MTK-bypass / bypass_utility

MIT License

mt6261 device weirdness #36

Closed banksy-git closed 3 years ago

banksy-git commented 3 years ago

Hi,

Thanks for your great work.

When using the latest bypass_utility with the latest exploits_collection on FireISO 2.0 on real hardware (not a VM):

1) The device does not respond to the initial commands 0xFD and 0xFC. However, we can read the device code using 0xA2 (READ16) 0x80000008 and it returns 0x6261, telling us the device is mt6261.

2) Given 0x80000008 says device is a 6261 we hard code it in device.get_hw_code() and not call device.get_hw_dict()

3) From that point, the rest seems to run properly; however, the payload doesn't run. The test mode has runs of "Pipe Error" followed by runs of "Operation timed out", and it reboots every time, making me think the device is probably vulnerable but we aren't loaded at the right address, so it just breaks.

How did you find the payload load address? Any other suggestions most welcome!
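The probe sequence described in the report (0xFD gives no answer, READ16 at 0x80000008 does) can be exercised offline with a fake port. The following is an added example written for this page, not bypass_utility's own code: the command framing (each sent byte is echoed, a 0x0000 status word before and after the data) is my assumption of how the MediaTek BROM/preloader protocol behaves, the hw-code register value and the timeout behaviour of the fake port are constructed from what the issue reports, and BromHost, FakeMt6261Port and probe_hw_code are hypothetical names. The point it shows is the fallback the reporter applied by hand: try 0xFD first, and only on timeout derive the hw code from READ16 rather than hard-coding it.

```python
import struct


class Timeout(Exception):
    """Raised by the fake port when the host reads more than the device sent."""


class FakeMt6261Port:
    """Constructed stand-in for the serial port of the device in the report.

    Assumption: the device never echoes 0xFD/0xFC, so a read after them times out,
    but it services READ16 (0xA2) normally. The register map is constructed so that
    0x80000008 holds 0x6261, as the reporter observed.
    """
    REGS = {0x80000008: 0x6261}

    def __init__(self):
        self.rx = bytearray()   # bytes queued for the host to read
        self.pending = []       # bytes of the command currently being received

    def write(self, data):
        if not self.pending and data[0] in (0xFD, 0xFC):
            return              # silent: nothing is echoed, the host will time out
        self.pending += data
        self.rx += data         # assumed BROM behaviour: echo every byte received
        if self.pending[0] == 0xA2 and len(self.pending) == 9:
            _cmd, addr, count = struct.unpack('>BII', bytes(self.pending))
            self.pending.clear()
            self.rx += b'\x00\x00'                    # assumed status word
            for i in range(count):                    # 16-bit words, 2-byte stride (assumption)
                self.rx += struct.pack('>H', self.REGS.get(addr + 2 * i, 0))
            self.rx += b'\x00\x00'                    # assumed trailing status word

    def read(self, n):
        if len(self.rx) < n:
            raise Timeout("read timed out")
        out = bytes(self.rx[:n])
        del self.rx[:n]
        return out


class BromHost:
    """Host side of the assumed command framing, over any object with write()/read()."""

    def __init__(self, port):
        self.port = port

    def echo(self, value, size=1):
        data = value.to_bytes(size, 'big')
        self.port.write(data)
        back = self.port.read(size)
        if back != data:
            raise IOError(f"echo mismatch: sent {data.hex()} got {back.hex()}")

    def _status(self):
        st = self.port.read(2)
        if st != b'\x00\x00':
            raise IOError(f"bad status {st.hex()}")

    def get_hw_code(self):
        # 0xFD: the device answers with the 16-bit hw code followed by a status word.
        self.echo(0xFD)
        code = struct.unpack('>H', self.port.read(2))[0]
        self._status()
        return code

    def read16(self, addr, count=1):
        # 0xA2 (READ16): command, 32-bit address, 32-bit word count, all echoed.
        self.echo(0xA2)
        self.echo(addr, 4)
        self.echo(count, 4)
        self._status()
        words = [struct.unpack('>H', self.port.read(2))[0] for _ in range(count)]
        self._status()
        return words


HW_CODE_REG = 0x80000008   # register the reporter used as a fallback source of the hw code


def probe_hw_code(host):
    """Return the hw code, falling back to READ16 when 0xFD gets no reply."""
    try:
        return host.get_hw_code()
    except Timeout:
        return host.read16(HW_CODE_REG)[0]


if __name__ == "__main__":
    port = FakeMt6261Port()
    print(hex(probe_hw_code(BromHost(port))))
```

Against a real device the same host class would be wrapped around a pyserial/pyusb handle with a read timeout, so that an unanswered 0xFD surfaces as an exception rather than a hang; the fallback then selects the config entry by the value read from 0x80000008 instead of a hard-coded return.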

chaosmaster commented 3 years ago

The payload for 6261 doesn't reply? It's already listed in the default_config:

```python
    "0x6261": {  # mt6261
        "payload": "mt6261_payload.bin",
        "var_1": 0x28,
        "watchdog_address": 0xA0030000,
    },
```

What happens if you try to run the generic_dump_payload?

banksy-git commented 3 years ago

Payload doesn't reply - neither in normal mode nor in test mode (which uses the generic_dump_payload)

banksy-git commented 3 years ago

Working on this. Will submit pr later.