
patch_do_cboot‐SPL

TomKing062 edited this page Feb 24, 2024 · 8 revisions

The SPL is only started in fallback download mode.


Part 1: modify FDL1, save the modified FDL1 as fdl1-dl.bin

Trace from _start to reset to main (sub_10218).


Here we see a set of registered handlers; entry #4 is data_exec (sub_10094). Now NOP out (1F 20 03 D5) the verification in this function.

(screenshot: data_exec)

Part 2: modify FDL2 (uboot)

Patch 1: do_cboot.

First find these functions:

set_lock_status()

Search for the string VerifiedBoot-UNLOCK to find set_lock_status().

reset_to_normal() (deprecated; I recommend using power_down_devices() instead)

Find do_download or do_download_common; you will see a set of registered handlers, and #0x5 is dl_cmd_reboot(). dl_cmd_reboot() calls reset_to_normal(); note the value it passes as the parameter (MOV W0, #2 here), since it will be used when patching do_cboot().

(screenshot: reboot_devices)

power_down_devices()

a9-a11: search for the string do_download to find do_download(); you will see a set of registered handlers, and #0x17 is dl_powerdown_device().


a12(+): search for the string download mode to find download_handler, or search for reply exec act as Romcode to find autodloader_handler. Both download_handler and autodloader_handler call do_download_common; in do_download_common you will see a set of registered handlers, and #0x17 is dl_powerdown_device().


An example on an a13 uboot (search for the string download end power down device to find dl_powerdown_device() directly; only tested on a13):


dl_powerdown_device() calls power_down_devices().

do_cboot()

Search for the string enter boot mode to find do_cboot(). Patch it to call set_lock_status() and then either reset_to_normal() (reboot_devices; pass the same parameter value that dl_cmd_reboot() uses) or power_down_devices() (whose parameter is zero).

example: a9/a10

(screenshot: do_cboot)

example: a11(+), patch after slot_ab() and boot_env_check() (the #0x104 check)


Patch 2: NOP the write check of secure partitions.

(screenshot: _check_secure_part)

For a9/a10, patches 1 and 2 can be applied to the same binary; save it as uboot-mod.bin.

For a11(+): apply patch 1 to the original FDL2 and save it as fdl2-cboot.bin; apply patch 2 to the original FDL2 and save it as fdl2-dl.bin. (Because do_cboot() now runs before do_download, we would not enter download mode if both patches were applied to one binary.)

Part 3: modify SPL, save the modified SPL as spl-unlock.bin

old type

(screenshot: nand_boot_1)

The SPL loads images A, B, C, D and verifies them; if verification fails, it reloads A, B, C, D from A_bak, B_bak, C_bak, D_bak and verifies again.

(screenshot: nand_boot_2)

(Modify BL secboot_init to B loc_F230; 0xF230 is the address of the CMP W19, WZR after BL update_swVersion.)

So the patched nand_boot just loads the images, skips verification, and executes them directly.

new type

In nand_boot(), NOP out the calls to signcheck() and the checks of their results.


Usually there are 4 signcheck() calls in nand_boot().

Last thing: prepare the unlock commands

  1. (normal download) send fdl1-dl.bin, send uboot-mod (fdl2-dl), write uboot-mod (fdl2-cboot) to uboot, erase splloader

  2. (fallback download) send spl-unlock.bin

  3. (fallback download) send fdl1-dl.bin, send uboot-mod (fdl2-dl), write the official uboot back, write the official splloader back, erase userdata.