[Solved] Router AP firmware analysis problem, asking the experts to take a look.

Posted: 2022-8-4 23:59
Solved perfectly, thanks to 堂前燕 on floor 4; the answer is on floor 4.
I picked up a few NAP840 APs. One of them would not boot because its firmware was corrupted, so I desoldered the flash, read the good unit's contents with a programmer and wrote them to the bad one; the bad one now boots, but its MAC is identical to the one I extracted from.
Using WinHex I found MAC address information at offset 007c0000; after modifying it and flashing, the MAC is reset to 081011000304, and connecting over TTL shows this error in the boot log:

ERROR: Invalid checksum of current setting! for HW from /dev/mtdblock2, offset:6, len:5522,
                [apmib_load_conf3:294][722:factory_args.sh, 721:/bin/sh][time:8]

It seems to be related to factory_args.sh. I extracted it with binwalk, but it looks encrypted and I can't read it. Could an expert help look into it?
Update, 8.5: I extracted another programmer dump from the same model, took the 1598 bytes of MAC information at 007c0000 and wrote them into a programmer dump with a different MAC, flashed that back to the device and found that the MAC can be changed. So the check covers exactly those 1598 bytes at 007c0000. I extracted the MAC blocks from two programmer dumps plus one that had been reset to default after modification, three in total, and found that the first 2 bytes and the last 2 bytes change; I just don't know how they are checked. Once I know the checksum method I can compute it by hand and adjust the bytes, and the error should go away. Recording the process here in the hope that someone can clear this up.
My own comparison chart:


Three latest extracted MAC blocks (all different): [attachment: three different-MAC files]
Full programmer dump of the firmware: [attachment: programmer firmware]
factory_args.sh download: [attachment: factory_args.sh]
Boot log after modifying the MAC:

Booting...
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0ef4017h 00000efh 0000040h 0000017h 0000000h 0000017h 0800000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000080h 0001000h 0000800h 0000100h 0000010h 000003eh W25Q64
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2018.04.03-10:30+0800 v1.6b [16bit](579MHz)
====no sys signature at 00010000!cs6c[cr6c]
ret=0  sys signature at 00010000!
====no sys signature at 00020000!cs6c[cr6c]
ret=0  sys signature at 00020000!
ret=2  sys signature at 00030000!
checksum sum 0, p_kernel_img 80500000, 00117882
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
no rootfs signature at 000E2000!
no rootfs signature at 000E3000!
no rootfs signature at 000E4000!
no rootfs signature at 000E5000!
no rootfs signature at 000E6000!
no rootfs signature at 000E7000!
no rootfs signature at 000E8000!
no rootfs signature at 000E9000!
no rootfs signature at 000EA000!
no rootfs signature at 000EB000!
no rootfs signature at 000EC000!
no rootfs signature at 000ED000!
no rootfs signature at 000EE000!
no rootfs signature at 000EF000!
no rootfs signature at 000F1000!
no rootfs signature at 000F2000!
no rootfs signature at 000F3000!
no rootfs signature at 000F4000!
no rootfs signature at 000F5000!
no rootfs signature at 000F6000!
no rootfs signature at 000F7000!
no rootfs signature at 000F8000!
no rootfs signature at 000F9000!
no rootfs signature at 000FA000!
no rootfs signature at 000FB000!
no rootfs signature at 000FC000!
no rootfs signature at 000FD000!
no rootfs signature at 000FE000!
no rootfs signature at 000FF000!
no rootfs signature at 00100000!
no rootfs signature at 00101000!
no rootfs signature at 00102000!
no rootfs signature at 00103000!
no rootfs signature at 00104000!
no rootfs signature at 00105000!
no rootfs signature at 00106000!
no rootfs signature at 00107000!
no rootfs signature at 00108000!
no rootfs signature at 00109000!
no rootfs signature at 0010A000!
no rootfs signature at 0010B000!
no rootfs signature at 0010C000!
no rootfs signature at 0010D000!
no rootfs signature at 0010E000!
no rootfs signature at 0010F000!
no rootfs signature at 00110000!
no rootfs signature at 00111000!
no rootfs signature at 00112000!
no rootfs signature at 00113000!
no rootfs signature at 00114000!
no rootfs signature at 00115000!
no rootfs signature at 00116000!
no rootfs signature at 00117000!
no rootfs signature at 00118000!
no rootfs signature at 00119000!
no rootfs signature at 0011A000!
no rootfs signature at 0011B000!
no rootfs signature at 0011C000!
no rootfs signature at 0011D000!
no rootfs signature at 0011E000!
no rootfs signature at 0011F000!
no rootfs signature at 00120000!
no rootfs signature at 00121000!
no rootfs signature at 00122000!
no rootfs signature at 00123000!
no rootfs signature at 00124000!
no rootfs signature at 00125000!
no rootfs signature at 00126000!
no rootfs signature at 00127000!
no rootfs signature at 00128000!
no rootfs signature at 00129000!
no rootfs signature at 0012A000!
no rootfs signature at 0012B000!
no rootfs signature at 0012C000!
no rootfs signature at 0012D000!
no rootfs signature at 0012E000!
no rootfs signature at 0012F000!
no rootfs signature at 00131000!
no rootfs signature at 00132000!
no rootfs signature at 00133000!
no rootfs signature at 00134000!
no rootfs signature at 00135000!
no rootfs signature at 00136000!
no rootfs signature at 00137000!
no rootfs signature at 00138000!
no rootfs signature at 00139000!
no rootfs signature at 0013A000!
no rootfs signature at 0013B000!
no rootfs signature at 0013C000!
no rootfs signature at 0013D000!
no rootfs signature at 0013E000!
no rootfs signature at 0013F000!
no rootfs signature at 00140000!
no rootfs signature at 00141000!
no rootfs signature at 00142000!
no rootfs signature at 00143000!
no rootfs signature at 00144000!
no rootfs signature at 00145000!
no rootfs signature at 00146000!
no rootfs signature at 00147000!
no rootfs signature at 00148000!
no rootfs signature at 00149000!
no rootfs signature at 0014A000!
no rootfs signature at 0014B000!
no rootfs signature at 0014C000!
no rootfs signature at 0014D000!
no rootfs signature at 0014E000!
no rootfs signature at 0014F000!
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003400
Realtek WLAN driver - version 1.6 (2013-02-21)
Adaptivity function - version 7.1
 
 
#######################################################
SKB_BUF_SIZE=2408 MAX_SKB_NUM=480
#######################################################
 
 
 
 
Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=1 Member port 0x1...
eth1 added. vid=2 Member port 0x10...
eth2 added. vid=1 Member port 0x2...
eth3 added. vid=1 Member port 0x4...
eth4 added. vid=1 Member port 0x8...
eth5 added. vid=1 Member port 0x0...
[peth0] added, mapping to [eth1]...
zlr Creating 7 MTD partitions on "flash_bank_1":
WARNNING:       find rootfs in:0x150000,        real_offset:150000
0x000000000000-0x000000150000 : "boot+cfg+linux"
0x000000150000-0x000000740000 : "root fs"
0x0000007c0000-0x000000800000 : "parm flash"
0x000000000000-0x000000800000 : "all"
0x000000740000-0x0000007c0000 : "jffs2"
0x000000000000-0x0000000d0000 : "linux up"
0x0000000d0000-0x000000800000 : "rootfs up"
Realtek FastPath:v1.03
serial console detected.  Disabling virtual terminals.
init started:  BusyBox v1.00-pre8 (2014.08.14-10:37+0000) multi-call binary
Bummer, could not run '/etc/init.d/rcS': No such file or directory
 
 
BusyBox v1.00-pre8 (2014.08.14-10:37+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
 
mount -t jffs2 /dev/mtdblock4 /tmp/para status:0
ERROR: Invalid checksum of current setting! for HW from /dev/mtdblock2, offset:6, len:5522,
                [apmib_load_conf3:294][722:factory_args.sh, 721:/bin/sh][time:8]
WARNNING: first 2048 bytes of /dev/mtdblock2: hw={
boardVer=1
nic0Addr=081079e3fd78
nic1Addr=0810117830c9
wlan={
0={
macAddr=081079e3fd79
macAddr1=081079e3fd80
macAddr2=081079e3fd81
macAddr3=081079e3fd82
macAddr4=081079e3fd83
macAddr5=081079e3fd84
macAddr6=08101781,
                [apmib_load_conf3:300][722:factory_args.sh, 721:/bin/sh][time:8]
WARNNING: last 2048 bytes of /dev/mtdblock2: S_A=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
                [apmib_load_conf3:307][722:factory_args.sh, 721:/bin/sh][time:8]
WARNNING: try again, cnt:1,
                [apmib_load_conf3:313][722:factory_args.sh, 721:/bin/sh][time:8]
ERROR: Invalid checksum of current setting! for HW from /dev/mtdblock2, offset:6, len:5522,
                [apmib_load_conf3:294][722:factory_args.sh, 721:/bin/sh][time:8]
WARNNING: first 2048 bytes of /dev/mtdblock2: hw={
boardVer=1
nic0Addr=081079e3fd78
nic1Addr=0810117830c9
wlan={
0={
macAddr=081079e3fd79
macAddr1=081079e3fd80
macAddr2=081079e3fd81
macAddr3=081079e3fd82
macAddr4=081079e3fd83
macAddr5=081079e3fd84
macAddr6=08101781,
                [apmib_load_conf3:300][722:factory_args.sh, 721:/bin/sh][time:8]
WARNNING: last 2048 bytes of /dev/mtdblock2: S_A=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
                [apmib_load_conf3:307][722:factory_args.sh, 721:/bin/sh][time:8]
ERROR: can't read args from /dev/mtdblock2. set->nam:HW, set->len:2317, set->offset:0,
                [apmib_load_conf4:537][722:factory_args.sh, 721:/bin/sh][time:8]
ERROR: section:HW, will reset to default!,
                [normal_err_msg_fun_of_section:562][722:factory_args.sh, 721:/bin/sh][time:8]
@@@@@@@@@normal_reset_fun_of_section
ERROR: Invalid checksum of current setting! for HW from /dev/mtdblock2, offset:6, len:5522,
                [apmib_load_conf3:294][time:8]
WARNNING: first 2048 bytes of /dev/mtdblock2: hw={
boardVer=1
nic0Addr=081079e3fd78
nic1Addr=0810117830c9
wlan={
0={
macAddr=081079e3fd79
macAddr1=081079e3fd80
macAddr2=081079e3fd81
macAddr3=081079e3fd82
macAddr4=081079e3fd83
macAddr5=081079e3fd84
macAddr6=08101781,
                [apmib_load_conf3:300][time:8]
WARNNING: last 2048 bytes of /dev/mtdblock2: S_A=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
                [apmib_load_conf3:307][time:8]
WARNNING: try again, cnt:1,
                [apmib_load_conf3:313][time:8]
ERROR: Invalid checksum of current setting! for HW from /dev/mtdblock2, offset:6, len:5522,
                [apmib_load_conf3:294][time:8]
WARNNING: first 2048 bytes of /dev/mtdblock2: hw={
boardVer=1
nic0Addr=081079e3fd78
nic1Addr=0810117830c9
wlan={
0={
macAddr=081079e3fd79
macAddr1=081079e3fd80
macAddr2=081079e3fd81
macAddr3=081079e3fd82
macAddr4=081079e3fd83
macAddr5=081079e3fd84
macAddr6=08101781,
                [apmib_load_conf3:300][time:8]
WARNNING: last 2048 bytes of /dev/mtdblock2: S_A=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
                [apmib_load_conf3:307][time:8]
ERROR: can't read args from /dev/mtdblock2. set->nam:HW, set->len:2317, set->offset:0,
                [apmib_load_conf4:537][time:8]
Initialize AP HW MIB failed for writeDefault(), LINE:1667!
[writeDefault:1708:flash.c][writeDefault:1708]
 
[writeDefault:1713:flash.c],
[writeDefault:2277:1],
[writeDefault:2277:1],
!!!!!olddefconf.ssid=NETCORE_2.4G
!!!!!olddefconf.ssid=NETCORE_2.4G
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP1
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP2
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP3
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP4
!!!!!olddefconf.ssid=NETCORE_2.4G
!!!!!olddefconf.ssid=NETCORE_2.4G
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP1
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP2
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP3
!!!!!olddefconf.ssid=NETCORE_2.4G-VAP4
##############num:1677760575###############
###################ac_ip:169.254.96.65####################
ipadd is 192.168.1.254
[writeDefault:4339:flash.c][writeDefault:4339]
 
@@@@@@@@@apmib_update set 1 @@@@@@@@@@@@@@@
@@@@@@[flash_write_by_dev,152]/dev/mtdblock2
[writeDefault:4360:flash.c]type:1, ret:1
@@@@@@@@@apmib_update set 2 @@@@@@@@@@@@@@@
@@@@@@[flash_write_by_dev,152]/dev/mtdblock2
[writeDefault:4365:flash.c]type:2, ret:1
@@@@@@@@@apmib_update set 4 @@@@@@@@@@@@@@@
@@@@@@[flash_write_by_dev,152]/dev/mtdblock2
[writeDefault:4369:flash.c]type:4, ret:1
[writeDefault:4451:flash.c][writeDefault:4451]
 
[writeDefault:4508:flash.c][writeDefault:4508], success of writeDefault
 
ERROR: section:HW, load default*************************************,
                [normal_reset_fun_of_section:571][722:factory_args.sh, 721:/bin/sh][time:10]
0072700727007270072700727normal_reset_fun_of_section
ERROR: Will reboot*************************************,
                [apmib_init:3325][722:factory_args.sh, 721:/bin/sh][time:10]
 
The system is going down NOW !!
Sending SIGTERM to all processes.
Terminated
733
wlan_check.sh: do nothing......
version_new=Netcore(NAP840+)CN-V1.2.42856,2018.04.03 10:16.
 
/proc/wps_btn_delay: cannot create
killall: xhcatv: no process killed
killall: multi_ppp: no process killed
killall: igmpproxy: no process killed
killall: udhcpc: no process killed
wlanapp_sh:1942:@@@@@@@####;wlan0
~~~~~~~~~~~~~~~~~~~~~~ssid=NETCORE_2.4G
initWlan[6477]stanum=0
MIB_HW_TX_POWER_CCK_A=2e2e2e2d2d2d2d2d2d2c2c2c2c2c
MIB_HW_TX_POWER_CCK_A_new=2e2e2e2d2d2d2d2d2d2c2c2c2c2c
MIB_HW_TX_POWER_HT40_1S_A=333232323231313130302f2f2e2e
MIB_HW_TX_POWER_HT40_1S_An=333232323231313130302f2f2e2e
MIB_HW_TX_POWER_HT20=0f0f0f0f0f0f0f0f0f0f0f0f0f0f
MIB_HW_TX_POWER_HT20n=0f0f0f0f0f0f0f0f0f0f0f0f0f0f
MIB_HW_TX_POWER_DIFF_OFDM=0102010101010101010102010202
MIB_HW_TX_POWER_DIFF_OFDMn=0102010101010101010102010202
initWlan:6172,wlan0-vxd is off
initWlan:6172,wlan0-va0 is off
initWlan:6172,wlan0-va1 is off
initWlan:6172,wlan0-va2 is off
initWlan:6172,wlan0-va3 is off
cmd=/bin/brctl addif br0 eth0
cmd=/sbin/ifconfig eth0 up
qvlan_set_write 7855  41 0 0 0   0 0 0 0 0 0
qvlan_set_write 7855  44 -1 -1 0         0 0 0 0 0 0
brctl setfd br0 0
brctl stp br0 0
Se▒Bummer, could not run '/sbin/swapoff': No such file or directory
Please stand by while rebooting the system.
 
Booting...
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0ef4017h 00000efh 0000040h 0000017h 0000000h 0000017h 0800000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000080h 0001000h 0000800h 0000100h 0000010h 000003eh W25Q64
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reboot Result from Watchdog Timeout!
 
---RealTek(RTL8196D)at 2018.04.03-10:30+0800 v1.6b [16bit](579MHz)
====no sys signature at 00010000!cs6c[cr6c]
ret=0  sys signature at 00010000!
====no sys signature at 00020000!cs6c[cr6c]
ret=0  sys signature at 00020000!
ret=2  sys signature at 00030000!
checksum sum 0, p_kernel_img 80500000, 00117882
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
no rootfs signature at 000E2000!
no rootfs signature at 000E3000!
no rootfs signature at 000E4000!
no rootfs signature at 000E5000!
no rootfs signature at 000E6000!
no rootfs signature at 000E7000!
no rootfs signature at 000E8000!
no rootfs signature at 000E9000!
no rootfs signature at 000EA000!
no rootfs signature at 000EB000!
no rootfs signature at 000EC000!
no rootfs signature at 000ED000!
no rootfs signature at 000EE000!
no rootfs signature at 000EF000!
no rootfs signature at 000F1000!
no rootfs signature at 000F2000!
no rootfs signature at 000F3000!
no rootfs signature at 000F4000!
no rootfs signature at 000F5000!
no rootfs signature at 000F6000!
no rootfs signature at 000F7000!
no rootfs signature at 000F8000!
no rootfs signature at 000F9000!
no rootfs signature at 000FA000!
no rootfs signature at 000FB000!
no rootfs signature at 000FC000!
no rootfs signature at 000FD000!
no rootfs signature at 000FE000!
no rootfs signature at 000FF000!
no rootfs signature at 00100000!
no rootfs signature at 00101000!
no rootfs signature at 00102000!
no rootfs signature at 00103000!
no rootfs signature at 00104000!
no rootfs signature at 00105000!
no rootfs signature at 00106000!
no rootfs signature at 00107000!
no rootfs signature at 00108000!
no rootfs signature at 00109000!
no rootfs signature at 0010A000!
no rootfs signature at 0010B000!
no rootfs signature at 0010C000!
no rootfs signature at 0010D000!
no rootfs signature at 0010E000!
no rootfs signature at 0010F000!
no rootfs signature at 00110000!
no rootfs signature at 00111000!
no rootfs signature at 00112000!
no rootfs signature at 00113000!
no rootfs signature at 00114000!
no rootfs signature at 00115000!
no rootfs signature at 00116000!
no rootfs signature at 00117000!
no rootfs signature at 00118000!
no rootfs signature at 00119000!
no rootfs signature at 0011A000!
no rootfs signature at 0011B000!
no rootfs signature at 0011C000!
no rootfs signature at 0011D000!
no rootfs signature at 0011E000!
no rootfs signature at 0011F000!
no rootfs signature at 00120000!
no rootfs signature at 00121000!
no rootfs signature at 00122000!
no rootfs signature at 00123000!
no rootfs signature at 00124000!
no rootfs signature at 00125000!
no rootfs signature at 00126000!
no rootfs signature at 00127000!
no rootfs signature at 00128000!
no rootfs signature at 00129000!
no rootfs signature at 0012A000!
no rootfs signature at 0012B000!
no rootfs signature at 0012C000!
no rootfs signature at 0012D000!
no rootfs signature at 0012E000!
no rootfs signature at 0012F000!
no rootfs signature at 00131000!
no rootfs signature at 00132000!
no rootfs signature at 00133000!
no rootfs signature at 00134000!
no rootfs signature at 00135000!
no rootfs signature at 00136000!
no rootfs signature at 00137000!
no rootfs signature at 00138000!
no rootfs signature at 00139000!
no rootfs signature at 0013A000!
no rootfs signature at 0013B000!
no rootfs signature at 0013C000!
no rootfs signature at 0013D000!
no rootfs signature at 0013E000!
no rootfs signature at 0013F000!
no rootfs signature at 00140000!
no rootfs signature at 00141000!
no rootfs signature at 00142000!
no rootfs signature at 00143000!
no rootfs signature at 00144000!
no rootfs signature at 00145000!
no rootfs signature at 00146000!
no rootfs signature at 00147000!
no rootfs signature at 00148000!
no rootfs signature at 00149000!
no rootfs signature at 0014A000!
no rootfs signature at 0014B000!
no rootfs signature at 0014C000!
no rootfs signature at 0014D000!
no rootfs signature at 0014E000!
no rootfs signature at 0014F000!
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003400
Realtek WLAN driver - version 1.6 (2013-02-21)
Adaptivity function - version 7.1
 
 
#######################################################
SKB_BUF_SIZE=2408 MAX_SKB_NUM=480
#######################################################
 
 
 
 
Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=1 Member port 0x1...
eth1 added. vid=2 Member port 0x10...
eth2 added. vid=1 Member port 0x2...
eth3 added. vid=1 Member port 0x4...
eth4 added. vid=1 Member port 0x8...
eth5 added. vid=1 Member port 0x0...
[peth0] added, mapping to [eth1]...
zlr Creating 7 MTD partitions on "flash_bank_1":
WARNNING:       find rootfs in:0x150000,        real_offset:150000
0x000000000000-0x000000150000 : "boot+cfg+linux"
0x000000150000-0x000000740000 : "root fs"
0x0000007c0000-0x000000800000 : "parm flash"
0x000000000000-0x000000800000 : "all"
0x000000740000-0x0000007c0000 : "jffs2"
0x000000000000-0x0000000d0000 : "linux up"
0x0000000d0000-0x000000800000 : "rootfs up"
Realtek FastPath:v1.03
serial console detected.  Disabling virtual terminals.
init started:  BusyBox v1.00-pre8 (2014.08.14-10:37+0000) multi-call binary
Bummer, could not run '/etc/init.d/rcS': No such file or directory
 
 
BusyBox v1.00-pre8 (2014.08.14-10:37+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
 
mount -t jffs2 /dev/mtdblock4 /tmp/para status:0
725
wlan_check.sh: do nothing......
version_new=Netcore(NAP840+)CN-V1.2.42856,2018.04.03 10:16.
 
/proc/wps_btn_delay: cannot create
killall: xhcatv: no process killed
killall: multi_ppp: no process killed
killall: igmpproxy: no process killed
killall: udhcpc: no process killed
wlanapp_sh:1942:@@@@@@@####;wlan0
~~~~~~~~~~~~~~~~~~~~~~ssid=NETCORE_2.4G
initWlan[6477]stanum=0
MIB_HW_TX_POWER_CCK_A=2e2e2e2d2d2d2d2d2d2c2c2c2c2c
MIB_HW_TX_POWER_CCK_A_new=2e2e2e2d2d2d2d2d2d2c2c2c2c2c
MIB_HW_TX_POWER_HT40_1S_A=333232323231313130302f2f2e2e
MIB_HW_TX_POWER_HT40_1S_An=333232323231313130302f2f2e2e
MIB_HW_TX_POWER_HT20=0f0f0f0f0f0f0f0f0f0f0f0f0f0f
MIB_HW_TX_POWER_HT20n=0f0f0f0f0f0f0f0f0f0f0f0f0f0f
MIB_HW_TX_POWER_DIFF_OFDM=0102010101010101010102010202
MIB_HW_TX_POWER_DIFF_OFDMn=0102010101010101010102010202
initWlan:6172,wlan0-vxd is off
initWlan:6172,wlan0-va0 is off
initWlan:6172,wlan0-va1 is off
initWlan:6172,wlan0-va2 is off
initWlan:6172,wlan0-va3 is off
cmd=/bin/brctl addif br0 eth0
cmd=/sbin/ifconfig eth0 up
qvlan_set_write 7855  41 0 0 0   0 0 0 0 0 0
qvlan_set_write 7855  44 -1 -1 0         0 0 0 0 0 0
brctl setfd br0 0
brctl stp br0 0
brctl addif br0 wlan0
/sbin/ifconfig wlan0 0.0.0.0
[PHY_REG_8192E_extlna]
[AGC_TAB_8192E_extlna]
[RadioA_8192E_extlna]
[RadioB_8192E_extlna]
ifconfig br0 hw ether 08:10:11:00:03:04
/sbin/ifconfig br0 192.168.1.254
wlanapp_sh:1942:@@@@@@@####;wlan0 wlan0-va0 wlan0-va1 wlan0-va2 wlan0-va3 wlan0-vxd
Register to wlan0
iwcontrol RegisterPID to (wlan0)
SIOCDELRT: No such process
argc:3 [dhcpc_sh:296:dhcpc.c]
open logs file
options_strings:c:fbH:h:i:np:qr:s:x:v:ld:a:u:
udhcp client (v0.9.9-pre) started
script is/usr/share/udhcpc/br0.sh
IEEE 802.11f (IAPP) using interface br0 (v1.8)
@@@@@@rand=18
SIOCDELRT: No such process
SIOCDELRT: No such process
doamin=0
[set_default_route_sh:295:set_default_gw.c], not impl...
#########08:10:11:00:03:04########
#########host:772#############################
##############reply_ip:169.254.3.4######################
SIOCSIFFLAGS: Cannot assign requested address
========================END init.sh===============================
SIGNAl 17;reset_flag[0]
/bin/udp_ap_handle [interface] [file version path] [server ip]MIMO : NAP840+
check_udp_ap_handle[430]:udp_ap_handle running.....
killall: boa: no process killed
killall: boa: no process killed
/proc/sys/net/ipv4/ip_conntrack_max: cannot create
[run_webs_server_by_execv:46:restart_webs.c]
Starting Protocol Module: HTTP Server                      ... OK
/proc/sys/net/core/hot_list_length: cannot create
# Auto channel choose ch:5 2nd:0
 
translate_uri:222;Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
translate_uri:254


Last edited by mszgx on 2022-8-6 14:00
Latest replies (11)
Floor 2

Your problem is that forcibly modifying the firmware caused the partition checksum to fail. Routers usually have a command for changing the MAC; there is no need to modify it by force.

Once a Realtek ("crab") chip prints "no rootfs signature at", it is almost certain that the partition is damaged and the check fails, which is why the error is reported.

This is the file size extracted from your original firmware (to verify it yourself, use the universal 7-Zip: right-click your original firmware to open it and view the rootfs contents)

[image: file contents]


This is the one you shared that you suspect is broken

[image: file size]

[image: file contents]


So it is confirmed that your forced modification of the firmware caused the firmware check to fail




Last edited by 微启宇 on 2022-8-5 01:30
2022-8-5 00:55
Floor 3
Quoting 爱我佳鑫: Your problem is that forcibly modifying the firmware caused the partition checksum to fail. Routers usually have a command for changing the MAC; there is no need to modify it by force. Once a Realtek ("crab") chip prints "no rootfs signature at", it is almost certain that the partition is damaged and the check fails, which is why the error is ...
I can't find a command for changing the MAC; it is precisely because changing the MAC broke the checksum that I am asking for help. factory_args.sh should be what performs the check; I just don't know how the check works.
2022-8-5 11:33
Floor 4

The first 2 bytes are the length; the last byte is the checksum.

(Big endian)

31 73 68 30 31 -> header

15 8E -> len

AF -> checksum_num

 

The data checksum should come out to 0, i.e. byte(!checksum_func(data[:len-1]))+1 = checksum_num

Example:

Sum the data over a length of 0x158D (keep only one byte of the result); after bitwise inverting it and adding 1, it must equal the byte at 0x158E.



lib/apmib.so

check_1775C

check_17048

Last edited by 堂前燕 on 2022-8-6 10:15
2022-8-5 15:24
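The check floor 4 describes, as an added example (not code from the thread, from Realtek or from Netcore): a Python routine that splits a settings block, verifies its one-byte additive checksum the way the post lays it out, and recomputes it for a block you have edited in a dump of your own device. The layout is an assumption taken from the post (5-byte signature, 2-byte big-endian length, body whose last byte is the checksum, whole body summing to 0 mod 256); the sample block is constructed, not a real dump.

```python
# Added example: verify / recompute the one-byte additive checksum of an apmib
# settings block as described on floor 4. Layout assumed from that post:
#   signature (5 bytes, "31 73 68 30 31") | length (2 bytes, big endian) | body
# `length` counts the body bytes; the last body byte is the checksum, chosen so
# that the whole body sums to 0 modulo 256. Nothing here is Realtek/Netcore code.
import struct

SIG_LEN = 5      # assumption: 5-byte signature, as shown in the post
LEN_FIELD = 2    # 2-byte big-endian length field


def split_block(blob: bytes):
    """Return (signature, length, body) from a raw settings block.

    Raises ValueError if the blob is too short or the declared length
    does not fit, which is what you would see on a truncated dump.
    """
    if len(blob) < SIG_LEN + LEN_FIELD:
        raise ValueError("block too short for signature + length")
    sig = blob[:SIG_LEN]
    (length,) = struct.unpack(">H", blob[SIG_LEN:SIG_LEN + LEN_FIELD])
    start = SIG_LEN + LEN_FIELD
    if len(blob) < start + length:
        raise ValueError(
            f"declared length {length} exceeds available body "
            f"({len(blob) - start} bytes)")
    return sig, length, blob[start:start + length]


def expected_checksum(body_without_sum: bytes) -> int:
    """Two's complement of the byte sum: (~sum + 1) & 0xFF == (-sum) & 0xFF.

    This is the "invert and add 1" rule from the post.
    """
    return (-sum(body_without_sum)) & 0xFF


def verify_block(blob: bytes) -> bool:
    """True when the body, checksum byte included, sums to zero mod 256."""
    _, _, body = split_block(blob)
    return sum(body) & 0xFF == 0


def fix_checksum(blob: bytes) -> bytes:
    """Return a copy of `blob` with the trailing checksum byte recomputed.

    Use after editing a field inside the body (e.g. nic0Addr=...) of a dump
    of your own device; any bytes after the block (padding) are preserved.
    """
    sig, length, body = split_block(blob)
    new_body = body[:-1] + bytes([expected_checksum(body[:-1])])
    tail = blob[SIG_LEN + LEN_FIELD + length:]
    return sig + struct.pack(">H", length) + new_body + tail


def build_block(sig: bytes, payload: bytes) -> bytes:
    """Wrap a payload with signature, length and a valid checksum (demo helper)."""
    body = payload + bytes([expected_checksum(payload)])
    return sig + struct.pack(">H", len(body)) + body


# --- constructed demo data; not a real flash dump ---
SIG = bytes.fromhex("3173683031")                 # the header bytes from the post
PAYLOAD = b"hw={\nboardVer=1\nnic0Addr=001122334455\n}"  # constructed body
GOOD = build_block(SIG, PAYLOAD)
# Edit the MAC in place without touching the checksum: the check must now fail,
# which is the situation behind the "Invalid checksum of current setting" error.
TAMPERED = GOOD.replace(b"001122334455", b"001122334456")

if __name__ == "__main__":
    print("original block valid :", verify_block(GOOD))
    print("edited block valid   :", verify_block(TAMPERED))
    print("after fix_checksum   :", verify_block(fix_checksum(TAMPERED)))
```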
Floor 5
Quoting mszgx: I can't find a command for changing the MAC; it is precisely because changing the MAC broke the checksum that I am asking for help. factory_args.sh should be what performs the check; I just don't know how the check works.

Partition checking is the bootloader's job. The official bootloader in Realtek's SDK has no check; the versions vendors build on top of the SDK do have a partition check. Realtek's SDK can be downloaded online, go and look for yourself.


Read the code yourself; this is the snippet from the bootloader code in the Realtek chip SDK that checks the partition:

//------------------------------------------------------------------------------------------
// check img
unsigned int gCHKKEY_HIT = 0;
unsigned int gCHKKEY_CNT = 0;
#if defined(CONFIG_NFBI)
// return,  0: not found, 1: linux found, 2:linux with root found
int check_system_image(unsigned long addr, IMG_HEADER_Tp pHeader)
{
    // Read header, heck signature and checksum
    int i, ret = 0;
    unsigned short sum = 0, *word_ptr;
    unsigned short length = 0;
    unsigned short temp16 = 0;

    if (gCHKKEY_HIT == 1)
        return 0;

    /*check firmware image.*/
    word_ptr = (unsigned short *)pHeader;
    for (i = 0; i < sizeof(IMG_HEADER_T); i += 2, word_ptr++)
        *word_ptr = *((unsigned short *)(addr + i));

    if (!memcmp(pHeader->signature, FW_SIGNATURE, SIG_LEN))
        ret = 1;
    else if (!memcmp(pHeader->signature, FW_SIGNATURE_WITH_ROOT, SIG_LEN))
        ret = 2;
    else
        dprintf("no sys signature at %X!\n", addr);
#if defined(NEED_CHKSUM)
    if (ret)
    {
        for (i = 0; i < pHeader->len; i += 2)
        {
            sum += *((unsigned short *)(addr + sizeof(IMG_HEADER_T) + i));
            // prom_printf("x=%x\n", (addr + sizeof(IMG_HEADER_T) + i));
        }

        if (sum)
        {
            // SYSSR: checksum done, but fail
            REG32(NFBI_SYSSR) = (REG32(NFBI_SYSSR) | 0x8000) & (~0x4000);
            dprintf("sys checksum error at %X!\n", addr);
            ret = 0;
        }
        else
        {
            // SYSSR: checksum done and OK
            REG32(NFBI_SYSSR) = REG32(NFBI_SYSSR) | 0xc000;
        }
    }
#else
    // SYSSR: checksum done and OK
    REG32(NFBI_SYSSR) = REG32(NFBI_SYSSR) | 0xc000;
#endif
    return (ret);
}

#elif defined(CONFIG_NONE_FLASH)
// return,  0: not found, 1: linux found, 2:linux with root found
int check_system_image(unsigned long addr, IMG_HEADER_Tp pHeader)
{
    // Read header, heck signature and checksum
    int i, ret = 0;
    unsigned short sum = 0, *word_ptr;
    unsigned short length = 0;
    unsigned short temp16 = 0;

    if (gCHKKEY_HIT == 1)
        return 0;

    /*check firmware image.*/
    word_ptr = (unsigned short *)pHeader;
    for (i = 0; i < sizeof(IMG_HEADER_T); i += 2, word_ptr++)
        *word_ptr = *((unsigned short *)(addr + i));

    if (!memcmp(pHeader->signature, FW_SIGNATURE, SIG_LEN))
        ret = 1;
    else if (!memcmp(pHeader->signature, FW_SIGNATURE_WITH_ROOT, SIG_LEN))
        ret = 2;
    else
        dprintf("no sys signature at %X!\n", addr);
#if defined(NEED_CHKSUM)
    if (ret)
    {
        for (i = 0; i < pHeader->len; i += 2)
        {
            sum += *((unsigned short *)(addr + sizeof(IMG_HEADER_T) + i));
            // prom_printf("x=%x\n", (addr + sizeof(IMG_HEADER_T) + i));
        }

        if (sum)
        {
            // SYSSR: checksum done, but fail

            dprintf("sys checksum error at %X!\n", addr);
            ret = 0;
        }
        else
        {
            // SYSSR: checksum done and OK
        }
    }
#else

#endif
    return (ret);
}

#else
#if CHECK_BURN_SERIAL
unsigned long board_rootfs_length = 0;
IMG_HEADER_T linux_imghdr;

/* return 0:fail, 2:success, 1: no  burn_serial */
int check_burn_serial(unsigned long addr, IMG_HEADER_Tp pHeader)
{
    int ret = 0;

    if ((pHeader->burnAddr & (1 << 31)))
    {
        unsigned long pad;
        memcpy((void *)(&pad), addr, sizeof(unsigned long));
        BDBG_BSN("\tburnAddr=0x%08x, pad=0x%08x", pHeader->burnAddr, pad);
        if (pHeader->burnAddr == pad)
        {
            BDBG_BSN(", ok\n");
            ret = 2;
        }
    }
    else
    {
        BDBG_BSN("\tfail\n");
        ret = 1;
    }

    return ret;
}
#endif
// return,  0: not found, 1: linux found, 2:linux with root found
int check_system_image(unsigned long addr, IMG_HEADER_Tp pHeader, SETTING_HEADER_Tp setting_header)
{
    // Read header, heck signature and checksum
    int i, ret = 0;
    unsigned short sum = 0, *word_ptr;
    unsigned short length = 0;
    unsigned short temp16 = 0;
    char image_sig_check[1] = {0};
    char image_sig[4] = {0};
    char image_sig_root[4] = {0};

    if (gCHKKEY_HIT == 1)
        return 0;

#ifdef CONFIG_NAND_FLASH_BOOTING
    if (nflashread((unsigned int)pHeader, addr, sizeof(IMG_HEADER_T), 0) < 0)
    {
        prom_printf("nand flash read fail,addr=%x,size=%d\n", addr, sizeof(IMG_HEADER_T));
        return 0;
    }
#else
    /*check firmware image.*/
    word_ptr = (unsigned short *)pHeader;
    for (i = 0; i < sizeof(IMG_HEADER_T); i += 2, word_ptr++)
        *word_ptr = rtl_inw(addr + i);
#endif

    memcpy(image_sig, FW_SIGNATURE, SIG_LEN);
    memcpy(image_sig_root, FW_SIGNATURE_WITH_ROOT, SIG_LEN);

    if (!memcmp(pHeader->signature, image_sig, SIG_LEN))
        ret = 1;
    else if (!memcmp(pHeader->signature, image_sig_root, SIG_LEN))
        ret = 2;
    else
    {
        prom_printf("no sys signature at %X!\n", addr - FLASH_BASE);
    }
    // prom_printf("ret=%d  sys signature at %X!\n",ret,addr-FLASH_BASE);

#if CHECK_BURN_SERIAL
    if (ret)
    {
        int ret_val = 0;
        BDBG_BSN("==> check linux:\n");
        BDBG_BSN("\tby burn_serial\n");

        memcpy((void *)(&linux_imghdr), (void *)(pHeader), sizeof(IMG_HEADER_T));
#ifndef CONFIG_NAND_FLASH_BOOTING
        ret_val = check_burn_serial(addr + mips_io_port_base + sizeof(IMG_HEADER_T) + pHeader->len, pHeader);
#else
        /* for nand */
        goto SKIP_CHECK_BURN_SERIAL;
#endif
        if (ret_val != 1)
            return ret_val;
    }
    BDBG_BSN("\n\tno burn_serial, check by sum\n");

SKIP_CHECK_BURN_SERIAL:
#endif

    if (ret)
    {

#ifdef CONFIG_NAND_FLASH_BOOTING
#ifdef NAND_FLASH_BOOT_SPEEDUP
        unsigned char *ptr_data = (volatile unsigned char *)(pHeader->startAddr | 0x20000000);
        if (nflashread(ptr_data, addr + sizeof(IMG_HEADER_T), pHeader->len, 1) < 0)
        {
            prom_printf("nand flash read fail,addr=%x,size=%d\n", addr, pHeader->len);
            return 0;
        }

#if 1 // def NAND_FLASH_BOOT_SPEEDUP
#ifdef CONFIG_RTK_NAND_BBT
        for (i = 0; i < pHeader->len; i += 2)
        {
#if CONFIG_ESD_SUPPORT // patch for ESD
            REG32(0xb800311c) |= (1 << 23);
#endif

#if defined(NEED_CHKSUM)
            sum += (unsigned short)(((*(ptr_data + 1 + i)) | (*(ptr_data + i)) << 8) & 0xffff);
// sum += rtl_inw(ptr_data + sizeof(IMG_HEADER_T) + i);
#endif
        }
#endif
#endif
#else
        volatile unsigned char *ptr_data = (volatile unsigned char *)DRAM_DIMAGE_ADDR;
        if (nflashread(DRAM_DIMAGE_ADDR, addr, pHeader->len + sizeof(IMG_HEADER_T), 1) < 0)
        {
            prom_printf("nand flash read fail,addr=%x,size=%d\n", addr, pHeader->len + sizeof(IMG_HEADER_T));
            return 0;
        }
#ifdef CONFIG_RTK_NAND_BBT
        for (i = 0; i < pHeader->len; i += 2)
        {
#if CONFIG_ESD_SUPPORT // patch for ESD
            REG32(0xb800311c) |= (1 << 23);
#endif

#if defined(NEED_CHKSUM)
            sum += (unsigned short)(((*(ptr_data + 1 + i + sizeof(IMG_HEADER_T))) | (*(ptr_data + i + sizeof(IMG_HEADER_T))) << 8) & 0xffff);
// sum += rtl_inw(ptr_data + sizeof(IMG_HEADER_T) + i);
#endif
        }
#endif
#endif

#else
        for (i = 0; i < pHeader->len; i += 2)
        {
#if 1 // slowly
            gCHKKEY_CNT++;
            if (gCHKKEY_CNT > ACCCNT_TOCHKKEY)
            {
                gCHKKEY_CNT = 0;
                if (user_interrupt(0) == 1) // return 1: got ESC Key
                {
                    // prom_printf("ret=%d  ------> line %d!\n",ret,__LINE__);
                    return 0;
                }
            }
#else // speed-up, only support UART, not support GPIO
            if ((Get_UART_Data() == ESC) || (Get_GPIO_SW_IN() != 0))
            {
                gCHKKEY_HIT = 1;
                return 0;
            }
#endif
#if defined(NEED_CHKSUM)
            sum += rtl_inw(addr + sizeof(IMG_HEADER_T) + i);
#endif
        }
#endif

#if defined(NEED_CHKSUM)
        if (sum)
        {
            // prom_printf("ret=%d  ------> line %d!\n",ret,__LINE__);
            ret = 0;
        }
#endif
    }
    // prom_printf("ret=%d  sys signature at %X!\n",ret,addr-FLASH_BASE);

    return (ret);
}
//------------------------------------------------------------------------------------------

int check_rootfs_image(unsigned long addr)
{
#ifdef CONFIG_RTK_VOIP
    // Don't check rootfs in voip
    return 1;
#else
    // Read header, check signature and checksum
    int i;
    unsigned short sum = 0, *word_ptr;
    unsigned long length = 0;
    unsigned char tmpbuf[16];

    if (gCHKKEY_HIT == 1)
        return 0;

#ifdef CONFIG_NAND_FLASH_BOOTING
    if (nflashread((unsigned int)tmpbuf, addr, 16, 0) < 0)
    {
        prom_printf("nand flash read fail,addr=%x,size=%d\n", addr, 16);
        return 0;
    }
#else
    word_ptr = (unsigned short *)tmpbuf;
    for (i = 0; i < 16; i += 2, word_ptr++)
        *word_ptr = rtl_inw(addr + i);
#endif

    if (memcmp(tmpbuf, SQSH_SIGNATURE, SIG_LEN) && memcmp(tmpbuf, SQSH_SIGNATURE_LE, SIG_LEN))
    {
        prom_printf("no rootfs signature at %X!\n", addr - FLASH_BASE);
        return 0;
    }

#if CHECK_BURN_SERIAL
    board_rootfs_length =
#endif
        length = *(((unsigned long *)tmpbuf) + OFFSET_OF_LEN) + SIZE_OF_SQFS_SUPER_BLOCK + SIZE_OF_CHECKSUM;

#if CHECK_BURN_SERIAL
    {
        struct _rootfs_padding rootfs_padding;
        BDBG_BSN("==> check rootfs:\n");
        BDBG_BSN("\tby burn_serial\n");

#ifndef CONFIG_NAND_FLASH_BOOTING
        memcpy((void *)(&rootfs_padding) + sizeof(rootfs_padding.zero_pad), (void *)(mips_io_port_base + addr + length - SIZE_OF_CHECKSUM), sizeof(struct _rootfs_padding) - sizeof(rootfs_padding.zero_pad));
#else
        /* nand */
        goto SKIP_CHECK_BURN_SERIAL;
#endif

        BDBG_BSN("\trootfs_padding.signature[%s]\n", rootfs_padding.signature);
        if (!memcmp(rootfs_padding.signature, ROOT_SIGNATURE, SIG_LEN))
        {
            BDBG_BSN("\tburn_serial=0x%08x, length=0x%08x",
                     rootfs_padding.len + SIZE_OF_SQFS_SUPER_BLOCK + SIZE_OF_CHECKSUM, length);

            if (rootfs_padding.len + SIZE_OF_SQFS_SUPER_BLOCK + SIZE_OF_CHECKSUM == length)
            {
                BDBG_BSN(", ok\n");
                return 1;
            }
            else
            {
                BDBG_BSN(", fail\n");
                return 0;
            }
        }
        BDBG_BSN("\n\tno burn_serial, check by sum\n");
    }

SKIP_CHECK_BURN_SERIAL:
#endif
#ifdef CONFIG_NAND_FLASH_BOOTING
#ifndef NAND_FLASH_BOOT_SPEEDUP
    volatile unsigned char *ptr_data = (volatile unsigned char *)DRAM_DIMAGE_ADDR;
    if (nflashread(DRAM_DIMAGE_ADDR, addr, length, 1) < 0)
    {
        prom_printf("nand flash read fail,addr=%x,size=%d\n", addr, length);
        return 0;
    }
#ifdef CONFIG_RTK_NAND_BBT
    for (i = 0; i < length; i += 2)
    {
#if CONFIG_ESD_SUPPORT // patch for ESD
        REG32(0xb800311c) |= (1 << 23);
#endif

#if defined(NEED_CHKSUM)
        sum += (unsigned short)(((*(ptr_data + 1 + i)) | (*(ptr_data + i)) << 8) & 0xffff);
// sum += rtl_inw(ptr_data + sizeof(IMG_HEADER_T) + i);
#endif
    }
#endif
#endif
#else

    for (i = 0; i < length; i += 2)
    {
#if 1                  // slowly
#if CONFIG_ESD_SUPPORT // patch for ESD
        REG32(0xb800311c) |= (1 << 23);
#endif
        gCHKKEY_CNT++;
        if (gCHKKEY_CNT > ACCCNT_TOCHKKEY)
        {
            gCHKKEY_CNT = 0;
            if (user_interrupt(0) == 1) // return 1: got ESC Key
                return 0;
        }
#else // speed-up, only support UART, not support GPIO.
        if ((Get_UART_Data() == ESC) || (Get_GPIO_SW_IN() != 0))
        {
            gCHKKEY_HIT = 1;
            return 0;
        }
#endif
#if defined(NEED_CHKSUM)
        sum += rtl_inw(addr + i);
#endif
    }
#endif

#ifndef NAND_FLASH_BOOT_SPEEDUP
#if defined(NEED_CHKSUM)
    if (sum)
    {
        prom_printf("rootfs checksum error at %X!\n", addr - FLASH_BASE);
        return 0;
    }
#endif
#endif
    return 1;
#endif // CONFIG_RTK_VOIP
}


Last edited by 微启宇 on 2022-8-5 23:08; reason:
2022-8-5 22:51
#6

This is the bootloader source code from the Realtek ("crab chip") SDK.

Uploaded attachment:
2022-8-5 23:14
#7
堂前燕: The first 2 bytes are the length, the last byte is the checksum (big endian). 31 73 68 30 31 —》header, 15 8E —》len, AF —》checksum_num. Data checksu ...

Thanks a lot. The header at the start should be 73 68 30 31; there is no leading 31. This: 73 68 30 31 —》header


Also, with your formula I still couldn't work out how to modify the data so that it passes the check (limited skills, (─.─|||)). If you have time, please advise. Thanks!

"Data checksum should be 0, i.e. !checksum_func(data[:len-1]) = checksum_num"

Plugging in: checksum_func(data[:158E-1]) = AF


Three different MACs I extracted most recently: three files with different MACs. These are dumps from two different APs, plus one that was automatically reset after I changed the MAC. Could you analyse them: after I change the MAC, how do I get the program's check to pass?

2022-8-6 02:00
#8
爱我佳鑫: mszgx I can't find a command to change the MAC. It was changing the MAC that caused the check to fail, which is why I asked for help. factory_args.sh should be what does the check; I just don't know how the check works. ...
Yes, thanks for the answer. Someone replied on floor 4: it's something the vendor added themselves; it should be factory_args.sh that does this check.
2022-8-6 02:01
#9
爱我佳鑫: This is the bootloader source code from the Realtek ("crab chip") SDK.
Thanks a lot. I had found this before; searching online there seems to be a newer SDK 4.4, but I can't find it.
2022-8-6 02:03
#10
堂前燕: The first 2 bytes are the length, the last byte is the checksum (big endian). 31 73 68 30 31 —》header, 15 8E —》len, AF —》checksum_num. Data checksu ...
I studied it more carefully and now roughly understand a bit: the first 2 bytes are the file header, and the third byte, i.e. four hex digits, is the length to be checked, e.g. 158E; then 158E-1 = 158D, and the program checks that these 158D bytes of data match the byte at 158E. As in your demonstration, how do I compute the check over these 158D bytes so that it equals AF?
2022-8-6 02:39
#11
mszgx: I studied it more carefully and now roughly understand a bit: the first 2 bytes are the file header, and the third byte, i.e. four hex digits, is the length to be checked, e.g. 158E; then 158E-1 = 158D, and the program checks that these 158D bytes of data match the byte at 158E. As in your demonstration ...
The sum of the 158E bytes of data should be 0 (low byte), i.e. --》byte(!checksum_func(data[:len-1])) + 1 = checksum_num
ex:
Sum the 158D bytes of data (take one byte of the result); after inverting and adding 1 it must equal the byte at 158E.
2022-8-6 10:18
#12

You're awesome, I've worked it out. A summary for the record:

73 68 30 31 is the file header, 15 92 the file length; 15 92 - 1 = 1591 is the length that is actually checked.

Extract all 1591 bytes of data, add them up in hex, take the last byte, subtract 1, then invert. That gives the one-byte checksum; write it at position 15 92. OK, it passed the check, and now the MAC can be changed freely..


Testing with this MAC: 081079e3fd78



1. Posting a screenshot for the record. I've forgotten the programming I learned at school seven or eight years ago. WinHex can export C code, and I originally wanted to compute this automatically in C, but I couldn't understand the exported code. My job now has nothing to do with writing code, so forget computing it with a program; I'll do it in Excel. First convert to decimal with a function, add them up, then convert the result to hex: 4 B2DA, take DA - 1 = D9.


2. I looked up "invert" on Baidu; apparently there is also something called logical NOT, never mind, there's an online tool, just compute it directly. Inverting D9 gives 26.

Write in the checksum result 26.

3. Enter BOOT over TTL at baud rate 38400. Flash it with this command:

FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM


After flashing and rebooting there was no error. Perfectly solved!

Many thanks to forum member 堂前燕. Thank you!

https://bbs.pediy.com/user-home-778603.htm


I learned a lot from this; I still need to study more. You really need to understand programs and be able to decompile to see what happens; blind testing on your own doesn't work. With that, the problem is perfectly solved; I'll change the MAC, flash it back to my AP and stop fiddling.

2022-8-6 13:58
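The checksum worked out on floors 11 and 12, written up as an added Python example that is not part of the thread or of the Realtek SDK. The 4-byte tag 73 68 30 31 ("sh01"), the 2-byte big-endian length and the trailing checksum byte are taken from the thread; the position of the MAC inside the data area and the sample bytes are constructed assumptions.

```python
import struct

# Added example, not code from the thread or the Realtek SDK.  Layout per the
# thread: 4-byte tag 73 68 30 31 ("sh01"), 2-byte big-endian length L, then L
# data bytes whose last byte is the checksum.  Floors 11/12: the low byte of the
# sum over all L bytes must be 0, so checksum = (~sum(data[:L-1]) + 1) & 0xff.
TAG = b"sh01"
HDR_LEN = 6

def parse_block(buf: bytes, offset: int = 0):
    """Return (L, data) for the setting block at `offset` of a flash dump."""
    tag, length = struct.unpack_from(">4sH", buf, offset)
    if tag != TAG:
        raise ValueError(f"bad tag {tag!r} at 0x{offset:x}")
    data = buf[offset + HDR_LEN:offset + HDR_LEN + length]
    if len(data) != length:
        raise ValueError("block truncated")
    return length, data

def expected_checksum(payload: bytes) -> int:
    """Two's-complement negation of the byte sum (floor 11's 'invert and add 1')."""
    return (~sum(payload) + 1) & 0xff

def checksum_ok(buf: bytes, offset: int = 0) -> bool:
    """The check the firmware performs: low byte of the sum over all L bytes is 0."""
    _, data = parse_block(buf, offset)
    return sum(data) & 0xff == 0

def reseal(buf: bytes, offset: int = 0) -> bytes:
    """Recompute the trailing checksum byte after the data has been edited."""
    length, data = parse_block(buf, offset)
    fixed = data[:-1] + bytes([expected_checksum(data[:-1])])
    head, end = offset + HDR_LEN, offset + HDR_LEN + length
    return buf[:head] + fixed + buf[end:]

def set_mac(buf: bytes, mac_offset: int, mac: bytes, offset: int = 0) -> bytes:
    """Write a 6-byte MAC at `mac_offset` within the data area (assumed), then reseal."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    pos = offset + HDR_LEN + mac_offset
    return reseal(buf[:pos] + mac + buf[pos + 6:], offset)

# Constructed sample (not a real dump): 16 data bytes, the default MAC from the
# thread at data offset 4, checksum byte filled in by reseal().
SAMPLE = reseal(TAG + struct.pack(">H", 16)
                + bytes.fromhex("00000000" "081011000304" "000000000000"))
```

A payload whose byte sum ends in DA yields the checksum 26, the same value floor 12 reached by hand with Excel and the online tool.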