热门标签
热门文章
- 1【Yarn】Yarn 命令详解_yarn命令
- 2阿里巴巴魔塔ModelScope Library-基于python的AI领域库
- 3Nagios安装与配置详解
- 4python-excel教程_for row in ws.values 设定起始
- 5python爬虫基础(二)~工具包: 下载包requests、urllib和解析包BeautifulSoup(bs4)、lxml.etree.xpath_etree与beautifulsoup
- 6Linux中防火墙实战之Web服务器和ssh远程服务配置指南_linux防火墙采用非加密的web服务
- 7跨时钟域处理_vivado 跨时钟域电平信号
- 8Linux 基本指令讲解 上
- 9国企程序员有多香?工作两年后,我准备跳槽了!
- 10Mysql笔记:第02章_MySQL环境搭建_mysql -version -bash :cannot execute binary file
当前位置: article > 正文
Khadas VIM3 (Amlogic A311D) uboot去掉烦人的乱七八糟的打印1——BL2 BL3x_khadas vim3 uboot
作者:寸_铁 | 2024-08-20 03:35:13
赞
踩
khadas vim3 uboot
BL2 BL30 BL31 DDRFW改造串口静默
BL2拖到IDA64,以ARM LittleEndian 64bit反汇编,很轻易的找到puts putchar函数,
- ROM:000000000000B4B8 putchar ; CODE XREF: sub_6134+28↑p
- ROM:000000000000B4B8 ; sub_6174+6C↑p ...
- ROM:000000000000B4B8 21 00 00 B0 ADRP X1, #0x10724@PAGE
- ROM:000000000000B4BC 21 90 1C 91 ADD X1, X1, #0x10724@PAGEOFF
- ROM:000000000000B4C0 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000B4C4 41 02 00 35 CBNZ W1, locret_B50C
- ROM:000000000000B4C8 1F 28 00 71 CMP W0, #0xA
- ROM:000000000000B4CC 21 01 00 54 B.NE loc_B4F0
- ROM:000000000000B4D0
- ROM:000000000000B4D0 loc_B4D0 ; CODE XREF: putchar+24↓j
- ROM:000000000000B4D0 81 01 86 D2 MOV X1, #0x300C
- ROM:000000000000B4D4 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000B4D8 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000B4DC A1 FF AF 37 TBNZ W1, #0x15, loc_B4D0
- ROM:000000000000B4E0 01 00 86 D2 MOV X1, #0x3000
- ROM:000000000000B4E4 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000B4E8 A2 01 80 52 MOV W2, #0xD
- ROM:000000000000B4EC 22 00 00 B9 STR W2, [X1]
- ROM:000000000000B4F0
- ROM:000000000000B4F0 loc_B4F0 ; CODE XREF: putchar+14↑j
- ROM:000000000000B4F0 ; putchar+44↓j
- ROM:000000000000B4F0 81 01 86 D2 MOV X1, #0x300C
- ROM:000000000000B4F4 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000B4F8 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000B4FC A1 FF AF 37 TBNZ W1, #0x15, loc_B4F0
- ROM:000000000000B500 01 00 86 D2 MOV X1, #0x3000
- ROM:000000000000B504 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000B508 20 00 00 B9 STR W0, [X1]
- ROM:000000000000B50C
- ROM:000000000000B50C locret_B50C ; CODE XREF: putchar+C↑j
- ROM:000000000000B50C C0 03 5F D6 RET
- ROM:000000000000B50C ; End of function putchar
将putchar函数的开头改为
C0 03 5F D6 RET
即可。
BL30拖到IDA,以ARM LittleEndian 反汇编,很轻易的找到puts putchar函数
- ROM:00002CB0 putchar ; CODE XREF: putchar+10↓p
- ROM:00002CB0 ; j_putchar↓j
- ROM:00002CB0 PUSH {R4,LR}
- ROM:00002CB2 LDR R3, =0x10009474
- ROM:00002CB4 MOV R4, R0
- ROM:00002CB6 LDR R3, [R3]
- ROM:00002CB8 CBNZ R3, locret_2CDA
- ROM:00002CBA CMP R0, #0xA
- ROM:00002CBC BNE loc_2CC4
- ROM:00002CBE MOVS R0, #0xD
- ROM:00002CC0 BL putchar
- ROM:00002CC4
- ROM:00002CC4 loc_2CC4 ; CODE XREF: putchar+C↑j
- ROM:00002CC4 ; putchar+1C↓j
- ROM:00002CC4 LDR R3, =0xFF80300C
- ROM:00002CC6 LDR R3, [R3]
- ROM:00002CC8 TST.W R3, #0x200000
- ROM:00002CCC BNE loc_2CC4
- ROM:00002CCE LDR R3, =0xFF803000
- ROM:00002CD0 STR R4, [R3]
- ROM:00002CD2 POP.W {R4,LR}
- ROM:00002CD6 B.W maybewait
- ROM:00002CDA ; ---------------------------------------------------------------------------
- ROM:00002CDA
- ROM:00002CDA locret_2CDA ; CODE XREF: putchar+8↑j
- ROM:00002CDA POP {R4,PC}
- ROM:00002CDA ; End of function putchar
将putchar函数的开头改为
70 47 BX LR
即可。BL31拖到IDA64,以ARM LittleEndian 64bit反汇编,很轻易找到printf函数,再看putchar函数有点奇怪,和之前的不一样
是因为这个程序有inituart初始化函数,将串口设备寄存器基地址FF803000存到了一个全局变量
- ROM:0000000000025000 init_uart ; CODE XREF: sub_18698+2C↑p
- ROM:0000000000025000 ; sub_187A0+20↑p ...
- ROM:0000000000025000 CBZ X0, locret_25010
- ROM:0000000000025004 ADRP X3, #UART_BASE@PAGE
- ROM:0000000000025008 STR X0, [X3,#UART_BASE@PAGEOFF]
- ROM:000000000002500C B loc_25020
- ROM:0000000000025010 ; ---------------------------------------------------------------------------
- ROM:0000000000025010
- ROM:0000000000025010 locret_25010 ; CODE XREF: init_uart↑j
- ROM:0000000000025010 RET
- ROM:0000000000025010 ; End of function init_uart
-
- ROM:0000000000025014 putchar ; CODE XREF: sub_23504+14↑p
- ROM:0000000000025014 ; sub_23B84+8↑j
- ROM:0000000000025014 ADRP X2, #UART_BASE@PAGE
- ROM:0000000000025018 LDR X1, [X2,#UART_BASE@PAGEOFF]
- ROM:000000000002501C B loc_25028
- ROM:0000000000025020 ; ---------------------------------------------------------------------------
- ROM:0000000000025020
- ROM:0000000000025020 loc_25020 ; CODE XREF: init_uart+C↑j
- ROM:0000000000025020 MOV W0, #1
- ROM:0000000000025024 RET
- ROM:0000000000025028 ; ---------------------------------------------------------------------------
- ROM:0000000000025028
- ROM:0000000000025028 loc_25028 ; CODE XREF: putchar+8↑j
- ROM:0000000000025028 CBZ X1, loc_25054
- ROM:000000000002502C CMP W0, #0xA
- ROM:0000000000025030 B.NE loc_25044
- ROM:0000000000025034
- ROM:0000000000025034 loc_25034 ; CODE XREF: putchar+24↓j
- ROM:0000000000025034 LDR W2, [X1,#loc_C]
- ROM:0000000000025038 TBNZ W2, #0x15, loc_25034
- ROM:000000000002503C MOV W2, #0xD
- ROM:0000000000025040 STR W2, [X1]
- ROM:0000000000025044
- ROM:0000000000025044 loc_25044 ; CODE XREF: putchar+1C↑j
- ROM:0000000000025044 ; putchar+34↓j
- ROM:0000000000025044 LDR W2, [X1,#loc_C]
- ROM:0000000000025048 TBNZ W2, #0x15, loc_25044
- ROM:000000000002504C STR W0, [X1]
- ROM:0000000000025050 RET
- ROM:0000000000025054 ; ---------------------------------------------------------------------------
- ROM:0000000000025054
- ROM:0000000000025054 loc_25054 ; CODE XREF: putchar:loc_25028↑j
- ROM:0000000000025054 MOV W0, #0xFFFFFFFF
- ROM:0000000000025058 RET
- ROM:0000000000025058 ; End of function putchar
将putchar函数的开头改为
C0 03 5F D6 RET
即可。
aml_ddr.fw拖到IDA64,以ARM LittleEndian 64bit反汇编,很轻易找到putchar函数
- ROM:000000000000A5C4 putchar ; CODE XREF: sub_148+28↑p
- ROM:000000000000A5C4 ; sub_188:loc_1C8↑p ...
- ROM:000000000000A5C4 01 00 00 B0 ADRP X1, #dword_B718@PAGE
- ROM:000000000000A5C8 21 60 1C 91 ADD X1, X1, #dword_B718@PAGEOFF
- ROM:000000000000A5CC 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000A5D0 41 02 00 35 CBNZ W1, locret_A618
- ROM:000000000000A5D4 1F 28 00 71 CMP W0, #0xA
- ROM:000000000000A5D8 21 01 00 54 B.NE loc_A5FC
- ROM:000000000000A5DC
- ROM:000000000000A5DC loc_A5DC ; CODE XREF: putchar+24↓j
- ROM:000000000000A5DC 81 01 86 D2 MOV X1, #0x300C
- ROM:000000000000A5E0 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000A5E4 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000A5E8 A1 FF AF 37 TBNZ W1, #0x15, loc_A5DC
- ROM:000000000000A5EC 01 00 86 D2 MOV X1, #0x3000
- ROM:000000000000A5F0 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000A5F4 A2 01 80 52 MOV W2, #0xD
- ROM:000000000000A5F8 22 00 00 B9 STR W2, [X1]
- ROM:000000000000A5FC
- ROM:000000000000A5FC loc_A5FC ; CODE XREF: putchar+14↑j
- ROM:000000000000A5FC ; putchar+44↓j
- ROM:000000000000A5FC 81 01 86 D2 MOV X1, #0x300C
- ROM:000000000000A600 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000A604 21 00 40 B9 LDR W1, [X1]
- ROM:000000000000A608 A1 FF AF 37 TBNZ W1, #0x15, loc_A5FC
- ROM:000000000000A60C 01 00 86 D2 MOV X1, #0x3000
- ROM:000000000000A610 01 F0 BF F2 MOVK X1, #0xFF80,LSL#16
- ROM:000000000000A614 20 00 00 B9 STR W0, [X1]
- ROM:000000000000A618
- ROM:000000000000A618 locret_A618 ; CODE XREF: putchar+C↑j
- ROM:000000000000A618 C0 03 5F D6 RET
- ROM:000000000000A618 ; End of function putchar
将putchar函数的开头改为
C0 03 5F D6 RET
另外文件头部有32字节的SHA256哈希,需要重算,Winhex搞定
bl2.bin bl30.bin bl31.bin aml_ddr.fw覆盖到u-boot/fip/g12b/
重新编译,烧录,引导后就没有bl2 bl3x打印的乱七八糟的东西了。
下面是串口引导记录,uboot仍然有很多乱七八糟的打印,后面我再讲如何去掉这些乱糟糟的东西。
- G12B:BL:6e7c85:2a3b91;FEAT:E0F83180:402000;POC:F;RCY:0;EMMC:0;READ:0;CHK:1F;READ:0;CHK:1F;READ:0;CHK:1F;SD?:0;SD:0;READ:0;0.0.0;M3 CHK:0;secure task start!
- high task start!
- low task start!
-
-
- U-Boot 2015.01 (Dec 31 2019 - 13:12:30)
-
- DRAM: 3.8 GiB
- Relocation Offset is: d6e46000
- spi_post_bind(spifc): req_seq = 0
- register usb cfg[0][1] = 00000000d7f394b0
- aml_i2c_init_port init regs for 0
- MMC: aml_priv->desc_buf = 0x00000000d3e36a70
- aml_priv->desc_buf = 0x00000000d3e38db0
- SDIO Port B: 0, SDIO Port C: 1
- co-phase 0x3, tx-dly 0, clock 400000
- co-phase 0x3, tx-dly 0, clock 400000
- co-phase 0x3, tx-dly 0, clock 400000
- emmc/sd response timeout, cmd8, status=0x3ff2800
- emmc/sd response timeout, cmd55, status=0x3ff2800
- co-phase 0x3, tx-dly 0, clock 400000
- co-phase 0x1, tx-dly 0, clock 40000000
- aml_sd_retry_refix[983]:delay = 0x0,gadjust =0x2000
- [mmc_startup] mmc refix success
- [mmc_init] mmc init success
- start dts,buffer=00000000d3e3b620,dt_addr=00000000d3e3b620
- check_valid_dts: FDT_ERR_BADMAGIC
- get_partition_from_dts() 91: ret -9
- get_partition_from_dts() 94: ret -9
- get_ptbl_from_dtb()-272: get partition table from dts faild
- mmc_device_init()-1254: get partition table from dtb failed
- get_ptbl_rsv()-494: magic faild MPT,
- mmc_device_init()-1281: dtb&rsv are not exist, no LPT source
- get partition info failed !!
- Using default environment
-
- In: serial
- Out: serial
- Err: serial
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/寸_铁/article/detail/1005014
推荐阅读
相关标签
