Now that we have a general idea of what we’re looking at on the Pandora’s Box 6 file systems, it’s time to start poking around. As this is a Linux-based single board computer, some Linux knowledge is useful. I’ll do my best to explain things as I see them so that those of you who are less technically inclined can follow along and understand a bit about how the box functions.
Start Me Up
Since the Pandora’s Box 6 is built to basically be a simple appliance that turns on and does one thing, we should start our journey into it by taking a look at how it would go through starting up. Generally speaking, a bootloader would be the first thing that would run and would then load up a Linux kernel and mount a file system. Once that is done, control is normally handed off to the Linux kernel and it finishes the boot up process by mounting the other file systems needed, running various daemons (or services in the Windows world) on start up before finally handing control over to the user. Well, in our case, we have a bit of a problem here as there is no obvious Linux kernel anywhere on either the EXT3 or FAT16 file systems.
Educated guess time: I think the various boot1 through boot9 files in the FAT16 file systems are encrypted/compressed archives that likely contain either the Linux kernel itself and additional files needed or it is somehow loaded up from elsewhere. The one thing that we can easily throw out is that the Linux kernel being loaded is from the UDisk as you are very capable of booting up the Pandora’s Box 6 without it and getting a completely empty game list. (This may be something to remember in the future as it might mean that all ROMs are read from the file system and not just those in the three folders meant for users to add games to. Perhaps something we can exploit here?)
Let’s continue onward with the Linux bootup process. Linux has what it calls runlevels. Basically these runlevels are numbered from 0 to 6 and represent different states. Most Linux boxes will set runlevel to 5 which represents network up and running, graphical interface running, everything ready for users. Runlevel 6 is usually the reboot state and Runlevel 0 is when the system is halted and can be safely shutdown. There are scripts that can be run automatically when certain runlevels are hit, so let’s take a look and see if we’ve got something like that happening here.
A Simplified Look at Our EXT3 File System
Just before we start poking around, let’s take a quick tour of our EXT3 file system so you can get an idea of what you’re looking at.
Starting from the top, here’s what we’ve got:
- /bin – Binaries that are common for the system and available for most to use.
- /dev – Files representing all the machine’s devices are stored here. (Linux treats all devices as if they were virtual files which allows for some interesting ways of doing things.)
- /etc – Configuration files used by the system, some applications and daemons (services).
- /home – This is where your own user files are stored, much like My Documents on Windows but more tightly controlled and secured.
- /lib – Where you will normally find Linux kernel modules and libraries (much like Windows DLLs).
- /lost+found – A directory where Linux will attempt to place any files it recovers upon checking the system at startup.
- /proc – A virtual filesystem that contains information about the running system, no actual files exist here.
- /sbin – Binaries that are needed for running the Linux system and maintaining it.
- /sys – Similar to /proc, it is a virtual filesystem containing information about the running system.
- /tmp – A temporary filesystem that is created in RAM and can be used by processes for temporarily storing data. Disappears when system reboots.
- /usr – Contains binaries meant for users to run and use as well as libraries and additional files needed by those binaries.
- We will ignore the linuxrc symlink (or shortcut) for the moment.
We’re going to take a quick look at the /etc directory to see what we can find there. Typically, it is where you would find scripts that would run when runlevel hits 5 as well as other information such as filesystems to mount on boot.
Poking Around Some More
So what do we have here?
- /etc/init.d/ – A directory that normally holds scripts to run on startup.
- /etc/fstab – A file used by Linux for mounting filesystems.
- /etc/hostname – A filename that tells Linux what hostname the machine should use.
- /etc/profile – A default profile for all users on the machine.
Okay, so taking a look at profile shows absolutely nothing of interest, just something for setting the default terminal prompt, which we cannot see anyways. The hostname file just tells the machine to set the hostname to “hhh”, nothing too exciting here.
Now fstab is very interesting for us as it is where you would normally find filesystems getting mounted. We would expect to find our udisk listed here among the filesystems and… we don't.
Instead, what we see here are the various virtual filesystems that are needed soon after booting. /proc and /sys are created during boot up and /tmp and /dev are created soon after. Well, that would normally be the case except none of the file systems are marked “auto”, so they need to be mounted manually, likely from a script. The use of tmpfs means “this filesystem exists only in RAM”, essentially. Alrighty, so a swing and a miss. Let’s move on to the init.d directory, where we find a file called rcS that I have good feelings about. Let’s open it up, shall we?
This small shell script is run on bootup. It tells the machine to set the hostname using the “hhh” value found in /etc/hostname. It then sets the default directories that Linux will use as its PATH variable, searching the directories listed for any executables the user will attempt to type into the console. Nothing unusual about either command here at all. But what do we have here? A command attempting to run /usr/myinit which definitely isn’t something you would find on a normal Linux box. Let’s check that out.
Okay, so the first two lines here set up the PATH for Linux to look for executables and the PATH to load libraries (like Windows DLLs) from. Both of these are 100% standard for Linux, so nothing odd there. But the next line… that’s… that’s something new to me. A quick Google search for QWS_DISPLAY shows that it is a variable used by QT for Embedded Linux, which is a graphical toolkit. So it is more than likely that our emulator frontend uses the QT toolkit for all its graphics.
After reading that and looking at the line in our /usr/myinit file, we can see now that it is setting a variable to tell a QT application to use the Linux framebuffer device for writing graphics to the screen using the /dev/fb0 device.
Remember when I mentioned how it was odd that /etc/fstab showed filesystems but none of them were flagged as “auto” and therefore wouldn’t be automatically mounted at boot time? Well, the reason for that appears to be that they would rather have this script do it instead. The use of “mount -a” tells Linux to mount all the filesystems listed in /etc/fstab right now, so it is at this point that those virutal file systems are mounted and active. “mdev -s” is responsible for creating all the virtual files for each of your devices in /dev. This is where, for example, the /dev/fb0 framebuffer device will be created.
Finally, we see a while loop that will loop infinitely running what looks like our frontend executable. This is exactly the kind of thing you do when you want a program to always be running because if it terminates at any point, this loop will start it back up again automatically. This is a great stopping point for now.
So, let’s take a look at what we now know about our Pandora’s Box 6 so far.
- The udisk is formatted FAT16 and contains all of our default games and directories for adding more games.
- The boot SD card is split into two partitions, a FAT partition that contains what looks like different archives depending on what settings you use and an EXT3 file system that houses the rest of the system.
- The emulators used by the Pandora’s Box are MAME 0.106, Final Burn Alpha 0.2.97.36 and an unknown PlayStation emulator (likely PCSX ReARMed, but haven’t found evidence yet).
- The emulator frontend appears to load games up on-the-fly.
- The emulator frontend appears to use the QT graphical toolkit for embedded Linux devices.
- The boot sequence once we are past loading the Linux Kernel is /etc/init.d/rcS -> /usr/myinit -> /usr/emu/emulotar
- We learned a bit about how the Linux filesystem looks and what the structure means.
- We learned that sometimes, looking up stuff on Google can bring us some knowledge that we would have needed otherwise.
- The Linux kernel isn’t on the UDisk as the PB6 can be booted up without it attached just fine.
- In the next blog post, we will continue to pull on the thread to see what falls out as we examine the emulator frontend application itself and see what else we can find to help us.
Hope that you’ve learned something from this post. If you have questions, feel free to ask in the comments below.