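This post was last edited by 智能小檸檬 on 2023-10-24 17:04
This is a Shandong Cable E900V21C box; the label on the back says it is made by Skyworth. The first time I flashed it I didn't know how, picked the wrong package for a card flash, and bricked it; it would no longer boot. On every power-up the TV screen stays black, while the box is actually rebooting over and over. With a TTL serial connection attached, a memory error is visible in the following boot log: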
- BL2 Built : 15:03:51, Oct 26 2018.
- gxl gaf9186d-dirty - liqiang.hou@droid07-sz
- Board ID = 1, adc=79
- set vcck to 1070 mv
- set vddee to 1070 mv
- CPU clk: 1200MHz
- DDR3
- DDR scramble enabled
- DDR3 chl: Rank0+1 @ 792MHz - FAIL
- DDR3 chl: Rank0 @ 792MHz - FAIL
- DDR3 chl: Rank0 16bit @ 792MHz - FAIL
- DDR init failed...
- Reset...
- GXLX2:BL1:3cfee7:42a5ae;FEAT:ADFC318C:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
- TE: 62372
- BL2 Built : 15:03:51, Oct 26 2018.
- gxl gaf9186d-dirty - liqiang.hou@droid07-sz
- Board ID = 1, adc=79
- set vcck to 1070 mv
- set vddee to 1070 mv
- CPU clk: 1200MHz
- DDR3
- DDR scramble enabled
- DDR3 chl: Rank0+1 @ 792MHz - FAIL
- DDR3 chl: Rank0 @ 792MHz - FAIL
- DDR3 chl: Rank0 16bit @ 792MHz - FAIL
- DDR init failed...
- Reset...
- GXLX2:BL1:3cfee7:42a5ae;FEAT:ADFC318C:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
- TE: 62345
- BL2 Built : 15:03:51, Oct 26 2018.
- gxl gaf9186d-dirty - liqiang.hou@droid07-sz
- Board ID = 1, adc=79
- set vcck to 1070 mv
- set vddee to 1070 mv
- CPU clk: 1200MHz
- DDR3
- DDR scramble enabled
- DDR3 chl: Rank0+1 @ 792MHz - FAIL
- DDR3 chl: Rank0 @ 792MHz - FAIL
- DDR3 chl: Rank0 16bit @ 792MHz - FAIL
- DDR init failed...
- Reset...
- GXLX2:BL1:3cfee7:42a5ae;FEAT:ADFC318C:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
- TE: 62390
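The memory has failed, so how on earth is it supposed to boot! I don't know where the problem is. Supposedly a USB cable flash can unbrick it. But it never succeeded; the flashing tool always reported some USB errors. Then, on a last cable flash that I had no hope for, it actually flashed successfully! The package was "144-湖北移動E900V21C_S905L3B_emmc_線刷包-內有主板圖及短接點-語音OK【黑馬固件】(親測).zip".
My box is a Shandong Cable unit, so I assumed it would not match; flashing still reported an error, this time "low_power", but the counter kept running; in the background the TTL console printed a series of "12345", about one line per minute; then, 10 minutes later, the flashing software reported an error, and after a reboot the box had actually been flashed! However, when I opened the system information, the box had turned into a "CM211-1-CH"! The package I downloaded was for the E900V21C too! Damn it! I'll leave it at that for now. I later tried cable-flashing other packages, but they would not go in and reported errors, and the box still has this CM211-1-CH system. When flashing the package, do not tick the two erase options.
With the serial console attached during boot, you can see the boot log stop at this point; I thought it was stuck, but it is actually normal.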
- BL2 Built : 13:36:55, Jun 22 2020.
- gxl g85d6ad1 - longyong.chen@droid02-sz
- Board ID = 1, adc=79
- set vcck to 1070 mv
- set vddee to 1070 mv
- CARD_3 high, old board
- CPU clk: 1200MHz
- DDR3 chl: Rank0+1 @ 792MHz - FAIL
- DDR3 chl: Rank0 @ 792MHz - FAIL
- DDR3 chl: Rank0 16bit @ 792MHz - FAIL
- DDR4 chl: Rank0+1 @ 864MHz - FAIL
- DDR4 chl: Rank0 @ 864MHz
- bist_test rank: 0 1f 00 3f 3b 1d 59 1b 00 37 3f 20 5f 1b 00 37 45 28 62 19 00 33 41 23 60 609 - PASS
- Rank0: 1024MB(auto)-2T-18
- AddrBus test pass!
- -s
- Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
- New fip structure!
- Load bl30 from eMMC, src: 0x00010200, des: 0x013c0000, size: 0x00007600
- Load bl301 from eMMC, src: 0x00018200, des: 0x01380000, size: 0x00002400
- Load bl31 from eMMC, src: 0x0001c200, des: 0x10100000, size: 0x00019600
- Load bl33 from eMMC, src: 0x00038200, des: 0x01000000, size: 0x0007b000
- NOTICE: BL3-1: v1.0(debug):361f8a7
- NOTICE: BL3-1: Built : 16:43:26, Dec 19 2018
- NOTICE: BL31: GXL normal boot!
- NOTICE: BL31: BL33 decompress pass
- [Image: gxl_v1.1.3103-9234004 2018-12-27 10:43:23 yao.zhang@droid07]
- efuse init ops = c5
- efuse init hdcp = c, cf9=7
- x2_hp_e = 0
- bl30: check_permit, count is 1
- bl30: check_permit: ok!
- chipid: 0 0 3 c c 0 6a b3 48 a0 0 c5 not ES chip
- [0.976007 Inits done]
- INFO: BL3-1: Initializing runtime services
- WARNING: No OPTEE provided by BL2 boot loader
- ERROR: Error initializing runtime service opteed_fast
- INFO: BL3-1: Preparing for EL3 exit to normal world
- INFO: BL3-1: Next image address = 0x1000000
- INFO: BL3-1: Next image spsr = 0x3c9
- DRAM:
- MMC: In: Out: Err: ## defenv_reserve
- done
- wipe_data=successful
- wipe_cache=successful
- upgrade_step=2
- [BL31]: tee size: 0
- rebootmode=normal
- OK
- OK
- OK
- [ 0.000000@0] Initializing cgroup subsys cpu
- [ 0.000000@0] Initializing cgroup subsys cpuacct
- [ 0.000000@0] Linux version 3.14.29 (jenkins@ubuntu) (gcc version 4.9.2 20140 904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.0 9) ) #1 SMP PREEMPT Wed Mar 31 18:36:24 CST 2021
- [ 0.000000@0] CPU: ARMv71 Processor [410fd034] revision 4
- [ 0.000000@0] no prop version_code
- [ 0.000000@0] bootconsole [earlycon0] enabled
- get_dvfs_info 0001
- INFO: HDCP22 key read fail!
- INFO: p1d 0
- INFO: pd1 0
- Login: [BL31]: tee size: 0
- [BL31]: tee size: 0
- [BL31]: tee size: 0
- [BL31]: tee size: 0
- WARNING: Unimplemented Sip Call: 0x82000036
- start detecting wifi&Bt......
- wifi detected: uwe5621
I thought it was stuck here, but this turned out to be normal! Press Enter a few times and a login prompt appears:
- start detecting wifi&Bt......
- wifi detected: uwe5621
- Login:
- Login:
- Login:
- Login:
- Login:
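I tried logging in as root, and it actually let me in! The password can be found by searching online! If you don't want to search, see below:
Enter the user name root and the password chcmccch, and you are in as the root user!
After flashing the package above, the system is not rooted, and I could not find a root package to flash, so I rooted it manually, since I could already get root privileges over TTL!
Some of the information below came from online searches; I no longer remember exactly where, so my thanks to the original authors!
First, check with the cat /proc/mounts command; the result is as follows:
- root@p201_iptv:/system/bin # cat /proc/mounts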
- rootfs / rootfs ro 0 0 -------------Read Only!
- tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
- devpts /dev/pts devpts rw,relatime,mode=600 0 0
- proc /proc proc rw,relatime 0 0
- sysfs /sys sysfs rw,relatime 0 0
- debugfs /sys/kernel/debug debugfs rw,relatime 0 0
- configfs /sys/kernel/config configfs rw,relatime 0 0
- none /acct cgroup rw,relatime,cpuacct 0 0
- none /sys/fs/cgroup tmpfs rw,relatime,mode=750,gid=1000 0 0
- tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
- tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
- none /dev/cpuctl cgroup rw,relatime,cpu 0 0
- tmpfs /tmp tmpfs rw,relatime 0 0
- tmpfs /tmp/playInfoLog tmpfs rw,relatime 0 0
- tmpfs /tmp/capture tmpfs rw,relatime 0 0
- tmpfs /storage/external_storage tmpfs rw,relatime,mode=775,uid=1000,gid=1023 0 0
- /dev/block/system /system ext4 ro,nosuid,nodev,noatime,nodiratime,noauto_da_alloc,data=ordered 0 0 ----------------Read Only!
- /dev/block/cache /cache ext4 rw,nosuid,nodev,noatime,nodiratime,nodelalloc,noauto_da_alloc,data=ordered 0 0
- /dev/block/data /data ext4 rw,nosuid,nodev,noatime,nodiratime,discard,nodelalloc,noauto_da_alloc,data=ordered 0 0
- /dev/block/params /params ext4 rw,nosuid,nodev,noatime,nodiratime,nodelalloc,noauto_da_alloc,data=ordered 0 0
- /dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
- /dev/block/zram0 /swap_zram0 ext2 rw,relatime,errors=continue 0 0
- adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
- /dev/block/vold/8:1 /storage/external_storage/sda1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
- root@p201_iptv:/system/bin #
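I have marked two places in it as Read Only.
In the listing above you can see that the root directory "/" and the "/system" directory are both mounted "ro" (read-only), while the other file systems are mounted "rw" (read-write); this is why files cannot be created or copied in these two directories. The listing also shows that the device for the root directory is "rootfs" and the device for the "/system" directory is "/dev/block/system"; remounting these two as "rw" (read-write) is all that is needed. Run the following commands: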
- # Remount the root directory read-write
- mount -o rw,remount rootfs /
- # Remount the "/system" directory read-write
- mount -o rw,remount -t ext4 /dev/block/system /system
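Then I downloaded the su file from here ("A simple way to add root access to a set-top box / TV box ROOT. Many people always like to add root access, as if they could not eat or sleep well without it. Privilege escalation is convenient, but the risk it brings also grows geometrically; not recommended for ordinary users, ... (xgiu.com)"), put it into /system/bin, copied another one into /system/xbin, and then copied one more into /system/xbin, this time named daemonsu. All three files were given 06755 permissions.
At this point, running "/system/xbin/daemonsu --auto-daemon &" roots the box, but root disappears after a reboot, because there is nowhere that runs this line.
I went to even more trouble trying to get this line into some script, but btplay.sh had no effect; install_recovery.sh does not exist, and even after creating it and writing the line in, it did nothing...
Finally, while rooted, I solved the root problem with supersu.apk. When run, supersu.apk reports that the su file needs updating; choosing the normal method completes the root. If the other method is chosen, the box reboots into emergency recovery mode; I did not know what to do next and it looked nerve-racking, so I chose the normal mode again, and then it was rooted.
At this point the box is flashed and rooted.
I'll stop the notes here for now; the ending should be quite a relief. If anyone wants to go deeper into some details of the process, let's talk privately!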
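A host-side check for a captured mount table like the /proc/mounts listing in the post: it reports which file systems are protected only by being read-only and which writable ones still honour setuid or exec. This is an added example, not part of the original post; the sample lines are copied from that listing (one abridged), and the finding labels and the PSEUDO_FS set are assumptions of this sketch.

```python
from collections import namedtuple

# Lines copied from the listing in the post; the vfat line is abridged.
SAMPLE = """\
rootfs / rootfs ro 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/block/system /system ext4 ro,nosuid,nodev,noatime,nodiratime,noauto_da_alloc,data=ordered 0 0
/dev/block/data /data ext4 rw,nosuid,nodev,noatime,nodiratime,discard,nodelalloc,noauto_da_alloc,data=ordered 0 0
/dev/block/vold/8:1 /storage/external_storage/sda1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,gid=1015 0 0
"""

# Assumption of this sketch: kernel pseudo file systems are not audited.
PSEUDO_FS = {"proc", "sysfs", "devpts", "debugfs", "configfs", "cgroup", "functionfs"}

Mount = namedtuple("Mount", "device mountpoint fstype options")

def parse_mounts(text):
    """Parse /proc/mounts text: device, mountpoint, fstype, options, dump, pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        # Keep only the name of key=value options (mode=755 -> mode).
        opts = frozenset(o.split("=", 1)[0] for o in fields[3].split(","))
        mounts.append(Mount(fields[0], fields[1], fields[2], opts))
    return mounts

def audit(mounts):
    """Return {mountpoint: [findings]} for mounts a reviewer should look at."""
    report = {}
    for m in mounts:
        if m.fstype in PSEUDO_FS:
            continue
        findings = []
        if "rw" in m.options and "nosuid" not in m.options:
            findings.append("writable without nosuid")
        if "rw" in m.options and "noexec" not in m.options:
            findings.append("writable without noexec")
        if "ro" in m.options and "nosuid" not in m.options:
            findings.append("read-only is the only protection (no nosuid)")
        if findings:
            report[m.mountpoint] = findings
    return report

if __name__ == "__main__":
    for mountpoint, findings in audit(parse_mounts(SAMPLE)).items():
        print(mountpoint, "->", "; ".join(findings))
```

Run against a capture taken before and after a change to the device, the difference between the two reports shows which mount protections were lost.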