diff --git a/docs/LK_IMG_FASTBOOT_ANALYSIS.md b/docs/LK_IMG_FASTBOOT_ANALYSIS.md new file mode 100644 index 00000000..ff296de6 --- /dev/null +++ b/docs/LK_IMG_FASTBOOT_ANALYSIS.md 
@@ -0,0 +1,447 @@ +# LK.img Binary Analysis — Fastboot Commands & Configuration Reference + +## Overview + +This document contains the results of a binary analysis of the `lk.img` (Little Kernel bootloader) image for the **MT6768 (Helio P65/G85)** platform, device codename **lamu** (Motorola Moto E32/E32s). + +### Image Information + +| Field | Value | +|-------|-------| +| **File** | `lk.img` | +| **Size** | 1,561,200 bytes (1.49 MB) | +| **Architecture** | ARM 32-bit, Little Endian | +| **Platform** | MT6768 (`=platform:mt6768`) | +| **Product** | lamu (Motorola) | +| **Build ID** | `lamu-2102d01c7f-20250107221720-20250108011733` | +| **Source** | `app/mt_boot/fastboot.c` | + +### Analysis Tools Used + +- **hexdump** — Header structure and raw binary pattern analysis +- **strings** — ASCII/UTF-8 string extraction and command enumeration +- **radare2 (r2)** — Binary analysis, string cross-referencing with offsets, ARM disassembly + +--- + +## Fastboot Standard Commands + +These are the core fastboot protocol commands registered in the LK bootloader command handler table (offsets `0xAE700`–`0xAEB00`): + +| Command | Description | +|---------|-------------| +| `getvar:` | Query a device variable (see Variables section below) | +| `download:` | Download data to the device (for flash/boot operations) | +| `flash:` | Flash a downloaded image to the specified partition | +| `erase:` | Erase the specified partition | +| `boot` | Boot a downloaded boot image without flashing | +| `set_active:` | Set the active boot slot (A/B devices) | +| `reboot-bootloader` | Reboot back into bootloader/fastboot mode | +| `reboot-recovery` | Reboot into recovery mode | +| `reboot-fastboot` | Reboot into fastbootd (userspace fastboot) | +| `flashing unlock` | Unlock the bootloader | +| `flashing lock` | Lock the bootloader | +| `flashing get_unlock_ability` | Query whether OEM unlocking is allowed | +| `continue` | Resume normal boot | + +--- + +## Fastboot OEM Commands + +### Device 
Information Commands + +| Command | Description | Offset | +|---------|-------------|--------| +| `oem cid` | Get device CID (Carrier ID) | `0xB4CF8` | +| `oem cid digest` | Get CID digest/hash | `0xB4D00` | +| `oem flashinfo` | Display flash/storage information | `0xB4D24` | +| `oem get_socid` | Get SoC unique identifier | `0xAEA08` | +| `oem lks` | Get lock state information | `0xAE9C4` | +| `oem md5` | Compute MD5 checksum | `0xB4D10` | +| `oem sha256` | Compute SHA-256 checksum | `0xB4D18` | +| `oem keepalive` | Keep the fastboot session alive | `0xB4CE8` | +| `oem key` | Device key operations | `0xAE9BC` | + +### Configuration Read Commands (`oem get`) + +| Command | Description | +|---------|-------------| +| `oem fac get` | Get factory mode status | +| `oem barcode get` | Get device barcode | +| `oem batterysn get` | Get battery serial number | +| `oem carrier get` | Get carrier/operator name | +| `oem dualsim get` | Get dual SIM configuration | +| `oem wallpaper get` | Get wallpaper configuration ID | + +### Configuration Write Commands (`oem config `) + +| Command | Description | Valid Inputs | +|---------|-------------|--------------| +| `oem config fac` | Set factory mode | Integer value (0/1) | +| `oem config barcode` | Set device barcode | String | +| `oem config batterysn` | Set battery serial number | String | +| `oem config carrier` | Set carrier/operator | String | +| `oem config dualsim` | Set dual SIM configuration | Integer value | +| `oem config wallpaper` | Set wallpaper ID | Integer value | +| `oem config batt_mfgdate` | Set battery manufacture date | Date string | +| `oem config batt_firstdate` | Set battery first charge date | Date string | +| `oem config batt_firstusagedate` | Set battery first usage date | Date string | +| `oem config ship_dirty` | Set ship dirty flag | Integer value (0/1) | + +### System Control Commands + +| Command | Description | +|---------|-------------| +| `oem continue` | Continue normal boot | +| `oem shutdown` | 
Power off the device | +| `oem set_active` | Set active boot slot (A/B) | +| `oem off-mode-charge` | Configure off-mode charging behavior | +| `oem efuse enable` | Enable eFuse programming | + +### Debug & Diagnostic Commands + +| Command | Description | +|---------|-------------| +| `oem p2u` | UART logging control | +| `oem printk-ratelimit` | Kernel printk rate limiting control | +| `oem dump_pllk_log` | Dump preloader/LK boot log | +| `oem usb2jtag` | Enable USB-to-JTAG debug interface (triggers reboot) | +| `oem scp_status` | Get SCP (System Control Processor) status | +| `oem scp_log_thru_ap_uart` | Route SCP logs through AP UART | + +### Memory Dump (mrdump) Commands + +| Command | Description | +|---------|-------------| +| `oem mrdump` | Trigger memory dump | +| `oem mrdump-output-set` | Set mrdump output device | +| `oem mrdump-file-allocate` | Pre-allocate mrdump file | +| `oem mrdump_chkimg` | Verify mrdump image integrity | + +### Ultra Flash Commands + +| Command | Description | +|---------|-------------| +| `oem ultraflash:` | Ultra-fast flash operation with arguments | +| `oem ultraflash_en` | Enable ultra flash mode | + +### Security Management Commands + +| Command | Description | +|---------|-------------| +| `oem hw frontcolor` | Get hardware front color/variant | +| `oem ssm disable-thinkshield` | Disable Lenovo ThinkShield security | +| `oem ssm disable-zerotouch` | Disable Android Zero Touch enrollment | + +--- + +## Fastboot Variables (`getvar`) + +### Standard Protocol Variables + +| Variable | Description | Example Value | +|----------|-------------|---------------| +| `version-preloader` | Preloader version | — | +| `version-bootloader` | Bootloader (LK) version | `0.5` | +| `version-baseband` | Modem/baseband version | — | +| `product` | Product name | `lamu` | +| `variant` | Device variant | — | +| `serialno` | Device serial number | — | +| `secure` | Secure boot state | — | +| `unlocked` | Bootloader unlock status | `yes`/`no` | +| 
`max-download-size` | Maximum download buffer size | hex value | +| `erase-block-size` | Erase block size | hex value | +| `logical-block-size` | Logical block size | hex value | +| `is-userspace` | Whether in userspace fastboot | `yes`/`no` | +| `warranty` | Warranty bit status | `yes`/`no` | + +### Slot (A/B) Variables + +| Variable | Description | +|----------|-------------| +| `current-slot` | Currently active slot | +| `slot-count` | Number of slots (typically 2) | +| `has-slot:` | Whether partition supports A/B | +| `has-slot:preloader` | Preloader A/B support | +| `slot-successful:a` | Slot A boot success status | +| `slot-successful:b` | Slot B boot success status | +| `slot-unbootable:a` | Slot A unbootable flag | +| `slot-unbootable:b` | Slot B unbootable flag | +| `slot-retry-count:a` | Slot A remaining boot retries | +| `slot-retry-count:b` | Slot B remaining boot retries | + +### Partition Variables + +| Variable | Description | +|----------|-------------| +| `partition-size:` | Size of specified partition | +| `partition-type:` | Type/filesystem of specified partition | + +### Battery & Hardware Variables + +| Variable | Description | +|----------|-------------| +| `battery-voltage` | Current battery voltage (mV) | +| `battery-soc-ok` | Battery state-of-charge OK | +| `battery-sn` | Battery serial number | +| `hw-revision` | Hardware revision | +| `off-mode-charge` | Off-mode charge status | + +### Device-Specific Variables (Tinno/Motorola) + +| Variable | Description | +|----------|-------------| +| `securestate` | Security state | +| `imei` | Primary IMEI | +| `imei2` | Secondary IMEI | +| `meid` | Mobile Equipment Identifier | +| `pcb-part-no` | PCB part number | +| `ro.carrier` | Carrier information | +| `dualsim` | Dual SIM status | +| `facmode` | Factory mode status | +| `pcba-rev` | PCBA revision | +| `fdr-allowed` | Factory Data Reset allowed | +| `zero-touch` | Zero Touch enrollment status | +| `security_patch` | Security patch level | +| 
`boot-allow_status` | Boot allow flag status | +| `boot-allow_need` | Boot allow requirement | +| `flash-allow_status` | Flash allow flag status | +| `flash-allow_need` | Flash allow requirement | +| `ro.build.fingerprint[0-3]` | Build fingerprint segments | + +--- + +## Valid Partitions + +The following partition names were extracted from the LK binary and are valid targets for `flash:` and `erase:` commands: + +| Partition | Description | +|-----------|-------------| +| `preloader` | First-stage bootloader | +| `lk` / `lk_a` / `lk_b` | Little Kernel bootloader (A/B) | +| `boot` / `boot_a` / `boot_b` | Kernel + ramdisk (A/B) | +| `recovery` | Recovery image | +| `dtbo` | Device Tree Blob Overlay | +| `vbmeta` | Verified Boot metadata | +| `logo` | Boot logo image | +| `system` | System partition | +| `vendor` | Vendor partition | +| `super` | Dynamic partitions super image | +| `userdata` | User data partition | +| `cache` | Cache partition | +| `metadata` | Filesystem metadata | +| `misc` | Misc/BCB (Boot Control Block) | +| `proinfo` | Product info (carrier, SN, config) | +| `nvram` | Non-volatile RAM data | +| `nvcfg` | NV configuration | +| `persist` | Persistent data | +| `seccfg` | Security configuration | +| `efuse` | eFuse data | +| `expdb` | Exception database | +| `md1img` | Modem 1 firmware | +| `spmfw` | SPM firmware | +| `sspm` | SSPM firmware | +| `scp` | SCP firmware | + +--- + +## Boot States + +The LK bootloader recognizes the following Android Verified Boot (AVB) states: + +| State | Description | Meaning | +|-------|-------------|---------| +| **Green** | Fully verified | Device is locked, boot image signature verified | +| **Yellow** | Self-signed | Boot image signed with non-OEM key, user has confirmed | +| **Orange** | Unlocked | Bootloader is unlocked, images may be modified | +| **Red** | Verification failed | Image verification failed completely | +| **Unknown** | Undetermined | State could not be determined | + +--- + +## Boot Modes + +| 
Mode | Description | +|------|-------------| +| **FASTBOOT** | Fastboot command interface mode | +| **META** | MediaTek META mode (factory/engineering) | +| **RECOVERY** | Android Recovery mode | +| **DOWNLOAD** | Download mode | +| **Kernel Power Off Charging** | Off-mode charging | + +--- + +## Device Variants + +The LK image supports the following device variants: + +| Variant | Description | +|---------|-------------| +| `lamu` | Base model | +| `lamu_g` / `lamu_ge` / `lamu_gp` / `lamu_gpe` / `lamu_gr` | Global/regional variants | +| `lamul` | Lite model | +| `lamul_g` / `lamul_ge` / `lamul_gi` / `lamul_gjpn` / `lamul_gr` | Lite global/regional variants | + +### Compatible SoC Models + +MT6767V/CA, MT6767V/CB, MT6767V/WA, MT6767V/WB, MT6768, MT6768V/CA, MT6768V/CB, MT6768V/WA, MT6768V/WB, MT6769L, MT6769V/CA, MT6769V/CB, MT6769V/CT, MT6769V/CU, MT6769V/CY, MT6769V/CZ, MT6769V/WA, MT6769V/WB, MT6769V/WT, MT6769V/WU, MT6769V/WY, MT6769V/WZ + +--- + +## OEM DevInfo Command Line Properties + +These properties are appended to the kernel command line by the LK bootloader: + +| Property | Description | +|----------|-------------| +| `oem_devinfo.chgpower=` | Charger power level | +| `oem_devinfo.nfcexist=` | NFC hardware presence | +| `oem_devinfo.batterysn=` | Battery serial number | +| `oem_devinfo.bootmode=` | Boot mode identifier | +| `oem_devinfo.lcdres=` | LCD resolution ID | +| `oem_devinfo.hwsku=` | Hardware SKU ID | + +--- + +## MRDump Configuration Values + +Valid configuration values for `oem mrdump-output-set` and `oem mrdump-file-allocate`: + +| Parameter | Valid Values | +|-----------|-------------| +| `mrdump_allocate_size` | `0`, `halfmem`, `fullmem`, or custom size string | +| `mrdump_config.dump_type` | Dump type string | +| `mrdump_config.output_dev` | Output device path | +| `mrdump_config.mem_size` | Memory size for dump | +| `mrdump_config.lbaooo` | LBA offset for pre-allocated file | + +--- + +## Binary Structure (Hexdump Analysis) + +### LK 
Image Header (offset 0x000) + +``` +00000000 88 16 88 58 54 7a 15 00 6c 6b 00 00 00 00 00 00 + ^^ ^^ image name: "lk" +00000030 89 16 89 58 00 02 0000 01 00 00 00 00 00 00 00 + ^^ ^^ ^^ ^^ ^^ entry count + code offset (0x200) +``` + +- **Image magic**: `0x58881688` (MTK image header) +- **Image name**: `lk` +- **Code offset**: `0x200` (512 bytes) — ARM vector table starts at offset `0x200` +- **Architecture**: ARM 32-bit (identified by ARM branch instructions `EA` at offset `0x200`) + +### ARM Vector Table (offset 0x200) + +``` +00000200 07 00 00 ea → B reset_handler (Reset) +00000204 ab 92 00 ea → B undef_handler (Undefined Instruction) +00000208 b1 92 00 ea → B swi_handler (Software Interrupt) +0000020c b7 92 00 ea → B prefetch_handler (Prefetch Abort) +00000210 bd 92 00 ea → B data_handler (Data Abort) +00000214 c3 92 00 ea → B reserved_handler (Reserved) +00000218 c3 92 00 ea → B irq_handler (IRQ) +0000021c da 92 00 ea → B fiq_handler (FIQ) +``` + +### Fastboot Command Table (offset ~0xAE860) + +The fastboot command dispatch strings are located at offset region `0xAE860`–`0xAEB00`: + +``` +000ae860 66 6c 61 73 68 3a → "flash:" +000ae868 65 72 61 73 65 3a → "erase:" +000ae870 6f 65 6d 20 70 72 69... → "oem printk-ratelimit" +000ae888 72 65 62 6f 6f 74 2d... → "reboot-bootloader" +000ae89c 72 65 62 6f 6f 74 2d... → "reboot-recovery" +000ae8ac 72 65 62 6f 6f 74 2d... → "reboot-fastboot" +000ae96c 64 6f 77 6e 6c 6f 61... → "download:" +000ae9cc 66 6c 61 73 68 69 6e... → "flashing unlock" +000ae9dc 66 6c 61 73 68 69 6e... → "flashing lock" +000aeaa8 73 65 74 5f 61 63 74... 
→ "set_active:" +``` + +--- + +## Quick Reference: Common Usage Examples + +```bash +# Query device info +fastboot getvar product +fastboot getvar serialno +fastboot getvar unlocked +fastboot getvar current-slot +fastboot getvar max-download-size +fastboot getvar battery-voltage +fastboot getvar warranty +fastboot getvar securestate + +# Slot management +fastboot getvar slot-count +fastboot getvar current-slot +fastboot set_active a +fastboot set_active b +fastboot getvar slot-successful:a +fastboot getvar slot-retry-count:a + +# Partition operations +fastboot getvar partition-size:boot +fastboot getvar partition-type:system +fastboot flash boot boot.img +fastboot flash dtbo dtbo.img +fastboot flash vbmeta vbmeta.img +fastboot erase userdata +fastboot erase cache + +# OEM commands +fastboot oem lks +fastboot oem get_socid +fastboot oem flashinfo +fastboot oem cid +fastboot oem fac get +fastboot oem barcode get +fastboot oem batterysn get +fastboot oem carrier get +fastboot oem dualsim get +fastboot oem wallpaper get +fastboot oem config carrier +fastboot oem config dualsim +fastboot oem off-mode-charge <0|1> +fastboot oem shutdown +fastboot oem keepalive + +# Bootloader lock/unlock +fastboot flashing get_unlock_ability +fastboot flashing unlock +fastboot flashing lock + +# Debug +fastboot oem p2u +fastboot oem usb2jtag +fastboot oem dump_pllk_log +fastboot oem scp_status +fastboot oem printk-ratelimit + +# Memory dump +fastboot oem mrdump +fastboot oem mrdump-output-set +fastboot oem mrdump-file-allocate +fastboot oem mrdump_chkimg + +# Security +fastboot oem efuse enable +fastboot oem ssm disable-thinkshield +fastboot oem ssm disable-zerotouch +fastboot oem md5 +fastboot oem sha256 + +# Reboot commands +fastboot reboot +fastboot reboot-bootloader +fastboot reboot-recovery +fastboot reboot-fastboot +fastboot oem continue +```
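Review bot: the Image Information table and the header dump in this hunk disagree on the image size, and one of them needs correcting or explaining. The table gives `Size | 1,561,200 bytes`, but the MTK header's payload-size word at offset 0x04 in the dump (`54 7a 15 00`) decodes little-endian to 0x157A54 = 1,407,572 bytes; either the table should state the file size and the header size separately, or the document should say what occupies the remaining 153,628 bytes. Related, the second dump line `00000030 89 16 89 58 00 02 0000 01 00 ...` has a broken byte grouping (`0000` should be `00 00`), and its caret annotation reads "entry count + code offset (0x200)" while the bullet list below it calls the same `00 02 00 00` field the code offset of 0x200; pick one name for that field and drop the "entry count" label unless the analysis actually located such a field. The dispatch-table offset range is also stated inconsistently: the Fastboot Standard Commands section says `0xAE700`–`0xAEB00`, the Binary Structure section says `0xAE860`–`0xAEB00`, and the radare2 listing only shows strings from `0xAE860` onward. Finally, in the Quick Reference block, commands that take an argument per the tables above (`fastboot oem config carrier`, `fastboot oem config dualsim`, `fastboot oem mrdump-output-set`, `fastboot oem mrdump-file-allocate`) are listed bare, while `fastboot oem off-mode-charge <0|1>` shows a placeholder; use placeholders consistently (e.g. `fastboot oem config carrier <string>`) so readers do not copy an argument-less form, and consider moving `oem hw frontcolor` out of the "Security Management Commands" table, since its own description is a hardware-variant query.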