CVE-2022-38694: Unlocking the Bootloader on UNISOC Devices

A few months ago I picked up a second-hand international version of the Alldocube iPlay 50 (Unisoc T618, 4GB RAM). The stock system is far too sluggish, so I decided to unlock the bootloader first.

Tutorial

I don't have a Windows environment, so I used Ubuntu:

sudo apt-get install build-essential libusb-1.0-0-dev git
git clone --recursive https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader.git
cd CVE-2022-38694_unlock_bootloader
gcc chsize.c -o chsize
gcc gen_spl-unlock.c -o gen_spl-unlock
gcc gen_spl-unlock-legacy.c -o gen_spl-unlock-legacy
cd spreadtrum_flash
make

This produces the binaries chsize, gen_spl-unlock and spd_dump.

Download the firmware package for your device from the Releases page (I used this one), then extract it.

Copy the chsize, gen_spl-unlock and spd_dump binaries you just built into the root of the extracted folder.

Create the following script (unlock.sh):

#!/bin/bash

# Check whether a signed SPL already exists
if [ ! -f "u-boot-spl-16k-sign.bin" ]; then
    # First run: read the original data and prepare the unlock files
    ./spd_dump --wait 300 exec_addr 0x3ee8 fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec r splloader r uboot e splloader e splloader_bak reset

    echo "(这是提示而非错误) 如果看到 'find port failed',请直接关闭并重新运行此脚本。"
    read -p "按回车键继续..."

    ./gen_spl-unlock splloader.bin

    # Check whether the previous command succeeded (equivalent to !errorlevel! equ 0 in the batch original)
    if [ $? -eq 0 ]; then
        mv "splloader.bin" "u-boot-spl-16k-sign.bin"
        ./chsize uboot.bin
        mv uboot.bin uboot_bak.bin
    fi
    read -p "按回车键继续..."
else
    # The signed file already exists: go straight to erasing
    ./spd_dump --wait 300 exec_addr 0x3ee8 fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec e splloader e splloader_bak reset
    echo "(这是提示而非错误) 如果看到 'find port failed',请直接关闭并重新运行此脚本。"
    read -p "按回车键继续..."
fi

# Write cboot
./spd_dump --wait 300 exec_addr 0x3ee8 fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec w uboot fdl2-cboot.bin reset

echo "等待 10 秒供设备响应..."
sleep 10

# Perform the unlock (may need to be run twice)
./spd_dump exec_addr 0x3ee8 fdl spl-unlock.bin 0x5500

# Check the unlock state (64 zero bytes = still locked; a 32-character string + hash = unlocked)
./spd_dump exec_addr 0x3ee8 fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec verbose 2 read_part miscdata 8192 64 m.bin reset
read -p "检查 m.bin 后按回车键继续..."

# Restore SPL and U-Boot
./spd_dump exec_addr 0x3ee8 fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec r boot w splloader u-boot-spl-16k-sign.bin w uboot uboot_bak.bin w misc misc-wipe.bin reset

read -p "脚本执行完毕。按回车键退出..."

It must be run as root:

sudo ./unlock.sh

Then press the key combination (on the iPlay 50: hold Power + Volume Up for 7 seconds).
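The script pauses and asks you to inspect m.bin by hand (64 zero bytes means the bootloader is still locked). The helper below does that check mechanically; it is an added example, not code from the original post or from the CVE-2022-38694_unlock_bootloader project, and it assumes only coreutils (wc, od, tr) and the 64-byte m.bin that the script's read_part command produces.

```bash
#!/bin/bash
# Added example, not part of the original post or the unlock_bootloader repo.
# Interprets the 64 bytes that the script's `read_part miscdata 8192 64 m.bin`
# step dumps: per the script's comment, 64 zero bytes means the bootloader is
# still locked, anything else means the unlock record has been written.
# Assumes only coreutils (wc, od, tr).

# Print "locked", "unlocked" or "invalid" for the given m.bin and return
# 1, 0 or 2 respectively, so it can drive a scripted decision.
check_unlock_state() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "invalid"
        return 2
    fi
    # read_part requested exactly 64 bytes; any other size means the dump
    # did not complete and must not be interpreted as a state.
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne 64 ]; then
        echo "invalid"
        return 2
    fi
    # Hex-dump every byte, then delete spaces, newlines and '0' digits.
    # Only a byte other than 0x00 leaves a non-zero hex digit behind.
    nonzero=$(od -An -v -tx1 "$file" | tr -d ' \n0')
    if [ -z "$nonzero" ]; then
        echo "locked"
        return 1
    fi
    echo "unlocked"
    return 0
}

# Side-by-side hex and ASCII view, so a state string (if present) is readable.
show_dump() {
    od -An -v -tx1 -c "$1"
}

# Usage (hypothetical file name): ./check_mbin.sh m.bin
# With no arguments the file only defines the functions.
if [ $# -gt 0 ]; then
    show_dump "$1"
    check_unlock_state "$1"
fi
```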

chao@pearfish:~/ums512_alldocube_iplay_50_EN_20230801$ sudo ./unlock.sh
branch:HEAD, sha1:f2fc779210d9e4b5ca1904c79a49cc5e114b58f3
Waiting for dl_diag connection (300s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
current exec_addr is 0x3ee8
SEND fdl1-dl.bin to 0x5500
SEND custom_exec_no_verify_3ee8.bin to 0x3ee8
EXEC FDL1
usb_recv failed : LIBUSB_ERROR_TIMEOUT
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND fdl2-dl.bin to 0x9efffe00
FDL2: incompatible partition
EXEC FDL2
usb_recv failed : LIBUSB_ERROR_TIMEOUT
DISABLE_TRANSCODE
Reading Partition List
[===== ] 12.5%
[========== ] 25.0%
[=============== ] 37.5%
[==================== ] 50.0%
[========================= ] 62.5%
[============================== ] 75.0%
[=================================== ] 87.5%
[========================================] 100.0%
Read Part Done: user_partition+0x0, target: 0x8000, read: 0x8000
0 splloader 256KB
1 prodnv 10MB
2 miscdata 1MB
3 misc 1MB
4 trustos_a 6MB
5 trustos_b 6MB
6 sml_a 1MB
7 sml_b 1MB
8 uboot_a 3MB
9 uboot_b 3MB
10 uboot_log 4MB
11 logo 8MB
12 fbootlogo 8MB
13 l_fixnv1_a 2MB
14 l_fixnv2_a 2MB
15 l_fixnv1_b 2MB
16 l_fixnv2_b 2MB
17 l_runtimenv1 2MB
18 l_runtimenv2 2MB
19 gnssmodem_a 1MB
20 gnssmodem_b 1MB
21 wcnmodem_a 10MB
22 wcnmodem_b 10MB
23 persist 2MB
24 l_modem_a 25MB
25 l_modem_b 25MB
26 l_deltanv_a 1MB
27 l_deltanv_b 1MB
28 l_gdsp_a 10MB
29 l_gdsp_b 10MB
30 l_ldsp_a 20MB
31 l_ldsp_b 20MB
32 l_agdsp_a 6MB
33 l_agdsp_b 6MB
34 l_cdsp_a 1MB
35 l_cdsp_b 1MB
36 pm_sys_a 1MB
37 pm_sys_b 1MB
38 teecfg_a 1MB
39 teecfg_b 1MB
40 hypervsior_a 10MB
41 hypervsior_b 10MB
42 boot_a 64MB
43 boot_b 64MB
44 vendor_boot_a 100MB
45 vendor_boot_b 100MB
46 init_boot_a 8MB
47 init_boot_b 8MB
48 dtb_a 8MB
49 dtb_b 8MB
50 dtbo_a 8MB
51 dtbo_b 8MB
52 super 5600MB
53 cache 100MB
54 vbmeta_a 1MB
55 vbmeta_b 1MB
56 metadata 16MB
57 sysdumpdb 10MB
58 vbmeta_system_a 1MB
59 vbmeta_system_b 1MB
60 vbmeta_vendor_a 1MB
61 vbmeta_vendor_b 1MB
62 vbmeta_system_ext_a 1MB
63 vbmeta_system_ext_b 1MB
64 vbmeta_product_a 1MB
65 vbmeta_product_b 1MB
66 vbmeta_odm_a 1MB
67 vbmeta_odm_b 1MB
68 avbmeta_rs_a 1MB
69 avbmeta_rs_b 1MB
70 common_rs1_a 8MB
71 common_rs1_b 8MB
72 common_rs2_a 16MB
73 common_rs2_b 16MB
74 userdata 53243MB
standard gpt table saved to pgpt.bin
skip saving sprd partition list packet
partition list saved to partition_1772917064.xml
Total number of partitions: 74
Storage is emmc
ENABLE_WRITE_RAW_DATA
Device is using slot b
[========= ] 24.2%
[=================== ] 48.4%
[============================= ] 72.7%
[====================================== ] 96.9%
[========================================] 100.0%
Read Part Done: splloader+0x0, target: 0x40000, read: 0x40000
[= ] 4.0%
[== ] 6.1%
[=== ] 8.1%
[==== ] 10.1%
[===== ] 14.1%
[====== ] 16.1%
[======= ] 18.2%
[======== ] 20.2%
[========= ] 24.2%
[========== ] 26.2%
[=========== ] 28.3%
[============ ] 30.3%
[============= ] 34.3%
[============== ] 36.3%
[=============== ] 38.3%
[================ ] 40.4%
[================= ] 44.4%
[================== ] 46.4%
[=================== ] 48.4%
[==================== ] 50.5%
[===================== ] 54.5%
[====================== ] 56.5%
[======================= ] 58.5%
[======================== ] 60.5%
[========================= ] 62.6%
[========================== ] 66.6%
[=========================== ] 68.6%
[============================ ] 70.6%
[============================= ] 72.7%
[============================== ] 76.7%
[=============================== ] 78.7%
[================================ ] 80.7%
[================================= ] 82.7%
[================================== ] 86.8%
[=================================== ] 88.8%
[==================================== ] 90.8%
[===================================== ] 92.8%
[====================================== ] 96.9%
[======================================= ] 98.9%
[========================================] 100.0%
Read Part Done: uboot_b+0x0, target: 0x300000, read: 0x300000
Erase Part Done: splloader
Erase Part Done: splloader_bak
(这是提示而非错误) 如果看到 'find port failed',请直接关闭并重新运行此脚本。
按回车键继续...
0xf9f4
0xdb1f4
按回车键继续...
branch:HEAD, sha1:f2fc779210d9e4b5ca1904c79a49cc5e114b58f3
Waiting for dl_diag connection (300s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
current exec_addr is 0x3ee8
SEND fdl1-dl.bin to 0x5500
SEND custom_exec_no_verify_3ee8.bin to 0x3ee8
EXEC FDL1
usb_recv failed : LIBUSB_ERROR_TIMEOUT
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND fdl2-dl.bin to 0x9efffe00
FDL2: incompatible partition
EXEC FDL2
usb_recv failed : LIBUSB_ERROR_TIMEOUT
DISABLE_TRANSCODE
Reading Partition List
[===== ] 12.5%
[========== ] 25.0%
[=============== ] 37.5%
[==================== ] 50.0%
[========================= ] 62.5%
[============================== ] 75.0%
[=================================== ] 87.5%
[========================================] 100.0%
Read Part Done: user_partition+0x0, target: 0x8000, read: 0x8000
0 splloader 256KB
1 prodnv 10MB
2 miscdata 1MB
3 misc 1MB
4 trustos_a 6MB
5 trustos_b 6MB
6 sml_a 1MB
7 sml_b 1MB
8 uboot_a 3MB
9 uboot_b 3MB
10 uboot_log 4MB
11 logo 8MB
12 fbootlogo 8MB
13 l_fixnv1_a 2MB
14 l_fixnv2_a 2MB
15 l_fixnv1_b 2MB
16 l_fixnv2_b 2MB
17 l_runtimenv1 2MB
18 l_runtimenv2 2MB
19 gnssmodem_a 1MB
20 gnssmodem_b 1MB
21 wcnmodem_a 10MB
22 wcnmodem_b 10MB
23 persist 2MB
24 l_modem_a 25MB
25 l_modem_b 25MB
26 l_deltanv_a 1MB
27 l_deltanv_b 1MB
28 l_gdsp_a 10MB
29 l_gdsp_b 10MB
30 l_ldsp_a 20MB
31 l_ldsp_b 20MB
32 l_agdsp_a 6MB
33 l_agdsp_b 6MB
34 l_cdsp_a 1MB
35 l_cdsp_b 1MB
36 pm_sys_a 1MB
37 pm_sys_b 1MB
38 teecfg_a 1MB
39 teecfg_b 1MB
40 hypervsior_a 10MB
41 hypervsior_b 10MB
42 boot_a 64MB
43 boot_b 64MB
44 vendor_boot_a 100MB
45 vendor_boot_b 100MB
46 init_boot_a 8MB
47 init_boot_b 8MB
48 dtb_a 8MB
49 dtb_b 8MB
50 dtbo_a 8MB
51 dtbo_b 8MB
52 super 5600MB
53 cache 100MB
54 vbmeta_a 1MB
55 vbmeta_b 1MB
56 metadata 16MB
57 sysdumpdb 10MB
58 vbmeta_system_a 1MB
59 vbmeta_system_b 1MB
60 vbmeta_vendor_a 1MB
61 vbmeta_vendor_b 1MB
62 vbmeta_system_ext_a 1MB
63 vbmeta_system_ext_b 1MB
64 vbmeta_product_a 1MB
65 vbmeta_product_b 1MB
66 vbmeta_odm_a 1MB
67 vbmeta_odm_b 1MB
68 avbmeta_rs_a 1MB
69 avbmeta_rs_b 1MB
70 common_rs1_a 8MB
71 common_rs1_b 8MB
72 common_rs2_a 16MB
73 common_rs2_b 16MB
74 userdata 53243MB
standard gpt table saved to pgpt.bin
skip saving sprd partition list packet
partition list saved to partition_1772917079.xml
Total number of partitions: 74
Storage is emmc
ENABLE_WRITE_RAW_DATA
Device is using slot b
file size : 0xf0ba4
[== ] 6.4%
[===== ] 12.9%
[======= ] 19.3%
[========== ] 25.8%
[============ ] 32.2%
[=============== ] 38.6%
[================== ] 45.1%
[==================== ] 51.5%
[======================= ] 57.9%
[========================= ] 64.4%
[============================ ] 70.8%
[============================== ] 77.3%
[================================= ] 83.7%
[==================================== ] 90.1%
[====================================== ] 96.6%
[========================================] 100.0%
Write Part Done: uboot_b, target: 0xf0ba4, written: 0xf0ba4
等待 10 秒供设备响应...
branch:HEAD, sha1:f2fc779210d9e4b5ca1904c79a49cc5e114b58f3
Waiting for dl_diag connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
current exec_addr is 0x3ee8
SEND spl-unlock.bin to 0x5500
SEND custom_exec_no_verify_3ee8.bin to 0x3ee8
EXEC FDL1
usb_recv failed : LIBUSB_ERROR_IO
CHECK_BAUD FAIL
usb_send failed : LIBUSB_ERROR_IO
branch:HEAD, sha1:f2fc779210d9e4b5ca1904c79a49cc5e114b58f3
Waiting for dl_diag connection (30s)
libusb_control_transfer failed : LIBUSB_ERROR_IO
检查 m.bin 后按回车键继续...
branch:HEAD, sha1:f2fc779210d9e4b5ca1904c79a49cc5e114b58f3
Waiting for dl_diag connection (30s)
libusb_control_transfer ok
CHECK_BAUD bootrom
BSL_REP_VER: "SPRD3\0"
CMD_CONNECT bootrom
current exec_addr is 0x3ee8
SEND fdl1-dl.bin to 0x5500
SEND custom_exec_no_verify_3ee8.bin to 0x3ee8
EXEC FDL1
usb_recv failed : LIBUSB_ERROR_TIMEOUT
CHECK_BAUD FAIL
CHECK_BAUD FDL1
BSL_REP_VER: "Spreadtrum Boot Block version 1.1\0"
CMD_CONNECT FDL1
KEEP_CHARGE FDL1
SEND fdl2-dl.bin to 0x9efffe00
FDL2: incompatible partition
EXEC FDL2
usb_recv failed : LIBUSB_ERROR_TIMEOUT
DISABLE_TRANSCODE
Reading Partition List
[===== ] 12.5%
[========== ] 25.0%
[=============== ] 37.5%
[==================== ] 50.0%
[========================= ] 62.5%
[============================== ] 75.0%
[=================================== ] 87.5%
[========================================] 100.0%
Read Part Done: user_partition+0x0, target: 0x8000, read: 0x8000
0 splloader 256KB
1 prodnv 10MB
2 miscdata 1MB
3 misc 1MB
4 trustos_a 6MB
5 trustos_b 6MB
6 sml_a 1MB
7 sml_b 1MB
8 uboot_a 3MB
9 uboot_b 3MB
10 uboot_log 4MB
11 logo 8MB
12 fbootlogo 8MB
13 l_fixnv1_a 2MB
14 l_fixnv2_a 2MB
15 l_fixnv1_b 2MB
16 l_fixnv2_b 2MB
17 l_runtimenv1 2MB
18 l_runtimenv2 2MB
19 gnssmodem_a 1MB
20 gnssmodem_b 1MB
21 wcnmodem_a 10MB
22 wcnmodem_b 10MB
23 persist 2MB
24 l_modem_a 25MB
25 l_modem_b 25MB
26 l_deltanv_a 1MB
27 l_deltanv_b 1MB
28 l_gdsp_a 10MB
29 l_gdsp_b 10MB
30 l_ldsp_a 20MB
31 l_ldsp_b 20MB
32 l_agdsp_a 6MB
33 l_agdsp_b 6MB
34 l_cdsp_a 1MB
35 l_cdsp_b 1MB
36 pm_sys_a 1MB
37 pm_sys_b 1MB
38 teecfg_a 1MB
39 teecfg_b 1MB
40 hypervsior_a 10MB
41 hypervsior_b 10MB
42 boot_a 64MB
43 boot_b 64MB
44 vendor_boot_a 100MB
45 vendor_boot_b 100MB
46 init_boot_a 8MB
47 init_boot_b 8MB
48 dtb_a 8MB
49 dtb_b 8MB
50 dtbo_a 8MB
51 dtbo_b 8MB
52 super 5600MB
53 cache 100MB
54 vbmeta_a 1MB
55 vbmeta_b 1MB
56 metadata 16MB
57 sysdumpdb 10MB
58 vbmeta_system_a 1MB
59 vbmeta_system_b 1MB
60 vbmeta_vendor_a 1MB
61 vbmeta_vendor_b 1MB
62 vbmeta_system_ext_a 1MB
63 vbmeta_system_ext_b 1MB
64 vbmeta_product_a 1MB
65 vbmeta_product_b 1MB
66 vbmeta_odm_a 1MB
67 vbmeta_odm_b 1MB
68 avbmeta_rs_a 1MB
69 avbmeta_rs_b 1MB
70 common_rs1_a 8MB
71 common_rs1_b 8MB
72 common_rs2_a 16MB
73 common_rs2_b 16MB
74 userdata 53243MB
standard gpt table saved to pgpt.bin
skip saving sprd partition list packet
partition list saved to partition_1772917112.xml
Total number of partitions: 74
Storage is emmc
ENABLE_WRITE_RAW_DATA
Device is using slot b
[= ] 2.6%
[== ] 5.0%
[=== ] 7.6%
[==== ] 10.0%
[===== ] 12.6%
[====== ] 15.0%
[======= ] 17.5%
[======== ] 20.1%
[========= ] 22.5%
[========== ] 25.1%
[=========== ] 27.5%
[============ ] 30.1%
[============= ] 32.5%
[============== ] 35.0%
[=============== ] 37.6%
[================ ] 40.0%
[================= ] 42.6%
[================== ] 45.0%
[=================== ] 47.6%
[==================== ] 50.0%
[===================== ] 52.5%
[====================== ] 55.1%
[======================= ] 57.5%
[======================== ] 60.1%
[========================= ] 62.5%
[========================== ] 65.1%
[=========================== ] 67.5%
[============================ ] 70.0%
[============================= ] 72.6%
[============================== ] 75.0%
[=============================== ] 77.6%
[================================ ] 80.0%
[================================= ] 82.6%
[================================== ] 85.0%
[=================================== ] 87.5%
[==================================== ] 90.1%
[===================================== ] 92.5%
[====================================== ] 95.1%
[======================================= ] 97.5%
[========================================] 100.0%
Read Part Done: boot_b+0x0, target: 0x4000000, read: 0x4000000
file size : 0xf9f4
[======================================= ] 99.2%
[========================================] 100.0%
Write Part Done: splloader, target: 0xf9f4, written: 0xf9f4
file size : 0xdb1f4
[== ] 7.1%
[===== ] 14.1%
[======== ] 21.2%
[=========== ] 28.3%
[============== ] 35.4%
[================ ] 42.4%
[=================== ] 49.5%
[====================== ] 56.6%
[========================= ] 63.7%
[============================ ] 70.7%
[=============================== ] 77.8%
[================================= ] 84.9%
[==================================== ] 92.0%
[======================================= ] 99.0%
[========================================] 100.0%
Write Part Done: uboot_b, target: 0xdb1f4, written: 0xdb1f4
file size : 0x800
[========================================] 100.0%
Write Part Done: misc, target: 0x800, written: 0x800
脚本执行完毕。按回车键退出...

ok