From http://www.youback.net/arm/%E6%9F%90%E5%85%AC%E5%8F%B83531%E6%9D%BF%E5%AD%90%E8%B0%83%E8%AF%95%E7%AC%94%E8%AE%B0.html
For work I needed to debug a company's 3531 board and run our program on it. I learned a few things during the debugging process, so I am recording them here.
After getting the board, I found the serial port and connected to it. The serial output at power-on is as follows:
u-boot 2010.06-svn83 (Jan 06 2013-17:36:14)
dram:256 MiB
nand:special Nand ID Table Version 1.35
Nand id:0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
No NAND device found!!!
MiB
Spi (CS1) id:0xc2 0x20 0x18 0xC2 0x20 0x18
Spi (CS1): block:64kb chip:16mb Name: "mx25l128"
ENVCRC 0X8197CCC1
env_size = 0X3FFFC
in:serial
out:serial
err:serial
boardvalue:0x1
PHY 0x02:oui = 0x1374, Model = 0x07, Rev = 0x02, PHY not link!
user init finish.
Press ctrl-c to abort autoboot in 0 secondscfg_boot_addr:0x58080000
From this output, the board's hardware parameters can be read off:
DDR: 256MB
Flash: 16M SPI flash
After this the serial port prints nothing further. The kernel load messages are not output, so serial console output has evidently been disabled. I waited for the board to finish starting and then tried Telnet:
telnet 192.168.1.10
I tried to log in as root with an empty password, which failed. A few other simple passwords did not work either. Telnet was not usable for the moment, so I looked for another way.
The U-Boot startup messages contain this line: Press Ctrl-c to abort autoboot in 0 secondscfg_boot_addr:0x58080000
I restarted the device and pressed Ctrl-C right away. Luckily the boot loader is not encrypted, so this was not a dead end.
Enter printenv in U-Boot to view the startup parameters:
bootargs=mem=160m console=ttyAMA0,115200 root=1f01 rootfstype=cramfs mtdparts=hi_sfc:512k(boot),4M(Romfs),5632K(usr),1536K(web),3M(custom),256K(logo),1280K(MTD)
We can see rootfstype=cramfs: the entire root file system is cramfs. A cramfs root file system can be mounted or extracted locally, so we can inspect and change the files inside it.
We can also rebuild a cramfs image from the original one and write it back, which immediately suggests a way to deal with the Telnet password.
From the boot parameters, the flash is divided into 6 zones. The offset address of each partition is calculated as follows:
uboot (uboot_xm.bin): 0x0~0x80000 512K (0x80000)
romfs (romfs.cramfs): 0x80000~0x480000 4M (0x400000)
user (user.cramfs): 0x480000~0xa00000 5632K (0x580000)
web (web.cramfs): 0xa00000~0xb80000 1536K (0x180000)
custom (custom.cramfs): 0xb80000~0xe80000 3M (0x300000)
logo (not dumped): 0xe80000~0xec0000 512k (0x80000)
mtd (not dumped): 0xec0000~0xffffff 1280K (0x140000)
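The offset calculation can be done mechanically from the mtdparts string. The following is an added example, not part of the original post; it assumes sequential partitions with decimal sizes and an optional k/m suffix, which is all this board's bootargs use, and the function names are made up for illustration.

```python
import re

# mtdparts value from the bootargs above (spaces removed, names lowercased)
MTDPARTS = ("hi_sfc:512k(boot),4M(romfs),5632K(usr),1536K(web),"
            "3M(custom),256K(logo),1280K(mtd)")
FLASH_SIZE = 16 * 1024 * 1024  # 16M SPI flash reported by U-Boot

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_mtdparts(spec):
    """Return (device, [(name, offset, size), ...]) for one mtdparts device."""
    device, _, parts = spec.partition(":")
    layout, offset = [], 0
    for part in parts.split(","):
        m = re.fullmatch(r"(\d+)([kKmM]?)\((\w+)\)", part.strip())
        if not m:
            raise ValueError(f"unsupported partition spec: {part!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        layout.append((m.group(3), offset, size))
        offset += size  # partitions follow each other without gaps
    return device, layout


def check_layout(layout, flash_size):
    """Return the end offset of the last partition; raise if it exceeds flash."""
    end = layout[-1][1] + layout[-1][2] if layout else 0
    if end > flash_size:
        raise ValueError(f"layout ends at {end:#x}, flash is {flash_size:#x}")
    return end


if __name__ == "__main__":
    device, layout = parse_mtdparts(MTDPARTS)
    for name, offset, size in layout:
        print(f"{name:8s} {offset:#08x}~{offset + size:#08x} ({size:#x})")
    print("end of layout:", hex(check_layout(layout, FLASH_SIZE)))
```

The computed logo size is 0x40000 (256K, as given in bootargs), and the partitions end exactly at 0x1000000, the 16M reported for the SPI flash.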
How do we get the 4M romfs partition out? It is really simple: read the flash into memory, then send it from memory to a TFTP server with tftp.
Change the TFTP server address in U-Boot to the address of my TFTP server:
setenv serverip 192.168.0.7
sa    # save the modified parameters, otherwise they are lost on restart
Plug in the network cable and use the following commands to upload the romfs to the TFTP server:
mw.b 0x82000000 0xFF 0xb00000
sf probe 0
sf read 0x82000000 0x80000 0x400000
tftp 0x82000000 romfs.cramfs 0x400000
If there are no errors, the image has been uploaded to the TFTP server. Copy romfs.cramfs to a local directory and execute the following command:
cramfsck -x romfs romfs.cramfs
(If you can't find the cramfsck or mkcramfs command, see my other blog post on the workaround for Fedora not finding mkfs.jffs2, genext2fs and mkcramfs.)
This extracts romfs.cramfs into the romfs directory, where I checked its startup scripts.
etc/inittab has nothing of interest.
etc/init.d/rcS has a lot of information:
#!/bin/sh
mount -t cramfs /dev/mtdblock2 /usr
mount -t cramfs /dev/mtdblock3 /mnt/web
mount -t cramfs /dev/mtdblock4 /mnt/custom
mount -t cramfs /dev/mtdblock5 /mnt/logo
mount -t jffs2 /dev/mtdblock6 /mnt/mtd
.....
...
cd /usr/etc
./loadmod
.....
.....
Only the important parts are shown here. You can see that the partitions are basically all cramfs, which means the files in them hold no secrets from us.
Using the same method, we can get all the files in the other partitions.
Now all that remains is to deal with the Telnet password. We know that the Telnet password is stored in etc/passwd. Replace the root user's entry in that file with:
root:$1$$qRPK7m23gjusamgpoglby/:0:0::/root:/bin/sh
We can then use the root password to log in. Execute the following command to create the cramfs file system:
mkcramfs romfs romfs_root.cramfs
This completes the cramfs file system. Write it back to the flash on the board using TFTP as before: reboot into U-Boot and enter the following commands:
mw.b 0x82000000 0xFF 0xb00000
tftp 0x82000000 romfs_root.cramfs
sf probe 0
sf erase 0x80000 0x400000
sf write 0x82000000 0x80000 0x400000    # be very careful not to get the address wrong, otherwise the firmware in flash will be destroyed
reset
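Before erasing the 4M romfs partition it is worth checking on the host that the rebuilt image is an intact cramfs image and fits the partition (a rebuilt romfs.cramfs larger than 4M comes up later in these notes). The following is an added example, not part of the original post; it assumes a little-endian image built with the version 2 superblock that carries a CRC, and the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45             # cramfs superblock magic
CRAMFS_SIGNATURE = b"Compressed ROMFS"
FLAG_FSID_VERSION_2 = 0x1             # set when the CRC field is valid
ROMFS_PART_SIZE = 0x400000            # 4M romfs partition from the page's layout


def check_cramfs(image, part_size=ROMFS_PART_SIZE):
    """Return a list of problems; an empty list means the image passed."""
    if len(image) < 48:
        return ["shorter than a cramfs superblock"]
    magic, size, flags, _ = struct.unpack_from("<4I", image, 0)
    if magic != CRAMFS_MAGIC or image[16:32] != CRAMFS_SIGNATURE:
        return ["not a little-endian cramfs image"]
    problems = []
    if len(image) > part_size:
        problems.append(
            f"image is {len(image):#x} bytes, partition holds {part_size:#x}")
    if size > len(image):
        problems.append("file is shorter than the size in the superblock")
    elif flags & FLAG_FSID_VERSION_2:
        (stored,) = struct.unpack_from("<I", image, 32)
        # The CRC covers the whole file system with the CRC field zeroed.
        body = image[:32] + b"\0" * 4 + image[36:size]
        if zlib.crc32(body) & 0xFFFFFFFF != stored:
            problems.append("CRC mismatch: image is corrupt or was modified")
    return problems


def build_sample_image(length=4096):
    """Constructed sample: a superblock plus zero padding, with a valid CRC."""
    head = struct.pack("<4I", CRAMFS_MAGIC, length, FLAG_FSID_VERSION_2, 0)
    head += CRAMFS_SIGNATURE + bytes(16) + b"sample".ljust(16, b"\0")
    image = bytearray(head.ljust(length, b"\0"))
    struct.pack_into("<I", image, 32, zlib.crc32(bytes(image)) & 0xFFFFFFFF)
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image()
    print(check_cramfs(sample))                  # passes
    print(check_cramfs(sample, part_size=2048))  # too large for the partition
```

For a real image, pass the bytes of romfs_root.cramfs read from disk; any returned problem is a reason not to run sf erase.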
The system restarts successfully, and on the serial port the following prompt appears directly:
Logging in with Telnet is OK as well.
Successfully logged on via Telnet
Next comes mounting NFS. I mounted the root_fs directory of my virtual machine on the board; all the programs, including the libraries and so on, are placed on the NFS share. Then I set several environment variables:
mount -o nolock 192.168.1.22:/root_fs /home
export LD_LIBRARY_PATH=/home/lib:$LD_LIBRARY_PATH
export QT_QWS_FONTDIR=/home/lib/font
export PATH=/home/lib:$PATH
After some debugging and looking around, I found that the vendor's software is entirely statically compiled, and there is not a single system library file on the board. My program is compiled against dynamic libraries, so I also copied the system libraries such as glibc to root_fs.
The program still would not run. BusyBox has also been trimmed down, so few commands are available. I wanted to replace BusyBox, but the resulting romfs.cramfs was larger than 4M, so I did not go through with it. In the end
I could only use the following command to start the program:
ld-2.11.1.so ./gui_test -qws
Error:
Cannot create Qt for Embedded Linux data directory: /tmp/qtembedded-0
My program is a Qt GUI program. Only today did I learn that a Qt program writes files to the /tmp directory when it runs. The root file system is cramfs (which is read-only), so the solution is clear: put /tmp in memory.
mount -t tmpfs none /tmp
One more remark: this company's 3531 board is actually quite well done. Under cost pressure, things like flash are naturally kept to 16M.
A company 3531 Board debug notes--Reprint