This post was last edited by scutlzy on 2023-10-7 19:58
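2023.10.07 Reflashing the flash chip with a programmer fixed it. After tracing back, I found the cause of the earlier brick. The partition files extracted from the Xiaomi AX1800 that I provided earlier were faulty. When I opened them in WinHex, the beginning was all FF, possibly because the partition tables of the Xiaomi AX1800 and the Redmi AX5 differ, which made the extraction go wrong. In future, before flashing a partition, always make sure the backed-up partition is correct, especially the uboot partition.
After reflashing the flash chip I used someone else's partition backups, so the MAC and SN changed as well. Both can be restored, and there are two ways to do it. One is to get SSH access and write the SN with bdata; the other is to edit the partition file by hand (remember to recalculate the crc32) and then flash it. The SN is in the bdata partition; on the Qualcomm version of the AX1800 the MAC is stored in the art partition. There are also miot_did and miot_key, which should be unique to the device; without the original backup they are probably gone.
!!! In future, always make a full backup, or at least a backup of the key partitions, before flashing.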
Xiaomi AX1800 partition table:
- # list partitions
- root@XiaoQiang:/tmp # cat /proc/mtd
- dev: size erasesize name
- mtd0: 00180000 00020000 "0:SBL1"
- mtd1: 00100000 00020000 "0:MIBIB"
- mtd2: 00380000 00020000 "0:QSEE"
- mtd3: 00080000 00020000 "0:DEVCFG"
- mtd4: 00080000 00020000 "0:RPM"
- mtd5: 00080000 00020000 "0:CDT"
- mtd6: 00080000 00020000 "0:APPSBLENV"
- mtd7: 00180000 00020000 "0:APPSBL"
- mtd8: 00080000 00020000 "0:ART"
- mtd9: 00080000 00020000 "bdata"
- mtd10: 00080000 00020000 "crash"
- mtd11: 00080000 00020000 "crash_syslog"
- mtd12: 02c80000 00020000 "rootfs"
- mtd13: 02c80000 00020000 "rootfs_1"
- mtd14: 01680000 00020000 "overlay"
- mtd15: 00080000 00020000 "cfg_bak"
- mtd16: 003a2000 0001f000 "kernel"
- mtd17: 01249000 0001f000 "ubi_rootfs"
- mtd18: 01249000 0001f000 "rootfs_data"
- mtd19: 012e4000 0001f000 "data"
Redmi AX5 partition table:
- No.: Name Attributes Start Size
- 0: 0:SBL1 0x0000ffff 0x0 0x180000
- 1: 0:MIBIB 0x0000ffff 0x180000 0x100000
- 2: 0:QSEE 0x0000ffff 0x280000 0x380000
- 3: 0:DEVCFG 0x0000ffff 0x600000 0x80000
- 4: 0:RPM 0x0000ffff 0x680000 0x80000
- 5: 0:CDT 0x0000ffff 0x700000 0x80000
- 6: 0:APPSBLENV 0x0000ffff 0x780000 0x80000
- 7: 0:APPSBL 0x0000ffff 0x800000 0x180000
- 8: 0:ART 0x0000ffff 0x980000 0x80000
- 9: bdata 0x0000ffff 0xa00000 0x80000
- 10: crash 0x0000ffff 0xa80000 0x80000
- 11: crash_syslog 0x0000ffff 0xb00000 0x80000
- 12: 0:BOOTCONFIG 0x0000ffff 0xb80000 0x80000
- 13: 0:BOOTCONFIG1 0x0000ffff 0xc00000 0x80000
- 14: 0:QSEE_1 0x0000ffff 0xc80000 0x380000
- 15: 0:DEVCFG_1 0x0000ffff 0x1000000 0x80000
- 16: 0:RPM_1 0x0000ffff 0x1080000 0x80000
- 17: 0:CDT_1 0x0000ffff 0x1100000 0x80000
- 18: rootfs 0x0000ffff 0x1180000 0x2400000
- ubi vol 0 kernel
- ubi vol 1 ubi_rootfs // note these 5 lines of partition table information (18-19), marked in red
- ubi vol 2 rootfs_data
- 19: rootfs_1 0x0000ffff 0x3580000 0x2400000
- 20: overlay 0x0000ffff 0x5980000 0x24a0000
- 21: cfg_bak 0x0000ffff 0x7e20000 0x80000
2023.09.29 Noting this down: do not flash the boot partition lightly. I tried flashing the AX1800 partition table and boot partition. The result is that it seems to be bricked.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00077-IPQ60xxLZB-2
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu64
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000002e5
S - JTAG ID @ 0x000a607c = 0x001390e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x2ee87e32
S - OEM Config Row 0 @ 0x000a4188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x000a4190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4130 = 0x0000800018200021
S - Feature Config Row 1 @ 0x000a4138 = 0x02c3e83783000009
S - PBL Patch Ver: 1
S - I-cache: On
S - D-cache: On
B - 3413 - PBL, Start
B - 592 - bootable_media_detect_entry, Start
B - 4339 - bootable_media_detect_success, Start
B - 5207 - elf_loader_entry, Start
B - 5380 - auth_hash_seg_entry, Start
B - 7847 - auth_hash_seg_exit, Start
B - 8342 - elf_segs_hash_verify_entry, Start
B - 110493 - elf_segs_hash_verify_exit, Start
B - 114916 - auth_xbl_sec_hash_seg_entry, Start
B - 115059 - auth_xbl_sec_hash_seg_exit, Start
B - 121610 - xbl_sec_segs_hash_verify_entry, Start
B - 121611 - xbl_sec_segs_hash_verify_exit, Start
B - 122540 - PBL, End
B - 103303 - SBL1, Start
B - 243390 - GCC [RstStat:0x0, RstDbg:0x600000] WDog Stat : 0x4
B - 245830 - clock_init, Start
D - 2836 - clock_init, Delta
B - 254370 - boot_flash_init, Start
B
It hangs here and goes no further.
It will probably need a programmer.
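2023.07.15 I picked up an AX1800 on a second-hand marketplace (Xianyu), planning to build a mesh. What I mainly liked was the AX1800's form factor: it takes up little space. When it arrived I found it had been flashed with the Taixingren (钛星人) firmware. A search online said this is irreversible; in the end I haggled the price down and kept it to tinker with myself. There is little information online about unbricking this device, so I am recording the process here.
First, the teardown. This unit really is troublesome to open, mainly because it has many clips and there is hardly a way to open it without damage. Start by peeling off the rubber pad on the bottom; there are two screws, which are the only external fasteners, and everything else is clips. Peel off the sticker. Then pry the case open slowly along the bottom seam; this is the hardest step, working around the edge bit by bit.
The layout is basically the same as the Redmi AX5. Using the markings from an AX5 teardown, I guessed the positions of RX, GND and TX and got them right on the first try.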
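After connecting the TTL adapter, power on and press any key to enter u-boot mode.
Configure the IP addresses by setting environment variables:
- setenv serverip 192.168.1.239
- setenv ipaddr 192.168.1.2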
Flash the partition data:
- tftpboot mtd1_0MIBIB.bin && nand erase 0x180000 0x100000 && nand write 0x44000000 0x180000 0x100000 // partition table
- tftpboot mtd7_0APPSBL.bin && nand erase 0x800000 0x180000 && nand write 0x44000000 0x800000 0x180000 // boot
- tftpboot mtd18.bin && nand erase 0x1180000 0x2400000 && nand write 0x44000000 0x1180000 0x2400000 // rootfs
- tftpboot mtd19.bin && nand erase 0x3580000 0x2400000 && nand write 0x44000000 0x3580000 0x2400000 // rootfs_1
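Flash the partition table; partition table link:
Appendix: command to view the partitions: smeminfo; command to view the environment variables: printenv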
- Before flashing:
- IPQ6018# smeminfo
- ubi0: attaching mtd1
- ubi0: scanning is finished
- ubi0: attached mtd1 (name "mtd=0", size 44 MiB)
- ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
- ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
- ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
- ubi0: good PEBs: 356, bad PEBs: 0, corrupted PEBs: 0
- ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
- ubi0: max/mean erase counter: 85/39, WL threshold: 4096, image sequence number: 157941788
- ubi0: available PEBs: 0, total reserved PEBs: 356, PEBs reserved for bad PEB handling: 20
- flash_type: 0x2
- flash_index: 0x0
- flash_chip_select: 0x0
- flash_block_size: 0x20000
- flash_density: 0x100000
- partition table offset 0x0
- No.: Name Attributes Start Size
- 0: 0:SBL1 0x0000ffff 0x0 0x180000
- 1: 0:MIBIB 0x0000ffff 0x180000 0x100000
- 2: 0:QSEE 0x0000ffff 0x280000 0x380000
- 3: 0:DEVCFG 0x0000ffff 0x600000 0x80000
- 4: 0:RPM 0x0000ffff 0x680000 0x80000
- 5: 0:CDT 0x0000ffff 0x700000 0x80000
- 6: 0:APPSBLENV 0x0000ffff 0x780000 0x80000
- 7: 0:APPSBL 0x0000ffff 0x800000 0x180000
- 8: 0:ART 0x0000ffff 0x980000 0x80000
- 9: bddata 0x0000ffff 0xa00000 0x80000
- 10: hwf_config 0x0000ffff 0xa80000 0x40000
- 11: bdinfo 0x0000ffff 0xac0000 0x40000
- 12: 0:BOOTCONFIG 0x0000ffff 0xb00000 0x40000
- 13: 0:BOOTCONFIG1 0x0000ffff 0xb40000 0x40000
- 14: rootfs 0x0000ffff 0x3800000 0x2c80000
- ubi vol 0 kernel
- ubi vol 1 wifi_fw
- ubi vol 2 ubi_rootfs
- ubi vol 3 rootfs_data
- 15: rootfs_1 0x0000ffff 0xb80000 0x2c80000
- 16: overlay 0x0000ffff 0x6480000 0x1680000
- 17: cfg_bak 0x0000ffff 0x7b00000 0x80000
- After flashing:
- No.: Name Attributes Start Size
- 0: 0:SBL1 0x0000ffff 0x0 0x180000
- 1: 0:MIBIB 0x0000ffff 0x180000 0x100000
- 2: 0:QSEE 0x0000ffff 0x280000 0x380000
- 3: 0:DEVCFG 0x0000ffff 0x600000 0x80000
- 4: 0:RPM 0x0000ffff 0x680000 0x80000
- 5: 0:CDT 0x0000ffff 0x700000 0x80000
- 6: 0:APPSBLENV 0x0000ffff 0x780000 0x80000
- 7: 0:APPSBL 0x0000ffff 0x800000 0x180000
- 8: 0:ART 0x0000ffff 0x980000 0x80000
- 9: bdata 0x0000ffff 0xa00000 0x80000
- 10: crash 0x0000ffff 0xa80000 0x80000
- 11: crash_syslog 0x0000ffff 0xb00000 0x80000
- 12: 0:BOOTCONFIG 0x0000ffff 0xb80000 0x80000
- 13: 0:BOOTCONFIG1 0x0000ffff 0xc00000 0x80000
- 14: 0:QSEE_1 0x0000ffff 0xc80000 0x380000
- 15: 0:DEVCFG_1 0x0000ffff 0x1000000 0x80000
- 16: 0:RPM_1 0x0000ffff 0x1080000 0x80000
- 17: 0:CDT_1 0x0000ffff 0x1100000 0x80000
- 18: rootfs 0x0000ffff 0x1180000 0x2400000
- 19: rootfs_1 0x0000ffff 0x3580000 0x2400000
- 20: overlay 0x0000ffff 0x5980000 0x24a0000
- 21: cfg_bak 0x0000ffff 0x7e20000 0x80000
Attachment download: https://wwew.lanzouq.com/ivRil12sdruh password: 9kjy
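Unbricking with the AX1800 partitions:
Mainly flash the partition table and the u-boot partition (flash with caution, and make sure the files are correct before flashing). Do not reflash the art partition (which may contain the MAC address) unless it is necessary. After flashing, use the Xiaomi unbrick tool to restore the firmware.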
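One way to check that the files are correct before flashing, as an added example that is not part of the original post: it parses `smeminfo` rows, lists the partitions whose offset or size differ between two layouts, and rejects a dump whose size does not match the target table or whose start is all 0xFF. The function names and the sample dumps are constructed for illustration; the table rows are copied from the before/after tables on this page.

```python
import re

# Rows copied from the two `smeminfo` tables on this page (before / after flashing).
BEFORE = """\
7: 0:APPSBL 0x0000ffff 0x800000 0x180000
9: bddata 0x0000ffff 0xa00000 0x80000
14: rootfs 0x0000ffff 0x3800000 0x2c80000
15: rootfs_1 0x0000ffff 0xb80000 0x2c80000
"""
AFTER = """\
7: 0:APPSBL 0x0000ffff 0x800000 0x180000
9: bdata 0x0000ffff 0xa00000 0x80000
18: rootfs 0x0000ffff 0x1180000 0x2400000
19: rootfs_1 0x0000ffff 0x3580000 0x2400000
"""
ROW = re.compile(r"^\W*\d+:\s+(\S+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*$", re.I)

def parse_smeminfo(text):
    """Map partition name -> (start, size) for every table row in the text."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m[1]: (int(m[2], 16), int(m[3], 16)) for m in rows if m}

def layout_diff(src, dst):
    """Names whose offset/size differ, or that exist in only one layout."""
    return sorted(n for n in src.keys() | dst.keys() if src.get(n) != dst.get(n))

def check_dump(name, data, table, probe=4096):
    """Return reasons not to flash this dump; an empty list means it passed."""
    if name not in table:
        return [f"{name}: no such partition in the target table"]
    problems = []
    size = table[name][1]
    if len(data) != size:
        problems.append(f"{name}: {len(data):#x} bytes, table expects {size:#x}")
    head = data[:probe]
    if head and head.count(0xFF) == len(head):
        problems.append(f"{name}: first {len(head)} bytes are all 0xFF (erased flash)")
    return problems

if __name__ == "__main__":
    before, after = parse_smeminfo(BEFORE), parse_smeminfo(AFTER)
    print("differs between layouts:", layout_diff(before, after))
    # Constructed dumps: one blank like the bad AX1800 backup, one with data up front.
    blank = b"\xff" * 0x180000
    good = b"DATA" + b"\x00" * (0x180000 - 4)
    for label, blob in (("blank", blank), ("good", good)):
        print(label, check_dump("0:APPSBL", blob, after) or "ok")
```

A partition that is legitimately empty also reads back as 0xFF, so the second check is a prompt to open the file in a hex editor rather than a verdict.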
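Partition notes:
Image source: "Analysis and comparison of power-loss auto-recovery schemes for online upgrades on QCA and MTK embedded Linux systems" - OpenWrt开发者之家
- mibib // partition table
- appsbl // u-boot partition
- appsblenv // partition size 512KB, stores the u-boot environment variables
- bdata, art // wifi configuration data, do not flash lightly
- cdt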