玩客云root成功，2019年新方法

joc***

新方法，不是之前的smb poc方法，无需拆机

教程

准备：首先需要下载Charles或类似工具https://www.charlesproxy.com/，并且玩客云需要在同一局域网下且开启SMB访问
1.首先将手机的开启IP代理，代理地址为charles的提供的服务地址。比如我的默认是192.168.1.18 8888端口号

2.进入玩客云选择APP设置->Samba设置，然后开启Samba服务，将samba访问路径设置改为自定义路径，我的设置到\onecloud\mobilebackup目录下
这时候charles会抓取一条sysmgr?opt=setsmbscandir的请求 如图

这时候右键选择edit，将请求地址改成 \/media\/sda1\/onecloud\/mobilebackup\/..\/..\/..\/..\/etc 如图


这时候按下execute发送请求，正常操作下会rtn 0的结果


3.再次进入smb共享，这时候系统会把玩客云的etc目录挂载出来，其实到这里你就可以改你想要的操作了，不过为了防止迅雷检测到改动，我这里去init.d目录下新建了一个S90telnetd的文件（见附件）


然后编辑S90telnetd的两个root属性，改成linux下可执行属性，重启后就可以用telnet 1287端口访问玩客云了，不需要root密码


4.迅雷玩客云有远程检测机制，和挖矿机制（可能影响下载功能，自己判断是否需要屏蔽）
删除/thunder/bin下的start_app.sh文件内APP_MODULES的remote和upgrade模块，把/usr/sbin/upgrade改名就可以屏蔽迅雷检测和升级

joc***

1. / # fw_printenv
   
2. stat /dev/env OK
   
3. attemptboot=if test ${reboot_mode} = charging; then run try_auto_burn; fi;echo Attempting booting...;setenv bootcmd run storeboot; saveenv; run logodisplay; run switchbootonce; run switchrootfspartonce;run resetinitargs; run storeargs;save; if unifykey get usid; then  setenv bootargs ${bootargs} androidboot.serialno=${usid};fi;if unifykey get mac; then  setenv bootargs ${bootargs} mac=${mac};fi;imgread kernel ${bootpart} ${loadaddr};bootm;run bootrecovery
   
4. baudrate=115200
   
5. boardname=m8_board
   
6. bootargs=root=/dev/system rootfstype=ext4 init=/sbin/init console=ttyS0,115200n8 no_console_suspend ramoops.mem_address=0x04e00000 ramoops.mem_size=0x100000 ramoops.record_size=0x8000 ramoops.console_size=0x4000 cvbsdrv=0 vdaccfg=0xa000 logo=osd1,loaded,0x7900000,1080p,full hdmimode=1080p cvbsmode=576cvbs androidboot.firstboot=1 hdmitx=1080p
   
7. bootcmd=run storeboot
   
8. bootdelay=1
   
9. bootfile=boot.img
   
10. bootm_low=0x00000000
    
11. bootm_size=0x80000000
    
12. bootpart=kernel
    
13. bootpath=u-boot.bin
    
14. bootrecovery=run revertbootpart; run storeboot
    
15. bootsdargs=setenv bootargs root=/dev/mmcblk0p1 rw rootfstype=ext2 rootwait init=/sbin/init console=ttyS0,115200n8 no_console_suspend cvbsdrv=${cvbs_drv} vdaccfg=${vdac_config} logo=osd1,loaded,${fb_addr},${outputmode},full hdmimode=${hdmimode} cvbsmode=${cvbsmode} hdmitx=${hdmimode}
    
16. bootsdcard=echo Booting ...;run bootsdargs; mmcinfo;ext2load mmc 0 ${loadaddr} boot.img;bootm
    
17. bootsize=100000
    
18. bootstart=0
    
19. bootupdate=echo Updating...;run bootupdateargs; mmcinfo;fatload mmc 0 ${loadaddr} boot.img;bootm
    
20. bootupdateargs=setenv bootargs root=/dev/mmcblk0p1 rw rootfstype=vfat rootwait init=/sbin/init console=ttyS0,115200n8 no_console_suspend cvbsdrv=${cvbs_drv} vdaccfg=${vdac_config} logo=osd1,loaded,${fb_addr},${outputmode},full hdmimode=${hdmimode} cvbsmode=${cvbsmode} hdmitx=${hdmimode} firmware=rootfs.tar.gz
    
21. check_rebootmode=get_rebootmode; clear_rebootmode; echo reboot_mode=${reboot_mode};if test ${reboot_mode} = factory_reset; then defenv; fi;
    
22. checkbootpart=if test ${second_image_load} = off; then setenv bootpart boot;else if test ${second_image_load} = on; then setenv bootpart kernel; fi;fi;
    
23. checkrootfspart=if test ${second_rootfs_load} = off; then setenv rootfs_part system;else if test ${second_rootfs_load} = on; then setenv rootfs_part backup; fi;fi;
    
24. chipname=8726m8
    
25. console=ttyS0,115200n8
    
26. cvbs_drv=0
    
27. cvbsmode=576cvbs
    
28. display_bpp=16
    
29. display_color_bg=0
    
30. display_color_fg=0xffff
    
31. display_color_format_index=16
    
32. display_height=1080
    
33. display_layer=osd2
    
34. display_width=1920
    
35. do_preloaddtb=if test ${second_image_load} = on; then imgread dtb kernel ${loadaddr}; else imgread dtb boot ${loadaddr}; fi;
    
36. enable_halt=0
    
37. ethact=Meson_Ethernet
    
38. ethaddr=00:15:18:01:81:31
    
39. fb_addr=0x7900000
    
40. fb_height=1080
    
41. fb_width=1920
    
42. firstboot=1
    
43. gatewayip=10.18.9.1
    
44. get_dt=checkhw
    
45. hdmimode=1080p
    
46. hostname=arm_m8
    
47. identifyWaitTime=750
    
48. initargs=root=/dev/system rootfstype=ext4 init=/sbin/init console=ttyS0,115200n8 no_console_suspend ramoops.mem_address=0x04e00000 ramoops.mem_size=0x100000 ramoops.record_size=0x8000 ramoops.console_size=0x4000
    
49. initrd_high=60000000
    
50. ipaddr=10.18.9.97
    
51. led_factory=green
    
52. loadaddr=0x12000000
    
53. loadaddr_logo=0x13000000
    
54. logodisplay=store read logo ${loadaddr_logo} 0 0x400000;bmp display ${loadaddr_logo}; bmp scale;
    
55. netmask=255.255.255.0
    
56. normalsize=400000
    
57. normalstart=1000000
    
58. outputmode=1080p
    
59. p0path=uImage
    
60. p0size=400000
    
61. p0start=1000000
    
62. p1path=android.rootfs
    
63. p1size=8000000
    
64. p1start=1400000
    
65. partnum=2
    
66. preboot=run test_facreset;if itest ${upgrade_step} == 3; then run prepare; run storeargs; run update; fi; if itest ${upgrade_step} == 1; then  defenv_reserve_env; setenv upgrade_step 2; saveenv;fi; run check_rebootmode;run prepare;run storeargs;run update_ir; run switch_bootmode
    
67. preloaddtb=run do_preloaddtb
    
68. prepare=logo size ${outputmode}; video open; video clear; video dev open ${outputmode};imgread pic logo bootup ${loadaddr_logo}; bmp display ${bootup_offset}; bmp scale;
    
69. reboot_mode=charging
    
70. recovery=echo enter recovery;setenv bootargs ${bootargs};wipeisb;if mmcinfo; then if fatload mmc 0 ${loadaddr} recovery.img; then bootm;fi;fi; if usb start 0; then if fatload usb 0 ${loadaddr} recovery.img; then bootm; fi;fi;if imgread kernel recovery ${loadaddr}; then bootm; else echo no recovery in flash; fi;
    
71. resetinitargs=setenv initargs root=/dev/${rootfs_part} rootfstype=ext4 init=/sbin/init console=ttyS0,115200n8 no_console_suspend ramoops.mem_address=0x04e00000 ramoops.mem_size=0x100000 ramoops.record_size=0x8000 ramoops.console_size=0x4000
    
72. revertbootpart=if test ${second_image_load} = off; then setenv second_image_load on; else if test ${second_image_load} = on;then setenv second_image_load off; fi; fi; saveenv
    
73. rootfs_part=system
    
74. sdc_burning=sdc_burn ${sdcburncfg}
    
75. sdcburncfg=aml_sdc_burn.ini
    
76. second_image_load=on
    
77. second_rootfs_load=off
    
78. serverip=10.18.9.113
    
79. stderr=serial
    
80. stdin=serial
    
81. stdout=serial
    
82. stop_dcdn=0
    
83. store=2
    
84. storeargs=setenv bootargs ${initargs} cvbsdrv=${cvbs_drv} vdaccfg=${vdac_config} logo=osd1,loaded,${fb_addr},${outputmode},full hdmimode=${hdmimode} cvbsmode=${cvbsmode} androidboot.firstboot=${firstboot} hdmitx=${hdmimode}
    
85. storeboot=if test ${reboot_mode} = charging; then run try_auto_burn; fi;echo Booting...; run logodisplay; run checkbootpart; run checkrootfspart; run resetinitargs; run storeargs;save; if unifykey get usid; then  setenv bootargs ${bootargs} androidboot.serialno=${usid};fi;if unifykey get mac; then  setenv bootargs ${bootargs} mac=${mac};fi;imgread kernel ${bootpart} ${loadaddr};bootm;run bootrecovery
    
86. switch_bootmode=if test ${reboot_mode} = factory_reset; then run recovery;else if test ${reboot_mode} = update; then run update;else if test ${reboot_mode} = usb_burning; then run usb_burning;else if test ${wipe_data} = failed; then echo wipe_data=${wipe_data}; run recovery;else   fi;fi;fi;fi
    
87. switchbootonce=if test ${second_image_load} = off; then setenv bootpart kernel;else if test ${second_image_load} = on; then setenv bootpart boot; fi;fi;
    
88. switchrootfspartonce=if test ${second_rootfs_load} = off; then setenv rootfs_part backup;else if test ${second_rootfs_load} = on; then setenv rootfs_part system;fi;fi;
    
89. test_facreset=if test ${wipe_data} = failed; then echo -wipe_data=${wipe_data}; run prepare; run storeargs; run recovery;fi; if test ${wipe_cache} = failed; then echo -wipe_cache=${wipe_cache}; run prepare; run storeargs; run recovery;fi;
    
90. testaddr=0x12400000
    
91. try_auto_burn=update 700 750;
    
92. update=run usb_burning; if mmcinfo; then if fatexist mmc 0 ${sdcburncfg}; then run sdc_burning; else if fatload mmc 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;run recovery;fi;else run recovery;fi;
    
93. update_ir=if irdetect; then run update; fi
    
94. upgrade_step=2
    
95. usb_burning=update 1000
    
96. vdac_config=0xa000
    
97. video_dev=tvout
    
98. wipe_cache=success
    
99. wipe_data=success
    
100. xl_kernel_ver=V1.0.427
     
101. xl_rootfs_version=V1.0.427
     
102. xl_softmode=usermode
     
103. xl_system_ver=V1.0.427
     
104. xl_test_flag=false
     
105. xl_uboot_version=V1.0.2

复制代码

uboot

1. df -h
   
2. Filesystem                Size      Used Available Use% Mounted on
   
3. /dev/system             506.3M    351.3M    125.3M  74% /
   
4. devtmpfs                314.5M         0    314.5M   0% /dev
   
5. tmpfs                   424.6M         0    424.6M   0% /dev/shm
   
6. tmpfs                   424.6M    680.0K    424.0M   0% /tmp
   
7. tmpfs                   424.6M     56.0K    424.6M   0% /run
   
8. /dev/misc                30.9M     92.0K     28.6M   0% /misc
   
9. /dev/cache              487.9M     51.4M    400.7M  11% /var/cache
   
10. /dev/app1               239.9M    104.5M    118.6M  47% /tmp/app_mnt
    
11. /dev/app1               239.9M    104.5M    118.6M  47% /thunder
    
12. /dev/sda1                57.8G     88.0M     57.7G   0% /media/sda1
    
13. tmpfs                   424.6M    680.0K    424.0M   0% /var/lib/samba/private/msg.sock

复制代码

emmc分区信息

1. [    6.645205] add_emmc_partition
   
2. [    6.645422] [mmcblk1p01]           bootloader  offset 0x000000000000, size 0x000000400000
   
3. [    6.645621] [mmcblk1p02]             reserved  offset 0x000002400000, size 0x000004000000
   
4. [    6.645820] [mmcblk1p03]                cache  offset 0x000006c00000, size 0x000020000000
   
5. [    6.646032] [mmcblk1p04]                  env  offset 0x000027400000, size 0x000000800000
   
6. [    6.646228] [mmcblk1p05]                 logo  offset 0x000028400000, size 0x000002000000
   
7. [    6.646434] [mmcblk1p06]             recovery  offset 0x00002ac00000, size 0x000002000000
   
8. [    6.646631] [mmcblk1p07]                 misc  offset 0x00002d400000, size 0x000002000000
   
9. [    6.646836] [mmcblk1p08]            instaboot  offset 0x00002fc00000, size 0x000020000000
   
10. [    6.647032] [mmcblk1p09]               kernel  offset 0x000050400000, size 0x000002000000
    
11. [    6.647227] [mmcblk1p10]                 boot  offset 0x000052c00000, size 0x000002000000
    
12. [    6.647433] [mmcblk1p11]               system  offset 0x000055400000, size 0x000040000000
    
13. [    6.647632] [mmcblk1p12]               backup  offset 0x000095c00000, size 0x000040000000
    
14. [    6.647838] [mmcblk1p13]                 app0  offset 0x0000d6400000, size 0x000010000000
    
15. [    6.648036] [mmcblk1p14]                 app1  offset 0x0000e6c00000, size 0x000010000000
    
16. [    6.648231] [mmcblk1p15]                 data  offset 0x0000f7400000, size 0x0000dac00000
    

复制代码

怪蜀黍***

教程呢      

qfn***

好 母鸡不值钱了 折腾一下吧
楼主来教程吧

new***

root后，能干些啥？

ph***

支持，不知道能不能刷armbian

joc***

libreelec

a4040***

不错赞一个

c20***

就是配置有点低

BBB家***

之后可以干嘛？

Jre***

关注， S805这个可以刷armbian？

桅***

支持一下，留个名，等发教程

joc***

Jrenle 发表于 2019-1-12 02:15
关注， S805这个可以刷armbian？

都可以，就是个s805的板子

tuai***

s805能刷哪些？我有个s805的盒子

忘崽***

插眼 紫薯布丁