Ultimate guide to bricking a Karotz

WARNING: DON’T TRY THIS AT HOME UNLESS YOU UNDERSTAND EXACTLY WHAT YOU ARE DOING.

SHUT UP AND SHOW ME INSTRUCTIONS HOW TO ROOT KAROTZ AND HOW TO BRICK IT.

After 8 or so months, I decided to write a separate post on how to root Karotz.

Just in case you need this (which is super unlikely I think), here's a more or less complete list of Karotz hardware.

USB communications

Communicates with a Swiss-army Python daemon.

Supported commands

Examples

ping
{"cmd":"ping"}
3
{
    "response": "OK"
}
start_syslogd
{"cmd":"start_syslogd"}
3
{
    "response": "OK"
}
stop_syslogd
{"cmd":"stop_syslogd"}
3
{
    "response": "OK"
}
get_syslogd
{"cmd":"get_syslogd"}
4
{
    "log": "Jan  1 01:16:32 karotz user.debug Multimedia[1587]: Multimedia: I have received a SIGCHLD. from mlayer\n
Jan  1 01:16:32 karotz user.debug Multimedia[1587]: multimedia_api_newStatus : 0\n
Jan  1 01:16:32 karotz user.debug Multimedia[1587]: multimedia_api_newStatus signal play finished\n
Jan  1 01:16:32 karotz user.debug Multimedia[1587]: sendSignal_playFinished. uid : \n
Jan  1 01:16:32 karotz user.debug Multimedia[1587]: sendSignal_playFinished. done\n", 
    "response": "OK"
}
set_pass. As I remember it sets Mindscape password
{"cmd":"set_pass", ???}
reboot
{"cmd":"reboot"}
3
{
    "response": "OK"
}
get_id
{"cmd":"get_id"}
4
{
    "id": "", 
    "response": "OK"
}
get_sys_version
{"cmd":"get_sys_version"}
4
{
    "response": "OK", 
    "version": "12.03.29.00"
}
get_rootfs_version
{"cmd":"get_rootfs_version"}
4
{
    "response": "OK", 
    "version": "12.03.29.00"
}
get_mac
{"cmd":"get_mac"}
4
{
    "mac": "00:0E:8E:2D:24:EC", 
    "response": "OK"
}
get_networks
{"cmd":"get_networks"}
13
{
    "networks": [
        {
            "Address": "00:1E:58:C0:DE:F1", 
            "Channel": 6, 
            "Detail": "CCMP/PSK", 
            "Encryption": "WPA2", 
            "Name": "eden", 
            "Quality": 52
        }
    ], 
    "response": "OK"
}
set_wifi
{"cmd":"set_wifi","encryption":"wpa","ssid":"eden","settings":
{"ssid":"\"eden\"","scan_ssid":1,"proto":"WPA","key_mgmt":"WPA-PSK","psk":"\"1234567890\""}}
set_ip
{"cmd":"set_ip","dhcp":true}
3
{
    "response": "OK"
}
{"cmd":"set_ip","ip":"192.168.0.103","netmask":"255.255.255.0","gateway":"192.168.0.1","nameserver":"8.8.8.8"}
3
{
    "response": "OK"
}
get_ip
{"cmd":"get_ip"}
4
{
    "ip": "192.168.0.103", 
    "response": "OK"
}
is_connected
{"cmd":"is_connected"}
3
{
    "response": "OK"
}
set_country
{"cmd":"set_country","code":"US"}
3
{
    "response": "OK"
}
get_iwlist
{"cmd":"get_iwlist"}
4
{
    "data": "wlan0     Scan completed :\n
          Cell 01 - Address: 00:1E:58:C0:DE:F1\n
                    ESSID:\"eden\"\n
                    Mode:Master\n
                    Channel:6\n
                    Frequency:2.437 GHz (Channel 6)\n
                    Quality=52/100  Signal level:-46 dBm  \n
                    Encryption key:on\n
                    IE: Unknown: 00046564656E\n
                    IE: Unknown: 010882848B0C12961824\n
                    IE: Unknown: 030106\n
                    IE: IEEE 802.11i/WPA2 Version 1\n
                        Group Cipher : CCMP\n
                        Pairwise Ciphers (1) : CCMP\n
                        Authentication Suites (1) : PSK\n
                    IE: Unknown: 2A0100\n
                    IE: Unknown: 32043048606C\n
                    IE: Unknown: DD0900037F01010020FF7F\n
                    IE: Unknown: DD050050F20500\n
                    IE: Unknown: \n
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s\n
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s\n
                              48 Mb/s; 54 Mb/s\n
                    Extra:tsf=00000001370c2181\n
                    Extra: Last beacon: 2685ms ago\n\n", 
    "response": "OK"
}
get_version
{"cmd":"get_version"}
4
{
    "response": "OK", 
    "version": 1.0
}
get_wifi_status
{"cmd":"get_wifi_status"}
4
{
    "response": "OK", 
    "status": "00:1E:58:C0:DE:F1"
}

Practical examples

Connect to WPA WiFi
{"cmd":"set_country","code":"US"}
{"cmd":"set_pass","pwd":"1234567890"}
{"cmd":"set_wifi","encryption":"wpa","ssid":"eden","settings":{"ssid":"\"eden\"","scan_ssid":1,"proto":"WPA","key_mgmt":"WPA-PSK","psk":"\"1234567890\""}}
{"cmd":"set_ip","dhcp":true}
Connect to WPA2 WiFi
{"cmd":"set_country","code":"US"}
{"cmd":"set_pass","pwd":"1234567890"}
{"cmd":"set_wifi","encryption":"wpa2","ssid":"eden","settings":{"ssid":"\"eden\"","scan_ssid":1,"psk":"\"1234567890\""}}
{"cmd":"set_ip","dhcp":true}

Karotz registration in Violet network

http://www.karotz.com/install?ulogin=&upsw=&kid= where kid can be obtained by sending the get_id command; the id is generated by this script:

os.popen("echo "+ __get_mac() +" 'AC353EFA-2B04-45BA-9BDA-FEEFA43BB640' | md5sum | cut -d' ' -f1")

I've found another way to register your Karotz in Violet network:

Useful files

Installer

Java installer: http://karotz.s3.amazonaws.com/installer/Karotz_setup.jar

Flash factory firmware: http://www.karotz.com/plug/flashage and https://s3.amazonaws.com/karotz/installer/key-factory.zip (it's the main proof Karotz can be rooted using USB flash)

Rootfs and yaffs

yaffs eabi yaffs rootfs

rootfs and yaffs latest versions

All of them are signed with an md5+pgp pair -- there's no way to replace them with a bricked one.

rootfs http://update.karotz.com/eabi/rootfs_version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

12.03.29.00
http://update.karotz.com/eabi/rootfs/rootfs-12.03.29.00.tar.gz 7669e685dac777fc2e194ea6f7ef5c09
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
yaffs http://update.karotz.com/eabi/yaffs_version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

12.03.29.00
12.03.29.00
http://update.karotz.com/eabi/yaffs/yaffs-12.03.29.00.tar.gz 1ff2d9e4455c0ae67bf51d616ce85540
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
yaffs http://update.karotz.com/yaffs_version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

11.04.01.01
11.03.11.03
http://update.karotz.com/yaffs/yaffs-11.04.01.01.tar.gz c380e79ed13923608c65cdffd235edc3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

Update syslog

{"cmd":"get_syslogd"}
4
{
   "log": "Jan  1 00:00:13 karotz syslog.info syslogd started: BusyBox v1.16.1
Jan  1 00:00:14 karotz user.info init: starting pid 1336, tty '': '/karotz/scripts/karotz_init.sh'
Jan  1 00:00:14 karotz user.info init: starting pid 1337, tty '': '/karotz/bin/power'
Jan  1 00:00:14 karotz user.info init: starting pid 1338, tty '': '/usr/scripts/miniusb_read.sh'
Jan  1 00:00:14 karotz user.notice root: [INIT] clean yaffs found
Jan  1 00:00:14 karotz user.notice root: [INIT] yaffs start
Jan  1 00:00:14 karotz user.notice root: [START] starting yaffs.
Jan  1 00:00:15 karotz user.notice root: [START] setting wifi country
Jan  1 00:00:16 karotz user.notice root: [START] loading wifi config
Jan  1 00:00:30 karotz user.notice root: [START] asking for ip
Jan  1 00:00:30 karotz user.notice root: udhcpc_script. deleting routers
Jan  1 00:00:30 karotz user.notice root: udhcpc_script. adding dns 192.168.0.1
Jan  1 00:00:31 karotz user.notice root: [START] network is ready to go
Jan  1 00:00:32 karotz user.notice root: [START] checking updates.
Jan  1 00:00:32 karotz user.notice root: [UPDATE] updating rootfs.
Jan  1 00:00:32 karotz user.notice root: [UPDATE] rootfs version: 11.03.12.00
Jan  1 00:00:32 karotz user.notice root: [UPDATE] could not load version.
Jan  1 00:00:32 karotz user.notice root: [UPDATE] updating yaffs.
Jan  1 00:00:33 karotz user.notice root: [UPDATE] sys version: 10.10.10.10.
Jan  1 00:00:33 karotz user.notice root: [UPDATE] rootfs version: 11.03.12.00.
Jan  1 00:00:34 karotz user.notice root: [UPDATE] downloading.
Jan  1 00:00:34 karotz user.notice root: Stopping yaffs
Jan  1 00:03:10 karotz user.notice root: [UPDATE] checking integrity.
Jan  1 00:03:26 karotz user.notice root: Stopping yaffs
Jan  1 00:03:26 karotz user.notice root: [UPDATE] cleanup_yaffs.
Jan  1 00:03:28 karotz user.notice 0: [UPDATE] extract.
Jan  1 00:04:17 karotz user.notice 0: [UPDATE] pre_install.
Jan  1 00:04:17 karotz user.notice 0: [UPDATE] extracting rootfs system from the yaffs package.
Jan  1 00:04:21 karotz user.notice 0: [UPDATE] installing EABI rootfs.
Jan  1 00:04:21 karotz user.notice 0: [ROOTFS INSTALL] flash erasing /dev/mtd1
Jan  1 00:04:21 karotz user.notice 0: [ROOTFS INSTALL] writing new zImage
Jan  1 00:04:21 karotz user.notice 0: [ROOTFS INSTALL] flash erasing /dev/mtd2
Jan  1 00:04:22 karotz user.notice 0: [ROOTFS INSTALL] writing new rootfs
Jan  1 00:04:24 karotz user.notice 0: [UPDATE] extract_sys.
",
   "response": "OK"
}

Applications

Download javascript application: http://apps.karotz.com/file/<uuid>/<version>/get

No auth required to download an application, for example: http://apps.karotz.com/file/fc587216-a572-4c16-85ee-be331de35e40/0.2.0/get

Software root

linuxrc and mounted zImage
# if there is a signed autorun in a usb key, let's run it
# the directory in which the autorun is located
GNUPGHOME=/karotz/etc/gpg
GPG="/bin/gpg -quiet --lock-never --ignore-time-conflict --homedir $GNUPGHOME"
if [ -x /mnt/usbkey/autorun -a -f /mnt/usbkey/autorun.sig ] ; then
   echo "Launching autorun if present"
	$GPG --verify /mnt/usbkey/autorun.sig 2>/dev/null && /mnt/usbkey/autorun
fi

gpg --verify accepts either a detached signature or a signed message, but it works quite differently in these two cases.

i.e.

gpg --verify <signature> checks both the signature and the file, which is how it is supposed to work on Karotz by default.

However, in the second case, when gpg --verify is given a signed message, it just verifies that the message itself is signed, and signed correctly; the autorun file is not checked at all.

So if we pass gpg a signed message from http://update.karotz.com/eabi/rootfs_version:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

11.04.01.01
11.03.11.03
http://update.karotz.com/yaffs/yaffs-11.04.01.01.tar.gz c380e79ed13923608c65cdffd235edc3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNlc5MAAoJEDV3C7tYF9eUr7EH/2DNqrcskaB+Ovuq0qmNA8z0
MqOaZaweh5LQWIJPbqgt+CW5tdS9TEN1cOPggQtLJlYyZxqLq0aDBBMdbk0DP0bz
CzFUIC3iHTCMcHYnS2l6FsdFbkgkqJIyeiqhpgygB1VmlY+7Mg6BoYUfta0td4Cj
c40szXn3GrizogxAfkzpctsaHzDk+fMoTBN77+xahmxlGLVvnc1GN5q8DxGnUxKd
29j/LImombqxXz2Igi48oxycfHtXv63BKdEuvXfif+J/EaYArCMcI/E9+gzQQUlT
xkifUQtgxvSYPNdkvrstwqMEgyZtFpKRK7yE+9LUp7rxszqjOTGFP++8p23hJlE=
=Rp/n
-----END PGP SIGNATURE-----

it will output:

gpg: Signature made Fri 01 Apr 2011 05:08:28 PM MSK using RSA key ID 5817D794
gpg: Good signature from "KarotzDevTeam "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C2A2 8CEE 04C3 4712 F371  6E58 3577 0BBB 5817 D794

with exit code 0, which is a successful result, hence we can bypass that validation.

Here are step-by-step instructions for getting root on Karotz:

  1. Get a signature at http://update.karotz.com/eabi/rootfs_version
  2. Upload this signature to usb-flash as autorun.sig file.
  3. Create an executable file "autorun" with shebang #!/bin/bash and copy it to the usb-flash.
  4. Insert the usb flash to Karotz's ass and reboot it.
  5. ...
  6. PROFIT.

As an example, you can enable the telnet daemon with the following autorun file:

#!/bin/bash

LED=/karotz/bin/led

if [ -f /etc/passwd.bak ]
then
  cp /etc/passwd.bak /etc/passwd
else
  cp /etc/passwd /etc/passwd.bak
fi

echo 'karotz::0:0:karotz:/usr/karotz:/bin/bash' >> '/etc/passwd'

[ -f /etc/init.d/telnet ] && . /etc/init.d/telnet start

Now you can telnet into your Karotz with user karotz.
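
The linuxrc check above names only autorun.sig, so any validly signed message satisfies it. As an added example (not code from the Karotz firmware or from the original post), here is a hardened form of that check: verify_detached is a hypothetical helper, GPG is an overridable command, and TRUSTED_FPR is assumed to be the primary key fingerprint from the gpg output shown above.

```shell
#!/bin/sh
# Added example (not Karotz code): hardened form of the linuxrc autorun check.
# Assumptions: GPG may be overridden by the caller; TRUSTED_FPR defaults to
# the primary key fingerprint printed in the gpg output on this page.
GPG=${GPG:-gpg}
TRUSTED_FPR=${TRUSTED_FPR:-C2A28CEE04C34712F3716E5835770BBB5817D794}

# Weak form from linuxrc: only the .sig file is named, so gpg decides from
# its content whether it is a detached signature or a signed message:
#   $GPG --verify /mnt/usbkey/autorun.sig 2>/dev/null && /mnt/usbkey/autorun

# verify_detached SIG DATA: succeed only if SIG is a detached signature
# over DATA made by the key TRUSTED_FPR.
verify_detached() {
    sig=$1
    data=$2
    [ -f "$sig" ] && [ -f "$data" ] || return 1

    # Refuse armored input that carries its own signed text (clearsigned or
    # inline-signed); a detached armored signature starts with
    # "-----BEGIN PGP SIGNATURE-----" instead.
    if grep -q -e '^-----BEGIN PGP SIGNED MESSAGE-----' \
               -e '^-----BEGIN PGP MESSAGE-----' "$sig"; then
        return 1
    fi

    # Name the data file explicitly so the signature is checked against it,
    # and collect machine-readable status lines on stdout.
    status=$($GPG --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1

    # The last field of VALIDSIG is the primary key fingerprint; require ours.
    printf '%s\n' "$status" |
        grep -q "^\[GNUPG:] VALIDSIG .* $TRUSTED_FPR\$"
}

# Usage in linuxrc would then be:
#   verify_detached /mnt/usbkey/autorun.sig /mnt/usbkey/autorun \
#       && /mnt/usbkey/autorun
```

The format check runs before gpg is called, so a clearsigned version file is refused regardless of who signed it.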

Hardware root

Unscrew the Karotz and find four pins at the right top corner -- serial connection.

Connect GND to GND, RX to TX, TX to RX and switch the Rabbit on.

************************************************************* 
*                                                           *
* Rabbit V3 - ( BIOS v1.16 )                                *
*                                                           *
*                                                           *
* PRAGMATEC/Point Core                                      *
 ************************************************************
FCLK=405MHz, HCLK=135MHz, PCLK=67MHz, CPU is running at 405MHz

Press ENTER to stop the autoboot
........................................Read chip id = adda
Nand flash status = e0
Set boot params = initrd=0x31800000,0x00500000 ...
Load Kernel...
Load Ramdisk...
Uncompressing Linux..............................
.................................................
.................................................
....................... done, booting the kernel.

Press Enter

Please select function : 
0 : Uart download file
1 : Write Nand flash with download file
2 : Load Pragram from Nand flash and run
3 : Erase Nand flash regions
4 : Test NAND flash
5 : Restore default partitions
6 : Set boot params

Now we can change boot parameters to get root console. Press 6.

Config parameters
[0] : bootpara is 0x00000001 (1)
[1] : cpuclk is 0x00000002 (2)
[2] : AUTORUN is 0x00000000 (0)
[3] : serial is 0x00000000 (0)
[4] : baudrate is 0x0001c200 (115200)
[5] : machine is 0x00000778 (1912)
[6] : runAddr is 0x30200000 (807403520)
[7] : rootfs is 0x00000000 (0)
[8] : tty is 0x00000004 (4)
[9] : initrdA is 0x31800000 (830472192)
[10] : initrdL is 0x00500000 (5242880)
[11] : memsize is 0x04000000 (67108864)
[12] : devfs is 0x00000000 (0)
[13] : ostore is 0x00000000 (0)
[14] : userpara is 0x00000000 (0)
[15] : Exit

Enter 14 and add console=ttySAC0,115200 init=/bin/sh as the user boot parameter. Now you can go back to the previous menu by entering 15 and then press 2 to run Karotz.

After this you can add an extra user with an empty password:

echo 'karotz::0:0:karotz:/usr/karotz:/bin/bash' >> '/etc/passwd'

and start the telnet daemon:

/etc/init.d/telnet start

That's it.

Some random notes

DBus

Karotz uses DBus to communicate with its Ears/Webcam/etc daemons.

We can introspect all available methods with the dbus-send command:

dbus-send --system --type=method_call --print-reply \
--dest=com.mindscape.karotz.Webcam /com/mindscape/karotz/Webcam \
org.freedesktop.DBus.Introspectable.Introspect

For example, to rotate Karotz's left ear:

dbus-send --system --type=method_call --print-reply \
--dest=com.mindscape.karotz.Ears /com/mindscape/karotz/Ears \
com.mindscape.karotz.KarotzInterface.move_left string:l int32:20 int32:10

Webcam

cat /dev/camera > stream.mpg

I'm afraid I don't know yet which codec it uses to encode video. The best result I got is:



--
em

PS. the story of this rooting can be found in FrF by #brickmykarotz tag

PPS. as a proof:

PPPS. Download rooting script.