BL31 Exploit of the Amlogic s905x2, s905x3 and s922x SOCs

• The vulnerability was discovered by Blasty for the Amlogic a113x.
• https://github.com/blasty/sonos

This is a modification of Blasty's exploit, made to work the Amlogic s905x2, s905x3 and s922x(Thanks Taco) SOCs.

Added a memory dumping function (dump_mem) to read RAM & SRAM.

The compiled Lkm_module is compatible with CoreELEC versions 19.5,20.2 and 21, Linux/arm64 4.9.269 kernel configuration.

• P.S This module not work on CE20.3,CE20.4.

All source has been compiled and is ready to use.

How to use

CoreELEC (version 19.5-21) needs to be booted on the target device to run the exploit.

Use CoreELEC's default smb server to copy & paste the exploit files to the target.

Transfer aml_pwn, khax.ko and load_lkm.sh to the Downloads folder of CoreELEC.

To run the exploit establish an ssh or uart connection with the Amlogic box.

SSH Example

ssh root@ip_addr_box (ssh root@192.168.x.x) default password for ssh is "coreelec"

• ./load_lkm.sh * load khax exploit module required for aml_pwn

• ./aml_pwn dump_bootrom bootrom.bin * dump bootrom/BL1

• ./aml_pwn dump_otp otp.bin * dump efuse/otp pattern

• ./aml_pwn dump_mem 0x800 0xfffe0000 efuse.bin * dump efuse values from SRAM

• ./aml_pwn dump_mem 0x10000 0xfffa0000 bl2.bin * dump decrypted BL2 from SRAM

Compilation resources

*GCC for aml_pwn

• https://musl.cc/aarch64-linux-musl-cross.tgz

*GCC for lkm

• sudo apt install gcc-aarch64-linux-gnu

*Linux/arm64 4.9.269 Kernel Configuration

• https://github.com/CoreELEC/linux-amlogic/archive/ab03043a776354e02be86d06007751f652680c00.tar.gz

Video Demo

YouTube * https://youtu.be/i1MrdO4PWYw