Flyme系统 解锁后强制进入丢失模式
只是个笔记,没写全 但是按上面的来就行了
01-01 08:07:32.372 842 4385 E NxpHal : write error status = 0x1ff 01-01 08:07:32.372 842 842 E NxpHal : write_unlocked failed - PN54X Maybe in Standby Mode - Retry 01-01 08:07:32.375 3771 5279 D IPowerModeImp: getCurrentModeLocked:0 01-01 08:07:32.375 3771 5279 D IPowerModeImp: stateMode = 29 getcurrentMode = 0 01-01 08:07:32.375 3771 5279 E CpuExceptionManager: receive intent: android.intent.action.SCREEN_ON 01-01 08:07:32.375 3771 5279 D PowerModeManager: receive intent: android.intent.action.SCREEN_ON 01-01 08:07:32.378 581 581 I hwservicemanager: getTransport: Cannot find entry vendor.qti.hardware.servicetracker@1.0::IServicetracker/default in either framework or device manifest. 01-01 08:07:32.380 1479 3008 D DeviceStateService: mIsFlymeVerifyEnable != null, mIsFlymeVerifyEnable: false, log: 111 ro.soc.vendor is qcom, continue. 222 proc/mz_info/sec is Secure Chip, continue. 3333 proc/mz_info/bl_unlock is 1, disable verify. 01-01 08:07:32.380 1479 3008 D DeviceStateService: doCheckState handle=3 01-01 08:07:32.380 1479 3008 D DeviceStateService: doCheckLockStateRpmb: the device is not legal! 01-01 08:07:32.380 1479 3629 D DeviceStateService: mIsFlymeVerifyEnable != null, mIsFlymeVerifyEnable: false, log: 111 ro.soc.vendor is qcom, continue. 222 proc/mz_info/sec is Secure Chip, continue. 3333 proc/mz_info/bl_unlock is 1, disable verify. 01-01 08:07:32.380 1479 3629 D DeviceStateService: doCheckState handle=4 01-01 08:07:32.380 1479 3629 D DeviceStateService: doCheckLockStateRpmb: the device is not legal! 01-01 08:07:32.381 2365 2365 V SystemModeUtils: FindPhone is lossMode 01-01 08:07:32.381 2365 2365 D SystemModeUtils: exitGuestMode lossMode() == true 01-01 08:07:32.381 1479 3008 D DeviceStateService: mIsFlymeVerifyEnable != null, mIsFlymeVerifyEnable: false, log: 111 ro.soc.vendor is qcom, continue. 222 proc/mz_info/sec is Secure Chip, continue. 3333 proc/mz_info/bl_unlock is 1, disable verify. 
01-01 08:07:32.381 1479 3008 D DeviceStateService: doCheckState handle=3 01-01 08:07:32.381 1479 3008 D DeviceStateService: doCheckLockStateRpmb: the device is not legal! 01-01 08:07:32.381 1479 11920 D DeviceStateService: mIsFlymeVerifyEnable != null, mIsFlymeVerifyEnable: false, log: 111 ro.soc.vendor is qcom, continue. 222 proc/mz_info/sec is Secure Chip, continue. 3333 proc/mz_info/bl_unlock is 1, disable verify. 01-01 08:07:32.381 1479 11920 D DeviceStateService: doCheckState handle=4 01-01 08:07:32.381 1479 11920 D DeviceStateService: doCheckLockStateRpmb: the device is not legal! 01-01 08:07:32.381 2365 2365 V SystemModeUtils: FindPhone is lossMode 01-01 08:07:32.381 2815 2815 D QSLMJ : SLM received action android.intent.action.SCREEN_ON 01-01 08:07:32.382 4070 4070 D SYS_EVENT: send event 16 notification to client 01-01 08:07:32.382 842 4383 D NxpTml : PN54X - Write requested..... 01-01 08:07:32.382 842 4383 D NxpTml : PN54X - Invoking I2C Write..... 01-01 08:07:32.384 842 4383 D NxpNciX : len = 7 > 20020401020100
以上为解锁bootloader后第一次开机抓取的关键log信息
其中明确写明了进入丢失模式(FindPhone is lossMode)
设备状态检查判定设备"不合法"(doCheckLockStateRpmb: the device is not legal!)。另外注意同一段日志里的 "proc/mz_info/bl_unlock is 1, disable verify" 和 "mIsFlymeVerifyEnable: false"：bootloader 解锁后 DeviceStateService 跳过了 doFlymeVerify 这一步，丢失模式的判定完全由 native 的 nativeDoCheckState（RPMB/系统属性检查）决定。
0-----0
通过 (FindPhone is lossMode)作为关键字查找整个system app 和framework
发现关键方法
[info]services.jar中的相关方法[/info]
// 老版本系统上定义的丢失模式方法 public boolean lossMode() { DeviceStateManager v0 = this.mDeviceStateManager; if(v0 != null) { int v0_1 = v0.doCheckState(DeviceStateManager$RemoteHandle.Lock.ordinal()); int v2 = this.mDeviceStateManager.doCheckState(DeviceStateManager$RemoteHandle.Lock_Report_Loss.ordinal()); if(v0_1 != 1 && v2 != 1) { return 0; } Log.v("SystemModeUtils", "FindPhone is lossMode"); return 1; } return 0; }
// 新版本系统 17p 8.1.2.2上找到的定义方法 com.android.server.policy.MzGlobalActions private boolean lossMode() { if(this.mDeviceStateManager != null && this.mDeviceStateManager.doCheckState(DeviceStateManager.RemoteHandle.Lock_Report_Loss.ordinal()) == 1) { Log.v("FindPhone", "lossMode"); return 1; } return 0; }
// 这个是通用的外部整合接口 查询是否root 是否解锁什么的 package com.android.server.DeviceStateService ; public int doCheckState(int arg5) { String v1 = "DeviceStateService"; if((this.isFlymeVerifyEnable()) && !this.doFlymeVerify(arg5)) { Slog.d(v1, "doFlymeVerify failed, handle = " + arg5); return 1; } Slog.d(v1, "doCheckState handle=" + arg5); // 真个nactive方法很重要 return this.nativeDoCheckState(arg5); }
// Hex-Rays pseudocode of nativeDoCheckState (libandroid_services.so), the JNI
// entry behind DeviceStateService.doCheckState(int). a1/a2 are unused here and
// are presumably the JNIEnv*/jobject of the JNI call -- not confirmed; a3 is the
// handle. Dispatch (note the unsigned arithmetic):
//   handle 3..5      -> doCheckLockStateRpmb (lock / lost-mode states)
//   handle 1..2      -> doCheckRootStateRpmb (root state)
//   anything else    -> 0 (including handle 0, which wraps on the subtraction)
__int64 __fastcall android::nativeDoCheckState(__int64 a1, int a2, unsigned int a3)
{
  if ( a3 - 3 < 3 )
    return android::doCheckLockStateRpmb((android *)a3, a2);
  if ( a3 - 1 > 1 )
    return 0LL;
  return android::doCheckRootStateRpmb((android *)a3, a2);
}

// Root-state query. Despite the name nothing here touches RPMB: the answer is
// derived entirely from the ro.flyme.root.state system property, so it is only
// as trustworthy as whatever set that property at boot.
//   handle 1 -> 1 iff ro.flyme.root.state == 1
//   handle 2 -> 1 iff ro.flyme.root.state != 1
//   otherwise -> 0
// `this` is really the integer handle (Hex-Rays mis-typed the first argument).
__int64 __fastcall android::doCheckRootStateRpmb(android *this)
{
  unsigned __int64 v1; // x20
  int v2; // w19
  int v3; // w0
  unsigned int v4; // w19
  __int64 result; // x0
  __int128 v6; // [xsp+0h] [xbp-80h]
  __int128 v7; // [xsp+10h] [xbp-70h]
  __int128 v8; // [xsp+20h] [xbp-60h]
  __int128 v9; // [xsp+30h] [xbp-50h]
  char v10[28]; // [xsp+40h] [xbp-40h]
  __int64 v11; // [xsp+68h] [xbp-18h]

  // Looks like the bionic stack-protector canary load (TLS via TPIDR_EL0,
  // guard at +40); unrelated to the check itself -- confirm in the disassembly.
  v1 = _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v2 = (signed int)this;               // the handle
  v11 = *(_QWORD *)(v1 + 40);
  // Zero the property value buffer. v6..v10 are contiguous on the stack
  // (0x00..0x5C = 92 bytes, apparently PROP_VALUE_MAX).
  *(_OWORD *)&v10[12] = 0u;
  v9 = 0u;
  *(_OWORD *)v10 = 0u;
  v7 = 0u;
  v8 = 0u;
  v6 = 0u;
  property_get("ro.flyme.root.state", &v6, "0");   // default "0" when unset
  v3 = strtoul(&v6, 0LL, 10LL);
  if ( v2 != 1 || v3 != 1 )
  {
    // Not (handle 1 && state == 1): the property is re-read (redundantly) and
    // the result is 1 only for handle 2 with a state other than 1.
    *(_OWORD *)&v10[12] = 0u;
    v9 = 0u;
    *(_OWORD *)v10 = 0u;
    v7 = 0u;
    v8 = 0u;
    v6 = 0u;
    property_get("ro.flyme.root.state", &v6, "0");
    v4 = (v2 == 2) & ((unsigned int)strtoul(&v6, 0LL, 10LL) != 1);
  }
  else
  {
    v4 = 1;                              // handle 1 and ro.flyme.root.state == 1
  }
  result = __android_log_print(3LL, "DeviceStateService", "doCheckRootStateRpmb: the result is: %d", v4);
  // Canary comparison. In the real binary a mismatch aborts (__stack_chk_fail),
  // so the function effectively always returns v4 and the log call's return
  // value never reaches the caller -- confirm in the disassembly.
  if ( *(_QWORD *)(v1 + 40) == v11 )
    result = v4;
  return result;
}

// Lock / lost-mode query. Two sources, tried in order:
//  1. ro.flyme.device.legal: if the parsed value has bit 31 set (a negative
//     number -- strtoul wraps it -- such as the -4 the author saw on a Meizu 17),
//     the device is declared "not legal" and 1 is returned WITHOUT touching the
//     RPMB driver. This is the branch behind the "the device is not legal!"
//     line in the log above.
//  2. otherwise /dev/mz_rpmb_ctl is opened and queried via ioctl, and the state
//     word it returns selects the result.
// Return values: 1 = locked/lost for the requested handle, 0 = clear state
// (626460450 = 0x25570722), -1 = open/ioctl failure or unknown state word.
// `this` is the integer handle. Handle 5 also reaches this function but matches
// neither handle constant, so it can only yield 0 or -1.
__int64 __fastcall android::doCheckLockStateRpmb(android *this)
{
  unsigned __int64 v1; // x21
  int v2; // w19
  __int64 v3; // x0
  unsigned int v4; // w20
  unsigned int v5; // w19
  __int64 result; // x0
  unsigned int *v7; // x0
  __int128 v8; // [xsp+0h] [xbp-130h]
  __int128 v9; // [xsp+10h] [xbp-120h]
  __int128 v10; // [xsp+20h] [xbp-110h]
  __int128 v11; // [xsp+30h] [xbp-100h]
  char v12[28]; // [xsp+40h] [xbp-F0h]
  __int64 v13; // [xsp+108h] [xbp-28h]

  // Stack-protector canary load, as in doCheckRootStateRpmb -- confirm.
  v1 = _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v2 = (signed int)this;               // the handle
  v13 = *(_QWORD *)(v1 + 40);
  // Zero the property / ioctl buffer (v8..v12, same 92-byte layout as above).
  *(_OWORD *)&v12[12] = 0u;
  v11 = 0u;
  *(_OWORD *)v12 = 0u;
  v9 = 0u;
  v10 = 0u;
  v8 = 0u;
  // On a Meizu 17 this property read back as -4 (author's observation).
  property_get("ro.flyme.device.legal", &v8, "0");
  // Sign-bit test on the parsed value: any negative number means "not legal".
  if ( strtoul(&v8, 0LL, 10LL) & 0x80000000 )
  {
    result = __android_log_print(3LL, "DeviceStateService", "doCheckLockStateRpmb: the device is not legal!");
    v5 = 1;
  }
  else
  {
    // On a Meizu 17 this open() failed (author's observation).
    v3 = __open_2("/dev/mz_rpmb_ctl", 2LL);
    if ( v3 & 0x80000000 )
    {
      v7 = (unsigned int *)__errno();
      result = __android_log_print(3LL, "DeviceStateService", "doCheckLockStateRpmb: open rpmb failed, errno=%d\n", *v7);
      v5 = -1;
    }
    else
    {
      v4 = v3;
      // Hex-Rays elided ioctl's request/argument. v8 appears to be the in/out
      // buffer: its first dword is set to 559286153 (0x21560789) before the
      // call and dwords 1 and 2 are read back afterwards -- confirm in the
      // disassembly.
      LODWORD(v8) = 559286153;
      // Failure is recognised only when BOTH the ioctl return value AND the
      // buffer's second dword are negative; an ioctl error with a non-negative
      // status word falls through to the state comparison below.
      if ( ioctl(v3) & 0x80000000 && DWORD1(v8) & 0x80000000 )
      {
        result = __android_log_print(3LL, "DeviceStateService", "doCheckLockStateRpmb: ioctl failed!");
        // NOTE: as decompiled, the fd is not closed on this path (leak).
        v5 = -1;
      }
      else
      {
        // State word (dword 2) vs handle:
        //   handle 3 && 626460454 (0x25570726) -> 1
        //   handle 4 && 626460453 (0x25570725) -> 1
        //   626460450 (0x25570722)             -> 0
        //   anything else                      -> -1
        if ( (v2 != 3 || DWORD2(v8) != 626460454) && (v2 != 4 || DWORD2(v8) != 626460453) )
        {
          if ( DWORD2(v8) == 626460450 )
            v5 = 0;
          else
            v5 = -1;
        }
        else
        {
          v5 = 1;
        }
        close(v4);
        result = __android_log_print(3LL, "DeviceStateService", "doCheckLockStateRpmb: the result is: %d", v5);
      }
    }
  }
  // Canary comparison; effectively `return v5` (see doCheckRootStateRpmb).
  if ( *(_QWORD *)(v1 + 40) == v13 )
    result = v5;
  return result;
}
[info]systemui中的相关方法 基于17p 8.1.2.2[/info]
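/**
 * SystemUI (Meizu 17 Pro, Flyme 8.1.2.2): true when the device is in Find
 * Phone "lost mode".
 *
 * Cleaned up from decompiler output (boolean returns were rendered as 0/1);
 * semantics unchanged. The Lock handle is checked first and Lock_Report_Loss
 * only if Lock did not return 1 (short-circuit). Only an exact 1 counts as
 * lost; 0 and the native -1 error value mean "not lost", and a missing
 * DeviceStateManager also yields "not lost" (fail-open).
 */
private boolean isLossMode() {
    // Read the field once so the null check and the calls see the same object.
    DeviceStateManager dsm = this.mDeviceStateManager;
    if (dsm == null) {
        return false;
    }
    boolean locked = dsm.doCheckState(DeviceStateManager.RemoteHandle.Lock.ordinal()) == 1
            || dsm.doCheckState(DeviceStateManager.RemoteHandle.Lock_Report_Loss.ordinal()) == 1;
    if (locked) {
        Log.v(this.TAG, "isLossMode");
        return true;
    }
    return false;
}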
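/**
 * SystemUI (Meizu 17 Pro, Flyme 8.1.2.2): true when the device is in Find
 * Phone "lost mode". Same decision as {@code isLossMode()} but logged under
 * the "SystemModeUtils" tag, which is the line visible in the boot log above.
 *
 * Cleaned up from decompiler output (boolean returns were rendered as 0/1);
 * semantics unchanged. Lock is checked first, Lock_Report_Loss only if Lock
 * did not return 1. Only an exact 1 counts as lost; 0 and the native -1 error
 * value mean "not lost", and a missing DeviceStateManager also yields "not
 * lost" (fail-open).
 */
public boolean lossMode() {
    // Read the field once so the null check and the calls see the same object.
    DeviceStateManager dsm = this.mDeviceStateManager;
    if (dsm == null) {
        return false;
    }
    boolean locked = dsm.doCheckState(DeviceStateManager.RemoteHandle.Lock.ordinal()) == 1
            || dsm.doCheckState(DeviceStateManager.RemoteHandle.Lock_Report_Loss.ordinal()) == 1;
    if (locked) {
        Log.v("SystemModeUtils", "FindPhone is lossMode");
        return true;
    }
    return false;
}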
我们可以看到 丢失模式 都是调用doCheckState处理的
且判断丢失模式的方法定义比较多 哪里都有 修改 doCheckState比较合适
经过研究，直接修改 libandroid_services.so 中的 doCheckLockStateRpmb 方法，二进制修改字符串 /dev/mz_rpmb_ctl，实现起来难度低、稳定性好。需要说明的是：上面日志里的 "the device is not legal!" 来自 ro.flyme.device.legal 属性分支，按伪代码该分支在打开 /dev/mz_rpmb_ctl 之前就已经返回 1，所以这段日志本身并不能证明改路径字符串是生效的原因，两者需要分开验证。
后续:
直接修改so能破锁定,但似乎还有其他的策略,联网一段时间后还是会被远程服务器锁定。所以doCheckState lossMode也需要改