看雪论坛
发新帖
6

华为光猫HG8245H救砖笔记⑥逆向UBoot恢复海思命令行

bxc 2017-2-22 15:49 1306

原文发在我的blog:http://blog.csersoft.net/archives/174

正文:

前文中虽然成功的运行了UBoot,但是因为内核损坏,依然无法正常启动。想要用UBoot刷写Flash,就必须进入UBoot的命令行模式,一般UBoot在引导过程中,会有短暂的时间让用户按下某些指定的按键来中断自动引导。可是之前运行的UBoot并没有这样的提示,感觉可能是华为禁用了UBoot的命令行。

曾经在网上看到过关于HG8245的UBoot的输出信息,其中包含如下字样的提示:

Press d key to abort autoboot: 10

一番周折后,找到了存在该信息的固件,不过是HG8245的,不是HG8245H的。提取UBoot后,尝试放到HG8245H里运行,但UART没有任何输出。

于是打算逆向UBoot,看看中断自动引导部分功能是否被禁用了,根据对字符串的引用参考分析,定位到了main_loop函数,以下为逆向的伪代码:

网上有很多关于UBoot引导流程分析的文章,阅读过后便可知道abortboot函数是中止自动引导的关键所在,一般这个函数会在bootdelay指定的时间内,检查bootstopkey设定的键码是否被按下。如果条件满足中止引导的话,就返回非0值,否则返回0。

所以看下abortboot函数的伪代码,就清楚问题出在哪里了:

果不其然,可以发现这个函数,无论如何,都会返回0,即永远无法进入命令行模式。

那么修改该函数的返回值,应该就可以实现无条件进入命令行模式了吧。IDA Pro中转到return 0对应的机器码:

使用16进制编辑器,或者IDA的keypatch插件,修改该指令为:

保存后,重启光猫,继续通过OpenOCD写入内存运行UBoot,这时UART中输出如下:

 

HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 – 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:0
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!
U-Boot 2010.03 (R16C10 Jul 14 2016 – 14:19:37)

DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x01 0xF1 0x00 0x1D 0x01 0xF1 0x00 0x1D
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment

In: serial
Out: serial
Err: serial
PHY power down !!!
[main.c__6080]::CRC:0x39e1f1ae, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0xfffffffd, RunFlag:0xffffffff
0x000000100000-0x000008000000 : “mtd=1”
UBI: attaching mtd1 to ubi0
slave_paramA in flash, CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x2
use slave_paramA which is from flash, the RAM data is not OK!!!
Start from main system(0x0)!
CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
Main area (A) is OK!
CRC:0x39e1f1ae, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
UBIFS error (pid 0): ubifs_recover_master_node: failed to recover master node
Error reading superblock on volume ‘ubi:file_system’!
mount ubifs error!
Bootcmd:ubi read 0x85c00000 kernelA 0x19f28a; bootm 0x85c00054
BootArgs:noalign mem=118M console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0x7f00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=0 l2_cache=l2hi coherent_pool=4M user_debug=0x1f panic=1 skb_priv=128 debug_ll=on
U-boot Start from NORMAL Mode!
resetting …
HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 – 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:0
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!

中止自动引导虽然成功了,但是UBoot直接重启了设备。接着分析main_loop函数,在调用完abortboot函数之后,有个可疑函数,会根据某内存地址的值而被决定是否调用(ps: 当时分析的时候,这个函数的名字还没有被我修改成fn_reset_24100):

跟入该函数后,发现它有向UART输出”resetting …\n”字串,那么导致设备重置的函数,应该就是这个了。尝试无条件跳过该函数:

修改为:

保存后,重新装载UBoot并运行:

 

HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 – 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:-1
use the main slave_param area from flash, the RAM data is not OK!!!
Use the UbootA to load first
Use the UbootA to load success
U-Boot 2010.03 (R16C10 Jul 14 2016 – 14:19:37)

DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x01 0xF1 0x00 0x1D 0x01 0xF1 0x00 0x1D
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment

In: serial
Out: serial
Err: serial
PHY power down !!!
[main.c__6080]::CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x2
Start from main system(0x0)!
CRC:0x9789603f, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
0x000000100000-0x000008000000 : “mtd=1”
UBI: attaching mtd1 to ubi0
Main area (A) is OK!
CRC:0x39e1f1ae, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x2
UBIFS error (pid 0): ubifs_recover_master_node: failed to recover master node
Error reading superblock on volume ‘ubi:file_system’!
mount ubifs error!
Bootcmd:ubi read 0x85c00000 kernelA 0x19f28a; bootm 0x85c00054
BootArgs:noalign mem=118M console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0x7f00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=0 l2_cache=l2hi coherent_pool=4M user_debug=0x1f panic=1 skb_priv=128 debug_ll=on
U-boot Start from NORMAL Mode!
hisilicon #

成功恢复海思UBoot命令行!


上传的附件:
本主题帖已收到 0 次赞赏,累计¥0.00
最新回复 (6)
fnto 2017-3-8 15:43
2
可以提供修改之后的uboot吗?
6
bxc 2017-3-9 12:16
3
fnto 可以提供修改之后的uboot吗?
发到chinadsl上了,还在审核,http://www.chinadsl.net/forum.php?mod=viewthread&tid=128798
fnto 2017-3-12 11:14
4
下载了,非常感谢。
fnto 2017-6-6 11:11
5
应该还有下文吧,如何刷回固件,没有现成编程器固件分包的情况下,用官方固件如何制作编程器固件呢?
6
bxc 2017-6-6 20:22
6
fnto 应该还有下文吧[em_1],如何刷回固件,没有现成编程器固件分包的情况下,用官方固件如何制作编程器固件呢?
最近没时间
fnto 2017-6-7 23:32
7
等您大作
返回



©2000-2017 看雪学院 | Based on Xiuno BBS | 知道创宇带宽支持 | 微信公众号:ikanxue
Time: 0.097, SQL: 10 / 京ICP备10040895号-17