绿板小爱同学升级后无法再破解

zhenxiwen · 发表于 2020-1-23 16:35:23

本帖最后由 zhenxiwen 于 2020-1-23 16:42 编辑

我的绿板小爱同学原来用单片机的方法破解成功并且接入了ha，但不知道什么时候自动升级以后再也无法使用，在那里一直在吃灰，最近想把它重新破解用起来，固件升级到了最新版本，可是无论使用单片机的方法：
解決新版 [綠色PCB小愛同學] 無法寫入檔案+開機ssh+mico(3P排....https://bbs.hassbian.com/thread-5301-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

（绿板小爱同学升级启用root密码后的故事。。【单片机玩家】https://bbs.hassbian.com/thread-8903-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

还是其他大介绍的修改固件的方法：

绿板小爱同学摆脱外挂单片机自动启动拦截脚本教程 https://bbs.hassbian.com/thread-7075-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

拆解新买的小爱音箱Pro, 更新固化开机启动 SSH 教学 https://bbs.hassbian.com/thread-8754-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

都无法成功实现ssh。
我通过usb ttl用root密码成功登录ssh，但一重启以后ssh就会失效，需要用USB ttl重做一次才能再次打开ssh，也就是说ssh方法已经失效，我试了多种方法和多次，结果都是重启后ssh失效，无法成功破解接入ha。

此外，我按照下面帖子修改固件的时候，好像无法切换启动分区：

绿板小爱同学摆脱外挂单片机自动启动拦截脚本教程 https://bbs.hassbian.com/thread-7075-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

拆解新买的小爱音箱Pro, 更新固化开机启动 SSH 教学 https://bbs.hassbian.com/thread-8754-1-1.html (出处: 『瀚思彼岸』» 智能家居技术论坛)

不管我输入 /usr/bin/fw_env -s boot_part boot0 还是 /usr/bin/fw_env -s boot_part boot1 ，重启后都是启动mtdblock5分区，是不是我的
mtdblock4 分区坏了呢？

请求大大指点和帮助，不胜感谢！

kenlau · 发表于 2020-1-23 19:04:01

#include <Arduino.h>
#include <SoftwareSerial.h>
SoftwareSerial swSer(10, 11);

void setup()
{
  Serial.begin(115200); 
  swSer.begin(57600);
  pinMode(LED_BUILTIN, OUTPUT);  
  for (int i=0; i<30; i++) {
    digitalWrite(LED_BUILTIN, !digitalRead(LED_BUILTIN));
    delay(50);
  }
  digitalWrite(LED_BUILTIN, LOW);   
}


void loop()
{
  while(swSer.available()) 
  {
    String str = swSer.readString(); 
    Serial.println(str);
  }
  delay(1); 
}

void serialEvent()
{
  while(Serial.available()) 
  {
    String str = Serial.readString(); 
    //Serial.println(str); 
    swSer.println(str);
    if ( (str.indexOf("Please press Enter to activate this console") > 0) or (str.indexOf("crond (busybox 1.27.2) started, log level 5") > 0) )
    {
      Serial.println();
      delay(1000);
    }
    if (str.indexOf("mico login: ") > 0)
    {
      Serial.println("root");  //mico login: 
      Serial.println();
      delay(2000);
    }
    if (str.indexOf("Password: ") > 0)
    {
      Serial.println("修改成你自己的密码");  //Password: 
      Serial.println();
      delay(2000);
      Serial.println("test `ps|grep 'sh /data/mico.sh'|grep -v grep|wc -l` -eq 0 && sh /data/mico.sh > /tmp/mico.log 2>&1 &");
      Serial.println();
      delay(2000);
      Serial.println("test `ps|grep 'dropbear -r /data/dropbear_rsa_host_key'|grep -v grep|wc -l` -eq 0 && dropbear -r /data/dropbear_rsa_host_key");
      Serial.println();
      for (int i=0; i<20; i++) {
        digitalWrite(LED_BUILTIN, !digitalRead(LED_BUILTIN));
        delay(10);
      }
      digitalWrite(LED_BUILTIN, LOW);
    }
    delay(1);
  }
}

这个代码跟https://bbs.hassbian.com/thread-8903-1-1.html这个有少少不同，主要修改地方在填写root账号密码那里，你在修改密码的地方把你密码改上再重新上传到单片机试试，我是这样子弄才可以的

zhenxiwen · 发表于 2020-1-23 19:58:34

kenlau 发表于 2020-1-23 19:04
这个代码跟https://bbs.hassbian.com/thread-8903-1-1.html这个有少少不同，主要修改地方在填写root账号密 ...

我也是填写了root密码的：

if (str.indexOf("Password: ") > 0)
{
   Serial.println("ac113fa7c2XXX");  //Password:
   Serial.println();
   delay(1000);
   Serial.println("test `ps|grep 'sh /data/mico.sh'|grep -v grep|wc -l` -eq 0 && sh /data/mico.sh > /tmp/mico.log 2>&1 &");
   Serial.println();
   delay(2000);

kenlau · 发表于 2020-1-23 22:03:56

我本来用https://bbs.hassbian.com/thread-8903-1-1.html这个帖子的代码，也是SSH失败，后来接上板子，再并接USB-TTL数据线看小爱开机代码运行情况，发现到了crond (busybox 1.27.2) started, log level 5这段后代码只执行了Serial.println()这个，一直停在mico login:没输入root,然后我就把代码改成我贴出来这个，再重新上传，开机看代码运行情况，正常了。

zhenxiwen · 发表于 2020-1-23 23:21:52

kenlau 发表于 2020-1-23 22:03
我本来用https://bbs.hassbian.com/thread-8903-1-1.html这个帖子的代码，也是SSH失败，后来接上板子，再并 ...

非常感谢，但是我用你的代码和填写我的root密码，还是一样的结果，重启后ssh仍然失效。

hihi123 · 发表于 2020-1-24 00:20:56

有同樣的情況，救助救助

x7cell · 发表于 2020-1-24 01:59:02

我碰到的是，即使屏蔽了OTA升级，小爱仍然会自动升级，最后在路由器上屏蔽了固件升级的域名才好。

wukequdai5426 · 发表于 2020-1-24 07:57:30

kenlau 发表于 2020-1-23 19:04
这个代码跟https://bbs.hassbian.com/thread-8903-1-1.html这个有少少不同，主要修改地方在填写root账号密 ...

也是按照这个直接刷上，连接就OK了

zhenxiwen · 发表于 2020-1-28 02:41:25

本帖最后由 zhenxiwen 于 2020-1-28 13:23 编辑

kenlau 发表于 2020-1-23 19:04
这个代码跟https://bbs.hassbian.com/thread-8903-1-1.html这个有少少不同，主要修改地方在填写root账号密 ...

很多次尝试都失败了，我在arduino的串口监视窗口看到，输出全是乱码，是什么原因呀，ssh不成功是否与这个有关。
你能否将你的代码以arduino文件的形式直接发给我试试，不要黏贴在网页上，网页复制保存可能有文件编码问题导致乱码。

miai乱码.JPG

zhenxiwen · 发表于 2020-1-28 20:24:25

kenlau 发表于 2020-1-23 22:03
我本来用https://bbs.hassbian.com/thread-8903-1-1.html这个帖子的代码，也是SSH失败，后来接上板子，再并 ...

TTL连接小爱开机的log如下，我是码盲，看不懂，你看看是什么问题。

1、TTL连接小爱开机的log：

AXG:BL1:d95c53:a4926f;FEAT:E0DC318C:2000

OC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 23351

BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - liang.yang@droid11-sz

set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 6
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 2f 0a 54 33 12 55 28 03 4e 35 18 53 00 00 00 00 00 00 00 00 00                                                                                                                                                             00 00 00 625 - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE:  BL31: v1.3(release):a1a8551
NOTICE:  BL31: Built : 15:59:55, Nov  9 2017
NOTICE:  BL31: AXG normal boot!
NOTICE:  BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x42
93 4f f8 20 65 7 9a b2 a5 9 9c 79 bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014435 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast

U-Boot 2015.01 (Dec 24 2019 - 07:00:02), Build: jenkins-Mico_s12a_ota_publish-37                                                                                                                                                          9

DRAM:  256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89690
NAND:  nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib                                                                                                                                                             TC58BVG0S3HTA00 )
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
nand id: 0x98 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: 98 f1 80 15 f2 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 1Gib                                                                                                                                                             TC58BVG0S3HTA00 )
PLANE change!
aml_nand_init

obmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=25, ec=108, phy_page_addr=0, timestamp=220
nenv free list:
blockN=24, ec=108, dirty_flag=1
blockN=26, ec=1, dirty_flag=1
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 330000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=33, ec=0, phy_page_addr=0, timestamp=2
nkey free list:
blockN=32, ec=0, dirty_flag=1
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 420000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=2, phy_page_addr=0, timestamp=5
ndtb free list:
blockN=41, ec=1, dirty_flag=1
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
NAND bbt detect factory Bad block at 1a00000
aml_nand_add_partition:1794 factory bad addr=d0
NAND bbt detect factory Bad block at 1c60000
aml_nand_add_partition:1794 factory bad addr=e3
NAND bbt detect factory Bad block at 1fe0000
aml_nand_add_partition:1794 factory bad addr=ff
NAND bbt detect factory Bad block at 2e00000
aml_nand_add_partition:1794 factory bad addr=170
NAND bbt detect factory Bad block at 3980000
aml_nand_add_partition:1794 factory bad addr=1cc
NAND bbt detect factory Bad block at 6000000
aml_nand_add_partition:1794 factory bad addr=300
NAND bbt detect factory Bad block at 66e0000
Creating 6 MTD partitions on "A revision NAND 1Gib TC58BVG0S3HTA00 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001800000 : "boot0"
0x000001800000-0x000002060000 : "boot1"
NAND bbt detect factory Bad block at 1a00000
NAND bbt detect factory Bad block at 1c60000
NAND bbt detect factory Bad block at 1fe0000
0x000002060000-0x0000040a0000 : "system0"
NAND bbt detect factory Bad block at 2e00000
NAND bbt detect factory Bad block at 3980000
0x0000040a0000-0x0000060c0000 : "system1"
NAND bbt detect factory Bad block at 6000000
0x0000060c0000-0x000008000000 : "data"
NAND bbt detect factory Bad block at 66e0000
A revision NAND 1Gib TC58BVG0S3HTA00  initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 330000
In: serial
Out: serial
Err: serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
   Amlogic multi-dtb tool
   GZIP format, decompress...
   Multi dtb detected
   Multi dtb tool version: v2 .
   Support 5 dtbs.
      aml_dt soc: xiaomi platform: s12c variant: v02
      dtb 0 soc: xiaomi plat: s12 vari: v1
      dtb 1 soc: xiaomi plat: s12a vari: v01
      dtb 2 soc: xiaomi plat: s12c vari: v01
      dtb 3 soc: xiaomi plat: s12c vari: v02
      dtb 4 soc: xiaomi plat: s12c vari: v03
   Find match dtb: 3
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 420000
[EFUSE_MSG]keynum is 4
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- :  0
HAVE SN Code ...
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
release_free_node 61: bitmap=1fffff
release_free_node 74: bitmap=1ffff7
aml_nand_save_rsv_info:716,save info to 300000
aml_nand_write_rsv:520,write info to 300000
[burnup]Rd:Up sz 0x3a6440 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
   Amlogic multi-dtb tool
   Single dtb detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x017a7808
Loading Ramdisk to 0eead000, end 0f004ce0 ... OK
Loading Device Tree to 000000000eea1000, end 000000000eeac2bf ... OK

Starting kernel ...

uboot time: 1885850 us
domain-0 init dvfs: 4
[ 0.281359@0] ff803000.serial: clock gate not found
get key is 0x00 , curr_boot is boot0
Booting from boot0
/dev/mtdblock4 is ready now.
[ 1.885811@0] i2c i2c-1: [aml_i2c_xfer] error ret = -5 (-EIO)
[ 1.885931@0] i2c i2c-1: token 1, master_no(1) 300K addr 0x3c
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[ 6.352960@1] cyttsp 0-0008: Failed to request firmware touch.cyacd
[ 6.353624@1] cyttsp 0-0008: Failed to update firmware;
[ 8.219232@2] name: mac_wifi, size 17
[ 8.235041@2] name: mac_bt, size 17
crond[1102]: crond (busybox 1.27.2) started, log level 5

mico login: ^CPlease press Enter to activate this console.

mico login: root
Password:
Login timed out after 60 seconds
Please press Enter to activate this console.

mico login: root
Password:

BusyBox v1.27.2 () built-in shell (ash)

_____  _             _____  ___ ___  _____
|    ||_| ___  ___ | __||_  |  |_  ||  _  |
| | | || ||  _|| . |  |__ | _| |_ |  _||    |
|_|_|_||_||___||___|  |_____||_____||___||__|__|
-------------------------------------------------
Reboot (SNAPSHOT, 70-1-1)
-------------------------------------------------

root@mico:~#

2、刷过破解代码的Esp866与TTL并联，加电开机，出现的乱码，并且卡死状态：
与刷代码的esp866并联在TTL中看到的是乱码.JPG

		自动登录	找回密码
密码			立即注册

[经验分享] 绿板小爱同学升级后无法再破解