帮助扭转停产的罗技链接。如何获取 Flash 内容

逆向工程 固件 linux 嵌入式
2021-07-09 11:17:20

请参阅下面的更新。

我收到了来自罗技的一封电子邮件,说他们的 Harmony Link 产品即将结束(参见https://community.logitech.com/s/question/0D55A0000745EkCSAU/harmony-link-eos-or-eol)。

所以我自己开始拆解它。剥开底部的粘性焊盘,露出 4 个焊点。其中两个发生在 UART 连接上。

这是启动时的信息:

++NAND: RCSR=54200900
Searching for BBT table in the flash ...
.
Found version 1 Bbt0 at block 1023 (0x7fe0000)
Total bad blocks: 0
.[Warning] FEC not connect right PHY: ID=fffffc
FEC: [ FULL_DUPLEX ] [ connected ] [ 100M bps ]:
Ethernet mxc_fec: MAC address sn:ip:ped:fr:om:vu
No IP info for device!
Unrecognized chip: 0xf8!!!
hardware reset by POR

Clock input is 24 MHz
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version FSL 200904 - built 21:32:37, Jul  5 2011

Platform: Logitech Baby (i.MX25 )  PASS 1.0 [x32 DDR]
System type 2070 revision 6
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 eCosCentric Limited

RAM: 0x00000000-0x03f00000, [0x00095250-0x03ef1000] available
FLASH: 0x00000000 - 0x8000000, 1024 blocks of 0x00020000 bytes each.
== Executing boot script in 3.000 seconds - enter ^C to abort
RedBoot> ubi attach -f 0x80000 -l 0x07EC0000 -w 0x800 -e 0x20000 -s 0x200
scanning 1014 PEBs
........................................................................................................................................d
RedBoot> ubi load -b 0x100000 kernel%{os_backup}
RedBoot> exec -c %{os_cmdline}entry=0x80008000, target=0x80008000
Using base address 0x00100000 and length 0x0013a6d4
Uncompressing Linux..................................................................................... done, booting the kernel.

所以它正在运行一个名为 RedBoot 的引导程序。这似乎显示了单个图像文件:

RedBoot> ubi info
Volumes count:                           8
Logical eraseblock size:                 129024
Total amount of logical eraseblocks:     1014 (130830336 bytes)
Amount of available logical eraseblocks: 337 (43481088 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  10
Current min/mean/max erase counter:      2/5/9
Minimum input/output unit size:          2048 bytes
VID header offset:                       512
-----------------------------------
Volume ID:   0
Type:        static
Alignment:   1
Size:        17 LEBs (2228224 bytes)
Used:        10 LEBs (1287892 bytes)
State:       OK
Name:        kernel
-----------------------------------
Volume ID:   1
Type:        static
Alignment:   1
Size:        114 LEBs (14942208 bytes)
Used:        92 LEBs (11862016 bytes)
State:       OK
Name:        cramfs
-----------------------------------
Volume ID:   4
Type:        dynamic
Alignment:   1
Size:        25 LEBs (3276800 bytes)
State:       OK
Name:        mfgdata
-----------------------------------
Volume ID:   5
Type:        dynamic
Alignment:   1
Size:        261 LEBs (34209792 bytes)
State:       OK
Name:        storage
-----------------------------------
Volume ID:   6
Type:        static
Alignment:   1
Size:        25 LEBs (3276800 bytes)
Used:        10 LEBs (1287892 bytes)
State:       OK
Name:        kernel_sm
-----------------------------------
Volume ID:   7
Type:        static
Alignment:   1
Size:        114 LEBs (14942208 bytes)
Used:        102 LEBs (13033472 bytes)
State:       OK
Name:        cramfs_sm
-----------------------------------
Volume ID:   8
Type:        dynamic
Alignment:   1
Size:        25 LEBs (3276800 bytes)
State:       OK
Name:        usrconf
-----------------------------------
Volume ID:   9
Type:        dynamic
Alignment:   1
Size:        82 LEBs (10747904 bytes)
State:       OK
Name:        logitech
-----------------------------------
Volume ID:   2147479551
Type:        dynamic
Alignment:   0
Size:        0 LEBs (0 bytes)
State:       OK
Name:

问题是:谁能帮我利用这些信息?我怎样才能最好地通过这条 UART 电缆从设备上获取信息?我已经玩弄了dump各种成功级别命令,但是仅仅以00139E70: F8 13 90 C7 98 3B 7B CF 04 9F 80 E1 9A FF 8B 68 |.....;{........h| 难以做任何事情的形式显示典型的十六进制文本就非常麻烦 那么,关于我应该如何进行的任何想法?非常感谢。

更新: 我已经成功地转储了(我认为)整个内存,但使用 Binwalk 并没有得到太多。如果其他人想看一看,就在这里。 https://www.dropbox.com/s/pxpugqpptqc3ph9/data-complete.bin

3个回答

如果您能够获得分区数据的十六进制输出,则可以将其存储在文本文件中,然后转换为二进制文件。在 Linux 上,以下命令可能会有所帮助:

cat data.txt | cut -d' ' -f2-18 | sed s/\\s//g | tr -d '\n' | xxd -r -p > data.bin

您是否能够将此转储的任何部分安装为 ubifs ?

$ strings data-complete.bin | grep -i ubi
"console=ttymxc1,115200 noinitrd init=/linuxrc ubi.mtd=1 root=/dev/mtdblock:cramfs%{os_backup} %{os_cmdargs}"
ubi attach -f 0x80000 -l 0x07EC0000 -w 0x800 -e 0x20000 -s 0x200
ubi load -b 0x100000 kernel%{os_backup}
"console=ttymxc1,115200 noinitrd init=/linuxrc ubi.mtd=1 root=/dev/mtdblock:cramfs%{os_backup} %{os_cmdargs}"
ubi attach -f 0x80000 -l 0x07EC0000 -w 0x800 -e 0x20000 -s 0x200
ubi load -b 0x100000 kernel%{os_backup}
*** invalid 'ubi' command: %s
ubi 
*** UBI is not attached
*** UBI is already attached
UBI start address
UBI length
Attach Unsorted Block Image [UBI]
[-f <ubi_addr> -l <ubi_length> -w <write_size> -e <erase_size> -s <subpage_size>]
Detach Unsorted Block Image [UBI]
Display contents of Unsorted Block Image [UBI]
Load image from Unsorted Block Image [UBI] into RAM
Erase an Unsorted Block Image [UBI]
Format using a UBI image
Manage UBI images
node with incompatible UBI version found: this UBI version is %d, image version is %d
this UBI version is %d, image version is %d
bad UBI magic %08lx, should be %08x
ubi attach -f 0x80000 -l 0x07EC0000 -w 0x800 -e 0x20000 -s 0x200
ubi load -b 0x100000 kernel%{os_backup}
"console=ttymxc1,115200 noinitrd init=/linuxrc ubi.mtd=1 root=/dev/mtdblock:cramfs%{os_backup} %{os_cmdargs}"

见参考:

在找到更好的解决方案之前,也许可以通过阻止此设备访问外部互联网(通过在您的路由器/网关上阻止它)来避免“EOL”过程。

我已经为我不信任访问互联网的支持互联网的设备完成了这项工作(它在我的局域网上仍然有效)

其它你可能感兴趣的问题
上一篇重新组装 ELF 二进制文件 下一篇如何知道我目前在哪个模块?(EIP/RIP 指针)