ReadRollbackIndex.exe 获取
调查avbVBMeta结构体
typedef struct AvbVBMetaImageHeader {
/* 0: Four bytes equal to "AVB0" (AVB_MAGIC). */
uint8_t magic[AVB_MAGIC_LEN];
/* 4: The major version of libavb required for this header. */
uint32_t required_libavb_version_major;
/* 8: The minor version of libavb required for this header. */
uint32_t required_libavb_version_minor;
/* 12: The size of the signature block. */
uint64_t authentication_data_block_size;
/* 20: The size of the auxiliary data block. */
uint64_t auxiliary_data_block_size;
/* 28: The verification algorithm used, see |AvbAlgorithmType| enum. */
uint32_t algorithm_type;
/* 32: Offset into the "Authentication data" block of hash data. */
uint64_t hash_offset;
/* 40: Length of the hash data. */
uint64_t hash_size;
/* 48: Offset into the "Authentication data" block of signature data. */
uint64_t signature_offset;
/* 56: Length of the signature data. */
uint64_t signature_size;
/* 64: Offset into the "Auxiliary data" block of public key data. */
uint64_t public_key_offset;
/* 72: Length of the public key data. */
uint64_t public_key_size;
/* 80: Offset into the "Auxiliary data" block of public key metadata. */
uint64_t public_key_metadata_offset;
/* 88: Length of the public key metadata. Must be set to zero if there
* is no public key metadata.
*/
uint64_t public_key_metadata_size;
/* 96: Offset into the "Auxiliary data" block of descriptor data. */
uint64_t descriptors_offset;
/* 104: Length of descriptor data. */
uint64_t descriptors_size;
/* 112: The rollback index which can be used to prevent rollback to
* older versions.
*/
uint64_t rollback_index;
/* 120: Flags from the AvbVBMetaImageFlags enumeration. This must be
* set to zero if the vbmeta image is not a top-level image.
*/
uint32_t flags;
/* 124: The location of the rollback index defined in this header.
* Only valid for the main vbmeta. For chained partitions, the rollback
* index location must be specified in the AvbChainPartitionDescriptor
* and this value must be set to 0.
*/
uint32_t rollback_index_location;
/* 128: The release string from avbtool, e.g. "avbtool 1.0.0" or
* "avbtool 1.0.0 xyz_board Git-234abde89". Is guaranteed to be NUL
* terminated. Applications must not make assumptions about how this
* string is formatted.
*/
uint8_t release_string[AVB_RELEASE_STRING_SIZE];
/* 176: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE
* bytes. This must be set to zeroes.
*/
uint8_t reserved[80];
} AVB_ATTR_PACKED AvbVBMetaImageHeader;
发现antirollback 值保存位置在vbmeata.img offset 是112~119
故可以做一个exe文件读取vbmeta.img文件rollback index值,代码如下:
// ReadRollbackIndex.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "stdio.h"
#include "stdlib.h"
#include <direct.h>
#include "Windows.h"
#define MAX_PATH_LEN 1024
#define ROLLBAK_INDEX_OFFSET 0x77
void TcharToChar(const TCHAR * tchar, char * _char)
{
int iLength;
//获取字节长度
iLength = WideCharToMultiByte(CP_ACP, 0, tchar, -1, NULL, 0, NULL, NULL);
//将tchar值赋给_char
WideCharToMultiByte(CP_ACP, 0, tchar, -1, _char, iLength, NULL, NULL);
}
int _tmain(int argc, _TCHAR* argv[])
{
char currPath[MAX_PATH_LEN] = "\0";
char fileName[MAX_PATH_LEN] = "\0";
if(argc > 1)
{
TcharToChar(argv[1], fileName);
printf("transfer filename: %s \n", fileName);
}
// get current path
if (getcwd(currPath, sizeof(currPath)) == NULL){
printf("getcwd() error");
};
//printf(" currPath = %s \n", currPath);
char vbmetaFileName[MAX_PATH_LEN] = "\0";
//if(strlen(fileName) > 0){
if(argc > 1)
sprintf(vbmetaFileName, "%s\\%s", currPath, fileName);
}else{
sprintf(vbmetaFileName, "%s\\vbmeta.img", currPath);
}
printf("vbmeta.img file path: %s \n", vbmetaFileName);
// open and read file
FILE* pVbmetaFile = fopen(vbmetaFileName, "rb");
if (pVbmetaFile == NULL)
{
printf("open %s failed.", vbmetaFileName);
return -1;
}
//文件指针偏移 SEEK_SET初始位置开始偏移
if(!fseek(pVbmetaFile, ROLLBAK_INDEX_OFFSET, SEEK_SET)){
int rollbackIndex = fgetc(pVbmetaFile);
printf("Rollback Index: %d\n", rollbackIndex);
}
// release file handle
fclose(pVbmetaFile);
return 0;
}
此段代码经 vs2010 编译验证ok,程序运行结果:
代码中获取
antirollback 获取:
pl阶段获取 pl/lk的version。 需要在校验完LK img后可以呼叫获取:
获取pl ver api:seclib_get_pl_ver
获取LK ver api:get_img_ver
LK阶段获取modem 的img ver:
api: get_img_ver
MTK:
/vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/avb/libavb/avb_slot_verify.c
io_ret = ops->read_rollback_index(ops, rollback_index_location, &stored_rollback_index);
这里会根据rollback_index_location来读anti-rollback值
/vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/avb20/load_vfy_boot.c
int load_vfy_boot(uint32_t bootimg_type, uint32_t addr)函数
ret = record_avb_version(slot_data);
这里会在验证AVB结束后更新anti-rollback ver。
set_avb_otp_ver(AVB_GROUP, (uint32_t)min_ver);
#define AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS 32
qcom:
LINUX/android/external/u-boot/common/avb_verify.c
virtual AvbIOResult read_rollback_index(AvbOps* ops,
size_t rollback_index_slot,
uint64_t* out_rollback_index) = 0;
virtual AvbIOResult write_rollback_index(AvbOps* ops,
size_t rollback_index_slot,
uint64_t rollback_index) = 0;
memset(param, 0, sizeof(param));
param[0].attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
param[0].u.value.a = rollback_index_slot;
param[1].attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
param[1].u.value.a = (u32)(rollback_index >> 32);
param[1].u.value.b = (u32)rollback_index;
return invoke_func(ops->user_data, TA_AVB_CMD_WRITE_ROLLBACK_INDEX,
ARRAY_SIZE(param), param);