Monthly Archives: January 2016

Buffalo WZR-HP-G450H firmware recovery

There are three ways to recover the firmware.


 

Method 1: Windows TFTP

First download TFTP and the OpenWrt TFTP-specific firmware:

https://blog.memotz.com/wp-content/uploads/2016/01/TFTP.7z #tftp

https://downloads.openwrt.org/ #openwrt

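The router's address is 192.168.11.1; set the local machine's address to 192.168.11.2.

Bind the MAC address from an administrator cmd prompt:

arp -s 192.168.11.1 02-AA-BB-CC-DD-23 #bind the MAC

02-AA-BB-CC-DD-20 #wzr-hp-ag300h

arp -d #delete the ARP entry for the specified host

From past experience, different Buffalo models need a different MAC bound.

The printenv command described below shows the MAC address.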

 

Connect the TTL serial adapter and power on #baud rate 115200

The boot log shows that the device has two flash chips and that it fails to boot:

===========================================
== Broken first FW, Trying second FW... ==
===========================================

Loading second FW to RAM...

## Checking Image at 81f00000 ...
Bad Magic Number

===========================================
== Broken second FW. Need to repair FW...==
===========================================

# LED(0x4000) Blink[2] (Please press 'Ctrl+c' to stop)

Press Ctrl+C to interrupt the boot.

Enter printenv to display the parameters:

ar7240> printenv #display parameters
bootcmd=bootm BF060000
baudrate=115200 #baud rate
ethaddr=02:AA:BB:CC:DD:23 #MAC address
ipaddr=192.168.11.1 #router IP
serverip=192.168.11.2 #host IP
tmp_ram=81F00000 #temporary RAM start address
tmp_bottom=83F00000 #temporary RAM end address
fw_eaddr=BF060000 BEFFFFFF #firmware address
uboot_eaddr=BF000000 BF03FFFF #U-Boot address
u_fw=erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000; #command format
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000; #command format
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BF000000 $filesize; #command format
melco_id=RD_BB10082
hw_rev=0
tftp_wait=4 #TFTP wait time
uboot_ethaddr=02:AA:BB:CC:DD:23 #U-Boot MAC address
DEF-p_wireless_ath0_11bg-authmode=psk
DEF-p_wireless_ath0_11bg-crypto=tkip+aes
DEF-p_wireless_ath0_11bg-authmode_ex=mixed-psk
DEF-p_wireless_ath0_11bg-wpapsk=ca6hfujrvt3de
pincode=00000000 #PIN code
custom_id=0
buf_ver=1.00
product=WZR-HP-G450H #device model
build_date=Apr 6 2011 - 08:52:48
accept_open_rt_fmt=1
buf_crc=DF2978DD
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=64M
filesize=157F0FC #firmware size
stdin=serial
stdout=serial
stderr=serial
loadaddr=81F00000 #firmware load address
ethact=eth0
region=CH #regulatory region

Environment size: 1211/65532 bytes

 

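Power the router off and on again and watch the boot log. About 8 seconds after power-on there is a 4-second wait window; upload the firmware at that moment.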
tftp server(receive) go, waiting:4[sec] 

 

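Because Buffalo's U-Boot validates the firmware header, the official firmware fails the check during flashing:

tftp server done
Bytes transferred = 22421756 (15620fc hex)

## Checking Image at bf060000 ... #firmware check
Bad Magic Number #check failed

So use the OpenWrt TFTP firmware instead; the upload is reported as successful and writing begins:

tftp server done
Bytes transferred = 3407908 (340024 hex)

Airstation Public header #recognised correctly
Recv fw image [3407876] bytes, now writing... #writing firmware

The firmware check passes and the flashing progress appears: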

tftp server done
Bytes transferred = 3407908 (340024 hex)

Airstation Public header
Recv fw image [3407876] bytes, now writing...

flash-addr 0xBF060000 - 0xBF3AFFFF
search sector 0xbf060000 - 0xbf3affff
BANK #1 (6 : 58)
000 PPPP.Poooooooooooooooooooooooooo
032 ooooooooooooooooooooooooooo.....
064 ................................
096 ................................
128 ................................
160 ................................
192 ................................
224 ................................
BANK #2 (-1 : -1)
000 ................................
032 ................................
064 ................................
096 ................................
128 ................................
160 ................................
192 ................................
224 ................................

First 0x6 last 0x3a sector size 0x1000058
Erased 53 sectors
Copy to Flash...
Copy 3407876 byte to Flash...
write data: 81f00020 --> bf060000 (len:340004)
done

 

Flashing is finished; the boot log and the OpenWrt banner appear:

change bootargs
console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=64M
## Booting image at bf060000 ...
Image Name: MIPS OpenWrt Linux-3.18.20
Created: 2015-09-11 15:35:41 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1098531 Bytes = 1 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0xbf060040 ...crc32_fw: bf060040 - bf16c362 (len:0010c323) calc...
crc32_fw: range1 bf060040 - bf16c362
OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

#omitted here

BusyBox v1.23.2 (2015-07-25 15:09:46 CEST) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:/#

Flashing complete.


 

Method 2: Linux TFTP

Install the TFTP client
sudo apt-get update
sudo apt-get install tftp

Stop the network service
sudo service network-manager stop

Change the network address
sudo ifconfig eth0 192.168.11.2 #set the interface address
sudo ifconfig eth0 netmask 255.255.255.0 #set the subnet mask
sudo arp -s 192.168.11.1 02:AA:BB:CC:DD:23 #bind the MAC address

02:AA:BB:CC:DD:20 #wzr-hp-ag300h

Change to the firmware directory
cd /home/admin #directory holding the firmware

TFTP recovery commands
       >tftp 192.168.11.1
tftp>verbose
tftp>binary
tftp>trace
tftp>rexmt 1
tftp>timeout 600
tftp>connect 192.168.11.1
tftp>put buffalo.enc #firmware file name
tftp>q #quit tftp
       >exit #close the terminal

Follow the commands, catch the four-second wait window, and it is sure to succeed.


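Method 3: writing the memory region over TTL serial #for reference only

Skipping the teardown and going straight to the PCB: the area in the red box is the TTL header. Pin headers were soldered on and, while at it, the capacitors were swapped for solid ones.

25V 470UF > 16V 470UF

25V 100UF > 6.3V 220UF

Pin definitions; in actual use, swap [TX] and [RX].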

JP2 GND RX TX VCC
JP1 RX TX GND VCC


 

Enter U-Boot; the boot log follows:

BUFFALO U-BOOT Ver 1.00
== CPU:400MHz, DDR:400MHz, AHB:200MHz ==
AP111 (ar7241 - Virian) U-boot
DRAM: 64 MB
WAN port disabling: done
Top of RAM usable for U-Boot at: 84000000
Reserving 258k for U-Boot at: 83fbc000
Reserving 192k for malloc() at: 83f8c000
Reserving 44 Bytes for Board Info at: 83f8bfd4
Reserving 36 Bytes for Global Data at: 83f8bfb0
Reserving 128k for boot params() at: 83f6bfb0
Stack Pointer at: 83f6bf98
Now running in RAM - U-Boot at: 83fbc000
flash bank #0 found 16 MB flash [W25Q128BV, blk:0x10000, sectors:256]
flash bank #1 found 16 MB flash [W25Q128BV, blk:0x10000, sectors:256]
Flash: 32 MB
In: serial
Out: serial
Err: serial
Memory Test (address line)
uboot use 83F6BFB0 - 84000000
Memory Test start(0x80000000) end(0x83F00000) size(67108864)
Data line test start:0x80000000 pattern 0x00000001 0x00000003 0x00000007 0x0000000F 0x00000005 0x00000015 0x00000055 0xAAAAAAAA
Address line test start:0x80000000 len:0x3f00000 pattern 0xAAAAAAAA 0x55555555
Fill test patnum:5
fill Pattern 5555AAAA Writing... Reading...
fill Pattern AAAA5555 Writing... Reading...
fill Pattern 0000FFFF Writing... Reading...
fill Pattern FFFF0000 Writing... Reading...
fill Pattern AAAAAAAA Writing... Reading...
Memory Test OK
### buf_ver=[1.00] U-Boot Ver.=[1.00]
### build_date(env)=[Apr 6 2011 - 08:52:48] build_date(bin)=[Apr 6 2011 - 08:52:48]
ag7240_enet_initialize...
Reading MAC Address from ENV(0x83f8c322)
No valid address in Flash. Using fixed address
Virian MDC CFG Value ==> 4
: cfg1 0x7 cfg2 0x7114
eth0: 02:aa:bb:cc:dd:23
athrs16_reg_init: complete
eth0 up
Virian MDC CFG Value ==> 4
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
eth1 up
eth0 02:AA:BB:CC:DD:23
, eth1 00:03:7F:09:0B:AD

eth0 link down

tftp server(receive) go, waiting:4[sec]
eth0 link down
Load address: 0x81f00000

TftpServer Timeout;
no file was loaded.
LAN port disabling: done

## Checking Image at bf060000 ...
Bad Magic Number

===========================================
== Broken first FW, Trying second FW... ==
===========================================

Loading second FW to RAM...

## Checking Image at 81f00000 ...
Bad Magic Number

===========================================
== Broken second FW. Need to repair FW...==
===========================================

# LED(0x4000) Blink[2] (Please press 'Ctrl+c' to stop)

ar7240>

 

A quick look at the boot log shows that this device actually has two flash chips:

Broken first FW, Trying second FW...

Broken second FW. Need to repair FW...

 

Enter help to display the command list:

ar7240> help #command help
? - alias for 'help'
TFTPS - boot image via network as TFTP server
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
echo - echo args to console
erase - erase FLASH memory
exit - exit script
flinfo - print FLASH memory information
gigatest - Enable Giga test mode
go - start application at address 'addr'
help - print online help
iminfo - print header information for application image
imls - list all images found in flash
itest - return true/false on integer compare
ledb - LED test blink
ledoff - LED test off
ledon - LED test on
ledt - LED test toggle
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
phyreg - read/write phyreg
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
progmac - Set ethernet MAC addresses
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
set_inspection - set/unset inspection mode
setenv - set environment variables
sleep - delay execution for some time
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version
autoscr - run script from memory

Enter printenv to display the parameters:

ar7240> printenv #display parameters
bootcmd=bootm BF060000
baudrate=115200 #baud rate
ethaddr=02:AA:BB:CC:DD:23 #MAC address
ipaddr=192.168.11.1 #router IP
serverip=192.168.11.2 #host IP
tmp_ram=81F00000 #temporary RAM start address
tmp_bottom=83F00000 #temporary RAM end address
fw_eaddr=BF060000 BEFFFFFF #firmware address
uboot_eaddr=BF000000 BF03FFFF #U-Boot address
u_fw=erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000; #command format
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.fw $fileaddr BF060000 $filesize; bootm BF060000; #command format
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BF000000 $filesize; #command format
melco_id=RD_BB10082
hw_rev=0
tftp_wait=4 #TFTP wait time
uboot_ethaddr=02:AA:BB:CC:DD:23 #U-Boot MAC address
DEF-p_wireless_ath0_11bg-authmode=psk
DEF-p_wireless_ath0_11bg-crypto=tkip+aes
DEF-p_wireless_ath0_11bg-authmode_ex=mixed-psk
DEF-p_wireless_ath0_11bg-wpapsk=ca6hfujrvt3de
pincode=00000000 #PIN code
custom_id=0
buf_ver=1.00
product=WZR-HP-G450H #device model
build_date=Apr 6 2011 - 08:52:48
accept_open_rt_fmt=1
buf_crc=DF2978DD
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=64M
filesize=157F0FC #firmware size
stdin=serial
stdout=serial
stderr=serial
loadaddr=81F00000 #firmware load address
ethact=eth0
region=CH #regulatory region

Environment size: 1211/65532 bytes

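Use setenv to change a parameter:

ar7240>setenv tftp_wait 10 #change the wait time

Use saveenv to save the parameters:

ar7240>saveenv #save parameters

 

tmp_ram=81F00000 is the temporary RAM region where firmware uploaded over TFTP is placed.

Normally the firmware can be received over TFTP from the console:

ar7240> tftp 81f00000 buffalo.bin #receive firmware over TFTP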
Using eth0 device
TFTP from server 192.168.11.2; our IP address is 192.168.11.1
Filename 'openwrt-15.05-ar71xx-generic-wzr-hp-g450h-squashfs-tftp.bin'.
Load address: 0x81f00000
Loading: T T T T T T T T T T
Retry count exceeded; starting again

 

Because the transfer cannot be received, use loady to upload to tmp_ram over YMODEM instead:

ar7240> loady #upload firmware over YMODEM
## Ready for binary (ymodem) download to 0x81F00000 at 115200 bps...
CC

 

Before the CCC prompts stop, upload the firmware via [SecureCRT > Transfer > Send Ymodem]:
Starting ymodem transfer. Press Ctrl+C to cancel.
Transferring openwrt-15.05-ar71xx-generic-wzr-hp-g450h-squashfs-tftp.bin...
100% 3328 KB 6 KB/sec 00:08:34 1 Errors

## Total Size = 0x00340024 = 3407908 Bytes

 

The file has been received; next run the erase command.

Command format: erase $fw_eaddr; look up the values with printenv.

ar7240> erase BF060000 BEFFFFFF #erase ROM
search sector 0xbf060000 - 0xbeffffff
BANK #1 (6 : 255)
000 PPPP.Poooooooooooooooooooooooooo
032 oooooooooooooooooooooooooooooooo
064 oooooooooooooooooooooooooooooooo
096 oooooooooooooooooooooooooooooooo
128 oooooooooooooooooooooooooooooooo
160 oooooooooooooooooooooooooooooooo
192 oooooooooooooooooooooooooooooooo
224 oooooooooooooooooooooooooooooooo
BANK #2 (0 : 255)
000 oooooooooooooooooooooooooooooooo
032 oooooooooooooooooooooooooooooooo
064 oooooooooooooooooooooooooooooooo
096 oooooooooooooooooooooooooooooooo
128 oooooooooooooooooooooooooooooooo
160 oooooooooooooooooooooooooooooooo
192 oooooooooooooooooooooooooooooooo
224 oooooooooooooooooooooooooooooooo

First 0x6 last 0xff sector size 0x10000
255

First 0x0 last 0xff sector size 0x10000
255
Erased 506 sectors
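
An added example (not part of the original post) that maps an erase range onto the mtdparts layout from the printenv output, so the partitions an `erase` will wipe can be checked before it is run. It assumes the first flash bank is mapped at 0xBF000000 (the start of uboot_eaddr) with the 0x10000 sector size from the boot log, and it covers only that first 16 MB bank; the function names are illustrative.

```python
import re

FLASH_BASE = 0xBF000000        # start of uboot_eaddr; u-boot sits at offset 0
BANK_SIZE = 16 * 1024 * 1024   # "flash bank #0 found 16 MB flash"
SECTOR = 0x10000               # "blk:0x10000" in the boot log
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
# Copied from the bootargs line in the printenv output.
MTDPARTS = ("ar7240-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),"
            "6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),"
            "8192k@8192k(flash1),16384k@16384k(flash2)")
PART_RE = re.compile(r"(\d+)([km]?)(?:@(\d+)([km]?))?\(([^)]+)\)")


def parse_mtdparts(spec):
    """Return [(name, offset, size)] in bytes for one mtdparts device."""
    parts, cursor = [], 0
    for size, unit, off, off_unit, name in PART_RE.findall(spec.split(":", 1)[1]):
        nbytes = int(size) * UNITS[unit]
        # a partition without @offset starts where the previous one ended
        offset = int(off) * UNITS[off_unit] if off else cursor
        parts.append((name, offset, nbytes))
        cursor = offset + nbytes
    return parts


def sector_span(start, end):
    """(first, last, count) of first-bank sectors hit by 'erase start end'."""
    first = (start - FLASH_BASE) // SECTOR
    last = min((end - FLASH_BASE) // SECTOR, BANK_SIZE // SECTOR - 1)
    return first, last, last - first + 1


def erased_partitions(start, end, spec=MTDPARTS):
    """Names of first-bank partitions overlapping the erased sectors."""
    first, last, _ = sector_span(start, end)
    lo, hi = first * SECTOR, (last + 1) * SECTOR
    return [name for name, off, size in parse_mtdparts(spec)
            if off < hi and off + size > lo]


if __name__ == "__main__":
    for end in (0xBF3AFFFF, 0xBFFFFFFF):   # Method 1 range, then the whole first bank
        print(hex(end), sector_span(0xBF060000, end),
              erased_partitions(0xBF060000, end))
```

For the Method 1 range this gives sectors 6 to 58 (53 sectors, as in that log) covering uImage and rootfs; extending the range to the end of the first bank gives 250 sectors and also covers properties and flash1.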

 

The erase is finished; next copy the firmware to ROM.

Command format: cp.fw $fileaddr BF060000 $filesize; look up the values with printenv.

ar7240> cp.b 81f00000 BF060000 340024 #copy firmware to ROM
Copy to Flash...
Copy 3407908 byte to Flash...
write data: 81f00000 --> bf060000 (len:340024)
done

 

Finally boot the firmware with bootm:

ar7240>bootm

 

Because of the firmware header, the check fails; this method is for reference only.
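
An added example (not from the original post) of the kind of header check behind the "Bad Magic Number" messages: it looks for a legacy U-Boot uImage header at offset 0 and behind a 32-byte wrapper, the length implied by the TFTP log (3407908 bytes received, 3407876 written, copy source 81f00020). The wrapper's internal layout is not shown on the page and is treated as opaque; the sample image is constructed and the function names are illustrative.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956                # legacy U-Boot image magic
UIMAGE_HDR = struct.Struct(">7I4B32s")   # 64-byte big-endian header
WRAPPER_LEN = 32                         # 3407908 - 3407876, from the TFTP log


def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob, offset=0):
    """Return header fields if a legacy uImage starts at offset, else None."""
    raw = blob[offset:offset + UIMAGE_HDR.size]
    if len(raw) < UIMAGE_HDR.size:
        return None
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack(raw)
    if magic != UIMAGE_MAGIC:
        return None                      # the "Bad Magic Number" case
    data = blob[offset + 64:offset + 64 + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "header_ok": crc(raw[:4] + b"\0" * 4 + raw[8:]) == hcrc,  # hcrc zeroed
        "data_ok": len(data) == size and crc(data) == dcrc,
    }


def find_payload(blob):
    """Offset of a uImage with a valid header: 0, WRAPPER_LEN, or None."""
    for off in (0, WRAPPER_LEN):
        info = parse_uimage(blob, off)
        if info and info["header_ok"]:
            return off
    return None


def build_sample(payload=b"\x5d\x00\x00" * 100):
    """Constructed image: valid uImage behind an opaque 32-byte wrapper."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              crc(payload), 5, 5, 2, 3, b"constructed-kernel"]  # Linux/MIPS/kernel/lzma
    fields[1] = crc(UIMAGE_HDR.pack(*fields))   # CRC over header with hcrc = 0
    return b"W" * WRAPPER_LEN + UIMAGE_HDR.pack(*fields) + payload


if __name__ == "__main__":
    print("uImage found at offset", find_payload(build_sample()))
```

In Method 3 the cp.b copy started at 81f00000 with len 340024, so the 32-byte wrapper went into flash in front of the uImage header, whereas the TFTP path copied from 81f00020.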


 

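LINKSYS e1200v2 unbrick (recovering a bricked router)

I wanted multi-dial, so I flashed this thing with DUALWAN TOMATO.

The result: NO ZUO NO DIE...

Enough talk. What do you do with a brick? Hook up TTL!

1. TTL (hardware preparation)

See the rectangle inside the red circle? That is pin 1.

Counting from that position:

Pin 5 goes to GND, pin 3 is TXD, pin 2 is RXD.

Then plug in the TTL cable and change the baud rate in Control Panel.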


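2. Software preparation before flashing

1 Download SecureCRT

Note that the port must match the one in Control Panel.

2 After clicking Connect, press Ctrl+C repeatedly

3 First enter nvram erase

4 Rename the firmware you downloaded to code.bin

5 Open TFTP

6 Raise the retry count a little

Then enter the following in SecureCRT:

flash -ctheader : flash1.trx

Wait until it shows programing done

7 Enter go to reboot

And that is it, all done.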
