提醒
本系列文章为个人分析结果,不代表官方,如有遗漏,非常正常,欢迎指正^_^
分析材料
AT固件 AirM2M_720_V337_LTE_AT.blf
位于 data\default_lod\asr1802At\720\AirM2M_720_V337_LTE_AT
一些准备知识
- Air720的核心asr1802广泛用于mifi,所以出现mifi字眼很正常
- Air720有Nor和Nand两个版本,刷机会不一样,但新版luatools已经屏蔽差异
分析
首先, 顶层的blf是一个zip压缩包
使用7zip, 解压N个文件:
文件名 | 含义 |
---|---|
720.blf | Air720刷机定义,这些就不是压缩包了,是文本文件 |
720D.blf | Air720D刷机定义,移动双模 |
720H.blf | Air720H刷机定义,全网通五模 |
AddtionalAPN.bin | 附加APN,猜测是为国外运营商准备的 |
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin | 功率放大器的数据文件 |
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM_lzma.bin | 功率放大器的数据文件 |
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC.bin | 功率放大器的数据文件 |
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC_lzma.bin | 功率放大器的数据文件 |
Lua_socket_demo.bin | Luat的socket demo代码,不知道为啥在这里 |
Nezha_loader_MIFI_V5_NOR.bin | 为NOR设备准备的bootloader |
Nezha_loader_MIFI_V5_NOR_Release.bin | 为NOR设备准备的bootloader,压缩包版? |
Nezha_loader_MIFI_V5_SPI_NAND.bin | 为NAND设备准备的bootloader |
Nezha_loader_MIFI_V5_SPI_NAND_Release.bin | 为NAND设备准备的bootloader |
ntim_ddr.bin | 未知,可能是DDR配置文件,总是第一个写入闪存 |
NZ_CP_LWG_MIFI_V5_TX.bin | 某种MIFI固件? |
NZ_CP_LWG_MIFI_V5_TX_lzma.bin | 某种MIFI固件的lzma压缩包 |
NZ_LWG_M09_B0_SKL_Flash.bin | 未知 |
NZ_LWG_M09_B0_SKL_Flash_lzma.bin | 上一个文件的lamz压缩包 |
ReliableData+FDD-B138+TDDB38-41.bin | 基带数据 |
WebData.bin | MIFI网页管理工具 |
720.blf内容分析
[BLF_Version]
Blf_Version_Number = V2.0.0 //版本号
[UE_Options]
UE_Boot_Option = 0
[Flash_Properties]
Flash_Block_Size = 0x10000
Max_Upload_Split_Size = 0x1cff000
Max_FBF_Split_Size = 0x1cff000
Flash_Family = SPI-NOR // 内部存储的类型, 有NOR和NAND两种
Spare_Area_Size = 64
Data_Area_Size = 2048
FBF_Sector_Size = 4096
[Flash_Options]
Skip_Blocks_Number =
Erase_All_Flash = 0
Reset_BBT = 0
[TIM_Configuration]
Number_of_Images = 9 // 这个数值决定了Image_List段的数量
Number_of_Keys = 0
Boot_Flash_Signature = 0x5350490A
Processor_Type = PXA1202
OEM_UniqueID = 0x21796B53
Issue_Date = 0x20091029
Version = 0x00030400
Trusted = 0
[Reserved_Data]
UARTID
Port(FFIDENTIFIER) = 0x00004646
Enabled = 0x00000001
End_UARTID
LTWS
LWG only = 0x00000003
End_LTWS
TRFU
Enabled = 0x00000001
Flash_Address = 0x041C0000
Magic = 0x54524657
End_TRFU
End_Reserved_Data
[EraseOnly_Option]
Total_Eraseonly_Areas = 1
1_Eraseonly_Area_Size = 0x03000000
1_Eraseonly_Area_FlashStartAddress = 0x010E0000
1_Eraseonly_Area_Partition = 0
[Extended_Reserved_Data]
Consumer_ID
CID = TBRI
PID = DDR1
End_Consumer_ID
DDR_Initialization
DDR_PID = DDR1 // DDR类型,可以看出是DDR 1代,对MCU来说是够的
DDROperations
DDR_INIT_ENABLE = 0x00000001
DDR_MEMTEST_ENABLE = 0x00000000 // MEMTEST,有点像linux了?但据说是rtos系统
End_DDROperations
Instructions
WRITE = <0xB0000010,0xB0000000>
WRITE = <0xB0000020,0x00001220>
WRITE = <0xB0000080,0x01800000>
WRITE = <0xB0000090,0x00080000>
WRITE = <0xB00000F0,0xC0000000>
WRITE = <0xB00001A0,0x20C0C011>
WRITE = <0xB0000770,0x02000000>
WRITE = <0xB0000570,0x00000001>
WRITE = <0xB0000100,0x00090601>
WRITE = <0xB0000050,0x488B0196>
WRITE = <0xB0000060,0x32330102>
WRITE = <0xB0000190,0x20101009>
WRITE = <0xB00001C0,0x12820002>
WRITE = <0xB0000650,0x00080022>
WRITE = <0xB0000280,0x02020102>
WRITE = <0xB0000210,0x00000000>
WRITE = <0xB0000240,0x80000000>
WRITE = <0xB0000140,0x20004422>
WRITE = <0xB00001D0,0x1330077D>
WRITE = <0xB00001E0,0x03300770>
WRITE = <0xB00001F0,0xC0000077>
WRITE = <0xB0000200,0x0010310C>
WRITE = <0xB0000230,0xF0500003>
WRITE = <0xB0000E10,0x00500003>
WRITE = <0xB0000E20,0x00500003>
WRITE = <0xB0000E30,0x00500003>
WRITE = <0xB0000240,0x20000000>
WRITE = <0xB0000240,0x40000000>
WRITE = <0xB0000200,0x0010311C>
WRITE = <0xB0000120,0x00000001>
WAIT_FOR_BIT_SET = <0xB00001B0,0x00000001,0x00001000>
End_Instructions
End_DDR_Initialization
End_Extended_Reserved_Data
[Image_List]
// 这一段是每个区域的镜像数据, 循环的,所以只分析第一个
1_Image_Enable = 1 // 部分enable=1,部分是0, 应该是启用/禁用的意思
1_Image_Tim_Included = 1 // 未知含义
1_Image_Image_ID = 0x54494D48 // 当前image的id
1_Image_Next_Image_ID = 0x4F424D49 // 下一个image的id
1_Image_Path = ntim_ddr.bin // 数据文件来源
1_Image_Flash_Entry_Address = 0x00000000 // 写入的基地址,非常重要
1_Image_Load_Address = 0xD1101000 // 载入地址
1_Image_Type = RAW // 数据文件格式,这里是裸数据
1_Image_ID_Name = TIMH // 好像是一种内部命名
1_Image_Erase_Size = // 需要抹除的区域,WebData.bin之类的会设置
1_Image_Partition_Number = 0
1_Image_Size_To_CRC_in_bytes = 0
1_Image_Hash_Algorithm_ID =
1_Image_Image_Size_To_Hash_in_bytes =
2_Image_Enable = 1
2_Image_Tim_Included = 1
2_Image_Image_ID = 0x4F424D49
2_Image_Next_Image_ID = 0x52424C49
2_Image_Path = Nezha_loader_MIFI_V5_SPI_NAND.bin
2_Image_Flash_Entry_Address = 0x00006000
2_Image_Load_Address = 0x01C00000
2_Image_Type = RAW
2_Image_ID_Name = OBMI
2_Image_Erase_Size =
2_Image_Partition_Number = 0
2_Image_Size_To_CRC_in_bytes = 0
2_Image_Hash_Algorithm_ID =
2_Image_Image_Size_To_Hash_in_bytes =
3_Image_Enable = 0
3_Image_Tim_Included = 1
3_Image_Image_ID = 0x52424C49
3_Image_Next_Image_ID = 0x52424C52
3_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin
3_Image_Flash_Entry_Address = 0x00020000
3_Image_Load_Address = 0x01D4F000
3_Image_Type = RAW
3_Image_ID_Name = RBLI
3_Image_Erase_Size = 0x00020000
3_Image_Partition_Number = 0
3_Image_Size_To_CRC_in_bytes = 0
3_Image_Hash_Algorithm_ID =
3_Image_Image_Size_To_Hash_in_bytes =
4_Image_Enable = 0
4_Image_Tim_Included = 1
4_Image_Image_ID = 0x52424C52
4_Image_Next_Image_ID = 0x4F534C4F
4_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin
4_Image_Flash_Entry_Address = 0x00040000
4_Image_Load_Address = 0x01D4F000
4_Image_Type = RAW
4_Image_ID_Name = RBLR
4_Image_Erase_Size = 0x00020000
4_Image_Partition_Number = 0
4_Image_Size_To_CRC_in_bytes = 0
4_Image_Hash_Algorithm_ID =
4_Image_Image_Size_To_Hash_in_bytes =
5_Image_Enable = 1
5_Image_Tim_Included = 1
5_Image_Image_ID = 0x4F534C4F
5_Image_Next_Image_ID = 0x47524249
5_Image_Path = NZ_CP_LWG_MIFI_V5_TX.bin
5_Image_Flash_Entry_Address = 0x00060000
5_Image_Load_Address = 0x00000000
5_Image_Type = RAW
5_Image_ID_Name = OSLO
5_Image_Erase_Size = 0x00A00000
5_Image_Partition_Number = 0
5_Image_Size_To_CRC_in_bytes = 0
5_Image_Hash_Algorithm_ID =
5_Image_Image_Size_To_Hash_in_bytes =
6_Image_Enable = 1
6_Image_Tim_Included = 1
6_Image_Image_ID = 0x47524249
6_Image_Next_Image_ID = 0x57454249
6_Image_Path = NZ_LWG_M09_B0_SKL_Flash.bin
6_Image_Flash_Entry_Address = 0x00A60000
6_Image_Load_Address = 0x01D80000
6_Image_Type = RAW
6_Image_ID_Name = GRBI
6_Image_Erase_Size = 0x00280000
6_Image_Partition_Number = 0
6_Image_Size_To_CRC_in_bytes = 0
6_Image_Hash_Algorithm_ID =
6_Image_Image_Size_To_Hash_in_bytes =
7_Image_Enable = 1
7_Image_Tim_Included = 0
7_Image_Image_ID = 0x57454249
7_Image_Next_Image_ID = 0x5246424E
7_Image_Path = WebData.bin
7_Image_Flash_Entry_Address = 0x00D60000
7_Image_Load_Address = 0xFFFFFFFF
7_Image_Type = RAW
7_Image_ID_Name = WEBI
7_Image_Erase_Size = 0x00200000
7_Image_Partition_Number = 0
7_Image_Size_To_CRC_in_bytes = 0
7_Image_Hash_Algorithm_ID =
7_Image_Image_Size_To_Hash_in_bytes =
8_Image_Enable = 0
8_Image_Tim_Included = 1
8_Image_Image_ID = 0x5246424E
8_Image_Next_Image_ID = 0x41504E4C
8_Image_Path = FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin
8_Image_Flash_Entry_Address = 0x01060000
8_Image_Load_Address = 0x01FDFFC0
8_Image_Type = RAW
8_Image_ID_Name = RFBN
8_Image_Erase_Size = 0x00020000
8_Image_Partition_Number = 0
8_Image_Size_To_CRC_in_bytes = 0
8_Image_Hash_Algorithm_ID =
8_Image_Image_Size_To_Hash_in_bytes =
9_Image_Enable = 1
9_Image_Tim_Included = 0
9_Image_Image_ID = 0x41504E4C
9_Image_Next_Image_ID = 0xFFFFFFFF
9_Image_Path = AddtionalAPN.bin
9_Image_Flash_Entry_Address = 0x041A0000
9_Image_Load_Address = 0xFFFFFFFF
9_Image_Type = RAW
9_Image_ID_Name = APNL
9_Image_Erase_Size =
9_Image_Partition_Number = 0
9_Image_Size_To_CRC_in_bytes = 0
9_Image_Hash_Algorithm_ID =
9_Image_Image_Size_To_Hash_in_bytes =
下一篇文章,会分析WebData.bin的文件结构