patch_do_cboot‐FDL1 - TomKing062/CVE-2022-38694_unlock_bootloader GitHub Wiki

Chinese version here


Part 1: modify FDL1

1.1 Patch 1: NOP (1F 20 03 D5) the verification in data_exec

track from _start to reset to main (sub_10218)


here we see a set of registers; #4 is data_exec (sub_10094). Now NOP (1F 20 03 D5) the verification in this function.

data_exec

1.2 Patch 2: change download mode (0x102) (40 20 80 52) to boot mode (0x104) (80 20 80 52)

main

1.3 Patch 3 (Android 11 and up)

| soc | sml | teecfg | trustos |
| --- | --- | --- | --- |
| (old) not ums9620, type 1 | 0x94000000 | 0x94020000 | 0x94040000 |
| (old) not ums9620, type 2 | 0x94000000 | 0x94040000 | 0x94060000 |
| (new) not ums9620 | 0xb0000000 | 0xb0040000 | 0xb0060000 |
| ums9620 | 0xbd000000 | 0xbd040000 | 0xbd060000 |

(new type and ums9620) sml needs the trustos addr and teecfg addr as parameters


so back in data_exec(), add the trustos addr and teecfg addr (the example is ums9620, a13)


1.4 Save file

Apply patch 1 to original FDL1, save as fdl1-dl.bin.

Apply patch 1 and patch 2 (and patch 3 if needed) to original FDL1, save as fdl1-boot.bin.

Part 2: modify FDL2 (uboot/lk)

Patch: do_cboot()

set_lock_status()

search for the string VerifiedBoot-UNLOCK to find set_lock_status().

get_lock_status() is just the first function after set_lock_status().

some manufacturers (e.g. ZTE, TECNO, BBK) have modified set_lock_status() or get_lock_status() to block bootloader unlocking

do_download(), dl_powerdown_device(), power_down_devices(), do_cboot()

uboot/lk without autodloader: search for the string do_download to find do_download(); you will see a set of registers, and #0x17 is dl_powerdown_device()


uboot/lk with autodloader: search for the string download mode to find download_handler, or search for reply exec act as Romcode to find autodloader_handler. Both download_handler and autodloader_handler call do_download_common; you will see a set of registers in do_download_common, and #0x17 is dl_powerdown_device()


find 00 00 00 14 (a branch to self, i.e. while(1)) in dl_powerdown_device(); the function called just before the while(1) is power_down_devices().
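The byte patterns quoted in this guide (NOP in 1.1, the 0x102/0x104 mov in 1.2, and the 00 00 00 14 loop above) are little-endian AArch64 instruction words. The decoder below is an added example, not code from the wiki or its author; it only understands the three encodings the guide relies on (NOP, MOVZ and B) and is meant for checking what a pattern means before you search for it in a disassembler. The pattern names are my own labels, and the fallback `.inst` output is the only thing it prints for anything else.

```python
"""Decode the raw AArch64 instruction words quoted in this guide.

Added example (not part of the original wiki). The hex strings are the
bytes exactly as they appear in a hex editor, i.e. little-endian order.
"""
import struct


def word_from_le_bytes(hexstr: str) -> int:
    """'40 20 80 52' (hex-editor order) -> 0x52802040."""
    return struct.unpack("<I", bytes.fromhex(hexstr.replace(" ", "")))[0]


def encode_movz(rd: int, imm16: int, shift: int = 0, is_64bit: bool = False) -> int:
    """Encode MOVZ <Wd|Xd>, #imm16{, LSL #shift}.

    shift is 0 or 16 for W registers, 0/16/32/48 for X registers.
    Layout: sf | 10 | 100101 | hw(2) | imm16(16) | Rd(5)
    """
    assert 0 <= rd < 32 and 0 <= imm16 <= 0xFFFF and shift % 16 == 0
    hw = shift // 16
    assert hw < (4 if is_64bit else 2)
    sf = 1 if is_64bit else 0
    return (sf << 31) | (0b10 << 29) | (0b100101 << 23) | (hw << 21) | (imm16 << 5) | rd


def decode(word: int) -> str:
    """Return a short disassembly for the encodings this guide relies on."""
    if word == 0xD503201F:
        return "nop"
    # MOVZ: bits 30..23 are 10 100101, bit 31 selects W (0) or X (1).
    if (word & 0x7F800000) == 0x52800000:
        sf = word >> 31
        hw = (word >> 21) & 0b11
        imm16 = (word >> 5) & 0xFFFF
        rd = word & 0x1F
        text = f"mov {'x' if sf else 'w'}{rd}, #{imm16:#x}"
        if hw:
            text += f", lsl #{hw * 16}"
        return text
    # B: 000101 followed by a signed 26-bit word offset; offset 0 is a self-loop.
    if (word & 0xFC000000) == 0x14000000:
        imm26 = word & 0x03FFFFFF
        if imm26 & (1 << 25):
            imm26 -= 1 << 26
        return f"b #{imm26 * 4}"
    return f".inst {word:#010x}"


# Labels are mine; the byte strings are the ones given in the guide.
GUIDE_PATTERNS = {
    "patch 1: NOP": "1F 20 03 D5",
    "patch 2: download mode (before)": "40 20 80 52",
    "patch 2: boot mode (after)": "80 20 80 52",
    "while(1) marker in dl_powerdown_device": "00 00 00 14",
}


def decode_guide_patterns() -> dict:
    """Map each guide pattern to its decoded instruction."""
    return {name: decode(word_from_le_bytes(h)) for name, h in GUIDE_PATTERNS.items()}


if __name__ == "__main__":
    for name, text in decode_guide_patterns().items():
        print(f"{name:40} {GUIDE_PATTERNS[name]:12} -> {text}")
```

Running it shows that patch 2 only changes the immediate of a `mov w0, #...` (0x102 to 0x104) and that 00 00 00 14 is `b #0`, a branch to itself, which is why it marks the while(1) at the end of dl_powerdown_device().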


check the xref list of power_down_devices(); usually the first function that calls power_down_devices() is do_cboot(). Remember the address of the code block in do_cboot().


the patch:

example: a9/a10 and some a11(+) without VAB layout


example: a11(+) with VAB layout: patch after boot_env_check (the #0x104 check)


apply the patch to the original FDL2, save as fdl2-cboot.bin

Part 3: get trustos images and get load address from splloader

Although 1.3 gives an address list, it is better to analyze splloader to confirm these addresses.

In splloader, _start calls reset; reset calls nand_boot/emmc_boot/ufs_boot, and that x_boot function loads the images from nand/emmc/ufs into memory and boots them.

Last thing: prepare unlock command

  1. send fdl1-dl.bin, send fdl2-dl, read_part the trustos images and chsize these images

  2. send fdl1-boot.bin, send fdl2-cboot with the trustos images; sml must be the last one sent to the device.

  3. erase userdata.