Air720固件分析系列A-结构分析
Air720固件分析系列-结构分析
提醒
本系列文章为个人分析结果,不代表官方,如有遗漏,非常正常,欢迎指正^_^
分析材料
AT固件 AirM2M_720_V337_LTE_AT.blf
位于 data\default_lod\asr1802At\720\AirM2M_720_V337_LTE_AT
一些准备知识
- Air720的核心asr1802广泛用于mifi,所以出现mifi字眼很正常
- Air720有Nor和Nand两个版本,刷机会不一样,但新版luatools已经屏蔽差异
分析
首先, 顶层的blf是一个zip压缩包
使用7zip, 解压N个文件:
| 文件名 | 含义 |
|---|---|
| 720.blf | Air720刷机定义,这些就不是压缩包了,是文本文件 |
| 720D.blf | Air720D刷机定义,移动双模 |
| 720H.blf | Air720H刷机定义,全网通五模 |
| AddtionalAPN.bin | 附加APN,猜测是为国外运营商准备的 |
| FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin | 功率放大器的数据文件 |
| FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM_lzma.bin | 功率放大器的数据文件 |
| FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC.bin | 功率放大器的数据文件 |
| FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC_lzma.bin | 功率放大器的数据文件 |
| Lua_socket_demo.bin | Luat的socket demo代码,不知道为啥在这里 |
| Nezha_loader_MIFI_V5_NOR.bin | 为NOR设备准备的bootloader |
| Nezha_loader_MIFI_V5_NOR_Release.bin | 为NOR设备准备的bootloader,压缩包版? |
| Nezha_loader_MIFI_V5_SPI_NAND.bin | 为NAND设备准备的bootloader |
| Nezha_loader_MIFI_V5_SPI_NAND_Release.bin | 为NAND设备准备的bootloader |
| ntim_ddr.bin | 未知,可能是DDR配置文件,总是第一个写入闪存 |
| NZ_CP_LWG_MIFI_V5_TX.bin | 某种MIFI固件? |
| NZ_CP_LWG_MIFI_V5_TX_lzma.bin | 某种MIFI固件的lzma压缩包 |
| NZ_LWG_M09_B0_SKL_Flash.bin | 未知 |
| NZ_LWG_M09_B0_SKL_Flash_lzma.bin | 上一个文件的lamz压缩包 |
| ReliableData+FDD-B138+TDDB38-41.bin | 基带数据 |
| WebData.bin | MIFI网页管理工具 |
720.blf内容分析
[BLF_Version]Blf_Version_Number = V2.0.0 //版本号[UE_Options]UE_Boot_Option = 0[Flash_Properties]Flash_Block_Size = 0x10000Max_Upload_Split_Size = 0x1cff000Max_FBF_Split_Size = 0x1cff000Flash_Family = SPI-NOR // 内部存储的类型, 有NOR和NAND两种Spare_Area_Size = 64Data_Area_Size = 2048FBF_Sector_Size = 4096[Flash_Options]Skip_Blocks_Number =Erase_All_Flash = 0Reset_BBT = 0[TIM_Configuration]Number_of_Images = 9 // 这个数值决定了Image_List段的数量Number_of_Keys = 0Boot_Flash_Signature = 0x5350490AProcessor_Type = PXA1202OEM_UniqueID = 0x21796B53Issue_Date = 0x20091029Version = 0x00030400Trusted = 0[Reserved_Data]UARTIDPort(FFIDENTIFIER) = 0x00004646Enabled = 0x00000001End_UARTIDLTWSLWG only = 0x00000003End_LTWSTRFUEnabled = 0x00000001Flash_Address = 0x041C0000Magic = 0x54524657End_TRFUEnd_Reserved_Data[EraseOnly_Option]Total_Eraseonly_Areas = 11_Eraseonly_Area_Size = 0x030000001_Eraseonly_Area_FlashStartAddress = 0x010E00001_Eraseonly_Area_Partition = 0[Extended_Reserved_Data]Consumer_IDCID = TBRIPID = DDR1End_Consumer_IDDDR_InitializationDDR_PID = DDR1 // DDR类型,可以看出是DDR 1代,对MCU来说是够的DDROperationsDDR_INIT_ENABLE = 0x00000001DDR_MEMTEST_ENABLE = 0x00000000 // MEMTEST,有点像linux了?但据说是rtos系统End_DDROperationsInstructionsWRITE = <0xB0000010,0xB0000000>WRITE = <0xB0000020,0x00001220>WRITE = <0xB0000080,0x01800000>WRITE = <0xB0000090,0x00080000>WRITE = <0xB00000F0,0xC0000000>WRITE = <0xB00001A0,0x20C0C011>WRITE = <0xB0000770,0x02000000>WRITE = <0xB0000570,0x00000001>WRITE = <0xB0000100,0x00090601>WRITE = <0xB0000050,0x488B0196>WRITE = <0xB0000060,0x32330102>WRITE = <0xB0000190,0x20101009>WRITE = <0xB00001C0,0x12820002>WRITE = <0xB0000650,0x00080022>WRITE = <0xB0000280,0x02020102>WRITE = <0xB0000210,0x00000000>WRITE = <0xB0000240,0x80000000>WRITE = <0xB0000140,0x20004422>WRITE = <0xB00001D0,0x1330077D>WRITE = <0xB00001E0,0x03300770>WRITE = <0xB00001F0,0xC0000077>WRITE = <0xB0000200,0x0010310C>WRITE = <0xB0000230,0xF0500003>WRITE = <0xB0000E10,0x00500003>WRITE = <0xB0000E20,0x00500003>WRITE = <0xB0000E30,0x00500003>WRITE = <0xB0000240,0x20000000>WRITE = <0xB0000240,0x40000000>WRITE = <0xB0000200,0x0010311C>WRITE = <0xB0000120,0x00000001>WAIT_FOR_BIT_SET = <0xB00001B0,0x00000001,0x00001000>End_InstructionsEnd_DDR_InitializationEnd_Extended_Reserved_Data[Image_List]// 这一段是每个区域的镜像数据, 循环的,所以只分析第一个1_Image_Enable = 1 // 部分enable=1,部分是0, 应该是启用/禁用的意思1_Image_Tim_Included = 1 // 未知含义1_Image_Image_ID = 0x54494D48 // 当前image的id1_Image_Next_Image_ID = 0x4F424D49 // 下一个image的id1_Image_Path = ntim_ddr.bin // 数据文件来源1_Image_Flash_Entry_Address = 0x00000000 // 写入的基地址,非常重要1_Image_Load_Address = 0xD1101000 // 载入地址1_Image_Type = RAW // 数据文件格式,这里是裸数据1_Image_ID_Name = TIMH // 好像是一种内部命名1_Image_Erase_Size = // 需要抹除的区域,WebData.bin之类的会设置1_Image_Partition_Number = 01_Image_Size_To_CRC_in_bytes = 01_Image_Hash_Algorithm_ID =1_Image_Image_Size_To_Hash_in_bytes =2_Image_Enable = 12_Image_Tim_Included = 12_Image_Image_ID = 0x4F424D492_Image_Next_Image_ID = 0x52424C492_Image_Path = Nezha_loader_MIFI_V5_SPI_NAND.bin2_Image_Flash_Entry_Address = 0x000060002_Image_Load_Address = 0x01C000002_Image_Type = RAW2_Image_ID_Name = OBMI2_Image_Erase_Size =2_Image_Partition_Number = 02_Image_Size_To_CRC_in_bytes = 02_Image_Hash_Algorithm_ID =2_Image_Image_Size_To_Hash_in_bytes =3_Image_Enable = 03_Image_Tim_Included = 13_Image_Image_ID = 0x52424C493_Image_Next_Image_ID = 0x52424C523_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin3_Image_Flash_Entry_Address = 0x000200003_Image_Load_Address = 0x01D4F0003_Image_Type = RAW3_Image_ID_Name = RBLI3_Image_Erase_Size = 0x000200003_Image_Partition_Number = 03_Image_Size_To_CRC_in_bytes = 03_Image_Hash_Algorithm_ID =3_Image_Image_Size_To_Hash_in_bytes =4_Image_Enable = 04_Image_Tim_Included = 14_Image_Image_ID = 0x52424C524_Image_Next_Image_ID = 0x4F534C4F4_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin4_Image_Flash_Entry_Address = 0x000400004_Image_Load_Address = 0x01D4F0004_Image_Type = RAW4_Image_ID_Name = RBLR4_Image_Erase_Size = 0x000200004_Image_Partition_Number = 04_Image_Size_To_CRC_in_bytes = 04_Image_Hash_Algorithm_ID =4_Image_Image_Size_To_Hash_in_bytes =5_Image_Enable = 15_Image_Tim_Included = 15_Image_Image_ID = 0x4F534C4F5_Image_Next_Image_ID = 0x475242495_Image_Path = NZ_CP_LWG_MIFI_V5_TX.bin5_Image_Flash_Entry_Address = 0x000600005_Image_Load_Address = 0x000000005_Image_Type = RAW5_Image_ID_Name = OSLO5_Image_Erase_Size = 0x00A000005_Image_Partition_Number = 05_Image_Size_To_CRC_in_bytes = 05_Image_Hash_Algorithm_ID =5_Image_Image_Size_To_Hash_in_bytes =6_Image_Enable = 16_Image_Tim_Included = 16_Image_Image_ID = 0x475242496_Image_Next_Image_ID = 0x574542496_Image_Path = NZ_LWG_M09_B0_SKL_Flash.bin6_Image_Flash_Entry_Address = 0x00A600006_Image_Load_Address = 0x01D800006_Image_Type = RAW6_Image_ID_Name = GRBI6_Image_Erase_Size = 0x002800006_Image_Partition_Number = 06_Image_Size_To_CRC_in_bytes = 06_Image_Hash_Algorithm_ID =6_Image_Image_Size_To_Hash_in_bytes =7_Image_Enable = 17_Image_Tim_Included = 07_Image_Image_ID = 0x574542497_Image_Next_Image_ID = 0x5246424E7_Image_Path = WebData.bin7_Image_Flash_Entry_Address = 0x00D600007_Image_Load_Address = 0xFFFFFFFF7_Image_Type = RAW7_Image_ID_Name = WEBI7_Image_Erase_Size = 0x002000007_Image_Partition_Number = 07_Image_Size_To_CRC_in_bytes = 07_Image_Hash_Algorithm_ID =7_Image_Image_Size_To_Hash_in_bytes =8_Image_Enable = 08_Image_Tim_Included = 18_Image_Image_ID = 0x5246424E8_Image_Next_Image_ID = 0x41504E4C8_Image_Path = FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin8_Image_Flash_Entry_Address = 0x010600008_Image_Load_Address = 0x01FDFFC08_Image_Type = RAW8_Image_ID_Name = RFBN8_Image_Erase_Size = 0x000200008_Image_Partition_Number = 08_Image_Size_To_CRC_in_bytes = 08_Image_Hash_Algorithm_ID =8_Image_Image_Size_To_Hash_in_bytes =9_Image_Enable = 19_Image_Tim_Included = 09_Image_Image_ID = 0x41504E4C9_Image_Next_Image_ID = 0xFFFFFFFF9_Image_Path = AddtionalAPN.bin9_Image_Flash_Entry_Address = 0x041A00009_Image_Load_Address = 0xFFFFFFFF9_Image_Type = RAW9_Image_ID_Name = APNL9_Image_Erase_Size =9_Image_Partition_Number = 09_Image_Size_To_CRC_in_bytes = 09_Image_Hash_Algorithm_ID =9_Image_Image_Size_To_Hash_in_bytes =
下一篇文章,会分析WebData.bin的文件结构
- 发表于 2018-10-18 15:04
- 阅读 ( 3258 )
- 分类:默认分类
你可能感兴趣的文章
- 稀饭放姜 iRTU 学习日记 (1):认识iRTU开源电路 4829 浏览
- Air系列AT控制命令,针对STM32F103C8T6的示例代码 4926 浏览
- 教你用Air720 模块通过AT指令以MQTTS方式连接华为云(下篇) 4735 浏览
- 教你用Air720 模块通过AT指令以MQTTS方式连接华为云(上篇) 6663 浏览
- Air720搭配Air530实现4G+GPS定位 5767 浏览
- Air720系列模块如何设置频段 5719 浏览
相关问题
0 条评论
请先 登录 后评论
