Old 06-17-2016, 15:35   #1 (permalink)
Junior Member
 
Join Date: Jun 2016
Posts: 5
Member: 2587501
Status: Offline
Thanks Meter: 5
Huawei B190 connection(?) / firmware


I'm a bit stuck with my Huawei B190.
It's an LTE router, please google for images, can't post 'em yet.

The device has a micro-USB connector. But when connected to Win or Unix it only constantly restarts. Win also states "unknown device", so no luck there.

I can't find a way to get it connected to some COM to issue some AT commands or anything. Is it possible that I need some sort of special cable (crossed USB?) or am I missing something here? Any other way to unlock/mess with it?

Also, I'd like to start a bit with reverse engineering, but I can't get my hands on the firmware (tried exploiting the website-urls, update-server etc, but no luck). Maybe one of you has something on hand.

Thanks in advance!
The Following User Says Thank You to bitflip For This Useful Post:
Old 06-20-2016, 09:19   #2 (permalink)
Just wanted to update what I got so far.
First guess due to the constant restarts was that the B190 needs more power over the USB than my PC gives. But even with an active hub it doesn't work.

I opened up the router and started probing some test points. I still can't post images (10 posts limit), but it seems I found an active UART, will try to connect it with my Pi today. I also eventually found JTAG, but I still have no idea what the micro-USB is doing.

When I power the device from the socket outlet, the micro-USB starts transmitting on two pins (same signal) and ground is connected. No Vdd.

I also found an unpopulated interface, looks like another micro-USB (sorry, no image possible).

Will report further when I find more.
Old 06-21-2016, 13:23   #3 (permalink)
I've successfully connected to the B190 via serial. The pins for Tx and Rx can be found at imgur /a/XA5Ad

When connected and booted, you get dropped into a VxWorks shell.
It's the first time I've seen this OS, so I'll need some time to find my way around.

I'm able to browse through the filesystem, but it contains mostly binary files (executables?).
Next, I'll try to extract the firmware.

Maybe some of you have experience with VxWorks? Do you know any way I can communicate with the modem through this shell? My goal is still to issue some AT commands or find a way of unlocking the modem.
Old 06-24-2016, 00:15   #4 (permalink)
Got no luck with VxWorks so far.
I got lucky again when I was probing with the oscilloscope.
I found another UART connection, this time booting into a nice Linux kernel, starting BusyBox and doing some stuff. Sadly, I couldn't get a shell (or it just didn't take my input). Both UARTs can be found at the 10-test-point array.

Pin Layout:
Vdd (5V) ---> (0) (0) <--- Rx (Linux)
Vdd (5V) ---> (0) (0) <--- Tx (Linux)
?? ---------> (0) (0) <--- ??
GND -------> (0) (0) <--- Rx (VxWorks)
GND -------> (0) (0) <--- Tx (VxWorks)

For documentation, here is some output of the VxWorks UART:
Code:
onchip
NF_boot!
UnSec_boot!
Balong V7R1 MCore bootloader...
Compile date:Sep 26 2013
Compile time:15:10:18
NANDC_V4.00Partition Table list(HEX):BOOTROM_V01.02H6920CS_UDP
NO. |offset    |loadsize  |capacity  |loadaddr  |entry     |property   |count    |id         |name     |
-------------------------------------------------------------------------------------------------------
00000001:  00000000  ,0000FBE4  ,00020000  ,2FFC0000  ,2FFC0000  ,00000000  ,00000002  ,00000101  ,BootLoad
00000002:  00020000  ,00000000  ,00180000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010D  ,NvBackLTE
00000003:  001A0000  ,00000000  ,00100000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010E  ,NvBackGU
00000004:  002A0000  ,000A264C  ,00200000  ,30003F80  ,30004000  ,00000000  ,00000002  ,00000102  ,BootRom
00000005:  004A0000  ,000A267B  ,00200000  ,30003F80  ,30004000  ,00000000  ,00000001  ,00000102  ,BootRom
00000006:  006A0000  ,016FD05C  ,02000000  ,30003F80  ,30004000  ,00000000  ,00000002  ,00000103  ,VxWorks
00000007:  026A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000110  ,Logo
00000008:  026A0000  ,00000000  ,00C00000  ,00000000  ,00000000  ,00000201  ,00000000  ,00000106  ,/yaffs0
00000009:  032A0000  ,0000F858  ,00060000  ,369E0000  ,369E0000  ,00000000  ,00000002  ,00000104  ,FastBoot
0000000A:  03300000  ,002A2000  ,003A0000  ,36A40000  ,36A40000  ,00000000  ,00000002  ,00000105  ,kernel
0000000B:  036A0000  ,01249800  ,01C00000  ,00000000  ,00000000  ,00004401  ,00000002  ,00000107  ,/yaffs1
0000000C:  052A0000  ,00000000  ,00500000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000109  ,/yaffs3
0000000D:  057A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000111  ,/yaffs4
0000000E:  057A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000108  ,/yaffs2
0000000F:  057A0000  ,00000000  ,00080000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000113  ,/yaffs6
00000010:  05820000  ,00000000  ,02260000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000112  ,/yaffs5
00000011:  07A80000  ,00000000  ,08580000  ,00000000  ,00000000  ,00004000  ,00000000  ,0000010C  ,cdromiso
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

sec disabled
IsBootromStart value = %d00000000
press space key to enter bootrom: Start from: vxWorks Kernel.
>>loading: VxWorks ... OK.
>>loading: FastBoot ... OK.

hw main id:00000909, sub id:00000001activate_fastboot...0x369E0000
Starting from entry: 0x30004000
Target Name: vxTarget

Adding 62360 symbols for standalone.


 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
      ]]]]]]]]]]]  ]]]]     ]]]]]]]]]]       ]]              ]]]]         (R)
 ]     ]]]]]]]]]  ]]]]]]     ]]]]]]]]       ]]               ]]]]
 ]]     ]]]]]]]  ]]]]]]]]     ]]]]]] ]     ]]                ]]]]
 ]]]     ]]]]] ]    ]]]  ]     ]]]] ]]]   ]]]]]]]]]  ]]]] ]] ]]]]  ]]   ]]]]]
 ]]]]     ]]]  ]]    ]  ]]]     ]] ]]]]] ]]]]]]   ]] ]]]]]]] ]]]] ]]   ]]]]
 ]]]]]     ]  ]]]]     ]]]]]      ]]]]]]]] ]]]]   ]] ]]]]    ]]]]]]]    ]]]]
 ]]]]]]      ]]]]]     ]]]]]]    ]  ]]]]]  ]]]]   ]] ]]]]    ]]]]]]]]    ]]]]
 ]]]]]]]    ]]]]]  ]    ]]]]]]  ]    ]]]   ]]]]   ]] ]]]]    ]]]] ]]]]    ]]]]
 ]]]]]]]]  ]]]]]  ]]]    ]]]]]]]      ]     ]]]]]]]  ]]]]    ]]]]  ]]]] ]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]       Development System
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]       VxWorks 6.8
 ]]]]]]]]]]]]]]]]]]]]]]]]]]       KERNEL: WIND version 2.13
 ]]]]]]]]]]]]]]]]]]]]]]]]]       Copyright Wind River Systems, Inc., 1984-2009

 CPU: ARM RealView PBX-A9.  Processor #0.
 Memory Size: 0x40fa000.  BSP version 2.0/0.
 Created: Sep 26 2013, 14:51:21
 ED&R Policy Mode: Deployed

##### icc init ok!, cnt=1999, connet=1
0x340f9d7c (tRootTask): PMU PWR IRQ1 : 0x2
0x340f9d7c (tRootTask): PMU PWR IRQ2 : 0x0
0x340f9d7c (tRootTask): PMU PWR IRQ3 : 0x0
0x340f9d7c (tRootTask): PMU REG IRQ1 : 0x2
0x340f9d7c (tRootTask): PMU REG IRQ2 : 0x0
0x340f9d7c (tRootTask): PMU REG IRQ3 : 0x0
0x340f9d7c (tRootTask): PMU REG H_N_STATUS(0x43)  : 0x0
0x340f9d7c (tRootTask): PMU REG H_N_STATUS(0x44)  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x4  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x5  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x6  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x7  : 0x5
0x340f9d7c (tRootTask): PMU FLAG REG 0x8  : 0x5
0x340f9d7c (tRootTask): softtimer uninit!
-> --->GPIO_2_4 id high,enter normal state
Hisilicon NANDC_V4.00 initialize...
NAND device: Manufacturer ID: 0xad, Chip ID: 0xaa (Hynix NAND 256MiB 1,8V 8-bit)
Partition Table list(HEX):BOOTROM_V01.02H6920CS_UDP
NO. |offset    |loadsize  |capacity  |loadaddr  |entry     |property   |count    |id         |name     |
-------------------------------------------------------------------------------------------------------
01:  00000000  ,0000fbe4  ,00020000  ,2ffc0000  ,2ffc0000  ,00000000  ,00000002  ,00000101  ,BootLoad
02:  00020000  ,00000000  ,00180000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010d  ,NvBackLTE
03:  001a0000  ,00000000  ,00100000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010e  ,NvBackGU
04:  002a0000  ,000a264c  ,00200000  ,30003f80  ,30004000  ,00000000  ,00000002  ,00000102  ,BootRom
05:  004a0000  ,000a267b  ,00200000  ,30003f80  ,30004000  ,00000000  ,00000001  ,00000102  ,BootRom
06:  006a0000  ,016fd05c  ,02000000  ,30003f80  ,30004000  ,00000000  ,00000002  ,00000103  ,VxWorks
07:  026a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000110  ,Logo
08:  026a0000  ,00000000  ,00c00000  ,00000000  ,00000000  ,00000201  ,00000000  ,00000106  ,/yaffs0
09:  032a0000  ,0000f858  ,00060000  ,369e0000  ,369e0000  ,00000000  ,00000002  ,00000104  ,FastBoot
0a:  03300000  ,002a2000  ,003a0000  ,36a40000  ,36a40000  ,00000000  ,00000002  ,00000105  ,kernel
0b:  036a0000  ,01249800  ,01c00000  ,00000000  ,00000000  ,00004401  ,00000002  ,00000107  ,/yaffs1
0c:  052a0000  ,00000000  ,00500000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000109  ,/yaffs3
0d:  057a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000111  ,/yaffs4
0e:  057a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000108  ,/yaffs2
0f:  057a0000  ,00000000  ,00080000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000113  ,/yaffs6
10:  05820000  ,00000000  ,02260000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000112  ,/yaffs5
11:  07a80000  ,00000000  ,08580000  ,00000000  ,00000000  ,00004000  ,00000000  ,0000010c  ,cdromiso
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ptable_yaffs_mount: /yaffs0 ...yaffs: Mounting /yaffs0
yaffs: yaffs_GutsInitialise()
yaffs: yaffs_GutsInitialise() done.

OK.

 NVM_Init start!
****************LXML_DecodeMain enter********************
****************LXML_DecodeMain over*********************
Collecting block 320, in use 48, shrink 0, wholeBlock 1
Collecting block 318, in use 47, shrink 0, wholeBlock 1
Collecting block 324, in use 47, shrink 0, wholeBlock 1
Collecting block 330, in use 47, shrink 0, wholeBlock 1
 MSP_IPC udi_open Start
 MSP_IPC udi_open End Handle = 5a0001
++++++++++u32pmu2usbAddr,0x2fffe210,*u32pmu2usbAddr 0x55430001++++++++
============BSP_DMA_Init    in=========
============BSP_DMA_Init    out=========
after read nv 0xD100: uintValue 0xff ret = 0
normal power on, tick: 2048019677, Board time: 0xd8
Collecting block 333, in use 48, shrink 0, wholeBlock 1
ulZSPSize = 1238512!
ulZSPSize = 0012e5f0, ulZSPReadSize = 0012e5f0
Read dsp file succeeded!
Enter pwctrl initial routing!

 cdm_SetCoderSrcBufList pucDataBuf1 = 0x33464060

 cdm_SetCoderSrcBufList pucDataBuf2 = 0x335b5060

 cdm_SetCoderSrcBufList pucDataBuf3 = 0x335d0060

 mcpu msp cdm waitSemaphore
0x340f9d7c (tRootTask):  IFC Process init success!
0x340f9d7c (tRootTask): NVIM: C Core NVIM Init Begin!
0x340f9d7c (tRootTask): NVIM: C Core NVIM Init End!
0x340f9d7c (tRootTask): [PMU]USB insert
0x340f9d7c (tRootTask): pmu:save record start flag ok!
0x340f9d7c (tRootTask): PMU NV is 3,0,0,1!
0x340f9d7c (tRootTask):  MEMDBG - addr of read-only page = 0x314a1000
0x340f9d7c (tRootTask): stNvSwVer-ulStatus is 0
0x340f9d7c (tRootTask): dload version:21.260.00.00.000
0x340f9d7c (tRootTask): SocpInit: connect tds bbp int OK.
0x340f9d7c (tRootTask): SocpInit: enable tds bbp OK.
0x340f9d7c (tRootTask): stNvSwVer-ulStatus is 0
0x340f9d7c (tRootTask): dload version:0[1ô[1[1
                                              cò0
***********MCPU REV CDM CODER DEST OK******************
ulModuleId: 3
enIpcAppId: 3
ulBuffLen : 4
ucBuff    : 0x315AF3F8

 mcpu msp cdm recv Semaphore

 GU_OamSocpCoderSrcCInit ulRet = 0x0

 GU_OamSocpCoderSrcCStart ulRet = 0x0
UE_Root  Start !
 UE_Root  end !
 0x340f9d7c (tRootTask): value1 is ff, value2 is ff, value is 0xffff
0x340f9d7c (tRootTask): --Maybe WM8990 is not exist, or communicate failure!
0x340f9d7c (tRootTask): --wm8990 codec is not exist.
0x340f9d7c (tRootTask):  audio_create  fail, result = 0xffffffff
0x340f9d7c (tRootTask):
  ========== HIFI read =========

!!!!! VOS_Startup Begin !!!!!
ulHifiSize = 606700!
ulHifiSize = 000941ec, ulHifiReadSize = 000941ec

NOTE: Hifi file buffer Addr: 0x3363c010
Hifi bin release time : XTENSA:2013/09/26 15:21:36.
process_mac_FidInit

Copyright (C) 2004-2020 Hisilicon Technologies Co., Ltd.
BalongV100R001,build on Sep 26 2013 15:22:17.
------------------------codec_open devname /dev/codec0 flags 0x0 mode 0x0
0x330fb820 (root): audio device not create yet!
NAS_PTT_PidInit Pid:195
BSP_DDR_GetSectInfo g_ulDdrMemBase ok 0x37d00000!
BSP_DDR_GetSectInfo g_ulSysRegBase ok 0x9000d000!
BSP_DDR_GetSectInfo g_ulDhiMemBase ok 0x11000000!
zkzlenth error
zzzlenth error
Start addr is 37d10380,1
ftm_MsgProcInit  DRV_SDMMC_ADD_HOOK
[007.21s][OK] sdmmcAddHook[0] is done!

!!!!! VOS_Startup End !!!!!
Read hifi file succeeded!
0x340f9d7c (tRootTask):
  ========== HIFI read  ok =========
0x336d0754 (F1_I1): ErrlogRegFunc entered
0x336ef274 (USIMM_FID): sci record ATR save OK!
0x336ef274 (USIMM_FID): sci record REG save OK!
0x336ef274 (USIMM_FID): sci record exc global variables begin:
0x336ef274 (USIMM_FID): sci record exc global variables OK!
0x336ef274 (USIMM_FID): sci tick get begin:
0x336ef274 (USIMM_FID): sci tick get End!
0x336ef274 (USIMM_FID): event save 1!pRegData=0x3426e330
0x336ef274 (USIMM_FID): sci record event save OK!
0x336ef274 (USIMM_FID): sci record file save OK!
INFO :MNTN_ErrorLog:Can't Get Reset Info.
NAS_MMC_GetPsStartInfo: 0
Collecting block 336, in use 46, shrink 0, wholeBlock 1
UimLockMsg_c 186 >>  _$ Uimlock_UsimMsg: PS_USIM_GET_STATUS_IND
NAS_MMC_SndAsStartReq, ulReceiverPid:128, ulRet:0.
 NAS_MMC_RcvGasStartCnf_SwitchOn_WaitGasStartCnf_ulResult = 0.
 0x3311e264 (LRRC_FID): LHPA_CfgRF6360Info, LHPA_CfgRFInfo Succ
0x3311e264 (LRRC_FID): LHPA_LoadDsp,LOAD DSP SUCCESS!
0x3311eb4c (MACRLCUL_FID): LHPA_ProcSaveSelfAdjustPara

NAS_MMC_RcvLmmStartCnf_SwitchOn_WaitLStartCnf_ulResult = 0.
 NAS_MMC_SndAsStartReq, ulReceiverPid:133, ulRet:0.
 NAS_UTRANCTRL_SndGuAsStartReq, ulReceiverPid:207, ulRet:0.
  Load Dsp 1!  Load Dsp 2!  Load Dsp 3! beg load section:.vect, load addr:0x13040000, len:260, flag:0x0
beg load section:.text, load addr:0x13048a00, len:113308, flag:0x0
beg load section:.data, load addr:0x13000000, len:25084, flag:0x0
beg load section:.dmc, load addr:0x13040400, len:1068, flag:0x0
beg load section:.statemain, load addr:0x13040a00, len:1596, flag:0x0
beg load section:.text1, load addr:0x13041800, len:3720, flag:0x0
beg load section:.asmtext, load addr:0x13042700, len:23772, flag:0x0
beg load section:.dynprotect, load addr:0x13065200, len:16, flag:0x0
beg load section:.dyntext, load addr:0x1307f000, len:640, flag:0x0
beg load section:.dataspecial, load addr:0x1300d000, len:4096, flag:0x1
beg load section:.nvm_data, load addr:0x1300e040, len:3168, flag:0x0
beg load section:.bss1, load addr:0x13012000, len:73616, flag:0x0
beg load section:.ovly, load addr:0x13026600, len:28672, flag:0x1
load ZSP SUCCESS
 Load Dsp 4!  Load Dsp 5!  Tds_Hl1_Write_DspNv_Parameter begin! 0x3311e264 (LRRC_FID): LHPA_ProcGetSelfAdjustPara
 Tds_Hl1_Write_DspNv_Parameter SUCCESS!  Load Dsp 6! hl103_05InitDspToIrat  1
hl103_05InitDspToIrat  2
hl103_05InitDspToIrat  3
NAS_MMC_RcvWasStartCnf_SwitchOn_WaitWasStartCnf_ulResult = 0.
 Function DRV_START_MODEGET unsupport!
NORMAL: TTF_MemPoolInfoEventRpt, Pool 0 Normal
!NORMAL: TTF_MemPoolInfoEventRpt, Pool 1 Normal
!NORMAL: TTF_MemPoolInfoEventRpt, Pool 2 Normal
!0x3324eae0 (RR_FID): SHPA_LoadPhy: Start !
0x3324eae0 (RR_FID): SHPA_LoadPhy: Load W DSP!
0x3324eae0 (RR_FID): SHPA_LoadPhy: Load DSP wait Sem!
0x3324eae0 (RR_FID): SHPA_LoadPhy: Load DSP OK!
0x3319d9c0 (tSoftTimerHandle): temperature_detect_timer_callback: sim adc = 1592
0x3319d9c0 (tSoftTimerHandle): temperature_detect_timer_callback: averge sim adc = 52746
UimLockMsg.c 304 >>  _$ Uimlock_AtMsg: usMsgName = 1

UimLockMsg.c 304 >>  _$ Uimlock_AtMsg: usMsgName = 1

Collecting block 337, in use 44, shrink 0, wholeBlock 1
Collecting block 348, in use 47, shrink 0, wholeBlock 1
0x340f9d7c (tRootTask): Exc1: remove file /yaffs0/DrvLog/amsg00000001.bin (2)
0x340f9d7c (tRootTask): Exc1: remove file /yaffs0/DrvLog/amsg00000001.bin (2)

[M]->cmd
[vxWorks]#help


List of the registered topics:
basic               List of basic shell commands.
breakpoint          List of the shell commands related to breakpoints.
filesystem          List of the shell commands related to file system.
interpreter         Interpreter shell commands.
memory              List of the shell commands related to memory.
modules             List of the shell commands related to kernel modules.
network             Network commands
object              List of the shell commands related to objects.
symbols             List of the shell commands related to symbols.
tasks               List of the shell commands related to tasks.

List of the registered commands:
C                   Switch to C interpreter
alias               Add an alias or display alias
arp                 IPNET arp control
bp                  Display, set or unset a breakpoint
cd                  Change current directory.
demangle            Display demangled string
dprintf             Insert a dynamic printf eventpoint
echo                Display a line of text
exit                Exit the shell session.
expr                Evaluate expressions
file ...
func ...
getenv              Get an environment variable
help                Display the list of the shell commands
ifconfig            IPNET interface configuration
logout              Logout the shell session.
lookup              Lookup a symbol
mem ...
module ...
more                Browse and page through a text file.
object ...
ping                IPNET ping utility
print ...
printf              Write formatted output
pwd                 Display current working directory.
reboot              Reboot the system
repeat              Repeat a command
set ...
setenv              Set an environment variable
show ...
slab                Print slab cache information
sleep               Suspend execution for an interval.
string ...
sysctl              IPNET sysctl configuration
task ...
unalias             Remove an alias
unset ...
version             Display VxWorks version information.
[vxWorks]# C
[M]->devs
drv name
  0 /null
  1 /tyCo/0
  8 host:
  9 /yaffs0
value = 25 = 0x19
[M]->pwd
host:
value = 10 = 0xa
[M]->
[M]-> exit
Au revoir!

When space is pressed at loading, the following comes up:
Code:
onchip
NF_boot----------------------------------------------------------
00000001:  00000000  ,0000FBE4  ,00020000  ,2FFC0000  ,2FFC0000  ,00000000  ,00000002  ,00000101  ,BootLoad
00000002:  00020000  ,00000000  ,00180000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010D  ,NvBackLTE
00000003:  001A0000  ,00000000  ,00100000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010E  ,NvBackGU
00000004:  002A0000  ,000A264C  ,00200000  ,30003F80  ,30004000  ,00000000  ,00000002  ,00000102  ,BootRom
00000005:  004A0000  ,000A267B  ,00200000  ,30003F80  ,30004000  ,00000000  ,00000001  ,00000102  ,BootRom
00000006:  006A0000  ,016FD05C  ,02000000  ,30003F80  ,30004000  ,00000000  ,00000002  ,00000103  ,VxWorks
00000007:  026A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000110  ,Logo
00000008:  026A0000  ,00000000  ,00C00000  ,00000000  ,00000000  ,00000201  ,00000000  ,00000106  ,/yaffs0
00000009:  032A0000  ,0000F858  ,00060000  ,369E0000  ,369E0000  ,00000000  ,00000002  ,00000104  ,FastBoot
0000000A:  03300000  ,002A2000  ,003A0000  ,36A40000  ,36A40000  ,00000000  ,00000002  ,00000105  ,kernel
0000000B:  036A0000  ,01249800  ,01C00000  ,00000000  ,00000000  ,00004401  ,00000002  ,00000107  ,/yaffs1
0000000C:  052A0000  ,00000000  ,00500000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000109  ,/yaffs3
0000000D:  057A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000111  ,/yaffs4
0000000E:  057A0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000108  ,/yaffs2
0000000F:  057A0000  ,00000000  ,00080000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000113  ,/yaffs6
00000010:  05820000  ,00000000  ,02260000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000112  ,/yaffs5
00000011:  07A80000  ,00000000  ,08580000  ,00000000  ,00000000  ,00004000  ,00000000  ,0000010C  ,cdromiso
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

sec disabled
IsBootromStart value = %d00000000
press space key to enter bootrom: IMAGE_BOOTROM load from:0x002A0000>>loading: BootRom ... try inflate.
image length: 000A25CC
ram_inflate_addr: 3414538C
inflating...
return value: 00000000
inflate success! data check OK!

hw main id:00000909, sub id:00000001Starting from entry: 0x300040Target Name: vxTarget

Adding 5394 symbols for standalone.


 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
      ]]]]]]]]]]]  ]]]]     ]]]]]]]]]]       ]]              ]]]]         (R)
 ]     ]]]]]]]]]  ]]]]]]     ]]]]]]]]       ]]               ]]]]
 ]]     ]]]]]]]  ]]]]]]]]     ]]]]]] ]     ]]                ]]]]
 ]]]     ]]]]] ]    ]]]  ]     ]]]] ]]]   ]]]]]]]]]  ]]]] ]] ]]]]  ]]   ]]]]]
 ]]]]     ]]]  ]]    ]  ]]]     ]] ]]]]] ]]]]]]   ]] ]]]]]]] ]]]] ]]   ]]]]
 ]]]]]     ]  ]]]]     ]]]]]      ]]]]]]]] ]]]]   ]] ]]]]    ]]]]]]]    ]]]]
 ]]]]]]      ]]]]]     ]]]]]]    ]  ]]]]]  ]]]]   ]] ]]]]    ]]]]]]]]    ]]]]
 ]]]]]]]    ]]]]]  ]    ]]]]]]  ]    ]]]   ]]]]   ]] ]]]]    ]]]] ]]]]    ]]]]
 ]]]]]]]]  ]]]]]  ]]]    ]]]]]]]      ]     ]]]]]]]  ]]]]    ]]]]  ]]]] ]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]       Development System
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]
 ]]]]]]]]]]]]]]]]]]]]]]]]]]]       VxWorks 6.8
 ]]]]]]]]]]]]]]]]]]]]]]]]]]       KERNEL: WIND version 2.13
 ]]]]]]]]]]]]]]]]]]]]]]]]]       Copyright Wind River Systems, Inc., 1984-2009

 CPU: ARM RealView PBX-A9.  Processor #0.
 Memory Size: 0x40fa000.  BSP version 2.0/0.
 Created: Sep 26 2013, 14:51:41
 ED&R Policy Mode: Deployed

===== beg mem usr function =====
Hisilicon NANDC_V4.00 initialize...
NAND device: Manufacturer ID: 0xad, Chip ID: 0xaa (Hynix NAND 256MiB 1,8V 8-bit)
Partition Table list(HEX):BOOTROM_V01.02H6920CS_UDP
NO. |offset    |loadsize  |capacity  |loadaddr  |entry     |property   |count    |id         |name     |
-------------------------------------------------------------------------------------------------------
01:  00000000  ,0000fbe4  ,00020000  ,2ffc0000  ,2ffc0000  ,00000000  ,00000002  ,00000101  ,BootLoad
02:  00020000  ,00000000  ,00180000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010d  ,NvBackLTE
03:  001a0000  ,00000000  ,00100000  ,00000000  ,00000000  ,00000800  ,00000000  ,0000010e  ,NvBackGU
04:  002a0000  ,000a264c  ,00200000  ,30003f80  ,30004000  ,00000000  ,00000002  ,00000102  ,BootRom
05:  004a0000  ,000a267b  ,00200000  ,30003f80  ,30004000  ,00000000  ,00000001  ,00000102  ,BootRom
06:  006a0000  ,016fd05c  ,02000000  ,30003f80  ,30004000  ,00000000  ,00000002  ,00000103  ,VxWorks
07:  026a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000000  ,00000110  ,Logo
08:  026a0000  ,00000000  ,00c00000  ,00000000  ,00000000  ,00000201  ,00000000  ,00000106  ,/yaffs0
09:  032a0000  ,0000f858  ,00060000  ,369e0000  ,369e0000  ,00000000  ,00000002  ,00000104  ,FastBoot
0a:  03300000  ,002a2000  ,003a0000  ,36a40000  ,36a40000  ,00000000  ,00000002  ,00000105  ,kernel
0b:  036a0000  ,01249800  ,01c00000  ,00000000  ,00000000  ,00004401  ,00000002  ,00000107  ,/yaffs1
0c:  052a0000  ,00000000  ,00500000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000109  ,/yaffs3
0d:  057a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000111  ,/yaffs4
0e:  057a0000  ,00000000  ,00000000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000108  ,/yaffs2
0f:  057a0000  ,00000000  ,00080000  ,00000000  ,00000000  ,00004001  ,00000000  ,00000113  ,/yaffs6
10:  05820000  ,00000000  ,02260000  ,00000000  ,00000000  ,00004401  ,00000000  ,00000112  ,/yaffs5
11:  07a80000  ,00000000  ,08580000  ,00000000  ,00000000  ,00004000  ,00000000  ,0000010c  ,cdromiso
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ptable_yaffs_mount: /yaffs0 ...yaffs: Mounting /yaffs0
yaffs: yaffs_GutsInitialise()
  yaffs: yaffs_GutsInitialise() done.

OK.

ptable_yaffs_mount: /yaffs1 ...yaffs: Mounting /yaffs1
yaffs: yaffs_GutsInitialise()
 yaffs: yaffs_GutsInitialise() done.

OK.

ptable_yaffs_mount: /yaffs2 ...CANCEL!*************

ptable_yaffs_mount: /yaffs5 ...yaffs: Mounting /yaffs5
yaffs: yaffs_GutsInitialise()
yaffs: yaffs_GutsInitialise() done.

OK.

Collecting block 400, in use 47, shrink 0, wholeBlock 1
0x340f9d7c (tRootTask): PMU PWR IRQ1 : 0x0
0x340f9d7c (tRootTask): PMU PWR IRQ2 : 0x8
0x340f9d7c (tRootTask): PMU PWR IRQ3 : 0x0
0x340f9d7c (tRootTask): PMU REG IRQ1 : 0x0
0x340f9d7c (tRootTask): PMU REG IRQ2 : 0x8
0x340f9d7c (tRootTask): PMU REG IRQ3 : 0x0
0x340f9d7c (tRootTask): PMU REG H_N_STATUS(0x43)  : 0x0
0x340f9d7c (tRootTask): PMU REG H_N_STATUS(0x44)  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x4  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x5  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x6  : 0x0
0x340f9d7c (tRootTask): PMU FLAG REG 0x7  : 0x5
0x340f9d7c (tRootTask): PMU FLAG REG 0x8  : 0x5
0x340f9d7c (tRootTask): softtimer uninit!
0x340f9d7c (tRootTask): hw main id:0x909, sub id:0x1
0x340f9d7c (tRootTask): [PMU]USB insert
0x340f9d7c (tRootTask): PMU NVM_Read ERROR.
0x340f9d7c (tRootTask): getFactoryMode:not in factory mode!
0x340f9d7c (tRootTask): no need to do fota update
0x3035b680 (tUSBTask): BSP_USB_GetDevDescIdx: MDM+PCUI+DIAG in Bootrom image
0x3035b680 (tUSBTask): Starting USBware stack, Version 3.4.30.21
-> 0x340f7738 (uw_Controller): Acm:1 Suspend
0x340f7738 (uw_Controller): Acm:2 Suspend
0x340f7738 (uw_Controller): Acm:3 Suspend
0x340f7738 (uw_Controller): ACM:1 Enable, line:531
0x340f7738 (uw_Controller): ACM:2 Enable, line:531
0x340f7738 (uw_Controller): ACM:3 Enable, line:531
0x302b1edc (tSoftTimerHandle): temperature_detect_timer_callback: sim adc = 1777
0x302b1edc (tSoftTimerHandle): temperature_detect_timer_callback: averge sim adc = 52783
0x302b1edc (tSoftTimerHandle): temperature_detect_timer_callback: sim adc = 1763
0x302b1edc (tSoftTimerHandle): temperature_detect_timer_callback: averge sim adc = 40029

[M]->
[M]->task
C interp: unknown symbol name 'task'.
[M]->ts
sorry, the shell can't suspend itself.
value = 10 = 0xa
[M]->
[M]->cmd
shellLib: interpreter 'Cmd' not registered.
[M]->help

help                           Print this list
dbgHelp                        Print debugger help info
edrHelp                        Print ED&R help info
ioHelp                         Print I/O utilities help info
nfsHelp                        Print nfs help info
netHelp                        Print network help info
rtpHelp                        Print process help info
spyHelp                        Print task histogrammer help info
timexHelp                      Print execution timer help info
h         [n]                  Print (or set) shell history
i         [task]               Summary of tasks' TCBs
ti        task                 Complete info on TCB for task
sp        adr,args...          Spawn a task, pri=100, opt=0x19, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
tip       "dev=device1#tag=tagStr1", "dev=device2#tag=tagStr2", ...
                               Connect to one or multiple serial lines
td        task                 Delete a task
ts        task                 Suspend a task
tr        task                 Resume a task

Type <CR> to continue, Q<CR> or q<CR> to stop:

tw        task                 Print pending task detailed info
w         [task]               Print pending task info
d         [adr[,nunits[,width]]] Display memory
m         adr[,width]          Modify memory
mRegs     [reg[,task]]         Modify a task's registers interactively
pc        [task]               Return task's program counter
iam       "user"[,"passwd"]    Set user name and passwd
whoami                         Print user name
devs                           List devices
ld        [syms[,noAbort][,"name"]] Load stdin, or file, into memory
                               (syms = add symbols to table:
                               -1 = none, 0 = globals, 1 = all)
lkup      ["substr"]           List symbols in system symbol table
lkAddr    address              List symbol table entries near address
checkStack  [task]             List task stack sizes and usage
printErrno  value              Print the name of a status value
period    secs,adr,args...     Spawn task to call function periodically
repeat    n,adr,args...        Spawn task to call function n times (0=forever)
version                        Print VxWorks version info, and boot line
shConfig  ["config"]           Display or set shell configuration variables

Type <CR> to continue, Q<CR> or q<CR> to stop:

strFree   [address]            Free strings allocated within the shell (-1=all)

NOTE:  Arguments specifying 'task' can be either task ID or name.

value = 10 = 0xa
[M]->devs
drv name
  0 /null
  1 /tyCo/0
  5 /yaffs0
  5 /yaffs1
  5 /yaffs5
  6 /acm/1
  6 /acm/2
  6 /acm/3
value = 25 = 0x19
[M]->cd "/yaffs0"
C interp: syntax error.

Ok, now to the Linux terminal:
Code:
rom booting...

DDR!
Hit <ctrl+c> to stop autoboot:  0
try to bootsel1 = bootsel 0 20000 40000!!!
## Starting application at 0x86000000 ...



U-Boot 2010.03-svn ( 9月 26 2013 - 20:57:59)

DRAM:  128 MB
Boot From NAND Flash
NAND:  Special Nand id table Version 1.23
Nand ID: 0x98 0xD1 0x90 0x15 0x76 0x14 0x01 0x00
Nand(Hardware): NAND device: Manufacturer ID: 0x98, Chip ID: 0xd1 (Toshiba NAND 128MiB 3,3V 8-bit)
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4Bytes
128 MiB
bbt base ram
Scanning device for bad blocks...
*** Warning - bad CRC or NAND, using default environment

In:    serial
Out:   serial
Err:   serial
MEM_MODE = DDR!
Hit <ctrl+c> to stop autoboot:  0

entry gpio values:0x00100000

 ---- bootmtd from nand flash----
found 0
boot from main!
########
copy 2112300 bytes successful!

## Booting kernel from Legacy Image at 86000000 ...
   Image Name:   Linux-2.6.30
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2112236 Bytes =  2 MB
   Load Address: 81000000
   Entry Point:  81000000
   kernel data at 0x86000040, len = 0x00203aec (2112236)
   Loading Kernel Image ... OK
OK
found 0

Starting kernel ...

init started: BusyBox vv1.9.1 (2013-09-26 20:51:58 CST)
starting pid 271, tty '': '/etc/init_dot_d/rcS'
RCS DONE
starting pid 273, tty '': '/bin/sh'


BusyBox vv1.9.1 (2013-09-26 20:51:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

rootdir=/
table='/etc/devicetable'
mount: mounting /dev/mtdblock13 on /coredump failed: Input/output error
cat: can't open '/etc/router_dot_version': No such file or directory
Loading SDK modules
Loading HSAN modules
Loading WLAN modules
ifconfig: SIOCGIFFLAGS: No such device
bridge br0 does not exist!

=========================================
 start hisilicon access platform
=========================================

hisilicon init sd5115 chip successfully ...!

==========================================
function name=  hi_kernel_accel_cmdtype_config_set
attribute(00)-alias(hw                              ) = 00000000
attribute(01)-alias(sw                              ) = 00000001

==========================================
Loading drivers and kernel modules...
[main: 4856L]:exit func regist ok
[udp_server_main: 2001L]:Udp initialize successful
udp_server_main:2004  g_udpfd=4 parent_pid=400
[main: 4880L]:Main branch continue execute!
Unable to open device /dev/bhal.
[main: 4943L]:Tcp initialize successful

==========================================
function name=  hi_wancmd_add_ext
attribute(00)-alias(vifname                         ) = bcm-ssid0
attribute(01)-alias(devname                         ) = ra0
attribute(02)-alias(phyport                         ) = 00000009

==========================================

==========================================
function name=  hi_wancmd_add_ext
attribute(00)-alias(vifname                         ) = vrmnet0
attribute(01)-alias(devname                         ) = rmnet0
attribute(02)-alias(phyport                         ) = 0000000a

==========================================
Start mic now ...
Unable to open device /dev/bhal.
Unable to open device /dev/bhal.
GlobeMac Init
load cfm ok.
mkdir: cannot create directory '/coredump': File exists
chmod: /coredump: Read-only file system
##sendmsg return 16, errno 0.
INSMOD START......
insmod: cannot insert '/lib/extra/rt5390ap_dot_ko': File exists
INSMOD Done
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCSIFHWADDR: No such device
ifconfig: SIOCGIFFLAGS: No such device
interface eth0.3 does not exist!
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCSIFHWADDR: No such device
ifconfig: SIOCGIFFLAGS: No such device
interface eth0.4 does not exist!
ifconfig: SIOCGIFFLAGS: No such device
Invalid port: should is <0-3>  lanchip {enable|disable}         enable/disable all port of lan chip[port 0-3]                   enable/disable a port of lan chip


device eth0 is not a slave of br0
atp: cur kernel version:[2.6.30]

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000001
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3900
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000001
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3100
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000002
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3900
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000002
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3100
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000003
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3900
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000003
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3100
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000004
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3900
attribute(03)-alias(resv                            ) = 0000

==========================================
ip6_min=fd00::
ip6_max=fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000004
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3100
attribute(03)-alias(resv                            ) = 0000

==========================================
0
ifconfig: SIOCGIFFLAGS: No such device

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000004
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3900
attribute(03)-alias(resv                            ) = 0000

==========================================

==========================================
function name= hi_kernel_misc_util_inner_mdiowrite
attribute(00)-alias(phy_addr                        ) = 00000004
attribute(01)-alias(reg_addr                        ) = 00000000
attribute(02)-alias(data                            ) = 3100
attribute(03)-alias(resv                            ) = 0000

==========================================

  dms init come in
set       no private ioctls.

set       no private ioctls.

Get mac3: 3CDFBDXXXXX
Get mac3: 3CDFBDXXXXX
Get mac3: 3CDFBDXXXXX
Get mac3: 3CDFBDXXXXX

 begin WlanUpInterfaces...

==========================================
function name= hi_kernel_gpio_cmdtype_bit_write
attribute(00)-alias(port                            ) = 00000001
attribute(01)-alias(bit                             ) = 00000014
attribute(02)-alias(level                           ) = 00000000

==========================================
wait_wm_ready:Pcui is existent

 srv_status nok 1

at_repetition_query g_sysinfoRoamingStatus=<1>,ucRoamStatus=<1>

 begin WlanSetChannel...
PHY mode status=9

 begin WlanStartServices...
[1-----3internet-----*99#--------------NONE ]
[2-----3internet-----*99#--------------NONE ]
[3-----some link-----*99#--------------NONE ]
[4-----some link-----*99#--------------NONE ]
[5-----some link-----*99#--------------NONE ]
[6-----some link-----*99#--------------NONE ]
[7-----some link-----*99#--------------NONE ]
[8-----some link-----*99#--------------NONE ]
set redirection success !
Recvd netlink msg now ...
Cms netlink msg 173015048 finished.
Recvd netlink msg now ...
Cms netlink msg 173015048 finished.
Recvd netlink msg now ...
Cms netlink msg 173015048 finished.
Recvd netlink msg now ...
Cms netlink msg 173015048 finished.
WanSetRedirection has been set !
Recvd netlink msg now ...
Cms netlink msg 173015048 finished.
WanSetRedirection has been set !
************************Write db to flash now ...
done sync
ATP_DMS_StartByUsbmount
g_bDmsEnable == VOS_FALSE

=====ATP_StorageServiceControlByUsbmount:  check printer now...=====
When stopping autoboot following menu comes up:
Code:
rom booting...

DDR!
Hit <ctrl+c> to stop autoboot:  0
try to bootsel1 = bootsel 0 20000 40000!!!
## Starting application at 0x86000000 ...



U-Boot 2010.03-svn ( 9月 26 2013 - 20:57:59)

DRAM:  128 MB
Boot From NAND Flash
NAND:  Special Nand id table Version 1.23
Nand ID: 0x98 0xD1 0x90 0x15 0x76 0x14 0x01 0x00
Nand(Hardware): NAND device: Manufacturer ID: 0x98, Chip ID: 0xd1 (Toshiba NAND 128MiB 3,3V 8-bit)
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4Bytes
128 MiB
bbt base ram
Scanning device for bad blocks...
*** Warning - bad CRC or NAND, using default environment

In:    serial
Out:   serial
Err:   serial
MEM_MODE = DDR!
Hit <ctrl+c> to stop autoboot:  0
hisilicon #
hisilicon # help
?       - alias for 'help'
base    - print or set address offset
bbt     - display bbt info
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
ccs     - change double system boot flag,ccs 0~5
cmp     - memory compare
cmpdata - compare the data in different address
crc32   - checksum calculation
ge_phy  - ge phy utility commands
go      - start application at address 'addr'
gpio_read- gpio_read gpioid(0-128) flag(0:data | 1:dir | 2:mode)
gpio_write- gpio_write gpioid(0-128) flag(0:data | 1:dir | 2:mode) value(0 | 1)
help    - print command description/usage
inner_phy- inner phy utility commands
load_image- load image to nandflash, and boot
load_nf_kernel- load kernel to nand flash
load_nf_rootfs- load rootfs to nand flash
load_nf_uboot- load u-boot to nand flash
load_sf_kernel- load kernel to spi flash
load_sf_rootfs- load rootfs to spi flash
load_sf_uboot- load u-boot to spi flash
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
phy_powerdown- all phy powerdown
phy_powerup- all phy powerup
ping    - send ICMP ECHO_REQUEST to network host
pphy    - patch genius phy
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rcs     - get double system boot flag
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftpboot- boot image via network using TFTP protocol
version - print monitor version
hisilicon # ls
Unknown command 'ls' - try 'help'
hisilicon # version

U-Boot 2010.03-svn ( 9月 26 2013 - 20:57:59)
hisilicon # bootm

Wrong Image Format for bootm command
ERROR: can't get kernel image!
MEM_MODE = DDR!
hisilicon # nboot

** No boot device **
I've found a post about a similar Huawei modem on a Russian forum, the B880 | B890 (google "ATP_DMS_StartByUSBMount").
They talked about how, when pressing the wifi button at boot, a TFTP service shows up waiting for a binary (packet. bin). And, surprise, it's the same here:

Code:
rom booting...

DDR!
Hit <ctrl+c> to stop autoboot:  0
try to bootsel1 = bootsel 0 20000 40000!!!
## Starting application at 0x86000000 ...



U-Boot 2010.03-svn ( 9月 26 2013 - 20:57:59)

DRAM:  128 MB
Boot From NAND Flash
NAND:  Special Nand id table Version 1.23
Nand ID: 0x98 0xD1 0x90 0x15 0x76 0x14 0x01 0x00
Nand(Hardware): NAND device: Manufacturer ID: 0x98, Chip ID: 0xd1 (Toshiba NAND 128MiB 3,3V 8-bit)
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4Bytes
128 MiB
bbt base ram
Scanning device for bad blocks...
*** Warning - bad CRC or NAND, using default environment

In:    serial
Out:   serial
Err:   serial
MEM_MODE = DDR!
Hit <ctrl+c> to stop autoboot:  0

entry gpio values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
entry gpio 1 values:0x00000000
MEM_MODE = DDR!
start read image file to DDR...
load_addr = 0x86000000, file_name = packet. bin

TFTP from server (IP here, no links allowed -.-); our IP address is (IP here, no links allowed -.-)
Filename 'packet. bin'.
Load address: 0x86000000
Loading: T T T T T T T T T T T T T T T T T T T T
Retry count exceeded; starting again
TFTP from server (IP here, no links allowed -.-); our IP address is (IP here, no links allowed -.-)
Filename 'packet. bin'.
Load address: 0x86000000
Loading: T T T T T T T T T T T T T T T T T T T T
Retry count exceeded; starting again
TFTP from server (IP here, no links allowed -.-); our IP address is (IP here, no links allowed -.-)
Filename 'packet. bin'.
Load address: 0x86000000
Loading: T T T T T T T T T T T T T T T T T T T T
...
...
about 10x
...
...
ARP Retry timeout
resetting ...
So, further in the discussion someone suggests that when he holds the wifi button and plugs in USB, the AT connection shows up. But I had no luck there.

Also, HiStudio was mentioned and an AT/DIAG port.
Nmap brought up the following open ports:

------ TCP --------
53
80
1280
33443
37215
37443

----- UDP ---------
53
67
514
1900
18234
18676
20359
20424
33281
36108
40441
41058
42056
45247
49396
53037


I guess many of the UDP ones are false positives.

Well, but after all this I'm stuck again. Dunno what to do next...
Old 07-02-2016, 20:21   #5 (permalink)
Junior Member
 
Join Date: Jun 2016
Posts: 5
Member: 2587501
Status: Offline
Thanks Meter: 5
I was able to dump the whole 128MB NAND.
I found 4 jffs2 filesystems.
In 2 of them, there was a bootable Linux kernel (Linux kernel version "2.6.30 () (gcc version 4.4.6 (crosstool-NG 1.13.2 - hsan-5115) )"); the 3rd contained the whole html/js/css stuff. The 4th is just images.

I found some interesting files, but I haven't analyzed all of them yet (some certs, .pem and a bunch of config files).

I was interested in somehow getting a shell on the running system to issue some AT commands. Good thing: there exists an atcmd executable. Bad thing: I can't seem to get a code-injection point.

I started with reverse engineering the webserver, looking for some failure in input handling.
The webservice they use seems to be a self-written server called "web".
I've now analyzed this for about 20h+, no luck. The only vulnerable system("....%s...") command I found is when the pincode is set/checked, but even there they check that the characters in the input are 0-9 and the max length is 8. And the C implementation of the checking seems flawless.
All other system calls are with static strings. There isn't even a string-format attack surface anywhere.

Well, it's not D-Link I guess. They even encrypt the PIN transmission over TCP/IP with the IMEI in JavaScript! (Well, no strong encryption, but hey, better than nothing)

I further found that all the initialization is done by a binary called "mic", starting web, ftp and a bunch of other stuff. Maybe I'll analyze this next.
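The check described in the post above (digits only, at most 8 characters, before the value reaches a system() format string), as an added example that is not code from the firmware or from the poster. The function names and the pin_tool command template are hypothetical stand-ins for the "....%s..." string.

```c
#include <stddef.h>
#include <stdio.h>

#define PIN_MAX_LEN 8   /* limit stated in the post */

/* Returns 1 only for 1..8 ASCII digits. Byte ranges are compared directly,
 * not via isdigit(), so locale and char signedness cannot change the result. */
int pin_is_valid(const char *pin)
{
    size_t i;

    if (pin == NULL)
        return 0;
    for (i = 0; pin[i] != '\0'; i++) {
        if (i >= PIN_MAX_LEN)              /* a 9th character: too long */
            return 0;
        if (pin[i] < '0' || pin[i] > '9')  /* rejects ; ` $ space \n etc. */
            return 0;
    }
    return i > 0;                          /* empty string is not a PIN */
}

/* Formats the command only after validation, and treats a truncated
 * command as an error instead of leaving a partial string to run.
 * "pin_tool --verify" is a hypothetical template, not the firmware's.
 * Returns 0 on success, -1 on a rejected PIN or a too-small buffer. */
int build_pin_command(char *out, size_t out_len, const char *pin)
{
    int n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!pin_is_valid(pin))
        return -1;
    n = snprintf(out, out_len, "pin_tool --verify %s", pin);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: two valid PINs, then values that must be rejected. */
    const char *in[] = { "1234", "12345678", "123456789", "", "12;34", "1234\n" };
    char cmd[64];
    size_t i;

    for (i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("[%s] -> %s\n", in[i],
               build_pin_command(cmd, sizeof cmd, in[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

Passing the validated PIN as its own argv element to execv(), instead of formatting it into a system() string, takes the shell out of the path entirely.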
Old 10-25-2017, 17:25   #6 (permalink)
Junior Member
 
Join Date: Oct 2017
Posts: 1
Member: 2771765
Status: Offline
Thanks Meter: 0
Hello, awesome info in this thread.

Have you managed to unlock it? I am having the same problem these days (weeks) so I am hoping to hear from you soon...

Thanks in advance!
Old 11-24-2023, 13:54   #7 (permalink)
Junior Member
 
Join Date: Aug 2013
Age: 38
Posts: 9
Member: 1994658
Status: Offline
Thanks Meter: 0
I know that this is an old topic, but have you managed to push this project forward?