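I recently picked up an EBAZ4205 miner control board, which is very cheap on 某鱼 (a second-hand marketplace). I only have a serial debug adapter, no JTAG debugger, and I have not modified the board beyond soldering on the pins for the serial connection. On power-up the serial port prints messages and the system boots, but the system is password-protected. What can you do if you want to play with it and have no other tools? After wandering through the relevant forums and material on various sites, I finally found a way in, so I can start by playing with ARM Linux application development. Material about the board is already fairly plentiful online. This article mainly draws on the following forums and posts, and I thank their authors here.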
https://whycan.cn/t_2297.html
https://blog.csdn.net/long0801/article/details/77368205
https://www.cnblogs.com/findumars/p/5869608.html
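1. Back up the original system
1. Connect the debug serial port, power on, read the boot messages, and record the partition layout
After power-up the serial port prints the boot messages, which include the following: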
9 ofpart partitions found on MTD device pl35x-nand
Creating 9 MTD partitions on "pl35x-nand":
0x000000000000-0x000000300000 : "nand-fsbl-uboot"
0x000000300000-0x000000800000 : "nand-linux"
0x000000800000-0x000000820000 : "nand-device-tree"
0x000000820000-0x000001220000 : "nand-rootfs"
0x000001220000-0x000002220000 : "nand-jffs2"
0x000002220000-0x000002a20000 : "nand-bitstream"
0x000002a20000-0x000006a20000 : "nand-allrootfs"
0x000006a20000-0x000007e00000 : "nand-release"
0x000007e00000-0x000008000000 : "nand-reserve"
This is the NAND partition layout. Next we back up these partitions, just in case.
2. Reboot and press 'd' to enter U-Boot
Hit 'd' to stop autoboot(eric): 0
zynq-uboot>
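3. Change the network configuration
setenv serverip 192.168.0.139
setenv ipaddr 192.168.0.99
These set the server IP and the board's IP respectively; choose values that fit your own network. Because the environment variables cannot be saved to NAND, do not reboot after setting them.
4. Test the network connection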
zynq-uboot> ping 192.168.0.139
Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
Gem.e000b000----100----4047----
Using Gem.e000b000 device
host 192.168.0.139 is alive
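Seeing the output above means the network connection is fine.
5. Back up the partitions
Install and set up a TFTP server on Ubuntu. There are many tutorials online, although some really do not work; I followed http://blog.sina.com.cn/s/blog_7e8fb215010166di.html. Once the server is set up, you can start backing up over TFTP.
First read the contents of the chosen partition into memory with the nand read command: the first argument is the memory address, the second is the NAND offset, and the third is the size. Then upload the memory contents to the server over TFTP. The steps are as follows:
zynq-uboot> nand read 0x100000 0x000000 0x300000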
NAND read: device 0 offset 0x0, size 0x300000
3145728 bytes read: OK
zynq-uboot> md.b 100000 80
00100000: fe ff ff ea fe ff ff ea fe ff ff ea fe ff ff ea ................
00100010: fe ff ff ea fe ff ff ea fe ff ff ea fe ff ff ea ................
00100020: 66 55 99 aa 58 4e 4c 58 00 00 00 00 00 00 01 01 fU..XNLX........
00100030: 00 17 00 00 10 80 01 00 00 00 00 00 00 00 00 00 ................
00100040: 10 80 01 00 01 00 00 00 20 45 16 fc 00 00 00 00 ........ E......
00100050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00100060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00100070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
zynq-uboot> tftpput 0x100000 0x300000 fsbl-uboot
Gem.e000b000:0 is connected to Gem.e000b000. Reconnecting to Gem.e000b000
Gem.e000b000 Waiting for PHY auto negotiation to complete..... done
Gem.e000b000----100----4047----
Using Gem.e000b000 device
TFTP to server 192.168.0.139; our IP address is 192.168.0.99
Filename 'fsbl-uboot'.
Save address: 0x100000
Save size: 0x300000
Saving: ################################################################
#################################################################
#################################################################
####################
1.2 MiB/s
done
Bytes transferred = 3145728 (300000 hex)
zynq-uboot>
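Here the U-Boot md command was used to look at the memory contents, showing only part of them (0x80, i.e. 128 bytes). Now look at the contents of the file uploaded to the server: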
zhy@ubuntu:/var/tftpboot$ xxd -l 0x80 fsbl-uboot
00000000: feff ffea feff ffea feff ffea feff ffea ................
00000010: feff ffea feff ffea feff ffea feff ffea ................
00000020: 6655 99aa 584e 4c58 0000 0000 0000 0101 fU..XNLX........
00000030: 0017 0000 1080 0100 0000 0000 0000 0000 ................
00000040: 1080 0100 0100 0000 2045 16fc 0000 0000 ........ E......
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
zhy@ubuntu:/var/tftpboot$
The file contents match the data we copied into memory on the board, so the uploaded file is fine. Next is the linux partition:
zynq-uboot> nand read 0x100000 0x300000 0x500000
NAND read: device 0 offset 0x300000, size 0x500000
5242880 bytes read: OK
zynq-uboot> md.b 100000 80
00100000: 27 05 19 56 15 a8 ff 9c 59 10 12 0c 00 3a 4c 90 '..V....Y....:L.
00100010: 00 00 80 00 00 00 80 00 05 59 97 a0 05 02 02 00 .........Y......
00100020: 4c 69 6e 75 78 2d 34 2e 36 2e 30 2d 78 69 6c 69 Linux-4.6.0-xili
00100030: 6e 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 nx..............
00100040: 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
00100050: 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
00100060: 03 00 00 ea 18 28 6f 01 00 00 00 00 90 4c 3a 00 .....(o......L:.
00100070: 01 02 03 04 00 90 0f e1 d8 0b 00 eb 01 70 a0 e1 .............p..
zynq-uboot> tftpput 0x100000 0x500000 linux
Gem.e000b000:0 is connected to Gem.e000b000. Reconnecting to Gem.e000b000
Gem.e000b000 Waiting for PHY auto negotiation to complete....... done
Gem.e000b000----100----4047----
Using Gem.e000b000 device
TFTP to server 192.168.0.139; our IP address is 192.168.0.99
Filename 'linux'.
Save address: 0x100000
Save size: 0x500000
Saving: ################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################
1.3 MiB/s
done
Bytes transferred = 5242880 (500000 hex)
zynq-uboot>
Contents of the uploaded file:
zhy@ubuntu:/var/tftpboot$ xxd -l 0x80 linux
00000000: 2705 1956 15a8 ff9c 5910 120c 003a 4c90 '..V....Y....:L.
00000010: 0000 8000 0000 8000 0559 97a0 0502 0200 .........Y......
00000020: 4c69 6e75 782d 342e 362e 302d 7869 6c69 Linux-4.6.0-xili
00000030: 6e78 0000 0000 0000 0000 0000 0000 0000 nx..............
00000040: 0000 a0e1 0000 a0e1 0000 a0e1 0000 a0e1 ................
00000050: 0000 a0e1 0000 a0e1 0000 a0e1 0000 a0e1 ................
00000060: 0300 00ea 1828 6f01 0000 0000 904c 3a00 .....(o......L:.
00000070: 0102 0304 0090 0fe1 d80b 00eb 0170 a0e1 .............p..
zhy@ubuntu:/var/tftpboot$
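As a stronger check than comparing the first 0x80 bytes by eye, the following added example (not from the original article) parses the legacy U-Boot image header that starts the linux dump (magic 27 05 19 56) and verifies the header and data CRC32 over a whole backup file. The header bytes are copied from the xxd output above; the function names are this example's own.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian u32, 4 u8, 32-byte name = 64 bytes.
HDR = struct.Struct(">7I4B32s")

# First 64 bytes of the "linux" backup, copied from the xxd output above.
PAGE_HEADER = bytes.fromhex(
    "27051956" "15a8ff9c" "5910120c" "003a4c90"
    "00008000" "00008000" "055997a0" "05020200"
    "4c696e75782d342e362e302d78696c696e78" + "00" * 14
)


def parse_uimage_header(blob):
    """Decode the 64-byte header; raise ValueError if it is not a uImage."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HDR.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy uImage (bad magic)")
    return {"hcrc": hcrc, "size": size, "load": load, "entry": entry,
            "dcrc": dcrc,
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace")}


def verify_uimage(blob):
    """Return (header_ok, data_ok) for a partition dump starting with a uImage."""
    h = parse_uimage_header(blob)
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\0" * 4 + blob[8:HDR.size]
    header_ok = zlib.crc32(zeroed) == h["hcrc"]
    # Only 'size' bytes after the header are covered; partition padding is not.
    payload = blob[HDR.size:HDR.size + h["size"]]
    data_ok = len(payload) == h["size"] and zlib.crc32(payload) == h["dcrc"]
    return header_ok, data_ok


if __name__ == "__main__":
    print(parse_uimage_header(PAGE_HEADER))
```

To check a real backup, pass the full file contents, for example verify_uimage(open("linux", "rb").read()).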
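The contents check out; back up the other partitions one by one in the same way. Reading the last partition from NAND at its full size always failed, so I left it alone. The files after the backup: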
zhy@ubuntu:/var/tftpboot$ ls -l
总用量 129024
-rw-rw-rw- 1 tftp tftp 67108864 5月 17 11:49 allrootfs
-rw-rw-rw- 1 tftp tftp 8388608 5月 17 11:46 bitstream
-rw-rw-rw- 1 tftp tftp 131072 5月 17 11:33 device-tree
-rw-rw-rw- 1 tftp tftp 3145728 5月 17 10:42 fsbl-uboot
-rw-rw-rw- 1 tftp tftp 16777216 5月 17 11:43 jffs2
-rw-rw-rw- 1 tftp tftp 5242880 5月 17 11:15 linux
-rw-rw-rw- 1 tftp tftp 20840448 5月 17 11:52 release
-rw-rw-rw- 1 tftp tftp 10485760 5月 17 11:39 rootfs
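When reading a NAND partition into memory, take care not to get the start address or the size wrong: the start address is the partition's start address, and the size is simply the end address minus the start address.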
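The offset and size rule above can be applied mechanically. This added example, which is not part of the original article, parses the partition lines from the boot log, produces the nand read and tftpput commands in the form used above, and compares file sizes on the TFTP server with the table. The function names are this example's own; the server file sizes are supplied by the caller.

```python
import re

# Partition lines copied from the boot log above.
BOOT_LOG = """\
0x000000000000-0x000000300000 : "nand-fsbl-uboot"
0x000000300000-0x000000800000 : "nand-linux"
0x000000800000-0x000000820000 : "nand-device-tree"
0x000000820000-0x000001220000 : "nand-rootfs"
0x000001220000-0x000002220000 : "nand-jffs2"
0x000002220000-0x000002a20000 : "nand-bitstream"
0x000002a20000-0x000006a20000 : "nand-allrootfs"
0x000006a20000-0x000007e00000 : "nand-release"
0x000007e00000-0x000008000000 : "nand-reserve"
"""
PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"', re.I)
LOAD_ADDR = 0x100000  # RAM buffer address used in the article


def parse_partitions(log):
    """Return [(file_name, offset, size)]; reject gaps, overlaps, empty ranges."""
    parts, expected = [], None
    for start, end, name in PART_RE.findall(log):
        start, end = int(start, 16), int(end, 16)
        if end <= start or (expected is not None and start != expected):
            raise ValueError(f"inconsistent range for {name}")
        fname = name[5:] if name.startswith("nand-") else name
        parts.append((fname, start, end - start))
        expected = end
    return parts


def uboot_commands(parts):
    """U-Boot commands per partition: read into RAM, then upload over TFTP."""
    cmds = []
    for name, off, size in parts:
        cmds.append(f"nand read {LOAD_ADDR:#x} {off:#x} {size:#x}")
        cmds.append(f"tftpput {LOAD_ADDR:#x} {size:#x} {name}")
    return cmds


def check_backups(parts, sizes):
    """Compare {file: bytes on the TFTP server} with the partition table."""
    problems = []
    for name, _off, size in parts:
        if name not in sizes:
            problems.append(f"{name}: missing")
        elif sizes[name] != size:
            problems.append(f"{name}: {sizes[name]} bytes, expected {size}")
    return problems
```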
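2. Clear the root user's password
1. Mount the backed-up file system allrootfs; forum posts say the password is stored in this file system.
Following the article "已有 JFFs2文件系统的修改" (Modifying an existing JFFS2 file system), first install the mtd tools, then run the following: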
sudo modprobe -v mtd
sudo modprobe -v jffs2
sudo modprobe -v mtdram total_size=100000 erase_size=128   # both sizes are in KiB
sudo modprobe -v mtdblock
sudo flash_eraseall /dev/mtd0
Use the dd command to load allrootfs into the mtd0 partition:
sudo dd if=allrootfs of=/dev/mtd0
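Note that total_size must not be smaller than the size of allrootfs. Here I simply used 100000 KB, which is plenty; if it is too small, the later dd command reports that there is not enough space. When loading allrootfs with dd, mind where the file is located. Once it has loaded successfully, the device can be mounted.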
zhy@ubuntu:/var/tftpboot$ sudo mkdir fsmount
zhy@ubuntu:/var/tftpboot$ sudo mount -t jffs2 /dev/mtdblock0 fsmount
zhy@ubuntu:/var/tftpboot$ cd fsmount/
zhy@ubuntu:/var/tftpboot/fsmount$ ls
bin dev home lib mnt proc sbin tmp var
boot etc init media opt run sys usr
Once it is mounted you can see the familiar Linux directory structure.
2. Clear the root user's password
The contents of etc/passwd:
root:$1$EDMrnDlh$7LkuvQcUboEGtCysGgqng/:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
Change the first line to:
root::0:0:root:/home/root:/bin/sh
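Note that all of these operations are on paths under the mount directory, not on the host's own directories of the same name. Save the file after making the change.
You can also stop the automatic mining program: move the shell script etc/rcS.d/S95cgminer.sh to another directory, or simply delete it.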
zhy@ubuntu:/var/tftpboot/fsmount$ sudo mv etc/rcS.d/S95cgminer.sh home/root/
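Added example, not from the original article: a small audit of a mounted image's etc/passwd that reports what the listing above shows, namely a password hash kept in the world-readable passwd file in MD5-crypt ($1$) form and, after the edit, an account with an empty password field. The sample text is a shortened copy of the lines shown above; the finding labels and function name are this example's own.

```python
# Shortened copy of etc/passwd from the listing above (before the edit).
BEFORE = (
    "root:$1$EDMrnDlh$7LkuvQcUboEGtCysGgqng/:0:0:root:/home/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/bin/sh\n"
    "nobody:*:65534:65534:nobody:/nonexistent:/bin/sh\n"
)
# The same file after the first line is changed as described above.
AFTER = BEFORE.replace("$1$EDMrnDlh$7LkuvQcUboEGtCysGgqng/", "", 1)

LOCKED = ("*", "!")                   # no password login possible
WEAK_SCHEMES = {"$1$": "md5-crypt"}   # labels are this example's own


def audit_passwd(text):
    """Return [(user, finding)] for risky password fields in passwd-format text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed-entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty-password"))
        elif pw == "x" or pw.startswith(LOCKED):
            pass  # hash lives in shadow, or the account is locked
        else:
            findings.append((user, "hash-in-world-readable-passwd"))
            for prefix, label in WEAK_SCHEMES.items():
                if pw.startswith(prefix):
                    findings.append((user, label))
        if uid == "0" and user != "root":
            findings.append((user, "extra-uid-0-account"))
    return findings


if __name__ == "__main__":
    print("before:", audit_passwd(BEFORE))
    print("after: ", audit_passwd(AFTER))
```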
3. Regenerate the JFFS2 file system
zhy@ubuntu:/var/tftpboot/fsmount$ cd ..
zhy@ubuntu:/var/tftpboot$ mkfs.jffs2 -r fsmount -o allrootfs.new -e 0x20000 --pad=0x4000000 -n -l
4. Write the modified file system back to the corresponding NAND partition
zynq-uboot> tftpboot 0x100000 allrootfs.new
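zynq-uboot> nand erase 0x2a20000 0x4000000
zynq-uboot> nand write 0x100000 0x2a20000 0x4000000
Reboot the board; at the login prompt just enter root and you are in the system.
3. Enable networking
Once in the system, you find that only the loopback interface is present and there is no wired network connection.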
root@zedboard-zynq7:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1%768144/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Since U-Boot can use the network, it will certainly work under Linux too. Open the /etc/network/interfaces file:
root@zedboard-zynq7:~# vi /etc/network/interfaces
Find the following lines:
# Wired or wireless interfaces
# auto eth0
# iface eth0 inet dhcp
#iface eth1 inet dhcp
Change them to:
# Wired or wireless interfaces
auto eth0
iface eth0 inet dhcp
#iface eth1 inet dhcp
After a reboot, the wired network can be used:
root@zedboard-zynq7:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0A:35:00:01:22
inet addr:192.168.0.122 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20a:35ff:fe00:122%768144/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:143012 errors:0 dropped:10 overruns:0 frame:0
TX packets:142435 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:77596550 (74.0 MiB) TX bytes:6555498 (6.2 MiB)
Interrupt:148 Base address:0xb000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1%768144/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@zedboard-zynq7:~#
tftp and ssh are both available as well:
root@zedboard-zynq7:~# ssh
Dropbear SSH client v2016.72 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: ssh [options] [user@]host[/port][,[user@]host/port],...] [command]
-p <remoteport>
-l <username>
-t Allocate a pty
-T Don't allocate a pty
-N Don't run a remote command
-f Run in background after auth
-y Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s Request a subsystem (use by external sftp)
-i <identityfile> (multiple allowed, default .ssh/id_dropbear)
-A Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive> (0 is never, default 0)
-I <idle_timeout> (0 is never, default 0)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)
-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-V Version
root@zedboard-zynq7:~# tftp
BusyBox v1.24.1 (2016-12-12 22:50:17 MST) multi-call binary.
Usage: tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
root@zedboard-zynq7:~#
4. Test program under Linux
Write a hello program as a test:
#include <stdio.h>
int main(void)
{
    printf("hello ebaz4205!\r\n");
    return 0;
}
Cross-compile it and move the executable to the TFTP server's root directory:
zhy@ubuntu:~/project/$ arm-linux-gcc -o test main.c -static
zhy@ubuntu:~/project$ sudo mv test /var/tftpboot/test
Download it with tftp and run it