Huawei HG8245H ONT unbricking notes (5): working out a viable unbricking plan

Posted: 2017-2-21 09:38 6183

Originally published on my blog: http://blog.csersoft.net/archives/167
Body:
In the previous parts I connected to the HG8245H over JTAG; what remains is working out how to write the correct data back to the flash through JTAG.
Broadly, the viable approaches are:
- Program the NAND flash directly over JTAG (by driving the NAND flash controller).
- Load the second-stage bootloader (U-Boot) and use its built-in command line to write the flash.
The first option is hardly worth considering: OpenOCD supports only a limited set of NAND flash controllers, and at present I don't know how the SD5115's NAND flash controller is accessed. With NOR flash there would be some hope.
So the main hope rests on U-Boot. I extracted U-Boot from the HG8245H firmware, dropped it into IDA Pro and worked out its load address, then used OpenOCD's load_image command to load it into RAM and run it:
halt ; load_image binary/8245H_R16_UB.BIN 0x81F00000 ; resume 0x81F00000
These are three commands: halt stops the target CPU; load_image writes binary data to the given memory address; resume restarts the CPU at the given address (by setting the PC register). Together they write U-Boot to memory address 0x81F00000 and run it.
After it runs, the UART shows the following output:
HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 - 18:06:02)
NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:0
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!
U-Boot 2010.03 (R16C10 Jul 14 2016 - 14:19:37)
DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x01 0xF1 0x00 0x1D 0x01 0xF1 0x00 0x1D
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment
In: serial
Out: serial
Err: serial
PHY power down !!!
[main.c__6080]::CRC:0xfddebfbf, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0xfffffffd, RunFlag:0xffffffff
0x000000100000-0x000008000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
slave_paramA in flash, CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x2
use slave_paramA which is from flash, the RAM data is not OK!!!
Start from main system(0x0)!
CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
Main area (A) is OK!
CRC:0x39e1f1ae, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
UBIFS error (pid 0): ubifs_recover_master_node: failed to recover master node
Error reading superblock on volume 'ubi:file_system'!
mount ubifs error!
Bootcmd:ubi read 0x85c00000 kernelA 0x19f28a; bootm 0x85c00054
BootArgs:noalign mem=118M console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0x7f00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=0 l2_cache=l2hi coherent_pool=4M user_debug=0x1f panic=1 skb_priv=128 debug_ll=on
U-boot Start from NORMAL Mode!
## Booting kernel from Legacy Image at 85c00054 ...
Image Name: Linux-3.10.53-HULK2
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1700342 Bytes = 1.6 MB
Load Address: 80e08000
Entry Point: 80e08000
Memory Start: 80a00000
Loading Kernel Image ... OK
OK
kernel loaded at 0x80a08000, end = 0x80ba71f6
Starting kernel ...
Uart base = 0x1010F000
dtb addr = 0x81007398
Uncompressing Linux... LZMA data is corrupt
-- System halted
So although U-Boot runs successfully, the kernel still fails (probably still the ubifs problem) and the system halts. JTAG also becomes inaccessible (once U-Boot is running, JTAG can no longer be used; I don't know why, but my guess is that U-Boot disables JTAG debugging), so the only option is to power-cycle the device. I also didn't see U-Boot prompt for any key to interrupt the autoboot.
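The bootm output above ("Booting kernel from Legacy Image", Image Name, Data Size, Load Address, Entry Point) is U-Boot reading a legacy uImage header, and the boot dies one step later because the kernel data it loaded is corrupt. Before writing anything back over JTAG it is worth checking that the kernel image you intend to flash is internally consistent. The following is an added example, not code from the original post or from Huawei: a small Python parser that decodes a legacy uImage header and verifies both its header CRC32 and its data CRC32 (the same checks U-Boot's bootm performs when image verification is enabled). The 64-byte big-endian layout and the magic value 0x27051956 are the standard U-Boot legacy image format; the sample image is constructed inline and only reuses the name, load and entry values printed in the log above.

```python
"""Parse and verify a U-Boot legacy image (uImage) header.

Layout of the 64-byte big-endian header (U-Boot image.h):
  magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
"""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_FMT = ">IIIIIIIBBBB32s"            # 7 x u32, 4 x u8, 32-byte name = 64 bytes
IH_LEN = struct.calcsize(IH_FMT)

# Enum values used in this example (U-Boot image.h): Linux, ARM, kernel, no compression
IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_KERNEL, IH_COMP_NONE = 5, 2, 2, 0


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload: bytes, name: str, load: int, entry: int) -> bytes:
    """Wrap payload in a legacy uImage header with valid header and data CRCs."""
    name_field = name.encode()[:32]
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, 0, len(payload), load, entry,
                      crc32(payload), IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_KERNEL,
                      IH_COMP_NONE, name_field)
    # The header CRC is computed over the header with the hcrc field zeroed.
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + payload


def parse_uimage(blob: bytes) -> dict:
    """Return the decoded header fields plus the results of the integrity checks."""
    if len(blob) < IH_LEN:
        raise ValueError("blob is shorter than a uImage header")
    (magic, hcrc, _ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(IH_FMT, blob[:IH_LEN])
    data = blob[IH_LEN:IH_LEN + size]
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:IH_LEN]
    return {
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "size": size,
        "load": load,
        "entry": ep,
        "os": os_,
        "arch": arch,
        "type": typ,
        "comp": comp,
        "magic_ok": magic == IH_MAGIC,
        "hcrc_ok": crc32(zeroed) == hcrc,
        # A truncated image fails the size check; a flipped payload byte fails dcrc.
        "size_ok": len(data) == size,
        "dcrc_ok": len(data) == size and crc32(data) == dcrc,
    }


def image_ok(blob: bytes) -> bool:
    """True only if magic, header CRC, declared size and data CRC all check out."""
    r = parse_uimage(blob)
    return r["magic_ok"] and r["hcrc_ok"] and r["size_ok"] and r["dcrc_ok"]


# Constructed sample: a dummy 2 KiB "kernel" payload wrapped with the name, load
# and entry values the HG8245H boot log reports (not a real kernel).
SAMPLE_PAYLOAD = bytes(range(256)) * 8
SAMPLE_IMAGE = build_uimage(SAMPLE_PAYLOAD, "Linux-3.10.53-HULK2",
                            0x80E08000, 0x80E08000)


if __name__ == "__main__":
    info = parse_uimage(SAMPLE_IMAGE)
    print(f"{info['name']}: load=0x{info['load']:08x} entry=0x{info['entry']:08x} "
          f"size={info['size']} hcrc_ok={info['hcrc_ok']} dcrc_ok={info['dcrc_ok']}")
    # A single flipped byte in the payload is caught by the data CRC.
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[IH_LEN + 100] ^= 0xFF
    print("damaged payload passes:", image_ok(bytes(damaged)))
```

To check a real image, read the kernel blob from the firmware dump into `parse_uimage` and refuse to flash unless `image_ok` returns True; note that in this log bootm is given 0x85c00054, i.e. the uImage header sits 0x54 bytes into the buffer that `ubi read` filled, so the blob must be sliced at the header's magic rather than at the start of the UBI volume.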