openwrt中的vmlinuz.trx 解析:
$ hexdump -C vmlinuz.trx | head -n 3
00000000 48 44 52 30 00 b0 2b 00 d6 3b 1d 6d 00 00 01 00 |HDR0..+..;.m....|
00000010 1c 00 00 00 00 00 00 00 00 00 00 00 5d 00 00 01 |............]...|
00000020 00 00 01 53 00 00 00 00 00 00 69 bc 00 2e 35 68 |...S......i...5h|
00 - 03: 0x30524448 TRX格式文件 Magic Number
04 - 07: 0x002bb000 整个TRX文件大小
08 - 11: CRC32(0x6d1d3bd6,覆盖从偏移 12 到文件末尾的数据;只能发现意外损坏,不能证明固件来源可信)
12 - 15: 0x00010000 标志位(低 16 位,此处为 0)与版本号(高 16 位,此处为 1)
16 - 19: 0x0000001C 第一分区文件内偏移(20 - 27 为第二、第三分区偏移,此处均为 0,即只有一个分区;0x1C = 28,也就是下文 dd 的 skip=28)
第一分区又是 LZMA 压缩格式,LZMA 压缩文件的头为 13 个字节:
5D 00 00 01 00 00 01 53 00 00 00 00 00(紧随其后的 00 已经是压缩数据流的第一个字节,不属于文件头)
前5个字节是属性字节(0x5D,编码 lc/lp/pb 参数)加 4 字节小端字典大小,字典大小与压缩级别对应:
-1 5d 00 00 01 00
-2 5d 00 00 10 00
-3 5d 00 00 08 00
-4 5d 00 00 10 00
-5 5d 00 00 20 00
-6 5d 00 00 40 00
-7 5d 00 00 80 00
-8 5d 00 00 00 01
-9 5d 00 00 00 02
后8个字节是解压后内容的大小:0x00530100 (5439744)
$ dd if=vmlinuz.trx of=vmlinux.lzma bs=1 skip=28
$ unlzma vmlinux.lzma
解压得到的内核文件vmlinux 编译时带了 initramfs,通过搜索“5D 00 00 00”(对 hexdump 输出做 grep 找不到跨行的匹配),找到:
$ hexdump -C vmlinux | grep -i "5D 00 00 00"
0001e000 5d 00 00 00 02 ff ff ff ff ff ff ff ff 00 18 0d |]...............|
00402450 5d 00 00 00 08 d2 49 c0 00 00 00 00 e8 be 15 c0 |].....I.........|
00409890 00 00 00 00 5d 00 00 00 94 67 4a c0 74 96 01 c0 |....]....gJ.t...|
00414c70 01 5d 00 00 00 00 c0 00 48 3f 05 01 01 58 00 00 |.]......H?...X..|
004981e0 3c 25 70 3e 5d 00 00 00 20 28 25 73 29 00 00 00 |<%p>]... (%s)...|
00499900 5b 25 6c 78 2b 25 6c 78 5d 00 00 00 6d 6d 2f 6d |[%lx+%lx]...mm/m|
0049c140 65 72 66 64 5d 00 00 00 5b 65 76 65 6e 74 66 64 |erfd]...[eventfd|
0049c150 5d 00 00 00 66 73 2f 6c 6f 63 6b 73 2e 63 00 00 |]...fs/locks.c..|
0049d7d0 5b 44 4d 5d 00 00 00 00 5b 45 5a 44 5d 00 00 00 |[DM]....[EZD]...|
00524490 5d 00 00 00 93 10 00 00 e7 70 00 00 ff ff ff ff |]........p......|
005244a0 ff ff ff ff 00 00 00 00 00 00 00 00 5d 00 00 00 |............]...|
上面只有 0x0001e000 这一处符合 LZMA 头的形态(5d、字典大小 00 00 00 02、随后 8 个 ff 表示未记录解压后大小),其余命中只是内核数据或字符串。用下面的命令从该偏移分离出 LZMA 压缩的initramfs:
$ dd if=vmlinux of=initramfs.cpio.lzma bs=1 skip=$((0x1E000))
$ unlzma initramfs.cpio.lzma
#得到 initramfs.cpio 文件,用下面的命令解压(--no-absolute-filenames 让归档中的绝对路径按相对路径释放到当前目录,不会覆盖主机上的同名文件):
$ mkdir x && cd x
$ cpio -idv --no-absolute-filenames < ../initramfs.cpio
在ARM linux系统下面执行:
/tmp/mnt/nfs # cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 01e00000 00020000 "linux"
mtd3: 01c676f4 00020000 "rootfs"
mtd4: 05ec0000 00020000 "brcmnand"
mtd5: 00140000 00020000 "asus"
/tmp/mnt/nfs # cat /dev/mtd2 > mtd2.linux
/tmp/mnt/nfs # cat /dev/mtd3 > mtd3.rootfs
/tmp/mnt/nfs # cat /dev/mtd0 > mtd0.boot
在PC ubuntu上执行。mtd2 的转储长度是整个分区的大小,而 vmlinuz-lzma 的文件大小为 1673455 字节(见下面 ls 的输出),所以 count 要等于此数。
这里 skip=28 是为了跳过 trx 文件的格式头,从而得到真正的 vmlinuz-lzma 数据。通过
md5sum 可以看到两者的数据确实是一样的
root@helloworld-VirtualBox:/home/helloworld/nfs# ls -l /tftproot/vmlinuz-lzma
-rw-r--r-- 1 root root 1673455 11月 7 12:16 /tftproot/vmlinuz-lzma
root@helloworld-VirtualBox:/home/helloworld/nfs# dd if=mtd2.linux of=vmlinuz.trx1 bs=1 skip=28 count=$((1673455))
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum vmlinuz.trx1
2f77cd790252085d75846a7e5e2b3751 vmlinuz.trx1
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum /tftproot/vmlinuz-lzma
2f77cd790252085d75846a7e5e2b3751 /tftproot/vmlinuz-lzma
root@helloworld-VirtualBox:/home/helloworld/nfs#
在PC ubuntu系统上rootfs命名是ctools/target.squashfs
但是rootfs则跟vmlinuz-lzma不一样。这里不需要skip 28个字节
root@helloworld-VirtualBox:/home/helloworld/nfs# ls -l /tftproot/target.squashfs
-rw-r--r-- 1 root root 20783104 11月 7 16:51 /tftproot/target.squashfs
root@helloworld-VirtualBox:/home/helloworld/nfs# dd if=mtd3.rootfs of=ausu.rootfs bs=1 count=$((20783104))
记录了20783104+0 的读入
记录了20783104+0 的写出
20783104字节(21 MB)已复制,23.1721 秒,897 kB/秒
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum ausu.rootfs
f0792d5a7dedc573814bc926ca8d5d21 ausu.rootfs
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum /tftproot/target.squashfs
f0792d5a7dedc573814bc926ca8d5d21 /tftproot/target.squashfs
在PC ubuntu系统上cfe写入的位置是mtd0
但是cfe则跟vmlinuz-lzma不一样。这里不需要skip 28个字节
root@helloworld-VirtualBox:/home/helloworld/nfs# dd if=mtd0.boot of=asus.boot bs=1 count=$((242560))
记录了242560+0 的读入
记录了242560+0 的写出
242560字节(243 kB)已复制,0.312984 秒,775 kB/秒
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum asus.boot
84e9a1afb5407d3bf5e5c2b8ba01f7b9 asus.boot
root@helloworld-VirtualBox:/home/helloworld/nfs# md5sum /tftproot/cfe.bin
84e9a1afb5407d3bf5e5c2b8ba01f7b9 /tftproot/cfe.bin
在CFE小系统下面调试命令
//更新CFE(刷写前先像上面那样用 md5sum 核对 cfe.bin;TFTP 没有认证和完整性保护,boot 分区写入错误的镜像后设备将无法引导)
CFE> show devices
Device Name Description
------------------- ---------------------------------------------------------
uart0 NS16550 UART at 0x18000300
uart1 NS16550 UART at 0x18000400
nflash0 AMD NAND flash size 131072KB
nflash0.boot AMD NAND flash offset 0 size 512KB
nflash0.nvram AMD NAND flash offset 80000 size 1536KB
nflash0.trx AMD NAND flash offset 200000 size 1KB
nflash0.os AMD NAND flash offset 20001C size 129024KB
nflash1.boot AMD NAND flash offset 0 size 512KB
nflash1.nvram AMD NAND flash offset 80000 size 1536KB
nflash1.trx AMD NAND flash offset 200000 size 63488KB
nflash1.brcmnand AMD NAND flash offset 4000000 size 65536KB
eth0 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0
CFE>flash -noheader 192.168.1.100:cfe.bin nflash0.boot --- 刷入CFE.bin
直接从tftp的linux kernel启动
CFE>boot -raw -addr=0x00008000 -max=0xe86b468 192.168.1.100:vmlinuz
注意这里是vmlinuz而不是vmlinuz-lzma