MTK-bypass / bypass_utility

MIT License

The exploit does not work on the chipset MT6580 #40

Closed Heheheking closed 3 years ago

Heheheking commented 3 years ago

I'm researching MediaTek protection, and I still can't figure out which function uses the var_1 variable in the BootROM to understand exactly how the exploit works.

It doesn't want to work on my device at all.

[2021-06-18 19:27:33.235679] Waiting for device
[2021-06-18 19:27:43.037656] Found port = COM6

[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device sw version: 0x0
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False

[2021-06-18 19:27:43.109120] Disabling watchdog timer
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply

bootrom_6580_ca00.zip

akrmkrmo14 commented 3 years ago

> I'm researching MediaTek protection, and I still can't figure out which function uses the var_1 variable in the BootROM to understand exactly how the exploit works.
>
> It doesn't want to work on my device at all.
>
> [2021-06-18 19:27:33.235679] Waiting for device
> [2021-06-18 19:27:43.037656] Found port = COM6
>
> [2021-06-18 19:27:43.104233] Device hw code: 0x6580
> [2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
> [2021-06-18 19:27:43.106187] Device hw version: 0xca00
> [2021-06-18 19:27:43.107166] Device sw version: 0x0
> [2021-06-18 19:27:43.107166] Device secure boot: True
> [2021-06-18 19:27:43.108142] Device serial link authorization: False
> [2021-06-18 19:27:43.108142] Device download agent authorization: False
>
> [2021-06-18 19:27:43.109120] Disabling watchdog timer
> [2021-06-18 19:27:43.110097] Disabling protection
> [2021-06-18 19:28:00.174894] Payload did not reply
>
> bootrom_6580_ca00.zip

Not all versions of this SoC contain SLA... ONLY NEW versions!!

chaosmaster commented 3 years ago

Your device has neither SLA nor DAA enabled, so there should not be any bypass required. Did you use the --force option? Also, there was recently a fix for 6580 in https://github.com/MTK-bypass/exploits_collection/commit/4fbdb6bd72a819381cd731f5249297241bad37c8
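
To make that check mechanical, here is an added example (not code from the repository or from anyone in this thread) that parses the utility's log lines as printed in the issue and reports whether the device actually has SLA or DAA enabled, i.e. whether the BootROM still enforces download-agent authentication. The log format and field names are taken from the output above; the dataclass and function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the relevant lines of the log posted in the issue.
SAMPLE_LOG = """\
[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply
"""

LINE_RE = re.compile(r"^\[[^\]]+\]\s+(?P<msg>.*)$")          # "[timestamp] message"
FIELD_RE = re.compile(r"^Device (?P<key>[a-z ]+?): (?P<val>\S+)$")  # "Device <key>: <val>"

@dataclass
class DeviceState:
    hw_code: Optional[int] = None
    hw_version: Optional[int] = None
    secure_boot: Optional[bool] = None
    sla: Optional[bool] = None   # serial link authorization
    daa: Optional[bool] = None   # download agent authorization
    payload_replied: Optional[bool] = None

def _to_bool(s: str) -> bool:
    return {"True": True, "False": False}[s]

def parse_log(text: str) -> DeviceState:
    """Extract the protection flags the utility prints during handshake."""
    st = DeviceState()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "Payload did not reply":
            st.payload_replied = False
            continue
        f = FIELD_RE.match(msg)
        if not f:
            continue
        key, val = f.group("key"), f.group("val")
        if key == "hw code":
            st.hw_code = int(val, 16)
        elif key == "hw version":
            st.hw_version = int(val, 16)
        elif key == "secure boot":
            st.secure_boot = _to_bool(val)
        elif key == "serial link authorization":
            st.sla = _to_bool(val)
        elif key == "download agent authorization":
            st.daa = _to_bool(val)
    return st

def bypass_needed(st: DeviceState) -> bool:
    """The bypass only matters when SLA or DAA is enforced by the BootROM."""
    return bool(st.sla or st.daa)
```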

Heheheking commented 3 years ago

I got curious about how the exploit works, so I needed to use the -f option. After adding the value var_1, I got the ability to execute at BootROM EL. Thank you very much. But I'm still at a loss as to where var_1 comes from. I would be very grateful if you could give a little hint about where the vulnerable USB request handler is located, or send an IDA database :-)

chaosmaster commented 3 years ago

The handler for 6580 is at 0x5cbc