红米CR8808出厂固件备份刷AX3000和开启SSH并固化操作过程分享(20230608更新)

【AD】DMIT,美国CMIN2 VPS,8折优惠,折后$23.10/季(1核2G/20G SSD /[email protected]流量),三网回程CMIN2

刷机是几个星期前的事了,当时比较忙,没空码帖子,我的CR8808主板编号是M83,自带TTL引脚,工程机???
刷AX3000后,2.4G信号正常,但5G信号极差,估计是5G功放芯片换了。
刷机大概步骤如下:

1、拆机上PL2303HX芯片的TTL线,结果不不跑码,尝试多种方式依旧,无奈重新购买FT232RL芯片的的TTL线,
接线方式是:

RX -> TXD
TX -> RXD
GND -> GND
电源线不用连接

MobaXterm设置如下图

2、路由器通电开机,顺利跑码顺带奇迹出现,未按任何按键既然自动中断AutoBoot!进入U-BOOT(忘记截图了)

3、输入printenv查找确认IP
ipaddr=192.168.10.1                      #此为路由器IP
serverip=192.168.10.100                #此为电脑IP

4、开启Tftpd64设置服务器地址为192.168.10.100

5、输入smeminfo  查看分区表

IPQ5018# smeminfo
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 36 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 288, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 108511920
ubi0: available PEBs: 38, total reserved PEBs: 250, PEBs reserved for bad PEB handling: 40
flash_type:             0xb
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x20000
flash_density:          0x80000
partition table offset  0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0          0x80000
  1: 0:MIBIB          0x0000ffff          0x80000          0x80000
  2: 0:BOOTCONFIG     0x0000ffff         0x100000          0x40000
  3: 0:BOOTCONFIG1    0x0000ffff         0x140000          0x40000
  4: 0:QSEE           0x0000ffff         0x280000         0x100000
  5: 0:QSEE_1         0x0000ffff         0x180000         0x100000
  6: 0:DEVCFG         0x0000ffff         0x3c0000          0x40000
  7: 0:DEVCFG_1       0x0000ffff         0x380000          0x40000
  8: 0:CDT            0x0000ffff         0x440000          0x40000
  9: 0:CDT_1          0x0000ffff         0x400000          0x40000
 10: 0:APPSBLENV      0x0000ffff         0x480000          0x80000
 11: 0:APPSBL         0x0000ffff         0x640000         0x140000
 12: 0:APPSBL_1       0x0000ffff         0x500000         0x140000
 13: 0:ART            0x0000ffff         0x780000         0x100000
 14: 0:TRAINING       0x0000ffff         0x880000          0x80000
 15: bdata            0x0000ffff         0x900000          0x80000
 16: crash            0x0000ffff         0x980000          0x80000
 17: crash_log        0x0000ffff         0xa00000          0x80000
 18: rootfs           0x0000ffff         0xa80000        0x2400000
        ubi vol 0 kernel
        ubi vol 1 ubi_rootfs
 19: rootfs_1         0x0000ffff        0x2e80000        0x2400000
 20: overlay          0x0000ffff        0x5280000        0x1f00000
 21: data             0x0000ffff        0x7180000         0xd80000

6、备份出厂固件,逐条输入以下命令,将分区备份到电脑Tftpd64目录下。

nand read 0x44000000 0x0 0x80000
tftpput 0x44000000 0x80000 0SBL1.bin

nand read 0x44000000 0x80000 0x80000
tftpput 0x44000000 0x80000 1MIBIB.bin

nand read 0x44000000 0x100000 0x40000
tftpput 0x44000000 0x40000 2BOOTCONFIG.bin

nand read 0x44000000 0x140000 0x40000
tftpput 0x44000000 0x40000 3BOOTCONFIG1.bin

nand read 0x44000000 0x280000 0x100000
tftpput 0x44000000 0x100000 4QSEE.bin

nand read 0x44000000 0x180000 0x100000
tftpput 0x44000000 0x100000 5QSEE1.bin

nand read 0x44000000 0x3c0000 0x40000
tftpput 0x44000000 0x40000 6DEVCFG.bin

nand read 0x44000000 0x380000 0x40000
tftpput 0x44000000 0x40000 7DEVCFG1.bin

nand read 0x44000000 0x440000 0x40000
tftpput 0x44000000 0x40000 8CDT.bin

nand read 0x44000000 0x400000 0x40000
tftpput 0x44000000 0x40000 9CDT1.bin

nand read 0x44000000 0x480000 0x80000
tftpput 0x44000000 0x80000 10APPSBLENV.bin

nand read 0x44000000 0x640000 0x140000
tftpput 0x44000000 0x140000 11APPSBL.bin

nand read 0x44000000 0x500000 0x140000
tftpput 0x44000000 0x140000 12APPSBL1.bin

nand read 0x44000000 0x780000 0x100000
tftpput 0x44000000 0x100000 13ART.bin

nand read 0x44000000 0x880000 0x80000
tftpput 0x44000000 0x80000 14TRAINING.bin

nand read 0x44000000 0x900000 0x80000
tftpput 0x44000000 0x80000 15bdata.bin

nand read 0x44000000 0x980000 0x80000
tftpput 0x44000000 0x80000 16crash.bin

nand read 0x44000000 0xa00000 0x80000
tftpput 0x44000000 0x80000 17crashlog.bin

nand read 0x44000000 0xa80000 0x2400000
tftpput 0x44000000 0x2400000 18rootfs.bin

nand read 0x44000000 0x2e8000 0x2400000
tftpput 0x44000000 0x2400000 19rootfs1.bin

nand read 0x44000000 0x5280000 0x1f00000
tftpput 0x44000000 0x1f00000 20overlay.bin

nand read 0x44000000 0x7180000 0xd80000
tftpput 0x44000000 0xd80000 21data.bin

7、刷入坛友发的红米AX3000官方APPSBL等分区备份文件,文件需放在Tftpd64目录下,输入以下命令刷入CR8808。

tftpboot OpenWrt.mtd11.bin && flash 0:APPSBL
tftpboot OpenWrt.mtd12.bin && flash 0:APPSBL_1

8、断电,长按reset,用MIWIFIRepairTool刷入红米AX3000_1.0.33固件,待蓝灯闪烁刷机完成,断电拆除TTL线。

9、开机后浏览器输入192.168.31.1进入进入后台,设置测试,结果如开头所说,5G信号极差,失望之极!

10、关机,接上TTL依旧无需任何操作自动进入U-BOOT,重新刷入刚才备份的CR8808原厂APPSBL等分区,命令如下:

tftpboot 11APPSBL.bin && flash 0:APPSBL
tftpboot 12APPSBL1.bin && flash 0:APPSBL_1

11、断电,长按reset,用MIWIFIRepairTool刷入CR8808_6.2.11固件,待蓝灯闪烁刷机完成断电重启。(未拆除TTL线)

12、开机自动进入U-BOOT,输入以下开启SSH及固化命令,会自动重启,拆除TTL,再次重启进入固件。

nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram commit
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear restart
mkdir /data/auto_ssh
cd /data/auto_ssh
curl -O https://fastly.jsdelivr.net/gh/lemoeo/AX6S@main/auto_ssh.sh
chmod +x auto_ssh.sh
uci set firewall.auto_ssh=include
uci set firewall.auto_ssh.type='script'
uci set firewall.auto_ssh.path='/data/auto_ssh/auto_ssh.sh'
uci set firewall.auto_ssh.enabled='1'
uci commit firewall
uci set system.@system[0].timezone='CST-8'
uci set system.@system[0].webtimezone='CST-8'
uci set system.@system[0].timezoneindex='2.84'
uci commit
reboot

20230608更新,上面的SSH固化方法在重置后会失效,可以按下面的方法修改Bdata分区数据来进一步固化SSH
    在SSH终端执行以下指令:

zz=$(dd if=/dev/zero bs=1 count=2 2>/dev/null) ; printf '\xA5\x5A%c%c' $zz $zz | mtd write - crash
reboot

     等待路由器重启后,重新连接ssh,并执行以下指令

nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram commit
bdata set ssh_en=1
bdata set telnet_en=1
bdata set uart_en=1
bdata set boot_wait=on
bdata commit
reboot

       等待路由器重启后,重新连接ssh,并执行以下指令

mtd erase crash
reboot

13、SSH连接 [email protected] (不想计算SSH密码,可直接在U-BOOT修改root密码)

14、在SSH下安装Lcky,安装顺利,但重启后扑街!内存爆了,无限重启!

BusyBox v1.25.1 (2021-09-06 08:28:06 UTC) built-in shell (ash)

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:/# passwd root
Changing password for root
New password:
Retype password:
passwd: password for root changed by root
root@XiaoQiang:/# wget -O /tmp/install.sh [url]http://cdn001.gdy666.com/lucky-files/g[/url]
olucky.sh  && sh /tmp/install.sh [url]http://cdn001.gdy666.com/lucky-files[/url] 1.8.5
Connecting to cdn001.gdy666.com (172.67.130.244:80)
install.sh           100% |*******************************| 15293   0:00:00 ETA
当前CPU架构:armv7&#137;
*************************************************
**                 欢迎使用                    **
*                LLcky 管理脚本               *
**                            by 古大羊     **
*  
                        202&#460;&#562;0&#498;.&#490;:&#575;:ń**
************************************************
1 鍛装Lucky
2 &#17074;Lucky
----------------------------------------------
 0&#320;退出脚本
请输入对应数字 > 1
安垳
cky...

目标文件载链接:[url]http://cdn001.gdy6[/url]&#540;&#5401;.coшlucky-files/1.&#561;&#538;.н/cky_1.&#561;&#538;λLinux_armv7.tar.gz
-----------------------------------------------
安装lucky至少需要预留约3MB的&#46989;盘空间

 1 /ec目录下安装(适合root用户)
 2 在/usr/sare目录下安装(适合Linux设备)
 3 在当前用户目录下安装(合非o&#212;t用户)
 4 手动设置安装目录
 0 退出安装
----
---&#202;-----------------&#205;-----------------
请输入相应数字 > 1
目标目录/etc空间剩余:204M

确认安装?(1/0) > 1
luckdir:/etc/luckyǎaШM
##########&#351;/&#350;)#>##################################################### 100.0%

------------------------------------&#450;-&#450;%----
开始解压文件!
LICENSE
scripts/lucky.service
sripts/luckyservce
scrits/misnap_init.sh
lucy
已解压到 /etc/lucky.dai
Profile:/etc/profile
设为ini.d方式启动
lu/ky已成功运行
root@XiaoQiang:/#

15、无奈!用MIWIFIRepairTool刷入CR8808_6.2.147固件,并再次开启SSH,输入下面命令卸载了Andlink,暂时不想折腾了。

opkg remove andlink-hy - 1.0.0-1

虽然CR8808性能和内存确实不足,搞机意义不大,但还是很感谢hzyitc  slienna  121716498  NakanoSanku等大佬,开启CR8808搞机之路。


【AD】美国洛杉矶CN2 VPS/香港CN2 VPS/日本CN2 VPS推荐,延迟低、稳定性高、免费备份_搬瓦工vps