patch_do_cboot-SPL (TomKing062/CVE-2022-38694_unlock_bootloader GitHub Wiki)

Chinese version: see here.

SPL is only started in fallback download mode.


Part 1: modify FDL1, save modified fdl1 as fdl1-dl.bin

Follow the code from _start to reset and then to main (sub_10218).


Here you see a table of registered handlers; #4 is data_exec (sub_10094). NOP (1F 20 03 D5) the verification in this function.

(screenshot: data_exec)

Part 2: modify FDL2(uboot/lk)

2.1 Patch 1: do_cboot()

(screenshot: set_lock_status())

Search for the string VerifiedBoot-UNLOCK to find set_lock_status().

get_lock_status() is simply the first function after set_lock_status().

Some manufacturers (e.g. ZTE, TECNO, BBK) modified set_lock_status() or get_lock_status() to block bootloader unlocking.

do_download(), dl_powerdown_device(), power_down_devices(), do_cboot()

uboot/lk without autodloader: search for the string do_download to find do_download(); you will see a table of registered handlers, where #0x17 is dl_powerdown_device().


uboot/lk with autodloader: search for the string download mode to find download_handler, or search for reply exec act as Romcode to find autodloader_handler. Both download_handler and autodloader_handler call do_download_common; in do_download_common you will see a table of registered handlers, where #0x17 is dl_powerdown_device().


Find 00 00 00 14 (the while(1) loop, i.e. an AArch64 B to itself) in dl_powerdown_device(); the function called right before the while(1) is power_down_devices().


Check the xref list of power_down_devices(); usually the first function that calls power_down_devices() is do_cboot(). Note the address of the code block in do_cboot().


The patch:

Example: a9/a10 and some a11(+) without vab layout


Example: a11(+) with vab layout: patch after boot_env_check (the #0x104 check)


2.2 Patch 2: NOP write check of secure partitions

Search for the string sml; in the results, find code like LDR Xm, [Xn],#8 ; "sml". Patch this function so that the check is disabled and it simply returns 1.

(screenshot: _check_secure_part)

2.3 Save file

Apply patch 1 to the original FDL2 and save it as fdl2-cboot.bin; apply patch 2 to the original FDL2 and save it as fdl2-dl.bin.

Part 3: modify SPL, save modified spl as spl-unlock.bin

Old type

(screenshot: nand_boot_1)

SPL loads images A, B, C and D and verifies them; if verification fails, it reloads A, B, C and D from A_bak, B_bak, C_bak and D_bak and verifies again.

(screenshot: nand_boot_2)

(Modify BL secboot_init to B loc_F230; 0xF230 is the address of the CMP W19, WZR after BL update_swVersion.)

So nand_boot is patched to just load the images, skip verification, and execute them directly.

New type

In nand_boot(), NOP the signcheck() calls and the checks of their results.


Usually there are 4 signcheck() calls in nand_boot().
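The two SPL modifications in this part (a BL call to the verifier turned into a NOP, or redirected to a plain B past the check) are exactly what an integrity check on an image read back from a device should look for. The following Python is an added example, not code from this repository: it decodes the AArch64 B/BL/NOP encodings and diffs a reference image against a device image, reporting every verification call site that changed. The sample images, the base address 0xF000 and the call targets are constructed for illustration.

```python
"""Detect tampered BL call sites in an AArch64 bootloader image by diffing a
reference image against one read back from a device. Added example, not the
repository's code; the sample images below are constructed."""
import struct

NOP = 0xD503201F  # AArch64 NOP, i.e. bytes 1F 20 03 D5 in little-endian order

def decode(word: int, pc: int):
    """Return (mnemonic, branch_target) for NOP, B and BL; anything else is ("OTHER", None)."""
    if word == NOP:
        return "NOP", None
    op = word >> 26
    if op in (0b000101, 0b100101):            # B = 0x14xxxxxx, BL = 0x94xxxxxx
        imm26 = word & 0x03FFFFFF
        if imm26 & 0x02000000:                # imm26 is signed, in units of 4 bytes
            imm26 -= 1 << 26
        return ("BL" if op == 0b100101 else "B"), pc + imm26 * 4
    return "OTHER", None

def find_tampered_calls(reference: bytes, device: bytes, base: int) -> list:
    """List every BL in `reference` whose word differs in `device`, with what replaced it."""
    if len(reference) != len(device):
        raise ValueError("images must be the same size to compare call sites")
    findings = []
    for off in range(0, len(reference) - 3, 4):
        pc = base + off
        ref_word = struct.unpack_from("<I", reference, off)[0]
        dev_word = struct.unpack_from("<I", device, off)[0]
        mnemonic, target = decode(ref_word, pc)
        if mnemonic != "BL" or ref_word == dev_word:
            continue                           # not a call, or untouched
        now, new_target = decode(dev_word, pc)
        findings.append({"pc": pc, "orig_target": target, "now": now, "new_target": new_target})
    return findings

# Constructed 4-instruction sample at 0xF000: two verification calls, a result
# check, and the trailing `b .` loop (00 00 00 14) mentioned in the wiki.
BASE = 0xF000
REFERENCE = struct.pack("<4I",
    0x94000040,   # bl 0xF100    (call #1, e.g. a signcheck)
    0x6B1F027F,   # cmp w19, wzr (result check)
    0x9400007E,   # bl 0xF200    (call #2)
    0x14000000)   # b .          (while(1))
TAMPERED = struct.pack("<4I",
    NOP,          # call #1 replaced by NOP      (the "new type" modification)
    0x6B1F027F,
    0x1400008A,   # call #2 turned into b 0xF230 (the "old type" modification)
    0x14000000)

if __name__ == "__main__":
    for f in find_tampered_calls(REFERENCE, TAMPERED, BASE):
        tail = f" -> {f['new_target']:#x}" if f["new_target"] is not None else ""
        print(f"{f['pc']:#x}: bl {f['orig_target']:#x} is now {f['now']}{tail}")
```

Run against a real SPL/FDL this reports only call sites that changed, so a stock image compared with itself yields nothing, while the two patch styles above show up as NOP and as a B with its new target.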

Last thing: prepare unlock command

  1. (normal download) Send fdl1-dl.bin, send fdl2-dl.bin, write fdl2-cboot.bin to uboot, erase splloader.

  2. (fallback download) Send spl-unlock.bin.

  3. (fallback download) Send fdl1-dl.bin, send fdl2-dl.bin, write the official uboot back, write the official splloader back, erase userdata.