Figured it out. To get shell on the GM MDI clone interface and change the serial
numbersee the instructions:
Mount the sdcard parition 1 under linux, and rename telnetd.sh-disabled to telnet.sh in /bin. While there I also edited the init script and added this near the start to make the prompt nicer:
Quote:export PS1='[\u@mdi \W]\$ '
Access u-boot (38400 baud, see previous
post), and at the prompt type:
Quote:askenv setbootargsprimary
Please enter 'setbootargsprimary':run
normalargs addinit addconsole addeth addprimary;setenv bootargs ${bootargs}
mtdparts=flash0:256k(boot),128k(bootvars),1536k(linux1),6144k(initrd1),1536k(linux2),6144k(initrd2),128k(linuxvars1),128k(linuxvars2),32k@16320k(serialnum),32k(macaddress),128k@16256k(id);
Boot
The GM MDI will boot and start a telnet server on its IP and have a new flash partition configured as /dev/mtd10 called 'id'. This will align with the erase block so can be updated. Check in /var/log/messages for the presence of 'id' without it being forced readonly.
Telnet in and rip a copy of mtd10 with dd, and send it to an ftp server you have setup on your lan.
Quote: [root@mdi ~]# cd /tmp
[root@mdi tmp]# dd if=/dev/mtd10
of=mtd10.img
256+0 records in
256+0 records out
[root@mdi tmp]# ls -l mtd10.img
-rw-r--r-- 1 root root 131072 Jan 1 00:07
mtd10.img
[root@mdi tmp]# ftpput -u <user>
-p <pass> <ip> mtd10.img mtd10.img
Now load up mtd10.img on your pc in HxD or Hexworkshop. The serial is at 0x10000 with a crc32 checksum of 0x10000->0x17FFB at 17FFC (LSB).
MAC is at 18000 with a crc32 checksum 0x18000->0x1FFFB at 1FFFC.
Update both (just change the last couple of numbers), and use the calculate checksum feature of the hexeditor to calculate crc32 the sums of of the ranges and save the new sums in the bin (remember to enter them in LSB format).
Now pull the files back to the mdi, and update flash:
Quote:[root@mdi ~]# cd /tmp
[root@mdi tmp]# ftpget -u <user>
-p <pass> <ip> mtd10-new.img mtd10-new.img
[root@mdi tmp]# cd /usr/local/mtd/
[root@mdi mtd]# ./flash_unlock
/dev/mtd10
[root@mdi mtd]# ./flash_erase
/dev/mtd10
Erase Total 1 Units
Performing Flash Erase of length 131072 at
offset 0x0 done
[root@mdi mtd]# ./flashcp
/tmp/mtd10-new.img /dev/mtd10
[root@mdi mtd]# dd if=/dev/mtd10
of=/tmp/mtd10-readback.img
256+0 records in
256+0 records out
[root@mdi mtd]# md5sum
/tmp/mtd10-new.img /tmp/mtd10-readback.img
1a1f4fb7db878218c558b45c0db50c9f
/tmp/mtd10-new.img
1a1f4fb7db878218c558b45c0db50c9f
/tmp/mtd10-readback.img
Now reboot the MDIinterface, and hold down the power button so it goes in to recovery mode. Use MDI manager to recover the device. Once completed it'll have the new serial and mac.
I expect that the cloners will find this thread and soon they wont all have the same serial anymore. But if you already have one then you can do this yourself, so long as your careful and make sure everything is going to plan and makes sense to you as you go.
BIG
THANKS to gmtools from the MH forum
src:
https://mhhauto.com...GM-MDI-serial-number
