Closed Heheheking closed 3 years ago
I'm researching MediaTek protection, and I still can't figure out which function uses the var_1 variable in the BootROM, so that I can understand exactly how the exploit works.
It doesn't want to work on my device at all.
[2021-06-18 19:27:33.235679] Waiting for device
[2021-06-18 19:27:43.037656] Found port = COM6
[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device sw version: 0x0
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False
[2021-06-18 19:27:43.109120] Disabling watchdog timer
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply
Not all versions of this SoC contain SLA... ONLY NEW versions!!
Your device has neither SLA nor DAA enabled, so there should not be any bypass required.
Did you use the --force option?
Also, there was recently a fix for 6580 in https://github.com/MTK-bypass/exploits_collection/commit/4fbdb6bd72a819381cd731f5249297241bad37c8
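The reply above turns on two lines of the posted log: SLA ("serial link authorization") and DAA ("download agent authorization") are both False, so the protection-bypass step has nothing to bypass, and the later "Payload did not reply" is a payload problem rather than an authorization problem. The following is an added example, not code from the MTK-bypass project, that parses log lines of the format shown in the report into a small device record and applies that reasoning; the line layout is copied from the report, the field names (`sla`, `daa`, `payload_replied`) and the `assess` wording are this example's own, and the only failure message it recognises is the one that appears on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the log lines quoted in the report, one per line.
SAMPLE_LOG = """\
[2021-06-18 19:27:33.235679] Waiting for device
[2021-06-18 19:27:43.037656] Found port = COM6
[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device sw version: 0x0
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False
[2021-06-18 19:27:43.109120] Disabling watchdog timer
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply
"""

# "[timestamp] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
# "Device <key>: <value>" (hex number or True/False)
FIELD_RE = re.compile(r"^Device (?P<key>[a-z ]+?):\s*(?P<val>\S+)$")

# Log key -> attribute name on DeviceInfo (attribute names are this example's own).
KEY_MAP = {
    "hw code": "hw_code",
    "hw sub code": "hw_sub_code",
    "hw version": "hw_version",
    "sw version": "sw_version",
    "secure boot": "secure_boot",
    "serial link authorization": "sla",
    "download agent authorization": "daa",
}


@dataclass
class DeviceInfo:
    hw_code: Optional[int] = None
    hw_sub_code: Optional[int] = None
    hw_version: Optional[int] = None
    sw_version: Optional[int] = None
    secure_boot: Optional[bool] = None
    sla: Optional[bool] = None            # serial link authorization
    daa: Optional[bool] = None            # download agent authorization
    payload_replied: Optional[bool] = None  # None = no verdict seen in the log


def parse_value(raw: str):
    """True/False become bools; everything else is parsed as an int (0x... accepted)."""
    if raw in ("True", "False"):
        return raw == "True"
    return int(raw, 0)


def parse_log(text: str) -> DeviceInfo:
    """Fill a DeviceInfo from log lines; unknown messages are ignored."""
    info = DeviceInfo()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        f = FIELD_RE.match(msg)
        if f and f.group("key") in KEY_MAP:
            setattr(info, KEY_MAP[f.group("key")], parse_value(f.group("val")))
        elif msg == "Payload did not reply":   # the only outcome line on the page
            info.payload_replied = False
    return info


def bypass_required(info: DeviceInfo) -> bool:
    """The SLA/DAA bypass only matters if the BootROM enforces at least one of them."""
    return bool(info.sla) or bool(info.daa)


def assess(info: DeviceInfo) -> List[str]:
    """Plain-language findings in the spirit of the maintainer's reply above."""
    notes = []
    if info.hw_code is not None:
        notes.append(f"hw code 0x{info.hw_code:04x}, hw version 0x{(info.hw_version or 0):04x}")
    if info.sla is not None and info.daa is not None and not bypass_required(info):
        notes.append("SLA and DAA both disabled: no bypass required; use --force to run the payload anyway")
    if info.payload_replied is False:
        notes.append("payload did not reply: check for a recent payload fix for this hw code")
    return notes


if __name__ == "__main__":
    for n in assess(parse_log(SAMPLE_LOG)):
        print("-", n)
```

Run it as a script to print the findings for the quoted log; `parse_log` accepts any text in the same "[timestamp] message" layout, so a full tool log can be pasted into `SAMPLE_LOG` unchanged.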
I got curious about how the exploit works, so I needed to use the -f option. After adding the value var_1, I got the ability to execute at BootROM EL. Thank you very much. But I'm still at a loss as to where var_1 comes from. I would be very grateful if you could give a little hint where the vulnerable USB request handler is located, or send an IDA database :-)
The handler for 6580 is at 0x5cbc
bootrom_6580_ca00.zip