Redmi小爱音箱Play的登录密码（已破案）

Augustus

趁着618半价活动，39.5块买了一台Redmi小爱音箱Play，固件版本为1.66.4稳定版。
拆开后通过串口连接设备发现需要登录密码，尝试了无密码和md5算法的组合，都不能登录。
怀疑md5算法中的通配符9C78089F-83C7-3CDC-BCC9-93B378868E7F并不适用于Redmi小爱音箱Play，不知道有没有大佬知道这款音箱的密码，或者怎么获得通配符，我可以自己折腾折腾。



==========2020-06-05 12:12 更新===========
感谢楼下的链接，实际测试发现红米音箱的Boot过程中没有出现过failsafe的字样，但是有提示

Hit any key to stop autoboot: 0

复制代码

按下按键后会进入Uboot命令行，输入help可以查看到所有支持的命令

=> help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dm      - Driver model low level access
echo    - echo args to console
editenv - edit environment variable
efex    - run to efex
env     - environment handling commands
erase   - erase FLASH memory
fastboot- fastboot - enter USB Fastboot protocol
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatsize - determine a file's size
fatwrite- write file into a dos filesystem
fdt     - flattened device tree utility commands
flinfo  - print FLASH memory information
go      - start application at address 'addr'
gpt     - GUID Partition Table
help    - print command description/usage
i2c     - I2C sub-system
iminfo  - print header information for application image
itest   - return true/false on integer compare
key_test- Test the key value
led     - manage LEDs
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
part    - disk partition related commands
pbread  - read data from private data
printenv- print environment variables
protect - enable or disable FLASH write protection
pst     - read data from secure storageerase flag in secure storage
pwm_led - pwm_led  - set pwm led
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables<font face="Times New Roman" size="2">
</font>

复制代码

可以输出环境变量看看里面有没有什么有意思的内容

boot_fastboot=fastboot
boot_first=sunxi_flash read 40007800 ${boot_partition_1};bootm 40007800
boot_partition_1=kernel1
boot_partition_2=kernel2
boot_second=sunxi_flash read 40007800 ${boot_partition_2};bootm 40007800
bootcmd=run setargs_first boot_first
bootdelay=0
console=ttyS0,115200
earlyprintk=sunxi-uart,0x05000000
fastboot_key_value_max=0x8
fastboot_key_value_min=0x2
fdtcontroladdr=42b172a8
first_root=/dev/nand0p3
gpt=1
init=/sbin/init
loglevel=1
partitions=env@nand0p1:kernel1@nand0p2:rootfs1@nand0p3:kernel2@nand0p4:rootfs2@nand0p5:misc@nand0p6:private@nand0p7:crashlog@nand0p8:UDISK@nand0p9
rdinit=/rdinit
recovery_key_value_max=0x13
recovery_key_value_min=0x10
rotpk_status=1
second_root=/dev/nand0p5
setargs_first=setenv bootargs earlyprintk=${earlyprintk} console=${console} root=${first_root} rootwait init=${init} rdinit=${rdinit} loglevel=${loglevel} partitions=${partitions} gpt=${gpt} rotpk_status=${rotpk_status}
setargs_second=setenv bootargs earlyprintk=${earlyprintk} console=${console} root=${second_root} rootwait init=${init} rdinit=${rdinit} loglevel=${loglevel} partitions=${partitions} gpt=${gpt} rotpk_status=${rotpk_status}

复制代码

可以看到boot的启动命令bootcmd，将init变量改为/bin/sh就可以进入系统了

=> setenv init /bin/sh
=> run bootcmd
partinfo: name kernel1, start 0x600, size 0x3000
pubkey rootfs1 valid
partition rootfs1 verify pass
total_len=3121152
pubkey kernel1 valid
## Booting Android Image at 0x40007800 ...
Android's image name: cowbell-l07a
Kernel load addr 0x40008000 size 3043 KiB
RAM disk load addr 0x41000000 size 1 KiB
   XIP Kernel Image ... OK
   Loading Ramdisk to 42b11000, end 42b1100c ... OK
   reserving fdt memory region: addr=41a00000 size=100000
   Using Device Tree in place at 42b172a8, end 42b2ae67
[24.440]Starting kernel ...

NAND_UbootExit
[24.444]NB1: NAND_LogicExit
nand release dma:43fb5e1c
nand release dma:0
[    0.088277] Initramfs unpacking failed: junk in compressed archive


BusyBox v1.27.2 () built-in shell (ash)

/bin/sh: can't access tty; job control turned off
/ # 

复制代码

运行mi_console sn命令即可得到密码，与别的帖子中的密码算法得到的结果一致，但是实际使用还是密码错误。可能红米音箱的密码并不是由这种方式得到的。

这种方法进入系统是只读权限，改不了密码。 显示/data/console/passwd not found，可能加载过程有什么不同

==========2020-06-05 12:12 更新===========
感谢楼下的大佬，确实是通配符的问题，改成A20EDC68-62E5-70C6-76E8-75879721B8EC就可以了，已成功进入

有一个奇怪的点是，修改init进入系统和登录进入系统的mi_console的结果不一样，分别对应两个通配符


==========2020-06-08 23:56 更新===========
尝试拿了一下rootfs
链接: https://pan.baidu.com/s/1_dLEgnJzO6PCfDlMANptug  密码: wgbq

ghostist

这....车还有吗？我也想上

Augustus

ghostist 发表于 2020-6-4 21:21
这....车还有吗？我也想上

看了一下，已经恢复原价了

hugh_jie

我也搞了个这个，准备把门锁弄进去呢，，门锁还没到，你试试这个能行不呢，https://bbs.hassbian.com/thread-9144-1-1.html

hellkun

我也买了，居然还有这种玩法，还好没有取消订单。。关注一下

ghostist

Augustus 发表于 2020-6-4 22:34
看了一下，已经恢复原价了

什么渠道获取信息啊  我消息闭塞

Augustus

hugh_jie 发表于 2020-6-4 22:52
我也搞了个这个，准备把门锁弄进去呢，，门锁还没到，你试试这个能行不呢，https://bbs.hassbian.com/threa ...

感谢分享，我实际试了一下，红米音箱和小爱音箱的boot过程似乎不一样，log里面没有出现过failsage的字样，但是发现boot过程中按任意按键可以中断Boot过程进入Uboot命令行

Augustus

ghostist 发表于 2020-6-5 09:07
什么渠道获取信息啊  我消息闭塞

京东？有一天突然推给我了

hugh_jie

Augustus 发表于 2020-6-5 12:11
感谢分享，我实际试了一下，红米音箱和小爱音箱的boot过程似乎不一样，log里面没有出现过failsage的字样 ...

那我得搞个小白万能遥控器了

小飞

能进去那就直接改掉密码啊