Be aware, serial access is now password protected (starting from v.8.12)!!!
Besides that, the software is becoming just great! Finally!
Before I got shut out, I managed to get a glimpse at how they do the OTA updates:
3819 root 2344 S fw_update -r /usr/local/upload/install.img -v 8.13.0-131
3939 root 3712 S sh -c busybox tar xvOf /usr/local/upload/install.img KDP/system.bin | busybox dd of=/dev/sda bs=512 seek=499712 count=467896
3940 root 3712 S busybox tar xvOf /usr/local/upload/install.img KDP/system.bin
3941 root 3712 R busybox dd of /dev/sda bs 512 seek 499712 count 467896
- install.img apparently contains system.bin - that’s the part that gets mounted to /usr/local/tmp
- the actual content is a file called image.cfs which gets loop-mounted to /usr/local/modules
- If we were able to modify the system.bin/image.cfs, we'd be able to start arbitrary code
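
Added example, not part of the original post and not the vendor's code: a pre-write check an updater could run on install.img before the dd step shown above. It confirms that KDP/system.bin fits the write window given on the dd command line and matches an expected SHA-256. The trusted digest source (for example a signed manifest) and all function names are assumptions; the post does not show whether fw_update performs such a check.

```python
import hashlib
import hmac
import io
import tarfile

SECTOR = 512
SEEK_SECTORS = 499712    # seek= value from the dd command line in the post
COUNT_SECTORS = 467896   # count= value from the dd command line in the post
MEMBER = "KDP/system.bin"


def write_window():
    """Byte offset and length of the region dd writes on /dev/sda."""
    return SEEK_SECTORS * SECTOR, COUNT_SECTORS * SECTOR


def verify_member(img, expected_sha256, max_bytes):
    """Return (ok, reason) for MEMBER inside the tar file object `img`."""
    with tarfile.open(fileobj=img, mode="r:*") as tar:
        try:
            info = tar.getmember(MEMBER)
        except KeyError:
            return False, "member missing"
        if not info.isreg():
            return False, "member is not a regular file"
        if info.size > max_bytes:
            return False, "member larger than write window"
        digest = hashlib.sha256()
        src = tar.extractfile(info)
        # Hash in chunks so a full-size image never has to sit in memory.
        for chunk in iter(lambda: src.read(1 << 20), b""):
            digest.update(chunk)
    # expected_sha256 is assumed to come from a trusted, authenticated source.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256):
        return False, "digest mismatch"
    return True, "ok"


def make_image(payload):
    """Build a constructed in-memory tar laid out like install.img (demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(MEMBER)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf
```
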