本文将讨论S905X处理器上的软件保护。最终目标是启动未经授权的软件。S905X
S905X处理器是时钟频率高达1.5GHz的ARM Cortex-A53,装有用于视频和音频流的各种解码器,例如H.265 4K,VP9,支持4KUHD等。通常,这不是一个坏选择。与之前的产品不同,AMLogic在该处理器中集成了所谓的“高级TrustZone安全系统”,该系统控制所有关键的系统操作,例如访问ROM存储器的保护区,检查签名和解密软件等。可在制造商的网站上找到有关此主题的详细文档。 SecureOS充当ATOS-V1.5-g3e467d9(我不会断言,我没有检查)。训练
分解前缀后,我很容易找到UART的RxD,TxD和GND引脚。背面有一个用于重置按钮的连接器(未验证)和一个用于放置连接器的地方。从位置来看,该连接器看上去像是另一种eMMS卡的板对板(自然没有引脚排列)。
S905的免费文档涵盖了一些关键主题,例如引导顺序,但还远远不够完整,从RE的角度来看实际上是无用的。撇开文档不说,我连接了UART,...对处理器的加载速度感到惊讶。但这可能就是全部。U-Boot对键盘完全没有反应,经过一些硬件设置后,它巧妙地加载并启动了Android内核。U-Boot'a启动日志 GXL:BL1:9ac50e:bb16dc;FEAT:BDFC31BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:0;
TE: 351954
BL2 Built : 16:42:36, Nov 3 2016.
gxl g3eddb43 - xiaobo.gu@droid05
set vcck to 1120 mv
set vddee to 1000 mv
Board ID = 4
CPU clk: 1200MHz
DQS-corr enabled
DDR scramble enabled
DDR3 chl: Rank0+1 @ 768MHz - FAIL
DDR3 chl: Rank0 @ 768MHz - PASS
Rank0: 1024MB(auto)-2T-11
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R2048 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R2048 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x00015400
aml log : R2048 check pass!
Load bl32 from eMMC, src: 0x00038200, des: 0x01700000, size: 0x00035a00
aml log : R2048 check pass!
Load bl33 from eMMC, src: 0x00070200, des: 0x01700000, size: 0x000aa200
aml log : R2048 check pass!
NOTICE: BL3-1: v1.0(debug):fb68908
NOTICE: BL3-1: Built : 18:30:11, Nov 1 2016
aml log : bl31 detect secure boot !
[Image: gxl_v1.1.3154-065f772 2016-09-29 14:08:54 yan.wang@droid05]
OPS=0x84
bc fc af 5f a2 b4 4d 4b 1c 91 59 9f [1.280536 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-1: Initializing runtime services
INFO: BL3-1: Initializing BL3-2
INFO: BL3-2: ATOS-V1.5-g3e467d9 #1 Mon Aug 22 17:11:43 CST 2016 arm
INFO: BL3-2: chip version = RevC (21:C - 0:0)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01 (Nov 23 2018 - 15:50:35)
DRAM: 1 GiB
Relocation Offset is: 36ec8000
register usb cfg[0][1] = 0000000037f5e258
[CANVAS]canvas init
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
vpp: vpp_init
boot_device_flag : 1
Nand PHY Ver:1.01.001.0006 (c) 2013 Amlogic Inc.
init bus_cycle=6, bus_timing=7, system=5.0ns
reset failed
get_chip_type and ret:fffffffe
get_chip_type and ret:fffffffe
chip detect failed and ret:fffffffe
nandphy_init failed and ret=0xfffffff1
MMC: aml_priv->desc_buf = 0x0000000033ec86b0
aml_priv->desc_buf = 0x0000000033eca9d0
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
[mmc_startup] mmc refix success
[mmc_init] mmc init success
mmc read lba=0x14000, blocks=0x400
Amlogic multi-dtb tool
Multi dtb detected
Multi dtb tool version: v2 .
Support 2 dtbs.
aml_dt soc: gxl platform: sx6b6x variant: 1g
dtb 0 soc: gxl plat: sx6b6x vari: 1g
dtb 1 soc: gxl plat: sx6b6x vari: 2g
Find match dtb: 0
start dts,buffer=0000000033ecd270,dt_addr=0000000033ecda70
parts: 11
00: logo 0000000002000000 1
01: recovery 0000000002000000 1
02: rsv 0000000000800000 1
03: tee 0000000000800000 1
04: crypt 0000000002000000 1
05: misc 0000000002000000 1
06: instaboot 0000000020000000 1
07: boot 0000000002000000 1
08: system 0000000050000000 1
09: cache 0000000040000000 2
10: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 2400000 4000000 0
2: cache 6c00000 40000000 2
3: env 47400000 800000 0
4: logo 48400000 2000000 1
5: recovery 4ac00000 2000000 1
6: rsv 4d400000 800000 1
7: tee 4e400000 800000 1
8: crypt 4f400000 2000000 1
9: misc 51c00000 2000000 1
10: instaboot 54400000 20000000 1
11: boot 74c00000 2000000 1
12: system 77400000 50000000 1
13: data c7c00000 10a400000 4
mmc read lba=0x12000, blocks=0x2
mmc read lba=0x12002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x47400000
WARNING: 'recovery_from_sdcard' neither in running nor in imported env!
WARNING: 'recovery_from_udisk' neither in running nor in imported env!
In: serial
Out: serial
Err: serial
hpd_state=0
cvbs performance type = 6, table = 0
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
read emmc dtb
Amlogic multi-dtb tool
Multi dtb detected
Multi dtb tool version: v2 .
Support 2 dtbs.
aml_dt soc: gxl platform: sx6b6x variant: 1g
dtb 0 soc: gxl plat: sx6b6x vari: 1g
dtb 1 soc: gxl plat: sx6b6x vari: 2g
Find match dtb: 0
Net: dwmac.c9410000
wipe_data=successful
wipe_cache=successful
upgrade_step=2
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[CANVAS]addr=0x3d800000 width=3840, height=2160
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[BL31]: tee size: 0
[KM]Error:f[key_manage_query_size]L507:key[deviceid] not programed yet
gpio: pin GPIOAO_2 (gpio 102) value is 1
get_cpu_id flag_12bit=1
SARADC channel(0) is 0x3e1.
SARADC closed.
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
[imgread]szTimeStamp[2019121002280214]
[imgread]secureKernelImgSz=0x977000
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =33f4d440
copy done
Amlogic multi-dtb tool
Single dtb detected
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02258fd0
Loading Ramdisk to 33d12000, end 33eb6000 ... OK
Loading Device Tree to 000000001fff3000, end 000000001ffff8f4 ... OK
signature:
fdt_instaboot: no instaboot image
Starting kernel ...
值得注意的是,U-Boot(bl33)本身已经在“正常世界”环境中运行(BL3-1在将控制权转移给它之前立即切换了模式)。那些。即使我们以某种方式控制了U-Boot,我们对系统的访问也将受到限制。原则上,这不是那么重要。毕竟,即使您删除了ROM转储,拔出AES密钥并从保险丝中打开RSA,也没有太大意义,因为仍然没有RSA私钥。U-Boot本身未读取任何密钥。他将内核加载到内存中,并调用安全监视器以解密和验证代码。 Security Monitor完成了所有必要的操作,并告诉U-Boot是否加载内核。通常,使用自己的TrustedOS和某种功能(例如BIOS)来认真保护软件的方法。我的进一步计划是访问eMMC内存。多媒体卡
要连接到eMMC,必须至少找到DAT_0,CLK,CMD和GND引脚。并找出eMMC控制器在什么电压下工作(1V8或3V3)。肉眼无法做到这一点,对于跟踪轨迹,我自己拔出了eMMC。由于芯片在我手中,因此在跟踪之后,我将其连接到适配器并转储了完整的转储。不幸的是,我没有专业的设备,为此我使用了简易的材料。结果就是这样的“死虫”。好吧,实际上是连接器的引脚排列:引脚排列完成后,我研究了没有eMMC时处理器的行为。从日志判断,从eMMC引导失败后,ROM尝试从mSD卡加载代码。这令人鼓舞。我迅速将转储上传到mSD卡,并打开了控制台。一个小惊喜在这里等着我。 ROM从卡上下载了BL2代码并将控制权转移给它(这意味着eMMC的“启动”部分没有涉及,并且不需要root访问权限)。好了,转弯到U-Boot时,他抱怨了几次关于eMMC缺乏的问题(开发1),并且很长一段时间都没有想到他会停在码头。cmd store failed
Err imgread(L132):Fail to read 0x100000B from part[recovery] at offset 0
gxl_sx6b6x_768_v2#version
U-Boot 2015.01 (Nov 23 2018 - 15:50:35)
aarch64-none-elf-gcc (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 4.8.3 20131111 (prerelease)
GNU ld (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 2.23.2.20130610 Linaro 2013.10-4
gxl_sx6b6x_768_v2#
首先,它一点也不差。在使用终端进行一些实验之后,我将bootdelay = 5参数添加到“ env”部分,计算了新的校验和并将eMMC焊接回去。使用新选项,我希望U-Boot可以停止。但实际上,一切都不同。似乎U-Boot对此参数不感兴趣,并且引导过程与常规参数没有什么不同。很难过,因为对于我来说,采取连接eMMC的终端是必要的。稍加思考,我将DAT_0接地并插入了mSD卡。 ROM现在无法从eMMC加载代码并切换到mSD。以这种方式加载U-Boot之后,我打开了联系人并询问:gxl_sx6b6x_768_v2#mmc dev 1
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
[mmc_startup] mmc refix success
[mmc_init] mmc init success
mmc read lba=0x14000, blocks=0x400
Amlogic multi-dtb tool
Multi dtb detected
Multi dtb tool version: v2 .
Support 2 dtbs.
aml_dt soc: gxl platform: sx6b6x variant: 1g
dtb 0 soc: gxl plat: sx6b6x vari: 1g
dtb 1 soc: gxl plat: sx6b6x vari: 2g
Find match dtb: 0
start dts,buffer=0000000033ee4050,dt_addr=0000000033ee4850
parts: 11
00: logo 0000000002000000 1
01: recovery 0000000002000000 1
02: rsv 0000000000800000 1
03: tee 0000000000800000 1
04: crypt 0000000002000000 1
05: misc 0000000002000000 1
06: instaboot 0000000020000000 1
07: boot 0000000002000000 1
08: system 0000000050000000 1
09: cache 0000000040000000 2
10: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 2400000 4000000 0
2: cache 6c00000 40000000 2
3: env 47400000 800000 0
4: logo 48400000 2000000 1
5: recovery 4ac00000 2000000 1
6: rsv 4d400000 800000 1
7: tee 4e400000 800000 1
8: crypt 4f400000 2000000 1
9: misc 51c00000 2000000 1
10: instaboot 54400000 20000000 1
11: boot 74c00000 2000000 1
12: system 77400000 50000000 1
13: data c7c00000 10a400000 4
mmc read lba=0x12000, blocks=0x2
mmc read lba=0x12002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
switch to partitions #0, OK
mmc1(part 0) is current device
gxl_sx6b6x_768_v2#
U-Boot没有抗拒,愉快地切换到eMMC。我当然看了bootdelay参数中的内容。而不是我的五个,我又看到了0.好像U-Boot在某个地方写下了0,以防万一有人突然改变那里的东西。但这不再让我感兴趣,因此eMMC的主题已关闭。注意:连接器有一个引脚,您可以在不焊接芯片的情况下连接到eMMC。为此,您需要一个带有电压转换器的特殊适配器,因为 eMMC控制器在1V8上运行,如果将普通的SD适配器连接到3V3,则存在烧毁1V8总线上的组件的风险。还必须除去此电阻器,否则处理器将干扰适配器。缺少组件
要完全访问U-Boot终端,我必须做两件事:进入DeviceTree机顶盒,并说服U-Boot放弃与内核验证有关的Security Monitor服务。对于第一次启动,最好有原始内核,以免浪费时间调试新内核。获得DeviceTree非常容易。我问:gxl_sx6b6x_768_v2#emmc dtb_read 0x1000000 0x40000
read emmc dtb
gxl_sx6b6x_768_v2#
他在我的口袋里。U-Boot需要详细分析。从日志中可以看到,U-Boot本身最初是在0x1000000处加载和解密的,随后又将自身转移到0x36ES8000(偏移量)。我丢弃了U-Boot,并在IDA中对其进行了分析。当然,我对从bootm命令访问安全监视器的位置感兴趣。在
这里X0-AML_D_P_IMG_DECRYPTX1-nLoadAddrX2-GXB_IMG_SIZEX3-GXB_IMG_DEC_ALL要删除原始内核转储,您必须通过imgread函数将其加载到内存中,并修改bootm,以便在调用aml_sec_boot_check之后,立即从地址0x1080000开始向终端发出内存(这当然不是唯一的方法)。为此,我编写了一段代码并将其下载到正确的位置。这是发生的情况(当然,我无法提供完整的日志):gxl_sx6b6x_768_v2#imgread kernel boot
[imgread]szTimeStamp[2019121002280214]
[imgread]secureKernelImgSz=0x977000
gxl_sx6b6x_768_v2#bootm
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
Ready for dumping kernel
41 4e 44 52 4f 49 44 21 20 d8 7b 20 20 20 08 01 | ANDROID!
除了内核之外,我还获得了ramdisk(如果有重要的驱动程序或固件,例如WiFi),它会派上用场。我不再是Android
对于我的软件的第一次启动,我从原始内核制作了uImage,在Busybox的基础上构建了rootfs,并使用了自己的dtb。我直接从USB驱动器中加载了所有三个部分,并运行了“ bootm”命令,之前禁用了解密和图像验证。gxl_sx6b6x_768_v2#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
scanning usb for storage devices... 1 Storage Device(s) found
gxl_sx6b6x_768_v2#mw.l 0x37ed240c 0xd2800000
gxl_sx6b6x_768_v2#fatload usb 0:1 0x1000000 dtb.img
reading dtb.img
40960 bytes read in 43 ms (929.7 KiB/s)
gxl_sx6b6x_768_v2#fatload usb 0:1 0x2000000 uImage
reading uImage
8116288 bytes read in 4197 ms (1.8 MiB/s)
gxl_sx6b6x_768_v2#fatload usb 0:1 0x3000000 rootfs.img.uboot
reading rootfs.img.uboot
1041462 bytes read in 563 ms (1.8 MiB/s)
gxl_sx6b6x_768_v2#bootm 0x2000000 0x3000000 0x1000000
ee_gate_off ...
## Booting kernel from Legacy Image at 02000000 ...
Image Name: S905X Original
Image Type: AArch64 Linux Kernel Image (gzip compressed)
Data Size: 8116224 Bytes = 7.7 MiB
Load Address: 01080000
Entry Point: 01080000
Verifying Checksum ... OK
## Loading init Ramdisk from Legacy Image at 03000000 ...
Image Name: Root Filesystem
Image Type: AArch64 Linux RAMDisk Image (gzip compressed)
Data Size: 1041398 Bytes = 1017 KiB
Load Address: 033d1200
Entry Point: 033d1200
Verifying Checksum ... OK
Amlogic multi-dtb tool
Single dtb detected
load dtb from 0x1000000 ......
## Flattened Device Tree blob at 01000000
Booting using the fdt blob at 0x1000000
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02258fd0
Loading Ramdisk to 33db8000, end 33eb63f6 ... OK
Loading Device Tree to 000000001fff3000, end 000000001ffff8f4 ... OK
fdt_instaboot: no instaboot image
Starting kernel ...
uboot time: 136710682 us
[ 0.000000@0] Initializing cgroup subsys cpu
[ 0.000000@0] Initializing cgroup subsys cpuacct
[ 0.000000@0] Linux version 3.14.29 (build@build2) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #1 SMP PREEMPT Thu Sep 12 21:24:53 MSK 2019
[ 0.000000@0] CPU: AArch64 Processor [410fd034] revision 4
[ 6.302659@2] meson_uart c81004c0.serial: ttyS0 use xtal(8M) 24000000 change 115200 to 115200
# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 wp half thumb fastmult vfp edsp neon vfpv3 tlsi vfpv4 idiva idivt
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210c84009f59911c4b4db4a25faffcbc
#
越狱
由于U-Boot已针对更改的env参数进行了免疫(这不仅涉及“ bootdelay”),因此不可能通过env影响启动过程,并且为了加载其软件,必须将前缀连接到计算机。这个选项根本不适合我。分析了整个加载链后,此命令引起了我的注意:init_display=osd open;osd clear;imgread pic logo bootup $loadaddr;bmp display $bootup_offset;bmp scale
特别是:imgread pic logo bootup $loadaddr
其中U-Boot正在加载地址“ addaddr = 0x1080000”的某个“启动”资源。资源本身是用以下结构描述的:struct resource_header{
unsigned int magic;
unsigned int hcrc;
unsigned int size;
unsigned int start;
unsigned int end;
unsigned int next;
unsigned int dcrc;
unsigned char index;
unsigned char nums;
unsigned char type;
unsigned char comp;
char name[32];
}
当然,“大小”和“开始”参数很有趣。从它们以及“ loadaddr”参数开始,U-Boot解析了三个新参数,可直接从eMMC读取。当然,理想情况下,他当然是从0x000B00C0的“徽标”部分下载了一张图片到0x1130000的内存中...我想我的想法已经明确了。我解析了新的参数“大小”和“开始”,并编写了代码,并将其保存在eMMC中。经过这样的操作,U-Boot不再读取图片,而是立即获得控制权的漏洞利用。该漏洞由汇编器中的几行组成。LDR X21, printf
ADR X0, .message
BLR X21
LDR X21, run_command
ADR X0, .command
MOV X1,#0x0
BLR X21
.align 4
printf: .quad 0x37EE50A0
.align 4
run_command: .quad 0x37EE9BA0
.align 4
.message: .string "\nJailbreaking BL3-3...\n"
.align 4
.command: .string "fatload mmc 0:1 0x1000000 uboot.bin; go 0x1000000"
他从mSD卡的第一部分读取了uboot.bin并将控制权转移给了它(uboot.bin是一个新收集的未加密的U-Boot。当然,可以使用本机修改过的U-Boot)。事实证明,引导过程返回到BL3-1解密原始U-Boot并将控制权转移到该位置的地方。仅这次,未签名的代码已经在运行。现在,从eMMS的下载看起来像这样(最后一个片段):Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
Jailbreaking BL3-3...
card in
[mmc_init] mmc init success
reading uboot.bin
408579 bytes read in 28 ms (13.9 MiB/s)
## Starting application at 0x01000000 ...
U-Boot 2017.11-02414-g9b5924abf2-dirty (Mar 01 2020 - 22:17:58 +0100) p212
DRAM: 1 GiB
MMC: mmc@72000: 0, mmc@74000: 1
reading uboot.env
In: serial@4c0
Out: serial@4c0
Err: serial@4c0
[BL31]: tee size: 0
[BL31]: tee size: 0
Net:
Warning: ethernet@c9410000 (eth0) using random MAC address - 22:10:89:5b:74:85
eth0: ethernet@c9410000
Hit any key to stop autoboot: 2 0
=> version
U-Boot 2017.11-02414-g9b5924abf2-dirty (Mar 01 2020 - 22:17:58 +0100) p212
aarch64-elf-gcc (Linaro GCC 7.2-2017.11) 7.2.1 20171011
GNU ld (Linaro_Binutils-2017.11) 2.28.2.20170706
=>
结论
为了使前缀不会闲置在架子上,我决定将LibreElec放在上面。新组装的图像几乎立即发布,没有任何问题。最终,内核完成了一个小文件,安装了WiFi和远程控制驱动程序,并重做了关机功能。一切正常,但后来我想起了该控制台还支持蓝牙,这在LibreElec中自然不起作用。尽管我不需要它,但我仍然决定对其进行设置以补充图片。板载的是Ampak的AP6255芯片,该芯片负责WiFi和蓝牙。 UART蓝牙已连接至ttyS1,但该芯片未响应任何HCI命令,并假装死了。此外,在本机内核上,该芯片按预期对团队做出了响应。该芯片的文档非常差,可以从那里提取所有引脚。首先,我检查了芯片电源和BT_WAKE引脚。一切都很正常。在测试了驱动程序本身和ttyS1端口后,我没有得到任何结果-该芯片作为一个游击队没有声音,我将示波器连接到了它。我在上面检查并比较了所有电子UART信号(RTS,TXD,RXD,CTS)。一切都很正常。接下来,我检查了重置序列,该序列由rfkill控制(这些是BT_WAKE和BT_REGON引脚)。但是这里一切都很好。然后,我检查了LPO引脚,根据文档,此处应输入32.768KHz频率的信号,但即使在这里,我也看到了示波器上的信号。总的来说,一切都井井有条,但该芯片无法与我的内核配合使用。花了几天的时间拆卸了原始的UART驱动程序后,我返回到LPO信号并测量其频率。结果显示为26KHz。怎么了wifi_dt驱动程序负责此信号,在我的核心中此信号未正确生成频率。我拆开了原来的驱动程序,然后从那里接管了pwm信号的初始化,然后……芯片变得栩栩如生(后来我找到了带有正确信号的该驱动程序的版本)。因此,该芯片已经准备好进行进一步的调整,但是我不知道如何使它处于警报状态,因为我没有找到任何驱动程序/固件/文档。在最初的Android中,使用蓝牙时,除了rfkill之外,内核日志中没有任何内容。这是可以理解的,因为没有内核驱动程序,并且启动是在用户级别进行的。必须以某种方式获取Android本身的日志,为此,需要对该设备进行root访问。为此,我天真地在系统部分添加了必要的设置并打开了adb。但是在这种情况下,Android注意到出了点问题,并且根本拒绝启动,而是指那里的一些操作……嗯,不,不。我通过简单地在其中包含sh来恢复了系统分区并重做了rootfs。在随后的启动之后,我在终端中具有root用户访问权限。这就是芯片初始化的方式。5759 5781 I bt_hci_h4: hal_open
5759 5781 I bt_userial_vendor: userial vendor open: opening /dev/ttyS1
5759 5781 E bt_userial_vendor: userial vendor open success!!
5759 5781 I bt_userial_vendor: device fd = 52 open
5759 5781 I bt_hwcfg: bt vendor lib: set UART baud 2000000
5759 5781 I bt_hwcfg: FW prepatch file: /etc/bluetooth/4335/bcm4335_prepatch.hcd
5759 5781 I bt_hwcfg: bt vendor lib: loading prepatch /etc/bluetooth/4335/bcm4335_prepatch.hcd
5759 5781 D bt_hwcfg: Chipset BCM4335A0
5759 5781 D bt_hwcfg: Target name = [BCM4335A0]
5759 5781 I bt_hwcfg: FW patchfile: /etc/bluetooth/4335/bcm4335.hcd
5759 5781 I bt_hwcfg: bt vendor lib: set UART baud 115200
5759 5781 D bt_hwcfg: Settlement delay -- 200 ms
5759 5781 I bt_hwcfg: Setting fw settlement delay to 200
5759 5781 I bt_hwcfg: bt vendor lib: set UART baud 2000000
5759 5781 I bt_hwcfg: Setting local bd addr to 22:22:99:F7:B6:BD
5759 5781 I bt_hwcfg: vendor lib fwcfg completed
该信息足以编写执行相同操作的程序。最后一步是启动hciattach,LibreElec正确识别了蓝牙。现在,设备已完全配置。如果有人感兴趣,这是完成的图像。