CR8809

Prerequisites

  • CR8809, M79 version
  • A Linux machine
  • A USB-to-TTL adapter
  • The wish to run OpenWRT on it

Reading the ONT's admin password to switch it to bridge mode

The ONT's firmware is a bit absurd here: the CMCCAdmin web password sits in plaintext in /tmp/ctromfile.cfg, and the ordinary telnet login (admin, with the user account's password) is enough to read it.

nix-shell -p busybox
telnet 192.168.1.1
tc login: admin
Password: <password of the user account>

# cd tmp
# cat ctromfile.cfg | grep CMCCAdmin
<Entry0 Active="Yes" username="CMCCAdmin"
web_passwd="CMCCAdmin2r%uDUgV" display_mask="FF FF FF FF FF FF FF FF FF"
#

Preparation: breaking into U-Boot

  • Solder the TTL header and connect the USB-to-TTL adapter (viewed from the front, left to right the pins are VCC, RXD, GND, TXD; leave VCC unconnected, and cross the data lines: board TXD to adapter RXD and vice versa)
  • Start a terminal program (on Linux, for example screen /dev/ttyUSB0 115200; the baud rate is 115200, and ls /dev/ttyUSB* shows which serial devices exist)
  • Reboot the router. You will see the U-Boot and OS output scroll past, but the stock bootloader does not let you interrupt it
  • So first flash the CR8808 6.2.14 firmware (firmware link) with the flashing tool from Xiaomi's official site (😭, there is no Linux version)
  • Flash it
  • On the first boot afterwards, hammer Enter to drop into U-Boot

Enable UART

setenv boot_wait on
setenv uart_en 1
saveenv

Set up a TFTP server

nix-shell -p tftp-hpa
# run as root (UDP port 69 is privileged); --secure chroots into <PATH> so only that
# directory is served. Where possible bind to the NIC facing the router instead of
# every interface, i.e. --address <TFTP server IP>:69
in.tftpd --foreground --address :69 --secure <PATH>

In U-Boot, check which server address it expects:

printenv serverip

Or set the addresses manually:

setenv serverip <TFTP server IP>
setenv ipaddr <device IP>

Set the NIC's IP on Linux (same subnet as ipaddr):

sudo ifconfig <nic> <ip> netmask 255.255.255.0
# or with iproute2: sudo ip addr add <ip>/24 dev <nic>

Then test from the host itself that the file can be fetched:

tftp <TFTP server IP>
get openwrt-ipq50xx-generic-redmi_ax3000-squashfs-nand-factory.ubi

Flash OpenWRT

# Download the firmware into RAM (the name must match the file served by TFTP)
tftpboot openwrt-ipq50xx-arm-redmi_ax3000-squashfs-nand-factory.ubi

# Flash it as system 2 (rootfs_1) and tell the bootloader to boot from it
flash rootfs_1
setenv flag_try_sys2_failed 0
setenv flag_boot_rootfs 1
setenv flag_last_success 1
saveenv

# Reboot
reset
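Before running tftpboot and flash, it is worth checking the image on the host, after verifying it against the sha256sums published with the release. The script below is an added example, not from the original post or the OpenWrt project: it assumes the stock layout shown in /proc/mtd further down (128 KiB erase blocks, rootfs_1 of 0x2400000 bytes) and the UBI on-flash format, where every physical erase block begins with the erase-counter header magic "UBI#". A wrong file (an ext4 or sysupgrade image, or a UBI built for a different erase-block size) fails here instead of after flash has overwritten rootfs_1.

```sh
#!/bin/sh
# Added example: sanity-check a *-squashfs-nand-factory.ubi image on the host
# before it is served over TFTP and written to rootfs_1 with `flash`.
# Assumptions (from the CR8809 stock layout shown on this page):
ERASE_BLOCK=$((0x20000))     # NAND erase block (PEB) size, from /proc/mtd
ROOTFS_SIZE=$((0x2400000))   # size of rootfs / rootfs_1 on the stock layout
UBI_MAGIC='UBI#'             # UBI erase-counter header magic at offset 0 of every PEB

# Print the 4 magic bytes at the start of physical erase block $2 of image $1.
peb_magic() {
    dd if="$1" bs="$ERASE_BLOCK" skip="$2" count=1 2>/dev/null | head -c 4
}

# Return 0 if the file looks like a UBI image that fits the target partition.
check_ubi_image() {
    img=$1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    size=$(( $(wc -c < "$img") ))

    if [ "$(peb_magic "$img" 0)" != "$UBI_MAGIC" ]; then
        echo "$img: does not start with '$UBI_MAGIC'; not a raw UBI image" >&2
        return 1
    fi
    if [ $((size % ERASE_BLOCK)) -ne 0 ]; then
        echo "$img: $size bytes is not a whole number of $ERASE_BLOCK-byte erase blocks" >&2
        return 1
    fi
    if [ "$size" -gt "$ROOTFS_SIZE" ]; then
        echo "$img: $size bytes exceeds the $ROOTFS_SIZE-byte rootfs_1 partition" >&2
        return 1
    fi
    # Every PEB carries its own EC header, so the second block must also start
    # with the magic; if it does not, the image was built for another PEB size.
    if [ "$size" -gt "$ERASE_BLOCK" ] && [ "$(peb_magic "$img" 1)" != "$UBI_MAGIC" ]; then
        echo "$img: PEB 1 lacks '$UBI_MAGIC'; image built for a different erase-block size" >&2
        return 1
    fi
    echo "ok: $img is $((size / ERASE_BLOCK)) PEBs ($size bytes) and fits rootfs_1"
}

# Usage: sh check_ubi.sh openwrt-...-squashfs-nand-factory.ubi
if [ $# -gt 0 ]; then
    check_ubi_image "$1"
fi
```

The size check matters because `flash rootfs_1` writes whatever is in RAM; an image that is not erase-block aligned or larger than the partition is the kind of mistake the brick warning below is about.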

Optional: merge partitions

After flashing, look at the partition table: besides rootfs there are rootfs_1 and data. Since we don't need OTA, these partitions are useless to us, and after logging in only a few tens of MB are left for installing packages. You can try flashing the "unbrickable U-Boot" (不死uboot) from the forum.

root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "0:SBL1"
mtd1: 00080000 00020000 "0:MIBIB"
mtd2: 00040000 00020000 "0:BOOTCONFIG"
mtd3: 00040000 00020000 "0:BOOTCONFIG1"
mtd4: 00100000 00020000 "0:QSEE"
mtd5: 00100000 00020000 "0:QSEE_1"
mtd6: 00040000 00020000 "0:DEVCFG"
mtd7: 00040000 00020000 "0:DEVCFG_1"
mtd8: 00040000 00020000 "0:CDT"
mtd9: 00040000 00020000 "0:CDT_1"
mtd10: 00080000 00020000 "0:APPSBLENV"
mtd11: 00140000 00020000 "0:APPSBL"
mtd12: 00140000 00020000 "0:APPSBL_1"
mtd13: 00100000 00020000 "0:ART"
mtd14: 00080000 00020000 "0:TRAINING"
mtd15: 00080000 00020000 "bdata"
mtd16: 00080000 00020000 "crash"
mtd17: 00080000 00020000 "crash_log"
mtd18: 02400000 00020000 "rootfs"
mtd19: 02400000 00020000 "rootfs_1"
mtd20: 01f00000 00020000 "overlay"
mtd21: 00d80000 00020000 "data"
size: the partition size in bytes, in hexadecimal.
erasesize: the erase block size in bytes, the smallest unit that can be erased (0x20000 = 128 KiB here).

After flashing it, everything is merged into one large partition (0x07480000 bytes, which is exactly rootfs + rootfs_1 + overlay + data from the table above):

root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "0:SBL1"
mtd1: 00080000 00020000 "0:MIBIB"
mtd2: 00040000 00020000 "0:BOOTCONFIG"
mtd3: 00040000 00020000 "0:BOOTCONFIG1"
mtd4: 00100000 00020000 "0:QSEE"
mtd5: 00100000 00020000 "0:QSEE_1"
mtd6: 00040000 00020000 "0:DEVCFG"
mtd7: 00040000 00020000 "0:DEVCFG_1"
mtd8: 00040000 00020000 "0:CDT"
mtd9: 00040000 00020000 "0:CDT_1"
mtd10: 00080000 00020000 "0:APPSBLENV"
mtd11: 00140000 00020000 "0:APPSBL"
mtd12: 00140000 00020000 "0:APPSBL_1"
mtd13: 00100000 00020000 "0:ART"
mtd14: 00080000 00020000 "0:TRAINING"
mtd15: 00080000 00020000 "bdata"
mtd16: 00080000 00020000 "crash"
mtd17: 00080000 00020000 "crash_log"
mtd18: 07480000 00020000 "rootfs"

UBOOT

Brick warning! Once this U-Boot is flashed, the official flashing tool no longer works. Before doing any of the following, make sure you know what each step does and how to recover!

tftpboot MIBIB.bin && flash 0:MIBIB

# reboot, then get back into U-Boot
tftpboot APPSBL.bin && flash 0:APPSBL
# the tutorial also flashes APPSBL_1, but in practice it was not needed
# tftpboot APPSBL1.bin && flash 0:APPSBL_1

Then hold reset, power-cycle the device, and open 192.168.10.1 to flash the firmware.

On the WAN interface, set the Metric: a lower value means higher priority.

Flashed the wrong thing?

Backups of the MIBIB and APPSBL partitions are on GitHub.

Installing themes/plugins

First ssh in and run opkg update. If you hit network problems, run export http_proxy=xxxxx && export https_proxy=xxxxx first, then follow the tutorial.

My theme is argon; download luci-app-argon-config_0.9_all.ipk and luci-theme-argon_2.3.1_all.ipk from GitHub.

To see what is installed:

opkg list-installed

Uci

uci set wireless.radio1.country='CN'    # regulatory domain
uci set wireless.radio1.htmode='HE160'  # 160 MHz channel width (Wi-Fi 6)
uci set wireless.radio1.channel='64'
uci commit wireless
/etc/init.d/network restart

Installing Tailscale for remote access

opkg update
opkg install tailscale
opkg install iptables-nft

tailscale up --netfilter-mode=off --advertise-routes=xxx.xxx.xxx.xxx/xx,yyy.yyy.yyy.yyy/yy --advertise-exit-node --accept-routes=false

# --netfilter-mode=off stops tailscaled from adding its own netfilter (firewall)
# rules, so the forwarding and NAT rules for tailscale0 have to be written in the
# OpenWrt firewall yourself. Advertised routes and the exit node only take effect
# after they are approved in the Tailscale admin console.

Telnet

I want to reboot the router and the ONT on a schedule, but OpenWrt does not seem to ship a telnet client, so I came up with this workaround:

#!/bin/sh
# /scripts/reboot.sh: log in to the ONT over telnet with busybox nc, reboot it,
# then reboot the router itself. The sleeps give the ONT time to print its prompts.
(echo "<telnet username>"; sleep 3; echo "<telnet password>"; sleep 3; echo "reboot && exit"; sleep 3) | nc 192.168.1.1 23
sleep 20
reboot

The script holds the ONT's credentials in plaintext and sends them unencrypted, so keep it root-only (chmod 700 /scripts/reboot.sh) and only ever reachable on the LAN side. Then edit the crontab with crontab -e and add the line 0 3 * * * /scripts/reboot.sh to run it every day at 03:00, and make sure the cron service is running (/etc/init.d/cron enable && /etc/init.d/cron start).

Controlling the LEDs

The LED names are listed under /sys/class/leds/; write to an LED's brightness file to switch it:

LED_PATH="/sys/class/leds/<your LED name>/brightness"
echo 0 > "$LED_PATH"   # 0 turns it off; 1 (or the value in max_brightness) turns it on

Miscellaneous

(Updated 2025.5)

Dumping the device tree (not very useful; some devices are probed during system initialisation rather than described in it)

Use screen's -L option to log the session to a file

On Linux, the parsed device tree is exposed under /proc/device-tree and the raw DTB blob at /sys/firmware/fdt

Common screen operations

screen -ls              # list sessions
screen -r session_id    # reattach to a session
Ctrl+a then d           # detach from the current session

Moving the raw DTB out with base64

I wanted to try out how to transfer a file when the network is down, so I came up with this "advanced" method:

base64 /sys/firmware/fdt

With screen -L running, the output lands in the log file. Decode it on my computer:

base64 -d fdt.b64 > cr8809.dtb

If that fails, the log probably contains stray characters (terminal control codes or prompts); inspect it with cat -A fdt.b64.

Decompiling the DTB

dtc -I dtb -O dts cr8809.dtb > cr8809.dts

Backing up partitions

Viewing the full partition table

The full partition table can be displayed with smem in U-Boot:

IPQ5018# smem
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 36 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 288, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1114395847
ubi0: available PEBs: 48, total reserved PEBs: 240, PEBs reserved for bad PEB handling: 20
flash_type: 0xb
flash_index: 0x0
flash_chip_select: 0x0
flash_block_size: 0x20000
flash_density: 0x80000
partition table offset 0x0
No.: Name Attributes Start Size
0: 0:SBL1 0x0000ffff 0x0 0x80000
1: 0:MIBIB 0x0000ffff 0x80000 0x80000
2: 0:BOOTCONFIG 0x0000ffff 0x100000 0x40000
3: 0:BOOTCONFIG1 0x0000ffff 0x140000 0x40000
4: 0:QSEE 0x0000ffff 0x180000 0x100000
5: 0:QSEE_1 0x0000ffff 0x280000 0x100000
6: 0:DEVCFG 0x0000ffff 0x380000 0x40000
7: 0:DEVCFG_1 0x0000ffff 0x3c0000 0x40000
8: 0:CDT 0x0000ffff 0x400000 0x40000
9: 0:CDT_1 0x0000ffff 0x440000 0x40000
10: 0:APPSBLENV 0x0000ffff 0x480000 0x80000
11: 0:APPSBL 0x0000ffff 0x500000 0x140000
12: 0:APPSBL_1 0x0000ffff 0x640000 0x140000
13: 0:ART 0x0000ffff 0x780000 0x100000
14: 0:TRAINING 0x0000ffff 0x880000 0x80000
15: bdata 0x0000ffff 0x900000 0x80000
16: crash 0x0000ffff 0x980000 0x80000
17: crash_log 0x0000ffff 0xa00000 0x80000
18: rootfs 0x0000ffff 0xa80000 0x2400000
ubi vol 0 kernel
ubi vol 1 ubi_rootfs
19: rootfs_1 0x0000ffff 0x2e80000 0x2400000
20: overlay 0x0000ffff 0x5280000 0x1f00000
21: data 0x0000ffff 0x7180000 0xd80000

How it works

On the host, a busybox tftpd that allows uploads (-c lets the client create files; as with the earlier server, bind it to the NIC facing the router instead of 0.0.0.0 where possible):

sudo udpsvd -vE 0.0.0.0 69 tftpd -c /home/seeker/Develop/tftproot/

In U-Boot, read a partition from NAND into RAM and push it to the server:

nand read <RAM address> <NAND offset> <length>
tftpput <RAM address> <length> <file name on the server>

For example, rootfs_1 (offset 0x2e80000, size 0x2400000 in the smem table above):

nand read 0x82000000 0x2e80000 0x2400000
tftpput 0x82000000 0x2400000 rootfs_1_backup.img

Scripting it

Backing up by hand is very slow, so write a script and compile it into a U-Boot script image with uboot-tools:

mkimage -A arm64 -O linux -T script -C none -a 0 -e 0 -n "Backup Script" -d backup_script.txt backup_script.img

Then load it into U-Boot and run it:

tftpboot backup_script.img
source 0x44000000

The address given to source is the load address (loadaddr) that tftpboot reports:

IPQ5018# tftpboot backup_script.img
Port1 Up Speed :1000M Full duplex
Using eth1 device
TFTP from server 192.168.2.100; our IP address is 192.168.2.1
Filename 'backup_script.img'.
Load address: 0x44000000
Loading: #
2.1 MiB/s
done
Bytes transferred = 2234 (8ba hex)
backup_scripts

You don't need to back up everything; one or two important partitions are enough.

# 0: SBL1
nand read 0x82000000 0x0 0x80000
tftpput 0x82000000 0x80000 SBL1_backup.bin

# 1: MIBIB
nand read 0x82000000 0x80000 0x80000
tftpput 0x82000000 0x80000 MIBIB_backup.bin

# 2: BOOTCONFIG
nand read 0x82000000 0x100000 0x40000
tftpput 0x82000000 0x40000 BOOTCONFIG_backup.bin

# 3: BOOTCONFIG1
nand read 0x82000000 0x140000 0x40000
tftpput 0x82000000 0x40000 BOOTCONFIG1_backup.bin

# 4: QSEE
nand read 0x82000000 0x180000 0x100000
tftpput 0x82000000 0x100000 QSEE_backup.bin

# 5: QSEE_1
nand read 0x82000000 0x280000 0x100000
tftpput 0x82000000 0x100000 QSEE_1_backup.bin

# 6: DEVCFG
nand read 0x82000000 0x380000 0x40000
tftpput 0x82000000 0x40000 DEVCFG_backup.bin

# 7: DEVCFG_1
nand read 0x82000000 0x3c0000 0x40000
tftpput 0x82000000 0x40000 DEVCFG_1_backup.bin

# 8: CDT
nand read 0x82000000 0x400000 0x40000
tftpput 0x82000000 0x40000 CDT_backup.bin

# 9: CDT_1
nand read 0x82000000 0x440000 0x40000
tftpput 0x82000000 0x40000 CDT_1_backup.bin

# 10: APPSBLENV
nand read 0x82000000 0x480000 0x80000
tftpput 0x82000000 0x80000 APPSBLENV_backup.bin

# 11: APPSBL
nand read 0x82000000 0x500000 0x140000
tftpput 0x82000000 0x140000 APPSBL_backup.bin

# 12: APPSBL_1
nand read 0x82000000 0x640000 0x140000
tftpput 0x82000000 0x140000 APPSBL_1_backup.bin

# 13: ART
nand read 0x82000000 0x780000 0x100000
tftpput 0x82000000 0x100000 ART_backup.bin

# 14: TRAINING
nand read 0x82000000 0x880000 0x80000
tftpput 0x82000000 0x80000 TRAINING_backup.bin

# 15: bdata
nand read 0x82000000 0x900000 0x80000
tftpput 0x82000000 0x80000 bdata_backup.bin

# 16: crash
nand read 0x82000000 0x980000 0x80000
tftpput 0x82000000 0x80000 crash_backup.bin

# 17: crash_log
nand read 0x82000000 0xa00000 0x80000
tftpput 0x82000000 0x80000 crash_log_backup.bin

# 18: rootfs
nand read 0x82000000 0xa80000 0x2400000
tftpput 0x82000000 0x2400000 rootfs_backup.bin

# 19: rootfs_1
nand read 0x82000000 0x2e80000 0x2400000
tftpput 0x82000000 0x2400000 rootfs_1_backup.bin

# 20: overlay
nand read 0x82000000 0x5280000 0x1f00000
tftpput 0x82000000 0x1f00000 overlay_backup.bin

# 21: data
nand read 0x82000000 0x7180000 0xd80000
tftpput 0x82000000 0xd80000 data_backup.bin
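Rather than typing the 44 lines above by hand, the offsets and sizes can be lifted straight out of the smem table. The script below is an added example, not from the original post: it carries a constructed copy of the smem output shown earlier, refuses to emit anything if the table has a gap, an overlap or an offset that is not erase-block aligned, and then prints exactly the nand read / tftpput pairs above, either for every partition or just for the ones named on the command line. The load address 0x82000000 and the "<name>_backup.bin" naming are taken from the page; the mkimage step in the usage comment is the one shown above.

```sh
#!/bin/sh
# Added example: generate the U-Boot backup script from the `smem` partition
# table, checking the table's consistency first. Assumes the load address and
# file naming used on this page.
LOADADDR=0x82000000
ERASE_BLOCK=0x20000

# Constructed copy of the table printed by `smem` on this board (see above).
SMEM_TABLE='No.: Name Attributes Start Size
0: 0:SBL1 0x0000ffff 0x0 0x80000
1: 0:MIBIB 0x0000ffff 0x80000 0x80000
2: 0:BOOTCONFIG 0x0000ffff 0x100000 0x40000
3: 0:BOOTCONFIG1 0x0000ffff 0x140000 0x40000
4: 0:QSEE 0x0000ffff 0x180000 0x100000
5: 0:QSEE_1 0x0000ffff 0x280000 0x100000
6: 0:DEVCFG 0x0000ffff 0x380000 0x40000
7: 0:DEVCFG_1 0x0000ffff 0x3c0000 0x40000
8: 0:CDT 0x0000ffff 0x400000 0x40000
9: 0:CDT_1 0x0000ffff 0x440000 0x40000
10: 0:APPSBLENV 0x0000ffff 0x480000 0x80000
11: 0:APPSBL 0x0000ffff 0x500000 0x140000
12: 0:APPSBL_1 0x0000ffff 0x640000 0x140000
13: 0:ART 0x0000ffff 0x780000 0x100000
14: 0:TRAINING 0x0000ffff 0x880000 0x80000
15: bdata 0x0000ffff 0x900000 0x80000
16: crash 0x0000ffff 0x980000 0x80000
17: crash_log 0x0000ffff 0xa00000 0x80000
18: rootfs 0x0000ffff 0xa80000 0x2400000
ubi vol 0 kernel
ubi vol 1 ubi_rootfs
19: rootfs_1 0x0000ffff 0x2e80000 0x2400000
20: overlay 0x0000ffff 0x5280000 0x1f00000
21: data 0x0000ffff 0x7180000 0xd80000'

# Print "index name start size" per partition row, skipping the header and the
# "ubi vol" lines smem prints under UBI partitions.
parse_smem() {
    printf '%s\n' "$SMEM_TABLE" |
        awk '$1 ~ /^[0-9]+:$/ && NF == 5 { sub(/:$/, "", $1); print $1, $2, $4, $5 }'
}

# Verify that each partition starts where the previous one ends and that every
# offset and size is a whole number of erase blocks; print the total size in hex.
check_layout() {
    expect=0
    while read -r idx name start size; do
        if [ $(($start)) -ne $expect ]; then
            echo "gap or overlap before $name: starts at $start, expected $(printf '0x%x' $expect)" >&2
            return 1
        fi
        if [ $(($start % $ERASE_BLOCK)) -ne 0 ] || [ $(($size % $ERASE_BLOCK)) -ne 0 ]; then
            echo "$name is not erase-block aligned" >&2
            return 1
        fi
        expect=$(($start + $size))
    done <<EOF
$(parse_smem)
EOF
    printf '0x%x\n' $expect
}

# Emit the U-Boot commands that dump each partition to RAM and push it with
# tftpput. With no arguments every partition is included; otherwise only the
# named ones (e.g. "MIBIB APPSBL", the two the UBOOT section overwrites).
generate_backup_script() {
    parse_smem | while read -r idx name start size; do
        short=${name#0:}                       # "0:MIBIB" -> "MIBIB"
        if [ $# -gt 0 ]; then
            wanted=0
            for w in "$@"; do [ "$w" = "$short" ] && wanted=1; done
            [ $wanted -eq 1 ] || continue
        fi
        printf '# %s: %s\n' "$idx" "$short"
        printf 'nand read %s %s %s\n' "$LOADADDR" "$start" "$size"
        printf 'tftpput %s %s %s_backup.bin\n\n' "$LOADADDR" "$size" "$short"
    done
}

# Usage: sh gen_backup.sh [NAME ...] > backup_script.txt
#        mkimage -A arm64 -O linux -T script -C none -a 0 -e 0 \
#                -n "Backup Script" -d backup_script.txt backup_script.img
check_layout >/dev/null && generate_backup_script "$@"
```

After the transfers finish, compare each received file's size with the size column of the table; tftpput of a partition is all-or-nothing only if the server accepted the whole upload.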

References, credits & resources

https://github.com/hzyitc/openwrt-redmi-ax3000

https://github.com/blueberry-pie-11/redmi-ax3000-flash

https://github.com/NakanoSanku/StudyShare/blob/master/ax3000/ax3000-cr880x-SSH.md

https://www.right.com.cn/forum/thread-8274491-1-1.html

https://www.right.com.cn/forum/thread-8275543-1-1.html

https://www.right.com.cn/forum/thread-8280964-1-1.html

https://www.right.com.cn/forum/thread-8314226-1-1.html

https://dmm.ink/2024/10/19/cr8809cr880cr8806ax30op/

https://openwrt.org/docs/techref/flash.layout

https://github.com/Seeker0472/CR8809_BAK/tree/master


CR8809
https://20040702.xyz/2025/01/08/CR8809/
Author: Seeker
Published: 8 January 2025