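Original description:
1. Optimized system resources at boot;
2. Optimized the smoothness of the reversing camera;
3. Optimized the 丰云悦享 login algorithm;
Note: do not cut power during the upgrade!
If the upgrade fails, contact your local dealer promptly.
Features of this file:
Ignores the current version: even if the current version is higher than v1.000062, this file can still be used to overwrite the head-unit system
Can force a downgrade
Usage:
Extract the archive to get the NVF-9108ZT folder, then put the whole folder in the root directory of a USB flash drive.
Note: the head unit in the hybrid Camry is model NVF-9308 and cannot use this file; the head unit will not recognize it, so don't waste your effort.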
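The reason the Spectrum RAC2V1S's 2.4 GHz radio cannot be driven has been found: the prebuilt Broadcom wireless drivers in the ASUS RT-AC86U source code include no driver for the bcm43602, and the 2.4G wireless chip in the Spectrum RAC2V1S is a bcm43602, not a bcm4365e. The wikidevi site lists the wrong wireless chip model for the Spectrum RAC2V1S.
When it comes to Broadcom wireless drivers, I basically don't know how to solve it, because they are closed source. The RT-AC68U is known to use the bcm43602 wireless chip, but its kernel is 2.6, far below the RT-AC86U's 4.1, and the toolchain is different as well, so that driver cannot be used.
To drive the 2.4G radio under Merlin firmware on the RAC2V1S, a possible solution is a hardware mod that replaces the wireless chip. I worked out the cost, though: the chip is about 60 yuan and a hot-air gun is several hundred more, so I dropped it. I may buy a hot-air gun for other reasons later and hardware-mod the RAC2V1S while I'm at it, but I don't recommend it for ordinary hobbyists.
If you don't mind about the wireless and still want to try Merlin, or want to unlock the dial-up function of the stock firmware, you can contact me. The contact method is still the QQ icon at the bottom right; my contact details can be found through the link.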
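Not cracked yet; publishing the paths that did not work and the paths I am about to try
I recently bought a car, but the head unit really annoys me because it cannot install third-party apps.
The head unit runs Android 7.1 and the hardware is a run-of-the-mill configuration, but the system security is done very well.
Attempt 1: assuming the head unit has adb enabled, port-scan it to find the adb port or other service ports
Conclusion: adb is not enabled and no service is listening on any port; the device is watertight
Attempt 2: I thought this was an entry point only I had found, but other users found it too; see the post https://tieba.baidu.com/p/7751675087.
This method is a backdoor left by the manufacturer and requires a password. Trying simple passwords got nowhere. I had wanted to capture the system upgrade package and unpack it to look for the password, but my head unit has always been on the latest system version, so I cannot use this method. Users who have the chance can provide me with an offline upgrade package.
Method 3: not yet tried. The principle is that the head unit's WeChat app checks whether its own version is the latest and then upgrades itself; one can build a fake server and then hijack DNS so that WeChat installs another app such as "悟空遥控" for the next step of the crack.
Problem: I previously wanted to capture the system upgrade requests, but found that all requests are https and the head unit cannot install a self-signed certificate, so I could not analyse the request contents. As I recall, WeChat self-update is also https traffic, so I feel hijacking may not get through; to be verified.
Packet capture confirms it is http traffic. The request address is: http://dldir1.qq.com/weixin/android/car/wxcrSgns.xml
The response is: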
<wxcrconfig>
<update>
<channelId>Not-Exist</channelId>
<targetVersion>21000D00</targetVersion>
<url> http://dldir1.qq.com/weixin/android/car/wechat-v1.0.13.0.2472-release-202111232123.apk </url>
<md5>41d10f3b5fe6e870a0486b794eb434b7</md5>
<desc>Not exist channeIld, up to CDN</desc>
<silent>true</silent>
</update>
</wxcrconfig>
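I'll write a fake server when I have time; for now, going through the WeChat car edition's self-upgrade vulnerability looks feasible.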
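Why an updater should not trust a response like the one above, as an added example that is not part of the original post: the script parses a manifest of this shape and lists the properties that leave the download unauthenticated. The finding labels and the `sha256` and `signature` element names are assumptions made for the example; the manifest in the post has neither element.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Request address and response body as quoted in the post, embedded so the
# example runs offline.
MANIFEST_URL = "http://dldir1.qq.com/weixin/android/car/wxcrSgns.xml"
MANIFEST_XML = """<wxcrconfig>
<update>
<channelId>Not-Exist</channelId>
<targetVersion>21000D00</targetVersion>
<url> http://dldir1.qq.com/weixin/android/car/wechat-v1.0.13.0.2472-release-202111232123.apk </url>
<md5>41d10f3b5fe6e870a0486b794eb434b7</md5>
<desc>Not exist channeIld, up to CDN</desc>
<silent>true</silent>
</update>
</wxcrconfig>"""

# Finding labels are names chosen for this example.
PLAINTEXT_MANIFEST = "manifest-fetched-over-http"
PLAINTEXT_PACKAGE = "package-url-is-http"
MD5_ONLY = "integrity-is-md5-only"
UNSIGNED = "no-signature-over-manifest"
SILENT = "silent-install-requested"


def _is_https(url):
    return urlsplit(url.strip()).scheme.lower() == "https"


def audit_update_manifest(manifest_url, xml_text,
                          strong_digest_tag="sha256", signature_tag="signature"):
    """Return one report per <update> entry listing its weak trust properties.

    strong_digest_tag and signature_tag are hypothetical element names: the
    manifest in the post has neither, which is what the findings record.
    """
    # ElementTree is adequate for this embedded sample; for documents taken
    # from the network a hardened parser (e.g. defusedxml) is the safer choice.
    root = ET.fromstring(xml_text)
    reports = []
    for upd in root.iter("update"):
        pkg_url = (upd.findtext("url") or "").strip()
        md5 = (upd.findtext("md5") or "").strip()
        strong = (upd.findtext(strong_digest_tag) or "").strip()
        findings = []
        if not _is_https(manifest_url):
            # Whoever answers the request controls every field below.
            findings.append(PLAINTEXT_MANIFEST)
        if not _is_https(pkg_url):
            findings.append(PLAINTEXT_PACKAGE)
        if re.fullmatch(r"[0-9a-fA-F]{32}", md5) and not strong:
            # The digest travels in the same document as the URL, so it only
            # detects transfer corruption, not substitution.
            findings.append(MD5_ONLY)
        if upd.find(signature_tag) is None:
            findings.append(UNSIGNED)
        if (upd.findtext("silent") or "").strip().lower() == "true":
            findings.append(SILENT)
        reports.append({
            "targetVersion": (upd.findtext("targetVersion") or "").strip(),
            "url": pkg_url,
            "findings": findings,
        })
    return reports


if __name__ == "__main__":
    for report in audit_update_manifest(MANIFEST_URL, MANIFEST_XML):
        print(report["targetVersion"], report["url"])
        for finding in report["findings"]:
            print("  -", finding)
```

A client that pins the publisher's signing key and verifies a signature over the manifest before acting on any field would reject a substituted response regardless of transport.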
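Latest: one line of code turns off the APP whitelist configuration, install any APP, USB upgrade base package download
The above is aimed at modification and accessory shops; the material pack is provisionally priced at RMB5000. If interested, contact me via QQ at the bottom right.
Offline upgrade package: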
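Merlin release for the first half of 2022.
Based on stock Merlin 386.7 with the software center added; everything else is security updates, and the features are inherited from the Spring 2021 release.
Before flashing, make sure the CFE version is 2.2 for the best experience; CFE 2.2 fixes a problem that could cause bricking.
Features:
Installation notes:
After upgrading the firmware, restore factory settings, otherwise some functions will not work properly
Tips:
To install the previous version's software center apps offline, download the file https://sc.paldier.com/arm/softcenter/app.json.js, then follow the article "[Tutorial] Manually obtaining the latest koolshare software center installation packages"
100 浪币 have been credited in the back end to all users who purchased the previous version; please check your balance. If you think this firmware is good, you can tip the article
Firmware download address: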
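The wireless is still not solved. From checking devpath, to the driver, to the GPIO levels, every time I thought it was about to be solved.
In the end it was all in vain. We'll see if luck allows; it is a black box, nothing can be done, and there is no reference material.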
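The partitions on Broadcom ARM64 chips differ from those on the earlier ARMv7 chips; you cannot tell what a partition does from its name.
Generally, the CFE on Broadcom ARM64 chips has three parts: cfe, cfe_ram and cfe_rom. I have not worked out the relationship between the three; in any case, all of them must be present.
One thing is certain, though: the mtd0 partition is still the partition where u-boot lives, but it is not the only CFE partition; generally, a complete CFE has three partitions.
Judging from the multiple machines of multiple brands I have studied, however, the mtd0 partition is named nvram, while in fact this partition has nothing to do with nvram. The real nvram content sits at a location specified by the firmware, and different vendors specify the location and method differently.
First, the importance of nvram content for Broadcom-based routers: the Broadcom wireless NIC needs nvram to supply some configuration parameters, so wrong nvram content directly causes the wireless to fail.
Next, where and how ASUS HND series routers (including the AX series) store the factory nvram:
asuswrt stores the factory nvram in the misc1 partition, which is defined as mtd10 in the firmware
asuswrt stores the live nvram in misc2, which is defined as mtd9 in the firmware
Now the key part, the steps to modify the contents of misc1:
The tutorial ends here. This is not a foolproof tutorial; it only gives the lost masses a direction. Stop guessing how to modify the default nvram using the approach from old models. Moreover, this operation is not modifying the CFE; it is just that the CFE partition on old models (RT-AC68U etc.) contained the default nvram data in plaintext, which is why people keep calling this operation "modifying the CFE". To stress it once more: the CFE is a bootloader, not the text data you think it is! Broadcom's new architecture no longer includes the default nvram in the CFE partition, which in practice spares a lot of losses for the idiots who like to flash CFE at the drop of a hat.
There is no more detailed method, but I take orders online, hahaha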
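Starting with the new Broadcom architecture, the u-boot and nvram partitions changed a lot. Most importantly, boards based on the bcm94908 reference board have no reserved position for NOR flash, and the CFE source code likewise has no code for booting from NOR flash, so unbricking this model is very hard.
No SoC datasheet for the bcm4908/4906 exists anywhere on the net, so making changes on the circuit board is very difficult. Once the machine is bricked, JTAG is not possible, because it is hard to find the wiring.
The last unbricking method, and possibly the only one, is to desolder the nand and program it. But the nand in the Spectrum RAC2V1S has no pins, that is, it is a BGA-package nand; a nand programmer and socket for this package cost enough to buy 6 Spectrum RAC2V1S units
In summary, since flashing the Merlin CFE into the Spectrum RAC2V1S is a one-shot chance with no room for any error, I do not recommend that individuals tinker with it. In a word: you may really not have the financial means, and even if you do it is not necessary; given how high-risk this machine is, I suggest you buy an RT-AC86U directly.
So this method is mainly aimed at sellers; the sale price is RMB 3000
Flashing service, orders taken online:
RMB 60 per job; in principle no disassembly; return postage not included; leave a comment if needed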
Finally got a shell with root privileges and backed up the entire 256MB nand.
The partition table is also in the archive.
Partition locations:
0x000000000000-0x000000020000 : "nvram"
0x000000020000-0x0000000c0000 : "cfe"
0x0000000c0000-0x000000980000 : "boot"
0x000000980000-0x00000c8c0000 : "ubi"
0x00000c8c0000-0x000010000000 : "data"
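Splitting a full backup along this table, as an added example that is not from the original post: the script parses the listing, checks that the partitions are contiguous and block-aligned, and writes one file per partition with its SHA-256 so later copies can be compared. It assumes the backup is a flat image of main-area data with no spare/OOB bytes and a 128 KiB erase block; the function names are made up for the example.

```python
import hashlib
import os
import re

# Partition table exactly as listed in the post.
PARTITION_TABLE = '''\
0x000000000000-0x000000020000 : "nvram"
0x000000020000-0x0000000c0000 : "cfe"
0x0000000c0000-0x000000980000 : "boot"
0x000000980000-0x00000c8c0000 : "ubi"
0x00000c8c0000-0x000010000000 : "data"
'''

ERASE_BLOCK = 0x20000  # assumed 128 KiB erase block
# Names are limited to safe characters because they become file names.
LINE_RE = re.compile(
    r'^\s*0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*["“”]([A-Za-z0-9_-]+)["“”]\s*$')


def parse_table(text):
    """Return [(name, start, end)] with end exclusive, in listing order."""
    parts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised partition line: %r" % line)
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end <= start:
            raise ValueError("empty or inverted range for %s" % m.group(3))
        parts.append((m.group(3), start, end))
    return parts


def check_layout(parts, erase_block=ERASE_BLOCK):
    """Require contiguous, block-aligned partitions from offset 0; return total size."""
    expected = 0
    for name, start, end in parts:
        if start != expected:
            raise ValueError("gap or overlap before %s at 0x%x" % (name, start))
        if start % erase_block or end % erase_block:
            raise ValueError("%s is not aligned to the erase block" % name)
        expected = end
    return expected


def carve(dump_path, parts, out_dir, erase_block=ERASE_BLOCK):
    """Write <name>.bin per partition and return {name: sha256 hex digest}."""
    total = check_layout(parts, erase_block)
    size = os.path.getsize(dump_path)
    if size != total:
        # A raw programmer read that includes spare/OOB bytes is larger than
        # the table and must be stripped before it can be split by offset.
        raise ValueError("dump is %d bytes, table covers %d" % (size, total))
    digests = {}
    with open(dump_path, "rb") as src:
        for name, start, end in parts:
            src.seek(start)
            remaining = end - start
            h = hashlib.sha256()
            with open(os.path.join(out_dir, name + ".bin"), "wb") as dst:
                while remaining:
                    chunk = src.read(min(remaining, 1 << 20))
                    if not chunk:
                        raise IOError("short read in %s" % name)
                    dst.write(chunk)
                    h.update(chunk)
                    remaining -= len(chunk)
            digests[name] = h.hexdigest()
    return digests


if __name__ == "__main__":
    table = parse_table(PARTITION_TABLE)
    print("table covers %d MiB" % (check_layout(table) >> 20))
    for name, start, end in table:
        print("%-6s offset 0x%08x size %6d KiB" % (name, start, (end - start) >> 10))
```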
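Finally unlocked the firmware upgrade page on the official firmware. Here is a picture, but there is no firmware: the official site does not provide it, and two rounds of searching the whole net turned up nothing.
Exported this router's complete bootlog after startup, for other tinkerers to look at together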
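At present, with the stock CFE, this is about the only useful thing that can be done with TTL connected.
Day one of tinkering: opened the case and soldered on a TTL header. After finishing I found it was not necessary, but I am recording the whole process anyway.
No teardown pictures, but the teardown steps for the RAC2V1S differ from those for the RAC2V1K and the others; the internal structure is different even though they look the same from outside.
A brief description of the steps:
The whole teardown is fairly tedious, especially prying off the top and bottom covers. Once it is open, solder TTL pin headers at the position shown in the picture; the definition of each TTL pin is as shown. Note that when connecting TTL, the router's RXD goes to the programmer's TXD, the router's TXD goes to the programmer's RXD, GND goes to GND, and the 3.3 V VCC must not be touched.
After soldering, I found I might as well not have, because the commands built into the official CFE are of little use. The only gain was a clear look at the boot log, from which I learned that it is a 256MB nand, not 128MB as I previously thought, exactly the same as the ASUS AC-86U.
The way to enter commands over TTL on this model differs from other routers: there is no pressing CTRL+C or the space bar to interrupt log mode. For all its commands, pressing the ^ key twice in a row brings up a help menu, and the commands printed by help are then entered as ^ plus a letter (the one in parentheses after the command). It is very awkward, and there are no more advanced commands.
I then found two pieces of bad news for porting Merlin firmware:
1. The machine has only nand flash, and nand programmers are expensive
2. The machine's CFE has no miniweb, the stock firmware's web UI has no firmware upload page, and there is nowhere to download the official firmware.
So for the Spectrum RAC2V1S to run Merlin, one has to use a programmer to write the RT-AC86U's cfe and boot partitions, or even the firmware partition, onto the nand. Another way is to solder on a SPI flash and boot from it, but the circuit for changing the boot order is unknown.
In summary, the first person to eat the crab is in a rather painful spot right now: this machine can only get Merlin through hardware modding. Not recommended for beginners.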
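I have no interest in conventional-looking routers; the trash-can form factor saves desk space. This time I switched to a square trash can, as the successor to the DIR-868L.
Pictures first
Specifications: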
Series: AC2900
CPU1: Broadcom BCM4906 (1.8 GHz, 2 cores)
FLA1: 256 MiB (Spansion Model?)
RAM1: 512 MiB (Samsung K4B4G1646E-BYK0)
Expansion IFs: USB 3.0
USB ports: 1
WI1 chip1: Broadcom BCM4366E
WI1 802dot11 protocols: an+ac
WI1 MIMO config: 4×4:4
WI1 antenna connector: none
WI2 chip1: Broadcom BCM4365E
WI2 802dot11 protocols: bgn
WI2 MIMO config: 3×3:3
WI2 antenna connector: none
ETH chip1: Broadcom BCM4906
Switch: Broadcom BCM4906
LAN speed: 1G
LAN ports: 4
WAN speed: 1G
WAN ports: 1
abgn+ac
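This configuration is comparable to the ASUS RT-AC86U: from CPU to RAM to ROM, and the wireless chips, it is exactly the same. This router's wireless signal is very good, and it can be regarded as the ultimate value-for-money WIFI5 product.
But that is provided you buy it for under 150 yuan; above that it is not worth it, since no third-party firmware supports it yet and even the stock firmware is English-only, which is not very friendly.
For new WIFI6 routers in the next few years, there probably won't be any bargains to pick up. Mainly, wifi6 routers with 10G ports can currently be counted on one's fingers, and they all cost several thousand. As for the others with 2.5G, and only on the WAN port at that, why buy them; wait a few more years.
RAC2V1S is a series; the same series also has the RAC2V1A and RAC2V1K, both of which use Qualcomm chips. Those who like openwrt can buy these two. I am not buying them anyway; there are too many openwrt routers.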
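Version number notes:
The previous version was 2.9. From this version on, version numbers are marked as year + quarter; this is the Spring 2021 release
Main updates:
Update notes:
1. Upload the update directly in the admin page of the old firmware version
2. Keep the CFE version at 2.2
3. If the software center does not work properly, restore factory settings in the admin page
Special thanks to paldier for the software center; the online server also uses the default one from his code, as the author could not be bothered to set one up.
Users who tipped this site earlier have had 1000 浪币 credited from the back end in batches, equivalent to a lifetime membership; if you have not been credited, leave a comment.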