firmware – router: how do I break into the boot process?

Question:

I have an ISP-provided router, a Huawei B5318-42. I connected to it over UART with a UART-to-USB converter, copied the boot output, and managed to work out which chip the onboard flash memory is. By placing a jumper wired to the onboard VCC on the flash memory, I can halt the boot at certain points so that it cannot recover or continue, but that hasn't helped me get a shell. There is a point in the boot (#Reset_MT7530) where there is a timer and four options (one of which is the command prompt!), but I can't select anything.

This is what I have so far:

Flash memory datasheet: http://static6.arrow.com/aropdfconversion/ad37e5e560057875befe533ab753d2eb5063011f/125413166402097mx25l25635f203v20256mb20v1.5.pdf

I know it runs BusyBox and vPort Release +D2Tech+ VPORT_R_1_6_91, according to the boot sequence.

It is a MIPS architecture.

Raw output after pressing reset on the router:

    press for several seconds
ralink_gpio: sending a SIGUSR2 to process 332
[Reboot.sh]: start reboot......
unkown led action
[CM]:send reboot msg to ODU.
[CM]:send msg magic:0xaabbccdd, class:0x80, msgtype:0x40.
press for several seconds
ralink_gpio: sending a SIGUSR2 to process 332
[CM]:send reboot msg to ODU.
[CM]:send reboot msg to ODU.
[Reboot.sh]: start reboot......
unkown led action
[CM]:send msg magic:0xaabbccdd, class:0x80, msgtype:0x40.
1 /sbin/miniupnpd.sh remove && at^tmode=3
[CM]:send reboot msg to ODU.
[CM]:send reboot msg to ODU.
1 /sbin/miniupnpd.sh remove && at^tmode=3
[CM]:send reboot msg to ODU.
modem have no response.
usb 2-1: USB disconnect, device number 2
usb 2-1: [DBG HUB]Lock device done, device number 2
usb 2-1: [DBG HUB]mutex_lock hcd->bandwidth_mutex done, device number 2
usb 2-1: [DBG MESSAGE]set all interface unregister 2
usb 2-1: [DBG MESSAGE]remove interface 0
usb 2-1: [DBG MESSAGE]device delete interface 0
eth_data: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 1
usb 2-1: [DBG MESSAGE]device delete interface 1
eth_voip: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 2
usb 2-1: [DBG MESSAGE]device delete interface 2
eth_tr069: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 3
usb 2-1: [DBG MESSAGE]device delete interface 3
usbcomm0: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
fxz-hw_stop: called
usb 2-1: [DBG MESSAGE]remove interface 4
usb 2-1: [DBG MESSAGE]device delete interface 4
option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
option 2-1:1.4: device disconnected


OK


usb 2-1: [DBG MESSAGE]remove interface 5
usb 2-1: [DBG MESSAGE]device delete interface 5
option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
option 2-1:1.5: device disconnected
usb 2-1: [DBG MESSAGE]remove interface 6
usb 2-1: [DBG MESSAGE]device delete interface 6
option1 ttyUSB2: GSM modem (1-port) converter now disconnected from ttyUSB2
option 2-1:1.6: device disconnected
usb 2-1: [DBG MESSAGE]remove interface 7
usb 2-1: [DBG MESSAGE]device delete interface 7
option1 ttyUSB3: GSM modem (1-port) converter now disconnected from ttyUSB3
option 2-1:1.7: device disconnected
usb 2-1: [DBG MESSAGE]remove all interface_ep_devs 2
usb 2-1: [DBG MESSAGE]set all interface NULL 2
usb 2-1: [DBG MESSAGE]set device state ADDRESS done 2
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
usb 2-1: [DBG HUB]usb_disable_device done, device number 2
usb 2-1: [DBG HUB]mutex_unlock hcd->bandwidth_mutex done, device number 2
usb 2-1: [DBG HUB]usb_remove_ep_devs done, device number 2
usb 2-1: [DBG HUB]usb_unlock_device done, device number 2
[ModemReboot]: usb net disconnect.
VAPP is shuting down
vapp_sip_manage.c 131: Stopping SIP
[ 3: 7:54.621340][LCM]:signal 15 exit.
[CM]:cm process is killed:15
[CM]:send reboot msg to ODU.
SHUTDOWN - _VAPP_mgmtEventWriteTask
[CM]:send reboot msg to ODU.
SHUTDOWN - sipUaHandlerTask. infc:0
Stopped WatchDog Timer.
Restarting system.


===================================================================

            MT7621   stage1 code Mar 12 2015 14:43:30 (ASIC)

            CPU=500000000 HZ BUS=166666666 HZ

==================================================================

Change MPLL source from XTAL to CR...

do MEMPLL setting..

MEMPLL Config : 0x11000000

3PLL mode + External loopback

=== XTAL-40Mhz === DDR-1200Mhz ===

PLL2 FB_DL: 0x6, 1/0 = 584/440 19000000

PLL3 FB_DL: 0xf, 1/0 = 577/447 3D000000

PLL4 FB_DL: 0x14, 1/0 = 589/435 51000000

do DDR setting..[01F40000]

Apply DDR3 Setting...(use default AC)

          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120

      --------------------------------------------------------------------------------

0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    1

000E:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1

000F:|    0    0    0    0    1    1    1    1    1    1    1    1    1    1    0    0

0010:|    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0

0011:|    1    1    1    0    0    0    0    0    0    0    0    0    0    0    0    0

0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0

DRAMC_DQSCTL1[0e0]=13000000

DRAMC_DQSGCTL[124]=80000033

rank 0 coarse = 15

rank 0 fine = 72

B:|    0    0    0    0    0    0    0    0    0    0    1    1    1    0    0    0

opt_dle value:11

DRAMC_DDR2CTL[07c]=C287223D

DRAMC_PADCTL4[0e4]=000022B3

DRAMC_DQIDLY1[210]=0C0B070B

DRAMC_DQIDLY2[214]=07090909

DRAMC_DQIDLY3[218]=0D0A0909

DRAMC_DQIDLY4[21c]=0B080C0A

DRAMC_R0DELDLY[018]=0000211F

==================================================================

        RX  DQS perbit delay software calibration 

==================================================================

1.0-15 bit dq delay value

==================================================================

bit|     0  1  2  3  4  5  6  7  8  9

--------------------------------------

0 |    11 7 11 11 9 9 9 7 7 7 

10 |    8 9 9 11 7 11 

--------------------------------------




==================================================================

2.dqs window

x=pass dqs delay value (min~max)center 

y=0-7bit DQ of every group

input delay:DQS0 =31 DQS1 = 33

==================================================================

bit DQS0     bit      DQS1

0  (1~62)31  8  (1~62)31

1  (1~62)31  9  (1~62)31

2  (1~62)31  10  (1~62)31

3  (1~59)30  11  (0~58)29

4  (1~62)31  12  (1~63)32

5  (1~62)31  13  (1~64)32

6  (1~62)31  14  (0~65)32

7  (1~62)31  15  (2~64)33

==================================================================

3.dq delay value last

==================================================================

bit|    0  1  2  3  4  5  6  7  8   9

--------------------------------------

0 |    11 7 11 12 9 9 9 7 9 9 

10 |    10 13 10 12 8 11 

==================================================================

==================================================================

     TX  perbyte calibration 

==================================================================

DQS loop = 15, cmp_err_1 = ffff0000 

dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1 

dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2 

DQ loop=15, cmp_err_1 = ffff0000

dqs_perbyte_dly.last_dqdly_pass[0]=15,  finish count=1 

dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=2 

byte:0, (DQS,DQ)=(8,8)

byte:1, (DQS,DQ)=(8,8)

DRAMC_DQODLY1[200]=88888888

DRAMC_DQODLY2[204]=88888888

20,data:88

[EMI] DRAMC calibration passed




===================================================================

            MT7621   stage1 code done 

            CPU=500000000 HZ BUS=166666666 HZ

===================================================================



U-Boot 1.1.3 (Oct 20 2016 - 14:48:59)


Board: Ralink APSoC DRAM:  128 MB

relocate_code Pointer at: 87fb8000


Config XHCI 40M PLL 

******************************

Software System Reset Occurred

******************************

flash manufacture id: c2, device id 20 19

find flash: MX25L25635E

*** Warning - bad CRC, using default environment


============================================ 

Ralink UBoot Version: 4.3.0.0

-------------------------------------------- 

ASIC MT7621A DualCore (MAC to MT7530 Mode)

DRAM_CONF_FROM: Auto-Detection 

DRAM_TYPE: DDR3 

DRAM bus: 16 bit

Xtal Mode=5 OCP Ratio=1/3

Flash component: SPI Flash

Date:Oct 20 2016  Time:14:48:59

============================================ 

icache: sets:256, ways:4, linesz:32 ,total:32768

dcache: sets:256, ways:4, linesz:32 ,total:32768 


 ##### The CPU freq = 880 MHZ #### 

 estimate memory size =128 Mbytes

#Reset_MT7530


Please choose the operation: 

   1: Load system code to SDRAM via TFTP. 

   2: Load system code then write to Flash via TFTP. 

   3: Boot system code via Flash (default).

   4: Entr boot command line interface.

   7: Load Boot Loader code then write to Flash via Serial. 

   9: Load Boot Loader code then write to Flash via TFTP. 

 4  3  2  1  0 



3: System Boot system code via Flash[1st image].

## Booting image at bc050000 ...

Skip checking image magic number

   Image Name:   

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    9748152 Bytes =  9.3 MB

   Load Address: 80001000

   Entry Point:  8000d210

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 8000d210) ...

## Giving linux memsize in MB, 128


Starting kernel ...




LINUX started...

 THIS IS ASIC
Linux version 2.6.36 (root@pesi-xian) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 SMP PREEMPT Thu Dec 15 16:55:50 CST 2016

 The CPU feqenuce set to 880 MHz
GCMP present
CPU revision is: 0001992f (MIPS 1004Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Detected 3 available secondary CPU(s)
PERCPU: Embedded 7 pages/cpu @81103000 s7424 r8192 d13056 u65536
pcpu-alloc: s7424 r8192 d13056 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS1,57600 root=/dev/ram0 rootfstype=squashfs,jffs2 isolcpus=1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Writing ErrCtl register=00008001
Readback ErrCtl register=00008001
Memory: 115720k/131072k available (4558k kernel code, 15352k reserved, 1583k data, 7568k init, 0k highmem)
Hierarchical RCU implementation.
    Verbose stalled-CPUs detection is disabled.
NR_IRQS:128
Trying to install interrupt handler for IRQ24
Trying to install interrupt handler for IRQ25
Trying to install interrupt handler for IRQ22
Trying to install interrupt handler for IRQ9
Trying to install interrupt handler for IRQ10
Trying to install interrupt handler for IRQ11
Trying to install interrupt handler for IRQ12
Trying to install interrupt handler for IRQ13
Trying to install interrupt handler for IRQ14
Trying to install interrupt handler for IRQ16
Trying to install interrupt handler for IRQ17
Trying to install interrupt handler for IRQ18
Trying to install interrupt handler for IRQ19
Trying to install interrupt handler for IRQ20
Trying to install interrupt handler for IRQ21
Trying to install interrupt handler for IRQ23
Trying to install interrupt handler for IRQ26
Trying to install interrupt handler for IRQ27
Trying to install interrupt handler for IRQ28
Trying to install interrupt handler for IRQ15
Trying to install interrupt handler for IRQ8
Trying to install interrupt handler for IRQ29
Trying to install interrupt handler for IRQ30
Trying to install interrupt handler for IRQ31
console [ttyS1] enabled
Calibrating delay loop... 577.53 BogoMIPS (lpj=1155072)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
launch: starting cpu1
launch: cpu1 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
launch: starting cpu2
launch: cpu2 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
launch: starting cpu3
launch: cpu3 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Brought up 4 CPUs
Synchronize counters across 4 CPUs: done.
NET: Registered protocol family 16
release PCIe RST: RALINK_RSTCTRL = 7000000
PCIE PHY initialize
***** Xtal 40MHz *****
start MT7621 PCIe register access
RALINK_RSTCTRL = 7000000
RALINK_CLKCFG1 = 77ffeff8

*************** MT7621 PCIe RC mode *************
PCIE0 no card, disable it(RST&CLK)
PCIE1 no card, disable it(RST&CLK)
PCIE2 no card, disable it(RST&CLK)
pcie_link status = 0x0
RALINK_RSTCTRL= 0
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource Ralink Systick timer
usbcore: registered new interface driver huawei_ether
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
cu: Got hangup signal
Connected.
Connected.

Disconnected.

Do I stop the boot at a particular point by applying a voltage or ground to the pins of the flash memory? Desoldering the flash memory from the board is also an option, but it is too extreme to try right from the start.

Any and all help is appreciated.

Answer:

I hope you have already been able to solve your problem. In case you are still struggling, I want to share my ideas with you.

I just want to point out that I'm not 100% sure.

As Gogeta70 already said, you can connect directly to the I/O pins of your flash chip. The Bus Pirate is a good option for that, since it isn't that expensive, and it looks like you're in luck. You already found out that your flash is the MX25L25635EF from Macronix. You can check on the flashrom website that this device is on the list of supported devices. https://flashrom.org/Supported_hardware

However, if you decide to go that way, you should keep in mind that you may run into some problems if you don't desolder it. I just wanted to point this out so you don't get frustrated if you hook it up while it is still soldered to the board and don't get the result you want. The flashrom website has a troubleshooting section for that case. If nothing else works, you can try desoldering the flash from the board. https://flashrom.org/ISP

There is another thing you can try. I did this with a NAND flash I worked with a month ago to get access to BusyBox. You will still need access to your flash for this because you have to reach the chip-select pin. I would only recommend doing this if you can afford to destroy the device.

I think the interesting part is where it asks you to choose an option. Right after that, the bootloader starts booting the system from flash.

    Please choose the operation: 

   1: Load system code to SDRAM via TFTP. 

   2: Load system code then write to Flash via TFTP. 

   3: Boot system code via Flash (default).

   4: Entr boot command line interface.

   7: Load Boot Loader code then write to Flash via Serial. 

   9: Load Boot Loader code then write to Flash via TFTP. 

 4  3  2  1  0 



3: System Boot system code via Flash[1st image].

## Booting image at bc050000 ...

I would try pulling CS to GND just before the counter reaches zero. In my case I had a counter like yours, and at the end the bootloader started booting from flash. When I pulled CS to ground, it could no longer access the flash and I dropped straight into the BusyBox console, where I could explore the file system.
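
Added example, not part of the original question or answer: the answer warns that an in-circuit flashrom read may not give a usable result, so a quick sanity check of a dump is to locate the image that U-Boot reports at bc050000 and verify its header and data CRCs, the same check behind "Verifying Checksum ... OK" in the log. The code assumes the SPI flash is mapped at CPU address 0xBC000000 (so the image sits at dump offset 0x50000) and that the image uses the legacy 64-byte uImage header; the sample dump is constructed, not real firmware. Because the log prints "Skip checking image magic number", the magic is reported separately from the CRC results.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # standard U-Boot legacy image magic
HEADER = struct.Struct(">7I4B32s")   # 64-byte big-endian legacy header
FLASH_BASE = 0xBC000000              # assumption: CPU address the SPI flash is mapped at
ARCH = {5: "MIPS"}
TYPE = {2: "Kernel"}
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def check_uimage(dump: bytes, cpu_addr: int = 0xBC050000) -> dict:
    """Parse and verify the legacy uImage that U-Boot boots from cpu_addr."""
    off = cpu_addr - FLASH_BASE
    if off < 0 or off + HEADER.size > len(dump):
        raise ValueError("image header lies outside the dump")
    raw = dump[off:off + HEADER.size]
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, arch, typ, comp, name) = HEADER.unpack(raw)
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    data = dump[off + HEADER.size:off + HEADER.size + size]
    return {
        "offset": off,
        "magic_ok": magic == UIMAGE_MAGIC,
        "header_crc_ok": crc32(zeroed) == hcrc,
        "truncated": len(data) < size,
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
        "size": size, "load": load, "entry": entry,
        "arch": ARCH.get(arch, f"unknown({arch})"),
        "type": TYPE.get(typ, f"unknown({typ})"),
        "comp": COMP.get(comp, f"unknown({comp})"),
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def make_sample_dump(payload: bytes = b"constructed payload, not firmware " * 64) -> bytes:
    """Build a constructed flash dump: 0xFF filler, header at 0x50000, payload."""
    # Load address and entry point are the values printed in the boot log.
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80001000, 0x8000D210,
              crc32(payload), 5, 5, 2, 3, b""]
    fields[1] = crc32(HEADER.pack(*fields))      # hcrc, computed with the field zeroed
    return b"\xff" * 0x50000 + HEADER.pack(*fields) + payload + b"\xff" * 256


if __name__ == "__main__":
    good = make_sample_dump()
    bad = bytearray(good)
    bad[0x50000 + HEADER.size + 10] ^= 0x01      # one bit flipped, as in a noisy in-circuit read
    for label, dump in (("clean read", good), ("noisy read", bytes(bad))):
        r = check_uimage(dump)
        print(label, {k: r[k] for k in ("header_crc_ok", "data_crc_ok", "comp", "arch")})
```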
