So this is a pretty interesting one, i found this one on a local marketplace for 25 dollars, so i immediately snagged it up.
After it booted up, it showed an activation screen. Looks like the previous owner has logged out.
We can't do much from this screen, either call the number to activate it, or go to the wifi settings.
Since i don't own a restaurant (shocker, i know) i am sure that they will refuse to activate this, so wifi settings it is!
It seems that we have another android specimen on our hands! Looks like a pretty old android version tho.
From the wifi menu, you are able to open the file picker by trying to install a wifi certificate. Unfortunately, this is only a file picker and not the full app. So we can't take advantage of this.
I also tried to use a captive portal to get anywhere else but nope, dead end.
Alright then, let's look at the ports this thing has.
It has an ethernet port, a wireless antenna screw in thingy, 2 usb ports and an AC adapter port!
First things first, plugging in a keyboard.
I am able to get to the app switcher with Alt Tab! Other shortcuts for brightness and volume also work but you can't get anywhere else with that.
By holding the settings icon i am able to open up the app info page of the settings app. However, since this is not a recent enough android version (android 6 it seems from the app version), there is no way to open the app from this screen.
Another dead end.
Looking at teardowns of the device, there are lots of exposed pins for UART or uboot things and also a switch that seemingly disables the usb ports (maybe a male to male connector can now link it up to a pc or something?)
Picture credit: jahfaby on xda
In my own teardown (didn't take a pic and i am not opening this thing again) i noticed that it also has an NFC reader on the left side in the stand.
I tried to android beam some things over and it actually did pick it up and beamed the file over, however i still couldn't use them because i didn't have access to a full file picker....
Then, 130km.ro on XDA found out that NFC tags work to open an app? I never heard of this before but apparently, yes, it is possible to make an NFC card open any app you want! Just specify the android package you want to open from the NFC tools app on android, and then write that to an NFC card. Unfortunately he bricked his device after setting a lockscreen for which the UI is not implemented, leaving him with a black screen. It was now my task to complete this.
Yup, there is settings!
The settings menu has a kiosk menu which can enable back the status and navbar! Also an Adminsettings toggle which removes most advanced settings menus including the kiosk menu itself. However it is enabled by default. (I found out what it did the hard way lol)
With the status bar and navbar re-enabled, i plugged in a usb drive, pulled the navbar down and accessed the files on it. However, installing an apk didn't seem to work, giving back "Can't open file".
However, while browsing through the apps which were installed on the device, i noticed a different filemanager that was installed that could possibly install apks! I needed to get the package name of that app from somewhere. Luckily, this rom is a userdebug rom (why?) and can debug all apps, and that menu gives the package names back!
So i went ahead and made a different NFC card for com.cyanogenmod.filemanager
And after copying the apk to internal storage from the usb menu (cyanogenmod filemanager could only read the internal storage) i could install the apk!
And there we are! I installed niagara launcher, firefox for downloading more apps and a power menu app so i could reboot and power off. (this thing doesn't have any physical buttons)
I dumped all the apps from it to see if i could find other juicy things.
Apparently if you press the bottom left corner of the screen 4 times in a row you can fill in an admin password. Let's check that out.
Here you can fill in 59047 for an admin menu that includes an app launcher and a shortcut to settings.
You can also fill in 14611 for a factory test menu.
I have confirmed that these codes do not change per device because i also found out the update url, downloaded the entire firmware and extracted it. So you can just go the code route instead of the nfc route. But i think that both are pretty easy to do.
The full update url is normally communicated over an MQTT connection, however i have the domain host from the constants file i showed earlier and i found a test path in the factory test app. Combining these two gives https://update.gronic.com/torg_latest.zip
The system.new.dat can be extracted with sdat2img and can then be mounted to see the entire filesystem.
So, that's it. I have not yet taken the time to figure out how to accomplish an adb connection because it would either require a male to male usb cable or soldering to some test pads. But once you have that, because it's a userdebug rom, you already have root 😄
Happy modding and gaming :)
If you liked this article, consider supporting me so i will be able to convince myself that buying more strange android devices is worth it lol
https://ko-fi.com/mgdproductions