刷机请直接跳转至:刷入openwrt
U-Boot 模式下查看主机情况
IPQ807x# version
U-Boot 2016.01 (Mar 31 2020 - 09:18:55 +0800)
arm-openwrt-linux-muslgnueabi-gcc (OpenWrt GCC 5.2.0 966bcbd+r49254) 5.2.0
GNU ld (GNU Binutils) 2.24.0
Unknown command 'ls' - try 'help'
IPQ807x# printenv
active=2
args_common=root=mtd:ubi_rootfs rootfstype=squashfs clk_ignore_unused
baudrate=115200
boot1=echo Booting from partition: ${partname}
boot2=nand device 0 && set mtdids nand0=nand0,nand1=nand1
boot3=set mtdparts mtdparts=nand0:0x3000000@0x0(fs1),0x3000000@0x3000000(fs2),0x2000000@0x6000000(usrdata)
boot4=ubi part fs${partname} && ubi read 42000000 kernel
boot5=cfgsel 42000000 && run bootfdtcmd
bootargs=console=ttyMSM0,115200n8
bootcmd=run setup && run bootlinux
bootdelay=1
bootlinux=run boot1 boot2 boot3 boot4 boot5 || run do_change
change1=if test $active = 1; then setenv active 2; else setenv active 1; fi
change2=saveenv
change3=echo changed to active $active
do_change=run change1 change2 change3; reset
ethact=eth0
ethaddr=00:00:xxxxxxxx
fdt_high=0x4A400000
fdtcontroladdr=4a975380
flash_type=8
ipaddr=192.168.10.10
machid=801000a
netmask=255.255.255.0
serverip=192.168.10.1
setup=if test $active = 1; then run setup1; else run setup2; fi
setup1=partname=1 && setenv bootargs ubi.mtd=rootfs${partname} ${args_common}
setup2=partname=2 && setenv bootargs ubi.mtd=rootfs${partname} ${args_common}
soc_version_major=2
soc_version_minor=0
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000
Environment size: 1289/65532 bytes
IPQ807x# bdinfo
arch_number = 0x0801000A
boot_params = 0x40000100
DRAM bank = 0x00000000
-> start = 0x40000000
-> size = 0x40000000
eth0name = eth0
ethaddr = 00:00:xxxxxx
current eth = eth0
ip_addr = 192.168.10.10
baudrate = 115200 bps
TLB addr = 0x4A9A0000
relocaddr = 0x4A900000
reloc off = 0x00000000
irq_sp = 0x4A77FA90
sp start = 0x4A77FA80
IPQ807x# mmcinfo
No MMC device available
IPQ807x# smeminfo
flash_type: 0x6
flash_index: 0x0
flash_chip_select: 0x0
flash_block_size: 0x10000
flash_density: 0x1000000
partition table offset 0x0
No.: Name Attributes Start Size
0: 0:SBL1 0x0000ffff 0x0 0x50000
1: 0:MIBIB 0x001040ff 0x50000 0x10000
2: 0:QSEE 0x0000ffff 0x60000 0x180000
3: 0:DEVCFG 0x0000ffff 0x1e0000 0x10000
4: 0:APDP 0x0000ffff 0x1f0000 0x10000
5: 0:RPM 0x0000ffff 0x200000 0x40000
6: 0:CDT 0x0000ffff 0x240000 0x10000
7: 0:APPSBLENV 0x0000ffff 0x250000 0x10000
8: 0:APPSBL 0x0000ffff 0x260000 0xa0000
9: 0:ART 0x0000ffff 0x300000 0x40000
10: 0:ETHPHYFW 0x0000ffff 0x340000 0x80000
11: product_info 0x0000ffff 0x3c0000 0x10000
12: mtdoops 0x0000ffff 0x3d0000 0x20000
13: priv_data1 0x0000ffff 0x3f0000 0x10000
14: rootfs1 0x0100ffff 0x0 0x3000000
15: rootfs2 0x0100ffff 0x3000000 0x3000000
16: usrdata 0x0100ffff 0x6000000 0x2000000
IPQ807x# sf probe
SPI_ADDR_LEN=3
SF: Detected MX25U3235F with page size 256 Bytes, erase size 64 KiB, total 4 MiB
IPQ807x# nand info
Device 0: nand0, sector size 128 KiB
Page size 2048 b
OOB size 64 b
Erase size 131072 b
subpagesize 0 b
options 0x 0
bbt options 0x 0
Device 1: 1241526320x nand1, sector size 64 KiB
Page size 256 b
OOB size 0 b
Erase size 65536 b
subpagesize 1251344494 b
options 0x 11
bbt options 0x64756162
参考 OpenWrt HWInfo 可以确认:其分区表中 0-13 属于 4MB 的存储,14-16 属于 128MB 的存储。
和现代的Android手机类似,为了防止升级失败时候系统挂掉,采用了A/B root分区,整理上述参数可得如下过程
# ===== IPQ807x U-Boot boot script (auto active, explicit bootm) =====
# Reconstruction of the stock U-Boot environment (see `printenv` above) as
# readable pseudo-shell. This is U-Boot hush syntax, not bash: `setenv`,
# `nand`, `ubi`, `cfgsel` and `reset` are U-Boot commands, and bare numbers
# such as 42000000 are hexadecimal.
# `active` selects the A/B slot (1 or 2) that `setup` boots; do_change
# persists a changed value into the env partition with `saveenv`.
active=2
# Kernel command-line tail appended to the bootargs of both slots.
args_common=root=mtd:ubi_rootfs rootfstype=squashfs clk_ignore_unused
# Top level: pick the slot, try to boot it, and fall back to the other slot
# (`do_change`) if any step of the boot chain fails.
bootcmd=run setup && (run boot1_to_boot5 || run do_change)
# run setup
# ---------
# Derives `partname` and `bootargs` from `active`: slot N boots the UBI image
# on MTD partition rootfsN (rootfs1 @0x0, rootfs2 @0x3000000, 0x3000000 bytes
# each according to `smeminfo`).
setup() {
if test $active = 1; then
partname=1 && setenv bootargs ubi.mtd=rootfs${partname} ${args_common}
else
partname=2 && setenv bootargs ubi.mtd=rootfs${partname} ${args_common}
fi
}
# run bootlinux
# -------------
# The original boot1..boot5 variables chained by `run`; the first failing
# step aborts the chain and bootcmd falls through to do_change.
boot1_to_boot5() {
echo Booting from partition: ${partname} # boot1
nand device 0 # boot2: select the 128 MiB NAND (device 1 is the 4 MiB SPI flash)
setenv mtdids nand0=nand0,nand1=nand1 # boot2
setenv mtdparts mtdparts=nand0:0x3000000@0x0(fs1),0x3000000@0x3000000(fs2),0x2000000@0x6000000(usrdata) # boot3: fs1/fs2/usrdata mirror rootfs1/rootfs2/usrdata from smeminfo
ubi part fs${partname} && ubi read 0x42000000 kernel # boot4: load the UBI volume named `kernel` into RAM
cfgsel 42000000 && run bootfdtcmd # boot5: same address as above (hex); `bootfdtcmd` is not present in the dumped env
}
# Fallback: flip `active` to the other slot, persist it and reboot. Only a
# slot whose boot chain fails inside U-Boot is skipped this way; nothing here
# detects a kernel that loads but fails later in Linux (no boot counter).
do_change() {
if test $active = 1; then setenv active 2; else setenv active 1; fi #change1: toggle slot
saveenv #change2: persist to the env partition
echo changed to active $active #change3
reset
}
探索原固件
打开 ChatGPT,将第一段系统信息全部喂给它,它会告诉你想要的答案。
从bdinfo可以看出 我们的内存地址为0x40000000 - 0x4FFFFFFF(一共1G),后文我们挂载rootfs2,并将其内容copy到某个内存地址,然后使用tftpput将该内存地址上传至tftp-server。
注意这256M并不是都能用!
注意tftp-server端目录或相应文件应有写入权限
在tftp-server端
# On the TFTP server: pre-create both dump targets so that `tftpput` from
# U-Boot can write into them (depending on configuration, TFTP daemons may
# refuse to create new files). 777 is wider than a data file needs; write
# permission for the daemon's user is what matters.
touch -- nand0_full.bin nand1_full.bin
chmod 777 nand0_full.bin
chmod 777 nand1_full.bin
设置ip以访问tftp服务器
ipaddr是自己的ip, serverip是tftp服务器的ip,ping一下发现成功连接
## 若无DHCP服务
IPQ807x# setenv ipaddr 192.168.6.12
IPQ807x# setenv netmask 255.255.252.0
## 若从dhcp获取
IPQ807x# dhcp
## ping测试
IPQ807x# ping 192.168.4.212
ipq807x_eth_halt: done
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 up Speed :1000 Full duplex
ipq807x_eth_init: done
Using eth0 device
ipq807x_eth_halt: done
host 192.168.4.212 is alive
# 配置tftp-server地址
IPQ807x# setenv serverip 192.168.6.55
不写入nand的情况下 启动openwrt
我们在openwrt/bin/targets/qualcommax/ipq807x/有如下编译好的文件
- openwrt-qualcommax-ipq807x-aliyun_ap8220-initramfs-uImage.itb
- openwrt-qualcommax-ipq807x-aliyun_ap8220-squashfs-factory.ubi
- openwrt-qualcommax-ipq807x-aliyun_ap8220-squashfs-sysupgrade.bin
将上述 .itb文件放入tftp-server目录,然后在Aliyun uboot console中执行如下命令
IPQ807x# tftpboot openwrt.itb
ipq807x_eth_halt: done
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 up Speed :1000 Full duplex
ipq807x_eth_init: done
Using eth0 device
TFTP from server 192.168.6.55; our IP address is 192.168.4.120
Filename 'openwrt.itb'.
Load address: 0x44000000
Loading: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 39224
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#####
4.4 MiB/s
done
Bytes transferred = 13424720 (ccd850 hex)
ipq807x_eth_halt: done
IPQ807x# bootm 0x44000000
## Loading kernel from FIT Image at 44000000 ...
Using 'config@ac02' configuration
...下文略...
探索原厂固件
在我们的临时openwrt中 挂载后执行
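## In the temporary (initramfs) OpenWrt: attach the three NAND MTD partitions
## as UBI devices. mtd0/1/2 are rootfs1, rootfs2 and usrdata on the 128 MiB
## NAND (the 4 MiB SPI flash starts at mtd3). Attached in this order they
## become ubi0, ubi1 and ubi2 -- check `ls /dev/ubi*` if in doubt.
ubiattach /dev/ubi_ctrl -m 0
ubiattach /dev/ubi_ctrl -m 1
ubiattach /dev/ubi_ctrl -m 2
## Mount rootfs2 (the slot selected by active=2 in the current U-Boot env) to
## clear the root and admin passwords of the factory firmware. Empty the
## password field, i.e. replace the two lines with:
##   root::20047:0:99999:7:::
##   admin::20283:0:999999:7:::
## An empty field means *no password at all*: set new ones with `passwd`
## right after the first login into the factory console. `upper/` appears to
## be the writable overlay layer of that rootfs; the volume number (ubi1_2)
## is what this device exposes and may differ elsewhere.
mkdir -p /mnt/rootfs2   # mount fails if the mount point does not exist
mount -t ubifs -o rw /dev/ubi1_2 /mnt/rootfs2
vim /mnt/rootfs2/upper/etc/shadow
vim /mnt/rootfs2/upper/etc/shadow-   # backup copy, keep it consistent with shadow
## Unmount after clearing the passwords, then reboot.
umount /mnt/rootfs2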
reboot
重启后成功进入原厂console控制台
插曲:刑天平台显示离线。在 aliyun console 中执行 route,发现默认网关多了一条 192.168.1.1,删除后恢复正常:
route del default gw 192.168.1.1
其原厂固件 版本2.1.88-R-20241121.0346 发现了如下信息
Linux 4.4.60 #1 SMP PREEMPT Thu Nov 21 06:21:14 CST 2024 armv7l GNU/Linux
DISTRIB_RELEASE='Chaos Calmer'
DISTRIB_TARGET='ipq/ipq807x'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
刷入openwrt
注意事项:
- 不动4M的uboot 以确保刷不死
- 在rootfs1 和rootfs2中,保留一个原厂固件,另一个刷入openwrt
- openwrt将挂载4M中的 '0:APPSBLENV' (offset=0x10000 size=0x10000) 为firmware env. 该分区在Openwrt OS中可能为
/dev/mtd10(源自于mtd0,1,2 :128M NAND; mtd3,4,... : 4MB MX25U3235F)
以下开始
# Attach the serial console, hold Shift+2 (i.e. "@") while powering on (or
# pressing reset) until the 'IPQ807x#' prompt appears: you are now in U-Boot.
# The commands below are U-Boot commands (the stock env uses `set` and
# `setenv` interchangeably, see boot2 in printenv).
# --------------------
## Switch to the *other* A/B slot: if `active` is currently 2 set it to 1,
## if it is 1 set it to 2. The untouched slot keeps the factory firmware as
## a fallback (see the notes above).
printenv active
set active 1
saveenv
## Then configure the network, fetch the UBI image and write it to rootfs1
## or rootfs2. The partition MUST match the slot chosen above:
## `set active 1` -> `flash rootfs1`, otherwise `flash rootfs2`.
## Before flashing, check that "Bytes transferred" printed by tftpboot
## equals the size of the .ubi file on the server.
dhcp
setenv serverip 192.168.6.55
tftpboot 0x44000000 openwrt-qualcommax-ipq807x-aliyun_ap8220-squashfs-factory.ubi
## Vendor U-Boot command; it writes the image just fetched by tftpboot into
## the named partition (`help flash` shows its exact usage on this build).
flash rootfs1
## Boot it.
run bootcmd
# At this point OpenWrt should come up.
# --------------------
## Set the root password (interactive prompt).
passwd
## Minimal temporary Wi-Fi so the AP can be reached over WLAN/LAN; complete
## the configuration in the web UI afterwards. SSID and key below are
## bring-up placeholders -- replace the key (and SSID) in the final config.
uci set wireless.ap2g=wifi-iface
uci set wireless.ap2g.device='radio0'
uci set wireless.ap2g.mode='ap'
uci set wireless.ap2g.ssid='CAP'
uci set wireless.ap2g.network='lan'
uci set wireless.ap2g.encryption='sae' # WPA3-Personal (SAE)
uci set wireless.ap2g.key='11111111' # placeholder, change before real use
uci set wireless.ap2g.disabled='0'
uci commit wireless
wifi reload
## Install LuCI if the image does not ship it (apk-based snapshots; older
## releases use opkg instead).
apk update
apk add luci
后记
读整个4+128M nand到内存 然后推送到tftp服务端
该设备布局为 4M(nand1) + 128M(nand0)。先直接读取整个 nand 并传回本地,需要的数据再在本地分割。
IPQ807x# sf probe
IPQ807x# sf read 0x42000000 0x0 0x400000
device 0 whole chip
SF: 4194304 bytes @ 0x0 Read: OK
IPQ807x# crc32 0x42000000 0x400000
crc32 for 42000000 ... 423fffff ==> 1982370b
IPQ807x# tftpput 0x42000000 0x400000 up/sf_full.bin
ipq807x_eth_halt: done
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 up Speed :1000 Full duplex
ipq807x_eth_init: done
Using eth0 device
TFTP to server 192.168.6.55; our IP address is 192.168.4.120
Filename 'up/sf_full.bin'.
Save address: 0x42000000
Save size: 0x400000
Saving: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 55549
################################################################
#################################################################
#################################################################
#################################################################
##########################
6.9 MiB/s
done
Bytes transferred = 4194304 (400000 hex)
ipq807x_eth_halt: done
IPQ807x# nand read 0x40000000 0x0 0x8000000
NAND read: device 0 whole chip
134217728 bytes read: OK
IPQ807x# setenv tftpblocksize 1024
IPQ807x# crc32 0x40000000 0x8000000
crc32 for 40000000 ... 47ffffff ==> 6bab005f
IPQ807x# tftpput 0x40000000 0x8000000 up/nand0_full.bin
...上传过程同上 略...
(linux)检验crc32并从上述nand0_full.bin提取rootfs2和userdata
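# On the Linux host: verify the dumps against the CRC32 values printed by
# U-Boot (`crc32` command above), then carve the UBI partitions out of the
# 128 MiB NAND dump.
sudo dnf install perl-Archive-Zip # provides the `crc32` command
crc32 sf_full.bin # expected 1982370b (U-Boot: crc32 0x42000000 0x400000)
crc32 nand0_full.bin # expected 6bab005f (U-Boot: crc32 0x40000000 0x8000000)
# Extract the UBI partitions. Offsets and sizes come from the `smeminfo`
# table (rootfs1 @0x0, rootfs2 @0x3000000, usrdata @0x6000000); all are
# 1 MiB aligned, so bs=1M keeps the skip/count arithmetic exact.
dd if=nand0_full.bin of=nand0_rootfs1.ubi bs=1M skip=$((0x0/0x100000)) count=$((0x3000000/0x100000)) status=progress
# rootfs2 starts at 0x3000000, not 0x0.
dd if=nand0_full.bin of=nand0_rootfs2.ubi bs=1M skip=$((0x3000000/0x100000)) count=$((0x3000000/0x100000)) status=progress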
dd if=nand0_full.bin of=nand0_userdata.ubi bs=1M skip=$((0x6000000/0x100000)) count=$((0x2000000/0x100000)) status=progress
补全环境变量 并尝试在uboot下 挂载nand0分区
命令来自于上文 printenv 可以参考整理好的bash脚本
IPQ807x# setenv mtdids nand0=nand0,nand1=nand1
IPQ807x# setenv mtdparts mtdparts=nand0:0x3000000@0x0(fs1),0x3000000@0x3000000(fs2),0x2000000@0x6000000(usrdata)
IPQ807x# nand device 0
IPQ807x# ubi part fs2
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=1", size 48 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 384, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 60/12, WL threshold: 4096, image sequence number: 1668673445
ubi0: available PEBs: 0, total reserved PEBs: 384, PEBs reserved for bad PEB handling: 20
IPQ807x# ubi info
UBI: MTD device name: "mtd=1"
UBI: MTD device size: 48 MiB
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: number of good PEBs: 384
UBI: number of bad PEBs: 0
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 3
UBI: available PEBs: 0
UBI: total number of reserved PEBs: 384
UBI: number of PEBs reserved for bad PEB handling: 20
UBI: max/mean erase counter: 60/12
从tftp server引导openwrt系统
IPQ807x# setenv serverip 192.168.4.212
tftpboot 0x44000000 openwrt-qualcommax-ipq807x-aliyun_ap8220-squashfs-factory.ubi
Reference:
uboot tftpput reference https://docs.u-boot.org/en/stable/usage/cmd/tftpput.html
nand command https://github.com/ARM-software/u-boot/blob/master/doc/README.nand
Openwrt Commit ipq807x https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=6e03304c76aee6fc5c3139f4af8c24665ec7f89b
阿里云 AP8220 刷机教程 https://www.right.com.cn/forum/thread-8388412-1-1.html
macOS开启内建的TFTP服务器 https://www.cnblogs.com/shenyixin/p/19270255
IoT(八)ubi文件系统挂载&解包【转】 https://www.cnblogs.com/sky-heaven/p/16306271.html