Data processing method and device, computer device and chip
By storing differential configuration files on the terminal and receiving target function enable commands, the target functions of the terminal are enabled, thus solving the problem of low efficiency in single-operator configuration in the existing technology and realizing efficient parallel configuration of multi-operator functions and data transmission integrity.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SPREADTRUM COMM (TIANJIN) INC
- Filing Date
- 2026-03-06
- Publication Date
- 2026-06-05
AI Technical Summary
The existing SIMLOCK solution only supports security data configuration for a single operator, which means that when terminal devices are deployed to multiple operator markets, they need to be redeployed through physical return to the factory, which is inefficient.
By acquiring the firmware update data packet corresponding to the operator configuration request, storing the differential configuration file, and receiving the target function enable instruction, the target function of the terminal is enabled based on the device identifier, thereby realizing the parallel configuration of multiple operator functions.
It improves the configuration efficiency of multi-carrier functions, and enhances the data transmission capabilities and integrity of the terminal.
Smart Images

Figure CN122160800A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of mobile communication technology, and in particular to a data processing method, apparatus, computer equipment, and chip. Background Technology
[0002] With the development of terminal technology in the mobile communication field, the SIMLOCK function has emerged. It is a protective mechanism for terminal security, and the deployment method and enabling efficiency of its security data directly affect the market circulation efficiency of terminal devices. Related technologies can utilize an online deployment mode based on a security server, sending SIMLOCK configuration data to terminal devices via an encrypted channel; or a local deployment method using production line tools, directly burning security data into the device during the production stage using dedicated equipment.
[0003] However, the current SIMLOCK solution only supports the configuration and enabling of security data for a single operator. When terminal devices need to be deployed to multiple operator markets, the production line deployment process must be re-executed through physical return to the factory, resulting in low efficiency in the functional deployment of the devices. Summary of the Invention
[0004] Therefore, it is necessary to provide a data processing method, apparatus, computer equipment, and chip that can improve the efficiency of multi-carrier function deployment for devices, addressing the aforementioned technical problems.
[0005] In a first aspect, this application provides a data processing method, including:
[0006] Obtain the firmware update data packet corresponding to the operator configuration request, and store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal based on the firmware update data packet;
[0007] Receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command;
[0008] In response to the verification of the enable status of the target function and the verification of the enable data of the target function, a terminal that meets the operator configuration request is obtained.
[0009] In one embodiment, the firmware update data packet is obtained by compiling a differential configuration file. The differential configuration file includes differential data and differential signature data corresponding to each operator. Each differential signature data is obtained by signing the differential data corresponding to each operator. Each differential data is generated in response to the operator configuration request, based on the obtained initial storage data and the device configuration data of each operator.
[0010] In one embodiment, receiving a target function enable command, in response to the target function enable command passing data verification, enables the target function of the terminal based on the device identifier corresponding to the target function enable command, including:
[0011] Receive a target function enable instruction sent by the server, the target function enable instruction carrying signature data and operator identifier;
[0012] The original device identifier of the terminal is read, and the hash data corresponding to the original device identifier is calculated. Based on the hash data and the operator identifier, concatenated data is obtained. In response to the concatenated data passing the verification, operator differential data is extracted from the target storage area based on the operator identifier.
[0013] In response to the operator differential data passing data verification, the target function enable function is populated based on the device identification data in the target storage area, and the target function is activated by calling the target function enable function.
[0014] In one embodiment, receiving a target function enable command, in response to the target function enable command passing data verification, enables the target function of the terminal based on the device identifier corresponding to the target function enable command, including:
[0015] Receive a target function update instruction sent by the enabling tool, the target function update instruction including the length of the operator differential data, the hash value, and the operator differential data;
[0016] In response to the operator differential data and target SIM card lock data passing verification, the processing result corresponding to the target function update instruction is returned to the enabling tool;
[0017] Receive update data sent by the enabling tool; in response to the update data passing verification, encrypt the update data to generate encrypted data, and add the encrypted data to the differential configuration file of the target storage area;
[0018] The differential configuration file is read back to obtain readback data. In response to the readback data being verified, the enable flag of the target function is enabled in the preset storage space of the terminal so as to enable the target function when the terminal restarts.
[0019] In one embodiment, the step of returning the processing result corresponding to the target function update instruction to the enabling tool in response to the verification of the operator differential data and the target SIM card lock data includes:
[0020] In response to the operator differential data passing the verification, the card lock data in the target storage area is updated using preset backup card lock data;
[0021] Calculate the hash value of each card data in the target storage area, and add the hash value to the target storage area;
[0022] The target storage area is read back to obtain the target lock card data. In response to the target lock card data passing the verification, the processing result corresponding to the target function update instruction is returned to the enabling tool.
[0023] In one embodiment, the method further includes:
[0024] Receive a function check command sent by the enabling tool, wherein the function check command includes at least target function enable data;
[0025] In the target storage area, read the enable flag data of the target function;
[0026] In response to the enable flag data being valid, the first plaintext data corresponding to the enable flag data is compared with the target function enable data;
[0027] In response to the first plaintext data matching the target function enable data, the enable state of the target function is determined to have passed the verification; or, in response to the first plaintext data not matching the target function enable data, the enable state of the target function is determined to have failed the verification.
[0028] In one embodiment, the method further includes:
[0029] Read the enable flag of the target function in the preset storage space of the terminal;
[0030] In response to the validity of the target function enable data corresponding to the enable flag, encryption and decryption processing is performed based on the encryption identifier of the terminal and the enable flag to generate second plaintext data; based on the second plaintext data, a new device identifier is obtained, and based on the new device identifier and the operator differential data, a first target hash value is calculated;
[0031] In response to the target hash value matching the original hash value corresponding to the second plaintext data, and the new device identifier matching the original device identifier corresponding to the second plaintext data, it is determined that the enable data of the target function has passed the verification.
[0032] Secondly, this application also provides a data processing apparatus, comprising:
[0033] The first acquisition module is used to acquire the firmware update data packet corresponding to the operator configuration request, and based on the firmware update data packet, store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal.
[0034] The first receiving module is configured to receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command;
[0035] The first determining module is used to obtain a terminal that meets the operator's configuration request in response to the verification of the enable status of the target function and the verification of the enable data of the target function.
[0036] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0037] Obtain the firmware update data packet corresponding to the operator configuration request, and execute the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal;
[0038] Receive the target function enable command, and in response to the target function enable command, pass the data verification and enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0039] In response to the successful verification of the enable status of the target function and the successful verification of the enable data of the target function, a terminal that meets the operator's configuration request is obtained.
[0040] Fourthly, this application also provides a chip, including a processor and a communication interface, wherein the processor is configured to cause the chip to perform:
[0041] Obtain the firmware update data packet corresponding to the operator configuration request, and execute the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal;
[0042] Receive the target function enable command, and in response to the target function enable command, pass the data verification and enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0043] In response to the successful verification of the enable status of the target function and the successful verification of the enable data of the target function, a terminal that meets the operator's configuration request is obtained.
[0044] Fifthly, this application also provides a chip module, including a communication module, a power module, a storage module, and a chip, wherein:
[0045] The power module is used to provide power to the chip module;
[0046] The storage module is used to store data and instructions;
[0047] The communication module is used for internal communication within the chip module, or for communication between the chip module and external devices.
[0048] The chip is used to perform the steps of the method provided in the first aspect above.
[0049] Sixthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:
[0050] Obtain the firmware update data packet corresponding to the operator configuration request, and execute the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal;
[0051] Receive the target function enable command, and in response to the target function enable command, pass the data verification and enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0052] In response to the successful verification of the enable status of the target function and the successful verification of the enable data of the target function, a terminal that meets the operator's configuration request is obtained.
[0053] In a seventh aspect, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:
[0054] Obtain the firmware update data packet corresponding to the operator configuration request, and execute the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal;
[0055] Receive the target function enable command, and in response to the target function enable command, pass the data verification and enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0056] In response to the successful verification of the enable status of the target function and the successful verification of the enable data of the target function, a terminal that meets the operator's configuration request is obtained.
[0057] The aforementioned data processing method, apparatus, computer equipment, and chip, wherein the method includes: acquiring a firmware update data packet corresponding to an operator configuration request, and executing the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal; receiving a target function enable instruction, and enabling the target function of the terminal based on the device identifier corresponding to the target function enable instruction after data verification in response to the target function enable instruction passing verification; and obtaining a terminal that meets the operator configuration request in response to the target function enable status passing verification and the target function enable data passing verification. By employing this method, parallel processing of function configurations from multiple operators can be achieved, improving the operator's configuration efficiency, and enhancing the terminal's data transmission capabilities and further improving the integrity of the data transmission process through the function configurations from multiple operators. Attached Figure Description
[0058] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0059] Figure 1 This is a diagram illustrating the application environment of a data processing method in one embodiment.
[0060] Figure 2 This is a flowchart illustrating a data processing method in one embodiment;
[0061] Figure 3 This is a flowchart illustrating the server enable step in one embodiment;
[0062] Figure 4 This is a flowchart illustrating the enabling step via local tools in one embodiment;
[0063] Figure 5 This is a flowchart illustrating the card lock data verification step in one embodiment;
[0064] Figure 6 This is a flowchart illustrating the enable state verification step in one embodiment;
[0065] Figure 7 This is a flowchart illustrating the enabling data verification step in one embodiment;
[0066] Figure 8 This is a schematic diagram of the architecture of the data processing method in another embodiment;
[0067] Figure 9This is a schematic diagram of the signature step in a data processing method in another embodiment;
[0068] Figure 10 This is a schematic diagram illustrating the changes to the file before and after signing in another embodiment;
[0069] Figure 11 This is a flowchart illustrating the server enable step in one embodiment;
[0070] Figure 12 This is a flowchart illustrating the enabling step via local tools in one embodiment;
[0071] Figure 13 This is a flowchart illustrating the enable state verification step in one embodiment;
[0072] Figure 14 This is a structural block diagram of a data processing device in one embodiment;
[0073] Figure 15 This is an internal structural diagram of a computer device in one embodiment;
[0074] Figure 16 This is an internal structure diagram of a chip module in one embodiment. Detailed Implementation
[0075] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0076] It should be noted that the terms "first," "second," etc., used in this application can be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish the first element from the second element. The terms "comprising" and "having," and any variations thereof, used in this application, are intended to cover non-exclusive inclusion. The term "multiple" used in this application refers to two or more. The term "and / or" used in this application refers to one of the embodiments, or any combination of multiple embodiments.
[0077] The data processing method provided in this application embodiment can be applied to, for example... Figure 1In the application environment shown, terminal 102 communicates with target device 104 via a network. Terminal 102 obtains the firmware update data packet corresponding to the operator's configuration request and executes the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of terminal 102; receives the target function enable command issued by target device 104, and enables the target function of terminal 102 based on the device identifier corresponding to the target function enable command after data verification is passed; and obtains terminal 102 that meets the operator's configuration request after the enable status of the target function and the enable data of the target function are verified.
[0078] The terminal 102 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, chips, chip modules, drones, low-altitude aircraft, IoT devices, and portable wearable devices. IoT devices can include smart speakers, smart TVs, smart air conditioners, smart in-vehicle devices, and projection devices. Portable wearable devices can include smartwatches, smart bracelets, and head-mounted displays. Head-mounted displays can be virtual reality (VR) devices, augmented reality (AR) devices, and smart glasses. The target device 104 can be a cloud server, or a deployment tool (enabling function), etc. The cloud server can be a standalone server, a server cluster, or a distributed system composed of multiple servers.
[0079] In one exemplary embodiment, such as Figure 2 As shown, a data processing method is provided, which can be applied to... Figure 1 Taking terminal 102 as an example, this data processing method can also be applied to other devices. Figure 1 In chips / chip modules with data processing capabilities, the specific process of this data processing method may include:
[0080] Step 202: Obtain the firmware update data packet corresponding to the operator configuration request, and store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal based on the firmware update data packet.
[0081] In this context, the operator can be the network provider of the data network used by the terminal for communication. The terminal can interact with other communication devices through different operator networks. The operator configuration request can be a request to configure operator data corresponding to multiple different operator networks on the terminal. This operator data is device configuration data that supports normal communication of the terminal device under the operator network. The operator configuration request can also be an operator switching request, indicating that a terminal configured with operator A be switched to operator B. The firmware update data package can be a PAC (Parameter Configuration Archive), i.e., a flashing data package, used for formatting the terminal or restoring factory settings, etc. The target storage area in the terminal can be a newly configured storage area in the terminal's original storage space after executing the firmware update data package, used to store operator differential data. The differential configuration file corresponding to the firmware update data package can be obtained by processing the operator data / device configuration data of multiple operators corresponding to the operator configuration request. This embodiment does not limit the device generating the firmware update data package; it can be other communication devices, the terminal, or other servers, etc.
[0082] Optionally, in response to an operator configuration request, the terminal can obtain a compiled firmware update data package and execute the firmware update data package on the terminal. That is, the terminal is formatted based on the firmware update data package, and a target storage area is specified in the terminal's original storage space to store operator data of various operators.
[0083] In one example, the generation device can be based on a device running the NV Tool. The NV Tool in the generation device can respond to the operator configuration request, determine the various operators required in the current communication scenario, determine the device configuration data corresponding to each operator, and determine the initial state data (i.e., initial storage data) in the target storage area of the terminal. Then, it can obtain the difference data between each device configuration data and the initial state data, and determine that each difference data is the differential data corresponding to each operator. The generation device can also perform signature processing on each differential data based on a preset signature algorithm to obtain differential signature data corresponding to each differential data. Based on the differential data and differential signature data corresponding to each operator, it can obtain the differential configuration file corresponding to each operator. It can also combine the differential configuration files corresponding to multiple operators to obtain the total configuration file, and compile the total configuration file into the initial PAC package to obtain the compiled firmware update data package.
[0084] Step 204: Receive the target function enable command. In response to the target function enable command passing the data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0085] The target function enable command can be issued by the security server or by the enabling function itself; the target function can be the device's SIMLOCK function (Subscriber Identity Module LOCK); the device identifier corresponding to the target function enable command can be IMEI (International Mobile Equipment Identity); the target function of the enabled terminal can be the target function that activates the terminal.
[0086] Optionally, the terminal can receive a target function enable instruction sent by the security server and perform data verification processing based on the target function enable instruction. In response to the target function enable instruction passing the data verification, the terminal can perform device enable processing based on the device identifier (IMEI) corresponding to the target function enable instruction, thereby enabling the terminal's target function.
[0087] Step 206: In response to the verification of the enable status of the target function and the verification of the enable data of the target function, a terminal that meets the operator's configuration request is obtained.
[0088] Specifically, the enable status of the target function is verified to indicate that the device has configured the correct target function data and enabled the target function; when the target function is the SIMLOCK function, the enable status of the target function is verified to indicate that the correct card locking data has been configured and the card locking function of the terminal has been enabled; the enable data of the target function is verified to indicate that the enable data of the target function and the enable flag of the target function have passed the integrity verification.
[0089] Optionally, after enabling the target function of the terminal, the terminal can verify the enabling status of the target function and the security level of the enabling data corresponding to the target function. If the enabling status of the target function of the terminal passes the verification and the enabling data of the terminal passes the verification, it can be determined that the current terminal is a terminal that meets the operator's configuration request, that is, the current terminal is a terminal that has completed the operator's configuration request.
[0090] In the above data processing method, the firmware update data packet corresponding to the operator configuration request is obtained and executed to store the differential configuration file in the update data packet in the target storage area of the terminal; a target function enable command is received, and in response to the target function enable command passing data verification, the target function of the terminal is enabled based on the device identifier corresponding to the target function enable command; in response to the target function enable status and the target function enable data passing verification, a terminal that meets the operator configuration request is obtained. By adopting this method, parallel processing of function configurations for multiple operators can be achieved, improving the operator's configuration efficiency, and by configuring the SIM card locking function of multiple operators, the terminal's data transmission capability can be improved, and the integrity of the data transmission process can be further enhanced.
[0091] In one embodiment, the firmware update data packet is obtained by compiling a differential configuration file. The differential configuration file includes differential data and differential signature data corresponding to each operator. Each differential signature data is obtained by signing the differential data corresponding to each operator. Each differential data is generated in response to the operator's configuration request, based on the obtained initial storage data and the device configuration data of each operator.
[0092] Optionally, the firmware update data packet can be generated by a generating device and sent to the terminal. This generating device can be a device running NV Tool, such as a server running NV Tool. Through NV Tool, in response to operator configuration requests, the generating device can determine the operators to be configured in the actual communication scenario, the device configuration data corresponding to each operator, and the initial state data (i.e., initial storage data) in the terminal's target storage area. It then obtains the difference data between each device configuration data and the initial state data, identifies each difference data as differential data corresponding to each operator, and stores this differential data in the differential configuration files corresponding to each operator. Based on these differential configuration files, an initial master configuration file is obtained. The generating device can also sign the differential data in each differential configuration file in the initial master configuration file using a preset signature algorithm to obtain differential signature data corresponding to each differential data. The differential signature data and differential data corresponding to each operator are combined to obtain the master configuration file, which is then compiled into the initial PAC package to obtain the compiled firmware update data packet.
[0093] The device configuration data can be the operator data corresponding to each operator. This operator data refers to the data that enables the terminal device to communicate normally under the operator's network.
[0094] The NV Tool can generate a public key and its corresponding private key. The public and private keys are stored in different folders on the same storage path of the generating device. The private key can be used to sign the differential data corresponding to each operator to obtain the differential signature data corresponding to each differential data.
[0095] In this embodiment, by signing the operator data and initial storage data corresponding to each operator, the security of operator data can be guaranteed. The operator data can be configured on the terminal through firmware update data packets, providing a data foundation for enabling the target functions of the device, and further improving the efficiency of data functions and the ease of enabling terminal functions.
[0096] In one embodiment, such as Figure 3 As shown, the specific processing steps of "receiving the target function enable command, responding to the target function enable command passing data verification, and enabling the target function of the terminal based on the device identifier corresponding to the target function enable command" include:
[0097] Step 302: Receive the target function enable instruction sent by the server.
[0098] The target function enable instruction carries signature data and a carrier identifier. The server can be a cloud server or a security server, such as a server capable of communicating with the terminal. The signature data can be data obtained by the server signing the carrier identifier and the first device identifier based on a preset signature algorithm. The carrier identifier can be the identification information of the carrier network that needs to be configured for the terminal in the current communication scenario, such as the network number. The first device identifier can be the IMEI of the terminal collected by the server. The preset signature algorithm can be RSA, SHA, etc. This embodiment does not limit the specific type of preset signature algorithm, and those skilled in the art can determine it based on the needs of the actual communication scenario.
[0099] Optionally, the server can obtain the operator identifier and the terminal's first device identifier, and perform signature processing on the operator identifier and the first device identifier to obtain signature data. Based on this, the server can generate a target function enable instruction based on the terminal's first device identifier, signature data, and operator identifier. This target function enable instruction can be an AI instruction. In one example, the server can obtain the target function enable instruction based on the operator identifier and signature data. In this way, the server can send the target function enable instruction to the terminal.
[0100] Step 304: Read the original device identifier of the terminal and calculate the hash data corresponding to the original device identifier. Obtain the concatenated data based on the hash data and the carrier identifier. In response to the concatenated data passing the verification, extract the carrier differential data from the target storage area based on the carrier identifier.
[0101] The terminal can include the terminal AP side (application server side) and the Modem side (modem side).
[0102] Optionally, the server can send a target function enable command to the terminal's access point (AP). The AP can then transmit this command to the terminal's modem. In response to the command, the modem can collect the terminal's original device identifier, perform a hash calculation on it to obtain hash data, and concatenate the hash data with the carrier identifier to obtain concatenated data. The terminal can then verify the concatenated data against the signature data in the target function enable command. Upon successful verification, the concatenated data is considered validated. Thus, the terminal can extract carrier differential data from the target storage area based on the carrier identifier.
[0103] In one example, the server's signature data generation process can be as follows: the server performs a hash calculation on the first device identifier and the operator identifier to obtain a first hash value, and then encrypts the first hash value using the server's private key and a preset encryption algorithm to obtain encrypted data, which is then identified as signature data. Specifically, the signature verification process can be as follows: the terminal can decrypt the signature data using the public key stored in the terminal and the decryption algorithm corresponding to the preset encryption algorithm to obtain a decrypted first hash value, and then encrypt the concatenated data based on the preset encryption algorithm to obtain a second hash value. In response to a match between the decrypted first hash value and the second hash value, the terminal's modem side can determine that the signature verification is successful, i.e., the concatenated data passes verification. In response to a mismatch between the decrypted first hash value and the second hash value, the signature verification fails, i.e., the concatenated data fails verification. Optionally, a match between the decrypted first hash value and the second hash value can indicate that the decrypted first hash value and the second hash value are identical.
[0104] Optionally, in response to the spliced data passing verification, the terminal's Modem side returns the data verification result to the server via the AP side (ensuring data verification passes), and also returns the carrier identifier to the AP side. In this way, the AP side can extract the differential data corresponding to the carrier identifier from the terminal's target storage area based on the carrier identifier, i.e., read the carrier differential data from the target storage area.
[0105] Optionally, in response to the failure of the spliced data verification, it can be determined that the terminal's SIMLOCK enable data verification has failed. In this case, the verification failure flag can be encrypted and saved to the target storage area, while the efuse enable bit is set, and the data verification result is returned to the protocol stack. After receiving the result, the protocol stack restarts the modem. After restarting, the terminal's modem side can be in a restricted state (i.e., the device's network function will be restricted), which can prevent the terminal from being maliciously sent enable commands, and can achieve accurate identification of malicious enable commands, further improving terminal security.
[0106] Optionally, the modem can read the terminal's original device identifier (IMEI) from the terminal's efuse, a one-time programmable memory that stores data by melting a metal fuse. The IMEI is pre-installed in a unified storage area of this memory before the device leaves the factory, meaning that the original device identifier read from the efuse is an accurate and reliable device identifier.
[0107] Step 306: In response to the operator differential data passing data verification, the target function enable function is populated based on the device identification data in the target storage area, and the target function is activated by calling the target function enable function.
[0108] Optionally, after reading the operator differential data, the terminal AP can generate a first command based on the operator differential data. This first command can be generated according to the AT command data format. The data structure carried by the first command may include the length of the operator differential data, a hash value, and the operator differential data itself. The hash value can be obtained by encrypting the operator differential data, for example, by processing the operator differential data based on the SHA256 algorithm. The data structure can be as follows:
[0109] struct simlock_delta_nv {
[0110] unsigned length;
[0111] unsigned char digest[DIGEST_LENGTH];
[0112] unsigned char delta_nv_body[0];
[0113] }
[0114] Among them, unsigned length(simlock_delta_nv.digest) represents the length of deltaNV data (i.e. the length of operator differential data); unsigned char delta_nv_body[0] represents the content data, which is the operator differential data.
[0115] Based on this, the specific process of verifying the carrier differential data in the first command received by the Modem side of the terminal can be as follows: calculate the hash value H1 of the carrier differential data in the first command; if the hash value H1 is equal to simlock_delta_nv.digest, it is determined that the carrier differential data has passed the first verification; then, the signature verification of the simlock_delta_nv.digest carrier differential data can be performed. For example, a preset public key can be read from the preset image space of the Modem side of the terminal, and the hash value of the carrier differential data can be calculated using the public key. Based on the hash value, a consistency judgment is made with the signature data in the target function enable instruction. If they are consistent, it can be determined that the signature verification has passed. Based on this, the Modem side of the terminal can update the target storage area by backing up the SIM card data in the NV area and the NV interface to obtain the NV area storing the SIM card data in the backed-up NV area. It can also calculate the hash value H2 of each SIM card data and generate an encryption key K1 based on the string "Salt12+UID+Salt22" using the KDF algorithm. The hash value H2 of the SIM card data is then encrypted using the AES CBC algorithm and the encryption key K1 to obtain the ciphertext MH2. The ciphertext MH2 can also be written into the reserved area in the differential configuration file corresponding to the operator identifier.
[0116] The terminal's modem can then read back the NV area to obtain the SIM lock data, calculate the hash value H3 of this data, encrypt the hash value H3 to obtain the ciphertext MH2', and decrypt MH2' using the encryption key K1 and the AES CBC algorithm to obtain the decrypted hash value H2'. Since H3 equals H2', the terminal can determine that the ciphertext MH2' has been written validly, thus confirming that the operator's differential data has passed data verification. The terminal can then fill the target function enable function with the device identifier data in the target storage area (i.e., the NV area) and activate the target function by calling the target function enable function. The target function enable function can be the simlock_enable function, whose input parameter can be a simlock_enable_data structure. This simlock_enable_data structure is filled with the device identifier and used as the input parameter for the simlock_enable function. Thus, the terminal's modem can enable the terminal's target function, i.e., the SIMLOCK function, by calling this function.
[0117] In this embodiment, the target function is enabled online through a security server, further improving the efficiency of function enabling.
[0118] In one embodiment, such as Figure 4 As shown, the specific processing steps of "receiving the target function enable command, responding to the target function enable command passing data verification, and enabling the target function of the terminal based on the device identifier corresponding to the target function enable command" include:
[0119] Step 402: Receive the target function update instruction sent by the enabling tool.
[0120] The target function can be a card locking function; the target function update instruction includes the length of the operator differential data, the original hash value, and the operator differential data; the enabling tool can be a configuration tool.
[0121] Optionally, in response to an input operation of the operator identifier, the enabling function can read the operator differential data corresponding to that operator identifier in the target storage area of the terminal. The enabling tool can generate a target function update instruction according to the data format of the AT command. The data structure of the target function update instruction may include the length of the operator differential data, the original hash value, and the operator differential data. The original hash value can be obtained by encrypting the operator differential data, for example, it can be obtained by processing the operator differential data based on the SHA256 algorithm. The data structure can be as follows:
[0122] struct simlock_delta_nv {
[0123] unsigned length;
[0124] unsigned char digest[DIGEST_LENGTH];
[0125] unsigned char delta_nv_body[0];
[0126] }
[0127] Among them, unsigned length(simlock_delta_nv.digest) represents the length of deltaNV data (i.e. the length of operator differential data); unsigned char delta_nv_body[0] represents the content data, which is the operator differential data.
[0128] Step 404: In response to the verification of the operator differential data and the target SIM card lock data, the processing result corresponding to the target function update instruction is returned to the enabling tool.
[0129] Optionally, upon receiving the target function update instruction, the terminal performs data verification on the operator differential data in the target function update instruction. The specific process may involve calculating the hash value H1 of the operator differential data in the target function update instruction. If the hash value H1 is equal to simlock_delta_nv.digest, the operator differential data is determined to have passed the first verification. In this way, the NV interface can be called to update the SIM card data. For example, the SIM card data in the target storage area can be updated by backing up the SIM card data in the NV area and using the NV interface to obtain the updated target storage area. The hash value H2 of each SIM card data in the target storage area (which may be a hash value generated by the SHA256 algorithm) is calculated. The encryption key K1 is generated by derivation using the KDF algorithm and the string "Salt12+UID+Salt22". The hash value H2 of each SIM card data is encrypted using the AES CBC algorithm and the encryption key K1 to obtain the ciphertext MH2. The ciphertext MH2 can also be written into the reserved area in the differential configuration file (NV file) corresponding to the operator identifier in the target storage area.
[0130] Then, the terminal can read back the target storage area to obtain the readback SIM card data, calculate the hash value H3 of the readback SIM card data, encrypt the hash value H3 to obtain the hash ciphertext MH2'; based on the encryption key K1 and the AES CBC algorithm, MH2' is decrypted to obtain the decrypted hash value H2'; in response to H3 equaling H2', the terminal can determine that the hash ciphertext MH2 is valid, thus confirming that the operator differential data and the target SIM card data have passed the verification. This allows the terminal to generate a verified AT command processing result and return the AT command processing result to the enabling tool.
[0131] Step 406: Receive update data sent by the enabling tool. In response to the update data passing verification, encrypt the update data to generate encrypted data, and add the encrypted data to the differential configuration file of the target storage area.
[0132] Optionally, in response to the AT command processing result that has passed verification, the enabling tool can generate update data according to the AT command data format. The data structure of the update data may include the device identifier IMEI, the enabling identifier, and a hash value of the IMEI and the enabling identifier. The data structure of the update data may be as follows:
[0133] #define IMEI_MAX_NUM0x4;
[0134] #define IMEI_MAX_LENGTH0x10;
[0135] #define SIMLOCK_ENABLE_FLAG0x5a5a5a5a;
[0136] #define DIGEST_LENGTH0x20;
[0137] struct simlock_enable_data {
[0138] unsigned char imei[IMEI_MAX_NUM][IMEI_MAX_LENGTH];
[0139] unsigned int simlock_enable_flag[IMEI_MAX_NUM];
[0140] unsigned char digest[DIGEST_LENGTH]
[0141] }
[0142] The initialization state of the enable flag can be SIMLOCK_ENABLE_FLAG, and the hash values of the IMEI and enable flag can be obtained by processing the IMEI and enable flag using the SHA256 algorithm.
[0143] Based on this, after receiving the update data, the terminal can read the corresponding NV item to obtain the IMEI data based on the assignment of the "simlock_enable_flag" member (if non-zero) in the data carried in the update data (e.g., D1). For example, simlock_enable_flag data 0~3 correspond to the enabling status of IMEI1~IMEI4 respectively. Based on each "simlock_enable_flag" and the terminal's IMEI, a hash value H2 is recalculated. If H2 is equal to the hash value in the received update data, and the device identifier newly read by the terminal is equal to the IMEI in the update data, then the update data can be determined to be valid, i.e., it passes the verification. Otherwise, an error message can be output to the enabling tool. That is, if H2 is equal to the "digest" in the update data, and the IMEI newly read by the terminal is equal to the "imei" in the received update data (i.e., the AT command issued by the enabling tool).
[0144] In response to the terminal confirming that the updated data has passed verification, the KDF algorithm can be used to perform key derivation on the string "Salt13+UID+Salt23" to determine the encryption key K1. It should be noted that Salt13 and Salt23 in this part of the string are different from Salt11, Salt12, Salt21, and Salt22 in the previous embodiment. Based on this encryption key K1 and the AES CBC algorithm, the data D1 carried in the updated data can be encrypted to obtain ciphertext M1, i.e., encrypted data. The terminal can then write the encrypted data M1 to the reserved area in the differential configuration file corresponding to the operator identifier, that is, write the encrypted data M1 to the reserved item in the NV file.
[0145] Step 408: Read back the differential configuration file to obtain readback data. In response to the readback data being verified, enable the target function flag in the terminal's preset storage space to enable the target function when the terminal restarts.
[0146] Optionally, the terminal can read back the differential configuration file, read the stored data (denoted as M2) in the differential configuration file, obtain the encryption key K1 through the same steps as in the above embodiment, and decrypt M2 using the AES CBC algorithm and the encryption key K1 to obtain plaintext data D2. Then, the terminal can read the corresponding NV item based on the assignment of the "simlock_enable_flag" member in plaintext data D2 (if it is non-zero) to obtain the newly read IMEI. The terminal can then recalculate based on the "simlock_enable_flag" in D2 and the newly read IMEI to obtain the hash value H3. Since H3 matches the "digest" value in plaintext data D2, and the newly read IMEI matches the device identifier in plaintext data D2, it can be determined that the encrypted data M1 was successfully written, meaning the readback data has passed verification. In this way, the terminal can enable the SIMLOCK enable flag in the terminal's EFUSE space. The default storage space is the terminal's EFUSE space, and the enable flag for the target function is the SIMLOCK enable flag. Thus, when the device is powered on or the modem is reset, the terminal can determine whether to enable SIM card data and enable flag verification functions based on the SIMLOCK enable flag. For example, if the SIMLOCK enable flag is determined to be in the enabled state, the terminal's SIM card data and enable flag verification functions can be enabled.
[0147] In this embodiment, offline functionality is enabled through a local configuration tool, enhancing the comprehensiveness of data configuration and functionality applicability. By reading back the differential configuration file, it is possible to conveniently and accurately verify whether encrypted data has been successfully written.
[0148] In one embodiment, such as Figure 5 As shown, the specific processing steps of the step "in response to the verification of operator differential data and target SIM card lock data, return the processing result corresponding to the target function update command to the enabling tool" include:
[0149] Step 502: In response to the operator differential data passing the verification, the lock card data in the target storage area is updated using the preset backup lock card data.
[0150] The target function can be a SIM card locking function, and the preset backup SIM card locking data can be the SIM card locking data stored in the backup NV area; the target storage area can be the area on the terminal that is specified to store the differential data of each operator after executing the PAC packet. The preset backup SIM card locking data can be trusted SIM card locking data set at the factory of the terminal.
[0151] Optionally, the terminal can perform data verification on the carrier differential data in the received target function update instruction. The specific process can be as follows: calculate the hash value H1 of the carrier differential data in the target function update instruction. If the hash value H1 is equal to simlock_delta_nv.digest, it is determined that the carrier differential data has passed the verification. In this way, the NV interface can be called to update the SIM card data. For example, the SIM card data in the backup NV area can be updated by using the NV interface to update the SIM card data in the target storage area, so as to obtain the updated target storage area.
[0152] Optionally, the terminal can update the target storage area based on the backup SIM card data in the backup NV area. The process of obtaining the updated target storage area can be as follows: call the NV interface and the backup SIM card data to restore the target storage area to the initial state data / initial storage data, and then update the initial state data / initial storage data to the device configuration data corresponding to each operator based on the SIM card data in the target storage area, i.e., differential data. In other words, update the data stored in the target storage area to the device configuration data / target state data in the configuration request.
[0153] Step 504: Calculate the hash value of each lock card data in the target storage area and add the hash value to the target storage area.
[0154] Optionally, the terminal can re-extract the data of each SIM card in the target storage area, calculate the hash value H2 of each SIM card data (which can be a hash value generated by the SHA256 algorithm), and perform key derivation on the string "Salt12+UID+Salt22" based on the KDF algorithm to generate an encryption key K1; encrypt the hash value H2 of each SIM card data using the AES CBC algorithm and the encryption key K1 to obtain ciphertext MH2, and the terminal can also write the ciphertext MH2 into the target storage area, for example, it can be written into the reserved area in the differential configuration file (NV file) corresponding to the operator identifier in the target storage area.
[0155] Step 506: Read back the target storage area to obtain the target lock card data. In response to the target lock card data passing the verification, return the processing result corresponding to the target function update instruction to the enabling tool.
[0156] Optionally, the terminal can read back the target storage area to obtain the readback lock card data (i.e., the target lock card data), calculate the hash value H3 of the readback lock card data, encrypt the hash value H3 to obtain the hash value ciphertext MH2'; decrypt MH2' based on the encryption key K1 and the AES CBC algorithm to obtain the decrypted hash value H2'; in response to H3 equaling H2', the terminal can determine that the hash value ciphertext MH2 is valid, thus determining that the target lock card data has passed the verification, thereby generating a verified AT command processing result and returning the AT command processing result to the enabling tool.
[0157] In this embodiment, updating the lock card data in the target storage area by pre-setting backup lock card data can ensure the credibility of the lock card data source. By reading back and verifying the target storage area, the validity of data writing in the target storage area can be accurately judged, preventing malicious tampering of lock card data and further improving the security of terminal operation.
[0158] In one embodiment, such as Figure 6 As shown, the data processing method also includes:
[0159] Step 602: Receive the function check command sent by the enabling tool.
[0160] The function check command includes at least the target function enable data. The target function can be the SIMLOCK function, and the corresponding target function enable data can be SIMLOCK enable data (SIM lock enable data). The data structure of the SIMLOCK enable data can be the "struct simlock_enable_data" data structure.
[0161] Optionally, the enabling tool can obtain the corresponding SIM card enable data for the terminal, combine the SIM card enable data according to the data structure of the AT command to obtain a function check command, and send the function check command to the terminal. In one example, the function check command received by the terminal may be the command "AT+SPSLCMD="check_enable_simlock", which may carry the data "struct simlock_enable_data".
[0162] Step 604: In the target storage area, read the enable flag data of the target function.
[0163] Optionally, after receiving the function check command, the terminal can read the card lock enable flag of the card lock function in the target storage area of the terminal, that is, obtain the card lock function enable flag data (which can be recorded as ciphertext M2).
[0164] Step 606: In response to the enable flag data being valid, compare the first plaintext data corresponding to the enable flag data with the target function enable data.
[0165] Optionally, after the terminal reads the enable flag data, it can perform key derivation processing on the string "Salt13+UID+Salt23" based on the KDF algorithm to generate an encryption key K1. Then, using the AES CBC algorithm and this encryption key K1, the ciphertext M2 is decrypted to generate the first plaintext data D2. Based on the assignment of the "simlock_enable_flag" member in the first plaintext data D2, the device identifier IMEI is newly read from the terminal's target storage area, and the hash value H3 of "simlock_enable_flag" and IMEI in the second plaintext data D2 is calculated. If the hash value H3 matches the "digest" in the first plaintext data D2, and the newly read device identifier IMEI matches the "imei" in the first plaintext data D2, then the terminal can determine that the enable flag data is valid, i.e., that the SIMLOCK enable flag is valid. In this way, the terminal can compare the first plaintext data corresponding to the enable flag data with the target function enable data.
[0166] Step 608: In response to the first plaintext data matching the target function enable data, determine that the target function's enable state has passed the verification. Alternatively, in response to the first plaintext data not matching the target function enable data, determine that the target function's enable state has failed the verification.
[0167] The first plaintext data D2 may contain data such as device identifiers; the target function enable data may be the data carried in the function check command issued by the enable tool.
[0168] Optionally, the terminal can compare the data "struct simlock_enable_data" carried by the command "AT+SPSLCMD="check_enable_simlock"" with the second plaintext data D2. If the data "struct simlock_enable_data" carried by the command "AT+SPSLCMD="check_enable_simlock"" matches the second plaintext data D2, it can be determined that the enable state of the target function has passed the verification, and an AT command processing result indicating that the verification has passed is generated. Otherwise, it can be determined that the enable state of the target function has failed the verification, and an AT command processing result indicating that the verification has failed is generated. In this way, the terminal can return the AT command processing result to the enabling tool.
[0169] In this embodiment, after the terminal completes the card lock data update and enables the card lock function, the enabling status of the terminal's card lock function is further judged, which can ensure the correctness of the card lock data configured by the terminal and the reliability of the card lock function's enabling.
[0170] In one embodiment, such as Figure 7 As shown, the data processing method also includes:
[0171] Step 702: Read the enable flag of the target function in the preset storage space of the terminal.
[0172] Optionally, the terminal's preset storage space can be the EFUSE space; the enable flag for the target function can be the SIMLOCK enable flag bit in the EFUSE space. In response to the absence of the SIMLOCK enable flag bit in the preset storage space, a prompt message can be output, indicating that the verification failed or was not performed, etc.; in response to the presence of the SIMLOCK enable flag bit in the preset storage space, the integrity of the target function enable data and the target function enable flag data can be verified, i.e., the integrity of the SIMLOCK data and the SIMLOCK enable flag can be determined.
[0173] Optionally, in response to the SIMLOCK enable flag being set in the preset storage space, the terminal can read back the target storage area to obtain the read-back SIM card data and the read-back encrypted hash value (which can be denoted as MH2'), and encrypt the read-back SIM card data to obtain the second target hash value H3. Then, based on the KDF algorithm, the string "Salt12+UID+Salt22" can be used to derive a key, generating an encryption key K1; based on the encryption key K1 and the AES CBC algorithm, the read-back encrypted hash value MH2' is decrypted to obtain the decrypted hash value H2'; in response to the second target hash value H3 being the same as the decrypted hash value H2', it can be determined that the target function enable data is valid and has passed the integrity check. In response to the second target hash value H3 being the same as the decrypted hash value H2', it can be determined that the target function enable data is invalid, and the terminal can output an error message.
[0174] Step 704: In response to the validity of the target function enable data corresponding to the enable flag, encryption and decryption processing is performed based on the terminal's encryption identifier and the enable flag to generate second plaintext data. Based on the second plaintext data, a new device identifier is obtained, and based on the new device identifier and the operator's differential data, a first target hash value is calculated.
[0175] Optionally, in response to the validity of the target enable data corresponding to the enable flag, the terminal can perform encryption and decryption processing based on the terminal encryption identifier and the enable flag to generate second plaintext data D2. The generation process of D2 can be as follows: the terminal reads back the target storage area and also reads back the card lock enable flag data (which can be denoted as M2). In this way, the terminal can derive the key from the string "Salt13+UID+Salt23" using the KDF algorithm to obtain the encryption key K1. Based on the AES CBC algorithm and the encryption key K1, the terminal decrypts the card lock enable flag data M2 to obtain the second plaintext data D2. In this way, the terminal can read the IMEI data of the corresponding NV item based on the assignment of the "simlock_enable_flag" member in the second plaintext data D2 (if it is non-zero), that is, obtain the newly read device identifier. Based on the newly read device identifier and the "simlock_enable_flag" in the second plaintext data D2, the first target hash value H3 is calculated.
[0176] Step 706: In response to the first target hash value matching the original hash value corresponding to the second plaintext data, and the new device identifier matching the original device identifier corresponding to the second plaintext data, it is determined that the enable data of the target function has passed the verification.
[0177] The original device identifier corresponding to the second plaintext data can be the "imei" carried in the second plaintext data D2. The original hash value corresponding to the second plaintext data can be the "digest" carried in the second plaintext data D2.
[0178] Optionally, in response to the first target hash value H3 matching the "digest" in the second plaintext data D2, and the newly read device identifier matching the "imei" in the second plaintext data D2, it can be determined that the target function's enable flag data is valid, i.e., the target function's enable flag data has passed the integrity check. Therefore, it can be determined that the target function's enable data has passed the check. Otherwise, an error message can be output.
[0179] In this embodiment, by verifying the enable data of the target function, it is possible to prevent the card lock data and card lock enable flag from being maliciously tampered with, and also to ensure the integrity of the card lock data and the enable flag of the card lock function.
[0180] The following, such as Figure 8 As shown, the specific execution flow of the above data processing method is described in detail with reference to an embodiment, including a cloud server (e.g., a security server / HSM) and a terminal, the terminal including an application server (AP) and a communication server (CP), wherein:
[0181] The cloud server can send Simlock enable commands or requests to the application server. The AP and server include the APK application layer, the Service system service layer, the Telephony telephone framework, and the RIL wireless interface layer. The APK application layer is used to trigger the relevant operations of SIM card locking, and the Service system service layer is used to read and manage the differential data corresponding to each operator, i.e., the master configuration file. For example, operator differential data can be read in Simlock delta nv, which includes the differential data of each operator and the operator's data signature.
[0182] The application server can transmit the Simlock enable command, carrier ID, and Simlock deltadata (SIM card differential data) to the communication server. On the communication server, the ATC (AT Command Controller) sends the SIM lock-specific command (AT+SPSLCMD) to the security module. The security module reads the public key SIMLOCK_PUBKEY from the Modem bin file and verifies the integrity and signature of the differential data in the read master configuration file (Simlock delta data) based on the public key verification. After successful verification, the differential data can be merged into the NV partition via the NV merge API interface, updating the Simlock data and Simlock backup data. The SIM card backup data is used to initialize the SIM card storage data area, i.e., to initialize the target storage area; initializing the target storage area / SIM card storage data area means restoring the data within that area to its initial state, i.e., restoring the data within that area to its initial values. This SIM card backup data can be initialized before the device leaves the factory for the SIM card storage data area.
[0183] Optionally, differential data from multiple operators can be saved to a newly added NV partition (the target storage area in the terminal) using differential NV for data updates (changing operator configuration data). Simultaneously, each operator's differential data is signed to ensure data security and integrity. The process for constructing multi-operator differential data may include:
[0184] S1.1, Create multi-carrier differential data; specifically, use the NV Tool to create differential data for each carrier based on the initial state of the NV. The initial state can be the state after flashing the package, or it can be the state after configuring the NV (e.g., when initial carrier data needs to be configured). In the initial state, the Simlock backup NV data also needs to be configured. Differential configuration files (carrier differential files .nv) corresponding to each carrier can be named using the carrier code / carrier number. The NV Tool then packages multiple .nv files into the final simlock_delta.bin file (initial master configuration file), numbered according to each carrier's identifier, which facilitates finding the corresponding carrier's differential data when reading data.
[0185] The differential data for the carrier refers to the difference between the NV state after configuring the carrier data and the initial state. When switching carrier data, the terminal only needs to refresh the storage area containing the corresponding carrier data back to the initial state value, and then restore the storage area to the preset carrier data using the differential data. Refreshing the initial state value can be done through initialization and refresh processing using the SIM card backup data corresponding to the storage area; carrier data refers to the data that enables the device to communicate normally under the carrier network.
[0186] S1.2, Carrier Differential Data Signature, the specific signature process can be as follows: Figure 9 As shown:
[0187] A public-private key pair is generated using a tool. The private key is encrypted and stored on a secure server for signing operator differential data. The public key is placed in the corresponding key storage path. During the compilation of the PAC package, this public key is inserted into modem.bin by the InsertKey.py script. Modify the PAC package compilation script to configure a new NV partition path and place the generated simlock_delta.bin into this new NV partition path (e.g., SIMLOCK-PUBKEY).
[0188] The `imlock_delta.bin` file is read using the operator differential data signing script (SIGN script). Each operator's data in the initial master configuration file is signed to obtain differential signature data. The differential signature data corresponding to each operator is then combined to obtain the master configuration file. In other words, the difference between the master configuration file and the initial master configuration file is that the master configuration file contains differential data, and it includes both differential data and signed differential data. Specifically, the master configuration file contains operator data, the differential data corresponding to each operator's data, and the differential signature data corresponding to each differential data. The data structure before and after signing is as follows: Figure 10 As shown, taking operator 1 as an example, the corresponding operator data could be NV VER FLAG (NV version identifier), File len (file length), FileContent (file content), and File End Flag (file end flag). The calculated signature data for operator 1 could be Sign_Data. Sign_Data is obtained by signing the hash value (SHA256 or a higher level of security hash algorithm is recommended) of all the preceding data (from File_Name to File_End_Flag); this can include operator 1, operator 2, operator 3, etc., which will not be listed here.
[0189] Correspondingly, the unsigned simlock_delta_sign.bin (initial master configuration file) is replaced with the signed simlock_delta_sign.bin file (master configuration file). During compilation, the simlock_delta_sign.bin file is compiled into the corresponding location in the PAC to obtain the master configuration file / firmware update data package.
[0190] S2, SIMLOCK Enable; This embodiment supports both cloud server enablement and local tool enablement. For example, the SIMLOCK function can be enabled by issuing an online enable AT command, and the validity of the data can be verified through signature verification. The SIMLOCK enable data contains the carrier number. The device can use this number to read the corresponding carrier differential data from the newly added NV partition and update it to the relevant SIMLOCK NV. To ensure that the SIMLOCK function can be enabled even offline, this solution also supports local tool enablement of the SIMLOCK function. That is, the tool connects to the device and directly issues an enable AT command. The tool can input the carrier number through an editable window, and the tool reads the corresponding carrier differential data from the NV partition using the input number and transmits it to the device, thereby completing the SIMLOCK data update.
[0191] S2.1, Enable the SIMLOCK function online via cloud server. A specific flowchart could be as follows: Figure 11 As shown, this includes a security server, the AP side of the device terminal, and the MODEM side of the device terminal, specifically:
[0192] S2.1.1, the security server concatenates SIMLOCK enable data (carrier number and signature) and sends the data to the device via AT commands.
[0193] In step S2.1.2, after receiving the SIMLOCK enable data, the modem on the device side reads the original UID from efuse, calculates the corresponding HASH value, and concatenates it with the carrier number. The concatenated data is then compared with the signature sent by the server for data verification, and the verification result and carrier number are returned. The verification result is returned to the security server, and the carrier number is reported to the telephony. The signature verification process can involve the server performing a hash operation on the data to be signed to obtain the corresponding HASH value, and then signing the HASH value using its private key. Verification involves using the public key and the corresponding encryption / decryption algorithm to decrypt the signed data to obtain the data's HASH value. This decrypted HASH value is then compared with the calculated HASH value of the original data (carrier number + UID). If the comparison is successful, the verification is successful; otherwise, it fails.
[0194] S2.1.3, if SIMLOCK enable data verification fails, the verification failure flag is encrypted and saved to the NV, the efuse enable bit is set, and the result is returned. Upon receiving the result, the protocol stack restarts the modem, after which the modem is restricted. Yes; modem restriction mainly limits the device's network functionality. If data verification fails, the SIM lock data will not be updated to the NV. The modem will restart, and since the enable bit is enabled, it will perform the corresponding data verification. Because there is no data in the NV, the verification will fail, and the modem will enter a restricted state. The main purpose of this logic is to prevent the device from being maliciously given enable commands. Once enable fails, it proves that the command is illegal; only a correct enable command can enable the modem to function normally.
[0195] In S2.1.4, Telephony calls the NV interface, passes the carrier number, reads the corresponding carrier differential data from the newly added NV partition, organizes the data according to the "AT^SPSIMLOCKUPDATE" AT command format, and sends it to the device terminal. This command carries the following data structure:
[0196] struct simlock_delta_nv {
[0197] unsigned length;
[0198] unsigned char digest[DIGEST_LENGTH];
[0199] unsigned char delta_nv_body[0];
[0200] }
[0201] The data includes, in sequence, deltaNV data length, hash value (SHA256 algorithm recommended), and content.
[0202] S2.1.5 After receiving the AT command, the device terminal Modem side checks the data to ensure that the data is valid (recalculate the hash value of simlock_delta_nv.delta_nv_body to obtain H1; if simlock_delta_nv.digest and H1 are equal, the data is valid).
[0203] S2.1.6 verifies the operator's differential data signature. It reads the preset public key from the reserved space in the Modem image, calculates the HASH value of the operator's data (using SHA256), and verifies the data signature using the signature data in the data. After the signature verification is successful, it first refreshes the NV corresponding to the SIM card data using the SIM card lock data in the backup NV, and then calls the corresponding NV interface to complete the SIM card lock data update.
[0204] S2.1.7 Calculate the hash value of all card lock data (using the SHA256 algorithm) to obtain H2. Based on the string "Salt12+UID+Salt22", use the KDF algorithm to derive the encryption key K1. Then, based on the key K1, use the AES CBC algorithm to encrypt the hash value H2 of the card lock data to obtain the ciphertext MH2, and write it to the reserved item in the NV file.
[0205] S2.1.8, read back the lock card data and verify the validity of the hash value ciphertext MH2'. Recalculate the hash value of the read back lock card data to obtain H3. Based on the key K1, use the AES CBC algorithm to decrypt MH2' to obtain the hash value H2'. If H3 equals H2', then the hash value ciphertext MH2 in step (7) is valid.
[0206] S2.1.9, read back the IMEI data in NV, fill the simlock_enable_data structure (as the input parameter of the simlock_enable function), and call the simlock_enable function to enable the SIMLOCK function.
[0207] S2.2, enable the SIMLOCK function locally through the tool. The specific flowchart can be as follows: Figure 12 As shown, this includes enabling the function and the device terminal. The tool reads the corresponding carrier differential data from the newly added NV based on the carrier number entered in the input window, and sends the carrier differential data to the device terminal through the data update command "AT+SPSIMLOCKUPDATE". After receiving the success result from the AT command, the tool enables the SIMLOCK function through the command "AT+SPSLCMD="enable_simlock". Specifically:
[0208] S2.2.1, update SIMLOCK data on the tool side and generate target function enable instruction. This target function enable instruction includes deltaNV data length, hash value (SHA256 algorithm recommended) and content in sequence.
[0209] S2.2.2 After receiving the AT command, the device terminal checks the data to ensure that the data is valid (recalculate the hash value of simlock_delta_nv.delta_nv_body to obtain H1; if simlock_delta_nv.digest and H1 are equal, the data is valid), and then calls the corresponding NV interface to complete the card lock data update.
[0210] S2.2.3 Calculate the hash value of all card lock data (SHA256 algorithm is recommended) to obtain H2. Based on the string "Salt12+UID+Salt22", use the KDF algorithm to derive the encryption key K1. Then, based on the key K1, use the AES CBC algorithm to encrypt the hash value H2 of the card lock data to obtain the ciphertext MH2, and write it to the reserved item in the NV file.
[0211] S2.2.4, Read back the lock card data and verify the validity of the write operation using the hash value ciphertext MH2'. Recalculate the hash value of the read-back lock card data to obtain H3. Decrypt MH2' using the AES CBC algorithm based on key K1 to obtain the hash value H2'. If H3 equals H2', then the write of the hash value ciphertext MH2 in step 3 is valid.
[0212] S2.2.5 The tool organizes data according to the AT command format and sends it to the device terminal, that is, it sends the update data line to the terminal, and the update data includes the IMEI, enable identifier (initialization can be SIMLOCK_ENABLE_FLAG), and hash value of IMEI and enable identifier.
[0213] S2.2.6 After receiving the AT command (i.e., update data), the device terminal will read the corresponding NV item to obtain the IMEI data based on the assignment of the "simlock_enable_flag" member of the data carried in the AT command (which can be denoted as D1) (if it is non-zero). (simlock_enable_flag data 0~3 correspond to the enabling status of IMEI1~IMEI4 respectively). Based on "simlock_enable_flag" and IMEI, the hash value H2 is recalculated. If H2 is equal to "digest" in the received AT command, and the newly read IMEI is equal to "imei" in the received update data, the data is considered valid; otherwise, an error is returned.
[0214] S2.2.7, based on the KDF algorithm, the string "Salt13+UID+Salt23" is deduced to generate an encryption key K1. Based on the key K1 and the AES CBC algorithm, the data D1 carried by the AT command is encrypted to obtain ciphertext M1, and then written to the reserved item in the NV file.
[0215] S2.2.8 After writing the ciphertext M1 to the NV file, it is necessary to verify whether the writing was successful. Read back the NV data to obtain M2, and use the same rules to obtain the key K1. Based on M2 and K1, use the AES CBC algorithm to decrypt to obtain the plaintext data D2. According to the assignment of the "simlock_enable_flag" member in data D2 (if it is not zero), read the corresponding NV item to obtain the IMEI data. Combine the "simlock_enable_flag" in D2 and the newly read IMEI to recalculate the hash value H3. If H3 is equal to "digest" in D2 and all newly read IMEIs are equal to "imei" in D2, it is considered that M1 was written successfully.
[0216] S2.2.9 Enable the SIMLOCK enable flag in the EFUSE space of the terminal (the device will use this flag to determine whether to enable card lock data and enable flag verification function when the terminal is powered on or when the Modem is reset).
[0217] S2.3, Check SIMLOCK Enable Status. After completing the SIMLOCK data update and SIMLOCK function enabling operations, the SIMLOCK enable status of the device terminal needs to be confirmed before leaving the factory to ensure that the correct SIMLOCK data is configured and the SIMLOCK function is indeed enabled. The SIMLOCK data confirmation can be done using the corresponding AT command for the non-secure SIMLOCK scheme. The terminal can also synchronously save the SIMLOCK enable flag when deploying it and retrieve it according to the "struct simlock_enable_data" structure. Therefore, the process of obtaining the SIMLOCK enable status can be as follows: Figure 13 As shown, this includes enabling tools and terminals, specifically:
[0218] Step 1: The tool obtains the SIMLOCK enable data corresponding to the device terminal, which may be a "struct simlock_enable_data" data structure.
[0219] Step 2: The tool generates the command "AT+SPSLCMD="check_enable_simlock" and sends it to the device terminal along with the data "structsimlock_enable_data".
[0220] Step 3: After receiving the command "AT+SPSLCMD="check_enable_simlock", the device terminal performs the following steps:
[0221] The SIMLOCK enable flag NV entry is read to obtain ciphertext M2; an encryption key K1 is generated using the KDF algorithm based on the string "Salt13+UID+Salt23"; the plaintext data D2 is obtained by decrypting M2 and K1 using the AES CBC algorithm; the IMEI data is obtained by reading the corresponding NV entry based on the assignment of the "simlock_enable_flag" member in data D2 (if it is non-zero); the hash value H3 is recalculated by combining the "simlock_enable_flag" in D2 and the IMEI; if H3 is equal to "digest" in D2, and the newly read IMEI is equal to "imei" in D2, the SIMLOCK enable flag is considered valid. The data "struct simlock_enable_data" carried by the command "AT+SPSLCMD="check_enable_simlock"" is compared with data D2; if they are equal, success is returned, otherwise failure is returned.
[0222] S2.4, Data Security Verification, specifically, is to prevent malicious tampering of SIMLOCK data and the SIMLOCK enable flag. When the device is powered on and during a Modem Reset, the integrity of the SIMLOCK data and SIMLOCK enable flag is determined based on the SIMLOCK enable flag bit in the EFUSE space. Specifically:
[0223] Step 1: Read the SIMLOCK enable flag in the EFUSE space of the terminal. If the SIMLOCK enable flag is not set, return normally; otherwise, jump to Step 2 and Step 3 to check the integrity of the SIMLOCK data and the SIMLOCK enable flag.
[0224] Step 2, SIMLOCK data integrity check: Read back the card lock data and encrypted hash value MH2'; recalculate the hash value of the card lock data to obtain H3; derive the encryption key K1 based on the string "Salt12+UID+Salt22" using the KDF algorithm; then decrypt MH2' based on the key K1 using the AES CBC algorithm to obtain the hash value H2'; if H3 equals H2', the data is valid, jump to step (3) to continue checking the integrity of the SIMLOCK enable flag, otherwise, exit abnormally.
[0225] Step 3, SIMLOCK enable flag integrity check: Assume the SIMLOCK enable flag data read back is M2; derive the encryption key K1 using the KDF algorithm based on the string "Salt13+UID+Salt23", and decrypt the plaintext data D2 using the AES CBC algorithm based on M2 and K1; read the corresponding NV item to obtain the IMEI data according to the assignment of the "simlock_enable_flag" member in data D2 (if it is non-zero); recalculate the hash value H3 by combining the "simlock_enable_flag" of D2 and the IMEI; if H3 is equal to "digest" in D2 and the newly read IMEI is equal to "imei" in D2, the SIMLOCK enable flag data is considered valid; otherwise, exit abnormally.
[0226] The data processing method provided in this embodiment enables secure cloud server enabling of multi-carrier network-locked data. In the first stage, SIMLOCK data deployment is implemented by compiling the constructed multi-carrier differential data into a PAC package, flashing it into the device, and configuring initial SIMLOCK data. In the second stage, SIMLOCK enabling is implemented, supporting both online server enabling and local tool enabling. This mainly involves sending SIMLOCK enabling data to the device, reading the corresponding carrier differential data through the carrier ID in the data, and updating the corresponding NV in SIMLOCK. In other words, the data processing method provided in this embodiment also offers a secure cloud server enabling solution for multi-carrier network-locked data on Android mobile devices.
[0227] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps. It is understood that the steps in different embodiments can be freely combined as needed, and all non-contradictory solutions formed by such combinations are within the scope of protection of this application.
[0228] Based on the same inventive concept, this application also provides a data processing apparatus for implementing the data processing method described above. This apparatus can be applied to or integrated into a chip or chip module, for example. The solution provided by this apparatus is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more data processing apparatus embodiments provided below can be found in the limitations of the data processing method above, and will not be repeated here.
[0229] In one exemplary embodiment, such as Figure 14 As shown, a data processing apparatus 1400 is provided, comprising:
[0230] The first acquisition module 1402 is used to acquire the firmware update data packet corresponding to the operator configuration request and execute the firmware update data packet to store the differential configuration file in the update data packet in the target storage area of the terminal.
[0231] The first receiving module 1404 is used to receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command.
[0232] The first determining module 1406 is used to obtain a terminal that meets the operator's configuration request in response to the verification of the enable status of the target function and the verification of the enable data of the target function.
[0233] In one embodiment, the firmware update data packet is obtained by compiling a differential configuration file. The differential configuration file includes differential data and differential signature data corresponding to each operator. Each differential signature data is obtained by signing the differential data corresponding to each operator. Each differential data is generated in response to the operator configuration request, based on the obtained initial storage data and the device configuration data of each operator.
[0234] In one embodiment, the first receiving module is specifically used for:
[0235] Receive a target function enable instruction sent by the server, the target function enable instruction carrying signature data and operator identifier;
[0236] The original device identifier of the terminal is read, and the hash data corresponding to the original device identifier is calculated. Based on the hash data and the operator identifier, concatenated data is obtained. In response to the concatenated data passing the verification, operator differential data is extracted from the target storage area based on the operator identifier.
[0237] In response to the operator differential data passing data verification, the target function enable function is populated based on the device identification data in the target storage area, and the target function is activated by calling the target function enable function.
[0238] In one embodiment, the first receiving module is specifically used for:
[0239] Receive a target function update instruction sent by the enabling tool, the target function update instruction including the length of the operator differential data, the hash value, and the operator differential data;
[0240] In response to the operator differential data and target SIM card lock data passing verification, the processing result corresponding to the target function update instruction is returned to the enabling tool;
[0241] Receive update data sent by the enabling tool; in response to the update data passing verification, encrypt the update data to generate encrypted data, and add the encrypted data to the differential configuration file of the target storage area;
[0242] The differential configuration file is read back to obtain readback data. In response to the readback data being verified, the enable flag of the target function is enabled in the preset storage space of the terminal so as to enable the target function when the terminal restarts.
[0243] In one embodiment, the first receiving module is further specifically used for:
[0244] In response to the operator differential data passing the verification, the card lock data in the target storage area is updated using preset backup card lock data;
[0245] Calculate the hash value of each card data in the target storage area, and add the hash value to the target storage area;
[0246] The target storage area is read back to obtain the target lock card data. In response to the target lock card data passing the verification, the processing result corresponding to the target function update instruction is returned to the enabling tool.
[0247] In one embodiment, the device further includes:
[0248] The second receiving module is used to receive a function check command sent by the enabling tool, wherein the function check command includes at least target function enable data.
[0249] The second acquisition module is used to read the enable flag data of the target function in the target storage area;
[0250] The comparison module is used to compare the first plaintext data corresponding to the enable flag data with the target function enable data in response to the enable flag data being valid.
[0251] The second determining module is configured to determine that the enabling state of the target function passes the verification in response to a match between the first plaintext data and the target function enabling data; or, in response to a mismatch between the first plaintext data and the target function enabling data, determine that the enabling state of the target function fails the verification.
[0252] In one embodiment, the device further includes:
[0253] The reading module is used to read the enable flags of the target functions in the preset storage space of the terminal;
[0254] The calculation module is used to respond to the effective target function enable data corresponding to the enable flag, perform encryption and decryption processing based on the encryption identifier of the terminal and the enable flag to generate second plaintext data; based on the second plaintext data, obtain a new device identifier, and calculate a first target hash value based on the new device identifier and operator differential data;
[0255] The third determining module is used to determine that the enable data of the target function passes the verification in response to the target hash value matching the original hash value corresponding to the second plaintext data and the new device identifier matching the original device identifier corresponding to the second plaintext data.
[0256] Regarding the modules / units included in the various devices and products described in the above embodiments, they can be software modules / units, hardware modules / units, or a combination of both. For example, for various devices and products applied to or integrated into a chip, all of their modules / units can be implemented using hardware methods such as circuits, or at least some modules / units can be implemented using software programs that run on a processor integrated within the chip, while the remaining (if any) modules / units can be implemented using hardware methods such as circuits; for various devices and products applied to or integrated into a chip module, all of their modules / units can be implemented using hardware methods such as circuits, and different modules / units can be located in the same component (e.g., chip, circuit module, etc.) or different components of the chip module, or at least some modules / units can be implemented using hardware methods such as circuits. The components can be implemented using software programs that run on the processor integrated within the chip module. The remaining (if any) modules / units can be implemented using hardware methods such as circuits. For various devices and products applied to or integrated into the terminal, each of its components / units can be implemented using hardware methods such as circuits. Different modules / units can be located in the same component (e.g., chip, circuit module, etc.) or in different components within the terminal. Alternatively, at least some modules / units can be implemented using software programs that run on the processor integrated within the terminal, while the remaining (if any) modules / units can be implemented using hardware methods such as circuits.
[0257] In one exemplary embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 15 As shown, this computer device includes a processor, memory, input / output interfaces (I / O), and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores operator data. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communicating with external terminals via a network connection. When the computer program is executed by the processor, it implements a data processing method.
[0258] Those skilled in the art will understand that Figure 15The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0259] In one embodiment, a computer device is also provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above method embodiments.
[0260] Based on the same inventive concept, this application also provides a chip, including a processor and a communication interface; the communication interface is used to receive or send data; the processor is configured to cause the chip to perform the following steps:
[0261] Obtain the firmware update data packet corresponding to the operator configuration request, and store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal based on the firmware update data packet;
[0262] Receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command;
[0263] In response to the verification of the enable status of the target function and the verification of the enable data of the target function, a terminal that meets the operator configuration request is obtained.
[0264] In one embodiment, the firmware update data packet is obtained by compiling a differential configuration file. The differential configuration file includes differential data and differential signature data corresponding to each operator. Each differential signature data is obtained by signing the differential data corresponding to each operator. Each differential data is generated in response to the operator configuration request, based on the obtained initial storage data and the device configuration data of each operator.
[0265] In one embodiment, the processor is configured to cause the chip to perform the following steps:
[0266] Receive a target function enable instruction sent by the server, the target function enable instruction carrying signature data and operator identifier;
[0267] The original device identifier of the terminal is read, and the hash data corresponding to the original device identifier is calculated. Based on the hash data and the operator identifier, concatenated data is obtained. In response to the concatenated data passing the verification, operator differential data is extracted from the target storage area based on the operator identifier.
[0268] In response to the operator differential data passing data verification, the target function enable function is populated based on the device identification data in the target storage area, and the target function is activated by calling the target function enable function.
[0269] In one embodiment, the processor is configured to cause the chip to perform the following steps:
[0270] Receive a target function update instruction sent by the enabling tool, the target function update instruction including the length of the operator differential data, the hash value, and the operator differential data;
[0271] In response to the operator differential data and target SIM card lock data passing verification, the processing result corresponding to the target function update instruction is returned to the enabling tool;
[0272] Receive update data sent by the enabling tool; in response to the update data passing verification, encrypt the update data to generate encrypted data, and add the encrypted data to the differential configuration file of the target storage area;
[0273] The differential configuration file is read back to obtain readback data. In response to the readback data being verified, the enable flag of the target function is enabled in the preset storage space of the terminal so as to enable the target function when the terminal restarts.
[0274] In one embodiment, the processor is configured to cause the chip to perform the following steps:
[0275] In response to the operator differential data passing the verification, the card lock data in the target storage area is updated using preset backup card lock data;
[0276] Calculate the hash value of each card data in the target storage area, and add the hash value to the target storage area;
[0277] The target storage area is read back to obtain the target lock card data. In response to the target lock card data passing the verification, the processing result corresponding to the target function update instruction is returned to the enabling tool.
[0278] In one embodiment, the processor is configured to cause the chip to perform the following steps:
[0279] Receive a function check command sent by the enabling tool, wherein the function check command includes at least target function enable data;
[0280] In the target storage area, read the enable flag data of the target function;
[0281] In response to the enable flag data being valid, the first plaintext data corresponding to the enable flag data is compared with the target function enable data;
[0282] In response to the first plaintext data matching the target function enable data, the enable state of the target function is determined to have passed the verification; or, in response to the first plaintext data not matching the target function enable data, the enable state of the target function is determined to have failed the verification.
[0283] In one embodiment, the processor is configured to cause the chip to perform the following steps:
[0284] Read the enable flag of the target function in the preset storage space of the terminal;
[0285] In response to the validity of the target function enable data corresponding to the enable flag, encryption and decryption processing is performed based on the encryption identifier of the terminal and the enable flag to generate second plaintext data; based on the second plaintext data, a new device identifier is obtained, and based on the new device identifier and the operator differential data, a first target hash value is calculated;
[0286] In response to the target hash value matching the original hash value corresponding to the second plaintext data, and the new device identifier matching the original device identifier corresponding to the second plaintext data, it is determined that the enable data of the target function has passed the verification.
[0287] It is understood that the chip involved in the embodiments of this application may be a field-programmable gate array (FPGA), may be an application-specific integrated circuit (ASIC), may be a system on chip (SoC), may be a central processor unit (CPU), may be a network processor (NP), may be a digital signal processor (DSP), may be a microcontroller unit (MCU), may be a programmable logic device (PLD), or other integrated chips, etc.
[0288] Based on the same inventive concept, this application also provides a chip module, such as... Figure 16 As shown, the chip module includes a communication module, a power module, a storage module, and a chip. Among them:
[0289] The power module is used to provide power to the chip module; the storage module is used to store data and instructions; the communication module is used for internal communication within the chip module, or for communication between the chip module and external devices; this chip corresponds to the chip in the above chip embodiment.
[0290] The implementation method of this chip module can be found in the relevant content of the above chip embodiment, and will not be repeated here.
[0291] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon that, when executed by a processor, implements the steps in the above method embodiments.
[0292] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.
[0293] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0294] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.
[0295] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.
[0296] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A data processing method, characterized in that, The method includes: Obtain the firmware update data packet corresponding to the operator configuration request, and store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal based on the firmware update data packet; Receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command; In response to the verification of the enable status of the target function and the verification of the enable data of the target function, a terminal that meets the operator configuration request is obtained.
2. The method according to claim 1, characterized in that, The firmware update data package is obtained by compiling a differential configuration file. The differential configuration file includes differential data and differential signature data corresponding to each operator. Each differential signature data is obtained by signing the differential data corresponding to each operator. Each differential data is generated in response to the operator configuration request, based on the obtained initial storage data and the device configuration data of each operator.
3. The method according to claim 1, characterized in that, The receiving of the target function enable command, in response to the target function enable command passing data verification, enables the target function of the terminal based on the device identifier corresponding to the target function enable command, including: Receive a target function enable instruction sent by the server, the target function enable instruction carrying signature data and operator identifier; The original device identifier of the terminal is read, and the hash data corresponding to the original device identifier is calculated. Based on the hash data and the operator identifier, concatenated data is obtained. In response to the concatenated data passing the verification, operator differential data is extracted from the target storage area based on the operator identifier. In response to the operator differential data passing data verification, the target function enable function is populated based on the device identification data in the target storage area, and the target function is activated by calling the target function enable function.
4. The method according to claim 1, characterized in that, The receiving of the target function enable command, in response to the target function enable command passing data verification, enables the target function of the terminal based on the device identifier corresponding to the target function enable command, including: Receive a target function update instruction sent by the enabling tool, the target function update instruction including the length of the operator differential data, the original hash value, and the operator differential data; In response to the operator differential data and target SIM card lock data passing verification, the processing result corresponding to the target function update instruction is returned to the enabling tool; Receive update data sent by the enabling tool; in response to the update data passing verification, encrypt the update data to generate encrypted data, and add the encrypted data to the differential configuration file of the target storage area; The differential configuration file is read back to obtain readback data. In response to the readback data being verified, the enable flag of the target function is enabled in the preset storage space of the terminal so as to enable the target function when the terminal restarts.
5. The method according to claim 4, characterized in that, The step of responding to the verification of the operator differential data and the target SIM card lock data by returning the processing result corresponding to the target function update instruction to the enabling tool includes: In response to the operator differential data passing the verification, the card lock data in the target storage area is updated using preset backup card lock data; Calculate the hash value of each card data in the target storage area, and add the hash value to the target storage area; The target storage area is read back to obtain the target lock card data. In response to the target lock card data passing the verification, the processing result corresponding to the target function update instruction is returned to the enabling tool.
6. The method according to claim 1, characterized in that, The method further includes: Receive a function check command sent by the enabling tool, wherein the function check command includes at least target function enable data; In the target storage area, read the enable flag data of the target function; In response to the enable flag data being valid, the first plaintext data corresponding to the enable flag data is compared with the target function enable data; In response to the first plaintext data matching the target function enable data, the enable state of the target function is determined to have passed the verification; or, in response to the first plaintext data not matching the target function enable data, the enable state of the target function is determined to have failed the verification.
7. The method according to claim 1, characterized in that, The method further includes: Read the enable flag of the target function in the preset storage space of the terminal; In response to the validity of the target function enable data corresponding to the enable flag, encryption and decryption processing is performed based on the encryption identifier of the terminal and the enable flag to generate second plaintext data; based on the second plaintext data, a new device identifier is obtained, and based on the new device identifier and the operator differential data, a first target hash value is calculated; In response to the target hash value matching the original hash value corresponding to the second plaintext data, and the new device identifier matching the original device identifier corresponding to the second plaintext data, it is determined that the enable data of the target function has passed the verification.
8. A data processing apparatus, characterized in that, The device includes: The first acquisition module is used to acquire the firmware update data packet corresponding to the operator configuration request, and based on the firmware update data packet, store the differential configuration file corresponding to the firmware update data packet in the target storage area of the terminal. The first receiving module is configured to receive a target function enable command, and in response to the target function enable command passing data verification, enable the target function of the terminal based on the device identifier corresponding to the target function enable command; The first determining module is used to obtain a terminal that meets the operator's configuration request in response to the verification of the enable status of the target function and the verification of the enable data of the target function.
9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.
10. A chip, characterized in that, The device includes a processor and a communication interface, the processor being configured to cause the chip to perform the steps of the method described in any one of claims 1 to 7.