Preface
Notes
Procedure
cd amss/MSM8917.LA.3.0.1/common/sectools/resources/data_prov_assets/General_Assets/Signing
############################################################
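# Key-related file suffixes:
# csr: certificate signing request generated from the private key
# crt: digital certificate
# der: the crt converted to DER format
############################################################
Generate the CA key and CA certificate
Generate the CA key: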
openssl genrsa -out oem_rootca.key -3 2048
Generate the certificate:
openssl req -new -key oem_rootca.key -x509 -out oem_rootca.crt -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM rootca"/CN="OEM ROOT CA" -days 7300 -set_serial 1 -config ./openssl/opensslroot.cfg
Output:
oem_rootca.key : CA private key
oem_rootca.crt : CA root certificate (self-signed)
############################################################
Generate the attestation CA key and certificate
Generate the attestation CA private key:
openssl genrsa -out oem_attestca.key -3 2048
Generate the attestation CA certificate signing request (CSR):
openssl req -new -key oem_attestca.key -out oem_attest.csr -subj /C="US"/ST="CA"/L="SANDIEGO"/O="OEM"/OU="General OEM attestation CA"/CN="OEM attestation CA" -days 7300 -config ./openssl/opensslroot.cfg
Sign the request with the CA certificate and CA key to issue the X.509 certificate:
openssl x509 -req -in oem_attest.csr -CA oem_rootca.crt -CAkey oem_rootca.key -out oem_attestca.crt -set_serial 5 -days 7300 -extfile ./openssl/v3.ext
Convert the PEM certificates to DER encoding:
openssl x509 -in oem_rootca.crt -inform PEM -out oem_rootca.cer -outform DER
openssl x509 -in oem_attestca.crt -inform PEM -out oem_attestca.cer -outform DER
Rename the files:
mv oem_rootca.key qpsa_rootca.key
mv oem_attestca.key qpsa_attestca.key
mv oem_rootca.cer qpsa_rootca.cer
mv oem_attestca.cer qpsa_attestca.cer
###################################################################################
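# Summary of what each file is for:
# qpsa_rootca.key # CA root private key
# qpsa_rootca.cer # CA certificate used for signing
# qpsa_attestca.key # attestation CA private key
# qpsa_attestca.cer # attestation CA certificate, issued by signing with the CA certificate and CA key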
###################################################################################
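Change permissions (777 makes the private keys readable and writable by every local user; on a shared build host, restrict the .key files to the signing account instead):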
chmod 777 qpsa*
chmod 777 oem*
Compute the SHA-256 hash of the CA certificate:
openssl dgst -sha256 qpsa_rootca.cer
SHA256(qpsa_rootca.cer)= fbd4de360136046bbf581dc5eff178e1f716188e6834da714e485695230d00f3
###############################################################
# Modify amss\MSM8917.LA.3.0.1\common\sectools\config\8917\8917_fuseblower_USER.xml
<entry ignore="false">
<description>contains the OEM public key hash as set by OEM</description>
<name>root_cert_hash</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>fbd4de360136046bbf581dc5eff178e1f716188e6834da714e485695230d00f3</value>
<!--wangjun@wind-mobi.com modefy - b-->
</entry>
<entry ignore="false">
<description>PK Hash is in Fuse for SEC_BOOT1 : Apps</description>
<name>SEC_BOOT1_PK_Hash_in_Fuse</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>true</value>
<!--wangjun@wind-mobi.com modefy - b-->
</entry>
<entry ignore="false">
<description>PK Hash is in Fuse for SEC_BOOT2 : MBA</description>
<name>SEC_BOOT2_PK_Hash_in_Fuse</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>true</value>
<!--wangjun@wind-mobi.com modefy - b-->
</entry>
<entry ignore="false">
<description>PK Hash is in Fuse for SEC_BOOT3 : MPSS</description>
<name>SEC_BOOT3_PK_Hash_in_Fuse</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>true</value>
<!--wangjun@wind-mobi.com modefy - b-->
</entry>
<entry ignore="false">
<description>The OEM hardware ID</description>
<name>oem_hw_id</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>0x1234</value>
<!--wangjun@wind-mobi.com modefy - b-->
</entry>
<entry ignore="false">
<description>The OEM product ID</description>
<name>oem_product_id</name>
<!--wangjun@wind-mobi.com modefy - b-->
<value>0x0001</value>
<!--wangjun@wind-mobi.com modefy - e-->
</entry>
# Modify amss\MSM8917.LA.3.0.1\common\sectools\config\8917\8917_secimage.xml
<selected_signer>local</selected_signer>
<selected_encryptor>unified_encryption_2_0</selected_encryptor>
<!--wangjun@wind-mobi.com modefy - b-->
<selected_cert_config>old_presigned_certs</selected_cert_config>
<!--wangjun@wind-mobi.com modefy - b-->
<cass_capability>secboot_sha2_root</cass_capability>
// This field defines the directory where the crt files are located:
//\amss\MSM8937.LA.3.0\common\sectools\resources\data_prov_assets\Signing\Local\oem_presigned_certs-key2048_exp65537
<key_size>2048</key_size>
<exponent>65537</exponent>
<!--wangjun@wind-mobi.com modefy - b-->
<image sign_id="cmnlib" name="cmnlib_30.mbn" image_type="elf_has_ht">
<!--wangjun@wind-mobi.com modefy - b-->
<!--wangjun@wind-mobi.com modefy - b-->
<image sign_id="cmnlib64" name="cmnlib64_30.mbn" image_type="elf_has_ht">
<!--wangjun@wind-mobi.com modefy - b-->
<!--wangjun@wind-mobi.com modefy - b-->
<image sign_id="keymaster" name="keymaster64.mbn" image_type="elf_has_ht">
<!--wangjun@wind-mobi.com modefy - b-->
# Modify amss\MSM8917.LA.3.0.1\common\sectools\config\8917\8917_fuseblower_OEM.xml
<fuse ignore="false" n="1">
<address>0x000a0158</address>
<operation>BLOW</operation>
<field id="OEM_HW_ID">
<!--wangjun@wind-mobi.com modefy - b-->
<value>0x1234</value>
<!--wangjun@wind-mobi.com modefy - b-->
<bits>15:0</bits>
</field>
<field id="OEM_PRODUCT_ID">
<!--wangjun@wind-mobi.com modefy - b-->
<value>0x0001</value>
<!--wangjun@wind-mobi.com modefy - b-->
<bits>31:16</bits>
</field>
</fuse>
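A pre-flight check for the values edited above, as an added example (not part of the original notes and not sectools code): it compares root_cert_hash with the SHA-256 of the DER root certificate, confirms the three PK_Hash_in_Fuse flags, and checks that oem_hw_id and oem_product_id agree between the USER and OEM files and fit their bit ranges. The function name preflight, the <fuseblower> wrapper element and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

def _children(elem):
    """Map child tag (namespace stripped) -> stripped text."""
    return {c.tag.rsplit('}', 1)[-1]: (c.text or '').strip() for c in elem}

def _find(xml_text, tag):
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit('}', 1)[-1] == tag]

def preflight(der_bytes, user_xml, oem_xml):
    """Return a list of problems; an empty list means the inputs agree."""
    user = {}
    for e in _find(user_xml, 'entry'):
        if e.get('ignore') == 'false':
            kv = _children(e)
            user[kv.get('name')] = kv.get('value', '')
    oem = {f.get('id'): _children(f) for f in _find(oem_xml, 'field')}
    problems = []
    configured = user.get('root_cert_hash', '').lower()
    if not re.fullmatch(r'[0-9a-f]{64}', configured):
        problems.append('root_cert_hash is not 64 hex digits')
    elif configured != hashlib.sha256(der_bytes).hexdigest():
        problems.append('root_cert_hash != SHA-256 of the DER root certificate')
    for n in ('SEC_BOOT1', 'SEC_BOOT2', 'SEC_BOOT3'):
        if user.get(n + '_PK_Hash_in_Fuse') != 'true':
            problems.append(n + '_PK_Hash_in_Fuse is not true')
    for entry, fid in (('oem_hw_id', 'OEM_HW_ID'), ('oem_product_id', 'OEM_PRODUCT_ID')):
        if fid not in oem or entry not in user:
            problems.append(entry + ' / ' + fid + ' missing')
            continue
        value = int(oem[fid]['value'], 16)
        hi, lo = (int(b) for b in oem[fid]['bits'].split(':'))
        if value >= 1 << (hi - lo + 1):
            problems.append('%s does not fit in bits %d:%d' % (fid, hi, lo))
        if int(user[entry], 16) != value:
            problems.append(entry + ' differs between USER and OEM config')
    return problems

# Constructed sample input: stand-in bytes, not a real certificate or config file.
SAMPLE_DER = b'constructed stand-in for qpsa_rootca.cer'
SAMPLE_USER = '<fuseblower>' + ''.join(
    '<entry ignore="false"><name>%s</name><value>%s</value></entry>' % nv for nv in [
        ('root_cert_hash', hashlib.sha256(SAMPLE_DER).hexdigest()),
        ('SEC_BOOT1_PK_Hash_in_Fuse', 'true'), ('SEC_BOOT2_PK_Hash_in_Fuse', 'true'),
        ('SEC_BOOT3_PK_Hash_in_Fuse', 'true'), ('oem_hw_id', '0x1234'),
        ('oem_product_id', '0x0001')]) + '</fuseblower>'
SAMPLE_OEM = ('<fuseblower><fuse ignore="false" n="1"><address>0x000a0158</address>'
              '<field id="OEM_HW_ID"><value>0x1234</value><bits>15:0</bits></field>'
              '<field id="OEM_PRODUCT_ID"><value>0x0001</value><bits>31:16</bits></field>'
              '</fuse></fuseblower>')
if __name__ == '__main__':
    print(preflight(SAMPLE_DER, SAMPLE_USER, SAMPLE_OEM) or 'consistent')
```

For real use, pass the bytes of qpsa_rootca.cer and the text of the two fuseblower XML files before generating sec.dat.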
# Copy the keys
Copy the four generated files
qpsa_rootca.key qpsa_attestca.key qpsa_rootca.cer qpsa_attestca.cer
to the following directory:
amss\MSM8937.LA.3.0\common\sectools\resources\data_prov_assets\Signing\Local\old_presigned_certs-key2048_exp65537
Current directory: src/amss/MSM8917.LA.3.0.1/common/sectools/resources/data_prov_assets/General_Assets/Signing
cp -auv ../../Signing/Local/qti_presigned_certs-key2048_exp65537/ ../../Signing/Local/old_presigned_certs-key2048_exp65537/
mv qpsa* ../../Signing/Local/old_presigned_certs-key2048_exp65537/
mv oem* ../../Signing/Local/old_presigned_certs-key2048_exp65537/
###############################################################
Generate sec.dat
cd amss/MSM8917.LA.3.0.1/common/sectools
python sectools.py fuseblower -e config/8917/8917_fuseblower_OEM.xml -q config/8917/8917_fuseblower_QTI.xml -u config/8917/8917_fuseblower_USER.xml -g verbose -vvv
###############################################################
Validate sec.dat
python sectools.py fuseblower --oem_config_path=config/8917/8917_fuseblower_OEM.xml --qti_config_path=config/8917/8917_fuseblower_QTI.xml --user_config_path=config/8917/8917_fuseblower_USER.xml --secdat=common_output/v2/sec.dat --validate
###############################################################
List the images that can be signed
python sectools.py secimage -h --chipset 8917 --sign_id LIST
Config path is set to: /home/wangjun/work/E300L_WW_1107_eng/src/amss/MSM8917.LA.3.0.1/common/sectools/config/8917/8917_secimage.xml
Chipset is set to: 8917
Sign-ids available for chipset "8917":
1. sbl1
2. vip
3. prog_emmc_firehose_ddr
4. prog_emmc_firehose_lite
5. validated_emmc_firehose_ddr
6. validated_emmc_firehose_lite
7. qsee
8. appsbl
9. adsp
10. mba
11. modem
12. rpm
13. wcnss
14. venus
15. devcfg
16. smplap32
17. smplap64
18. isdbtmm
19. widevine
20. playready
21. cmnlib
22. cmnlib64
23. keymaster
24. mdtp
25. fingerprint
26. fingerprint64
27. dhsecapp
28. qmpsecap
29. macchiato_sample
30. cppf
31. efs_tar
32. mcfg_hw
33. mcfg_sw
###############################################################
Image signing
Images that need signing and their locations:
Note: every image listed in <target>_secimage.xml must be signed; the location of each image is given in contents.xml.
sbl1.mbn : BOOT.BF.3.3/boot_images/build/ms/bin/LAASANAZ/
DigestsToSign.bin.mbn : none
prog_emmc_firehose_8917_ddr.mbn : BOOT.BF.3.3/boot_images/build/ms/bin/LAADANAZ/
prog_emmc_firehose_8917_lite.mbn : none
validated_emmc_firehose_8917_ddr.mbn : none
validated_emmc_firehose_8917_lite.mbn : none
tz.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
emmc_appsboot.mbn : LINUX/android/out/target/product/msm8937_64/
adsp.mbn : ADSP.8953.2.8.4_8917/adsp_proc/obj/8937/signed/
mba.mbn : MPSS.JO.3.0/modem_proc/build/ms/bin/8937.genns.prod/
qdsp6sw.mbn : MPSS.JO.3.0/modem_proc/build/ms/bin/8937.genns.prod
rpm.mbn : RPM.BF.2.2/rpm_proc/build/ms/bin/8917/
wcnss.mbn : CNSS.PR.4.0/wcnss_proc/build/ms/bin/8937/reloc
venus.mbn : VIDEO.VE_ULT.3.1/venus_proc/build/bsp/asic/build/PROD/mbn/reloc/signed/
devcfg.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
smplap32.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
smplap64.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
isdbtmm.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
widevine.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
playread.mbn
cmnlib_30.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
cmnlib64_30.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
keymaster64.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
mdtp.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
fingerprint.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
fingerprint64.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
dhsecapp.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
qmpsecap.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
macchiato_sample.mbn
cppf.mbn : TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/
fs_image.tar.gz.mbn
mcfg_hw.mbn
mcfg_sw.mbn
# Script for signing images one at a time
#!/bin/bash
OUT_PATH=secimage_output_13
##python sectools.py secimage -i ../../../BOOT.BF.3.3/boot_images/build/ms/bin/LAASANAZ/sbl1.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../RPM.BF.2.2/rpm_proc/build/ms/bin/8917/rpm.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../BOOT.BF.3.3/boot_images/build/ms/bin/LAADANAZ/prog_emmc_firehose_8917_ddr.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/tz.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../../out/target/product/E300L_WW/emmc_appsboot.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/devcfg.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/cmnlib_30.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/cmnlib64_30.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
##python sectools.py secimage -i ../../../TZ.BF.4.0.5_8917/trustzone_images/build/ms/bin/ZALAANAA/keymaster64.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
#### python sectools.py secimage -i ../../../ADSP.8953.2.8.4_8917/adsp_proc/build/dynamic_signed/8937/adspso.bin -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/sbl1.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/rpm.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/prog_emmc_firehose_8917_ddr.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/tz.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/emmc_appsboot.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/devcfg.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/cmnlib_30.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/cmnlib64_30.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i amss_images/keymaster64.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
## python sectools.py secimage -i ../../../ADSP.8953.2.8.4_8917/adsp_proc/build/dynamic_signed/8937/adspso.bin -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
# Sign everything:
python sectools.py secimage -m ../../../MSM8917.LA.3.0.1 -p 8917 -o secimage_output_16 -sa
######################################################################
# QFIL cannot download
# Deviceprogrammer_initialize.c (amss\boot.bf.3.3\boot_images\core\storage\tools\deviceprogrammer_ddr\src\firehose)
void deviceprogrammer_init_hw()
//#ifndef SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM
#if 0
// This check below is to ensure that only VIP programmer is run on secure boot devices
// In otherwords, signing the non VIP programmer is highly not recommended
if (FALSE == isValidationMode() && TRUE == isAuthenticationEnabled())
{
strlcat(err_log, "Secure boot detected. VIP not enabled:fail ", sizeof(err_log));
}
#endif
######################################################################
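# Modem does not work properly:
Symptoms:
1. Under System > About phone > Software information, the modem version is shown as Unknown.
2. fs_image cannot be opened on the phone through QPST / PDC.
3. In addition, if the mcfg_hw/mcfg_sw.mbn in use are not signed, the SIM card is detected but the network is not.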
// amss/MPSS.JO.3.0/modem_proc/core/storage/fs_tar/src/fs_tar.c
fs_tar_validate_sw_key (uint8 *current_root_key, uint32 hash_len)
{
uint32 dummy_key_len;
uint8 result = 0;
int cmp_result;
// Replace with the value from the generated signing key (the root certificate hash): fbd4de360136046bbf581dc5eff178e1f716188e6834da714e485695230d00f3
/* THE BELOW DUMMY KEY SHOULD NOT BE MODIFIED */
//yutao@wind-mobi.com modefy the hash key -b
uint8 fs_dummy_key[] = \
{0xfb ,0xd4 ,0xde ,0x36 ,0x01 ,0x36 ,0x04 ,0x6b, \
0xbf ,0x58 ,0x1d ,0xc5 ,0xef ,0xf1 ,0x78 ,0xe1, \
0xf7 ,0x16 ,0x18 ,0x8e ,0x68 ,0x34 ,0xda ,0x71, \
0x4e ,0x48 ,0x56 ,0x95 ,0x23 ,0x0d ,0x00 ,0xf3};
// {0xd5, 0x85, 0x22, 0xcd, 0x60, 0x2a, 0x50, 0x1c, \
// 0x3a, 0x79, 0x8d, 0x20, 0x15, 0x33, 0xae, 0x31, \
// 0xf9, 0x24, 0x27, 0x2b, 0x0b, 0x76, 0xf1, 0x59, \
// 0xfe, 0x81, 0x75, 0x3b, 0x5f, 0xcf, 0xce, 0x60};
// {0xB5, 0x3F, 0xB2, 0x3d, 0x19, 0x53, 0xDE, 0xCB, \
// 0x95, 0x92, 0x8f, 0xe6, 0x57, 0x55, 0x6c, 0xEA, \
// 0x6E, 0xDA, 0xB3, 0x44, 0x4D, 0xC7, 0x08, 0xC0, \
// 0x19, 0x05, 0x7C, 0xBA, 0xF8, 0xC6, 0x2D, 0x4A};
dummy_key_len = sizeof (fs_dummy_key);
// amss/MPSS.JO.3.0/modem_proc/core/storage/fs_tar/src/fs_signed_img_param_8937.c
#include "fs_signed_img_param.h"
// {0xfb ,0xd4 ,0xde ,0x36 ,0x01 ,0x36 ,0x04 ,0x6b, \
// 0xbf ,0x58 ,0x1d ,0xc5 ,0xef ,0xf1 ,0x78 ,0xe1, \
// 0xf7 ,0x16 ,0x18 ,0x8e ,0x68 ,0x34 ,0xda ,0x71, \
// 0x4e ,0x48 ,0x56 ,0x95 ,0x23 ,0x0d ,0x00 ,0xf3}
// {0xB5, 0x3F, 0xB2, 0x3d, 0x19, 0x53, 0xDE, 0xCB, \
// 0x95, 0x92, 0x8f, 0xe6, 0x57, 0x55, 0x6c, 0xEA, \
// 0x6E, 0xDA, 0xB3, 0x44, 0x4D, 0xC7, 0x08, 0xC0, \
// 0x19, 0x05, 0x7C, 0xBA, 0xF8, 0xC6, 0x2D, 0x4A}
// {0xd5, 0x85, 0x22, 0xcd, 0x60, 0x2a, 0x50, 0x1c, \
// 0x3a, 0x79, 0x8d, 0x20, 0x15, 0x33, 0xae, 0x31, \
// 0xf9, 0x24, 0x27, 0x2b, 0x0b, 0x76, 0xf1, 0x59, \
// 0xfe, 0x81, 0x75, 0x3b, 0x5f, 0xcf, 0xce, 0x60}
#ifndef FS_SIGNED_IMG_ROOT_HASH
#define FS_SIGNED_IMG_ROOT_HASH \
{0xfb ,0xd4 ,0xde ,0x36 ,0x01 ,0x36 ,0x04 ,0x6b, \
0xbf ,0x58 ,0x1d ,0xc5 ,0xef ,0xf1 ,0x78 ,0xe1, \
0xf7 ,0x16 ,0x18 ,0x8e ,0x68 ,0x34 ,0xda ,0x71, \
0x4e ,0x48 ,0x56 ,0x95 ,0x23 ,0x0d ,0x00 ,0xf3}
#endif
#ifndef FS_SIGNED_IMG_MSM_HW_ID
#define FS_SIGNED_IMG_MSM_HW_ID 0x0004F0E112340001 // equals serial number + oem_id + model_id
#endif
#ifndef FS_SIGNED_IMG_SOFTWARE_ID
#define FS_SIGNED_IMG_SOFTWARE_ID 0x000000000000001B // 1B is the same value as in the secimage XML file 8937_secimage.xml: <image sign_id="efs_tar" name="fs_image.tar.gz.mbn" image_type="mbn_40b">
#endif
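A check for the modem constants above, as an added example (not part of the original notes and not Qualcomm code): it converts the certificate hash to a C initializer, parses an initializer back while skipping the commented-out alternatives, and splits FS_SIGNED_IMG_MSM_HW_ID into its upper 32 bits (which the notes call the serial number), oem_id and model_id so they can be compared with the fuse configuration. All function names are assumptions; the sample values are the ones shown on this page.

```python
import re

def hash_to_c_initializer(hex_digest, per_line=8):
    """Format a SHA-256 hex digest as a C byte-array initializer."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError('expected a 32-byte SHA-256 digest')
    rows = [', '.join('0x%02x' % b for b in raw[i:i + per_line])
            for i in range(0, len(raw), per_line)]
    return '{' + ', \\\n '.join(rows) + '}'

def c_initializer_to_hex(c_text):
    """Parse the bytes out of a C initializer, ignoring // commented-out lines."""
    live = '\n'.join(l for l in c_text.splitlines() if not l.lstrip().startswith('//'))
    body = live[live.index('{') + 1:live.index('}')]
    return ''.join('%02x' % int(t, 16) for t in re.findall(r'0[xX][0-9a-fA-F]{1,2}', body))

def split_msm_hw_id(hw_id):
    """Split the 64-bit ID into (upper 32 bits, oem_id, model_id)."""
    return hw_id >> 32, (hw_id >> 16) & 0xFFFF, hw_id & 0xFFFF

def check_modem_constants(cert_hash_hex, c_array_text, hw_id, oem_hw_id, oem_product_id):
    """Return a list of mismatches between the modem source and the fuse config."""
    problems = []
    if c_initializer_to_hex(c_array_text) != cert_hash_hex.lower():
        problems.append('root hash array differs from the certificate hash')
    _, oem_id, model_id = split_msm_hw_id(hw_id)
    if oem_id != oem_hw_id:
        problems.append('oem_id 0x%04x != oem_hw_id 0x%04x' % (oem_id, oem_hw_id))
    if model_id != oem_product_id:
        problems.append('model_id 0x%04x != oem_product_id 0x%04x' % (model_id, oem_product_id))
    return problems

# Values copied from this page.
PAGE_HASH = 'fbd4de360136046bbf581dc5eff178e1f716188e6834da714e485695230d00f3'
PAGE_ARRAY = r'''
{0xfb ,0xd4 ,0xde ,0x36 ,0x01 ,0x36 ,0x04 ,0x6b, \
0xbf ,0x58 ,0x1d ,0xc5 ,0xef ,0xf1 ,0x78 ,0xe1, \
0xf7 ,0x16 ,0x18 ,0x8e ,0x68 ,0x34 ,0xda ,0x71, \
0x4e ,0x48 ,0x56 ,0x95 ,0x23 ,0x0d ,0x00 ,0xf3}
'''
PAGE_HW_ID = 0x0004F0E112340001

if __name__ == '__main__':
    print(check_modem_constants(PAGE_HASH, PAGE_ARRAY, PAGE_HW_ID, 0x1234, 0x0001) or 'consistent')
    print(hash_to_c_initializer(PAGE_HASH))
```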
######################################################################
# Fingerprint does not work properly:
// Z:\work\A306_eng\src\amss\MSM8917.LA.3.0.1\common\sectools\config\8917\8917_secimage.xml
<!--/- b-->
<image sign_id="mafp" name="mafp.mbn" image_type="elf_has_ht">
<general_properties_overrides>
<sw_id>0x000000000000000C</sw_id>
<app_id>0x0000000000000BBB</app_id>
</general_properties_overrides>
<pil_split>true</pil_split>
<meta_build_location>$(FILE_TYPE:download_file, ATTR:cmm_file_var, VAR:MAFP_BINARY)</meta_build_location>
</image>
<image sign_id="sw_fp" name="sw_fp.mbn" image_type="elf_has_ht">
<general_properties_overrides>
<sw_id>0x000000000000000C</sw_id>
<app_id>0x0000000000000CCC</app_id>
</general_properties_overrides>
<pil_split>true</pil_split>
<meta_build_location>$(FILE_TYPE:download_file, ATTR:cmm_file_var, VAR:SW_FP_BINARY)</meta_build_location>
</image>
<image sign_id="fngap64" name="fngap64.mbn" image_type="elf_has_ht">
<general_properties_overrides>
<sw_id>0x000000000000000C</sw_id> <!-- keep this ID the same as for smplap32 and similar images, since they are all TAs -->
<app_id>0x0000000000000DDD</app_id> <!-- this ID must be unique -->
</general_properties_overrides>
<pil_split>true</pil_split>
<meta_build_location>$(FILE_TYPE:download_file, ATTR:cmm_file_var, VAR:FNGAP64_BINARY)</meta_build_location>
</image>
<!--/ - b-->
# Signing script
// D:\wangjun\Documents\Study\SecureBoot\fingerprint_sign8917_sign8937.sh
#!/bin/bash
OUT_PATH=fingerprint_output
curPWD=`pwd`
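# 1. Put the fingerprint binaries in the current directory: sw_fp.mbn fngap64.mbn mafp.mbn
# (this script is run from the 8917 sectools directory)
# 2. Sign the fingerprint images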
python sectools.py secimage -i sw_fp.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i fngap64.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i mafp.mbn -c config/8917/8917_secimage.xml -o $OUT_PATH -sa
cp sw_fp.mbn ../../../MSM8937.LA.3.0.1/common/sectools/
cp mafp.mbn ../../../MSM8937.LA.3.0.1/common/sectools/
cp fngap64.mbn ../../../MSM8937.LA.3.0.1/common/sectools/
cd ../../../MSM8937.LA.3.0.1/common/sectools/
python sectools.py secimage -i sw_fp.mbn -c config/8937/8937_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i fngap64.mbn -c config/8937/8937_secimage.xml -o $OUT_PATH -sa
python sectools.py secimage -i mafp.mbn -c config/8937/8937_secimage.xml -o $OUT_PATH -sa
cp $OUT_PATH $curPWD/ -av
# 3. Replace the corresponding fingerprint TA images in device/common/fingerprint with the signed files from fingerprint_output/8937