中兴F7610m拆机、ttl信息、改联通固件求助,顺便分享了分区备份和编程器备份
本帖最后由 dalingo 于 2024-4-7 15:26 编辑本人比较喜欢折腾电子产品,因为学的不是相关专业,技术有限,都是一边折腾一边摸索。
最近闲来无事看见咸鱼卖移动光猫F7610m比较便宜(30-50元之间),我猜想应该和联通光猫F7610u硬件(80元左右)是一样的,我这是联通宽带,就想着能不能买个F7610m,ttl刷联通固件改成F7610u。
花38元淘来一个,就开始折腾,结果发现碰见不少问题,想来请教各位大神帮忙。
1、拆机
底部四个螺丝,用十字螺丝刀取下,背面右边有个缺口,用一字螺丝刀一撬就打开了
内部图片,中间下面有一排四个孔就是TTL,从左到右分别是GND、TX、RX、VCC(3.3V)
下边有几个印刷字 73030F7610U_201900,从这个字推测这款光猫与联通F7610u是一样。
我焊接了4根插针,方便后面折腾的时候接线,没有焊接经验,第一次GND还虚焊了,折腾了好一会才发现。
背面这个芯片应该是闪存
芯片屏蔽罩没有拆开,嫌麻烦,借用一下别人的拆机图看下
2、TTL进uboot很顺利,默认中断时间是1秒,输入任意键就可中断进入uboot:
Boot SPI NAND
enter bootloader...
secure uboot
verify aes key OK!
verify puk OK!
verify uboot OK!
verify pub_n OK!
Jump
ddr init
ok
U-Boot 2016.01-rc3 (Nov 29 2022 - 23:23:55 +0800)
CPU: ZX279131@A53,900MHZ
Board: ZTE zx279131evb
DRAM:512 MiB
product_vid = 130
vid=130-F7610M
mtk reset,60
bootsel=3
NAND:bootsel=3
manuid=c9,52
HY SPI NAND HYF2GQ4UAACAE 256MiB 3,3V
256 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64
256 MiB
In: serial
Out: serial
Err: serial
usb3.0-reset
clk_pll env is not setted, core clk won't change
Net: mdio_miiphy_initialize
addr 0x10e1004c before value is ff
addr 0x10e1004c after value is ff80ff
after mdio_miiphy_initialize
ref_clk_set success!
eth0
### main_loop entered: bootdelay=1
版本信息:
=> version
U-Boot 2016.01-rc3 (Nov 29 2022 - 23:23:55 +0800)
aarch64-linux-gcc.br_real (Buildroot 2017.05-svn2186) 5.3.1 20160412
GNU ld (GNU Binutils) 2.27
主板信息:
=> bdinfo
arch_number = 0x0004425B
boot_params = 0x80000100
DRAM bank = 0x00000000
-> start = 0x80000000
-> size = 0x20000000
eth0name = eth0
ethaddr = 00:41:71:00:00:50
current eth = eth0
ip_addr = 192.168.1.1
baudrate = 115200 bps
TLB addr = 0x9FDF0000
relocaddr = 0x9FD87000
reloc off = 0x17D87000
irq_sp = 0x9F346E30
sp start = 0x9F346E30
变量信息:
baudrate=115200
bootcmd=setenv bootargs console=$(console) swiotlb=128 root=/dev/mtdblock12 ro rootfstype=jffs2mem=$(memsize);bootm 0x88000000;
bootdelay=1
bootfile=uboot.bin
bootromfile=bootrom.bin
console=ttyAMA0,115200n8
env_na==@@;
env_pa==@@;
ethact=eth0
ethaddr=00:41:71:00:00:50
filesize=43720f
fullfile=upgrade.bin
gatewayip=192.168.1.1
hostname=unknown
ipaddr=192.168.1.1
linuzfile=vmlinuz.bin
memsize=512M
netmask=255.255.255.0
netretry=5
serverip=192.168.1.100
stderr=serial
stdin=serial
stdout=serial
ver=U-Boot 2016.01-rc3 (Nov 29 2022 - 23:23:55 +0800)
versioninfo=U-Boot V2.3.0P1N9 20220823211658 0x680000 0x0 0x8f 0x83
Environment size: 688/131068 bytes
命令:
=> help
? - alias for 'help'
bdinfo- print Board Info structure
bootk - boot kernel
bootm - boot application image from memory
bootzpon- Boot zte pon img from flash device
cmp - memory compare
cp - memory copy
downver - upgrade software downloaded from TFTP server
env - environment handling commands
fdt - flattened device tree utility commands
fsinfo- print information about filesystems
fsload- load binary file from a filesystem image
go - start application at address 'addr'
gpiotest- gpiotest dir ;gpiotest value ;gpiotest gvalue
help - print command description/usage
ls - list files in a directory (default /)
md - memory display
mii - MII utility commands
mt - memory test
mw - memory write (fill)
nand - NAND sub-system
netdebug- set net debug count
phy_init- phy_init
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv- set environment variables
tftp - boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
version - print monitor, compiler and linker version
xmodem- xmodem
3、但是TTL进root就被屏蔽了,好像运行到启动内核时,TTL就中断显示输出了
Boot SPI NAND
enter bootloader...
secure uboot
verify aes key OK!
verify puk OK!
verify uboot OK!
verify pub_n OK!
Jump
ddr init
ok
U-Boot 2016.01-rc3 (Nov 29 2022 - 23:23:55 +0800)
CPU: ZX279131@A53,900MHZ
Board: ZTE zx279131evb
DRAM:512 MiB
product_vid = 130
vid=130-F7610M
mtk reset,60
bootsel=3
NAND:bootsel=3
manuid=c9,52
HY SPI NAND HYF2GQ4UAACAE 256MiB 3,3V
256 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64
256 MiB
In: serial
Out: serial
Err: serial
usb3.0-reset
clk_pll env is not setted, core clk won't change
Net: mdio_miiphy_initialize
addr 0x10e1004c before value is ff
addr 0x10e1004c after value is ff80ff
after mdio_miiphy_initialize
ref_clk_set success!
eth0
### main_loop entered: bootdelay=1
Hit any key to stop autoboot:0
zboot info init done!
skip bad block...addr=0x1000000
select=0x0
<nand_read_skip_bad_,1128>!mtdpart=0x6,offset=0x0,mtdpartoffset=0x100000,mtdPartsize=0x80000,length=0x1000
tmp=0x00000000, value=0
select=0x0
search=0x2
search->result.entry=680240,offset=240
<nand_read_skip_bad_,1128>!mtdpart=0x2,offset=0x0,mtdpartoffset=0x680000,mtdPartsize=0x2300000,length=0x1ee0000
<nand_read_skip_bad_,1148>!Skipping bad block 0x1000000
RSA Verify OK
verify vmlinuz success!!
---mtdparts_init--current_mtd_partnum=0-
dev id: type = 2, num = 0, size = 0xffffffff, mtd_id = single part
part: name = rootfs0, size = 0x1ec0000, offset = 0x6a0000
part: name = rootfs1, size = 0x1ec0000, offset = 0x29a0000
--- jffs2_part_info: partition number 0 for device nand0 (single part)
jffs2_part_info:rootfs0,6a0000
### JFFS2 loading '0uImage' to 0x88000000
Scanning JFFS2 FS: ..fsload_skip_bad_offset=ll1000000 ............... done.
### JFFS2 load complete: 4420111 bytes loaded to 0x88000000
<nand_read_skip_bad_,1128>!mtdpart=0x0,offset=0x0,mtdpartoffset=0x20000,mtdPartsize=0xa0000,length=0x80000
lseek=0x8c064800
cmdline=U-Boot V2.3.0P1N9 20220823211658
kernel start step1..images->state:70f
==BOOTM_STATE_START:1
==BOOTM_STATE_FINDOS:2
## Loading kernel from FIT Image at 88000000 ...
Using 'conf@131G' configuration
Trying 'kernel@A53' kernel subimage
Description:Unify(TODO) Linux kernel for project-131G
Type: Kernel Image
Compression:gzip compressed
Data Start: 0x880000f8
Data Size: 4410949 Bytes = 4.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x80080000
Entry Point:0x80080000
Verifying Hash Integrity ... OK
==BOOTM_STATE_FINDOTHER:4
## Loading fdt from FIT Image at 88000000 ...
Using 'conf@131G' configuration
Trying 'fdt@131G' fdt subimage
Description:Flattened Device Tree blob for project-131G
Type: Flat Device Tree
Compression:uncompressed
Data Start: 0x88435010
Data Size: 7859 Bytes = 7.7 KiB
Architecture: AArch64
Verifying Hash Integrity ... OK
Booting using the fdt blob at 0x88435010
==BOOTM_STATE_LOADOS:8
Uncompressing Kernel Image ... OK
kernel start step6..
Loading Device Tree to 0000000083ffb000, end 0000000083fffeb2 ... OK
Starting kernel ...
CPUID:0try wake up secondary cpu from rom.
CPUID:1wake up from rom.
init psci ok!!
到这就没有任何输出了,也无法输入,TTL进入root开启telnet的路给堵死了,有知道的大神给个指点。
3、开启telnet
那只能工具开启临时telnet,幸好在论坛找到了mayi5147大神的telnet工具可以开启,也顺利的固化了telnet。
/ # cat /proc/mtd
dev: size erasesizename
mtd0: 10000000 00020000 "whole flash"
mtd1: 000e0000 00020000 "u-boot"
mtd2: 00080000 00020000 "others"
mtd3: 00100000 00020000 "parameter tags"
mtd4: 00100000 00020000 "wlan"
mtd5: 00200000 00020000 "usercfg"
mtd6: 00100000 00020000 "middle"
mtd7: 02300000 00020000 "kernel1"
mtd8: 02300000 00020000 "kernel2"
mtd9: 03900000 00020000 "osgi1"
mtd10: 03900000 00020000 "osgi2"
mtd11: 04180000 00020000 "plugin_data"
mtd12: 022e0000 00020000 "rootfs"
mtd13: 00020000 00020000 "bootrom"
/ # cat /proc/csp/versionstates
baseaddress : 0x680000
current : 0
version1states : 0x8f
version2states : 0x83
____________________________________________________
Index Running LatestCRC Integrality Type
----------------------------------------------------
0 Y Y Y Y Upg
1 N Y N Y Upg
----------------------------------------------------
/proc # cat cpuinfo
processor : 0
BogoMIPS : 50.00
Features : fp asimd crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
processor : 1
BogoMIPS : 50.00
Features : fp asimd crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
4、使用dd备份分区:
dd if=/dev/mtd1 of=/mnt/usb1_1/mtd1.bin
dd if=/dev/mtd2 of=/mnt/usb1_1/mtd2.bin
dd if=/dev/mtd3 of=/mnt/usb1_1/mtd3.bin
dd if=/dev/mtd4 of=/mnt/usb1_1/mtd4.bin
dd if=/dev/mtd5 of=/mnt/usb1_1/mtd5.bin
dd if=/dev/mtd6 of=/mnt/usb1_1/mtd6.bin
dd if=/dev/mtd7 of=/mnt/usb1_1/mtd7.bin
dd if=/dev/mtd8 of=/mnt/usb1_1/mtd8.bin
dd if=/dev/mtd9 of=/mnt/usb1_1/mtd9.bin
dd if=/dev/mtd10 of=/mnt/usb1_1/mtd10.bin
dd if=/dev/mtd11 of=/mnt/usb1_1/mtd11.bin
dd if=/dev/mtd12 of=/mnt/usb1_1/mtd12.bin
以上备份都能正常执行,但是mtd0全区备份,mtd13备份出错,具体原因不知。
/proc # dd if=/dev/mtd0 of=/mnt/usb1_1/mtd0.bin
dd: /dev/mtd0: Invalid argument
/proc # dd if=/dev/mtd13 of=/mnt/usb1_1/mtd13.bin
dd: /dev/mtd13: Invalid argument
软件版本号V2.3.0P1T10
备份的分区:链接:https://pan.baidu.com/s/1JW22fVaciXBW6F_gj98_7A?pwd=vx9q 提取码:vx9q
5、TTL刷联通固件
我的想法是,mtd1"u-boot"分区不动,其他分区全部刷成联通的分区,不知道这个想法可行,但是也没有F7610U的分区,只能到此了。
500猫粮悬赏
求中兴F7610u光猫分区备份
https://www.chinadsl.net/forum.php?mod=viewthread&tid=176942
补充:
6、提取编程器固件
F7610m的闪存芯片是HYF2GQ4UAACAE,封装类型是wson8,芯片大小是8mm*6mm,于是我就买了一个wson8转dip8的探针,用编译器ch341a提取了固件,已经分享在百度云网盘中。探针要用手扶着,提取花了45分钟,手都快残废了,于是自己利用家里能找到的材料做了一个简易的夹子,终于解放了双手。
2024.4.7 uboot下刷写分区
网友分享了F7610u的kernel、framework分区备份文件,为了保险起见,我在u-boot下刷写了备用分区mtd8、mtd10分区。
tftp 0x88000000 kernel.bin
擦除mtd8:nand erase 0x02980000 0x02300000
从内存写入mtd8:nand write 0x88000000 0x02980000 0x02300000
tftp 0x88000000 framework.bin
擦除mtd10:nand erase 0x09180000 0x03900000
从内存写入mtd10:nand write 0x88000000 0x09180000 0x03900000
重启光猫后,使用upgradetest switchver 1切换成备用分区启动,但是启动失败,仅仅替换kernel、framework分区不可行!
也许必须用编程器刷写F7610U的编程器固件才行。
另外:
F7610m在TTL下屏蔽了kernel启动信息,看不到各分区的地址信息,我根据编程器提取的固件,推算了各个分区的地址,如下:
dev: size erasesizename
mtd0: 10000000 00020000 "whole flash"
mtd1: 000e0000 00020000 "u-boot" 0x00020000-0x00100000 ok
mtd2: 00080000 00020000 "others" 0x00100000-0x00180000 ok
mtd3: 00100000 00020000 "parameter tags" 0x00180000-0x00280000 ok
mtd4: 00100000 00020000 "wlan" 0x00280000-0x00380000 ok
mtd5: 00200000 00020000 "usercfg" 0x00380000-0x00580000 ok
mtd6: 00100000 00020000 "middle" 0x00580000-0x00680000 ok
mtd7: 02300000 00020000 "kernel1" 0x00680000-0x02980000 ok
mtd8: 02300000 00020000 "kernel2" 0x02980000-0x05280000 ok
mtd9: 03900000 00020000 "osgi1" 0x05280000-0x09180000 ok
mtd10: 03900000 00020000 "osgi2" 0x09180000-0x0ca80000 ok
mtd11: 04180000 00020000 "plugin_data" 0x0ca80000-0x10c00000 mtd0大小只有10000000,地址是我推算出来的,超出了10000000不知道为什么?
mtd12: 022e0000 00020000 "rootfs" 0x10c00000-0x12ee0000 mtd0大小只有10000000,地址是我推算出来的,超出了10000000不知道为什么?
mtd13: 00020000 00020000 "bootrom" 0x00000000-0x00020000 ok
从其他帖子看到类似情况,好像只需要替换这四个分区就行,
mtd7: 02300000 00020000 "kernel1"
mtd8: 02300000 00020000 "kernel2"
mtd9: 03900000 00020000 "osgi1"
mtd10: 03900000 00020000 "osgi2"
参考:记一次替换移动版F7607P闪存分区为联通和电信版的尝试 不改Uboot大概率不行, uboot 和 env 环境设置都是针对7610m 分区设置也是,替换分区大概率失败,比如直接找个7610u的编程器固件 ,编程器刷进去,同时备份 原固件当后悔药
这两个东西 就决定了他是u 还是m,环境和分区 也是移动和联通 两个体系
product_vid = 130
vid=130-F7610M 感谢分享 在这里找不到教程的,全靠自己折腾 zhjook 发表于 2024-4-3 00:44
不改Uboot大概率不行, uboot 和 env 环境设置都是针对7610m 分区设置也是,替换分区大概率失败,比如直 ...
这个闪存的封装是WSON-8-EP,是不是要找个wson8 8mm*6mm转dip8的板子,用ch341a编程器可以提取固件? dalingo 发表于 2024-4-3 10:03
这个闪存的封装是WSON-8-EP,是不是要找个wson8 8mm*6mm转dip8的板子,用ch341a编程器可以提取固件? ...
341a 自带的小板直接就能焊上 看到你在其他贴中求F7610U的固件,因为和F4610U一样的,所以放一份给你参考试一下,成功后回来说一声。
F4610U固件下载链接:https://pan.baidu.com/s/1dc4y_QEKsSxZOqpDx7xJfA?pwd=3zwr提取码:3zwr zyxnet 发表于 2024-4-5 03:08
看到你在其他贴中求F7610U的固件,因为和F4610U一样的,所以放一份给你参考试一下,成功后回来说一声。
F4 ...
我需要的是分区备份,固件我用不上,我也不会固件解包,不过还是要谢谢你的分享 zhjook 发表于 2024-4-3 00:44
不改Uboot大概率不行, uboot 和 env 环境设置都是针对7610m 分区设置也是,替换分区大概率失败,比如直 ...
仅仅替换kernel、framework分区行不通。
页:
[1]
2