从底层修改路由器固件，以刷入OpenWrt，附实例：极壹-HC6361|创意DIY

离线神经病

数码4段

发帖: 2696

M币: 18

专家: 5

粉丝: 100

只看楼主倒序阅读我要置顶楼主发表于: 2015-08-13

声明：帖子是原创，引用内容都会标注，翻译来的也会标出来。在此鄙视翻译来就当是自己原创内容的某些人。
简介：
话说前几天入了个二手极壹玩，主要是看硬件还不错，AR9331+16M+64M，还有板载4G U盘（我拿到的是8G）。没想到到手之后刷不了固件，因为U-Boot有防刷。网上的编程器固件不敢用，鬼知道里面有什么，而且ART分区也不是自己的了，mac地址也都乱套了。去Openwrt官网看，确实是有对HC6361的支持的，但是固件分了常见的sysupgrade，还有kernel和rootfs两项。sysupgade改名为recovery.bin，使用TFTP上传无效，不报错也不刷写直接重启，看来是u-boot有防刷措施，连官方的固件恢复工具都不起作用的。于是萌生了直接修改Flash内容的想法。

Flash的分区方式：
先来看张图[1]，图片上只是个例子，要点在Layer0，Layer1和Layer2，再详细的目前不做深究。

下面是一些详细说明，源文字来自OpenWrt官方Wiki，中文版很难看明白，我从英文翻译并简化了一下搬过来[2]：

Layer0: 代表整个Flash芯片，通过SPI接口连接到SoC。
Layer1: 第一层将路由器flash分成3个区，/mtd0分区是给Bootloader的，相当于电脑的引导程序。一般来说大小是128KiB，这128KiB又包含64KiB的u-boot和64KiB的区域来放置其他信息，例如有线网的mac地址。但是这个需要根据实际情况来确定，有的路由器会有不同的大小。实例中的HC6361的/mtd0分区就是128KiB的大小。（注：容量单位这里使用的比较严格，防止误解。1KiB=1024Byte，1KB=1000Byte）
/mtd4，指的art（Atheros Radio Test）分区（Atheros芯片组特有的），它包含无线的校准信息，还有无线的MAC地址，如果此分区损坏wifi将不能工作。
/firmware是固件区，下面会说明。
Layer2: /mtd5分区，表示整个固件区域，又被分成/mtd1给内核（Kernel）和/mtd2给根文件系统（rootfs）。内核二进制文件是以LZMA压缩，之后在以gzip压缩，最后直接写入flash上的/mtd1，没有文件系统的存在。rootfs就不深究了，目前我们只要了解到Layer2就可以进行操作了。

实战编辑：
了解了Flash基础之后，我们可以知道对应的地址了，就可以对Flash的内容直接进行编辑了。当然在此我们并不能真正的直接编辑Flash的内容，只能通过编程器读出BIN文件，修改好了再刷回去。软件只需要使用WinHEX即可，一款十六进制编译器。读出flash内容的过程就不再赘述了，重点是对文件进行编辑。

1. 用WinHex打开文件，我们可以看到左侧的Offset（偏移）和右侧的文件大小。文件大小转换来是16777216Bytes，转换成十六进制就是从0开始的Offset。在平常的计算器上不停的转换进制是很麻烦的，还好我们有windows自带的计算器，模式调整成“程序员”就能看到进制切换了。计算器打开不要关，下面还要用到很多次。

2. 知道了Offset和文件大小的关系，下一步就是找地址。
为了方便，我在这里直接贴出我计算好的地址范围，还是拿这个HC6361为例：
16MiBFlash=16384KiB=16777216Bytes
/mtd0=0x00000-0x1FFFF
/mtd1=0x20000-0x15FFFF
/mtd2=0x160000-0xFEFFFF
/mtd4=0xFF0000-0xFFFFFF
别的flash请自己计算吧，/mtd0一般在头128KiB，/mtd4在最后64KiB。

3. 既然我们的固件是有kernel和rootfs的，所以我们要把原来的kernel和rootfs全部清理干净。
按Alt+G，填入16进制的偏移量，在这里是20000，也就是/mtd1（内核）开始的地方。

现在我们来到了0x20000的位置，右键选第一项或者Alt+1，标出起始点。

再去0xFEFFFF，这里是/mtd4（根文件系统）的终点，在这里右键第二项或者Alt+2标志结束点。这时，winhex会自动选中0x20000到0xFEFFFF的区域。按Ctrl+L，将此区域填充FF，达到清空的目的。

4. 现在我们没有了内核和根文件系统，下一步就是要把OpenWrt原生的写进去。从downloads.openwrt.org/下载内核和根文件系统，都用winhex打开备用。首先切换到内核部分，全选，然后复制；再切回刚刚我们用编程器读出的那个文件，跳转到0x20000（内核开始的地址），按Ctrl+B写入。不要使用粘贴，因为会增加文件大小。之后跳转到0x160000，这里是根文件系统的开始地址，去下载的根文件系统文件里复制过来，Ctrl+B写入就可以了。

5. 经过这么一番折腾，我们就可以保存文件并刷回去了。附TTL输出（mac地址去掉了，固件是我自己编译的）：

复制代码

U-Boot 1.1.4 (Aug 25 2014 - 14:17:29)
AP121 (ar9331) U-boot
DRAM: 64 MB
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16777216, sector count = 256
Flash: 16 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ag7240 gmac:
eth0:
eth0 up
ag7240 gmac:
eth1:
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Autobooting in 2 seconds
## Booting image at 9f020000 ...
Image Name: tw150v1 MIPS OpenWrt Linux-4.1.4
Created: 2015-08-10 11:41:28 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1166935 Bytes = 1.1 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x9f020040 ...OK
Uncompressing Kernel Image ... OK
Starting kernel ...
[ 0.000000] Linux version 4.1.4 (ian@ian-FMVNT1CG) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46576) ) #1 Mon Aug 10 19:41:15 CST 2015
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=HiWiFi-HC6361 console=ttyATH0,115200 mtdparts=spi0.0:64k(u-boot)ro,64k(bdinfo)ro,1280k(kernel),14848k(rootfs),64k(backup)ro,64k(art)ro,16128k@0x20000(firmware) rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 60880K/65536K available (2565K kernel code, 126K rwdata, 544K rodata, 212K init, 188K bss, 4656K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:83
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[ 0.000013] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[ 0.007531] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.088729] pid_max: default: 32768 minimum: 301
[ 0.093314] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.099479] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.110101] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.119043] NET: Registered protocol family 16
[ 0.124211] MIPS: machine is HiWiFi HC6361
[ 0.616542] Switched to clocksource MIPS
[ 0.620725] NET: Registered protocol family 2
[ 0.624926] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.630275] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.636298] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.642534] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.647990] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.654298] NET: Registered protocol family 1
[ 0.659690] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.687871] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.692079] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.704265] io scheduler noop registered
[ 0.706727] io scheduler deadline registered (default)
[ 0.711844] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.718343] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.726849] console [ttyATH0] enabled
[ 0.726849] console [ttyATH0] enabled
[ 0.733623] bootconsole [early0] disabled
[ 0.733623] bootconsole [early0] disabled
[ 0.745070] m25p80 spi0.0: found w25q128, expected m25p80
[ 0.749106] m25p80 spi0.0: w25q128 (16384 Kbytes)
[ 0.753749] 7 cmdlinepart partitions found on MTD device spi0.0
[color=#ff0000][ 0.759622] Creating 7 MTD partitions on "spi0.0":[/color]
[color=#ff0000][ 0.764401] 0x000000000000-0x000000010000 : "u-boot"[/color]
[color=#ff0000][ 0.770631] 0x000000010000-0x000000020000 : "bdinfo"[/color]
[color=#ff0000][ 0.775427] 0x000000020000-0x000000160000 : "kernel"[/color]
[color=#ff0000][ 0.780484] 0x000000160000-0x000000fe0000 : "rootfs"[/color]
[color=#ff0000][ 0.785254] mtd: device 3 (rootfs) set to be root filesystem[/color]
[color=#ff0000][ 0.789934] 1 squashfs-split partitions found on MTD device rootfs[/color]
[color=#ff0000][ 0.795989] 0x0000004a0000-0x000000fe0000 : "rootfs_data"[/color]
[color=#ff0000][ 0.802536] 0x000000fe0000-0x000000ff0000 : "backup"[/color]
[color=#ff0000][ 0.807526] 0x000000ff0000-0x000001000000 : "art"[/color]
[color=#ff0000][ 0.812116] 0x000000020000-0x000000fe0000 : "firmware"[/color]
[ 0.839490] libphy: ag71xx_mdio: probed
[ 1.428038] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 1.460085] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 2.048249] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 2.057004] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 2.063585] NET: Registered protocol family 17
[ 2.066777] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.079354] 8021q: 802.1Q VLAN Support v1.8
[ 2.093951] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[ 2.101272] Freeing unused kernel memory: 212K (8038b000 - 803c0000)
[ 3.460989] init: Console is alive
[ 3.463213] init: - watchdog -
[ 5.634839] usbcore: registered new interface driver usbfs
[ 5.639076] usbcore: registered new interface driver hub
[ 5.644289] usbcore: registered new device driver usb
[ 5.703017] SCSI subsystem initialized
[ 5.714074] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.721209] ehci-platform: EHCI generic platform driver
[ 5.725089] ehci-platform ehci-platform: EHCI Host Controller
[ 5.730841] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.740756] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.756588] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.762615] hub 1-0:1.0: USB hub found
[ 5.765550] hub 1-0:1.0: 1 port detected
[ 5.775260] usbcore: registered new interface driver usb-storage
[ 6.086570] usb 1-1: new high-speed USB device number 2 using ehci-platform
[ 6.239969] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 6.245450] scsi host0: usb-storage 1-1:1.0
[ 6.506222] init: - preinit -
[ 7.172317] random: procd urandom read with 11 bits of entropy available
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 8.265508] scsi 0:0:0:0: Direct-Access Skymedi PenDrive 1.21 PQ: 0 ANSI: 4
[ 8.276709] sd 0:0:0:0: [sda] 15663104 512-byte logical blocks: (8.01 GB/7.46 GiB)
[ 8.284454] sd 0:0:0:0: [sda] Write Protect is off
[ 8.289463] sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 8.312086] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 8.747868] eth0: link up (1000Mbps/Full duplex)
[ 9.423711] mount_root: loading kmods from internal overlay
[ 9.706526] block: attempting to load /etc/config/fstab
[ 9.710678] block: unable to load configuration (fstab: Entry not found)
[ 9.717642] block: no usable configuration
[ 9.722073] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[ 9.759661] eth0: link down
[ 9.776304] procd: - early -
[ 9.778060] procd: - watchdog -
[ 10.693947] procd: - ubus -
[ 11.718448] procd: - init -
Please press Enter to activate this console.
[ 12.939732] NET: Registered protocol family 10
[ 12.967977] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 12.991801] Loading modules backported from Linux version master-2015-07-21-0-g47cd203
[ 12.998351] Backport generated by backports.git backports-20150626-0-gc1a4168
[ 13.009824] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 13.029288] nf_conntrack version 0.5.0 (954 buckets, 3816 max)
[ 13.088609] xt_time: kernel timezone is -0000
[ 13.129844] cfg80211: World regulatory domain updated:
[ 13.133528] cfg80211: DFS Master region: unset
[ 13.137943] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 13.147616] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 13.155583] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 13.163584] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 13.171572] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (N/A)
[ 13.181034] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 13.190492] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 13.198560] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 13.206552] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 13.321304] PPP generic driver version 2.4.2
[ 13.328073] NET: Registered protocol family 24
[ 13.411850] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[ 13.420986] cfg80211: Regulatory domain changed to country: US
[ 13.425369] cfg80211: DFS Master region: FCC
[ 13.429608] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 13.439287] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 13.447271] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[ 13.456731] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[ 13.466176] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2300 mBm), (0 s)
[ 13.474262] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 13.482247] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 28.461289] device eth0 entered promiscuous mode
[ 28.487811] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 28.540479] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 28.630424] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 28.656762] jffs2_build_filesystem(): unlocking the mtd device... done.
[ 28.661927] jffs2_build_filesystem(): erasing all blocks after the end marker...
[ 30.057949] eth0: link up (1000Mbps/Full duplex)
[ 30.061321] br-lan: port 1(eth0) entered forwarding state
[ 30.066750] br-lan: port 1(eth0) entered forwarding state
[ 30.116759] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 32.066622] br-lan: port 1(eth0) entered forwarding state
[ 54.096600] random: nonblocking pool is initialized
[ 75.313215] done.