lildebil0/revvl7pro5g-unlock-root

GitHub: lildebil0/revvl7pro5g-unlock-root

Complete research archive for bootloader unlock and root of the REVVL 7 Pro 5G, covering ABL reverse engineering, verification of several CVEs, and Fastboot attack-surface analysis.

Stars: 3 | Forks: 0

- **[Negative results 2026-06-09](NEGATIVE_RESULTS_2026-06-09.md)**: 15 attack vectors tested on the T-Mobile A16 build, all blocked

# REVVL 7 Pro 5G: Unlock & Root

### REVVL 7 Pro 5G (TMRV07P5G / Pinehurst) bootloader unlock + root: complete research archive


Practical exploitation · Fastboot attack-surface map · full ABL reversal · 4 CVEs ruled out

   

## Core highlight: CVE-2026-24091/24092 confirmed

**`fastboot oem select-display-panel` accepts strings of 2KB+ with no validation.**

```
$ fastboot oem select-display-panel 0                    -> OKAY
$ fastboot oem select-display-panel AAAA...(256 chars)   -> OKAY   <- overflow!
$ fastboot oem select-display-panel BBBB...(1024 chars)  -> OKAY   <- overflow!
$ fastboot oem select-display-panel CCCC...(2048 chars)  -> OKAY   <- overflow!
$ fastboot oem select-display-panel EEEE...(4096 chars)  -> FAILED "Command length too long"
```

- **Handler**: `0x55618` in `LinuxLoader.efi`
- **Storage**: UEFI variable in the `uefivarstore` partition (512KB)
- **Attack**: two-stage. The value is set over fastboot; ABL reads it back on the next boot, causing a **stack buffer overflow**
- **Impact**: UEFI code execution (bypasses SELinux, verified boot and secure boot)

Caveat: the 4096-character failure may come from the host `fastboot` tool's own command-size limit rather than from ABL, so the device-side ceiling is only known to be at least 2048 characters. Because the stored value is parsed again at the next boot, have an EDL recovery path ready before leaving anything other than a known-good value in the variable.

Full analysis: [docs/cve-2026/abl-fastboot-exploits.md](docs/cve-2026/abl-fastboot-exploits.md).

## Coverage map

### ABL open source (boot-chain CVEs)

| CVE | Severity | Vector | On this device? |
|-----|----------|--------|-----------------|
| **CVE-2026-24091** | HIGH 7.2 | `oem select-display-panel` overflow | **Confirmed** |
| **CVE-2026-24092** | HIGH 7.2 | `oem select-display-panel` append | **Confirmed** |
| CVE-2026-24085 | HIGH 7.2 | Display cmdline overlength | Needs research |
| CVE-2026-24087 | HIGH 7.2 | `oem gpu-preemption` | Not present |
| CVE-2026-24088 | **CRIT 8.2** | efisp boot auth bypass | No `efisp` partition |
| CVE-2026-24089 | HIGH 7.2 | `oem set-hw-fence-value` | Not present |
| CVE-2026-24090 | HIGH 7.1 | Disable VB2 via GPT | Blocked (auth required) |

### Qualcomm closed source

| CVE | Severity | Area | Triggerable from shell? |
|-----|----------|------|-------------------------|
| **CVE-2026-25276** | **CRIT 8.8** | Strongbox EoP | Yes (PR:L), but /dev/qseecom is blocked |
| **CVE-2026-25277** | **CRIT 8.8** | Strongbox overflow | Yes (PR:L), but /dev/qseecom is blocked |
| CVE-2025-59605 | HIGH 7.8 | HLOS OOB write | Yes (PR:L) |
| CVE-2025-47392 | **CRIT 8.8** | GPS integer overflow | Adjacent |
| CVE-2025-47407 | HIGH 7.8 | DSP Service TOCTOU | Yes (PR:L) |
| CVE-2026-25259/260 | HIGH 7.8 | DSP Service | Yes (PR:L) |

### Dead CVEs (confirmed not exploitable)

| CVE | Why dead | Documented in |
|-----|----------|---------------|
| CVE-2025-21479 (cheese) | GPU firmware V020 already patched | [docs/abl-re/cheese-exploit-detail.md](docs/abl-re/cheese-exploit-detail.md) |
| CVE-2025-40214 (AF_UNIX) | Kernel 5.10 not affected | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |
| CVE-2026-0073 (adbd RCE) | Shell already obtained | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |
| CVE-2025-38352 (Netfilter) | Blocked by SELinux | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |
| CVE-2026-24087/24089 | Commands do not exist | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |
| CVE-2026-24088 (efisp) | No `efisp` partition | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |
| CVE-2026-24090 (VB2) | Flashing blocked by auth | [docs/cve-2026/dead-cves.md](docs/cve-2026/dead-cves.md) |

## Device snapshot

| Field | Value |
|-------|-------|
| Model | T-Mobile **REVVL 7 Pro 5G** (TMRV07P5G) |
| Codename | Pinehurst |
| SoC | Qualcomm SM6450 (Snapdragon 6 Gen 1) |
| GPU | Adreno 710 v1 (firmware V020, cheese blocked) |
| ODM | Wingtech |
| Android | 16 (API 36) |
| Build | BQ2A.250925.001 / 823AA1_W_V020 |
| **SPL** | **2026-04-05** (not patched as of June 2026) |
| Kernel | 5.10.236-android12-9 |
| ADB | BS88823AA14C0301150 |
| Bootloader | **Locked** |
| AVB | green, 1.2, RSA-4096 |
| Verified boot | green |
| SecureBoot | Enabled |
| SELinux | Enforcing |
| adbd | shell user (not root) |

## Repository layout (50+ files, 3500+ lines)

```
.
+- README.md                        - This file
+- LICENSE                          - MIT
+- DISCLAIMER.md                    - Legal disclaimer
+- docs/
|  +- cve-2026/                     - CVE-2026 ABL exploits
|  |  +- abl-fastboot-exploits.md   - CVE-2026-24085-24092
|  |  +- qualcomm-june-2026-cves.md - Qualcomm closed-source CVEs
|  |  +- strongbox-eop.md           - CVE-2026-25276/25277 deep dive
|  |  +- dead-cves.md               - 4 dead CVEs (cheese, AF_UNIX, etc)
|  |  +- exploit-priority-queue.md  - Attack order
|  +- abl-re/                       - ABL static reverse engineering (V016 baseline)
|  |  +- lock-architecture.md       - Full architectural map
|  |  +- key-lifecycle.md           - HSM-to-device key chain
|  |  +- v016-deep-dive.md          - V016 ABL findings
|  |  +- auth-flow.md               - 3-stage T-Mobile auth
|  |  +- architecture.md            - ELF -> UEFI FV -> PE32+
|  |  +- findings.md                - Full analysis
|  |  +- methodology.md             - Research methodology
|  |  +- avb-chain.md               - AVB chain (RSA-4096 root)
|  |  +- phone-probes.md            - Runtime probes
|  |  +- cheese-exploit-detail.md   - Cheese V020 patch analysis
|  |  +- keymint-strongbox-probe.md - KeyMint/Strongbox research
|  +- kernel/                       - Kernel attack surface
|  |  +- kernel-modules.md          - 190+ modules analyzed
|  |  +- kernel-cve-survey.md       - Kernel CVE survey
|  +- sibling-devices/              - Sibling SM6450 + Wingtech devices
|  |  +- sibling-intel.md           - TCL 50 XL/XE/V3, Coolpad CP12
|  +- research-notes/               - Research path notes
|  |  +- a14-v046-search-queries.md
|  +- phone-probes/                 - Live device probes
|  |  +- live-device-results.md     - getprop dump
|  |  +- engineernetwork-apk.md     - EngineerNetwork APK reverse
|  +- ru/                           - Russian translations
|     +- architecture.md
|     +- auth-flow.md
|     +- avb-chain.md
|     +- findings.md
|     +- kernel-cve-survey.md
|     +- methodology.md
|     +- phone-probes.md
|     +- sibling-intel.md
+- data/
|  +- fastboot-enumeration.md       - 26 OEM commands tested
|  +- partition-sizes.md            - 79 partition sizes
|  +- abl-handler-table.md          - ABL handler addresses
|  +- dispatcher-table.md           - Full ABL dispatcher
|  +- unlock-state-machine.md       - DevInfo write state machine
|  +- code-snippets.md              - Decompiled C snippets
+- pubkeys/                         - 4 extracted RSA-2048 public keys
|  +- tmo_auth_pubkey.der           - T-Mobile AUTH key
|  +- tmo_factory_pubkey.der        - T-Mobile FACTORY key
|  +- tmo_edl_pubkey.der            - T-Mobile EDL key
|  +- tmo_new_pubkey.der            - V016 NEW key
|  +- tmo_new_pubkey.pem            - Same in PEM
|  +- *.info files                  - Analysis notes per key
|  +- pubkeys.md                    - Full key analysis
+- scripts/                         - Ghidra + Python analysis tools
|  +- README.md                     - Script usage
|  +- revvl_abl_verifier.py         - PE32+ analyzer
|  +- revvl_fv_extract.py           - QC MBN -> PE32+ unwrap
|  +- FindUnlockHandlers.java       - Ghidra: find unlock handlers
|  +- Stage2Analysis.java           - Ghidra: stage 2 analysis
|  +- Stage3DeepDive.java           - Ghidra: stage 3 deep dive
|  +- Stage4AuthHandlers.java       - Ghidra: stage 4 auth handlers
+- reproduce/                       - Reproduction + probes
   +- extraction.md                 - How to extract ABL from OTA
   +- edl-research.md               - EDL mode (9008) research
   +- fastboot_cve2026_probe.cmd    - CVE-2026 ABL probe
   +- probe-scripts/
      +- fastboot_oem_probe.cmd     - Read-only OEM enumeration
```

## Exploit priority queue

| # | CVE | Vector | Status | Next step | Doc |
|---|-----|--------|--------|-----------|-----|
| **1** | CVE-2026-24091/24092 | `oem select-display-panel` overflow | **Active** | Set up EDL recovery | [link](docs/cve-2026/abl-fastboot-exploits.md) |
| 2 | CVE-2026-25276/25277 | KeyMint -> Strongbox | Researching (blocked) | Needs drmrpc group | [link](docs/cve-2026/strongbox-eop.md) |
| 3 | CVE-2026-24090 | GPT -> disable VB2 | Blocked | None (auth required) | [link](docs/cve-2026/dead-cves.md) |
| 4 | CVE-2025-59605 | Device ID string | Researching | Find a settable string | [link](docs/cve-2026/qualcomm-june-2026-cves.md) |
| 5 | CVE-2025-47392 | GPS integer overflow | Researching | Test GPS service | [link](docs/cve-2026/qualcomm-june-2026-cves.md) |
| 6 | CVE-2026-21385 | GPU integer overflow | Researching | Verify V020 status | [link](docs/cve-2026/qualcomm-june-2026-cves.md) |

## T-Mobile carrier lock architecture

ABL chain: **PBL -> XBL -> ABL -> libavb -> kernel**

ABL has a **3-stage signature authentication** flow:

1. `oem auth_start` (handler `0x57f1c`): generates a nonce
2. The host signs the payload with the T-Mobile RSA-2048 private key
3. `oem permission <mode>` (handler `0x584f4`): verifies the signature
4. On success: writes the `is_unlocked` bit into DevInfo @ `0xda448 + 0xD`

| Public key | Algorithm | Used for |
|------------|-----------|----------|
| EDL (`E43538E6...`) | RSA-2048 | Hard-coded in `oem auth_start` |
| AUTH (`6633EF63...`) | RSA-2048 | Verified by `oem permission auth` |
| FACTORY (`D6786635...`) | RSA-2048 | Verified by `oem permission factory` |
| NEW (`cef06bcf...`) | RSA-2048 | Hard-coded in `oem factory_auth_start` (V016) |

All 4 keys are in the [pubkeys/](pubkeys/) directory (DER + PEM + info files).

**OEM Lock GUID**: `C0DD69AC-76BA-11E6-AB24-1FC7F5575F19` (Qualcomm custom namespace)

Full architecture: [docs/abl-re/lock-architecture.md](docs/abl-re/lock-architecture.md).

## Attack surface map (what works)

### Working OEM commands (no auth required)

- `oem select-display-panel <panel>`: **vulnerable** (CVE-2026-24091/24092)
- `oem device-info`: security-state information disclosure
- `oem enable/disable-charger-screen`: benign
- `oem off-mode-charge 0/1`: benign
- `oem auth_start`: generates the nonce for T-Mobile authentication
- `oem factory_auth_start`: generates the nonce for factory authentication
- `oem poweroff` / `oem shipmode`
- `getvar all`: full partition table dump

### Blocked (auth required)

- `flash <partition>`: "permission denied, auth needed"
- `erase <partition>`: "permission denied, auth needed"
- `oem zeroflag`: auth required
- `oem permission <mode>`: "wrong mode arg!" / "decrypt failed"

### Not present

- `oem gpu-preemption`: "unknown command"
- `oem set-hw-fence-value`: "unknown command"
- `fastboot boot <image>`: blocked by the device

## Related repositories

- [revvl7pro-bootloader-research](https://github.com/lildebil0/revvl7pro-bootloader-research): deep reversal of the V016 ABL, 4 RSA public keys, auth flow, dispatcher table (A14/V016)
- [revvl7pro5g-root](https://github.com/lildebil0/revvl7pro5g-root): Cheese GPU exploit (CVE-2025-21479) for V046 Android 14

## Search keywords

`revvl 7 pro 5g unlock`, `tmrv07p5g root`, `pinehurst bootloader`, `sm6450 exploit`, `cve-2026-24091`, `cve-2026-24092`, `qualcomm june 2026 bulletin`, `wingtech unlock`, `t-mobile carrier lock bypass`, `qualcomm strongbox exploit`, `abl oem select-display-panel`, `cve-2025-21479 cheese`, `pinehurst sm6450`, `tmobile rsu unlock`

## License

[MIT](LICENSE). Contains only static reverse engineering + fastboot command enumeration. No exploit payloads, no weaponized binaries.

**Maintainer**: [@lildebil0](https://github.com/lildebil0)
**Date**: 2026-06-08
**Device**: T-Mobile REVVL 7 Pro 5G (TMRV07P5G / Pinehurst / SM6450)
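The length sweep from the "Core highlight" section above, automated. This is an added example and not code from the repository: it sends `oem select-display-panel` arguments of increasing length, tells a device-side `FAILED` apart from a refusal by the host `fastboot` tool (which matters for the 4096-character case), and restores the baseline value afterwards because the stored variable is parsed again at the next boot. The transport is injectable so the logic can be exercised offline; the default transport shells out to the real `fastboot` binary. The baseline value `0`, the intermediate lengths and the host-error string matched below are assumptions.

```python
"""Length sweep for `fastboot oem select-display-panel` (added example)."""
import subprocess
from typing import Callable, List, Tuple

OEM_CMD = "select-display-panel"
BASELINE = "0"  # assumption: the value the README uses as its known-good baseline
# README lengths plus intermediate steps to narrow the device-side ceiling.
DEFAULT_LENGTHS = [256, 512, 1024, 2048, 3072, 4000, 4096]
Transport = Callable[[str], str]  # takes the argument string, returns fastboot's output


def make_payload(length: int, fill: str = "A") -> str:
    """Printable argument of exactly `length` characters."""
    if length < 1:
        raise ValueError("length must be positive")
    return fill * length


def fastboot_transport(arg: str) -> str:
    """Send one `fastboot oem select-display-panel <arg>`; return stdout+stderr."""
    proc = subprocess.run(["fastboot", "oem", OEM_CMD, arg],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


def classify(output: str) -> str:
    """Collapse fastboot's output into one of four outcomes.

    OKAY / FAILED are replies from the bootloader. HOST_ERROR means the host
    tool refused to send the command at all (e.g. its own length limit), so
    that case says nothing about what ABL would accept.
    """
    if "OKAY" in output:
        return "OKAY"
    if "FAILED" in output:
        return "FAILED"
    if "error" in output.lower():
        return "HOST_ERROR"
    return "UNKNOWN"


def sweep(transport: Transport = fastboot_transport,
          lengths: List[int] = DEFAULT_LENGTHS) -> List[Tuple[int, str]]:
    """Probe each length in order; always restore BASELINE before returning."""
    results: List[Tuple[int, str]] = []
    try:
        for n in lengths:
            results.append((n, classify(transport(make_payload(n)))))
    finally:
        transport(BASELINE)  # do not leave an oversized value for the next boot
    return results


def max_accepted(results: List[Tuple[int, str]]) -> int:
    """Largest length the bootloader answered OKAY to (-1 if none)."""
    accepted = [n for n, status in results if status == "OKAY"]
    return max(accepted) if accepted else -1


if __name__ == "__main__":
    res = sweep()
    for n, status in res:
        print(f"{n:5d} chars -> {status}")
    print("largest accepted by the device:", max_accepted(res))
```

Run it only on a device you can recover over EDL: every `OKAY` leaves an oversized value in `uefivarstore` until the final restore, and an interrupted sweep is exactly the two-stage trigger the README describes.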
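A runnable model of the 3-stage authentication flow described under "T-Mobile carrier lock architecture" above. This is an added example, not the repository's code and not a reconstruction of the ABL handlers: it reproduces the shape of the exchange (`auth_start` returns a nonce, the host signs it, `permission <mode>` verifies and only then writes DevInfo) together with the failure cases a reviewer would check (replayed signature, signature under the wrong key, signature for the wrong mode). A toy RSA key built from two well-known primes replaces the real RSA-2048 keys so the example runs offline; the nonce size, the signed message layout, the SHA-256 hashing, the error strings reused from the README, and the DevInfo buffer layout are assumptions.

```python
"""Toy model of the T-Mobile 3-stage unlock authentication (added example)."""
import hashlib
import os
from typing import Dict, Optional, Tuple

E = 65537
Key = Tuple[int, int]  # (modulus, exponent)


def toy_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA from two primes: returns (public, private). Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Stand-ins for the T-Mobile AUTH and FACTORY keys (~60-bit moduli, NOT secure).
AUTH_PUB, AUTH_PRIV = toy_keypair(1_000_000_007, 998_244_353)
FACTORY_PUB, FACTORY_PRIV = toy_keypair(2_147_483_647, 1_000_000_009)


def _digest(data: bytes, n: int) -> int:
    # Assumed scheme: SHA-256 of the message, reduced into the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


class ToyABL:
    """Device side: holds the public keys, the outstanding nonce and DevInfo."""
    IS_UNLOCKED_OFF = 0xD  # README: is_unlocked at DevInfo + 0xD (modelled as one byte)

    def __init__(self, pubkeys: Dict[str, Key]):
        self.pubkeys = pubkeys          # {"auth": ..., "factory": ...}
        self.devinfo = bytearray(0x20)  # assumed size; all zero = locked
        self.nonce: Optional[bytes] = None

    def oem_auth_start(self) -> Tuple[str, str]:
        """Stage 1: a fresh nonce per attempt (16 bytes assumed)."""
        self.nonce = os.urandom(16)
        return "OKAY", self.nonce.hex()

    def oem_permission(self, mode: str, sig_hex: str) -> Tuple[str, str]:
        """Stage 3: verify the host's signature, then write DevInfo."""
        if mode not in self.pubkeys:
            return "FAILED", "wrong mode arg!"
        if self.nonce is None:
            return "FAILED", "auth needed"
        nonce, self.nonce = self.nonce, None  # single use, whatever the outcome
        # Binding the mode into the message keeps AUTH and FACTORY signatures
        # from being swapped for each other.
        message = mode.encode() + nonce
        if not verify(self.pubkeys[mode], message, int(sig_hex, 16)):
            return "FAILED", "decrypt failed"
        self.devinfo[self.IS_UNLOCKED_OFF] = 1
        return "OKAY", "unlocked"

    def is_unlocked(self) -> bool:
        return self.devinfo[self.IS_UNLOCKED_OFF] == 1


def host_sign(priv: Key, mode: str, nonce_hex: str) -> str:
    """Stage 2: what the carrier's signing service would hand back."""
    return format(sign(priv, mode.encode() + bytes.fromhex(nonce_hex)), "x")


def run_exchange(abl: ToyABL, priv: Key, mode: str) -> Tuple[str, str]:
    """Full stage 1 to 3 round trip against one device object."""
    _, nonce_hex = abl.oem_auth_start()
    return abl.oem_permission(mode, host_sign(priv, mode, nonce_hex))


if __name__ == "__main__":
    abl = ToyABL({"auth": AUTH_PUB, "factory": FACTORY_PUB})
    print(run_exchange(abl, FACTORY_PRIV, "auth"), abl.is_unlocked())  # wrong key
    print(run_exchange(abl, AUTH_PRIV, "auth"), abl.is_unlocked())     # genuine key
```

The two properties worth noticing are that the nonce is consumed on the first `permission` call whether or not it verifies, so a captured signature cannot be replayed, and that nothing is written to DevInfo until the signature under the mode's own key checks out. Without the private key the only way past the check is to break the signature verification itself, which is why the README's attack surface starts before authentication, at unauthenticated OEM commands.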
Tags: bootloader unlock, cloud asset inventory, domain enumeration, Android privilege escalation, directory enumeration, mobile security, reversing tools, reverse engineering, Qualcomm