谈谈湖北移动百视通R3300-L红盒子如何破解
本帖最后由 hbjmcsc 于 2017-12-23 15:19 编辑湖北移动宽带送的百视通R3300-L破解超级简单,没有任何限制条件,直接U盘插上安装即可,开机也是当贝桌面自动运行。但美中不足是,想修改MAC地址,但无从下手。拆机发现该机顶盒CPU为晶晨S905L,内存1G+8G,TTL孔被锡堵住,电路板上也无任何标识,但我仍然把RX、TX、GND给试出来了。现在请教各位高手,S905L系列里面MAC地址是存储在哪个文件里面的?之前海思3798系列,都是在deviceinfo里面。通过机顶盒关于里面输入start adbd指令也无法开启adb,无奈拆机通过TTL连上了,并且导出了部分文件,但不知道MAC地址、序列号等信息到底在哪个文件里面。
以下是/dev下面部分目录列表:
root@p201_iptv:/dev/block/platform/d0074000.emmc # ls -l
lrwxrwxrwx root root 2015-01-01 08:00 boot -> /dev/block/boot
lrwxrwxrwx root root 2015-01-01 08:00 bootloader -> /dev/block/bootloader
drwxr-xr-x root root 2015-01-01 08:00 by-num
lrwxrwxrwx root root 2015-01-01 08:00 cache -> /dev/block/cache
lrwxrwxrwx root root 2015-01-01 08:00 crypt -> /dev/block/crypt
lrwxrwxrwx root root 2015-01-01 08:00 data -> /dev/block/data
lrwxrwxrwx root root 2015-01-01 08:00 env -> /dev/block/env
lrwxrwxrwx root root 2015-01-01 08:00 instaboot -> /dev/block/instaboot
lrwxrwxrwx root root 2015-01-01 08:00 logo -> /dev/block/logo
lrwxrwxrwx root root 2015-01-01 08:00 misc -> /dev/block/misc
lrwxrwxrwx root root 2015-01-01 08:00 mmcblk0 -> /dev/block/mmcblk0
lrwxrwxrwx root root 2015-01-01 08:00 mmcblk0boot0 -> /dev/block/mmcblk0boot0
lrwxrwxrwx root root 2015-01-01 08:00 mmcblk0boot1 -> /dev/block/mmcblk0boot1
lrwxrwxrwx root root 2015-01-01 08:00 mmcblk0rpmb -> /dev/block/mmcblk0rpmb
lrwxrwxrwx root root 2015-01-01 08:00 params -> /dev/block/params
lrwxrwxrwx root root 2015-01-01 08:00 recovery -> /dev/block/recovery
lrwxrwxrwx root root 2015-01-01 08:00 reserved -> /dev/block/reserved
lrwxrwxrwx root root 2015-01-01 08:00 rsv -> /dev/block/rsv
lrwxrwxrwx root root 2015-01-01 08:00 system -> /dev/block/system
lrwxrwxrwx root root 2015-01-01 08:00 tee -> /dev/block/tee
以下是开机显示的全部代码:
GXL:BL1:9ac50e:a1974b;FEAT:ADFC318C;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
TE: 159554
BL2 Built : 14:57:36, Nov4 2016.
gxl g5990442 - xiaobo.gu@droid05
set vcck to 1070 mv
set vddee to 1070 mv
Board ID = 7, adc=541
CPU clk: 1200MHz
2layers board, use ddr_set
DDR chl: Rank0+1 @ 792MHz - FAIL
DDR chl: Rank0 @ 792MHz - PASS
DQS-corr enabled
DDR scramble enabled
Rank0: 1024MB(auto)-2T-11
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01100000, size: 0x00007400
Load bl301 from eMMC, src: 0x00018200, des: 0x01200000, size: 0x00002200
Load bl31 from eMMC, src: 0x0001c200, des: 0x10100000, size: 0x00019400
Load bl33 from eMMC, src: 0x00038200, des: 0x01000000, size: 0x00083e00
NOTICE:BL3-1: v1.0(debug):959fdf0
NOTICE:BL3-1: Built : 15:01:44, Dec 29 2016
aml log : bl31 normal boot !
bl30: check_permit, count is 1
bl30: check_permit: ok!
chipid: ef be ad de d f0 ad ba ef be ad de not ES chip
efuse init ops = c2
efuse init hdcp = c, cf9=7
seINFcOu:r e t aBsLk3 -s1t:a rItn!it
ializing runthiimgehstearvices
WARNING: No OPTEE provided by BL2 boot loader
ERROR: Error initializing runtime service opteed_fast
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01-gd786353-dirty (Apr 21 2017 - 02:56:20)
DRAM:1 GiB
Relocation Offset is: 36eef000
gpio: pin GPIODV_24 (gpio 43) value is 1
mwm 0xc8837004: with ok
mwm 0xc883700c: with ok
mwm 0xc8837010: with ok
mwm 0xc8837010: with ok
register usb cfg = 0000000037f63230
canvas init
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
MMC: aml_priv->desc_buf = 0x0000000033edfac0
aml_priv->desc_buf = 0x0000000033ee1de0
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
mmc refix success
mmc init success
mmc read lba=0x14000, blocks=0x400
Amlogic multi-dtb tool
Multi dtb detected
2layers board, board id use 7
Multi dtb tool version: v2 .
Support 6 dtbs.
aml_dt soc: gxl platform: p211 variant: 1g
dtb 0 soc: gxbb plat: p201 vari: 1g
dtb 1 soc: gxbb plat: p201 vari: 2g
dtb 2 soc: gxl plat: p211 vari: 1g
dtb 3 soc: gxl plat: p211 vari: 2g
dtb 4 soc: gxl plat: p215 vari: 1g
dtb 5 soc: gxl plat: p215 vari: 2g
Find match dtb: 2
start dts,buffer=0000000033ee4630,dt_addr=0000000033ef5e30
parts: 12
00: logo 0000000002000000 1
01:recovery 0000000002000000 1
02: rsv 0000000000800000 1
03: tee 0000000000800000 1
04: crypt 0000000002000000 1
05: misc 0000000002000000 1
06: instaboot 0000000020000000 1
07: boot 0000000002000000 1
08: system 0000000040000000 1
09: cache 0000000020000000 2
10: params 0000000004000000 2
11: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 2400000 4000000 0
2: cache 6c00000 20000000 2
3: env 27400000 800000 0
4: logo 28400000 2000000 1
5: recovery 2ac00000 2000000 1
6: rsv 2d400000 800000 1
7: tee 2e400000 800000 1
8: crypt 2f400000 2000000 1
9: misc 31c00000 2000000 1
10: instaboot 34400000 20000000 1
11: boot 54c00000 2000000 1
12: system 57400000 40000000 1
13: params 97c00000 4000000 2
14: data 9c400000 135c00000 4
mmc read lba=0x12000, blocks=0x2
mmc read lba=0x12002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x27400000
In: serial
Out: serial
Err: serial
board id is : 7
hpd_state=0
cvbs performance type = 7, table = 1
To run cmd
read emmc dtb
Amlogic multi-dtb tool
Multi dtb detected
2layers board, board id use 7
Multi dtb tool version: v2 .
Support 6 dtbs.
aml_dt soc: gxl platform: p211 variant: 1g
dtb 0 soc: gxbb plat: p201 vari: 1g
dtb 1 soc: gxbb plat: p201 vari: 2g
dtb 2 soc: gxl plat: p211 vari: 1g
dtb 3 soc: gxl plat: p211 vari: 2g
dtb 4 soc: gxl plat: p215 vari: 1g
dtb 5 soc: gxl plat: p215 vari: 2g
Find match dtb: 2
Net: dwmac.c9410000
wipe_data=successfulSecd
wipe_cache=successful
bmp pixel: 16
addr=0x3d800000 width=2560, height=1440
upgrade_step=2
amlkey_init() enter!
keynum is 4
: tee size: 0
rebootmode=cold_boot
Hit any key to stop autoboot:0
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =33f0c190
copy done
Amlogic multi-dtb tool
Single dtb detected
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x01ff2c18
Loading Ramdisk to 33c12000, end 33edc72e ... OK
Loading Device Tree to 000000001fff3000, end 000000001ffff022 ... OK
signature:
fdt_instaboot: get header err
Starting kernel ...
uboot time: 1890007 us
[ 0.000000@0] Initializing cgroup subsys cpu
[ 0.000000@0] Initializing cgroup subsys cpuacct
[ 0.000000@0] Linux version 3.14.29-g0b159cd-dirty (chaiq@ter) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #1 SMP PREEMPT Mon Sep 4 23:00:19 EDT 2017
[ 0.000000@0] CPU: armv71 Processor revision 4
[ 0.000000@0] bootconsole enabled
get_dvfs_info 0007
INFO: HDCP22 key read fail!
INFO: p1d 0
INFO: pd1 0
root@p201_iptv:/ #
请各位高手大咖们研究讨论一下,我实在是没招了,网上也无相关教程。文件稍微小一点的比如env、srv、tee等我都导出来看了,没有发现MAC地址信息,params里面是一些类似日志的东西。@hao501802766 https://www.znds.com/tv-824995-1-1.html楼主看看 破解没有问题,我现在主要想知道MAC地址存在什么地方,我需要修改 hbjmcsc 发表于 2017-12-24 13:24
破解没有问题,我现在主要想知道MAC地址存在什么地方,我需要修改
我也没研究MAC地址之类的 只能帮顶了 hao501802766 发表于 2017-12-26 16:57
我也没研究MAC地址之类的 只能帮顶了
兄弟,帮帮忙啦,有空帮忙研究一下,我主要对晶晨的CPU及对应安卓架构不了解 楼主你要发达 楼主你要改mac干嘛? webpad 发表于 2018-1-2 02:22
楼主你要改mac干嘛?
一是作备用,二是学习知识呗 hbjmcsc 发表于 2018-1-2 21:49
一是作备用,二是学习知识呗
uboot终端下keyman指令;
linux终端下操作/sys/class/unifykeys/ ;
风险自担,砖了不管 webpad 发表于 2018-1-3 01:18
uboot终端下keyman指令;
linux终端下操作/sys/class/unifykeys/ ;
风险自担,砖了不管 ...
谢谢,uboot是通过TTL连接进入啦?改天试试,有问题再请教大神!
页:
[1]
2
