187 replies to this topic

[billndotnet]

Can someone who has unlocked and upgraded to Firmware 2.42 (or later) make a dd image of the root partition?  I want to write it to my locked Seestar that is on 2.42.    I have one for firmware 2.30, but not sure if there would be any issues between it and the pi user partition that is on the later firmware.

 

Thanks.

I know this has been done, and there's a reliable method for it, I don't know that it's been released yet, though. Let me see if I shake that out for you.

[kepler64]

thanks a lot to the authors of the jailbreak and some useful hints and tips. I got my Seestar today and immediately used the jailbreak without doing any firmware updates. 

pi@SeeStar:~ $ cat /etc/version
Seestar_v1.7 20231219
pi@SeeStar:~ $ sudo /home/pi/factory/zwoasi_factory -v
zwoasi_factory version: 1.6.2 (Jan 11 2024 15:00:56)
pi@SeeStar:~ $ uname -a
Linux SeeStar 4.19.111 #1 SMP PREEMPT Tue Dec 19 11:01:41 CST 2023 armv7l GNU/Linux
pi@SeeStar:~ $ date
Fri 19 Apr 11:50:39 CEST 2024

after the firmware update to version 2.48, I was still able to logon with the pi account, no password change. Did not need by new user or another backdoor. To my surprise, it still reports the same versions as before. Btw I have copied the update tar file with the packages and scripts.

There seem to be usb driver modules for ethernet and mass storage. Should be doable to connect the thing to a wire and have more local storage. A world of possibilities opens up beyond the original use case of ZWO, turning this thingy into a real fully controllable remote observatory. With the root access, this is real fun now :-)

 

CS, Markus

[DarrylP796]

Just bought a Seestar and unfortunately found this forum too late as I  had updated the firmware upon startup..

 

Tried the root script and no luck. Seestar responds with a verbal "update of firmware failed". Tried SSH into pi with password raspberry and it did not allow a connection.

 

Darryl

Edited by DarrylP796, 20 April 2024 - 12:10 PM.

[pupak]

thanks a lot to the authors of the jailbreak and some useful hints and tips. I got my Seestar today and immediately used the jailbreak without doing any firmware updates. 

pi@SeeStar:~ $ cat /etc/version
Seestar_v1.7 20231219
pi@SeeStar:~ $ sudo /home/pi/factory/zwoasi_factory -v
zwoasi_factory version: 1.6.2 (Jan 11 2024 15:00:56)
pi@SeeStar:~ $ uname -a
Linux SeeStar 4.19.111 #1 SMP PREEMPT Tue Dec 19 11:01:41 CST 2023 armv7l GNU/Linux
pi@SeeStar:~ $ date
Fri 19 Apr 11:50:39 CEST 2024

after the firmware update to version 2.48, I was still able to logon with the pi account, no password change. Did not need by new user or another backdoor. To my surprise, it still reports the same versions as before. Btw I have copied the update tar file with the packages and scripts.

There seem to be usb driver modules for ethernet and mass storage. Should be doable to connect the thing to a wire and have more local storage. A world of possibilities opens up beyond the original use case of ZWO, turning this thingy into a real fully controllable remote observatory. With the root access, this is real fun now :-)

 

CS, Markus

The update data is in every seestar APK in the iScope file. Just rename it to iScope.tar.bz2 and you can see what the new installation will do. It would be great to get USB ports working, or Ethernet. There is a USB debug port marked on the board, but I have no idea how to make it work yet.

Petr

[DarrylP796]

Anyone know how to downgrade the Seestar so I can gain root?

[Artimon]

Anyone know how to downgrade the Seestar so I can gain root?

as of today, downgrade firmware is not possible. Use a former version of the android/IOS app is possible, but will not allow you to downgrade firmware. Sorry ...

[pupak]

# echo "{"id":1,"method":"begin_downgrade","params":{}}" | nc seestar.local 4350

 

Does this method no longer work? It wasn't that long ago that I successfully used it.

[Artimon]

# echo "{"id":1,"method":"begin_downgrade","params":{}}" | nc seestar.local 4350

 

Does this method no longer work? It wasn't that long ago that I successfully used it.

Can you erxplain the full procedure, it might help lot of us here !!

thanks in advance!

[pupak]

# Seestar/ASIAIR jailbreak by @joshumax
# Licensed in the public domain

import socket
import os
import hashlib
import sys

def recv_all(sock):
    text = ''

    while True:
        chunk = sock.recv(1024)
        text += chunk.decode()

        if not chunk or chunk.decode().endswith('\n'):
            break

    return text

def begin_update(address):
    s = socket.socket()
  
    # echo "{"id":1,"method":"begin_downgrade","params":{}}" | nc seestar.local 4350
    json_str ='{"id":1,"method":"begin_downgrade","params":{}}\r\n'
    s.connect((address, 4350))
   
    print('Got: ' + recv_all(s))

    print('Sending RPC: {rpc}'.format(rpc = json_str))
    s.sendall(json_str.encode())

    print('Got back: ' + recv_all(s))

    s.close()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: {name} [ASIAIR_IP]'.format(name = sys.argv[0]))
        sys.exit(1)

    begin_update(sys.argv[1])

-------------------------------------------------------------------------------

 

Save text at file named  "DG.py"  install Python 2.7 - 3.

Windows - run in cmd : "py DG.py IP_seestar "

Edited by pupak, 23 April 2024 - 10:28 AM.

[fieldsweeper]

I was just looking into this, I will be following along as well.

[DarrylP796]

Pupak,    What version does this script downgrade to?  Do I need to supply the firmware version? If so, I've been unable to find a repository online. Or is it a sort of factory reset to the supplied version?

[pupak]

For me it was version 1.6. It is not important. The replacement FW is stored in the EMC. The command will perform a Downgrade. Hope you have a version that allows JB. It is possible that ZWO will make a change soon.

[DarrylP796]

Thank you Pupak. That worked. Root access after downgrade then running jailbreak script.

 

Not sure what I'm going to do with it, but I have it.

[AstroPotamus]

I just discovered this thread. Have had the SS since January but never thought to JB it. I have a fully upgraded firmware but tomorrow will try to downgrade, JB, and upgrade. Looking forward to putting Plex on it! (Just kidding)

[AstroPotamus]

Also, I can confirm that the downgrade code @pupak listed above, followed by the original JB code from @joshumax, works when starting with a V1.7 Seestar S50 running firmware version 2.53.  After downgrading and jail breaking, I captured some history information for the pi and root users, then remounted the root filesytem rw, added a personal account, and then added my SSH key to pi, root, and the personal account authorized_keys.  Then I connected with the Seestar app and did the firmware upgrade back to 2.53.

 

My changes stuck, and I am still able to SSH into the device.  Here's my steps:

 

1. Use @pupaks changes to the script from post #134, above, to downgrade
2. Use @joshumax's originals script from the topic start to jailbreak
3. I did this all through a "screen" session so I could capture output as required
4. Pretend the device IP is 192.168.111 and ssh to the device:  ssh -l pi 192.168.1.111 (password is "raspberry")
5. Remount the root filesystem read-write:  sudo mount -o remount,rw /
6. Added my account:  sudo useradd -c "AstroPostamus" -d /home/eloyd -m -G sudo astropotamus
7. Changed the password:  sudo passwd astropotamus
8. Added my personal SSH key to /home/pi/.ssh/authorized_key, /root/.ssh/authorized_keys, and /home/astropotamus/.ssh/authorized_keys, creating the directories and/or files as needed.
9. Logged out and back in again as all three users, confirming SSH worked.
10. Connected with SeeStar app and did the (forced) firmware upgrade.
11. After upgrade, confirmed I was still able to connect and sudo.
12. Bob's my Uncle.

Thanks so much for this!  Now if I could convince it to turn on when power is applied, as opposed to pushing a button, I could automate this little guy as one of my SkyShed POD imaging rigs!

[AstroPotamus]

Then, for posterity's sake, I did an rsync of the entire device to a cloud storage so I could look at stuff offline without being on the device:

1. sudo rsync -avu --exclude="/boot/Image" --exclude="/proc" --exclude="/sys" / user@cloud.astropotamus.com:/path/to/storage/seestar_files/
2. sent 3,337,810,188 bytes  received 1,154,133 bytes  12,528,946.80 bytes/sec
   total size is 3,591,558,208  speedup is 1.08

Obviously, this is a bonus; you don't have to do this. :-)

[AstroPotamus]

While we're at it...

if you log into the seestar and then switch to /usr/bin

the following command

./indiserver indi_v4l2_ccd indi_lx200generic

 

will start an indi port on 7624 (found via nmap) that Kstars/Ekos recognizes.  I neglected to put in a scope definition, but its a nice start ...

 

This was on a linux box

 

mconsidine

Yes, /usr/bin/indiserver indi_lx200zeq25 will start an INDI server, which KSTARs can connect to, but it doesn't seem to be able to connect to the LX200 mount definition.  Neither will it let me connect to the camera if I use the indi_v4l2_ccd module.  Has anyone had any luck connecting via INDI? 

 

My goal is to start a session when it's cloudy but that I know will clear later in the night, and have KSTARs kick off some imaging while I'm sleeping.

[pupak]

#!/bin/bash

# $1=indi_lx200zeq25

if [ $# == 0 ];then
echo "no argument"
exit 1
fi

echo "driver:$1"

server_running=$(ps -ef|grep -v grep|grep indiserver|grep "$1"|awk '{print $2}')

if [ ! -z "$server_running" ];then
echo "server is already running"
exit 0
fi

killall -9 indiserver
indiserver $1 > /dev/null 2>&1 &

cnt=0
while [ $cnt -lt 50 ]
do
#netstat -lp会很慢
indi_running=$(ss -tlp|grep -v zwoair_guider|grep -w indiserver|awk '{print $1}') 
if [ ! -z "$indi_running" ];then
echo "indi is running"
break
fi
sleep 0.05
cnt=$[$cnt+1]
done

: '
guider里起indi时
ss -tlp
LISTEN   0        5                0.0.0.0:7624                  0.0.0.0:*       users:(("indiserver",pid=31588,fd=4))
LISTEN   0        5                0.0.0.0:4040                  0.0.0.0:*       users:(("indiserver",pid=31588,fd=13),("zwoair_guider",pid=13413,fd=13))
LISTEN   0        5                0.0.0.0:4400                  0.0.0.0:*       users:(("indiserver",pid=31588,fd=17),("zwoair_guider",pid=13413,fd=17))
LISTEN   0        5                0.0.0.0:4500                  0.0.0.0:*       users:(("indiserver",pid=31588,fd=16),("zwoair_guider",pid=13413,fd=16))
LISTEN   0        5                0.0.0.0:4030                  0.0.0.0:*       users:(("indiserver",pid=31588,fd=15),("zwoair_guider",pid=13413,fd=15))
'

 

This "Start_indi.sh" script will kill every Indi process if the daemon is running. It would take a good deep research on how to work with Indies, because third party mounts are definitely used by Indies. EAF and the camera are controlled via binaries, since there is little chance of getting onto these devices. The USB operator deserves a detailed investigation. I think there is a chance to break through.

[AstroPotamus]

Thanks.  I already looked at that script.  I also killed all the guider and camera processes in case they were claiming exclusive access to the ttys (it looks like "guider" is /dev/ttys3 according to logs) but I was unable to progress much farther because I had to work.

 

I may play with it again tonight to see if I can talk directly to the ttys.  There's three things I'd love to see, even if it means not running Seestar app:

1. Turn on without having to push and hold power button (so I could use a programmable outlet or crack the case and power it directly) or have it on but wait to image until a certain time
2. Tell it to pick a target and do the 3-star calibration (aka "horizontal calibration") automatically
3. Be be able to change targets at a particular time

I know it's not a full-blown AP rig, but with small program changes, this would all be possible.

[billndotnet]

Thanks.  I already looked at that script.  I also killed all the guider and camera processes in case they were claiming exclusive access to the ttys (it looks like "guider" is /dev/ttys3 according to logs) but I was unable to progress much farther because I had to work.

 

I may play with it again tonight to see if I can talk directly to the ttys.  There's three things I'd love to see, even if it means not running Seestar app:

1. Turn on without having to push and hold power button (so I could use a programmable outlet or crack the case and power it directly) or have it on but wait to image until a certain time
2. Tell it to pick a target and do the 3-star calibration (aka "horizontal calibration") automatically
3. Be be able to change targets at a particular time

I know it's not a full-blown AP rig, but with small program changes, this would all be possible.

The indiserver isn't in use on the Seestar, you can safely ignore it.

Have you looked at the seestar_run kit yet, for automation to support 2 and 3?

[AstroPotamus]

The indiserver isn't in use on the Seestar, you can safely ignore it.

Have you looked at the seestar_run kit yet, for automation to support 2 and 3?

Oooohhhhh.  I have not.  I just looked at the Git page.  Will definitely investigate after tonight's G-5 Aurora storm!

[AstroPotamus]

Wow.  Okay, I may have to play with it tonight, actually!  We won't have rain, but we will have clouds.  But maybe I can do some stuff in the western skies where there's...less clouds.  I can turn it on and plug it in to AC power so I can deal with my issue #1, above, and you're right - this deals with #2 and #3!  This is going on the Mele for sure!

[f-zappa]

# echo "{"id":1,"method":"begin_downgrade","params":{}}" | nc seestar.local 4350

 

Does this method no longer work? It wasn't that long ago that I successfully used it.

unfortunately, this does not seem to work anymore. any chance there is another method to downgrade .. or another way to implement the ssh access? my device is on the recent firmware v2.76

❯ echo '{"id":1,"method":"begin_downgrade","params":{}}' |nc seestar.local 4350

{"Event":"Version","Timestamp":"1593.376382635","name":"ASI AIR updater","svr_ver_string":"1.7","svr_ver_int":7}
{"jsonrpc":"2.0","Timestamp":"1593.377439631","error":"method not found","code":103,"id":1}

[AstroPotamus]

For me, I had to do a factory reset to the version that was burned into memory on the device. It was old enough that the exploit still worked. Your mileage may vary.

[f-zappa]

For me, I had to do a factory reset to the version that was burned into memory on the device. It was old enough that the exploit still worked. Your mileage may vary.

Well I am want to do that, but how? This API request seems to fail and in the app I don’t find a „factory reset“ option. Maybe I missed something?