OnePlus Engineering Mode analysis

Prerequisite: the device is already rooted

mkdir fr
cd fr
adb pull /system/framework/arm64/
cd ..


adb pull /system/app/EngineeringMode/EngineeringMode.apk
adb pull /system/app/EngineeringMode/oat/arm64/EngineeringMode.odex
adb pull /system/lib64/libdiagdci.so

Extract the manifest and the other resources

~/utils/apktool/apktool d EngineeringMode.apk

com.oneplus.factorymode.nvbackup.OemHookManager
uses com.qualcomm.qcrilhook and com.qualcomm.qcnvitems

com.oneplus.factorymode.network.NetWorkSet

com.oneplus.factorymode.network.GsmInfo

com.oneplus.factorymode.network.NetWorkInfo

com.oneplus.factorymode.network.BandMode

com.oneplus.factorymode.network.BandMode2

com.oneplus.factorymode.IMeiAndPcbCheck

com.oneplus.factorymode.ShowEncryptImeiActivity (encrypts the IMEI)

com.oneplus.factorymode.qualcomm.QualCommActivity (shows the "back up NV" and "calibration status" buttons)

com.oneplus.factorymode.qualcomm.CalibrateStatus (calibration status)

com.oneplus.factorymode.qualcomm.QualCommNv (NV viewing function)

com.oneplus.factorymode.qualcomm.QualCommNv2 (another version of the same)

com.oneplus.factorymode.qualcomm.QualCommNvShow

com.oneplus.factorymode.qualcomm.InitTelcelNV

com.oneplus.factorymode.qualcomm.ClearTelcelnetlock

com.oneplus.factorymode.qualcomm.ModemTelcelnetlock

com.oneplus.factorymode.qualcomm.RecoverTelcelnetlock

com.oneplus.factorymode.qualcomm.HideSpecialApk

com.oneplus.factorymode.qualcomm.InstallSpecialApk

com.oneplus.factorymode.manualtest.SimCardTes

com.oneplus.factorymode.manualtest.CheckRootStatusActivity

———————————
cn.oneplus.nvbackup/.NVBackupUI
/system/app/NVBackupUI
———————————
Analysis of com.oneplus.factorymode.IMeiAndPcbCheck

java -jar ~/utils/apktool/oat2dex.jar EngineeringMode.odex fr/arm64/

Result: EngineeringMode.odex

mQcNvItems.getMEID();

mQcNvItems.getPcbNumber();

mQcNvItems.getEncryptImei()
mQcNvItems.getEncryptImei(byte slot_id);

TelephonyManager.getImei(int slot_id);

—————
Analysis of boot-qcnvitems.oat

cd fr/arm64
java -jar ~/utils/apktool/oat2dex.jar boot-qcnvitems.oat ./
Art version=88 (boot-qcnvitems.oat)
De-optimizing /system/framework/qcnvitems.jar
Output to oneplus/fr/arm64/qcnvitems.dex


java -jar ~/utils/apktool/oat2dex.jar boot-qcrilhook.oat ./
Art version=88 (boot-qcrilhook.oat)
De-optimizing /system/framework/qcrilhook.jar
Output to oneplus/fr/arm64/qcrilhook.dex

Opening qcnvitems.dex in JEB shows:

    public String getEncryptImei() throws IOException {
        QcNvItems.vLog(String.format("getEncryptImei()"));
        NvEncryptImeiType raw_imei = new NvEncryptImeiType(this.doNvRead(2500));
        QcNvItems.vLog(raw_imei.toDebugString());
        return raw_imei.getEncryptImei();
    }

The read targets NV item 2500.

getAnalogHomeSid NvRead(18)

IMSI_MIN1 doNvRead(32)
IMSI_MIN2 doNvRead(33)
IMSI_MCC doNvRead(176)
FTM_MODE doNvRead(453)

The actual read goes through:

mQcRilOemHook.sendQcRilHookMsg(561155, 0, slot_id);

This confirms that NV item 2500 stores the encrypted IMEI-1.
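The reads listed above were located by hand in JEB. To audit every doNvRead call in a decompiled tree at once, the scan below (an added example, not from these notes or from any OnePlus or Qualcomm code) resolves the constant loaded into the register that is passed to doNvRead in apktool/baksmali smali output. The sample smali is constructed, and the register numbers and the doNvRead(I)[B descriptor are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample smali modelled on the getEncryptImei() listing above;
# register numbers and the doNvRead(I)[B descriptor are assumptions.
SAMPLE_SMALI = """\
.method public getEncryptImei()Ljava/lang/String;
    invoke-static {v0}, Lcom/qualcomm/qcnvitems/QcNvItems;->vLog(Ljava/lang/String;)V
    const/16 v1, 0x9c4
    invoke-virtual {p0, v1}, Lcom/qualcomm/qcnvitems/QcNvItems;->doNvRead(I)[B
.end method
.method private getAnalogHomeSid()I
    const/16 v0, 0x12
    invoke-virtual {p0, v0}, Lcom/qualcomm/qcnvitems/QcNvItems;->doNvRead(I)[B
.end method
.method public getFtmMode()Z
    const/16 v3, 0x1c5
    invoke-virtual {p0, v3}, Lcom/qualcomm/qcnvitems/QcNvItems;->doNvRead(I)[B
.end method
"""

# NV item ids named in the notes above; anything else is reported as UNLISTED.
KNOWN_NV_ITEMS = {18: "ANALOG_HOME_SID", 32: "IMSI_MIN1", 33: "IMSI_MIN2",
                  176: "IMSI_MCC", 453: "FTM_MODE", 2500: "ENCRYPT_IMEI"}

METHOD_RE = re.compile(r"^\.method\s+.*?\s(\S+)\(")
CONST_RE = re.compile(r"^const(?:/4|/16|/high16)?\s+(v\d+|p\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)")
INVOKE_RE = re.compile(r"^invoke-\w+\s+\{([^}]*)\},\s*L[\w/$]+;->doNvRead\(")

def extract_nv_reads(smali: str) -> List[Tuple[str, int, str]]:
    """Return (method, nv_item_id, label) for each doNvRead call whose argument
    register was loaded with a constant earlier in the same method."""
    reads: List[Tuple[str, int, str]] = []
    regs: Dict[str, int] = {}
    method = "?"
    for raw in smali.splitlines():
        line = raw.strip()
        if m := METHOD_RE.match(line):
            method, regs = m.group(1), {}   # new method: register state starts fresh
        elif m := CONST_RE.match(line):
            regs[m.group(1)] = int(m.group(2), 0)
        elif m := INVOKE_RE.match(line):
            args = [a.strip() for a in m.group(1).split(",")]
            # args[0] is the receiver (p0); the NV item id is the next register
            if len(args) > 1 and args[1] in regs:
                nv_id = regs[args[1]]
                reads.append((method, nv_id, KNOWN_NV_ITEMS.get(nv_id, "UNLISTED")))
    return reads
```

Run extract_nv_reads over the smali files produced by apktool d (or by baksmali on the deodexed framework dex) to list every NV item an app touches; a register that is set by anything other than a const instruction is skipped rather than guessed.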