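ysg2k6 posted on 2010-11-12 18:03:55

ZTE H108L

This post was last edited by ysg2k6 on 2010-11-12 18:05

There is too little information to be found on Google, so I am leaving something here for later experts to refer to. Realtek ("crab") chips are being used more and more, and I hope some expert will do development on them.
1) The H108L uses the following chips
CPU RTL8672 400MHz
DSL RTL8271B
Switch RTL8306G
Wifi RTL8191RU
RAM NT5SV16M16BS-K6, should be 32M
Flash WX25L12845??? 16M

I compared them: the hardware is almost identical to the Huawei HG526, but each uses its own operating system, and the format of the copied-out configuration files is completely different. Huawei's bundled software is richer. ZTE's telnetd is disabled by default, running telnetd manually gives an error, and vsftp can be started but I cannot log in. Everything under /etc is ROM files and cannot be modified or overwritten.

Also, if anyone has a Huawei HG526, please copy out /bin/* and send it to me, so I can see whether I can run services such as sshd directly; I can't keep hooking up a TTL cable forever.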

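hotqj posted on 2010-11-12 20:48:34

I have not yet seen what the inside of this device looks like. Could you take some pictures?
Also, I am just somewhat interested in the RTL8672, but I don't have either of the two devices yet.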

ysg2k6 posted on 2010-11-12 23:21:53

My photography skills are very poor; a Canon D450 produced phone-camera quality.

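quakegirl posted on 2010-11-13 19:33:13

This post was last edited by quakegirl on 2010-11-13 19:33

After cracking it the wireless signal is not very stable; before cracking it was fine. Teardown pictures were posted on 数码之家 a few days ago; search Baidu for them.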

ysg2k6 posted on 2010-11-13 20:01:38

Boot messages

Booting...
Press '1' to enter BOOT console...
Press '2' to enter DEBUG mode......
Using Int. PHY
Hardware or Otherway Reset!

To read reset key,if on,to update
Found image at 0xbd4e0000
Found image at 0xbd630000
Flash owned validImgNum: 2
****Try the first image...
para->BootParaCksum=   9a4
ok!
Linux version 2.6.20.16zte (xia@njzd) (gcc version 3.4.6-1.3.6) #2 Tue Aug 24 11:47:51 CST 2010
Check boot para cksum...
boot para cksum OK!
bootPara.runmode=3
SDRAM MTCR0: 0x54480000
CPU revision is: 0000ff00
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:4
Primary instruction cache 16kB, linesize 16 bytes.
Primary data cache 8kB, linesize 16 bytes.
Synthesized TLB refill handler (17 instructions).
Synthesized TLB load handler fastpath (31 instructions).
Synthesized TLB store handler fastpath (31 instructions).
Synthesized TLB modify handler fastpath (25 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 26988k/32768k available (3828k kernel code, 5780k reserved, 808k data, 132k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...disabled.
pdt_cspkernel_init
NET: Registered protocol family 16
11930:22:53 [(1511)LogCtlInit] LogCtlInit begin
11930:22:53 [(1250)AddLogtab] AddLogtab: pLogTab=80484000,wLogTabNum=64,dwLogTabIDBase = 0X00000000
11930:22:53 [(1317)AddLogOutModule] AddLogOutModule:OutputMode=0X00000200,ptLogProcSet=81063c48
11930:22:53 [(1078)LogStdioProcInit] LogStdioProcInit
11930:22:53 [(1317)AddLogOutModule] AddLogOutModule:OutputMode=0X00000100,ptLogProcSet=81063c48
11930:22:53 [(2922)LogFileProcInit] LogFileProcInit
11930:22:53 [(2934)LogFileProcInit] g_dwUptime is 946684800
11930:22:53 [(1250)AddLogtab] AddLogtab: pLogTab=804855e0,wLogTabNum=2,dwLogTabIDBase = 0X00080000
11930:22:53 [(1366)SetLogOutputMode] SetLogOutputMode:bType=1,OutputMode=0X00000700
11930:22:53 [(1444)SetLogConf] SetLogConf OutputMode=0X00000100,pBuf=81063bd0,iLen=88
11930:22:53 [(2741)ProcLogConf] Set LOG_FILE_CONF_SET_PDTCONF
11930:22:53 [(2829)ProcLogConf] Set LogFileFormatTimestamp
11930:22:53 [(1559)LogCtlInit] LogCtlInit end
11930:22:53 System start!
11930:22:53 [(473)InitLogSaveBuff] InitLogSaveBuff
11930:22:53 cspmonitor init... !
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
11930:22:53 CspMirror start init ...
11930:22:53 Qos module init
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
ip_rt_init() start call CSP_alloc_large_system_hash
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
ip_rt_init() call CSP_alloc_large_system_hash end
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
squashfs: version 3.2 (2007/01/02) Phillip Lougher
JFFS2 version 2.2. (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
netlog start
serial8250: ttyS0 at MMIO 0x0 (irq = 12) is a 16550A
flash device: 0x1000000 at 0xbd000000
get SPI chip driver!
Physically mapped flash: Found an alies 0x1000000 for the chip at 0x0, mxic device detect.
Creating 8 MTD partitions on "Physically mapped flash":
0x00000000-0x01000000 : "whole_flash"
0x00000000-0x00020000 : "bootloader"
0x00020000-0x00060000 : "userconfig"
0x004e0000-0x00630000 : "kernel"
0x00060000-0x004e0000 : "filesystem"
0x00630000-0x00780000 : "kernel2"
0x00780000-0x00c00000 : "filesystem2"
0x00c00000-0x01000000 : "ct-jffs2"
block2mtd: version $Revision: 1.30 $
RTL8192SU(for RTL867x platform) driver version 0.4.8 (2009-11-30 - 2009-12-21)
usbcore: registered new interface driver RTL8192SU(for RTL867x platform)
Enable 8671G 1 function
Enable 8671 0 function
Enable 8672 function
ratm: Realtek SAR v1.02 (Feb 17, 2009)
u32 classifier
    OLD policer on
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
netfilter PSD loaded - (c) astaro AG
NET: Registered protocol family 1
NET: Registered protocol family 10
6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
af_packet.c packet_init call register_netdevice_notifier
Bridge firewalling registered
br_init call register_netdevice_notifier
Ebtables v2.0 registered
NET: Registered protocol family 24
PPP Deflate Compression module registered
11930:22:55 Ledkey_mod Driver Version 0.0.1.
11930:22:55 watchdog enable!
watchdog started
11930:22:55 Tagaram module Driver Version 0.0.1.
11930:22:55 parse tag param success
11930:22:55 ver_info_init
________________CspGetVerInfo____________________
bootPara.bootWhichImg=1
bootPara.img_info_tbl.flashOffset=0x4e0000
g_MaxNumOfFirmWare =2
sHardVersion=V1.0.02
11930:22:55 ver_info_init
11930:22:55 ver_info_init
11930:22:55 wFirmwareForm is:0x1
11930:22:55 Initializing CSP IFinfo...
11930:22:55 No IFinfo in flash!
11930:22:55 SW&ETH HAL driver initing!
11930:22:55 Create SW & ETH objects
11930:22:55 nEmac = 1, nSw = 1, nEth=4.
11930:22:55 SW obj0: TypeId = 1, CpuEmac = 0, PortToCpu=4
11930:22:55 ETH obj0: PhyType = 4, Is_assoc_sw = 1, Emac = 0, Phy = 0
11930:22:55 ETH obj1: PhyType = 4, Is_assoc_sw = 1, Emac = 0, Phy = 1
11930:22:55 ETH obj2: PhyType = 4, Is_assoc_sw = 1, Emac = 0, Phy = 2
11930:22:55 ETH obj3: PhyType = 4, Is_assoc_sw = 1, Emac = 0, Phy = 3
REALTEK NIC Ethernet driver v0.1 (Feb 13, 2009)
eth0: RTL-8139C+ at 0xb8018000, d0:15:4a:9e:3d:e3, IRQ 0
eth1: RTL-8139C+ at 0xb8018000, d0:15:4a:9e:3d:e3, IRQ 0
eth2: RTL-8139C+ at 0xb8018000, d0:15:4a:9e:3d:e3, IRQ 0
eth3: RTL-8139C+ at 0xb8018000, d0:15:4a:9e:3d:e3, IRQ 0
11930:22:55 Register reltk EMAC driver
11930:22:55 Register EMAC driver
11930:22:55 Initialise SW & ETH objects
11930:22:55 SW obj connected with ETH0 is not initialised yet!
11930:22:55 SW obj connected with ETH1 is not initialised yet!
11930:22:55 SW obj connected with ETH2 is not initialised yet!
11930:22:55 SW obj connected with ETH3 is not initialised yet!
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 132k freed
init started:BusyBox v1.01 (2010.08.24-03:36+0000) multi-call binary
Starting pid 17, console /dev/ttyS0: '/etc/rc'
Starting pid 26, console /dev/ttyS0: '/sbin/getty'
(none)
Login: 11930:22:59 open file: /proc/cfg/logconf
11930:22:59 close file: /proc/cfg/logconf
11930:22:59 open file: /proc/cfg/log
11930:22:59 close file: /proc/cfg/log
root
Password:
Jan1 00:00:10 login: root loginon `ttyS0'


BusyBox v1.01 (2010.08.24-03:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cd /etc
# ls -la
-rwxrwxrwx    1 500      501      166714 Aug 242010 ctadmin
-rwxrwxrwx    1 500      501         67008 Aug 242010 db_default_cfg.xml
-rwxrwxrwx    1 500      501         74209 Aug 242010 device.xml
drwxrwxrwx    1 500      501            19 Aug 242010 dhcp
-rwxrwxrwx    1 500      501            62 Aug 242010 fstab
-rwxrwxrwx    1 500      501         13418 Aug 242010 gateconnSCPD.xml
-rwxrwxrwx    1 500      501          2846 Aug 242010 gatedesc.skl
-rwxrwxrwx    1 500      501          4570 Aug 242010 gateicfgSCPD.xml
-rwxrwxrwx    1 500      501         734 Aug 242010 gateinfoSCPD.xml
-rwxrwxrwx    1 500      501         363 Aug 242010 group
-rwxrwxrwx    1 500      501         415 Aug 242010 inetd.conf
-rwxrwxrwx    1 500      501          2643 Aug 242010 init.debug
-rwxrwxrwx    1 500      501          1102 Aug 242010 init.norm
-rwxrwxrwx    1 500      501            53 Aug 242010 inittab
-rwxrwxrwx    1 500      501         180 Aug 242010 modules_install
-rwxrwxrwx    1 500      501         684 Aug 242010 passwd
-rwxrwxrwx    1 500      501         524 Aug 242010 rc
-rwxrwxrwx    1 500      501         427 Aug 242010 rsa_host_key
-rwxrwxrwx    1 500      501          8205 Aug 242010 services
-rwxrwxrwx    1 500      501         507 Aug 242010 shadow
drwxrwxrwx    1 500      501             0 Aug 242010 snmp
-rwxrwxrwx    1 500      501         13322 Aug 242010 tr64action.xml
-rw-r--r--    1 500      501            52 Aug 242010 ver_num_des
-rwxrwxrwx    1 500      501            37 Aug 242010 version
-rwxrwxrwx    1 500      501          2376 Aug 242010 wsc_config.txt
-rwxrwxrwx    1 500      501          1260 Aug 242010 wscd.conf
-rwxrwxrwx    1 500      501          1810 Aug 242010 zxv10.pem
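
An added example, not part of the original post: a short Python check of the flash layout printed in the boot log above. It confirms that the listed MTD partitions tile the 16M chip with no gap or overlap and that both "Found image at" addresses are the starts of the two kernel partitions (a dual-image layout). The function names are hypothetical; the log lines are copied from the post.

```python
# Added example (not from the thread): checks the flash layout printed in the boot log.
import re
# Lines copied verbatim from the boot log in the post above.
BOOT_LOG = """\
Found image at 0xbd4e0000
Found image at 0xbd630000
flash device: 0x1000000 at 0xbd000000
0x00000000-0x01000000 : "whole_flash"
0x00000000-0x00020000 : "bootloader"
0x00020000-0x00060000 : "userconfig"
0x004e0000-0x00630000 : "kernel"
0x00060000-0x004e0000 : "filesystem"
0x00630000-0x00780000 : "kernel2"
0x00780000-0x00c00000 : "filesystem2"
0x00c00000-0x01000000 : "ct-jffs2"
"""

PART_RE = re.compile(r'^0x([0-9a-f]{8})-0x([0-9a-f]{8}) : "([^"]+)"$', re.M)
FLASH_RE = re.compile(r'^flash device: 0x([0-9a-f]+) at 0x([0-9a-f]+)$', re.M)
IMAGE_RE = re.compile(r'^Found image at 0x([0-9a-f]+)$', re.M)

def parse_layout(log):
    """Return (flash_size, [(name, start, end)], image offsets relative to the chip)."""
    size, base = (int(x, 16) for x in FLASH_RE.search(log).groups())
    parts = [(name, int(s, 16), int(e, 16)) for s, e, name in PART_RE.findall(log)]
    images = [int(a, 16) - base for a in IMAGE_RE.findall(log)]
    return size, parts, images

def real_parts(size, parts):
    return sorted((p for p in parts if (p[1], p[2]) != (0, size)), key=lambda p: p[1])

def tiling_problems(size, parts):
    """List gaps and overlaps, ignoring a partition that spans the whole chip."""
    problems, cursor = [], 0
    for name, start, end in real_parts(size, parts):
        if start != cursor:
            problems.append(("gap" if start > cursor else "overlap", name, cursor, start))
        cursor = max(cursor, end)
    if cursor != size:
        problems.append(("gap", "<end>", cursor, size))
    return problems

def image_partitions(size, parts, images):
    """Map each 'Found image at' offset to the partition that starts there."""
    return {hex(o): next((n for n, s, _ in real_parts(size, parts) if s == o), None) for o in images}

if __name__ == "__main__":
    size, parts, images = parse_layout(BOOT_LOG)
    print(tiling_problems(size, parts), image_partitions(size, parts, images))
```

The same offsets and sizes are what one would use to split a full flash dump into per-partition files for offline analysis.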

sctdc1 posted on 2010-11-13 21:50:54

Realtek ("crab") stuff is actually all right, not as bad as everyone thinks.

hotqj posted on 2010-11-14 00:09:23

This post was last edited by hotqj on 2010-11-14 00:21

Booting...
Press '1' to enter BOOT console...
Press '2' to enter DEBUG mode......

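At this point, have you tried pressing 1 or 2 to go in and see what it looks like and what commands there are?

The boot console may be a bootloader state similar to the CFE on the 6358.
But I don't know what Debug Mode is.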

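ysg2k6 posted on 2010-11-14 00:53:44

This post was last edited by ysg2k6 on 2010-11-14 00:55

Thanks for your hard work, moderator. There is nothing in the boot console; I tried typing "?", "h" and "help" with no response. Debug is, I guess, like Windows safe mode; it seems that once in it you cannot get online.

I worked on it for a day with no progress. In this version all of the configuration is encrypted. When you change the configuration in the browser and save, the process reads the current configuration from memory, writes it out, encrypts and compresses it for storage, and then deletes the written-out file. There is no way at all to change the configuration.

There is a /usr/local/ct directory; I tested putting an rc1 there, but it is not executed at boot. From a quick look, after boot it should execute /etc/rc and then, depending on the level, execute init.norm or init.debug, without handing off to any user startup file in between. All files under /etc are read-only.

The security of this version is fairly high; it seems no opening was left. init.norm has a note that telnetd is disabled by default (#telnetd&). Strangely, ps shows a telnetd process, but I cannot log in no matter what, and flushing all of iptables did not help either. My skills are limited and I really can't get it working; I hope an expert can give some pointers.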

hotqj posted on 2010-11-14 12:33:06

Can you see information such as the bootloader version?

ysg2k6 posted on 2010-11-14 13:00:57

I can't see it. The prompt seems to be RTLXXXX>, which is probably just the CPU.