Jibo-Revival-Group/JiboDocs
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

quick update

Browse Source
This commit is contained in:
Kevin
2026-03-18 15:23:30 +02:00
parent a8dbcb1645
commit 5fd69861c4
14 changed files with 336 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
Documentation/AtDev - New Firewall script.md Normal file
View File

@@ -0,0 +1,254 @@
- - -
# #AtDev , work in progress
- - -
Under /etc/init.d/ we have
```shell
# cd /etc/init.d/
# ls
S00fix-os S15crond S33dbus S48avahi-daemon S63body-board-power S78jibo-system-manager
S01logging S18udev S36sshd S51upload-logs S66ntp S81named
S06coredumps S21firewall S39audio-enable S54modules S69start-X11 S84identity-syslog
S09wifi-enable S24cpufreq S42avahi-setup.sh S57alsa-volume S72jibo-apply-update rcK
S12dns-prime S30urandom S45network S60alsaloopback S75jibo-service-registry rcS
```
currently interested in `/etc/init.d/S21firewall`
```log
# cat /etc/init.d/S21firewall
#!/bin/sh
#
# Jibo Firewall init script
#
set -e
IPTABLES_CMDS="/usr/sbin/iptables /usr/sbin/ip6tables"
flush_rules() {
for iptables in $IPTABLES_CMDS; do
$iptables -t filter -F
$iptables -t filter -P INPUT ACCEPT
$iptables -t filter -P FORWARD ACCEPT
$iptables -t filter -P OUTPUT ACCEPT
# add the DYNAMIC_ACCESS chain unconditionally
$iptables -t filter -X
$iptables -t filter -N DYNAMIC_ACCESS
done
}
normal_rules() {
for iptables in $IPTABLES_CMDS; do
$iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A INPUT -p icmp -j ACCEPT
$iptables -t filter -A INPUT -i lo -j ACCEPT
# allow dynamic access rules from system-manager
$iptables -t filter -A INPUT -j DYNAMIC_ACCESS
$iptables -t filter -A INPUT -j REJECT
$iptables -t filter -A FORWARD -j REJECT
done
}
developer_rules() {
for iptables in $IPTABLES_CMDS; do
# jibo-dev-shell
$iptables -t filter -A INPUT -p tcp --syn --dport 8686 -j ACCEPT
# jibo-skills-service
$iptables -t filter -A INPUT -p tcp --syn --dport 8779 -j ACCEPT
# jibo-sync
$iptables -t filter -A INPUT -p tcp --syn --dport 8989 -j ACCEPT
# jibo-debug-proxy
$iptables -t filter -A INPUT -p tcp --syn --dport 9191 -j ACCEPT
# avahi
$iptables -t filter -A INPUT -p udp --dport 5353 -j ACCEPT
done
normal_rules
}
certification_rules() {
for iptables in $IPTABLES_CMDS; do
# jibo-certification-service
$iptables -t filter -A INPUT -p tcp --syn --dport 9292 -j ACCEPT
done
normal_rules
}
service_rules() {
for iptables in $IPTABLES_CMDS; do
# jibo-certification-service
$iptables -t filter -A INPUT -p tcp --syn --dport 9292 -j ACCEPT
# jibo-service-center-service
$iptables -t filter -A INPUT -p tcp --syn --dport 9797 -j ACCEPT
# avahi
$iptables -t filter -A INPUT -p udp --dport 5353 -j ACCEPT
done
normal_rules
}
start() {
echo -n "Configuring firewall: "
flush_rules
my_mode=$(/usr/bin/jibo-getmode)
if [ $? -ne 0 ]; then
echo "Unspecified mode. SKIP"
elif [ "$my_mode" == "identified" ]; then
echo "IDENTIFIED"
elif [ "$my_mode" == "int-developer" ]; then
echo "INT-DEVELOPER"
elif [ "$my_mode" == "developer" ]; then
developer_rules
test $? -eq 0 && echo "DEVELOPER" || echo "ERROR"
elif [ "$my_mode" == "certification" ]; then
certification_rules
test $? -eq 0 && echo "CERTIFICATION" || echo "ERROR"
elif [ "$my_mode" == "service" ]; then
service_rules
test $? -eq 0 && echo "SERVICE" || echo "ERROR"
else
normal_rules
test $? -eq 0 && echo "OK" || echo "ERROR"
fi
}
stop() {
echo -n "Unconfiguring firewall: "
flush_rules
test $? -eq 0 && echo "OK" || echo "ERROR"
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac
```
and in `S78jibo-system-manager`
```log
# cat S78jibo-system-manager
#!/bin/sh
#
# Jibo System Manager init script
#
set -e
PROCESS=jibo-system-manager
BIN_DIR=/usr/local/bin
CFG_DIR=/usr/local/etc
check_mode() {
my_mode=$(/usr/bin/jibo-getmode)
if [ $? -ne 0 ]; then
echo "Unspecified mode. SKIP"
exit 0;
fi
if [ "$my_mode" != "oobe" \
-a "$my_mode" != "int-developer" \
-a "$my_mode" != "developer" \
-a "$my_mode" != "normal" \
-a "$my_mode" != "certification" \
-a "$my_mode" != "service" ]; then
echo "Mode is $my_mode. SKIP"
exit 0;
fi
# only configure coredump generation for internal development modes
# for all other modes, don't configure as they cannot be used
if [ "$my_mode" == "int-developer" ]; then
echo "Configuring coredumps"
# all subprocesses should generate core dumps
ulimit -c unlimited
fi
}
check_running() {
pgrep -x jibo-system-man >& /dev/null
return $?
}
wait_for_stopped() {
while check_running; do
echo -n "waiting... "
sleep 2
done
}
start() {
echo -n "Starting $PROCESS: "
check_mode
$BIN_DIR/$PROCESS -c $CFG_DIR/$PROCESS.json --daemon
test $? -eq 0 && echo "OK" || echo "ERROR"
}
stop() {
echo -n "Stopping $PROCESS: "
killall $PROCESS
wait_for_stopped
test $? -eq 0 && echo "OK" || echo "ERROR"
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo "Usage: $0 {start|stop}" >&2
exit 1
;;
esac
```
to bypass the lockout in normal mode we can add like a filter under the normal rules function
first ima remount with write permissions :
```shell
mount -o remount,rw /
# vi and append :
normal_rules() {
for iptables in $IPTABLES_CMDS; do
$iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A INPUT -p icmp -j ACCEPT
$iptables -t filter -A INPUT -i lo -j ACCEPT
# allow dynamic access rules from system-manager
>>> $iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT <<<
$iptables -t filter -A INPUT -j DYNAMIC_ACCESS
$iptables -t filter -A INPUT -j REJECT
$iptables -t filter -A FORWARD -j REJECT
done
}
```
i was gonna use telnetd but its not installed
anyway using`jibo-getmode` i will revert back to the `normal` mode
and it works! saving diff for the installer
now that we have normal mode with ssh we have more capabilities, i will re screw the head back!... i broke my face ring

71
Documentation/Networking/Network Profiling & Traffic Analysis.md Executable file
View File

@@ -0,0 +1,71 @@
Since Jibos official servers were decommissioned, the robot hangs during the "Checking for Updates" phase, and of course. By sniffing its network traffic, (Community member : Jaked) has identified several hardcoded endpoints. Our goal is to redirect this traffic to a local server to simulate a "Success" response and unlock the robots full functionality.
- - -
Initial scans show that Jibo uses a standard network stack but maintains a strict internal firewall.
- **Primary DNS:** Hardcoded to `8.8.8.8` (Google DNS).
- **Web Config:** Ports `80`and `443` are closed/filtered by default.
- **ROS Bridge:** Port `9090` (used for MIT Workspace/SDK) is **blocked**. It appears to require a specific "Skill" (likely the _be-skill_) to be running before the port opens.
---
## Known Target Endpoints
The following table lists the IPs Jibo attempts to contact immediately after connecting to WiFi.
### **Time Synchronization (NTP)**
Jibo hits these IPs repeatedly to sync its internal clock. Without a successful time sync, SSL handshakes for other services will fail.
```
-45.115.225.48
216.229.4.66
93.57.144.50
66.231.64.28
194.195.253.58
```
### **Persistent AWS Infrastructure**
These are the most critical targets. Jibo hits these over and over, likely checking for signals or update manifests.
- **IP 1:** `35.172.208.31`
- **IP 2:** `44.198.39.206`
> **Hypothesis:** These were likely the primary API endpoints for `jibo.com`. I am investigating the packet payload to see if they are expecting JSON or XML responses.
### **Legacy & Third-Party Hits**
These appear less frequently, possibly for analytics or legacy newsletter/resource loading.
| IP Address | Ownership (potential) | Purpose |
| ---------------- | --------------------- | -------------------------- |
| `66.118.231.14` | Constant Contact | Maybe email or newsletter? |
| `172.232.15.202` | Akamai | Content Delivery? |
| `72.30.35.89` | Yahoo | Weather / News API |
| `67.210.96.32` | Host Papa | Domain hosting |
---
## Current Observations
### **The Update Loop**
When Jibo reaches the "Checking for Updates" screen, it isn't "dead." Even while the screen is stuck loading , the background :
1. **Audio Processing stays active:** Saying _"Hey Jibo"_ causes the robot to turn toward the sound source.
2. **Network Persistence:** It continues to attempt connections to the AWS IPs listed above.
3. **Timeout Behavior:** It is unclear if the timeout is extremely long or if it is failing a specific SSL handshake.
### **Domain Discrepancy**
- **jibo.com:** Officially shut down; no longer resolves to an active site.
- **jibo.net:** Tribute site made by Community member Jibo-detective or RoboticaLabs on youtube
---
Check out [[Networking & ports & Error codes]] by ZaneDev from discord
---

21
Documentation/Networking/Networking & ports & Error codes.md Normal file
View File

@@ -0,0 +1,21 @@
- - -
# Useful Ports
> [!INFORMATION]
> You might not be able to access some ports if you haven't unblocked them on Jibo's firewall.
### 8779
This port has the skills manager. From here you can do a semi-reboot by stopping and starting the "@be/Be" skill.
### 15150
This port has logs. This port is only available on v3+ of the revival project (can be checked on the information section in settings).
### 10004
Error service, allows you to simulate errors in realtime. Shows names of third parties by accident.
It seems in recent versions of Jibo errors relating to him not being able to connect to Jibo Inc Servers don't create a pop up L2, L7, Q1 (oddly WIFI4 and WIFI4a still give pop up), Q4. N1-N12 don't have pop ups either. OTA11 and R1 also makes an error inside an error saying "NOT HANDLED BY ERROR SKILL".
**TL;DR:**
| Error Code(s) | Shows Popup? | Notes |
|---|---|---|
| L2, L7, Q1 | No | Server connection errors |
| WIFI4, WIFI4a | Yes | |
| Q4 | No | |
| N1N12 | No | |
| OTA11, R1 | No | Triggers error-within-error: "NOT HANDLED BY ERROR SKILL" |

5
Documentation/The be skill/About the be skill.md Normal file
View File

@@ -0,0 +1,5 @@
- - -
The Be skill really is just jibos main menu including his eye and well... menu...
anyway i will write about this later but for now here are some references to check out :)

BIN
Documentation/The be skill/Assets/Menu Buttons/ButtonSetup.kra Normal file
View File

Binary file not shown.

BIN
Documentation/The be skill/Assets/Menu Buttons/ButtonSetup.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

5
Documentation/The be skill/Assets/The assets directory.md Normal file
View File

@@ -0,0 +1,5 @@
- - -
Located in `/usr/local/bin/`
Has a lot of random assets, potentially has assets useful for restoration.

5
Documentation/The be skill/Assets/The audio directory.md Normal file
View File

@@ -0,0 +1,5 @@
- - -
Located in `/opt/jibo/Jibo/Skills/@be/be/node_modules/jibo-anim-db-animations/audio/`
Lots of audio assets, the surrounding folders also contain other assets.

7
Documentation/The be skill/The Splash screen image!.md Normal file
View File

@@ -0,0 +1,7 @@
- - -
it is located in:
`/opt/jibo/Jibo/Skills/@be/be/resources/JiboSplash.png`
This file allows you to edit the splash screen. This is the image that shows at the start of the Be skill (normally the Jibo logo, Jibo Revival logo, OpenJiboOS logo, or some variation). Note: This is only the splash screen for the Be skill. It will only edit the splash seen when you restart "@be/Be", or in the **'second boot stage'** when Jibo spins and shows the splash a second time.

13
Documentation/Useful Items List.md Normal file
View File

@@ -0,0 +1,13 @@
Jibo was built a little weird, so it's easy to forget things. This document contains things that are nice to know for tinkering or developing for Jibo Revival.
- - -
## About [[The Splash screen image!]]
## About [[The assets directory]]
## About [[The audio directory]]
## About [[Networking & ports & Error codes]]
## About [[Network Profiling & Traffic Analysis]]
- - -
Documented by ZaneDev @ Our Discord

176
Documentation/Validated memory adresses.md
View File

@@ -1,176 +0,0 @@
- - -
# Power Management Controller (PMC)
### `0x7000E400` — PMC Base Address
**Use:** The starting point for all Power Management operations.
### `0x7000E450` — PMC_SCRATCH0
- **Use:** undefined but i used it as a Data Safe.
- **Example:** When the USB connection dies, store 4 bytes of data here.
- **C Code exampple:**
```c
// Store a 4-byte value from IRAM into the scratch register
uint32_t leaked_data = *(volatile uint32_t *)0x40001000;
*(volatile uint32_t *)0x7000E450 = leaked_data;
```
### `0x7000E414` — PMC_CNTRL (Reset Control)
- **Use:** The Reboot Trigger.
- **Bit 4:** Setting this bit triggers a Warm Reset.
- **Example:** use this immediately after writing to `SCRATCH0` to force Jibo back into RCM mode.
- **C Code Implementation:**
```c
// Trigger Warm Reset to return to RCM mode
*(volatile uint32_t *)0x7000E414 |= (1 << 4);
```
# Timer and Watchdog (TMR/WDT)
These addresses allow us to cut the systems security features from what i can tell so they don't interfere with the payload.
### `0x6000501c` — TMR_WDT_RESTART
- **Use:** The Watchdog cut.
- **Mechanism:** The Tegra K1 has a timer that reboots the device if it doesn't receive a clock signal within a few seconds.
- **Example:** We write the magic value `0xcafe` here in every loop to prevent Jibo from panic-resetting during a dump.
- **C Code Implementation:**
```c
while(1) {
// (reset)
*(volatile uint32_t *)0x6000501c = 0xcafe;
// ... rest of the exploit ...
}
```
# Internal RAM (IRAM/SRAM)
This is the part where the BootROM is.
### `0x40000000` — IRAM Base (Start)
- **Use:** The beginning of the 256KB internal memory.
- **Significance:** This is where the payload is injected. If u dump from here, u get the "Leftovers" of the boot process (keys, signatures, and config data) from what i could tell.
### `0x4003FFFF` — IRAM End
- **Use:** The boundary of the volatile memory. (not 100% Sure but pretty certain)
- **Constraint:** If we try to read past this address, the system will hard-crash because we are hitting undefined memory space.
# BootROM Service Functions
The BootROM (at `0x00000000`) is read-only memory etched into the silicon. It contains pre-written functions for USB communication that we can "borrow" so we don't have to write a full USB driver from scratch.
### `0x00003551` — usb_send (Standard)
- **Use:** Sends a structured data packet over the RCM USB connection.
- **Significance:** This is the basically the proper way i could get it to talk. It handles some of the USB protocol handshaking automatically.
- **Example:**
```C
// Define the function signature based on BootROM
typedef int (*usb_send_ptr)(void *buffer, unsigned int length);
usb_send_ptr usb_send = (usb_send_ptr)0x00003551;
//push 64 bytes of IRAM to the PC
usb_send((void *)0x40000000, 64);
```
### `0x000035e5` — usb_send_raw (Bulk)
- **Use:** A lower-level function that bypasses some of the standard RCM state checks i think.
- **Significance:** This is how i got those first **16 bytes** out. It is open data pushing.
- **Example:** I used this when the standard `usb_send` was stalling, as it forces the hardware to dump the buffer to the endpoint immediately.
```c
// Define the raw function pointer
typedef void (*usb_send_raw_ptr)(void *buffer, unsigned int length);
usb_send_raw_ptr usb_send_raw = (usb_send_raw_ptr)0x000035e5;
//Force dump a 16-byte chunk of IRAM regardless of USB state
void dump_raw_chunk() {
uint8_t buffer[16];
// Copy the data from a target address (e.g.sstart of IRAM)
memcpy(buffer, (void*)0x40000000, 16);
// Push it out. On the PC side
usb_send_raw(buffer, 16);
}
```
# Hardware Fuse Registers
The Fuses are permanent oly set at the factory so we cant change these
### `0x7000F800` — FUSE_BASE
- **Use:** The starting point for reading the hardware id & status.
- **Significance:** Reading from here tells us if Jibo is in "Production" mode (Locked) or "Development" mode (Unlocked).
### `0x7000F800 + 0x60` — Security Config Fuse
- **Use:** Determines if **Secure Boot** is active.
- **Discovery:** In my tests, reading this offset returned random data.
- **The Verdict:** This confirmed that Jibo is a **Secure Boot** device. He will only boot software that has been digitally signed by Jibo Inc.s private keys.
### `0x7000F900` — FUSE_RESERVED_ODM (The SBK/SSK Area)
- **Use:** This is where the **Secure Boot Key (SBK)** usually is.
- **The Goal:** If we can successfully read this entire block, we might find the AES keys needed to decrypt the Jibo OS files on the EMMC.
# The Boot Configuration Table (BCT)
The BCT is a piece of data usually found at the very start of the boot process (and often cached in IRAM).
### `0x400000f0` — BCT Pointer / Entry Point
- **Use:** I identified this address in on of the `hexdumps` i sent on discord.
- **Significance:** This is where the BootROM hands over control to the next stage of the bootloader.
- **The Hack:** By targeting our leaker near this address, we can see how the Tegra sets up its memory controllers before it realizes we've hijacked the process.
```C
void inspect_bct_handoff() {
// Read the instruction at the BCT entry point
uint32_t entry_instruction = *(volatile uint32_t *)0x400000f0;
// Often, this is a 'Branch' (B) instruction in ARM hex: 0xEAXXXXXX
// If 0xEA, we know Jibo is ready run the bootloader
if ((entry_instruction >> 24) == 0xEA) {
// Log it for the PC to see
*(volatile uint32_t *)0x7000E450 = 0xBC7DE4D; // "BCT DEAD" hex flag
}
}
```