拆解新买的小爱音箱Pro, 更新固化开机启动 SSH 教学

snowwolf725 · 发表于 2019-11-29 14:33:54

本帖最后由 snowwolf725 于 2021-3-11 15:15 编辑

2019/12/03 更新固化开机启动 SSH 教学

https://bbs.hassbian.com/forum.p ... tid=8754&pid=283801

小爱音箱固件及破解板固件下载

https://bbs.hassbian.com/forum.p ... 8754&pid=368909

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

前天买了小爱音箱刚好逛到这个论坛,
看到这麽多改造的教学手有点痒,
於是就自己把新买的音箱拆开看看,

登录/注册后可看大图

把音箱底部的胶条拿掉后可以看到固定的螺丝,

把螺丝卸掉然後用螺丝刀插入上方中间的孔可以拔出底盖

登录/注册后可看大图

移除底盘后长这样, 卸掉固定电源座的两个螺丝可以将音箱主体拔出

登录/注册后可看大图

音箱本体, 把固定板子的四个螺丝卸下来可以将板子拆下来

登录/注册后可看大图

板子背面

登录/注册后可看大图

板子左下角为 TTL 的接口

登录/注册后可看大图

接上 TTL 接可以查看开机纪录,
未升级前出厂版本 1.52.7 开机登入不需密码,

AXG:BL1:d1dbf2:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 23919

BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - liang.yang@droid11-sz

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 1
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 2b 07 50 2e 0a 52 29 03 4f 34 0f 5a 00 00 00 00 00 00 00 00 00 00 00 00 612   - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):a1a8551
NOTICE:  BL31: Built : 15:59:55, Nov  9 2017
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x43
49 ef 5 94 ca 20 c5 2e b9 78 ca 5f bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014483 Inits done]
secure task start!
high task start!
low task start!
ERROR:   Error initializing runtime service opteed_fast


U-Boot 2015.01 (Oct 14 2019 - 03:47:57), Build: jenkins-Mico_lx06_ota_publish-133

DRAM:  256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89588
NAND:  nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=24, ec=19, phy_page_addr=0, timestamp=39
nenv free list:
blockN=25, ec=18, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 300000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
 NAND bbt detect factory Bad block at 6000000
aml_nand_add_partition:1794 factory bad addr=300
Creating 6 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c20000 : "system1"
 NAND bbt detect factory Bad block at 6000000
0x000006c20000-0x000008000000 : "data"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 300000
In:    serial
Out:   serial
Err:   serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
      Amlogic multi-dtb tool
      Single dtb detected
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 310000
aml_nand_write_rsv:520,write info to 310000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
      Amlogic multi-dtb tool
      Single dtb detected
   Uncompressing Kernel Image ... OK
   kernel loaded at 0x01080000, end = 0x0185c808
   Loading Ramdisk to 0eea8000, end 0f005332 ... OK
   Loading Device Tree to 000000000ee9c000, end 000000000eea7036 ... OK

Starting kernel ...

uboot time: 1546948 us
domain-0 init dvfs: 4
[    0.290790@1] ff803000.serial: clock gate not found
[    0.298189@1] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[    1.196193@1] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20054
LX06
curr_boot is boot0
Booting from boot0
/dev/mtdblock4 is ready now.
[    2.588301@0] meson-pinctrl pinctrl@ff634480: function 'gpioa_20' not supported
[    2.590102@0] meson-pinctrl pinctrl@ff634480: invalid function gpioa_20 in map table
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[    9.867249@2] name: mac_wifi, size 17
[    9.884224@3] name: mac_bt, size 17
ledserver[1246]: current model lx06.

ledserver[1246]: LEDSBAK EXISITS

crond[1283]: crond (busybox 1.27.2) started, log level 5

[   12.673565@1] wlan: Loading MWLAN driver
[   12.674501@1] vendor=0x02DF device=0x9145 class=0 function=1
[   12.677592@1] SDIO: max_segs=1024 max_seg_size=131072
[   12.682519@1] rx_work=1 cpu_num=4
[   12.689843@2] Request firmware: mrvl/sdsd8977_combo_v2.bin
[   14.988585@1] WLAN FW is active
[   15.103121@1] get_channel when STA is not connected
[   15.105345@1] get_channel when AP is not started
[   15.108381@0] wlan: version = SD8977-16.84.9.p6-C4X16C544.P3-GPL-(FP84)
[   15.114713@0] wlan: Driver loaded successfully
[   15.544367@3] BT: Loading driver
[   15.546108@1] BT FW is active(0)
[   15.546148@1] BT: FW already downloaded!
[   15.555877@2] get_channel when STA is not connected
[   15.556503@2] get_channel when STA is not connected
[   15.561417@2] get_channel when STA is not connected
[   15.565363@2] get_channel when STA is not connected
[   15.570813@3] get_channel when STA is not connected
[   15.571440@2] BT: Driver loaded successfully
[   15.733067@2] wlan: wlan0 START SCAN



BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.52.7
------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@mico:/#

升级到最新版 1.58.13 预设 TTL 登入需要密码

https://bbs.hassbian.com/thread-8667-1-1.html
参考这篇的方式自己算出密码可以透过 TTL 登入,

AXG:BL1:d1dbf2:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 24140

BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - liang.yang@droid11-sz

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 1
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 2d 08 52 2f 0a 54 28 02 4f 35 0f 5b 00 00 00 00 00 00 00 00 00 00 00 00 607   - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):a1a8551
NOTICE:  BL31: Built : 15:59:55, Nov  9 2017
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x43
49 ef 5 94 ca 20 c5 2e b9 78 ca 5f bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014521 Inits done]
secure task start!
high task start!
low task start!
ERROR:   Error initializing runtime service opteed_fast


U-Boot 2015.01 (Oct 14 2019 - 03:47:57), Build: jenkins-Mico_lx06_ota_publish-133

DRAM:  256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89588
NAND:  nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=24, ec=9, phy_page_addr=0, timestamp=19
nenv free list:
blockN=25, ec=8, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 300000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
 NAND bbt detect factory Bad block at 6000000
aml_nand_add_partition:1794 factory bad addr=300
Creating 6 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c20000 : "system1"
 NAND bbt detect factory Bad block at 6000000
0x000006c20000-0x000008000000 : "data"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 300000
In:    serial
Out:   serial
Err:   serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
      Amlogic multi-dtb tool
      Single dtb detected
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
HAVE SN Code ...
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 310000
aml_nand_write_rsv:520,write info to 310000
[burnup]Rd:Up sz 0x3f2037 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
      Amlogic multi-dtb tool
      Single dtb detected
   Uncompressing Kernel Image ... OK
   kernel loaded at 0x01080000, end = 0x0185c808
   Loading Ramdisk to 0eea8000, end 0f0054ae ... OK
   Loading Device Tree to 000000000ee9c000, end 000000000eea7036 ... OK

Starting kernel ...

uboot time: 1804637 us
domain-0 init dvfs: 4
[    0.295052@3] ff803000.serial: clock gate not found
[    0.302417@3] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[    1.200534@0] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20054
LX06
curr_boot is boot1
Booting from boot1
/dev/mtdblock5 is ready now.
[    2.585896@0] meson-pinctrl pinctrl@ff634480: function 'gpioa_20' not supported
[    2.587582@0] meson-pinctrl pinctrl@ff634480: invalid function gpioa_20 in map table
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[    9.802532@2] name: mac_wifi, size 17
[    9.817822@0] name: mac_bt, size 17
ledserver[1245]: current model lx06.

ledserver[1245]: LEDSBAK EXISITS

crond[1283]: crond (busybox 1.27.2) started, log level 5

[   12.661449@1] wlan: Loading MWLAN driver
[   12.662130@0] vendor=0x02DF device=0x9145 class=0 function=1
[   12.665492@0] SDIO: max_segs=1024 max_seg_size=131072
[   12.670397@0] rx_work=1 cpu_num=4
[   12.677638@0] Request firmware: mrvl/sdsd8977_combo_v2.bin
[   14.968238@3] WLAN FW is active
[   15.075150@0] get_channel when STA is not connected
[   15.077559@2] get_channel when AP is not started
[   15.080443@2] wlan: version = SD8977-16.84.9.p17-C4X16C544.P3-GPL-(FP84)
[   15.086106@2] wlan: Driver loaded successfully
[   15.501524@1] BT: Loading driver
[   15.505919@2] BT FW is active(0)
[   15.505956@2] BT: FW already downloaded!
[   15.519064@0] get_channel when STA is not connected
[   15.519646@0] get_channel when STA is not connected
[   15.520630@3] BT: Driver loaded successfully
[   15.528828@0] get_channel when STA is not connected
[   15.532770@0] get_channel when STA is not connected
[   15.538312@1] get_channel when STA is not connected
[   15.668846@1] wlan: wlan0 START SCAN

开机时按 f 并按下 enter 可进入 failsafe 模式

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
- failsafe -
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2DP92+nA0hs7KMFsuE+LlcrLcazqb84TWYuPC7u/2                                                                                                                                                             yqzxcLhIXXJTVYo1hdvtJ7XSYLdZ3FhtQqj9Ab1ofCgaNPp+VyDxx9Hc9+UpLqUpL++FyjaoEFWQMCse                                                                                                                                                             3PXhohKjqxSF+zJkKjG0Cd9jM7Vz+T/snAf7zYNYApu0h9LbdQ== root@(none)
Fingerprint: md5 e0:4f:5b:63:cc:4a:10:73:49:6a:76:97:f1:be:46:58
f

BusyBox v1.27.2 () built-in shell (ash)

ash: can't access tty; job control turned off
  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

for more help see:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=======================================================


root@(none):/etc# cat shadow
root:$1$N0Iz0LLs$kZ5zG/Y2AUWHNE5I3ElWm1:18128:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
mosquitto:x:0:0:99999:7:::
root@(none):/etc# cat passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false

reboot 讯息

root@mico:/data# reboot
root@mico:/data# bluez_mibt_ble_new[2809]: main:

bluez_mibt_ble shutting down...


mediaplayer[1814]: sigterm_handler, somebody killed me, exit!

miio_bt[352]: sig_handler:15
rssi[1890]: failed to reconnect, trying again in 2 seconds
miio_bt[352]: [E][arch_rpc] rpc_agent_ot_message_callback 302: socket

miio_service[3093]: failed to reconnect, trying again in 2 seconds

bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------


bluez_mibt_classical[2807]: Agent unregistered


bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------


bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------


bluez_mibt_classical[2807]: [DEL] Controller EC:41:18:6D: 撠镨阅?喟拳-1807 [default]


bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------


bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------


bluez_mibt_classical[2807]: !!!! disconnect disconnect_handler !!

miio_bt[352]: byebye
bl31 reboot reason: 0xd
bl31 reboot reason: 0x1
system cmd  1.

Aiden1 · 发表于 2019-11-29 15:11:53

意思就是说可以接入HA了？

gheartsea · 发表于 2019-11-29 20:44:20

坐等更新

louis_lee · 发表于 2019-11-30 22:08:47

哇，厉害！可以接入HA吗？

81662064 · 发表于 2019-11-30 22:46:00

期待更多

boyyao · 发表于 2019-12-1 11:55:36

不知道现在小爱除了最初的黑板绿板外。还有什么可以接入ha？比如小爱play可以么？

ygao · 发表于 2019-12-1 22:00:45

应该试一下本站的密码破解，进入failsafe,用处不大吧

snowwolf725 · 发表于 2019-12-2 07:30:42

本帖最后由 snowwolf725 于 2020-12-3 12:21 编辑

ygao 发表于 2019-12-1 22:00
应该试一下本站的密码破解，进入failsafe,用处不大吧

https://bbs.hassbian.com/thread-8667-1-1.html
https://bbs.hassbian.com/thread-11139-1-1.html

参考这篇的方式自己算出密码可以透过 TTL 登入,
不过 / 是 read-only 只有 /data 可以写入,
其余在研究

mico login: root
Password:


BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
root@mico:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock5           30.9M     30.9M         0 100% /
tmpfs                   120.9M    384.0K    120.5M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/ubi0_0              13.3M      1.2M     11.4M  10% /data
/dev/ubi0_0              13.3M      1.2M     11.4M  10% /etc/shadow
root@mico:~# mount
/dev/mtdblock5 on / type squashfs (ro,noatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
pstore on /sys/fs/pstore type pstore (rw,relatime)
/dev/ubi0_0 on /data type ubifs (rw,relatime)
/dev/ubi0_0 on /etc/shadow type ubifs (rw,relatime)
root@mico:~# cd /data/
root@mico:/data# ls
ai-crontab       dts_conf         miio             timer
alarm            etc              mipns            upnp-disc
bt               log              notify           voip
console          mdspeech_status  player           wifi
dlna             messagingagent   sound            work_day_db
dnsmasq.time     mibrain          status           workday
root@mico:/data# cd /etc
root@mico:/etc# ls
TZ                       hosts                    profile
asound.conf              hotplug-preinit.json     protocols
asound.state             hotplug.d                rc.button
banner                   hotplug.json             rc.common
banner.failsafe          init.d                   rc.d
bluetooth                inittab                  rc.local
board.d                  iproute2                 resolv.conf
bt                       localtime                services
config                   marvell                  shadow
crontabs                 miio                     shells
dbus-1                   modules-boot.d           ssl
device_info              modules.d                sysctl.conf
diag.sh                  mosquitto                sysctl.d
diracmobile.config.s12a  mtab                     syslog-ng.conf
diracmobile.config.s12c  nsswitch.conf            sysupgrade.conf
dnsmasq.conf             openwrt_release          uci-defaults
dnsmasq.conf.ap          openwrt_version          wifi
dnsmasq.conf.sta         opkg                     workday
dropbear                 os-release               xattr.conf
fstab                    passwd
group                    preinit

ygao · 发表于 2019-12-2 10:50:38

snowwolf725 发表于 2019-12-2 07:30
https://bbs.hassbian.com/thread-8667-1-1.html

参考这篇的方式自己算出密码可以透过 TTL 登入,

谢谢报告，看来只能走绿板方式来定制了。

snowwolf725 · 发表于 2019-12-3 14:08:07

本帖最后由 snowwolf725 于 2020-12-3 12:50 编辑

# 2020/12/03 更新教程, 改用 mtd 写入分区, 避免 dd 写入分区错误的情况

开始改造小爱音箱Pro开机自动启动 SSH
TTL登入系统, 然后开启 SSH

mico login: root
Password:


BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
root@mico:~# dropbearkey -t rsa -f /data/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtEcuiRqr+8GcaQVWUYbnw6AresOdhQ6bdig0FvLPn                             
blvMEeBcKWZDO/kMjGcpNGn719zB8P92wr41LqHM+IP20a9IAbAv03ex+vEVAgz3dpRAlQ7R5ciHg89b                             
6J0pYOgwP3H5Q3t0YWrEOykmUHFQXpx7d/qQLTPIoj4gZVdrXu408Qw3i3f3RkLATbY+41oxnw6yhKDR                             
77ZIMwN/8czxftVXPotMA4VOWFMVlgrvT7HpyZcwhArfnlKYZdCdozmk3nw/zpWxePhiHK/Qodcwh64M                             
FxrSCEoVlfRAvxOq86O2PztbQ5003DBfuwGVv4tu2ZnvXxTz+3WUDFw3j7Ef root@mico
Fingerprint: md5 38:2b:0e:0b:f2:be:b9:39:e0:02:4d:31:5e:af:c9:5a
root@mico:~# dropbear -r /data/dropbear_rsa_host_key
root@mico:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:90551 (88.4 KiB)  TX bytes:90551 (88.4 KiB)

wlan0     Link encap:Ethernet  HWaddr EC:41:18:6D:1C:03
          inet addr:192.168.1.145  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ee41:18ff:fe6d:1c03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222324 (217.1 KiB)  TX bytes:106862 (104.3 KiB)

先用 mount 或是 df 指令查看下目前系统是用哪个分区启动,
这边会影响到後面是将修改後的固件写入到哪个分区,

如果是 /dev/mtdblock5 表示目前启动的是 system1, 那我们就要将修改的固件写到 system0 分区

(小爱音箱中同时存在两套系统, 避免升级时断电损坏无法开机的情况, 可用另一个分区启动)
mtdblock4 是 system0
mtdblock5 是 system1

root@LX06:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock5 34.5M 34.5M 0 100% /
tmpfs 120.9M 456.0K 120.4M 0% /tmp
tmpfs 512.0K 0 512.0K 0% /dev
/dev/ubi0_0 13.3M 11.4M 1.2M 91% /data
/dev/ubi0_0 13.3M 11.4M 1.2M 91% /etc/shadow

利用 dd 备份系统到 /tmp/m4.img

root@mico:~# cd /tmp
root@mico:/tmp# dd if=/dev/mtdblock4 of=/tmp/m4.img
81920+0 records in
81920+0 records out

利用 WinSCP 把档案传回, 我这边不知为何无法用 WinSCP 连线小爱音箱, 结果只能用 SCP 传到另一台 Linux 主机

root@mico:/tmp# scp m4.img [email protected]:m4.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
[email protected]'s password:
m4.img                                                                                                                       100%   40MB 650.2KB/s   01:03

在 Linux 主机中查看下档案讯息中的 Block size之后打包会用到
这边 Block size 是 131072

snowwolf725@Chin:~$ unsquashfs -s m4.img
Found a valid SQUASHFS 4:0 superblock on m4.img.
Creation or last append time Mon Oct 14 11:17:13 2019
Filesystem size 31654.99 Kbytes (30.91 Mbytes)
Compression xz
xz: error reading stored compressor options from filesystem!
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always-use-fragments option is not specified
Xattrs are not stored
Duplicates are removed
Number of fragments 127
Number of inodes 1798
Number of ids 1

将档案解开

root@Chin:~# unsquashfs -dest tochang m4.img
Parallel unsquashfs: Using 8 processors
1699 inodes (2067 blocks) to write

[============================================================================================================================================/] 2067/2067 100%

created 1124 files
created 99 directories
created 574 symlinks
created 1 devices
created 0 fifos

修改 /etc/rc.local 添加 /data/init.sh

root@Chin:~# cd tochang/etc/
root@Chin:~/tochang/etc# vi rc.local

/etc/rc.local 修改后内容如下, 加入开机启动 dropbear 这个 ssh 服务及之后扩展用的脚本 /data/init.sh

root@Chin:~/tochang/etc# cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
dropbear -r /data/dropbear_rsa_host_key
/data/init.sh
exit 0

取消自动升级, 把 ota slient 这行用 # 注解掉

root@Chin:~/tochang/etc# cd crontabs/
root@Chin:~/tochang/etc/crontabs# vi root
root@Chin:~/tochang/etc/crontabs# cat root
*/5 * * * * /usr/sbin/easy_logcut size
* * * * * /usr/sbin/network_probe.sh
32 4 * * * /usr/sbin/pns refresh
*/10 * * * * /usr/bin/check_mediaplayer_status
#* 3 * * * /bin/ota slient  # check ota
* 8 * * * /bin/check_linein.sh

重新打包img参数按查看的信息写，不同设备可能与我的不同(小爱音箱Pro 的 block size应该都是131072 )

root@Chin:~/tochang/etc/crontabs# cd
root@Chin:~# mksquashfs tochang m4_crack.img -b 131072 -comp xz -no-xattrs
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on m4_crack.img, block size 131072.
[============================================================================================================================================|] 1492/1492 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, no xattrs
        duplicates are removed
Filesystem size 32675.51 Kbytes (31.91 Mbytes)
        48.51% of uncompressed filesystem size (67353.17 Kbytes)
Inode table size 16562 bytes (16.17 Kbytes)
        25.16% of uncompressed inode table size (65831 bytes)
Directory table size 18414 bytes (17.98 Kbytes)
        45.32% of uncompressed directory table size (40632 bytes)
Number of duplicate files found 46
Number of inodes 1798
Number of files 1124
Number of fragments 127
Number of symbolic links  574
Number of device nodes 1
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 99
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)

在小爱音箱中把 m4.img 删除, 并把 m4_crack.img 这个改好的档案複製回来

root@mico:/tmp# rm m4.img
root@mico:/tmp# scp [email protected]:m4_crack.img m4_crack.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
[email protected]'s password:
m4_crack.img                                                                                                                 100%   32MB 573.3KB/s   00:57

再把破解好的 img 写回 system0 分区, 并设置mtdblock4为启动分区
=======
如果是 /dev/mtdblock5 表示目前启动的是 system1 你要要把档案写到 system0
并且使用 boot0 启动系统
相反如果是 /dev/mtdblock4 表示目前启动的是 system0 你要要把档案写到 system1
并且使用 boot1 启动系统

root@mico:/tmp# mtd write m4_crack.img system0
Unlocking system0 ...

Writing from m4_crack.img to system0 ...  [w]         
root@mico:/tmp# /usr/bin/fw_env -s boot_part boot0
[ubootenv] update_bootenv_varible name [boot_part]: value [boot0]
[ubootenv] Save ubootenv to /dev/nand_env succeed!

另外如果有什麽需要开机执行的写入到 /data/init.sh, 最后将小爱重开验证改造是否成功，
如果改造成功预设小爱开机后就会启动 SSH 不用透过 TTL 进行连线

root@mico:/tmp# cd /data
root@mico:/data# vi /data/init.sh
root@mico:/data# cat /data/init.sh
dropbear -r /data/dropbear_rsa_host_key
root@mico:/data# chmod a+x init.sh
root@mico:/data# reboot

		自动登录	找回密码
密码			立即注册

[智能音箱] 拆解新买的小爱音箱Pro, 更新固化开机启动 SSH 教学

评分