patch_do_cboot - SPL
SPL only starts in fallback download.
Track from _start to reset to main (sub_10218).
Here we see a set of registers; #4 is data_exec (sub_10094). Now NOP (1F 20 03 D5) the verification in this function.
First find these functions:
Search for "VerifiedBoot-UNLOCK" to find set_lock_status.
Find do_download or do_download_common; you will see a set of registers. #0x5 is dl_cmd_reboot(), and dl_cmd_reboot() calls reset_to_normal(). Remember the number that reset_to_normal() is called with (MOV W0, #2 here); it will be used when patching do_cboot().
a9-a11: search for "do_download" to find do_download; you will see a set of registers, where #0x17 is dl_powerdown_device().
a12(+): search for "download mode" to find download_handler, or search for "reply exec act as Romcode" to find autodloader_handler. Both download_handler and autodloader_handler call do_download_common; in do_download_common you will see a set of registers, where #0x17 is dl_powerdown_device().
An example on a13 uboot: search for "download end power down device" to find dl_powerdown_device() directly (only tested on a13).
dl_powerdown_device() calls power_down_devices().
Search for "enter boot mode" to find do_cboot. Patch it to call set_lock_status and then either reset_to_normal() (reboot_devices), using the number previously used in dl_cmd_reboot(), or power_down_devices(); the parameter for power_down_devices() is zero.
Example: a9/a10.
Example: a11(+), patch after slot_ab() and boot_env_check (the #0x104 check).
For a9/a10, patch 1 and patch 2 can be applied to the same binary; save it as uboot-mod.bin.
For a11(+): apply patch 1 to the original FDL2 and save it as fdl2-cboot.bin; apply patch 2 to the original FDL2 and save it as fdl2-dl.bin. (Because do_cboot() now runs before do_download, we would not enter download mode if both patches were applied to one binary.)
SPL loads images A, B, C, D and verifies them; if verification fails, it reloads A, B, C, D from A_bak, B_bak, C_bak, D_bak and verifies again.
(Modify BL secboot_init to B loc_F230; 0xF230 is the address of CMP W19, WZR after BL update_swVersion.)
So we patch nand_boot to just load the images, skip verification, and execute directly.
In nand_boot(), NOP signcheck() and the result check of signcheck(). Usually there are 4 signcheck() calls in nand_boot().
- (normal download) send fdl1-dl.bin, send uboot-mod (fdl2-dl), write uboot-mod (fdl2-cboot) to uboot, erase splloader
- (fallback download) send spl-unlock.bin
- (fallback download) send fdl1-dl.bin, send uboot-mod (fdl2-dl), write official uboot back, write official splloader back, erase userdata.