fxsheep / firehorse_land

EDL exploit for Redmi 3S

Hello,is it possible to port on msm8953 #2

Open bzy-080408 opened 1 year ago

bzy-080408 commented 1 year ago

I have an msm8953 device (Huawei Maimang 5, same as the G9 Plus and Nova Plus) and just built lk1st on it. But my device has secure boot enabled, so it cannot boot my custom bootloader. I want to port it with this project; is that possible, and how do I do that? P.S. If you are from China, just use Chinese; I saw this project of yours on Coolapk.

fxsheep commented 1 year ago

It is possible. You need to find the firehose mbn matching the device in the EDL firmware, then use https://github.com/bkerler/edl to try to read out the PBL and QFPROM. If that works, this route is feasible. But the rest of the process is still long and tedious, and the more the vendor has modified the bootloader, the more trouble it becomes. Also, because this relies on an exploit in EDL, the device needs USB every time it boots. If the bootloader you built means aboot/lk, or you do not need trustzone/hypervisor privileges on the device, I suggest looking at https://github.com/msm8916-mainline/lk2nd

bzy-080408 commented 1 year ago

...lk2nd adds an extra boot stage, which I feel is too much hassle. I already ported lk2nd last month.

bzy-080408 commented 1 year ago

But I think bridging the 9008 test point with a wire should work.

fxsheep commented 1 year ago

Currently only a software reboot into 9008 is supported, not a cold boot into 9008, i.e. you must enter EDL via reboot edl / fastboot oem edl and the like. Personally I think lk2nd is already convenient enough; with secure boot you just have to accept it. Huawei has some 8916 and 8952 models without secboot; if you want to try this, you could pick one up. If you have no need to modify the low-level components (sbl1/tz/rpm/dsp), there is no point. If you really want to use this to modify aboot, you need to modify sbl1, modify the pbl, and then port https://github.com/fxsheep/lk4edl to 8953

bzy-080408 commented 1 year ago

So how do you modify the pbl? Isn't it baked into the SoC? And how do you read back the PBL?

fxsheep commented 1 year ago

Read the PBL with https://github.com/bkerler/edl. It is not really modifying the PBL; it is "modified" by remapping through the MMU, which is lost on reboot, so you have to boot from USB every time. This project is based on https://alephsecurity.com/2018/01/22/qualcomm-edl-1/, take a look.

bzy-080408 commented 1 year ago

Could we chat on Coolapk instead? GitHub is always blocked where I live.

bzy-080408 commented 1 year ago

Happy New Year

bzy-080408 commented 1 year ago

Uh, where can I find the code for the SBL and such of msm8974? I have an msm8974 phone that does not have secure boot locked.

alikates commented 1 year ago

Hello, mind if I write in English? Some time ago I tried the same approach on msm8953 and I managed to crash the phone a couple of times with peek and poke commands.

After disassembling the loader I think I found the address in the stack for the return address of the function that reads the EDL commands, so I guess the same exploit is possible.

bzy-080408 commented 1 year ago

I tried it; the qfp can be read out completely, but the pbl read gets to 75% and then shows viceClass - USBError(19, 'No such device (it may have been disconnected)')

bzy-080408 commented 1 year ago

Hello, mind if I write in English? Some time ago I tried the same approach on msm8953 and I managed to crash the phone a couple of times with peek and poke commands.

After disassembling the loader I think I found the address in the stack for the return address of the function that reads the EDL commands, so I guess the same exploit is possible.

I think you can use English, but my English is terrible.