592 r8192 d13888 u65536 alloc=16*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 162560
[    0.000000] Kernel command line: androidboot.hardware=berlin root=/dev/mmcblk0p9 rootfstype=ext4 inithash=b1631ff48a4543703524559bc1c2e062128d0e92 rootwait androidboot.console=ttyS0 console=ttyS0,115200 init=/init macaddr=54:53:ed:d9:5f:e9 emmc_ts.dev_id=8 emmc_ts.size=11534336 emmc_ts.erasesize=524288 emmc_ts.writesize=512
[    0.000000] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Memory: 640MB = 640MB total
[    0.000000] Memory: 643616k/643616k available, 11744k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
[    0.000000]     vmalloc : 0xa8800000 - 0xf6000000   (1240 MB)
[    0.000000]     lowmem  : 0x80000000 - 0xa8000000   ( 640 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .init : 0x80008000 - 0x8002f000   ( 156 kB)
[    0.000000]       .text : 0x8002f000 - 0x804af000   (4608 kB)
[    0.000000]       .data : 0x804b0000 - 0x804df780   ( 190 kB)
[    0.000000] SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] 	RCU-based detection of stalled CPUs is disabled.
[    0.000000] 	Verbose stalled-CPUs detection is disabled.
[    0.000000] NR_IRQS:118
[    0.047146] Calibrating delay loop... 1196.03 BogoMIPS (lpj=5980160)
[    0.287097] pid_max: default: 4096 minimum: 301
[    0.287186] Security Framework initialized
[    0.287208] Guardian:  Initializing.
[    0.287297] Mount-cache hash table entries: 512
[    0.287711] Initializing cgroup subsys cpuacct
[    0.287757] CPU: Testing write buffer coherency: ok
[    0.287968] Calibrating local timer... 399.97MHz.
[    0.348708] Tauros3: System L2 cache support initialised
[    0.512644] CPU1: Booted secondary processor
[    0.746901] Brought up 2 CPUs
[    0.746915] SMP: Total of 2 processors activated (2392.06 BogoMIPS).
[    0.749255] NET: Registered protocol family 16
[    0.750416] hw perfevents: enabled with Marvell PJ4B PMU driver, 7 counters available
[    0.765137] bio: create slab <bio-0> at 0
[    0.773172] SCSI subsystem initialized
[    0.773492] usbcore: registered new interface driver usbfs
[    0.773713] usbcore: registered new interface driver hub
[    0.773870] usbcore: registered new device driver usb
[    0.774537] Advanced Linux Sound Architecture Driver Version 1.0.23.
[    0.775096] Bluetooth: Core ver 2.15
[    0.775210] NET: Registered protocol family 31
[    0.775219] Bluetooth: HCI device and connection manager initialized
[    0.775232] Bluetooth: HCI socket layer initialized
[    0.775482] Switching to clocksource apbt
[    0.777681] NET: Registered protocol family 2
[    0.777771] IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.777976] TCP established hash table entries: 131072 (order: 8, 1048576 bytes)
[    0.779130] TCP bind hash table entries: 65536 (order: 7, 786432 bytes)
[    0.779697] TCP: Hash tables configured (established 131072 bind 65536)
[    0.779708] TCP reno registered
[    0.779843] NET: Registered protocol family 1
[    0.798124] RPC: Registered udp transport module.
[    0.798134] RPC: Registered tcp transport module.
[    0.798143] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.798641] PMU: registered new PMU device of type 0
[    0.798758] galois_pinmux_init
[    0.798905] current setting: 2820044:b8493480:c400
[    0.798937] mv88de3100_eth1 mv88de3100_eth1: use dummy geth_platform_data
[    0.799041] Marvell PHY, LED2:link, LED0:link/act.
[    0.800302] net eth0: port 0 with MAC address 54:53:ed:d9:5f:e9
[    0.800576] register major 249
[    0.800688] minor=0
[    0.800820] minor=1
[    0.800941] minor=2
[    0.801064] minor=3
[    0.801624] input: Inafra-Red as /devices/virtual/input/input0
[    0.801976] [Galois][shm_driver] memory size (bytes)                 = 0x16400000
[    0.801989] [Galois][shm_driver] memory threshold (bytes)            = 0x00000040
[    0.801999] [Galois][shm_driver] memory base phys addr               = 0x29000000
[    0.802008] [Galois][shm_driver] shm_device_create OK.
[    0.802017] [Galois][shm_driver] memory size (bytes)                 = 0x00C00000
[    0.802027] [Galois][shm_driver] memory threshold (bytes)            = 0x00000040
[    0.802036] [Galois][shm_driver] memory base phys addr               = 0x3F400000
[    0.802045] [Galois][shm_driver] shm_device_create OK.
[    0.802055] [Galois][shm_driver] memory ioremap_noncache, base:0x3F400000, size:0x00C00000
[    0.802651] [Galois][shm_driver] memory ioremap, base:0x29000000, size:0x16400000
[    0.819414] [Galois][shm_driver] memory base virt addr (cache)       = 0xAA000000
[    0.819426] [Galois][shm_driver] memory base virt addr (non-cache)   = 0xA9000000
[    0.819435] [Galois][shm_driver] MV_SHM_Init OK
[    0.819471] [Galois][shm_driver] shm_driver_init OK
[    0.819816] [Galois][cc_driver] cc_driver_init OK
[    0.819962] NetWinder Floating Point Emulator V0.97 (extended precision)
[    0.826610] ashmem: initialized
[    0.848273] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.848672] Slow work thread pool: Starting up
[    0.848781] Slow work thread pool: Ready
[    0.848790] NTFS driver 2.1.29 [Flags: R/O].
[    0.848827] fuse init (API version 7.14)
[    0.849081] msgmni has been set to 1257
[    0.868789] io scheduler noop registered
[    0.868800] io scheduler deadline registered
[    0.868819] io scheduler cfq registered (default)
[    0.869069] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    0.869984] serial8250.0: ttyS0 at MMIO 0xf7fc9000 (irq = 104) is a 16550A
[    1.485582] console [ttyS0] enabled
[    1.489549] serial8250.0: ttyS1 at MMIO 0xf7fca000 (irq = 105) is a 16550A
[    1.497320] brd: module loaded
[    1.503424] loop: module loaded
[    1.507192] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.514015] mv88de3100_ehci mv88de3100_ehci.0: Marvell On-Chip EHCI Host Controller
[    1.522010] mv88de3100_ehci mv88de3100_ehci.0: new USB bus registered, assigned bus number 1
[    1.558068] mv88de3100_ehci mv88de3100_ehci.0: irq 43, io mem 0xf7ed0000
[    1.578043] mv88de3100_ehci mv88de3100_ehci.0: USB 2.0 started, EHCI 1.00
[    1.585610] hub 1-0:1.0: USB hub found
[    1.589520] hub 1-0:1.0: 1 port detected
[    1.593869] usb_ehci_mv_probe : usb_add_hcd successful
[    1.599225] mv88de3100_ehci mv88de3100_ehci.1: Marvell On-Chip EHCI Host Controller
[    1.607160] mv88de3100_ehci mv88de3100_ehci.1: new USB bus registered, assigned bus number 2
[    1.648059] mv88de3100_ehci mv88de3100_ehci.1: irq 44, io mem 0xf7ee0000
[    1.668041] mv88de3100_ehci mv88de3100_ehci.1: USB 2.0 started, EHCI 1.00
[    1.675537] hub 2-0:1.0: USB hub found
[    1.679440] hub 2-0:1.0: 1 port detected
[    1.683766] usb_ehci_mv_probe : usb_add_hcd successful
[    1.689233] Initializing USB Mass Storage driver...
[    1.694452] usbcore: registered new interface driver usb-storage
[    1.700674] USB Mass Storage support registered.
[    1.705725] usbcore: registered new interface driver usbserial
[    1.711869] USB Serial support registered for generic
[    1.717218] usbcore: registered new interface driver usbserial_generic
[    1.723978] usbserial: USB Serial Driver core
[    1.728595] USB Serial support registered for cp210x
[    1.733864] usbcore: registered new interface driver cp210x
[    1.739638] cp210x: v0.09:Silicon Labs CP210x RS232 serial adaptor driver
[    1.746759] USB Serial support registered for FTDI USB Serial Device
[    1.753536] usbcore: registered new interface driver ftdi_sio
[    1.759493] ftdi_sio: v1.6.0:USB FTDI Serial Converters Driver
[    1.765632] USB Serial support registered for pl2303
[    1.770910] usbcore: registered new interface driver pl2303
[    1.776672] pl2303: Prolific PL2303 USB to serial adaptor driver
[    1.783599] IR NEC protocol handler initialized
[    1.788300] IR RC5(x) protocol handler initialized
[    1.793253] IR RC6 protocol handler initialized
[    1.797936] IR JVC protocol handler initialized
[    1.802627] IR Sony protocol handler initialized
[    1.807401] Linux video capture interface: v2.00
[    1.812284] gspca: main v2.9.0 registered
[    1.816759] usbcore: registered new interface driver uvcvideo
[    1.822714] USB Video Class driver (v0.1.0)
[    1.827039] Bluetooth: Generic Bluetooth SDIO driver ver 0.1
[    1.833196] sdhci: Secure Digital Host Controller Interface driver
[    1.839597] sdhci: Copyright(c) Pierre Ossman
[    1.844331] mmc0: SDHCI controller on MVSD [mv_sdhci] using DMA
[    1.850495] mmc1: Invalid maximum block size, assuming 512 bytes
[    1.856881] mmc1: SDHCI controller on MVSD [mv_sdhci.0] using DMA
[    1.863222] mmc2: Invalid maximum block size, assuming 512 bytes
[    1.869588] mmc2: SDHCI controller on MVSD [mv_sdhci.1] using DMA
[    1.876856] usbcore: registered new interface driver hiddev
[    1.882764] usbcore: registered new interface driver usbhid
[    1.888536] usbhid: USB HID core driver
[    1.892845] logger: created 256K log 'log_main'
[    1.897678] logger: created 256K log 'log_events'
[    1.902695] logger: created 64K log 'log_radio'
[    1.907511] logger: created 64K log 'log_system'
[    1.912769] usbcore: registered new interface driver snd-usb-audio
[    1.919426] ALSA device list:
[    1.922498]   No soundcards found.
[    1.926285] oprofile: using timer interrupt.
[    1.930745] nf_conntrack version 0.5.0 (10056 buckets, 40224 max)
[    1.937176] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[    1.938959] mmc0: new high speed MMC card at address 0001
[    1.939474] mmcblk0: mmc0:0001 M8G2FA 7.20 GiB 
[    1.939638] mmcblk0boot0: mmc0:0001 M8G2FA partition 1 512 KiB
[    1.939790] mmcblk0boot1: mmc0:0001 M8G2FA partition 2 512 KiB
[    1.967127] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[    1.975316] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[    1.981899] ip_tables: (C) 2000-2006 Netfilter Core Team
[    1.987467] TCP cubic registered
[    1.990880] NET: Registered protocol family 10
[    1.996000] IPv6 over IPv4 tunneling driver
[    2.000706]  mmcblk0: p1 p2 p3 p4 <
[    2.005300] NET: Registered protocol family 17
[    2.010195]  p5
[    2.011880] Bluetooth: UCD (Unicast Connectionless Data) ver 0.1
[    2.018297] Bluetooth: L2CAP ver 2.14
[    2.022083] Bluetooth: L2CAP socket layer initialized
[    2.027306] Bluetooth: SCO (Voice Link) ver 0.6
[    2.031997] Bluetooth: SCO socket layer initialized
[    2.037088]  p6
[    2.038770] Bluetooth: RFCOMM TTY layer initialized
[    2.044010] Bluetooth: RFCOMM socket layer initialized
[    2.049352] Bluetooth: RFCOMM ver 1.11
[    2.053231] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    2.058738] Bluetooth: BNEP filters: protocol multicast
[    2.064140] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    2.070326]  p7
[    2.072004] Bluetooth: UCD (Unicast Connectionless Data) ver 0.1
[    2.078607]  p8
[    2.080280] input: Bluetooth UCD Input as /devices/virtual/input/input1
[    2.087408]  p9
[    2.089083] Bluetooth: SONY UCD Input ver 0.2
[    2.093924]  p10
[    2.095715] input: sony_ucd_remote as /devices/virtual/input/input2
[    2.102493]  p11
[    2.104301] PJ4 iWMMXt coprocessor enabled.
[    2.108856] VFP support v0.3: implementor 56 architecture 2 part 20 variant 9 rev 6
[    2.116838]  p12 p13 p14 >
[    2.124589]  mmcblk0boot1: unknown partition table
[    2.130663]  mmcblk0boot0: unknown partition table
[    2.151592] EXT4-fs (mmcblk0p9): mounted filesystem with ordered data mode. Opts: (null)
[    2.160055] VFS: Mounted root (ext4 filesystem) on device 179:9.
[    2.166308] Freeing init memory: 156K
[    2.170108] init_hash_flag=1
[    2.191043] Authentification OK
[    2.208503] mmc1: new high speed SDIO card at address 0001
[    2.257627] mmc2: Got command interrupt 0x00030000 even though no command operation was in progress.
[    2.385671] EXT4-fs (mmcblk0p11): mounted filesystem with ordered data mode. Opts: (null)
[    2.407014] [Galois][pe_agent_driver] pe_agent_driver_init OK
[    2.412956] [Galois][pe_driver] pe_driver_init OK
e2fsck 1.41.11 (14-Mar-2010)
/dev/block/mmcblk0p14: recovering journal
Clearing orphaned inode 96416 (uid=10002, gid=10002, mode=0100644, size=5944)
Clearing orphaned inode 96274 (uid=10002, gid=10002, mode=0100600, size=3026)
Superblock last mount time is in the future.
	(by less than a day, probably due to the hardware clock being incorrectly set)  Fix? yes

/dev/block/mmcblk0p14: clean, 1402/270912 files, 52833/1083648 blocks
e2fsck 1.41.11 (14-Mar-2010)
/dev/block/mmcblk0p12: recovering journal
Superblock last mount time is in the future.
	(by less than a day, probably due to the hardware clock being incorrectly set)  Fix? yes

/dev/block/mmcblk0p12: clean, 14/32704 files, 4202/130816 blocks
e2fsck 1.41.11 (14-Mar-2010)
/dev/block/mmcblk0p13: recovering journal
/dev/block/mmcblk0p13: clean, 164/65536 files, 11102/261888 blocks
e2fsck 1.41.11 (14-Mar-2010)
/dev/block/mmcblk0p6: recovering journal
Superblock last mount time (Fri Oct 15 07:00:01 2010,
	now = Fri Feb 13 23:31:35 2009) is in the future.
Fix? yes

/dev/block/mmcblk0p6: clean, 16/960 files, 1102/3840 blocks
[    5.483027] EXT4-fs (mmcblk0p14): mounted filesystem with ordered data mode. Opts: (null)
[    5.526864] EXT4-fs (mmcblk0p12): mounted filesystem with ordered data mode. Opts: (null)
[    5.571097] EXT4-fs (mmcblk0p13): mounted filesystem with ordered data mode. Opts: (null)
[    5.604015] Clear GiQuila INTR = 00000000
[    5.625811] gal3d 4.6.9 options:
[    5.629159]   irqLine           = 37
[    5.633187]   registerMemBase   = 0xF7BC0000
[    5.637934]   registerMemSize   = 0x00000800
[    5.642352]   contiguousSize    = 512
[    5.646157]   contiguousBase    = 0x00000000
[    5.650849]   bankSize          = 0x00000000
[    5.655562]   fastClear         = -1
[    5.659260]   compression       = -1
[    5.662956]   signal            = 48
[    5.667177]   baseAddress       = 0x00000000
[    5.671869]   physSize          = 0x00000000
[    5.676297]  logFileSize         = 0 KB 
Minimum date: 20[    5.732059] alarm_set_rtc: no RTC, time will be lost on reboot
10-10-14 09:00:00
Current date: 2009-02-14 00:31:35
Maximum date: 2030-10-09 09:00:00
Default date: 2010-10-15 09:00:00
Current time is less than minimum; setting to default.
 Drv Launch: Normal Mode!
[    5.821529] 87mlan: module license 'Marvell Proprietary' taints kernel.
[    5.828432] Disabling lock debugging due to kernel taint
[    7.021035] BT FW is active(6)
[    7.045868] BT FW is active(0)
[    7.049056] BT: FW already downloaded!
[    7.139318] WLAN FW already running! Skip FW download
[    7.144591] WLAN FW is active
[    7.234472] EXT4-fs (mmcblk0p5): mounted filesystem with ordered data mode. Opts: (null)
[    7.253575] fts: fts partition is on /dev/block/mmcblk0p8, 0xb00000 bytes
[    7.260657] fts: chunk: 0x4000
[    7.299918] fts: flash_ts_scan skiped 22 blocks
[    7.304633] fts: v566 loaded from 0x008d4000
[    7.326113] EXT4-fs (mmcblk0p6): mounted filesystem with ordered data mode. Opts: (null)
[    7.339850] ramzswap: module is from the staging directory, the quality is unknown, you have been warned.
[    7.353815] ramzswap: num_devices not specified. Using default: 1
[    7.368713] ramzswap: disk size not provided. You can use disksize_kb module param to specify size.
[    7.368724] Using default: (25% of RAM).
[    7.382521] ramzswap: /dev/ramzswap0 initialized: disksize_kb=160940
[    7.395587] Adding 160936k swap on /dev/block/ramzswap0.  Priority:1 extents:1 across:160936k SS
[    7.479390] EXT4-fs (mmcblk0p9): re-mounted. Opts: (null)
[   12.587594] init: sys_prop: unable to send getprop response
[   12.594400] init: sys_prop: unable to send getprop response
[   12.600347] init: sys_prop: unable to send getprop response
[   12.606257] init: sys_prop: unable to send getprop response
[   12.612224] init: sys_prop: unable to send getprop response
[   12.636913] init: cannot find '/system/bin/provision_key', disabling 'provision_key'
[   13.199339] warning: `adbd' uses 32-bit capabilities (legacy support in use)
[   13.420555] input: com.sony.rdis.Keyboard.common as /devices/virtual/input/input3
[   13.430655] input: com.sony.rdis.Mouse.common as /devices/virtual/input/input4
[   15.501916] memory_engine_release_by_taskid,962 memory note for pid(522) exceed 64
<<<<< CPU-1 OSAL Init
memory map size for cache:0x16400000, fd_cache:7, ret:0
memory map size for non-cache:0x00C00000, fd_noncache:5
MV_SHM_Init OK:
base_virtaddr_cache:0x2B1FA000, size:0x16400000
base_virtaddr_noncache:0x415FA000, size:0x00C00000
[   20.043966] GPIO irq init++ 1
[21306]SM: received all edid packets.
[21311]SM: begin to update edid
[21583]SM: edid return successfully!
[   32.014178] init: no such service 'hciattach'
[   32.086922] ADDRCONF(NETDEV_UP): eth0: link is not ready
[   33.603024] input: sony-remote as /devices/virtual/input/input5
SM CEC:Logical address:4,Physical address:4096
SMCEC2SM: got Appready packet from SoC CEC:
SMCEC2SM:  01  00  00  00  01  00  00  00  
SM CEC:pcBody[4]=0x1.
SMCEC2SM: sending launch req to SOC, msg_type=0xb, len=4
SMCEC2SM:  0b 00 00 00 
< HCI Command: ogf 0x3f, ocf 0x001d, plen 1
  00 
> HCI Event: 0x0e plen 4
  01 1D FC 00 
< HCI Command: ogf 0x03, ocf 0x0026, plen 2
  A0 00 
> HCI Event: 0x0e plen 4
  01 26 0C 00 
[   43.715930] input: anymote as /devices/virtual/input/input6
[   44.933966] fts: fts partition is on /dev/block/mmcblk0p8, 0xb00000 bytes
[   44.941159] fts: chunk: 0x4000
[   44.983458] fts: flash_ts_scan skiped 22 blocks
[   44.988284] fts: v566 loaded from 0x008d4000
[   44.994330] fts: write off=0x008d8000 size=0x200
[   45.004552] fts: record v567 commited @ 0x008d8000

BR
dietgert
Re: Sony NSZ-GS7 - serial connection ?
November 18, 2021 02:51AM
@rayknight:
Well, i found not much useful content on that site.
I remember, that my attempts to gain root-acccess (from that site) on this device were not succesful years ago:
Sony fixed this possibility with a Firmware-Update, which was already installed when i purchased the
used device.
However, when you can give me another / an actual hint or link i`ll try of course.
Without root-access at least this device is a lost cause.

BR
dietgert

rayknight Wrote:
-------------------------------------------------------
> There is a page for this device at
> https://www.exploitee.rs/index.php/Sony_NSZ-GS7_(Streamer).
> I did not see any details about serial access,
> but you should be able to gain root via the same
> hack as other GoogleTV devices.
>
> Ray



Edited 2 time(s). Last edit at 11/18/2021 04:57AM by dietgert.
meep
Re: Sony NSZ-GS7 - serial connection ?
April 11, 2022 10:54PM
It appears that there is a method to load a custom recovery (also performed by the same group), which apparently offers the possibility of booting an unsigned kernel. See the link and slides/presentation below, the last third of the video is where they detail the recovery exploit:

https://exploitee.rs/index.php/Installing_Custom_Recovery_(Gen_2_Only)
https://media.defcon.org/DEF%20CON%2021/DEF%20CON%2021%20presentations/DEF%20CON%2021%20-%20Etemadieh-Panel-Google-TV-Secure-Boot-Exploit-GTVHacker.pdf
https://www.youtube.com/watch?v=9gEooKg77Yw

They were able to load up their custom version of u-boot and then left it at that, though there is the potential of booting a custom kernel entirely as a result. It seems that most of the talk about this device is on the root and less on the recovery exploit.

(BTW, I stumbled across a NSZ-GS7 and this is why I'm currently looking at these options. Seems like a nice little box to play with if it can run custom code)
meep
Re: Sony NSZ-GS7 - serial connection ?
April 12, 2022 07:32PM
So a quick update on the above, since I spent some time playing with this today.

First of all, I hooked up to the serial connector and both RX and TX work (I can see the kernel messages but as stated by dietgert there is no interactive shell, I can just send an interrupt with control-c). It's also worth mentioning that if you don't have the suitable serial connector there are test points on the bottom on the board connected to the RX and TX traces you can solder leads to. Personally I found that easier than trying to procure a connector. The service manual with all that information can be found at https://www.manualslib.com/manual/2029443/Sony-Nsz-Gs7.html.

Unfortunately I was unable to test the recovery as it requires network adb access and I couldn't get to that point since I couldn't set the device up in the first place! Turns out the device is so old that I am unable to sign in with my current Google account (complains about an invalid login), and trying to create a new account also doesn't work (a problem occured communicating with Google servers). Likely Google APIs were updated or something. An account and internet connection is necessary to set up the box; there's no way to skip that like I can on some Android phones.

Looks like the NSZ-GS7 is going in the trash, just like all the devices out there that were abandoned by their manufacturers. Though if someone has adb access and the custom recovery works there may be a chance of getting Debian running on this device.
Re: Sony NSZ-GS7 - serial connection ?
April 12, 2022 08:55PM
meep,

> Unfortunately I was unable to test the recovery as
> it requires network adb access and I couldn't get
> to that point since I couldn't set the device up
> in the first place! Turns out the device is so old
> that I am unable to sign in with my current Google
> account (complains about an invalid login), and
> trying to create a new account also doesn't work
> (a problem occured communicating with Google
> servers). Likely Google APIs were updated or
> something.

Lately, Google has disabled login for "unsecure" app by default. Perhaps you have to turn that off in your new account (go to Settings page). They required "secure" app after May 31st, no exception, so 2FA must be used to log in.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
meep
Re: Sony NSZ-GS7 - serial connection ?
April 13, 2022 01:58PM
Thanks for your reply. During my tests I tried enabling insecure app access in the account, as well as turning 2FA on and off, and could not get the device to to recognise the account. It's worth noting that the account creation page actually asked me to enter PVQs like frequent flyer number/etc. (Google normally doesn't ask for that) instead of a phone number so it appears that the forms on the device are severely out of date. Also the terms of service and privacy policy agreements would not show up properly when their links were pressed.

Unless there's another way into the device (I tried looking at Honeycomb exploits but all required actual access to the device), I think I'm out of luck.
LX
Re: Sony NSZ-GS7 - serial connection ?
December 06, 2023 03:26AM
It's really a shame.
Sony abandoned this device almost instantly.
It least they could have opened it up.
I had the same experience with one of Sony's MP3 players.
Sony is a brand I avoid since then.
Author:

Your Email:


Subject:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.
Message: