Air720固件分析系列A-结构分析 [ Luat doc 社区文章静态页面 ]

提醒

本系列文章为个人分析结果,不代表官方,如有遗漏,非常正常,欢迎指正^_^

分析材料

AT固件 AirM2M_720_V337_LTE_AT.blf
位于 data\default_lod\asr1802At\720\AirM2M_720_V337_LTE_AT

一些准备知识

Air720的核心asr1802广泛用于mifi,所以出现mifi字眼很正常
Air720有Nor和Nand两个版本,刷机会不一样,但新版luatools已经屏蔽差异

分析

首先, 顶层的blf是一个zip压缩包

使用7zip, 解压N个文件:

文件名	含义
720.blf	Air720刷机定义,这些就不是压缩包了,是文本文件
720D.blf	Air720D刷机定义,移动双模
720H.blf	Air720H刷机定义,全网通五模
AddtionalAPN.bin	附加APN,猜测是为国外运营商准备的
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin	功率放大器的数据文件
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM_lzma.bin	功率放大器的数据文件
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC.bin	功率放大器的数据文件
FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77824_SKY77912_082018_CLC_lzma.bin	功率放大器的数据文件
Lua_socket_demo.bin	Luat的socket demo代码,不知道为啥在这里
Nezha_loader_MIFI_V5_NOR.bin	为NOR设备准备的bootloader
Nezha_loader_MIFI_V5_NOR_Release.bin	为NOR设备准备的bootloader,压缩包版?
Nezha_loader_MIFI_V5_SPI_NAND.bin	为NAND设备准备的bootloader
Nezha_loader_MIFI_V5_SPI_NAND_Release.bin	为NAND设备准备的bootloader
ntim_ddr.bin	未知,可能是DDR配置文件,总是第一个写入闪存
NZ_CP_LWG_MIFI_V5_TX.bin	某种MIFI固件?
NZ_CP_LWG_MIFI_V5_TX_lzma.bin	某种MIFI固件的lzma压缩包
NZ_LWG_M09_B0_SKL_Flash.bin	未知
NZ_LWG_M09_B0_SKL_Flash_lzma.bin	上一个文件的lamz压缩包
ReliableData+FDD-B138+TDDB38-41.bin	基带数据
WebData.bin	MIFI网页管理工具

720.blf内容分析

[BLF_Version]
Blf_Version_Number = V2.0.0 //版本号
[UE_Options]
UE_Boot_Option = 0
[Flash_Properties]
Flash_Block_Size = 0x10000
Max_Upload_Split_Size = 0x1cff000
Max_FBF_Split_Size = 0x1cff000
Flash_Family = SPI-NOR // 内部存储的类型, 有NOR和NAND两种
Spare_Area_Size = 64
Data_Area_Size = 2048
FBF_Sector_Size = 4096
[Flash_Options]
Skip_Blocks_Number = 
Erase_All_Flash = 0
Reset_BBT = 0
[TIM_Configuration]
Number_of_Images = 9 // 这个数值决定了Image_List段的数量
Number_of_Keys = 0
Boot_Flash_Signature = 0x5350490A
Processor_Type = PXA1202
OEM_UniqueID = 0x21796B53
Issue_Date = 0x20091029
Version = 0x00030400
Trusted = 0
[Reserved_Data]
UARTID
Port(FFIDENTIFIER) = 0x00004646
Enabled = 0x00000001
End_UARTID
LTWS
LWG only = 0x00000003
End_LTWS
TRFU
Enabled = 0x00000001
Flash_Address = 0x041C0000
Magic = 0x54524657
End_TRFU
End_Reserved_Data
[EraseOnly_Option]
Total_Eraseonly_Areas = 1
1_Eraseonly_Area_Size = 0x03000000
1_Eraseonly_Area_FlashStartAddress = 0x010E0000
1_Eraseonly_Area_Partition = 0
[Extended_Reserved_Data]
Consumer_ID
CID = TBRI
PID = DDR1
End_Consumer_ID
DDR_Initialization
DDR_PID = DDR1 // DDR类型,可以看出是DDR 1代,对MCU来说是够的
DDROperations
DDR_INIT_ENABLE = 0x00000001
DDR_MEMTEST_ENABLE = 0x00000000 // MEMTEST,有点像linux了?但据说是rtos系统
End_DDROperations
Instructions
WRITE = <0xB0000010,0xB0000000> 
WRITE = <0xB0000020,0x00001220> 
WRITE = <0xB0000080,0x01800000> 
WRITE = <0xB0000090,0x00080000> 
WRITE = <0xB00000F0,0xC0000000> 
WRITE = <0xB00001A0,0x20C0C011> 
WRITE = <0xB0000770,0x02000000> 
WRITE = <0xB0000570,0x00000001> 
WRITE = <0xB0000100,0x00090601> 
WRITE = <0xB0000050,0x488B0196> 
WRITE = <0xB0000060,0x32330102> 
WRITE = <0xB0000190,0x20101009> 
WRITE = <0xB00001C0,0x12820002> 
WRITE = <0xB0000650,0x00080022> 
WRITE = <0xB0000280,0x02020102> 
WRITE = <0xB0000210,0x00000000> 
WRITE = <0xB0000240,0x80000000> 
WRITE = <0xB0000140,0x20004422> 
WRITE = <0xB00001D0,0x1330077D> 
WRITE = <0xB00001E0,0x03300770> 
WRITE = <0xB00001F0,0xC0000077> 
WRITE = <0xB0000200,0x0010310C> 
WRITE = <0xB0000230,0xF0500003> 
WRITE = <0xB0000E10,0x00500003> 
WRITE = <0xB0000E20,0x00500003> 
WRITE = <0xB0000E30,0x00500003> 
WRITE = <0xB0000240,0x20000000> 
WRITE = <0xB0000240,0x40000000> 
WRITE = <0xB0000200,0x0010311C> 
WRITE = <0xB0000120,0x00000001> 
WAIT_FOR_BIT_SET = <0xB00001B0,0x00000001,0x00001000> 
End_Instructions
End_DDR_Initialization
End_Extended_Reserved_Data
[Image_List]
// 这一段是每个区域的镜像数据, 循环的,所以只分析第一个
1_Image_Enable = 1 // 部分enable=1,部分是0, 应该是启用/禁用的意思
1_Image_Tim_Included = 1 // 未知含义
1_Image_Image_ID = 0x54494D48 // 当前image的id
1_Image_Next_Image_ID = 0x4F424D49 // 下一个image的id
1_Image_Path = ntim_ddr.bin // 数据文件来源
1_Image_Flash_Entry_Address = 0x00000000 // 写入的基地址,非常重要
1_Image_Load_Address = 0xD1101000 // 载入地址
1_Image_Type = RAW // 数据文件格式,这里是裸数据
1_Image_ID_Name = TIMH // 好像是一种内部命名
1_Image_Erase_Size = // 需要抹除的区域,WebData.bin之类的会设置
1_Image_Partition_Number = 0
1_Image_Size_To_CRC_in_bytes = 0
1_Image_Hash_Algorithm_ID = 
1_Image_Image_Size_To_Hash_in_bytes = 
2_Image_Enable = 1
2_Image_Tim_Included = 1
2_Image_Image_ID = 0x4F424D49
2_Image_Next_Image_ID = 0x52424C49
2_Image_Path = Nezha_loader_MIFI_V5_SPI_NAND.bin
2_Image_Flash_Entry_Address = 0x00006000
2_Image_Load_Address = 0x01C00000
2_Image_Type = RAW
2_Image_ID_Name = OBMI
2_Image_Erase_Size = 
2_Image_Partition_Number = 0
2_Image_Size_To_CRC_in_bytes = 0
2_Image_Hash_Algorithm_ID = 
2_Image_Image_Size_To_Hash_in_bytes = 
3_Image_Enable = 0
3_Image_Tim_Included = 1
3_Image_Image_ID = 0x52424C49
3_Image_Next_Image_ID = 0x52424C52
3_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin
3_Image_Flash_Entry_Address = 0x00020000
3_Image_Load_Address = 0x01D4F000
3_Image_Type = RAW
3_Image_ID_Name = RBLI
3_Image_Erase_Size = 0x00020000
3_Image_Partition_Number = 0
3_Image_Size_To_CRC_in_bytes = 0
3_Image_Hash_Algorithm_ID = 
3_Image_Image_Size_To_Hash_in_bytes = 
4_Image_Enable = 0
4_Image_Tim_Included = 1
4_Image_Image_ID = 0x52424C52
4_Image_Next_Image_ID = 0x4F534C4F
4_Image_Path = ReliableData+FDD-B138+TDDB38-41.bin
4_Image_Flash_Entry_Address = 0x00040000
4_Image_Load_Address = 0x01D4F000
4_Image_Type = RAW
4_Image_ID_Name = RBLR
4_Image_Erase_Size = 0x00020000
4_Image_Partition_Number = 0
4_Image_Size_To_CRC_in_bytes = 0
4_Image_Hash_Algorithm_ID = 
4_Image_Image_Size_To_Hash_in_bytes = 
5_Image_Enable = 1
5_Image_Tim_Included = 1
5_Image_Image_ID = 0x4F534C4F
5_Image_Next_Image_ID = 0x47524249
5_Image_Path = NZ_CP_LWG_MIFI_V5_TX.bin
5_Image_Flash_Entry_Address = 0x00060000
5_Image_Load_Address = 0x00000000
5_Image_Type = RAW
5_Image_ID_Name = OSLO
5_Image_Erase_Size = 0x00A00000
5_Image_Partition_Number = 0
5_Image_Size_To_CRC_in_bytes = 0
5_Image_Hash_Algorithm_ID = 
5_Image_Image_Size_To_Hash_in_bytes = 
6_Image_Enable = 1
6_Image_Tim_Included = 1
6_Image_Image_ID = 0x47524249
6_Image_Next_Image_ID = 0x57454249
6_Image_Path = NZ_LWG_M09_B0_SKL_Flash.bin
6_Image_Flash_Entry_Address = 0x00A60000
6_Image_Load_Address = 0x01D80000
6_Image_Type = RAW
6_Image_ID_Name = GRBI
6_Image_Erase_Size = 0x00280000
6_Image_Partition_Number = 0
6_Image_Size_To_CRC_in_bytes = 0
6_Image_Hash_Algorithm_ID = 
6_Image_Image_Size_To_Hash_in_bytes = 
7_Image_Enable = 1
7_Image_Tim_Included = 0
7_Image_Image_ID = 0x57454249
7_Image_Next_Image_ID = 0x5246424E
7_Image_Path = WebData.bin
7_Image_Flash_Entry_Address = 0x00D60000
7_Image_Load_Address = 0xFFFFFFFF
7_Image_Type = RAW
7_Image_ID_Name = WEBI
7_Image_Erase_Size = 0x00200000
7_Image_Partition_Number = 0
7_Image_Size_To_CRC_in_bytes = 0
7_Image_Hash_Algorithm_ID = 
7_Image_Image_Size_To_Hash_in_bytes = 
8_Image_Enable = 0
8_Image_Tim_Included = 1
8_Image_Image_ID = 0x5246424E
8_Image_Next_Image_ID = 0x41504E4C
8_Image_Path = FIC_SKY_v176_Hezhou_32X29_Skyworks_SKY77645_SKY77912_GSM.bin
8_Image_Flash_Entry_Address = 0x01060000
8_Image_Load_Address = 0x01FDFFC0
8_Image_Type = RAW
8_Image_ID_Name = RFBN
8_Image_Erase_Size = 0x00020000
8_Image_Partition_Number = 0
8_Image_Size_To_CRC_in_bytes = 0
8_Image_Hash_Algorithm_ID = 
8_Image_Image_Size_To_Hash_in_bytes = 
9_Image_Enable = 1
9_Image_Tim_Included = 0
9_Image_Image_ID = 0x41504E4C
9_Image_Next_Image_ID = 0xFFFFFFFF
9_Image_Path = AddtionalAPN.bin
9_Image_Flash_Entry_Address = 0x041A0000
9_Image_Load_Address = 0xFFFFFFFF
9_Image_Type = RAW
9_Image_ID_Name = APNL
9_Image_Erase_Size = 
9_Image_Partition_Number = 0
9_Image_Size_To_CRC_in_bytes = 0
9_Image_Hash_Algorithm_ID = 
9_Image_Image_Size_To_Hash_in_bytes =

下一篇文章,会分析WebData.bin的文件结构