Get a shell

From OpenEZX

Here is how to get a shell on the phone, using a Linux host computer. This process gets you under the hood where you can mess up your phone sufficiently that it won't boot any longer. For E680 users, as long as you don't mess up the bootloader, you can restore the phone to a working state with Motorola's PST software and a copy of the firmware. No links will be provided here since it's illegal and leaked. We don't know of any A780 firmware in the wild (but on motorolafans.com, one is listed - it is completely unverified though).

If you aren't careful, you can mess up your phone to the point that it will take a skilled person to restore an E680, and an A780 might have to be sent for factory service.

This howto is mainly intended for Linux or Mac OS X and a specific phones. For further howto's and questions check motorolafans.com.

By default, the A780 would set its IP address to 192.168.1.2. This won't work if your system already has a network configured that would include 192.168.1.2. Since this is a network commonly used for DHCP, that could be a problem.

Therefore in the LinLoader approach below, we will put the phone's IP address to 169.254.1.2 here, and the host's IP address to 169.254.1.1. You can replace that numbers by any IP address from the following ranges: 192.168.1.* or 169.254.*.* (where the phone and the host must have different IP addresses but from the same subnet). You cannot easily use totally different IP addresses. This requires you to enable these in /etc/hosts.allow on the phone.

Contents 1 Preparing the host 1.1 Mac OS X 1.2 Linux 2 Change Modem Mode 3 Configuring the USB Network device 3.1 Windows 4 Using LinLoader 5 Notes 5.1 Firewall 5.2 mtu 900 5.3 DHCP 5.4 Services 5.5 Switching to usblan mode 5.6 Issues 5.7 Phones without telnet enabled 5.8 Creating a backup 6 LICENSE NOTE

Preparing the host

Mac OS X

On a MAC OS X host, you need the AJZaurusUSB network driver. Get it at AJZaurusUSB. To work with the A780, install the driver. Just before restarting, edit the tile /System/Library/Extensions/AJZaurusUSB.kext/Contents/Info.plist and add just under

<key>IOKitPersonalities</key>
<dict>

this text:

<key>Motorola A780</key>
<dict>
  <key>CFBundleIdentifier</key>
  <string>org.lucidcake.driver.AJZaurusUSB</string>
  <key>IOClass</key>
  <string>org_lucidcake_driver_AJZaurusUSB</string>
  <key>IOProviderClass</key>
  <string>IOUSBDevice</string>
  <key>idProduct</key>
  <integer>24588</integer>
  <key>idVendor</key>
  <integer>8888</integer>
</dict>

After reboot, when connecting the phone, a device /dev/tty.usbmodem3B11 should appear (and disappear when you switch the phone to usblan mode, see below). Once the phone is in usblan mode it will identify as something like en3. In the Network control panel, set this to be configured manually and set the ip address to 192.168.1.1 (or whatever is appropriate for your setup).

This is known to work when #Using LinLoader.

Motorola Ming/A1200 information:

There are more steps you may need to take, see an article on motorolafans.com called "MacOS X A1200 46p working with telnet & samba, FINALLY !" You will need to replace your Info.plist with the following contents, first:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>AJZaurusUSB</string>
<key>CFBundleGetInfoString</key>
<string>MacOS X 10.4 USB driver for Linux PDAs</string>
<key>CFBundleIdentifier</key>
<string>org.lucidcake.driver.AJZaurusUSB</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>AJZaurusUSB</string>
<key>CFBundlePackageType</key>
<string>KEXT</string>
<key>CFBundleShortVersionString</key>
<string>0.3.2</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>0.3.2</string>
<key>IOKitPersonalities</key>
<dict>
<key>Motorola Ming</key>
<dict>
<key>CFBundleIdentifier</key>
<string>org.lucidcake.driver.AJZaurusUSB</string>
<key>IOClass</key>
<string>org_lucidcake_driver_AJZaurusUSB</string>
<key>IOProviderClass</key>
<string>IOUSBDevice</string>
<key>idProduct</key>
<integer>24615</integer>
<key>idVendor</key>
<integer>8888</integer>
</dict>
</dict>
<key>OSBundleLibraries</key>
<dict>
<key>com.apple.iokit.IONetworkingFamily</key>
<string>1.5.0</string>
<key>com.apple.iokit.IOUSBFamily</key>
<string>2.5.6</string>
<key>com.apple.kpi.bsd</key>
<string>8.8.0</string>
<key>com.apple.kpi.iokit</key>
<string>8.8.0</string>
<key>com.apple.kpi.libkern</key>
<string>8.8.0</string>
<key>com.apple.kpi.mach</key>
<string>8.8.0</string>
<key>com.apple.kpi.unsupported</key>
<string>8.8.0</string>
</dict>
<key>OSBundleLibrariesDisabled</key>
<dict/>
<key>OSBundleRequired</key>
<string>Network-Root</string>
</dict>
</plist>

Linux

On your Linux host, load the USB ATM (modem) and USB network drivers:

modprobe usbnet
modprobe cdc-acm

Depending on your host configuration, you will need to modprobe zaurus (CONFIG_USBNET_ZAURUS):

modprobe zaurus

Go into the setup application and configure the USB mode to be modem.

Plug the phone and the host together with a USB cable. On the console you should see:

cdc_acm 4-2:1.0: ttyACM0: USB ACM device

You can play back the console messages with the dmesg command. If you look in /proc/bus/usb/devices, you will find a device with a manufacturer ID of Motorola and a product ID of Motorola USB Modem.

Change Modem Mode

In A68 you can simply change the modem type by visiting the Settings applet on the phone and changing USBNET to On. The phone will display the IP number assigned, so far I only saw 192.168.1.1.

Using the shell

echo "AT+mode=99" > /dev/ttyACM0

For the Rokr E2, the A910 and the Rokr E6:

echo "AT+mode=13" > /dev/ttyACM0

Using Minicom

Install minicom if it's not installed. On Debian, I used:

apt-get install minicom

Start minicom. Type Control-A and then o to get the setup screen. Set the serial port to /dev/ttyACM0. Also have a look at the serial settings, I needed to adjust them to 38400 8N1 (I am normally using 9600 8N1, which the A780 did not like). Save that as the default. Exit out of minicom with Control-A x and start it again.

At this point you can type Hayes modem commands to the phone. This is useful for GPRS, etc., but that's another tutorial.

Type AT+mode=99 followed by carriage return. The phone goes out of modem mode at this point, so you won't get an "OK". (If +mode=99 does not work, try +mode=13. That seems to do the trick on a1200 here).

Exit minicom.

These tricks don't work on some of the A780 models (according to Harald Welte the German models), since "+mode=99" was disabled. So you have to use linloader and switch usbd using the /proc file. See below.

Configuring the USB Network device

When you gave that "mode" command, the phone caused the host to re-enumerate its USB device - which looks like unplugging it and plugging it in again, but you didn't touch the cable. Now, the USB device has changed its flavor! The console should say something like:

usb 4-2: USB disconnect, address 8
usb 4-2: new full speed USB device using uhci_hcd and address 9
usb0: register usbnet at usb-0000:00:10.2-2, pseudo-MDLM (BLAN) device, 8e:36:06:d5:16:9d

And now /proc/bus/usb/devices should contain a device with manufacturer ID of Motorola and product id of Motorola USBLAN.

Configure the network interface with

ifconfig usb0 192.168.1.1 netmask 255.255.255.0 mtu 900

Note that on some devices, such as the ROKR2-Z8, the handset IP net is 192.168.16.XXX

and log in to your phone as "root" (no password is set, simply press return):

telnet 192.168.1.2

once you're logged in, you should adjust the mtu on the phone side, too:

ifconfig usbl0 mtu 900

Windows

A free driver is available for Windows XP users on the motorolafans.com forum. For A780 users, you will need to hack the .inf file as described in that thread.

Windows 2k users have no other choice but to use the Belcarra demo driver (while the link is still good) which was neither intended nor licensed for public consumption. Alternately, you can install Linux :). For A780 users, the .inf file for the Belcarra driver will have to be hacked as well. To hack the .inf, you will have to go through each section where there are entries for other devices and duplicate them with the Vendor ID / Product ID string of VID_22b8&PID_600c.

TODO: Post torrent for Belcarra driver & more newbie-friendly instructions for the .inf mods

You will also need to setup the Windows network adapter. However, this cannot be done until after you have gotten your phone into USBLAN mode (the following sections). Once you do, however, you will have a new "network connection", in Control Panel/Network & Dial-up Connections, Probably called "Local Area Network x" where x is the highest number. Configure that, set the IP address you want to use on your PC for the connection (it must be the same subnet that the phone is going to be on).

Using LinLoader

First get the LinLoader script from here. Unzip and copy the following files to the ".system/QTDownLoad/loader" directory on your TransFlash (or SD/MMC) card (you will need to create the "loader" subdirectory):

• lin_loader
• loader.png
• loader-sm.png

Then edit ".system/java/PlugCardDB" (also on your TransFlash or SD/MMC card) and add the following:

 [AppLinkRecord100000101]
 AllPosition = 200
 BigIcon = loader.png
 Directory = loader
 Exec = lin_loader
 Group = 3
 Icon = loader-sm.png
 InstalledDate = 2005/11/29
 JavaId = -1
 Mime =
 MpkgFile =
 Name = LinLoader
 OsVersion =
 Position = 1
 Rotation =
 Shared = 0
 Size = 24K
 Type = 4
 uid = 100000101

The "AppLinkRecord100000101" and "uid = 100000101" should have an identical number, and shouldn't collide with any other application. Also "Directory" and "Type" should be the following for the 680 series:

 Directory = ../../../../mmc/mmca1/.system/QTDownLoad/loader
 Type = 2

A1200 and E6 needs different setup. This should go into CardRegistry file (i.e. .system/Java/CardRegistry):

 [863f87db-7e13-c673-a56b-aeec28347561]
 AniIcon =
 AppID = {863f87db-7e13-c673-a56b-aeec28347561}
 Args =
 Attribute = 2
 BigIcon = loader.png
 Daemon = 0
 Directory = /mmc/mmca1/.system/QTDownLoad/loader
 Eraseable = 1
 Exec = lin_loader
 FixedAllPosition = 0
 FixedPosition = 0
 GroupID = ezx
 Icon = loader-sm.png
 InstalledDate = 2006/4/24
 JavaId = -1
 MassStorageStatus = 0
 MpkgFile =
 Name = LinLoader
 OsVersion = 1.0
 Shared = 1
 Size = 24K
 Type = 2
 UserID = ezx
 Visible = 1

Now reboot your phone. You should now have a new application (called LinLoader) on the A780.

Now place the following script called usblan.lin on your TransFlash (or SD/MMC) card:

 #!/bin/bash
 echo MotNet > /proc/usbd-switch
 ifconfig usbl0 up 169.254.1.2 netmask 255.255.255.0 mtu 900

This will switch you from modem mode to usblan mode, switch the phone's IP address to 169.254.1.2 and put the phone's mtu to 900.

If you dont like the 169.254.x.x address, you can use an address in the 192.168.1.x range. Do not change anything but the x! Only

169.254.x.x and 192.168.1.x are in /etc/hosts.allow on the A780 (dont know about the rest).

Now set your phone in modem mode and run the script with LinLoader (long press and choose "open with").

Load the modules "usbnet" and "zaurus" in Linux. Linux should now see a Motorola USBLAN device (Vendor ID: 22b8, Product ID: 600c here).

Configure the host's network interface with

ifconfig usb0 169.254.1.1 netmask 255.255.255.0 mtu 900

and log in to your phone as "root" (no password is set, simply press return):

telnet 169.254.1.2

or (this happens on my European e680i, address 169... from usblan.lin is ignored):

telnet 192.168.1.2

A detailed page in German language on how to get a shell via USBLAN: http://permalink.de/tino/mc-a780-shell

Notes

Firewall

By default, your firewall may forbid telnet connections to your phone. Easiest way to fix that would be to disable it temporary using following command (as root):

service iptables stop

mtu 900

If you experience strange behavior (smb hangs when listing directories, telnet crashes on long output), set the mtu to 900, as seen above.

DHCP

Someone wrote that the device actually sends a DHCP query before it settles on 192.168.1.2 as the default address. I have so far not been able to confirm this.

Services

There is a samba server running on the phone. smbclient -L only shows the share home (= /diska), but theres also the hidden share system (= /). This is quite practical for sending and receiving files, as putting the phone in "USB mass storage mode" also disables bluetooth.

The command line will be somewhat more useful once you install busybox.

At least the ROKR E2 has NFS support in the kernel. An NFS export on the host can be mounted with the "noloop" option.

Switching to usblan mode

There is a small utility that allows you to do this that can be installed with no extra configuration on some A780 phones (i.e no LinLoader)

You can download it from the motorolafans download page http://www.motorolafans.com/forums/local_links.php?catid=25

Issues

There seem to be certain A780's where the modem mode trick doesn't work on, more info on this follows.

• LinLoader works, so if AT+mode=99 returns an error, dont bother and use the second part of the tutorial -- Kosta

Phones without telnet enabled

Some phones doesn't have telnet enabled by default. To work around this issue:

• Get nc ([1] netcat) compiled to the target phone;
• Put the executable in the CF card;
• Create a file named nc.lin with:

#!/bin/sh
/mmc/mmca1/tools/nc -l -n -e /bin/sh -s 192.168.1.2 -p 8888 -v >$0.out 2>$0.err

• And run it on the phone with linloader

This will run nc on the phone, programmed to spawn an ash shell.

Please note that /mmc/mmca1/nc should point to the path where the executable is on the phone. In the example, I've stored nc inside the a folder "tools" in the memory card ("/mmc/mmca1" is the root of the mounted card). The redirections (> and 2>) create files with the contents of stderr and stdout, and can be opened with the phone text editor for debug.

• After running the script on the phone (opening the file with linloader), connect to the phone:

nc 192.168.1.2 8888

If you like the shell prompt ($, #, etc), run the shell in interactive mode:

/bin/ash -i

(sh is a link to the ash shell)

You should login as user ezx. If you need to be root, you should edit the linloader file, find this two lines:

GroupID = ezx
UserID = ezx

and change ezx to root.

Creating a backup

• This section is a duplicate of Backups although it has better netcat information as well as some tar goodies (except that the tar code below appears to miss /.backup).

Before tinkering with a system, one of the first steps is usually to create a full backup. For the A780, this can be done with minor changes as soon as a shell login is possible. When using NFS mounts or netcat to tar the whole file system over the (USB) network, there is a small catch: the default MTU of 1500 bytes doesn't seem to work over the usbnet connection. The symptoms are that e.g. a directory listing over a NFS-mounted directory works, but that creating a file doesn't, or that netcat can connect, but that no data at all comes across. Setting a lower MTU at both sides of the connection (I used 900 as an overly conservative value that worked flawlessly, but it will most probably also work with higher values) solves the problem and allows to easily create a full backup.

That's the reason why you should add mtu 900 to the ifconfig commands above, and should adjust the mtu on the phone if using the modem hack.

Then I used netcat for the actual backup, you can get the utils.zip at pre-compiled at http://pashkovsky.com/e680/.

Now copy the utils.zip to the phone (e.g. with Bluetooth OBEX push), and extract it under /diska. Executing /diska/profile.txt allows to use some additional tools like netcat. For a backup, execute e.g.

nc -p2030 -l | bzip2 -9 > full-backup-a780.tar.bz2

on the host machine and

cd /; tar --preserve --same-owner --atime-preserve --exclude ram/proc --exclude mmc/mmca1 -cv * | nc 192.168.1.1 2030

on the phone. Then repeat something similar for the TransFlash (or SD/MMC) card (if available).

Attention: This is not a full backup of the firmware, it only contains the files that are directly visible from Linux. It will not allow to re-flash the phone using standard flash tools.

LICENSE NOTE

The default license for this site is GNU FDL. In order that this page be indisputably Free Software, we waive or interpret some provisions of the GNU FDL for this page:

There are no invariant sections connected with this page.

The sentence "You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute." is sufficiently vague that it could be used to prevent the use of login security and file permissions, a common feature of the GNU system, which is not our intent. What we desire is that once this page is presented to or otherwise made available to someone, there must be no technical restriction mechanism that is intended to keep that person from further copying that page or creating a modified copy.