Osmocom-BB MOTO C118硬刷

简介: 写在最前面,先知我YY下硬刷最好可能实现的功能: 1.把软件刷入flash,修改loader后,可以实现上电就自动运行程序; 2.硬刷后,程序自动起来,可以修改loader就行加密 3.硬刷后,有可能把osmocon cell 等软件整到windwos 省去虚拟机.

写在最前面,先知我YY下硬刷最好可能实现的功能:

1.把软件刷入flash,修改loader后,可以实现上电就自动运行程序;

2.硬刷后,程序自动起来,可以修改loader就行加密

3.硬刷后,有可能把osmocon cell 等软件整到windwos 省去虚拟机.操作方便...(这个是YY的,暂时还不知道....)

4.硬刷后,手机可以变成砖头.

5.刷机有风险,变砖头就损失20RMB,请慎重....哈哈!~

大家自己玩玩就好了,有啥问题就别找我麻烦了...哈哈哈~~

资料来源:

http://bb.osmocom.org/trac/wiki/flashing_new

1.flash layout & memory layout

The memory is mapped as follows:
0x000000-0x00ffff: Flash page 0
0x010000-0x01ffff: Flash page 1
... more Flash pages ...
0x800000-0x83ffff: Ram
Our flash layout is:

0x000000-0x001fff: Compal loader
0x002000-0x00ffff: OSMOCOM menu
0x010000-........: OSMOCOM application and storage

2.代码修改:

git branch 
* master 请用这个分支;
$ cd src/target/firmware/
$ vim Makefile
CFLAGS += -DCONFIG_FLASH_WRITE
CFLAGS += -DCONFIG_FLASH_WRITE_LOADER
CFLAGS += -DCONFIG_TX_ENABLE

编译代码
make clean
make

3.下载一个loader程序到ram,为后面刷机程序提供一个平台.

cd src
host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor target/firmware/board/compal_e88/loader.compalram.bin
按开机.

终端打印如下:

root@ubuntu:/home/ll/osmocombb/testing/osmocom-bb/src/host/osmocon# ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin 
got 1 bytes from modem, data looks like: 2f  /
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 3 bytes from modem, data looks like: 02 00 41  ..A
got 1 bytes from modem, data looks like: 01  .
got 1 bytes from modem, data looks like: 40  @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=32988, hdr_len=4, dnload_len=32995
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 43  C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/32995)
handle_write(): 4096 bytes (8192/32995)
handle_write(): 4096 bytes (12288/32995)
handle_write(): 4096 bytes (16384/32995)
handle_write(): 4096 bytes (20480/32995)
handle_write(): 4096 bytes (24576/32995)
handle_write(): 4096 bytes (28672/32995)
handle_write(): 4096 bytes (32768/32995)
handle_write(): 227 bytes (32995/32995)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 03  .
got 1 bytes from modem, data looks like: 42  B
Received DOWNLOAD ACK from phone, your code is running now!
Received DOWNLOAD ACK from phone, your code is running now!
battery_compal_e88_init: starting up


OsmocomBB Loader (revision osmocon_v0.0.0-1753-ge6372a2-modified)
======================================================================
Running on compal_e88 in environment compalram

4.保留原始的loader

$ cd src
$ host/osmocon/osmoload memdump 0x000000 0x2000 compal_loader.bin

备份好这个 compal_loader.bin 文件.

5.为了避免把手机变成砖头先测试下是否可以读写flash.(请参照上面一步的办法把手机里面原始flash的数据备份一份,否则整坏以后,手机就不能复原了)

$ host/osmocon/osmoload funlock 0x010000 0x10000
$ host/osmocon/osmoload ferase 0x010000 0x10000
$ host/osmocon/osmoload fprogram 0 0x010000 compal_loader.bin
$ host/osmocon/osmoload fprogram 0 0x012000 target/firmware/board/compal_e88/menu.e88loader.bin

测试如果没有问题,我们就可以刷入loader了.

$ host/osmocon/osmoload funlock 0x000000 0x10000
$ host/osmocon/osmoload ferase 0x000000 0x10000
$ host/osmocon/osmoload fprogram 0 0x000000 compal_loader.bin
$ host/osmocon/osmoload fprogram 0 0x002000 target/firmware/board/compal_e88/menu.e88loader.bin

这里需要注意的

menu.e88loader.bin 这个是* jolly/menu branch才能有的.请自行下载编译.

funlock 每次开机后都需要做这个。

menu这个文件,就是类似一个菜单的东西.

6.把app程序刷入flash.

app刷入flash,需要利用第五步的menu程序.

menu程序识别app的方式:header + app

echo "highram:RSSI" >temp
cat target/firmware/board/compal_e88/rssi.highram.bin >>temp

temp文件必须是偶数长度

$ ls -la temp
-rw-r--r-- 1 root root 83761 Sep 27 10:08 temp
$ echo >>temp
$ ls -la temp
-rw-r--r-- 1 root root 83762 Sep 27 10:08 temp

刷app到flash:

$ host/osmocon/osmoload funlock 0x010000 0x20000
$ host/osmocon/osmoload ferase 0x010000 0x20000
$ host/osmocon/osmoload fprogram 0 0x010000 temp

注意刷入数据flash的范围

0x010000到0x200000,单位为0x10000;

7.余下来的操作:

Power off your phone.

Disconnect the serial cable.

Turn it on (push power button), the OSMOCOM menu will appear and show available applications.

Use up/down keys or digits to select the application.

Press the green off-hook button, the application will be loaded to ram and is started.

Alternatively press the digit as shown in front of the application's name.

刷机后的效果图,刷机确实成功了..不是YY的..

相关文章
|
2月前
|
安全 网络协议
刘三姐故乡的某网站被植入下载Worm.Win32.Delf.bse, Worm.Win32.Viking.ls等的代码
刘三姐故乡的某网站被植入下载Worm.Win32.Delf.bse, Worm.Win32.Viking.ls等的代码
|
6月前
|
芯片 内存技术
NUC980 添加XT25BF256BWSIG spi-nor flash
NUC980 添加XT25BF256BWSIG spi-nor flash
93 2
|
6月前
rock rv1126buildroot增加ntp过程
rock rv1126buildroot增加ntp过程
230 0
|
6月前
|
芯片
AW2013芯片讲解
AW2013芯片讲解
163 0
|
人工智能 监控 安全
GE IC697CPX928-FE HONEYWELL CC-PAOX01
GE IC697CPX928-FE HONEYWELL CC-PAOX01
52 0
|
监控 程序员 芯片
ABB PPC905AE101 3BHE014070R0101 由陶瓷基板上包含分立元件的电路板
ABB PPC905AE101 3BHE014070R0101 由陶瓷基板上包含分立元件的电路板
127 0
ABB PPC905AE101 3BHE014070R0101 由陶瓷基板上包含分立元件的电路板
|
机器学习/深度学习
高通Qualcomm平台lk(light kernel)启动流程2——aboot_init()
0lk 启动总体流程 1lk启动流程代码 lk app aboot abootc 更多相关文章: 《高通Qualcomm平台lk(light kernel)启动流程1——aboot_init()之前》: http://blog.
3780 1
|
内存技术 开发工具 git
|
开发工具 git C语言