tomking062 / cve-2022-38694_unlock_bootloader
This is a one-time signature verification bypass. For persistent signature verification bypass, check https://github.com/TomKing062/CVE-2022-38691_38692
Hisense A5PRO cc root failed.
Here on Arch Linux,
./spd_dump exec_addr 0x3f48 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part teecfg 0 1M teecfg.bin read_part trustos 0 6M tos.bin read_part sml 0 1M sml.bin erase_part splloader reset
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
input >
After inputting the code from the readme, I end up with an input > asking me to input some code...
I can help debug, should you want it and I also have another Hisense device with a unisoc t610 the hisense q5, that I would like to root. So if you want my help, let me know :)
Hi, I recently purchased a Umidigi G1 max but learned that unlocking the bootloader is a pain. It uses a T610. I used the Alldocube iplay 50 files and it kind of worked so I think it's possible. (It didn't work but I was still able to reflash the original firmware so I didn't break it) I have the .pac file for the firmware and the logs from running the files mentioned above. I can provide them if needed but I am also not too sure where to start!
python2 C:\Python27\Tools\Scripts\avbtool.py add_hash_footer --image image-new.img --partition_name boot --partition_size 36700160 --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --salt 5F55215FD2302D021F850B55912ED48D176784678692DC012E054B1ECD0BE025
Traceback (most recent call last):
  File "C:\Python27\Tools\Scripts\avbtool.py", line 4417, in <module>
    tool.run(sys.argv)
  File "C:\Python27\Tools\Scripts\avbtool.py", line 4253, in run
    args.func(args)
  File "C:\Python27\Tools\Scripts\avbtool.py", line 4310, in add_hash_footer
    args.do_not_use_ab)
  File "C:\Python27\Tools\Scripts\avbtool.py", line 3041, in add_hash_footer
    image = ImageHandler(image_filename)
  File "C:\Python27\Tools\Scripts\avbtool.py", line 697, in __init__
    self._read_header()
  File "C:\Python27\Tools\Scripts\avbtool.py", line 719, in _read_header
    _) = struct.unpack(self.HEADER_FORMAT, header_bin)
struct.error: unpack requires a string argument of length 28
I already followed step 0,1,2 of the Tutorial: Android 10: https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/wiki/Magisk
but due to the error I can't create a final boot.img for root.
I uploaded the original boot.img and the repacked&magisk patched image-new.img here:
https://filebin.net/alcq7svzcl3oso9b
With the boot.img from TomKing062 I rooted the phone successfully.
However getting Google Services to work is another story unfortunately.
Even with root, Google Services are still not accessible.
I followed a tutorial to integrate google apps into the system: https://blindhelp.net/blog/how-install-google-apps-without-custom-recovery-learn-manually-install-gapps-any-chinesenon
However even with root I can't modify the hosts file (system/etc) to remove the Google-Server block.
Integrating the apps into the system also doesn't work as adb tells me that there is "no space left on device" which is not really true...
@TomKing062 thanks for helping me unlock the bootloader on tecno spark 8c! tecno_spark_8c.zip
Can you help me get boot.img from the stock firmware, since I don’t understand how to do this?
The phone has the latest firmware version "KG5n-F062RU-11.0-RU-V91-20231011", it is not available on the Internet.
Maybe somehow using adb shell or fastboot you can get boot.img?
According to the code of the tyyh2020 branch, the machine can boot into the system with unlock status. But it is not able to flash the fixed boot partition via the Magisk app in fastboot mode.
Here is the log of unlocking:
E:>spd_dump_3f88 fdl fdl1-no-verify-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part sml 0 1M sml.bin read_part trustos 0 6M tos.bin reset
Waiting for connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
SEND FDL1
EXEC FDL1
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND uboot-mod.bin
FDL2: incompatible partition
EXEC FDL2
dump_partition: sml+0x0, target: 0x100000, read: 0x100000
dump_partition: trustos+0x0, target: 0x600000, read: 0x600000
E:>chsize sml.bin
E:>chsize tos.bin
E:>spd_dump_3f88 fdl fdl1-no-verify.bin 0x5500 fdl tos.bin 0x9403fe00 fdl uboot-mod.bin 0x9efffe00 fdl sml.bin 0x93fffe00 exec
Waiting for connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
SEND FDL1
EXEC FDL1
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND tos.bin
SEND uboot-mod.bin
SEND sml.bin
usb_recv failed : LIBUSB_ERROR_PIPE
E:>spd_dump_3f88 fdl fdl1-no-verify.bin 0x5500 fdl tos.bin 0x9403fe00 fdl uboot-mod.bin 0x9efffe00 fdl sml.bin 0x93fffe00 exec
Waiting for connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
SEND FDL1
EXEC FDL1
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND tos.bin
SEND uboot-mod.bin
SEND sml.bin
usb_recv failed : LIBUSB_ERROR_PIPE
E:>spd_dump_3f88 fdl fdl1-no-verify-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec erase_part uboot_log write_part userdata userdata.bin reset
Waiting for connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
SEND FDL1
EXEC FDL1
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND uboot-mod.bin
FDL2: incompatible partition
EXEC FDL2
Answer "yes" to confirm the "erase partition" command: yes
file size : 0x2413c
Answer "yes" to confirm the "write partition" command: yes
unexpected response (0xffffffff)
load_partition: userdata, target: 0x2413c, written: 0x24000
usb_send failed : LIBUSB_ERROR_TIMEOUT
Hello! I'm attempting to install the drivers on a Hisense A5 Pro CC, but I'm having issues booting into Download Mode. Using the button combos, I've only managed to get Safe Mode, Recovery Mode, and a classic reboot. Using ADB, running adb reboot download does a classic reboot, and adb reboot bootloader brings up FastBoot Mode.
FastBoot seems the most promising, but I'm hesitant because of the USB ID mismatch. Instead of getting 1782 4d00 for Download Mode, I'm getting 18d1 4ee0 for FastBoot Mode. Will this still be a valid method? If not, could you provide more detailed instructions for booting into Download Mode specifically? Thanks so much!
I used your ums9230_alldocube50mini unlocking tool to unlock the bootloader on my Alldocube iPlay 50 mini (T811) tablet. It kind of worked - during boot up there is now a warning message about the device being unlocked, and the tablet itself still functions properly. However, when I put the tablet into bootloader mode, I am unable to flash a new vbmeta image. The writing process just hangs and does nothing.
I also tried installing the AOSP 13/14 GSI using the DSU and Shizuku/ADB tools. The installation process reported completing successfully, but after rebooting, the tablet fails to load the B system partition and instead falls back to the A partition. During boot up, I see a black screen before the tablet reboots back into the original stock firmware.
This makes me think that maybe the bootloader is not fully unlocked, if that is possible.
I have a sp9832e device and the relevant stock fdl1, fdl2, spl and uboot img files. I also have the device XML file containing details on partition layout.
I've attempted to patch fdl1 and fdl2 files but not 100% sure I'm doing it correctly. I believe I also need to create a custom_exec file as per: https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/wiki/AddSupportToModel
Is it possible on this device or am I wasting my time?
Hello, is there a way to unlock the bootloader of a ZTE Blade A31 Lite RU P932f21
My device is "2021". Thank you for your tutorial. I successfully unlocked the bootloader, but I encountered a problem in step 2 of Magisk. I don't know how to obtain the original boot.img, so I cannot patch it and get the magisk_patched-*.img
Can you help me? Thanks.
I tried to install Google Services using the Magisk-module LiteGapps but it gave me a bootloop.
Is there another Module which works with the phone? There doesn't seem to be too much around for Android 10...
Hello, I ran into some problems while modifying uboot. The manufacturer seems to have hidden functions like reboot_devices, so I don't know how to modify it to forcibly unlock the bootloader. If possible, could you look into it? I have uploaded the spl and uboot files that I extracted from the upgrade package.
Does it work for Nokia C21/TA-1352 and on linux? (Unisoc SC9863A)
sign patched boot with avbtool or you will stuck at bootlogo
It cannot be installed directly: you must choose "select and patch a file", then sign it with avbtool; only a signed boot will not get stuck at the boot logo.
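The avbtool traceback earlier on this page and the remark just above that a patched boot must be signed with avbtool both come down to what avbtool reads from the image file: first a 28-byte Android sparse-image header (the unpack that failed in the traceback), and, on an image that has already been through add_hash_footer, a 64-byte AVB footer at the very end. The script below is an added example written for this page; it is not code from the repository or from avbtool. It inspects an image using the same struct layouts avbtool uses, reports an empty or truncated file instead of crashing on it, and says whether the image already carries an AVB footer that points at a plausible vbmeta blob. The sample image it builds is constructed (dummy payload, fake vbmeta blob) and is not a real boot image.

```python
import struct

# Android sparse-image header. avbtool's ImageHandler._read_header unpacks
# exactly these 28 bytes first to decide whether the input is sparse; the
# Python 2 message "unpack requires a string argument of length 28" is what
# you get when the file is shorter than that, i.e. empty or truncated.
SPARSE_HEADER_FORMAT = "<I4H4I"
SPARSE_HEADER_SIZE = struct.calcsize(SPARSE_HEADER_FORMAT)  # 28
SPARSE_MAGIC = 0xED26FF3A

# AVB footer written by "avbtool add_hash_footer": the last 64 bytes of the
# image. Layout: magic "AVBf", version major/minor, original image size,
# offset and size of the embedded vbmeta blob, 28 reserved bytes.
AVB_FOOTER_FORMAT = "!4s2LQQQ28x"
AVB_FOOTER_SIZE = struct.calcsize(AVB_FOOTER_FORMAT)  # 64
AVB_FOOTER_MAGIC = b"AVBf"
VBMETA_MAGIC = b"AVB0"  # magic at the start of a vbmeta header


def is_sparse_image(data: bytes) -> bool:
    """True if the image starts with an Android sparse-image header."""
    if len(data) < SPARSE_HEADER_SIZE:
        return False
    magic = struct.unpack_from(SPARSE_HEADER_FORMAT, data, 0)[0]
    return magic == SPARSE_MAGIC


def parse_avb_footer(data: bytes):
    """Return the AVB footer fields, or None if the image carries no footer."""
    if len(data) < AVB_FOOTER_SIZE:
        return None
    fields = struct.unpack_from(AVB_FOOTER_FORMAT, data, len(data) - AVB_FOOTER_SIZE)
    magic, major, minor, orig_size, vbmeta_off, vbmeta_size = fields
    if magic != AVB_FOOTER_MAGIC:
        return None
    body_end = len(data) - AVB_FOOTER_SIZE
    # The vbmeta blob must sit after the original payload and before the
    # footer, and must itself begin with the vbmeta header magic.
    consistent = (
        orig_size <= vbmeta_off
        and vbmeta_off + vbmeta_size <= body_end
        and data[vbmeta_off:vbmeta_off + 4] == VBMETA_MAGIC
    )
    return {
        "version": (major, minor),
        "original_image_size": orig_size,
        "vbmeta_offset": vbmeta_off,
        "vbmeta_size": vbmeta_size,
        "consistent": consistent,
    }


def inspect_image(data: bytes) -> dict:
    """Summarise what avbtool would see when handed this image."""
    footer = parse_avb_footer(data)
    return {
        "size": len(data),
        "too_short_for_avbtool": len(data) < SPARSE_HEADER_SIZE,
        "sparse": is_sparse_image(data),
        "has_avb_footer": footer is not None,
        "footer": footer,
    }


def build_sample_image(partition_size=8192, payload_size=1000, vbmeta_size=256) -> bytes:
    """Constructed sample, not a real boot image: dummy payload, a fake
    vbmeta blob at offset 4096, and a real-layout AVB footer at the end."""
    vbmeta_off = 4096
    body = bytearray(partition_size - AVB_FOOTER_SIZE)
    body[:payload_size] = b"\xAA" * payload_size
    body[vbmeta_off:vbmeta_off + 4] = VBMETA_MAGIC
    footer = struct.pack(AVB_FOOTER_FORMAT, AVB_FOOTER_MAGIC, 1, 0,
                         payload_size, vbmeta_off, vbmeta_size)
    return bytes(body) + footer


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_image(f.read()))
    else:
        print(inspect_image(build_sample_image()))
        print(inspect_image(b""))  # the empty-file case behind the traceback
```

Run it with the path of image-new.img as the argument: too_short_for_avbtool being True on that file is the condition behind the struct.error in the traceback (the patched image was empty or truncated, so it needs to be regenerated before signing), and has_avb_footer being False on a Magisk-patched image is exactly the state the remark above warns about. The script only reads; producing the footer still requires avbtool and the signing key.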
If I use my own saved boot.img in another Magisk-patched backup, can it be flashed directly?
Or do I need to sign it with avbtool as you said?
I have a Hisense A7 running on Android 10, and I first unlocked the bootloader on Windows 11 with no problems, but then got stuck at extracting boot.img. The terminal returns a 'bad command args' error and so I searched the closed issues list to find a solution until I stumbled upon using 'adb reboot autodloader', then desperately ran it only to find my phone frozen and unresponsive. I then checked #6 and got to the step of installing libusbK using Zadig but am not sure what to do next, the 3 commands seemed to be phone specific. Please advise what to do to save the phone. Thanks a lot.
Hi again,
I successfully unlocked my bootloader and now I am trying to flash Google's GSI. When I try to flash vbmeta it hangs. I'm assuming it's because it needs to be signed? Or do I need to flash the stock vbmeta? Do I need to flash in a partition slot (a/b)? I tried using the Magisk tutorial as a guide but that is for boot.img.
Thank you so much for your help!!
Upgrading to Magisk 26.3 bricks the phone. So take care with it. Do you know if there is any solution other than hard resetting the phone and losing all the data?
I have the ZTE Blade A5 2019, it is unisoc SC9863A. I was able to root it by flashing a prerooted gsi, now I would like to unlock bootloader. The thing now is: if I flash the edited images with dd will this method work for my device? I mean I don't need to hack download mode as I can flash partitions with dd, that said with root would this method be applicable to my device? I can provide all the firmware images that you may need if necessary.
I'm currently stuck trying to get fastboot commands to work properly. I've successfully booted into fastbootd (yes, with a d at the end) with the adb reboot fastboot command, but at that point, none of the following commands work. The only response I get with them is < waiting for any device >. Not sure why it can't find it yet, but I've been unable to run anything with fastboot throughout this whole process. Any ideas why that might be?
Hi,
I blindly tried the iplay50 mini binary, and of course it did not work for an iplay 50 (T1030).
The log:
[2023-10-13 15:55:36:945] ===============================D:\alldocube50mini\spd_dump.exe
[2023-10-13 15:55:46:377] Write: Call GetOverlappedResult() fail, [ErrorCode: 0x00000079].
Any chance to add support to this device?
Thanks.
Hello everyone,
I attempted to root my Hisense A5 Pro, but unfortunately, the process went awry, and now my device is bricked. I used ums512_hisense_a5pro for rooting, and my operating system version is the latest.
I followed the instructions in an article, and when it came to entering commands, I attempted the ones provided in the article. However, the command prompt displayed custom_exec_no_verify_3f48.bin does not exist.
Subsequently, I ran unlock.bat and, after holding down the volume up and power buttons for 10 seconds, connected the phone. After inputting several "yes" responses, the command prompt window closed following the execution of the last command. Unfortunately, my phone showed no response. I have tried repeating the steps mentioned above, including holding down the volume up and power buttons, but the phone remains unresponsive. I also attempted to access the 9008 mode by removing the back cover, but I couldn't locate any touchpoints near the flashlight.
Could anyone provide guidance or suggestions on how to recover my Hisense A5 Pro?
Thank you for your assistance!
Sorry for my poor English; this was translated by ChatGPT.
After executing the last line mentioned above, the terminal closed on its own.
Hello Sir,
is it possible to add an appropriate "how to" tutorial for the average PC user with basic hardware knowledge?
So I could finally perform a bootloader unlock on my Nokia T20 with Unisoc ums512.
Thanks
( ( clear ) && ( ( yes yes ) | "./spd_dump" keep_charge 1 fdl "./DownloadFiles/fdl1-sign.bin" 0x00005000 fdl "./DownloadFiles/fdl2-sign.bin" 0x9EFFFE00 erase_part user_partition power_off ) )
Waiting for connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
SEND FDL1
EXEC FDL1
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND ./DownloadFiles/fdl2-sign.bin
Answer "yes" to confirm the "erase partition" command: timeout reached
Is it possible to add support for this sp9832e_1h10_gofu PoS device? What may I need to send you to help?
Can I use this safely on a Realme Narzo 50i / RMX3235?
My A7CC USB ID "0x1782 0xd001" differs from info/spreadtrum_flash-main_exec/spd_dump.c line 1028 "0x1782, 0x4d00". So I get the error below:
D:\hisense_a7cc>spd_dump exec_addr 0x3f88 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part teecfg 0 1M teecfg.bin read_part trustos 0 6M tos.bin read_part sml 0 1M sml.bin erase_part splloader reset
Waiting for connection (30s)
libusb_open_device failed
After changing the source code USB ID:
//device = libusb_open_device_with_vid_pid(NULL, 0x1782, 0x4d00);
device = libusb_open_device_with_vid_pid(NULL, 0x1782, 0xd001);
Get error:
$ ./spd_dump exec_addr 0x3f88 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part teecfg 0 1M teecfg.bin read_part trustos 0 6M tos.bin read_part sml 0 1M sml.bin erase_part splloader reset
libusb_control_transfer ok
usb_recv failed : LIBUSB_ERROR_PIPE
PS: source code compiled in a Cygwin environment.
Next I will try rebuilding from the spreadtrum_flash project, as suggested:
https://github.com/ilyakurdyukov/spreadtrum_flash
I want to ask if it's possible to make compatible the ZTE Blade V40 Design with bootloader unlock. I can send firmware if it's needed
Using "make" in spreadtrum_flash ends up with this error:
cc -s -O2 -Wall -Wextra -std=c99 -pedantic -Wno-unused -DUSE_LIBUSB=1 -o spd_dump spd_dump.c common.c -lusb-1.0
/usr/lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/bin/ld: /tmp/ccAyzaHW.o: in function «main»:
spd_dump.c:(.text.startup+0x6e9): undefined reference to `pow'
/usr/lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/bin/ld: spd_dump.c:(.text.startup+0x71a): undefined reference to `pow'
/usr/lib64/gcc/x86_64-suse-linux/13/../../../../x86_64-suse-linux/bin/ld: spd_dump.c:(.text.startup+0x744): undefined reference to `pow'
collect2: error: ld execution terminated with return code 1
make: *** [Makefile:19: spd_dump] Error 1
I use openSUSE Tumbleweed; all required libraries including libusb are installed.
A7CC stuck at bootlogo screen up right: "INFO: LOCK FLAG IS: UNLOCK!!!" center: "Hisense" and bottom:"Powered by Android".
Why it is stuck:
Step 1. Finish unlock following the steps in 解锁教程 | Unlock
Step 2. Install the Magisk app.
Step 3. Run the Magisk app; the app asks to install the missing part and reboot.
Step 4. After the reboot the device is successfully rooted, checked by "adb shell su".
Up to the end of step 4 everything is fine.
Step 5. Run Magisk, select Magisk install and select install; then the A7CC gets stuck at the bootlogo screen.
I think step 5 installs an unsigned patched boot. May I use the command below to rewrite the boot?
spd_dump exec_addr 0x3f88 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec write_part boot image-new.img reset
Or is there a way to jump from bootloader mode to fastboot mode to rewrite boot via 面具 | Magisk step 4?
Hey, I was wondering if it's possible to check directly on fdl1, fdl2, uboot, spl or on another file if it's affected by that CVE exploit to allow bootloader unlock ?
Hey, I would like to know whether it is possible to check fdl1, fdl2, uboot, spl or another file directly to see whether it is affected by this CVE exploit, allowing the bootloader to be unlocked?
Sorry if my Chinese translation is bad
Dear TomKing,
Thank you! Your advice was very helpful.
However, There are some parts I don't understand. I would like to know how your csv* came out.
*CVE-2022-38694_unlock_bootloader/ums512/stack-info-ums512.csv
I'm interested in your data, so I'm trying it out on my own chipset.
It is "Unisoc SC9863A".
I like your materials so much that my studies are going well.
My goal is to complete your tutorial(UNLOCK FDL1 method) targeting this chipset.
I desperately need your help.
Best regards!
With all spd_dump commands, all I get is this error message:
.\spd_dump exec_addr 0x3f48 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec write_part uboot uboot-mod.bin erase_part splloader reset
libusb_control_transfer ok
CHECK_BAUD FAIL
CHECK_BAUD FAIL
CHECK_BAUD FAIL
CHECK_BAUD FAIL
Also my phone froze to death. Any solutions?
Hi, I just wanted to ask: you have listed in your unlock manual to put your device into download mode, but as far as I know Realme does not have a download mode, only recovery mode, fastbootD mode and fastboot mode, so I was wondering which one is the same as download mode.
"How did you load the fdl1 binary file into IDA in the tutorial?"
I don't understand about loading binary file.
Thank you.
Good day to you.
Thank you very much for your help in unlocking the ZTE blade a51 smartphone (sc9863a)
Please tell me: is the boot.img signature for sc9863a (Android 11+) similar to ums9230 Unisoc T606 (Android 11+), or are there other methods?
Thank you very much for your reply.
Good luck to you.
Hello!
I attempted unlocking the bootloader of my Q5 using this tool but now can't exit out of the download mode.
While the batch file was executing I did see that "chsize spl.bin" returned "The file is not sprd trusted firmware", so I'm guessing it was a bad dump, but since the first command already erased splloader I couldn't really do much anymore.
What can I do in this situation to fix my tablet? Would I need a spl dump from someone else? If so how could I get one?
Hello @TomKing062, thank you for the work that you've been doing. After entering the following command:
spd_dump exec_addr 0x3f28 fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec erase_part uboot_log write_part splloader spl.bin timeout 100000 write_part userdata userdata.bin reset
I get this error message: "fopen (load) failed"
In the previous command spd_dump exec_addr 0x3f28 fdl fdl1-boot.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 fdl teecfg.bin 0x9401fe00 fdl tos.bin 0x9403fe00 fdl sml.bin 0x93fffe00 exec
I got the message "usb_recv failed: LIBUSB_ERROR_IO" but I continued with the next command because I saw that other user got it to work.
Everything else seemed to work fine and I already got the boot.img file in the folder; the phone just doesn't restart normally so I can install Magisk and patch the image. Do you know anything about those errors? I tried copying every different file into the same folder and using different drivers.
Thank you in advance!
hello developer can i have your help unlocking my unisoc phone i really need to unlock my bootloader. tysm
I see you have all the supported devices combination, and that you also just updated the page with a iplay50 mini zip file. Do you have the button combination used so I can unlock my iplay50 mini bootloader?
Moto E30 has a Unisoc T700 and the OEM unlock feature, but it doesn't work when trying to unlock the bootloader.
Making an automatic upgrade from Magisk 26.1 to Magisk 26.3 leads to a phone brick.
Is there any way to upgrade Magisk without losing phone data?
Hello. I have a request for you. I have a ZTE Blade A31 smartphone (sc9863a 1h10_go_32b platform) Android 11 go. I'm not good at programming. May I ask you, if possible, to help me unlock the bootloader. I am attaching files for my smartphone. Thank you very much if you can help me.
ZTE Blade A31 (sc9863a).zip
Good afternoon, I ask you for help in unlocking the ZTE Blade A51 bootloader.
I am not very literate in the field of programming. I spent a lot of time reading and experimenting, but I couldn't get the desired effect.
I am attaching the files FDL1-2, u-boot-spl-16k-sign.bin
I really hope that you can help me a little.
Thank you in advance!
A51RU_v1.2.zip
Good afternoon to you.
Please tell me:
Smartphone ZTE Blade A51 (SC9863A). Android 11
The bootloader is unlocked. I was able to sign the corrected boot.img according to your instructions, and if I flash boot.img on your command, the firmware will happen. But the wizard does not see the roots. If I insert boot.img into slot a/b, bootloop occurs.
Please tell me where the mistake is in my actions.
I am grateful in advance.
Thanks
Good luck to you.