Accessing the MF79U over ADB after unlocking the device

Hardware specifications

# Some hardware parameters of the ZTE MF79U
CPU: ZX297520V3 ARMv7 Processor rev 4 (v7l) @ 624MHz
MEM: 64M
ROM: 32M
WiFi: RTL8192C

Hardware version: MF79U-V1.0.0
Software version: BD_TENCENTMF79UV1.0.0B06

Unlocking the device

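# Simple steps to unlock the MF79U; all required resources can be downloaded here: https://qyyd5g.top/中兴4G-5G路由刷机工具分享/

1. Run [SCSI.exe, the tool that opens the ports on ZTE MiFi/UFI/card-tray devices]. When it finishes, two additional unknown [DEMO Mobile Broadband] devices appear in Device Manager.

2. Install the driver [DRV_DC_ZTE_AS_SETUPV1.0.0B03.exe] and remove the SIM card and memory card from the modem (if inserted).

3. Plug the MF79U back into the computer's USB port; two additional COM debug ports, [AT Inteface] and [LOG Inteface], appear in Device Manager.

4. Open [AT Inteface] with a debugging tool and enter the AT command [AT+ZMODE=1] to enable advanced mode; this adds [modem + AT&LOG interfaces].

5. With advanced mode enabled, plugging the MF79U into the computer does not show an Android device in Device Manager, but you can still get an interactive session with adb shell.

6. AT commands can now also be read and written through the AT port. Echo is off by default; remember to enter [ATE1] so that typed commands are visible in the terminal.

-------------------------------------------------------------------------------
# ZTE firmware generally comes as "up" packages and after-sales packages. "up" packages are upgrade patches, not complete firmware, and are not recommended.
# zip/7z archives are after-sales firmware, with a complete set of files plus the unbrick flashing files. ZTE Microelectronics (中兴微) devices can simply be flashed with the official tool.

-------------------------------------------------------------------------------
# The device's normal working modes are AT+ZMODE=0 and AT+ZMODE=1
AT+ZMODE=0 (the device's default mode)
RNDIS + MMC & CD

AT+ZMODE=1 (enables advanced mode)
RNDIS + MMC & CD + ADB + modem + AT&LOG interfaces

AT+ZMODE=2 (debug mode; the device is usually in this mode after running SCSI.EXE)
AT & LOG interfaces (different COM port numbers)

AT+ZMODE=3 (unbrick mode; I have not tried switching to this mode)
Modem + AT&LOG interfaces (different COM port numbers; the interfaces do not respond to commands and the reset button has no effect)
-------------------------------------------------------------------------------

RNDIS => A protocol that emulates an Ethernet port. When a computer (or router) is connected to the USB port, the modem presents itself as a network card.
MMC & CD => CD with drivers and MicroSD card reader function
ADB => Android Debug Bridge; it can copy files to and from the modem and gives shell access for interacting with the device
MODEM => Modem interface. I have not tried it, but apparently the device can be connected directly as a modem. Even if you manage to do that, it will be slow.
AT&LOG => Interface for modem management and modem status information over COM ports; for example, through the AT interface you can use a terminal program to change the modem mode from AT+ZMODE=2 to AT+ZMODE=0

After SCSI.exe has been used, two more interfaces, DL1 and DL2, appear briefly in Device Manager each time before the modem boots (the modem is flashed through these interfaces).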

Hardware information

BusyBox v1.21.0-uc0 (2020-11-30 16:19:57 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # df -h
Filesystem Size Used Available Use% Mounted on
ubi0:rootfs 31.8M 24.4M 7.4M 77% /
mdev 26.9M 0 26.9M 0% /dev
tmpfs 26.9M 0 26.9M 0% /dev/shm
ubi1_0 6.4M 344.0K 6.0M 5% /etc_rw_mbb
ubi1_1 2.9M 16.0K 2.9M 1% /logfs
ubi1_2 14.1M 36.0K 14.1M 0% /cache
mtd:yaffs 2.0M 388.0K 1.6M 19% /mnt/yaffs

~ # free -m
total used free shared buffers
Mem: 53 35 18 0 0
-/+ buffers: 35 18
Swap: 0 0 0

~ # cat /proc/cpuinfo
Processor : ARMv7 Processor rev 4 (v7l)
BogoMIPS : 620.54
Features : swp half fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4

Hardware : ZX297520V3
Revision : 0000
Serial : 0000000000000000

~ # cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
624000
~ # cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
312000

~ # uname -a
Linux DEMO 3.4.110 #2 Mon Nov 30 16:13:52 CST 2020 armv7l GNU/Linux
~ # cat /proc/cmdline
mem=62M console=ttyS1,115200 no_console_suspend mtdparts=spi-nand:512k@0x0(zloader),1m@0x80000(uboot),512k@0x180000(cpurpm),1m@0x200000(uboot-mirr),1m@0x300000(nvfac),2m@0x400000(nvro),3m@0x600000(nvrw),1m@0x900000(fotaflag),6656k@0xa00000(cpuphy),512k@0x1080000(sms),8m@0x1100000(cpups),5m@0x1900000(cpuap),4m@0x1e00000(cpfs),5m@0x2200000(recovery),5m@0x2700000(recovery-kernel),8m@0x2c00000(cdrom),38m@0x3400000(userdata),2m@0x5a00000(yaffs),33m@0x5c00000(zterw) root=ubi0:rootfs ubi.mtd=16 ro rootfstype=ubifs boot_reason=0

~ # ls /lib/modules/3.4.110/kernel/
drivers net
~ # ls /lib/
ld-uClibc-0.9.33.2.so libebt_nflog.so libnsl-0.9.33.2.so
ld-uClibc.so.0 libebt_pkttype.so libnsl.so.0
libatext.so libebt_redirect.so libnvram.so
libattest.so libebt_standard.so libpaho-mqtt3c.so.1
libatuser.so libebt_stp.so libpthread-0.9.33.2.so
libatutils.so libebt_ulog.so libpthread.so.0
libbz2.so libebt_vlan.so libresolv-0.9.33.2.so
libbz2.so.1.0 libebtable_broute.so libresolv.so.0
libbz2.so.1.0.3 libebtable_filter.so librt-0.9.33.2.so
libc.so.0 libebtable_nat.so librt.so.0
libcares.so.2 libebtc.so libsoft_timer.so
libcrypt-0.9.33.2.so libexpat.so libsoftap.so
libcrypt.so.0 libexpat.so.1 libsqlite.so
libdl-0.9.33.2.so libexpat.so.1.6.0 libstdc++.so
libdl.so.0 libezxml.so libstdc++.so.6
libdmgr.so.1 libgcc_s.so libstdc++.so.6.0.17
libebt_802_3.so libgcc_s.so.1 libuClibc-0.9.33.2.so
libebt_among.so libm-0.9.33.2.so libubacktrace-0.9.33.2.so
libebt_arp.so libm.so.0 libubacktrace.so.0
libebt_arpreply.so libmxml.so libutil-0.9.33.2.so
libebt_ip.so libneon.so libutil.so.0
libebt_ip6.so libnl-3.so libwlan_interface.so
libebt_limit.so libnl-3.so.200 libz.so
libebt_log.so libnl-3.so.200.20.0 libzte_pbm.so
libebt_mark.so libnl-genl-3.so libztedmapp.so
libebt_mark_m.so libnl-genl-3.so.200 modules
libebt_nat.so libnl-genl-3.so.200.20.0 stat.makefun

Boot analysis

  1. After the kernel finishes booting, it runs /sbin/init, which reads the configuration file /etc/inittab
~ # cat /etc/inittab
::sysinit:/etc/rc
::respawn:-/bin/sh
slog:unknown:/sbin/syslogd -n
klog:unknown:/sbin/klogd -n
  2. init runs /etc/rc to bring up the whole runtime environment
~ # cat /etc/rc
#!/bin/sh

/bin/mount -t proc proc /proc

echo "Starting mdevd..."
/bin/mount -t tmpfs mdev /dev
/bin/mount -t sysfs sysfs /sys
echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s


/bin/mount -t ramfs ramfs /tmp
mkdir /dev/pts
mkdir /dev/shm
/bin/mount -t devpts devpts /dev/pts
/bin/mount -t tmpfs tmpfs /dev/shm
/bin/mount -t debugfs none /sys/kernel/debug

#mkdir -p /securefs
#mount -t jffs2 -o ro mtd:securefs /securefs
#mtdnum_securefs=$(cat /proc/mtd | grep "securefs" | awk '{print $1}'| cut -b 4- |sed 's/://g')
#ubiattach /dev/ubi_ctrl -m $mtdnum_securefs
#mount -t ubifs -o ro ubi1_0 /securefs

mtdnum_zterw=$(cat /proc/mtd | grep "zterw" | awk '{print $1}'| cut -b 4- |sed 's/://g')
ubiattach /dev/ubi_ctrl -m $mtdnum_zterw
mount -t ubifs -o rw ubi1_0 /etc_rw_mbb
mount -t ubifs -o rw ubi1_1 /logfs
mount -t ubifs -o rw ubi1_2 /cache

ln -s /tmp /tmp/local
ln -s /tmp /tmp/tmp

mkdir -p /tmp/mnt

#####sunquan start
mkdir -p /var/local/tmp/ppp/status
mkdir -p /var/local/tmp/ppp/peers
#####sunquan end

#mkdir -p /var/run
#mkdir -p /var/log
#mkdir -p /var/db
#mkdir -p /var/ct/tmp

mkdir -p /tmp/run
mkdir -p /tmp/log
mkdir -p /tmp/db
mkdir -p /tmp/ct/tmp

echo off > /sys/kernel/debug/kmemleak
echo 32768 > /proc/sys/kernel/msgmnb
#####sunquan start
ifconfig lo 127.0.0.1 up
#####sunquan end

# insmod drivers
KVER=`uname -r | cut -f 1 -d '-'`

##### xuxinqiang start
mknod /dev/slic c 211 0
##### xujianqiang end
#####sunquan start
mknod /dev/myioctl c 222 0
#####sunquan end

mknod /dev/tun c 10 200

MODULE_PATH=/lib/modules/$KVER/net

#####sunquan start
#insert ipt modules
if [ -f $MODULE_PATH/nf_conntrack_rtsp.ko ]; then
insmod $MODULE_PATH/nf_conntrack_rtsp.ko
fi
if [ -f $MODULE_PATH/nf_nat_rtsp.ko ]; then
insmod $MODULE_PATH/nf_nat_rtsp.ko
fi
if [ -f $MODULE_PATH/ipt_classify.ko ]; then
insmod $MODULE_PATH/ipt_classify.ko
fi
if [ -f $MODULE_PATH/xt_webstr.ko ]; then
insmod $MODULE_PATH/xt_webstr.ko
fi
#####sunquan end


##### for app core dump start
ulimit -c unlimited
mkdir -p /cache/pid-core-dumps
echo /cache/pid-core-dumps/core.%e > /proc/sys/kernel/core_pattern
##### for app core dump end

echo 4096 > /proc/sys/vm/min_free_kbytes

nvserver &

# update the related nv items after a FOTA upgrade; only on the first boot after the FOTA upgrade
nv_fota_update.sh

cmdline=$(cat /proc/cmdline)
bootmode=${cmdline##*bootmode=}
bootmode=${bootmode%% *}
bootreason="${cmdline##*boot_reason=}"
nv set bootreason=$bootreason
if [[ $bootmode == "amt" ]]; then
nv set ver_mode=0
# internet.sh
zte_usbCfgMng &
zte_log_agent &

zte_amt -p 10027 &

chown root:root /bin/adbd
adbd &
mode_test&
exit 0
fi

nv set ver_mode=1

#echo 0 > /etc_ro/wifiStatus
#echo 0 > /etc_ro/wpsStatus
#echo F > /etc_ro/staStatus

#####sunquan start
mkdir -p /usr/netlog

#syslogd -O /syslogd.log -l 2 -s 1024 &
sysctl -w net.unix.max_dgram_qlen=5000
#syslogd -l 2 -s 10240 -f /etc/syslog.conf &
#####sunquan end
at_ctl 2>&1 1>/dev/null &
zte_drvComMng &
#rtc-service & #del by zuoshu for remove rtc service
bootflag=$(nv get LanEnable)
if [[ $bootreason == "10" ]]; then
nv set ver_mode=2
fi

# follow disabled by mbb
#if [[ $bootflag == "1" ]]; then
#if [[ $bootreason == "2" ]]; then
# zte_mmi poweroff_charger &
# zte_usbCfgMng poweroff_charger &
# zte_mainctrl poweroff_charger &
# zte_audio_ctrl &
# rtc-service &
# adbd &
# zte_watchdog &
# /usr/sbin/telnetd -p 4719 &
# exit 0
#fi
#fi
zte_usb_cfg &
zte_usbCfgMng &

if [[ $bootflag == "1" ]]; then
echo "no mmi and wlan"
#zte_mmi &
fi

echo /sbin/modprobe -d /lib/modules/3.4.5 > /proc/sys/kernel/modprobe


#add by suhao for cfg ko insmod begin
insmod /lib/modules/`uname -r`/kernel/drivers/cfg/cfg.ko
#add by suhao for cfg ko insmod end

#add by suhao for cfg device node begin
mknod /dev/flash0 c 200 0
mknod /dev/flash1 c 200 1
nvram
#add by suhao for cfg device node end

#####sunquan start
echo 2 > /proc/sys/net/ipv6/conf/default/accept_dad
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
#####sunquan end

# start the page cache/kmem cache cleanup timer in the kernel
echo 1 > /proc/sys/vm/drop-cache

#####sunquan start
# Change default NAT policy of UDP sessions, per Win7 Logo
# requirement for Xbox-Live. The defaut session timeout on
# linux 3.4.5 was 30 seconds. Win7 logo requires at least
# 70.
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

# treat reset close session as fin close session, set same timeout
# this is required to pass CDRouter NAT timeout test case.
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close

# add this to support up to 20 PPTP tunnel
echo 40 > /proc/sys/net/netfilter/nf_conntrack_expect_max
#####sunquan end

##### zhouguopo say watch USB status
mount -t usbfs none /proc/bus/usb

echo 0 > /proc/sys/kernel/panic
echo 1 > /proc/sys/kernel/panic_on_oops
echo 2 > /proc/sys/vm/panic_on_oom

#add by zuoshu for keep wakelock when boot up
echo system_lock > /sys/power/wake_lock

#add for adbd
chmod a+rw /dev/android_adb /dev/ptmx
#mkdir -p /system/bin
#ln -s /bin/busybox /system/bin/sh
chown root:root /bin/adbd
#ln -sf /bin/netdog /bin/set_loglevl
export MYRESETFLAG=`nv get reboot_val_flag`
if [ x"${MYRESETFLAG}" == x"AAAA" ];then
nv set reboot_val_flag=BBBB
elif [ x"${MYRESETFLAG}" == x"BBBB" ]; then
nv set reboot_val_flag=CCCC
fi
unset MYRESETFLAG
nv save

#houp
export MODEFLAG=`nv get usb_modetype`
if [ x`cat /sys/class/android_usb/android0/download` = x"1" ];then
cat /proc/driver/codec_id
else
cat /proc/driver/sensor_id
fi
unset MODEFLAG
#hou

# apps start

#if [[ $bootflag == "1" ]]; then
# wifi is configured on top of the LAN, so it must be started after the LAN
#wlan-server &
#fi
zte_mainctrl &
#netdog_init_set.sh
# for audio res ctrl
zte_audio_ctrl &
#internet.sh

zte_log_agent &

zte_hotplug &

## please confirm your app should place after or before
## for dial up and wifi go faster
sleep 7

zte_watchdog &

if [[ $bootflag == "1" ]]; then
#fluxstat &
#sntp &
#goahead &
sd_hotplug &
#ccapp &
#zte_pcs &
#sms &
#phonebook &
fi

adbd &
#mode_test&

echo "Starting FOTA apps......!!"
##### fota need start
#mkdir -p /cache/zte_socket
##### fota need end
#/sbin/start_update_app.sh &

zte_adapter_usb_ctl &

#if [[ $bootflag == "1" ]]; then
#/usr/sbin/telnetd -p 4719 &
#/sbin/start_telnetd.sh &
#fi

#mkdir /mnt/tmp
#mount --bind / /mnt/tmp

chmod +x /sbin/app_monitor.sh
app_monitor.sh open
rm -rf /etc_rw/udhcpd*.pid
#zte start
#mkdir -p /media/zte/zte_socket
sh /usr/zte/zte_conf/scripts/zte_debug.sh &

#modify by houweifeng for mount yaffs2 20170711 begin
#mkdir -p /mnt/yaffs
#mount -t yaffs2 /dev/mtdblock16 /mnt/yaffs
mount -t jffs2 mtd:yaffs /mnt/yaffs
#modify by houweifeng for mount yaffs2 20170711 end
#zte_topsw_production_at &
zte_production_server_at &
/usr/bin/jtcard_sdk 3 &
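
To review which debug interfaces the /etc/rc listing above brings up at boot, the script can be scanned for active, conditional and commented-out launches of shell daemons and for world-writable chmod calls. This Python is an added example, not from the original post; the daemon list and function names are assumptions, and the sample is a constructed excerpt of lines taken from the listing.

```python
import re

# Constructed sample: lines excerpted (not contiguous) from the /etc/rc listing.
RC_EXCERPT = """\
if [[ $bootmode == "amt" ]]; then
zte_amt -p 10027 &
chown root:root /bin/adbd
adbd &
exit 0
fi
# /usr/sbin/telnetd -p 4719 &
chmod a+rw /dev/android_adb /dev/ptmx
chmod +x /sbin/app_monitor.sh
adbd &
#/sbin/start_telnetd.sh &
"""

# Assumption: names a reviewer treats as remote/debug shells; extend as needed.
DEBUG_DAEMONS = ("adbd", "telnetd", "dropbear", "sshd")
LAUNCH_RE = re.compile(r"^(?:\S*/)?([\w.-]+)(?:\s+[^&]*)?&\s*$")
WORLD_WRITE_RE = re.compile(r"^chmod\s+\S*[ao]\S*\+\S*w\S*\s+(.+)$")


def audit_rc(text):
    """Return (line, item, state) findings for debug daemons and loose chmods."""
    findings, depth = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        if not commented:
            if re.match(r"(if|case)\b", line):
                depth += 1
            elif re.match(r"(fi|esac)\b", line):
                depth = max(depth - 1, 0)
            chmod = WORLD_WRITE_RE.match(line)
            if chmod:
                findings.append((lineno, chmod.group(1), "world-writable"))
        launch = LAUNCH_RE.match(body)
        daemon = launch and next(
            (d for d in DEBUG_DAEMONS if d in launch.group(1)), None)
        if daemon:
            state = ("disabled" if commented
                     else "conditional" if depth else "unconditional")
            findings.append((lineno, daemon, state))
    return findings


if __name__ == "__main__":
    for finding in audit_rc(RC_EXCERPT):
        print(*finding)
```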