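Last edited by 狐狸也糊涂 on 2024-4-27 16:50
This is actually my first time flashing and tinkering with a router like this. At the start I hadn't registered on this forum and hadn't read the relevant threads, so I took a lot of detours. Let me tell the story step by step.
I bought this router after seeing a review-and-flashing video about it while scrolling a certain short-video app. I figured the 4 routers at home had been in use for nearly 7 years and it was time for new ones, so I first bought 2 to try out. I ordered on a certain shopping app and received them on April 17.
That same day I took 1 unit and tried flashing it, following www.right.com.cn/forum/forum.php?mod=viewthread&tid=8351029. The firmware was flashed fine; I found it in the group mentioned in that thread after joining it.
But then, for whatever reason, I got an itch: I found firmware-selector.immortalwrt.org and wanted to flash the firmware from there.
Out of curiosity I downloaded immortalwrt-23.05-snapshot-r27674-a0c4e698e4-mediatek-filogic-nokia_ea0326gmp-squashfs-sysupgrade.itb, but it could not be flashed from the uboot web console.
Then I wondered whether it was refused because the uboot was different, so I also downloaded immortalwrt-23.05-snapshot-r27674-a0c4e698e4-mediatek-filogic-nokia_ea0326gmp-bl31-uboot.fip.
I went into the immortalwrt admin interface, uploaded the uboot I had just downloaded, and wrote it to the FIP partition with a console command. Then I tried flashing the firmware I had just downloaded on the backup/upgrade page; it reported a problem, and I steeled myself and forced the flash.
After flashing it rebooted automatically. I waited a long time; the power LED came on and the mesh LED glowed dimly. I thought, something's not right.
I cut power, then held the mesh wps button, powered on and released it after 5 seconds, but the uboot web console at 192.168.1.1 would not open.
My heart sank: it's broken, it must be bricked. I somewhat regretted it. Let this be a warning to everyone: don't try this kind of thing carelessly.
Then I got to work on the rescue. Below is the whole rescue process.
I downloaded MediaTek Filogic 系列路由器串口TTL救砖教程 - 暗云.rar from the group, extracted it and read it carefully for a while.
I took out the gold-coloured ch341A programmer I bought for 10 yuan more than 2 years ago, saw that it has a TTL function, and decided to open the case and unbrick. The steps below use the ch341A programmer.
Warm the two pads at the top of the router's back with a hair dryer and take them off, then undo the two screws and use a pry tool to separate the upper and lower parts of the case. The clips hold very tightly.
With the board visible, look for the TTL header; its 4 pins are VCC, GND, TX and RX. With the router powered on I measured VCC with a multimeter: 3.3V.
Wiring: VCC to 3.3V on the programmer, GND to GND on the programmer, TX to RXD on the programmer, RX to TXD on the programmer. The jumper cap on the programmer goes on pins 2 and 3 for TTL flashing.
If you have no multimeter to measure the voltage, you can look up the official documentation by chip model to find the operating voltage; for example, this router's chip is the W25N01GV.
After plugging the programmer into the PC, Device Manager showed USB UART-LPT with an exclamation mark. The programmer software package I had downloaded earlier contains a TTL driver; after installing it, port COM21 appeared.
In the folder extracted from MediaTek Filogic 系列路由器串口TTL救砖教程 - 暗云.rar, open the txt tutorial and follow it; copy mt7981_nokia_ea0326gmp-fip-fixed-parts.bin into that folder.
Open a CMD command prompt in that folder and enter the command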
- .\mtk_uartboot.exe -s COM21 -p .\mt7981\mt7981-ddr3-bl2.bin -a -f mt7981_nokia_ea0326gmp-fip-fixed-parts.bin --brom-load-baudrate 921600 --bl2-load-baudrate 1500000
This prints
mtk_uartboot - 0.1.1
Using serial port: COM21
Handshake...
Then power on the router and wait for it to finish
mtk_uartboot - 0.1.1
Using serial port: COM21
Handshake...
hw code: 0x7981
hw sub code: 0x8a00
hw ver: 0xca00
sw ver: 0x1
Baud rate set to 921600
sending payload to 0x201000...
Checksum: 0x55cf
Setting baudrate back to 115200
Jumping to 0x201000 in aarch64...
Waiting for BL2. Message below:
==================================
NOTICE: BL2: v2.10.0 (release):v2.4-rc0-5845-gbacca82a8-dirty
NOTICE: BL2: Built : 20:18:08, Feb 2 2024
NOTICE: WDT: Cold boot
NOTICE: WDT: disabled
NOTICE: EMI: Using DDR3 settings
NOTICE: EMI: Detected DRAM size: 256MB
NOTICE: EMI: complex R/W mem test passed
NOTICE: CPU: MT7981 (1300MHz)
NOTICE: Starting UART download handshake ...
==================================
BL2 UART DL version: 0x10
Baudrate set to: 1500000
FIP sent.
==================================
NOTICE: Received FIP 0xb34d1 @ 0x40400000 ...
==================================
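After this finished I pressed the reset key, once or for a few seconds, and 192.168.1.1 would not open either way; the same with the mesh wps key. I repeated this many times and it still didn't work.
Finally I studied things more carefully and happened to open MediaTek Filogic 系列路由器串口救砖教程 - 暗云 - 博客园.mhtml
There I suddenly discovered that you have to open the serial port with a serial tool and use the up/down arrow keys to select an operation. Things looked brighter again and success felt close.
Then I opened Xshell, which I use often, clicked around and found that it can access serial ports, so I created a serial session profile for COM21.
I repeated the steps above, and as soon as NOTICE: Received FIP 0xb34d1 @ 0x40400000 ... had run, I immediately connected to the serial port with Xshell and pressed the up/down arrow keys.
This screen came up, slightly different from the one in the tutorial; after selecting 7, this came up
So I set the IP address to 192.168.1.254 and renamed the uboot to be flashed to immortalwrt-mediatek-filogic-nokia_ea0326gmp-bl31-uboot.fip
Then I found tftpd64 via Baidu, downloaded it, opened it and configured it.
Then I pressed ENTER to return to the menu and selected 7. After entering, it showed Loading: T T T T T T, and at the end of the T's it reported Retry count exceeded; starting again
It simply could not find the server IP on the PC, so in the end the TFTP unbrick was a dead end too.
I thought: none of these unbrick methods work, so do I have to unbrick with the programmer after all?
I kept looking for software, and at www.right.com.cn/forum/thread-8289988-1-1.html I found NeoProgrammer and downloaded it.
While reading that thread carefully I also happened to click www.right.com.cn/forum/thread-8265832-1-1.html, a detailed tutorial on flashing and unbricking the Redmi AX6000.
I skimmed it from start to finish first, then read the unbricking parts carefully, and finally found that you can enter the U-Boot console and operate with commands.
So I entered the U-Boot console too, and typed help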
- MT7981> help
- ? - alias for 'help'
- askenv - get environment variables from stdin
- base - print or set address offset
- bdinfo - print Board Info structure
- boot - boot default, i.e., run 'bootcmd'
- bootd - boot default, i.e., run 'bootcmd'
- bootelf - Boot from an ELF image in memory
- booti - boot Linux kernel 'Image' format from memory
- bootm - boot application image from memory
- bootmenu - ANSI terminal bootmenu
- bootp - boot image via network using BOOTP/TFTP protocol
- bootvx - Boot vxWorks from an ELF image
- button - manage buttons
- cdp - Perform CDP network configuration
- cmp - memory compare
- coninfo - print console devices and information
- cp - memory copy
- cpu - display information about CPUs
- crc32 - checksum calculation
- dcache - enable or disable data cache
- dhcp - boot image via network using DHCP/TFTP protocol
- dm - Driver model low level access
- dns - lookup the IP of a hostname
- echo - echo args to console
- editenv - edit environment variable
- env - environment handling commands
- eraseenv - erase environment variables from persistent storage
- exit - exit script
- false - do nothing, unsuccessfully
- fdt - flattened device tree utility commands
- go - start application at address 'addr'
- gpio - query and control gpio pins
- gpt - GUID Partition Table
- guid - GUID - generate Globally Unique Identifier based on random UUID
- gzwrite - unzip and write memory to block device
- hash - compute hash message digest
- help - print command description/usage
- icache - enable or disable instruction cache
- iminfo - print header information for application image
- imsz - get image total size (in bytes)
- imszb - get image total size (in blocks)
- imxtract - extract a part of a multi-image
- itest - return true/false on integer compare
- led - manage LEDs
- license - print GPL license text
- linklocal - acquire a network IP address using the link-local protocol
- loadb - load binary file over serial line (kermit mode)
- loads - load S-Record file over serial line
- loadx - load binary file over serial line (xmodem mode)
- loady - load binary file over serial line (ymodem mode)
- loop - infinite loop on address range
- lzmadec - lzma uncompress a memory region
- md - memory display
- mm - memory modify (auto-incrementing address)
- mtd - MTD utils
- mw - memory write (fill)
- nand - NAND utility
- net - NET sub-system
- nfs - boot image via network using NFS protocol
- nm - memory modify (constant address)
- panic - Panic with optional message
- part - disk partition related commands
- ping - send ICMP ECHO_REQUEST to network host
- pinmux - show pin-controller muxing
- printenv - print environment variables
- pstore - Manage Linux Persistent Storage
- pxe - commands to get and boot from pxe files
- To use IPv6 add -ipv6 parameter
- random - fill memory with random pattern
- rarpboot - boot image via network using RARP/TFTP protocol
- readmem - get environment variable from memory address
- reset - Perform RESET of the CPU
- run - run commands in an environment variable
- saveenv - save environment variables to persistent storage
- setenv - set environment variables
- setexpr - set environment variable as the result of eval expression
- showvar - print local hushshell variables
- sleep - delay execution for some time
- smc - Issue a Secure Monitor Call
- sntp - synchronize RTC via network
- source - run script from memory
- strings - display strings
- test - minimal test like /bin/sh
- tftpboot - load file via network using TFTP protocol
- tftpsrv - act as a TFTP server and boot the first received file
- true - do nothing, successfully
- ubi - ubi commands
- ubifsload - load file from an UBIFS filesystem
- ubifsls - list files in a directory
- ubifsmount- mount UBIFS volume
- ubifsumount- unmount UBIFS volume
- unlz4 - lz4 uncompress a memory region
- unzip - unzip a memory region
- uuid - UUID - generate random Universally Unique Identifier
- version - print monitor, compiler and linker version
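From the listed commands you can see load(b s x y), which transfer files over the serial port, but I didn't know exactly how to use them.
I went back to Baidu to look for material on loadb loads loadx loady, and finally found relevant material at blog.csdn.net/qq_31094099/article/details/86496888
I learned that these commands download a file into memory over the serial port, but I didn't dare guess at which memory address to use.
Although I didn't dare experiment with the load commands, some other commands could be poked at, so, following the picture above, I typed printenv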
- MT7981> printenv
- boot_default=if env exists flag_recover ; then else run bootcmd ; fi ; run boot_recovery ; setenv replacevol 1 ; run boot_tftp_forever
- boot_first=if button reset ; then led $bootled_rec on ; run boot_tftp_recovery ; setenv flag_recover 1 ; run boot_default ; fi ; bootmenu
- boot_production=led $bootled_pwr on ; run ubi_read_production && bootm $loadaddr#$bootconf ; led $bootled_pwr off
- boot_recovery=led $bootled_rec on ; run ubi_read_recovery && bootm $loadaddr#$bootconf ; led $bootled_rec off
- boot_tftp=tftpboot $loadaddr $bootfile && bootm $loadaddr#$bootconf
- boot_tftp_forever=led $bootled_rec on ; while true ; do run boot_tftp_recovery ; sleep 1 ; done
- boot_tftp_production=tftpboot $loadaddr $bootfile_upg && env exists replacevol && iminfo $loadaddr && run ubi_write_production ; if env exists noboot ; then else bootm $loadaddr#$bootconf ; fi
- boot_tftp_recovery=tftpboot $loadaddr $bootfile && env exists replacevol && iminfo $loadaddr && run ubi_write_recovery ; if env exists noboot ; then else bootm $loadaddr#$bootconf ; fi
- boot_tftp_write_bl2=tftpboot $loadaddr $bootfile_bl2 && run mtd_write_bl2
- boot_tftp_write_fip=tftpboot $loadaddr $bootfile_fip && run mtd_write_fip && run reset_factory
- boot_ubi=run boot_production ; run boot_recovery ; run boot_tftp_forever
- bootcmd=if pstore check ; then run boot_recovery ; else run boot_ubi ; fi
- bootconf=config-1
- bootdelay=3
- bootfile=immortalwrt-mediatek-filogic-nokia_ea0326gmp-initramfs-recovery.itb
- bootfile_bl2=immortalwrt-mediatek-filogic-nokia_ea0326gmp-preloader.bin
- bootfile_fip=immortalwrt-mediatek-filogic-nokia_ea0326gmp-bl31-uboot.fip
- bootfile_upg=immortalwrt-mediatek-filogic-nokia_ea0326gmp-squashfs-sysupgrade.itb
- bootled_pwr=green:power
- bootled_rec=green:power
- bootmenu_0=Run default boot command.=run boot_default
- bootmenu_1=Boot system via TFTP.=run boot_tftp ; run bootmenu_confirm_return
- bootmenu_2=Boot production system from NAND.=run boot_production ; run bootmenu_confirm_return
- bootmenu_3=Boot recovery system from NAND.=run boot_recovery ; run bootmenu_confirm_return
- bootmenu_4=Load production system via TFTP then write to NAND.=setenv noboot 1 ; setenv replacevol 1 ; run boot_tftp_production ; setenv noboot ; setenv replacevol ; run bootmenu_confirm_return
- bootmenu_5=Load recovery system via TFTP then write to NAND.=setenv noboot 1 ; setenv replacevol 1 ; run boot_tftp_recovery ; setenv noboot ; setenv replacevol ; run bootmenu_confirm_return
- bootmenu_6=Load BL31+U-Boot FIP via TFTP then write to NAND.=run boot_tftp_write_fip ; run bootmenu_confirm_return
- bootmenu_7=Load BL2 preloader via TFTP then write to NAND.=run boot_tftp_write_bl2 ; run bootmenu_confirm_return
- bootmenu_8=Reboot.=reset
- bootmenu_9=Reset all settings to factory defaults.=run reset_factory ; reset
- bootmenu_confirm_return=askenv - Press ENTER to return to menu ; bootmenu 60
- bootmenu_default=0
- bootmenu_delay=3
- bootmenu_title= ( ( ( OpenWrt ) ) ) U-Boot 2023.07.02-ImmortalWrt-r27674-a0c4e698e4 (Apr 19 2024 - 14:40:26 +0000)
- console=earlycon=uart8250,mmio32,0x11002000 console=ttyS0
- ethaddr=e2:bc:ae:e6:33:11
- ipaddr=192.168.1.1
- loadaddr=0x46000000
- mtd_write_bl2=mtd erase bl2 && mtd write bl2 $loadaddr
- mtd_write_fip=mtd erase fip && mtd write fip $loadaddr
- reset_factory=ubi part ubi ; mw $loadaddr 0x0 0x800 ; ubi write $loadaddr ubootenv 0x800 ; ubi write $loadaddr ubootenv2 0x800
- serverip=192.168.1.254
- ubi_create_env=ubi check ubootenv || ubi create ubootenv 0x100000 dynamic 0 || run ubi_format ; ubi check ubootenv2 || ubi create ubootenv2 0x100000 dynamic 1 || run ubi_format
- ubi_format=ubi detach ; mtd erase ubi && ubi part ubi ; reset
- ubi_prepare_rootfs=if ubi check rootfs_data ; then else if env exists rootfs_data_max ; then ubi create rootfs_data $rootfs_data_max dynamic || ubi create rootfs_data - dynamic ; else ubi create rootfs_data - dynamic ; fi ; fi
- ubi_read_production=ubi read $loadaddr fit && iminfo $loadaddr && run ubi_prepare_rootfs
- ubi_read_recovery=ubi check recovery && ubi read $loadaddr recovery
- ubi_remove_rootfs=ubi check rootfs_data && ubi remove rootfs_data
- ubi_write_production=ubi check fit && ubi remove fit ; run ubi_remove_rootfs ; ubi create fit $filesize dynamic 2 && ubi write $loadaddr fit $filesize
- ubi_write_recovery=ubi check recovery && ubi remove recovery ; run ubi_remove_rootfs ; ubi create recovery $filesize dynamic 3 && ubi write $loadaddr recovery $filesize
- ver=U-Boot 2023.07.02-ImmortalWrt-r27674-a0c4e698e4 (Apr 19 2024 - 14:40:26 +0000)
- Environment size: 4531/126971 bytes
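In it I found
loadaddr=0x46000000
mtd_write_bl2=mtd erase bl2 && mtd write bl2 $loadaddr
mtd_write_fip=mtd erase fip && mtd write fip $loadaddr
Could this loadaddr=0x46000000 be the memory address? And mtd_write_bl2=mtd erase bl2 && mtd write bl2 $loadaddr
and mtd_write_fip=mtd erase fip && mtd write fip $loadaddr are exactly the commands that erase and write bl2 and fip.
Looking more closely I also found
bootmenu_6=Load BL31+U-Boot FIP via TFTP then write to NAND.=run boot_tftp_write_fip ; run bootmenu_confirm_return
run boot_tftp_write_fip runs the boot_tftp_write_fip command; further up I found
boot_tftp_write_fip=tftpboot $loadaddr $bootfile_fip && run mtd_write_fip && run reset_factory
Put together, isn't that just
- boot_tftp_write_fip=tftpboot 0x46000000 $bootfile_fip && mtd erase fip && mtd write fip 0x46000000 && run reset_factory
Since TFTP mode hadn't worked when I tried it earlier, the tftpboot 0x46000000 $bootfile_fip command can be replaced by a load* 0x46000000 command, and then the file is sent in over the serial port.
I checked in Xshell: under File > Transfer there are also X and Y transfer modes.
I first tried X mode: entered the command loadx 0x46000000 and pressed Enter, then chose X-mode transfer in Xshell to send the uboot. It failed.
Then I tried Y mode: entered the command loady 0x46000000 and pressed Enter, then chose Y-mode transfer in Xshell to send the uboot; the transfer speed was about 8KB.
Once the file transfer finished, I closed the transfer window and entered the command mtd erase fip && mtd write fip 0x46000000 to start writing the uboot.
The output was as follows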
- MT7981> loady 0x46000000
- ## Ready for binary (ymodem) download to 0x46000000 at 115200 bps...
- End of file
- ## Binary (ymodem) download aborted
- MT7981> mtd erase fip && mtd write fip 0x46000000
- Erasing 0x00000000 ... 0x001fffff (16 eraseblock(s))
- Writing 2097152 byte(s) (1024 page(s)) at offset 0x00000000
- MT7981>
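Finally I cut power, held the MESH WPS button, powered on and released it after 5 seconds, then entered 192.168.1.1, and the uboot web console was back.
Postscript: a few days later, when I tried to reproduce this process, the results were different again:
Result 1: when unbricking with mtk_uartboot, after the command ran to completion the first time, I immediately held the reset key for 5 seconds and released it, and 192.168.1.1 was reachable.
After cutting power I ran the mtk_uartboot command again; after it finished I left it alone without pressing any button, and after a while 192.168.1.1 was reachable as well. This differs from when I was actually unbricking, when 192.168.1.1 would not open no matter what I tried.
After getting into 192.168.1.1 I flashed 237大's immortalwrt firmware; it rebooted automatically, after a while I cut power and ran the mtk_uartboot command once more, and after a while the wifi and lan LEDs came on.
At that point 192.168.1.1 opened the immortalwrt admin interface, so at that point it is also possible to upload the uboot and write it into the FIP partition.
But when I reproduced it yet again it no longer behaved this way: it would only enter the uboot web console and did not boot the immortalwrt firmware normally.
Result 2: after the mtk_uartboot command finished, I connected with the serial software right away, i.e. I opened the COM21 serial port in Xshell and quickly pressed the up/down arrow keys; the bootmenu that appeared was that of the uboot sent in by the mtk_uartboot command.
Whereas when I was originally unbricking with the mtk_uartboot command, no matter what I tried, the bootmenu that appeared was always that of the official immortalwrt uboot I had flashed.
Result 3: with Tftpd64 open, the uboot boot options could now reach the IP 192.168.1.254 normally and download and flash the firmware. I had assumed I had accidentally ticked a firewall option that blocked Tftpd64, but I haven't shut down the PC in all these days, and now when I try it works.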
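The post works out by hand what `run boot_tftp_write_fip` expands to. The Python sketch below is an added example, not part of the original post: it does the same expansion mechanically for any command variable and lists the steps that modify flash, so an entry can be audited before it is run. It ignores conditions (it lists every command that could run), and the names `parse_env`, `flatten` and `flash_writes` are hypothetical.

```python
import re

# Constructed sample: five lines copied from the printenv output in the post.
PRINTENV = """\
boot_tftp_write_fip=tftpboot $loadaddr $bootfile_fip && run mtd_write_fip && run reset_factory
bootfile_fip=immortalwrt-mediatek-filogic-nokia_ea0326gmp-bl31-uboot.fip
loadaddr=0x46000000
mtd_write_fip=mtd erase fip && mtd write fip $loadaddr
reset_factory=ubi part ubi ; mw $loadaddr 0x0 0x800 ; ubi write $loadaddr ubootenv 0x800 ; ubi write $loadaddr ubootenv2 0x800
"""

KEYWORDS = {"if", "then", "else", "fi", "while", "do", "done"}
FLASH_WRITES = ("mtd erase", "mtd write", "ubi write", "ubi create", "ubi remove")

def parse_env(text):
    """Turn `name=value` lines into a dict (a value may itself contain '=')."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"\w+", name):
            env[name] = value
    return env

def flatten(name, env, stack=()):
    """List every simple command `run name` could execute, in order."""
    if name in stack:
        raise ValueError("recursive run: " + " -> ".join(stack + (name,)))
    steps = []
    for part in re.split(r"&&|\|\||;", env[name]):
        words = part.split()
        while words and words[0] in KEYWORDS:    # drop shell control words
            words.pop(0)
        if not words:
            continue
        if words[0] == "run":                    # `run a b` runs a, then b
            for sub in words[1:]:
                if sub in env:
                    steps += flatten(sub, env, stack + (name,))
                else:
                    steps.append("run " + sub)   # unknown variable, keep as is
        else:
            steps.append(re.sub(r"\$\{?(\w+)\}?",
                                lambda m: env.get(m.group(1), m.group(0)),
                                " ".join(words)))
    return steps

def flash_writes(steps):
    """Keep only the steps that erase or write flash / UBI volumes."""
    return [s for s in steps if s.startswith(FLASH_WRITES)]

if __name__ == "__main__":
    for step in flatten("boot_tftp_write_fip", parse_env(PRINTENV)):
        print(step)
```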
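In the transcript above, `## Binary (ymodem) download aborted` is printed right before `mtd erase fip && mtd write fip 0x46000000`. The Python sketch below is an added example, not part of the original post: it compares the local file with the result of U-Boot's `crc32` command (listed in the `help` output) run over the loaded range, and checks the size against the 0x200000-byte fip partition seen in the erase output. The console line format `crc32 for <start> ... <end> ==> <crc>` is an assumption, and the image bytes and function names are constructed for the demonstration.

```python
import re
import zlib

LOADADDR = 0x46000000        # loadaddr from the printenv output in the post
FIP_PART_SIZE = 0x200000     # "Erasing 0x00000000 ... 0x001fffff" in the post

# Assumed format of the console line printed by U-Boot's crc32 command.
CRC_LINE = re.compile(
    r"crc32 for ([0-9a-f]+) \.\.\. ([0-9a-f]+) ==> ([0-9a-f]{8})", re.I)

def check_before_write(image, uboot_line, loadaddr=LOADADDR,
                       part_size=FIP_PART_SIZE):
    """Return a list of problems; an empty list means RAM matches the file."""
    problems = []
    if len(image) > part_size:
        problems.append("image is larger than the fip partition")
    m = CRC_LINE.search(uboot_line)
    if not m:
        return problems + ["no crc32 result found in console line"]
    start, end, crc = (int(g, 16) for g in m.groups())
    if start != loadaddr:
        problems.append("crc32 was taken at %#x, not %#x" % (start, loadaddr))
    if end - start + 1 != len(image):
        problems.append("console hashed %d bytes, file has %d"
                        % (end - start + 1, len(image)))
    if crc != zlib.crc32(image) & 0xFFFFFFFF:
        problems.append("crc32 mismatch")
    return problems

def uboot_crc_line(data, addr=LOADADDR):
    """Build the console line for `data` in the assumed format (demo helper)."""
    return "crc32 for %08x ... %08x ==> %08x" % (
        addr, addr + len(data) - 1, zlib.crc32(data) & 0xFFFFFFFF)

if __name__ == "__main__":
    image = b"constructed FIP stand-in " * 4096      # not a real FIP image
    print(check_before_write(image, uboot_crc_line(image)))
    # A transfer that stopped after 8192 bytes is reported as a mismatch.
    print(check_before_write(image, uboot_crc_line(image[:8192])))
```

On the router side the value to paste in comes from running `crc32 0x46000000 <size in hex>` at the `MT7981>` prompt after the transfer and before `mtd write`.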