First, let's take a look at the router's exterior.
From the outside it looks normal enough: a three-antenna design, which the vendor claims gives a stronger signal and better wall penetration. Is that so? Out comes the screwdriver. Look at the photo: the circuit board is tiny, about half the size of the case. I had expected something much larger, given the rows of vent holes on the shell. The internal wiring is tidy enough, including the leads to the three antennas. Enough about the board; which CPU is it? Yes, the mainstream MediaTek MT7620N (MTK 7620N), which is still a reasonable performer. Memory next: 8 MB of RAM (the bootloader output below reports 8 MB of DRAM; the flash is a separate, much smaller SPI chip). That is decent for a home router, but if you want to flash a third-party system you would probably have to replace the memory chips with larger ones.

Next... wait, I think I've found something. I'll let the picture speak. You are not seeing things: that part is simply not soldered on. And what is it? It is the middle one of the three antennas. Look closely! Gaoke, is this the "high-performance wall-penetrating three-antenna design" you advertise so loudly? A dummy antenna to fool customers? Right, rant over; let's move on.

On the board I found the reserved serial pads, clearly labelled RX, TX, GND and 5V. We will use this UART to talk to the router. The one pad we do NOT need is 5V: connecting it to a TTL-to-USB module can easily burn out the router board, so leave it unconnected. The TTL-to-USB module used here is a CP2102 module, which looks like this:
To make debugging convenient I soldered a pin header onto the router's reserved serial pads; here is what it looks like afterwards. Nice, right? Then connect the router to the TTL module with female-to-female Dupont jumpers: the router's TX goes to the module's RX, the router's RX to the module's TX, and GND to GND (a crossed connection, as with any UART link). Plug the module into the PC and install the CP2102 driver. I recommend installing it with 驱动精灵 (Driver Genius); installing through 驱动人生 (Driver Talent) may leave the system unable to recognise the USB device at all. Once the device is recognised, serial communication can begin. Here is a picture of the finished connection. The next tool is SecureCRT. First open "Manage" on My Computer, go to Device Manager, expand "Ports (COM & LPT)" and find the port number assigned to the TTL module, here COM5.
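Finding the right baud rate is trial and error, and that trial can be scripted. The following is an added example written for this write-up, not the author's tool: it assumes pyserial is installed (pip install pyserial) and that the adapter's port name is passed on the command line (COM5 here, something like /dev/ttyUSB0 on Linux; both are placeholders). The candidate rates and the console markers it looks for come from the boot log printed further down.

```python
"""Probe a router UART for the baud rate that yields readable output.

Added example for this write-up, not the author's code. Assumes pyserial
is installed and the CP2102 shows up as a serial port (COM5 / /dev/ttyUSB0
are placeholders). The scoring functions need no hardware.
"""
import sys
import time
from typing import Optional

# Rates worth trying on a router UART. 57600 is the Ralink/MediaTek
# U-Boot default; the others are the usual suspects.
CANDIDATE_BAUDS = (57600, 115200, 9600, 19200, 38400)

# Strings that only appear when the rate is right: bootloader text and
# the router's own shell prompt, as seen in the captured boot log.
KNOWN_MARKERS = (b"U-Boot", b"Ralink", b"DRAM", b"CMD>", b"Please choose")


def text_score(chunk: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF.

    A wrong baud rate produces mostly bytes >= 0x80 and control
    characters; the right one produces almost entirely printable text.
    """
    if not chunk:
        return 0.0
    ok = sum(1 for b in chunk if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(chunk)


def looks_like_console(chunk: bytes, min_ratio: float = 0.9) -> bool:
    """True when the chunk contains a known marker or is clean text."""
    if any(m in chunk for m in KNOWN_MARKERS):
        return True
    return len(chunk) >= 32 and text_score(chunk) >= min_ratio


def probe_baud(port: str, window: float = 3.0) -> Optional[int]:
    """Open each candidate rate in turn; return the first that decodes.

    The board must be printing while this runs, so power-cycle it right
    after starting the script. Returns None if no rate fits.
    """
    import serial  # pyserial; imported here so the scorers work without it

    for baud in CANDIDATE_BAUDS:
        with serial.Serial(port, baud, timeout=0.2) as ser:
            ser.reset_input_buffer()
            buf = b""
            deadline = time.monotonic() + window
            while time.monotonic() < deadline:
                buf += ser.read(256)
                if looks_like_console(buf):
                    return baud
    return None


def capture_boot_log(port: str, baud: int, seconds: float = 30.0) -> bytes:
    """Record whatever the UART prints for a while (the boot log)."""
    import serial

    out = b""
    with serial.Serial(port, baud, timeout=0.5) as ser:
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            out += ser.read(4096)
    return out


if __name__ == "__main__":
    port = sys.argv[1] if len(sys.argv) > 1 else "COM5"   # placeholder port
    print("power-cycle the router now...")
    found = probe_baud(port)
    print("baud:", found)
    if found:
        log = capture_boot_log(port, found)
        with open("bootlog.txt", "wb") as f:
            f.write(log)
        print("saved", len(log), "bytes to bootlog.txt")
```

Leave the 5V pad unconnected exactly as described above; the script only ever touches TX, RX and GND through the adapter. Saving the capture to a file also gives you something to diff against after a firmware update.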
Then open SecureCRT and create a new connection: baud rate 57600, port COM5, everything else at its defaults. Why 57600? Largely trial and error. 57600 is the default for Ralink/MediaTek U-Boot builds; 9600, 19200 and 115200 are the other common rates. Try them one by one: with the wrong rate the echoed data is all garbage. With the connection created, test it: unplug the router's power and plug it back in, and the boot messages appear in the terminal window. Here is the boot log I captured:

U-Boot 1.1.3 (Nov 23 2012 - 13:41:42)

Board: Ralink APSoC
DRAM:  8 MB
relocate_code Pointer at: 807b4000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
spi_wait_nsec: 42
spi device id: c2 20 14 c2 20 (2014c220)
Warning: un-recognized chip ID, please update bootloader!
raspi_read: from:20000 len:1000
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.0.0.0
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 64 Mbits SDR
DRAM bus: 16 bit
Total memory: 8 MBytes
Flash component: SPI Flash
Date:Nov 23 2012  Time:13:41:42
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 600 MHZ ####
 estimate memory size =8 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 0

3: System Boot system code via Flash.
## Booting image at bc030000 ...
raspi_read: from:30000 len:40
   Image Name:   zxrouter
   Image Type:   MIPS Linux Standalone Program (uncompressed)
   Data Size:    819952 Bytes = 800.7 kB
   Load Address: 80500000
   Entry Point:  80500000
raspi_read: from:30040 len:c82f0
   Verifying Checksum ... OK
OK
ZzOK
ifra305x eth0: init pnde=803285a8, sc=80322280, ifp=8032244c
ifra305x: driver init
ifra305x: init numtxd=128 txd-base=800 at a0332b20
ifra305x: init num_rxd=64 rxd_base=900 at a0333320
CFG_load: flash offset=3060, len=1044
cfg_parse: add cfg item=316 (4164 bytes)
CFG_load: flash read 316 items(4164 bytes) into ram
cfg_parse: null config!
CFG_load: read-only 2 items(48 bytes) into ram
CFG_load: total 318 items(4212 bytes)
ssid = GAOKE_2f6b78
cfg_parse_wlan: parse 3000 bytes!
Parsing WIFI configuration succeeds
cfg_get_mac: id=0 : 00:16:78:2f:6b:78
ifra305x eth1: init pnde=803285b8, sc=80322350, ifp=80322494
cfg_get_mac: id=1 : 00:16:78:2f:6b:78
<-- RTMPAllocAdapterBlock, Status=0
IP Filter: v3.4.31 initialized.  Default = pass all, Logging = disabled
[cpuload_init]:calibration=9986985
Operation Mode: Gateway
ifra305x0: start
ifra305x0: start
-----------------------------------------
eth0: Get IP by manual
IP address:192.168.8.1
MASK:255.255.255.0
Broadcast:192.168.8.255
Gateway:255.255.255.255
Server:0.0.0.0
mtu:0
Domain Name:
-----------------------------------------
interface eth0 init_net successed!
[DOT1X] Dot1x_Reboot
[DOT1X] DOT1X_Stop
[DOT1X] 1x daemon not running
interfaces.rtapd == NULL
[00000069] RX DESC 0xa0653000  size = 1024
<-- RTMPAllocTxRxRingMemory, Status=0
[00000071] ===>RtmpNetTaskInit
[00000071] <===RtmpNetTaskInit
[00000073] APSDCapable[0]=0
[00000074] APSDCapable[1]=0
[00000074] APSDCapable[2]=0
[00000075] APSDCapable[3]=0
[00000075] APSDCapable[4]=0
[00000076] APSDCapable[5]=0
[00000076] APSDCapable[6]=0
[00000077] APSDCapable[7]=0
[00000077] APSDCapable[8]=0
[00000078] APSDCapable[9]=0
[00000078] APSDCapable[10]=0
[00000079] APSDCapable[11]=0
[00000079] APSDCapable[12]=0
[00000080] APSDCapable[13]=0
[00000080] APSDCapable[14]=0
[00000081] APSDCapable[15]=0
[00000081] default ApCliAPSDCapable[0]=0
[00000082] Key1Str is Invalid key length(0) or Type(0)
[00000083] Key2Str is Invalid key length(0) or Type(0)
[00000084] Key3Str is Invalid key length(0) or Type(0)
[00000085] Key4Str is Invalid key length(0) or Type(0)
[00000087] MACRepeaterEn=0
[00000089] 1. Phy Mode = 9
[00000090] 2. Phy Mode = 9
[00000090] E2PROM: D0 target power=0xff20
[00000091] E2PROM: 40 MW Power Delta= 0
[00000092] 3. Phy Mode = 9
[00000092] AntCfgInit: primary/secondary ant 0/1
[00000093] Initialize RF Central Registers for E2 !!!
[00000094] D1 = 0, D2 = 4, CalCode = 9 !!!
[00000095] RT6352_Temperature_Init : BBPR49 = 0x0
[00000096] RT6352_Temperature_Init : TemperatureRef25C = 0xfffffff6
[00000097] Current Temperature from BBP_R49=0xfffffffd
[00000099] TX BW Filter Calibration !!!
[00000112] RX BW Filter Calibration !!!
[00000136] LOFT Calibration Done!
[00000136] IQCalibration Start!
[00000138] IQCalibration Done! CH = 0, (gain= f, phase= 2)
[00000139] IQCalibration Start!
[00000141] IQCalibration Done! CH = 1, (gain= 0, phase= 2)
[00000142] TX IQ Calibration Done!
[00000146] RXIQ Sigma_i=1118, Sigma_q=1107, R_iq=-650
[00000147] RXIQ Sigma_i=1045, Sigma_q=1039, R_iq=-800
[00000148] internal ALC is not enabled in NVM !
[00000149] MCS Set = ff ff 00 00 01
[00000157] Main bssid = 00:16:78:2f:6b:78
<==== rt28xx_init, Status=0
0x1300 = 00064300
br_add_all : num=2, brdg=bridge0, arglists[1]=ra0
br_add_all : num=2, brdg=bridge0, arglists[0]=eth0
bridge0: flags=45<UP,DEBUG,RUNNING>
        Interfaces:
                eth0 flags=3<LEARNING,DISCOVER>
                ra0 flags=3<LEARNING,DISCOVER>
        Addresses (max cache: 100, timeout: 300):
CFG_commit: 0 update!
DNS_daemon dnsMasqstart
interfaceGet(): bind socket successful on 192.168.8.1:53
serverInit(): DNS Server List
   0. 192.168.8.1:53
[00000165][SYS] Ver 2.1.2.121 Tue Oct 07 09:11:13 2014
CMD>[DOT1X] Dot1x_Reboot
[DOT1X] DOT1X_Stop
[DOT1X] 1x daemon not running
interfaces.rtapd == NULL
[DOT1X] ra0 is up !
[DOT1X] AuthMode=0, IEEE8021X=0
[DOT1X] Don't need trigger the 1x Daemon
zweb_location:80254557
There is a lot to read out of this. U-Boot is 1.1.3, an old build from 2012 (Ralink's own 4.0.0.0 branch of it). The SoC is a Ralink (now MediaTek) part and there are 8 MB of RAM. One line in particular stands out:
Warning: un-recognized chip ID, please update bootloader! The bootloader does not recognise the flash chip's ID, so the bootloader really is quite old. The ID printed just above that warning, c2 20 14, is the chip's JEDEC ID: manufacturer byte 0xC2 is Macronix, and for this family the third byte is log2 of the capacity in bytes, so 0x14 means 1 MB of SPI flash. That matches the 800 KB firmware image U-Boot then loads from flash offset 0x30000, and it means the board has 8 MB of RAM but only 1 MB of flash; a third-party firmware would need a bigger flash chip before anything else. The next warning, "bad CRC, using default environment", means the U-Boot environment block read from flash (offset 0x20000) failed its checksum, so the built-in defaults are in use. The CPU runs at 600 MHz. Finally, during boot the bootloader shows a menu with a short countdown; this is where you go when reflashing. Here it is again:
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

These options are what you use when reflashing; search the web if you want the details of each, they are well documented. The default is 3, boot the system from flash. Nothing in this menu is authenticated: with the UART connected you can pick 1 or 2 to load arbitrary code over TFTP, 9 to overwrite the bootloader itself, or 4 for a U-Boot command line. Physical access to the serial pads is full control of the device, and the CMD> prompt at the end of the boot log shows that the firmware's own shell is handed out on the serial console the same way, with no login. One more detail: U-Boot reports the image type as a Standalone Program, not a kernel image, so despite the "MIPS Linux" wording this firmware is a single monolithic program rather than a Linux kernel plus root filesystem.
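The reading of the boot log done above by hand can be turned into a script that triages any serial capture the same way. This is an added example, not the vendor's or the author's code; the sample log it parses is a constructed excerpt of the capture printed in this post, and the JEDEC vendor table is a short list of common SPI NOR makers, not a complete one.

```python
"""Triage a captured U-Boot boot log from a router's serial console.

Added example for this write-up, not the vendor's or the author's code.
It extracts the bootloader build, RAM size, the SPI flash JEDEC ID
(decoded), the firmware image header and the bootloader menu, and flags
the warnings and prompts a reviewer cares about. SAMPLE_LOG is a
constructed excerpt of the output shown in this post.
"""
import re
from typing import Dict, List

# JEDEC manufacturer bytes for SPI NOR vendors common in routers.
JEDEC_MANUFACTURERS = {0xC2: "Macronix", 0xEF: "Winbond", 0x1C: "EON",
                       0x20: "Micron/ST", 0xBF: "SST", 0xC8: "GigaDevice"}

SAMPLE_LOG = """\
U-Boot 1.1.3 (Nov 23 2012 - 13:41:42)
spi device id: c2 20 14 c2 20 (2014c220)
Warning: un-recognized chip ID, please update bootloader!
*** Warning - bad CRC, using default environment
Total memory: 8 MBytes
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 0
3: System Boot system code via Flash.
   Image Name:   zxrouter
   Image Type:   MIPS Linux Standalone Program (uncompressed)
   Data Size:    819952 Bytes = 800.7 kB
   Load Address: 80500000
   Entry Point:  80500000
CMD>[DOT1X] Dot1x_Reboot
"""


def decode_jedec_id(id_bytes: str) -> Dict[str, object]:
    """Decode 'c2 20 14' into vendor, type byte and capacity.

    For the common SPI NOR families the third byte is log2 of the
    capacity in bytes: 0x14 -> 1 MiB, 0x18 -> 16 MiB.
    """
    mfr, dev_type, cap = [int(x, 16) for x in id_bytes.split()[:3]]
    return {"manufacturer": JEDEC_MANUFACTURERS.get(mfr, "unknown (0x%02x)" % mfr),
            "type": dev_type, "capacity_bytes": 1 << cap}


def parse_boot_log(text: str) -> Dict[str, object]:
    """Extract bootloader facts and security-relevant findings."""
    info: Dict[str, object] = {}
    findings: List[str] = []

    m = re.search(r"U-Boot (\S+) \(([^)]*)\)", text)
    if m:
        info["uboot_version"], info["uboot_build"] = m.group(1), m.group(2)
    m = re.search(r"Total memory:\s*(\d+)\s*MBytes", text)
    if m:
        info["ram_mb"] = int(m.group(1))
    m = re.search(r"spi device id:\s*([0-9a-f]{2} [0-9a-f]{2} [0-9a-f]{2})", text)
    if m:
        info["flash"] = decode_jedec_id(m.group(1))
    if "un-recognized chip ID" in text:
        findings.append("bootloader does not know the flash chip (stale flash table)")
    if "bad CRC, using default environment" in text:
        findings.append("U-Boot environment in flash is invalid; built-in defaults in use")

    # uImage header fields, printed as "   Image Name:   zxrouter"
    header: Dict[str, str] = {}
    for key in ("Image Name", "Image Type", "Data Size", "Load Address", "Entry Point"):
        m = re.search(key + r":\s*(.+)", text)
        if m:
            header[key] = m.group(1).strip()
    if header:
        info["image"] = header
        if "Standalone" in header.get("Image Type", ""):
            findings.append("firmware image is a U-Boot standalone program, not a Linux kernel")

    # Bootloader menu: the numbered lines directly after the prompt.
    menu: Dict[str, str] = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Please choose the operation:":
            for entry in lines[i + 1:]:
                m = re.match(r"\s*(\d): (.+)", entry)
                if not m:
                    break
                menu[m.group(1)] = m.group(2).strip()
            break
    if menu:
        info["boot_menu"] = menu
        if any("TFTP" in v for v in menu.values()):
            findings.append("bootloader menu loads/flashes code over TFTP with no authentication")
    if re.search(r"^CMD>", text, flags=re.M):
        findings.append("serial console drops into the CMD> shell with no login")

    info["findings"] = findings
    return info


if __name__ == "__main__":
    for k, v in parse_boot_log(SAMPLE_LOG).items():
        print(k, "=", v)
```

Feed it the file saved from the UART capture instead of SAMPLE_LOG and the findings list becomes the first page of a hardware review: stale bootloader, invalid environment, unauthenticated TFTP load and an open serial shell are each one line.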
Next I wondered: can we telnet into the router?
Without further ado I grabbed an Ethernet cable and plugged it into a LAN port. The terminal window showed the router handing my laptop the address 192.168.8.2:
ESW: Link Status Changed - Port 3 Link up
Route - dst: 192.168.8.2, mask: 255.255.255.255, gateway: 192.168.8.2
SIOCDELRT: No such process
check ip passed
[00008925][DHCPD] sending OFFER of 192.168.8.2
[00008926][DHCPD] broadcasting packet to client
[00008927][DHCPD] Recive REQUEST
[00008927][DHCPD] sending ACK to 192.168.8.2
[00008928][DHCPD] broadcasting packet to client
[http]: file "webnoauth/model.cgi" not found
[http]: file "router/get_rand_key.cgi" not found
[http]: file "router/get_rand_key.cgi" not found
[http]: file "router/get_rand_key.cgi" not found
[http]: file "router/get_rand_key.cgi" not found
[00009300][DHCPD] unicasting packet to client ciaddr
[00009301][DHCPD] Receive 192.168.8.2 inform
Open PuTTY and connect over telnet (SecureCRT can do telnet as well; I simply prefer PuTTY for it). On Gaoke routers the default user admin cannot be changed, and the default password is gaoke. After a successful telnet login you land at the CMD> console.
As on most routers, help lists the available commands. Good, there is the output: these commands operate directly on the router's internal settings, and to learn how a particular command is used, enter it and run help inside it. Next, log in to the router with a browser. As soon as the web login succeeds, the serial terminal prints the router's login password:
call CFG set SYS_ADMPASS=[gaoke]
CFG_commit: 0 update!

So the admin password is handled by the configuration store in plaintext and echoed to the debug console on every web login. Anyone holding the UART, or anyone who later reads a saved serial capture, gets the password for free.
I poked around in the telnet shell for a good while without finding any especially useful command. Several commands, on the other hand, hang the router outright: the terminal just shows system halted.
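The telnet session described above (log in, then run help) can be scripted without telnetlib, which was removed from the Python standard library in 3.13. This is an added example, not the author's or the vendor's code. It assumes the router answers on port 23 at the LAN address shown in the boot log; the login and password prompt strings are guesses to adjust to whatever the unit actually prints, while the CMD> prompt and the admin / gaoke credentials are the ones this post reports.

```python
"""Minimal telnet client for a router's CMD> shell, without telnetlib.

Added example for this write-up, not the author's or the vendor's code.
Talks to port 23 over a plain socket and handles telnet option
negotiation itself: refusing every option is enough for a text session.
The login/password prompt strings are assumptions; 192.168.8.1, CMD>
and admin / gaoke come from the post.
"""
import socket
from typing import Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_iac(data: bytes) -> Tuple[bytes, bytes]:
    """Split telnet commands out of data; return (text, replies_to_send).

    Every DO is answered with WONT and every WILL with DONT, so the peer
    falls back to a plain NVT session. Subnegotiations (SB ... SE) are
    dropped. An incomplete command at the end of the buffer is discarded.
    """
    text, replies = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes((IAC, WONT, opt))
            elif cmd == WILL:
                replies += bytes((IAC, DONT, opt))
            i += 3
        elif cmd == SB:                     # skip to IAC SE
            end = data.find(bytes((IAC, SE)), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                               # NOP, GA and friends
            i += 2
    return bytes(text), bytes(replies)


def read_until(sock: socket.socket, marker: bytes, timeout: float = 5.0) -> bytes:
    """Read, answering negotiation, until marker arrives or time runs out."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        text, replies = strip_iac(chunk)
        if replies:
            sock.sendall(replies)
        buf += text
    return buf


def run_command(host: str, user: str, password: str, command: str,
                login_prompt: bytes = b"login:",      # assumed prompt text
                pass_prompt: bytes = b"assword:",     # assumed prompt text
                shell_prompt: bytes = b"CMD>") -> str:
    """Log in over telnet, run one command and return its output."""
    with socket.create_connection((host, 23), timeout=5) as s:
        read_until(s, login_prompt)
        s.sendall(user.encode() + b"\r\n")
        read_until(s, pass_prompt)
        s.sendall(password.encode() + b"\r\n")
        read_until(s, shell_prompt)
        s.sendall(command.encode() + b"\r\n")
        out = read_until(s, shell_prompt)
    body = out.split(b"\r\n", 1)[-1]        # drop the echoed command line
    return body.replace(shell_prompt, b"").decode(errors="replace").strip()


if __name__ == "__main__":
    # Default credentials admin / gaoke, as reported in the post.
    print(run_command("192.168.8.1", "admin", "gaoke", "help"))
```

Only script commands you have already tried by hand: as noted above, several of this shell's commands halt the device, and a loop that walks the whole help list will find them for you the hard way.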
That's it for this round. When I have time I will look at the Gaoke firmware itself: this unit runs 2.4.1.8, and the latest release is 2.4.20 (published 20 January 2015). Next time I will go straight to the firmware.
!!! For reprints, first contact non3gov@gmail.com for permission, and credit the author and the original link prominently !!!