MTK-bypass / bypass_utility

MIT License

MT8516 (hw 0x8167)? #25

Closed dsborets closed 3 years ago

dsborets commented 3 years ago

Hi, any chance to see this tool support MT8516 (hw 0x8167)? Does it make sense to try to play with currently supported hw 0x8163?

```
Device hw code: 0x8167
Device hw sub code: 0x8a00
Device hw version: 0xcb00
Device sw version: 0x1
Device secure boot: True
Device serial link authorization: False
Device download agent authorization: True
```

dsborets commented 3 years ago

With -t key:

```
./main.py -t
[2021-04-07 16:31:47.745152] Waiting for device
[2021-04-07 16:32:20.843313] Found port = /dev/ttyACM0
[2021-04-07 16:32:20.868214] Can't find 0x8167 hw_code in config

[2021-04-07 16:32:20.868380] Device hw code: 0x8167
[2021-04-07 16:32:20.868458] Device hw sub code: 0x8a00
[2021-04-07 16:32:20.868521] Device hw version: 0xcb00
[2021-04-07 16:32:20.868583] Device sw version: 0x1
[2021-04-07 16:32:20.868638] Device secure boot: True
[2021-04-07 16:32:20.868681] Device serial link authorization: False
[2021-04-07 16:32:20.868722] Device download agent authorization: True

[2021-04-07 16:32:20.868766] Disabling watchdog timer
[2021-04-07 16:32:20.869251] Disabling protection
Traceback (most recent call last):
  File "/run/media/root/Storage/projects/bypass_utility/./main.py", line 213, in <module>
    main()
  File "/run/media/root/Storage/projects/bypass_utility/./main.py", line 58, in main
    result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
  File "/run/media/root/Storage/projects/bypass_utility/src/exploit.py", line 17, in exploit
    device.read32(addr - (cnt - i) * 4, cnt - i + 1)
  File "/run/media/root/Storage/projects/bypass_utility/src/device.py", line 126, in read32
    self.check(self.dev.read(2), to_bytes(0, 2))  # arg check
  File "/run/media/root/Storage/projects/bypass_utility/src/device.py", line 88, in check
    raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x0000 got 0x0003
```

Ghost719 commented 3 years ago

Go to line 126 and replace it with: `assert from_bytes(self.dev.read(2), 2) <= 0xff`

dsborets commented 3 years ago

I changed that line. I also had to apply the same change to line 132, `self.check(self.dev.read(2), to_bytes(0, 2))  # status`. Is that the right assumption?

Now I see this:

```
[2021-04-07 17:54:04.122420] Disabling protection
[Errno 110] Operation timed out
[2021-04-07 17:54:11.284646] Test mode, testing 0xb...
[2021-04-07 17:54:11.284828] Waiting for device
[2021-04-07 17:54:53.487974] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
```

After "Test mode, testing 0xb..." I had to power cycle the device. Is that expected? Should I keep doing it? Because it is a really time-consuming process, I just want to make sure that the changes to the original code are correct; I don't want to miss really working settings :-)

dsborets commented 3 years ago

```
[2021-04-20 17:26:20.335054] Test mode, testing (0xc9)...
[2021-04-20 17:26:20.335449] Waiting for device
[2021-04-20 17:26:27.103697] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:26:34.175066] Test mode, testing (0xca)...
[2021-04-20 17:26:34.175453] Waiting for device
[2021-04-20 17:26:40.944465] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:26:48.015044] Test mode, testing (0xcb)...
[2021-04-20 17:26:48.015442] Waiting for device
[2021-04-20 17:26:54.773433] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:27:01.854987] Test mode, testing (0xcc)...
[2021-04-20 17:27:01.855374] Waiting for device
[2021-04-20 17:27:08.602164] Found port = /dev/ttyACM0
[Errno 110] Operation timed out
[2021-04-20 17:27:09.610632] Found send_dword, dumping bootrom to bootrom_8167.bin
```

dsborets commented 3 years ago

And here is the dump: bootrom_8167.zip

chaosmaster commented 3 years ago

Thanks, will look into it.

bkerler commented 3 years ago

Try this payload, var_a = 0xCC

mt8167_payload.zip

dsborets commented 3 years ago

```
[2021-04-20 20:23:40.817421] Waiting for device
[2021-04-20 20:23:46.636358] Found port = /dev/ttyACM0

[2021-04-20 20:23:46.661460] Device hw code: 0x8167
[2021-04-20 20:23:46.661557] Device hw sub code: 0x8a00
[2021-04-20 20:23:46.661640] Device hw version: 0xcb00
[2021-04-20 20:23:46.661700] Device sw version: 0x1
[2021-04-20 20:23:46.661748] Device secure boot: True
[2021-04-20 20:23:46.661797] Device serial link authorization: False
[2021-04-20 20:23:46.661834] Device download agent authorization: True

[2021-04-20 20:23:46.661892] Disabling watchdog timer
[2021-04-20 20:23:46.662470] Disabling protection
[2021-04-20 20:23:48.788586] Protection disabled
```

Seems like it worked. But when I power cycle the device, it does exactly the same thing again (same log). Is that expected?

chaosmaster commented 3 years ago

Yes, disabling security is only temporary until next reboot.

dsborets commented 3 years ago

Great. Thank you!

dsborets commented 3 years ago

@chaosmaster I'm trying to back up the FW, but fastboot doesn't see my device after I ran this tool. I'm curious which tools I can use to do it, and what state the device is in after removing the protection?

chaosmaster commented 3 years ago

fastboot is neither the right tool, nor does it allow backing up partitions in general. Please refer to the README.