Spotify Car Thing "superbird" - Persistent Secure-Boot Bypass Exploit Chain

oddsolutions/superbird-bulkcmd

"NotABug" - superbird-bulkcmd

Spotify Car Thing (superbird) resources to access U-Boot shell over USB. Not a bug, it is a "feature".

Hacked Car Thing

Note: this method has been tested on the factory firmware (device never used or updated: App Version 0.24.107, OS Version 6.3.29), but should work on all firmware versions released as of this article's writing.

Disclaimer

You are solely responsible for any damage caused to your hardware/software/keys/DRM licences/warranty/data/cat/etc...

Requirements

  • A Car Thing (superbird) without USB password
  • Either a USB A to C, or a C to C cable
  • A PC running some flavor of 64-bit GNU Linux
  • libusb-dev installed

FAQ

Does this process void my warranty on this device?

  • Probably, assume so.

Can I OTA afterwards?

  • If you don't perform any persistent change, probably yes.
  • But if you disable dm-verity and modify on-device partitions, OTA updates will fail, though given this device is EOL, we don't expect further OTA updates.

Can I still use stock features?

  • Yes! Perfectly normal and usable, this just enables root access and ADB.

Can I go back to stock after installing custom OS's or messing up the stock image?

  • Theoretically, if you have a good eMMC dump, the U-Boot shell should allow you to restore the partitions. But this has not been tested thoroughly!

Files

Guide : U-Boot shell over USB (USB burning mode)

  1. Unplug the Car Thing from everything.
  2. Clone or download this repo locally, change your shell's directory to it, and ensure you have libusb-dev installed.
  3. Hold buttons 1 & 4 on the case, and plug the Car Thing into your PC via USB.

The host should see a new USB device connection in dmesg like this one:

usb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.20
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: GX-CHIP
usb 1-1: Manufacturer: Amlogic

  4. Release the buttons once this device has been detected by the host computer.
  5. Execute the script scripts/burn-mode.sh to boot U-Boot in USB burning mode. A new USB device appears on the host side:

usb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.07
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0

  6. Execute the following commands to enable the U-Boot shell at every boot.

WARNING: This step modifies the env partition. Changes are persistent, so it shall be executed only once.

./bin/update bulkcmd 'amlmmc env'
./bin/update bulkcmd 'setenv storeargs ${storeargs} run update\;'
./bin/update bulkcmd 'env save'
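
Because the env change is persistent, it helps to confirm which stage of the guide the device is in before running it. The following is an added example, not part of this repository: it classifies the stage from kernel log lines using the two bcdDevice values quoted above. The function names superbird_stage and ready_for_env_write are hypothetical, and it assumes those two values are what distinguish the stages on your unit.

```shell
#!/bin/sh
# Added example (not from the repository). Classifies the guide stage from
# kernel log lines, using only the values shown in the dmesg excerpts above.

# Reads kernel log text on stdin and prints one of:
#   absent     no 1b8e:c003 device was enumerated
#   first      last enumeration has bcdDevice 0.20 (buttons 1 & 4 held)
#   burn-mode  last enumeration has bcdDevice 0.07 (after scripts/burn-mode.sh)
#   unknown    1b8e:c003 seen with a bcdDevice value this page does not show
superbird_stage() {
    awk '
        /New USB device found/ && /idVendor=1b8e/ && /idProduct=c003/ {
            bcd = $0
            sub(/.*bcdDevice= */, "", bcd)   # drop everything up to the value
            sub(/[^0-9.].*$/, "", bcd)       # drop anything after the value
            last = bcd                       # later enumerations override earlier ones
            seen = 1
        }
        END {
            if (!seen)               print "absent"
            else if (last == "0.20") print "first"
            else if (last == "0.07") print "burn-mode"
            else                     print "unknown"
        }
    '
}

# Guard for the persistent env step: succeeds only when the most recent
# enumeration in the log on stdin is the burn-mode one.
ready_for_env_write() {
    [ "$(superbird_stage)" = "burn-mode" ]
}

# Constructed sample: the enumerations quoted in the guide, in order.
SAMPLE_LOG='usb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.20
usb 1-1: Product: GX-CHIP
usb 1-1: New USB device found, idVendor=1b8e, idProduct=c003, bcdDevice= 0.07'

# Stand-alone run: classify the live kernel log with --live, else the sample.
if [ "${1:-}" = "--live" ]; then
    dmesg | superbird_stage
else
    printf '%s\n' "$SAMPLE_LOG" | superbird_stage
fi
```

A result of first means scripts/burn-mode.sh has not taken effect yet, and unknown means the log does not match either excerpt on this page.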