中兴F7606P修复实战速览

mgsxer

24小时前，兴冲冲的拿着移动原版国货之光回家，思考半天搞定win10下本地编译py脚本执行的方式，还有本地telnet登录，顺利刷了大佬教程的联通固件（日志如下，没有错误信息）。

F7607P
Login: g8agM3M4
Password:

BusyBox v1.17.2 (2019-06-14 10:38:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # df
Filesystem           1024-blocks    Used Available Use% Mounted on
/dev/root                37632     35252      2380  94% /
/dev/mtdblock3            2048       484      1564  24% /tagparam
tmpfs                    20480       480     20000   2% /var
tmpfs                   102400         0    102400   0% /upgtempfile
tmpfs                     2048         0      2048   0% /var/osstmp
tmpfs                     2048         0      2048   0% /mnt
tmpfs                    16384        20     16364   0% /var/felix-temp
tmpfs                    15360       144     15216   1% /tmp
/dev/mtdblock5            8192       616      7576   8% /userconfig
/dev/mtdblock6            6144       384      5760   6% /usr/local/ct
ubi0_0                   37960     36900      1060  97% /usr/tmp
/dev/loop0               37888     37888         0 100% /usr/java
ubi1_0                   41744      5980     33596  15% /usr/plugin
/dev/mtdblock4            2048       420      1628  21% /wlan
cgroup_root             225640         0    225640   0% /sys/fs/cgroup
/dev/sda1             30293904   6351328  23942576  21% /mnt/usb1_1
/ # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 10000000 00020000 "whole flash"
mtd1: 00200000 00020000 "u-boot"
mtd2: 00200000 00020000 "others"
mtd3: 00200000 00020000 "parameter tags"
mtd4: 00200000 00020000 "wlan"
mtd5: 00800000 00020000 "usercfg"
mtd6: 00600000 00020000 "middle"
mtd7: 02800000 00020000 "kernel1"
mtd8: 02800000 00020000 "kernel2"
mtd9: 03200000 00020000 "osgi1"
mtd10: 03200000 00020000 "osgi2"
mtd11: 03600000 00020000 "plugin_data"
mtd12: 024c0000 00020000 "rootfs"
/ #
/ # dd if=/dev/mtd0 of=/mnt/usb1_1/f7607p_dd.bin
524288+0 records in
524288+0 records out
/ # cat /dev/mtd0 > /mnt/usb1_1/f7607p_cat.bin
/ # nand kread /dev/mtd0 0x0 0x10000000 /mnt/usb1_1/f7607p_nand.bin
malloc fail!
/ # df
Filesystem           1024-blocks    Used Available Use% Mounted on
/dev/root                37632     35252      2380  94% /
/dev/mtdblock3            2048       484      1564  24% /tagparam
tmpfs                    20480       480     20000   2% /var
tmpfs                   102400         0    102400   0% /upgtempfile
tmpfs                     2048         0      2048   0% /var/osstmp
tmpfs                     2048         0      2048   0% /mnt
tmpfs                    16384        20     16364   0% /var/felix-temp
tmpfs                    15360       144     15216   1% /tmp
/dev/mtdblock5            8192       616      7576   8% /userconfig
/dev/mtdblock6            6144       384      5760   6% /usr/local/ct
ubi0_0                   37960     36900      1060  97% /usr/tmp
/dev/loop0               37888     37888         0 100% /usr/java
ubi1_0                   41744      5980     33596  15% /usr/plugin
/dev/mtdblock4            2048       420      1628  21% /wlan
cgroup_root             225640         0    225640   0% /sys/fs/cgroup
/dev/sda1             30293904   6875616  23418288  23% /mnt/usb1_1
/mnt/usb1_1 # ls
Android                       f7607p_cat.bin
DVR                           f7607p_dd.bin
LOST.DIR                      framework.bin
Lexar DataSafe_windows.exe    kernel.bin
LexarDataSafe_mac_1.0.31.pkg  plugin_data.bin
System Volume Information     preplugin.bin
aimp_3.10.1036.apk

/ # fw_flashing
g_zte_current_version_base_address=1600000
<b000000005>11932:12:21 [U_fw_flashing][Error] [fw_flashing.c(2246)main] baseaddr:1600000, curpdev=/dev/mtd7, offset=0
<b000000005>11932:12:21 [U_fw_flashing][Error] [fw_flashing.c(2251)main] open  failed!
<b000000005>11932:12:21 [U_fw_flashing][Error] [fw_flashing.c(2371)main] fw_flashing error
/ # upgradetest switchver 1
<a00002a025>11932:14:18 [U_upgradetest][Crit] [upgrade_test.c(143)main] LOG_SEC: Upgradetest switchver!
ONT software versin switched to region 1.
Please reboot ONT to change software version.
success!
/ # cd /mnt/usb1_1
/mnt/usb1_1 # echo 2 > /proc/zteinfo/factory/factorymode
/mnt/usb1_1 # touch /userconfig/nanddebug
/mnt/usb1_1 # nand kerase /dev/mtd8 0x0 0x2800000
/mnt/usb1_1 # nand kwrite /dev/mtd8 0x0 0x2800000 ./kernel.bin
length=0x2800000,offset=0x0
kwriteffset=0x0, *length=0x2800000
real=2800000
kwrite afterffset=0x0, *length=0x2800000
/mnt/usb1_1 # reboot
/mnt/usb1_1 #

遗失对主机的连接。


然后，就没有然后了......电源灯闪灭，复位无效。开始意识到这是逼我出道既巅峰的节奏.....

xulinvip

没看到啊

mgsxer

今天到公司，自己拆机。找硬件组帮忙焊3根插针，按照大佬们的指导贴，用公司的FT232插上，xshell回显UART信息。发现kernel居然没报错，还要启动4个核了......
SPI NAND
start read bootloader
secure boot
CBC decrypt OK!
CBC decrypt OK!
verify OK!
Jump

enter bootloader...
pll init, cpu freq=1100

crpm init ok
product_vid == 69,ddrsize == 0x20000000
ddr3 init, rate=1600Mbps
ddr3 init 3
ddr3 init 3
ddr3 init done
Calibration pull UP:        0x17
Calibration pull DOWN:        0x1e

ddr init ok
SPI NAND
ncfg:111013
1,40,b,800
secure uboot
verify OK!
backup header!!
Jump


U-Boot 2016.01-rc3 (Oct 14 2022 - 19:24:51 +0800)

CPU  : ZX279132@A53,1100MHZ
Board: ZTE zx279132evb
I2C:   ready
DRAM:  496 MiB
el=3
product_vid = 69
vid=69-F7607P
mtk reset,66
NAND:  spifc pin mux config ok!!!
manuid=2c,24
found flash: SPI NAND MT29F2G01ABAGDWB 256MiB 3,3V
Micron SPI NAND MT29F2G01ABAGDWB 256MiB 3,3V
256 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64
256 MiB
In:    serial
Out:   serial
Err:   serial
Net:   No ethernet found.
rx data disable
mdio_miiphy_initialize
addr 0x15600018 before value is 1f0000
addr 0x15600018 after value is 1f0000
addr 0x15600018 after value is 1f01ff
AN1_pll_lock_finish
mode_10g_epon_nsyn_fifo_cfg
top soft reset =0x313
com_pll_lock_ready
rx los =0 rx data in
switch security version start...
sec mode!
### main_loop entered: bootdelay=1

Hit any key to stop autoboot:  0
rx data disable
zboot info init done!
select=0x0
<nand_read_skip_bad_,1199>!mtdpart=0x6,offset=0x0,mtdpartoffset=0x200000,mtdPartsize=0x200000,length=0x1000
tmp=0x00000001, value=1
select=0x1
search=0x2
search->result[1].entry=3e00240,offset=240
<nand_read_skip_bad_,1199>!mtdpart=0x3,offset=0x0,mtdpartoffset=0x3e00000,mtdPartsize=0x2800000,length=0x2600000
verify vmlinuz success!!
RSA Verify OK
start 3e00000-6600000
no jffs2 found!
<nand_read_skip_bad_,1199>!mtdpart=0x0,offset=0x0,mtdpartoffset=0x0,mtdPartsize=0x180000,length=0x180000
lseek=0x8c084c80
cmdline=U-Boot V2.0.0P1N4 20220516225243
kernel start step1..images->state:70f
    ==BOOTM_STATE_START:1
    ==BOOTM_STATE_FINDOS:2
## Loading kernel from FIT Image at 88000240 ...
   Using 'conf@132SG' configuration
   Trying 'kernel@A53' kernel subimage
     Description:  Unify(TODO) Linux kernel for project-131G
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x88000348
     Data Size:    3275946 Bytes = 3.1 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x80080000
     Entry Point:  0x80080000
   Verifying Hash Integrity ... OK
    ==BOOTM_STATE_FINDOTHER:4
## Loading fdt from FIT Image at 88000240 ...
   Using 'conf@132SG' configuration
   Trying 'fdt@132SG' fdt subimage
     Description:  Flattened Device Tree blob for project-132SG
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x883200e0
     Data Size:    35163 Bytes = 34.3 KiB
     Architecture: AArch64
   Verifying Hash Integrity ... OK
   Booting using the fdt blob at 0x883200e0
    ==BOOTM_STATE_LOADOS:8
   Uncompressing Kernel Image ... OK
kernel start step6..
   Loading Device Tree to 0000000083ff4000, end 0000000083fff95a ... OK

Starting kernel ...

first spin
first spin
first spin
first spin
CPUID:0 cpunoline 1 nucpus 4 try wake up secondary cpu from rom.
CPUID:1  wake up from rom.
CPUID:2  wake up from rom.
CPUID:3  wake up from rom.
init psci ok!!
cpu 1 power on
cpu 1 has been powered on
cpu 2 power on
cpu 2 has been powered on
cpu 3 power on
cpu 3 has been powered on


看来刷的联通固件出现偶发错误了（我还放U盘后做了SHA256呢，我就.....）

mgsxer

下班回家赶紧注册个新手，上来仔细思考下。因为我只刷了MTD8，而且引导信息启动地址也是MTD8的，于是就用MTD7的覆盖了MTD8，这样不需要TFTP。反正有TTL，也不怕了。于是，猫修好了......
Hit any key to stop autoboot:  0
=> nand read 0x88000000 0x1600000 0x2800000

NAND read: device 0 offset 0x1600000, size 0x2800000
read:1,off:1600000,rwsize:2800000,maxsize:ea00000
41943040 bytes read: OK
=> nand write 0x88000000 0x3e00000 0x2800000

NAND write: device 0 offset 0x3e00000, size 0x2800000
read:0,off:3e00000,rwsize:2800000,maxsize:c200000
need_skip:0
41943040 bytes written: OK
=> nand bad

Device 0 bad blocks:
=> reset
resetting ...
SPI NAND
start read bootloader
secure boot
CBC decrypt OK!
CBC decrypt OK!
verify OK!
Jump

enter bootloader...
pll init, cpu freq=1100

crpm init ok
product_vid == 69,ddrsize == 0x20000000
ddr3 init, rate=1600Mbps
ddr3 init 3
ddr3 init 3
ddr3 init done
Calibration pull UP:        0x18
Calibration pull DOWN:        0x1f

ddr init ok
SPI NAND
ncfg:111013
1,40,b,800
secure uboot
verify OK!
backup header!!
Jump


U-Boot 2016.01-rc3 (Oct 14 2022 - 19:24:51 +0800)

CPU  : ZX279132@A53,1100MHZ
Board: ZTE zx279132evb
I2C:   ready
DRAM:  496 MiB
el=3
product_vid = 69
vid=69-F7607P
mtk reset,66
NAND:  spifc pin mux config ok!!!
manuid=2c,24
found flash: SPI NAND MT29F2G01ABAGDWB 256MiB 3,3V
Micron SPI NAND MT29F2G01ABAGDWB 256MiB 3,3V
256 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64
256 MiB
In:    serial
Out:   serial
Err:   serial
Net:   No ethernet found.
rx data disable
mdio_miiphy_initialize
addr 0x15600018 before value is 1f0000
addr 0x15600018 after value is 1f0000
addr 0x15600018 after value is 1f01ff
AN1_pll_lock_finish
mode_10g_epon_nsyn_fifo_cfg
top soft reset =0x313
com_pll_lock_ready
rx los =0 rx data in
switch security version start...
sec mode!
### main_loop entered: bootdelay=1

Hit any key to stop autoboot:  0
rx data disable
zboot info init done!
header crc error,add=0x03e00000
select=0x0
<nand_read_skip_bad_,1199>!mtdpart=0x6,offset=0x0,mtdpartoffset=0x200000,mtdPartsize=0x200000,length=0x1000
tmp=0x00000001, value=1
select=0x0
search=0x1
search->result[0].entry=1600240,offset=240
<nand_read_skip_bad_,1199>!mtdpart=0x2,offset=0x0,mtdpartoffset=0x1600000,mtdPartsize=0x2800000,length=0x24a0000
verify vmlinuz success!!
RSA Verify OK
start 1600000-3e00000
addrstart=1940000,jffsoffset=340000
<nand_read_skip_bad_,1199>!mtdpart=0x0,offset=0x0,mtdpartoffset=0x0,mtdPartsize=0x180000,length=0x180000
lseek=0x8c084c80
cmdline=U-Boot V2.0.0P1N4 20220516225243
Saving Environment to NAND...
Erasing 0x180000 - 0x1a0000:<nand_erase_skip_bad_,1397>!mtdpart=0x1,start=0x0,mtdpartoffset=0x180000,mtdPartsize=0x80000,length=0x20000
                [Done]
Writing to Nand:<nand_write_skip_bad_,1292>!mtdpart=0x1,offset=0x0,mtdpartoffset=0x180000,mtdPartsize=0x80000,length=0x20000
                [Done]
kernel start step1..images->state:70f
    ==BOOTM_STATE_START:1
    ==BOOTM_STATE_FINDOS:2
## Loading kernel from FIT Image at 88000240 ...
   Using 'conf@132SG' configuration
   Trying 'kernel@A53' kernel subimage
     Description:  Unify(TODO) Linux kernel for project-131G
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x88000348
     Data Size:    3262650 Bytes = 3.1 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x80080000
     Entry Point:  0x80080000
   Verifying Hash Integrity ... OK
    ==BOOTM_STATE_FINDOTHER:4
## Loading fdt from FIT Image at 88000240 ...
   Using 'conf@132SG' configuration
   Trying 'fdt@132SG' fdt subimage
     Description:  Flattened Device Tree blob for project-132SG
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8831ccf0
     Data Size:    35163 Bytes = 34.3 KiB
     Architecture: AArch64
   Verifying Hash Integrity ... OK
   Booting using the fdt blob at 0x8831ccf0
    ==BOOTM_STATE_LOADOS:8
   Uncompressing Kernel Image ... OK
kernel start step6..
   Loading Device Tree to 0000000083ff4000, end 0000000083fff95a ... OK

Starting kernel ...

first spin
first spin
first spin
first spin
CPUID:0 cpunoline 1 nucpus 4 try wake up secondary cpu from rom.
CPUID:1  wake up from rom.
CPUID:2  wake up from rom.
CPUID:3  wake up from rom.
init psci ok!!
cpu 1 power on
cpu 1 has been powered on
cpu 2 power on
cpu 2 has been powered on
cpu 3 power on
cpu 3 has been powered on

zyq53719

还是失败了?

kidcydia

还没更新 扑街了？

mgsxer

联通P1N9已正常，还没开始设置替换老猫

mgsxer

本次折腾，到目前为止，想跟新手分享的如下：
1.离线TELNET PYTHON工具，如果没有shell，在win下也可以：
从github上下载后解压，README.md就是纯文本打开。里面的前三句意义如下：


前两句，如果电脑里根本没有python，不懂的话可以忽略掉。只是建立个虚拟环境，不影响当前电脑相关设置而已。但注意，这两句不是win下的用法，会报错。如果在win下用，懂得自己就能搜baidu了，不赘述~
python3 -m venv .venv
source ./.venv/bin/activate
下面的在cmd里直接运行就行（前提是安装python的官方包了）。自动下载必要的库。
pip install -r requirements.txt


然后把脚本在win下执行本地编译命令，就能生成dist路径下的对应exe文件。然后在cmd里
zte_factroymode.exe telnet
就可以在cmd里拿到telnet了，效果跟用py脚本一样。

2.脚本给出的临时telnet账户名和密码有时效，几分钟就过期。随用随执行。最好5min内不要重复执行。
在cmd里可以telnet 192.168.1.1
Login名是明文，password打字不显示，这是学俗。

3.按照前辈们的流程顺序执行，不要疏忽，U盘用个可靠的，别像我偷懒，结果直接拆机TTL了....

4.如果光猫趴窝了。那只能拆开自己用排针焊上。主板很容易拿出来。没啥复杂的。
找个转换器（FT232即可，USB转UART串口，3线就够，要支持3.3v的），两侧的TXD和RXD反着插。引导信息回显用Xshell即可，官网可以用个人免费版。很好用（还能作为ssh跑python用）。用Linux的人应该都知道，我在公司里就用它。

5.如果只是刷一个分区出意外（非坏块问题）的问题，可以尝试从好的分区读NAND FLASH出来直接覆盖错误的分区即可。这样不用折腾TFTP一次。



想到的就这些吧~有问题的同学可以沟通，看不懂的同学，真的，还是别折腾了.....