
Comments (11)

TomKing062 commented on June 23, 2024

I have seen your FDLs; custom_exec is needed.

There is an imperfect method to find the address: send_single_test.patch

I assume sp9832e has a similar BootROM structure to 9863a.

The stack of 9863a is 0x3010-0x5000, so send 8 zero bytes (or directly "00 52 00 00 00 00 00 00") to 0x4ff8, 0x4fe8, 0x4fd8 ... until the BootROM gets stuck (with zeros) or fdl1 is executed (with 0x5200).

After finding the address I can dump the full BootROM.

Besides, "SPRD4:AutoD" belongs to autodloader_handler in uboot; "SPRD3" belongs to the BootROM.

adb reboot autodloader wipes splloader only if uboot doesn't include autodloader_handler.

from cve-2022-38694_unlock_bootloader.

TomKing062 commented on June 23, 2024

Take 9863a as an example:

    func               sp      addr    reg  value
    j__memcpy          0x4f40  0x4f40  x29  0x4f50
    j__memcpy          0x4f40  0x4f48  x30  0x1054A0
    cmd_recv_data_usb  0x4f50  0x4f50  x29  0x4f70
    cmd_recv_data_usb  0x4f50  0x4f58  x30  0x105740

When writing 8 zeros to 0x4f48, the BootROM won't reply "7E 00 80" to "7E 00 02".
When writing 8 zeros to 0x4f58, the BootROM can reply "7E 00 80" to "7E 00 02", but will not reply "7E 00 80" to the next "7E 00 01".


BenEdridge commented on June 23, 2024

Thanks @TomKing062, I'll give it a try.

Regarding SPRD3, I don't believe I have seen or been able to enter a mode where this is present. It is always SPRD4 via adb reboot autodloader; other methods don't appear to work.


BenEdridge commented on June 23, 2024

Thank you for the help once again.

I've taken the patch and done the following. Not really sure I'm using it correctly.

Created test.bin with:

cat test.bin | xxd
00000000: 0052 0000 0000 0000                      .R......

Then used that in the following command:

./spd_dump_interactive --verbose 2 --wait 300  fdl fdl1-sign.bin 0x00005000 fdl fdl2-sign.bin 0x9EFFFE00
Waiting for connection (300s)
libusb_control_transfer ok
send (1):
7e                                               |~|
recv (20):
7e 00 81 00 0c 53 50 52 44 34 3a 41 75 74 6f 44  |~....SPRD4:AutoD|
00 fd 8b 7e                                      |...~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD4:AutoD\0"
send (8):
7e 00 00 00 00 00 00 7e                          |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
CMD_CONNECT bootrom
BROM >send test.bin 0x4ff8      
send (16):
7e 00 01 00 08 00 00 4f f8 00 00 00 08 e2 d6 7e  |~......O.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e  |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|

How do I check for "until bootrom stuck (with zero) or fdl1 executed (with 0x5200)"?

I've made a script to run against the range 0x5000 -> 0x3000, so it should be easy enough to debug once I figure out the command.


TomKing062 commented on June 23, 2024

  1. Erasing spl can bring it to SPRD3 (it won't boot the system until spl is written back):

     read_part splloader 0 1m spl.bin
     read_part splloader_bak 0 1m spl_b.bin
     erase_part splloader
     erase_part splloader_bak
     reset

     To recover spl:

     fdl ...
     fdl ...
     exec
     write_part splloader spl.bin

  2. 0x5200 is actually sent after fdl1 (like execfile), but writing 0x5200 without fdl1 would still break "7E 00 01"/"7E 00 02" (so that is how we find the address):

     send_file(io, fn, addr, end_data, 528);
     if (exec_addr) {
         send_file(io, execfile, exec_addr, 0, 528);
     } else {
         encode_msg(io, BSL_CMD_EXEC_DATA, NULL, 0);
         send_and_check(io);
     }
     DBG_LOG("EXEC FDL1\n");


BenEdridge commented on June 23, 2024

I believe I may have found it at 0x4f80?

(screenshot attachment)

BROM >send test.bin 0x4f70 ram 
send (16):
7e 00 01 00 08 00 00 4f 70 00 00 00 08 c2 2b 7e  |~......Op.....+~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e  |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send test.bin 0x4f80 ram 
send (17):
7e 00 01 00 08 00 00 4f 80 00 00 00 08 fd 7d 5d  |~......O......}]|
7e                                               |~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e  |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send test.bin 0x4ff8 ram 
send (16):
7e 00 01 00 08 00 00 4f f8 00 00 00 08 e2 d6 7e  |~......O.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 52 00 00 00 00 00 00 03 38 7e  |~.....R.......8~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|

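The `send (N):` / `recv (N):` hexdumps in these logs are Spreadtrum BSL frames: a 0x7E delimiter, a big-endian 16-bit type, a 16-bit length, the payload, and a CRC-16/XMODEM over type, length and payload, with any 0x7E or 0x7D inside the frame byte-stuffed as 7D 5E / 7D 5D (that is why the send to 0x4f80 is 17 bytes: its checksum ends in 0x7D). The decoder below is an added example, not code from spd_dump or from the CVE-2022-38694_unlock_bootloader repository; the command names are the ones spd_dump-style tools use (assumed labels), and the framing and CRC variant were inferred by recomputing the checksums of the captured frames. It pulls the raw frames out of a `--verbose 2` log, verifies each checksum and decodes the fields, which is what you need when reviewing a capture to tell a malformed frame from a device that has genuinely stopped answering.

```python
"""Decoder for the Spreadtrum BSL frames in the spd_dump --verbose 2 logs above.

Added example, not code from spd_dump or the CVE-2022-38694 repository.
Frame layout, inferred from the captured bytes: 7E | type u16 BE | length u16 BE |
payload | CRC-16/XMODEM u16 BE over type..payload | 7E. Inside the frame, 0x7E and
0x7D are byte-stuffed as 7D 5E and 7D 5D (see the 17-byte send to 0x4f80 above).
"""
import re
import struct

FLAG, ESC = 0x7E, 0x7D

# Command/reply names as used in spd_dump-style tools (assumed labels; the
# numeric values are what the captured frames carry).
BSL_NAMES = {
    0x0000: "BSL_CMD_CONNECT",
    0x0001: "BSL_CMD_START_DATA",
    0x0002: "BSL_CMD_MIDST_DATA",
    0x0003: "BSL_CMD_END_DATA",
    0x0004: "BSL_CMD_EXEC_DATA",
    0x0080: "BSL_REP_ACK",
    0x0081: "BSL_REP_VER",
}


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: poly 0x1021, init 0, no reflection, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def stuff(body: bytes) -> bytes:
    """Escape flag and escape bytes inside the frame body."""
    out = bytearray()
    for b in body:
        out += bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b])
    return bytes(out)


def unstuff(data: bytes) -> bytes:
    """Undo the escaping; a trailing lone ESC is a malformed frame."""
    out, it = bytearray(), iter(data)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("dangling escape byte")
            b = nxt ^ 0x20
        out.append(b)
    return bytes(out)


def encode_frame(ftype: int, payload: bytes = b"") -> bytes:
    body = struct.pack(">HH", ftype, len(payload)) + payload
    body += struct.pack(">H", crc16_xmodem(body))
    return bytes([FLAG]) + stuff(body) + bytes([FLAG])


def decode_frame(raw: bytes) -> dict:
    """Return type, name, payload and whether the CRC matches; reject bad framing."""
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing 0x7E delimiters")
    body = unstuff(raw[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short for header and CRC")
    ftype, length = struct.unpack(">HH", body[:4])
    if len(body) != 6 + length:
        raise ValueError("length field does not match frame size")
    payload, crc_rx = body[4:4 + length], struct.unpack(">H", body[4 + length:])[0]
    info = {"type": ftype, "name": BSL_NAMES.get(ftype, "UNKNOWN"), "payload": payload,
            "crc_ok": crc_rx == crc16_xmodem(body[:4 + length])}
    if ftype == 0x0001 and length == 8:   # START_DATA: target address, total size
        info["addr"], info["size"] = struct.unpack(">II", payload)
    elif ftype == 0x0081:                 # REP_VER: NUL-terminated version string
        info["version"] = payload.split(b"\0", 1)[0].decode("ascii", "replace")
    return info


HEADER = re.compile(r"^(send|recv) \(\d+\):")
HEXLINE = re.compile(r"^((?:[0-9a-f]{2} )+)\s*\|")


def frames_from_log(log: str) -> list:
    """Collect the raw bytes under each 'send (N):' / 'recv (N):' header.
    An empty entry means 'recv (0):' followed by 'timeout reached'."""
    frames, cur = [], None
    for line in log.splitlines():
        m = HEXLINE.match(line)
        if HEADER.match(line):
            if cur is not None:
                frames.append(bytes(cur))
            cur = bytearray()
        elif m and cur is not None:
            cur += bytes.fromhex(m.group(1).strip())
        elif cur is not None:          # any other line ends the current dump
            frames.append(bytes(cur))
            cur = None
    if cur is not None:
        frames.append(bytes(cur))
    return frames


# Log lines copied from the thread above: the SPRD4 handshake, the escaped
# 17-byte send to 0x4f80, and one timed-out read.
SAMPLE_LOG = """\
send (1):
7e                                               |~|
recv (20):
7e 00 81 00 0c 53 50 52 44 34 3a 41 75 74 6f 44  |~....SPRD4:AutoD|
00 fd 8b 7e                                      |...~|
CHECK_BAUD bootrom
send (8):
7e 00 00 00 00 00 00 7e                          |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send test.bin 0x4f80 ram
send (17):
7e 00 01 00 08 00 00 4f 80 00 00 00 08 fd 7d 5d  |~......O......}]|
7e                                               |~|
recv (0):
timeout reached
"""

if __name__ == "__main__":
    for raw in frames_from_log(SAMPLE_LOG):
        if len(raw) < 2:
            print("probe byte" if raw else "no reply (timeout)")
            continue
        print(decode_frame(raw))
```

Run it on any `--verbose 2` transcript: a `crc_ok` of False points at a corrupted or mis-transcribed frame, while an empty entry after a well-formed request is the "timeout reached" condition the thread uses as its stop signal.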

TomKing062 commented on June 23, 2024

ud710:

D:\UserData\Desktop\addr>spd_dump_interactive
Waiting for connection (30s)
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
BROM >verbose 2
BROM >send zero 0x3f88
send (16):
7e 00 01 00 08 00 00 3f 88 00 00 00 08 ba cc 7e  |~......?.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (0):
timeout reached

D:\UserData\Desktop\addr>spd_dump_interactive
Waiting for connection (30s)
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
BROM >verbose 2
BROM >send zero 0x3f98
send (16):
7e 00 01 00 08 00 00 3f 98 00 00 00 08 be 96 7e  |~......?.......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
SEND zero to 0x3f98
BROM >send zero 0x3f98
send (16):
7e 00 01 00 08 00 00 3f 98 00 00 00 08 be 96 7e  |~......?.......~|
recv (0):
timeout reached


BenEdridge commented on June 23, 2024

Ohh, yes, that makes more sense. So the 52 was a mistake?

Going through again with zeroes, I get "timeout reached" at around 0x4f28.

starting at 0x4f48, 0x4f38, 0x4f28:

$ ./spd_dump_interactive --verbose 2 --wait 600
Waiting for connection (600s)
libusb_control_transfer ok
send (1):
7e                                               |~|
recv (14):
7e 00 81 00 06 53 50 52 44 33 00 57 0a 7e        |~....SPRD3.W.~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
send (8):
7e 00 00 00 00 00 00 7e                          |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
CMD_CONNECT bootrom
BROM >send zero.bin 0x4f48    
send (16):
7e 00 01 00 08 00 00 4f 48 00 00 00 08 cc e8 7e  |~......OH......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send zero.bin 0x4f38
send (16):
7e 00 01 00 08 00 00 4f 38 00 00 00 08 d1 6e 7e  |~......O8.....n~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send zero.bin 0x4f28
send (16):
7e 00 01 00 08 00 00 4f 28 00 00 00 08 d5 34 7e  |~......O(.....4~|
timeout reached

starting at 0x4f28, 0x4f38, 0x4f48:

Waiting for connection (600s)
libusb_control_transfer ok
send (1):
7e                                               |~|
recv (14):
7e 00 81 00 06 53 50 52 44 33 00 57 0a 7e        |~....SPRD3.W.~|
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
send (8):
7e 00 00 00 00 00 00 7e                          |~......~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
CMD_CONNECT bootrom
BROM >send zero.bin 0x4f28    
send (16):
7e 00 01 00 08 00 00 4f 28 00 00 00 08 d5 34 7e  |~......O(.....4~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send zero.bin 0x4f38
send (16):
7e 00 01 00 08 00 00 4f 38 00 00 00 08 d1 6e 7e  |~......O8.....n~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
send (16):
7e 00 02 00 08 00 00 00 00 00 00 00 00 89 4c 7e  |~.............L~|
recv (8):
7e 00 80 00 00 3b 5a 7e                          |~....;Z~|
BROM >send zero.bin 0x4f48
send (16):
7e 00 01 00 08 00 00 4f 48 00 00 00 08 cc e8 7e  |~......OH......~|
timeout reached


TomKing062 commented on June 23, 2024

Main part done: exec_addr is 0x4f18 for normal download and 0x4ee8 for fallback download.


BenEdridge commented on June 23, 2024

Thank you @TomKing062, I will be attempting the SPL method. I've read through https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/wiki/AddSupportToModel#modify-images. Does that mean I need to compile from source and do https://github.com/TomKing062/jing_patch ?


TomKing062 commented on June 23, 2024

No need to compile.

