Huawei HG8245H ONT Unbricking Notes ⑤: Working Out a Feasible Recovery Plan

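In the earlier parts I connected to the HG8245H over its JTAG interface. What remains is to work out how to write the correct data back to Flash through JTAG.

There are roughly two feasible approaches:

  • Program the NAND Flash directly over JTAG (by driving the NAND Flash controller).
  • Load the second-stage bootloader (U-Boot) and write Flash from the bootloader's own command line.

The first can more or less be ruled out: OpenOCD supports only a limited set of NAND Flash controllers, and it is currently unknown how the SD5115's NAND Flash controller is accessed. If this were NOR Flash there would be some hope.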

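So the main hope rests on U-Boot. Take the U-Boot extracted from the HG8245H firmware, drop it into IDA Pro, and work out U-Boot's load address. Then use OpenOCD's load_image command to load it into memory and run it:

There are three commands above: halt stops the target CPU; load_image loads binary data to a specified location in memory; resume resumes CPU execution at a specified address (it sets the PC register). The net effect is to write U-Boot to memory address 0x81F00000 and run it.

Once this has run, the following appears on the UART: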

HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 – 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:0
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!
U-Boot 2010.03 (R16C10 Jul 14 2016 – 14:19:37)

DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x01 0xF1 0x00 0x1D 0x01 0xF1 0x00 0x1D
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment

In: serial
Out: serial
Err: serial
PHY power down !!!
[main.c__6080]::CRC:0xfddebfbf, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0xfffffffd, RunFlag:0xffffffff
0x000000100000-0x000008000000 : “mtd=1”
UBI: attaching mtd1 to ubi0
slave_paramA in flash, CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x2
use slave_paramA which is from flash, the RAM data is not OK!!!
Start from main system(0x0)!
CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
Main area (A) is OK!
CRC:0x39e1f1ae, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
UBIFS error (pid 0): ubifs_recover_master_node: failed to recover master node
Error reading superblock on volume ‘ubi:file_system’!
mount ubifs error!
Bootcmd:ubi read 0x85c00000 kernelA 0x19f28a; bootm 0x85c00054
BootArgs:noalign mem=118M console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0x7f00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=0 l2_cache=l2hi coherent_pool=4M user_debug=0x1f panic=1 skb_priv=128 debug_ll=on
U-boot Start from NORMAL Mode!

## Booting kernel from Legacy Image at 85c00054 …
Image Name: Linux-3.10.53-HULK2
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1700342 Bytes = 1.6 MB
Load Address: 80e08000
Entry Point: 80e08000
Memory Start: 80a00000
Loading Kernel Image … OK
OK
kernel loaded at 0x80a08000, end = 0x80ba71f6

Starting kernel …

Uart base = 0x1010F000
dtb addr = 0x81007398
Uncompressing Linux…

LZMA data is corrupt

— System halted

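As the output shows, U-Boot ran successfully, but the kernel is still broken (most likely the ubifs problem again), which ends in System halted. JTAG also becomes inaccessible (once U-Boot is running, JTAG can no longer be used; I do not know the mechanism, but my guess is that U-Boot disables JTAG debugging), so the only option is to power-cycle the device. I also found no prompt from U-Boot saying which key to press to interrupt autoboot.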
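The BootArgs line in the UART log above carries the flash partition map (mtdparts=...), which any write-back done from U-Boot has to respect. The following is an added example, not part of the original post: it parses that string and checks it against the NAND geometry and the UBI range printed in the same log. The function names are illustrative; every constant is copied from the log.

```python
import re

# Values copied from the UART log quoted in this post.
BOOTARGS = ("noalign mem=118M console=ttyAMA1,115200 ubi.mtd=1 mtdparts=hinand:"
            "0x100000(startcode),0x7f00000(ubifs),-(reserved) pcie0_sel=x1")
CHIP_SIZE = 128 << 20            # "Chip:128MB*1"
BLOCK_SIZE = 128 << 10           # "Block:128KB"
UBI_RANGE = (0x000000100000, 0x000008000000)  # printed before "UBI: attaching mtd1"
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}

def parse_size(token):
    """Convert an mtdparts number (decimal or 0x hex, optional k/m/g) to bytes."""
    m = re.fullmatch(r"(0[xX][0-9a-fA-F]+|\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"bad size or offset: {token!r}")
    digits, unit = m.groups()
    base = 16 if digits[:2].lower() == "0x" else 10
    return int(digits, base) * UNITS[unit.lower()]

def parse_mtdparts(bootargs, chip_size, block_size):
    """Return (mtd_id, [(index, name, start, end)]) for the first MTD device."""
    m = re.search(r"mtdparts=([^:\s]+):([^\s;]+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in boot arguments")
    parts, cursor = [], 0
    for index, definition in enumerate(m.group(2).split(",")):
        pm = re.fullmatch(r"(-|\w+)(?:@(\w+))?\(([^)]*)\)(?:ro)?(?:lk)?", definition)
        if not pm:
            raise ValueError(f"bad partition definition: {definition!r}")
        size_tok, offset_tok, name = pm.groups()
        start = parse_size(offset_tok) if offset_tok else cursor
        size = chip_size - start if size_tok == "-" else parse_size(size_tok)  # "-" = rest of chip
        end = start + size
        if size < 0 or end > chip_size:
            raise ValueError(f"{name}: runs past the end of the chip")
        if start % block_size or end % block_size:
            raise ValueError(f"{name}: not aligned to an erase block")
        parts.append((index, name, start, end))
        cursor = end
    return m.group(1), parts

def partition_for_range(parts, start, end):
    """Return (index, name) of the partition with exactly these bounds, or None."""
    return next(((i, n) for i, n, s, e in parts if (s, e) == (start, end)), None)

if __name__ == "__main__":
    mtd_id, layout = parse_mtdparts(BOOTARGS, CHIP_SIZE, BLOCK_SIZE)
    for index, name, start, end in layout:
        print(f"{mtd_id} mtd{index} {name:<10} 0x{start:08x}-0x{end:08x} {(end - start) >> 10} KiB")
    print("UBI range in log maps to:", partition_for_range(layout, *UBI_RANGE))
```

On this log the `-(reserved)` entry comes out with zero length, because startcode and ubifs together already cover the whole 128 MiB chip.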
