比特米刷机记录

家里虽然部署了一台 Gen8 Micro 用作 NAS，但最近想针对一些重要内容增加一份本地备份，于是咸鱼上找一下矿渣，找到这台金色比特米。

U 盘烧录 Armbian_23.08.0_amlogic_s905x_bullseye_5.15.120_server_2023.07.08.img.gz

接上鼠标键盘（USB口可能供电不足，无法同时支持多个设备接入，建议使用可外接供电的 USB hub），HDMI开机，发现可进入 Android 系统，点击配置图标，可进入标准的 Android 设置页，点击几下版本号，可打开开发者模式

配置好IP，网线连上电脑，adb connect 192.168.x.x 然后选择允许即可 adb shell 接入

重命名 切换卡载系统V1.1.20180808.apk 到 20180808.apk，然后通过 adb 安装与启用：

adb install 20180808.apk
adb shell monkey -p cn.edu.tit.reboot -c android.intent.category.LAUNCHER 1

在弹出界面选择第一次安装/启用，接上U盘，重启可进入 armbian

armbian 常规设置后，可远程 root ssh 登录

挂载sd卡，先备份整个 mmc，并校验（注意：如果使用fat32可能无法完整备份）：

dd if=/dev/mmcblk2 of=/mnt/data/p212_mmc_backup.img bs=4M status=progress
sha256sum /dev/mmcblk2

分析旧 mmc 分区，其中 /dev/mmcblk2p2 包含分区表与结构

hexdump -C -n 10240 /dev/mmcblk2p2

00000000 4d 50 54 00 30 31 2e 30 30 2e 30 30 00 00 00 00 |MPT.01.00.00….| 00000010 0f 00 00 00 fd c1 03 b8 62 6f 6f 74 6c 6f 61 64 |……..bootload| 00000020 65 72 00 00 00 00 00 00 00 00 40 00 00 00 00 00 |er……..@…..| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….| 00000040 72 65 73 65 72 76 65 64 00 00 00 00 00 00 00 00 |reserved……..| 00000050 00 00 00 04 00 00 00 00 00 00 40 02 00 00 00 00 |……….@…..| 00000060 00 00 00 00 00 00 00 00 63 61 63 68 65 00 00 00 |……..cache…| 00000070 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |……….. ….| 00000080 00 00 c0 06 00 00 00 00 02 00 00 00 00 00 00 00 |…………….| 00000090 65 6e 76 00 00 00 00 00 00 00 00 00 00 00 00 00 |env………….| 000000a0 00 00 80 00 00 00 00 00 00 00 40 27 00 00 00 00 |……….@’….| 000000b0 00 00 00 00 00 00 00 00 6c 6f 67 6f 00 00 00 00 |……..logo….| 000000c0 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 |…………….| 000000d0 00 00 40 28 00 00 00 00 01 00 00 00 00 00 00 00 |..@(…………| 000000e0 72 65 63 6f 76 65 72 79 00 00 00 00 00 00 00 00 |recovery……..| 000000f0 00 00 00 02 00 00 00 00 00 00 c0 2a 00 00 00 00 |………..*….| 00000100 01 00 00 00 00 00 00 00 72 73 76 00 00 00 00 00 |……..rsv…..| 00000110 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 |…………….| 00000120 00 00 40 2d 00 00 00 00 01 00 00 00 00 00 00 00 |..@-…………| 00000130 74 65 65 00 00 00 00 00 00 00 00 00 00 00 00 00 |tee………….| 00000140 00 00 80 00 00 00 00 00 00 00 40 2e 00 00 00 00 |……….@…..| 00000150 01 00 00 00 00 00 00 00 63 72 79 70 74 00 00 00 |……..crypt…| 00000160 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 |…………….| 00000170 00 00 40 2f 00 00 00 00 01 00 00 00 00 00 00 00 |..@/…………| 00000180 6d 69 73 63 00 00 00 00 00 00 00 00 00 00 00 00 |misc…………| 00000190 00 00 00 02 00 00 00 00 00 00 c0 31 00 00 00 00 |………..1….| 000001a0 01 00 00 00 00 00 00 00 69 6e 73 74 61 62 6f 6f |……..instaboo| 000001b0 74 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |t………. ….| 000001c0 00 00 40 34 00 00 00 00 01 00 00 00 00 00 00 00 |..@4…………| 000001d0 62 6f 6f 74 00 00 00 00 00 00 00 00 00 00 00 00 |boot…………| 000001e0 00 00 00 02 00 00 00 00 00 00 c0 54 00 00 00 00 |………..T….| 000001f0 01 00 00 00 00 00 00 00 73 79 73 74 65 6d 00 00 |……..system..| 00000200 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 |………..@….| 00000210 00 00 40 57 00 00 00 00 01 00 00 00 00 00 00 00 |..@W…………| 00000220 63 68 61 6f 6d 69 00 00 00 00 00 00 00 00 00 00 |chaomi……….| 00000230 00 00 00 60 00 00 00 00 00 00 c0 97 00 00 00 00 |…`…………| 00000240 01 00 00 00 00 00 00 00 64 61 74 61 00 00 00 00 |……..data….| 00000250 00 00 00 00 00 00 00 00 00 00 c0 d9 00 00 00 00 |…………….| 00000260 00 00 40 f8 00 00 00 00 04 00 00 00 00 00 00 00 |..@………….| 00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….| * 00002800

猜测 /dev/mmcblk2p13 为内核，在 00000800 offset 找到 1f8b0808 magic

寻找 dtb：

通过 binwalk -R ‘\xd0\x0d\xfe\xed’ p212_mmc_backup.img 查找 dtb 特征

binwalk -R '\xd0\x0d\xfe\xed' p212_mmc_backup.img 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
41945088      0x2800800       Raw signature (\xd0\x0d\xfe\xed)
41986048      0x280A800       Raw signature (\xd0\x0d\xfe\xed)
42207232      0x2840800       Raw signature (\xd0\x0d\xfe\xed)
42248192      0x284A800       Raw signature (\xd0\x0d\xfe\xed)
728629248     0x2B6E0000      Raw signature (\xd0\x0d\xfe\xed)
728670208     0x2B6EA000      Raw signature (\xd0\x0d\xfe\xed)
1430345728    0x55415800      Raw signature (\xd0\x0d\xfe\xed)
1430386688    0x5541F800      Raw signature (\xd0\x0d\xfe\xed)

然后

dd if=../p212_mmc_backup.img of=./dtb.dtb bs=1 skip=$((0x2800800)) count=$((1024*1024))
dtc -I dtb -O dts -o dtb.dts dtb.dtb

安装 armbian：

• umount 所有分区
• dd if=/dev/zero of=/dev/mmcblk2 bs=512 count=1 conv=fsync 清空分区表
• 运行 armbian-install，选择设备ID 105，等待