写在最前面,先知我YY下硬刷最好可能实现的功能:

1.把软件刷入flash,修改loader后,可以实现上电就自动运行程序;

2.硬刷后,程序自动起来,可以修改loader就行加密

3.硬刷后,有可能把osmocon cell 等软件整到windwos 省去虚拟机.操作方便...(这个是YY的,暂时还不知道....)

4.硬刷后,手机可以变成砖头.

5.刷机有风险,变砖头就损失20RMB,请慎重....哈哈!~

大家自己玩玩就好了,有啥问题就别找我麻烦了...哈哈哈~~

资料来源:

http://bb.osmocom.org/trac/wiki/flashing_new

1.flash layout & memory layout

The memory is mapped as follows:

0x000000-0x00ffff: Flash page

0x010000-0x01ffff: Flash page

... more Flash pages ...

0x800000-0x83ffff: Ram

Our flash layout is:

0x000000-0x001fff: Compal loader

0x002000-0x00ffff: OSMOCOM menu

0x010000-........: OSMOCOM application and storage

2.代码修改:

git branch

* master 请用这个分支;

$ cd src/target/firmware/

$ vim Makefile

CFLAGS += -DCONFIG_FLASH_WRITE

CFLAGS += -DCONFIG_FLASH_WRITE_LOADER

CFLAGS += -DCONFIG_TX_ENABLE

编译代码

make clean

make

3.下载一个loader程序到ram,为后面刷机程序提供一个平台.

cd src

host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor target/firmware/board/compal_e88/loader.compalram.bin

按开机.

终端打印如下:

root@ubuntu:/home/ll/osmocombb/testing/osmocom-bb/src/host/osmocon# ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin

got  bytes from modem, data looks like: 2f  /

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like: 1b  .

got  bytes from modem, data looks like: f6  .

got  bytes from modem, data looks like:     ..A

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   @

Received PROMPT1 from phone, responding with CMD

read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=, hdr_len=, dnload_len=

got  bytes from modem, data looks like: 1b  .

got  bytes from modem, data looks like: f6  .

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   A

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   C

Received PROMPT2 from phone, starting download

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write():  bytes (/)

handle_write(): finished

got  bytes from modem, data looks like: 1b  .

got  bytes from modem, data looks like: f6  .

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   A

got  bytes from modem, data looks like:   .

got  bytes from modem, data looks like:   B

Received DOWNLOAD ACK from phone, your code is running now!

Received DOWNLOAD ACK from phone, your code is running now!

battery_compal_e88_init: starting up

OsmocomBB Loader (revision osmocon_v0.0.0--ge6372a2-modified)

======================================================================

Running on compal_e88 in environment compalram

4.保留原始的loader

$ cd src

$ host/osmocon/osmoload memdump 0x000000 0x2000 compal_loader.bin

备份好这个 compal_loader.bin 文件.

5.为了避免把手机变成砖头先测试下是否可以读写flash.(请参照上面一步的办法把手机里面原始flash的数据备份一份,否则整坏以后,手机就不能复原了)

$ host/osmocon/osmoload funlock 0x010000 0x10000

$ host/osmocon/osmoload ferase 0x010000 0x10000

$ host/osmocon/osmoload fprogram  0x010000 compal_loader.bin

$ host/osmocon/osmoload fprogram  0x012000 target/firmware/board/compal_e88/menu.e88loader.bin

测试如果没有问题,我们就可以刷入loader了.

$ host/osmocon/osmoload funlock 0x000000 0x10000

$ host/osmocon/osmoload ferase 0x000000 0x10000

$ host/osmocon/osmoload fprogram  0x000000 compal_loader.bin

$ host/osmocon/osmoload fprogram  0x002000 target/firmware/board/compal_e88/menu.e88loader.bin

这里需要注意的

menu.e88loader.bin 这个是* jolly/menu branch才能有的.请自行下载编译.

funlock 每次开机后都需要做这个。

menu这个文件,就是类似一个菜单的东西.

6.把app程序刷入flash.

app刷入flash,需要利用第五步的menu程序.

menu程序识别app的方式:header + app

echo "highram:RSSI" >temp

cat target/firmware/board/compal_e88/rssi.highram.bin >>temp

temp文件必须是偶数长度

$ ls -la temp

-rw-r--r--  root root  Sep  : temp

$ echo >>temp

$ ls -la temp

-rw-r--r--  root root  Sep  : temp

刷app到flash:

$ host/osmocon/osmoload funlock 0x010000 0x20000

$ host/osmocon/osmoload ferase 0x010000 0x20000

$ host/osmocon/osmoload fprogram  0x010000 temp

注意刷入数据flash的范围

0x010000到0x200000,单位为0x10000;

7.余下来的操作:

Power off your phone.

Disconnect the serial cable.

Turn it on (push power button), the OSMOCOM menu will appear and show available applications.

Use up/down keys or digits to select the application.

Press the green off-hook button, the application will be loaded to ram and is started.

Alternatively press the digit as shown in front of the application's name.

刷机后的效果图,刷机确实成功了..不是YY的..

Osmocom-BB MOTO C118硬刷的更多相关文章

  1. 刷固件Layer1到手机FLASH(硬刷)

    开头: 注意:本文章并不是做GSM 嗅探必须的,平时我们刷机叫软刷是刷到内存里面的,断电就消失了,这个是硬刷,刷到flash里面的,断电不消失,开机就运行的. 本文章经过作者实测可行,这只是单个应用程 ...

  2. Moto C118 基于 Osmocom-BB 和 OpenBTS 搭建小型GSM短信基站

    此文章PDF文档下载地址:点击下载 0x00 写在前面 大家应该都听说过摩托罗拉C118配合Osmocom-BB实现GSM网络下的短信拦截功能吧,在14年左右新出了一种玩法就是Osmocom-BB的s ...

  3. 三极管的妙用之C118自动刷机

    首先咱们要搞清楚咱们自动刷机的原理,不谈修改固件那么高深的东西,简单的就是控制开机键. 使用继电器来控制基本上算是上个世纪的想法吧,之前博主也做过,做出来的感觉其实也很不错,就像是一个收藏品.因为继电 ...

  4. Sony Z1 flashtool 刷机笔记

    第一次硬刷,(相较于recovery的卡刷)差点变成无限重启..记录一些关键步骤: 1 unlock bootloader http://developer.sonymobile.com/unlock ...

  5. E6全部刷机包

    此版本号基于R533_G_11.11.10P_GSZMCAUT679DA01B_LP064DA_T679DA_S005_E001_P002_R001_G004_1FF.sbf制作耳机接听或挂机正常内置 ...

  6. 电脑机器刷BIOS

    http://www.51nb.com/forum/viewthread.php?tid=934570&page=1#pid13765036 [原创]hp笔记本刷新bios失败后真的可以恢复吗 ...

  7. Hasse神舟笔记本卡logo解决,刷BIOS方法,教你修复神船

    我的电脑是神舟战神K660E i7 d7的,前两天装Windows10,Ubuntu,MAC OS Mojave,PE 一堆操作,使用bootice重建uefi引导,结果在前几天,我删了一个重复的ue ...

  8. LinuxE2系统刷机后OSCAM安装与读卡器设置

    我也属于E2小白,最近才开始玩这个系统.从dinobot 4k+,到H7s,在到H5,各种E2机器都买了.刚开始入手的时候,怎么这么麻烦?慢慢的发现,烧新,玩E2也是一种乐趣,只不过最近困扰我的刷机后 ...

  9. GSM Sniffing入门之硬件篇

    3个月前,听朋友介绍得知OsmocomBB项目.此前一直以为GSM Sniffing需要价格昂贵的专用设备,但osmocomBB的上手成本:一个25元左右的手机,外加一根USB转TTL的串口线,着实让 ...

随机推荐

  1. Android虚拟机常见错误及解决办法

    第一个: [2012-11-09 13:15:14 - Tesa] Android Launch! [2012-11-09 13:15:14 - Tesa] The connection to adb ...

  2. 使用Visual Studio 2013进行单元测试--初级篇

    1.打开VS2013 --> 新建一个项目.这里我们默认创建一个控制台项目.取名为UnitTestDemo 2.在解决方案里面新增一个单元测试项目.取名为UnitTestDemoTest 创建完 ...

  3. css3中clip属性

    clip 属性用来设置元素的形状.用来剪裁绝对定位元素. 当一幅图像的尺寸大于包含它的元素时,"clip" 属性允许规定一个元素的可见尺寸,这样此元素就会被修剪并显示在这个元素中. ...

  4. DOM操作 append prependTo after before

    通过JavaScript可以很方便的获取DOM节点,从而进行一系列的DOM操作.但实际上一般开发者都习惯性的先定义好HTML结构,但这样就非常不灵活了. 试想下这样的情况:如果我们通过AJAX获取到数 ...

  5. prepareStatement和Statement的区别

    1:创建时的区别:    Statement stm=con.createStatement();    PreparedStatement pstm=con.prepareStatement(sql ...

  6. while、do while练习——7月24日

    while循环的格式是for循环的变形 //while 循环(当循环),是for循环的变形 //for(int i=0;i<=5;i++) //{ // Console.WriteLine(&q ...

  7. long型转日期型

    //时分秒格式//不知为何,出来的时间有点差别 public class Test { public static void main(String[] args) throws Exception ...

  8. VoltDB介绍——本质:数据保存在内存,充分利用CPU,单线程去锁,底层数据结构未知

    转自:http://blog.csdn.net/ransom0512/article/details/50440316 简介 VoltDB数据库是一个分布式,可扩展,shared-nothing的内存 ...

  9. 318. Maximum Product of Word Lengths ——本质:英文单词中字符是否出现可以用26bit的整数表示

    Given a string array words, find the maximum value of length(word[i]) * length(word[j]) where the tw ...

  10. ...python の 学习

    5.14 ...上次学python 好像是一个月前.. 写点东西记录下叭.. 现在在看李老大写的博客写..可能直接开抄代码... 感觉自己写的总是爬不成功,之前写的爬豆瓣影评的爬虫还是残的... 1. ...