search

logon84 / Hacking_Huawei_HG8012H_ONT

Steps to hack a HG8012H, access it and mod the firmware
274 stars 67 forks source link

Extracting ubifs from HS8247W #23

Open sn4k3 opened 5 months ago

sn4k3 commented 5 months ago

Hello,

I have a more recent device: HS8247W I have extracted the NAND (W29N02GV), copied the firmware, but can't extract the file contents.

boot log:

HuaWei StartCode 2012.02 (V300R018C00 Nov 13 2017 - 10:57:25)

NAND:  Nand ID: 0xEF 0xDA 0x90 0x95 0x04 0x00 0x00 0x00
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): 256 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:-1
use the main slave_param area from flash, the RAM data is not OK!!!
Use the UbootA to load first
Use the UbootA to load success

U-Boot 2017.07 (V300R019C00 Jan 07 2022 - 11:33:36 +0800 V3), Build: jenkins-ONT_V300R019C00_Oversea_Compile_sign_uboot_953302B0B7E346518CDDE1BAE61D9D23-1

DRAM:  256 MiB
Boot From NAND flash
Chip Type is SD5116T
NAND:  Special Nand id table Version 1.23
Nand ID: 0xEF 0xDA 0x90 0x95 0x04 0x00 0x00 0x00
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:268435456B OOB:64B ECC:4bit
256 MiB
256 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   PHY power down !!!
Mbist flag = 0x0, ddr totoal size = 0x10000000
[common/pon_chip_v3/main.c__4359]::CRC:0x3d80a8b4, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x0
Start from main system(0x0)!
CRC:0x3d80a8b4, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x0
UBI: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=1", size 255 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 2040, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 15, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 33/20, WL threshold: 4096, image sequence number: 957459587
ubi0: available PEBs: 36, total reserved PEBs: 2004, PEBs reserved for bad PEB handling: 40
Main area (A) is OK!
CRC:0x93e83925, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:1, CommitedArea:0x0, Active:0x0, RunFlag:0x0
Loading file 'doublecore' to addr 0x85a00000...
** File not found doublecore **
Unmounting UBIFS volume file_system!
Unmount ubifs success!
Bootcmd:ubi read 0x80907f6c kernelA 0x1bb2c0; bootm 0x80907fc0
BootArgs:noalign mem=247M flashsize=0x10000000 console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0xff00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=2 l2_cache=l2x0 coherent_pool=4M user_debug=0x1f panic=1 skb_priv=192 debug_ll=on
U-boot Start from NORMAL Mode!
## Booting kernel from Legacy Image at 80907fc0 ...
   Image Name:   Linux-3.10.53-HULK2
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1815084 Bytes = 1.7 MiB
   Load Address: 80e08000
   Entry Point:  80e08000

Match the dtb file index : 3!
   Memory Start: 80900000
   XIP Kernel Image ... OK
   kernel loaded at 0x80908000, end = 0x80ac03ca

Starting kernel ...

Uart base = 0x1010F000
dtb addr = 0x80F633D8
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Initializing cgroup subsys cpuacct
Linux version 3.10.53-HULK2 (ci@SZXRTOSCI10000) (gcc version 4.7.1 (SDK V100R005C00SPC030B050) ) #1 SMP Fri Apr 13 19:54:43 CST 2018
CPU: ARMv7 Processor [414fc091] revision 1 (ARMv7), cr=18c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: Hisilicon A9, model: HISI-CA9
skbuff priv len is 192.
Memory policy: ECC disabled, Data cache writealloc
On node 0 totalpages: 63232
free_area_init_node: node 0, pgdat c04a7340, node_mem_map c0667800
  Normal zone: 618 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 63232 pages, LIFO batch:15
[dts]:cpu type is 5115
PERCPU: Embedded 7 pages/cpu @c08d6000 s7488 r8192 d12992 u32768
pcpu-alloc: s7488 r8192 d12992 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 62614
Kernel command line: noalign mem=247M flashsize=0x10000000 console=ttyAMA1,115200 ubi.mtd=1 root=/dev/mtdblock11 rootfstype=squashfs mtdparts=hinand:0x100000(startcode),0xff00000(ubifs),-(reserved) pcie0_sel=x1 maxcpus=2 l2_cache=l2x0 coherent_pool=4M user_debug=0x1f panic=1 skb_priv=192 debug_ll=on
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
allocated 505856 bytes of page_cgroup
please try 'cgroup_disable=memory' option if you don't want memory cgroups
Memory: 247MB = 247MB total
Memory: 244628k/244628k available, 8300k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xffe00000 - 0xfffe0000   (1920 kB)
    vmalloc : 0xcf800000 - 0xff000000   ( 760 MB)
    lowmem  : 0xc0000000 - 0xcf700000   ( 247 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .text : 0xc0008000 - 0xc04350e0   (4277 kB)
      .init : 0xc0436000 - 0xc0462d40   ( 180 kB)
      .data : 0xc0464000 - 0xc04ab3c8   ( 285 kB)
       .bss : 0xc04ab3c8 - 0xc04d4108   ( 164 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:512
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
[DTS][LED]-->WARN:Cannot find led info in dtb,make sure there is no led on board
Calibrating delay loop... 1594.16 BogoMIPS (lpj=7970816)
pid_max: default: 32768 minimum: 301
Security Framework initialized
Mount-cache hash table entries: 512
Initializing cgroup subsys memory
Initializing cgroup subsys devices
Initializing cgroup subsys freezer
Initializing cgroup subsys net_cls
Initializing cgroup subsys blkio
Initializing cgroup subsys net_prio
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0xc0318498 - 0xc03184cc
SD511x chip id:0x51162100
sd511x_core_reset cpu : 1  mask=200
CPU1: Booted secondary processor
Brought up 2 CPUs
SMP: Total of 2 processors activated (3188.32 BogoMIPS).
CPU: All CPU(s) started in SVC mode.
NET: Registered protocol family 16
DMA: preallocated 4096 KiB pool for atomic coherent allocations
L310 cache controller enabled
l2x0: 16 ways, CACHE_ID 0x410000c9, AUX_CTRL 0x02450001, Cache size: 524288 B
bio: create slab <bio-0> at 0
Switching to clocksource arm,sp804
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 12288 bytes)
UDP-Lite hash table entries: 256 (order: 1, 12288 bytes)
NET: Registered protocol family 1
PCI: CLS 0 bytes, default 64
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. © 2001-2006 Red Hat, Inc.
fuse init (API version 7.22)
msgmni has been set to 477
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
brd: module loaded
mtdoops: mtd device (mtddev=name/number) must be supplied
Spi id table Version 1.22
Special nand id table Version 1.33
Hisilicon Nand Flash Controller V301 Device Driver, Version 1.10
Nand ID: 0xEF 0xDA 0x90 0x95 0x04 0x00 0x00 0x00
Nand(Hardware): Block:128KB Page:2KB Chip:256MB OOB:64B ECC:4bit
NAND device: Manufacturer ID: 0xef, Chip ID: 0xda (Winbond W29N02GV), 256MiB, page size: 2048, OOB size: 64
NAND_ECC_NONE selected by board driver. This is not recommended!
3 cmdlinepart partitions found on MTD device hinand
Creating 3 MTD partitions on "hinand":
0x000000000000-0x000000100000 : "startcode"
0x000000100000-0x000010000000 : "ubifs"
0x000010000000-0x000010000000 : "reserved"
mtd: partition "reserved" is out of reach -- disabled
softdog: Software Watchdog Timer: 0.08 initialized. soft_noboot=0 soft_margin=60 sec soft_panic=0 (nowayout=0)
TCP: cubic registered
NET: Registered protocol family 17
ThumbEE CPU extension supported.
mapp kbox ddrram_address=0,                     ddrram_size=0 fail[WARNNING]:Kbox device descriptor struct kbox_dev_des             Intialization Failed
kbox: init ddrram fail ret=-99
kbox: load OK
UBI: attaching mtd1 to ubi0
UBI: scanning is finished
UBI: attached mtd1 (name "ubifs", size 255 MiB) to ubi0
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 2040, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 15, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 33/20, WL threshold: 512, image sequence number: 957459587
UBI: available PEBs: 36, total reserved PEBs: 2004, PEBs reserved for bad PEB handling: 40
UBI: background thread "ubi_bgt0d" started, PID 320
Warning: unable to open an initial console.
squashfs_cache_init: sqcachesize=8.
VFS: Mounted root (squashfs filesystem) readonly on device 31:11.
Freeing unused kernel memory: 176K (c0436000 - c0462000)
******** Total Boot time: 2184 ms, uncompress initrd cost 0 ms ********
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
1010e000.uart: ttyAMA0 at MMIO 0x1010e000 (irq = 77) is a 16550A
ubireader_extract_files HS8247W.BIN 
UBI_File Warning: end_offset - start_offset length is not block aligned, could mean missing data
ubireader_extract_files 2ubifs.BIN 
UBI_File Warning: end_offset - start_offset length is not block aligned, could mean missing data.
UBI Fatal: Less than 2 layout blocks found.
binwalk HS8247W.BIN 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
98466         0x180A2         CRC32 polynomial table, little endian
100510        0x1889E         CRC32 polynomial table, little endian
101712        0x18D50         CRC32 polynomial table, little endian
1081344       0x108000        UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
binwalk -y ubifs HS8247W.BIN 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
73805952      0x4663080       UBIFS filesystem master node, CRC: 0xEF0A21B9, highest inode: 66, commit number: 63
73808064      0x46638C0       UBIFS filesystem master node, CRC: 0xCB98EAEA, highest inode: 66, commit number: 63
73810176      0x4664100       UBIFS filesystem master node, CRC: 0xBD7EE1FF, highest inode: 66, commit number: 64
73812288      0x4664940       UBIFS filesystem master node, CRC: 0xB14E14E2, highest inode: 66, commit number: 64
73814400      0x4665180       UBIFS filesystem master node, CRC: 0x3B1B53EB, highest inode: 66, commit number: 65
73816512      0x46659C0       UBIFS filesystem master node, CRC: 0x372BA6F6, highest inode: 66, commit number: 65
73818624      0x4666200       UBIFS filesystem master node, CRC: 0x3DB34991, highest inode: 66, commit number: 66
73820736      0x4666A40       UBIFS filesystem master node, CRC: 0x3183BC8C, highest inode: 66, commit number: 66
73822848      0x4667280       UBIFS filesystem master node, CRC: 0x20393568, highest inode: 66, commit number: 67
73824960      0x4667AC0       UBIFS filesystem master node, CRC: 0xEC9E85CB, highest inode: 66, commit number: 68
73827072      0x4668300       UBIFS filesystem master node, CRC: 0xE0AE70D6, highest inode: 66, commit number: 68
73829184      0x4668B40       UBIFS filesystem master node, CRC: 0xE29587B0, highest inode: 66, commit number: 69
93405312      0x5914080       UBIFS filesystem master node, CRC: 0xCB98EAEA, highest inode: 66, commit number: 63
93407424      0x59148C0       UBIFS filesystem master node, CRC: 0xC7A81FF7, highest inode: 66, commit number: 63
93409536      0x5915100       UBIFS filesystem master node, CRC: 0xB14E14E2, highest inode: 66, commit number: 64
93411648      0x5915940       UBIFS filesystem master node, CRC: 0xA51F0BC5, highest inode: 66, commit number: 64
93413760      0x5916180       UBIFS filesystem master node, CRC: 0x372BA6F6, highest inode: 66, commit number: 65
93415872      0x59169C0       UBIFS filesystem master node, CRC: 0x13B96DA5, highest inode: 66, commit number: 65
93417984      0x5917200       UBIFS filesystem master node, CRC: 0x3183BC8C, highest inode: 66, commit number: 66
93420096      0x5917A40       UBIFS filesystem master node, CRC: 0x25D2A3AB, highest inode: 66, commit number: 66
93422208      0x5918280       UBIFS filesystem master node, CRC: 0x2C09C075, highest inode: 66, commit number: 67
93424320      0x5918AC0       UBIFS filesystem master node, CRC: 0xE0AE70D6, highest inode: 66, commit number: 68
93426432      0x5919300       UBIFS filesystem master node, CRC: 0xF4FF6FF1, highest inode: 66, commit number: 68
93428544      0x5919B40       UBIFS filesystem master node, CRC: 0xF6C49897, highest inode: 66, commit number: 69
143282304     0x88A5080       UBIFS filesystem superblock node, CRC: 0xACB725AE, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 166, max erase blocks: 1024, format version: 4, compression type: lzo
143822976     0x8929080       UBIFS filesystem superblock node, CRC: 0x3D42921F, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 1058, max erase blocks: 1058, format version: 4, compression type: lzo
154230912     0x9316080       UBIFS filesystem master node, CRC: 0x99550E76, highest inode: 184268, commit number: 740
154233024     0x93168C0       UBIFS filesystem master node, CRC: 0x2DB33D44, highest inode: 184275, commit number: 741
154235136     0x9317100       UBIFS filesystem master node, CRC: 0x921F617, highest inode: 184275, commit number: 741
154237248     0x9317940       UBIFS filesystem master node, CRC: 0x94230F0D, highest inode: 184275, commit number: 742
154239360     0x9318180       UBIFS filesystem master node, CRC: 0xDFF6E2A1, highest inode: 184314, commit number: 743
154241472     0x93189C0       UBIFS filesystem master node, CRC: 0xDDC57ABF, highest inode: 184501, commit number: 744
154243584     0x9319200       UBIFS filesystem master node, CRC: 0x8FABE3EC, highest inode: 184724, commit number: 745
154245696     0x9319A40       UBIFS filesystem master node, CRC: 0xD2679171, highest inode: 184939, commit number: 746
159232128     0x97DB080       UBIFS filesystem master node, CRC: 0xBDC7C525, highest inode: 184268, commit number: 740
159234240     0x97DB8C0       UBIFS filesystem master node, CRC: 0x921F617, highest inode: 184275, commit number: 741
159236352     0x97DC100       UBIFS filesystem master node, CRC: 0x511030A, highest inode: 184275, commit number: 741
159238464     0x97DC940       UBIFS filesystem master node, CRC: 0x9813FA10, highest inode: 184275, commit number: 742
159240576     0x97DD180       UBIFS filesystem master node, CRC: 0xC797089B, highest inode: 184314, commit number: 743
159242688     0x97DD9C0       UBIFS filesystem master node, CRC: 0xD1F58FA2, highest inode: 184501, commit number: 744
159244800     0x97DE200       UBIFS filesystem master node, CRC: 0x9BFAFCCB, highest inode: 184724, commit number: 745
159246912     0x97DEA40       UBIFS filesystem master node, CRC: 0xCA067B4B, highest inode: 184939, commit number: 746

I'm not sure now how can I extract the contents. Any clue?