|
|
本帖最后由 应试教育 于 2024-9-6 20:20 编辑
从某处获得新款的CR8808一台,本来以为是常规的M79或M81型号主板,拆开来一看傻眼了,居然是从来没见过的新布局。
CPU:高通IPQ5018
内存:DDR3 256MB
交换机芯片:YT9215S
5G芯片:QCN6102
ROM:SPI 8脚 128MB FLASH
考虑到很多人刷砖了,这里直接放出我备份的编程器固件,读出芯片型号是GD5F1GM7REYIG,带OOB的不确定能不能适用其它NAND。https://wwen.lanzout.com/i1M2j29d90yd
目前的最新进展是已经有UBOOT可以下载了,但没有适配的固件,OP据说有但没人放出来,静静等吧
因为现在全网还没有多少关于这台路由的资料,也没有相关的刷机方式及固件,从TTL中断UBOOT启动并读出各个分区内容以及贴出启动信息,以供后边有兴趣的网友来分析及研究。
*********************TTL启动信息**************************************
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1.1-00064
S - IMAGE_VARIANT_STRING=MAACANAZA
S - OEM_IMAGE_VERSION_STRING=node-sh-08
S - Boot Config, 0x000002c5
B - 127 - PBL, Start
B - 1560 - bootable_media_detect_entry, Start
B - 3655 - bootable_media_detect_success, Start
B - 3658 - elf_loader_entry, Start
B - 8841 - auth_hash_seg_entry, Start
B - 9201 - auth_hash_seg_exit, Start
B - 104222 - elf_segs_hash_verify_entry, Start
B - 175441 - PBL, End
B - 144234 - SBL1, Start
B - 205082 - GCC [RstStat:0x0, RstDbg:0x600000] WDog Stat : 0x4
B - 213378 - clock_init, Start
D - 7289 - clock_init, Delta
B - 220850 - boot_flash_init, Start
B - 220972 - lsy--->Nov 23 2021, 11:03:10
B - 229848 - lsy--->Nov 23 2021, 11:03:10
D - 25711 - boot_flash_init, Delta
B - 246623 - boot_config_data_table_init, Start
D - 4666 - boot_config_data_table_init, Delta - (575 Bytes)
B - 254370 - Boot Setting : 0x00020618
B - 260744 - CDT version:2,Platform ID:8,Major ID:4,Minor ID:0,Subtype:2
B - 267485 - sbl1_ddr_set_params, Start
B - 268888 - Pre_DDR_clock_init, Start
B - 274744 - Pre_DDR_clock_init, End
B - 916799 - do ddr sanity test, Start
D - 30 - do ddr sanity test, Delta
B - 921466 - Image Load, Start
D - 245159 - QSEE Image Loaded, Delta - (578956 Bytes)
B - 1167479 - Image Load, Start
D - 13908 - DEVCFG Image Loaded, Delta - (13592 Bytes)
B - 1181417 - Image Load, Start
D - 181384 - APPSBL Image Loaded, Delta - (430297 Bytes)
B - 1362892 - QSEE Execution, Start
D - 30 - QSEE Execution, Delta
B - 1369358 - SBL1, End
D - 1227595 - SBL1, Delta
S - Flash Throughput, 2429 KB/s (1024092 Bytes, 421503 us)
S - DDR Frequency, 800 MHz
S - Core 0 Frequency, 800 MHz
U-Boot 2016.01 (Jan 03 2024 - 04:49:48 +0000), Build: jenkins-common_router_openwrt_ota_publish-6449
DRAM: smem ram ptable found: ver: 1 len: 4
256 MiB
NAND: QPIC controller support serial NAND
ID = 81c881c8
Vendor = c8
Device = 81
Serial Nand Device Found With ID : 0xc8 0x81
Serial NAND device Manufacturer:GD5F1GM7REYIG
Device Size:128 MiB, Page size:2048, Spare Size:128, ECC:8-bit
qpic_nand: changing oobsize to 80 from 128 bytes
GD5F1GM7REYIG, disable serial training.
Error in serial training.
switch back to 50MHz with feed back clock bit enabled
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC: sdhci: Node Not found, skipping initialization
PCI Link Intialized
In: serial@78AF000
Out: serial@78AF000
Err: serial@78AF000
machid: 8040002
bootwait is on, bootdelay=5
### main_loop: bootcmd="bootmiwifi"
Hit any key to stop autoboot: 0
miwifi: check crash in rmem !
trigger button release!
cmbblk is stable 5
MAC0 addr:cc:d8:43:4c:1d:f0
PHY ID1: 0x4d
PHY ID2: 0xd0c0
MAC1 addr:50:88:11:84:59:d2
GMAC1:Invalid PHY ID
eth0, eth1 [PRIME]
set f0004 to 3c00804
set f0008 to 1940
set f0000 to 1
miwifi_config_env: ox_idx = 0, ft_mode = 0
miwifi_config_env: flag_try_sys1_failed 1
Erasing NAND...
Erasing at 0x4e0000 -- 100% complete.
Writing to NAND... OK
miwifi_bootargs: ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs cnss2.bdf_integrated=0x23 cnss2.bdf_pci0=0x60 cnss2.bdf_pci1=0x60 cnss2.skip_radio_bmap=4 rootwait
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 30 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 240, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 262591897
ubi0: available PEBs: 20, total reserved PEBs: 220, PEBs reserved for bad PEB handling: 20
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (3555328)
## Loading kernel from FIT Image at 44000000 ...
Using 'config@mp03.3' configuration
Trying 'kernel@1' kernel subimage
Description: ARM OpenWrt Linux-4.4.60
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x440000e4
Data Size: 2087163 Bytes = 2 MiB
Architecture: ARM
OS: Linux
Load Address: 0x41208000
Entry Point: 0x41208000
Hash algo: crc32
Hash value: 5c20292b
Hash algo: sha1
Hash value: 8bb564358e6d4e6c13f81a2545e67b46134d8d42
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
Using 'config@mp03.3' configuration
Trying 'fdt@mp03.3' fdt subimage
Description: ARM OpenWrt qcom-ipq50xx-mpxx device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x442c871c
Data Size: 58919 Bytes = 57.5 KiB
Architecture: ARM
Hash algo: crc32
Hash value: 3bac3030
Hash algo: sha1
Hash value: 4e2d39f96bedf5558de7eb6144cb0949533fb7f7
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x442c871c
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3ee000, end 4a3ff626 ... OK
Using machid 0x8040002 from environment
Starting kernel ...
到这以后就再没有输出了,一直到进系统获取到IP都没输出。
*********************以上为TTL启动信息**************************************
***************************env信息***********************************
IPQ5018# printenv
CountryCode=CN
ISP_EI=123456789
ISP_SN=123456789
SN=123456789
andlink_dev_key=abcdxxxxxx
boot_wait=on
bootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs cnss2.bdf_integrated=0x23 cnss2.bdf_pci0=0x60 cnss2.bdf_pci1=0x60 cnss2.skip_radio_bmap=4 rootwait
bootcmd=bootmiwifi
bootdelay=5
bootfile=miwifi_cr8809_firmware_b814a_6.2.102.bin
bridge_dhcp_enable=1
color=101
default_netmode=bridge
eth1addr=aa:cc:cc:dd:ee:ff
eth2addr=aa:cc:cc:dd:ee:ff
eth3addr=aa:cc:cc:dd:ee:ff
ethact=eth1
ethaddr=aa:cc:cc:dd:ee:ff
ethprime=eth1
fdt_high=0x4A400000
fdtcontroladdr=4a9d4004
fileaddr=44000000
filesize=1b40414
flag_boot_rootfs=0
flag_boot_success=1
flag_boot_type=2
flag_last_success=0
flag_ota_reboot=0
flag_try_sys1_failed=1
flag_try_sys2_failed=0
flash_type=11
fsbootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs cnss2.bdf_integrated=0x23 cnss2.bdf_pci0=0x60 cnss2.bdf_pci1=0x60 cnss2.skip_radio_bmap=4
gatewayip=192.168.31.1
ipaddr=192.168.31.108
isp_svr_try_count=3
machid=8040002
mgtpsd=w3vb#48j
mode=Router
model=CR8818
mtdids=nand0=nand0
netmask=255.255.255.0
no_wifi_dev_times=0
prov_code=HUB
restore_defaults=0
serverip=192.168.31.100
soc_hw_version=20180101
soc_version_major=1
soc_version_minor=1
ssh_en=0
stderr=serial@78AF000
stdin=serial@78AF000
stdout=serial@78AF000
telnet_en=0
uart_en=0
wifipsd=8g6w465d
wl0_radio=1
wl0_ssid=CMCC-b4nn-5G
wl1_radio=1
wl1_ssid=CMCC-b4nn
Environment size: 1602/65532 bytes
***************************以上为env信息***********************************
*********************分区信息**************************************
IPQ5018# smeminfo
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 30 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 240, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 262591897
ubi0: available PEBs: 20, total reserved PEBs: 220, PEBs reserved for bad PEB handling: 20
flash_type: 0xb
flash_index: 0x0
flash_chip_select: 0x0
flash_block_size: 0x20000
flash_density: 0x80000
partition table offset 0x0
No.: Name Attributes Start Size
0: 0:SBL1 0x0000ffff 0x0 0x80000
1: 0:MIBIB 0x0000ffff 0x80000 0x80000
2: 0:BOOTCONFIG 0x0000ffff 0x100000 0x40000
3: 0:BOOTCONFIG1 0x0000ffff 0x140000 0x40000
4: 0 SEE 0x0000ffff 0x180000 0x100000
5: 0SEE_1 0x0000ffff 0x280000 0x100000
6: 0 EVCFG 0x0000ffff 0x380000 0x40000
7: 0EVCFG_1 0x0000ffff 0x3c0000 0x40000
8: 0:CDT 0x0000ffff 0x400000 0x40000
9: 0:CDT_1 0x0000ffff 0x440000 0x40000
10: 0:APPSBLENV 0x0000ffff 0x480000 0x80000
11: 0:APPSBL 0x0000ffff 0x500000 0x140000
12: 0:APPSBL_1 0x0000ffff 0x640000 0x140000
13: 0:ART 0x0000ffff 0x780000 0x100000
14: 0:TRAINING 0x0000ffff 0x880000 0x80000
15: bdata 0x0000ffff 0x900000 0x80000
16: crash 0x0000ffff 0x980000 0x80000
17: crash_syslog 0x0000ffff 0xa00000 0x80000
18: rootfs 0x0000ffff 0xa80000 0x1e00000
ubi vol 0 kernel
ubi vol 1 ubi_rootfs
19: rootfs_1 0x0000ffff 0x2880000 0x1e00000
20: overlay 0x0000ffff 0x4680000 0x3980000
*********************以上为分区信息**************************************
备份的固件内容:
因包含有env、art及factory等内容,以及云平台的key等内容,仅供研究使用,请勿用于其它用途!
https://wwo.lanzout.com/ikxRJ1tsjs9a
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?立即注册
×
|
| 江苏省互联网有害信息举报中心 举报信箱:js12377 | @jischina.com.cn 举报电话:025-88802724
本站不良内容举报信箱:68610888@qq.com
简体中文
繁體中文
English
日本語
Deutsch
한국 사람
بالعربية
TÜRKÇE
português
คนไทย
IP卡
狗仔卡
发表于 2024-4-3 21:18
置顶卡
沉默卡
喧嚣卡
顶贴卡
显身卡
