请选择 进入手机版 | 继续访问电脑版

『瀚思彼岸』» 智能家居技术论坛

 找回密码
 立即注册
查看: 742|回复: 26

[智能音箱] 拆解新买的小爱音箱Pro, 更新固化开机启动 SSH 教学

[复制链接]

1

主题

21

帖子

70

积分

论坛分享达人

积分
70
金钱
49
HASS币
0
发表于 2019-11-29 14:33:54 | 显示全部楼层 |阅读模式
本帖最后由 snowwolf725 于 2019-12-3 14:41 编辑

2019/12/03 更新固化开机启动 SSH 教学

https://bbs.hassbian.com/forum.p ... tid=8754&pid=283801

小爱音箱Pro 1.58.13 固件下载地址:

https://bigota.miwifi.com/xiaoqi ... e_8b63c_1.58.13.bin


前天买了小爱音箱刚好逛到这个论坛,
看到这麽多改造的教学手有点痒,
於是就自己把新买的音箱拆开看看,



                               
登录/注册后可看大图


把音箱底部的胶条拿掉后可以看到固定的螺丝,

把螺丝卸掉然後用螺丝刀插入上方中间的孔可以拔出底盖


                               
登录/注册后可看大图


移除底盘后长这样, 卸掉固定电源座的两个螺丝可以将音箱主体拔出


                               
登录/注册后可看大图


音箱本体, 把固定板子的四个螺丝卸下来可以将板子拆下来


                               
登录/注册后可看大图


板子背面

                               
登录/注册后可看大图



板子左下角为 TTL 的接口

                               
登录/注册后可看大图


接上 TTL 接可以查看开机纪录,
未升级前出厂版本 1.52.7 开机登入不需密码,
AXG:BL1:d1dbf2:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 23919

BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - [email protected]

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 1
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 2b 07 50 2e 0a 52 29 03 4f 34 0f 5a 00 00 00 00 00 00 00 00 00 00 00 00 612   - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):a1a8551
NOTICE:  BL31: Built : 15:59:55, Nov  9 2017
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 [email protected]]
OPS=0x43
49 ef 5 94 ca 20 c5 2e b9 78 ca 5f bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014483 Inits done]
secure task start!
high task start!
low task start!
ERROR:   Error initializing runtime service opteed_fast


U-Boot 2015.01 (Oct 14 2019 - 03:47:57), Build: jenkins-Mico_lx06_ota_publish-133

DRAM:  256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89588
NAND:  nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=24, ec=19, phy_page_addr=0, timestamp=39
nenv free list:
blockN=25, ec=18, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 300000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
 NAND bbt detect factory Bad block at 6000000
aml_nand_add_partition:1794 factory bad addr=300
Creating 6 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c20000 : "system1"
 NAND bbt detect factory Bad block at 6000000
0x000006c20000-0x000008000000 : "data"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 300000
In:    serial
Out:   serial
Err:   serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
      Amlogic multi-dtb tool
      Single dtb detected
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 310000
aml_nand_write_rsv:520,write info to 310000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
      Amlogic multi-dtb tool
      Single dtb detected
   Uncompressing Kernel Image ... OK
   kernel loaded at 0x01080000, end = 0x0185c808
   Loading Ramdisk to 0eea8000, end 0f005332 ... OK
   Loading Device Tree to 000000000ee9c000, end 000000000eea7036 ... OK

Starting kernel ...

uboot time: 1546948 us
domain-0 init dvfs: 4
[    [email protected]] ff803000.serial: clock gate not found
[    [email protected]] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[    [email protected]] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20054
LX06
curr_boot is boot0
Booting from boot0
/dev/mtdblock4 is ready now.
[    [email protected]] meson-pinctrl [email protected]: function 'gpioa_20' not supported
[    [email protected]] meson-pinctrl [email protected]: invalid function gpioa_20 in map table
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[    [email protected]] name: mac_wifi, size 17
[    [email protected]] name: mac_bt, size 17
ledserver[1246]: current model lx06.

ledserver[1246]: LEDSBAK EXISITS

crond[1283]: crond (busybox 1.27.2) started, log level 5

[   [email protected]] wlan: Loading MWLAN driver
[   [email protected]] vendor=0x02DF device=0x9145 class=0 function=1
[   [email protected]] SDIO: max_segs=1024 max_seg_size=131072
[   [email protected]] rx_work=1 cpu_num=4
[   [email protected]] Request firmware: mrvl/sdsd8977_combo_v2.bin
[   [email protected]] WLAN FW is active
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when AP is not started
[   [email protected]] wlan: version = SD8977-16.84.9.p6-C4X16C544.P3-GPL-(FP84)
[   [email protected]] wlan: Driver loaded successfully
[   [email protected]] BT: Loading driver
[   [email protected]] BT FW is active(0)
[   [email protected]] BT: FW already downloaded!
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] BT: Driver loaded successfully
[   [email protected]] wlan: wlan0 START SCAN



BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.52.7
------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
[email protected]:/#


升级到最新版 1.58.13 预设 TTL 登入需要密码

https://bbs.hassbian.com/thread-8667-1-1.html
参考这篇的方式自己算出密码可以透过 TTL 登入,

AXG:BL1:d1dbf2:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 24140

BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - [email protected]

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 1
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 2d 08 52 2f 0a 54 28 02 4f 35 0f 5b 00 00 00 00 00 00 00 00 00 00 00 00 607   - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):a1a8551
NOTICE:  BL31: Built : 15:59:55, Nov  9 2017
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 [email protected]]
OPS=0x43
49 ef 5 94 ca 20 c5 2e b9 78 ca 5f bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014521 Inits done]
secure task start!
high task start!
low task start!
ERROR:   Error initializing runtime service opteed_fast


U-Boot 2015.01 (Oct 14 2019 - 03:47:57), Build: jenkins-Mico_lx06_ota_publish-133

DRAM:  256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89588
NAND:  nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib TC58BVG0S3HTA00 )
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=24, ec=9, phy_page_addr=0, timestamp=19
nenv free list:
blockN=25, ec=8, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 300000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
 NAND bbt detect factory Bad block at 6000000
aml_nand_add_partition:1794 factory bad addr=300
Creating 6 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c20000 : "system1"
 NAND bbt detect factory Bad block at 6000000
0x000006c20000-0x000008000000 : "data"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 300000
In:    serial
Out:   serial
Err:   serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
      Amlogic multi-dtb tool
      Single dtb detected
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
HAVE SN Code ...
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 310000
aml_nand_write_rsv:520,write info to 310000
[burnup]Rd:Up sz 0x3f2037 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
      Amlogic multi-dtb tool
      Single dtb detected
   Uncompressing Kernel Image ... OK
   kernel loaded at 0x01080000, end = 0x0185c808
   Loading Ramdisk to 0eea8000, end 0f0054ae ... OK
   Loading Device Tree to 000000000ee9c000, end 000000000eea7036 ... OK

Starting kernel ...

uboot time: 1804637 us
domain-0 init dvfs: 4
[    [email protected]] ff803000.serial: clock gate not found
[    [email protected]] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[    [email protected]] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20054
LX06
curr_boot is boot1
Booting from boot1
/dev/mtdblock5 is ready now.
[    [email protected]] meson-pinctrl [email protected]: function 'gpioa_20' not supported
[    [email protected]] meson-pinctrl [email protected]: invalid function gpioa_20 in map table
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[    [email protected]] name: mac_wifi, size 17
[    [email protected]] name: mac_bt, size 17
ledserver[1245]: current model lx06.

ledserver[1245]: LEDSBAK EXISITS

crond[1283]: crond (busybox 1.27.2) started, log level 5

[   [email protected]] wlan: Loading MWLAN driver
[   12.662130[email protected]] vendor=0x02DF device=0x9145 class=0 function=1
[   [email protected]] SDIO: max_segs=1024 max_seg_size=131072
[   [email protected]] rx_work=1 cpu_num=4
[   [email protected]] Request firmware: mrvl/sdsd8977_combo_v2.bin
[   [email protected]] WLAN FW is active
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when AP is not started
[   [email protected]] wlan: version = SD8977-16.84.9.p17-C4X16C544.P3-GPL-(FP84)
[   [email protected]] wlan: Driver loaded successfully
[   [email protected]] BT: Loading driver
[   [email protected]] BT FW is active(0)
[   [email protected]] BT: FW already downloaded!
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] BT: Driver loaded successfully
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] get_channel when STA is not connected
[   [email protected]] wlan: wlan0 START SCAN

开机时按 f 并按下 enter 可进入 failsafe 模式


  1. Press the [f] key and hit [enter] to enter failsafe mode
  2. Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
  3. - failsafe -
  4. Generating key, this may take a while...
  5. Public key portion is:
  6. ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2DP92+nA0hs7KMFsuE+LlcrLcazqb84TWYuPC7u/2                                                                                                                                                             yqzxcLhIXXJTVYo1hdvtJ7XSYLdZ3FhtQqj9Ab1ofCgaNPp+VyDxx9Hc9+UpLqUpL++FyjaoEFWQMCse                                                                                                                                                             3PXhohKjqxSF+zJkKjG0Cd9jM7Vz+T/snAf7zYNYApu0h9LbdQ== [email protected](none)
  7. Fingerprint: md5 e0:4f:5b:63:cc:4a:10:73:49:6a:76:97:f1:be:46:58
  8. f

  9. BusyBox v1.27.2 () built-in shell (ash)

  10. ash: can't access tty; job control turned off
  11.   _____  _              __     __ __  ___  ___
  12. |     ||_| ___  ___   |  |   |  |  ||   ||  _|
  13. | | | || ||  _|| . |  |  |__ |-   -|| | || . |
  14. |_|_|_||_||___||___|  |_____||__|__||___||___|
  15. ------------------------------------------------

  16.       ROM Type:release / Ver:1.58.13
  17. ------------------------------------------------
  18. ================= FAILSAFE MODE active ================
  19. special commands:
  20. * firstboot          reset settings to factory defaults
  21. * mount_root     mount root-partition with config files

  22. after mount_root:
  23. * passwd                         change root's password
  24. * /etc/config               directory with config files

  25. for more help see:
  26. http://wiki.openwrt.org/doc/howto/generic.failsafe
  27. =======================================================


  28. [email protected](none):/etc# cat shadow
  29. root:$1$N0Iz0LLs$kZ5zG/Y2AUWHNE5I3ElWm1:18128:0:99999:7:::
  30. daemon:*:0:0:99999:7:::
  31. ftp:*:0:0:99999:7:::
  32. network:*:0:0:99999:7:::
  33. nobody:*:0:0:99999:7:::
  34. mosquitto:x:0:0:99999:7:::
  35. [email protected](none):/etc# cat passwd
  36. root:x:0:0:root:/root:/bin/ash
  37. daemon:*:1:1:daemon:/var:/bin/false
  38. ftp:*:55:55:ftp:/home/ftp:/bin/false
  39. network:*:101:101:network:/var:/bin/false
  40. nobody:*:65534:65534:nobody:/var:/bin/false
  41. mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false
复制代码reboot 讯息
[email protected]:/data# reboot [email protected]:/data# bluez_mibt_ble_new[2809]: main: bluez_mibt_ble shutting down... mediaplayer[1814]: sigterm_handler, somebody killed me, exit! miio_bt[352]: sig_handler:15 rssi[1890]: failed to reconnect, trying again in 2 seconds miio_bt[352]: [E][arch_rpc] rpc_agent_ot_message_callback 302: socket miio_service[3093]: failed to reconnect, trying again in 2 seconds bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------ bluez_mibt_classical[2807]: Agent unregistered bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------ bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------ bluez_mibt_classical[2807]: [DEL] Controller EC:41:18:6D: 撠镨阅?喟拳-1807 [default] bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------ bluez_mibt_classical[2807]: ------ proxy_removed, 376 ------ bluez_mibt_classical[2807]: !!!! disconnect disconnect_handler !! miio_bt[352]: byebye bl31 reboot reason: 0xd bl31 reboot reason: 0x1 system cmd 1.
复制代码
reboot 讯息
复制代码



回复

使用道具 举报

7

主题

639

帖子

2256

积分

金牌会员

Rank: 6Rank: 6

积分
2256
金钱
1612
HASS币
40
QQ
发表于 2019-11-29 15:11:53 | 显示全部楼层
意思就是说可以接入HA了?
回复

使用道具 举报

2

主题

42

帖子

159

积分

论坛积极会员

积分
159
金钱
117
HASS币
0
发表于 2019-11-29 20:44:20 | 显示全部楼层
坐等更新
回复

使用道具 举报

1

主题

31

帖子

160

积分

论坛分享达人

积分
160
金钱
129
HASS币
0
发表于 2019-11-30 22:08:47 | 显示全部楼层
哇,厉害!可以接入HA吗?
回复

使用道具 举报

7

主题

82

帖子

379

积分

中级会员

Rank: 3Rank: 3

积分
379
金钱
297
HASS币
0
发表于 2019-11-30 22:46:00 | 显示全部楼层
期待更多
回复

使用道具 举报

3

主题

36

帖子

135

积分

注册会员

Rank: 2

积分
135
金钱
99
HASS币
0
发表于 2019-12-1 11:55:36 | 显示全部楼层
不知道现在小爱除了最初的黑板绿板外。还有什么可以接入ha?比如小爱play可以么?
回复

使用道具 举报

5

主题

80

帖子

738

积分

高级会员

Rank: 4

积分
738
金钱
658
HASS币
0
发表于 2019-12-1 22:00:45 来自手机 | 显示全部楼层
应该试一下本站的密码破解,进入failsafe,用处不大吧
回复

使用道具 举报

1

主题

21

帖子

70

积分

论坛分享达人

积分
70
金钱
49
HASS币
0
 楼主| 发表于 2019-12-2 07:30:42 | 显示全部楼层
ygao 发表于 2019-12-1 22:00
应该试一下本站的密码破解,进入failsafe,用处不大吧

https://bbs.hassbian.com/thread-8667-1-1.html

参考这篇的方式自己算出密码可以透过 TTL 登入,
不过 / 是 read-only 只有 /data 可以写入,
其余在研究
mico login: root
Password:


BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
[email protected]:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock5           30.9M     30.9M         0 100% /
tmpfs                   120.9M    384.0K    120.5M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/ubi0_0              13.3M      1.2M     11.4M  10% /data
/dev/ubi0_0              13.3M      1.2M     11.4M  10% /etc/shadow
[email protected]:~# mount
/dev/mtdblock5 on / type squashfs (ro,noatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
pstore on /sys/fs/pstore type pstore (rw,relatime)
/dev/ubi0_0 on /data type ubifs (rw,relatime)
/dev/ubi0_0 on /etc/shadow type ubifs (rw,relatime)
[email protected]:~# cd /data/
[email protected]:/data# ls
ai-crontab       dts_conf         miio             timer
alarm            etc              mipns            upnp-disc
bt               log              notify           voip
console          mdspeech_status  player           wifi
dlna             messagingagent   sound            work_day_db
dnsmasq.time     mibrain          status           workday
[email protected]:/data# cd /etc
[email protected]:/etc# ls
TZ                       hosts                    profile
asound.conf              hotplug-preinit.json     protocols
asound.state             hotplug.d                rc.button
banner                   hotplug.json             rc.common
banner.failsafe          init.d                   rc.d
bluetooth                inittab                  rc.local
board.d                  iproute2                 resolv.conf
bt                       localtime                services
config                   marvell                  shadow
crontabs                 miio                     shells
dbus-1                   modules-boot.d           ssl
device_info              modules.d                sysctl.conf
diag.sh                  mosquitto                sysctl.d
diracmobile.config.s12a  mtab                     syslog-ng.conf
diracmobile.config.s12c  nsswitch.conf            sysupgrade.conf
dnsmasq.conf             openwrt_release          uci-defaults
dnsmasq.conf.ap          openwrt_version          wifi
dnsmasq.conf.sta         opkg                     workday
dropbear                 os-release               xattr.conf
fstab                    passwd
group                    preinit
回复

使用道具 举报

5

主题

80

帖子

738

积分

高级会员

Rank: 4

积分
738
金钱
658
HASS币
0
发表于 2019-12-2 10:50:38 来自手机 | 显示全部楼层
snowwolf725 发表于 2019-12-2 07:30
https://bbs.hassbian.com/thread-8667-1-1.html

参考这篇的方式自己算出密码可以透过 TTL 登入,

谢谢报告,看来只能走绿板方式来定制了。
回复

使用道具 举报

1

主题

21

帖子

70

积分

论坛分享达人

积分
70
金钱
49
HASS币
0
 楼主| 发表于 2019-12-3 14:08:07 | 显示全部楼层
开始改造小爱音箱Pro开机自动启动 SSH
TTL登入系统, 然后开启 SSH
mico login: root
Password:


BusyBox v1.27.2 () built-in shell (ash)

  _____  _              __     __ __  ___  ___
 |     ||_| ___  ___   |  |   |  |  ||   ||  _|
 | | | || ||  _|| . |  |  |__ |-   -|| | || . |
 |_|_|_||_||___||___|  |_____||__|__||___||___|
------------------------------------------------

      ROM Type:release / Ver:1.58.13
------------------------------------------------
[email protected]:~# dropbearkey -t rsa -f /data/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtEcuiRqr+8GcaQVWUYbnw6AresOdhQ6bdig0FvLPn                             
blvMEeBcKWZDO/kMjGcpNGn719zB8P92wr41LqHM+IP20a9IAbAv03ex+vEVAgz3dpRAlQ7R5ciHg89b                             
6J0pYOgwP3H5Q3t0YWrEOykmUHFQXpx7d/qQLTPIoj4gZVdrXu408Qw3i3f3RkLATbY+41oxnw6yhKDR                             
77ZIMwN/8czxftVXPotMA4VOWFMVlgrvT7HpyZcwhArfnlKYZdCdozmk3nw/zpWxePhiHK/Qodcwh64M                             
FxrSCEoVlfRAvxOq86O2PztbQ5003DBfuwGVv4tu2ZnvXxTz+3WUDFw3j7Ef [email protected]
Fingerprint: md5 38:2b:0e:0b:f2:be:b9:39:e0:02:4d:31:5e:af:c9:5a
[email protected]:~# dropbear -r /data/dropbear_rsa_host_key
[email protected]:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:90551 (88.4 KiB)  TX bytes:90551 (88.4 KiB)

wlan0     Link encap:Ethernet  HWaddr EC:41:18:6D:1C:03
          inet addr:192.168.1.145  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ee41:18ff:fe6d:1c03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222324 (217.1 KiB)  TX bytes:106862 (104.3 KiB)


因为可以写入的 /data 可用空间不足, 所以必须挂载部分內存当作写入空间
[email protected]:/data# mkdir backup
[email protected]:/data# mount -t tmpfs -o size=50m tmpfs /data/backup/
[email protected]:/data# cd /data/backup
[email protected]:/data/backup# dd if=/dev/mtdblock4 of=/data/backup/m4.img
81920+0 records in
81920+0 records out


利用 WinSCP 把档案传回, 我这边不知为何无法用 WinSCP 连线小爱音箱, 结果只能用 SCP 传到另一台 Linux 主机
[email protected]:/data/backup# scp m4.img [email protected]:m4.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
[email protected]'s password:
m4.img                                                                                                                       100%   40MB 650.2KB/s   01:03


在 Linux 主机中查看下档案讯息之后会用到
[email protected]:~$ unsquashfs -s m4.img
Found a valid SQUASHFS 4:0 superblock on m4.img.
Creation or last append time Mon Oct 14 11:17:13 2019
Filesystem size 31654.99 Kbytes (30.91 Mbytes)
Compression xz
xz: error reading stored compressor options from filesystem!
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always-use-fragments option is not specified
Xattrs are not stored
Duplicates are removed
Number of fragments 127
Number of inodes 1798
Number of ids 1


将档案解开
[email protected]:~# unsquashfs -dest tochang m4.img
Parallel unsquashfs: Using 8 processors
1699 inodes (2067 blocks) to write

[============================================================================================================================================/] 2067/2067 100%

created 1124 files
created 99 directories
created 574 symlinks
created 1 devices
created 0 fifos


修改 /etc/rc.local 添加 /data/init.sh
[email protected]:~# cd tochang/etc/
[email protected]:~/tochang/etc# vi rc.local


/etc/rc.local 修改后内容如下
[email protected]:~/tochang/etc# cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/data/init.sh
exit 0


取消自动升级
[email protected]:~/tochang/etc# cd crontabs/
[email protected]:~/tochang/etc/crontabs# vi root
[email protected]:~/tochang/etc/crontabs# cat root
*/5 * * * * /usr/sbin/easy_logcut size
* * * * * /usr/sbin/network_probe.sh
32 4 * * * /usr/sbin/pns refresh
*/10 * * * * /usr/bin/check_mediaplayer_status
#* 3 * * * /bin/ota slient  # check ota


重新打包img参数按查看的信息写,可能与我的不同
[email protected]:~/tochang/etc/crontabs# cd
[email protected]:~# mksquashfs tochang m4_crack.img -b 131072 -comp xz -no-xattrs
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on m4_crack.img, block size 131072.
[============================================================================================================================================|] 1492/1492 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, no xattrs
        duplicates are removed
Filesystem size 32675.51 Kbytes (31.91 Mbytes)
        48.51% of uncompressed filesystem size (67353.17 Kbytes)
Inode table size 16562 bytes (16.17 Kbytes)
        25.16% of uncompressed inode table size (65831 bytes)
Directory table size 18414 bytes (17.98 Kbytes)
        45.32% of uncompressed directory table size (40632 bytes)
Number of duplicate files found 46
Number of inodes 1798
Number of files 1124
Number of fragments 127
Number of symbolic links  574
Number of device nodes 1
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 99
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)


在小爱音箱中把 m4.img 删除, 并把 m4_crack.img 这个改好的档案複製回来
[email protected]:/data/backup# rm m4.img
[email protected]:/data/backup# scp [email protected]:m4_crack.img m4_crack.img
/usr/bin/dbclient: Warning: failed creating /root/.ssh: Read-only file system

Host '192.168.1.5' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 37:40:25:31:18:af:55:bf:8c:6a:5d:74:b6:83:de:6f)
Do you want to continue connecting? (y/n) y
[email protected]'s password:
m4_crack.img                                                                                                                 100%   32MB 573.3KB/s   00:57


再把破解好的 img 写回分区, 并设置mtdblock4为启动分区
[email protected]:/data/backup# dd if=m4_crack.img of=/dev/mtdblock4
65352+0 records in
65352+0 records out
[email protected]:/data/backup# /usr/bin/fw_env -s boot_part boot0
[ubootenv] update_bootenv_varible name [boot_part]: value [boot0]
[ubootenv] Save ubootenv to /dev/nand_env succeed!


另外记得将启动 ssh 的部分写入到 /data/init.sh, 最后将小爱重开验证改造是否成功,
如果改造成功预设小爱开机后就会启动 SSH 不用透过 TTL 进行连线
[email protected]:/data/backup# vi /data/init.sh
[email protected]:/data/backup# cat /data/init.sh
dropbear -r /data/dropbear_rsa_host_key
[email protected]:/data# chmod a+x init.sh
[email protected]:/data/backup# reboot

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|手机版|小黑屋|Hassbian

GMT+8, 2019-12-16 04:18 , Processed in 0.100012 second(s), 22 queries .

Powered by Discuz! X3.4

© 2001-2017 Comsenz Inc.

快速回复 返回顶部 返回列表