Raxone / Amlogic-exploit

Amlogic exploit at the Linux level

BL31 Exploit for Amlogic S905X2, S905X3, and S922X SoCs

This repository contains a modified version of Blasty's exploit for the Amlogic A113X SoC, adapted to work with the Amlogic S905X2, S905X3, and S922X SoCs. Thanks to Taco for the assistance in modifying the original exploit.

Features

Note: This module does not work with CoreELEC versions 20.3 or 20.4.

Getting Started

Prerequisites

Installation

  1. Clone or download the repository files.
  2. Transfer the following files to the Downloads folder of CoreELEC:
    • aml_pwn
    • khax.ko
    • load_lkm.sh
  3. Establish an SSH or UART connection to the CoreELEC device.

SSH Example

ssh root@<ip_address_of_device>  # Example: ssh root@192.168.x.x

Default SSH password: coreelec

Usage

  1. Load the kernel exploit module:
    ./load_lkm.sh
  2. Use aml_pwn to dump the following regions (for dump_mem the arguments are size, then address, then output file):
    • Dump BootROM/BL1:
      ./aml_pwn dump_bootrom bootrom.bin
    • Dump efuse/OTP pattern:
      ./aml_pwn dump_otp otp.bin
    • Dump efuse values from SRAM:
      ./aml_pwn dump_mem 0x800 0xfffe0000 efuse.bin
    • Dump decrypted BL2 from SRAM:
      ./aml_pwn dump_mem 0x10000 0xfffa0000 bl2.bin
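The four dumps above are usually run back to back, and a truncated or flat (all 0x00 / all 0xff) output is the common sign that the module did not load or the read faulted. The script below is an added example, not part of the Raxone/Amlogic-exploit repository: it runs the README's dump sequence and then checks each output file for the expected size and for a flat fill before printing hashes. It assumes aml_pwn, khax.ko and load_lkm.sh are in the current directory, that dump_mem takes `<size> <addr> <outfile>` as shown above, and that only the dump_mem sizes (0x800 and 0x10000) are known, so bootrom.bin and otp.bin are checked for being non-empty and non-flat only.

```shell
#!/bin/sh
# Added example (not the repository's own code): run the README dump
# sequence and sanity-check the results. Assumes ./aml_pwn, ./khax.ko and
# ./load_lkm.sh are in the working directory on the CoreELEC box.
set -u

AML_PWN="${AML_PWN:-./aml_pwn}"   # override with AML_PWN=/path/aml_pwn

# file_size FILE -> size in bytes (wc -c works on BusyBox and GNU)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# check_dump FILE EXPECTED_SIZE
# Returns 0 when FILE exists, is non-empty, has exactly EXPECTED_SIZE
# bytes (pass 0 when the size is unknown), and is not a flat 0x00 or
# 0xff fill, which is what a failed or unmapped read usually looks like.
check_dump() {
    f="$1"; want="$2"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    got=$(file_size "$f")
    [ "$got" -gt 0 ] || { echo "$f: empty" >&2; return 1; }
    if [ "$want" -ne 0 ] && [ "$got" -ne "$want" ]; then
        echo "$f: got $got bytes, expected $want" >&2
        return 1
    fi
    # Compare against a same-length 0x00 fill and a 0xff fill.
    if head -c "$got" /dev/zero | cmp -s - "$f"; then
        echo "$f: all zeros, read probably failed" >&2
        return 1
    fi
    if head -c "$got" /dev/zero | tr '\000' '\377' | cmp -s - "$f"; then
        echo "$f: all 0xff, read probably failed" >&2
        return 1
    fi
    return 0
}

# dump_all: the README sequence, then verification and hashes.
dump_all() {
    ./load_lkm.sh || return 1
    "$AML_PWN" dump_bootrom bootrom.bin || return 1
    "$AML_PWN" dump_otp otp.bin || return 1
    "$AML_PWN" dump_mem 0x800 0xfffe0000 efuse.bin || return 1
    "$AML_PWN" dump_mem 0x10000 0xfffa0000 bl2.bin || return 1
    check_dump bootrom.bin 0 || return 1
    check_dump otp.bin 0 || return 1
    check_dump efuse.bin $((0x800)) || return 1
    check_dump bl2.bin $((0x10000)) || return 1
    sha256sum bootrom.bin otp.bin efuse.bin bl2.bin
}

# Only run the dumps when explicitly asked, so the functions can be
# sourced and used on existing files: sh dump_check.sh --run
if [ "${1:-}" = "--run" ]; then
    dump_all
fi
```

Copy the script next to the three files from the Installation step and run it with `--run`; to re-check dumps you already have, source it and call `check_dump bl2.bin $((0x10000))` directly. The flat-fill check is deliberately strict: a genuine SRAM region that happens to be entirely zero would be flagged, which is preferable to silently keeping a bad dump.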

Compilation Resources

To compile the necessary tools and kernel modules, follow these steps:

GCC for aml_pwn

Download and install the GCC toolchain:

GCC for Kernel Module (khax.ko)

Install GCC for AArch64 cross-compilation:

sudo apt install gcc-aarch64-linux-gnu

Kernel Configuration

Use the Linux/arm64 kernel 4.9.269 configuration for compilation:

Video Demo

Watch a demo of the exploit in action on YouTube:

Credits

License

This project is licensed under the MIT License – see the LICENSE file for details.