Closed dsborets closed 3 years ago
With -t key:

```
./main.py -t
[2021-04-07 16:31:47.745152] Waiting for device
[2021-04-07 16:32:20.843313] Found port = /dev/ttyACM0
[2021-04-07 16:32:20.868214] Can't find 0x8167 hw_code in config
[2021-04-07 16:32:20.868380] Device hw code: 0x8167
[2021-04-07 16:32:20.868458] Device hw sub code: 0x8a00
[2021-04-07 16:32:20.868521] Device hw version: 0xcb00
[2021-04-07 16:32:20.868583] Device sw version: 0x1
[2021-04-07 16:32:20.868638] Device secure boot: True
[2021-04-07 16:32:20.868681] Device serial link authorization: False
[2021-04-07 16:32:20.868722] Device download agent authorization: True
[2021-04-07 16:32:20.868766] Disabling watchdog timer
[2021-04-07 16:32:20.869251] Disabling protection
Traceback (most recent call last):
  File "/run/media/root/Storage/projects/bypass_utility/./main.py", line 213, in <module>
    main()
  File "/run/media/root/Storage/projects/bypass_utility/./main.py", line 58, in main
    result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
  File "/run/media/root/Storage/projects/bypass_utility/src/exploit.py", line 17, in exploit
    device.read32(addr - (cnt - i) * 4, cnt - i + 1)
  File "/run/media/root/Storage/projects/bypass_utility/src/device.py", line 126, in read32
    self.check(self.dev.read(2), to_bytes(0, 2)) # arg check
  File "/run/media/root/Storage/projects/bypass_utility/src/device.py", line 88, in check
    raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x0000 got 0x0003
```
Go to line 126 and replace it with:

```python
assert from_bytes(self.dev.read(2), 2) <= 0xff
```
I changed that line, and I also had to apply the same change to line 132:

```python
self.check(self.dev.read(2), to_bytes(0, 2)) # status
```

Is it the right assumption?

Now I see this:

```
[2021-04-07 17:54:04.122420] Disabling protection
[Errno 110] Operation timed out
[2021-04-07 17:54:11.284646] Test mode, testing 0xb...
[2021-04-07 17:54:11.284828] Waiting for device
[2021-04-07 17:54:53.487974] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
```

After "Test mode, testing 0xb..." I had to power cycle the device. Is that expected? Should I keep doing it?
Because it's a really time-consuming process, I just want to make sure that the changes to the original code are correct; I don't want to miss really working settings :-)
```
[2021-04-20 17:26:20.335054] Test mode, testing (0xc9)...
[2021-04-20 17:26:20.335449] Waiting for device
[2021-04-20 17:26:27.103697] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:26:34.175066] Test mode, testing (0xca)...
[2021-04-20 17:26:34.175453] Waiting for device
[2021-04-20 17:26:40.944465] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:26:48.015044] Test mode, testing (0xcb)...
[2021-04-20 17:26:48.015442] Waiting for device
[2021-04-20 17:26:54.773433] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:27:01.854987] Test mode, testing (0xcc)...
[2021-04-20 17:27:01.855374] Waiting for device
[2021-04-20 17:27:08.602164] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:27:09.610632] Found send_dword, dumping bootrom to bootrom_8167.bin
```
and here is the dump: bootrom_8167.zip
Thanks, will look into it.
Try this payload, var_a = 0xCC
```
[2021-04-20 20:23:40.817421] Waiting for device
[2021-04-20 20:23:46.636358] Found port = /dev/ttyACM0
[2021-04-20 20:23:46.661460] Device hw code: 0x8167
[2021-04-20 20:23:46.661557] Device hw sub code: 0x8a00
[2021-04-20 20:23:46.661640] Device hw version: 0xcb00
[2021-04-20 20:23:46.661700] Device sw version: 0x1
[2021-04-20 20:23:46.661748] Device secure boot: True
[2021-04-20 20:23:46.661797] Device serial link authorization: False
[2021-04-20 20:23:46.661834] Device download agent authorization: True
[2021-04-20 20:23:46.661892] Disabling watchdog timer
[2021-04-20 20:23:46.662470] Disabling protection
[2021-04-20 20:23:48.788586] Protection disabled
```
Seems like it worked. But when I power cycle the device, it does exactly the same thing again (same log). Is that expected?
Yes, disabling security is only temporary until next reboot.
Great. Thank you!
@chaosmaster I'm trying to back up a FW, but fastboot doesn't see my device after I ran this tool. I'm curious what tools I can use to do it, and what state the device is in after removing the protection?
fastboot is neither the right tool, nor does it allow backing up partitions in general. Please refer to the README.
Hi, any chance to see this tool support MT8516 (hw 0x8167)? Does it make sense to try to play with the currently supported hw 0x8163?

```
Device hw code: 0x8167
Device hw sub code: 0x8a00
Device hw version: 0xcb00
Device sw version: 0x1
Device secure boot: True
Device serial link authorization: False
Device download agent authorization: True
```