大型连续剧之拯救变砖黑莓KEY2之第三集—-小米Note3的ROM分析
前景提要:刷入了同为660的小米Note3的固件
在使用高通模式刷入固件的时候,在小米note3的ROM下分析可以看出,比fastboot多出几个xml文件,分布是partition.xml、rawprogram0.xml和patch0.xml,大致如下
<?xml version="1.0"?>
<configuration>
<parser_instructions>
<!-- NOTE: entries here are used by the parser when generating output -->
<!-- NOTE: each filename must be on it's own line as in variable=value-->
WRITE_PROTECT_BOUNDARY_IN_KB = 65536
GROW_LAST_PARTITION_TO_FILL_DISK= true
ALIGN_PARTITIONS_TO_PERFORMANCE_BOUNDARY = true
PERFORMANCE_BOUNDARY_IN_KB = 4
</parser_instructions>
<!-- NOTE: "physical_partition" are listed in order and apply to devices such as eMMC cards that have (for example) 3 physical partitions -->
<!-- This is physical partition 0 -->
<physical_partition>
<!-- NOTE: Define information for each partition, which will be created in order listed here -->
<!-- NOTE: Place all "readonly=true" partitions side by side for optimum space usage -->
<!-- NOTE: If OPTIMIZE_READONLY_PARTITIONS=true, then partitions won't be in the order listed here -->
<!-- they will instead be placed side by side at the beginning of the disk -->
<!-- pre: 20k, next: 1M-20k -->
<partition label="switch" size_in_kb="8" type="0FC63DAF-8483-4772-8E79-3D69D8477DE4" bootable="false" readonly="false" filename="dummy.img" />
<partition label="fsc" size_in_kb="8" type="57B90A16-22C9-E33B-8F5D-0E81686A68CB" bootable="false" readonly="false" filename=""/>
<partition label="dpo" size_in_kb="8" type="11406F35-1173-4869-807B-27DF71802812" bootable="false" readonly="false" filename=""/>
<partition label="bk1" size_in_kb="20" type="0FC63DAF-8483-4772-8E79-3D69D8477DE4" bootable="false" readonly="false" filename="" />
<partition label="sec" size_in_kb="32" type="303E6AC3-AF15-4C54-9E9B-D9A8FBECF401" bootable="false" readonly="false" filename="" />
<partition label="ssd" size_in_kb="32" type="2C86E742-745E-4FDD-BFD8-B6A7AC638772" bootable="false" readonly="false" filename=""/>
<!-- ---->
<!-- pre: 13*64M, next: 4*64M -->
<partition label="cache" size_in_kb="262144" type="5594C694-C871-4B5F-90B1-690A6F68E0F7" bootable="false" readonly="false" filename="cache.img" sparse="true"/>
<!-- pre: 17*64M, left -->
<partition label="cust" size_in_kb="851968" type="0FC63DAF-8483-4772-8E79-3D69D8477DE4" bootable="false" readonly="false" filename="cust.img" sparse="true" />
<partition label="system" size_in_kb="5242880" type="97D7B011-54DA-4835-B3C4-917AD6E73D74" bootable="false" readonly="false" filename="system.img" sparse="true"/>
<partition label="userdata" size_in_kb="12582912" type="1B81E7E6-F50D-419B-A739-2AEEF8DA3335" bootable="false" readonly="false" filename="userdata.img" sparse="true"/>
</physical_partition>
</configuration>
<?xml version="1.0" ?>
<data>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Sector size is 512bytes-->
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dummy.img" label="switch" num_partition_sectors="16" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8.0" sparse="false" start_byte_hex="0x5000" start_sector="40"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="" label="fsc" num_partition_sectors="16" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8.0" sparse="false" start_byte_hex="0x7000" start_sector="56"/>
<!-- -------- ---->
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="system.img" label="system" num_partition_sectors="10485760" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="5242880.0" sparse="true" start_byte_hex="0x78000000" start_sector="3932160"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userdata.img" label="userdata" num_partition_sectors="0" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="0" sparse="true" start_byte_hex="0x1b8000000" start_sector="14417920"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="17.0" sparse="false" start_byte_hex="0x0" start_sector="0"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33."/>
</data>
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="19" value="NUM_DISK_SECTORS-34." what="Update last partition 70 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="19" value="NUM_DISK_SECTORS-34." what="Update last partition 70 'userdata' with actual size in Primary Header."/>
<!--- ------>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-1.,92)" what="Update Backup Header with CRC of Backup Header."/>
</patches>
可以看出,这是对手机存储进行了分区操作,比fastboot更底层,所以只要对比小米Note3这个固件信息,利用黑莓官方的ROM正确构造出上面三个文件就极有可能成功恢复,为了验证我的想法,我先用部分黑莓固件文件替换,然后刷入,果不其然,比前面能点亮呼吸又更成功了一步,刷完后重启屏幕亮机,只是进入不了系统,处在fastboot界面,另外条形码信息也是空的。
