[Help] Cracking recovery.img
Posted on 2016-3-2 15:23 · 4351 views
I want to modify the stock firmware recovery.img for my own phone, with the goal of enabling root access over adb.
I already have the recovery.img for the matching version, but there are a few things I don't understand and need help with. First, here is the hex of the header.
00000000h: 41 4E 44 52 4F 49 44 21 20 00 7B 00 00 80 00 80 ; ANDROID! .{.....
00000010h: 89 38 2F 00 00 00 00 82 00 00 00 00 00 00 F0 80 ; .8/...........ð.
00000020h: 00 00 E0 81 00 08 00 00 00 A0 0C 00 00 00 00 00 ; ..à.............
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 63 6F 6E 73 6F 6C 65 3D 6E 75 6C 6C 20 61 6E 64 ; console=null and
00000050h: 72 6F 69 64 62 6F 6F 74 2E 68 61 72 64 77 61 72 ; roidboot.hardwar
00000060h: 65 3D 71 63 6F 6D 20 75 73 65 72 5F 64 65 62 75 ; e=qcom user_debu
00000070h: 67 3D 33 31 20 6D 73 6D 5F 72 74 62 2E 66 69 6C ; g=31 msm_rtb.fil
00000080h: 74 65 72 3D 30 78 33 46 20 65 68 63 69 2D 68 63 ; ter=0x3F ehci-hc
00000090h: 64 2E 70 61 72 6B 3D 33 20 61 6E 64 72 6F 69 64 ; d.park=3 android
000000a0h: 62 6F 6F 74 2E 62 6F 6F 74 64 65 76 69 63 65 3D ; boot.bootdevice=
000000b0h: 37 38 32 34 39 30 30 2E 73 64 68 63 69 00 00 00 ; 7824900.sdhci...
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000200h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000220h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000230h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000240h: D7 F8 A8 96 76 42 C4 1A 49 01 A7 1A 25 93 91 BA ; ×ø¨.vBÄ.I.§.%..º
00000250h: 86 E8 DD 09 00 00 00 00 00 00 00 00 00 00 00 00 ; .èÝ.............
00000260h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000270h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

Below is my analysis:
Row 1: BOOT_MAGIC 8 bytes, kernel_size 4 bytes, kernel_addr 4 bytes
Row 2: ramdisk_size 4 bytes, ramdisk_addr 4 bytes, second_size 4 bytes, second_addr 4 bytes
Row 3: tags_addr 4 bytes, page_size 4 bytes, unused[2] 8 bytes
Row 4: name 16 bytes
Row 5: cmdline 512 bytes
Finally: id[8] 32 bytes, taking up two rows

kernel_size = 8060960(0x007b0020)
kernel_addr = 0x80008000
ramdisk_size = 3094665(0x2f3889)
ramdisk_addr = 0x82000000
second_size = 0
second_addr = 0x80f00000

tags_addr=0x81e00000
page_size=0x00000800
unused[2]=0x000ca000

The file has an extra chunk of data at the very end that is not part of this structure:
00000000h: 51 43 44 54 02 00 00 00 14 00 00 00 CE 00 00 00 ; QCDT........Î...
00000010h: 01 FF 08 CE 02 00 00 00 00 00 00 00 00 08 00 00 ; .ÿ.Î............
00000020h: 00 88 02 00 CE 00 00 00 01 FF 08 CE 04 00 00 00 ; ....Î....ÿ.Î....
00000030h: 00 00 00 00 00 90 02 00 00 88 02 00 CE 00 00 00 ; ............Î...
00000040h: 01 FF 08 CE 06 00 00 00 00 00 00 00 00 18 05 00 ; .ÿ.Î............
00000050h: 00 88 02 00 CE 00 00 00 01 FF 08 CE 07 00 00 00 ; ....Î....ÿ.Î....
00000060h: 00 00 00 00 00 A0 07 00 00 80 02 00 CE 00 00 00 ; ............Î...
00000070h: 01 FF 08 CE 08 00 00 00 00 00 00 00 00 20 0A 00 ; .ÿ.Î......... ..
00000080h: 00 80 02 00 F8 00 00 00 01 FF 08 CE 02 00 00 00 ; ....ø....ÿ.Î....
00000090h: 00 00 00 00 00 08 00 00 00 88 02 00 F8 00 00 00 ; ............ø...
000000a0h: 01 FF 08 CE 04 00 00 00 00 00 00 00 00 90 02 00 ; .ÿ.Î............
000000b0h: 00 88 02 00 F8 00 00 00 01 FF 08 CE 06 00 00 00 ; ....ø....ÿ.Î....
000000c0h: 00 00 00 00 00 18 05 00 00 88 02 00 F8 00 00 00 ; ............ø...
000000d0h: 01 FF 08 CE 07 00 00 00 00 00 00 00 00 A0 07 00 ; .ÿ.Î............
000000e0h: 00 80 02 00 F8 00 00 00 01 FF 08 CE 08 00 00 00 ; ....ø....ÿ.Î....
000000f0h: 00 00 00 00 00 20 0A 00 00 80 02 00 F9 00 00 00 ; ..... ......ù...
00000100h: 01 FF 08 CE 02 00 00 00 00 00 00 00 00 08 00 00 ; .ÿ.Î............
00000110h: 00 88 02 00 F9 00 00 00 01 FF 08 CE 04 00 00 00 ; ....ù....ÿ.Î....
00000120h: 00 00 00 00 00 90 02 00 00 88 02 00 F9 00 00 00 ; ............ù...
00000130h: 01 FF 08 CE 06 00 00 00 00 00 00 00 00 18 05 00 ; .ÿ.Î............
00000140h: 00 88 02 00 F9 00 00 00 01 FF 08 CE 07 00 00 00 ; ....ù....ÿ.Î....
00000150h: 00 00 00 00 00 A0 07 00 00 80 02 00 F9 00 00 00 ; ............ù...
00000160h: 01 FF 08 CE 08 00 00 00 00 00 00 00 00 20 0A 00 ; .ÿ.Î......... ..
00000170h: 00 80 02 00 FA 00 00 00 01 FF 08 CE 02 00 00 00 ; ....ú....ÿ.Î....
00000180h: 00 00 00 00 00 08 00 00 00 88 02 00 FA 00 00 00 ; ............ú...
00000190h: 01 FF 08 CE 04 00 00 00 00 00 00 00 00 90 02 00 ; .ÿ.Î............
000001a0h: 00 88 02 00 FA 00 00 00 01 FF 08 CE 06 00 00 00 ; ....ú....ÿ.Î....
000001b0h: 00 00 00 00 00 18 05 00 00 88 02 00 FA 00 00 00 ; ............ú...
000001c0h: 01 FF 08 CE 07 00 00 00 00 00 00 00 00 A0 07 00 ; .ÿ.Î............
000001d0h: 00 80 02 00 FA 00 00 00 01 FF 08 CE 08 00 00 00 ; ....ú....ÿ.Î....
000001e0h: 00 00 00 00 00 20 0A 00 00 80 02 00 00 00 00 00 ; ..... ..........

Also, second_size is 0, and this chunk doesn't look like second-stage data either; second should be a .gz file. Where should I start to crack a recovery.img like this?
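As an added example (not the poster's code), the following parser decodes the header exactly as laid out above, derives the page-aligned offsets of kernel, ramdisk and the appended blob, and decodes the trailing "QCDT" table. It assumes the first unused word at offset 0x28 is dt_size, as Qualcomm's mkbootimg uses it, and that the trailer is a QCDT v2 table (24-byte entries); the sample bytes are constructed from the dump in the post, so it runs offline.

```python
import struct

# Android boot image header v0, laid out as in the post (little-endian).
# 8s magic, 10 u32 (kernel_size/addr, ramdisk_size/addr, second_size/addr,
# tags_addr, page_size, dt_size, unused), 16s name, 512s cmdline, 32s id.
BOOT_HDR = struct.Struct("<8s10I16s512s32s")   # 608 bytes = 0x260
QCDT_HDR = struct.Struct("<4sII")              # magic, version, num_dtbs
QCDT_V2_ENTRY = struct.Struct("<6I")           # platform, variant, subtype, soc_rev, offset, size

def parse_boot_header(data):
    """Decode the header and derive where each page-aligned section starts."""
    f = BOOT_HDR.unpack_from(data, 0)
    if f[0] != b"ANDROID!":
        raise ValueError("missing ANDROID! magic")
    page = f[8]
    pages = lambda n: -(-n // page)            # ceil(n / page_size)
    kernel_off = page                          # header occupies page 0
    ramdisk_off = kernel_off + pages(f[1]) * page
    second_off = ramdisk_off + pages(f[3]) * page
    dt_off = second_off + pages(f[5]) * page   # assumed: unused[0] is dt_size
    return {
        "kernel_size": f[1], "kernel_addr": f[2], "ramdisk_size": f[3],
        "ramdisk_addr": f[4], "second_size": f[5], "tags_addr": f[7],
        "page_size": page, "dt_size": f[9],
        "cmdline": f[12].rstrip(b"\0").decode(),
        "id": f[13][:20].hex(),                # SHA-1 digest, zero-padded to 32 bytes
        "kernel_off": kernel_off, "ramdisk_off": ramdisk_off,
        "dt_off": dt_off, "total_size": dt_off + pages(f[9]) * page,
    }

def parse_qcdt(blob, dt_size):
    """Decode a Qualcomm QCDT v2 table and check its entries fit inside dt_size."""
    magic, version, count = QCDT_HDR.unpack_from(blob, 0)
    if magic != b"QCDT" or version != 2:
        raise ValueError("not a QCDT v2 table")
    entries = [QCDT_V2_ENTRY.unpack_from(blob, QCDT_HDR.size + i * QCDT_V2_ENTRY.size)
               for i in range(count)
               if QCDT_HDR.size + (i + 1) * QCDT_V2_ENTRY.size <= len(blob)]
    fits = all(off + size <= dt_size for *_, off, size in entries)
    return {"num_dtbs": count, "entries": entries, "fits_dt_size": fits}

# Constructed sample: the header fields and first two QCDT entries read off the dump above.
SAMPLE_CMDLINE = (b"console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F "
                  b"ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci")
SAMPLE_HEADER = BOOT_HDR.pack(b"ANDROID!", 0x007B0020, 0x80008000, 0x002F3889, 0x82000000,
                              0, 0x80F00000, 0x81E00000, 0x800, 0x000CA000, 0, b"",
                              SAMPLE_CMDLINE, bytes.fromhex("d7f8a8967642c41a4901a71a259391ba86e8dd09"))
SAMPLE_QCDT = (QCDT_HDR.pack(b"QCDT", 2, 20)
               + QCDT_V2_ENTRY.pack(0xCE, 0xCE08FF01, 2, 0, 0x800, 0x28800)
               + QCDT_V2_ENTRY.pack(0xCE, 0xCE08FF01, 4, 0, 0x29000, 0x28800))
```

Calling parse_boot_header(SAMPLE_HEADER) gives dt_off = total of header + kernel + ramdisk pages, which is exactly where the QCDT bytes begin in the file, and total_size lets you check that the image on disk is neither truncated nor carrying unexplained bytes past the device-tree table.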


Latest replies (4)
#2
There is a tool called bootimg.
2016-3-2 16:47
#3
Current phones won't accept an image repacked with that tool; a chunk of data at the end is missing.
2016-3-2 17:01
#4
Then your img probably also has signature verification added, doesn't it?
2016-3-2 17:44
#6
I know about APK signing, but what tool is used to sign an img? Please advise.
2016-3-4 12:41