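yale2000 posted on 2013-3-6 23:39:09

HGG420N V3 optical modem: TTL crack half successful, seeking expert help

This post was last edited by yale2000 on 2013-3-7 09:02

Disassembling the HGG420N V3
1. Take off the 4 rubber pads on the bottom and remove the screws hidden under them.
Take a look at the PCBA:


2. In the upper-left corner of the PCBA we see 5 pins in a row, with no markings at all. After testing with a meter and some study, I confirmed that the pins from left to right are VCC, RXD, GND, TXD, VCC (see picture).



Preparation before the TTL-cable crack
1. Install the TTL-to-Serial driver.

2. Use Dupont wires or other wire to connect to the corresponding pins on the optical modem. Plug the slender socket of the TTL cable's GND onto the GND pin, plug the TTL cable's RXD onto the RXD pin, and do the same for TXD. Whatever you do, do not connect the VCC pins (don't blame me for not warning you if you burn out the programmer).
3. Plug the USB-TTL programmer into the PC. Now open Device Manager and expand Ports; we can see that COM x is now the TTL communication port. (The COM port differs from PC to PC; mine is COM3. You need to check in Device Manager yourself.)

4. Connect one end of a network cable to a LAN port on the modem (any one will do) and the other end to the PC. Set the PC to: 192.168.1.100, 255.255.255.0, 192.168.1.1

5. Download and install SecureCRT v6.5.8.380 (Chinese-localized version).


6. That completes the preparation; now we start the cracking process.

Cracking steps
1. Double-check the preparation.
2. On the PC we start SecureCRT, choose the "File" menu, then choose Quick Connect, and configure it as in the picture below.


Click Connect and we see the following screen:

3. Then power on the HGG420N V3. English text will scroll in the SecureCRT window; once the scrolling stops, press any key on the keyboard and you enter the ONT> command-line interface (see below the divider line).
4. The frustrating part: typing all kinds of Linux commands gets no response at all......

So at this point the TTL crack is half successful; seeking expert help...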

-------------------------------------------------------------------------------------------------------------------------------------------------
BootROM 1.34
Booting from NAND flash
BootROM: Image checksum verification PASSED


            Gpon System Boot


Copyright 2011 CIG Gpon ONT System.

CPU         : GPON Soc
BOOT version: V8.1.13
PEX 1: Root Complex Interface, Detected Link X1
DRAM          : 128 MB
NAND:1bit HM ECC, Size: 64 MiB
EEPROM version: 0x0003
USB 0: Host Mode
Modules Detected:
       GPON module detected.
       Ethernet Switch on MAC0.
       3xFE PHY Module.
       GE-PHY on Switch port #0.
Net:   egiga0 , egiga1
**************************************
*                                    *
*KEY -- Enter console terminal   *
*                                    *
**************************************
waiting for your select ...

Loading 'uImage' fromCRAMFS Partition 'imageb' to 0x2000000.

Root Filesystem crc check successfully!

### CRAMFS load complete: 2036300 bytes loaded to 0x2000000

      Software version:1.22UYG.1F0

## Booting kernel from Legacy Image at 02000000 ...
   Image Name:   Linux-2.6.32.11
   Created:      2012-05-10   5:21:52 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2036236 Bytes =1.9 MB
   Load Address: 00008000
   Entry Point:00008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux..................................................................................................................................... done, booting the kernel.
Linux version 2.6.32.11 (root@localhost.localdomain) (gcc version 4.2.4) #1 Wed May 9 22:21:44 PDT 2012
CPU: Feroceon 88FR131 revision 1 (ARMv5TE), cr=00053977
CPU: VIVT data cache, VIVT instruction cache
Machine: Feroceon-KW2
Using UBoot passing parameters structure
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.Total pages: 32512
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock3 mtdparts=nand_mtd:0x100000@0x0(Boot1),0x200000@0x200000(Config1),18M@0x600000(ImageA),18M@0x2100000(ImageB),4M@0x3c00000(MidWare),0x100000@0x100000(Boot2),0x200000@0x400000(Config2),9M@0x1800000(Imagec1),9M@0x3300000(Imagec2) rootfstype=cramfs mv_net_config=0 mv_phone_config=dev0:fxs,dev1:fxs mem=128M flash=nand 5srst=0 pwrLed=255 ethOpt=560
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 125340KB available (3796K code, 524K data, 104K init, 0K highmem)
Hierarchical RCU implementation.
NR_IRQS:192
Console: colour dummy device 80x30
Calibrating delay loop... 1191.93 BogoMIPS (lpj=595968)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Feroceon L2: Cache support initialised.

CPU Interface
-------------
SDRAM_CS0 ....base 00000000, size 128MB
SDRAM_CS1 ....no such
SDRAM_CS2 ....no such
SDRAM_CS3 ....no such
DEVICE_CS0 ....no such
DEVICE_CS1 ....no such
DEVICE_CS2 ....no such
DEVICE_CS3 ....no such
PEX0_MEM ....base f3000000, size16MB
PEX0_IO ....base f2000000, size   1MB
PEX1_MEM ....base f4000000, size16MB
PEX1_IO ....base f2100000, size   1MB
INTER_REGS ....base f1000000, size   1MB
NAND_NOR_CS ....base f8000000, size   2MB
SPI_CS0 ....base f0000000, size16MB
SPI_CS1 ....no such
SPI_CS2 ....no such
SPI_CS3 ....no such
SPI_CS4 ....no such
SPI_CS5 ....no such
SPI_CS6 ....no such
SPI_CS7 ....no such
SPI_B_CS0 ....no such
BOOT_ROM_CS ....no such
DEV_BOOTCS ....no such
CRYPT1_ENG ....base f2200000, size   2MB
CRYPT2_ENG ....no such
PNC_BM ....base f5000000, size   1MB
ETH_CTRL ....base f5100000, size   1MB
PON_CTRL ....base f5200000, size   1MB
NFC_CTRL ....no such

Marvell Development Board (LSP Version KW2_LSP_2.0.5_p14_NQ)-- RD-88F6560-GWSoc: MV88F6560 Rev 2 LE

Detected Tclk 200000000 and SysClk 0
Marvell USB EHCI Host controller #0: c783e800
PEX0 interface detected no Link.
PEX1 interface detected Link X1
PCI: bus0: Fast back to back transfers enabled
pci 0000:01:01.0: PME# supported from D0 D1 D2 D3hot D3cold
pci 0000:01:01.0: PME# disabled
PCI: bus1: Fast back to back transfers disabled
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource kw_clocksource
Switched to NOHz mode on CPU #0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
RTC has been updated!!!
rtc mv_rtc: rtc core: registered kw-rtc as rtc0
RTC registered
cpufreq: Init kirkwood cpufreq driver
NFP (fib) init 16384 entries, 65536 bytes
NFP (pnc) init 471 entries, 13188 bytes
cesadev_init(c000cad0)
mvCesaInit: channels=1, session=640, queue=64
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.13)
msgmni has been set to 245
alg: No test for cipher_null (cipher_null-generic)
alg: No test for ecb(cipher_null) (ecb-cipher_null)
alg: No test for digest_null (digest_null-generic)
alg: No test for compress_null (compress_null-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler anticipatory registered (default)
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xf1012000 (irq = 33) is a 16550A
console enabled
loop: module loaded
NAND device: Manufacturer ID: 0x98, Chip ID: 0x76 (Toshiba NAND 64MiB 3,3V 8-bit)
Scanning device for bad blocks
9 cmdlinepart partitions found on MTD device nand_mtd
Using command line partition definition
Creating 9 MTD partitions on "nand_mtd":
0x000000000000-0x000000100000 : "Boot1"
0x000000200000-0x000000400000 : "Config1"
0x000000600000-0x000001800000 : "ImageA"
0x000002100000-0x000003300000 : "ImageB"
0x000003c00000-0x000004000000 : "MidWare"
0x000000100000-0x000000200000 : "Boot2"
0x000000400000-0x000000600000 : "Config2"
0x000001800000-0x000002100000 : "Imagec1"
0x000003300000-0x000003c00000 : "Imagec2"
0 - Base 0x00000000 , Size = 0x08000000.
8 - Base 0xf3000000 , Size = 0x01000000.
9 - Base 0xf2000000 , Size = 0x00100000.
10 - Base 0xf4000000 , Size = 0x01000000.
11 - Base 0xf2100000 , Size = 0x00100000.
12 - Base 0xf1000000 , Size = 0x00100000.
13 - Base 0xf8000000 , Size = 0x00200000.
14 - Base 0xf0000000 , Size = 0x01000000.
25 - Base 0xf2200000 , Size = 0x00200000.
27 - Base 0xf5000000 , Size = 0x00100000.
28 - Base 0xf5100000 , Size = 0x00100000.
29 - Base 0xf5200000 , Size = 0x00100000.
mvPncVirtBase = 0xc8c00000
o 3 Giga ports supported
o Giga PON port is #2: - 8 TCONTs supported
o SKB recycle supported (Enabled)
o NETA acceleration mode 4
o BM supported: short buffer size is 256 bytes
o PnC supported
o HWF supported
o PMT supported
o RX Queue support: 8 Queues * 128 Descriptors
o TX Queue support: 8 Queues * 256 Descriptors
o GSO supported
o GRO supported
o Receive checksum offload supported
o Transmit checksum offload supported
o Network Fast Processing (Routing) supported
o Driver ERROR statistics enabled
o Driver INFO statistics enabled
o Driver DEBUG statistics enabled
o Proc tool API enabled
o Switch support enabled
   o IGMP special processing support

o Loading Switch QuarterDeck driver
    o Internal GE PHY Connected to Switch Port 0 Detected
    o Setting Switch CPU port (port #4) for 1000 Full with FC
    o Setting Switch CPU port (port #5) for 1000 Full with FC
    o Disable disconnected switch port (port #6) and force link down
o Loading 3 network interface(s)

o Port 0 is connected to Linux netdevice
      o Using UBoot netconfig string
      net_config_str: 0
o Working in External Switch mode
      giga p=0: mtu=2000, mac=c7819f6a
eth0: Dropping NETIF_F_SG since no checksum feature.
    o eth0, ifindex = 2, GbE port = 0

o Port 1 is connected to Linux netdevice
      o Using UBoot netconfig string
      net_config_str: 0
o Working in External Switch mode
      giga p=1: mtu=2000, mac=c7819f6a
eth1: Dropping NETIF_F_SG since no checksum feature.
    o eth1, ifindex = 3, GbE port = 1

o Port 2 is connected to Linux netdevice
      pon p=2: mtu=2000, mac=c7819f6a
eth2: Dropping NETIF_F_SG since no checksum feature.
    o eth2, ifindex = 4, GbE port = 2

PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
Linux telephony interface: v1.00
Loading Marvell vpapi device
Loading Marvell tdm device
cpuidle: using governor ladder
cpuidle: using governor menu
nf_conntrack version 0.5.0 (1960 buckets, 7840 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
Marvell Kirkwood2 Power Management Initializing
rtc mv_rtc: setting system clock to 2000-01-01 00:00:00 UTC (946684800)
VFS: Mounted root (cramfs filesystem) readonly on device 31:3.
Freeing init memory: 104K
Populating /dev using udev: done
Initializing random number generator... read-only file system detected...done
Starting system message bus: done
Starting network...
ip: RTNETLINK answers: File exists
:Extract Board Configuration
:Load kernel modules
mv_eth_ports_num = 3
mv_eth_rx_special_proc_func register
mv_eth_rx_special_proc_func register
mv_eth_rx_special_proc_func register
mv_eth_tx_special_check_func register
mv_eth_tx_special_check_func register
mv_eth_tx_special_check_func register
= SW Module SYS FS Init ended successfully =
= TPM Module Init ended successfully =
: Start XPON
pon interface is eth2
: Start Data Configuration
: Start Network
pool #0: pkt_size=2048, buf_size=2144 - 2048 of 2048 buffers added
pool #3: pkt_size=256, buf_size=352 - 2048 of 2048 buffers added
eth0: link up
eth0: started
pool #1: pkt_size=2048, buf_size=2144 - 2048 of 2048 buffers added
pool #3: pkt_size=256, buf_size=352 - 2048 of 2048 buffers added
eth1: link up
eth1: started
pool #2: pkt_size=2048, buf_size=2144 - 2048 of 2048 buffers added
pool #3: pkt_size=256, buf_size=352 - 2048 of 2048 buffers added
pon0: link up
pon0: started
Empty flash at 0x001ff170 ends at 0x001ff200

# num is 10,nothing need to do
Empty flash at 0x00116214 ends at 0x00116400
Empty flash at 0x00116d88 ends at 0x00116e00
Empty flash at 0x001f0854 ends at 0x001f0a00
Empty flash at 0x001f1268 ends at 0x001f1400
Empty flash at 0x001f1c6c ends at 0x001f1e00
Empty flash at 0x001f266c ends at 0x001f2800
Empty flash at 0x001f306c ends at 0x001f3200



ONT>Starting Application: 0x00002000, /bin/TimerMgr................Done.
Starting Application: 0x00001000, /bin/LogMgr................Done.

Update timer: curTime=6acfb6c7, gTmrTimerMsCounter=00000000
Starting Application: 0x00007000, /bin/MiscMgr................Done.
Check base image file CRC ... cal_crc (91a57653) ori_crc (91a57653) Success.
Mount Backup as cramfs...Success.
major ID minor ID
VOS_XML_Init():
Load XML OK from file /mnt/rwdir/runtime_rg.xmlVOS_XML_Init():
Load XML OK from file /tmp/default_rg.xmlVOS_XML_Init():
Load XML OK from file /tmp/runtime_rg.xmlVOS_XML_Init():
Load XML OK from file /tmp/runtime_rg.xmlVOS_XML_Init():
Load XML OK from file Starting Application: 0x00003000, /bin/MecMgr................Done.
Starting Application: 0x00004000, /bin/PonMgr................Done.
Starting Application: 0x00009000, /bin/NetMgr................Done.
Starting Application: 0x00006000, /bin/VmrMgr................Done.
Starting Application: 0x00005000, /bin/EthMgr................Done.
CfgDIR = /etc/tr069cfg
cd /tmp/cpe3
dir = data
dir = filetrans
dir = options
dir = parameter
cdir = /tmp/cpe3
ifconfig: SIOCSIFADDR: No such device
add call back OK
add call back OK
Starting Application: 0x0000d000, /bin/tr069Mgr................Done.
ln: /tmp/web/web: Read-only file system
Starting Application: 0x0000c000, /bin/WebMgr................Done.

Sync 0xc0002, msg no reply, dest NET, VOS_SendSyncMsg:1845
init SIP.
/tmp/default_rg.xmlVOS_XML_Init():
Load XML OK from file
5376a591 5376a591 5376a591

Sync 0xc0002, msg no reply, dest UNKNOWN, VOS_SendSyncMsg:1845

Sync 0xc0004, msg no reply, dest EMR, VOS_SendSyncMsg:1845
/mnt/rwdir/voicecfg.xml
INFO: ALL APPs are ready.
APPL 3000, Warning: do not reply sync message 0x60006d
--ok to listen to port 5060!!!!get local sip port from mec is 5060
!!!!get local sip port from mec is 5060

ONT>

---------------------------------------------------------------------------------------------------------------------------------------------------
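
Added example, not part of the original post: the kernel command line in the boot log above already describes the flash layout, and this Python sketch parses its `mtdparts=` argument, resolves `root=/dev/mtdblockN` to a partition name, and checks the layout for gaps or overlaps against the 64 MiB NAND the log reports. The function names are made up for this example, and only the `size@offset(name)` form that appears in this log is handled.

```python
import re
# Kernel command line as printed in the boot log above (later arguments omitted).
CMDLINE = (
    "console=ttyS0,115200 root=/dev/mtdblock3 mtdparts=nand_mtd:"
    "0x100000@0x0(Boot1),0x200000@0x200000(Config1),18M@0x600000(ImageA),"
    "18M@0x2100000(ImageB),4M@0x3c00000(MidWare),0x100000@0x100000(Boot2),"
    "0x200000@0x400000(Config2),9M@0x1800000(Imagec1),9M@0x3300000(Imagec2)"
)
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}

def to_bytes(text):
    """Convert '18M', '0x100000' or '4096' to a byte count."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"unsupported size/offset: {text!r}")
    return int(m.group(1), 0) * UNITS[m.group(2).lower()]

def parse_mtdparts(cmdline):
    """Return [(name, start, end)]; list position equals the mtd index."""
    m = re.search(r"\bmtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument")
    parts, cursor = [], 0
    for spec in m.group(1).split(","):
        pm = re.fullmatch(r"([^@(]+)(?:@([^(]+))?\(([^)]*)\)", spec)
        if not pm:
            raise ValueError(f"unsupported partition spec: {spec!r}")
        start = to_bytes(pm.group(2)) if pm.group(2) else cursor
        cursor = start + to_bytes(pm.group(1))
        parts.append((pm.group(3), start, cursor))
    return parts

def root_partition(cmdline, parts):
    """Name of the partition that root=/dev/mtdblockN refers to, or None."""
    m = re.search(r"\broot=/dev/mtdblock(\d+)\b", cmdline)
    return parts[int(m.group(1))][0] if m else None

def layout_issues(parts, flash_size):
    """Report overlaps, gaps and size mismatch with partitions sorted by offset."""
    issues, cursor = [], 0
    for name, start, end in sorted(parts, key=lambda p: p[1]):
        if start < cursor:
            issues.append(f"{name} overlaps previous partition at {start:#x}")
        elif start > cursor:
            issues.append(f"gap {cursor:#x}-{start:#x} before {name}")
        cursor = max(cursor, end)
    if cursor != flash_size:
        issues.append(f"layout ends at {cursor:#x}, flash is {flash_size:#x}")
    return issues
```

Run over the log's command line, `root_partition` returns `ImageB`, which agrees with the bootloader line about loading from partition 'imageb' and with the root mount on device 31:3.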

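知名不具 posted on 2013-3-7 07:59:09

Asking for help and still charging for it...

yale2000 posted on 2013-3-7 09:04:10

Heh, post #2 is right. I've removed the cat-food (forum credit) charge.

maicalyin posted on 2013-3-7 09:19:08

I don't have this modem on hand, so it's hard to say; bumping the thread for you. I use a TTL-to-USB adapter: after the English text finishes scrolling, I press Enter, type root root directly, and I'm in the Linux shell!!

chenhbxp posted on 2013-3-7 15:43:31

Studying hard here.

yale2000 posted on 2013-3-9 12:59:19

maicalyin posted on 2013-3-7 09:19
I don't have this modem on hand, so it's hard to say; bumping the thread for you. I use a TTL-to-USB adapter: after the English text finishes scrolling, I press Enter, type root root directly, and I'm in the Linux shell ...

That doesn't work!!!

linuxin posted on 2013-6-1 09:01:05

一个人生活 posted on 2013-6-18 12:38:52

Come on, this counts as "half cracked"? Anyone with a bit of hands-on ability knows how to hook up a TTL cable, okay~~ I'm really speechless!!!

hdbyx posted on 2013-9-9 00:20:51

华勤天地 HGG420N V3 optical modem router configuration file

nnsat posted on 2013-9-17 21:00:36

A customized Linux like this should have its own dedicated command set; look it up.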