Maemo - Nokia 770 development platform

Maemo Development Platform

This page is dedicated to the maemo development platform, which can be used to develop applications for the Nokia 770. In October 2005, I received such a device through the Nokia developer device program and started to develop stuff for it that I need for my daily work.

Becoming root

A precondition for most interesting modifications to this device is having root on it. Basically, the maemo 1.1 release should contain the tools that allow you to become root without much hassle, but hey, there was a time before maemo 1.1...

After Toni came up with the idea to run sudo -l to see which commands can be executed as root, the shell script /usr/sbin/gainroot in particular looked suspicious. The naive approach, i.e. just executing sudo /usr/sbin/gainroot, did not work, because the script uses cal-tool to check whether R&D mode is enabled. If not (which is the default), the script terminates. Otherwise, if R&D mode is enabled, gainroot should spawn a root shell.

The other thing available was an Internet Tablet Software Edition 2005 image and a flasher tool for Microsoft Windows. The idea now was to modify this image in such a way that said gainroot script would spawn a root shell anyway. Of course there are various other possibilities to get root once you can modify the image.

A quick check of /proc/mounts and /proc/mtd on the Nokia 770 revealed that all interesting file-systems are of type jffs2, and that the erase size of the mtd device was 0x2000. With the knowledge of the file-system type it was easy to spot the beginning of several file-systems in the software image. Comparing the bytes before the different file-systems suggested that they have the following structure:

        #include <stdint.h>

        /* header preceding each block in the software image */
        struct header {
            char     magic[7];    /* same seven bytes in every header */
            uint64_t unknown1;
            char     name[12];    /* zero-terminated description of the block */
            uint32_t len;         /* big-endian length of the block in bytes */
            uint32_t zero;
            uint8_t  unknown2;
        } __attribute__((packed));

The field magic is seven bytes that are the same in all headers. The name is a zero-terminated string describing the following block. len is the (big-endian) length of the following block in bytes. The meaning of unknown1 and unknown2 is, well, unknown to me.

Similarly, the whole software image starts with a header like this:

        #include <stdint.h>

        /* header at the very start of the software image */
        struct preamble {
            char     magic[10];
            uint8_t  len;         /* length of the string that follows */
        } __attribute__((packed));

No idea whether magic is really a constant value or several fields. The field len denotes the length of the directly following character string, which means, well, something.

I got this information from looking at the hexdump for a few hours. With this information, it was easy to write a program that extracts the single blocks from the software image (see ex.c).
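As an added example of the extraction step (this is not the author's ex.c), the parser below walks an image laid out as the two headers above describe: it skips the preamble and its string, then reads header/payload pairs, assembling the big-endian len by hand and refusing any block that would run past the end of the buffer. The magic values, block names and payloads of the sample image are constructed placeholders, not values from a real image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Header layouts exactly as described above (packed, sizes in bytes). */
struct preamble { char magic[10]; uint8_t len; } __attribute__((packed));
struct header {
    char magic[7]; uint64_t unknown1; char name[12];
    uint32_t len; uint32_t zero; uint8_t unknown2;
} __attribute__((packed));
struct block { char name[13]; const uint8_t *data; uint32_t len; };

/* Walk the image: preamble plus its string, then header/payload pairs to the end.
 * Returns the block count, or -1 if a header or payload would run past the buffer
 * (truncated or corrupt image) or if more than max blocks are present. */
int extract_blocks(const uint8_t *img, size_t size, struct block *out, int max) {
    if (size < sizeof(struct preamble)) return -1;
    size_t off = sizeof(struct preamble) + img[offsetof(struct preamble, len)];
    int n = 0;
    while (off < size) {
        if (n == max || size - off < sizeof(struct header)) return -1;
        const uint8_t *hp = img + off, *lp = hp + offsetof(struct header, len);
        /* len is stored big-endian, so assemble it byte by byte (no unaligned loads) */
        uint32_t len = (uint32_t)lp[0] << 24 | (uint32_t)lp[1] << 16 |
                       (uint32_t)lp[2] << 8 | lp[3];
        off += sizeof(struct header);
        if (len > size - off) return -1;   /* payload would overrun the image */
        memcpy(out[n].name, hp + offsetof(struct header, name), 12);
        out[n].name[12] = '\0';            /* name may fill all 12 bytes */
        out[n].data = img + off; out[n].len = len;
        off += len; n++;
    }
    return n;
}

/* Constructed sample image; magic values are placeholders, not the real ones. */
static size_t put_block(uint8_t *p, const char *name, const char *payload, uint32_t len) {
    memset(p, 0, sizeof(struct header));
    memcpy(p, "BLKMAGC", 7);
    memcpy(p + offsetof(struct header, name), name, strlen(name));  /* name < 12 bytes */
    uint8_t *lp = p + offsetof(struct header, len);                 /* write len big-endian */
    lp[0] = len >> 24; lp[1] = len >> 16; lp[2] = len >> 8; lp[3] = len;
    memcpy(p + sizeof(struct header), payload, len);
    return sizeof(struct header) + len;
}

size_t build_sample(uint8_t *buf) {
    memcpy(buf, "PREAMBLEMG", 10); buf[10] = 5; memcpy(buf + 11, "hello", 5);
    size_t off = sizeof(struct preamble) + 5;
    off += put_block(buf + off, "kernel", "KERN", 4);
    off += put_block(buf + off, "rootfs", "ROOTFS", 6);
    return off;
}
```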

Once the single file-systems were extracted, it was easy to mount them with the erase size values extracted from /proc/mtd. I modified the gainroot script so it didn't check the state of the R&D mode anymore. With a similar program (see cn.c), I reassembled the firmware image and used the flasher tool to copy it onto the device. Easy enough, I could now become root by executing sudo /usr/sbin/gainroot.

The original post, in which I announced this to the maemo-devel list, is here. I want to thank Toni for his help in trying this out.

Other stuff

The other stuff you can find in the download area is

I plan to add more stuff/documentation later.