Huawei WS832 repair (performed on Ubuntu 16.04.5)

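My Huawei WS832 has been broken for a long time. It keeps reporting that no network cable is plugged in, so the WAN port is clearly damaged. After several months of wrangling with Huawei after-sales support, Huawei refused to repair it, and its replacement policy is very unreasonable, so the only option left was to repair it myself.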

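The fault symptom is shown in the figure below:

The system version information is shown in the figure below:

The main board after disassembly is shown in the figure below:
At the top centre of the figure above there are four solder pads. These are the four pins of the serial port; from left to right they are GND, RX, TX, VCC. The voltage is 3.3 V and the pin pitch is 1.27 mm. Baud rate 115200, data/parity format 8N1.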



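The shield on the back is fairly hard to remove; once it is off, it turns out there is nothing under it but a bunch of resistors.

The circuit on the component side is shown below:


The MX25L12835F chip is in the middle of the main board in the figure above, at the lower-left corner of the shield. It is a 128 Mbit (16 MB) SPI flash chip.

Without removing the shield, a picture of the processor model found online is shown below:


Remove the shield. It is not soldered, only clipped on, so it can be taken off directly. The processor is shown below:


What a big processor: so much area, and yet such feeble performance.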

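The following items need to be bought on Taobao:
  • 1.27 mm pin header

Purchase link: single-row pin header, round pin header, 2.54 mm / 1.27 / 2.00 pitch, 1*40P, double-row 2*40P, straight and right-angle pins

It looks as shown in the picture:
These usually come as 40-pin strips; when you need one, snap off four consecutive pins.

  • 1.27 mm to 2.54 mm adapter cable

Purchase link: 1.27 to 2.54, 2.54 to 1.27, Dupont 1.27mm to Dupont 2.54mm, 2.54 to 1.27 ribbon cable

It looks as shown in the picture:

This adapts the connection: the pin pitch on the board is too small and very inconvenient to work with.

  • CP2102 module, USB to TTL (other similar modules also work)

Purchase link: Risym CP2102 module, USB to TTL, USB to serial, STC microcontroller download, flashing/upgrade board

It looks as shown in the picture:


There are many chip types for this kind of module. It does not have to be this model; whatever you have on hand is generally good enough.

The result after soldering is shown below:
When wiring, pay attention to the order of RX and TX. If data is not received correctly, swap the two middle pins. Pay particular attention to the voltage: it is 3.3 V. Baud rate 115200, data/parity format 8N1.

After power-on you can see a log similar to the following: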

Welcome to minicom 2.7

OPTIONS: I18n 
Compiled on Feb  7 2016, 13:37:27.
Port /dev/ttyUSB0, 17:22:32

Press CTRL-A Z for help on special keys

�

-------------------
- VER5610 bootrom -
-------------------
-
>> hit <ctrl+c> to stop autoboot:0  
-
----------------------------------
- Flash type .......... [  SPI   ]
- Boot mode ........... [ NONSEC ]
- Read page0 .......... [   OK   ]
- DDR ................. [   OK   ]
- bootloader .......... [   OK   ]
----------------------------------                                              
-                                                                               
>> startup bootloader...                                                        
                                                                                
                                                                                
Hi-Boot  ( 2015-10-13 - 07:45:23 )                                              
                                                                                
DRAM       : 128MB       SYS        : 0xc0c00000                                
STACK DATA : 0xc0020000  STACK SVC  : 0xc0030000                                
STACK FIQ  : 0xc0040000  STACK ABT  : 0xc0050000                                
STACK UND  : 0xc0060000  STACK IRQ  : 0xc0070000                                
Memory     : total 127.5MB                                                      
Memory     : start 0xc01b5080 available 94.3MB                                  
Memory     : code 125.8KB bss 86.3KB highmem 32MB 0xc6000000                    
                                                                                
Boot Sel   : BOOTROM                                                            
                                                                                
sfc chip ID:c2 20 18                                                            
Dev Manuf  : MXIC                                                               
                                                                                
=====bootm=====                                                                 
Reboot type: 0x530206a                                                          
muilt upgrade wait...                                                           
                                                                                
Boot from slave system ...                                                      
   kernel data at 0xc6000040, len = 0x001643cd (1459149)                        
    Uncompressing Kernel Image ...                                              
nas1 phyid:0x6 status:100Mbps FULL                                              
OK                                                                              
## Transferring control to Linux (at address 80408000) ...                      
                                                                                
Starting kernel ...                                                             
                                                                                
init started: BusyBox vv1.9.1 ()                                                
starting pid 275, tty '': '/etc/init.d/rcS'                                     
RCS DONE                                                                        
starting pid 276, tty '': '/bin/sh'                                             
                                                                                
                                                                                
BusyBox vv1.9.1 () built-in shell (ash)                                         
Enter 'help' for a list of built-in commands.                                   
                                                                                
boot start running profile...                                                   
rootdir=/                                                                       
table='/etc/devicetable'                                                        
boot start running starbsp...                                                   
mknod: /dev/mem: File exists                                                    
Loading SDK modules                                                             
Loading HSAN modules                                                            
Loading Huawei modules                                                          
Loading realtek WLAN modules                                                    
Ending realtek WLAN modules                                                     
Loading qtm WLAN modules                                                        
Ending qtm WLAN modules                                                         
boot running starbsp...                                                         
Loading drivers and kernel modules...                                           
                                                                                
HSAN init chip successfully ...!                                                
boot running mic...                                                             
INSMOD base START......                                                         
retry xhci                                                                      
retry xhci done                                                                 
INSMOD base Done                                                                
                                                                                
==========================================                                      
attribute(00)-alias(product                         ) = 00000000                
                                                                                
==========================================                                      
Start mic now ...                                                               
GlobeMac Init OK                                                                
                                                                                
 ATP_FomFlashInit 295: Fail to init WLAN nvram!                                 
load cfm ok.                                                                    
INSMOD wlan START......                                                         
==========ATP_SYS_SetConsole_Type======[0]                                      
                                                                                
INSMOD wlan Done                                                                
##sendmsg return 16, errno 0.                                                   
INSMOD ETH START......                                                          
INSMOD ETH Done                                                                 
device eth0 is not a slave of br0                                               
                                                                                
 begin WlanSetChannel...                                                        
                                                                                
 begin WlanStartServices...                                                     
                                                                                
 begin WlanUpInterfaces...                                                      
=====WlanSetPhyMode(6336), channel is 161                                       
                                                                                
 begin WlanSetChannel...                                                        
                                                                                
 begin WlanStartServices...                                                     
                                                                                
 wlan wps enabled                                                               
                                                                                
 begin WlanUpInterfaces...                                                      
sh start /var/wlan_init.sh                                                      
ifconfig: down: error fetching interface information: Device not found          
atp: cur kernel version:[2.6.30]                                                
----------firewallapi.c--------229-------                                       
sh start /var/firewall_init.sh                                                  
ChannelWanGuide...1..                                                           
                                                                                
deal with rules over...                                                         
                                                                                
sh start /var/qos_init.sh                                                       
sh start /var/igmp_init.sh                                                      
sh end /var/igmp_init.sh                                                        
AlgSipStart(): insmod /lib/kernel/net/netfilter/nf_conntrack_sip.ko ports=5060  
                                                                                
Current sntp process is 1375!                                                   
Start mcast return pid 1575.                                                    
cms dispatch now ...                                                            
iptables: No chain/target/match by that name                                    
iptables: No chain/target/match by that name                                    
==========ATP_SYS_SetConsole_Type======[0]                                      
                                                                                
                                                                                
 usbdiskmonitor.c 46 ATP_USBStorage_Throughput_Optimize: lAllMountedDiskSubarea 
get net address of eth0 fail:99[Cannot assign requested address]get net address0
preferred_network_adapter:eth0, mac:04021F62194A, ipv4:0, brdaddr:0, netmask:0  
get net address result:0, adapter:br0, mac:04021F62194A, ipv4:103a8c0, brdaddr:f
get net address result:0, adapter:br0:9, mac:04021F62194A, ipv4:9c64fea9, brdadf
get net address result:0, adapter:br1, mac:765DAC522CC1, ipv4:19ba8c0, brdaddr:f
fopen [/var/xunlei/etm.ini] fail:No such file or directory.                     
setting_load_cfg /var/xunlei/etm.ini fail:2                                     
ATP_SEC_GenRSAKey                                                               
                                                                                
et version:et_3.0.0_25                                                          
settings_config_load, cfg_file_name = /var/xunlei/download.cfg                  
Inetd app ntwksync:1584 exited: signal number [15], exit code [0].              
Ssdp loop.                                                                      
wscd -start -both_band_ap -w wl0 -c /var/wscd.conf -fi /var/wscd-wl0.fifo -fi2  
Writing file /var/wscd.conf...                                                  
intVal2 32                                                                      
intVal 8                                                                        
is_wep 0                                                                        
                                                                                
WiFi Simple Config v1.22 (2016.03.10-12:43+0000).                               
                                                                                
/bin/sh: cannot create /proc/gpio: nonexistent directory                        
/bin/sh: cannot create /proc/gpio: nonexistent directory                        
next->d_name is wscd-wl0-wl1.pid                                                
---------FOR_DUAL_BAND                                                          
---------000000000                                                              
Both band is up                                                                 
sh end /var/qos_init.sh                                                         
sh end /var/firewall_init.sh                                                    
sh end /var/wlan_init.sh                                                        
********************************************************                        
------------!!Start All Ext AP Sync Action!!------------                        
********************************************************                        
                                                                                
                                                                                
********************************************************                        
------------!!Sync Action end!!-------------------------                        
********************************************************                        
                                                                                
[HILINK_TRACE 40.903862 ntwksync.c:307]: !!Send Heart beat Action!              

Looking at the log, we can see the following line:

ATP_FomFlashInit 295: Fail to init WLAN nvram!

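The log indicates that a piece of flash related to WLAN failed to initialize. The only external flash on the whole board is the MX25L12835FM2I-10G chip, but that is a 128 Mbit SPI flash chip that clearly stores the system firmware, so it does not look like this chip is the damaged part.

As the boot prompt suggests, hammering Ctrl+C at power-on may get you one of two shells: the bootrom shell or the Hi-Boot shell. If you are fast enough you get the bootrom shell, in which a custom ROM can be loaded. I do not yet know how to operate the later Hi-Boot shell.

This device uses the Micrel KSZ8041NL 10/100M Ethernet transceiver chip for its Ethernet operation, while the other ports are all 1000M, so this chip may also be the one at fault. The chip is in a QFN32 package.

The chip is shown below (same main model, different sub-model):

The datasheet for this chip is as follows:

I tried replacing this chip with a hot-air gun, but the expected result did not appear; the error above is still reported.

So I removed the MX25L12835FM2I-10G chip with the hot-air gun and read out the entire contents of the chip with an "EZP_XPro programmer, USB, motherboard/router/LCD BIOS SPI FLASH IBM 25 burner". (A "CH341A programmer, USB, motherboard/router/LCD BIOS/FLASH/24/25 burner" can be used instead; it is very cheap but more fiddly. It is best to also buy a "wide-body SOP8 to DIP8 programming socket / adapter socket / test socket / spring-loaded socket" to save yourself the soldering.) Click here to download the chip image file.

The programmer is shown below:

The contents of the image can be extracted with binwalk: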

$ sudo apt-get install binwalk

$ binwalk -Me -v ws832.bin

The output is as follows:

Scan Time:     2018-08-15 11:08:13
Target File:   ~/ws832.bin
MD5 Checksum:  a7c8d481203d47247fbe7bf46d9b8c7e
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11428         0x2CA4          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 128864 bytes
262144        0x40000         uImage header, header size: 64 bytes, header CRC: 0x88FAA27F, created: 2015-09-08 15:55:59, image size: 823861 bytes, Data Address: 0x80408000, Entry Point: 0x80408000, data CRC: 0xDA3EE43E, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: lzma, image name: "Linux-2.6.30"
262208        0x40040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2212928 bytes
1114112       0x110000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2130604 bytes, 960 inodes, blocksize: 1048576 bytes, created: 2015-09-08 16:00:11
3276800       0x320000        uImage header, header size: 64 bytes, header CRC: 0x9BA446F, created: 2015-08-21 12:49:35, image size: 1565479 bytes, Data Address: 0x80408000, Entry Point: 0x80408000, data CRC: 0xA493E4FB, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: lzma, image name: "Linux-2.6.30"
3276864       0x320040        LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4160000 bytes
4658694       0x471606        COBALT boot rom data (Flat boot rom or file system)
5046272       0x4D0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10420928 bytes, 1100 inodes, blocksize: 1048576 bytes, created: 2015-08-21 12:54:21


Scan Time:     2018-08-15 11:08:14
Target File:   ~/_ws832.bin.extracted/2CA4
MD5 Checksum:  b9ed876ee5986929c28bf9541028ed35
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
88460         0x1598C         SHA256 hash constants, little endian
115112        0x1C1A8         CRC32 polynomial table, little endian
120138        0x1D54A         HTML document header
120269        0x1D5CD         HTML document footer
125432        0x1E9F8         HTML document header
126955        0x1EFEB         HTML document footer
126968        0x1EFF8         HTML document header
128679        0x1F6A7         HTML document footer


Scan Time:     2018-08-15 11:08:14
Target File:   ~/_ws832.bin.extracted/40040
MD5 Checksum:  59d5ffb0b72d43bd6c0c7e1d277cdb45
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
900933        0xDBF45         Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
901057        0xDBFC1         Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
1893708       0x1CE54C        Linux kernel version "2.6.30 (root@wuhcitcslx00001) (gcc version 4.4.6 (crosstool-NG 1.13.2 - hsan-5115) ) #1 SMP PREEMPT Tue Sep 8 23:55:20 CST 2015"
1913732       0x1D3384        CRC32 polynomial table, little endian
1922008       0x1D53D8        CRC32 polynomial table, little endian
1977235       0x1E2B93        xz compressed data
2007663       0x1EA26F        Unix path: /etc/nginx/conf/domain.dat
2021022       0x1ED69E        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"


Scan Time:     2018-08-15 11:08:15
Target File:   ~/_ws832.bin.extracted/320040
MD5 Checksum:  793674e360955006b5b1f816285a2fd7
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1353733       0x14A805        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
1353857       0x14A881        Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
2990892       0x2DA32C        Linux kernel version "2.6.30 (root@wuhcitcslx00001) (gcc version 4.4.6 (crosstool-NG 1.13.2 - hsan-5115) ) #1 SMP PREEMPT Fri Aug 21 20:48:45 CST 2015"
3266640       0x31D850        CRC32 polynomial table, little endian
3281980       0x32143C        CRC32 polynomial table, little endian
3764063       0x396F5F        xz compressed data
3835049       0x3A84A9        Unix path: /etc/nginx/conf/domain.dat
3854022       0x3ACEC6        Neighborly text, "NeighborSolicits init(): can't add protocol"
3854039       0x3ACED7        Neighborly text, "NeighborAdvertisementsd protocol"
3857063       0x3ADAA7        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
3865240       0x3AFA98        Unix path: /mru/rcvseq/sendseq/lns debug reorderto
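
Since the question here is whether the flash contents are damaged, the two uImage headers binwalk found (at 0x40000 and 0x320000) can be checked directly: each legacy U-Boot header carries a CRC32 of itself and of the image data. The following is an added example, not part of the original post; the function names are hypothetical and the sample dump is constructed so that it runs without the real ws832.bin.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian u32 fields, 4 one-byte fields,
# and a 32-byte NUL-padded name, 64 bytes in total.
HEADER = struct.Struct(">7I4B32s")


def check_uimage(flash, offset):
    """Parse the uImage header at `offset` and recompute both CRC32 fields."""
    raw = bytes(flash[offset:offset + HEADER.size])
    if len(raw) < HEADER.size:
        raise ValueError(f"no room for a uImage header at {offset:#x}")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at {offset:#x}")
    # The header CRC is computed with its own field set to zero.
    zeroed = raw[:4] + bytes(4) + raw[8:]
    start = offset + HEADER.size
    data = bytes(flash[start:start + size])
    return {
        "offset": offset,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "load": load,
        "entry": entry,
        "header_ok": zlib.crc32(zeroed) == hcrc,
        # A short read means the image runs past the end of the dump.
        "data_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def audit(flash, offsets):
    """Check every uImage offset reported by binwalk."""
    return [check_uimage(flash, off) for off in offsets]


def build_uimage(payload, name=b"Linux-2.6.30", load=0x80408000):
    """Constructed sample: OS Linux (5), CPU ARM (2), kernel (2), lzma (3)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, load,
              zlib.crc32(payload), 5, 2, 2, 3, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload


def sample_flash():
    """Constructed dump: erased flash (0xFF) with two images at the offsets
    binwalk reported; one payload byte of the second image is corrupted."""
    flash = bytearray(b"\xff" * 0x330000)
    for off, fill in ((0x40000, b"A"), (0x320000, b"B")):
        image = build_uimage(fill * 4096)
        flash[off:off + len(image)] = image
    flash[0x320000 + HEADER.size + 100] ^= 0x01   # simulate a flipped bit
    return flash


if __name__ == "__main__":
    # For a real dump: flash = open("ws832.bin", "rb").read()
    for r in audit(sample_flash(), (0x40000, 0x320000)):
        print(f"{r['offset']:#08x} {r['name']!r} size={r['size']} "
              f"header_ok={r['header_ok']} data_ok={r['data_ok']}")
```

On a real dump, `data_ok=False` for one kernel while the other passes points at localized flash corruption rather than a dead chip.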

The error message we saw above,

ATP_FomFlashInit 295: Fail to init WLAN nvram!

comes from the file _ws832.bin.extracted/squashfs-root-0/lib/libbhalapi.so.

We disassemble the whole file with the following commands:

$ sudo apt-get install  gcc-arm-none-eabi

$ arm-none-eabi-objdump -s -D '_ws832.bin.extracted/squashfs-root-0/lib/libbhalapi.so' >> libbhalapi.txt

The resulting disassembly can be downloaded here: libbhalapi.txt

We focus on the function that reports the error, shown below:

00008e70 <ATP_FomFlashInit>:
    8e70:	e92d45f0 	push	{r4, r5, r6, r7, r8, sl, lr}
    8e74:	e24dd07c 	sub	sp, sp, #124	; 0x7c
    8e78:	e28d3078 	add	r3, sp, #120	; 0x78
    8e7c:	e3a0a001 	mov	sl, #1
    8e80:	e523a004 	str	sl, [r3, #-4]!
    8e84:	e3a00005 	mov	r0, #5
    8e88:	e3a01a01 	mov	r1, #4096	; 0x1000
    8e8c:	e3a02034 	mov	r2, #52	; 0x34
    8e90:	ebffe65d 	bl	280c <ATP_UTIL_GVarInit@plt>
    8e94:	e59f53e4 	ldr	r5, [pc, #996]	; 9280 <ATP_FomFlashInit+0x410>
    8e98:	e150000a 	cmp	r0, sl
    8e9c:	e08f5005 	add	r5, pc, r5
    8ea0:	0a0000f2 	beq	9270 <ATP_FomFlashInit+0x400>
    8ea4:	e3a00005 	mov	r0, #5
    8ea8:	ebffe5f7 	bl	268c <ATP_UTIL_GVarGetMemHandle@plt>
    8eac:	e59f23d0 	ldr	r2, [pc, #976]	; 9284 <ATP_FomFlashInit+0x414>
    8eb0:	e3500000 	cmp	r0, #0
    8eb4:	e7958002 	ldr	r8, [r5, r2]
    8eb8:	e5880000 	str	r0, [r8]
    8ebc:	0a0000eb 	beq	9270 <ATP_FomFlashInit+0x400>
    8ec0:	e3a01014 	mov	r1, #20
    8ec4:	ebffe608 	bl	26ec <ATP_UTIL_BgetMalloc@plt>
    8ec8:	e59f23b8 	ldr	r2, [pc, #952]	; 9288 <ATP_FomFlashInit+0x418>
    8ecc:	e3500000 	cmp	r0, #0
    8ed0:	e7957002 	ldr	r7, [r5, r2]
    8ed4:	e5870000 	str	r0, [r7]
    8ed8:	0a0000e4 	beq	9270 <ATP_FomFlashInit+0x400>
    8edc:	e3a01000 	mov	r1, #0
    8ee0:	e3a02014 	mov	r2, #20
    8ee4:	ebffe67e 	bl	28e4 <memset@plt>
    8ee8:	e5973000 	ldr	r3, [r7]
    8eec:	e28d4078 	add	r4, sp, #120	; 0x78
    8ef0:	e3a06000 	mov	r6, #0
    8ef4:	e3a0201a 	mov	r2, #26
    8ef8:	e5836004 	str	r6, [r3, #4]
    8efc:	e5836008 	str	r6, [r3, #8]
    8f00:	e5832000 	str	r2, [r3]
    8f04:	e5246008 	str	r6, [r4, #-8]!
    8f08:	e5836010 	str	r6, [r3, #16]
    8f0c:	e583600c 	str	r6, [r3, #12]
    8f10:	ebffe66d 	bl	28cc <FOMGetAllFlashSize@plt>
    8f14:	ebffe66c 	bl	28cc <FOMGetAllFlashSize@plt>
    8f18:	e3a02018 	mov	r2, #24
    8f1c:	e1a01000 	mov	r1, r0
    8f20:	e3a03040 	mov	r3, #64	; 0x40
    8f24:	e1a00004 	mov	r0, r4
    8f28:	ebffff90 	bl	8d70 <FOMGetListHead+0x204>
    8f2c:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f30:	e3a02017 	mov	r2, #23
    8f34:	e3a03040 	mov	r3, #64	; 0x40
    8f38:	e1a00004 	mov	r0, r4
    8f3c:	ebffff8b 	bl	8d70 <FOMGetListHead+0x204>
    8f40:	e1a03006 	mov	r3, r6
    8f44:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f48:	e3a02015 	mov	r2, #21
    8f4c:	e1a00004 	mov	r0, r4
    8f50:	ebffff86 	bl	8d70 <FOMGetListHead+0x204>
    8f54:	e1a03006 	mov	r3, r6
    8f58:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f5c:	e3a02014 	mov	r2, #20
    8f60:	e1a00004 	mov	r0, r4
    8f64:	ebffff81 	bl	8d70 <FOMGetListHead+0x204>
    8f68:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f6c:	e3a02013 	mov	r2, #19
    8f70:	e3a03040 	mov	r3, #64	; 0x40
    8f74:	e1a00004 	mov	r0, r4
    8f78:	ebffff7c 	bl	8d70 <FOMGetListHead+0x204>
    8f7c:	e1a03006 	mov	r3, r6
    8f80:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f84:	e3a02012 	mov	r2, #18
    8f88:	e1a00004 	mov	r0, r4
    8f8c:	ebffff77 	bl	8d70 <FOMGetListHead+0x204>
    8f90:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8f94:	e3a02011 	mov	r2, #17
    8f98:	e3a03040 	mov	r3, #64	; 0x40
    8f9c:	e1a00004 	mov	r0, r4
    8fa0:	ebffff72 	bl	8d70 <FOMGetListHead+0x204>
    8fa4:	e1a03006 	mov	r3, r6
    8fa8:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8fac:	e3a02010 	mov	r2, #16
    8fb0:	e1a00004 	mov	r0, r4
    8fb4:	ebffff6d 	bl	8d70 <FOMGetListHead+0x204>
    8fb8:	e1a03006 	mov	r3, r6
    8fbc:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8fc0:	e3a0200f 	mov	r2, #15
    8fc4:	e1a00004 	mov	r0, r4
    8fc8:	ebffff68 	bl	8d70 <FOMGetListHead+0x204>
    8fcc:	e1a03006 	mov	r3, r6
    8fd0:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8fd4:	e3a0200e 	mov	r2, #14
    8fd8:	e1a00004 	mov	r0, r4
    8fdc:	ebffff63 	bl	8d70 <FOMGetListHead+0x204>
    8fe0:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8fe4:	e3a0200d 	mov	r2, #13
    8fe8:	e3a03040 	mov	r3, #64	; 0x40
    8fec:	e1a00004 	mov	r0, r4
    8ff0:	ebffff5e 	bl	8d70 <FOMGetListHead+0x204>
    8ff4:	e1a00004 	mov	r0, r4
    8ff8:	e59d1070 	ldr	r1, [sp, #112]	; 0x70
    8ffc:	e3a0200c 	mov	r2, #12
    9000:	e3a03040 	mov	r3, #64	; 0x40
    9004:	ebffff59 	bl	8d70 <FOMGetListHead+0x204>
    9008:	e2506000 	subs	r6, r0, #0
    900c:	1a000097 	bne	9270 <ATP_FomFlashInit+0x400>
    9010:	e1a01006 	mov	r1, r6
    9014:	e3a02080 	mov	r2, #128	; 0x80
    9018:	e1a00004 	mov	r0, r4
    901c:	e58d6070 	str	r6, [sp, #112]	; 0x70
    9020:	ebffff2e 	bl	8ce0 <FOMGetListHead+0x174>
    9024:	e3a01003 	mov	r1, #3
    9028:	e3a02d0d 	mov	r2, #832	; 0x340
    902c:	e1a00004 	mov	r0, r4
    9030:	ebffff2a 	bl	8ce0 <FOMGetListHead+0x174>
    9034:	e3a01004 	mov	r1, #4
    9038:	e3a02d21 	mov	r2, #2112	; 0x840
    903c:	e1a00004 	mov	r0, r4
    9040:	ebffff26 	bl	8ce0 <FOMGetListHead+0x174>
    9044:	e3a01005 	mov	r1, #5
    9048:	e3a02d1b 	mov	r2, #1728	; 0x6c0
    904c:	e1a00004 	mov	r0, r4
    9050:	ebffff22 	bl	8ce0 <FOMGetListHead+0x174>
    9054:	e3a01006 	mov	r1, #6
    9058:	e3a02c2b 	mov	r2, #11008	; 0x2b00
    905c:	e1a00004 	mov	r0, r4
    9060:	ebffff1e 	bl	8ce0 <FOMGetListHead+0x174>
    9064:	e3a01009 	mov	r1, #9
    9068:	e1a02006 	mov	r2, r6
    906c:	e1a00004 	mov	r0, r4
    9070:	ebffff1a 	bl	8ce0 <FOMGetListHead+0x174>
    9074:	e1a00004 	mov	r0, r4
    9078:	e1a02006 	mov	r2, r6
    907c:	e3a0100a 	mov	r1, #10
    9080:	ebffff16 	bl	8ce0 <FOMGetListHead+0x174>
    9084:	e3500000 	cmp	r0, #0
    9088:	1a000078 	bne	9270 <ATP_FomFlashInit+0x400>
    908c:	e1a01007 	mov	r1, r7
    9090:	e59f01f4 	ldr	r0, [pc, #500]	; 928c <ATP_FomFlashInit+0x41c>
    9094:	e3a02004 	mov	r2, #4
    9098:	ebffe5de 	bl	2818 <ATP_UTIL_GVarSetValue@plt>
    909c:	e3500000 	cmp	r0, #0
    90a0:	1a000072 	bne	9270 <ATP_FomFlashInit+0x400>
    90a4:	e5980000 	ldr	r0, [r8]
    90a8:	e3a01010 	mov	r1, #16
    90ac:	ebffe58e 	bl	26ec <ATP_UTIL_BgetMalloc@plt>
    90b0:	e59f31d8 	ldr	r3, [pc, #472]	; 9290 <ATP_FomFlashInit+0x420>
    90b4:	e3500000 	cmp	r0, #0
    90b8:	e7957003 	ldr	r7, [r5, r3]
    90bc:	e5870000 	str	r0, [r7]
    90c0:	0a00006a 	beq	9270 <ATP_FomFlashInit+0x400>
    90c4:	e59f01c8 	ldr	r0, [pc, #456]	; 9294 <ATP_FomFlashInit+0x424>
    90c8:	e1a01007 	mov	r1, r7
    90cc:	e3a02004 	mov	r2, #4
    90d0:	ebffe5d0 	bl	2818 <ATP_UTIL_GVarSetValue@plt>
    90d4:	e2504000 	subs	r4, r0, #0
    90d8:	1a000064 	bne	9270 <ATP_FomFlashInit+0x400>
    90dc:	e59f21b4 	ldr	r2, [pc, #436]	; 9298 <ATP_FomFlashInit+0x428>
    90e0:	e5973000 	ldr	r3, [r7]
    90e4:	e7952002 	ldr	r2, [r5, r2]
    90e8:	e1c340b2 	strh	r4, [r3, #2]
    90ec:	e582a000 	str	sl, [r2]
    90f0:	e1c340b0 	strh	r4, [r3]
    90f4:	e5834004 	str	r4, [r3, #4]
    90f8:	e2800070 	add	r0, r0, #112	; 0x70
    90fc:	ebffe56b 	bl	26b0 <malloc@plt>
    9100:	e2506000 	subs	r6, r0, #0
    9104:	0a000059 	beq	9270 <ATP_FomFlashInit+0x400>
    9108:	e1a01004 	mov	r1, r4
    910c:	e3a02070 	mov	r2, #112	; 0x70
    9110:	ebffe5f3 	bl	28e4 <memset@plt>
    9114:	e3a03070 	mov	r3, #112	; 0x70
    9118:	e1a01006 	mov	r1, r6
    911c:	e1a02004 	mov	r2, r4
    9120:	e3a00017 	mov	r0, #23
    9124:	ebffe57f 	bl	2728 <ATP_FLASH_ReadArea@plt>
    9128:	e5970000 	ldr	r0, [r7]
    912c:	e59f8168 	ldr	r8, [pc, #360]	; 929c <ATP_FomFlashInit+0x42c>
    9130:	e2867068 	add	r7, r6, #104	; 0x68
    9134:	e1a01007 	mov	r1, r7
    9138:	e3a02008 	mov	r2, #8
    913c:	e2800008 	add	r0, r0, #8
    9140:	ebffe545 	bl	265c <memcpy@plt>
    9144:	e0858008 	add	r8, r5, r8
    9148:	e3a03008 	mov	r3, #8
    914c:	e1a02007 	mov	r2, r7
    9150:	e1a01004 	mov	r1, r4
    9154:	e28d700c 	add	r7, sp, #12
    9158:	e59f0140 	ldr	r0, [pc, #320]	; 92a0 <ATP_FomFlashInit+0x430>
    915c:	e88d0110 	stm	sp, {r4, r8}
    9160:	ebffe528 	bl	2608 <bhalIoctl@plt>
    9164:	e1a01004 	mov	r1, r4
    9168:	e3a02021 	mov	r2, #33	; 0x21
    916c:	e1a00007 	mov	r0, r7
    9170:	ebffe5db 	bl	28e4 <memset@plt>
    9174:	e1a01007 	mov	r1, r7
    9178:	e3a02021 	mov	r2, #33	; 0x21
    917c:	e3a00008 	mov	r0, #8
    9180:	ebffe5b9 	bl	286c <ATP_SYS_GetInfo@plt>
    9184:	e3a03021 	mov	r3, #33	; 0x21
    9188:	e1a01004 	mov	r1, r4
    918c:	e1a02007 	mov	r2, r7
    9190:	e59f010c 	ldr	r0, [pc, #268]	; 92a4 <ATP_FomFlashInit+0x434>
    9194:	e88d0110 	stm	sp, {r4, r8}
    9198:	ebffe51a 	bl	2608 <bhalIoctl@plt>
    919c:	e1a00006 	mov	r0, r6
    91a0:	ebffe617 	bl	2a04 <free@plt>
    91a4:	e59f00fc 	ldr	r0, [pc, #252]	; 92a8 <ATP_FomFlashInit+0x438>
    91a8:	e28d6050 	add	r6, sp, #80	; 0x50
    91ac:	e0850000 	add	r0, r5, r0
    91b0:	ebffe52f 	bl	2674 <puts@plt>
    91b4:	e1a01004 	mov	r1, r4
    91b8:	e3a02020 	mov	r2, #32
    91bc:	e1a00006 	mov	r0, r6
    91c0:	ebffe5c7 	bl	28e4 <memset@plt>
    91c4:	e1a01004 	mov	r1, r4
    91c8:	e3a02020 	mov	r2, #32
    91cc:	e28d0030 	add	r0, sp, #48	; 0x30
    91d0:	ebffe5c3 	bl	28e4 <memset@plt>
    91d4:	e1a01006 	mov	r1, r6
    91d8:	e3a00021 	mov	r0, #33	; 0x21
    91dc:	e3a02020 	mov	r2, #32
    91e0:	ebffe5a1 	bl	286c <ATP_SYS_GetInfo@plt>
    91e4:	e2504000 	subs	r4, r0, #0
    91e8:	1a000003 	bne	91fc <ATP_FomFlashInit+0x38c>
    91ec:	e28d0050 	add	r0, sp, #80	; 0x50
    91f0:	e3a01020 	mov	r1, #32
    91f4:	ebffe551 	bl	2740 <ATP_BHAL_SetMultiNvId@plt>
    91f8:	e1a04000 	mov	r4, r0
    91fc:	e28d6030 	add	r6, sp, #48	; 0x30
    9200:	e1a01006 	mov	r1, r6
    9204:	e3a02020 	mov	r2, #32
    9208:	e3a00022 	mov	r0, #34	; 0x22
    920c:	ebffe596 	bl	286c <ATP_SYS_GetInfo@plt>
    9210:	e1a00006 	mov	r0, r6
    9214:	ebffe570 	bl	27dc <IsCustomCountry@plt>
    9218:	e3500001 	cmp	r0, #1
    921c:	1a000005 	bne	9238 <ATP_FomFlashInit+0x3c8>
    9220:	e59f2084 	ldr	r2, [pc, #132]	; 92ac <ATP_FomFlashInit+0x43c>
    9224:	e1a03006 	mov	r3, r6
    9228:	e0852002 	add	r2, r5, r2
    922c:	e28d0050 	add	r0, sp, #80	; 0x50
    9230:	e3a01020 	mov	r1, #32
    9234:	ebffe4ea 	bl	25e4 <snprintf@plt>
    9238:	e28d0050 	add	r0, sp, #80	; 0x50
    923c:	e3a01020 	mov	r1, #32
    9240:	ebffe53e 	bl	2740 <ATP_BHAL_SetMultiNvId@plt>
    9244:	e3540000 	cmp	r4, #0
    9248:	01a00004 	moveq	r0, r4
    924c:	0a000008 	beq	9274 <ATP_FomFlashInit+0x404>
    9250:	e59f0058 	ldr	r0, [pc, #88]	; 92b0 <ATP_FomFlashInit+0x440>
    9254:	e59f1058 	ldr	r1, [pc, #88]	; 92b4 <ATP_FomFlashInit+0x444>
    9258:	e0850000 	add	r0, r5, r0
    925c:	e0851001 	add	r1, r5, r1
    9260:	e59f2050 	ldr	r2, [pc, #80]	; 92b8 <ATP_FomFlashInit+0x448>
    9264:	ebffe4cf 	bl	25a8 <printf@plt>
    9268:	e3a00000 	mov	r0, #0
    926c:	ea000000 	b	9274 <ATP_FomFlashInit+0x404>
    9270:	e3e00000 	mvn	r0, #0
    9274:	e28dd07c 	add	sp, sp, #124	; 0x7c
    9278:	e8bd45f0 	pop	{r4, r5, r6, r7, r8, sl, lr}
    927c:	e12fff1e 	bx	lr
    9280:	00009da4 	andeq	r9, r0, r4, lsr #27
    9284:	0000019c 	muleq	r0, ip, r1
    9288:	000001a8 	andeq	r0, r0, r8, lsr #3
    928c:	00050001 	andeq	r0, r5, r1
    9290:	000001a0 	andeq	r0, r0, r0, lsr #3
    9294:	00050002 	andeq	r0, r5, r2
    9298:	000001a4 	andeq	r0, r0, r4, lsr #3
    929c:	ffff6f8e 			; <UNDEFINED> instruction: 0xffff6f8e
    92a0:	c018424f 	andsgt	r4, r8, pc, asr #4
    92a4:	c0184257 	andsgt	r4, r8, r7, asr r2
    92a8:	ffff7da5 			; <UNDEFINED> instruction: 0xffff7da5
    92ac:	ffff716f 			; <UNDEFINED> instruction: 0xffff716f
    92b0:	ffff7db7 			; <UNDEFINED> instruction: 0xffff7db7
    92b4:	ffff7d68 			; <UNDEFINED> instruction: 0xffff7d68
    92b8:	00000127 	andeq	r0, r0, r7, lsr #2

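In this function, pay particular attention to the call to printf, because that is what prints the log line; however, we still do not know exactly what went wrong.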
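
The printf arguments in the listing are built from literal-pool words plus a PC-relative base in r5, so they can be resolved mechanically. The following is an added example, not part of the original post: it evaluates the relevant lines copied from the listing above (`resolve_calls` is a hypothetical helper) and shows that the third argument is 295, the number printed in the log line.

```python
import re

# Lines copied from the ATP_FomFlashInit listing above: the setup of r5,
# the printf call site, and the literal-pool words those loads reference.
LISTING = """
    8e94: e59f53e4  ldr r5, [pc, #996]  ; 9280 <ATP_FomFlashInit+0x410>
    8e9c: e08f5005  add r5, pc, r5
    9250: e59f0058  ldr r0, [pc, #88]   ; 92b0 <ATP_FomFlashInit+0x440>
    9254: e59f1058  ldr r1, [pc, #88]   ; 92b4 <ATP_FomFlashInit+0x444>
    9258: e0850000  add r0, r5, r0
    925c: e0851001  add r1, r5, r1
    9260: e59f2050  ldr r2, [pc, #80]   ; 92b8 <ATP_FomFlashInit+0x448>
    9264: ebffe4cf  bl 25a8 <printf@plt>
    9280: 00009da4  andeq r9, r0, r4, lsr #27
    92b0: ffff7db7  ; <UNDEFINED> instruction: 0xffff7db7
    92b4: ffff7d68  ; <UNDEFINED> instruction: 0xffff7d68
    92b8: 00000127  andeq r0, r0, r7, lsr #2
"""

LINE = re.compile(r"^\s*([0-9a-f]+):\s+([0-9a-f]{8})\s+(.*)$")
LDR_PC = re.compile(r"ldr\s+(r\d+), \[pc, #(\d+)\]")
ADD = re.compile(r"add\s+(r\d+), (pc|r\d+), (r\d+)")
BL = re.compile(r"bl\s+[0-9a-f]+ <(\w+)@plt>")


def resolve_calls(listing):
    """Track r0-r12 through ldr/add and report the arguments at each bl."""
    rows = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), m[3]))
    words = {addr: word for addr, word, _ in rows}   # literal-pool lookup
    regs, calls = {}, []
    for addr, _, text in rows:
        pc = addr + 8   # in ARM state, pc reads as instruction address + 8
        if m := LDR_PC.match(text):
            regs[m[1]] = words[pc + int(m[2])]
        elif m := ADD.match(text):
            base = pc if m[2] == "pc" else regs[m[2]]
            regs[m[1]] = (base + regs[m[3]]) & 0xFFFFFFFF
        elif m := BL.match(text):
            args = [regs.get(r) for r in ("r0", "r1", "r2")]
            calls.append((addr, m[1], args))
    return calls


if __name__ == "__main__":
    for addr, func, (a0, a1, a2) in resolve_calls(LISTING):
        # a0 and a1 are file offsets of strings; look them up in the
        # hex dump that objdump -s wrote to libbhalapi.txt.
        print(f"{addr:x}: {func}(fmt@{a0:#x}, str@{a1:#x}, {a2})")
```

In the listing this call site is reached only when r4 is non-zero at 9244, and r4 holds the return value of ATP_SYS_GetInfo (called at 91e0) or, when that was 0, of the ATP_BHAL_SetMultiNvId call at 91f4.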

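In the extracted directory, _ws832.bin.extracted/squashfs-root/html is completely empty, which is rather odd. After a long search I found that the web page files are stored in the file _ws832.bin.extracted/squashfs-root/etc/webimg, and that the file _ws832.bin.extracted/squashfs-root/etc/webidx stores each file's offset and length. Requests for html are all handled by an application that parses these two files.

In practice I found that firmware extracted with firmware-mod-kit is cleaner and more compact, and it can also be repacked.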

$ git clone https://github.com/rampageX/firmware-mod-kit.git

$ cd firmware-mod-kit

$ sudo apt-get install liblzma-dev

// extract command
$  ./extract-firmware.sh ws832.bin

// repack command
$ ./build-firmware.sh

If this tool is hard to download, a copy can be downloaded from this site: click here to download firmware-mod-kit
