Comments (11)
I have seen your fdls; custom_exec is needed.
There is an imperfect method to find the address: send_single_test.patch
I assume sp9832e has a similar bootrom structure to 9863a.
The stack of 9863a is 0x3010-0x5000, so send 8 zero bytes (or directly "00 52 00 00 00 00 00 00") to 0x4ff8, 0x4fe8, 0x4fd8 ... until bootrom gets stuck (with zero) or fdl1 is executed (with 0x5200).
After finding the address I can dump the full BootROM.
Besides, "SPRD4:AutoD" belongs to autodloader_handler in uboot; "SPRD3" belongs to BootROM.
adb reboot autodloader
wipes splloader only if uboot doesn't include autodloader_handler
from cve-2022-38694_unlock_bootloader.
Take 9863a as an example:
func | sp | slot | reg | saved value
---|---|---|---|---
j__memcpy | 0x4f40 | 0x4f40 | x29 | 0x4f50
j__memcpy | 0x4f40 | 0x4f48 | x30 | 0x1054A0
cmd_recv_data_usb | 0x4f50 | 0x4f50 | x29 | 0x4f70
cmd_recv_data_usb | 0x4f50 | 0x4f58 | x30 | 0x105740
When writing 8 zeros to 0x4f48, BootROM won't reply "7E 00 80" to "7E 00 02".
When writing 8 zeros to 0x4f58, BootROM can still reply "7E 00 80" to "7E 00 02", but will not reply "7E 00 80" to the next "7E 00 01".
from cve-2022-38694_unlock_bootloader.
Thanks @TomKing062 I'll give it a try.
Regarding SPRD3, I don't believe I have seen or been able to enter a mode where this is present. It is always SPRD4 via adb reboot autodloader; other methods don't appear to work.
from cve-2022-38694_unlock_bootloader.
Thank you for the help once again.
I've taken the patch and done the following. Not really sure I'm using it correctly.
Created test.bin with:
cat test.bin | xxd
00000000: 0052 0000 0000 0000 .R......
Then used that in the following command:
./spd_dump_interactive --verbose 2 --wait 300 fdl fdl1-sign.bin 0x00005000 fdl fdl2-sign.bin 0x9EFFFE00
Waiting for connection (300s)
libusb_control_transfer ok
send (1):
7e |~|
recv (20):
7e 00 81 00 0c 53 50 52 44 34 3a 41 75 74 6f 44 |~....SPRD4:AutoD|
00 fd 8b 7e |...~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD4:AutoD\0"
send (8):
7e 00 00 00 00 00 00 7e |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
CMD_CONNECT bootrom
BROM >send test.bin 0x4ff8
send (16):
7e 00 01 00 08 00 00 4f f8 00 00 00 08 e2 d6 7e |~......O.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
How do I check for "until bootrom stuck (with zero) or fdl1 executed (with 0x5200)"?
I've made a script to run against the range 0x5000 -> 0x3000. So should be easy enough to debug once I figure out the command.
from cve-2022-38694_unlock_bootloader.
- Erasing spl can bring it to SPRD3 (it won't boot the system until spl is written back):
  read_part splloader 0 1m spl.bin
  read_part splloader_bak 0 1m spl_b.bin
  erase_part splloader
  erase_part splloader_bak
  reset
  To recover spl:
  fdl ...
  fdl ...
  exec
  write_part splloader spl.bin
- 0x5200 is actually sent after fdl1 (like execfile), but writing 0x5200 without fdl1 would still break "7E 00 01"/"7E 00 02" (so we find the address):
```c
send_file(io, fn, addr, end_data, 528);
if (exec_addr) {
	send_file(io, execfile, exec_addr, 0, 528);
} else {
	encode_msg(io, BSL_CMD_EXEC_DATA, NULL, 0);
	send_and_check(io);
}
DBG_LOG("EXEC FDL1\n");
```
from cve-2022-38694_unlock_bootloader.
I believe I may have found it at 0x4f80?
BROM >send test.bin 0x4f70 ram
send (16):
7e 00 01 00 08 00 00 4f 70 00 00 00 08 c2 2b 7e |~......Op.....+~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send test.bin 0x4f80 ram
send (17):
7e 00 01 00 08 00 00 4f 80 00 00 00 08 fd 7d 5d |~......O......}]|
7e |~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send test.bin 0x4ff8 ram
send (16):
7e 00 01 00 08 00 00 4f f8 00 00 00 08 e2 d6 7e |~......O.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
from cve-2022-38694_unlock_bootloader.
ud710:
D:\UserData\Desktop\addr>spd_dump_interactive
Waiting for connection (30s)
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
BROM >verbose 2
BROM >send zero 0x3f88
send (16):
7e 00 01 00 08 00 00 3f 88 00 00 00 08 ba cc 7e |~......?.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (0):
timeout reached
D:\UserData\Desktop\addr>spd_dump_interactive
Waiting for connection (30s)
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
BROM >verbose 2
BROM >send zero 0x3f98
send (16):
7e 00 01 00 08 00 00 3f 98 00 00 00 08 be 96 7e |~......?.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
SEND zero to 0x3f98
BROM >send zero 0x3f98
send (16):
7e 00 01 00 08 00 00 3f 98 00 00 00 08 be 96 7e |~......?.......~|
recv (0):
timeout reached
from cve-2022-38694_unlock_bootloader.
Ohh. Yes, that makes more sense. So the 52 was a mistake?
Going through again with zeroes I get a "timeout reached" at around 0x4f28.
Starting at 0x4f48, 0x4f38, 0x4f28:
$ ./spd_dump_interactive --verbose 2 --wait 600
Waiting for connection (600s)
libusb_control_transfer ok
send (1):
7e |~|
recv (14):
7e 00 81 00 06 53 50 52 44 33 00 57 0a 7e |~....SPRD3.W.~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
send (8):
7e 00 00 00 00 00 00 7e |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
CMD_CONNECT bootrom
BROM >send zero.bin 0x4f48
send (16):
7e 00 01 00 08 00 00 4f 48 00 00 00 08 cc e8 7e |~......OH......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send zero.bin 0x4f38
send (16):
7e 00 01 00 08 00 00 4f 38 00 00 00 08 d1 6e 7e |~......O8.....n~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send zero.bin 0x4f28
send (16):
7e 00 01 00 08 00 00 4f 28 00 00 00 08 d5 34 7e |~......O(.....4~|
timeout reached
starting at 0x4f28, 0x4f38, 0x4f48:
Waiting for connection (600s)
libusb_control_transfer ok
send (1):
7e |~|
recv (14):
7e 00 81 00 06 53 50 52 44 33 00 57 0a 7e |~....SPRD3.W.~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
send (8):
7e 00 00 00 00 00 00 7e |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
CMD_CONNECT bootrom
BROM >send zero.bin 0x4f28
send (16):
7e 00 01 00 08 00 00 4f 28 00 00 00 08 d5 34 7e |~......O(.....4~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send zero.bin 0x4f38
send (16):
7e 00 01 00 08 00 00 4f 38 00 00 00 08 d1 6e 7e |~......O8.....n~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e |~....;Z~|
BROM >send zero.bin 0x4f48
send (16):
7e 00 01 00 08 00 00 4f 48 00 00 00 08 cc e8 7e |~......OH......~|
timeout reached
from cve-2022-38694_unlock_bootloader.
Main part done: exec_addr is 0x4f18 for normal download and 0x4ee8 for fallback download.
from cve-2022-38694_unlock_bootloader.
Thank you @TomKing062, I will be attempting the SPL method. I've read through https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/wiki/AddSupportToModel#modify-images. Does that mean I need to compile from source and do https://github.com/TomKing062/jing_patch ?
from cve-2022-38694_unlock_bootloader.
no need to compile
from cve-2022-38694_unlock_bootloader.