Router: how do I break into the boot process?

reverse-engineering firmware memory hardware
2021-06-19 02:50:50

I have an ISP-provided router, a Huawei B5318-42. I connected to it over UART with a UART-USB converter, copied the output from boot, and managed to find out which chip is the onboard flash. By placing a jumper on the flash connected to the board's VCC I can stop the boot at certain points, without it being able to recover or continue, but this has not helped me get a shell. There is a point during boot (#Reset_MT7530) where there is a timer and four options (one of which is a command prompt!), but I cannot select anything.

Here is what I have so far:

Flash datasheet: http://static6.arrow.com/aropdfconversion/ad37e5e560057875befe533ab753d2eb5063011f/125413166402097mx25l25635f203v20256mb20v1.5

From the boot sequence I know it runs BusyBox vPort Release +D2Tech+ VPORT_R_1_6_91.

It is a MIPS architecture.

Raw output after pressing reset on the router:

    press for several seconds
ralink_gpio: sending a SIGUSR2 to process 332
[Reboot.sh]: start reboot......
unkown led action
[CM]:send reboot msg to ODU.
[CM]:send msg magic:0xaabbccdd, class:0x80, msgtype:0x40.
press for several seconds
ralink_gpio: sending a SIGUSR2 to process 332
[CM]:send reboot msg to ODU.
[CM]:send reboot msg to ODU.
[Reboot.sh]: start reboot......
unkown led action
[CM]:send msg magic:0xaabbccdd, class:0x80, msgtype:0x40.
1 /sbin/miniupnpd.sh remove && at^tmode=3
[CM]:send reboot msg to ODU.
[CM]:send reboot msg to ODU.
1 /sbin/miniupnpd.sh remove && at^tmode=3
[CM]:send reboot msg to ODU.
modem have no response.
usb 2-1: USB disconnect, device number 2
usb 2-1: [DBG HUB]Lock device done, device number 2
usb 2-1: [DBG HUB]mutex_lock hcd->bandwidth_mutex done, device number 2
usb 2-1: [DBG MESSAGE]set all interface unregister 2
usb 2-1: [DBG MESSAGE]remove interface 0
usb 2-1: [DBG MESSAGE]device delete interface 0
eth_data: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 1
usb 2-1: [DBG MESSAGE]device delete interface 1
eth_voip: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 2
usb 2-1: [DBG MESSAGE]device delete interface 2
eth_tr069: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
usb 2-1: [DBG MESSAGE]remove interface 3
usb 2-1: [DBG MESSAGE]device delete interface 3
usbcomm0: unregister 'huawei_ether', usb-xhc_mtk-1, Huawei Ethernet Device
fxz-hw_stop: called
usb 2-1: [DBG MESSAGE]remove interface 4
usb 2-1: [DBG MESSAGE]device delete interface 4
option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
option 2-1:1.4: device disconnected


OK


usb 2-1: [DBG MESSAGE]remove interface 5
usb 2-1: [DBG MESSAGE]device delete interface 5
option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
option 2-1:1.5: device disconnected
usb 2-1: [DBG MESSAGE]remove interface 6
usb 2-1: [DBG MESSAGE]device delete interface 6
option1 ttyUSB2: GSM modem (1-port) converter now disconnected from ttyUSB2
option 2-1:1.6: device disconnected
usb 2-1: [DBG MESSAGE]remove interface 7
usb 2-1: [DBG MESSAGE]device delete interface 7
option1 ttyUSB3: GSM modem (1-port) converter now disconnected from ttyUSB3
option 2-1:1.7: device disconnected
usb 2-1: [DBG MESSAGE]remove all interface_ep_devs 2
usb 2-1: [DBG MESSAGE]set all interface NULL 2
usb 2-1: [DBG MESSAGE]set device state ADDRESS done 2
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
xhc_mtk xhc_mtk: [MTK]Doesn't find ep_sch instance when removing endpoint
usb 2-1: [DBG HUB]usb_disable_device done, device number 2
usb 2-1: [DBG HUB]mutex_unlock hcd->bandwidth_mutex done, device number 2
usb 2-1: [DBG HUB]usb_remove_ep_devs done, device number 2
usb 2-1: [DBG HUB]usb_unlock_device done, device number 2
[ModemReboot]: usb net disconnect.
VAPP is shuting down
vapp_sip_manage.c 131: Stopping SIP
[ 3: 7:54.621340][LCM]:signal 15 exit.
[CM]:cm process is killed:15
[CM]:send reboot msg to ODU.
SHUTDOWN - _VAPP_mgmtEventWriteTask
[CM]:send reboot msg to ODU.
SHUTDOWN - sipUaHandlerTask. infc:0
Stopped WatchDog Timer.
Restarting system.


===================================================================
            MT7621   stage1 code Mar 12 2015 14:43:30 (ASIC)
            CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11000000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL2 FB_DL: 0x6, 1/0 = 584/440 19000000
PLL3 FB_DL: 0xf, 1/0 = 577/447 3D000000
PLL4 FB_DL: 0x14, 1/0 = 589/435 51000000
do DDR setting..[01F40000]
Apply DDR3 Setting...(use default AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
      --------------------------------------------------------------------------------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    1
000E:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1
000F:|    0    0    0    0    1    1    1    1    1    1    1    1    1    1    0    0
0010:|    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0
0011:|    1    1    1    0    0    0    0    0    0    0    0    0    0    0    0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
DRAMC_DQSCTL1[0e0]=13000000
DRAMC_DQSGCTL[124]=80000033
rank 0 coarse = 15
rank 0 fine = 72
B:|    0    0    0    0    0    0    0    0    0    0    1    1    1    0    0    0
opt_dle value:11
DRAMC_DDR2CTL[07c]=C287223D
DRAMC_PADCTL4[0e4]=000022B3
DRAMC_DQIDLY1[210]=0C0B070B
DRAMC_DQIDLY2[214]=07090909
DRAMC_DQIDLY3[218]=0D0A0909
DRAMC_DQIDLY4[21c]=0B080C0A
DRAMC_R0DELDLY[018]=0000211F
==================================================================
        RX  DQS perbit delay software calibration 
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    11 7 11 11 9 9 9 7 7 7 
10 |    8 9 9 11 7 11 
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center 
y=0-7bit DQ of every group
input delay:DQS0 =31 DQS1 = 33
==================================================================
bit DQS0     bit      DQS1
0  (1~62)31  8  (1~62)31
1  (1~62)31  9  (1~62)31
2  (1~62)31  10  (1~62)31
3  (1~59)30  11  (0~58)29
4  (1~62)31  12  (1~63)32
5  (1~62)31  13  (1~64)32
6  (1~62)31  14  (0~65)32
7  (1~62)31  15  (2~64)33
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    11 7 11 12 9 9 9 7 9 9 
10 |    10 13 10 12 8 11 
==================================================================
==================================================================
     TX  perbyte calibration 
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000 
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2 
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=2 
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=88888888
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed

===================================================================
            MT7621   stage1 code done 
            CPU=500000000 HZ BUS=166666666 HZ
===================================================================

U-Boot 1.1.3 (Oct 20 2016 - 14:48:59)

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87fb8000

Config XHCI 40M PLL 
******************************
Software System Reset Occurred
******************************
flash manufacture id: c2, device id 20 19
find flash: MX25L25635E
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 4.3.0.0
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 
DRAM_TYPE: DDR3 
DRAM bus: 16 bit
Xtal Mode=5 OCP Ratio=1/3
Flash component: SPI Flash
Date:Oct 20 2016  Time:14:48:59
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
 estimate memory size =128 Mbytes
#Reset_MT7530

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
 4  3  2  1  0 

3: System Boot system code via Flash[1st image].
## Booting image at bc050000 ...
Skip checking image magic number
   Image Name:   
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    9748152 Bytes =  9.3 MB
   Load Address: 80001000
   Entry Point:  8000d210
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000d210) ...
## Giving linux memsize in MB, 128

Starting kernel ...




LINUX started...

 THIS IS ASIC
Linux version 2.6.36 (root@pesi-xian) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 SMP PREEMPT Thu Dec 15 16:55:50 CST 2016

 The CPU feqenuce set to 880 MHz
GCMP present
CPU revision is: 0001992f (MIPS 1004Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Detected 3 available secondary CPU(s)
PERCPU: Embedded 7 pages/cpu @81103000 s7424 r8192 d13056 u65536
pcpu-alloc: s7424 r8192 d13056 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 console=ttyS1,57600 root=/dev/ram0 rootfstype=squashfs,jffs2 isolcpus=1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Writing ErrCtl register=00008001
Readback ErrCtl register=00008001
Memory: 115720k/131072k available (4558k kernel code, 15352k reserved, 1583k data, 7568k init, 0k highmem)
Hierarchical RCU implementation.
    Verbose stalled-CPUs detection is disabled.
NR_IRQS:128
Trying to install interrupt handler for IRQ24
Trying to install interrupt handler for IRQ25
Trying to install interrupt handler for IRQ22
Trying to install interrupt handler for IRQ9
Trying to install interrupt handler for IRQ10
Trying to install interrupt handler for IRQ11
Trying to install interrupt handler for IRQ12
Trying to install interrupt handler for IRQ13
Trying to install interrupt handler for IRQ14
Trying to install interrupt handler for IRQ16
Trying to install interrupt handler for IRQ17
Trying to install interrupt handler for IRQ18
Trying to install interrupt handler for IRQ19
Trying to install interrupt handler for IRQ20
Trying to install interrupt handler for IRQ21
Trying to install interrupt handler for IRQ23
Trying to install interrupt handler for IRQ26
Trying to install interrupt handler for IRQ27
Trying to install interrupt handler for IRQ28
Trying to install interrupt handler for IRQ15
Trying to install interrupt handler for IRQ8
Trying to install interrupt handler for IRQ29
Trying to install interrupt handler for IRQ30
Trying to install interrupt handler for IRQ31
console [ttyS1] enabled
Calibrating delay loop... 577.53 BogoMIPS (lpj=1155072)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
launch: starting cpu1
launch: cpu1 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
launch: starting cpu2
launch: cpu2 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
launch: starting cpu3
launch: cpu3 gone!
CPU revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Brought up 4 CPUs
Synchronize counters across 4 CPUs: done.
NET: Registered protocol family 16
release PCIe RST: RALINK_RSTCTRL = 7000000
PCIE PHY initialize
***** Xtal 40MHz *****
start MT7621 PCIe register access
RALINK_RSTCTRL = 7000000
RALINK_CLKCFG1 = 77ffeff8

*************** MT7621 PCIe RC mode *************
PCIE0 no card, disable it(RST&CLK)
PCIE1 no card, disable it(RST&CLK)
PCIE2 no card, disable it(RST&CLK)
pcie_link status = 0x0
RALINK_RSTCTRL= 0
bio: create slab <bio-0> at 0
vgaarb: loaded
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource Ralink Systick timer
usbcore: registered new interface driver huawei_ether
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
cu: Got hangup signal
Connected.
Connected.

Disconnected.

Would applying voltage or ground to the pins of the flash let me stop the boot at some point? Desoldering the flash from the board is also an option, but it is too extreme for me to try this early.

Any and all help is appreciated.

2 Answers

I hope you have already been able to solve your problem. Just in case you are still struggling, I would like to share my thoughts with you.

I just want to point out that I am not 100% sure about this.

As Gogeta70 already said, you can connect directly to the I/O pins of the flash chip. A Bus Pirate is a good choice because it is not expensive, and you seem to be lucky: you have already found out that your flash is a Macronix MX25L25635EF. You can check on the flashrom web page whether this device is part of the supported device list. https://flashrom.org/Supported_hardware

However, if you decide to do this, you have to keep in mind that you may run into some problems if you do not desolder the chip. I just want to point this out so that you do not get frustrated when you connect to it while it is still soldered to the board and do not get the results you want. The flashrom web page has a troubleshooting section for this case. If nothing else works, you can still try removing the flash from the board. https://flashrom.org/ISP

There is one more thing you can try. I did this a month ago with a NAND flash to get access to busybox. You still need access to your flash, because you have to reach the chip select pin. I would only recommend this if you can afford to destroy the device.

I think the interesting part is where it asks you to choose an option. After that, the bootloader starts booting the system from flash.

    Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
 4  3  2  1  0 

3: System Boot system code via Flash[1st image].
## Booting image at bc050000 ...

I would try pulling CS to GND before the counter reaches zero. In my case I had a counter like yours, and at the end the bootloader started booting from flash. When I pulled CS to ground it could no longer access the flash, and I dropped straight into the busybox console, where I could explore the file system.

So you are trying to get a boot shell. To do what? Do you want to dump the flash?

In any case, you say you do not have the option to boot into a shell, but the text in the dump says otherwise:

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP.

If you press "4", you should get a boot shell. Have you tried this?

If you press a number (followed by Enter) and it does not seem to respond, I would double-check that your UART bridge is actually sending your keystrokes.

Failing that, there are a few other avenues you can take. You could try connecting directly to the I/O pins of the flash chip and using something like a Bus Pirate with flashrom to read the firmware straight from the chip. From there you can start doing some reverse engineering on the firmware to understand the boot process. You could even modify the firmware to provide a boot shell.

Another thing to try is finding a JTAG connection on the board. If you do, you could try using OpenOCD to talk to the microprocessor, and then you can do pretty much anything you want, since you have control of the processor.

Also, I am not sure how you jumpered VCC to your flash chip, but I would be careful doing anything to the flash chip that it was not designed for. You do not want to fry it, right?
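Once the flash has been read out with flashrom as suggested above, a first sanity check on the dump is to locate and verify the U-Boot legacy image (uImage) header whose fields the boot log already shows (MIPS Linux kernel, lzma, load address 80001000, entry point 8000d210, "Verifying Checksum ... OK"). The following is an added example, not code from the post, from Huawei or from U-Boot; it assumes the SPI flash is memory-mapped at 0xbc000000, so that "Booting image at bc050000" means flash offset 0x50000, and it runs on a constructed sample instead of a real dump.

```python
import struct
import zlib

IH_MAGIC = 0x27051956                    # U-Boot legacy image magic
HEADER_FMT = ">IIIIIIIBBBB32s"           # big-endian, 64 bytes (see image.h)
HEADER_LEN = struct.calcsize(HEADER_FMT)
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {5: "MIPS"}
TYPE_NAMES = {2: "Kernel Image"}
COMP_NAMES = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}
# Assumption: the SPI flash is memory-mapped at 0xbc000000 on this board, so
# "Booting image at bc050000" in the log means flash offset 0x50000.
KERNEL_OFFSET = 0xBC050000 - 0xBC000000

def parse_uimage(blob: bytes, offset: int) -> dict:
    """Decode the uImage header at `offset` and check both CRCs, as U-Boot does
    before printing "Verifying Checksum ... OK". The magic is reported too,
    although the log shows this U-Boot skipping that check."""
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) != HEADER_LEN:
        raise ValueError("truncated uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    # ih_hcrc is computed over the header with the ih_hcrc field zeroed.
    hcrc_calc = zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xFFFFFFFF
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    dcrc_calc = zlib.crc32(data) & 0xFFFFFFFF
    return {
        "magic_ok": magic == IH_MAGIC,
        "header_crc_ok": hcrc == hcrc_calc,
        "data_crc_ok": len(data) == size and dcrc == dcrc_calc,
        "size": size, "load": load, "entry": entry,
        "os": OS_NAMES.get(os_, f"unknown({os_})"),
        "arch": ARCH_NAMES.get(arch, f"unknown({arch})"),
        "type": TYPE_NAMES.get(typ, f"unknown({typ})"),
        "comp": COMP_NAMES.get(comp, f"unknown({comp})"),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
    }

def build_uimage(payload: bytes, load: int, entry: int) -> bytes:
    """Wrap `payload` in a uImage header the way mkimage does (os=Linux,
    arch=MIPS, type=kernel, comp=lzma). Only used to build the sample."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = bytearray(struct.pack(HEADER_FMT, IH_MAGIC, 0, 0, len(payload),
                                load, entry, dcrc, 5, 5, 2, 3, b""))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr) + payload

def sample_dump() -> bytes:
    """Constructed stand-in for a flash dump: erased (0xFF) bootloader region
    followed by a small fake kernel carrying the log's load/entry addresses."""
    fake_kernel = b"not a real kernel, only test bytes " * 32
    return b"\xff" * KERNEL_OFFSET + build_uimage(fake_kernel, 0x80001000, 0x8000D210)

if __name__ == "__main__":
    for key, value in parse_uimage(sample_dump(), KERNEL_OFFSET).items():
        print(f"{key:14} {value}")
```

On a real dump, pass the file contents instead of sample_dump(); a header whose CRCs do not verify usually means the wrong offset or a bad read rather than a modified image.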