Old 05-27-2022, 10:12 AM   #36
QuixoteDon
Junior Member
 
Posts: 1
Karma: 91570
Join Date: May 2022
Device: none
Motivated user here. I freed a Cervantes 4 a few weeks ago.

Registering the device with the now defunct online service would just have created one of these flag files, depending on the model:
/mnt/private/hackers_ok
/mnt/private/hackers_e60q22_ok
Installing hackers firmware checks if the file exists.

1. Open the device by sliding a guitar pick around it. The screen sticks with some adhesive to the top half of the case. Be careful not to break your screen.
2. There are at least 3 groups of the four pads that look like serial ports. The boot console is the one at the top.
It uses TTL, so you'll need a level shifter. I used a BusPirate to connect.
3. Send ESC early at boot to enter the U-Boot console.
4. Add the kernel parameter 'init=/bin/bash' and boot. This will bypass most of the startup and go straight to a root shell.
5. Use sed to clear the root password from /etc/passwd (or /etc/shadow, I don't remember), reboot.
6. Login as root.
7. touch /mnt/private/hackers_ok /mnt/private/hackers_e60q22_ok
8. Clean the adhesive residue (not the strip, the other side) with alcohol, reassemble the device.
9. Now you can flash the hackers firmware as if your device was registered.

These instructions are from memory, so details like the pinout of the serial port, sed usage and how to set U-Boot environment variables are left as an exercise to the reader.
It might be possible to skip 5 and 6 and create the flag files from the recovery shell if /mnt/private is available or can be mounted from there. I did not try that.

It might be possible to get the flag files written without opening the device. The original firmware is pretty old, I would be surprised if there is no vulnerability in it that allows that.
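The post leaves the sed usage in step 5 as an exercise. The script below is an added example (not the poster's own commands) that performs steps 5 and 7 against a scratch copy of the filesystem, so the commands can be rehearsed on a workstation before being typed into the root shell on the device. The paths /etc/shadow, /etc/passwd and /mnt/private, the two flag file names, and the assumption that the installer merely tests for the files' existence are all taken from the post; the sample shadow line is constructed and contains no real hash.

```shell
#!/bin/sh
# Added example, not part of the original post. Rehearses steps 5 and 7
# of the procedure on a scratch directory instead of the live rootfs.
# Every path under "$root" is an assumption taken from the post; the
# real device layout may differ.

# Step 5: blank the root password field. The same expression works on
# /etc/passwd and /etc/shadow, since both keep the password (or hash)
# in field 2. A temp file is used instead of "sed -i" so this runs on
# BusyBox sed as well as GNU sed.
clear_root_password() {
    file="$1"
    sed 's/^root:[^:]*:/root::/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 7: create both flag files so either model variant is covered.
create_flag_files() {
    private="$1"
    mkdir -p "$private"
    touch "$private/hackers_ok" "$private/hackers_e60q22_ok"
}

# The check the hackers firmware installer is said to make: at least one
# flag file must exist. Returns 0 (true) when the device looks registered.
device_registered() {
    private="$1"
    [ -f "$private/hackers_ok" ] || [ -f "$private/hackers_e60q22_ok" ]
}

# Returns the root line of a passwd/shadow-style file, for inspection.
root_entry() {
    grep '^root:' "$1"
}

# Demo on a constructed scratch root; the hash below is a placeholder.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf '%s\n' 'root:$6$saltsalt$NOTAREALHASH:19000:0:99999:7:::' \
                  'bin:*:19000:0:99999:7:::' > "$root/etc/shadow"

    echo "before: $(root_entry "$root/etc/shadow")"
    clear_root_password "$root/etc/shadow"
    echo "after:  $(root_entry "$root/etc/shadow")"

    if device_registered "$root/mnt/private"; then
        echo "unexpected: a flag file is already present"
    fi
    create_flag_files "$root/mnt/private"
    if device_registered "$root/mnt/private"; then
        echo "flag files present: the installer check would pass"
    fi
    rm -rf "$root"
}

demo
```

On the device itself the functions would be called with the real paths (`clear_root_password /etc/shadow`, `create_flag_files /mnt/private`), after confirming with `mount` that the filesystem holding /mnt/private is mounted read-write, which matters when trying the recovery-shell shortcut the post mentions. For step 4, the generic U-Boot commands are `printenv` to see the current boot arguments, `setenv` to append `init=/bin/bash` to them, and `boot`; the exact variable names used by the Cervantes 4 boot scripts are not given in the post and must be read off the console.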