Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- MPC-WF1 Hack Memo
- ■製品情報:https://www.maxell.jp/consumer/mpc-wf1.html
- ■発売日:2014/4/25
- ■OEM元:AirDisk NW73
- ■内部写真:https://www.cnblogs.com/k1two2/p/7241131.html (同じOEMのLenovo PWR-G60)
- ■HW Spec:SoC:AR9331,Flash:8MB,DRAM:64MB,FEx1,2.4GHz 11n 1T1R,USB2.0x1,SDXC Slotx1,5000mAh Battery
- ■UARTアクセス:基板裏面(NW73とプリントされている側)の中央の3つのランドが GND/TX/RX, 3.3v TTL , 115200bps
- ■rootパスワード: ifconfig
- ■log
- root@AirMV:~# cat /proc/mtd
- dev: size erasesize name
- mtd0: 00020000 00001000 "u-boot"
- mtd1: 00150000 00001000 "kernel"
- mtd2: 00680000 00001000 "rootfs"
- mtd3: 000a6000 00001000 "rootfs_data"
- mtd4: 00010000 00001000 "art"
- mtd5: 007d0000 00001000 "firmware"
- root@AirMV:~#
- root@AirMV:~# cat /proc/cpuinfo
- system type : Atheros AR9330 rev 1
- machine : TP-LINK TL-WR703N v1
- processor : 0
- cpu model : MIPS 24Kc V7.4
- BogoMIPS : 265.42
- wait instruction : yes
- microsecond timers : yes
- tlb_entries : 16
- extra interrupt vector : yes
- hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
- ASEs implemented : mips16
- shadow register sets : 1
- kscratch registers : 0
- core : 0
- VCED exceptions : not available
- VCEI exceptions : not available
- ■u-boot改造
- u-bootへのログインができないので、
- AR9331のU-Boot 1.1.4 modification に入れ替え
- https://github.com/pepe2k/u-boot_mod
- (HTTPでの書き換えや、nc での network コンソールにも対応!)
- (Using DD-WRTに準拠して実施)
- ・まずbackup
- SD or USB を取り付け
- cd /tmp/mnt/USB-disk-a1 または cd /tmp/mnt/SD-disk-b1
- ・dd でbackup
- dd if=/dev/mtd0 of=mtd0.dd
- dd if=/dev/mtd1 of=mtd1.dd
- dd if=/dev/mtd2 of=mtd2.dd
- dd if=/dev/mtd3 of=mtd3.dd
- dd if=/dev/mtd4 of=mtd4.dd
- dd if=/dev/mtd5 of=mtd5.dd
- ・u-boot のバックアップデータとしてコピー
- cp mtd0.dd uboot_factory.bin
- ・Flash全体のバックアップデータ生成
- cat mtd0.dd mtd5.dd mtd4.dd >backup_fullflash.bin
- ・u-boot_mod入手
- http://projects.dymacz.pl/?dir=u-boot_mod から
- flashメモリ構成が近いTP-LINK TL-WR710N v1 の u-bootをdownload
- wget http://projects.dymacz.pl/u-boot_mod/u-boot_mod__tp-link_tl-wr710n_v1__20180223__git_master-7a540a78.bin
- md5sum u-boot_mod__tp-link_tl-wr710n_v1__20180223__git_master-7a540a78.bin
- 95efb7d8be8b48d3bf7b412f122a47e8
- ・データ長をあわせる
- dd if=uboot_factory.bin of=uboot_rest.bin bs=1 skip=$(wc -c < u-boot_mod__tp-link_tl-wr710n_v1__20180223__git_master-7a540a78.bin)
- cat u-boot_mod__tp-link_tl-wr710n_v1__20180223__git_master-7a540a78.bin uboot_rest.bin > uboot_new.bin
- ・【危険】u-boot書き換え 【危険】
- mtd write uboot_factory.bin "u-boot"
- dd if=/dev/mtd0 of=uboot_diff.bin
- diff uboot_factory.bin uboot_diff.bin で差分がないことを確認
- ・resetして以下のようなメッセージで起動してくることを確認
- ***************************************
- * U-Boot 1.1.4-7a540a78-clean *
- * Build: 2018-02-23 *
- ***************************************
- ** Warning: bad env CRC, using default,
- use 'saveenv' to save it in FLASH
- BOARD: TP-Link TL-WR710N v1
- SOC: AR9330 rev. 1
- CPU: MIPS 24Kc
- RAM: 64 MB DDR2 16-bit CL3-4-4-10
- FLASH: 8 MB Winbond W25Q64
- MAC: 84:5D:D7:01:AF:B3
- CLOCKS: CPU/RAM/AHB/SPI/REF
- 400/400/200/ 25/ 25 MHz
- Hit any key to stop booting: 0
- Booting image from 0x9F020000...
- Vendor/image name: OpenWrt r1267
- Hardware ID: 0x7030101
- Whole image size: 7.8 MB (8126464 bytes)
- Kernel size: 859.8 kB (880393 bytes)
- Rootfs size: 5.9 MB (6160388 bytes)
- Kernel load address: 0x80060000
- Kernel entry point: 0x80060000
- Header CRC... skipped
- Data CRC... skipped
- Stopping network... OK!
- Uncompressing Kernel... OK!
- Starting kernel...
- ■類似機種
- Soundmate M1 (root passwordのhash が同じ)
- ■参考URL
- https://www.modlog.net/?p=1002
- https://forum.archive.openwrt.org/viewtopic.php?id=50512
- http://astronomycomputers.blogspot.com/2015/04/the-soundmate-m1.html
Add Comment
Please, Sign In to add comment
